Internet threat news

Hackers offering Malware-as-a-Service (Maas) is not a new trend by any means. Since the first detections of such schemes, their popularity has not seemed to dwindle of the years. This is in part because they allow those less technically minded, or too lazy to develop their own malware, with an option to make a quick buck, albeit an illegal one. MaaS can be defined as the hiring of software and hardware for carrying out cyber attacks. In a majority of instances, the owners of MaaS servers provide paid access to a botnet that distributes malware. Like their more legal cousins, clients of such services are offered a personal account through which to control the attack, as well as technical support.

Security researchers at Fortinet have published details on a recently discovered DDoS-for-hire service built with leaked code that offers easy and cheap access to sufficient power to knock down most targets. Distributed Denial of Service (DDoS) attacks is an attack in which multiple compromised devices attack a target simultaneously, such as a server, website, or other network resources, and cause a denial of service for users. DDoS businesses have been around for quite a while, with the sheer amount of mobile devices it is more common for these to be used to drive attacks.

Last week this publication published an article detailing the show of sympathy from the GandCrab ransomware developers to the people of Syria who had been infected. This show of sympathy took the form of the developers releasing the decryption keys for Syrians infected with GandCrab. On the face of it, the show of goodwill did appear as one. Unfortunately, while the keys were released there was now decryptor available to those infected with the ransomware. This meant that the keys were useless for most of the Syrians affected.

If you were of any other nationality you were truly out of luck as you had no decryption tool or key to help decrypt your encrypted files. That was the state of affairs till October 25. Announced via a Europol press release the law enforcement body stated that in a collaborative effort by Romanian police, with counterparts from Bulgaria, France, Hungary, Italy, Poland, the Netherlands, United Kingdom, United States and the security firm Bitdefender a decryption tool had been developed. Importantly the tool works on all but two versions of GandCrab (v 2 and 3). The release of this tool follows a week after the GandCrab developers made public decryption keys allowing only a limited pool of victims located in Syria to recover their files.

Security Researchers at FireEye have tracked the development of Triton to a research institute owned by the Russian government. In a report published on Tuesday 23 October, researchers claim that they have uncovered a strong link between the Triton malware and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a technical research organization located in Moscow and owned by the Russian government. Triton, which has also been called Trisis and Hatman, was used in a campaign targeting Industrial Control Systems (ICS) in the Middle East. Industrial Control Systems are extensively used in industries such as chemical processing, paper manufacture, power generation, oil and gas processing, and telecommunications.

In a recent article published by Cisco Talos team, researchers have seen a Chinese linked cyber espionage group using the Datper Trojan. The group called Tick, who have also been called Redbaldknight and Bronze Butler in the past, have been launching espionage campaigns targeting those in Japan and South Korea for a number of years. In the campaign analyzed by the Talos team, the group also used compromised websites located in the two countries as command and control (C&C) servers.

Since 2016, Tick has developed a reputation for targeting Japan and South Korea by using custom tools for each separate campaign. Although custom tools are often used researchers have been able to uncover certain tactics employed on a near constant basis. Such tactics include similarities in the use of infrastructure and overlaps in hijacked C&C domains or the use of the same IP. Cisco researchers, knowing about the patterns, were able to determine similarities between the Datper, xxmm backdoor, and Emdivi malware families that the threat actor has used in attacks. The use of the xxmm backdoor and Emdivi malware has also been used in previous campaigns orchestrated by the group.

GandCrab Hackers show some Heart

Syria was at one stage known for being one of the birthplaces of human civilization. Recently the beleaguered nation is more known for the terrible civil war. As of April 2018, more than 465,000 Syrians have been killed in the fighting, over a million injured, and over 12 million, that being half the country's pre-war population, have been displaced. Many would feel that Syrians been targeted in hacking campaigns would be worse than a kick to the teeth, given the struggle for survival faced by many. Fortunately, some hackers feel the same. In a post to an underground hacking and cybercrime forum, the GandCrab developers have released the decryption keys for Syrian victims.

The developers of GandCrab seem to have responded to a tweet in which a Syrian victim asked for help after photos of his deceased children were encrypted. After seeing the tweet, the hackers announced via a forum that they have released the keys for all Syrian victims. They also mentioned that it was a mistake not to exclude Syria for the list of targeted countries.

The small island nation, known for its small population and giant-slaying football team, hardly ever makes the headlines in cybersecurity publications. That was until October 12, when cybersecurity news sites began publishing articles detailing how Iceland had just experienced its biggest attack yet. This is a stark contrast to reports from 2017 which stated that Iceland experienced no reported cases of the WannaCry attack in May of that year.

Fast forward to the present day where a phishing campaign took Iceland by surprise, sending out malicious emails to thousands of individuals, in an attempt to fool them into installing a powerful remote access tool. For many nations, a cyber attack affecting thousands can be seen a mere trifle. However, when you consider that the population of Iceland is approximately 350,000 people, thousands represent a significant percentage of the population.

Security experts often sound like the worst stuck record ever. “Update your software,” “update your hardware,” “update your operating system,” are said verbatim and on repeat constantly. The reason for all the repetition is that users to do not follow this simple advice. Updates are seen as an inconvenience rather than a security essential. If you are the owner of a MikroTik router it is most certainly time to patch your router. Security researchers on Twitter, including Kira 2.0, sounded the warning sirens showing that nearly 12,000 MikroTik routers are currently infected with various malware strains. Researchers began investigating further and it was discovered that a known vulnerability in the firmware of MikroTik routers is potentially far more dangerous than previously believed. The vulnerability in question, CVE-2018-14847, is present in the Winbox administration utility of MikroTik's RouterOS. According to research done by Tenable, the vulnerability allows remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.

On Thursday, October 4, 2018, Bloomberg published an article which claimed that Chinese spies were able to gain privileged access to just under 30 major US companies. This access was granted through the spies planting tiny microchips inside motherboards used for Supermicro servers that eventually made their way inside the IT infrastructures of the major companies which included Apple and Amazon. The report shocked the public and resulted in Supermicro’s stock value plummeting by nearly 50%.

Soon after the story was published the companies supposedly involved came out with statements that strongly denied the claims made in the article. Not only did the companies question the story but many leading thinkers within the InfoSec community cast doubts upon the article's claims.

Most hackers and threat actors are often content to copy the work of others. This means that most of the world’s cyber-attack campaigns are conducted using tried and tested tactics and already existing, if slightly modified, malware variants. When a new and original method of attack becomes apparent the InfoSec community most certainly takes note. Security researchers at ESET definitely have the community’s attention with their report on LoJax.

LoJax is possibly the first case of an attack leveraging the Unified Extensible Firmware Interface (UEFI) boot system being used in an attack by a threat actor. In summary, the malware uses repurposed commercial software to create a backdoor in a computer’s firmware. The campaign using the malware has been active since 2017 and it is capable of surviving the re-installation of the Windows operating system or even hard drive replacement. While the malware had been spotted previously, ESET’s research is the first to show that it was actively attacking the firmware of computers to establish a tenacious foothold. What’s more, ESET has attributed the spread of the malware to Sednit, also known as FancyBear, the Russian state-sponsored operation tied by US intelligence and law enforcement to the cyber-attack on the Democratic National Committee.

On September 28, 2018, Facebook announced that it had suffered a major security breach. The social media giant simultaneously announced that 50 million user accounts were accessed by unknown attackers. The discovery was made by Facebook engineers on the previous Tuesday and that the attackers managed to seize control of the affected accounts. Since the announcement, Facebook has logged out the 50 million breached users and a further 40 million vulnerable accounts to prevent further exploitation of user accounts by the unknown attacks. It is generally seen by many that Facebook has had a torrid time of late this year, this major security incident may be the icing on the cake.

According to Facebook, the attackers managed to seize control of user accounts by exploiting three distinct bugs in Facebook's code. These bugs allowed the attackers to steal the digital keys the company uses to keep users logged in. As it was the digital keys that were stolen users are not required to change their passwords with Facebook having to reset the keys for all those affected. In a call to reporters CEO Mark Zuckerberg, whose own account was compromised, said that attackers would have had the ability to view private messages or post on someone's account, but there's no evidence that this occurred.

Recent reports across multiple platforms would indicate that hackers are still able to exploit the Google Play Store to upload malware with the intention of infecting Android devices. This is by no means a new phenomenon but hackers prove again that they are a resourceful bunch. No matter what countermeasures are employed a resourceful hacker will find a way to exploit the situation. In three separate instances, threat actors have looked to distribute malware using the Play Store. On September 24, security researchers at SophosLabs published an article explaining that at least 25 Android apps on the official Google Play store contain code that mines cryptocurrencies in the background. It is important to note that these apps do not inform users of the mining or in the majority of circumstances offer the user no opt-out option.

A recently discovered malware strain can be seen as a Swiss Army knife. Not only can it function as ransomware it can also log and steal their keystrokes and add infected computers to a spam-sending botnet. Multi-tasking malware is by no means a new phenomenon, malware authors will look to add new components and functions to existing malware strains in an attempt to make them more versatile. While not a new phenomenon, these multi-tasking nasties have an unexpected side effect of making classification difficult. This, in turn, causes much strife amongst the InfoSec community.

The malware, dubbed Virobot, was recently discovered by researchers at TrendMicro (sample discovered by security researcher MalwareHunterTeam). The malware which is capable of working as a botnet, ransomware, and keylogger has been classified as a ransomware strain by those same researchers, fortunately, it would appear that the malware is still under development. This is in part due to the uniqueness of the ransomware component. According to TrendMicro, the ransomware component has no ties to previous ransomware strains but that is where the uniqueness ends.

Banks and other financial institutions have long been the targets of hackers. Not only do they deal with massive amounts of funds daily, but they are also entrusted with valuable personal information that stealing it is a major goal for many cyber criminals. This treasure trove of personal information includes credit card data, customer information, and the wealth of corporate data that can be sold off or exchanged by those looking to make a quick profit or get an edge over a business competitor. Now they have a new increasingly popular threat to combat. Credential stuffing is an emerging attack method which can be considered a brute force attack. Credential stuffing is the automated injection of breached username and password pairs in order to fraudulently gain access to user accounts. Access to accounts is done by using large numbers of spilled credentials are automatically entered into websites, often by botnets) until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

Last week this platform published an article which covered the emergence of a new exploit kit called Fallout discovered by security researchers at FireEye. Initially the exploit kit has been used to distribute the SmokeLauncher trojan and the GandCrab ransomware. This week, it has started to distribute a new ransomware called SAVEfiles via malvertising campaigns.

SAVEFiles was discovered by security researcher Michael Gillespie, who has developed a reputation for discovering and analyzing new ransomware variants. While the ransomware was discovered by Gillespie it was not known necessarily how the ransomware was distributed. Exploit kit expert Kafeine discovered that SAVEFiles was been distributed via malvertising campaigns where IP addresses in Japan, France, and other locations have been targeted. It was further discovered that the campaign will cause the visitor to go through a stream of redirects until they eventually get to a site hosting the Fallout Exploit kit. The exploit kit will then automatically download and install the SAVEfiles ransomware onto the victim’s computer. The connection to hxxp://xxxart.pp.ua/1/get.php is the ransomware connecting back to its Command & Control server to receive an encryption key.