This Week in Cybersecurity News
CozyDuke APT Group Believed to have Targeted White House and State Department by Ashly Carman, SC Magazine
The APT group known as CozyDuke is suspected to be behind the attack on the White House and State Department. Researchers also believe CozyDuke was behind attacks on other government organizations and commercial entities in the U.S., Germany, South Korea and Uzbekistan. In the more recent campaigns, CozyDuke is using the standard Windows API and phasing out custom features from prior campaigns to simplify the process.
Zero-Day Malvertising Attack Went Undetected For Two Months by Kelly Jackson Higgins, Dark Reading
An Adobe Flash Player zero-day exploit was embedded in online ads for close to two months in an attack that targeted US users with a ransomware payload. The vulnerability was patched on February 2, bringing an end to the campaign, but attacks using the exploit were found as early as December 2014 and targeted the websites of Dailymotion, Huffington Post, answers.com, and New York Daily News, among others.
SSL Certificate Flaw Allows Hackers to Crash Devices Running iOS 8 by Fred O’Connor, IDG News Service
A flaw found in iOS 8 allows attackers to render devices useless if they’re within range of a fake wireless hotspot. The vulnerability exploits a flaw in how iOS 8 handles SSL certificates and allowed researchers to get apps running on devices using iOS 8 to crash or place the device in a constant reboot cycle. Users should update to the latest version of iOS and avoid using suspicious free networks.
Researchers have discovered an exploit that enables cybercriminals to track keystrokes and mouse clicks in a web browser. The exploit is effective against machines using late-model Intel CPUs, such as a Core i7, and a browser that supports HTML5. The attack is performed by JavaScript served from a malicious web ad network.
Financial Botnets Go Beyond Banking to Hit Payroll, HR Portals by Robert Lemos, eWeek
Researchers have found that the operators behind banking botnets are expanding and going after smaller banks and targeting other areas such as corporate accounting and payroll systems following the takedown of high profile botnets like Gameover Zeus.
ICYMI Threat Geek Post of the Week: The Internet’s New Superfriends?
Posted by ThreatGeek at 10:00 AM
This Week in Cybersecurity News
Bank-card-sniffing Shop Menace Punkey Pinned Down in US Secret Service Investigation by John Leyden, The Register
Security researchers have identified a new strain of POS malware during an investigation led by the US Secret Service. The malware, called Punkey, hides inside the explorer.exe process on Windows POS systems and, once activated, scans the memory of other running programs for cardholder data before uploading the data to a command and control server.
Windows Vulnerability can Compromise Credentials by Jeremy Kirk, IDG News Service
A vulnerability found in the late 1990s in Microsoft Windows can still be used to steal login credentials. The flaw affects any PC, tablet or server running Windows and could compromise as many as 31 software programs. The vulnerability is called “redirect to SMB” and can be exploited if an attacker can intercept communications with a web server using a man-in-the-middle attack.
FighterPOS Malware Strikes Over 100 Terminals in Brazil, Captures Info for 22K Cards by Danielle Walker, SC Magazine
Recent POS malware attacks targeting more than 100 terminals in Brazil are believed to be the handiwork of a single person who managed to steal more than 22,000 unique credit card numbers in a little over a month. In addition to collecting credit card track 1, track 2 and CVV codes, the malware, called FighterPOS, also features RAM scraping functionality and allowed threat actors to launch DDoS attacks.
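The Punkey and FighterPOS items above describe the same artifact: cleartext track 1 and track 2 data sitting in process memory on a POS host. The following Python is an added illustration, not code from either article or from Fidelis; it scans a constructed memory-dump fragment for the ISO/IEC 7813 track layouts and Luhn-checks each candidate PAN, which is the triage an incident responder runs over a dump from a suspect terminal. The sample buffer and the test PAN are constructed.

```python
import re

# Track 1 (format B) and track 2 layouts per ISO/IEC 7813: sentinel, PAN,
# separator, expiry YYMM, 3-digit service code, discretionary data, end sentinel.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([A-Z .,/'-]{2,26})\^(\d{4})(\d{3})[^?]{0,100}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d{0,100}\?")


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check used by payment-card PANs; filters random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits so findings can be logged."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> list[dict]:
    """Scan a byte buffer (e.g. a process memory dump) for cleartext track data.

    Returns masked PANs only, ordered by offset in the buffer."""
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"track": 1, "offset": m.start(),
                             "pan": mask(pan), "expiry": m.group(3).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"track": 2, "offset": m.start(),
                             "pan": mask(pan), "expiry": m.group(2).decode()})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample dump: one valid track 2 record and one track 1 record using
# the well-known test PAN 4111111111111111, plus a decoy record whose PAN fails Luhn.
SAMPLE_DUMP = (
    b"\x00\x00explorer.exe\x00"
    + b";4111111111111111=25121010000000000?"
    + b"\x00garbage;1234567890123=2512101?"
    + b"%B4111111111111111^DOE/JOHN^25121011000000000000?"
    + b"\x00"
)

if __name__ == "__main__":
    for f in find_track_data(SAMPLE_DUMP):
        print(f)
```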
Apple Patches ‘Darwin Nuke’ Other Security Flaws with New OS Releases by Jai Vijayan, Dark Reading
A flaw in the kernel of Darwin, the open source component on which iOS and OS X are built, that allowed attackers to remotely trigger denial-of-service attacks has been patched by Apple. The flaw, known as “Darwin Nuke,” could also damage a user’s Mac or iOS device and impact any corporate network to which it’s connected. Users should update to the new OS X Yosemite v10.10.3 and iOS 8.3 to receive the patch.
Meet “Great Cannon,” The Man-in-the-Middle Weapon China used on GitHub by Dan Goodin, Ars Technica
A tool dubbed the “Great Cannon” has been used by the Chinese government to launch a massive denial-of-service attack against two anti-censorship GitHub pages. The tool could also be used to install malware on end users’ machines. The junk traffic came from computers of people who browsed websites containing analytics software from the Chinese search engine Baidu. One to two percent of the visits from people outside China had malicious code inserted into their traffic that caused the two targeted GitHub pages to load repeatedly.
ICYMI Threat Geek Post of the Week: Fidelis Threat Advisory #1016: Pushdo It To Me One More Time
Posted by ThreatGeek at 10:00 AM
Fidelis Threat Advisory #1016
Pushdo It To Me One More Time
Once thought to be defunct, the resilient Pushdo has surfaced with infections observed in more than 50 countries, with a substantial infection rate located in the Asia-Pacific region. Based on data aggregated from a controlled sinkhole, Fidelis Cybersecurity has observed some notable changes with the primary command and control (C&C) and conducted in-depth analysis of the secondary C&C Domain Generation Algorithm (DGA). In order to support network defenders, Fidelis Cybersecurity is offering a new, free data feed of verified indicators to support the detection and mitigation of Pushdo. Our intention behind revealing these details is to enable widespread detection and remediation of this threat as well as to force a comprehensive retooling exercise on the operators of the Pushdo botnet.
To see the full report and findings, visit the Fidelis Threat Advisory #1016.
Posted by ThreatGeek at 09:00 AM
First, a quick update. Since our publication of the RATting on AlienSpy Fidelis Threat Advisory, the AlienSpy domain was suspended by GoDaddy, which was the registrar for the domain. Obviously that means no one can currently buy an AlienSpy membership, but it also means existing AlienSpy members and builders are unable to authenticate for a valid membership.
This currently has four major impacts.
This means all AlienSpy actors worldwide are currently out of commission, though the victim systems continue to have the malware present, and disabled services like AV will remain in that state until corrected. However, victim systems are no longer controlled by the attackers.
Posted by ThreatGeek at 12:30 PM
This Week in Cybersecurity News
Cross-platform RAT 'AlienSpy' Targets Mac OS X, Windows and Android Users by Danielle Walker, SC Magazine
Researchers discovered a multi-platform RAT, called AlienSpy. The new RAT can infect devices running Windows, Linux, Mac OS X and Android. AlienSpy is being sold on a subscription basis from $19.90 to $219.90 and is capable of disabling many antivirus tools.
Russian Hackers Breached White House via US State Department by Sara Peters, Dark Reading
Attackers compromised an unclassified White House system in October 2014 by sending spearphishing messages from a hijacked US State Department email account. Officials will not confirm that the Russian government is behind the attack but investigators found code that points to Russian sources.
Beware of Pro-ISIS Script Kiddies Exploiting WordPress Sites, FBI Warns by Dan Goodin, Ars Technica
According to the FBI, individuals sympathetic to the Islamic State of Iraq and al-Shams terrorist group are exploiting known vulnerabilities in WordPress. The vulnerabilities have been patched by WordPress and plugin developers, but individual webmasters may have failed to install the patches.
Islamist Hackers Take French Broadcaster TV5Monde off Air by Lucian Constantin, IDG News Service
French-language TV network TV5Monde was hit by a cyberattack on April 8 that disrupted broadcasting across its channels and hijacked its websites and social media accounts. The TV network had to shut down broadcasting across its 11 channels for several hours and eventually resumed with pre-recorded programs. The “Cyber Caliphate,” a group that claims affiliation with ISIS, was responsible for the attack.
Europol Kills off Shape-shifting 'Mystique' Malware by Dan Simmons, BBC News
Europe’s Cybercrime Centre and the FBI have deactivated malware known as Beebone. At its height, Beebone was controlling 100,000 computers a day in September 2014. Criminals had used the malware to steal passwords and download other programs on infected computers.
ICYMI Threat Geek Post of the Week: Fidelis Threat Advisory #1015: Ratting on AlienSpy
Posted by ThreatGeek at 12:15 PM
On April 8 something happened that may have far-reaching implications for the fight against cybercrime and malware. No, it wasn’t the recent Fidelis Threat Advisory on the AlienSpy RAT. The event that I’m talking about was an international coalition of cybercrime fighters coming together to rid the Internet of a particularly nasty botnet named Beebone (also known as AAEH) in what has been dubbed Operation Source.
Before we get into the coalition and what it means, let’s take a quick look at Beebone and what it can do.
Beebone is particularly nefarious because it was designed to utilize polymorphic worm capabilities to ensure that it remains on an infected host network. In other words, Beebone uses its internal code to change its structure and then automatically spread to other vulnerable machines on the victim network. Beebone itself is a downloader that utilizes botnet Command and Control (C2) to further infect its victim hosts with additional types of malware such as rootkits, ransomware, password stealers, and other nastiness. Beyond its host-based polymorphism, the authors of Beebone were releasing a multitude of new variants of the malware daily, each sufficiently different to make detection by traditional antivirus difficult.
Posted by ThreatGeek at 09:00 AM
Fidelis Threat Advisory #1015
Ratting on AlienSpy
This report is a comprehensive description of AlienSpy, a remote access trojan (RAT) with significant capabilities that is currently being used in global phishing campaigns against consumers as well as enterprises. Our goal with this paper is to provide detailed analysis of its capabilities, tie it to previous generations of RATs that have been observed over the course of many years, and provide observations from recent encounters with the RAT. Further, we intend to support the broader research community with a Yara rule developed as a result of our research as well as a rich set of IOCs from campaigns that are currently operational, extending the body of knowledge around this RAT.
There is a long line of RATs that have received attention in the past few years and are known to be related in provenance and have been observed in related campaigns. These include njRAT, njWorm and Houdini RAT, all of which have been repeatedly deployed against victims in the consumer space as well as large enterprises. These RATs are recognized to have a robust feature set and much of the evolution that has been seen is in the nature of the delivery, rather than in core functionality.
AlienSpy is different in this regard. It is the latest in a well-known lineage of RATs – Frutas, Adwind and Unrecom are all predecessors. We believe that it benefits from unified development and support that has resulted in rapid evolution of its feature set, including multiplatform support (Android among them) as well as evasion techniques not present in other RATs. It must be noted that previous generations of this RAT family continue to be used in specific campaigns, notably Adwind. However, we’re currently observing a wave of AlienSpy samples being deployed worldwide against consumers as well as enterprises in the Technology, Financial Services, Government and Energy sectors.
To see the full report and findings, visit the Fidelis Threat Advisory #1015.
Posted by ThreatGeek at 09:00 AM
This Week in Cybersecurity News
Hackers, Corporate Spies Targeted by Obama Sanctions Order by Justin Sink and Chris Strohm, Bloomberg
President Barack Obama signed an executive order on April 1 allowing the Treasury Department to freeze the assets of people, companies or other entities overseas identified as the source of cybercrimes. The sanctions will be used if a cyberattack threatens to harm U.S. national security, foreign policy or the broader economy.
Laziok Trojan Exploits Three Year-Old Windows Flaw by Jai Vijayan, Dark Reading
Trojan Laziok is a malware tool that exploits a three-year-old Windows vulnerability to gain access to the networks of Middle Eastern energy companies. Researchers at Symantec described the malware as a reconnaissance tool that allows attackers to gather information and decide whether to carry out further attacks against the systems.
Security Firm says New Spy Software in 10 Countries came from Lebanon by Joseph Menn, Reuters
A campaign, called Volatile Cedar by Check Point Software Technologies, targeted telecommunications and networking companies, military contractors, media organizations and other institutions in Lebanon, Israel, Turkey and seven other countries. The campaign aimed to steal data by hacking into public-facing websites and then moving from host computers to others in the organization that contained valuable information.
Nite Ize Website Attack Impacts Credit Cards, Possibly Customer Database by Adam Greenberg, SC Magazine
Nite Ize, an online store, experienced a cyberattack that resulted in 309 credit card transactions being compromised and possible unauthorized access to a database containing names, usernames, passwords, mailing addresses, email addresses and phone numbers of 50,000 customers. The compromised transactions occurred between March 3 and March 11.
Stolen Uber Customer Accounts Are for Sale on the Dark Web for $1 by Joseph Cox, Motherboard
Two vendors on the dark web are selling the credentials of active Uber accounts for between $1 and $5 apiece. It is currently unclear how the sellers acquired the account credentials but Uber has found no evidence of a breach.
ICYMI Threat Geek Post of the Week: Adwind Continues to Fly – Now using Turkish Language Lures by John Bambenek
Posted by ThreatGeek at 10:00 AM