Monthly Cyber Summary – May 2016
Our Monthly Cyber Summary reports a selection of the top trending stories in cyber security from the last calendar month. Keep up to date with the top trending malware, hacker groups, hacker ops, attack types, vulnerabilities picked up by Silobreaker in the May.
To find out more about how Silobreaker identifies threats and see the application in action, you can book an online demo here.
Viking Horde malware – Check Point discovered a new Android malware on the Google Play store that it named Viking Horde after one of the games it uses to disguise itself (‘Viking Jump’). The malware is mainly used for click fraud, although it has numerous other capabilities and acts as part of a botnet on infected devices. Details.
Android.SmsSpy – A two year-old Android trojan called Android.SmsSpy.88 added a ransomware component to its attack capabilities. The malware is able to intercept phone calls and SMS messages, phish for banking credentials with customisable (fake) entry fields and can also act as a screen-locking ransomware. Details.
Furtim malware – Furtim (Latin for ‘stealthily’/’furtively’) checks for over 400 security products and blocks 250 security-related websites before installing itself on a victim’s computer. Sporting a 0% detection rate on VirusTotal when discovered, Furtim is linked to Russia and Ukraine and extracts information via the Pony datastealer. Details.
Fanta SDK – Trend Micro discovered a fake banking application called Fanta SDK that possesses an interesting defensive mechanism similar to that displayed during Operation Emmental: it uses administrative privileges to lock users out of their devices. Details.
Infy malware – PaloAlto Network’s Unit 42 announced the discovery of a previously unpublished malware family called Infy, which is likely to have been used in targeted attacks from as early as 2007. Infy is believed to be used by Iranian actors for an ongoing espionage operation. Details.
Jaku botnet – Jaku is an ongoing campaign that uses thousands of victims to target a small number of NGO members, academics, scientists and government employees involved in some way with North Korea. Details.
CryptMix – Discovered by Heimdal Security and MalwareHunterTeam, CryptMix is spread via spam emails that redirect users to malicious domains hosting exploit kits. The ransomware is able to encrypt up to 862 different file types, appending the extension .code to the files it has hit.
Enigma – Enigma is distributed via HTML attachments and targets Russian users. The ransomware uses AES encryption and asks for a ransom of close to $200. Enigma was discovered by malware analyst Jakub Kroustek.
Mischa – Petya ransomware was upgraded, adding Mischa to its line of execution. The ransom payment is $875/1.93BTC and unfortunately no decryptor is currently available.
TelsaCrypt – The developers behind TeslaCrypt shuttered their operation and published a decryption key for the widely spread ransomware.
DMA Locker – A new version of the DMA Locker (Ver. 4.0) is being distributed by the Neutrino exploit kit. Starting from 2016 DMA Locker has gone through several phases of development, making it a more efficient and resilient threat.
TorrentLocker – The TorrentLocker ransomware was being distributed in emails purporting to come from telecoms giant Telia, Heimdal Security reports.
Tick Group – Tick is believed to have existed since at least 2006 and uses its own customised trojan known as Daserf, in addition to a range of other tools. An espionage group, Tick has been observed stealing information from Japanese technology, engineering and broadcasting companies, and was last picked up in July of 2015. Details.
Bozkurt Hackers – The Bozkurt hacking group were busy in May. The Turkey-based unit have been linked to the release of credit card and financial data from the Qatari National Bank, UAE InvestBank and five more South Asian banks. In several of these cases it’s believed that the information released was already available and the not the result of Bozkurt’s hacking.
Anonymous – The global hacktivist collective were active throughout May. Chief amongst them was the beginning of #OpIcarus, the Anonymous campaign against banks. DDoS attacks took place against multiple banks, including those of Greece, the Netherlands, Guernsey and the US Central Reserve system.
Pawn Storm APT – Pawn Storm, also known as Sofacy and APT28, has been conducting coordinated phishing attacks against members of Germany’s Christian Democratic Union using imitation ‘official’ webmail servers in Latvia and phishing sites hosted in the Netherlands. The purpose appears to be the collection of credentials, which are likely to be used in further attacks at a later date. Details.
Operation Groundbait – Researchers at ESET discovered a malware named “Prikormka” or “Groundbait” in English, and a corresponding APT campaign targeting specific individuals primarily via spear phishing. Thought to have originated in Ukraine back in 2008, Groundbait’s targets and victims include various pro-Russia anti-government separatists, Ukrainian politicians, officials and journalists. Details.
Ke3chang – Palo Alto’s Unit 42 discovered a new malware family called TidePool that it has tied to actors responsible for Operation Ke3chang, a two-year old (possibly Chinese) APT that targets Indian actors and ministries of foreign affairs in Europe. In this case, TidePool is being aimed at Indian embassies using spear phishing emails that persuasively reference real reports and pertinent individuals. Details.
Danti – Danti is a new group which appears to be targeting diplomatic entities in India, Kazakhstan, Kyrgyzstan, Uzbekistan, Myanmar, Nepal and the Philippines. The group uses spear phishing emails to deliver its exploits and uses the names of high-ranking government officials to make the messages appear genuine. Details.
Stealth Falcon – Stealth Falcon was discovered after contacting a UK based journalist on behalf of a fake organisation called ‘Right to Fight’. The journalist, Rori Donaghy, reported on human rights abuses in the UAE and, like activist Ahmed Mansoor and others, was probably targeted for this reason. The email he received contained spyware (in a malicious Word document) and a shortened URL that profiled his machine’s systems before redirecting to a site filled with human rights related content. Details.
World Hacker Team – The World Hacker Team, a group linked to Anonymous, posted a database dump of a site used by the National Oil Corporation of Kenya.
A bug in the popular software tool ImageMagick put web services that process user submitted images in danger of remote code execution.
ImageMagick is an open-source software suite used by many sites to display, convert and edit image files. The vulnerability goes under the name ImageTragick, and involves the submission of ‘poisoned’ image files to services using the open-source tools. Details of this particular vulnerability, which has been allocated CVE-2016-3714, have not been released in order to allow patching, although the exploit has been described as ’trivial’.
CERT reports possible WPAD issues
USCERT issued an advisory regarding the Web Proxy Auto-Discovery (WPAD) protocol for Domain Name System (DNS) queries.
WPAD is used to automatically configure web proxies across all systems within an organisation and is enabled by default on Windows and IE. CERT has observed WPAD configured proxies that are intended to resolve on private or enterprise servers reaching public domains – when a work computer is connected to the internet from a home address for example.
It’s believed that the new generic top level domains (gTLD) program may give threat actors the potential to exploit this resolution issue; registering a known WPAD query as a public domain and configuring a proxy could allow attackers to conduct man-in-the-middle attacks.
Other Top Stories
US Water/Power company hit by ransomware
The Lansing Board of Water and Light (BWL) was crippled by an unnamed ransomware that encrypted files on corporate servers.
BWL is the public supplier of water and electricity to Lansing, Michigan, and was compromised in a familiar fashion when an employee opened a malicious email attachment. The company was forced to shut down its accounting system and email as a result of the ransomware, which spread across corporate servers. BWL’s ability to deliver water and power to residents was unaffected.
SWIFT reports banking malware campaign
The international bank payment organisation SWIFT made the first (later corroborated) claim that the attack on Bangladesh Bank was merely one of an ongoing campaign targeting banks.
In a public statement, SWIFT assured customers that their own systems have not been compromised, but that “attackers have exploited vulnerabilities in banks funds’ transfer initiation environments, prior to messages being sent over SWIFT.”
Gatecoin loses $2 million
Currency exchange Gatecoin reported that they had lost 15% of their crypto-asset deposits after a hack, totalling $2 million.
The exchange, based in Hong Kong, was breached on May 9th and the theft continued until May 12th. The May 9th incursion took place at the same time as a server reboot that is believed to be connected to the event. While the majority of deposits at Gatecoin are placed in cold storage and require multiple authentication, it appears that the hackers in question were able to temporarily divert currency to exchange’s ‘hot wallet’ where they were transferred out.
Phineas Phisher strikes again
Phisher, the hacktivist who claimed to have hacked both Hacking Team and the Gamma Group sent £8k worth of Bitcoin to Kurdish anticapitalists in Rojava, Syria. The group benefiting from the donation exist in an autonomous region of Syria flanked by ISIS on one side and US-allied Turkey on the other.
Condemned by some and lauded by others, Rojava are have a constitution that mandates gender equality and freedom of religion. On the subject of their crowdfunding page, they communicate a plan to purchase, among other things, two trucks, a small bulldozer, and a hangar. Their stated goal is to recycle human and animal waste as ecological fertiliser for the region’s wheat farms.
Phineas Phisher claimed that this initial donation was only the start and plans to give a further one million Euros to the project. This donation completely dwarfs the 27 thousand Euros or so that had been raised before it.
Potty-mouthed worm attacks ISPs
A self-replicating malware that has been attacking ISPs all over the world and taking complete control of wireless networking equipment was discovered.
Ubiquiti Networks, whose products were breached, confirmed that the worm’s operators were looking to target a flaw in the Linux firmware, AirOS. The vulnerability enabled attackers to gain access to devices over HTTP and HTTPS connections without authentication.
Nico Waisman, a researcher at security firm Immunity who has examined the attack, claimed that after breach, the worm replaced the password files of an infected device and then scans the network for more vulnerable devices. The worm then reset infected devices to their factory default configurations, with the exception of leaving behind a backdoor account, and then vanished.
Kansas Heart Hospital hit by ransomware
Systems at Witchita’s Kansas Heart Hospital were infected with an undisclosed type of ransomware. Administrators decided to pay the ransom, though they claim that defences were in place for such a scenario.
In any event, the ransomware’s controllers realised that they had infected a hospital and thought they could extort a little more than the apparently low initial payment. The second ransom demand was refused.
Hospital President Dr. Greg Duick memorably described the ransomware as “like you’re working on your computer and all of a sudden, your computer says, sorry can’t help you anymore. It became widespread throughout the institution.”
Japan ATM theft
South Africa’s Standard Bank confirmed that it was the victim of the theft of nearly $20 million from ATMs in Japan.
The money was withdrawn from 1,400 ATMs across Japan within the space of two to three hours, likely by more than 100 individuals. South African authorities have not commented as of yet.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.