More stories


    Hackers are exploiting unpatched VoIP flaws to compromise business accounts

    A hacking campaign has compromised VoIP (Voice over Internet Protocol) phone systems at over 1,000 companies around the world over the past year in a campaign designed to make profit from selling compromised accounts.
    While the main purpose appears to be dialling premium rate numbers owned by attackers or selling phone numbers and call plans that others can use for free, access to VoIP systems could provide cyber criminals with the ability to conduct other attacks, including listening to private calls, cryptomining, or even using compromised systems as a stepping stone towards much more intrusive campaigns.


    Detailed by cybersecurity researchers at Check Point, one hacking group has compromised the VoIP networks of almost 1,200 organisations in over 20 countries by exploiting the vulnerability, with over half the victims in the UK. Industries including government, military, insurance, finance and manufacturing are believed to have fallen victim to the campaign.
    Other countries where organisations fell victim to these attacks include the Netherlands, Belgium, the United States, Colombia and Germany.
    The attacks exploit CVE-2019-19006, a critical vulnerability in Sangoma and Asterisk VoIP phone systems that allows outsiders to remotely gain access without any form of authentication. A security patch to fix the vulnerability was released last year, but many organisations have yet to apply it – and cyber criminals are taking advantage of this by scanning for unpatched systems.
    “The vulnerability is an authentication bypass flaw, and the exploit is publicly available. Once exploited, the hackers have admin access to the VoIP system, which enables them to control its functions. This will not be detected unless an IT team is specifically looking for it,” Derek Middlemiss, security evangelist at Check Point Research, told ZDNet.

    One of the most common means the hacked systems are exploited for is making outgoing calls without the VoIP system being aware, which would allow attackers to secretly dial premium rate numbers they’ve set up in order to generate money at the expense of the compromised organisation. And because businesses make so many legitimate phone calls on these systems, it’d be difficult to detect if a server is being exploited.
    The attackers also make money by selling access to the systems to the highest bidder, something that could potentially be used for other cyberattacks that could be more dangerous to victims.
    “It’s likely that those attacks can be leveraged for other malicious activity such as cryptomining and for eavesdropping,” said Middlemiss.
    And it’s potentially possible for attackers to use a compromised VoIP system as a gateway to the rest of the network, opening up the possibility of stealing credentials or deploying malware.
    “That’s depending on how the server is configured and connected to the rest of the corporate network. If it is not segmented from the rest of the network, attackers could move laterally,” he added.
    It’s recommended that organisations change default usernames and passwords on devices so they can’t easily be exploited and, if possible, analyse call billings on a regular basis for potentially suspicious destinations, volumes of traffic or call patterns.
    And most importantly, organisations should apply the required security patches to prevent known vulnerabilities from being exploited.
    “Always look for and apply new patches for everything on your network to ensure vulnerabilities like this are closed off,” said Middlemiss.
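    The article's closing advice is to review call billing for suspicious destinations, volumes and patterns. The following is an added example of that review, not code from Check Point or ZDNet: it parses constructed call-detail records (the CSV layout, the "expected" dialling prefixes, the working-hours window and the per-extension volume threshold are all assumptions a real deployment would replace with its own) and reports the three kinds of finding the article names.

```python
"""Review constructed call-detail records (CDRs) for the billing patterns the
article recommends checking: unexpected destinations, out-of-hours calls and
volume spikes.  Added example, not Check Point's or ZDNet's code; the CDR
format, prefix list, hours and threshold below are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample CDRs: timestamp, source extension, dialled number, seconds.
# Extension 1003 places a burst of calls to an unfamiliar prefix at 02:00.
SAMPLE_CDRS = """\
2020-11-05T09:12:00,1001,+442071234567,180
2020-11-05T09:40:00,1002,+442071234568,95
2020-11-05T10:05:00,1001,+442071234569,300
2020-11-06T02:14:00,1003,+88213123456,610
2020-11-06T02:16:00,1003,+88213123457,590
2020-11-06T02:19:00,1003,+88213123458,605
2020-11-06T02:22:00,1003,+88213123459,620
2020-11-06T02:25:00,1003,+88213123460,615
2020-11-06T02:28:00,1003,+88213123461,600
2020-11-06T14:00:00,1002,+442071234570,60
"""

# Assumed policy: prefixes the business normally dials, its working hours,
# and how many calls from one extension within an hour count as a spike.
EXPECTED_PREFIXES = ("+44",)
WORK_HOURS = range(8, 19)          # 08:00-18:59 local time
MAX_CALLS_PER_EXT_PER_HOUR = 5


def parse_cdrs(text):
    """Turn the CSV text into a list of record dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ext, dest, secs = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "ext": ext,
            "dest": dest,
            "seconds": int(secs),
        })
    return records


def review_cdrs(records):
    """Return (kind, extension, detail) findings for an analyst to look at."""
    findings = []
    per_hour = defaultdict(int)
    for r in records:
        if not r["dest"].startswith(EXPECTED_PREFIXES):
            findings.append(("unexpected_destination", r["ext"], r["dest"]))
        if r["time"].hour not in WORK_HOURS:
            findings.append(("out_of_hours", r["ext"], r["time"].isoformat()))
        per_hour[(r["ext"], r["time"].strftime("%Y-%m-%dT%H"))] += 1
    for (ext, hour), n in per_hour.items():
        if n > MAX_CALLS_PER_EXT_PER_HOUR:
            findings.append(("volume_spike", ext, f"{n} calls in hour {hour}"))
    return findings


def summarize(findings):
    """Count findings by kind, e.g. for a daily billing report."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    for finding in review_cdrs(parse_cdrs(SAMPLE_CDRS)):
        print(*finding)
```

Against the constructed records every finding points at extension 1003, which is the point of a billing review: one compromised extension dialling an unfamiliar prefix in a burst at 02:00 stands out even when the rest of the day's traffic looks ordinary.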


    New APT hacking group leverages ‘KilllSomeOne’ DLL side-loading

    A new advanced persistent threat (APT) group, believed to be Chinese, is performing DLL side-loading attacks whose samples include the phrase “KilllSomeOne.”

    According to Sophos researcher Gabor Szappanos, the group — suspected to be of Chinese origin — is targeting corporate organizations in Myanmar using poorly-written English messages relating to political subjects. 
    Side-loading utilizes DLL spoofing to abuse legitimate Windows processes and execute malicious code. While nothing new, Sophos said in a blog post on Wednesday that this APT combines four separate types of side-loading attack when carrying out targeted campaigns. 
    Each attack type is connected by the same program database (PDB) path, and some of the samples recorded and connected to the cybercriminals contain the folder name “KilllSomeOne.”
    “Two of these delivered a payload carrying a simple shell, while the other two carried a more complex set of malware,” Sophos says. “Combinations from both of these sets were used in the same attacks.”
    In the first scenario, a Microsoft antivirus component is used to load mpsvc.dll, a malicious loader for Groza_1.dat. While encryption is in play, it is nothing more than a simple XOR algorithm and the key is the string: “Hapenexx is very bad.”

    The second sample leverages AUG.exe, a loader called dismcore.dll, and the same payload and key are used — but in this case, both the file name and decryption key are encrypted with a one-byte XOR algorithm.
    The Groza_1.dat payload is PE shellcode which loads the final payload into memory for execution, connecting to a command-and-control (C2) server which could be used to issue commands or deploy additional malware. An unused string called “AmericanUSA” was also noted. 
    The other two samples, using payload file names adobe.dat and x32bridge.dat, are more sophisticated and use a shell to establish persistence, for obfuscation, and to “prepare file space for collecting data,” the researchers say. 
    One notable difference is a change in the encryption key, using the string “HELLO_USA_PRISIDENT.”
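    The decryption described above (a string key XORed over the payload, and in the second sample a one-byte XOR over the file name and the key string itself) is the kind of thing an analyst reimplements to unpack such samples. The block below is an added example, not Sophos's code: the key strings are the ones quoted in the article, the encrypted blob is constructed rather than taken from the malware, and the MZ/PE sanity check on the decoded output is an assumption about what a correctly decoded blob should look like.

```python
"""Repeating-key and one-byte XOR decoding of the kind an analyst uses to
unpack the samples described above.  Added example, not Sophos's code: the
payload bytes are constructed, the key is the string quoted in the article,
and the PE-header sanity check is an assumption about the decoded output."""
from itertools import cycle
from typing import Optional

PAYLOAD_KEY = b"Hapenexx is very bad."   # key string quoted in the article


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key.  XOR is its own inverse, so the same
    call both encrypts and decrypts."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def recover_single_byte_key(ciphertext: bytes, known_plaintext: bytes) -> Optional[int]:
    """For the one-byte XOR layer: derive the key from a known plaintext (here,
    the key string reused from the first sample) and return it only if a
    single byte explains every position of the overlap."""
    if not ciphertext or not known_plaintext:
        return None
    n = min(len(ciphertext), len(known_plaintext))
    candidates = {c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n])}
    return candidates.pop() if len(candidates) == 1 else None


def looks_like_pe(blob: bytes) -> bool:
    """Cheap sanity check on a decoded blob: an MZ header and a PE signature at
    the offset stored in e_lfanew (assumed shape of the decoded output)."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_constructed_sample() -> bytes:
    """Construct a minimal MZ/PE-shaped blob and XOR it with PAYLOAD_KEY.
    This stands in for an encrypted .dat file; it is not real malware."""
    image = bytearray(0x48)
    image[0:2] = b"MZ"
    image[0x3C:0x40] = (0x40).to_bytes(4, "little")
    image[0x40:0x44] = b"PE\x00\x00"
    image[0x44:0x48] = b"test"
    return xor_bytes(bytes(image), PAYLOAD_KEY)


def decode_sample(encrypted: bytes, key: bytes) -> Optional[bytes]:
    """Decrypt and return the blob only if it passes the sanity check, so a
    wrong key is reported as a failure rather than as garbage output."""
    decoded = xor_bytes(encrypted, key)
    return decoded if looks_like_pe(decoded) else None


if __name__ == "__main__":
    enc = build_constructed_sample()
    print("decoded OK:", decode_sample(enc, PAYLOAD_KEY) is not None)
    # Second-sample style: the key string itself stored under a one-byte XOR
    # (0x5A is a constructed byte, not a value from the samples).
    wrapped_key = xor_bytes(PAYLOAD_KEY, bytes([0x5A]))
    print("one-byte key:", hex(recover_single_byte_key(wrapped_key, PAYLOAD_KEY)))
```

The known-plaintext step is why reusing the same key string across samples matters to an analyst: once one sample gives up the plaintext key, the one-byte wrapper on the next sample is recoverable from a single comparison.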
    The payloads will deploy an installer and additional components for another set of DLL side-loading attacks in a number of directories and will assign the files “hidden” and “system” attributes. 
    “The installer then closes the executable used in the initial stage of the attack, and starts a new instance of explorer.exe to side-load the dropped DLL component,” the team says. “This is an effort to conceal the execution.”
    The malware will also kill running processes that could interfere with side-loading attempts, create a registry key to establish persistence, and begin to exfiltrate data.
    According to the researchers, the APT doesn’t fit in neatly with standard cyberattack group descriptives as the messages hidden in their samples and the simple implementation of much of their coding leans toward script-kiddie levels — but at the same time, the targeting and deployment strategy is more commonly associated with sophisticated APTs. 
    “Based on our analysis, it’s not clear whether this group will go back to more traditional implants like PlugX or keep going with their own code,” Sophos says. “We will continue to monitor their activity to track their further evolution.”
    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    US, Brazilian law enforcement seize $24 million in cryptocurrency generated through online fraud

    US and Brazilian authorities have seized $24 million in cryptocurrency connected to an online scheme that allegedly defrauded “tens of thousands” of investors.
    Upon request from the government of Brazil, US law enforcement participated in “Operation Egypto,” a Brazilian federal investigation into the suspected scam, the US Department of Justice (DoJ) said on Wednesday. 
    The collaborative effort, made under the Mutual Legal Assistance in Criminal Matters treaty, tracked down suspect Marcos Antonio Fagundes, who is being charged with the operation of a financial institution without legal authorization, fraudulent management of a financial institution, misappropriation, money laundering, and the violation of securities law. 
    Prosecutors allege that between August 2017 and May 2019, Fagundes and co-conspirators used the internet to find and solicit investors — sometimes together with communication over the phone — and convince them to invest in new financial “opportunities.”
    The victims of the alleged scam would then part with funds in either Brazilian currency or cryptocurrency, believing that the investment would be poured into companies that Fagundes and his associates controlled. 
    These companies, the DoJ says, were meant to then invest in virtual assets. However, only a “very small amount” of the funds were used for this purpose — while the rest went into the pockets of the alleged fraudsters. 

    As a result, investors saw close to nothing in return for their cash.
    “To carry out the scheme, the conspirators are alleged to have made false and inconsistent promises to investors about the way the funds were invested and exaggerated the rates of return,” the DoJ added. 
    Operation Egypto investigators estimate that tens of thousands of investors handed over more than $200 million. 
    After the Brazilian court issued a seizure order for any cryptocurrency held by Fagundes in the US, $24 million was recovered with help from the cryptocurrency exchanges holding his wallets. 
    The investigation is ongoing. However, Brazilian authorities, the FBI, and other parties intend to hold the cryptocurrency as part of future forfeiture proceedings to try and compensate the investors involved, at least, to some level. 
    This week, the DoJ also announced the seizure of 27 web domains used by Iran’s Islamic Revolutionary Guard Corps (IRGC) to spread propaganda and misinformation under the guise of legitimate news outlets. 


    Capcom quietly discloses cyberattack impacting email, file servers

    Capcom has disclosed a cyberattack that impacted the company’s operations over the weekend. 

    The Osaka, Japan-based video game developer said in a notice dated November 4 that two days prior, beginning in the early morning, “some of the Capcom Group networks experienced issues that affected access to certain systems” due to a cyberattack. 
    Email and file servers were impacted. 
    Capcom has described the attack as “unauthorized access” conducted by a third party. As the security incident took place, the company stopped some operations on its internal networks, likely to prevent the cyberattack from spreading further and potentially compromising additional corporate resources. 
    Capcom claims that there is “no indication” that customer information has been accessed or compromised; at least, at this stage. 
    “This incident has not affected connections for playing the company’s games online or access to its various websites,” the company said. “Capcom expressed its deepest regret for any inconvenience this may cause to its various stakeholders.”

    At the time of writing, Capcom says it is “unable to reply to inquiries and/or to fulfill requests for documents” made through the investor relations contact form.
    The game developer is currently working toward restoring its systems and has reported the cyberattack to law enforcement. 
    Capcom has not revealed any further details relating to the attack, but the company is not the only game developer targeted this year. In October, Ubisoft and Crytek were the victims of the Egregor ransomware gang, which attempted to extort a ransom payment from the firms under threat of publicly releasing proprietary data stolen during the attacks. 
    Egregor is an active ransomware group believed to be responsible for cyberattacks against GEFCO and Barnes & Noble. Researchers from Malwarebytes suspect that past affiliates of the Maze ransomware group — now retired from the scene — are now turning to Egregor as an alternative. 


    Company that runs US illegal immigration detention centers discloses ransomware attack

    The GEO Group, a company known for running private prisons and illegal immigration detention centers in the US and other countries, says it suffered a ransomware attack over the summer.

    Personal data and health information for some inmates and residents was exposed during the incident, which took place on August 19.
    This includes data for inmates and employees at the South Bay Correctional and Rehabilitation Facility in Florida, a youth facility in Marienville, Pennsylvania, and a now-closed facility in California, the company told ZDNet.
    “GEO implemented several containment and remediation measures to address the incident, restore its systems and reinforce the security of its networks and information technology systems,” the company said.
    GEO said it recovered its data but did not say if this meant restoring from backups or paying the ransomware gang to decrypt its files.
    In documents filed with the US Securities and Exchange Commission (SEC) on Tuesday, the GEO Group played down the security breach and said its aftermath won’t have any material impact on its business, operations, or financial results.
    The company is now sending data breach notification letters to all impacted individuals.

    Exposed personal details could include name, address, date of birth, Social Security number, employee ID number, driver’s license number, medical treatment information, and other health-related information.
    The incident impacted only a small portion of the GEO Group’s network, which includes 123 private prisons, processing centers, and community reentry centers in the United States, Australia, South Africa, and the United Kingdom.
    US government contracts accounted for more than half of the GEO Group’s 2019 revenue, according to the company’s yearly 10-K form filed with the SEC.
    The company’s stock price fell 14% from $9.76 at the end of trading on Tuesday to $8.38 the next day, after GEO disclosed the incident.


    US seizes another crop of Iranian propaganda domains masked as news outlets

    Image: Department of Justice
    The United States announced on Wednesday it has seized 27 domains that were used by Iran’s Islamic Revolutionary Guard Corps (IRGC) to spread global covert influence campaigns.
    According to the Department of Justice (DoJ), four of the 27 domain names — “rpfront.com”, “ahtribune.com”, “awdnews.com”, and “criticalstudies.org” — were seized as they breached the Foreign Agents Registration Act, which requires website holders to submit periodic registration statements containing truthful information about their activities and the income earned from them. 
    The four domains purported to be genuine news outlets, but they were controlled by the IRGC and targeted audiences in the United States with pro-Iranian propaganda, the department said in a statement.
    Meanwhile, the remaining 23 domains were seized as they targeted audiences in other parts of the world, the department added.
    The domains were identified by the DoJ through ongoing collaboration with Google, Facebook, Twitter, and the Federal Bureau of Investigation (FBI).
    This follows an earlier crop of similar seizures made by the DoJ last month. For that earlier crop, the DoJ shut down 92 domains that were also used by the IRGC for disinformation campaigns.
    “Within the last month we have announced seizures of Iran’s weapons, fuel, and covert influence infrastructure,” said John Demers, assistant attorney general for National Security.  

    “As long as Iran’s leaders are trying to destabilise the world through the state-sponsorship of terrorism and the taking of hostages, we will continue to enforce US sanctions and take other legal steps to counter them.”
    In the past two months, the United States has made concerted efforts to publicly disclose Iranian foreign interference. In late October, the US Treasury department issued sanctions against five Iranian entities for allegedly attempting to influence the 2020 presidential elections. The five entities were allegedly controlled by the Iranian government and disguised themselves as news organisations or media outlets. 
    On the same day of the sanctions being issued, high-ranking government officials accused Iran of being behind a wave of spoofed emails that were sent to US voters. Spoofing the identity of violent extremist group Proud Boys, the emails threatened registered Democrat voters with repercussions if they didn’t vote for Donald Trump in the upcoming US presidential election.  
    Meanwhile, Twitter said at the start of October that it removed around 130 Iranian Twitter accounts as they attempted to disrupt the public conversation following the first presidential debate.
    Twitter said it learned of the accounts following a tip from the FBI.
    “We identified these accounts quickly, removed them from Twitter, and shared full details with our peers, as standard,” the social network said at the time.


    Russian authorities make rare arrest of malware author

    Image: D-Keine / Getty Images
    Russian authorities arrested a malware author at the end of September, an action that is extremely rare in a country known to usually be soft on hackers.

    According to the Russian Ministry of Internal Affairs, the suspect is a 20-year-old from the region of North Ossetia–Alania.
    Russian authorities claim that between November 2017 and March 2018, the suspect created several malware strains, which he later used to infect more than 2,100 computers across Russia.
    Authorities said that besides operating the malware himself, the suspect also worked with six other accomplices to distribute the malware, which eventually brought the group more than 4.3 million Russian rubles (~$55,000) in profit.
    While Russian law enforcement did not share the malware author’s name, Benoit Ancel, a malware analyst at the CSIS Security Group, said last week and today on Twitter that the suspect is a Russian hacker he and other security researchers have been tracking under the nickname of “1ms0rry.”
    Ancel is in the perfect position to identify this malware developer. In April 2018, Ancel worked together with other security researchers to track down 1ms0rry’s online operations and malware arsenal.
    According to this report, Ancel linked 1ms0rry to malware strains such as:
    1ms0rry-Miner: a trojan that, once installed on a system, starts secretly mining cryptocurrency to generate profit for its author.
    N0f1l3: an info-stealer trojan that can extract and steal data from infected computers. Capabilities include the ability to steal browser passwords, cryptocurrency wallet configuration files, Filezilla FTP credentials, and specific files stored on a user’s desktop.
    LoaderBot: a trojan that can be used to infect victims in a first stage and then deploy other malware on-demand during a second stage (aka a “loader”).

    The French security researcher said 1ms0rry sold his malware strains on Russian-speaking hacker forums and that some of his creations were also eventually used to create even more powerful malware strains, such as Bumblebee (based on the 1ms0rry-Miner), FelixHTTP (based on N0f1l3), and EnlightenedHTTP and the highly popular Evrial (which shared some code with 1ms0rry’s creations).

    LoaderBot control panel
    Image: Benoit Ancel
    The 2018 report also exposed 1ms0rry’s real-world identity as a talented young programmer from the city of Vladikavkaz, who at one point even received praise from local authorities for his involvement in the cyber-security field.
    However, the young programmer made a major mistake by allowing his malware to infect Russian users.
    It is no mystery by this point that Russian authorities will turn a blind eye to cybercrime operations as long as cybercriminals don’t target Russian citizens and local businesses.
    For the past decade, Russian cybercrime groups have gone unpunished for operations carried out outside of Russia’s borders, with Russian officials declining to extradite Russian hackers despite repeated indictments by US authorities.
    Today, all major Russian-speaking hacking forums and black market sites make it very clear in their rules that members are forbidden from attacking users in the former Soviet space, knowing that by not attacking Russian citizens, they will be left alone to operate undisturbed.
    It’s because of these forum rules that a large number of malware strains today come hard-coded to avoid infecting Russian users.
    However, 1ms0rry appears to have either not been aware of this rule or chose to willfully ignore it for additional profits, for which he appears to have paid the price.


    Spike in Emotet activity could mean big payday for ransomware gangs

    There’s been a massive increase in Emotet attacks, and cyber criminals are taking advantage of machines compromised by the malware to launch further malware infections as well as ransomware campaigns.
    The October 2020 HP-Bromium Threat Insights Report reports a 1,200 per cent increase in Emotet detections from July to September compared to the previous three months in which deployment of the malware appeared to decline.
    Since emerging in 2018, Emotet has regularly seen surges in activity and then seemingly disappeared, only to come back again, a pattern which researchers suggest is going to continue well into 2021.
    Emotet often gains a foothold into networks via phishing emails and those behind it have been seen to use thread hijacking in an effort to make the emails look more legitimate – people are more likely to download an attachment if it looks to come from a colleague or someone else they know.
    The attacks and malicious attachments are customised depending on the location of the intended victim with phishing email templates and lures written in English, French, German, Greek, Hindi, Italian, Japanese, Spanish and Vietnamese.
    Despite starting life as a banking trojan, the key for Emotet is now simply to compromise as many machines as possible, creating backdoors into networks which its operators can sell on to other malware operators as a gateway for their own malicious campaigns. Emotet infections are a popular starting point for ransomware attacks.

    “The targeting of enterprises is consistent with the objectives of Emotet’s operators, many of whom are keen to broker access to compromised systems to ransomware actors. Within underground forums and marketplaces, access brokers often advertise characteristics about organisations they have breached – such as size and revenue – to appeal to buyers,” said Alex Holland, senior malware analyst at HP.
    “Ransomware operators in particular are becoming increasingly targeted in their approach to maximize potential payments, moving away from their usual spray-and-pray tactics,” he added. “This has contributed to the rise in average ransomware payments, which has increased by 60 per cent.”
    To help protect against Emotet and other malware attacks, it’s recommended that organisations implement email content filtering in order to reduce the chance of a malicious attachment successfully being delivered.
    Organisations should also ensure that their network is patched with the latest security updates as it can go a long way to protecting against cyber attacks exploiting known vulnerabilities.
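    The email content filtering the article recommends comes down to a policy applied to every inbound attachment. What follows is an added example of such a policy check, not HP's or ZDNet's code: it builds constructed messages with Python's standard email library, then classifies each attachment as allowed, held for review, or blocked. The extension lists, the "no filename means review" rule and the sample messages are all assumptions a real mail gateway would tune.

```python
"""Attachment policy check of the kind an inbound email content filter applies.
Added example, not HP's or ZDNet's code; the extension lists and the sample
messages are constructed assumptions."""
import email
from email import policy
from email.message import EmailMessage

# Assumed policy: extensions never accepted inbound, and extensions held for
# review because they may carry macros (a common malicious-document vector).
BLOCKED_EXT = {"exe", "scr", "js", "jse", "vbs", "hta", "lnk", "iso"}
REVIEW_EXT = {"docm", "xlsm", "pptm", "doc", "xls"}
_ORDER = {"allow": 0, "review": 1, "block": 2}


def classify_attachment(filename: str) -> str:
    """Return 'block', 'review' or 'allow' for one attachment name.  Only the
    final extension counts, so 'invoice.pdf.exe' is judged by 'exe'."""
    name = filename.lower().strip()
    if not name:
        return "review"            # unnamed attachments are not auto-delivered
    ext = name.rsplit(".", 1)[-1] if "." in name else ""
    if ext in BLOCKED_EXT:
        return "block"
    if ext in REVIEW_EXT:
        return "review"
    return "allow"


def classify_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and return the strictest verdict across
    its attachments, plus the per-attachment reasons for the mail log."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = [(part.get_filename() or "", classify_attachment(part.get_filename() or ""))
                for part in msg.iter_attachments()]
    overall = max((v for _, v in verdicts), key=_ORDER.get, default="allow")
    return {"verdict": overall, "attachments": verdicts}


def build_sample(*filenames: str) -> bytes:
    """Construct a multipart message with one octet-stream attachment per
    name.  The addresses and subject are placeholders, not real mail."""
    msg = EmailMessage()
    msg["From"] = "colleague@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "RE: invoice"        # reply-style subject, as in thread hijacking
    msg.set_content("Please see attached.")
    for fname in filenames:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()


if __name__ == "__main__":
    for names in (("invoice.pdf.exe",), ("report.docm",), ("notes.txt", "setup.scr")):
        print(names, "->", classify_message(build_sample(*names))["verdict"])
```

The verdict is the strictest one across all parts, so a benign text file riding alongside a blocked executable does not rescue the message. A production filter would add archive inspection and content-type checks on top of this, since a filename is the weakest signal an attachment carries.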