Internet threat news

GandCrab Version 5.1 Rewrites the Rules

The malware authors behind the GandCrab ransomware are continually giving law enforcement and security researcher headache after a headache. Not only does the author’s continually evolve the malware to include newer features, but they also keep evolving their business, if it can be called one, model. Despite setbacks, the group seems to come back stronger. In a combined effort Europol and Bitdefender released a decryption tool for many of the versions of GandCrab seen in the wild. Such a concerted effort to thwart GandCrab operators left them bruised but not out. The latest version, 5.1, has no decryption as of yet, although a removal guide is available on this platform. Further, the business model has now included measures to help dishonest data recovery firms hide costs to bump up their margins.

In a recent report published by security firm, Coveware illustrated how dishonest data-recovery firms have found a business ally in the malware authors behind GandCrab. In essence, the GandCrab TOR website allows dishonest data-recovery companies to hide the actual ransom cost from victims. This is done in a variety of ways but one such method includes the awarding of coupons to recovery firms who frequently access GandCrab's TOR site.

Two Hacker Groups Responsible for 60% of Crypto Hacks

A report published by blockchain analysis firm Chainalysis has revealed that two separate hacker groups are responsible for up to 60% of all publicly reported cryptocurrency exchange hacks. Further, it is estimated that the two groups combined have stolen approximately 1 billion USD worth of cryptocurrency since the start of their operations. Chainalysis may not be the first name the public thinks of when it comes to cybersecurity, however, the group has earned a solid reputation for illuminating what it terms cryptocrime. The firm made headlines when working with Google it was discovered that that 95% of all ransomware payments made since the start of 2014 were converted into fiat currency via the BTC-e exchange portal. Their investigation led to the arrest of Alexander Vinnick, the CEO of BTC-e at the time.

According to Chainalysis the two prominent groups tracked over a period of years, called Alpha and Beta respectively by the firm, on average stole 90 million USD per hack. Through their analysis, they found that the biggest group is Alpha but that does not mean Beta is by any means too small to ignore. Both groups specialize in breaching exchange portals in order to steal cryptocurrency. They then move the stolen currency through a complex network of wallets and exchanges in an attempt to disguise their origin.

US Authorities Move to Shutdown Joanap Botnet

It is no secret that the US faces many cybersecurity threats to national and business interests. With government workers returning to jobs after a lengthy government shutdown over President Trump’s planned border wall the true cost of how the shutdown impacted cybersecurity can be calculated. However, not all government bodies were completely hamstrung. In a combined operation between the US Department of Justice (DOJ), the FBI's Los Angeles Field Office and, the US Air Force Office of Special Investigations (AFOSI) announced that operations were underway to take down Joanap, a botnet operated by North Korean hacker groups. On January 30, 2018, the US Department of Justice announced its efforts about the operation which had been active since October 2018. The DOJ provided court documents which included a court order and a search warrant to provide the public with more information.

Based on the documents provided, readers will be provided with a unique insight into how the operation was made possible and conducted. The operation started with the authorities operating servers which mimicked infected computers part of the botnet, and silently mapped other infected hosts. This was made possible purely because of the way the botnet had been constructed. The botnet relies upon peer-to-peer (P2P) communications system where infected hosts relay commands introduced in the botnet's network from one to another, instead of reporting to one central command-and-control server. In its simplest form P2P communication relies on creating a network architecture that partitions tasks or workloads between peers. Peers have equal privileges, it is this fact that was the botnet’s Achilles heel.

Trojans Looking to Steal Your Money

Last week new ransomware variants come to light which grabbed more than a few headlines. First, we had Phobos, operated by the group behind the Dharma ransomware family, then secondly hAnt which targeted mining rigs. Towards the end of last week, it would seem that those using trojans in financially motivated cybercrimes did not want to be forgotten. Two trojans were discovered by two separate security firms, both looking to steal victims’ money but in two different ways.

First discovered in 2015 the RTM Trojan, or Read-the-Manual, was used in campaigns designed to target predominantly Russian speakers. In a new campaign, it is again Russian speakers who appear to be the main target of the campaign. The latest campaign has been analyzed and tracked by Palo Alto Network's Unit 42 security team and rests on convincing users into downloading and executing the RTM banking trojan, also sometimes called Redaman. This is done by using the threats of debt and missing payments to scare users into inadvertently downloading the malware.

New Ransomware Targets Chinese Mining Rigs

It has been a busy week in the news for ransomware. First, it emerged a new family called Phobos was discovered and been used by the group behind the Crysis and Dharma families of ransomware. Then reports emerged of another new ransomware called Anatova. Then finally, although the week has not ended yet, another new ransomware has been seen infecting Bitcoin mining rigs in China called hAnt.

China is widely regarded as the country where the highest concentration of mining farms can be found. Thus, it is of no coincidence that the majority of hAnt infections have been reported coming from China. Initially, news of the infections broke on with a later article in English been published on ZDNet. According to the article on ZDNet the ransomware was first discovered in August 2018, however, a new campaign targeting mining farms seems to have started earlier this month.

Phobos Ransomware Emerges from the Dark

Discovered in December 2018, a new ransomware variant called Phobos was discovered by researchers at Covewave which it would seem is a combination of the Dharma and Crysis ransomware variants. The naming of the new ransomware variant will pique the interest of those fond of Greek Mythology as Phobos was the god of fear who was the son of Ares and a brother to Deimos the god of terror. With such a strong name questions will be asked as to whether the malware is indeed something to be scared of.

In the report published by Coveware what readers will initially find the most striking is the similarities to the Dharma ransomware variant that has been used so successfully over the years. These similarities go so far as to use the same attack vector that Dharma has, namely open or poorly secured RDP ports. The leveraging of unsecured RDP or Remote Desktop Protocols ports is a favored attack method of hackers. In September 2018, the FBI warned businesses owners to secure these ports as a spike in attempts to gain a foothold in a network was seen exploiting this attack vector. One such attack campaign seen was a campaign using the Crysis ransomware, a closely related cousin to Phobos.

Collection #1: The Monster Breach

Data breaches have become a no longer ignorable fact of life. A fair amount of articles on this publication have dealt with breaches in their varying forms. From the record-breaking Equifax breach which was unrivaled in scale, to how much cash is to be made by hackers selling data acquired from a breach, 1.7 million USD for those interested. Even the consequences facing companies if breached. While the Equifax breach set all kinds of records for all the wrong reasons, news surfacing about “Collection #1” smashes all those nefarious records.

On January 17, 2019, security researcher Troy Hunt published an article detailing the discovery of email addresses and passwords exposed online. Mr. Hunt has called the breach “Collection #1” and the numbers are truly staggering. It consists of email addresses and passwords totaling 2,692,818,238 rows. In total, there are 1,160,253,228 unique combinations of email addresses and passwords with unique email addresses totaling 772,904,991. Then there are 21,222,975 unique passwords. It took the writer three read through attempts to try to make sense of the numbers and they are still unfathomable.

NanoCore Proves Hard to Kill

Remote Access Trojans, or RAT, are a favored malware variant of hackers and other cybercriminals across the globe. The use of such trojans is as varied and diverse as those using them illegally. They have been seen in cyber espionage campaigns to financial fraud campaigns and are a stable tool in any hacker’s bag of tricks. Simply put a RAT is merely is a back door to a targeted system that gives the hacker administrative control over the system. They are normally downloaded invisibly and predominantly spread via malicious emails.

Often when security researchers discuss an interesting aspect of a piece of malware, those infected will see it as more frustrating than interesting. NanoCore can remain on a system even once its processes are killed is such an aspect. Interesting to some, frustrating to those affected. In a report published by researchers at Fortinet noticed that a recently found sample of the NanoCore RAT which is able to prevent users from killing its processes.

Ryuk and TrickBot Now Partners in Crime

The Ryuk ransomware, named after a character from the popular Death Note anime, has become known as targeted ransomware. Discovered in August 2018, it was seen been used by hackers to first scope out potential targets. Once a suitable target was found the ransomware gained access to the targeted computer via Remote Desktop Services and then proceed to steal credentials. This targeted approach allowed hackers to target businesses and other high profile targets in order to extort greater sums of money. Now new research suggests that the operators of Ryuk and the infamous TrickBot have partnered up to earn even more money from their illicit trade.

Ryuk made international headlines when it was linked to a ransomware attack which affected the newspaper distribution networks of large media houses including the Wall Street Journal, New York Times, and Los Angeles Times. It has been estimated that those behind Ryuk have already netted approximately 3.7 million USD. New research published by both FireEye and CrowdStrike show that those behind Ryuk are looking to extort even more funds by partnering with the group behind TrickBot.

New Tool Bypasses 2FA

It is the best practice to enable two-factor authentication, often simply referred to as 2FA, when one can. Beyond best practice, it is recommended by experts to enable 2FA to prevent becoming a victim of the numerous phishing campaigns that stalk the Internet on a daily basis. Two events that have recently arisen that may be the beginning of the end for 2FA, or at the very least far more secure versions of it. The first of these events being a penetration testing tool released by a Polish security researcher capable of bypassing 2FA in a phishing attack. The second being a research report released by Amnesty International which details how APT groups are able to bypass 2FA using phishing tactics. While developed by different interested parties these developments may signal a significant eroding of trust in the widely trusted 2FA protocols.

Vidar and GandCrab Distributed in Same Campaign

With the recent spate of cyber-attacks utilizing two or more different malware variants or tactics, the smart money would have predicted the trend to continue into 2019. In a recently discovered campaign, the smart money appears to be right. Hackers are targeting victims with a two-pronged attack that secretly infiltrates systems with data-stealing malware, before dropping ransomware onto the infected system. In a report published by researchers based at Malwarebytes, this new campaign employs the Vidar data stealer and the now infamous GandCrab ransomware.

Many of the world’s hackers see no need to reinvent the wheel and those behind this campaign seem to fit the mold. The malware is distributed via the tried, tested, and the approved method of a malvertising campaign. The hackers in this instance have been targeting high-traffic torrent and streaming sites in an attempt to try and lure victims into clicking on a risky link and which will redirect victims to a site hosting the malicious payloads. While using tried and tested malvertising techniques the hackers again use a well-known method of delivery, the Fallout exploit kit. The exploit kit appeared to have surfaced in August 2018, at a time when many researchers felt that exploit kits were going the way of the dinosaur. The kit uses a number of exploits which target Internet Explorer and Flash Player in order to get a foothold onto the victim’s computer.

Hackers Earn 1.7 Million from Click2Gov Breach

The convenience of being able to pay bills, fines, and taxes online can be seen as a far superior method of standing in queues waiting for an open teller. This convenience should be balanced with security. Users are entering credit card details and other important personal information. Any security measures taken should be robust but that may be an ideal even if it seems logical. Click2Gov, a website which enables users to pay bills online, appears not to have taken security as seriously as should be done.

Click2Gov is used by many US states and cities to expedite the paying of utility bills and fines by residents. Developed by Central Square, formerly known as Superion, it was rumored that in 2017 the local government payment service may have been subject to a data breach. The rumors were confirmed in September 2018 when FireEye published an article detailing the breach. According to researchers the hackers deployed a new, never seen before malware strained designed to scrape payment card details from US citizens.

US Ballistic Missile Systems Have Less than Stellar Cybersecurity

The US Department of Defense Inspector General (DOD IG) published a report detailing the cybersecurity status of the Ballistic Missile Defense System (BMDS). The results are far from good and can hardly put US tax payer’s thoughts at ease. In summary, the report found that there was no data encryption, no antivirus programs, no multifactor authentication mechanisms, and 28-year-old unpatched vulnerabilities as just a few of the failings discovered. The authors of the report inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles that form part of the BMDS, which is a Department of Defence program developed to protect US territories by launching ballistic missiles to intercept enemy missiles.

The report concluded that “the Army, Navy, and MDA did not protect networks and systems that process, store, and transmit BMDS technical information.” This conclusion was drawn from several problematic areas with multifactor authentication been the most problematic according to the Inspector General.  According to MDA employment guidelines, any new MDA employee would receive a username and password so they can access BMDS' network. As new employees are eased into their new jobs, they would later also receive a common access card (CAC). This is specifically designed to enable their accounts in conjunction with their password, as a second-factor authentication. The normal procedure says that all new MDA workers must use multifactor authentication within two weeks of being hired.

DarthMiner Strikes Mac Empire

Researchers at Malwarebytes has uncovered another malware destroying the perception that Macs are naturally secure and robust enough to defend against the dark side. What researchers discovered is a malware targeting Mac systems that is fundamentally a combination of two open-source programs. The first being a backdoor and the second been a crypto miner. The malware has been named DarthMiner and if infected will definitely turn your system away from the light side.

In the article published by Malwarebytes, it would seem that DarthMiner is distributed via a compromised application called Adobe Zii, which is marketed as an app which assists in the pirating of Adobe products. Rather the application does nothing of the sort, a fact hinted at by the use of a generic Automator applet icon. One would normally expect an app such as this to at least use a stolen Adobe Creative Cloud logo. If not an application to assist in piracy what does it in fact do? The fake application was designed to run a shell script that downloads and executes a Python script, and then downloads and runs an app named, which appears to be a version of Adobe Zii, most likely to hide the malicious activity.


Page 8 of 30

<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>
Malware activity

Global virus and spyware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal