#infosec | Sextortion Fallout Scam Tricks Users into Malware Download

Source: National Cyber Security – Produced By Gregory Evans

Security researchers are warning of a new sextortion-related campaign designed to trick the recipient into clicking on a nude image booby-trapped with malware.

The unsolicited email contains a message from the ‘Red Skull’ hacking crew, who claim to have compromised the account of a contact of the recipient and found images of his naked girlfriend.

As this individual didn’t pay up, the hackers are now emailing the image to everyone in his contacts list, or so the scam goes.

To view the picture, the user is encouraged to “enable content” and in so doing execute macros on the machine. However, doing so will run a PowerShell command in the background to download and execute the Raccoon information-stealing malware, according to IBM X-Force.

Fortunately, the associated domain has been taken down.

“This new take on sextortion is quite remarkable. It makes the victim believe that someone they know has been exploited in an attack that has nothing to do with them. If people do not identify as the victim, they may act much more carelessly, especially those curious to find out who was actually targeted,” the security vendor explained.

“Thanks to the quick removal of the domain, it is safe to say that the success of this single campaign should be less significant, despite the sophistication and creativity of its emails. Nevertheless, the threat actor distributing these emails has been very actively exploring new methods of social exploitation, so this will certainly not be the last time we write a collection about these types of emails.”

In fact, the same hackers are behind a new campaign in which malicious spam is sent to users posing as an “indictment message” sent by a court. The relevant information on the hearing is said to be included in the malicious attachment.

Other phishing emails use DocuSign as a lure to click through and unwittingly download Raccoon.



Source link

The post #infosec | Sextortion Fallout Scam Tricks Users into Malware Download appeared first on National Cyber Security.

View full post on National Cyber Security

#cyberfraud | #cybercriminals | These Are The Most Rampant Windows And Mac Malware Threats For 2020: Here’s What That Means


Seven weeks into 2020, and we are deep into the season for cybersecurity reporting. You can expect a wide range of summaries of the threat landscape from 2019 and forecasts as to what to expect this year. As threat actors from China, Russia, Iran and North Korea continue to probe network and system security around the world, we also have the rising threat of ever more sophisticated malware hitting individuals and the companies they work for, all fuelled by the scourge of social engineering to make every malicious campaign more dangerous and more likely to hit its mark.

BlackBerry Cylance has published its “2020 Threat Report” today, February 19, and its theme is the blurring lines between state actors and the criminal networks that develop their own exploits or lease “malware as a service,” pushing threats out via email and messaging campaigns, targeting industries or territories. This year, 2020, will be seminal in the world of threat reporting and defense—IoT’s acceleration is a game changer in cyber, with the emergence of a vast array of endpoints and the adoption of faster networking and pervasive “always connected” services.

The challenge with IoT is the limited control of the security layers within those endpoints—it’s all very well having smart lightbulbs, smart toys and smart fridges. But if every connected technology you allow into your home is given your WiFi code and a connection to the internet, then it is near impossible to assure yourself of the security of those devices. Current best practice—however impractical that sounds—is to air-gap the networks in your home: trusted devices (your phones, computers and tablets) on one, and everything else on the other. If one family of devices can’t see the other, then you are much better protected from malicious actors exploiting casual vulnerabilities.

I have warned on this before, and the market now needs the makers of networking equipment to develop simple one-click multiple networking options, so we can introduce the concept of a separated IoT network and core network into all our homes—something akin to the guest networks we now have but never use on our routers, but simpler, more of a default, and therefore better used.

According to Cylance’s Eric Milam, the geopolitical climate will also “influence attacks” this year. There are two points behind this. First, mass market campaigns from state-sponsored threat actors in Iran and North Korea, from organized groups in Russia and China, and from criminal networks leveraging the same techniques, targeting individuals at “targeted scale.” And, second, as nation-states find ever more devious ways to exploit network defenses, those same tools and techniques ultimately find their way into the wider threat market.

The real threats haven’t changed much: Phishing attacks, ranging from the most basic spoofs to more sophisticated and socially engineered targeting; headline-grabbing ransomware and virus epidemics; the blurring between nation-state and criminal lines, accompanied by various flavors of government warnings. And then, of course, we have the online execution of crimes that would otherwise take place in the physical world—non-payment and non-delivery, romance scams, harassment, extortion, identity theft, all manner of financial and investment fraud.

But, we do also have a rising tide of malware. Some of that rising tide is prevalence, and some is sophistication. We also have criminal business models where malware is bought and sold or even rented on the web’s darker markets.

In the Cylance report, there is a useful summary of the “top malware threats” for Windows and Mac users. Cylance says that it compiled its most dangerous list by using an “in-house tooling framework to monitor the threat landscape for attacks across different operating systems.” Essentially that means detecting malware in the wild across the endpoints monitored by its software and systems. It’s a volume list.

For cyber-guru Ian Thornton-Trump, the real concerns for individuals and companies around the world remain Business Email Compromise, “the fastest growing and most lucrative cyber-criminal enterprise.” He also points out that doing the basics better goes a long way—“there is little if any mention of account compromises due to poor password hygiene or password reuse and the lack of identifying poorly or misconfigured cloud hosting platforms leading to some of the largest data breaches” in many of the reports now coming out.

So here are Cylance’s fifteen most rampant threats. This is their own volume-based list compiled from what their own endpoints detected. There are missing names—Trickbot, Sodinokibi/REvil, Ryuk, but they’re implied. Trickbot as a secondary Emotet payload, for example, or Cylance’s observation that “the threat actors behind Ryuk are teaming with Emotet and Trickbot groups to exfiltrate sensitive data prior to encryption and blackmail victims, with the threat of proprietary data leakage should they fail to pay the ransom in a timely manner.”

There are a lot of legacy malware variants listed—hardly a surprise, these have evolved and now act as droppers for more recent threats. We also now see multiple malware variants combine, each with a specific purpose. Ten of the malware variants target Windows and five target Macs—the day-to-day risks to Windows users remain more prevalent given the scale and variety of the user base, especially within industry.

Windows Threats

  • Emotet: This is the big one—a banking trojan that has been plaguing users in various guises since 2014. The malware has morphed from credential theft to acting as a “delivery mechanism” for other malware. The malware is viral—once it gets hold of your system, it will set about infecting your contacts with equally compelling, socially engineered subterfuges.
  • Kovter: This fileless malware lives in the computer’s registry, which makes it more difficult to detect. The malware began life hiding behind spoofed warnings over illegal downloads or file sharing. Now it has joined the mass ad-fraud market, generating fraudulent clicks which quickly turn to revenue for the malware’s operators.
  • Poison Ivy: A malicious “build your own” remote access trojan toolkit, providing a client-server setup that can be tailored to enable different threat actors to compile various campaigns. The malware infects target machines with various types of espionage, data exfiltration and credential theft. Again the malware is usually spread by emailed Microsoft Office attachments.
  • Qakbot: Another legacy malware, dating back a decade, but which has evolved with time into something more dangerous than its origins. The more recent variants are better adapted to avoiding detection and to spreading across networks from infected machines. The malware can lock user and administrator accounts, making removal more difficult.
  • Ramnit: A “parasitic virus” with “worming capabilities,” designed to infect removable storage media, aiding replication and the persistence of an attack. The malware can also infect HTML files, infecting machines where those files are opened. The malware will steal credentials and can also enable a remote system takeover.
  • Sakurel (aka Sakula and VIPER): Another remote access trojan, “typically used in targeted attacks.” The delivery mechanism is through malicious URLs, dropping code on the machine when the URL is accessed. The malware can also act as a monitor on user browsing behavior, with other targeted attacks following as more malware is pulled onto the machine.
  • Upatre: A more niche, albeit still viable threat, according to Cylance. Infection usually results from emails which attach spoof voicemails or invoices, but Cylance warns that users can also be infected by visiting malicious websites. As is becoming much more prevalent now, this established legacy malware acts as a dropper for other threats.
  • Ursnif: This is another evolved banking trojan, which infects machines that visit malicious websites, planting code in the process. The malware can adapt web content to increase the chances of infection. The malware remains a banking trojan in the main, but also acts as a dropper and can pull screenshots and crypto wallets from infected machines.
  • Vercuse: This malware can be delivered by casual online downloads, but also through infected removable storage drives. The malware has adopted various methods of detection avoidance, including terminating processes if analysis tools are detected. The primary threat from this malware now is as a dropper for other threats.
  • Zegost: This malware is designed to identify useful information on infected machines and exfiltrate this back to its operators. That data can include activity logging, which includes credential theft. The malware can also be used for an offensive denial of service attack, essentially harnessing infected machines at scale to hit targets.

Mac Threats

  • CallMe: This is a legacy malware for the Mac world, opening a backdoor onto infected systems that can be exploited by its command and control server. Dropped through malicious Microsoft Office attachments, usually Word, the vulnerability has been patched for contemporary versions of macOS and Office software. Users on those setups are protected.
  • KeRanger: One of the first ransomware families within the Mac world, the malware started life with a valid Mac Developer ID, since revoked. The malware will encrypt multiple file types and includes a process for pushing the ransom README file to the targeted user. Mitigation includes updated systems, but also offline backups as per all ransomware defenses.
  • LaoShu: A remote access trojan that uses infected PDF files to spread its payload. The malware will look for specific file types, compressing those into an exfiltration zip file that can be pulled from the machine. As well as keeping systems updated, this malware also calls for good user training and email behavior, including avoidance of unknown attachments.
  • NetWiredRC: A favourite of the Iranian state-sponsored APT33, this malware is a remote access trojan that will operate across both Windows and Mac platforms. The malware focuses on exfiltrating “sensitive information” and credentials—the latter providing routes in for state attackers. Cylance advises administrators to block 212[.]7[.]208[.]65 in firewalls and monitor for “%home%/” on systems.
  • XcodeGhost: Targeting both Mac and iOS, this compiler malware is considered “the first large-scale attack on Apple’s App Store.” Again with espionage and wider attacks in mind, the malware targets, captures and pulls strategic information from an infected machine. Its infection of “secure apps” serves as a wider warning as to taking care when pulling apps from relatively unknown sources.

In reality, the list itself is largely informational as mitigation is much the same: Some combination of AV tools, user training, email filtering, attachment/macro controls, perhaps some network monitoring—especially for known IP addresses. The use of accredited VPNs, avoiding public WiFi, backups. Cylance also advises Windows administrators to watch for unusual registry mods and system boot executions.

Thornton-Trump warns that we need constant reminding that cyber security is about “people, process and technology.” Looking just at the technology side inevitably gives a skewed view. For him, any vendor reports inevitably “overstate the case for anti-malware defences in contrast to upgrade and improvement of other defensive mechanisms, including awareness training and vulnerability management.”

And so, ultimately, user training and keeping everything updated resolves a material proportion of these threats, along with some basic precautions around backups and the use of cloud or detached storage, which provides some redundancy. Common sense, inevitably, also features highly—whatever platform you may be using.


#cybersecurity | hacker | Malproxying: Leave your malware at home


Endpoint protection plays a critical role in the modern organizational security stack. Yet the very nature of this security model is fundamentally flawed. Endpoint security solutions, and the malicious actors trying to breach them, are locked into a perpetual game of cat and mouse. Each side must continually adapt and react to the tactics of the other. And, unfortunately for organizational security specialists, the playing field is radically unbalanced.

Security solutions and professionals need to maintain perfect endpoint protection; hackers, meanwhile, need only a single successful attempt to wreak extraordinary damage. Yet security solutions do have one point in their favor: the most common endpoint security evasion techniques require constant updating, which limits the pool of attackers and the scale at which attacks are launched.

This leads to a troubling question — what if a technique existed that allowed attackers to evade defense mechanisms while requiring little in the way of adjustments to malicious code? That was the topic of a well-received recent presentation I gave along with my colleague security researcher Hila Cohen at DEF CON 27 in Las Vegas, Nevada.

Let’s take a closer look at this technique and its implications for endpoint security.

The Current State of Endpoint Security

Existing security solutions use three mechanisms to maintain protection:

  • Static signatures — these can be a simple hash from a sequence of bytes in a file. Signatures sign file segments (or memory blocks), enabling a check against common IOCs (Indicators of Compromise) to see if the file is
  • Heuristic rules — these rules can inspect the imported function list, the executable’s uses, its section sizes and structure, and many more properties including entropy. Heuristic rules attempt to discern properties that are common among malicious files yet don’t exist in safe executables. They are not based on IOCs and don’t examine the binary sequences or hashes that fall into the static signature category.
  • Behavioral signatures — these signatures attempt to identify, evaluate and block all malicious activity. Because of the limitations of static signatures and heuristic rules, infected files are often miscategorized as safe. Behavioral signatures take a different approach, as they are based on an operational sequence executed in the system, rather than the implementation of malicious logic.

As mentioned above, endpoint protection solutions have a variety of weaknesses. Attackers can change the IOCs, properties and behavior of malicious files, allowing them to evade detection and quarantining. However, these techniques are highly manual and require significant expertise, making it difficult for attackers to implement at scale.

There is, however, another approach enabling the circumvention of endpoint security without the need for extensive labor or expertise: Malproxying.

How Malproxying Works

The core operational model of endpoint security solutions is simple: Identify and analyze code, then classify and (potentially) block. Yet what if an attacker could obscure that code entirely?

That’s the premise of the malproxying technique, which avoids deploying malicious code on target machines and therefore separates that code from any interaction with the target operating system. Here’s how it works:

A piece of code interacts with its operating system and environment through a set of API calls. The attacker redirects those API calls, and instead of running them on his operating system, he proxies them over the network to the target machine. So, the malicious code resides on the attacker side, where it is not monitored by any security solution (as the attacker completely controls the environment), but the actions performed by that malicious code actually interact with the target environment, allowing it to bypass common endpoint security protection mechanisms. The malicious code, meanwhile, cannot tell that it has not been executed on the targeted machine.

On a deeper level, the technique involves two key components: attacker and target stubs. The attacker code loads and executes malicious instructions, controls its API function calls and redirects them over a network tunnel to the target stub.

The target code appears innocent and has no malicious activity pre-coded. It receives the API requests and parameters, executes those requests and returns the results back to the attacker stub. These results are returned to the malicious code, in the exact way they would be returned if the malicious code had called the API functions locally. The malicious code is totally unaware of the long journey the response went through until it arrived at its destination.

Countering Malproxying

The malproxying technique is designed to evade the primary mechanisms used by endpoint detection solutions. The target stub contains no malicious logic in its base form, rendering it hard to identify and easy to modify if caught. Static signatures and heuristic rules are easily bypassed.

Behavioral signatures, however, are another matter. The bottom line is that a “malicious” sequence of API calls must be executed on the target machine to achieve the attacker’s malicious goals. A sophisticated monitoring tool can detect that malicious flow and trigger an alarm. This merely invites another protracted cat and mouse battle, as the attackers have to find new ways to make it very hard for monitoring tools to assemble the trace of their malicious actions.

For example, an attacker could trigger each API function call in a different thread, making it harder for security solutions to identify a single code flow to check whether it is malicious or not. Alternatively, the attacker could bypass the detection points where the security solution tracks the activity of the process. Once those detection points are bypassed, the security solution is blind to any API-based activity.

Continual improvement and refinement of behavioral detection capabilities represent a better option. Actions triggered by malicious logic can be tracked using various techniques to ensure that calls are fully tracked. By building a more robust log of executed system function calls — and the signatures that define malicious behavior — organizations can develop a more viable line of defense against this novel attack technique.
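To make the countermeasure concrete, here is an added example (my own code, not the article's and not XM Cyber's) of a behavioral signature matched against a constructed API-call trace: grouping calls per thread misses a chain whose steps were issued from different threads, while grouping the same calls per process reassembles the flow and fires. The log format, the signature and all sample values are assumptions made for the illustration.

```python
"""Behavioral-signature matching over an API-call trace.

Added example (not from the article or XM Cyber). It shows why a log of
executed system calls should be assembled per process: a signature matched
thread-by-thread misses a chain whose steps came from different threads,
while the same signature over the whole process trace still fires.
"""
from collections import defaultdict
from dataclasses import dataclass, field
import re

# Constructed sample trace in an assumed log format (not any real product's):
#   "<seq> pid=<n> tid=<n> <Api>(<k=v,...>) -> <k=v | ok>"
# Process 4242 issues one chain from four different threads; process 9001 is
# a benign reader that shares only the first step of that chain.
SAMPLE_TRACE = """\
1 pid=4242 tid=100 OpenProcess(pid=1337) -> h=0x5c
2 pid=4242 tid=101 VirtualAllocEx(h=0x5c,size=4096) -> addr=0x7ff0
3 pid=9001 tid=200 OpenProcess(pid=2000) -> h=0x44
4 pid=4242 tid=102 WriteProcessMemory(h=0x5c,addr=0x7ff0) -> ok
5 pid=9001 tid=200 ReadProcessMemory(h=0x44,addr=0x1000) -> ok
6 pid=4242 tid=103 CreateRemoteThread(h=0x5c,addr=0x7ff0) -> h=0x60
"""

# Illustrative signature (assumed): an ordered API chain whose steps must all
# operate on the same process handle "h", whichever thread issued each step.
REMOTE_THREAD_CHAIN = {
    "name": "remote-thread-injection-chain",
    "steps": ["OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
              "CreateRemoteThread"],
    "join": "h",
}

LINE_RE = re.compile(r"^(\d+) pid=(\d+) tid=(\d+) (\w+)\((.*?)\) -> (.*)$")


@dataclass
class Call:
    seq: int
    pid: int
    tid: int
    api: str
    args: dict = field(default_factory=dict)
    ret: dict = field(default_factory=dict)


def parse_kv(text):
    """'h=0x5c,size=4096' -> {'h': '0x5c', 'size': '4096'}; 'ok' -> {}."""
    out = {}
    for part in text.split(","):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def parse_trace(text):
    """Parse the trace format into Call records; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seq, pid, tid, api, args, ret = m.groups()
            calls.append(Call(int(seq), int(pid), int(tid), api,
                              parse_kv(args), parse_kv(ret)))
    return calls


def match_signature(calls, sig):
    """Match the ordered chain within one group of calls, keyed by join value.

    Progress is tracked per handle so unrelated handles do not advance each
    other; a completed chain is reported with every thread that contributed.
    """
    progress = {}  # join value -> (index of next expected step, contributing tids)
    hits = []
    for call in sorted(calls, key=lambda c: c.seq):
        key = call.args.get(sig["join"], call.ret.get(sig["join"]))
        if key is None:
            continue
        idx, tids = progress.get(key, (0, frozenset()))
        if call.api != sig["steps"][idx]:
            continue
        idx, tids = idx + 1, tids | {call.tid}
        if idx == len(sig["steps"]):
            hits.append({"signature": sig["name"], "join": key, "tids": sorted(tids)})
            progress.pop(key, None)
        else:
            progress[key] = (idx, tids)
    return hits


def detect(trace, sig, group_by="pid"):
    """Run the signature over the trace, grouping calls per thread ("tid") or per process ("pid")."""
    groups = defaultdict(list)
    for call in parse_trace(trace):
        groups[getattr(call, group_by)].append(call)
    return [{group_by: gid, **hit}
            for gid, calls in groups.items()
            for hit in match_signature(calls, sig)]
```

Calling `detect(SAMPLE_TRACE, REMOTE_THREAD_CHAIN, "tid")` returns nothing because each thread holds a single call, whereas `detect(SAMPLE_TRACE, REMOTE_THREAD_CHAIN, "pid")` reports the chain in process 4242 spread over threads 100 to 103.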

Amit Waisel, Senior Technology Lead in Security Research, XM Cyber

The post Malproxying: Leave your malware at home appeared first on SC Media.


#deepweb | Malware volume drops, cryptojacking down 78%, stealthy attacks on web apps double


Good news as volumes of attacks drop, but bad as attackers turn to stealthier attacks on softer targets

Global malware attacks fell for only the second time in five years, dropping six percent to 9.9 billion, down from 10.5 billion, according to a new report. 

This seeming good news is not all it seems, however, with attackers eschewing large volume attacks in favour of more evasive and targeted attacks on soft targets. In other ‘good’ news, ransomware attacks also dropped nine percent to almost 188 million, while the volume of cryptojacking incidents plummeted 78 percent in the second half of 2019. This last is probably due to the volatile crypto market directly impacting revenues for hackers, as well as the shuttering of browser-based Monero-mining service Coinhive in March 2019.

However, the bad news is that hackers have turned their attention to more lucrative targets, with web apps such as Dropbox and Slack seeing a huge uptick in attacks, up 52 percent in the past year to 40.8 million. According to the 2020 SonicWall Cyber Threat Report the overall internet trend towards encrypting traffic has been reflected in hacking too, with a rise in encrypted threats of 27 percent, totalling up to almost four million.

In addition, fileless malware and a range of new techniques (including code obfuscation, sandbox detection and bypass) saw a rise in popularity, with new threats hiding in common and trusted file types such as Office (20.3 percent) and PDFs (17.4 percent). Indeed, these two file types represented 38 percent of new threats detected by SonicWall.

Terry Greer-King, VP EMEA at SonicWall told SC Media UK that cyber-criminals are becoming smarter and more ambitious than ever before: “They now spend more time honing their craft, targeting vulnerable IoT devices and aiming ransomware at the highest-value targets most likely to payout. With hackers doubling their attacks on popular web apps used for work and everyday needs, financial and personal information within those services is now more vulnerable than ever. Sold on the dark web for a profit, there’s no telling where these details will end up.”

Interestingly, another trend highlighted by the report is a rise in IoT attacks, which saw a moderate five percent increase, with a total volume of 34.3 million attacks in 2019. With IoT devices widely tipped for an exponential rise (one industry study predicts the global IoT security market will reach or exceed £27 billion by 2023, a spike of 33.7 percent), the stage is set for increased volumes of IoT attack traffic as device penetration and deployment increases.

“Total end-to-end security is key, including a layered approach to security across wired, wireless, mobile and cloud networks. It will continue to be crucial to secure and manage IoT devices to prevent tampering and unauthorised access. As the report testifies, data will continue to be put under threat by malicious actors, often across changing vectors, and so it is hugely important that businesses and governments are proactive in protecting this,” summarised Greer-King.

The report found that the most popular ransomware family of 2019 (making up 33 percent of all ransomware attacks), was Cerber, also boasting four of the top 10 ransomware signatures of the year, including the top two spots totaling more than 77 million hits. 


Android Malware for Mobile Ad Fraud Spiked Sharply …


Some 93% of all mobile transactions across 20 countries were blocked as fraudulent, Upstream says.

Criminal groups are increasingly targeting users of Android mobile devices with malware for conducting ad fraud on a massive scale.

Mobile security vendor Upstream this week said that in 2019 it identified as many as 98,000 malicious Android apps and 43 million infected Android devices across the 20 countries where mobile operators currently use its technology. The numbers are up sharply from 2018 when Upstream recorded some 63,000 apps and 30 million infected devices.

A startling 32% of the top 100 most active malicious Android apps that Upstream blocked in 2019 were available for download on Google Play. Many of them still are, according to Upstream. Another 19% of the worst-offending malicious Android apps were also on Google Play but have been removed, the vendor noted.

More than nine out of 10 — or 1.6 billion of the 1.71 billion mobile transactions that Upstream’s security platform processed last year — were blocked for being fraudulent. If those transactions had been allowed, the total cost to end users in fraudulent charges would have topped $2.1 billion, Upstream said in a report. In Egypt, 99% of the mobile transactions that Upstream’s platform handled were fraudulent.

Android is the most targeted mobile OS because of how widely it is used and also because the operating system is open and therefore more vulnerable, says Dimitris Maniatis, CEO at Upstream. 

Android is a favorite playground for bad actors, especially in the case of low-end devices, he says. “Users should have a heightened awareness of any preinstalled apps that come bundled with their device and pay attention to the mobile data usage by each,” Maniatis says. “Organizations should have measures in place to check the app’s reviews, developer details, and list of requested permissions, making sure that they all relate to the app’s stated purpose.”

Upstream’s analysis of 2019 data shows that the favorite apps for hiding ad-fraud malware are those that purport to improve productivity or improve device functionality. Some 23% of the malicious Android apps that Upstream encountered last year fell into this category. Other apps that attackers frequently used to hide malware included gaming apps, entertainment/lifestyle and shopping apps, communications and social apps, and music and audio and video players.

The most downloaded malicious Android apps in 2019, according to Upstream, were Ai.type (an emoji keyboard), video downloader Snaptube, file-sharing app 4shared, video streaming and downloading app VidMate, and a weather app. The top five apps alone have been downloaded some 700 million times. The top 100 malicious Android apps combined have been downloaded more than 8 billion times, Maniatis says.

In the US, the worst offenders, according to Upstream, were Free Messages, Video, Chat, Text for Messenger Plus; GPS Speedometer; QVideo, EasyScanner; and WhoUnfriendedMe.

A Stealthy Menace

In many cases, malicious apps do the function they are purportedly designed to do. For example, a weather app might forecast weather but in the background also carry out a variety of malicious activity without the user knowing a thing.

Malware for mobile ad fraud can visit websites and view and click on banner ads, make purchases, mimic a real user going through a subscription process, or deliver bogus ads to the device without the user being aware of the activity. The goal is to generate revenue for the malware author in different ways, including via payouts for fraudulent traffic and ad clicks.

Often such rogue apps can remain on a device for a long time because the malicious activity is only happening in the background. In some cases, the apps change their name after being downloaded or don’t have an icon to locate them easily.

“Losses from online, mobile, and in-app advertising reached $42 billion in 2019 and are expected to reach $100 billion by 2023, according to Juniper research published last May,” Maniatis says. “Considering that fraudsters operate at scale and can simultaneously target millions, tens of millions, or even hundreds of millions of devices in one hit, the means to stop them in their tracks need to likewise operate at scale.”

A vast majority of the victims are users of Android phones, especially in countries including Brazil, Egypt, Indonesia, South Africa, and Ethiopia.

While detecting malicious mobile apps can be difficult, there are often some indicators — like a constantly drained battery, an overheated device, or high data charges. User ratings and reviews are also sometimes a good indicator of an app’s quality, though not always.

The most downloaded malicious Android apps, for instance, all had good reviews and high ratings, but only because of a carpet bombing of fake reviews, says Maniatis. “The only way to get around this currently is to scroll enough and see genuine negative reviews from real users,” he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …


#cybersecurity | hacker | Federally funded Unimax smartphone pre-loaded with malware

The Unimax UMX U686CL, a Chinese-made smartphone distributed by the federally funded Assured Wireless by Virgin Mobile, has been found to come pre-loaded with two malicious applications. Malwarebytes researchers found that the malware every owner finds on their phone is Wireless Update, and amazingly the device’s […]

#comptia | #ransomware | High-Impact Windows 10 Security Threat Revealed As App-Killing Malware Evolves

New research reveals alarming Windows 10 ‘Clop’ app-killing threat

The Federal Bureau of Investigation (FBI) issued a high-impact threat warning to U.S. businesses and organizations on October 2, 2019. That threat was ransomware, and the FBI warned that cybercriminals “upgrade and change their techniques to […]

Hackers Behind GozNym Malware Sentenced for Stealing $100 Million

Source: National Cyber Security – Produced By Gregory Evans

GozNym Banking Malware

Three members of an international organized cybercrime group that was behind a multi-million dollar theft primarily against U.S. businesses and financial institutions have been sentenced to prison, the U.S. Justice Department announced.

The criminals used the GozNym banking Trojan to break into more than 4,000 victim computers globally, primarily in the United States and Europe, between 2015 and 2016, and fraudulently steal nearly $100 million from their banking accounts.

In May this year, Europol dismantled the cybercrime network behind GozNym, with the United States issuing charges against a total of ten members of the group, five of whom were arrested at that time, while five others, including the developer of GozNym, remain at large.

In a federal court in Pittsburgh on Friday, Krasimir Nikolov, one of the group’s members, was sentenced to a period of time served after having served over 39 months in prison for his role as an “account takeover specialist” in the scheme, and will now be transferred to Bulgaria.

Nikolov, 47, was arrested in September 2016 by Bulgarian authorities and extradited to Pittsburgh in December 2016 to face federal charges of criminal conspiracy, computer fraud, and bank fraud.

“Nikolov used the victims’ stolen online banking credentials captured by GozNym malware to access victims’ online bank accounts and attempt to steal victims’ money through electronic transfers into bank accounts controlled by fellow conspirators,” the DoJ said in a press release.

Two other GozNym group members sentenced on Friday, Alexander Konovolov and Marat Kazandjian, also participated in the scheme and were sentenced to seven and five years of imprisonment, respectively. Both were arrested and prosecuted in Georgia.

While Konovolov served as a primary organizer and leader of the GozNym network that controlled over 41,000 infected computers and recruited cybercriminals using underground online criminal forums, Kazandjian was his primary assistant and technical administrator.

GozNym is a notorious banking Trojan that was developed by combining two known powerful Trojans: Gozi ISFB, a banking Trojan that first appeared in 2012, and Nymaim, a Trojan downloader that can also function as ransomware.


The malware, primarily delivered via massive malspam campaigns to infect victims’ Windows PCs, waits for victims to enter their banking passwords into their web browser, captures them, and then uses them to break into victims’ bank accounts and fraudulently transfer funds to accounts the criminals control.

The GozNym malware network was hosted and operated through the “Avalanche” bulletproof hosting service, whose administrator was arrested in Ukraine during a search in November 2016.

“This new paradigm involves unprecedented levels of cooperation with willing and trusted law enforcement partners around the world who share our goals of searching, arresting, and prosecuting cyber criminals no matter where they might be,” said U.S. Attorney Scott W. Brady.

The victims of this cybercrime network were primarily U.S. businesses and their financial institutions, including a number of victims located in the Western District of Pennsylvania, though the DoJ did not name any.


The post Hackers Behind GozNym Malware Sentenced for Stealing $100 Million appeared first on National Cyber Security.


#infosec | US Jails NeverQuest Malware Creator for 4 Years

Source: National Cyber Security – Produced By Gregory Evans

A Russian hacker who created a piece of malware to steal money from bank accounts has been jailed for four years by a United States court. Stanislav Vitaliyevich Lisov was arrested by Spanish authorities at Barcelona–El Prat Airport on January 13, 2017, at the request of […]

#cybersecurity | hacker | Attackers pose as German, Italian & US gov’t agencies to spread malware

Source: National Cyber Security – Produced By Gregory Evans

Since October, a threat actor has been impersonating governmental agencies in phishing emails designed to infect American, German and Italian organizations with various forms of malware, including the Cobalt Strike backdoor, Maze ransomware and the IcedID banking trojan.

Business and IT services, manufacturing companies, and healthcare organizations make up a large share of the targets in this operation, said a blog post today from Proofpoint, which calls the group TA2101. In many cases, the emails are sent from addresses that are made to look authentic at first glance, only they end in the .icu top-level domain.

The Proofpoint Threat Insight Team observed TA2101 campaigns targeting German organizations on Oct. 16 and 23, and then again on Nov. 6, during which time the actor pretended to be the Bundeszentralamt für Steuern, aka the German Federal Ministry of Finance. The adversary sent hundreds of emails with lures designed to entice recipients into opening Word documents containing malicious macros. These macros executed a PowerShell script that delivered Cobalt Strike, a legitimate attack simulation tool that in the wrong hands can be used as actual malware.

The October emails, aimed largely at IT services companies, falsely claimed that recipients were due to receive a tax refund, and instructed them to open the Word doc to fill out a refund request form.

The Nov. 6 emails similarly targeted business and IT services companies. In this instance, however, the attached documents were disguised as an RSA SecurID key, but actually contained macros that delivered Maze ransomware. One day later, TA2101 sent out even more emails, except that instead of impersonating the Federal Ministry of Finance, the attackers pretended to be the ISP 1&1 Internet AG.

Phishing activity targeting Italian organizations, especially manufacturing companies, took place on Oct. 29. For this scam, TA2101 emailed dozens of prospective victims a notification of law enforcement activities that purportedly came from Agenzia Entrate, the Italian Ministry of Taxation, and threatened recipients with financial penalties. Again, opening the attached Word doc would trigger the embedded macros to install Maze.

The most recent campaign referenced in the blog post took place on Nov. 12 and zeroed in on American organizations. These emails, which used a domain instead of .icu, seemed to come from the U.S. Postal Service and again appeared to include a Word document with an RSA SecurID key. Opening the document in this case caused the macros to deliver the IcedID banking trojan.

“Proofpoint researchers have observed a consistent set of TTPs… that allows attribution of these campaigns to a single actor with high confidence. These include the use of .icu domains, as well as identical email addresses for the Start of Authority (SOA) resource records stored for the DNS entries for the domains used in these campaigns,” wrote Proofpoint researcher and blog post author Bryan Campbell. “The SOA email addresses are also linked to campaigns that attempted to spread Buran ransomware in September.”

“Additionally, Proofpoint researchers have observed that the canonical URLs used by this actor are formatted in a repeatable fashion with word_/.tmp in the string with slight variations made over time,” the blog post continued. “Proofpoint researchers suspect that the word_/.tmp usage might be linked to previous campaigns that were spotted earlier by the infosec community in 2019.”
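The SOA pivot described in the two quotes above, implemented as an added Python example (not Proofpoint's code or data): it decodes the RNAME field of an SOA record to a mailbox, groups a set of domains by that contact, and reports clusters that also use a watched TLD such as .icu. Every domain name and record in it is constructed; the registrar-default cluster is there to show why a shared contact on its own should not drive attribution.

```python
"""Pivot on SOA contact addresses across a set of domains.

Added example, not Proofpoint's code. It works on constructed SOA record text
(no live DNS lookups), converts the RNAME field to a mailbox, and groups the
domains by that mailbox so that a shared contact plus an unusual TLD such as
.icu stands out for review. All domain names and records below are constructed.
"""
from collections import defaultdict

# Constructed sample data: domain -> SOA RDATA as it would appear in a zone dump.
# Fields: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
SAMPLE_SOA = {
    "tax-refund-notice.icu":
        "ns1.example-dns.test. hostmaster\\.ops.example-mail.test. 2019101601 3600 900 604800 86400",
    "secureid-update.icu":
        "ns1.example-dns.test. hostmaster\\.ops.example-mail.test. 2019110601 3600 900 604800 86400",
    # Same contact, different TLD: the cluster should still catch it.
    "postal-notice.example":
        "ns2.example-dns.test. hostmaster\\.ops.example-mail.test. 2019111201 3600 900 604800 86400",
    # Two unrelated sites sharing a registrar's default contact: a benign cluster.
    "corner-shop.example":
        "ns1.example-registrar.test. dnsadmin.example-registrar.test. 2019010101 7200 1800 1209600 3600",
    "garden-shop.example":
        "ns1.example-registrar.test. dnsadmin.example-registrar.test. 2019020101 7200 1800 1209600 3600",
}


def rname_to_email(rname: str) -> str:
    """Convert an SOA RNAME to a mailbox.

    RNAME encodes the contact as a domain name: the first unescaped dot splits
    the local part from the mail domain, and a dot inside the local part is
    written as a backslash-escaped dot.
    """
    local = []
    i = 0
    while i < len(rname):
        ch = rname[i]
        if ch == "\\" and i + 1 < len(rname):
            local.append(rname[i + 1])      # escaped character is literal
            i += 2
            continue
        if ch == ".":
            domain = rname[i + 1:].rstrip(".")
            return "".join(local) + "@" + domain
        local.append(ch)
        i += 1
    return "".join(local)                   # no separator: return as-is


def parse_soa(rdata: str) -> dict:
    """Split SOA RDATA into named fields; numeric fields become ints."""
    mname, rname, serial, refresh, retry, expire, minimum = rdata.split()
    return {
        "mname": mname.rstrip("."),
        "contact": rname_to_email(rname),
        "serial": int(serial),
        "refresh": int(refresh),
        "retry": int(retry),
        "expire": int(expire),
        "minimum": int(minimum),
    }


def tld(domain: str) -> str:
    """Return the last label of a domain name, lower-cased."""
    return domain.rstrip(".").rsplit(".", 1)[-1].lower()


def cluster_by_contact(soa_map: dict) -> dict:
    """Group domains by the SOA contact mailbox."""
    clusters = defaultdict(list)
    for domain, rdata in soa_map.items():
        clusters[parse_soa(rdata)["contact"]].append(domain)
    return {contact: sorted(domains) for contact, domains in clusters.items()}


def suspicious_clusters(soa_map: dict, watch_tlds=("icu",), min_size=2) -> dict:
    """Keep clusters of at least min_size domains where at least one domain uses
    a watched TLD. A shared contact alone is weak evidence (registrars reuse
    defaults), so the TLD signal is required before a cluster is reported."""
    watch = {t.lower() for t in watch_tlds}
    return {
        contact: domains
        for contact, domains in cluster_by_contact(soa_map).items()
        if len(domains) >= min_size and any(tld(d) in watch for d in domains)
    }


if __name__ == "__main__":
    for contact, domains in suspicious_clusters(SAMPLE_SOA).items():
        print(f"{contact}: {', '.join(domains)}")
```

Running it reports only the `hostmaster.ops@example-mail.test` cluster, including the non-.icu domain that shares the contact, while the two shops under the registrar's default contact are left alone. In practice the SOA text would come from passive-DNS or zone-file exports rather than the embedded dictionary.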


The post #cybersecurity | hacker | Attackers pose as German, Italian & US gov’t agencies to spread malware appeared first on National Cyber Security.
