Viruses and Worms

Insurers hurl sueball at Trustwave over 2008 Heartland megabreach

The Register - Anti-Virus - 10 July, 2018 - 17:15
Firm smacks back: We 'did not manage Heartland's information security'

Security services firm Trustwave has been sued by insurers in America over the 2008 hacking of US payment processing biz Heartland.…


Think that bitcoins and a VPN keep you anonymous? Think again…

Sophos Naked Security - 10 July, 2018 - 15:59
A popular cryptowallet service has advised users of the Hola VPN to shift their funds to replacement accounts after an alleged hack.

Researchers Reveal Workaround for Apple’s USB Restricted Mode - 10 July, 2018 - 15:36
Researchers released a workaround for Apple's USB Restricted Mode security feature the same day it was rolled out.

It's mid-year report time, let's see how secure corporate networks are. Spoiler alert: Not at all

The Register - Anti-Virus - 10 July, 2018 - 15:09
Pen test bods probe about two dozen orgs – all fail

Companies are still leaving basic security flaws and points of entry wide open for hackers to exploit.…


Why the airplane romance that went viral should worry everyone

Sophos Naked Security - 10 July, 2018 - 14:45
Covert footage taken of two strangers on a plane went viral as people mooned over The Lovebirds In The Air (And Mucho Spying) Affair.

Woman scams scammer, incriminates self in the process

Sophos Naked Security - 10 July, 2018 - 14:21
"This is SO NOT my ripped-off laptop," the scammer must have thought when the scammer-scammer sent a package of magazines instead.

Gas thieves remotely pwn pump with mysterious device

Sophos Naked Security - 10 July, 2018 - 14:17
In broad daylight, over the course of about 90 minutes, thieves somehow remotely froze pump software and stole 600 gallons of gas.

Privates on parade: fitness tracker app reveals sensitive user details

Sophos Naked Security - 10 July, 2018 - 13:11
Another online fitness tracking app - Polar Flow - is giving up sensitive information. But this time, it's revealing the names and home locations of government personnel.

Malware authors' continued use of stolen certificates isn't all bad news

Virus Bulletin News - 10 July, 2018 - 12:32
A new malware campaign that uses two stolen code-signing certificates shows that such certificates continue to be popular among malware authors. But there is a positive side to malware authors' use of stolen certificates.


APT Trends Report Q2 2018

Kaspersky Securelist - 10 July, 2018 - 12:00

In the second quarter of 2017, Kaspersky Lab’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports, in an effort to make the public aware of the research we have been conducting. This report serves as the latest installment, focusing on the relevant activities that we observed during Q2 2018.

These summaries are a representative snapshot of what has been discussed in greater detail in our private reports. They aim to highlight the significant events and findings that we feel people should be aware of. For brevity’s sake, we are choosing not to publish indicators associated with the reports highlighted. However, readers who would like to learn more about our intelligence reports or request more information on a specific report are encouraged to contact:

Remarkable new findings

We are always interested in analyzing new techniques used by existing groups, or in finding new clusters of activity that might lead us to discover new actors. Q2 2018 was very interesting in terms of APT activity, with a remarkable campaign that reminds us how real some of the threats are that we have been predicting over the last few years. In particular, we have warned repeatedly how ideal networking hardware was for targeted attacks, and that we had started seeing the first advanced sets of activity focusing on these devices.

In terms of well-known groups, Asian actors were the most active by far.

Lazarus/BlueNoroff was suspected of targeting financial institutions in Turkey as part of a bigger cyberespionage campaign. The same actor was also suspected of a campaign against an online casino in Latin America that ended in a destructive attack. Based on our telemetry, we further observed Lazarus targeting financial institutions in Asia. Lazarus has accumulated a large collection of artefacts over the last few years, in some cases with heavy code reuse, which makes it possible to link many newly found sets of activity to this actor. One such tool is the Manuscrypt malware, used exclusively by Lazarus in many recent attacks. The US-CERT released a warning in June about a new version of Manuscrypt they call TYPEFRAME.

US-CERT alert on Manuscrypt/TYPEFRAME malware used by Lazarus

Even if it is unclear what the role of Lazarus will be in the new geopolitical landscape, where North Korea is actively engaged in peace talks, it would appear that financially motivated activity (through the BlueNoroff and, in some cases, the Andariel subgroup) continues unabated.

Possibly even more interesting is the relatively intense activity by Scarcruft, also known as Group123 and Reaper. Back in January, Scarcruft was found using a zero-day exploit, CVE-2018-4878 to target South Korea, a sign that the group’s capabilities were increasing. In the last few months, the use of Android malware by this actor has been discovered, as well as a new campaign where it spreads a new backdoor we call POORWEB. Initially, there was suspicion that Scarcruft was also behind the CVE-2018-8174 zero day announced by Qihoo360. We were later able to confirm the zero day was actually distributed by a different APT group, known as DarkHotel.

The overlaps between Scarcruft and Darkhotel go back to 2016 when we discovered Operation Daybreak and Operation Erebus. In both cases, attacks leveraged the same hacked website to distribute exploits, one of which was a zero day. We were later able to separate these as follows:

Operation   Exploit         Actor
Daybreak    CVE-2016-4171   DarkHotel
Erebus      CVE-2016-4117   Scarcruft

DarkHotel’s Operation Daybreak relied on spear-phishing emails predominantly targeting Chinese victims with a Flash Player zero day. Meanwhile, Scarcruft’s Operation Erebus focused primarily on South Korea.

Analysis of the CVE-2018-8174 exploit used by DarkHotel revealed that the attacker was using URLMoniker to invoke Internet Explorer through Microsoft Word, ignoring any default browser preferences on the victim’s computer. This is the first time we have observed this technique, and we believe it may be reused in future for different attacks. For more details, see our Securelist blog post “The King is Dead. Long Live the King!”.

We also observed some relatively quiet groups coming back with new activity. A noteworthy example is LuckyMouse (also known as APT27 and Emissary Panda), which abused ISPs in Asia for waterhole attacks on high profile websites. We wrote about LuckyMouse targeting national data centers in June. We also discovered that LuckyMouse unleashed a new wave of activity targeting Asian governmental organizations just around the time they had gathered for a summit in China.

Still, the most notable activity during this quarter is the VPNFilter campaign attributed by the FBI to the Sofacy and Sandworm (Black Energy) APT groups. The campaign targeted a large array of domestic networking hardware and storage solutions. It is even able to inject malware into traffic in order to infect computers behind the infected networking device. We have provided an analysis on the EXIF to C2 mechanism used by this malware.

This campaign is one of the most relevant examples we have seen of how networking hardware has become a priority for sophisticated attackers. The data provided by our colleagues at Cisco Talos indicates this campaign was at a truly global level. We can confirm with our own analysis that traces of this campaign can be found in almost every country.

Activity of well-known groups

It seems that some of the most active groups from the last few years have reduced their activity, although this does not mean they are less dangerous. For instance, it was publicly reported that Sofacy started using new, freely available modules as final-stage payloads for some victims. However, we observed that this went hand in hand with yet another innovation in their arsenal: new downloaders written in the Go programming language to distribute Zebrocy.

There is possibly one notable exception to this supposed lack of activity. After the Olympic Destroyer campaign last January against the PyeongChang Winter Olympic Games, we observed new suspected activity by the same actor (we tentatively call them Hades) in Europe. This time, it seems the targets are financial organizations in Russia, and biological and chemical threat prevention laboratories in Europe and Ukraine.

But even more interesting is the resemblance between the TTPs and OPSEC of the Olympic Destroyer set of activity and those of Sofacy. Olympic Destroyer is a master of deception, so this may be yet another false flag, but so far we connect, with low to medium confidence, the Hades group activity to Sofacy.

One of the most interesting attacks we detected was an implant from Turla (attributed to this actor with medium confidence) that we call LightNeuron. This new artefact directly targets Exchange Servers and uses legitimate standard calls to intercept emails, exfiltrate data and even send mails on behalf of the victims. We believe this actor has been using this technique since maybe as early as 2014, and that there is a version affecting Unix servers running Postfix and Sendmail. So far we have seen victims of this implant in the Middle East and Central Asia.

Newcomers and comebacks

Every now and then, we are surprised to see old actors that have been dormant for months or even years distributing new malware. Obviously, this may be caused by a lack of visibility, but regardless of that, it indicates that these actors are still active.

One good example would be WhiteWhale, an actor that has been extremely quiet since 2016. We detected a new campaign last April where the actor was distributing both the Taidoor and Yalink malware families. This activity was almost exclusively targeting Japanese entities.

Following the intense diplomatic activity around the North Korea peace talks and the subsequent summit with the U.S. president in Singapore, Kimsuky decided to take advantage of this theme to distribute its malware in a new campaign. A massive update to its arsenal in late 2017 and early 2018 was mobilized in a new wave of spear-phishing emails.

We also discovered a new low-sophistication set of activity we call Perfanly, which we couldn’t attribute to any known actor. It has been targeting governmental entities in Malaysia and Indonesia since at least 2017. It uses custom multistage droppers as well as freely available tools such as Metasploit.

Between June and July, we observed a battery of attacks against various institutions in Kuwait. These attacks leverage Microsoft Office documents with macros, which drop a combination of VBS and PowerShell scripts using DNS for command and control. We have observed similar activity in the past from groups such as OilRig and Stonedrill, which leads us to believe the new attacks could be connected, though for now that connection is only assessed with low confidence.

Final thoughts

The combination of simple custom artefacts designed mainly to evade detection, with publicly available tools for later stages seems to be a well-established trend for certain sets of activity, like the ones found under the ‘Chinese-speaking umbrella’, as well as for many newcomers who find the entry barrier into APT cyberespionage activity non-existent.

The intermittent activity by many actors simply indicates they were never out of business. They might take small breaks to reorganize themselves, or to perform small operations that might go undetected on a global scale. Probably one of the most interesting cases is LuckyMouse, with aggressive new activity heavily related to the geopolitical agenda in Asia. It is impossible to know if there is any coordination with other actors who resurfaced in the region, but this is a possibility.

One interesting aspect is the high level of activity by Chinese-speaking actors against Mongolian entities over the last 10 months. This might be related to several summits between Asian countries – some related to new relations with North Korea – held in Mongolia, and to the country’s new role in the region.

There were also several alerts from NCSC and US CERT regarding Energetic Bear/Crouching Yeti activity. Even if it is not very clear how active this actor might be at the moment (the alerts basically warned about past incidents), it should be considered a dangerous, active and pragmatic actor very focused on certain industries. We recommend checking our latest analysis on Securelist because the way this actor uses hacked infrastructure can create a lot of collateral victims.

To recap, we would like to emphasize just how important networking hardware has become for advanced attackers. We have seen various examples during recent months and VPNFilter should be a wake-up call for those who didn’t believe this was an important issue.

We will continue to track all the APT activity we can find and will regularly highlight the more interesting findings, but if you want to know more, please reach out to us at

Evil third-party screens on smartphones are able to see all that you poke

The Register - Anti-Virus - 10 July, 2018 - 11:47
Of course researchers added machine learning to the mix too

Smartphone hackers can glean secrets by analysing touchscreen user interactions, according to new research.…


Brown pants moment for BlueJeans: Dozens of AV tools scream its vid chat code is malware

The Register - Anti-Virus - 10 July, 2018 - 08:28
How it all happened (clue: unsigned library loaded)

Programmers at videoconferencing software house BlueJeans have been living through a developer's nightmare the past month or so – antivirus packages falsely labeling their code as malware.…


Malware-slinging scum copied D-Link's code-signing certificates to dress up PC nasties

The Register - Anti-Virus - 10 July, 2018 - 07:01
Password-stealing backdoor lobbed at Windows boxes

Security researchers have warned that someone's obtained copies of code-signing certificates from two Taiwanese companies – and is using them to sign malware.…


Apple OS Update Lifts Curtain on iPhone USB Restricted Mode - 9 July, 2018 - 22:53
Apple has officially added a controversial security feature, USB Restricted Mode, to iPhones as part of its new iOS 11.4.1, released on Monday.

How to Solve the Developer vs. Cybersecurity Team Battle - 9 July, 2018 - 21:29
InfoSec Insider Chris Eng tackles how companies can bridge the divide between software developers and cybersecurity teams to bring reliable and secure applications to market.

Polar Fitness App Exposes Location of ‘Spies’ and Military Personnel - 9 July, 2018 - 19:43
The fitness app Polar Flow exposes the whereabouts of some of its high-profile users, including “spies” and those with sensitive positions in the military.

Microsoft might not support Windows XP any more, but GandCrab v4.1 ransomware does

The Register - Anti-Virus - 9 July, 2018 - 18:20
Charming. First worm able to infect legacy systems has a module called 'network f*cker'

Miscreants have developed the first strain of ransomware worm capable of infecting legacy systems, such as Windows XP and 2003.…


ThreatList: Virtualization-related Bug Reports Jump 275 Percent in 2018 - 9 July, 2018 - 17:46
The Zero Day Initiative said that the number of bugs reported in 2018 is on track to trump its previous busiest year, 2017.

Cops suspect Detroit fuel station was hacked before 10 drivers made off with 2.3k 'free' litres

The Register - Anti-Virus - 9 July, 2018 - 17:45
But experts aren't convinced...

Updated: Police suspect that high-tech thieves may have hacked into a Detroit petrol station before stealing about 600 US gallons (roughly 2,300 litres) of fuel.…


Does “SettingContent-ms” ring a bell? Unfortunately, it does for attackers

VIRY.CZ - 9 July, 2018 - 16:51

As if what was published in the previous news item were not enough, we now have another exploitable file format, this time with the .SettingContent-ms extension.

Paradoxically, this “blunder” was introduced only in Windows 10. For once, we can say that owners of older Windows versions are safe.
