Internet threat news

We have followed the exploits of the GandCrab operators with keen interest on this platform. We covered how Bitdefender and Europol worked together to develop and release a decryptor for GandCrab versions 1 (GDCB extension), 4 (KRAB extension), and 5 (random 10-character extension), however, none existed for version 5.2. We also covered how the operators of GandCrab were offering their ransomware as a service which resulted in the ransomware seen to be distributed via a sextortion scam. Well, we have seen a mix of good news and bad news in combatting the ransomware, today's latest news is will definitely be considered good by the general public. On June 17, Bogdan Botezatu, a security researcher with Bitdefender announced via Twitter that a decryptor for v5.2 had been released as a free tool to the public and could be used by any victim suffering from such an infection.

The healthcare sector has come under increasing fire over recent years. This fire was caused by numerous cybersecurity incidents, from breaches to malware infections affecting critical service delivery. Now the US Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) has issued an alert warning that files using the Digital Imaging and Communications in Medicine (DICOM) standard can be abused to hide malware. The DICOM standard is used in virtually all hospitals around the world, including by imaging equipment (CT, MR, ultrasound), imaging information systems (HIS, RIS, PACS), and peripheral equipment (workstations and 3D printers). The vulnerability in DICOM type files was discovered by Cylera’s Markel Picado Ortiz, who has described the flaw as a “fundamental design flaw.”

According to the NCCIC successful exploitation of this design flaw, which has been publically announced and has been given a CVE designation of CVE-2019-11687, could allow an attacker to embed executable code into image files used by medical imaging devices. Further, malicious code embedded within such image files which results in a Windows executable will not interfere with the readability and functionality of the DICOM imagery. This could potentially make the detection of malware harder and promote malware persistence on infected devices.

On Thursday, June 6, 2019, for approximately two hours a large amount of European Internet traffic was rerouted through the infrastructure of China Telecom, China's third-largest telco and internet service provider (ISP). According to experts, the traffic was rerouted following a BGP route leak at Swiss data center colocation company Safe Host. It has been estimated that over 70,000 routes from its internal routing table had been leaked and subsequently rerouted to the Chinese ISP. This is the second time the ISP has been caught hijacking traffic from Western countries.

A BGP route leak has been defined by the Internet Engineering Task Force (IETF) as “the propagation of routing announcement(s) beyond their intended scope. That is, an announcement from an Autonomous System (AS) of a learned BGP route to another AS is in violation of the intended policies of the receiver, the sender, and/or one of the ASes along the preceding AS path.” That is a mouthful of technical terms that sounds like a foreign language to even InfoSec researchers. In summary, the Border Gateway Patrol (BGP) is used to reroute traffic at the ISP level. It has been known to be problematic with leaks occurring frequently. However, there are safeguards and safety procedures that providers usually set up to prevent BGP route leaks from influencing each other's networks. However, instead of ignoring the BGP leak, China Telecom re-announced Safe Host's routes as its own, and by doing so, interposed itself as one of the shortest ways to reach Safe Host's network and other nearby European communication companies and ISPs.

It is almost a weekly occurrence that a company announces they have suffered a data breach. Oven the numbers, in the millions, are difficult for us to wrap our heads around. Besides this, the cost to the individual affected by such a breach can be hidden within the sheer scope of these large numbers. When financial data is stolen such as credit card numbers and other account information, hackers can either use the data to clone cards and make fraudulent purchases. Or they can sell the data on Dark Web platforms so others may do the same or commit identity theft. What of personal information relating to an individual’s healthcare and medical history?

In 2018, this publication covered the data breach affecting SingHealth where 1.5 million patients’ medical records were leaked including the president of Singapore. Earlier this year we also covered who might be responsible for the breach and subsequent leak of information. This all begs the question as to why do hackers want this information. Medical data can include any and all data relating to past and present health conditions, pharmacy prescriptions, hospital records, insurance details, and online medical account credentials. Unlike with financial data, it would appear on the surface that other than for blackmail purposes there is little that can be done with such information.

A new report published by Carbon Black examines how hackers use medical information for their own gain. Hackers are actively selling such information on Dark Web marketplaces. Such information is demanding high prices and is clearly in demand. The most expensive offering on these marketplaces is information relating to providing information which can be used to forge a medical background, an alarming prospect given the harm which could be done when someone who has not qualified, poses as a medical professional. Such information can be used in the real world to forge insurance documents, medical diplomas, doctor licenses, and DEA licenses. Such information has been seen going for 500 USD per listing.

When the developers behind Coinhive announced that they would be shutting down the service of allowing websites to mine cryptocurrency rather than advertising, the rise of cryptominers was predicted by some to end. The development of Coinhive opened a Pandora’s Box and drove the abuse and development of other cryptominers, malware designed to hijack CPU resources to mine cryptocurrency, it was unlikely that Coinhive’s demise would signal the death of the malware variant. This statement seems proven by the emergence of a new crypto miner, labeled BlackSquid by researchers at TrendMicro, the malware is designed to infect web servers, network drives, and removable drives to turn them into Monero mining rigs. According to a report published by TrendMicro the malware uses several vulnerabilities to break into systems and help evade detection.

Over the years there have been numerous examples of distributed denial of service (DDoS) designed to be executed on Linux machines and servers. With the advent of the Internet of Things, the number of devices available to be controlled by attackers has skyrocketed and along with it numerous versions of botnets. Cryptominers have also come to be a common foe for Linux admins. It is rare to see Linux based malware in other forms be they trojans or backdoors. According to researchers based at security firm Intezer have discovered a previously undetected malware strain targeting Linux systems. In a report published by the researcher, Ignacio Sanmillan, the malware employs advanced evasion techniques with the use of rootkits to leverage trojan-based payloads.

The malware called HiddenWasp seems to base most of its code on the recently-discovered Linux malware strain Winniti, a hacking tool alleged developed by state-sponsored Chinese hackers.

According to security researcher going by the pseudonym Frost, a bunch of websites is pushing a download which promises users the ability to earn up to 30 USD in Bitcoin daily. The program, called Bitcoin Collector, is nowhere near what it is advertised to be, rather it is a scam which will infect systems with ransomware and an information harvesting trojan. This is most certainly not what the user, now victim, had in mind when downloading the program they hoped would earn them a nice daily sum. Bitcoin is currently enjoying a surge in value with at the time of writing 1 BTC is 8,730 USD. This surge in recent value has been attributed to a variety of factors including accumulation of the cryptocurrency and unspent coin been at record highs. Regardless of the reasons, it will still mean that Bitcoin and other cryptocurrencies including Ethereum and Monero are still worth stealing and been exploited to lure unsuspecting victims.

Part of the scam incorporates a referral program which allows users to earn Ethereum for referring a set number of new users. The FAQ on one of the websites states that by referring 1,000 visits using your referral link you will earn 3 Ethereum. That is approximately worth 750 USD currently. This, however, is not the crux of the scam. Rather it is the download provided on the website which promises daily earnings of Bitcoins. These earnings are supposedly given free and are automatically paid out. If a potential victim clicks on the offer they are redirected to another website controlled by those behind Bitcoin Collector. Here the potential victim is offered a download which will download and install the money-making application. To further sell the legitimacy of the scam the scammers have even gone so far as to link a Virus Total detection page in an attempt to prove that it is not malicious.

Over the past couple of days, the security researcher who goes by the pseudonym SandboxEscaper has released several Microsoft Windows vulnerabilities to the public with no prior notice given to Microsoft. The researcher has developed a reputation amongst the InfoSec community for releasing vulnerabilities to the public, in particular, Windows vulnerabilities, without informing the software producer or giving prior notice as is seen as a good practice amongst researchers.

The first of the flaws published on May 22, can be classified as a local privilege escalation (LPE) zero-day. LPE can be seen as exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. It is important to note that when exploited such flaws cannot be used to break into a system. Rather hackers can use them at later stages in their attacks to elevate their access on compromised hosts from low-privileged to admin-level accounts. In this instance, the flaw resides in the Windows Task Scheduler process. In order to exploit it the attacker would need to run .job file which has been malformed to change the discretionary access control list (DACL), this is the system which limits who has access to a file, in the Task Scheduler. If correctly done the attacker can raise their privileges on the system from a low level to that of an admin. Once this is done the attacker would be granted access to the entire system.

According to IBM hacktivist attacks that resulted in quantifiable damage to the victim has declined by 95 percent since 2015. According to the data provided by IBM’s X-Force threat intelligence unit between 2015 and 2019 shows that the number of hacktivist attacks dropped from 35 in 2015 to 24 in 2016 and only 5 in 2017. In 2018, only two incidents were recorded and no attacks have been observed by IBM so far in 2019. The threat intelligence team noted that the data collected only includes attacks observed by reliable sources, only instances where someone took responsibility, and only if the attack resulted in quantifiable damage. In this instance, hacktivism can then be defined as the act of hacking a website or computer network in an effort to convey a social or political message.

2016 was a bumper year for the hacktivist group Anonymous that help bring the group to the public’s attention. From Operation Icarus, which was a series of Distributed Denial of Service attacks on banks to cyber attacks launched against the Thai police. This was followed in 2018 by a series of attacks on the Spanish government. Despite the associated press with the attacks it did not result in others been inspired to follow the path set by other hacktivists. IBM has contributed this decline to a variety of reasons. Central to the decline is the decrease in Anonymous activities over the years. IBM attributed this decline to the loss of key leaders within the organization and public relations failings. In 2016 during the US presidential election, a debate among Anonymous members spilled over into the public domain. While some members advocated for attacks against candidate websites, others strongly disagreed, arguing that the group does not support a particular political ideology and criticizing proposed attacks as “cringe-worthy.”

In January 2018, the InfoSec community was rocked by the news of the Meltdown and Spectre vulnerabilities affecting entire generations of Intel processors. As of May 14, 2019, academics announced that they had discovered a new side-channel attack affecting Intel processors. The attack utilizes a set of vulnerabilities that can allow attackers to retrieve data being processed inside a CPU. The flaw has been termed Zombieload and is fundamentally similar to the Meltdown, Spectre, and Foreshadow side-channel attacks that emerged.

As with the other three, the Zombieload flaw is exploited by abusing the speculative execution process. Speculative execution is an optimization technique where a computer system performs some task that may not be needed. Work is done before it is known whether it is actually needed, so as to prevent a delay that would have to be incurred by doing the work after it is known that it is needed. If it turns out the work was not needed, after all, most changes made by the work are reverted and the results are ignored. The academics who discovered the flaw published their findings in an academic paper titled, “ZombieLoad: Cross-Privilege-Boundary Data Sampling”, where prior to publishing the academics in question spent more than a year punching holes through the various components of the speculative execution process. What they discovered was an attack method which allowed for the leaking of data from the target CPU’s buffer zones and data processing operations.

According to researchers at Kaspersky Labs a Korean-speaking hacker group called ScarCruft, which is alleged to be a state-sponsored advanced persistent threat (APT) group, has increased its cyber-espionage ability by including a Bluetooth harvesting module within its current arsenal of cyber weapons. The group is known for targeting organizations and companies with links to the Korean peninsula and is known to use common techniques such as spear phishing and strategic web compromises to carry out campaigns. The latter technique, strategic web compromises sometimes also referred to as watering-hole attacks, where the attacker compromises a carefully selected website by inserting an exploit resulting in malware infection.

Kaspersky has been tracking ScarCruft activity since 2016 with what was termed Operation Daybreak where the group used a zero-day exploit to begin the process of infecting victims with malware. The malware traditionally is installed in a multi-stage process designed to bypass Windows UAC (User Account Control) in order to execute the next payload with higher privileges. The next step in the infection process occurs when the malware creates a downloader and a configuration file from its resource and executes it. The downloader malware uses the configuration file and connects to the command and control server to fetch the next payload. One of the key features of the malware is one of the methods it uses to avoid detection. The downloaded malware comes in the form of an image file with malicious code hidden within.

Those who have invested in Bitcoin have had much to smile about recently. The cryptocurrency rose to 6,000 USD on May 8, this was the first time it had broken this mark since November of last year. Nowhere near the 10,000 USD of yesteryear at the height of cryptocurrency popularity, this is still seen as some form of validation for those loyal to the original cryptocurrency. However, if you used the popular cryptocurrency exchange Binance, seen as one of the top five exchanges on the market currently, the price of bitcoin may be overshadowed by the news that hackers managed to steal 41 million USD from the exchange.

The hack occurred on May 7 and was responsibly disclosed to users of the platform via an official blog post. The company stated that the hack occurred as a result of hackers using a variety of techniques, which included phishing and the use of malware, to gain access to user accounts, which included API keys, 2FA codes, and potentially other information. It appears that the attack was incredibly well co-ordinated because at a set time the hackers initiated a mass withdrawal from these accounts, generating a massive 7,074 BTC transaction from Binance's main “hot wallet” to several smaller accounts. The massive withdrawal did trigger numerous alerts and warnings within the Japanese based exchange but sadly these warnings came too late in order to prevent them from happening.

Various Japanese news outlets reported that the Japanese Defense Ministry has adopted policies to enable the creation and maintenance of cyber-weapons in the form of malware. Japan is the latest country to announce that to formally recognize that it owns and develops cyber-weapons along with the US, UK, and Germany. According to the Japan Times the malware, which is to be created by a private company and the malware will be able to break into a computer system, hoping such a computer virus could work as a deterrent against cyber attacks. The malware is intended to be used as a defensive measure only according to government officials.

This announcement comes as part of the Japanese Defense Ministry plan to enhance its defensive capabilities beyond the ground, marine, and air domains but adopting both cyber and outer space as new areas requiring defensive expansion. Compared with other nations Japan is perceived to be lagging behind in its capability in addressing cyber threats. In order to readdress this, the ministry is looking to increase the number of personnel in its cyberspace unit to 220 from 150. This number is still considered small when one compares it to other countries with 6,200 personnel in the United States, 7,000 personnel in North Korea and 130,000 personnel in China according to data collected by the ministry.

Attackers have been actively exploiting a zero-day vulnerability in the widely used Oracle WebLogic Server to deliver not one but two ransomware variants. Zero-day vulnerabilities can be defined as a software security flaw that doesn’t yet have a patch. These vulnerabilities can result in security holes waiting to be exploited by cybercriminals. What is truly novel, and somewhat frightening, about the attack is the ransomware can be downloaded and executed without the end user clicking on anything, the attacker simply exploits the vulnerability. Traditionally, ransomware infections require the end user to initiate the downloading of the malware. This can be done by clicking a link or downloading an attachment, as examples. The above attack does not need this once an integral step to infection.

The vulnerability exploited in the attack was discovered two weeks ago along with a proof of concept exploit code. The vulnerability, CVE-2019-2725, was made public by the Chinese National Vulnerability Database and according to researchers from the security educational group SANS ISC warned that the vulnerability was under active attack. The vulnerability is regarded by experts as easy to exploit and allows the attacker the ability to execute code of their choice on cloud servers. The disclosure caused Oracle to release an emergency patch and it is strongly advised that administrators download the patch if they have not already.