Microsoft Windows Defender Research discovered an attack campaign that utilized spear phishing emails impersonating U.S. Department of State employees to gain remote access to victims’ machines.

Investigators said the majority of those targeted in the campaign, which began in mid-November, were public-sector institutions and non-governmental organizations based in the U.S. The spear phishing emails purported to be notifications from Microsoft’s cloud-based storage system, OneDrive, that indicated a State Department employee had a file they wanted to share.

Those who fell for the bait unleashed an obfuscated PowerShell command and a dynamic-link library (DLL) payload that gave threat actors the ability to control victims’ devices from a command-and-control (C&C) server.

What Happens When Threat Actors Use CobaltStrike

While threat actors often spend considerable time developing their own malicious software code, investigators said those behind this particular attack campaign also made use of CobaltStrike, a commercially available tool that is normally used for penetration testing.

If attackers gained access to a victim’s machine, they could use CobaltStrike to download and install additional software, capture what users input into their systems, execute arbitrary commands through Windows Management Instrumentation (WMI) or PowerShell, and escalate privileges.

While third-party analysts attributed the attacks to a group known as APT29, or CozyBear, which corresponds to the group Microsoft tracks as YTTRIUM, Microsoft does not yet believe that enough evidence exists to attribute this campaign to YTTRIUM.

The Best Way to Shield Against Spear Phishing

As with similar spear phishing attacks, this campaign shows how adept cybercriminals have become in using what look like legitimate names and subject matter in their messages to compel a response — in this case, what looked like an important communication from the Department of State.

In a recent SecurityIntelligence podcast, IBM X-Force Red senior security consultant Chris Sethi described the need for an internal awareness program about adhering to IT security best practices, such as not clicking on potentially malicious links and attachments. The safest organizations take this one step further by having a third party conduct routine tests to ensure employees are putting the right behaviors into practice.


Researchers at the University of Waterloo have taken a huge step towards making smart devices that do not use batteries or require charging.

These battery-free objects, which feature an IP address for internet connectivity, are known as Internet of Things (IoT) devices. If an IoT device can operate without a battery, it lowers maintenance costs and allows the device to be placed in areas that are off the grid.

Many of these IoT devices have sensors in them to detect their environment, from a room's ambient temperature and light levels to sound and motion, but one of the biggest challenges is making these devices sustainable and battery-free.

Professor Omid Abari, Postdoctoral Fellow Ju Wang and Professor Srinivasan Keshav from Waterloo's Cheriton School of Computer Science have found a way to hack radio frequency identification (RFID) tags, the ubiquitous squiggly ribbons of metal with a tiny chip found in various objects, and give the devices the ability to sense the environment.

"It's really easy to do," said Wang. "First, you remove the plastic cover from the RFID tag, then cut out a small section of the tag's antenna with scissors, then attach a sensor across the cut bits of the antenna to complete the circuit."

In their stock form, RFID tags provide only identification and location. It's the hack the research team has done -- cutting the tag's antenna and placing a sensing device across it -- that gives the tag the ability to sense its environment.

To give a tag eyes, the researchers hacked an RFID tag with a phototransistor, a tiny sensor that responds to different levels of light.

Exposing the phototransistor to light changed the characteristics of the RFID tag's antenna, which in turn changed the signal reaching the reader. The team then developed a reader-side algorithm that monitors changes in the tag's signal, and that is how the tag senses light levels.

Among the simplest of hacks is adding a switch to an RFID tag so it can act as a keypad that responds to touch.
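The reader-side logic described above, sketched as an added example (this is not the Waterloo team's code, and the article does not give their actual algorithm). It assumes the reader reports an RSSI value per tag read, that the tag is first calibrated with the phototransistor in the dark, and that more light makes the readings deviate further from that dark baseline; for the keypad variant it assumes a normally-open switch, so the tag only answers while pressed. All readings are constructed.

```python
"""Reader-side sensing for a hacked RFID tag (added example, constructed data)."""
from collections import deque
from statistics import mean, median, pstdev

# Constructed dark-calibration readings (RSSI in dBm) for one tag EPC.
DARK_CALIBRATION = [-58.1, -58.4, -57.9, -58.2, -58.0, -58.3]

# Constructed stream of (epc, rssi_dBm) reads as a UHF reader might report them,
# including one spurious -70 dBm read that the median filter should suppress.
READS = [
    ("E200-TAG-01", -58.2), ("E200-TAG-01", -58.0), ("E200-TAG-01", -57.8),
    ("E200-TAG-01", -55.1), ("E200-TAG-01", -54.7), ("E200-TAG-01", -70.0),
    ("E200-TAG-01", -54.9), ("E200-TAG-01", -50.2), ("E200-TAG-01", -49.8),
    ("E200-TAG-01", -50.1),
]


class LightSensingTag:
    """Maps RSSI deviation from a dark baseline to a coarse light level."""

    def __init__(self, calibration, window=3, dim_db=2.0, bright_db=6.0):
        self.baseline = mean(calibration)        # expected RSSI in the dark
        self.noise = pstdev(calibration)         # read-to-read jitter
        self.window = deque(maxlen=window)       # median filter over recent reads
        self.dim_db, self.bright_db = dim_db, bright_db

    def update(self, rssi):
        """Feed one read; return 'dark', 'dim' or 'bright' for the smoothed signal."""
        self.window.append(rssi)
        smoothed = median(self.window)
        # Assumption: light moves the reading away from the baseline; the
        # direction depends on the tag, so only the magnitude is used.
        delta = abs(smoothed - self.baseline)
        if delta < max(self.dim_db, 3 * self.noise):   # inside calibration noise
            return "dark"
        return "bright" if delta >= self.bright_db else "dim"


def classify_stream(reads, epc, calibration):
    """Classify every read of one EPC from a mixed reader log."""
    tag = LightSensingTag(calibration)
    return [tag.update(rssi) for read_epc, rssi in reads if read_epc == epc]


def switch_presses(inventory_rounds, epc):
    """Keypad variant: a press is the EPC appearing in an inventory round
    after being absent (assumes the switch only completes the antenna while held)."""
    presses, was_present = 0, False
    for seen in inventory_rounds:
        present = epc in seen
        if present and not was_present:
            presses += 1
        was_present = present
    return presses
```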

"We see this as a good example of a complete software-hardware system for IoT devices," Abari said. "We hacked simple hardware -- we cut RFID tags and placed a sensor on them. Then we designed new algorithms and combined the software and hardware to enable new applications and capabilities.

"Our main contribution is showing how simple it is to hack an RFID tag to create an IoT device. It's so easy a novice could do it."

The research paper by Wang, Abari and Keshav, titled "Challenge: RFID Hacking for Fun and Profit," appeared in the Proceedings of the 24th Annual International Conference on Mobile Computing and Networking (ACM MobiCom), October 29 to November 2, 2018, New Delhi, India, pp. 461-70.


  • A new Android malware was hidden behind six different Android applications that were available in Google Play, out of which five apps were removed from Google Play in February 2018.
  • The applications have been downloaded 100,000 times by users in 196 countries, with the majority of victims residing in India.

Researchers spotted a new Android malware hidden behind six different Android applications that were available for download in Google Play. The six apps include Flappy Birr Dog, Flappy Bird, FlashLight, Win7Launcher, Win7imulator, and HZPermis Pro Arabe. Out of these six apps, five have been removed from Google Play since February 2018.

However, these applications have been downloaded at least 100,000 times by users across 196 countries with the majority of victims residing in India. The affected countries include India, Russia, Pakistan, Bangladesh, Indonesia, Brazil, Egypt, Ukraine, Turkey, United States, Sri Lanka, Italy, Germany, Saudi Arabia, and more.

Modus Operandi

Researchers from TrendMicro detected spyware dubbed ANDROIDOS_MOBSTSPY, which is capable of stealing information such as user location, call logs, SMS conversations, and clipboard items. The malware uses Firebase Cloud Messaging (FCM) to send information to its C2 server.

  • Once the malicious application is installed and launched, the malware first checks for the device’s network availability.
  • The malware then reads and parses an XML configuration file from its C2 server.
  • Then, the malware collects device information such as the language used, its registered country, package name, device manufacturer, and more.
  • It then sends the collected information to its C2 server.
  • Once executed, the malware waits and then performs the command received from its C2 server via FCM.
  • The malware can steal call logs, SMS conversations, contact lists, user location, etc., based on the command it received from its C2 server.

Other Capabilities of the Malware

The capabilities of the malware include:

  • Stealing and uploading files on the device.
  • Stealing additional credentials through phishing attacks.
  • Stealing user credentials by displaying fake Facebook and Google pop-ups and display screens.

Most users will not doubt the fake screens or pop-ups and are likely to fall prey to the attack. When users provide their username and password for the first time, the malware tells them that the login was unsuccessful, but by then the credentials have already been stolen.


This year thankfully avoided any world-breaking ransomware attacks like NotPetya. It even had some small victories, like GitHub beating back the biggest DDoS attack in history. Still, online threats are manifold, lurking and evolving, making the internet a more hostile place than ever.

The biggest threats online continued to mirror the biggest threats in the real world, with nation states fighting proxy battles and civilians bearing the brunt of the assault. In many cases, the most dangerous people online are also the most dangerous in the real world. The distinction has never mattered less.

Donald Trump

On January 3 of 2018, at the height of tensions with North Korea, Donald Trump saw fit to send the following tweet:

Set aside, if you can, the deep absurdity of the language. The episode was a reminder that Trump is perhaps the only human on Earth who could quite literally start a nuclear war with a tweet, and that he seems decidedly not to care. While tensions with North Korea have subsided—for now—Trump has used the internet to other ill effects, from potential witness tampering in federal investigations, to constantly undermining the credibility of the media, to announcing unilateral military action without any apparent thought for the consequences. Trump has shown in 2018 that he doesn't need to cause Armageddon in a single tweet to do damage. He can simply use his social pulpit to whittle away at democratic norms, 280 characters at a time.

Vladimir Putin

Let the Russian president stand in for any number of his country's adept hackers. The country may have been relatively quiet—though not inactive—during the midterm elections, but Russia's hackers still caused all manner of trouble throughout the world. Upset over a doping-related ban, they hacked and released emails of the International Olympic Committee in January, then attacked the Pyeongchang Olympics themselves, wreaking havoc during the opening ceremonies with so-called Olympic Destroyer malware. When a lab investigated the nerve agent used in the attempted murder of former Russian double agent Sergei Skripal, Russia tried to hack it, too. They continue to probe the US power grid for weaknesses. And on and on, all before you even get to Putin's continued, unprecedented cyberaggression against Ukraine. Russia has spent this year actively, openly lashing out at the world online—with Putin at the command.

Min Aung Hlaing

Facebook was tragically slow to recognize that its platform was being used in service of genocide in Myanmar. Indeed, it took a UN report before the company finally took action against the military leaders behind the most blatant abuses. Among the 20 individuals and organizations Facebook banned in that first wave was Min Aung Hlaing, head of the armed forces, who both used his personal account to spread hate speech and led a military that surreptitiously ran at least 425 Facebook pages, 17 Facebook groups, 135 Facebook accounts, and 15 Instagram accounts. "We want to prevent them from using our service to further inflame ethnic and religious tensions," Facebook wrote at the time. As The New York Times reported, it was quite a bit more serious than that: Myanmar military personnel, under Min Aung Hlaing's command, "turned the social network into a tool for ethnic cleansing."

Mark Zuckerberg

Min Aung Hlaing and his subordinates were the ones using Facebook in the service of genocide. But it was Facebook that let them get away with it for so long, just as it was Facebook that was slow to recognize Russian efforts to destabilize US democracy in 2016, and Facebook that let 30 million users get hacked with a vulnerability that took a year and a half to discover and fix. In fairness, many of the woes Facebook has faced in 2018 consist of revelations and repercussions of how the platform operated years ago, rather than today.