4 September 2017

Last week through the prism of cyberattacks

At the beginning of the week Michael Gillespie of ID-Ransomware reported on Twitter that a new variant of BTCWare ransomware, called Nuclear, had been found.

The new variant uses the same encryption scheme as earlier BTCWare builds but differs in three details: it encrypts the victim's AES key with a different RSA public key, drops a ransom note named HELP.hta, and appends the extension .[affiliate_email].nuclear to encrypted files.

BTCWare was not the only family with a new variant. AppRiver observed one of the largest ransomware campaigns of 2017, with some 23 million messages sent. The attackers used the latest variant of Locky ransomware, "Lukitus", which is delivered through fake Dropbox notifications and booby-trapped Word documents.

MalwareHunterTeam discovered a new variant of the CryptoMix ransomware that turns file names into hexadecimal strings and appends the .arena extension to encrypted files.

On August 28 it also emerged that the SMS messages with shortened URLs that South Koreans had been receiving for the past month were delivering the MoqHao malware. Only Android devices are affected. Once installed, the Trojan can collect sensitive information, install other Android apps, execute arbitrary commands and send phishing SMS messages to everyone in the victim's contact list. The first version of the malware was identified in January 2017.

A similar campaign was observed two years ago, which suggests that the phishing attacks are the work of an organized group.

On August 29, the Paris-based security researcher Benkow disclosed a spambot holding 711 million email accounts. A week earlier he had found that a web server in the Netherlands stored a large number of text files containing email addresses, passwords and the details of the mail servers used to send spam. Benkow noted that the data included records from earlier breaches (e.g. LinkedIn, Badoo).

Troy Hunt, founder of the data breach search service Have I Been Pwned?, called it the "largest" single data set ever loaded into the breach notification site.

The spambot, dubbed "Onliner", is used to distribute the Ursnif banking Trojan (a data-stealing malware) and has already caused more than 100,000 unique infections worldwide.

On Tuesday, the second-hand electronics retailer CeX published an alert about a data breach affecting up to 2 million customers. The company also emailed the affected customers, advising them to change their webuy.com passwords. The attackers stole first names, surnames, phone numbers, physical addresses and email addresses; no credit card data were leaked.

Essential founder and CEO Andy Rubin apologised for the exposure of the private data of about 70 customers. The company had emailed customers asking them to verify their identities by sending a picture of a driver's license, state ID or passport. Because Essential's mailing software was misconfigured, the replies containing those documents were forwarded to other customers. To make amends, Rubin offered the affected customers a year of the LifeLock identity theft protection service free of charge.

This summer Dorchester School District 2 was hit by an unidentified ransomware strain. The attack crashed the operating systems on 25 of the 65 servers in the district's network. On August 30, DD2 officials told parents and staff that no student or staff identity data had been compromised. However, the attackers did corrupt some files, and DD2 paid a $2,900 ransom to recover them.

On Wednesday, US citizens were warned of a new wave of phishing emails sent in the name of the FBI and the Internal Revenue Service (IRS) and containing a link to a bogus FBI questionnaire. The phishing site delivered ransomware. To look more convincing, the attackers used the FBI and IRS emblems.

Hacking groups were also back in the news this week.

Two security vendors published advisories on recent malicious activity attributed to the Russian-speaking APT group Turla. ESET reported on Gazer, a backdoor used mostly in data-stealing campaigns against diplomatic missions in Southeastern Europe and the former Soviet republics. The backdoor shares traits with Carbon and Kazuar, two backdoors used by Turla earlier.

Kaspersky Lab described WhiteBear, activity dating back to mid-February, during which the researchers observed another data-stealing backdoor dubbed Kopiluwak. WhiteBear is believed to be the second phase of the White Atlas campaign, which targeted embassies and diplomatic/foreign affairs organizations in 2016.

On Wednesday evening, the hacking group OurMine, which claims to be Saudi-based, hijacked WikiLeaks' DNS records so that the official website resolved to a defacement page. The WikiLeaks servers themselves were not compromised; only the domain's DNS was redirected.

A US Government website was found to be hosting JavaScript that delivered Cerber ransomware. Victims were prompted to download a double-zipped archive containing a malicious PowerShell script, which in turn downloaded a .gif file that was in fact the Cerber executable.

Security researchers noted that the infection chain resembles Blank Slate, another Cerber distribution campaign.
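The Cerber chain above relies on a payload whose file extension lies about its content: a ".gif" that is really a Windows executable. The following check is an added example written for this article (not code from the researchers or from the campaign); it identifies a file by its leading magic bytes and flags any file whose extension disagrees with them. The sample files are constructed inline, not real captures.

```python
"""Flag payloads whose extension disagrees with their magic bytes.

Added example, not from the original article. The Cerber stage described
above was served as a .gif that was actually a PE executable; checking the
first bytes instead of trusting the name catches that disguise.
"""
from typing import Dict, List, Optional

# Leading bytes that identify a format. A DOS/PE executable starts with "MZ".
SIGNATURES: Dict[bytes, str] = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"MZ": "pe",
}

# What each extension claims to be, using the same labels as SIGNATURES.
EXTENSION_CLAIMS: Dict[str, str] = {
    "gif": "gif", "png": "png", "jpg": "jpeg", "jpeg": "jpeg",
    "zip": "zip", "exe": "pe", "dll": "pe", "scr": "pe",
}


def sniff(data: bytes) -> str:
    """Return the format implied by the magic bytes, or 'unknown'."""
    # Longest signature first so a long magic is never shadowed by a short one.
    for magic in sorted(SIGNATURES, key=len, reverse=True):
        if data.startswith(magic):
            return SIGNATURES[magic]
    return "unknown"


def claimed_type(name: str) -> Optional[str]:
    """Format the file name claims via its extension, or None if unrecognised."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return EXTENSION_CLAIMS.get(ext)


def extension_mismatch(name: str, data: bytes) -> bool:
    """True when the name's extension and the content's magic bytes disagree.

    A file with an unrecognised extension is not flagged (there is nothing to
    compare), except when its content is an executable: a PE image behind any
    non-executable extension is always suspicious.
    """
    claimed = claimed_type(name)
    actual = sniff(data)
    if claimed is None:
        return actual == "pe"
    return claimed != actual


def scan(files: Dict[str, bytes]) -> List[str]:
    """Return the names in a {name: contents} map whose type is disguised."""
    return [name for name, data in files.items() if extension_mismatch(name, data)]


# Constructed samples (not real captures): a genuine GIF header, a PE image
# renamed to .gif the way the campaign did it, and an ordinary zip.
SAMPLES: Dict[str, bytes] = {
    "banner.gif": b"GIF89a\x01\x00\x01\x00\x80\x00\x00",
    "update.gif": b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff",
    "archive.zip": b"PK\x03\x04\x14\x00\x00\x00",
}

if __name__ == "__main__":
    print(scan(SAMPLES))  # ['update.gif']
```

In a mail gateway or proxy the same check is applied to the first few bytes of each downloaded object; the point is that the decision uses the content, never the name or the Content-Type header the server chose to send.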

The second half of the week brought another ransomware campaign aimed at millions of inboxes. The emails carried a malicious attachment, a JavaScript file inside a 7-Zip archive, classified as a 'file-encryption/ransomware' type of malware.

Symantec reported new cyber-espionage attacks against India and Pakistan that began in October 2016. According to the report, several espionage groups conducted the attacks, all of them using common tools and techniques, which suggests they were state-sponsored. The campaign resembles an earlier one against Qatar in which the Spynote and Revokery programs were used.

The attackers obtained personal data through the "Ehdoor" backdoor, embedded in documents purporting to contain security reports. The malware can steal personal data, upload files and run processes, and was earlier used in attacks on government, military and military-affiliated targets in the Middle East and elsewhere.

On August 31, Palo Alto Networks' Unit 42 reported a malicious campaign by the DragonOK threat actor targeting Cambodian citizens. The group used updated spear-phishing techniques and lure themes to deliver the KHRAT remote access Trojan.

On June 21, a document named “Mission Announcement Letter for MIWRMP phase 3 implementation support mission, June 26-30, 2017(update).doc” was being distributed from update.upload-dropbox[.]com, hosted on the Russian IP address 194.87.94[.]61. MIWRMP stands for “Mekong Integrated Water Resources Management Project”, a multi-million dollar World Bank-funded project on water resource and fisheries management in north-eastern Cambodia.

On the last day of summer, Malwarebytes Labs researchers discovered a new drive-by download campaign using the RIG exploit kit to spread Princess/PrincessLocker ransomware.

September 1 brought reports from two security companies about a new EITest campaign. Researchers at the SANS Internet Storm Center and Palo Alto Networks found that the activity delivered either the NetSupport Manager remote access tool (RAT) or Locky ransomware.

The attackers served fake HoeflerText font notifications, carrying the malicious JavaScript, to users of Google Chrome, Opera, Vivaldi and Firefox.

Over the weekend, security researchers Dylan Katz and Victor Gevers reported a new wave of ransom attacks on MongoDB databases. Three new groups that appeared during the week hijacked over 26,000 servers.

Besides MongoDB, such attacks also hit other server technologies: ElasticSearch, Hadoop, CouchDB, Cassandra and MySQL.

The wave, dubbed the MongoDB Apocalypse, was first observed between December 2016 and February 2017; since then the attackers have wiped over 45,000 databases.
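The ransom attacks in this wave hit MongoDB instances that were reachable from the Internet with no authentication enabled, so an attacker could simply connect, dump or drop the collections and leave a ransom note. The two mongod.conf fragments below are an added illustration, not part of the original article or of MongoDB's own documentation: the first is the exposed setup the groups preyed on, the second a hardened one. The port and the private address 10.0.0.5 are placeholders.

```yaml
# Added example, not from the article: two mongod.conf (YAML) fragments.

# --- 1. Exposed: listens on every interface, no authentication required ---
net:
  port: 27017
  bindIp: 0.0.0.0       # reachable from the whole Internet
# no "security" section: any client that can connect has full access

---
# --- 2. Hardened: loopback plus the private app-network address, auth on ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 is a placeholder for the private interface
security:
  authorization: enabled       # every client must authenticate; roles are enforced
```

Create an administrative user before switching authorization on (MongoDB's localhost exception allows the first user to be created from the local machine), restart mongod, and then verify from an outside host that an unauthenticated connection is refused. A firewall rule limiting port 27017 to the application network is the second layer; neither setting on its own would have stopped this wave if the other was missing.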

By Olga Vikiriuk.
