Internet threat news

The year so far has been a punishing one for security firm Kaspersky. Continued clashes with US authorities has resulted in the company changes tactics and limit damage control. At a summit in Zurich, Switzerland, the embattled company held a conference on Tuesday, November 12, 2018, called Transparency Summit in a bid to convince the public they are a firm to be trusted. The summit highlighted the development of the company’s Global Transparency Initiative (GTI), announced in May of this year, which has resulted in the company moving operations from Moscow to Zurich with planned centers set for establishment across the globe. The summit also warned of the emergence of what Kaspersky calls “Tech Nationalism.” The summit and the transparency initiative have been the culmination of events that started with an article published in the Wall Street Journey in late 2017.

Malware designed to mine cryptocurrencies, more often Monero due to the platforms increased anonymity, are increasing in use and sophistication. The malware referred to as crypto miners, or crypto-jacking , use the infected victims CPU resources to mine for cryptocurrencies. The attackers rely on infecting as many devices as possible in order to turn some impressive profits. Researchers at TrendMicro have detected two new crypto miners with each targeting Linux and Windows users respectively. The latest miner to be discovered by researchers has been called KORKERDS. In a blog article published by TrendMicro discovered the strain mining cryptocurrencies on Linux computers. The interesting thing about KORKERDS is that unlike regular crypto miners, the malware employs a rootkit to assist in hiding itself. A rootkit is commonly seen as a program or collection of tools that give the attacker remote access to and control over a computer or other system. Rootkits are also used, as in the case KONKERDS, to prevent detection of the malware.

Artificial Intelligence, generally referred to simply as AI, has the potential to revolutionize numerous industries. It has the potential for making numerous forms of employment redundant, a much argued economic side effect impacting on those made redundant. At its best, it could drastically improve the lives on the planet. These assumptions look at AI what it can potentially do when there is no malice behind their actions. How then could AI change the nature of cyber threats? Before that question can be looked at it is wise to look at what AI currently is and how it is defined. There are a lot of misconceptions circulating the subject. Some prophesize the technology to be the end of the world while others see it as a technology to take humanity to the next step. Both Stephen Hawking and Elon Musk have previously voiced their concerns over the technology.

It has almost been a week since Apple unveiled the new MacBook Air in Brooklyn, New York, the reveal was important for another reason. Apple further revealed that all new notebooks that come with a built-in T2 security chip will now disconnect the built-in microphone at the hardware level when users close their devices' lids. This new feature can be seen as a security enhancement designed to prevent malware from secretly recording users. Secretly recording user conversations using the webcam, for example, has become a staple feature of many spyware and other malware variants over the last several years. While Apple doesn't like to talk about malware, recently there are quite a few browser hijackers (for example weknow.ac, nvsearch.club), potentially unwanted applications (for example advanced mac cleaner, mac cleanup pro) and adware (for example CoinTicker, MacOSDefender) targeting Mac OS operating system.

The group behind the Emotet trojan developing a reputation for deploying the malware as a banking trojan. Not content to be a one trick pony those behind the malware are continually developing the trojan. In the latest iteration of Emotet a module has been included that is capable of stealing a victim's emails for the previous six months. In previous versions, Emotet could be only capable of stealing email addresses. The new updates open up the possibility of data theft and corporate espionage for the cybercriminals. To further complicate matters the new capability can be deployed on any system that is already infected by the malware.

Hackers offering Malware-as-a-Service (Maas) is not a new trend by any means. Since the first detections of such schemes, their popularity has not seemed to dwindle of the years. This is in part because they allow those less technically minded, or too lazy to develop their own malware, with an option to make a quick buck, albeit an illegal one. MaaS can be defined as the hiring of software and hardware for carrying out cyber attacks. In a majority of instances, the owners of MaaS servers provide paid access to a botnet that distributes malware. Like their more legal cousins, clients of such services are offered a personal account through which to control the attack, as well as technical support.

Security researchers at Fortinet have published details on a recently discovered DDoS-for-hire service built with leaked code that offers easy and cheap access to sufficient power to knock down most targets. Distributed Denial of Service (DDoS) attacks is an attack in which multiple compromised devices attack a target simultaneously, such as a server, website, or other network resources, and cause a denial of service for users. DDoS businesses have been around for quite a while, with the sheer amount of mobile devices it is more common for these to be used to drive attacks.

Last week this publication published an article detailing the show of sympathy from the GandCrab ransomware developers to the people of Syria who had been infected. This show of sympathy took the form of the developers releasing the decryption keys for Syrians infected with GandCrab. On the face of it, the show of goodwill did appear as one. Unfortunately, while the keys were released there was now decryptor available to those infected with the ransomware. This meant that the keys were useless for most of the Syrians affected.

If you were of any other nationality you were truly out of luck as you had no decryption tool or key to help decrypt your encrypted files. That was the state of affairs till October 25. Announced via a Europol press release the law enforcement body stated that in a collaborative effort by Romanian police, with counterparts from Bulgaria, France, Hungary, Italy, Poland, the Netherlands, United Kingdom, United States and the security firm Bitdefender a decryption tool had been developed. Importantly the tool works on all but two versions of GandCrab (v 2 and 3). The release of this tool follows a week after the GandCrab developers made public decryption keys allowing only a limited pool of victims located in Syria to recover their files.

Security Researchers at FireEye have tracked the development of Triton to a research institute owned by the Russian government. In a report published on Tuesday 23 October, researchers claim that they have uncovered a strong link between the Triton malware and the Central Scientific Research Institute of Chemistry and Mechanics (CNIIHM), a technical research organization located in Moscow and owned by the Russian government. Triton, which has also been called Trisis and Hatman, was used in a campaign targeting Industrial Control Systems (ICS) in the Middle East. Industrial Control Systems are extensively used in industries such as chemical processing, paper manufacture, power generation, oil and gas processing, and telecommunications.

In a recent article published by Cisco Talos team, researchers have seen a Chinese linked cyber espionage group using the Datper Trojan. The group called Tick, who have also been called Redbaldknight and Bronze Butler in the past, have been launching espionage campaigns targeting those in Japan and South Korea for a number of years. In the campaign analyzed by the Talos team, the group also used compromised websites located in the two countries as command and control (C&C) servers.

Since 2016, Tick has developed a reputation for targeting Japan and South Korea by using custom tools for each separate campaign. Although custom tools are often used researchers have been able to uncover certain tactics employed on a near constant basis. Such tactics include similarities in the use of infrastructure and overlaps in hijacked C&C domains or the use of the same IP. Cisco researchers, knowing about the patterns, were able to determine similarities between the Datper, xxmm backdoor, and Emdivi malware families that the threat actor has used in attacks. The use of the xxmm backdoor and Emdivi malware has also been used in previous campaigns orchestrated by the group.

GandCrab Hackers show some Heart

Syria was at one stage known for being one of the birthplaces of human civilization. Recently the beleaguered nation is more known for the terrible civil war. As of April 2018, more than 465,000 Syrians have been killed in the fighting, over a million injured, and over 12 million, that being half the country's pre-war population, have been displaced. Many would feel that Syrians been targeted in hacking campaigns would be worse than a kick to the teeth, given the struggle for survival faced by many. Fortunately, some hackers feel the same. In a post to an underground hacking and cybercrime forum, the GandCrab developers have released the decryption keys for Syrian victims.

The developers of GandCrab seem to have responded to a tweet in which a Syrian victim asked for help after photos of his deceased children were encrypted. After seeing the tweet, the hackers announced via a forum that they have released the keys for all Syrian victims. They also mentioned that it was a mistake not to exclude Syria for the list of targeted countries.

The small island nation, known for its small population and giant-slaying football team, hardly ever makes the headlines in cybersecurity publications. That was until October 12, when cybersecurity news sites began publishing articles detailing how Iceland had just experienced its biggest attack yet. This is a stark contrast to reports from 2017 which stated that Iceland experienced no reported cases of the WannaCry attack in May of that year.

Fast forward to the present day where a phishing campaign took Iceland by surprise, sending out malicious emails to thousands of individuals, in an attempt to fool them into installing a powerful remote access tool. For many nations, a cyber attack affecting thousands can be seen a mere trifle. However, when you consider that the population of Iceland is approximately 350,000 people, thousands represent a significant percentage of the population.

Security experts often sound like the worst stuck record ever. “Update your software,” “update your hardware,” “update your operating system,” are said verbatim and on repeat constantly. The reason for all the repetition is that users to do not follow this simple advice. Updates are seen as an inconvenience rather than a security essential. If you are the owner of a MikroTik router it is most certainly time to patch your router. Security researchers on Twitter, including Kira 2.0, sounded the warning sirens showing that nearly 12,000 MikroTik routers are currently infected with various malware strains. Researchers began investigating further and it was discovered that a known vulnerability in the firmware of MikroTik routers is potentially far more dangerous than previously believed. The vulnerability in question, CVE-2018-14847, is present in the Winbox administration utility of MikroTik's RouterOS. According to research done by Tenable, the vulnerability allows remote attackers to bypass authentication and read arbitrary files by modifying a request to change one byte related to a Session ID.

On Thursday, October 4, 2018, Bloomberg published an article which claimed that Chinese spies were able to gain privileged access to just under 30 major US companies. This access was granted through the spies planting tiny microchips inside motherboards used for Supermicro servers that eventually made their way inside the IT infrastructures of the major companies which included Apple and Amazon. The report shocked the public and resulted in Supermicro’s stock value plummeting by nearly 50%.

Soon after the story was published the companies supposedly involved came out with statements that strongly denied the claims made in the article. Not only did the companies question the story but many leading thinkers within the InfoSec community cast doubts upon the article's claims.

Most hackers and threat actors are often content to copy the work of others. This means that most of the world’s cyber-attack campaigns are conducted using tried and tested tactics and already existing, if slightly modified, malware variants. When a new and original method of attack becomes apparent the InfoSec community most certainly takes note. Security researchers at ESET definitely have the community’s attention with their report on LoJax.

LoJax is possibly the first case of an attack leveraging the Unified Extensible Firmware Interface (UEFI) boot system being used in an attack by a threat actor. In summary, the malware uses repurposed commercial software to create a backdoor in a computer’s firmware. The campaign using the malware has been active since 2017 and it is capable of surviving the re-installation of the Windows operating system or even hard drive replacement. While the malware had been spotted previously, ESET’s research is the first to show that it was actively attacking the firmware of computers to establish a tenacious foothold. What’s more, ESET has attributed the spread of the malware to Sednit, also known as FancyBear, the Russian state-sponsored operation tied by US intelligence and law enforcement to the cyber-attack on the Democratic National Committee.