Internet threat news

NanoCore Proves Hard to Kill

Remote Access Trojans, or RATs, are a favored malware variant of hackers and other cybercriminals across the globe. Their uses are as varied and diverse as those deploying them illegally: they have been seen in everything from cyber espionage campaigns to financial fraud campaigns and are a staple tool in any hacker’s bag of tricks. Simply put, a RAT is a back door into a targeted system that gives the hacker administrative control over it. They are normally downloaded invisibly and predominantly spread via malicious emails.

Often when security researchers discuss an interesting aspect of a piece of malware, those infected will see it as more frustrating than interesting. NanoCore’s ability to remain on a system even once its processes are killed is such an aspect: interesting to some, frustrating to those affected. In a published report, researchers at Fortinet noted that a recently found sample of the NanoCore RAT is able to prevent users from killing its processes.

Ryuk and TrickBot Now Partners in Crime

The Ryuk ransomware, named after a character from the popular Death Note anime, has become known as targeted ransomware. Discovered in August 2018, it was seen being used by hackers who first scope out potential targets. Once a suitable target was found, access to the targeted computer was gained via Remote Desktop Services, followed by credential theft. This targeted approach allowed hackers to go after businesses and other high-profile targets in order to extort greater sums of money. Now new research suggests that the operators of Ryuk and the infamous TrickBot have partnered up to earn even more money from their illicit trade.

Ryuk made international headlines when it was linked to a ransomware attack which affected the newspaper distribution networks of large media houses including the Wall Street Journal, New York Times, and Los Angeles Times. It has been estimated that those behind Ryuk have already netted approximately 3.7 million USD. New research published by both FireEye and CrowdStrike shows that those behind Ryuk are looking to extort even more funds by partnering with the group behind TrickBot.

New Tool Bypasses 2FA

It is best practice to enable two-factor authentication, often simply referred to as 2FA, whenever one can. Beyond best practice, experts recommend enabling 2FA to avoid becoming a victim of the numerous phishing campaigns that stalk the Internet on a daily basis. Two events have recently arisen that may be the beginning of the end for 2FA, or at the very least the start of far more secure versions of it. The first is a penetration testing tool released by a Polish security researcher that is capable of bypassing 2FA in a phishing attack. The second is a research report released by Amnesty International which details how APT groups are able to bypass 2FA using phishing tactics. While developed by different interested parties, these developments may signal a significant erosion of trust in the widely trusted 2FA protocols.

Vidar and GandCrab Distributed in Same Campaign

With the recent spate of cyber-attacks utilizing two or more different malware variants or tactics, the smart money would have predicted the trend to continue into 2019. In a recently discovered campaign, the smart money appears to be right. Hackers are targeting victims with a two-pronged attack that secretly infiltrates systems with data-stealing malware before dropping ransomware onto the infected system. According to a report published by researchers at Malwarebytes, this new campaign employs the Vidar data stealer and the now infamous GandCrab ransomware.

Many of the world’s hackers see no need to reinvent the wheel, and those behind this campaign seem to fit the mold. The malware is distributed via the tried, tested, and approved method of a malvertising campaign. The hackers in this instance have been targeting high-traffic torrent and streaming sites in an attempt to lure victims into clicking on a risky link which redirects them to a site hosting the malicious payloads. Alongside the tried and tested malvertising techniques, the hackers again use a well-known method of delivery, the Fallout exploit kit. The exploit kit appears to have surfaced in August 2018, at a time when many researchers felt that exploit kits were going the way of the dinosaur. The kit uses a number of exploits which target Internet Explorer and Flash Player in order to get a foothold on the victim’s computer.

Hackers Earn 1.7 Million from Click2Gov Breach

The convenience of being able to pay bills, fines, and taxes online can be seen as far superior to standing in queues waiting for an open teller. This convenience should be balanced with security, since users are entering credit card details and other important personal information. Any security measures taken should be robust, but that may remain an ideal even if it seems logical. Click2Gov, a website which enables users to pay bills online, appears not to have taken security as seriously as it should have.

Click2Gov is used by many US states and cities to expedite the paying of utility bills and fines by residents. Developed by Central Square, formerly known as Superion, it was rumored in 2017 that the local government payment service may have been subject to a data breach. The rumors were confirmed in September 2018 when FireEye published an article detailing the breach. According to researchers, the hackers deployed a new, never-before-seen malware strain designed to scrape payment card details from US citizens.

US Ballistic Missile Systems Have Less than Stellar Cybersecurity

The US Department of Defense Inspector General (DOD IG) published a report detailing the cybersecurity status of the Ballistic Missile Defense System (BMDS). The results are far from good and can hardly put US taxpayers’ minds at ease. In summary, the report found no data encryption, no antivirus programs, no multifactor authentication mechanisms, and 28-year-old unpatched vulnerabilities, and these are just a few of the failings discovered. The authors of the report inspected five random locations where the Missile Defense Agency (MDA) had placed ballistic missiles that form part of the BMDS, a Department of Defense program developed to protect US territories by launching ballistic missiles to intercept enemy missiles.

The report concluded that “the Army, Navy, and MDA did not protect networks and systems that process, store, and transmit BMDS technical information.” This conclusion was drawn from several problematic areas, with multifactor authentication being the most problematic according to the Inspector General. According to MDA employment guidelines, any new MDA employee receives a username and password so they can access the BMDS network. As new employees are eased into their jobs, they later also receive a common access card (CAC), which is specifically designed to be used in conjunction with their password as a second authentication factor. Normal procedure states that all new MDA workers must use multifactor authentication within two weeks of being hired.

DarthMiner Strikes Mac Empire

Researchers at Malwarebytes have uncovered another piece of malware that undermines the perception that Macs are naturally secure and robust enough to defend against the dark side. What researchers discovered is malware targeting Mac systems that is fundamentally a combination of two open-source programs: the first a backdoor and the second a crypto miner. The malware has been named DarthMiner, and an infection will definitely turn your system away from the light side.

According to the article published by Malwarebytes, DarthMiner is distributed via a compromised application called Adobe Zii, which is marketed as an app that assists in the pirating of Adobe products. In reality the application does nothing of the sort, a fact hinted at by its use of a generic Automator applet icon; one would normally expect an app such as this to at least use a stolen Adobe Creative Cloud logo. If it is not an application to assist in piracy, what does it in fact do? The fake application was designed to run a shell script that downloads and executes a Python script, and then downloads and runs an app named sample.app, which appears to be a version of Adobe Zii, most likely to hide the malicious activity.

Sextortion Scam Now Includes Ransomware

Sextortion scams are known for being incredibly pervasive, using social engineering methods in an attempt to blackmail victims. These scams (for example "I am a spyware developer" or "I have bad news") often take the form of an email allegedly sent by a hacker which informs the victim that the hacker has compromised the victim’s computer and has managed to steal compromising information. This information, which may allegedly be of the victim watching pornography, is then threatened to be released within a set time frame if the hacker does not receive a payment, usually in cryptocurrency, before the deadline.

Security researchers at Proofpoint have discovered such a campaign which ultimately leads to a ransomware infection as well. Researchers published their findings in an article detailing a sextortion campaign that also included URLs linking to the AZORult stealer, which ultimately led to infection with GandCrab ransomware.

US States File Multistate Lawsuit in Response to Data Breach

Most countries have some form of legislation detailing how corporations, state departments, and in certain instances private individuals must make cybersecurity a priority. These pieces of legislation more often than not specify how data and networks are to be protected and, if this is not done according to the legislation, how the powers that be can punish those found to be negligent. This punishment is often meted out in the form of massive fines, which can easily hit the hundreds of millions mark. For the first time in United States legal history, twelve states have jointly filed a lawsuit in a data breach case. The twelve states have filed the lawsuit under the Health Insurance Portability and Accountability Act (HIPAA) in response to a data breach which occurred in 2015. HIPAA is a piece of legislation enacted in the US that provides data privacy and security provisions for safeguarding medical information. The law has risen to greater prominence in recent years with the proliferation of health data breaches caused by cyber attacks and ransomware attacks on health insurers and providers. Compliance with the law is seen as non-negotiable by legislators and the relevant enforcement bodies.

Ransomware Payments May Violate US Sanctions

Law enforcement agencies and security firms the world over constantly advise victims of ransomware not to make payment. Despite this well-meaning advice, payments are still made. It is estimated that the authors of the SamSam ransomware netted nearly 6 million USD. If you made a payment to the crew behind SamSam you will want to read further, as the payment may violate US sanctions. Towards the end of November 2018, the American Department of Justice (DoJ) announced the department’s first ever indictment against criminal actors for deploying a for-profit ransomware, hacking, and extortion scheme. According to the indictment, Faramarz Shahi Savandi and Mohammad Mehdi Shah Mansouri, both operating in Iran, authored and deployed the SamSam ransomware. The subsequent attacks encrypted files on computers belonging to US hospitals, schools, companies, government agencies, and other entities.

AutoCAD Malware Used in Espionage Campaign

Malware leveraging AutoCAD is not a new phenomenon; however, while not new, it is rare when compared to other malware infections. Researchers at Forcepoint have discovered a unique AutoCAD malware strain being used by a cyber-espionage group. For those who have never come across AutoCAD, the CAD stands for Computer Assisted Design, and the software has played a vital role over the past decades in building our technology-driven society, helping structures and engineering reach new levels of complexity. Designing a building such as the Burj Khalifa by hand would be difficult if not impossible, hence AutoCAD has come to be a crucial piece of software for engineering firms across the globe.

According to the report published by the firm, the campaign appears to have been active since 2014, based on telemetry data the company has analyzed. Further, Forcepoint believes the group behind this recent campaign is most likely very sophisticated and primarily interested in industrial espionage, due to its focus on a niche infection vector like AutoCAD, a very expensive piece of software utilized mainly by engineers and designers.

Linux Cryptominer Disables Antivirus

It seems like nearly every week, sometimes every few days, security researchers discover a new crypto miner. The latest discovery is not only a crypto miner but also installs a rootkit and another strain of malware that can execute DDoS attacks. Malware targeting Linux users is not as common an occurrence as Windows-based malware strains, but as time goes by Linux strains appear to become far more complex and multi-functional. Security researchers at Dr.Web, a Russian-based security firm, discovered the malware, which as yet has not been named. As it stands, the malware is referred to by its generic detection name, Linux.BtcMine.174.

Calling the malware merely a crypto miner is incorrect. It is probably best described as a trojan given its multi-faceted nature. The trojan can be seen as a good example of the evolution currently seen in Linux malware, as despite its generic name it is more complex than the majority of Linux malware strains detected. The trojan itself is a giant shell script of over 1,000 lines of code. This script is the first file executed on an infected Linux system. The first thing the script does is find a folder on disk to which it has write permissions, so it can copy itself there and later use that location to download other modules.

Beware Black Friday

The day after Thanksgiving in the United States has become known as Black Friday and has come to be defined by mad shopping for discounted products. The term may have originated in Philadelphia in the 1960s, where it was used to describe the heavy and disruptive pedestrian and vehicle traffic that would occur on the day after Thanksgiving. Now it is defined by stampedes at retail shops like Target and Best Buy plastered across the news. But it is not only at brick-and-mortar stores that consumers can get hurt. Online shopping on Black Friday can be equally dangerous to consumers, or more accurately to their bank balances.

The dangers posed to consumers are those normally faced when purchasing online, only given the sheer increase in traffic cybercriminals have a greater chance of catching consumers out. The prime tool used to steal information from consumers is the banking trojan. A banking trojan can be defined as a piece of malware designed to obtain financial information or compromise users through a banking or financial system, commonly through an online banking or brokerage interface. They can work in a variety of ways, either by seeding code into bank websites or by intercepting passwords or other information through the use of keyloggers.

Hades Has Some New Toys

The group behind the malware dubbed Olympic Destroyer, which plagued the Korean Winter Olympics at the start of the year, seems to have upgraded its arsenal. Researchers at Check Point believe the group is in the process of an evolutionary shift in terms of tactics and execution. Over the past few weeks researchers have witnessed new activity by the group, known as Hades. By analyzing samples previously observed by other researchers alongside the newly discovered samples, researchers have attempted to create a more up-to-date summary of the group’s tactics. For advanced persistent threat (APT) groups a month is a long time, and more than enough time to change tactics. It has been approximately nine months since Olympic Destroyer made international headlines.

The incident in question occurred just before the opening ceremony of the Winter Olympics hosted by South Korea. The attack caused the official games website to go dark. In addition, television sets and Internet-related systems at the games were also disrupted for roughly 12 hours. The attack was dubbed Olympic Destroyer, with many believing it was a result of the banning of Russia and its athletes from competing in the games under the Russian flag. The decision to ban Russia was a result of the country’s involvement in a state-sponsored doping campaign. For many within the InfoSec community, the Olympic Destroyer attack was retaliation for the banning decision.

Page 33 of 55