NSA to establish new Cybersecurity Directorate to boost defense

The National Security Agency is creating a cybersecurity directorate to better protect the country against cyberthreats from foreign adversaries, an NSA spokesperson told CyberScoop. Anne Neuberger will be the intelligence agency’s first director for cybersecurity, a decision NSA Director Gen. Paul Nakasone is expected to make public Tuesday in New York City at the International Conference on Cyber Security. The directorate is slated to be operational Oct. 1 of this year, the spokesperson said. The move is intended to allow the NSA — which is part of the U.S. military — to better provide information gleaned from signals intelligence to agencies and the private sector in order to protect national critical infrastructure, an NSA spokesperson said. “It’s a major organization that unifies our foreign intelligence and our cyberdefense mission, and it’s charged with preventing and eradicating threats to national security systems and the defense industrial base,” the official told CyberScoop. Civilian agencies — such as the Department of […]

The post NSA to establish new Cybersecurity Directorate to boost defense appeared first on CyberScoop.

BitPaymer targets 15 U.S. organizations in 3 months, researchers say

An ongoing campaign using the BitPaymer ransomware has targeted at least 15 U.S. organizations in the last three months across the financial, agricultural, technology and government sectors, researchers said Thursday. In an operation marked by meticulous planning, the hackers are phishing their targets with emails laced with the Dridex malware, another one of their staple tools, according to Israeli cybersecurity company Morphisec. After surveying the network, they deploy BitPaymer over a weekend, when employees are out. The ransomware spreads as people get back to work on Monday, Morphisec said. Morphisec would not name any of the affected organizations, but CTO Michael Gorelik told CyberScoop that it has dealt directly with two of them. He declined to offer more details, and he would not elaborate on the “supply chain solution provider” that his company said was also attacked. On average, the organizations targeted had between 200 and 1,000 employees, Gorelik said. The findings are the latest example […]

This firmware flaw was bad enough, but then researchers looked at the supply chain

When researchers first found critical vulnerabilities in the firmware of Lenovo computer servers, it looked like a fairly straightforward issue. The problem, however, involved far more than the Hong Kong-based PC giant. The vulnerabilities were in the software of baseboard management controllers (BMC), the small processors used to remotely manage servers at an organization. The flaws could allow an attacker to run arbitrary code within the BMCs to retain persistent access to a computer system, or to “brick” the BMC entirely, rendering it inoperable. Those facts alone were cause for concern, but specialists at hardware-security company Eclypsium discovered a bigger story. The firmware in question was actually sourced from another company — Ohio-based Vertiv — and it was present in servers made by at least seven other vendors. “That’s when we realized just how complex and vulnerable the BMC supply chain is,” said Jesse Michael, principal security researcher at Eclypsium. The […]

‘StrongPity’ hacking group does just enough to get around defenses

Rather than expend resources on creating fancy new tools, malicious hackers often do the bare minimum needed to breach their targets. That means that when researchers expose their malware, the groups tend to only slightly modify their code to keep it effective. The latest activity from an advanced persistent threat known as StrongPity is a prime example. After having its actions called out last year, StrongPity has come up with new malware samples it is using in a month-long, ongoing campaign against users in Turkey, according to research published Wednesday by AT&T Alien Labs. Although the code has been altered, the general attack method remains the same: go after users who download router management software to infect target organizations, and use the popular file archiver WinRAR for delivery. The spyware delivered to the organizations, which is also called StrongPity, hunts for documents on an infected network and lingers on, retaining […]

Russia’s Turla group goes trolling with code labeled “TrumpTower”

It’s a common practice: Researchers digging through malware find legitimate clues that point to its authors or data that are false flags meant to throw researchers off the right path. In the case of the Turla hacking group, which is reportedly tied to Russia’s FSB intelligence service, it is unclear why the group decided to name one of its code strings “TrumpTower” or another “RocketMan!” – presumably a reference to U.S. President Donald Trump’s nickname for North Korean dictator Kim Jong Un. Regardless of whether or not Turla was trolling, it’s clear to researchers from cybersecurity company Kaspersky that the new code was built for an ongoing hacking campaign aimed at a narrow set of unnamed government organizations. To deliver the malicious code to its targets, Turla used legitimate software downloaders, such as tools to evade internet censorship, that were infected with a “dropper” to install the malware. While not saying where the targeting […]

TA505 launches fresh attacks on financial organizations in Singapore, UAE and U.S.

A criminal hacking group known for authoring the widely used Locky ransomware appears to have new targets in its sights: financial institutions in Singapore, the United Arab Emirates and United States, as well as manufacturing and retail organizations in South Korea. The TA505 group began the campaign last month through tens of thousands of malicious emails, according to researchers at cybersecurity company Proofpoint. The new code is the latest innovation from the group, which is one of the more prolific and adept financially motivated cybercrime organizations. The Windows-based Locky, which emerged in 2016, yielded more than $200 million in ransom payments at its height, according to one estimate. This time, the group is deploying a new piece of malware to download an old remote access tool (RAT) that could have let it steal credentials from a target computer, Proofpoint said. The malware was downloaded in quarantined environments and not at customer sites, meaning there is no evidence that it compromised target […]

Popular genetic-mapping software potentially exposed patients’ data

Security researchers have helped fix a flaw in genetic-mapping software that could have allowed a hacker to manipulate the results of a person’s DNA analysis, showing the challenges of securing code in an industry that is crunching ever-larger sets of data. The bug in the open-source Burrows-Wheeler Aligner (BWA) allowed genetic data to be sent over insecure channels, potentially exposing it to interception and manipulation. Genetic mapping involves replicating information from a person’s cells and comparing that to a standardized human genome, helping a doctor identify traits associated with a disease. In practice, a doctor receiving erroneous data from the software could have prescribed the wrong medication to a patient, warned analysts from the government-funded Sandia National Laboratories, who discovered the vulnerability. BWA is one of the most widely used programs for genetic mapping. A patch has been issued for the flaw. There is no evidence that the vulnerability has been exploited in the wild, researchers said. […]

Vietnamese hacking group has a ‘Swiss Army knife’ of tools at its disposal

A set of remote access tools used by Vietnam’s top hacking group remained largely undetected for years despite their reliance on sloppy code and other hacking techniques that fall short of the group’s normally high standard, according to research published Monday by BlackBerry Cylance. The OceanLotus group, also known as APT32, has gained notoriety in recent years for using carefully crafted tools to breach companies with business interests in Vietnam, particularly in the manufacturing and hospitality sectors. But use of the newfound remote access trojans (RATs), known as Ratsnif, is out of character for OceanLotus, a technically advanced group that projects power in cyberspace in support of Vietnamese interests. BlackBerry Cylance’s new analysis shows how state-aligned groups can select from a range of malware that varies in sophistication, only using what is necessary against a target organization. There is “sloppy code [and] programmatical errors and debug messages not typically present in OceanLotus malware,” said Tom Bonner, BlackBerry Cylance’s director of threat research […]

What happens when one APT hijacks another’s infrastructure

Like any group of spies or soldiers, state-sponsored hacking groups are acutely interested in what their peers are using. Servers, domains and other digital tools can be contested resources just like others in espionage or warfare. And there’s no guarantee that any group can keep a tight grip on its own internet infrastructure. In documenting how Turla, a Russia-linked outfit, hijacked the server of OilRig, a group associated with Iran, new research from Symantec shows what that overlap looks like in action. “This is the first time Symantec has observed one actor hijack another’s infrastructure,” said Alexandrea Berninger, senior cyber intelligence analyst at Symantec. “Although we don’t expect this to become a common tactic, we do expect to see deceptive operations like this amongst the most capable threat actor groups.” The apparently hostile takeover took place in January 2018, when a computer in a Middle Eastern government organization downloaded a variant of the […]

A bug in Wi-Fi ‘extenders’ could give a hacker full control over the devices

If you’re looking to strengthen the Wi-Fi signal in your home or business, be sure the equipment you use doesn’t have a vulnerability that could give free rein to hackers. IBM X-Force researcher Grzegorz Wypych has found such a firmware flaw, one that would let an attacker execute code remotely without having to log into the wireless device. The vulnerability is in an “extender” — a piece of gear used to expand Wi-Fi coverage — made by networking company TP-Link Technologies. Often available for cheap through electronics retailers, Wi-Fi extenders are used in homes and small businesses to boost connectivity. But, as Wypych pointed out, the extenders can also make their way into larger businesses looking for easy internet access for employees. The research is another reminder that internet of things (IoT) devices, although prized for their convenience, can come with big security risks. Wypych found that by altering an HTTP request […]
