This Week in CyberSec Headlines. 09 FEB 2018

By MDL on February 9, 2018

North Korea

2018 Winter Olympics

CSCC Article, Spearphishing the Olympics

McAfee, Malicious Document Targets Pyeongchang Olympics

“McAfee Advanced Threat Research analysts have discovered a campaign targeting organizations involved with the Pyeongchang Olympics.”

AFP, Hackers Already Targeting Pyeongchang Olympics: Researchers

Security Week, Gold Dragon Implant Linked to Pyeongchang Olympics Attacks

North Korea targets South Korean Cryptocurrency Exchanges

Recorded Future, North Korea Targeted South Korean Cryptocurrency Users and Exchange in Late 2017 Campaign

“North Korea continued to target South Korea through late 2017 with a spear phishing campaign against both cryptocurrency users and exchanges, as well as South Korean college students interested in foreign affairs. The malware in this campaign utilizes a known Ghostscript exploit (CVE-2017-8291) and is tailored to target only users of a Korean language word processor, Hancom’s Hangul Word Processor.”

Reuters, South Korea Says North Stole Cryptocurrency Worth Billions of Won Last Year

“South Korea said on Monday that North Korea last year stole cryptocurrency from the South worth billions of won and that it was still trying to hack into its exchanges.”

Security Week, North Korean Hackers Prep Attacks Against Cryptocurrency Exchanges: Report

“North Korean hackers, loosely categorized as the Lazarus Group, have continued their attacks against South Korean interests, with particular emphasis on cryptocurrency exchanges.”

Bangladesh and Philippines Banks prepare to sue each other over cyber heist attributed to North Korean threat group

AFP, Bangladesh to File U.S. Suit Over Central Bank Heist

“Bangladesh’s central bank will file a lawsuit in New York against a Philippine bank over the world’s largest cyber heist, the finance minister said Wednesday.”

AFP, Philippine Bank Threatens Counter-Suit Over World’s Biggest Cyber-Heist

“The Philippine bank used by hackers to transfer money in the world’s biggest cyber heist warned of tit-for-tat legal action Thursday, after Bangladeshi officials said they would sue the lender.”

North Korean Cyber Capabilities

Talos, Korea In The Crosshairs

A one-year review of the campaigns run by a single actor whose operations were mainly linked to South Korean targets.

“This actor was very active this year and continued to mainly focus on South Korea. The group leveraged spear phishing campaigns and malicious documents the contents of which included very specific language suggesting that they were crafted by native Korean speakers rather than through the use of translation services.”

Bloomberg, Inside North Korea’s Hacker Army

Breaches and Leaks

Apple iBoot Source Code Leak

The Hacker News, Apple’s iBoot Source Code for iPhone Leaked on Github

The Register, Apple’s top-secret iBoot firmware source code spills onto GitHub for some insane reason

Motherboard, Key iPhone Source Code Gets Posted Online in ‘Biggest Leak in History’

“Someone just posted what experts say is the source code for a core component of the iPhone’s operating system on GitHub, which could pave the way for hackers and security researchers to find vulnerabilities in iOS and make iPhone jailbreaks easier to achieve.

The GitHub code is labeled “iBoot,” which is the part of iOS that is responsible for ensuring a trusted boot of the operating system.”

Telegraph, Secret iPhone code published online in ‘biggest ever’ leak

Swisscom Breach

SC Media, Dial ‘B’ for Breach: Unauthorized party access data on 800K Swisscom customers

Reuters, Swisscom tightens security after sales partner breached

InfoSecurity Magazine, Swisscom Breach Hits 10% of Swiss Population

Sacramento Bee Breach and Ransomware

Sacramento Bee, Voter, Bee databases hit with ransomware attack

“The intrusion, which was discovered by a Bee employee last week, exposed one database containing California voter registration data from the California Secretary of State and another that had contact information for 53,000 current and former Bee subscribers who activated their digital accounts prior to 2017.”

SC Media, Ransomware attack on Sacramento Bee database exposes voter records of 19.5M Californians

“The Sacramento Bee deleted two databases hosted by a third party after a ransomware attack exposed the voter records of 19.5 million California voters and 53,000 current and former subscribers to the newspaper.”

Dark Reading, Sacramento Bee Databases Hit with Ransomware Attack

“An anonymous attacker demanded a Bitcoin ransom in exchange for the data. The Bee chose not to pay and has deleted both databases to prevent further attacks.”

Gizmodo, Sacramento Bee Leaks 19.5 Million California Voter Records, Promptly Compromised by Hackers

“The Sacramento Bee said in a statement that a firewall protecting its database was not restored during routine maintenance last month, leaving the 19,501,258 voter files publicly accessible.”

Cryptocurrency Mining Malware

Sewage Plant Targeted to Mine Cryptocurrency

SC Media, First SCADA cryptominer seen in the wild

“The first documented cryptominer attack on a SCADA network of a critical infrastructure operator was seen in the wild. Radiflow researchers spotted the malware attacking the OT network of a water utility company in order to mine the Monero cryptocurrency, according to a Feb. 8 press release.”

The Register, Now that’s taking the p… Sewage plant ‘hacked’ to craft crypto-coins

“Several servers used to monitor and regulate critical water supplies were found to have been infected with code that quietly harvested Monero cyber-dosh and sent the coins over the internet to its masterminds.”

Cryptomining Malware Infects Tennessee Hospital Server

SC Media, Adversary breaches Tennessee hospital’s medical records server to install cryptominer

“Decatur County General Hospital in Parsons, Tenn., has publicly disclosed that an unauthorized party accessed the server for its electronic medical record system and secretly implanted cryptomining malware.”

Decatur County General Hospital, Notice Letter PDF

“On November 27, 2017, we received a security incident report from our EMR system vendor indicating that unauthorized software had been installed on the server the vendor supports on our behalf. The unauthorized software was installed to generate digital currency, more commonly known as ‘cryptocurrency.’”

PZChao, Iron Tiger Connections

The Hacker News, Cyber Espionage Group Targets Asian Countries With Bitcoin Mining Malware

“Security researchers have discovered a custom-built piece of malware that’s wreaking havoc in Asia for past several months and is capable of performing nasty tasks, like password stealing, bitcoin mining, and providing hackers complete remote access to compromised systems.”

“Researchers believe nature, infrastructure, and payloads, including variants of the Gh0stRAT trojan, used in the PZChao attacks are reminiscent of the notorious Chinese hacker group—Iron Tiger.”

Bitdefender, Operation PZChao: a possible return of the Iron Tiger APT

“In the analysis process, we managed to retrieve the malware payloads hosted on one of the command and control servers along with some statistics, such as the total number of downloads and logs containing the targeted victims. Among the most-downloaded malicious files, we found variants of Gh0st RAT used in Iron Tiger APT operation. Interestingly enough, these new samples now connect to the new attack infrastructure.”

Air-Gaps and Faraday Cages Not Safe Enough

Infosecurity Magazine, Air Gaps, Faraday Cages Can’t Deter Hackers After All

“Conventional wisdom says that if something isn’t connected to the outside, it can’t be hacked. But research shows that Faraday rooms and air-gapped computers that are disconnected from the internet will not deter sophisticated cyber-attackers.”

The Hacker News, Hackers Can Now Steal Data Even From Faraday Cage Air-Gapped Computers

“A team of security researchers… have published another piece of research showcasing that they can steal data not only from an air gap computer but also from a computer inside a Faraday cage.”

Security Week, Stealthy Data Exfiltration Possible via Magnetic Fields

“Researchers have demonstrated that a piece of malware present on an isolated computer can use magnetic fields to exfiltrate sensitive data, even if the targeted device is inside a Faraday cage.”

Gas Station Software Vulnerabilities

SecureList, Gas is too expensive? Let’s make it cheap!

“Before the research, we honestly believed that all fueling systems, without exception, would be isolated from the internet and properly monitored. But we were wrong. With our experienced eyes, we came to realize that even the least skilled attacker could use this product to take over a fueling system from anywhere in the world.”

Motherboard, Flaws in Gas Station Software Let Hackers Change Prices, Steal Fuel, Erase Evidence

FireEye, ReelPhish: A Real-Time Two-Factor Phishing Tool

US News

DHS Official: Russian Hackers Penetrated US Voter Systems in 2016 US Elections

Cyberscoop, DHS steadily moving state-by-state on election security outreach

SC Media, DHS Manfra says Russians successfully penetrated some state election systems

“Russian hackers successfully penetrated voter registration rolls in a number of U.S. states, Department of Homeland Security (DHS) cybersecurity chief Jeanette Manfra said Wednesday.”

NBC News, Russians penetrated U.S. voter systems, top U.S. official says

“We saw a targeting of 21 states and an exceptionally small number of them were actually successfully penetrated.”

Ukraine Cybersecurity Cooperation Act

CyberScoop, U.S. moves to develop grand cybersecurity partnership with Ukraine, a favorite target for Russian hackers

“During a week where multiple senior Ukrainian government officials came to visit Washington, a bill designed to foster further collaboration on cybersecurity efforts between the U.S. and Ukrainian governments passed the House of Representatives late Wednesday night.”

Congress.gov, H.R.1997 – Ukraine Cybersecurity Cooperation Act of 2017

Other US News

SC Media, Fancy Bear targets defense contractors email to steal tech secrets

“Russian hacking group Fancy Bear, whose interference in the U.S. presidential election set off a firestorm of concern in the security, defense and intelligence communities, has actively exploited weak spots in the email systems of defense contract workers to access top secret information on U.S. defense technology, including drones.”

Washington Post, A sensitive DHS report about anthrax got outed — because it was left in a plane’s seat pocket

CyberScoop, Senators push bill banning Chinese tech firms Huawei and ZTE from being used in government

Middle East

Security Week, Actor Targeting Middle East Shows Excellent OPSEC

“An actor making extensive use of scripting languages in attacks on targets in the Middle East demonstrates excellent operational security (OPSEC), researchers from Talos say.”

Cisco, Talos, Targeted Attacks In The Middle East

“These campaigns show us that at least one threat actor is interested in and targeting the Middle East. Due to the nature of the decoy documents, we can conclude that the intended targets have an interest in the geopolitical context of the region. The attackers used an analysis report alleged to be written by Dar El-Jaleel, a Jordanian institute specialising in studies of the region. Some of these documents are tagged as confidential.”

In Other News

SC Media, Malicious Reddit ‘twin’ discovered

Sophos, Naked Security, Reddit users, beware its evil twin

“Earlier this week, security engineer Alec Muffett noticed that Reddit.co had turned into something altogether more troubling – a clone of Reddit.com, most likely intended to phish user credentials.”

Sophos, Naked Security blog, Uber data breach aided by lack of multi-factor authentication

Graham Cluley, WordPress update stopped WordPress automatic updates from working. So update now

Palo Alto, Threat Brief: Hancitor Actors

“Hancitor is a malware that focuses on getting other malware onto the victim’s system. In the case of Hancitor, it’s typically banking Trojans that steal the victim’s banking information.”

Crowdstrike, Meet CrowdStrike’s Adversary of the Month for February: MUMMY SPIDER

“MUMMY SPIDER is a criminal entity linked to the core development of the malware most commonly known as Emotet or Geodo. First observed in mid-2014, this malware shared code with the Bugat (aka Feodo) banking Trojan. However, MUMMY SPIDER swiftly developed the malware’s capabilities to include an RSA key exchange for command and control (C2) communication and a modular architecture.”