Security News

The US-CERT has released a joint technical alert from the DHS and the FBI, warning about two newly identified malware families being used by the prolific North Korean APT hacking group known as Hidden Cobra.

Hidden Cobra, often known as Lazarus Group and Guardians of Peace, is believed to be backed by the North Korean government and known to launch attacks against media organizations, aerospace, financial and critical infrastructure sectors across the world.

The group was even associated with the WannaCry ransomware menace that last year shut down hospitals and businesses worldwide. It is reportedly also linked to the 2014 Sony Pictures hack, as well as the SWIFT Banking attack in 2016.

Now, the Department of Homeland Security (DHS) and the FBI have uncovered two new pieces of malware that Hidden Cobra has been using since at least 2009 to target companies working in the media, aerospace, financial, and critical infrastructure sectors across the world.

The two pieces of malware are a Remote Access Trojan (RAT) known as Joanap and a Server Message Block (SMB) worm called Brambul. Let’s look at each in turn.

Joanap—A Remote Access Trojan

According to the US-CERT alert, Joanap is a “fully functional RAT”: a two-stage malware that establishes peer-to-peer communications and manages botnets designed to enable other malicious operations.

The malware typically infects a system as a file delivered by other malware, which users unknowingly download either when they visit websites compromised by the Hidden Cobra actors, or when they open malicious email attachments.

Joanap receives commands from a remote command and control server controlled by the Hidden Cobra actors, giving them the ability to steal data, install and run more malware, and initialize proxy communications on a compromised Windows device.

Other functionalities of Joanap include file management, process management, creation and deletion of directories, botnet management, and node management.

During analysis of the Joanap infrastructure, the U.S. government has found the malware on 87 compromised network nodes in 17 countries including Brazil, China, Spain, Taiwan, Sweden, India, and Iran.

Brambul—An SMB Worm

Brambul is a brute-force authentication worm that, like the devastating WannaCry ransomware, abuses the Server Message Block (SMB) protocol in order to spread itself to other systems.

The malicious Windows 32-bit SMB worm functions as a service dynamic link library file or a portable executable file often dropped and installed onto victims’ networks by dropper malware.

“When executed, the malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets,” the alert notes.

“If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.”

Once Brambul gains unauthorized access to a system, the malware emails information about the victim system to the Hidden Cobra hackers. The information includes the IP address and hostname, as well as the username and password, of each victim system.

The hackers can then use this stolen information to remotely access the compromised system via the SMB protocol. The actors can even generate and execute what analysts call a “suicide script.”
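As an added example (not from the alert or the US-CERT analysis), the following Python detector flags the spreading pattern described above in constructed flow-log lines: one host opening SMB (139/445) connections to many distinct peers within a short window, including addresses outside its own subnet. The log format, the subnet and all addresses are assumptions.

```python
"""Added example (not from the US-CERT alert): flag hosts whose SMB
traffic looks like Brambul-style spreading, i.e. one source fanning out
to many distinct hosts on TCP 139/445 within a short window, including
addresses outside its own subnet (the worm also targets random IPs)."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress
import re

SMB_PORTS = {139, 445}
LINE_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Constructed sample flow-log lines; addresses are placeholders / documentation ranges.
SAMPLE_LOG = """\
2018-05-29T10:00:01 src=10.0.0.5 dst=10.0.0.17 dport=445
2018-05-29T10:00:02 src=10.0.0.5 dst=10.0.0.18 dport=445
2018-05-29T10:00:02 src=10.0.0.5 dst=10.0.0.19 dport=139
2018-05-29T10:00:03 src=10.0.0.5 dst=10.0.0.20 dport=445
2018-05-29T10:00:04 src=10.0.0.5 dst=10.0.0.21 dport=445
2018-05-29T10:00:05 src=10.0.0.5 dst=203.0.113.9 dport=445
2018-05-29T10:00:06 src=10.0.0.5 dst=198.51.100.4 dport=445
2018-05-29T10:00:07 src=10.0.0.7 dst=10.0.0.10 dport=445
2018-05-29T10:00:08 src=10.0.0.7 dst=10.0.0.12 dport=80
2018-05-29T10:05:00 src=10.0.0.7 dst=10.0.0.11 dport=445
"""

def parse_smb_events(log):
    """Yield (timestamp, src, dst) for lines that touch an SMB port."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m and int(m["dport"]) in SMB_PORTS:
            yield datetime.fromisoformat(m["ts"]), m["src"], m["dst"]

def find_smb_fanout(log, local_net="10.0.0.0/24", window_s=60, min_targets=5):
    """Return {src: {"targets": n, "external": n}} for every source that
    reached at least min_targets distinct SMB hosts inside window_s seconds."""
    net = ipaddress.ip_network(local_net)
    per_src = defaultdict(list)
    for ts, src, dst in parse_smb_events(log):
        per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_s.
            while events[end][0] - events[start][0] > timedelta(seconds=window_s):
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                external = sum(ipaddress.ip_address(d) not in net for d in targets)
                alerts[src] = {"targets": len(targets), "external": external}
    return alerts

if __name__ == "__main__":
    print(find_smb_fanout(SAMPLE_LOG))
```

The source at 10.0.0.5 is reported with seven SMB targets, two of them outside the local subnet, while 10.0.0.7 stays below the threshold.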

DHS and FBI have also provided downloadable lists of IP addresses with which the Hidden Cobra malware communicates and other IOCs, to help you block them and enable network defenses to reduce exposure to any malicious cyber activity by the North Korean government.

DHS also recommended that users and administrators follow best practices as preventive measures to protect their computer networks, such as keeping software and systems up to date, running antivirus software, turning off SMB, and forbidding unknown executables and software applications.

Last year, the DHS and the FBI published an alert describing Hidden Cobra malware, called Delta Charlie—a DDoS tool which they believed North Korea uses to launch distributed denial-of-service (DDoS) attacks against its targets.

Other malware linked to Hidden Cobra in the past includes Destover, Wild Positron (or Duuzer) and Hangman, with sophisticated capabilities such as DDoS botnets, keyloggers, remote access tools (RATs) and wiper malware.

Here you can find some tips on how to secure your wireless home network.

Don’t leave the defaults!

When it’s fresh out of the box, your router will usually come preloaded with a default username and password used to access its configuration settings.

You might have only ever seen this once when setting up your router for the first time – or you might have simply “plugged in” and never needed it at all (lucky you)!

However, trouble can arise if you’ve never given your router’s details a second thought. With sites like RouterPasswords.com, you can easily look up defaults by brand, make and model.

Combined with the default network ID discussed below, this makes it ridiculously easy for a nosy neighbour or nefarious hacker to use your home network. Believe it or not, most hacking is simply cagey guesswork rather than genius feats!

Change the network name

The default name broadcast by your router can reveal key information to snoops: namely your router’s brand and model.

These details can be used in combination with the first security foible to look up your router’s default admin name and password. Sites like RouterPasswords.com make it almost trivially easy – test it out with your own router model and see for yourself!

Give your SSID (network name) a personal touch, and erase any mention of your device’s make and model. It’s a simple measure, yet it can eliminate the simplest attacks that target low-hanging fruit.

Ditch the guest networks

It might be nice to offer your guests free WiFi without needing to give them the password, but remember that you’re also offering the same courtesy to anyone else within range – even your neighbours!

They’re still using your Internet plan and monthly data allowance, so offering an easy way to bypass your password-protected network isn’t exactly the brightest idea. Turning off guest networks is a matter of delving into your particular router’s setup interface, so consult the documentation before poking around in the settings.

Keep the firmware current

It might seem pretty set-and-forget, but your router actually needs updating from time to time.
Firmware patches often address crucial security or performance flaws in your router, so failing to keep it up to date can undermine all your best efforts.

Updating your router’s firmware varies widely by manufacturer and model, so consult the documentation that came with your particular device to learn how to perform this step.

For a good starting point, take a look at the [Tom’s Guide roundup][rndup] for popular router manufacturers.

Try a VPN

A VPN, or Virtual Private Network, might seem like an overly complicated solution. However, if you want unparalleled privacy and anonymity while browsing, you can’t go past one.

In truth, there’s a variety of easy to use, fast and reliable VPNs on offer. Many are completely automatic, and are as simple to enable as clicking a button.

In summary, the way you’ve set up your home base station is fundamental to your Internet security. By following these tips as soon as you plug in your brand new router, you can stop WiFi thieves and other cybercriminals in their tracks.


The information contained in this website is for general information purposes only. The information is gathered from IT Security News while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Just because it’s simple to use doesn’t mean the user is low-rent

The Poison Ivy Remote Access Tool (RAT) – often considered a tool for novice “script kiddies” – has become a ubiquitous feature of cyber-espionage campaigns, according to experts.

Research by malware protection firm FireEye has revealed that the tool served as the linchpin of many sophisticated cyber-attacks, including the compromise of RSA SecurID data in 2011 and the “Nitro” assault against chemical makers, government offices, defence firms and human-rights groups last year.

A Peeping Tom webcam sextortionist has been jailed for six years in the US after targeting several young women in attacks that relied on a modified version of Poison Ivy, an incident which shows that the tool has malign uses beyond cyber-espionage.

Poison Ivy remains popular and effective eight years after its original release. FireEye has compiled a list of nation state-type attackers making use of the utility. These include a group called admin@338, which specialises in attacks targeting the financial services industry; th3bug, who have been hammering universities and healthcare facilities since 2009, and menuPass, a group that has run cyberespionage attacks against defence contractors over the last four years.

Poison Ivy is the preferred RAT of several threat actors located in China. Over recent months other attackers elsewhere in the world have begun adopting the same methodology.

A campaign by a Middle East hacking group called “Molerats” (AKA Gaza Hackers Team) switched during June and July to using Poison Ivy to attack Israeli government targets. The latest malware was signed with a fake Microsoft certificate, similar to earlier attacks using the XtremeRat trojan.

FireEye has also intercepted Egyptian- and Middle Eastern-themed attacks using decoy content in Arabic whose targets remain uncertain but may include targets in the Palestinian authority.

“The cyber-attacks against Israeli and Palestinian targets that were first documented last year are ongoing,” FireEye concludes. “The attackers, which we have called ‘MoleRats’, have also targeted government entities in the UK and in the US. In addition to using XtremeRAT, which is popular among Middle Eastern attackers, we have found that Molerats have adopted the use of Poison Ivy RAT, which is traditionally favoured by Chinese attackers.”

“We do not know if this is an intentional attempt by MoleRats to deflect attribution to China-based threat actors, or if they have simply added another, effective, publicly-available RAT to their arsenal. However, this development should raise a warning flag for those who attribute all Poison Ivy attacks to threat actors based in China. The ubiquity of off-the-shelf RATs makes determining positive attribution an increasing challenge,” it adds.

RATs such as Poison Ivy require little technical savvy while offering unfettered access to compromised machines, hence their use even by well-resourced professional cyber-ninja types. Poison Ivy can be considered the easy-to-use front end of attacks that may be quite sophisticated when viewed as a whole.


Source: The Register.

The IT security researchers at Radware have discovered a sophisticated malware campaign targeting unsuspecting Facebook users in the name of a painting application called ‘Relieve Stress Paint.’ As a result, tens of thousands of Facebook accounts have been compromised in the last couple of days.

The application is hosted on a website that takes advantage of Unicode representation to appear in search engines, including Google, as Aol.net, the web portal and online service provider originally known as America Online. It is noteworthy that a couple of weeks ago AOL’s advertising platform was hacked to mine cryptocurrency.

Additionally, malicious hackers have been found using Unicode to run malware and phishing scams on fake Apple and Google domains.

According to the Radware researchers, the application is being spread via phishing email. Once installed, it launches a legitimate-looking program that lets users change colours, line size and other features, much like the default Microsoft Paint app. In reality, however, the app steals data from the Chrome browser, including saved Facebook login credentials and cookies.

Radware researchers were able to access the control panel of the command-and-control server used by the cybercriminals and noted that more than 40,000 devices were infected with the malware. This means tens of thousands of Facebook accounts are currently being compromised by the ongoing campaign.

(Image: stolen user data as seen in the control panel; source Radware)

Furthermore, researchers noted that the server is based on a Chinese CMS called Layuicms 2.0 and contains a category for Amazon, which suggests, given recent incidents including exposed Amazon S3 buckets, that the next target of the malicious hackers could be Amazon.

But it does not end there: researchers also identified a variant of this malware. It is unclear what the cybercriminals will do with the data, but researchers believe it could be sold to other cybercriminals or used for identity theft, cyber espionage and ransom scams.

It is advised that users should refrain from installing third-party apps. It was just yesterday when Minecraft users came under malware attack due to the use of malicious third-party skins. Moreover, avoid clicking on links and downloading attachments in unknown emails.


Source: BRICA.

The Domain Name System (DNS) is the cornerstone of communication for the internet. Navigating to the sites you access every day often starts with a DNS request. Cybercriminals recognise the value of DNS and may look for ways to abuse improperly secured DNS to compromise its uptime, integrity or overall response efficacy, which makes DNS an important area for enforcing security and protecting against threats.


When a DNS request is made, the query is routed to a recursive name server. If the domain name navigation information is cached, the recursive name server sends the response directly back to the user with the appropriate information so that they can go to the intended destination. If the information is not present in the cache, the recursive name server queries other DNS servers to find the information needed to answer the original query.


Cybercriminals understand how to manipulate DNS caching and may take advantage of unsecured servers through cache poisoning. Cache poisoning can occur when a cybercriminal sends fake (spoofed) DNS responses to a target recursive name server (resolver), pretending they came from an authoritative name server, a forwarder, or even a recursive name server to a client stub. When malicious information is cached on the recursive name server, the names on the server are considered “poisoned.”

Cybercriminals use cache poisoning to redirect traffic to fraudulent websites and other unintended destinations. Cache poisoning is considered dangerous because it does not require significant bandwidth, processing resources, or technical expertise to execute, and an attacker doesn’t need to be in the data path to launch cache poisoning attacks. Furthermore, a fraudulent address can reside on a recursive name server for hours, days or weeks before it is discovered.

When a poisoned cache connects an unsuspecting user or device to a fraudulent site, cybercriminals can do a variety of things: obtain sensitive data and other confidential information, steal user credentials and passwords, eavesdrop on communications, plant malicious software, or display images and text that defame a legitimate brand or provide misleading information.

One solution to address cache poisoning is the implementation of DNS security extensions (DNSSEC). DNSSEC is the main security mechanism that protects the integrity of DNS records and helps safeguard the end-to-end integrity and authenticity of DNS responses.
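As an added example (not from the article), the following Python simulates the resolver-side checks that make a spoofed reply hard to cache: transaction-ID and source-port matching, a question-section check and the bailiwick rule, which DNSSEC complements rather than replaces. The message layout, addresses and names are constructed, and no network traffic is sent.

```python
"""Added example (not from the original article): a toy resolver applying the
checks a reply must pass before its records are cached. Constructed data only."""
import secrets
from dataclasses import dataclass, field

@dataclass
class Query:
    qname: str
    server: str   # address the question was sent to
    zone: str     # zone that server is authoritative for
    txid: int = field(default_factory=lambda: secrets.randbits(16))
    port: int = field(default_factory=lambda: 1024 + secrets.randbelow(64512))

@dataclass
class Response:
    src: str      # address the reply claims to come from
    dst_port: int
    txid: int
    qname: str
    records: list # [(owner_name, ttl, ip)]

def in_bailiwick(name, zone):
    return name == zone or name.endswith("." + zone)

def validate(query, response):
    """Return None if the reply may be cached, otherwise the reason to drop it."""
    if response.src != query.server:
        return "source address is not the server we asked"
    if response.dst_port != query.port:
        return "reply port does not match our randomised source port"
    if response.txid != query.txid:
        return "transaction id mismatch"
    if response.qname != query.qname:
        return "question section does not match"
    for name, _ttl, _ip in response.records:
        if not in_bailiwick(name, query.zone):   # refuse data this server has no authority over
            return f"out-of-bailiwick record for {name}"
    return None

def cache_reply(cache, query, response):
    """Insert the reply's records only if every check passes."""
    reason = validate(query, response)
    if reason is None:
        for name, ttl, ip in response.records:
            cache[name] = (ip, ttl)
    return reason

def demo():
    cache = {}
    q = Query("www.example.com", server="192.0.2.1", zone="example.com")
    genuine = Response("192.0.2.1", q.port, q.txid, q.qname,
                       [("www.example.com", 300, "192.0.2.10")])
    wrong_txid = Response("192.0.2.1", q.port, (q.txid + 1) & 0xFFFF, q.qname,
                          [("www.example.com", 86400, "198.51.100.66")])
    stray = Response("192.0.2.1", q.port, q.txid, q.qname,
                     [("www.example.com", 300, "192.0.2.10"),
                      ("login.bank.example", 86400, "198.51.100.66")])
    results = [cache_reply(cache, q, r) for r in (wrong_txid, stray, genuine)]
    return cache, results
```

Only the genuine reply reaches the cache; the forged one fails the transaction-ID check and the reply carrying a record for another zone is dropped whole by the bailiwick rule.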

As DNS attacks grow in frequency and impact, organisations can no longer afford to overlook DNS security as part of their overall defence-in-depth strategy. As with IT security in general, no single tactic can address the entire DNS threat landscape or secure the complete DNS ecosystem. The key is to assess risks, identify security gaps and develop a plan to strengthen the security of both your inbound and outbound DNS.


Source: ITSecurity News.