AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 11/15/2021

China’s next generation of hackers won’t be criminals. That’s a problem.

Criminals have a long history of conducting cyber espionage on China’s behalf. Protected from prosecution by their affiliation with China’s Ministry of State Security (MSS), criminals turned government hackers conduct many of China’s espionage operations. Alarming as it may sound, this is not a new phenomenon. An indictment issued by the U.S. Department of Justice last year, for example, indicated that the simultaneous criminal-espionage activity of two Chinese hackers went back as far as 2009. In another case, FireEye, a cybersecurity company, alleges that APT41, a separate cohort of MSS hackers, began as a criminal outfit in 2012 and transitioned to concurrently conducting state espionage from 2014 onward. But there’s reason to believe that since then, China has been laying the groundwork for change.


Internet Explorer is still causing trouble, even from the grave

Despite the fact that the end-of-life date for Internet Explorer is fast approaching, the Magniber ransomware gang has begun exploiting two patched vulnerabilities in Microsoft’s legacy browser to launch attacks on unsuspecting users. According to a new report from Bleeping Computer, the group has begun exploiting Internet Explorer vulnerabilities using malvertising that pushes exploit kits to businesses operating in Asia. Magniber started in 2017 as the successor to another ransomware strain called Cerber, and the group initially only targeted users in South Korea. In the time since, though, the ransomware gang has expanded the scope of its operations to infect systems in China, Taiwan, Hong Kong, Singapore and Malaysia.


AT&T Reveals Malware Targeting Millions of Routers, IoT Devices

AT&T has revealed malware that could affect millions of routers and Internet of Things devices. The company’s Alien Labs threat intelligence unit dubbed the malware BotenaGo because it’s written in Go, a programming language that Google designed specifically with networking in mind. It’s also capable of creating botnets that function across a variety of device types. AT&T Alien Labs says BotenaGo can exploit up to 30 different vulnerabilities against its targets. The company used Shodan, a search engine used to look up internet-connected devices, to determine that millions of devices could be affected by at least some of the malware’s functions. Unfortunately, the number of antivirus solutions that can defend against the malware—at least at the time of writing—is much lower. AT&T Alien Labs says that just six of the 62 vendors used by the malware-scanning VirusTotal platform identified BotenaGo as malware when it was discovered. Several of the vendors that did flag BotenaGo as malware identified it as Mirai, a well-known piece of malicious software that is used to create botnets so its operators can conduct distributed denial of service attacks. But AT&T Alien Labs says it believes that assessment is incorrect.


Hoax Email Blast Abused Poor Coding in FBI Website

The Federal Bureau of Investigation (FBI) confirmed today that its fbi.gov domain name and Internet address were used to blast out thousands of fake emails about a cybercrime investigation. According to an interview with the person who claimed responsibility for the hoax, the spam messages were sent by abusing insecure code in an FBI online portal designed to share information with state and local law enforcement authorities. Late in the evening on Nov. 12 ET, tens of thousands of emails began flooding out from the FBI address eims@ic.fbi.gov, warning about fake cyberattacks. Around that time, KrebsOnSecurity received a message from the same email address. “Hi its pompompurin,” read the missive. “Check headers of this email it’s actually coming from FBI server. I am contacting you today because we located a botnet being hosted on your forehead, please take immediate action thanks.” A review of the email’s message headers indicated it had indeed been sent by the FBI, and from the agency’s own Internet address. The domain in the “from:” portion of the email I received — eims@ic.fbi.gov — corresponds to the FBI’s Criminal Justice Information Services division (CJIS).
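The origin check described above, reviewing the Received chain to confirm that a message really left the sender's own address, as an added Python example (this is not code from the article or from KrebsOnSecurity). The message, host names, IP addresses, the MX name `mx.recipient.example` and the `AUTHORIZED_SENDERS` policy are all constructed placeholders; a real check would use the From domain's published SPF record and the recipient's actual MX name.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. Domain names and IP addresses are placeholders
# (documentation names and prefixes), not the real hosts from the incident.
SAMPLE_EMAIL = """\
Received: from portal.sender.example ([198.51.100.7])
\tby mx.recipient.example (Postfix) with ESMTP id ABC123
\tfor <admin@recipient.example>; Fri, 12 Nov 2021 23:15:02 -0500
Received: from app-node.sender.example ([10.0.0.5])
\tby portal.sender.example with ESMTP id XYZ789;
\tFri, 12 Nov 2021 23:15:01 -0500
From: Alerts <eims@ic.sender.example>
To: admin@recipient.example
Subject: Urgent: Threat actor in systems

(body omitted)
"""

# Hypothetical sender policy for the From domain, standing in for a real SPF
# record: only this range is allowed to hand the domain's mail to outsiders.
AUTHORIZED_SENDERS = {"sender.example": ["198.51.100.0/24"]}

# One whitespace-normalised Received header: "from <host> (...[ip]) by <relay> ..."
RECEIVED_RE = re.compile(
    r"from\s+(?P<host>\S+)[^\[]*\[(?P<ip>[0-9.]+)\].*?\bby\s+(?P<by>\S+)"
)


def received_hops(raw):
    """Return (from_host, from_ip, by_host) per Received header, oldest hop first."""
    msg = message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.search(" ".join(value.split()))  # unfold the header
        if m:
            hops.append((m.group("host"), m.group("ip"), m.group("by")))
    hops.reverse()  # each relay prepends its header, so the last one listed is the origin
    return hops


def from_domain(raw):
    """Domain of the visible From: address (what the recipient sees)."""
    _, addr = parseaddr(message_from_string(raw).get("From", ""))
    return addr.rpartition("@")[2].lower()


def handoff_ip(raw, our_mx):
    """IP of the host that handed the message to our own MX.

    Only the Received header written by our own MX is trustworthy; every hop
    below it was written by the sending side and could claim anything.
    """
    for _, ip, by in received_hops(raw):
        if by.lower() == our_mx.lower():
            return ip
    return None


def origin_is_authorized(raw, our_mx, policy=AUTHORIZED_SENDERS):
    """True if the handoff IP is one the From domain's policy allows to send from."""
    ip = handoff_ip(raw, our_mx)
    domain = from_domain(raw)
    if ip is None or not domain:
        return False
    addr = ipaddress.ip_address(ip)
    for policy_domain, ranges in policy.items():
        if domain == policy_domain or domain.endswith("." + policy_domain):
            return any(addr in ipaddress.ip_network(r) for r in ranges)
    return False  # no policy known for this domain: cannot vouch for it


if __name__ == "__main__":
    for host, ip, by in received_hops(SAMPLE_EMAIL):
        print(f"{host} [{ip}] -> {by}")
    print("from domain:", from_domain(SAMPLE_EMAIL))
    print("authorized:", origin_is_authorized(SAMPLE_EMAIL, "mx.recipient.example"))
```

The point of `handoff_ip` is that a Received chain is only as honest as the relay that wrote each line: the header added by your own mail server is the one fact you can rely on, which is why a legitimate sending address combined with a legitimate sending host, as in this case, defeats origin checks entirely and leaves the content itself as the only signal.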


Costco discloses data breach after finding credit card skimmer

Costco Wholesale Corporation has warned customers in notification letters sent this month that their payment card information might have been stolen while recently shopping at one of its stores. The retail giant (also known as Costco Wholesale and Costco) is an American multinational that operates a large chain of membership-only retail stores, the fifth-largest retailer worldwide, and the tenth-largest corporation in the US by total revenue according to Fortune 500 rankings. It has 737 warehouses worldwide, and it also operates e-commerce websites targeting multiple world regions, including the Americas, Europe, and Asia. Costco discovered the breach after finding a payment card skimming device in one of its warehouses during a routine check conducted by Costco personnel.


Cloudflare blocks an almost 2 Tbps multi-vector DDoS attack

Earlier this week, Cloudflare automatically detected and mitigated a DDoS attack that peaked just below 2 Tbps — the largest we’ve seen to date. This was a multi-vector attack combining DNS amplification attacks and UDP floods. The entire attack lasted just one minute. The attack was launched from approximately 15,000 bots running a variant of the original Mirai code on IoT devices and unpatched GitLab instances. Last quarter, we saw multiple terabit-strong DDoS attacks and this attack continues this trend of increased attack intensity. Another key finding from our Q3 DDoS Trends report was that network-layer DDoS attacks actually increased by 44% quarter-over-quarter. While the fourth quarter is not over yet, we have, again, seen multiple terabit-strong attacks that targeted Cloudflare customers.
