Silobreaker Daily Cyber Digest – 23 November 2018
Bleeping Computer report on distribution of Aurora ransomware
- Aurora ransomware is being installed by attackers hacking into Internet-connected computers running Remote Desktop Services. By November 22nd, 2018, the hackers had received $12,000 worth of bitcoin from victims.
- The ransomware connects to a Command and Control server in order to receive data and an encryption key. It checks the victim’s IP address and avoids encrypting the computers of victims located in Russia.
Rotexy mobile trojan launches over 70,000 attacks in three months
- Mobile spyware dubbed Rotexy has been converted into a banking trojan with ransomware capabilities, and has been used to conduct over 70,000 attacks within the last three months. The trojan was previously known as the spyware SMSThief.
- The trojan uses three separate communication channels for receiving commands. The channels include the Google Cloud Messaging service that delivers messages in JSON to mobile devices, a C&C server, and SMS messages sent from the operator.
- The latest campaign was observed to predominantly target users located in Russia, although Kaspersky has also noticed victims in Germany, Ukraine, Turkey and elsewhere. Rotexy is focused on stealing bank card data via phishing pages and HTML pages mimicking login forms for legitimate banks.
Symantec report on new and old threats to payment card data
- According to Symantec’s Deepsight team, threat actors are advertising access to Point-of-Sale (PoS) systems on dark web marketplaces, ranging from $12 for administrative access to a single PoS machine, to $60,000 for access to a large corporate network that contains thousands of PoS servers and terminals.
- Symantec also details the discovery of a new threat actor, Fleahopper, which has been observed using the Necurs botnet to infect victims in the latter half of 2018. The group delivers its malware directly via Necurs bots, which drop Fleahopper’s malware onto machines already infected by Necurs. Spam emails carrying malicious Microsoft .pub attachments are also used to deliver Fleahopper’s malware.
- Symantec includes further analysis of formjacking in its report, after a significant volume of high-profile attacks were carried out by the Magecart group this year.
1,000 skimmers discovered at Florida gas pumps
- The Florida Department of Agriculture and Consumer Services reported an increase in skimmers discovered at gas pumps in 2018 compared with previous years. Between January and October 2018, inspectors found nearly 1,000 skimmers at gas pumps.
- In comparison, in 2017 only 655 skimmers were discovered, and in 2016 only 219 were discovered.
PageUp finds no evidence that data was stolen during malware infection in May 2018
- PageUp commissioned an independent forensic investigation into the malware incident, which reportedly found no evidence that data was exfiltrated from its systems.
- The Australian national cyber security adviser Alastair MacGibbon stated that PageUp had been victimised by data breach requirements in the UK, which forced the company to disclose its malware infection before the scale of the damage could actually be assessed.
Two-thirds of UK’s top retailers have not invested in secure web certificates
- Sectigo reported that only nine of 25 high street retailers audited used Extended Validation SSL certificates.
- Four of the retailers, including Selfridges, Dorothy Perkins, and Topshop, had no secure certificate for site visitors.
SIM-swapping attack steals $1 million from Silicon Valley executive
- Nicholas Truglia stole funds from Robert Ross’s Coinbase and Gemini accounts on October 26th, 2018 and converted them to cash. He also targeted the CEO of blockchain storage service OCHain, the vice president of Hall Capital Partners, the co-founder of startup SMBX and a hedge fund manager, but did not manage to steal any of their cryptocurrency funds.
Kaspersky Labs release cyber predictions for 2019
- Kaspersky has published a press release containing its cyber predictions for 2019, on topics such as supply chain attacks, APT groups, mobile malware, IoT botnets and spear-phishing.
The Silobreaker Team
Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.