AT&T insider ring charged with unlocking over 2M phones

Plus, two new ransomware strains and another important reminder to change IoT passwords.

A seven-year mystery surrounding the unlocking of over 2 million AT&T phones has culminated in the arrest and trial of 34-year-old Muhammad Fahd. Wired reported that Fahd stands accused of bribing AT&T employees to unlock phones – an illegal uncoupling of the phone from the AT&T service, thereby allowing the device to function with any carrier. 

The Department of Justice alleges that Fahd and a partner began recruiting AT&T employees in 2012, offering them money to unlock phones. As the scheme went on, Fahd allegedly had the insiders also plant malware in the AT&T system. The first wave of malware was designed simply to observe how the system worked. Armed with that knowledge, Fahd is charged with developing a second wave that allowed him to unlock phones remotely. AT&T soon discovered the malware in its system and fired several employees, but Fahd is charged with continuing to recruit workers for several years. The DOJ estimates Fahd paid in excess of $1 million to insider accomplices. Fahd was finally arrested in Hong Kong in February 2018. He was extradited to the U.S. this month, and his case is being heard in a Seattle federal court.

GermanWiper destroys files but still demands ransom 

A new ransomware strain has been confronting users in Germany since July 31, reported ZDNet. Researchers have dubbed the new malware GermanWiper: first, because it appears to be limiting its attacks to German-speaking countries, and second, because it wipes out the data in the files it claims to ransom. Instead of encrypting files and holding them until the victim pays, GermanWiper overwrites their contents, destroying the original data. This means that even victims who pay the ransom are unable to retrieve their files.

The ransomware is spread through an email scam purporting to be a job application from an attractive woman. A ZIP file labeled as the woman’s resume is attached, but it is actually a malicious file that downloads GermanWiper. Once on the machine, the ransomware targets local files, wipes out their content, then launches the ransom note in the victim’s browser. Victims are told to pay within seven days, and the ransom note, of course, makes no mention that their data has already been destroyed.

Avast has stopped GermanWiper from the beginning, says Avast Security Evangelist Luis Corrons. “We have detected and blocked more than 1,300 GermanWiper attacks since the malware campaign started. 96% of attacks were in Germany, followed by Austria and Switzerland.”

This week’s stat

70% of businesses infected with ransomware have paid ransom to regain access to business data and systems, a survey found. Read more in “How ransomware rose to become an enduring scourge.”

MegaCortex ransomware just got automated

Ransomware that caused costly damage to organizations throughout North America and Europe over the past year has shown up in a new iteration, Dark Reading reported. MegaCortex is a sophisticated ransomware designed to target large enterprises for high-priced payouts, including one ransom demand for $5.8 million. The new version of MegaCortex has features that make it both easier for a cybercriminal to use and harder for a security network to detect. 

One critical difference is that the original version required the attacker to manually enter a password in order to execute the final stage of the attack, while this new version does not. Because this more automated MegaCortex does not require as much time or attention from the attacker, researchers worry there may be a spike in its usage. The new version also includes several anti-analysis features, making it harder to detect in real time while it is infecting a system. 

This week’s quote

“This active arms race makes AI in security particularly challenging. We must teach our AI to look for those disguised threats, and always stay a step ahead.” – Rajarshi Gupta and Sadia Afroz in “AI vs. AI – a fascinating slice of the future of cybersecurity.”

STRONTIUM targets corporate IoT

Cybersecurity researchers found evidence that the Russian hacking group STRONTIUM gained access to corporate networks by hacking company IoT devices. SC Magazine reported that STRONTIUM hacked Voice over Internet Protocol phones, office printers, and video decoders to gain initial access to the corporate networks. From those devices, the hackers found other connected devices and areas of the network. They moved through the network this way, device by device, in search of valuable data. The hacking group was able to compromise those IoT devices that hadn’t been updated and those that still had their default passwords. “IoT devices in businesses increase the attack surface, and attackers can use them as a point of entrance. It is essential to have all devices protected with strong credentials, and to have them updated to fix any known security holes,” Corrons said.

This week’s ‘must-read’ on The Avast Blog

Microsoft, Facebook and Google have all come out in support of bringing GDPR-style regulation to the U.S. Are they right? Kevin Townsend answers the question “Does the U.S. need its own privacy law?”

Learn more about products that protect your digital life at avast.com. And get all the latest news on today's cyberthreats and how to beat them at blog.avast.com. Avast is a global leader in cybersecurity, protecting hundreds of millions of users around the world. Protect all of your devices with our award-winning free antivirus. Safeguard your privacy and encrypt your online connection with SecureLine VPN.