CyberCrime - W/E - 100518
APT38 Threat Group Tied to North Korea, Infiltrates Banks (10/03/2018)
FireEye has outlined details regarding APT38, a threat group that the vendor believes is responsible for stealing millions of dollars from banks around the globe and conducting financial crime on behalf of North Korea. APT38 shares many characteristics with Lazarus, a known North Korean-affiliated attack group, and another threat entity called TEMP.Hermit, but appears to be a separate adversary. APT38 has been active since at least 2014 and has conducted operations in more than 16 organizations in at least 11 countries, sometimes simultaneously. The entity is characterized by long planning, extended periods of access to compromised victim environments preceding any attempts to steal money, fluency across mixed operating system environments, and the use of custom-developed tools. FireEye said that on average, APT38 has remained on victim networks for approximately 155 days.
FBI Warns of Abuse of RDP to Conduct Malicious Activities (10/02/2018)
The FBI and the Internet Crime Complaint Center (IC3) issued an alert regarding the usage of remote administration tools, most notably the Remote Desktop Protocol (RDP), as an attack vector so that thieves can compromise identities, steal login credentials, and ransom other sensitive information. RDP provides complete control over the desktop of a remote machine by transmitting input such as mouse movements and keystrokes and sending back a graphical user interface. In order for a remote desktop connection to be established, the local and remote machines need to authenticate via a username and password. Cyber actors can infiltrate the connection between the machines and inject malware or ransomware into the remote system.
US Blames North Korea for ATM FASTCash Malware Attacks (10/02/2018)
The North Korean government is to blame for an ATM cash-out scheme that is called "FASTCash." The FBI, Department of Homeland Security (DHS), and Treasury Department have issued a joint alert to offer insight into FASTCash, which is using malware affiliated with HIDDEN COBRA, also known as the North Korean government, to target banks in Africa and Asia. As of October 2, no US banks have been affected by FASTCash, but authorities want businesses and financial institutions to be aware of this activity. Since 2016, FASTCash schemes have remotely compromised payment switch application servers within banks to facilitate fraudulent transactions.
US-CERT Offers Insight into Advanced Persistent Threat Actors (10/03/2018)
The US-CERT released a technical alert addressing the exploitation of trusted network relationships and the subsequent illicit use of legitimate credentials by advanced persistent threat (APT) actors. This publication identifies APT actors' tactics, techniques, and procedures and describes the best practices that could be employed to mitigate each of them. A second technical alert warns of ongoing APT actor activity attempting to infiltrate the networks of global managed service providers.
Zoho Office Suite Abused by Keyloggers to Exfiltrate Data (10/04/2018)
Security firm Cofense has uncovered Zoho's connection to a high number of keylogger phishing campaigns designed to harvest data from infected machines. Of all keyloggers analyzed by Cofense, 40% used a zoho.com or zoho.eu email address to exfiltrate data from victim machines. Zoho is an online office suite software. Cofense's Darrel Rendell said in a blog post, "The reason for threat actors overwhelmingly abusing Zoho is unclear, but minimal security process enforcements - optional 2FA (not enforced), activity monitoring, etc. - combine with user susceptibility to create fertile ground."