FBI charges Chinese national with distributing malware used in OPM hack attack

The malware has been linked to both the data breach of the US Office of Personnel Management as well as the Anthem breach.

The FBI has filed charges against a Chinese malware broker named Yu Pingan, alleging that he provided hackers with malware, including the Sakula trojan, used to breach multiple computer networks belonging to companies in the US.

The FBI alleges that Yu, also known as “GoldSun,” conspired with two unnamed hackers from around April 2011 through around January 2014 to maliciously target a group of US companies’ computer networks.

The complaint filed does not name which companies were targeted but notes that the different companies were headquartered in San Diego, California; Massachusetts; Los Angeles, California; and Arizona.

The rarely-used Sakula malware has been linked to both the 2014 breach of the US Office of Personnel Management as well as the 2015 breach of the health insurance firm Anthem.

The Anthem breach affected 78.8 million current and former customers of the company, while the OPM hack exposed the records of more than 22 million Americans who had applied for security clearances to work for the government.

This Android HummingBad malware has infected 85 million devices and makes its creators $300,000 a month

The gang behind the malware makes money from fraudulent apps, but if it chose to use its reach for theft, corporations could be put at risk.


Experts have also warned that the spread of the malicious HummingBad software could be used to do even worse damage by stealing victims’ data.


The mobile malware has been analysed by security researchers at Check Point after it was found on Android devices belonging to two employees at “a large financial institution”. In-depth findings on the malware are laid out in the company’s ‘From HummingBad to Worse’ report. The gang behind the malware — thought to be located in China — are estimated to generate around $1m every quarter from fraudulent ad revenue and the installation of bogus apps.

Initially discovered in February, HummingBad infects Android devices via two methods: drive-by downloads and malicious payloads delivered by websites distributing adult content.

Once the attack is underway, HummingBad attempts to gain root access to the device using a rootkit component, which if successful gives attackers full control of the infected phone. If that method fails, HummingBad falls back to a fake system update notification to trick users into granting it access to the entire Android system.

No matter which method of attack is used, a successful installation of HummingBad will see it install as many fraudulent apps on the infected device as possible, which is how the scheme generates revenue.

Researchers suggest that a total of 85 million Android devices across the globe have been infected in this way, with victims in China, India, the Philippines, and Indonesia accounting for over half of those successfully targeted.

It’s estimated that 10 million victims are unwittingly using malicious apps, which in total deliver over 20 million advertisements a day, resulting in 2.5 million clicks every 24 hours. Engagement with these pop-up ads delivers around $10,000 per day, totalling about $300,000 each month.


Henry Sapiecha

Philippines bank attack carried out by the same group as the Bangladesh Bank heist, says Symantec


Before hitting the Bangladesh Bank’s US Federal Reserve account for $81 million in February, the group responsible for the attack tried their luck on a Philippine institution, Symantec has said.

In a blog post, the security vendor said that similarities in the malware code used in both attacks led it to conclude the attacks came from the same source.

“Symantec believes distinctive code shared between families and the fact that Backdoor.Contopee was being used in limited targeted attacks against financial institutions in the region, means these tools can be attributed to the same group,” it said.

The company said the attacks on the Philippine bank began in October last year and represent the earliest known attacks from the group.

“The discovery of more attacks provides further evidence that the group involved is conducting a wide campaign against financial targets in the region,” Symantec said.

Some of the code similarities mean the malware can be traced to Lazarus, a group linked with a trojan that was used in the attack on Sony Pictures.

Since the attack on the Bangladesh Bank came to light, the central messaging service between the world’s banks, SWIFT, has said it plans to launch a new security program.

“There will be a before and an after Bangladesh. The Bangladesh fraud is not an isolated incident … this is a big deal. And it gets to the heart of banking,” SWIFT chief executive Gottfried Leibbrandt said earlier this week.

In February, attackers compromised the Bangladesh central bank’s SWIFT environment and sent fraudulent payment instructions to the Federal Reserve Bank of New York, allowing them to steal $81 million.

The attackers have also been blamed for a $12 million theft from an Ecuadorean bank last year, and an unsuccessful attack on Vietnam’s Tien Phong Bank.

Earlier this month, a wide range of Symantec’s products was found to be vulnerable to a buffer overflow when parsing malformed portable-executable (PE) headers.

On Windows, because Symantec’s scanning engine is loaded into the kernel, the resulting kernel memory corruption crashes the machine instantly with a blue screen. On Linux, OS X and other Unix-like systems, the same bug gives a remote heap overflow as root inside the Symantec or Norton process.

The attack requires no user interaction, because the engine scans files automatically: receiving an email, downloading a document or application, or visiting a malicious website is enough to trigger it.
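The header-parsing bug described above is an instance of a well-known class: an offset or count read from the file is trusted, and the bounds check that should reject it is itself written so that it can overflow. The following is an added example, not Symantec’s code (the engine’s internals are not on this page). It parses a constructed minimal PE image and places the naive offset check beside a safe one; the sample image builder, the `MAX_SECTIONS` limit and the `demo_*` functions are assumptions made for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed PE header parser: naive bounds check beside the hardened one.
 * Added example; not the vendor's engine code. */
#define DOS_SIG      0x5A4Du        /* "MZ" */
#define NT_SIG       0x00004550u    /* "PE\0\0" */
#define SECT_SIZE    40u            /* sizeof(IMAGE_SECTION_HEADER) */
#define MAX_SECTIONS 16             /* assumption: room in the caller's array */

struct section_entry { char name[8]; uint32_t vsize; uint32_t vaddr; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xFF); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Naive check: `off + need` is uint32_t arithmetic and wraps past zero, so an
 * e_lfanew such as 0xFFFFFFF8 passes and the parser then reads far outside the
 * buffer. This is the pattern behind header-parsing overflows. */
int naive_offset_ok(uint32_t off, uint32_t need, uint32_t len) {
    return off + need <= len;                  /* BUG: wraps for large off */
}

/* Hardened check: neither comparison can overflow. */
int safe_offset_ok(uint32_t off, uint32_t need, uint32_t len) {
    return off <= len && need <= len - off;
}

/* 0 = ok, -1 = bad signature, -2 = truncated/out of bounds, -3 = too many sections. */
int parse_pe_sections(const uint8_t *buf, uint32_t len,
                      struct section_entry *out, size_t max_out, size_t *count)
{
    *count = 0;
    if (!safe_offset_ok(0, 0x40, len) || rd16(buf) != DOS_SIG) return -1;
    uint32_t nt = rd32(buf + 0x3C);                  /* e_lfanew: attacker-controlled */
    if (!safe_offset_ok(nt, 24, len)) return -2;     /* signature + IMAGE_FILE_HEADER */
    if (rd32(buf + nt) != NT_SIG) return -1;
    uint16_t nsec  = rd16(buf + nt + 6);             /* NumberOfSections */
    uint16_t optsz = rd16(buf + nt + 20);            /* SizeOfOptionalHeader */
    uint32_t sect  = nt + 24;                        /* cannot wrap: nt + 24 <= len */
    if (!safe_offset_ok(sect, optsz, len)) return -2;
    sect += optsz;
    if (nsec > max_out) return -3;                   /* would overrun `out` */
    if (!safe_offset_ok(sect, (uint32_t)nsec * SECT_SIZE, len)) return -2;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *h = buf + sect + (uint32_t)i * SECT_SIZE;
        memcpy(out[i].name, h, 8);
        out[i].vsize = rd32(h + 8);
        out[i].vaddr = rd32(h + 12);
    }
    *count = nsec;
    return 0;
}

/* Builds a constructed minimal PE image (no optional header) claiming `claimed`
 * sections while only `real` are present. If the NT header cannot fit, only the
 * DOS stub with a dangling e_lfanew is emitted. Returns the image length. */
size_t build_sample(uint8_t *buf, size_t cap, uint32_t e_lfanew, uint16_t claimed, uint16_t real)
{
    memset(buf, 0, cap);
    wr16(buf, (uint16_t)DOS_SIG);
    wr32(buf + 0x3C, e_lfanew);
    uint64_t end = (uint64_t)e_lfanew + 24 + (uint64_t)real * SECT_SIZE;
    if (e_lfanew < 0x40 || end > cap) return 0x40;
    wr32(buf + e_lfanew, NT_SIG);
    wr16(buf + e_lfanew + 6, claimed);
    wr16(buf + e_lfanew + 20, 0);                    /* SizeOfOptionalHeader = 0 */
    for (uint16_t i = 0; i < real; i++) {
        uint8_t *h = buf + e_lfanew + 24 + (size_t)i * SECT_SIZE;
        snprintf((char *)h, 8, ".sec%u", (unsigned)i);
        wr32(h + 8, 0x1000u * (i + 1));              /* VirtualSize */
        wr32(h + 12, 0x1000u * (i + 1));             /* VirtualAddress */
    }
    return (size_t)end;
}

/* Well-formed image: returns the parsed section count (3). */
int demo_wellformed(void) {
    uint8_t img[512]; struct section_entry s[MAX_SECTIONS]; size_t n;
    size_t len = build_sample(img, sizeof img, 0x80, 3, 3);
    return parse_pe_sections(img, (uint32_t)len, s, MAX_SECTIONS, &n) == 0 ? (int)n : -100;
}
/* Malformed: claims 0xFFFF sections; a parser trusting the count would copy
 * 0xFFFF * 40 bytes into a 16-entry array. Returns -3. */
int demo_section_count_lie(void) {
    uint8_t img[512]; struct section_entry s[MAX_SECTIONS]; size_t n;
    size_t len = build_sample(img, sizeof img, 0x80, 0xFFFF, 3);
    return parse_pe_sections(img, (uint32_t)len, s, MAX_SECTIONS, &n);
}
/* Malformed: e_lfanew near 2^32, the case the naive check lets through. Returns -2. */
int demo_wrapped_lfanew(void) {
    uint8_t img[512]; struct section_entry s[MAX_SECTIONS]; size_t n;
    size_t len = build_sample(img, sizeof img, 0xFFFFFFF8u, 1, 1);
    return parse_pe_sections(img, (uint32_t)len, s, MAX_SECTIONS, &n);
}

int main(void) {
    printf("naive check on e_lfanew=0xFFFFFFF8: %s\n", naive_offset_ok(0xFFFFFFF8u, 24, 64) ? "PASSES (bug)" : "rejects");
    printf("safe  check on e_lfanew=0xFFFFFFF8: %s\n", safe_offset_ok(0xFFFFFFF8u, 24, 64) ? "passes" : "rejects");
    printf("well-formed: %d sections; count lie: rc=%d; wrapped e_lfanew: rc=%d\n",
           demo_wellformed(), demo_section_count_lie(), demo_wrapped_lfanew());
    return 0;
}
```

The point for a scanner is that every field driving an offset or a copy length (`e_lfanew`, `NumberOfSections`, `SizeOfOptionalHeader`) comes from the file being scanned, so each one needs a check written so that the arithmetic itself cannot wrap, and a hard cap that matches the destination buffer. In a kernel-resident engine a miss here is a crash at best; in a root-privileged user process it is a remote code execution primitive.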



Shellshock just one tool in hackers’ cyber arsenal


Silent thief: The Shellshock vulnerability went unnoticed for more than 20 years.

Online shoppers need to be extra vigilant against malicious links during the holiday shopping season, warns Adam Turner.

Unwitting Australians click on more than 15 million malicious internet links every month, lured by increasingly sophisticated attempts to infect their computers and steal valuable information.

Australians clicked on more than 45.5 million malicious links in the third quarter of 2014, up from 39 million in the three months before, according to security vendor Trend Micro’s third-quarter security roundup report. This ranks Australia fifth in the world for countries with the highest number of visits to malicious sites, after the United States, Japan, France and Italy.

The growing threat from malicious links is partly attributed to September’s discovery of the Shellshock security flaw in the Bash shell, which many web servers expose through CGI scripts. Among other things, Shellshock lets attackers run commands on a vulnerable server, compromise the legitimate web pages it hosts, and use them to push malicious software onto the computers of people who visit the site, an attack known as a drive-by download.

The Shellshock vulnerability went unnoticed for more than 20 years, suggesting that more long-undiscovered vulnerabilities are likely lurking within operating systems and applications.

Meanwhile, the threat from vulnerabilities in mobile devices and apps is also increasing, with ransomware targeting mobile devices along with desktop computers.

Ransomware encrypts the contents of a device and demands a ransom before precious files, such as photographs, are returned. One of the latest ransomware threats involved fake emails, purporting to be from Australia Post, with an attachment that claims to contain details of parcel deliveries but in fact encrypts the files on the computer’s hard drive and demands payment.

The latest report is a clear indication that Australian consumers still need to be educated about their online vulnerability, especially as cyber threats become more complex, says Trend Micro’s Australia and New Zealand consumer director, Tim Falinski.

“Consumers need to be extra vigilant heading into the holiday shopping season and new year sales, which is typically a time of year that sees an increase in cyber crime.”

