
PyeongChang 2018 Winter Olympics Opening Ceremony Disrupted by Malware Attack


The Pyeongchang Winter Olympics taking place in South Korea was disrupted over the weekend following a malware attack before and during the opening ceremony on Friday.

The cyber attack coincided with 12 hours of downtime on the official website for the Winter Games, the collapse of Wi-Fi in the Pyeongchang Olympic stadium and the failure of televisions and internet at the main press center, leaving attendees unable to print their tickets for events or get venue information.

The Pyeongchang Winter Olympics organizing committee confirmed Sunday that a cyber attack hit the network helping to run the event during the opening ceremony; the network was fully restored at 8 am local time on Saturday, a full 12 hours after the attack began.

Multiple cybersecurity firms published reports on Monday, suggesting that the cause of the disruption was “destructive” wiper malware that had been spread throughout the Winter Games’ official network using stolen credentials.

Dubbed “Olympic Destroyer” by the researchers at Cisco Talos, the wiper malware focuses mainly on taking down networks and systems and wiping data, rather than stealing information.

The Talos researchers would not comment on attribution, but various security experts have already started attributing the Olympic Destroyer malware to hackers linked to either North Korea, China or Russia.

According to the analysis by Cisco Talos, the attacker had intimate knowledge of the Pyeongchang 2018 network’s systems and knew a “lot of technical details of the Olympic Game infrastructure such as username, domain name, server name, and obviously password.”

“The other factor to consider here is that by using the hard-coded credentials within this malware it’s also possible the Olympic infrastructure was already compromised previously to allow the exfiltration of these credentials,” researchers said.

The Olympic Destroyer malware drops two credential stealers, a browser credential stealer and a system stealer, to obtain required credentials and then spreads to other systems as well using PsExec and Windows Management Instrumentation (WMI), two legitimate Windows administration tools used by network admins to access and carry out actions on other PCs on a network.

The researchers noted that both built-in tools were also abused by the Bad Rabbit ransomware and NotPetya wiper malware last year.

Once installed, the malware first deletes all possible “shadow” copies of files and Windows backup catalogs, turns off recovery mode, and then deletes system logs to cover its tracks and make file recovery difficult.

“Wiping all available methods of recovery shows this attacker had no intention of leaving the machine useable. The sole purpose of this malware is to perform destruction of the host and leave the computer system offline,” reads the Talos blog post.

It’s difficult to accurately attribute this cyber attack to a specific group or nation-state hackers, due to the scarcity of technical evidence to support such a conclusion and because hackers often employ techniques to obfuscate their operations.

How to Mitigate the Threat Cryptocurrency Mining Poses to Enterprise Security


The growing popularity of Bitcoin and other cryptocurrencies is generating curiosity—and concern—among security specialists. Crypto mining software has been found on user machines, often installed by botnets. Organizations need to understand the risks posed by this software and what actions, if any, should be taken.

To better advise our readers, we reached out to the security researchers at Cato Networks. Cato provides a cloud-based SD-WAN that includes FireWall as a Service (FWaaS). Its research team, Cato Research Labs, maintains the company’s Cloud IPS, and today released a list of crypto mining pool addresses that you can use as a blacklist in your firewall. (To download the list, visit this page.)

Cato Research Labs determined crypto mining represents a moderate threat to the organization. Immediate disruption of the organization infrastructure or loss of sensitive data is not likely to be a direct outcome of crypto mining.

However, there are significant risks of increased facility cost that must be addressed.

Understanding Blockchain and Crypto Mining

Crypto mining is the process of validating cryptocurrency transactions and adding encrypted blocks to the blockchain. Miners solve a hash to establish a valid block, receiving a reward for their efforts. The more blocks mined, the more difficult and resource-intensive becomes solving the hash to mine a new block.

Today, the mining process can require years with an off-the-shelf computer. To get around the problem, miners use custom hardware to accelerate the mining process, as well as forming “mining pools” where collections of computers work together to calculate the hash.

The more compute resources contributed to the pool, the greater the chance of mining a new block and collecting the reward. It’s this search for more compute resources that has led some miners to exploit enterprise and cloud networks.

Participating in mining pools requires that computers run native or JavaScript-based mining software (see Figure 1). Both use the Stratum protocol to distribute computational tasks among the computers in the mining pool, over TCP or HTTP/S (technically, WebSockets over HTTP/S).

Figure 1: An example of a website running JavaScript-based mining software. Typically, websites do not ask for permission.

Native mining software will typically use long-lasting TCP connections, running Stratum over TCP; JavaScript-based software will usually rely on shorter-lived connections and run Stratum over HTTP/S.

The Risk Crypto Mining Poses to the Enterprise

Mining software poses a risk to the organization on two accounts. In all cases, mining software is highly compute-intensive, which can slow down an employee’s machine. Running CPUs with a “high-load” for an extended period of time will increase electricity costs and may also shorten the life of the processor or the battery within laptops.

Mining software is also being distributed by some botnets. Native mining software accesses the underlying operating system in a way similar to how botnet-delivered malware exploits a victim’s machine. As such, the presence of native mining software may indicate a compromised device.

How To Protect Against Crypto Mining

Cato Research Labs recommends blocking crypto mining on your network. This can be done by disrupting the process of joining and communicating with the mining pool.

The deep packet inspection (DPI) engine in many firewalls can be used to detect and block Stratum over TCP. Alternatively, you can block the addresses and domains for joining public mining pools.

Approach 1: Blocking Unencrypted Stratum Sessions with DPI

DPI engines can disrupt blockchain communications by blocking Stratum over TCP. Stratum uses a publish/subscribe architecture where servers send messages (publish) to subscribed clients. Blocking the subscription or publishing process will prevent Stratum from operating across the network.

DPI rules should be configured for JSON. Stratum payloads are simple, readable JSON-RPC messages (see Figure 2).

Stratum uses a request/response over JSON-RPC:

Figure 2: Detail of a JSON-RPC batch call (reference: http://www.jsonrpc.org/specification)

A subscription request to join a pool will have the following entities: id, method, and params (see Figure 3). Configure DPI rules to look for these parameters to block Stratum over unencrypted TCP.

{"id": 1, "method": "mining.subscribe", "params": []}

Three parameters are used in a subscription request message when joining a pool.
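As an added example (not Cato’s code or its IPS rule set), the following Python classifier applies the check described above to raw TCP payloads: it generalises the single mining.subscribe check to any JSON-RPC request whose method starts with “mining.” and also unpacks JSON-RPC batch calls (a JSON array, as in Figure 2). The sample payloads are constructed, not captured traffic.

```python
"""Stratum-over-TCP detector: an added example, not Cato's code or rule set.

Stratum v1 is newline-delimited JSON-RPC carried over a long-lived TCP
session. Each client request carries the three entities the text lists:
an "id", a "method" and a "params" list, and every Stratum method name
starts with "mining.". This classifier generalises the mining.subscribe
check to any such request and also unpacks JSON-RPC batch calls (a JSON
array of requests), so a pool join hidden inside a batch is still caught.
"""
import json

# Methods a client sends to join a pool; seeing either one means a pool
# join attempt rather than just pool chatter.
POOL_JOIN_METHODS = {"mining.subscribe", "mining.authorize"}


def iter_jsonrpc_messages(payload: bytes):
    """Yield every JSON-RPC message object in one TCP payload.

    Stratum frames one message per line; a line holding a JSON array is a
    batch call and is unpacked into its member objects. Lines that are not
    JSON (HTTP, binary) are skipped rather than aborting the scan.
    """
    for raw_line in payload.split(b"\n"):
        line = raw_line.strip()
        if not line:
            continue
        try:
            doc = json.loads(line.decode("utf-8", errors="replace"))
        except json.JSONDecodeError:
            continue
        for msg in (doc if isinstance(doc, list) else [doc]):
            if isinstance(msg, dict):
                yield msg


def is_stratum_request(msg: dict) -> bool:
    """True when a message has the Stratum request shape: id + mining.* method + params list."""
    method = msg.get("method")
    return (
        "id" in msg
        and isinstance(method, str)
        and method.startswith("mining.")
        and isinstance(msg.get("params"), list)
    )


def classify_payload(payload: bytes) -> dict:
    """Return a DPI verdict for one payload: Stratum methods seen and whether a pool join occurred."""
    methods = [m["method"] for m in iter_jsonrpc_messages(payload) if is_stratum_request(m)]
    return {
        "stratum": bool(methods),
        "pool_join": any(m in POOL_JOIN_METHODS for m in methods),
        "methods": methods,
    }


# Constructed sample payloads (not captured traffic).
SAMPLE_SUBSCRIBE = b'{"id": 1, "method": "mining.subscribe", "params": []}\n'
SAMPLE_BATCH = (
    b'[{"id": 2, "method": "mining.subscribe", "params": ["cpuminer/2.5"]},'
    b' {"id": 3, "method": "mining.authorize", "params": ["wallet.worker", "x"]}]\n'
)
SAMPLE_OTHER_RPC = b'{"id": 4, "method": "sum", "params": [1, 2]}\n'  # JSON-RPC, but not Stratum
SAMPLE_HTTP = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"  # not JSON at all

if __name__ == "__main__":
    for name, sample in [("subscribe", SAMPLE_SUBSCRIBE), ("batch", SAMPLE_BATCH),
                         ("other-rpc", SAMPLE_OTHER_RPC), ("http", SAMPLE_HTTP)]:
        print(f"{name:10s} -> {classify_payload(sample)}")
```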

Approach 2: Blocking Public Mining Pool Addresses

However, some mining pools create secure Stratum channels. This is particularly true for JavaScript-based applications, which often run Stratum over HTTPS.

Detecting Stratum in that case will be difficult for DPI engines that do not decrypt TLS traffic at scale. (For the record, Cato IPS can decrypt TLS sessions at scale.) In those cases, organizations should block the IP addresses and domains that form the public blockchain pools.

To determine the IP addresses to block, look at the configuration information needed to join a mining pool. Mining software requires miners to fill in the following details:

  • the appropriate pool address (domain or IP)
  • a wallet address to receive equity
  • the password for joining the pool

The configuration information is usually passed via JSON or via command-line arguments (see Figure 3).

Figure 3: A JSON file providing the necessary miner pool configuration

Organizations could configure firewall rules to use a blacklist and block the relevant addresses. In theory, such a list should be easy to create as the necessary information is publicly available. Most mining pools publish their details over the Internet in order to attract miners to their networks (see Figure 4).

Figure 4: Public addresses for mining pools are well advertised as demonstrated by mineXMR.com’s “Getting Started” page

Despite extensive research, though, Cato Research Labs could not find a reliable feed of mining pool addresses. Without such a list, collecting the target mining pool addresses for blocking would be time-consuming.

IT professionals would be forced to manually enter public addresses, which will likely change or grow in number, requiring constant maintenance and updates.
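As an added example of the blocklist approach (not Cato’s feed or code), the Python below turns the pool address a miner is configured with (a “stratum+tcp://…” URL, possibly with wallet and worker in the credentials part, or a bare host:port) into a hostname and checks it against a feed of bare domains and IPs, matching parent domains as well so that a listed pool domain also covers its regional sub-hosts. The feed text and destinations are constructed samples.

```python
"""Pool-address blocklist matcher: an added example, not Cato's feed or code.

A miner's config names its pool as a URL ("stratum+tcp://pool.example:3333",
sometimes with wallet/worker credentials in the userinfo part) or as a bare
"host:port". A blocklist feed, by contrast, lists bare domains and IPs. This
normalises both to a hostname and checks an outbound destination against the
feed by exact host, by parent domain or by IP literal.
"""
import ipaddress
from urllib.parse import urlsplit

# Constructed sample feed (not Cato's list): one host or IP per line,
# '#' starts a comment.
SAMPLE_FEED = """
# constructed sample mining-pool feed
pool.example-xmr.test
us-east.pool.example-btc.test
203.0.113.45
"""


def normalize_pool_host(pool: str) -> str:
    """Reduce a pool URL or host:port string to a lower-case hostname or IP literal."""
    if "://" not in pool:
        # bare "host:port" (or "[v6]:port"): add a scheme so urlsplit parses the authority
        pool = "stratum+tcp://" + pool
    host = urlsplit(pool).hostname  # drops scheme, credentials, port and [] around IPv6
    if not host:
        raise ValueError(f"cannot parse pool address: {pool!r}")
    return host.lower().rstrip(".")


def load_blocklist(feed_text: str):
    """Split a feed into a domain set and an IP set (comments and blanks ignored)."""
    domains, ips = set(), set()
    for line in feed_text.splitlines():
        entry = line.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        try:
            ips.add(ipaddress.ip_address(entry))
        except ValueError:
            domains.add(entry)
    return domains, ips


def is_blocked(destination: str, domains: set, ips: set) -> bool:
    """True when a destination (pool URL or host:port) hits the blocklist."""
    host = normalize_pool_host(destination)
    try:
        return ipaddress.ip_address(host) in ips
    except ValueError:
        pass  # not an IP literal: fall through to domain matching
    labels = host.split(".")
    # check the host itself and each parent domain: "eu.pool.x.test" matches a listed "pool.x.test"
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def blocked_destinations(destinations, feed_text: str):
    """Return the subset of destinations the feed would block, in input order."""
    domains, ips = load_blocklist(feed_text)
    return [d for d in destinations if is_blocked(d, domains, ips)]


if __name__ == "__main__":
    # constructed outbound destinations as a proxy or firewall might log them
    seen = [
        "stratum+tcp://wallet.worker:x@eu.pool.example-xmr.test:5555",
        "203.0.113.45:3333",
        "pool.example-btc.test:3333",  # parent of a listed host, not itself listed
        "https://www.example.test",
    ]
    for d in blocked_destinations(seen, SAMPLE_FEED):
        print("block", d)
```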

Cato Research Labs Publishes List of Mining Pool Addresses

To address the issue, Cato Research Labs generated its own list of mining pool addresses for use by the greater community. Using Google to identify sites and then employing scraping techniques, Cato researchers were able to extract pool addresses for many mining pools.

Figure 5: Partial list of mining pool addresses compiled by Cato Research Labs

Cato researchers wrote code that leveraged those results to develop a mining-pool address feed. Today, the list identifies hundreds of pool addresses (see Figure 5) and should be suitable for most DPI rule engines. See here for the full list.

Final Thoughts

The combined risk of impairing devices, increasing costs, and botnet infections led Cato Research Labs to strongly recommend that IT prevent and remove crypto mining from enterprise networks.

Should software-mining applications be found on the network, Cato Research Labs strongly recommends investigating for active malware infections and cleaning those machines to reduce any risk to the organization’s data.

Cato Research Labs has provided a list of addresses that can be used towards that goal, blocking access to public blockchain pools. But there’s always a chance of new pools or addresses, which is why Cato Research Labs strongly recommends constructing rules using a DPI engine with sufficient encrypted-session capacity.

EU Antitrust Regulators Fine Qualcomm $1.2 Billion Over Apple Deal

The antitrust fine has hit Qualcomm badly.

The European Commission has levied a fine of €997 Million, approximately $1.2 Billion, against U.S. chipmaker Qualcomm Inc. for violating antitrust laws in a series of deals with Apple by “abusing its market dominance in LTE baseband chipsets.”

According to the European Union (EU), Qualcomm paid Apple billions of dollars to make the iPhone-maker exclusively use its 4G chips in all its iPhones and iPads, reducing competition from other competing manufacturers in the LTE baseband chip industry like Intel.

The European Commission launched an investigation in 2015, which revealed that Qualcomm abused its market dominance in LTE baseband chipsets and struck a deal with Apple in 2011, which meant the iPhone maker would have to repay Qualcomm if it decided to use a rival’s chipsets until the end of 2016, hurting innovation in the chip sector.

“This meant that no rival could effectively challenge Qualcomm in this market, no matter how good their products were. This is illegal under EU antitrust rules and why we have taken today’s decision,” EU competition commissioner Margrethe Vestager said in a press statement.

Apple received payments from Qualcomm for approximately 5 years between 2011 and 2016. The company still uses Qualcomm components in its iPhones and iPads, but it began using Intel LTE modems in its iPhone 7 and 7 Plus devices after the agreement ended.

The fine imposed on the chip maker is hefty, but won’t hurt Qualcomm’s bottom line significantly as it represents 4.9 percent of the company’s turnover in 2017, according to the EU’s antitrust commission.

Qualcomm said it ‘strongly disagrees’ with the European Commission’s decision and will ‘immediately appeal’ it at the General Court of the European Union. The company also believes its agreement with Apple does not violate European Union competition law.

“We are confident this agreement did not violate EU competition rules or adversely affect market competition or European consumers,” Qualcomm General Counsel Don Rosenberg said in a statement. “We have a strong case for judicial review, and we will immediately commence that process.”

On top of that, Qualcomm is facing a patent fight with Apple over chip royalties, and is simultaneously fending off a $100 billion hostile takeover bid from rival chipmaker Broadcom; it rejected the bid last November, saying it ‘dramatically undervalued’ the company.

Cybersecurity Certification Courses – CISA, CISM, CISSP

Cybersecurity Certifications Training Courses

The year 2017 saw some of the biggest cybersecurity incidents—from high profile data breaches in Equifax and Uber impacting millions of users to thousands of businesses and millions of customers being affected by the global ransomware threats like WannaCry and NotPetya.

The year ended, but it did not bring an end to the stream of cybersecurity incidents, threats, data breaches, and hacks.

The scope and pace of such cybersecurity threats will rise with every passing year, and with this rise, more certified cybersecurity experts and professionals will be needed by every corporation and organisation to protect themselves from hackers and cyber thieves.

That’s why jobs in the cybersecurity field have grown 80 percent over the past three years, faster than any other IT-related job. So, this is the right time for you to consider a new career as a cybersecurity professional.

But before getting started, you need to gain some valuable cyber security certifications that not only boost your skills but also verify your knowledge and credibility as a cybersecurity expert.

THN Deals Store this week brings you the Cybersecurity Certification Mega Bundle, which will help you master three elite cybersecurity certification exams—CISA, CISM, and CISSP.

Online Cyber Security Courses for CISA, CISM, CISSP Certifications

This online training course provides you with the best-selling study materials to pass the CISA, CISM, and CISSP certification exams. It dives deep into the most proven and practical methods for protecting vulnerable networks in any business environment.

From the fundamentals of cryptography and encryption to the security holes in computer networks and mobile apps, this online course will help you learn about information security audits, assurance, guidelines, standards, and best cybersecurity practices in the industry.

At the end of this course, you will have developed the expertise to manage, design, oversee, and assess an enterprise’s information security, as well as maintain a secure business environment using globally approved information security standards.

If you do not know what CISA, CISM, and CISSP certifications are, below, you can find brief information about the courses and their importance in the IT industry.

1) CISA – Certified Information Systems Auditor

The CISA certification is renowned across the world as the standard of achievement for those who audit, monitor, assess and control information technology and business systems.

Being CISA-certified showcases candidates for their audit experience, skills, and knowledge, and signifies that you are an expert in managing vulnerabilities, instituting controls and ensuring compliance within the enterprise.

2) CISM – Certified Information Security Manager

The demand for skilled information security managers is on the rise, and CISM is the globally accepted certification standard of achievement in this area.

The uniquely management-focused CISM certification ensures you are equipped with the best practices in the IT industry and recognises your expertise to manage, design, oversee and assess an enterprise’s information security.

3) CISSP – Certified Information Systems Security Professional

The CISSP certification is a globally-recognised certification in the field of information security and has become a standard of achievement that is acknowledged worldwide.

Offered by the International Information Systems Security Certification Consortium, commonly known as (ISC)², CISSP is an objective measure of excellence, which requires a broad level of knowledge.

THN Offer: How To Avail 93% Discount on Cybersecurity Certification Training

If you want to select the best and cost-efficient course to pass CISA, CISM, and CISSP certifications, the Cybersecurity Certification Mega Bundle course is the one for you to begin with.

You can get Cybersecurity Certification Mega Bundle for just $69 (after 93% discount) at the THN Deals Store.

So, to sign up for the Cybersecurity Certification Mega Bundle course, click on this link and get your online course now.

Buying this course will not be a wrong decision. In case you are not satisfied with this course for any reason, our training partner also provides a 15-day money-back guarantee and will issue a refund.

So, what are you waiting for? Grab the course now!

New Mirai Okiru Botnet targets devices running widely-used ARC Processors


The cybersecurity threat landscape has never been more extensive and is most likely to grow exponentially in 2018.

Although the original creators of Mirai DDoS botnet have already been arrested and jailed, the variants of the infamous IoT malware are still in the game due to the availability of its source code on the Internet.

Security researchers have spotted a new variant of the infamous Mirai IoT malware designed to hijack insecure devices that run on ARC embedded processors.

Until now, Mirai and its variants have been targeting CPU architectures—including x86, ARM, Sparc, MIPS, PowerPC and Motorola 6800—deployed in millions of Internet of Things (IoT) devices.

New Mirai Okiru Botnet

Dubbed Okiru, the new Mirai variant, first spotted by @unixfreaxjp from the MalwareMustDie team and flagged by independent researcher Odisseus, is a new piece of ELF malware that targets ARC-based embedded devices running the Linux operating system.

“This is the FIRST TIME ever in the history of computer engineering that there is a malware for ARC CPU, & it is #MIRAI OKIRU!! Pls be noted of this fact, & be ready for the bigger impact on infection Mirai (specially #Okiru) to devices hasn’t been infected yet,” Odisseus tweeted.

ARC (Argonaut RISC Core) embedded processor is the world’s second-most-popular CPU core that’s being shipped in more than 2 billion products every year, including cameras, mobile, utility meters, televisions, flash drives, automotive and the Internet of Things.


However, this isn’t the first Mirai botnet variant based on Linux ELF malware. Mirai also has another ELF-based variant, which was designed to target devices running MIPS and ARM processors.

It should also be noted that Okiru, which has also previously been referred to as the Satori IoT botnet (another Mirai variant discovered late last year), is “very different” from Satori despite sharing several characteristics, as explained in a Reddit thread.

Record-Breaking DDoS? The Calm Before The Storm

IoT devices are currently being deployed in a large variety of settings, throughout your home, businesses, hospitals, and even cities (smart cities), but they’re routinely being hacked and used as cyber weapons due to a lack of stringent security measures and insecure encryption mechanisms.

If you are unaware, the world’s largest 1 Tbps DDoS attack so far was launched from just 152,000 infected IoT devices using Mirai botnet, and in a separate attack, just 100,000 devices took down the popular DynDNS service in late 2016.

Since Okiru has been ported to target a new range of millions of “expectedly insecure” devices running ARC processors, the DDoS attacks generated by the Okiru botnet would probably be the biggest cyberattacks ever.

“From this day, the landscape of #Linux #IoT infection will change. #ARC CPU has produced #IoT devices more than 1 billion per year. So these devices are what the hackers want to aim to infect #ELF #malware with their #DDoS cannons. It’s a serious threat will be,” Odisseus tweeted.

The fresh arrival of ARC-based IoT devices into botnet scheme will exponentially raise the number of insecure devices to an unprecedented size, making it easy for hackers to gain control over a large number of poorly configured and vulnerable IoT devices.

macOS Malware Creator Charged With Spying on Thousands of PCs Over 13 Years


The U.S. Justice Department on Wednesday unsealed a 16-count indictment against a computer programmer from Ohio who is accused of creating and installing spyware on thousands of computers over more than 13 years.

According to the indictment, 28-year-old Phillip R. Durachinsky is the alleged author of FruitFly malware that was found targeting Apple Mac users earlier last year worldwide, primarily in the United States.

Interestingly, Durachinsky was just 14 years old when he programmed the first version of the FruitFly malware, and this full-fledged backdoor trojan went largely undetected for several years, despite using unsophisticated and antiquated code.

The malware was initially discovered in January 2017 by Malwarebytes and then Patrick Wardle, an ex-NSA hacker, found around 400 Mac computers infected with the newer strain of FruitFly. However, Wardle believed the number of infected Macs would likely be much higher.

The malware is capable of advanced surveillance on macOS devices with the ability to remotely take control of webcams, microphones, screen, mouse, and keyboards, as well as install additional malicious software.

Since the source code of Fruitfly also includes Linux shell commands, the researchers believe the malware would work just fine on the Linux operating system.

From 2003 to January 2017, Durachinsky used spyware, which was later named FruitFly, to gain access to thousands of computers belonging to individuals, companies, schools, a police department, and a subsidiary of the U.S. Department of Energy.

Durachinsky allegedly used the malware to steal the personal data of victims, including their tax records, banking records, medical records, login credentials, photographs, Internet searches, and potentially embarrassing communications.

“He is alleged to have developed computer malware later named “Fruitfly” that he installed on computers and that enabled him to control each computer by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio,” the DoJ says.

Besides installing Fruitfly, Durachinsky is also accused of producing child pornography, as in some cases, the malware alerted him if a user typed any pornography term. It’s likely such action would prompt recording.

Durachinsky is facing charges of Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child pornography, and aggravated identity theft.

However, the charges are merely allegations at this time, and the defendant is presumed innocent unless proven guilty beyond a reasonable doubt in a court of law.

Wi-Fi Alliance launches WPA3 protocol with new security features


The Wi-Fi Alliance has finally announced the long-awaited next generation of the wireless security protocol—Wi-Fi Protected Access (WPA3).

WPA3 will replace the existing WPA2, the network security protocol that has been around for at least 15 years and is widely used by billions of wireless devices every day, including smartphones, laptops and Internet of Things devices.

However, WPA2 has long been considered insecure due to a common security issue, namely “unencrypted” open Wi-Fi networks, which allow anyone on the same Wi-Fi network to intercept connections on other devices.

Most importantly, WPA2 has also recently been found vulnerable to KRACK (Key Reinstallation Attack) that makes it possible for attackers to intercept and decrypt Wi-Fi traffic passing between computers and access points.

The new standard of Wi-Fi security, which will be available for both personal and enterprise wireless devices later this year, offers improved security and privacy.

  • WPA3 protocol strengthens user privacy in open networks through individualised data encryption.
  • WPA3 protocol will also protect against brute-force dictionary attacks, preventing hackers from making multiple login attempts by using commonly used passwords.
  • WPA3 protocol also offers simplified security for devices that often have no display for configuring security settings, i.e. IoT devices.
  • Finally, there will be a 192-bit security suite for protecting WiFi users’ networks with higher security requirements, such as government, defence and industrial organisations.

“Wi-Fi security technologies may live for decades, so it’s important they are continually updated to ensure they meet the needs of the Wi-Fi industry,” said Joe Hoffman, SAR Insight & Consulting. “Wi-Fi is evolving to maintain its high-level of security as industry demands increase.”

Since hardware must get certified by the Wi-Fi Alliance to use WPA3 security protocol, the new security standard won’t arrive overnight.

It could take months for device manufacturers to support the new wireless security standard, but the first WPA3-certified devices are expected to ship later this year. More details about WPA3 have yet to be released.

Huge Flaw Found in Intel Processors; Patch Could Hit 5-30% CPU Performance


The first week of the new year is not yet over, and a massive vulnerability is about to hit hundreds of millions of Windows, Linux, and Mac users worldwide.

According to a blog post published yesterday, the core team of Linux kernel development has prepared a critical kernel update without releasing much information about the vulnerability.

Multiple researchers on Twitter confirmed that Intel processors (x86-64) have a severe hardware-level issue that could allow attackers to access protected kernel memory, which primarily includes information like passwords, login keys, and files cached from disk.

The security patch implements kernel page-table isolation (KPTI) to move the kernel into an entirely separate address space, keeping it protected and inaccessible from running programs and userspace; this requires an update at the operating system level.

“The purpose of the series is conceptually simple: to prevent a variety of attacks by unmapping as much of the Linux kernel from the process page table while the process is running in user space, greatly hindering attempts to identify kernel virtual address ranges from unprivileged userspace code,” writes Python Sweetness.

It is noteworthy that installing the update will hit your system speed negatively and could bring down CPU performance by 5 percent to 30 percent, “depending on the task and processor model.”

“With the page table splitting patches merged, it becomes necessary for the kernel to flush these caches every time the kernel begins executing, and every time user code resumes executing.”

Most details of the flaw have been kept under wraps for now, but given the secrecy, some researchers have also speculated that a JavaScript program running in a web browser could recover sensitive kernel-protected data.

AMD processors are not affected by the vulnerability due to security protections that the company has in place, said Tom Lendacky, a member of the Linux OS group at AMD.

“AMD processors are not subject to the types of attacks that the kernel page table isolation feature protects against,” the company said. 

“The AMD microarchitecture does not allow memory references, including speculative references, that access higher privileged data when running in a lesser privileged mode when that access would result in a page fault.”

The Linux patch, which is being released for all x86 processors, also covers AMD processors, which the mainline Linux kernel has likewise treated as insecure, but AMD specifically recommends not enabling the patch for Linux on its processors.

Microsoft is likely to fix the issue for its Windows operating system in an upcoming Patch Tuesday, and Apple is also likely working on a patch to address the vulnerability.

Greedy North Korean Hackers Targeting Cryptocurrencies and Point-of-Sale Terminals


The North Korean hacking group has turned greedy.

Security researchers have uncovered a new widespread malware campaign targeting cryptocurrency users, believed to originate from Lazarus Group, a state-sponsored hacking group linked to the North Korean government.

Active since 2009, Lazarus Group has been attributed many high-profile attacks, including the Sony Pictures hack, the $81 million heist from Bangladesh Bank, and, most recently, WannaCry.

The United States has officially blamed North Korea for the global WannaCry ransomware attack that infected hundreds of thousands of computers across more than 150 countries earlier this year.

In separate news, security experts have blamed Lazarus group for stealing bitcoins worth millions from the South Korean exchange Youbit, forcing it to shut down and file for bankruptcy after losing 17% of its assets.

Researchers from security firm Proofpoint have published a new report, revealing a connection between Lazarus Group and a number of multistage cyber attacks against cryptocurrency users and point-of-sale systems.

“The group has increasingly focused on financially motivated attacks and appears to be capitalizing on both the increasing interest and skyrocketing prices for cryptocurrencies,” the researchers said. “The Lazarus Group’s arsenal of tools, implants, and exploits is extensive and under constant development.”

After analyzing a large number of spear phishing emails with different attack vectors from multiple spear phishing campaigns, researchers discovered a new PowerShell-based reconnaissance implant from Lazarus Group arsenal, dubbed PowerRatankba.

The encryption, obfuscation, functionality, decoys, and command-and-control servers used by PowerRatankba closely resemble those of the original Ratankba implant developed by Lazarus Group.

The PowerRatankba implant is being spread using a massive email campaign through the following attack vectors:

  • Windows executable downloader dubbed PowerSpritz
  • Malicious Windows Shortcut (LNK) files
  • Several malicious Microsoft Compiled HTML Help (CHM) files
  • Multiple JavaScript (JS) downloaders
  • Macro-based Microsoft Office documents
  • Backdoored popular cryptocurrency applications hosted on fake websites

PowerRatankba, with at least two variants in the wild, acts as a first-stage malware that delivers a fully-featured backdoor (in this case, Gh0st RAT) only to those targeted companies, organizations, and individuals that have interest in cryptocurrency.

“During our research, we discovered that long-term sandboxing detonations of PowerRatankba not running cryptocurrency related applications were never infected with a Stage2 implant. This may indicate that the PowerRatankba operator(s) were only interested in infecting device owners with an obvious interest in various cryptocurrencies,” reads the 38-page-long report [PDF] published by Proofpoint.

Once installed, Gh0st RAT allows cybercriminals to steal credentials for cryptocurrency wallets and exchanges.

It’s notable that PowerRatankba and Gh0st RAT don’t exploit any zero-day vulnerability; instead, Lazarus Group relies on a mix of ordinary programming techniques, such as C&C communication over HTTP, use of the Spritz encryption algorithm and a Base64-encoded custom encryptor.

“It is already well-known that Lazarus Group has targeted and successfully breached several prominent cryptocurrency companies and exchanges,” the researchers say. “From these breaches, law enforcement agencies suspect that the group has amassed nearly $100 million worth of cryptocurrencies based on their value today.”

Besides stealing cryptocurrencies, the group was also found infecting SoftCamp point-of-sale (POS) terminals, largely deployed in South Korea, using RatankbaPOS malware for stealing credit card data.

Since RatankbaPOS was sharing the same C&C server as the PowerRatankba implant, it is believed that both implants are linked to Lazarus Group.

The explosive growth in cryptocurrency values has motivated not only traders but also hackers to invest all their time and resources in making digital wealth.

More details about the new malware campaigns run by Lazarus Group can be found in the in-depth report [PDF], titled “North Korea Bitten by Bitcoin Bug—Financially motivated campaigns reveal a new dimension of the Lazarus Group,” published by Proofpoint on Wednesday.

Two Hackers Plead Guilty to Creating IoT-based Mirai DDoS Botnet

U.S. federal officials have arrested two hackers who have pleaded guilty to computer-crimes charges for creating and distributing the Mirai botnet, which crippled some of the world’s biggest and most popular websites by launching massive DDoS attacks last year.

According to the federal court documents unsealed Tuesday, Paras Jha and Josiah White were indicted by an Alaska court last week on six charges for their role in massive cyber attacks conducted using the Mirai botnet.

Mirai is a piece of nasty IoT malware that scans for insecure routers, cameras, DVRs, and other Internet of Things devices that are still using their default passwords and then adds them to a botnet, which is then used to launch DDoS attacks on websites and Internet infrastructure.
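Because Mirai spreads by having each infected device probe large numbers of addresses on the telnet ports, a compromised device is visible to defenders as one source fanning out to many distinct destinations on TCP/23 or TCP/2323 within a short window. The following detector, an added example that is not part of the article or of any vendor tool, runs that fan-out check over constructed flow-log lines; the log format (`<ISO timestamp> SYN <src> -> <dst>:<port>`), the hosts and addresses, and the 20-destinations-per-minute threshold are all assumptions for illustration.

```python
"""Flag hosts whose telnet fan-out looks like Mirai-style scanning.

Added example (not from the article). The log format, hosts and threshold
below are constructed assumptions; tune the threshold per environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}          # ports Mirai probes for default credentials
WINDOW = timedelta(seconds=60)     # sliding window per source host
THRESHOLD = 20                     # distinct telnet targets per window to alert


def build_sample_log():
    """Constructed flow records: one fast scanner, one benign host, one slow host.

    Format assumed here: "<ISO timestamp> SYN <src_ip> -> <dst_ip>:<dst_port>".
    Addresses are RFC 5737 documentation ranges, not real hosts.
    """
    base = datetime(2016, 9, 20, 21, 0, 0)
    lines = []
    # 192.0.2.10: 30 distinct targets on TCP/23 within 30 seconds (scanner)
    for i in range(30):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} SYN 192.0.2.10 -> 198.51.100.{i + 1}:23")
    # 192.0.2.20: a few HTTPS sessions plus two legitimate telnet logins
    benign = [("203.0.113.5", 443), ("203.0.113.6", 443), ("203.0.113.7", 443),
              ("198.51.100.200", 23), ("198.51.100.201", 2323)]
    for i, (dst, port) in enumerate(benign):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} SYN 192.0.2.20 -> {dst}:{port}")
    # 192.0.2.30: 25 telnet targets, but only one per minute (stays under threshold)
    for i in range(25):
        ts = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{ts} SYN 192.0.2.30 -> 198.51.100.{100 + i}:23")
    return "\n".join(lines)


def parse_line(line):
    """Parse one log line into (timestamp, src_ip, dst_ip, dst_port)."""
    ts, _kind, src, _arrow, dst_port = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_telnet_scanners(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {src_ip: peak distinct telnet targets} for sources at or above threshold.

    Events are processed in time order; for each source we keep only the
    telnet SYNs within `window` of the newest one and track the peak number
    of distinct destinations seen in any such window.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    recent = defaultdict(list)   # src -> [(ts, dst), ...] inside the window
    peak = defaultdict(int)      # src -> max distinct dsts in one window
    for ts, src, dst, port in events:
        if port not in TELNET_PORTS:
            continue
        bucket = recent[src]
        bucket.append((ts, dst))
        while bucket and ts - bucket[0][0] > window:   # expire old events
            bucket.pop(0)
        distinct = len({d for _, d in bucket})
        peak[src] = max(peak[src], distinct)
    return {src: n for src, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    for src, n in find_telnet_scanners(build_sample_log()).items():
        print(f"ALERT telnet fan-out: {src} hit {n} distinct targets in one window")
```

The sliding window is what keeps the slow host (one telnet target per minute) and the admin who logs into two devices out of the alert list, while the infected device that sweeps 30 addresses in half a minute is flagged; in production the same logic runs over firewall or NetFlow exports instead of the constructed lines.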

“Jha and his co-conspirators successfully infected hundreds of thousands of internet-connected computing devices, including computers in Alaska and other states, with malicious software,” the plea agreement said.

Paras Jha and his business partner Josiah White are the same people who were outed by blogger Brian Krebs earlier this year after his blog was also knocked offline by a massive 620 Gbps DDoS attack launched with the Mirai botnet.

According to Jha’s LinkedIn profile, he is a 21-year-old passionate programmer from Fanwood, U.S., who knows how to code in multiple programming languages and is positioned as president of a DDoS mitigation firm, ProTraf Solutions.

A week after the massive DDoS attack, the source code of Mirai was released on the widely used hacker forum Hackforums by Jha who, under the name Anna-senpai, wrote that he had “made their money…so it’s time to GTFO.”

“So today, I have an amazing release for you,” he wrote. “With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”

Once the Mirai source code was out, various cyber criminals started using the IoT malware to launch powerful DDoS attacks against websites and Internet infrastructure; one target was the popular DNS provider Dyn, which was DDoSed by a botnet of around 100,000 Mirai-infected devices.

The U.S. Department of Justice has not released more details about the case yet. We will update this article with new information. Stay Tuned!