Silobreaker Daily Cyber Digest – 4 March 2016
Triada has been described by Kaspersky as “the most sophisticated mobile trojan [they’ve seen]” and is as complex as any Windows malware. It appears to gain access to devices via an existing infection that has root access – in one observed case, this was an advertising botnet that disseminated various types of malware across a network of compromised devices.
Triada penetrates nearly all running processes by exploiting the Zygote parent process that contains libraries and frameworks for Android applications. Triada also hides its own processes from apps and users, and exists almost entirely in the infected device’s RAM, making it extremely difficult to detect.
The trojan’s purpose is to redirect SMS transactions. When a user makes an online purchase via a legitimate app, Triada will seamlessly redirect the payment to the malware’s controller. The complexity and modular architecture of Triada suggest that it has been designed by experienced criminals who understand the Android platform very well.
Cerber has the dubious distinction of being the first ransomware with a text-to-speech feature. After encrypting data, a VBS file left inside each folder will dictate a ransom note to the user.
Cerber is advertised under the ransomware-as-a-service (RaaS) business model, and is available on underground Russian forums. Like several other recent types of malware, Cerber is made to avoid systems using Russian as the default language.
Files encrypted by Cerber are currently not decryptable.
Operation 8651 (DarkHotel)
Beijing-based threat intelligence company ThreatBook claim that the DarkHotel APT has started a spear phishing campaign targeting executives at telecommunications companies in North Korea and China.
ThreatBook have called the campaign Operation 8651, probably because the hackers in question use CVE-2015-8651 (a Flash vulnerability) and an SWF file to attack targets. DarkHotel operators are believed to be Korean-speaking.
DROWN is a vulnerability affecting HTTPS and services that rely on SSL and TLS – cryptographic protocols that are meant to prevent third parties from snooping on users’ browsing sessions.
A DROWN attack works by exploiting servers that support SSLv2, a predecessor to TLS that fell out of use because it was insecure – something we can blame on US export restrictions. Modern clients do not use SSLv2, but servers that support SSLv2 connections (around 17% of HTTPS servers) allow attackers to decrypt TLS traffic between clients and up-to-date servers, as long as both sets of servers use the same private key.
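The cross-protocol condition above (a TLS-only server is exposed if any SSLv2-capable server shares its private key) is the part that inventory checks usually miss. The following is an added example, not code from Silobreaker or the DROWN researchers: it takes a constructed inventory of endpoints with their SSLv2 status and public-key fingerprint, and classifies each endpoint as directly exposed, exposed through a shared key, or not exposed. The hostnames, fingerprints and the line format are assumptions made for the example.

```python
from collections import defaultdict

# Constructed scan inventory (hypothetical hosts and fingerprints), one endpoint per line:
# host port sslv2(yes/no) public-key-fingerprint
SCAN_LINES = """\
www.example.test 443 no KEY-A
mail.example.test 465 yes KEY-A
api.example.test 443 no KEY-B
legacy.example.test 443 yes KEY-C
"""


def parse_inventory(text):
    """Parse the constructed inventory format into a list of endpoint records."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, port, sslv2, key_fp = line.split()
        records.append({"host": host, "port": int(port),
                        "sslv2": sslv2.lower() == "yes", "key_fp": key_fp})
    return records


def drown_exposure(records):
    """Map 'host:port' to 'direct', 'cross-key' or 'none'.

    direct    - the endpoint itself still accepts SSLv2 connections
    cross-key - the endpoint is TLS-only, but its private key is also used by an
                SSLv2-capable endpoint, so its TLS sessions are still at risk
    none      - neither condition holds
    """
    sslv2_keys = {r["key_fp"] for r in records if r["sslv2"]}
    exposure = {}
    for r in records:
        endpoint = f'{r["host"]}:{r["port"]}'
        if r["sslv2"]:
            exposure[endpoint] = "direct"
        elif r["key_fp"] in sslv2_keys:
            exposure[endpoint] = "cross-key"
        else:
            exposure[endpoint] = "none"
    return exposure


def keys_needing_rotation(records):
    """Fingerprints shared between SSLv2-capable and TLS-only endpoints.

    Disabling SSLv2 removes the 'direct' case; keys in this set should also be
    replaced, since sessions recorded while SSLv2 was enabled remain exposed."""
    by_key = defaultdict(set)
    for r in records:
        by_key[r["key_fp"]].add(r["sslv2"])
    return {fp for fp, flags in by_key.items() if flags == {True, False}}
```

Running `drown_exposure(parse_inventory(SCAN_LINES))` flags `www.example.test:443` as `cross-key` even though it does not speak SSLv2 itself, because `mail.example.test:465` uses the same key.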
Watch out for Cyber Pathogens!
We have no idea what ‘cyber pathogens’ are (and neither does Google), but the San Bernardino DA has decided that one could be on Syed Farook’s phone.
A recent brief filed by the DA states that:
“The iPhone is a county owned telephone that may have connected to the San Bernardino County computer network. The seized IPhone [sic] may contain evidence that can only be found on the seized phone that it was used as a weapon to introduce a lying dormant [sic] cyber pathogen that endangers San Bernardino County’s infrastructure […] and poses a continuing threat to the citizens of San Bernardino County.”
No matter where you stand on the Apple/FBI encryption debate, this is just sad.
The Silobreaker Team