Internet threat news

On September 28, 2018, Facebook announced that it had suffered a major security breach. The social media giant simultaneously announced that 50 million user accounts were accessed by unknown attackers. The discovery was made by Facebook engineers on the previous Tuesday and that the attackers managed to seize control of the affected accounts. Since the announcement, Facebook has logged out the 50 million breached users and a further 40 million vulnerable accounts to prevent further exploitation of user accounts by the unknown attacks. It is generally seen by many that Facebook has had a torrid time of late this year, this major security incident may be the icing on the cake.

According to Facebook, the attackers managed to seize control of user accounts by exploiting three distinct bugs in Facebook's code. These bugs allowed the attackers to steal the digital keys the company uses to keep users logged in. As it was the digital keys that were stolen users are not required to change their passwords with Facebook having to reset the keys for all those affected. In a call to reporters CEO Mark Zuckerberg, whose own account was compromised, said that attackers would have had the ability to view private messages or post on someone's account, but there's no evidence that this occurred.

Recent reports across multiple platforms would indicate that hackers are still able to exploit the Google Play Store to upload malware with the intention of infecting Android devices. This is by no means a new phenomenon but hackers prove again that they are a resourceful bunch. No matter what countermeasures are employed a resourceful hacker will find a way to exploit the situation. In three separate instances, threat actors have looked to distribute malware using the Play Store. On September 24, security researchers at SophosLabs published an article explaining that at least 25 Android apps on the official Google Play store contain code that mines cryptocurrencies in the background. It is important to note that these apps do not inform users of the mining or in the majority of circumstances offer the user no opt-out option.

A recently discovered malware strain can be seen as a Swiss Army knife. Not only can it function as ransomware it can also log and steal their keystrokes and add infected computers to a spam-sending botnet. Multi-tasking malware is by no means a new phenomenon, malware authors will look to add new components and functions to existing malware strains in an attempt to make them more versatile. While not a new phenomenon, these multi-tasking nasties have an unexpected side effect of making classification difficult. This, in turn, causes much strife amongst the InfoSec community.

The malware, dubbed Virobot, was recently discovered by researchers at TrendMicro (sample discovered by security researcher MalwareHunterTeam). The malware which is capable of working as a botnet, ransomware, and keylogger has been classified as a ransomware strain by those same researchers, fortunately, it would appear that the malware is still under development. This is in part due to the uniqueness of the ransomware component. According to TrendMicro, the ransomware component has no ties to previous ransomware strains but that is where the uniqueness ends.

Banks and other financial institutions have long been the targets of hackers. Not only do they deal with massive amounts of funds daily, but they are also entrusted with valuable personal information that stealing it is a major goal for many cyber criminals. This treasure trove of personal information includes credit card data, customer information, and the wealth of corporate data that can be sold off or exchanged by those looking to make a quick profit or get an edge over a business competitor. Now they have a new increasingly popular threat to combat. Credential stuffing is an emerging attack method which can be considered a brute force attack. Credential stuffing is the automated injection of breached username and password pairs in order to fraudulently gain access to user accounts. Access to accounts is done by using large numbers of spilled credentials are automatically entered into websites, often by botnets) until they are potentially matched to an existing account, which the attacker can then hijack for their own purposes.

Last week this platform published an article which covered the emergence of a new exploit kit called Fallout discovered by security researchers at FireEye. Initially the exploit kit has been used to distribute the SmokeLauncher trojan and the GandCrab ransomware. This week, it has started to distribute a new ransomware called SAVEfiles via malvertising campaigns.

SAVEFiles was discovered by security researcher Michael Gillespie, who has developed a reputation for discovering and analyzing new ransomware variants. While the ransomware was discovered by Gillespie it was not known necessarily how the ransomware was distributed. Exploit kit expert Kafeine discovered that SAVEFiles was been distributed via malvertising campaigns where IP addresses in Japan, France, and other locations have been targeted. It was further discovered that the campaign will cause the visitor to go through a stream of redirects until they eventually get to a site hosting the Fallout Exploit kit. The exploit kit will then automatically download and install the SAVEfiles ransomware onto the victim’s computer. The connection to hxxp://xxxart.pp.ua/1/get.php is the ransomware connecting back to its Command & Control server to receive an encryption key.

Apple has recently pulled several Trend Micro apps from its app store. These include the free packages Dr. Cleaner, Dr. Antivirus, and Dr. Archiver listed has been developed by Trend Micro. The reason for the apps receiving the boot: they exfiltrate user data for the user’s browser history. The discovery was made by Thomas Reed of Malwarebytes Labs and @privacyis1st. As a result of the public outcry and industry condemnation, Apple was forced to pull the apps. At the time of writing, only Dr. Wifi and Network Scanner were still available for download. In the report published by Thomas Reed, much of their research centered around Dr. Antivirus and Dr. Cleaner. Upon analysis, it was revealed that Dr. Antivirus was incredibly limited in what, in terms of malware, it could detect. This is due in part to restrictions placed on app development by Apple and imposed on the App Store. As with many similar apps, detection rates were poor even when used to detect malware within the user folder, Dr. Antivirus was no different.

The use and popularity of hackers using exploit kits seems to be waning. This decline in use has been attributed to arrests, prison sentences, and service disruptions caused by law enforcement in partnership with security firms. This is most certainly good news but does not mean their use is completely extinct. Security researchers at FireEye have discovered a new exploit kit been used in a campaign targeting users in Japan, Korea, the Middle East, Southern Europe, and other countries in the Asia Pacific region.

An exploit kit is essentially a type of “toolkit” used by hackers to attack vulnerabilities in systems so they can distribute malware or perform other malicious activities. Often exploit kits are packaged with exploits that can target commonly installed software such as Adobe Flash, Java, and many others. A typical exploit kit can include a management console, a bunch of vulnerabilities targeted to different applications, and several add-on functions that make it easier for a cybercriminal to launch an attack.

Security researchers at security firm ESET have witnessed the threat group “PowerPool” exploiting a Windows zero-day vulnerability. The vulnerability is being used by the threat group to elevate the privileges of a backdoor in targeted attacks. The flaw was disclosed on August 27 with the proof of concept code been published on GitHub the same day. The information was disclosed by a researcher seemingly frustrated with Microsoft’s bug submission process. The researcher’s Twitter account was no longer accessible shortly after she posted the tweet, but it’s unclear whether it was suspended or deleted. The flaw, however, has been already confirmed by security researchers, including Will Dormann, a vulnerability analyst at CERT/CC. It would seem that PowerPool has also confirmed that vulnerability in light of recent attacks.

The Russian-based hacking group Cobalt is again targeting banks in a new campaign. In this latest campaign, it would appear that the group has limited its targets to Russian and Romanian banks. Cobalt has been active since 2016 and already boasts a number of scalps. As it stands the group has been credited with the theft of 9.7 million USD from the Russian MetakkinvestBank; ATM thefts of 2.18 million USD from Taiwan banks; a SWIFT attack on Russian banks; and more than 200 other attacks on banks in Europe, Thailand, Turkey and Taiwan. The group has also been seen to target industries other than the banking sector. Last year it was reported that Cobalt had expanded its range into also targeting government, telecom/Internet, service providers, manufacturing, entertainment, and healthcare organizations, often using government organizations and ministries as a stepping stone for other targets. Many of these utilized supply chain attacks.

In what Jennifer Lawrence, and the other victims of the so-called “Fappening”, will see as a victory, one of the hackers responsible has received an eight-month prison term for his part in the hack. In 2014 George Garofano, 26-years-old, of North Branford in Connecticut, covertly gained access to approximately 240 private iCloud accounts, many of which belonged to celebrities as well as other individuals. The access was gained in a period spanning from 2013 to 2014 and access was gained via an email phishing campaign. Garofano used the access gained to steal private images and video from the accounts and disseminate the material on the internet. One of the reasons for the uproar was that many of the images disseminated showed the victims nude.

Garofano, who is currently released on a $50,000 bond, was ordered to report to prison on October 10. Added to this he will also serve a three year supervised release once his prison term is complete. Garafano was one of four people charged in the 2014 hacking scandal and was the last to be prosecuted. Prosecutors argued for a sentence of 10 to 16 months in prison, in line with federal guidelines. Garofano asked for leniency, requesting no more than five months in prison and another five months of home confinement on the basis that he believed he had already suffered serious consequences and had apparently behaved in an appropriate manner since he was charged.

For Cosmos Bank, a bank that has been in business for 112 years, August will go down as one of the bank’s worst months. On August 14, 2018, the Hindustan Times reported that the bank suffered a two-stage attack where malware was used on the bank's ATM server to steal the credit card information of customers, alongside SWIFT codes required for transactions. It was estimated that during the first wave roughly 11.5 million USD in transactions from multiple countries was stolen. In the second wave, on the same day, close to 2 million USD was withdrawn through debit card transactions across India. Later when those funds were traced it was discovered that they were transferred to Hong Kong via fraudulent SWIFT transactions.

Cosmos Bank chairman Milind Kale said the cyber attack was a global effort as cyberattackers operated from "22 nations." The bank pointed the finger at Canada as the place of origin for many of the fraudulent transactions. A further article published by the Hindustan Times said that the hackers failed in their first attempt to compromise the bank's systems. Despite the first failed attempt worryingly no alert was issued to put the bank on guard against any further suspicious activity. The bank has since confirmed that no funds had been debited from its customers’ accounts.

The North Korean linked Lazarus group has been on both government and security firms advanced persistent threat (APT) watch lists for a while now. Sometimes referred to as Hidden Cobra, particularly by the US Computer Emergency Readiness Team (US-CERT), the group has conducted many cyber espionage campaigns as well as targeting banks and other financial companies around the globe. Over the last few months, Lazarus has successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies. Much of the groups work targeted Windows systems and machines. However, the group is now targeting MacOS.

Lazarus Group is perhaps most well-known for the Sony Pictures hack which occurred in October 2014. The group managed to gain access to the media giant’s network and stole massive amounts of confidential data and then leaked them online. The hack was seen as retaliation to the movie The Interview starring James Franco which was seen by Lazarus group as derogatory to North Korea. The group also issued vague threats to theatres who intended to show the film. Sony canceled the release of the movie as a result of the hack and subsequent threats.

For several years now the Chinese government has been attempting to create a set of standards and norms governing cybersecurity. In the wake of increased trade tensions between the US and China, there is a growing fear among security researchers and investors that these standards may be used to deter or sabotage the efforts of foreign tech firms trying to enter the Chinese market. The set of standards is often simply referred to as the “national cybersecurity standards”. These standards are issued by the Chinese National Information Security Standardization Technical Committee (TC260), a government agency that has issued roughly 300 standards since 2015.

Generally, these standards are seen as recommendations made by the government. They are intended to govern the design and operation of various products, such as routers, firewalls, or even software applications. Some of these standards describe methods of providing the Chinese government with access to sensitive data belonging to Chinese citizens. It further specifies how that data is handled by a particular type of service or piece of hardware. Other stipulations provide a list of acceptable encryption algorithms. Others specify how a product's cross-border data transfer and behavior are to be handled and monitored. According to the Chinese government, these standards are all only "recommended" as mere guidelines for product and service designs and bare no official status for the sale of products on the Chinese market. However, the Center for Strategic and International Studies (CSIS), a Washington-based think tank, in practice, many of these "recommended" standards may actually be required to do business in China without explicitly saying so.

The start of the year seemed to open with a bang on the cybersecurity news front. The Spectre and Meltdown vulnerabilities made headlines with fears that they could be as bad, if not worse, than the previous Heartbleed vulnerability that made its mark on CPUs previously. Since then every now and then news trickles in of a researcher having been able to exploit those vulnerabilities in slightly new ways. On August 14, 2018, news broke that researchers had discovered another vulnerability affecting Intel processors. The researchers who discovered the vulnerability have called it Foreshadow and have set up a website where users can gain more information including the paper they published.

Currently, two research teams independently discovered the Foreshadow vulnerability and the L1 Terminal Fault vulnerability. A team from KU Leuven, a university in Belgium, informed Intel of its findings on January 3, the day when the now infamous Spectre and Meltdown vulnerabilities were disclosed to the public. The second team, comprising researchers from Israel-based Technion, University of Michigan, the University of Adelaide in Australia, and Australia-based CSIRO's Data61, reported its findings to Intel on January 23.