Showing posts with label Exfiltration. Show all posts

Monday, January 7, 2019

Email continues to be the favorite attack vector, even for "Nation State Attacks" - the APT10 (Chinese hacker) group used the same method with a twist and were successful. They targeted MSPs (not their direct targets) to reach industries as varied as banking and finance, biotech, consumer electronics, health care, manufacturing, oil and gas, and telecommunications, and ultimately made off with hundreds of gigabytes of data from dozens of companies.




As usual, it just starts with a carefully crafted email. “C17 Antenna problems,” read the subject line of one APT10 message that hit the inbox of a helicopter manufacturer, part of the 2006 campaign. The body copy was a simple request to open the attached file, a Microsoft Word doc called “12-204 Side Load Testing.” Once someone opens the attachment, it is game over.


The malware posed as legitimate on a victim’s computer to avoid antivirus detection, and communicated with any of the 1,300 unique domains APT10 registered for the campaign.

APT10 hackers put themselves in a position where they not only had access to MSP systems, but could move through them as an administrator might. Using those privileges, they would initiate what’s known as Remote Desktop Protocol connections with other MSP computers and client networks.

The hackers would encrypt the data and use stolen credentials to move it to a different MSP or client system before jettisoning it back to an APT10 IP address. They’d also delete the stolen files from the compromised computers, all in an effort to avoid detection. Any time a private security company would identify APT10 domains, the group would quickly abandon them and move on to others.

https://www.wired.com/story/doj-indictment-chinese-hackers-apt10/

Tuesday, April 22, 2014

Jailbroken iPhones have a new app "UNFLOD" - malware that steals Apple passwords.



According to the article:-

Readers reported their jailbroken iOS devices recently started experiencing repeated crashes, often after installing jailbroken-specific customizations known as tweaks that were not a part of the official Cydia market, which acts as an alternative to Apple's App Store.

Security researcher Stefan Esser has performed what's called a static analysis on the binary code that the Reddit users isolated on compromised devices. In a blog post reporting the results, he said Unflod hooks into the SSLWrite function of an infected device's security framework. It then scans it for strings accompanying the Apple ID and password that's transmitted to Apple servers. When the credentials are found, they're transmitted to attacker-controlled servers.

Reddit readers said Unflod infections can be detected by opening the SSH/Terminal and searching the folder /Library/MobileSubstrate/DynamicLibraries for the presence of the Unflod.dylib file. Compromised devices may possibly be disinfected by deleting the dynamic library, but since no one so far has been able to figure out how the malicious file is installed in the first place, there's no guarantee it won't somehow subsequently reappear.
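The check described above, written out as a small shell function a defender could run over SSH on a jailbroken device (an added example, not code from the article or from this blog): it lists every library in the MobileSubstrate directory, flags the Unflod.dylib name the article gives, and additionally reports any library not on an optional allowlist of tweaks you expect to be installed. The allowlist file format (one .dylib name per line) and the exit-code convention are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit MobileSubstrate dynamic libraries on a jailbroken iOS device.
# Usage: scan_substrate_dir [DIR] [ALLOWLIST_FILE]
#   DIR            directory to inspect (default: the path named in the article)
#   ALLOWLIST_FILE optional file listing one expected .dylib name per line (assumed format)
# Prints one line per library and returns 2 if Unflod.dylib is present,
# 1 if only unlisted libraries were found, 0 if everything is expected,
# 3 if the directory does not exist.

SUBSTRATE_DIR_DEFAULT=/Library/MobileSubstrate/DynamicLibraries
KNOWN_BAD=Unflod.dylib   # the only indicator the article provides

scan_substrate_dir() {
    dir=${1:-$SUBSTRATE_DIR_DEFAULT}
    allow=${2:-}
    status=0
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 3; }
    for lib in "$dir"/*.dylib; do
        [ -e "$lib" ] || continue          # the glob matched nothing
        name=$(basename "$lib")
        if [ "$name" = "$KNOWN_BAD" ]; then
            echo "MALICIOUS $lib"
            status=2
        elif [ -n "$allow" ] && ! grep -qx "$name" "$allow"; then
            echo "UNLISTED  $lib"            # not in the allowlist: review it
            [ "$status" -eq 0 ] && status=1
        else
            echo "ok        $lib"
        fi
    done
    return "$status"
}

# Stand-alone use on the device (uncomment): scan the real directory with no allowlist.
# scan_substrate_dir "$SUBSTRATE_DIR_DEFAULT"
```

Deleting the flagged file is the disinfection step the article mentions; re-run the check afterwards, since the article notes the file may reappear.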


The link below has more information:-