What happens when one APT hijacks another’s infrastructure

Like any group of spies or soldiers, state-sponsored hacking groups are acutely interested in what their peers are using. Servers, domains and other digital tools can be contested resources, just as they are in espionage or warfare. And there’s no guarantee that any group can keep a tight grip on its own internet infrastructure. In documenting how Turla, a Russia-linked outfit, hijacked a server belonging to OilRig, a group associated with Iran, new research from Symantec shows what that overlap looks like in action. “This is the first time Symantec has observed one actor hijack another’s infrastructure,” said Alexandrea Berninger, senior cyber intelligence analyst at Symantec. “Although we don’t expect this to become a common tactic, we do expect to see deceptive operations like this amongst the most capable threat actor groups.” The apparently hostile takeover took place in January 2018, when a computer in a Middle Eastern government organization downloaded a variant of the […]

The post What happens when one APT hijacks another’s infrastructure appeared first on CyberScoop.

Android-based espionage campaign in the Middle East targets military data

A newly uncovered espionage campaign in the Middle East has infected more than 660 Android phones, and much of the stolen data appears to be “military-related,” researchers from cybersecurity company Trend Micro said Tuesday. The malware in question is highly invasive, posing as popular news and lifestyle apps to collect a target phone’s call logs and recordings, text messages, and storage and memory details, among other data. The attackers aren’t using the Google Play store, which is sometimes used to distribute malicious apps. Instead, the website hosting the malware is being promoted via social media channels, according to Trend Micro. One feature of the malware even allows the operator to take a photo from an infected phone when the device’s owner “wakes” it while it is locked. Analysts did not pin the so-called “Bouncing Golf” spying operation on any group or person, but said the structure of the code used and the data targeted […]

A bug in Wi-Fi ‘extenders’ could give a hacker full control over the devices

If you’re looking to strengthen the Wi-Fi signal in your home or business, be sure the equipment you use doesn’t have a vulnerability that could give free rein to hackers. IBM X-Force researcher Grzegorz Wypych has found such a firmware flaw, one that would let an attacker execute code remotely without having to log into the wireless device. The vulnerability is in an “extender” — a piece of gear used to expand Wi-Fi coverage — made by networking company TP-Link Technologies. Often sold cheaply through electronics retailers, Wi-Fi extenders are used in homes and small businesses to boost connectivity. But, as Wypych pointed out, the extenders can also make their way into larger businesses looking for easy internet access for employees. The research is another reminder that internet of things (IoT) devices, although prized for their convenience, can come with big security risks. Wypych found that by altering an HTTP request […]

After remote-code test, DHS sounds the alarm on BlueKeep

The Department of Homeland Security has added its voice to a chorus of government and corporate cybersecurity professionals urging users to patch their systems for BlueKeep, a critical vulnerability recently reported in old Microsoft Windows operating systems. DHS’s Cybersecurity and Infrastructure Security Agency said Monday that it had used the BlueKeep vulnerability to execute remote code on a test machine running Windows 2000. The agency released an advisory reiterating that, like the famed WannaCry ransomware, BlueKeep is “wormable,” in that malware exploiting the vulnerability could spread to other systems without user interaction. The BlueKeep vulnerability, for which Microsoft published an advisory on May 14, could allow a hacker to abuse the widely used Remote Desktop Protocol, which grants remote access to computers for administrative purposes, to delete data or install new programs on a system. When it was disclosed, security experts immediately warned of BlueKeep’s severity, and as of last week, close to 1 million internet-exposed machines were still vulnerable […]

Will Hurd’s Black Hat keynote nixed amid criticism of voting record

Black Hat USA has decided to cancel an upcoming keynote speech from Rep. Will Hurd after criticism of his voting record on women’s rights issues. The choice of the Texas Republican, a lawmaker with a detailed familiarity with cybersecurity issues, had drawn the ire of some in the cybersecurity industry because of his opposition to abortion. Less than 24 hours after TechCrunch published an article that raised those concerns, Black Hat scrapped Hurd’s keynote, which was to take place in August. TechCrunch was also first to report the cancellation. “Black Hat has chosen to remove U.S. Representative Will Hurd as our 2019 Black Hat USA Keynote,” Black Hat, one of the world’s biggest cybersecurity conferences, said in a statement. “We misjudged the separation of technology and politics. We will continue to focus on technology and research. However, we recognize that Black Hat USA is not the appropriate platform for the […]

The group behind Trisis has expanded its targeting to the U.S. electric sector

The notorious hacking group behind the Trisis malware, which is designed to disrupt industrial safety systems, has expanded its targeting to include U.S. electric utilities, according to new research. The group, known as Xenotime, most famously deployed the Trisis malware at a Saudi petrochemical plant in the summer of 2017, forcing it to shut down. But starting in late 2018, according to analysts at industrial cybersecurity company Dragos, Xenotime went beyond its focus on the oil and gas sector to probe the networks of electric utilities in the U.S. and elsewhere. “While there is no evidence at this time that Xenotime has successfully breached any of the entities it has probed in U.S. electric utilities, the fact that this actor – which has already demonstrated the willingness and capability to execute a disruptive ICS [industrial control system] attack – is now actively gathering information on electric utilities is deeply concerning,” Joe Slowik, […]

Medical infusion-pump system has two bugs, researchers say

Researchers have found two vulnerabilities in a type of infusion-pump system, which hospitals use to administer medication, that they say could allow a hacker to disable the device, infect it with malware, or create false readings. The vulnerabilities are in a pump system known as the Alaris Gateway Workstation, made by Becton, Dickinson and Company (BD), a New Jersey-based medical equipment vendor. “In extreme cases, the attacker could even communicate directly with pumps connected to the gateway to alter drug dosages and infusion rates,” researchers from CyberMDX, the medical-device security company that found the flaws, said in a press release Thursday. The more severe vulnerability is in the workstation’s firmware and could allow an attacker to “brick” the workstation, rendering it useless unless it is returned to the manufacturer for repair. The other vulnerability could let a hacker alter the workstation’s network configuration and monitor the pump’s status. Firmware updates issued […]

Criminal campaign uses leaked NSA tools to set up cryptomining scheme, Trend Micro says

Since March, criminals have been using hacking tools that were reportedly stolen from the National Security Agency to target companies around the world as part of a cryptomining campaign, researchers with cybersecurity company Trend Micro said Thursday. The broad-brush campaign has hit organizations in the banking, manufacturing and education sectors, among others, Trend Micro says. The criminals are essentially hijacking corporate computing power to mine the cryptocurrency Monero. It’s hardly a new concept, but in this case it’s a reminder that tools deployed by state-sponsored hackers can also be used by relatively unskilled crooks more interested in making money than in spying. “Entry-level cybercriminals are gaining easy access to what we can consider ‘military-grade’ tools — and are using them for seemingly ordinary cybercrime activity,” Trend Micro researchers wrote in a blog post. The attacks exploit old versions of Microsoft Windows using a variant of a backdoor based on the EternalBlue exploit, Trend Micro said. EternalBlue is code reportedly […]

The moral clarity of ‘Cult of the Dead Cow’

In recent years, the word “hacker” has shed some of its negative connotation in policy circles as lawmakers discover white hats who are trying to make the world a better place. That evolution – to see what was once considered destructive as constructive, and to use it to make software more secure – is an under-appreciated bright spot on today’s cybersecurity landscape. The hacking group that pushed the world furthest toward this paradigm shift is the Cult of the Dead Cow (cDc). Its story is skillfully told in the new book of the same name by Reuters journalist Joseph Menn. “In general, the public has become more accepting of hacking and hackers,” Menn, a veteran cybersecurity reporter, told CyberScoop. “One of my goals in writing the book was to push that forward.” Menn traces cDc from its humble origins in northwestern Texas to the conquests of its more famous members like Peiter “Mudge” Zatko, who has […]

FIN8 tries to breach U.S. hotel with new malware variant, researchers say

A well-known criminal hacking group tried to breach the computer network of a U.S. hotel using a variant of malware the group had last deployed in 2017, according to research from endpoint security firm Morphisec. FIN8, as the financially driven group is known, made several upgrades to its ShellTea malware and aimed it at the hotel’s network between March and May, according to Morphisec. Researchers believe it was an attempted attack on a point-of-sale (POS) system, one that processes payment card data. The intrusion attempt was blocked. In a blog post published Monday, Morphisec warned of the vulnerability of POS networks to groups like FIN8. “Many POS networks are running on the POS version of Windows 7, making them more susceptible to vulnerabilities,” wrote Morphisec CTO Michael Gorelik. “The techniques implemented can easily evade standard POS defenses.” The research did not identify the hotel by name or specify its location, […]
