CyberCrime - W/E - 11/30/18
Attackers Use Chained Bugs to Exploit Drupal Servers (11/20/2018)
A chain of vulnerabilities, including Drupalgeddon 2 and Dirty COW, have been used in a persistent attack on Drupal Web servers, the security team at Imperva has revealed. The attack mechanism involves compromising Drupal servers by abusing the Drupalgeddon 2 and Dirty COW bugs and gaining entry to machines that have been misconfigured. The attacker builds a word list by locating all of Drupal's settings files and extracting any line with the word "pass" in it since many administrators leave "root" as the default user to connect from the Web application to the database. Then, armed with a potential list of passwords, the attacker tries to use the operating system command "su root" to change the user to root. If the attacker succeeds in changing the user, he or she can proceed to download the secondary payload and execute commands. If the administrator didn't leave the root passwords in the configuration files, the attacker moves on to use Dirty COW to exploit privileges.
A chain of vulnerabilities, including Drupalgeddon 2 and Dirty COW, have been used in a persistent attack on Drupal Web servers, the security team at Imperva has revealed. The attack mechanism involves compromising Drupal servers by abusing the Drupalgeddon 2 and Dirty COW bugs and gaining entry to machines that have been misconfigured. The attacker builds a word list by locating all of Drupal's settings files and extracting any line with the word "pass" in it since many administrators leave "root" as the default user to connect from the Web application to the database. Then, armed with a potential list of passwords, the attacker tries to use the operating system command "su root" to change the user to root. If the attacker succeeds in changing the user, he or she can proceed to download the secondary payload and execute commands. If the administrator didn't leave the root passwords in the configuration files, the attacker moves on to use Dirty COW to exploit privileges.
Cozy Bear Threat Entity Phishes Multiple Industries in Campaign (11/19/2018)
FireEye detected intrusion attempts against multiple industries, including think tank, law enforcement, media, US military, imagery, transportation, pharmaceutical, national government, and defense contracting. The attempts involved a phishing email appearing to be from the Department of State with links to zip files containing malicious Windows shortcuts that delivered the Cobalt Strike Beacon. Several elements from this campaign point to APT29, a Russian threat entity also known as Cozy Bear.
FireEye detected intrusion attempts against multiple industries, including think tank, law enforcement, media, US military, imagery, transportation, pharmaceutical, national government, and defense contracting. The attempts involved a phishing email appearing to be from the Department of State with links to zip files containing malicious Windows shortcuts that delivered the Cobalt Strike Beacon. Several elements from this campaign point to APT29, a Russian threat entity also known as Cozy Bear.
Cyberspy Group Targeted Murdered Mexican Journalist's Colleagues (11/28/2018)
The research team at Citizen Lab has uncovered evidence that the colleagues of a slain Mexican journalist investigating cartels were targeted with NSO Group's Pegasus spyware in the days after his killing. Two days after award-winning journalist Javier Valdez C rdenas was gunned down, the director and a colleague for the Mexican newspaper that he founded began receiving infection attempts with Pegasus spyware. Several of the infection attempts purported to provide information about the C rdenas killing. The NSO Group is connected to the Mexican government. The entity began delivering spyware-infected messages to the colleagues of C rdenas on May 17, 2018 as the NSO Group attempted to infiltrate devices.
The research team at Citizen Lab has uncovered evidence that the colleagues of a slain Mexican journalist investigating cartels were targeted with NSO Group's Pegasus spyware in the days after his killing. Two days after award-winning journalist Javier Valdez C rdenas was gunned down, the director and a colleague for the Mexican newspaper that he founded began receiving infection attempts with Pegasus spyware. Several of the infection attempts purported to provide information about the C rdenas killing. The NSO Group is connected to the Mexican government. The entity began delivering spyware-infected messages to the colleagues of C rdenas on May 17, 2018 as the NSO Group attempted to infiltrate devices.
New Threat Entity "DNSpionage" Takes Aim at Middle Eastern Organizations (11/28/2018)
Cisco's Talos researchers discovered a campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains and a private Lebanese airline company. This campaign utilizes two fake, malicious Web sites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which Talos has dubbed "DNSpionage," supports HTTP and DNS communication with the attackers.
Cisco's Talos researchers discovered a campaign targeting Lebanon and the United Arab Emirates (UAE) affecting .gov domains and a private Lebanese airline company. This campaign utilizes two fake, malicious Web sites containing job postings that are used to compromise targets via malicious Microsoft Office documents with embedded macros. The malware utilized by this actor, which Talos has dubbed "DNSpionage," supports HTTP and DNS communication with the attackers.
Porn Site-Visiting Government Employee Didn't Leak Classified Data (11/27/2018)
The former federal employee who visited more than 9,000 pornographic Web sites from his work computer - many of which were laced with Russian malware - did not expose classified data, a government watchdog report has confirmed. The Office of Inspector General for the Department of the Interior (DOI) found that the US Geological Survey (USGS) employee had accessed an average of 79 adult sites per day between September 26, 2016 and March 13, 2017 and that many of those Web pages routed through sites that originated in Russia and were infected with malware. The personal cell phone used by the employee was also infected with viruses and malware and he admitted that he knew it was wrong to visit porn sites on his work system, that he had been doing so for years, and that he had received the required annual IT security training that discusses rules of behavior for Internet use. According to the report, the unnamed employee retired from the USGS on November 25, 2017, one day prior to when he was to be fired.
The former federal employee who visited more than 9,000 pornographic Web sites from his work computer - many of which were laced with Russian malware - did not expose classified data, a government watchdog report has confirmed. The Office of Inspector General for the Department of the Interior (DOI) found that the US Geological Survey (USGS) employee had accessed an average of 79 adult sites per day between September 26, 2016 and March 13, 2017 and that many of those Web pages routed through sites that originated in Russia and were infected with malware. The personal cell phone used by the employee was also infected with viruses and malware and he admitted that he knew it was wrong to visit porn sites on his work system, that he had been doing so for years, and that he had received the required annual IT security training that discusses rules of behavior for Internet use. According to the report, the unnamed employee retired from the USGS on November 25, 2017, one day prior to when he was to be fired.
Ransomware Attack Diverts Patients from Ohio Hospitals (11/27/2018)
A ransomware attack that began on November 23 and hit the computer systems for the East Ohio Regional Hospital and Ohio Valley Medical Center resulted in patients being taken to other healthcare facilities, the Times Leader reported. Area emergency squads were told to divert patients to other hospitals while IT staff members worked to lessen the ransomware's impact. Patient data was not breached, a spokeswoman said. It was not known which type of ransomware was to blame for this incident.
A ransomware attack that began on November 23 and hit the computer systems for the East Ohio Regional Hospital and Ohio Valley Medical Center resulted in patients being taken to other healthcare facilities, the Times Leader reported. Area emergency squads were told to divert patients to other hospitals while IT staff members worked to lessen the ransomware's impact. Patient data was not breached, a spokeswoman said. It was not known which type of ransomware was to blame for this incident.
SamSam Ransomware Masterminds Indicted on Hacking Charges (11/28/2018)
Two Iranian men have been indicted for their roles in unleashing the SamSam ransomware, which forcibly encrypted data on the computers of victims over a nearly three year period, the Justice Department (DOJ) announced. According to the indictment, beginning in December 2015, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri authored the malware and allegedly accessed the computers of victim entities without authorization through security vulnerabilities, and installed and executed SamSam on the computers, resulting in the encryption of data on the victims' computers. Over 200 victims, including hospitals, municipalities, and public institutions, were affected. Savandi and Mansouri would then extort victim entities by demanding a ransom paid in bitcoin in exchange for decryption keys for the encrypted data. Savandi and Mansouri have collected over $6 million USD in ransom payments to date, and caused over $30 million in losses to victims.
Two Iranian men have been indicted for their roles in unleashing the SamSam ransomware, which forcibly encrypted data on the computers of victims over a nearly three year period, the Justice Department (DOJ) announced. According to the indictment, beginning in December 2015, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri authored the malware and allegedly accessed the computers of victim entities without authorization through security vulnerabilities, and installed and executed SamSam on the computers, resulting in the encryption of data on the victims' computers. Over 200 victims, including hospitals, municipalities, and public institutions, were affected. Savandi and Mansouri would then extort victim entities by demanding a ransom paid in bitcoin in exchange for decryption keys for the encrypted data. Savandi and Mansouri have collected over $6 million USD in ransom payments to date, and caused over $30 million in losses to victims.