NEWS/THREATWATCH

Threatwatch

Raccoon infestation

The Cybereason Nocturnus team is warning of a rapid rise in infections using the Raccoon information-stealing malware. It has seen more than 100,000 endpoints falling victim to the malware within a few months, based on logs for sale on underground forums. Raccoon has quickly become one of the top 10 most frequently discussed malware variants in the underground community, said Cybereason. It collects a wide swath of information, including credit card details, crypto-currency wallets, usernames and passwords. The stolen data is often used for blackmail or is traded in cybercrime communities.

MSSQL backdoor

New malware, discovered by ESET, gives attackers persistent backdoor access to servers running Microsoft SQL Server (MSSQL). Dubbed skip-2.0, the tool allows attackers to access any account on MSSQL 11 and 12 installations using a so-called ‘magic password’, while their activities are not recorded in security logs. ESET believes the tool was created by a state-backed hacking group in China, variously known as Winnti, Wicked Panda and APT41, because of similarities with other malware attributed to the group. The skip-2.0 tool injects malicious code into the sqlserv.exe process via the sqllang.dll, hooking into multiple functions used for logging and authentication. This done, the malware can bypass the server’s built-in authentication mechanism, eliminating the need for a valid password. There’s more information here: http://bit.ly/2C6JVSu.

NAS infections

Researchers at Finland’s National Cyber Security Centre (NCSC-FI) have issued a warning about malware that is specifically targeting network attached storage (NAS) products sold by QNAP Systems. The malware, dubbed Qsnatch, steals usernames and passwords, sending them to a command and control server. It’s likely that the people responsible for the malware will attempt to use these credentials to attack other assets within the organisation. It can then download new payloads. The infection vector is not known. However, the researchers have found that the malware injects itself into the device’s firmware, with one of the consequences being that the NAS box’s firmware updater will not work. This makes it impossible to issue a remote fix, and even manually re-installing the firmware may not completely remove the malware. There’s more here: http://bit.ly/2WAiSbU.

Mysterious malware

Malware that has infected more than 45,000 Android devices in the past six months is causing some consternation among security researchers. Although the number of infections is small, the method by which the malware, dubbed Xhelper by Symantec, finds its way on to mobile devices remains elusive. The malware causes devices to download malicious apps, which may remain hidden from users, and to display pop-up advertisements. It is also persistent, re-installing itself even after users think they have removed it. No apps containing Xhelper have been found in the Google Play Store, and researchers think it’s possible that it is an application component that is being pre-installed on some devices, or that it is being spread via web redirects or malicious websites prompting users to download untrusted apps. There’s more here: https://symc.ly/2qfUOPu.

RegDuke and FatDuke. These, the firm says, have been deployed in ‘Operation Ghost’ against foreign ministries in at least three different countries in Europe and a Washington DC-based embassy of a European Union country. “We found strong code similarities between already documented samples and samples from Operation Ghost. We cannot discount the possibility of a false flag operation: however, this campaign started while only a small portion of the Dukes’ arsenal was known,” ESET said. There’s more information here: http://bit.ly/2qYJIP3.

Meanwhile, the US mounted secret cyber attacks against computer targets in Iran in response to physical attacks against Saudi oil facilities on September 14, according to a report by Reuters. The strikes against the oil facilities were widely believed to have been backed by Tehran, although the Iranian Government denied any involvement. A Houthi militant group in Yemen, which is said to be aligned with Iran, claimed responsibility. Unnamed US officials told Reuters that, shortly after the attacks, the US targeted IT facilities used to disseminate Iranian propaganda. Iran has denied the attack took place. No other details about the nature or scale of the attack were revealed, but it seems to have been relatively modest.

Child exploitation site is shut down

An analysis of Bitcoin payments allowed law enforcement investigators to locate a major child exploitation website, shut it down and make hundreds of arrests.

A combined operation by the US Homeland Security Investigations (HSI), Internal Revenue Service Criminal Investigation (IRS-CI), as well as the UK’s National Crime Agency (NCA) and Korean National Police resulted in a raid that led to the seizure of 8TB of child exploitation videos and the arrest and conviction, in South Korea, of Jong Woo Son – the operator of the ‘Welcome to Video’ site. The agencies also arrested and charged 337 users of the site who were based in the US, UK, South Korea, Germany, Saudi Arabia, the United Arab Emirates, the Czech Republic, Canada, Ireland, Spain, Brazil and Australia. Leads arising from the seized servers have been sent to authorities in 38 countries worldwide.

Authorities used the Chainalysis Reactor tool to analyse the flow of funds to and from the site, via Bitcoin exchanges. “Because exchanges typically perform Know Your Customer (KYC) processes, many were able to provide copies of identification, addresses, and other relevant transactions associated with those accounts,” explained Chainalysis. “While in many cases the information supplied by the exchanges was enough to identify WTV users, in other cases IRS-CI was able to combine the account information with open source intelligence and standard investigative techniques to identify users.”

The site is believed to have been the largest of its kind. The US National Center for Missing and Exploited Children (NCMEC) is currently analysing the seized material, which includes more than 250,000 unique videos. Some 45% of the videos analysed so far contained images not previously known. There’s more information here: http://bit.ly/2C4q1b4.

Network Security, November 2019, page 3