Reverse Engineering and observing an IoT botnet
www.gdatasoftware.com/blog/2020/08/36243-reverse-engineering-and-observing-an-iot-botnet IoT devices are everywhere around us and some of them are not up to date with today's security standards. A single light bulb exposed to the internet can offer an attacker a variety of possibilities to attack companies or households. The possibilities are endless. If we think about a router or follow the example with the light bulb, such a hijacked device can be used for various malicious activities, for example building a botnet and monetizing it by offering DDoS as a service, or using the IoT device as a gateway into a corporate network. There have also been cases where ransomware was used on IoT devices.
43 COVID-19 Cybersecurity Statistics
www.pandasecurity.com/mediacenter/news/covid-cybersecurity-statistics/ In January 2020, the Coronavirus outbreak started to garner international headlines. On March 11, 2020, the World Health Organization declared COVID-19 a worldwide pandemic. That week, life around the world changed. Bustling streets became empty, hospital beds overflowed, and businesses were faced with the impossible decision of whether or not to close their doors, in some cases, for good.
Transparent Tribe: Evolution analysis, part 2
securelist.com/transparent-tribe-part-2/98233/ Transparent Tribe, also known as PROJECTM or MYTHIC LEOPARD, is a highly prolific group whose activities can be traced as far back as 2013. In the last four years, this APT group has never taken time off. They continue to hit their targets, which typically are Indian military and government personnel. This is the second of two articles written to share the results of our recent investigations into Transparent Tribe. In the previous article, we described the various Crimson RAT components and provided an overview of impacted users.
Emulation of Malicious Shellcode With Speakeasy
www.fireeye.com/blog/threat-research/2020/08/emulation-of-malicious-shellcode-with-speakeasy.html In order to enable emulation of malware samples at scale, we have developed the Speakeasy emulation framework. Speakeasy aims to make it as easy as possible for users who are not malware analysts to acquire triage reports in an automated way, as well as enabling reverse engineers to write custom plugins to triage difficult malware families. Originally created to emulate Windows kernel mode malware, Speakeasy now also supports user mode samples. The project's main goal is high resolution emulation of the Windows operating system for dynamic malware analysis for the x86 and amd64 platforms.
Confessions of an ID Theft Kingpin, Part I
krebsonsecurity.com/2020/08/confessions-of-an-id-theft-kingpin-part-i/ At the height of his cybercriminal career, the hacker known as Hieupc was earning $125,000 a month running a bustling identity theft service that siphoned consumer dossiers from some of the world's top data brokers. That is, until his greed and ambition played straight into an elaborate snare set by the U.S. Secret Service. Now, after more than seven years in prison, Hieupc is back in his home country and hoping to convince other would-be cybercrooks to use their computer skills for good.
FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks
us-cert.cisa.gov/ncas/alerts/aa20-239a North Korea's intelligence apparatus controls a hacking team dedicated to robbing banks through remote internet access. To differentiate methods from other North Korean malicious cyber activity, the U.S. Government refers to this team as BeagleBoyz, who represent a subset of HIDDEN COBRA activity. The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima and are responsible for the FASTCash ATM cash outs reported in October 2018, fraudulent abuse of compromised bank-operated SWIFT system endpoints since at least 2015, and lucrative cryptocurrency thefts.
APT Hackers Exploit Autodesk 3ds Max Software for Industrial Espionage
thehackernews.com/2020/08/autodesk-malware-attack.html It's one thing for APT groups to conduct cyber espionage to meet their own financial objectives. But it's an entirely different matter when they are used as "hackers for hire" by competing private companies to make away with confidential information. Bitdefender's Cyber Threat Intelligence Lab discovered yet another instance of an espionage attack targeting an unnamed international architectural and video production company that had all the hallmarks of a carefully orchestrated campaign.
Malicious Excel Sheet with a NULL VT Score
isc.sans.edu/forums/diary/Malicious+Excel+Sheet+with+a+NULL+VT+Score/26506/ Just a quick diary today to demonstrate, once again, that relying only on a classic antivirus solution is not sufficient in 2020. I found a sample that has a very nice score of 0/57 on VT. Yes, according to all AVs the file is safe. Really? If it matched one of my hunting rules, there is for sure something suspicious inside. Let's have a look at it.
Four More Bugs Patched in Microsoft's Azure Sphere IoT Platform
threatpost.com/four-more-bugs-patched-in-microsofts-azure-sphere-iot-platform/158643/ Researchers have unearthed more vulnerabilities in Microsoft's IoT security solution. Details tied to a pair of remote code execution bugs in Microsoft's IoT security platform called Azure Sphere were released Monday. Also made public were specifics associated with two additional privilege escalation flaws impacting the same cloud security platform. Public disclosure of all four of the bugs piggybacks on six vulnerabilities found in July also impacting Microsoft's Azure Sphere. Cybersecurity researchers at Cisco Talos found each of the bugs and released the technical details of the vulnerabilities only after Microsoft issued patches.
FBI informant provides a glimpse into the inner workings of tech support scams
www.zdnet.com/article/fbi-informant-provides-a-glimpse-into-the-inner-workings-of-tech-support-scams/ US authorities have charged three suspects involved in a large-scale tech support scam operation after FBI agents arrested one of their co-conspirators and turned him into an informant. Evidence provided by the informant along with court documents filed in the case provide an in-depth glimpse at the techniques and inner workings of a modern-day tech support scam, from its earliest stages to the methods crooks use to launder funds obtained from defrauded victims.
Perpetrator still being guessed at: a severe denial-of-service attack took down a distant stock exchange, share trading halted
www.tivi.fi/uutiset/tv/de6acbb4-07df-4fb9-9434-03765cdaa607 New Zealand's stock exchange has not collapsed, but trading has halted repeatedly because of denial-of-service attacks. Share trading in New Zealand has ground to a screeching halt several times this week. The local exchange (NZX) has been the target of denial-of-service attacks for a couple of days now. Because of the problems, securities trading has had to be suspended repeatedly.
Russian Arrested After Offering $1 Million to U.S. Company Employee for Planting Malware
thehackernews.com/2020/08/russian-extortion-malware.html Hackers always find a way in, even if there's no software vulnerability to exploit. The FBI has arrested a Russian national who recently traveled to the United States and offered a $1 million bribe to an employee of a targeted company for his help in manually installing malware on the company's computer network.
Code-execution bug in Pulse Secure VPN threatens patch laggards everywhere
arstechnica.com/information-technology/2020/08/code-execution-bug-in-pulse-secure-vpn-threatens-patch-laggards-everywhere/ If you haven't updated Pulse Secure VPN, now would be an excellent time to do so. Organizations that have yet to install the latest version of the Pulse Secure VPN have a good reason to stop dithering: a code-execution vulnerability that allows attackers to take control of networks that use the product. Tracked as CVE-2020-8218, the vulnerability requires an attacker to have administrative rights on the machine running the VPN. Researchers from GoSecure, the firm that discovered the flaw, found an easy way to clear that hurdle: trick an administrator into clicking on a malicious link embedded in an email or other type of message.
SunCrypt Ransomware sheds light on the Maze ransomware cartel
www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/ A ransomware named SunCrypt has joined the 'Maze cartel,' and with their membership, we get insight into how these groups are working together. In June, we broke the story that the Maze threat actors created a cartel of ransomware operations to share information and techniques to help each other extort their victims. When it first started, this cartel included Maze and LockBit, but it soon expanded to include Ragnar Locker. When Maze first formed this group, they refused to answer our questions on how members of their cartel benefited, and whether there was a monetary benefit to Maze.
A quarter of the Alexa Top 10K websites are using browser fingerprinting scripts
Phishing Attack Used Box to Land in Victim Inboxes
www.darkreading.com/attacks-breaches/phishing-attack-used-box-to-land-in-victim-inboxes/d/d-id/1338754 A phishing attack targeting government and security organizations used a legitimate Box page with Microsoft 365 branding to trick victims. A newly discovered credential phishing campaign used a legitimate Box webpage and exploited widespread trust in Microsoft 365 to capture victims’ credentials in a convoluted attack chain. The team at Armorblox discovered this threat back in June and say it affected city officials, as well as government and cybersecurity organizations. Attackers chose to host the phishing site on a legitimate Box page, which security experts say helped the emails land in victims’ inboxes.
Cisco Patches High-Severity Bugs Impacting Switches, Fibre Storage
threatpost.com/cisco-high-severity-bugs-impact-switches-fibre-storage/158691/ Cisco Systems disclosed eight high-severity bugs impacting a range of its networking gear, including its switches and fiber storage solutions. Cisco's NX-OS was hardest hit, with six security alerts tied to the network operating system that underpins the networking giant's Nexus-series Ethernet switches and MDS-series Fibre Channel storage area network switches. Patches are available for all vulnerabilities, according to a Cisco Security Advisory posted on Wednesday. In addition to the eight patched high-severity bugs, Cisco also fixed a flaw (CVE-2020-3504) listed as medium severity that impacts the Cisco Unified Computing System management software.
Emotet Update Increases Downloads
www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/ The Hornetsecurity Security Lab observed a 1000 % increase in downloads of the Emotet loader. The increase in Emotet loader downloads correlates with Emotet's packer change, which causes the Emotet loader to be detected less by AV software. Our gathered data suggests that the increase in Emotet loader downloads stems from the loader being detected less, and thus the Emotet loader download URLs also being blocked less by security mechanisms. Our data, however, also suggests that AV vendors are already closing the detection gap, so detection of the Emotet loader should increase again and the number of downloads should decrease again.
RATs and Spam: The Node.JS QRAT
www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/ The Qua or Quaverse Remote Access Trojan (QRAT) is a Java-based RAT that can be used to gain complete control over a system. Introduced in 2015, QRAT was marketed as an undetectable Java RAT and is offered under the software-as-a-service model. Just after its original debut, we blogged about QRATs being spammed. As shown in Figure 1, the functionality of the spammed QRATs can be extended through the
Conti (Ryuk) joins the ranks of ransomware gangs operating data leak sites
www.zdnet.com/article/conti-ryuk-joins-the-ranks-of-ransomware-gangs-operating-data-leak-sites/ More and more ransomware gangs are now operating sites where they leak sensitive data from victims who refuse to pay the ransom demand. It has now become a mainstream tactic for big ransomware groups to create so-called "leak sites" where they upload and leak sensitive documents from companies who refuse to pay the ransomware decryption fee. These "leak sites" are part of a new trend forming on the cybercriminal underground, where ransomware groups are adopting a new tactic called "double extortion."