Internet threat news

Last week this platform published an article which covered the emergence of a new exploit kit called Fallout discovered by security researchers at FireEye. Initially the exploit kit has been used to distribute the SmokeLauncher trojan and the GandCrab ransomware. This week, it has started to distribute a new ransomware called SAVEfiles via malvertising campaigns.

SAVEFiles was discovered by security researcher Michael Gillespie, who has developed a reputation for discovering and analyzing new ransomware variants. While the ransomware was discovered by Gillespie it was not known necessarily how the ransomware was distributed. Exploit kit expert Kafeine discovered that SAVEFiles was been distributed via malvertising campaigns where IP addresses in Japan, France, and other locations have been targeted. It was further discovered that the campaign will cause the visitor to go through a stream of redirects until they eventually get to a site hosting the Fallout Exploit kit. The exploit kit will then automatically download and install the SAVEfiles ransomware onto the victim’s computer. The connection to hxxp://xxxart.pp.ua/1/get.php is the ransomware connecting back to its Command & Control server to receive an encryption key.

Apple has recently pulled several Trend Micro apps from its app store. These include the free packages Dr. Cleaner, Dr. Antivirus, and Dr. Archiver listed has been developed by Trend Micro. The reason for the apps receiving the boot: they exfiltrate user data for the user’s browser history. The discovery was made by Thomas Reed of Malwarebytes Labs and @privacyis1st. As a result of the public outcry and industry condemnation, Apple was forced to pull the apps. At the time of writing, only Dr. Wifi and Network Scanner were still available for download. In the report published by Thomas Reed, much of their research centered around Dr. Antivirus and Dr. Cleaner. Upon analysis, it was revealed that Dr. Antivirus was incredibly limited in what, in terms of malware, it could detect. This is due in part to restrictions placed on app development by Apple and imposed on the App Store. As with many similar apps, detection rates were poor even when used to detect malware within the user folder, Dr. Antivirus was no different.

The use and popularity of hackers using exploit kits seems to be waning. This decline in use has been attributed to arrests, prison sentences, and service disruptions caused by law enforcement in partnership with security firms. This is most certainly good news but does not mean their use is completely extinct. Security researchers at FireEye have discovered a new exploit kit been used in a campaign targeting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.

An exploit kit is essentially a type of “toolkit” used by hackers to attack vulnerabilities in systems so they can distribute malware or perform other malicious activities. Often exploit kits are packaged with exploits that can target commonly installed software such as Adobe Flash, Java, and many others. A typical exploit kit can include a management console, a bunch of vulnerabilities targeted to different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.

Security researchers at security firm ESET have witnessed the threat group “PowerPool” exploiting a Windows zero-day vulnerability. The vulnerability is being used by the threat group to elevate the privileges of a backdoor in targeted attacks. The flaw was disclosed on August 27 with the proof of concept code been published on GitHub the same day. The information was disclosed by a researcher seemingly frustrated with Microsoft’s bug submission process. The researcher’s Twitter account was no longer accessible shortly after she posted the tweet, but it’s unclear whether it was suspended or deleted. The flaw, however, has been already confirmed by security researchers, including Will Dormann, a vulnerability analyst at CERT/CC. It would seem that PowerPool has also confirmed that vulnerability in light of recent attacks.

The Russian-based hacking group Cobalt is again targeting banks in a new campaign. In this latest campaign, it would appear that the group has limited its targets to Russian and Romanian banks. Cobalt has been active since 2016 and already boasts a number of scalps. As it stands the group has been credited with the theft of 9.7 million USD from the Russian MetakkinvestBank; ATM thefts of 2.18 million USD from Taiwan banks; a SWIFT attack on Russian banks; and more than 200 other attacks on banks in Europe, Thailand, Turkey and Taiwan. The group has also been seen to target industries other than the banking sector. Last year it was reported that Cobalt had expanded its range into also targeting government, telecom/Internet, service providers, manufacturing, entertainment, and healthcare organizations, often using government organizations and ministries as a stepping stone for other targets. Many of these utilized supply chain attacks.

In what Jennifer Lawrence, and the other victims of the so-called “Fappening”, will see as a victory, one of the hackers responsible has received an eight-month prison term for his part in the hack. In 2014 George Garofano, 26-years-old, of North Branford in Connecticut, covertly gained access to approximately 240 private iCloud accounts, many of which belonged to celebrities as well as other individuals. The access was gained in a period spanning from 2013 to 2014 and access was gained via an email phishing campaign. Garofano used the access gained to steal private images and video from the accounts and disseminate the material on the internet. One of the reasons for the uproar was that many of the images disseminated showed the victims nude.

Garofano, who is currently released on a $50,000 bond, was ordered to report to prison on October 10. Added to this he will also serve a three year supervised release once his prison term is complete. Garafano was one of four people charged in the 2014 hacking scandal and was the last to be prosecuted. Prosecutors argued for a sentence of 10 to 16 months in prison, in line with federal guidelines. Garofano asked for leniency, requesting no more than five months in prison and another five months of home confinement on the basis that he believed he had already suffered serious consequences and had apparently behaved in an appropriate manner since he was charged.

For Cosmos Bank, a bank that has been in business for 112 years, August will go down as one of the bank’s worst months. On August 14, 2018, the Hindustan Times reported that the bank suffered a two-stage attack where malware was used on the bank's ATM server to steal the credit card information of customers, alongside SWIFT codes required for transactions. It was estimated that during the first wave roughly 11.5 million USD in transactions from multiple countries was stolen. In the second wave, on the same day, close to 2 million USD was withdrawn through debit card transactions across India. Later when those funds were traced it was discovered that they were transferred to Hong Kong via fraudulent SWIFT transactions.

Cosmos Bank chairman Milind Kale said the cyber attack was a global effort as cyberattackers operated from "22 nations." The bank pointed the finger at Canada as the place of origin for many of the fraudulent transactions. A further article published by the Hindustan Times said that the hackers failed in their first attempt to compromise the bank's systems. Despite the first failed attempt worryingly no alert was issued to put the bank on guard against any further suspicious activity. The bank has since confirmed that no funds had been debited from its customers’ accounts.

The North Korean linked Lazarus group has been on both government and security firms advanced persistent threat (APT) watch lists for a while now. Sometimes referred to as Hidden Cobra, particularly by the US Computer Emergency Readiness Team (US-CERT), the group has conducted many cyber espionage campaigns as well as targeting banks and other financial companies around the globe. Over the last few months, Lazarus has successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies. Much of the groups work targeted Windows systems and machines. However, the group is now targeting MacOS.

Lazarus Group is perhaps most well-known for the Sony Pictures hack which occurred in October 2014. The group managed to gain access to the media giant’s network and stole massive amounts of confidential data and then leaked them online. The hack was seen as retaliation to the movie The Interview starring James Franco which was seen by Lazarus group as derogatory to North Korea. The group also issued vague threats to theatres who intended to show the film. Sony canceled the release of the movie as a result of the hack and subsequent threats.

For several years now the Chinese government has been attempting to create a set of standards and norms governing cybersecurity. In the wake of increased trade tensions between the US and China, there is a growing fear among security researchers and investors that these standards may be used to deter or sabotage the efforts of foreign tech firms trying to enter the Chinese market. The set of standards is often simply referred to as the “national cybersecurity standards”. These standards are issued by the Chinese National Information Security Standardization Technical Committee (TC260), a government agency that has issued roughly 300 standards since 2015.

Generally, these standards are seen as recommendations made by the government. They are intended to govern the design and operation of various products, such as routers, firewalls, or even software applications. Some of these standards describe methods of providing the Chinese government with access to sensitive data belonging to Chinese citizens. It further specifies how that data is handled by a particular type of service or piece of hardware. Other stipulations provide a list of acceptable encryption algorithms. Others specify how a product's cross-border data transfer and behavior are to be handled and monitored. According to the Chinese government, these standards are all only "recommended" as mere guidelines for product and service designs and bare no official status for the sale of products on the Chinese market. However, the Center for Strategic and International Studies (CSIS), a Washington-based think tank, in practice, many of these "recommended" standards may actually be required to do business in China without explicitly saying so.

The start of the year seemed to open with a bang on the cybersecurity news front. The Spectre and Meltdown vulnerabilities made headlines with fears that they could be as bad, if not worse, than the previous Heartbleed vulnerability that made its mark on CPUs previously. Since then every now and then news trickles in of a researcher having been able to exploit those vulnerabilities in slightly new ways. On August 14, 2018, news broke that researchers had discovered another vulnerability affecting Intel processors. The researchers who discovered the vulnerability have called it Foreshadow and have set up a website where users can gain more information including the paper they published.

Currently, two research teams independently discovered the Foreshadow vulnerability and the L1 Terminal Fault vulnerability. A team from KU Leuven, a university in Belgium, informed Intel of its findings on January 3, the day when the now infamous Spectre and Meltdown vulnerabilities were disclosed to the public. The second team, comprising researchers from Israel-based Technion, University of Michigan, the University of Adelaide in Australia, and Australia-based CSIRO's Data61, reported its findings to Intel on January 23.

Security researcher Ruben Santamarta published a research paper detailing that that hundreds of airplanes from several airlines could have been hacked remotely from the ground through vulnerabilities in satellite communications systems. The latest research paper follows a paper published in 2014 by Santamarta in which the researcher described theoretical attack scenarios on satellite communications. Santamarta continued his research in November 2017 when he managed to passively collect from an airplane’s Wi-Fi network while on a trip. Santamarta noticed that several commonly used services, such as Telnet, HTTP, and FTP, were available for certain IP addresses. More worrying, some interfaces associated with the plane’s onboard satellite communications (satcom) modems were accessible without any authentication.

Recently many security firms have detailed the rise of cryptojacking as a favored method of hackers for increasing their payroll. What was noticed was the detections of ransomware had declined massively while cryptojacking detections had skyrocketed exponentially. This led some to believe that ransomware was slowing dying. Recent events prove this not to be the case or in the very least hackers using ransomware variants did not get the memo their favored malware variant is dead.

Over the weekend news began surfacing that TSMC, the company responsible for the processors in many of Apple’s mobile devices, suffered a WannaCry attack. Last year the City of Atlanta was devastated by a ransomware attack which cost the city 2.6 million USD to recover from. Yesterday Golf Week published an article stating that the PGA had suffered an attack by hackers which resulted in officials been locked out of crucial files related to this week’s PGA Championship at Bellerive Country Club and the upcoming Ryder Cup in France.

News began surfacing on August 6, that TSMC, or to give the company its unabbreviated name Taiwan Semiconductor Manufacturing Company, suffered a malware incident over the previous weekend. It was revealed that the chip manufacturer suffered a WannaCry attack which resulted in plant closures, all of which had an impact on production. TSMC is the company responsible for manufacturing a very large percentage of Apple’s processing units, most been used in mobile devices like the iPhone. It is also further widely believed that the company is producing the technology behind the A12 core processor chips in the new iPhone scheduled for release later this year.

Currently been exploited in mainly Brazil is a massive cryptojacking campaign infecting MikroTik routers. Central to the campaign is the hacker’s use of the now infamous Coinhive in-browser cryptocurrency miner. Cryptojacking is the unauthorized use of someone else’s computer to mine cryptocurrency. Hackers do this by either getting the victim to click on a malicious link in an email that loads crypto mining code on the computer or in this case a router. The crypto mining code then works in the background as unsuspecting victims use their computers normally. The only sign they might notice is slower performance or lags in execution that may not have been experienced previously.