CyberCrime - W/E - 9/6/19
Avast Teams Up with Law Enforcement to Halt Retadup Malware (08/28/2019)
Avast worked in conjunction with US and French authorities to neutralize 850,000 infections caused by the Retadup malware, which had been distributing a malicious cryptocurrency miner and other malware to computers running the Windows operating system, mostly in Latin America. While analyzing Retadup, Avast identified a design flaw in the malware that would allow it to be removed from victims' computers once the command and control (C&C) server was taken over. Retadup's C&C infrastructure was mostly located in France, so the team worked with French authorities to stop the threat. Some parts of the C&C infrastructure were also located in the United States, so the French authorities brought in the FBI. The worm's malicious C&C server has been replaced with a disinfection server that has caused the connected pieces of malware to self-destruct.
Critical Infrastructure Companies Preyed Upon by Hexane Threat Gang (08/28/2019)
A previously unknown threat entity targeted critical infrastructure organizations without being detected for more than 12 months, the security team at Secureworks advised. The threat group, which may have first become active in April 2018, targets organizations in sectors of strategic national importance, including oil and gas and possibly telecommunications. Its activity is similar to other groups, including OilRig and Elfin, but the researchers suspect this is a new entity entirely. This new group has been dubbed "Hexane" (also known as LYCEUM) and typically accesses an organization using account credentials obtained via password spraying or brute-force attacks. Using compromised accounts, the threat actors send spearphishing emails with malicious Excel attachments to deliver the DanBot malware, which subsequently deploys post-intrusion tools.
FTC Reminds Consumers to Be Wary of Romance Scams (08/27/2019)
Consumers should be aware of romance scams that are finding their way into inboxes. The Federal Trade Commission has produced a video and issued an alert to help consumers avoid such scams.
Heatstroke Campaign Implements Multi-Stage Phishing Attack (08/31/2019)
A campaign known as Heatstroke is using a multi-stage phishing attack to siphon private email addresses and eventually, payment credentials, the researchers at Trend Micro say. Heatstroke's multistage approach tries to mimic what a legitimate Web site would do to lull the potential victim into thinking nothing is amiss. The phishing kit's content is forwarded from another location, but masked to appear as if it was on the landing page itself. The researchers have learned that the phishing attack chain is dynamic, changing its routines depending upon the user's behavior.
New IRS Scam Spotted in Consumer, Business Inboxes (08/27/2019)
The Internal Revenue Service (IRS) is warning taxpayers and tax professionals about an IRS impersonation scam campaign spreading nationally on email. The email subject line may vary, but examples use the phrase "Automatic Income Tax Reminder" or "Electronic Tax Return Reminder." The IRS reminds consumers that it never sends unsolicited emails and never emails taxpayers about the status of refunds.
Over 80 Ecommerce Sites Compromised in Magecart Skimming Scheme (08/28/2019)
Over 80 Web sites using the Magento ecommerce platform have been compromised to send payment card data via formjacking to servers under the control of the Magecart gang. Information gleaned by Arxan Technologies and the Aite Group found that 25% of the compromised sites were motorsports or luxury retail brands. Many of the sites were using older versions of Magento that were known to have vulnerabilities.
Report: US Launched Cyber Attack on Iranian Database Used to Target Oil Tankers (09/01/2019)
A US cyber attack on a database belonging to Iran's Islamic Revolutionary Guard Corps prevented the Iranian paramilitary from launching attacks on oil tankers in the Gulf region, the New York Times (NY Times) has learned. According to unnamed US officials, the June 20 attack knocked systems offline and Iran was still attempting to recover data and reestablish its military communications. The attacked database was used to determine which oil tankers to target.
Satori Botnet Operator Pleads Guilty to Hacking (09/04/2019)
Kenneth Currin Schuchman pled guilty to a hacking charge for operating the Satori botnet, which exploited vulnerabilities across 100,000 Internet of Things (IoT) devices, KrebsOnSecurity reported. Schuchman, a Vancouver, WA resident who used the online monikers "Nexus" and "Nexus-Zeta," built the botnet with at least two other individuals with leaked code from the Mirai botnet and used Satori in large-scale distributed denial-of-service attacks between July 2017 and October 2018. The botnet exploited vulnerabilities in routers, digital video recorders, and other IoT devices. Schuchman is facing up to 10 years in prison and fines up to $250,000 USD.
TA505 Adopts New Tactics to Infiltrate New Areas (08/27/2019)
While the TA505 threat actor continues to use either the FlawedAmmyy remote access Trojan or the ServHelper malware as payloads, the entity has begun using .ISO image attachments as the point of entry, along with a .NET downloader, a new style of macro delivery, a newer version of ServHelper, and a .DLL variant of the FlawedAmmyy downloader. Trend Micro's research team has also observed TA505 targeting new countries, such as Turkey, Serbia, Romania, Korea, Canada, the Czech Republic, and Hungary.
Twitter CEO's Account Hacked to Send Out Nasty Tweets (08/31/2019)
A hacker took control of the Twitter account for the social media platform's CEO Jack Dorsey, using it to send offensive tweets. Some of the tweets used the hashtag #ChucklingSquad, which is thought to be the name of the hacking group responsible. Once hijacked, the @jack account spewed messages containing racial epithets and a retweet of a message in support of the Nazis, the AFP reported. Twitter said via tweet that Dorsey's account was "compromised due to a security oversight by the mobile provider" and had been secured. The messages were viewable for about a half hour.
US Mobile Users Targeted in Trickbot Campaign (08/31/2019)
The Gold Blackburn threat group is using Web injects from the Trickbot malware to take aim at Verizon Wireless, T-Mobile, and Sprint. When a victim navigates to the Web site of one of these organizations, the legitimate server response is intercepted by Trickbot and proxied through a command and control (C2) server. This C2 server injects additional HTML and JavaScript into the page, which is then rendered in the victim's Web browser. For all three carriers, the injected code adds an extra form field that requests the user's PIN code. SecureWorks provided a write-up of this activity.
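The web-inject pattern described above (and the Magecart formjacking item earlier in this digest) is, from the defender's side, a difference between the page the server sent and the page the browser received: fields and scripts appear that the legitimate page never had. The following is an added example, not code from the SecureWorks write-up, from Trickbot, or from any carrier site. It profiles a known-good copy of a login page (form field names, external script hosts, inline script count) and reports what a later response adds beyond that baseline. The page contents, the portal URL `https://carrier.example/login`, and the host `injected-host.test` are all constructed for the example; it uses regex scanning rather than a DOM so it runs in plain Node.

```javascript
// Added defensive example (not from the SecureWorks write-up or Trickbot):
// baseline a trusted copy of a login page, then flag form fields and scripts
// that a later response contains but the baseline did not.

const BASE_URL = "https://carrier.example/login"; // hypothetical portal URL

// Collect name="..." values from <input> tags, lower-cased.
function inputNames(html) {
  const names = new Set();
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const m = tag.match(/\bname\s*=\s*["']([^"']+)["']/i);
    if (m) names.add(m[1].toLowerCase());
  }
  return names;
}

// Collect hostnames of external <script src> tags and count inline scripts.
function scriptProfile(html) {
  const hosts = new Set();
  let inline = 0;
  for (const tag of html.match(/<script\b[^>]*>/gi) || []) {
    const m = tag.match(/\bsrc\s*=\s*["']([^"']+)["']/i);
    if (!m) { inline += 1; continue; }
    try {
      hosts.add(new URL(m[1], BASE_URL).hostname); // relative src resolves to the portal host
    } catch (e) {
      hosts.add("(unparseable:" + m[1] + ")");
    }
  }
  return { hosts, inline };
}

// Record what a trusted copy of the page looks like.
function profilePage(html) {
  const scripts = scriptProfile(html);
  return { fields: inputNames(html), scriptHosts: scripts.hosts, inlineScripts: scripts.inline };
}

// Compare a fresh response against the baseline profile.
function auditPage(html, baseline) {
  const current = profilePage(html);
  const unexpectedFields = [...current.fields].filter((f) => !baseline.fields.has(f));
  const unexpectedScripts = [...current.scriptHosts].filter((h) => !baseline.scriptHosts.has(h));
  const extraInlineScripts = Math.max(0, current.inlineScripts - baseline.inlineScripts);
  return {
    unexpectedFields,
    unexpectedScripts,
    extraInlineScripts,
    clean: unexpectedFields.length === 0 && unexpectedScripts.length === 0 && extraInlineScripts === 0,
  };
}

// Constructed sample: the page as the legitimate server sends it.
const KNOWN_GOOD_HTML = `
<html><head><script src="/static/app.js"></script></head>
<body><form method="post" action="/login">
<input type="text" name="username">
<input type="password" name="password">
<input type="hidden" name="csrf_token" value="abc">
<button>Sign in</button></form>
<script>console.log("page ready");</script></body></html>`;

// Constructed sample: the same page with an extra PIN field, an extra external
// script and an extra inline script added on the way to the browser.
const MODIFIED_HTML = KNOWN_GOOD_HTML
  .replace("<button>", '<input type="text" name="pin" placeholder="Account PIN"><button>')
  .replace("</body>", '<script src="https://injected-host.test/inj.js"></script><script>/* extra */</script></body>');

const BASELINE = profilePage(KNOWN_GOOD_HTML);

console.log(JSON.stringify(auditPage(KNOWN_GOOD_HTML, BASELINE)));
console.log(JSON.stringify(auditPage(MODIFIED_HTML, BASELINE)));
```

The baseline has to come from a copy of the page fetched over a path the proxying malware cannot touch (for example a server-side snapshot or a monitoring host outside the affected fleet), otherwise the injected version becomes the reference. Because the injection happens on the endpoint, a server-side control such as a Content Security Policy does not stop it; the comparison is a detection aid, and an endpoint that shows unexpected fields should be treated as compromised rather than patched page by page.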