Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Information Security News - SANS Internet Storm Center


Popular News

9 hours ago Atlanta Ransomware Attack Freezes City Business

InfoRiskToday
Damage Assessment is Underway, But Backups Are in Place, Officials Say. Ransomware has struck the city of Atlanta and frozen internal and customer-facing applications, hampering residents from paying bills or accessing court information. But the city says it has working backups and expects to pay employees on time.

8 hours ago It's Never Too Early To Pick Your First Username

Forbes
Just keep in mind that using the same username for everything can put you at a significant online security risk.

10 hours ago Microsoft to re-enforce March patch that owns Windows over RDP

The Register
Firm that found flaw says un-patched RDP clients face lockout

Black Hat Asia: Microsoft will soon prevent Windows from authenticating un-patched RDP clients, capping a March patch that addressed a flaw that can allow lateral movement across a network from a compromised Remote Desktop Protocol session.…

8 hours ago Operator In Uber Self-Driving Crash Is A Felon. That's Not Why Elaine Herzberg Is Dead

Forbes
There are tens of thousands of traffic fatalities every year in the U.S., and each is uniquely terrible. This one was historic, and a terrible irony, as the technology involved is being developed in hopes of bringing dramatic reductions in on-road fatalities.

7 hours ago How companies like Accenture are creating AI tools that lighten your workload

TechRepublic
Artificial intelligence and machine learning are beginning to make business processes more efficient. Here's how.

Top News

6 hours ago TrickBot Gets Computer Locking Capabilities

SecurityWeek
A recently observed variant of the TrickBot banking Trojan has added a new module that can lock a victim's computer for extortion purposes, Webroot reports.

First observed in late 2016 and said to be the work of cybercriminals behind the notorious Dyre Trojan, TrickBot has seen numerous updates that expanded not only its capabilities, but also its target list.

Last year, the malware received an update that added worm-like capabilities, allowing it to spread locally via Server Message Block (SMB).

Webroot now says that the malware attempts to leverage NSA-linked exploits released by Shadow Brokers last year in order to move laterally within compromised networks.

The new TrickBot variant installs itself into the %APPDATA%\TeamViewer\ directory, and once up and running, creates a "Modules" folder to store encrypted plug and play modules and configuration files.

While many of the modules have been already documented, the new Trojan variant also includes a module internally called spreader_x86.dll that Webroot hasn't seen before. Featuring a large rdata section that contains two additional files, the spreader module contains an executable called SsExecutor_x86.exe and an additional module named screenLocker_x86.dll.

Spreader_x86.dll, the security researchers have discovered, was clearly designed to allow the malware to spread laterally through an infected network by leveraging the NSA-linked exploits.

"This module appears to make use of lateral movement in an attempt to set up the embedded executable as a service on the exploited system. Additionally, the TrickBot authors appear to be still developing this module as parts of the module's reflective DLL injection mechanism are stolen from GitHub," Webroot notes.

The SsExecutor_x86.exe part of the new module is meant to be executed after exploitation, to achieve persistence by modifying the registry so that a link to the copied binary is added to the start-up path of each user account.

Written in Delphi, ScreenLocker_x86.dll represents TrickBot's first ever attempt at "locking" the victim's machine. The module exports two functions: a reflective DLL loading function and MyFunction, which appears to be the work in progress.

Should TrickBot indeed gain the locking functionality, it would mean that its developers have decided to switch to a new business model, similar to that employed by ransomware operators.

Locking the computer before stealing the victim's banking credentials would prevent the credit card or bank theft, which suggests that the cybercriminals might be planning to extort victims to unlock their computers.

The security researchers suggest that, in corporate networks where users are unlikely to be regularly visiting targeted banking URLs, TrickBot would find it difficult to steal banking credentials. Thus, the potential of locking hundreds of machines could prove a more successful money-making model.

"It is notable that this locking functionality is only deployed after lateral movement, meaning that it would be used to primarily target unpatched corporate networks. In a corporate setting (with unpatched machines) it is highly likely that backups would not exist as well. The authors appear to be getting to know their target audience and how to best extract money from them," Webroot points out.

5 hours ago Hacker vs hacker: This cryptojacking malware kills off its rivals to ensure maximum profit

ZDNet
The cryptocurrency-mining malware uses highly aggressive tactics -- which researchers have reverse engineered to help provide protection.

Latest News

7 minutes ago Report: Guccifer 2.0 Unmasked at Last

InfoRiskToday
VPN Fail Reportedly Reveals IP Address at Russia's GRU Military Intelligence Headquarters. The notorious "lone hacker" known as "Guccifer 2.0," who claimed credit for breaching the Democratic National Committee and dumping stolen emails, failed to activate a VPN client at least once, revealing an IP address at the headquarters of Russia's GRU military intelligence agency, the Daily Beast reports.

22 minutes ago Will Facebook Chief Zuckerberg's Response Over Cambridge Analytica Data Scandal Suffice?

Forbes
With Facebook CEO Mark Zuckerberg breaking his silence in the wake of the Cambridge Analytica scandal in an interview with CNN and saying the social media giant needed to "get in front" of secret plots to influence millions of voters and destabilize democracies around the globe, will it be enough?

1 hour ago 9 Iranians Indicted for Massive Hacking Scheme

InfoRiskToday
Thousands of Professors Worldwide Among Those Allegedly Targeted. The U.S. Department of Justice has announced the indictment of nine Iranians alleged to have penetrated systems belonging to hundreds of U.S. and foreign universities, government entities and private companies to steal more than 31 terabytes of documents and data.

1 hour ago GhostMiner fileless cryptomining malware has code that kills itself and other strains

TechRepublic
Monero-mining malware GhostMiner is fileless, nearly undetectable, removes competing cryptominers, and may have provided experts with a way to eliminate cryptomining infections.

1 hour ago How a recently discovered malware may save you from cryptomining infections

TechRepublic
GhostMiner is an advanced cryptomining malware, but it contains code that can kill it and others like it.

2 hours ago Singapore questions social media giants over 'online falsehoods'

ZDNet
Twitter, Google, and Facebook faced a parliamentary committee set up to examine the impact of "deliberate online falsehoods"--with Facebook, specifically, grilled over the Cambridge Analytica breach.

3 hours ago City Of Atlanta Computers Hit By Ransomware Attack

Forbes
Municipal government networks have been victimized by ransomware attacks before, but Atlanta might be one of the biggest targets yet.

3 hours ago DoJ indicts Iranian hackers for stealing data from 144 US universities

ZDNet
In all, 320 universities around the world were attacked and the 31.5 terabytes of stolen data was sold for profit in Iran.

3 hours ago Stingray spying: 5G will protect you against surveillance attacks, say standards-setters

ZDNet
It looks likely that 5G will sideline IMSI catcher, or stingray, fake mobile base stations.

3 hours ago U.S. Imposes Sanctions on Iranians for Hacking

SecurityWeek
The United States imposed sanctions on Friday on 10 Iranians and an Iranian company for alleged hacking of hundreds of universities in the US and abroad and the theft of "valuable intellectual property and data."

The Mabna Institute "engaged in the theft of personal identifiers and economic resources for private financial gain" and for the benefit of Iran's Islamic Revolutionary Guard Corps, the US Treasury Department said.

The two founders of the Mabna Institute were among the 10 people whose assets are subject to US seizure, it said.

The Justice Department said nine of the 10 had been indicted separately for conspiracy to commit computer intrusions and other crimes.

Since 2013, the Mabna Institute carried out cyber intrusions into the computer systems of 144 US universities, the Treasury Department said, and 176 universities in 21 foreign countries.

"For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps," Deputy Attorney General Rod Rosenstein said in a statement.

"The Department of Justice will aggressively investigate and prosecute hostile actors who attempt to profit from America's ideas by infiltrating our computer systems and stealing intellectual property," Rosenstein added.

© AFP 2018

5 hours ago Lawmakers Tell Facebook's Zuckerberg: You Will Testify

InfoRiskToday
As the Cambridge Analytica scandal continues to unfold, Congress seeks answers from Facebook, calling on CEO Mark Zuckerberg to testify. Also in the latest edition of the ISMG Security Report: Is it possible to build a secure digital wallet for storing cryptocurrency?

5 hours ago Self-driving Uber crash that killed pedestrian should have been avoided, experts say

TechRepublic
It is not yet known why the software in the Uber driverless car did not register the pedestrian or stop, according to experts.

5 hours ago Pwner of a Lonely Heart: The Sad Reality of Romance Scams

SecurityWeek
Valentine's Day is a special holiday, but for victims of romance scams it is a tragic reminder, not only of love lost, but financial loss as well. According to the FBI Internet Crime Complaint Center (IC3), romance scams accounted for $230 million in losses in 2016.

Men and women may jokingly refer to their significant other as their "partner in crime," but when it comes to romance scams, this joke may become a sad reality. In addition to financial losses, many scammers may convince their victims to become money mules or shipping mules, directly implicating them in illegal behavior.

Recently, Agari researchers identified a woman in Los Angeles who has sent nearly half a million dollars to a scammer she has never even met. Even worse, this woman knowingly cashes bad checks and fake money orders on his behalf. The FBI has warned her to stop, yet it is unlikely she will do so.

The victims of romance scams are typically women in their 40s to 50s, usually divorced or widowed and looking for a new relationship. They are targeted by scam artists on dating web sites, who have the ability to refine their searches for women who fit their target demographics.

The scam artists create profiles of charming and successful men to engage these lonesome women. Dating sites frequently ask what women are looking for in a partner, so it is easy for the scammer to say exactly what they need to seem like "Mr. Right."

Once these scammers engage with their victims, there is an inevitable variety of excuses why they can't meet - claims of overseas military service or mission trips are common, and help to further cement the supposed righteousness of the scammer. After a few months of correspondence, the scammer will claim a supposed tragedy - a lost paycheck or medical fees are common - and request a small loan. The typical loss in these scams is $14,000, not to mention the considerable psychological damage: victims of romance scams frequently withdraw from their social circles, embarrassed by the stigma.

Even worse, as in the case of our anonymous victim, some of these scams can continue for years, with frequent requests for financial support. Once trust is established with their victims, these scammers may also begin to use them as "mules" to cash fake checks, make deposits, accept shipment of stolen goods, and more. In the case of our anonymous victim, her family has pleaded with her to stop sending her suitor more money, and the FBI has warned her that her behavior is illegal; and yet she persists.

Markus Jakobsson, Chief Scientist for Agari, has spent more than 20 years as a security researcher, scientist and entrepreneur, studying phishing, crimeware and mobile security. Prior to Agari, Jakobsson spearheaded research in malware, authentication, fraud, user interfaces and security technologies for Qualcomm. He also co-founded three digital startups - ZapFraud, RavenWhite and FatSkunk. Jakobsson has held key roles as Principal Scientist at PayPal, Xerox PARC and RSA Security. He holds more than 100 patents and is a visiting research fellow of the Anti-Phishing Working Group (APWG). He holds a Ph.D. in computer science from the University of California, San Diego and master's degrees from both the University of California, San Diego and Lund University in Sweden.

9 hours ago #DeleteFacebook Highlights The Benefits Of Blockchain

Forbes
Distributed ledgers and the rise of blockchain technology challenge the concept of the trust held by centralized authorities, such as banks and governments, as well as data-collecting mega corporations looking to make a quick buck from analytics firms or third-party app developers.

11 hours ago Your code is RUBBISH, says GitHub. Good thing we're here to save you

The Register
Dependency scanner turned up FOUR MEEELLION vulns from October to December 2017

Last year, GitHub added security scanning to its dependency graph and flicked the lid off a can absolutely crawling with bugs.…