Pirate Bay compromised by Magnitude

The Magnitude exploit kit [1] has been distributing ransomware on the Pirate Bay torrenting site. Cerber [2] was being served by Magnitude using pop-unders that redirected users to the malicious pages hosting the exploit kit. The majority of ads used in this malvertising campaign were delivered via Adsterra, a legitimate advertising network that has since removed the compromised pages.

DNS Changer controller sentenced

Estonian national Vladimir Tsastsin [3] has been sentenced to 7 years in prison for crimes that include fraud and malware distribution. From 2007 he was in charge of an Estonian company called Rove Digital, which distributed the DNS Changer [4] malware to millions of computers across the world. As the name implies, DNS Changer alters the DNS settings of infected machines, redirecting legitimate browser queries to malicious or fraudulent domains hosted in various countries, including Estonia. Rove Digital made at least $14 million from the advertising revenue illicitly gained by directing victims to the pages it hosted. Tsastsin, who will serve his sentence in the US, pleaded guilty to wire fraud and computer intrusion and will be fined $2.5 million in addition to his prison term.

Dogspectus Ransomware

Dogspectus is a police-locker type of ransomware that is most notable for its delivery system. Dogspectus [5] was loaded onto a test device in Blue Coat Labs by an advertisement containing malicious JavaScript. What is interesting about this particular compromise is that it was delivered silently, without any form of notification or interaction on the part of the user. The exploit kit that dropped this payload was using the Towelroot/futex exploit plus another leaked in the wake of the Hacking Team breach. The compromised device was a Samsung tablet running the open-source CyanogenMod 10 version of Android 4.2.2. Older devices such as this one that have not been updated will likely be vulnerable to malware droppers using these exploits. More information is available here [6].

PLATINUM group

Microsoft's threat hunting team has discovered a new threat actor, codenamed PLATINUM [7], that it believes to be state sponsored. The group has been active since at least 2009 and appears to be interested specifically in intellectual property owned by governments and by telecoms, defence and intelligence organisations in Southeast Asia. PLATINUM is thought to have conducted several espionage campaigns since 2009, using spear-phishing to infect targets via their private addresses before moving on to their employers' systems. The group uses custom malware and 0-days (now patched) while attempting to remain undetected by limiting malicious activity to working hours and making an effort to cover its tracks. One of the more interesting techniques used by PLATINUM is a system feature called 'hot patching', which allows administrators to install updates to actively running processes without needing to restart them. This feature was discontinued in Windows 8 and subsequent versions, but has been used by the threat group to inject code into older system processes without alerting AV. More information is available here [8].

The Silobreaker Team
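The DNS Changer item above describes malware whose effect is a rewritten resolver configuration. A simple defensive control is to audit each host's configured resolvers against the set the organisation actually operates. The script below is an added example, not code from the digest or from any of the reports it cites: the approved resolver networks, the hostnames and the resolv.conf-style lines are constructed for illustration, and the check generalises to any host inventory that can export its resolver settings as text.

```python
"""Flag hosts whose configured DNS resolvers fall outside an approved set.

Added example, not part of the original digest. The resolver lines and the
approved-resolver networks below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List

# Hypothetical organisation policy: resolvers must come from these networks.
APPROVED_RESOLVER_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),      # internal recursive resolvers
    ipaddress.ip_network("192.168.0.0/16"),  # branch/home routers
    ipaddress.ip_network("127.0.0.0/8"),     # local stub resolver
]


def parse_resolv_conf(text: str) -> List[str]:
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            servers.append(parts[1])
    return servers


def unapproved_resolvers(servers: List[str],
                         approved=APPROVED_RESOLVER_NETS) -> List[str]:
    """Return the entries that are not inside any approved network."""
    flagged = []
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)  # an unparsable entry is itself worth a look
            continue
        if not any(addr in net for net in approved):
            flagged.append(server)
    return flagged


def audit_hosts(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each host with unapproved resolvers to the offending entries."""
    findings = {}
    for host, text in configs.items():
        bad = unapproved_resolvers(parse_resolv_conf(text))
        if bad:
            findings[host] = bad
    return findings


# Constructed sample: one clean host, one whose resolver list was rewritten
# to point at an external address (203.0.113.0/24 is a documentation range).
SAMPLE_CONFIGS = {
    "ws-01": "search corp.example\nnameserver 10.1.1.53\nnameserver 10.1.2.53\n",
    "ws-02": "# rewritten resolver config\nnameserver 203.0.113.10\nnameserver 10.1.1.53\n",
}

if __name__ == "__main__":
    for host, bad in audit_hosts(SAMPLE_CONFIGS).items():
        print(f"{host}: unapproved resolver(s) {', '.join(bad)}")
```

Run against exported resolver settings from a fleet, the output is a list of hosts whose DNS has been pointed somewhere the organisation does not control, which is exactly the change DNS Changer made on its victims; an empty result means every host is using an approved resolver.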
[1] https://my.silobreaker.com/View360.aspx?Item=11_647832113&q=keyphrase%3a%22Magnitude+Exploit+Kit%22&rd=true
[2] https://my.silobreaker.com/View360.aspx?Item=11_975091619&q=keyphrase%3a%22Cerber+Ransomware%22&rd=true
[3] https://my.silobreaker.com/View360.aspx?Item=11_52564113&q=person%3a%22Vladimir+Tsastsin%22&rd=true
[4] https://my.silobreaker.com/View360.aspx?Item=11_175984474&q=keyphrase%3a%22DNSChanger%22&rd=true
[5] https://my.silobreaker.com/View360.aspx?Item=11_1000962421&q=keyphrase%3a%22Dogspectus+Ransomware%22&rd=true
[6] https://www.bluecoat.com/security-blog/2016-04-25/android-exploit-delivers-dogspectus-ransomware
[7] https://my.silobreaker.com/View360.aspx?Item=11_1002216708&q=organization%3a%22Platinum+Group+%28hacker+group%29%22&rd=true
[8] https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/