STE WILLIAMS

Hansa down, this is cool: How Dutch cops snatched the wheel of dark web charabanc

The takedown of the Hansa dark web marketplace, done live on national TV by Dutch police, was possible because officers had been running the site themselves – and on Thursday they detailed how they did it.

In 2016, security shop Bitdefender tipped off the Dutch plod that Hansa, one of the most popular dark web markets, was being hosted in the Netherlands. Hansa’s popularity was largely down to its multi-signature Bitcoin handling, which stopped buyers getting ripped off by not releasing payment until an order arrived.

Dark web markets like Hansa, which sell drugs, stolen credit card data, and other forms of nastiness, have been a frustration for police around the world. Thanks to Tor, these online souks are difficult to trace and shut down but – after getting the tip – the Dutch decided to go several stages further and try to destroy the reputation of these kinds of markets, get all of the vendors, and confiscate their Bitcoin.

“We wanted the world to know that you cannot count on staying anonymous online and commit a crime – even on the dark web,” Gert Ras, head of the Netherlands National High Tech Crime Unit, told the Kaspersky Security Analyst Summit this week.

Digging

In October 2016, the cops managed to make a copy of the Hansa private server and reconstructed it on their own network. By digging around they worked out how to use the administrator’s pages and found chat logs that identified two individuals running the site as German nationals.

After contacting the German police, they were told that the two were already under investigation for running an ebook pirating operation. But the scan also tipped off the Hansa administrators that something could be wrong and they shut down the Dutch operation and moved it elsewhere out of the jurisdiction of the Netherlands.

However, the authorities got lucky. The admins sloppily used the same Bitcoin wallet to pay their new hosting company as they did for their Dutch hosting supplier, and the site was traced to Lithuania.

The police managed to get a wiretap on those involved and found out a host of information, including the amount of traffic from the Hansa servers, the names of four site moderators, and the login details for the private chat service they used.

A cunning plan

Around this time the FBI got in contact. The Feds were going after the biggest dark web market, Alphabay, and had found out that some of its infrastructure was hosted in the Netherlands. The two forces agreed to cooperate and hatched a cunning plan – they would publicly shut down Alphabay, wait until everyone flooded to the Hansa site, and catch them at it.

On June 20 last year, the police acted. The two German administrators were arrested at their homes and interrogated. They quickly admitted to running the site and handed over login credentials for their accounts, allowing the police to take full control and move the Hansa servers back to their jurisdiction.

“We copied over the web server, did the same with the coin service and started a new Bitcoin wallet, and linked it to the Hansa database,” investigator Marinus Boekelo said. “We only suffered three minutes downtime, but that wasn’t easy. It took three days of 16-hour shifts to get it done.”

Hansa was now being run by the police, but official drug dealing is frowned upon. So they altered the administrator’s page to include boxes for shipment tracking numbers, shipping addresses and extra information, and advised sellers to keep it updated.

Intercepted

When dealers entered information, a special drug squad unit intercepted the packages and the information was also spread around EUROPOL so other EU police forces could make their own arrests. They also set up a backup Excel spreadsheet for dealers on the site, added lots of business information like turnover and sales rates, and bundled in a “beacon” that revealed the dealer’s IP address.

They also claimed that a hard drive containing the images of illegal products had crashed, and asked dealers to resend pictures of their merchandise. Very few stripped out the images’ metadata and some even had the geolocation data in place, showing exactly where the photo had been taken.

On July 4, the feds moved and arrested the administrator of Alphabay, getting not only the man behind the site but also his unencrypted laptop and passwords. The following day the site was taken down and people flooded to Hansa.

Membership of the market jumped sevenfold and traffic was so heavy they had to close new registrations for a while because the servers couldn’t cope. The cops kept all message logs, encryption keys and currency transactions.

On July 20, during simultaneous press conferences in the Netherlands and US, the servers were shut down on air. The police seized over 2,500 Bitcoins and details of over 26,000 transactions. Hundreds of arrests followed and Ras has promised to share the data with whichever police force wants it. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/08/dutch_police_detail_how_they_became_the_admins_for_hansa_dark_web_market/

Carnegie Mellon makes network security guru Jahanian president

Carnegie Mellon University has named computer science professor and Arbor Networks founder Farnam Jahanian as its new president.

The researcher-turned-entrepreneur-turned-administrator takes over the permanent position after an eight-month temporary turn as president. Previously, he had led the university’s academic department as provost of the school.

“A rigorous, international search has made it clear that Dr. Jahanian possesses a rare set of qualities and experiences that make him exactly the right leader for this university at this extraordinary moment in its history,” Carnegie Mellon board of trustees chair James Rohr said of the move.

“Dr. Jahanian embodies a bold, boundary-crossing, creative approach to the most important issues of our time — the very qualities that define and differentiate Carnegie Mellon, positioning this university to shape our world at the nexus of technology and human life.”

Jahanian made his name in the network security markets and previously served as head of the National Science Foundation’s Directorate for Computer and Information Science and Engineering.

In 2001, he co-founded network security company Arbor Networks, chairing the board of directors up to its 2010 acquisition by Tektronix (now owned by Netscout).

He was also the chair for computer science and engineering at the University of Michigan from 2007 to 2011 and helped coordinate the US government’s networking and information technology R&D programs through the National Science and Technology Council Committee on Technology.

“It’s a remarkable honor and privilege to work with the students, faculty and staff who are seizing the possibilities of this century and solving its problems,” Jahanian said of his appointment.

“As data and digital technology transform our world, Carnegie Mellon is positioned like no other institution to bring about world-leading breakthroughs in those realms, but also in the fields that help humanity benefit from this revolution, from policy to ethics, business to the arts and humanities.”

Jahanian will be formally inaugurated into the position in the Fall. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/08/carnegie_mellon_makes_network_security_guru_farnam_jahanian_president/


Olympic Destroyer’s ‘False Flag’ Changes the Game

Kaspersky Lab researchers uncover evidence of how the attackers who targeted the Winter Olympic Games impersonated an infamous North Korea hacking team.

KASPERSKY LAB SECURITY ANALYST SUMMIT 2018 – Cancun – Researchers from Kaspersky Lab here today revealed new details on how a sophisticated attack group behind the cyberattacks against the recent 2018 Winter Olympics’ network posed as an infamous North Korean nation-state group to throw off investigators.

The crippling Olympic Destroyer attack that hit several systems supporting the Pyeongchang Winter Olympics last month may have forever changed the game of attack attribution: the sophisticated attackers created a convincing forgery of malware associated with the North Korean nation-state Lazarus Group, fooling several experts who initially pinned the blame for the attacks on the DPRK.

Olympic Destroyer temporarily disabled the Olympics IT systems, shutting down WiFi, monitors, and the Olympics website such that ticketholders were unable to print their tickets. Kaspersky researchers also found the destructive worm hit several ski resorts near the Olympics, where it disabled gates and lifts.

Vitaly Kamluk, head of Kaspersky Lab’s Asia Pacific research team, said in an interview that his team can’t positively identify the real attackers, but they found that the attackers used several TTPs normally associated with Sofacy, aka Fancy Bear, a nation-state attack group. The researchers classify Sofacy as a Russian-speaking group, but stop short of calling them a Russian nation-state operation. “We didn’t attribute this [Olympic Destroyer] to Sofacy. We looked at the [attack] infrastructure” and spotted TTPs associated with the Russian-speaking attack group, he said.

A Washington Post report late last month said US intelligence officials have ID’ed Russia’s GRU military hacking unit as the perpetrators of Olympic Destroyer, posing as attackers out of North Korea by using North Korean IP addresses and other false flags.

Kamluk says Olympic Destroyer employed the Proton email service, the NordVPN service as well as a hosting provider, MonoVM, all of which Sofacy has been known to use. There were other TTPs his team found as well, but he declined to disclose them for now.

In all, Olympic Destroyer hit not only the Pyeongchang2018.com network, but also IT service provider Atos in France, a software vendor that automates some functions at ski resorts, and two ski resort hotels, according to Kaspersky’s research. “At those hotels we helped, we found backdoors to deploy the propagation of the worm,” Kamluk said.

Header Mismatch

Igor Soumenkov, principal security researcher at Kaspersky Lab, noticed something was fishy about the Lazarus Group malware in the attacks. Looking more closely at the malware wiper file headers, he discovered one of the headers had been forged: it didn’t belong to Lazarus. That header was proof that the attackers had tried to hide behind the Lazarus malware as a false flag operation. “We have 100% confidence this is not Lazarus Group,” Soumenkov said in a presentation here today.

Turns out the attackers may have inadvertently forgotten to encrypt some of the code, leaving it exposed as a fake, according to the researchers. “After the Olympics attacks they made another binary attack and forgot to encrypt, I think,” Soumenkov said.

But the attacks initially appeared to have all the earmarks of Lazarus Group.

“They fooled a lot of smart people,” Kamluk said of the attackers. “They wanted to be discovered. They didn’t clean up after themselves and made the malware easily discoverable. They wanted it to be discovered as Lazarus Group,” he said.

“They were not just relying on simulation” of Lazarus Group, he said. “This was a game-changer.”

The researchers pointed out that the attackers didn’t wreak the amount of destruction they could have with the systems they infected and the administrative accounts they had obtained. They wiped files in Windows shares, disabled Windows services, rendered some systems unbootable, reset event logs, and deleted some backups. “By deleting and destroying all local data, they could have easily devastated the Olympic infrastructure. Instead, they decided to do some ‘light’ destruction,” the researchers wrote in a blog post today.

Kamluk speculates that the attackers had set the stage for another campaign, given the additional code and clues his team found.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …

Article source: https://www.darkreading.com/attacks-breaches/olympic-destroyers-false-flag-changes-the-game/d/d-id/1331222?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

North Korea Threat Group Targeting Turkish Financial Orgs

Hidden Cobra appears to be collecting information for a later strike, McAfee says.

Hidden Cobra, a threat group that the US government previously has linked to North Korea, appears to have turned its sights on financial institutions in Turkey.

Security vendor McAfee Thursday reported finding malware associated with the group surfacing on systems belonging to three large financial organizations and at least two major government-controlled entities involved in finance and trade in Turkey.

The malware, dubbed Bankshot, was last seen in 2017 and is designed to persist on compromised systems for further exploits. Its presence on the systems in Turkey suggests the Hidden Cobra operation is intended to gather specific information that can be used to launch more damaging attacks later, McAfee said.

“While we can’t definitively establish motivations, it’s likely these attacks are part of an ongoing effort on the part of the attackers to compromise major financial institutions,” says Ryan Sherstobitoff, McAfee’s senior analyst of major campaigns. The goal could be to “surveil their operations, establish functions of their processes, and ultimately compromise funds,” he says.

Hidden Cobra, also referred to as the Lazarus Group and Guardians of Peace, is believed responsible for the attacks on the SWIFT financial network in 2016 that resulted in over $80 million being looted from the Bangladesh Bank. It has also been linked to numerous other attacks on media, aerospace, and critical infrastructure organizations in recent years.

The FBI and the US Department of Homeland Security have described the group as being sponsored by the North Korean government and having a wide array of attack tools at its disposal, including distributed denial-of-service botnets, wiper malware, and remote access Trojans. Tools associated with the group include Destover, a wiper malware used in the 2014 attacks on Sony Pictures, and Hangman, a malware used in targeted attacks.

Bankshot, the group’s tool of choice in the Turkey campaign, was previously used in a major Korean bank attack and has been seen on documents purportedly from banks in Latin America.

McAfee’s investigation shows that the Bankshot implants that Hidden Cobra is using in its campaign against Turkish financial institutions were distributed via sophisticated phishing emails. The emails have contained a malicious Word document with an embedded exploit for a recently disclosed Adobe Flash vulnerability.

The exploit basically allows an attacker to execute arbitrary code — Bankshot, in this case — on compromised systems. Available telemetry shows that the first infections in Turkey happened around March 2 and March 3, McAfee said.

Sherstobitoff says this is the first time McAfee has observed Hidden Cobra deploying Bankshot in Turkey. It is also the first time that McAfee has seen an entire country’s financial system being targeted so systematically.

“Bankshot is a fully capable implant which grants attackers full capability on a victim’s system. It is possible the attackers are in an early data-gathering stage for future heists,” he says. In addition to stealing data, Bankshot also has a function to wipe files that can be remotely executed to erase evidence, he says.

North Korea threat actors have been linked to a recent string of attacks — including numerous cryptocurrency mining campaigns and ransomware campaigns such as WannaCry. Many believe the campaigns are state sponsored and are likely designed to raise money for a government under increasing economic pressure from sanctions.

There are some, though, who believe that at least some of the attacks have involved false-flag campaigns. The most notable example is an attack on networks and servers during the opening of the Winter Olympics in South Korea that originally appeared to be the handiwork of North Korea but which many believe actually originated in Russia.

According to Sherstobitoff, however, there appears to be little doubt about who is behind the campaign in Turkey. “McAfee takes attribution very seriously. As such, McAfee Advanced Threat Research analysis and conclusions are based on multiple indicators,” he says.

While 100% attribution is always going to be hard, the code and target similarities between the malicious files uncovered in this campaign and earlier attacks publicly attributed to Hidden Cobra are strong indicators of North Korean involvement, he says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/north-korea-threat-group-targeting-turkish-financial-orgs/d/d-id/1331223?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

UK data watchdog raids companies suspected of 11 million nuisance texts

The Information Commissioner’s Office has raided two companies thought to be behind 11 million nuisance texts sent to the public.

Computer equipment and documents were seized for analysis at two Greater Manchester-based premises of the unnamed entities, the ICO said.

The perpetrators are understood to have sent the text messages to UK mobile numbers between January 2017 and January 2018. As a result the ICO received 3,297 separate complaints.

The text messages mainly promoted financial management services such as pensions, loans and claims for issues such as PPI and flight cancellations. The recipients were unable to identify who the texts were from or opt out of them, which is also against the law.

Andy Curry, the ICO’s enforcement group manager, said:

“Nuisance text messages like this are a real problem for people as seen in the number of complaints we have received in this case alone. Businesses and individuals who carry out this type of marketing should be assured that we will carry out thorough investigations and take tough action against them where necessary.

He hoped the “existing evidence”, along with that seized in the raids, would stop the businesses’ activities, “and act as a deterrent to others.”

In 2017, the ICO issued 29 civil monetary penalties totalling £2.8m. The largest penalty – of £400,000 – was against Keurboom Communications Ltd for making over 99 million unlawful automated marketing calls.

However, nuisance calls remain a scourge of the UK populace, totalling 3.9 billion last year. That was something the ICO recently gave itself a pat on the back for, having brought it down from 4.8 billion in 2015.

Still, that’s a few more doors to kick in. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/08/ico_raids_premises_of_companies_behind_11_million_nuisance_calls/

Analysis suggests North Korea not behind Olympic Destroyer malware attack

A close analysis of the code that took down part of the 2018 Winter Olympics infrastructure appears to show a cunning plan to make it look as though the culprit was North Korea.

On the first day of the games in PyeongChang, the main website crashed, Wi-Fi networks around the events became unusable and data was wiped from servers by malware later dubbed Olympic Destroyer. Security firms had warned of an attack before the event, after a phishing campaign was spotted, and the attack was beaten off rather quickly.

In the weeks that followed, several analyses suggested that the attack was the work of the North Korean state-sponsored hacking team known as the Lazarus Group. However, an analysis by Kaspersky Lab engineers suggests that Lazarus didn’t write the code, despite appearances to the contrary.

Vitaly Kamluk, head of the APAC research team at Kaspersky Lab, told the company’s Security Analyst Summit that the misattribution was understandable. The data wiping part of Olympic Destroyer looks, at first glance, exactly the same as the Lazarus Group wiper used in the Bluenoroff malware responsible for the $81m cyber-heist against the Central Bank of Bangladesh last year – even down to the header.

“We can say with 100 per cent confidence that the attribution to Lazarus is false,” he said.

But the wiper function’s rich header contains metadata, including hints about the development environment the code was written in. The Lazarus Group malware is a C++ application, but the Olympic Destroyer code showed it was developed using Visual Studio 10 and made to look as though the code was the same as Bluenoroff.

“The only reasonable conclusion that can be made is that the rich header in the wiper was deliberately copied from the Bluenoroff samples; it is a fake and has no connection with the contents of the binary,” the technical report states.

“It is not possible to completely understand the motives of this action, but we know for sure that the creators of Olympic Destroyer intentionally modified their product to resemble the Bluenoroff samples produced by the Lazarus group.”
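To make the report’s point concrete, here is an added example (my own code, not Kaspersky’s tooling or anything from the report) that decodes a PE file’s Rich header and recomputes its checksum over the file it sits in, using the header layout and checksum algorithm as publicly documented. The product/build numbers in the fixtures are made up, and the fixture builder emits only enough of a file to parse, not a real executable.

```python
import struct

MASK = 0xFFFFFFFF
DANS = struct.unpack("<I", b"DanS")[0]


def rol32(value, count):
    """Rotate a 32-bit value left by count bits (count taken mod 32)."""
    count &= 0x1F
    return ((value << count) | (value >> (32 - count))) & MASK


def rich_checksum(data, dans_offset, entries):
    """Recompute the XOR key the linker stores after the 'Rich' marker.

    Seeded with the DanS offset; adds every byte of the DOS header and stub
    before DanS (skipping e_lfanew at 0x3C-0x3F), then each compid dword
    rotated by its use count."""
    cksum = dans_offset
    for i in range(dans_offset):
        if 0x3C <= i < 0x40:
            continue
        cksum = (cksum + rol32(data[i], i)) & MASK
    for prodid, build, count in entries:
        cksum = (cksum + rol32((prodid << 16) | build, count)) & MASK
    return cksum


def parse_rich_header(data):
    """Decode the Rich header of the PE image in `data`.

    Returns None when absent, otherwise the stored key, the decoded
    (prodid, build, count) entries and whether that key equals a checksum
    recomputed over this very file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_pos = data.rfind(b"Rich", 0x40, e_lfanew)
    if rich_pos < 0:
        return None
    key = struct.unpack_from("<I", data, rich_pos + 4)[0]
    dans_pos = None  # walk back over the XOR-masked dwords to find DanS
    for pos in range(rich_pos - 4, 0x3F, -4):
        if struct.unpack_from("<I", data, pos)[0] ^ key == DANS:
            dans_pos = pos
            break
    if dans_pos is None:
        return None
    entries = []
    for pos in range(dans_pos + 16, rich_pos, 8):  # skip DanS + 3 pad dwords
        comp, count = struct.unpack_from("<II", data, pos)
        comp ^= key
        entries.append((comp >> 16, comp & 0xFFFF, count ^ key))
    return {"key": key, "entries": entries, "dans_offset": dans_pos,
            "rich_offset": rich_pos,
            "checksum_ok": rich_checksum(data, dans_pos, entries) == key}


def build_sample(dos_stub, entries):
    """Constructed fixture: DOS header + stub + Rich block + 'PE' stamp.

    Not a real executable, just enough for parse_rich_header() to work on."""
    header = bytearray(b"MZ" + b"\x00" * 62)
    dos_region = bytes(header) + dos_stub
    dans_offset = len(dos_region)
    key = rich_checksum(dos_region, dans_offset, entries)
    block = struct.pack("<I", DANS ^ key) + struct.pack("<I", key) * 3
    for prodid, build, count in entries:
        block += struct.pack("<II", ((prodid << 16) | build) ^ key, count ^ key)
    block += b"Rich" + struct.pack("<I", key)
    struct.pack_into("<I", header, 0x3C, dans_offset + len(block))
    return bytes(header) + dos_stub + block + b"PE\x00\x00"


def transplant(donor, victim):
    """Return `victim` with its Rich block replaced verbatim by `donor`'s.

    Models the copied header the report describes, only so the checksum
    test has something to catch."""
    d, v = parse_rich_header(donor), parse_rich_header(victim)
    block = donor[d["dans_offset"]:d["rich_offset"] + 8]
    out = bytearray(victim[:v["dans_offset"]] + block + victim[v["rich_offset"] + 8:])
    struct.pack_into("<I", out, 0x3C, v["dans_offset"] + len(block))
    return bytes(out)


# Constructed fixtures: two DOS stubs that differ, and entry lists with
# made-up product/build numbers (not real MSVC compids).
STUB_A = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21"
          b"This program cannot be run in DOS mode.\r\r\n$" + b"\x00" * 12)
STUB_B = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21"
          b"Custom stub text, differs from A.$" + b"\x00" * 5)
ENTRIES_A = [(0x00DE, 0x5A4F, 12), (0x00DB, 0x5A4F, 3), (0x00DA, 0x5A4F, 1)]
ENTRIES_B = [(0x0093, 0x7809, 5), (0x0094, 0x7809, 1)]


def demo():
    """Parse a self-consistent file and one carrying a transplanted header."""
    genuine = build_sample(STUB_A, ENTRIES_A)
    forged = transplant(genuine, build_sample(STUB_B, ENTRIES_B))
    return parse_rich_header(genuine), parse_rich_header(forged)
```

The checksum covers only the DOS stub and the entries, so a header copied between two binaries built with the same stub still validates; the decoded entries then have to be weighed against what the binary itself shows, as the analysis above did with the compiler evidence.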

So who did write the code? Kamluk said he didn’t know for sure, but that some of the methods of propagation and the VPNs used in the attack could link it to the Russian state-sponsored APT28 group.

Costin Raiu, Kaspersky’s director of global research and analysis, warned the conference that attribution is going to get tricky in the next couple of years. Security firms are building code databases that could automate the attribution of malware samples, but at the same time coders are getting smarter and we could see similar false flag operations in the future. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/08/analysis_suggests_norks_not_behind_olympic_destroyer_malware_attack/

Will the defendant please rise? Utah State Bar hunts for sender of topless email

The Utah State Bar is investigating how a picture of a topless woman appeared in an email sent to all its members earlier this week.

There was little to alert lawyers about what they were about to see when the email, titled “2018 Spring Convention Walk-Ins Welcome! Learn How!”, popped up in inboxes.

Those who did open it were in for a surprise however when, instead of receiving attendance information on the association’s convention, they were greeted by a pair of perky private parts.

It didn’t take long for members to react.

At 1432, one recipient, Chase Thomas, tweeted: “If you recently got an email from the Utah Bar, be careful opening it! There may or may not be a naughty picture in it… Guessing they got hacked?”

Another posted a titillating screengrab of the email, cut off before anything too revealing appeared.

At 1435, the association tweeted: “Apologies to all who received an inappropriate email from the Utah State Bar. We are aware of the situation and are investigating the matter.”

And shortly after, a second email was sent to everyone in the organization from IT director Lincoln Mead, apologizing for the “offensive image” and promising an investigation. Utah State Bar executive director John Baldwin also chimed in: “We are horrified,” he said in a statement. “We are investigating to discover how this occurred. Our goal is to find out what happened and ensure it never happens again.”

So, um, how?

As to how that investigation is proceeding, we reached out to the organization’s communications director, Matt Page, on Thursday morning and he told us it was still ongoing.

Having initially suggested it may have been hacked, the association has now admitted that the email was created in-house and that to the breast of their knowledge no one was aware of the image when it was previewed before being sent out.

The association has promised it will release its findings to members when the inquiry is complete. Meanwhile, someone in IT is rapidly scrubbing a browser history… ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/03/08/will_the_defendant_please_rise_utah_state_bar_hunts_for_sender_of_topless_email/

Gozi Trojan Using Dark Cloud Botnet in New Wave of Attacks

Gozi ISFB banking Trojan has rolled out new code, a new botnet and a high level of customization in the latest wave of attacks.

Gozi ISFB, a banking Trojan that has been making the rounds of the internet for several years, is back with new targets, new characteristics, and a new botnet for distribution. The changes, detailed by Talos Intelligence on Tuesday, serve to make the Trojan a more dangerous threat to a select group of victims.

Gozi ISFB has begun to use the Dark Cloud botnet in recent campaigns, a development that shows the attackers are moving to infrastructures that are associated with widespread criminal and malicious activity. Dark Cloud, which uses compromised personal computers as hosts for websites that change addresses every few minutes, is based primarily in Eastern Europe and Russia.
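The address churn described above is measurable from the defender's side. The following is an added example, not code from the Dark Reading article or from Talos: it reads passive-DNS style records (timestamp, queried name, answer address, TTL), computes how many distinct addresses and distinct /16 prefixes a name resolved to inside a time window, and flags names whose churn looks like fast-flux hosting. Every hostname, address, TTL and timestamp is constructed, and the thresholds in `classify()` are assumptions to be tuned against real resolver data.

```python
"""Measure answer churn in passive DNS to spot fast-flux style hosting.

Added example, not code from the Dark Reading article or from Talos.
All names, addresses, TTLs and timestamps are constructed; the
thresholds in classify() are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed passive-DNS records: "<timestamp> <name> <answer-ip> <ttl>".
SAMPLE_RECORDS = """
2018-03-06T09:00:05 updates.example.invalid 203.0.113.10 300
2018-03-06T09:03:12 updates.example.invalid 198.51.100.77 300
2018-03-06T09:06:40 updates.example.invalid 192.0.2.201 300
2018-03-06T09:10:01 updates.example.invalid 203.0.113.55 300
2018-03-06T09:13:30 updates.example.invalid 198.51.100.9 300
2018-03-06T09:17:02 updates.example.invalid 192.0.2.14 300
2018-03-06T09:00:10 www.static-corp.invalid 203.0.113.200 3600
2018-03-06T09:30:10 www.static-corp.invalid 203.0.113.200 3600
2018-03-06T10:00:10 www.static-corp.invalid 203.0.113.200 3600
"""


def parse_records(text):
    """Parse the constructed log format into (time, name, ip, ttl) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, name, ip, ttl = line.split()
        records.append((datetime.fromisoformat(ts), name, ip_address(ip), int(ttl)))
    return records


def churn_in_window(answers, window):
    """Largest number of distinct IPs (and distinct /16 prefixes) that one
    name resolved to inside any window of the given length.  Two-pointer
    sweep over (time, ip) pairs sorted by time."""
    answers = sorted(answers)
    best_ips, best_nets = 0, 0
    left = 0
    for right in range(len(answers)):
        while answers[right][0] - answers[left][0] > window:
            left += 1
        current = answers[left:right + 1]
        ips = {ip for _, ip in current}
        nets = {ip_network(f"{ip}/16", strict=False) for ip in ips}
        if len(ips) > best_ips:
            best_ips, best_nets = len(ips), len(nets)
    return best_ips, best_nets


def flux_scores(records, window=timedelta(hours=1)):
    """Return {name: (max_distinct_ips, max_distinct_slash16, min_ttl)}."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in records:
        by_name[name].append((ts, ip, ttl))
    scores = {}
    for name, answers in by_name.items():
        ips, nets = churn_in_window([(ts, ip) for ts, ip, _ in answers], window)
        scores[name] = (ips, nets, min(ttl for _, _, ttl in answers))
    return scores


def classify(scores, min_ips=5, min_nets=2, max_ttl=600):
    """Assumed heuristic: many distinct addresses, spread over several
    networks, with short TTLs, inside one window -> fast-flux candidate."""
    return sorted(name for name, (ips, nets, ttl) in scores.items()
                  if ips >= min_ips and nets >= min_nets and ttl <= max_ttl)


if __name__ == "__main__":
    scores = flux_scores(parse_records(SAMPLE_RECORDS))
    for name, score in scores.items():
        print(name, score)
    print("fast-flux candidates:", classify(scores))
```

Counting distinct /16 prefixes as well as distinct addresses is what separates a botnet of compromised home machines from a legitimate CDN or round-robin pool, which tends to rotate inside one or two provider networks; in production you would substitute an ASN lookup for the /16 proxy.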

The most recent campaign uses individually targeted email messages with malicious Microsoft Word files as the delivery mechanism for the malware payload. 

“It’s likely they built emails to resemble realistic email threads, appearing to reply to a victim’s previous question or request,” says Talos threat researcher Holger Unterbrink, in an email interview with Dark Reading. “In other cases, they crafted email messages that are somehow related to the victims’ interests such as company-related information.”

The level of customization indicates a high level of human involvement with the messages, rather than a mass spam email campaign. “We believe that they are using an obfuscator script/program. In many cases we looked at, they built different obfuscated docs for every single victim,” says Unterbrink.

While there are a variety of different malicious payloads attached to the delivery systems, almost all are based on VBA scripts that use various methods of obfuscation and different execution patterns in attempts to evade detection in sandbox environments. Sophisticated current sandboxes and malware detection routines would almost certainly detect the activity, but simple or older technology could easily miss the operations.
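Whatever the obfuscation inside the macro, the document still has to carry a VBA project, and that is something a mail gateway or triage script can check before a sandbox ever sees the file. The following is an added example, not code from the Dark Reading article or from Talos: it decides from the container's contents rather than the file extension, because Word treats a document as macro-enabled based on its package, so a `.docm` renamed to `.docx` behaves the same. For OOXML it looks for the macro-enabled main-part content type and `word/vbaProject.bin`; for legacy OLE files it uses the UTF-16LE stream name `_VBA_PROJECT` as a cheap heuristic and otherwise hands the file off for deeper analysis. The documents built here are constructed in memory and are not real samples.

```python
"""Triage Office attachments by container contents, not file extension.

Added example, not code from the Dark Reading article or from Talos.
The packages built by build_word_package() are constructed stand-ins,
not real documents or malware samples.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # OLE compound-file header
MACRO_MAIN_PART = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_PART = ("application/vnd.openxmlformats-officedocument."
                   "wordprocessingml.document.main+xml")
# OLE directory entries store stream names as UTF-16LE.
OLE_VBA_STREAM_NAME = "_VBA_PROJECT".encode("utf-16-le")


def inspect_office_blob(data: bytes) -> dict:
    """Describe what the container actually is and whether it carries VBA."""
    info = {"container": "unknown", "has_vba_project": False,
            "macro_content_type": False}
    if data.startswith(OLE_MAGIC):
        info["container"] = "ole"
        # Cheap heuristic for the legacy binary format: the VBA stream name
        # appearing in the directory.  A full compound-file parse is the
        # reliable way to do this.
        info["has_vba_project"] = OLE_VBA_STREAM_NAME in data
        return info
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return info
    with zf:
        names = zf.namelist()
        info["container"] = "ooxml"
        info["has_vba_project"] = any(
            n.lower().endswith("vbaproject.bin") for n in names)
        if "[Content_Types].xml" in names:
            types_xml = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            info["macro_content_type"] = MACRO_MAIN_PART in types_xml
    return info


def verdict(filename: str, data: bytes) -> str:
    """'quarantine' when VBA is present, 'deep-scan' for legacy OLE without
    an obvious VBA stream, 'allow' otherwise.  The filename is accepted for
    logging only; it deliberately plays no part in the decision."""
    info = inspect_office_blob(data)
    if info["has_vba_project"] or info["macro_content_type"]:
        return "quarantine"
    if info["container"] == "ole":
        return "deep-scan"
    return "allow"


def build_word_package(with_macros: bool) -> bytes:
    """Construct a minimal OOXML Word package in memory (not a real document)."""
    main_part = MACRO_MAIN_PART if with_macros else PLAIN_MAIN_PART
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="xml" ContentType="application/xml"/>'
        f'<Override PartName="/word/document.xml" ContentType="{main_part}"/>'
        '</Types>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macros:
            # Placeholder bytes standing in for an OLE-packaged VBA project.
            zf.writestr("word/vbaProject.bin", b"constructed placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    # A macro-enabled package renamed to .docx is still caught.
    print(verdict("quote.docx", build_word_package(with_macros=True)))   # quarantine
    print(verdict("quote.docx", build_word_package(with_macros=False)))  # allow
    print(verdict("old.doc", OLE_MAGIC + b"\x00" * 504))                 # deep-scan
```

The "deep-scan" bucket is where a proper VBA extractor belongs (oletools' `olevba` is the usual choice); the point of this first pass is that it costs nothing and is immune to the extension tricks and per-victim obfuscation the article describes, since it never looks at the macro code at all.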

Given the new payload and delivery mechanisms, what should organizations do to protect themselves from the latest wave of Gozi ISFB? “Use a multi-layer security architecture approach,” says Unterbrink. “This means a mix of security protection devices/applications which are capable of communicating with each other. Companies need to realize that some attackers are using extremely sophisticated methods and/or rely on victims making mistakes (e.g. opening phishing emails). In a multi layer protected environment, even the side effects of successful attacks can be detected.”

“Another important recommendation,” he says, “is to focus on user education. Setup [sic] fake phishing campaigns or buy similar services to make your user aware of this threat.”


Curtis Franklin Jr. is executive editor for technical content at InformationWeek. In this role he oversees product and technology coverage for the publication. In addition he acts as executive producer for InformationWeek Radio and Interop Radio where he works with …

Article source: https://www.darkreading.com/attacks-breaches/gozi-trojan-using-dark-cloud-botnet-in-new-wave-of-attacks/d/d-id/1331214?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple