Internet threat news

Ransomware continues to be a major bane facing enterprises and government organizations, with the latest high profile victim being Travelex. The currency exchange suffered a Sodinokibi attack, which left some of the company’s online services offline for three weeks. Another new worry for those tasked with securing networks is that ransomware operators are now not only encrypting data but stealing it and threatening, in some cases actually, releasing the data to the public. Researchers spend time analyzing the code behind the malware but what of the costs associated with an infection? Often for CEOs, CFOs, and stakeholders this is often the most important factor when looking to come through such an infection relatively intact.

Online gaming has long been a target for hackers, whether to cheat or to deny other gamers the service they have in many cases paid for. In denying other players the online service hackers will often employ distributed denial of service (DDoS) attacks. Not only do such attacks prevent other players from playing or using attached services or web stores, but they impact negatively on the company’s earnings. Hackers have already figured out that they could hire out their services to other malicious gamers and reap a profit. In a process that started in September 2018, Ubisoft has adopted a new tactic to try and prevent future attacks from happening. This tactic involves the courts to sue operators advertising their DDoS skills to whoever is willing to pay.

It seems like the start of the year is not complete without a new and dangerous vulnerability been disclosed to the public. Last year it was the Spectre and Meltdown CPU vulnerabilities. This year the new threat is posed by CVE-2020-0601, better known as Curveball. The vulnerability is described as a spoofing vulnerability that exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. According to Windows, this vulnerability could allow an attacker to,

Sodinokibi and a handful of other ransomware variants are currently dominating discussions regarding ransomware. Continual updates; changes in tactics and infection vectors; and improved targeting tactics placing corporations and government organizations within their crosshairs, have all made Sodinokibi a nightmare to deal with if infected. Now another change in tactics adds to the threat posed by the ransomware variant. The change of tactics does not involve a new advanced code module or infection vector, rather the release of data stolen if the victim does not pay the ransom in time.

In December 2019, representatives of the Sodinokibi ransomware threatened to take such steps on an underground Russian hacker forum. The post was shared with the community by security researcher Damian who discovered UNKN, the public-facing representation of the ransomware, had posted the threat. Such a tactic has been seen before with Maze, another ransomware variant, published 700 MB of data stolen from Allied Universal. At the time this was believed to be only 10% of the data stolen by hackers while simultaneously conducting ransomware operations. The data was released in response to payment not being made by the victim. Sodinokibi now has followed suit.

With tensions near the boiling point between Iran and the US, news feeds across the globe have been dominated by headlines. The InfoSec community was also stirring with opinion pieces relating to Iran capabilities in carrying out cyberattacks. However, Iranian state-sponsored hackers are now in the headlines for an incident that occurred on December 29, 2019. It is believed the above-mentioned hackers infected Bapco, Bahrain's national oil company, with a new data wiper.

Wipers, also known as data wipers, are specific pieces of malware specifically designed to destroy data. In the past state-sponsored groups have used wipers in an attempt to remove all trace they had compromised a network. According to a security alert issued by Saudi Arabia's National Cybersecurity Authority and linked by ZDNet the attack was not as successful as intended as only a section of Bapco’s network and connected work stations were affected. The alert was sent to local businesses within the energy sector to warn them of potential intrusion and infection. Given the release of the alert happening over the weekend and the date of the incident, it is important to note that this incident is not directly related to current Iranian and American tensions.

In a recent blog article published by the Microsoft Defender, ATP Research Team reveals some interesting numbers regarding RDP brute-force attacks. The key findings of the research team include that brute-force attacks on RDP ports last an average of two to three days and only approximately 0.08% of these attacks are successful. The sample size for the research was 45,000 PCs over a period of months which lends to the study's credibility.

Remote Desktop Protocol (RDP) is a feature of the Windows operating system that allows users to log into a remote computer using a desktop-like interface via the computer's public IP address and port 3389. Typically used in enterprise environments it allows system and network administrators to manage servers and workstations remotely. Likewise, RDP is used by employees while away from their desks to perform work tasks. While proving a handy administrative tool, hackers soon learned that if they could scan for Internet-facing RDP ports that are not properly secured and gain access to targeted machines. Once access is gained hackers can drop any number of malware strains they want to.

The US Coast Guard announced that it had suffered a ransomware infection which resulted in the shutdown of a maritime facility for more than 30 hours. The security bulletin, published just before Christmas, also stated that the ransomware was Ryuk. The bulletin, however, makes no mention of the name or the location of the port authority, it merely described the incident as recent. The US Coast Guard noted that the security bulletin intended to inform other maritime authorities of the incident to act as a warning and hopefully prevent future attacks.

While the bulletin did not specify which port or maritime authority was impacted by the attack, it did state that they believe hackers gained access to the network via a phishing email sent to one of the authority’s employees. The agency further elaborated that,

On December 23, Russian news agencies began reporting that the government had concluded a series of tests designed to disconnect Russia from the Internet. The tests involved Russian government agencies, local internet service providers, and local Russian internet companies with the main aim of the tests to see whether the country's national internet infrastructure, called RuNet, could function without access to the global DNS system and global Internet infrastructure. The Russian government concluded that the test was a success as Internet traffic was routed internally, effectively creating a massive intranet.

At the time of writing the public will have to take the government’s word for it as no technical data has been released to the public. Government officials stated that several disconnection scenarios were tested, including a hostile cyber-attack scenario from a theoretical foreign power. Alexei Sokolov, deputy head of the Ministry of Digital Development, Communications and Mass Media, further stated that the results of the successful test would be presented to President Vladimir Putin next year. Sokolov further summarised the success of the test as,

In a recent report security researchers have found evidence showing that a Chinese state-sponsored hacking group, APT20, has been able to bypass two-factor authentication (2FA) in a recent campaign. Advanced persistent threat (APT) groups are typically defined as groups, more often than not state-sponsored, who gain access to a specific network and are able to operate for long periods of time before discovery. APT20, or Wocao, is such a group and appeared until very recently to have gone on a hiatus with not much known of their operations for periods spanning 2016 and 2017.

In the report published by Fox-IT, it was shown that the group's primary targets were government entities and managed service providers (MSPs). The government entities and MSPs were active in fields like aviation, healthcare, finance, insurance, energy, and even something as niche as gambling and physical locks. As mentioned above, security researchers seemed to lose track of APT20 activity during the period from 2016 to 2017. I’m sure some hoped they were gone for good but given the current research, the group changed its tactics fairly considerably. Based on this new information it would seem the group has been active over the last two years.

What could be worse than being infected by one piece of malware? The answer is painfully obvious, in that more than one infection is worse. What started as a lame joke may be a reality for organizations infected with Legion Loader. In a recent campaign discovered by researchers, a threat actor is attempting to infect as many machines as possible with a loader capable of dropping multiple malware strains.

Discovered by researchers at Deep Instinct who subsequently published their findings in an article, details how what various strains are dropped during the attack. Due to the number of malware strains dropped the researchers have dubbed this campaign “Hornet’s Nest.” It is not yet known how victims are infected with the initial Legion Loader but the attack is being offered as a cybercrime-as-a-service operation. Despite not knowing the initial attack and infection vectors, Legion Loader is written in C++ and still appears to be under development. Clues in the code also suggest that the loader is developed by a Russian speaker and based on the current attack pattern the operators are targeting organizations in the US and Europe.

Payment processing giant Visa warns that North American fuel pumps are currently being targeted by cybercrime syndicates looking to install Point of Sale (PoS) malware across their networks. PoS malware is typically seen as malware designed to steal credit card information from the point of sale devices commonly used in shops, as well as fuel pumps, to process debit and credit card transactions.

The malware works differently when compared to banking trojans and other malware designed to steal financial information. This is because payments processed through such devices are encrypted so that if the information is intercepted it can’t be read by prying eyes. The decryption of the data only occurs in the PoS device’s random-access memory (RAM), where it is processed. PoS malware specifically targets the RAM to steal the unencrypted information. The process is called RAM scraping and is made possible via built-in backdoors and command and control features abused by hackers.

Phishing, namely the fraudulent attempt to gain an individual's personal information or credit card information via the use of emails and fake websites, continues to be a favored tactic employed by hackers to part users with money and information that can be used for identity theft. In a recent blog post has revealed three of the more cunning phishing operations they discovered for the year of 2019.

Over the years protections against phishing have increased and become incredibly effective, preventing billions of malicious phishing emails from reaching end-users. This has in a sense created an arms war between cybercriminals and those looking to secure machines and networks. Researchers at Windows’ Office 365 Advanced Threat Protection noticed an escalation in the tactics used as well as techniques involving the abuse of legitimate cloud services like those offered by Microsoft, Google, Amazon, and others. The first cunning case study involves the use of URLs that point to legitimate but compromised websites.

New and novel ways to further a malware main objectives do not happen too often. Hackers prefer to use tried and tested means to distribute and deploy malware. Even the development of new malware is generally done by veteran groups of hackers with a certain skillset. When a new trick is seen interest is raised accordingly amongst researchers and journalists. The trick that has gotten all the attention lately was created by the malware authors behind the Snatch ransomware. The trick involves rebooting the infected machine into Safe Mode and then encrypting files. This is done in an attempt to avoid detection.

In a recent report published by Sophos, researchers noted that the trick works because some antivirus packages do not start in Safe Mode, the mode is used to recover from a corrupted operating system. This is likely the first time such a tactic has been seen in the wild. This is novel for a second reason as the majority of malware currently circling the Internet does not persist on the machine after a reboot, meaning Snatch has been designed to persist and function after the machine has been rebooted in Safe Mode.

After a two year hiatus the botnet, named Great Cannon, has been resurrected back to life to carry our DDoS attacks. A distributed denial of service (DDoS) attack is a malicious attempt to disrupt the traffic heading to a server, network, or website by flooding the infrastructure with traffic. This is done by utilizing compromised machines, referred to as sometimes as bots, to continually send requests to the target. Another method used to carry out the attacks is to intercept other legitimate traffic and then redirecting that traffic towards the victim. This works by essentially causing a traffic jam as the server cannot deal with all the requests and cannot deal with legitimate traffic denying users the service offered.

Great Cannon was last seen in 2017 when Chinese authorities used it for DDoS attacks against Mingjingnews.com, a New York-based Chinese news site. Now the DDoS botnet is been used to launch attacks against LIHKG, an online forum where Hong Kong residents are organizing anti-Beijing protests. Great Cannon made a name for itself when it was used to attack GitHub and GreatFire.org. GitHub was targeted for hosting tools to aid Chinese users to bypass China's national firewall, while GreatFire.org was targeted because it exposes internet censorship across the globe.