Channel: Silobreaker: All Posts

Silobreaker Daily Cyber Digest – 9 May 2016

Bucbi ransomware

The Bucbi ransomware [1] has received an update and is back in the wild, possibly at the hands of a Ukrainian group known as Right Sector [2]. Bucbi had not been seen since early 2014, but was recently observed by FOX-IT and Palo Alto Networks [3] in a campaign targeting servers that expose the Remote Desktop Protocol (RDP). The ransomware itself is rather inefficient, despite the updates it has received. It encrypts files with the GOST block cipher, a symmetric-key algorithm developed in the Soviet Union in the 1970s and declassified in 1994.

The Bucbi attacks are notable for three reasons. First, the infection vector is RDP: attackers are brute-forcing internet-facing RDP servers, possibly with a utility called RDP Brute, and deploying Bucbi on the hosts they break into. Second, several of the usernames tried in the brute-force attempts are related to point-of-sale (POS) software (KahalaPOS, FocusPOS), implying that payment processing or storage servers were the original targets. Third, while the ransom note states that the malware is operated by the far-right Ukrainian nationalist party Right Sector, the code contains numerous Russian-language strings, which makes that attribution doubtful.

Palo Alto Networks note that the ransomware contains a decryption routine, which may allow victims to recover their data without paying the ransom.

Data leak at UAE InvestBank

The hacking group that leaked 2GB of data from the Qatar National Bank may have struck again, this time against the UAE-based InvestBank [4]. Bozkurtlar [5], also known as the Grey Wolves, have been circulating a URL linking to nearly 10GB of files from the bank. These include account statements, ID and passport scans, contact details and passwords, as well as more than 69,000 sets of credit card details.

What distinguishes this leak from the Qatar National Bank one is that Bozkurtlar may not have stolen the data at all. In December 2015 an individual known as Hacker Huba [6] attempted to blackmail InvestBank for $3 million using stolen data; the bank refused to pay and Huba apparently dumped the information online. That earlier dump, reportedly far larger than the roughly 10GB now circulating, was never located, and InvestBank claim that Bozkurtlar have simply republished a portion of it.

W-2 data stolen from Kroger employees

Krebs [7] reports that W-2 salary and tax data has been stolen from the credit bureau Equifax [8] by identity thieves. The news came from a letter sent by the grocery company Kroger to its employees.

The theft used tactics similar to those behind the earlier IRS and ADP incidents. The thieves took data that is often obtainable elsewhere, such as dates of birth and Social Security numbers, registered on tax portals as the employees in question, and used the resulting W-2 information to file fraudulent refund claims. In this case the thieves accessed Equifax's W-2Express site; the number of employees whose data was compromised is unknown. Kroger is offering credit monitoring services to those affected.

Qualcomm vulnerability patched

Google has patched a vulnerability that had been present for around five years in a software package created by Qualcomm [10]. CVE-2016-2060 was discovered by FireEye [9]; devices running Android 4.3 and earlier are the most exposed. The flaw allows local privilege escalation, either by an attacker with physical access to the device or through a malicious application installed on it, and the malicious app would need only the common ACCESS_NETWORK_STATE permission. In theory, successful exploitation would allow an attacker to extract the SMS and call-log databases and access the internet, among other capabilities. There is, however, no evidence that the vulnerability has been exploited in the wild.

OpIcarus (update 2)

Anonymous have continued their OpIcarus [11] campaign against banks. Ghost Squad Hackers [12] hit websites belonging to the Dutch Central Bank, the Central Bank of Guernsey and the Maldives Monetary Authority with DDoS attacks, taking them offline for nearly a day.

The Silobreaker Team

[1] https://my.silobreaker.com/View360.aspx?Item=11_1007507734&q=keyphrase%3a%22Bucbi+Ransomware%22&rd=true
[2] https://my.silobreaker.com/View360.aspx?Item=11_689711730&q=organization%3a%22Ukrainian+Right+Sector%22&rd=true
[3] http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/
[4] https://my.silobreaker.com/View360.aspx?Item=11_924963058&q=company%3a%22Investbank+%28UAE%29%22&rd=true
[5] https://my.silobreaker.com/View360.aspx?Item=11_1004192723#?q=Organization:Bozkurt%20Hackers
[6] https://my.silobreaker.com/View360.aspx?Item=11_935681746&q=keyphrase%3a%22Hacker+Huba%22&rd=true
[7] http://krebsonsecurity.com/2016/05/crooks-grab-w-2s-from-credit-bureau-equifax/#more-34764
[8] https://my.silobreaker.com/View360.aspx?Item=11_769731&q=company%3a%22Equifax+Inc%22&rd=true
[9] https://www.fireeye.com/blog/threat-research/2016/05/exploiting_cve-2016-.html
[10] https://my.silobreaker.com/View360.aspx?Item=11_306409&q=company%3a%22QUALCOMM+Inc%22&rd=true
[11] https://my.silobreaker.com/View360.aspx?Item=11_963456195&q=keyphrase%3a%22OpIcarus%22&rd=true
[12] https://my.silobreaker.com/View360.aspx?Item=11_990520529&q=organization%3a%22Ghost+Squad+Hackers%22&rd=true
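The Bucbi item above turns on one detectable behaviour: repeated RDP logon failures from a single source, cycling through usernames that include POS-product names. The following is an added example of a detection rule for that pattern, written for this digest and not code from Silobreaker, FOX-IT or Palo Alto Networks. It assumes a flat key=value export of Windows Security log events (Event ID 4625 = failed logon, 4624 = successful logon, Logon Type 10 = RemoteInteractive, i.e. RDP), a constructed set of sample events, and a hypothetical threshold, window and "pos" substring heuristic. It generalises the specific case in the text into a sliding-window count per source IP, so a slow spray is caught as well as a burst, while SMB noise and a legitimate user's single typo are not flagged.

```python
"""Flag RDP brute-force / password-spray activity from Windows failed-logon events.

Added example, not code from Silobreaker, FOX-IT or Palo Alto Networks. The events
below are constructed for illustration and assume a flat key=value export of
Security log Event ID 4625 (failed logon) and 4624 (successful logon); the threshold,
window and POS-username heuristic are assumptions, not values from the Bucbi report.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events. LogonType 10 = RemoteInteractive (RDP); LogonType 3 =
# Network (SMB etc.), included as noise that an RDP-specific rule should ignore.
SAMPLE_EVENTS = """\
2016-05-06T02:10:01Z EventID=4625 LogonType=10 TargetUserName=Administrator IpAddress=203.0.113.7
2016-05-06T02:10:03Z EventID=4625 LogonType=10 TargetUserName=KahalaPOS IpAddress=203.0.113.7
2016-05-06T02:10:04Z EventID=4625 LogonType=10 TargetUserName=FocusPOS IpAddress=203.0.113.7
2016-05-06T02:10:06Z EventID=4625 LogonType=10 TargetUserName=pos IpAddress=203.0.113.7
2016-05-06T02:10:09Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.7
2016-05-06T02:10:12Z EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.7
2016-05-06T02:11:40Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2016-05-06T02:13:05Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.20
2016-05-06T02:14:00Z EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=192.0.2.44
2016-05-06T02:14:01Z EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=192.0.2.44
2016-05-06T02:14:02Z EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=192.0.2.44
2016-05-06T02:14:03Z EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=192.0.2.44
2016-05-06T02:14:04Z EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=192.0.2.44
2016-05-06T02:14:05Z EventID=4625 LogonType=3 TargetUserName=svc_backup IpAddress=192.0.2.44
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+)\s+EventID=(?P<event_id>\d+)\s+LogonType=(?P<logon_type>\d+)\s+"
    r"TargetUserName=(?P<user>\S+)\s+IpAddress=(?P<ip>\S+)$"
)
FAILED_LOGON = 4625
RDP_LOGON_TYPE = 10
# Heuristic (assumption): the Bucbi campaign tried usernames such as KahalaPOS and
# FocusPOS, so any username containing "pos" is tagged as a likely point-of-sale account.
POS_HINT = "pos"


def parse_event(line):
    """Parse one exported event line into a dict, or return None for unparseable input."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "event_id": int(m.group("event_id")),
        "logon_type": int(m.group("logon_type")),
        "user": m.group("user"),
        "ip": m.group("ip"),
    }


def is_pos_username(user):
    return POS_HINT in user.lower()


def detect_rdp_bruteforce(raw, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: details} for every IP with at least `threshold` failed RDP
    logons inside some sliding window of length `window`. Non-RDP logon types and
    successful logons are ignored."""
    failures = defaultdict(list)
    for line in raw.splitlines():
        ev = parse_event(line)
        if ev is None or ev["event_id"] != FAILED_LOGON or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        failures[ev["ip"]].append(ev)

    alerts = {}
    for ip, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        best_count, best_span, start = 0, (0, 0), 0
        for end in range(len(events)):  # two-pointer sliding window over sorted timestamps
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 > best_count:
                best_count, best_span = end - start + 1, (start, end)
        if best_count >= threshold:
            hit = events[best_span[0]:best_span[1] + 1]
            users = sorted({e["user"] for e in hit})
            alerts[ip] = {
                "failures": best_count,
                "first_seen": hit[0]["ts"].isoformat(),
                "usernames": users,
                "pos_usernames": [u for u in users if is_pos_username(u)],
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, info)
```

On the sample data only 203.0.113.7 is flagged: six failures in eleven seconds across six usernames, three of them POS-related. The single failure from 198.51.100.20 followed by a success stays quiet, and the six SMB failures from 192.0.2.44 are left to a separate rule because their logon type is not RDP. In production the same logic would consume the raw EventID/LogonType/IpAddress fields from the Security log, and the POS-name tag is a prioritisation hint rather than an indicator on its own.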
