CyberCrime - W/E - 062918

Chinese Cyber Spies Attack the Tibetan Community in Two Campaigns (06/27/2018)
Recorded Future has identified two cyber espionage campaigns that are targeting the Tibetan community. The two campaigns are being collectively called "RedAlpha" and combine light reconnaissance, selective targeting, and diverse malicious tooling. Analysis of the infrastructure shared across these campaigns supports the conclusion that the threat actor is based in China. The first campaign took place in 2017 using malware consisting of a custom dropper and the NetHelp infostealer implant. The second took place in 2018 and upgraded to a custom validator and the njRAT commodity malware.

Latest WannaCry Delivers Threats but No Ransomware (06/28/2018)
A campaign claiming to have locked files using the WannaCry ransomware and demanding that supposed victims pay up is nothing more than a hoax, researchers at Sophos say. Although WannaCry is ransomware that caused widespread damage to computers around the world in 2017, this campaign is the work of the thieves behind the SamSam ransomware. While they send realistic-looking threats to recipients, the criminals don't have the actual ransomware to use. Paul Ducklin from Sophos said, "Indeed, their claim that 'antivirus software will not be able to detect [the] program' is one of the few truths in this scam, for the simple and fortunate reason that, in this case, there is no program to detect."

Law Enforcement Slaps Cuffs on Eight People Involved in Cybercriminal Campaign (06/27/2018)
The Department of Justice (DOJ) announced Operation Keyboard Warrior, an effort coordinated by United States and international law enforcement to disrupt online frauds perpetrated from Africa. Eight individuals have been arrested for their roles in a widespread, Africa-based cyber conspiracy that allegedly defrauded US companies and citizens of approximately $15 million USD since at least 2012. The indictment alleges that the Africa-based co-conspirators were responsible for a series of intrusions into the servers and email systems of a Memphis-based real estate company in 2016. Using sophisticated anonymization techniques, including the use of spoofed email addresses and virtual private networks, the co-conspirators identified large financial transactions, initiated fraudulent email correspondence with relevant business parties, and then redirected closing funds through a network of US-based money mules to final destinations in Africa. This aspect of the scheme caused hundreds of thousands in loss to companies and individuals in Memphis. Additionally, some of the Africa-based defendants are also charged with perpetrating, or causing to be perpetrated, various romance scams, fraudulent-check scams, gold-buying scams, advance-fee scams, and credit card scams.

Lazarus Continues Its Cyber Assault on South Korean Entities (06/28/2018)
The Lazarus threat group, which has connections to North Korea, has been attacking South Korea, including members of the G20 Financial Meeting. Another Lazarus-based attack swiped $30 million USD from South Korea's Bithumb cryptocurrency exchange. This information comes from AlienVault, which assessed the campaigns. Lazarus is using Manuscrypt malware, which impersonates South Korean forum software.

ProtonMail Sustains Large DDoS Attack Originating from Russia (06/28/2018)
A cyber attack on encrypted email provider ProtonMail was thought to be the work of a threat group in Russia. The sustained distributed denial-of-service (DDoS) attack lasted for several hours. In a message posted on Reddit, a ProtonMail spokesperson said, "While we don't yet have our own measurement of the attack size, we have traced the attack back to a group that claims to have ties to Russia, and the attack is said to have been 500 Gbps, which would be among the largest DDoS's on record." Although the attacks occurred over several hours, outages were brief, lasting several minutes at a time.

Rancor Threat Group Targets Southeast Asia with Two Malware Families (06/28/2018)
Palo Alto Networks has tracked "Rancor," a previously unidentified threat group that is using targeted attacks on entities in Southeast Asia to conduct surveillance. The Rancor group's attacks use two primary malware families named DDKONG and PLAINTEE. The researchers discovered Rancor while investigating the KHRAT Trojan's command and control domains, which resolved to an IP address that eventually led to the threat group.