As a supplement to the next McAfee Labs Threats Report, which will appear next month, we offer this timeline of leading cybercrime events that made news in the first quarter of 2014.
- January 2: A systems administrator at the Monju fast breeder reactor facility in Japan notices suspicious connections emanating from a machine in the control room, coinciding with what was meant to be a routine software update to a free media player.[1] The security firm Context names the attack, based on a Gh0st RAT variant, the Monju Incident.
- January 6: McAfee Labs describes a new Pony botnet variant (Backdoor-FJW) that attempts to steal Bitcoin wallets from infected systems.[2]
- January 16: Unknown hackers breach the Orange French website. Details of up to 800,000 customers of the multinational telecommunications company are compromised.[3]
- January 17: Researchers at Qihoo 360 and Dr.Web announce the first Android bootkit. Android.Oldboot modifies a device’s boot partition and boot script file to launch a system service and extract a malicious application early in the system’s startup. The bootkit is intended for Android devices in China, where 92% of victims are located.[4]
- January 22: Romanian authorities arrest Guccifer, a 40-year-old hacker suspected of breaching the social media and email accounts of several high-level individuals, including members of the Bush and Rockefeller families, officials of the Obama administration, former US Secretary of State Colin Powell, and George Maior, the head of the Romanian Intelligence Service SRI.[5]
- January 28: McAfee Labs reminds mobile users that scammers still target Japanese smartphones using apps (Android/BadPush, Android/OneClickFraud) that lead their owners to malicious one-click-fraud websites.[6] Other adult-oriented apps (Android/PhimSms) target Vietnamese users.[7]
- February 4: Adobe releases an out-of-band security update addressing a critical remote code execution vulnerability, CVE-2014-0497, being exploited in the wild.[8]
- February 4: German prosecutors arrest three suspects in the Netherlands. The alleged criminals are said to have stolen US$45 million from ATMs in 27 countries between December 2012 and February 2013 by embezzling prepaid MasterCard debit card numbers.[9]
- February 10: Kaspersky Lab announces the discovery of a large number of malware infections across much of the globe.[10] McAfee Labs also details the attack, called Careto.[11]
- February 11: A new unpatched vulnerability, CVE-2014-0322, in Microsoft Internet Explorer 10 is found in the wild. FireEye announces it is actively exploited in a watering-hole attack (Operation SnowMan) targeting visitors to the official website of the US Veterans of Foreign Wars.[12]
- February 13: FireEye identifies a zero-day Adobe Flash exploit, CVE-2014-0502, that affects the latest version of the player. The exploit is used in Operation GreedyWonk, which affects several nonprofit and research organizations.[13]
- February 17: Researchers at Malwarebytes analyze a new variant of the banking Trojan ZeusVM, first discovered by Xylitol on January 15. The crimeware uses steganography to hide its configuration in a digital photo: the image carries data that is Base64-encoded and encrypted with the RC4 and XOR algorithms. The variant targets popular financial institutions including Barclays, Deutsche Bank, and Wells Fargo.
- February 28: Security experts at G Data say they have discovered a very complex and sophisticated rootkit designed to steal confidential data and exfiltrate it from targeted organizations. Uroburos takes its name from a mythical serpent or dragon that ate its own tail and from a sequence of characters concealed deep within the malware’s code: Ur0bUr()sGotyOu#. The authors appear to speak Russian and are from the same group that performed a cyberattack against the United States in 2008.[14]
- March 3: A McAfee Labs researcher describes Android/BadInst.A, a suspicious app on Google Play that almost automatically downloads, installs, and launches other apps from Google Play without user interaction.[15]
- March 3: Researchers at Team Cymru publish a white paper about a pharming attack hitting thousands of small office/home office wireless routers around the world. Exploiting various vulnerabilities in more than 300,000 routers (Asus, D-Link, Cisco, Linksys, Micronet, Netgear, Tenda, TP-Link) to overwrite their DNS settings, the attackers redirected traffic to their own sites and domains.[16]
- March 8: Cybercriminals take advantage of the disappearance of Malaysia Airlines Flight 370 to infect users with malware in scam messages.
- March 11: Russian-Moroccan hacker Farid Essebar, known online as Diabl0, is arrested in Bangkok.[17] He is suspected of having compromised computer systems and websites belonging to Swiss banks, causing damage of more than US$4 billion. Essebar was previously arrested in August 2005 for offenses related to the creation and distribution of W32/Zotob and was sentenced to two years in prison.[18]
- March 20: Microsoft warns of a zero-day vulnerability, CVE-2014-1761, in Word that is being actively exploited in targeted attacks and was discovered by the Google security team. This remote code execution vulnerability can be exploited via a malicious rich text format file.[19]
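The February 17 entry describes ZeusVM hiding its configuration inside an image using Base64, RC4 and XOR. The following added triage script (written for this timeline, not code from Malwarebytes, Xylitol or McAfee) shows the defender-side check: flag a JPEG that carries bytes after its End-of-Image marker, and, if the RC4 and XOR keys recovered from a sample are known, peel the three layers. Assumptions: the payload is appended after the EOI marker, the layer order is XOR, then RC4, then Base64, and the keys and the configuration text in `build_sample` are constructed for illustration.

```python
import base64
from typing import Optional

# JPEG Start-of-Image and End-of-Image markers; a well-formed file ends at EOI.
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 stream cipher; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(data: bytes, key: int) -> bytes:
    """Single-byte XOR; symmetric like RC4."""
    return bytes(b ^ key for b in data)


def trailing_payload(image: bytes) -> Optional[bytes]:
    """Return bytes appended after the last EOI marker, or None for a clean JPEG.
    Base64 text never contains 0xFF, so rfind(EOI) cannot land inside the payload."""
    if not image.startswith(JPEG_SOI):
        return None
    idx = image.rfind(JPEG_EOI)
    if idx == -1:
        return None
    tail = image[idx + len(JPEG_EOI):]
    return tail or None


def decode_layers(tail: bytes, rc4_key: bytes, xor_key: int) -> bytes:
    """Peel the layers in reverse order of embedding: Base64, then RC4, then XOR.
    The layer order is an assumption of this example, not taken from the report."""
    return xor(rc4(rc4_key, base64.b64decode(tail)), xor_key)


def build_sample(config: bytes, rc4_key: bytes, xor_key: int) -> bytes:
    """Constructed fixture: a minimal JPEG skeleton (SOI, one APP0 stub, EOI)
    with the layered configuration appended, mimicking the described technique."""
    body = base64.b64encode(rc4(rc4_key, xor(config, xor_key)))
    return JPEG_SOI + b"\xff\xe0\x00\x02" + JPEG_EOI + body
```

In a pipeline, the useful signal is simply `trailing_payload(...)` being non-empty for an image that a process fetched; decoding is only possible once the keys have been recovered from the sample itself.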
[6] https://www.mcafee.com/blogs/other-blogs/japanese-one-click-scammers-still-active-target-smartphone-users-2014
[7] https://www.mcafee.com/blogs/other-blogs/vietnamese-adult-apps-google-play-open-gate-to-sms-trojan
[8] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/flash-zero-day-vulnerability-cve-2014-0497-lasts-84-days/
[12] https://www.fireeye.com/blog/technical/cyber-exploits/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
[13] https://www.fireeye.com/blog/technical/targeted-attack/2014/02/operation-greedywonk-multiple-economic-and-foreign-policy-sites-compromised-serving-up-flash-zero-day-exploit.html
[14] https://public.gdatasoftware.com/Web/Content/INT/Blog/2014/02_2014/documents/GData_Uroburos_RedPaper_EN_v1.pdf
[15] https://www.mcafee.com/blogs/other-blogs/automatic-app-installation-google-play-store-poses-big-risk