Tag: Threat Intelligence

Industrial espionage fears arise over malicious Chrome extension

Serious questions about a possible industrial espionage campaign are being raised over a Google Chrome extension that was caught collecting browsing history, ZDNet has learned from ExtraHop, a real-time IT analytics firm. The company says it found malicious code hidden inside a Chrome extension aimed at web developers. The extension, named Postman, is still available in the Chrome Web Store, despite ExtraHop having reported it to Google more than a month ago.

The discovery of this extension comes on the heels of Netscout revealing that North Korean nation-state hackers have used a Chrome extension in a government-orchestrated cyber-espionage campaign.
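A practical follow-up to this story is checking your own browser profile for extensions whose permissions let them read browsing activity, whatever their store listing claims. The script below is an added example for this digest, not code from ExtraHop, Google or ZDNet: the two manifests it inspects are constructed, the profile path is an assumption (Chrome's default on Linux), and the risk weights are this example's own judgement rather than anything Google publishes.

```python
"""Audit Chrome extensions for permissions that let them collect browsing history.

Added example for this digest, not code from ExtraHop, Google or ZDNet. The two
manifests below are constructed; the profile path is an assumption (Chrome's Linux
default) and the risk weights are this example's own judgement.
"""
import json
import tempfile
from pathlib import Path

# Real Chrome manifest permission names that allow observing or exporting browsing
# activity, with assumed weights (higher = more direct access to history).
RISKY_PERMISSIONS = {
    "history": 3,             # read/modify the full browsing history
    "<all_urls>": 3,          # script and read every page
    "tabs": 2,                # URL and title of every open tab
    "webNavigation": 2,       # every navigation event
    "webRequest": 2,          # every HTTP request the browser makes
    "cookies": 2,             # session cookies for matched hosts
    "webRequestBlocking": 1,  # modify requests in flight (MV2)
}

# Assumed default profile location on Linux; other platforms differ.
DEFAULT_PROFILE = Path.home() / ".config" / "google-chrome" / "Default"


def risky_permissions(manifest: dict) -> dict:
    """Return {permission: weight} for each risky grant the manifest requests,
    covering `permissions`, MV3 `host_permissions` and content_scripts `matches`."""
    requested = set(manifest.get("permissions", []))
    requested |= set(manifest.get("host_permissions", []))
    for script in manifest.get("content_scripts", []):
        requested |= set(script.get("matches", []))
    found = {}
    for perm in requested:
        if perm in RISKY_PERMISSIONS:
            found[perm] = RISKY_PERMISSIONS[perm]
        elif "://" in perm and "*" in perm.split("/")[2]:
            found[perm] = 2  # wildcard host pattern: reads every page on those hosts
    return found


def risk_score(manifest: dict) -> int:
    return sum(risky_permissions(manifest).values())


def audit_profile(profile: Path, min_score: int = 3) -> list:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json and report extensions
    scoring at least `min_score`, highest risk first."""
    report = []
    for manifest_path in (profile / "Extensions").glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or corrupt manifest; skip rather than crash
        score = risk_score(manifest)
        if score >= min_score:
            report.append({
                "id": manifest_path.parts[-3],
                "version": manifest_path.parts[-2],
                "name": manifest.get("name", "?"),  # may be a __MSG_...__ locale key
                "score": score,
                "permissions": sorted(risky_permissions(manifest)),
            })
    return sorted(report, key=lambda r: r["score"], reverse=True)


# Constructed manifests: a developer tool that quietly asks for history access, and
# a benign one that only needs storage and the active tab.
SUSPICIOUS_MANIFEST = {
    "name": "REST Client Helper", "version": "1.4.2", "manifest_version": 2,
    "permissions": ["tabs", "history", "storage", "<all_urls>"],
}
BENIGN_MANIFEST = {
    "name": "Colour Picker", "version": "0.9", "manifest_version": 3,
    "permissions": ["storage", "activeTab"],
}


def demo() -> list:
    """Build a throwaway profile containing both manifests and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        profile = Path(tmp)
        for ext_id, manifest in (("aaaaexample", SUSPICIOUS_MANIFEST),
                                 ("bbbbexample", BENIGN_MANIFEST)):
            d = profile / "Extensions" / ext_id / f"{manifest['version']}_0"
            d.mkdir(parents=True)
            (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
        return audit_profile(profile)


if __name__ == "__main__":
    entries = audit_profile(DEFAULT_PROFILE) if DEFAULT_PROFILE.is_dir() else demo()
    for entry in entries:
        print(f"{entry['score']:2d}  {entry['id']}  {entry['name']}  {entry['permissions']}")
```

Run it as-is to see the constructed report, or point `audit_profile` at a real profile directory; a high score is a reason to read the extension's code, not proof of malice, since legitimate developer tools also request broad host access.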

Read more about the malicious Chrome extension on ZDNet.

This phishing scam group built a list of 50,000 execs to target

A group of online scammers has compiled a list of 50,000 executives, including CFOs and other finance chiefs, to use as targets for their schemes. The list was discovered by security company Agari after the scammers unwisely targeted the company with one of their scams, prompting it to investigate further.

The group – which Agari is calling London Blue – seems to specialise in business email compromise (BEC) scams. While there are many variations, the basic aim is to trick someone within an organisation – usually working in finance – to send funds to a bank account controlled by the crooks, thinking that the transfer is a request from someone senior inside their own organisation.

Read more about the London Blue BEC group on ZDNet.

Phishing Campaign Delivers FlawedAmmyy, RMS RATs

A new campaign delivering various remote access Trojans (RATs) is likely the work of a known Dridex/Locky operator, Morphisec security researchers warn. Dubbed Pied Piper, the campaign targets users in multiple countries and is likely operated by TA505, the threat group known to have orchestrated large Dridex and Locky attacks in the past. Observed starting last week, the phishing attempts use documents with malicious macros for malware delivery.

The campaign is multi-staged and still ongoing, with one version delivering the FlawedAmmyy RAT and another dropping the Remote Manipulator System (RMS) RAT. Earlier this year, TA505 was observed exploiting an Office zero-day to deliver the FlawedAmmyy RAT.

Read more about the new campaign by TA505 on SecurityWeek.

KingMiner malware hijacks the full power of Windows Server CPUs

Cryptojacking, the hijacking of PCs and systems for the purpose of stealing CPU power in order to covertly mine for cryptocurrency, is becoming a thorn in the side of individuals and businesses alike. One in three organizations have been targeted by cryptocurrency mining malware.

Researchers from Check Point said in a blog post that one strain of cryptomining malware, known as KingMiner, first appeared in June this year and is now circulating as a new and improved variant. The malware mainly targets Microsoft IIS and SQL Server hosts, brute-forcing their credentials to gain access. The miner is configured to use 75 percent of CPU capacity but, likely because of coding errors, actually consumes 100 percent.
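Brute-force logons against SQL Server leave a cheap-to-watch trail: every failure is written to the instance ERRORLOG as error 18456 together with the client address. The script below is an added example for this digest, not Check Point's or ZDNet's code. The log lines it parses are constructed in the format SQL Server writes for that error, the threshold and time window are assumptions to tune per environment, and IIS logs (a different format) are not covered.

```python
"""Flag brute-force logon attempts against SQL Server from ERRORLOG lines.

Added example for this digest, not code from Check Point or ZDNet. The log lines are
constructed (in the format SQL Server writes for error 18456); the threshold and the
time window are assumptions to tune for your environment.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# SQL Server writes the failure reason and client address on a line such as:
#   2018-11-30 09:15:02.11 Logon       Login failed for user 'sa'. Reason: ... [CLIENT: 203.0.113.5]
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\..*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_login(line: str):
    """Return {'time', 'user', 'client'} for a failed-logon line, else None."""
    m = LOGIN_FAILED.match(line)
    if not m:
        return None
    return {
        "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "user": m["user"],
        "client": m["client"],
    }


def detect_bruteforce(lines, threshold: int = 10, window=timedelta(seconds=60)) -> list:
    """One alert per client address that produced >= threshold failures inside any
    sliding window of `window` length. Ordinary typos stay below the threshold."""
    per_client = defaultdict(list)
    for line in lines:
        event = parse_failed_login(line)
        if event:
            per_client[event["client"]].append(event)

    alerts = []
    for client, events in per_client.items():
        events.sort(key=lambda e: e["time"])
        recent = deque()  # timestamps inside the current window
        triggered = False
        for event in events:
            recent.append(event["time"])
            while event["time"] - recent[0] > window:
                recent.popleft()
            if len(recent) >= threshold:
                triggered = True
                break
        if triggered:
            alerts.append({
                "client": client,
                "failures": len(events),
                "users": sorted({e["user"] for e in events}),
                "first": events[0]["time"],
                "last": events[-1]["time"],
            })
    return alerts


def constructed_errorlog() -> list:
    """Constructed sample: one host hammering 'sa' and 'admin' every two seconds,
    plus a single mistyped password from an analyst workstation."""
    lines = []
    start = datetime(2018, 11, 30, 9, 15, 0)
    for i in range(12):
        t = (start + timedelta(seconds=2 * i)).strftime("%Y-%m-%d %H:%M:%S")
        user = "admin" if i % 3 == 0 else "sa"
        lines.append(f"{t}.00 Logon       Error: 18456, Severity: 14, State: 8.")
        lines.append(f"{t}.00 Logon       Login failed for user '{user}'. Reason: Password did "
                     f"not match that for the login provided. [CLIENT: 203.0.113.5]")
    lines.append("2018-11-30 09:20:00.00 Logon       Login failed for user 'CORP\\alice'. "
                 "Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]")
    return lines


if __name__ == "__main__":
    for alert in detect_bruteforce(constructed_errorlog()):
        print(f"{alert['client']}: {alert['failures']} failures, users tried {alert['users']}, "
              f"{alert['first']:%H:%M:%S}-{alert['last']:%H:%M:%S}")
```

The sliding window rather than a plain count matters: a dozen failures spread over a week is a forgetful DBA, a dozen in twenty seconds is a password spray, and the list of usernames tried from one address separates the two even more clearly.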

Read more about the newly discovered KingMiner malware on ZDNet.

New BEC Scams Take Advantage of the California Wildfires

Whenever there is a tragedy, some lowlife will try to take advantage of it. Such is the case with a new round of BEC scams that leverage the California wildfires to defraud their victims.

In this campaign, the scammers pose as the CEO of a company and tell an employee that the company's clients have been affected by the California wildfires and need assistance. This is where things get a bit odd: instead of asking for money to be transferred, they ask the employee to go out and buy Google Play gift cards, reveal the redemption codes, and send those back to the attacker.
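Both the London Blue story above and this wildfire lure rely on the same small set of tells: an executive's name on a mailbox the company does not own, a Reply-To that quietly redirects the conversation, and a body that combines urgency, secrecy and a payment method (wire or gift cards). The script below is an added example for this digest, not code from Agari, BleepingComputer or ZDNet; the executive roster, corporate domain and the three messages are constructed so it runs offline, and the phrase list is an assumption to extend for a real tenant.

```python
"""Score inbound mail for business email compromise (BEC) tells.

Added example for this digest, not code from Agari, BleepingComputer or ZDNet. The
executive roster, the corporate domain and the three messages are constructed so
the script runs offline; tune the lists for a real tenant.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed: the domain staff actually mail from, and the names scammers impersonate.
CORPORATE_DOMAINS = {"example.com"}
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Phrases that recur in BEC lures: urgency, secrecy, wires, gift cards (assumed list).
LURE_PHRASES = {
    "wire transfer": r"\bwire transfer\b",
    "urgency": r"\b(urgent|right away|today)\b",
    "secrecy": r"\b(confidential|keep this between us|don't tell)\b",
    "gift cards": r"\bgift cards?\b",
    "redemption codes": r"\bredemption codes?\b",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def lookalike_domain(domain: str) -> str:
    """The corporate domain that `domain` imitates (one edit away), or ''."""
    for real in CORPORATE_DOMAINS:
        if domain != real and edit_distance(domain, real) == 1:
            return real
    return ""


def analyze(raw: str) -> list:
    """Return human-readable findings for one RFC 822 message; empty means clean."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    if name.strip().lower() in EXECUTIVE_NAMES and from_domain not in CORPORATE_DOMAINS:
        findings.append(f"executive display name '{name}' on external domain {from_domain}")
    real = lookalike_domain(from_domain)
    if real:
        findings.append(f"sender domain {from_domain} is one edit away from {real}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        findings.append(f"Reply-To routes answers to {domain_of(reply)}, not {from_domain}")

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    hits = [label for label, pattern in LURE_PHRASES.items() if re.search(pattern, text, re.I)]
    if hits:
        findings.append("lure phrases: " + ", ".join(hits))
    return findings


# Constructed messages: the wildfire gift-card lure, a lookalike-domain wire request,
# and an ordinary internal mail that must produce no findings.
SAMPLES = {
    "gift_card": """From: Jane Doe <jane.doe@freemail.example>
Reply-To: ceo.office@freemail-reply.example
To: accounts@example.com
Subject: Help for our clients

Our clients were hit by the California wildfires and need assistance today.
Please buy Google Play gift cards and send me the redemption codes. Keep this between us.
""",
    "lookalike": """From: John Smith <john.smith@examp1e.com>
To: treasury@example.com
Subject: Payment

Please process this wire transfer right away; it is confidential.
""",
    "benign": """From: John Smith <john.smith@example.com>
To: staff@example.com
Subject: Monday minutes

Minutes from Monday's meeting are attached.
""",
}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyze(raw) or "clean")
```

None of these checks is conclusive on its own (executives do occasionally mail from personal accounts), which is why the output is a list of findings rather than a verdict; in practice the header checks are the high-confidence signals and the phrase list mostly serves to prioritise analyst review.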

Read more about the new BEC scam on BleepingComputer.

L0rdix becomes the new Swiss Army knife of Windows hacking

A new hacking tool making the rounds in underground forums has been deemed the latest “go-to” universal offering for attackers targeting Microsoft Windows PCs. The software is called L0rdix and according to cybersecurity researchers from enSilo is “aimed at infecting Windows-based machines, combines stealing and cryptocurrency mining methods, [and] can avoid malware analysis tools.”

In a blog post, enSilo researcher Ben Hunter said the tool is relatively new and is available for purchase. There are, however, indicators that L0rdix is still undergoing development despite an array of different functions already implemented within the malware. Written in .NET, L0rdix has been developed with stealth in mind.

Read more about the L0rdix hacking tool on ZDNet.

6 mobile security threats you should take seriously in 2019

Mobile security is at the top of every company’s worry list these days — and for good reason: Nearly all workers now routinely access corporate data from smartphones, and that means keeping sensitive info out of the wrong hands is an increasingly intricate puzzle.

While it’s easy to focus on the sensational subject of malware, the truth is that mobile malware infections are incredibly uncommon in the real world, thanks to both the nature of mobile malware and the inherent protections built into modern mobile operating systems. The more realistic mobile security hazards lie in some easily overlooked areas, all of which are only expected to become more pressing in the coming year.

Read more about the major mobile security threats for 2019 on CSO.

Winter Olympic Games hackers are back with an updated arsenal

The hacking team behind a cyberattack that disrupted the Winter Olympic Games is back with an updated cache of droppers and hacking tools. Researchers from Check Point said that Hades, the advanced persistent threat (APT) group believed to be behind this year's attack on systems used at the Winter Olympic Games, has begun a potential evolutionary shift.

“Over the last few weeks, we have noticed new activity from Hades,” the researchers say. “This new wave of attack shares a lot with those previously attributed to the group but it seems that this time we are witnessing significant changes that may hint at a new evolution from the group.”

Read more about the new activity of the Hades APT on ZDNet.

Hacking group returns, switches attacks from ransomware to trojan malware

A prolific hacking group has returned with a new campaign which looks to deliver a new remote access trojan (RAT) to victims in order to create a backdoor into PCs to steal credentials and banking information.

The campaign is suspected to be the work of TA505, a well-resourced hacking group which has been active since at least 2014. Now TA505 is running a new campaign, which has been detailed by researchers at security company Proofpoint. In line with a change of focus by other cyber criminal groups, TA505 has shifted away from ransomware and banking trojans and now appears to focus on RATs.

Read more about the new campaign by TA505 on ZDNet.

Most antivirus programs fail to detect this cryptocurrency-stealing malware

A new, active campaign is using malware capable of dancing around traditional antivirus solutions in order to empty cryptocurrency wallets. The malware is being used in the DarkGate campaign, a previously undetected hacking operation uncovered this week by enSilo security researchers. According to the team, DarkGate is currently underway in Spain and France, targeting Microsoft Windows PCs by way of torrent files.

Torrent files are most commonly associated with pirated content, but the technology itself is not illegal. In this case, however, the infected .torrent files masquerade as pirated versions of popular television shows and films.

Read more about the malware used in the DarkGate campaign on ZDNet.