The Colonial Pipeline Hackers Are One Of The Savviest Criminal Startups In A $370 Million Ransomware Game


When Colonial Pipeline took its gasoline lines down following a successful cyberattack last week, it became the most high-profile victim of a hacking group called DarkSide.

But DarkSide isn’t a single entity. It’s a media-savvy, semiprofessional startup and software supplier for an illicit market of hackers looking for a quick, easy way to breach and extort large businesses. In a ransomware game that, according to data from cryptocurrency tracker Chainalysis, brought the criminals $370 million in ransom payments in 2020, DarkSide and its partners represent a dangerous new breed of underground businesses that work together to menace legitimate organizations across the public and private sectors.

The security industry calls DarkSide’s business model “ransomware-as-a-service,” as it mimics the software-as-a-service model. First, provide financially motivated cybercriminals with the best software for stealing data and encrypting victims’ files over the internet via an easily accessible dark website. Second, provide the services around that software, such as tools that allow digital extortionists to communicate directly with their victims or get IT support. Third, share the rewards if a target pays the ransom.

DarkSide takes most of the cut. According to FireEye, the security company whose Mandiant division is helping Colonial Pipeline recover, DarkSide takes 25% of ransom fees below $500,000 and 10% of ransom fees above $5 million. Though that’s a sizable share of the proceeds, the DarkSide operators make ransomware attacks so simple that customers keep coming. “It’s a great way of making quick money,” says Peter Kruse, founder and CEO of CSIS Security Group, which says it has seen various cybercrime actors using the DarkSide ransomware service. In the case of Colonial Pipeline, DarkSide says a client using its software mounted the attack that shut the pipeline down.

To stand out from the crowd, DarkSide has promised the best encryption speeds, locking up computers faster than anyone else. It also supports attacks on both Microsoft Windows and Linux operating systems. Its marketing is working. Since emerging in August 2020, it has leaked the data of more than 80 organizations. The identities of those who paid may never be known, notes ransomware tracker Brett Callow. “They’ve hit at least 114 organizations and they’ve published data from 83, so these didn’t pay (the ransom). Which means at least 31 did,” Callow says.

Given that DarkSide users’ ransom demands range from $200,000 to $2 million, according to security startup Cybereason, it’s possible they’ve collectively made more than $30 million in just half a year. And, with KrebsOnSecurity reporting that the group negotiated an $11 million ransom with one victim company, the real figure is likely higher than that estimate. (A message to the DarkSide crew didn’t receive a response.)

Lax security may be helping the hackers. Before DarkSide’s malware can be deployed, its customers first need to have broken into a network, and DarkSide doesn’t provide that service. Kruse says DarkSide’s partners look for vulnerable devices that can be found by scanning the web. Once found, those systems can be exploited to gain a foothold on the target’s network. The attackers then need to take control of other connected computers and install the DarkSide software, which encrypts the victims’ data with keys the targets must pay a ransom to obtain.

Colonial Pipeline hasn’t yet revealed exactly how it was breached, though analyses of the company’s servers from security experts discovered a few avenues hackers could have used to poke holes in its defenses. There were, for instance, a large number of surveillance cameras attached to the company’s IT infrastructure, according to Derek Abdine from security company Censys.

And Bob Maley, a former PayPal security lead and now chief security officer at cyber defense startup Black Kite, says he saw open remote management and file sharing servers, which, if the hackers had somehow acquired logins, could have provided a path onto Colonial’s network.

“If I was going to hack that… I’d simply use a publicly available tool to connect to that port, run a little script and try all the credentials that I have, plus some of the common … default usernames and passwords,” Maley added. That “credential stuffing” attack could then provide enough network access to start finding a way to plant the ransomware.

There’s long been concern that critical infrastructure businesses aren’t well-prepared for the kinds of attack described by Maley, even if they’re far from the most sophisticated attacks the internet sees every day. “Legacy industrial control systems and other similar infrastructures were primarily designed to keep information in and execute their control tasks dependably and consistently. Unfortunately, there were little or no provisions built in to adequately secure the systems and keep people out,” says Chris Piehota, a former FBI technology director.

Personnel is another issue. Kruse and Maley noted that Colonial didn’t appear to have anyone in charge of cybersecurity. Colonial said its chief information officer, hired in 2017, led cybersecurity efforts, undertaking a review of its defenses and increasing total spending on IT, including cybersecurity, by more than 50% in the past four years.

A spokesperson told Forbes it had “robust protocols and software in place to detect and address threats proactively and reactively,” and that its third-party incident response team determined it was following “best practices” before the breach. Any speculation about the root cause of the incident would be premature and not informed by the facts, they added. They declined to comment on whether or not a ransom had been paid, and wouldn’t say how much the hackers had demanded.

The hack itself is just the first part of a modern-day ransomware swindle. DarkSide and similar groups have realized that they need to control the story, play the press and apply as much pressure to victims as possible to extract a ransom.

The added threat on top of all that data loss is public shaming. The dark websites run by DarkSide and other groups aren’t just spaces for them to expose victims’ data. They’re places where the groups can attract media attention to amplify successes and, possibly, increase the ransoms as companies pay up to avoid reputational damage. The first of this new breed of publicity-friendly ransomware extortionists came in late 2019, with the emergence of Maze, which became infamous for attacks on U.S. schools. According to Callow, from security company Emsisoft, there are now about 30 doing much the same.

Another group, Babuk, has shown in the past month how devastating public shaming can be, after it hacked into the Washington, D.C., Metropolitan Police Department. When the police didn’t pay the $4 million ransom, Babuk started releasing the personal information of officers. In a new batch of data on 22 police officers released this week, the leaked information included psychological assessments, social security numbers, financial data and marriage histories. Babuk even posted conversations between itself and the department, in which the latter apparently tried to lowball the crew with a $100,000 ransom offer. Babuk rejected the offer. The police department has previously acknowledged the attack but hadn’t responded to requests for comment at the time of publication.

DarkSide has used a different tactic to try to improve its public image, presenting itself as a kind of Robin Hood hacking organization: giving a small portion of stolen funds to charity, offering short-sellers advance information so they can bet on a victim’s stock tanking, and promising not to attack certain industries: hospitals, funeral services, schools, universities, nonprofits and government organizations. It even claims to permit attacks only on companies it knows can afford to pay, saying, “We do not want to kill your business.”

As the group wrote on its dark web “press center” earlier this week: “Our goal is to make money, and not creating [sic] problems for society.” One victim, Dalton, Georgia-based carpet manufacturer Dixie Group Inc., disclosed a ransomware attempt affecting “portions of its information technology systems” earlier this year.

With the Colonial Pipeline, DarkSide apparently realized too late that one of its partners had targeted an industry that served a huge number of consumers with gasoline and subsequently promised to “introduce moderation and check each company that our partners want to encrypt to avoid social consequences in the future.” Now the world has its eyes on the hacking group. In a “flash notice” to the cybersecurity industry and government agencies this week, the FBI said it has been investigating DarkSide since October, just two months after it emerged.

Its investigators and global partners have had increasing success against malware operators in recent months, the most significant in January, in which the U.S. Justice Department said it had participated in a multinational operation to disrupt and take down infrastructure of the malware and botnet known as Emotet. Described by experts as the most dangerous malware in the world, Emotet offered criminals access to personal and company computers. As with DarkSide, many criminals paid Emotet’s operators to install ransomware. Authorities made arrests of alleged administrators, who face charges in Ukraine, though they’ve yet to go on trial.

Despite that case and the blueprint it laid down for future cyber investigations, the only authorities DarkSide appears to fear are Russian-speaking: Its malware won’t work if it detects its victim is Russian. This has led to accusations that the Kremlin either supports or harbors criminals that target Western businesses, something Putin’s government has staunchly denied.

Dmitri Alperovitch, cofounder of cybersecurity company CrowdStrike and now executive chairman at the Silverado Policy Accelerator nonprofit, says there’s no evidence DarkSide has obvious links to Russian intelligence, adding, “Given their long past history of willful harboring of cybercrime, I don’t think it matters.”


I’m associate editor for Forbes, covering security, surveillance and privacy. I’m also the editor of The Wiretap newsletter, which has exclusive stories on real-world surveillance and all the biggest cybersecurity stories of the week. It goes out every Monday and you can sign up here: https://www.forbes.com/newsletter/thewiretap

I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice, Wired and the BBC, amongst many others.


Source: The Colonial Pipeline Hackers Are One Of The Savviest Criminal Startups In A $370 Million Ransomware Game


Cyber Attackers Leaked Covid-19 Vaccine Data After EU Hack

The European Medicines Agency (EMA) has reported that some of the data on the Pfizer/BioNTech COVID-19 vaccine that was stolen during a cyber-attack in early December 2020 was released online illegally shortly after the attack. 

The leak was discovered during an investigation that was launched into the attack by the EMA and law enforcement. It is claimed that evidence of the stolen data was found on various hacking forums as early as 31 December. The EMA stated yesterday (13 January) that action is being taken by authorities.

The EMA is a decentralized agency responsible for evaluating, monitoring and supervising new medicines introduced to the EU. As such, it is accountable for approving any COVID-19 vaccines. On 9 December 2020, the EMA released a statement alerting that it had been subject to the cyber-attack. 

Pfizer and BioNTech then released a joint statement outlining the nature of the breach: “Today, we were informed by the European Medicines Agency (EMA) that the agency has been subject to a cyber-attack and that some documents relating to the regulatory submission for Pfizer and BioNTech’s COVID-19 vaccine candidate, BNT162b2, which has been stored on an EMA server, had been unlawfully accessed.”

At the time, it was concluded that only a small number of documents had been accessed, limited to a single IT application as the hackers targeted data relating specifically to the Pfizer/BioNTech COVID-19 vaccine. Nevertheless, according to sources on technology and cybersecurity website BleepingComputer, the threat actors accessed Word documents, PDFs, email screenshots, PowerPoint presentations and EMA peer review comments.

The EMA assured that, despite the breach, its regulatory network is fully operational and that the evaluation and approval of COVID-19 medicines have not been affected by the incident.

THE LARGER PICTURE

The breach of the EMA server is not the only cyber-attack related to COVID-19 vaccines. There has been increasing concern about the safe deployment of the vaccine as cybercriminals attack the vaccine “cold chain”, launching what has been called a “global phishing campaign” against organizations responsible for the transport and sub-zero storage of the vaccine, supposedly in an attempt to gain unauthorized access to private credentials and sensitive information regarding the vaccine’s distribution.

Experian also released a report at the end of 2020 warning of the potential security risks that accompany the technological diversification in healthcare affected by COVID-19. It highlighted the potential risks of overlooking cybersecurity and the increased possibility of misinformation, particularly regarding the COVID-19 vaccine, while Dr Saif Abed also outlined the challenges of cybersecurity during the global mass rollout of the vaccine in a blog for Healthcare IT News.

ON THE RECORD

Responding to the announcement, chief security officer at Cybereason, Sam Curry, called security breaches surrounding the COVID-19 vaccine “diabolical”.

He continued: “Hackers today still see COVID-19 as a strategically valuable asset and it’s likely they will for the foreseeable future. Kudos to the pharma and research companies for working with law enforcement agencies to face these threats head on with advanced cyber tools and improved security hygiene. These companies face a new reality each and every day that motivated hackers will be successful every time they attempt to hack a company because they are well funded and are looking to reap both financial and political fame.

As the protection surface expands to mobile, the cloud and other potential attack vectors, those companies that can detect a breach quickly and understand as much as possible about the hacking operation itself will be able to stop the threat and minimize or eliminate the risk altogether.”

By Sophie Porter


Bloomberg Quicktake: Now

Hackers posted confidential documents regarding Covid-19 medicines and vaccines on the internet after a data breach late last year at the European Medicines Agency. Timelines related to evaluating and approving Covid medicines and vaccines haven’t been affected, the EMA said in a statement on Tuesday. The agency said it remains fully functional and that law enforcement authorities are taking action on the breach. Caught up in the hack were some documents submitted by Pfizer Inc. and BioNTech SE during regulatory review of their vaccine, approved last month.

The EMA said it would notify any additional entities and individuals whose documents and personal data may have been subject to unauthorized access. Pfizer shares fell 2.2% in New York, with BioNTech’s American depositary receipts down 5.1%.

Coronavirus Fighting Supercomputers Cryptojacked to Mine Privacy Coin Monero (XMR)


An array of supercomputers hosted at universities across Europe have been hijacked (or “cryptojacked”) in order to mine the privacy coin Monero (XMR).

Even worse, some of these computers had been dedicated to crunching numbers for research on COVID-19.

The intrusions occurred on supercomputer clusters in the UK, Germany, Switzerland, and probably Spain, according to a report by ZDNet.

Some of the compromised universities include Stuttgart, Ulm, Karlsruhe Institute of Technology, Tübingen University, the Bavarian Academy of Sciences, the Technical University of Dresden, the Ludwig-Maximilians University of Munich, and the Swiss Center of Scientific Computations.

The attackers likely gained access to the supercomputing arrays using compromised SSH login credentials that had been issued to other universities in Canada, China and Poland. There is some evidence that the attacks were all carried out by the same group, although it is not conclusive.

A look at the recent hashrate on the Monero network shows a healthy pair of spikes in May to about 1.4 gigahashes/second, although this jump does not seem outside the realm of normalcy.

[Chart: Monero network hashrate. Caption: Not much change (source: Bitinfocharts.com)]

CryptoGlobe recently reported that the hashrate on the Monero network had been mostly static even as the network’s transaction rate was on the rise.


By Colin Muller

Source: https://www.cryptoglobe.com


Hackers Threatening to Release ‘Dirty Laundry’ of Celebrities If Ransom Not Paid


Hackers have doubled their original ransom demand in exchange for the data belonging to U.S. entertainment law firm Grubman Shire Meiselas & Sacks, which represents many celebrities, such as Lady Gaga, Lizzo, and Madonna.

According to a report by Fox News, the hacking group REvil updated its ransom demand to $42 million in exchange for the stolen files containing personal information on high-profile clients such as Lady Gaga and U2, as well as material mentioning President Donald Trump. The files belonged to attorney Allen Grubman.

The hackers claim to have stolen 756GB of data that includes the firm’s contracts, personal emails, and correspondence with clients.

The hackers also deleted or encrypted the firm’s backup files and are demanding a ransom for the decryption key.

Grubman has refused to negotiate with the hacking group. The report cites an anonymous source close to the matter saying,

“His view is, if he paid, the hackers might release the documents anyway. Plus the FBI has stated this hack is considered an act of international terrorism, and we don’t negotiate with terrorists.”

The hacking group released a statement on Thursday threatening to release the “dirty laundry” of President Donald Trump if the ransom was not paid.

Well, according to a report published in Mail Online on Sunday (May 17), the hackers have “released a trove of emails mentioning President Donald Trump, and claim that they will publish much more damaging material if they aren’t paid a ransom of $42 million.”

By Michael LaVere


Source: https://www.cryptoglobe.com


“The US Secret Service and the FBI are continuing to probe hacking group REvil, who attacked the server of attorney Allen Grubman’s NYC firm and stole 756 gigabytes of confidential documents relating to his firm’s clients including Lady Gaga, Madonna, Mariah Carey, Priyanka Chopra and Bette Midler. On Thursday the hackers upped the ante by doubling their ransom demands and threatening to publish “a ton of dirty laundry” on President Donald Trump — who is not a client of the NYC law firm Grubman, Shire, Meiselas and Sacks — next week if the law firm did not pay in full. It remains unclear if the hackers’ claims to have dirt on Trump are true.”

Hackers Sell Data of 129 Million Russian Car Owners for Bitcoin


A database of 129 million Russian car drivers is being offered on the darknet for just 0.3 Bitcoin, or about $2,900.

The major cryptocurrency, Bitcoin (BTC), continues to be actively used for illicit activity. Anonymous hackers have taken the data of over 129 million Russian car owners to expose it on the darknet in exchange for cryptocurrency.

The leaked information includes the full names, addresses, passport numbers and other data belonging to millions of Russian car drivers, Russian news agency RBC reported May 15.

The stolen data is claimed to have been leaked from the registry of Russia’s traffic police, the General Administration for Traffic Safety of the Ministry of Internal Affairs of Russia. The authenticity of the data has reportedly been confirmed by an employee of a local car-sharing company.

The leaked data is being sold for cryptocurrency, RBC said, citing an original report by local publication Vedomosti. As such, the full version of the database costs 0.3 BTC, which amounts to about $2,900 as of press time. The hackers also offered to buy some “exclusive” data for 1.5 BTC ($14,400), the report notes.

Cryptocurrencies are being increasingly used for illicit activity on darknet markets. According to Chainalysis — a New York-based blockchain analytics firm — the volume of darknet markets’ crypto flows doubled in 2019 for the first time in four years.

Cybercriminals often sell stolen data on the darknet for almost nothing or even give it away for free. In mid-April 2020, hackers were selling over 500,000 accounts of popular video conferencing platform Zoom for less than a penny each.

In March, cryptocurrency fund Trident Crypto Fund suffered a major security breach, resulting in the theft of 266,000 usernames and passwords.

Source: https://cointelegraph.com


CEOs Are Feeling Better About Data Security–but Hackers Aren’t Far Behind

No matter what you do to protect your business from hackers, cybersecurity will always be a moving target.

Increasingly sophisticated hacking techniques mean CEOs always have to stay one step ahead of the latest ploys. A November Inc. survey of CEOs and other senior executives from more than 150 Inc. 5000 companies asked respondents about their level of confidence in the security of both their company and personal data. The results: 53 percent of respondents said they feel more confident about the security of their company’s data now compared to five years ago, while just 28 percent said the same about their personal data.

Matt Singley, founder of Chicago real estate firm Pinnacle Furnished Suites, is concerned about new methods being used by hackers, but feels confident in his company’s defenses against them. One way the company minimizes the potential impact of a breach is by storing customer information only when necessary. Pinnacle also performs regular audits to purge its system of data it doesn’t need. “The only way to be completely secure with your data,” he says, “is to not store it.”

John Kailunas II, CEO of wealth management firm Regal Financial Group, says that the external threats his company faces have increased in both quantity and complexity. The company has countered this by adding required security awareness training for every employee and hiring cybersecurity consultants to recommend changes. Kailunas says cybersecurity is an issue that requires constant examination. “Still,” he adds, “we have seen a significant improvement in our ability to identify potential threats.”

Advances in hacking practices aren’t the only factor that has made security more challenging. “More and more, people are working from different devices that companies own,” says Shana Cosgrove, CEO of cloud software firm Nyla Technology Solutions, which provides software and cybersecurity services to the Department of Defense. “It’s a lot harder to handle security when you don’t own the entire platform.”

Jack Wight, CEO of device rebate company Buyback Boss, says his company is under near-constant attack from hackers trying to access bank account information. Scammers will spoof the company’s vendors over email and ask for wire payments, so Buyback Boss has implemented a policy of always calling vendors before sending payments. “Five years ago there just wasn’t as much of this going on,” he says. “Now we’re dealing with scammers almost on a daily basis.”

Claude Burns used to work in data security for the U.S. Navy before founding corporate beverage service Office Libations. He says his knowledge of the cybersecurity field has led him to be constantly on guard. “I don’t think any information is safe or secure,” he says. “Your personal information is out there. Companies whose whole job is to protect it, like Equifax, are getting breached and hacked repeatedly.”

Burns compares being hacked to getting in a car accident: Drive enough miles, and it’s going to happen eventually. For him, the key is making sure that if something does look weird, his team can detect it quickly. “That way,” he says, “when something does happen, you’re able to mitigate the damage from it. In other words, wear your seat belt.”

Source: CEOs Are Feeling Better About Data Security–but Hackers Aren’t Far Behind


Microsoft Issues Excel Security Alert As $100 Million ‘Evil Corp’ Campaign Evolves

Russian cybercriminal group Evil Corp is using Microsoft Excel to infect victims

Evil Corp may well be best known to millions of viewers of the Mr. Robot TV drama as the multi-national corporation that Elliot and FSociety hack. However, back in the real world, Evil Corp not only exists but is weaponizing Microsoft Excel to spread a malware payload. Researchers from Microsoft Security Intelligence have this week taken to Twitter to warn users to be alert to the ongoing campaign being run by Evil Corp, also known as TA505. Like most successful cybercriminals, Evil Corp is constantly evolving in terms of techniques and tools. The latest twist in this felonious tale involves Microsoft Excel as a payload delivery vehicle.

Who or what is Evil Corp?

Evil Corp, or TA505, is a Russia-based hacking group that has been credited with being the mastermind behind a $100 million (£76 million) global bank fraud. Two alleged members of Evil Corp were charged by U.S. prosecutors with bank fraud in December 2019, although both remain at large. One of them, Moscow-based Maksim Yakubets, is thought to be the Evil Corp leader and currently carries a $5 million (£3.8 million) bounty issued by the U.S. Justice Department. Meanwhile, the U.S. Department of the Treasury has stated that Yakubets is believed to provide “direct assistance to the Russian government’s malicious cyber efforts.”

Thought to have been active since at least 2014, Evil Corp shows little sign of reining in the cybercrime activities it is renowned for: the distribution of banking Trojans and ransomware. New research from cyber-intelligence outfit Prevailion suggests that TA505 has compromised more than 1,000 organizations, including two U.S. state government networks, two U.S. airlines and one of the world’s top 25 banks.

What is the Excel alert that Microsoft Security Intelligence researchers have tweeted?

In something of a tweetstorm on January 30, the Microsoft Security Intelligence team alerted users to a new and active malware campaign from the Evil Corp actors. After what the Microsoft researchers referred to as “a short hiatus” by Evil Corp, they warned that a new “Dudear” phishing campaign was up and running, still deploying an information-stealing Trojan known as GraceWire but doing so using tweaked tactics.

The use of HTML redirectors, which avoids having to put malicious links or infected attachments in the emails themselves, means that the threat actors can download a malicious Excel file directly onto the victim’s machine to drop the Trojan payload. Not that no user interaction is required, of course: the victim still needs to open the automatically downloaded Excel file, and will still have to enable editing and enable content in order to be infected.

How can you mitigate against the Evil Corp Excel threat?

Microsoft is proving to be more than just reactive to malware threats, adopting a proactive position as far as these kinds of phishing campaigns are concerned. When the Microsoft Digital Crimes Unit and the Microsoft Threat Intelligence Center discovered an advanced persistent threat (APT) hacking group, thought to be operating out of North Korea, using carefully constructed fake domains to spoof victims into thinking they were dealing with Microsoft, a powerful legal counterpunch soon closed them down.

As far as this latest Evil Corp campaign is concerned, however, the biggest mitigation clue has already been given in the previous paragraph: don’t enable editing of that Excel file you didn’t ask for, and certainly don’t enable content. Microsoft Security Intelligence has confirmed that Microsoft Threat Protection will stop this latest attack, and that Office 365 also detects the malicious attachments and URLs used in such phishing emails. Finally, Microsoft Defender ATP will detect and block the Evil Corp threat trinity of malicious HTML, Excel file and payload.


I’m a three-decade veteran technology journalist and have been a contributing editor at PC Pro magazine since the first issue in 1994….

Source: Microsoft Issues Excel Security Alert As $100 Million ‘Evil Corp’ Campaign Evolves

Exclusive: A ‘Magic’ iPhone Hacking Startup Bites Back At Apple Lawyers — And Demands $300,000

In mid-August, Amanda Gorton and Chris Wade sat dumbfounded in their Boynton Beach, Florida, offices. They had just been sent a lawsuit that might yet kill their startup.

Within Gorton’s inbox was an email sent by a reporter containing a complaint filed by tech titan Apple against the married couple’s company, Corellium. The suit’s unceremonious appearance belied the gravity of the allegations they were facing: that they’d illegally copied the world’s most famous tech device, the iPhone.

Dubbed “magic” by some users, Corellium “virtualizes” iPhones, turning Apple phones into something you can play with on a PC. For Corellium customers, it lets them tinker with the iOS operating system to find functional problems or security vulnerabilities, all without risking breaking the iPhone, a famously locked-down device that doesn’t welcome anything not approved by Apple. Unlike testing with the real thing, if the virtual phone suddenly dies, you can just load up another one, making it useful for security researchers, developers and hobbyists, known as jailbreakers, who want to wrest back control of their iPhone. For Apple, though, this amounted to a copyright infringement of its product by “replicating” it without permission.


To Wade, a curly-haired, bespectacled Australian with the wide, intense eyes of a wired tech guy, and his more composed, Yale-educated partner Gorton, the news that Apple was suing landed like a “gut punch.” Via exclusive interviews with the founders and documents they provided ahead of their legal response to Apple filed late Monday night, Forbes has learned the iPhone maker was considering buying Gorton and Wade’s first startup, a Corellium predecessor called Virtual. And it appears subsequent years-long relations between the parties were ostensibly amicable before the big bust-up in August.

When Wade first heard about the suit, he thought it was a joke. It’s no joke. Onlookers who spy a Goliath flexing its muscles against a plucky David are hoping, for the sake of iPhone security, that an agreement is found. “As I understand it, many security researchers have used Corellium and submitted bugs to Apple,” said Kurt Opsahl, deputy executive director and general counsel of the Electronic Frontier Foundation.

Apple declined to comment on the claims made in this article. It pointed Forbes to the original complaint against Corellium, in which it said the suit was not trying to “encumber good-faith security research, but to bring an end to Corellium’s unlawful commercialization of Apple’s valuable copyrighted works.” Summing up Apple’s withering opinion of Corellium, the Cupertino company wrote: “Corellium’s true goal is profiting off its blatant infringement. Far from assisting in fixing vulnerabilities, Corellium encourages its users to sell any discovered information on the open market to the highest bidder.”

Cutting to the Apple core

Gorton and Wade’s long relationship with Apple can be dated back to at least the early 2010s. At the time the couple were working at OpenPeak, an enterprise mobile management company that had caught the attention of Mark Templeton, then Citrix CEO, who was considering an acquisition. Not long after Templeton met Wade, saying he was impressed by the Australian’s ability to do things considered “impossible,” Citrix bought Virtual, a startup founded by the married couple in 2014.

But in selling to Templeton, Virtual had to snub another suitor: Apple. A document outlining an agreement between Apple and Virtual, seen by Forbes, prevented the latter from talking to any other company about an acquisition for 45 days as the Cupertino company considered whether it wanted to splurge.

Did that upset the Apple cart? Is this a revenge story? Wade and Gorton aren’t sure. Gorton says she and her husband were excited such a formidable company was interested in their embryonic business.

The pair paints a picture of friendly Apple relations. Wade says he’s consistently handed details of security weaknesses to Apple. In 2016, after Apple announced it was launching a so-called Bug Bounty, where researchers are given a monetary reward for disclosing vulnerabilities in iOS (now up to $1.5 million), Wade planned on partly funding Corellium with those bounties. He wanted to do it transparently, he says, and in one email dated September 27, 2017, Wade explicitly told Apple’s manager for security and privacy programs, Jason Shirk, that he would start submitting bugs to fund his iPhone virtualizing startup.

The filing also suggests Apple encouraged Corellium’s early business. Emails provided to Forbes indicate Apple was at least impressed. Just as Corellium was getting started, in August 2017, Apple hosted a dinner in China for the Tencent Security Conference. Wade and Shirk dined together on Apple’s dime and later exchanged messages, according to the email threads. In one Wade boasted that he could virtualize the latest iPhone. Shirk’s response? “Wow! You got iOS 10.3 running virtually?” Wade cheekily messaged back: “Actually, we’re running iOS 11 :).”

At some point in the last year, something soured. In its filing on Monday, Corellium said that it hasn’t been paid for any of the vulnerabilities it submitted. In a counterclaim, the startup said that rather than it owing Apple anything, the Cupertino company owed it more than $300,000. And Corellium claimed Apple had launched a rival product in handing out custom iPhones for security researchers, letting them dive deeper into iOS.

Right now, Gorton says the bootstrapped Corellium is profitable, with a handful of customers across government and private industry paying thousands for its products: up to $62,500 for an on-site appliance and $575 a month for a cloud-based, single-user license. But with legal fees mounting and the threat of being forced to kill the killer feature of its product, that profit could dwindle and leave Corellium facing collapse.

Apple, meanwhile, might be facing a backlash from the cybersecurity community. It’s already faced criticism this year. When Google released research in September regarding attacks on iPhone users from the persecuted Uighur community in China, Apple’s response was controversial. In a rare public post, it sought to downplay what happened. To some onlookers, including former Facebook chief security officer Alex Stamos, Apple was suggesting that attacks on Uighurs weren’t “as big a deal as Google makes it out to be.” “Apple’s response to the worst known iOS attack in history should be graded somewhere between ‘disappointing’ and ‘disgusting,’” Stamos tweeted.

There’s the sense that after having opened up in the post-Steve Jobs years—with its industry-leading bug bounty and Tim Cook’s ostensibly aggressive stance on protecting user privacy—Apple is taking a few steps back. And one of those steps might squish one of the more intriguing startups to enter the often mundane cybersecurity market.


I’m associate editor for Forbes, covering security, surveillance and privacy. I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice Motherboard, Wired and BBC.com, amongst many others. I was named BT Security Journalist of the year in 2012 and 2013 for a range of exclusive articles, and in 2014 was handed Best News Story for a feature on US government harassment of security professionals. I like to hear from hackers who are breaking things for either fun or profit and researchers who’ve uncovered nasty things on the web. Tip me on Signal at 447837496820. I use WhatsApp and Threema too. Or you can email me at TBrewster@forbes.com, or tbthomasbrewster@gmail.com

Source: Exclusive: A ‘Magic’ iPhone Hacking Startup Bites Back At Apple Lawyers — And Demands $300,000

A 16-year-old hacked Apple and stole 90GB of data over the period of one year. You know the best part is that he stored it all in a folder called “hacky hack hack.”

New Android Warning: These 15 Malicious Apps May Be Hiding On Your Phone—Uninstall Now

As the stories keep coming about malicious apps finding their way onto Google’s Play Store, one serious concern is the increasingly sophisticated efforts made by those apps to hide their intent from users. Well, the latest report from the team at Sophos has found 15 harmful apps that have gone a stage further—literally “hiding their app icons in the launcher… or disguising themselves in the phone’s App settings page.”

Put simply, apps have been found that trick users into installing them to perform a trivial service. The app then disappears from view, but it is actually still running, disguised under a system name, making it impossible to detect and stop without effort. Users are urged to specifically root these apps out, stop them, then delete them completely.

If the apps aren’t seen, then they won’t trigger user concerns and they become much more difficult to casually delete without making the effort to find them. That’s the theory. But now those apps have been exposed. Users have been warned.


Yet again, these latest apps join the countless others delivering adware, generating fraudulent revenue for their operators. Let’s be clear, free apps that deliver ads in their unpaid versions might be irritating, but they’re not necessarily fraudulent. But here we are talking about apps designed solely to deliver ads. It is the direct opposite of free apps: the ads are the focus, the app itself a wraparound.

The 15 apps discovered and disclosed by Sophos have been installed on more than 1.3 million devices—that’s a lot of ads, a lot of fraudulent revenue. And this is likely the tip of the iceberg for this new “icon hiding” threat category. “If history is any indication,” Sophos warns, “there are likely many more waiting to be found.”

The “dirty tricks” pulled off by these apps include various ruses to hide away, either on install or shortly afterward, and installing two apps at once: a benign app that is visible as normal, and a malicious app that remains hidden. Most phones these days have a wide range of legacy and unused apps; we don’t notice what’s there, and how many of us ever purge our devices? That’s the social engineering taking place here: if the app can hide initially, it will likely hang around for some time.

“Nine of the 15 apps used deceptive application icons and names, most of which appeared to have been chosen because they might plausibly resemble an innocuous system app,” Sophos explained. But they cannot hide completely if you know what you’re looking for—and Android users are urged to check their phones for these apps—and if you find them, delete them. “The app icon is still visible in the phone’s ‘gear’ Settings menu, under Apps.”

Here are the 15 apps exposed by Sophos—you’ll notice the poor reviews, often a sign that an app of this kind is best avoided.

As so often with adware apps, most are designed around trivial utilities—QR readers and image editors, for example. “Most ironically,” Sophos reports, one of the malicious apps is designed “to scrub your phone of private data.” You couldn’t make this up. The mindset to download an app of unknown provenance for such a delicate purpose we won’t get into—the warnings here basically go without saying.

Once installed, the apps use innocuous names to ensure they don’t trigger suspicions. And, arguably, the most worrying finding is that all 15 apps appeared this year, which means there are still gaping holes in Play Store security, and there are adware factories churning out such apps and pushing them into the public domain. Sophos believes that similarities in coding structure and user interfaces suggest this batch of apps might all be related, despite appearing to come from different publishers.

Sophos says that Google was notified about the apps and they seem to have been removed, but the underlying threat and coding techniques will remain in other as-yet-unidentified apps in the store and the myriad apps likely still to come.

The package names of the 15 apps are here:

Andrew Brandt, a principal researcher at Sophos, warns that “while these apps have been removed from the Google Play Store, there may be others we haven’t yet discovered that do the same thing.”

Brandt also explains that if users suspect an app might be hiding, or want to check against the published list, they should “tap Settings, then Apps & Notifications. The most recently opened apps appear in a list at the top of this page. If any of those apps use the generic Android icon (which looks like a little greenish-blue Android silhouette) and have generic-sounding names (‘Back Up,’ ‘Update,’ ‘Time Zone Service’) tap the generic icon and then tap ‘Force Stop’ followed by ‘Uninstall’.” Real system apps won’t offer an ‘Uninstall’ option but will have a ‘Disable’ option instead.

Ultimately, the usual advice applies here. Don’t download trivial utility apps because they seem nifty and free—they’re free for a reason. Even if the downside is simply unwanted ads, the fact is that malicious apps can often be hiding more dangers than that. Given how much private information we carry on our devices, don’t casually leave the backdoor open to anyone with a shiny app and a free install.


I am the Founder/CEO of Digital Barriers, supplying AI surveillance tech to defence, national security, counter-terrorism and critical infrastructure entities in the U.S., EMEA and Asia. I write about the intersection of geopolitics and cybersecurity, as well as breaking security and surveillance stories. I also focus on the balance of privacy and public safety. Contact me at zakd@me.com.

Source: New Android Warning: These 15 Malicious Apps May Be Hiding On Your Phone—Uninstall Now

These are 20 dangerous Android apps that trap users of Android smartphones into mining various cryptocurrencies using their devices’ computing power. The security solutions company Sophos has identified malicious apps on the Google Play store and on a Russian download site called “Coandroid” that tap into a smartphone’s CPU to mine for cryptocurrency, which can cause your device to overheat and become slow, and could also lead to permanent damage to your smartphone. Some of these apps are very popular. If you have them installed on your phone, you should uninstall them immediately. Those listed below with “Coandroid” next to their name are safe to download from the Google Play store. Do not download from the “Coandroid” website.
0:41 AIMP (Coandroid)
1:23 Block Strike (Coandroid)
1:45 Parkour Simulator 3D (Coandroid)
1:54 Skanvord
2:08 NeoNeonMiner
2:24 Others
2:46 Wrestling Apps
CoinMiner and other malicious cryptominers targeting Android: https://www.sophos.com/en-us/medialib…