4 September 2017

Last week through the prism of cyberattacks


At the beginning of the week, Michael Gillespie of ID-Ransomware reported on Twitter the discovery of a new Nuclear variant of the BTCWare ransomware.

Although the new variant uses the same encryption method, it differs from earlier ones in several respects: it encrypts the victim's AES encryption key with a different RSA public key, drops a ransom note in a file named HELP.hta, and appends the .[affiliate_email].nuclear extension to encrypted files.

BTCWare was not the only ransomware with a new variant. AppRiver observed one of the largest ransomware campaigns of 2017, targeting about 23 million users. The attackers used the latest variant of the Locky ransomware, “Lukitus”. Unlike other ransomware, Lukitus is delivered in the form of notifications that appear to come from Dropbox, as well as via booby-trapped Word documents.

MalwareHunterTeam discovered a new variant of the CryptoMix ransomware that turns filenames into hexadecimal strings and appends the .arena extension to encrypted files.

It also emerged on August 28 that the SMS messages with shortened URLs that South Koreans had been receiving for the past month were being used to deliver the MoqHao malware. The issue affects only Android devices. Once on the system, the Trojan is able to gather sensitive information, install Android apps, execute arbitrary commands, and send phishing SMS messages to people in the victim’s contact list. The first version of the malware was identified in January 2017.

A similar campaign was observed two years ago, which suggests that the phishing attacks were carried out by an organized hacking group.

On August 29, the Paris-based security researcher Benkow reported a spambot holding 711 million email accounts. A week earlier, the researcher had discovered that a web server in the Netherlands was storing a large number of text files containing a huge quantity of email addresses, passwords, and email servers used to send spam. Benkow stated that the information included data from previous data breaches (e.g. LinkedIn, Badoo).

Troy Hunt, founder of the data breach search service Have I Been Pwned?, called it the "largest" amount of data to enter the breach notification site.

The spambot, dubbed "Onliner", is used to spread the Ursnif banking malware (a data-stealing Trojan) and has already led to more than 100,000 unique infections worldwide.

On Tuesday, the second-hand electronics dealer CeX published an alert about a recent data breach affecting 2 million users. The company also emailed affected customers recommending that they change their webuy.com passwords. The attackers stole first names, surnames, phone numbers, and physical and email addresses; credit card data, however, was not leaked.

Essential founder and CEO Andy Rubin published an apology for the disclosure of the private data of 70 customers. The company had been sending its customers emails asking them to verify their identities by providing a picture of a driver’s license, state ID, or passport. Due to a misconfiguration of Essential’s mailing software, these confidential customer documents were sent to other customers. To make amends, Andy Rubin offered affected customers a year of the LifeLock identity theft protection service for free.

This summer, Dorchester School District 2 fell victim to an attack by an unidentified ransomware. The attack crashed the operating systems on 25 of the 65 servers in the district’s computer network. On August 30, DD2 officials informed parents and staff that no student or staff identity data had been compromised. However, the attackers corrupted some files, for which DD2 had to pay a $2900 ransom.

On Wednesday, US citizens were warned of a new wave of phishing attacks. The attackers were sending malicious emails purporting to come from the FBI and the Internal Revenue Service (IRS), with a link to a bogus FBI questionnaire. The phishing website distributed ransomware. To make the emails more convincing, the attackers used the FBI and IRS emblems.

Hacking groups were also back in the news this week.

Two security vendors published advisories on recent malicious activity believed to be linked to the Russian-speaking APT group Turla. ESET reported on the Gazer backdoor, used mostly in data-stealing campaigns against diplomatic premises in Southeastern Europe and the countries of the former Soviet Union. The backdoor shares certain similarities with Carbon and Kazuar, two backdoors used by Turla earlier.

Kaspersky Lab reported on WhiteBear, activity dating back to mid-February, during which researchers observed the use of another data-stealing backdoor dubbed Kopiluwak. WhiteBear is believed to be the second phase of the White Atlas campaign, which targeted embassies and diplomatic/foreign affairs organizations in 2016.

On Wednesday evening, the Saudi Arabian hacking group OurMine carried out a DNS poisoning attack against WikiLeaks and defaced its official website.

A US government website was found to be hosting JavaScript that delivered the Cerber ransomware. Victims were prompted to download a double-zipped archive containing a malicious PowerShell script, which in turn downloaded a .gif file that was in fact the Cerber executable.

Security researchers noted that the operation has similarities with Blank Slate, another campaign spreading Cerber.

The second half of the week brought reports of another ransomware campaign targeting millions of users’ inboxes. Victims received emails with a malicious attachment, a JavaScript file inside a 7zip archive, which was classified as a ‘file-encryption/ransomware’ type virus.

Symantec reported on new cyber-espionage attacks against India and Pakistan that began in October 2016. According to the report, the attacks were carried out by several espionage groups. All of them used common methods and techniques, which suggests they were state-sponsored. The campaign resembles an earlier campaign targeting Qatar in which programs called Spynote and Revokery were used.

The spies accessed personal data via the “Ehdoor” backdoor, embedded in documents that purported to contain security reports. The malware can steal personal data, upload files, and run processes, and was earlier used in attacks against government, military, and military-affiliated targets in the Middle East and elsewhere.

On August 31, Palo Alto Networks’ Unit 42 reported on a DragonOK campaign targeting Cambodian citizens. The threat actor used updated spear-phishing techniques and themes to deliver the KHRAT remote access Trojan.

On June 21, a document with the filename “Mission Announcement Letter for MIWRMP phase 3 implementation support mission, June 26-30, 2017(update).doc” was being distributed via the website update.upload-dropbox[.]com, hosted at the Russian IP address 194.87.94[.]61. MIWRMP stands for “Mekong Integrated Water Resources Management Project”, a multi-million dollar World Bank-funded project concerned with effective water resource and fisheries management in North Eastern Cambodia.

On the last day of the summer, Malwarebytes Labs researchers discovered a new drive-by download campaign using the RIG exploit kit to spread the Princess/PrincessLocker ransomware.

On September 1, two security organizations reported on a new EITest campaign. Researchers at the SANS Internet Storm Center and Palo Alto Networks found that the activity was delivering either the NetSupport Manager remote access tool (RAT) or the Locky ransomware.

The attackers spread HoeflerText notifications that served JavaScript files to users of the Google Chrome, Opera, Vivaldi, and Firefox browsers.

Over the weekend, security experts Dylan Katz and Victor Gevers reported a resurgence of ransom attacks against MongoDB. Three new groups that appeared during the week hijacked over 26,000 servers.

Besides MongoDB, the attacks target other server technologies, such as ElasticSearch, Hadoop, CouchDB, Cassandra, and MySQL.

The issue, known as the MongoDB Apocalypse, was previously observed from December 2016 to February 2017. Since then, attackers have destroyed over 45,000 databases.

By Olga Vikiriuk.
