How hackers used a PowerPoint file to spy on Tibet’s government-in-exile

A recently discovered PowerPoint file offers new clues on how hackers are trying to spy on Tibet’s government-in-exile. The malicious document was emailed to subscribers of a mailing list managed by the Central Tibetan Administration (CTA), the organization representing Tibet’s exiled government, according to Talos, Cisco’s threat intelligence unit. Tibet is officially part of China, but Tibetan leaders have lived in exile in India for decades. The email masqueraded as a file that would appeal to their politics. The PowerPoint file name – “Tibet-was-never-a-part-of-China.ppsx” – caters to the CTA mailing list, as does the message in the body of the email marking the upcoming 60th anniversary of the exile of Tibetan spiritual leader the Dalai Lama, researchers said. “Unfortunately, this [is] just part of a continuing trend of nation-state actors working to spy on civilian populations for political reasons,” Talos researchers said in a blog published Monday. They did not attribute the […]
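The Talos excerpt above does not say how the .ppsx delivered its payload, so the following is not Talos's tooling or a description of this specific document. It is an added example of the first triage step a practitioner applies to any OOXML file (.pptx, .ppsx, .docx, .xlsx are all zip packages of XML parts): list every relationship whose `TargetMode` is `External`, which is how a part pulls content from outside the file, and every embedded binary part such as `ppt/embeddings/*.bin`. Ordinary hyperlinks are also external relationships, so the verdict filters on relationship type. The sample package, file names and the 203.0.113.10 address are all constructed for the example.

```python
"""Triage helper for OOXML packages (.pptx/.ppsx/.docx/.xlsx).

Added example; not Talos's code. Lists package relationships that point
outside the file (TargetMode="External") and embedded binary parts, both
common hallmarks of weaponised Office documents. The sample package is
constructed inline so the script runs offline.
"""
import io
import posixpath
import zipfile
from xml.etree import ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
OD_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"

# Binary parts that a plain presentation has no reason to carry.
# (Images live under /media/ and are normal, so they are not listed here.)
EMBEDDED_PART_HINTS = ("/embeddings/", "vbaProject.bin", "/activeX/")


def _rels_owner(rels_name: str) -> str:
    """Map 'ppt/slides/_rels/slide1.xml.rels' -> 'ppt/slides/slide1.xml'."""
    directory, base = posixpath.split(rels_name)
    if directory.endswith("_rels"):
        directory = posixpath.dirname(directory)
    if base.endswith(".rels"):
        base = base[: -len(".rels")]
    return posixpath.join(directory, base)


def audit_ooxml(data: bytes) -> dict:
    """Return external relationships, embedded binary parts and parse errors."""
    findings = {"external_relationships": [], "embedded_parts": [], "errors": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith("/") and any(h in name for h in EMBEDDED_PART_HINTS):
                findings["embedded_parts"].append(name)
            if not name.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError as exc:
                findings["errors"].append(f"{name}: {exc}")
                continue
            owner = _rels_owner(name) or "(package root)"
            for rel in root.iter(REL_NS + "Relationship"):
                if rel.get("TargetMode", "Internal").lower() == "external":
                    findings["external_relationships"].append({
                        "part": owner,
                        # Type is a URI; its last segment names the relationship kind.
                        "type": posixpath.basename(rel.get("Type", "")),
                        "target": rel.get("Target", ""),
                    })
    return findings


def is_suspicious(findings: dict) -> bool:
    """Flag any non-hyperlink external target or any embedded binary part."""
    risky = [r for r in findings["external_relationships"] if r["type"] != "hyperlink"]
    return bool(risky or findings["embedded_parts"])


def build_sample_package(external_target=None, embed_object=False) -> bytes:
    """Constructed minimal .ppsx-like package (not a real captured sample)."""
    slide_rels = [
        f'<Relationship Id="rId1" Type="{OD_REL}slideLayout" Target="../slideLayouts/slideLayout1.xml"/>',
        # A plain hyperlink is also TargetMode="External"; it must not trip the verdict.
        f'<Relationship Id="rId2" Type="{OD_REL}hyperlink" Target="https://example.org/" TargetMode="External"/>',
    ]
    if external_target:
        # An OLE object whose content is fetched from outside the package.
        slide_rels.append(
            f'<Relationship Id="rId3" Type="{OD_REL}oleObject" Target="{external_target}" TargetMode="External"/>'
        )
    parts = {
        "[Content_Types].xml": '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>',
        "_rels/.rels": (f'<Relationships xmlns="{REL_NS[1:-1]}">'
                        f'<Relationship Id="rId1" Type="{OD_REL}officeDocument" Target="ppt/presentation.xml"/>'
                        "</Relationships>"),
        "ppt/presentation.xml": "<presentation/>",
        "ppt/slides/slide1.xml": "<slide/>",
        "ppt/slides/_rels/slide1.xml.rels": (f'<Relationships xmlns="{REL_NS[1:-1]}">'
                                             + "".join(slide_rels) + "</Relationships>"),
    }
    if embed_object:
        parts["ppt/embeddings/oleObject1.bin"] = b"\xd0\xcf\x11\xe0constructed-ole-blob"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in parts.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    for label, pkg in [
        ("benign", build_sample_package()),
        ("external-ole", build_sample_package(external_target="http://203.0.113.10/payload.doc")),
        ("embedded-ole", build_sample_package(embed_object=True)),
    ]:
        f = audit_ooxml(pkg)
        print(label, "SUSPICIOUS" if is_suspicious(f) else "clean", f)
```

Run it against a real file with `audit_ooxml(open(path, "rb").read())`; a hit on a non-hyperlink external target or an embeddings part is a reason to detonate the document in a sandbox rather than open it, not proof of malice on its own.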

The post How hackers used a PowerPoint file to spy on Tibet’s government-in-exile appeared first on CyberScoop.


Bomb Threat, Sextortion Spammers Abused Weakness at GoDaddy.com

Two of the most disruptive and widely-received spam email campaigns over the past few months — including an ongoing sextortion email scam and a bomb threat hoax that shut down dozens of schools, businesses and government buildings late last year — were made possible thanks to an authentication weakness at GoDaddy.com, the world’s largest domain name registrar, KrebsOnSecurity has learned.

Perhaps more worryingly, experts warn this same weakness that let spammers hijack domains registered through GoDaddy also affects a great many other major Internet service providers, and is actively being abused to launch phishing and malware attacks which leverage dormant Web site names currently owned and controlled by some of the world’s most trusted corporate names and brands.

DOJ indictment spotlights China’s civilian intel agency – and its hacker recruits

In unsealing charges Tuesday against 10 Chinese nationals, the Department of Justice showed its focus is on China’s civilian intelligence agency, which analysts say has become Beijing’s preferred arm for conducting economic espionage. The agency, the Ministry of State Security, is more professional and technical in its hacking operations than China’s People’s Liberation Army, according to CrowdStrike co-founder Dmitri Alperovitch. “We have seen [the MSS], over the years, break into [corporate] organizations,” Alperovitch said Tuesday at an event hosted by The New York Times. “They were always better technically than the PLA.” After a landmark 2015 agreement between the United States and China not to steal intellectual property, Chinese activity in that vein tapered off for about a year, according to Alperovitch. Now, he said, it is back in full force. “[W]e’re seeing, on a weekly basis, intrusions into U.S. and other Western companies from Chinese actors,” with the MSS […]

The post DOJ indictment spotlights China’s civilian intel agency – and its hacker recruits appeared first on Cyberscoop.


Talos: Android trojan resembling Play Store installs sophisticated spyware

A newly uncovered Android trojan can install advanced spyware on unsuspecting users’ phones under the guise that it’s just part of the operating system, according to research from Cisco Talos out Thursday. Talos says that the malware’s sophistication is “of an uncommonly high level, making it a dangerous threat.” Vitor Ventura, who authored the Talos report, told CyberScoop by email that it “appears to be a new family of malware.” After being installed and going through some onboarding procedures, the “GPlayed” trojan has a broad range of spying capabilities. It can exfiltrate information like texts and contacts, track geolocation, change the lockscreen password and collect payment credentials. Beyond that, the trojan has the built-in ability to adapt after being installed, Talos says. It can load new plugins remotely, inject new scripts and compile new code. “This means that the authors or the operators can add capabilities without the need to recompile and […]

The post Talos: Android trojan resembling Play Store installs sophisticated spyware appeared first on Cyberscoop.


VPNFilter now has ‘even greater capabilities,’ research shows

VPNFilter, the malware framework that co-opted half a million routers into a botnet earlier this year, has “even greater capabilities” than previously documented, new research shows. Talos, Cisco’s threat intelligence unit, said it recently found seven more VPNFilter modules that “add significant functionality to the malware,” whose botnet loomed over Ukraine ahead of a key soccer match in late May as well as an important public holiday in that country. Among the newly discovered capabilities of VPNFilter are the ability to exploit endpoint devices via compromised network gear, plus “data filtering and multiple encrypted tunneling capabilities to mask command and control and data exfiltration traffic,” Talos researcher Edmund Brumaghin wrote in a blog post Wednesday. The VPNFilter-enabled botnet had the ability to “brick” or disable thousands of devices, so researchers and U.S. law enforcement urgently sought to raise awareness of and mitigate the threat. The same week that Talos exposed VPNFilter, […]

The post VPNFilter now has ‘even greater capabilities,’ research shows appeared first on Cyberscoop.


Cisco Talos’ Craig Williams on the hunt for bugs and abnormal behavior

Look at some of the biggest cybersecurity incidents in the last year and one threat intelligence organization tends to pop up: Talos. Researchers from Talos, a division of networking giant Cisco, have helped expose VPNFilter, the massive botnet that loomed over Ukraine, and have tracked cybercriminals who used mobile device management servers to distribute malware. On the sidelines of the Black Hat and DEF CON conferences in Las Vegas this month, CyberScoop sat down with Craig Williams, Talos’s director of outreach, to get his take on some of these high-profile threats and how he approaches the craft of investigating malware campaigns. Like most other threat intelligence units, Talos has to manage a critical relationship with law enforcement, deciding when to loop in the public sector as it comes across all different kinds of attacks. Williams provides some insight into how Talos handles these interactions, which can often be as complex as the malware he pores over daily. This conversation […]

The post Cisco Talos’ Craig Williams on the hunt for bugs and abnormal behavior appeared first on Cyberscoop.


Talos: Remcos software is a surveillance tool posing as legitimate software

U.S. law enforcement has been alerted to the use of the Remcos RAT in multiple global hacking campaigns, according to Cisco’s Talos Security Intelligence and Research Group. The ads say Remcos Remote Access Tool is legal IT management software. But the RAT allows a user to sneak malware past security products and then secretly surveil a targeted computer. Remcos itself is sold by a German-registered company, Breaking Security, that markets it as a legitimate way to remotely access computers. However, the software has been spotted in hacking campaigns targeting defense contractors in Turkey, news agencies, diesel equipment manufacturers, airlines and energy sector companies. “What we found here is a piece of software being used by bad guys in a lot of different places,” Cisco Talos director Craig Williams told CyberScoop. “They sell a crypter attempting to make the malware undetectable, a keylogger payload, a mass mailer to mail it out and they even have […]

The post Talos: Remcos software is a surveillance tool posing as legitimate software appeared first on Cyberscoop.


20 new vulnerabilities discovered in the Samsung SmartThings Hub, patches issued

If you let it, Samsung’s SmartThings Hub can control virtually your entire home, up to and including locks and cameras. That makes it wildly convenient to use — but also extraordinarily important to secure. It’s not easy. On Thursday, the cybersecurity researchers at Cisco Talos published 20 vulnerabilities in the hub that can be combined to gain complete control of it. Samsung has already released an automatic patch. Users are urged to verify their own hub is updated. As IoT devices rapidly proliferate across the U.S. and around the world — a home can be “smartened” up for a few hundred bucks — hackers are increasingly looking to twist the gadgets to their own ends. Cellebrite, the world-famous Israeli firm best known for cracking iPhones, is increasingly targeting IoT devices because of a rise in demand from police and intelligence agencies around the world. “Given that these devices often gather sensitive information, the discovered vulnerabilities could be leveraged to give an attacker the ability […]

The post 20 new vulnerabilities discovered in the Samsung SmartThings Hub, patches issued appeared first on Cyberscoop.


Indian iPhone Spy Campaign Used Fake MDM Platform

Cyberattackers have used a bogus mobile device management (MDM) system to target a small – but presumably high-value – set of iPhones in India in a cyberespionage campaign that has some unusual hallmarks.