
In this week's news: the Patchwork cyberespionage group moves its targeting toward the private sector; malvertising campaigns are getting more sophisticated, with rogue ads implanted using steganography to hide malicious code in images; and a rivalry may have started between ransomware writers, with one publishing decryption keys for a ransomware that he or she did not write.

Highlighting the cyber-security news from the past week in a 120-second read. Starting now.


Cyberespionage

The Patchwork cyberespionage group shifts gears from their more recent government target to the private sector.

Why is this significant?

  • The Patchwork cyberespionage group appears to be shifting its target from government to the private sector across the globe, including the aviation, energy, financial and publishing industries.
  • Patchwork works by seeding newsletters with malicious links or PowerPoint presentations that leverage a "vulnerability by design", aka Sandworm.
  • Sandworm leveraged the fact that PowerPoint inherently, by design, included a feature that allowed the execution of remote scripts, which threat actors then used to run malicious code. Because Sandworm was a vulnerability by design, no AVs could detect it (no signature, as there is nothing malicious), anti-exploitation tools could not defend against it (no exploit, just leveraging of a feature), nor could behavioral technologies help (after all, the behavior was as intended).
    /** For more background, download this research report on Vulnerabilities by Design**/
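Because a feature-abuse document carries no exploit, the practical defensive check is structural: look at where a presentation's embedded objects are sourced from. The following added example (not code from the original article, Patchwork, or any of the products mentioned) scans the relationship parts of an Office Open XML package and flags object relationships whose target lies outside the package. It assumes that a remotely sourced object is expressed as an oleObject or package relationship with TargetMode="External" or a URL/UNC target; the sample package it builds is constructed for the demo and is not a real deck.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespace of the *.rels relationship parts inside an Office Open XML package.
RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
# Relationship types that point at embedded or linked objects. Assumption: a slide
# that pulls an object from outside the package uses one of these, either with
# TargetMode="External" or with a URL/UNC target.
OBJECT_REL_TYPES = {
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject",
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/package",
}
REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")


def find_external_objects(package: bytes) -> list:
    """Return every object relationship whose target lies outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                if rel.get("Type") not in OBJECT_REL_TYPES:
                    continue
                target = rel.get("Target", "")
                is_external = rel.get("TargetMode") == "External"
                # Belt and braces: a URL or UNC target is remote even without TargetMode.
                looks_remote = target.lower().startswith(REMOTE_PREFIXES)
                if is_external or looks_remote:
                    hits.append({"part": name, "id": rel.get("Id"), "target": target})
    return hits


def build_sample_package(target: str, external: bool) -> bytes:
    """Constructed minimal package with one slide relationship part (not a real deck)."""
    ole_type = next(t for t in OBJECT_REL_TYPES if t.endswith("oleObject"))
    mode = ' TargetMode="External"' if external else ""
    rels = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<Relationships xmlns="{RELS_NS}">'
        f'<Relationship Id="rId2" Type="{ole_type}" Target="{target}"{mode}/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")  # placeholder slide body
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for hit in find_external_objects(fh.read()):
                print(f"{path}: {hit['part']} {hit['id']} -> {hit['target']}")
```

Run it over a mail gateway's quarantined .pptx/.ppsx files; an internal target such as `../embeddings/oleObject1.bin` is normal, while any hit with an external or UNC target deserves a human look regardless of what the AV said.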

Read the full story on SC Magazine

Malvertising

A malvertising campaign named AdGholas was brought down after infecting thousands of computers a day since at least Oct. 2015.

Why is this significant?

  • These maliciously laced advertisements ("malvertisements") were pushed through 100 ad exchanges a day, resulting in between 1 million and 5 million page hits per day.
  • The malvertising code checked whether the machine it hit was a virtual machine, in order to evade researchers. 10-20% of the users' devices that ran the rogue ads were then redirected to servers hosting exploit kits, which exploited vulnerabilities in applications in order to install the malware.
  • The AdGholas group used steganography: hiding malicious code (encrypted Java code) within the images displayed in the rogue ads. This was the first reported case of steganography being used in a malvertising campaign.
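Steganography defeats signature matching on the ad creative itself, so a useful control on the publisher or ad-exchange side is to check that image files are structurally boring. The following added example (not code from the original article or from any research on AdGholas) walks a PNG's chunk list and reports the places where foreign bytes are commonly parked: oversized ancillary chunks, chunks whose CRC no longer matches their content, and data trailing the IEND chunk. It assumes that hidden code is stored in such a container; a payload encoded in the pixel values themselves needs statistical steganalysis instead. The sample PNGs are constructed in code and are not from any real campaign.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def inspect_png(data: bytes, max_ancillary_len: int = 1024) -> dict:
    """Walk a PNG's chunk list and report where foreign data could be hiding."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    report = {"chunks": [], "bad_crc": [], "oversized_ancillary": [],
              "trailing_bytes": 0, "truncated": False}
    pos = len(PNG_SIGNATURE)
    while True:
        if pos + 8 > len(data):
            report["truncated"] = True
            break
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length  # 4 length + 4 type + body + 4 crc
        if end > len(data):
            report["truncated"] = True
            break
        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:end])
        name = ctype.decode("latin-1")
        report["chunks"].append((name, length))
        # CRC covers type + body; a mismatch means bytes were edited after encoding.
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            report["bad_crc"].append(name)
        # Ancillary chunks (lowercase first letter) are skipped by decoders,
        # so a large one is a cheap container for arbitrary data.
        if name[0].islower() and length > max_ancillary_len:
            report["oversized_ancillary"].append((name, length))
        pos = end
        if name == "IEND":
            break
    # Decoders stop at IEND; anything after it is invisible to the viewer.
    report["trailing_bytes"] = 0 if report["truncated"] else len(data) - pos
    return report


def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(extra_chunks=(), trailer: bytes = b"") -> bytes:
    """Constructed 2x2 RGB PNG (not a real ad creative) with optional additions."""
    ihdr = struct.pack(">IIBBBBB", 2, 2, 8, 2, 0, 0, 0)  # 8-bit RGB, no interlace
    raw = b"".join(b"\x00" + b"\xff\x00\x00" * 2 for _ in range(2))  # filter 0 + 2 red px
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw))
    for ctype, body in extra_chunks:
        png += _chunk(ctype, body)
    return png + _chunk(b"IEND", b"") + trailer


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, inspect_png(fh.read()))
```

Point it at the creatives in an ad-review queue; a clean image reports only IHDR/IDAT/IEND-style chunks, zero trailing bytes and an empty `bad_crc` list, and anything else is a reason to hold the creative rather than serve it.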

Read the full story on PCWorld

Ransomware

Honor among thieves? Decryption keys for Chimera ransomware were released by another ransomware author.

Why is this significant?

  • The battle between cyber security and threat actors has a new twist, spiced with a little competition. It seems that the ransomware writer behind the Petya & Mischa Ransomware-as-a-Service (RaaS) stole parts of Chimera's source code to create Petya & Mischa.
  • That writer then created tension among ransomware writers by publishing the Chimera decryption keys on Twitter, apparently as promotion for the newest Petya & Mischa RaaS. It will be interesting to watch from the sidelines the domino effect this may cause.
  • While the tension continues, we can expect ransomware to become stealthier and more difficult to break, as its authors are now fighting on a new "field": that of their rival ransomware authors. This (dis)honor among thieves is reminiscent of the war between the authors of Remote Access Trojans (RATs) several years ago, when the notorious SpyEye RAT included a "Zeus-Killer" that checked whether the infected computer already contained the rival Zeus RAT and, if so, removed Zeus before installing itself.

Read the full story on Softpedia