Internet threat news

In January 2018, the InfoSec community was rocked by the news of the Meltdown and Spectre vulnerabilities affecting entire generations of Intel processors. As of May 14, 2019, academics announced that they had discovered a new side-channel attack affecting Intel processors. The attack utilizes a set of vulnerabilities that can allow attackers to retrieve data being processed inside a CPU. The flaw has been termed Zombieload and is fundamentally similar to the Meltdown, Spectre, and Foreshadow side-channel attacks that emerged.

As with the other three, the Zombieload flaw is exploited by abusing the speculative execution process. Speculative execution is an optimization technique where a computer system performs some task that may not be needed. Work is done before it is known whether it is actually needed, so as to prevent a delay that would have to be incurred by doing the work after it is known that it is needed. If it turns out the work was not needed, after all, most changes made by the work are reverted and the results are ignored. The academics who discovered the flaw published their findings in an academic paper titled, “ZombieLoad: Cross-Privilege-Boundary Data Sampling”, where prior to publishing the academics in question spent more than a year punching holes through the various components of the speculative execution process. What they discovered was an attack method which allowed for the leaking of data from the target CPU’s buffer zones and data processing operations.

According to researchers at Kaspersky Labs a Korean-speaking hacker group called ScarCruft, which is alleged to be a state-sponsored advanced persistent threat (APT) group, has increased its cyber-espionage ability by including a Bluetooth harvesting module within its current arsenal of cyber weapons. The group is known for targeting organizations and companies with links to the Korean peninsula and is known to use common techniques such as spear phishing and strategic web compromises to carry out campaigns. The latter technique, strategic web compromises sometimes also referred to as watering-hole attacks, where the attacker compromises a carefully selected website by inserting an exploit resulting in malware infection.

Kaspersky has been tracking ScarCruft activity since 2016 with what was termed Operation Daybreak where the group used a zero-day exploit to begin the process of infecting victims with malware. The malware traditionally is installed in a multi-stage process designed to bypass Windows UAC (User Account Control) in order to execute the next payload with higher privileges. The next step in the infection process occurs when the malware creates a downloader and a configuration file from its resource and executes it. The downloader malware uses the configuration file and connects to the command and control server to fetch the next payload. One of the key features of the malware is one of the methods it uses to avoid detection. The downloaded malware comes in the form of an image file with malicious code hidden within.

Those who have invested in Bitcoin have had much to smile about recently. The cryptocurrency rose to 6,000 USD on May 8, this was the first time it had broken this mark since November of last year. Nowhere near the 10,000 USD of yesteryear at the height of cryptocurrency popularity, this is still seen as some form of validation for those loyal to the original cryptocurrency. However, if you used the popular cryptocurrency exchange Binance, seen as one of the top five exchanges on the market currently, the price of bitcoin may be overshadowed by the news that hackers managed to steal 41 million USD from the exchange.

The hack occurred on May 7 and was responsibly disclosed to users of the platform via an official blog post. The company stated that the hack occurred as a result of hackers using a variety of techniques, which included phishing and the use of malware, to gain access to user accounts, which included API keys, 2FA codes, and potentially other information. It appears that the attack was incredibly well co-ordinated because at a set time the hackers initiated a mass withdrawal from these accounts, generating a massive 7,074 BTC transaction from Binance's main “hot wallet” to several smaller accounts. The massive withdrawal did trigger numerous alerts and warnings within the Japanese based exchange but sadly these warnings came too late in order to prevent them from happening.

Various Japanese news outlets reported that the Japanese Defense Ministry has adopted policies to enable the creation and maintenance of cyber-weapons in the form of malware. Japan is the latest country to announce that to formally recognize that it owns and develops cyber-weapons along with the US, UK, and Germany. According to the Japan Times the malware, which is to be created by a private company and the malware will be able to break into a computer system, hoping such a computer virus could work as a deterrent against cyber attacks. The malware is intended to be used as a defensive measure only according to government officials.

This announcement comes as part of the Japanese Defense Ministry plan to enhance its defensive capabilities beyond the ground, marine, and air domains but adopting both cyber and outer space as new areas requiring defensive expansion. Compared with other nations Japan is perceived to be lagging behind in its capability in addressing cyber threats. In order to readdress this, the ministry is looking to increase the number of personnel in its cyberspace unit to 220 from 150. This number is still considered small when one compares it to other countries with 6,200 personnel in the United States, 7,000 personnel in North Korea and 130,000 personnel in China according to data collected by the ministry.

Attackers have been actively exploiting a zero-day vulnerability in the widely used Oracle WebLogic Server to deliver not one but two ransomware variants. Zero-day vulnerabilities can be defined as a software security flaw that doesn’t yet have a patch. These vulnerabilities can result in security holes waiting to be exploited by cybercriminals. What is truly novel, and somewhat frightening, about the attack is the ransomware can be downloaded and executed without the end user clicking on anything, the attacker simply exploits the vulnerability. Traditionally, ransomware infections require the end user to initiate the downloading of the malware. This can be done by clicking a link or downloading an attachment, as examples. The above attack does not need this once an integral step to infection.

The vulnerability exploited in the attack was discovered two weeks ago along with a proof of concept exploit code. The vulnerability, CVE-2019-2725, was made public by the Chinese National Vulnerability Database and according to researchers from the security educational group SANS ISC warned that the vulnerability was under active attack. The vulnerability is regarded by experts as easy to exploit and allows the attacker the ability to execute code of their choice on cloud servers. The disclosure caused Oracle to release an emergency patch and it is strongly advised that administrators download the patch if they have not already.

Researchers at Malwarebytes have been closely following a sustained campaign against both users of the popular Electrum Bitcoin wallet and the company itself. What initially started out as a phishing campaign which was designed to trick users into downloading a malicious version of the wallet by exploiting a weakness in the Electrum software. This malicious wallet would then steal funds from the victim, by February of 2019 the attackers had stolen approximately 4 million USD, and in April this number has increased to 4.6 million USD. In February, the wallet's developers responded by exploiting the same flaw in order to redirect users to download the latest patched version.

For most incidents that would be the end, however, in March it became apparent that the software was in far more trouble than originally believed. The developers of the wallet actually had to attack their own users using an unknown vulnerability so that they couldn’t accidentally connect to a bad node exploited by the attackers. Now the attackers have responded by infecting machines with a botnet in order to carry out Distributed Denial of Service (DDoS) attacks against the wallet’s infrastructure. According to the researchers on April 24, the number of infected machines in the botnet was just below 100,000 and the next day it reached its highest at 152,000. The number of infected hosts keeps fluctuating but has seemed to plateau at over 100,000.

Researchers have seen a new campaign dropping the Qbot banking trojan via a phishing email campaign. The campaign was discovered by the JASK Special Operations Team. The trojan is dropped via camouflaging the spam email as parts of previous conversations in order to help avoid detection. The Qbot trojan is by no means new, first appearing in 2009, despite its age it has gone through numerous updates and evolutions in order to steal financial data and banking credentials from their targets. Numerous updates have also enabled the trojan to drop additional malware, to log user keystrokes, and create a backdoor to compromised machines. According to the JASK Special Operations Team,

“The delivery mechanism for this Qbot infection was a phishing campaign where the targeted user received an email containing a link to an online document. Interestingly enough, the delivery email was actually a reply to a pre-existing email thread.”

The team of researchers published their findings in an article which further showed that the link used by the hackers contained a VBScript-based dropper script packed as a ZIP archive and designed to drop the Qbot malware payload after being launched by the victim. The trojan is then downloaded by abusing the legitimate Windows BITSAdmin utility (bitsadmin.exe). The file that is used to hide the trojan is titled “August.png” and has up until the time of writing been detected 55 times on VirusTotal.

While Christians over the globe were celebrating the Easter weekend, news of three separate data breaches surfaced. On Saturday, 20 April 2019, a popular health and fitness platform Bodybuliding.com alerted its customers of a security breach detected during February 2019 which was the direct result of a phishing email received back in July 2018. Bodybuilding.com is the world's largest fitness website, with a community of over 1,000,000 BodySpace members and more than 17,000,000 forum members, as well as over 32,000,000 orders shipped all over the world since its online shop was opened for business. Along with the announcement two separate health care companies also suffered data breaches. With regards to the health care companies, one company illustrated how an organization should deal with a breach and another the wrong way.

Returning to the Bodybuilding.com data breach, the company announced that the breach may have affected certain customer information and after investigating the incident with the help of “external forensic consultants that specialize in cyber-attacks,” Bodybuilding.com says that it “could not rule out that personal information may have been accessed.” The company further confirmed that no full debit or credit card numbers could be accessed and stolen as the company only stored the last four digits and only for customers who opted to have their cards stored with their account information. Further, no social security numbers were compromised. As a precaution the company has reset all user passwords, meaning that users would have reset their passwords when logging onto the platform again.

Combatting malware infections is often a hard and thankless task made increasingly difficult by hackers. This task is made harder when attackers change tactics. When the costs associated with infections, such as data recovery, increase more stress is placed on organizations and those that defend the organizations. The latest report by Coveware shows that ransom amounts demanded in ransomware incidents has risen approximately 90%. Not only will departments responsible for cybersecurity curse the news but financial managers as well.

Coveware's Ransomware Marketplace Report involved analysis of recent ransomware cases the security firm has investigated. Figures from the investigation showed that the average ransom organizations paid per incident during the first quarter of this year stands at 12,762 USD, compared to 6,733 USD in the final quarter of 2018. This shows that the ransom cost associated with ransomware infections has almost doubled. According to Coveware, this increase can be accredited to the emergence of more expensive and more hands-on forms of ransomware like Ryuk, Bitpaymer and Dharma. These new hands-on, termed hands-on as the attackers actively target victims, ransomware variants no longer use the spray and pray technique of sending out massed spam emails but are far more targeted in approach. This approach has placed companies and organizations in their crosshairs in order to try to extort a much larger ransom.

In December 2019 this publication covered the emergence of sextortion scammers using ransomware in a bid to increase illicit earnings. It would appear that yet again such scammers are feeling the pinch and changes tactics once more in order to make money. The scammers behind the “Aaron Smith” scam, named after the email address used to send out the scam emails, made nearly 150,000 USD in Bitcoin in the period between August 30 and October 15. These profits have taken a remarkable knock, with the operators making only 17,000 USD in the first quarter of 2019.

In an effort to prevent this downward slide from continuing the scammers have changed tactics in order to prevent spam filters from stopping their emails of reaching their potential victims. According to researchers at Cisco Talos in a recently published article, revealed how the scammers adopted a relatively simple technique in an attempt to bypass spam filters. In the email example provided in the article, one would not be able to see that the message hides something behind the normal text. On deeper analysis, the message reveals a more complex underlying code that mixes plain text letters with HTML character entities. The recipient sees only the rendering of the email client. It is when the email is viewed in such a way the technique employed by the scammers is revealed.

From recently published research by FireEye indicates that the hackers behind the Triton malware are active once more. The group rose to the public’s attention in 2017 when the malware was used to target a petrochemical plant in Saudi Arabia. In this instance, according to research conducted by Symantec, it is believed that the attack was meant to cause physical damage at the industrial site. The attack was close to causing severe damage at the facility, but Triton's activities inadvertently closed down the plant due to its manipulation of SIS systems which caused them to enter a failed safe state.

Triton, sometimes of referred to as Trisis was specifically engineered to target a specific type of industrial control system (ICS), namely Triconex safety instrumented systems (SIS) controllers developed by Schneider Electric. The malware is named after the specific safety instrumented system it targets. Triton is unusual in the sense that it hones on processes with the aim to shut them down, resulting in the tampering with safety systems which could result in damage been caused to industrial systems resulting damage to machinery. Malware designed for such a purpose is relatively rare and forms only a handful of the threats faced on the current landscape. Previously seen examples include Stuxnet and Industroyer with the latter being a highly customizable piece of malware which can be equipped to better suit the attacker’s needs. Stuxnet was seen targeting nuclear power stations while Industroyer was seen targeting more conventional power stations.

In the middle of March 2019, we covered the emergence of a new POS malware, DMSniff. The article further highlighted the threat posed SMBs and retailers posed by malware specifically designed to scrap card details from POS machines when a card is swiped. Central to this threat is one group FIN6 and their use of the Trinity to steal and later sell card details on hacker forums which roped them in millions upon millions of dollars. According to a report published by security firm FireEye, FIN6 are now deploying ransomware in where it cannot infect the target with its created POS malware.

FIN6 has been linked to numerous attacks netting in millions of dollars. Researchers at FireEye describes the group and its tactics as,

Security firm TrendMicro has discovered a new variant of the XLoader trojan is targeting Android devices by posing as a security app. Mac users are not out of the woods either as the trojan also attempts to infect iPhones and iPads through a malicious iOS profile. Previously researchers have seen Xloader posing as both Facebook and Chrome. This latest variant includes a new deployment technique and modifications to the source code.

The malware is also hosted on fake websites that mimic legitimate domains, this is done in an attempt to trick users into downloading what they believe is a legitimate and necessary security product. Researchers also found that links to the malicious websites are sent to potential victims using SMiShing, short for SMS phishing.

Hackers and cybercriminals are just as susceptible to trends to the millions upon millions of social media users. In the case of hackers, a trend is often determined by ease of use and chances of securing an easy payday rather than what the latest celebrities are promoting. More often than not security firms publish findings on the drastic increase in one type of malware or the other. In a turn of events, Kaspersky Labs published findings of how one method of distributing malware is finding less favor among hackers.