Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry
https://arstechnica.com/?post_type=post&p=1098281#
The three bitcoin wallets tied to #WannaCry ransomware have received 216 payments totaling 34.6200695 BTC ($58,821.36 USD).
Printable View
Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry
https://arstechnica.com/?post_type=post&p=1098281#
The three bitcoin wallets tied to #WannaCry ransomware have received 216 payments totaling 34.6200695 BTC ($58,821.36 USD).
@DAlperovitch on lessons learned from the #WannaCry cyberattacks:
http://www.atlanticcouncil.org/blogs...ave-your-data#
Hackers mint crypto-currency with technique in global 'ransomware' attack
http://reut.rs/2pTagMh
#
The Electronic signature technology provider DocuSign suffered a data breach
Hackers broke into the system of the technology provider DocuSign and accessed customers email. The experts warn of possible spear phishing attacks. The#Electronic signature technology provider DocuSign suffered a data breach, hackers have stolen emails.
Shadow Brokers are back after WannaCry case, it plans to offer data dump on monthly subscription model
Shadow Brokers made the headlines once again, the notorious group plans to offer data dump on a monthly subscription model. The notorious Shadow Brokers hacking group made the headlines during the weekend#when systems worldwide were compromised by the WannaCry#ransomware..which they had released as part of their NSA data dump.....
Some machines can’t be infected by WannaCry because they have been already infected by Adylkuzz
Security experts at ProofPoint security discovered that many machines can't be infected by WannaCry because they have been already infected by Adylkuzz.
APT32, a new APT group alleged linked to the Vietnamese Government is targeting foreign corporations
APT32 is a new APT group discovered by security experts at FireEye that#is targeting#Vietnamese interests around the globe. The APT32 group, also known as OceanLotus Group, has been active since at least 2013, according to the experts it is a#state-sponsored hacking and cybercrime group........
WikiLeaks Reveals two distinct malware platforms codenamed AfterMidnight and Assassin used by the CIA operators to target Windows systems.
While critical infrastructure worldwide and private organizations were ridiculed by the#WannaCry attack,#WikiLeaks released a new batch of CIA documents from the#Vault 7 leaks.
The new dump included the documentation related to#two CIA frameworks used to create custom malware for Microsoft Windows platform.
The two frameworks are codenamed#AfterMidnight#and#Assassin, both malware implements classic backdoor features that allowed the CIA to take control over the targeted systems.
EU fines Facebook 110 million euros over misleading WhatsApp data
http://reut.rs/2pWdMWj
#
When ransomware guys provide better customer support than most companies #WannaCry
French security researchers say they have found a method to decrypt Windows files locked by WannaCry ransomware.
UIWIX, the Fileless Ransomware that leverages NSA EternalBlue Exploit to spread
experts discovered a new ransomware family, dubbed UIWIX, that uses the NSA-linked EternalBlue exploit for distribution The effects of the militarization of the cyberspace are dangerous and unpredictable. A malicious code developed by a government...
WikiLeaks revealed CIA Athena Spyware, the malware that targets all Windows versions
Wikileaks released the documentation for the Athena Spyware, a malware that could infect and remote control almost any Windows machine. Last Friday, Wikileaks released#the#documentation for AfterMidnight and Assassin malware platforms
HTTPs Phishing sites are increasing, it is the reaction to browser improvements
The number HTTPs Phishing sites continues to increase, it is the response of phishers to the improvements implemented by Browser-makers. If you believe that the HTTPs could protect you from phishing attacks you are wrong, in 2014#TrendMicro warned of the increase#in this ability.....
CISCO start assessing its products against the WannaCry Vulnerability
The tech giant Cisco announced an investigating on the potential impact of WannaCry malware on its products. Recent massive WannaCry#ransomware attack highlighted the importance of patch management for any organization and Internet users.
Microsoft Patch Tuesday updates for May 2017 fix Zero Days exploited by Russian APT groups
Microsoft Patch Tuesday for May 2017 address tens security vulnerabilities, including a number of zero-day flaws exploited by Russian APT groups. Microsoft Patch Tuesday updates for May 2017 fix more than 50 security flaws, including a number of zero-day...
Exclusive: North Korea's Unit 180, the cyber warfare cell that worries the West
http://www.reuters.com/article/us-cy...idUSKCN18H020#
Buckle-up for another cyber ride
https://www.wired.com/2017/03/wikile...a-hacks-dump/#
Another datadump of CIA hacked tools...by the Russian intel org Wikileaks...
Security experts at threat intelligence firm Record Future have found a clear link between APT3 cyber threat group and China’s Ministry of State Security.
Quote:
The curtain has been pulled back a little on the Chinese Intelligence Agency intelligence gathering structure — and it includes private security contractors and the network vendor supply chain.
In 2010, security vendor FireEye identified the Pirpi Remote Access Trojan (RAT) which exploited a then 0-day vulnerability in Internet Explorer versions 6, 7 and 8. FireEye named the threat group APT3 which has also been described as TG-0100, Buckeye, Gothic Panda, and UPS and described them as “one of the most sophisticated threat groups” being tracked at the time.
Since then, APT3 has been actively penetrating corporations and governments in the US, UK and most recently Hong Kong — and everyone has been trying to figure out who they are. APT3 functions very differently than 3LA, the former Chinese military hacking organization leading to the assumption that APT3 is not part of the military complex. At least not officially.
On May 9th, 2017, an unknown party using the alias ‘intrusiontruth’ published a series of blogs posts describing connections between the Pirpi RAT command and control components and shareholders of the Chinese security contractor Guangzhou Boyu Information Technology Company, aka Boyusec.
“On May 9, a mysterious group calling itself “intrusiontruth” identified a contractor for the Chinese Ministry of State Security (MSS) as the group behind the APT3 cyber intrusions.” states the analysis published by Recorder Future.
The names of two specific shareholders of Boyusec appear in the domain registration for the Pirpi C&C servers.##This is particularly interesting because Boyusec supports the Chinese Ministry of State Security (MSS) by collecting civilian human intelligence. Think of them as an outsourcer for a government agency like the United States’ National Security Agency (NSA).
Also interesting is that in 2016 a Pentagon report described the relationship between Boyusec and network equipment manufacturer, Huawei. According to the report, the two companies were colluding to develop security equipment with embedded backdoors which would likely be used by Boyusec to compromise Huawei customers.
“In November 2016, the Washington Free Beacon reported that a Pentagon internal intelligence report had exposed a product that Boyusec and Huawei were jointly producing.” continues the analysis.”According to the Pentagon’s report, the two companies were working together to produce security products, likely containing a backdoor, that would allow Chinese intelligence “to capture data and control computer and telecommunications equipment.” The article quotes government officials and analysts stating that Boyusec and the MSS are “closely connected,” and that Boyusec appears to be a cover company for the MSS.”
To protect our networks, it is important to assess the threats. An important part of threat assessment is to anticipate the motivation of the attackers. APT3 has demonstrated above average skills and has been active for a long time. Add ties to the network vendor supply chain and you have the makings of a dangerous adversary. As part of the Chinese MSS structure you can start to guess at motivation. With this new information, it is a good time to reassess your threat model.
Europol supported the Slovak NAKA crime unit in an operation that resulted in the seizure of the Bloomsfield darknet marketplace.
Another success of the European#police, last week#Europol supported the Slovak NAKA crime unit in the arrest of a Slovak national believed to operate the Bloomsfield#darknet marketplace dealing in drugs and arms.
“Bloomsfield started its marketplace around two years ago, but remained throughout its shelf life a rather small market with few listings and users.” reported website darkweb.world.
The police took into custody the suspect and several of his premises have been searched.
“Europol has supported the Slovak authorities in their investigation into a Slovak national who had been trading firearms, ammunition, and drugs on the Darknet.” reads the statement published by the Europol.
“In one of the locations searched, Slovak authorities discovered and seized five firearms and approximately 600 rounds of ammunition of different calibers. The investigators also found a sophisticated indoor cannabis plantation, 58 cannabis plants and a Bitcoin wallet containing bitcoins worth EUR 203 000, which is thought to have been obtained from illegal online activities.”
The law enforcement has seized the server running the darknet marketplace, experts are analyzing it searching for evidence and other information useful for the investigation.
“The server used by the suspect to host the Darknet marketplace was also seized during the raids and is currently being forensically analysed. Slovak authorities and Europol have extended the investigation into the users and vendors who utilised the marketplace.” states Europol
Bloomsfield was launched around two years ago but is considered a very small market with few listings and users.#It started as the vendor shop of the vendor ‘Biocanna‘ and later other vendors have#joined the darknet market.
Biocanna has shared a portion of a conversation on Twitter concerning the ‘owner of the failing Bloomsfield market.’
Best I've ever seen pic.twitter.com/yKxkNvQ43G
— C (@2ctfm) May 4, 2017
It the above#claims are correct the Europol will have no difficulties to track the other operators of the black market.
“Europol supported Slovakia throughout the entire investigation by providing its analytical and financial intelligence capabilities.” reads the Europol’s announcement. “Also, across-check performed during the house searches generated a hit on Europol’s databases which helped investigators identify a
Darknet vendor living in another EU country. The individual was suspected of supplying one of the firearms found during the house searches in Bratislava.”
Darknet marker places are important facilitators of criminal activities, the monitoring of this ecosystem is crucial for law enforcement.
The Stegano exploit kit, also known as Astrum, continues to evolve, recently its authors adopted the Diffie-Hellman algorithm to hinder analysis.
The Stegano exploit kit made was associated in the past with a massive AdGholas malvertising campaign that delivered malware, mostly Gozi and RAMNIT trojans. Experts at TrendMicro also observed the exploit kit in the Seamless malvertising campaign.
“Astrum’s recent activities feature several upgrades and show how it’s starting to move away from the more established malware mentioned above.
It appears these changes were done to lay the groundwork for future campaigns, and possibly to broaden its use.
With a modus operandi that deters analysis and forensics by#abusing the Diffie-Hellman key exchange, it appears Astrum is throwing down the gauntlet.” reads the analysis published by Trend Micro.
In March, the French research Kafeine#reported the Stegano EK exploiting the information disclosure vulnerability tracked as CVE-2017-0022. Hackers exploited the#flaw#to evade antivirus detection and analysis.
A month later, the Stegano exploit kit was updated to#prevent security researchers from replaying the malicious network traffic.
“We found that this anti-replay feature was designed to abuse the Diffie-Hellman key exchange—a widely used algorithm for encrypting and securing network protocols. Angler was first observed doing this back in 2015.” continues the analysis.
“Implementing the Diffie-Hellman key exchange prevents malware analysts and security researchers from getting a hold of the secret key Astrum uses to encrypt and decrypt their payloads. Consequently, obtaining the original payload by solely capturing its network traffic can be very difficult.”
According to the experts, the#Astrum/#Stegano exploit kit includes exploit codes for a number of vulnerabilities in Adobe Flash, including the CVE-2015-8651#RCE, the#CVE-2016-1019 RCE, and the out-of-bound read bug flaw tracked as#CVE-2016-4117.
Experts highlighted that#currently the Stegano#Exploit Kit isn’t used to deliver malware and associated traffic is very low, both circumstances suggest we can soon observe a spike in its activity.
“It wouldn’t be a surprise if [Astrum/Stegano’s] operators turn it into an exclusive tool of the trade—like Magnitude and Neutrino did—or go beyond leveraging security flaws in Adobe Flash. Emulating capabilities from its predecessors such as fileless infections that can fingerprint its targets and deliver encrypted payloads shouldn’t be far off,” concluded Trend Micro.
Hacking #IoT Devices: The Alarming Internet of Things #CyberSecurity MT @ipfconline1