When law enforcement agencies tout their latest cybercriminal arrest, the defendant is often cast as a bravado outlaw engaged in sophisticated, lucrative, even exciting activity. But new research suggests that as cybercrime has become dominated by pay-for-service offerings, the vast majority of day-to-day activity needed to support these enterprises is in fact mind-numbingly boring and tedious, and that highlighting this reality may be a far more effective way to combat cybercrime and steer offenders toward a better path. Yes, I realize hooded hacker stock photos have become a meme, but that's the point. The findings come in a new paper released by researchers at Cambridge University's Cybercrime Centre, which examined the quality and types of work needed to build, maintain and defend illicit enterprises that make up a large portion of the cybercrime-as-a-service market. In particular, the academics focused on botnets and DDoS-for-hire or "booter" services, the maintenance of underground forums, and malware-as-a-service offerings. In examining these businesses, the academics stress that the romantic notions of those involved in cybercrime ignore the often mundane, rote aspects of the work that needs to be done to support online illicit economies. The researchers concluded that for many people involved, cybercrime amounts to little more than a boring office job sustaining the infrastructure on which these global markets rely, work that is little different in character from the…

Source

A targeted series of attacks on suppliers of equipment and software for industrial enterprises is playing out globally, researchers said, hinging on phishing and a steganography tactic to hide malware on public, legitimate image resources. According to Kaspersky ICS CERT, the attacks seem bent on stealing Windows credentials in order to lay the groundwork for lateral movement inside a target network and follow-on activity. They have so far been seen being mounted on systems in Germany, Italy, Japan and the U.K. The kill chain starts with phishing emails, which are tailored and customized to the specific language for each victim. “For example, in the case of an attack on a company from Japan, the text of a phishing email and a Microsoft Office document containing a malicious macro were written in Japanese,” researchers explained, in an analysis on Thursday. “Also, to successfully decrypt the malware module, the operating system must have had a Japanese localization as well.” The emails contain an “urgent request” to open an attached document. It’s an Excel spreadsheet with a malicious macro; users are requested to enable active content, which triggers the malicious PowerShell script. “The script is executed in spite of the configured policy, in a hidden window and without loading the user configuration,” according to Kaspersky. It goes on to randomly select one of the URL addresses included in the coding – which leads to the legitimate public image hosting services called…

Source

Japan-based systems integrator NTT Communications has disclosed a recent data breach that it said impacted hundreds of customers. The total affected comes to as many as 621 customers, the company said, but security experts worry about the impacts of the data breach due to the company’s positioning as a systems integrator, which could create widespread ramifications for its supply-chain partners. NTT Communications is a subsidiary of Fortune 500 company Nippon Telegraph and Telephone Corp., the largest telecommunications company in Japan (and one of the largest worldwide). “At this point, we have completed initial actions such as stopping the server that served as a stepping stone [for the breach], but we will contact customers who may have been affected in order. At the same time, we are implementing measures to prevent recurrence,” according to the company’s translated data-breach disclosure. The company said on Thursday that the data breach occurred on May 7. The hack was detected by the company on May 11 and has since been remediated. NTT Communications did not clarify what kind of data may have been accessed, nor did it mention how attackers were able to move laterally on the network. Threatpost has reached out for further clarification. However, local media reports say that information leaked may have involved the Japan Self-Defense Forces (i.e., Japan’s military forces). NTT Communications first discovered the intrusion after detecting suspicious activity on its…

Source

The Russia-linked APT group Sandworm has been spotted exploiting a vulnerability in the internet’s top email server software, according to the National Security Agency (NSA). The bug exists in the Exim Mail Transfer Agent (MTA) software, an open-source offering used on Linux and Unix-like systems. It essentially receives, routes and delivers email messages from local users and remote hosts. Exim is the default MTA included on some Linux distros like Debian and Red Hat, and Exim-based mail servers in general run almost 57 percent of the internet’s email servers, according to a survey last year. The bug (CVE-2019-10149) would allow an unauthenticated remote attacker to execute commands with root privileges on an Exim mail server, allowing the attacker to install programs, modify data and create new accounts. It’s also wormable; a previous campaign spread cryptominers automatically from system to system using a port sniffer. The bug was patched last June. The NSA this week released a cybersecurity advisory on new exploit activity from Unit 74455 of the GRU Main Center for Special Technologies (GTsST), a division of the Russian military intelligence service, a.k.a. Sandworm, a.k.a. BlackEnergy. The APT has been linked to the Industroyer attack on the Ukrainian power grid as well as the infamous NotPetya attacks. According to Kaspersky, the group is part of a nexus of related APTs that also includes a recently discovered group called Zebrocy. The flaw can be exploited using a…

Source

“Hack-for-hire” organizations are the latest group of cybercriminals to take advantage of the ongoing coronavirus pandemic, using COVID-19 as a lure in phishing emails bent on stealing victims’ Google credentials. Researchers with Google’s Threat Analysis Group (TAG) warned that they’ve spotted a spike in activity from several India-based firms that have been creating Gmail accounts that spoof the World Health Organization (WHO) to send coronavirus-themed phishing emails. “The lures themselves encourage individuals to sign up for direct notifications from the WHO to stay informed of COVID-19 related announcements, and link to attacker-hosted websites that bear a strong resemblance to the official WHO website,” according to Shane Huntley, in Google’s TAG bulletin for the first quarter of 2020. These websites are fake login pages that convince victims to hand over their Google account credentials and personally identifiable information (PII), such as their phone numbers. The accounts have largely targeted business leaders in financial services, consulting and healthcare corporations in numerous countries, including the U.S., Bahrain, Canada, Cyprus, India, Slovenia and the U.K. Over the past months, Google said it sent 1,755 warnings to users whose accounts were targets of government-backed attackers in coronavirus-related campaigns. These included attacks from advanced persistent threat (APT) group Charming Kitten on medical and healthcare…

Source

The American Civil Liberties Union (ACLU) has sued a New York-based startup for amassing a database of biometric face-identification data of billions of people and selling it to third parties without their consent or knowledge. The U.S. citizens’-rights watchdog organization has filed suit in the Circuit Court of Cook County in Illinois against Clearview AI, on behalf of a number of organizations comprised of vulnerable communities, such as survivors of sexual assault or domestic violence and undocumented immigrants, for violating the Illinois Biometric Information Privacy Act (BIPA). Clearview has been collecting what are called “faceprints,” or unique biometric identifiers similar to someone’s fingerprint or DNA profile, and then selling them to “private companies, police, federal agencies and wealthy individuals, allowing them to secretly track and target whomever they wished using face recognition technology,” ACLU Staff Attorney Nathan Freed Wessler wrote in a blog post published Thursday. “The company has captured these faceprints in secret, without our knowledge, much less our consent, using everything from casual selfies to photos of birthday parties, college graduations, weddings and so much more,” he wrote, adding that Clearview “will end privacy as we know it if it isn’t stopped.” BIPA is an Illinois law aimed at protecting people “against the surreptitious and nonconsensual capture of their biometric identifiers, including faceprints,” according to the ACLU’s…

Source

The Hoaxcalls botnet, built to carry out large-scale distributed denial-of-service (DDoS) attacks, has been actively in development since the beginning of the year. One of its hallmarks is that it uses different vulnerability exploits for initial compromise. Researchers, however, have discovered that it’s been a hit-or-miss journey for its operators when it comes to the bugs they choose – while at the same time, they’ve had to reboot after takedowns. “The Hoaxcalls campaign has provided researchers with a number of opportunities over the last several months to explore the trials and errors in researching, developing and building a botnet campaign and the abandoned infrastructure that are left behind,” explained Daniel Smith, researcher with Radware, in a Thursday posting. “Like derelict satellites that orbit the earth, these bots skim and crawl vulnerable internet devices without a real objective.” The Hoaxcalls operators are among those botherders that differentiate themselves from amateur actors with the use of exploits – most of those with fewer technical skills tend to brute-force SSH and Telnet credentials in order to compromise devices and add them to their botnets. However, that strategy has its downsides, Smith noted. “Botherders also have to compete with each other for their share of vulnerable resources,” he wrote. “If there are only 400 vulnerable devices for a given exploit, it’s first-come, first-serve. Those that leverage recent or undisclosed exploits stand…

Source

Cisco said attackers have been able to compromise its servers after exploiting two known, critical SaltStack vulnerabilities. The flaws exist in the open-source Salt management framework, which is used in Cisco network-tooling products. Two Cisco products incorporate a version of SaltStack that is running the vulnerable salt-master service. The first is Cisco Modeling Labs Corporate Edition (CML), which gives users a virtual sandbox environment to design and configure network topologies. The second is Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), used to design, configure and operate networks using versions of Cisco’s network operating systems. Hackers were able to successfully exploit the flaws in the latter product, resulting in the compromise of six VIRL-PE backend servers, according to Cisco. Those servers are: us-1.virl.info, us-2.virl.info, us-3.virl.info, us-4.virl.info, vsm-us-1.virl.info and vsm-us-2.virl.info. “Cisco infrastructure maintains the salt-master servers that are used with Cisco VIRL-PE,” according to Cisco’s Thursday alert. “Those servers were upgraded on May 7, 2020. Cisco identified that the Cisco maintained salt-master servers that are servicing Cisco VIRL-PE releases 1.2 and 1.3 were compromised.” Cisco said the servers were remediated on May 7. The company also released software updates for the two vulnerable products. Cisco said that the update is “critical,” ranking it 10 out of 10 on the CVSS scale. The SaltStack…

Source

The United Kingdom's anti-cybercrime agency is running online ads aimed at young people who search the Web for services that enable computer crimes, specifically trojan horse programs and DDoS-for-hire services. The ad campaign follows a similar initiative launched in late 2017 that academics say measurably dampened demand for such services by explaining that their use to harm others is illegal and can land potential customers in jail. For example, search in Google for the terms "booter" or "stresser" from a U.K. Internet address, and there's a good chance you'll see a paid ad show up on the first page of results warning that using such services to attack others online is illegal. The ads are being paid for by the U.K.'s National Crime Agency, which saw success with a related campaign for six months starting in December 2017.

[Figure: A Google ad campaign paid for by the U.K.'s National Crime Agency.]

NCA Senior Manager David Cox said the agency is targeting its ads to U.K. males age 13 to 22 who are searching for booter services or different types of remote access trojans (RATs), as part of an ongoing effort to help steer young men away from cybercrime and toward using their curiosity and skills for good. The ads link to advertorials and to the U.K.'s Cybersecurity Challenge, which tries to gamify computer security concepts and highlight potential careers in cybersecurity roles. "The fact is, those standing in front of a classroom teaching children have less information about…

Source

Google has been hit by a lawsuit alleging that it violates user privacy by collecting location data via various means – and claiming that Google makes it nearly “impossible” for users to opt out of such data tracking. The lawsuit, filed by Arizona Attorney General Mark Brnovich, alleges that Google uses “deceptive and unfair conduct” to obtain Android users’ location data via various applications, services and technologies, which is then used for advertising purposes. The alleged data collection would violate the Arizona Consumer Fraud Act, a set of laws that give protections to consumers in various transactions related to the sale or advertisement of merchandise. “Google has engaged in these deceptive and unfair acts and practices with the purpose of enhancing its ability to collect and profit from user-location information,” according to the 50-page complaint, which was filed Wednesday in the Maricopa County Superior Court. “And profited it has, to the tune of over $134 billion in advertising revenue in 2019 alone. On information and belief, hundreds of millions of dollars of these advertising revenues were generated from ads presented to millions of users in the State of Arizona.” Public consternation around Google’s data-collection policies was first set off by a 2018 Associated Press report, which claimed that Google services that are prevalent on both Android and iOS phones all store location data. The report alleged that Google would track users’ data even when they…

Source