Hackers Leak FSB Plan for IoT Botnet | Avast

This week, Russian hacking group Digital Revolution leaked documents it claims to have pilfered from a company building a cyberweapon for the FSB, the Russian intelligence agency. ZDNet reporters who have seen the leaked data said the documents charge Russian company InformInvestGroup CJSC with accepting an order from the FSB to create an IoT botnet inspired by the notorious Mirai botnet of 2016. Timestamps show the project, called “Fronton,” began in 2017. The documents themselves come from ODT (Oday) LLC, the subcontractor hired by InformInvestGroup CJSC to develop the malware. This type of governmental outsourcing is common, according to Avast security evangelist Luis Corrons. “While most countries in the world focus mainly on defense, a few others like the US, Russia, China, and North Korea, have powerful offensive capacities. This leak just confirms what we already knew – intelligence agencies outsource to develop the malware they use.”

The plans for the botnet show that its main targets would be security cameras and network video recorders (NVRs), devices that use robust communication channels. The botnet is designed to form 95% of itself strictly out of those two types of devices. According to the plans, each infected device in the botnet would get reprogrammed to carry out password attacks on other devices in order to keep the botnet alive and growing. With a large enough botnet, attackers can launch DDoS attacks that can jam up any online entity’s internet traffic. To hide the malware’s origin, the Fronton specs forbid the use of the Russian language and the Cyrillic alphabet in any of the source code or project documents. Digital Revolution has hacked subcontractors of the FSB in the past, leaking details of state-backed hacking plans such as social media monitoring, email monitoring, and a way to de-anonymize Tor users.

Early 2020 spike in Chinese nation-state hacking

Cybersecurity researchers have noted a sharp increase in cyberespionage campaigns by Chinese state-backed group APT41. Cyberscoop reported that between January 20 and March 11 this year, the infiltration campaign targeted 75 organizations, spanning a broad spectrum of industries including the banking sector, higher education, manufacturing, and technology. The end goal of the attacks is unclear, with researchers unsure whether or not any data was stolen in the operation. One expert told Cyberscoop the increased activity could be due to any number of reasons, such as the U.S.-China trade war, the COVID-19 pandemic, or simply reconnaissance for the future. The campaign focused on the exploitation of vulnerabilities in Cisco routers and specific software made by Citrix and Zoho.

This week’s quote

“The irony here is that disclosures that lead to fixes that we don’t implement leave us at more risk than ever.” 

– Avast guest blogger Kevin Towsend on the difficulties of vulnerability disclosure for both companies and users and what that means for the security of our devices. 

Sponsorships Available

Sponsorships Available

Sponsorships Available

GE data breach affects current and former employee’s

U.S. energy conglomerate General Electric disclosed that between February 3 and February 14, an authorized party gained access to an employee’s email account at Canon Business Process Services, one of GE’s service providers. The account contained sensitive information about GE employees past and present, as well as their beneficiaries. Documents such as direct deposit forms, driver’s licenses, birth certificates, and passports were among the exposed data. Neither GE nor Canon have announced how the data breach occurred, but one security expert told SC Magazine that the details released by GE seem to indicate it was a standard credential phishing attack or possibly a credential reuse from another site. 

More ransomware attackers start stolen-data websites

The trend continues as three more ransomware attackers have launched websites for the public posting of their victims’ data. Bleeping Computer reported that Nefilm Ransomware, CLOP Ransomware, and a new strain called Sekhmet have put up sites, each of which has at least one victim’s data posted. The three join other ransomware attackers like Maze and DoppelPaymer in adding extra pressure on their victims by threatening to make sensitive files public if the ransom is unpaid. This trend merges ransomware attacks with data breaches, creating a new compounded threat. 

This week’s stat

Almost 1 million – that’s the number of times malicious Android Apps with Tekya malware have been downloaded. 

New malware found in 56 Google Play apps

A new strain of malware dubbed “Tekya” has been discovered in 56 Google Play apps, roughly half of them children’s games such as puzzles and racing. The malware commits ad fraud by mimicking user actions to click advertisements, which makes money for the attacker. Aside from children’s games, the other infected apps were Android utility apps such as calculators, translators, and cooking apps. In total, the apps have been downloaded almost a million times. Upon learning of Tekya, Google Play removed all 56 apps from their shop. More info on this at Dark Reading. 

Hacked Tupperware website steals customer payment info

Security researchers spotted a malicious image file on the Tupperware website’s checkout page. Clicking on the image brought up a phony payment form that collected the user’s payment information. Upon submitting the form, the user got a bogus error message that time had expired and the page needed to refresh. Then, the user was taken to the legitimate Tupperware payment form. Researchers discovered the payment skimming scam on March 20 and reported their findings to Tupperware, but the company did not respond and has still not issued a statement acknowledging the hack. As of March 25, however, the malicious image file had disappeared from the website’s checkout page. More on this story at Silicon Angle. 

This week’s ‘must-read’ on The Avast Blog

If you’re looking to technology for help with your baby or your elderly parents, we’ve got you covered. Read these tips on how to pick the right baby monitor and these tips for how to use technology to improve your elderly parents’ lives. 

Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all your devices with our award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN. Get advertisers off your back and disguise your online identity for greater privacy with Avast AntiTrack.