Viruses and Worms

Facebook’s ex-president: we exploited “vulnerability in human psychology”

Sophos Naked Security - 14 November, 2017 - 15:46
"God only knows what it's doing to our children's brains"

Estonia cuffs suspect, claims he's a Russian 'hacker spy'

The Register - Anti-Virus - 14 November, 2017 - 15:39
20-year-old is not an agent, Russia retorts

Russia has denied that a person nabbed by Estonian local authorities was one of its spies. Estonia alleges the suspect had been intent on hacking into the Baltic country’s computer network.…

Category: Viruses and Worms

Apple iPhone X Face ID Fooled by a Mask - 14 November, 2017 - 15:00
Vietnamese security company Bkav says it has built a proof-of-concept mask that fools Apple’s Face ID technology.
Category: Viruses and Worms

Shut the front door: Jewson 'fesses up to data breach

The Register - Anti-Virus - 14 November, 2017 - 12:03
Builder's merchant tells punters their privates might be out in the cold

Builders merchant Jewson has confirmed in writing to customers that their privates could have been exposed in a cyber break-in that occurred late this summer.…

Category: Viruses and Worms

Sure, Face ID is neat, but it cannot replace a good old fashioned passcode

The Register - Anti-Virus - 14 November, 2017 - 11:04
Facial recognition isn't the most reliable authentication right now

Apple's iPhone X is one of several technologies bringing facial biometrics into the mainstream. It seems to have everything bar a heat scanner; the TrueDepth camera projects an impressive-sounding 30,000 infrared dots on to your phiz, scanning every blackhead in minute 3D detail.…

Category: Viruses and Worms

APT Trends report Q3 2017

Kaspersky Securelist - 14 November, 2017 - 10:41

Beginning in the second quarter of 2017, Kaspersky’s Global Research and Analysis Team (GReAT) began publishing summaries of the quarter’s private threat intelligence reports in an effort to make the public aware of what research we have been conducting. This report is the next installment, focusing on important reports produced during Q3 of 2017.

As stated last quarter, these summaries are a representative snapshot of what is covered in greater detail in our private reports, highlighting the significant events and findings we feel most readers should be aware of. For brevity’s sake, we are not publishing the indicators associated with the reports highlighted. However, if you would like to learn more about our intelligence reports or request more information on a specific report, please contact:

Chinese-Speaking Actors

The third quarter demonstrated to us that Chinese-speaking actors have not “disappeared” and remain very active, conducting espionage against a wide range of countries and industry verticals. In total, 10 of the 24 reports produced centered on activity attributed to multiple actors in this region.

The most interesting of these reports focused on two supply chain attacks: NetSarang / ShadowPad and CCleaner. In July 2017, we discovered a previously unknown malware framework (ShadowPad) embedded inside the installation packages hosted on the NetSarang distribution site. NetSarang’s server management software is popular and used throughout the world. The ShadowPad framework contained a remotely activated backdoor which the threat actor could trigger through a specific value in a DNS TXT record. Others in the research community have loosely attributed this attack to the threat actor Microsoft refers to as BARIUM. Following this supply chain attack, another was reported initially by Cisco Talos in September involving CCleaner, a popular cleaner / optimization tool for PCs. The actors responsible signed the malicious installation packages with a legitimate Piriform code signing certificate and pushed the malware between August and September.
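
A DNS TXT record is an attractive activation channel because almost every network lets TXT lookups out and few teams alert on them. As an added example (this is not code from the Kaspersky report), the Python below runs over resolver logs and flags the kind of TXT exchange described for ShadowPad: a lookup whose answer is not an ordinary mail or domain-validation policy record, sent to a zone the organisation has no business querying, optionally carrying a long high-entropy payload. The log format, client addresses, zone names and thresholds are all constructed for illustration.

```python
"""Flag DNS TXT lookups that resemble a remote-activation channel.

Added example, not code from the Kaspersky report. The resolver log format,
client addresses, zone names and thresholds below are constructed.
"""
import math
import re
from collections import Counter

# Constructed resolver log: timestamp client qtype qname rdata
SAMPLE_LOG = """\
2017-08-04T09:12:01Z 10.0.5.21 A   update.example-vendor.test 198.51.100.7
2017-08-04T09:12:05Z 10.0.5.21 TXT _dmarc.example-corp.test "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.test"
2017-08-04T09:13:40Z 10.0.5.21 TXT example-corp.test "v=spf1 include:_spf.example-corp.test -all"
2017-08-04T09:15:02Z 10.0.5.21 TXT nylalobghyhirgh.attacker-c2.test "gL3zUw9kRq7PpZ2xN8bVtY5mHcW1jK4dSfE6aQ0o"
2017-08-04T09:15:03Z 10.0.5.22 TXT ribotqtonut.attacker-c2.test ""
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)\s+"?(?P<rdata>[^"]*)"?$'
)

# TXT answers any host doing mail or domain validation is expected to see
POLICY_PREFIXES = ("v=spf1", "v=dmarc1", "v=dkim1")
# Zones this organisation owns or legitimately queries for TXT records (constructed)
ALLOWED_TXT_ZONES = ("example-corp.test",)


def shannon_entropy(s: str) -> float:
    """Bits per character: about 5.3 for 40 distinct characters, 0 for a constant string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def in_allowed_zone(qname: str) -> bool:
    q = qname.lower().rstrip(".")
    return any(q == z or q.endswith("." + z) for z in ALLOWED_TXT_ZONES)


def classify_txt(qname: str, rdata: str, *, min_len: int = 24, min_entropy: float = 4.0):
    """Return (severity, reason) for a suspicious TXT exchange, or None if it looks benign."""
    if rdata.lower().startswith(POLICY_PREFIXES):
        return None  # SPF/DKIM/DMARC policy lookups are normal
    if in_allowed_zone(qname):
        return None  # our own zones; verification tokens live here
    if len(rdata) >= min_len and shannon_entropy(rdata) >= min_entropy:
        return ("high", f"high-entropy TXT answer ({shannon_entropy(rdata):.2f} bits/char) "
                        "from unexpected zone: possible command or config delivery")
    # Empty or short answers still matter: the lookup itself can be the beacon or trigger check
    return ("medium", "TXT lookup to unexpected zone with non-policy answer: possible beacon")


def analyze(log_text: str):
    """Parse the log and return one alert dict per suspicious TXT exchange, in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = LINE_RE.match(line.strip())
        if not rec or rec["qtype"].upper() != "TXT":
            continue
        verdict = classify_txt(rec["qname"], rec["rdata"])
        if verdict:
            severity, reason = verdict
            alerts.append({"ts": rec["ts"], "client": rec["client"],
                           "qname": rec["qname"], "severity": severity, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['ts']} {a['client']} {a['severity']:6} {a['qname']}: {a['reason']}")
```

The policy-prefix allowlist keeps mail servers quiet, the zone allowlist keeps domain-verification tokens quiet, and everything else that asks for TXT records outside your own zones is worth a look. The entropy rule only raises severity; the zone rule fires even when the answer is empty, which matters for a trigger that is usually absent and only set when the actor wants the backdoor to wake up. Treat the thresholds as starting points to tune against a baseline of the hosts that run server-management tooling.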

Q3 also showed that China is very interested in policies and negotiations between Russia and other countries. We reported on two separate campaigns demonstrating this interest. To date, we have observed three separate incidents where Russia and another country hold talks and are targeted shortly thereafter, IndigoZebra being the first. IronHusky was a campaign we first discovered in July targeting Russian and Mongolian government entities, aviation companies, and research institutes. Earlier, in April, the two countries had held talks on modernizing Mongolia’s air defenses with Russia’s help. Shortly after these talks, both countries were targeted with a Poison Ivy variant from a Chinese-speaking threat actor. In June, India and Russia signed a much-awaited agreement to expand a nuclear power plant in India and to further define the defense cooperation between the two countries. Very soon after, the energy sectors of both countries were targeted with a new piece of malware we refer to as “H2ODecomposition”. In some cases this malware masqueraded as a popular Indian antivirus solution (QuickHeal). The name of the malware was derived from an initial RC5 string used in the encryption process (2H2O=2H2+O2), which describes the chemical reaction used in hydrogen fuel cells.

Other reports published in the third quarter on Chinese-speaking actors were mainly updates to the TTPs of known adversaries such as Spring Dragon, Ocean Lotus, Blue Termite, and Bald Knight. The Spring Dragon report summarized the evolution of their malware to date. Ocean Lotus was observed conducting watering hole attacks on the ASEAN website (as done previously) but with a new toolkit. A new test version of Emdivi was discovered in use by Blue Termite, as was their testing of CVE-2017-0199. Finally, Bald Knight (AKA Tick) was seen using their XXMM malware family to target Japan and South Korea.

Below is a summary of the report titles produced for the Chinese-speaking region. As stated above, if you would like to learn more about our threat intelligence products or request more information on a specific report, please direct inquiries to

  1. Analysis and evolution of Spring Dragon tools
  2. EnergyMobster – Campaign targeting Russian-Indian energy project
  3. IronHusky – Intelligence of Russian-Mongolian military negotiations
  4. The Bald Knight Rises
  5. Massive watering holes campaign targeting Asia-Pacific
  6. Massive Watering Holes Campaign Targeting AsiaPacific – The Toolset
  7. NetSarang software backdoored in supply chain attack – early warning
  8. ShadowPad – popular server management software hit in supply chain attack
  9. New BlueTermite samples and potential new wave of attacks
  10. CCleaner backdoored – more supply chain attacks

Russian-Speaking Actors

The third quarter was a bit slower with respect to Russian-speaking threat actors. We produced four reports in total: two focused on ATM malware, one on financial targeting in Ukraine and Russia, and one wrap-up of Sofacy activity over the summer.

The ATM-related reports centered on Russian-speaking actors using two previously unknown pieces of malware, each designed specifically for certain ATM models. “Cutlet Maker” and “ATMProxy” both ultimately allowed the operators to dispense cash at will from a chosen cartridge within the ATM. ATMProxy was interesting because it sits dormant on an ATM until a card with a specific hard-coded number is inserted, at which point it dispenses more cash than was requested.

Another report discussed a new technique using highly targeted watering holes to attack financial entities in Ukraine and Russia with Buhtrap. Buhtrap has been around since at least 2014, but this new wave of attacks leveraged search engine optimization (SEO) to float the malicious watering hole sites to the top of search results, giving valid targets a greater chance of visiting them.

Finally, we produced a summary report on Sofacy’s summertime activity. Nothing here was groundbreaking; it showed the group remained active with their payloads of choice: SPLM, GAMEFISH, and XTUNNEL. Targeting also remained the same, focusing on European defense entities, Turkey, and former Soviet republics.

Below is a list of report titles for reference:

  1. ATMProxy – A new way to rob ATMs
  2. Cutlet maker – Newly identified ATM malware families sold on Darknet
  3. Summertime Sofacy – July 2017
  4. Buhtrap – New wave of attacks on financial targets

English-Speaking Actors

The last quarter also had us reporting on yet another member of the Lamberts family. Red Lambert was discovered during our previous analysis of Grey Lambert and uses hard-coded SSL certificates in its command and control communications. What was most interesting about Red Lambert is that we discovered a possible operational security (OPSEC) failure on the actor’s part, leading us to a specific company that may have been responsible, in whole or in part, for the development of this Lambert malware.

  1. The Red Lambert

Korean-Speaking Actors

We were also able to produce two reports on Korean-speaking actors, specifically ScarCruft and Bluenoroff. ScarCruft was seen targeting high-profile political entities in South Korea using both destructive malware and malware designed more for espionage. Bluenoroff, the financially motivated arm of Lazarus, targeted a Costa Rican casino using Manuscrypt. Interestingly, this casino had also been compromised by Bluenoroff six months earlier, indicating they had potentially lost access and were attempting to get back in.

Report titles focusing on Korean-speaking actors:

  1. Scent of ScarCruft
  2. Bluenoroff hit Casino with Manuscrypt

Other Activity

Finally, we also wrote seven other reports on “uncategorized” actors in the third quarter. Without going into detail on each of these, we will focus on two. The first is a report on the Shadowbrokers’ June 2017 malware dump. An anonymous “customer” who had paid for access to the month’s files posted their hashes, mainly out of displeasure with what was provided for the money. We were only able to verify one of the nine file hashes, which turned out to be an already known version of Triple Fantasy.

The other report we’d like to highlight (“Pisco Gone Sour”) involves an unknown actor targeting Chilean critical institutions with Veil, Meterpreter, and PowerShell Empire. We are constantly searching for new adversaries in our daily routine, and this appears to be just that. The use of publicly available tools makes it difficult to attribute this activity to a specific group, but our current assessment, based on targeting, is that the actor may be based somewhere in South America.

  1. Dark Cyrene – politically motivated campaign in the Middle East
  2. Pisco Gone Sour – Cyber Espionage Campaign Targeting Chile
  3. Crystal Finance Millennium website used to launch a new wave of attacks in Ukraine
  4. New Machete activity – August 2017
  5. ATMii
  6. Shadowbroker June 2017 Pack
  7. The Silence – new trojan attacking financial organizations

Final Thoughts

Normally we would end this report with some predictions for the next quarter, but as the end of the year is near, we will publish a separate predictions report for 2018. Instead, we would like to point out one alarming trend we’ve observed over the last two quarters: an increase in supply chain attacks. Since Q2, there have been at least five incidents where actors targeted the supply chain to accomplish their goals instead of going directly after the end target: MeDoc, NetSarang, CCleaner, Crystal Finance, and Elmedia. While these incidents were not the work of a single group, they show how the attention of many actors may be shifting in a direction that could be much more dangerous. Successfully compromising the supply chain provides easy access to a much wider target base than is available through traditional means such as spear phishing. As an added benefit for the attacker, these compromises can remain undetected for months, if not longer. It remains to be seen whether this trend will continue into 2018, but given the successes of the five incidents mentioned above, we feel we haven’t seen the last of this type of attack.
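
The CCleaner case described earlier in this report (a trojanised build signed with the vendor’s own certificate) is why a signature check by itself is not a supply chain control: the signature proves the package came from the vendor’s build pipeline, which is exactly what was compromised. As an added example, not code from the Kaspersky report or from any vendor, the Python below accepts a package only when its SHA-256 matches a hash pinned from the vendor’s published release manifest in addition to a valid signature from a trusted signer. The package bytes, the manifest and the signer metadata are constructed; in a real pipeline the signer name and validity come from an Authenticode or GPG verification step, and the manifest is fetched from the vendor over a channel independent of the download.

```python
"""Accept a vendor package only if its hash matches a pinned release manifest.

Added example, not code from the Kaspersky report or from any vendor. The
package bytes, manifest and signer metadata are constructed; in a real
pipeline `signer` and `signature_valid` come from an Authenticode or GPG check.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed release bytes, and a trojanised copy that a compromised vendor
# build system would still sign with the legitimate certificate.
GOOD_PACKAGE = b"ExampleTool-5.33-installer:" + bytes(range(256))
TAMPERED_PACKAGE = GOOD_PACKAGE + b"<stage-1 loader added before signing>"

# Pinned manifest: fetched once from the vendor over an independent channel and
# stored with the deployment tooling (here computed from the known-good bytes).
MANIFEST = {("ExampleTool", "5.33"): sha256_hex(GOOD_PACKAGE)}
TRUSTED_SIGNERS = {"ExampleVendor Ltd"}


def verify_package(product, version, data, signer, signature_valid, manifest=MANIFEST):
    """Return (accepted, reasons). A valid signature alone never accepts a package."""
    reasons = []
    if not signature_valid:
        reasons.append("signature invalid or missing")
    elif signer not in TRUSTED_SIGNERS:
        reasons.append(f"signer {signer!r} is not a trusted signer")

    # The hash check runs regardless of the signature outcome so the report is complete.
    expected = manifest.get((product, version))
    if expected is None:
        reasons.append(f"no pinned hash for {product} {version}: hold for review")
    elif sha256_hex(data) != expected:
        reasons.append("hash mismatch: signed content differs from the pinned release")
    return (not reasons, reasons)


if __name__ == "__main__":
    cases = [
        ("clean build", GOOD_PACKAGE, "ExampleVendor Ltd", True),
        ("trojanised, validly signed", TAMPERED_PACKAGE, "ExampleVendor Ltd", True),
        ("clean build, signature broken", GOOD_PACKAGE, "ExampleVendor Ltd", False),
    ]
    for label, data, signer, sig_ok in cases:
        accepted, reasons = verify_package("ExampleTool", "5.33", data, signer, sig_ok)
        print(f"{label}: {'ACCEPT' if accepted else 'REJECT'} {reasons}")
```

The second case is the CCleaner pattern: the signer is right and the signature verifies, and the package is still rejected because its content is not the release the vendor published. A version with no pin is held rather than accepted, which is the moment to fetch the vendor’s new manifest rather than to trust whatever the download server offers.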

Think the US is alone? 18 countries had their elections hacked last year

The Register - Anti-Virus - 14 November, 2017 - 06:01
Less than a quarter of world has freeish internet communication

While America explores quite how much its election was interfered with by outsiders, the news isn't good for the rest of us, according to independent watchdog Freedom House.…

Category: Viruses and Worms

WikiLeaks is wiki-leaked. And it's still not even a proper wiki anyway

The Register - Anti-Virus - 14 November, 2017 - 03:58
Assange .org tried to help coordinate Trump's election campaign

Julian Assange's WikiLeaks – that bastion of fiercely independent journalism – privately urged the Trump campaign to not concede the 2016 presidential election, to contest the result as rigged, and asked for one of Donald's tax returns so as to appear impartial and nothing whatsoever to do with Russia's meddling in the White House race.…

Category: Viruses and Worms

Thousand-dollar iPhone X's Face ID wrecked by '$150 3D-printed mask'

The Register - Anti-Virus - 13 November, 2017 - 20:35
I'd like to take his... his Face ID... off

Video: Apple's facial-recognition login system in its rather expensive iPhone X can, it is claimed, be fooled by a 3D-printed mask, a couple of photos, and a blob of silicone.…

Category: Viruses and Worms

History of computer malware – video

VIRY.CZ - 13 November, 2017 - 19:50

A new video interview with me about the history of computer malware can be found on the web. I tried to pick out the most interesting things the past has brought us and what troubles us today. The interview itself begins at roughly 8:50.

Thanks to the guys from kafemlejnek for organising it and for the chance to speak!

Episode 25 – History of malware

Category: Viruses and Worms

Phishing Biggest Threat to Google Account Security - 13 November, 2017 - 19:29
Phishing remains the biggest account takeover threat to Google users, surpassing keyloggers and credential leaks.
Category: Viruses and Worms

New IcedID Trojan Targets US Banks - 13 November, 2017 - 18:42
A new banking Trojan dubbed IcedID is being distributed by a seasoned cybergang or hacker targeting U.S. financial institutions.
Category: Viruses and Worms

FBI “should not be reluctant” to challenge encryption in court

Sophos Naked Security - 13 November, 2017 - 17:58
Deputy US Attorney General speaks out to support encryption backdoors

YouTube to crack down on inappropriate videos targeting kids

Sophos Naked Security - 13 November, 2017 - 12:07
The automatic filters are far from foolproof, so YouTube's investigating other ways to take down the disturbing content.

Monday review – the hot 21 stories of the week

Sophos Naked Security - 13 November, 2017 - 11:52
From the 35,000 character tweet and the fake WhatsApp that was downloaded 1m times to the hacker who deleted $300m, and more!

VB2017 video: Consequences of bad security in health care

Virus Bulletin News - 13 November, 2017 - 11:41
Jelena Milosevic, a nurse with a passion for IT security, is uniquely placed to witness poor security practices in the health care sector, and to fully understand the consequences. Today, we publish the recording of a presentation given by Jelena at VB2017 in Madrid, in which she shared her inside view of security in hospitals.

Category: Viruses and Worms

Stop your moaning, says maker of buggy Bluetooth sex toy

The Register - Anti-Virus - 13 November, 2017 - 06:58
Companion app recorded audio of you while you - ahem - played, but it never left your phone

Sex-toy maker Lovense has told its customers to stop moaning about one of its products, which recorded audio of users as they – ahem – played, and stored it on their Android phones.…

Category: Viruses and Worms

Ride-share upstart 'Fasten' revealed as Hive of insecurity

The Register - Anti-Virus - 13 November, 2017 - 01:34
Like Uber but for leaking personal data: a million customer records left on unsecured Hadoop

Boston-based ride-hailing hopeful Fasten has coughed to a million-customer data breach that happened because someone left a database lying around unsecured.…

Category: Viruses and Worms

CopperheadOS stops updates to thwart knock-off phone floggers

The Register - Anti-Virus - 12 November, 2017 - 23:29
Hardened Android vendor found third parties eating its lunch

The folk in charge of the hardened Android distribution CopperheadOS have run into problems with licence violations. Over the weekend, they temporarily disabled over-the-air updates for Nexus devices, and pulled some downloads from their website.…

Category: Viruses and Worms

Firefox to offer tracking protection for all in its next update

Sophos Naked Security - 12 November, 2017 - 15:00
This next major update, Quantum, is expected to include an option to turn on Tracking Protection during normal browsing