Cyber Security News & Trends – 02-01-19

This week, Collections #2-5 drop over 2 billion stolen logins, Bangladesh is suing a Philippines bank over cybertheft and SonicWall CEO Bill Conner discusses keeping up with the cybersecurity market.


SonicWall Spotlight

Could Cash-Rich Facebook Be Considering Acquisition Targets? – Real Money

  • SonicWall CEO Bill Conner is quoted by Real Money talking about Facebook’s need for cybersecurity acquisitions in a piece that speculates where the company might go next.

Are We Really Aware of What Mobile Malware Is? – VarIndia

  • SonicWall’s Debasish Mukherjee is interviewed as part of a panel discussing mobile malware. He talks about the data SonicWall Capture Labs found on the Android platform throughout 2018.

SonicWall Aims to Build Brand in Critical Two Years – IT Europa

  • Bill Conner, CEO of SonicWall, lends his thoughts to IT Europa talking about the future of the fast-moving cybersecurity market and why not every security company is able to keep up.

Cyber Security News

Hackers are Passing Around a Megaleak of 2.2 Billion Records – Wired

  • After the leak of Collection #1 earlier in the year, Collections #2-5 continue the data dump of hacked records, largely information that had already been leaked previously.

Airbus Reports Breach Into Its Systems After Cyber Attack – Reuters

  • Airbus detected a cyberattack which resulted in a data breach of mostly employee data. It says the incident did not affect commercial operations.

What Was the Cybersecurity Impact of the Shutdown? – FCW

  • With the Government shutdown over, the cybersecurity impact is still being worked out. FCW discusses the possible knock-on effects and how long they might last.

IT Spending Expected to Rise in 2019 Amid Shift to Cloud Services – Wall Street Journal

  • Forecasts for enterprise IT spending say there will be 8.5% growth this year, and overall IT spending is expected to rise 3.2%.

Too Few Cybersecurity Professionals Is a Gigantic Problem for 2019

  • There is a global gap of nearly 3 million cybersecurity positions. In the USA alone 314,000 jobs were posted in a one-year period between 2017 and 2018. Cybersecurity training itself is a new area and almost no cybersecurity professional over 30 today has a formal cybersecurity degree.

Bangladesh to Sue Philippine Bank Over $81M Cyber Heist – Security Week

  • A digital heist in 2016 led to the successful theft of $81 million from the Bangladesh central bank’s account with the US Federal Reserve. Bangladesh is now attempting to retrieve the funds by suing the Philippines bank that facilitated the transfer. The Federal Reserve denies that it was hacked.

Massive DDoS Attack Generates 500 Million Packets per Second – Dark Reading

  • A DDoS attack on GitHub in 2018 made headlines as the biggest DDoS attack ever, but it was only a quarter of the size of the attack stopped earlier this month.

Cryptocurrency Thefts, Scams Hit $1.7 Billion in 2018: Report – Reuters

  • Cryptocurrency theft rose 400 percent in 2018, with up to $1.7 billion stolen by the end of the year. $950 million of this was theft from cryptocurrency exchanges and digital wallets.

In Case You Missed It

In the Field: Real-World Success with SonicWall Overdrive 2.0

Effectively marketing and selling managed service provider (MSP) services can be a real uphill battle for many organizations. The competition is fierce and positioning your organization’s services or competitive advantages isn’t easy.

For many MSPs and MSSPs, the responsibility of envisioning, designing, developing and maintaining effective marketing materials falls on the shoulders of the sales team or the senior leadership team. But they don’t always have the time or skill to execute what’s needed to cut through the cacophony of marketing noise.

Fortunately, SonicWall has alleviated much of this burden.

SonicWall Overdrive 2.0 is a remarkable resource stocked with modern, appealing and relevant content to help MSPs and MSSPs generate demand and close more business.

If you haven’t spent time in Overdrive 2.0, you’re missing out; there is an incredibly diverse set of resources to assist and even automate things like email blasts, social media, thought-leadership content and promotional material.

In my experience, there are three foundational best practices you should implement as an MSP or MSSP, especially when you’re scratching and clawing for sales in the competitive cybersecurity landscape.

Set Your Goals

Let me take you back a few years. As SonicWall’s FY2016 drew to a close, ProviNET scheduled a meeting with our SonicWall territory account manager (TAM). He really challenged us to set a goal for FY2017 to move up a level in our SonicWall SecureFirst partnership.

He was right. We had been a SonicWall ‘Silver’ partner for several years and with our FY2016 sales, we weren’t too far away from being eligible for ‘gold’ if we also achieved some additional sales and technical certifications. But we weren’t quite sure how to push ourselves across that next threshold.

Our TAM had the answer. He turned us on to SonicWall Overdrive 2.0, the company’s fully automated partner marketing engine designed specifically around key go-to-market themes, campaigns and resources. He assured us that if we invested a little bit of time into marketing, we’d be able to elevate our partnership. With that, our goal was set: we were going to become a SonicWall gold partner in 2017.

SonicWall Overdrive offers turnkey campaigns SecureFirst partners can launch to build awareness, create pipeline and close deals.

Develop Your Strategy

Without a strategy, marketing is a lot like throwing bubble gum at the wall and seeing if it sticks. Spend some time intentionally thinking through four things:

  • Who your organization will target
  • What methods it will use to target
  • How often you will target potential buyers
  • How you will track and measure your efforts

If you have a dedicated marketing person, consider developing a multi-faceted campaign that the marketing team can execute. The campaign should include multiple touchpoints across a variety of channels. Overdrive is an easy-to-use tool, regardless of your resources, to reach your customers and prospects.

At a basic level, consider sending an email blast, posting on social media, sending a postcard, publishing whitepapers or case studies on the website, and using the Overdrive 2.0 content to educate customers and prospects.

SonicWall Overdrive 2.0 packages content and resources partners can leverage as part of one-off marketing efforts or fully integrated campaigns.

We had success using much of the Overdrive 2.0 content to point people to a dedicated SonicWall landing page within our own website where prospects could fill out a form and be contacted to learn more. And because these campaigns were launched by us, they were contacting us for more information (i.e., we received the lead and the opportunity to either nurture the prospect or close the deal).

Even sophisticated customers will not always be able to grasp the full advantages and capabilities of the Capture Cloud platform after just one touchpoint. It will be important to educate them on the advantages that the orchestration of these security products and services can provide to them.

But don’t forget about existing customers here, too. For us, the Overdrive 2.0 marketing content was a motivator to look across our existing SonicWall customer install base and look for opportunity to add additional services like the SonicWall Capture Advanced Threat Protection (ATP) sandbox service or secure email solutions.

Analyze Your Results

There is remarkably valuable information in marketing analytics reports. Whether you use a marketing automation tool, a website analytics engine or even just campaign reporting from Overdrive, it can help your sales staff be more efficient and effective in their sales efforts.

Our team uses a combination of HubSpot, Google Analytics, and the email reports from Overdrive 2.0 to glean insights into customers and prospects who may or may not have an interest in particular marketing campaigns.

We can track whether an individual opened an email four times, clicked the link to our site, or engaged with us on social media on several occasions, to gauge whether there is genuine interest. Our sales team then makes those prospects and customers the focus of more direct conversations, which often leads to closed deals.

Bear in mind, the goal of marketing is not to sell. These are two very different activities. For ProviNET, we define marketing as a process where we:

Our sales team has a very different, yet complementary, function:

SonicWall Overdrive 2.0 has been an invaluable resource for our team to really accomplish all four of our marketing objectives. By using the assets available in Overdrive 2.0, we’re providing meaningful education about the necessity and value of security products and services. We can position those assets in a compelling and efficient manner to provide the most value to our prospects and customers.

Even better? All registered SonicWall SecureFirst Silver, Gold and Platinum partners in good standing are eligible to use the SonicWall Overdrive 2.0 platform, at no cost, through the SonicWall SecureFirst Partner Portal.


About ProviNET

ProviNET is a SonicWall SecureFirst Gold Partner. For nearly three decades, ProviNET has delivered trusted technology solutions for senior living and post-acute healthcare organizations. Whether it’s a single project or full-time onsite work, ProviNET designs and implements customized solutions so healthcare organizations can focus on core services.

ProviNET’s tight-knit group of experienced, industry-certified personnel are focused on customer satisfaction. They are a reputable organization, fulfilling immediate IT needs and helping plan for tomorrow. They are ready to put their extensive knowledge to work for healthcare, developing strategies and solving challenges with the latest technology.

To learn more about ProviNET, please visit www.provinet.com.

EdgeScheduler: A VBScript Bot in action

In the race of complex malware, a simple one can be just as destructive. SonicWall has spotted a VBScript malware that looks very simple, but its capabilities are no less than those of other prominent malware bots.

A VBScript malware with a genuine-looking file name is being distributed inside an archive file.


Figure 1

Decryption Mechanism

This VBScript malware works as a loader for the actual VBScript Bot, which is decrypted in memory and then executed as shown below:


Figure 2

The decryption logic being used in this particular malware is explained below:


Figure 3

File Level Activity

The VBScript Bot contains a base64-encoded PowerShell script that is decoded and dropped into the %TEMP% directory. The PowerShell script fetches the user’s credentials from the Windows “Credential Locker” using the PasswordVault class, which is available on Windows 8 and later. The stolen data is then sent to the C&C server.


Figure 4

The Bot then generates a random id that is 25 characters long. The random id is first saved in the registry, as shown below:


Figure 5

Later, the random id is sent to the C&C server along with the other stolen data.

The Bot creates a sub-directory named “Edge” in the %APPDATA% directory, into which it copies the wscript executable from the system directory as “amsi.dll”. It also drops a copy of itself in the same directory, using the random id as the filename.


Figure 6

The Bot is then executed from the “Edge” directory using amsi.dll with two parameters, as shown below:


Figure 7

The Bot verifies that it is being executed from the “Edge” directory with two arguments, then enumerates processes to check whether “amsi.dll” is already running, as shown below:


Figure 8

If “amsi.dll” is not found running, the Bot adds a Run entry to the registry for persistence, as shown below:


Figure 9
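
A host-side check for the artifacts just described (the wscript.exe copy renamed amsi.dll, the 25-character random-id file beside it, and the Run entry that launches it), as an added example that is not SonicWall’s code. The file hashes, paths and command line it inspects are constructed, and the command-line shape is an assumption because the write-up does not show it.

```python
"""Hunt for the EdgeScheduler host artifacts described above.

Added example, not SonicWall's code. It works on a snapshot of file hashes
and Run-key values (constructed below) instead of a live machine, so it runs
anywhere; on a real host feed it a hash listing and the exported Run keys.
The write-up does not show the bot's exact command line, so its shape here
is an assumption.
"""
import hashlib
import ntpath
import re
import shlex
from typing import Dict, List

SYSTEM_ROOT = r"c:\windows"
RANDOM_ID_RE = re.compile(r"^[A-Za-z0-9]{25}$")  # the bot's 25-character id

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-in hashes; no real file contents are embedded here.
WSCRIPT_SHA256 = sha256_of(b"stand-in for the genuine wscript.exe")
REAL_AMSI_SHA256 = sha256_of(b"stand-in for the genuine amsi.dll")
SCRIPT_SHA256 = sha256_of(b"stand-in for the dropped VBScript copy")
EDGE_DIR = r"C:\Users\bob\AppData\Roaming\Edge"  # %APPDATA%\Edge

# Constructed file inventory: path -> SHA-256.
FILES: Dict[str, str] = {
    r"C:\Windows\System32\wscript.exe": WSCRIPT_SHA256,
    r"C:\Windows\System32\amsi.dll": REAL_AMSI_SHA256,
    EDGE_DIR + r"\amsi.dll": WSCRIPT_SHA256,                  # wscript in disguise
    EDGE_DIR + r"\aB3kd9ZqLm2Nx7YpQwErTyUiO": SCRIPT_SHA256,  # random-id copy
}
# Constructed Run-key values: name -> command line (assumed shape: the fake
# amsi.dll launching the random-id script with two extra parameters).
RUN_ENTRIES: Dict[str, str] = {
    "OneDrive": r'"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Edge": f'"{EDGE_DIR}\\amsi.dll" "{EDGE_DIR}\\aB3kd9ZqLm2Nx7YpQwErTyUiO" 1 2',
}

def in_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_ROOT + "\\")

def split_cmdline(cmd: str) -> List[str]:
    # posix=False keeps Windows backslashes intact; quotes stay on the token,
    # so strip them afterwards.
    return [tok.strip('"') for tok in shlex.split(cmd, posix=False)]

def find_masqueraded_wscript(files: Dict[str, str], wscript_hash: str) -> List[str]:
    """Files named amsi.dll outside the Windows directory whose hash is that of
    wscript.exe: a script host hiding under a DLL name."""
    return sorted(p for p, h in files.items()
                  if ntpath.basename(p).lower() == "amsi.dll"
                  and not in_system_dir(p) and h == wscript_hash)

def find_random_id_files(files: Dict[str, str], directories: List[str]) -> List[str]:
    """25-character alphanumeric file names inside the flagged directories."""
    wanted = {d.lower() for d in directories}
    return sorted(p for p in files if ntpath.dirname(p).lower() in wanted
                  and RANDOM_ID_RE.match(ntpath.basename(p)))

def find_suspicious_run_entries(run_entries: Dict[str, str]) -> List[dict]:
    """Run values whose program is an amsi.dll outside the Windows directory."""
    hits = []
    for name, cmd in run_entries.items():
        tokens = split_cmdline(cmd)
        if (tokens and ntpath.basename(tokens[0]).lower() == "amsi.dll"
                and not in_system_dir(tokens[0])):
            hits.append({"name": name, "program": tokens[0], "args": tokens[1:]})
    return hits

def hunt(files: Dict[str, str], run_entries: Dict[str, str], wscript_hash: str) -> dict:
    """Combine the three checks into one report."""
    fakes = find_masqueraded_wscript(files, wscript_hash)
    return {
        "masqueraded_wscript": fakes,
        "random_id_files": find_random_id_files(files, [ntpath.dirname(p) for p in fakes]),
        "run_entries": find_suspicious_run_entries(run_entries),
    }

if __name__ == "__main__":
    for key, value in hunt(FILES, RUN_ENTRIES, WSCRIPT_SHA256).items():
        print(f"{key}: {value}")
```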

Command & Control (C&C) Server connections

The Bot establishes a connection with the C&C server and sends the following data from the victim’s machine:

  • Operating system information.
  • Username and computer name.
  • Anti-Virus product information.
  • RAM, CPU and Virtual Machine Information.
  • Randomly generated id.
  • Processor architecture.



Figure 10

The code snippet that sends the above information from the victim’s machine to the C&C server is shown below:

Figure 11

If the response data is longer than 4 bytes, the Bot assumes the C&C server is running; otherwise, it tries to establish communication with another server. If the C&C server is running, the Bot parses the response data to retrieve the command and its arguments, which are separated by “!”. At the time of analysis, the C&C server sent the “nope” command, which means “No Operation”.

The Bot is capable of performing the following actions based on the commands received from the C&C server:


The Bot also contains code to upload files from the victim’s machine to the C&C server, but that code has not been used this time. This gives us the impression that the Bot is still in the development phase and may gain more capabilities in future.

This threat was proactively detected by Capture ATP with the RTDMI engine.

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: EdgeScheduler.DEC (Trojan)

Hackers actively scanning for Horde IMP Vulnerability

The SonicWall Capture Labs Threat Research team has recently observed that attackers are actively exploiting a Horde IMP vulnerability. Over 3,000 firewalls have been hit with 20,000+ requests in the last two days. A successful exploit could allow an attacker to execute arbitrary shell commands on vulnerable systems.

Horde IMP:

Horde Groupware Webmail Edition is a free, enterprise-ready, browser-based communication suite. It offers applications such as the Horde IMP email client, a groupware package (calendar, notes, tasks, file manager), a wiki, and time and task tracking software. It is written in PHP and provides all the elements required for rapid web application development.

Horde IMP (Internet Messaging Program), an application that comes with Horde Groupware, is one of the most popular and widely deployed open source webmail applications. It allows universal, web-based access to IMAP and POP3 mail servers from all kinds of browsers (desktop, mobile, tablet and text-only).

Vulnerability:

Horde IMP exposes an unauthenticated debug page with a form that permits IMAP requests to arbitrary hosts. The debug page is at “http://horde_path/imp/test.php”. By leveraging the vulnerability (CVE-2018-19518) in PHP’s imap_open function, an unauthenticated remote attacker can execute arbitrary shell commands on a targeted system.


Fig 1: Snapshot from an active webmail that exposes the debug page

CVE-2018-19518:

Internet Message Access Protocol (IMAP) is an Internet standard protocol used by email clients to retrieve email messages from a mail server over a TCP/IP connection. PHP has a number of functions that support IMAP out of the box. This vulnerability exists in the ‘imap_open’ function, which is used to open an IMAP stream to a mailbox. It is due to imap_open improperly filtering mailbox names before passing them to the rsh or ssh commands. If the rsh and ssh functionality is enabled and the rsh command is a symbolic link to the ssh command, an attacker could exploit this vulnerability by sending a malicious IMAP server name containing a -oProxyCommand argument to the targeted system. A successful exploit could allow the attacker to bypass other disabled exec functions in the affected software, which the attacker could leverage to execute arbitrary shell commands on the targeted system.

Exploit:

In this exploit request, a malicious IMAP server name containing a -oProxyCommand option is sent to the targeted system.

res = requests.post(target, headers=new_headers, data=[('server', anyname + ' -oProxyCommand=echo$IFS$()' + cmd + '|base64$IFS$()-d|sh}'),
    ('port', '143'),
    ('user', 'a'),
    ('passwd', 'a'),
    ('server_type', 'imap'),
    ('f_submit', 'Submit')
])

The server name anyname + ' -oProxyCommand=echo$IFS$()' + cmd + '|base64$IFS$()-d|sh' is passed to the ssh command without proper input validation. With the help of ProxyCommand, any command can be executed in the context of the user.
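
A request-level check for this exploit pattern, as an added example that is neither SonicWall’s signature logic nor Horde’s code. It assumes a WAF or reverse proxy that can see the POST body; the sample requests are constructed, and the encoded payload in the exploit-shaped one decodes to the harmless text “ABC”.

```python
"""Triage web requests for CVE-2018-19518 attempts against Horde IMP test.php.

Added example, not SonicWall's signature logic and not Horde's code. It models
the checks a WAF or reverse proxy can apply before the POST reaches PHP: a hit
on imp/test.php is worth logging on its own (the page should not exist after
installation), and the 'server' field must be a bare hostname or IP address,
never a string carrying ssh options or shell metacharacters. All sample
requests below are constructed; the encoded payload decodes to the text "ABC".
"""
import ipaddress
import re
from typing import List, Tuple
from urllib.parse import parse_qs, urlparse

# RFC 1123 style hostname: dot-separated labels of letters, digits and hyphens,
# no whitespace, and no label starting with a hyphen (an ssh option would).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*\.?$"
)
# Substrings that have no business in an IMAP server name.
SUSPICIOUS_TOKENS = ("-oproxycommand", "$ifs", "|", ";", "`", "$(", "{", "}")

def is_plain_server_name(value: str) -> bool:
    """True when the value is a bare hostname or an IPv4/IPv6 literal."""
    value = value.strip()
    if not value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(value))

def classify_request(method: str, url: str, body: str) -> List[str]:
    """Return the reasons a request looks suspicious; an empty list means clean."""
    reasons: List[str] = []
    if not urlparse(url).path.lower().endswith("/imp/test.php"):
        return reasons
    reasons.append("request to the IMP debug page imp/test.php")
    if method.upper() != "POST":
        return reasons
    # parse_qs percent-decodes the form, so '%24IFS' becomes '$IFS' here.
    form = {k: v[0] for k, v in parse_qs(body).items()}
    server = form.get("server", "")
    lowered = server.lower()
    reasons.extend(f"server field contains {tok!r}"
                   for tok in SUSPICIOUS_TOKENS if tok in lowered)
    if server and not is_plain_server_name(server):
        reasons.append("server field is not a bare hostname or IP address")
    return reasons

def triage(method: str, url: str, body: str) -> str:
    """Collapse the reasons into one verdict: clean, debug_page or exploit."""
    reasons = classify_request(method, url, body)
    if not reasons:
        return "clean"
    return "exploit" if len(reasons) > 1 else "debug_page"

BASE = "http://webmail.example.com/horde/"
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    # a scanner looking for the debug page
    ("GET", BASE + "imp/test.php", ""),
    # legitimate use of the page against a real mail host
    ("POST", BASE + "imp/test.php",
     "server=imap.example.com&port=143&user=a&passwd=a&server_type=imap&f_submit=Submit"),
    # the exploit shape from the write-up, with an inert base64 payload ("ABC")
    ("POST", BASE + "imp/test.php",
     "server=x+-oProxyCommand%3Decho%24IFS%24()QUJD%7Cbase64%24IFS%24()-d%7Csh%7D"
     "&port=143&user=a&passwd=a&server_type=imap&f_submit=Submit"),
    # an unrelated page
    ("POST", BASE + "login.php", "user=a&passwd=a"),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(triage(*req), req[1], classify_request(*req))
```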

Trend Chart:

Find below the attempts made in the last 48 hours. 

Attacker IPs:

Given below are some of the source IPs from which the exploit requests have been sent.


Fix:

  • Upgrade to the latest PHP version to resolve the issue.
  • Check for vulnerable PHP versions here: https://www.securityfocus.com/bid/106018
  • Delete the debug page test.php (‘http://horde_path/imp/test.php’) after installation.

SonicWall Threat Research Lab provides protection against this exploit with the following signatures:

  • IPS: 13996 Horde Imp Remote Code Execution 1
  • IPS: 13997 Horde Imp Remote Code Execution 2
  • IPS: 13998 Horde Imp Remote Code Execution 3
  • WAF: 1690 Horde Imp Remote Code Execution

Cyber Security News & Trends – 01-25-19

This week, fears are growing that new 5G industrial robots are vulnerable to cyberattack, the numbers affected by a breach jump from 500 to over 500,000 and the government shutdown continues to worry cybersecurity experts.


SonicWall Spotlight

SonicWall on Winning the Cyber Arms Race – Tahawul Tech

  • SonicWall’s Michael Berg is interviewed about SonicWall’s expansion in Dubai, the cyber arms race and where SonicWall is going in 2019.

Cyber Security News

Why Cybersecurity Must Be a Top Priority for Small & Midsize Businesses – Dark Reading

  • Big corporations seize the cyberattack headlines, but Dark Reading argues that cybersecurity must be a top priority for small and medium businesses, outlining the major security risks and methods of protection.

For Industrial Robots, Hacking Risks Are on the Rise – Wall Street Journal

  • 5G and the Internet of Things promise to make factories a lot smarter, but also a lot more vulnerable to cyberattacks.

New Ransomware Poses as Games and Software to Trick You Into Downloading It – ZDNet

  • A dangerous new ransomware dubbed Anatova, found at the start of the new year, is being watched closely by researchers. Its modular architecture makes it easily adaptable and potentially very dangerous in the hands of a skilled cybercriminal.

The Shutdown Is Exposing Our Economy to Crippling Cybersecurity Breaches – Salon

  • Salon details the infrastructural cybersecurity problems, many previously outlined by SonicWall, that have been growing with the ongoing government shutdown.

Proposed Law Classifies Ransomware Infection as a Data Breach – SecurityWeek

  • The Act to Strengthen Identity Theft Protections in North Carolina proposes widening the definition of a breach to include ransomware and even unauthorized access. The legislation requires tightened data protection and a shorter notification period when there is a breach.

Online Casino Group Leaks Information on 108 Million Bets, Including User Details – ZDNet

  • The server details of an online casino were left exposed online, leaking information on 108 million bets, including complete customer data like real names and addresses, phone numbers, email addresses, birth dates, and more.

Victim Count in Alaska Health Department Breach Soars – BankInfoSecurity

  • It was originally thought to affect only 501 people, but the victim count in the Alaska Health Department breach of June 2018 has soared to as many as 700,000. The number rose after months of analysis and confirmation; the DHSS says it always knew the number would rise dramatically after analysis.

Recession Is the Number One Fear for CEOs in 2019, Survey Says – CNBC

  • While recession is the number one fear worldwide, a survey of over 800 CEOs found that cybersecurity was the number one fear for CEOs in the U.S.

Cybercriminals Home in on Ultra-High Net Worth Individuals – Dark Reading

  • With growing cybersecurity awareness in businesses, new research suggests that some hackers are shifting their sights to the estates and businesses of wealthy families with personalized cyberattacks.

In Case You Missed It

CrypRAT Infostealer actively spreading in the wild.

The SonicWall Capture Labs Threat Research Team observed reports of a new variant of the CrypRAT Infostealer family [CrypRAT.A] actively spreading in the wild.


Memory Snapshot of the CrypRAT Infostealer ( Raw and Encrypted Data )

Infection Cycle:

The Malware adds the following file to the system:

  • Malware.exe
    • %APPDATA%\roaming\system.exe

The Malware adds the following keys to the Windows registry:

  • HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS
    • 1
  • [HKEY_CURRENT_USER\Software\061c2e9167603fb87dafebfaad0bb29a]
    • Keylogger data

Once the computer is compromised, the Malware installs the following components to record the user’s activity via keylogging and the clipboard:


The Malware terminates the self-extractor process and installs System.exe [the keylogger module] on the target system.


The Malware saves the raw data in the following registry key:

The Malware checks if data is available for transfer to the command and control (C&C) server every 10 seconds.

The Malware uses base64 encoding for its strings as well as its network communication; here is an example:


Command and Control (C&C) Traffic

CrypRAT.A performs C&C communication over port 1177. The Malware transfers stolen data in Base64 format; here are some examples:

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: CrypRAT.A (Trojan)


.NET Nanocore Trojan

Overview:

The SonicWall Capture Labs Threat Research Team would like to showcase the following spear phishing attempt with an attached .NET Nanocore Trojan. The email details are below:

From: “E… V…” <a…@g…co.tz>
Subject: contract proposal
Date and Time: 03 Jan 2019 19:10:10 -0800

Dear sir/ma

Please find enclosed contract proposal for your reference with out legal teams input, please feel free to contract us if you have any question.

Regards,
E… V…
1… 25th St., MO xxx, MISSOURI, UNITED STATE
MOBILE NO: 1 8xx xxx xxxx

This picture explains the email in more detail:

This email was attached with the following binary data:
Content-Type: application/occtet-stream; name=”New Proposal_2019.lzh”
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=”New Proposal_2019.lzh”

Compressed Static Information:

Decompressed Static Information:

Decrypted Static Information:

Unpacking & Decrypting The Sample:

The encryption used is Rijndael, the cipher selected by NIST as the Advanced Encryption Standard (AES). The key and the IV are each 16 bytes, i.e. 128 bits. The mode used is CBC (Cipher Block Chaining), and the sample uses PKCS7 padding, from the RSA Security LLC Cryptographic Message Syntax standard.


Host-Based Persistence:

Once decrypted, it will copy the executable to the “Startup” Folder and add the “-boot” parameter.

Registry Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Application

It also copies itself to the following location and renames itself.

Registry Location: HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Subsystem

Active Network Information:

This sample connects to i.89.35.228.199.use.teentelecom.net:3365.
Port 3365 is registered as “Content Server”; the connection is used to download and upgrade files on the host machine.

SonicWall Gateway Anti-Virus (GAV) provides protection against this threat:

  • GAV: NanoBot.RAR (Trojan)
  • GAV: NanoBot.RSM (Trojan)

Obfuscated JavaScript with debugging protection techniques being used to distribute GandCrab V5.1 ransomware

The SonicWall RTDMI engine has recently detected a surge in archive files (~9,000-15,000 bytes in size) circulating in the wild. Below is the flow of execution for this threat:


The archive file is not available on any of the popular threat intelligence sharing portals such as VirusTotal and ReversingLabs, which indicates its uniqueness and limited distribution:



The archive files carry a JavaScript file:

The JavaScript file has obfuscated code:


The JavaScript file also contains debugging protection code, which makes debugging more difficult because it generates “debugger” statements at runtime:



The JavaScript file uses PowerShell.exe to download second-stage malware, which on further analysis turns out to be a downloader:



The second-stage downloader downloads a variant of the popular ransomware family “GandCrab”:



(Malicious URL seen in memory)

The GandCrab family is known for demanding a ransom from the victim after encrypting files.



(Ransom note)

Evidence of detection by the RTDMI engine can be seen below in the Capture ATP report for this file:


Houdini and jRat Trojans found double teaming in the wild

The SonicWall Capture Labs Research team has come across a spam campaign distributing not just one but two Remote Access Trojans (RATs). Both RATs have historically been propagated independently through spam as an email attachment in a variety of forms, such as benign-looking shipment notifications, payment notices, receipts, invoices, statements or quotations. This time, the propagation method was no different.

Infection cycle:

The main installer file comes as an email attachment in Java archive (JAR) format. Once executed, it drops two remote access Trojans, Houdini and jRat. During our analysis it created the following files in the %APPDATA% and %USERS% directories:

  • %APPDATA%\microsoftkey.jar [Detected as GAV: jRat.A_3 (Trojan)]
  • %APPDATA%\ntfsmgr.jar [Detected as GAV: jRat.A_2 (Trojan)]
  • %APPDATA%\fifpdvUqdn.vbs [Detected as GAV: Houdini.VBS (Trojan)]
  • %USERS%\nixfeknwve.vbs [Detected as GAV: Houdini.VBS (Trojan)]

The two Trojans are then executed simultaneously using javaw.exe and wscript.exe. The following registry keys were also added to ensure persistence for both Trojans, allowing them to run after each reboot:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run fifpdvUqdn  exe //B “%APPDATA%\fifpdvUqdn.vbs”
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run ntfsmgr “C:\Program Files\Java\jre7\bin\javaw.exe” -jar “%APPDATA%\ntfsmgr.jar”

The jRAT components are easily identified by the directory names “blaz42” and “qt314”, which contain class files.

In our example, ntfsmgr.jar is the main file, which then drops the secondary jar file, microsoftkey.jar. They contain several classes that are platform-specific implementations of the malware’s capabilities, with the screenshot below showing the supported platforms.

Below is a list of its functionalities, which include playing sound/audio, sending files to remote servers, examining the victim’s network configuration, running arbitrary commands, image capturing, stealing passwords, etc.

Houdini, on the other hand, is a base64-encoded VBScript that, when decoded, reveals the name “Houdini” within its code.

Upon execution it connects to a remote server goz.unknowncrypter.com.

Some of the sub-function names within the script give a picture of this Trojan’s capabilities:

  • Information – operating system information gathering, get volume serial number
  • Site-send – send data to remote server
  • Cmd – execute commands using cmd.exe
  • Enumprocess – list all running processes
  • Uninstall – delete registry keys and delete files
  • Security – get OS version and security center info
  • Fileurl/filedir – http download and save file
  • Upload – send post data using http
  • set objwmiservice

SonicWall Capture Labs provides protection against this threat via the following signatures:

  • GAV: jRat.A_2 (Trojan)
  • GAV: jRat.A_3 (Trojan)
  • GAV: Houdini.VBS(Trojan)

Cyber Security News & Trends – 01-18-19

This week, one city is back to using pen and paper after a ransomware attack, cybercriminals utilize popular video game Fortnite in a money laundering scam and construction industry cranes are alarmingly vulnerable to being hacked.


SonicWall Spotlight

SSL, TLS Certificates Expiring on US Government Sites During Federal Shutdown – SonicWall Blog

  • SonicWall’s Brook Chelmo explains why US Government websites are starting to suffer during the ongoing Government Shutdown, explaining that security certificates are not being updated and what kind of messages you might be seeing as a result.

Cyber Security News

Hack Brief: An Astonishing 773 Million Records Exposed in Monster Breach – Wired

  • Wired details the mega-breach where at least 773 million emails and 21 million unique passwords have been released in a folder called “Collection #1.” Some are calling this the largest collection of breached data ever found, although it should be noted that Collection #1 is a compilation of both old and new leaked details.

Fortnite Is Being Used by Criminals to Launder Cash Through V-Bucks – ZDNet

  • Criminals have been using the in-game currency in Fortnite for laundering money from stolen cards. It is not known exactly how much profit the cybercriminals have made, but Fortnite coins sold on eBay alone have grossed over $250,000 in two months.

Defense Department Continuously Challenged on Cybersecurity – Security Week

  • A report has revealed that while the U.S. Department of Defense has been making strides to improve their cybersecurity stance, they are still struggling. In September of last year there were 266 open cybersecurity‑related recommendations, some dating as far back as 2008.

NotPetya Victim Mondelez Sues Zurich Insurance for $100 Million

  • Zurich Insurance rejected a $100 million claim by Mondelez, saying that since the NotPetya ransomware attack has been seen by some, including the UK government, as a Russian military attack, it is not covered by standard insurance against malware. Mondelez is taking legal action in response.

Oklahoma Gov Data Leak Exposes FBI Investigation Records, Millions of Department Files – ZDNet

  • A storage server belonging to the Oklahoma Department of Securities was found with terabytes of confidential data exposed and accessible to the public.

Yes, You Can Remotely Hack Factory, Building Site Cranes. Wait, What? – The Register

  • Cybersecurity protection on cranes, drilling rigs, and other heavy machinery has been found to be severely lacking with a report into the area finding that none of the radio remote controllers investigated had “implemented any protection mechanism to prevent unattended reprogramming.”

WEF: Cyber-Attacks a Major Global Risk for Next Decade – Infosecurity Magazine

  • The World Economic Forum released a report stating that cyberattacks remain one of the major risks facing the world today, with 82 percent of those queried stating they expect data and monetary theft attacks to increase.

Ransomware Attack Sends City of Del Rio Back to the Days of Pen and Paper – ZDNet

  • Officials at Del Rio, Texas, had to abandon their computers and switch to pen and paper after a ransomware attack last week. It has not been revealed who is behind the ransomware but the FBI have been informed and are investigating.

Emotet Malware Returns to Work After Holiday Break – BankInfoSecurity

  • Whether coincidence or a sign that the criminals were actually on holiday, a number of malware strains including Emotet have returned in 2019 after falling out of use towards the end of the year. BankInfoSecurity traces the history and usage of Emotet, including information on where in the world it has and has not been striking.

In Case You Missed It