Cyber Crime - W/E - 122217
Chinese Criminal Group Targets Servers Running Database Services (12/19/2017)
GuardiCore has been investigating multiple attack campaigns conducted by an established Chinese crime group that operates worldwide. The campaigns are launched from a coordinated infrastructure and are mostly targeting servers running database services. There are three identified attack variants: Hex, Hanako, and Taylor. The variants target different SQL servers, each with its own goals, scale, and target services. Investigation of a single Microsoft SQL Server attack that made use of an unknown binary against servers monitored by the GuardiCore Global Sensor Network led to a network of deception servers deployed in multiple data centers globally. The attacks began in March and the compromised machines are mostly in China, but there are victims elsewhere including Japan, the US, and Thailand.
Dragonfly Threat Group Eyes New Victim Industries with Latest Cyber Assaults (12/18/2017)
Analysis of the Dragonfly threat entity by McAfee has shown that the group is attacking the pharmaceutical, financial, and accounting industries. Dragonfly uses several methods including phishing campaigns, watering holes, and exploits to gain a foothold into victim networks. Symantec previously warned that Dragonfly was targeting energy companies. McAfee's Christiaan Beek and Raj Samani stated in a blog post, "Everything about this campaign points to a well-prepared assault that carefully considers each target, and conducts reconnaissance before taking any measures to exploit compromised targets."
Five Arrests Made in Ransomware Attacks on US, Europe (12/20/2017)
Romanian authorities arrested three individuals suspected of infecting computer systems by spreading the CTB-Locker ransomware, Europol announced. Two other individuals from the same cybercriminal group were arrested in a parallel ransomware investigation linked to the US. The FBI worked with other law enforcement organizations including the Dutch police, the UK's National Crime Agency, and Europol's European Cybercrime Center in this operation, dubbed "Bakovia."
Latest Activity for Lazarus Group Is Mining for Cryptocurrency (12/20/2017)
Proofpoint has uncovered a number of multi-stage attacks using cryptocurrency lures to infect victims with backdoors and reconnaissance malware that can be attributed to the Lazarus threat group. Victims are then infected with additional malware including the Gh0st remote access Trojan to steal credentials for cryptocurrency wallets and exchanges. The Lazarus Group is attributed to a North Korean state-sponsored threat actor.
Security Vendor Fox-IT Hit by Man-in-the-Middle Attack (12/19/2017)
Fox-IT confirmed that it was affected by a man-in-the-middle (MitM) attack on September 19 when an individual accessed the DNS records for the Fox-IT.com domain at the vendor's third-party domain registrar. The attacker initially modified a DNS record for one particular server to point to a server in his or her possession, intercepting the traffic and forwarding it to the original server that belongs to Fox-IT. The vendor said in a blog post, "The attack was specifically aimed at ClientPortal, Fox-IT's document exchange Web application, which we use for secure exchange of files with customers, suppliers and other organizations. We believe that the attacker's goal was to carry out a sustained MitM attack." The attack lasted more than 10 hours and the hacker accessed a limited number of files.
Video Streaming Sites Use Crypto-Jacking in Stealth to Mine Monero (12/19/2017)
Four popular video streaming sites are utilizing users' devices - without their knowledge - to mine for the Monero cryptocurrency. This information comes from the team at AdGuard, which discovered that the sites - Openload, Streamango.com, Rapidvideo.com, and OnlineVideoConverter.com - register 992 million visits monthly. All four sites use classic "crypto-jacking," which means that the user is unaware of the fact that cryptocurrency is mined in the background. Additionally, all four sites place a miner on pages where users spend a great deal of time.
White House Points Finger at North Korea for WannaCry Cyber Attacks (12/19/2017)
The White House is blaming the WannaCry ransomware attacks that took place in May on the North Korean government, the Wall Street Journal has reported. Thomas P. Bossert, assistant to President Trump for homeland security and counterterrorism, said, "We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either. Other governments and private companies agree. The United Kingdom attributes the attack to North Korea, and Microsoft traced the attack to cyber affiliates of the North Korean government." Bossert also said that Microsoft had taken actions during the week of December 11 to "disrupt activities of North Korean hackers" but did not provide further details.
Zealot: Sophisticated Apache Struts Campaign Uses NSA Exploits to Mine Monero (12/19/2017)
F5 Networks has observed a new, malicious Apache Struts campaign using a sophisticated, multi-staged attack targeting internal networks with the EternalBlue and EternalSynergy exploits attributed to the National Security Agency (NSA). The campaign, known as "Zealot," has a highly obfuscated PowerShell agent for Windows and a Python agent for Linux/OS X that seem to be based on the EmpireProject post-exploitation framework. Zealot is also mining Monero cryptocurrency. According to F5, Zealot is quite sophisticated and is automatically delivering malware on internal networks via Web application vulnerabilities.