Ransomware Facts, Trends & Statistics for 2020

Being ever-evolving as an attack tool, even the simplest form of ransomware can cost significant time and money, but more severe attacks can deal a crippling blow and even destroy a company completely, sparing no one — not even large, prominent organisations. Unprepared users and businesses can quickly lose valuable data and money from these attacks. This is especially dangerous in these days of economic uncertainty, as both individuals and businesses try to manage and mitigate their risks while planning ahead.

There is no easy win in the war on cyber extortion, and the only way to deal with this threat is to first have proper intelligence — understanding how ransomware works, who it targets, how, and where.

The following facts, statistics, and trends will help you realise how imminent the ransomware threat is to your business and personal life.

images from Safety Detectives

‘Satori’ IoT DDoS Botnet Operator Sentenced to 13 Months in Prison

The United States Department of Justice yesterday sentenced a 22-year-old Washington-based hacker to 13 months in federal prison for his role in creating botnet malware, infecting a large number of systems with it, and then abusing those systems to carry out large-scale distributed denial-of-service (DDoS) attacks against various online services and targets.

According to court documents, Kenneth Currin Schuchman, a resident of Vancouver, and his criminal associates, Aaron Sterritt and Logan Shwydiuk, created multiple DDoS botnet malware families since at least August 2017 and used them to enslave hundreds of thousands of home routers and other Internet-connected devices worldwide.

Dubbed Satori, Okiru, Masuta, and Tsunami or Fbot, all these botnets were the successors of the infamous IoT malware Mirai, as they were created mainly using the source code of Mirai, with some additional features added to make them more sophisticated and effective against evolving targets.

Even after the original creators of the Mirai botnet were arrested and sentenced in 2018, many variants emerged on the Internet following the leak of its source code online in 2016.

According to a press release published by the Department of Justice, though the primary aim was to earn money by renting other cybercriminals access to their botnet networks, Schuchman and his hacking team themselves also used the botnets to conduct DDoS attacks.

In late 2017, CheckPoint researchers spotted Mirai variant Satori exploiting a zero-day RCE vulnerability (CVE-2017-17215) in Huawei HG532 devices that infected more than 200,000 IP addresses in just 12 hours.

The report linked the malware to a hacker using the online alias ‘Nexus Zeta,’ who turned out to be Kenneth Currin Schuchman after the FBI’s investigation.

“Cybercriminals depend on anonymity, but remain visible in the eyes of justice,” said U.S. Attorney Schroder. “Today’s sentencing should serve as a reminder that together with our law enforcement and private sector partners, we have the ability and resolve to find and bring to justice those that prey on Alaskans and victims across the United States.”

images from Hacker News

WikiLeaks Founder Charged With Conspiring With LulzSec & Anonymous Hackers

The United States government has filed a superseding indictment against WikiLeaks founder Julian Assange accusing him of collaborating with computer hackers, including those affiliated with the infamous LulzSec and “Anonymous” hacking groups.

The new superseding indictment does not contain any additional charges beyond the prior 18-count indictment filed against Assange in May 2019, but it does “broaden the scope of the conspiracy surrounding alleged computer intrusions with which Assange was previously charged,” the DoJ said.

In May 2019, Assange was charged with 18 counts under the old U.S. Espionage Act for unlawfully publishing classified military and diplomatic documents on his popular WikiLeaks website in 2010, which he obtained from former Army intelligence analyst Chelsea Manning.

Assange is alleged to have obtained those classified documents by conspiring with Manning to crack a password hash for a classified U.S. Department of Defence computer.

According to the new superseding indictment [PDF] unsealed Wednesday, Assange and others at WikiLeaks also recruited hackers at conferences in Europe and Asia and conspired with them to commit computer intrusions to benefit WikiLeaks.

Since the early days of WikiLeaks, Assange has spoken in conferences about his own history as a “famous teenage hacker in Australia” and encouraged others to hack to obtain information for WikiLeaks.

“In 2009, for instance, Assange told the Hacking At Random conference that WikiLeaks had obtained nonpublic documents from the Congressional Research Service by exploiting ‘a small vulnerability’ inside the document distribution system of the United States Congress, and then asserted that ‘[t]his is what any one of you would find if you were actually looking,’” the DoJ said.

Not just that, the indictment also accused Assange of gaining unauthorised access to a government computer system of a NATO country (30 member states from North America and Europe) in 2010.

Two years later, “Assange communicated directly with a leader of the hacking group LulzSec (who by then was cooperating with the FBI),” and provided him a list of targets to hack.

images from Hacker News

Docker Images Containing Cryptojacking Malware Distributed via Docker Hub

With Docker gaining popularity as a service to package and deploy software applications, malicious actors are taking advantage of the opportunity to target exposed API endpoints and craft malware-infested images to facilitate distributed denial-of-service (DDoS) attacks and mine cryptocurrencies.

According to a report published by Palo Alto Networks’ Unit 42 threat intelligence team, the purpose of these Docker images is to generate funds by deploying a cryptocurrency miner using Docker containers and leveraging the Docker Hub repository to distribute these images.

“Docker containers provide a convenient way for packaging software, which is evident by its increasing adoption rate,” Unit 42 researchers said. “This, combined with coin mining, makes it easy for a malicious actor to distribute their images to any machine that supports Docker and instantly starts using its compute resources towards cryptojacking.”

Docker is a well-known platform-as-a-service (PaaS) solution for Linux and Windows that allows developers to deploy, test, and package their applications in a contained virtual environment — in a way that isolates the service from the host system it runs on.

The Docker Hub account, named “azurenql” and since taken down, consisted of eight repositories hosting six malicious images capable of mining Monero, a privacy-focused cryptocurrency.

The malware author behind the images used a Python script to trigger the cryptojacking operation and took advantage of network anonymising tools such as ProxyChains and Tor to evade network detection.

The coin mining code within the image then exploited the processing power of the infected systems to mine the blocks.
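The “exposed API endpoints” the report refers to are typically Docker daemons whose TCP listener is reachable without TLS client authentication, which lets anyone who can reach the port pull and run an image such as a miner with the daemon’s privileges. As an added defensive example (not code from the page, from Unit 42 or from the Docker project), the following Python audits a `daemon.json` for that weak setting and shows a hardened configuration beside it; the addresses, certificate paths and both configuration samples are constructed.

```python
import json

# Constructed sample: a weak daemon.json that publishes the Docker API on
# every interface over plain TCP (2375 is the conventional plaintext port).
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed sample: the hardened form. The TCP listener is bound to one
# internal address and requires client certificates (tlsverify). The
# certificate paths are placeholders, not any real deployment's files.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""

# daemon.json keys that must accompany tlsverify for it to be effective.
TLS_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(config_text):
    """Return a list of findings (strings) for a Docker daemon.json.

    Only tcp:// listeners are examined: the unix socket is protected by
    filesystem permissions, a TCP listener only by the TLS settings
    configured next to it.
    """
    cfg = json.loads(config_text)
    findings = []
    tls_verify = bool(cfg.get("tlsverify", False))
    missing_tls_files = [k for k in TLS_KEYS if k not in cfg]

    for host in cfg.get("hosts", []):
        if not host.startswith("tcp://"):
            continue
        addr = host[len("tcp://"):]
        ip, _, _port = addr.rpartition(":")
        if ip in ("", "0.0.0.0", "[::]"):
            findings.append(f"{host}: API bound to all interfaces")
        if not tls_verify:
            findings.append(f"{host}: TCP listener without tlsverify "
                            "(unauthenticated remote API)")
        elif missing_tls_files:
            findings.append(f"{host}: tlsverify set but missing "
                            + ", ".join(missing_tls_files))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON),
                        ("hardened", HARDENED_DAEMON_JSON)):
        print(label, audit_daemon_config(text) or ["no findings"])
```

The same listener can also be set on the `dockerd` command line (`-H tcp://...`) rather than in `daemon.json`, so an audit of real hosts should check the service unit as well as the file; this example covers the file form only.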

images from Hacker News

Critical Bugs and Backdoor Found in GeoVision’s Fingerprint and Card Scanners

GeoVision, a Taiwanese manufacturer of video surveillance systems and IP cameras, recently patched three of the four critical flaws impacting its card and fingerprint scanners that could have allowed attackers to intercept network traffic and stage man-in-the-middle attacks.

In a report shared exclusively with The Hacker News, enterprise security firm Acronis said it discovered the vulnerabilities last year following a routine security audit of a Singapore-based major retailer.

“Malicious attackers can establish persistence on the network and spy on internal users, steal data — without ever getting detected,” Acronis said. “They can reuse your fingerprint data to enter your home and/or personal devices, and photos can be easily reused by malicious actors to perpetrate identity theft based on biometric data.”

In all, the flaws affect at least 6 device families, with over 2,500 vulnerable devices discovered online across Brazil, the US, Germany, Taiwan, and Japan, aside from thousands of other devices capable of being remotely compromised.

The first issue concerns a previously undocumented root password that gives an attacker backdoor access to a device: simply using the default password (“admin”) allows a remote login to the vulnerable device (e.g., https://ip.of.the.device/isshd.htm).

A second flaw involves the use of hardcoded shared cryptographic private keys when authenticating via SSH, while a third vulnerability makes it possible to access system logs on the device (e.g., at https://ip.of.the.device/messages.txt and at https://ip.of.the.device/messages.old.txt) without any authentication.
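The second flaw, a shared hardcoded SSH private key, is visible from the outside as many separate devices presenting the identical SSH host key, which is something an asset owner can check across their own fleet without touching the devices beyond a key scan. As an added defensive example (not code from the page, from Acronis or from GeoVision), the following Python groups `ssh-keyscan`-style output by host key and reports any key presented by more than one host; the addresses and key blobs are constructed placeholders, not real keys.

```python
from collections import defaultdict
import hashlib

# Constructed sample in the output format of `ssh-keyscan` (host, key type,
# base64 key blob), including the "# host:port banner" comment lines it
# prints. The blobs are placeholders; the two devices with the same blob
# stand in for a fleet whose firmware ships one baked-in host key.
SAMPLE_KEYSCAN = """\
# 192.0.2.10:22 SSH-2.0-dropbear
192.0.2.10 ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB_PLACEHOLDER_KEY_A
# 192.0.2.11:22 SSH-2.0-dropbear
192.0.2.11 ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB_PLACEHOLDER_KEY_A
# 192.0.2.12:22 SSH-2.0-OpenSSH_8.2
192.0.2.12 ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB_PLACEHOLDER_KEY_B
192.0.2.13 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5_PLACEHOLDER_KEY_C
"""


def parse_keyscan(text):
    """Yield (host, key_type, key_blob) tuples from ssh-keyscan output,
    skipping blank lines and the banner comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2]


def find_shared_host_keys(text):
    """Map each (key_type, blob) presented by more than one host to the
    sorted list of those hosts.

    Every device should generate its own host key on first boot; the same
    key on several devices means the private half is in the firmware, so
    anyone who extracts it can impersonate or MITM every affected device.
    """
    hosts_by_key = defaultdict(set)
    for host, key_type, blob in parse_keyscan(text):
        hosts_by_key[(key_type, blob)].add(host)
    return {key: sorted(hosts) for key, hosts in hosts_by_key.items()
            if len(hosts) > 1}


def short_id(key):
    """Short label for a key so reports need not print the whole blob.
    Illustrative only: OpenSSH's SHA256 fingerprint hashes the decoded
    key bytes, not the base64 text as done here."""
    key_type, blob = key
    return f"{key_type}:{hashlib.sha256(blob.encode()).hexdigest()[:16]}"


if __name__ == "__main__":
    for key, hosts in find_shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"shared host key {short_id(key)} on {len(hosts)} hosts: "
              + ", ".join(hosts))
```

Against a real inventory, feed the function the saved output of `ssh-keyscan` over your own device list; any key that appears on more than one device is a candidate for replacement with a per-device key, or for isolating those devices until the vendor patch is applied.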

images from Hacker News