CyberCrime - W/E - 8/9/19
"Warshipping" Delivers Attacks in Packages to Silently Torpedo Corporate Networks (08/07/2019)
A tactic dubbed "warshipping" by IBM's X-Force Red team of researchers involves the use of ecommerce-related package deliveries by cyber thieves with the intention of hacking into corporate or personal home networks from the office mailroom or from someone's front door. By using warshipping, the scientists could infiltrate a network without being detected. Warshipping involves the use of disposable, low-cost, and low-power computers to remotely perform close-proximity attacks, regardless of a cybercriminal's location. A malicious actor can hide a tiny device (similar to the size of a small cellphone) in a package and ship it off to his or her victim to gain access to a specific network. The device, a 3G-enabled, remotely controlled system, can be tucked into the bottom of a packaging box or stuffed inside an item as it is no bigger than the palm of a hand.
Advisory Details Password Spraying Attacks Targeting Various Services (08/07/2019)
The Australian Cyber Security Center (ACSC) is aware of a high volume of ongoing password spray attacks targeting Australian organizations. The password spray attacks target users on standard corporate external services such as Webmail, remote desktop access, Active Directory Federated Services, or cloud-based services such as Office 365. Depending on the credentials and service, successful authentication can potentially lead to the actor gaining access to corporate emails, the corporate directory, global address books, remote desktop services, or administrative access. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ACSC advisory.
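The advisory's distinguishing feature of a spray, a few attempts against many accounts rather than many attempts against one, is what a detection rule over external-service authentication logs should key on. The following is an added example, not code from the ACSC or CISA; the log format, field order, thresholds, and all usernames and addresses are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the ACSC advisory).
# Fields: timestamp, result, username, source IP, external service.
SAMPLE_LOG = """\
2019-08-05T02:00:01Z FAIL alice 203.0.113.7 owa
2019-08-05T02:00:04Z FAIL bob 203.0.113.7 owa
2019-08-05T02:00:07Z FAIL carol 203.0.113.7 owa
2019-08-05T02:00:10Z FAIL dave 203.0.113.7 owa
2019-08-05T02:00:13Z FAIL erin 203.0.113.7 owa
2019-08-05T02:00:16Z FAIL frank 203.0.113.7 owa
2019-08-05T02:31:02Z SUCCESS erin 203.0.113.7 owa
2019-08-05T02:05:00Z FAIL grace 198.51.100.4 rdp
2019-08-05T02:05:01Z FAIL grace 198.51.100.4 rdp
2019-08-05T02:05:02Z FAIL grace 198.51.100.4 rdp
2019-08-05T02:05:03Z FAIL grace 198.51.100.4 rdp
2019-08-05T02:05:04Z FAIL grace 198.51.100.4 rdp
2019-08-05T02:05:05Z FAIL grace 198.51.100.4 rdp
2019-08-05T09:12:00Z FAIL alice 192.0.2.10 owa
2019-08-05T09:12:20Z SUCCESS alice 192.0.2.10 owa
"""

def parse_auth_log(text):
    """Parse the whitespace-separated log into (time, result, user, src, service) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src, service = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user, src, service))
    return events

def detect_spray_sources(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {src_ip: sorted distinct users} for sources whose failures inside some
    `window` touch at least `min_users` accounts with no more than `max_per_user`
    attempts each. A single-account brute force (many failures, one user) is not
    reported; per-account lockout rules already cover that shape."""
    failures = defaultdict(list)
    for ts, result, user, src, _ in events:
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, attempts in failures.items():
        attempts.sort()
        best, start = None, 0
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1                      # slide the window forward
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > len(best):
                    best = sorted(per_user)     # keep the widest qualifying window
        if best:
            flagged[src] = best
    return flagged

def successes_after_spray(events, flagged):
    """Accounts that authenticated successfully from a flagged source: the
    'successful authentication' case the advisory warns about, so these accounts
    need a credential reset and a review of mailbox rules and MFA enrolment."""
    return sorted({user for _, result, user, src, _ in events
                   if result == "SUCCESS" and src in flagged})
```

In production the same logic runs per service and per source /24 as well, since sprayers rotate addresses; the thresholds here are deliberately low so the constructed sample trips them.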
APT41 Employs Numerous Methods for Its Espionage and Cybercriminal Activities (08/06/2019)
FireEye has detailed its research into APT41, a Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41 leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain and has been conducting simultaneous cybercrime and cyber espionage operations from 2014 onward. This entity has an arsenal of over 46 different malware families and tools to accomplish its missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group. In one campaign that ran for nearly a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware, including backdoors, credential stealers, keyloggers, and rootkits.
Confidence/Romance Scams Continue to Victimize Trusting Individuals (08/06/2019)
The Internet Crime Complaint Center (IC3) posted a warning regarding an increase in confidence/romance scams in which an actor deceives a victim into believing they have a trust relationship and uses that relationship to persuade the victim to send money, provide personal and financial information, purchase items of value for the actor, or even launder money. In 2018, the IC3 received complaints from more than 18,000 individuals who had been victimized by these scams and more than $362 million USD was reported stolen. That year, confidence/romance fraud was the seventh most commonly reported scam to the IC3 based on the number of complaints received, and the second costliest scam in terms of victim loss. Tips to protect against such scams are listed in the IC3 alert.
Cryptomining Campaign Impacts More than a Half Million Global Computers (08/07/2019)
Scientists at Carbon Black identified a cryptocurrency mining campaign, "Access Mining," which has been enhanced to steal system access information for possible sale on the dark Web. This campaign potentially affects over 500,000 systems worldwide, but most have been located in Asia Pacific, Russia, and Eastern Europe. Access Mining uses multi-stage malware that sends detailed system metadata to a network of hijacked Web servers, presumably for the purposes of resale on one (or many) remote access marketplaces across the dark Web.
DOJ Uncovers Major Crime Ring at AT&T Call Center (08/07/2019)
The US Department of Justice (DOJ) uncovered a strange case of fraud and "misuse" of AT&T's network centered around the unlocking of smartphones on the company's network. The crime was perpetrated by Pakistani citizen Muhammad Fahd, who bribed staff at a Bothell, Washington AT&T call center in order to have carrier-locked smartphones unlocked from the AT&T network before the company's policy would normally allow it. While this act is already considered criminal, the much more concerning aspect of the incident may be the fact that Fahd also paid AT&T staff to insert malware and "otherwise misuse" the AT&T network for his personal gain. In exchange for facilitating his criminal activity, the participating workers at the call center were bribed to the tune of $428,500 over a five-year period. The numerous charges against Fahd include wire fraud, five counts of Travel Act violations, conspiracy to violate the Computer Fraud and Abuse Act, and four counts of accessing and damaging protected computers. The DOJ claims the fraud ring unlocked "millions of devices," allowing its ringleader to abuse the early unlocking procedure to make millions of dollars in the process.
Feds: Don't Fall Victim to Tragedy-Related Scams (08/06/2019)
The Cybersecurity and Infrastructure Security Agency (CISA) advises businesses and consumers to be vigilant for possible malicious cyber activity seeking to capitalize on the tragic events in El Paso, TX and Dayton, OH. Fraudulent email campaigns are possible after the two mass shootings as some scammers will champion donations for charitable causes, yet use the opportunity to spread malware and siphon money from unsuspecting parties.
Hacktivists Abuse SMS Protocol to Mass-Text US Subscribers (08/06/2019)
Two hackers are attempting to text every mobile phone in the US using SMS gateways, a legitimate technology often utilized by businesses to mass-text users, Wired has reported. The hackers, known by their Twitter handles as @j3ws3r and @0xGiraffe, created a script and generated every possible phone number between 1111111 and 9999999 and then connected them to a list of US area codes. Although many of the messages were filtered out by US carriers, some still got through to cell phone users. "I'm here to warn the masses about SMS email gateways. Please look up how to disable it on your phone or call your provider and ask," was the message spammed out by @j3ws3r.
Middle Eastern Entities Negatively Impacted by Threat Actors OilRig, MuddyWater, Hades (08/06/2019)
In the second half of 2019, Kaspersky researchers observed activity in the Middle East including a series of online asset leaks such as code, infrastructure, group, and apparent victim details, allegedly belonging to known Persian-speaking threat actors, OilRig and MuddyWater. Though these leaks originated from different sources, they all appeared within a few weeks of each other. The third online leak, which was said to expose information related to an entity called the "RANA institute," was published in Persian on a Web site called "Hidden Reality." Kaspersky researchers' analysis of the materials, infrastructure, and the dedicated Web site led to the conclusion that this particular leak could be connected to the threat actor Hades. Hades is the cyber threat group behind the OlympicDestroyer incident targeting the 2018 Winter Olympic Games, as well as the ExPetr worm and other disinformation campaigns. Further details about these infiltrations can be gleaned from Kaspersky's quarterly advanced persistent threats summary.
Phishing Campaign Drops LookBack Malware on Critical Infrastructure Companies (08/06/2019)
Between July 19 and July 25, several spear phishing emails were identified targeting three US companies in the utilities sector. The phishing emails appeared to impersonate a US-based engineering licensing board with emails originating from what appears to be an actor-controlled domain, nceess[.]com. This URL is believed to be an impersonation of a domain owned by the US National Council of Examiners for Engineering and Surveying. The emails contain a malicious Word attachment that uses macros to install and run malware that Proofpoint researchers have dubbed "LookBack." This malware consists of a remote access Trojan module and a proxy mechanism used for command and control communication. LookBack appears to be the work of a nation-state actor that is targeting utilities systems and critical infrastructure providers.
Rocke Cybercriminal Gang Attacks Cloud Environments (08/06/2019)
Palo Alto Networks released details about Rocke, a China-based cybercrime group engaged in cryptomining operations targeting the cloud. By analyzing NetFlow data between December 2018 and June, the researchers found that 28.1% of the cloud environments surveyed had at least one fully established network connection with at least one known Rocke command and control domain. Several of those organizations maintained near daily connections. Meanwhile, 20% of the organizations maintained hourly heartbeats consistent with Rocke tactics, techniques, and procedures. Rocke also released a new backdoor called Godlua, which could function as an agent, allowing the group's actors to perform additional scripted operations, including denial-of-service attacks, network proxying, and two shell capabilities. NetFlow is a capability on Cisco routers that allows for the collection of IP network traffic.
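Two of the observations above translate directly into NetFlow hunting: flows to addresses that known C2 domains resolve to, and (src, dst) pairs whose flows recur on a fixed period such as the hourly heartbeat. The following is an added example, not Palo Alto Networks' method or code; it uses a simplified flow record format, a constructed sample, and a placeholder set of C2 addresses, since the article lists no indicators. The period is a parameter, so the same check covers the near-daily connections the article also mentions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed, simplified flow records (not a real NetFlow export and not Palo Alto's data).
# Fields: flow start, source host, destination IP, destination port, bytes.
SAMPLE_FLOWS = """\
2019-06-01T00:00:05Z 10.0.5.21 198.51.100.50 443 612
2019-06-01T01:00:09Z 10.0.5.21 198.51.100.50 443 598
2019-06-01T02:00:02Z 10.0.5.21 198.51.100.50 443 620
2019-06-01T03:00:11Z 10.0.5.21 198.51.100.50 443 604
2019-06-01T04:00:07Z 10.0.5.21 198.51.100.50 443 611
2019-06-01T00:03:00Z 10.0.5.30 192.0.2.80 443 40233
2019-06-01T00:17:00Z 10.0.5.30 192.0.2.80 443 10211
2019-06-01T01:42:00Z 10.0.5.30 192.0.2.80 443 55019
2019-06-01T03:05:00Z 10.0.5.30 192.0.2.80 443 8820
2019-06-01T05:30:00Z 10.0.5.30 192.0.2.80 443 9001
2019-06-01T12:00:00Z 10.0.5.44 203.0.113.9 80 1500
"""

# PLACEHOLDER: addresses that known Rocke C2 domains resolved to at collection time.
# The article names no indicators; this value is constructed for the example.
KNOWN_C2_IPS = {"203.0.113.9"}

def parse_flows(text):
    """Parse records into (start_time, src, dst, dst_port, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(port), int(nbytes)))
    return flows

def known_c2_contacts(flows, c2_ips=KNOWN_C2_IPS):
    """(src, dst) pairs with an established flow to a known C2 address."""
    return sorted({(src, dst) for _, src, dst, _, _ in flows if dst in c2_ips})

def beaconing_pairs(flows, period=3600, tolerance=0.05, min_flows=4, min_regular=0.8):
    """(src, dst) pairs whose inter-flow gaps cluster within `tolerance` of `period`
    seconds. Human-driven traffic (10.0.5.30 in the sample) has irregular gaps and
    is not reported; a scheduled heartbeat (10.0.5.21) is. Returns {pair: median gap}."""
    by_pair = defaultdict(list)
    for ts, src, dst, _, _ in flows:
        by_pair[(src, dst)].append(ts)
    found = {}
    for pair, times in by_pair.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if abs(med - period) / period > tolerance:
            continue                            # not the period we are hunting for
        regular = sum(1 for g in gaps if abs(g - med) / med <= tolerance)
        if regular / len(gaps) >= min_regular:  # low jitter around the median
            found[pair] = int(med)
    return found
```

A pair that beacons to an address not yet on the C2 list is the more useful output; confirming it by reverse DNS or passive DNS against the published Rocke domains is the next step.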
Spammers Abuse Legitimate Company Sites to Send Malicious Messages (08/08/2019)
Kaspersky researchers have identified a global, emerging trend in spam and phishing delivery techniques. Cybercriminals are increasingly exploiting registration, subscription, and feedback forms on trusted company Web sites to insert spam content or phishing links into confirmation emails. The goal of such campaigns is to have emails originate from a legitimate, reputable source so that users do not ignore the unwanted email. The spam messages appear to come from a legitimate company.
STRONTIUM/Fancy Bear Compromises IoT Devices to Access Corporate Networks (08/06/2019)
Microsoft researchers discovered infrastructure from STRONTIUM (also known as Sednit, APT28, Pawn Storm, and Fancy Bear) attempting to compromise Internet of Things (IoT) devices, including a voice over IP phone, an office printer, and a video decoder, across multiple customer locations. The investigation showed that the threat actor had used these devices to gain initial access to corporate networks. In two of the cases, the devices had been deployed without changing the manufacturer's default passwords, and in the third instance the latest security update had not been applied to the device. After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets and enumerated administrative groups for further exploitative purposes. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network, which allowed extended access to continue hunting.