Internet threat news

It is by no means new news that governments around the world are been targeted by ransomware operators. Recently the US Coast Guard, Georgia Police Department, and the municipality of Jackson County have all fallen victim to a ransomware attack. This is not solely a problem experienced by US government departments, Emisoft determined that ransomware attacks impacted at least 948 government agencies, educational entities, and healthcare providers. Returning to the US briefly Recorded Future discovered that 81 successful ransomware attacks took place against US government bodies across the year. The successful attacks further impact other towns, cities, and departments in subsequent knock-on effects. This all begs the question as to why?

As part of Microsoft’s February Patch Tuesday a total of 99 vulnerabilities were patched. Much of the attention given to the event surrounded the patching of CVE-2020-0674, a zero-day vulnerability found in Internet Explorer that when exploited could potentially allow an attacker to execute arbitrary code through corrupting the scripting engine’s memory. This vulnerability was actively been targeted by hackers according to Microsoft in an advisory dated January 17, 2020. It was little wonder that this got the attention other than the other 98 patches released on patch Tuesday. However, some nation-state groups appear far more interested in CVE-2020-0688, a vulnerability found Microsoft’s Exchange Server which was described rather tersely by Microsoft as,

The Ryuk ransomware continues to add high profile targets to its victim list. From the US Coast Guard to Fortune 500 companies, it would seem no company or organization is safe if the malware’s operators have the company in their sights. The latest to fall victim to a Ryuk infection is legal services and e-discovery firm Epiq. The company took its systems offline on March 2, 2020, after Ryuk began encrypting critical files. The news was initially broken on the same day by Robert Ambrogi who discovered the company’s corporate website was offline following a security incident.

For hackers, whether the financially motivated or state-sponsored kind, the question of how to clean and safely use stolen funds is a major hurdle to jump. When banks and other financial institutions adopted know your client (KYC) rules as specified in numerous countries adopting similar pieces of legislation which determined the rules, ways in which hackers could launder their money were once again hamstrung. With the rise of cryptocurrency exchanges, another avenue opened when unscrupulous owners didn’t care too much where the Bitcoin was coming from. Authorities were not blind to this development and several high profile arrests and platform closures were made which helped prevent further laundering.

At the RSA 2020 security conference in San Francisco security researchers from ESET disclosed a new vulnerability that impacts WiFi communications. Along with the presentation given by ESET the Slovakian based security firm also published a white paper detailing the discovered vulnerability, currently been tracked as CVE-2019-15126. Named Kr00k, the bug can be exploited by attackers to not only incept traffic but decrypt some traffic that relies upon WPA2 connections.

According to the security firm Kr00k affects all WiFi-capable devices running on Broadcom and Cypress Wi-Fi chips. These are two of the world's most popular WiFi chipsets, and they are included in almost everything, from laptops to smartphones, and from access points to smart speakers and other Internet of Things (IoT) devices. Given the wide usage of the affected chips, it has been estimated that over a billion devices are vulnerable.

The last time this publication reported on the Raccoon info stealer malware, was when it was being dropped by Legion Loader as an additional payload along with several other malware variants. Raccoon has yet again popped up on the researcher’s radar, which is unsurprising given how popular on underground forums the malware has become of the last year. Raccoon proves that what was once cutting edge a few years ago, can be offered now for a modest price but still retain its effectiveness. While Raccoon does to rewrite the book on malware development it has undergone constant upgrades while been offered as a malware-as-a-service (MaaS) and continues to be a threat despite its lack of sophistication.

In January 2012, the European Union (EU) began the long process of creating a framework for data protection reform. One of the proposals associated with these reforms was the legislation was titled the General Data Protection Regulation (GDPR). The reforms were agreed upon in December 2015, and GDPR came into full effect on May 25, 2018. This often left companies and other organizations scurrying to ensure they were compliant with the law which probably left a bad taste in many a CEO’s or board of director’s mouths. It has been a year and a half since the law, which boosts user privacy, was adopted and it seems to be having a positive effect on cybersecurity according to FireEye’s lasts report.

Since 2015 the trojan LokiBot has been used by cybercriminals to create backdoors into Windows machines. Its continued popularity can be partly attributed to the various and often novel ways it has been distributed in the past and the tactics it employs to infect machines. In the past researchers have discovered campaigns where the trojan was spread via steganography, the technique of hiding secret data, often in an image to avoid detection. In this instance, the data hidden was malicious code that when the image was opened a script would execute. Now hackers deploying the trojan are disguising it as a launcher for one of the world’s most popular video games, Fortnite. This new campaign was discovered by researchers at Trend Micro who previously also discovered the campaign using steganography in August 2019. It is believed that the fake launcher is distributed via a spam email campaign sent to numerous potential targets.

Often new developments on the malware front can be broadly defined into two categories those that involve unique methods to carry out its designed purpose and those that are not. The recent development of hackers threatening, and in some cases, releasing sensitive data to the public if ransomware ransoms are not paid would fall into the not unique category. Such developments are blunt and rather heavy-handed, especially when compared to the new and unique method that the RobbinHood ransomware employs to bypass antivirus detection so that it can encrypt files without interruption.

Last week the US Federal Bureau of Investigation (FBI) sent out an alert warning the private industry of continued attacks carried out against software supply-chain companies. The report is yet to be released to the public as it is intended as a Private Industry Notification (PIN) which is only sent to selected industry partners and not the public at large. However, details of the alert have been provided to ZDNet who learned that attackers are attempting to infect companies with the Kwampirs malware. According to the alert sent out by the FBI stated,

Over the last several weeks the global health emergency surrounding the Coronavirus has overshadowed many other world events. Daily breaking news surrounding the virus’ spread too far-flung regions demand attention. Now, hackers are looking to further their own aims by abusing the medical threat posed by the virus. Currently, three separate campaigns have been discovered using the Coronavirus in an attempt to harvest user credentials or, as in one case, spread Emotet. This is by no means a new tactic, often phishers will send out spam emails related to upcoming sporting events or other world events that garner mass attention to try to get recipients to click on a link or malicious document. Exploiting a global health emergency, as declared by the World Health Organisation, is a key indicator of the moral fiber of the attackers behind these campaigns.

Last week this publication covered the arrest of three individuals accused of being part of a MageCart gang in Indonesia. This week brings more related news regarding MageCart attacks but so far none of this group has yet to be brought in front of a court. MageCart attacks often involve the injection of malicious JavaScript code into a trusted website's eCommerce checkout page. The malicious code then skims the card details entered by the customer resulting in the theft of consumer data. MageCart groups either gain access to the website directly or via third-party tools, such as analytics applications, to inject the malicious code.

Initially, a MageCart gang targeted an Olympic ticket reseller olympictickets2020[.]com by carrying out a MageCart-like attack on the website. Security researchers Jacob Pimental and Max Kersten discovered the attack, subsequently notified the company selling the tickets, and then later published their findings in late January 2020. The two researchers discovered that the group managed to append malicious code to the end of a legitimate JavaScript library, along with extra obfuscated code to help hide the group’s intentions. Once the researchers had managed to clear all the junk code away it was discovered that the malicious code would send the skimmed card details to opendoorcdn[.]com. Before any of this information was released to the public the researchers attempted to notify the ticket reseller via Twitter and email, as well as the chat feature included on the website in question. The pair did not receive much in the way of correspondence, however, it was noticed that the malicious code had been removed from the website on January 21, 2019.

For most of the Western World, December is associated with a myriad of holidays, for many hackers, it is open season. Consumers are warned to be careful when shopping online and companies are warned that they will be targets of what to some is a holiday period. When Wawa announced on December 19, 2020, that the retail giant based namely on the East Coast of the US suffered a data breach much of the InfoSec community was prepared for the news, even if they had no idea who would be the next victim.

At the time the company believed the breach was a result of being infected with point of sale POS malware. This specific type of malware is designed to steal credit and debit card details from point of sale devices commonly used in retail shops to process card payments. The threat posed by such malware led Visa to warn fuel stations throughout North America that there pumps and the devices attached are being targeted by cybercriminal organizations. POS malware is unique in how it manages to steal card data when compared to banking trojans. Payment devices encrypt the data of the card before sending it to the required bank network for approval. The encryption occurs in the device's random access memory (RAM), this allows the malware to scrap the hardware for the card details which are later stolen before they are encrypted. The details are then sent to command and control servers under the control of hackers.

In the fourth quarter of 2019, a spike in MageCart attacks was seen. The most infamous of which involved British Airways which involved nearly 400,000 individuals becoming victims through only a piece of code 22 lines long. Then in November, that same year details emerged detailing how Macy’s also fell victim to such an attack. The attack occurred between October 7 and October 15 when hackers had injected malicious code into the company’s online checkout web page. Now, Indonesian police have arrested three individuals accused of being part of a MageCart gang and carrying out similar attacks.

MageCart attacks involve hackers specifically targeting shopping cart applications found on eCommerce websites. The hacker uses malicious code to skim the card details entered by the customer, the process of skimming the card details has resulted in this type of attack been referred to as Web Skimming or eSkimming. The skimming of the card details amounts to theft and the hacker can now use those details for any number of purposes, popular uses been selling them on the Darknet. In order to inject the malicious code into the cart application, the hacker can either directly compromise the target eCommerce website, or target third party applications. This targeting of third party applications can be classified as a supply chain attack and often involves targeting analytics software, for example, in order to gain a foothold on the targets webpage.