Internet threat news

On a weekly basis, it appears someone gets swindled from their cryptocurrency in one form or the other. Whether Bitcoin, Ethereum, Litecoin, or Monero hackers have been quick to pounce on the new technology seemingly rewriting the rules of economics and trade. Some hackers use nasty pieces of malware while others are content merely to trick users into sending cryptocurrencies to the wrong address. In the latest instance, trickery was the name of the game. An as yet unknown attacker has tricked Experty ICO participants into sending Ethereum funds to the wrong wallet address. This was done by merely sending emails with a fake pre-ICO sale announcement to Experty users who signed up for notifications.

Facebook has bought a Boston based government ID verification service, Confirm, which Facebook will most likely use to confirm the identities of suspicious accounts in its fight against fake accounts used to spread political propaganda. Prior to Facebook purchasing the start-up, the start-up provided APIs that app developers could embed with their services. The Confirm APIs (Application Program Interface) allowed apps and online services to analyze a scan or photo of a user ID and determine if it was real or fake. Prior to the purchase, Confirm boasted that over 750 customers deployed its API throughout various products. Some of the common use cases for Confirm's government ID verification services included onboarding and account creation processes; P2P identity checks; fraud escalation, banking, and legal transactions. As per the purchase agreement, Confirm will shut down its activity and the company's employees will join Facebook's Boston office.

The hacking group behind SamSam attacks have been busy striking high profile targets since the beginning of January. These targets include hospitals, a city council, and an ICS (Industrial Control Systems) firm. Reported attacks include the one against the Hancock Health Hospital in of Greenfield, Indiana; Adams Memorial Hospital in Decatur, Indiana; the municipality of Farmington, New Mexico; cloud-based EHR (electronic health records) provider Allscripts; and an unnamed ICS company in the US. Unlike many other ransomware campaigns the group behind SamaSam, also sometimes referred to as Samas, use the variant in a targeted way not relying on massive phishing campaigns.

On January 18 the Greenfield Reporter published an article detailing the SamSam attack on Hancock Health Hospital. Hospital officials admitted that hackers’ targeted more than 1,400 files, the names of every one temporarily changed to “I’m sorry.” They gave the hospital seven days to pay or the files would be permanently encrypted but no patient records were jeopardized. Since the attack, an analysis of the attack revealed the believed location of the attackers is somewhere in Eastern Europe.

Necurs is considered the world’s biggest spam botnet with what is widely believed to be millions of bots at the creators’ disposal. In the latest use of Necurs, the spammers are currently sending millions of spam emails that push an obscure cryptocurrency named Swisscoin. Such schemes are called pump and dump schemes as spammers will buy stock in advance at a low price and sell it at a higher value when the spam campaign drives up the price. In order to drive up the stock price before selling this technique relies heavily on sending large quantities of spam to drive interest up towards a particular penny stock, in this case, the obscure and less than kosher Swisscoin.

This latest spam campaign looks to be the first time the Necurs botnet has been used to push a cryptocurrency albeit an obscure one like Swisscoin. This, however, is not the botnets first pump and dump scheme. In March 2017 the botnet was used in a similar fashion to influence the share price of InCapta stock. Then it was estimated that Necurs had anywhere between 5 million and 6 million bots able to easily send tens of thousands of emails an hour. Prior to the InCapta spam run, Necurs rather infamously was used to spread the Dridex banking trojan and several variants of the Locky ransomware family.

In this instance, the promoting of a cryptocurrency in order to influence stock prices immediately caught the attention of security researchers. This is because it differs drastically from the past method of targeting penny stocks that fall under 5 USD per stock. This left researchers questioning the choice of cryptocurrency. Why not look to influence the share price of a well-known altcoin?

Cryptocurrencies make news headlines at a near daily rate. Often they concern whether Bitcoin is about to reach a new high or the bubble is about to burst. Unfortunately, it seems they make the headlines just as often when it comes to hackers stealing funds from crypto wallets. While many nations have begun debating the dangers surrounding cryptocurrencies, or at the very least what they perceive as the dangers, continued headlines stating how money is stolen can do little for the technology that many have gotten excited about.

On Saturday, January 13, another instance of a hack came to light. This time an unknown hacker, or hacker group, managed to hijack the DNS (Domain Name Server) for BlackWallet.co, a web-based wallet application for the Stellar Lumen cryptocurrency (XLM). The hacker managed to steal over $400,000 from users' accounts.

While much of the InfoSec community is still reeling after the Meltdown and Spectre announcements, a new trend in malware developments may be occurring. Researchers at cybersecurity firm Trend Micro have released a report detailing what they believe to be the first malware discovered developed in the Kotlin programming language.

Kotlin was, for most of its early existence, a little-known programming language. That was until May 2017 when Google, at the Google I/O 2017 conference, that the programming language would become the first third-party supported programming language for Android apps, besides Java. This gave the language a surge in popularity and use. So much so that Kotlin is estimated to surpass Java as the primary programming language used for Android apps by December 2018. In hindsight, one could argue the surge in popularity would inevitably result in malware authors looking to use the language to achieve their nefarious ends. The question would be a matter of if rather when.

While the media and InfoSec community waits with bated breath for Intel and AMD’s response to the critical flaws found in generations of processors, Microsoft has been wasting little time in trying to shore up the problem with patches of their own. In their haste, it appears certain issues have arisen. In an announcement earlier today, January 9, announced that they would be pausing the roll out patches for devices featuring AMD processors. In another announcement made by Microsoft is was stated that they would not be rolling out any more security updates unless Antivirus offerings set a registry key.

The makers of the world’s most prevalent OS announced its decision today in light of numerous AMD users reporting a Blue Screen of Death (BSOD) and other types of errors that in some cases prevented computers from booting. On a support page Microsoft announced “After investigating, Microsoft has determined that some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown,”

Over the last two days, the InfoSec community has been rocked by news of a yet unnamed critical vulnerability affecting several generations of Intel CPUs. The vulnerability is due to be announced on January 9 but till then many researchers have compared the vulnerability to the now infamous Heartbleed bug. Heartbleed affected the OpenSSL library “heartbeat” which essentially lets one computer tell the other computer, “I am here. Don't close this session. I am thinking.” The heartbeat system has one computer establish a secure connection with another and send an incoming request data packet. The second computer will then copy that request into a reply packet and sends it back to confirm the connection is working and valid. The vulnerability is a memory buffer overflow, where if the machine receives fewer packets than it is expecting to receive, it randomly grabs bits of information from memory to pad out the response to the correct size. In an attack scenario, the vulnerability could have been exploited on high traffic websites to access usernames and passwords of users who had just logged on.

Vietnamese activists and bloggers received a lump of coal this Christmas. The Army of the South East Asian country announced its latest plans to try and stop online dissent. A new cyber unit was announced to be created featuring 10,000 staff geared towards trawling the internet and social media in an effort to curd what one general has called “wrongful views”. The new unit has been called “Force 47” by their creators.

Vietnamese leaders have long distrusted the internet and seen it as a tool which if left uncontrolled can be used by dissenters to ultimately erode the government’s power base. In the summer of 2017, the countries President warned that rumors and innuendo could weaken the foundations of the state. While the exact objectives of Force 47 are not clear, some observers have concluded that the cyber soldiers will escalate smear campaigns against activists online.

Researchers based at Princeton University and Purdue University have released research detailing how they conducted acoustic attacks on four Western Digital branded hard drives. These attacks could be used to create both a temporary or permanent denial-of-service (DoS) attack. In the examples provided, the group proved that such an attack could be used to prevent CCTV systems from recording video footage or freeze computers dealing with critical operations. The basic principle behind this attack is that sound waves introduce mechanical vibrations into an HDD's data-storage platters. If this sound is played at a specific frequency it will result in a resonance effect that further results in an increased vibration effect. As hard drives store vast amounts of data on relatively small sections of the platter, they are programmed to stop all read/write operations during the time a platter vibrates. This is done to prevent the scratching of the disks that could result in permanent damage.

For large sections of the world, Christmas and New Year are times of goodwill towards others. It appears hackers never got that memo which meant security researchers were also deprived of a day off. News of a vulnerability affecting a web server that's been embedded in hundreds of thousands of IoT (Internet of Things) devices broke yesterday, that being Christmas day. While many shared the day with family, others were stuck behind screens pouring over details relating to the vulnerability tracked as CVE-2017-17562.

The vulnerability directly affects GoAhead, a small web server package created by Embedthis Software LLC, a company based in Seattle, USA. According to the product's website, it is currently deployed inside products released by big industry names such as Comcast, Oracle, D-Link, ZTE, HP, Siemens, Canon, and many others. This popularity can be attributed to the fact that the tiny web server can run on devices with limited resources, such as Internet of Things (IoT) devices, routers, printers, and other networking equipment.

As 2017 draws to its inevitable close the year has seen a number of trends develop. Amongst ransomware’s perpetual rise and crypto jackers, one of this year’s greatest talking points is the leaking of private data. Whether this is due to hackers abusing exploits or purely human error it can have major implications for those involved moving forward. With only just more than a week left in the year, another leak potentially affecting 123 million American households has surfaced.

In this instance, Alteryx, US data analytics provider has left an Amazon S3 storage bucket exposed online. Thus by doing so leaking the sensitive details of over 123 million US households in the process. This can be seen as yet another blow to user’s privacy and the privacy rights entailed. The discovery was made by researchers at US cyber-security firm UpGuard. The firm had previously discovered similar leaks involving Amazon S3 storage buckets containing sensitive NSA files and another containing data from the US Army's CENTCOM and PACOM divisions.

Researchers at F5 Networks have been analyzing and monitoring an advanced and aggressive malware campaign. They have termed the campaign Zealot, the name derives from one of the files dropped on targeted servers called zealot.zip. Currently, it appears as only Linux and Microsoft servers are been targeted. The servers are been attacked with an assortment of exploits with the goal of installing malware that mines the Monero cryptocurrency. As has been seen throughout the year, Monero has become the favored cryptocurrency of cybercriminals for its increased anonymity features.

According to Maxim Zavodchik and Liron Segal, two security researchers for F5 Networks, the attackers are scanning for servers that are still vulnerable to two exploits, the first being Apache Struts (CVE-2017-5638) and the second being DotNetNuke ASP.NET CMS (CVE-2017-9822). If these are unpatched the attackers will be able to gain a foothold in the unpatched network.

A team of three researchers has dusted off an old crypto vulnerability that can still affect major firms relying on RSA encryption key exchanges. Once the vulnerability is exploited it could enable an attacker to obtain the private encryption key necessary to decrypt sensitive HTTPS traffic under certain conditions. The three researchers, Tripwire’s Craig Young, researcher and journalist Hanno Böck, and Juraj Somorovsky of Ruhr-Universität Bochum have informed vendors affected by the vulnerability. They will make the Proof of Concept code available in time once all affected vendors have patched the vulnerability now called ROBOT. ROBOT, which stands for Return Of Bleichenbacher's Oracle Threat, is the latest in a fairly long line of similar vulnerabilities worked on by researchers. Daniel Bleichenbacher discovered the original threat back in 1998. Since then researchers have published new variations of the original Bleichenbacher attack in 2003, 2012, 2014, and 2015. This includes 2016’s DROWN, Decrypting RSA with Obsolete and Weakened eNcryption, which until ROBOT was announced was the latest threat to use a variation of Bleichenbacher’s method. DROWN could enable an attacker to crack encrypted communications and steal potentially sensitive data. At the time in potentially affected a third of all HTTPS sites.