Critical Infrastructure News

Researchers said Chinese intelligence officers are behind almost a decade's worth of network intrusions that use advanced malware to penetrate software and gaming companies in the US, Europe, Russia, and elsewhere. The hackers have struck as recently as March in a campaign that used phishing emails in an attempt to access corporate-sensitive Office 365 and Gmail accounts. In the process, they made serious operational security errors that revealed key information about their targets and possible location.

Researchers from various security organizations have used a variety of names to assign responsibility for the hacks, including LEAD, BARIUM, Wicked Panda, GREF, PassCV, Axiom, and Winnti. In many cases, the researchers assumed the groups were distinct and unaffiliated. According to a 49-page report published Thursday, all of the attacks are the work of the Chinese government's intelligence apparatus, which the report's authors dub the Winnti Umbrella. Researchers from 401TRG, the threat research and analysis team at security company ProtectWise, based the attribution on common network infrastructure, tactics, techniques, and procedures used in the attacks, as well as operational security mistakes that revealed the possible location of individual members.

Attacks associated with Winnti Umbrella have been active since at least 2009 and possibly date back to 2007. In 2013, antivirus company Kaspersky Lab reported that hackers using computers with Chinese and Korean language configurations used a backdoor dubbed Winnti to infect more than 30 online video game companies over the previous four years. The attackers used their unauthorized access to obtain digital certificates that were later exploited to sign malware used in campaigns targeting other industries and political activists.

Read more: Ars Technica

Department store chains Saks Fifth Avenue, Saks Off Fifth and Lord & Taylor have suffered a data breach that apparently exposed details on 5 million payment cards for customers in North America, Toronto-based parent organization Hudson's Bay Company said on Sunday.

Stolen card data first appeared for sale last Wednesday. "On March 28, 2018, a notorious hacking JokerStash syndicate, also known as Fin7, announced the latest breach of yet another major corporation, with more than five million stolen payment cards offered for sale on the dark web," Gemini Advisory says. "Several large financial institutions have confirmed that all tested records had been used before at Saks Fifth Avenue, Saks Fifth Avenue Off 5th - a discounted offset brand of luxury Saks Fifth Avenue stores - as well as Lord & Taylor stores."

The JokerStash syndicate has been tied to sales of payment card data stolen in earlier breaches, including a breach at Dallas-based luxury hotel chain Omni Hotels & Resorts that began in late 2015 and was discovered in May 2016 (see Omni Hotels & Resorts Hit by Hacker).

At the time, cybercrime intelligence firm Flashpoint told Information Security Media Group that the breach came to light after JokerStash began selling more than 50,000 payment cards stolen from Omni Hotels. Flashpoint said JokerStash was selling the stolen Omni card data via its own website while advertising it for sale on two Russian-language communities called Verified and Omerta.

Read more: Bank Info Security
A cloud environment owned and operated by Tesla was breached by hackers who used the company's compromised machines and computing resources to mine cryptocurrency, according to security researchers.

In a report published this week by security firm RedLock, it was revealed that Tesla suffered a breach because the vehicle manufacturer had failed to password-protect an open-source system that contained keys for accessing the company's cloud.

According to the report, once the attackers gained access to Tesla's cloud servers, they began running the cryptocurrency mining protocol Stratum to mine digital currency that they could pocket.

“We maintain a bug bounty program to encourage this type of research, and we addressed this vulnerability within hours of learning about it," Tesla said in a statement provided to International Business Times. "The impact seems to be limited to internally-used engineering test cars only, and our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way.”

The attackers used Tesla's cloud environment to do the heavy lifting of the mining process, essentially making the company's computers do all the work while they pocketed all of the profits generated by the operation.

The Stratum protocol was used to carry out the mining, and the hackers evaded detection by obscuring the true IP address of the mining server and keeping CPU usage low so as not to raise suspicion.

Read more: International Business Times

Hackers running malvertising campaign on YouTube to mine cryptocurrency

Security researchers have revealed how hackers are now bombarding YouTube videos with fake antivirus ads and running cryptojacking code without alerting users.

Malvertisers are running fake antivirus adverts on YouTube videos by abusing Google's DoubleClick ad platform and tricking users into downloading malware.

Security researchers at both Trend Micro and Adguard have unearthed a sophisticated malvertising operation that ran cryptomining software on visitors' systems without alerting them. Because such cryptomining consumes CPU power on users' systems, site operators are expected to inform users about it. Those behind the malvertising campaign did no such thing.

According to security firm Adguard, the campaign was exposed after YouTube users complained that their antivirus was alerting on mining attempts while they watched videos on YouTube. After deeper analysis, researchers concluded that malicious actors had abused Google's DoubleClick ad platform to run fake antivirus ads on YouTube videos, thereby tricking people into downloading malware.

'We discovered that advertisements found on high-traffic sites not only used Coinhive, but also a separate web miner that connects to a private pool. Attackers abused Google’s DoubleClick, which develops and provides Internet ad serving services, for traffic distribution. Data from the Trend Micro™ Smart Protection Network™ shows affected countries include Japan, France, Taiwan, Italy, and Spain,' noted researchers Chaoying Liu and Joseph C. Chen at Trend Micro.

The malvertising campaign was launched on such a large scale that the researchers observed a 285% increase in the number of Coinhive miners on January 24.

'The affected webpage will show the legitimate advertisement while the two web miners covertly perform their task. We speculate that the attackers’ use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices,' they added.

Speaking with Gizmodo, YouTube acknowledged the operation and termed it 'a relatively new form of abuse'. However, it also claimed that the malicious adverts were blocked in less than two hours, thanks to a multi-layered detection system set up by the company.

'Mining cryptocurrency through ads is a relatively new form of abuse that violates our policies and one that we’ve been monitoring actively. We enforce our policies through a multi-layered detection system across our platforms which we update as new threats emerge. In this case, the ads were blocked in less than two hours and the malicious actors were quickly removed from our platforms,' said YouTube.

Delaware hacker indicted in multimillion-dollar fraud scheme

His notoriety began seven years ago when he was arrested at a video game convention in Boston and accused of pirating $6 million worth of game code derived from a system used to train CIA agents for combat. May accepted a Boston judge's offer of pretrial probation in exchange for a dismissal of his case.

Last year evidence emerged that he was back on federal authorities' radar when police seized a $60,000 BMW Coupe and about $40,000 from his Brandywine Hundred residence. The FBI at the time declined to say why the assets had been seized.

The recent indictment against May states that the car was purchased through ill-gotten gains from the alleged fraud scheme.

That scheme began in April 2016 when May and other unnamed "co-schemers" obtained legitimate serial numbers for expensive Cisco computer hardware that they did not own, prosecutors say. The indictment does not state how they obtained those serial numbers.

The group set up false online aliases to make it appear they worked for a legitimate company. They then submitted warranty claims for the equipment associated with the ill-gotten serial numbers, the indictment states.

Their goal was to pose as legitimate owners of the computer components and present problems to Cisco engineers that they knew would require the company to replace the hardware under a warranty program.

Through such misrepresentations, May and his conspirators were able to convince Cisco to ship approximately 169 pieces of computer hardware to replace technology they never owned. In all, May received some 155 pieces of computer hardware — valued at $2.3 million.

He and his conspirators had submitted requests to replace some 266 pieces of equipment from Cisco, tot. It is unclear how the group's scheme was discovered. The indictment states that they agreed to return the equipment they had reported as broken, but never did.