Iranian Hackers Steal Academic Research Papers From Over 70 Universities

By: Brent Burgess                                                                                                                9/18/201

Around three weeks ago SecureWorks, a cybersecurity research group, discovered a massive phishing scheme that has been recently targeting many universities. This phishing attack has targeted over 76 universities in 14 countries, including Australia, Canada, China, Israel, Japan, Switzerland, Turkey, the United Kingdom, and the United States. Most of these spoof sites had domains which attempted to replicate the universities’ library pages, getting access to accounts attempting to enter their library resources, and obtaining 31 terabytes of academic knowledge. When the information was entered, they were redirected to the actual university library site where they either were signed in or asked to repeat their credentials. The 16 domains were created between May and August of this year. Many of these stolen research papers were then sold by texting an encrypted message to WhatsApp or Telegram.

These phishing attacks were found to be perpetrated by the Cobalt Dickens hacking group which has been found to be closely associated with the Iranian government. In March of this year, the United States had indicted the Mabna hacking group and nine members in connection with the group. This group’s previous attacks appeared to have the same infrastructure as the Cobalt Dickens attacks, implying some of the same members were involved. These universities which create cutting-edge research are high priority targets due to the value of their information presents as well as the difficulty of securing them. This hack has taken place shortly after the United States decided to re-establish economic sanctions with the United States implying a potential political motivation.

“This widespread spoofing of login pages to steal credentials reinforces the need for organizations to incorporate multi-factor authentication using secure protocols and          implement complex password requirements on publicly accessible systems.”                  -SecureWorks

Sources:

https://www.zdnet.com/article/iran-hackers-target-70-universities-in-14-countries/ https://www.express.co.uk/news/world/1017903/US-sanctions-Iran-hackers-nuclear-power-cybersecurity-donald-trump/                                    https://www.securityweek.com/iranian-hackers-target-universities-large-attack-campaign-secureworks                                                https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities

 

 

Instant Messaging? How About “Instant Malware”

Telegram LogoIf you’ve never heard of Telegram, it’s an instant messaging platform that’s quickly gaining popularity for its emphasis on secure, private chats. In fact, the developers of Telegram are so confident in its security, that they’ve announced multiple hacking contests with six figure bounties. So far, none of the contests have found a winner.

One of the features that makes Telegram so nice to use is the ability to instantly share files with your friends. Pictures, word documents, PDFs, those sorts of things. But what if someone sent you an executable program. Would you run it? Probably not — but what if it looked like a picture, or a word document, or a PDF?

Beginning March 2017, many unsuspecting users fell victim to a vulnerability in how Telegram handled Unicode, specifically the “right-left override” character (or RLO). The RLO character is intended to reverse any text that precedes it. In some applications, the RLO is improperly handled and can cause the characters after the RLO to not be displayed. Telegram, however, displays strings with an RLO character correctly. So what’s the big deal?

It turns out that applying this to filenames can be disastrous. By cleverly naming a file to hide the real extension, it’s possible to trick someone into downloading something that appears harmless. For example, if an attacker wanted to send you a malicious javascript file, they could send you a file named “photo_high_re\U+202Egnp.js” and Telegram would display it as “photo_high_resj.png“.

This exploit was used to install malware such as backdoors and spyware, though some craftier attackers were using Telegram to trick people into running cryptominers. Kaspersky Labs uncovered the vulnerability in October 2017, which means this vulnerability existed for at least 8 months. Kaspersky Labs also noted that this was an increasingly popular exploit for 2017. Kaspersky Labs alleges that the source of the attack was Russian cybercriminals, and that no evidence was found to suggest the exploit was known outside of the Russian cybercriminal community.

Victims of this attack actually would have been somewhat protected if the security confirmations on Windows were still enabled. When executing the file, Windows correctly displays what type of file it is (javascript, exe, etc). However, even for the users that still have this feature enabled, I think it’s fair to say that most people have trained their muscle memory to click “Run” when that popup appears. This serves as a good reminder to always take a moment to verify what you’re doing.

Original article: https://www.csoonline.com/article/3254139/security/hackers-exploit-zero-day-flaw-in-telegram-to-mine-cryptocurrency.html
Telegram: https://telegram.org/
Kaspersky Labs: https://securelist.com/zero-day-vulnerability-in-telegram/83800/

Written by Jesse R.

“Faceliker” Facebook Trojan Making Comeback

“Faceliker” is malware that has been around for a few years, but recently in 2017 McAfee is reporting surges in the use of Faceliker (9.8% of all new malware in Q1/Q2 are Faceliker strains). Faceliker uses JavaScript to basically hijack the users’ clicks and generates likes on Facebook. The malware is becoming increasingly common to be embedded within malicious Chrome extensions.

Why would someone want to hijack clicks from users? Well, it seems as though Faceliker is being used to promote “fake news” (*cough* propaganda), and is also used to promote advertisements and games that aren’t popular, but seem popular due to the likes accumulated by Faceliker. It also can promote fake pages of companies or users in order to make them seem real or reputable, and possibly result in possible catfishing.

McAfee is not certain, but it appears that Faceliker is only being used to promote content by spoofing likes. It is possible different Faceliker strains are being used to steal passwords or other sensitive data, but there isn’t a clear cut answer.

-Ryan Corrao

https://www.komando.com/happening-now/422202/watch-out-facebook-hijacking-malware-is-spreading

https://themerkle.com/faceliker-facebook-malware-makes-a-surprising-comeback/

The Hard Apple: Why It’s Difficult to Acquire Malware on a Mac

It always seems like there is a new virus, new malware, new adware, that happens to pop up on a computer running Windows. But why do we not here about this happening on a Mac? The answer is hidden under the operating system, tracing it to it’s roots, along with the attacker’s target audience.

Apple Mac computers are a Unix based operating system. Unix is normally a very secure operating system with their own built in features. Along with this, Apple has added its own type of security features along with this. One of these features is called Gatekeeper. Gatekeeper blocks any software than hasn’t been digitally signed and approved by Apple. A second feature  used by Mac’s is known as the act of Sandboxing. The process involves the checking of applications to confirm that they are only doing what they’re supposed to be doing. Sandboxing also isolates the applications from system components and other parts of the computer that do not have anything to do with the app’s initial designed purpose. The final security that is used by Apple is called FileVault2, which is a simple file management system that encrypts all of the files on the Mac computers. These embedded securities created by Apple help to create a more secure system for their users.

Normally, it would be thought that Mac users would be an easy group to target, but based on recent data, it is seen by most attackers that the amount of people present in the Apple community is not worth the overall effort of making a virus or malware that can be successful for passing through all of the Apple security obstacles. The reason why there are very limited viruses/malware for Mac devices, is because the attackers have a greater and easier target audience for Windows users.

Regardless of the very few amount of Mac related viruses and malware, there have still been instances of them occurring. In just 2017, there has been a 230% increase in Mac malware. An example of this is the OSX/Dok malware. OSX/Dok occurred in April 2017 and was a trojan that would hijack all incoming and outgoing traffic with the Mac computer. The trojan was signed with a valid certificate from Apple, meaning that the hackers could have used a legitimate developers account to initialize this attack. Another attack that took place in February of 2017 was called MacDownloader. This adware would display to a user as a free update for the Adobe Flash Player. When the installer ran, the program would prompt the user that there is adware on the Mac and would prompt for the system password. This would then begin the process of transmitting data (ie. usernames, passwords, etc.) to a remote server. The final example of successful Mac malware would be one called Safari-Get. Happening in November of 2016, this was a type of social engineering that involved sending out links through emails and the link either opening multiple iTunes windows, or multiple draft emails (just depending on the Mac operating system version). This would cause the system to freeze or cause a memory overload and force a shutdown.

Regardless of the lack of effort put forth by attackers towards Mac users, there still should be some safety concern for users. This can be made easily by updating applications and being careful when clicking links or even opening certain files.

-Ryan Keihm

Sources

Do Macs get viruses, and do Macs need antivirus software?

16 Apple Security Advances to Take Note of in 2016

Tesco bank hacked, hackers attempt money transfer from around 20,000 compromised accounts

imgres

Tesco banks has recently announced that it has seen “suspicious transactions” from around 40,000 accounts over the weekend, and this has led them to actually shut down their site while they look into it.  At the moment of writing it is not known how much (if any) money was taken from the 20,000 of the aforementioned 40,000 account where withdrawals were attempted.

This has been called a much more recent and unique attack since most of the time when a bank is hacked only the larger accounts are compromised, and the attackers don’t bother with smaller accounts, in order to avoid a better chance of getting caught.  This also means that a hacked bank doesn’t have to shut down their site to investigate it, though in this instance it was so widespread the bank itself had to briefly shut down.

Apparently it is suspected that intruders found their way in via either a bug that was introduced with a website update, or through some third party connected to Tesco, as the attack was clearly done to the website, and not the core computer systems that provide most of the heavy lifting for the bank’s systems.

-jes5746

Source: http://www.bbc.com/news/business-37891742