Internet threat news

It is believed that a Chinese-linked espionage group is currently increasing its activity in targeting foreign engineering and maritime companies. This is according to a report recently published by FireEye, a well-respected cybersecurity firm known for its nation-state threat intelligence. The Chinese-linked espionage group has been called Leviathan by researchers and analyst. The group also goes by the name TEMP.Periscope and have been active for over a decade. The group has been historically interested in targets connected to the South China Sea geographical and political issues that have affected the region for China and its neighbors. These targets include research institutes, academic organizations, and private firms in the United States. Over the years the group has also shown interest in professional/consulting services, high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, with some located in Europe and at least one in Hong Kong.

On March 7, Microsoft released a report detailing that Windows Defender AV detected and thwarted a massive outbreak of the Dofoil, sometimes referred to as Smoke Loader, trojan. The campaign attempted to infect over 400,000 users in a 12-hour window. The campaign targeted mainly Russian users but instances were detected in the Ukraine and Turkey. Russia made up the vast majority of detected instances with 73% followed by Turkey which accounted for 18% and Ukraine on 4%. On March 13, Microsoft released a follow-up report explaining that the attack was caused by backdoored Russian-based BitTorrent client named MediaGet.

It would appear that Chinese Intelligence Agencies are altering the Chinese National Vulnerabilities Database (CNNVD) in an attempt to hide security flaws that government hackers might have an interest in. This is the conclusion made by Recorder Future, a US-based security firm, in a recently published report. Recorded Future has developed a reputation for tracking and revealing Chinese state-sponsored cyber spying. According to the latest report published by the firm, the firm noticed in recent months mass edits to the CNNVD website. This would imply that CNNVD operators have been backdating the publication dates for hundreds of vulnerabilities.

In November 2017, Recorded Future published a report examining the publication speed of the CNNVD. The report concluded that China had a process for evaluating whether high-threat vulnerabilities had operational utility in intelligence operations before publishing them to the publicly accessible CNNVD webpage. The firm wished to revisit the analysis in an attempt to further confirm their allegations only to find that CNNVD had altered their initial vulnerability publication dates. It is assumed this was done to cover up any evidence of wrongdoing.

Following the record-breaking Distributed Denial of Service Attacks (DDoS) that targeted both Github and a yet unnamed US-based company, referred to as a service provider in various reports, a surge in Memcached DDoS research and proof of concept code was bound to come up. Recently two proof of concept attacks has been published online illustrating a surge in popularity of attempting such a reflective DDoS attack.

Both the record-breaking attacks have shone a light on Memcached DDoS attacks, more so than previous research warning of the possibility of such attacks, but what exactly is a Memcached DDoS attack? In such an attack, the attacker targets Memcached servers that are exposed online. Memcached servers allow applications that need to access a lot of data from an external database to cache some of the data in memory, which can be accessed much more quickly by the application than having to travel out to the database to fetch something important. Such servers have been used by companies to speed up page load time and deal with spikes in demand.

These servers have been used internally, disconnected from the public internet but accessible within a trusted network to improve internal application performance in the past which would mean they would not be an easy target for such an attack. However, recently it would appear that such servers have a default setting which exposed UDP (user datagram protocol) online.

In a report published by Microsoft on March 1, researchers have been able to dissect FinFisher. FinFisher is advertised as a lawful interception solution built by Germany-based FinFisher GmbH. It is sold exclusively to governments and is criticised by civil rights groups across the globe. It is sometimes referred to as FinSpy and has been active for nearly half a decade, often used by government agencies in conjunction with surveillance operations.

According to Microsoft, due to the analysis conducted by their researchers, Windows Defender Advanced Threat Protection (Windows Defender ATP) is capable of detecting behavior associated with the complex FinFisher spyware. The analysis was not cut and dry as sometimes malware analysis can be. Microsoft admitted the malware is complex and required the researchers to develop special methods just to crack the offending spyware.

Researchers at UK based firm Wandera have been analyzing a new Android malware called RedDrop. The malware is reported to be able to do a wide range of actions including recording nearby audio and uploading the data to cloud-storage accounts on Dropbox and Google Drive. The malware was spotted initially on the mobile devices of employees of several global consultancy firms and appears to target mainly those living in China.

Researchers at Wandera have discovered 53 malware-ridden apps that are exfiltrating sensitive data from infected devices. The primary goal of these apps and the network that supports it is to get users to unknowingly send SMS messages to premium services, thus incurring financial loss. Applications that have been infected with RedDrop are being distributed through a network of more than 4,000 domains and range from tools such as image editors and calculators to recreational apps. Every observed application offers the expected functionality, thus making it difficult for users to detect themselves if they have unwittingly downloaded a malicious program.

Authorities working for the American criminal justice system have sentenced Taylor Huddleston, 27, of Hot Springs, Arkansas to 33 months in prison and two years of supervised release for aiding and abetting hackers by creating and selling malware. Huddleston had already pleaded guilty in July 2017 and left it up to the courts to decide how much prison time he would serve. His guilty plea followed his arrest by the FBI earlier in 2017.

Huddleston’s case and subsequent sentencing is precedent setting because he was the first case where the author of a malware strain was arrested, despite not being accused of using the malware himself. This may not bode well for Marcus "MalwareTech" Hutchins as US authorities are pursuing a similar case against him. Hutchins rose to fame when he helped stop the WannaCry ransomware outbreak. In regard to Hutchins’ case, he is alleged to have created the Kronos banking trojan.

The Hutchins case is been followed rather closely by security researchers around the globe with many coming to Hutchins’ defense. As the case stands currently prosecutors allege that Hutchins confessed to creating Kronos during interrogation, but his lawyers filed a document on Friday outlining their argument that Hutchins' confession was coerced. They insist he was exhausted and intoxicated when authorities received his confession. Hutchins is currently on bail in Los Angeles, and no date for his trial in Wisconsin has yet been set.

Normally when people are warned about the dangers of technology they laugh it off as alarmist and go straight back to see how many likes their latest post has received. It is easy to dismiss warnings as alarmist especially when they entail the end of the world resulting from a much favored Hollywood apocalypse scenario. While scientific consensus agrees with mounting evidence that we are influencing and exacerbating climate change, many still are willing to stick their heads in sand and whistle to themselves.

Cyber-security is a field where warnings are dished out daily. These warnings are generally ignored by the public at large. The commandment of ensuring software is updated regularly is laughed off till the next outbreak of an easily preventable ransomware strain. This week a 100-page report was released, authored by over 20 experts in their respective fields. The topic concerns the use of Artificial Intelligence (AI) for malicious purposes. While the report acknowledges the usefulness of AI in programs that will come to define future computing it presents a stark and too rational warning for the malicious use of AI by authoritarian regimes and unscrupulous people. The report represents the modern day equivalent of a Pandora’s Box scenario.

Ivan Fratric, a security researcher at Google Project Zero found a way to bypass Arbitrary Code Guard (ACG), a feature added by Microsoft to Edge in Windows 10 Creators Update alongside Code Integrity Guard (CIG). The details of this vulnerability have been made public as Microsoft failed to release a patch for the vulnerability within the 90-day deadline. The security feature added by Microsoft in February 2017 was designed to prevent browser exploits from being able to execute malicious code.

The inclusion of the above features into the Edge browser as a modern trend developed where a large number of browser exploits attempt to transform a memory safety vulnerability into a method of running arbitrary native code on a target device. Utilising this technique offered the attacker the path of least resistance as it enabled the attacker to uniformly stage each phase of their attack. Well, such techniques present the attacker with certain advantages, the defender can successfully defend against such attacks without any prior knowledge of the attack, this being a definite advantage if used correctly. A successful defence then has to simply be able to prevent arbitrary code form from executing.

Lord Tariq Ahmad, Foreign Office Minister for Cyber Security, has directly attributed the NotPetya cyber-attack to the Russian Government. This would make it the first Western country to do so and lay blame at the doorstep of the Russian government for orchestrating and deploying the ransomware in 2017. In a statement issued by the English Foreign Office, Lord Ahmed stated “The UK Government judges that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of June 2017…The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organizations across Europe costing hundreds of millions of pounds.” Ahmed further expressed that “The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather than secretly trying to undermine it.” At the time of writing no statement had been made by the Russian Government in response to the allegations.

While both the Olympics and Winter Olympics were intended to celebrate the human spirit it appears some may have never gotten the memo. During the Cold War, the Olympics was used as another event to prove whether Soviet communism or American capitalism was the superior ideology. While times change the Olympics in its multiple forms still appears to be an event needing to be co-opted for far more reasons than the organizers originally intended.

The 2018 Winter Olympics in Pyeongchang, South Korea appears to be no different in this regard. Even before the games had started Olympic organization bodies and other organizations closely linked with the event have been targeted by hackers. As early as December 2017 researchers were detecting attacks against such organizations. The latest incident occurred during the opening ceremony when a mysterious internet shutdown occurred.

A group of scientists based at the Cyber Security Research Center at the Ben-Gurion University of the Negev in Israel have just released papers detailing how they managed to hack devices protected by a Faraday Cage. The team has developed a reputation for some extraordinary and generally spectacular hacks which seem impossible at the time.

A Faraday cage, or sometimes referred to as a Faraday Shield, is a metallic enclosure meant to block electromagnetic fields coming in or going out. Named after Michael Faraday who invented them, such devices utilize the phenomenon that when an external electrical field causes the electric charges within the cage's conducting material to be distributed such that they cancel the field's effect in the cage's interior. The phenomenon is used to protect sensitive electronic equipment from external radio frequency interference (RFI). Faraday cages are also used to enclose devices that produce RFI, such as radio transmitters, to prevent their radio waves from interfering with other nearby equipment. These protective devices have found a lot of commercial use with companies placing sensitive networking equipment, servers, or workstations inside data centers or rooms protected by a Faraday cage. Banks regularly use Faraday-shielded rooms to protect servers.

It appears the operators of a gaming server rental business are diversifying their product offering. The company is believed to have built an IoT DDoS botnet, which they are now offering as part of the server rental scheme. It is believed that this is been offered based on one fairly significant clue, that being that the new IoT botnet, called JenX, is operating from the same server used by the company. This server is located at skids.sancalvicie.com. Added to this the IoT’s Command and Control server is found on the same server and domain used by the gaming server rental business, that business being San Calvicie (hxxp://sancalvicie.com).

Researchers from Radware, who discovered JenX, concluded that the new botnet is likely the botnet that powers a DDoS function included in one of San Calvicie's rental offers named "Corriente Divina" by the operators. According to the company’s website for 16 USD, users can rent a GTA San Andreas multiplayer modded server, for 9 USD they can rent a Teamspeak server, and for an additional 20 USD, users can launch DDoS attacks of between 290 and 300 Gbps. The DDoS service offered by the company is claimed to be able to carry out Valve Source Engine Query and 32bytes DDoS floods. They also advertise a "Down OVH" option, suggesting their botnet is large enough to cause problems even for the world's largest ISP and VPS providers.

The MalwareHunter team has been tracking a new ransomware called MindLost. The security researcher has been tracking samples of this new ransomware since January 15. The new strain encrypts users data then redirects the now victim to an online page to pay the ransom via credit/debit card. MindLost referred to by Microsoft as Paggalangrypt, is not being actively distributed as of yet, leading researchers to believe it is still currently under development. Despite not been complete the ransomware does work and targets the following extensions .c, .jpg, .mp3, .mp4, .pdf, .png, .py and .txt. for encryption. It also searches for the file extension within the storage devices and folders to encrypt files.