Ukrainian Police Arrest 6 Hackers Linked to DDoS and Financial Attacks

Ukrainian Police have this week busted two separate groups of hackers, one involved in carrying out DDoS attacks against news agencies and the other in stealing money from Ukrainian citizens.

According to the authorities, the four suspected hackers they arrested last week, all aged from 26 to 30 years, stole more than 5 million Hryvnia (around 178,380 USD) from the bank accounts of Ukrainian citizens by hacking into their computers.

The suspects carried out their attacks by scanning the Internet for vulnerable computers and infecting them with custom Trojan malware that gave them full remote control of the systems.

The group then apparently enabled key-logging on the infected computers to capture the victims’ banking credentials whenever the owners of those machines entered that information on a banking site or in their digital currency wallet.

Once they had hold of the victims’ banking and financial data, the attackers logged into the victims’ online banking accounts and transferred the funds or cryptocurrencies to accounts under their own control.

Besides stealing money, the suspects also left a backdoor on the victims’ computers for continued control, so that they could use the machines in the future for other illicit activities.

Criminal proceedings against all the four people have been initiated under several articles of the Criminal Code of Ukraine, including theft and unauthorized interference with the work of computers, automated systems, computer networks or telecommunication networks.

Two Ukrainian DDoS Hackers Arrested

In a separate press release, Police today announced the arrest of two other hackers, aged 21 and 22, suspected of performing DDoS attacks against several critical Ukrainian resources, including news sites of the city of Mariupol and several state educational institutions.

According to the authorities, the duo developed two DDoS tools which they used to send hundreds of automated requests per second to the targeted regional information resources, eventually making those services unavailable.

The pair is currently facing up to six years in prison under article 361 of the Criminal Code of Ukraine, which includes unlawful interference with the work of computers, automated systems, computer networks or telecommunication networks.

LAW ENFORCEMENT AGENCIES ACROSS THE EU PREPARE FOR MAJOR CROSS-BORDER CYBER-ATTACKS

The possibility of a large-scale cyber-attack having serious repercussions in the physical world and crippling an entire sector or society is no longer unthinkable. To prepare for major cross-border cyber-attacks, an EU Law Enforcement Emergency Response Protocol has been adopted by the Council of the European Union. The Protocol gives a central role to Europol’s European Cybercrime Centre (EC3) and is part of the EU Blueprint for Coordinated Response to Large-Scale Cross-Border Cybersecurity Incidents and Crises. It serves as a tool to support the EU law enforcement authorities in providing an immediate response to major cross-border cyber-attacks through rapid assessment, the secure and timely sharing of critical information and effective coordination of the international aspects of their investigations.

In 2017, the unprecedented WannaCry and NotPetya cyber-attacks underlined the extent to which incident-driven and reactive responses were insufficient to address rapidly evolving cybercriminal modus operandi effectively.

The EU Law Enforcement Emergency Response Protocol determines the procedures, roles and responsibilities of key players both within the EU and beyond; secure communication channels and 24/7 contact points for the exchange of critical information; as well as the overall coordination and de-confliction mechanism. It strives to complement the existing EU crisis management mechanisms by streamlining transnational activities and facilitating collaboration with the relevant EU and international players, making full use of Europol’s resources. It further facilitates the collaboration with the network and information security community and relevant private sector partners.

Only cyber security events of a malicious and suspected criminal nature fall within the scope of this Protocol; it will not cover incidents or crises caused by a natural disaster, man-made error or system failure. Therefore, in order to establish the criminal nature of the attack, it is fundamental that the first responders perform all required measures in a way to preserve the electronic evidence that could be found within the IT systems affected by the attack, which are essential for any criminal investigation or judicial procedure.

MULTI-STAKEHOLDER PROCESS

The protocol is a multi-stakeholder process and entails in total seven possible core stages from the early detection and the threat classification to the closure of the Emergency Response Protocol.

“It is of critical importance that we increase cyber preparedness in order to protect the EU and its citizens from large scale cyber-attacks”, Wil van Gemert, Deputy Executive Director of Operations at Europol, said. “Law enforcement plays a vital role in the emergency response to reduce the number of victims affected and to preserve the necessary evidence to bring to justice the ones who are responsible for the attack.”

Chinese government departments targeted with GandCrab v5.2 ransomware

  • The malware comes concealed as an archive named ‘03-11-19.rar’.
  • The phishing attack has been running since March 11, 2019.

A new phishing campaign that uses GandCrab v5.2 ransomware to infect Chinese government officials has recently been discovered. The malware comes concealed in an archive named ‘03-11-19.rar’.

How does it work – According to China’s Internet Network Information Center, the phishing attack has been running since March 11, 2019. The hackers are targeting relevant government departments in China with emails carrying the ransomware. The emails come from various senders, such as ‘Min, Gap Ryong’; going by the senders’ names, the operators are believed to be from North Korea.

“According to the monitoring of the China Internet Network Information Center, starting from March 11, 2019, a hacker organization outside the country launched a ransomware mail attack on relevant government departments in China. After analysis and analysis, the ransomware version number is GANDCRABV5.2, which is the latest upgraded ransomware version in February 2019,” said the report.

What does the ransomware do – Once installed, GandCrab v5.2 encrypts the data on the host’s hard disk and directs the user to download the Tor browser. Through the Tor browser the victim is taken to the attacker’s digital currency payment page and asked to pay the ransom.

What steps are taken – Following the discovery, all units of the Chinese government have been asked to monitor their systems and report any future attacks. Other crucial measures have also been recommended to mitigate the attack. This includes –

  • Keeping the antivirus up-to-date;
  • Disabling automatic functions for USB ports;
  • Disconnecting infected hosts or servers;
  • Upgrading the operating systems to latest versions.

GandCrab v5.2 is the latest version of the ransomware family. No decryption keys are currently available for this version of GandCrab.

‘Gnosticplayers’ is now selling another 26 million user records on the Dark Web

  • Gnosticplayers had earlier exposed more than 840 million user records during the month of February.
  • This is the fourth time the attacker has put a trove of sensitive information out in the open.

Gnosticplayers, the infamous hacker who exposed and sold millions of user records in early 2019, has yet again put a new batch of user records up for sale. This fresh data dump contains over 26 million records belonging to customers of six companies around the world.

Worth noting

  • According to ZDNet, the six companies impacted are GameSalad, Estante Virtual, Coubic, LifeBear, Bukalapak, and YouthManual.
  • The largest number of user records (13.2 million) leaked was from Bukalapak, an Indonesian e-commerce company, while the smallest portion (1.12 million) of the dump was from YouthManual, a website aimed to help Indonesian students in their career.
  • GameSalad, Estante Virtual, Coubic, and LifeBear each leaked 1.5, 5.45, 1.5 and 3.86 million records respectively.
  • Gnosticplayers cites poor security implementations by these companies as the reason for their breaches.

Why it matters – This is the fourth in a series of user record dumps put up for sale by the same individual. The first batch contained 620 million user records, while the second and third batches contained 127 million and 93 million records respectively.

Though the data released by the hacker mostly contains records from previous breaches, the combined sale of such a large amount of data means other cybercriminals could leverage it for future credential stuffing attacks, leading to further damage. Interestingly, the hacker claims that he has sold only a portion of the data in his possession.

Moreover, Gnosticplayers told ZDNet, “I came to an agreement with some companies, but the concerned startups won’t see their data for sale. I did it that’s why I can’t publish the rest of my databases or even name them.”

Although this batch is smaller than the three previous ones, it is a tell-tale sign of how many companies fail to implement rigid security measures when it comes to protecting vast amounts of user data.

Juniper Networks boosts firewall performance with new processing card

Juniper Networks is upgrading its services processing card to try and keep up with increasingly complicated security demands that come with the rise of IoT, 5G and the enterprise edge.

The networking product company last week announced its latest services processing card, the SPC3, for the SRX5400, 5600 and 5800 next-generation firewalls. In an Aug. 7 press release, Juniper said the new card transforms the SRX5000 line into “one of the most powerful firewalls on the market.”

The SPC3 will allow customers to tap into more efficient operations, reduce energy and cooling costs and over time even scale their capabilities without service interruptions, said Amy James, director of security portfolio marketing for Juniper Networks, in a statement.

“With the rise of IoT, 5G and hybrid cloud network environments, many of our customers are faced with rapidly increasing bandwidth demands that necessitate a security platform that can scale while protecting the network against an advanced and high-volume cyberattack landscape,” she said. “Juniper’s SRX5000 line of firewalls with SPC3 Advanced Security Acceleration ensures our customers have powerful security without sacrificing the performance, scale and agility needed to stay aligned with changing business needs.”


IT Act Amendment Bill to be tabled in ongoing winter session of Parliament

With social media gaining prominence, the Union Ministry of Electronics and IT has made amendments to Information Technology (IT) Act 2000, which is likely to be introduced in the ongoing winter session of Parliament.

A Cabinet note has been readied by the ministry. The note has already received a legal vetting from the law ministry, a senior government official told DNA Money. The Cabinet note is expected to come up for approval next week.

The Information Technology (Amendment) Bill, 2018, has already been listed in one of the upcoming Bills for consideration in the winter session.

The IT Act was last amended in 2008 and it’s been a decade since then. Technology has changed rapidly and with government’s thrust on digital India, cyber safety and data protection, there was a dire need of changes in the Act, the official said.

The current IT Act is a thoroughly outdated piece of legislation. The last amendments were made in 2008, and those were too few and did not address all the issues. The new amendments may include a framework for strengthening cyber security standards.

The plans to introduce the data protection Bill in this session, however, have been postponed.

The ministry had as many as 650 responses so far to the draft version of the data protection Bill submitted by Justice BN Srikrishna Committee in July this year. The Srikrishna committee had recommended storing one copy of all personal data in India, while critical information can be stored only locally.

However, the definition of ‘critical personal data’ has been left for the government to decide. The draft was open for public comments, but the inter-ministerial consultations are yet to be completed. The draft Bill suggests measures for safeguarding personal information, defines the obligations of data processors as well as the rights of individuals, and proposes penalties for violations.

Minister for IT and Electronics Ravi Shankar Prasad had earlier said digital medium has to be safe and secure to ensure equitable spread of benefits. India’s digital inclusion initiative is already being acknowledged globally. In less than five years, the government has made 307 government services available on the Umang platform and efforts are on to bring all central and state services on it.

HOW DISRUPTIVE TECHNOLOGIES ARE TRANSFORMING THE CYBER SECURITY LANDSCAPE

In this digitally savvy world, what could be the most daunting nightmare of a technophile? Cyber-crime, evidently! Online privacy violations and data breaches can push a tech geek to a nervous breakdown, and the way to ride out this issue is efficient cyber security. The set of techniques and tools used to protect computer networks, programs, and data from illegitimate access or attacks is what we call cyber security.

With an influx of disruptive technologies such as artificial intelligence (AI), machine learning, and IoT, cyber security has reached a new level of confidence in the digital space. Rather than being a damage-control measure, it has become a prioritized commercial investment for many businesses. Organizations dealing in IT technologies in any form are applying artificial intelligence to their security surface for better outcomes.

Observing the recent developments in AI, we can say that it brings something valuable to the table. The technology has driven smart autonomous security systems that are able to learn by themselves. Using machine learning and suitable AI software, drawing parallels across big data has become simpler. AI algorithms are valuable for recognizing anomalies against regular patterns: the combination of cyber security and AI provides a way to establish a baseline of what is normal and to spot what deviates from that pattern. In addition, AI with its supervised algorithms is capable of detecting the threats on which it has been trained.

Advancements of such technologies in reference to global cyber security trends have played the role of market drivers as well.

Some of the major market players who have leveraged AI/ML for cyber defense are contributing significantly to the global cyber security landscape. These tycoons are definitely pushing the cyber security market figures to new highs. A recent report projects the global cyber security market to be around $245 billion by 2023.

In the next couple of years, the cyber security market is expected to grow strongly in India as well. The country is among the fastest growing regions for cyber security companies and technologies, which attracts hefty investment overall. India is undoubtedly well geared towards taking the necessary measures to secure its networks across cyberspace.

Widening the lens, if we look at region-wise protection against cyber-attacks, the US, followed by Israel and Russia, leads the effort in network security. The urge to survive the rush of cyber-crime has prepared these countries as well as possible to discover and protect against cyber threats. Canada, the UK, Malaysia, China, France, Sweden, and Estonia are ranked next to them in curbing malware infections.

Cyber risk poses a serious threat to a nation, affecting government, economic, organizational and citizens’ affairs. Enterprises across the globe are emerging as the sheriffs taking countermeasures against cyber-attacks. Given the certainty of network threats, cyber security is no longer a national affair; it has emerged as an international concern in which every commercial, non-commercial, governmental or non-governmental entity needs to adopt disruptive technologies to outpace malicious maneuvers.

DLL Hijacking attacks: What is it and how to stay protected?

  • DLL Hijacking attacks are broadly categorized into three types – DLL search order attack, DLL side-loading attack, and Phantom DLL Hijacking attack.
  • For a DLL hijacking attack to be successful, an attacker has to trick the victim into opening a file with a vulnerable application from a remote network location.

DLL Hijacking is an attack vector that exploits the way Windows applications search for and load Dynamic Link Libraries (DLLs). If an application is vulnerable to DLL Hijacking, attackers can place malicious DLLs in the PATH or in another location that is searched by the application and have the application execute them.

Types of DLL Hijacking attacks

DLL Hijacking attacks are broadly categorized into three types,

  • DLL search order attack
  • DLL side-loading attack
  • Phantom DLL Hijacking attack

DLL search order attack – Windows looks for a DLL in a fixed sequence of directories. In a DLL search order attack, a malicious DLL with the expected name is placed in a directory that is searched before the one holding the legitimate DLL, and the executable loads the malicious copy.

DLL side-loading attack – A DLL side-loading attack leverages the WinSxS (side-by-side assembly) directory.

Phantom DLL Hijacking – A Phantom DLL Hijacking attack exploits very old DLLs that no longer exist on the system but that applications still attempt to load. Attackers place a malicious DLL with that name in the search path, and the malicious code is executed instead.

How does it work?

For a DLL hijacking attack to be successful, an attacker has to trick the victim into opening a file with a vulnerable application from a remote network location. If the vulnerable application tries to load an external DLL from that same location, the attack will most likely succeed.

Examples of DLL Hijacking

Example 1 – Farseer malware employs DLL sideloading technique

The Unit 42 research team recently uncovered a new malware family dubbed Farseer that targets the Microsoft Windows operating system. Farseer uses the ‘DLL sideloading’ technique: it drops legitimate, signed binaries onto the host and has them load its malicious DLL, which helps it evade detection by antivirus software.

Example 2 – KerrDown distributed via DLL side-loading

Researchers recently spotted a custom downloader ‘KerrDown’ which is used by the OceanLotus threat actor group to infect victims with payloads such as Cobalt Strike Beacon.

OceanLotus was responsible for multiple attack campaigns against private sectors across multiple industries, foreign governments, activists, and dissidents connected to Vietnam.

OceanLotus threat actors leveraged two methods to deliver the ‘KerrDown’ downloader to victims:

  • Microsoft Office document with malicious macro, and
  • RAR archive which contains a legitimate program with DLL side-loading.

How to stay protected?

  • Researchers recommend enabling SafeDllSearchMode to prevent attackers from exploiting the search path.
  • It is also recommended to ensure that only signed DLLs are loaded for most system processes and applications.
  • To avoid DLL Hijacking, it is best to write secure code that loads DLLs from a specified, fully qualified path only.
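As an added example (not from the original article), the PowerShell audit below checks the two registry values that govern how Windows orders the DLL search path and then lists DLLs sitting next to an application that are unsigned or that shadow a System32 DLL of the same name, the placement a search order hijack relies on. It assumes an elevated session; `$AppDir` is a hypothetical path the operator supplies.

```powershell
# Audit DLL search order hardening and look for hijack-prone DLLs in an app folder.
# Example code, not WatchGuard's, Unit 42's or Microsoft's; $AppDir is hypothetical.
param(
    [string]$AppDir = 'C:\Program Files\ExampleApp'   # hypothetical, replace with a real path
)

$smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$props = Get-ItemProperty -Path $smKey

# SafeDllSearchMode = 1 moves the current directory behind the system directories
# in the search order; 0 searches it right after the application directory.
$safe = $props.SafeDllSearchMode
if ($null -eq $safe) {
    Write-Output 'SafeDllSearchMode: value not set (OS default is enabled)'
} elseif ($safe -eq 1) {
    Write-Output 'SafeDllSearchMode: enabled (1)'
} else {
    Write-Warning "SafeDllSearchMode: DISABLED ($safe); current directory is searched before System32"
}

# CWDIllegalInDllSearch (KB2264107): 0xFFFFFFFF removes the current directory
# from the search order, 2 blocks it for remote shares and WebDAV, 1 for WebDAV only.
# This is the control that addresses the "open a file from a remote location" case.
$cwd = $props.CWDIllegalInDllSearch
switch ($cwd) {
    $null      { Write-Warning 'CWDIllegalInDllSearch: not set; current directory still searched for remote files' }
    4294967295 { Write-Output  'CWDIllegalInDllSearch: 0xFFFFFFFF (current directory removed from search)' }
    2          { Write-Output  'CWDIllegalInDllSearch: 2 (blocked for remote shares and WebDAV)' }
    1          { Write-Output  'CWDIllegalInDllSearch: 1 (blocked for WebDAV only)' }
    default    { Write-Warning "CWDIllegalInDllSearch: unexpected value $cwd" }
}

# Inspect DLLs shipped beside the application: an unsigned DLL, or one whose
# name matches a System32 DLL, is where a search order or side-loading hijack
# would appear and deserves a closer look.
$sysDir = Join-Path $env:SystemRoot 'System32'
if (-not (Test-Path -LiteralPath $AppDir)) {
    Write-Warning "Application directory not found: $AppDir"
    return
}

$findings = Get-ChildItem -LiteralPath $AppDir -Filter *.dll -Recurse -File | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    [pscustomobject]@{
        Path           = $_.FullName
        Signature      = $sig.Status
        Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        ShadowsSystem32 = Test-Path -LiteralPath (Join-Path $sysDir $_.Name)
    }
} | Where-Object { $_.Signature -ne 'Valid' -or $_.ShadowsSystem32 }

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No unsigned or System32-shadowing DLLs found under $AppDir"
}
```

A DLL flagged here is not proof of compromise; compare its hash and signer against the vendor's release before acting on it.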

Fireware 12.4 Beta Release

WatchGuard's Solutions

Fireware 12.4 Beta
We’ve just posted the latest update to our Fireware 12.4 Beta release. This release, which is available for all Firebox appliances, continues WatchGuard’s commitment to building out our SD-WAN roadmap. We’ve seen very positive reaction to the features that we introduced in 12.3, and there has been lots of great feedback on 12.4 in the Beta forum so far. Some of the key highlights in 12.4 include:

  • SD-WAN for VPN and Private Lines: Extends SD-WAN benefits to more than just external WAN connections, allowing organizations to cut back on expensive MPLS connections. You can now measure loss/latency/jitter on Virtual Interface VPNs and internal interfaces.
  • DNSWatch in Bridge Mode: Full DNS security applied in our simplest deployment option where the Firebox does not act as a gateway.
  • Syslog export to two servers: Simultaneously send logs to two different syslog servers. Enables export to third party SIEM and also a local syslog server for log retention.
  • TLS 1.3 Support: Continued compliance and support for latest standards with full inspection of HTTPS traffic using TLS 1.3.

Full details on these and other features in Fireware 12.4 are available in the What’s New presentation, which is posted at the Beta site. We’ve been in Beta for a couple of months now, and we are getting close to a stable final release, but we’d like to hear from more people.

Sign up to participate in the Fireware 12.4 Beta program today if you are not already in the program.

WatchGuard Beta Testing
By being a WatchGuard Beta tester, you get to see products in early stages of development, and your feedback will influence this release and the course of future products. Broad participation in our Beta programs also helps us to deliver high quality final releases. There are open Beta programs across 4 different product areas at the moment. You can always find out more at our Beta program page. If you’ve never joined a WatchGuard Beta program, this is a great time to jump in!

Cybercriminals leverage ‘Fake CDC Flu’ warning to distribute GandCrab 5.2 ransomware

  • The attack begins with users receiving a fake CDC email.
  • In order to make it less suspicious, the email is distributed under the subject line of ‘Flu Pandemic Warning’.

The infamous GandCrab is back in a new phishing campaign. Here, the attackers are using a fake Center for Disease Control (CDC) warning to distribute the GandCrab 5.2 ransomware onto victims’ systems.

How does it work – As per My Online Security, the attack begins with users receiving a fake CDC email. In order to make it less suspicious, the email is distributed under the subject line of ‘Flu Pandemic Warning’. However, a close look reveals that the email comes from a sender ‘Peter@eatpraynope[.]com’ which has nothing to do with the CDC.

“To confuse the issue even more the subject line was written in what looks like a mix of cyrillic & western characters & encoded in UTF8 format so a computer will automatically translate / decode it. When I first tried to post this, I got a garbled mess of characters in the url to this post where the Copy & pasting from the email picked up the utf8 format,” the researchers explained.

The email includes a malicious Word document that appears to contain instructions on how to prevent flu. When users open the document and enable its macros, GandCrab 5.2 is unleashed and installed on the computer.

“The Word doc attachment is almost empty with just an Urgent Notice Heading. The scumbags trying to compromise you are hoping that you will enable content & editing to enable the macros that let this run,” said researchers.

Encryption process – Once installed, the ransomware encrypts the victims’ files and leaves behind a warning note, asking for ransom.

“The C2 for this is a well known site ‘https[:]//www.kakaocorp.link/static/tmp/eshe[.]png’ where the ransomware posts encrypted / encoded details about the compromised computer,” read the report.

To stay safe, users are urged to ignore such emails and not to open the attached document or click any link in them, as doing so can infect their systems.

Sizmek reviews account breach that enables attackers to modify existing ads and offers

  • The credential of the affected user account is being sold on the dark web for a price starting from $800.
  • Following the discovery, Sizmek has forced a password reset on all internal employee accounts.

Sizmek, an American online advertising platform, is investigating a security incident in which hackers gained access to one of the firm’s user accounts. The credentials of the affected user account are being sold on the dark web for a price starting from $800.

What is the matter – Security researcher Brian Krebs discovered that the compromised account had been put up for sale on a Russian-language cybercrime forum. The account would allow attackers to modify the ads and analytics of big-name advertisers such as Gannett and Fox Broadcasting. Bidding for the stolen account starts at $800.

What is the impact – If threat actors buy access to this type of account, they can use it as a platform to add new users to the ad system and to tamper with both existing ads and offers. They can do this by injecting malicious scripts into the HTML code of ads that run on popular sites.

Describing further what threat actors could do, Krebs said, “They could hijack referral commissions destined for others and otherwise siphon ad profits from the system.”

George Pappachen, Sizmek’s general counsel, confirmed the breach and said that the account that is being resold on the dark web is a regular user account for Sizmek Advertising Suite (SAS).

“Or someone who is looking to sabotage our systems in a bigger way or allow malicious code to enter our systems,” George Pappachen, added.

What actions were taken – Following the discovery of the breach, Sizmek has forced a password reset on all internal employee accounts. In addition, the company is also removing from the SAS user database the details of ex-employees, partners and vendors whose accounts may have been hijacked.

“We’re now doing some level of screening to see if there’s been any kind of intrusion we can detect. It seemed like [the screenshots were accounts from] past employees. I think there were even a couple of vendors that had access to the system previously,” Pappachen explained.

The company performed an extensive review to confirm that no unauthorized logins or accounts appeared in its systems. It is also monitoring its platforms for signs of irregular or unusual activity, Computer Business Review reported.