Internet threat news

Based on research published by security firm McAfee has confirmed that the gang behind the NetWalker ransomware have established themselves as one of the most dangerous ransomware operators on the threat landscape. The research conducted by the firm reveals that the gang has potentially netted 25 million USD in ransomware payments since March 2020, proving the profitability of well organized and skilled ransomware gangs can generate as well as the danger posed by such gangs. While the 25 million USD figure is an estimate as it is not like these gangs have to report earnings to auditors or revenue services, it does mean that the gang ranks amongst some of the most successful gangs today including Dharma, Sodinokibi, and Ryuk. It is also noted by some that the figure of 25 million may be conservative due to the security firm’s limited view of the entire ransomware operation.

When Kaspersky Labs provided evidence the North Korean state-sponsored hacker collective named Lazarus was behind the WannaCry ransomware debacle that propelled ransomware into the limelight of malware, some scoffed. Those that believed it not to be the case seemingly also ignored evidence provided by several Western intelligence agencies. State-sponsored groups did not participate in for-profit, or financially motivated, hacking campaigns was the wisdom of the time. That time being 2017, now a better understanding of the group has led to wisdom on such matters. State-sponsored groups can indeed be financially motivated and perform cyber espionage. There was not a rule chiseled in stone, and there was most certainly no hacking rulebook being published in North Korea, raids on banks and cryptocurrency exchanges can attest to the mindset exhibited by Lazarus.

For Garmin’s vast user base the news that something is wrong with the services offered, is perhaps painfully old by now. In summary, reports began emerging as soon as July 23 that large swathes of the company’s services were offline. The company remained quiet as to why services were offline except for a tweet and an announcement via their website. In time several employees would speak out and say that the company had experienced a ransomware attack, what’s more, the offending piece of malware was WastedLocker. In even another staggering twist, reports emerged that 10 million USD was being demanded as a ransom by the cybercriminals behind the attack.

One of the key ways academics and researchers prevent cyberattacks is by finding flaws and vulnerabilities in software packages before hackers can. The Spectre and Meltdown vulnerabilities were found in this way and prompted major tech giants to find solutions before irreparable damage could be done. A team of academics from the Ruhr-University Bochum in Germany published a paper detailing how fifteen out of 27 desktop PDF viewers are susceptible to a new kind of attack, dubbed “Shadow Attack” by the team. The academics involved in the research and subsequent publishing of the research paper have already made quite a name for themselves uncovering other flaws that impact the widely used PDF file format.

Sifting through academic papers can be tedious work, overly formal language and jargon make it a trying endeavor even for professionals. That being said the report succinctly summed up the need and findings of the academic’s research in the opening paragraph, stating,

After an extended hiatus of nearly five months, Emotet has surged back to life with a new campaign sending out malicious emails to users worldwide. Historically the malware has been spread via malicious emails containing documents, often Word or Excel being the favored platforms to exploit, containing malicious macros that will install Emotet on the machine. From there the malware can include the infected machine into the malware’s botnet to send more malicious emails out, spread laterally across a network, and be used to drop other types of malware. Emotet is known to drop ransomware as well as info-stealing malware once it has infected a machine.

In an article published by Bleeping Computer and a technical blog post published by Malwarebytes details of the new campaign have been released to the public. In the first-mentioned article, researchers confirmed that Emotet activity seemed to fall off the map on February 7, 2020. An Emotet tracking group Cryptolaemus noted that while there was no spamming activity for the 5 month period, the malware’s developers were actively adding malicious modules to the code. It was also noted that a couple of days before July 17, the day activity surged back to life, a few test emails were distributed across the network.

Reports began emerging on July 15 that certain high profile Twitter users, including Joe Biden, Elon Musk, and Wiz Khalifa, were advertising a way to double your money if you sent an amount of cryptocurrency to a specific wallet. Claims similar to this have been seen numerous times before in several other crypto scams, where scammers look to trick or extort cryptocurrency from individuals. It was later revealed by Twitter that the actual accounts of those listed above, and several others were hacked and used to spread the scam without the knowledge of the account users.

Other high profile accounts that were compromised included Kim Kardashian West, Jeff Bezos, Bill Gates, Barack Obama, Wiz Khalifa, Warren Buffett, YouTuber MrBeast, Wendy’s, Uber, CashApp, and Mike Bloomberg. Something to note is that the political figures, Joe Biden, Barack Obama, and Mike Bloomberg are all affiliated to the Democratic Party in one form or the other with Joe Biden being the current Democrat nominee set to take on the current president Donald Trump in November’s election. From a number of reports, it would seem that now Republican Party figures had their accounts compromised by the scammers. Further, Warren Buffet, a known and very vocal critic of cryptocurrencies who publicly stated that he does not own any cryptocurrency and has no plans to own cryptocurrency had his account compromised.

The last time this publication covered Phorpiex it was seen distributing the Nemty across its botnet infrastructure. In the past the botnet was seen distributing GandCrab, however, researchers discovered that the botnet was seen distributing a new ransomware called Avaddon during the preceding month of June 2020. Avaddon’s distribution was discovered by Proofpoint who likewise noted that several other older ransomware strains were being distributed in separate campaigns but at roughly the same time.

In a separate report published by Check Point, it was revealed that the recent surge in Phorpiex activity amounted to the botnet being one of the most active malware families for the month of June. In the month of May, the malware was ranked 13th in terms of activity, the botnet climbed the rankings in June to be the second most detected malware family. The first was Agent Tesla which has been described by researchers as,

The year has already seen several new ransomware strains emerge into the wild as well as some new campaigns from new ransomware families. With the discovery of Conti this trend continues. Conti does not deserve mention for being part of a trend but rather for the unique features and the unique spin on ransomware traits the ransomware’s developers have instilled in the malware. In a technical report published by security firm Carbon Black, the curtain has been drawn back to reveal a dangerous strain of the ransomware despite being in its infancy.

According to the report, the ransomware boasts three features that separate it from the mass of other ransomware strains currently making up the threat landscape. Those being that the ransomware has a network only encryption mode, high-speed file encryption, and the ransomware’s capability to abuse Windows Restart Manager. Returning to the network only encryption mode, for the time being, in essence, this allows the ransomware an incredible amount of control over what is targeted for encryption which in turn can be done by the attacker via a command-line client. In practice, this allows the attacker to skip encrypting files on local drives and focus solely on targeting network drives and the files shared on them.

For the most part, Google has made several great strides in preventing malware from abusing the Google Play app store. Better security policies and procedures help prevent the Android user base from increasingly becoming victims supporting a hacker’s needs. That being said, it is not impossible for malware to find its way onto the app store, more often than not hidden behind the illusion of being a useful app. Cerberus has achieved just that being discovered by researchers hidden behind a currency converter targeting Spanish users. Cerberus is a relatively new banking trojan discovered in June 2019, primarily designed to infect Android devices and steal private banking information which the attackers use to turn a profit, either selling on banking details or using the details themselves to commit fraud. Initially, upon the malware’s discovery, the banking trojan was being offered as a Malware-as-a-Service (MaaS) by renting out the malware to other hackers as well as providing technical support, often in a parody of the Software-as-a-Service business model.

Following the advisory issued by the Australian Government warning that Australian businesses and government departments were currently been targeted by malware favored by several Chinese Advanced Persistent Threat (APT) groups, researchers at several security firms have uncovered more APT activity. This time related to the group code-named Promethium. In two separate reports it has been revealed the Promethium, also referred to as StrongPity, has been seen deploying a set of new weaponized trojans that abuse the popularity of legitimate applications.

The group is believed to have been active since 2012, with some reports even suggesting the group was formed as early as 2002. Traditionally, Promethium has focused activity on targeting organizations and individuals in Turkey and Syria. Some campaigns even included targets in Italy and Belgium. The group’s main objective is intelligence gathering and has been exposed on a number of occasions by both security researchers and civil rights groups. All of which seem to have not bothered the group and its activities in the slightest as the group is widely regarded as one of the most prolific intelligence-gathering groups seemingly driven by political motivations.

In an advisory published by the Australian Cyber Security Centre (ACSC) in collaboration with the Australian Government warns of “copy-paste compromises” been used to target Australian networks. What the advisory terms “copy-paste compromises” is derived from threat actors using known proof of concept exploit code and copied open source tools. In an associated advisory which goes into much greater detail about the attacks, the attacker's tactics were summarized as,

“The actor has been identified leveraging a number of initial access vectors, with the most prevalent being the exploitation of public facing infrastructure — primarily through the use of remote code execution vulnerability in unpatched versions of Telerik UI. Other vulnerabilities in public facing infrastructure leveraged by the actor include exploitation of a deserialisation vulnerability in Microsoft Internet Information Services (IIS), a 2019 SharePoint vulnerability and the 2019 Citrix vulnerability…The actor has shown the capability to quickly leverage public exploit proof of concepts (POCs) to target networks of interest and regularly conducts reconnaissance of target networks looking for vulnerable services, potentially maintaining a list of public facing services to quickly target following future vulnerability releases. The actor has also shown an aptitude for identifying development, test and orphaned services that are not well known or maintained by victim organisations.”

Ominously named Lucifer, researchers from Palo Alto Networks' Unit 42 have been tracking the malware since its initial discovery in May 2020, the malware boasts both crypto-miner and DDoS capabilities and has been seen exploiting Windows-specific flaws. From the malware’s code, the attackers seemingly wanted to call the malware Satan, however, a ransomware variant called Satan beat them to it. Researchers have called the malware Lucifer, no less intimidating, as not to cause confusion with the ransomware.

Traditionally hybrid malware is seen as a combination of two separate types of malware. In the past, it was common to see adware combined with a worm-like feature to enable lateral movement across networks which in essence would make the malware act like a bot infecting machines and connecting them to a botnet controlled by the attacker. Put differently, hybrid malware looks to combine traditional roles of viruses and worms in that it looks to alter code like a virus and spread to other machines like a worm. Lucifer, according to a blog post published by Palo Alto Networks' Unit 42, alters code to add a crypto miner and spreads laterally using well-known weaponized exploits. In reality, many different malware strains will have hybrid qualities as malware authors are constantly looking to improve functionality and they are not bound by the definitions security researchers place on the different types of malware to make analysis easier.

In what has now become known as “BlueLeaks” the data belonging to hundreds of US Police Departments and Fusion Centers has been leaked online. An activist group going by DDoSecrets, or Distributed Denial of Secrets to give the group their long-form name, published 269 GB worth of data stolen from US law enforcement agencies and fusion centers. The data was made available via a search engine on June 19, 2020, to perhaps coinciding with the Juneteenth celebrations which commemorate the end of slavery in the US. This year’s observances of the event have gained new meaning against the backdrop of protests against police brutality in the wake of the killing of George Floyd.

The stolen data has been made available via a searchable portal which according to the “BlueLeaks” portal the data includes more than one million files, such as scanned documents, videos, emails, and audio files. The data is believed to cover more than ten years of collected information pertaining to over 200 police departments across the US. Not only does the data pertain to police departments but also fusion centers that are defined as state-owned and operated entities that gather and disseminate law enforcement and public safety information between state, local, tribal and territorial, federal, and private sector partners.

Effective disinformation campaigns have been a tried and tested method used by spies in times of war and in times of peace. Hackers, following the example set by certain state departments and intelligence services, learned fairly quickly that they could sell their services to the highest bidder in return for a disinformation campaign using social media to fan a wildfire. While hackers looked to use the same tactics honed by nation-state actors the same platforms used to disseminate have been cracking down on campaigns. However, it still appears that skilled operators can avoid measures put in place by the likes of Facebook, Twitter, and Google and spread false information to serve political ends.

Social media research group Graphika published a 120-page report that uncovers a widely unknown Russian disinformation operation active since 2014 and has flown largely under the radar. Those behind the operation have been named Secondary Infektion and is not to be confused with the Internet Research Agency (IRA), the Sankt Petersburg Company (troll farm) that has interfered in the US 2016 presidential election. Graphika is of the informed opinion that the two groups exist as separate entities with differing objectives despite the obvious overlap. Since operations began Secondary Infektion has been relying on fake news articles, fake leaks, and forged documents to generate political scandals in countries across Europe and North America. Along with the report, Graphika has also published a library of forgeries attributed to the group that shows the group's handiwork and ability to deceive even the most skeptical.