Cryptocurrency miners go nuclear, RSA blunder, Winner back in court, and plenty more

The ups and downs of security this week

Roundup Here's a quick summary of infosec news from this week, beyond what we've already covered.

Cloud security shop Cyren surveyed 500,000 websites over the past four months, and said it saw a 725 per cent increase in the use of surreptitious crypto-coin mining code. The bulk of that code has shown up in the past two months, and it's clear the rising price of Monero and the ease of installation of JavaScript mining code on pages is proving an attractive combination.

We're still only talking about 1.4 per cent of the websites surveyed actually running coin-crafting scripts, but in some areas the use of coin mining software is becoming very popular. Based on numerous reports, if you're visiting illegal streaming sites or pornography channels, it's likely that your PC will be running on overdrive making coin for others.

But that's not enough for some. The Qihoo 360 Netlab team has found an advertising network that is also bundling currency mining code in adverts – it's not enough to bombard you with pitches it seems, now these people want more.

The sneaky scumbags at this ad network use a domain generation algorithm to churn out fresh, random-looking domains for serving the ads and the miner, evading ad blockers that filter out adverts and mining code by domain name: a blocklist built from yesterday's domains never matches today's.
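To make the evasion concrete, here is an added example in Python, not code from the article, from Netlab, or from the ad network: a hypothetical date-seeded domain generation algorithm, a static blocklist that misses every one of today's domains, and the defender's counter once the algorithm and seed have been reversed, which is to pre-compute the domains and block them in advance. The seed, dates and per-day domain count are made up.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical DGA for illustration; not the algorithm Netlab observed.
# One domain per (seed, day, index): the same inputs always give the same domain,
# so the operator and a defender who has reversed it can both compute the list.
def dga_domain(seed: bytes, day: date, index: int, tld: str = "com") -> str:
    material = seed + day.isoformat().encode() + index.to_bytes(4, "big")
    label = hashlib.sha256(material).hexdigest()[:12]   # 12 hex chars, looks random
    return f"{label}.{tld}"


def dga_domains(seed: bytes, day: date, count: int) -> list:
    return [dga_domain(seed, day, i) for i in range(count)]


def blocked_count(blocklist: set, domains: list) -> int:
    """How many of the domains a plain domain-name blocklist would stop."""
    return sum(1 for d in domains if d in blocklist)


SEED = b"example-ad-network"        # made-up seed
DAY_ONE = date(2018, 3, 1)          # made-up dates
DAY_TWO = DAY_ONE + timedelta(days=1)
PER_DAY = 20


def static_blocklist_result() -> tuple:
    """Blocklist assembled from day one's observed domains, applied on day two."""
    observed = set(dga_domains(SEED, DAY_ONE, PER_DAY))
    today = dga_domains(SEED, DAY_TWO, PER_DAY)
    return blocked_count(observed, today), len(today)


def predicted_blocklist_result() -> tuple:
    """Blocklist pre-computed for day two from the reversed algorithm and seed."""
    predicted = set(dga_domains(SEED, DAY_TWO, PER_DAY))
    today = dga_domains(SEED, DAY_TWO, PER_DAY)
    return blocked_count(predicted, today), len(today)


if __name__ == "__main__":
    print("static list   :", static_blocklist_result())     # (0, 20)
    print("predicted list:", predicted_blocklist_result())  # (20, 20)
```

The static list blocks none of day two's domains; the pre-computed list blocks all of them. That is why researchers who reverse a DGA publish the predicted domains rather than the ones already seen.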

It's clear crypto-mining code isn't a fad anymore, and Coin Hive's ready-to-embed JavaScript (the outfit, despite its protestations, is making bank from its customers) makes it very easy indeed.

All change on the job front

There has been a crushing lack of good security staff around, which has had companies complaining and cybersec professionals grinning as salaries and bonuses rise.

This week (ISC)² published the details [PDF] of its latest survey of IT security staff and the results aren't looking good for their employers. 84 per cent of those surveyed said that they were open to new job opportunities and 14 per cent of those said they were actively on the hunt for pastures new, with only 15 per cent saying they were happy where they were.

The former group certainly has temptations, since recruitment consultants are hunting hard for them. Of those security gurus not looking for jobs, 18 per cent reported getting multiple recruitment calls a day from headhunters looking to see if they'd jump ship and about a third of all staff get at least a couple of calls a week.

One slightly surprising finding came in the choice of future employers. 54 per cent said they would be fine working for a firm that had suffered a data breach in the past, but this rose to 64 per cent if the company in question publicly disclosed the breach. People like forthright employers, it seems.

Furthermore, a whopping 85 per cent of those surveyed said that they would do an in-depth scan of a potential employer's networks before considering working there. The message is clear – pay recruits well, be honest, and make sure you have your house in order before pitching for new staff.

Red faces at RSA

Another year, another RSA conference and the city of San Francisco is about to get flooded out by security salesfolks, grandstanding CEOs, and the occasional person who knows what they are talking about when it comes to locking down networks and catching crooks.

Your correspondent has been going to RSA conferences for nearly 20 years, and the show has been fairly useless for years from a security news standpoint. The keynotes are largely self-serving drivel, the few interesting talks are drowned out in a sea of crap, and the exhibition floor is a zoo.

The conference has had its problems in the past. Back in 2014, after it came out that RSA may have been paid $10m by the NSA to make the backdoored Dual_EC_DRBG random number generator the default in its BSafe toolkit, an alternative conference, TrustyCon, was organized.

But this year the organizers blundered into a tone-deaf cockup. After a year where more and more attention has been focused on diversity, opportunities for women in the industry, and the #metoo movement, the conference organizers only managed to find and book one woman headliner. And that woman was none other than Monica Lewinsky.

Now Lewinsky is an excellent speaker in her area – namely online harassment. She was one of the first people in the internet age to be monstered online, and has gained considerable knowledge on tackling cyber-abuse, as well as a firm understanding of never trusting your friends and the importance of using a dry cleaner once in a while.

But at a computer security conference it was a tad disappointing that this was the best RSA could come up with. Facebook's chief security officer Alex Stamos wasn't alone in pointing out that RSA had missed out on some serious talent and even Lewinsky expressed her surprise at being the only one at the show's main presentations.

The outcry caused a fast reverse ferret from the organizers, who said the keynote list wasn't final and it had other women on the shortlist, notably US Homeland Security Secretary Kirstjen Nielsen. It then went on to blame the industry.

"A diverse speaking program starts with increasing diversity within the technology sector, which needs to be addressed by the industry as a whole," spokesman Ben Waring told USA Today.

If that's the best the organizers could come up with then this year's conference looks to be even more awkward and stunted than usual. Thankfully BSides is also running, so we'll have some good security news that week as well.

Reality not a Winner over court smears

Meanwhile, Reality Winner was also in court this week fighting her prosecution under America's Espionage Act.

Winner is accused of smuggling a classified NSA memo out of her job which detailed Russian attempts to hack a US voting-software supplier and local election officials ahead of the 2016 election. She leaked it to The Intercept, which gave a copy to the authorities to verify; the scan showed the document had been printed and folded, and only a handful of staff had printed it, which apparently made it easy for agents to identify her.

On Tuesday Winner was back in court and – extraordinarily – was led in clad in an orange jumpsuit and manacled at the hands and feet. As national security journalist Kevin Gosztola noted, that's highly unusual – even Chelsea Manning didn’t get that kind of treatment, and it looked like a ploy to make her seem guilty in the judge's eyes.

Winner's lawyers argued that when 11 FBI agents turned up at Winner's house to interview her, she wasn't read her Miranda rights – and so her confession to the g-men at the time, that she stole and leaked the document, should be inadmissible.

The FBI admitted that she wasn't read her rights: for example, she was not told she was "free to leave." The agents felt it wasn't necessary.

In any case, the judge refused to grant Winner bail, and with her trial being pushed into early 2019, it means Winner will likely spend another year behind bars before her fate is even decided.

Memcachers take to ransoms

Finally, this week saw the largest-ever distributed denial of service attack, with GitHub the unlucky recipient of 1.35 terabits per second of network traffic. Then on Friday, the attackers went nuclear.

The attack exploits memcached caching servers left listening on the internet over UDP: a small request carrying a spoofed source address elicits a reply up to tens of thousands of times larger, and every reflector aims that reply at the victim. This hands criminals massive denial of service capabilities for almost no bandwidth of their own.

As the day progressed it became clear that lots of people had got the wrong sort of message from the GitHub attack, and decided to get in the game, blasting sites and servers via exposed memcached boxes. To add insult to injury, ransom demands were also embedded in the attack payloads.

The demand, for over $17,000 in Monero to end the attacks, is very steep and there's no reason why you should pay it. Simply drop inbound UDP traffic with source port 11211 at the border, or have your upstream do it, and watch the assault die. If you run memcached yourself, disable its UDP listener (-U 0) and bind it to localhost so your box can't be used against anyone else. ®
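As an added example, not code from the article, from GitHub, or from any party mentioned, the Python below shows the three pieces a practitioner would want here: the memcached UDP frame a reflector is fed, so the amplification factor can be measured from request and reply sizes; a self-check that sends a plain `stats` to a memcached you administer to see whether it answers over UDP at all; and a classifier over flow records that picks out what the border filter should drop, namely UDP arriving from source port 11211. The frame layout follows memcached's own protocol text; the stats reply and flow records are constructed sample data, and the toy reply amplifies far less than a server holding large cached values would.

```python
"""Memcached UDP framing, an exposure self-check, and border-filter flow selection.
Added example; packet layout per memcached protocol.txt, sample data constructed."""
import socket
import struct

MEMCACHED_PORT = 11211
# memcached UDP frame header: request id, sequence number, total datagrams, reserved (0)
UDP_HEADER = struct.Struct("!HHHH")


def build_udp_request(command: bytes, request_id: int = 1) -> bytes:
    """Wrap an ASCII command in the 8-byte memcached UDP header (single datagram)."""
    return UDP_HEADER.pack(request_id, 0, 1, 0) + command


def parse_udp_response(datagram: bytes) -> dict:
    """Split a memcached UDP datagram into its header fields and text payload."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than memcached UDP header")
    request_id, seq, total, reserved = UDP_HEADER.unpack_from(datagram)
    return {"request_id": request_id, "seq": seq, "total": total,
            "reserved": reserved, "payload": datagram[UDP_HEADER.size:]}


def amplification_factor(request: bytes, responses: list) -> float:
    """Bytes the server sends back per byte of request: the number an attacker cares about."""
    return sum(len(r) for r in responses) / len(request)


def probe_udp_exposure(host: str, timeout: float = 2.0) -> list:
    """Send a plain 'stats' over UDP (unspoofed) and collect the reply datagrams.

    Run this only against a memcached you administer. Any reply at all means the
    server will reflect for anyone who spoofs a source address; fix it with -U 0
    (no UDP listener) and by binding memcached to localhost.
    """
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_udp_request(b"stats\r\n"), (host, MEMCACHED_PORT))
        try:
            while True:
                data, _ = sock.recvfrom(65535)
                replies.append(data)
        except socket.timeout:
            pass
    return replies


def amplification_flows(records: list) -> list:
    """From (proto, src_ip, src_port, dst_ip, dst_port, nbytes) flow records, pick the
    ones a border filter should drop: UDP arriving *from* port 11211.
    Equivalent iptables rule: iptables -I INPUT -p udp --sport 11211 -j DROP
    """
    return [r for r in records if r[0] == "udp" and r[2] == MEMCACHED_PORT]


# --- constructed sample data (not captured traffic) ---
SAMPLE_REQUEST = build_udp_request(b"stats\r\n")          # 8-byte header + 7 bytes
SAMPLE_RESPONSE = UDP_HEADER.pack(1, 0, 1, 0) + (
    b"STAT pid 1234\r\n"
    b"STAT uptime 100\r\n"
    b"STAT version 1.4.15\r\n"
    b"STAT curr_connections 10\r\n"
    b"END\r\n"
)
SAMPLE_FLOWS = [
    ("udp", "198.51.100.7", 11211, "203.0.113.5", 80, 1400),   # reflected flood
    ("udp", "198.51.100.8", 11211, "203.0.113.5", 443, 1400),  # reflected flood
    ("tcp", "192.0.2.10", 51234, "203.0.113.5", 443, 600),     # legitimate HTTPS client
    ("udp", "192.0.2.53", 53, "203.0.113.5", 40000, 120),      # DNS answer, keep
]

if __name__ == "__main__":
    print("amplification factor of sample reply:",
          round(amplification_factor(SAMPLE_REQUEST, [SAMPLE_RESPONSE]), 1))
    print("flows to drop at the border:", amplification_flows(SAMPLE_FLOWS))
```

The same 15-byte request that returns a few stats lines here returns kilobytes from a busy server, and a `get` of a large cached value returns far more, which is where the record-breaking traffic volumes come from. The victim-side filter keys on source port because the reflectors, not the attacker, are what the victim sees.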


Biting the hand that feeds IT © 1998–2022