On 12 May 2017, the cryptoworm WanaCrypt0r 2.0, also known as WannaCry, infected hundreds of thousands of computers around the world. Our investigation into this ransomware reveals some worrying trends.

On April 26, the site Cryptome.org published an archive of 500 MB of data from Qatar National Bank (QNB). In total, 1.4 GB of files containing more than 15,000 documents were published, including identity documents and banking transactions.

Among the documents is a database containing over one million debit card records, including the cardholders’ names, expiration dates and withdrawal limits.

Another file from the leak contains a list of notable clients, including members of the Al Thani royal family of Qatar, employees of the Al Jazeera television channel and of the U.S. Department of Defense, and also spies from MI6 and the DGSE.

After several months of investigation, the FBI has revealed that the method used to access the iCloud accounts of several hundred celebrities in “the Fappening” was a simple phishing campaign. No vulnerability in Apple’s iCloud was involved; this is one more example of the effectiveness and danger of social engineering.

Social engineering consists of impersonating a person or a service in order to obtain information. Although this method is nothing new, it is becoming ever easier to carry out, because our digital footprint grows every day.

The targets are also becoming more prominent: in recent months, a cybercriminal known as Cracka succeeded in taking over the e-mail accounts of CIA Director John Brennan and the American intelligence chief James Clapper. He also managed to divert Clapper’s telephone line.

On 23 December 2015, power cuts took place in parts of Western Ukraine following a cyber attack. On the day of the cuts, the utility company Prykarpattyaoblenergo declared that the incident was caused by outside intervention, but did not say by whom. The Ukrainian security service (SBU) accused the attackers of being closely linked to Russia.

With relations between the two countries particularly tense due to the civil war raging through Eastern Ukraine, cyber attacks from both camps are common, as are hasty accusations. In this case, however, the effects of the attack are real: several hundred thousand people suffered power cuts lasting several hours.

A new version of the “Carbanak” malware has recently been analysed by cyber-security researchers. Samples of this version have appeared in Europe and the United States, which are priority targets for the hackers.

We already know that Carbanak, aka “Anunak”, is a piece of malware which has been used to steal approximately one billion dollars since its appearance. The hackers who distribute it are believed to operate from Russia, Ukraine and (possibly) China.

The targets are the businesses themselves, not their customers: more than a hundred banks, e-payment systems and financial institutions, in some thirty countries, have fallen victim to the hackers.

Targets are researched and selected prior to an attack. To avoid attracting attention, the malware is only deployed on a small number of computers.

A hacker group dubbed “APT 29” and suspected of collaborating with the Russian government has devised malware known as Hammertoss, which can conceal itself within legitimate Internet traffic in order to communicate with its Command & Control server.

  • Once installed on a target machine, the malware uses sites such as Twitter and GitHub to communicate with the hackers. It uses an algorithm to generate a new, pseudo-random Twitter handle each day. Since the hacker group knows the algorithm, it can register that account and post a tweet containing a hashtag (which in turn contains a decryption key) and a link. The malware then follows the link to a page on a legitimate service (GitHub in particular) set up by the group and containing an image. This image contains coded instructions inserted by steganography (the art of concealing one message within another). Once the instructions have been extracted, the malware decodes them using the key located in the hashtag, and then executes them.
  • The instructions are varied and can in particular lead the malware to upload data from the target machine to cloud storage, from where the hackers can retrieve it.
  • Hammertoss can also be programmed to start this process only after a specific date, and typically during the victim’s working hours.
  • This method enables the malware to blend into legitimate traffic and thus avoid detection, which complicates the task of identifying malicious traffic. Furthermore, the images carrying instructions vary considerably in size, which makes them more difficult to detect by simple signatures.
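Because the individual requests in the pattern above (a Twitter profile lookup, then an image download from GitHub) are each benign on their own, a defender has to look at the sequence and its recurrence rather than at any single request. The following is an added example, not code from the original article or from the researchers who analysed Hammertoss; it assumes a simplified proxy log format (timestamp, client IP, URL, constructed here) and flags any client that performs a Twitter-profile-then-GitHub-image sequence on several distinct days. It does not inspect the image content at all; it only scores the traffic pattern.

```python
"""Heuristic detector for a Hammertoss-style C2 traffic pattern.

Assumption (constructed for this example): proxy logs are lines of
"YYYY-MM-DD HH:MM:SS <client-ip> <url>". Real deployments would map their
own log schema onto parse_line() and tune WINDOW / MIN_DAYS.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log. 10.0.0.7 shows the suspicious sequence on three
# days; 10.0.0.9 is ordinary browsing and must not be flagged.
SAMPLE_LOG = """\
2015-07-06 09:14:02 10.0.0.7 https://twitter.com/abc123xyz
2015-07-06 09:14:05 10.0.0.7 https://raw.githubusercontent.com/example-user/repo/master/pic.png
2015-07-06 11:30:10 10.0.0.9 https://twitter.com/home
2015-07-06 12:05:00 10.0.0.9 https://raw.githubusercontent.com/python/cpython/master/README.rst
2015-07-07 09:15:11 10.0.0.7 https://twitter.com/qwe987rty
2015-07-07 09:15:14 10.0.0.7 https://raw.githubusercontent.com/example-user/repo/master/cat.jpg
2015-07-07 10:00:00 10.0.0.9 https://twitter.com/someone
2015-07-08 09:13:50 10.0.0.7 https://twitter.com/zxc456vbn
2015-07-08 09:13:53 10.0.0.7 https://raw.githubusercontent.com/example-user/repo/master/logo.png
"""

IMAGE_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif")
TWITTER_FEATURE_PAGES = {"home", "explore", "search", "login", "settings"}
WINDOW = timedelta(minutes=2)   # max gap between profile lookup and image fetch
MIN_DAYS = 2                    # recurrence threshold before a client is flagged


def parse_line(line):
    """Split one log line into (timestamp, client, url)."""
    date, time, client, url = line.split(maxsplit=3)
    return datetime.fromisoformat(f"{date} {time}"), client, url


def is_twitter_profile(url):
    """True for https://twitter.com/<handle> with a single bare path segment."""
    p = urlparse(url)
    parts = [s for s in p.path.split("/") if s]
    return (p.hostname == "twitter.com"
            and len(parts) == 1
            and parts[0].lower() not in TWITTER_FEATURE_PAGES)


def is_github_image(url):
    """True for an image file served from GitHub or its raw-content host."""
    p = urlparse(url)
    return (p.hostname in {"raw.githubusercontent.com", "github.com"}
            and p.path.lower().endswith(IMAGE_SUFFIXES))


def find_suspicious_clients(log_text, window=WINDOW, min_days=MIN_DAYS):
    """Return {client: [dates]} for clients showing the sequence on >= min_days days."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, client, url = parse_line(line)
            events[client].append((ts, url))

    hits = {}
    for client, rows in events.items():
        rows.sort()
        days_seen = set()
        for i, (ts, url) in enumerate(rows):
            if not is_twitter_profile(url):
                continue
            # Look only a short time ahead for the follow-up image download.
            for ts2, url2 in rows[i + 1:]:
                if ts2 - ts > window:
                    break
                if is_github_image(url2):
                    days_seen.add(ts.date())
                    break
        if len(days_seen) >= min_days:
            hits[client] = sorted(d.isoformat() for d in days_seen)
    return hits


if __name__ == "__main__":
    for client, days in find_suspicious_clients(SAMPLE_LOG).items():
        print(f"{client}: profile->image sequence on {len(days)} days {days}")
```

The thresholds are deliberately loose; in production this heuristic is a triage signal to be joined with the requesting process name and the user's normal browsing baseline, since a human who reads Twitter and opens GitHub images every morning will produce the same sequence.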

On 5 July, a hacker published approximately 400 GB of data that he claimed to have stolen from Hacking Team, a company that produces software such as spyware and keyloggers and supplies it to governments and state agencies.

  • The stolen data include in particular contracts, invoices, client lists and e-mails, as well as passwords for the company’s social media accounts.
  • The data were released through BitTorrent and Pastebin. Technical material was also published; in particular, zero-day vulnerabilities in Adobe Flash and Windows used by the spyware were disclosed. These have since been patched by the two vendors.
  • The cyber-attacker known as Phineas Fisher, a hacktivist opposed to surveillance of the Internet, claimed responsibility for the attack. He is also thought to have carried out a cyber-attack in August 2014 against Gamma International, a company based in Great Britain that offers similar products.
  • This data leak could have two main harmful consequences for Hacking Team. First, the relationships between Hacking Team and several of its clients were disclosed. The company had previously denied having any link with governments or governmental agencies blacklisted by States or by organisations such as the United States, the European Union or the United Nations. However, some of the stolen documents point to commercial relationships with some of these, including a Russian company linked to the FSB, which could damage the reputation of Hacking Team. Secondly, the partial publication of the source code of certain software products, together with the particularly weak passwords reportedly used by the company’s CEO, could undermine the credibility of the company’s expertise.
