CyberCrime - W/E - 2/1/19
International Law Enforcement Shutters Underground Marketplace (01/28/2019)
The Justice Department announced the seizure of the xDedic Marketplace, a Web site that operated for years and was used to sell access to compromised computers worldwide and to personally identifiable information of US residents. Europol, along with law enforcement authorities in Belgium and Ukraine, worked closely with the FBI and other US authorities to dismantle and seize the infrastructure for the xDedic Marketplace. The seizure orders were executed on January 24 and the site has since ceased operations. Based on evidence obtained during the investigation, authorities believe the Web site facilitated more than $68 million USD in fraud.
Iranian Threat APT39 Steals Personal Data, Has Possible Ties to Other Cyber Spy Groups (01/29/2019)
An Iranian threat group known as APT39 steals personal information to support monitoring, tracking, or surveillance operations that serve Iran's national priorities, or to create additional accesses and vectors for future campaigns. FireEye has been tracking APT39 and found that its activity overlaps with that of another threat group called Chafer. APT39 primarily uses the SEAWEED and CACHEMONEY backdoors along with a variant of the POWBAT backdoor, and its activity is concentrated in the Middle East. The group has mainly targeted organizations in the telecommunications and travel industries. FireEye suspects that APT39 is aligned with another threat group, APT34, since the two share malware distribution methods and have additional similarities. APT34 in turn has potential ties to the OilRig threat entity.
Law Enforcement Goes After Users of DDoS for Hire Services (01/28/2019)
Europol and other law enforcement authorities have been working to track down the customers who launched distributed denial-of-service (DDoS) attacks through webstresser.org, the DDoS-for-hire service taken down in April 2018. After shuttering the site, authorities began sifting through information on its 151,000 registered users. Actions are currently underway around the world, Europol said, to bring to justice those who used the service to launch DDoS attacks.
Massive DDoS Attack Exceeds 500 Million Packets Per Second (01/30/2019)
Imperva mitigated a distributed denial-of-service (DDoS) attack against a client that peaked at more than 500 million packets per second. The January 10 attack combined an ordinary SYN flood with a "large SYN" flood whose packets were padded to 800-900 bytes, far larger than a normal SYN, which carries no payload. In a SYN flood the attacker sends TCP connection requests (SYN packets) faster than the target can process them, filling its half-open connection queue and, at this volume, saturating the network path. The source addresses and ports of the traffic sent to the customer's server were highly randomized and almost certainly spoofed, which defeats per-source blocking and is why packet rate, not bandwidth, is the figure that matters for this attack.
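To make the two signals in the write-up concrete (a SYN rate that dwarfs completed handshakes from randomized, never-repeating sources, and SYN packets padded far beyond their normal size), here is an added example of a heuristic detector run over a constructed packet summary. It is not Imperva's code; the packet records, thresholds and the 80-byte "normal SYN" cutoff are assumptions for the example, and in practice the same logic would be fed from flow records or a pcap.

```python
"""Heuristic SYN-flood detector over a constructed per-packet summary.

Added example, not from the Imperva write-up. A window is flagged when
(1) SYN-only packets far outnumber the ACKs that would complete handshakes,
(2) source ip:port pairs almost never repeat (randomized, likely spoofed), and
(3) SYNs are padded well past a normal SYN's size (the "large SYN" pattern).
"""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float     # seconds since capture start
    src: str      # source IP
    sport: int    # source port
    flags: str    # "S" = SYN only, "SA" = SYN/ACK, "A" = ACK
    size: int     # bytes on the wire


NORMAL_SYN_MAX = 80  # assumption: a SYN with options is well under 80 bytes


def analyse_windows(pkts, window=1.0):
    """Bucket packets into fixed windows and count what a SYN-flood check needs."""
    buckets = defaultdict(lambda: {"syn": 0, "ack": 0, "big_syn": 0, "endpoints": set()})
    for p in pkts:
        b = buckets[int(p.ts // window)]
        if p.flags == "S":
            b["syn"] += 1
            b["endpoints"].add((p.src, p.sport))
            if p.size > NORMAL_SYN_MAX:
                b["big_syn"] += 1
        elif p.flags == "A":
            b["ack"] += 1
    return buckets


def classify_windows(stats, syn_per_window=1000, ack_ratio_max=0.1,
                     uniq_ratio_min=0.9, big_ratio_min=0.5):
    """Return {window: (verdict, reasons)}. Thresholds are assumptions for the example."""
    out = {}
    for w, b in sorted(stats.items()):
        syn = b["syn"]
        if syn < syn_per_window:
            out[w] = ("normal", [])
            continue
        reasons = []
        if b["ack"] / syn < ack_ratio_max:
            reasons.append("few handshakes complete")
        if len(b["endpoints"]) / syn >= uniq_ratio_min:
            reasons.append("source ip:port almost never repeats (likely spoofed)")
        if b["big_syn"] / syn >= big_ratio_min:
            reasons.append("SYNs padded far beyond normal size (large-SYN flood)")
        out[w] = ("syn_flood" if reasons else "syn_burst", reasons)
    return out


def build_sample(seed=1):
    """Constructed traffic: window 0 is 40 clean handshakes; window 1 adds a
    3000-packet flood of padded SYNs from random sources plus 5 real clients."""
    rng = random.Random(seed)
    pkts = []
    for i in range(40):
        src, sport, t = f"10.0.0.{i}", 40000 + i, rng.uniform(0, 0.9)
        pkts.append(Pkt(t, src, sport, "S", 74))
        pkts.append(Pkt(t + 0.01, "203.0.113.10", 443, "SA", 74))
        pkts.append(Pkt(t + 0.02, src, sport, "A", 66))
    for _ in range(3000):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))
        pkts.append(Pkt(1 + rng.uniform(0, 0.999), src,
                        rng.randrange(1024, 65536), "S", rng.randrange(800, 901)))
    for i in range(5):
        src, sport, t = f"10.1.0.{i}", 50000 + i, 1 + rng.uniform(0, 0.9)
        pkts.append(Pkt(t, src, sport, "S", 74))
        pkts.append(Pkt(t + 0.01, "203.0.113.10", 443, "SA", 74))
        pkts.append(Pkt(t + 0.02, src, sport, "A", 66))
    return pkts


if __name__ == "__main__":
    for w, (verdict, reasons) in classify_windows(analyse_windows(build_sample())).items():
        print(f"window {w}: {verdict} {reasons}")
```

The endpoint-uniqueness check is the one that matters against this kind of attack: with spoofed, randomized sources there is no offending address to block, so mitigation has to be stateless (SYN cookies, rate limiting on packet shape) rather than reputation- or source-based.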
ThinkPHP Vulnerability Abused by Botnets Hakai and Yowai (01/28/2019)
Attackers are abusing an already patched ThinkPHP vulnerability to propagate two botnets: a new Mirai variant that Trend Micro calls Yowai and the Gafgyt variant Hakai. Both target Web servers built on the PHP framework, combining the ThinkPHP exploit with dictionary attacks on default credentials, and use the compromised hosts to launch distributed denial-of-service (DDoS) attacks. Yowai carries a configuration table in the same layout as Mirai's, which can be decoded with the same procedure, and adds the ThinkPHP exploit alongside other known vulnerabilities to its list of infection vectors. The Hakai sample probes for flaws that may remain unpatched on exposed systems and bundles exploits for ThinkPHP, D-Link DSL-2750B routers, and other devices to propagate and carry out various DDoS attacks.
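The "same procedure" remark is worth spelling out, because it is what lets an analyst pull C2 domains and ports out of a Yowai sample without new tooling. The following is an added example, not Trend Micro's code or anything from the Yowai or Hakai samples: it reimplements the table obfuscation from the public Mirai source (toggle_obf in table.c, key 0xDEADBEEF, each byte XORed in turn with the four key bytes) in Python, decodes a constructed sample table, and goes one step beyond the text with a single-byte XOR recovery for variants that change the key. The table entries, their ids and the strings are all made up for this example.

```python
"""Mirai-style configuration-table de-obfuscation.

Added example, not code from Trend Micro or from Yowai/Hakai. The routine
mirrors Mirai's toggle_obf (table.c): each byte is XORed with k1, k2, k3, k4,
the four bytes of a 32-bit key whose default is 0xDEADBEEF. The sample table
below is constructed for this example; the strings point nowhere.
"""
import string

MIRAI_DEFAULT_KEY = 0xDEADBEEF  # table_key in the public Mirai source


def effective_xor_byte(key: int) -> int:
    """XOR is associative, so XORing with k1, k2, k3, k4 in turn collapses to
    one byte: k1 ^ k2 ^ k3 ^ k4, which is 0x22 for the default key."""
    k = 0
    for shift in (0, 8, 16, 24):
        k ^= (key >> shift) & 0xFF
    return k


def toggle_obf(data: bytes, key: int = MIRAI_DEFAULT_KEY) -> bytes:
    """Mirai's toggle_obf: one call obfuscates, a second call restores."""
    k = effective_xor_byte(key)
    return bytes(b ^ k for b in data)


# Constructed sample table as (entry id, kind, obfuscated bytes). Ids follow
# Mirai's numbering style (1 = CNC domain, 2 = CNC port, ...) but the values
# are invented for this example. String entries end in NUL, as Mirai's do.
SAMPLE_TABLE = [
    (1, "str", toggle_obf(b"cnc.example.invalid\x00")),
    (2, "u16", toggle_obf((23).to_bytes(2, "big"))),
    (3, "str", toggle_obf(b"report.example.invalid\x00")),
    (4, "str", toggle_obf(b"/bin/busybox EXAMPLE\x00")),
]


def decode_table(table, key: int = MIRAI_DEFAULT_KEY):
    """Return {entry id: decoded value}; strings lose their trailing NUL,
    16-bit entries (ports) become ints, anything else stays raw bytes."""
    out = {}
    for tid, kind, blob in table:
        plain = toggle_obf(blob, key)
        if kind == "str":
            out[tid] = plain.rstrip(b"\x00").decode("ascii")
        elif kind == "u16":
            out[tid] = int.from_bytes(plain, "big")
        else:
            out[tid] = plain
    return out


PRINTABLE = set(string.printable.encode()) - {0x0B, 0x0C}


def recover_xor_byte(string_blobs) -> int:
    """For variants that change the key: pick the XOR byte under which the
    most bytes decode to printable ASCII and every entry ends in NUL.
    Returns the effective byte, not the 32-bit key, since many keys collapse
    to the same byte and only that byte matters for decoding."""
    def score(k: int) -> int:
        s = 0
        for blob in string_blobs:
            plain = bytes(b ^ k for b in blob)
            s += 2 if plain.endswith(b"\x00") else -2
            s += sum(1 for b in plain[:-1] if b in PRINTABLE)
        return s
    return max(range(256), key=score)


if __name__ == "__main__":
    print(hex(effective_xor_byte(MIRAI_DEFAULT_KEY)))
    print(decode_table(SAMPLE_TABLE))
    print(hex(recover_xor_byte([b for _, kind, b in SAMPLE_TABLE if kind == "str"])))
```

When triaging a new Mirai or Gafgyt descendant, run the recovery step first: if it returns 0x22 the author kept Mirai's key and the decoded table will line up with the familiar entry ids; any other value still decodes the strings, but the ids may have been renumbered.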