A hacker group calling itself Dark Overlord threatened to release files it claims were stolen from a law firm, believed to have advised the insurance company that handled claims related to the September 11 terrorist attacks, unless the firm paid a ransom in bitcoin. According to the group’s own announcement, the stolen data includes:
The threat to release the stolen information stems from a prior attack in which the law firm paid the initial ransom but, according to the group, breached its “terms of agreement” by reporting the incident to law enforcement. The group is now threatening to “bury” the law firm unless it pays a second ransom.
This is not Dark Overlord’s first appearance: the group was also responsible for leaking stolen, unreleased episodes of the Netflix series Orange Is the New Black after Netflix refused to pay a ransom.
Source: SC Magazine
Emotet malware evolving into a significant cyber threat
A botnet and widespread malware family known as Emotet has emerged as an increasingly dangerous threat to organizations over the past year as its operators refine their tactics.
When first deployed in 2014, Emotet was a banking Trojan designed to steal banking credentials and other sensitive data, spread mainly through phishing emails carrying malicious documents or links. It has since evolved rapidly: its operators now use business email compromise as a delivery mechanism and have added the ability to drop additional payloads.
- Emotet’s operators, a group tracked as Mealybug, have shifted their business model over time from running a banking Trojan to distributing other groups’ malware.
- Mealybug has joined the ranks of malware-as-a-service operators, selling access to its malware to other criminals.
- Paired with ransomware delivered as a follow-on payload, Emotet infections become harder to contain and more damaging, making it an even more dangerous threat.
- The United States Computer Emergency Readiness Team (US-CERT) has taken notice, issuing an alert on Emotet in July 2018 that called it “an advanced modular banking Trojan that mainly functions as a downloader or dropper of other banking Trojans.”
- Trend Micro, a cybersecurity firm, observed an Emotet campaign this past summer in the form of spam emails crafted to appear as if sent from a legitimate bank email address. The emails contained a link to download a .doc file containing a macro that, when run, downloads and executes the Emotet malware.
FBI and AFOSI joint crackdown on the Joanap botnet follows charges over the WannaCry and Sony Pictures attacks
In January 2019, the U.S. Department of Justice (DOJ) announced efforts to "map and further disrupt" a botnet tied to North Korea that has spent the last decade infecting Microsoft Windows computers around the world.
- The “Joanap” botnet is attributed to "Hidden Cobra," an advanced persistent threat (APT) group also known as Lazarus Group and Guardians of Peace, backed by the North Korean government.
- Hidden Cobra is the same group believed to be behind the 2017 WannaCry ransomware outbreak, the 2016 SWIFT banking attacks, and the 2014 hack of Sony Pictures.
- Joanap-infected computers communicate over a peer-to-peer infrastructure, which effectively makes every infected computer part of the botnet’s command-and-control system. Although antivirus software detects Joanap, the peer-to-peer design means there is no single server whose removal would disconnect the rest, so many infected computers remain connected to the internet.
- To identify infected hosts and take down the botnet, the FBI, together with the Air Force Office of Special Investigations (AFOSI), obtained search warrants allowing them to join the botnet with their own "intentionally infected" computers.
- Those computers were built to behave like ordinary peers, letting the agencies collect technical and limited identifying information to map the extent of the botnet.
- Information collected by the FBI and AFOSI from Joanap-infected computers included IP addresses, port numbers, and connection timestamps.
- The agencies are now notifying victims through their internet service providers, and directly where a victim’s system sits on the internet without a router or firewall in front of it.
- The disruption effort began after the U.S. government unsealed charges last September against North Korean programmer Park Jin Hyok for his alleged role in the Sony Pictures hack and the WannaCry ransomware attack.
Source: The Hacker News
U.S. intelligence officials detail top nation-state threats
The U.S. Director of National Intelligence, Dan Coats, with several of the nation’s top intelligence officials, warned the Senate Intelligence Committee in January of the top nation-state threats facing the country, including China, Russia, Iran and North Korea.
- In the hearing, U.S. intelligence officials warned that the countries remain a significant threat to the United States’ government and private sectors.
- The threat vectors highlighted include cyber operations, online influence operations and election interference, alongside the development and proliferation of weapons of mass destruction, terrorism, counterintelligence, threats in space, transnational organized crime, and regional threats.
- According to the Worldwide Threat Assessment of the U.S. Intelligence Community, “China and Russia pose the greatest espionage and cyberattack threats,” though the intelligence community anticipates “that all our adversaries and strategic competitors will increasingly build and integrate cyber espionage, attack and influence capabilities into their efforts to influence U.S. policies and advance their own national security interests.”
- The report also points to Iran’s online espionage and cyberattacks as a significant threat, noting the nation-state’s use of “increasingly sophisticated cyber techniques to conduct espionage,” as well as its attempts to “deploy cyberattack capabilities that would enable attacks against critical infrastructure in the United States and allied countries." The report also notes Tehran’s use of social media to target U.S. and allied audiences.
- North Korea continues to use its cyber capabilities to steal from financial institutions as a means of generating revenue, including the 2016 theft of an estimated $81 million from Bangladesh’s central bank through its account at the Federal Reserve Bank of New York.
Source: Bank Info Security
Malicious documents linked to apparent cyberattack targeting U.S. banks
In another case of commercial attack tooling turned to criminal ends, cybersecurity firm FireEye recently identified two malicious documents that deliver Cobalt Strike’s “Beacon” payload, in what FireEye believes to be a campaign targeting U.S. banks.
- The attackers set up a fake bank domain impersonating the website of Florida-based Mercantile Bank, believed to have been the intended target.
- Within two days of each other, two Microsoft Office Open XML spreadsheet files were uploaded to VirusTotal, an online service that analyzes suspicious files with multiple antivirus engines and shares detections with the security community.
- Both files contained a vague, blurred image as a lure to get the user to enable macros. The first was hosted on the fake bank domain, the second on a fake digital-rewards site.
- Analysis of the files and their hosting sites suggests the attackers’ intended target was a financial organization.
- Beacon is a commercially available backdoor that is part of the Cobalt Strike platform, commonly used for penetration testing of network environments.
- Beacon supports several capabilities, including injecting and executing arbitrary code, uploading and downloading files, and executing shell commands.
- Evidence also indicates that both payloads were generated by the same user, though that username has not been tied to any known actor in the underground community.
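Both the macro-laden .doc in the Emotet campaign above and the two macro-enabled spreadsheets here rely on the user enabling a VBA project. The following Python script is an added example (not FireEye’s, Trend Micro’s or any vendor’s tooling, and not code from the original page) that triages an Office Open XML file for the indicators an analyst checks first: a vbaProject.bin part, the macro-enabled content type declared in [Content_Types].xml, and an embedded image that could serve as the “enable content” lure. The sample files it builds are constructed stand-ins, the function names are this example’s own, and legacy OLE2 .doc/.xls binaries are out of scope because they are not ZIP containers.

```python
"""Triage an Office Open XML (OOXML) file for macro indicators without opening
it in Office. OOXML (.docx/.docm/.xlsx/.xlsm) is a ZIP container: the VBA
project is stored as a part named vbaProject.bin, and macro-enabled documents
declare a distinct main content type in [Content_Types].xml. Embedded images
under a media/ folder are reported because the lure in this campaign was a
blurred image prompting the user to enable macros.

Legacy binary formats (.doc/.xls, OLE2) are not ZIPs and are rejected.
"""
import io
import re
import zipfile

# Main-part content types Office uses for macro-enabled workbooks/documents.
MACRO_CONTENT_TYPES = (
    "application/vnd.ms-excel.sheet.macroEnabled.main+xml",
    "application/vnd.ms-word.document.macroEnabled.main+xml",
)
PLAIN_SHEET_CT = "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
VBA_PART_RE = re.compile(r"(^|/)vbaProject\.bin$", re.IGNORECASE)
MEDIA_RE = re.compile(r"(^|/)media/[^/]+$", re.IGNORECASE)


def triage_ooxml(data: bytes) -> dict:
    """Return macro/lure indicators found in the OOXML bytes."""
    if not data.startswith(b"PK\x03\x04"):
        raise ValueError("not a ZIP container; legacy OLE2 .doc/.xls needs a different parser")
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        content_types = ""
        if "[Content_Types].xml" in names:
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    vba_parts = [n for n in names if VBA_PART_RE.search(n)]
    media_parts = [n for n in names if MEDIA_RE.search(n)]
    macro_enabled = any(ct in content_types for ct in MACRO_CONTENT_TYPES)

    if vba_parts and macro_enabled:
        verdict = "macro-enabled document with VBA project"
    elif vba_parts:
        # A VBA part without the macro-enabled content type is unusual and worth a closer look.
        verdict = "VBA project present but no macro-enabled content type (mismatch)"
    else:
        verdict = "no VBA project found"
    if vba_parts and media_parts:
        verdict += "; image lure present"
    return {"vba_parts": vba_parts, "media_parts": media_parts,
            "macro_enabled": macro_enabled, "verdict": verdict}


def build_sample(macro: bool, image: bool) -> bytes:
    """Construct a minimal OOXML-shaped ZIP for demonstration (not a real workbook)."""
    main_ct = MACRO_CONTENT_TYPES[0] if macro else PLAIN_SHEET_CT
    ct_xml = ('<?xml version="1.0" encoding="UTF-8"?>'
              '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
              f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>')
    if macro:
        ct_xml += '<Override PartName="/xl/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/>'
    ct_xml += "</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", ct_xml)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if macro:
            # Placeholder bytes standing in for a real (OLE2-formatted) VBA project stream.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 64)
        if image:
            zf.writestr("xl/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("lure+macro", build_sample(True, True)), ("clean", build_sample(False, False))):
        print(label, triage_ooxml(blob))
```

Presence of a VBA project is not proof of malice, but a spreadsheet whose only content is an image and a VBA project is exactly the shape of the lures described here, and the check runs on a mail gateway or sandbox intake without ever rendering the document. Reading the macro source itself would require decompressing the MS-OVBA streams inside vbaProject.bin, which a dedicated tool should do.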
“Anonymous” hacktivist sentenced to 10 years in prison for DDoS attacks
Hacktivist Martin Gottesfeld has been sentenced to more than 10 years in prison for crippling cyberattacks on two healthcare organizations in 2014, launched in protest of the organizations’ reported mistreatment of a patient. The sentence continues the U.S. government’s efforts to disrupt the “webstresser” (DDoS-for-hire) market and punish those responsible for distributed denial-of-service (DDoS) attacks.
- Acting under the banner of the hacker collective Anonymous, Gottesfeld carried out DDoS attacks against Boston Children's Hospital and Wayside Youth & Family Support Network, a Massachusetts nonprofit treatment facility that provides mental health counseling to children, young adults, and families.
- The attacks were a response to the reported mistreatment of a teenager in the two organizations’ care, in a case where custody had been given to the state of Massachusetts.
- In April 2014, Gottesfeld deployed a botnet of over 40,000 network routers infected with customized malware designed to carry out the attacks and disrupt service to the organizations’ websites.
- Intended to take Boston Children’s Hospital offline, the attack also affected several other hospitals in the area.
- The DDoS attacks crippled Wayside Youth and Family Support Network for more than a week. The nonprofit spent $18,000 on response and mitigation efforts.
- Gottesfeld, 34, was ordered to serve 121 months in prison and to pay nearly $443,000 in restitution for damages suffered by the targeted facilities.
Source: The Hacker News
Mobile phone giants caught red-handed selling customer location data — again
Major mobile carriers, including AT&T, T-Mobile, and Sprint, have for years been collecting their customers' location data and selling it on, and this is not the first time such abuses have come to light:
- Carriers sell access to their customers' location data to companies known as location aggregators.
- The aggregators in turn provide or sell the data to their clients, who provide or sell phone-tracking services to outside organizations such as roadside assistance operators, financial institutions, and even bounty hunters.
- The problem with this model is that anyone with a phone number and access to one of these services could locate the phone, and presumably its owner, to within a couple of blocks; in one reported instance this cost just $300.
- Following the report, AT&T, which had previously restricted its location sharing to services that “protect” its customers, announced it would end location data sharing completely. T-Mobile CEO John Legere followed suit, tweeting that his company would also wind down the practice by March 2019.
- The Federal Communications Commission (FCC) is launching an investigation.
Source: Bleeping Computer
North Korea linked to hacking in an attempt to sidestep ongoing sanctions
Under financial strain from ongoing sanctions, a cash-starved North Korea has turned to other means of generating revenue, chief among them state-backed intrusions into financial institutions around the world.
A recently disclosed attack on the Chilean interbank network Redbanc appears linked to the notorious Lazarus Group, a state-sponsored hacking group tied to North Korea.
- The attack involved PowerRatankba, a malware toolkit already associated with the Lazarus Group, which was confirmed to have been installed on Redbanc’s corporate network without triggering antivirus detection.
- The malware was delivered after a Redbanc IT employee clicked to apply for a job opening found through social media. The employee even sat through a Skype interview without questioning the legitimacy of the position, the application, or the interview process.
- The file presented a fake job application form while the PowerRatankba dropper downloaded and executed in the background. The payload was not available at the time of analysis but was later recovered from a security sandbox.
- The malware uses Windows Management Instrumentation (WMI) to collect system information and sends the gathered data (system details, process list, username, proxy settings and so on) to a remote server. It also checks for open file shares and Remote Desktop Protocol (RDP) ports, both commonly abused for lateral movement.
- PowerRatankba is a first-stage reconnaissance tool that can also open the door to further implants: if administrative privileges are available, it attempts to download the next stage and register it as a service.
- Lazarus has reportedly been involved in a number of bank intrusions across the world, and appears to be heavily targeting financial institutions and cryptocurrency exchanges in Latin America.
Source: Security Week
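The reconnaissance sequence described above (WMI enumeration of the system and its processes, a sweep of file-share and RDP ports across the network, then a service registered if privileges allow) is the kind of pattern a detection engineer correlates on endpoint telemetry rather than hunting for a file hash. The following Python is an added example, not Security Week’s or any vendor’s detection logic and not code from the original page; the telemetry records and their field names are constructed for the example, and the thresholds (10-minute window, at least two WMI classes, at least three probed hosts) are assumptions a real deployment would tune.

```python
"""Correlate per-host telemetry for a PowerRatankba-style reconnaissance chain:
several WMI system/process queries, SMB (445) or RDP (3389) probes against
multiple hosts inside one window, and optionally a new service afterwards.

The event dicts below are a constructed, simplified schema for this example,
not a real EDR or Sysmon format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RECON_WMI_CLASSES = {"Win32_OperatingSystem", "Win32_Process",
                     "Win32_ComputerSystem", "Win32_Share"}
LATERAL_PORTS = {445, 3389}        # SMB file shares and RDP
WINDOW = timedelta(minutes=10)     # assumption: recon and probing happen close together
MIN_WMI_CLASSES = 2
MIN_PROBED_HOSTS = 3               # assumption: one RDP session is normal, a sweep is not

# Constructed sample telemetry (not real logs). One workstation shows the full chain;
# an admin box shows benign inventory plus a single RDP session.
EVENTS = [
    {"host": "WS-042", "ts": "2019-01-10T09:00:05", "kind": "wmi_query", "class": "Win32_OperatingSystem"},
    {"host": "WS-042", "ts": "2019-01-10T09:00:06", "kind": "wmi_query", "class": "Win32_Process"},
    {"host": "WS-042", "ts": "2019-01-10T09:00:07", "kind": "wmi_query", "class": "Win32_ComputerSystem"},
    {"host": "WS-042", "ts": "2019-01-10T09:00:40", "kind": "net_connect", "dst": "10.0.1.5", "port": 445},
    {"host": "WS-042", "ts": "2019-01-10T09:00:41", "kind": "net_connect", "dst": "10.0.1.6", "port": 3389},
    {"host": "WS-042", "ts": "2019-01-10T09:00:42", "kind": "net_connect", "dst": "10.0.1.7", "port": 445},
    {"host": "WS-042", "ts": "2019-01-10T09:00:43", "kind": "net_connect", "dst": "10.0.1.8", "port": 3389},
    {"host": "WS-042", "ts": "2019-01-10T09:03:00", "kind": "service_install", "name": "WinUpdateSvc"},
    {"host": "ADM-01", "ts": "2019-01-10T09:10:00", "kind": "wmi_query", "class": "Win32_OperatingSystem"},
    {"host": "ADM-01", "ts": "2019-01-10T09:11:00", "kind": "net_connect", "dst": "10.0.2.9", "port": 3389},
]


def detect_recon(events):
    """Return sorted (host, stage) alerts; stage is 'recon' or 'recon+persistence'."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(dict(e, ts=datetime.fromisoformat(e["ts"])))
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            if start["kind"] != "wmi_query":
                continue  # a window always opens on the first recon query
            window = [e for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW]
            classes = {e["class"] for e in window if e["kind"] == "wmi_query"} & RECON_WMI_CLASSES
            probes = [e for e in window if e["kind"] == "net_connect" and e["port"] in LATERAL_PORTS]
            if len(classes) < MIN_WMI_CLASSES or len({p["dst"] for p in probes}) < MIN_PROBED_HOSTS:
                continue
            # Persistence only counts if the service appears after the sweep, matching the
            # described order: recon first, next stage registered as a service afterwards.
            last_probe = max(p["ts"] for p in probes)
            persisted = any(e["kind"] == "service_install" and e["ts"] >= last_probe for e in window)
            alerts.append((host, "recon+persistence" if persisted else "recon"))
            break  # one alert per host is enough; later windows would repeat it
    return sorted(alerts)


if __name__ == "__main__":
    for host, stage in detect_recon(EVENTS):
        print(f"ALERT {host}: {stage}")
```

The ordering constraint (service creation after the probes) is what keeps a legitimate software rollout from matching, and requiring several distinct probed hosts separates a sweep from an administrator’s single RDP session. Tuning these thresholds per environment is the real work; the structure of the correlation stays the same.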
Unsecured server left millions of mortgage documents exposed
A server holding more than 24 million financial, banking and credit-report documents, covering tens of thousands of loans and mortgages from the past 10 years, was left without password protection, allowing anyone who found it to read the documents.
- The cache contained 51 GB of credit and mortgage reports in computer-readable form produced by optical character recognition (OCR).
- The exposed documents, many of them partial, contained sensitive data including Social Security numbers, names, phone numbers, addresses, credit histories, and other information collected as part of a mortgage or credit report.
- The instance was taken offline and the data secured, but it had been exposed for an unspecified period.
- The leak was traced to Texas-based Ascension, a data and analytics company that provides services such as data analysis and portfolio valuation for the financial industry.
- One of Ascension’s services converts paper documents and handwritten notes into computer-readable OCR files.
- General counsel for Ascension’s parent company, Rocktop Partners, which owns more than 46,000 loans worth $4.4 billion, confirmed the security incident to TechCrunch.
Sources: Security Discovery and TechCrunch
Cisco releases patch to prevent router hijackings
Networking giant, Cisco, recently released a patch for significant vulnerabilities in two of its Small Business router models:
- Cisco informed customers on January 23, 2019 that its Small Business RV320 and RV325 routers were vulnerable to two high-severity flaws.
- The first flaw, tracked as CVE-2019-1653, is an information disclosure vulnerability that allows an unauthenticated, remote attacker to obtain sensitive information from the router, including its configuration and detailed diagnostic information.
- The second flaw, CVE-2019-1652, is a command injection that allows an attacker with administrative privileges to execute arbitrary commands as root.
- Chained together, the two vulnerabilities could allow an attacker without valid credentials to hijack the router.
- The United States had the highest number of impacted devices with roughly 4,400 affected routers.
Source: The Hacker News
Additional details revealed about the massive collection of email addresses and passwords for sale
Described by The Guardian as “the largest collection ever of breached data found,” a massive collection of email addresses and plain-text passwords recently posted for sale on the dark web prompted KrebsOnSecurity to dig for additional details.
- Researchers believe the data was first posted to underground forums in October 2018, and that the 87 gigabytes (GB) being advertised is only a subset of a much larger cache of email addresses and passwords the seller is offering.
- The dump, referred to by the seller as “Collection #1,” consists of two-to-three-year-old data pulled from a huge number of hacked sites, described by the seller as a mix of “dumps and leaked bases.”
- The additional data offered for sale totals close to a full terabyte (TB).
Source: Krebs on Security
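One practical response to a dump like Collection #1 is to check whether your users’ current passwords appear in it, without handing the plaintext or even the full hash to whoever holds the list. The following Python is an added example, not KrebsOnSecurity’s code or anything from the original page: it implements the hash-prefix (k-anonymity) lookup used by public pwned-password services, with both the “range server” that holds the list and the client that queries it simulated in one process. The four-line combo list is constructed for the example, and every function name is this example’s own.

```python
"""Check a password against a leaked "email:password" combo list without
revealing the password to the party holding the list.

Client sends only the first PREFIX_LEN hex characters of SHA-1(password);
the server returns every suffix it knows under that prefix, and the client
matches locally. The server learns 20 bits of the hash, not the password.
The leaked lines below are constructed for this example, not real dump data.
"""
import hashlib
from collections import defaultdict

# Constructed combo list in the "email:password" form such dumps commonly use.
LEAKED_LINES = """\
alice@example.org:Summer2017!
bob@example.org:password1
carol@example.net:hunter2
dave@example.org:Summer2017!
""".splitlines()

PREFIX_LEN = 5  # hex chars of SHA-1 sent to the server (20 bits), as in the HIBP range API


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(lines):
    """Server side: map SHA-1 prefix -> {suffix: count}. Plaintext is discarded after hashing."""
    index = defaultdict(lambda: defaultdict(int))
    for line in lines:
        # Split on the first ':' only, so passwords containing ':' survive intact.
        _, _, password = line.partition(":")
        h = sha1_hex(password)
        index[h[:PREFIX_LEN]][h[PREFIX_LEN:]] += 1
    return index


def range_query(index, prefix: str) -> dict:
    """Server side: return all suffixes (with counts) under a prefix.
    The server cannot tell which of them the client cares about."""
    return dict(index.get(prefix.upper(), {}))


def is_pwned(index, password: str) -> int:
    """Client side: send only the prefix, match the suffix locally.
    Returns how many times the password occurs in the list (0 = not found)."""
    h = sha1_hex(password)
    return range_query(index, h[:PREFIX_LEN]).get(h[PREFIX_LEN:], 0)


def exposed_accounts(lines, domain: str):
    """Accounts at `domain` whose credentials appear in the dump, for targeted resets."""
    suffix = "@" + domain.lower()
    return sorted({line.partition(":")[0] for line in lines
                   if line.partition(":")[0].lower().endswith(suffix)})


if __name__ == "__main__":
    idx = build_range_index(LEAKED_LINES)
    for candidate in ("Summer2017!", "correct horse battery staple"):
        print(candidate, "->", is_pwned(idx, candidate), "occurrence(s)")
    print("accounts to reset:", exposed_accounts(LEAKED_LINES, "example.org"))
```

Run the check at login or password-change time, when the plaintext is briefly available, and treat any non-zero count as grounds to require a new password; the occurrence count also tells you which passwords are common enough to be in every credential-stuffing wordlist. The k-anonymity split matters when the list is held by a third party; if you hold the dump yourself, the same index still avoids keeping plaintext around.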
How safe is your organization? Take the Cyber Risk Scorecard survey to assess your current cybersecurity standing and find additional steps your organization can take to protect against common cyber threats.