Finished Intelligence

All Articles (115)

The US Department of Homeland Security (DHS) Cyber Intelligence Network (CIN) is aware of a Thanksgiving Day-themed phishing email campaign with at least two variants targeting US government entities.  The campaign began on 19 November 2018, and the phishing emails include Thanksgiving Day-themed subject lines with holiday-themed document titles.  The emails spoof legitimate government senders and attempt to deliver malware to legitimate government entities.  The reported…

Wapack Labs has identified 699 unique IP addresses believed to be infected by, or associated with the possible delivery of, Black Energy.  Some of these connections contained an href user agent (pointing at another location); others appeared infected with Black Energy and were identified checking into our Black Energy sinkholes.  Black Energy, as you may recall, was used against Ukraine on 23 December 2015, in coordinated attacks against multiple regional distribution power companies in…

Summary

On 10 October 2018, the FBI announced the arrest of Xu Yanjun, a Chinese intelligence agent who had been targeting an employee of GE Aviation to acquire trade secrets on the company’s jet engines.  The targeted employee had cooperated with the FBI during this operation, and when Xu arranged a meeting with the employee in Europe in April 2018, Xu was arrested.  He was extradited from Belgium to the United States in October and charged with economic…

Red Sky Alliance (RSAC) members have reported seeing and/or receiving fake sextortion scams.  These scam emails typically include an old password that was once used by the recipient.  The emails are an attempt to extort money, claiming the sender has compromising information indicating the user was involved in viewing pornographic sites.  The sender claims to have compromising video recordings of the user and alleges to have additional “stolen secrets” of a compromising sexual nature.  An RSAC member…

A new advisory was issued by the US Department of Homeland Security (DHS) and US-CERT for Hidden Cobra.  This is the latest in a string of advisories related to Hidden Cobra.  What is unique is that this is the first advisory from US-CERT related to automated teller machine (ATM) attacks, for what they refer to as an ATM cash-out scheme officially named "FASTCash."

US authorities report multiple vulnerabilities identified in Mozilla Thunderbird, the most severe of which could result in arbitrary code execution.  Mozilla Thunderbird is an email service.  Successful exploitation of the most severe of these vulnerabilities could allow for arbitrary code execution.  Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.  Users whose accounts…

MIT researchers have developed a system that reduces false positives in credit card fraud detection. The researchers call it automated feature engineering; it allows them to monitor an individual's spending and add features based on that person's spending habits.[1]  To do this, they extract 200 detailed features per individual transaction to provide the examples that would be available if the user were present.  It additionally would capture the average…

Recently, the popular online retail service Craigslist was hosting advertisements for servers and storage disks.  The seller was marketing new and used IT equipment from the retailer Netlink Computer Inc. (NCIX).  The servers and storage disks being marketed contained millions of unencrypted confidential records of employees, customers and business partners.  Up until 1 December 2017, when the Canadian IT retailer NCIX filed for bankruptcy, it was a…

Cybersecurity researchers have unveiled the first-ever UEFI (Unified Extensible Firmware Interface) rootkit found in use.  It allows hackers to implant persistent malware on targeted computers that can survive a complete hard-drive wipe.  Named LoJax, the UEFI rootkit is part of a malware campaign conducted by the Sednit group, also known as APT28, Fancy Bear, Strontium, and Sofacy, who have targeted government organizations in the Balkans as well as in Central and Eastern Europe.…

Magento is an open source ecommerce platform that offers flexible solutions, a vibrant extension marketplace, and an open global ecosystem.  Magento is based on the Zend Framework and PHP.  Magento is considered to be the leading platform within the ecommerce market.  In less than 10 years, Magento has had massive success rolling out its solutions to everyone from small at-home/startup businesses to multinational conglomerates.  Magento's popularity is similar to that of other popular open-source…

Researchers at Bitdefender have identified a new Android malware, named Triout, which acts as a framework for turning legitimate applications into spyware.  It is used to inject extensive surveillance capabilities into seemingly benign applications.  Triout is found bundled with a repackaged app, with capabilities including recording phone calls, logging incoming text messages, recording videos, taking pictures and collecting GPS coordinates, then broadcasting all of that back to an…

Government researchers believe Chinese state-sponsored actors (APT) are likely to engage in cyber espionage activities targeting the US semiconductor industry.  The aim is to help improve domestic production and reduce China’s reliance on US-made semiconductors, as laid out in its “Made in China” (MIC) 2025 plan.  Recently lifted sanctions against the Chinese company ZTE highlight China’s reliance on US semiconductors.  The US blocking of Chinese acquisitions of US semiconductor firms likely undercut…

Conventional cyber wisdom says that social engineering and phishing involve a user simply clicking on bad links.  A large percentage of social engineering attacks do invite users to click on bad links, and this action can definitely have consequences, yet many of the highest-profile social engineering attacks have absolutely nothing to do with links and nothing to do with “clicking.”

Some of the most damaging social engineering attacks often consist of a hacker’s patient collection of…

PHP Code Execution Attack

A new exploitation technique has been discovered that allows attackers to trigger critical deserialization vulnerabilities in the PHP programming language using functions previously considered low-risk. The new technique leaves web applications open to remote code execution attacks, including websites powered by popular content management systems such as WordPress and Typo3. PHP unserialization was first discovered in 2009 and allows attackers to perform various attacks…

China’s newest and broadest Cybersecurity Law went into effect on 1 June 2017. When first implemented, it created significant concerns for foreign businesses in that it directed new cybersecurity practices and data restrictions that appeared to threaten the independence and competitiveness of foreign corporations operating in China.

DeepLocker is a class of malware that uses AI (Artificial Intelligence) to infect a victim’s system.  DeepLocker was developed and launched by an IBM research group.[1]  Their concept is that artificial intelligence can automatically detect and combat malware to effectively stop cyber-attacks before they impact an organization.  This positive concept can now theoretically be used in reverse and weaponized by bad actors.  This to…

Based on historical and current investigative analysis, cyber actors are targeting US critical infrastructure using a malicious attachment that leverages the “shellshock” vulnerability. The same tactics, techniques and procedures (TTPs) could be used against other US critical infrastructure sectors.  US authorities are providing the following indicators of compromise, identified malicious code, and suspect internet protocol (IP) addresses to assist receiving organizations’ computer network…

Foreshadow flaws have been revealed in Intel’s Core and Xeon range of processors. Alternatively known as L1 Terminal Fault or L1TF, they comprise three new speculative execution[1] side-channel vulnerabilities.  The Foreshadow attacks could allow a hacker or malicious application to gain access to sensitive data stored in a computer's memory or in third-party clouds, including files, encryption keys, pictures, or…

Small businesses account for almost 50% of all current cyber-attacks.  This is a growing trend.  Proper cyber protection is needed.

Some small-business owners assume that the size of their company makes it an unlikely target for cyber adversaries.  That may have been true in the past, but it is no longer the case.  The increase in targeting of small businesses began around 2011, when they accounted for approximately one-fifth of all cyber-attacks.  Currently this number has risen to almost a half of…

A British researcher has discovered a combination of a 419 scam and a Java Adwind / Java Jrats trojan malware delivery.  Java Adwind delivered by fake financial emails or by fake parcel delivery notices is a common 419 tactic, yet this may be a new approach, deploying a traditional scam together with the Java Adwind malware.[1]

Java Adwind[2] is a very…