Tuesday, September 26, 2017

Tag: Poland

Openet's virtualized policy and charging solution with pre-packaged use cases provided the foundation that Orange Poland needed to get new services to market fast

DUBLIN, Ireland – 15th August, 2017 – Openet, a global leader in the supply of digital BSS (business support systems) and Customer Engagement solutions, today announced that Orange Poland has implemented virtualized versions of its Policy Manager and Evolved Charging solutions. As the leading communications service provider in Poland, Orange offers a wide... Source: RealWire
Hamilton 68 tracks Russian state news and Twitter trolls, shows propaganda trends.
In mid-July 2017, we found a new modification of the well-known mobile banking malware family Svpeng – Trojan-Banker.AndroidOS.Svpeng.ae.
In this modification, the cybercriminals have added new functionality: it now also works as a keylogger, stealing entered text through the use of accessibility services.
Duke and Duchess of Cambridge meet UK's vibrant Polish diaspora

London/Warsaw 17th July, 2017 – On the first day of their trip to Poland, the Duke and Duchess of Cambridge visited ‘The Heart’, a start-up incubator in Warsaw, to celebrate business opportunities between UK and Poland.

The high-profile event was held by the British Embassy in Poland and hosted by Marta Krupińska, co-founder of Azimo, and Tomasz Rudolf, The Heart's founder. Showcasing a selection of Polish start-ups... Source: RealWire
Juliusz Brzostek, director of Poland's NC Cyber, explains what the country's cybersecurity center has been up to in its first nine months of operation.
Customers in the UK and Poland may have had their bank account details compromised.
Azimo gives back control to often-forgotten recipients, using just a phone number.

London, UK, Tuesday, 4th April, 2017 – Azimo, the international money transfer service, today launches an industry-first feature, revolutionising how money is shared internationally.

Azimo’s new app feature creates a fundamental change in the global remittances market.

Customers across Poland, the US and Canada will now be empowered to make requests for money from anywhere across the UK and Eurozone and receive it... Source: RealWire

Lazarus Under The Hood

Today we'd like to share some of our findings, and add something new to what's currently common knowledge about Lazarus Group activities, and their connection to the much talked about February 2016 incident, when an unknown attacker attempted to steal up to $851M USD from Bangladesh Central Bank.
Dozens of banks -- particularly in the United States and Poland -- have been targeted by newly identified malware.

Expensive free apps

This post is the result of collaboration between Elevenpaths (Telefónica Cyber Security Unit) and Kaspersky Lab.

Both companies have used their own expertise, researchers and tools, such as Tacyt (an innovative tool for the monitoring and analysis of mobile threats) and GReAT’s internal tools and resources.
Big Brother and Google Play

Fraudulent apps trying to send Premium SMS messages or trying to call high-rate phone numbers are nothing new.

Actually, they are easy to find, especially in Spain, Russia and some other European countries. Of course, it is much more interesting to talk about how certain groups bypass detection mechanisms such as those used by Google Play, since this has become difficult to achieve in the past few years. Some years ago it was pretty easy to upload a dialer (or other similar fraudulent app) to Google Play [1] [2], but new detection mechanisms made attackers focus on alternative markets, at least for a period of time.

Recently, we have found a Spanish group that successfully uploaded a non-official app for Big Brother (Gran Hermano), one of the most popular TV shows in Spain, which has been on the air for 16 years now. [Analysis:cdd254ee6310331a82e96f32901c67c74ae12425] This was not a very sophisticated app, but they were able to upload it into Google Play using an old trick.

First, they uploaded a clean and innocuous version that of course passed all the security controls from Google Play.

Then, some days later, a new version was uploaded with a major features update, including subscription to paying services.

This trick was extremely simple but successful, since the app was in Google Play for around two months (from mid September to mid November 2015).

It seems this was not the first time this group tried to upload a Big Brother-like app. We have detected (via Tacyt [3]) at least another 4 similar applications that, judging by some particular logging messages we found in the code, could have the same origin:

com.granhermano.gh16_1; from 2015-09-15 to 2015-09-22
com.granhermano162; from 2015-09-29 to 2015-11-14
com.granhermanodieciseis; from 2015-09-29 to 2015-11-11
com.granh.gh16_3; from 2015-10-05 to 2015-10-15
com.hisusdk; from 2015-09-16 to 2015-11-14 (the one analyzed)

As we said before, this group was found to be using a specific string “caca” as a logging tag, which is unusual. The word “caca” is a colloquial word in Spanish referring to excrement (very similar to the word “poo” in English). It can turn up in testing code, marking lines that should be removed later, but it is unusual to find it in such similar applications and used in the same way.

Because of that, it makes sense to think that those applications were developed by the same group. Other strings and function names used in the code lead us to conclude that those applications could have been developed by native Spanish speakers.

This app uses several commercial third-party services, such as Parse.com for the first network communication.

This first API call is used in order to get all the information necessary to run further actions (URLs, authentication, etc).

    {"results": [{
        "Funcionamiento": " Ahora la única pestaña importante es la de VOT.",
        "action1": "http://tempuri.org/getPinCode",
        "action2": "http://tempuri.org/crearSubscripcion",
        "activa": "si",
        "createdAt": "2015-09-08T16:17:24.550Z",
        "estado": true,
        "id_categoria": "2608",
        "id_subscripcion": "400",
        "metodo1": "getPinCode",
        "metodo2": "crearSubscripcion",
        "namespace": "http://tempuri.org/",
        "nombreApp": "GH16 – españa",
        "numero_corto": "795059",
        "numero_sms": "+34911067088",
        "objectId": "tNREzkEocZ",
        "password": "15xw7v7u",
        "updatedAt": "2015-11-27T10:28:00.406Z",
        "url": "http://ws.alertas.aplicacionesmonsan.net/WebSubscription.asmx?WSDL",
        "urlcode": "http://spamea.me/getcode.php?code=",
        "usuario": "yourmob",
        "vot": true
    }]}

As we can see above, it references different URLs:

spamea.me is a service that no longer exists at the time of writing, but that used to be hosted on 107.6.184.212, which seems to be a hosting service shared with many other websites.

ws.alertas.aplicacionesmonsan.net is a legitimate service focused on mobile monetization, including SMS premium and direct carrier billing. It is used from the app in order to subscribe the user to a service called “yourmob.com”.

Of course, using paying services is not malicious in itself, since it is legitimate for companies to bill for their services, but users should be clearly notified about service cost and conditions beforehand. Although we found a reference to “Terms and Conditions” (in Spanish) pointing to the website servimob.com, we could not verify that this information is shown to users and, anyway, users don’t have the opportunity to reject the agreement and avoid being subscribed.

Presence outside Google Play

It makes sense that a group that has included this kind of app in Google Play would try something similar using other app sources (thanks to Facundo J. Sánchez, who spotted this).

Analysis: 9b47070e65f81d253c2452edc5a0eb9cd17447f4

This app worked slightly differently. It uses other third-party services and it sends Premium SMSs for monetization.

They got from the server what number to use, for how many seconds and if the screen should be on or off.

We found that they used very similar words for comments and method names (most of them in Spanish, including “caca”), the same topic (Big Brother), references to “yourmob” and much more, so we can definitely link it with the Spanish group mentioned before.

One of the web services used by this application (http://104.238.188.38/806/) exposed a control panel showing information about people using this app.

As you probably know, groups developing this kind of app usually reuse their servers and supporting infrastructure for multiple apps, for example this one:

https://www.virustotal.com/en-gb/file/cc2895442fce0145731b8e448d57e343d17ca0d4491b7fd452e6b9aaa4c2508a/analysis/

It was using this VPS as well: http://vps237553.ovh.net. Some of the panels and services provided by the VPS were located here:

http://vps237553.ovh.net/nexmo/getcode.php?code=
http://vps237553.ovh.net/polonia/autodirect1.php
http://vps237553.ovh.net/polonia/autodirect2.php
http://vps237553.ovh.net/polonia/guardar_instalacion.php
http://vps237553.ovh.net/polonia/guardar_numero.php
http://vps237553.ovh.net/polonia/guardar_numero.php?androidID=
http://vps237553.ovh.net/polonia/guardar_sms.php
http://vps237553.ovh.net/polonia/push_recibido.php
http://vps237553.ovh.net/polonia/panel.php
http://vps237553.ovh.net/nexmo/

As we can see in their control panel, they have been quite successful in terms of spread, since there are registered phones from many different countries (Spain, Holland, Poland, etc).

In addition, an iterative search on terms such as IP addresses, unique paths, etc, has shown that other apps could be using the same supporting infrastructure that was shown above, including the following IP addresses and domain names:

In particular, 45.32.236.127 was pointed to by different domain names in the past months:

kongwholesaler.tk (2016-05-22)
acc-facebook.com (2016-04-11)
h-instagram.com (2016-04-11)
msg-vk.com (2016-04-11)
msg-google.ru (2016-04-10)
msg-mail.ru (2016-04-10)
iwantbitcoins.xyz (2015-11-04)

These domains have probably been used for fraudulent initiatives such as phishing attacks, since they are very similar to well-known and legitimate services.

Something that caught our attention was that “vps237553.ovh.net”, used from a sample and resolving to 51.255.199.164, was also used at some point (June 2016 according to our passive DNS) by the “servimob.com” domain (the same domain referenced in the app from Google Play).

Back to Google Play

As you can imagine, they tried again to upload a new app to Google Play, following a similar philosophy and techniques to those we have seen before.

e49faf379b827ee8d3a777e69f3f9bd3e559ba03
11a131c23e6427dd7e0e47280dd8f421febdc4f7

These apps were available in Google Play for a few weeks in September 2016, using similar techniques, especially to those applications that we found outside Google Play.

Conclusions

This Spanish group has been quite successful at uploading this kind of app to Google Play, using interesting topics such as the Big Brother TV show. Spain and Poland have been two countries traditionally targeted by SMS scams and similar malware. However, we have never seen in the past few years any group that was able to upload apps to legitimate markets in such an easy way. Perhaps the key point is that they try to be close enough to the border between a legitimate business and a malicious one.

The “EyePyramid” attacks

On January 10, 2017, a court order was declassified by the Italian police, in regards to a chain of cyberattacks directed at top Italian government members and institutions. The attacks leveraged a malware named “EyePyramid” to target a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy.

These included Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy and Mario Draghi, another former prime minister of Italy and now president of the European Central Bank. The malware was spread using spear-phishing emails and the level of sophistication is low. However, the malware is flexible enough to grant access to all the resources in the victim’s computer. During the investigation, involved LEAs found more than 100 active victims in the server used to host the malware, as well as indications that during the last few years the attackers had targeted around 16,000 victims.

All identified victims are in Italy, most of them being Law Firms, Consultancy services, Universities and even Vatican Cardinals. Evidence found on the C&C servers suggests that the campaign was active since at least March 2014 and lasted until August 2016. However, it is suspected that the malware was developed and probably used years before, possibly as far back as 2008.

Two suspects were arrested on January 10th, 2017 and identified as 45-year-old nuclear engineer Giulio Occhionero and his 47-year-old sister Francesca Maria Occhionero.

Investigation

Although the Italian Police Report doesn’t include malware hashes, it identified a number of C&C servers and e-mail addresses used by the malware for exfiltration of stolen data.

Excerpt from the Italian court order on #EyePyramid (http://www.agi.it/pictures/pdf/agi/agi/2017/01/10/132733992-5cec4d88-49a1-4a00-8a01-dde65baa5a68.pdf)

Some of the e-mail addresses used for exfiltration and C&C domains outlined by the police report follow:

E-mail addresses used for exfiltration

gpool@hostpenta[.]com
hanger@hostpenta[.]com
hostpenta@hostpenta[.]com
purge626@gmail[.]com
tip848@gmail[.]com
dude626@gmail[.]com
octo424@gmail[.]com
tim11235@gmail[.]com
plars575@gmail[.]com

Command-and-Control Servers

eyepyramid[.]com
hostpenta[.]com
ayexisfitness[.]com
enasrl[.]com
eurecoove[.]com
marashen[.]com
millertaylor[.]com
occhionero[.]com
occhionero[.]info
wallserv[.]com
westlands[.]com

Based on these indicators we quickly wrote a YARA rule and ran it through our systems, in order to see if it matches any samples.

Here’s what our initial “blind”-written YARA rule looked like:

    rule crime_ZZ_EyePyramid
    {
        meta:
            copyright = " Kaspersky Lab"
            author = " Kaspersky Lab"
            maltype = "crimeware"
            filetype = "Win32 EXE"
            date = "2016-01-11"
            version = "1.0"

        strings:
            // $a*: case-insensitive indicators (domains, IP addresses, license keys, e-mail addresses)
            $a0="eyepyramid.com" ascii wide nocase fullword
            $a1="hostpenta.com" ascii wide nocase fullword
            $a2="ayexisfitness.com" ascii wide nocase fullword
            $a3="enasrl.com" ascii wide nocase fullword
            $a4="eurecoove.com" ascii wide nocase fullword
            $a5="marashen.com" ascii wide nocase fullword
            $a6="millertaylor.com" ascii wide nocase fullword
            $a7="occhionero.com" ascii wide nocase fullword
            $a8="occhionero.info" ascii wide nocase fullword
            $a9="wallserv.com" ascii wide nocase fullword
            $a10="westlands.com" ascii wide nocase fullword
            $a11="217.115.113.181" ascii wide nocase fullword
            $a12="216.176.180.188" ascii wide nocase fullword
            $a13="65.98.88.29" ascii wide nocase fullword
            $a14="199.15.251.75" ascii wide nocase fullword
            $a15="216.176.180.181" ascii wide nocase fullword
            $a16="MN600-849590C695DFD9BF69481597241E-668C" ascii wide nocase fullword
            $a17="MN600-841597241E8D9BF6949590C695DF-774D" ascii wide nocase fullword
            $a18="MN600-3E3A3C593AD5BAF50F55A4ED60F0-385D" ascii wide nocase fullword
            $a19="MN600-AD58AF50F55A60E043E3A3C593ED-874A" ascii wide nocase fullword
            $a20="gpool@hostpenta.com" ascii wide nocase fullword
            $a21="hanger@hostpenta.com" ascii wide nocase fullword
            $a22="hostpenta@hostpenta.com" ascii wide nocase fullword
            $a23="ulpi715@gmx.com" ascii wide nocase fullword

            // $b*: e-mail addresses, matched case-sensitively
            $b0="purge626@gmail.com" ascii wide fullword
            $b1="tip848@gmail.com" ascii wide fullword
            $b2="dude626@gmail.com" ascii wide fullword
            $b3="octo424@gmail.com" ascii wide fullword
            $b4="antoniaf@poste.it" ascii wide fullword
            $b5="mmarcucci@virgilio.it" ascii wide fullword
            $b6="i.julia@blu.it" ascii wide fullword
            $b7="g.simeoni@inwind.it" ascii wide fullword
            $b8="g.latagliata@live.com" ascii wide fullword
            $b9="rita.p@blu.it" ascii wide fullword
            $b10="b.gaetani@live.com" ascii wide fullword
            $b11="gpierpaolo@tin.it" ascii wide fullword
            $b12="e.barbara@poste.it" ascii wide fullword
            $b13="stoccod@libero.it" ascii wide fullword
            $b14="g.capezzone@virgilio.it" ascii wide fullword
            $b15="baldarim@blu.it" ascii wide fullword
            $b16="elsajuliette@blu.it" ascii wide fullword
            $b17="dipriamoj@alice.it" ascii wide fullword
            $b18="izabelle.d@blu.it" ascii wide fullword
            $b19="lu_1974@hotmail.com" ascii wide fullword
            $b20="tim11235@gmail.com" ascii wide fullword
            $b21="plars575@gmail.com" ascii wide fullword
            $b22="guess515@fastmail.fm" ascii wide fullword

        condition:
            // PE file (MZ header) under 10 MB containing any indicator
            ((uint16(0) == 0x5A4D)) and (filesize < 10MB) and
            ((any of ($a*)) or (any of ($b*)))
    }

To build the YARA rule above we’ve used every bit of existing information, such as custom e-mail addresses used for exfiltration, C&C servers, licenses for the custom mailing library used by the attackers and specific IP addresses used in the attacks. Once the YARA rule was ready, we ran it on our malware collections.

Two of the initial hits were:

MD5: 778d103face6ad7186596fb0ba2399f2
File size: 1396224 bytes
Type: Win32 PE file
Compilation timestamp: Fri Nov 19 12:25:00 2010

MD5: 47bea4236184c21e89bd1c1af3e52c86
File size: 1307648 bytes
Type: Win32 PE file
Compilation timestamp: Fri Sep 17 11:48:59 2010

These two samples allowed us to write a more specific and more effective YARA rule which identified 42 other samples in our summary collections. At the end of this blogpost we include a full list of all related samples identified.

Although very thorough, the Police Report does not include any technical details about how the malware was spread other than the use of spear phishing messages with malicious attachments using spoofed email addresses. Nevertheless, once we were able to identify the samples shown above we used our telemetry to find additional ones used by the attackers for spreading the malware in spear-phishing emails.

For example:

From: Di Marco Gianmaria
Subject: ricezione e attivazione
Time: 2014/01/29 13:57:42
Attachment: contatto.zip//Primarie.accdb (…) .exe

From: Michelangelo Giorgianni
Subject: R: Re: CONVOCAZIONE
Time: 2014/01/28 17:28:56
Attachment: Note.zip//sistemi.pdf (…) .exe

Other attachment filenames observed in attacks include:

Nuoveassunzioni.7z
Assunzione.7z
Segnalazioni.doc (…) 7z.exe
Regione.7z
Energy.7z
Risparmio.7z
Pagati.7z
Final Eight 2012 Suggerimenti Uso Auricolari.exe
Fwd Re olio di colza aggiornamento prezzo.exe
Approfondimento.7z
Allegato.zip
Eventi.bmp (…) .exe
Quotidiano.mdb (…) _7z.exe
Notifica operazioni in sospeso.exe

As can be seen, the spreading relied on spear-phishing e-mails with attachments, which in turn relied on social engineering to get the victim to open and execute the attachment.

The attachments were ZIP and 7zip archives, which contained the EyePyramid malware. Also the attackers relied on executable files masking the extension of the file with multiple spaces.
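A mail-gateway style check for the extension masking described above, as an added example that is not part of the original report. The sample names are constructed by putting a run of spaces where the report prints “(…)”, and the extension sets and the three-space threshold are assumptions.

```python
import re

# Assumed sets, not taken from the report: what Windows runs on double-click,
# and what a recipient reads as a harmless document, image or archive.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "accdb", "mdb",
              "bmp", "jpg", "png", "txt", "zip", "7z"}
PAD_RUN = 3  # assumed threshold: 3+ consecutive whitespace characters

# A ".ext" token inside the stem, followed by whitespace, "_", "." or the end.
DECOY_RE = re.compile(r"\.([A-Za-z0-9]{2,5})(?=[\s_.]|$)")


def leaf_name(path):
    """Last component of 'archive.zip//member' notation or of a normal path."""
    return re.split(r"[\\/]+", path)[-1]


def classify_attachment(path):
    """Return the reasons a name looks like a masked executable ([] if none)."""
    # Windows ignores trailing spaces and dots, so 'a.exe  ' still runs.
    leaf = leaf_name(path).rstrip(" \t.")
    stem, dot, ext = leaf.rpartition(".")
    if not dot or ext.lower() not in EXECUTABLE_EXTS:
        return []
    findings = ["executable-extension"]
    decoys = [d.lower() for d in DECOY_RE.findall(stem)
              if d.lower() in DECOY_EXTS]
    if decoys:
        # The decoy closest to the real extension is the one the user sees last.
        findings.append("decoy-extension:" + decoys[-1])
    longest = max((len(m.group()) for m in re.finditer(r"\s+", stem)),
                  default=0)
    if longest >= PAD_RUN:
        # Padding pushes the real extension out of the visible column.
        findings.append("whitespace-padding")
    return findings


def triage(attachments):
    """Keep only names with a masking finding on top of being executable."""
    report = {}
    for path in attachments:
        findings = classify_attachment(path)
        if len(findings) > 1:
            report[path] = findings
    return report


PAD = " " * 40  # constructed: the real padding length is elided in the report
SAMPLES = [      # constructed sample names modelled on the list above
    "contatto.zip//Primarie.accdb" + PAD + ".exe",
    "Note.zip//sistemi.pdf" + PAD + ".exe",
    "Quotidiano.mdb" + PAD + "_7z.exe",
    "Notifica operazioni in sospeso.exe",
    "Allegato.zip",
    "verbale.pdf",
]

if __name__ == "__main__":
    for path, findings in triage(SAMPLES).items():
        print(repr(leaf_name(path)), findings)
```

Archive members have to be listed before this check sees them; the `archive//member` notation is only split, not unpacked.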

This technique is significant in terms of the low sophistication level of this attack.

High profile victims

Potential high-profile Italian victims (found as recipients of spear-phishing emails according to the police report) include very relevant Italian politicians such as Matteo Renzi or Mario Draghi. It should be noted, however, that there is no proof that any of them got successfully infected by EyePyramid – only that they were targeted.

Of the more than 100 active victims found in the server, there’s a heavy interest in Italian law firms and lawyers.

Further standout victims, organizations, and verticals include:

Professional firms, Consultants
Universities
Vaticano
Construction firms
Healthcare

Based on the KSN data for the EyePyramid malware, we observed 92 cases in which the malware was blocked, of which the vast majority (80%) were in Italy. Other countries where EyePyramid has been detected include France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland.

Assuming their compilation timestamps are legit – and they do appear correct – most of the samples used in the attacks were compiled in 2014 and 2015.

Conclusions

Although the “EyePyramid” malware used by the two suspects is neither sophisticated nor very hard to detect, their operation successfully compromised a large number of victims, including high-profile individuals, resulting in the theft of tens of gigabytes of data.

In general, the operation had very poor OPSEC (operational security); the suspects used IP addresses associated with their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and, when caught, attempted to delete all the evidence. This indicates they weren’t experts in the field but merely amateurs, who nevertheless succeeded in stealing considerably large amounts of data from their victims.

As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile malware, rootkits, or zero-days to run long-standing cyberespionage operations. Perhaps the most surprising element of this story is that Giulio Occhionero and Francesca Maria Occhionero ran this cyber espionage operation for many years before getting caught.

Kaspersky Lab products successfully detect and remove EyePyramid samples with these verdicts:

HEUR:Trojan.Win32.Generic
Trojan.Win32.AntiAV.choz
Trojan.Win32.AntiAV.ciok
Trojan.Win32.AntiAV.cisb
Trojan.Win32.AntiAV.ciyk
not-a-virus:HEUR:PSWTool.Win32.Generic
not-a-virus:PSWTool.Win32.NetPass.aku

A full report on #EyePyramid, including technical details of the malware, is available to customers of Kaspersky APT Intelligence Services.

Contact: intelreports (at) kaspersky [dot] com

To learn how to write YARA rules like a GReAT Ninja, consider taking a master class at Security Analyst Summit: https://sas.kaspersky.com/#trainings

References and Third-Party Articles

Indicators of Compromise

Hashes:

Related hashes identified by @GaborSzappanos:

Backdoor Filenames:

pnbwz.exe
pxcfx.exe
qislg.exe
rqklt.exe
runwt.exe
ruzvs.exe
rvhct.exe
vidhdw.exe
winlng.exe
wxrun.exe
xddrv.exe
xdwdrv.exe

Malicious attachments filenames (weak indicators):

contatto.zip//Primarie.accdb (…) .exe
Note.zip//sistemi.pdf (…) .exe
Nuoveassunzioni.7z
Assunzione.7z
Segnalazioni.doc (…) 7z.exe
Regione.7z
Energy.7z
Risparmio.7z
Pagati.7z
Final Eight 2012 Suggerimenti Uso Auricolari.exe
Fwd Re olio di colza aggiornamento prezzo.exe
Approfondimento.7z
Allegato.zip
Eventi.bmp (…) .exe
Quotidiano.mdb (…) _7z.exe

Group-IB says both attacks were likely carried out by Cobalt group using malware "ATM spitter."

Cybersecurity firm Group-IB has linked the July Taiwan ATM cyber heist to the ATM hacking spree in Europe last year, claiming the two were carried out by the same hacking group, dubbed Cobalt. Reuters reports that Group-IB’s conclusion is based on the fact that the hack techniques used in both incidents match.

A group of 22 foreign nationals are alleged to be behind the First Commercial Bank ATM hack in Taiwan, of which three Eastern Europeans are in custody. Most of the stolen money was recovered and Taiwan authorities believe the bank network was breached at a London branch.

According to a Group-IB report, the hackers used malware “ATM spitter” in the Taiwan attack as well as in similar hacks carried out in Britain, Russia, Poland, Spain, Bulgaria, and many other European countries, Reuters adds.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.