Internet threat news

Continuing the trend with government and law enforcement been targeted by ransomware operators, news broke that the Georgia Department of Public Safety (DPS) has been struck by a ransomware infection. According to Fox News 5, the infection began on Friday, July 26. The infection was discovered when an officer spotted a strange message on a “field laptop”. According to other news sources the infection spread to the entire DPS system effectively crippling some operations. In response, the agency shut down all its IT systems, such as email servers, public website, and backend servers, to contain the infection.

Efforts to contain the infection resulted in the outage police car laptops for three police departments. Those departments included the Georgia State Patrol, Georgia Capitol Police, and the Georgia Motor Carrier Compliance Division. While the effects of the ransomware were felt across departments t did not severely impede the three departments' ability to do their work. With officers treating the outage as if it was planned maintenance or another reason for system downtime. This was not the first time a department of the Georgian government has experienced a cyber incident in recent memory, the Georgia Emergency Management Agency (GEMA) and the Lawrenceville Police department were also hit by ransomware earlier in the month.

An online group of anonymous cybersecurity researchers called Intrusion Truth has revealed who exactly is behind the advanced persistent threat APT group codenamed APT 17, or often also referred to as Deputy Dog or Axiom. The group has been linked to numerous hacks on private companies and government agencies this decade. In 2017, this publication published an article detailing how the popular drive cleaner CCleaner and its software download service was compromised to download and install the Floxif malware. Researchers at Cisco Talos attributed the attack to APT 17 and also discovered that numerous private companies were also targeted in the same campaign including security firms.

This will be the third Chinese cyber espionage group unmasked by Intrusion Truth, with earlier investigations resulting in the US Department of Justice indicting members from both APT 3 and APT 10. The anonymous crusaders have developed a reputation for uncovering who exactly is behind some of the more infamous cyberespionage groups. Intrusion Truth uses a technique, called doxing, to help uncover the identities of those behind APT groups. Doxing has come to mean the process by which hackers, or in this case security researchers, retrieve and publish personal details of their targets. Information can include but is certainly not limited to, names, addresses, phone numbers, and credit card details. Often in malicious cases of doxing the main aim of the hacker is coercion, however, in this instance, it could be argued that the doxing is done to increase pressure on the APT group or result in charges been laid against individuals.

Good news when it comes to matters concerning cybersecurity is in the vast minority when compared to data breaches, ransomware infections, state-sponsored attacks, and the like. Often vast amounts of money are stolen, defrauded, and extorted from victims and with such a torrent of threats and information about new threats individuals can often be left feeling helpless. The reality is there exist partnerships that spread across the globe that do their utmost to combat the scourge of cybercrime. One of those partnerships is No More Ransom, a partnership between law enforcement and private institutions to combat and disrupt ransomware operations.

The partnership was initially created by three founding partners in July 2016, those organizations being Europol, Politie, and McAfee. The partnership has since grown to include more than 150 partners. Today (link to press release when officially released), July 26, 2019, marks the partnerships third anniversary. Over those three years, No More Ransom has racked up some significant milestones along the way. The industry often measures the success of a particular ransomware strain by the amount of money it has made. No More Ransom can be seen as the complete opposite. At the time of writing the partnership had helped more than 200,000 victims successfully recover encrypted files. The site has been visited over 3 million times with visitors from 188 countries. Perhaps most significantly the partnership has prevented an estimated 108 million USD in profit from reaching the pockets of cybercriminals. No More Ransom has come to be an important resource in the fight against ransomware for individuals and organisations.

According to BBC Russia, a contractor believed to work with the FSB, Russia’s intelligence service, was hacked on July 15, 2019. A group of hackers named 0v1ru$ hacked into SyTech's Active Directory server from where they gained access to the company's entire IT network, including a JIRA instance. This access enabled the hackers to steal 7.5TB of data, which included information concerning projects worked on by the contractor for the intelligence agency. Forbes, who has also been covering the incident, believe that this incident may be the largest suffered by and impacting the FSB.

To add insult to injury the hacking group left a “Yoba Face” on the contractor's homepage, the face been mainly interpreted as an emoticon for trolling. 0v1ru$ then passed on the data to another, larger, hacking group DigitalRevolution who subsequently shared the files with various media outlets and the headlines with Twitter. DigitalRevolution made headlines in 2018 when they successfully breached Quantum another Russian contractor. While announcing the hack on Twitter the larger of the two groups then shared the stolen files with journalists. While there is conflicting information about the exact nature of the leaked information, BBC Russia stated that no state secrets where leaked.

Currently, owners of routers within the borders of Brazil are experiencing a sustained attack on their home routers. For nearly a year now routers based in Brazil have been targeted with a new type of router attack, which according to researchers at multiple security firms has not been seen anywhere else in the world. If the attack spreads to routers in other countries this will mean Brazil is ground zero for this new kind of attack and a single Brazilian router may hold the infamous and unwanted title of patient zero. Often routers are targeted for the creation of botnets, such as Mirai or other DNS (Domain Name Server) attacks. This latest attack shares many similar traits with other DNS attacks but differs in some significant ways. A DNS attack can be defined as an attack which looks to take advantage of certain vulnerabilities arising from the DNS system. These include DNS spoofing or Cache Poisoning, when the attacker corrupts a DSN server by replacing a legitimate IP address in the server’s cache with that of another, rogue address in order to redirect traffic to a malicious website, collect information or initiate another attack; and Denial of Service attacks which involve an attack in which a malicious bot sends send more traffic to a targeted IP address than what it was designed to handle resulting in downtime.

A new week, a new ransomware variant seems to be an ongoing trend in the digital realm. This week continues the trend with news emerging of the discovery of a new ransomware variant, called DoppelPaymer. The new ransomware has been seen to be infecting victims since mid-June with the ransom asked sometimes topping hundreds of thousands of USD. According at security firm CrowdStrike the ransomware has seen at least eight variants which have extended the malware’s capabilities with each successive variant, the first of these dates back to April of this year.

DoppelPaymer takes its name from another ransomware BitPaymer, from which the early copies much of the latter’s code. Despite the similarities in the source code between the two pieces of malware, there are significant differences between the two. CrowdStrike noted that,

“There are obvious similarities between the tactics, techniques, and procedures (TTPs) used by DoppelPaymer and prior TTPs of BitPaymer, such as the use of TOR for ransom payment and the .locked extension. However, the code overlaps suggest that DoppelPaymer is a more recent fork of the latest version of BitPaymer. For example, in the latest version of BitPaymer, the code for RC4 string obfuscation reverses the bytes prior to encryption, and includes a helper function that provides support for multiple forms of symmetric encryption (i.e., RC4, 128-bit AES, and 256-bit AES)…”

A new Android malware has been discovered. What makes this piece of malicious code interesting is its capability to replace legitimate apps with ad infested ones on the victim’s device. The malware, called Agent Smith by security firm Check Point, has infected over 25 million devices. The malware version of Agent Smith is far more dangerous to the everyday user then the fictional character from the Matrix films. The vast majority of these being on the Asian sub-continent with the vast majority of infections been detected in India with 15.2 million infections. Both Pakistan and Bangladesh have also experienced large numbers of infections, with those being 2.5 million and 1.7 million respectively. It has also been revealed that victims can remain infected for an average of two months.

In an article recently published by security firm Check Point, details of the malware have been released to the public along with a technical analysis of the malware. According to researchers, the malware was discovered earlier this year. Since its discovery researchers have tracked down the location of the malware’s operators, with their location being the city of Guangzhou, China. The operators appear to have set up a legitimate company as a front for distributing and profiting from Agent Smith. The legitimate company advertises itself as a business that helps Chinese Android app developers publish and promote their apps on overseas platforms. However, Check Point discovered that the company was posting ads for job positions that would be consistent with the requirements of operating Agent Smith and its associated infrastructure. Further, these positions would have very little to do with the job requirements needed for the legitimate side of the company.

Depending on what circles you associate yourself with the name Astaroth has different meanings. From a character in the popular game Soulcalibur to a Great Duke of Hell according to Christian demonology. The InfoSec has its own identity placed on the name, that being an info-stealing Trojan. In a new campaign, the Microsoft Security Team warns, Asteroth is being distributed in a new campaign using “living off the land” techniques to avoid detection by anti-virus software packages. “Living off the land” tactics involve the attacker exploiting legitimate operating system tools to execute pieces of code, which are not written to disk but reside in memory, which means that the tactic also employs fileless malware execution, meaning a user does not need to actively download the malware in the form by clicking on a malicious link or attachment. Another factor which makes “living off the land” tactics a considerable threat to face is that the system tools exploited are often tools admins use for monitoring systems so they are whitelisted meaning that detection is further hampered as now researchers have to look at tools originally deemed safe.

With the malware developers behind GandCrab supposedly retiring something had to fill the void left in the market created by their departure. It would seem a contender has stepped up to the plate and that contenders name is Sodinokibi, also referred to as Sodin or REvil. This new ransomware has been on researchers’ radars since the beginning of 2019 but a comprehensive analysis of the ransomware has proven difficult given that the operators continually change tactics which only leave morsels of information with which to go on.

Researcher’s at Kaspersky Labs have discovered a new campaign seen distributing Sodinokibi, called Sodin by the security firm, which exploits a Windows zero-day vulnerability rather than the tried and tested distribution methods such as spam email campaigns prompting users to download the malicious program. In an article published by Orkhan Mamedov, Artur Pakulov, and Fedor Sinitsyn it was noticed that the malware has been distributed via CVE-2018-8453 Windows zero-day in a campaign which is geographically focused in Asia, targeting Hong Kong, South Korea, and Taiwan. The vulnerability when exploited allows for the escalation of privileges when the Win32k component fails to properly handle objects in memory. The flaw has already received a patch which was released in October 2018. Previously the vulnerability was seen exploited by a state-sponsored hacking group called FruityArmor. In that instance, it was used to distribute a payload designed to remain undetected and persistent on a target’s machine which further allowed the attacker persistent access to the machine.

According to a blog article published by security researcher’s based at Cisco Talos, a new malware loader has been seen in the wild specifically designed to hide in plain sight and allow the payload to evade detection by anti-malware solutions by injecting into the memory of compromised computers before the payload is dropped. This discovery represents the danger posed by hackers who create custom loaders to deliver a wide range of malware strains to suit their purposes. The loader is known to exploit the infamous “Heaven’s Gate” technique to avoid detection.

The Heaven’s Gate technique was first seen in 2009 allows 32-bit malware running on 64-bit systems to hide API calls by switching to a 64-bit environment. This effectively helps the loader evade detection as many anti-virus products struggle to detect such techniques. To further evade detection the loader further hides the payload within the packed and obfuscated loader which will unpack it and inject it a legitimate RegAsm.exe process using the process-hollowing technique. Process-hollowing involves the creating of a process on a machine which runs in a suspended state, which means it is not mapped on the machine’s memory further making it difficult for anti-virus packages to detect something is wrong. The technique is similar to process injection, in that execution of the malicious code is masked under a legitimate process to evade detection. In this instance the RegAsm.exe will be created by the malware loader in a suspended state and, subsequently, its memory will be unmapped and replaced with the malicious payload. This means that the payload is never written to the compromised machine's disk making it that much harder for the computer's defences to react to the intrusion.

Researchers at Malwarebytes have discovered a new and large malvertising campaign which targets users of the popular YouTube to MP3 conversion website Onlinevideoconverter. According to SimilarWeb the conversion website is visited by over 200 million users a month, making it clear why it has been targeted by hackers distributing malware via a malvertising campaign. Such campaigns had fallen out of favor in recent months according to researchers at Malwarebytes with detections of such campaigns steadily decreasing. The latest campaign is a clear indication that the tactic is still a viable one for hackers to use.

Malvertising involves the malicious use of advertising to spread malware. One of the main methods in distributing malware this way is by hiding and then subsequently executing malicious code within relatively safe online advertisements. These ads can lead a victim to unreliable content or directly infect a victim's computer with malware, which may damage a system, access sensitive information or even control the computer through remote access. Malvertising is often used in conjunction with what has been termed by researchers as drive-by downloads and can be defined as the unintentional downloading of malware without the need for the user to click on a download link. The malware can be downloaded merely by clicking on an ad which is deemed safe by the user.

EA, undoubtedly one of the world’s major players in the games industry in terms of both releases and sales, is not immune to security issues, like with any company reliant on the Internet. The company has a reputation for generating bad press, whether from business practices or unfulfilled promises relating to games. However, when a company in conjunction with security firms finds and fixes a security flaw that would potentially affect millions of customers negatively a certain amount of positive acknowledgment should be given. In this instance, the flaws which were discovered by security firms Check Point and CyberInt consisted of a chain of vulnerabilities which if exploited, could result in the attacker taking over millions of user accounts.

In both a blog post and a press release, researchers detail exactly the flaw and the possible ramifications if exploited. The chain of vulnerabilities discovered by the researchers exploits EA Games' use of authentication tokens in conjunction with the oAuth Single Sign-On (SSO) and trust authentication mechanism that is built into the login process. When exploited a threat actor would be able to hijack a player’s session resulting in compromise and at worst complete account takeover. Further, if exploited correctly a complete account takeover would give the threat actor access to a wealth of information including credit card details. These details could then be used to fraudulently by in-game currency on behalf of the compromised user which could be used by the threat actor. Most worryingly, if the flaw was exploited in the wild before it was patched would require no information been handed over to the threat actor by the user.

We have followed the exploits of the GandCrab operators with keen interest on this platform. We covered how Bitdefender and Europol worked together to develop and release a decryptor for GandCrab versions 1 (GDCB extension), 4 (KRAB extension), and 5 (random 10-character extension), however, none existed for version 5.2. We also covered how the operators of GandCrab were offering their ransomware as a service which resulted in the ransomware seen to be distributed via a sextortion scam. Well, we have seen a mix of good news and bad news in combatting the ransomware, today's latest news is will definitely be considered good by the general public. On June 17, Bogdan Botezatu, a security researcher with Bitdefender announced via Twitter that a decryptor for v5.2 had been released as a free tool to the public and could be used by any victim suffering from such an infection.

The healthcare sector has come under increasing fire over recent years. This fire was caused by numerous cybersecurity incidents, from breaches to malware infections affecting critical service delivery. Now the US Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) has issued an alert warning that files using the Digital Imaging and Communications in Medicine (DICOM) standard can be abused to hide malware. The DICOM standard is used in virtually all hospitals around the world, including by imaging equipment (CT, MR, ultrasound), imaging information systems (HIS, RIS, PACS), and peripheral equipment (workstations and 3D printers). The vulnerability in DICOM type files was discovered by Cylera’s Markel Picado Ortiz, who has described the flaw as a “fundamental design flaw.”

According to the NCCIC successful exploitation of this design flaw, which has been publically announced and has been given a CVE designation of CVE-2019-11687, could allow an attacker to embed executable code into image files used by medical imaging devices. Further, malicious code embedded within such image files which results in a Windows executable will not interfere with the readability and functionality of the DICOM imagery. This could potentially make the detection of malware harder and promote malware persistence on infected devices.