CyberCrime - W/E - 1/10/20
INTERPOL Disrupts Southeast Asian Cryptojacking Campaign (01/08/2020)
Based on data from police and partners in the cybersecurity industry, INTERPOL identified a global cryptojacking campaign in Southeast Asia facilitated by the exploitation of a vulnerability in MikroTik routers. Operation Goldfish Alpha launched in June and uncovered over 20,000 hacked routers in the region, accounting for 18% of infections globally. Over the five-month operation, cybercrime investigators and experts from police and national computer emergency response teams across 10 countries worked together to locate the infected routers, alert the victims, and patch the devices so they were no longer under the control of the cybercriminals. Trend Micro was among the organizations that supported this effort.
Iranian Hackers Deface US Government Web Site (01/06/2020)
The AFP reported that the Web site for the Federal Depository Library Program (FDLP) was defaced by a group that claimed to be Iranian hackers on January 4. The US government site was replaced with images, which included Iran's leader, the Iranian flag, and a message saying "Iranian Hackers!" In a statement, the FDLP acknowledged the intrusion and said that it made its site inaccessible for about 24 hours to perform a security assessment. None of the data on the site was compromised.
Lazarus Boosts AppleJeus Campaign with New Tactics to Steal Cryptocurrency (01/08/2020)
The Lazarus adversary is continuing its AppleJeus operation to steal cryptocurrency, but with improved tactics and procedures and the use of Telegram as one of its new attack vectors. Victims in the UK, Poland, Russia, and China, in addition to several business entities connected to cryptocurrency, were affected during the operation. During its initial 2018 AppleJeus operation, Lazarus created a fake cryptocurrency company in order to deliver its manipulated application and exploit a high level of trust among potential victims. The attack vector in Lazarus' 2019 attacks mimicked the one from the previous year, but with some improvements. This time, Lazarus created fake cryptocurrency-related Web sites, which hosted links to Telegram channels for the fake organizations and delivered the malware through the messenger. Kaspersky has detailed its findings on the most recent AppleJeus campaign.
Microsoft Disrupts North Korean Hackers' Operations (01/06/2020)
Microsoft took measures to disrupt the operations of Thallium, a North Korean threat entity, including the seizure of 50 of the group's domains. With this action, the sites can no longer be used to execute attacks. Thallium uses spear phishing tactics and the BabyShark and KimJongRAT malware families to attack its targets, most often government employees, think tanks, university staff members, members of organizations focused on world peace and human rights, and individuals who work on nuclear proliferation issues. Most targets were based in the US, Japan, and South Korea. Microsoft filed a court case in Virginia, which resulted in a court order enabling the vendor to take control of the 50 Thallium domains.
Phishing Scheme Takes Aim at Canadian Bank (12/23/2019)
A phishing campaign that impersonated the Royal Bank of Canada sent legitimate-looking e-mails with PDF attachments to victims. By sending highly convincing e-mails to their targets, constantly registering look-alike domains for popular banking services in Canada, and crafting tailor-made documents, the attackers behind this scheme were able to run a large-scale operation and remain under the radar for quite some time, the researchers at Check Point Software said.
Three GozNym Members Receive Jail Time for Cybercriminal Operation (12/23/2019)
Three individuals associated with the GozNym malware cybercrime network have been sentenced to prison, the Justice Department (DOJ) announced on December 20. The malware was used to steal online banking credentials, access victims' online bank accounts, and attempt to steal victims' money through electronic transfers into other bank accounts. GozNym targeted Europe and North America, but the network was dismantled by law enforcement in 2016. One of the individuals, Krasimir Nikolov, a resident of Bulgaria, was sentenced to time served after having spent more than 39 months in prison following his conviction on charges of criminal conspiracy, computer fraud, and bank fraud. He will be extradited to Bulgaria.