Cyber security weekly summary 3 - 9 July

Last week was still dominated by the echoes of the NotPetya malware, which has been reclassified by the security experts from a ransomware to a destructive cyber-tool. Ukrainian authorities have also encountered a second wave of attacks by the virus. A newly found malware and several other incidents also affected crypto-currencies.

On 30 June, an unknown perpetrator used social engineering to gain control over the domain of the Classic Ether Wallet, which serves as a wallet system for the Ethereum Classic (ETC) crypto-currency. The attacker tricked the web hosting provider into believing he is the real owner of the domain, which allowed him to access web traffic and redirect ongoing transactions to his account.

The same day a major Bitcoin exchange, Bithumb, reported a hack that has resulted in the theft of personal data of about 30,000 customers. This included their names, mobile phone numbers and email addresses. As a subsequent investigation revealed, hackers have compromised a Bithub's employee computer. Although the stolen data did not contain any passwords, some clients reported fund withdrawals from their electronic wallets. Some of the users became victims of telephone scams that tricked them into giving away their one-time passwords, which granted the attackers access to the accounts.

On July 4, the Ukrainian police, together with the local intelligence service SBU, stopped another campaign of the malware known as NotPetya. According to the Ukrainian Interior Minister Arsen Avakov, the attacks led through updates of the M.E. Doc accounting software. Based on the analyses of several security companies, including Kaspersky Lab and ESET, the vector was incorporated into the software by unknown attackers (the Ukrainian authorities are pointing towards the Russian Federation), who hacked the computer of one of the М.Е. Doc developers. The same backdoor also served to spread the original NotPetya infection - impacting transportation, banking and power infrastructure, and the XData virus. The software manufacturer, Intellect Service, who originally denied their role in the attacks, have eventually admitted that its products had been compromised.

Following the above-mentioned events and prior events, NATO Secretary General Jens Stoltenberg stated at a press conference held on 10 July at a meeting of the NATO-Ukraine Commission in Kyiv, that the alliance is hoping for mutually beneficial cooperation with Ukraine in the field of cyber security. According to Stoltenberg's further statements, the NATO is in the process of providing Ukraine with new equipment to help investigate who is behind the attacks and to increase the security of key government institutions against cyberspace threats.

Despite the views of experts that the creators of the NotPetya virus do not pursue financial gains but rather a disruptive effect, on 4 July someone, who is claiming to be behind NotPetya, demanded ransom. Hackers have expressed their readiness to release the key to recover all malware encrypted files on the condition that they receive 100 bitcoins (some $ 200,000). They did so via the message on online storages DeepPaste and Pastebin containing a link to a dark web forum. The Bitcoin wallet was quickly emptied of the deposits from original NotPetya victims. Based on a new analysis from the Cylance security company, NotPetya was not meant to be used as a ransomware, which suggests that current the recent ransom demand is just a mean to conceal this fact.

Another important event was the publication of new materials about cyber-tools allegedly belonging to the CIA by WikiLeaks. The documents describe a pair of hacking tools focused on the Secure Shell (SSH) protocol - BothanSpy and Gyrfalcon. The first one allows the Xshell client to capture credentials from an open SSH connection. The second tool is used to compress, encrypt and store data acquired on Linux platforms from data traffic within OpenSSH.

Check Point's researchers warned about the CopyCat virus, which has reportedly infected 14 million devices since 2016. The malware distributed through an unauthorised application is altering the code of Zygote, daemon responsible for launching the apps, which gives the virus a strong foothold on affected devices. In addition to accessing the activity of all running applications, CopyCat can also steal credits earned by advertisers whenever an advertised software is downloaded as a result of a click on their banner.

On 6 July, specialists from Palo Alto Networks revealed information about new Trojan called SpyDealer, which is designed for Android devices. The malware, which has originally been spreading via compromised Wi-Fi networks, exfiltrates private data from more than 40 apps and steals messages from communication programs such as Skype and Viber. SpyDealer also supports a wide spectrum of surveillance options and is thus able to monitor users of the infected devices by recording their phone calls and the surrounding audio and video, taking screenshots and estimate their current location.

On 9 July, United States President Donald Trump tweeted that the US may form a cybersecurity partnership with Russia to defend against serious cyber-attacks. Referring to the current ceasefire agreement in southwest Syria, Trump stated that it's the time to work closely with Russia. Russian President Vladimir Putin has reportedly vehemently denied that Russia intervened with the US election process via cyberspace during the meeting. Donald Trump later on 10 July denied any plans to form such a cyber unit with Russia

About author: Roman Šulc

Partners

Tento web používá k analýze návštěvnosti soubory cookie. Používáním tohoto webu s tím souhlasíte. Další informace