Timesdelhi.com

May 26, 2019
Category archive

malware

Europol, DOJ announce the takedown of the GozNym banking malware

Europol and the U.S. Justice Department, with help from six other countries, have disrupted and dismantled the GozNym malware, which they say stole more than $100 million from bank accounts since it first emerged.

In a press conference in The Hague, prosecutors said 10 defendants in five countries are accused of using the malware to steal money from more than 41,000 victims, mostly businesses and financial institutions.

Five defendants were arrested in Moldova, Bulgaria, Ukraine and Russia. The leader of the criminal network and his technical assistant are being prosecuted in Georgia.

The remaining five defendants, all Russian nationals, remain on the run and are wanted by the FBI, said prosecutors.

All were charged with conspiracy to commit computer fraud, conspiracy to commit wire and bank fraud, and conspiracy to commit money laundering. An eleventh member of the conspiracy, Krasimir Nikolov, was previously charged and extradited to the U.S. in 2016 and pleaded guilty in April for his role in the GozNym malware network.

The names, roles and locations of the indicted suspects. (Image: Justice Department/supplied)

The takedown was described as an “unprecedented international effort” by Scott Brady, U.S. attorney for Western Philadelphia — where a grand jury indicted the defendants — at the press conference announcing the charges.

GozNym is a powerful banking malware that spread across the U.S., Canada, Germany and Poland. The malware was developed from two existing malware families, both of which had their source code leaked years earlier: Nymaim, a two-stage malware dropper that infects computers through exploit kits from malicious links or emails; and Gozi, a web injection module used to hook into the web browser, allowing the attacker to steal login credentials and passwords.

The banking malware hit dozens of banks and credit unions since it first emerged in 2016.

Described as malware “as a service,” the leader of the network allegedly obtained the code for the two malware families and built GozNym, then recruited accomplices and advertised the new malware on Russian-speaking forums. The malware used encryption and other obfuscation techniques to avoid detection by antivirus tools. Then, spammers are said to have sent hundreds of thousands of phishing emails to infect staff at businesses and banks. After infecting its victims’ computers, the malware would steal the passwords that controlled bank accounts, which the criminals would later log in to and cash out.

Prosecutors said the malware network was hosted and operated through a bulletproof service, a domain and web hosting provider known for lax attitudes towards cybercrime and favored by criminals. Europol said the 2016 takedown of Avalanche, an infrastructure platform used by hundreds of criminals to host and run their malware campaigns.

Although the victims were not named, the Justice Department said at least 11 U.S. businesses — including a church, two law firms, and a casino — fell victim to the GozNym criminals.

Two years after WannaCry, a million computers remain at risk

Two years ago today, a powerful ransomware began spreading across the world.

WannaCry spread like wildfire, encrypting hundreds of thousands of computers in over 150 countries in a matter of hours. It was the first time that ransomware, a malware that encrypts a user’s files and demands cryptocurrency in ransom to unlock them, had spread across the world in what looked like a coordinated cyberattack.

Hospitals across the U.K. declared a “major incident” after they were knocked offline by the malware. Government systems, railway networks and private companies were also hit.

Security researchers quickly realized the malware was spreading like a computer worm, across computers and over the network, using the Windows SMB protocol. Suspicion soon fell on a batch of highly classified hacking tools developed by the National Security Agency, which weeks earlier had been stolen and published online for anyone to use.

“It’s real,” said Kevin Beaumont, a U.K.-based security researcher at the time. “The shit is going to hit the fan big style.”

WannaCry relied on stolen NSA-developed exploits, DoublePulsar and EternalBlue, to hack into Windows PCs and spread through the network. (Image: file photo)

An unknown hacker group — later believed to be working for North Korea — had taken those published NSA cyberweapons and launched their attack — likely not realizing how far the spread would go. The hackers used the NSA’s backdoor, DoublePulsar, to create a persistent backdoor that was used to deliver the WannaCry ransomware. Using the EternalBlue exploit, the ransomware spread to every other unpatched computer on the network.

A single vulnerable and internet-exposed system was enough to wreak havoc.

Microsoft, already aware of the theft of hacking tools targeting its operating systems, had released patches. But consumers and companies alike moved slowly to patch their systems.

In just a few hours, the ransomware had caused billions of dollars in damages. Bitcoin wallets associated with the ransomware were being filled by victims trying to get their files back — more often than not in vain.

Marcus Hutchins, a malware reverse engineer and security researcher, was on vacation when the attack hit. “I picked a hell of a fucking week to take off work,” he tweeted. Cutting his vacation short, he got to work. Using data from his malware tracking system, he found what became WannaCry’s kill switch — a domain name embedded in the code, which he registered and immediately saw the number of infections grind to a halt. Hutchins, who pleaded guilty to unrelated computer crimes last month, was hailed as a hero for stemming the spread of the attack. Many have called for leniency, if not a full presidential pardon, for his efforts.

Trust in the intelligence services collapsed overnight. Lawmakers demanded to know how the NSA planned to mop up the hurricane of damage it had caused. It also kicked off a heated debate about how the government hoards vulnerabilities to use as offensive weapons to conduct surveillance or espionage — or when it should disclose bugs to vendors in order to get them fixed.

A month later, the world braced itself for a second round of cyberattacks in what felt like it would soon become the norm.

NotPetya, another ransomware which researchers also found a kill switch for, used the same DoublePulsar and EternalBlue exploits to ravage shipping giants, supermarkets and advertising agencies, which were left reeling from the attacks.

Two years on, the threat posed by the leaked NSA tools remains a concern.

As many as 1.7 million internet-connected endpoints are still vulnerable to the exploits, according to the latest data. Data generated by Shodan, a search engine for exposed databases and devices, puts the figure at the million mark — with most of the vulnerable devices in the U.S. But that only accounts for devices directly connected to the internet and not the potentially millions more devices connected to those infected servers. The number of vulnerable devices is likely significantly higher.

More than 400,000 exposed systems in the U.S. alone can be exploited using NSA’s stolen hacking tools. (Image: Shodan)

WannaCry continues to spread and occasionally still infects its targets. Beaumont said in a tweet Sunday that the ransomware remains largely neutered, unable to unpack and begin encrypting data, for reasons that remain a mystery.

But the exposed NSA tools, which remain at large and able to infect vulnerable computers, continue to be used to deliver all sorts of malware — and new victims continue to appear.

Just weeks before the city of Atlanta was hit by ransomware, cybersecurity expert Jake Williams found its networks had been infected by the NSA tools. More recently, the NSA tools have been repurposed to infect networks with cryptocurrency mining code to generate money from the vast pools of processing power. Others have used the exploits to covertly ensnare thousands of computers to harness their bandwidth to launch distributed denial-of-service attacks by pummeling other systems with massive amounts of internet traffic.

WannaCry caused panic. Systems were down, data was lost, and money had to be spent. It was a wakeup call that society needed to do better at basic cybersecurity.

But with a million-plus unpatched devices still at risk, there remains ample opportunity for further abuse. We may not have forgotten two years on, but clearly more can be done to learn from the failings of the past.

Evernote fixes macOS app bug that allowed remote code execution

Evernote has fixed a vulnerability that could have allowed an attacker to run malicious code on a victim’s computer.

Dhiraj Mishra, a security researcher based in Dubai, reported the bug to Evernote on March 17. In a blog post showing his proof-of-concept, Mishra showed TechCrunch that a user only had to click a link masked as a web address, which would open a locally stored app or file unhindered and without warning.

Evernote spokesperson Shelby Busen confirmed the bug had been fixed, and said the company “appreciates” the contributions from security researchers.

The researcher ‘popped calc’ as a way to demonstrate a remote code execution bug in Evernote (Image: supplied)

MITRE, the vulnerability database keeper, issued an advisory under CVE-2019-10038.

The bug could allow an attacker to remotely run malicious commands on any macOS computer with Evernote installed. Since the fix went into effect, Evernote now warns users when they click a link that opens a file on their Mac.

A similar local file path traversal bug was revealed Tuesday in Electronic Arts’ Origin gaming client.

Evernote was forced to reset close to 50 million passwords after a breach in 2013, and later caused controversy by changing its privacy policy that allowed employees to access user data. The company later walked back the policy change after user complaints.

Security flaw in EA’s Origin client exposed gamers to hackers

Electronic Arts has fixed a vulnerability in its online gaming platform Origin after security researchers found they could trick an unsuspecting gamer into remotely running malicious code on their computer.

The bug affected Windows users with the Origin app installed. Tens of millions of gamers use the Origin app to buy, access and download games. To make it easier to access an individual game’s store from the web, the client has its own URL scheme that allows gamers to open the app and load a game from a web page by clicking a link with origin:// in the address.

But two security researchers, Daley Bee and Dominik Penner of Underdog Security, found that the app could be tricked into running any app on the victim’s computer.

“An attacker could’ve ran anything they wanted,” Bee told TechCrunch.

‘Popping calc’ to demonstrate a remote code execution bug in Origin. (Image: supplied)

The researchers gave TechCrunch proof-of-concept code to test the bug for ourselves. The code allowed any app to run at the same level of privileges as the logged-in user. In this case, the researchers popped open the Windows calculator — the go-to app for hackers to show they can run code remotely on an affected computer.

But worse, a hacker could send malicious commands to PowerShell, an in-built app often used by attackers to download additional malicious components and install ransomware.

Bee said a malicious link could be sent as an email or listed on a webpage, but could also be triggered if the malicious code was combined with a cross-site scripting exploit that ran automatically in the browser.

It was also possible to steal a user’s account access token using a single line of code, allowing a hacker to gain access to a user’s account without needing their password.

Origin’s macOS client wasn’t affected by the bug.

EA spokesperson John Reseburg confirmed a fix was rolled out Monday. TechCrunch confirmed the code no longer worked following the update.

TrickBot malware attacks are ramping up ahead of Tax Day

A powerful data-stealing malware campaign with a tax theme is on the rise to target unsuspecting filers ahead of Tax Day.

TrickBot, a financially motivated trojan, infects Windows computers through a malicious Excel document sent by a specially crafted email. Once infected, the malware targets vulnerable devices on the network and combs for passwords and banking information to send back to the attacker. The collected information can be used to steal funds for fraud. The ever-expanding malware is continually developed to collect as many credentials as possible.

By stealing tax documents, the scammers can also file fraudulent end-of-year tax forms to reap the returns. The Internal Revenue Service said fraudsters scammed the agency out of more than $1.6 million in fraudulent returns during the 2016 tax year.

IBM X-Force researchers say the attackers have begun impersonating emails from three of the largest accounting and payroll providers, including ADP and Paychex, by registering similar-looking domains — known as domain squatting.

One of the spoofed emails impersonating a payroll provider. (Image: supplied)

“We believe this campaign to be highly targeted in its efforts to infiltrate US organizations, with the hallmarks of the TrickBot Trojan gang,” said Limor Kessem, global executive security advisor at IBM. “Since it emerged in 2016, we’ve seen that TrickBot’s operators focus their efforts on businesses and, therefore, manage distribution in ways that would look benign to enterprise uses: through booby-trapped productivity files and fake bank websites.”

Where TrickBot traditionally focused on business banking and high-value accounts with private banking and wealth management firms, the malware in recent years has expanded to hit cryptocurrency sites and owners.

“This is not a threat of the past,” said Kessem. “Based on our research, not only is TrickBot one of the most prominent organized crime gangs in the bank fraud arena, we also expect to see it maintain its position on the global malware chart, unless it is interrupted by law enforcement in 2019.”

The malware continues to grow, IBM said. Its backend infrastructure has at least 2,400 command and control servers with hundreds of configurations and versions, with infections most common in the U.S. and U.K. — seen as high value regions.

“As cybercriminal gangs of this level continue to gain steam, it’s increasingly important for businesses and consumers to be more aware of their own activity online, even when they’re doing something as simple as clicking on a link in an email,” said Kessem. “Email is an incredibly easy way for an attacker to interact with potential victims, posing as a trusted brand to infiltrate devices and eventually your networks,” she said.

Tax Day is April 15.
