CyberCrime - W/E - 072117
CIA's "Highrise" Android Tool Swipes SMS Messages (07/18/2017)
WikiLeaks released details regarding a Central Intelligence Agency (CIA) exploit known as "Highrise," which is an application designed for mobile devices running Android 4.0 to 4.3. HighRise acts as an SMS proxy that provides greater separation between devices in the field ("targets") and the listening post (LP) by proxying "incoming" and "outgoing" SMS messages to an Internet LP. Highrise provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured Internet communication.
WikiLeaks released details regarding a Central Intelligence Agency (CIA) exploit known as "Highrise," which is an application designed for mobile devices running Android 4.0 to 4.3. HighRise acts as an SMS proxy that provides greater separation between devices in the field ("targets") and the listening post (LP) by proxying "incoming" and "outgoing" SMS messages to an Internet LP. Highrise provides a communications channel between the HighRise field operator and the LP with a TLS/SSL secured Internet communication.
CoinDash Gets Hacked as It Launches Token Sale (07/19/2017)
The moment the CoinDash Token Sale went public at 13:00PM GMT on July 17, the Web site was hacked and a malicious address replaced the legitimate Token Sale one. As a result, more than 2,000 investors sent ETH (Ether or ethereum) to the malicious address. The stolen cryptocurrency amounted to a total of 37,000 ETH ($7.7 million USD). In a statement on its home page, CoinDash reported that it is fully cooperating with law enforcement regarding the theft during its initial coin offering and will "credit investors who sent ETH to the fraudulent address with the CDT amount they would have received by sending their ETH to the correct smart contract address."
The moment the CoinDash Token Sale went public at 13:00PM GMT on July 17, the Web site was hacked and a malicious address replaced the legitimate Token Sale one. As a result, more than 2,000 investors sent ETH (Ether or ethereum) to the malicious address. The stolen cryptocurrency amounted to a total of 37,000 ETH ($7.7 million USD). In a statement on its home page, CoinDash reported that it is fully cooperating with law enforcement regarding the theft during its initial coin offering and will "credit investors who sent ETH to the fraudulent address with the CDT amount they would have received by sending their ETH to the correct smart contract address."
DarkHotel APT Group Phishes for Info from Politicians (07/20/2017)
Bitdefender has encountered a new DarkHotel attack known as Inexsmar, which makes a significant departure from the advanced persistent threat (APT) group's traditional modus operandi. This sample dates back to September 2016 and is used in a campaign that targets political figures rather than corporate research and development personnel, CEOs, and other senior corporate officials. The new campaign phishes for information, sends it back to a command and control server, and if the data fits certain requirements, the DarkHotel downloader is installed onto the victim's machine. The attacks hone in on government workers who have an interest in North Korea.
Bitdefender has encountered a new DarkHotel attack known as Inexsmar, which makes a significant departure from the advanced persistent threat (APT) group's traditional modus operandi. This sample dates back to September 2016 and is used in a campaign that targets political figures rather than corporate research and development personnel, CEOs, and other senior corporate officials. The new campaign phishes for information, sends it back to a command and control server, and if the data fits certain requirements, the DarkHotel downloader is installed onto the victim's machine. The attacks hone in on government workers who have an interest in North Korea.
FedEx: Our Subsidiary May Never Recover from Petya Attacks (07/18/2017)
FedEx has said that the Petya ransomware attacks in June significantly affected worldwide operations at its TNT Express delivery service in Ukraine and it has no idea when the infected systems will be completely remedied. "At this time, we cannot estimate how long it will take to restore the systems that were impacted and it is reasonably possible that TNT Express will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus," FedEx said in its statement. FedEx's own systems were unaffected by the attacks.
FedEx has said that the Petya ransomware attacks in June significantly affected worldwide operations at its TNT Express delivery service in Ukraine and it has no idea when the infected systems will be completely remedied. "At this time, we cannot estimate how long it will take to restore the systems that were impacted and it is reasonably possible that TNT Express will be unable to fully restore all of the affected systems and recover all of the critical business data that was encrypted by the virus," FedEx said in its statement. FedEx's own systems were unaffected by the attacks.
SIREN Porn-Driven Botnet Connected to Email Botnet (07/18/2017)
ZeroFOX has been investigating a large-scale, spam pornography botnet on Twitter dubbed SIREN. Since first identifying SIREN in February, the researchers have identified over 8.5 million tweets from nearly 90,000 accounts related to this campaign. SIREN is closely tied to a large-scale email spam botnet that was disclosed by KrebsOnSecurity. The two botnets share similar methods and push victims to the same types of porn Web sites.
ZeroFOX has been investigating a large-scale, spam pornography botnet on Twitter dubbed SIREN. Since first identifying SIREN in February, the researchers have identified over 8.5 million tweets from nearly 90,000 accounts related to this campaign. SIREN is closely tied to a large-scale email spam botnet that was disclosed by KrebsOnSecurity. The two botnets share similar methods and push victims to the same types of porn Web sites.
Two Iranians Charged with Hacking Software Company (07/19/2017)
Two Iranian nationals have been charged with a criminal conspiracy relating to computer fraud and abuse, unauthorized access to, and theft of information from, computers, wire fraud, exporting a defense article without a license, and violating sanctions against Iran. Arrest warrants have been issued for Mohammed Reza Rezakhah and Mohammed Saeed Ajily, according to the Department of Justice (DOJ). The indictment states that the two men and another individual conspired together to access computers without authorization in order to obtain software which they would then sell and redistribute in Iran and elsewhere outside the US. Once the software was obtained, Ajily marketed and sold the software through various companies and associates to Iranian entities, including universities and military and government entities, specifically noting that such sales were in contravention of US export controls and sanctions.
Two Iranian nationals have been charged with a criminal conspiracy relating to computer fraud and abuse, unauthorized access to, and theft of information from, computers, wire fraud, exporting a defense article without a license, and violating sanctions against Iran. Arrest warrants have been issued for Mohammed Reza Rezakhah and Mohammed Saeed Ajily, according to the Department of Justice (DOJ). The indictment states that the two men and another individual conspired together to access computers without authorization in order to obtain software which they would then sell and redistribute in Iran and elsewhere outside the US. Once the software was obtained, Ajily marketed and sold the software through various companies and associates to Iranian entities, including universities and military and government entities, specifically noting that such sales were in contravention of US export controls and sanctions.
UK Cyber Agency: Energy Systems Likely Hacked (07/19/2017)
The UK's National Cyber Security Center (NCSC) has warned that hackers are taking aim at the country's energy sector and that some organizations in the industrial control systems vertical have already been compromised. This information comes from an NCSC document obtained by Motherboard and part of it states, "The NCSC is aware of connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors." A follow-up on the NCSC document by the BBC has confirmed that it is legitimate.
The UK's National Cyber Security Center (NCSC) has warned that hackers are taking aim at the country's energy sector and that some organizations in the industrial control systems vertical have already been compromised. This information comes from an NCSC document obtained by Motherboard and part of it states, "The NCSC is aware of connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors, who are known to target the energy and manufacturing sectors." A follow-up on the NCSC document by the BBC has confirmed that it is legitimate.
WikiLeaks Dumps SSH Credential-Stealing CIA Implants (07/18/2017)
WikiLeaks published documentation on BothanSpy and Gyrfalcon, two Central Intelligence Agency (CIA) implants that have been used to intercept and exfiltrate SSH credentials. BothanSpy targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. Gyrfalcon takes aim at the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu).
WikiLeaks published documentation on BothanSpy and Gyrfalcon, two Central Intelligence Agency (CIA) implants that have been used to intercept and exfiltrate SSH credentials. BothanSpy targets the SSH client program Xshell on the Microsoft Windows platform and steals user credentials for all active SSH sessions. Gyrfalcon takes aim at the OpenSSH client on Linux platforms (centos,debian,rhel,suse,ubuntu).