Le 17 juillet dernier, Proofpoint annonçait le retour d’Emotet après plus de 160 jours d’absence.
The post Cybersécurité : après un retour remarqué en juillet, le malware Emotet prend de l’ampleur first appeared on UnderNews.
Le 17 juillet dernier, Proofpoint annonçait le retour d’Emotet après plus de 160 jours d’absence.
The post Cybersécurité : après un retour remarqué en juillet, le malware Emotet prend de l’ampleur first appeared on UnderNews.
An Iranian cyberespionage group known for targeting government, defense technology, military, and diplomacy sectors is now impersonating journalists to approach targets via LinkedIn and WhatsApp and infect their devices with malware. Detailing the new tactics of the « Charming Kitten » APT group, Israeli firm Clearsky said, « starting July 2020, we have identified a new TTP of the group,
Source de l’article sur The Hacker News
Yubico, leader des clés de sécurité pour l’authentification matérielle, présente le programme « Yubico pour la liberté d’expression », une initiative conçue pour défendre la confidentialité digitale, la sécurité en ligne et la liberté d’expression des personnes à risque et des organisations à but non lucratif. Communiqué – Depuis le 1er juillet 2020, Yubico s’engage à faire don d’une […]
The post Le nouveau programme « Yubico pour la liberté d’expression » dote les organisations à but non lucratif d’une authentification forte first appeared on UnderNews.
A notorious banking trojan aimed at stealing bank account credentials and other financial information has now come back with new tricks up its sleeve to target government, military, and manufacturing sectors in the US and Europe, according to new research. In an analysis released by Check Point Research today, the latest wave of Qbot activity appears to have dovetailed with the return of
Source de l’article sur The Hacker News
Outil d’Administration à Distance, Chevaux de Troie, Trojan, RAT… il existe de nombreuses manières de qualifier cette technique d’attaque particulièrement efficace dont les cybercriminels raffolent. Pour rappel, le Cheval de Troie est un programme d’apparence sans danger, qui cache en fait un programme malveillant.
The post Quand les cybercriminels se font passer pour la police (TA2719) first appeared on UnderNews.
Hackers always find a way in, even if there’s no software vulnerability to exploit. The FBI has arrested a Russian national who recently traveled to the United States and offered $1 million in bribe to an employee of a targeted company for his help in installing malware into the company’s computer network manually. Egor Igorevich Kriuchkov, 27-year-old, entered the United States as a tourist
Source de l’article sur The Hacker News
Original release date: August 26, 2020
This Alert uses the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK®) framework. See the ATT&CK for Enterprise framework for all referenced threat actor techniques.
This joint advisory is the result of analytic efforts among the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), the Federal Bureau of Investigation (FBI) and U.S. Cyber Command (USCYBERCOM). Working with U.S. government partners, CISA, Treasury, FBI, and USCYBERCOM identified malware and indicators of compromise (IOCs) used by the North Korean government in an automated teller machine (ATM) cash-out scheme—referred to by the U.S. Government as “FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks.”
CISA, Treasury, FBI, and USCYBERCOM highlight the cyber threat posed by North Korea—formally known as the Democratic People’s Republic of Korea (DPRK)—and provide recommended steps to mitigate the threat.
Refer to the following Malware Analysis Reports for associated IOCs: CROWDEDFLOUNDER, ECCENTRICBANDWAGON, ELECTRICFISH, FASTCash for Windows, HOPLIGHT, and VIVACIOUSGIFT.
Click here for a PDF version of this report.
North Korea’s intelligence apparatus controls a hacking team dedicated to robbing banks through remote internet access. To differentiate methods from other North Korean malicious cyber activity, the U.S. Government refers to this team as BeagleBoyz, who represent a subset of HIDDEN COBRA activity. The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as Lazarus, Advanced Persistent Threat 38 (APT38), Bluenoroff, and Stardust Chollima and are responsible for the FASTCash ATM cash outs reported in October 2018, fraudulent abuse of compromised bank-operated SWIFT system endpoints since at least 2015, and lucrative cryptocurrency thefts. This illicit behavior has been identified by the United Nations (UN) DPRK Panel of Experts as evasion of UN Security Council resolutions, as it generates substantial revenue for North Korea. North Korea can use these funds for its UN-prohibited nuclear weapons and ballistic missile programs. Additionally, this activity poses significant operational risk to the Financial Services sector and erodes the integrity of the financial system.
The BeagleBoyz’s bank robberies pose severe operational risk for individual firms beyond reputational harm and financial loss from theft and recovery costs. The BeagleBoyz have attempted to steal nearly $2 billion since at least 2015, according to public estimates. Equally concerning, these malicious actors have manipulated and, at times, rendered inoperable, critical computer systems at banks and other financial institutions.
North Korea’s widespread international bank robbery scheme that exploits critical banking systems may erode confidence in those systems and presents risks to financial institutions across the world. Any BeagleBoyz robbery directed at one bank implicates many other financial services firms in both the theft and the flow of illicit funds back to North Korea. BeagleBoyz activity fits a known North Korean pattern of abusing the international financial system for profit.
FASTCash Update North Korea’s BeagleBoyz are responsible for the sophisticated cyber-enabled ATM cash-out campaigns identified publicly as “FASTCash” in October 2018. Since 2016, the BeagleBoyz have perpetrated the FASTCash scheme, targeting banks’ retail payment system infrastructure (i.e., switch application servers processing International Standards Organization [ISO] 8583 messages, which is the standard for financial transaction messaging). Since the publication of the in October 2018, there have been two particularly significant developments in the campaign: (1) the capability to conduct the FASTCash scheme against banks hosting their switch applications on Windows servers, and (2) an expansion of the FASTCash campaign to target interbank payment processors.
For more information about FASTCash, please see https://www.us-cert.gov/ncas/alerts/TA18-275A. |
The BeagleBoyz, an element of the North Korean government’s Reconnaissance General Bureau, have likely been active since at least 2014. As opposed to typical cybercrime, the group likely conducts well-planned, disciplined, and methodical cyber operations more akin to careful espionage activities. Their malicious cyber operations have netted hundreds of millions of U.S. dollars and are likely a major source of funding for the North Korean regime. The group has always used a calculated approach, which allows them to sharpen their tactics, techniques, and procedures while evading detection. Over time, their operations have become increasingly complex and destructive. The tools and implants employed by this group are consistently complex and demonstrate a strong focus on effectiveness and operational security.
The BeagleBoyz overlap to varying degrees with groups tracked by the cybersecurity industry as: APT38 (FireEye), Bluenoroff (Kaspersky), Lazarus Group (ESTSecurity), and Stardust Chollima (CrowdStrike).
The BeagleBoyz likely have targeted financial institutions in the following nations from 2015 through 2020: Argentina, Brazil, Bangladesh, Bosnia and Herzegovina, Bulgaria, Chile, Costa Rica, Ecuador, Ghana, India, Indonesia, Japan, Jordan, Kenya, Kuwait, Malaysia, Malta, Mexico, Mozambique, Nepal, Nicaragua, Nigeria, Pakistan, Panama, Peru, Philippines, Singapore, South Africa, South Korea, Spain, Taiwan, Tanzania, Togo, Turkey, Uganda, Uruguay, Vietnam, Zambia (figure 1).
Figure 1: Nations probably targeted by BeagleBoyz since 2015
Figure 2 provides a graphical depiction of a BeagleBoyz bank heist. The next section describes in detail the end-to-end actions the BeagleBoyz take to rob financial institutions with a malicious cyber operation.
Figure 2: BeagleBoyz Bank Heist overview
The BeagleBoyz use a variety of tools and techniques to gain access to a financial institution’s network, learn the topology to discover key systems, and monetize their access. The technical analysis below represents an amalgamation of multiple known incidents, rather than details of a single operation. These findings are presented to highlight the group’s ability to tailor their techniques to different targets and to adapt their methods over time. Consequently, there is a need for layered mitigations to effectively defend against this activity, as relying solely on network signature detection will not sufficiently protect against North Korea’s BeagleBoyz.
The BeagleBoyz have used a variety of techniques, such as spearphishing and watering holes, to enable initial access into targeted financial institutions. Towards the end of 2018 through 2019 and in early 2020, the BeagleBoyz demonstrated the use of social engineering tactics by carrying out job-application themed phishing attacks using the following publicly available malicious files.
The BeagleBoyz may also be working with or contracting out to criminal hacking groups, like TA505, for initial access development. The third party typically uses commodity malware to establish initial access on a victim’s network and then turns over the access to the BeagleBoyz for follow-on exploitation, which may not occur until months later.
The BeagleBoyz have also used the following techniques to gain an initial foothold on a targeted computer network (Initial Access [TA0001]).
The BeagleBoyz selectively exploit victim computer systems after initially compromising a computer connected to a financial institution’s corporate network. After gaining initial access to a financial institution’s corporate network, the BeagleBoyz are selective in which victim systems they further exploit. The BeagleBoyz use a variety of techniques to run their code on local and remote victim systems [Execution [TA0002]).
The BeagleBoyz use many techniques to maintain access on compromised networks through system restarts, changed credentials, and other interruptions that could affect their access (Persistence [TA0003]).
The BeagleBoyz often seek access to financial institutions’ systems that have tiered user and system accounts with customized privileges. The BeagleBoyz must overcome these restrictions to access necessary systems, monitor normal user behavior, and install and execute additional malicious tools. To do so, the BeagleBoyz have used the following techniques to gain higher-level permissions on a system or network (Privilege Escalation [TA0004]).
Throughout their exploitation of a financial institution’s computer network, the BeagleBoyz have used different techniques to avoid detection by OS security features, system and network security software, and system audits (Defense Evasion [TA0005]).
The BeagleBoyz may use malware like ECCENTRICBANDWAGON to log key strokes and take screen captures. The U.S. Government has identified some ECCENTRICBANDWAGON samples that have the ability to RC4 encrypt logged data, but the tool has no network functionality. The implant uses specific formatting for logged data and saves the file locally; another tool obtains the logged data. The implant also contains no mechanism for persistence or self-loading and expects a specific configuration file to be present on the system. A full technical report for ECCENTRICBANDWAGON is available at https://us-cert.cisa.gov/northkorea.
The BeagleBoyz may not always need to use custom keyloggers like ECCENTRICBANDWAGON or other tools to obtain credentials from a compromised system. Depending on the victim’s environment, the BeagleBoyz have used the following techniques to steal credentials (Credential Access [TA0006]).
Once inside a financial institution’s network, the BeagleBoyz appear to seek two specific systems—the SWIFT terminal and the server hosting the institution’s payment switch application. As they progress through a network, they learn about the systems they have accessed in order to map the network and gain access to the two goal systems. To do so, the BeagleBoyz have used the following techniques to gain knowledge about the systems and internal network (Discovery [TA0007]).
To access a compromised financial institution’s SWIFT terminal and the server hosting the institution’s payment switch application, the BeagleBoyz leverage harvested credentials and take advantage of the accessibility of these critical systems from other systems in the institution’s corporate network. Specifically, the BeagleBoyz have been known to create firewall exemptions on specific ports, including ports 443, 6443, 8443, and 9443. Depending on the configuration of compromised systems and the security environment of the victim’s computer network, the BeagleBoyz have used the following techniques to enter and control remote systems on a compromised network (Lateral Movement [TA0008]).
Depending on various environmental attributes the BeagleBoyz encounter during their exploitation, they may deploy a variety of reconnaissance tools or use commonly available administrative tools for malicious purposes.
The BeagleBoyz, like other sophisticated cyber actors, also appear to use resident, legitimate administrative tools for reconnaissance purposes when they are available; this is commonly known as “living off the land.” PowerShell appears to be a popular otherwise-legitimate tool the BeagleBoyz favor for reconnaissance activities. For example, the BeagleBoyz often use publicly available code from PowerShell Empire for malicious purposes.
The BeagleBoyz have used the following techniques to gather information from exploited systems (Collection [TA0009]).
The BeagleBoyz likely change tools—such as CROWDEDFLOUNDER and HOPLIGHT—over time to maintain remote access to financial institution networks and to interact with those systems.
Analysis of the following CROWDEDFLOUNDER samples was first released in October 2018 as part of the FASTCash campaign.
MD5 hash: 5cfa1c2cb430bec721063e3e2d144feb
MD5 hash: 4f67f3e4a7509af1b2b1c6180a03b3e4
The BeagleBoyz have used CROWDEDFLOUNDER as a remote access trojan (RAT) since at least 2018. The implant is designed to operate on Microsoft Windows hosts and can upload and download files, launch a remote command shell, inject into victim processes, obtain user and host information, and securely delete files. The implant may be packed with Themida to degrade or prevent effective reverse engineering or evade detection on a Windows host. It can be set to act in beacon or listening modes, depending on command line arguments or configuration specifications. The implant obfuscates network communications using a simple encoding algorithm. The listening mode of CROWDEDFLOUNDER facilitates proxies like ELECTRICFISH (discussed below) with tunneling traffic in a victim’s network.
More recently, the U.S. Government has found HOPLIGHT malware on victim systems, suggesting the BeagleBoyz are using HOPLIGHT for similar purposes. HOPLIGHT has the same basic RAT functionality as the CROWDEDFLOUNDER implant. In addition, HOPLIGHT has the capability to create fraudulent Transport Layer Security (TLS) sessions to obfuscate command and control (C2) connections, making detection and tracking of the malware’s communications difficult.
Full technical reports for CROWDEDFLOUNDER and HOPLIGHT are available at https://us-cert.cisa.gov/northkorea.
The BeagleBoyz use network proxy tunneling tools—including VIVACIOUSGIFT and ELECTRICFISH—to tunnel communications from non-internet facing systems like an ATM switch application server or a SWIFT terminal to internet-facing systems. The BeagleBoyz use these network proxy tunneling tools, likely placed at or near a victim’s network boundary, to tunnel other protocols such as RDP and Secure Shell or other implant traffic out from the internal network.
It appears that as the BeagleBoyz change proxy tools, there is some overlap between their use of older and newer malware. For example, the BeagleBoyz appear to have begun using ELECTRICFISH as they wound down use of VIVACIOUSGIFT. There has been a noticeable decline in ELECTRICFISH use following the U.S. Government’s disclosure of it in May 2019.
Full technical reports for VIVACIOUSGIFT and ELECTRICFISH are available at https://us-cert.cisa.gov/northkorea.
In addition to these tools, the BeagleBoyz have used the following techniques to communicate with financial institution victim systems under their control (Command and Control [TA0011]).
Cryptocurrency Exchange Heists In addition to robbing traditional financial institutions, the BeagleBoyz target cryptocurrency exchanges to steal large amounts of cryptocurrency, sometimes valued at hundreds of millions of dollars per incident. Cryptocurrency offers the BeagleBoyz an irreversible method of theft that can be converted into fiat currency because the permanent nature of cryptocurrency transfers do not allow for claw-back mechanisms. Working with U.S. Government partners, CISA, Treasury, FBI, and USCYBERCOM identified COPPERHEDGE as the tool of choice for the BeagleBoyz to exploit cryptocurrency exchanges. COPPERHEDGE is a full-featured remote access tool capable of running arbitrary commands, performing system reconnaissance, and exfiltrating data. Full technical analysis of COPPERHEDGE is available at https://us-cert.cisa.gov/northkorea. |
During a cyber operation, the BeagleBoyz need to exfiltrate a variety of data from compromised systems. In addition to the C2 tools noted that have built-in exfiltration features, such as CROWDEDFLOUNDER and HOPLIGHT, the BeagleBoyz use the following techniques to steal data from a network (Exfiltration [TA0010]).
The U.S. Government has observed the BeagleBoyz successfully monetize illicit access to financial institutions’ SWIFT terminals to enable wire fraud and gain access to the institutions’ payment switch application servers, which allowed fraudulent ATM cash outs. After gaining access to either one or both of these operationally critical systems, the BeagleBoyz monitor the systems to learn about their configurations and legitimate use patterns, and then they deploy bespoke tools to facilitate illicit monetization.
The cybersecurity community and Financial Services sector have released substantial information on the BeagleBoyz manipulation of compromised SWIFT terminals, describing their ability to monitor these systems, send fraudulent messages, and attempt to hide the fraudulent activity from detection. The discussion below focuses on the custom tools used to manipulate payment switch applications for ATM cash outs.
The BeagleBoyz use FASTCash malware to intercept financial request messages and reply with fraudulent but legitimate-looking affirmative response messages in the ISO 8583 format. The BeagleBoyz have functionally equivalent FASTCash malware for both UNIX and Windows that they deploy depending on the operating system running on the server hosting the bank’s payment switch application.
FASTCash for UNIX is composed of AIX executable files designed to inject code and libraries into a currently running process. One AIX executable provides export functions, which allows an application to manipulate transactions on financial systems using the ISO 8583 international standard for financial transaction card-originated interchange messaging. The injected executables interpret financial request messages and construct fraudulent financial response messages. For more details on FASTCash for UNIX malware, please see the FASTCash report at https://www.us-cert.gov/ncas/alerts/TA18-275A.
The BeagleBoyz use FASTCash for Windows to manipulate transactions processed by a switch application running on a Windows box. FASTCash for Windows is also specific to the ISO 8583 message format. The BeagleBoyz appear to have modified publicly available source code to write parts of the tool, likely to speed development. The malware contains code probably taken from open-source repositories on the internet to create hashmaps and hook functions and to parse ISO 8583 messages.
FASTCash for Windows injects itself into software running on a Windows platform. The malware then takes control of the software’s network send and receive functions, allowing it to manipulate ISO 8583 messages. The U.S. Government has identified two variants of FASTCash for Windows. One variant supports ASCII encoding. The BeagleBoyz appear to have modified the second variant’s message parsing code to support Extended Binary Coded Decimal Interchange Code (EBCIDC) encoding. Both ASCII and EBCDIC are character encoding formats.
FASTCash for Windows malware uses code from github.com/petewarden/c_hashmap for hashmaps, code from Microsoft’s Detours Library at github.com/Microsoft/Detours for hooking, and code from to parse ISO 8583 messages.
The malware hooks onto the send and receive function of the switch application so that it can process inbound request messages as they are received. FASTCash for Windows inspects the inbound message, probably looking for specific account numbers. If the account number matches an expected number, the malware constructs a fraudulent response message. If the account number does not match an expected number, the malware allows the request to pass through normally. If the malware constructs a fraudulent response message, it then sends it back to the acquirer without any further processing by the switch application, leaving the issuer without any awareness of the fraudulent transaction.
Full technical reports for FASTCash and FASTCash for Windows malware are available at https://us-cert.cisa.gov/northkorea.
The BeagleBoyz have used the following techniques to manipulate business and operational processes for monetary or destructive purposes (Impact [TA0040]).
Require chip and personal identification number (PIN) cryptogram validation.
Isolate payment system infrastructure.
Logically segregate your operating environment.
Encrypt data in transit.
Monitor for anomalous behavior as part of layered security.
Validate issuer responses to financial request messages.
Users and administrators should use the following best practices to strengthen the security posture of their organization’s systems:
Additional information on malware incident prevention and handling can be found in National Institute of Standards and Technology Special Publication 800-83, Guide to Malware Incident Prevention and Handling for Desktops and Laptops.
Recipients of this report are encouraged to contribute any additional information that they may have related to this threat.
For any questions related to this report or to report an intrusion and request resources for incident response or technical assistance, please contact:
The United States Government does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by the United States Government.
This product is provided subject to this Notification and this Privacy & Use policy.
Les vulnérabilités détectées dans les décodeurs DVB-T2 conçus par THOMSON et Philips mettent en lumière les négligences des fabricants en matière de sécurisation des appareils connectés.
The post Avast met à jour des failles de sécurité dans des décodeurs first appeared on UnderNews.
It’s one thing for APT groups to conduct cyber espionage to meet their own financial objectives. But it’s an entirely different matter when they are used as « hackers for hire » by competing private companies to make away with confidential information. Bitdefender’s Cyber Threat Intelligence Lab discovered yet another instance of an espionage attack targeting an unnamed international
Source de l’article sur The Hacker News
« In today’s knowledge economy, continual learning is an imperative. » — Those words from Aytekin Tank, the founder of JotForm, are particularly important for anyone working in IT or development. With over 1,000 premium courses (complete list) from top instructors, StackSkills Unlimited provides endless learning opportunities. Right now, you can grab lifetime membership for $59. Categories of
Source de l’article sur The Hacker News
En continuant à naviguer sur le site, vous acceptez que nous utilisions quelques cookies.
OKPlus d'infoNous utilisons les cookies pour nous faire savoir quand vous visitez nos sites Web, comment vous interagissez avec nous, pour enrichir votre expérience utilisateur et pour personnaliser votre relation avec notre site Web.
Cliquez sur les différents titres de catégories pour en savoir plus. Vous pouvez également modifier certaines de vos préférences. Notez que le blocage de certains types de cookies peut avoir un impact sur votre expérience sur nos sites Web et les services que nous sommes en mesure d'offrir.
These cookies are strictly necessary to provide you with services available through our website and to use some of its features.
Because these cookies are strictly necessary to deliver the website, you cannot refuse them without impacting how our site functions. You can block or delete them by changing your browser settings and force blocking all cookies on this website.
Ces cookies recueillent des renseignements qui sont utilisés sous forme agrégée pour nous aider à comprendre comment notre site Web est utilisé ou l'efficacité de nos campagnes de marketing, ou pour nous aider à personnaliser notre site Web et notre application pour vous afin d'améliorer votre expérience.
Si vous ne voulez pas que nous suivions votre visite sur notre site, vous pouvez désactiver le suivi dans votre navigateur ici :
Nous utilisons également différents services externes comme Google Webfonts, Google Maps et les fournisseurs externes de vidéo. Comme ces fournisseurs peuvent collecter des données personnelles comme votre adresse IP, nous vous permettons de les bloquer ici. Veuillez noter que cela pourrait réduire considérablement la fonctionnalité et l'apparence de notre site. Les changements prendront effet une fois que vous aurez rechargé la page.
.
Paramètres de Google Webfont Settings :
Google Map :
Vimeo et Youtube :
Vous pouvez lire nos cookies et nos paramètres de confidentialité en détail sur la page suivante