Belgrade #Suspect #Arrested over Being #Part of #Hackers’ Group ‘The #Dark #Overlord’

Officials in Serbia recently detained a Belgrade resident who is suspected of belonging to a hacking group known as DarkOverlord or The Dark Overlord.

The suspect, a 38-year-old Belgrade citizen, has been identified only by the initials "S.S."; nothing else about his identity is known.

The Federal Bureau of Investigation has not commented on the arrest. Serbian officials, however, state that they carried out the detention as part of an operation to expose the people operating online under the moniker "The Dark Overlord".

Active since 2016, DarkOverlord has gained notoriety for hacking schools and medical providers, stealing personal records, and then extorting the institutions, threatening to sell the data on underground markets unless they pay. Earlier, the hackers had apparently obtained addresses, phone numbers and Social Security Numbers belonging to a large number of medical patients, data that could be used for identity theft. Posted May 17, 2018.

Beginning in June 2016, The Dark Overlord infiltrated the systems of around 50 victims, stealing a variety of data, including intellectual property and sensitive health information, and then demanding ransoms in exchange for not releasing the stolen data.

The group is known for a two-year series of hacking and extortion crimes, including leaking episodes of the Netflix series "Orange Is the New Black", breaking into computers at U.S. schools, and threatening the country's students with murder.

At times the group escalated beyond hacking to threats of physical violence against the breached organisations. In 2017, a notorious campaign in the USA involved breaching the systems of high schools, stealing personal data, and holding that data for ransom. If a school did not pay, the gang would look up contact details of staff and students in the stolen data and threaten them directly.

It is not clear whether The Dark Overlord consists of one person or several individuals. On Twitter, however, it frequently uses the words "us" and "we" when referring to itself while blackmailing hacked victims.


The post Belgrade #Suspect #Arrested over Being #Part of #Hackers’ Group ‘The #Dark #Overlord’ appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

New #macOS #Backdoor #Linked to #Cyber-espionage #Group

A recently discovered macOS backdoor is believed to be a new version of malware previously associated with the OceanLotus cyber-espionage group, Trend Micro says.

Also known as APT 32, APT-C-00, SeaLotus, and Cobalt Kitty, OceanLotus is believed to be operating out of Vietnam and has been targeting high-profile corporate and government organizations in Southeast Asia. Well-resourced and determined, the group uses custom-built malware and already established techniques.

Some of the group’s targets include human rights organizations, media organizations, research institutes, and maritime construction firms.

The newly discovered macOS backdoor, which Trend Micro detects as OSX_OCEANLOTUS.D, has been observed on machines that have the Perl programming language installed.

The malware is being distributed via malicious documents attached to emails. The document masquerades as the registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy.

The document contains malicious, obfuscated macros with a payload written in Perl. The macro extracts an XML file from the Word document. This file is an executable acting as the dropper for the final payload, which is the backdoor.

The dropper, which has all of its strings encrypted using a hardcoded RSA256 key, is also used to establish the backdoor's persistence on the infected system. The dropper checks whether it is running as root and uses a different path and filename accordingly.

The dropper sets the backdoor’s attributes to “hidden” and uses random values for the file date and time, and deletes itself at the end of the process.

The backdoor has two main functions: collecting platform information and sending it to the command and control (C&C) server. It can also receive additional C&C communication information, which is encrypted before being sent.

“Malicious attacks targeting Mac devices are not as common as its counterparts, but the discovery of this new macOS backdoor that is presumably distributed via phishing email calls for every user to adopt best practices for phishing attacks regardless of operating system,” Trend Micro concludes.


The post New #macOS #Backdoor #Linked to #Cyber-espionage #Group appeared first on National Cyber Security Ventures.



THIS WEEK, SAKS Fifth Avenue, Saks Off 5th, and Lord & Taylor department stores—all owned by The Hudson's Bay Company—acknowledged a data breach impacting more than five million credit and debit card numbers. The culprits? The same group that's spent the last few years pulling off data heists from Omni Hotels & Resorts, Trump Hotels, Jason's Deli, Whole Foods, and Chipotle: a mysterious group known as FIN7.

Data breaches dog consumers every day, whether they’re ordering food from Panera, or tracking their nutrition with an Under Armour app. But if you’ve particularly had your credit card number stolen from a restaurant, hotel, or retail store in the past few years, you may have experienced FIN7 up close.

While lots of criminal hacking gangs are simply out to make money, researchers regard FIN7 as a particularly professional and disciplined organization. The group—which often appears to be Russian-speaking, but hasn’t been tied to a home country—generally works on a normal business schedule, with nights and weekends off. It has developed its own malware tools and attack styles, and seems to have a well-funded research and testing division that helps it evade detection by antivirus scanners and authorities more broadly. In the Saks breach, FIN7 used “point of sale” malware—software secretly installed in the cash register transaction systems customers interact with—to lift the financial data, a signature move.

“They’re connected to almost every major point of sale breach,” says Dmitry Chorine, cofounder and CTO of Gemini Advisory, a threat intelligence firm that works with financial institutions and that first reported the Saks/Lord & Taylor breach. “From what we’ve learned over the years the group is operated as a business entity. They definitely have a mastermind, they have managers, they have money launderers, they have software developers, and they have software testers. And let’s not forget they have the financial means to stay hidden. They make at least $50 million every month. Given that they’ve been in business for many years, they probably have at least a billion dollars on hand.”

Name Game
Researchers have carefully tracked FIN7 for years, identifying their tools and watching their techniques evolve and advance. And many of the observers have even gone head-to-head with the group during network attacks, learning the group’s ethos by actively sparring with it.

The anonymity of cyberspace makes it difficult to pin down exactly who commits which crimes, though, and whether they’re actually all part of the same group or simply using similar tools.

As a result, FIN7 is known by many names. Many. The "FIN7" name itself is often associated with retail and hospitality credit card number heists, while another group—perhaps another division of the same entity, or a pre-existing gang that FIN7 spun off from—focuses on targeting financial organizations to directly steal and launder money. This bank heist operation has been called Carbanak or Cobalt (after a tool called Cobalt Strike), or some variation; FIN7 is sometimes called by these names as well. The security firm CrowdStrike also has its own versions of the names, Carbon Spider and Cobalt Spider. Carbon Spider targets the retail and hospitality industries; Cobalt Spider hits financial institutions and ATMs. Adding to the confusion, Gemini Advisory also sometimes calls FIN7 "JokerStash," after the dark web marketplace where the group sells the credit card data it steals.

It’s a mess. But while it’s virtually impossible to know the exact breakdown, all of these actors evolved from malware campaigns between 2013 and 2015 that used the banking trojans Carberp and Anunak to attack financial institutions. “There’s definitely a relationship between what we call Carbon Spider and Cobalt Spider,” says Adam Meyers, vice president of intelligence at the security firm CrowdStrike. “There’s some overlap in the malware that’s used and there are a lot of theories. Did Carbon Spider split from Cobalt? Do they have shared tooling? Did somebody leave the group and bring some of the tools with them?”

Consummate Professionals
Regardless of the name, FIN7’s effectiveness stems from a rigorous, professional approach—including devious phishing schemes that trick victims into infecting their own networks—that researchers say is more typical of nation state hacking than criminal skulduggery. The group has also demonstrated a powerful ability to quickly evolve new strategies and adapt tools. Last fall, the security firm Morphisec showed that it only took FIN7 a day to create a fileless malware attack for a newly discovered weakness in Microsoft applications.

“The feeling you get working against them on an incident response team is that they aren’t going down without a fight,” says William Peteroy, CEO of the security firm Icebrg, which has helped clients remediate FIN7 attacks. “They are very committed to getting access to certain targets, they are very committed to maintaining access to those targets, and it’s for the overall goal of pulling as much credit card data out of the environment as they can. They’re not the best-trained, best operations security people on the internet, but they are professional. They go to work in the morning and their job is to steal credit card numbers.”

Based on Icebrg’s research and firsthand experience, Peteroy sees the group’s focus on evading antivirus scans as one of its biggest assets. FIN7 constantly tests its hacking tools against malware scanners to see if they raise an alarm, and tweaks them if they do to fly under the radar for another day.

“They have a pretty incredible track record of staying one step ahead of antivirus vendors,” Peteroy says. “They do constant testing of their toolsets. You would not expect to see a technique like that from a criminal organization. But it’s really just like a business maximizing your profitability. You’re not trying to develop things that are 10 steps ahead, you’re just trying to keep one step ahead.”

So far FIN7 has largely succeeded at staying just out of reach, but it works at such a massive scale on so many heists at once that there are bound to be missteps. Just last week, Spanish police working with Europol, the FBI, and a group of other international agencies arrested what they called the “mastermind” behind Carbanak’s financial institution hacking, particularly a spree of ATM jackpotting and other money laundering. “The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity,” Steven Wilson, the head of Europol’s European Cybercrime Centre, said of the operation last week.

Though an impressive step, researchers are skeptical that the arrest will really destabilize or neuter such a robust criminal syndicate. “Someone who was using part of the tools was arrested in Spain. He may be at a higher level of the food chain, but it definitely doesn’t necessarily mean the whole group has been dismantled,” says Gemini Advisory’s Chorine. “Even if you observe the chatter on criminal forums, there’s no clear indication of who was arrested.”

So as has been the case for years now, FIN7 will likely live to steal another credit card number. Or, more likely, millions of them.


The post THE #BILLION-DOLLAR #HACKING GROUP BEHIND A #STRING OF BIG #BREACHES appeared first on National Cyber Security Ventures.


Russian group #hacked German #government’s secure #computer #networks

Source: National Cyber Security News

A Russian-backed hacker group known for many high-level cyber attacks was able to infiltrate the German government’s secure computer networks, the dpa news agency reported Wednesday.

Dpa cited unidentified security sources saying the group APT28 hacked into Germany’s foreign and defence ministries and managed to steal data.

The attack was noticed in December and may have lasted a year, dpa reported.

The Interior Ministry said in a statement that “within the federal administration the attack was isolated and brought under control.” The ministry said it was investigating.

A spokesman wouldn’t give further details, citing the ongoing analysis and security measures being taken.

“This case is being worked on with the highest priority and considerable resources,” the ministry statement said.

APT28, which has been linked to Russian military intelligence, has previously been identified as the likely source of an attack on the German Parliament in 2015, as well as on NATO and governments in eastern Europe.

Also known by other names including “Fancy Bear,” APT28 has also been blamed for hacks of the U.S. election campaign, anti-doping agencies and other targets.


A #Hacking Group Is #Already #Exploiting the #Office #Equation Editor #Bug

Source: National Cyber Security – Produced By Gregory Evans

A week after details about a severe Microsoft Office vulnerability came to light, at least one criminal group is now using it to infect users.

The group is not your regular spam botnet, but a top cyber-criminal operation known to security researchers as Cobalt, a hacking outfit that has targeted banks, ATM networks, and financial institutions for the past two years.

CVE-2017-11882 used by Cobalt hacking group

According to Reversing Labs, a UK-based cyber-security firm, the Cobalt group is now spreading RTF documents to high-value targets that are laced with exploits that take advantage of CVE-2017-11882.

This is a vulnerability in the Office Equation Editor component that allows an attacker to execute code on victims’ computers without user interaction.

You don’t need a grizzled veteran of the infosec community to tell you that a vulnerability with such results would be incredibly valuable for any cyber-criminal organization.

Besides the damage this vulnerability can do, Cobalt’s quick adoption of CVE-2017-11882 was most likely aided by the availability of four proof of concept (PoC) exploits that have been published online in the past week [1, 2, 3, 4].

According to Reversing Labs, the Cobalt group is currently sending emails carrying a booby-trapped RTF file that uses a CVE-2017-11882 exploit to download and run additional malicious files. The infection chain goes through multiple steps, but in the end it downloads and loads a malicious DLL file that has yet to be analyzed in more depth.

Proofpoint's Matthew Mesa also saw the same emails, but observed a slightly different exploitation chain.

Cobalt has jumped on Microsoft bugs before

As for the Cobalt group, they have a history of jumping on Microsoft bugs as soon as they’re disclosed and weaponizing them for their campaigns. The same thing happened with CVE-2017-8759, a remote code execution vulnerability that affected the .NET Framework, patched by Microsoft in the September 2017 Patch Tuesday.

Security firms first started documenting the Cobalt group in 2016, when it was spotted hitting ATMs and financial institutions across Europe. The group then spread to targets in the Americas, and later also targeted Russian banks, using the ex-Soviet space as a testing ground for new attacks, before it moved to more wealthy targets elsewhere.

The group’s most well-known malware family is Cobalt Strike, named after an eponymous commercial penetration testing software because it uses some of its components.

Patch now, before vulnerability is exploited en masse

As we’ve seen in the past, it doesn’t take too long for a vulnerability to trickle down from professional cyber-criminal groups to spam botnet herders once public PoCs are available.

Users should apply Windows updates KB2553204, KB3162047, KB4011276, and KB4011262, included in the November 2017 Patch Tuesday, to guard against CVE-2017-11882 exploitation.


The post A #Hacking Group Is #Already #Exploiting the #Office #Equation Editor #Bug appeared first on National Cyber Security Ventures.


Chinese #hacking group #returns with new #tactics for #espionage #campaign

Source: National Cyber Security – Produced By Gregory Evans

A Chinese hacking operation is back with new malware attack techniques and has switched its focus to conducting espionage on western corporations, having previously targeted organisations and individuals in Taiwan, Tibet, and the Philippines.

Dubbed KeyBoy, the advanced persistent threat actor has been operating out of China since at least 2013 and in that time has mainly focused its campaigns on targets in the South East Asia region.

The last publicly known activity by KeyBoy saw it target the Tibetan Parliament between August and October 2016, according to researchers, but after that the group appeared to cease activity — or at least managed to get off the radar.

But now the group has reemerged and is targeting western organisations with malware which allows them to secretly perform malicious activities on infected computers. They include taking screenshots, key-logging, browsing and downloading files, gathering extended system information about the machine, and shutting down the infected machine.

KeyBoy’s latest activity has been uncovered by security analysts at PwC, who’ve analysed the new payload and found it includes new infection techniques replacing legitimate Windows binaries with a copy of the malware.

Like similar espionage campaigns by other hacking operations, the campaign begins with emails containing a malicious document – in the case analysed by PwC, the lure was a Microsoft Word document named 'Q4 Work Plan.docx'.

But rather than delivering macros or an exploit, the lure uses the Dynamic Data Exchange (DDE) protocol to fetch and download a remote payload. Microsoft has previously described DDE as a feature, not a flaw.

In this case, Word tells the user there has been an error and the document needs updating – if the user accepts, a remote fake DLL payload is executed, which in turn serves up a dropper for the malware.

Once the process has been run and the malware is installed, the initial DLL is deleted, leaving no trace of the malicious fake. As the malware also disables Windows File Protection and related popups, it therefore isn’t immediately obvious to system administrators that a legitimate DLL was replaced.

Once inside the target system, the attackers are free to conduct espionage campaigns as they please – although PwC researchers have listed possible indicators of compromise which organisations can use to discover whether there are traces of KeyBoy in their networks.

Similar techniques and attack capabilities have been observed in past KeyBoy campaigns, leading researchers to conclude that this campaign is by the same group.

Researchers have yet to uncover which specific organisations or sectors KeyBoy is targeting with its latest campaign, but say that the group has now turned its attention to conducting corporate espionage on organisations in the west.

Aside from knowing that they are based in China, it has not yet been possible to identify the KeyBoy hacker group or their ultimate motives. While the operation has some of the hallmarks of a state-backed campaign, previous research into the group notes that any type of criminal gang could run this style of campaign.


The post Chinese #hacking group #returns with new #tactics for #espionage #campaign appeared first on National Cyber Security Ventures.


WikiLeaks ‘hacked’ as OurMine group answers ‘hack us’ challenge

Source: National Cyber Security – Produced By Gregory Evans

WikiLeaks suffered an embarrassing cyber-attack when the Saudi Arabia-based hacking group OurMine took over its web address. The attack saw visitors redirected to a page created by OurMine, which claimed that the attack was a response to a challenge from the organisation to hack them. But while it may…

The post WikiLeaks ‘hacked’ as OurMine group answers ‘hack us’ challenge appeared first on National Cyber Security Ventures.


Hacker Group 31337 Dumps Data Stolen From Mandiant Analyst

Source: National Cyber Security – Produced By Gregory Evans

Cybersecurity firm FireEye has confirmed that the personal laptop of one of its Mandiant breach-investigation employees, as well as his social media accounts, were hacked by a group of self-professed black hat hackers, calling themselves “31337.” “We are aware of reports that a Mandiant employee’s social media accounts and personal…

The post Hacker Group 31337 Dumps Data Stolen From Mandiant Analyst appeared first on National Cyber Security Ventures.


Business group hit by hackers

Source: National Cyber Security – Produced By Gregory Evans

CYBER scammers are targeting the Townsville Chamber of Commerce with the organisation considering taking out insurance against attacks following a spate of email phishing incidents. The chamber fell victim to the latest phishing attack on Wednesday, when an email claiming to be from the organisation was sent to a number…

The post Business group hit by hackers appeared first on National Cyber Security Ventures.


ISIS-linked group claims hack of Leon County website

Source: National Cyber Security – Produced By Gregory Evans

No important data was compromised in a hack Thursday of Leon County's government website by an ISIS-linked group. Up for only minutes on the Leon County homepage, the message, accompanied by a photo of North Korean Supreme Leader Kim Jong-un and audio of a 1964 Ronald Reagan speech, was gone…

The post ISIS-linked group claims hack of Leon County website appeared first on National Cyber Security Ventures.
