Researchers are still using lessons from VPNFilter to track threats one year later

It’s been a year since private security researchers worked with the FBI to dismantle a 500,000-router-strong botnet that loomed over Ukraine. Now, lessons learned in that takedown of the “VPNFilter” botnet are still reverberating today in the cybersecurity community, informing defenders about other sets of malicious activity, said Martin Lee, a manager at Cisco Talos, the threat intelligence team that helped uncover the botnet. Lee pointed to the so-called Sea Turtle domain name system hijacking campaign, which Talos detailed last month. Like VPNFilter, the Sea Turtle activity was an example of a state-sponsored attacker abusing internet infrastructure at scale to steal credentials. Data gathered from the VPNFilter investigation, combined with the lesson that state-sponsored actors are willing to subvert core internet infrastructure, has driven home the fact that attackers can exploit critical devices at scale in a way that few people had fully appreciated. “Essentially, [the Sea Turtle perpetrator] is a threat actor trying to do […]

The post Researchers are still using lessons from VPNFilter to track threats one year later appeared first on CyberScoop.

Middle East-linked hacking group is working hard to mask its moves

A group that’s been linked to Iran-based hackers has been working to obfuscate its activities to evade detection, according to new research from Cisco’s Talos researchers. The hackers, whose attacks are ongoing, are working to avoid host-based signatures and Yara signatures by using a Visual Basic for Applications (VBA) script, PowerShell stager attacks, and a separate command and control server, researchers write in a blog post. In some cases the group, which Talos has dubbed “BlackWater,” has been successful in avoiding detection mechanisms. Some of the code the group has used in its attacks is the same as that used by a group known as MuddyWater. Talos writes the code was used in attacks against Kurds in Turkey. This code overlap and the fact that BlackWater and MuddyWater have had similar targets, including those in Turkey, led Talos researchers to report they have “moderate confidence” that the actors behind BlackWater […]

The post Middle East-linked hacking group is working hard to mask its moves appeared first on CyberScoop.

Meet Sodinokibi, a ransomware strain that exploits a critical Oracle server flaw

Hackers are exploiting a critical vulnerability in a widely used Oracle service to distribute a new strain of ransomware that attempts to encrypt data in a user’s directory, then make recovery more difficult by deleting trustworthy backups, according to research published Tuesday. Attackers are trying to infect victims with a new variant of the Sodinokibi ransomware by leveraging a known security flaw in Oracle’s WebLogic Server, according to Cisco’s Talos threat research team. The digital extortionists are exploiting the flaw known as CVE-2019-2725, a bug with a severity score of 9.8 out of 10 that Oracle sought to squash with a patch issued April 26, outside the company’s normal patch cycle. “Historically, most varieties of ransomware have required some form of user interaction, such as a user opening an attachment to an email message, clicking on a malicious link, or running a piece of malware on the device,” Cisco’s Talos […]

The post Meet Sodinokibi, a ransomware strain that exploits a critical Oracle server flaw appeared first on CyberScoop.

Ongoing state-sponsored DNS hijacking campaign has compromised 40 entities

Hackers backed by a nation-state have successfully hijacked Domain Name System records to steal credentials from approximately 40 public and private entities across 13 countries in an attack that’s lasted for about two years, which Cisco’s Talos research team has dubbed “Sea Turtle” in research published Wednesday. The ongoing attack targets intelligence agencies, military organizations, and energy firms, as well as foreign ministries, telecommunications companies, and internet service providers. Cisco’s researchers characterize the attackers as “highly capable” and “unusually brazen,” but don’t go so far as to identify what country may be behind the attack. FireEye has indicated Iran is likely responsible for an attack that appears similar, but which Cisco claims is distinct from this new campaign. DNS hijacking allows hackers to gain credentials from victim entities in order to control the target’s DNS records — without flagging to the victims that they’re under attack. Using the DNS records, attackers are capable of […]

The post Ongoing state-sponsored DNS hijacking campaign has compromised 40 entities appeared first on CyberScoop.

Shimo VPN service contains six unpatched vulnerabilities, Talos discovers

A series of vulnerabilities in the Helper Tool of Shimo, a popular virtual private network app used to connect multiple VPNs on Mac operating systems, would make it possible for hackers to obtain root control, according to research published Monday by Cisco’s Talos research team. Researchers detailed six vulnerabilities in the Shimo VPN Helper Tool, the component the app relies on to carry out its privileged work, according to a blog post. Details of the vulnerabilities were released after Cisco made “repeated attempts” to communicate with Shimo over 90 days to no avail, Talos said. Shimo did not immediately respond to a request for comment from CyberScoop. One vulnerability, listed as CVE-2018-4004, is a privilege escalation vulnerability that resides in the Shimo VPN helper’s disconnectService function, and would allow a “non-root user to kill privileged processes on the system.” Another, CVE-2018-4007, resides in the deleteConfig functionality and “could allow an attacker to delete any […]

The post Shimo VPN service contains six unpatched vulnerabilities, Talos discovers appeared first on CyberScoop.

A Year Later, Cybercrime Groups Still Rampant on Facebook

Almost exactly one year ago, KrebsOnSecurity reported that a mere two hours of searching turned up more than 100 Facebook groups with some 300,000 members openly advertising services to support all types of cybercrime, including spam, credit card fraud…

Facebook hosted more than 70 cybercrime groups that advertised all types of illicit activity

Cybercriminals used 74 Facebook groups to buy and sell hacking tools and stolen information and to rent out spam services, according to research published Friday by Cisco’s Talos threat intelligence group. Roughly 385,000 members speaking a variety of different languages were involved with the groups, which used obvious names such as “Spam Professional,” “Spammer & Hacker Professional” and “Facebook hack (phishing),” Talos reported. Researchers said anyone with a Facebook account could find the groups by searching for keywords such as “spam,” “carding,” or “CVV,” and Facebook’s algorithm then would suggest similar groups. While most groups have been removed, their size and reach again demonstrate how Facebook has struggled to prevent users from using the platform for nefarious purposes. Some of the pages detected by Talos researchers existed for up to eight years. “Talos initially attempted to take down these groups individually through Facebook’s abuse reporting functionality,” the researchers said. “While some groups […]

The post Facebook hosted more than 70 cybercrime groups that advertised all types of illicit activity appeared first on CyberScoop.

Hide it well or market it well: Two reports show how point-of-sale malware has users in mind

Sometimes the little things can help cybercriminals separate their wares from the pack. It could be an uncommon feature in the malware itself, or it could just be a new way to market a familiar strategy. In unrelated reports Wednesday, cybersecurity companies detailed DMSniff, which takes a new approach to remaining stealthy as it steals point-of-sale (POS) information from consumers, as well as GlitchPOS, which steals credit-card information in a familiar way but comes with an instructional video from its creators. Threat intelligence company Flashpoint reports that DMSniff has quietly been in active use since 2016 thanks in part to a domain generation algorithm, which allows hackers to continue siphoning data from a web page even after police or researchers have taken hackers’ domain pages offline. Flashpoint notes that the use of such an algorithm is “rarely seen” in the smash-and-grab world of POS malware, where thieves typically distribute malware to as many sites as possible and […]

The post Hide it well or market it well: Two reports show how point-of-sale malware has users in mind appeared first on CyberScoop.

A Deep Dive on the Recent Widespread DNS Hijacking Attacks

The U.S. government — along with a number of leading security companies — recently warned about a series of highly complex and widespread attacks that allowed suspected Iranian hackers to siphon huge volumes of email passwords and other sensitive data from multiple governments and private companies. But to date, the specifics of exactly how that attack went down and who was hit have remained shrouded in secrecy.

This post seeks to document the extent of those attacks, and traces the origins of this overwhelmingly successful cyber espionage campaign back to a cascading series of breaches at key Internet infrastructure providers.