Internet threat news

Towards the end of July 2018, it was reported that SingHealth, a medical services provider in Singapore, suffered a major data breach where approximately 1.5 million patients had their records exposed. At the time AFP that the initial analysis was done by Singapore's Cyber Security Agency and that the attack indicated “a deliberate, targeted, and well-planned cyber-attack and not the work of casual hackers or criminal gangs,” No one was directly attributed to the attack and officials declined to comment on whom they believed to be responsible. However, one of the victims of the breach was Prime Minister Lee Hsien Loong illustrating that nobody is immune to being targeted by a sufficiently motivated hacker group.

At the time of the data breach, authorities and security firms were hesitant to attribute the attack to a particular group or individual, and perhaps rightly so as hasty conclusions regarding attributing the attack could lead numerous headaches. While no group was directly named it was believed state actors may have been responsible given the nature of the breach. That did not mean that authorities and security firms were resigned to not prove who was behind the attack. According to a report published by Symantec, the attack can be attributed to a group codenamed Whitefly. IN the past the group has attacked organizations in healthcare, media, telecommunications, and engineering, and is likely part of a larger operation targeting other nations. The report which was published on Wednesday, March 6, 2019, details how the previously unknown group was determined to be Whitefly. The group appears to have been operating since 2017 and primarily targeted organizations in Singapore. The group appears to be focussed on stealing massive amounts of data including large volumes of sensitive data.

Over the past weekend, hackers launched a ransomware campaign in an attempt to infect millions of Israelis. Based on current evidence it is believed that the hackers are operating out of Palestine and may be affiliated with the #OpIsreal campaigns. OpIsreal forms part of nearly yearly cyber-attacks against the Government of Israel as well as private websites operated from Israel. The main goal of the annual campaign is “erasing Israel from the Internet”. Popularity and public support behind the campaigns have been decreasing steadily over the years. According to SenseCy participants in the campaigns have decreased steadily from over 6000 in 2014 to just 600 in 2017.

While popularity for OpIsrael is on the decline, the group has experienced some successful campaigns, mainly the denial of service attacks on Israeli websites in 2013, in protest to Israel’s policies regarding Palestine. If the latest ransomware campaign is indeed part of OpIsrael, it might signify a switch in tactics from hacktivism to merely cybercrime devoid of a moral imperative. On March 2, 2019, hackers successfully poisoned DNS records for Nagich, a web service that provides an accessibility widget that is embedded on thousands of Israeli websites to provide access for persons with reading disabilities. Hackers then used the widget to automatically embed malicious code on thousands of Israeli websites. The code would first publish the message “#OpJerusalem, Jerusalem is the capital of Palestine,” then proceed to initiate an automatic download for a Windows file named “flashplayer_install.exe” a file tainted with ransomware.

What started it out with the intention of being an innovative way to replace banner ads on websites turned into an incredibly popular piece of malware. When Coinhive began its life it was innocent. Rather than web developers using space for ad banners they could add a JavaScript file to the browser which would use the visitors CPU to mine Monero, now infamously known as a favored cryptocurrency used by hackers around the globe. This mining was intended to occur only while visitors were on the web page and with their express consent. What started out innocently was quickly weaponized.

The Pirate Bay, provided a proof of concept test of Coinhive by asking users if they would prefer ad banners or the application to mine cryptocurrency while using the service. The torrent site known for its flagrant abuse of copyright law received a fair amount of criticism for the move, but it could be seen as a successful proof of concept. The Pirate Bay was eventually to receive ban orders due to copyright infringement and like with other similar torrent sites is involved in a perpetual cat and mouse game with authorities. Despite this many saw Coinhive as a potential technology to disrupt big corporations stranglehold on ad revenue.

The dream of having an ATM give you money without ever deducting it from your bank account is a relatable dream for a large majority of the population. Real currency that can be spent as one wished with no repercussion on your own personal balance is too good to be true. Hacker’s beg to differ and have been hacking ATMs for years, often relying on the fact that most ATMs have outdated software, in most cases older versions of Microsoft, that has long since been abandoned and no longer receiving any support.

According to research published by Kaspersky Labs a new piece of malware designed specifically to hack ATMs. Called WinPot, quite literally turns the ATM into a slot machine. However, a slot machine implies there is a chance of winning. WinPot allows the “player” to always win and illegally receive cash from the machine. In order to install this type of malware the hacker needs either network access or to be able to physically access the machine itself. As detailed in another report published by Kaspersky Labs details how just using a 15 USD drill and drilling in the right spot will grant a hacker serial access to the computer within the ATM. Once this is done it is relatively simple to install the malware which replaces the ATMs normal display with four buttons labeled “SPIN”. Each “SPIN” button represents one of the four cassettes, the cash dispensing containers, in the ATM. When the hacker selects one cash is dispensed from that container. Kaspersky does not name the ATM brand but wisely just refers to it as a “popular” ATM brand.

It is no over-exaggeration to say that APT 28, also called Fancy Bear, has become a thorn in the side of law enforcement and security researchers. Fancy Bear is believed to have links with Russian military and intelligence agencies including the GRU, or the Main Directorate of the General Staff of the Russian Armed Forces for those wanting the entire name, which is the main intelligence agency serving the Russian armed forces. Fancy Bear is one of the most active advanced persistent threat groups on the planet and is believed to have played a pivotal role in the attacks upon the Democratic National Committee, both in 2016 and in 2018. Now Microsoft, in a blog post, that the group is actively targeting political organizations engaged in the upcoming the upcoming 2019 European Parliament election, due to be held in May 2019.

According to Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft, the Redmond based tech giant has recently detected activity targeting democratic institutions in Europe. The detections are as a result of Microsoft’s expansion of its Threat Intelligence Center (MSTIC) and Digital Crimes Unit (DCU) to protect customers across the globe. The malicious activity is also not isolated to the political sphere but often extend to think tanks and non-profit organizations working on topics related to democracy, electoral integrity, and public policy. These are organizations that are often in contact with government officials and other policymakers. As an example of this Microsoft detected attacks targeting employees of the German Council on Foreign Relations and European offices of The Aspen Institute and The German Marshall Fund. It was also stated that researchers detected attacks dating to between September and December 2018 targeting 104 accounts belonging to employees at various organizations, with the organizations been domiciled in Belgium, France, Germany, Poland, Romania, and Serbia.

Security researchers at Avast discovered a new malware strain which is being distributed via Facebook Messenger and Skype. This may come as another blow to Facebook’s reputation that is limping from one public relations nightmare to the next. News of the new Malware quickly followed the release of the UK’s Digital, Culture, Media, and Sport select committee’s investigation report. The investigation took 18 months to complete and had the mandate to investigate Facebook’s role into the dissemination of fake news. The over a hundred-page report found that Facebook may be guilty of purposefully obstructing its inquiry and failing to tackle attempts by Russia to manipulate elections. The report went further and labeled the social media giant as “digital gangsters”.

In a report published over the weekend by Avast will not have the same effect as the report mentioned above, however, malware has the ability to ruin a day for multiple individuals and companies do not want their applications used to distribute malware no matter how big they are. In the report researchers described that the new threat can be seen as a “multi-stage malware”, meaning that the malware deploys in stages. This is a common tactic used by malware authors to avoid detection and allow for the deployment of other malware strains at a later date. Avast discovered the malware in August 2018 and have noticed the malware had been updated on a monthly basis. The firm noticed though that in January 2019 the malware has been updated on a daily basis.

Popular YouTubers are akin to other celebrities in daily life. They have hordes of fans following their exploits with many of those fans wishing some of the stardom would rub off on them. Hackers are now exploiting this desire and leveraging famous YouTubers in a phishing scam. Phishing still remains a popular method of getting users to hand over vital information and often involves hackers trying to lure unsuspecting victims to the site to trick them into disclosing their login, password, credit card number, PIN, or simply to redirect traffic to generate click revenue. This is more often than not by hackers creating authentic looking emails or websites to act as the lure and trick victims, often including some form of social engineering to get the user, now a victim, to enter information without question.

In articles published by both Kaspersky Labs and RiskIQ details how the scam operates and the eventual goal. Many instances of cybercrime go unreported in the larger news networks, however, given our fascination with famous individuals this event has been covered by the BBC and the Verge. In summary, the scam involves the sending of an email to the target from what would appear to be a famous YouTuber with the email often stating that the recipient stands in line to win something, be that an iPhone X or something else of value. In order to be entered into the competition the recipient just has to follow a few simple steps involving a few mouse clicks. If this is done the recipient is now the victim.

In what may prove to be a world first security researcher’s at ESET discovered a piece of clipper malware which replaces victims Bitcoin and Ethereum wallet addresses with the attackers own. Clipper malware, often also referred as a clipboard hijacker, is designed to access the computer’s data buffer, commonly referred to as the clipboard, for anything that resembles a cryptocurrency wallet address. If such an address is found those addresses are removed and replaced with the attackers in the hope that the victim will transfer funds to the attacker's address. Given that wallet addresses are long and far from easily recalled from memory clippers are proven a low tech but effective means of stealing from victims.

Detected as Android/Clipper.C by ESET researchers, the malware masquerades as the legitimate service MetaMask in order to trick users to download the malware. These malware strains have not been seen in large amounts targeting mobile devices. Rather, the majority of instances have been seen infecting desktop devices. They are still incredibly new malware with Windows PC’s seen infected in the wild in 2017. It arrived on Android in 2018 but only on non-official app stores, known for distributing various malware variants to those not using official app stores that have a level of protection. That was until February 1, 2018, when researchers discovered the clipper on Google Play Store, Android’s official app store.

The malware authors behind the GandCrab ransomware are continually giving law enforcement and security researcher headache after a headache. Not only does the author’s continually evolve the malware to include newer features, but they also keep evolving their business, if it can be called one, model. Despite setbacks, the group seems to come back stronger. In a combined effort Europol and Bitdefender released a decryption tool for many of the versions of GandCrab seen in the wild. Such a concerted effort to thwart GandCrab operators left them bruised but not out. The latest version, 5.1, has no decryption as of yet, although a removal guide is available on this platform. Further, the business model has now included measures to help dishonest data recovery firms hide costs to bump up their margins.

In a recent report published by security firm, Coveware illustrated how dishonest data-recovery firms have found a business ally in the malware authors behind GandCrab. In essence, the GandCrab TOR website allows dishonest data-recovery companies to hide the actual ransom cost from victims. This is done in a variety of ways but one such method includes the awarding of coupons to recovery firms who frequently access GandCrab's TOR site.

A report published by blockchain analysis firm Chainalysis has revealed that two separate hacker groups are responsible for up to 60% of all publicly reported cryptocurrency exchange hacks. Further, it is estimated that the two groups combined have stolen approximately 1 billion USD worth of cryptocurrency since the start of their operations. Chainalysis may not be the first name the public thinks of when it comes to cybersecurity, however, the group has earned a solid reputation for illuminating what it terms cryptocrime. The firm made headlines when working with Google it was discovered that that 95% of all ransomware payments made since the start of 2014 were converted into fiat currency via the BTC-e exchange portal. Their investigation led to the arrest of Alexander Vinnick, the CEO of BTC-e at the time.

According to Chainalysis the two prominent groups tracked over a period of years, called Alpha and Beta respectively by the firm, on average stole 90 million USD per hack. Through their analysis, they found that the biggest group is Alpha but that does not mean Beta is by any means too small to ignore. Both groups specialize in breaching exchange portals in order to steal cryptocurrency. They then move the stolen currency through a complex network of wallets and exchanges in an attempt to disguise their origin.

It is no secret that the US faces many cybersecurity threats to national and business interests. With government workers returning to jobs after a lengthy government shutdown over President Trump’s planned border wall the true cost of how the shutdown impacted cybersecurity can be calculated. However, not all government bodies were completely hamstrung. In a combined operation between the US Department of Justice (DOJ), the FBI's Los Angeles Field Office and, the US Air Force Office of Special Investigations (AFOSI) announced that operations were underway to take down Joanap, a botnet operated by North Korean hacker groups. On January 30, 2018, the US Department of Justice announced its efforts about the operation which had been active since October 2018. The DOJ provided court documents which included a court order and a search warrant to provide the public with more information.

Based on the documents provided, readers will be provided with a unique insight into how the operation was made possible and conducted. The operation started with the authorities operating servers which mimicked infected computers part of the botnet, and silently mapped other infected hosts. This was made possible purely because of the way the botnet had been constructed. The botnet relies upon peer-to-peer (P2P) communications system where infected hosts relay commands introduced in the botnet's network from one to another, instead of reporting to one central command-and-control server. In its simplest form P2P communication relies on creating a network architecture that partitions tasks or workloads between peers. Peers have equal privileges, it is this fact that was the botnet’s Achilles heel.

Last week new ransomware variants come to light which grabbed more than a few headlines. First, we had Phobos, operated by the group behind the Dharma ransomware family, then secondly hAnt which targeted mining rigs. Towards the end of last week, it would seem that those using trojans in financially motivated cybercrimes did not want to be forgotten. Two trojans were discovered by two separate security firms, both looking to steal victims’ money but in two different ways.

First discovered in 2015 the RTM Trojan, or Read-the-Manual, was used in campaigns designed to target predominantly Russian speakers. In a new campaign, it is again Russian speakers who appear to be the main target of the campaign. The latest campaign has been analyzed and tracked by Palo Alto Network's Unit 42 security team and rests on convincing users into downloading and executing the RTM banking trojan, also sometimes called Redaman. This is done by using the threats of debt and missing payments to scare users into inadvertently downloading the malware.

It has been a busy week in the news for ransomware. First, it emerged a new family called Phobos was discovered and been used by the group behind the Crysis and Dharma families of ransomware. Then reports emerged of another new ransomware called Anatova. Then finally, although the week has not ended yet, another new ransomware has been seen infecting Bitcoin mining rigs in China called hAnt.

China is widely regarded as the country where the highest concentration of mining farms can be found. Thus, it is of no coincidence that the majority of hAnt infections have been reported coming from China. Initially, news of the infections broke on Yibenchain.com with a later article in English been published on ZDNet. According to the article on ZDNet the ransomware was first discovered in August 2018, however, a new campaign targeting mining farms seems to have started earlier this month.

Discovered in December 2018, a new ransomware variant called Phobos was discovered by researchers at Covewave which it would seem is a combination of the Dharma and Crysis ransomware variants. The naming of the new ransomware variant will pique the interest of those fond of Greek Mythology as Phobos was the god of fear who was the son of Ares and a brother to Deimos the god of terror. With such a strong name questions will be asked as to whether the malware is indeed something to be scared of.

In the report published by Coveware what readers will initially find the most striking is the similarities to the Dharma ransomware variant that has been used so successfully over the years. These similarities go so far as to use the same attack vector that Dharma has, namely open or poorly secured RDP ports. The leveraging of unsecured RDP or Remote Desktop Protocols ports is a favored attack method of hackers. In September 2018, the FBI warned businesses owners to secure these ports as a spike in attempts to gain a foothold in a network was seen exploiting this attack vector. One such attack campaign seen was a campaign using the Crysis ransomware, a closely related cousin to Phobos.