Author Archives: David Bisson

Malware Using Memes Posted on Twitter as C&C Service

Researchers have observed a new threat using malicious memes posted on Twitter to receive command-and-control (C&C) instructions. Trend Micro observed that the malicious activity begins after a threat detected as “TROJAN.MSIL.BERBOMTHUM.AA” executes on an infected machine. As of this writing, the Japanese multinational digital security firm had not identified the delivery mechanism for the malware. […]… Read More

The post Malware Using Memes Posted on Twitter as C&C Service appeared first on The State of Security.

Office 365 Phishing Attack Using Fake Non-Delivery Notifications

A new phishing attack is using fake non-delivery notifications in an attempt to steal users’ Microsoft Office 365 credentials. SANS ISC Handler Xavier Mertens discovered the attack while reviewing data captured by his honeypots. The attack begins when a user receives a fake non-delivery notification from Microsoft such as the one shown below: For the […]… Read More

The post Office 365 Phishing Attack Using Fake Non-Delivery Notifications appeared first on The State of Security.

Hide ‘N Seek Botnet Continues to Grow by Infecting IoT Devices Using Default Credentials

Avast security analysts reported that the Hide ‘N Seek botnet continues to grow by infecting vulnerable Internet of Things (IoT) devices still using their default passwords.

According to Avast, the Hide ‘N Seek botnet comes with two main functionalities. The first capability involves the use of a scanner borrowed from Mirai malware to reach random IP addresses of IoT devices and abuse well-known exploits. If this doesn’t work, the scanner attempts to brute-force access to an IoT device using a hard-coded list of default passwords.

For its second functionality, the IoT botnet uses a peer-to-peer (P2P) protocol to share information about new peers, exfiltrate files from an infected device and distribute new binaries, including some for a Monero cryptocurrency miner. Avast’s researchers believe the Monero miner was just a test and that the attackers’ true intentions are still unknown.

A Busy Year for Hide ‘N Seek

Bitdefender researchers were the first to spot the Hide ‘N Seek botnet in January 2018. A few months later, Bitdefender reported the threat had added code that abused two new vulnerabilities affecting Internet Protocol television (IPTV) camera models to scan for a larger pool of vulnerable devices and to achieve persistence on an infected IoT product.

More improvements followed in July, when 360 Netlab observed additional exploits and a then-inactive mining program. Two months later, Bitdefender discovered yet another update when Hide ‘N Seek gained the ability to exploit the Android Debug Bridge (ADB) over Wi-Fi feature in Android devices.

The botnet’s evolution is of particular concern given the overall growth in IoT threats. In just the first half of 2018, Kaspersky Lab detected 121,588 IoT malware samples — three times as many samples uncovered for all of 2017.

How to Defend Your Organization Against IoT Botnets

Security professionals can help defend against IoT botnets by changing all default passwords on their organization’s devices. Toward this end, security teams should also build an incident response team that can oversee software patches and disclose any breaches.

Sources: Avast, Bitdefender, Bitdefender (1), 360 Netlab, Bitdefender(2), Kaspersky Lab

The post Hide ‘N Seek Botnet Continues to Grow by Infecting IoT Devices Using Default Credentials appeared first on Security Intelligence.

KoffeyMaker Toolkit Used in Black Box ATM Attacks Against Eastern European Banks

In 2017 and 2018, threat actors utilized a toolkit called KoffeyMaker in multiple black box ATM attacks targeting Eastern European financial institutions.

When Kaspersky Lab investigated KoffeyMaker in connection with the attacks, researchers discovered that the devices in the campaign consisted of Windows laptops containing ATM dispenser drivers and a patched KDIAG tool.

Those behind the attacks secretly opened an ATM at each targeted bank, connected the device to the cash dispenser, closed the ATM and walked away with the device still inside the machine.

Returning at a later time, attackers leveraged a USB GPRS modem to gain remote access to the device, run the KDIAG tool and execute a command for the ATM to dispense bank notes before retrieving the laptop — all while another attacker collected the money. Together, they then made their escape with potentially tens of thousands of dollars in tow.

ATM Attacks Aren’t New to Europe

Attacks like those involving KoffeyMaker aren’t new. As reported by Information Security Media Group (ISMG), the number of jackpotting attacks against ATMs in European countries grew by 231 percent in 2017. Of those attacks, the majority were black box campaigns. One of these cases involved the use of Cutlet Maker, ATM malware detected by Kaspersky Lab that is not unlike KoffeyMaker in its design.

Fortunately, law enforcement had some success in arresting criminals during that same span of time. In one of the most noteworthy takedowns, several EU member states and Norway, supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), arrested 27 individuals responsible for conducting black box ATM attacks across Europe.

How to Defend Against Tools Like KoffeyMaker

According to Kaspersky Lab, the only way for banks to defend against black box attacks is to use hardware encryption between an ATM’s computer and dispenser. Organizations should also implement a stronger data security strategy. This plan should include the use of encryption to protect sensitive cloud-based data.

Sources: Kaspersky Lab, ISMG, Kaspersky Lab (1), EC3

The post KoffeyMaker Toolkit Used in Black Box ATM Attacks Against Eastern European Banks appeared first on Security Intelligence.

Save the Children Federation Tricked Into Sending $1 Million to Scammers

Scammers tricked Save the Children Federation, a well-known U.S. charity, into sending them approximately one million dollars. As reported by The Boston Globe, digital attackers compromised the email account of a Save the Children Federation employee sometime in 2017. They then abused that access to issue a series of fake invoices and documents designed to […]… Read More

The post Save the Children Federation Tricked Into Sending $1 Million to Scammers appeared first on The State of Security.

CARROTBAT Malware Family Supports at Least 12 Unique Decoy Documents

A malware family known as CARROTBAT is currently supporting at least 12 unique decoy documents to reel in unsuspecting users.

Palo Alto Networks’ Unit 42 threat research team came across CARROTBAT back in 2017 while investigating a cyberattack against the British government. Further analysis revealed that the malware family functions as part of Fractured Block, an attack campaign targeting Southeast Asia that uses lures related to North and South Korea. The operation also leverages cryptocurrency-related subject matter to lure potential victims.

The malware functions as a dropper that enables attackers to drop and deploy an embedded decoy file. Once a user opens the decoy file, an obfuscated command executes on the system, causing a payload to run on the targeted machine.

In all, Unit 42 observed 29 samples of the malware family with compile dates ranging from March 2018 to September 2018. Those samples used a combined 12 different decoy files in their attacks.

Ties to Other Digital Threats

CARROTBAT has ties to other digital threats that are currently in circulation. Unit 42 came across four executable files belonging to the malware after pivoting on a domain that hosted SYSCON back in December 2017. First reported on by Trend Micro, SYSCON is an unsophisticated malware family known for using file transfer protocol (FTP) as a command-and-control (C&C) communication channel.

Researchers also found a sample of Konni, a remote access Trojan analyzed by Cisco Talos in May 2017, residing on the same domain hosting SYSCON at the time of CARROTBAT’s discovery. Palo Alto Networks said it’s still investigating these relationships, but researchers suspect this combined threat activity “may all belong to the same threat actor.”

Use UEM to Detect Malware Like CARROTBAT

Security professionals can defend their organizations against malware like CARROTBAT with the help of a unified endpoint management (UEM) solution that offers mobile threat management and other advanced features. They should also consider using deception to mislead malware attacks, especially those powered by artificial intelligence (AI).

Source: Palo Alto Networks, Trend Micro, Cisco Talos

The post CARROTBAT Malware Family Supports at Least 12 Unique Decoy Documents appeared first on Security Intelligence.

Saipem Identified a Digital Attack against Some of Its Servers

Italian oil and gas industry contractor Saipem has announced that it identified a digital attack against some of its servers. On 10 December, Saipem published a statement on its website in which it revealed the attack and said it was in the process of collecting information to determine the impact on its systems and the […]… Read More

The post Saipem Identified a Digital Attack against Some of Its Servers appeared first on The State of Security.

Popular JavaScript Library for Node.JS Infected With Malware to Empty Bitcoin Wallets

A version of a popular JavaScript library for Node.js contained malicious code for several months that enabled digital attackers to access users’ bitcoin wallets.

At the end of November, GitHub user Ayrton Sparling (aka FallingSnow) reported that someone had added malicious code to EventStream, a toolkit for Node.js that makes it easier for developers to create and work with data streams. The code became active in September when right9ctrl, the new owner of the library, published version 3.3.6 of EventStream. This version came with a dependency called flatmap-stream, which contained the malware.

The creator of flatmap-stream designed the module to steal bitcoin from Copay wallets, a wallet app designed by BitPay. The module then used Node Package Manager (NPM) to transfer the stolen bitcoins to a server located in Kuala Lumpur, Malaysia. NPM has since removed the backdoor.

According to Trend Micro, millions of developers downloaded the malicious code, since the module’s use of encryption enabled flatmap-stream to go undetected for more than two months.

Attacks Against Bitcoin Wallets on the Rise

Digital attackers aren’t new to the idea of stealing bitcoins out of users’ wallets. As reported by Carbon Black, these heists contributed to the loss of $1.1 billion in bitcoin during the first five months of 2018.

Some bad actors have also made a lot of money emptying cryptocurrency wallets. For instance, CoinDesk reported an attack that stole $78 million worth of bitcoin from the wallets of NiceHash, a cryptocurrency mining marketplace. News of this attack came less than a year after Cisco Talos uncovered CoinHoarder, a threat group that netted $50 million in three years by phishing blockchain.info users for access to their wallets.

How to Protect Against Cryptocurrency-Related Threats

Security professionals can help protect against bitcoin-related threats by training employees not to open suspicious emails designed to steal their credentials for cryptocurrency wallets and other accounts. They should also develop an endpoint security strategy built around artificial intelligence (AI) and machine learning to help defend against threats like crypto-mining malware.

Sources: Trend Micro, Carbon Black, CoinDesk, Cisco Talos

The post Popular JavaScript Library for Node.JS Infected With Malware to Empty Bitcoin Wallets appeared first on Security Intelligence.

Bug Affected 52.5 Million Users in Connection with a Google+ API

A bug connected to a Google+ API potentially exposed the profile information belonging to 52.5 million users of Google’s social network. According to David Thacker, VP of Product Management for G Suite, a software update in November introduced the weakness. This bug enabled apps that requested visibility of 52.5 million Google+ users’ name, email address, […]… Read More

The post Bug Affected 52.5 Million Users in Connection with a Google+ API appeared first on The State of Security.

New Sextortion Scam Campaign Delivering GandCrab Ransomware

Digital criminals have launched a new sextortion campaign that attempts to infect users’ computers with a version of GandCrab ransomware. On 5 December, researchers at Proofpoint observed a scam operation spewing out thousands of emails to users primarily based in the United States. Its emails followed the same model as those of an earlier campaign […]… Read More

The post New Sextortion Scam Campaign Delivering GandCrab Ransomware appeared first on The State of Security.

Sednit Threat Group Adds Delphi Dropper and Mail Downloader to Zebrocy Toolset

The Sednit threat group recently added a Delphi dropper and mail downloader to its Zebrocy tool set of downloaders, droppers and backdoors.

Researchers from ESET detected a new phishing campaign distributing the malware. The operation begins with a Delphi dropper that, once activated, loads and executes an Ultimate Packer for Executables (UPX)-packed Microsoft Intermediate Language (MSIL) downloader. This downloader gathers more than a dozen pieces of information and sends them to the attackers via email to retrieve a Delphi mail downloader.

A new addition to Zebrocy distribution campaigns, the Delphi mail downloader enables Sednit to assess the importance of an infected machine. The attackers then proceed with the campaign using the Delphi mail downloader to exfiltrate data and retrieve commands from the operator via emails and passwords. The mail downloader ultimately drops a Delphi downloader, which is responsible for executing the final Delphi backdoor payload.

Zebrocy: A Brief History

According to ESET, Sednit has been distributing the Zebrocy malware since at least 2016. In those operations, the family consisted largely of three components: a Delphi downloader, an AutoIt downloader and a Delphi backdoor. In some cases, the threat group omitted the Delphi downloader entirely.

Sednit’s decision to start a campaign with a dropper and use a Delphi mail downloader marks a new stage of delivery for its toolset; so does its decision to use the same weaponized documents for distributing multiple payloads. Palo Alto Networks witnessed this firsthand when it observed a campaign distributing Zebrocy and Cannon, a new first-stage payload that uses email as its command-and-control (C&C) communication channel.

How to Defend Against Threat Groups Like Sednit

Security professionals can help defend their organizations against phishing attacks by taking a layered approach to email security that involves mail scanning, perimeter protection and antispam measures. They should also invest in awareness training for all employees.

Sources: ESET, ESET(1), Palo Alto Networks

The post Sednit Threat Group Adds Delphi Dropper and Mail Downloader to Zebrocy Toolset appeared first on Security Intelligence.

Linux Rabbit and Rabbot Malware Leveraged to Install Cryptominers

Digital attackers used new malware called “Linux Rabbit” and “Rabbot” to install cryptominers on targeted devices and servers. In August 2018, researchers at Anomali Labs came across a campaign where Linux Rabbit targeted Linux servers located in Russia, South Korea, the United Kingdom and the United States. The malware began by using Tor hidden services […]… Read More

The post Linux Rabbit and Rabbot Malware Leveraged to Install Cryptominers appeared first on The State of Security.

More Than 100,000 PCs in China Infected by New Ransomware Strain

A new ransomware strain successfully infected more than 100,000 personal computers in China over a period of just four days. According to a report from Velvet Security, the first samples of this ransomware broke out on 1 December after users installed multiple social media-themed apps including “Account Operation V3.1,” an app designed to help users […]… Read More

The post More Than 100,000 PCs in China Infected by New Ransomware Strain appeared first on The State of Security.

Threat Actors Use Malspam Campaign to Target Italian Users With sLoad Downloader

Security researchers identified a malspam campaign targeting Italian users with a variant of the sLoad downloader.

In October and November, CERT-Yoroi detected a series of malicious email messages that shared common techniques. Each malicious sample arrived as a compressed ZIP archive containing two files: an LNK file pretending to point to a system folder and a hidden JPEG image stored with HA attributes.

When a user clicks on the link, the file uses a batch script to run a PowerShell script, which searches for another ZIP file. If it exists, the PowerShell script extracts code from that file and uses it to download other scripts. Among those other scripts are “NxPgKLnYEhMjXT.ps1,” which installs the sLoad implant on the victim’s machine.

Successful execution enables sLoad to collect information about the infected computer and periodically capture screenshots, among other functionality. It then sends this data to attackers via command and control (C&C) channels before receiving additional PowerShell code, behavior that is characteristic of Trojans and spyware.

sLoad: The Latest PowerShell-Borne Threat

This isn’t the first time that security researchers have detected attacks utilizing sLoad. In May 2018, the SANS Internet Storm Center (ISC) identified a PowerShell script targeting customers of major U.K. banks. Further analysis tied this activity to hxxps://cflfuppn[.]eu/sload/run-first.ps1.

Together, these campaigns targeting Italian and U.K. users represent the latest activity of just one threat delivered by PowerShell scripts. IBM X-Force Incident Response and Intelligence Services (IRIS) observed an increase in PowerShell attacks between 2017 and 2018. This finding coincides with Symantec’s detection of a 661 percent increase in the number of computers registering blocked PowerShell activity between mid-2017 and mid-2018.

How Security Professionals Can Block a Malspam Campaign

Security professionals can help defend their organizations against malspam campaigns by investing in awareness training that instructs employees to avoid suspicious links and email attachments. IBM X-Force IRIS also recommends using physical security controls to block the abuse of PowerShell scripts, and integrating security information and event management (SIEM) and endpoint detection and response (EDR) tools to provide an additional layer of protection.

Sources: Yoroi, SANS ISC, Symantec

The post Threat Actors Use Malspam Campaign to Target Italian Users With sLoad Downloader appeared first on Security Intelligence.

Thanksgiving Spam Campaign Use Obfuscation to Deliver Emotet Banking Trojan

Researchers uncovered a Thanksgiving-themed spam campaign that uses obfuscation to deliver the Emotet banking Trojan.

Trustwave’s SpidersLab came across a campaign that attempted to trick recipients into opening a fake Thanksgiving-themed e-card. The card was actually a Microsoft Word document saved as XML. This format helped the attack email evade malware filters and scanners.

Upon opening the document, researchers observed a small TextFrame object sitting in the top-left corner. Expanding this object revealed an obfuscated Command Prompt (CMD) shell that included an obfuscated PowerShell command. Once executed, the command downloaded a binary from one of five URLs, saved it to the Windows temporary file and executed it.

All the binary files delivered by the campaign were Emotet, a banking Trojan known for its ability to steal information from emails and web browsers.

Scam Campaigns Abound Around the Holidays

Fraudsters don’t just limit their holiday-themed spam campaigns to fake Thanksgiving e-cards. According to FBI Jacksonville, bad actors commonly resort to at least four different types of ruses around the holidays, including online shopping scams advertising offers that are too good to be true and fake social media contests that use surveys to steal people’s personal information.

Even if they do take time off during the holidays, fraudsters don’t usually wait too long to get back to business-as-usual. Case in point: Malwarebytes observed a large spam campaign delivering Neutrino bot within the first two weeks of 2017.

How to Defend Against Holiday-Related Spam

The United States Computer Emergency Response Team (US-CERT) urges consumers to defend against holiday-related spam by avoiding suspicious links and email attachments. In the meantime, organizations should increase their network monitoring during the holiday season and use various types of threat intelligence to defend against and block new spam campaigns.

Sources: Trustwave’s SpidersLab, FBI Jacksonville, Malwarebytes, US-CERT

The post Thanksgiving Spam Campaign Use Obfuscation to Deliver Emotet Banking Trojan appeared first on Security Intelligence.

Security Incident Potentially Exposed 100 Million Quora Users’ Personal Data

A security incident at Quora potentially compromised the personal information and other details of approximately 100 million users. On 30 November, the question-and-answer website identified that a third party had gained access to one of its systems and compromised the data of 100 million users. The information potentially exposed by the incident included users’ names, […]… Read More

The post Security Incident Potentially Exposed 100 Million Quora Users’ Personal Data appeared first on The State of Security.

Marriott Reveals Security Incident Involving Starwood Reservation Database

Marriott announced that it recently detected and addressed a security incident involving the Starwood guest reservation database. On 30 November, Marriott revealed that an internal investigation had found evidence of unauthorized access to the database containing guests’ reservation information at Sheraton hotels and other Starwood properties on or before 10 September 2018. The American multinational […]… Read More

The post Marriott Reveals Security Incident Involving Starwood Reservation Database appeared first on The State of Security.

Sofacy Group Targets Government Organizations With New Cannon Trojan

The Sofacy group recently targeted several government organizations around the world with the new Cannon Trojan.

In late October and early November, the Palo Alto Networks Unit 42 threat research team collected multiple weaponized documents targeting government organizations. The researchers couldn’t analyze all the files because the command-and-control (C&C) servers for some of them were down, but they managed to glean some valuable insights from two of the documents in particular.

The first file is a Microsoft Word document that loads a malicious macro when a user clicks the “enable content” button. This macro employs the AutoClose function to prevent Word from executing the malicious code until the user closes the document, thereby evading detection. At that point, the macro loads Zebrocy, an infostealer written in Delphi, which Sofacy has used since at least 2016.

The second document is very similar in structure to the first file, but executes a different payload: the Cannon Trojan. This new threat, which is written in C#, uses several email accounts to send system data and obtain a secondary payload from the attackers.

What’s Behind the Rise of Infostealers?

Zebrocy and Cannon aren’t the only infostealers Sofacy has employed in its attack campaigns. In the past, Symantec observed the group using another Trojan known as Seduploader to perform reconnaissance on an infected computer. The security firm also detected Sofacy’s execution of X-Agent as a second-stage infostealer.

These threats contributed to an overall increase in information stealers targeting government entities and regular organizations. In May 2018, FortiGuard noted a rise in data-stealing malware over the previous few months. Loki and Fareit experienced the most significant growth during that period.

How to Defend Against the Cannon Trojan

To defend against the Cannon Trojan and similar threats, security leaders should conduct ongoing phishing simulations with all employees. They should also take a layered approach to email security by implementing perimeter protection, scanning emails and conducting ongoing employee security awareness training.

Sources: Palo Alto Networks, Symantec, FortiGuard

The post Sofacy Group Targets Government Organizations With New Cannon Trojan appeared first on Security Intelligence.

Dell Discloses Digital Security Event Involving Customer Information

Dell disclosed a digital security incident in which unauthorized individuals targeted some pieces of customer information. On 28 November, the American multinational computer technology company announced that it had detected a security incident earlier in the month. The event consisted of unauthorized activity on Dell.com, Premier, Global Portal and support.dell.com (‘Esupport’). Other parts of the […]… Read More

The post Dell Discloses Digital Security Event Involving Customer Information appeared first on The State of Security.

Eight Individuals Indicted for Perpetrating Digital Advertising Fraud

A federal indictment charged eight individuals with perpetrating widespread digital advertising fraud that cost businesses millions of dollars. On 27 November, a federal court in Brooklyn unsealed the indictment charging Aleksandr Zhukov, Boris Timokhin, Mikhail Andreev, Denis Avdeev, Dmitry Novikov, Sergey Ovsyannikov, Aleksandr Isaev and Yevgeniy Timchenko with wire fraud, aggravated identity theft and other […]… Read More

The post Eight Individuals Indicted for Perpetrating Digital Advertising Fraud appeared first on The State of Security.

Worm Using Removable Drives to Distribute BLADABINDI Backdoor

A newly detected worm is propagating through removable drives to distribute a fileless variant of the BLADABINDI backdoor. In mid-November, researchers at Trend Micro first observed the worm, which the security firm detects as “Worm.Win32.BLADABINDI.AA.” They’re still investigating the threat’s exact method for infecting a system. But after analyzing its propagation routine, the researchers determined […]… Read More

The post Worm Using Removable Drives to Distribute BLADABINDI Backdoor appeared first on The State of Security.

German Social Media Provider Fined €20K for Data Breach

A German social media provider received an order to pay a €20,000 fine for a data breach that occurred in the summer of 2018. On 22 November, the regional data protection watchdog LfDI Baden-Württemberg announced that it had imposed the fine on a local “social media provider” after the organization filed a data breach report […]… Read More

The post German Social Media Provider Fined €20K for Data Breach appeared first on The State of Security.

Two Attack Campaigns Infect Brazilian Financial Institution Customers With Banking Trojans

Security researchers identified two malware distribution campaigns that infect customers of Brazilian financial institutions with banking Trojans.

While Cisco Talos observed that the two ongoing malware campaigns use different file types for the initial download stage and infection process, they also noticed some similarities between the two campaigns.

For instance, both campaigns abuse link-shortening services to disguise their distribution methods and employ the same naming convention for files used during the infection process. Researchers also traced both of the operations back to an email generation tool hosted in an Amazon S3 bucket, which they believe attackers are using to create a botnet.

Cisco Talos determined that the ultimate purpose of the campaigns is to deliver one of two banking Trojans to Brazilian financial institutions. Both of the final payloads exfiltrate data to a command-and-control (C&C) server and come equipped with a keylogger. However, while one Trojan attempts to steal customers’ payment card security codes, the other targets two-factor authentication (2FA) codes.

A Surge in Banking Trojans

News of these campaigns comes amid a surge in banking Trojan activity across a variety of platforms. In the second quarter of 2018, Kaspersky Lab detected 61,045 installation packages for mobile banking Trojans. That number was more than triple the amount observed in Q1 of 2018, and it far surpassed the totals observed over the previous year.

This growth continued through the summer. In August, Check Point noted that attackers had doubled their use of banking Trojans over the previous two months. In particular, researchers tracked increased activity for the Ramnit banking Trojan, a threat that rose to sixth place on Check Point’s August 2018 “Most Wanted Malware” list.

How to Protect Your Organization From Financial Cyberthreats

Security professionals can help defend against campaigns distributing banking Trojans by using endpoint security solutions designed to protect against fraud techniques. In addition, security teams can challenge the spam botnets used to deliver these threats by enabling email filtering and similar protections on corporate systems.

Sources: Cisco Talos, Kaspersky Lab, Check Point

The post Two Attack Campaigns Infect Brazilian Financial Institution Customers With Banking Trojans appeared first on Security Intelligence.

5 Digital Threats to Watch Out for on Black Friday

The end of November is a busy time in the United States. On Thanksgiving, friends and family gather together to give thanks for good food, good company and good fortune. Once they’ve put away the leftovers, many Americans don their coats, head to the malls and wait in line all night. For what? Black Friday, […]… Read More

The post 5 Digital Threats to Watch Out for on Black Friday appeared first on The State of Security.

TA505 Threat Group Distributes Previously Undocumented tRat Remote Access Trojan

Researchers spotted the TA505 threat group spreading a previously undocumented remote access Trojan (RAT) called tRaT.

In the fall of 2018, Proofpoint observed two email campaigns used to deliver tRat, a new modular RAT written in Delphi. Researchers spotted the first on Sept. 27. For that operation, unknown attackers abused the Norton antivirus brand to trick users into enabling content for malicious Microsoft Word documents.

The researchers detected the second campaign on Oct. 11. In that attack, a well-known threat actor group known as TA505 sent out emails with either malicious Microsoft Publisher documents or Microsoft Word attachments with different subject lines and senders. These emails specifically targeted customers of commercial banking institutions.

TA505 and the Growth of Remote Access Trojans

This isn’t the first time TA505, a financially motivated actor known for shifting with the times, has employed RATs to target users. In March and April, Proofpoint observed that the group began launching campaigns designed to infect users with the FlawedAmmyy RAT using the Quant Loader malware. These attacks involving FlawedAmmyy continued through June.

Interestingly, TA505 isn’t the only group that’s shown increased interest in FlawedAmmyy. Check Point researchers discovered several campaigns distributing the threat through the summer and early fall. This activity helped make FlawedAmmyy the first remote access Trojan to ever earn a spot on the security firm’s “Most Wanted Malware” list in October 2018.

How to Defend Against tRat

Security professionals can help their organizations defend against remote access Trojans like tRat by using tools such as VBA editor and oledump.py to analyze the macro code in suspect Microsoft Office documents. They should also investigate the static properties of potentially malicious documents by looking up the file hashes in a public malware sandbox.

Sources: Proofpoint, Proofpoint(1), Check Point

The post TA505 Threat Group Distributes Previously Undocumented tRat Remote Access Trojan appeared first on Security Intelligence.

Two Young Men Jailed for Involvement in TalkTalk Data Breach

Two young men received prison sentences for helping to perpetrate a data breach at the UK telecommunications provider TalkTalk. On 19 November, Judge Anuja Dhir QC at the Old Bailey sentenced Matthew Hanley, 23, to 12 months in prison. She handed down a slightly lighter sentence of eight months in jail to Connor Allsopp, 21. […]… Read More

The post Two Young Men Jailed for Involvement in TalkTalk Data Breach appeared first on The State of Security.

Fraudsters Targeting UK University Students with Fake Tax Refund Emails

Fraudsters are targeting UK university students with fake tax refund emails designed to steal their personal and/or banking information. According to BBC News, Her Majesty’s Revenue and Customs (HRMC) received reports of scammers targeting thousands of students at educational institutions across the country in October and November. In their scam attempts, the bad actors sent […]… Read More

The post Fraudsters Targeting UK University Students with Fake Tax Refund Emails appeared first on The State of Security.

Outlaw Threat Group Using Perl Shellbot to Target Enterprise IoT Devices

A cybercriminal group called Outlaw is using a Perl Shellbot to go after large organizations’ Internet of Things (IoT) devices.

The Trend Micro Cyber Safety Solutions Team observed a Perl Shellbot exploiting CVE-2017-1000117 to distribute an Internet Relay Chat (IRC) bot. This vulnerability enables attackers to pass a crafted “ssh://…” URL to unsuspecting victims and execute programs on their devices. According to Trend Micro, this threat can affect enterprise IoT devices, Linux servers, Windows-based environments and Android devices.

Outlaw communicates with the botnet using two compromised servers that belong to a Japanese art institution and a Bangladeshi government website. The threat group linked these two servers to a high-availability cluster to host an IRC bouncer and leveraged this asset for command-and-control (C&C) to target large businesses in more than a dozen countries, including the U.S., Germany, Israel and Japan.

The Ongoing Threat of IRC Botnets

IRC botnets are nothing new. In late 2016, MalwareMustDie observed attackers using new malware they called Linux/IRCTelnet to perform distributed denial-of-service (DDoS) attacks via an IRC botnet. More than a year later, Arbor Networks reported that attackers had used MedusaIRC and its IRC-based C&C to craft MedusaHTTP, an HTTP-based DDoS botnet written in .NET.

Unfortunately, it’s not difficult for cybercriminal groups like Outlaw to create this type of threat. Trend Micro observed that the code Outlaw used in its attacks is available online. Anyone can use that code to create a bot with an undetectable toolset.

How to Protect Enterprise IoT Devices From Outlaw

To protect their organizations against Outlaw’s activity, Trend Micro recommended monitoring for the creation of new accounts and restricting the use of FTP as much as possible. Security teams should also use reliable threat intelligence to block known malicious URLs and invest in security information and event management (SIEM) technology to identify unknown threats.

Sources: Trend Micro, MalwareMustDie, Arbor Networks

The post Outlaw Threat Group Using Perl Shellbot to Target Enterprise IoT Devices appeared first on Security Intelligence.

Malaysia’s Largest Media Company Allegedly Suffers Ransomware Attack

Malaysia’s largest media company allegedly suffered a ransomware attack that affected its ability to use its in-house email system. Anonymous sources told The Edge Financial Daily that ransomware attackers struck Media Prima Berhad, a media giant which operates businesses in television, print, radio, out-of-home advertising, content and digital media. According to those unnamed individuals, bad […]… Read More

The post Malaysia’s Largest Media Company Allegedly Suffers Ransomware Attack appeared first on The State of Security.

14 Malware Families Targeting E-Commerce Brands Ahead of Black Friday

Researchers discovered 14 malware families targeting dozens of e-commerce brands just over one week before Black Friday. Kaspersky Lab observed the threats targeting 67 e-commerce brands including 33 consumer apparel sites, eight consumer electronic outlets and three online retail platforms. Banking trojans made up more than half of the malware tracked by Kaspersky. They included […]… Read More

The post 14 Malware Families Targeting E-Commerce Brands Ahead of Black Friday appeared first on The State of Security.

New Ransomware Strain Evades Detection by All but One Antivirus Engine

Researchers discovered a new strain of Dharma ransomware that is able to evade detection by nearly all of the antivirus solutions on the market.

In October and November 2018, researchers with Heimdal Security uncovered four strains of Dharma, one of the oldest ransomware families in existence. One of the strains slid past a total of 53 antivirus engines listed on VirusTotal and 14 engines used by the Jotti malware scan. Just one of the security scanners included in each of those utilities picked up on the strain’s malicious behavior.

In its analysis of the strain, Heimdal observed a malicious executable dropped through a .NET file and another associated HTML Application (HTA) file that, when unpacked, directed victims to pay a ransom amount in bitcoin.

How Persistent Is the Threat of Ransomware?

The emergence of the new Dharma strain highlights ransomware’s ongoing relevance as a cyberthreat. Europol declared that it remains the key malware threat in both law enforcement and industry reporting. The agency attributed this proclamation to financially motivated malware attacks increasingly using ransomware over banking Trojans, a trend that it anticipates will continue for years to come.

Europol identified this tendency despite a surge in activity from other threats. For example, Comodo Cybersecurity found that crypto-mining malware rose to the top of detected malware incidents in the first three months of 2018. In so doing, malicious cryptominers supplanted ransomware as the No. 1 digital threat for that quarter, according to Comodo research.

Defend Against New Malware Strains With Strong Endpoint Security

Security professionals can help keep ransomware off their networks by using an endpoint management solution that provides real-time visibility into their endpoints. Experts also recommend using tools that integrate with security information and event management (SIEM) software to streamline responses to potential incidents.

Sources: Heimdal Security, Europol, Comodo Cybersecurity

The post New Ransomware Strain Evades Detection by All but One Antivirus Engine appeared first on Security Intelligence.

New Cobalt Gang PDF Attack Avoids Traditional Static Analysis Tools

An attack campaign conducted by the Cobalt Gang used a specially crafted PDF document to evade detection by static analysis tools.

Palo Alto Networks’ Unit 42 threat intelligence team observed the operation near the end of October 2018. The analyzed example used an email containing the subject line “Confirmations on October 16, 2018” to target employees at several banking organizations.

Attached to the email was a PDF document that didn’t come with an exploit or malicious code. Instead, an embedded link within the PDF document redirected recipients to a legitimate Google location which, in turn, redirected the browser to a Microsoft Word document containing malicious macros.

How Does the Cobalt Gang

At the time of discovery, the PDF attack bypassed nearly all traditional antivirus software. It was able to do so because the Cobalt Gang added some empty pages and pages with text to make the document look more authentic. These characteristics prevented the PDF from raising red flags with most static analysis tools.

Using specially crafted PDF documents isn’t the only way that digital attackers can fly under the radar. For instance, plenty don’t even use exploits and instead turn to spear phishing emails that leverage social engineering techniques.

Those that do use exploits can conduct their attacks with the help of tools like ThreadKit, a document exploit builder kit. These utilities enable individuals with low levels of technical expertise to get into the world of digital crime without forcing threat actors to come up with potentially attributable custom build processes for their attack documents.

How to Protect Against This PDF Attack

Security professionals can defend against this latest attack campaign from the Cobalt Gang by analyzing flagged PDF documents for base64-encoded strings, JavaScript keywords and other content that might be indicative of malspam. They should also use a ranking formula to prioritize vulnerabilities by risk so that they can close security weaknesses before exploit documents have a chance to abuse them.

Source: Palo Alto Networks

The post New Cobalt Gang PDF Attack Avoids Traditional Static Analysis Tools appeared first on Security Intelligence.

Enterprises Using IaaS or PaaS Have 14 Misconfigured Instances on Average, Cloud Adoption Study Finds

Enterprises using infrastructure-as-a-service (IaaS) or platform-as-a-service (PaaS) solutions have 14 misconfigured instances on average running at a given time.

A recent cloud adoption study by McAfee found that organizations have increased their usage of the cloud over time. The average number of cloud services in use per company grew from 1,682 in 2017 to 1,935 a year later. This growth was evident in both the number of enterprise cloud apps and consumer cloud apps.

But while organizations are increasingly turning to the cloud to satisfy their business needs, they aren’t taking the necessary steps to safeguard their cloud-based assets, the researchers observed. According to the report, some of the most common oversights involved inactive data encryption and unrestricted outbound access.

How Do Cloud Misconfigurations Put Data at Risk?

Cloud misconfigurations directly jeopardize organizations’ data. McAfee customers who turn on data loss prevention (DLP) discovered an average of 1,527 DLP incidents in their IaaS or PaaS storage per month. Overall, 27 percent of organizations using PaaS experienced a data theft incident affecting their cloud infrastructure.

Part of the problem is that no two cloud service providers (CSPs) offer the same security controls. Some CSPs even lack some of the most basic security measures. Just 8 percent of providers encrypted stored data at rest, for instance, while only 19.2 percent supported multifactor authentication (MFA).

How to Cope With Increasing Cloud Adoption

Security professionals can help their organizations stay protected amid increasing cloud adoption by embedding corporate security policies into contracts with CSPs. They should also consider conducting regular penetration tests to map their environments for vulnerabilities.

Sources: McAfee

The post Enterprises Using IaaS or PaaS Have 14 Misconfigured Instances on Average, Cloud Adoption Study Finds appeared first on Security Intelligence.

Half a Million People Potentially Affected by Data Breach at Bankers Life

A data breach at Bankers Life might have compromised the personally identifiable information of over half a million people. On 25 October 2018, Fortune 1000 company CNO Financial Group, Inc. submitted a report to the Office for Civil Rights’ Breach Portal at the U.S. Department of Health and Human Services. The report revealed an instance […]… Read More

The post Half a Million People Potentially Affected by Data Breach at Bankers Life appeared first on The State of Security.

HSBC Bank Notifies Customers of Data Breach

HSBC Bank sent a letter to an undisclosed number of customers informing them of a data breach that might have exposed their personal information. The California Attorney General’s Office recently received a template of a letter that HSBC Bank sent out to customers on 2 November. In the notice, the bank explains that it learned […]… Read More

The post HSBC Bank Notifies Customers of Data Breach appeared first on The State of Security.

Destructive Attacks Spike in Q3, Putting Election Security at Risk

A new report revealed that nearly one-third of cyber incidents reported in Q3 2018 were classified as “destructive attacks,” putting election security at risk in the lead-up to the 2018 midterms.

In its “Quarterly Incident Response Threat Report” for November 2018, Carbon Black found that 32 percent of election-season cyberattacks were destructive in nature — that is, “attacks that are tailored to specific targets, cause system outages and destroy data in ways designed to paralyze an organization’s operations.” These attacks targeted a wide range of industries, most notably financial services (78 percent) and healthcare (59 percent).

In addition, the report revealed that roughly half of cyberattacks now leverage island hopping, a technique that threatens not noly the target company, but its customers and partners as well. Thirty percent of survey respondents reported seeing victims’ websites converted into watering holes.

Time to Panic About Election Security? Not So Fast

Despite these alarming statistics and the very real risks they signify, Cris Thomas (aka Space Rogue) of IBM X-Force Red told TechRepublic that since voting machines are not connected to the internet, a malicious actor would need physical access to compromise one. This could prove challenging for attackers, who must understand not only the vulnerabilities in each individual voting machine, but also each precinct’s policies.

Bad actors could theoretically stage an attack by obtaining an official voting machine before the election and gaining physical access to it on voting day, but these machines come with checks and balances that detect when votes are changed, decreasing the liklihood of a successful attack.

Attacks Are Growing Increasingly Evasive — and Expensive

Still, the rise in destructive attacks is particularly concerning given that, as reported by Carbon Black, attacks across the board are becoming more difficult to detect. In addition, 51 percent of cases involved counter-incident response techniques, and nearly three-quarters of participants specifically witnessed the destruction of logs during these incidents. Meanwhile, 41 percent observed attackers circumventing network-based protections.

These evasive tactics could prove costly for companies. According to Accenture, threat actors could set companies back as much as $2.4 million with a single malware incident, with cybercrime costing each organization an average of $11.7 million per year.

How to Defend Against Destructive Attacks

Security professionals can defend their organizations against destructive attacks by developing a dedicated framework to predict what steps an adversary might take once inside the network. Security teams should supplement this framework with AI tools that can use pattern recognition and behavior analysis to stay one step ahead of cyberthreats.

Sources: Carbon Black, Accenture, TechRepublic

The post Destructive Attacks Spike in Q3, Putting Election Security at Risk appeared first on Security Intelligence.

DemonBot Targeting Hadoop Clusters to Perform DDoS Attacks

A new bot called DemonBot is targeting Hadoop clusters to execute distributed denial-of-service (DDoS) attacks.

The Radware Threat Research Center recently observed a threat actor exploiting a Hadoop Yet Another Resource Negotiator (YARN) unauthenticated remote command execution. This method of attack enables the malicious agent to infect clusters of Hadoop, an open source distributed processing framework that helps big data apps run in clustered systems, with DemonBot. Upon successful infection, the threat connects to its command-and-control (C&C) server and transmits information about the infected device.

Why Cloud Infrastructure Servers Are Juicy Targets

The threat’s goal is to leverage infected cloud infrastructure servers to conduct DDoS attacks. At this juncture, it is not exhibiting worm-like behavior akin to Mirai. Instead, it relies on 70 exploit servers for distribution, infrastructure that helps it perform 1 million exploits every day.

That being said, Radware found DemonBot to be binary-compatible with most Internet of Things (IoT) devices, which means the threat could spread to other types of products.

DemonBot isn’t the first bot to target cloud infrastructure servers like Hadoop clusters. In early October, a security researcher reported on Twitter that handlers of the Sora IoT botnet attempted to exploit the same YARN abused by DemonBot.

Radware attributed the growing interest in Hadoop to the fact that cloud infrastructure servers allow bad actors to stage larger and more stable DDoS attacks using multiple vectors, such as User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) floods.

How to Defend Against DemonBot

Security professionals can help protect their organizations against DemonBot by conducting a proper risk assessment on their cloud deployment. From there, they should enlist the help of penetration testers to map the vulnerabilities affecting their deployment.

Security teams should also look to invest in mitigation tools and services that specialize in defending against a DDoS attack.

Sources: Radware, Ankit Anubhav

The post DemonBot Targeting Hadoop Clusters to Perform DDoS Attacks appeared first on Security Intelligence.