Hamas is Targeting Soldiers with a World Cup App – Israeli Accusation
Israeli military intelligence in Tel Aviv has accused Hamas hackers of creating a World Cup app and two online dating sites to tempt soldiers into downloading spyware onto their phones.
Briefing journalists at national defense headquarters in Tel Aviv, army intelligence officers said the scam by members of the Palestinian Islamist movement that runs the Gaza Strip failed to damage military security. “No damage was done, as we stopped it in time,” one of the officers said, with the military’s response codenamed “Operation Broken Heart”.
But he said the attempt showed the Islamist militants had adopted new tactics since a similar attempt was revealed in January 2017. The emphasis then was solely on the dating game, with the hackers posing online as attractive young women seeking to lure men in uniform into long chats.
This time the traps were aimed at both sexes and there was the additional bait of World Cup action with an app offering “HD live streaming of games, summaries and live updates”. Attackers used stolen identities to create more convincing fake Facebook profiles of young Israelis, written in fluent Hebrew studded with current slang.
“What Hamas is bringing to the table is a very good knowledge of our young people and their state of mind,” another officer said. Asked how he could be sure Hamas was behind the online offensive, he declined to say but insisted there was no doubt.
They said that awareness of the potential risk had soared since the army publicised the previous attempts. “Thanks to the soldiers’ vigilance, Hamas’ intelligence infrastructure was exposed before it caused actual security damage,” army briefing notes said. Israel and Palestinian militants in Gaza have fought three wars since 2008.
Crypto-Currency Users Targeted by New macOS Malware
Security researchers have warned about a new piece of macOS malware that is being distributed via crypto-currency related Slack or Discord chat groups.
First detailed late last month, the malware is being distributed by malicious actors who impersonate admins or key people. The actors share small snippets of code with the members of these chat groups and try to convince them to run the code in a terminal. When the code is executed, a malicious binary is downloaded and executed on the victim’s machine. Although the social engineering trick isn’t particularly sophisticated, some users apparently fall for it.
The downloaded payload is rather large, at 34MB. As of Friday, the malware wasn’t being detected by any of the 60 anti-virus engines in VirusTotal, Remco Verhoef, ISC Handler and Founder of DutchSec, explains. The malicious binary is not signed and Gatekeeper would normally flag and block it, but it appears that Apple’s protection measure does not work for files that are executed directly via terminal commands.
The reason the binary is so large is that the author apparently packed in it libraries such as OpenSSL and V8, Objective-See’s Patrick Wardle, who named the malware OSX.Dummy, points out. When executed on the target machine, the malware first sets the script to be owned by root. When the threat executes sudo to change the file’s permissions, the user is prompted to enter their password in the terminal, and the malware steals it and saves it to /tmp/dumpdummy.
Next, OSX.Dummy sets the script to be executable via chmod +x, moves the script to a new directory, dumps a plist file to /tmp/com.startup.plist and then moves it to the LaunchDaemons directory, sets the owner of the file to root, and then loads the launch daemon for persistence. At this point, the malware has ensured that the malicious script is automatically executed by the OS whenever the system is rebooted.
The Python script, the security researchers discovered, attempts to connect to 185.243.115[.]230 on port 1337, then “duplicates stdin, stdout and stderr to the socket, before executing /bin/sh with the -i flag. In other words, it’s setting up an interactive reverse shell,” Wardle notes. Once the connection to the remote command and control (C&C) server is established, the attacker can execute arbitrary commands on the infected machine, as root.
The malware’s capabilities, however, are limited, and every step of the infection process is rather trivial to detect, Wardle says.
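As an added defender-side example (not code from the original article or from the researchers it quotes), the following Python script checks two of the artefacts described above: a LaunchDaemon plist matching the com.startup persistence job, and an `lsof` entry connected to the reported C2 address on port 1337. The plist contents, the script path and the lsof lines are constructed sample data, since the article does not show the real plist.

```python
import plistlib
import re

# Indicators taken from the OSX.Dummy description above.
PERSISTENCE_LABEL = "com.startup"
C2_ENDPOINT = ("185.243.115.230", 1337)
# Locations a LaunchDaemon running as root should never execute code from.
USER_WRITABLE_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/Users/")

def inspect_launch_daemon(plist_bytes):
    """Flag a LaunchDaemon plist that matches the OSX.Dummy persistence pattern."""
    data = plistlib.loads(plist_bytes)
    findings = []
    if data.get("Label") == PERSISTENCE_LABEL:
        findings.append("label matches OSX.Dummy persistence plist")
    for arg in data.get("ProgramArguments", []):
        if arg.startswith(USER_WRITABLE_PREFIXES):
            findings.append("daemon runs code from a user-writable path: " + arg)
    if data.get("RunAtLoad"):
        findings.append("RunAtLoad is set, so the job starts at every boot")
    return findings

# One line of `lsof -i -n -P`: COMMAND PID USER ... TCP local->remote (STATE)
LSOF_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+.*TCP\s+\S+->(\d+(?:\.\d+){3}):(\d+)")

def find_reverse_shell(lsof_lines):
    """Return (command, pid, user) for every socket connected to the known C2."""
    hits = []
    for line in lsof_lines:
        m = LSOF_RE.match(line)
        if m and (m.group(4), int(m.group(5))) == C2_ENDPOINT:
            hits.append((m.group(1), int(m.group(2)), m.group(3)))
    return hits

# Constructed sample plist modelled on the write-up; the script path is an assumption.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.startup</string>
  <key>ProgramArguments</key>
  <array><string>/usr/bin/python</string><string>/Users/Shared/script.py</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed lsof output: one benign HTTPS session and one root python process on the C2 port.
SAMPLE_LSOF = [
    "Safari  1200 alice  12u  IPv4 0x3c4d  0t0  TCP 10.0.0.5:50313->203.0.113.7:443 (ESTABLISHED)",
    "python  4242 root    3u  IPv4 0x1a2b  0t0  TCP 10.0.0.5:50312->185.243.115.230:1337 (ESTABLISHED)",
]
```

On a live host, feed `inspect_launch_daemon` the bytes of each file under /Library/LaunchDaemons and `find_reverse_shell` the lines of `lsof -i -n -P`.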
Iranian Hackers Tried to Impersonate Israeli Cyber-security Company
The Israeli cybersecurity firm ClearSky has exposed several cases in which Iranian hackers impersonated legitimate websites. In February, for instance, it revealed an operation it called Ayatollah BBC – a series of Iranian-run websites impersonating foreign or even Iranian media outlets.
But earlier this month, it reported that it, too, has joined the list of victims of these Iranian “copy and paste” operations. Last month, the company discovered that a hacker group called Charming Kitten, which had perpetrated previous attacks, was still operating. The group is connected to the Iranian government and is deemed an “advanced persistent threat,” meaning it comprises sophisticated hackers.
The group often uses “watering hole” attacks, which utilize either legitimate sites or seemingly innocent but malicious sites to infect users with malware that the hackers can then use to spy on them. For instance, ClearSky researchers discovered the group had created a website which impersonated the German paper Deutsche Welle’s site.
ClearSky’s most entertaining discovery so far, however, relates directly to the company. As the website Bleeping Computer reported last week, the Charming Kitten group impersonated ClearSky itself by creating a website almost identical to that of the Israeli firm, with a slightly different address; the imposter site ended in “.net” rather than “.com.”
The obvious question is what the Iranian hackers hoped to achieve with this impersonation. The answer lies in one very significant difference between the two sites: Unlike the original site, the Iranian version allows users to register. This would enable the hackers to steal information from ClearSky’s customers, who would think they were merely registering to receive site updates. The moment a user clicked on the registration link, the hackers would be able to steal his or her personal information, including passwords for service providers.
Financial Frauds have Increased due to Digital banking, say PSBs
The landscape of financial transactions in India has been transformed over the last couple of years as the leap from manual to a digital system has been made successfully. However, this change has also caused incidents of financial frauds to rise.
The effect has been serious enough that public sector banks (PSBs) have informed the Parliamentary panel on finance about it. Sources close to the development told a leading news channel that the banks informed the panel that cyber-attack incidents have risen and led to an increase in fraudulent transactions. The information was passed on to the panel during a recently concluded meeting.
The banks said that the banking system is under constant attack by organised gangs, and the FSR said that cyber-attacks are the biggest threat to the Indian banking sector. The panel was also informed that most financial frauds are committed by big borrowers who use technical loopholes in the banking system to commit such fraud. In addition, the banks told the panel that both the number of financial frauds and the amounts involved have gone up.
RBI data also suggests that banking fraud has increased by a staggering 19.4 percent in the last five years.
Prevent Misuse – Indian Government to Whatsapp, after Mob Killings
India’s government says it has asked WhatsApp to take “immediate action” to prevent the social media platform from being misused to spread rumors and irresponsible statements like those blamed for recent deadly mob attacks in the country.
At least 20 people have been killed in mostly rural villages in several Indian states in attacks by mobs that had been inflamed by social media. Victims were accused in the viral messages of belonging to gangs trying to abduct children. The brutal attacks, which began in early May, have also left dozens of people injured.
Although Indian authorities have clarified that there was no truth to the rumors and that the targeted people were innocent, the deadly and brutal attacks, often captured on cellphones and shared on social media, have spread across the country.
India’s ministry of electronics and information technology said in a statement late Tuesday that the lynchings were tied to “irresponsible and explosive messages” circulated on WhatsApp. It wasn’t specific on the preventative measures it expected to be taken by WhatsApp, which is owned by Facebook.
“While the law and order machinery is taking steps to apprehend the culprits, the abuse of platforms like WhatsApp for repeated circulation of such provocative content are equally a matter of deep concern,” the ministry said. It said WhatsApp “cannot evade accountability and responsibility.”
WhatsApp said in a blog post that it would institute awards for research on “spread of misinformation” on its platform. “We will seriously consider proposals from any social science and technological perspective that propose projects that enrich our understanding of the problem of misinformation on WhatsApp,” the post said.
The Indian Express, an English-language daily newspaper, quoted a WhatsApp official as saying, “The situation is a public health problem which will require solutions from outside the company as well, including the government.” The official said that the “responsibility is beyond any one technology company” and “requires partners,” according to the paper.
“I think it’s up to the Indian government to decide what is the right mechanism to address the spate of killing that is occurring. It is going to have to be a collaboration,” the official said.
Pavan Duggal, a cyber expert and an attorney, said WhatsApp needs to comply with Indian laws and also adopt a “more sensitive and customized approach” for the country to reap the benefits of the vast Indian market.
Closer International Cybersecurity Cooperation Needed – Putin
President Vladimir Putin today called for closer international cooperation in fending off cyberattacks. Addressing a cybersecurity conference in Moscow, Putin said it’s important to develop common cybersecurity standards that take into account the interests of all nations. He noted that cyberthreats have mounted around the world. “Cyberthreats have reached such a scale that they could only be neutralized by combined efforts of the entire international community,” Putin said.
“We have repeatedly seen that some nations’ egoism, their attempts to act squarely to their own advantages, hurt the global information stability,” he added without specifying. Putin pointed at Russia pooling efforts with European nations to work out an agreed mechanism of protection of personal data rules, citing it as a positive example of international cooperation.
Putin noted that the number of cyberattacks on Russia has increased by one-third in the first quarter of 2018, compared to the same period last year. He said Russia would work to develop an automated system facilitating information exchange between businesses and law enforcement agencies to help enhance cybersecurity.
New Variant of Rakhni Malware Found
Rakhni is one of the oldest ransomware strains affecting devices. This is partly because it updates itself with the latest patches. The malware’s creators have recently added a cryptocurrency mining component, which is only deployed on selected PCs.
The ransomware has been in the wild since 2013 and has stayed alive by keeping a low profile. Security experts at Kaspersky Lab have found a new variant of Rakhni that scans the user’s machine before deciding whether to fetch a crypto miner from a remote server. If the malware finds a folder named Bitcoin, it executes a component on the PC that encrypts the private key of the Bitcoin wallet on the user’s PC.
If the malware doesn’t find the Bitcoin folder, it instead downloads a cryptocurrency miner from the remote server and installs it so that the affected PC mines cryptocurrency. The Kaspersky report also said the miner mines Monero, Monero Original and Dashcoin.
The new version of Rakhni is being distributed via spam emails, with the infection spreading fast in Russia, Kazakhstan, Ukraine, Germany and India.
Weak Admin Password Compromised Gentoo GitHub Repository
Gentoo has finished its investigation of the hack that affected its project on GitHub last week. The point of vulnerability turned out to be a weak administrator password. Upon compromise, the attackers added the destructive Linux command “rm -rf /” so that when users cloned the project to their computers all their data would be erased.
After the unknown individuals gained control over the Gentoo Organisation’s GitHub repository they locked out the administrators. Then the hacker group began adding the killer command to the various repositories.
Fortunately, various mitigations prevented the code from running on client machines. The main master Gentoo repository was not affected, so users who used rsync or websync were not affected.
The logs also indicated that the attackers brute-forced many accounts before discovering the administrative password and altering legitimate code. The evidence also suggested that the administrator had been using the same password for all their accounts, which may have aided the successful exploitation.
The Gentoo organisation’s GitHub repos were unavailable for five days. The organisation has since made sure that all employees use unique and complex passwords for their work accounts and that every employee has enabled 2FA.
Hacking Press Releases Generates $100 million of Illegal Profit
More than 150,000 press releases from Business Wire, Marketwired and PR Newswire were stolen by two men, who made more than $100 million in profit by trading in these PRs with other companies.
Two men were found guilty in this press-release hacking case. One was a 53-year-old man from Glen Mills, Pennsylvania, named Korchevsky, and the other was Khalupsky, aged 48, living in Ukraine. Both are said to have hired hackers to steal unreleased press releases from very well-known sites so they could be sold to other companies.
The two convicts had made huge profits by selling the PRs stolen from some well-known companies including Home Depot Inc., Advanced Micro Devices Inc., Caterpillar Inc, Panera Bread Co., Qualcomm Inc., and Weight Watchers International Inc.
The jury has not yet stated whether they hacked into the above-mentioned press releases before beginning to trade in them, but the investigation did establish that they hired hackers and gave them “shopping lists” of the companies whose press releases they wanted to obtain.
It is believed that the hackers have been running this scam for years, and have made around $100 million by doing so. Whilst it might seem like a huge amount, it is plausible since press releases are hugely in demand and each can be sold for a few thousand dollars.
According to the US authorities, this is so far the biggest hack of its kind. With the proceedings occurring in the US, it is hoped that the culprits will be punished severely and more people behind the attack will also be caught. A total of 10 men were named in this case, including hackers and planners.
Hide-N-Seek Botnet Now Targeting IoT Devices
HNS (Hide-N-Seek), a botnet discovered earlier this year, has now started infecting Internet of Things devices. It is also known to target cross-platform database solutions. The latest version seems to have made significant improvements; for example, it is now capable of surviving device reboots.
The research team at Qihoo 360’s Netlab said that HNS has expanded beyond the scope of routers and DVRs and is currently exploiting database systems too.
The Botnet can utilize the following exploits:
- TP-Link-Routers RCE
- Netgear RCE
- (new) AVTECH RCE
- (new) CISCO Linksys Router RCE
- (new) JAW/1.0 RCE
- (new) OrientDB RCE
- (new) CouchDB RCE
The HNS botnet now uses more processing power than before, since it scans the following ports for potential exploitation:
- 23 Telnet
- 80 HTTP Web Service
- 2480 OrientDB
- 5984 CouchDB
- 8080 HTTP Web Service
It has also been known to scan for other random ports.
HNS is easy to spot, since it is the second most prevalent botnet after Hajime. Most of its bots are currently trying to infect OrientDB servers. With the added support for OrientDB and CouchDB database servers, HNS is no longer just an IoT botnet but a cross-platform botnet.
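As an added example (not part of the original report or the Netlab research), this Python function runs over constructed netfilter-style firewall log lines and reports any single source that sweeps the HNS port list above, touching both an IoT-style port and a database port, which is the cross-platform signature this variant introduced. The log format and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Ports the new HNS variant probes, per the list above (service names for reporting).
HNS_PORTS = {23: "telnet", 80: "http", 2480: "orientdb", 5984: "couchdb", 8080: "http-alt"}
IOT_PORTS = {23, 80, 8080}
DB_PORTS = {2480, 5984}

# Fields of a netfilter-style dropped-packet log line (constructed format for this example).
LOG_RE = re.compile(r"SRC=(\d+(?:\.\d+){3}) DST=(\d+(?:\.\d+){3}) PROTO=TCP .*DPT=(\d+)")

def hns_scan_sources(log_lines, min_ports=3):
    """Group dropped TCP probes by source and report sources that sweep HNS ports.

    A source is reported when it touches at least `min_ports` distinct HNS ports and
    hits both an IoT-style port and a database port; a plain Telnet scanner never
    reaches the second condition.
    """
    ports_by_src = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dport = int(m.group(3))
        if dport in HNS_PORTS:
            ports_by_src[m.group(1)].add(dport)
    report = []
    for src, ports in sorted(ports_by_src.items()):
        if len(ports) >= min_ports and ports & IOT_PORTS and ports & DB_PORTS:
            report.append((src, sorted(ports)))
    return report

# Constructed log sample: 198.51.100.9 sweeps IoT and database ports, 198.51.100.20 only probes Telnet.
SAMPLE_LOG = [
    "kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=23 SYN",
    "kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=2480 SYN",
    "kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP SPT=40003 DPT=5984 SYN",
    "kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.11 PROTO=TCP SPT=40004 DPT=8080 SYN",
    "kernel: DROP IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=5000 DPT=23 SYN",
    "kernel: DROP IN=eth0 SRC=198.51.100.20 DST=192.0.2.11 PROTO=TCP SPT=5001 DPT=23 SYN",
    "kernel: DROP IN=eth0 SRC=198.51.100.30 DST=192.0.2.10 PROTO=UDP SPT=5002 DPT=53",
]
```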