- SunTrust unfaithful employee may have stolen data on 1.5 Million customers
- Experts spotted spam campaigns delivering XTRAT and DUNIHI backdoors bundled with the Adwind RAT
- Security Affairs newsletter Round 159 – News of the week
- Unscrupulous crooks behind the RansSIRIA Ransomware try to exploit attentions on Syrian refugee crisis
Posted: 22 Apr 2018 10:25 AM PDT
SunTrust Banks Inc announced it discovered that a former employee may have attempted to download information on nearly 1.5 million clients and share it with a criminal organization.
A former employee at the SunTrust Bank may have stolen data on 1.5 million clients, including names, addresses, phone numbers, and account balances.
“The company became aware of potential theft by a former employee of information from some of its contact lists. Although the investigation is ongoing, SunTrust is proactively notifying approximately 1.5 million clients that certain information, such as name, address, phone number and certain account balances may have been exposed.” reads the press release published by the bank.
“The contact lists did not include personally identifying information, such as social security number, account number, PIN, User ID, password, or driver’s license information. SunTrust is also working with outside experts and coordinating with law enforcement.”
The bank said it believes the information doesn’t include personally identifiable information, such as social security numbers, account numbers, PINs, user IDs, passwords or driver’s license numbers.
SunTrust is notifying approximately 1.5 million clients that certain information may have been exposed.
According to the Reuters agency, the unfaithful employee tried to download the client data a few weeks ago in an attempt to sell it to a criminal.
“Chief Executive Officer William Rogers brought the incident to light on a post-earnings call with analysts on Friday. He said the attempt to download client information was made six to eight weeks ago.” Reuters reported.
SunTrust CEO William Rogers said that there was no indication of fraudulent activity using the exposed information, and that the data likely had not been sent outside the bank.
SunTrust is now offering free identity protection services to all of its clients.
“SunTrust Banks, Inc. (NYSE: STI) is now offering Identity Protection for all current and new consumer clients at no cost on an ongoing basis. Experian IDnotify will be provided to those who sign up for the service.” continues the press release.
“The IDnotify product by Experian is being offered in addition to existing SunTrust security protocols: ongoing monitoring of accounts, FICO score program, alerts, tools and zero liability fraud protection.”
(Security Affairs – Data Breach, cybercrime)
The post SunTrust unfaithful employee may have stolen data on 1.5 Million customers appeared first on Security Affairs.
Posted: 22 Apr 2018 06:57 AM PDT
Security experts at Trend Micro have spotted spam campaigns delivering the XTRAT and DUNIHI backdoors and the Loki malware bundled with the Adwind RAT.
Malware researchers at Trend Micro have uncovered a spam campaign that delivers the infamous Adwind RAT (aka jRAT) alongside the XTRAT backdoor (aka XtremeRAT) and the Loki info stealer. In a separate Adwind RAT spam campaign, the researchers observed the use of a VBScript backdoor tracked as DUNIHI.
Both campaigns abuse the legitimate free dynamic DNS server hopto[.]org.
“Notably, cybercriminals behind the Adwind-XTRAT-Loki and Adwind-DUNIHI bundles abuse the legitimate free dynamic DNS server hopto[.]org.” reads the analysis published by Trend Micro. “The delivery of different sets of backdoors is believed to be a ploy used to increase the chances of system infection: If one malware gets detected, the other malware could attempt to finish the job.”
The crooks behind the Adwind, XTRAT, and Loki campaign used a weaponized RTF document that triggers the CVE-2017-11882 vulnerability to deliver the bundle.
The attack chain is shown below:
“The dropped files are effective RATs with multiple backdoor capabilities, anti-VM, anti-AV, and are highly configurable. Notably, Adwind and XTRAT connect to the same C&C server: junpio70[.]hopto[.]org.” continues the analysis.
Adwind is a cross-platform Java backdoor that has been observed in the wild since 2013. XTRAT shares similar capabilities with Adwind; it also implements features to control both the device camera and microphone.
Loki is a password and cryptocurrency wallet stealer that is well known in the cybercrime ecosystem.
The experts also observed Adwind bundled with the DUNIHI backdoor: the attackers used a JAR dropper that ships a VBS dropper delivered via spam mail. The VBS dropper downloads and executes both DUNIHI and Adwind.
DUNIHI connects to pm2bitcoin[.]com:62103, while the Adwind/jRAT variant contacts badnulls[.]hopto[.]org:3011.
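Since both bundles above call home through a free dynamic DNS provider, a defender can turn the quoted indicators into a simple log check. The following is an added example (not Trend Micro's or Security Affairs' code): it refangs the indicators printed in the article, flags any connection to them and any other hopto.org subdomain, and runs over constructed log lines in an assumed "timestamp client host:port" format.

```python
"""Flag connections matching the Adwind/XTRAT/DUNIHI indicators quoted above.

Added example, not the vendor's code. Log format (timestamp client host:port)
is an assumption; the indicators are the defanged ones from the article.
"""
import re

# Defanged indicators exactly as the article prints them; refanged for matching.
DEFANGED_C2 = [
    "junpio70[.]hopto[.]org",       # Adwind and XTRAT C&C (no port reported)
    "badnulls[.]hopto[.]org:3011",  # Adwind/jRAT variant
    "pm2bitcoin[.]com:62103",       # DUNIHI
]
# Free dynamic DNS provider abused by both campaigns: any subdomain merits a look.
DYNDNS_PROVIDER = "hopto.org"

def refang(ioc):
    """Turn 'a[.]b' back into 'a.b' so it can be compared with real log data."""
    return ioc.replace("[.]", ".")

def parse_indicator(ioc):
    """Split a refanged indicator into (host, port-or-None)."""
    host, _, port = refang(ioc).partition(":")
    return host.lower(), (int(port) if port else None)

C2 = dict(parse_indicator(i) for i in DEFANGED_C2)  # host -> reported port

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+)$")  # ts client host:port (assumed)

def classify(line):
    """Return a reason string if the line matches an indicator, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    host, port = m.group(3).lower(), int(m.group(4))
    if host in C2:
        expected = C2[host]
        if expected is None:
            note = "no port reported"
        elif expected == port:
            note = "reported port"
        else:
            note = f"unexpected port, reported {expected}"
        return f"known C2 {host}:{port} ({note})"
    if host == DYNDNS_PROVIDER or host.endswith("." + DYNDNS_PROVIDER):
        return f"dynamic DNS host {host} (provider abused by both campaigns)"
    return None

def scan(lines):
    """Return (line, reason) pairs for every line that matched."""
    return [(l, classify(l)) for l in lines if classify(l)]

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "2018-04-20T09:01:02Z 10.0.0.12 www.example.com:443",
    "2018-04-20T09:01:07Z 10.0.0.12 junpio70.hopto.org:8080",
    "2018-04-20T09:02:11Z 10.0.0.31 pm2bitcoin.com:62103",
    "2018-04-20T09:02:15Z 10.0.0.31 pm2bitcoin.com:443",
    "2018-04-20T09:03:40Z 10.0.0.44 other-host.hopto.org:1604",
]
```

Flagging the whole dynamic DNS provider will produce benign hits, so treat those as triage leads rather than alerts on their own.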
Experts suggest a multilayered approach to security when dealing with a cross-platform threat like Adwind.
“IT administrators should regularly keep networks and systems patched and updated.”
“Both variants of Adwind arrive via email, so it is imperative to secure the email gateway to mitigate threats that abuse email as an entry point to the system and network.” concluded Trend Micro.
“Businesses should commit to training employees, review company policies, and develop good security habits.”
(Security Affairs – Adwind RAT, cybercrime)
The post Experts spotted spam campaigns delivering XTRAT and DUNIHI backdoors bundled with the Adwind RAT appeared first on Security Affairs.
Posted: 22 Apr 2018 01:30 AM PDT
A new round of the weekly SecurityAffairs newsletter arrived!
The best news of the week with Security Affairs.
Let me inform you that my new book, “Digging in the Deep Web”, is online.
Once again thank you!
The post Security Affairs newsletter Round 159 – News of the week appeared first on Security Affairs.
Posted: 22 Apr 2018 01:08 AM PDT
Researchers at MalwareHunterTeam have discovered a new strain of ransomware called RansSIRIA that encrypts the victim’s files and then states it will donate the ransom to Syrian refugees.
Unscrupulous cybercriminals try to exploit every situation, even the most dramatic incidents. In the past, crooks attempted to exploit the media attention on dramatic events such as the Boston Marathon, MH17, and Hurricane Matthew.
Now security experts at MalwareHunterTeam have discovered a new strain of ransomware called RansSIRIA that encrypts the victim’s files and then states it will donate the ransom to Syrian refugees.
According to the experts, the RansSIRIA ransomware is a variant of the WannaPeace ransomware; the campaign spotted by the researchers is aimed at Brazilian users.
Once the ransomware is executed, it displays a fake Word window while the malware encrypts the victim’s files.
When the encryption process is completed, the ransomware displays a ransom note containing the instructions for the payment.
The ransom note also contains an unusual message explaining that the ransom will be used to help Syrian refugees.
The ransom note is written in Portuguese; the translation below was published by experts at BleepingComputer:
The ransomware then shows a gallery of cruel images depicting the dramatic situation in Syria and plays a YouTube video from the “Save the Children” organization that shows the suffering of Syrian children and the effects of a stupid war that someone doesn’t want to stop.
If the victim chooses to pay the ransom, the malware decrypts the files and then opens the short URL https://goo.gl/qNxDFP, which is a Google-translated version of an article published by World Vision about Syrian refugee children.
Statistics on the short URL show that the RansSIRIA ransomware was created on March 15th; at the time of writing the link had been opened 64 times, which suggests the threat is currently not widespread.
Unfortunately, ransom paid by the victims will never support the Syrian refugees.
(Security Affairs – RansSIRIA ransomware, cybercrime)