Internet threat news

Widely regarded as one of the most dangerous botnets in recent history Emotet activity stopped in May 2019. Researchers noticed that Emotet activity started picking up again in August. In less than a month, researchers have detected a new spam email campaign been distributed by the botnet. Malicious emails have been sent from the Emotet botnet have been seen spotted targeting those residing in Germany, the United Kingdom, Poland, and Italy. Further, emails have been seen sent to US individuals, businesses, and government organizations.

By June 2019 all activity on Emotet servers had ceased. On August 22, 2019, the command and control servers starting receiving requests and acting upon those requests. Researchers noticed that those behind the botnet have been actively preparing for a new spam email campaign.

In a recent public service announcement released by the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) revealed the true extent and costs associated with Business Email Compromise (BEC) scams. IC3 in the announcement reported that there had been a 100% increase in BEC scams for the period of May 2018 to June 2019. BEC scams involve the spoofing of corporate email accounts known for conducting wire transfers across the globe to suppliers in different countries. Using numerous techniques, malware variants, and social engineering the scammers fraudulently wire funds, or in some cases convince employees to wire funds, to accounts under their control. These scams have seen increased rates of success as scammers often started impersonating CEOs and other positions of power to better trick employees.

In the announcement not only is the increase in such attacks given but the number of complaints received by the department. From June 2016 IC3 received 166,349 complaints both domestically and internationally. The department estimated that such scams have resulted in an estimated dollar loss of 26 billion. Importantly the scams do not only target large corporation but small and medium-sized businesses as well. A factor to be considered in the 100% increase is the increased awareness, both in the public and corporate spheres, of the scams. This increased awareness has attributed to more victims reporting complaints and opening cases. Such scams have been reported in 177 countries, along with funds been fraudulently sent from nearly 140 countries.

Researchers have discovered a new piece of malware which creates a backdoor by abusing Windows BITS service in order to hide traffic be sent and received by the operator's command and control servers. This is not the first instance of researchers discovering malware designed to abuse the BITS system with the first use case dating back to 2015, maybe even earlier. The malware appears to be used by a state-sponsored cyberespionage group named Stealth Falcon. More on the group and the links to the malware to follow.

In a report published by the Slovak security firm, ESET details of the new piece of malware are illuminated upon. Researchers have called the malware Win32/StealthFalcon, with researchers believing that this new piece of malware is stealthier than previous tools known to be employed by the cyber espionage group. As alluded to above much of the malware’s stealth ability comes down to its abuse of the BITS system. BITS or Background Intelligent Transfer Service was first introduced by Windows upon the release of Windows XP and has been included in subsequent versions of the operating system. BITS allows for the transfer of files between machines using idle network bandwidth. This system is used by Windows to send updates to users, as one example, but other apps also use it to download updates while the user is not using bandwidth.

Last week the InfoSec community was informed about 14 vulnerabilities found in Apple’s iOS. Further, it was stated that these vulnerabilities were actively seen being exploited in the wild since September 2016. Over seven months of research was published by Google’s Project Zero working in conjunction with Google’s Threat Analysis Group (TAG) detailing in great detail how the vulnerabilities where exploited. The attackers used the vulnerabilities in at least five exploit chains with Project Zero publishing their research on each of the five chains. The reports can be read here beginning with the first exploit chain. It goes without saying that the information in the reports is technical and won’t be covered in much depth in this article but for those technically minded the reading will be interesting.

For students purchasing a new year’s worth of academic material and textbooks, the price for the books can be overwhelming. For those students, a quick search may reveal that the book they desperately need is available for free online. For a lot of students free beats paid 99% of the time, sadly, according to Kaspersky, many instances of these free textbooks are loaded with numerous strains of malware. Commonly, hackers have looked to infect those illegally downloading movies or TV series, as well as those looking to get an advantage over others by cheat codes in games. Both have long been the hunting grounds for hackers but the loading of malware on free academic material show that hackers never bind themselves to just one method when targeting users.

To say that TrickBot trojan has become more than a constant pain for those defending networks would be an understatement. Added to the constant stream of updates and upgrades the malware authors also rent out their creation to other cybercriminal organizations. This tactic has resulted in the malware authors developing partnerships with some of the more prominent cybercriminal organizations presenting a greater threat to security researchers. Now TrickBot includes features which enable hackers to carry out SIM Swapping attacks.

SIM Swapping is an increasingly popular attack vector. The scam involves the hacker exploiting mobile service providers been able to seamlessly port an old number to a new SIM card. The hacker begins by getting their hands on personal information of the victim. This may be done with a phishing email but other methods have been used previously. The hacker will then contact the victim’s service provider and pretend to be the victim to get the number ported to the SIM they have in their possession. In a lot of cases, the hacker can now bypass SMS multi-factor authentication methods and reset passwords for a victim's bank accounts, email accounts, or cryptocurrency exchange portals. In the US over the past two years, such scams have spiked in popularity with the potential for victims to lose hundreds of thousands of dollars.

Hackers are actively attacking enterprise networks by exploiting flaws made public earlier this month. The hackers taking advantage of public technical details and demo exploit code to launch attacks against enterprise targets. The hackers are exploiting flaws discovered in Webmin, a web-based utility for managing Linux and UNIX systems, and VPN products such as Pulse Secure and Fortinet's FortiGate. All three flaws are seen as incredibly serious as if successfully exploited can allow the attacker to take full control of enterprise systems. Researchers are of the opinion that these attacks are some of the worst seen this year due to the networks been targeted that are full of incredibly sensitive data.

The first of these attacks appears to have begun last week on Tuesday with hackers exploiting the flaw discovered in Webmin. The flaw, given the classification CVE-2019-15107, was seen been exploited a day after the flaw was disclosed. The flaw essentially created a backdoor, this was done a year before when other hackers managed to compromise a server belonging to a Webmin developer, where it remained hidden for more than a year before being discovered. As soon as the flaw was disclosed scans for vulnerable Webmin running servers began. Once confirmed by Webmin the flaw, rather than just be scanned for, was now been actively attacked.

Hackers do not need computer science geniuses to carry out successful cyber-attacks or scams, with many attacks relying on the work and malware developed by previous threat actors. When a seemingly advanced hacker group which uses its own tools begins to attack financial institutions warning flags should and are often raised. This is the case regarding Silence, a hacker group specializing in stealing funds from financial institutions, has significantly ramped up operations targeting banks from over 30 countries. This has resulted in the group causing a sharp increase in financial losses suffered by organizations across the globe.
 
Researchers at Group-IB, Singapore-based cybersecurity company specializing in attack prevention, have been tracking Silence since its timid birth in 2016. The security firm has released two comprehensive reports tracking and analyzing the group’s attacks. The first report published towards the end of 2018. Silence at its formation was content to learn from those hackers who had come before. Once lessons were learned the group began actively targeting banks and other financial institutions. Since attacks began to now the hacker group has stolen over 4 million USD from numerous banks and financial institutions. By the time of the first report was published the group had only managed to successfully steal 800,000 USD. The difference in amounts stolen illustrates the ramping up of the group’s activity from the first report to the second.

Last week this publication covered how the Cerberus banking trojan was filling a gap in the malware-as-a-service market (MaaS) left by a crackdown on other similar trojans. The threats posed by MaaS schemes was briefly looked at in that article. As if to put a finer point on threat security researchers have discovered a recent campaign of the trojan Adwind been distributed in a campaign targeting utility companies. Adwind, also called jRAT, AlienSpy, JSocket, and Sockrat, has been active in one form or the other since 2013 and like Cerberus adopted the MaaS model.
 
According to a report by security firm Cofense, the newest campaign distributing Adwind was discovered by its researchers. The malware is distributed by a phishing campaign using emails from a compromised company server. The email contains a PDF file which contains the malicious payload. Further, the malware is rented out to threat actors for a subscription fee. According to the researchers, the trojan is capable of defeating a broad spectrum of anti-virus products. However, if the product features a sandbox environment or behavior-based detection methods it will be able to detect the malware with little problem. This ability to avoid detection is critical to the malware's success but the infection chain begins earlier with the receiving of the phishing email.

Banking trojans, malware-as-a-service (MaaS), and others are just some of the terms used by security researcher’s to define malware types and cybercrime. This jargon can come to be a headache for some and a nightmare for others when they find out their bank accounts have been cleaned out. With the emergence of Cerberus, a banking trojan sold as a service to rent to any interested party is now filling a gap in the market left by other such trojans which also rented out their services who have subsequently thrown in the towel. Like those that have stopped operations Cerberus actively targets mobile phones running Android.
 
In an article published by researchers from security firm ThreatFabric, has revealed details about the trojan, named after the mythological three-headed dog who guarded the gates to the underworld. Before Cerberus is looked at, it is wise to unpack exactly what a banking trojan is as well as the MaaS business model. Banking trojans, particularly those targeting mobile devices, are pieces of malware which disguise themselves as legitimate apps which when installed are designed to steal credentials, particularly those for banking apps. Once the correct credentials are stolen the hacker could access the victims banking app and account allowing for the withdrawal of funds fraudulently. MaaS can be seen as the malware equivalent to the software-as-a-service business model. Rather than leasing out the services of a software package, malware authors rent out their malware with some others even providing technical support to their less than moral customers.

Researchers based at ESET, the well-known Slovakian security firm, have published an article detailing the emergence of a new spambot targeting those residing within the borders of France. A spambot is a malicious program designed to collect email addresses, once a list is created spam email is sent to those collected addresses. Most spambots will send malvertising with the intent to collect more information, sometimes credit card information, or redirect users to specific websites. What is of interest to researchers is that the campaign spreading the malware not only distributes a spam bot but has been leveraged to carry out in a sextortion campaign.
 
Varenyky, the name given to the malware by researchers, targets the users of Orange S.A., a French internet service provider. The first detections by ESET occurred in May 2019, these detections were subsequently verified by ANY.RUN with a twitter post on June 2019. The malware was named in July when researchers witnessed the first sextortion scam been launched. Researchers contend that,

State-sponsored actors have long known that hiding malware in images, a technique called steganography, is an effective way to distribute and infect users with malware. Steganography can be defined as the technique of hiding secret data within an ordinary, non-secret, file or message to avoid detection. The secret data is then extracted and sent to its target destination. This technique is often employed by including malware within the hidden text of an image, whether .jpg or other formats, the malware is often encrypted to prevent detection. Since the use of the technique was popularised by state-sponsored actors, hackers have since adopted the technique to further their goals.

Now, according to an article published by security firm Trend Micro, the LokiBot malware family has been upgraded to use steganography to infect victims. Steganography is used for legitimate purposes, such as assisting in protecting intellectual property, this is not the case for LokiBot. A recent analysis of LokiBot has revealed that the latest variant has been encrypted and hidden in .png image files. Further, malicious archive files were also detected in spam emails. The latest variant was detected when a phishing email was sent to a company in South East Asia. The mail contained a Microsoft Word .doc attachment containing two objects, a Microsoft Excel 97-2003 Worksheet and a package labeled “package.json.” A scan on VirusTotal uncovered other, similar samples containing very similar if not the same steganographic elements.

Often in the InfoSec community, a lot of attention is given to new and innovative malware variants and how they infect a user to turn them from daily user to victim. This has led to a view that most hackers and cybercriminals are incredibly tech-savvy and can code lines at a rate of hundreds per minute. Often, what has worked for confidence artists for years also works now in a digital age. In April of this year, this publication covering how sextortion scammers were changing tactics after their profits took a significant knock as victims were advised not to pay as the likelihood of the criminals having incriminating or embarrassing material was incredibly unlikely. Now the US Federal Bureau of Investigation warns of another scam which combines a romance scam with a money mule scam.
 
In a money mule scam people are often tricked into transferring money from an illegitimate source to either another illegitimate source or more commonly to a legitimate source in an attempt to launder the money. Money gained from ransomware campaigns, for example, needs to be laundered so it can be used more efficiently by criminal organizations. Previously to try and trick people, the scam would involve fake job or ad postings which prompted victims to transfer funds to fake businesses. The victim’s believed they were a legitimate partner in the business but landed up laundering money for a cybercriminal or other criminal enterprise. The other side of the coin is a romance scam, sometimes also called a confidence scam, which involves the criminals trawling dating and friendship sites. These often play out with the criminal befriending a man or women, in an attempt to gain their trust, once the victim's trust is gained the con begins with the other party asking for money to be sent over. This can be for a variety of supposed reasons whether flights, bail, or legal fees. Of course, the money is never used for this but pocketed by the criminal.

The business of protecting users, networks, and entire systems from hackers and state-sponsored threat groups has never been a stagnant industry or boring. New threats in the form of malware are expected but how to detect them and ultimately prevent them from causing havoc is not an easy task. Security researchers at Lockheed Martin 2011, developed a methodology to detect and neutralize cyber threats. The methodology was called the Cyber Kill Chain which involved several stages in dealing with cyber threats. The stages presented how a cyber-attack occurred and presented it as a chain of events. This chain was developed to help researchers and analysts understand the enemy. However, a lot has happened since 2011 and the Cyber Kill Chain may not accurately describe how a cyber-attack happens and how the attacker operates.

This opinion is shared by numerous researchers including Tom Kellermann, Chief Security Officer at Carbon Black and former cyber commissioner for President Obama, who recently published a paper titled “Cognitions of a Cybercriminal” which prevents a new theory to help researchers better combat cyber threats. His theory, which he terms “Cognitive Attack Loop”, looks to address the apparent failure of the Cyber Kill Method. The theory is an attempt to describe how real-world attacks, particularly those of state-sponsored groups, are carried out. Recent attacks illustrate that the old view of hackers looking to break in, steal, and exit as quickly as possible, like in a burglary, no longer applies.