Tag: Cyber Threat

North Korea Ramps Up ‘Operation GhostSecret’ Cyber Espionage Campaign

Despite the historic summit with its rival neighbor South Korea and possible subsequent talks with the US President Donald Trump in the coming weeks, North Korea continues full-steam ahead in its mission to gather intelligence and generate income for the regime via its notorious nation-state hacking machine.

North Korea’s pervasive Lazarus Group, aka Hidden Cobra, was recently discovered ramping up a global cyber espionage campaign dubbed Operation GhostSecret, stealing information from organizations in the critical infrastructure, entertainment, finance, healthcare, and telecommunications sectors. Researchers from McAfee unearthed the wave of attacks, which they say first started with targeted hacks of banks in Turkey last month.

Read more about the global cyber espionage campaign by Hidden Cobra that has recently targeted critical infrastructure, entertainment, finance, healthcare and telecoms, on DarkReading.

SamSam ransomware attacks have earned nearly $850,000

First emerging in late 2015, the group believed to be responsible for the SamSam ransomware family has targeted small and large businesses, healthcare, governments, and education. Over time, the ransom prices set by this group have changed somewhat, but they have remained consistently affordable, which is why many victims have paid. To date, the group has made nearly $850,000 USD.

This somewhat shocking figure is based on the current value of Bitcoin (BTC), which was $8,620.22 at the time this story was written. However, because the market is constantly changing, the actual value of the ransoms paid will go up or down, as the final value is determined by the exchange rate at cash-out. Also, this figure is based only on the previously known SamSam wallet (used during the Allscripts attack in January) and the wallet used in the group’s most recent attack against the City of Atlanta, so it is a lower bound. The fact that the group behind SamSam has collected any ransom at all, let alone 98.5 BTC, tells an interesting story about the balance between security and business.

Read more about SamSam ransomware, which has been used by cyber criminals since December 2017 to collect ransom payments from victims in healthcare, education, and government, on CSO.

Is Adware Causing You Frustration? Here’s How To Get Rid Of It

It might not be quite as serious as ransomware, but adware is nevertheless a cause of much frustration for computer owners everywhere. If you are constantly being bombarded with pop-up ads or redirected to advertising sites, then you are almost certainly a victim of adware.

Some types of adware are more subtle, hiding in your system and collecting data which is then used to customise future advertisements. Adware is often downloaded alongside free programs as part of a bundle and, when the user has agreed to it, is a legitimate way of raising revenue. Other programmers sneak adware into their software bundles without the buyer’s knowledge, or use compromised websites to hijack insecure browsers.

In those cases, adware can rightly be considered a type of malware. Fortunately, it is often easier than you might think to wipe all traces of adware from your system.

Read which steps you can follow to prevent ever having to make that IT support call, on Information Security Buzz.

Microsoft: Windows Defender can now spot FinFisher government spyware

Microsoft says it has cracked open the notorious FinFisher government spyware to design new ways to detect it and protect Windows and Office users. FinFisher is sold to law-enforcement agencies around the world, and its maker, European firm Gamma Group, has been criticized for selling it to repressive regimes. Last year, researchers at FireEye discovered FinFisher being distributed in Word documents carrying an exploit for an Office zero-day, targeting Russian-speaking victims. In some countries ISPs have also assisted FinFisher rollouts by redirecting targets to an attack site when they attempt to download popular apps.

Microsoft’s threat researchers say FinFisher’s level of anti-analysis protection puts it in a “different category of malware” and reveals the lengths its makers went to in ensuring it remains hidden and hard to analyze. But after Microsoft’s reverse-engineering managed to unravel the malware, the company says the sandbox used by Office 365 Advanced Threat Protection (ATP) is now more resistant to FinFisher’s sandbox-detection tricks, while the Windows Defender Advanced Threat Protection (ATP) anti-malware engine has improved detections for it.

Read more about how Microsoft has dismantled the government-grade FinFisher spyware to improve Windows and Office 365 defenses on ZDNet.

Chafer: Hacking group expands espionage operation with new attacks

A hacking group has expanded its operations, taking advantage of new tools to attack organisations across the Middle East for the purposes of surveillance and intelligence gathering. Targets are mostly in telecoms and transport and their surrounding supply chains, with IT software, payroll, aircraft services and engineering firms all targeted during the last year. The operations of Chafer, an Iran-based targeted attack group, have been detailed by researchers at security company Symantec, who note that since first being exposed in 2015, the group has expanded its surveillance and cyber attack operations.

Several new tools have been added to the Chafer arsenal, including the EternalBlue exploit (the leaked NSA exploit which powered last year’s WannaCry and NotPetya outbreaks), allowing the attackers to move laterally through target networks more easily. In total, Chafer has deployed seven new tools, which it has used to attack nine new targets in the Middle East, including organisations in Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey. Researchers also found evidence that Chafer has carried out attacks against an African airline and attempted to compromise an ‘international travel reservations firm’, although the attacks on the latter were not successful.

Read more about Symantec’s analysis of the Chafer hacking group on ZDNet.

Russia hacked Olympic computers and tried to frame North Korea

Russian military hackers compromised hundreds of computers at the 2018 Winter Olympic Games and tried to make it look like the attacks were conducted by North Korea, according to a report by The Washington Post.

U.S. officials, speaking on condition of anonymity, told The Post that the “false-flag” operation conducted by the Russian military intelligence agency GRU included obtaining access to hundreds of Olympic-related computers, as well as routers, in South Korea. The hacks are believed to be retaliation against the International Olympic Committee (IOC) for banning the Russian team from the Winter Games over doping violations. Citing an intelligence report, The Post said Russian military hackers obtained access to “as many as 300 Olympic-related computers” by early February. Additionally, “GRU cyber operators also hacked routers in South Korea last month and deployed new malware on the day the Olympics began.”

It was unclear whether the cyber attack during the opening ceremony, which disrupted the internet and broadcasting systems, was carried out through the compromised routers. During the attack, organizers took the affected servers offline to prevent further damage, which caused the Winter Olympics website to go down.

Read more about the cyber attack targeting Olympic computers that was reportedly carried out by Russian hackers on CSO.

Meet Coldroot, a nasty Mac trojan that went undetected for years

A piece of Mac malware that can silently and remotely control a compromised computer and steal passwords from the user’s keychain has gone largely unnoticed by antivirus makers for two years, even though its code has been readily available to download. Patrick Wardle, chief research officer at Digita Security, revealed details of Coldroot, a remote access trojan, in a blog post on Tuesday.

These kinds of malware, once installed, hook deep into the operating system in order to give the attacker full remote control of the system at any given moment, as if the attacker were sitting at the computer in person. After tearing down the malware in a new analysis, Wardle found that none of the antivirus engines listed on the online malware scanner VirusTotal detected it at the time of his research, even though its code was published in 2016. Though the malware is “not particularly sophisticated,” said Wardle, “it’s rather ‘feature complete’.”

Read more about the Mac Trojan that, when activated, can record keystrokes and steal passwords, list files, rename and delete files, download and upload documents, remotely view the desktop in real time, and shut down the system, on ZDNet.

AndroRAT: New Android malware strain can hijack older phones

An Android trojan that started out as an open-source project has been updated to allow attackers to gain access to virtually all data on infected devices. Silent installation, shell command execution, and the collection of credentials, Wi-Fi passwords and screenshots are just some of the capabilities of AndroRAT, which exploits CVE-2015-1805, a Linux kernel vulnerability whose impact on Android was publicly disclosed in 2016. While newer Android devices can be patched against attacks exploiting the vulnerability, Google’s lack of support for older devices means many remain vulnerable to attacks designed to gain additional privileges on the phone.

The new variant of AndroRAT is disguised as an app called ‘TrashCleaner’, and researchers at Trend Micro say it is distributed via a malicious URL, indicating that the threat arrives through third-party download sites or phishing rather than the official app store. If downloaded and installed, TrashCleaner prompts the device to install a Chinese-labelled calculator app with a logo that looks similar to the standard Android calculator.

Read more about the new variant of AndroRAT that is disguised as an app called ‘TrashCleaner’ on ZDNet.

US, International Law Enforcement Shut Down Massive Cybercrime Marketplace

US law enforcement authorities, in collaboration with their counterparts in over a dozen nations, have taken down a major cybercrime organization that was responsible for some $530 million in losses over the past seven years. Thirty-six individuals from 17 countries have been charged in connection with their alleged roles in the so-called Infraud Organization, including five from the US. Thirteen of the 36 have been arrested so far, and eight of those are awaiting extradition to the United States. More arrests are expected to follow.

In a media call announcing the arrests Wednesday morning, Deputy Assistant Attorney General David Rybicki described the Infraud Organization as a global forum for buying and selling stolen payment card data, financial information, Social Security numbers, personal identity data, malware, and other products. “Infraud was truly the premier one-stop shop for cybercriminals worldwide,” Rybicki said. “Over the course of the Infraud Organization’s seven-year history, its members targeted more than 4.3 million credit cards, debit cards, and bank accounts held by individuals around the world and in all 50 states.”

Read more about the shutdown of the Infraud Organization, whose members have not been linked to any actual data breaches, although those operating on the forum offered tools and services that certainly would have facilitated such activities, according to the 50-page indictment, on Dark Reading.

Mac crypto miner distributed via MacUpdate, other software download sites

Software download site and aggregator MacUpdate has been spotted delivering a new Mac crypto miner to users. Stealthy cryptocurrency miners are most often aimed at Windows and browser users (e.g., the Coinhive script), but no one is safe: neither Linux users nor Mac users, even though cryptocurrency-mining malware targeting Mac machines is still a relatively rare occurrence.

The first instance of such malware was spotted back in 2011, when the DevilRobber Trojan was found to have, among other things, the ability to use CPU and GPU time on infected Macs to perform Bitcoin mining. In August and November 2017, SentinelOne researchers found and analyzed two Monero-mining Trojans targeting macOS: Pwnet and CpuMeaner.

CreativeUpdate, as this latest crypto miner has been dubbed, is just the latest attempt to target Mac users, many of whom are lulled into a false sense of security by the relatively small amount of Mac-specific malware in circulation.

Read more about the malware, which has been bundled with decoy copies of Firefox, OnyX, and Deeper and tries to launch the decoy application before starting itself so that users do not get suspicious (although this does not always succeed), on Help Net Security.