Posts Tagged ‘UK’

Friday, November 20, 2015 @ 05:11 PM gHale

A 15-year-old boy from Plympton, Plymouth, UK, was arrested at his parents’ house Monday for launching several distributed denial of service (DDoS) attacks from his home against companies and servers in Africa, Asia, Europe, and North America, British police said.

The teen also made several bomb threats against North American airlines, using social media to deliver his warnings, police said.

Because he is a minor, the Devon & Cornwall Police did not reveal his name, but the teenager’s parents secured his release on bail. He goes before a judge in Plymouth Youth Court December 18.

Charges brought against the teenager are two offenses for the bomb threats under Section 51 of the Criminal Law Act and three offenses for the DDoS attacks under Section 3 of the Computer Misuse Act.

Friday, September 18, 2015 @ 05:09 PM gHale

Two men were arrested on suspicion of being the authors of the CoinVault ransomware, which locked tens of thousands of users out of their sensitive files, Dutch police said.

CoinVault, first seen in action in November 2014, is a ransomware family that encrypts a user’s files and then asks for payment in Bitcoin to decrypt them.

Since the malware first appeared, Kaspersky Lab, which aided in the investigation, estimates around 1,500 Windows machines have been infected, with most victims residing in Western European countries (France, Germany, UK, Netherlands) and the U.S., where affected users have enough funds at their disposal to pay the ransom.

As antivirus and security firms had a chance to analyze CoinVault, they eventually managed to recover decryption keys, which were made available in a public repository to help users get their files back.

CoinVault’s authors released various modifications of their malicious code, but most of the time security firms were close on their heels, providing decryption keys a few days later.

This rush to constantly modify CoinVault to avoid antivirus detection has apparently been the authors’ downfall: each update left clues behind, which security researchers were quick to pick up.

According to Jornt van der Wiel, a security researcher at Kaspersky Lab, what tipped them off about the suspects’ country of origin was the presence of Dutch text in one of CoinVault’s binary files, which they discovered in April 2015.

“Dutch is a relatively difficult language to write without any mistakes, so we suspected from the beginning of our research that there was a Dutch connection to the alleged malware authors. This later turned out to be the case,” van der Wiel said.

Now, in a joint investigation between the National High Tech Crime Unit (NHTCU) of the Dutch Police and the Russian-based cyber-security firm Kaspersky Lab, authorities arrested the two suspects in Amersfoort, Netherlands.

Kaspersky also credits Panda Security for helping with the investigation.

Monday, March 9, 2015 @ 03:03 PM gHale

The National Cyber Crime Unit (NCCU) of the National Crime Agency (NCA) in the UK spearheaded a nationwide cyber crime “strike week” last week resulting in the arrest of 57 people in 25 separate operations.

Those arrested participated in DDoS attacks, phishing schemes, cyber-enabled fraud, theft of intellectual property, network intrusions, and the development and distribution of malware.

Among them is a 23-year-old man from Sutton Coldfield, West Midlands, UK, whom police arrested for breaching the networks of the U.S. Department of Defense in June 2014.

“The network intrusion (hacking) attack occurred on June 15, 2014 and obtained data used as part of an international satellite message dissemination system (Enhanced Mobile Satellite Services) used by the U.S. Department of Defense to communicate with employees via email or phone around the world,” the NCA said.

“The data loss consisted of non-confidential contact information for approximately 800 people including name, title, email addresses and phone numbers. It also included device information for approximately 34,400 devices including IMEI numbers which are the unique codes used to identify a mobile device. No sensitive data was obtained and none of the data obtained could be used as personally identifiable information or compromise US national security interests.”

The suspect then posted evidence of the hack on Pastebin, along with a message taunting the Lizard Squad hackers.

This strike week worked in conjunction with ten Regional Organized Crime Units, Police Scotland and the Police Service of Northern Ireland, which visited some 60 businesses whose servers within the UK had been compromised.

“The compromises could be used to send out spam email, launch attacks against websites or servers, or install phishing websites to gain access to sensitive information. The NCA said organizations acting on this advice could, between them, clean up to half of the phishing attacks that typically originate from the UK each month,” they said.

Monday, March 9, 2015 @ 02:03 PM gHale

New versions of the Cryptowall ransomware hitting email inboxes may appear innocuous, but they can encrypt files on a system and demand money from victims to unlock the computer.

Cryptowall is an advanced version of Cryptolocker, a file-encrypting ransomware.

An email blast went out in February, targeting users from around the world, including the U.S., UK, the Netherlands, Denmark, Sweden, Slovakia and Australia, said researchers at Bitdefender Labs. Following analysis, the spam servers appear to be in Vietnam, India, Australia, U.S., Romania and Spain.

“Interestingly, in this instance, hackers have resorted to a less fashionable yet highly effective trick to automatically execute malware on a victim’s machine and encrypt its contents – malicious .chm attachments,” said Catalin Cosoi, chief security strategist at Bitdefender.

.chm is the extension for the Compiled HTML file format, a type of file used to deliver user manuals along with software applications. CHM files are highly interactive and can run a range of technologies including JavaScript, which can redirect a user toward an external URL after the CHM is simply opened.

“Attackers began exploiting CHM files to automatically run malicious payloads once the file is accessed,” Cosoi said.

The HTML files are compressed and delivered as a binary file with the .chm extension. This format consists of compressed HTML documents, images and JavaScript files, along with a hyperlinked table of contents, an index and full text searching.

The fake incoming fax report email claims to be from a machine in the user’s own domain. Bitdefender Labs researchers think the aim of this approach is to target employees from different organizations in order to infiltrate company networks.

Once the content of the .chm archive is accessed, the malicious code downloads a payload from http:// *********/putty.exe, saves it as %temp%\natmasla2.exe and executes the malware. A command prompt window opens during the process.
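A mail-gateway check for the delivery mechanism described above, added here as an example and not code from the article or from Bitdefender: it walks the attachments of a message and flags any Compiled HTML Help container, identified by the ITSF signature that CHM files begin with, so that a renamed CHM (for instance one carrying a .doc extension) is caught as well as an obvious .chm. The message is constructed inline to stand in for the fax-report lure; the attachment bytes are dummy data with a real ITSF header, and the function and sample names are this example’s own.

```python
import email
from email import policy
from email.message import EmailMessage

# Signature of the ITSS container that Compiled HTML Help (.chm) files start with.
CHM_MAGIC = b"ITSF"


def find_chm_attachments(raw_message: bytes) -> list:
    """Return one finding per attachment that is a CHM container or
    carries the .chm extension, whatever its declared content type."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        by_magic = payload.startswith(CHM_MAGIC)
        by_ext = name.lower().endswith(".chm")
        if by_magic or by_ext:
            findings.append({
                "filename": name,
                "content_type": part.get_content_type(),
                "magic_match": by_magic,
                "extension_match": by_ext,
                # A CHM header under a non-.chm name is the stronger signal:
                # the extension was chosen to get past naive filters.
                "disguised": by_magic and not by_ext,
            })
    return findings


def build_sample_message() -> bytes:
    """Constructed sample: a 'fax report' lure from the recipient's own
    domain with three attachments, two of which are CHM containers."""
    msg = EmailMessage()
    msg["From"] = "fax@example.internal"      # constructed sender
    msg["To"] = "user@example.internal"       # constructed recipient
    msg["Subject"] = "Incoming fax report"
    msg.set_content("You have a new fax. See the attached report.")
    # Dummy CHM body: real ITSF header followed by filler bytes (constructed)
    chm_bytes = CHM_MAGIC + b"\x03\x00\x00\x00" + b"\x00" * 56
    msg.add_attachment(chm_bytes, maintype="application",
                       subtype="octet-stream", filename="fax_report.chm")
    # The same container hiding under a document extension
    msg.add_attachment(chm_bytes, maintype="application",
                       subtype="octet-stream", filename="fax_report.doc")
    # A PDF-looking attachment that must not be flagged
    msg.add_attachment(b"%PDF-1.4\n%dummy", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in find_chm_attachments(build_sample_message()):
        print(finding)
```

Checking the leading bytes rather than trusting the filename or the declared MIME type is the point: the gateway rule "block *.chm" is trivially bypassed by a rename, while the ITSF header has to be present for the help viewer to open the file at all.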

Wednesday, June 18, 2014 @ 04:06 PM gHale

XP may be gone in Microsoft’s eyes, but it is still going strong with small to medium businesses, a new study said.

Almost one in five small and medium businesses worldwide are currently exposed to major security risks as they are still using Windows XP after Microsoft ended support for the operating system in April, said security firm Bitdefender.

The research, conducted in countries including the UK, Germany, Spain and the U.S., shows businesses still rely on the legacy Microsoft OS despite security concerns. Millions of malware attacks target companies every month and hackers try to steal confidential data by taking advantage of the system’s vulnerabilities.

The Bitdefender study, carried out from March to May 2014 on a sample of over 5,000 companies in areas including retail, healthcare and education, found enterprises that continue to run Windows XP since the April 8 end-of-support date are now more vulnerable to cyber attacks.

Users of the operating system no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates.

“A few weeks after the end of support announcement, a new Internet Explorer Zero Day vulnerability turned into a permanent threat for XP users,” said Catalin Cosoi, chief security strategist at Bitdefender. “That was until Microsoft issued a patch that was made available for Windows XP users as well. However, this was an exception that shouldn’t make enterprises believe it will happen again, so the swift migration from XP is a must for all users.”

The most targeted company in the three-month analysis was a web marketing business that had to deal with almost 800 million malware attacks. Other SMBs in the top targeted industries included a logistic services firm based in the UK and an Irish retail company.

Bitdefender’s research showed that 37 percent of SMB employees are working remotely or from home, increasing BYOD trends and security risks. At the same time, 17 percent of SMBs allow employee-owned mobile devices full access to the VPN.

The study also showed 53 percent of the companies upgraded to the more secure system Windows 7 Professional. Only a small percentage of the analyzed SMBs are using other Windows versions such as 7 Home Premium and Windows 8.1 Pro, while a few have also installed dedicated server products.

Wednesday, May 28, 2014 @ 06:05 PM gHale

Point of sale (PoS) terminals still appear to be low-hanging fruit for the bad guys, as a global cybercriminal operation infected almost 1,500 terminals, accounting systems and other retail back-office platforms at businesses in 36 countries, researchers said.

The infected systems formed a botnet that researchers from cybercrime intelligence firm IntelCrawler named Nemanja. The researchers believe the attackers behind the operation might be from Serbia.

The size of the botnet and the worldwide distribution of infected systems bring into perspective the security problems faced by retailers around the world, problems also highlighted by PoS breaches at several large U.S. retailers.

Past incidents suggest an increased attention from cybercriminals toward retailers and small businesses that use PoS terminals, the IntelCrawler researchers said Thursday in a blog post.

“We predict an increasing number of new data breaches in both sectors in the next few years, as well as the appearance of new types of specific malicious code targeted at retailers’ backoffice systems and cash registers,” the researchers said.

The Nemanja botnet included 1,478 infected systems in countries on most continents including the U.S., the U.K., Canada, Australia, China, Russia, Brazil and Mexico, IntelCrawler said.

An analysis of the Nemanja botnet found the compromised systems were running a wide variety of PoS, grocery store management and accounting software popular in different countries. The IntelCrawler researchers identified at least 25 different such software programs used on those systems.

This doesn’t mean the identified applications are particularly vulnerable or insecure for further use, but it shows the Nemanja PoS malware is able to work with different software. In addition to collecting credit card data, the malware had keylogging functionality to intercept credentials that could provide access to other systems and databases containing payment or personally identifiable information.

IntelCrawler predicts that very soon modern PoS malware will be incorporated as modules into malicious remote access tools (RATs) or other Trojan programs and will be used alongside other components, like those for keylogging or network traffic sniffing.

The other countries where the Nemanja botnet was detected were Argentina, Austria, Bangladesh, Belgium, Chile, Czech Republic, Denmark, Estonia, France, Germany, Hong Kong, India, Indonesia, Israel, Italy, Japan, Netherlands, New Zealand, Poland, Portugal, South Africa, Spain, Switzerland, Taiwan, Turkey, Uruguay, Venezuela and Zambia.

Tuesday, May 27, 2014 @ 05:05 PM gHale

The iPhone hack that started in Australia and New Zealand is spreading to the United States and the United Kingdom.

In a forum thread, Apple users said the widely reported ransomware attack under the name of Oleg Pliss has spread to the U.S. and the United Kingdom, in addition to Australia and New Zealand.

“I’m in the US. Never been to Australia. Hacked last night by the Oleg Pliss nonsense. Currently restoring to try and get it back online,” said wheelman2188 on the Apple Support Communities forum thread.

This attack could spread globally, and many users could actually fall for the scam and pay up the $100/€100 without any guarantees that the crooks will unlock their Apple IDs.

The whole attack could have come about through a phishing email.

Phishing is a common practice used by cybercriminals to steal user names and passwords, and the Apple community has had its fair share of these attacks over the past few years. Suffice it to say iOS is on its way to becoming what Windows has been for the hacking community for the past decade: a sea of opportunities.

Earlier this month, an email purporting to be from Apple was sent to various iOS/OS X users with the following message:
“Dear Apple Customer,
“Your Apple ID has been Disabled for Security Reasons!
“Someone just tried to sign in into your Apple account from other IP Address.
Please confirm your identity today or your account will be Disabled due to concerns we have for the safety and integrity of the Apple Community.
“To confirm your identity, we recommend that you go to

This note came from a user who managed to avoid getting hit by the hack, but others may not be so fortunate. If you know you’ve responded to this email as instructed, change your Apple ID password ASAP.

Wednesday, May 21, 2014 @ 07:05 PM gHale

Cyber crime and investigations know no boundaries: last week 300 houses were raided and over 100 people arrested as part of an international law enforcement operation targeting people believed to be responsible for selling, creating and using the BlackShades Remote Access Trojan (RAT).

News of the operation came out last week, when members of hacker forums said police had raided them. On Monday, Europol confirmed the operation and provided more details.

Raids took place in over 10 countries, including Belgium, France, the Netherlands, Germany, UK, Estonia, Austria, Canada, U.S., Denmark, Chile, Italy and Croatia.

Investigators seized over 1,000 computers, laptops, mobile phones, USB sticks, external hard drives and routers.

“This case is yet another example of the critical need for coordinated law enforcement operations against the growing number of cyber criminals operating on an EU and global level,” said Troels Oerting, head of the European Cybercrime Centre (EC3).

“EC3 will continue — together with Eurojust and other partners — to work tirelessly to support our partners in the fight against fraudsters and other cyber criminals who take advantage of the Internet to commit crime. The work is far from over, but our cooperation to work together across borders has increased and we are dealing with cases on an ongoing basis.”

The BlackShades RAT, which sells for between $40 and $100, is a popular tool among cybercriminals. The malware can hijack webcams, steal files, log keystrokes, and launch denial-of-service attacks against a designated target.

In a recent case in the Netherlands, an 18-year-old used it to infect over 2,000 computers. The teen hijacked the webcams of infected devices in an effort to capture intimate pictures of women.

The FBI arrested Michael Hogue, one of the creators of BlackShades, back in 2012. However, others continued to improve the RAT even after Hogue’s arrest. In November 2013, Symantec said the use of BlackShades had increased in the previous five months.

“This case is a strong reminder that no one is safe while using the Internet, and should serve as a warning and deterrent to those involved in the manufacture and use of this software,” said Koen Hermans, assistant to the National Member for the Netherlands.

“This applies not only to victims, but also to the perpetrators of criminal and malicious acts. The number of countries involved in this operation has shown the inherent value in Eurojust’s coordination meetings and coordination centers.”

Friday, April 25, 2014 @ 03:04 PM gHale

Nine members of a cybercrime group responsible for stealing $2.1 million from bank accounts received sentences totaling 24 years and 9 months from the United Kingdom’s Southwark Crown Court.

The group used KVM (Keyboard, Video, Mouse) switches to transfer money from bank accounts at Barclays and Santander. They also made fraudulent purchases with payment cards obtained after intercepting or stealing around one million letters.

They used the cards to purchase expensive watches, jewelry and other high-value items worth more than $1.68 million, court officials said.

Lanre Mullins-Abudu, 25, received eight years in prison for one count of conspiracy to commit fraud, two counts of conspiracy to steal and one count of possession of articles for use in fraud. Steven Hannah, 53, got 5 years and 10 months in prison for conspiracy to commit fraud and possession of drugs with intent to supply.

The list also includes Tony Colston-Hayter (5 years and 6 months in prison), Darius Valentin Boldor (2 years and 6 months in prison), Dean Outram (3 years in prison), Segun Ogunfidodo (9 months suspended, community work and tag-monitored curfew), Adam Raeburn Jefferson (1 year and 9 months suspended and tag-monitored curfew for 6 months), and Dola Leroy Oduns (9 months suspended, community work and curfew).

James Lewis Murphy received six months in prison, but he has already served his sentence while in custody.

“Today’s convictions are the culmination of a long and highly complex investigation into an organized crime group whose aim was to steal millions of pounds from London banks and credit card companies,” said Detective Chief Inspector Jason Tunn, of the MPS Cyber Crime Unit.

“Through working with industry partners such as Santander and Barclays, whose efforts in assisting us were immense, we have been able to bring this group to justice,” he said.

“This case demonstrates the sheer investigative skill we are able to apply to tackling cyber crime, as we continue working to keep London people and businesses safe from cyber criminals. We are determined to make London a hostile place for cyber criminals and not allow the Internet to be a hiding place for those who defraud people in the capital,” Tunn said.

Wednesday, March 19, 2014 @ 02:03 PM gHale

A newly discovered operation has left over 25,000 Unix servers infected over the past two years.

The operation, called “Windigo” after the mythical creature from Algonquian Native American folklore, has the servers sending out 35 million spam emails each day, putting around 500,000 computers at risk of malware infection.

“Each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements,” said ESET security researcher Marc-Étienne Léveillé.

Most of the infected servers are in the U.S., Germany, France and the UK. Many of the affected servers belong to hosting providers. The list of victims includes companies such as cPanel and

ESET has been investigating the campaign for around one year. In total, 25,000 servers suffered infection, of which 10,000 still have the issue.

Mac users are not spared either: while Windows users are directed to malware-serving exploit kits, people who visit the infected websites from Macs are pushed to adult content or served ads for dating sites.

Léveillé highlights that the Ebury backdoor deployed by the attackers doesn’t exploit Linux or OpenSSH vulnerabilities. Instead, it is planted manually.

“The fact that they have managed to do this on tens of thousands of different servers is chilling. While anti-virus and two factor authentication is common on the desktop, it is rarely used to protect servers, making them vulnerable to credential stealing and easy malware deployment,” Léveillé said.

Pierre-Marc Bureau, security intelligence program manager at ESET, said they are investigating the campaign because cybercriminal operations that rely on Linux malware are not something we get to see every day, particularly when it comes to an operation as complex as Windigo.

Bureau said this is the biggest botnet of servers they have ever seen. What they do know is the bot masters are very good in programming and the administration of Linux systems. Additionally, they probably have good connections in the underground, considering their capabilities to send spam and install malware.

The complete paper of the Windigo operation is available on ESET’s website.
