Internet threat news
With financial institutions admitting data breaches, some very serious others less so, it seems governments are also taking the opportunity to disclose information concerning hacks. This week saw both the Australian Government and the South Korean Government admitting that sensitive information, in South Korea’s case classified information, was stolen. Regarding the Australian hack, a total of 30 GB of sensitive data pertaining to the military and its equipment were stolen. In regards to the South Korean hack, North Korea is accused of stealing approximately 235 GB of data which included classified plans detailing the South and its Allies response in case of war with the North.
Earlier this President Donald Trump’s government moved to ban all Kaspersky Lab products from US Government institutions and agencies. Law enforcement and information agencies also recommended to the private sector that they should desist for purchasing products and services from the Russian based company. Very little evidence was provided to the public as to the decision made by President Trump, however, the reason for the decision rests in Kaspersky Lab’s alleged inappropriate links to the Russian Government.
This matter resurfaced recently on October 6 with articles published in both the Wall Street Journal and the Washington Post that a breach which may have occurred in 2015 was made possible in part by Kaspersky’s Antivirus Software. US officials seem to believe that a scan performed by Kaspersky Lab’s security software on the contractor's computer helped Russian hackers in identifying the files containing sensitive information. Evidence in both articles for the claims rests on anonymous sources who allege one of two situations may have occurred which enabled Russian hackers to gain access to classified documents.
Security researchers have developed a variant of the Rowhammer malware that is able to bypass all the current countermeasures proposed for such an attack. The blanket term Rowhammer has come to describe a security exploit that takes advantage of the fact that hardware vendors are cramming too many memory cells together on the same boards in order to make smaller components with larger memory storage. An attacker can exploit this by bombarding RAM memory cell rows with constant read-write operations causing the memory cells to change their electrical charge. This means that the stored data can be modified from 1 to 0, or alternatively 0 to 1, thus altering information stored on the computer. By altering the stored information in such a way the attacker is able to deliver malicious code that alters normal OS behavior to escalate the attacker's privileges, root devices, or cause denial-of-service states to crucial services, such as security software.
Over the last two years, security researchers have seen servers accessed and data wiped with the attacker sending a ransom note to have the data restored. The most recent victim has been the team behind R6DB, an online service which provides Rainbow Six Siege player statistics. The attack occurred on September 30 in which an automated bot accessed the server, wiped the database, and left a ransom note behind. The database appears to be a PostgreSQL instance. At the time of writing, this article R6DB have recovered most of the data and are currently running updates on the new server.
Once EternalBlue was released into the wild by the Shadowbrokers it was predicted that its effects would be far-reaching. Time has proven those predictions correct with many hacking groups around the global adding yet another tool in spreading malicious payload. In this instance the creators of the banking Trojan Retefe have leveraged EternalBlue in order to spread across computers via unpatched and outdated SMB servers.
Earlier this year Emotet and TrickBot were discovered by security researchers sporting highly customised version of EternalBlue. This was at a period where the use of worms to spread malicious payloads across networks was declining with some thinking the malware variant to be dying a slow death. Upon the emergence of EternalBlue new life was seemed to be breathed into something that was thought to be a relic of the recent past. Other than seeing worms become fashionable once more, how banking Trojans were used and operated also changed. In the past those deploying such Trojans would like them to remain undetected for as long as possible, now it seemed they wanted to infect as many computers as possible thus gaining a vast amount of credentials in a smaller space of time. This would have been the trade-off for being easier to detect one can assume.
Cryptocurrencies are fast becoming, if not already, a massive investment tool that is rewriting the rules as to what the currency currently in your wallet can be. With innovation often comes teething problems, these in themselves are not a worry. What is a worry is how malware authors are exploiting innovative ideas for short-term gain. This is hardly new and seems to be an information age constant in that if a tool or idea can be abused to swindle and extort it shall. This maxim is probably not even an information age phenomenon but one that pervades human history.
Coinhive appears to have started its life fairly innocently. As a tool Coinhive could be used by website owners to generate extra income rather than utilizing ad banners. It is essentially a java library that can be added to the website which when visited by a visitor Coinhive will use a percentage of the visitors CPU to mine Monero. Once the visitor is no longer on the page Coinhive will stop mining using the visitor’s CPU. The Pirate Bay, the famous or infamous depending on which side of the piracy fence you sit, began trailing Coinhive rather than having ad banners on their torrent website. Users were notified about the trial and its implications but were soon dropped by The Pirate Bay due to negative user feedback.
On Tuesday news broke that the latest version of CCleaner, a popular application owned by Avast, had been hacked, little was known as to the attacker’s intention. As is often the case with attacks conducted by knowledgeable and experienced attackers the targets and aim are exceptionally difficult to ascertain. Given time and dedicated research teams often these can be determined but determining who is responsible is harder.
The CCleaner hack was pulled off by modifying version 5.33 to include Floxif malware as reported by Cisco Talos and MorphiSec. Initially, it was believed that users who downloaded the jeopardized version merely downloaded a fake version of CCleaner. Researchers later determined that the version was indeed legitimate and CCleaner’s supply chain was jeopardized. Ultimately it was determined that Floxif, a malware downloader, was used in this instance to collect information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part.
When Equifax announced at the start of September that it had been a victim of a massive data breach and given the companies unique position of been one of the three major credit unions in the United States, everyone knew heads would roll. This feeling would only be exacerbated when late on Friday, eastern standard time, the company released a press statement detailing the incident and announcing the resignation of both the Chief Information Officer and Chief Security Officer.
The press release also confirmed that potentially the personal information of over 143 million U.S. citizens has been impacted with at least credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed. Added to that Equifax also identified unauthorized access to limited personal information for certain U.K. and Canadian residents. Many, if not all, of the above statistics regarding the incident were speculated upon in the media, the press release by Equifax serves as confirmation.
Microsoft, as part of September Patch Tuesday, has released patches for a total of 81 CVE listed vulnerabilities of varying severity. The latest security update addresses 27 critical and 54 important vulnerabilities in severity, of which 38 vulnerabilities are impacting Windows, 39 could lead to Remote Code Execution (RCE). The updates are applicable to all Microsoft products that are currently supported.
Four of the patches are known and have already been exploited in the wild. One of the vulnerabilities was previously unknown to the public with details been released on September 12. The previously unknown vulnerability was discovered by researchers at FireEye and privately reported to Windows, with both parties only releasing details to the public in conjunction with the release of the patch.
When news of hacks, data breaches, and malware attacks break on mainstream media one knows that the seriousness of the situation can be rarely questioned. When it happens to a company responsible for generating a large portion of credit scores for the American public and advertises the latest advances in ID theft protection those with a sense of humor might comment how ironic the situation is, those who may have their identities were stolen as a result probably won’t be laughing.
News broke on September 7 when Equifax announced that it had suffered a major data breach. Essentially 143 million Americans, including a few British and Canadian citizens, had their incredibly sensitive personal information exposed and potentially stolen. Information which was jeopardized included consumers' names, Social Security numbers, and birth dates for 143 million Americans, and in some instances, driving license numbers and credit card numbers for about 209,000 citizens.
This week saw security researchers announcing, not one, but two vulnerabilities within Microsoft products. Despite being warned months previously of the problems by different security labs, Microsoft has either decided to ignore them or decide that they are not a problem. The first vulnerability relates to Microsoft’s Edge browser while the second vulnerability is found within the Window’s kernel. Earlier in the year, the tech giant responded well and patched vulnerabilities in conjunction with other security firms. This led many to believe Microsoft was trying to turn the leaf with regards to security issues of which they had been criticised for previously. With the latest vulnerabilities, it seems that the leaf has remained unturned.
Researchers at Cisco Talos discovered a vulnerability in Edge which related to the Content Security Policy enforcement feature within the browser. Apple’s Safari browser and Google’s Chrome browser were discovered to have similar vulnerabilities. Unlike Microsoft, both Apple and Google patched the vulnerabilities. The patches are Safari (CVE-2017-2419) and Chrome (CVE-2017-5033), administrators are advised to make sure the latest patches are downloaded and installed if the above-mentioned browsers are used.
Fast becoming the favored banking Trojan, TrickBot has been updated to steal funds from Coinbase accounts. Coinbase seems to be having a torrid time of late with a surge of complaints from its customer base for the year so far. The rise in complaints has been a reported staggering 4,700% when compared to last year. The total for 2016 is 6 complaints. The amount for 2017 so far is sitting at 442. Any real or perceived vulnerabilities to the platform offered by Coinbase may signal battle stations.
As for TrickBot, since June of this year, it has been updated every month to target more than just the traditional banking sector. Given that recently Bitcoin reached the $5,000 mark on Friday before initiated a mass selloff and returning to $4,500, been able to steal such a highly volatile commodity must be on many hackers Christmas lists. As a malware strain, it is relatively new, first surfacing in the wild in the autumn of 2016. It is believed to be created by some of the Russian hackers behind the Dyre banking Trojan, with some of the operators being arrested in 2015 in Russia. This sentiment is shared by many within the cyber security sector.
Researchers at both ESET and Kaspersky Lab's Global Research and Analysis Team have uncovered a new backdoor allegedly used by the infamous Turla group. The backdoor has been used to spy on consulates, ministries and embassies worldwide to spy on governments and diplomats. This campaign has reportedly been in action since 2016 and it appears that embassies and consulates of old Eastern Bloc countries were the main targets of the campaign. ESET researchers have termed the backdoor Gazer while Kaspersky Lab's Global Research and Analysis Team have named it Whitebear. Despite the differing names both organisations believe it to be attributed to the Turla group, famed experts of cyber espionage who have been active since the internet was in its infancy and are alleged to have the backing from Russian Intelligence Services.
Security experts are warning against opening messages sent to Facebook users with a video link attached. Do not open the video even if sent by a friend. The video links to numerous fake websites, depending on the users OS and browser, in an attempt to install malicious software on their systems. The attackers make use of social engineering to lure the potential victim into clicking on the required links. On the initial message, it will read “< your friend name > Video” followed by a bit.ly link. Researchers are yet to determine how the malware spreads, they assume spammers are using compromised accounts, hijacked browsers, or clickjacking techniques to spread the malicious link.
David Jacoby, the researcher at Kaspersky Labs who discovered the malware when he received a message from a friend on Facebook he hardly speaks to. He immediately knew the message was suspicious and began analysing the message. In a short space of time, he discovered that the message was indeed part of an advanced and carefully crafted adware campaign capable of infecting user’s systems across platforms be they Windows, MacOS, and Linux.
Page 8 of 21<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>