Internet threat news

Cryptojacking Surges in Popularity

Since Coinhive first appeared, cryptojacking has grown rapidly in popularity. Coinhive lets website owners embed a JavaScript miner in their pages to generate extra revenue: the mining runs in the visitor's browser, on the visitor's CPU, for as long as the page is open. Many websites have adopted Coinhive for exactly this purpose. Sites that deploy it ethically tell visitors that their computer's resources are being used to mine cryptocurrency, in this case Monero, while they are on the site.

The idea is novel and can be used ethically, but it is open to abuse: the same script can run in a page without the visitor's knowledge, whether placed there by the site operator or by an attacker who has compromised the site. Security researchers at Malwarebytes have released a report detailing the abuse users are experiencing globally, and Malwarebytes was one of the first major antivirus vendors to add blocking of such scripts.

   
Crunchyroll.com Hijacked

Popular websites have always been a target for hackers trying to spread malware. Crunchyroll.com, the popular anime streaming site, was attacked over the weekend and was forced to take its website offline. While the nature of the attack is still a matter of speculation, it serves as a reminder to any company with a website that it is a target.

On November 4, visitors to the site were prompted to download a desktop version of its software. The download was not what it seemed: it also installed malware. Crunchyroll staff in Germany quickly noticed that something was wrong and took to Twitter to warn users not to visit the website, which was then taken offline to prevent further infections.

The desktop application was not offered by the site itself but by the attackers, as a vehicle for distributing malware. What the file, called "CrunchyViewer.exe", was meant to deliver is still not known. Later the same day Ellation, Crunchyroll's parent company, released a statement detailing what had occurred and giving instructions on removing the malicious content if it had been downloaded.

   
Hackers Hijack Ethereum Mining Equipment

Hackers targeting every facet of the cryptocurrency boom is by no means new. On November 1, news broke of two separate incidents targeting cryptocurrency wallets in two different ways. Cryptocurrencies have become a favored target for hackers because of their growing popularity and soaring prices. While the blockchain is changing how we operate, hackers are still using the same methods as ever to steal users' cryptocurrency.

Bogdan Botezatu, a security researcher at the Romanian firm Bitdefender, detected the first attacks on Monday this week when the company's SSH (Secure Shell) honeypots saw a bot attempting to change the system configuration so as to hijack funds from Ethereum mining operations. The bot targeted EthOS, a commercial operating system optimized for mining Ethereum, Zcash, Monero and other cryptocurrencies that rely on GPU power. According to its creators, EthOS is running on more than 38,000 mining rigs around the world. Like other specialized operating systems it ships with the necessary tools pre-installed and with a default username and password. After deployment, the user only needs to add the wallet address that mining rewards are paid to and, most importantly, change the default credentials; a rig reachable over SSH with the defaults still in place is exactly the kind of target such a bot is scanning for.
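A rig owner can catch this class of tampering by periodically comparing the payout wallet in the mining configuration against a copy held off the rig. The following is an added example, not EthOS's or Bitdefender's code; it assumes, hypothetically, that the configuration is a text file of `key value` lines with the payout address under the key `proxywallet`, and both the sample configuration and the wallet addresses are constructed.

```python
"""Integrity check for a mining rig's payout wallet.

Added example, not EthOS's or Bitdefender's code. It assumes (hypothetically)
that the rig config is a text file of `key value` lines and that the payout
address lives under the key `proxywallet`; the sample config is constructed.
"""
import re

# The operator's real wallet, kept somewhere the rig cannot overwrite (constructed).
EXPECTED_WALLET = "0x52908400098527886E0F7030069857D2E4169EE7"
ETH_ADDRESS_RE = re.compile(r"^0x[0-9a-fA-F]{40}$")

# Constructed sample: the payout wallet has been swapped for an attacker's.
SAMPLE_CONF = """\
# local.conf (constructed sample)
maxgputemp 85
globalminer claymore
proxywallet 0x7F1d4E3F1D2Dd13C9b5B7b1Cf3aA6A3e6Cc1dF82
flags --cl-global-work 8192
"""


def parse_conf(text):
    """Parse `key value` lines, ignoring blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key] = value.strip()
    return conf


def audit_wallet(text, expected=EXPECTED_WALLET, key="proxywallet"):
    """Return a list of findings; an empty list means the wallet is untouched."""
    conf = parse_conf(text)
    wallet = conf.get(key)
    if wallet is None:
        return [f"{key} missing from config"]
    findings = []
    if not ETH_ADDRESS_RE.match(wallet):
        findings.append(f"{key} is not a well-formed Ethereum address: {wallet!r}")
    # Case-insensitive compare: EIP-55 checksums only change letter case.
    if wallet.lower() != expected.lower():
        findings.append(f"{key} changed: expected {expected}, found {wallet}")
    return findings


if __name__ == "__main__":
    for finding in audit_wallet(SAMPLE_CONF) or ["wallet OK"]:
        print(finding)
```

Run it from cron and alert on any non-empty result; the expected address must live outside the rig (or at least outside the attacker's reach after a default-credential login), otherwise the bot can update both copies.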

   
unCAPTCHA Breaks reCAPTCHA

Google's reCAPTCHA has become one of the staple defenses protecting sites from spam and abuse in recent years. Offered by Google as a free service, reCAPTCHA uses a risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activity on your site, so that only legitimate users get through.

In research published by the Computer Science Department at the University of Maryland (UM), a team of four built a system that breaks reCAPTCHA with 85% accuracy. Any automated solver that succeeds more than 1% of the time is enough for a CAPTCHA to be considered broken.

The automated system, which the UM team named unCAPTCHA, does not attack the image-based challenge but the audio version that Google added so people with disabilities can solve the puzzle. In summary, it downloads the audio challenge, feeds it to six speech-to-text systems, aggregates their transcripts, and submits the most probable answer back to Google's servers.

In the team's tests, unCAPTCHA solved 450 reCAPTCHA challenges with 85.15% accuracy, taking an average of 5.42 seconds per challenge, which is less than the time a human needs just to listen to one audio challenge. The speech-to-text systems it uses include Bing Speech Recognition, IBM, Google Cloud, Google Speech Recognition and Sphinx. The code has been made available on GitHub.
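The step that turns several noisy transcripts into one answer is the interesting part, and it is what makes a single weak recogniser irrelevant: each engine only has to be right more often than not. The following is an added example of that aggregation, not the UM team's code. The transcripts, the per-engine weights and the homophone table are constructed assumptions; real engines return free text, and a challenge is assumed to be a string of spoken digits.

```python
"""Aggregate several speech-to-text transcripts of a spoken-digit challenge.

Added example of the aggregation idea, not unCAPTCHA's own code. The
transcripts, weights and homophone table below are constructed.
"""
from collections import Counter, defaultdict

# Words recognisers commonly emit for spoken digits (assumed mapping).
HOMOPHONES = {
    "zero": "0", "oh": "0", "o": "0",
    "one": "1", "won": "1",
    "two": "2", "to": "2", "too": "2",
    "three": "3", "tree": "3",
    "four": "4", "for": "4", "fore": "4",
    "five": "5",
    "six": "6", "sex": "6",
    "seven": "7",
    "eight": "8", "ate": "8",
    "nine": "9",
}


def to_digits(transcript):
    """Map one free-text transcript to a digit string, dropping unknown words."""
    out = []
    for word in transcript.lower().replace(",", " ").split():
        if word.isdigit():
            out.extend(word)
        elif word in HOMOPHONES:
            out.append(HOMOPHONES[word])
    return "".join(out)


def aggregate(transcripts, weights=None):
    """Per-position weighted vote across engines.

    transcripts: {engine: text}; weights: {engine: float}, default 1.0.
    Returns (answer, confidence) where confidence is the mean winning share.
    """
    weights = weights or {}
    digits = {e: to_digits(t) for e, t in transcripts.items()}
    # The challenge length is whatever most engines agree on; engines that
    # dropped or hallucinated a digit are excluded from the vote.
    length = Counter(len(d) for d in digits.values()).most_common(1)[0][0]
    answer, shares = [], []
    for i in range(length):
        votes = defaultdict(float)
        for engine, d in digits.items():
            if len(d) == length:
                votes[d[i]] += weights.get(engine, 1.0)
        best, score = max(votes.items(), key=lambda kv: kv[1])
        answer.append(best)
        shares.append(score / sum(votes.values()))
    return "".join(answer), sum(shares) / len(shares)


# Constructed sample: five engines transcribing the same six-digit clip.
SAMPLE = {
    "bing":   "3 4 oh 7 seven 9",             # misheard the last digit
    "ibm":    "three for 0 7 7 won",
    "gcloud": "3 4 0 7 7 1",
    "gsr":    "three four zero seven 7 one",
    "sphinx": "tree for oh 7 1",              # dropped a digit entirely
}

if __name__ == "__main__":
    print(aggregate(SAMPLE))
```

For a site owner the lesson is the inverse: a CAPTCHA whose audio fallback is a clean digit sequence hands the attacker exactly the input these engines were trained on, so the fallback needs the same adversarial attention as the visual challenge.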

   
Bad Rabbit Ransomware Hitting Russia and Ukraine

News broke on October 24 of a new ransomware variant targeting Russian and Ukrainian systems. It infected both personal computers and company servers; affected organizations include Kiev's metro system, the Russian news agency Interfax and Odessa airport. Interfax was reduced to publishing on its Facebook page during the outage, as its servers were offline for several hours.

The ransom demanded is 0.05 Bitcoin ($287.65 at the time of writing), conveyed in the now customary ransom note. The malware's code is unusual in that it is laced with references to the hit show Game of Thrones, whose producer HBO has had its own battles with cybercrime. To spread, the ransomware tries a hard-coded list of passwords against other machines on the network, including "love", "sex", "god" and "secret", the "four most common passwords" according to the 1995 movie Hackers. In reality, the four most common passwords are 123456, 123456789, qwerty and 12345678.
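Whatever the word list, the spreading behaviour described above (one host trying a short credential list against many neighbours in quick succession) leaves a distinctive pattern in authentication logs. The following is an added example of that detection logic, not code from any Bad Rabbit analysis; the log lines are constructed in a simplified `timestamp source destination user result` form rather than real Windows 4625/4624 events, and the window and threshold are assumptions to tune per environment.

```python
"""Flag hosts that fail logons against many peers in a short window.

Added example, not from any Bad Rabbit analysis. Log lines are constructed
in a simplified `timestamp src dst user result` format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
2017-10-24T10:00:01 10.0.0.7 10.0.0.12 Administrator FAIL
2017-10-24T10:00:02 10.0.0.7 10.0.0.12 Administrator FAIL
2017-10-24T10:00:02 10.0.0.7 10.0.0.15 Administrator FAIL
2017-10-24T10:00:03 10.0.0.7 10.0.0.15 root FAIL
2017-10-24T10:00:04 10.0.0.7 10.0.0.21 Administrator FAIL
2017-10-24T10:00:05 10.0.0.7 10.0.0.21 Administrator SUCCESS
2017-10-24T10:00:06 10.0.0.7 10.0.0.33 Administrator FAIL
2017-10-24T10:05:00 10.0.0.9 10.0.0.12 alice FAIL
2017-10-24T10:05:30 10.0.0.9 10.0.0.12 alice SUCCESS
"""


def parse(log):
    """Yield (timestamp, src, dst, user, result) tuples from the constructed log."""
    for line in log.splitlines():
        ts, src, dst, user, result = line.split()
        yield datetime.fromisoformat(ts), src, dst, user, result


def find_sprayers(log, window=timedelta(minutes=1), min_targets=3):
    """Return {src: {"targets": [...], "succeeded_on": [...]}} for every source
    with failed logons against >= min_targets distinct hosts inside `window`.

    A normal user mistyping a password hits one host; a worm hits many.
    `succeeded_on` lists hosts where the same source later logged in, i.e.
    where the credential list probably worked and the worm has landed.
    """
    by_src = defaultdict(list)
    for ts, src, dst, user, result in parse(log):
        by_src[src].append((ts, dst, result))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(ts, dst) for ts, dst, r in events if r == "FAIL"]
        for i, (t0, _) in enumerate(fails):
            targets = {dst for ts, dst in fails[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                succeeded = sorted({dst for ts, dst, r in events if r == "SUCCESS"})
                hits[src] = {"targets": sorted(targets), "succeeded_on": succeeded}
                break
    return hits


if __name__ == "__main__":
    for src, info in find_sprayers(LOG).items():
        print(src, "sprayed", info["targets"], "got in on", info["succeeded_on"])
```

The same logic applies to SMB session-setup failures on a file server or to failed SSH logins on Linux hosts; the signal is the fan-out from one source, not any particular password.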

   
Reaper Botnet is Huge

Since the middle of September, researchers have watched an Internet of Things (IoT) botnet grow by nearly 10,000 infections per day. Codenamed IoT_reaper, it is currently estimated at over 2 million devices, though Netlab reports a large part of that figure as vulnerable devices queued for infection rather than hosts already compromised. Much has been published over the years about how vulnerable IoT devices are; we are now seeing the practical consequences of those warnings.

According to researchers at Netlab the botnet is mainly made up of IP-based security cameras, network video recorders (NVRs) and digital video recorders (DVRs). Reaper reuses some code from the Mirai IoT malware, but adds enough that it is a standalone threat in its own right. The main difference is propagation: Mirai scanned for open Telnet ports and tried to log in with a preset list of default or weak credentials, whereas Reaper primarily uses exploits for known vulnerabilities to take over unpatched devices and bring them under its command and control (C&C) infrastructure. Changing default passwords, which was enough against Mirai, therefore does nothing against Reaper; only firmware patching or isolating the device helps.

Reaper differs from Mirai in other ways as well. It integrates a Lua execution environment, which lets its operators push more complex attack logic to infected devices, and its scanning is deliberately not aggressive, which keeps it under the radar and makes it harder to detect.

   
SockBot Discovered in Development

Recently we reported on DoubleLocker, discovered by researchers at ESET, the first Android ransomware to both change the user's PIN and encrypt the user's data. Less than a week later, another piece of malware targeting Android users was found. SockBot, discovered by researchers at Symantec, is a Trojan aimed at players of the Minecraft Pocket Edition mobile game. A total of eight apps carrying the Trojan were found on Google's Play Store. The apps, advertised as legitimate player-skin apps, had between 600,000 and 2.6 million installations in total.

All of the apps were created by the same developer, going by the name FunBaster, and Google has since removed them. Fortunately for those who may have been infected, Google can also remove the infected apps from users' devices, which would have drastically reduced the number of infections. Using a popular app or game to lure users into downloading malicious apps is by no means a new trick, and given Minecraft's popularity and a user base with many younger players unaware of the dangers, the creator picked a target easily susceptible to such an attack.

   
The Dawn of DoubleLocker

Researchers at the Slovakia-based security firm ESET have discovered a new ransomware variant targeting Android users, which they believe is the first ransomware to abuse Android Accessibility, a feature that provides users with alternative ways to interact with their devices and which has mainly been abused in the past by Android banking Trojans to steal banking credentials. Detected by ESET products as Android/DoubleLocker.A, the strain is built on the foundations of a particular banking Trojan known for misusing the Android accessibility services.

Lukáš Štefanko, the ESET malware researcher who discovered DoubleLocker, believes that given its banking Trojan roots DoubleLocker could be turned into "ransombanker" malware: a two-stage threat that first tries to empty your bank or PayPal account and then locks your device and data to demand a ransom. While this is currently speculation, ESET researchers have already seen similar malware in the wild, dating back to May of this year.

   
F-35 Joint Strike Fighter Plans Stolen

With financial institutions admitting data breaches, some very serious and others less so, governments are also taking the opportunity to disclose hacks. This week both the Australian and South Korean governments admitted that sensitive information, in South Korea's case classified information, had been stolen. In the Australian case, a total of 30 GB of sensitive data pertaining to the military and its equipment was taken. In the South Korean case, North Korea is accused of stealing approximately 235 GB of data, including classified plans detailing the response of the South and its allies in the event of war with the North.

   
Kaspersky Labs Linked to NSA Data Breach

Earlier this year, President Donald Trump's administration moved to ban all Kaspersky Lab products from US government institutions and agencies, and law enforcement and intelligence agencies recommended that the private sector stop purchasing products and services from the Russian company. Very little public evidence was provided for the decision, which rests on Kaspersky Lab's alleged inappropriate links to the Russian government.

The matter resurfaced on October 6, when both the Wall Street Journal and the Washington Post reported that a breach believed to have occurred in 2015 was made possible in part by Kaspersky's antivirus software. US officials appear to believe that a scan performed by Kaspersky Lab's software on a contractor's computer helped Russian hackers identify the files containing sensitive information. The evidence in both articles rests on anonymous sources, who allege one of two scenarios by which Russian hackers gained access to the classified documents.

   
Rowhammer Variant Bypasses Countermeasures

Security researchers have developed a variant of the Rowhammer attack that bypasses all of the countermeasures proposed so far. The blanket term Rowhammer describes a class of attacks that exploit the fact that DRAM vendors pack memory cells so densely, in order to build smaller components with more capacity, that rows electrically interfere with their neighbours. An attacker repeatedly accesses the same rows of memory cells ("hammering" them), causing cells in adjacent rows to leak charge and flip from 1 to 0 or from 0 to 1, thus altering data the attacker has no permission to write. By steering such flips into security-critical data, the attacker can alter normal OS behaviour to escalate privileges, root devices, or crash crucial services such as security software. Rowhammer is a hardware fault rather than malware: nothing is injected onto the victim beyond the bit flips themselves, which is why software countermeasures can only mitigate it and why a variant that defeats them matters.

   
Database Wipe Ransom Hits R6DB

Over the last two years, security researchers have seen a steady stream of servers accessed, their data wiped and a ransom note left behind demanding payment to restore it. The latest victim is the team behind R6DB, an online service providing Rainbow Six Siege player statistics. On September 30 an automated bot accessed the server, wiped the database, which appears to have been a PostgreSQL instance, and left a ransom note. Such bots typically find database instances exposed to the internet without authentication, and in the earlier campaigns of this kind the attackers frequently had not kept a copy of the data at all, so paying bought nothing. At the time of writing R6DB has recovered most of the data and is applying updates on a new server.
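The misconfiguration that lets such a bot in is usually visible in two files: `postgresql.conf` listening on every interface, and a `pg_hba.conf` line granting a remote address range the `trust` method (no password at all) or `password` (cleartext). The following is an added example of an audit for that combination, not R6DB's code; the configuration snippets are constructed, and it assumes the standard formats of those two files.

```python
"""Audit PostgreSQL for an internet-exposed, unauthenticated listener.

Added example, not from R6DB. The config snippets are constructed; the
standard pg_hba.conf / postgresql.conf formats are assumed.
"""
import ipaddress
import re

PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    md5
host    all       all   0.0.0.0/0       trust
host    all       all   10.0.0.0/8      password
hostssl all       all   ::/0            md5
"""

POSTGRESQL_CONF = """\
listen_addresses = '*'
port = 5432
"""

WEAK_METHODS = {"trust", "password"}   # no authentication / cleartext password


def listen_addresses(conf):
    """Return the list from listen_addresses, defaulting to PostgreSQL's 'localhost'."""
    m = re.search(r"^\s*listen_addresses\s*=\s*'([^']*)'", conf, re.M)
    return [a.strip() for a in m.group(1).split(",")] if m else ["localhost"]


def audit_hba(hba, conf):
    """Return findings for weak auth methods granted to non-loopback networks.

    A weak method on a catch-all network while the server listens on every
    interface is the R6DB scenario: anyone on the internet is a superuser.
    """
    findings = []
    exposed = any(a in ("*", "0.0.0.0", "::") for a in listen_addresses(conf))
    for line in hba.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("local"):
            continue                      # Unix-socket rules are not reachable remotely
        parts = line.split()
        if len(parts) < 5:
            continue
        ctype, db, user, addr, method = parts[:5]
        try:
            net = ipaddress.ip_network(addr, strict=False)
        except ValueError:
            continue                      # hostname entries are out of scope here
        if method in WEAK_METHODS and not net.is_loopback:
            sev = "CRITICAL" if exposed and net.prefixlen == 0 else "WARNING"
            findings.append(f"{sev}: {ctype} {db} {user} {addr} uses {method}")
    return findings


if __name__ == "__main__":
    for f in audit_hba(PG_HBA, POSTGRESQL_CONF):
        print(f)
```

Fixing the CRITICAL line means removing the catch-all `trust` entry and binding `listen_addresses` to the application host only; the audit also flags `password` on internal ranges because a cleartext credential on the wire is the next thing a bot with a foothold harvests.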

   
Another Banking Trojan Leverages EternalBlue

Once EternalBlue was released into the wild by the Shadow Brokers, it was predicted that its effects would be far-reaching. Time has proven those predictions correct, with hacking groups around the globe adding it as yet another tool for spreading malicious payloads. In this instance the creators of the banking Trojan Retefe have leveraged EternalBlue to spread between computers via unpatched SMB servers, those still missing the MS17-010 update.

Earlier this year Emotet and TrickBot were found by security researchers sporting highly customised versions of EternalBlue. This came at a time when the use of worms to spread malicious payloads across networks was declining, and some thought the technique was dying a slow death; EternalBlue appears to have breathed new life into something thought to be a relic of the recent past. Beyond worms becoming fashionable again, the way banking Trojans are used has also changed. In the past those deploying them wanted them to remain undetected for as long as possible; now, it seems, they want to infect as many computers as possible and harvest a vast number of credentials in a shorter time, accepting that noisier spreading is easier to detect.

   
Coinhive: Innovative but Abused

Cryptocurrencies are fast becoming, if not already, a massive investment vehicle that is rewriting the rules of what the currency in your wallet can be. Innovation often brings teething problems, and these in themselves are not a worry. What is a worry is how malware authors exploit innovative ideas for short-term gain. This is hardly new and seems to be a constant of the information age: if a tool or idea can be abused to swindle and extort, it will be. The maxim is probably not even an information-age phenomenon but one that pervades human history.

Coinhive appears to have started life fairly innocently. It is a tool website owners can use to generate income instead of running ad banners: essentially a JavaScript library added to a page which, while a visitor is on that page, uses a share of the visitor's CPU to mine Monero, and stops mining once the visitor leaves. The Pirate Bay, famous or infamous depending on which side of the piracy fence you sit, began trialing Coinhive in place of ad banners on its torrent site. Users were notified about the trial and its implications, but The Pirate Bay soon dropped it after negative user feedback.
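Both this item and "Cryptojacking Surges in Popularity" above turn on the same mechanic: a script tag, either loaded from the miner's host or pasted inline, that instantiates the miner in the visitor's browser. Blocking products such as the Malwarebytes feature mentioned earlier work by recognising those two things. The following is an added example of that check over a page's HTML, not Coinhive's code and not any vendor's blocklist; the HTML is constructed, the host list is a deliberately short assumption (coinhive.com and coin-hive.com were the library's distribution hosts at the time), and the constructor names are those the library documented.

```python
"""Scan HTML for an embedded browser miner (script host or inline API call).

Added example; not Coinhive's code and not a vendor blocklist. The sample
HTML is constructed and the host list is an assumption, not exhaustive.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

MINER_HOSTS = {"coinhive.com", "coin-hive.com"}          # assumed, non-exhaustive
# Constructor names the Coinhive library exposed; an assumption for this example.
MINER_API_RE = re.compile(r"\bCoinHive\.(Anonymous|User|Token)\s*\(")


class MinerScanner(HTMLParser):
    """Collects (kind, evidence) findings while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src")
        if not src:
            return
        # Protocol-relative and absolute URLs both carry '//'; relative paths do not.
        host = urlparse(src if "//" in src else "//" + src).hostname or ""
        if host in MINER_HOSTS or any(host.endswith("." + h) for h in MINER_HOSTS):
            self.findings.append(("external", src))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands script bodies to handle_data verbatim (CDATA content).
        if self._in_script:
            m = MINER_API_RE.search(data)
            if m:
                self.findings.append(("inline", m.group(0)))


def scan_html(html):
    """Return a list of (kind, evidence) tuples; empty means no miner found."""
    scanner = MinerScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one external loader plus an inline miner start.
SAMPLE_HTML = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="/static/app.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.5});
  miner.start();
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, evidence in scan_html(SAMPLE_HTML):
        print(kind, evidence)
```

A host list is the weak half of this check, since copycat miners are served from ever-changing domains; the inline pattern survives a rename of the host but not of the library, so in practice a blocker pairs both with a CPU-usage heuristic in the browser.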

   
