CyberCrime - W/E - 9/13/19
Compromised Devices Abused in Campaign to Attack Web Servers (09/09/2019)
Trend Micro detected a spam campaign that uses compromised devices to attack vulnerable Web servers. After brute-forcing devices with weak access credentials, the attackers use them as proxies to forward a base64-encoded PHP script to Web servers. The script sends an email with an embedded link to a scam site to specific email addresses. Some of the samples observed were used for spamming, for redirecting victims to cryptocurrency scams, and for spreading malware to vulnerable servers. The campaign has been seen targeting users in the UK.
Trend Micro detected a spam campaign that uses compromised devices to attack vulnerable Web servers. After brute-forcing devices with weak access credentials, the attackers use them as proxies to forward a base64-encoded PHP script to Web servers. The script sends an email with an embedded link to a scam site to specific email addresses. Some of the samples observed were used for spamming, for redirecting victims to cryptocurrency scams, and for spreading malware to vulnerable servers. The campaign has been seen targeting users in the UK.
Massive DDoS Attack Hits Wikipedia and Lasts for Days (09/11/2019)
Wikipedia was slammed by a massive cyber attack that began on September 6 and lasted nearly three days. Security mitigation company ThousandEyes was monitoring Wikipedia and recorded a "significant drop in HTTP server availability" worldwide and site access was lost in Europe, the Middle East, and Africa. It is not known how large the attack was but information from ThousandEyes shows that it was a standard distributed denial-of-service attack resulting in massive traffic floods. The Wikimedia Foundation, the parent company of Wikipedia, condemned the attacks.
Wikipedia was slammed by a massive cyber attack that began on September 6 and lasted nearly three days. Security mitigation company ThousandEyes was monitoring Wikipedia and recorded a "significant drop in HTTP server availability" worldwide and site access was lost in Europe, the Middle East, and Africa. It is not known how large the attack was but information from ThousandEyes shows that it was a standard distributed denial-of-service attack resulting in massive traffic floods. The Wikimedia Foundation, the parent company of Wikipedia, condemned the attacks.
Oklahoma Law Enforcement Retirement System Cyber Attack Siphons $4.2 Million (09/09/2019)
A cyber attack targeting the Web site for the Oklahoma Law Enforcement Retirement System (OLERS) resulted in the theft of $4.2 million USD. The crime is being actively investigated by the FBI but a statement posted to the OLERS site said, "no pension benefits to members or beneficiaries have been impacted or put at risk. All benefits will continue to be paid in a timely fashion as always." OLERS administers retirement and medical benefits to Oklahoma law enforcement.
A cyber attack targeting the Web site for the Oklahoma Law Enforcement Retirement System (OLERS) resulted in the theft of $4.2 million USD. The crime is being actively investigated by the FBI but a statement posted to the OLERS site said, "no pension benefits to members or beneficiaries have been impacted or put at risk. All benefits will continue to be paid in a timely fashion as always." OLERS administers retirement and medical benefits to Oklahoma law enforcement.
Ransomware Attacks on the Rise, Take Precautions to Avoid Impacts (09/09/2019)
The Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in ransomware attacks across the nation. The organization released a document to provide details about ransomware, steps to take to prevent such attacks from occurring, and ways to recover if such incidents impact systems.
The Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in ransomware attacks across the nation. The organization released a document to provide details about ransomware, steps to take to prevent such attacks from occurring, and ways to recover if such incidents impact systems.
Report: US Grid Hit by March Cyber Attack Following Exploit of Firewall (09/10/2019)
A known vulnerability exploited in a firewall used at an unnamed power utility in the western US resulted in communications outages after an attacker launched a denial-of-service attack at a low-impact control center and multiple remote low-impact generation sites. This information comes from E&E News, which obtained a copy of a Lesson Learned Report from the North American Electric Reliability Corporation (NERC). According to E&E News, the incident occurred on March 5 and impacted California, Wyoming, and Utah. The incident was brief, lasting less than five minutes, and firewall reboots occurred over a 10-hour period with each firewall being offline for less than five minutes. The report stated, " Given that a firmware update to address the exploited vulnerability had been released prior to the event, the entity's process for assessing and implementing firmware updates was reviewed. Based on this review, the entity decided to implement a more formal and more frequent review of vendor firmware updates that would be tracked within internal compliance tracking software. It should be noted that the entity was already working to develop internal procedures to support this process; however, these were not completed or being practiced at the time of the event." .
A known vulnerability exploited in a firewall used at an unnamed power utility in the western US resulted in communications outages after an attacker launched a denial-of-service attack at a low-impact control center and multiple remote low-impact generation sites. This information comes from E&E News, which obtained a copy of a Lesson Learned Report from the North American Electric Reliability Corporation (NERC). According to E&E News, the incident occurred on March 5 and impacted California, Wyoming, and Utah. The incident was brief, lasting less than five minutes, and firewall reboots occurred over a 10-hour period with each firewall being offline for less than five minutes. The report stated, " Given that a firmware update to address the exploited vulnerability had been released prior to the event, the entity's process for assessing and implementing firmware updates was reviewed. Based on this review, the entity decided to implement a more formal and more frequent review of vendor firmware updates that would be tracked within internal compliance tracking software. It should be noted that the entity was already working to develop internal procedures to support this process; however, these were not completed or being practiced at the time of the event." .
Thrip Threat Group Continues Targeted Attacks in Southeast Asia with Sophisticated Tools (09/09/2019)
Symantec has linked two threat groups and now believes they are one and the same. Thrip, a Chinese espionage group, is using a previously unseen backdoor known as Hannotog and another backdoor known as Sagerunex. Analysis of Sagerunex shows close links to another long-established espionage group called Billbug (aka Lotus Blossom) and it is likely the two entities are the same. Since June 2018, Thrip has attacked at least 12 organization within Southeast Asia, including those in the military, maritime communications, education, and media sectors. The Hannotog backdoor has been in use since at least January 2017 and provides the attackers with a persistent presence on the victim's network. Sagerunex delivers remote access to the attackers.
Symantec has linked two threat groups and now believes they are one and the same. Thrip, a Chinese espionage group, is using a previously unseen backdoor known as Hannotog and another backdoor known as Sagerunex. Analysis of Sagerunex shows close links to another long-established espionage group called Billbug (aka Lotus Blossom) and it is likely the two entities are the same. Since June 2018, Thrip has attacked at least 12 organization within Southeast Asia, including those in the military, maritime communications, education, and media sectors. The Hannotog backdoor has been in use since at least January 2017 and provides the attackers with a persistent presence on the victim's network. Sagerunex delivers remote access to the attackers.
Trend Micro Investigates What Miscreants Really Talk About in the Dark Underground (09/10/2019)
A post from Trend Micro assesses what information individual cybercrime underground communities discuss in relation to threats and attacks. The Russian underground holds the most discussions on Internet of Things-related attacks while monetization is the main focus of this community. The Portuguese cybercriminal community is the second most active group and many members have discussed KL DNS, a redirection service that allows phishers to capture banking information from infected routers. Individuals in the English-speaking cybercriminal community are most interested in exploiting vulnerabilities, discussing exploit codes, and abusing connected printers.
A post from Trend Micro assesses what information individual cybercrime underground communities discuss in relation to threats and attacks. The Russian underground holds the most discussions on Internet of Things-related attacks while monetization is the main focus of this community. The Portuguese cybercriminal community is the second most active group and many members have discussed KL DNS, a redirection service that allows phishers to capture banking information from infected routers. Individuals in the English-speaking cybercriminal community are most interested in exploiting vulnerabilities, discussing exploit codes, and abusing connected printers.