Researchers suggest Gorgon Group behind hacking spree that abused Bit.ly and Blogspot functionalities

A hacking campaign that targeted victims around the world used Blogspot, Pastebin and the link-shortening service Bit.ly to carry out its attacks, according to research published Wednesday by the security vendor Palo Alto Networks. Palo Alto’s Unit 42 research group in March uncovered what it has called the Aggah campaign, a digital crime spree focused on organizations in the U.S., Middle East, Europe and throughout Asia. The group distributes malicious macro-enabled documents that rely on Blogspot posts and multiple Pastebin posts for command-and-control infrastructure. Researchers suggested the hacking campaign originated with the Gorgon Group, a collective that’s carried out a string of attacks from Pakistan over the past year, though Unit 42 said it’s too soon to attribute the campaign to the Gorgon Group with any level of certainty. “Unfortunately, our current data set does not afford insight into the attackers’ motivation other than to compromise a large number of victims,” […]

The post Researchers suggest Gorgon Group behind hacking spree that abused Bit.ly and Blogspot functionalities appeared first on CyberScoop.

Mirai offshoot offers ‘greater firepower’ for DDoS attacks, researchers warn

A new variant of the infamous Mirai botnet is targeting embedded devices like routers and internet-connected cameras with new exploits, security researchers have concluded. By taking aim at enterprises with large network bandwidths, the Mirai offshoot could give the botnet “greater firepower” to orchestrate distributed denial-of-service attacks, said researchers at Unit 42, Palo Alto Networks’ threat intelligence unit. Operators of the new variant have gone after devices that are popular with businesses, such as wireless presentation systems, according to Unit 42. “IoT/Linux botnets continue to expand their attack surface, either by the incorporation of multiple exploits targeting a plethora of devices, or by adding to the list of default credentials they brute force, or both,” Ruchna Nigam, senior threat researcher at Unit 42, wrote in a blog post. Either patch your devices or get them off the network, Nigam advised. Mirai is a multi-part cautionary tale in the vulnerability of […]

Cryptojacking malware gets past cloud security programs by uninstalling them

Why break through a barrier if you can just remove it? A piece of cryptojacking malware observed by Palo Alto Networks researchers is equipped to completely uninstall cloud security services from Linux-based servers before carrying out its malicious coin-mining. In a report published Thursday, Palo Alto Networks’ Unit 42 research team said the malware is spread by the cyberthreat group “Rocke,” whose cryptojacking activity was initially documented by Cisco Talos. A Chinese-speaking threat actor, the Rocke group is known for using the computing power of infected Linux-based systems to mine the cryptocurrency Monero. Whereas past versions of the Rocke group’s malware tried to evade detection by disabling only certain aspects of a cloud security service, the new variant simply removes the entire program, according to Palo Alto Networks. The researchers say Rocke added code that can gain administrative access on the infected server and uninstall five different cloud security and monitoring […]

Russian APT activity is resurgent, researchers say

Cybersecurity researchers have detected new spearphishing and malicious-email campaigns associated with two Russian-government-linked hacking groups known for breaching the Democratic National Committee in 2016. One campaign spotted by Palo Alto Networks featured a wave of malicious documents targeting government organizations in Europe, North America, and an unnamed former Soviet state. The documents, which researchers intercepted in late October and early November, included a variant of the Zebrocy Trojan that sends screenshots of a victim’s network back to a command-and-control server. Unit 42, Palo Alto Networks’ intelligence team, tied the malicious-email campaign to the Sofacy Group, a Russian hacking outfit also known as APT28 and Fancy Bear, which has deployed Zebrocy. Meanwhile, FireEye researchers on Monday published details on a spearphishing offensive that had technical similarities with a 2016 campaign from the APT29 Russian hacking group. Western governments have attributed APT28 and APT29 to different parts of Russia’s intelligence services. The campaign tracked by FireEye sent malicious […]

Cobalt Group tries to slip malicious PDFs past bank employees, researchers say

A financially motivated hacking group is trying to evade detection while it targets bank employees across the globe, according to research from cybersecurity company Palo Alto Networks. The Cobalt Group (also known as the Cobalt Gang) this month sent PDF files to bank employees to try to get them to download malicious macros, said researchers from Palo Alto Networks’ Unit 42 threat intelligence team. It is just the latest in a series of activities from a group known for its brazen multimillion-dollar heists on ATMs and the SWIFT banking-transaction system. The recent attack tracked by Unit 42 is simple – the PDF document doesn’t have code or an exploit. Instead, the attackers use social engineering to try to get the bank employees to download the macros. A link embedded in the PDF redirects the target to a malicious document. “Hiding in plain sight is a well-known tactic and that’s what we see these attackers […]
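A PDF that carries no exploit, only a link, will pass most exploit-focused scanners, so the practical check is to pull every external link out of the file and look at where it points. The following is an added example and not Unit 42's tooling or anything recovered from the Cobalt Group documents; the PDF bytes are constructed for it, and the triage heuristics (document and script extensions, a small list of URL shorteners) are assumptions, since the article does not say what the real links looked like. It handles the three places a link can hide in a PDF: a /URI action with a literal string, the same action with the string written in hex, and an action inside a FlateDecode stream that a plain grep over the file would miss.

```python
import re
import zlib
from urllib.parse import urlparse

# Constructed sample (not a real Cobalt Group document). Object 4 carries a
# plain /URI action, object 5 the same kind of action with the URL written as a
# PDF hex string, and object 6 hides a third link inside a FlateDecode stream.
_HIDDEN_OBJ = (b"7 0 obj << /Type /Annot /Subtype /Link "
               b"/A << /S /URI /URI (https://bit.ly/2NotReal) >> >> endobj")
_HIDDEN_STREAM = zlib.compress(_HIDDEN_OBJ)
SAMPLE_PDF = (
    b"%PDF-1.5\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
    b"/Annots [4 0 R 5 0 R 7 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720] "
    b"/A << /S /URI /URI (https://example.invalid/docs/April_statement.doc) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620] "
    b"/A << /S /URI /URI <68747470733a2f2f6578616d706c652e696e76616c69642f696e666f2e68746d6c> >> >> endobj\n"
    b"6 0 obj << /Type /ObjStm /N 1 /First 0 /Filter /FlateDecode /Length "
    + str(len(_HIDDEN_STREAM)).encode() + b" >>\nstream\n"
    + _HIDDEN_STREAM + b"\nendstream\nendobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

# /URI (literal string)  -- backslash escapes ( ) and \ inside the literal
_URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
# /URI <hex string>
_URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Assumed heuristics for the example: what a link out of a "harmless" PDF
# typically points at when the PDF is only the lure.
SUSPICIOUS_EXT = (".doc", ".docm", ".xls", ".xlsm", ".rtf", ".hta",
                  ".lnk", ".js", ".vbs", ".exe", ".scr")
SHORTENERS = {"bit.ly", "tinyurl.com", "goo.gl", "t.co", "is.gd"}


def _unescape_literal(raw: bytes) -> str:
    return re.sub(rb"\\(.)", rb"\1", raw, flags=re.DOTALL).decode("latin-1")


def _chunks(pdf: bytes):
    """Yield the raw file, then every stream body that inflates cleanly."""
    yield pdf
    for m in _STREAM.finditer(pdf):
        try:
            yield zlib.decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-compressed; the raw pass already covered it


def extract_uris(pdf: bytes) -> list[str]:
    """All /URI action targets, in the order they are found."""
    found = []
    for chunk in _chunks(pdf):
        for m in _URI_LITERAL.finditer(chunk):
            found.append(_unescape_literal(m.group(1)))
        for m in _URI_HEX.finditer(chunk):
            found.append(bytes.fromhex(m.group(1).decode("ascii")).decode("latin-1"))
    return found


def triage(uri: str) -> list[str]:
    """Reasons a link in a PDF deserves a closer look (empty list = none)."""
    reasons = []
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    if host in SHORTENERS:
        reasons.append("url-shortener")
    if parsed.path.lower().endswith(SUSPICIOUS_EXT):
        reasons.append("links-to-document-or-script")
    if parsed.scheme not in ("http", "https"):
        reasons.append("non-web-scheme")
    return reasons


def scan(pdf: bytes) -> dict[str, list[str]]:
    """Map every external link in the PDF to the reasons it looks suspicious."""
    return {u: triage(u) for u in extract_uris(pdf)}


if __name__ == "__main__":
    for uri, reasons in scan(SAMPLE_PDF).items():
        print(f"{', '.join(reasons) or 'no flags':28} {uri}")
```

A regex pass is deliberately cheap and will miss links in encrypted PDFs, in streams using filters other than Flate, and in cross-reference streams; for those, hand the file to a real PDF parser. Because a shortener or a bare redirector tells you nothing about the final destination, the flagged links are the ones to resolve in a sandbox, not in a browser.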

‘Tick’ espionage group is likely trying to hop air gaps, researchers say

A cyber espionage group known for attacking organizations in Japan and South Korea has targeted USB drives in a likely effort to infect “air gapped” systems, according to new research. The so-called Tick hacking group has gone after a specific type of USB drive made by an unnamed South Korean defense company, said researchers with cybersecurity company Palo Alto Networks. The newly revealed malware isn’t part of an active campaign and was likely used in attacks years ago, according to the researchers. Nonetheless, the apparent effort to infiltrate air-gapped systems speaks to the lengths to which advanced hackers will go to reach sensitive infrastructure. Whereas other malware used by Tick requires an internet connection to reach a command-and-control server, the group’s “SymonLoader” malware needs no such connectivity, according to the researchers. Instead, the malware tries to extract a hidden payload from a plugged-in USB drive – a technique that is […]

As Trump promises ‘fire and fury,’ North Korean hackers target U.S. defense contractors

Hackers linked to a North Korean cyber espionage group — best known for a global ransomware attack dubbed “WannaCry” — are now actively targeting U.S. defense contractors as part of an apparent, ongoing intelligence gathering operation, according to new research published by U.S. cybersecurity firm Palo Alto Networks. The findings come at a time of heightened tension between the U.S. and North Korea, as the leaders of each nation have exchanged threats of nuclear warfare. North Korea is a known and well-established adversary of the U.S. in cyberspace. The group responsible for both WannaCry and this newly uncovered intelligence operation is codenamed Lazarus Group by the security research community. Analysts with Palo Alto Networks’ Unit 42 found that Lazarus Group recently sent a barrage of spear phishing emails with booby-trapped Microsoft Word attachments to several individuals involved with different U.S. defense contractors. The hackers did very little to obfuscate their identity; they relied on tools, […]