

Two major US technology firms 'tricked out of $100m'

Evaldas Rimasauskas posed as Asian-based hardware manufacturer to trick staff into wiring him money

A Lithuanian man has been charged with tricking two US technology firms into wiring him $100m (£80.3m) through an email phishing scam.

Posing as an Asian-based manufacturer, Evaldas Rimasauskas tricked staff into transferring money into bank accounts under his control, US officials said.

The companies were not named but were described as US-based multinationals, with one operating in social media.

Officials called it a wake-up call for even "the most sophisticated" firms.

According to the US Department of Justice, Mr Rimasauskas, 48 - who was arrested in Lithuania last week - deceived the firms from at least 2013 up until 2015.

He allegedly registered a company in Latvia which bore the same name as an Asian-based computer hardware manufacturer and opened various accounts in its name at several banks.

'Fake email accounts'

The DoJ said: "Thereafter, fraudulent phishing emails were sent to employees and agents of the victim companies, which regularly conducted multimillion-dollar transactions with [the Asian] company."

The emails, which "purported" to be from employees and agents of the Asian firm, and were sent from fake email accounts, directed money for legitimate goods and services into Mr Rimasauskas's accounts, the DoJ said.

The cash was then "wired into different bank accounts" in locations around the world - including Latvia, Cyprus, Slovakia, Lithuania, Hungary and Hong Kong.

He also "forged invoices, contracts and letters" to hide his fraud from the banks he used.

Officials said Mr Rimasauskas siphoned off more than $100m in total, although much of the stolen money has been recovered.

Acting US Attorney Joon H Kim said: "This case should serve as a wake-up call to all companies... that they too can be victims of phishing attacks by cybercriminals.

"And this arrest should serve as a warning to all cybercriminals that we will work to track them down, wherever they are, to hold them accountable."

The DoJ would not comment on possible extradition arrangements and said that no trial date had been set.


NCSC- Weekly Threat Report 17th February 2017

Official Launch of the National Cyber Security Centre

February 14th marked the official launch of the National Cyber Security Centre (NCSC) HQ by Her Majesty the Queen. The Centre will work to make the UK the safest place to live and do business online.

In acknowledgement that Government alone cannot protect the public from cyber attacks, the Chancellor announced the launch of the Industry 100 initiative. Industry 100 will see the Centre invite expertise from industry to collaborate with the NCSC in achieving its mandate of enhancing the cyber security of the UK.

A reflection on the diversification of cyber crime

The nature of the cyber-criminal threat to the UK is diversifying: highly skilled actors are becoming increasingly competent and targeted in their attacks, while the barriers to entry for less-skilled actors are lowering.

At the high-capability end of the spectrum, banking Trojans are reportedly becoming increasingly targeted, with a focus on financial institutions, which offer larger rewards than end-user customers. Meanwhile, ransomware attacks are said to be specifically targeting organisations seen as more likely to pay because they need prompt access to time-critical data.

At the other end of the skill spectrum, individuals with minimal cyber capability can carry out nefarious activities online using Crimeware-as-a-Service tools. DDoS attacks, email compromises, criminal infrastructure and more can be bought or rented at minimal cost. Notably, some sites now offer live chats with support agents and collect marketing information to better understand their customers. This trend risks further normalising low-level cyber crime.

The diversification of the cyber-crime threat poses challenges for law enforcement and security professionals, who will face highly skilled, targeted threats. Simultaneously, resources are increasingly consumed by low-skilled attackers using services offered by more competent actors. Detailed analysis of this changing cyber-criminal landscape will be published in NCSC Assessment's Annual Report.

Warning of cyber threat from building owners

The US Government Accountability Office (GAO) has warned of the potential threat of cyber intrusions from foreign owners of office buildings. Numerous properties occupied by US law enforcement agencies are owned by firms domiciled abroad, including in China, Israel, South Korea and Japan. Some of the buildings are used for sensitive activities including managing classified operations, hosting data centres and storing high-security material. Most of the agencies were unaware that their buildings were foreign-owned.

The GAO's report highlights concerns from the Department of Homeland Security that "threat actors could coerce owners into collecting intelligence about the personnel and activities of the facilities when maintaining the property." This could potentially include exploiting building infrastructure to facilitate cyber intrusions. The GAO recommends that US government agencies should be informed if their buildings are foreign-owned, so that appropriate security measures can be implemented, where necessary.

While the report focuses on the threat to official bodies, the concerns it raises may also apply to commercial organisations dealing with corporate-sensitive information. Although there are no reported instances so far of such intrusions taking place in the US or UK, this issue highlights the need for precautions regarding landowners' access to buildings hosting sensitive activities.

Weaponised Macros targeting Mac users

Security researchers have reportedly identified Microsoft Word documents containing malicious macros that install malware on macOS devices.

This technique has been used for some time to infect Windows users. However, this is the first reported in-the-wild instance of Word documents whose malicious macros execute solely on macOS. When users open the attachment they are prompted to enable macros; if they do, the malware runs its payload.

Although not a particularly sophisticated technique, it has been successful in delivering ransomware and banking Trojans to Windows users worldwide, and Word users on macOS may now also fall victim. This is a timely reminder that cyber criminals regularly look to enlarge their pool of potential victims; whatever their software and hardware, users must be vigilant.
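The check below is an added example, not code from the NCSC report or from the researchers it cites. It inspects an Office Open XML attachment for an embedded VBA project, which is what a document must carry for the "enable macros" prompt described above to lead anywhere, and flags the case where a macro-bearing file hides behind a macro-free extension. The file names and the sample packages it builds in memory are constructed for illustration.

```python
"""Added example (not from the NCSC report): detect a VBA project inside an
Office Open XML attachment (.docm/.docx/.xlsm ...). Sample packages are
constructed in memory so the code runs without any real document."""
import io
import zipfile

# Part names Office uses for the VBA project in the zip-based formats.
VBA_PART_NAMES = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Content type a macro-enabled package must declare for that part.
MACRO_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"


def has_vba_project(data: bytes) -> bool:
    """Return True if the OOXML package carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if any(n in names for n in VBA_PART_NAMES):
                return True
            # Fall back to the manifest in case the part sits under an unusual path.
            if "[Content_Types].xml" in names:
                manifest = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return MACRO_CONTENT_TYPE in manifest
    except zipfile.BadZipFile:
        # Not a zip container: legacy binary .doc (OLE2) needs a different parser.
        return False
    return False


def is_extension_mismatch(filename: str, data: bytes) -> bool:
    """Word renames a file to .docm when it saves macros, so a .docx/.xlsx/.pptx
    that still contains a VBA project has been renamed by hand: treat as suspicious."""
    return filename.lower().endswith((".docx", ".xlsx", ".pptx")) and has_vba_project(data)


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal package for testing; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0fake-vba")
    return buf.getvalue()


if __name__ == "__main__":
    for name, doc in (("invoice.docm", build_sample(True)),
                      ("invoice.docx", build_sample(True)),
                      ("memo.docx", build_sample(False))):
        print(name, "macros:", has_vba_project(doc), "renamed:", is_extension_mismatch(name, doc))
```

This covers only the zip-based formats; legacy binary .doc files are OLE2 containers and need a different parser, such as the olevba tool from oletools, which also extracts the macro source itself.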

Watering hole attacks infected a larger pool of victims than first thought

Last week it was reported that the Polish financial sector had been the victim of a malware attack, where the attackers used the web server of the Polish financial regulator as a watering hole. Further investigation has revealed that the attackers intended to target over 100 organisations, mainly banks, in 31 different countries, including the UK.

Vulnerabilities Report

A number of cross-platform updates this week, with a predominant focus on Linux and Unix-based systems. Microsoft held back its Patch Tuesday release due to last-minute complications. The most publicised vulnerability this week concerned F5's BIG-IP and the 'TicketBleed' vulnerability. Adobe released updates for Flash Player and Digital Editions to fix remote code execution vulnerabilities. Elsewhere this week there were updates to BIND, Cisco AnyConnect and Cisco ASA, IBM WebSphere, HPE NonStop Server, Xen and Google's Android.


NCSC - Weekly Threat Report 3rd February 2017

This report is drawn from recent open source reporting.

Shamoon 2

The Saudi Arabian Government warned on 23 January that the destructive wiper malware Shamoon 2 had been detected on its government networks.

Shamoon 2 is an updated version of Shamoon, the disk-wiping malware that disabled thousands of computers at Saudi state-linked energy company Saudi Aramco in 2012.

The Saudi authorities are reporting on these latest compromises publicly and have provided reassurance that the damage is currently limited and mitigation is in place.

The re-emergence of Dridex

The notorious Dridex banking Trojan has returned. Flashpoint researchers observed a small Dridex spear-phishing campaign targeting UK financial institutions on 25 January. This is not the first time Dridex has made a reappearance; there have been peaks and troughs in the distribution of this Trojan since it first emerged in 2014. What has remained consistent, however, is the upgraded capability seen within the malware upon its return.

This Dridex re-emergence is no exception: Flashpoint researchers identified a previously unobserved User Account Control (UAC) bypass in the most recent iteration of the malware. The bypass suppresses the Windows prompt that asks the user to approve administrative access for an application, so Dridex gains administrative access without user approval.

This frequent evolution ensures infection levels are kept high, whilst frustrating the capability of network defenders to respond to attacks. Although relatively resource intensive, these regular changes have so far been worthwhile in establishing Dridex's status as one of the most prolific banking Trojans to feature in the UK, as well as yielding estimated profits of upwards of £20 million.

The Evolution of Ransomware

An earlier weekly threat report predicted further innovations in ransomware, and this has already happened with the targeting of internet-connected devices to create a “Ransomware of Things”. 

The number of Internet of Things (IoT) devices is growing, many of them with poor security, which presents opportunities for cyber criminals. According to the research company Gartner, there will be more than 26 billion IoT devices by 2020.

Researchers from IT security company ESET predict that the next step in the evolution of ransomware is "jackware" where internet-connected devices are targeted to create a Ransomware of Things (RoT). Recent RoT incidents have locked people out of hotel rooms and left a family unable to access their smart TV.

2016 was dubbed "The Year of Ransomware", but as the number of connected devices continues to increase, this phenomenon will only continue to gather pace.  

Hiding in Plain Sight

According to recent research by Forcepoint Security Labs, the Carbanak Group is now using malware that uses Google cloud services for command and control infrastructure. The group is named after Carbanak (aka Anunak) malware, which is a banking Trojan that has been used to steal hundreds of millions of pounds from international financial institutions.

The new malware exchanges command and control traffic with Google Forms, Google Apps Script and Google Sheets to manage infected computers. Investigations suggest that a trojanised RTF document was most likely responsible for the initial infection.

Using a legitimate third party service like Google helps the attacker hide their communications in plain sight amongst regular traffic that is unlikely to be blocked by an organisation or identified by intrusion detection systems. Detecting such threats will therefore require an evolution in protective monitoring.
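One shape that evolution can take, as an added example that is not from the NCSC report or from Forcepoint's analysis: since the host names are legitimate and cannot simply be blocked, the detector below ignores what is requested and looks at how regularly a source requests the Google endpoints named above. Human browsing produces ragged inter-request gaps; a polling implant produces near-constant ones. The proxy log format and every log line are constructed for illustration.

```python
"""Added example (not from the NCSC report or Forcepoint): flag machine-regular
request timing to Google Forms / Apps Script / Sheets endpoints in proxy logs.
The log format and all sample lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Endpoints the text names as C2 carriers. Staff use them legitimately, so the
# host name alone is not a signal; request timing is.
WATCHED_HOSTS = {"docs.google.com", "script.google.com", "sheets.googleapis.com"}
MIN_REQUESTS = 6   # enough samples to measure regularity
MAX_CV = 0.15      # coefficient of variation of inter-request gaps; browsing is far noisier


def parse_line(line):
    """Constructed format: '<ISO timestamp> <src_ip> <host> <path> <user agent ...>'."""
    ts, src, host, path, ua = line.split(" ", 4)
    return datetime.fromisoformat(ts), src, host, path, ua


def find_beacons(lines):
    """Return {(src_ip, host): stats} for pairs whose request timing looks automated."""
    stamps = defaultdict(list)
    agents = defaultdict(set)
    for line in lines:
        ts, src, host, _path, ua = parse_line(line)
        if host in WATCHED_HOSTS:
            stamps[(src, host)].append(ts)
            agents[(src, host)].add(ua)
    hits = {}
    for key, times in stamps.items():
        if len(times) < MIN_REQUESTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg          # 0 means perfectly periodic
        if cv <= MAX_CV:
            hits[key] = {"requests": len(times), "mean_gap_s": round(avg, 1),
                         "cv": round(cv, 3), "user_agents": sorted(agents[key])}
    return hits


# Constructed sample: 10.0.0.5 polls an Apps Script URL every ~5 minutes from an
# old-style user agent; 10.0.0.9 is a person working on a form and a sheet.
BOT_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1)"
USER_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12) Chrome/55.0"
SAMPLE_LOG = [
    f"2017-01-25T09:00:00 10.0.0.5 script.google.com /macros/s/SCRIPT_ID/exec {BOT_UA}",
    f"2017-01-25T09:00:10 10.0.0.9 docs.google.com /forms/d/e/FORM_ID/viewform {USER_UA}",
    f"2017-01-25T09:00:40 10.0.0.9 docs.google.com /forms/d/e/FORM_ID/formResponse {USER_UA}",
    f"2017-01-25T09:02:00 10.0.0.5 www.example.com / {USER_UA}",
    f"2017-01-25T09:05:00 10.0.0.5 script.google.com /macros/s/SCRIPT_ID/exec {BOT_UA}",
    f"2017-01-25T09:10:02 10.0.0.5 script.google.com /macros/s/SCRIPT_ID/exec {BOT_UA}",
    f"2017-01-25T09:10:40 10.0.0.9 docs.google.com /spreadsheets/d/SHEET_ID/edit {USER_UA}",
    f"2017-01-25T09:10:52 10.0.0.9 docs.google.com /spreadsheets/d/SHEET_ID/edit {USER_UA}",
    f"2017-01-25T09:15:00 10.0.0.5 script.google.com /macros/s/SCRIPT_ID/exec {BOT_UA}",
    f"2017-01-25T09:20:01 10.0.0.5 script.google.com /macros/s/SCRIPT_ID/exec {BOT_UA}",
    f"2017-01-25T09:25:00 10.0.0.5 script.google.com /macros/s/SCRIPT_ID/exec {BOT_UA}",
    f"2017-01-25T09:30:00 10.0.0.5 script.google.com /macros/s/SCRIPT_ID/exec {BOT_UA}",
    f"2017-01-25T09:35:00 10.0.0.5 script.google.com /macros/s/SCRIPT_ID/exec {BOT_UA}",
    f"2017-01-25T09:40:52 10.0.0.9 docs.google.com /forms/d/e/FORM_ID/viewform {USER_UA}",
    f"2017-01-25T09:40:57 10.0.0.9 docs.google.com /forms/d/e/FORM_ID/viewform {USER_UA}",
    f"2017-01-25T09:44:57 10.0.0.9 docs.google.com /spreadsheets/d/SHEET_ID/edit {USER_UA}",
]

if __name__ == "__main__":
    for key, stats in find_beacons(SAMPLE_LOG).items():
        print(key, stats)
```

The thresholds are assumptions to tune against your own baseline; an implant that adds heavy random jitter to its sleep will push the coefficient of variation above the cut-off, so this is one analytic among several, not a replacement for inspecting what the endpoint is used for.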

This is not the first time cloud services have been used for command and control; Dropbox has been abused in the same way in the past. The technique is likely to become more popular as individual users, government departments and industry organisations make ever greater use of the cloud.


Vulnerabilities Report

This was a relatively quiet week for vulnerabilities, with mainly cross-platform updates affecting Linux and Unix systems. Google Chrome, OpenSSL and WordPress each fixed multiple flaws, addressing remote access, bypassing of security controls and spoofing of the user interface, among other issues. Elsewhere there were updates from F5 Networks, RSA and IBM. No one sector was disproportionately affected this week.


NCSC - Weekly Threat Report 27th January 2017

Twitterbots spreading fake news on the internet

Recent reports suggest social media bots are widely spreading fake news on the Internet.

A Twitterbot is a program that creates accounts and posts automated tweets with little or no human intervention, so not every account has to be created by a person. Twitterbots can be used for entertainment, marketing, spamming, manipulating Twitter's trending topics list and public opinion, trolling, fake followers, malware distribution and data set pollution, among other things.

A 'Star Wars' botnet of 350,000 accounts secretly infiltrated Twitter in 2013 and has lain dormant ever since. Its accounts randomly tweeted quotes from Star Wars novels.

This follows reports in June 2016 that a botnet of 3 million accounts, created in April 2014, was responsible for a total of 2.6 billion tweets, with daily activity of 500 million tweets. Volumes of this size could be used to influence public opinion.

It is in Twitter's interest to monitor accounts and make sure they are legitimate, but with an average of 313 million monthly users this is almost impossible. Hardware and software are now readily available to modify bots so that they avoid detection. In the Star Wars example, tweeting quotes from novels allows the bots to evade tools that detect machine-generated language.


NCSC - Weekly Threat Report 20th January 2017

This report is drawn from recent open source reporting.

Password security

In November 2016, a study of user passwords exposed by a Yahoo data breach revealed that "123456" was the most common password, followed closely by "password" at number two. A more recent report on the most commonly used passwords revealed that "123456" was still number one, followed by the 'more complex' "123456789".

These reports highlight an ongoing problem with conventional password policies: they promote complicated passwords that are harder for attackers to guess, but that also place a greater burden on users. The approach can therefore be counterproductive, pushing users towards simple password strategies that are just as easy to guess or brute force. In many cases, a technical control such as blocking the most common passwords is a far more effective measure.

Mobile forensics company hacked

The Israeli mobile forensics company Cellebrite reports that it has become the latest in a long line of companies to have data stolen and published online. Cellebrite is a major supplier of forensic tools to law enforcement and other security organisations worldwide. It states that it experienced 'unauthorised access to an external web server' and that the information accessed is known to include 'basic contact information' and 'hashed passwords'. The company advises users to change their passwords as a precaution.

The company's investigation is ongoing. Without commenting on the specifics of this case, the compromise highlights the broader issue that companies must ensure that they protect themselves and customers in a way commensurate to the threat that they face and the sensitivity of the data that they hold. Reporting data breaches is to be strongly encouraged, enabling those affected to take appropriate action, such as changing passwords.
