February 2018: Threats in Review
You’ll be excited to hear that in February, events were queuing up to make our top 5. As always, it takes some confidence and subjectivity to single out threats and rank them. We’d like to give a shout-out to our German colleagues contributing to Cubespotter, which did some of the heavy lifting for this one.
1. Cryptojacking attacks
As friendly as it seems, “borrowing your CPU” to mine for cryptocurrency is increasing tremendously. SecureLink’s cyber defense center statistics show that cryptojacking is rapidly overtaking ransomware as aspiring criminals’ weapon of choice. In the news, Tesla was hit (according to them, no data was stolen). At SecureLink, we’ve helped several customers with cryptojacking malware outbreaks. The Smominru botnet reaches over half a million infected Windows servers. Let’s just contemplate that for a moment. Half a million is a lot. Granted, it’s not the size of the 2010 Bredolab, but WannaCry was just 300,000 and NotPetya was around 16,000.
As cryptojacking shifts the risk model, we’ve dedicated a long read to this topic, and we’re following the events closely.
2. Trustico SSL certificate drama
A soap-like drama happened in PKI land, involving Trustico, an SSL reseller, and DigiCert. In order to force a revocation of issued certificates (likely to accommodate a new certificate supplier), the Trustico CEO e-mailed over 20 thousand private keys to DigiCert, thereby forcing them to revoke the associated certificates, as the procedures require once a key is known to be compromised. You can read an educated guess on the origins of this brazen action here, just before you face-palm, bow your head, and acknowledge that PKI is very much broken. Remember that the next time you observe a green padlock in your browser bar.
3. Olympic destroyer
Cyber sleuths had a fantastic time attributing Olympic Destroyer. This malware is a wiper, targeting the 2018 Winter Olympics, which managed to affect non-critical systems. Olympic Destroyer wasn’t the biggest attack ever, and the risk to you was probably close to zero, but it’s a very interesting attack for two reasons.
Last year, the largest destructive attacks masqueraded as ransomware. WannaCry, NotPetya (and to some extent BadRabbit) all caused destruction, but essentially they were wipers. Olympic Destroyer didn’t even pretend to be ransomware anymore: it started by deleting Windows shadow copies and then continued its path of destruction. This indicates that ransomware seems to be disappearing as a criminal business model and is evolving into a nation-state weapon or an activist tool.
There were false flags planted inside the malware, pointing to what The Register calls “the Norks” (or, as the infosec industry calls them, Lazarus). The Lazarus group, loosely attributed to working with or in North Korea, seems to be becoming the ultimate scapegoat for cyber operations. The attackers imitated some of Lazarus’s technical fingerprints in the malware, but researchers found these so blatantly obvious that they didn’t buy them.
So someone’s trying to blame “the Norks”, but that’s pretty much all we know. As attackers get bolder and more creative in their approach, we flag this type of destructive attack as one to watch for the future, which is why this is #3.
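The shadow-copy deletion mentioned above is an early, visible step in this kind of wiper, so it is a useful detection point. The following is an added example (not code from the original post or from any vendor) that scans constructed, Sysmon-style process-creation records for the real Windows commands that delete shadow copies; the log format, host names and the backup agent path are assumptions made up for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed sample process-creation events ("key=value" fields separated by "|").
# These are made up for this example, not telemetry from any real incident.
SAMPLE_EVENTS = [
    "ts=2018-02-09T20:01:11Z|host=ws-olymp-01|user=CORP\\jdoe|parent=C:\\Windows\\explorer.exe|cmd=C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "ts=2018-02-09T20:02:43Z|host=ws-olymp-01|user=CORP\\jdoe|parent=C:\\Windows\\System32\\cmd.exe|cmd=vssadmin.exe Delete Shadows /All /Quiet",
    "ts=2018-02-09T20:03:10Z|host=srv-backup-02|user=CORP\\svc_backup|parent=C:\\Program Files\\AcmeBackup\\agent.exe|cmd=vssadmin.exe list shadows",
    "ts=2018-02-09T20:05:57Z|host=ws-olymp-07|user=CORP\\asmith|parent=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmd=wmic.exe shadowcopy delete",
    "ts=2018-02-09T20:06:02Z|host=ws-olymp-07|user=CORP\\asmith",  # truncated record: no cmd field
]

# Shadow-copy deletion via built-in Windows tooling, matched case-insensitively.
# Listing shadows (e.g. "vssadmin list shadows") is routine and is not matched.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
}

def parse_event(line: str) -> Dict[str, str]:
    """Split a 'k=v|k=v' record into a dict; values may contain '=', so split each part once."""
    fields: Dict[str, str] = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def match_rule(cmd: str) -> Optional[str]:
    """Return the name of the first rule the command line triggers, or None."""
    for name, pattern in RULES.items():
        if pattern.search(cmd):
            return name
    return None

def find_shadow_copy_deletions(lines: List[str]) -> List[Dict[str, str]]:
    """Return one alert per event whose command line deletes shadow copies."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("cmd")
        if not cmd:  # truncated or malformed record: nothing to inspect
            continue
        rule = match_rule(cmd)
        if rule:
            alerts.append({"host": ev.get("host", "?"), "user": ev.get("user", "?"),
                           "parent": ev.get("parent", "?"), "cmd": cmd, "rule": rule})
    return alerts

if __name__ == "__main__":
    for a in find_shadow_copy_deletions(SAMPLE_EVENTS):
        print(f"{a['rule']}: host={a['host']} user={a['user']} parent={a['parent']} cmd={a['cmd']}")
```

The parent process is carried in each alert so an analyst can separate a backup agent's legitimate maintenance from an interactive shell or script deleting shadows, which is the sequence described for Olympic Destroyer.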
4. All the other stuff
Next month, there will be more.
5. Bonus: vulnerabilities in bittorrent client µTorrent
We know you use µTorrent only to download public domain content and open source software. It’s not about that. The issue is that there were remote code execution vulnerabilities in the client, the worst kind. It would be so unfair if sharing and downloading open source and public domain content led to your machine being completely pwned. So please update your µTorrent client, and don’t worry about the fact that the initial fixes didn’t completely fix the vulnerability. Also, don’t use Russian BitTorrent clients such as, say, MediaGet. They might have been poisoned to distribute malware. Happy sharing!
References and more reading:
- Mashable – Someone hacked a Tesla cloud account to mine cryptocurrency
- ZDNet – A giant botnet is forcing Windows servers to mine cryptocurrency
- Wikipedia – Bredolab botnet
- DigiCert – DigiCert Statement on Trustico Certificate Revocation
- Twitter – Geoffrey Thomas
- The Register – Surprise: Norks not actually behind Olympic Destroyer malware outbreak
- Business Insider – Winter Olympics organizers say the ‘Olympic Destroyer’ cyberattack took down their computer servers during opening ceremonies
- Forbes – How Similar Are WannaCry and Petya Ransomware?
- ZDNet – Meet Coldroot, a nasty Mac trojan that went undetected for years
- The Hacker News – Hackers Exploit ‘Telegram Messenger’ Zero-Day Flaw to Spread Malware
- Chromium – utorrent: various JSON-RPC issues resulting in remote code execution, information disclosure, etc.
- TripWire – Poisoned BitTorrent client kickstarted malware outbreak that tried to infect 400,00 PCs