Cybersecurity Operational Tests And Assessments – US Defence can’t check F-35 data due to insecure systems
Cybersecurity Operational Tests And Assessments conducted by the US Defence are essential to improve overall security … and discover that US Govt can’t check F-35 data due to insecure systems.
It is difficult to understand the importance of concept like information sharing when dealing with daily work, but officers at the Pentagon are learning at their own expense. The Pentagon is currently unable to check in on key maintenance of the F-35 joint strike fighter (JSF) because the data are stored in an insecure database managed by the Giant Lockheed Martin.
The precious information related to F-35 components and air-frame maintenance data is contained in the database that is non-compliant with August US Cyber Command security requirements, for this reason, the Government personnel cannot access the archive from government networks.
According to the “FY 2015 Annual Report for the Office of the Director, Operational Test & Evaluation,” the Government staff cannot access non-compliance systems via government networks for security reasons.
Michael Gilmore, Defense Department operational test and evaluation chief, also discovered a number of security issues affecting the Defence architectures, including misconfigured and unpatched systems, and poorly authentication process.
This is disconcerting is we consider the effort of the Department of Defense (DOD) in the Cybersecurity Operational Tests And Assessments In FY15.
“DOD cyber teams include organizations that provide OPFOR aggressors (Red Teams) as well as penetration testers and teams that perform other cybersecurity assessments (Blue Teams). DOT&E guidance establishes data and reporting requirements for cyber team involvement in both operational tests of acquisition systems and exercise assessments. The demand on DOD-certified Red Teams, which are the core of the cyber OPFOR teams, has increased significantly in the past 3 years.” states a report on cyber security and operational tests “In the same timeframe, the Cyber Mission Force and private sector have hired away members of Red Teams, resulting in staffing shortfalls at a time when demand is likely to continue to increase. This trend must be reversed if the DOD is to retain the ability to effectively train and assess DOD systems and Service members against realistic cyber threats.”
Despite the Defence is largely investing in operational tests, it often limits the red teams full scope to operate as opposing forces (OPFOR) during training because it fears possible effects.
“DOT&E believes the reluctance by Combatant Commands (CCMDs) and Services to permit realistic cyber effects during major exercises is due to the requirement to achieve numerous other training objectives in those exercises. Additionally, exercise authorities have stated they fear that cyber attacks could distract from—and possibly preclude—achieving these objectives. “
This is a totally wrong approach, threat actors would attack Defense and mission-critical systems by using any method and in any moment, it is important to stress systems in an attempt to find flaws before the intruders.
Gilmore explained that Defence red teams, read OPFOR (opposing forces in war games), are deployed in only the most security-savvy organisations.
“In order to attain a high state of mission readiness, CCMDs (Combatant Commands) and supporting defenders should conduct realistic tests and training that include cyber attacks and effects representative of those that advanced nation states would execute,” Gilmore writes.
Training effort and cyber security assessments are crucial to have an architecture resilient to cyber attacks, the US government is aware of this and has already planned cyber security tests in 2016.
Wikileak's Julian Assange Could Be Set Free On Friday by United Nation
The decision of the United Nations investigation into the Julian Assange case is set to be revealed and could order the release of Wikileaks founder on February 5.
"BREAKING: UN set to announce decision on #Assange's release on Friday,"BREAKING: UN set to announce decision on #Assange's release on Friday," Wikileaks has tweeted.
Assange has been living in the Ecuadorian embassy in London for over 3 years, after being granted political asylum by the Ecuadorian government of the South American country.
Assange has been residing in the embassy since 2012 to avoid extradition:
First to Sweden where he is facing sexual assault allegations, which he has always denied.
Ultimately to the United States where he could face cyber espionage charges for publishing classified US military and diplomat documents via his website Wikileaks.
The leak of publishing secret documents has amounted to the largest information leak in United States history. The US also launched a criminal case against Assange following the leak.
However, Assange filed a complaint against Sweden and the United Kingdom in September 2014 that has been considered by the UN Working Group on Arbitrary Detention.
The decision on the case will be published on Friday, and if the group concludes that Assange is being illegally detained, the UN is expected to call on the UK and Sweden to release him.
Hidden tear and its spin offs
2.2.2016 Zdroj: Kaspersky
A while ago Turkish security group Otku Sen created the hidden tear ransomware and published the source code online. Idea behind it was to “teach” security researchers how ransomware works. Right from the beginning the reaction of various security professionals was negative. And we were right, it didn’t take long before the first ransomware variants arrived based on the hidden tear source code (, ) and of course, things escalated a bit.
Wondering what else there was, I decided to analyze the samples in the Trojan-Ransom.MSIL.Tear class and was amazed to find 24 additional samples.
The spin offs
Hidden tear only encrypts files located on the user’s desktop in the “\test” directory. If such a directory doesn’t exist, then no files are encrypted and no harm is done. In one of the first samples we classified as hidden tear Trojan-Ransom.MSIL.Tear.c, they removed the “\test” directory, so in this case all the files (with a certain extension) located on the Desktop are encrypted.
Another sample, Trojan-Ransom.MSIL.Tear.f calls itself KryptoLocker. According to the message, public key cryptography was used, but when we look at the code, we see something different. The author also didn’t use a CnC this time, but asked the victims to e-mail him, so he could ask for the ransom.
The next variants, Trojan-Ransom.MSIL.Tear.g and Trojan-Ransom.MSIL.Tear.h , are the first versions that use a proper CnC (previous samples used a server with an internal IP address as the CnC server). Other samples, such as Trojan-Ransom.MSIL.Tear.i and Trojan-Ransom.MSIL.Tear.k share the same CnC, while Trojan-Ransom.MSIL.Tear.j uses another one.
Interesting is also Trojan-Ransom.MSIL.Tear.m. This variant is specifically looking for files located in the “Microsoft\Atom” directory.
Variants Trojan-Ransom.MSIL.Tear.n , Trojan-Ransom.MSIL.Tear.o, Trojan-Ransom.MSIL.Tear.p, Trojan-Ransom.MSIL.Tear.q, on the other hand just encrypt your files and doesn’t store the key anywhere.
Variants Trojan-Ransom.MSIL.Tear. r to Trojan-Ransom.MSIL.Tear.v are all more or less the same. The location of the c2 is often example.com. This of course does not work.
The last samples, Trojan-Ransom.MSIL.Tear.w, Trojan-Ransom.MSIL.Tear.x and Trojan-Ransom.MSIL.Tear.y all store the password on the hard drive and was also described earlier here.
As always, when malware gets open sourced, we see an increase in variants of that specific malware. We can therefore conclude that hidden tear completely missed its purpose. Researchers don’t need hidden tear to understand how ransomware works. Luckily enough, in this case, the copy cats didn’t fix the bugs in hidden tear. Therefore it is actually possible (with some computation) to recover your key and decrypt your files for free. More worrisome is when copy cats use well developed and sophisticated malware and start using that.
The samples discussed in this post were all samples that were not often spotted in the wild. This means the number of victims remains relatively low.
Nevertheless, bugs can be fixed and the malware can be enhanced without much effort. After this point, it is just waiting for future victims who might lose their files forever.
NASA HACKED! AnonSec tried to Crash $222 Million Drone into Pacific Ocean
Once again the Red Alarm had been long wailed in the Security Desk of the National Aeronautics and Space Administration (NASA).
Yes! This time, a serious hacktivism had been triggered by the Hacking group named "AnonSec" who made their presence in the cyber universe by previous NASA Hacks.
The AnonSec Members had allegedly released 276 GB of sensitive data which includes 631 video feeds from the Aircraft & Weather Radars; 2,143 Flight Logs and credentials of 2,414 NASA employees, including e-mail addresses and contact numbers.
The hacking group has released a self-published paper named "Zine" that explains the magnitude of the major network breach that compromised NASA systems and their motives behind the leak.
Here’s How AnonSec Hacked into NASA
The original cyber attack against NASA was not initially planned by AnonSec Members, but the attack went insidious soon after the Gozi Virus Spread that affected millions of systems a year ago.
After purchasing an "initial foothold" in 2013 from a hacker with the knowledge of NASA Servers, AnonSec group of hackers claimed to pentested the NASA network to figure out how many systems are penetrable, the group told InfoWar.
Bruteforcing Admin's SSH Password only took 0.32 seconds due to the weak password policy, and the group gained further indoor access that allowed it to grab more login information with a hidden packet sniffing tool.
They also claimed to successfully infiltrate into the Goddard Space Flight Center, the Glenn Research Center, and the Dryden Research Center.
Hacker Attempted to Crash $222 Million Drone into the Pacific Ocean
Three NAS Devices (Network Attached Storage) which gathers aircraft flight log backups were also compromised, rapidly opening a new room for the extended hack:
Hacking Global Hawk Drones, specialized in Surveillance Operations.
Hackers have tried to gain the control over the drone by re-routing the flight path (by Man-in-the-Middle or MitM strategy) to crash it in the Pacific Ocean, but…
…the sudden notification of a security glitch in the unusual flight plan made the NASA engineers to take the control manually that saved their $222.7 Million drone from drowning in the ocean.
This hacking attempt had happened due to the trivial routine of drone operators of uploading the drone flight paths for the next fly, soon after a drone session ends.
After this final episode, AnonSec lost their control over the compromised NASA servers and everything was set to normal by NASA engineers as before.
This marked the attack's magnitude at a steep height by infecting into other pipelines of NASA, leading to this nasty situation.
However, in a statement emailed to Forbes, NASA has denied alleged hacking incident, says leaked information could be part of freely available datasets, and there is no proof that a drone was hijacked.
“Control of our Global Hawk aircraft was not compromised. NASA has no evidence to indicate the alleged hacked data are anything other than already publicly available data. NASA takes cybersecurity very seriously and will continue to fully investigate all of these allegations.”
Why Did AnonSec Hack into NASA?
If you are going to point your fingers against the AnonSec Hackers, then Wait! Here's what the group of hackers wants to highlight:
"One of the main purposes of the Operation was to bring awareness to the reality of Chemtrails/CloudSeeding/Geoengineering/Weather Modification, whatever you want to call it, they all represent the same thing."
"NASA even has several missions dedicated to studying Aerosols and their affects (sic) on the environment and weather, so we targeted their systems."
And Here's What NASA was actually doing:
Cloud seeding: A weather alteration method that uses silver iodide to create precipitation in clouds which results to cause more rainfall to fight carbon emission which ultimately manipulates the nature.
Geoengineering: Geoengineering aims to tackle climate change by removing CO2 from the air or limiting the sunlight reaching the planet.
Similar projects are running on behalf of the US Government such as Operation Icebridge [OIB], Aerosol-Cloud-Ecosystem (ACE) which are dedicated to climate modeling.
This security breach would be a black label for the Security Advisory Team of NASA and became a warning bell to beef up the security.
They Named it — Einstein, But $6 Billion Firewall Fails to Detect 94% of Latest Threats
The US government's $6 Billion firewall is nothing but a big blunder.
Dubbed EINSTEIN, the nationwide firewall run by the US Department of Homeland Security (DHS) is not as smart as its name suggests.
An audit conducted by the United States Government Accountability Office (GAO) has claimed that the firewall used by US government agencies is failing to fully meet its objectives and leaving the agencies open to zero-day attacks.
EINSTEIN, which is officially known as the US' National Cybersecurity Protection System (NCPS) and has cost $5.7 Billion to develop, detects only 6 percent of today's most common security vulnerabilities and failed to detect the rest 94 percent.
How bad is EINSTEIN Firewall in reality?
In a series of tests conducted last year, Einstein only detected 29 out of 489 vulnerabilities across Flash, Office, Java, IE and Acrobat disclosed via CVE reports published in 2014, according to a report [PDF] released by the GAO late last year.
Among the extraordinary pieces of information revealed are the fact that the system is:
Unable to monitor web traffic for malicious content.
Unable to uncover malware in a system.
Unable to monitor cloud services either.
Only offers signature-based threat and intrusion detection, rather than monitoring for unusual activity.
Yes, Einstein only carries out signature-based threat and intrusion detection, which means the system acts like a dumb terminal that waits for the command what to find, rather than to search itself for unusual activity.
Einstein Uses Outdated Signatures Database
In fact, more than 65 percent of intrusion detection signatures (digital fingerprints of known viruses and exploit code) are outdated, making Einstein wide open to recently discovered zero-day vulnerabilities.
However, in response to this, DHS told the office Einstein was always meant to be a signature-based detection system only. Here's what the department told the auditors:
"It is the responsibility of each agency to ensure their networks and information systems are secure while it is the responsibility of DHS to provide a baseline set of protections and government-wide situational awareness, as part of a defense-in-depth information security strategy."
Einstein is Effectively Blind
If this wasn't enough to figure out the worth of the $6 Billion firewall, Einstein is effectively Blind.
The Department of Homeland Security (DHS), which is behind the development of Einstein, has not included any feature to measure the system's own performance, so the system doesn't even know if it is doing a good job or not.
So, "until its intended capabilities are more fully developed, DHS will be hampered in its abilities to provide effective cybersecurity-related support to federal agencies," reads the report.
Einstein was actually developed in 2003 to automatically monitor agency network traffic, and later in 2009 expanded to offer signature-based detection as well as malware-blocking abilities.
Most of the 23 agencies are actually required to implement the firewall, but the GAO found that only 5 of them were utilising the system to deal with possible intrusions.
Despite having spent $1.2 Billion in 2014 and $5.7 Billion in total project, Einstein still only monitors certain types of network flaws along with no support for monitoring web traffic or cloud services.
DropboxCache Backdoor, a new Cross-Platform threat
Security experts at Kaspersky Lab have discovered a new Cross-Platform backdoor dubbed DropboxCache Backdoor ported from Linux to Window.
Security experts at Kaspersky Lab have discovered a new Cross-Platform backdoor dubbed DropboxCache (Backdoor.Linux.Mokes.a), initially affecting Linux systems and now migrated to Windows. The backdoor allows attackers to gain complete control over the victim’s machine, it also implements a capture audio feature. To achieve the portability of the DropboxCache backdoor, authors have used C++ and Qt, a common choice in the development community.
The experts at Kaspersky noticed that the authors didn’t put effort into implement obfuscating techniques, the analysis of the source code allowed investigators to find the IP address of the command and control (C&C) server hardcoded into the source code, the malware contact the server every minute.
The authors digitally signed the code with a trusted certificate issued by COMODO RSA Code Signing CA, but Kaspersky did reveal the name of the entity that issued the certificate.
“Next, it connects to its hardcoded C&C Server. From this point, it performs an http request every minute. This “heartbeat” request replies with a one-byte image. To upload and receive data and commands, it connects to TCP port 433 using a custom protocol and AES encryption.”
A few days ago, the experts spotted a second backdoor called OLMyJuxM.exe(Backdoor.Win32.Mokes.imv) infecting Windows machine. The analysis of this strain of malware allowed the experts at Kaspersky to discover that this backdoor is a 32-bit Windows variant of the DropboxCache backdoor.
“Just a few days ago, we came across a rather familiar looking sample, although it was compiled for machines running Microsoft Windows. It quickly turned out to be a 32-bit Windows variant of Backdoor.Linux.Mokes.a.” continues the post.
The Windows variant of the DropboxCache backdoor uses the same filename templates to save the obtained audio captures, screenshot, keylogs and other data. Unilike the Linux variant, the strain for Windows enable the Keylogging feature at the startup.
What about the future?
Experts speculate that we will find soon a Mac OS X variant in the wild.
Bezpečnější firemní data v soukromých mobilech slibuje novinka Sophosu
Dostupnost řešení Mobile Control 6.0, řešení pro správu podnikové mobility, oznámil Sophos. Novinkou je mj. kontejnerové řešení Secure Email, které na mobilních zařízeních chrání podniková data a izoluje je od soukromých informací.
Secure Email je kontejnerové řešení pro správu osobních informací (personal information management, PIM), tedy elektronické pošty, kalendářů i kontaktů. Díky oddělení osobních a firemních informací mohou organizace zajistit ochranu svých dat bez jakéhokoli dopadu na soukromí uživatelů. IT administrátoři mohou zpřístupnit elektronickou poštu na mobilních zařízeních zaměstnanců vzdáleně, a to na všech hlavních platformách včetně iOS, Windows 10 Mobile i různých verzích operačního systému Android.
Zdokonalení se dočkalo i řešení Secure Workspace, jehož součástí je nově i prohlížeč Corporate Browser, díky kterému je přístup k často používaným firemním stránkám i aplikacím jednoduchý a bezpečný. Řešení zajišťuje zaměstnancům bezproblémový a bezpečný přístup k dokumentům včetně podpory týmové spolupráce kdykoliv je potřeba.
V případě cloudových úložišť jako je Dropbox, Google Drive, Microsoft OneDrive nebo Egnyte mají navíc uživatelé pod kontrolou jak přístupová, tak i publikační práva. A díky vestavěné podpoře šifrování souborů Safeguard pak mohou uživatelé dokumenty a data přenášet bezpečně mezi mobilními zařízeními, cloudovými úložišti i firemními koncovými body.
Mobile Control 6.0 vedle malwaru a potenciálně nežádoucích aplikací dokáže detekovat i zařízení se systémem odemčeným pomocí tzv. jailbreakingu nebo rootování. Nová verze odstíní infikovaná a nekompatibilní zařízení od firemní sítě jako celku a automaticky zablokuje přístup na škodlivé nebo nežádoucí webové stránky.
Funkce řešení Sophos Mobile Control 6.0 podle výrobce:
Bezpečné oddělení podnikové a osobní elektronické pošty, kalendářů a kontaktů
Šifrování souborů umožňující bezpečný přesun dat mezi mobilními zařízeními a cloudovými úložišti
Vyšší produktivita zaměstnanců díky bezpečnému prohlížeči
Komplexní podpora zařízení
Google Patches Critical Remotely-exploitable Flaws in Latest Android Update
Google has released the February Security Update for Android that patches multiple security vulnerabilities discovered in the latest version of Android operating system.
In total, there were five "critical" security vulnerabilities fixed in the release along with four "high" severity and one merely "moderate" issues.
Remote Code Execution Flaw in WiFi
A set of two critical vulnerabilities has been found in the Broadcom WiFi driver that could be exploited by attackers to perform Remote Code Execution (RCE) on affected Android devices when connected to the same network as the attacker.
The vulnerabilities (CVE-2016-0801 and CVE-2016-0802) can be exploited by sending specially crafted wireless control message packets that can corrupt kernel memory, potentially leading to remote code execution at the kernel level.
"These vulnerabilities can be triggered when the attacker and the victim are associated with the same network," reads the advisory. "This issue is rated as a Critical severity due to the possibility of remote code execution in the context of the kernel without requiring user interaction."
Remote Code Execution Flaw in Mediaserver
Another set of two critical security vulnerabilities were discovered in Mediaserver that was targeted last summer by critical Stagefright vulnerabilities and exploits, allowing anyone to compromise an Android device by sending just a specially crafted MMS message.
The recently discovered flaws (CVE-2016-0803 and CVE-2016-0804) in Mediaserver could enable remote code execution (RCE) on affected Android devices through email, web browsing, or MMS files when processing media files.
Moreover, a separate vulnerability called elevation of privilege (CVE-2016-0810) was also discovered in Mediaserver that could be exploited to gain elevated capabilities, including Signature or SignatureOrSystem permissions privileges, that aren’t accessible to third-party apps.
Two Elevation of Privilege vulnerabilities has also been found in Qualcomm components: the Qualcomm Performance Module (CVE-2016-0805) and the Qualcomm Wi-Fi Driver (CVE-2016-0806). Both the flaws, rated as critical, leveraged an attacker to launch further attacks.
Another critically rated bug (CVE-2016-0807) discovered in the Debuggerd component could open the door to execute arbitrary code within the device's root level. Debuggerd is a software tool used for debugging and analyzing Android crashes.
Other high severity bugs include:
An elevation of privilege vulnerability in the Android Wi-Fi component
A denial-of-service vulnerability in the Minikin library
An information disclosure bug in libmediaplayerservice
The final set of vulnerabilities is an Elevation of Privilege flaw in Setup Wizard that could allow a hacker to bypass the Factory Reset Protection and gain access to the affected device.
All the Security patches are currently made available for Nexus devices only. Google also shared the patches with carrier and manufacturer partners on January 4, but users of other Android devices should have to wait until their devices receive an update.
Nexus device users are advised to patch the flaws by flashing their devices to this new build immediately. Users can also wait for the OTA (Over-the-Air) update that will be out in the next week or so.
Microsoft Starts automatically Pushing Windows 10 to all Windows 7 and 8.1 Users
As warned last year, Microsoft is pushing Windows 10 upgrades onto its user's PCs much harder by re-categorizing Windows 10 as a "Recommended Update" in Windows Update, instead of an "optional update."
Microsoft launched Windows 10 earlier last year and offered the free upgrade for Windows 7 and Windows 8 and 8.1 users. While the company has been successful in getting Windows 10 onto more than 200 Million devices, Microsoft wants to go a lot more aggressive this year.
So, If you have enabled Automatic Windows Update on your Window 7, 8 or 8.1 to install critical updates, like Security Patches, you should watch your steps because…
...From Monday, Windows Update will start upgrading your PC to the newest Windows 10 as a recommended update, Microsoft confirmed.
Must Read: How to Stop Windows 7 or 8 from Downloading Windows 10 Automatically.
This means Windows 10 upgrade process will download and start on hundreds of millions of devices automatically.
The move is, of course, the part of Microsoft's goal to get Windows 10 running on 1 Billion devices within 2-3 years of its actual release.
Market Share of Windows 10 is on the rise. It has already grabbed a market share of 11.85% as of January 2016, increasing from 9.96% in December. But, Windows 7 is still running on over 50% of all PCs in the world, so targeting even half of its user base would bring Microsoft very near to its goal.
"As we shared in late October on the Windows Blog, we are committed to making it easy for our Windows 7 and Windows 8.1 customers to upgrade to Windows 10," a Microsoft spokesperson said. "We updated the update experience today to help our clients, who previously reserved their upgrade, schedule a time for their upgrade to take place."
Also Read: If You Haven't yet, Turn Off Windows 10 Keylogger Now.
This means if the 'Give me recommended updates the same way I receive important update' option in Windows Update section is enabled on your PC, the Windows 10 update will not only be downloaded but also, the installation will be started automatically.
You are also required to stay alert because even if you have adopted manual updates you may still end up downloading Windows 10 anyway. As Windows Update is automatically pre-selecting the option for you, without your need to click on the box to get it.
Must Read: Just Like Windows 10, Windows 7 and 8 Also Spy on You – Here's How to Stop Them.
However, the company says that you won't be forced to upgrade the creepy OS as there will still be a prompt window that will require you to click through and confirm the Windows 10 upgrade after the files have silently been downloaded and unpacked in the background.
Even if the Windows 10 upgrade is accidentally completed, there is still a way to opt out of it. Microsoft is offering a 31 day grace period in which you will be able to revert to your old installation after trying Windows 10 and deciding you not like the operating system.
Though we know this revert will also be an aggressive push by Microsoft.
NASA hacked by AnonSec that hijacked a $222m Global Hawk drone
Anonsec group hacked NASA network and released a data dump of data online. The hackers also hijacked a Global Hawk drone.
Hackers belonging to the AnonSec group have released online 250GB of data stolen from systems at the NASA, the hackers revealed to have hijacked a drone the Agency uses to run high-altitude testing and sampling missions.
“So yeah, we know what you’re thinking, hacking NASA? How fucking cliche… If only I had a Dogecoin for every time someone claimed that, amiright?” the group wrote on PasteBin. ” Its like the boy who cried wolf but with hacking NASA instead lol But you might be surprised how low govt security standards can be, especially with a limited budget and clueless boomers controlling the network. NASA has been breached more times than most people can honestly remember (our favorites were Gary McKinnon && Mendax’s milw0rm) //you know, when people used to have legit reasons for their hacks. Reasons from searching for hidden evidence of UFO technology to protesting use of Uranium based rocket fuel ^_^”
The stolen data includes names, email addresses and numbers of 2,414 NASA employees, as well as more than 2,000 flight logs and 600 video feeds from the aircraft used by the NASA during its missions.
The Anonsec hackers haven’t hacked the NASA systems, they revealed to have paid other hackers for the access to an agency system. Anonsec gained a user account running on a fully patched version of Debian, but the group used it for lateral movements inside the systems at the Agency.
Also in this case, poor security advantaged the work of the hackers that scanned the NASA network searching for accounts using the login and password “root.”
Surprisingly it took only a few tenths of a second to find systems with so poor configurations, by exploiting these systems the hackers designed a map of NASA network.
The Anonsec hackers breached the networks at the NASA’s Glenn Research Center, Goddard Space Flight Center, and Dryden Flight Research Center.
Scanning the networks they were able to gain full root access to three network-attached storage (NAS) devices used by the Agency to store the aircraft flight logs.
The Anonsec group seems to be interested in finding evidence of the chemtrail conspiracy theory. According to the theory, some governments are using aircraft to spread chemical or biological agents to influence the weather for various purposes, including the war.
“One of the main purposes of the Operation was to bring awareness to the reality of Chemtrails/CloudSeeding/Geoengineering/Weather Modification, whatever you want to call it, they all represent the same thing. NASA even has several missions dedicated to studying Aerosols and their affects (sic) on the environment and weather, so we targeted their systems,” the group states.
The hacking crew speculates that the US government is distributing heavy metals throughout the atmosphere to control the weather, but these chemical agents have a devastating effect on the human health.
The group explicitly refers GeoEngineering and Genetically Modified Organisms(GMOs) produced by Monsanto.
“Here is a patent titled “Stress tolerant plants and methods thereof,” that is owned by Monsanto, and seems to address all forms of abiotic stress that weather manipulation and chemtrails can cause: Monsanto Drought and Abiotic Resistant Corn http://www.google.com/patents/US7851676“
“Since organic plants (non-GMO) can’t grow in harsh environments like GMOs they are forced to use Monsanto’s seeds,” the group said.
“However they are Terminator Seeds, which means they don’t reproduce any usable seeds for the farmer, they have to keep buying more. So no more independent farmers and Monsanto controls a majority of the food supply through the farmers.”
The group claimed to have hijacked a Global Hawk drone used by the NASA while it was on a flight over the Pacific.
According to the hackers the hack of the drone was quite easy, they discovered that the Global Hawk UAV follows a flight plan provided by the control center, it is a .gpx file uploaded to the vehicle.
It was a joke for the hackers to write their own flight plan and upload it to the drone. The hackers tried to force the crashing of the drone into the sea, but the controllers at the NASA noticed changes in the path and took manual control avoiding problems and locking out of the hackers from the system.
Default conf on Apache Web servers can de-anonymize your hidden service
A default setting in Apache Web servers can de-anonymize the hidden service allowing an attacker to obtain details on the hosting.
An unknown student has discovered a serious issue in Apache Web Server that could potentially de-anonymize .onion-domains and servers hidden behind the Tor-network. The student already reported the issue to the Tor Project development team for some months
“Tor makes it possible for users to hide their locations while offering various kinds of services, such as web publishing or an instant messaging server. Using Tor “rendezvous points,” other Tor users can connect to these hidden services, each without knowing the other’s network identity. ” is the description provided by the official Tor Project for the hidden service protocol.
Web sites hosted on the Tor Network could run on different web services, including an Apache Web Server, in this case anonymity of users is at risk.
The issue affects the configuration of Apache Web servers that come with the mod_status module enabled by default. The student discovered that the mod_status module could disclose the real IP address of .onion domains, allowing attackers to de-anonymize Onion Servers.
The Apache Status module allows monitoring activities of an Apache Web Server, it displays a sort of cockpit including current server statistics. The current server state includes the following information:
The number of worker serving requests
The number of idle worker
The status of each worker, the number of requests that worker has performed and the total number of bytes served by the worker (*)
A total number of accesses and byte count served (*)
The time the server was started/restarted and the time it has been running for
Averages giving the number of requests per second, the number of bytes served per second and the average number of bytes per request (*)
The current percentage CPU used by each worker and in total by Apache (*)
The current hosts and requests being processed (*)
By enabling the mod_status module, the output produced by the module would be available when accessing the URL:http://website.com/server-status/, this means that in case your .onion domain may result in exposing ‘server-status’ page.
This page would spit the sensitive backend data like server’s settings, uptime, resource usage, total traffic, virtual hosts, and active HTTP requests if enabled by default which is enough to figure out the Server location.
“On most distributions, Apache ships with a handy feature called mod_status enabled. It’s a page located at /server-status that displays some statistics, like uptime, resource usage, total traffic, enabled virtual hosts, and active HTTP requests. For security reasons, it’s only accessible from localhost by default.
This seems fairly reasonable, until you realize the Tor daemon runs on localhost. Consequently, any hidden service using Apache’s default config has /server-status exposed to the world. What could a malicious actor do in that case? They could spy on potentially sensitive requests. They could deduce the server’s approximate longitude if the timezone is set. They could even determine its IP address if a clearnet Virtual Host is present.” reads the blog post about the issue.
Operators behind hidden services running on the Apache Server need to disable the mod_status to avoid the disclosure of their identity.
To disable to mod_status run the following code:
sudo ap2dismod status
Once disabled the mod_status, users will be displayed a 403 or 404 Error message.
Dutch Police Training Eagles to Take Down Rogue Drones
You may have seen number of viral entertainment videos on the Internet, titled:
Hawk attacks Drone!
Angry Bird takes down Quadcopter,
and the best one…
Eagle attack: Drone Kidnapped by two Eagles,
...showing eagles, not-so-natural predators, attacking and bringing down drones when someone with a camera tries to invade their private airspace.
Inspired from this:
Dutch Police Training Eagles to Take Down Rogue Drones
The Dutch National Police force is training eagles to take down rogue drones, instead of shooting them, using radio jammers, net-wielding interceptor drones or anti-drone rifle.
We already know the role Sniffer Dogs play for Anti-Bomb squads in detecting hidden bombs and weapons.
If dogs can be trained, so can eagles. Keeping this in mind, it is the first time any police authority has trained eagles to safely bring down bad quadcopters in emergency cases.
Dutch police reportedly collaborated with a raptor training company called 'Guard From Above', to train eagles to recognise drones and then snatch it with its talons.
Check it out in action:
The Police are hoping to get these trained-eagles into their force within next few months.
Hacking Smartphones Running on MediaTek Processors
A dangerous backdoor has been discovered in the MediaTek processor that could be exploited to hack Android devices remotely.
MediaTek is a Taiwan-based hardware company that manufacture hardware chips and processor used in the smartphones and tablets.
The backdoor was discovered by security researcher Justin Case, who already informed MediaTek about the security issue via Twitter, as the chipset manufacturer had no proper vulnerability reporting mechanism in place.
The vulnerability is apparently due to a debug tool that was opened up for carriers to test the device on their networks, but unfortunately, it was left open in the shipped devices, thus leaving the serious backdoor open to hackers.
If exploited, the debug feature could allow hackers to compromise personal data of an Android device, including user’s private contacts, messages, photos, videos and other private data.
MediaTek acknowledged the issue, saying "We are aware of this issue, and it has been reviewed by MediaTek’s security team. It was mainly found in devices running Android 4.4 KitKat, due to a debug feature created for telecommunication inter-operability testing in China."
The issue actually resides in MediaTek MT6582 processor, which worryingly is being used in many high profile Android devices.
So, if your smartphone is using this processor, the only thing you can do for now is to…
...Keep your Android device off the Internet in an effort to protect yourself.
The company also said that it has notified all OEMs of the potential loophole, so it's now up to the affected OEMs to issue a security patch to close the backdoor.
"While this issue affected certain manufacturers, it also only affected a portion of devices for those manufacturers. We have taken steps to alert all manufacturers and remind them of this important feature," MediaTek spokesperson released a statement.
Audit shows Department of Homeland Security 6 billion U.S. Dollar firewall not so effective against hackers
A multi-billion U.S. Dollar firewall run by the Department of Homeland Security meant to detect and prevent nation-state hacks against the government functions ineffectively, according to a sanitized version of a secret federal audit.
The National Cybersecurity Protection System (NCPS), also known as EINSTEIN, is a firewall run by the Department of Homeland Security. It’s goal: to detect and prevent nation-state hacks against the U.S. Government functions.
However, according to a sanitized version of a secret federal audit, EINSTEIN does an ineffective job. The audit was described in a ‘for official use only’ Government Accountability Office Report, which was sanitized (public version) and released on Thursday 28 January 2016.
In November 2015 the U.S. Senate Homeland Security and Governmental Affairs Committee suggested the then-confidential audit of EINSTEIN would prove the hacker surveillance system is not governmentwide.
The newly released audit strengthens their views and points out other misaligned objectives and technologies in the 6 billion U.S. Dollar EINSTEIN project (not acknowledged by DHA)
Gregory C. Wilshusen , GAO director of information security issues, and Nabajyoti Barkakati, director of the GAO Center for Technology and Engineering, said in the report:
“Until NCPS’ intended capabilities are more fully developed, DHS will be hampered in its abilities to provide effective cybersecurity-related support to federal agencies,”
The prevention feature of the system is only deployed at 5 of the 23 major nondefense agencies.
Therefore the U.S. Departments involved in the audit were the departments of Energy and Veterans Affairs, the General Services Administration, the National Science Foundation and the Nuclear Regulatory Commission. The audit report shows the following findings.
EINSTEIN does Not Cover Nation-State ‘Advanced Persistent Threats’
“The overall intent of the system was to protect against nation-state level threat actors,”
EINSTEIN did not protect against nation-state Ádvanced Persistent Threats'(APT) by foreign adversaries.
“EINSTEIN did not possess intrusion detection signatures that fully addressed all the advanced persistent threats we reviewed,”
In reaction to this DHS officials said EINSTEIN is only one technology of many that each department uses to protect its sensitive data. Every agency should keep its own IT and data safe, while DHS should provide the baseline protections and the big-picture perspective of security controls governmentwide.
EINSTEIN doesn’t Know Common Security Vulnerabilities
EINSTEIN works by sending out signatures of known attack patterns to 228 intrusion-detection sensors placed throughout the dot-gov network. These sensors analyze patterns in agency traffic flows to see if there is a match with any of the signatures.
“However, the signatures supporting NCPS’s intrusion detection capability only identify a portion of vulnerabilities associated with common software applications,”
5 client applications were reviewed – Adobe Acrobat, Flash, Internet Explorer, JAVA and Microsoft Office – and only 6 percent 0f all the security bugs tested were flagged (29/489 vulnerabilities).
According to the report a possible reason might be that EINSTEIN doesn’t sync with the standard national database of security flows maintained by NIST (National Institute of Standards and Technology).
DHS officials claim in the report this was not required for the first draft of EINSTEIN, but ‘acknowledges this deficiency’ and plan to address it in the future.
EINSTEIN has no Way to Spot Unknown Zero Days until ‘Announced’
The report states “Regarding zero day exploits,” DHS officials stated “there is no way to identify them until they are announced,”. Once they are disclosed (sometimes with the help of intelligence community partners), DHS can mold a signature to the attack pattern and feed it into EINSTEIN.
Information Sharing with EINSTEIN is Often A Waste
“DHS’s sharing of information with agencies has not always been effective, with disagreement among agencies about the number of notifications sent and received and their usefulness,”
Regarding the reviewed departments, it did not receive 24 percent of the notifications DHS said it had sent in fiscal 2014. The ones that did often served no purpose. Of the 56 alerts communicated successfully, 31 were timely and useful, while the rest were too slow, useless, false alarms or unrelated to intrusion detection.
Besides this, the DHS has created metrics related to EINSTEIN, “None provide insight into the value derived from the functions of the system,” the auditors said.
The findings of the audit report show EINSTEIN MUST be changed to be effective against hackers and foreign adversaries, its primary goal. Otherwise, 6 billion U.S. Dollars is spent on a system not up for its job, resulting in a danger for national security.
About the author
Software test engineer, Founder TestingSaaS, a social network about researching cloud applications with a focus on forensics, software testing and security.
Warning — Popular 'Hot Patching' Technique Puts iOS Users At Risk
Do you know?… Any iOS app downloaded from Apple’s official App Store has an ability to update itself from any 3rd-party server automatically without your knowledge.
Yes, it is possible, and you could end up downloading malware on your iPhone or iPad.
Unlike Google, Apple has made remarkable efforts to create and maintain a healthy and clean ecosystem of its official App Store.
Although Apple's review process and standards for security and integrity are intended to protect iOS users, developers found the process time consuming and extremely frustrating while issuing a patch for a severe bug or security flaw impacting existing app users.
To overcome this problem, Apple designed a set of solutions to make it easier for iOS app developers to push straightway out hotfixes and updates to app users without going through Apple's review process.
Sounds great, but here's the Kick:
Malicious app developers can abuse These solutions, potentially allowing them to circumvent effectively the protection given by the official App Store review process and perform arbitrary actions on the compromised device, FireEye has warned.
How Does JSPatch Work?
Developed by a Chinese developer, JSPatch is utilised in as many as 1,220 iOS apps in the App Store, according to researchers. Although they failed to name the apps, the researchers claim that they have already notified the app providers.
How to Exploit the JSPatch Framework?
There are two ways to abuse this framework:
If the Developer is with malicious intention.
If developer loads this framework via an unencrypted channel, allowing Man-in-the-Middle attacks.
What if the app developer has bad intention?
A malicious developer can first submit a harmless JSPatch integrated application to the Apple App Store.
"JSPatch is a boon to iOS developers," FireEye researchers said in a blog post. "In the right hands, it can be used to quickly and effectively deploy patches and code updates. However, in a non-utopian world like ours, we need to assume that bad actors will leverage this technology for unintended purposes."
What if the app's developer loads JSPatch via an unencrypted channel?
If an application developer uses JSPatch without any malicious intentions, even then the users security is at risk. The developers who load JSPatch via an unencrypted (HTTP) channel could leave communications between the client and the server unprotected.
Access to sensitive information, such as media files and the pasteboard content.
Change system properties.
Load arbitrary public frameworks into the app process.
This isn't the very first-time iOS users are facing such problems. Last October, hundreds of iOS apps in the App Store were found collecting user's private data while violating security and privacy guidelines of Apple.
The discovery came just a month after the XcodeGhost malware was distributed through legitimate iOS Apps via counterfeit versions of Apple's app developer toolkit called Xcode. Here's how to protect yourself against XCodeGhost like iOS flaws.
How to Protect Yourself?
The recommendations to protect yourself against this flaw are standard:
Download apps only from the official App Store, that you need, that you know, and that you trust.
Beware of applications that ask for an extensive amount of permissions and only grant the apps permissions that are necessary.
Manually review "everything" to discover anything malicious in your devices. Rest is up to the company if it wants to improve its application update process to make it speedier, or to allow potential attack vectors that could affect most of its apps and their users.
How Spy Agencies Hacked into Israeli Military Drones to Collect Live Video Feeds
Featured Image Only. See Original leaked images below.
In a joint surveillance program, the US intelligence agency NSA (National Security Agency) and the British intelligence agency GCHQ (Government Communications Headquarters) hacked into, decrypted, and tracked live video feeds of Israeli Military Drones and Fighter Jets.
This could be one of the most shocking and embarrassing disclosures for Israel, who is the United States’ ally and prides itself on its technical capabilities.
Published by The Intercept, the newly released documents from the former NSA contractor Edward Snowden revealed that in an operation dubbed "Anarchist," UK and US intelligence officials have been…
...regularly accessing Israeli drone cameras, allowing them to watch live video feeds from drones and fighter jets while Israel bombed Gaza and spied on Syria.
But, how the intelligence officials were able to do so.
Also Read: Google Wants to Fly Drones Over Your Head to Deliver High Speed 5G Internet.
How did the Intelligence Agencies Hack into Israeli Drones?
The Documents revealed that British Intelligence agency has installed Military-grade Interception systems at Royal Air Force compound in the Troodos Mountains (Cyprus), which is geographically very near to Israel and Syria.
These Surveillance tools are capable of intercepting analog video feeds from Israeli and Syrian drones.
With the help of some open-source software like Image Magick and AntiSky, agencies were able to decrypt and convert scrambled data from remotely piloted aircraft in order to track the movement of drones.
Must Read: Police Using Planes Equipped with Dirtbox to Spy on your Cell Phones.
The report includes several snapshots of Israeli drones collected in 2009 and 2010 that clearly indicates that Israel has drones with missiles and attack capabilities, which Israel doesn't publicly acknowledge.
One snapshot revealed by The Intercept shows an Israeli IAI Heron Drone — a high-altitude strike drone with 350 kilometers range that is capable of carrying a weapon of a 1-ton load and staying aloft for more than 40 hours.
Despite these leaked images offer the first direct public evidence that Israel flies attack drones, they provide rare visual evidence to support reports that aren't clear enough to conclude anything right now.
For in-depth information, you can read the detailed report here.
Default Apache Configuration Can Unmask Tor Hidden Services
Default Apache Configuration Can Unmask Tor Hidden Services
Attention Tor Onion Hosters!
A year old loophole in Apache Web Server, uncovered by an unknown Computer Science Student, could potentially unmask the real identity of .onion-domains and servers hidden behind the Tor-network.
Although the loophole was reported on Reddit and to the Tor Project months back, it recently came to the limelight soon after a tweet by Alec Muffet, a well-known security enthusiast and current software engineer at Facebook.
What is Tor Hidden (.onion) Service? Dark Web websites (generally known as 'onion services') with a special domain name that ends with .onion, are called Tor Hidden Service and reachable only via the Tor network.
Tor Hidden Service is a widely popular anonymity network used by Whistleblowers, Underground Markets, Defense Networks and more in order to maintain secrecy over the Internet.
An Onion Website can be hosted on the top of any web servers. But, if you are choosing Apache, then you need to rethink.
Apache Misconfiguration Exposes Tor Hidden Servers
According to the report, most distributions of Apache Server ship with mod_status module, enabled by default, which could disclose the real identity of the .onion domains, placing the Onion Servers at risk of being identified.
Apache's mod_status module helps server administrators to monitor the health of web server with an HTML interface and is accessible via a web browser on its localhost only.
The Output of this module would be available on every server when accessing the URL: http://website.com/server-status/
However, running mod_status module with Tor hidden service may result in exposing ‘server-status’ page to the world via Tor daemon service.
This page would spit the sensitive backend data like server's settings, uptime, resource usage, total traffic, virtual hosts, and active HTTP requests if enabled by default which is enough to figure out the Server location.
"What could a malicious actor do in that case? They could spy on potentially sensitive requests," reads the blog post regarding the issue. "They could deduce the server's approximate longitude if the timezone is set. They could even determine its IP address if a clearnet Virtual Host is present."
How to Disable mod_status on Apache
Now, if you run a .onion domain on top of any Apache Server, then make sure that the mod_status is disabled.
For this, you may need to run this code in shell command:-
sudo ap2dismod status
"ap2" stands for Apache 2.x
"dis" stands for disable
"mod" stands for module
Soon after this, if you reload, then you would be prompted by a 403 or 404 Error Prompt. The Error message would ensure that you are no longer vulnerable to that Risk.
27% of all detected malware appeared in 2015
According to a new report from Panda Security more than 84 million new malware samples were detected over the 2015, 27% of all malware of ever.
In 2015, security experts have detected the a record number of new malware, according to a report published by Panda Security more than 84 million new malware samples were collected.
It is an impressive number considering that corresponds to the 27 percent of all malware ever created.
“Last year saw the greatest number of cyberattacks recorded around the world, with a total of 304 million samples, which means that more than a quarter of all malware samples ever recorded were produced in 2015 (27.63%).” states the report.
Giving a closing look at the report it is possible to note that Trojans are the main threats, they account for 51.45 percent, followed by viruses at 22.79 percent, worms at 13.22 percent, potentially unwanted programs such as adware at 10.71 percent and cases of spyware at 1.83 percent.
The spike in the number of threats despite the improvement of Antivirus solution is mainly caused by an intensification of the activities of malware authors. Threat actors are spreading more variations on the same strain of malware with the intent to avoid detection, an operation that benefits of the availability of automated software slightly modify the malicious code.
Fortunately, antivirus vendors are getting smarter improving detection mechanisms and a rapid information sharing that allows them to promptly respond to new threats.
Panda Security confirmed to have a dedicated infrastructure to share malicious code samples with other vendors.
Looking at the geography of the infections, China remains one of the most infected countries in the world (57.24%). The number of infections in China increased nearly 30% more than in 2014. Taiwan was the second with an infection rate of 49.15%, followed by Turkey (42.52%).
New docs confirm CIA planned to kidnap Snowden
Documents obtained by Denfri.dk media confirm rendition flight used Copenhagen Airport for mission to kidnap Edward Snowden.
According to documents obtained by the Danish media outlet Denfri.dk, the US CIA agency is planning to kidnap Edward Snowden. The documents were obtained by Denfri through a Freedom of Information Act suit in August 2015.
A paramilitary team belonging to the CIA is operative in Copenhagen, ready to kidnap the popular whistleblower and bring him in the US with an aircraft already in the same city.
The CIA agents are following the moves of Snowden trying to exploit a trip in one of the European countries, it would be the moment when kidnaps the man.
The presence of a CIA plane in Copenhagen was first reported in 2014 by The Register, it is a Gulfstream V, registered under the number N977GA.
“On the evening of 24 June 2013, as Snowden arrived in Moscow from Hong Kong intending to fly on to Cuba, an unmarked Gulfstream V business jet – tail number N977GA – took off from a quiet commercial airport 30 miles from Washington DC. Manassas Regional Airport discreetly offers its clients “the personal accommodations and amenities you can’t find at commercial airports”. wrote The Register.
“Early next morning, N977GA was detected heading east over Scotland at the unusually high altitude of 45,000 feet. It had not filed a flight plan, and was flying above the level at which air traffic control reporting is mandatory.”
The same aircraft has been used by the CIA to transport captives to the CIA’s secret prisons set up since 9/11.
The documents obtained by the Denfri confirmed the circumstance revealing that Danish police and government officers approved the positioning of the CIA plane in Copenhagen for unspecified “state purposes.”
The documents include a government letter from FBI representatives that ask for support of the Norwegian government. The law agency requested the Norwegian authorities immediately notify US intelligence agencies in the event that Snowden crossed to Norway, Finland, Sweden or Denmark.
The Danish intelligence has sought to preserve total secrecy in relation to the stationing of the CIA aircraft in Copenhagen .
“Denmark’s relationship with the USA would be damaged if the information [content redacted from the documents] becomes public knowledge,” The Denmark’s interior ministry told Denfri.
I think that the kidnapping Snowden would be a serious error for the US intelligence, according to former NSA Director Keith Alexander, Snowden downloaded more than 1 million secret US government documents, it is likely that those documents are already in the hands of a network of journalist ready to disclose them in case of problems.
Facebook XSS could have allowed attackers to take over users’ accounts
A security researcher has discovered a serious XSS flaw that could have allowed attackers to take over users’ Facebook accounts.
The security expert Jack Whitton reported a critical XSS vulnerability to Facebook that could be exploited by hackers to take over users’ Facebook accounts. The researchers reported the flaw to Facebook in July 2015, and the company fixed the problem in just 6 hours.
Facebook rewarded $7,500 the expert for the flaw under its bounty program.
The researcher’s attack method has two main aspects: one related to content types and a DNS issue.
Whitton first attempted to get an uploaded file to be interpreted and he discovered that under specific conditions it’s possible by changing the file extension to .html.
Whitton discovered that while the extensions of photos and videos uploaded to Facebook cannot be modified, the extensions of advertising images uploaded via the Ads Manager could be changed.
The expert wrote embedded an XSS payload into a PNG image’s IDAT chunk, which differently from Exif and iTXt data, were not removed by Facebook.
However, files are stored on Facebook’s content delivery network (CDN), which is sandboxed, this means that malicious code in the image can’t read web data such as session cookies from facebook.com due to the same-origin policy.
Whitton discovered a way to upload a hidden script to the CDN, and then to retrieve that script via specific crafted URL that looks like harmless that a user could be tricked into clicking from a facebook.com domain.
In order to make requests to facebook.com directly, Whitton found several Facebook plugins that are designed to be included in an iframe, which bypasses CSRF protections and allows an attacker to steal authentication token and act on the user’s behalf simply by getting the victim to click on a link.
“What we now need to do is load the plugin inside an iframe, wait for the
event to fire, and extract the token from the content.” Whitton explained in a blog post. £We now have access to the user’s CSRF token, which means we can make arbitrary requests on their behalf (such as posting a status, etc).”
If the user were logged in, the malicious script could allow impersonating the victim and access his data.
Dozens of games infected with Xiny available on the Google Play
Experts at Dr Web discovered dozens of Android game apps in the Google Play Store have been infected with the Android.Xiny Trojan.
Bad news for Android users, according to the security Doctor Web firm dozens of game apps in the Google Play Store have been infected with the Android.Xiny.19.origin Trojan. The malware could allow attackers to control the victim’s mobile device, by installing and running any kind of software (apk files), it also allows to display annoying advertisements.
“However, the main threat of Android.Xiny.19.origin lies in its capability to download and dynamically run arbitrary apk files upon cybercriminals’ command. However, the way it is carried out is rather unique.” states a blog post published by Doctor Web.
The malware collects information from the infected device and sends them back to the command and control server, it gathers the IMEI identifier, the MAC address, version and language of the operating system and the mobile network operator’s name.
Experts at Doctor Web discovered more than 60 games infected by the Android.Xiny distributed in the Official Android Google Play Store. The malicious app were apparently deployed by over 30 different that used different names, including Conexagon Studio, Fun Color Games and BILLAPPS.
“At first glance, these affected games look similar to numerous such-like applications; and they are games indeed, with just one difference—while a user is playing a game, the Trojan is performing its malicious activity.” states Doctor Web.
Another interesting feature implemented by the authors of Android.Xiny is that the malware hides malicious program in specially created images by using steganography. Android.Xiny receives malicious images from the server and then retrieves the apk they contain.
The Android.Xiny malware is able to perform many other malicious operations without the user’s consent. The researchers noticed that despite it is not yet able to gain root privileges, it has the ability to download the proper exploit in order to gain root access to the device.
“Android.Xiny.19.origin can perform other malicious functions, such as to download and prompt a user to install different software, or to install and delete applications without the user’s knowledge if root access is available on the device.” continues the post.
“it can download a set of exploits from the server in order to gain root access to the device for covert installation or deletion of applications.”
Doctor Web has already reported the discovery to Google.
Unfortunately, the fact that the malware author chose the Google Play to distribute the malware is not a novelty, in January Lookout firm discovered 13 Android apps infected with the Brain Test malware and available for download on the official Google Store.
JSPatch hot patching technique puts iOS users at risk
Security experts at FireEye are warning attackers can exploit the JSPatch hot patching technique to serve malicious code and put iOS users at risk
The release of hot patches for apps already deployed in the official App Store is a time-consuming procedure that results frustrating for developers.
Apple is aware of this drawback, for this reason designed specific solutions to address the issue and make it easier for iOS app developers to release a hotfix patch without passing the strict controls implemented under the Apple’s review process.
Unfortunately, this ‘alternative’ process expose Apple users to the risk of cyber attacks.
The technology under scrutiny is JSPatch, experts at FireEye warn about possible abuse that could allow attackers to push malicious updates for mobile apps in the Official store.
According to the experts at FireEye, attackers could exploit the JSPatch technology to serve malicious updates that could allow the apps to carry out a number of malicious activities.
“The JSPatch technology potentially allows an individual to effectively circumvent the protection imposed by the App Store review process and perform arbitrary and powerful actions on the device without consent from the users. The dynamic nature of the code makes it extremely difficult to catch a malicious actor in action.” states a blog post published by FireEye.
In one case presented as a proof-of-concept by the experts the attackers can exploit the iOS Pasteboard, commonly used to copy and paste content between different apps, exfiltrate personal data from victims mobile device.
There are two possible attack scenarios that exploit the JSPatch Framework, in one case malicious developers could initially deploy a harmless app on the store and later update it with malicious code through the JSPatch Framework, in a second scenario the attackers can run a Man-in-the-Middle attacks against a developer loads the framework via an unencrypted channel.
If you want further details on the JSPatch Framework and possible attack methods give a look to the post published by Fire Eye.
Mobilní zabezpečení budov i majetku usnadní novinka Mark2
Řešení integrovaného facility managementu prostřednictvím bezpečnostní mobilní aplikace M2C Support představila pro své klienty firma M2C. Vhodná je prý nejen pro provozovatele logistických a průmyslových skladů, ale i pro správu administrativních budov a obchodních center.
Účelem mobilní aplikace je individuální podpůrný a zároveň kontrolní systém při komunikaci běžných i kritických situací na objektech dle preference jejich důležitosti. Určená je pro zařízení s operačními systémy iOS 7 a vyšší, respektive Android 4 a vyšší .
Zároveň aplikace slouží k pravidelnému zasílání novinek v oblasti facility a bezpečnosti, přičemž jejich publikace probíhá přes protokol RSS (Rich Site Summary). Klienti tak mají díky aplikaci i všechny aktuální kontakty svého poskytovatele služeb a osob zodpovědných právě za jejich objekt.
Aplikace pracuje v on-line režimu přes API (Application Programming Interface), který zajišťuje přenos dat s tzv. backendem, což je v tomto případě bezpečnostní software M2C.
A FOP data dump leaked online, 2.5GB of police contracts and data
The Fraternal Order of Police (FOP), a US Police Organisation, has been hacked and 2,5GB data dump leaked online.
A data dump related to a US police association has been leaked online, as well as a backup containing personal information belonging to the member of a forum.
The data dump results from the data breach suffered by the “Fraternal Order of Police” (FOP) organization, which is “the world’s largest organization of sworn law enforcement officers, with more than 325,000 members in more than 2,100 lodges.”
This FOP’s data dump, a 273MB zip archive, includes hundreds of police contracts and thousands of private forum posts by US law enforcement members. The zip file contains two database backups of the forum and entire website of the Fraternal Order of Police (FOP). The total amount of data leaked is roughly 2.5GB in size, but White claims to have 18TB of sensitive material that he has not released.
The man posted an encrypted data dump as insurance, giving the password revealing that password to access it is held by an unnamed third party who will release the precious data if anything happens to White.
The file is shared online as a Magnet/Torrent file, the data dump is served by the Thomas White website, a Briton who goes under the handle The Cthulhu.
“Today I released some files from the Fraternal Order of Police, allegedly the largest union-type body in the US representing sworn-in police officers. Since then, many groups have shared it over social media and other means, for which I thank all who have donated their bandwidth to seed the files over the torrent.” states White’s blog post.
The White’s website is known to security experts, it hosted in the past data resulting from the Hacking Team hack, Ashley Madison and crowd-funding site Patreon data breaches.
This data breach is creating havoc among US law enforcement, because of the content of some posts. Someone tried to threaten White that ignored the menaces and tweeted screenshots of threatening emails he received.
White avoided providing details on the origin of the source, in a message to law enforcement he said:
“I understand you are investigating the case. You are free to email me at any point with any questions you may have and we can arrange a time to talk in a civil manner if you desire, but the meeting is to take place within the UK, as I am a UK citizen. Furthermore, as I am liberty to post the data, I advise against seeking any kind of revenge action as it will be quite fruitless. I have removed all traces back to the source and so investigating me will not lead back to whomever carried out the attack. Furthermore, due to the confidentiality I owe my source, I will not be revealing him/her or any further details of our connection or conversation either.”
The FBI is currently investigating the hack.
The archive is available at the following link:
Now VirusTotal can scan your firmware image for bad executables
VirusTotal presented a new malware scanning engine that allows users to analyze their firmware images searching for malicious codes.
VirusTotal has recently announced the launch of a new malware scanning service for firmware images. The intent is to allow users to identify malicious firmware images.
Threat actors could exploit vulnerabilities in firmware to hack systems or inject malicious code. The revelation about the NSA catalog confirmed the existence of software implants used by the NSA for surveillance activities.
BIOS is the firmware component most targeted by hackers, threat actors could exploit it to malicious to hide their malware, avoid detection and gain persistence on the infected machine.
“Firmware malware has been a hot topic ever since Snowden’s leaks revealed NSA’s efforts to infect BIOS firmware. However, BIOS malware is no longer something exclusive to the NSA, Lenovo’s Service Engine or Hacking Team’s UEFI rootkit are examples of why the security industry should put some focus on this strain of badness.” Google-owned VirusTotal explains in a blog post.
Malware deployed in firmware can survive reboots and system wiping.
“To all effects BIOS is a firmware which loads into memory at the beginning of the boot process, its code is on a flash memory chip soldered onto the mainboard. Since the BIOS boots a computer and helps load the operating system, by infecting it attackers can deploy malware that survives reboots, system wiping and reinstallations, and since antiviruses are not scanning this layer, the compromise can fly under the radar.”
Malware deployed in the firmware can survive reboots, system wiping and reinstallations, and avoids antivirus scanning, which leads to persistent compromise.
The new service launched by VirusTotal performs the following tasks:
Apple Mac BIOS detection and reporting.
Strings-based brand heuristic detection, to identify target systems.
Extraction of certificates both from the firmware image and from executable files contained in it.
PCI class code enumeration, allowing device class identification.
ACPI tables tags extraction.
NVAR variable names enumeration.
Option ROM extraction, entry point decompilation and PCI feature listing.
Extraction of BIOS Portable Executables and identification of potential Windows Executables contained within the image.
SMBIOS characteristics reporting.
As explained in the blog post, users can extract the UEFI Portable Executables and use the service to analyze the image identifying potential Windows Executables used to inject malicious code.
“What’s probably most interesting is the extraction of the UEFI Portable Executables that make up the image, since it is precisely executable code that could potentially be a source of badness. These executables are extracted and submitted individually to VirusTotal, such that the user can eventually see a report for each one of them and perhaps get a notion of whether there is something fishy in their BIOS image.”
Users can view details on the firmware they have submitted for scanning by clicking on the Additional information tab, which also has a new Source Details field. The File Detail tab will also provide various details on the characteristics of the submitted firmware image.
Users are invited to remove any private information from BIOS dumps before uploading them to VirusTotal.
Kaspersky DDoS Intelligence Report for Q4 2015
30.1.2016 Zdroj: Kaspersky
Of all the Q4 2015 events in the world of DDoS attacks and the tools used to launch them, we picked out those that, in our opinion, best illustrate the main trends behind the evolution of these threats.
Emergence of new vectors for conducting reflection DDoS attacks;
Increase in number of botnets composed of vulnerable IoT devices;
Application-level attacks – the workhorse behind DDoS attack scenarios.
Attacks using compromised web applications powered by WordPress
Web resources powered by the WordPress content management system (CMS) are popular with cybercriminals who carry out DDoS attacks. This is because WordPress supports the pingback function that notifies the author of a post published on a WordPress site when someone else links to that post on another site running the same CMS. When the post containing the link to the other web resource is published on a site with the enabled pingback function, a special XML-RPC request is sent to the site where the link leads and that resource receives and processes it. During processing, the recipient site may call the source of the request to check for the presence of the content.
This technology allows a web resource (victim) to be attacked: a bot sends a specially formed pingback request specifying the address of the victim resource as the sender to a WordPress site with the pingback function enabled. The WordPress site processes the request from the bot and sends the reply to the victim’s address. By sending pingback requests with the victim’s address to lots of WordPress resources with pingback enabled, the attackers create a substantial load on the victim resource. This is why web resources running WordPress with the pingback function enabled are of interest to cybercriminals.
In Q4 2015, resources in 69 countries were targeted by DDoS attacks #KLReport
The power of one such DDoS attack registered by Kaspersky Lab experts amounted to 400 Mbit/sec and lasted 10 hours. The attackers used a compromised web application running WordPress as well as an encrypted connection to complicate traffic filtering.
In October 2015, experts registered a huge number of HTTP requests (up to 20,000 requests per second) coming from CCTV cameras. The researchers identified about 900 cameras around the world that formed a botnet used for DDoS attacks. The experts warn that in the near future new botnets utilizing vulnerable IoT devices will appear.
Three new vectors for carrying out reflection DDoS attacks
Reflection DDoS attacks exploit weaknesses in a third party’s configuration to amplify an attack. In Q4, three new amplification channels were discovered. The attackers send traffic to the targeted sites via NetBIOS name servers, domain controller PRC services connected via a dynamic port, and to WD Sentinel licensing servers.
Attacks on mail services
In Q4 2015, mail services were especially popular with DDoS attackers.
In particular, activity was detected by the Armada Collective cybercriminal group, which uses DDoS attacks to extort money from its victims. The group is suspected of being involved in an attack on the ProtonMail secure e-mail service in which the cybercriminals demanded $6000 to end the DDoS attack.
In Q4 2015, the largest numbers of DDoS attacks targeted victims in China, the US and South Korea. #KLReport
As well as the ProtonMail encrypted email service, the FastMail and the Russian Post e-mail services were also targeted.
Statistics for botnet-assisted DDoS attacks
Kaspersky Lab has extensive experience in combating cyber threats, including DDoS attacks of various types and levels of complexity. The company’s experts monitor botnet activity with the help of the DDoS Intelligence system.
The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.
This report contains the DDoS Intelligence statistics for the fourth quarter of 2015.
In the context of this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.
The geographic distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.
It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab. It should also be highlighted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.
In Q4, resources in 69 countries were targeted by DDoS attacks.
94.9% of the targeted resources were located in 10 countries.
The largest numbers of DDoS attacks targeted victims in China, the US and South Korea.
The longest DDoS attack in Q4 2015 lasted for 371 hours (or 15.5 days).
SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios.
The popularity of Linux-based bots continued to grow: the proportion of DDoS attacks from Linux-based botnets in the fourth quarter was 54.8%.
Geography of attacks
By the end of 2015, the geography of DDoS attacks narrowed to 69 countries. 94.9% of targeted resources were located in 10 countries.
Q4 saw a considerable increase in the proportion of DDoS attacks targeting resources located in China (from 34.5% to 50.3%) and South Korea (from 17.7% to 23.2%).
Distribution of unique DDoS attack targets by country, Q3 vs Q4 2015
The share of DDoS targets located in the US dropped by 8 percentage points, which saw it move down to third place and South Korea climb to second.
Croatia with 0.3% (-2.5 percentage points) and France, whose share fell from 1.1% to 0.7%, left the Top 10. They were replaced by Hong Kong, with the same proportion as the previous quarter, and Taiwan, whose share increased by 0.5 percentage points.
The statistics show that 94% of all attacks had targets within the Top 10 countries:
Distribution of DDoS attack by country, Q3 vs Q4 2015
In the fourth quarter, the Top 3 ranking remained the same, although the US and South Korea swapped places: South Korea’s contribution grew by 4.3 percentage points, while the US share dropped by 11.5 percentage points. The biggest increase in the proportion of DDoS attacks in Q4 was observed in China – its share grew by 18.2 percentage points.
Changes in DDoS attack numbers
In Q4 2015, DDoS activity was distributed more or less evenly, with the exception of one peak that fell in late October and an increase in activity in early November.
The peak number of attacks in one day was 1,442, recorded on 2 November. The quietest day was 1 October – 163 attacks.
Number of DDoS attacks over time* in Q4 2015.
* DDoS attacks may last for several days. In this timeline, the same attack may be counted several times, i.e. one time for each day of its duration.
Monday and Tuesday were the most active days of the week in terms of DDoS attacks. In Q4, the number of attacks carried out on a Monday was 5.7 percentage points more than in the previous quarter. The figure for Tuesdays changed slightly (-0.3 percentage points).
Distribution of DDoS attack numbers by day of the week, Q4 2015
Types and duration of DDoS attacks
97.5% of DDoS targets in Q4 2015 (vs. 99.3% in Q3) were attacked by bots belonging to one family. In just 2.4% of all cases cybercriminals launched attacks using bots from two different families (used by one or more botnet masters). In 0.1% of cases three or more bots were used, mainly from the Sotdas, Xor and BillGates families.
The longest DDoS attack in Q4 2015 lasted for 371 hours (or 15.5 days). #KLReport
The ranking of the most popular attack methods remained unchanged, although SYN DDoS (57%) and TCP DDoS (21.8%) added 5.4 and 1.9 percentage points respectively.
The distribution of DDoS attacks by type
Once again, most attacks lasted no longer than 24 hours in Q4 2015.
The distribution of DDoS attacks by duration (hours)
The maximum duration of attacks increased again in the fourth quarter. The longest DDoS attack in the previous quarter lasted for 320 hours (13.3 days); in Q4, this record was beaten by an attack that lasted 371 hours (15.5 days).
C&C servers and botnet types
In Q4 2015, South Korea maintained its leadership in terms of the number of C&C servers located on its territory, with its share growing by 2.4 percentage points. The US share decreased slightly – from 12.4% to 11.5%, while China’s contribution grew by 1.4 percentage points.
In Q4 2015, SYN DDoS, TCP DDoS and HTTP DDoS remain the most common DDoS attack scenarios. #KLReport
The Top 3 ranking remained the same. The countries in fourth and fifth switched places – Russia’s share increased from 4.6% to 5.5%, while the share of the UK declined from 4.8% to 2.6%.
Distribution of botnet C&C servers by country in Q4 2015
The proportion of DDoS attacks from Linux-based botnets in Q4 2015 was 54.8% #KLReport
In Q4, the correlation between active bots created from Windows and Linux saw the proportion of attacks by Linux bots grow from 45.6% to 54.8%.
Correlation between attacks launched from Windows and Linux botnets
Events in Q4 2015 demonstrated that the cybercriminals behind DDoS attacks utilize not only what are considered to be classic botnets that include workstations and PCs but also any other vulnerable resources that are available. These include vulnerable web applications, servers and IoT devices. In combination with new channels for carrying out reflection DDoS attacks this suggests that in the near future we can expect a further increase in DDoS capacity and the emergence of botnets consisting of new types of vulnerable devices.
From Linux to Windows – New Family of Cross-Platform Desktop Backdoors Discovered
30.1.2016 Zdroj: Kaspersky
Recently we came across a new family of cross-platform backdoors for desktop environments. First we got the Linux variant, and with information extracted from its binary, we were able to find the variant for Windows desktops, too. Not only that, but the Windows version was additionally equipped with a valid code signing signature. Let´s have a look at both of them.
DropboxCache aka Backdoor.Linux.Mokes.a
This backdoor for Linux-based operating systems comes packed via UPX and is full of features to monitor the victim’s activities, including code to capture audio and take screenshots.
After its first execution, the binary checks its own file path and, if necessary, copies itself to one of the following locations:
One example would be this location: $HOME/.local/share/.dropbox/DropboxCache. To achieve persistence, it uses this not very stealthy method: it just creates a .desktop-file in $HOME/.config/autostart/$filename.desktop. Here’s the template for this:
Next, it connects to its hardcoded C&C Server. From this point, it performs an http request every minute:
This “heartbeat” request replies with a one-byte image. To upload and receive data and commands, it connects to TCP port 433 using a custom protocol and AES encryption. The binary comes with the following hardcoded public keys:
The malware then collects gathered information from the keylogger, audio captures and screenshots in /tmp/. Later it will upload collected data to the C&C.
/tmp/ss0-DDMMyy-HHmmss-nnn.sst (Screenshots, JPEG, every 30 sec.)
/tmp/aa0-DDMMyy-HHmmss-nnn.aat (Audiocaptures, WAV)
/tmp/dd0-DDMMyy-HHmmss-nnn.ddt (Arbitrary Data)
DDMMyy = date: 280116 = 2016-01-28
HHmmss = time: 154411 = 15:44:11
nnn = milliseconds.
This part of the code is able to capture audio from the victim’s box.
However, audio capturing is not activated in the event timer of this binary, just like the keylogging feature. Since the authors have statically linked libqt, xkbcommon (the library to handle keyboard descriptions) and OpenSSL (1.0.2c) to the binary, the size of the binary is over 13MB. The criminals also didn’t make any effort to obfuscate the binary in any way. In fact, the binary contains almost all symbols, which is very useful during analysis.
There are also references to the author’s source files:
Apparently, it’s written in C++ and Qt, a cross-platform application framework. According to the binary’s metadata it was compiled using “GCC 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04)” on Ubuntu 14.04 LTS “Trusty Tahr”. According to the qt_instdate timestamp, the last time the Qt sources were configured was on 2015-09-26 (qt/qtbase.git: deprecated), which implies the compilation time of the malware to be not earlier than end of September 2015.
We detect this type of malware as Backdoor.Linux.Mokes.a.
OLMyJuxM.exe aka Backdoor.Win32.Mokes.imv
Just a few days ago, we came across a rather familiar looking sample, although it was compiled for machines running Microsoft Windows. It quickly turned out to be a 32-bit Windows variant of Backdoor.Linux.Mokes.a.
After execution, the malware randomly chooses one of nine different locations in %AppData% to persistently install itself on the machine. The binary also creates a “version”-file in the same folder. As its name implies, it stores just version information, together with the full installation path of the malware itself:
Then the corresponding registry keys are created in HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure persistence in the system.
After the malware has executed its own copy in the new location, the SetWindowsHook API is utilized to establish keylogger functionality and to monitor mouse inputs and internal messages posted to the message queue.
The next stage in its operation is to contact the hardcoded C&C server. Besides the different IP addresses and encryption key, we see almost identical behavior.
However, this particular variant uses a slightly different implementation and tries to obtain the default Windows user-agent string.
If this is not successful, the sample uses its hardcoded version:
Like the Linux variant, it connects to its C&C server in the same way: once per minute it sends a heartbeat signal via HTTP (GET /v1). To retrieve commands or to upload or download additional resources, it uses TCP Port 433.
It uses almost the same filename templates to save the obtained screenshots, audiocaptures, keylogs and other arbitrary data. Unlike the Linux variant, in this sample the keylogger is active. Below you can see the content of a keystroke logfile, located in %TEMP% and created by this sample:
And again, we spotted some unexpected code. The following screenshot shows references to code which is able to capture images from a connected camera, such as a built-in webcam.
Similar to the Linux version, the author left quite a number of suspicious strings in the binary. The following string is surprisingly honest.
From the criminal’s point of view, it’s important that the software looks legitimate and that Windows doesn’t asks the user for confirmation prior to execution of unknown software. On Windows machines this can be achieved by using Trusted Code Signing Certificates. In this particular case, the criminal managed to sign the binary with a trusted certificate from “COMODO RSA Code Signing CA”.
We detect this type of malware as Backdoor.Win32.Mokes.imv.
Since this software was intentionally designed to be platform independent, we might see also corresponding Mac OS X samples in the future.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “%PERSISTENT-FILENAME%”, “%PERSISTENT-FILEPATH%”
where %PERSISTENT-FILENAME% is one of the filenames above
and %PERSISTENT-FILEPATH% is the corresponding path
WhatsApp to Share your Personal Data With Facebook
WhatsApp to Share your Personal Data With Facebook
Recently the Facebook-owned messaging app dropped its $1 annual subscription fee to make WhatsApp Free for Lifetime.
Now, WhatsApp has plans to introduce a new feature that would allow its users to integrate their Facebook accounts with the most widely used messaging app.
So far, the social media giant has been focusing on its own messaging platform, Messenger and both WhatsApp and Facebook have been working separately in terms of adding new features.
WhatsApp to Share User Data With Facebook
Android developer Javier Santos spotted a new feature in the latest beta build of WhatsApp, which indicates that soon you’ll start seeing some features interconnected between WhatsApp and Facebook.
The feature (optional, for now), dubbed "Share my account info," when selected will share your personal WhatsApp account information with Facebook in order "to improve your Facebook experience," according to the description.
Although it's unclear how exactly the new feature works, it is believed that the feature may help you share photos to your timeline and create an album shortcut via WhatsApp or vice versa.
Facebook-WhatsApp Deeper Integration
From past two years, we haven't noticed any Facebook and WhatsApp integration, but this minor change made by WhatsApp raised doubt in our minds that Why the social media giant is merging WhatsApp with Facebook.
When Facebook acquired WhatsApp in 2014 for over $20 Billion, CEO Mark Zuckerberg confirmed that Facebook and Whatsapp would continue to co-exist as separate platforms.
At that time, WhatsApp team also assured its users that nothing would change and that the popular messaging app would operate independently.
However, this recent update considered being the first step towards merging the two popular platforms in an effort to take control of the popular messaging market and sustain growth together.
WhatsApp to Offer End-to-End Encryption
Moreover, The beta build of WhatsApp also includes a new section completely focused on users' privacy, indicating that the popular messaging service is looking to bolster security in order to make its user conversations more secure.
The new feature, dubbed "Show Security Indicators," will be imbibed in WhatsApp in an impending update. The feature is similar to the one Apple uses in its iMessage.
When enabled, the feature will encrypt all your chats and calls with End-to-End encryption, meaning users' conversations cannot be spied on; not even by WhatsApp itself.
This could be just a start, and we could see a deeper Facebook-WhatsApp integration in future that could even allow users to send messages between WhatsApp and Facebook Messenger.
Google Wants to Fly Drones Over Your Head to Deliver High Speed 5G Internet
Would you enjoy If Drones hovering outside your window or above your head, just because it is offering High-Speed Internet Service?
Most Americans may simply prefer to "Shoot Down" unwelcome items.
Well, Google is working on a similar secret project, codenamed Project Skybender, to beam faster internet service, as fast as 5G, from the air.
Google is currently testing multiple prototypes of Solar-powered Internet Drones in the New Mexico desert, as per some documents obtained by the Guardian under public records laws.
To ensure security, Google is also said to have installed its own dedicated flight control centre near Spaceflight Operations Center at the Spaceport America facility in the town of Truth or Consequences, New Mexico.
Google's Project SkyBender Drones are equipped with millimetre-wave radio transmissions to deliver next generation 5G wireless Internet, up to 40 times faster than 4G LTE systems.
Drones — Privacy Nightmare
Drones — Privacy Nightmare
If it sounds like really exciting to you…
...wait! Actually, it could be a privacy nightmare.
Don't you think, these drones are the most dangerous toys yet? The increasing popularity of Drones — domestic, commercial, and military — has raised national debates over rights to privacy and self-defense.
We've already seen reports of drones being used to:
Spy on Cell Phone Users by Advertisers.
Spy on Sensitive Targets (Cyber Weaponized Drones) by Intelligence Agencies.
Infiltrate Your Home/Corporate Networks by Anyone.
Hack Smartphones by Hackers.
Map and Scan Internet-of-Things from Sky.
Legally Hunt down Criminals with Weaponized Drones.
No one wants to be spied on. Google's Project SkyBender is sensitive and controversial that could be misused in many different ways.
Just yesterday, we reported that the police departments in California are using Cell Phone surveillance technology, known as DirtBox, mounted on small aircraft (even drones) to track, intercept thousands of cellphone calls and quietly eavesdrop on millions of conversations, emails, and text messages.
Project SkyBender is part of Google's Project Loon, another move by the tech giant to deliver internet access down to earth using hot air balloons floating through the stratosphere.
Project Skybender is being tested with two kinds of Aircrafts:
Solar-powered drones developed by Google's Titan Aerospace team
Aircraft called Centaur
Google is already running out of time as the Federal Communications Commissions (FCC) has granted permission for airborne testing only until July 2016.
What do you think about Google's secret project? Share your comments below.
HSBC online banking services offline due to a DDoS attack
The British branch of the HSBC bank has suffered for the second time in a month a cyber attack that brought its services offline.
It’s happened again, HSBC customers were not able to access the online services of the bank due to a DDoS attack that hit the financial institution.
“HSBC UK internet banking was attacked this morning. We successfully defended our systems.” states a Tweet sent by the official account of the bank.
“We are working hard to restore services, and normal service is now being resumed. We apologise for any inconvenience.”
A spokesperson for HSBC confirmed to the BBC that a DDoS attack hit the bank:
“HSBC internet banking came under a denial of service attack this morning, which affected personal banking websites in the UK.”
According to media, users were not able to access bank services, including the personal banking app since 8.30am this morning. Some users reported they have been redirected to “www.security.hsbc.co.uk” while trying to login via their browser.
Curiously the security team at HSBC is claiming to have “successfully defended” the attack despite the serious outage suffered by its services.
This is the second time the services of the bank were not accessible this month, on January 4th the chief operating officer profoundly apologised for an online outage that lasted two entire days.
A severe flaw in OpenSSL allows hackers to decrypt HTTPS traffic
Developers of OpenSSL issued a patch that fixes a high-severity vulnerability that allows attackers to decrypt secure traffic.
The development team at the OpenSSL has issued a security patch to fix a flaw, coded as CVE-2016-0701, that could be exploited by hackers to decrypt secure traffic.
The flaw was reported on January 12 by Antonio Sanso of Adobe who elaborated an attack method based on a key recovery method described in a paper published in 1997.
The developers have patched two separate vulnerabilities in OpenSSL, the most severe affects the implementations of the Diffie-Hellman key exchange algorithm presents only in OpenSSL version 1.0.2.
The OpenSSL 1.0.2 includes the support for generating X9.42 style parameter files as required in RFC 5114, unfortunately, the primes in these files may not be “safe,” which allows in certain circumstances attackers to obtain the key needed to decrypt traffic.
Let me remind you that the OpenSSL Project doesn’t support the versions 0.9.8 and 1.0.0 since December 31, 2015, and they don’t receive security updates.
OpenSSL is widely used in applications for secure data traffic, most websites use the library to enable the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.
Connections that rely on TLS configured with parameters based on unsafe primes are open to eavesdropping because the attacker could obtain information to recover the private DH exponent.
“If an application is using DH configured with parameters based on primes that are not“safe” or not Lim-Lee (as the one in RFC 5114) and either Static DH ciphersuites are used or DHE ciphersuites with the default OpenSSL configuration (in particular SSL_OP_SINGLE_DH_USE is not set) then is vulnerable to this attack.” states a blog post published by Sanso.
“It is believed that many popular applications (e.g. Apache mod_ssl) do set the SSL_OP_SINGLE_DH_USE option and would therefore not be at risk (for DHE ciphersuites), they still might be for Static DH ciphersuites.”
OpenSSL usually uses short-lived DH exponents in TLS, namely SSL_OP_SINGLE_DH_USE, that is not enabled by default,
There are various solutions to mitigate the risk, the developers of LibreSSL deprecated the use of the SSL_OP_SINGLE_DH_USE, meanwhile the developers at the OpenSSL Project added a check to detect attacks in the case of static ciphersuites and by enabling the SSL_OP_SINGLE_DH_USE option.
This week OpenSSL also released the 1.0.1r version to fix a second low severity SSLv2 cipher issue coded as CVE-2015-3197.
The new release also included other code developed to harden the systems against the Logjam attack.
“Logjam vulnerability can be triggered through man-in-the-middle (MitM) attacks to downgrade connections to 512-bit export-grade cryptography. Logjam could be exploited on the servers that support the “Diffie-Hellman key exchange” cryptographic algorithm, which is used by protocols like HTTPS, SSH, SMTPS, IPsec to negotiate a secret key and establish a secure connection.” states my previous blog post“
Once the attacker downgrades encrypted connections between a user and the web server to use weaker 512-bit keys which can be easily decrypted.”
Summarizing, if you still use OpenSSL version 1.0.2, upgrade to 1.0.2f, while if you are still using version 1.0.1 should install 1.0.1r.
ISIS – The first man charged of cyber terrorism has been extradited to the US
Malaysia extradited a hacker charged by DoJ with stealing the personal data of US members and passing it to the ISIS.
A former computer science student accused of supporting the ISIL terrorist group has arrived in the US to face charges.
The former computer science student Ardit Ferizi is charged with hacking crimes and providing support to a terrorist organization. The 20-year-old man is accused of supporting the ISIS terrorist organization, he was the subject of extradition from the Malaysian government, where he lived. The man of Kosovar origin was studying computer science in Malaysia.
He was arrested in Malaysia in September and now he was transferred to the US to face trial. He is being tried in the US Eastern District Court in Virginia
If the accusation from the US Department of Justice is confirmed he risks 35 years of imprisonment.
According to the US investigators, he provided the data to the popular IS militant Junaid Hussain, which disclosed it on the web. The collaboration between the IS hackers Hussain and Ferizi started in April according to the US authorities.
Data included names, e-mail addresses, passwords, locations and phone numbers of 1,351 U.S. military and other government personnel.
The stolen data included names, physical addresses, phone numbers, email addresses, and passwords.
“Ardit Ferizi is a terrorist hacker who provided material support” said the Assistant Attorney General John Carlin. “This case is a first of its kind and, with these charges, we seek to hold Ferizi accountable for his theft of this information and his role in ISIL’s targeting of U.S. government employees,” Carlin said, using an acronym for the Islamic State.
He passed the precious information to members of the ISIS to hit personnel of the US Government.
“Specifically, the [data] stolen by Ferizi was knowingly provided to ISIL to be used by ISIL members and supporters to conduct terrorist attacks against the US government employees whose names and addresses were published,” the DOJ charges in its complaint.
The US authorities suspect that Ferizi is a member of a Kosovan hacking team known as KHS, he used the pseudonymous of “Th3Dir3ctorY”. The KHS breached a database of a US retailer was able to identify the records belonging to military and government personnel.
I wrote about Ferizi in October 2016, when the man was arrested by Malaysian authorities because for the first time ever the US Justice Department has charged a suspect for terrorism and hacking (cyber terrorism).
The Kosova Hacker’s Security (KHS) hit numerous organizations across the world, including Serbian Government websites, Israeli websites under the #OpIsrael campaign, The Interpol, IBM Research, Hotmail, US National Weather Service Website and numerous targets in Ukraine.
Police Using Planes Equipped with Dirtbox to Spy on your Cell Phones
California Police Using Planes Equipped with Dirtbox to Spy on your Cell Phones
The Anaheim Police Department of California — Home of Disneyland — admitted that they used special Cell Phone surveillance technology, known as DirtBox, mounted on aircraft to track millions of mobile users activities.
More than 400 pages of new documents [PDF] published Wednesday revealed that Local Police and federal authorities are using, DRTBox, an advanced version of Dirtbox developed by Digital Receiver Technology (Boeing Company subsidiary).
DRTBox — Spies in the Sky
DRTBox is a military surveillance technology that has capabilities of both Stingray as well as Dirtbox, allowing the police to track, intercept thousands of cellphone calls and quietly eavesdrop on conversations, emails, and text messages.
According to the report, DRTBox model is also capable of simultaneously breaking the encryption hundreds of cellphone communications at once, helping Anaheim Police Department track criminals while recording innocent citizens' information.
"This cell phone spying program – which potentially affects the privacy of everyone from Orange County’s 3 million residents to the 16 million people who visit Disneyland every year – shows the dangers of allowing law enforcement to secretly acquire surveillance technology," said Matt Cagle, technology and civil liberties policy attorney for ACLU-NC.
Besides Dirtbox, the police also purchased multiple Stingray devices, including one that can monitor LTE (Long Term Evolution) networks.
How does DRTBox Work?
DRTBox is capable of retrieving data from tens of thousands of mobile phones during a single flight in order to target criminals and suspects. However, the data on a vast number of innocent people are also being collected.
"Our products are lightweight, low power, small, and are supportable on multiple platforms. Our products are featured in UAVs, planes, helicopters, vehicles, towers, and on walk-tests, submarines, and boats." DRT website claims.
Generally, DRTBox works by masquerading as a cell phone tower. All the mobile phones, within the range that automatically connect to the strongest and nearest cell tower, respond to this signal and trick victims into connecting to it.
DRTBox also collects Hardware Numbers (registration information and identity data) associated with the phone – uniquely identifying IMEI numbers stored in every mobile device.
DRTBox surveillance device runs a Man In the Middle (MITM) attack that could not be detected by the users easily and thus, allows Police to track and catch criminals like drug-traffickers.
As it targets all nearby cellular devices, so Law Enforcements are able to get information from hundreds of devices concurrently.
How does DRTbox Crack Carrier-based Encryption?
Wireless Carriers are using various Encryption technologies to protect the privacy of cellphone communications, which is built into modern GSM 2G, 3G, 4G and LTE networks.
Since GSM is nearly 30 years old and deprecated over the time because of lack of tower authentication, bad key derivation algorithms and terrible encryption algorithms, it is easily crackable.
However, 3G, 4G and LTE networks use strong encryption to encrypt all communication between the handset and the local tower.
If you are using 3G/4G SIM, then you must be aware, in the case of network unavailability, your 3G/4G connections automatically drop down (failover or fallback) to GSM connection.
It seems that DRTbox exploits this fallback feature to implement a rollback attack -- jamming 3G/4G connection and thus re-activating all of the GSM attacks to crack encryption easily in order to intercept calls and other data that would have been harder to break, particularly in bulk.
The government can then figure out who, when and to where a target is calling from, the precise location of every device within the range and even capture the content of your communication.
In this way, the federal agencies and local police can safely engage in passive, bulk surveillance without having original decryption keys and without leaving any trace whatsoever.
Last year, the Department of Justice that oversees the FBI as well as the Department of Homeland Security announced a policy that required the Federal Investigation of Bureau and other federal authorities to obtain a court authorization or warrant before deploying these tracking devices.
Moreover, some individual states, including California, also passed a law that requires a warrant for the use of Stingrays and similar tracking devices.
Still, these spying devices continue to be used without the knowledge of citizens.
According to the documents, the police force lent its technology to police departments all over Orange County, thus, it impacted not only local residents but also 3 Million people live in Orange County and 16 Million people visiting Disneyland every year.
Anarchist operation, US and UK spied on Israeli UAVs and fighter jets
Anarchist operation – US and UK intelligence secretly tapped into live video feeds from Israeli UAVs and fighter jets, monitoring military operations.
According to a new lot of documents leaked by the popular whistleblower Edward Snowden, the US and British intelligence agencies have hacked for years into Israeli Air Surveillance under an operation codenamed Anarchist. Snowden, who served as an intelligence contractor for the NSA, leaked the secret documents in 2013.
Yediot Aharonot that reported the news, revealed that the Anarchist operation began in 1998 at the US National Security Agency (NSA) site at Menwith Hill (UK) and at the British facility in the Troodos mountains of Cyprus. The Western intelligence was monitoring the Israeli surveillance operations conducted in the Middle East involving a fleet of drones.
“Under a classified program code-named “Anarchist,” the U.K.’s Government Communications Headquarters, or GCHQ, working with the National Security Agency, systematically targeted Israeli drones from a mountaintop on the Mediterranean island of Cyprus.” states The Intercept.
The Yediot first reported the information in the documents to the Israeli military censor, later it decided to publish them.
“From the documents it emerges that Israel operates a large fleet of unmanned aerial vehicles,” states the Yediot. “They collect intelligence in the Gaza Strip, the West Bank and throughout the Middle East and were even used according to the editors (of the Snowden files) for gathering intelligence to plan the bombing of Iran.”
The secret documents for the first time published images of armed Israeli drones, they also revealed that UK and British spies breached the F16 fighter pilots’ heads-up display.
“It’s as if they sat with them in the cockpit,” the paper wrote. “It’s a look into the secret Israeli combat world,” it said. “Potential targets, aims, priorities and capabilities, from Israel’s view of its enemies. The United States and Britain profited from Israel’s superb intelligence abilities and saw everything that Israel saw.”
“On January 3, 2008, as Israel launched airstrikes against Palestinian militants in Gaza, U.S. and British spies had a virtual seat in the cockpit.” continues The Intercept. “Satellite surveillance operators at Menwith Hill, an important NSA site in England, had been tasked with looking at drones as the Israeli military stepped up attacks in Gaza in response to rockets fired by Palestinian militants, according to a 2008 year-end summary from GCHQ. In all, Menwith Hill gathered over 20 separate drone videos by intercepting signals traveling between Israeli drones and orbiting satellites.”
The Israeli authorities don’t provide any official comments to the document, Yuval Steinitz, minister of energy and a former intelligence minister, expressed his disappointment:
“We are not surprised. We know that the Americans spy on everyone including us, their friends,” he told Israeli army radio. “It’s disappointing nonetheless because of the fact that for decades we haven’t spied or gathered intelligence or broken codes in the United States.”
According to the Yediot, these last collection of documents will have a serious impact on the Israeli intelligence, it quoted an unnamed senior Israeli intelligence official describing the latest report as “an earthquake.”
“Apparently none of our encoded communications devices are safe from them,” states an unnamed senior Israeli intelligence official quoted by the Yediot.
CenterPOS – The evolution of POS malware
Security Experts at FireEye discovered a new strain of POS malware dubbed CenterPOS that is threatening the retail systems.
In the last 2/3 years, we have seen a significant increase in the number of POS malware, their diffusion is becoming even more worrying. We read about many high-profile breaches that involved high-complex malware targeting payment systems worldwide.
Today we catch up with CenterPOS, a malicious code under investigation of FireEye experts. This fairly new malware was discovered in September 2015 in a folder that contained other POS malware, including NewPoSThings, two Alina variants known as “Spark” and “Joker,” and the infamous BlackPOS malware.
The sample analyzed by FireEye is identified with an internal version number 1.7 and contains a “memory scraper that iterates through running processes in order to extract payment card information. The payment card information is transferred to a command and control (CnC) server via HTTP POST”:
Many variants of the malware version 1.7 were found, associated with different CC locations:
FireEye even discovered a live CnC server that show that in the underground the malware is known as “Cerebrus”( don’t mix it with the RAT also known as Cerberus):( don’t mix it with the RAT also known as Cerberus):
Besides the version 1.7, a version 2.0 was found, and it’s very similar with 1.7 with the difference that in version 2.0 its used a config file to store the information related to the CC server.
“The malware contains two modes for scraping memory and looking for credit card information, a “smart scan” mode and a “normal scan” mode. The “normal scan” mode will act nearly the same as v1.7”
The CenterPOS scans all processes searching for those that meets the following criteria:
The process is not the current running process.
The process name is not in the ignore list.
The process name is not “system,” “system idle process,” or “idle.”
The process file version info does not contain “microsoft,” “apple inc,” “adobe systems,” “intel corporation,” “vmware,” “mozilla,” or “host process for windows services.”
The process full path’s SHA-256 hash is not in the SHA-256 blacklist.
If a process meets the criteria ” the malware will search all memory regions within the process searching for credit card data with regular expressions in the regular expression list.”
Moving on to the “smart scan”, this scan is initiated with a normal scan, and “any process that has a regular expression match will be added to the “smart scan” list. After the first pass, the malware will only search the processes that are in the “smart scan” list.”
“After each iteration of scanning all process memory, the malware takes any data that matches and encrypts it using TripleDES with the key found in the configuration file.”
The malware sends information to the CC server about the “hacked” system including the current settings, always after a performed scan. The collected info includes all system users, logged in users, sessions, process list, and current settings list. The info is send by a separate HTTP POST request.
” The malware primarily sends data to the CnC server, but can also receive commands and in addition to processing commands, the malware also accepts commands to update its current settings.”
The next table includes data related the variants of the CenterPOS version 2.0 found by FireEye:
As I referred in the beginning of the article, many POS malware were found in the last 2/3 years and this is related with the huge demand criminal underground. Retailers represent a privileged target to steal payment card information and get money.
CenterPOS or Cerebrus, as will likely continue to evolve, their authors will include more functionalities in future versions.
If you feel interested to get more details, please visit FireEye blog, here.
Critical OpenSSL Flaw Allows Hackers to Decrypt HTTPS Traffic
The OpenSSL Foundation has released the promised patch for a high severity vulnerability in its cryptographic code library that let attackers obtain the key to decrypt HTTPS-based communications and other Transport layer security (TLS) channels.
OpenSSL is an open-source library that is the most widely used in applications for secure data transfers. Most websites use it to enable Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.
However, after serious security vulnerabilities were discovered in OpenSSL over the last few years, the crypto library has been under much investigation by security researchers.
The latest bugs affect OpenSSL versions 1.0.1 and 1.0.2, which has been patched in new releases of OpenSSL, versions 1.0.1r and 1.0.2f.
The team has patched two separate vulnerabilities in OpenSSL. The "high severity" bug, identified as CVE-2016-0701, addresses issues in the implementations of the Diffie-Hellman key exchange algorithm presents only in OpenSSL version 1.0.2.
Re-Use of Encryption Keys
Diffie-Hellman (DH) is a common means of exchanging cryptographic keys over untrusted channels, allowing protocols like HTTPS, SSH, SMTPS, IPsec to negotiate a secret key and create a secure connection.
However, the applications that rely on the DH key exchange algorithm generate ephemeral keys using only "safe" prime numbers, but servers that do this reuse the same primes by default, which makes them vulnerable to the key-recovery attack.
Attackers could exploit this flaw by potentially making multiple connections with a vulnerable server and searching for TLS server's private Diffie-Hellman key if the server was re-using the private key or using a static Diffie-Hellman ciphersuite.
However, OpenSSL has the SSL_OP_SINGLE_DH_USE option for ephemeral Diffie-Hellman in TLS. But the option was turned OFF by default that made the server reuse the same private exponent, making it vulnerable to this type of attack.
Must Read: How NSA successfully Broke Trillions of Encrypted Connections.
Fortunately, many mainstream applications, like The Apache Web server that rely on OpenSSL and use Diffie-Hellman, turns ON SSL_OP_SINGLE_DH_USE, causing different private exponents to be used.
OpenSSL said in an advisory published today that the team has turned ON SSL_OP_SINGLE_DH_USE option by default. You can go to OpenSSL official blog post to know additional details about the flaw.
Force to Use Weaker SSLv2 Ciphers
The "low severity" vulnerability, CVE-2015-3197 that affects versions 1.0.2 and 1.0.1, has also been patched in the latest release, which allows attackers to force SSLv3 connections through the weaker SSLv2 ciphers.
"A malicious client can negotiate SSLv2 ciphers that have been disabled on the server and complete SSLv2 handshakes even if all SSLv2 ciphers have been disabled, provided that the SSLv2 protocol was not also disabled via SSL_OP_NO_SSLv2," the team said.
However, the team said that disabling SSLv2 ciphers on your server will not help and that incoming client can still complete SSL handshakes with the server, thereby establishing a non-secure SSLv2 connection.
Remember Logjam Downgrade Flaw?
The project team said the Thursday's release also contained an enhancement to strengthen cryptography against LogJam, an HTTPS-crippling vulnerability in TLS disclosed last May.
Logjam downgrade vulnerability allowed hackers to downgrade Diffie-Hellman-generated encrypted connections between a user and a Web or email server to use extremely weaker 512-bit keys that can be easily decrypted.
The previous patch had increased the limit of Diffie-Hellman parameters to 768 bits, but OpenSSL has now increased this limit to 1,024 bits.
If you are using OpenSSL version 1.0.2, it's time for you to upgrade to version 1.0.2f. While those still using OpenSSL version 1.0.1 should install version 1.0.1r.
Among other recommendations, Thursday's OpenSSL advisory also warns that the patch may compromise performance, along with reminding users that support for OpenSSL version 1.0.1 will end at the end of this year, after which no security updates will be available.
However, Support for OpenSSL versions 0.9.8 and 1.0.0 already ended in December.
ATP group uses Word Docs to drop BlackEnergy Malware
The APT group behind the attacks against critical infrastructure in Ukraine is spreading BlackEnergy malware through specially crafted Word documents.
Malicious campaigns leveraging the BlackEnergy malware are targeting energy and ICS/SCADA companies from across the world. The threat actors behind the recent attacks based on the popular malware are now targeting critical infrastructure in Ukraine.
In December 2015, a cyber attack contributed to a power outage in the Ivano-Frankivsk region. The last variant spread in Ukraine included the KillDisk module that is designed to wipe the targeted systems and make systems inoperable.
The experts at the Ukrainian security firm Cys Centrum discovered that the APT group behind the attack against the Ukraine infrastructure had leveraged PowerPoint presentations to spread the BlackEnergy Trojan. Experts at Kaspersky confirmed that the APT group started using macros in specially crafted Excel spreadsheets to serve the malware on the infected systems. The attackers also used World document in their attacks.
“Few days ago, we came by a new document that appears to be part of the ongoing attacks BlackEnergy against Ukraine. Unlike previous Office files used in the recent attacks, this is not an Excel workbook, but a Microsoft Word document: “$RR143TB.doc” (md5: e15b36c2e394d599a8ab352159089dd2)” states Kaspersky.
The ICS-CERT confirmed the use of Word documents to spread the malware.
“Recent open-source reports have circulated alleging that a December 23, 2015, power outage in Ukraine was caused by BlackEnergy Malware. ICS-CERT and US-CERT are working with the Ukrainian CERT and our international partners to analyze the malware and can confirm that a BlackEnergy 3 variant was present in the system. ” states the US-CERT”
“in this case the infection vector appears to have been spear phishing via a malicious Microsoft Office (MS Word) attachment. ICS-CERT and US-CERT analysis and support are ongoing, and additional technical analysis will be made available on the US-CERT Secure Portal.”
The experts at Kaspersky confirmed that a malicious word document referenced the Ukrainian nationalist party Pravyi Sektor, was uploaded to an online scanner service on January 20, but only a few security solutions were able to detect the threat.
To trick users into enabling the macro, the victims open the document are displayed a message that requests to enable the macros.
When victims enable macros, an executable file named “vba_macro.exe” is written to the disk, it is the BlackEnergy dropper.
“As we can see, the macro builds a string in memory that contains a file that is created and written as “vba_macro.exe”.
The file is then promptly executed using the Shell command. The vba_macro.exe payload (md5: ac2d7f21c826ce0c449481f79138aebd) is a typical BlackEnergy dropper.”
According to the experts at Kaspersky, the BlackEnergy malware was created by a hacker known as Cr4sh that sold the code in 2007 for $700. The source code was used for numerous attacks, including the DDoS cyber attacks that targeted the Georgia in 2008, while the country was invaded by the Soviet Russian (RSFSR) Red Army.
The APT group behind the attack continued using the BlackEnergy malware against critical infrastructure in Ukraine
“BlackEnergy is a highly dynamic threat actor and the current attacks in Ukraine indicate that destructive actions are on their main agenda, in addition to compromising industrial control installations and espionage activities”
Two thirds of the Android devices are vulnerable to Lockdroid ransomware
Experts at Symantec detected Lockdroid a new piece of Android ransomware capable of locking devices and fully wiping user data via factory resets.
A new strain of ransomware called Lockdroid (Android.Lockdroid.E) is threatening Android users. The mobile ransomware has been detected by experts at Symantec, it is able to lock the device, change the PINs, encrypt user data, and perform other operation including fully wiping data forcing a factory reset.
Lockdroid is also able to prevent victims from uninstalling it, even through the command line interface.
“Symantec has found an Android ransomware variant (Android.Lockdroid.E) that uses new tactics, involving a fake package installation, to trick users into giving the malware device administrator rights. As well as encrypting files found on the compromised device, if administrator rights are obtained, the malware can lock the device, change the device PIN, and even delete all user data through a factory reset.” Symantec’s Martin Zhang wrote in a blog post.
This strain of Android ransomware uses clickjacking to become device administrator. It is important to highlight that clickjacking attacks are effective only in versions prior to 5.0 Lollipop that by prevents dialog messages from displaying over the system permission dialog.
This means that at the time I was writing, 67,4% of Android systems are vulnerable to clickjacking.
The experts discovered Lockdroid tricking users into providing it with device administrator rights, it poses as an application for viewing adult content. The application displays a fake “Package Installation” window that tricks users into giving administrator privileges in order to launch malicious operations.
The Lockdroid ransomware displays a TYPE_SYSTEM_ERROR window on the highest layer on the screen to hide the call to the device administrator requesting API, after the user clicks the “Continue” button it displays a fake “Unpacking the components” dialog. The malware wait a few seconds without doing anything, then it displays a final “Installation is Complete” dialog, in this case, it uses a TYPE_SYSTEM_OVERLAY window to hide the window that asks for the activation of administrative privileges.
When the device is infected, users will be prompted to pay a ransom, threatened by the loss of the encrypted data and the submission of the user’s browsing history to all their contacts.
Experts at Symantec observed that the ransomware uses the clickjacking technique to perform other activities, including root permission management on rooted devices.
“An example is root permission management, a tool that is ubiquitous among the growing rooted device user base. This tool listens on the system for any app trying to elevate its privileges to root (by calling “su”) and presents a dialog to the user asking permission on behalf of the app before allowing it to proceed. Using the above window overlaying trick, malware could circumvent this safety feature and operate freely.” continues the post.
Fortunately the malicious application used as the attack vector, the Porn ‘O’ Mania, is not available on the official Google Play, as usual let me suggest to users to download and install applications only from trusted app stores.
Tails 2.0 is out to protect your privacy and anonymity
Tails 2.0 is available for download, it implements new features, including security improvements.
Speaking about privacy and operating system, we are obliged to mention the popular Debian-based distribution Tails “The Amnesiac Incognito Live System.” Now the version 2.0 is available online! Tails is a popular live operating system specifically designed to protect user privacy and anonymity online.
Tails 2.0 was upgraded to Debian 8.0, considered more stable and that fix a number of issues affecting the previous version of Debian.
The live Tails distro can start on almost any computer from removable devices like a DVD, USB stick, and SD card leaving no trace of the user’activity.
The Tails distribution is also famous because the famous whistleblower Edward Snowden is one the most important users.
Tails offers better protection than just using the Tor browser alone on a typical operating system, is also includes a set of tools to protect the user anonymity, such as the Tor Browser and the I2P anonymizing software. The Tails live OS is designed to route all the user traffic over the Tor network to prevent applications from eavesdropping the user’s traffic.
Tails 2.0 includes the latest version of the Tor Browser (5.5).
The most important improvement implemented in the Tails 2.0 is the addition of the Gnome Shell desktop environment in its Classic Mode, which makes very user-friendly the distribution, with classic places menu, and windows list.
“Tails now uses the GNOME Shell desktop environment, in its Classic mode. GNOME Shell provides a modern, simple, and actively developed desktop environment. TheClassic mode keeps the traditional Applications, Places menu, and windows list. Accessibility and non-Latin input sources are also better integrated.” states the official post published by the TorProject.
Of course, Tails 2.0 is considered even more secure, the new version implements a sandboxing mechanism for a number of services to make them more resilient to exploits and other forms of attacks.
Among the upgrades, the change to
as init system and use it to:
Sandbox many services using Linux namespaces and make them harder to exploit.
Make the launching of Tor and the memory wipe on shutdown more robust.
Sanitize our code base by replacing many custom scripts.
The new Tails 2.0 includes the update for most firmware packages which might improve hardware.
Tails 2.0 includes a redesigned download and installation process, it is quite easy to install Tails safely such as its components, avoiding tampering of packages.
Be aware, it is impossible to upgrade the existing Tails distro to the 2.0 version due to the improvement implemented.
Caution, Hackers targeted the cPanel Database
The cPanel Inc. company that manages the popular web hosting account management tool is warning customers about a possible data breach occurred over the weekend.
According to the cPanel firm customers’ account information may have been compromised, hackers tried to access a database containing users’ data, including names, salted passwords, and contact information. cPanel Inc. added that financial have not been accessed because are stored on a different server. The company said it interrupted the breach, but the hackers might have still gained access to the details of cPanel Store and Manage2 users.
“I am writing to let you know that one of our user databases may have been breached. Although we successfully interrupted the breach, it is still possible that user contact information may have been susceptible.” states the official cPanel’s statement.
“The customer contact information that may have been susceptible is limited to names, contact information, and encrypted (and salted) passwords. Please note that our credit card information is stored in a separate system designed for credit card storage and is not impacted by this possible breach.”
The company announced the adoption of further measures to protect its systems and customers, it will force a password reset to limit the impact of the alleged security breach.
“Although current passwords are stored salted and encrypted, we are accelerating our move to stronger password encryption at the same time in order to minimize disruption. In order to safeguard the system, we will force all users with older password encryption to change their passwords,” says Aaron Stone, director of internal development at cPanel.
A couple of weeks ago, cPanel released new builds that fix dozen vulnerabilities in both cPanel & WebHost Manager versions, some of the flaws are critical and could be exploited by hackers to execute arbitrary code.
“It is important to highlight that this incident was not related to cPanel products or the Targeted Security Release published on January 18th.”
cPanel urges customers to change passwords provided to cPanel tech support via the ticket system.
ISIS offers hackers up to $10,000 to hack govt websites
The ISIS radical group is trying to infiltrate the Indian hacking community by offering money to hack government websites. 30,000 people on social media have been already contacted by the group.
Members of the ISIS are willing to pay Indian hackers to hack into government websites and gain access to sensitive documents. The radical organization is offering money to create a database of potential Indian candidates from social media, who will hack government websites will receive up to $10,000 for every successfully cyber attack.
“There are various underground communities online where hackers interact regularly. Our investigation reveals that for the past six months, lucrative offers for stealing government data came pouring in and hackers were offered a huge sum. Such amount has never been offered to any Indian hacker before. We found that the offers were being made to spread ISIS reach in the country,” said the cyber crime expert Kislay Choudhary.
The theft of Government data through cyber attacks against its systems is a strategic intelligence activity conducted by the Daesh organization. The ISIS is already conducting a massive campaign through social media, over 30,000 youngsters have reportedly been in contact with members of the organization.
The Daesh is focusing its recruiting activity on the Indian hacking community, many hackers are based out of various parts of south India, including Kashmir, Maharashtra, and Rajasthan.
“Indian handlers are now creating local content to spread their propaganda in Hindi, Tamil, Gujarati, Urdu and other vernacular languages on cyberspace. In the past, Bangla has also been used to spread ISIS’ hate propaganda, targeting vulnerable youths in Bangladesh and India.” continues the post published by the DailyMail.
Intelligence agencies have already arrested twelve suspects in India, the individuals were in contact with the active members of ISIL in Syria and were planning an attack ahead of Republic Day.
“The work of Indian handlers is to identify people who tweet or share pro- ISIS and anti-West posts. Such users are potential ISIS sympathisers. Such people are contacted by ISIS members on social media and engaged in religious conversations. After assessing their mindset, pro-ISIS content and videos are shared. If they show interest, they are enrolled into the terror outfit.” a senior officer of a central security agency.
The IS propaganda aims to influence the sentiment of the young hackers on the jihad and operates through social media.
“They spread their message with popular keywords and hashtags to reach a wider audience,” a security official said.
In response to the online activity in India, security agencies have taken down IS-related content on the Internet, 94 websites that were connected with the ISIL have been already blocked according to the Maharashtra ATS.
The Indian government is planning a 24/7 war room to monitor social media activities of the group.
BlackEnergy APT Attacks in Ukraine employ spearphishing with Word documents
Late last year, a wave of cyber-attacks hit several critical sectors in Ukraine. Widely discussed in the media, the attacks took advantage of known BlackEnergy Trojans as well as several new modules.
BlackEnergy is a Trojan that was created by a hacker known as Cr4sh. In 2007, he reportedly stopped working on it and sold the source code for an estimated $700. The source code appears to have been picked by one or more threat actors and was used to conduct DDoS attacks against Georgia in 2008. These unknown actors continued launching DDoS attacks over the next few years. Around 2014, a specific user group of BlackEnergy attackers came to our attention when they began deploying SCADA-related plugins to victims in the ICS and energy sectors around the world. This indicated a unique skillset, well above the average DDoS botnet master.
For simplicity, we’re calling them the BlackEnergy APT group.
One of the prefered targets of the BlackEnergy APT has always been Ukraine. Since the middle of 2015, one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros that drop the Trojan to disk if the user chooses to run the script in the document.
A few days ago, we discovered a new document that appears to be part of the ongoing BlackEnergy APT group attacks against Ukraine. Unlike previous Office files used in previous attacks, this is not an Excel workbook, but a Microsoft Word document. The lure used a document mentioning the Ukraine “Right Sector” party and appears to have been used against a television channel.
At the end of the last year, a wave of attacks hit several critical sectors in Ukraine. Widely discussed in the media and by our colleagues from ESET, iSIGHT Partners and other companies, the attacks took advantage of both known BlackEnergy Trojans as well as several new modules. A very good analysis and overview of the BlackEnergy attacks in Ukraine throughout 2014 and 2015 was published by the Ukrainian security firm Cys Centrum (the text is only available in Russian for now, but can be read via Google Translate).
In the past, we have written about BlackEnergy, focusing on their destructive payloads, Siemens equipment exploitation and router attack plugins. You can read blogs published by my GReAT colleagues Kurt Baumgartner and Maria Garnaeva here and here. We also published about the BlackEnergy DDoS attacks.
Since mid-2015, one of the preferred attack vectors for BlackEnergy in Ukraine has been Excel documents with macros which drop the trojan to disk if the user chooses to run the script in the document.
For the historians out there, Office documents with macros were a huge problem in the early 2000s, when Word and Excel supported Autorun macros. That meant that a virus or trojan could run upon the loading of the document and automatically infect a system. Microsoft later disabled this feature and current Office versions need the user to specifically enable the Macros in the document to run them. To get past this inconvenience, modern day attackers commonly rely on social engineering, asking the user to enable the macros in order to view “enhanced content”.
Few days ago, we came by a new document that appears to be part of the ongoing attacks BlackEnergy against Ukraine. Unlike previous Office files used in the recent attacks, this is not an Excel workbook, but a Microsoft Word document:
“$RR143TB.doc” (md5: e15b36c2e394d599a8ab352159089dd2)
This document was uploaded to a multiscanner service from Ukraine on Jan 20 2016, with relatively low detection. It has a creation_datetime and last_saved field of 2015-07-27 10:21:00. This means the document may have been created and used earlier, but was only recently noticed by the victim.
Upon opening the document, the user is presented with a dialog recommending the enabling of macros to view the document.
Interestingly, the document lure mentions “Pravii Sektor” (the Right Sector), a nationalist party in Ukraine. The party was formed in November 2013 and has since played an active role in the country’s political scene.
To extract the macros from the document without using Word, or running them, we can use a publicly available tool such as oledump by Didier Stevens. Here’s a brief cut and paste:
As we can see, the macro builds a string in memory that contains a file that is created and written as “vba_macro.exe”.
The file is then promptly executed using the Shell command.
The vba_macro.exe payload (md5: ac2d7f21c826ce0c449481f79138aebd) is a typical BlackEnergy dropper. It drops the final payload as “%LOCALAPPDATA%\FONTCACHE.DAT”, which is a DLL file. It then proceeds to run it, using rundll32:
To ensure execution on every system startup, the dropper creates a LNK file into the system startup folder, which executes the same command as above on every system boot.
The final payload (FONTCACHE.DAT, md5: 3fa9130c9ec44e36e52142f3688313ff) is a minimalistic BlackEnergy (v2) trojan that proceeds to connect to its hardcoded C&C server, 22.214.171.124, on Port 80. The server was previously mentioned by our colleagues from ESET in their analysis earlier this month. The server is currently offline, or limits the connections by IP address. If the server is online, the malware issues as HTTP POST request to it, sending basic victim info and requesting commands.
The request is BASE64 encoded. Some of the fields contain:
The b_id contains a build id and an unique machine identifier and is computed from system information, which makes it unique per victim. This allows the attackers to distinguish between different infected machines in the same network. The field b_gen seems to refer to the victim ID, which in this case is 301018stb. STB could refer to the Ukrainian TV station “STB”, http://www.stb.ua/ru/. This TV station has been publicly mentioned as a victim of the BlackEnergy Wiper attacks in October 2015.
BlackEnergy is a highly dynamic threat actor and the current attacks in Ukraine indicate that destructive actions are on their main agenda, in addition to compromising industrial control installations and espionage activities.
Our targeting analysis indicates the following sectors have been actively targeted in recent years. If your organization falls into these categories, then you should take BlackEnergy into account when designing your defences:
ICS, Energy, government and media in Ukraine
ICS/SCADA companies worldwide
Energy companies worldwide
The earliest signs of destructive payloads with BlackEnergy go back as far as June 2014. However, the old versions were crude and full of bugs. In the recent attacks, the developers appear to have gotten rid of the unsigned driver which they relied upon to wipe disks at low level and replaced it with more high level wiping capabilities that focus on file extensions as opposed on disks. This is no less destructive than the disk payloads, of course, and has the advantage of not requiring administrative privileges as well as working without problems on modern 64-bit systems.
Interestingly, the use of Word documents (instead of Excel) was also mentioned by ICS-CERT, in their alert 14-281-01B.
It is particularly important to remember that all types of Office documents can contain macros, not just Excel files. This also includes Word, as shown here and alerted by ICS-CERT and PowerPoint, as previously mentioned by Cys Centrum.
In terms of the use of Word documents with macros in APT attacks, we recently observed the Turla group relying on Word documents with macros to drop malicious payloads (Kaspersky Private report available). This leads us to believe that many of these attacks are successful and their popularity will increase.
We will continue to monitor the BlackEnergy attacks in Ukraine and update our readers with more data when available.
More information about BlackEnergy APT and extended IOCs are available to customers of Kaspersky Intelligence Services. Contact firstname.lastname@example.org.
Kaspersky Lab products detect the various trojans mentioned here as: Backdoor.Win32.Fonten.* and
Indicators of compromise
Word document with macros (Trojan-Downloader.Script.Generic):
Dropper from Word document (Backdoor.Win32.Fonten.y):
Final payload from Word document (Backdoor.Win32.Fonten.o):
BlackEnergy C&C Server:
ENISA Threat Landscape 2015, a must reading
ENISA has issued the annual ENISA Threat Landscape 2015 a document that synthesizes the emerging trends in cyber security
I’m very happy to announce the publication of the annual ENISA Threat Landscape 2015 (ETL 2015), this is the fifth report issued by the European Agency. The ENISA Threat Landscape 2015 summarizes top cyber threats, experts have identified during the last 12 months.
The document synthesizes the emerging trends in cyber security, it is a must reading for the experts in the industry and executives of any sector.
In 2015, we have assisted a greater effort of law enforcement in the fight against criminal organizations that are becoming even more advanced.
The experts at ENISA analyzed the Top 15 cyberthreats, identifying the threat trends, trends of threat agents and trends for emerging technologies, the report also includes for each cyber-threat a list of mitigation controls.
Malware remains the principal cyber-threat in 2015, they have increased in the number of instances detected and the level of sophistication, albeit mobile malware may not have reached expected levels of growth.
Web based attacks and web application attacks are in second and third place, no change has been observed respecting the previous report. Web based attacks include malicious URLs, compromised domains, browser exploits and drive-by attacks.
The category of web application attacks includes classic techniques like cross-site scripting and SQL-injection (SQLi). In the fourth place there are the Botnets, these infrastructures an essential component for a large number of cyber attacks, but in the last year law enforcement has coordinated a significant number of takedowns against many malicious architectures.
In 2015, the number of DDoS attacks continues to increase, the attacks increased with the volume and also their average duration has increased.
Giving a look at the table below, we can verify that in 2015 the spam decreased once again, despite it still represents a valid vector to spread malware malicious links.
“Spam is in a declining trend since some years now, its importance in the malicious arsenal remained at least almost equal: new methods of “weaponization” of this threat make it a serious threat. During the reporting period we have assessed that spam is an effective means for malware distribution. Ca. 6% of overall spam volume included malicious attachments or links” states the ENISA Threat Landscape 2015 report.
The overall situation is very concerning, cyber threats are influencing also new technologies and paradigms, as explained in a specific session of the report entitled “Emerging Threat Landscape.”
The emerging technology areas considered in this ETL are:
Cyber Physical Systems (CPS)
Internet of Things (IoT)
Network Virtualization and Software Defined Networks (SDN / 5G)
For each technology the report provides the Top 10 Emerging threats, but I don’t want to tell you more about the document, I invite you to carefully read the ENISA Threat Landscape 2015.
Udo Helmbrecht, ENISA’s Executive Director provided the following comment on the project:
“Identification of threats and their dynamics in cyber-space is key in understanding asset exposure and risks. It is an important piece of knowledge that allows for understanding protection requirements, raising awareness and allowing for a better, yet more efficient assessment of risks. ENISA continues with providing strategic information in that area through its ENISA Threat Landscape. Together with the thematic landscapes, this work is a unique publicly available source providing both strategic and tactical intelligence on cyber-threats, tailored to the specific needs of a large amount of stakeholders.”
Nuclear Threat Initiative says nations not prepared to repel cyber attacks on nuclear facilities
According a report from the Nuclear Threat Initiative, numerous nations are not prepared’ to handle the cyber attacks focusing on their nuclear facilities.
Numerous nations are not “prepared” to handle the cyberattacks focusing on their facilities linked to nuclear programs, as per a recent report from the NTI (Nuclear Threat Initiative).
The Nuclear Threat Initiative is a non-fanatic, non-benefit association that focuses to fortify worldwide security the danger of utilization and keeping the spread of concoction, atomic and biological weapons.
The association’s third Nuclear Security Index evaluates the readiness of nations with regards to ensuring their atomic programs against targets and digital assaults.
The 2010 Stuxnet episode in Iran unmistakably showed the risk postured by cyberattacks to the atomic facilities. Be that as it may, as indicated by the 2016 NTI Index, while a few nations have begun finding a way to ensure atomic facilities against cyber assaults, numerous still don’t have legitimate laws and regulations set up.
A cyberattack on an atomic facility could have extreme results as it could be utilized to encourage the burglary of atomic materials or to attack the facility.
“For example, access control systems could be compromised, thus allowing the entry of unauthorized persons seeking to obtain nuclear material or to damage the facility,”. States the report issued by NTI. “Accounting systems could be manipulated so that the theft of material goes unnoticed. Reactor cooling systems could be deliberately disabled, resulting in a Fukushima-like disaster.”
The Nuclear Threat Initiative has verified that of the 24 nations with atomic materials’ weapons-usable and 23 states with atomic facilities, just 13 merit the most extreme cyber security score of “4”. These nations are the Australia, United States, Canada, Russia, Belarus, the United Kingdom, Finland, France, Taiwan, Bulgaria, the Netherlands, Hungary and Switzerland.
Then again, 20 nations got the base score as they don’t have even the fundamental necessities for shielding their atomic facilities against assaults over the Internet. Worryingly, a portion of the states that scored 0 have been extending the utilization of atomic force.
These scores depend on the responses to a progression of inquiries concentrating on a state’s digital security prerequisites for atomic assets, including assurance for basic advanced resources, consideration of digital dangers in risk appraisals, and the presence of an execution based project.
In the course of recent years, eight states have passed new laws and regulations or upgraded existing ones to fortify cybersecurity prerequisites, which has brought about enhanced scores in the NTI Index for them. The rundown incorporates the United Kingdom, South Africa, Russia, France and Pakistan.
“Given the potential consequences, all states must work aggressively to ensure that their nuclear facilities are protected from cyber attacks. Governments should include the cyber threat within the national threat assessment for their nuclear facilities, and they should put in place a clear set of laws, regulations, standards, and licensing requirements for all nuclear facilities that require protection of digital systems from cyber attacks”. Adding further, “At the facility level, leadership must prioritize cybersecurity, determine potential consequences, and implement a program that ensures that digital assets and networks are characterized and secured and that the security is routinely tested.” states the Nuclear Threat Initiative.
A report published in the October 2015 by Chatham House uncovered that the worldwide atomic industry still doesn’t completely comprehend the danger postured by the cyberattacks. And given the fact that the Internet is becoming Internet of dangerous things (because of the Internet of things/connected devices’ wild spread somehow, I’d say), anyone can get infected over it – anytime!. The study, concentrating on common atomic facilities, demonstrated that this part had fallen behind different commercial ventures.
ICS-CERT, The Industrial Control Systems Cyber Emergency Response Team in the United States said not long ago that of the 295 basic framework episodes answered to the association in the monetary year 2015, two percent was recorded in the atomic reactors, materials and waste segment.
Chyba krvácejícího srdce podruhé? Šifrovací knihovna OpenSSL má další závažnou chybu
V šifrovací knihovně OpenSSL, která patří k nejrozšířenějšímu kryptovacímu softwaru na internetu, byly nalezeny dvě zranitelnosti. Jedna z nich je přitom označována za velice vážnou. Mohou ji tedy zneužít počítačoví piráti k proniknutí do cizích systémů, podobně jako tomu bylo předloni u Chyby krvácejícího srdce (The Heartbleed Bug).
Detaily o chybě tvůrci zatím tají. To je ale vcelku logické, protože počítačoví piráti by je mohli zneužít k útokům na dosud nezáplatované systémy.
Jisté je tak v současnosti pouze to, že trhlina má „vysokou závažnost“. Je tedy o něco méně nebezpečná než kritické chyby, ale stejně tak ji mohou kyberzločinci zneužít. U takovýchto chyb se pouze nepředpokládá, že by je mohli hackeři snadno odhalit sami.
Záplata nicméně vyjde ještě tento týden. „Nová verze, ohlášená na čtvrtek 28. ledna, bude opravovat obě zranitelnosti,“ konstatoval Pavel Bašta, bezpečnostní analytik CSIRT.CZ, který je provozován sdružením CZ.NIC.
Otázka je, jak rychle dokážou poskytovatelé jednotlivých služeb zareagovat a systémy využívající knihovnu OpenSSL skutečně opravit.
Chyba se dotkla dvou třetin internetu
Bezpečnostní experti o tom vědí své, i přes závažnost Chyby krvácejícího srdce příslušnou záplatu nenainstalovala ani rok po objevení více než polovina firem po celém světě. Ta byla rovněž objevena v knihovně OpenSSL a dotkla se dvou třetin celého internetu, protože OpenSSL patří k nejrozšířenějšímu kryptovacímu softwaru na internetu. [celá zpráva]
Kvůli Chybě krvácejícího srdce mohli útočníci disponovat například přihlašovacími uživatelskými údaji, a to včetně soukromých hesel k e-mailům, sociálním sítím, on-line bankovnictví nebo nejrůznějším internetovým obchodům. Vzhledem k tomu, že řada účtů je navázána na platební karty, byla hrozba nebezpečí o to závažnější.
Mezi postiženými byly i velké portály, jako jsou například Yahoo.com, Flickr.com či Mail.com. I proto se podle BBC jednalo o jednu z nejzávažnějších bezpečnostních trhlin v historii internetu. Chyba, která by v takovém rozsahu vystavila internet potenciálním útokům, se totiž zatím nikdy neobjevila.
Critical Flaws in Magento leave Millions of E-Commerce Sites at Risk
Critical Flaw in Magento leave Millions of E-Commerce Sites at Risk
If you are using Magento to run your e-commerce website, it's time for you to update the CMS (content management system) now.
Millions of online merchants are at risk of hijacking attacks due to a number of critical cross-site scripting (XSS) vulnerabilities in the Magento, the most popular e-commerce platform owned by eBay.
Why the Bugs are So Serious?
Virtually all versions of Magento Community Edition 126.96.36.199 and earlier as well as Enterprise Edition 188.8.131.52 and earlier, are vulnerable to the Stored Cross-Site Scripting (XSS) flaws.
The stored XSS flaws are awful as they allow attackers to:
Effectively take over a Magento-based online store
Escalate user privileges
Siphon customers’ data
Steal credit card information
Control the website via administrator accounts
However, the good news is that the vulnerabilities are patched, and an update has been made available to the public after security firm Sucuri discovered and privately reported the vulnerability to the company.
How Easy it is to Exploit the Flaw
Cybersecurity firm Sucuri describes the bug as the worst hole, saying:
"The buggy snippet is located inside Magento core libraries, more specifically within the administrator's backend. Unless you are behind a WAF or you have a very heavily modified administration panel, you are at risk."
"As this is a Stored XSS vulnerability, this issue could be used by attackers to take over your site, create new administrator accounts, steal client information, anything a legitimate administrator account is allowed to do."
Patch your Software Now!
To prevent websites from exploitation, webmasters are recommended to apply the latest patch bundle SUPEE-7405 as soon as possible.
Since the latest patch resolves the issue for Magento version 1.14.1 and 1.9.1 and earlier, problems impacting Magento versions 184.108.40.206 and 220.127.116.11 have already been resolved.
With Alexa top one million e-commerce websites and over all ten Million websites using the internet's fourth most popular CMS, Magento has become a valuable target for attackers nowadays.
So, patch your websites now to stay safe!
Oh Snap! Lenovo protects your Security with '12345678' as Hard-Coded Password in SHAREit
What do you expect a tech giant to protect your backdoor security with?
Holy Cow! It's "12345678" as a Hard-Coded Password.
Yes, Lenovo was using one of the most obvious, awful passwords of all time as a hard-coded password in its file sharing software SHAREit that could be exploited by anyone who can guess '12345678' password.
The Chinese largest PC maker made a number of headlines in past for compromising its customers security.
It had shipped laptops with the insecure SuperFish adware, it was caught using Rootkit to secretly install unremovable software, its website was hacked, and it was caught pre-installing Spyware on its laptops. Any of these incidences could have been easily prevented.
Now, Research center of Core Security CoreLabs issued an advisory on Monday that revealed several software vulnerabilities in Lenovo SHAREit app for Windows and Android that could result in:
Security protocol bypass
Man-in-the-middle (MITM) attacks
Critical Vulnerabilities in SHAREit
SHAREit is a free file sharing application that is designed to allow people to share files and folders from Android devices or Windows computers over a local LAN or through a Wi-Fi hotspot that's created.
All the vulnerabilities were remotely exploitable and affected the Android 3.0.18_ww and Windows 18.104.22.168 versions of SHAREit.
Here's the list of four vulnerabilities:
Use of Hard-coded Password [CVE-2016-1491]
Missing Authorization [CVE-2016-1492]
Missing Encryption of Sensitive Data [CVE-2016-1489]
Information Exposure [CVE-2016-1490]
The first vulnerability (CVE-2016-1491) would make you scream… How Dare You!
Using '12345678' as Hard Coded Password
Lenovo was using '12345678' as a hard-coded password in SHAREit for Windows that has been awarded the title of the Third Worst Password of 2015 by the password management firm SplashData.
Here's what Core Security researchers explain:
"When Lenovo SHAREit for Windows is configured to receive files, a Wi-Fi HotSpot is set with an easy password (12345678). Any system with a Wi-Fi Network card could connect to that Hotspot by using that password. The password is always the same."
This is ridiculous especially when the passwords in any application are hard-coded and unchangeable by an average user, putting its consumers and their data at risk.
Other Critical Flaws Left Millions of Users at Risk
However, the issue got worse when the second vulnerability (CVE-2016-1492) came into play. In the second flaw, that applied only to SHAREit for Android, an open WiFi hotspot is created without any password when the app is configured to receive files.
This could have allowed an attacker to connect to that insecure WiFi hotspot and capture the data transferred between Windows and Android devices.
Also Read: Password Security — Who's to Blame for Weak Passwords? Users, Really?
This didn't end here. Both Windows and Android were open to the third flaw (CVE-2016-1489) that involved the transfer of files via HTTP without encryption.
This allowed hackers to sniff the network traffic and view the data transferred or perform Man-in-the-Middle (MitM) attacks in order to modify the content of the transferred files.
Finally, the last but not the least, fourth vulnerability (CVE-2016-1490) discovered by CoreLabs relates to the remote browsing of file systems within Lenovo ShareIt and builds upon the default 12345678 Windows password issue reported above.
"When the Wi-Fi network is on and connected with the default password (12345678), the files can be browsed but not downloaded by performing an HTTP Request to the WebServer launched by Lenovo SHAREit," says the advisory.
The researchers at Core Security privately reported the flaws to Lenovo back in October last year, but the tech giant took three months to patch the flaws.
Patches for both Android as well as Windows phone are made available on the Google Play Store and here, respectively. So, SHAREit users are advised to update their apps as soon as possible.
Israeli Electrical Power Grid Suffers Massive Cyber Attack
The country which built a Digital Iron Dome, Israel had undergone one of the largest serious cyber attack this year.
This time, the name of Israel is being popped up in the current headlines is for the massive cyber attack which triggered against the Nation's Electrical Power Grid.
"Yesterday we identified one of the largest cyber attacks that we have experienced," Energy Minister Yuval Steinitz confirmed at the CyberTech 2016 Conference at the Tel Aviv Trade Fair and Convention Center on Tuesday, according to an article published by The Times of Israel.
"The virus was already identified and the right software was already prepared to neutralize it," Steinitz added. "We'd to paralyze many of the computers of the Israeli Electricity Authority. We are handling the situation and I hope that soon, this very serious event will be over...but as of now, computer systems are still not working as they should."
Severe Cyber Attack on Israel Electricity Infrastructure
The 'severe' attack occurred earliest this week, as Israel is currently undergoing record-breaking electricity consumption for last two days with a demand of 12,610 Megawatts due to the freezing temperature, confirmed by Israel Electric Corporation.
However, the officials did not comment upon the perpetrators as they do not suspect any currently, but they did tell Israeli newspaper Haaretz that '[they] are going to solve this problem in the coming hours.'
In Mid-July 2015, the Israel's National Cyber Bureau had already warned about the computer-based hacking attacks, which shut down portions of the country's electricity grid.
The identity of the suspects behind this attack has not been known, neither the energy ministry provides any details about how the attack was carried out.
However, a spokesperson for Israel's Electricity Authority confirmed some of its computer systems had been shut down for two days due to the cyber attack.
Previous Known Cyber Attacks on SCADA Systems
Israel had been the continual victim for many of the cyber attacks previously like OpIsrael (a coordinated attack by anti-Israeli Groups & Palestinians), which was conducted on 7th April 2013, on the eve of Holocaust Remembrance Day with the goal of "Erase Israel from Internet."
Another attack on the Israeli Civilian communication was carried out by Iran & Hezbollah Group last year.
In response to these attacks, Israel had broadened their skills to combat cyber war and become a center for cybersecurity, R&D Labs with multinationals from the US, Europe, and Asia. Israeli Cyber Security firms claimed to export $3 Billion last year.
A similar incident of power outbreak took place a couple of months back in Ukraine on 23rd December, when the country's SCADA system was hit with a trojan named BlackEnergy that resulted in the total power cut across the region named Ivano-Frankivsk of Ukraine.
Government Agencies probed over use of backdoored Juniper equipment
The U.S. House Oversight and Government Reform Committee is probing US Government Agencies over use of backdoored Juniper equipment.
A number of US Government Agencies are concerned about the use of Juniper firewalls affected by the recently uncovered backdoor.
The U.S. House Oversight and Government Reform Committee has sent letters to dozens of government agencies and departments asking more information about the use and patching of vulnerable Juniper Networks solutions.
The list of recipients includes the Securities and Exchange Commission (SEC), the Secretary of Agriculture, GSA, the Secretary of Commerce, the Secretary of Labor, the Department of Energy, Veterans Affairs, the Environmental Protection Agency (EPA), the Treasury Secretary, the United States Agency for International Development (USAID), the Department of the Interior, the Department of Transportation, and the Department of Education.
It is crucial for the U.S. House Oversight and Government Reform Committee understand how the Government agencies used the backdoored systems, whether any vulnerable devices were used, which data they managed.
In December 2015, an “unauthorized code” was discovered in the operating system for Juniper NetScreen firewalls. The company admitted the presence of the “unauthorized code” that could allow an attacker to decrypt VPN traffic.
The presence of the unauthorized code could date back to 2008, the experts referred a 2008 notice issued by Juniper’s about a security issued that impacts ScreenOS 6.2.0r15 through 6.2.0r18 and 6.3.0r12 through 6.3.0r20. ScreenOS 6.2 was released. The Screen OS 6.3 was presented in 2009.
“During a recent internal code review, Juniper discovered unauthorized code in ScreenOS that could allow a knowledgeable attacker to gain administrative access to NetScreen devices and to decrypt VPN connections,” Juniper Chief Information officer Bob Worrall wrote. “Once we identified these vulnerabilities, we launched an investigation into the matter, and worked to develop and issue patched releases for the latest versions of ScreenOS.” states the advisory.
The experts explained that there are several releases with numerous versions of the Juniper products and the unauthorized code was only found in some of them. Later, security researchers confirmed the presence of two vulnerabilities that can be respectively exploited to remotely gain administrative access to a device via telnet or SSH (CVE-2015-7755) and to decrypt VPN traffic (CVE-2015-7756).
Many experts speculate the involvement of the NSA, one of the documents leaked by Edward Snowden and disclosed by the German Der Spiegel revealed that the US intelligence had the ability to plant a backdoor in various network equipment, including Juniper firewalls.
The U.S. House Oversight and Government Reform Committee requests the Government agencies to audit their use of Juniper ScreenOS firewalls, the deadline is February 4.
The Committee urges to know the measures adopted by IT staff to address the vulnerabilities.
Israeli Public Utility Authority hit by a severe cyber attack
The Israeli Public Utility Authority is suffering one of the largest cyber attack that the country has experienced, Minister of Infrastructure, Energy and Water Yuval Steinitz said on Tuesday.
The Israel’s Minister of Infrastructure, Energy and Water, Yuval Steinitz, told CyberTech 2016 attendees in Tel Aviv that the Israeli Public Utility Authority suffered a severe cyber attack. The threat actors hit the Public Utility Authority with a malware caused problems with the internal systems, some of them still not working properly.
The country’s energy minister said Tuesday that officials are still working to neutralize it, meanwhile, The Jerusalem Post describes the incident as one of the biggest cyber attack suffered by the Public Utility Authority
“Yesterday we identified one of the largest cyber attacks that we have experienced,” Steinitz said. “The virus was already identified and the right software was already prepared to neutralize it. We had to paralyze many of the computers of the Israeli electricity authorities. We are handling the situation and I hope that soon, this very serious event will be over … but as of now, computer systems are still not working as they should.” states the article published Tuesday by The Times of Israel.
The attack was spotted on Monday when the temperatures in Jerusalem dropped to below freezing, this circumstance caused a record in electricity consumption. In response, the country’s National Cyber Bureau shut down portions of Israel’s electricity grid.
According to Ars Technica, there is no evidence of the attack against the Israel’s power grid.
“Contrary to a previous version of this post, there’s no indication Israel’s power grid was attacked.” states Ars.
As usually happens in these cases, it is very difficult to attribute the attack to a specific threat actor, the Israeli energy minister didn’t identify any suspects and probably we will have to wait for further analysis on the malware used by attackers.
Robert M. Lee, the CEO of Dragos Security, published an interesting post on the SANS ICS blog which confirms the difficulty in attributing such kind of cyber attacks to a specific threat actor.
“Israel has threats that it must consider on a day-to-day basis. Critical infrastructure is constantly the focus of threats as well although there are a lack of validated case-studies to uncover the type of activity much of the community feels is going on in large quantities. However, reports of cyber attacks must be met with caution and demands for proof due to the technical and cultural challenges that face the ICS security community,” Lee wrote.
“Simply put, there is a lack of expertise in the quantity required alongside the type of data needed to validate and assess all of the true attacks on infrastructure while appropriately classifying lesser events. Given the current barriers present in the ICS community the claims of attacks should be watched diligently, taken seriously, but approached with caution and investigated fully.”
The attack raises the attention about the level of security for critical infrastructure worldwide. Cyber attacks are becoming even more insidious and sophisticated and the risk for a major incident is concrete.
Israeli Public Utility Authority
Steinitz added that the attack suffered by the Israeli Public Utility Authority was an example “of the sensitivity of infrastructure to cyber-attacks, and the importance of preparing ourselves in order to defend ourselves against such attacks.”
“We need cyber tech to prevent such attacks. Cyber-attacks on infrastructure can paralyze power stations and the whole energy supply chain from natural gas, oil, petrol to water systems and can additionally cause fatalities. Terrorist organizations such as Daesh, Hezbollah, Hamas and Al Qaeda have realized that they can cause enormous damage by using cyber to attack nations,” Steinitz added.
The attack comes a few weeks after Ukraine’s power outage, and the incident that was caused by a concomitant of factors, including a cyber attack based on the BlackEnergy malware that targeted industrial control systems of the regional power authorities.
Regarding the Ukraine power outage the experts suspect the involvement of a nation-state actor due to the level of sophistication of the attack and the fact that the operation was extremely well coordinated.
According to a report published by experts at eiSight Partners the cyber attack against a Ukraine power station has been managed by a Russian group called Sandworm.
A recent update about the cyber attack against the Israeku Public Utility Authority downgrades the incident, it seems that a ransomware spread via email has locked the systems in the organization.
“However, new reporting shows that the “cyber attack” was simply ransomware delivered via phishing emails to the regulatory body’s office network and it appears in no way endangered any infrastructure.This once again stresses the importance around individuals and media carefully evaluating statements regarding cyber attacks and infrastructure as they can carry significant weight.” states Lee.
Hackers are blackmailing the creator of Open-Source Ransomware
The Turkish security researcher Utku Sen was blackmailed by hackers behind the Magic ransomware to close his projects.
The developers behind the open source-based “Magic” ransomware are blackmailing the creator of Hidden Tear and EDA2 in order to force the developer to abandon the projects.
Recently I have written about the RANSOM_CRYPTEAR.B ransomware developed Utku Sen starting from a proof-of-concept code available online.
According to the experts at TrendMicro, Utku Sen made a serious error in the development, resulting in victims’ files being completely unrecoverable. Researchers who analyzed the source code discovered that it was a modification of a proof-of-concept ransomware dubbed Hidden Tear that was leaked online by the Turkish coder Utku Sen for educational purpose.
It is not surprising that crooks have not missed the occasion as remarked by TrendMicro.
“Unfortunately, anyone on the internet can disregard this warning. This became evident when Trend Micro discovered a hacked website in Paraguay that distributed ransomware detected as RANSOM_CRYPTEAR.B. Our analysis showed that the website was compromised by a Brazilian hacker, and that the ransomware was created using a modified Hidden Tear code.” states a blog post published by TrendMicro.
The “Hidden Tear” is available on GitHub and it’s fully functional, it uses AES encryption to encrypt the files and displays a warning to users to pay up to get their data back.
“While this may be helpful for some, there are significant risks. The Hidden Tear may be used only for Educational Purposes. Do not use it as a ransomware!” explained utkusen.
The hacker also developed a second open-source project for a ransomware dubbed EDA2. When the problem was discovered, Utku Sen removed all the files from the EDA2 project.
Recently another ransomware, based on the open-source code, has been detected in the wild, it has been dubbed “Magic” because it encrypts user files and adds a “.magic” extension to them.
Now the criminal gang behind the Magic ransomware began blackmailing the hacker Sen in an effort to shut down the Hidden Tear. The group announced that in a forum post that they are willing to provide victims with the decryption keys for free in case Sen agrees to close his open source ransomware projects.
Sen refused the condition and declared war on the blackmailers.
According to Sen, he deliberately inserted security flaws in both the Hidden Tear and EDA2 to sabotage cybercriminals using the proof-of-concept ransomware.
The Sen’s plan worked with the Hidden Tear allowing the recovery of the file encrypted by the Linux.Encoder and Cryptear.B ransomware, meanwhile failed with EDA2.
Sen inserted vulnerabilities in the EDA2’s control script in order to retrieve decryption keys. The problem is that despite the presence of the flaws, the unique way to obtain the keys to recover the files was to access the database that was left in crooks’ hands. He has forgotten to implement a mechanism to copy the database of the keys of the storage used by the crooks to another archive managed by the researcher.
It is not clear why the hackers behind the Magic ransomware blackmailed Sec, the unique certainty is that that don’t want the Hidden Tear project online. They also offered support to the victims if Sen will remove the Hidden Tear.
Victims should send an email to viper1990[at]safe-mail[dot]net in the next 15 days to receive their decryption keys.
Password Security — Who's to Blame for Weak Passwords? Users, Really?
The majority of Internet users are vulnerable to cyber threats because of their own weaknesses in setting up a strong password. But, are end-users completely responsible for choosing weak passwords?
Give a thought.
If the end-user is to blame for weak password security, then the solution is to educate each and every Internet user to follow the best password security practice.
But is that really possible? Practically, No.
Even after being aware of best password security measures, do we really set strong passwords for every website? I mean EVERY. Ask yourself.
Who's Responsible for allowing Users to Set a Weak Password?
It's the websites and their developers, who didn't enforce a strong password policy on their users and allow them to sign up with weak passwords.
So what should be the perfect solution, where every registered member of a website or service should have a strong password that can't be cracked?
Most of the Internet users get annoyed while signing up with a website that tells them their password:
Must be at least 8 characters long
Must include both uppercase and lowercase
Must contain at least one special character
Must have at least one numeric character
Don't get annoyed of such website, because that website, at least, has its users' safety and security in mind.
However, not every site provides a strong password setting mechanism, and this is why users are taking advantage of by relying on absolutely awful passwords.
Recently we wrote an article revealing the list of Worst Passwords of 2015 that proved most of us are still using bad passwords, like '123456' or 'password,' to secure our online accounts that when breached could result in critical information loss.
"In this age, knowing all we know now, it's negligent of websites to allow users to choose “password” “1234567” and millions of known weak passwords," Dan Goodin, Security Editor at Ars Technica told THN.
"Security researchers have often talked about developing a means for allowing websites to blacklist a large body of weak passwords — say, every single password in the RockYou dump and other major password breach — but so far I'm not aware of any websites that use something like this. Until they do, passwords will continue to be cracked," he said.
After Data Breaches, the organizations tend to blame the end user for poor password security. However, they themselves forget to provide them one.
Even Google and Facebook allows users to set a weak password for their accounts, with just minimum 8 character condition, in order to target mass audience with better usability.
Microsoft MVP of developer security and creator of Have I Been Pwned, Troy Hunt agrees to this by saying:
"The problem is that website operators are faced with this paradox of security versus usability. If they enforced a minimum of 30 characters they'd be enormously secure... and have no customers."
"They're forced to dumb down requirements in order to make the system appealing to the vast majority of people who don't use password managers."
However, to be very clear, there is really no such thing as an unbreakable password. Yes, you heard me right…
...even Strong Passwords are Crackable.
Hackers Can Crack Every Single Password
Stealing password is one of the oldest moves in hackers' book. And before proceeding, you also need to know that how they are able to crack every password that you can ever think of.
There is a password brute-force technique, where a simple password-cracking tool can test or try every possible combination of letters, numbers, and symbols until it matches your secret or encrypted (hashed) password.
It requires more computing power to do so, but for shorter passwords, it's a pretty reliable and faster technique.
However, if your password is strong (with uppercase, lowercase, special and numeric characters), it will be much harder for hackers to break it within reasonable time period — and, therefore, strong passwords are much safer.
The more complex your password is, the harder it is to guess and the more secure it is.
How to Create and Manage Strong Passwords
So, until every or most of the organizations make themselves strong enough to accept only strong passwords from their customers, you need to make a hobby of setting up strong passwords for your online safety.
Here's How to create strong passwords, which are easy to remember as well.
Beside this, always remember to create different passwords for different sites. So that if one website is breached, your other online accounts on other sites are secure enough from being hacked.
"Even when we see fairly stringent minimum requirements, they have no way of enforcing uniqueness, and inevitably many of the passwords they hold have been reused across other services," Hunt added.
I know this is a real pain to memorize 15+ uniquely random alphanumeric and special character strings like this, '$#%fa4$0', which is only 8 characters in length.
Can it really be done?
Yes, there is a solution, i.e. Password Manager, available to you that can significantly reduce the password memorizing problem, along with a cure for users' bad habit of setting weak passwords.
Password managers exist and have come a very long way in the past few years to help resolve this issue.
Why Some Websites Block 'Password Managers'?
Typically, Password Managers generate long, complex, and – most importantly – unique passwords for you, and then store them in encrypted form on either your computer or a remote service. All you need to do is remember one master password to enter all of your others.
However, the problem is, there are a number of websites, especially banking and financial, that intentionally block password managers, making it difficult for people to use stronger passwords more easily.
Those sites don't allow you to paste passwords into the login screens, instead forcing you to type the passwords by yourself.
"Some websites actively block users from creating credentials with password managers," Joseph Cox, freelance security journalist for Motherboard, told The Hacker News.
"This is because they stop users pasting passwords into the login page, sometimes making it a real hassle to use strong, and more importantly, unique passwords generated by managers. There are some workarounds, but when dealing with something as important as passwords, why to make it harder for users at all?"
So why do these companies stop users from copying and pasting their passwords?
These companies say that disabling the pasting of passwords is a security feature that prevents password phishing as well as brute force attacks.
Although the companies may give a reason that by doing so, they are helping their customers, preventing users from pasting passwords into the login page is pretty weak practice overall.
"Websites sometimes say they have disabled the pasting of passwords to stop certain types of malware, for example," Cox added. "But the fact is that re-using password is a much, much more common problem than password stealing malware."
Advanced Password Security Practices
Both weak and strong passwords are vulnerable to human error, so you need to keep some points in your mind in order to keep your data safe from hackers.
Use Different Passwords On Different Accounts:
If you are using the same password twice, it is an invitation for hackers to double-dip into your data.
If you are reusing your passwords on multiple websites, and a hacker steals one of your passwords, they have got access to all other accounts that use the same password.
Therefore, mix things up to stay safe. Use different passwords on different websites and accounts.
Also, you are recommended to change your password every few months, which limits how long a stolen password is useful to a hacker.
Use a Good Password Manager:
Password Manager is an excellent solution to your failure to keeping a strong password for different accounts. The issue is that today lots of people subscribe to a lot of different services, and it is usually hard to generate different passwords for every single account.
Password manager creates a random, different password strings for every website you visit, and then saves them for you, and in general, you only need to remember one master password to open your password manager or vault.
To do so, you need a good password management tool. Dashlane, KeePassX, and LastPass are some good options for password managers that are free, and you should try one.
Use Two-Factor Authentication:
Two-Factor Authentication has always been a hurdle for hackers who managed to steal your account credentials.
"Instead of tackling the problem with minimum requirements, using approaches such as two-step verification and other fraud detection methods are a more palatable approach to increasing security without losing customers," says Hunt.
Many websites, like Google and Facebook, offer a mechanism known as Two-factor authentication that besides verifying your password, generates an OTP (One Time Password) verification code that is either sent to your mobile via SMS or phone call.
Even hackers with your passwords can not easily access your accounts if you are using two-factor authentication.
A new wave of attacks linked to the Codoso ATP Group
According to Palo Alto Networks’ Unit 42 the Chinese APT group Codoso has been targeting organizations in various industries in a new wave of cyber attacks.
The group of experts at Palo Alto Networks Unit 42 have uncovered a new cyber espionage operation conducted by the Chinese AT Codoso (aka C0d0so0 or Sunshop Group).
The Codoso hacking crew has been around since at least 2010 and targeted organizations in different industries, including the defense, energy, finance, government sectors and also political dissidents and think tanks. The researchers at Palo Alto Networks sustain that the Codoso group’s tactics, techniques, and procedures are more sophisticated compared to other APTs.
Early 2015, researchers from iSIGHT Partners published a detailed report on the cyber espionage campaigns managed by the Codoso group.
Security experts at Invincea and iSIGHT Partners in a joint investigation profiled the Chinese APT group that used two distinct zero-day flaws to compromise Forbes.com website. The intent of the group was to run a watering hole attack by exploiting the zero-day vulnerabilities in Adobe’s Flash Player and Microsoft’s Internet Explorer 9.
Among the objectives of the group was to gain access to computers at several U.S. defense and financial companies by exploiting the watering hole methodology, a technique that could be devastating if attackers had also access to zero-day flaws.
The hackers compromised a part of the Forbes.com’s website that displays to visitors before they’re redirected to articles they’ve clicked on, the segment of the web portal known as Forbes.com’s Thought of the Day is powered by a Flash widget.
The Chinese hackers were able to exploit a zero-day vulnerability to hijack the widget from Nov. 28 to Dec. 1. In this time frame, the APT group targeted visitors who worked at a few unnamed financial firms and US Defense.
Now experts at Palo Alto Networks discovered a new wave of attacks linked to the Codoso APT group against organizations in the telecommunications, high-tech, legal services, education, and manufacturing industries. The attackers leveraged spear phishing emails and compromised websites used for watering hole attacks.
The new attacks mainly targeted server systems, instead of user endpoints, likely to reuse the same infrastructure for other attacks in the future. Also in this case, the hackers launched spear-phishing attacks and watering hole attacks against the victims.
The researchers analyzed also the C&C infrastructure composed of three domains belonging to the Chinese address space and all resolving to a Hong Kong IP.
“In these newly discovered C0d0s0 attacks, several of the targeted hosts were identified as server systems, instead of user endpoints, suggesting the possibility that these specific targets will be used in future attacks as additional watering holes. Both of the malware variants encoded and compressed the underlying network traffic to bypass any network-based security controls that were implemented,” experts noted.
The attacks leveraged at least on two strains of malware never seen before, but with many similarities with the Derusbi malware used by Comodo hackers in the past.
“The malware variants in question do not appear to belong to any known malware family, although the structure of the network communication does bear a resemblance to the Derusbi malware family, which has shown to be unique to Chinese cyber espionage operators. Past observations of Derusbi in various attack campaigns indicate the version used was compiled specifically for that campaign. Derusbi has had both the client and server variants deployed, using different combinations of configurations and modules. The newly discovered activity is consistent with this procedure, with compile times only a few days prior to the observed attacks” states a blog post from Palo Alto Networks.
In one case the hackers disguised the malware as a serial number generator for AVG AntiVirus, once it infects a system it gathers information on the target and tries to download additional plugins from the C&C server.
Another strain of the malware recently used by the Codoso ATP, dubbed PORT 22 variant, is disguised as a DLL file that is side-loaded by a legitimate McAfee application.
“This variant, which appears to be more recent than the HTTP variant, is delivered via the filename of ‘McAltLib.dll’ and is configured to be side-loaded with the legitimate McAfee mcs.exe executable.” continues the post.
The DLL file loaded by the legitimate McAfee application appears to be a newer variant of a DLL used by the Codoso ATP in the attack against Forbes, the researchers also discovered the same unique strings in both samples.
Experts at PaloAlto will continue to monitor the group’s activity because they suspect this may be the beginning of a new wave of cyber-espionage operations.
Máte novou zvukovou zprávu, zkoušejí podvodníci nový trik
26.1.2016 Sociální sítě
S novým způsobem, jak se dostat do cizích počítačů vyrukovali v posledních dnech počítačoví piráti. Lidem rozesílají podvodné e-maily, ve kterých se vydávají za zaměstnance Facebooku. Příjemcům tvrdí, že mají pro ně novou zvukovou zprávu. Ve skutečnosti se však snaží do jejich počítačů propašovat škodlivý virus.
Celý útok má prakticky vždy stejný scénář. Uživateli přijde e-mail, který na první pohled vypadá, jako by byl odeslán přímo z Facebooku. Pozornější příjemci si ale mohou všimnout, že e-mailová adresa je odlišná a zpravidla na úplně jiné doméně.
I odesílatele ale zvládnou počítačoví piráti ve dnešní době bez větších obtíží zamaskovat. Není tedy vyloučeno, že se v nadcházejících dnech objeví podvodné zprávy, jejichž legitimitu nebude možné ověřit podle odesílatele.
Nezvaný návštěvník zablokuje firewall, a dokonce i některé antivirové programy.
V podvodné zprávě kyberzločinci tvrdí, že uživatel obdržel na Facebooku novou audiozprávu. Ta má být údajně uložena v archivu v příloze e-mailu. Ve skutečnosti se však v ní ukrývá nebezpečný malware, který příjemce aktivuje otevřením archivu.
Tento nezvaný návštěvník dokáže v počítači udělat pěknou neplechu. Zablokuje firewall, a dokonce i některé antivirové programy a zároveň uživateli znemožní přístup na internetové stránky prodejců bezpečnostních utilit.
Falešný pocit bezpečí
Tímto způsobem mohou útočníci propašovávat do počítačů stále další a další viry, aniž by si toho uživatel všiml. Kvůli zablokovaným bezpečnostním programům má totiž většina lidí falešný pocit bezpečí.
Na nový trik upozornili výzkumníci z bezpečnostní laboratoře Comodo Threat. Ti zároveň poukázali na to, že hrozba se netýká pouze uživatelů Facebooku, ale že stejným způsobem se piráti snaží napálit také uživatele aplikace WhatsApp. Právem tak předpokládají, že za podvodem stojí stejný kyberzločinec nebo stejná skupina hackerů.