Malware & other nasty IT / cyber things

[OUTLAW 09]

Moderator's Note

A number of posts have appeared recently in another thread, which advertise malware and other nasty IT things and they deserve their own thread. So I will move eight readily id'd posts that are not Russian focused here, all of them by Outlaw09 who works in the cyber arena. It may help to watch the Russian Cyber & Disinformation thread for background and other matters: Russian Info, Cyber and Disinformation (Catch all 2017 onwards).
(Mod Ends)

ALERT....I had posted this previously but am doing it again as it spreading fast now world wide

Philadelphia Ransomware, a new threat targets the Healthcare Industry

Security experts from Forcepoint have discovered a new strain of ransomware dubbed Philadelphia that is targeting organizations in the healthcare industry.

The Philadelphia ransomware is a variant of the Stampado ransomware, a very cheap malware offered for sale on the Dark Web since June 2016 at just 39 USD for a lifetime license.

Last month the popular expert Brian Krebs discovered on YouTube an ad Philadelphia.

According to the researchers, thePhiladelphia ransomware is distributed via spear-phishing emails sent to the hospitals. The messages contain a shortened URL that points to a personal storage site that serves a weaponized DOCX file containing the targeted healthcare organization’s logo.

The file includes three document icons apparently related to patient information, and attempt to trick victims to click on them.

Philadelphia ransomware

If the victims click on the icon, a Javascript is triggered which downloads and executes a variant of the Philadelphia ransomware.

This tactic was already used to infect a hospital from Oregon and Southwest Washington.

“However, it appears that amateur cybercriminals have also started to shift towards this trend in the form of an off-the-shelf ransomware aimed at a healthcare organization in the United States.” reads the analysis published by ForcePoint.

“In this attack, a shortened URL, which we believe was sent through a spear-phishing email, was used as a lure to infect a hospital from Oregon and Southwest Washington. Once a user clicks on the link, the site redirects to a personal storage site to download a malicious DOCX file. This document contains the targeted healthcare organization’s logo and a signature of a medical practitioner from that organization as bait.”

Once the ransomware infected the system it contacts the C&C server and sends various details on the target machine, including operating system, username, country, and system language. The C&C server responds with a generated victim ID, a Bitcoin wallet ID, and the Bitcoin ransom price.

The Philadelphia ransomware used AES-256 to encrypt the files, when the operation is completed it displays a request for 0.3 Bitcoins ransom to the victims.

The analysis of the malicious code revealed a couple of interesting things:
•the encrypted JavaScript contained a string “hospitalspam” in its directory path.
•the ransomware C&C also contained “hospital/spam” in its path.

The presence of the words suggests the attackers are specifically targeting hospitals using spear phishing emails.

“Ransomware-as-a-service (RaaS) platforms such as Philadelphia continue to attract would-be cybercriminals to take part in the ransomware business” concluded Forcepoint. “Individually, this may not be a great deal of an attack towards the Healthcare sector. However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the Healthcare sector,”

[OUTLAW 09]

The Russian group Turla has continued to improve its Carbon backdoor, experts from ESET detected new versions released on a regular basis.

The Russian APT group known as Turla (also known as Waterbug, KRYPTON and Venomous Bear) has continued to improve its Carbon backdoor, experts from ESET detected new versions released on a regular basis.

Carbon is a second-stage backdoor that is used after an initial reconnaissance phase of an attack, it involves malware such as Tavdig.

The Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using Icedcoffee, a JavaScript payload delivered via macro-enabled Office documents.

Last time the researchers reported Turla‘s activities was February 2017, when experts at Kaspersky Lab have discovered a new piece of JavaScript malware linked to the group targeting organizations in Greece, Qatar, and Romania.

Turla has been active since at least 2007, the hackers launched several high-profile attacks against targets worldwide, including the ones aimed at Swiss defense firm RUAG and the U.S. Central Command.

Carbon, aka Pfinet, is once of the tool in the arsenal of the hacking crew, researchers from ESET described it as a lite version of Uroburos.

Carbon is a second-stage backdoor that is typically deployed after the reconnaissance phase of an attack, it has several components, including a dropper, a command and control (C&C) communications element, an orchestrator, and a loader that executes the orchestrator.

The orchestrator is used to inject the C&C communications library into a legitimate process, and dispatch the tasks received via the C&C library to other bots that are located on the network.

Turla

ESET has identified several versions of Carbon compiled last year; the most recent one was compilated on October 21, 2016. The newer versions of the Carbon malware make a massive use of encryption.

Almost any component is a DLL file, except for the loader, which is an EXE file.

“The Turla group is known to be painstaking and work in stages, first doing reconnaissance on their victims’ systems before deploying their most sophisticated tools such as Carbon.

A classic Carbon compromise chain starts with a user receiving a spearphishing email or visiting a previously compromised website, typically one that the user visits regularly — a technique known as a watering hole attack.” reads the analysis shared by ESET.

“After a successful attack, a first stage backdoor — such as Tavdig or Skipper — is installed on the user machine. Once the reconnaissance phase is over, a second stage backdoor, like Carbon, is installed on key systems.”

Threat actor behind Turla have modified their tools everytime they were detected in the wild. Researchers observed that in the case of Carbon, the hackers changed file names and mutexes in the version 3.8 released in the summer of 2016.

Experts noticed that before the malware start communicating with C&C, it checks the infected system for the presence of packet capture software, such as Wireshark and Tcpdump.


“Before communicating with the C&C server or with other computers, the malware ensures that none of the most common packet capture software is running on the system:

•TCPdump.exe
•windump.exe
•ethereal.exe
•wireshark.exe
•ettercap.exe
•snoop.exe
•dsniff.exe”

[OUTLAW 09]

Over 20 million Gmail and 5 million Yahoo accounts available for sale on the Dark Web

The vendor "SunTzu583" is offering for sale over 20 million Gmail and 5 million Yahoo login credentials on the Dark Web A vendor with the online moniker "SunTzu583" is reportedly selling millions of login credentials for Gmail and Yahoo accounts on a

A vendor with the online moniker “SunTzu583” is reportedly selling millions of login credentials for Gmail and Yahoo accounts on a black market in the dark web. Over 20 million Gmail accounts and 5 million Yahoo accounts are available for sale, the huge trove of data is the result of previous massive data breaches.

SunTzu583 is known to security experts, he was specialized in the sale of stolen login credentials.

A couple of weeks ago the colleagues at HackRead reported the sale of more than 1 million Gmail and Yahoo accounts by the same seller and a few days later, SunTzu583 started selling PlayStation accounts.

Dark web Playstation accounts

SunTzu583 offered 640,000 PlayStation accounts for USD 35.71 (0.0292 BTC), the dump includes emails and clear-text passwords.

SunTzu583 confirmed that the archive was not directly stolen from PlayStation network, but it does contain unique accounts of PlayStation users. The seller added that even if the accounts may work for other web services they are first of all PlayStation accounts.

Back to the present, the seller SunTzu583 is offering in separate listings millions of Gmail accounts.

In three different listings, he is offering 4,928,888 accounts.

“The total number of Gmail accounts being sold are 4,928,888 which have been divided into three different listings. All three listings contain 2,262,444 accounts including emails and their clear text passwords.” reports the analysis published by HackRead. “In the description of these listings, SunTzu583 has mentioned that “Not all these combinations work directly on Gmail, so don’t expect that all these email and passwords combinations work on Gmail.””

The researchers at HackRead who have compared the listings with Hacked-DB and Have I been pwned repositories confirmed that the sources of the data are past data breaches including LinkedIn (117 million accounts), Adobe (153 million accounts) and Bitcoin Security Forum (5 million Gmail passwords).

[OUTLAW 09]

Experts from security firm Sixgill have discovered a new strain of the macOS Proton RAT that is offered for sale on Russian cybercrime underground.

The Dark Web is the right place where to find any kind of illegal products and services, malware such as banking trojan and spyware are very popular in cyber criminal underground.

Recently a new remote access tool (RAT) specifically designed to infect macOS systems is currently being advertised on Russian cybercrime underground. The researchers at security firm Sixgill discovered the advertising on crime forums and on a custom website, this threat is also described in videos published on YouTube.

https://youtu.be/JA7sfDc9Ad0

The Proton homepage went down just after the experts at Sixgill published the report.

“Sixgill researchers have encountered a post in one of the leading, closed Russian cybercrime message boards. The author of the thread announced a RAT dubbed Proton, intended for installation exclusively on MAC OS devices. The author offered this product in one of the leading underground cybercrime markets.” reads a report published by Sixgill.

The Proton RAT first appeared in the threat landscape last year, the variant recently advertised on hacking forums includes many features such as the ability to execute console commands, access the user’s webcam, log keystrokes, capture screenshots and open SSH/VNC remote connections. The malicious code is also able to inject malicious code in the user’s browser to display popups asking victims information such as credit card numbers, login credentials, and others.

“The malware includes root-access privileges and features allowing an attacker to obtain full control of the victim’s computer. Its capabilities include: running real-time console commands and file-manager, keylogging, SSH/VNC connectivity, screenshots, webcam operation and the ability to present a custom native window requesting information such as a credit-card, driver’s license and more. The malware also boasts the capability of iCloud access, even when two-factor authentication is enabled.” continues the report.

According to the author, macOS Proton RAT is written in native Objective-C and it is fully undetected by any existing MAC OS antivirus solution.

Below the list of features described in the ad:

macOS Proton RAT

The Proton RAT has root access and is able to elude standard macOS security features, it is also able to bypass two-factor authentication on iCloud accounts.

Researchers speculate macOS Proton RAT leverages a zero-day vulnerability in macOS, but most interesting characteristic of the threat is that the malicious code is signed with genuine Apple code-signing certificates. It is likely the author has managed to falsify registration to Apple Developer ID Program or has stolend the credentials to an apple developer.

“The real threat behind the software is this: The malware is shipped with genuine Apple code-signing signatures. This means the author of Proton RAT somehow got through the rigorous filtration process Apple places on MAC OS developers of third-party software, and obtained genuine certifications for his program. Sixgill evaluates that the malware developer has managed to falsify registration to the Apple Developer ID Program or used stolen developer credentials for the purpose.” reads the report.

The price for the macOS Proton RAT ranged from $1,200 to $830,000 for the entire project (an absurd price). Below the version advertised on the Proton websites:

Standard Edition

I) License to control only ONE remote machine 1) 1 BTC — unsigned 2) 2 BTC — signed
II) License to control 20 remote machines 1) 10 BTC — unsigned 2) 11 BTC — signed
III) License to control infinite remote machines 1) 66 BTC — unsigned 2) 76 BTC — signed

Extended edition

I) License to control infinite remote machines 1) 166 BTC — unsigned 2) 200 BTC — signed
II) License to control infinite remote machines on your own server 1) 366 BTC — without source code 2) 666 BTC — with full source code

Researchers noticed that the authors of the malware try to disguise their spyware as legitimate surveillance software.

[OUTLAW 09]

The Sundown EK has been inactive since early this year, the Terror EK is being very popular in the cybercriminal ecosystem.

One year ago the Angler EK and Nuclear EK disappeared from the threat landscape, while the Sundown EK was conquering the criminal underground.

What’s happening now?

The Sundown EK has been inactive since early this year, the Terror EK is being very popular in the cybercriminal ecosystem.

Last week, Cisco Talos published an analysis of Sundown EK, the expert detailed the improvements of the EK that presented many similarities with the RIG exploit kit.

“Sundown is an exploit kit in transition, it has stopped using calling cards and other easily ways to identify its activity. It is one of the few exploit kits adding any new exploits to their arsenal, albeit stolen. At the same time they consistently steal exploits and technologies from other people and competitors.” reads the analysis of the Talos group. “The exploit kit landscape has been struggling to find its footing since the major players have left. It still appears to be in transition with RIG and Sundown being the primary players left as an option for those looking to compromise random victims while browsing the web.”

The Sundown EK was not sophisticated like other large exploit kits.

Security experts at Talos were noticing a long inactivity of the Sundown EK, also variant of the kit was disappeared from the scene, including Bizarro and Greenflash.

This silence leads the experts into believing that threat actor ceased the operations.

“Many security researchers tracking exploit kits have noted the lack of Sundown EK activity for several weeks now. A post from Cisco’s Talos team came off as a bit of a surprise at the end of March (Threat Spotlight: Sundown Matures), but any doubts were squashed by this tweet on April 8th (Sundown (Beps) and Nebula out ? More than one month since last hits).” reads a blog post published by MalwareBytes.

“Also, whatever happened to Bizarro and Greenflash Sundown EKs? Whether this is a temporary break or yet another dead EK, time will tell.”

Recently experts observed a significant increase of hacking campaigns leveraging the Terror EK.

Because of similarities with Sundown EK, experts at MalwareBytes initially thought that the Terror EK was simply a new variant of Sundown, but further investigation revealed that it was actually from a different actor (so-called Terror EK by Trustwave).

The Terror EK was advertised on various underground forums by a hacker with the online moniker @666_KingCobra that is offering it for sale under different names (i.e. Blaze, Neptune, and Eris).

Experts at Malwarebytes Labs said that the Terror EK was used in a malvertising campaign distributing the Smoke Loader by exploiting Internet Explorer, Flash, and Silverlight exploits.

The Terror EK was also involved in a newer campaign using a different landing page that distributes the Andromeda malware.

The compromised websites are leveraged to redirect to the exploit kit landing page via server 302 redirect call and done via script injection.

Terror EK

“Sundown EK was notorious for stealing exploits from others and the tradition continues with more copy/paste from the ashes of dead exploit kits. If this harvesting was done on higher grade EKs, we would have a more potent threat but this isn’t the case here,” Malwarebytes concludes.

[OUTLAW 09]

Lawyers, malware, and money: The antivirus market’s nasty fight over Cylance

On the front lines of the antivirus industry's "testing wars."
Sean Gallagher - 4/17/2017, 1:00 PM

https://arstechnica.com/information-...re-that-wasnt/

[OUTLAW 09]

IoT malware clashes in a botnet territory battle
http://www.cio.com/article/3190179/s...y-battle.html#
… via @CIOonline

Hajime IoT malware, is it the work of vigilante hacker?

Mirai -- a notorious malware that's been enslaving IoT devices -- has competition.
A rival piece of programming has been infecting some of the same easy-to-hack internet-of-things products, with a resiliency that surpasses Mirai, according to security researchers.
"You can almost call it Mirai on steroids," said Marshal Webb, CTO at BackConnect, a provider of services to protect against distributed denial-of-service (DDoS)#attacks.
[ Your guide to top tech conferences 2017 ]
Security researchers have dubbed the rival IoT malware Hajime, and since it was discovered more than six months ago, it's been spreading unabated and creating a botnet. Webb estimates it's infected about 100,000 devices across the globe. ###

These botnets, or networks of enslaved computers, can be problematic. They're often used to launch massive DDoS attacks that can take down websites or even disrupt the internet’s infrastructure.
That’s how the Mirai malware grabbed headlines last October. A DDoS attack from a Mirai-created botnet targeted DNS provider Dyn, which shut down and slowed internet traffic across the U.S.
Hajime was first discovered in the same month, when security researchers at Rapidity Networks were on the lookout for Mirai activity. What they found instead was something similar, but also more tenacious.
Like Mirai, Hajime also scans the internet for poorly secured IoT devices like cameras, DVRs, and routers. It compromises them by trying different username and password combinations#and then transferring a malicious program.

However, Hajime doesn’t take orders from a command-and-control server like Mirai-infected devices do. Instead, it communicates over a peer-to-peer network built off protocols used in BitTorrent, resulting in a botnet that's more decentralized -- and harder to stop.
"Hajime is much, much more advanced than Mirai," Webb said. "It has a more effective way to do command and control."
Broadband providers have been chipping away at Mirai-created botnets, by blocking internet traffic to the command servers they communicate with. In the meantime, Hajime has continued to grow 24/7, enslaving some of the same devices. Its peer-to-peer nature means many of the infected devices can relay files or instructions to rest of the botnet, making it more resilient against any blocking efforts.

Who's behind Hajime? Security researchers aren’t sure. Strangely, they haven't observed the Hajime botnet launching any DDoS attacks -- which is good news. #A botnet of Hajime’s scope is probably capable of launching a massive one similar to what Mirai has done.
"There’s been no attribution. Nobody has claimed it," said Pascal Geenens, a security researcher at security vendor Radware. #
However, Hajime does continue to search the internet for vulnerable devices. Geenens' own honeypot, a system that tracks botnet activity, has been inundated with infection attempts from Hajime-controlled devices, he said.
So the ultimate purpose of this botnet remains unknown.#But one scenario is it'll be used for cybercrime to launch DDoS attacks for extortion purposes or to engage in financial fraud. #
"It's a big threat forming," Geenens said. "At some point, it can be used for something dangerous."
It’s also possible Hajime might be a research project. Or in a possible twist, maybe it's a vigilante security expert out to disrupt Mirai.
So far, Hajime appears to be more widespread than Mirai, said Vesselin Bontchev, a security expert at Bulgaria's National Laboratory of Computer Virology.
However, there's another key difference between the two malware. Hajime has been found infecting a smaller pool of IoT devices using ARM chip architecture.
That contrasts from Mirai, which saw its source code publicly released in late September. Since then, copycat hackers have taken the code and upgraded the malware.#Vesselin has found Mirai strains infecting IoT products that use ARM, MIPS, x86, and six other platforms.
That means the clash between the two malware doesn’t completely overlap. Nevertheless, Hajime has stifled some of Mirai’s expansion.
"There's definitely an ongoing territorial conflict," said Allison Nixon, director of security research at Flashpoint.
To stop the malware, security researchers say it's best to tackle the problem at its root, by patching the vulnerable IoT devices. But that will take time and, in other cases, it might not even be possible. Some IoT vendors have released security patches for their products to prevent malware infections, but many others have not, Nixon said.
That means Hajime and Mirai will probably stick around for a long time, unless those devices are retired.
"It will keep going," Nixon said. "Even if there's a power outage, [the malware] will just be back and re-infect the devices. It's never going to stop."

[OUTLAW 09]

IMPORTANT for providers of critical infrastructure....

Severe vulnerability in GE Multilin SR poses a serious threat to Power Grid
Security experts discovered a critical vulnerability in GE Multilin SR that poses a serious threat to the power grid worldwide. A team of researchers from New York University has found a serious vulnerability in some of GE Multilin SR protection relays...

The experts will provide further details about the vulnerability at the upcoming Black Hat conference in Las Vegas,#below an excerpt from the#abstract#published on the conference website.
“Essentially, we completely broke the homebrew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations,” explained the experts in their abstract. “Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack.”
The experts will propose also a live demo showcasing exploitation of the vulnerability during their talk anticipating that an attack leveraging on the issue would have a significant impact on a nation.
The#ICS-CERT published a security advisory#on this threat that was tracked as CVE-2017-7095.
An attacker can obtain the password either from the front LCD panel or via Modbus commands and use it to gain unauthorized access to vulnerable products.
“Successful exploitation of this vulnerability may allow a remote attacker to obtain weakly encrypted user passwords, which could be used to gain unauthorized access to affected products.” reads the advisory.#
“Cipher text versions of user passwords were created with a non-random initialization vector leaving them susceptible to dictionary attacks. Cipher text of user passwords can be obtained from the front LCD panel of affected products and through issued Modbus commands.”

The following versions of GE Multilin SR relays are affected by the flaw:
750 Feeder Protection Relay, firmware versions prior to Version 7.47,
760 Feeder Protection Relay, firmware versions prior to Version 7.47,
469 Motor Protection Relay, firmware versions prior to Version 5.23,
489 Generator Protection Relay, firmware versions prior to Version 4.06,
745 Transformer Protection Relay, firmware versions prior to Version 5.23, and
369 Motor Protection Relay, all firmware versions.
GE has promptly released firmware updates that fix the vulnerability for most of the above products. The firmware updates for 369 Motor Protection Relays are expected to be released in June.
To mitigate the vulnerability#GE recommends that users apply updated firmware versions to affected products, as well as implement the following best practices:
Control access to affected products by keeping devices in a locked and secure environment,
Remove passwords when decommissioning devices,
Monitor and block malicious network activity, and
Implement appropriate network segmentation and place affected devices within the control system network, behind properly configured firewalls. Protection and Control system devices should not be directly connected to the Internet or business networks.
While the recent disruptions to Ukraine’s energy supply have clearly demonstrated that attacks on the power grid are a reality, it’s not uncommon for cybersecurity researchers to exaggerate the impact of their findings. It remains to be seen exactly how easily this flaw can be exploited after more information is made available.

[AdamG]

(CNN)White House homeland security adviser Tom Bossert said Monday the United States believes North Korea was behind the "WannaCry" cyberattack earlier this year.
"After careful investigation, the US today publicly attributes the massive 'WannaCry' cyberattack to North Korea," Bossert wrote in a Wall Street Journal op-ed.
He continued, "The attack was widespread and cost billions, and North Korea is directly responsible."

http://www.cnn.com/2017/12/18/politi...cry/index.html

Previous posts-in-thread on WannaCry.
http://council.smallwarsjournal.com/...archid=6713937
You're welcome.