Cryptomining Malware Vivin Uses Pirated Software as Attack Vector

Vivin, a cryptomining malware that likes munching on
Monero, is one of the many examples of such software roaming the dark corners
of the Internet. Security researchers have been tracking it for the last couple
of years, and it shows no sign of slowing down.

Cryptomining took a bit of a tumble as the cryptocurrency
market dwindled in the past couple of years, but it didn’t really stop. The
fact that new digital currencies kept popping up preserved people’s interest,
and the same is true for the hackers and individuals looking to profit.

Security researchers tracked
the Vivin malware as it morphed, adapting to the market and to what the people
were looking for. Whoever is behind the malware keeps making changes, choosing
new attack vectors, and rotating wallets so it doesn’t attract too much
attention.

The preferred delivery method is an interesting one, as
hackers chose to embed the malware in pirated software and games. Users would
download pirated materials and subsequently get infected with Vivin
cryptomining malware, which was set to use 80% of the system’s processing
power.

Surprisingly, the bad actor wielding Vivin made little
effort to hide his trail and was tracked by the researchers. “The length
of historical activity by Vivin, the multitude of wallets and malware execution
infrastructure, and the actor’s somewhat flippant attitude towards operational
security suggest that the Vivin will attempt to continue their operations for
the foreseeable future,” said the researchers.

As it stands, Vivin is alive and kicking, and will
probably remain so for as long as it’s profitable.

Five Microsoft Elasticsearch Servers with Private Data for 250 Million People Found Unsecured Online

Security researchers found a total of 250 million Microsoft
customer records spread on five unsecured servers that could have been accessed
by anyone using just a web browser. Microsoft has since secured the servers.

Unsecured Elasticsearch servers seem to be all the rage,
as various companies leave them unsecured and accessible from the Internet.
While Elasticsearch servers have very specific uses and are designed to provide
people with scalable and fast search capabilities, they also come with clear
instructions from the developers.

Besides the fact that Elasticsearch mustn’t be run as
root and can’t be directly exposed to the users, the databases can’t be
connected directly to the Internet.
Instead, an application needs to be used to make the proper requests, following
precise rules. In no scenario should an Elasticsearch server be found online,
let alone without any kind of authentication.

The five Elasticsearch servers identified
each contained the same data set of 250 Customer Service and Support (CSS)
records. The private data included email addresses, IP addresses, locations,
descriptions of CSS claims and cases, the emails of Microsoft’s support agents,
case numbers, resolutions, and remarks, along with internal notes marked as
“confidential.”

Once the breach was detected, and Microsoft notified, access
to the server was cut. It’s impossible to tell how long the data was available
online or how many people accessed it before Microsoft stepped in. Still, the
leaked information is exactly what’s needed for tech support scams.

Using this kind of data, scammers call people and
convince them they’re Microsoft employees. After all, who could have access to
this data other than Microsoft? Convincing people to install remote desktop
tools or phishing for additional information is the usual path taken by
scammers. It’s important to know that Microsoft never calls up people, for any
reason, and any interaction with the company is done exclusively from the customer’s
direction.

AMD patches critical vulnerabilities in its Radeon graphics cards

The research team from Cisco Talos has spotted four
exploitable vulnerabilities in AMD ATIDXX64.DLL driver that can affect VMware
Workstation running on Windows, according to recent Talos Vulnerability reports.

The security issues, tracked as CVE-2019-5124,
CVE-2019-5146, CVE-2019-5147 and CVE-2019-5183, were tested on Radeon RX 550 /
550 Series VMware Workstation 15 (15.5.0 build-14665864) with Windows 10 x64 as
guestVM. The researchers concluded that a threat actor could perform a denial
of service (DoS) attack or allow for remote execution of arbitrary code on a
targeted system.

While remote execution of arbitrary code would require an
attacker to use the available vulnerability to inject a malicious file in a
system, a DoS attack can cause a service to become unavailable or crash the
operating system.

The security issues include:

  • AMD ATI Radeon ATIDXX64.DLL MAD shader
    functionality denial-of-service vulnerability
    tested in version 26.20.13025.10004 (CVE-2019-5146)
  • AMD ATI Radeon ATIDXX64.DLL MOVC shader
    functionality denial-of-service vulnerability
    tested in version 26.20.13003.1007 (CVE-2019-5147)
  • AMD ATI Radeon ATIDXX64.DLL shader functionality
    constant buffer denial-of-service vulnerability
    in version 26.20.13001.50005 (CVE-2019-5124)
  • AMD ATI Radeon ATIDXX64.DLL shader functionality
    VTABLE remote code execution vulnerability
    (CVE-2019-5183) tested in version 26.20.13031.10003, 26.20.13031.15006 and
    26.20.13031.18002

The research team mentioned that all vulnerabilities pose a
high security risk as a remote non-authenticated attacker can exploit them.
Neither Talos nor AMD are aware of exploitation of the flaws.

The vendor quickly reacted to the news and released a fix,
recommending users to update version 15.5.1 with 20.1.1, available in the Radeon
Software Adrenalin 2020 Edition 20.1.1 Driver for Windows.

Teenager charged over $50 million SIM-swap cryptocurrency theft

Samy Bensaci, an 18-year-old living in Montreal, Canada, has been charged in connection with the theft of over $50 million worth of cryptocurrency in a SIM-swapping scam.

A SIM swap attack (also sometimes called a Port Out scam) is one where fraudsters manage to trick the customer support staff of cellphone operators into giving them control of someone else’s phone number.

When an online account subsequently sends its authentication token or reset password link to the user’s phone number via SMS, it ends up in the hands of the attacker. In this way a hacker can hijack an email account, and gain access to cryptocurrency wallets if they are not more strongly secured.

According to Lieutenant Hugo Fournier, a spokesperson for the Sûreté du Québec, the fraud that Benasci was allegedly involved in stole “$50 million from our neighbours to the south and $300,000 in Canada.”

Individuals allegedly targeted by the attack include Dan Tapscott, the head of the Blockchain Research Institute, and his son Alex, a well-known advisor on blockchain technologies and cryptocurrencies.

Many of those targeted by the SIM swap fraud are thought to have attended Consensus, an annual cryptocurrency and blockchain conference held in New York.

Arrested and charged in November, Benasci was released on CA $200,000 bail and ordered to live with his parents in Northeast Montreal according to local media reports.

Benasci is prohibited from accessing any device capable of accessing the internet – which includes computers, tablets, mobile phones, and games consoles, has been ordered to surrender his passport to local police in order to guarantee he will not leave the country.

In addition the court has prohibited Benasci from owning or exchanging any form of cryptocurrency

In particular, Bensaci is prohibited from accessing “any computer, tablet, mobile phone, game console, including PS3, PS4, Xbox, Nintendo Switch, or any other device capable of accessing the Internet”.

One victim of a SIM swap attack is Robert Ross, who claims he had one million dollars stolen from him after an AT&T customer service representative was tricked into redirecting Ross’s number to a cellphone under the control of a hacker:

“Because of AT&T, the hacker was then able to take control of my Gmail by clicking “forgot password”, which sent a text to the hacker’s phone instead of mine to reset my email password. In minutes, I lost control of my mobile service, email and several other accounts. Then he logged into my financial accounts and used my $1M in US dollars to buy Bitcoin with my $1M and sent it all to himself. He also got picture perfect copies of my birth certificate, passport and driver’s license.This all happened in 20 minutes, and all because of AT&T and a 21-year old criminal. This was most of my life savings and it’s been devastating to my family.”

Ross now runs the website StopSIMCrime.org, which aims to raise awareness and resources about the threat.

But despite Ross’s efforts, SIM swap frauds continues to occur, and some victims have lost much more than $1 million.

Ubisoft Sues Alleged DDoS-for-Hire Service

Game developer Ubisoft has sued the owners of SNG.ONE, an
alleged DDoS (distributed denial-of-service) website, claiming that they are behind
recent attacks against Tom Clancy’s Rainbow Six Siege servers.

Tom Clancy’s Rainbow Six Siege is a multiplayer game
developed and published by Ubisoft. In this multiplayer game, teams of players faced
off in online matches. The players are highly competitive and would do anything
to win the game, and that includes DDoSing opponents.

Players can win a match if the other party loses its Internet
connection, and this is where DDoS-for-hire comes into play. When the server
notices that a player exits from the match, for whatever reason, it grants victory
to the other team. Even if the Internet connection doesn’t drop, making it
unplayable would still be sufficient.

Since people are willing to pay for this kind of service,
a small industry operating DDoS services has been flourishing, and Ubisoft alleges
that SNG.ONE is one of those services. The service claims to offer penetration
testing specifically for DDoS attacks, and they also reportedly offer a
firewall solution capable of withstanding such attacks. They only accept
payment in Bitcoin.

“Defendants are members of a business enterprise
that provides its customers with subscription-based access to software and
other online services designed to enable their customers to perpetrate targeted
denial-of-service (“DoS”) and distributed denial-of-service
(“DDoS”) attacks (the “DDoS Attacks”) on the computer
servers that enable R6S players to play and compete in the game (collectively,
the “DDoS Services”),” state the legal documents obtained by Polygon.

Ubisoft is asking the courts to shut down the service and
is requesting damages. They also named the defendants as Dennis Kruk and
Maximilian Kuehl (Germany), Kelvin (Kevin) Uttih (Nigeria), and B.R from the
Netherlands.

During the attacks, Ubisoft proactively fought the
attackers and made changes to the servers so that the players would not feel
the impact of DDoS attackers. The company says it managed to reduce the
negative effect on multiplayer matches by 93%.

Maryland Bill Would Make Owning Ransomware a Criminal Offense

Lawmakers in the US State of Maryland are debating a new
bill that would make it illegal to own and distribute ransomware, and stiffens
punishment for ransomware operators.

If the bill passes, Maryland would be the third state, after
Michigan and Wyoming, to criminalize the possession and distribution of
ransomware.  The bill makes exceptions for
penetration testing, security researchers, and other legitimate reasons to own
ransomware.

While it might seem like a law with no teeth or purpose,
it’s actually designed to give prosecutors the right tools. Democrat State Senator
Susan Lee, the sponsor of the bill, enrolled the help of Markus Rauschecker,
the Cybersecurity Program director of the University of Maryland Center for
Health & Homeland Security.

“It’s important to send that signal. This bill highlights the threat and how big it is,” said Rauschecker to lawmakers, according to Capital News Service. If the bill becomes law, using ransomware would be classified as a misdemeanor and carry a penalty of up to ten years in jail and/or a fine up to $10,000.

The bill wasn’t proposed out of the blue. Hackers hit Baltimore, Maryland’s largest city, with a RobbinHood ransomware attack on May 7, 2019. All administrative transactions, payments and communications were frozen after city officials refused to pay the attackers. It took them more than eight weeks to restore all systems.

Following the attack, Baltimore City’s board allocated $10 million to an emergency ransomware response to prevent similar attacks. When the dust settled, the city estimated recovery costs at $18 million.

The current law in Maryland specifies that a cyberattack
that incurs damages of less than $10,000 is a misdemeanor and carries a punishment
of up to five years in prison and a fine up to $10,000. If the damages pass the
$10,000 mark, it turns into a felony, and the punishment goes up to 10 years in
prison.

The bill would dispense with limits for damages and raises
the punishment to up to 10 years, even if it’s a misdemeanor. A new hearing for
the ransomware bill is scheduled for January 28 in a House committee.

Ransomware Infects Main Server of Large Insurance Company in Oman

A ransomware attack has hit Oman United Insurance Company
SAOG, one of the largest insurers in Oman, but operations apparently remain
unaffected.

Finance is one of the sectors most targeted by hackers, including
banks, fintech firms, or insurance companies. One way to compromise a financial
organization is with ransomware, and this is exactly what happened with Oman
United Insurance Company SAOG.

The company notified the Capital Market Authority that
bad actors attacked their main server on January 1, 2020, and managed to
encrypt some data. However, it released no specific information to the public.

“The main server was hit and some data was also infected
and encrypted,” said
a spokesperson for The Oman Daily Observer. “The company lost some data
relating to the period from December 10, 2019, to January 1, 2020.”

“The online operation was suspended only for one day
(Thursday, January 2, 2020). However, the server is operating and we recovered
the lost data.”

From what the company revealed, it looks like they had
all the data backed up and restored operations quickly. Ransomware attacks are
starting to evolve, and some hackers will now try to exfiltrate data, which
they use for leverage during ransom talks. Fortunately for the Oman-based insurer,
that wasn’t the case.

One of Bitdefender’s
2020 Cybersecurity Predictions
relates specifically to ransomware and
companies in the financial sector. Ransomware is likely to be deployed in a
more targeted fashion, with the help of social engineering, BEC (Business Email
Compromise) attacks, and phishing campaigns.

Sextortion scam leverages Nest video footage to fool victims into believing they are being spied upon everywhere

A bizarre sextortion scam is attempting to trick victims that not only has their smartphone been hacked to spy upon their private lives, but also every other device they have encountered which contains a built-in camera.

As Ionut Ilascu at Bleeping Computer reports the scam begins with victims receiving an email entitled “Your Nudity online”, claiming to come from hackers who say they have spied on their victim for 11 months, and have managed to record nude video footage of the victim through their smartphone camera.

The extortionists offer “proof” to their intended victim, by sharing the login credentials of an email account, which contains a link to a webpage that appears to show a live feed from Google Nest cameras.

However, the Nest camera footage does not show any nude footage of the intended victim. Instead potential victims are tricked into believing that the live feed is unavailable as the connection to their supposedly infected smartphone has been temporarily lost.

The scammers attempt to explain away the lack of any evidence that the users’ phone has been infected with the following technobabble:

“Our virus goes Live at intervals to transmit Feed from any of the other devices which your cell phone infected so it can infected some more devices. During this period we lose visual of the Live Feed from your cell phone and when this happens we can triangulate the signal from your cell phone and we always know where you are.”

The idea that a hacker might be tracing a user’s precise location could, of course, be very unsettling.

Furthermore, the innocent member of the public targeted by the scammers is told by the supposed hackers that “we programmed the virus currently in your cell phone to record what it sees through its camera and to infect any other device with a camera in its range so we can always have an eye on you.”

For non-technical users the idea that smartphone malware could jump to and successfully infect other camera-enabled devices – such as security cameras – in the vicinity might seem plausible. But it’s poppycock.

Nonetheless, the fact that the webpage contains some embedded video feeds from public Nest cameras might be enough to fall the unwary or paranoid.

And then comes the sucker punch:

“We have pornographic type home videos of you already recorded and we intend publishing them all over the internet. Your videos are currently being uploaded by your cell phone on several Porn website servers and you have only a week till they are free for the public to view.” “Every SINGLE ONE of these Nude Recordings and Other Recordings where you were caught on camera doing something perhaps only you should know about are still on your cell phones iOS and uploads of these videos from your cell phone will continue every minute till all these videos are uploaded as cyberspace Porn.”

To add insult to injury, victims are told by their extortionists that the videos will also be uploaded onto electronic billboards.

The point of all these threats? To get the victim to contact the scammers via email where they will demand 500 Euros in payment through the Bitcoin cryptocurrency or US $600 worth of gift cards

But the truth is that they have not infected your smartphone. They have not infected any Nest cameras or CCTV cameras. They are not monitoring your location, nor spying on your daily activities. They do not have any pornographic videos of you.

Do your bit to discourage extortionists from making similar attacks. Stay clued up about the scams perpetrated via email, and make sure to raise awareness amongst your friends, colleagues and family – especially if you feel they might be vulnerable to falling for this type of unpleasant con trick.

JhoneRat targets Middle Eastern countries with advanced anti-detection techniques

Researchers have uncovered a new Windows-based remote access
tool (RAT) named JhoneRat targeting Arabic-speaking countries including Saudi
Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE,
Kuwait, Bahrain and Lebanon.

This new Trojan is quite sophisticated as the attackers use
multiple cloud services such as Twitter, Google Forms and Google Drive to
conceal it from virtual machines and analysis.

So what makes this new data stealer stand out? Unlike
similar malware, this homemade RAT was developed in Python using a non-open
source code to trick local security on the device, and it uses highly trusted
cloud services to drop malware.

In this case, the malicious campaign is executed via an
infected document on Google Drive. In the reconnaissance phase of the attack,
the RAT filters its victims by checking the keyboard layout of infected
devices. During the investigation, the Cisco Talos
research team identified three Microsoft Office documents that were used:

  • ‘Urgent.docx’ – initial document from November
    2019 where the user is asked to enable editing in English and Arabic
  • ‘fb.docx’ – the second document from the beginning
    of January that contains a list of leaked Facebook accounts from 2019
  • A blurred-out document allegedly from an UAE
    organization – the recipient is asked to enable editing to read it

In each case, an additional Microsoft Office document with a macro is executed, landing the second payload, an image file (.jpg, img.jpg or photo.jpg) with a base64-encoded binary appended at the end. Seems like the attackers even have a sense of humor. Two of the images discovered by researchers represent characters such as Mickey Mouse or Mr. Bean.

Once the image is opened, another binary (AutoIT) is downloaded from Google Drive again. The last payload downloaded is actually the JhoneRAT itself.

The RAT can take screenshots and upload them to ImgBB,
download additional binaries, execute commands and send the output to Google
Forms.

Even if the malware is out in the open, researchers advise
that the JhoneRat operation is still a work in progress and new malicious
documents may appear. Users are advised not to open any suspicious files or
enable macros in the Microsoft suite. You can also add to your device security
by using an antivirus solution that detects JhoneRat. Bitdefender detects the
files as Trojan.GenericKD.42247033 and Trojan.GenericKD.42249088

December cyber attack costs New Orleans $7 million, so far

A ransomware
attack targeting the city of New Orleans has inflicted $7 million in losses so
far, with more to be incurred in coming months, Mayor Latoya Cantrell said in a
recent update.

At 5 a.m. on December 13, New Orleans was becoming the latest victim in a long string of ransomware attacks directed as U.S. municipalities, throwing the state of Louisiana’s most populous city into a state of emergency.

Employees
were told to disconnect all computer systems, including servers, and halt all
work. The attackers had made no ransom demands, suggesting the attack was meant
to disrupt the city and dent its economy. However, this is not confirmed.

Despite training
to handle downtime thanks to its preparedness for hurricane season, the city is
bleeding money in recovery costs, Cantrell said. The city is out $7 million so
far and is expected to spend more on system upgrades and cybersecurity
investments. Officials said $3 million will be recovered from the city’s cyber
insurance.

“This is
something that we have to deal with as a city and it is an expense that we also
have to eat as a city,” said Cantrell. “It speaks to the priority of
infrastructure that has always been a priority of mine and it also speaks to
the real push for maintenance of infrastructure. This will be ongoing.”

Gilbert
Montano, the city’s chief administrative officer, expects staff to struggle for
at least six to eight more months before day-to-day operations return to
normal.

“Now, we’re
in the stabilization period,” said Montano. “We are trying to rebuild what we
had to turn off essentially and that is a long, laborious, time-sensitive
process and that’s where I am telling staff and employees we’re looking maybe
at a six to eight month window before actual normalcy starts to integrate all
of our systems.”

Chief
Information Officer Kim LaGrue reveals the city was using legacy systems when
the infection took place, meaning the contagion could stem from an unpatched vulnerability.

“Cleaning
over 3400 computers was necessary in that recovery,” LaGrue said. “We realized
we would lose some of those computers because we also build a stronger cyber
security platform and on that new platform certain antiquated devices just
could not be recovered, would not operate in this new platform.”

According to fox8live.com, the cyber attack has pushed the deadline to pay property taxes to February 14.

As reported by msspalert.com, the city plans to raise its cyber insurance coverage from $3 million to $10 million in 2020.

Posts navigation

1 2 3 4 16 17 18
Scroll to top