Cyware Monthly Cyber Threat Intelligence

Monthly Threat Briefing • April 27, 2018
April marks the huge step taken by Facebook, Microsoft, Oracle and 31 other technology companies in signing the Cybersecurity Tech Accord. Other major good news: the US Department of Energy announced $25 million in grants for projects that can strengthen cyberdefenses. Several technological advancements, including an algorithm to detect fake social media users, the new HoneyBot, and an Android sandbox technology, were made this month to strengthen enterprise security. The RSA Conference also showcased several security advancements, such as the Adversarial Robustness Toolbox by IBM.
The US Department of Energy announced $25 million in grants for projects that can strengthen the cyberdefenses of the nation’s critical energy infrastructure, including its power grid, oil, and natural gas industry. The announcement comes just weeks after cyberattacks crippled electronic communications systems for several US pipeline companies.
Facebook, Microsoft, Oracle and 31 other technology companies signed the Cybersecurity Tech Accord this week pledging to defend all customers and products from cyberattacks. They also took a “no offense” commitment to not help governments launch cyberattacks and protect their services against tampering and exploitation at every stage, from development to distribution.
Researchers at Ben-Gurion University of the Negev and the University of Washington have developed a new algorithm to detect fake users on social media platforms, including Facebook and Twitter, based on the assumption that fake accounts typically establish unlikely links to other users. The algorithm features two machine learning-based iterations - one to estimate the probability of a link existing between two users and the second to generate meta-features used to construct a generic classifier to detect fake profiles.
At the RSA Conference in San Francisco, IBM unveiled the Adversarial Robustness Toolbox, an open-source security library designed to help developers and users defend against cyberattacks that target AI systems. Featuring a library, interfaces, and metrics, the toolbox will help developers create and deploy practical cybersecurity defense systems for the AI sector.
Britain’s Home Secretary Amber Rudd has launched a police crackdown on dark web crime. During a speech at the National Cyber Security Centre’s conference, Rudd announced the Home Office will be releasing £9m to support law enforcement units that deal with cybercrime and dark web activity. Another £5m will be spent on improving local cybercrime units at a regional and local level. The funding is part of the £50 million allocated to bolster the UK’s cyber-defensive capabilities at a national, regional and local level.
A new £13.5 million cyber innovation centre is being developed at London’s Queen Elizabeth Olympic Park to spur growth and development in the growing East London tech cluster and the nation’s cybersecurity sector. Run by Plexal, the London Cyber Innovation Centre will offer local start-ups the infrastructure, space and technology to work closely with larger enterprises on security risks, challenges and solutions.
Cisco Systems is working with Canadian startup Isara to develop new quantum-safe cryptographic algorithms that may help companies protect their internal systems, platforms and data against potentially powerful quantum threats. The two companies will be working on a proof-of-concept project to test digital certificates that operate in both classic and quantum-safe algorithm modes.
MIT Media Lab researchers have developed a new headset dubbed AlterEgo that can “hear” your thoughts and allows you to “silently” communicate with a computer interface simply by vocalizing internally. By reading the neuromuscular signals your brain sends to the face and jaw during internal speech, the headset can identify the words you think of but don’t actually say out loud, and reconstruct them with 92% accuracy.
VirusTotal, the online antivirus scanning service, announced a new Android sandbox technology. Named Droidy, it is a simulated Android OS environment for analyzing Android app behavior and producing reports for users and security researchers. These reports will contain additional behavioral details that help security researchers confirm the malicious classification of VirusTotal scan results or even overturn them.
A novel tool designed by a group of researchers at Georgia Tech helps delay and expose would-be hackers targeting industrial automation. The small robot, called HoneyBot, is designed to trick cybercriminals into thinking it is a vulnerable robot performing important industrial automation tasks. Once a successful breach is detected, the tool raises an alarm and helps IT security professionals block the attack.
Decryptors for a few versions of the Magniber ransomware have been created by security researchers from AhnLab, a South Korea-based cyber-security firm. Users can download the decryptors from AhnLab's website. Unfortunately, the usage instructions aren’t available in English, so victims will have to use online translation services to understand them.
Europol has successfully dismantled the Webstresser website. As per claims by the police, the website sold Distributed Denial of Service (DDoS) attacks and helped launch up to 6 million of them for as many as 136,000 registered users. The investigation was led by the Dutch National High Tech Crime Unit and the UK National Crime Agency (NCA), and assisted by Europol. Four alleged administrators of the site were arrested, the site was shut down and its infrastructure was seized.
A new Windows platform security technology, meant to mitigate software attacks, has been released by Microsoft. The company announced Windows Defender System Guard runtime attestation, which can provide signals for Endpoint Detection and Response (EDR) and antivirus vendors. The security technology is also capable of detecting kernel tampering, rootkits, and exploits.
A study by researchers in New Zealand found that the newly proposed quantum blockchain can result in blockchain systems that are unaffected by quantum-computer hacking. This is considered to be the first ever fully quantum blockchain. This new quantum blockchain functions by interpreting its mistakes and influencing its own past.
Unfortunately, the month of April also registered several data breaches and security threats. Data leaks at TrueMove H (one of Thailand’s biggest mobile operators) and Texas Health Resources affected 11,400 customers and 4,000 patients respectively. In other news, a joint statement has been issued by the DHS, FBI and the UK’s National Cyber Security Centre, accusing Russian hackers of penetrating network infrastructure. Among the affected companies this month are Sodexo, LocalBox, YouTube and Coinsecure.
Several variants of previously discovered malware were identified in April: samples of ViperRAT, an upgraded version of njRAT, and ZeusVM. New strains of malware spotted this month are: Roaming Mantis, affecting exposed home routers; Desert Scorpion, a spyware; SquirtDanger, a data-stealing malware; SmashingCoconut, a Windows-based wiper malware; and the PUBG ransomware. Security researchers also found a new MacOS backdoor identified as ‘OSX_OCEANLOTUS.D’, a new banking Trojan called ‘IcedID’, and a new Mirai-style botnet targeting the financial sector.
Kaspersky Labs researchers found a new strain of malware dubbed the Roaming Mantis. Hackers distribute the malware by hijacking DNS settings on vulnerable routers to redirect users to malicious websites. While it is still not clear how hackers managed to gain access to exposed home routers, the crooks were able to hijack traffic from 150 unique IP addresses and redirect users to malicious sites about 6,000 times between February 9 and April 9.
Security firm Lookout found new samples of the ViperRAT malware lurking on the Google Play Store again. Two ViperRAT-infected apps, VokaChat and Chattak, had been downloaded over 1,000 times before they were detected by Lookout and removed by Google. The new malware samples appeared to be updated with chat functionality enabled within the apps to evade detection and suspicion.
Lookout researchers also uncovered the Desert Scorpion spyware packaged in mobile messaging apps on the Google Play Store. Believed to have been developed by surveillance actor APT-C-23, it targeted individuals of interest in the Middle East, particularly in Palestine. A chat app called Dardesh was used to download the first stage of the malware before tricking users into downloading the more sophisticated surveillance-focused second stage.
Dell SecureWorks Counter Threat Unit detailed a new Nigeria-linked BEC group called Gold Galleon that has been plundering the global maritime shipping industry. Using publicly available business email addresses, low-tier RAT tools and spear-phishing techniques, the group has attempted to steal at least $3.9 million between June 2017 and January 2018.
Palo Alto Networks’ Unit 42 identified a new malware called SquirtDanger that appears to have been developed by veteran Russian malware author “TheBottle”. Written in C#, the malware comes with various capabilities including the ability to take screenshots, list and kill processes, access and delete files, and even steal wallets or swap existing ones with one belonging to the attackers.
Trend Micro researchers have detected a significant amount of scanning activity from China akin to that of the infamous Mirai botnet in 2016. Researchers’ network monitoring system observed a surge of activity from over 3,000 scanner IP addresses, with Brazil seeming to be the target location. Similar to Mirai, the scanners were constantly scouring the internet for potentially vulnerable internet-connected devices, such as routers or IP cameras, and using default administrator credentials to hijack them.
A new but unusual strain of ransomware called PUBG locks down victims’ computer files and will only decrypt them if the victim plays the game “PlayerUnknown’s Battlegrounds.” The ransomware encrypts the user’s files with a .PUBG extension and displays a pop-up warning instructing the victim to play to restore them. Interestingly, the ransom instructions offer a code to unlock the files immediately as well as an option to play the game for an hour. The TslGame program only needs to run for about 3 seconds to start the decryption process, suggesting it’s likely a joke.
The US Department of Homeland Security (DHS) released an intelligence note identifying a new malware called SmashingCoconut that shares similarities with the one used by North Korea against Sony back in November 2014. The 32-bit Windows-based wiper malware can render a targeted system inoperable if run with administrator privileges: it deletes all files, overwrites the master boot record and wipes both the bootable and non-bootable partitions on the hard drive.
Researchers uncovered a new fake update scam that has been exploiting thousands of legitimate websites since December 2017. The “FakeUpdates” campaign affected websites using outdated versions of WordPress, Joomla and Squarespace. The affected sites display authentic-looking messages to visitors prompting them to “save” the update for Firefox, Chrome or Flash. If a user does fall for it, a heavily obfuscated JavaScript file is downloaded from DropBox that deploys the ZeusVM variant - Chtonic banking malware - or a NetSupport RAT.
Researchers have found a new Mirai-style botnet targeting the financial sector. As per researchers, the attack on the financial sector is the largest since Mirai wreaked havoc on Dyn servers in October 2016. The research found three financial institutions becoming the latest victims of the new IoTroop botnet, created through hijacked internet-connected web cameras and televisions. The hackers’ aim with the botnet seems to be to choke the internet traffic of financial firms by overloading servers and subsequently knocking their services offline.
Security researchers at Trend Micro have found a new MacOS backdoor that is probably the latest version of a threat used by APT 32, also known as Cobalt Kitty and OceanLotus. The backdoor has been identified as ‘OSX_OCEANLOTUS.D’. The attackers exploiting the backdoor have been found targeting MacOS computers with the Perl programming language installed. The backdoor is being distributed through a malicious Microsoft Word document that claims to be a registration form for an event with HDMC, a Vietnamese organization that advertises national independence and democracy.
An upgraded version of njRAT has been found pushing Lime Ransomware and a bitcoin wallet stealer. Also known as Bladabindi, njRAT is an old-time Trojan that was first spotted in 2013 and has survived since then. The malware is known for using .NET obfuscation tools that help it evade antivirus solutions and subsequently hinder analysis by security researchers. The malware also makes use of dynamic DNS for its command and control servers and communicates using a custom TCP protocol over a configurable port.
Last year in November, security researchers unearthed a new banking Trojan labeled ‘IcedID’. Initially, it was found being distributed by Emotet, and later in the new year there was a considerable increase in IcedID infections detected all throughout the AMP ecosystem. Now researchers have found infections through Emotet slowing down, with more being spread through emails carrying malicious Microsoft Word documents without macros. Once the user clicks on the document, Rovnix is downloaded and executed, which in turn downloads IcedID. In addition to Rovnix, a Bytecoin miner is also downloaded as a second payload.
Dubbed Operation GhostSecret, a global data-stealing campaign has been discovered by McAfee security researchers, targeting several industries including critical infrastructure, entertainment, finance, health care, and telecommunications. The campaign leverages various tools, implants and malware variants associated with the Hidden Cobra hacker group.
A new Crossrider variant has been spotted attacking Mac devices, disguising itself as a fake Adobe Flash Player installer. The variant installs a configuration profile that forces Safari and Chrome to redirect users to a page on chumsearch[dot]com. Unfortunately, this cannot be changed in the browser settings. The profile can be found by opening System Preferences, then clicking the Profiles icon.
Unit 42, Palo Alto Networks' threat research arm, has discovered the author behind the new botnet malware family SquirtDanger. The Russian hacker TheBottle is found to be associated with these attacks. The malware is capable of conducting several actions, including taking screenshots, clearing browsing cookies, stealing stored information, and uploading and downloading files.
Three new malware variants associated with the APT34 hacker group have been discovered by a threat hunt team. The hacker group is believed to have been operating since at least 2014, and uses BONDUPDATER (used to download software) and POWRUNER (used as a backdoor to exploit software vulnerabilities).
A new and advanced phishing kit, currently available in Brazil, is being analyzed by Check Point researchers and a cyber intelligence company, CyberInt. The new kit is believed to represent the next generation in phishing architecture, as it makes for an even easier set-up and a more convincing fake website. The phishing kit generally targets online shoppers and aims at stealing users’ personal details and credit card information.
Members of a top-tier Russian hacking forum have started using a crimeware kit dubbed the Rubella Macro Builder. The kit is cheap, fast and can bypass basic antivirus detection. The crimeware kit is being distributed via Microsoft Word or Excel email attachments.