Category Archives: News

BBC And ITV To Broadcast Exclusive Live Coverage Of The FIFA World Cup 2018

Ofcom has today approved requests from the BBC and ITV to broadcast exclusive live coverage of the FIFA World Cup 2018, which takes place from 14 June to 15 July 2018.

As the World Cup is a ‘listed event’, Ofcom’s approval is needed for exclusive live coverage. The broadcasting rules which apply to listed events are set out in the Code on Sports and Other Listed and Designated Events.

Having secured Ofcom’s consent, television coverage of the tournament will be shared between the BBC and ITV. The majority of matches broadcast by the BBC will be shown on either BBC One or BBC Two, with some on BBC Four or the BBC One interactive stream. The BBC also has national live radio rights for all matches.

ITV will show most matches on its main channel with the remainder on ITV4.

MoneyTaker Attacks Banks In The US, Russia And The UK

Group-IB, a high-fidelity threat intelligence and anti-fraud solutions vendor, has released a report detailing the operations of a Russian-speaking targeted attack group dubbed by Group-IB as MoneyTaker.

In less than two years, the MoneyTaker group has conducted over 20 successful attacks on financial institutions and legal firms in the USA, UK and Russia. The group has primarily been targeting internal banking systems for theft, including the AWS CBR (Russian Interbank Transfer System), and card payment processing systems in banks in the USA. Group-IB confirmed one attack on a financial and transaction software service provider in the United Kingdom; however, card processing systems used inside banks were the group’s main target.

Although the group has been successful at targeting a number of banks in different countries, to date, they have gone unreported. In addition to banks, the MoneyTaker group has attacked law firms and also financial software vendors. In 2016, Group-IB identified 10 attacks conducted by MoneyTaker; 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on an IT-company (providing financial software) in the UK and 2 attacks on Russian banks. By constantly changing their tools and tactics to bypass antivirus and traditional security solutions and most importantly carefully eliminating their traces after completing their operations, the group has largely gone unnoticed.

MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise. In addition, incidents occur in different regions worldwide and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations. – Dmitry Volkov – Group-IB Co-Founder and Head of Intelligence

The first attack in the US that Group-IB attributes to this group was conducted in the spring of 2016: money was stolen from the bank by gaining access to First Data’s “STAR” network operator portal. Since that time, the group attacked companies in California, Utah, Oklahoma, Colorado, Illinois, Missouri, South Carolina, North Carolina, Virginia and Florida.

In 2016, Group-IB identified 10 attacks conducted by MoneyTaker: 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on an IT company in the UK and 2 attacks on Russian banks. Only one incident known to Group-IB, involving a Russian bank, was promptly identified and prevented.

In 2017, the number of attacks has remained the same with 8 US banks, 1 law firm and 1 bank in Russia being targeted. The geography, however, has narrowed to only the USA and Russia.

Using the Group-IB Threat Intelligence system, Group-IB researchers have discovered connections between all 20 incidents throughout 2016 and 2017. Connections were identified not only in the tools used, but also the distributed infrastructure, one-time-use components in the attack toolkit of the group and specific withdrawal schemes – using unique accounts for each transaction. Another distinct feature of this group is that they stick around after the event, continuing to spy on a number of impacted banks and sending corporate emails and other documents to Yandex and free email services in the [email protected] format.

Important findings that enabled Group-IB to discover the links between crimes include privilege escalation tools compiled from code presented at the Russian cybersecurity conference ZeroNights 2016. Also, in some incidents, hackers used the infamous Citadel and Kronos banking Trojans. The latter was used to deliver Point-of-Sale (POS) malware dubbed ScanPOS.

By analyzing the attack infrastructure, Group-IB identified that the group continuously exfiltrates internal banking documentation to learn about bank operations in preparation for future attacks. Exfiltrated documents include admin guides, internal regulations and instructions, change request forms, transaction logs, etc. A number of incidents with copied documents that describe how to make transfers through SWIFT are being investigated by Group-IB. Their contents and geography indicate that banks in Latin America may be targeted next by MoneyTaker.

Group-IB has provided Europol and Interpol with detailed information about the MoneyTaker group for further investigative activities as part of our cooperation in fighting cybercrime.

MoneyTaker: arsenal for attacks

Group-IB reports that MoneyTaker uses both borrowed and their own self-written tools. For example, to spy on bank operators they developed an application with ‘screenshot’ and ‘keylogger’ capabilities. This program is designed to capture keystrokes, take screenshots of the user’s desktop and get contents from the clipboard. The application is compiled in Delphi and contains 5 timers: functions of the application (such as taking screenshots, capturing keystrokes, disabling itself) are executed once the timer triggers. To circumvent antivirus and automated sample analysis, hackers again used ‘security measures’: they implemented the anti-emulation function in the timer code.

In an attack on a Russian bank through the AWS CBR, hackers used a tool called MoneyTaker v5.0, which the group has been named after. Each component of this modular program performs a certain action: searches for payment orders and modifies them, replaces original payment details with fraudulent ones, and then erases traces. The replacement succeeds because at this stage the payment order has not yet been signed; signing occurs after the payment details are replaced. In addition to hiding the tracks, the concealment module also replaces the fraudulent payment details in the debit advice returned after the transaction with the original ones. This means that the payment order is sent and accepted for execution with the fraudulent payment details, and the responses come back as if the payment details were the original ones. This gives cybercriminals extra time to mule funds before the theft is detected.

Leaving no trace behind

To conduct targeted attacks, MoneyTaker uses a distributed infrastructure that is difficult to track. A unique feature of the infrastructure is a persistence server, which delivers payloads only to victims with an IP address in MoneyTaker’s whitelist.

To control the full operation, MoneyTaker uses a Pentest framework Server. On it, the hackers install a legitimate tool for penetration testing – Metasploit. After successfully infecting one of the computers and gaining initial access to the system, the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network. Hackers use Metasploit to conduct all these activities: network reconnaissance, searching for vulnerable applications, exploiting vulnerabilities, escalating system privileges, and collecting information.

The group uses ‘fileless’ malware that exists only in RAM and is destroyed on reboot. To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts – they are both difficult to detect by antivirus and easy to modify. In some cases, they have made changes to source code ‘on the fly’ – during the attack.

After successful infection, they carefully erase malware traces. However, when investigating an incident in Russia, we managed to discover the initial point of compromise: hackers penetrated the bank’s internal network by gaining access to the home computer of the bank’s system administrator.

In addition, to protect C&C communications from being detected by security teams, MoneyTaker employs SSL certificates generated using the names of well-known brands (Bank of America, Federal Reserve Bank, Microsoft, Yahoo, etc.) instead of filling the fields out randomly. In the US, they used the LogMeIn Hamachi solution for remote access.

Attacks on card processing

The first attack on card processing that Group-IB specialists attribute to this group was conducted in May 2016. Having gained access to the bank network, the attackers compromised the workstation of First Data’s STAR network portal operators, making the changes required and withdrawing the money. In January 2017, the attack was repeated in another bank.

The scheme is extremely simple. After taking control over the bank’s network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked. Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules. They removed overdraft limits, which made it possible to overdraw even with debit cards. Using these cards, the mules withdrew cash from ATMs, one by one. The average loss caused by one attack was about $500,000.
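The pattern described above (a withdrawal limit loosened inside the processing system, followed shortly by a burst of ATM cash-outs abroad that exceed the old limit) is something an issuer can look for in its own event logs. The rule below is an added illustration, not code from Group-IB's report; the event field names and the sample records are constructed for the example and do not reflect any real processor's schema.

```python
"""Detection rule for the card-processing abuse pattern: limit removed or
raised, then a burst of ATM withdrawals abroad above the previous limit.
Added example; field names and records are constructed, not a real schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event log. kind is "limit_change" (old_limit/new_limit in
# currency units, None meaning "no limit") or "atm_withdrawal".
EVENTS = [
    {"ts": "2017-01-10T09:00:00", "card": "C1", "kind": "limit_change",
     "old_limit": 300, "new_limit": None},
    {"ts": "2017-01-10T21:05:00", "card": "C1", "kind": "atm_withdrawal",
     "amount": 900, "country": "XX"},
    {"ts": "2017-01-10T21:09:00", "card": "C1", "kind": "atm_withdrawal",
     "amount": 900, "country": "XX"},
    {"ts": "2017-01-10T21:14:00", "card": "C1", "kind": "atm_withdrawal",
     "amount": 900, "country": "XX"},
    # C2: a modest, legitimate-looking limit increase with normal use afterwards
    {"ts": "2017-01-11T08:00:00", "card": "C2", "kind": "limit_change",
     "old_limit": 300, "new_limit": 500},
    {"ts": "2017-01-12T12:00:00", "card": "C2", "kind": "atm_withdrawal",
     "amount": 100, "country": "HOME"},
]


def flag_limit_abuse(events, window=timedelta(hours=24),
                     min_withdrawals=3, home_country="HOME"):
    """Return one alert per limit change that was followed, within `window`,
    by at least `min_withdrawals` ATM withdrawals larger than the old limit,
    at least one of them outside the home country."""
    by_card = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_card[e["card"]].append(e)

    alerts = []
    for card, evs in by_card.items():
        for i, e in enumerate(evs):
            if e["kind"] != "limit_change":
                continue
            old, new = e["old_limit"], e["new_limit"]
            # "loosened" = limit removed entirely, or raised above the old one
            loosened = new is None or (old is not None and new > old)
            if not loosened:
                continue
            t0 = datetime.fromisoformat(e["ts"])
            hits = [w for w in evs[i + 1:]
                    if w["kind"] == "atm_withdrawal"
                    and datetime.fromisoformat(w["ts"]) - t0 <= window
                    and (old is None or w["amount"] > old)]
            abroad = sum(1 for w in hits if w["country"] != home_country)
            if len(hits) >= min_withdrawals and abroad:
                alerts.append({"card": card, "limit_change_at": e["ts"],
                               "withdrawals": len(hits), "abroad": abroad,
                               "total": sum(w["amount"] for w in hits)})
    return alerts


if __name__ == "__main__":
    for a in flag_limit_abuse(EVENTS):
        print(a)
```

The rule keys on the combination, not on either signal alone: limit changes are routine back-office work and foreign withdrawals are routine for travellers, but three withdrawals above the old limit within a day of that limit disappearing is the shape of the cash-out the report describes.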

Russian Hacker Arrested For Stealing $8000 Per Day Via Mobile Malware

Law enforcement, with support from Group-IB, has arrested a 32-year-old hacker, accused of stealing funds from Russian banks’ customers using Android mobile malware.

At the height of its activity, the gang reportedly stole between 1,500 and 8,000 dollars a day from victims and used cryptocurrency for laundering.

Group-IB’s analysis reviewed the tools and techniques leveraged in the group’s attacks, revealing that the gang tricked customers of Russian banks into downloading a malicious mobile application, “Banks at your fingertips”. The app claimed to be an aggregator of the country’s leading mobile banking systems and promised users ‘one-click’ access to all their bank cards to view balances, transfer money from card to card, and pay for online services. The app was first discovered in 2016 and was distributed through spam emails.

The criminal group’s approach was rather elementary: customers of banks downloaded the fake mobile app and entered their card details. The Trojan then sent bank card data or online banking credentials to the C&C server. Following this, the threat actor transferred 200-500 dollars at a time to previously activated bank accounts, and bypassed SMS confirmation codes which were intercepted from the victim’s phone. The victims were not aware of the transactions as all SMS confirmations of transactions were blocked.


Apple Launches New Privacy Portal – You Can Download A Copy Of Everything Apple Knows About You

Apple has today launched a new Data and Privacy website, allowing Apple users to download everything that Apple personally associates with their account, from Apple ID info, App Store activity and AppleCare history to data stored in iCloud such as photos and documents. This is currently only available for European Union accounts, to comply with GDPR, and will roll out worldwide in the coming months.

How To Download A Copy Of Your Data

To obtain a copy of your data, log in to

Select the Get started link under the ‘Obtain a copy of your data’ heading.

You can then simply tick the boxes of the categories of data you want to download. You can press ‘Select All’ to pick everything. iCloud Photos, Mail and Drive are separated into a separate list as this data may be exceptionally large. Then, press Continue.

After selecting the categories you’ll be asked how large the archives should be; you can choose 1GB, 2GB, 5GB, 10GB or 25GB. Then hit Complete Request. You’ll be emailed once the archives are ready to download.

It can take up to a week to prepare the downloads. Apple notifies you when the data is ready to download, and it is automatically deleted after 2 weeks.


AnyDesk Bundled with New Ransomware Variant

Trend Micro recently discovered a new ransomware (detected as RANSOM_BLACKHEART.THDBCAH), which drops and executes the legitimate tool known as AnyDesk alongside its malicious payload. This isn’t the first time that malware has abused a tool of this kind. TeamViewer, a tool with more than 200 million users, was abused by a previous ransomware that used the victim’s connections as a distribution method.

In this instance, however, RANSOM_BLACKHEART bundles both the legitimate program and the malware together instead of using AnyDesk for propagation.

Although the specifics of how RANSOM_BLACKHEART enters the system remain unknown, we do know that users can unknowingly download the ransomware when they visit malicious sites.

Once downloaded, RANSOM_BLACKHEART drops and executes two files:

  • %User Temp%\ANYDESK.exe
  • %User Temp%\BLACKROUTER.exe

Trend Micro believes bundling AnyDesk with the ransomware might be an evasion tactic. Once RANSOM_BLACKHEART is downloaded, AnyDesk will start running in the affected system’s background, masking the true purpose of the ransomware while it performs its encryption routine. Cybercriminals may be experimenting with AnyDesk as an alternative because TeamViewer’s developers have acknowledged its abuse, and have also included some anti-malware protection in some of its tools.

Screenshot of the ransom note

Sky Now Showing 4K HDR Content In Italy – Is The UK Next?

Sky Italia recently started broadcasting TV shows and films in 4K HDR for Sky Q users based in Italy, and we think that UK customers are next in line for the upgrade.

Back in February of this year Sky promised that an HDR update was on its way, but it is yet to confirm when this might happen.

What Is 4K HDR?

HDR or High Dynamic Range is the latest revolution in the TV tech world that’s shaking up colour definition in a big way.

Whereas HD and 4K technology upped the number of pixels in our TVs, HDR takes things to a whole new level. Offering 64 times more colour than standard 4K screens, 4K HDR TV is all about bringing more vivid colour to your screen.

The Xbox Adaptive Controller [Pictures Included!]

Microsoft has unveiled a new Xbox and Windows 10 controller that lets people with disabilities plug in the assistive aids they already own to play games.

It has been welcomed by charities and gamers, as it allows those with limited mobility to use their own buttons, joysticks and switches to mimic a standard controller, so they can play any videogame.

This allows them to choose which assistive aid will make the character jump, run or shoot, for example, without relying on pressing specific buttons on the controller that came with the Xbox.


cURL FTP Shutdown Response Buffer Overflow Remote Code Execution Vulnerability [CVE-2018-1000300]

CVE Number – CVE-2018-1000300

A vulnerability in cURL could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to a heap-based buffer overflow condition that could occur when the affected software closes an FTP connection and the server sends long command replies. An attacker could exploit this vulnerability by persuading a user to send a request to an attacker-controlled server. If successful, the attacker-controlled server could return a malicious FTP shutdown response, which could trigger the heap-based buffer overflow and allow the attacker to execute arbitrary code.
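The bug class here is a client accumulating a server's reply into a buffer without bounding how much it accepts, so the defensive pattern is to cap reply size before any byte is stored and to treat an over-cap reply as a protocol error. The reader below is an added illustration of that pattern for FTP's RFC 959 reply format (single-line "ddd text" and multi-line "ddd-" ... "ddd " replies); it is not cURL's code, and the cap value and the sample replies are constructed for the example.

```python
"""Bounded reader for FTP reply lines. Added illustration of the defensive
pattern, not cURL's implementation; MAX_REPLY_BYTES and the sample replies
are constructed for the example."""
import io


class ReplyTooLong(Exception):
    """Raised when a server reply exceeds the configured cap."""


MAX_REPLY_BYTES = 4096  # constructed cap; size it to the client's own buffer


def read_ftp_reply(stream, max_bytes=MAX_REPLY_BYTES):
    """Return (code, lines) for one FTP reply read from a binary stream.

    A multi-line reply starts with 'ddd-' and ends with a line starting
    'ddd ' that carries the same code. Every byte read counts against
    max_bytes, so a hostile server cannot make the client accumulate an
    unbounded reply, whatever buffer the lines are later copied into.
    """
    total = 0
    lines = []
    code = None
    while True:
        line = stream.readline()
        if not line:
            raise ConnectionError("connection closed mid-reply")
        total += len(line)
        if total > max_bytes:
            # Refuse before the data is stored anywhere else.
            raise ReplyTooLong(f"reply exceeded {max_bytes} bytes")
        text = line.rstrip(b"\r\n").decode("ascii", errors="replace")
        if code is None:
            if len(text) < 3 or not text[:3].isdigit():
                raise ValueError(f"malformed reply line: {text!r}")
            code = int(text[:3])
            if len(text) < 4 or text[3] != "-":
                return code, [text[4:]]  # single-line reply
            lines.append(text[4:])
            continue
        # Inside a multi-line reply: the terminator is "<same code><space>".
        if text[:3] == f"{code:03d}" and len(text) >= 4 and text[3] == " ":
            lines.append(text[4:])
            return code, lines
        lines.append(text)


def parse_reply_bytes(data, max_bytes=MAX_REPLY_BYTES):
    """Convenience wrapper: parse one reply from an in-memory byte string."""
    return read_ftp_reply(io.BytesIO(data), max_bytes)


def demo():
    """Run the reader over three constructed shutdown replies."""
    results = {}
    results["normal"] = parse_reply_bytes(b"221 Goodbye.\r\n")
    results["multi"] = parse_reply_bytes(
        b"221-Closing control connection.\r\n"
        b" Thanks for using FTP.\r\n"
        b"221 Bye.\r\n")
    hostile = b"221-" + b"A" * 10_000 + b"\r\n221 done\r\n"
    try:
        parse_reply_bytes(hostile)
        results["hostile"] = "accepted"
    except ReplyTooLong:
        results["hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of counting raw bytes rather than lines is that the "long server command replies" in the advisory can be a few very long lines or many short ones; either way the total is what has to fit.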

The cURL Project has confirmed the vulnerability and released software updates.

  • To exploit this vulnerability, an attacker may use misleading language and instructions to persuade a user to send a request to an attacker-controlled server.
  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Users are advised not to open email messages from suspicious or unrecognized sources. If users cannot verify that links or attachments included in email messages are safe, they are advised not to open them.
  • Users are advised not to visit websites or follow links that have suspicious characteristics or cannot be verified as safe.
  • Administrators are advised to use an unprivileged account when browsing the Internet.
  • Administrators are advised to monitor critical systems.

Vendor Announcements
Fixed Software
  • The cURL Project has released software updates at the following link: cURL 7.60.0

Pivotal Software Spring Security OAuth Authorization Request Remote Code Execution Vulnerability [CVE-2018-1260]

CVE Number – CVE-2018-1260

A vulnerability in Pivotal Software Spring Security OAuth could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.

The vulnerability is due to improper validation of user-supplied input processed by the affected software. An attacker could exploit the vulnerability by sending an authorization request that submits malicious input to the targeted authorization endpoint. An exploit could allow the attacker to execute arbitrary code on the targeted system when the resource owner is forwarded to the approval endpoint.

Pivotal Software has confirmed the vulnerability and released software updates.

  • To exploit this vulnerability, an attacker must make an authorization request that submits malicious input to the targeted system, making exploitation more difficult in environments that restrict network access from untrusted sources.
  • Administrators are advised to apply the appropriate updates.
  • Administrators are advised to allow only trusted users to have network access.
  • Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.
  • Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.
  • Administrators can help protect affected systems from external attacks by using a solid firewall strategy.
  • Administrators are advised to monitor affected systems.

Google And Microsoft Find New Strain Of Spectre And Meltdown [Variant 3a & 4]

CVE-2018-3640 – Rogue System Register Read (RSRE) – also known as Variant 3a

CVE-2018-3639 – Speculative Store Bypass (SSB) – known as Spectre Variant 4 or SpectreNG

Security researchers at Google and Microsoft have found new variants of the Spectre security flaw that was first reported back in January this year.

To exploit either of these vulnerabilities, an attacker must be able to run crafted code or script code on an affected device.

Security researchers identified two software analysis methods that, if used for malicious purposes, have the potential to improperly gather sensitive data from multiple types of computing devices with different vendors’ processors and operating systems.

Intel worked closely with other technology companies and several operating system and system software vendors, developing an industry-wide approach to mitigate these issues promptly.

To fix the problem, Intel has released beta microcode updates to operating system vendors, equipment manufacturers, and other ecosystem partners adding support for Speculative Store Bypass Disable (SSBD). SSBD provides additional protection by blocking Speculative Store Bypass from occurring. Intel hopes most major operating system and hypervisors will add support for Speculative Store Bypass Disable (SSBD) starting as early as May 21, 2018.
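Once the microcode and operating system updates are in place, the practical question for an administrator is whether the running kernel actually reports a mitigation. Linux exports one status file per variant under /sys/devices/system/cpu/vulnerabilities (the spec_store_bypass entry arrived with the kernel's SSBD support), with lines of the form "Mitigation: ...", "Vulnerable" or "Not affected". The script below is an added example, not from the original post or from Intel, Google or Microsoft: it reads those files where they exist and otherwise runs over a constructed sample. Variant 3a is fixed by microcode alone and, to the best of this editor's knowledge, has no sysfs entry, so it is left out of the mapping.

```python
"""Report the Linux kernel's mitigation status for the side-channel variants
listed in this post. Added example; assumes a kernel exporting
/sys/devices/system/cpu/vulnerabilities/* (spec_store_bypass needs a kernel
with SSBD support). SAMPLE_STATUSES is constructed for offline use."""
from pathlib import Path

SYSFS_DIR = Path("/sys/devices/system/cpu/vulnerabilities")

# Variant (as named in this post) -> sysfs file name. Variant 3a (RSRE) is
# omitted: it is a microcode-only fix with no sysfs entry as far as known.
VARIANT_FILES = {
    "Variant 1 (Bounds Check Bypass, CVE-2017-5753)": "spectre_v1",
    "Variant 2 (Branch Target Injection, CVE-2017-5715)": "spectre_v2",
    "Variant 3 (Rogue Data Cache Load, CVE-2017-5754)": "meltdown",
    "Variant 4 (Speculative Store Bypass, CVE-2018-3639)": "spec_store_bypass",
}

# Constructed sample modelled on the kernel's output format: everything
# mitigated except SSB, i.e. a host that has not yet received SSBD support.
SAMPLE_STATUSES = {
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
    "meltdown": "Mitigation: PTI\n",
    "spec_store_bypass": "Vulnerable\n",
}


def classify(status):
    """Map one raw sysfs status line to a coarse state."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(base=SYSFS_DIR):
    """Read each variant's status file; None where the kernel has no entry
    (too old to know about that variant, which itself deserves attention)."""
    statuses = {}
    for fname in VARIANT_FILES.values():
        path = base / fname
        statuses[fname] = path.read_text() if path.exists() else None
    return statuses


def summarize(statuses):
    """statuses: {sysfs name: raw line or None} -> {variant: state}."""
    return {variant: ("unknown" if statuses.get(fname) is None
                      else classify(statuses[fname]))
            for variant, fname in VARIANT_FILES.items()}


def needs_attention(summary):
    """Variants that are reported vulnerable or that the kernel cannot report."""
    return sorted(v for v, state in summary.items()
                  if state in ("vulnerable", "unknown"))


if __name__ == "__main__":
    live = read_sysfs()
    source = live if any(v is not None for v in live.values()) else SAMPLE_STATUSES
    summary = summarize(source)
    for variant, state in summary.items():
        print(f"{state:13s} {variant}")
    print("needs attention:", needs_attention(summary) or "none")
```

A missing file is reported as "unknown" rather than silently skipped: a kernel that predates the SSB disclosure has no spec_store_bypass entry at all, and that absence is exactly the case an inventory check should surface.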


CVE-2018-3639 – Speculative Store Bypass (SSB) – also known as Variant 4

  • Systems with microprocessors utilizing speculative execution and speculative execution of memory reads before the addresses of all prior memory writes are known may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis.
  • 4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

CVE-2018-3640 – Rogue System Register Read (RSRE) – also known as Variant 3a

  • Systems with microprocessors utilizing speculative execution and that perform speculative reads of system registers may allow unauthorized disclosure of system parameters to an attacker with local user access via a side-channel analysis.
  • 4.3 Medium CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Additional Information

Corresponding CVEs for Side-Channel Variants 1, 2, 3, 3a, and 4 are found below:

  • Variant 1: Bounds Check Bypass – CVE-2017-5753
  • Variant 2: Branch Target Injection – CVE-2017-5715
  • Variant 3: Rogue Data Cache Load – CVE-2017-5754
  • Variant 3a: Rogue System Register Read – CVE-2018-3640
  • Variant 4: Speculative Store Bypass – CVE-2018-3639

Patches For Variant 3a & 4

Vendor        Date Added
AMD           May 21, 2018
ARM           May 21, 2018
Intel         May 22, 2018
Microsoft     May 21, 2018
Red Hat       May 21, 2018