The Hacker News - Cybersecurity News and Analysis: malware protection

A malware campaign targeting South Korean entities that came to light earlier this year has been attributed to a North Korean nation-state hacking group called Andariel, once again indicating that  Lazarus  attackers are following the trends and their  arsenal  is in  constant development . "The way Windows commands and their options were used in this campaign is almost identical to previous Andariel activity," Russian cybersecurity firm Kaspersky  said  in a deep-dive published Tuesday. Victims of the attack are in the manufacturing, home network service, media, and construction sectors. Designated as part of the Lazarus constellation, Andariel is known for unleashing attacks on South Korean organizations and businesses using specifically tailored methods created for maximum effectivity. In September 2019, the sub-group, along with Lazarus and Bluenoroff, was  sanctioned by the U.S. Treasury Department  for their malicious cyber activity on critical infrastructure. Anda

Researchers have disclosed significant security weaknesses in popular antivirus software applications that could be abused to deactivate their protections and take control of allow-listed applications to perform nefarious operations on behalf of the malware to defeat anti-ransomware defenses. The twin attacks,  detailed  by academics from the University of Luxembourg and the University of London, are aimed at circumventing the protected folder feature offered by antivirus programs to encrypt files (aka "Cut-and-Mouse") and disabling their real-time protection by simulating mouse "click" events (aka "Ghost Control"). "Antivirus software providers always offer high levels of security, and they are an essential element in the everyday struggle against criminals,"  said  Prof. Gabriele Lenzini, chief scientist at the Interdisciplinary Center for Security, Reliability, and Trust at the University of Luxembourg. "But they are competing with cri

Intel and Cybereason have partnered to build anti-ransomware defenses into the chipmaker's newly announced 11th generation Core  vPro  business-class processors. The hardware-based security enhancements are baked into Intel's vPro platform via its  Hardware Shield  and  Threat Detection Technology  (TDT), enabling profiling and detection of ransomware and other threats that have an impact on the CPU performance. "The joint solution represents the first instance where PC hardware plays a direct role in ransomware defenses to better protect enterprise endpoints from costly attacks," Cybereason  said . Exclusive to vPro, Intel Hardware Shield provides protections against firmware-level attacks targeting the  BIOS , thereby ensuring that the operating system (OS) runs on legitimate hardware as well as minimizing the risk of malicious code injection by locking down memory in the BIOS when the software is running to help prevent planted malware from compromising the OS

Cybersecurity agencies in the US and UK yesterday issued a joint advisory about a massive ongoing malware threat infecting Taiwanese company QNAP's network-attached storage (NAS) appliances. Called QSnatch (or Derek), the data-stealing malware is said to have compromised 62,000 devices since reports emerged last October, with a high degree of infection in Western Europe and North America. "All QNAP NAS devices are potentially vulnerable to QSnatch malware if not updated with the latest security fixes," the US Cybersecurity and Infrastructure Security Agency (CISA) and the UK's National Cyber Security Centre (NCSC) said in the alert. "Further, once a device has been infected, attackers can prevent administrators from successfully running firmware updates." The mode of compromise, i.e., the infection vector, still remains unclear, but CISA and NCSC said the first campaign likely began in 2014 and continued till mid-2017 before intensifying over th

Cybersecurity researchers on Tuesday detailed as many as four different families of Brazilian banking trojans that have targeted financial institutions in Brazil, Latin America, and Europe. Collectively called the "Tetrade" by Kaspersky researchers, the malware families — comprising Guildma, Javali, Melcoz, and Grandoreiro — have evolved their capabilities to function as a backdoor and adopt a variety of obfuscation techniques to hide its malicious activities from security software. "Guildma, Javali, Melcoz and Grandoreiro are examples of yet another Brazilian banking group/operation that has decided to expand its attacks abroad, targeting banks in other countries," Kaspersky said in an analysis . "They benefit from the fact that many banks operating in Brazil also have operations elsewhere in Latin America and Europe, making it easy to extend their attacks against customers of these financial institutions." A Multi-Stage Malware Deployment Process

Cybersecurity researchers today uncovered new details of watering hole attacks against the Kurdish community in Syria and Turkey for surveillance and intelligence exfiltration purposes. The advanced persistent threat behind the operation, called StrongPity , has retooled with new tactics to control compromised machines, cybersecurity firm Bitdefender said in a report shared with The Hacker News. "Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic investigations, the APT group leveraged Trojanized popular tools, such as archivers, file recovery applications, remote connections applications, utilities, and even security software, to cover a wide range of options that targeted victims might be seeking," the researchers said. With the timestamps of the analyzed malware samples used in the campaign coinciding with the Turkish offensive into north-eastern Syria (codenamed Operation Peace Spring )

VirusTotal, the famous multi-antivirus scanning service owned by Google, recently announced new threat detection capabilities it added with the help of an Israeli cybersecurity firm. VirusTotal provides a free online service that analyzes suspicious files and URLs to detect malware and automatically shares them with the security community. With the onslaught of new malware types and samples, researchers rely on the rapid discovery and sharing provided by VirusTotal to keep their companies safe from attacks. VirusTotal relies on a continuous stream of new malware discoveries to protect its members from significant damage. Cynet , the creator of the autonomous breach protection platform, has now integrated its Cynet Detection Engine into VirusTotal. The benefits of this partnership are twofold. First, Cynet provides the VirusTotal partner network cutting-edge threat intelligence from its ML-based detection engine (CyAI) that actively protects the company's clients around th

Cybersecurity researchers today uncovered the modus operandi of an elusive threat group that hacks into the high-profile military and diplomatic entities in Eastern Europe for espionage. The findings are part of a collaborative analysis by cybersecurity firm ESET and the impacted firms, resulting in an extensive look into InvisiMole's operations and the group's tactics, tools, and procedures (TTPs). "ESET researchers conducted an investigation of these attacks in cooperation with the affected organizations and were able to uncover the extensive, sophisticated tool-sets used for delivery, lateral movement, and execution of InvisiMole's backdoors," the company said in a report shared with The Hacker News. Cooperation with the Gamaredon Group First discovered in 2018 , InvisiMole has been active at least since 2013 in connection with targeted cyber-espionage operations in Ukraine and Russia. After slipping under the radar, the threat actor returned late

Cybersecurity researchers today took the wraps off a new sophisticated cyber-espionage campaign directed against aerospace and military organizations in Europe and the Middle East with an aim to spy on key employees of the targeted firms and, in some case, even to siphon money. The campaign, dubbed " Operation In(ter)ception " because of a reference to "Inception" in the malware sample, took place between September to December 2019, according to a new report cybersecurity firm ESET shared with The Hacker News. "The primary goal of the operation was espionage," the researchers told The Hacker News. "However, in one of the cases we investigated, the attackers tried to monetize access to a victim's email account through a business email compromise (BEC) attack as the final stage of the operation." The financial motivation behind the attacks, coupled with similarities in targeting and development environment, have led ESET to suspect Laz

Chinese security firm Qihoo 360 Netlab said it partnered with tech giant Baidu to disrupt a malware botnet infecting over hundreds of thousands of systems. The botnet was traced back to a group it calls ShuangQiang (also called Double Gun ), which has been behind several attacks since 2017 aimed at compromising Windows computers with MBR and VBR bootkits , and installing malicious drivers for financial gain and hijack web traffic to e-commerce sites. In addition to using images uploaded to Baidu Tieba to distribute configuration files and malware — a technique called steganography — the group has begun using Alibaba Cloud storage to host configuration files and Baidu's analytics platform Tongji to manage the activity of its infected hosts, the researchers said. The initial compromise relies on luring unsuspecting users to install game launching software from sketchy game portals that contain malicious code under the guise of a patch. Once the user downloads and inst

Cybersecurity researchers from ESET on Thursday said they took down a portion of a malware botnet comprising at least 35,000 compromised Windows systems that attackers were secretly using to mine Monero cryptocurrency. The botnet, named "VictoryGate," has been active since May 2019, with infections mainly reported in Latin America, particularly Peru accounting for 90% of the compromised devices. "The main activity of the botnet is mining Monero cryptocurrency," ESET said . "The victims include organizations in both public and private sectors, including financial institutions." ESET said it worked with dynamic DNS provider No-IP to take down the malicious command-and-control (C2) servers and that it set up fake domains (aka sinkholes) to monitor the botnet's activity. The sinkhole data shows that between 2,000 and 3,500 infected computers connected to the C2 servers on a daily basis during February and March this year. According to ESET res

Cybersecurity researchers have spotted a new variant of the Snatch ransomware that first reboots infected Windows computers into Safe Mode and only then encrypts victims' files to avoid antivirus detection. Unlike traditional malware, the new Snatch ransomware chooses to run in Safe Mode because in the diagnostic mode Windows operating system starts with a minimal set of drivers and services without loading most of the third-party startup programs, including antivirus software. Snatch has been active since at least the summer of 2018, but SophosLabs researchers spotted the Safe Mode enhancement to this ransomware strain only in recent cyber attacks against various entities they investigated. "SophosLabs researchers have been investigating an ongoing series of ransomware attacks in which the ransomware executable forces the Windows machine to reboot into Safe Mode before beginning the encryption process," the researchers say . "The ransomware, which calls it

Targeted ransomware attacks on banking and finance, government , healthcare , and critical infrastructure are on the rise, with the latest victim being the state government of Louisiana. The state government of Louisiana was hit by a large-scale coordinated ransomware attack yesterday, which forced the state to take several state agency servers offline, including government websites, email systems, and other internal applications, to mitigate the risk of the malware's infection from spreading. The Monday's ransomware attack resulted in the subsequent shutdown of a majority of large state agencies, including the Office of the Governor, the Office of Motor Vehicles, the Department of Health, the Department of Children and Family Services, and the Department of Transportation and Development, among others. Louisiana Gov. John Bel Edwards revealed the incident in a series of tweets, saying that he had activated the state's cybersecurity team in response to the cyber

There has been no shortage of massive security breaches so far this year. Just last July, Capital One disclosed that it was hit by a breach that affected more than 100 million customers. Also recently, researchers came across an unsecured cloud server that contained the names, phone numbers, and financial information of virtually all citizens of Ecuador – around 20 million people . These are just the latest in a long line of security breaches affecting enterprises over the past few years. The Yahoo!, Equifax, and Marriott hacks and Facebook's scandal should still be fresh in people's memories, reminding everyone that even large corporations with budgets for enterprise cybersecurity may not be secure enough to protect customer information. These records are now out there, stored in hackers' data dumps , and are potentially tradable over the Dark Web. The availability of such information online increases a person's risk of being victimized through fraud and iden

Cases of document-based malware are steadily rising. 59 percent of all malicious files detected in the first quarter of 2019 were contained in documents. Due to how work is done in today's offices and workplaces, companies are among those commonly affected by file-based attacks. Since small to medium businesses (SMBs) usually lack the kind of security that protects their larger counterparts, they have a greater risk of being affected. Falling victim to file-based malware can cause enormous problems for SMBs. An attack can damage critical data stored in the organization's computers. Such loss can force a company to temporarily halt operations, resulting in financial losses. If a customer's private and financial information is compromised, the company may also face compliance inquiries and lawsuits. Their reputations could also take a hit, discouraging customers from doing business with them. But despite these risks, SMBs still invest very little in cybersecurity