U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Operation Black Atlas, PoS malware is flooding network worldwide

Trend Micro uncovered a large-scale operation dubbed Black Atlas operation, in reference to notorious BlackPOS PoS malware. It’s Christmas time also for crooks, in this period the number of credit card breaches and scams increases with alarming punctuality. In the US, we use to assist an increase of credit card breaches involving PoS malware, last victims in […]

Operation Black Atlas, PoS malware is flooding network worldwide

Trend Micro uncovered a large-scale operation dubbed Black Atlas operation, in reference to notorious BlackPOS PoS malware.

It’s Christmas time also for crooks, in this period the number of credit card breaches and scams increases with alarming punctuality. In the US, we use to assist an increase of credit card breaches involving PoS malware, last victims in order of time are Hilton Hotel and Starwood hotel chains.

In the last weeks, security experts detected a number of new threats in the wild such as Cherry PickerModPoS, and Pro Pos.

Not only US retailers are at risk, new threat seeks out PoS systems within targeted networks, small and medium sized business networks all over the world belonging to any  various industries.

Experts at Trend Micro uncovered a large-scale operation dubbed operation Black Atlas, in reference to notorious BlackPOS PoS malware that is the threat primarily used in these attacks.

My readers will surely remember that BlackPOS, also known as  Kaptoxa, was the malware used during the Target breach in 2013 and attacks on retail accounts in 2014.

Threat actors behind the operation have developed a set of hacking tools used in their operations.

“Operation Black Atlas has been around since September 2015, just in time to plant its seeds before the holiday season. Its targets include businesses in the healthcare, retail, and more industries which rely on card payment systems.” reads a blog post published by Trend Micro. “The operation is run by technically sophisticated cybercriminals who are knowledgeable in a variety of penetration testing tools and possess a wide network of connections to PoS malware in the underground market.”

Malware utilized in Black Atlas included a number of popular PoS malware, including Alina, NewPOSThings, a Kronos backdoor, and of course the BlackPOS threat.

Bad actors behind the Black Atlas operation have been able to steal user login credentials of the victims, email accounts, and other sensitive information. The experts also discovered a live video feed of closed-circuit television (CCTV) cameras in a gasoline station, evidence that crooks are collecting whatever information is available.

“Similar to GamaPoS, the Black Atlas operators employed a “shotgun” approach to infiltrate networks as opposed to zeroing in on specific targets. They basically checked available ports on the Internet to see if they can get in, ending up with multiple targets around the world.” continues the post.

The experts at Trend Micro observed that Black Atlas operators used the botnet Gorynych or Diamond Fox in a number of installations.

In the following image has reported the distribution of Gorynych targets in Operation Black Atlas.

Black Atlas operation 001

The Operation Black Atlas involved numerous healthcare organization in the US, the experts explained that threat actors use to run an initial  intelligence gathering or reconnaissance activity to identify the best system to compromise, that they used the tools to run the attack (i.e. Brute force or dictionary attack).

“Networks with weak password practices are likely to fall victim to this initial penetration testing stage. Many of these tools are easily downloaded from various sites on the Internet. The cybercriminals will then create a test plan based on the initial probe, and then use a second set of tools to execute the said plan.”

Black Atlas _02

In the attack stage the crooks utilized remote access tools to steal more information and move laterally within the network, one inside they inject the PoS threats.

Trend Micro announced it will provide further details about the Black Atlas Operation.

Pierluigi Paganini

(Security Affairs – Black Atlas Operation, Pos Malware botnet)