The Cybereason Nocturnus Research Team is following an active campaign to deliver multiple different types of malware and infect victims all over the world. Due to the unprecedented number of malware types deployed in this attack, the attackers are able to steal a wide variety of sensitive data, mine for Monero, and ultimately deploy ransomware. All of the payloads observed in this campaign originated from a code repository platform, Bitbucket, which was abused as part of the attackers' delivery infrastructure.
- Abuses resource sharing platforms: The Cybereason Nocturnus team is investigating an ongoing campaign that abuses the Bitbucket infrastructure to store and distribute a large collection of different malware. The attackers aren’t satisfied with one payload; they want to use multiple to maximise their revenue.
- Attacks from all sides: This campaign deploys seven different types of malware for a multi-pronged assault on businesses. It is able to steal sensitive browser data, cookies, email client data, system information, and two-factor authentication software data, along with cryptocurrency from digital wallets. It is also able to take pictures using the camera, take screenshots, mine Monero, and ultimately deploy ransomware.
- Far Reaching: This ongoing campaign has infected over 500,000 machines worldwide thus far.
- Modular and Constantly Updating: The attackers leverage Bitbucket to easily update payloads and distribute many different types of malware at once. In order to evade detection, they have an array of user profiles and continuously update their repositories, at times as often as every hour.
- Many kinds of malware: The attackers use the Evasive Monero Miner to steal a combination of data, mine cryptocurrency, and deploy other malware including the Vidar stealer, Amadey Bot, and IntelRapid. They also use Predator the Thief, Azorult, and the STOP ransomware over the course of their activities.
- Devastating impact: The combination of so many different types of malware exfiltrating so many different types of data can leave organisations unworkable. This threat is able to compromise system security, violate user privacy, harm machine performance, and cause great damage to individuals and corporations by stealing and spreading sensitive information, all before infecting them with ransomware.
This highlights an ongoing trend with cybercriminals, where they abuse legitimate online storage platforms like GitHub, Dropbox, Google Drive, and Bitbucket to distribute commodity malware.
A recently uncovered phishing campaign, targeting PayPal users, pulls out all the stops and asks victims for the complete spectrum of personal data – even going so far as to ask for social security numbers and uploaded photos of their passports. The campaign starts with a fairly run-of-the-mill phishing email, purporting to be from the online payment company’s notifications center, which warns victims that their account has been limited because it was logged into from a new browser or device. The email recipient must verify his or her identity by clicking on a button, which is a bit.ly address that then redirects the browser to an attacker-owned landing page, which asks for a complete rundown of personal data.
Commenting on the news is Javvad Malik, security awareness advocate at KnowBe4:
We are seeing the criminals becoming more and more brazen in their attacks and methods. The key is to dupe someone into clicking on a phishing link; once that has happened, the criminal can ask for whatever they wish.
This is not uncommon, as we have seen this evolution in ransomware. Whereas previously ransomware only encrypted files, now criminals look to steal data and logins and as much information as possible.
Similarly, we could be seeing the emergence of a trend where phishing attacks will look to gather more and more information.
It is why organisations need to ensure staff receive effective and timely security awareness and training so that they can spot phishing emails and report them appropriately.
It has been reported that the Metamorfo banking Trojan has expanded its campaign to target online users’ banking services around the world, with the aim of stealing credit card information, finances and other personal details. Like many other hacking campaigns, Metamorfo begins with phishing emails that in this case claim to contain information about an invoice and invite the user to download a .ZIP file. By downloading and running the file, the victim allows Metamorfo to execute and run on a Windows machine.
Commenting on this, Justin Fox, director of DevOps engineering at NuData Security, a Mastercard company, said “Banks and consumers are under continuous attacks by cybercriminals that will try to find any crack in defences to track and step in the middle between consumers and banks. While banks are employing various technologies to identify the true customer online, they just can’t protect them when hackers target consumers. Experts advise never to click on an attachment sent to you, but time and again cybercriminals come up with the most sophisticated method to trick the end user into clicking. From the moment a user receives the malicious email in their inbox, the clock is ticking – most users will click on links and provide their information, or open a malware-infected document without thinking twice. Once they do, their credentials are immediately harvested for hackers to leverage or sell on the Dark Web. Educating end users is clearly not enough, nor is the deployment of technical countermeasures to protect end users.”
As reported by the BBC, bus and train operator Translink has reported a suspected hack of its internal IT systems to the police. The firm confirmed it has reported an “incident” to the Police Service of Northern Ireland (PSNI) after experiencing difficulties with its internal IT systems. Bus and train services have not been affected, a spokesperson said.
Jake Moore, Cybersecurity Expert at ESET:
“I applaud organisations that report cyberattacks at the earliest opportunity, which in turn gives them the best chance of quicker recovery. Attacks such as ransomware are not legally required to be reported, as usually personal data isn’t compromised in this way, but holding your hands up will usually attract external expert support.
After the wake of the Travelex cyberattack, it has been proven that the reporting aspect of the situation is just as important as getting back to business as usual. Ransomware, although hugely impactful on a company, needn’t be embarrassing and we need to steer away from the stigma of damaging the brand or being further targeted. Cyberattacks are unfortunately inevitable but it’s the honesty from the start, including learning from what has happened, that will help put a company back on its feet with a stronger defence.”
It has been reported that security researchers taking a closer look at the Philips Hue smart bulbs and the bridge device that connects them discovered a vulnerability that helped them compromise more meaningful systems on the local network.
Commenting on this, Boris Cipot, senior security engineer at Synopsys, said “IoT devices, be it bulbs, door locks, home assistants, switches etc., are a common utility in many households today. This is due to their versatility of use, which also helps to make life easier and more comfortable. They can be controlled by devices like our phones and other IoT devices in the same network, so we can use our voice to turn them on and off, or in the case of the Philips Hue bulbs, change the colour or intensity of light. The communication protocol used for giving commands to the Philips Hue bulbs and receiving information from them is called ZigBee, a standardized protocol used by many other IoT devices. Unfortunately, this protocol has a vulnerability enabling an attacker to exploit these IoT devices, including the Philips Hue bulbs and the Philips Hue Bridge model 2.x.”
The UK Government has unveiled new regulatory proposals for the consumer Internet of Things (IoT), forcing the IoT ecosystem to take a more rigorous and conscious approach to cybersecurity. With an estimated 75 billion internet-connected devices worldwide forecast for 2025, there is no denying that IoT is becoming a more integral part of our lives; yet with this comes increased security risk.
Whilst the new law outlines requirements for unique passwords, no ‘factory reset’ options, vulnerability reporting functions and minimum timeframes for security updates, Paul Farrington, CTO of EMEA at Veracode, believes that, since manufacturers are among the worst offenders when it comes to fixing flaws, the proposal should be extended to ensure they are building in software security at the early stages.
Paul Farrington, CTO of EMEA at Veracode:
“The outcome of the consultation will provide a necessary first step in enhancing IoT device security. The Government has attempted to balance the needs of industry with those of users. Removing default passwords, coordinating vulnerability reporting and bringing clarity to technical support coverage is progress. These measures do fall well short of what is necessary to protect users. Research shows that manufacturing is one of the worst sectors at dealing with security bugs. 83% of software apps have at least one security issue. On average, firms take 171 days to fix a security defect. Improving ways for people to report problems is really a bare minimum. What we really need is a way for IoT device manufacturers to evidence how they are building security into the process, at the earliest stages. The toy industry has had to do something similar around safety-testing for decades. The Government will need to revisit IoT security legislation again before too long.”
Professional services firm PwC surveyed over 1,600 CEOs from around the world and found that cyber attacks have become the most feared threat for large organisations – and that many have taken actions around their personal use of technology to help protect against hackers.
A total of 80 per cent of those surveyed listed cyber threats as the biggest threat to their business, making it the thing that most CEOs are worried about, ranking ahead of skills (79 per cent) and the speed of technological change (75 per cent).
48 per cent of CEOs surveyed said the risk of cyber attacks had caused them to alter their own personal digital behaviour, such as deleting social media accounts or virtual assistant applications, or requesting a company to delete their data.
The full story can be found here: https://www.zdnet.com/article/ceos-are-deleting-their-social-media-accounts-to-protect-against-hackers/
Saryu Nayyar, CEO of Gurucul comments:
“The fact that CEOs are becoming more aware of the danger of cyberattacks is encouraging. With the staggering costs that data breaches have incurred – lost money, lost reputation, lost jobs – cybersecurity is now a big enough issue to be elevated to the c-suite and the boardroom. It can no longer be ignored or relegated to second tier status or dropped into the laps of low level employees. Defining and implementing an effective cybersecurity program starts at the very top. The CEOs who recognise this will be rewarded by staying out of the data breach headlines.”