Thursday December 14, 2017

Wild Neutron: A powerful threat returns with new tricks and victims


In 2013, a hacker group known to Kaspersky Lab as “Wild Neutron” (also known as “Jripbot” and “Morpho”) attacked several high-profile companies including Apple, Facebook, Twitter and Microsoft. After the incident was widely publicized, the threat actor went dark for almost a year. However, in late 2013 and early 2014 the attacks resumed, and they have continued in 2015.

The actor uses a stolen, valid code-signing certificate and an unknown Flash Player exploit to infect companies and private users around the world and steal sensitive business information.

Kaspersky Lab researchers were able to identify targets of Wild Neutron in 11 countries and territories, including France, Russia, Switzerland, Germany, Austria, Palestine, Slovenia, Kazakhstan, UAE, Algeria and the United States.

The targets include:

• Law firms
• Bitcoin-related companies
• Investment companies
• Groups of large companies often involved in M&A deals
• IT companies
• Healthcare companies
• Real estate companies
• Individual users

The focus of the attacks suggests that this is not a nation-state-sponsored actor. However, the use of zero-days and multi-platform malware, as well as other techniques, leads Kaspersky Lab researchers to believe it is a powerful entity engaged in espionage, possibly for economic reasons.

[Map: Wild Neutron hacker group victims]

The attack

The initial infection vector of the recent attacks is still unknown, although there are clear indications that victims are exploited by a kit that leverages an unknown Flash Player exploit through compromised websites. The exploit delivers a malware dropper package to the victim.

In the attacks observed by Kaspersky Lab researchers, the dropper was signed with a legitimate code-signing certificate. A valid signature allows malware to avoid detection by some protection solutions. The certificate used in the Wild Neutron attacks appears to have been stolen from a popular manufacturer of consumer electronics and is now being revoked.

Once on the system, the dropper installs the main backdoor.

In terms of functionality, the main backdoor is no different from many other Remote Access Tools (RATs). What really stands out is the attackers’ care in hiding the command and control (C&C) server address and the backdoor’s ability to recover from a C&C shutdown. The C&C server is an important part of the malicious infrastructure, as it serves as a “home base” for the malware deployed on victims’ machines. Special measures built into the malware help the attackers protect the infrastructure from possible C&C takedowns.

Mysterious origin

The origin of the attackers remains a mystery. In some of the samples, the encrypted configuration includes the string “La revedere” (“Good bye” in Romanian) to mark the end of the C&C communication.

“Wild Neutron is a skilled and quite versatile group. Active since 2011, it has been using at least one zero-day exploit, custom malware and tools for Windows and OS X. Even though in the past it has attacked some of the most prominent companies in the world, it has managed to keep a relatively low profile via solid operational security which has so far eluded most attribution efforts. The group’s targeting of major IT companies, spyware developers (FlexiSPY), jihadist forums (the “Ansar Al-Mujahideen English Forum”) and Bitcoin companies indicates a flexible yet unusual mind-set and interests,” said Costin Raiu, Director of the Global Research and Analysis Team at Kaspersky Lab.

Kaspersky Lab products successfully detect and block the malware used by the Wild Neutron threat actor with the following detection names:

Trojan.Win32.WildNeutron.gen,
Trojan.Win32.WildNeutron.*,
Trojan.Win32.JripBot.*,
Trojan.Win32.Generic


‘Digital drive brings India closer to cyber attack risk’

"Countries like India are developing very fast which opens doors for more cyber attacks," MD of Kaspersky Lab Asia Pacific added.

  • India remains prey to hackers
  • One of the recent attacks involved WannaCrypt
  • The most vulnerable targets are financial institutions

Rajnish Singh

Singapore, July 16: India’s growing economy and digital push have caught the attention of hackers and an increasing wave of cyber attacks could soon badly impact the country, experts from Russian cyber security firm Kaspersky Lab have warned.

India and other South Asian countries are now on the radar of cyber attackers, said experts, adding that the government and corporates need to procure state-of-the-art, New Age security solutions to thwart their plans.

The impact of recent global cyber attacks was clearly visible in India as “WannaCrypt”, which affected 150 countries globally, and the recent “Petya” malware attack hit computers in the country.

“India’s growing economy and digitalisation are really a big concern as cyber attackers have now begun focusing on developing countries with big populations and average incomes,” Eugene Kaspersky, Chairman and Chief Executive of Kaspersky Lab, told IANS on the sidelines of the recently-concluded “Interpol World 2017” conference in Singapore’s Suntec City.

His comments came as the Moscow-based cyber security firm found that the “Petya” attack hit Gateway Terminal India operated by AP Moller-Maersk at the Jawaharlal Nehru Port Trust (JNPT), a facility near Mumbai which is India’s biggest container port.

[Image: Cyber attacks. There is a considerable rise in malware attacks due to rampant digitisation.]

The terminal was unable to load or unload because of the attack, as it could no longer identify which shipment belonged to whom.

According to Vitaly Kamluk, Director of the Global Research and Analysis Team for APAC at Kaspersky Lab, there was no cyber security threat till 2010 and India was quite safe till then.

But now, India and other “developing countries are most vulnerable, especially the financial sector. We perceive that banks are most vulnerable in India”, Kamluk told IANS.

Stephan Neumeier, Managing Director of Kaspersky Lab Asia Pacific, stressed the need to educate people to save them from becoming victims of cyber attacks.

“As India’s economy is growing fast, more and more people are now getting access to Internet. They have 4G access and Android devices are becoming popular. They need to be educated about anti-virus solutions as mandatory for devices and be made aware about not falling for phishing attacks,” Neumeier emphasised.

He suggested that malicious emails or links should also be part of the awareness process.

“Countries like India are developing very fast which opens doors for more cyber attacks,” Neumeier added.

The experts also recalled how over 200,000 users were affected in 150 countries after the “WannaCrypt” virus attack which paralysed computers — with a demand being made for a payment of $300 in bitcoins (crypto-currency or virtual currency) for a system to be unblocked.

Citing reports, Kaspersky Lab said that cyber crime costs the world $450 billion per year, which is almost the annual budget of Russia, China and Japan.

The experts said the hackers target government ministries, banks, utilities, other key infrastructure and companies nationwide, demanding ransom in crypto-currency.

Giving the example of Bangladesh, the experts said the hackers recently made a bank heist in the country and made away with $1 billion in one attack, since the security was vulnerable.


Think Twice before Clicking Casually! A set of Precautions to avoid Cyber Fraud in Card Transaction

To secure the POS system, any Wi-Fi network should be password-protected and each Internet connection protected with a firewall


New Delhi, November 18, 2016: With a spurt in card transaction after demonetisation in India, Russia-based software security company Kaspersky Lab has asked people to remain vigilant, listing a set of precautions to avoid any cyber fraud.


Attacks on point-of-sale (POS) systems have been growing over the past few years, as a physical POS terminal handles the all-important data found on the magnetic stripe of a credit card, meaning the card can be cloned and used for fraudulent purchases.

“Make sure your employees think twice about their behavior around your POS systems and ensure that they understand that casually clicking on social media links and email attachments in the workplace, especially on any POS-equipped machines, is unacceptable,” suggested Altaf Halde, Managing Director, Kaspersky Lab (South Asia).


Halde advised that once a POS system is installed, its default password should be changed and each employee should be given their own login to the machine, so that individual passwords are not shared.

“These passwords are changed regularly. If an employee ceases to work for the business, make sure their password is removed from the system,” Halde added.


To secure the POS system, any Wi-Fi network should be password-protected and each Internet connection protected with a firewall.

Halde also recommended encrypting sensitive payment data of customers. (IANS)