2016-08-30

Malware

Dreambot trojan

Proofpoint has reported that a variant of the Ursnif/Gozi banking trojan called Dreambot is currently active. Dreambot [1] is still being developed, but variants make use of a domain generation algorithm, Tor and P2P (for command and control communications). The malware has been distributed via the Niteris and Nuclear exploit kits, as well as email campaigns across many countries. More information [2].

Ozone RAT

A spam campaign targeting German users is dropping the Ozone RAT [3], a 'legitimate' remote control tool available for between $20 and $50. The emails contain a JavaScript file that, once clicked, installs a proxy auto-config file, a fake Comodo certificate and Ozone. The RAT can download and execute other files, and contains several features, including a keylogger, password dumper and hidden start-up routine. More information [4].

Twitoor

ESET has reported on the first Twitter-controlled Android botnet. Known as Twitoor [5], the trojan has not been detected on official app stores and is likely spread through SMS or malicious URLs. Twitoor receives commands by regularly checking a specific Twitter account and can download additional malicious apps onto compromised devices. More information [6].

Fantom ransomware

Security researchers have discovered new ransomware based on the open-source EDA2 project. Named Fantom [7], the malware displays a fake Windows Update screen that suggests Windows is installing a critical security patch while file encryption takes place. More information [8].

Hacker Groups

Cozy Bear

Defense One has reported that APT29 [9] (aka Cozy Bear) has targeted five Washington-based think tanks in addition to the DNC. One confirmed target was the Center for Strategic and International Studies (CSIS), although the extent of the attack is unknown. More information [10].

Trending Vulnerabilities

New information extraction method developed

Researchers at Ben-Gurion University have developed yet another method of extracting information from air-gapped networks. USBee [11] is software that turns USB 2.0 compliant devices into transmitters that can project 80 bytes per second over a distance of 9 to 26 feet. The signal is received via a GNU Radio receiver and demodulator and would be most useful for exfiltrating information such as decryption keys. More information [12].

Ongoing Campaigns

Kelihos botnet revamps operations

The Kelihos botnet [13] has begun to revamp its operations. The botnet, also known as Waledec, has been operational since 2008, and in its prime was a major source of pump-and-dump spam. In recent years spam filters have become very adept at filtering out such messages, thereby reducing the system's capabilities. Kelihos's authors have therefore amended their delivery goals and begun distributing ransomware and banking trojans, in particular the WildFire ransomware and a currently unknown Zeus-based banking trojan. The number of machines in Kelihos has hugely increased in recent months, with numbers tripling on August 22nd from 13,000 machines to 36,000. MalwareTech, which identified the resurgence, believes that the spamming of WildFire was likely a test of the bot's new capabilities, noting that the authors will now focus on spam email campaigns utilising some of the web's more infamous trojans and ransomware. More information [14].

Ramnit trojan returns

Last seen targeting banks and e-commerce sites across Australia and North America, the Ramnit trojan [15] has returned and is targeting the personal banking details of customers at six UK banks. The trojan is using the same (albeit updated) attack vectors, with familiar encryption algorithms, data-grabbing and web injections discovered by IBM researchers. The re-emergence of Ramnit was observed when the malware's operators set up two new attack servers in addition to a fresh C&C server. The trojan is likely to be distributed via malvertising, spam campaigns and exploit kits. More information [16].

Ghost Squad Hackers continue campaign

Ghost Squad Hackers [17] (GSH) hit the Bank of Israel and Prime Minister's Office with DoS attacks over the weekend. While the former recovered within six hours, the latter remains unavailable. The DoS was intended to draw attention to Israel's policy in Gaza and against Palestinian settlements. GSH have confirmed that more attacks will follow.

Anonymous joins forces with anarchist groups to target Deutsche Bank subsidiary

OpAnarchists [18], a joint operation between Anonymous [19] and various anarchist groups, has targeted the official site of Deutsche Bank subsidiary Deutsche Immobilien-Leasing Ltd. In addition to defacing the company site, a trove of data stolen from private servers was also leaked online. OpAnarchist was started in 2015 to protest against the arrest of anarchist Lisa Askatu. The data is only available via the use of a Tor browser, but is thought to contain the genuine personal details of over 900 employees. Hackers involved with the operation confirmed that Deutsche Bank was the primary target, due to its status as a major banking power in the 'illegitimate capitalist system'.

Anonymous' pipeline protest disavowed by Native Americans

Anonymous Group's protests against the Dakota Access pipeline have been disavowed by local Native American groups, the very people Anonymous claim to be in contact with and trying to protect. OpNoDapl [20] emerged recently to protest against the construction of a thousand-mile pipeline across North Dakota, which native groups claim will disrupt farming and damage ancestral grounds. Despite this, local leaders have urged Anonymous to cancel their planned action, and asked them not to speak on their behalf. One prominent member of the community emphasised his desire for the protests to remain peaceful, and stated that Anonymous often do more harm than good. Perhaps unsurprisingly, Anonymous hackers have ignored these pleas, claiming to be in touch with 'native American brothers' who support their plans.

Phishing scam targets GoDaddy customers

A new phishing scam is targeting GoDaddy customers, according to Comodo Threat Research Labs. Scammers are using the legitimate-looking 'support@godaddy.com' address to tell customers to upgrade their email storage. A link then directs users to a phishing page where they can 'log in' and upgrade, thereby sending account details to the criminals running the site.

Breaches & Leaks

Data leaked from Paraguay's Secretary of National Emergency

Shad0wS3C [21] has leaked data taken from Paraguay's Secretary of National Emergency (SNE). The leak appears to contain billing and stock information, activity logs and personal information such as salary and contact details for SNE employees. The rationale for this breach is Paraguay's human rights record. Shad0wS3C is a recently formed hacking group that has also leaked information from the Swiss certificate authority EveryWare.

Gaming company warns of possible compromise

Gaming company Funcom has told players that their forum accounts may have been compromised by a third party. Leaked data includes email addresses, usernames and encrypted passwords for forum accounts associated with The Secret World, Age of Conan, Anarchy Online and The Longest Journey. Game accounts are believed to be secure.

US hotel chain latest victim of POS attacks

The US chain Noble House Hotels & Resorts [22] is the latest high-profile victim of POS malware attacks. The company released a breach alert [23] in which it admitted that any card payment made at its Florida Ocean Key Resort between April 26th and June 8th could have resulted in compromised bank details. It is suspected that more than 12,000 payment cards have been affected. This is not the first time that the company has had security issues: in 2015 a breach at its Minneapolis property resulted in the details of over 19,000 cards being stolen.

General News

Top ransomware families localised for targets in the Asia-Pacific region

Researchers at SecureWorks have reported that the top four ransomware families (Locky, CryptXXX, Cerber and TorrentLocker) have been localised for targets in the Asia-Pacific region, including Japan and South Korea.

FBI detects voter registration breaches

The FBI has detected breaches in the Arizona and Illinois voter registration databases. Unnamed officials elaborated on the leaked August 18 Amber flash alert, which did not allude to specific states but mentioned a set of IPs and an SQL injection vulnerability. A penetration of the voter database does not necessarily imply an attempt to attack the voting process, and could simply be intended for intelligence collection. More information [24].

Iran removes malware from plants

Iran has detected and removed 'industrial' malware discovered in two petrochemical plants, according to Reuters. An investigation found that the malware was inactive and not responsible for recent petrochemical fires; these were blamed on cuts to health and safety budgets.

Online games taken down

A number of online games published by Daybreak Games [25], including H1Z1 and DC Universe Online, have been taken offline by a concerted cyberattack. This is not the first time Daybreak has been the victim of cyber vandalism: the hacker group Lizard Squad has targeted its games and its employees a number of times. The company took to social media to confirm that its platforms were being hit by a DDoS attack.
The Silobreaker Team

Disclaimer: Although Silobreaker has relied on what it regards as reliable sources while compiling the content herein, Silobreaker cannot guarantee the accuracy, completeness, integrity or quality of such content and no responsibility is accepted by Silobreaker in respect of such content. Readers must determine for themselves what reliance they should place on the compiled content herein.

[1] https://my.silobreaker.com/view360.aspx?item=11_1059277122#?q=Keyphrase:%22Dreambot%20Malware%22&rd=true
[2] https://www.proofpoint.com/us/threat-insight/post/new-ursnif-variant-dreambot-adds-tor-functionality
[3] https://my.silobreaker.com/view360.aspx?item=11_978322465#?q=Keyphrase:%22OZONE%20RAT%22
[4] https://blog.fortinet.com/2016/08/29/german-speakers-targeted-by-spam-leading-to-ozone-rat
[5] https://my.silobreaker.com/view360.aspx?item=11_1056852512#?q=Keyphrase:%22Twitoor%20Trojan%22
[6] http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/
[7] https://my.silobreaker.com/view360.aspx?item=11_1057137636#?q=Keyphrase:%22Fantom%20Ransomware%22&rd=true
[8] http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/
[9] https://my.silobreaker.com/view360.aspx?item=11_430103622#?q=Organization:%22APT29%22&rd=true
[10] http://information
[11] https://my.silobreaker.com/view360.aspx?item=11_1059277121#?q=Keyphrase:%22USBee%20Malware%22&rd=true
[12] http://arstechnica.com/security/2016/08/meet-usbee-the-malware-that-uses-usb-drives-to-covertly-jump-airgaps/
[13] https://my.silobreaker.com/view360.aspx?item=11_367309953#?q=Keyphrase:%22Kelihos%20Botnet%22&rd=true
[14] https://www.malwaretech.com/2016/08/significant-increase-in-kelihos-botnet-activity.html
[15] https://my.silobreaker.com/view360.aspx?item=11_153338292#?q=Keyphrase:%22Ramnit%22&rd=true
[16] https://securityintelligence.com/ramnit-rears-its-ugly-head-again-targets-major-uk-banks/
[17] https://my.silobreaker.com/view360.aspx?item=11_990520529#?q=Organization:%22Ghost%20Squad%20Hackers%22&rd=true
[18] https://my.silobreaker.com/view360.aspx?item=11_1059314318#?q=Keyphrase:%22OpAnarchists%22&rd=true
[19] https://my.silobreaker.com/view360.aspx?item=11_247827020#?q=Organization:%22Anonymous%20group%22&rd=true
[20] https://my.silobreaker.com/view360.aspx?item=11_1059319205#?q=Keyphrase:%22OpNoDapl%22&rd=true
[21] https://my.silobreaker.com/view360.aspx?item=11_1044979174#?q=Organization:%22Shad0wS3C%22&rd=true
[22] https://my.silobreaker.com/view360.aspx?item=11_23659517#?q=Company:%22Noble%20House%20Hotels%20%26%20Resorts%22&rd=true
[23] http://www.noblehousemenus.com/NobleHouse-CyberSecurityInformation_3.pdf
[24] https://s.yimg.com/dh/ap/politics/images/boe_flash_aug_2016_final.pdf
[25] https://my.silobreaker.com/view360.aspx?item=11_822753256#?q=Company:%22Daybreak%20Games%22&rd=true