Daily Archives: May 16, 2020

Ransomware Gang Demands $42 Million From Celebrity Law Firm

REvil Gang Ups Ransom Ante After Releasing Data on Lady Gaga
The operators of the REvil ransomware strain are attempting to ratchet up pressure on a New York law firm to pay a $42 million ransom before they release more data on the firm's roster of celebrity clients. So far, the cybercriminals have released about 2 GB of legal information related to Lady Gaga.

APT group targets high profile networks in Central Asia

Security firms have foiled an advanced cyber espionage campaign, carried out by a China-linked APT group, aimed at infiltrating a governmental institution and two companies.

Antivirus firms have uncovered and foiled an advanced cyber espionage campaign aimed at a governmental institution and two companies in the telecommunications and gas sectors.

The level of sophistication of the attack and the nature of the targets suggest the involvement of an advanced persistent threat, likely from China, focused on cyber espionage in Central Asia.

The attackers used multiple commodity malware families and previously unknown backdoors; analysis of their code suggests a possible link with several campaigns uncovered over the past few years.

Most of the C2 servers used by the attackers are hosted by the provider Choopa, LLC, and the threat actors made heavy use of Gh0st RAT, a malware family attributed to China-linked cyber espionage groups.

The security firms ESET and Avast first detected the attacks in September and January respectively. The researchers identified a host used as a repository for hacking tools and backdoors whose code has many similarities with malware previously associated with China-linked APT groups.

“The samples we analyzed contain links to malware samples and campaigns, such as Microcin, BYEBY, and Vicious Panda, previously described by Kaspersky, Palo Alto Networks, and Check Point, respectively. The backdoors we found are custom tools that have not previously been analyzed, as far as we know.” reads a report published by Avast. “The majority of the C&C servers are registered to Choopa, LLC, a hosting platform that has been used by cybercriminals in the past.”

Below is a timeline of the attacks that appear to be associated with the same threat actor.

[Figure: Avast APT timeline, May 2020]

“An APT group, which we believe could possibly be from China, planted backdoors to gain long-term access to corporate networks. Based on our analysis, we suspect the group was also behind attacks active in Mongolia, Russia, and Belarus.” continues Avast.

Researchers from ESET who investigated the attacks discovered three backdoors, collectively tracked as Mikroceen. The backdoors allow the threat actors to manage the target file system, establish a remote shell, take screenshots, manage services and processes, and run console commands.

Below is the list of backdoors published by ESET:

  • sqllauncher.dll (VMProtected backdoor)
  • logon.dll (VMProtected backdoor)
  • logsupport.dll (VMProtected backdoor)

Experts noticed that all three feature protection against reverse engineering (VMProtect). Two of them, “sqllauncher.dll” and “logon.dll,” run as services and use the same C2 server.

The attackers also use a version of the Mimikatz post-exploitation tool to harvest credentials and rely on Windows Management Instrumentation (WMI) for lateral movement.
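Neither ESET nor Avast publishes detection logic for these two techniques, so the following is an added example (not code from either vendor or from the page) of how a SOC would flag them in endpoint telemetry: a shell spawned by the WMI provider host (WmiPrvSE.exe), which is what WMI-based remote execution looks like on the target, and a non-system process opening lsass.exe with read rights, which is what Mimikatz-style credential dumping needs. The events are constructed and only mimic the field names of Sysmon Event ID 1 and Event ID 10; the host names, users, paths and the lsass allowlist are assumptions to be tuned per environment.

```python
from __future__ import annotations

# Constructed sample telemetry (not real data from the campaign), shaped like
# Sysmon Event ID 1 (process creation) and Event ID 10 (process access).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "FS01", "User": "CORP\\svc-backup",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1589600000.12 2>&1"},
    {"EventID": 1, "Computer": "FS01", "User": "NT AUTHORITY\\SYSTEM",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\wbem\WMIADAP.exe",
     "CommandLine": "wmiadap.exe /F /T /R"},
    {"EventID": 1, "Computer": "WS07", "User": "CORP\\alice",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},
    {"EventID": 10, "Computer": "FS01",
     "SourceImage": r"C:\Users\Public\mk.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1010"},
    {"EventID": 10, "Computer": "FS01",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe",
     "GrantedAccess": "0x1000"},
]

# Binaries the WMI provider host has no business spawning for a normal
# management query; WMI remote-execution tooling typically launches these.
WMI_SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe",
                           "regsvr32.exe", "mshta.exe", "wscript.exe",
                           "cscript.exe", "certutil.exe"}

# PROCESS_VM_READ is required to read credential material out of lsass memory;
# handles without it (e.g. 0x1000, query-limited-information) are routine noise.
PROCESS_VM_READ = 0x0010

# Assumed allowlist of processes that legitimately open lsass with read rights
# (OS components, AV/EDR engines); tune to the environment.
LSASS_ALLOWED_ACCESSORS = {"csrss.exe", "wininit.exe", "services.exe",
                           "msmpeng.exe", "svchost.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_wmi_remote_exec(event: dict) -> dict | None:
    """Process creation where WmiPrvSE.exe is the parent of a shell/LOLBin."""
    if event.get("EventID") != 1:
        return None
    if basename(event.get("ParentImage", "")) != "wmiprvse.exe":
        return None
    child = basename(event.get("Image", ""))
    if child not in WMI_SUSPICIOUS_CHILDREN:
        return None
    return {"rule": "wmi_remote_exec", "computer": event.get("Computer"),
            "user": event.get("User"), "child": child,
            "command_line": event.get("CommandLine")}


def detect_lsass_credential_access(event: dict) -> dict | None:
    """Non-allowlisted process opening lsass.exe with PROCESS_VM_READ."""
    if event.get("EventID") != 10:
        return None
    if basename(event.get("TargetImage", "")) != "lsass.exe":
        return None
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    if not granted & PROCESS_VM_READ:
        return None
    source = basename(event.get("SourceImage", ""))
    if source in LSASS_ALLOWED_ACCESSORS:
        return None
    return {"rule": "lsass_credential_access", "computer": event.get("Computer"),
            "source": source, "granted_access": hex(granted)}


DETECTIONS = (detect_wmi_remote_exec, detect_lsass_credential_access)


def run_detections(events: list[dict]) -> list[dict]:
    """Run every detection over every event and collect the alerts in order."""
    alerts = []
    for event in events:
        for detect in DETECTIONS:
            alert = detect(event)
            if alert is not None:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

The WMI rule also fires when an administrator legitimately runs remote commands over WMI, so in practice it is correlated with the account used and with the redirect-to-ADMIN$ pattern in the command line rather than acted on alone; Event ID 10 must be enabled in the Sysmon configuration for the lsass rule to have any data at all.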

“Avast reported its findings to the local CERT team and reached out to the telecommunications company. We have not heard back from either organization.” concluded Avast.

“Avast has recently protected users in Central Asia from further attacks using the samples we analyzed.”

Both Avast and ESET have published lists of indicators of compromise (IoCs) for these threats.

Pierluigi Paganini

(SecurityAffairs – Microcin malware, hacking)

The post APT group targets high profile networks in Central Asia appeared first on Security Affairs.

Is Your Child Being Cyberbullied? What Parents Need to Know


In this season of social distancing, teens need their friends more than ever. Daily digital connection — through texting, video chat, social networks, and gaming — is critical to keeping friend groups strong. But could increased time online these days lead to an increase in cyberbullying?

While there isn’t data to answer that question definitively, it wouldn’t be surprising for parents to notice some signs of conflict surface as the months continue to creep by. And, with re-open dates for schools in limbo, it’s more important than ever to keep the family safety conversation humming.

For clarity: Allowing more screen time doesn’t mean more cyberbullying or conflict is certain to occur. However, experience has taught us that more screen time does increase the potential for digital conflict.

Social and Emotional Fallout

This unprecedented health event hasn’t been easy on anyone, but kids especially are likely to be holding onto some big emotions about it. A recent Common Sense Media study confirms that social media has been key to helping kids get through this crisis, but one in four kids surveyed feels “more lonely than usual.”

The school year with its milestones — proms, graduations, dates, parties — ended abruptly. It’s logical to assume these losses have sparked feelings of sadness, anger, frustration, and anxiety. And because online is where most kids connect with peers, these emotions can easily play out there in the form of aggressive behavior, conflict, or persistent drama.

Digital Awareness


So how do you know if your child is being cyberbullied or dealing with conflict online? It isn’t always easy simply because so many kids won’t admit to being bullied. Often they believe telling an adult will make the harassment worse. They may feel ashamed or embarrassed about a regretful situation or the fact that they’re being targeted in the first place. For that reason, one of the best ways to help your child is to be aware of the time they spend online, the people they connect with, and how those digital circles impact their wellbeing.

What to Look For

The many forms of cyberbullying continue to evolve alongside the digital culture. Here are just a few ways kids bully one another.


  • Saying hurtful or intimidating things to someone on social media, a text, or email.
  • Making negative comments about a person’s sexuality, race, religion, handicaps, or physical features.
  • Camouflaging hurtful or threatening comments with words like “jk” (just joking).
  • Asking online friends to vote for or against another person, with Instagram polls or captions such as “Is this person hot or not?” or “Would you go out with this person?”
  • Posting or sharing with others the private photos, memes, emails, texts, or secrets without the permission of another person.
  • Intentionally posting unflattering or embarrassing photos of another person.
  • Spreading rumors or false information about another person online.
  • Making any threat to another person no matter how harmless you think it may be.

Signs of Cyberbullying

If your child is getting bullied online, there are some potential signs.

  • Anxious or upset after reading a text, frequently gets sick or nauseous, declines invitations from friends, or bows out of fun family outings.
  • Trouble sleeping or being withdrawn or moody.
  • Being protective of his or her phone, deleting or deactivating social networks.
  • Sudden loss of a steady friend group or sudden complaining about once-loved friends.
  • Loss of interest in favorite sports or hobbies or a decline in grades.
  • References to suicide, loneliness, and hopelessness (when severe bullying is taking place).

Know Where They Go

Another way to understand your child’s emotional connection to his or her digital communities is to learn about their favorite platforms and monitor them. Pay specific attention to the tone of his or her social threads. And, if you see concerning comments or posts, ask your child how you can help. If your child is using risky apps such as WhatsApp or Kik, which allow people to use the app anonymously, discuss your concerns with your child. Some social networks are more conducive to cyberbullying than others.

Monitor Gaming Communities

Gaming time can skyrocket during the summer, and when games get competitive, cyberbullying can happen. Spend time with your child while he or she is gaming. Listen to the tone of the conversations and be aware of your child’s demeanor. For your child’s physical and emotional health, make every effort to set gaming limits as summer approaches.

Parenting Moves to Avoid

Bullying experts will tell you that what you don’t do if your child is getting bullied is often as important as what you do. Here’s some insight:

1) Never advise a child to ignore the bullying.
2) Never blame a child for being bullied even if he or she did something to aggravate the bullying. No one deserves to be bullied.
3) As angry as you feel that someone is bullying your child, do not encourage your child to fight back physically.
4) Don’t overreact; escalate accordingly. If you can identify the bully, consider talking with the child’s parents.
5) Don’t lead the charge. Give your child veto power over your involvement. If they say they don’t want you to get involved (unless you suspect physical danger or suicide), respect that.
6) If the bullying continues to escalate, report it, and seek help from school counselors or the police if necessary.
7) Even if you are fearful, don’t take your child’s digital devices away. He or she didn’t do anything wrong.

Online Resources

A number of organizations are leading the charge against cyberbullying and have fantastic resources for families. Here are just a few: Cyberbullying Research Center, StopBullying.gov, StompOutBullying.org, KindCampaign.com, ItGetsBetter.org, and the National Bullying Prevention Center. If you’d like your organization added to this list, please leave a comment.

We hope you and your family are staying healthy these days and finding some time to talk about online safety. If you need a refresher, read Part I and Part II of our Online Safety Basics series. And, if you’re looking for a fun school lesson for the day, you can always quiz your kids on any of McAfee’s Family Safety content!

The post Is Your Child Being Cyberbullied? What Parents Need to Know appeared first on McAfee Blogs.

Microsoft is open-sourcing COVID-19 threat intelligence

Microsoft has recently announced that it has made some of its COVID-19 threat intelligence open-source. 

As the number of Coronavirus-themed attacks continues to increase, Microsoft has announced that it is open-sourcing its COVID-19 threat intelligence to help organizations repel these threats.

“Microsoft processes trillions of signals each day across identities, endpoint, cloud, applications, and email, which provides visibility into a broad range of COVID-19-themed attacks, allowing us to detect, protect, and respond to them across our entire security stack.” reads a post published by Microsoft. “Today, we take our COVID-19 threat intelligence sharing a step further by making some of our own indicators available publicly for those that are not already protected by our solutions.”

Sharing information could offer the community a more complete view of attackers’ tactics, techniques, and procedures.

Microsoft experts have already been sharing examples of malicious lures and have provided guided hunting of COVID-themed attacks through Azure Sentinel Notebooks.


Microsoft is going to publicly release some of its threat indicators; the company pointed out that its customers are already protected against these attacks by Microsoft Threat Protection (MTP).

Microsoft has made available the indicators both in the Azure Sentinel GitHub repo, and through the Microsoft Graph Security API.

“These indicators are now available in two ways. They are available in the Azure Sentinel GitHub and through the Microsoft Graph Security API. For enterprise customers who use MISP for storing and sharing threat intelligence, these indicators can easily be consumed via a MISP feed.” continues Microsoft.

“This threat intelligence is provided for use by the wider security community, as well as customers who would like to perform additional hunting, as we all defend against malicious actors seeking to exploit the COVID crisis.”

According to Microsoft, this is just the beginning of the sharing of Coronavirus-related IoCs, which will continue through the peak of the outbreak.

For now, Microsoft is releasing file hash indicators related to malicious email attachments employed in the campaigns.

Azure Sentinel customers can import the indicators using a Playbook or access them directly from queries. Microsoft added that both Office 365 ATP and Microsoft Defender ATP already block the attacks associated with the above indicators.
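Organizations that are not on Azure Sentinel or MISP still need a way to put a feed of file hashes to work. The following is an added example (not Microsoft's code, and not tied to the exact layout of the Azure Sentinel GitHub feed) of the minimal consumer: load hash indicators from a CSV export, normalize them, and check e-mail attachments against the set. The feed text, its column names (DateCreated, HashType, Hash, Description) and the attachment contents are constructed for the example; the one thing carried over from the article is that only SHA256 indicators of attachments are matched.

```python
from __future__ import annotations

import csv
import hashlib
import io


def sha256_bytes(data: bytes) -> str:
    """Lower-case hex SHA-256 of an in-memory blob."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large attachments are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


# Constructed attachment contents standing in for files pulled from a mailbox.
SAMPLE_ATTACHMENTS = {
    "invoice_covid19_relief.doc": b"\xd0\xcf\x11\xe0 constructed lure document",
    "meeting_notes.pdf": b"%PDF-1.4 constructed benign document",
}

# Constructed feed (assumed column layout). It deliberately mixes upper-case
# hex, stray whitespace and a non-SHA256 row so the loader has to normalize.
SAMPLE_FEED_CSV = "\n".join([
    "DateCreated,HashType,Hash,Description",
    "2020-05-14,SHA256,"
    + sha256_bytes(SAMPLE_ATTACHMENTS["invoice_covid19_relief.doc"]).upper()
    + ",COVID-19 relief lure attachment",
    "2020-05-14,SHA256, " + "0" * 63 + "1" + " ,Unrelated sample",
    "2020-05-14,MD5,d41d8cd98f00b204e9800998ecf8427e,Empty-file MD5 (ignored here)",
])

HEX_DIGITS = set("0123456789abcdef")
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64}


def load_hash_indicators(csv_text: str, hash_type: str = "SHA256") -> dict[str, str]:
    """Return {hash: description} for rows of the requested hash type.

    Hashes are normalized to lower-case hex with whitespace stripped; rows whose
    value is not hex of the right length are skipped rather than silently
    producing an indicator that can never match."""
    hash_type = hash_type.upper()
    expected_len = HASH_LENGTHS[hash_type]
    indicators: dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if (row.get("HashType") or "").strip().upper() != hash_type:
            continue
        value = (row.get("Hash") or "").strip().lower()
        if len(value) != expected_len or not set(value) <= HEX_DIGITS:
            continue
        indicators[value] = (row.get("Description") or "").strip()
    return indicators


def scan_attachments(attachments: dict[str, bytes], indicators: dict[str, str]) -> list[dict]:
    """Hash each attachment and report those present in the indicator set."""
    hits = []
    for name, data in attachments.items():
        digest = sha256_bytes(data)
        if digest in indicators:
            hits.append({"attachment": name, "sha256": digest,
                         "description": indicators[digest]})
    return hits


if __name__ == "__main__":
    iocs = load_hash_indicators(SAMPLE_FEED_CSV)
    for hit in scan_attachments(SAMPLE_ATTACHMENTS, iocs):
        print(f"{hit['attachment']}: {hit['sha256']} ({hit['description']})")
```

Hash indicators are exact-match only, so a single byte changed in the lure defeats them; treat a hit as high confidence and a miss as no information, and refresh the set on every feed update rather than caching it.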

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

The post Microsoft is open-sourcing COVID-19 threat intelligence appeared first on Security Affairs.

QNodeService Trojan spreads via fake COVID-19 tax relief

Experts spotted a new malware dubbed QNodeService that was involved in a Coronavirus-themed phishing campaign in which crooks promise victims COVID-19 tax relief.

Researchers uncovered a new malware dubbed QNodeService that was employed in a Coronavirus-themed phishing campaign. The operators behind the campaign use a COVID-19 lure promising victims tax relief.

The phishing messages carry a Trojan sample in a file named “Company PLP_Tax relief due to Covid-19 outbreak CI+PL.jar”; experts from MalwareHunterTeam noticed that the malicious code was detected only by ESET's AV engine.

The QNodeService Trojan is written in Node.js and is delivered through a Java downloader embedded in the .jar file, Trend Micro warns. 

“Running this file led to the download of a new, undetected malware sample written in Node.js; this trojan is dubbed as “QNodeService”.” reads the analysis published by Trend Micro.

“The use of Node.js is an unusual choice for malware authors writing commodity malware, as it is primarily designed for web server development, and would not be pre-installed on machines likely to be targeted. However, the use of an uncommon platform may have helped evade detection by antivirus software.”

QNodeService is able to perform a broad range of activities, such as downloading, uploading and executing files, stealing credentials from the Chrome and Firefox browsers, and managing files. The malware can also collect system information, including IP address and location, download additional payloads, and exfiltrate stolen data. The current malware only targets Windows systems, but experts believe that its developers are working to make it a cross-platform threat.

The Java downloader embedded in the bait document is obfuscated with Allatori; once run, it downloads the Node.js malware file (either “qnodejs-win32-ia32.js” or “qnodejs-win32-x64.js”) and a file called “wizard.js.”

Either a 32-bit or 64-bit version of Node.js is dropped depending on the Windows system architecture of the target machine. 

The wizard.js file is an obfuscated JavaScript (Node.js) file used to achieve persistence by creating a “Run” registry key entry and to download another malicious payload.
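A Run-key entry that launches a Node.js script is an unusual thing to find on a workstation that has no business running Node.js, which makes the persistence step the easiest part of this chain to hunt for. The following is an added example (not Trend Micro's code and not drawn from its report) that parses a Run key exported with `reg export` (the .reg text format) and flags entries that invoke a script host or point at a .js file. The export text, the value names and the paths are constructed; the only names taken from the article are node and wizard.js.

```python
from __future__ import annotations

import re

# Constructed .reg export of a user's Run key (not a real host). The third
# entry is the shape a Node.js-based persistence entry would take; its value
# name and paths are assumptions for the example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Windows Update Helper"="\"C:\\Users\\alice\\AppData\\Roaming\\node.exe\" \"C:\\Users\\alice\\AppData\\Roaming\\wizard.js\""
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data ; the name may contain escaped quotes and backslashes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

SCRIPT_HOSTS = ("node.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")
STRONG_REASONS = {"script host in command", "JavaScript file argument"}


def unescape(value: str) -> str:
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> " in one pass."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_run_entries(reg_text: str) -> dict[str, str]:
    """Return {value name: command} for every Run/RunOnce key in a .reg export.

    Only REG_SZ values (quoted strings) are collected; hex:/dword: data is
    skipped because a Run entry is always a command line."""
    entries: dict[str, str] = {}
    in_run_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            in_run_key = key.group(1).lower().endswith(("\\run", "\\runonce"))
            continue
        if not in_run_key:
            continue
        match = VALUE_RE.match(line)
        if not match:
            continue
        data = match.group(2)
        if data.startswith('"') and data.endswith('"') and len(data) >= 2:
            entries[unescape(match.group(1))] = unescape(data[1:-1])
    return entries


def assess_command(command: str) -> list[str]:
    """Reasons a Run command deserves a look; an empty list means nothing found."""
    lowered = command.lower()
    reasons = []
    if any(host in lowered for host in SCRIPT_HOSTS):
        reasons.append("script host in command")
    if re.search(r"\.js\b", lowered):
        reasons.append("JavaScript file argument")
    if any(path in lowered for path in USER_WRITABLE):
        reasons.append("runs from user-writable path")
    return reasons


def find_suspicious_run_entries(entries: dict[str, str]) -> list[dict]:
    """Flag entries with a strong signal (script host or .js payload).

    A user-writable path on its own is reported as supporting evidence only,
    since plenty of legitimate software (OneDrive, for one) starts from
    AppData."""
    hits = []
    for name, command in entries.items():
        reasons = assess_command(command)
        if STRONG_REASONS & set(reasons):
            hits.append({"name": name, "command": command, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_run_entries(parse_run_entries(SAMPLE_REG_EXPORT)):
        print(f"{hit['name']}: {hit['command']}\n  {', '.join(hit['reasons'])}")
```

On a live host the input comes from `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM counterpart); real exports are UTF-16 with a BOM, so decode them as utf-16 before passing the text in. Developers who legitimately run Node.js at logon will trip the script-host rule, which is why the output is a hunt lead rather than an automatic block.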

One of the most interesting features implemented by QNodeService is support for an “http-forward” command, which allows attackers to retrieve files from the infected machine without directly connecting to the victim’s PC.

“Of particular note is the http-forward command, which allows an attacker to download a file without directly connecting to the victim machine, as shown below in figures 13-16.” continues Trend Micro. “However, a valid request path and access token are required to access files on the machine. The C&C server must first send “file-manager/forward-access” to generate the URL and access token to use for the http-forward command later.”

Trend Micro researchers included Indicators of Compromise (IoCs) in their report.

Unfortunately, Coronavirus-themed attacks continue to target individuals, businesses, and organizations worldwide.

At the end of March, experts from IBM X-Force uncovered a hacking campaign employing the Zeus Sphinx malware that focused on government relief payment.

The operators spread it in a spam campaign aimed at stealing victims’ financial information; the spam messages sent to the victims claim to provide information related to the Coronavirus outbreak and government relief payments.

Researchers revealed that the malware is receiving constant upgrades to improve its capabilities. 

Pierluigi Paganini

(SecurityAffairs – Coronavirus, hacking)

The post QNodeService Trojan spreads via fake COVID-19 tax relief appeared first on Security Affairs.