CyberCrime - W/E - 7/26/19
APT34/OilRig Impersonates Cambridge U to Lure Victims in Malware-Laced Campaign (07/22/2019)
FireEye identified a phishing campaign conducted by APT34, an Iranian threat actor posing as a member of Cambridge University to gain victims' trust to open malicious documents. The campaign used LinkedIn to deliver the malicious documents and organizations in energy/utilities, government, and oil/gas were the targets. APT34 (also known as OilRig and Greenbug) uses a mix of public and non-public tools to collect strategic information that would benefit nation-state interests pertaining to geopolitical and economic needs. FireEye also identified a variant of the Pickpocket browser credential-stealing tool and two new malware families, VALUEVAULT and LONGWATCH, in use by this campaign.
Attackers Actively Exploiting Bug in Campus Platform; 62 Colleges Already Breached (07/24/2019)
The Department of Education issued an advisory regarding the active and ongoing exploitation of a previously identified vulnerability in the Ellucian Banner system. Attackers can leverage the bug to gain access to the Banner system using an institutional account. The department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability. Additionally, there is information "that indicates criminal elements have been actively scanning the Internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation." Banner is an administrative software system designed for higher education institutions. Security researcher Joshua Mulliken detailed the bug in a December 2018 advisory.
Bugs in WordPress Abused to Push Out Malicious Ad Campaign (07/24/2019)
Researchers at Wordfence warn of a malvertising campaign which is causing victims' sites to display unwanted popup ads and redirect visitors to malicious destinations, including tech support scams, malicious Android APKs, and sketchy pharmaceutical ads. By exploiting WordPress vulnerabilities, the attackers inject a JavaScript payload into the front end of a victim's site. These injections each contain a short script which sources additional code from one or more third-party URLs. That code is executed when a visitor opens the victim Web site. When the third-party code executes in a visitor's browser, it performs an initial redirect to a central domain, which then performs another redirect to a new destination based on a number of factors, notably the type of device in use by the redirected user.
Cyber Attacks Cause State of Emergency Declaration in Louisiana (07/24/2019)
Louisiana's governor declared a state of emergency on July 24 due to an ongoing cyber attack that has affected several school districts in the northern part of the state. The Governor's Office of Homeland Security and Emergency Preparedness activated its crisis action team and also the Emergency Services Function-17 to coordinate the response to this cybersecurity incident, which included the FBI and state agencies. Governor John Bel Edwards said, "The state was made aware of a malware attack on a few north Louisiana school systems and we have been coordinating a response ever since."
Facebook Slammed with $5 Billion Penalty for Violating Consumers' Privacy (07/24/2019)
The Federal Trade Commission (FTC) has imposed a $5 billion USD fine and new restrictions on Facebook as punishment for violating consumers' privacy. The settlement order imposes restrictions on Facebook's business operations, creates multiple channels of compliance, and requires Facebook to restructure its approach to privacy. The social media giant must establish strong mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight. To encourage users to share information on its platform, Facebook promises users they can control the privacy of their information through the platform's privacy settings. Following a year-long investigation, the FTC found that Facebook repeatedly used deceptive practices to undermine users' privacy preferences. These tactics allowed the company to share users' personal information with third-party apps that were downloaded by the user's Facebook "friends." The FTC alleges that many users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt out of sharing. "Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers' choices," said FTC Chairman Joe Simons. "The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook's entire privacy culture to decrease the likelihood of continued violations." The $5 billion penalty is the largest ever imposed on any company for violating consumers' privacy.
Former Government Contractor Gets Jail Time for Stealing Classified Data (07/22/2019)
Former National Security Agency (NSA) contractor Harold Martin has been sentenced to nine years in prison for stealing highly classified national defense information for almost 20 years, the Justice Department (DOJ) announced. Beginning in the late 1990s and continuing through August 2016, Martin stole and retained government property from secure locations and computer systems, including documents in both hard copy and digital form relating to national defense.
FTC Sues Cambridge Analytica for Deceptive Privacy Practices (07/24/2019)
The Federal Trade Commission (FTC) filed an administrative complaint against data analytics company Cambridge Analytica, and filed settlements for public comment with Cambridge Analytica's former chief executive and an app developer who worked with the company, alleging they employed deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting. The FTC alleges that Cambridge Analytica and two defendants, app developer Aleksandr Kogan and former Cambridge Analytica CEO Alexander Nix, deceived consumers by falsely claiming they did not collect any personally identifiable information from Facebook users who were asked to answer survey questions and share some of their Facebook profile data. Kogan is the developer of the GSRApp that was utilized by Facebook users to answer personality-type questions. Kogan, Nix, and Cambridge Analytica used and analyzed the data collected from the app to train an algorithm to generate personality scores for the app users and their Facebook friends. Those personality scores were then matched to US voter records and used by Cambridge Analytica for voter profiling and targeted advertising services. GSRApp told users it would not download any identifiable information - only demographic data - but the FTC has said that those claims were false and the app collected Facebook User IDs, which connect individuals to their Facebook profiles, as well as other personal information such as their gender, birthdate, location, and their Facebook friends list.
Legitimate WeTransfer Links Exploited to Drop Malware-Laced URLs (07/24/2019)
Cofense has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. The attackers are using what appears to be compromised email accounts to send a genuine link to a WeTransfer hosted file. As these are legitimate links from WeTransfer, this allows them to travel straight through security checks at the gateway.
Massive DDoS Attack Lasts Nearly Two Weeks, Used Mirai-Infected Devices (07/25/2019)
Imperva mitigated a massive distributed denial-of-service attack that peaked at 292,000 packets per second and used 402,000 compromised devices. The attack, sourced back to Brazil, lasted 13 days and hit an Imperva client in the entertainment industry. The attackers used a legitimate User-Agent, the same as used by the entertainment industry customer service application, to mask the attack which targeted the authentication component of the client's streaming application. Upon analysis, the devices used in the attack all had the same open ports which showed their association with the Mirai malware.
Multi-Stage Attack Chain Turns Elasticsearch Servers into DDoS Botnet Zombies (07/24/2019)
Elasticsearch is being abused by turning affected targets into botnet zombies used in distributed denial-of-service (DDoS) attacks. The attack chain involves searching for exposed or publicly accessible Elasticsearch databases/servers. The malware would invoke a shell with an attacker-crafted search query with encoded Java commands. Once this is successfully carried out, the first malicious script is downloaded from a domain, which, in Trend Micro's analysis, appears to be expendable or easy-to-replace. The first-stage script will attempt to shut down the firewall as well as competing and already-running cryptocurrency mining activities and other processes. The second-stage script is then retrieved, likely from a compromised Web site. Using expendable domains allows the attackers to swap URLs as soon as they are detected.
Operation LagTime IT Threat Campaign Takes Aim at Asian Infrastructure (07/24/2019)
Proofpoint researchers identified a targeted advanced persistent threat (APT) campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. The campaign, dubbed "Operation LagTime IT," uses spear phishing as its attack vector and a Microsoft Equation Editor zero-day bug to deliver a custom malware called Cotx RAT. Additionally, this APT group implements Poison Ivy payloads that share overlapping command and control infrastructure with the Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic tools used in this operation, Proofpoint analysts attribute this activity to the Chinese APT group known as TA428. The group has targeted government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes.
QuickBooks Cloud Host Falls Victim to Ransomware Attack (07/22/2019)
KrebsOnSecurity reported that iNSYNQ, a cloud hosting provider, was hit by a ransomware attack that left its network inaccessible and customers unable to reach their data. iNSYNQ specializes in delivering cloud-based QuickBooks accounting software and services. In a statement, the company said, "The attack impacted data belonging to certain iNSYNQ clients, rendering such data inaccessible. As soon as iNSYNQ discovered the attack, iNSYNQ took steps to contain it. This included turning off some servers in the iNSYNQ environment." CEO Elliot Luchansky said in a separate statement on July 22, "iNSYNQ and our customers were the victims of a malware attack that's a totally new variant that hadn't been detected before, confirmed by the experienced and knowledgeable cybersecurity team we've employed."
Symantec Examines BEC Scam Statistics (07/24/2019)
According to Symantec telemetry, the average daily volume of business email compromise (BEC) messages was significantly higher in the first quarter of 2019 than in the same period one year ago. From January to March 2018, the average daily BEC email volume was 85,816, while from January to March 2019, the average daily volume was 128,700, a 50% increase. The top five nations targeted by BEC scammers between mid-2018 and mid-2019 were as follows: the US (39%), the UK (26%), Australia (11%), Belgium (3%), and Germany (3%).
Three Romanians Receive Jail Time for Hacking Schemes (07/24/2019)
Three Romanian citizens - Teodor Laurentiu Costea, Robert Codrut Dumitrescu, and Cosmin Draghici - have been sentenced to federal prison on wire fraud conspiracy, computer fraud and abuse, and aggravated identity theft charges, the Justice Department (DOJ) announced. The "vishing" and "smishing" schemes resulted in the illegal intrusion into computer servers in the US. The men also deployed phishing messages to thousands of victims and subsequently stole victims' Social Security numbers and bank account information. Losses totaled over $21 million USD. Vishing is a type of phishing scheme that communicates a phishing message, or a message that purports to be from a legitimate source, in this case the victims' banks, through a voice recording. Smishing is similar but communicates a phishing message through text messages.