Winter Olympics phishing campaign
The information security company, McAfee, recently identified spear-phishing activity targeting the February 2018 Winter Olympics due to be held in South Korea.
This highly tailored campaign was aimed at a number of South Korean organisations supporting the Games and made use of custom-made fileless malware and steganography. The phishing emails were written in the Korean language and purported to be from the South Korean National Counter Terrorism Centre, and coincided with drills being carried out in preparation for the Games. They contained a malicious Word document that, if opened, would run a hidden PowerShell script, enabling the attackers to execute commands and install further malware. The objectives of the campaign are unclear, but could include gaining access to data for financial gain, extortion, or gathering intelligence on the planning around the Games.
In addition to this specific campaign targeting organisations associated with the Games, events such as these are often used by cyber criminals and other cyber actors as a basis for phishing or social engineering attacks against the public. The NCSC has recently provided guidance on avoiding phishing attacks.
Undisclosed cryptocurrency mining software reported on apps downloaded from third-party app store
As noted in the NCSC Weekly Threat Report of 29 September 2017, CPU-based cryptocurrency-mining malware significantly increased in 2017. A recent open source report suggested that hundreds of malicious Android apps containing a hidden Coinhive cryptocurrency miner were available for download on the third-party app store, androidapk.world.
Coinhive uses website visitors' CPU resources to mine the cryptocurrency Monero, providing website owners with a legitimate alternative to advertising for monetising their websites. In October 2017, Coinhive acknowledged they had underestimated the extent of service misuse and launched a new version, AuthoredMine, with an opt-in screen which asked users for permission to borrow their computing power. Nevertheless, the original version of the service is still reportedly in circulation.
Cryptocurrencies rely on ‘miners’ to carry out a large number of calculations to verify transactions. In exchange for contributing computing power, miners are rewarded with cryptocurrency. A miner running in the background can significantly reduce the performance and battery life of a computer or device, and cause it to overheat.
The NCSC recommends that users only install apps from the official application store for their device. Malicious apps in official stores are more likely to be detected and subsequently removed from the store or device.
The Cyber Security Information Sharing Partnership (CiSP) is a great way of learning more about threat information as well as engaging with industry and government counterparts. Follow the link below for more information.