Cybercrime - W/E - 083118
Google Warns Senator's Office of Phishing Emails (08/28/2018)
Google warned Senator Pat Toomey's office that nation-state hackers sent phishing emails to old campaign accounts, the Associated Press (AP) reported. Steve Kelly, a spokesman for the Pennsylvania senator said the accounts that were phished were considered dormant and had not been used since the end of the 2016 campaign. Toomey is currently in office and the attacks would not have affected the midterm elections. Google suggested that the phishing emails were just seeking information as they did not contain links to malware.
Google warned Senator Pat Toomey's office that nation-state hackers sent phishing emails to old campaign accounts, the Associated Press (AP) reported. Steve Kelly, a spokesman for the Pennsylvania senator said the accounts that were phished were considered dormant and had not been used since the end of the 2016 campaign. Toomey is currently in office and the attacks would not have affected the midterm elections. Google suggested that the phishing emails were just seeking information as they did not contain links to malware.
Iranian Threat Group "Cobalt Dickens" Attacks Universities in Various Nations (08/28/2018)
SecureWorks researchers discovered an URL spoofing a login page for a university. Further research into the IP address hosting the spoofed page revealed a large campaign to steal credentials. Sixteen domains contained over 300 spoofed Web sites and login pages for 76 universities located in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the US. Because the threat entity is using similar operations to Cobalt Dickens, a group that has ties to the Iranian government, SecureWorks personnel believe the entities are one and the same. Cobalt Dickens previously attacked universities, using stolen credentials to swipe intellectual property from library systems.
SecureWorks researchers discovered an URL spoofing a login page for a university. Further research into the IP address hosting the spoofed page revealed a large campaign to steal credentials. Sixteen domains contained over 300 spoofed Web sites and login pages for 76 universities located in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the US. Because the threat entity is using similar operations to Cobalt Dickens, a group that has ties to the Iranian government, SecureWorks personnel believe the entities are one and the same. Cobalt Dickens previously attacked universities, using stolen credentials to swipe intellectual property from library systems.
Possible Iranian Operation Using Network of Fake News Sites to Influence Audiences (08/27/2018)
FireEye has identified a suspected influence operation that appears to originate from Iran aimed at audiences in the US, UK, Latin America, and the Middle East. This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests. These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific US policies favorable to Iran, such as the US-Iran nuclear deal (JCPOA). FireEye suspects that the operation is Iranian in nature due to site registration data and the linking of social media accounts to Iranian phone numbers.
FireEye has identified a suspected influence operation that appears to originate from Iran aimed at audiences in the US, UK, Latin America, and the Middle East. This operation is leveraging a network of inauthentic news sites and clusters of associated accounts across multiple social media platforms to promote political narratives in line with Iranian interests. These narratives include anti-Saudi, anti-Israeli, and pro-Palestinian themes, as well as support for specific US policies favorable to Iran, such as the US-Iran nuclear deal (JCPOA). FireEye suspects that the operation is Iranian in nature due to site registration data and the linking of social media accounts to Iranian phone numbers.
Report Suggests Lazarus Group Was Behind Indian Bank Heist of $13.5 Million (08/28/2018)
Scientists at Securonix uncovered details regarding a cyber attack targeting the SWIFT/ATM infrastructure of Cosmos Bank, a 112-year old cooperative bank in India and the second largest in the country, resulting in a loss of over $13.5 million USD. According to analysis, the hackers first gained a foothold into the banking system and then used that to fully compromise its internal and ATM structure. The attack involved multiple targeted malware infections followed by the setup of a malicious ATM/POS switch which hijacked connections between the central switch and the Core Banking System. The attackers then made adjustments to the target account balances to enable withdrawals. Securonix says that the North Korean-sponsored Lazarus Group is to blame for the attack on Cosmos Bank.
Scientists at Securonix uncovered details regarding a cyber attack targeting the SWIFT/ATM infrastructure of Cosmos Bank, a 112-year old cooperative bank in India and the second largest in the country, resulting in a loss of over $13.5 million USD. According to analysis, the hackers first gained a foothold into the banking system and then used that to fully compromise its internal and ATM structure. The attack involved multiple targeted malware infections followed by the setup of a malicious ATM/POS switch which hijacked connections between the central switch and the Core Banking System. The attackers then made adjustments to the target account balances to enable withdrawals. Securonix says that the North Korean-sponsored Lazarus Group is to blame for the attack on Cosmos Bank.