Internet threat news

While Christians over the globe were celebrating the Easter weekend, news of three separate data breaches surfaced. On Saturday, 20 April 2019, a popular health and fitness platform Bodybuliding.com alerted its customers of a security breach detected during February 2019 which was the direct result of a phishing email received back in July 2018. Bodybuilding.com is the world's largest fitness website, with a community of over 1,000,000 BodySpace members and more than 17,000,000 forum members, as well as over 32,000,000 orders shipped all over the world since its online shop was opened for business. Along with the announcement two separate health care companies also suffered data breaches. With regards to the health care companies, one company illustrated how an organization should deal with a breach and another the wrong way.

Returning to the Bodybuilding.com data breach, the company announced that the breach may have affected certain customer information and after investigating the incident with the help of “external forensic consultants that specialize in cyber-attacks,” Bodybuilding.com says that it “could not rule out that personal information may have been accessed.” The company further confirmed that no full debit or credit card numbers could be accessed and stolen as the company only stored the last four digits and only for customers who opted to have their cards stored with their account information. Further, no social security numbers were compromised. As a precaution the company has reset all user passwords, meaning that users would have reset their passwords when logging onto the platform again.

Combatting malware infections is often a hard and thankless task made increasingly difficult by hackers. This task is made harder when attackers change tactics. When the costs associated with infections, such as data recovery, increase more stress is placed on organizations and those that defend the organizations. The latest report by Coveware shows that ransom amounts demanded in ransomware incidents has risen approximately 90%. Not only will departments responsible for cybersecurity curse the news but financial managers as well.

Coveware's Ransomware Marketplace Report involved analysis of recent ransomware cases the security firm has investigated. Figures from the investigation showed that the average ransom organizations paid per incident during the first quarter of this year stands at 12,762 USD, compared to 6,733 USD in the final quarter of 2018. This shows that the ransom cost associated with ransomware infections has almost doubled. According to Coveware, this increase can be accredited to the emergence of more expensive and more hands-on forms of ransomware like Ryuk, Bitpaymer and Dharma. These new hands-on, termed hands-on as the attackers actively target victims, ransomware variants no longer use the spray and pray technique of sending out massed spam emails but are far more targeted in approach. This approach has placed companies and organizations in their crosshairs in order to try to extort a much larger ransom.

In December 2019 this publication covered the emergence of sextortion scammers using ransomware in a bid to increase illicit earnings. It would appear that yet again such scammers are feeling the pinch and changes tactics once more in order to make money. The scammers behind the “Aaron Smith” scam, named after the email address used to send out the scam emails, made nearly 150,000 USD in Bitcoin in the period between August 30 and October 15. These profits have taken a remarkable knock, with the operators making only 17,000 USD in the first quarter of 2019.

In an effort to prevent this downward slide from continuing the scammers have changed tactics in order to prevent spam filters from stopping their emails of reaching their potential victims. According to researchers at Cisco Talos in a recently published article, revealed how the scammers adopted a relatively simple technique in an attempt to bypass spam filters. In the email example provided in the article, one would not be able to see that the message hides something behind the normal text. On deeper analysis, the message reveals a more complex underlying code that mixes plain text letters with HTML character entities. The recipient sees only the rendering of the email client. It is when the email is viewed in such a way the technique employed by the scammers is revealed.

From recently published research by FireEye indicates that the hackers behind the Triton malware are active once more. The group rose to the public’s attention in 2017 when the malware was used to target a petrochemical plant in Saudi Arabia. In this instance, according to research conducted by Symantec, it is believed that the attack was meant to cause physical damage at the industrial site. The attack was close to causing severe damage at the facility, but Triton's activities inadvertently closed down the plant due to its manipulation of SIS systems which caused them to enter a failed safe state.

Triton, sometimes of referred to as Trisis was specifically engineered to target a specific type of industrial control system (ICS), namely Triconex safety instrumented systems (SIS) controllers developed by Schneider Electric. The malware is named after the specific safety instrumented system it targets. Triton is unusual in the sense that it hones on processes with the aim to shut them down, resulting in the tampering with safety systems which could result in damage been caused to industrial systems resulting damage to machinery. Malware designed for such a purpose is relatively rare and forms only a handful of the threats faced on the current landscape. Previously seen examples include Stuxnet and Industroyer with the latter being a highly customizable piece of malware which can be equipped to better suit the attacker’s needs. Stuxnet was seen targeting nuclear power stations while Industroyer was seen targeting more conventional power stations.

In the middle of March 2019, we covered the emergence of a new POS malware, DMSniff. The article further highlighted the threat posed SMBs and retailers posed by malware specifically designed to scrap card details from POS machines when a card is swiped. Central to this threat is one group FIN6 and their use of the Trinity to steal and later sell card details on hacker forums which roped them in millions upon millions of dollars. According to a report published by security firm FireEye, FIN6 are now deploying ransomware in where it cannot infect the target with its created POS malware.

FIN6 has been linked to numerous attacks netting in millions of dollars. Researchers at FireEye describes the group and its tactics as,

Security firm TrendMicro has discovered a new variant of the XLoader trojan is targeting Android devices by posing as a security app. Mac users are not out of the woods either as the trojan also attempts to infect iPhones and iPads through a malicious iOS profile. Previously researchers have seen Xloader posing as both Facebook and Chrome. This latest variant includes a new deployment technique and modifications to the source code.

The malware is also hosted on fake websites that mimic legitimate domains, this is done in an attempt to trick users into downloading what they believe is a legitimate and necessary security product. Researchers also found that links to the malicious websites are sent to potential victims using SMiShing, short for SMS phishing.

Hackers and cybercriminals are just as susceptible to trends to the millions upon millions of social media users. In the case of hackers, a trend is often determined by ease of use and chances of securing an easy payday rather than what the latest celebrities are promoting. More often than not security firms publish findings on the drastic increase in one type of malware or the other. In a turn of events, Kaspersky Labs published findings of how one method of distributing malware is finding less favor among hackers.

According to an article published by security firm Kaspersky, the Taiwanese tech giant ASUS is believed to have pushed the malware to hundreds of thousands of customers through its trusted automatic software update tool. This was a result of hackers compromising the company’s server and used it to push the malware to machines. The company appears to be the unwitting participant in the whole affair and the malicious file used a legitimate ASUS digital certificates to make it appear to be an authentic software update from the company. The attack by the attackers can be regarded as a textbook supply chain attack.

A supply chain attack can be defined as when a malicious actor injects malicious code into the source code of a software product without the software company been aware of the initial malicious injection. There have been many examples of these attacks through the years but perhaps one of the most infamous in recent memory was the NotPetya attacks which occurred in 2017. Hackers are drawn to this attack method as it has multiple advantages. One of the biggest advantages is the difficulty of detection as the attack requires the hacker to create a backdoor to legitimate, certified software as companies will use their security team to prevent attacks from outside the company and not during software development. Further, companies are hesitant to report such attacks to authorities as they are scared of the reputational damage that is bound to occur.

Right on the end of May 2017, we published an article detailing how researchers had discovered over 8,600 vulnerabilities in pacemakers. These vulnerabilities were found across four producers of several products defined as pacemakers and some were discovered in radio controlled devices. On March 21, 2019, the US Food and Drug Administration, known as the FDA, for short, issued a warning over a critical flaw affecting scores of Medtronic heart defibrillators that allows a nearby attacker to change the settings of a patient's cardiac device by manipulating radio communications between it and control devices. This alert further highlights the cybersecurity difficulties experienced by the community and globe regarding internet of things (IoT) devices. It is important to note that Medtronic pacemakers are not affected by the recent vulnerability discovery.

On March 19, 2019, Norwegian aluminum production giant Hydro announced that it had suffered a cyber-attack. Further, the company announced that it was a ransomware infection that affected the entire company. This can be seen as a major cybersecurity event as, since the start of 2019, there have not been major ransomware incidents that targeted companies which led to the company having to shut down operations to any degree. This attack also further illustrates how hackers using ransomware have changed tactics targeting government organizations and large companies. Earlier in March Jackson County in the US has hit by a ransomware attack which shut down local government websites, however, the potential cost of the Hydro incident will pale in comparison when loss of earnings and other factors are considered.

Recently published research shows that the infamous Mirai botnet has been upgraded to attack to new classes of Internet of Things (IoT) devices, those been smart signage TVs and wireless presentation systems. This at first glance does not appear to be a major revelation, what is worrying is how the authors of Mirai appear to have spent a lot of time and effort into these upgrades. The upgrades center around the inclusion of new exploits which have been added to older versions of the botnet. With the rise of IoT devices so did the rise of botnets, a malware type which can be defined as a collection of internet-connected devices, which may include PCs, servers, mobile devices, and importantly for Mirai’s case internet of things devices that are infected and controlled by the malware. This creates a network which can be used by a malicious actor to send email spam, engage in click fraud campaigns, and generate malicious traffic for distributed denial-of-service (DDoS) attacks.

Waking up to a notification from your bank saying that you spent a lot of money on some online purchase from a company in a country you’ve never thought of visiting is a horrible way to wake up. Cybercriminals have a unique ability to ruin days, even those of people careful with their credit cards. You make sure when you swipe your bank cards you are present or even swipe yourself to combat card skimming fraud and protect your details. What then if the POS (point of sale) device has been compromised with malware designed to steal your credit card details unbeknownst to you and the retailer?

In research published by Flashpoint, this is a reality facing both customers and small to medium businesses (SMBs). Malware called DMSniff is actively been used to target restaurants, cinemas, and other retailers in the entertainment and hospitality industries. The malware is believed to be active since 2016 has managed to fly under the radar until now, having been uncovered with the key targets of campaigns been small and medium-sized companies which rely heavily on card transactions, such as the food, hospitality and entertainment industries. This is not the first malware researchers have seen targeting POS machines bur DMSniff includes a unique feature designed to continually send stolen details even if the command and control (C&C) server operated by the cybercriminals has been shut down.

It was a commonly held belief that hackers using ransomware would only go after private individuals. When WannaCry struck this belief was well and truly shattered. Increasingly hacker groups are seeing the value of attacking government organizations, hospitals, and companies. One of the reasons for this is that, particularly in the case of government departments and organizations, the systems are large, sometimes complex, and often using software that is no longer supported by the manufacturers. Jackson County, a rural area in Georgia, USA, has experienced this the hard way after suffering a ransomware attack, of which, they paid the hackers 400,00 USD for the decryption key just to have access to critical infrastructure.

On March 1 news reports began surfacing that Jackson County had suffered a ransomware attack which affected the county’s internal networks. According to Jackson County’s website, a civic alert notified the public that most of their systems were offline. Fortunately for emergency operators the systems assisting the 911, emergency services were unaffected by the attack. In an interview with StatesScoop Sheriff, Janis Mangum stated,

Towards the end of July 2018, it was reported that SingHealth, a medical services provider in Singapore, suffered a major data breach where approximately 1.5 million patients had their records exposed. At the time AFP that the initial analysis was done by Singapore's Cyber Security Agency and that the attack indicated “a deliberate, targeted, and well-planned cyber-attack and not the work of casual hackers or criminal gangs,” No one was directly attributed to the attack and officials declined to comment on whom they believed to be responsible. However, one of the victims of the breach was Prime Minister Lee Hsien Loong illustrating that nobody is immune to being targeted by a sufficiently motivated hacker group.

At the time of the data breach, authorities and security firms were hesitant to attribute the attack to a particular group or individual, and perhaps rightly so as hasty conclusions regarding attributing the attack could lead numerous headaches. While no group was directly named it was believed state actors may have been responsible given the nature of the breach. That did not mean that authorities and security firms were resigned to not prove who was behind the attack. According to a report published by Symantec, the attack can be attributed to a group codenamed Whitefly. IN the past the group has attacked organizations in healthcare, media, telecommunications, and engineering, and is likely part of a larger operation targeting other nations. The report which was published on Wednesday, March 6, 2019, details how the previously unknown group was determined to be Whitefly. The group appears to have been operating since 2017 and primarily targeted organizations in Singapore. The group appears to be focussed on stealing massive amounts of data including large volumes of sensitive data.