CyberCrime - W/E - 10/18/19

China Hacked Aviation Companies to Get Intel to Build C919 Airplane (10/14/2019)
Chinese hackers coordinated a multi-year campaign to obtain information on the components used in the Comac C919 aircraft, which cost less than its competitors and made its maiden flight in 2017, following years of delays due to design flaws. CrowdStrike released a report that the Chinese state-aligned adversary TURBINE PANDA conducted cyber intrusions from roughly 2010 to 2015 against several of the companies that make the C919's various components. The goal was to obtain all the intelligence needed to manufacture the C919 components in China. The campaign included two parts: actual hacking and recruiting employees who worked at the targeted aviation companies. Among those targeted and compromised were Safran Group, Honeywell, and GE. According to the analysis, "Beijing uses a multifaceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs."

Hacker Arraigned in Cryptocurrency Scheme that Netted $1.4 Million (10/14/2019)
Alleged hacker Anthony Tyler Nashatka was arraigned in federal court on charges of conspiracy to commit computer fraud and abuse, conspiracy to commit wire fraud, aggravated identity theft and other charges related to a scheme to defraud victims of at least $1.4 million USD in cryptocurrency in December of 2017, the Department of Justice (DOJ) announced. According to an indictment, Nashatka conspired to target a cryptocurrency exchange platform to obtain the private keys and other information of hundreds of its users as part of a scheme to steal the users' cryptocurrency. The indictment further describes how the defendants unlawfully used the identity of a victim to gain access to the platform's domain name settings, caused the transmission of a command to disable all of the cryptocurrency company's servers, diverted users from the actual platform to a fake website, and fraudulently induced victims to input their cryptocurrency addresses and private keys into the fake Web site.

Imperva Breach Blamed on Leaky Cloud Configuration (10/14/2019)
Imperva admitted that a misconfiguration is to blame for a security breach affecting "a subset" of its Cloud Web Application Firewall (WAF) customers. Kunal Anand, Imperva's chief technology officer, said, "Our investigation identified an unauthorized use of an administrative API key in one of our production AWS (Amazon Web Services) accounts in October 2018, which led to an exposure of a database snapshot containing emails and hashed & salted passwords." The breach was discovered in August and the incident is not related to a vulnerability in the Cloud WAF product.

Kaspersky Honeypots Detected 105 Million IoT Device Attacks in First Half of 2019 (10/15/2019)
Kaspersky honeypots detected 105 million attacks on Internet of Things (IoT) devices coming from 276,000 unique IP addresses in the first six months of 2019, a figure nearly nine times greater than the number found in the same period of 2018. The findings come from Kaspersky's IoT: A Malware Story report on honeypot activity in H1 2019. The report found that attacks on IoT devices are generally not sophisticated but are stealthy, leaving users unaware that their devices are being exploited. The Mirai malware was used in 39% of the attacks while Nyadrop was seen in 38.57% of attacks.

Phorpiex Leaves Behind Cryptominer to Focus on Sextortion Campaign (10/16/2019)
Check Point Software has warned that the Phorpiex botnet, which has infected over 500,000 hosts and has been active for more than 10 years, is running a large-scale sextortion campaign. Previously, Phorpiex mined cryptocurrency and distributed various types of malware, including GandCrab, Pony, and Pushdo. The Phorpiex botnet uses a spam bot that downloads a database of email addresses from a command and control server, but a recent campaign used databases with leaked passwords in combination with email addresses. A victim's password is usually included in the email message; this exacerbates the threat by showing that the password is known to the attacker. For further shock value, the message starts with a string that contains the password.

Pitney Bowes Services Impacted by Cyber Attack (10/15/2019)
A ransomware attack hit Pitney Bowes, resulting in encrypted information and disrupted access for clients, the shipping services company said in a statement. "We have seen no evidence that customer accounts or data have been impacted," the company said. Customers will not be able to refill postage meters but can print postage if they have funds loaded in the system. Mailing system products and Your Account access are impacted by this attack.

Under the Radar: For 4 Years, the Dukes Used New Malware Tools for Cyber Espionage (10/17/2019)
The Dukes (also known as APT29 and Cozy Bear) threat group appeared to take a hiatus but the entity has reemerged with new malware implants in ongoing activities that ESET has dubbed "Operation Ghost." This campaign, which appears to have become active in 2013 and is ongoing, is using three malware implants - PolyglotDuke, RegDuke, and FatDuke - and has compromised the ministries of foreign affairs in at least three European countries. At least one European country's embassy in Washington, DC has also been affected. In Operation Ghost, the Dukes have used a limited number of tools but have utilized persistence, a four-stage, sophisticated malware platform, and have avoided communicating with the same command and control infrastructure between different victims.

Winnti Group Updates Threat Arsenal with Additional Malware (10/14/2019)
ESET published details regarding new Winnti Group activities, including that the threat entity uses a packer called PortReuse to target specific organizations. The Winnti Group, which was responsible for the ShadowHammer supply chain attacks, also utilizes a VMProtected packer that decrypts position-independent code using RC5, with a key based on a static string and the volume serial number of the victim's hard drive, and runs it directly. The group uses the ShadowPad malware and a custom version of the XMRig cryptocurrency miner as payloads.