Internet threat news

Brian Krebs is where we turn our attention today. This former Washington Post investigative reporter is not very technical, but he is plugged into cybercriminal news and is usually one of the first to uncover data breaches like the Target retailer attack that companies try to keep secret. This week he reports the fascinating news that criminal gangs in Russia have outsourced translation and extortion services to call centers. Ransomware, for example, attacks people all over the world who speak hundreds of languages.  Russians cannot negotiate payment for all of that in Arabic, Turkish, German, etc.  So they have hired call centers to help shake down their victims. One normally thinks of overseas call centers as providing PC support for harried customers or explaining to someone how to use her new 50 inch LED TV. But companies like CallMeBaby extort hacking victims by charging $10 and more to negotiate the terms or unlocking their locked data files.

Stagefright is an Android vulnerability that some have called the worst Android security problem ever.  A hacker can use this to gain root access to an Android device simply by calling a phone and sending it a specially constructed MP4 media file in an MMS (multimedia message).  MMS messages are processed by WhatsApp, Google Hangouts, or the ordinary Android messenger app. The exploit works by causing an error in the media player which a hacker can use to gain access to memory. This bug impacts Android versions between 2.2 and 5.1.  There are patches available. Plus users can turn off the automatic downloading of videos in those apps.  But not all Android devices are patched yet even though the bug was discovered some months ago in 2015.  This is because patches are pushed out at different schedules by the phone manufacturers and cellular carriers.

France, the country, and Anonymous, the hacktivists, have declared war on ISIS.  President Obama has reluctantly done the same: in his Oval Office address on December 7th, the 74th anniversary of the Japanese attack on Pearl Harbor, Obama used the word “war” for the first time in reference to current events. Of course, Anonymous does not have any aircraft carriers like France, but they are adept at hacking, so could be quite useful in helping cutting off ISIS’s access to the internet and countering some of their propaganda.  Mainly they do this by outing ISIS accounts on social media and hacking their email. That Anonymous, the virtual group, has joined with the USA, France, UK, and Germany, who have actual armies, is something new. Anonymous is usually on the side of anarchists and others who oppose government.  But in a startling piece of largely underreported news, The Independent and other media reported that an Anonymous sect stopped terror attacks in New York and Tunisia by uncovering and reporting those plans to the authorities.

One of the more common types of malware to threaten PC users over the last several years has been ransomware. Covered extensively on this blog, ransomware is malicious code that secretly encrypts the files and folders of an infected computer using state-of-the-art encryption techniques. Once encryption of all files and folders has been completed, the victim is presented with a message that demands a ransom (typically paid in Bitcoin) be paid to receive the key required to unlock these files. In some of the most extreme ransomware variants, there was absolutely no way to retrieve these files without paying the ransom and often, victims were “punished” for not paying up right away because the amount of ransom due in exchange for the decryption key would increase after a set period of time had elapsed. While these types of malware are still a serious threat to PC users around the world, most antivirus software programs have become adept at detecting and blocking the installation of these programs before any damage can be done. As is usually the case when one malware variant is neutralized, hackers have recently devised a new way to leverage the power of ransomware: targeting websites. Rather than hold a single PC for ransom, hackers have created a way to hold the files, pages, and images of a website for ransom – essentially making that website inaccessible until the ransom is paid. The latest threat, originally discovered by the Russian security firm Dr. Web, has been dubbed Linux.Encoder.1. This malware variant specifically targets websites that are powered by the Linux operating system (a common platform used by websites around the world). Popular Web hosting platforms based on Linux include Apache and Nginx and both of these platforms are vulnerable to infection by Linux.Encoder.1. This malware variant is especially dangerous because it is almost impossible to detect using standard antivirus tools.

MySQL database servers, which millions of organizations worldwide rely on for backend database services, could soon be leveraged in massive DDoS attacks because of a dangerous malware variant known as Chikdos. Chikdos was first discovered by Polish cybersecurity experts over two years ago. Chikdos, an extremely dangerous Trojan originally developed to target the Linux operating system, is typically installed through an SSH dictionary attack. By downloading and executing a simple .bot file upon logging into a compromised server, Chikdos is installed primarily as a means to launch DDoS attacks using DNS amplification. Although the original version of Chikdos specifically targeted Linux systems, a more recent version has also been discovered that is capable of infecting the Windows operating system as well. MySQL database servers can be run on either the Linux or the Windows platform. This makes Chikdos especially dangerous as it is capable of affecting practically every MySQL server connected to the Internet (either directly or through an intermediary machine that has already been compromised). When originally analyzed by security researchers, it was determined that Chikdos was created solely for the purpose of launching DDoS attacks against a variety of Web targets. Although DNS amplification is the malware’s attack vector of choice, there are three other attacks possible after a Chikdos infection has occurred. For those unfamiliar with the term, a DNS amplification attack spawns from a request containing 256 random or previously defined queries to the backend database is transmitted to a DNS server.

Over the last several years, malware has been evolving. From the ‘simple’ viruses of just a decade ago to the complex banking Trojan botnets of today - sometimes capable of stealing millions of dollars while evading modern detection methods - malware has become a constantly changing threat. Security researchers scramble to react to new threats while malicious actors work on ways to circumvent the latest security measures. This game never ends and new ways to infiltrate Windows systems appear all the time. Sometimes hackers fall back on old techniques (such as the use of infected macros to exploit vulnerabilities in the Microsoft Office suite). In other instances, hackers are forced to find entirely new methods of distribution and infection in an effort to avoid improved system security and increased consumer awareness about the dangers of malware. Although some of the most popular malware infection vectors right now include malvertising (distributing malware through legitimate advertising networks by embedding malicious code into digital ads) and spam campaigns relying on malicious attachments to spread malicious code, the program or service targeted by the malware changes all the time depending on the vulnerabilities present and the exact goal of the malware campaign. For instance, hackers have started focusing more attacks on Internet of Things (IoT) devices over the last several months. These gadgets (everything from automated thermostats to smart refrigerators) do not offer the same level of security as a PC but can unleash devastating attacks when harnessed by rogue software.

Over the last few years, malware creators have been moving away from traditional malware attacks that target the Windows OS; instead relying on malware specifically designed to infiltrate popular Web browsers. In most cases, the browsers are exploited via known vulnerabilities in common Web browser plugins including Adobe Flash Player, Microsoft Silverlight, and Java. Once a browser has been infected with malicious software, the cybercriminals behind these campaigns have almost limitless access to the PC and any future browsing sessions performed in the affected browser. In response to the increased threat presented by browser-specific malware, browser developers have had to change (radically in some cases) the way security within the browser application is handled. As hackers get better at hiding their malicious applications by using legitimate-sounding file names that have been carefully hidden in obscure directories, browser developers have discovered new ways to locate and quarantine infected code as quickly as possible. Active detection technology and providing a way for browser users to easily disable browser plugins that could put the PC at risk when not needed have made it increasingly difficult for cybercriminals to profit from these “traditional” browser-specific attack vectors. In response to the improved security of popular Web browsers, one group of hackers recently devised a new technique that specifically targets the Chrome Web browser.

Traditional malware is slowly becoming extinct as malware creators have realized that targeting routers and other Internet-connected devices (the Internet of Things) is more successful and in some cases, more financially lucrative as well. Routers and IoT devices are easy to infiltrate and because there is no antivirus solution available for these devices, detection by the average consumer is extremely unlikely. Once malicious actors have infected a router, the device can be used to launch DDoS attacks or to spoof legitimate websites as part of a phishing campaign. In fact, the highly publicized attacks of the Sony PlayStation and Xbox Live online gaming platforms were both carried out using a botnet created from routers that had been infected with a special malware package designed to leverage vulnerabilities in the embedded firmware of affected devices. Despite all the bad press that malware is subjected to on a daily basis, researchers from Symantec recently discovered a new strain of malware that targets routers as well as other embedded devices including many smart home automation products.

The Internet is a dangerous place and it seems like every day a new threat is discovered that could put your personal and financial data at risk. One of the most popular ways cybercriminals accomplish this is through a technique known as phishing. Phishing is a type of cyberattack whereby hackers create a fake website (known as a spoofed website) that is designed to look exactly like a legitimate online service. Popular online services such as Bank of America and PayPal are common targets for these types of attacks. When the victim unknowingly enters sensitive account information on the spoofed website, the hackers receive this information and can use it to fraudulently make wire transfers or as part of an identity theft campaign. The last few years have brought about significant changes in the way the Internet works and many of these changes are a direct response to the rising costs associated with successful phishing campaigns.

Researchers from Kaspersky Labs recently warned about a new Advanced Persistent Threat, or APT, that includes a powerful Remote Access Tool (RAT) with the ability to mitigate nearly all current IT security measures while granting full administrative access to the infected system from anywhere in the world. Although this dangerous malware variant was first reported on Kaspersky’s Threat Post blog, the malware was actually discovered by an Israeli cybersecurity startup company called enSilo. These researchers have dubbed the malicious program Moker and the threat was originally discovered on one of enSilo’s customer networks. Even enSilo isn’t sure how the malware found its way into the customer’s network in the first place but the fact remains that this is a dangerous piece of software that could literally destroy a network in seconds if the hackers behind this malware deployment so chose.

The last several months have been plagued by countless reports of hardware routers being exploited by hackers for various reasons. Popular router brands including Belkin, Net Gear, and Linksys have all been targeted by cybercriminals and used as botnets to launch DDoS attacks. In fact, the PlayStation and Xbox Live networks were both taken offline by hackers using exploited routers as the basis for the attack. Mandiant, a sister company of Swedish security firm FireEye, recently uncovered a new router vulnerability that could mean big trouble for businesses around the world relying on Cisco routers. The backdoor malware, which has been named SYNful Knock by security researchers, is designed to compromise popular business-class Cisco routers and provides the hackers with escalated backdoor privileges to the entire network by modifying the router’s firmware image. This new malware variant is different than previous versions of malware designed to compromise consumer routers because the malware persists even after the router has been rebooted.

A new malvertising campaign was recently discovered that has been running for at least three weeks without being detected although security experts concede that the threat could have been operating undetected for much longer than that. Considering the large number of malvertising schemes that have been highlighted on this blog in recent months, it is becoming increasingly clear that businesses need to be more vigilant than ever before when it comes to selecting the companies they use to serve online advertisements to visitors. Several well-known online presences, including the Drudge Report, Answers.com, and eBay’s UK branch, were all recently affected by tainted online ad networks that have been serving ads infected with the Angler exploit kit. The Angler exploit kit is currently one of the most elusive and dangerous online exploit kits in the wild and is capable of finding known vulnerabilities in common Web browser plugins in an attempt to infect PCs with an assortment of malicious programs depending on the needs of the cybercriminals behind the campaign.

A new version of the persistent and powerful adware program known as Shopperz has been spotted in the wild and this new version has security researchers wondering what other tricks may be in store for PC users in the future due to the sophistication of this new adware variant. Sometimes also referred to as Groover, Shopperz works by injecting ads into a PC users’ Web traffic using methods that are considered by security researchers to be both malicious and deceptive. Some of the techniques used by Shopperz to take over an infected PC include installing an extension in both Firefox and Internet Explorer and the creation of a Windows service that makes it extremely difficult for victims to remove the add-ons from both popular Web browsers. One such service is even designed to operate in Safe Mode - a Windows boot option that is often used to clean a PC of malware. Shopperz is also capable of creating a rogue Layered Service Provider (LSP) within the Window’s network stack.

An extremely dangerous and highly sophisticated new banking Trojan was recently spotted in the wild by researchers from IBM’s Security X-Force. Named Shifu, which means thief in Japanese, this banking Trojan appears to have been active since April of this year despite only being discovered in recent weeks by IBM staff members leveraging antifraud platforms that continuously monitor customer endpoints around the world. Shifu is currently targeting 14 Japanese banks as well as electronic banking platforms throughout Europe although at this time only Japan is experiencing active attacks from this Trojan. Shifu contains a variety of advanced features, many of which appear to be borrowed from the leaked source code of other notorious banking Trojans including Zeus, Dridex, Shiz, and Gozi.