Aussies A Target With The Australian Taxation Office (ATO) Phishing Email

A phishing campaign appearing to be from the Australian Taxation Office (ATO) is targeting businesses right now. The email contains a link where folks are told they can review their Business Activity Statements (BAS) online; however, the link downloads a trojan dropper that installs ransomware or some other malware. Keep an eye open for emails saying they are from [email protected].

Erich’s “What in the (cyber security) world is going on?” 03-09-17 edition

Another crazy week in the Cyberz. This is my recap of the last week's worth of fun (and not) related to the world of cyber. To get updates more often, subscribe to my blog on the right.

I’ll be down by Ft. Lauderdale Thursday and Friday while speaking at the South Florida ISSA Conference. If you are around and want to meet up for a cold one, let me know.

I’m just going to start with Vault 7

I mean, really, how could I not? On Tuesday WikiLeaks dropped a bomb on the infosec world (perhaps the world in general) when they published roughly eleventy-trillion pages of data related to CIA offensive cyber capabilities. It’s full of 0-days and different vulnerabilities/hacks with fun little names like “SnowyOwl” and “Weeping Angel”. For example, Weeping Angel can use Samsung Smart TVs to covertly record audio conversations. If/when it’s confirmed that this is really a legit CIA info dump (which it appears to be), it won’t be pleasant. As it is, a lot of people in the US Government are probably creating new grey hair and ulcers at this very moment. I am not going to try to analyze the whole dump, but I will say that some of this stuff is a bit spooky. Just remember, Don’t Blink!

 

Over 1 Biiiiiiiiilion email addresses exposed by spammers’ misconfigured backups

Karma is a bitch. River City Media screwed up their Rsync configs and accidentally backed up their data to an internet-facing server, exposing all of the data, where it was discovered by Chris Vickery, a security researcher for MacKeeper. He contacted the authorities and relevant orgs to help shut down the infrastructure. Hopefully those 1.3 billion records, some containing home addresses and IPs, don’t fall into the hands of other spamming orgs. Time will tell.

 

TorrentLocker (aka Cryptolocker) is back and farming credentials as well.

After taking some time off, Cryptolocker appears to be back in a very aggressive campaign, and it has some new ‘features’. It’s sent via Word docs with a PowerShell script, infects and spreads via shared files, and it also grabs credentials. Right now it appears to be targeting Europe, especially Italy, but we need to keep our eyes open regardless of where we live.

 

16 Senators and Staff In Pennsylvania Locked Out Of Their Systems By Ransomware

This happened to the Pennsylvania Senate Democratic Caucus on Friday and the website is still down as of the time of this post on Wednesday evening. This can’t be a fun day over there. As of Friday, Pennsylvania Democrats spokeswoman Stacey Witalec said, “At this point we are working with Microsoft to see where we’re at.”

Odds are, it was a phishing email some poor unsuspecting staffer clicked on. This is a good time to take them from unsuspecting, to a healthy level of paranoia by training them about the threat.

 

Dot ransomware – Coming soon to a network near you

[Image: Dot ransomware advertisement, thanks to Fortinet]

I’ve mentioned RaaS (Ransomware as a Service) before, but it’s really starting to show some growth potential. The “Dot” RaaS strain is currently being advertised on the dark web, so we can expect to see it hitting pretty soon. This one is a zero-money-down, profit-sharing strain with a 50/50 split. Expect more of this sort of thing to start rolling out in the near future. If it remains profitable, it will continue to grow.

 

Eyes Open Aussies – ASIC phishing email is spreading Cryptolocker

It looks like it’s hitting folks this morning (Monday), so keep an eye open for it. Cryptolocker attacks have been on the rise lately and are wreaking some havoc with new “features”. Stay sharp out there!

 

Shamoon 2 May Get a Ransomware Feature and StoneDrill Hides in Memory

This is a good read from DarkReading. In summary, Shamoon was Sha-sleep for quite Shum time (You see what I did there, right?) but returned last year to harass some folks in the Middle East. It is typically deployed as data-wiping malware, but it seems as if the developer realized that there can be money in adding a ransomware feature in version 2. While it’s not in the wild yet, it’s a lesson that malware devs are starting to see the value in coding a ransomware option into what they are already distributing.

Also, StoneDrill is injecting itself into the memory of the user’s browser process and doing a good job of ducking under sandbox radars. It appears to share code with the NewsBeef and/or Charming Kitten APTs, which are generally affiliated with Iranian state-sanctioned operations. Currently these are still focused on the Middle East, but it appears at least one European org has been infected with it.

 

Mystery Shopper Email Scams – Yeah, They Still Happen

It’s important that we help educate others that these scams do still happen. Lower income, unemployed and retired people are especially prone to this sort of scam. It sounds like easy money, and even appeals to the undercover 007 type in most of us, but it can do a number on your bank account.

The key thing to remember is, if someone sends you a check and asks you to send back the change, it’s a scam. It doesn’t matter if it’s a car purchase on eBay or Craigslist, or anything else: don’t do it. Checks can take a long time to clear, or be found to be fake, and you are left holding the bag.

Mystery shopping is the SCAM OF THE WEEK here at KnowBe4, and there is some good info on what to look for, and something you can copy/paste for friends and family. Check it out.

 

W2 Scams are off the charts right now

This week was just stupid, so I’m going to just group them together.

Yet Another W2 Breach – 2,400 at Autoneum North America Inc.

Sadly, the Swiss company disclosed about 2,400 employees’ W2s to scammers. The employees were in Jeffersonville, Indiana; Oregon, Ohio; Bloomsburg, Pennsylvania; and Aiken, South Carolina; and at its North American headquarters in Farmington Hills, Michigan. At least one employee has already found that their taxes had been filed by the scammers.

 

Daytona State College W2 Breach

Hundreds of current and former employees could be affected by the breach, although they are being very vague on how it happened. Gee, I wonder, could it possibly be a W2 phishing scam? Go figure.

 

Yukon Public Schools Hit With Data Breach

And again I find myself reporting on a W2 scam. This time, it’s Yukon Public Schools that fell for a phishing scam and emailed W2s to scammers. Superintendent Dr. Jason Simeroth said the email looked like it was sent from him; later in the story it was mentioned that it was spoofed from an AOL email address. Really? AOL in this day and age? This is twice today I have heard of people using AOL email. I really thought it was dead.

Kids, today’s lesson is, if you are handling sensitive information or transferring money, you might want to pick up the phone BEFORE you hit send. Just sayin.

 

Groton Public Schools – Yet Another W2 Scam Victim 

This is really getting stupid. School after school is sending teachers’ W2s to scammers. Groton Public Schools in Connecticut is the focus of this post. You know, because teachers don’t have enough to deal with, what with miniature humans eating all of the paste and creating mayhem by the truckload.

 

Glastonbury, CT Public Schools Hit By W2 Scam

Another day, another district reporting a breach. This time it was Glastonbury Public Schools who did it. It was everyone but the food service personnel (the district appears to know enough NOT to mess with the folks that handle their food). How does anyone in the school systems not know about this scam already? Sheesh!

 

Tyler Independent School District Falls For W2 Scam

From Tyler, TX. They found out about it on Wednesday. I like that they are taking steps though, as the district said they will “continue and improve upon our information security awareness and training programs for all employees.” Good, comprehensive awareness training IS how you combat this.

 


1 Bitcoin is worth more than an ounce of gold

Pretty crazy that this unregulated vapor-currency is worth more than gold isn’t it?

Gas Pump Tamper Alarm May Have Foiled Skimmer Install

I am glad to see the new pumps have tamper alarms and that they may actually work. This one was an issue pretty close to home in Ocala, FL.

The tamper alarm went off and the clerk checked it out, possibly spooking a few guys that were acting weird. We need more of this sort of thing happening.

 

#MHN, #kippo and #Dionaea still cooking along. Now to capture binaries…

So, I’ve been playing with Kippo and Dionaea using the Modern Honey Network (MHN) tool and having some fun with it. At this point, I’m going to reload my Kippo box at home and deploy it with Dionaea as well rather than WordPot. I like being able to see the different types of attacks on FTP and HTTP, but I’m having some trouble with the config.

Currently, FTP will make a connection, but fails to send a directory listing. Likewise, I am not capturing any binaries right now. I tried making the folder wide open (777 & nobody:nogroup) but still no luck. If you have any ideas, let me know please. I want to start playing with captures. In the meantime, my pew pew map is about done collecting sources now. Few of the attacks come from a new place now.

Pew Pew Pew!

Mucho attacks, no binaries captured. I do have pcaps, but I want some malware files! 🙂

My 2016 Unemployment Diaries Recap – Day 15 to Day 16. More to follow

Please note, this is a reposting of some previous entries made in 2016 when my position was eliminated and I found myself unexpectedly unemployed. This is being reposted here simply for the purpose of preservation as I am not maintaining the old site much. In any case, enjoy if you feel like reading it:


Day 15 of unemployment – Blissful Undress

Today was great. Probably the greatest thing about today was wearing pajamas almost all day long. I don’t recall having done that before unless I was very sick. Even better, I actually left the house that way, several times.

Initially I only went to the convenience store to get a fountain drink. It was fine at 10am, people are still OK with pajamas at that time. Maybe not as much for 40-something year-old adults in PJs, but hey, sue me. I got my soda and the world was right.

Later on, I decided to venture to the Holy Grail of PJ-as-an-outfit stores. Yes folks, before I knew it, I was standing proudly in the local Walmart wearing my grey checkered PJ pants, a t-shirt, ball cap and shoes with no socks. I was in my element folks. I resisted the urge to grab one of the electric carts and scoot my way around the cookie aisle, but only just. I’m not sure I will have the fortitude to deny myself that in the future.

I can tell you that I strolled up to that Redbox machine like a boss! Once my movie was returned, I went and grabbed some crack-in-a-can (a.k.a. Razzleberry Peace Tea) while giving head nods to the other underdressed patrons. It was good, I was with my peeps.

Upon returning home I did some job searching and got to episode 7 of “Making a Murderer”.  I only stopped watching because I had one more trip to make and had to be there by 4pm.

For this trip, I did make a minor adjustment to my attire. I added socks. I have to say, the joy of PJs can be somewhat impacted by the squish of sweaty toes in shoes. Nobody can say I don’t learn from my mistakes. I think I may have to burn those shoes.

My final trip in PJs today ended up being to the post office to pick up a letter for my mom. After a quick scan of the walls to make sure my picture wasn’t posted, I picked up the letter and headed back out to the parking lot. I have to tell you, there is something wonderful about standing in a parking lot at 3:30 in the afternoon in pajama pants. As an added bonus, this was also the parking lot of a gym. I felt like I was giving the whole protein-shake with extra whey crowd the finger, silently, without even having to raise my arm. It was blissful.

Other than that, I got invited back for a 5th interview with a certain company tomorrow morning. That’s 2 phone and 3 in-person interviews. I’m getting to know the reception staff pretty well. Wish me luck please! I’ll report back tomorrow.


Day 16 of unemployment – Duuuuude!

So today I find myself wearing a suit again at 9am. This is really starting to mess with me. First off, it was 9am and I was dressed. Second, did I mention that I was dressed in a SUIT? This is no way to spend my unemployment time.

If you have been following my little adventure here, then you know the suit was the result of interview #5 with a particular company. It went well and I felt that meeting the lawn maintenance team was a nice touch in the interview process. OK, I didn’t really meet them, but I think they may be the only ones I haven’t met. I’m still excited about this position, so I keep moving ahead. FWIW, I think the interview went well.

After the interview, I contacted my Belgian buddy who is visiting the US right now. We had made plans to go shooting this afternoon, because, well… Murica! As it turned out, he was right across the street enjoying breakfast (no, he wasn’t eating waffles) with an old boss of mine. We chatted for a while about old times, new times and Donald Trump. It was great catching up.

From there we went to the shooting range. Well, we tried to, but it appears that GPS instructions don’t work for foreigners. I mean the place was right off the road in plain sight (down a road, behind a building, camouflaged and marked with signs that said “Toxic Waste! Do Not Enter!”* and with a digital sign at the street that changed between the businesses located there). I suppose in Belgium, where all of the businesses are housed in large buildings that look like 6th century castles**, it might have been hard to see.

We finally found the place. Upon exiting my truck, I could immediately smell gun smoke and testosterone*. I was in my element. I know not everyone likes guns, but I happen to really enjoy target shooting. It is relaxing for me and forces me to concentrate on what I am doing, control my breathing and focus on the target. For me it’s a lot like eating ice cream, only I don’t get fatter. After shooting the variety pack of guns I brought along, we shot the coup de grâce of bangsticks, a fully automatic AK47. It was phenomenal. I had a gungasm right there*.

I do want to say that I have a new appreciation for fully auto guns. I also realize that I SUCK at shooting them. There is a good chance that they will be able to patch the holes in the ceiling*. Just sayin. Two minutes after letting out the full-auto assault, my body was still shaking (not from fear or excitement, but because I’m fat). The man-silhouette target would have escaped with nothing more than a soiled pair of undies and possibly some temporary ear ringing*. I was that good a shot. Next on my bucket list is tossing a hand grenade. Always wanted to do that.

After that, we had lunch and chatted some more. I came home to attend a parent meeting at the local high school, then called it a day. I am hopeful that I will hear from one or more of the companies I have been interviewing with soon. Wish me luck!

* I might have exaggerated a tiny bit here

** So, this is purely speculation, but it is true that Belgium has almost 3000 castles, giving it one of the highest densities of castles per square km in the world. (totally NOT BS cuz the internet said so)
