Weekly Executive Summary Week Ending July 15, 2016
By Joseph Lorenz on July 15, 2016
Targeted Industries
- Finance
- Software
- Banking
- Information Technology
- Telecommunications
Active Threats
- Anonymous
- Inj3ct0r Team
- APT18 Wekby
- OurMine Team
- Lizard Squad
Major Events
- Backdoored Pokemon GO App Infects Android Devices
- India-Linked Threat Actor Targets Military, Political Entities Worldwide
- Just Watching a YouTube Video Can Compromise Your Smartphone
- Malware offers backdoor to critical infrastructure targets
Conclusions
A mere three days after being released in the United States, Pokémon GO, an augmented reality mobile game, became one of the most used applications in the Google Play Store according to data from SimilarWeb (an online resource used to follow trends in the digital world). This was the first Pokémon game permitted by Nintendo for use on iOS and Android devices, though it has only been released in Australia, New Zealand, and the United States so far. Cybercriminals tend to follow these digital trends as well, and a malicious copy of the mobile application is the perfect lure for gamers and users who are outside of the three regions of availability. It isn’t uncommon for users to resort to sideloading (installation of an application on a mobile device without using the device’s official application-distribution method) for games or applications that aren’t available in their area, and it didn’t help that many large media outlets provided instructions on how to download the game from a third party and how to install the downloaded APK. Less than 72 hours after the game was released, a modified Pokémon GO APK was spotted containing DroidJack, a remote access tool (RAT) also known as SandroRAT. Once downloaded and installed, the malware would request privileges such as reading and editing text messages, making phone calls, recording audio, modifying contacts, reading bookmarks and web history, connecting to Wi-Fi, and retrieving running apps at startup. With these privileges accepted, it could essentially give an attacker complete access to a victim’s phone. According to researchers at Proofpoint, the malicious game was designed to deceive users into believing it was the real game, and the start screen was identical in appearance. The researchers also mentioned that the RAT had been configured to communicate with a command and control (C&C) domain resolving to an IP address in Turkey.
Though this APK hasn’t been seen in the wild yet, it is an excellent example of why users should ALWAYS download applications from trusted sources.
Source: Backdoored Pokemon GO App Infects Android Devices, Playing Pokémon GO can lead to unexpected dangers
A new method of compromising a mobile device has recently been analyzed by researchers from Georgetown and UC Berkeley. It is based on voice commands that can be hidden in YouTube videos. These attacks only work against devices that have the Apple Siri or Google Now feature activated, and the target device must be within a certain range (less than 3.5 meters) of the audio source. With many smartphones and wearable devices continuously listening for possible voice inputs, the researchers wanted to see whether commands that are incomprehensible to humans could still be picked up by devices. Such hidden voice commands can be created with little knowledge of speech recognition systems, but an attacker with the know-how could craft hidden voice commands that humans cannot understand at all or might not even notice. Depending on which commands the target device accepts, an attacker could compromise a device to leak information (posting a user’s location to Twitter), cause a denial of service (activating airplane mode), or continue with further attacks (opening a web page hosting drive-by malware).
Source: Just Watching a YouTube Video Can Compromise Your Smartphone, Proof-of-concept
A new threat actor known as Patchwork has been targeting victims worldwide since 2014 and has infected an estimated 2,500 victims since December 2015. Researchers at Cymmetria say that the group has mainly focused on personnel working on military and political assignments. The threat was detected during a spear phishing attack against a government organization in Europe late in May 2016. A PowerPoint presentation file was used as the attack vector, and the target was an employee working on Chinese policy research. The attack attempted to exploit the CVE-2014-4114 vulnerability (which affects unpatched versions of Microsoft Office PowerPoint 2003 and 2007). According to the report written by Cymmetria, the Advanced Persistent Threat (APT) is a pro-Indian or an Indian entity. This conclusion was drawn because many of the primary targets of this campaign are regional neighbors of India. Another indicator is the selection of targets, which appear to be of interest to the group when they are related to issues affecting India.
Source: India-Linked Threat Actor Targets Military, Political Entities Worldwide
Security researchers at SentinelOne Labs have discovered a new form of malware dubbed SFG, which targets industrial automation control systems. It has already infected at least one European energy company, and could drop a payload that would extract data or potentially shut down an energy grid. SFG is said to be the mothership of a related malware known as Furtim, which is believed to be just a subset of the complete program. Researchers were able to reverse engineer the malware, which revealed a very sophisticated piece of software. This malware will likely be used to carry out a three-stage attack. It has been designed to work on devices running any version of Microsoft Windows, and was developed to bypass traditional antivirus software and firewalls. If the malware detects that it’s being run in a sandbox environment (used to test and detect malware) or on a system that uses biometric access controls, it will re-encrypt itself until it is taken out of these environments. All of these techniques deployed by the malware are part of an elaborate scheme to avoid detection. The chief executive officer of SentinelOne, Udi Shamir, mentioned that “The malware has all the hallmarks of a nation-state attack due to its extremely high level of sophistication and the cost associated with creating software of this advanced nature.” Based on the analysis, the malware must have been constructed by multiple developers. These developers must have reverse engineered more than a dozen antivirus solutions to give the malware the ability to disable antivirus services without the user knowing.
Source: Malware offers backdoor to critical infrastructure targets, SCADA malware caught infecting European energy company
Note: The purpose of the weekly executive summary is to provide useful information that a business or agency could use in both its cyber security and business strategies. In order for this website to serve the community, we need to know your concerns and questions about (for example) proper safeguards for the technology you’re looking into or what sets of compliance and governance policies would you need to operate a particular business. The CSCC openly invites you to send your inquiries. We’ll have students research your issues and provide an analysis of the information at hand to guide you with all things cybersecurity.
Mail us at: uhwocscc@hawaii.edu