Cyber Crime - W/E - 062317

Erebus Ransomware Now Targets Linux as Korean Hosting Provider Is Forced to Pay Up (06/19/2017)
The Erebus ransomware, which was first spotted in malicious advertisements and later bypassed Windows' User Account Control, has evolved into a Linux threat, Trend Micro's researchers say. On June 10, Erebus infected 153 Linux servers belonging to a South Korean hosting company. The attackers demanded 550 bitcoins ($1.62 million USD) to decrypt the affected files on all of its servers. The affected company, NAYANA, has since negotiated a payment of 397.6 bitcoins (around $1.01 million), to be paid in installments, so that it can retrieve its locked files.

IC3 Issues Its Analysis of Cybercrime in 2016 (06/22/2017)
The Internet Crime Complaint Center (IC3) has released its 2016 Crime Report, providing analysis of the nearly 300,000 complaints received during that year. The top three crime types reported by victims in 2016 were non-payment and non-delivery scams, personal data breach, and payment scams. The top three crime types by reported loss were business email compromise, romance and confidence fraud, and non-payment and non-delivery scams.

Lost Skype Connections Are Result of Hacker Group (06/22/2017)
A group of hackers calling itself CyberTeam claimed responsibility for attacking Skype and interrupting connections. Microsoft, which owns Skype, noted in a June 19 blog post that it was "aware of an incident where users will either lose connectivity to the application or may be unable to send or receive messages. Some users will be unable to see a black bar that indicates them that a group call is ongoing, and longer delays in adding users to their buddy list." The threat was resolved on June 21.

Mexican Journalists, Others Targeted with NSO Spyware (06/20/2017)
A report from Citizen Lab details a campaign that targeted 10 Mexican journalists and human rights defenders, one minor child, and one United States citizen. The victims received messages containing links to exploits that came from the cyber warfare company NSO Group. The targets were working on a range of issues, including investigations of corruption by the Mexican President and the participation of Mexico's federal authorities in human rights abuses. NSO Group sells government-exclusive spyware.

Multiple Spy Campaigns Point to BlackTech Threat Group (06/22/2017)
While observing the activities of BlackTech, a cyber espionage group operating against targets in East Asia, Trend Micro has concluded that three seemingly disparate campaigns actually belong to this threat entity. The three campaigns, PLEAD, Shrouded Crossbow, and Waterbear, all share similarities including the same command and control servers, tools, and techniques. PLEAD is an information theft campaign with a penchant for confidential documents. Shrouded Crossbow targets privatized agencies and government contractors as well as enterprises in the consumer electronics, computer, healthcare, and financial industries with its BIFROST backdoors. Waterbear has been in operation for quite some time and has a modular architecture.

NY Supreme Court Judge Scammed Out of $1 Million in Phishing Scam (06/21/2017)
New York State Supreme Court Justice Lori Sattler was duped by email scammers who managed to pilfer $1 million USD from her with a phishing message that she thought had come from her lawyer, the NY Daily News has learned. Sattler wired the money to whom she thought was her real estate lawyer, but the money was actually sent to a bank account in China.

Orange Is the New Black Leaked Despite Studio's Ransom Payment (06/21/2017)
Larson Studios executives told Variety that they were extorted into paying $50,000 USD to a group of hackers who then proceeded to leak shows online, including 10 unreleased episodes of "Orange Is the New Black." The attackers got in through an insecure Windows 7 computer that they found while probing the studio's network for an accessible system. Although Larson Studios paid the ransom, the group, calling itself the "Dark Overlord," released the shows on the Web because the studio had contacted law enforcement.

PA Engineer Pleads Guilty to Hacking Employer's Remote Utility Meters (06/20/2017) 
A Pennsylvania radio frequency engineer was sentenced to a year and a day in prison after pleading guilty to hacking the remote utility meters for his former employer, the Department of Justice (DOJ) announced. After the company terminated Adam Flanagan, he used his knowledge of how the remote meter readers operate to gain access to them through the Internet and to disable them. The result was that the municipal water authorities had to send people out to read the individual meters because the billing data was inaccurate.

Pinkslipbot/Qbot Uses Infected Machines as Control Servers (06/19/2017)
Researchers at McAfee have discovered that the banking malware Pinkslipbot (also known as QakBot/QBot) has used infected machines as control servers since April 2016, even after a security product has removed its capability to steal personal and financial data from the infected machine. The infected machines include those of home users, whose computers are usually behind a network address translation (NAT) router. To make such machines reachable, Pinkslipbot uses Universal Plug and Play (UPnP) to open ports on the router, allowing anyone on the Internet to initiate connections to the infected machine. Pinkslipbot is widely thought to be the first malware to use infected machines as HTTPS-based control servers.
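The mechanism in the item above, a NAT'd home machine made reachable from the Internet through a UPnP port mapping, is something a defender can audit from inside the network: the router's Internet Gateway Device (IGD) service answers GetGenericPortMappingEntry requests with one SOAP response per mapping in its table. The following is an added example, not McAfee's code or anything from the original item. It parses responses in the standard WANIPConnection:1 shape and flags mappings that have no application description, a permanent lease, or that expose a web/HTTPS port on an internal host, which is the pattern described for Pinkslipbot. The three mappings in the table are constructed for the example; the heuristics and the port list are the author's choices, not a documented indicator set.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

IGD_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"


def soap_entry(external_port, protocol, internal_port, client, description, lease):
    """Build a constructed GetGenericPortMappingEntry response in the shape an IGD router returns."""
    return (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{IGD_NS}">'
        '<NewRemoteHost></NewRemoteHost>'
        f'<NewExternalPort>{external_port}</NewExternalPort>'
        f'<NewProtocol>{protocol}</NewProtocol>'
        f'<NewInternalPort>{internal_port}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient>'
        '<NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{description}</NewPortMappingDescription>'
        f'<NewLeaseDuration>{lease}</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    )


# Constructed port-mapping table, as if enumerated index by index from a home router.
SAMPLE_TABLE = [
    soap_entry(443, "TCP", 443, "192.168.1.23", "", 0),        # unexplained, exposes HTTPS
    soap_entry(3074, "UDP", 3074, "192.168.1.40", "Xbox", 3600),  # named, time-limited: benign
    soap_entry(2222, "TCP", 2222, "192.168.1.23", "", 0),      # unexplained high port, same host
]


@dataclass
class Mapping:
    external_port: int
    protocol: str
    internal_port: int
    client: str
    description: str
    lease: int
    enabled: bool


def parse_mapping(xml_text):
    """Extract one port mapping from a GetGenericPortMappingEntry SOAP response."""
    root = ET.fromstring(xml_text)
    resp = root.find(f".//{{{IGD_NS}}}GetGenericPortMappingEntryResponse")
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntry response")

    def field(name):
        # Argument elements are unqualified children; empty elements have text None.
        el = resp.find(name)
        return (el.text or "").strip() if el is not None else ""

    return Mapping(
        external_port=int(field("NewExternalPort")),
        protocol=field("NewProtocol").upper(),
        internal_port=int(field("NewInternalPort")),
        client=field("NewInternalClient"),
        description=field("NewPortMappingDescription"),
        lease=int(field("NewLeaseDuration") or 0),
        enabled=field("NewEnabled") == "1",
    )


WEB_PORTS = {80, 443, 8080, 8443}  # author's choice of ports worth a second look


def classify(m):
    """Return the reasons a mapping deserves review; an empty list means nothing notable."""
    reasons = []
    if not m.enabled:
        return reasons
    if m.protocol == "TCP" and m.external_port in WEB_PORTS:
        reasons.append(f"exposes TCP/{m.external_port} (web/HTTPS) on {m.client} to the Internet")
    if not m.description:
        reasons.append("no description: not created by a known application")
    if m.lease == 0 and not m.description:
        reasons.append("permanent lease on an unexplained mapping")
    return reasons


def audit(table):
    """Map (client, protocol, external port) to review reasons for every notable mapping."""
    findings = {}
    for xml_text in table:
        m = parse_mapping(xml_text)
        reasons = classify(m)
        if reasons:
            findings[(m.client, m.protocol, m.external_port)] = reasons
    return findings


if __name__ == "__main__":
    for (client, proto, port), reasons in audit(SAMPLE_TABLE).items():
        print(f"{client} {proto}/{port}:")
        for r in reasons:
            print("   -", r)
```

Against a live router the same parser applies to each response obtained by walking NewPortMappingIndex from 0 until the service returns a SpecifiedArrayIndexInvalid error; the point of the check is that a mapping the household did not create, with no description and no expiry, is exactly what the item describes and should be removed and the internal host examined.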

Researchers Analyze Hidden Cobra/Lazarus DDoS Attacks (06/21/2017)
Analysis by Arbor Networks of the North Korean Hidden Cobra malware, which is also identified with the Lazarus threat group, shows that of the 632 IP addresses linked to Hidden Cobra, 24 were involved in at least one distributed denial-of-service (DDoS) attack between March 1 and June 13. Sixteen of the IPs were connected to more than one DDoS attack, and the largest of these peaked at 4.3 Gbps. Of the 164 attacks that Arbor Networks observed within the three-and-a-half-month period, 48% hit targets in the US. Hidden Cobra/Lazarus is responsible for the WannaCry ransomware attacks, the breach of Sony Pictures, and hacks on Bangladesh's central bank.

Sophisticated FIN10 Threat Group Extorts Victims into Paying Up or Else (06/19/2017)
FireEye has identified a set of financially motivated intrusion operations being carried out by a threat actor dubbed FIN10. FIN10 is known for compromising networks, stealing sensitive data, and directly engaging victim executives and board members in an attempt to extort them into paying between 100 and 500 bitcoins (valued at between $125,000 USD and $620,000). For some victims that did not give in to the demand, FIN10 escalated its operation and destroyed critical production systems and leaked stolen data to journalists in an attempt to increase visibility of the compromise and coerce victims into paying up. The first known FIN10 operation was in 2013.

USPS, Amazon, FedEx Top List of Most Spoofed Companies (06/21/2017)
F-Secure released its top 10 list of companies most often spoofed by spammers during the first half of 2017. The US Postal Service, Amazon, FedEx, Apple, and PayPal were the five companies that scammers spoofed the most to attempt to lure in victims. Walgreens, Microsoft, eHarmony, Lyft, Facebook, Bank of America, and Match.com rounded out the top 10 list.