A Dubai resident with an elaborate lifestyle that he touted on social media – think designer clothes, expensive watches, luxury cars and charter jets – has arrived in the United States to face criminal charges. He is charged with conspiring to engage in money laundering, as part of a business email compromise (BEC) and general fraud effort. According to an FBI affidavit filed in U.S. District Court, the Nigerian national, known as Ramon Olorunwa Abbas, allegedly conspired to launder hundreds of millions of dollars from BEC and other scams. According to the FBI, his campaigns targeted a New York law firm, a foreign bank and an English Premier League soccer club. In BEC scams, attackers can leverage compromised or spoofed accounts to request fraudulent wire transfers, redirect an employee’s paycheck or steal sensitive information housed within inboxes. In 2019 alone, the FBI recorded $1.7 billion in losses by companies and individuals victimized through BEC scams – and the trend shows no sign of abating. “BEC schemes are one of the most difficult cybercrimes we encounter as they typically involve a coordinated group of con artists scattered around the world who have experience with computer hacking and exploiting the international financial system,” said United States Attorney Nick Hanna, in a statement. The FBI believes that Abbas, a.k.a. “Ray Hushpuppi” and “Hush,” is one of the leaders of a transnational network that facilitates computer intrusions, BEC and other fraud…

Source

Since its launch three years ago, the Keeper threat group has compromised more than 570 e-commerce websites, from online liquor stores to Apple product resellers. And experts warn of future, increasingly sophisticated attacks against online merchants worldwide. The Keeper group, a faction of the Magecart umbrella, consists of an interconnected network of 64 attacker domains and 73 exfiltration domains. Researchers recently uncovered an unsecured access log on the Keeper control panel harboring 184,000 compromised payment cards, which had time stamps that ranged from July 2018 to April 2019. “Extrapolating the number of cards per nine months to Keeper’s overall lifespan, and given the dark-web median price of $10 per compromised card-not-present (CNP) card, this group has likely generated upwards of $7 million USD from selling compromised payment cards,” according to new research from Gemini Advisory on Tuesday. As is common for Magecart groups, Keeper attackers launched attacks by breaking into online store backends, altering their source code and inserting malicious scripts that log payment-card details entered by shoppers in checkout forms. Researchers say Keeper exfiltration and attacker domains use identical login panels and are all linked to the same dedicated server. This server hosts both the malicious payload and the exfiltrated data stolen from victim sites, they said. “The Gemini team has named this group ‘Keeper’ based on its repeated usage of a single domain…

Source

A malicious Android app has been uncovered on the Google Play app marketplace that is distributing the banking trojan Cerberus. The app has 10,000 downloads. Researchers said that the trojan was found within the last few days, as it was being spread via a Spanish currency converter app (called “Calculadora de Moneda”), which has been available to Android users in Spain since March. Once executed, the malware has the capabilities to steal victims’ bank-account credentials and bypass security measures, including two-factor authentication (2FA). “As is common with banking malware, Cerberus disguised itself as a genuine app in order to access the banking details of unsuspecting users,” Ondrej David, with Avast, said in a Tuesday analysis. “What’s not so common is that a banking trojan managed to sneak onto the Google Play Store.” To avoid initial detection, the app hid its malicious intentions for the first few weeks while being available on Google Play. During this time, the app acted normally as a legitimate converter, and it did not steal any data or cause any harm, David said. “This was possibly to stealthily acquire users before starting any malicious activities, which could have grabbed the attention of malware researchers or Google’s Play Protect team,” according to David. After a few weeks, newer versions of the currency converter included what researchers called a “dropper code,” but it still wasn’t activated. Then, the app deployed a second stage where it became a…

Source

Multiple vulnerabilities in the Citrix Application Delivery Controller (ADC) and Gateway would allow code injection, information disclosure and denial of service, the networking vendor announced Tuesday. Four of the bugs are exploitable by an unauthenticated, remote attacker. The Citrix products (formerly known as NetScaler ADC and Gateway) are used for application-aware traffic management and secure remote access, respectively, and are installed in at least 80,000 companies in 158 countries, according to a December assessment from Positive Technologies. Other flaws announced Tuesday also affect Citrix SD-WAN WANOP appliances, models 4000-WO, 4100-WO, 5000-WO and 5100-WO. Attacks on the management interface of the products could result in system compromise by an unauthenticated user on the management network; or system compromise through cross-site scripting (XSS). Attackers could also create a download link for the device which, if downloaded and then executed by an unauthenticated user on the management network, could result in the compromise of a local computer. “Customers who have configured their systems in accordance with Citrix recommendations [i.e., to have this interface separated from the network and protected by a firewall] have significantly reduced their risk from attacks to the management interface,” according to the vendor. Threat actors could also mount attacks on Virtual IPs (VIPs). VIPs, among other things, are used to provide users with a unique IP…

Source

Researchers have identified a credit-card skimming campaign that’s been active since mid-April and has a rather specific and unusual target: ASP.NET-based websites running on Microsoft Internet Information Services (IIS) servers. New research from Malwarebytes Labs recently uncovered the campaign, which has already compromised at least a dozen websites, including sports organizations, health and community associations and a credit union — all via malicious code injected into existing JavaScript libraries on each of the sites. The campaign seems to be exploiting an older version of ASP.NET, version 4.0.30319, which is no longer officially supported and contains multiple vulnerabilities, according to the report by Malwarebytes director of threat research Jerome Segura. “This skimming campaign likely began sometime in April 2020 as the first domain (hivnd[.]net) part of its infrastructure (31.220.60[.]108) was registered on April 10 by a threat actor using a ProtonMail email address,” he wrote in the report. In most cases, attackers were seen injecting the skimming code directly into the compromised JavaScript library of the affected site, though in some cases it was loaded remotely, he said in the report. In the latter instance, attackers loaded the skimmer from the remote domain thxrq[.]com. Credit-card skimmers do basically what their name suggests — they read and record credit-card details from otherwise legitimate transactions for use by threat actors. The actors…

Source

Railway systems are becoming increasingly digital – from digital signaling systems to remote monitoring functions – and this is opening the door for sophisticated bad actors to launch various malicious cyberattacks. Dr. Jesus Molina, director of Industrial IoT with Waterfall Security Solutions, talks to Threatpost host Cody Hackett about the risks that rail operators are facing – from the security issues in railways to the trains themselves – and how railways can stay up to date on the best cybersecurity measures by adopting unidirectional gateways and by separating enterprise and operational networks. Listen to the full podcast, below, or download direct here. Also, check out our podcast microsite, where we go beyond the headlines on the latest…

Source

Researchers say they have discovered the first-ever Russian business email compromise (BEC) cybercriminal ring, showing that sophisticated attackers beyond the usual Nigerian scammers are setting their sights on the email-based attack vector. The BEC gang is called Cosmic Lynx, and has been associated with more than 200 BEC campaigns targeting senior-level executives in 46 countries since last July. The threat group sets itself apart from other run-of-the-mill BEC scams in that it uses extremely well-written emails, targets victims without DMARC policies and leverages a fake “merger-and-acquisition” scenario that allows it to steal larger sums of money from victims. “This is a historic shift to the global email threat landscape and portends new and sophisticated socially engineered phishing attacks that CISOs around the world must brace for now,” according to researchers with Agari, who published a Tuesday analysis on the new threat group. While many BEC groups are relatively target-agnostic, Cosmic Lynx has a well-defined victim profile, researchers say. It hunts out large, multinational organizations with a significant global presence, including many Fortune 500 or Global 2000 companies. The target employees of Cosmic Lynx schemes are typically senior-level executives, with 75 percent holding the titles of vice president, general manager or managing director, according to Agari. The pretext in almost all attacks observed is that the victim’s company is preparing to…

Source

A healthy percentage of Android users targeted by mobile malware or mobile adware last year suffered a system partition infection, making the malicious files virtually undeletable. That’s according to research from Kaspersky, which found that 14.8 percent of its users who suffered such attacks were left with undeletable files. These range from trojans that can install and run apps without the user’s knowledge, to less threatening, but nevertheless intrusive, advertising apps. “A system partition infection entails a high level of risk for the users of infected devices, as a security solution cannot access the system directories, meaning it cannot remove the malicious files,” the firm explained, in a posting on Monday. Moreover, the research found that most devices harbor pre-installed default applications that are also undeletable – the number of those affected varies from 1 to 5 percent of users with low-cost devices, and reaches 27 percent in extreme cases. “Infection can happen via two paths: The threat gains root access on a device and installs adware in the system partition, or the code for displaying ads gets into the firmware of the device before it even ends up in the hands of the consumer,” according to the firm. In the latter scenario, this could lead to potentially undesired and unplanned consequences. For instance, many smartphones have functions providing remote access to the device. If abused, such a feature could lead to a data compromise of a user’s device…

Source

Security experts are urging companies to deploy an urgent patch for a critical vulnerability in F5 Networks’ networking devices, which is being actively exploited by attackers to scrape credentials, launch malware and more. Last week, F5 Networks issued urgent patches for the critical remote code-execution flaw (CVE-2020-5902), which has a CVSS score of 10 out of 10. The flaw exists in the configuration interface of the company’s BIG-IP app delivery controllers, which are used for various networking functions, including app-security management and load-balancing. Despite a patch being available, Shodan shows almost 8,500 vulnerable devices are still reachable on the internet. Not long after the flaw was disclosed, public exploits were made available for it, leading to mass scanning for vulnerable devices by attackers and ultimately active exploitation. Researchers warn that they’ve seen attackers targeting the flaw over the weekend for various malicious activities, including launching the Mirai variant DvrHelper, deploying cryptocurrency mining malware and scraping credentials “in an automated fashion.” Rich Warren, principal security consultant for NCC Group, said Monday on Twitter that “as of this morning we are seeing an uptick in RCE attempts against our honeypots, using a combination of either the public Metasploit module, or similar via Python.” “Ok, we are seeing active exploitation of CVE-2020-5902. Patch it today.” — Rich Warren (@buffaloverflow), July 4, 2020. The exploit of…

Source

The Lazarus Group, state-sponsored hackers affiliated with North Korea, has added digital payment-card skimming to their repertoire, researchers said, using Magecart code. Lazarus members are targeting online payments made by American and European shoppers. Among the victims is Claire’s, the fashion accessory chain that was attacked in June, according to an analysis from Sansec issued on Monday. Researchers said that the infrastructure used in the attacks is the same that has been seen in previous Lazarus operations; and that “distinctive patterns in the malware code were identified that linked multiple hacks to the same actor.” The analysis found that Lazarus was likely planting Magecart payment skimmers on major online retailer sites as early as May 2019. Magecart is an umbrella term encompassing several different threat groups who typically use the same card-skimming scripts on checkout pages. Magento-based attacks are seen most often, but Magecart also attacks other e-commerce platforms, including Opencart, BigCommerce, Prestashop and Salesforce. “In order to intercept transactions, an attacker needs to modify the computer code that runs an online store,” according to the writeup. “[Lazarus Group, a.k.a. Hidden Cobra] managed to gain access to the store code of large retailers such as international fashion chain Claire’s.” The researchers speculated that Lazarus is using spearphishing emails as its initial infection vector to compromise the sites – an effort ultimately…

Source