- BigBrothers -

Last update 09.10.2017 13:51:26


WikiLeaks Details Mac OS X Hacking Tools Used by CIA

29.7.2017 securityweek BigBrothers

The latest round of documents published by WikiLeaks as part of a leak dubbed by the organization “Vault 7” describes several tools allegedly used by the U.S. Central Intelligence Agency (CIA) to target Mac OS X and other POSIX systems.

The tools, said to be part of a CIA project named “Imperial,” are called Achilles, Aeris and SeaPea.

A “secret” document dated July 2011 reveals that Achilles is a tool that can be used to create trojanized OS X disk image installers (.dmg). The resulting DMG file contains a legitimate application plus malicious executables added by the tool's operator; these executables are run only once, after the real application has been launched.

SeaPea is an OS X rootkit designed to provide stealth and launching capabilities for other tools. Version 2.0 of SeaPea was detailed in documents previously dumped by WikiLeaks, but the new user guide provides information on version 4.0.

Finally, Aeris is an implant designed to target operating systems that are compliant with the Portable Operating System Interface for Unix (POSIX), including Debian, Red Hat, Solaris, FreeBSD and CentOS.

POSIX is a set of specifications for maintaining compatibility between Unix-like operating systems by defining the API for software compatibility. Apple’s operating systems are also POSIX-compliant.

Aeris's features include automated file exfiltration and encrypted communications.

As with many of the other Vault 7 tools exposed by WikiLeaks, given that their user guides were written several years ago, it’s likely that these projects have either been improved considerably to keep up with the new security features introduced by the creator of the targeted software or they were abandoned altogether.

Other tools described in documents published by WikiLeaks over the past few months are designed for intercepting SMS messages on Android devices (HighRise), redirecting traffic on Linux systems (OutlawCountry), stealing SSH credentials (BothanSpy), spreading malware on an organization’s network (Pandemic), locating people via their device’s Wi-Fi (Elsa), hacking routers and access points (Cherry Blossom), and accessing air-gapped networks (Brutal Kangaroo).


British Hacker Convicted in Germany of Major Cyber Attack

29.7.2017 securityweek  BigBrothers

A British man was handed a suspended jail sentence by a German court Friday for a massive cyber attack against Deutsche Telekom last year.

The regional court in the western city of Cologne said it would suspend the sentence of one year and eight months against the defendant, Daniel Kaye, following pleas to this effect by both prosecutors and the defence.

Last week the 29-year-old described the attack, which knocked more than one million German households offline in November and was carried out for money on behalf of a Liberian client, as "the worst mistake of my life".

He was detained in February at London's Luton airport on a European arrest warrant for attempted computer sabotage and extradited to Germany.

German police said the goal of the attack was to infect users' computers with a "botnet" -- a network of web-connected machines that can be manipulated with malware and used to assault other online targets.

Kaye told the court he was paid $10,000 (about 8,500 euros) by a Liberian telecom company which wanted to use the botnet to damage a local rival.

The attack, which the company said caused about two million euros of damage, ended when it advised customers to disconnect their routers and restart them after a software update.

The large-scale strike fuelled concerns over cyber security in Germany and officials have warned that more online assaults are possible ahead of a general election in September.

Although he will not face jail-time in Germany, Britain has opened probes against Kaye for alleged involvement in other hacking attacks and bank blackmail cases, German news agency DPA reported.


House Committee Passes Bills to Boost DHS Cyber Powers

28.7.2017 securityweek BigBrothers

New Legislation Would Create Cybersecurity and Infrastructure Security Agency to Address Cyber Threats

Less than a week after the U.S. Department of Homeland Security (DHS) reauthorization act passed the House of Representatives, the House Homeland Security Committee on Wednesday passed two bills to reorganize the cybersecurity operations of the DHS and require it to report on the procedures it uses to disclose vulnerabilities.

The first of the bills that moved forward this week is the Cybersecurity and Infrastructure Security Agency Act (PDF), which creates a new agency within DHS to improve the Department’s cyber and infrastructure stance.

Sponsored by Homeland Security Committee Chairman Michael McCaul (R-Texas) and the committee’s ranking member Bennie Thompson (D-Miss), the bill states that DHS’s cyber operations division would retain most cybersecurity responsibilities, including the protection of federal networks. It would also be responsible for sharing cyber threat information with critical industry sectors, something the DHS has already been doing in various capacities.

Called the Cybersecurity and Infrastructure Security Agency, the new operational entity will be split into three divisions: cybersecurity, infrastructure security, and emergency communications. The bill also states that it will be led by a director who will report to the Homeland Security secretary, along with a deputy director who will assist in managing the Agency and will report to the director.

The second bill the Committee passed on Wednesday is the Cyber Vulnerability Disclosure Reporting Act (PDF). Sponsored by Rep. Sheila Jackson Lee (D-Texas), the legislation requires the Homeland Security secretary to report on how the Department is using vulnerability disclosure programs, with the first report set to be due eight months after the bill’s passage.

“To the extent possible, such report shall include an annex with information on instances in which such policies and procedures were used to disclose cyber vulnerabilities in the year prior to the date such report is required and, where available, information on the degree to which such information was acted upon by industry and other stakeholders,” the bill reads.

In the light of numerous software exploits associated with the National Security Agency made public over the past year by the Shadow Brokers hacking group, Microsoft has warned of the risks that zero-day exploits stockpiled by governments pose, and pushed for the adoption of a PATCH Act that would prevent occurrences such as WannaCry.

The numerous documents WikiLeaks has released over the past several months on CIA hacking tools also spurred debate on governments stockpiling software vulnerabilities instead of reporting them so they could be patched.

DHS Reauthorized

Both bills passed unanimously less than a week after the Department of Homeland Security Authorization Act of 2017 passed the House of Representatives on July 20. Not only does the bill reauthorize the Department, it represents the first actual authorization for some of its parts.

A bill outline (PDF) reveals the legislation meant to update DHS’ counterterrorism, emergency preparedness, and maritime security programs, bringing changes to the Federal Emergency Management Agency, Coast Guard, Transportation Security Administration, Secret Service, U.S. Citizenship and Immigration Services, and Immigration and Customs Enforcement.

Improved Airport Security

Also directing the streamlining and restructuring of TSA, the bill requires it to “develop and implement a preventative maintenance validation process for security-related technology deployed to airports.” The administration also has to “conduct a comprehensive, agency-wide efficiency review” to streamline and restructure operations to reduce spending.

TSA is also requested to conduct a broad assessment of cyber risks to aviation security, to vet airports and airlines if requested, and enhance cyber threat information sharing across the aviation sector.

The administration is required “to implement a secure, automated system at all airports, for verifying travel and identity documents of passengers who are not members of a Department of Homeland Security (DHS) trusted traveler programs,” and to improve the efficiency of traveler vetting programs such as TSA PreCheck and CBP Global Entry. Additionally, the agency would be required to test automated and biometric-based systems at airports to verify the identity of members of TSA PreCheck and other DHS trusted traveler programs.

“The committee believes that the minimum security standards for airport security set forth by the Chicago Convention established by the International Civil Aviation Organization are not robust enough in the current threat environment where we have repeatedly seen terrorist organizations planning attacks targeting aviation. Therefore, the committee believes the United States should take a leadership role at the ICAO in building consensus among member states to raise these standards,” section 1522 reads.

Cybersecurity at U.S. Ports

Section 1403 of the bill amends the Maritime Transportation Security Act (MTSA) and formally gives the U.S. Coast Guard (USCG) responsibility for cybersecurity at ports.

"While USCG does not currently have operational authority of cybersecurity at ports, it is responsible for ensuring that cybersecurity is part of the USCG approved facility security plan for ports," the bill reads.

The U.S. Coast Guard will also be tasked with stepping up cyber protections at U.S. ports and helping port operators share cyber threat information.

"The Committee believes that our ports and the automated systems that control them are vulnerable to cyber-attacks, which could be devastating to the transit of international commerce," says the bill. "While USCG inspects and approves what are known as 'facility security plans' at ports twice a year, these plans are not currently required to have a cybersecurity strategy. The Committee believes that requiring facility operators to have a cybersecurity plan, and providing them with a mechanism to share best practices and receive current intelligence, is critical to maintaining the uninterrupted flow of maritime commerce and the security of our ports."

Emergency Preparedness, Response, and Communications

The bill also sets aside $800 million for each of the fiscal years from 2018 through 2022 for the Urban Area Security Initiative, designed to help urban areas better prepare to prevent and respond to acts of terrorism. The funds would be used “to (1) enhance medical preparedness, and (2) enhance cybersecurity,” section 1606 of the bill reads.

“The Committee has heard that, while improving, the flow of federal cyber threat and risk information to State and local emergency response providers is slow and overclassified. Additionally, for several years now, FEMA has released an annual National Preparedness Report, which highlights the States' 32 core capabilities, as defined by the National Preparedness Goal. Since the first National Preparedness Report was released in 2012, States have ranked their cybersecurity capabilities as one of their lowest,” the bill reads, noting that the current process of information sharing has "caused emergency response providers to be reactive rather than proactive" in addressing cyber threats.

The bill also requires the Director of the Office of Emergency Communications to submit an annual report that “must include specific information on the Office’s efforts to: promote communication among emergency response providers during disasters; conduct nationwide outreach to foster the development of interoperable emergency communications capabilities; and provide interoperable emergency communications technical assistance to State, regional, local, and tribal government officials.”

Secret Service

The DHS reauthorization act demands that the Secret Service increase the annual number of training hours for officers and agents. Additionally, it states that the Secret Service director has to be confirmed by the Senate, instead of being appointed directly by the president, and authorizes the construction of facilities to improve training.

According to Homeland Security secretary John Kelly, the bill should help DHS better carry out its tasks, and he suggested that the reauthorization act would improve morale throughout the Department.

“[The bill] allows us to study disaster preparedness and response, so we can find ways to help communities recover faster, in a cost-effective way. It gives first responders the training and equipment they need to counter today’s terrorist threats. And it improves the Department’s information sharing capabilities, so our state, local, tribal and territorial partners can stay up to date on the threats facing our communities, in both the cyber and the physical world,” Kelly stated.

Now that it has passed the House of Representatives, the reauthorization bill heads to the Senate. However, there is no schedule yet for considering it.

In an official statement, President Donald J. Trump commended the House’s vote: “Since its formation nearly fifteen years ago in response to the terrorist attacks of September 11, 2001, DHS has been on the front lines of the Federal Government’s efforts to keep the American public safe. I look forward to signing this important legislation and I encourage the United States Senate to take it up without delay,” President Trump said.

The libertarian-leaning House Liberty Caucus, on the other hand, opposes the bill, suggesting it was rushed: “Such a vast, significant piece of legislation demands debate and input from the full membership of the House of Representatives. Instead, this bill overhauling the department and authorizing billions of dollars is being rushed to the floor, ensuring representatives have no time to vet its countless provisions,” the Liberty Caucus reportedly stated.


Wikileaks Vault 7 – Imperial projects revealed the 3 hacking tools Achilles, SeaPea and Aeris
28.7.2017 securityaffairs BigBrothers

Wikileaks published another batch of classified documents from the CIA Vault 7 leak, it includes details of the Imperial project.
Today another batch of classified documents from the CIA Vault 7 leak was published by Wikileaks. The documents are related to a CIA project codenamed ‘Imperial,’ they include details of three CIA hacking tools and implants that have been designed to compromise computers running Apple Mac OS X and different Linux distributions.

The three hacking tools are:

Achilles — A tool to trojanize a legitimate OS X disk image (.dmg) installer.
SeaPea — A Stealthy Rootkit For Mac OS X Systems
Aeris — An Automated Implant For Linux Systems

Achilles

Achilles is a hacking tool that allows CIA operators to package malicious code together with a legitimate Mac OS app into a disk image installer (.DMG) file. According to the documents, Achilles v1.0 was developed in 2011, and the CIA only tested it on Mac OS X 10.6 (Snow Leopard, released by Apple in 2009).

The tool is a shell script written in Bash that bundles “one or more desired operator specified executables” into the installer for one-time execution.

In a typical attack scenario, the target downloads the trojanized disk image; when they open it and install the software, the malware runs in the background.

Once the malicious executables have run, they erase every trace of Achilles from the downloaded application so that the file “exactly resembles” the original legitimate software. This behavior makes it harder for security experts and antivirus software to identify the initial infection vector.

SeaPea

The SeaPea hacking tool is a Mac OS X Rootkit that gives CIA operators stealth and tool launching capabilities by hiding important files, processes and socket connections from the users.

It was developed in 2011. According to the documents, SeaPea works on computers running the then-latest Mac OS X 10.6 (Snow Leopard) with either a 32- or 64-bit kernel, and on Mac OS X 10.7 (Lion).

CIA operators need root access to install it on the target Mac. The rootkit can be removed by reformatting the startup disk or by upgrading the OS to the next version.

Aeris

The Aeris hacking tool is an automated implant written in C that can be used to backdoor POSIX-compliant operating systems, including Debian, CentOS, Red Hat, FreeBSD and Solaris.

Below is the list of features implemented by Aeris:

Configurable beacon interval and jitter
Standalone and Collide-based HTTPS LP support
SMTP protocol support
TLS encrypted communications with mutual authentication
Compatibility with the NOD Cryptographic Specification
Structured command and control similar to that used by several Windows implants
Automated file exfiltration
Simple and flexible deployment and installation
Aeris is a builder that CIA operators can use to generate custom implants, it does not have a separate installer and in order to be deployed operators just need to place an Aeris binary in the desired directory.

“Aeris does not have a separate installer. To deploy it, simply place an Aeris binary in the desired directory. Rename the binary in any way that you wish. Note that the configuration is patched in at build time; hence, no additional files (beyond possibly those related to persistence — see the next section) are needed.” states the user guide.
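The "configurable beacon interval and jitter" feature in the list above is the implant side of a cat-and-mouse game: jitter is meant to smear the callback period so it does not stand out in NetFlow. The added example below is not Aeris code or WikiLeaks material; it models a generic jittered beacon schedule and then shows the periodicity check a defender can run over connection timestamps, which still separates a jittered beacon from interactive traffic because jitter bounds the spread of the gaps. All timestamps are constructed inline, and the thresholds (0.3 coefficient of variation, 20 samples) are assumptions to be tuned per environment.

```python
"""Jittered beacon schedule as an implant would produce it, and the
inter-arrival periodicity check a defender runs to spot it anyway.
Added example: generic model, not Aeris code. All data is constructed."""
import random
import statistics
from typing import List


def schedule_beacons(base_interval: float, jitter: float, count: int, seed: int = 1) -> List[float]:
    """Return `count` callback times in seconds from t=0.

    `jitter` is a fraction of `base_interval`: each sleep is drawn uniformly
    from [base*(1-jitter), base*(1+jitter)], the usual way implants randomise
    their check-in. Seeded so the example is reproducible.
    """
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(count):
        t += rng.uniform(base_interval * (1 - jitter), base_interval * (1 + jitter))
        times.append(t)
    return times


def inter_arrivals(times: List[float]) -> List[float]:
    """Gaps between consecutive connections from one host to one destination."""
    return [b - a for a, b in zip(times, times[1:])]


def beacon_score(times: List[float]) -> float:
    """Coefficient of variation (stdev / mean) of the gaps.

    Uniform jitter of +/-20% gives CV ~ 0.12 no matter how the seed falls;
    exponential-looking human or batch traffic lands near 1.0. Fewer than two
    gaps cannot be scored, so return +inf (never flagged).
    """
    gaps = inter_arrivals(times)
    if len(gaps) < 2:
        return float("inf")
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else float("inf")


def is_beaconing(times: List[float], max_cv: float = 0.3, min_samples: int = 20) -> bool:
    """Flag a host/destination pair as beaconing when enough connections exist
    and their gaps are tight. Thresholds are assumptions for this example."""
    return len(times) >= min_samples and beacon_score(times) <= max_cv


def sample_non_beacon(mean_gap: float, count: int, seed: int = 2) -> List[float]:
    """Constructed comparison traffic: exponential gaps with the same mean as
    the beacon, roughly what interactive browsing to one site looks like."""
    rng = random.Random(seed)
    t, times = 0.0, []
    for _ in range(count):
        t += rng.expovariate(1.0 / mean_gap)
        times.append(t)
    return times


if __name__ == "__main__":
    implant = schedule_beacons(60.0, 0.2, 200)   # 60 s +/- 20 %
    normal = sample_non_beacon(60.0, 200)        # same mean, no structure
    print(f"implant  CV={beacon_score(implant):.3f} beaconing={is_beaconing(implant)}")
    print(f"ordinary CV={beacon_score(normal):.3f} beaconing={is_beaconing(normal)}")
```

In practice the timestamps come from proxy or flow logs grouped by source host and destination (for an HTTPS listening post, the SNI or destination IP), and the score is computed per pair; the CV threshold is deliberately loose so that jitter values up to about 50% are still caught, at the cost of more false positives from genuinely periodic software such as update checkers, which then need allow-listing.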

Below is the list of releases published by WikiLeaks since March:

Imperial – 27 July, 2017
UCL/RAYTHEON – 19 July, 2017
HighRise – 13 July, 2017
BothanSpy and Gyrfalcon – 06 July, 2017
OutlawCountry – 30 June, 2017
ELSA malware – 28 June, 2017
Cherry Blossom – 15 June, 2017
Pandemic – 1 June, 2017
Athena – 19 May, 2017
AfterMidnight – 12 May, 2017
Archimedes – 5 May, 2017
Scribbles – 28 April, 2017
Weeping Angel – 21 April, 2017
Hive – 14 April, 2017
Grasshopper – 7 April, 2017
Marble Framework – 31 March, 2017
Dark Matter – 23 March, 2017


3 New CIA-developed Hacking Tools For MacOS & Linux Exposed
27.7.2017 thehackernews BigBrothers

WikiLeaks has just published a new set of classified documents linked to another CIA project, dubbed 'Imperial,' which reveals details of at least three CIA-developed hacking tools and implants designed to target computers running Apple Mac OS X and different flavours of Linux operating systems.
If you are a regular reader of THN, you must be aware that this latest revelation by the whistleblower organisation is part of the ongoing CIA Vault 7 leaks, marking it as the 18th batch in the series.
If you are unaware of the Vault 7 leaks, you can head to the second section of this article for a brief look at all the leaks at once.
Achilles — Tool to Backdoor Mac OS X Disk Images
Dubbed Achilles, the hacking tool allows CIA operators to combine malicious Trojan applications with a legitimate Mac OS app into a disk image installer (.DMG) file.
The binding tool, a shell script written in Bash, bundles "one or more desired operator specified executables" for a one-time execution.
As soon as an unsuspecting user downloads an infected disk image on his/her Apple computer, opens and installs the software, the malicious executables would also run in the background.
Afterwards, all traces of the Achilles tool would be "removed securely" from the downloaded application so that the file would "exactly resemble" the original, un-trojaned application, making it hard for investigators and antivirus software to detect the initial infection vector.
Achilles v1.0, developed in 2011, was only tested on Mac OS X 10.6, which is Apple's Snow Leopard operating system that the company launched in 2009.
SeaPea — Stealthy Rootkit For Mac OS X Systems
The second hacking tool, called SeaPea, is a Mac OS X rootkit that gives CIA operators stealth and tool-launching capabilities by hiding important files, processes and socket connections from users, allowing them to access Macs without the victims' knowledge.
Developed in 2011, the Mac OS X Rootkit works on computers running then-latest Mac OS X 10.6 (Snow Leopard) Operating System (32- or 64-bit Kernel Compatible) and Mac OS X 10.7 (Lion) Operating System.
The rootkit requires root access to be installed on a target Mac computer and cannot be removed unless the startup disk is reformatted or the infected Mac is upgraded to the next version of the operating system.
Aeris — An Automated Implant For Linux Systems
The third CIA hacking tool, dubbed Aeris, is an automated implant written in C that is specifically designed to backdoor POSIX-compliant operating systems, including the Linux distributions Debian, CentOS and Red Hat, along with FreeBSD and Solaris.
Aeris is a builder that CIA operators can use to generate customised implants, depending upon their covert operation.
"It supports automated file exfiltration, configurable beacon interval and jitter, stand-alone and Collide-based HTTPS LP support and SMTP protocol support — all with TLS encrypted communications with mutual authentication."
"It's compatible with the NOD Cryptographic Specification and provides structured command and control that's similar to that used by several Windows implants."
Previous Vault 7 CIA Leaks
Last week, WikiLeaks revealed that CIA contractor Raytheon Blackbird Technologies analysed in-the-wild advanced malware and hacking techniques and submitted at least five reports to the agency to help it develop its own malware.
Since March, the whistle-blowing group has published 18 batches of "Vault 7" series, which includes the latest and last week leaks, along with the following batches:
Highrise Project — the alleged CIA project that allowed the spying agency to stealthily collect and forward stolen data from compromised smartphones to its server through SMS messages.
BothanSpy and Gyrfalcon — two alleged CIA implants that allowed the spying agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux operating systems using different attack vectors.
OutlawCountry – An alleged CIA project that allowed it to hack and remotely spy on computers running the Linux operating system.
ELSA – the alleged CIA malware that tracks the geo-location of targeted PCs and laptops running the Microsoft Windows operating system.
Brutal Kangaroo – A tool suite for Microsoft Windows used by the agency to target closed networks or air-gapped computers within an organization or enterprise without requiring any direct access.
Cherry Blossom – An agency framework, basically a remotely controllable firmware-based implant, used for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.
Pandemic – A CIA project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
Athena – A CIA spyware framework designed to take full control of infected Windows PCs remotely, which works against every version of Microsoft's Windows operating system, from Windows XP to Windows 10.
AfterMidnight and Assassin – Two alleged CIA malware frameworks for the Microsoft Windows platform that have been designed to monitor and report back actions on the infected remote host computer and execute malicious actions.
Archimedes – Man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
Scribbles – A piece of software reportedly designed to embed 'web beacons' into confidential documents, allowing the agency to track insiders and whistleblowers.
Grasshopper – Framework which allowed the spying agency to easily create custom malware for breaking into Microsoft Windows and bypassing antivirus protection.
Marble – Source code of a secret anti-forensic framework, basically an obfuscator or packer used by the CIA to hide the actual source of its malware.
Dark Matter – Hacking exploits designed by the agency to target iPhones and Macs.
Weeping Angel – Spying tool used by the agency to infiltrate smart TVs, transforming them into covert microphones.
Year Zero – Alleged CIA hacking exploits for popular hardware and software.


Iranian Cyberspy Groups Share Malware Code

27.7.2017 securityweek BigBrothers
Two cyberspy groups believed to be operating out of Iran, tracked by security firms as OilRig and Greenbug, have apparently shared malware code, according to researchers at Palo Alto Networks.

While cyber espionage groups sponsored by the same government often try to keep their campaigns separate, in the past months, researchers found connections between several groups linked to Iran. Experts identified shared code, infrastructure and even operations where two actors apparently helped each other directly.

One threat group, tracked as OilRig, has been around since 2015 and it has targeted many organizations, particularly in the financial and government sectors, in the United States and Middle Eastern countries. The actor’s attacks have often involved weaponized Microsoft Excel spreadsheets tracked as Clayslide and a backdoor dubbed Helminth.

In attacks observed by Palo Alto Networks this summer, hackers used new versions of Clayslide to deliver their malware. However, instead of pushing Helminth, the malicious spreadsheet delivered a variant of ISMDoor, a remote access trojan (RAT) previously used by a group tracked as Greenbug.

The activities of Greenbug were brought to light in early 2017 by Symantec, which believes the group may have helped the Iran-linked hackers who launched the Shamoon 2.0 attacks against Saudi Arabia last year.

The new ISMDoor variant, dubbed ISMAgent by Palo Alto Networks, is similar to the old malware as they both use DNS tunneling, but there are some significant differences. According to experts, ISMDoor accepts a longer but more rigid list of commands, while ISMAgent accepts more limited but flexible commands.
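Both ISMDoor and ISMAgent are described above as relying on DNS tunneling, which is exactly the trait a defender can hunt for without knowing either implant's encoding. The added example below is not Palo Alto Networks' analysis or either implant's code; it runs a small heuristic scorer over constructed DNS query-log lines (the tunnel domain, the client addresses and the log format are invented for the example) and flags registered domains whose subdomains are long, high-entropy, almost never repeated and queried mostly as TXT records. The thresholds are assumptions to be tuned against a baseline of the monitored network.

```python
"""Heuristic DNS tunnelling detector over constructed query-log lines.
Added example, not code from the malware or from Palo Alto Networks."""
import math
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed log lines in the shape "<unix_ts> <client_ip> <qtype> <qname>".
# "tunnel-test.invalid" is an invented tunnel domain (.invalid is reserved).
SAMPLE_LOG = """\
1501200000 10.0.0.5 A www.example.com
1501200001 10.0.0.5 A cdn.example.com
1501200002 10.0.0.5 AAAA mail.example.com
1501200003 10.0.0.7 TXT 3f9a1c7e2b4d8e60a1b2c3d4e5f60718293a4b5c.tunnel-test.invalid
1501200004 10.0.0.7 TXT 9c0b7a6e5d4c3b2a1f0e9d8c7b6a5f4e3d2c1b0a.tunnel-test.invalid
1501200005 10.0.0.7 TXT a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1f0a9b8.tunnel-test.invalid
1501200006 10.0.0.7 TXT 0011223344556677889900aabbccddeeff001122.tunnel-test.invalid
1501200007 10.0.0.5 A www.example.com
"""


class DomainStats(NamedTuple):
    queries: int
    unique_subdomains: int
    avg_subdomain_len: float
    avg_entropy: float
    txt_fraction: float
    score: int


def shannon_entropy(s: str) -> float:
    """Bits per character. Hex/base32 payload sits near 3.5-4.0 for 40-char
    labels; hostnames made of words sit near 2-3."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Last two labels. A production version uses the public-suffix list so
    that co.uk-style suffixes are handled; two labels suffice for this data."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def analyse(log_text: str) -> Dict[str, DomainStats]:
    """Group queries by registered domain and score each on four tunnel traits."""
    per_domain = defaultdict(list)  # registered domain -> [(subdomain, qtype)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, _client, qtype, qname = parts
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if qname.endswith("." + dom) else ""
        per_domain[dom].append((sub, qtype.upper()))

    result = {}
    for dom, entries in per_domain.items():
        subs = [s for s, _ in entries]
        uniq = set(subs)
        avg_len = sum(len(s) for s in subs) / len(subs)
        avg_ent = sum(shannon_entropy(s) for s in subs) / len(subs)
        txt = sum(1 for _, q in entries if q in ("TXT", "NULL")) / len(entries)
        # One point per trait; a tunnel typically trips three or four,
        # a CDN or busy SaaS domain usually only one (many unique names).
        score = int(avg_len > 30)
        score += int(avg_ent > 3.2)
        score += int(len(subs) >= 3 and len(uniq) / len(subs) > 0.9)
        score += int(txt > 0.5)
        result[dom] = DomainStats(len(entries), len(uniq), avg_len, avg_ent, txt, score)
    return result


def suspected_tunnels(log_text: str, min_score: int = 3) -> List[str]:
    """Registered domains scoring at least `min_score`, sorted for stable output."""
    return sorted(d for d, s in analyse(log_text).items() if s.score >= min_score)


if __name__ == "__main__":
    for dom, stats in analyse(SAMPLE_LOG).items():
        print(f"{dom:22} score={stats.score} len={stats.avg_subdomain_len:.1f} "
              f"ent={stats.avg_entropy:.2f} txt={stats.txt_fraction:.2f}")
    print("suspected:", suspected_tunnels(SAMPLE_LOG))
```

The unique-subdomain ratio is the trait that most reliably distinguishes a tunnel from a noisy but benign domain: anti-virus and CDN lookups also produce long labels, but the same labels recur, whereas a tunnel must encode fresh data in every query. Run it over a day of resolver logs per client and the tunnel domain surfaces with a score of 3 or 4 while ordinary domains stay at 0 or 1.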

Researchers previously found links between the Shamoon attacks and an Iran-linked group tracked as Magic Hound (aka Cobalt Gypsy and Timberworm), and between Magic Hound and other Iranian actors named Rocket Kitten and Newscaster (aka Charming Kitten and NewsBeef).

One hacker group that is also believed to be based in Iran, which has yet to be linked to other actors, is CopyKittens. CopyKittens has been around since at least 2013, targeting government organizations, academic institutions, IT firms, and defense companies in Israel, Saudi Arabia, the U.S., Jordan, Germany and Turkey.


North Korea's Elite More Connected Than Previously Thought

26.7.2017 securityweek BigBrothers

Telecommunications capability in North Korea is three-tiered. The vast majority of people have neither internet nor North Korean intranet connectivity -- they simply have mobile telephony voice, text and picture/video messaging within the domestic provider, Koryolink.

A small group of others, including university students, scientists and some government officials, can access the state-run North Korean intranet, Kwangmyong, that links libraries, universities and government departments and comprises a limited number of domestic websites.

A much smaller group from the ruling elite does, however, have full access to the internet. From April 1 through July 6, 2017, Recorded Future analyzed internet traffic from this small group of officials, and concluded that the standard view of North Korea is not entirely accurate: its leadership at least is not isolated from the rest of the world.

In a report and analysis conducted in partnership with Team Cymru and published today, Recorded Future notes that the North Korean leadership's internet activity is little different from the rest of the world's: "North Koreans spend much of their time online checking social media accounts, searching the web, and browsing Amazon and Alibaba," notes the report. "Facebook is the most widely used social networking site for North Koreans, despite reports that it, Twitter, YouTube, and a number of others were blocked by North Korean censors in April 2016."

The researchers looked for any proof of the hypothesis that there may be a correlation between North Korean internet activity and North Korean missile tests; but could find none. While noting that the research data was too small to be conclusive, the report says, "if there is a correlation between North Korean activity and missile tests, it is not telegraphed by leadership and ruling elite internet behavior."

What is clear, however, is that there is virtually nil malicious cyber activity directly from the North Korean mainland, and that "most state-sponsored activity is perpetrated from abroad." While this has some advantages, it also demonstrates an operational weakness that Recorded Future suggests could be exploited to apply asymmetric pressure on the Kim regime. By operating outside of national boundaries state actors should, in theory, be more easily detected and held accountable for their actions.

Most of the extra-territorial malicious activity is likely to come from the countries that have a significant North Korean presence: India, Malaysia, New Zealand, Nepal, Kenya, Mozambique, and Indonesia. China is excluded from this because of the unique nature of the North Korean/China relationship and the lower likelihood of direct cooperation with the West -- even though 10% of all North Korean cyber activity is with China.

This figure, however, is dwarfed by that of India. "Nearly one-fifth [20%] of all activity observed during this time period involved India," says the report. This supports reports of an increasingly close diplomatic and trade relationship between North Korea and India.

With little malicious activity coming from the North Korean mainland, the report is unable to draw conclusions about the associated cyber threat. Nevertheless, it says, "there was a smaller, but significant, amount of activity that was highly suspect. One instance was the start of Bitcoin mining by users in North Korea on May 17."

The temporal relationship to WannaCry is clear. "It began," says Recorded Future, "very soon after the May WannaCry ransomware attacks, which the NSA has attributed to North Korea’s intelligence service, the Reconnaissance General Bureau (RGB), as an attempt to raise funds for the Kim regime. By this point (May 17) actors within the government would have realized that moving the bitcoin from the three WannaCry ransom accounts would be easy to track and ill-advised if they wished to retain deniability for the attack."

The implication is that bitcoin mining was chosen to replace the missing funds from the WannaCry ransomware -- however, it is also worth considering this in conjunction with Joe Carson's consideration of WannaCry as a bitcoin manipulation method.

"Team Cymru’s intelligence and Recorded Future’s analysis have revealed two separate realities," concludes the report. The first is that attempts to completely isolate North Korea simply have not worked. The second, however, is more positive: "new tools that do not focus on Pyongyang and territorial North Korea are needed to achieve a lasting negative impact on the current Kim regime." This could be achieved by partnering with the countries that currently have internet activity with North Korea, such as India, Malaysia, Indonesia, and New Zealand.

Meanwhile, it says, "We continue to recommend that financial services firms and those supporting U.S. and South Korean military THAAD [Terminal High Altitude Area Defense] deployment as well as on-peninsula operations maintain the highest vigilance and awareness of the heightened threat environment to their networks and operations on the Korean peninsula."


Sweden Rattled by Massive Confidential Data Leak

26.7.2017 securityweek BigBrothers

Sweden's minority government was battling to contain the fallout Monday after a massive leak that may have made confidential military information accessible abroad, as well as the private data of millions of citizens.

The leak made an entire database on Swedish drivers' licenses available to technicians in the Czech Republic and Romania, with media reporting that the identities of intelligence agents may have been jeopardized.

"What has happened is an accident," Prime Minister Stefan Lofven told a news conference in Stockholm, adding that an investigation has been launched.

"It has happened in violation of the law and exposed Sweden and Swedish citizens to harm," Lofven said.

One of the largest breaches of government information in Sweden in decades, the scandal may threaten the ruling Social Democrat-led coalition as opposition parties have said they could put the issue to a confidence vote in parliament.

The leak stems from the transport agency's hiring of IBM in 2015 to take over its IT operations.

IBM in turn used subcontractors in the Czech Republic and Romania -- making the sensitive information accessible by foreign technicians.

- 'Keys to the kingdom' -

The transport agency's director general Maria Agren resigned in January for unknown reasons, but she has since confessed to violating data handling rules and accepted a fine of 70,000 Swedish kronor (around 7,000 euros, $8,000), according to media reports earlier this month.

The Swedish military said in a statement Saturday that information on its personnel, vehicles and defense and contingency planning could have been amongst the leaked data.

But the transport agency has denied having a register on military vehicles and added that "nothing indicates" the leaked information has been "spread in an improper way".

An official at the agency told the Dagens Nyheter newspaper that carelessness with Swedes' data was like "giving away the keys to the kingdom".

Grilled by reporters on Monday, Lofven said he was told about the leak in January by his state secretary.

Defense Minister Peter Hultqvist and Interior Minister Anders Ygeman had known about it since 2016, according to several media reports.

And Infrastructure Minister Anna Johansson, who oversees the transport agency, told TT news agency on Sunday that her former state secretary had known about the leak but kept the information hidden from her -- triggering outrage among opposition parties.

"(The fact) that a responsible minister didn't know what happened within her own field provides no confidence at all," Jonas Sjostedt, leader of the Left party, told TT.

Annie Loof, leader of the Centre party, said in a statement Sunday that "a vote of no-confidence would not be excluded".


Sweden Accidentally Leaks Personal Details of Nearly All Citizens
24.7.2017 thehackernews  BigBrothers

Another day, Another data breach!
This time, sensitive and personal data of millions of vehicle owners in Sweden, along with the nation's military secrets, have been exposed, putting both individual and national security at risk.
Who exposed the sensitive data? The Swedish government itself.
Swedish media are reporting a massive data breach at the Swedish Transport Agency (Transportstyrelsen) after the agency mishandled an outsourcing deal with IBM, which led to the leak of private data about every vehicle in the country, including those used by both police and military.
The data breach exposed the names, photos and home addresses of millions of Swedish citizens, including fighter pilots of the Swedish air force, members of the military's most secretive units, police suspects, people under the witness relocation programme, the weight capacity of all roads and bridges, and much more.
The incident is believed to be one of the worst government information security disasters ever.
Here's what happened and how:
In 2015, the Swedish Transport Agency handed IBM an IT maintenance contract to manage its databases and networks.
However, the Swedish Transport Agency uploaded the entire database onto cloud servers, which covered details on every vehicle in the country, including police and military registrations, and individuals on witness protection programs.
The transport agency then emailed the entire database in messages to marketers that subscribe to it.
And what’s terrible is that the messages were sent in clear text.
When the error was discovered, the transport agency's only response was to send a new list in another email, asking the subscribers to delete the old list themselves.
If you think the scandal ends there, you are wrong. The outsourcing deal gave IBM staff outside Sweden access to the Swedish transport agency's systems without undergoing proper security clearance checks.
IBM administrators in the Czech Republic were also given full access to all data and logs, according to Swedish newspaper Dagens Nyheter (DN), which analysed the Säpo investigation documents.
According to Pirate Party founder and now head of privacy at VPN provider Private Internet Access Rick Falkvinge, who brought details of this scandal to light, the incident "exposed and leaked every conceivable top secret database: fighter pilots, SEAL team operators, police suspects, people under witness relocation."
Tons of Sensitive Info Exposed about Both Individuals and Nation's Critical Infrastructures
According to Falkvinge, the leak exposed:
The weight capacity of all roads as well as bridges (which is crucial for warfare, and gives a good idea of which roads are intended to be used as wartime airfields).
Names, photos, and home addresses of fighter pilots in the Air Force.
Names, photos, and home addresses of everybody in a police register, which are believed to be classified.
Names, photos, and residential addresses of all operators in the military's most secret units, the equivalent of the SAS or SEAL teams.
Names, photos, and addresses of everybody in a witness relocation program who has been given a protected identity.
Type, model, weight, and any defects of all government and military vehicles, including their operator, which reveals a great deal about the structure of military support units.
Although the data breach happened in 2015, the Swedish Secret Service discovered it in 2016 and started investigating the incident, which led to the firing of STA director-general Maria Ågren in January 2017.
Ågren was also fined half a month's pay (70,000 Swedish krona, about $8,500) after being found guilty of being "careless with secret information," according to the publication.
What's the worrying part? The leaked database may not be secured until the fall, said the agency's new director-general Jonas Bjelfvenstam. The investigation into the scope of the leak is still ongoing.


Worst known governmental leak ever affected the Swedish Transport Agency. Homeland security at risk
24.7.2017 securityaffairs BigBrothers

Worst known governmental leak ever affected the Swedish Transport Agency; the data includes records of members of the military's secret units.
Sweden may be the scene of the worst known governmental leak ever: the Swedish Transport Agency moved all of its data to “the cloud,” which in practice meant transferring it to somebody else’s computers.

The huge trove of data includes top secret documents related to the fighter pilots, SEAL team operators, police suspects, people under witness relocation.

“The responsible director has been found guilty in criminal court of the whole affair, and sentenced to the harshest sentence ever seen in Swedish government: she was docked half a month’s paycheck.” wrote

Full data of top-secret governmental individuals, including photo, name, and home address, was leaked.

Director General Maria Ågren in Sweden was fined half a month’s salary in a very short trial.

Further investigation into the governmental data leak revealed that the Swedish Transport Agency moved all its data to “the cloud”, managed by IBM, two years ago, and that the Director General of the Transport Agency, Maria Ågren, was abruptly retired from her position in January 2017.

On July 6 it was disclosed that the Director had been found guilty of exposing classified information in a criminal court of law.

“But on July 6th, she is known to be secretly investigated to have cleared confidential information. According to the Security Unit for Security Objectives, the data may damage the security of the country. She is ordered to pay 70,000 kronor in daily fines.” reported the website SvtNyHeater.se.

“Among other things, the entire Swedish database of driving license photos has been available to several Czech technologies, which have not been tested for security. This means that neither the SÄPO nor the Transport Agency had control over the persons who handled the information that could be said to damage the security of the country.“

Leaked data included information related to people in the witness protection program and similar programs. This information was wrongly included in the register distributed outside the Agency as part of a normal procedure. Investigators discovered another unacceptable mistake: when a new version without the sensitive identities was distributed, the Agency did not instruct recipients to destroy the old copy.

“Last March, the entire register of vehicles was sent to marketers subscribing to it. This is normal in itself, as the vehicle register is public information, and therefore subject to Freedom-of-Information excerpts.” continues the Swedish website. “What was not normal were two things: first, that people in the witness protection program and similar programs were included in the register distributed outside the Agency, and second, when this fatal mistake was discovered, a new version without the sensitive identities was not distributed with instructions to destroy the old copy. Instead, the sensitive identities were pointed out and named in a second distribution with a request for all subscribers to remove these records themselves. This took place in open cleartext e-mail.”

[Image: Swedish Transport Agency. Sensitive data on Swedish vehicles was released to companies with no security clearance. Credit: Jonas Ekströmer/TT]

The leaked information is precious data for a foreign government in an information warfare scenario; it includes records of fighter pilots in the Air Force, policemen, and members of the military’s most secret units.

The archive also includes every kind of information about any government and military vehicle, including their “operator, which says a ton about the structure of military support units.”

PrivacyNewsOnline confirmed that the governmental data leak is still ongoing and that a fix can be expected “maybe this fall”.

“Much of the available analysis of the leak is still in the form of fully-redacted documents from the Security Police and similar agencies.” concluded the news agency.


The UK continues to grant the export of surveillance equipment to countries like Turkey
24.7.2017 securityaffairs BigBrothers

According to the UK’s Department for International Trade, the country granted a license to export surveillance equipment to Turkey earlier this year.
The UK continues to be one of the most active countries involved in the trade of surveillance technology. British firms continue to export surveillance systems ranging from internet mass surveillance equipment to IMSI-catchers.

According to the UK’s Department for International Trade, the country granted a license to export surveillance equipment to Turkey earlier this year, at the very time the Turkish Government was conducting a severe crackdown on opponents, dissidents, journalists and human rights advocates.

Turkey today continues to be the country that arrests more journalists than any other state worldwide. Last week, a Turkish court ordered the arrest of Amnesty’s Turkey director along with other human rights activists.

While the UK government granted the export license described above, the situation in Turkey became particularly worrying. In December, the Turkish authorities investigated more than 10,000 individuals over online terror activities. The suspects were accused of sharing material and posts against government officials.

The Turkish Government applied restrictions on the Tor anonymity network and, more generally, on all VPN services that could be used to avoid censorship.

The Turkish authorities questioned more than 3,000 people from June to December 2016; 1,656 of them were arrested.

The Government dismissed 4,400 public servants, while Human Rights Watch claimed the Turkish government jailed members of the democratic opposition.

We cannot ignore that Turkey is under constant threat from terrorist organizations due to its geographic location.

A Department for International Trade spokesperson told Motherboard in an email, “The UK government takes its defence export responsibilities very seriously and operates one of the most robust export control regimes in the world.” The spokesperson said the UK examines each application on a case-by-case basis, and draws from NGO reports and other resources. “We have suspended or revoked licences when the level of risk changes and we constantly review local situations.”

I personally believe that it is absurd that the UK, or any other government, still provides surveillance equipment to states that don’t respect human rights.


A Russian man involved in the development and maintenance of Citadel was sentenced to five years in prison
23.7.2017 securityaffairs  BigBrothers
The Russian hacker Mark Vartanyan was sentenced to five years in prison for his involvement in the development and maintenance of the Citadel botnets.
It’s a dire moment for cyber criminals: law enforcement agencies worldwide continue their fight against illegal activities online, as the recent shutdown of the AlphaBay and Hansa black markets demonstrates.

The news of the day is that the Russian hacker Mark Vartanyan was sentenced to five years in prison for his involvement in the development and maintenance of the Citadel botnets.

Vartanyan, also known by the pseudonym “Kolypto”, was arrested in Norway and extradited to the United States in December 2016.

Kolypto pleaded guilty in court in March 2017; he had been charged with one count of computer fraud.

“Citadel caused vast amounts of harm to financial institutions and individuals around the world. Mark Vartanyan utilized his technical expertise to enable Citadel into becoming one of the most pernicious malware toolkits of its time, and for that, he will serve significant time in federal prison,” said US Attorney John Horn.

Citadel was first offered for sale in 2011 on invite-only Russian cybercriminal forums. It is directly derived from the popular Zeus banking Trojan. In June 2013 Microsoft and the FBI carried out takedowns that eradicated more than 1,400 bots (nearly 88% of the overall Citadel botnet) associated with this malware.

Experts estimated that the malware has been responsible for over $500 million in financial fraud.

Over the years, the Citadel malware affected more than 11 million computers globally. The most recent variant derived from Citadel is Atmos, spotted in April 2016 when it had infected more than 1,000 bots.

Vartanyan’s role was crucial to the malware’s distribution: he was involved in developing, improving and maintaining Citadel. He was active between August 21, 2012 and January 9, 2013, while residing in Ukraine, and between on or about April 9, 2014 and June 2, 2014, while residing in Norway.

“Malicious software and botnets are rarely created by a single individual. Cybercrime is an organized team effort involving sophisticated, talented, and tech savvy individuals. Today’s sentencing of Mr. Vartanyan […] both removes a key resource from the cyber underworld and serves as a strong deterrent to others who may be contributing to the development of botnets and malware. The threat posed by cyber criminals in the U.S. and abroad is ever increasing,” David J. LeValley, Special Agent in Charge, FBI Atlanta Field Office, said.


Russia’s Duma has approved the bill to prohibit tools used to surf outlawed websites
23.7.2017 securityaffairs  BigBrothers

Russia is tightening controls on web services: on Friday, the parliament voted to prohibit web tools that could be used to surf outlawed websites.
Recently Russian authorities threatened to ban Telegram because it refused to comply with data protection laws.

On Friday, Russia’s parliament voted to ban web tools that could be used by people to surf outlawed websites.


On the same day, the Duma also approved the proposed bill to oblige anyone using an online message service to identify themselves with a telephone number.

To tighten controls on web services, members of the Duma passed the controversial bill, which prohibits the use from Russian territory of any service that could be used to access blacklisted websites.

If the law is approved by the upper chamber of the Russian Parliament and by President Vladimir Putin, Roskomnadzor will maintain a list of anonymizer services and ban those that do not comply with access restrictions ordered by the Russian Government.

Privacy advocacy groups fear the bill, which they consider too restrictive and likely to open the door to strict censorship; government opposition groups rely heavily on such technology to extend their protest abroad.

Let me close with a look at Tor Metrics data on Russian users accessing the popular anonymizing service.

The data on the top 10 countries by estimated number of directly-connecting clients shows that Russia is in third place.

COUNTRY MEAN DAILY USERS
United States 437521 (20.01 %)
United Arab Emirates 320743 (14.67 %)
Russia 213318 (9.76 %)
Ukraine 180847 (8.27 %)
Germany 176053 (8.05 %)
France 87925 (4.02 %)
United Kingdom 75001 (3.43 %)
Canada 41001 (1.88 %)
Netherlands 40586 (1.86 %)
Italy 37230 (1.70 %)


Russia Moves to Ban Tools Used to Surf Outlawed Websites

22.7.2017 securityweek BigBrothers

Russia's parliament on Friday voted to outlaw web tools that allow internet users to sidestep official bans of certain websites, the nation's latest effort to tighten controls of online services.

Members of the lower house, the Duma, passed the bill to prohibit the services from Russian territory if they were used to access blacklisted sites.

The bill instructs Russia's telecommunications watchdog Roskomnadzor to compile a list of anonymizer services and prohibit any that fail to respect the bans issued in Russia on certain websites.

The proposed law still has to be approved by the upper chamber of parliament and then by President Vladimir Putin.

Several internet-based groups in Russia have condemned it as too vaguely formulated and too restrictive.

The Duma also approved moves Friday to oblige anyone using an online message service to identify themselves with a telephone number.

Russia's opposition groups rely heavily on the internet to make up for their lack of access to the mainstream media.

But the Russian authorities have begun to tighten controls on online services, citing security concerns.

In June, Russian officials threatened to ban the Telegram messaging app after the FSB security service said those behind April's deadly Saint Petersburg metro bombing had used it.


UK Spy Agency Warns of State-sponsored Hackers Targeting Critical Infrastructure

19.7.2017 securityweek  BigBrothers

The U.K. Government Communications Headquarters (GCHQ), Britain's secret eavesdropping agency, warns that 'a number of [UK] Industrial Control System engineering and services organisations are likely to have been compromised' following the discovery of 'connections from multiple UK IP addresses to infrastructure associated with advanced state-sponsored hostile threat actors.'

The warning comes from a National Cyber Security Centre (NCSC) memo obtained by Motherboard and confirmed by the BBC. NCSC is part of the UK's primary cyber intelligence agency, GCHQ.

From the little information available, it doesn't appear as if there are any specifically known compromises -- NCSC might simply be working from the statistical probability that if enough phishing attacks are launched, at least some will inevitably succeed.

Spear-phishing is not specifically mentioned within the memo, although it does mention a separate, non-public report from the FBI and DHS last month suggesting the same attackers were using spear-phishing to deliver poisoned Word documents. Motherboard also points to a paywalled report in the Times, Saturday, which states, "Hackers backed by the Russian government have attacked energy networks running the national grid in parts of the UK, The Times has learnt."

The clear unproven implication is that Russian state-backed actors are specifically targeting the western energy sector. Having said that, however, the Times report differs from the FBI/DHS and NCSC memos by stating that the intention was "to infiltrate control systems... This would also have given them the power to knock out parts of the grid in Northern Ireland."

Both the FBI/DHS and NCSC memos point to attacks against services organizations, indicating that in the UK and America, it is primarily the supply chain to the critical infrastructure that is being targeted. Indeed, the FBI/DHS statement comments, "There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks."

So, apart from the Times report, this would appear to be a large-scale campaign designed to find ways to infiltrate the critical infrastructure rather than anything designed to damage the critical infrastructure. This is probably standard practice for most cyber-advanced nations -- ensuring they have the capacity to respond to a potential enemy if it ever becomes necessary.

The importance to an enemy and the potential danger to the critical infrastructure should not, however, be underestimated. A known and ready access route into, for example, the power grid, would be similar to having a nuclear deterrent primed and ready -- there is no intention to use it, but accidents can happen.

Neither the FBI/DHS nor the NCSC names the attackers. The NCSC clearly has suspects since it recognizes the infrastructure used. The New York Times, however, implicates Russia. "Two people familiar with the investigation say that, while it is still in its early stages, the hackers' techniques mimicked those of the organization known to cybersecurity specialists as 'Energetic Bear,' the Russian hacking group that researchers have tied to attacks on the energy sector since at least 2012."


WikiLeaks Reveals CIA Teams Up With Tech to Collect Ideas For Malware Development
19.7.2017 thehackernews BigBrothers
As part of its ongoing Vault 7 leaks, the whistleblower organisation WikiLeaks today revealed details about a CIA contractor responsible for analysing advanced malware and hacking techniques being used in the wild by cyber criminals.
According to the documents leaked by WikiLeaks, Raytheon Blackbird Technologies, the Central Intelligence Agency (CIA) contractor, submitted five such reports to the CIA as part of the UMBRAGE Component Library (UCL) project between November 2014 and September 2015.
These reports contain brief analyses of proof-of-concept ideas and malware attack vectors, both publicly presented by security researchers and secretly developed by cyber espionage hacking groups.
Reports submitted by Raytheon were allegedly helping the CIA's Remote Development Branch (RDB) collect ideas for developing its own advanced malware projects.
It was also revealed in previous Vault 7 leaks that the CIA's UMBRAGE malware development teams borrow code from publicly available malware samples to build their own spyware tools.
Here's a list of the reports with a brief summary of each:
Report 1 — Raytheon analysts detailed a variant of the HTTPBrowser Remote Access Tool (RAT), which was probably developed in 2015.
The RAT, which is designed to capture keystrokes from the targeted systems, was being used by a Chinese cyber espionage APT group called 'Emissary Panda.'
Report 2 — This document details a variant of the NfLog Remote Access Tool (RAT), also known as IsSpace, which was being used by Samurai Panda, identified as another Chinese hacking group.
Equipped with an exploit for the Adobe Flash zero-day CVE-2015-5122 (leaked in the Hacking Team dump) and a UAC bypass technique, this malware was also able to sniff or enumerate proxy credentials to bypass the Windows Firewall.
Report 3 — This report contains details about "Regin" -- a very sophisticated malware sample that has been spotted in operation since 2013 and is mainly designed for surveillance and data collection.
Regin is a cyber espionage tool, which is said to be more sophisticated than both Stuxnet and Duqu and is believed to have been developed by the US intelligence agency NSA.
The malware uses a modular approach that allows an operator to customise its spying capabilities. Regin's design makes the malware highly suited for persistent, long-term mass surveillance operations against targets.
Report 4 — It details a suspected Russian state-sponsored malware sample called "HammerToss," which was discovered in early 2015 and suspected of being operational since late 2014.
What makes HammerToss interesting is its architecture, which leverages Twitter accounts, GitHub accounts, compromised websites, and cloud storage to orchestrate command-and-control functions and execute commands on the targeted systems.
Report 5 — This document details the self-code injection and API hooking methods of an information-stealing Trojan called "Gamker."
Gamker uses simple decryption, then drops a copy of itself using a random filename and injects itself into a different process. The trojan also exhibits other typical trojan behaviours.
Previous Vault 7 CIA Leaks
Last week, WikiLeaks revealed the CIA's Highrise project, which allowed the spying agency to stealthily collect and forward stolen data from compromised smartphones to its server through SMS messages.
Since March, the whistle-blowing group has published 17 batches in the "Vault 7" series, including this and last week's leaks, along with the following batches:
BothanSpy and Gyrfalcon — two alleged CIA implants that allowed the spying agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux operating systems using different attack vectors.
OutlawCountry – An alleged CIA project that allowed it to hack and remotely spy on computers running the Linux operating system.
ELSA – the alleged CIA malware that tracks the geo-location of targeted PCs and laptops running the Microsoft Windows operating system.
Brutal Kangaroo – A tool suite for Microsoft Windows used by the agency to target closed networks or air-gapped computers within an organisation or enterprise without requiring any direct access.
Cherry Blossom – An agency framework, basically a remotely controllable firmware-based implant, used for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.
Pandemic – A CIA project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
Athena – A CIA spyware framework that has been designed to take full control over infected Windows PCs remotely, and works against every version of Microsoft's Windows operating system, from Windows XP to Windows 10.
AfterMidnight and Assassin – Two alleged CIA malware frameworks for the Microsoft Windows platform that have been designed to monitor and report back actions on the infected remote host computer and execute malicious actions.
Archimedes – Man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
Scribbles – A piece of software allegedly designed to embed 'web beacons' into confidential documents, allowing the spying agency to track insiders and whistleblowers.
Grasshopper – Framework that allowed the spying agency to easily create custom malware for breaking into Microsoft's Windows and bypassing antivirus protection.
Marble – Source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
Dark Matter – Hacking exploits the agency designed to target iPhones and Macs.
Weeping Angel – Spying tool used by the agency to infiltrate smart TVs, transforming them into covert microphones.
Year Zero – Alleged CIA hacking exploits for popular hardware and software.


Russian nation-state actors blamed for cyber attacks against Irish energy networks
18.7.2017 securityaffairs BigBrothers

Irish energy networks have been targeted by spear phishing attacks, Russian nation-state actors are the prime suspects for the cyber attacks.
Hackers have targeted Irish energy networks: senior engineers at the Electricity Supply Board (ESB), which supplies both Northern Ireland and the Republic, were targeted by spear phishing messages allegedly sent by a threat actor linked to Russia’s GRU intelligence agency.
The news was reported by The Times, whose sources confirmed that Russian nation-state actors launched the attack to compromise control systems and take over the electricity grid.

“Hackers backed by the Russian government have attacked energy networks running the national grid in parts of the UK, The Times has learnt.” reported The Times.

“The hackers, who targeted the Republic of Ireland’s energy sector, intended to infiltrate control systems, security analysts believe. This would also have given them the power to knock out parts of the grid in Northern Ireland.”


Why Ireland?

Security experts believe that GRU hackers were testing their cyber capabilities against the country’s infrastructure. The nation-state hackers may have been interested in destabilizing a country that also hosts the European headquarters of IT giants like Apple, Google, and Facebook. US officials confirmed last week that Russian government hacking teams penetrated American nuclear and other energy companies.

Ireland’s National Cyber Security Centre is investigating the attack, which according to experts aimed to steal information and gather intelligence rather than to sabotage.

The news about the attack against the Irish energy networks was disclosed shortly after the FBI and Department of Homeland Security sent a joint alert to the energy sector warning of cyber attacks powered by Russian nation state actors against the US nuclear power plants.

According to the alert, “advanced, persistent threat actors” used spear phishing message to steal login credentials to access networks of companies in the energy industry,

According to a report on vulnerabilities in British defence released by the Royal United Services Institute (RUSI) earlier this month, the threat of cyber attacks continues to grow especially for Western satellite infrastructures. Military and civilian communications and GPS system could be targeted by hackers with a significant impact on the economy of the country.

Of course, Russia denied that state-sponsored hackers have been involved in attacks against Western governments or Ukraine. President Putin blamed “patriotic” Russian hackers for the interference with the 2016 Presidential Election.


Intel, Defense Bills Amended to Include Russian Hacking

17.7.2017 securityweek BigBrothers

Intelligence and defense policy legislation passed last week shows that the United States government is increasingly concerned about cyberattacks, particularly attacks coming from Russia.

The National Defense Authorization Act (NDAA), which the House of Representatives passed on Friday, specifies the budget and expenditures of the U.S. Department of Defense (DoD).

The list of amendments for fiscal year 2018 includes several issues related to cyber capabilities. One of the adopted amendments requires the DoD to update its cyber strategy, requires the president to create a strategy for the use of offensive cyber capabilities, and provides for technical assistance to NATO members.

Other amendments include improvements to the training, recruitment and retention of cyber personnel; the possibility to request additional resources if the House of Representatives is the victim of a cyberattack; and a ban on the DoD working with telecoms firms that were “complicit” in cyberattacks attributed to North Korea.

Another amendment requires the DoD to help Ukraine improve its cyber security capabilities. This comes after the country’s energy sector was hit two times by damaging cyberattacks believed to have been sponsored by the Russian government.

Russia is the focus of several amendments, including the cyberattacks believed to have been launched by state-sponsored actors and the country’s propaganda and disinformation initiatives. The Secretary of Defense and the Director of National Intelligence will be required to provide Congress a report on all attempts to hack DoD systems in the past two years by threat groups linked to Russia.

The Intelligence Authorization Act for Fiscal Year 2018, which the House Permanent Select Committee on Intelligence unanimously advanced on Thursday, also references Russia.

The Intelligence Authorization Act, which authorizes funding for the U.S. intelligence community, requires the Director of National Intelligence to submit a report assessing the most significant Russian influence campaigns aimed at foreign elections.

Without specifically naming Russia, the bill also requires an unclassified advisory report on foreign counterintelligence and cybersecurity threats to federal election campaigns. This comes after the U.S. officially accused Russia of attempting to interfere with last year’s presidential election.

There have been several incidents recently involving the leakage of classified information from the intelligence community, including the Vault7 files by WikiLeaks. An amendment to the Intelligence Authorization Act requires officials to submit semiannual reports on investigations into unauthorized public disclosures of classified information.

Another hot topic covered by the Intelligence Authorization Act is related to the retention of vulnerabilities. This has been a highly debated subject, particularly after the recent WannaCry ransomware attacks, which leveraged an exploit developed by the NSA. Following the attacks, a group of lawmakers introduced a new bill, the PATCH Act, whose goal is to help the government decide whether or not it should release vulnerability details to non-federal entities.


AlphaBay Shut Down After Police Raid; Alleged Founder Commits Suicide in Jail
14.7.2017 thehackernews  BigBrothers

AlphaBay Market — one of the largest Dark Web marketplaces for drugs, guns, and other illegal goods — that mysteriously went dark earlier this month without any explanation from its admins has reportedly been shut down by the international authorities.
On July 4th, the dark web marketplace suddenly went down without any explanation from its admins, which left customers who had paid large sums in a panic.
Some customers even suspected that the site's admins had pulled an exit scam to steal user funds.
However, according to the Wall Street Journal, the disappearance of AlphaBay came after authorities in the United States, Canada, and Thailand collaborated to conduct a series of raids and arrest Alexandre Cazes, who allegedly was one of AlphaBay's operators.
Citing "people familiar with the matter," the publication claims that Cazes, a resident of Canada, was arrested in Thailand and taken into custody in Bangkok on July 5th, the same day the police executed two raids on residences in Quebec, Canada.
The 26-year-old Canadian citizen was awaiting extradition to the United States when a guard found him hanged in his jail cell on Wednesday, the Chiang Rai Times confirms. Cazes is believed to have hanged himself using a towel.

Cazes had been living in Thailand for nearly 8 years. During his arrest, authorities also seized "four Lamborghini cars and three houses worth about 400 million baht ($11.7 million) in total."
AlphaBay, also known as "the new Silk Road," also came in the news at the beginning of this year when a hacker successfully hacked the AlphaBay site and stole over 200,000 private unencrypted messages from several users.
After the disappearance of Silk Road, AlphaBay emerged in 2014 and became a leader among dark web marketplaces for selling illicit goods from drugs to stolen credit card numbers, exploits, and malware.
Unlike the dark web market 'Evolution', which suddenly disappeared overnight from the Internet and stole millions of dollars worth of Bitcoins from its customers, AlphaBay Market was shut down by law enforcement, suffering the same fate as Silk Road.
Silk Road was shut down after law enforcement raided its servers in 2013 and arrested its founder Ross William Ulbricht, who has been sentenced to life in prison.
The FBI also seized Bitcoins (worth about $33.6 million, at the time) from the site. Those Bitcoins were later sold in a series of auctions by the United States Marshals Service (USMS).


How CIA Agents Covertly Steal Data From Hacked Smartphones (Without Internet)
14.7.2017 thehackernews BigBrothers

WikiLeaks has today published the 16th batch of its ongoing Vault 7 leak. This time, instead of revealing a new malware or hacking tool, the whistleblower organisation has unveiled how CIA operatives stealthily collect and forward stolen data from compromised smartphones.
Previously, we have reported on several CIA hacking tools, malware and implants used by the agency to remotely infiltrate and steal data from targeted systems or smartphones.
However, this time neither Wikileaks nor the leaked CIA manual clearly explains how the agency operatives were using this tool.
But, since we have been covering every CIA leak from the very first day, we have understood a possible scenario and have illustrated how this newly revealed tool was being used.
Explained: How CIA Highrise Project Works
In general, malware uses the compromised machine's internet connection to send stolen data to an attacker-controlled server (a listening post), but on smartphones malware has an alternative channel for sending stolen data to the attackers: SMS.
Collecting stolen data via SMS, however, raises a major issue: sorting and analysing the bulk of messages received from multiple targeted devices.
To solve this issue, the CIA created a simple Android application, dubbed Highrise, which works as an SMS proxy between the compromised devices and the listening post server.
"There are a number of IOC tools that use SMS messages for communication and HighRise is a SMS proxy that provides greater separation between devices in the field ("targets") and the listening post" by proxying “incoming” and “outgoing” SMS messages to an internet LP, the leaked CIA manual reads.
What I understood after reading the manual is that CIA operatives need to install an application called "TideCheck" on their Android devices, which are set to receive all the stolen data via SMS from the compromised devices.
The last known version of the TideCheck app, i.e. HighRise v2.0, was developed in 2013 and works on mobile devices running Android 4.0 to 4.3, though I believe, by now, they have already developed updated versions that work on the latest Android OS.

Once installed, the app prompts for a password, which is "inshallah," and after login, it displays three options:
Initialize — to run the service.
Show/Edit configuration — to configure basic settings, including the listening post server URL, which must be using HTTPS.
Send Message — allows the CIA operative to manually (optionally) submit short messages (remarks) to the listening post server.
Once initialized and configured properly, the app continuously runs in the background to monitor incoming messages from compromised devices; and when received, forwards every single message to the CIA's listening post server over a TLS/SSL secured Internet communication channel.
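The capabilities described above (receive SMS, forward it over the internet, restart after reboot) are also what a defender can look for when triaging an Android package. The following Python script is an added example, not code from the leaked manual, from WikiLeaks or from any CIA material: it parses an AndroidManifest.xml and scores the combination of SMS access, network access and boot persistence. Both manifests, the package names and the assumption that an SMS proxy needs exactly these permissions are constructed for the illustration; the manual itself does not list HighRise's permissions.

```python
"""Manifest triage for SMS-proxy style Android apps.

Added example, not from the leaked manual or any CIA/WikiLeaks material.
Assumption: an app that forwards incoming SMS to an internet listening post
and restarts after reboot has to declare the RECEIVE_SMS, INTERNET and
RECEIVE_BOOT_COMPLETED permissions and register receivers for the
SMS_RECEIVED and BOOT_COMPLETED broadcasts.  Package names are made up.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PRIORITY = f"{{{ANDROID_NS}}}priority"

SMS_READ_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SEND_SMS_PERM = "android.permission.SEND_SMS"
INTERNET_PERM = "android.permission.INTERNET"
BOOT_PERM = "android.permission.RECEIVE_BOOT_COMPLETED"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"
BOOT_COMPLETED = "android.intent.action.BOOT_COMPLETED"

# Constructed manifest modelled on the behaviour the article describes.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.tidecheck">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest of an ordinary messaging app: handles SMS, but has
# neither network access nor boot persistence.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.messenger">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def parse_manifest(xml_text):
    """Return (package, permissions, intent actions, max SMS_RECEIVED priority)."""
    root = ET.fromstring(xml_text)
    perms = {el.get(NAME) for el in root.iter("uses-permission")}
    actions = set()
    sms_priority = 0
    for flt in root.iter("intent-filter"):
        names = {a.get(NAME) for a in flt.iter("action")}
        actions |= names
        if SMS_RECEIVED in names:
            sms_priority = max(sms_priority, int(flt.get(PRIORITY, "0")))
    return root.get("package"), perms, actions, sms_priority


def assess(xml_text):
    """Score a manifest for SMS-proxy indicators: low / medium / high."""
    pkg, perms, actions, sms_priority = parse_manifest(xml_text)
    findings = []
    reads_sms = bool(perms & SMS_READ_PERMS) or SMS_RECEIVED in actions
    if reads_sms and INTERNET_PERM in perms:
        findings.append("sms-access+internet")      # can relay SMS to a listening post
    if BOOT_PERM in perms or BOOT_COMPLETED in actions:
        findings.append("boot-persistence")         # restarts with the phone
    if reads_sms and SEND_SMS_PERM in perms:
        findings.append("two-way-sms")              # inbound and outbound proxying
    if sms_priority > 0:
        # Before Android 4.4 a high-priority receiver could consume the
        # SMS_RECEIVED broadcast before the messaging app saw it.
        findings.append("high-priority-sms-receiver")
    if "sms-access+internet" in findings and "boot-persistence" in findings:
        severity = "high"
    elif "sms-access+internet" in findings or "boot-persistence" in findings:
        severity = "medium"
    else:
        severity = "low"
    return {"package": pkg, "findings": findings, "severity": severity}


if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        print(assess(manifest))
```

The severity rule deliberately treats SMS access on its own as normal (every messaging app has it) and only escalates when it is paired with an internet path out of the device and a way to survive reboot, which is the combination the article attributes to HighRise. On a real device the manifest is extracted from the APK first (for example with apktool or aapt), which this example leaves out.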
Previous Vault 7 CIA Leaks
Last week, WikiLeaks dumped two alleged CIA implants that allowed the agency to intercept and exfiltrate SSH credentials from targeted Windows and Linux operating systems using different attack vectors.
Dubbed BothanSpy (an implant for the Xshell client on Microsoft Windows) and Gyrfalcon (which targets the OpenSSH client on various Linux distributions, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu).
Since March, the whistleblowing group has published 16 batches of the "Vault 7" series, including this week's and last week's leaks, along with the following batches:
OutlawCountry – An alleged CIA project that allowed it to hack and remotely spy on computers running the Linux operating system.
ELSA – Alleged CIA malware that tracks geo-location of targeted computers and laptops running the Microsoft Windows operating system.
Brutal Kangaroo – A tool suite for Microsoft's Windows used by the spying agency to target closed networks or air-gapped computers within an organisation or enterprise without requiring any direct access.
Cherry Blossom – An agency framework used for monitoring the Internet activity of targeted systems by exploiting vulnerabilities in Wi-Fi devices.
Pandemic – A CIA project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
Athena – An agency spyware framework developed to take full control of infected Windows machines remotely, which works on every version of Microsoft's Windows operating system, from XP to Windows 10.
AfterMidnight and Assassin – Two CIA malware frameworks for the Windows platform that have been designed to monitor activities on the infected remote host computer and execute malicious actions.
Archimedes – Man-in-the-middle attack tool allegedly developed by the CIA to target computers inside a Local Area Network (LAN).
Scribbles – Software reportedly designed to embed 'web beacons' into confidential documents, allowing the agency to track insiders and whistleblowers.
Grasshopper – Framework that allowed the CIA hackers to easily create their custom malware for breaking into Microsoft's Windows OS and bypassing antivirus protection.
Marble – Source code of a secret anti-forensic framework used by the agency to hide the actual source of its malware.
Dark Matter – Hacking exploits the spying agency designed to target iOS and Mac systems.
Weeping Angel – Spying tool used by the CIA hackers to infiltrate smart TVs, transforming them into covert microphones.
Year Zero – Alleged CIA hacking exploits for popular software and hardware.


EFF Reviews Privacy Practices of Online Service Providers

14.7.2017 securityweek BigBrothers

During 2016, the US government made 49,868 requests to Facebook for user data; 27,850 requests to Google; and 9,076 requests to Apple. Governments will not stop making these requests, since the internet has become a major avenue for mass surveillance. The real issue is to what extent internet companies will seek to protect their users' data from unwarranted government intrusions.

Each year, the Electronic Frontier Foundation (EFF) publishes an annual 'Who Has Your Back' analysis of the basic privacy policy of major online service providers. It looks at five primary characteristics:

• Best privacy practices (including a satisfactory public, published policy and a published transparency report)

• Informs users about government data requests (in advance of actually handing over any data)

• Refusal to hand over data without legal requirement (including by leakage or sale to third parties)

• Stands up to National Security Letter (NSL) gag orders (with a public pledge to invoke the right to seek judicial review of all indefinite gag orders)

• Has a pro-user public policy (including support for reform of Section 702 of the FISA Amendments Act that will reduce the collection of information on innocent people).

A star is awarded for each category satisfied by the provider. This year (PDF), nine out of 26 evaluated companies have been awarded five stars: Adobe, Credo, Dropbox, Lyft, Pinterest, Sonic, Uber, Wickr, and Wordpress.

Telecoms companies generally perform poorly. "When it comes to adopting policies that prioritize user privacy over facilitating government data demands," notes the report, "the telecom industry for the most part has erred on the side of prioritizing government requests." Particularly at fault here are AT&T, Comcast, T-Mobile, and Verizon -- all with a single star in the 'best practices' category.

This is not, however, universal in telecoms. "Credo Mobile [5 stars] has repeatedly proven that telecom companies can adopt policies that earn credit in every category year after year. Similarly, Sonic [5 stars], an ISP competitor to AT&T, Comcast, TMobile, and Verizon, has now earned credit in every category of EFF's annual report for five years."

Some technology companies that have been high performers in previous years have dropped from that position this year -- for example, Facebook, Google and Twitter. All three have so far failed to publicly commit to requesting judicial review of all NSLs. Fewer than half of the reviewed companies have actually made that commitment: Adobe, Airbnb, Apple, Credo, Dropbox, Lyft, Pinterest, Slack, Sonic, Uber, Wickr, and WordPress.

"We applaud these companies that have taken a public stand to ensure judicial oversight of gag orders and urge others within the technology space to do the same," says EFF.

Failure to be awarded all five stars should not in itself suggest a complete failure in user privacy concern -- only that the company could do even better. For example, of Google, EFF says, "This is Google's sixth year in Who Has Your Back, and it has adopted a number of industry best practices, including publishing a transparency report, requiring a warrant for content, and publishing its guidelines for law enforcement requests. Google promises to inform users before disclosing their data to the government and supports substantive reforms to rein in NSA surveillance. Google prohibits third parties from allowing Google user data to be used for surveillance purposes."

Its failure to win five stars this year is solely down to the lack of a public policy of demanding judicial review of NSLs. "We urge Google to create a public policy of requesting judicial review of all National Security Letters," says EFF. On its own, this doesn't mean that Google does not have such a policy (it may or it may not); it simply has not publicly avowed the policy.

Apple is another tech giant that just falls short of five stars. Unlike Google, it does have a publicly stated policy of demanding a judicial review on all NSLs. Apple's published policy states, "If Apple receives a National Security Letter (NSL) from the U.S. government that contains an indefinite gag order, Apple will notify the government that it would like the court to review the nondisclosure provision of the NSL pursuant to USA FREEDOM."

Apple is not, however, specifically campaigning for the reform of Section 702.

Two companies criticized by EFF are Amazon and WhatsApp, both receiving just 2 stars. While EFF praises WhatsApp's move to adopt end-to-end encryption by default for its billion users, its policies still lag behind. Amazon has been rated number one in customer service, yet it hasn't made the public commitments to stand behind its users' digital privacy that the rest of the industry has.

"The tech industry as a whole has moved toward providing its users with more transparency," comments EFF senior staff attorney Nate Cardozo, "but telecommunications companies -- which serve as the pipeline for communications and Internet service for millions of Americans -- are failing to publicly push back against government overreach. Both legacy telcos and the giants of Silicon Valley can and must do better. We expect companies to protect, not exploit, the data we have entrusted them with."


'HighRise' Android Malware Used by CIA to Intercept SMS Messages

13.7.2017 securityweek BigBrothers

WikiLeaks on Thursday published a user guide describing what appears to be a tool used by the U.S. Central Intelligence Agency (CIA) to intercept SMS messages on Android mobile devices.

Named HighRise, the version of the malware described in the WikiLeaks document is disguised as an app called TideCheck, and it only works on Android versions between 4.0 and 4.3.

According to its developers, the tool must be manually downloaded, installed and activated on the targeted device – this means that the attacker needs to have physical access to the smartphone or trick victims into installing it themselves.

The second scenario is less likely as activating the app requires the user to open the TideCheck app, enter the “inshallah” password (the Arabic expression for “God willing”), and select the “Initialize” option from the menu. The document shows that the app will automatically run in the background after a reboot once it has been manually activated.

HighRise can be used to proxy incoming SMS messages received by the compromised device to a remote server. The tool also includes functionality for sending messages to the server via a secure communications channel.

The user guide leaked by WikiLeaks is for version 2.0 of HighRise and it’s dated December 2013. Google has made numerous security improvements to the Android operating system since version 4 – the latest version is Android 7 Nougat – and malware such as HighRise may no longer work without significant updates.

On the other hand, cybercriminals have been keeping up with the improvements and they still manage to create profitable Android malware. Furthermore, given that HighRise requires a significant amount of user interaction, it’s possible that this or other similar projects are still successfully utilized by the CIA.

Over the past months, WikiLeaks has described several “Vault 7” tools allegedly used by the agency. The most recent leaks detail malware designed for redirecting traffic on Linux systems (OutlawCountry), stealing SSH credentials (BothanSpy), spreading malware on an organization’s network (Pandemic), locating people via their device’s Wi-Fi (Elsa), hacking routers and access points (Cherry Blossom), and accessing air-gapped networks (Brutal Kangaroo).


Democracy at Risk from Poor Cybersecurity, Foreign Interference: Survey

13.7.2017 securityweek BigBrothers

Survey Shows Distinct Voter Concern for Elections and Cybersecurity

For more than a year, a single thread has dominated American news: foreign interference in US elections. It started in June 2016 in the run-up to the 2016 presidential election, when the Democratic National Committee (DNC) announced it had been hacked, and CrowdStrike accused Russia-based Cozy Bear (APT 29).

Since then, the ramifications have rarely been out of the news. In October 2016 the U.S. government formally accused Russia of being behind the cyberattacks, and by December it became known that the CIA believed that "Russia intervened in the 2016 election to help Donald Trump win the presidency, rather than just to undermine confidence in the U.S. electoral system," The Washington Post reported.

Since then, emphasis has switched to questioning the extent to which the Trump electoral team may or may not have known about or colluded with Russia in order to win the election; and whether it has or has not attempted to hinder or subvert subsequent law enforcement investigations. This has continued throughout 2017 until Wednesday this week when Rep. Brad Sherman (D-Calif.) formally introduced an article of impeachment against President Trump.

The article of impeachment revolves around Trump's dismissal of FBI director James Comey allegedly to hinder the FBI's investigation into former National Security Advisor, General Michael Flynn. "In all of this, Donald John Trump has acted in a manner contrary to his trust as President and subversive of constitutional government, to the great prejudice of the cause of law and justice and to the manifest injury of the people of the United States."

The huge and apparently unending ramifications of what started as just another cyber hack have caused cybersecurity firm Carbon Black to wonder what effect the cyber element has had on the American electorate. In June 2017, it conducted a nationwide survey (PDF) of 5,000 eligible U.S. voters, with particular reference to the upcoming 2018 midterm elections.

In an associated blog post Carbon Black CEO Patrick Morley commented, "In perhaps the most startling revelation from the survey, 1 in 4 voters said they will consider not voting in upcoming elections over cybersecurity fears."

In reality, this figure is easily covered by existing non-voters. Only about 57.9% of eligible voters voted in the 2016 election, down less than 1% from the 58.6% who voted in 2012. So, while 25% of voters now say they may not vote in the midterms, this may have no effect on the actual voter turnout.

A second area where the obvious conclusion may not be the accurate conclusion can be seen in 'voter perception on election influence'. According to the survey, "47% of voters said they believe the 2016 U.S. election was influenced by foreign entities." However, there could be a strong element of 'sore loser' in these figures. There is an aspect of tribalism in political affiliation -- some people will always vote for one particular party simply because of tribal affiliations.

It is estimated that 48% of the electorate voted for Clinton (slightly more than the estimated 46% who voted Trump). There will be a strong incentive for the losing 48% to blame external causes on their loss -- and that could account for a large proportion of the 47% of responding voters who told Carbon Black that the result was influenced by foreign entities.

Despite not being able to definitively relate current sentiment to a past or future threat against electoral democracy, the Carbon Black survey nevertheless shows distinct voter concern for elections and cybersecurity. Several of the survey queries are unambiguous, and the results can be taken at face value. Forty-five percent of voters believe that Russia poses the biggest cybersecurity risk to U.S. elections. Of the remaining 55%, "20% said the United States itself; 17% said North Korea; 11% said China; and 4% said Iran. (3% answered 'other.')" notes the report.

Fifty-four percent of respondents "said the NSA leaks negatively impacted their trust in the U.S. election system to keep data safe;" and 44% "said they believe Russia will 'Be back' to influence future elections."

Carbon Black concludes, "Cyberattacks against our elections seed doubt in democracy. The idea that even a single voter is willing to forfeit their vote in fear of a cyberattack is startling. The fact that 1 in 4 voters said they would be willing to do so speaks volumes about how deeply this doubt has penetrated. The alleged cyberattacks surrounding the 2016 elections were a clarion call that foreign entities are motivated to disrupt U.S. elections." More starkly, it adds, "Our democracy is at risk."

Reality is probably not as extreme as this suggests. Political sentiment polling is very difficult, and Carbon Black has failed to eliminate 'other causes' in some of its questions. It might, for example, have been better to question 5,000 eligible voters that had actually voted in 2016 to get a more accurate picture of future voting intentions.

Nevertheless, it is clear that there is strong voter concern over the future of elections and cybersecurity. The report makes five proposals designed "to help restore voter confidence." The first is to implement stronger cybersecurity protection for online registration systems and voter databases. The second is to limit (or discontinue) the use of electronic voting machines. The third is to create an auditable paper trail of votes in every state and precinct. The fourth is to prohibit online voting.

The fifth is arguably the most important. In January 2017, then U.S. Homeland Security Secretary Jeh Johnson said, "I have determined that election infrastructure in this country should be designated as a subsector of the existing Government Facilities critical infrastructure sector. Given the vital role elections play in this country, it is clear that certain systems and assets of election infrastructure meet the definition of critical infrastructure, in fact and in law."

In its fifth recommendation, Carbon Black now calls for the government to "commit the same urgency and resources to protecting its elections as it does for 'traditional' critical infrastructure."


Wikileaks: CIA HighRise Android malware used to intercept and redirect SMSs
13.7.2017 securityaffairs BigBrothers

Wikileaks released the documentation for HighRise, an Android app used by the CIA to intercept and redirect SMS messages to a CIA-controlled server.
WikiLeaks just published a new batch of documents related to another CIA hacking tool dubbed HighRise, part of the Vault 7 leak released in partnership with media partners.

The tool is an Android application used by US intelligence agents to intercept and redirect SMS messages to a CIA-controlled server.

Below is the list of features implemented by the Android malware:

Proxy “incoming” SMS messages received by HighRise host to an internet LP
Send “outgoing” SMS messages via the HighRise host
Provide a communications channel between the HighRise field operator & the LP
TLS/SSL secured internet communications

“HighRise is an Android application designed for mobile devices running Android 4.0 to 4.3. HighRise provides a redirector function for SMS messaging. There are a number of IOC tools that use SMS messages for communication and HighRise is a SMS proxy that provides greater separation between devices in the field (“targets”) and the listening post.” reads the manual.

According to the user manual leaked by Wikileaks, the malicious code only works on Android versions from 4.0 through 4.3 (Android Ice Cream Sandwich and Jelly Bean), which currently account for 8.8 percent of all Android devices on the market.

However, the document dates back to December 2013, so it is likely that the CIA has updated the tool in the meantime to target newer versions of the Android OS.

The HighRise tool is packaged inside an app named TideCheck (tidecheck-2.0.apk, MD5: 05ed39b0f1e578986b1169537f0a66fe).


The tool must be installed manually by CIA agents on the target device and needs to be executed manually at least once.

“Therefore, the HighRise application first must be manually run once before it will automatically run in the background or after a reboot. As a consequence, the HighRise application now shows up in the list of installed apps so it can be started by the HighRise operator. ” continues the manual.

When running the tool for the first time, CIA cyber spies must enter the special code “inshallah” (“God willing” in Arabic) to access its settings.

Once the code has been entered and the software is successfully activated, HighRise will run in the background listening for events. The hacking tool will automatically start every time the phone is powered on.

“Once activated, HighRise will run in the background listening for events. It will also automatically start when the phone is powered on. Activating HighRise multiple times will have no adverse effects.” continues the manual.

Below is the list of releases published by Wikileaks since March:

HighRise – 13 July, 2017
BothanSpy and Gyrfalcon – 06 July, 2017
OutlawCountry – 30 June, 2017
ELSA malware – 28 June, 2017
Cherry Blossom – 15 June, 2017
Pandemic – 1 June, 2017
Athena – 19 May, 2017
AfterMidnight – 12 May, 2017
Archimedes – 5 May, 2017
Scribbles – 28 April, 2017
Weeping Angel – 21 April, 2017
Hive – 14 April, 2017
Grasshopper – 7 April, 2017
Marble Framework – 31 March, 2017
Dark Matter – 23 March, 2017


US Government limits purchase of Kaspersky Lab solutions amid concerns over Russia ties
13.7.2017 securityaffairs BigBrothers

The US General Services Administration announced that the security firm Kaspersky Lab has been deleted from lists of approved vendors.
The US government bans Kaspersky solutions amid concerns over Russian state-sponsored hacking. Federal agencies will not buy software from Kaspersky Lab due to its alleged links to the Russian intelligence services.

This week, a Bloomberg News report claimed that internal company emails show Kaspersky has a close relationship with the Russian security service, the FSB.

The General Services Administration (GSA), which is the organization that handles federal government purchasing contracts, announced that cyber security firm Kaspersky Lab has been removed from the list of approved vendors.

“GSA’s priorities are to ensure the integrity and security of US government systems and networks and evaluate products and services available on our contracts using supply chain risk management processes,” reads the statement issued by the General Services Administration.

The decision doesn’t surprise the IT security industry; US intelligence and government officials have expressed concerns about the adoption of Kaspersky software several times.

It is important to highlight that the ban is not total; government agencies will still be able to use Kaspersky software purchased separately from the GSA contract process.

According to Reuters, the company said in a statement to AFP that it had not received any updates from GSA or any other U.S. government agency regarding its vendor status.

“Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts,” the company said.

It added that it had been “caught in the middle of a geopolitical fight where each side is attempting to use the company as a pawn in their political game.”

Kaspersky added that “the company is being unjustly accused without any hard evidence to back up these false allegations.”

Kaspersky on Tuesday published a statement in response to Bloomberg’s report.

“While the U.S. government hasn’t disclosed any evidence of the ties, internal company emails obtained by Bloomberg Businessweek show that Kaspersky Lab has maintained a much closer working relationship with Russia’s main intelligence agency, the FSB, than it has publicly admitted.”

“Actually, the reported emails show no such link, as the communication was misinterpreted or manipulated to try to make the media outlet’s narrative work. Kaspersky Lab is very public about the fact that it assists law enforcement agencies around the world with fighting cyberthreats, including those in Russia, by providing cybersecurity expertise on malware and cyberattacks.” states Kaspersky.

“Kaspersky Lab regularly cooperates with law enforcement agencies, industry peers and victims of cybercrime.”

In May, the Senate Armed Services Committee passed a defense spending policy bill that would ban Kaspersky products from use in the US military. The decision was taken a day after the FBI interviewed several of the company’s U.S. employees at their private homes as part of a counterintelligence investigation into its operations.

“In May senior U.S. intelligence officials said in testimony before the Senate Intelligence Committee that they were reviewing government use of software from Kaspersky Lab,” Reuters reported.

“Lawmakers raised concerns that Moscow might use the firm’s products to attack American computer networks, a particularly sensitive issue given allegations by U.S. intelligence agencies that Russia hacked and leaked emails of Democratic Party political groups to interfere in the 2016 presidential election campaign. Russia denies the allegations.”


Following NotPetya NATO Increases Support for Ukraine’s Cyber Defenses
13.7.2017 securityaffairs BigBrothers

Following the massive NotPetya attack, NATO increases support for Ukrainian cyber defenses, and Ukraine considers joining NATO.
“Critical Infrastructure” is one of the most sensitive elements of any country’s economy. Recent attacks against Ukraine’s infrastructure have many other countries taking note and have encouraged NATO to pitch in and help bolster Ukrainian cyber defenses.

In December 2015, Ukrainian power grid operators watched helplessly as hackers remotely logged into three power distribution companies and cut power to more than 230,000 residents. The attackers had begun months earlier by sending carefully crafted phishing emails to key IT staff at the target companies. The malicious attachments gave them a foothold in the networks, and over the following months they gathered information and extended their remote access until it was time to strike. Attribution is difficult, but the patience and tradecraft involved point to a sophisticated actor, and many analysts attribute the operation to Russian-linked hacking groups.


More recently, in June 2017, a ransomware attack launched in Ukraine hit transportation, banking and power infrastructure. Initially taken for a variant of the Petya ransomware, it spread beyond its original targets and became a worldwide problem that has directly cost companies millions of dollars in lost production, plus untold remediation and recovery costs. As investigators dug deeper it became clear that the malware was only masquerading as ransomware. Ransomware exists to generate revenue, yet this attack had a clumsy mechanism for collecting payment, so revenue was evidently not the goal. Most experts now agree it was another attack intended to disrupt Ukrainian infrastructure and have dubbed it NotPetya. Again attribution is uncertain, but Russian-linked groups are suspected.

Other countries are watching these developments closely. Ukraine’s critical infrastructure protections are reported to be better than those of many other countries, so the same attacks could plausibly be turned against new targets. In a demonstration of solidarity, and likely a good deal of self-interest, NATO has agreed to provide Ukraine with support and equipment to “help Ukraine investigate who is behind the different attacks,” according to NATO secretary-general Jens Stoltenberg. In December 2014 NATO established the Cyber Defence Trust Fund with a mandate “to provide Ukraine with the necessary support to develop its strictly defensive, CSIRT-type technical capabilities, including laboratories to investigate cyber security incidents.” As of June 2016, eight countries had contributed €965,000, and while this helped bolster Ukrainian cyber defenses it is clearly not enough.

Speaking on the topic of Ukraine formally joining the NATO alliance at a joint press conference with NATO on Monday, Ukrainian President Petro Poroshenko said,

“Today we clearly stated that we would begin a discussion about a membership action plan and our proposals for such a discussion were accepted with pleasure.”

Given that the recent cyber attacks are rumored to originate with Russian-linked hacking groups, the ongoing tensions between Russia and Ukraine, and Russia’s public stance against any NATO expansion, this is unlikely to calm the region. But given the sophistication of the cyber attacks and the apparent disregard for their global impact beyond Ukrainian borders, other countries cannot realistically sit on the sidelines and leave Ukraine to protect itself.


U.S. Bans Kaspersky Software Amid Concerns Over Russia Ties

12.7.2017 securityweek BigBrothers

Washington - The US government has moved to block federal agencies from buying software from Russia-based Kaspersky Lab, amid concerns about the company's links to intelligence services in Moscow.

The General Services Administration, which handles federal government purchasing contracts, said in a statement to AFP that Kaspersky Lab, a major global provider of cybersecurity software, has been removed from its list of approved vendors, making it more difficult to obtain Kaspersky products.

"GSA's priorities are to ensure the integrity and security of US government systems and networks and evaluate products and services available on our contracts using supply chain risk management processes," the agency said in a statement.

The action came weeks after top US intelligence agency and law enforcement officials publicly expressed concerns about use of Kaspersky software.

The officials, appearing at a congressional hearing in May, stopped short of offering specifics but appeared to suggest concerns over the computer security firm's alleged links to Russian defense and intelligence bodies.

The company said in a statement to AFP Wednesday, "Kaspersky Lab has no ties to any government, and the company has never helped, nor will help, any government in the world with its cyberespionage efforts."

It added that "the company is being unjustly accused without any hard evidence to back up these false allegations."

A Bloomberg News report this week meanwhile claimed internal company emails show that Kaspersky has maintained a closer working relationship with Russia's main intelligence agency, the FSB, than it has publicly admitted.

Kaspersky on Tuesday issued a statement disputing the Bloomberg accounting, saying "the communication was misinterpreted or manipulated," but did acknowledge that it "regularly cooperates with law enforcement agencies, industry peers and victims of cybercrime."

The company has repeatedly denied working with any government agency, and Russia-born founder Eugene Kaspersky has on several occasions sought to counter any such allegations.

In a June 30 blog post, Kaspersky wrote, "For some reason the assumption continues to resonate that since we're Russian, we must also be tied to the Russian government. But really, as a global company, does anyone seriously think we could survive this long if we were a pawn of ANY government?"


NATO Providing Cybersecurity Equipment to Ukraine

11.7.2017 securityweek BigBrothers

NATO Takes Steps to Bolster Ukrainian Cyber Security

Ukraine is an area of great geopolitical significance -- a sort of buffer zone between NATO and Russia -- that both sides seek to influence. Crimea aside, neither side wishes to be too overt with military intervention, and the result is tailor-made for modern cyber warfare.

What remains of Ukraine is politically west-leaning and NATO-cooperative. This places Russia in the position of antagonist; and while it should be said that there is little direct proof of Russia-led cyber warfare, there is equally little doubt in the minds of many security researchers.

Two examples immediately come to mind: the power disruptions over the Christmas period of 2015, and the more recent NotPetya ransomware outbreak. The latter started in Ukraine before spreading worldwide. It appears to have emanated from the Ukrainian accounting software M.E.Doc, but is now thought by some to be a wiper cyberweapon disguised as ransomware, “apparently launched by the same threat group that initiated numerous other attacks against the country’s power grid, mining and railway systems, and Ukrainian government organizations.”

NATO's official policy towards Ukraine is to bolster its independence.

"A sovereign, independent and stable Ukraine, firmly committed to democracy and the rule of law, is key to Euro-Atlantic security," it says. "Since 2014, in the wake of the Russia-Ukraine conflict, cooperation has been intensified in critical areas."

Cyber security is one of those critical areas. In December 2014, NATO established a Trust Fund designed "to provide Ukraine with the necessary support to develop its strictly defensive, CSIRT-type technical capabilities, including laboratories to investigate cyber security incidents."

By June 2016, eight nations had contributed a total of €965,000, plus in-kind contributions from Estonia and the USA. This week, the project appears to have moved to the next step at a joint briefing with NATO secretary general, Jens Stoltenberg, and Ukrainian president Petro Poroshenko in Kiev on Monday.

Ukrinform, the national news agency of Ukraine, reported Monday, "He [Stoltenberg] said that one of the areas where the alliance was paying more attention in its cooperation with Ukraine was the sector of cyber security. NATO is currently in the process of providing Ukraine with new equipment for some key government institutions and authorities, which will enable Ukraine to investigate who is behind certain cyber-attacks, because the response to them is extremely important, Stoltenberg said. And it should also help Ukraine protect its key government institutions from cyber-attacks, he added."

NotPetya is exactly the sort of cyber-attack that such defenses will need to prevent.


Russian Hacker Living in U.S. Sentenced to Prison

11.7.2017 securityweek BigBrothers

A Russian-born U.S. citizen has been sentenced to 110 months in prison for running a sophisticated cybercrime operation that involved botnets, stolen financial data and money laundering.

Alexander Tverdokhlebov, 29, has been living in Los Angeles. He emigrated from Russia in 2007 and later obtained U.S. citizenship.

According to U.S. authorities, Tverdokhlebov was an active member on several exclusive Russian-speaking cybercrime forums since at least 2008. He is said to have offered various services, including for laundering illegal proceeds.

The man also operated botnets that allowed cybercriminals to steal payment cards and other data. Investigators said Tverdokhlebov boasted about possessing 40,000 credit card numbers and controlling as many as half a million computers between 2009 and 2013.

The hacker sold the stolen card data to individuals who used it to make fraudulent purchases or withdrawals from the victims’ accounts. He is also said to have recruited Russian students visiting the U.S. to receive money from victims and then forward it to Tverdokhlebov and his accomplices.

Authorities believe Tverdokhlebov’s activities resulted in losses between $9.5 and $25 million. When he was arrested, investigators found $275,000 in cash distributed across several safety deposit boxes in Las Vegas and Los Angeles. They also seized Bitcoin and other assets valued at roughly $5 million.

Tverdokhlebov pleaded guilty to wire fraud in late March and he has now been sentenced to 110 months in prison and three years of supervised release, which includes the monitoring of his computer use.

Several Russian nationals have been charged or convicted recently for cybercrimes in the United States. Yevgeniy Aleksandrovich Nikulin has been charged for hacking into the systems of LinkedIn, Dropbox and Formspring and will be extradited from the Czech Republic, two Russian Federal Security Service (FSB) officers have been indicted over the 2014 Yahoo hack, and the author of the Citadel malware recently pleaded guilty.

A lengthy prison sentence was given recently to 32-year-old Roman Valeryevich Seleznev, convicted on 38 counts in relation to a point-of-sale (PoS) hacking scheme.


Template Injection Used in Attacks on U.S. Critical Infrastructure

10.7.2017 securityweek BigBrothers


Cisco Shares Technical Details on Attacks Targeting U.S. Energy Facilities

The recent attacks aimed at energy facilities and other critical infrastructure organizations in the United States have leveraged a technique called template injection, according to Cisco’s Talos intelligence and research group.

The New York Times and Bloomberg revealed last week that the FBI and the DHS had issued a joint report warning of cyberattacks targeting manufacturing plants, nuclear power stations and other energy facilities in the U.S. and elsewhere. Unnamed officials said the attacks hit at least a dozen power firms in the United States, including the Wolf Creek nuclear facility in Kansas.

The U.S. Department of Energy said it was working with affected firms and pointed out that only administrative and business networks appeared to be impacted, not systems controlling the energy infrastructure.

Wolf Creek representatives told SecurityWeek that while they can’t make public comments on security issues, they can confirm that the attacks did not have any operational impact on the facility as control systems are completely separate from the corporate network.

According to the FBI/DHS report, the campaign has been active since at least May and an initial investigation showed that the techniques used by the hackers were similar to ones associated with a Russia-linked threat actor tracked as Crouching Yeti, Energetic Bear and Dragonfly. The group has been known to target industrial companies.

Russia has also been accused of orchestrating destructive attacks aimed at Ukraine’s power grid. Researchers have recently published an in-depth analysis of the malware believed to have been used in the latest of these attacks.

The FBI/DHS alert said the attackers sent malicious emails to senior industrial control engineers in an effort to deliver malware designed to harvest credentials and allow them to access the targeted organization’s network.

“As a class, engineering professionals may reasonably be expected to possess valuable intellectual property such as product or facility design, and have access to industrial control networks,” said Sean McBride, critical infrastructure lead analyst at FireEye.

Related: Learn More at SecurityWeek’s ICS Cyber Security Conference

The hackers reportedly also leveraged watering holes and man-in-the-middle (MitM) attacks in this campaign. McBride told SecurityWeek that the campaign has also targeted the users of government websites in other parts of the world, and some of the weaponized documents had no obvious connection to the energy sector.

Cisco Talos researchers have been monitoring these attacks and analyzed some of the malicious Word documents used by the hackers to gain access to the targeted organization’s network. The company has observed attacks aimed at critical infrastructure firms around the world, but the primary targets appear to be the United States and Europe.

The malicious documents, disguised as resumes and environmental reports, do not rely on traditional methods such as VBA macros or other embedded scripts to deliver malware. Instead, the document is built so that when Word opens it, it fetches its template from an attacker-controlled SMB server.


In what is known as a template injection attack, the request for the remote template makes Windows authenticate to the attacker’s SMB server automatically, silently handing over the user’s NTLM credentials (a challenge-response hash that can be cracked offline or relayed). The same mechanism can deliver additional payloads in the fetched template, but the attackers’ SMB server was offline during Talos’ analysis, so the researchers could not determine what else may have been served.

Researchers have found a connection between the template injection used in this attack and an open source tool named Phishery. It’s unclear if the similarities are a coincidence, if the hackers behind the energy sector attacks modified the existing tool, or if they simply wanted to confuse investigators.
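The document-side indicator of this technique is a relationship entry inside the .docx package that points the attached template at an external UNC path or URL. The Python below is an added example for this page, not code from Talos, Phishery or the attackers: it opens a .docx (a ZIP of XML parts), reads the relationship parts where Word records the attached template and document links, and flags every external target that names a network host, while leaving a local file:///C:/... template (how Word records a normal attached template) alone. The sample document it builds in memory, the 203.0.113.10 address and the template file name are constructed for the demonstration.

```python
"""Flag remote template references inside a .docx package.

Added example for this page (not Talos, Phishery or attacker code). A .docx
is a ZIP of XML parts; Word records an attached template as a relationship
of type ".../relationships/attachedTemplate" in word/_rels/settings.xml.rels.
When that relationship is External and its Target names a network host, Word
fetches the template while opening the document, which is the template
injection described above. The sample document, host and file name below
are constructed for the demonstration.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import unquote, urlsplit
from xml.sax.saxutils import quoteattr

PKG_REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
# Relationship parts worth inspecting: the attached template lives in the
# settings part; remote OLE objects, images and links live in the document part.
RELS_PARTS = ("word/_rels/settings.xml.rels", "word/_rels/document.xml.rels")


def is_remote_target(target):
    """True for UNC paths and URLs with a network host; a local
    file:///C:/... template (how Word records Normal.dotm) is not remote."""
    t = target.strip()
    if t.startswith("\\\\") or t.startswith("//"):
        return True
    parts = urlsplit(t)
    if parts.scheme.lower() == "file":
        path = unquote(parts.path)
        return bool(parts.netloc) or path.startswith("//") or path.lstrip("/").startswith("\\\\")
    return bool(parts.scheme) and bool(parts.netloc)


def find_external_targets(docx_bytes):
    """Return sorted (part, relationship type, target) for every External
    relationship whose target is a network location."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        names = set(zf.namelist())
        for part in RELS_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for rel in root.iter(f"{{{PKG_REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") != "External":
                    continue
                target = rel.get("Target", "")
                if is_remote_target(target):
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append((part, rtype, target))
    return sorted(findings)


def is_template_injection(docx_bytes):
    """True when the attached template itself is fetched from the network."""
    return any(rtype == "attachedTemplate" for _, rtype, _ in find_external_targets(docx_bytes))


def build_sample_docx(template_target=None):
    """Construct a minimal .docx in memory. With template_target set, the
    settings relationships attach the template from that location, as an
    injected lure document would. (Constructed sample, not a real lure.)"""
    rels = f'<?xml version="1.0" encoding="UTF-8"?><Relationships xmlns="{PKG_REL_NS}">'
    if template_target is not None:
        rels += (f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                 f'Target={quoteattr(template_target)} TargetMode="External"/>')
    rels += "</Relationships>"
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", f'<?xml version="1.0"?><w:document xmlns:w="{w_ns}"><w:body/></w:document>')
        zf.writestr("word/settings.xml", f'<?xml version="1.0"?><w:settings xmlns:w="{w_ns}"/>')
        zf.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_docx(r"\\203.0.113.10\share\template.dotm")
    print(find_external_targets(lure))   # where the template is fetched from
    print(is_template_injection(lure))
```

To triage a real attachment, call find_external_targets(open(path, "rb").read()). An external attachedTemplate relationship is not malicious by itself (Word records a template attached from a corporate file share the same way), so the finding is an indicator, and the target host is what matters: an address outside the organization is the red flag. Blocking outbound SMB (TCP 445) at the perimeter removes the credential leak even when a user opens the document, but does nothing for an HTTP template target, which is why the check covers both.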

“We believe this campaign is likely designed to steal information enabling the attackers to gain future access to industrial control systems that run this critical infrastructure, rather than an espionage-type campaign designed to steal plans and other sensitive commercial information,” said Galina Antova, co-founder of Claroty, a cybersecurity company specialized in protecting industrial control systems.


Nato will respond with ‘conventional military assaults’ to future cyber attacks
10.7.2017 securityaffairs BigBrothers

NATO has warned that in the future any cyber attack against a member state could trigger a military response according to the mutual defence clause.
NATO has warned that a future cyber attack against a member state could trigger a military response under Article 5, the alliance’s mutual defence clause.

The NATO announcement follows the massive NotPetya ransomware-based attack that hit systems worldwide, most of them in Ukraine.

The malware hit systems in several industries, including banks, transport, telecommunications and energy. Among the hardest hit were Ukrtelecom, Dniproenergo, Ukrzaliznytsia, Kiev Boryspil Airport and the Cabinet of Ministers of Ukraine. The aircraft manufacturer Antonov was also reportedly hit.

According to NATO CCD COE, the recent massive attack based on NotPetya ransomware was powered by a “state actor.” The malware infected over 12,000 devices in around 65 countries, the malicious code hit major industries and critical infrastructure.

NATO

Experts from NATO CCD COE believe the attack was likely launched by a nation-state actor, or it was commissioned to a non-state actor by a state. The attackers were well funded and the attack they conducted was very complex and expensive.

The experts observed that, although the operation was complex, the attackers put little effort into managing payments, which suggests they were not financially motivated.

“The operation was not too complex, but still complex and expensive enough to have been prepared and executed by unaffiliated hackers for the sake of practice. Cyber criminals are not behind this either, as the method for collecting the ransom was so poorly designed that the ransom would probably not even cover the cost of the operation,” NATO’s Cooperative Cyber Defense Centre of Excellence (CCD COE), said in a press release on Friday.

This declaration could have serious consequences: such a cyber attack could be interpreted as an act of war and trigger a military response by the alliance under Article 5 of the North Atlantic Treaty, the principle of collective defense.

According to NATO secretary-general Jens Stoltenberg, NATO could respond to cyber attacks against member states with a conventional military strike.

Stoltenberg highlighted that NATO leaders have officially recognized cyberspace as the fifth domain of warfare, so the alliance could respond with conventional weapons to a sufficiently serious cyber attack.

“The attack in May and this week just underlines the importance of strengthening our cyber defences and that is what we are doing. We exercise more, we share best practices and technology, and we also work more and more closely with allies,” said Stoltenberg.

“Nato helps Ukraine with cyber defence and has established a trust fund to finance programs to help Ukraine improve its cyber defences. We will continue to do this and it is an important part of our cooperation,” he added.

Ukraine’s security service has launched an investigation to attribute the attack; local authorities believe a Russian APT was behind it, but at the time of writing they had not been able to attribute it to Russia.


FBI and DHS warn of targeted attacks on US Nuclear Facilities
10.7.2017 securityaffairs BigBrothers

Since May, APT actors have been penetrating the networks of US companies that operate nuclear facilities and work in the energy industry.
According to a joint report issued by the Department of Homeland Security and the FBI published last week, since May, hackers have been penetrating the networks of businesses that operate nuclear power stations, manufacturing plants and energy facilities in the United States and other countries.

The Wolf Creek Nuclear Operating Corporation, which runs a nuclear power plant near Burlington, Kansas, is one of the companies hit.


The news was disclosed by The New York Times that obtained the report, the attack was also confirmed by security experts involved in the incident response procedures.

The document doesn’t provide information related to the motivation of the attacks (sabotage or cyber espionage), it is not clear if attackers were able to fully compromise the target network and access the control systems of the facilities.

The activity appears to be reconnaissance of the target infrastructure, aimed at gathering information for future attacks.

“There is no indication of a threat to public safety, as any potential impact appears to be limited to administrative and business networks,” reads the joint statement from the FBI and the Department of Homeland Security.

“In most cases, the attacks targeted people — industrial control engineers who have direct access to systems that, if damaged, could lead to an explosion, fire or a spill of dangerous material, according to two people familiar with the attacks who could not be named because of confidentiality agreements.” states The New York Times.

The experts have no doubt that the attackers belong to an “advanced persistent threat” group linked to a foreign government.

The attackers’ TTPs mimicked those of APT groups that have targeted the energy industry in the past, such as the Russian Energetic Bear group.

The hackers launched spear phishing attacks against senior industrial control engineers with access to critical industrial control systems in the target plants. The phishing messages carried fake résumés for control engineering jobs: weaponized Microsoft Word documents used to steal the victims’ credentials and move laterally in the target networks.

The hackers also conducted watering hole attacks, compromising legitimate websites visited by the victims and using them to deliver malware.

The Department of Homeland Security considers cyberattacks on critical infrastructure “one of the most serious national security challenges we must confront.”


UK Police: Accessing the Darkweb could be a sign of terrorism
9.7.2017 securityaffairs BigBrothers

In a leaflet distributed by the UK authorities, the police tell citizens to be vigilant on anyone using the darkweb.
Terrorism in Europe has been widespread and severe recently. As a way of effectively dealing with

In a wake of recent terror attacks, London authorities are conducting various initiatives to fight the threat. The police arrested several suspects, but the most curious initiative is the distribution of leaflets with listings of suspicious activities that are to be interpreted by the authorities as a sign of potential terrorism.

“Be aware of what is going on around you—of anything that strikes you as different or unusual, or anyone that you feel is acting suspiciously—it could be someone you know or even someone or something you notice when you are out and about that doesn’t feel quite right,” reads the leaflet.


Online communities play a significant role in radicalization, for this reason, the police decided to distribute the leaflet.

The listings include “visiting the Darkweb”: the authorities fear that terrorists and sympathizers could use darknet sites for propaganda, to smuggle weapons and to raise funds.

The Dutch police have confirmed that the situation in their country is also worrisome: according to a national threat assessment report published on June 1, the trade in weapons on the darknet has increased.

According to the experts it is always easier to get a rifle than a pistol in the darkweb, law enforcement in the Netherlands seized hundreds of firearms in a few weeks.

According to European authorities, the Netherlands appears to be a hub in a network of international arms smugglers.

The use of the darknet is well known to law enforcement, and some governments have created dedicated units to infiltrate these communities and prevent abuses.

In August 2016, the German Government announced the creation of a new cyber security unit named ZITiS to tackle terrorists online in the wake of terror attacks.

In early 2016, Europol announced a new European Counter Terrorism Centre.

In November 2015, the GCHQ and NCA joined forces to fight illegal activities in the Dark Web and formed a new unit called the Joint Operations Cell (JOC).

In 2016, Bernard Cazeneuve, then France’s Interior Minister, told a National Assembly meeting that the darknet is abused by terrorist organizations for their activities.

“ISIL’s activities on the Surface Web are now being monitored closely, and the decision by a number of governments to take down or filter extremist content has forced the jihadists to look for new online safe havens.” She added that “The Dark Web is a perfect alternative as it is inaccessible to most but navigable for the initiated few – and it is completely anonymous.” reads a 2015 report published by Beatrice Berton on the use of the Darknet by ISIS.

Thomas Rid, Professor of Security Studies at King’s College London, explained that although more than 50 percent of what is hosted on the dark web is illegal, terrorists do not find anonymizing networks especially useful.

“Militants and extremists don’t seem to find the Tor hidden services infrastructure very useful. So there are few jihadist and militants in the Darknet. It’s used for criminal services, fraud, extreme, illegal pornography, cyber-attacks and computer crime.” said Rid.

Nonetheless, monitoring terrorist use of the dark web remains essential: anonymizing networks offer a privileged environment for extremists and cybercriminals alike.


GMR-2 issues allow satellite phone communications decryption in near real-time
9.7.2017 securityaffairs BigBrothers

Researchers have demonstrated an attack on the GMR-2 cipher that recovers the encryption key and decrypts satellite phone communications in fractions of a second.
Two Chinese security researchers have published an attack on weaknesses in the GMR-2 cipher, used in satellite phones, that recovers the 64-bit encryption key from a single frame of keystream in fractions of a second.

GMR-2 is a stream cipher with a 64-bit key used in some Inmarsat satellite phones.

Earlier work showed that GMR-2 can be broken with a single frame of known keystream, but those attacks were time-consuming. The researchers devised a technique that, for the first time, allows a real-time inversion attack using one frame of keystream.

“Then by introducing a new concept called “valid key chain” according to the cipher’s key schedule, we for the first time propose a real-time inversion attack using one frame keystream. This attack contains three phases: (1) table generation (2) dynamic table looks-up, filtration and combination (3) verification.” reads the research paper.

Satellite phones from the British satellite operator Inmarsat use the GMR-2 standard.

In 2012, a group of German researchers reverse engineered the GMR-1 and GMR-2 ciphers and demonstrated that both are weaker than established ciphers such as AES or PRESENT.

“With respect to the GMR-2 cipher, in a known-plaintext setting where approximately 50–65 bytes plaintext are known to the attacker, it is possible to recover a session key with a moderate computational complexity, allowing the attack to be easily performed with a current PC,” explained the German experts.


The Chinese duo detailed a new real-time inversion attack against GMR-2 that allows attackers to obtain a real-time decryption of satellite communications.

Unlike the earlier method, the new attack does not search for the key from known plaintext; instead, the researchers invert the encryption process so that the key is derived directly from one frame of output keystream.

“Our analysis shows that, using the proposed attack, the exhaustive search space for the 64-bit encryption key can be reduced to about 2^13 when one frame (15 bytes) keystream is available. Compared with previous known attacks, this inversion attack is much more efficient. Finally, the proposed attack is carried out on a 3.3GHz platform, and the experimental results demonstrate that the 64-bit encryption-key could be recovered in around 0.02s on average.” continues the paper.

The security of satellite communication is crucial, and the choice of strong algorithms is essential to avoid eavesdropping.

“Given that the confidentiality is a very crucial aspect in satellite communications, the encryption algorithms in the satellite phones should be strong enough to withstand various eavesdropping risks,” continues the analysis.

“Table 3 is the comparison between the known cryptanalytic results and ours, from which we can see that the inversion attack proposed in this paper possesses evident superiority compared with the dynamic guess-and-determine attack and the read-collision based attack. Given one frame (15 bytes) of keystream, one can break the GMR-2 cipher with only 0.02s on a 3.3GHz platform. This again demonstrates that there exist serious security flaws in the GMR-2 cipher, and it is crucial for service providers to upgrade the cryptographic modules of the system in order to provide confidential communication.”


Of course, satellite phone providers must upgrade their systems in order to protect communications.


CIA Tools for Stealing SSH Credentials Exposed by WikiLeaks

7.7.2017 securityweek  BigBrothers

WikiLeaks has published documents detailing BothanSpy and Gyrfalcon, tools allegedly used by the U.S. Central Intelligence Agency (CIA) to steal SSH credentials from Windows and Linux systems.

A document dated March 2015 describes BothanSpy as a tool that steals credentials for active SSH sessions from Xshell, an SSH, telnet, and rlogin terminal emulator for Windows.

Using a mode dubbed by its developers “Fire and Collect,” BothanSpy collects SSH credentials and sends them to the attacker’s server without writing any data to the compromised machine’s disk. If the mode “Fire and Forget” is used, the stolen credentials are written to a file on the disk.

The other tool, Gyrfalcon 2.0, described in a document dated November 2013, is designed to steal SSH credentials from the OpenSSH client on Linux platforms.

Gyrfalcon is a library loaded into the OpenSSH client process address space. It collects OpenSSH session traffic, including usernames and passwords, compresses and encrypts the data, and stores it in a file. A third-party application is required to exfiltrate the file.

The documentation for Gyrfalcon 2.0 informed users that they must have a thorough understanding of the Linux/UNIX command line interface, and they must know standard procedures for masking their activity within certain shells.
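Gyrfalcon is described above as a library loaded into the OpenSSH client’s address space. Whatever loader an implant uses, the foreign library has to appear in the client process’s memory map, which makes /proc/<pid>/maps the place to look on a suspect host. The Python below is an added example for this page, not code from the leaked documents or from OpenSSH: it parses the maps file of an ssh process and flags file-backed mappings that sit outside the system library and binary directories or whose backing file has been deleted, and it also checks the two standard preload mechanisms (the LD_PRELOAD/LD_AUDIT variables in /proc/<pid>/environ and /etc/ld.so.preload). The sample maps, environment and the path /dev/shm/.cache/libsession.so are constructed for the demonstration; the leaked documents do not say how Gyrfalcon is loaded, so the preload checks are an assumption about the common case.

```python
"""Look for a foreign shared library inside an OpenSSH client process.

Added example for this page (not from the leaked documents or OpenSSH).
It inspects the three artifacts a preloaded or injected library leaves on
a Linux host: the process memory map, the process environment and the
system-wide preload file. All sample data below is constructed.
"""

TRUSTED_PREFIXES = (
    "/lib", "/lib32", "/lib64",
    "/usr/lib", "/usr/lib32", "/usr/lib64", "/usr/libexec",
    "/bin", "/sbin", "/usr/bin", "/usr/sbin",
)
PRELOAD_VARS = ("LD_PRELOAD", "LD_AUDIT")

# Constructed /proc/<pid>/maps of an ssh client with an extra library mapped
# from /dev/shm (a tmpfs path no distribution package installs into).
SAMPLE_MAPS = """\
55d4a1c00000-55d4a1c3c000 r--p 00000000 fd:01 1311237  /usr/bin/ssh
55d4a1c3c000-55d4a1d0a000 r-xp 0003c000 fd:01 1311237  /usr/bin/ssh
7f1c2a000000-7f1c2a028000 r--p 00000000 fd:01 1051203  /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c2a028000-7f1c2a1bd000 r-xp 00028000 fd:01 1051203  /usr/lib/x86_64-linux-gnu/libc.so.6
7f1c2a400000-7f1c2a402000 r--p 00000000 00:19 2621449  /dev/shm/.cache/libsession.so
7f1c2a402000-7f1c2a405000 r-xp 00002000 00:19 2621449  /dev/shm/.cache/libsession.so
7f1c2a800000-7f1c2a82a000 r--p 00000000 fd:01 1051190  /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffd3e1f0000-7ffd3e211000 rw-p 00000000 00:00 0         [stack]
7ffd3e2ce000-7ffd3e2d0000 r-xp 00000000 00:00 0         [vdso]
"""
# Constructed /proc/<pid>/environ (NUL-separated) and /etc/ld.so.preload.
SAMPLE_ENVIRON = b"HOME=/home/eng\x00LD_PRELOAD=/dev/shm/.cache/libsession.so\x00PATH=/usr/bin:/bin\x00"
SAMPLE_PRELOAD = "# /etc/ld.so.preload is normally absent or empty\n"


def is_trusted_path(path):
    """True when the file lives under a directory that packages install into."""
    return any(path == p or path.startswith(p + "/") for p in TRUSTED_PREFIXES)


def untrusted_mappings(maps_text):
    """Return the file-backed mappings that are outside the trusted
    directories or whose backing file has been unlinked ('(deleted)')."""
    flagged = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)          # address perms offset dev inode [path]
        if len(fields) < 6:
            continue                          # anonymous mapping, no path
        path = fields[5].strip()
        if path.startswith("["):
            continue                          # [stack], [vdso], [heap] ...
        deleted = path.endswith(" (deleted)")
        real = path[: -len(" (deleted)")] if deleted else path
        if deleted or not is_trusted_path(real):
            flagged.add(path)
    return sorted(flagged)


def preload_variables(environ_bytes):
    """Return the dynamic-loader preload variables set in a process environment."""
    found = {}
    for entry in environ_bytes.split(b"\x00"):
        if not entry:
            continue
        name, _, value = entry.decode("utf-8", "replace").partition("=")
        if name in PRELOAD_VARS:
            found[name] = value
    return found


def preload_file_entries(preload_text):
    """Return the library paths listed in /etc/ld.so.preload (comments ignored)."""
    entries = []
    for line in preload_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            entries.extend(line.split())
    return entries


def check_ssh_client(maps_text, environ_bytes=b"", preload_text=""):
    """Combine the three checks for one ssh process."""
    return {
        "untrusted_mappings": untrusted_mappings(maps_text),
        "preload_env": preload_variables(environ_bytes),
        "preload_file": preload_file_entries(preload_text),
    }


if __name__ == "__main__":
    for key, value in check_ssh_client(SAMPLE_MAPS, SAMPLE_ENVIRON, SAMPLE_PRELOAD).items():
        print(f"{key}: {value}")
```

On a live system, read /proc/$(pidof ssh)/maps, /proc/<pid>/environ and /etc/ld.so.preload and pass their contents to check_ssh_client. A clean preload result does not clear the process: a library injected into an already running client (via ptrace, for instance) leaves nothing in the environment, which is why the mapping check is the one that matters, and any flagged file should be hashed and compared against the distribution’s package contents before it is dismissed.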

Over the past months, as part of a leak dubbed “Vault 7,” WikiLeaks has described several tools allegedly used by the CIA. The list includes tools designed for redirecting traffic on Linux systems (OutlawCountry), spreading malware on an organization’s network (Pandemic), locating people via their device’s Wi-Fi (Elsa), hacking routers and access points (Cherry Blossom), and accessing air-gapped networks (Brutal Kangaroo).

WikiLeaks has also exposed tools designed for replacing legitimate files with malware, hacking smart TVs, launching MitM attacks, making malware attribution and analysis more difficult, and creating custom malware installers.

Researchers have found links between the tools detailed by Wikileaks and the malware used by a cyber espionage actor named “Longhorn” and “The Lamberts.”


Wikileaks: BothanSpy and Gyrfalcon CIA Implants steal SSH Credentials from Windows and Linux OSs
7.7.2017 securityaffairs BigBrothers

WikiLeaks leaked documents detailing BothanSpy and Gyrfalcon CIA implants designed to steal SSH credentials from Windows and Linux OSs.
WikiLeaks has published a new batch of documents from the Vault 7 dump detailing two CIA implants allegedly used by the agency to intercept and exfiltrate SSH (Secure Shell) credentials from both Windows and Linux operating systems, using different attack vectors for each.

The first implant, codenamed BothanSpy, was developed to target the Xshell client on Microsoft Windows; the second, named Gyrfalcon, was designed to target the OpenSSH client on various Linux distros, including CentOS, Debian, RHEL (Red Hat), openSUSE and Ubuntu.

BothanSpy and Gyrfalcon are able to steal user credentials for all active SSH sessions and then send them back to CIA cyber spies.

BothanSpy is installed as a Shellterm 3.x extension on the target machine; it works only while Xshell is running on that machine with active sessions.

Xshell is a terminal emulator that supports SSH, SFTP, TELNET, RLOGIN and SERIAL, offering features such as a tabbed environment, dynamic port forwarding, custom key mapping, user-defined buttons, VB scripting, and a Unicode terminal for displaying 2-byte characters and international language support.

“BothanSpy only works if Xshell is running on the target, and it has active sessions. Otherwise, Xshell is not storing credential information in the location BothanSpy will search.” reads the user manual.

“In order to use BothanSpy against targets running an x64 version of Windows, the loader being used must support Wow64 injection. Xshell only comes as an x86 binary, and thus BothanSpy is only compiled as x86. Shellterm 3.0+ supports Wow64 injection, and Shellterm is highly recommended.”

The Gyrfalcon implant works on Linux systems (32- or 64-bit kernel); for persistent access, CIA hackers use a custom rootkit dubbed JQC/KitV.
The implant can collect full or partial OpenSSH session traffic and stores the stolen information in a local encrypted file for later exfiltration.

“Gyrfalcon is an SSH session “sharing” tool that operates on outbound OpenSSH sessions from the target host on which it is run. It can log SSH sessions (including login credentials), as well as execute commands on behalf of the legitimate user on the remote host.” reads the user manual of Gyrfalcon v1.0.

“The tool runs in an automated fashion. It is configured in advance, executed on the remote host and left running. Some time later, the operator returns and commands gyrfalcon to flush all of its collection to disk. The operator retrieves the collection file, decrypts it, and analyzes the collected data”

WikiLeaks also published the user guide for Gyrfalcon v2.0; this version of the implant is composed of two compiled binaries that the attackers upload to the target platform.

BothanSpy and Gyrfalcon

“The target platform must be running the Linux operating system with either 32- or 64-bit kernel and libraries. Gyrfalcon consists of two compiled binaries that should be uploaded to the target platform along with the encrypted configuration file.” continues the manual.

“Gyrfalcon does not provide any communication services between the local operator computer and target platform. The operator must use a third-party application to upload these three files to the target platform.”

Below is the list of releases published by WikiLeaks since March:

BothanSpy and Gyrfalcon – 06 July, 2017
OutlawCountry – 30 June, 2017
ELSA malware – 28 June, 2017
Cherry Blossom – 15 June, 2017
Pandemic – 1 June, 2017
Athena – 19 May, 2017
AfterMidnight – 12 May, 2017
Archimedes – 5 May, 2017
Scribbles – 28 April, 2017
Weeping Angel – 21 April, 2017
Hive – 14 April, 2017
Grasshopper – 7 April, 2017
Marble Framework – 31 March, 2017
Dark Matter – 23 March, 2017


Watch Out for Malware If You're Interested in North Korean Missile Program
6.7.2017 thehackernews BigBrothers

If you hold an interest in the North Korean missile program and are curious about the capabilities of the recently tested North Korean long-range missile, then you could be a target of a new malware campaign.
North Korea claims to have conducted the first test of an intercontinental ballistic missile (ICBM), the Hwasong-14, on 3rd July, and US officials believe the country may have fired a brand-new missile that has not been seen before.
Now, just a day after the test launch, hackers have started exploiting the news to target people interested in the North Korean missile arsenal, which has progressed over the decades from crude artillery rockets to testing what the country claims are long-range missiles capable of striking targets in the United States.
Security researchers at Talos Intelligence have discovered a new malware campaign that started on 4th July to target victims with KONNI, a previously unknown Remote Access Trojan (RAT) that has been in use for over three years.
The KONNI malware is a Remote Access Trojan designed to steal files, record keystrokes, perform screenshots, get the system information, including hostname, IP address, username, OS version and installed software, as well as execute malicious code on the infected computer.
How Does the KONNI Malware Work?
The hackers use an email attachment as the initial infection vector, delivering the Trojan through an executable file which, when opened, displays an MS Office document disguised as an article about the test missile launch.

In fact, the content of the document is copied from an article published on July 3rd by South Korea's Yonhap News Agency.
In reality, the malicious executable drops two different versions of KONNI: event.dll and errorevent.dll.
On 64-bit versions of Windows, both binaries are dropped, while just errorevent.dll is dropped on 32-bit versions of Windows.
The dropped malware is then immediately executed to "ensure that the malware persists and is executed on rebooting the compromised system," the researchers say.
C&C Server Disguises as a Legitimate Climbing Club Website
The malware uses a new Command and Control server hosted on a website disguised as a legitimate climbing club, but the site does not actually contain any real text, only the default text of the CMS (Content Management System).
The C&C traffic of the malware also takes place as "HTTP post requests to web pages hosted as /weget/download.php, /weget/uploadtm.php or /weget/upload.php on the domain itself."
In addition, the website contains a contact section with an address in the USA, but the map below the address points to a location in Seoul, South Korea.
"The threat actors associated with KONNI typically use decoy documents relating to North Korea, and this campaign is no exception. However, in contrast to the convincing decoy document lifted from a third party, the content of the decoy website hosted on the CnC server does not look legitimate," the researchers concluded.
"Nevertheless, this threat actor continues to remain active and continues to develop updated versions of their malware. Organizations which may have an interest in the contents of this decoy document and that used in previous campaigns should ensure that they are adequately protected against this and subsequent campaigns."
So, my advice to users who want to remain protected from such malware is to always be suspicious of unsolicited documents sent over email and never click on links inside those documents without verifying the source.
Additionally, keep your systems and antivirus updated to protect against the latest threats.
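The C&C channel described above (HTTP POST requests to /weget/download.php, /weget/uploadtm.php or /weget/upload.php) is something a defender can hunt for in proxy logs. The following scanner is an added example, not Talos code; the simplified log layout, the client addresses and the .invalid domain in the sample lines are all constructed.

```python
"""Flag KONNI-style C&C traffic in web proxy logs (added example, not Talos code).

The page describes the C&C channel as HTTP POST requests to /weget/download.php,
/weget/uploadtm.php or /weget/upload.php on the C&C domain. This scanner parses
proxy log lines in a simplified Squid-like layout and groups matching requests
per client so an analyst can see which hosts are beaconing and how often.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# URI paths named in the Talos write-up quoted on the page.
KONNI_PATHS = frozenset({"/weget/download.php", "/weget/uploadtm.php", "/weget/upload.php"})

# Assumed, simplified log layout: "<epoch> <client_ip> <method> <url> <status>".
# A real Squid access.log has more fields; adapt LINE_RE to your format.
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})$"
)

# Constructed sample lines; the domains use the reserved .invalid TLD.
SAMPLE_LOG = """\
1499126400.123 10.0.0.12 POST http://climbing-club.invalid/weget/upload.php 200
1499126401.456 10.0.0.12 GET http://climbing-club.invalid/index.php 200
1499126402.789 10.0.0.33 POST http://climbing-club.invalid/weget/download.php 200
1499126403.001 10.0.0.44 GET http://news-site.invalid/article.html 200
1499126404.002 10.0.0.12 POST http://climbing-club.invalid/weget/uploadtm.php?id=7 200
1499126405.003 10.0.0.55 GET http://climbing-club.invalid/weget/upload.php 404
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_konni_beacon(method, url):
    """True when the request is a POST to one of the known KONNI C&C paths.

    The query string is ignored and the path is compared case-insensitively,
    so /weget/uploadtm.php?id=7 still matches while a plain GET does not.
    """
    path = urlsplit(url).path.lower()
    return method == "POST" and path in KONNI_PATHS


def scan_log(text):
    """Group matching requests per client: {client_ip: [(ts, host, path), ...]}."""
    hits = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparsable line: skip it rather than abort the whole scan
        if is_konni_beacon(rec["method"], rec["url"]):
            parts = urlsplit(rec["url"])
            hits[rec["client"]].append((rec["ts"], parts.hostname, parts.path))
    return dict(hits)


if __name__ == "__main__":
    for client, events in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{client}: {len(events)} KONNI-style POST(s)")
        for ts, host, path in events:
            print(f"  {ts} {host}{path}")
```

Running the script on the sample reports two beaconing clients (10.0.0.12 with two check-ins, 10.0.0.33 with one); the GET requests and the malformed line are ignored.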


Understanding Geopolitics Key to Analyzing Cyber Espionage: German Intelligence Service

5.7.2017 securityweek BigBrothers

Understanding geopolitics is key to understanding the perpetrators and victims of cyber espionage. This is one of the key messages from the German federal domestic intelligence service (BfV) 2016 annual report (summary PDF).

"Germany," it notes, "is of interest in its role as a geopolitical player, as a member of NATO and the EU and on account of its economic strength and innovative businesses." For slightly different reasons, this makes Germany a nation of interest to the three primary cyber adversaries, Russia, China, and Iran.

Its relatively open attitude to immigration adds to the list of adversaries. "Oppositional groups in Germany from foreign intelligence services' home countries are another target of espionage activities," it adds.

Russia, suggests the BfV, advocates a multipolar world -- but is suffering economically from the EU's economic sanctions imposed over the Crimea/Ukraine crisis. A key driver in Russian foreign policy is to induce the West to lift these sanctions. "Obtaining advance information about the positions of the Federal Government and opposition parties increases Russia's leverage in negotiations and creates opportunities for counter-measures."

This has led the Russian intelligence services to focus in Europe on the strained relationship between the EU and Turkey, the EU post-Brexit, and the European policy on security and defense -- as well as keeping a close eye on Europe's position over Russia's military intervention in Iraq.

For example, the Russia-linked Sandworm malware has actively targeted government sites, the NATO military alliance, utilities and telecommunications firms in recent years.

Propaganda and disinformation are also key methods used by Russia. "Tools," says the BfV, "include social networks, the microblogging service Twitter, government-funded and private institutes and Russian state media. TV, radio and online channels worldwide are used for propaganda and disinformation campaigns." Internet trolls are used extensively to influence public opinion and push pro-Russian views.

APT 28 (Fancy Bear) has continued its activity against German political parties, and the BfV assumes that Russian state agencies are trying to influence parties, politicians and public opinion, with a particular eye to the 2017 parliamentary election.

Chinese activities, suggests the BfV, are guided by three key policies: territorial integrity and protecting the communist party's hegemony; expanding China's geopolitical and military power; and modernizing the economy. "For this reason," it says, "the intelligence services' activities abroad are primarily focused on gathering intelligence about political decision-making processes, on obtaining technological know-how and on the opposition to the system."

The importance of the Chinese intelligence services has grown since Xi Jinping came to power in 2013, and has shifted towards political espionage. "They are now trying to obtain more information about supranational entities such as the EU and about international conferences such as the G20 Summit. Moreover, the country is very interested in policy positions on China, e.g. recognition as a market economy or territorial disputes in the region of the South China Sea."

In Germany, the focus of attention is on industry, research, technology and modern weapons technology. China also monitors attitudes of and towards what it calls the 'Five Poisons': the ethnic minorities of the Uyghurs and Tibetans seeking autonomy, the anti-regime Falun Gong movement, the democracy movement, and proponents of sovereignty for the island of Taiwan.

China, warns the BfV, uses LinkedIn and Facebook "to recruit informants on a large scale. Their approach is almost always the same: Ostensible researchers, recruiters and headhunters contact persons with promising profiles and try to lure them with attractive opportunities. Finally, they invite these persons to China where they are approached by the intelligence services."

The primary motivation for the Iranian intelligence services is to spy on and suppress opposition movements at home and abroad. In Germany, there is a focus on (pro-) Jewish and Israeli targets. Interestingly, however, the BfV has found less evidence of Iranian attempts to acquire proliferation-sensitive material for its nuclear program since the Joint Comprehensive Plan of Action was agreed. At the same time, attempts to obtain material for its missile program (not covered by the nuclear agreement) have remained constant.

In all of these activities, the importance of cyber as opposed to physical espionage has grown. "However, cyber-attacks may be used not only for espionage but also for sabotage purposes. This is a threat in particular with regard to critical infrastructures."

The BfV also warns that cyber activity hasn't completely replaced physical espionage. "Instead, both forms of espionage complement each other, thus producing an increased threat potential. The potential targets of espionage activities therefore need to safeguard their protected property both against attempted attacks from outside and against disloyal employees in their own organizations ('insider attacks') who are recruited, blackmailed or even specifically infiltrated into the organization by foreign intelligence services."

Protecting the private sector from economic espionage and sabotage is, says the BfV, the joint responsibility of government and industry. On 26 April 2016, the BfV, other authorities and industry associations launched the Economic Security Initiative (Initiative Wirtschaftsschutz). Coordinated by the Federal Ministry of the Interior, it lets stakeholders jointly develop and implement measures to improve economic security.


China Shuts Down Popular VPN Services to Make Great Firewall Stronger
4.7.2017 thehackernews  BigBrothers
Online privacy has been one of the biggest challenges in today's interconnected world, as governments across the world have been found censoring the Internet, stealing information and conducting mass surveillance on innocent people.
China is one such nation; it has always wanted a tight hold on its citizens and has long been known for its strict Internet censorship laws enforced through the Great Firewall of China.
The Great Firewall of China is the nation's Golden Shield project that employs a variety of tricks to censor Internet and block access to various foreign news and social media sites, including Google, Facebook, Twitter, Tumblr, Dropbox, and The Pirate Bay.
So, in order to thwart these restrictions and access blocked websites, hundreds of millions of Chinese citizens rely on virtual private networks (VPNs) which route their traffic to servers overseas free of the Great Firewall filters, but this may not be an option soon.
For those unfamiliar, a Virtual Private Network (VPN) securely routes your Internet traffic through a distant connection, protecting your browsing, hiding your location data and giving access to restricted resources.
GreenVPN, one of the most popular VPN services in China, notified its customers on Monday that the company would stop its VPN service from July 1st, following orders by "regulatory departments" to cease its operation, Bloomberg reported.
However, not just GreenVPN, some users also stated that they were unable to use SuperVPN, another popular VPN service on their smartphones over the weekend, although it is unclear whether the service was down to a glitch or the government restrictions.
This restriction could be part of new rules announced by China's Ministry of Industry and Information Technology at the beginning of this year, which make it illegal to use or operate local VPNs without government approval.
According to the ministry, "all special cable and VPN services on the mainland needed to obtain prior government approval—a move making most VPN service providers in the country of 730 million Internet users illegal."
This crackdown on VPN services has been designed to "strengthen cyberspace information security management," as said by the Chinese ministry.
The crackdown is just one of several priorities for controlling online content in China.


'OutlawCountry' Tool Used by CIA to Target Linux Systems

3.7.2017 securityweek BigBrothers

One of the tools used by the U.S. Central Intelligence Agency (CIA) to target Linux systems is named OutlawCountry, according to documents published by WikiLeaks.

OutlawCountry is described by its developers as a tool that uses a kernel module to create a hidden netfilter table on the targeted Linux system. The operator can then use this table to create new firewall rules with iptables commands and these rules will take precedence over existing ones. The rules can be used to redirect traffic from the infected machine to one controlled by the attacker.

OutlawCountry documentation dated June 2015 states that the tool’s user needs to have shell access and root privileges to the targeted machine. As for hiding on the infected system, the new rules created by the malware are only visible to an administrator who knows the name of the table, and the table is removed if the kernel module is deleted by the operator.

Since the documentation specifically names CentOS and Red Hat Enterprise Linux as the operating systems on which the tool works, Red Hat has published an advisory for users who may be concerned about the impact of OutlawCountry.

The organization is still analyzing the available information, and in the meantime it has advised users to look for the existence of a file named nf_table_6_64.ko and the presence of a hidden table called dpxvke8h18 in the iptable rules. Users can check for the presence of the kernel module with the following lsmod command: lsmod | grep nf_table.

Last month, WikiLeaks published documents detailing tools allegedly used by the CIA to spread malware on a targeted organization’s network (Pandemic), locate users via Wi-Fi (Elsa), hack routers and access points (Cherry Blossom), and hack air-gapped networks using USB drives (Brutal Kangaroo).

WikiLeaks has also detailed tools designed for replacing legitimate files with malware, hacking Samsung smart TVs and routers, MitM tools, a framework used to make malware attribution and analysis more difficult, and a platform for creating custom malware installers.

Security firms have found links between the tools exposed by Wikileaks and the malware used by a cyber espionage group tracked as “Longhorn” and “The Lamberts.”


Telegram agrees to register in Russia, but it will not share private data
3.7.2017 securityaffairs BigBrothers

Telegram agrees to register with the Russian authorities to avoid a local ban, but the battle is still ongoing because it won’t share user data.
The Russian Government had threatened to ban Telegram because it refused to comply with data protection laws.

“There is one demand, and it is simple: to fill in a form with information on the company that controls Telegram,” said Alexander Zharov, head of Roskomnadzor.

“And to officially send it to Roskomnadzor to include this data in the registry of organizers of dissemination of information. In case of refusal… Telegram shall be blocked in Russia until we receive the needed information.”

The Russian Personal Data Law has been in force since September 1st, 2015; it requires foreign tech companies to store the personal data of Russian citizens within the country. The law was designed to protect Russian citizens from the surveillance activities of foreign agencies such as the NSA.

Telegram

Since January 1, the new Russian Data Protection Laws require foreign tech companies to store the past six months of Russians’ personal data, along with encryption keys, within the country. The companies are obliged to provide access to the retained data if requested by the authorities.

According to the FSB, the Russian intelligence agency, the terrorists who killed 15 people in Saint Petersburg in April were communicating through the Telegram encrypted messaging service.

The Russian intelligence asked Telegram to share users’ chats and crypto keys on demand to allow government investigations on terrorists abusing the instant messaging app as a communication channel.

The use of the popular encrypted messaging app is widespread among the militants of the terrorist organization in Russia and abroad; the use of Telegram has eclipsed the use of other social media platforms, including Twitter.

Now the company has agreed to register under the new Russian Data Protection Laws, but its founder Pavel Durov clarified that his company doesn’t intend to share users’ confidential data with the Russian authorities. Telegram won’t store citizens’ information on servers located in Russia.

On 28 June, Marat Saytakov (@m4rr) asked Durov on Twitter: “@durov Is it true? ‘Once on the list, Telegram would have to store information about its users on Russian servers’”

Pavel Durov (@durov) replied: “@m4rr No, we won't ever comply with these laws, we only provided public data for registration. Full statement: https://vk.com/wall1_1854483”

The linked VK post begins (translated from Russian): “The head of Roskomnadzor has disavowed any wish to gain access to Telegram users’ private correspondence and stated that all he expects from us in order to comply with the law is to provide information about...”
Roskomnadzor announced on Wednesday that the company had finally met all the requirements.

Durov highlighted that Telegram takes care of the privacy of its users; the company will only share basic information, as the founder explained in a message published on VK.com.

“We will not comply with unconstitutional and technically impossible Yarovaya Package laws—as well as with other laws incompatible with the protection of privacy and Telegram’s privacy policy,” Durov said.


NATO attributed the massive NotPetya attack to a ‘state actor’ and call for a joint investigation
2.7.2017 securityaffairs BigBrothers

NATO has attributed the massive NotPetya attack to a ‘state actor’; NotPetya and WannaCry call for a joint response from the international community.
According to NATO, the recent massive attack based on the NotPetya ransomware was powered by a “state actor.” The malware infected over 12,000 devices in around 65 countries; the malicious code hit major industries and critical infrastructure.

Recently, analysis conducted by various groups of experts confirmed that NotPetya was designed to look like ransomware but was in fact wiper malware built for sabotage.

The attackers might have used a diversionary strategy to hide a state-sponsored attack on Ukrainian critical infrastructure.

Experts from NATO believe the attack was likely launched by a nation-state actor, or commissioned from a non-state actor by a state. The attackers were well funded, and the attack they conducted was very complex and expensive.
The experts observed that although the operation was complex, the attackers did not spend much effort on managing the payments, a circumstance that suggests the hackers were not financially motivated.

“The operation was not too complex, but still complex and expensive enough to have been prepared and executed by unaffiliated hackers for the sake of practice. Cyber criminals are not behind this either, as the method for collecting the ransom was so poorly designed that the ransom would probably not even cover the cost of the operation,” NATO’s Cooperative Cyber Defense Centre of Excellence (CCD COE), said in a press release on Friday.
This declaration could have serious consequences: the cyber attack could be interpreted as an act of war and trigger a military response by the alliance under Article 5 of the North Atlantic Treaty, the principle of collective defense.
“The global outbreak of NotPetya malware on 27 June 2017 hitting multiple organisations in Ukraine, Europe, US and possibly Russia can most likely be attributed to a state actor, concluded a group of NATO CCD COE researchers Bernhards Blumbergs, Tomáš Minárik, LTC Kris van der Meij and Lauri Lindström. Analysis of both recent large-scale campaigns WannaCry and NotPetya raises questions about possible response options of affected states and the international community.” wrote Tomáš Minárik, researcher at NATO’s CCD COE law branch.
“As important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty. Consequently, this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures,”
Although the WannaCry and NotPetya attacks present many similarities, according to the NATO researchers they were conducted by different threat actors.
“As the extortion of money seems to be just a negligently prepared cover according to various news then the question about the motivation behind NotPetya attack should be looked from other perspectives. Even though the same vulnerability was used by WannaCry, the actors behind these two similar attacks are likely not the same. In both cases a possible financial gain for attackers has been more than modest. However, an effect was achieved, a large-scale successful disruptive attack almost globally, is almost identical in both cases. ” continues the NATO release.
“NotPetya is a sign that after WannaCry, yet another actor has exploited vulnerability exposed by the Shadow Brokers. Furthermore, it seems likely that the more sophisticated and expensive NotPetya campaign is a declaration of power – demonstration of the acquired disruptive capability and readiness to use it,” concluded Lauri Lindström, researcher at NATO CCD COE Strategy Branch.

Gavin O’Gorman, an investigator with Symantec Security Response, offered a couple of hypotheses about the motive behind the attack.
The first is that the attack was carried out by technologically capable criminals with poor operational abilities: the attackers used a single Bitcoin wallet and a single email account for contact.
The second theory is that the real motivation behind the attack is sabotage on a large scale.

“Perhaps this attack was never intended to make money, rather to simply disrupt a large number of Ukrainian organizations. Launching an attack that would wipe victim hard drives would achieve the same effect, however, that would be an overtly aggressive action,” O’Gorman wrote in a blog post.

“Effectively wiping hard drives through the pretense of ransomware confuses the issue, leaving victims and investigators to ask: ‘Are the attackers politically motivated, or criminally motivated?'”

WannaCry and NotPetya raise again the question about the possible response options of the international community and the necessity of norms of state behavior in the cyber space.

Both issues were discussed at the recent G7 Summit in Italy; together with my colleagues in the G7 cyber group, we proposed a set of norms of state behavior to address these problems. The result was a set of voluntary, non-binding norms of state behavior during peacetime, the G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE.

NATO calls for a special joint investigation to attribute the attack to a specific actor and prosecute it.

“WannaCry and NotPetya raise again the question about the possible response options of the international community. The number of affected countries shows that attackers are not intimidated by a possible global level investigation in response to their attacks. This might be an opportunity for victim nations to demonstrate the contrary by launching a special joint investigation.” concludes the press release.


Wikileaks – CIA developed OutlawCountry Malware to hack Linux systems
1.7.2017 securityaffairs BigBrothers

WikiLeaks released a new batch of documents that detail the CIA tool OutlawCountry used to remotely spy on computers running Linux operating systems.
WikiLeaks has released a new batch of documents from the Vault 7 leak that details a CIA tool, dubbed OutlawCountry, used by the agency to remotely spy on computers running Linux operating systems.
According to the documentation leaked by WikiLeaks, the OutlawCountry tool was designed to redirect all outbound network traffic on the targeted computer to CIA-controlled systems in order to exfiltrate and infiltrate data.

The OutlawCountry Linux hacking tool consists of a kernel module for Linux 2.6 that CIA hackers load via shell access to the targeted system.

The principal limitation of the tool is that its kernel module only works with compatible Linux kernels. Below is the list of prerequisites included in the documentation:

(S//NF) The target must be running a compatible 64-bit version of CentOS/RHEL 6.x (kernel version 2.6.32).
(S//NF) The Operator must have shell access to the target.
(S//NF) The target must have a “nat” netfilter table.

The module allows the creation of a hidden netfilter table with an obscure name on the targeted Linux system.

“The OutlawCountry tool consists of a kernel module for Linux 2.6. The Operator loads the module via shell access to the target. When loaded, the module creates a new netfilter table with an obscure name. The new table allows certain rules to be created using the “iptables” command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known.” reads the OutlawCountry User Manual. “When the Operator removes the kernel module, the new table is also removed.”

In the following diagram, the CIA operator loads OutlawCountry on the target (TARG_1), then he may add hidden iptables rules to modify network traffic between the WEST and EAST networks. For example, packets that should be routed from WEST_2 to EAST_3 may be redirected to EAST_4.

The manual does not describe how the attacker loads the kernel module onto the targeted Linux system. It is likely that the cyber spies leverage the multiple hacking tools and exploits in their arsenal to compromise the target running the Linux operating system.
OutlawCountry contains just one kernel module, built for 64-bit CentOS/RHEL 6.x, which works only with default kernels.
“(S//NF) OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x. This module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain.” continues the manual leaked by WikiLeaks.
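The covert table described in the manual here is the same one the Red Hat advisory quoted earlier on this page tells administrators to look for (module file nf_table_6_64.ko, table name dpxvke8h18, `lsmod | grep nf_table`). The script below, an added example that is neither Red Hat's nor the leaked tool's code, turns those three indicators into checks; the search roots for the .ko file and the error-message matching are assumptions.

```python
"""Check a Linux host for the OutlawCountry indicators from the Red Hat advisory
(added example; not Red Hat's or the leaked manual's code).

Indicators from the page: a loaded kernel module named like nf_table_6_64 (what
`lsmod | grep nf_table` finds), the module file nf_table_6_64.ko on disk, and a
hidden netfilter table dpxvke8h18 that iptables only shows when asked by name.
The pure functions take text or path lists so they can be exercised offline;
the collectors at the bottom read the live system.
"""
import os
import subprocess

MODULE_FILE = "nf_table_6_64.ko"
HIDDEN_TABLE = "dpxvke8h18"
# Match the advisory's "nf_table" but require the trailing underscore so the
# legitimate nf_tables / nf_tables_* modules of modern kernels are not flagged.
MODULE_PREFIX = "nf_table_"
# Assumed search roots for the .ko file; adjust for your environment.
SEARCH_ROOTS = ("/lib/modules", "/tmp", "/var/tmp", "/dev/shm", "/root")


def suspicious_modules(proc_modules_text):
    """Names in /proc/modules text (lsmod's data source) that match the prefix."""
    names = []
    for line in proc_modules_text.splitlines():
        fields = line.split()
        if fields and fields[0].startswith(MODULE_PREFIX):
            names.append(fields[0])
    return names


def matching_module_files(paths, filename=MODULE_FILE):
    """Filter a list of file paths down to those whose basename is filename."""
    return [p for p in paths if os.path.basename(p) == filename]


def hidden_table_verdict(returncode, stderr):
    """Interpret an `iptables -t <name> -L -n` result.

    iptables exits 0 only if the table could be opened; a missing table gives a
    non-zero exit and a 'Table does not exist' style message. Anything else
    (not root, iptables-nft wording) is reported as unknown rather than guessed.
    """
    if returncode == 0:
        return "present"
    if "exist" in stderr.lower():
        return "absent"
    return "unknown"


def loaded_modules():
    """Read the live module list; returns [] if /proc/modules is unreadable."""
    try:
        with open("/proc/modules", encoding="utf-8") as fh:
            return suspicious_modules(fh.read())
    except OSError:
        return []


def module_files_on_disk(roots=SEARCH_ROOTS):
    """Walk the search roots and return every path to the module file."""
    paths = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            paths.extend(os.path.join(dirpath, f) for f in files)
    return matching_module_files(paths)


def hidden_table_status(table=HIDDEN_TABLE):
    """Query iptables for the hidden table by name (needs root to be conclusive)."""
    try:
        proc = subprocess.run(["iptables", "-t", table, "-L", "-n"],
                              capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return "unknown"  # iptables binary not installed
    return hidden_table_verdict(proc.returncode, proc.stderr)


if __name__ == "__main__":
    print("loaded nf_table_* modules:", loaded_modules() or "none")
    print("module files found:", module_files_on_disk() or "none")
    print(f"hidden table {HIDDEN_TABLE}:", hidden_table_status())
```

Run it as root on the host to check; an "unknown" verdict for the table means the query itself could not be evaluated, not that the table is absent.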
A few days ago WikiLeaks has published a document detailing a tool allegedly used by the U.S. CIA to track people’s locations via their WiFi-enabled devices.

The malware, codenamed Elsa, implements a geolocation feature: it scans visible WiFi access points and records their details, such as the ESS identifier, MAC address and signal strength, at regular intervals.

Below is the list of releases published by WikiLeaks since March:

OutlawCountry – 30 June, 2017
ELSA malware – 28 June, 2017
Cherry Blossom – 15 June, 2017
Pandemic – 1 June, 2017
Athena – 19 May, 2017
AfterMidnight – 12 May, 2017
Archimedes – 5 May, 2017
Scribbles – 28 April, 2017
Weeping Angel – 21 April, 2017
Hive – 14 April, 2017
Grasshopper – 7 April, 2017
Marble Framework – 31 March, 2017
Dark Matter – 23 March, 2017


Wikileaks Reveals CIA Malware that Hacks & Spy On Linux Computers
1.7.2017 thehackernews  BigBrothers
WikiLeaks has just published a new batch of the ongoing Vault 7 leak, this time detailing an alleged CIA project that allowed the agency to hack and remotely spy on computers running the Linux operating system.
Dubbed OutlawCountry, the project allows the CIA hackers to redirect all outbound network traffic on the targeted computer to CIA-controlled computer systems to exfiltrate and infiltrate data.
The OutlawCountry Linux hacking tool consists of a kernel module, which the CIA hackers load via shell access to the targeted system; it creates a hidden Netfilter table with an obscure name on the target Linux host.
"The new table allows certain rules to be created using the "iptables" command. These rules take precedence over existing rules, and are only visible to an administrator if the table name is known. When the Operator removes the kernel module, the new table is also removed," CIA's leaked user manual reads.
Although the installation and persistence method of the OutlawCountry tool is not described in detail in the document, it seems like the CIA hackers rely on the available CIA exploits and backdoors to inject the kernel module into a targeted Linux operating system.
However, there are some limitations to using the tool, such as the fact that the kernel module only works with compatible Linux kernels.
"OutlawCountry v1.0 contains one kernel module for 64-bit CentOS/RHEL 6.x; this module will only work with default kernels. Also, OutlawCountry v1.0 only supports adding covert DNAT rules to the PREROUTING chain," WikiLeaks says.
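The manual's own description gives a defender the handle it needs: a netfilter table has to be registered with the kernel, and a module has to be loaded, and both facts are recorded in /proc regardless of how obscure the table name is. The following is an added example, not code from the leaked manual or from any project; it compares the contents of /proc/net/ip_tables_names and /proc/modules against a recorded baseline. The sample file contents, the module name zz_hidden_mod and the table name zz_hidden_table are constructed placeholders, and the check assumes the module does not also hide itself from those files (the manual describes no such hiding).

```python
"""Baseline check for netfilter tables and kernel modules that should not be there.

Added example, not code from the leaked manual or from any project. The
manual says the OutlawCountry module registers a netfilter table under an
obscure name and that its rules are only listed by `iptables -t <name>` when
the name is known. The kernel nevertheless records every registered IPv4
xtables table in /proc/net/ip_tables_names and every loaded module in
/proc/modules, so comparing both against a baseline surfaces the table and
the module without knowing the obscure name. Assumption: the module does not
also hide itself from these files (the manual describes no such hiding).
"""
from __future__ import annotations

# Tables provided by the stock iptable_* modules on a CentOS/RHEL 6.x kernel.
KNOWN_IPV4_TABLES = frozenset({"filter", "nat", "mangle", "raw", "security"})

# Constructed sample contents standing in for the two /proc files on a host
# where a placeholder module zz_hidden_mod has registered zz_hidden_table.
SAMPLE_TABLES = "nat\nfilter\nzz_hidden_table\n"
SAMPLE_MODULES = """\
iptable_nat 12345 1 - Live 0xffffffffa0000000
nf_nat 23456 2 iptable_nat,zz_hidden_mod, Live 0xffffffffa0010000
ip_tables 27473 2 iptable_nat,zz_hidden_mod, Live 0xffffffffa0020000
x_tables 34567 3 ip_tables,iptable_nat,zz_hidden_mod, Live 0xffffffffa0030000
zz_hidden_mod 8192 0 - Live 0xffffffffa0040000 (OE)
"""
# Module baseline recorded from the same host at a known-good time (constructed).
BASELINE_MODULES = frozenset({"iptable_nat", "nf_nat", "ip_tables", "x_tables"})


def unexpected_tables(proc_text: str, known=KNOWN_IPV4_TABLES) -> list[str]:
    """Table names in /proc/net/ip_tables_names content that are not in the baseline."""
    names = {line.strip() for line in proc_text.splitlines() if line.strip()}
    return sorted(names - set(known))


def parse_proc_modules(text: str) -> dict[str, list[str]]:
    """Map module name -> modules that use it (4th column of /proc/modules, '-' if none)."""
    users: dict[str, list[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        name, used_by = parts[0], parts[3]
        users[name] = [] if used_by == "-" else [u for u in used_by.split(",") if u]
    return users


def unexpected_modules(proc_text: str, baseline=BASELINE_MODULES) -> list[str]:
    """Loaded modules that were not in the recorded baseline."""
    return sorted(set(parse_proc_modules(proc_text)) - set(baseline))


def netfilter_users_outside_baseline(proc_text: str, baseline=BASELINE_MODULES) -> list[str]:
    """Non-baseline modules that hook the packet filter: any module registering a
    table references ip_tables/x_tables, so it shows up in their 'used by' lists."""
    users = parse_proc_modules(proc_text)
    hooking = set(users.get("ip_tables", [])) | set(users.get("x_tables", []))
    return sorted(hooking - set(baseline))


def audit(tables_text: str, modules_text: str, baseline=BASELINE_MODULES) -> dict[str, list[str]]:
    """Run all three comparisons over file contents and return the findings."""
    return {
        "unexpected_tables": unexpected_tables(tables_text),
        "unexpected_modules": unexpected_modules(modules_text, baseline),
        "netfilter_users_outside_baseline": netfilter_users_outside_baseline(modules_text, baseline),
    }


def audit_live_host(baseline=BASELINE_MODULES) -> dict[str, list[str]]:
    """Same comparison on the running host; both files are world-readable.
    /proc/net/ip_tables_names only exists once ip_tables has been loaded."""
    try:
        with open("/proc/net/ip_tables_names") as f:
            tables = f.read()
    except FileNotFoundError:
        tables = ""
    with open("/proc/modules") as f:
        modules = f.read()
    return audit(tables, modules, baseline)


if __name__ == "__main__":
    for key, hits in audit(SAMPLE_TABLES, SAMPLE_MODULES).items():
        print(f"{key}: {hits}")
```

Once a table name is known, `iptables -t <name> -S` lists its rules; given that the manual says v1.0 only adds DNAT rules to PREROUTING, `iptables -t <name> -S PREROUTING` is where the traffic redirection would appear. The baseline has to be recorded while the host is trusted, and it should be compared from outside the host (or at least against a copy stored elsewhere) rather than trusted on the machine under review.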
Previous Vault 7 CIA Leaks
Last week, WikiLeaks dumped a classified CIA malware that tracks geo-location of targeted PCs and laptops running the Microsoft Windows operating system.
Dubbed ELSA, the malware captures the IDs of nearby public hotspots and then matches them with the global database of public Wi-Fi hotspots' locations.
Since March, the whistleblowing group has published 14 batches in the "Vault 7" series, including the latest and last week's leaks, along with the following batches:
Brutal Kangaroo – a CIA tool suite for Microsoft Windows that targets closed networks or air-gapped computers within an enterprise or organization without requiring any direct access.
Cherry Blossom – a CIA framework, essentially a remotely controllable firmware-based implant, used for monitoring the Internet activity of target systems by exploiting flaws in WiFi devices.
Pandemic – a CIA project that allowed the spying agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
Athena – an agency spyware framework designed to take full control over infected Windows machines remotely; it works with every version of Microsoft's Windows operating system, from Windows XP to Windows 10.
AfterMidnight and Assassin – two apparent CIA malware frameworks for the Microsoft Windows platform that are meant to monitor and report back actions on the infected remote host and execute malicious code.
Archimedes – a man-in-the-middle attack tool allegedly built by the spying agency to target computers inside a Local Area Network (LAN).
Scribbles – a piece of software reportedly designed to embed 'web beacons' into confidential documents, allowing the CIA to track insiders and whistleblowers.
Grasshopper – a framework that allowed the CIA to easily create custom malware for breaking into Microsoft Windows and bypassing antivirus protection.
Marble – the source code of a secret anti-forensic framework, primarily an obfuscator or packer used by the spying agency to hide the actual source of its malware.
Dark Matter – hacking exploits the agency designed and used to target iPhones and Macs.
Weeping Angel – a spying tool used by the CIA to infiltrate smart TVs, transforming them into covert microphones.
Year Zero – CIA hacking exploits for popular hardware and software.


UK.gov accidental data leak. Users’ details left publicly accessible on a third-party site
30.6.2017 Securityaffairs BigBrothers

UK.gov left data dashboard users’ details publicly accessible on a third-party system. Users are urged to reset their passwords.
Are you a user of the UK Government website UK.gov? Change your password now!

Users of the government’s data dashboard have been notified that their information was accidentally made public, and they are urged to change their passwords.

The news was reported by The Register after it saw an email confirming that a file containing names, emails and hashed passwords for the data.gov.uk site was left publicly accessible on a third-party system.

According to the email, users registered on gov.uk on or before 20 June 2015 have been affected.

“A recent routine security review discovered a file containing some users’ names, emails and hashed passwords was publicly accessible on a third-party system,” reads the email from the Government Digital Service.

The Government Digital Service confirmed that it immediately took the necessary actions to remove the data from the public domain. The GDS also reported the data breach to the data protection watchdog, the Information Commissioner’s Office.

UK.gov accidental data leak.

The UK Government suggests users reset their password for gov.uk and for any other website where they used the same login credentials.

“There is no evidence of misuse of anyone’s credentials,” states the email. “Resetting your password is purely a precautionary measure.”

The incident could have a severe impact on a large portion of Britons considering that the website Data.gov.uk was visited more than 200,000 times each month in 2017.


Shadow Brokers sent out first round of exploits and threaten to dox former NSA hacker
29.6.2017 securityaffairs BigBrothers

The Shadow Brokers have sent out the first round of exploits to the subscribers of their service; the hackers also threaten to dox a former NSA hacker.
In May the notorious Shadow Brokers group announced the launch of a monthly subscription model for its data dumps; the 0-Day Exploit Subscription goes for $21,000 per month.

The group claimed to have exploit codes for almost any technology available on the market, including “compromised network data from more SWIFT providers and Central banks.”

TheShadowBrokers Monthly Data Dump could be being:

web browser, router, handset exploits and tools
select items from newer Ops Disks, including newer exploits for Windows 10
compromised network data from more SWIFT providers and Central banks
compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs
Now the Shadow Brokers have sent out the first round of exploits to the subscribers of their service, and the hackers also claim to have many subscribers.

On Wednesday the group announced its June data dump and asked individuals and organizations that want next month’s archive for a double payment corresponding to 200 ZEC or 1,000 XMR (Monero).

The Shadow Brokers also announced the launch of a “VIP Service,” for subscribers that are interested in specific vulnerabilities or intel on a certain organization. The VIP Service goes for a one-time payment of 400 ZEC (roughly 130,000), and according to the hacker group, there are already members of this exclusive club.

“Another global cyber attack is fitting end for first month of theshadowbrokers dump service. There is much theshadowbrokers can be saying about this but what is point and having not already being said? So to business! Time is still being left to make subscribe and getting June dump. Don’t be let company fall victim to next cyber attack, maybe losing big bonus or maybe price on stock options be going down after attack. June dump service is being great success for theshadowbrokers, many many subscribers, so in July theshadowbrokers is raising price.” reads the statement published by the group.

“TheShadowBrokers July dump is 200 ZEC or 1000 XMR. Using same addresses as June same instructions.”

Shadow brokers tools

The Shadow Brokers sent a special message to someone who goes online by the moniker “doctor”; the hackers met him on Twitter and believe he is a former member of the NSA-linked Equation Group.

“TheShadowBrokers is having special invitation message for “doctor” person theshadowbrokers is meeting on Twitter. “Doctor” person is writing ugly tweets to theshadowbrokers not unusual but “doctor” person is living in Hawaii and is sounding knowledgeable about theequationgroup. Then “doctor” person is deleting ugly tweets, maybe too much drinking and tweeting? Is very strange, so theshadowbrokers is doing some digging” states the message.

The Shadow Brokers are threatening to dox the “doctor” if he doesn’t sign up for their next monthly dump.

“TheShadowBrokers is thinking this outcome may be having negative financial impact on new security companies international sales, so hoping ‘doctor’ person and security company is making smart choice and subscribe. But is being ‘doctor’ person’s choice. Is not being smart choice to be making ugly tweets with enough personal information to DOX self AND being former equation group AND being co-founder of security company,” the Shadow Brokers added.

The Shadow Brokers dumps are of great interest to IT security experts: a group of researchers considered launching a crowdfunding initiative aimed at buying the Shadow Brokers leak before threat actors start using the hacking tools and exploits in the wild.

Ultimately, the group decided to cancel the project due to legal concerns.


Wikileaks – The Elsa malware allows CIA to locate users via WiFi-enabled devices
29.6.2017 securityaffairs BigBrothers

WikiLeaks published the manual of the ELSA malware, a tool allegedly used by the U.S. CIA to track people’s locations via their WiFi-enabled devices.
WikiLeaks has published a document detailing a tool allegedly used by the U.S. CIA to track people’s locations via their WiFi-enabled devices.
The malware, code-named Elsa, implements a geolocation feature: it scans visible WiFi access points and records their details, such as the ESS identifier, MAC address and signal strength, at regular intervals.

WikiLeaks published the user manual as part of the Vault 7 dump; the document is dated September 2013, and there is no further information about later improvements.

WikiLeaks (@wikileaks), 2:19 PM - 28 Jun 2017: “RELEASE: CIA 'ELSA' implant to geolocate laptops+desktops by intercepting the surrounding WiFi signals https://wikileaks.org/vault7/#Elsa”
The malware also works when the Wi-Fi enabled device is offline or isn’t connected to an access point.

When the device is connected online, the malware leverages public geo-location databases from Google or Microsoft to resolve the position.

The data recorded by the ELSA malware is encrypted and logged; CIA operators can access it only by manually retrieving the log, which requires connecting to the Wi-Fi-enabled device.

“ELSA is a geo-location malware for WiFi-enabled devices like laptops running the Microsoft Windows operating system. Once persistently installed on a target machine using separate CIA exploits, the malware scans visible WiFi access points and records the ESS identifier, MAC address and signal strength at regular intervals.” reads the post published by Wikileaks. “To perform the data collection the target machine does not have to be online or connected to an access point; it only needs to be running with an enabled WiFi device. If it is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp. The collected access point/geo-location information is stored in encrypted form on the device for later exfiltration. The malware itself does not beacon this data to a CIA back-end; instead the operator must actively retrieve the log file from the device – again using separate CIA exploits and backdoors.”

ELSA malware

The data is encrypted and logged, and the malware’s operator can manually retrieve this log by connecting to the infected device. The ELSA malware could be customized by CIA operators in order to match the target environment and mission objectives.
“The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, maximum size of the logfile and invocation/persistence method,” continues WikiLeaks. “Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geo-location data to create a tracking profile of the target device.”

Below is the list of releases published by WikiLeaks since March:
ELSA malware – 28 June, 2017
Cherry Blossom – 15 June, 2017
Pandemic – 1 June, 2017
Athena – 19 May, 2017
AfterMidnight – 12 May, 2017
Archimedes – 5 May, 2017
Scribbles – 28 April, 2017
Weeping Angel – 21 April, 2017
Hive – 14 April, 2017
Grasshopper – 7 April, 2017
Marble Framework – 31 March, 2017
Dark Matter – 23 March, 2017


'Elsa' Tool Allows CIA to Locate Users via Wi-Fi

28.6.2017 securityweek  BigBrothers
WikiLeaks has published a document detailing “Elsa,” a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to track people’s locations via their laptop’s Wi-Fi.

According to its developers, Elsa provides geolocation data by recording the details of Wi-Fi access points, including signal strength, in range of the targeted Windows device. The user’s location and movements can be obtained after the data is sent to third-party location services.

Once Elsa is planted on the target’s computer, it monitors nearby Wi-Fi connections even if the device is not connected to the Internet. Once an Internet connection is available, the malware can send the collected Wi-Fi data to a database containing the geographical location of wireless access points.

The document made available by WikiLeaks showed that Elsa leveraged geolocation databases set up by Google and Microsoft.

The data is encrypted and logged, and the malware’s operator can manually retrieve this log by connecting to the infected device.

“The ELSA project allows the customization of the implant to match the target environment and operational objectives like sampling interval, maximum size of the logfile and invocation/persistence method,” WikiLeaks said. “Additional back-end software (again using public geo-location databases from Google and Microsoft) converts unprocessed access point information from exfiltrated logfiles to geo-location data to create a tracking profile of the target device.”

CIA Elsa tool

The user manual leaked by WikiLeaks as part of its Vault 7 dump is dated September 2013, which indicates that the tool may have been improved significantly if it’s still maintained by its developer.

WikiLeaks (@wikileaks), 28 Jun 2017: “RELEASE: CIA 'ELSA' implant to track the location of laptops by intercepting the surrounding WiFi signals https://wikileaks.org/vault7/#Elsa pic.twitter.com/WwMnh9Qxvp”
Kyle Olbert (@realKyleOlbert), 2:14 PM - 28 Jun 2017: “@wikileaks The #WiFi maps #Vault7 #ELSA appears to rely on have improved dramatically since 2013, theoretically making it far more precise today.”

Earlier this month, WikiLeaks also published documents detailing tools allegedly used by the CIA to spread malware on a targeted organization’s network (Pandemic), hack routers and access points (Cherry Blossom), and hack air-gapped networks using USB drives (Brutal Kangaroo).

WikiLeaks has also detailed tools designed for replacing legitimate files with malware, hacking Samsung smart TVs and routers, MitM tools, a framework used to make malware attribution and analysis more difficult, and a platform for creating custom malware installers.

Security firms have found links between the tools exposed by Wikileaks and the malware used by a cyber espionage group tracked as “Longhorn” and “The Lamberts.”


UK's Metropolitan Police Still Using 10,000 Windows XP Computers

28.6.2017 securityweek  BigBrothers
Legacy Windows XP systems used by public authorities in the UK remain a concern. The WannaCry outbreak last month, followed by the current 'NotPetya' outbreak -- both using a vulnerability patched in newer versions of Windows, but initially unpatched in XP -- highlights the problem.

Information obtained by Steve O'Connell, a member of the London Assembly and a Conservative Party spokesperson for policing and crime, shows that the Metropolitan Police Service (MPS, or the Met) was still using 18,293 XP machines on their network at the time of providing the information. Since XP is no longer supported by Microsoft, it is left vulnerable to any new exploits such as EternalBlue and DoublePulsar -- and it appears that only the tendency for WannaCry to crash XP rather than infect it prevented the worldwide outbreak from being far worse than it was.

The Met's position is more precarious than implied by O'Connell's figures. Last month, the UK's data protection regulator, the ICO, published findings (PDF) from a consensual audit of the Met. While finding some areas of 'good practice', it also noted other areas in need of improvement.

In particular, one area for improvement includes the continued use of XP on some desktops and laptops leading to "a residual risk to personal data." But in relation to WannaCry and NotPetya, this risk is magnified by weaknesses in both the Met's backup and business continuity procedures. "Backup arrangements for file systems are not tested to ensure that they are recoverable in the event of a disaster."

Furthermore, "The database used to store BC information is unsupported and not backed up."

The ICO's conclusion was that "The audit has identified considerable scope for improvement in existing arrangements to reduce the risk of non-compliance [with the Data Protection Act]."

The combination of a vulnerable system and untested recovery capabilities is particularly susceptible to ransomware -- and even more so where the ransomware attacks are more intent on mischief than collecting ransoms, as seems to be the case with both WannaCry and NotPetya. The threat to, or potential loss of, personal data stored by the Metropolitan Police is particularly concerning.

"It is vital the Met is given the resources to step up its upgrade timeline before we see another cyber-attack with nationwide security implications," warns O'Connell. But, of course, things are never so simple. SecurityWeek reached out to the Met to confirm O'Connell's figures, and received the following statement:

"The MPS is undergoing a complete refresh of its information technology processes, infrastructure, and equipment - including its desktop computers.

"However, the upgrade programme is not as simple as it would be for many other organizations due to the amount of specialist legacy software upon which parts of the MPS still rely.

"Replacements or remediation for this software that are compatible with a more modern operating system have to be ready before the roll-out is completed to ensure continued operational effectiveness.

"We have completed the upgrade of just over 17,000 devices to Windows 8.1, and this reduces the number of desktops running Previous XP to around 10,000."

The spokesperson did not know, and was unable to find out in time for this article, whether the Met has patched all its Windows systems (not just the XP ones) against MS17-010 vulnerabilities (also known as the EternalBlue vulnerabilities) after the WannaCry outbreak. However, he did add, "The entire Met ICT estate has a number of layers of industry-leading security, which we have been monitoring closely over the past 24 hours. The MPS estate currently remains un-impacted by the cyber-attack and our security checks continue."

The complicating factor of legacy software on legacy systems is a problem, and not just for the Met. "I'm sympathetic to the fact that financially stretched government agencies and public services may not feel that an OS upgrade is the best use of scarce resources," independent security expert David Harley told SecurityWeek.

"Sometimes," he continued, "there are technical reasons for not upgrading a system required to run specific software or peripherals. There may be systems for which an OS upgrade is expected to damage functionality for other reasons, such as underpowered hardware. There are systems that may not require updating because they're fully air-gapped, I suppose. And the risk from running systems that can no longer be updated is sometimes overhyped: there's plenty of malware that doesn't rely on unpatched Windows versions to allow it to execute."

But none of this means that organizations can relax their efforts to upgrade XP systems. "Nonetheless," concluded Harley, "the risk of attack by malware that makes use of vulnerabilities in unpatched machines (such as the new Petya variant that apparently makes use of EternalBlue) is quite significant enough to make it unwise to rely on systems that are no longer normally updated, even if the agencies concerned are taking advantage of rare events like Microsoft's XP patch in May... After all, dangers to their data, systems and internal processes don't only affect their 'business' but all of us."

The bottom line is that 10,000 XP systems still in use by the Metropolitan Police Service is really 10,000 too many.


WikiLeaks Reveals How CIA Malware Tracks Geo-Location of its Targets

28.6.2017 thehackernews BigBrothers

WikiLeaks has just published a new batch of the ongoing Vault 7 leak, and this time the whistleblowing website has unveiled classified malware that tracks the geo-location of targeted PCs and laptops running the Microsoft Windows operating system.
In short, the malware does it by capturing the IDs of nearby public hotspots and then matching them with the global database of public Wi-Fi hotspots’ locations.
Dubbed ELSA, the alleged CIA project consists of two main elements: the processing component (Operator Terminal) and the implant (Windows Target), which is typically deployed on a target Windows host.
Here's How the CIA's ELSA Malware Works
The Elsa system first installs the malware on a targeted WiFi-enabled machine using separate CIA exploits to gain persistent access on the device.
The malware then uses the Wi-Fi hardware of the infected computer to scan nearby visible WiFi access points (APs) and records their ESSID (Extended Service Set Identifier, from IEEE 802.11 wireless networking), MAC address and signal strength at regular intervals.
In order to perform this data collection, the ELSA malware does not require the targeted computer to be connected to the Internet. Instead, it only requires the malware to be running on a device with Wi-Fi enabled.
"If [the target device] is connected to the internet, the malware automatically tries to use public geo-location databases from Google or Microsoft to resolve the position of the device and stores the longitude and latitude data along with the timestamp," WikiLeaks notes.
The collected information is then stored in encrypted form on the targeted device for later exfiltration.
The CIA malware itself doesn't beacon (transfer) this data to the agency's server, instead, the operator (CIA hacker) downloads the encrypted log files from the device using separate CIA exploits and backdoors.
The operator then decrypts the log files and performs further analysis on their target.
The ELSA project allows CIA hackers to customize or modify the implant depending upon the target environment and operational objectives such as "sampling interval, the maximum size of the log file and invocation/persistence method."
The CIA hacker (operator) then uses additional back-end software to match collected access point data from exfiltrated log files with public geolocation databases (from Google and Microsoft) and finds the exact location of their target.
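The steps above, and the three ELSA write-ups on this page, describe the same pipeline: sample the visible access points, store (timestamp, ESSID, MAC, signal strength), and later match the MACs against a BSSID-to-coordinate database to produce a tracking profile. The following is an added illustration, not ELSA code or the back-end the leak describes, that runs that pipeline over a constructed scan log and a constructed database so a defender can see why such a log is already a location record even when the device was offline when it was collected. The log line format, the AP coordinates and the MAC addresses are all made up for the example; the signal-strength-weighted centroid is one common way positioning services combine several APs, not a method the leak attributes to ELSA.

```python
"""What an access-point scan log reveals once matched to a BSSID database.

Added illustration, not ELSA code or its back-end: it turns records of
(timestamp, ESSID, BSSID, signal strength) into position fixes using a
signal-strength-weighted centroid over APs found in a BSSID-to-coordinate
database. The log line format and the database below are constructed for
the example and stand in for the public services named in the leak. The
point for a defender is that such a log is a location record even when it
was collected offline; the lookup simply happens later.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ApObservation:
    ts: str         # sample timestamp (ISO 8601)
    essid: str      # network name; informational only
    bssid: str      # AP MAC address; the lookup key
    rssi_dbm: int   # received signal strength in dBm


# Constructed BSSID -> (latitude, longitude) table standing in for a geolocation database.
AP_DATABASE = {
    "aa:bb:cc:00:00:01": (51.5007, -0.1246),
    "aa:bb:cc:00:00:02": (51.5010, -0.1230),
    "aa:bb:cc:00:00:03": (51.5003, -0.1260),
}

# Constructed scan log: one line per observed AP, comma separated, '#' comments.
# Three sampling intervals: several known APs, a single known AP, and none known.
SAMPLE_LOG = """\
# ts,essid,bssid,rssi_dbm
2013-09-01T10:00:00Z,CoffeeNet,aa:bb:cc:00:00:01,-45
2013-09-01T10:00:00Z,HomeAP,aa:bb:cc:00:00:02,-70
2013-09-01T10:00:00Z,Unknown,AA:BB:CC:00:00:99,-40
2013-09-01T10:00:00Z,Guest,aa:bb:cc:00:00:03,-60
2013-09-01T10:05:00Z,HomeAP,aa:bb:cc:00:00:02,-55
2013-09-01T10:10:00Z,Other,aa:bb:cc:00:00:77,-50
"""


def parse_scan_log(text: str) -> list[ApObservation]:
    """Parse the constructed log format; BSSIDs are normalised to lower case."""
    obs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, essid, bssid, rssi = line.split(",")
        obs.append(ApObservation(ts, essid, bssid.lower(), int(rssi)))
    return obs


def rssi_weight(rssi_dbm: int) -> float:
    """dBm -> milliwatts, so a stronger (closer) AP pulls the estimate harder."""
    return 10 ** (rssi_dbm / 10)


def resolve_fix(observations, db=AP_DATABASE):
    """Weighted centroid of the APs present in db plus the number of APs used;
    None when no observed BSSID is in the database (unmapped area)."""
    known = [o for o in observations if o.bssid in db]
    if not known:
        return None
    total = sum(rssi_weight(o.rssi_dbm) for o in known)
    lat = sum(rssi_weight(o.rssi_dbm) * db[o.bssid][0] for o in known) / total
    lon = sum(rssi_weight(o.rssi_dbm) * db[o.bssid][1] for o in known) / total
    return (lat, lon, len(known))


def build_track(log_text: str, db=AP_DATABASE):
    """Group observations by sample timestamp and resolve each group; the
    'tracking profile' the leak describes is this list in time order."""
    by_ts = defaultdict(list)
    for o in parse_scan_log(log_text):
        by_ts[o.ts].append(o)
    return [(ts, resolve_fix(by_ts[ts], db)) for ts in sorted(by_ts)]


def unresolved_bssids(log_text: str, db=AP_DATABASE) -> list[str]:
    """BSSIDs the database does not know; a back-end would retry these against another source."""
    return sorted({o.bssid for o in parse_scan_log(log_text) if o.bssid not in db})


if __name__ == "__main__":
    for ts, fix in build_track(SAMPLE_LOG):
        print(ts, fix if fix else "no fix (no known AP in range)")
```

Two things the run makes concrete: a single known AP already yields a fix (the AP's own coordinates), so the implant needs very little data per interval, and the only interval with no fix is the one where no observed BSSID is in the database, which is why the back-end, not the implant, is where the resolution quality lives. Mitigations follow from that: the log on disk is the sensitive artefact, so controls that prevent unauthorised code from enumerating Wi-Fi networks or reading such logs matter more than whether the host was online.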
Previous Vault 7 CIA Leaks
Last week, WikiLeaks dumped an alleged CIA tool suite for Microsoft Windows, dubbed Brutal Kangaroo, that targets closed networks or air-gapped computers within an organization or enterprise without requiring any direct access.
Since March, the whistleblowing group has published 12 batches in the "Vault 7" series, including the latest and last week's leaks, along with the following batches:
Cherry Blossom – a CIA framework, basically a remotely controllable firmware-based implant, used for monitoring the Internet activity of targeted systems by exploiting vulnerabilities in Wi-Fi devices.
Pandemic – a CIA project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
Athena – a CIA spyware framework designed to take full control over infected Windows PCs remotely; it works against every version of Microsoft's Windows operating system, from Windows XP to Windows 10.
AfterMidnight and Assassin – two apparent CIA malware frameworks for the Microsoft Windows platform that have been designed to monitor and report back actions on the infected remote host and execute malicious actions.
Archimedes – a man-in-the-middle attack tool allegedly developed by the agency to target computers inside a Local Area Network (LAN).
Scribbles – software supposedly designed to embed 'web beacons' into confidential documents, allowing the CIA to track insiders and whistleblowers.
Grasshopper – a framework that allowed the CIA to easily create custom malware for breaking into Microsoft Windows and bypassing antivirus protection.
Marble – disclosed the source code of a secret anti-forensic framework used by the agency to hide the actual source of its malware.
Dark Matter – hacking exploits the CIA designed to target iPhones and Macs.
Weeping Angel – a spying tool used by the spy agency to infiltrate smart TVs, transforming them into covert microphones.
Year Zero – CIA hacking exploits for popular hardware and software.


'Shadow Brokers' Threaten to Dox Former NSA Hacker

28.6.2017 securityweek  BigBrothers
The Shadow Brokers has sent out its first round of exploits and data as part of a recently announced monthly subscription service, and the group claims it has a significant number of subscribers.

The hackers, who claim to possess exploits and secret documents stolen from the U.S. National Security Agency (NSA), particularly the Equation Group actor linked to the agency, announced last month that anyone could obtain parts of the data for a monthly fee of 100 Zcash (ZEC), which at the time was worth roughly $20,000.

The group announced on Wednesday its data dump for the month of June and said that they had “many many subscribers.” As a result, individuals and organizations that want next month’s files will have to pay double – 200 ZEC or 1,000 XMR (Monero).

The Shadow Brokers also announced that following requests from several individuals, they have decided to launch a so-called “VIP Service.” Those who want the group’s attention – to learn if they have exploits for specific vulnerabilities or intel on a certain organization – have to make a one-time payment of 400 ZEC, which is currently worth roughly 130,000. The hackers claim someone has already signed up for the VIP service.

A significant part of the statement published on Wednesday by the Shadow Brokers is a message to an individual the hackers call “doctor.” This person, who they claim to have met on Twitter, sent the hackers some “ugly tweets” and later deleted them.

The hackers did some digging and they discovered that the “doctor” is a former member of the Equation Group and they believe he is responsible for building many tools and hacking organizations in China. They also claim that this individual is the co-founder of a new security company.

The Shadow Brokers told “doctor” that if he doesn’t sign up for their next monthly dump, they will dox him (i.e. expose his real identity).

“TheShadowBrokers is thinking this outcome may be having negative financial impact on new security companies international sales, so hoping ‘doctor’ person and security company is making smart choice and subscribe. But is being ‘doctor’ person's choice. Is not being smart choice to be making ugly tweets with enough personal information to DOX self AND being former equation group AND being co-founder of security company,” the Shadow Brokers said.

While many of the exploits leaked in the past months by the Shadow Brokers had little value, the recent WannaCry ransomware attacks demonstrated that the group’s leaks can lead to significant damage. The hackers’ requests for money were largely ignored until the WannaCry outbreak, but these attacks have made many realize that the group’s exploits can be highly valuable.

Some members of the infosec community decided to launch a crowdfunding initiative to acquire Shadow Brokers exploits via the monthly dump service in an effort to help prevent a future WannaCry-like incident, but they ultimately decided to cancel the project due to legal concerns.


'Shadow Brokers' Threatens to Unmask A Hacker Who Worked With NSA
28.6.2017 thehackernews BigBrothers
The Shadow Brokers, a notorious hacking group that leaked US cyberweapons — which were also abused by the recent ransomware disasters WannaCry and Petya or NotPetya — has now threatened to unmask the identity of a former hacker who worked for the NSA.
Besides this, the Shadow Brokers group has also doubled the price of its monthly subscription for NSA-built hacking tools and zero-day exploits from 100 ZEC (Zcash) to 200 ZEC, which is around $64,400 USD.
Moreover, the hacking group has also announced a VIP service for people whose queries about the leaked hacking tools and exploits the group will entertain.
To subscribe to the VIP service, one has to make a one-time payment of 400 ZEC (around US$128,800).
Last month, the Shadow Brokers announced that it would release more zero-day exploits and hacking tools developed by the US spy agency every month starting in June 2017, but only to private members who subscribe for exclusive access to the future leaks.
The Shadow Brokers' June data dump costs 100 ZEC, but after looking at successful growth in the number of subscribers for this month, the group said it is raising the price for the next month's subscription.
Threatens to Unmask Equation Group Hacker
In typically broken English, the mysterious hacking group threatened to unmask a former member of the NSA's elite hacking group called Equation Group, who developed several hacking tools to break into Chinese organizations.
The Shadow Brokers did not reveal much about the former Equation Group member, except that the person is living in Hawaii and is currently a "co-founder of a new security company and is having much venture capital."
The group, which calls the Equation Group member "doctor," made the threat because of his/her "ugly tweets" targeting the Shadow Brokers.
"TheShadowBrokers is having special invitation message for 'doctor' person theshadowbrokers is meeting on Twitter. 'Doctor' person is writing ugly tweets to theshadowbrokers," the group said. "Then doctor person is deleting ugly tweets, maybe too much drinking and tweeting?"
"TheShadowBrokers is hoping 'doctor' person is deciding to subscribe to dump service in July. If theshadowbrokers is not seeing subscription payment with corporate email address of doctor@newsecuritycompany.com then theshadowbrokers might be taking tweets personally and dumping data of 'doctor' persons hacks of China with real id and security company name."
Well, that's enough of a threat.
With June about to end, Shadow Brokers subscribers who paid in June should start receiving zero-day exploits and hacking tools in the first week of July.
Although what the June dump would contain is not clear at the moment, the group's last announcement claimed that the upcoming data dump would include:
Compromised data from banks and Swift providers.
Exploits for operating systems, including Windows 10.
Exploits for web browsers, routers, and smartphones.
Stolen network information from Russian, Chinese, Iranian, and North Korean nuclear missile programs.
You can follow The Hacker News (on Facebook or Twitter) to receive the latest threat updates immediately.


Israeli Spy Agency Creates Fund to Invest in Tech Firms

28.6.2017 securityweek BigBrothers
Israel's Mossad spy agency is starting a fund to invest in technology firms creating products that could assist its work, including those involving robotics and encryption, the prime minister's office said Tuesday.

The fund, to be called Libertad, will invest in research and development programs at "cutting-edge technology startup companies," a statement said.

It said it was calling on firms to submit proposals, particularly in areas including robotics, encryption and personality profiling.

The statement said Mossad would not publicise the names of the firms in which it invests.

It said Libertad would be open to anyone and provided an email address to submit proposals (apply@libertad.gov.il), adding that it would offer up to two million shekels ($570,000, 500,000 euros) for projects.

More could be granted for exceptional cases, it said.

It will not act as a typical investor.

Libertad will not hold equity in the firms in which it invests and will instead receive a license to use the technology developed, it said.

The CIA in the United States has created a similar investment fund, known as In-Q-Tel.

Israel is seen as a global leader in the technology industry, particularly regarding cyber-defense.

Libertad was the name of a ship that carried Jewish emigrants to what was then British-mandate Palestine in 1940 before the creation of the state of Israel.


China Agrees to Fight Corporate Hacking in Canada

27.6.2017 securityweek BigBrothers
China has pledged not to carry out state-sponsored cyberattacks against the intellectual property of Canadian firms, the two sides said Monday.

The agreement was reached as part of ongoing bilateral security and trade talks.

Western governments have accused Chinese hackers of stealing valuable proprietary technologies and business secrets from high-tech and pharmaceutical companies, as well as manufacturers.

Beijing has publicly denied wrongdoing.

China and Canada "agreed that neither country's government would conduct or knowingly support cyber-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors," an official statement said.

Beijing has recently signed similar agreements with Australia, Britain, the United States and others -- all of which had accused China of wrongdoing.

In Canada, the most serious case involved the alleged hacking in 2014 of the National Research Council (NRC), which the country's electronic eavesdropping agency said was conducted by "a highly sophisticated Chinese state-sponsored actor."

The NRC partners with Canadian companies and academics on cutting-edge science and technology projects.

The deal comes as Canada and China consider entering free trade negotiations, and following blowback over China's recent purchases of Canadian companies.

Polls show Canadians are overwhelmingly wary of increased trade ties with China.

Opposition parties meanwhile raised concerns over the sale to China of two Canadian satellite and laser technology firms that also sell to Western militaries.

The bilateral security and trade talks held last week also touched on "mutual concerns" about rule of law issues, counter-terrorism, and combating transnational organized crime, the two sides said.

Beijing is pushing for an extradition treaty with Canada, but Ottawa has said it needs assurances that persons who are extradited get a fair trial and do not face the death penalty.


Russia Threatens to Ban Telegram Messaging App, Says It Was Used By Terrorists
26.6.2017 thehackernews BigBrothers
Russia has threatened to ban the Telegram end-to-end encrypted messaging app after Pavel Durov, its founder, refused to sign up to the country's new data protection laws.
Russia's FSB intelligence service said on Monday that the terrorists who killed 15 people in Saint Petersburg in April had used the Telegram encrypted messaging service to plot the attacks.
Under the new Russian data protection laws, since January 1 all foreign tech companies have been required to store the past six months of Russian citizens' personal data, together with encryption keys, inside the country, and to share them with the authorities on demand.
"There is one demand, and it is simple: to fill in a form with information on the company that controls Telegram," said Alexander Zharov, head of the communications regulator Roskomnadzor (the state communications watchdog).
"And to officially send it to Roskomnadzor to include this data in the registry of organizers of dissemination of information. In case of refusal… Telegram shall be blocked in Russia until we receive the needed information."
Russia wants Telegram to share its users' chats and crypto keys on request, arguing that the encrypted messaging app has become widely popular among terrorists operating inside Russia.
Founder Pavel Durov said on Twitter that intelligence agencies had pressured the company to weaken its encryption or install a backdoor.
So far, Telegram has refused to comply with the requirements in order to protect the privacy of its more than 6 million Russian users.
In November last year, LinkedIn, the world's largest online professional network, was also banned in Russia for not complying with the country's data protection laws.


UK Parliament Hit by Cyberattack, Up to 90 MPs' E-mail Accounts Hacked
26.6.2017 thehackernews BigBrothers
A cyberattack hit the email system of the UK Houses of Parliament on Friday morning, breaching at least 90 email accounts belonging to MPs and other parliamentary staff that were protected by weak passwords.
Meanwhile, as a precaution, parliament's security service has temporarily shut down remote access to its network from outside Westminster to protect email accounts.
Liberal Democrat Chris Rennard has advised on Twitter that urgent messages should be sent by text message.
"We have discovered unauthorized attempts to access accounts of parliamentary networks users and are investigating this ongoing incident, working closely with the National Cyber Security Centre," a spokesperson said.
"Parliament has robust measures in place to protect all of our accounts and systems, and we are taking the necessary steps to protect and secure our network."
The authorities found that less than 1% of parliament's 9,000 email addresses had been compromised in the brute-force attack, which lasted for more than 12 hours.
If the emails were successfully accessed, experts have warned, the affected politicians could be at risk of blackmail or terror attacks.
It is unclear who is responsible for the attack, but the breach happened just two days after the passwords of British cabinet ministers and officials were reportedly sold online by hackers on Russian underground forums.
However, most UK officials suspect Russia or North Korea of being behind the British Parliament cyberattack.
"We are continuing to investigate this incident and take further measures to secure the computer network, liaising with Britain's National Cyber Security Centre (NCSC)," a spokeswoman said.


UK Parliament Cuts Email Access After Cyberattack

25.6.2017 securityweek BigBrothers
Britain's parliament shut down external access to e-mail accounts on Saturday following a cyberattack.

Parliamentary authorities described the attack as "sustained and determined", in an email sent to lawmakers and published by the Daily Telegraph.

"Earlier this morning we discovered unusual activity and evidence of an attempted cyberattack on our computer network," it read.

"Closer investigation by our team confirmed that hackers were carrying out a sustained and determined attack on all parliamentary user accounts.

"We have been working closely with the National Cyber Security Centre to identify the method of the attack and have made changes to prevent the attackers gaining access."

A House of Commons spokeswoman said that officials had taken "the necessary steps to protect our systems.

"Parliament has disabled remote access to protect the network," she said.

The threat follows reports in British media, including the Times, that hackers were selling passwords for MPs online.

The National Crime Agency said it was "aware of a possible cyber incident affecting parliament".

International Trade Minister Liam Fox told ITV News it was a "warning to everyone we need more security and better passwords".

Fox told the BBC: "We know that our public services are attacked so it is not at all surprising that there should be an attempt to hack into parliamentary emails".

A global ransomware attack last month hit hundreds of thousands of computers, including hospitals in Britain that were forced to shut down, divert emergency cases and postpone operations.

The so-called WannaCry ransomware locked access to user files and in an on-screen message demanded payment of $300 (275 euros) in the virtual currency Bitcoin in order to decrypt the files.


The CIA was aware of Putin's order to support Trump's presidential candidacy
25.6.2017 securityaffairs BigBrothers
The CIA was aware as early as August that President Putin had personally ordered an operation to support Donald Trump's presidential campaign.
The intelligence shocked the White House and put US security chiefs on a top-secret crisis footing to figure out how to react.

According to the Washington Post, the CIA was aware as early as August that President Putin had personally ordered an operation to support Donald Trump in the 2016 presidential election.

According to the media outlet, confidence that Democrat Hillary Clinton would win the election led the Obama administration to hold off on countermeasures.

After the shocking victory of Donald Trump, the US intelligence community deeply regretted not having acted.

“From national security people there was a sense of immediate introspection, of, ‘Wow, did we mishandle this,'” a former administration official told the newspaper.

The Washington Post reports that the US created a secret intelligence task force to firm up the information and respond to the Russian threat. The experts' work focused on preventing hacking of voting systems that could undermine confidence in the vote tally itself.

The Obama administration opted to deliver a warning to the Russian government instead of hacking back.

According to the Post, the US sent at least four direct warnings to the Russians through different channels, including direct messages from Obama to Putin. The messages warned the Russian government against hacking US voting operations.

“We made the judgment that we had ample time after the election, regardless of outcome, for punitive measures,” a senior administration official told the Post.

Punitive measures range from sanctions to launching cyberattacks on Russian infrastructure. In December, an executive order issued by President Obama applied sanctions to Russian military and intelligence officials, and 35 Russian operatives were expelled.

The Post reports that Obama authorized a plan to implant malware in the systems of critical Russian infrastructure, but it is unclear if Trump has followed through with that.

Donald J. Trump (@realDonaldTrump) tweeted on 24 June 2017: "Just out: The Obama Administration knew far in advance of November 8th about election meddling by Russia. Did nothing about it. WHY?"
Trump criticized the response of the Obama administration to the alleged Russian threat.

“If he had the information, why didn’t he do something about it? He should have done something about it. But you don’t read that. It’s quite sad,” Trump said in an interview with a Fox News program.


CIA Knew in August that Putin Sought to Boost Trump: Report

24.6.2017 thehackernews BigBrothers
The CIA had top-level intelligence last August that Russian President Vladimir Putin personally ordered an operation to help Donald Trump win the US presidential race, the Washington Post reported Friday.

The intelligence shocked the White House and put US security chiefs on a top-secret crisis footing to figure out how to react.

But amid confidence that Democrat Hillary Clinton still had the election in the bag and worries over president Barack Obama himself being seen as manipulating the election, the administration delivered warnings to Moscow but left countermeasures until after the vote, the Post reported.

After Trump's shock victory, there were strong regrets among administration officials that they had shied from tough action.

"From national security people there was a sense of immediate introspection, of, 'Wow, did we mishandle this,'" a former administration official told the newspaper.

The Post said that as soon as the intelligence on Putin came in, the White House viewed it as a deep national security threat. A secret intelligence task force was created to firm up the information and come up with possible responses.

They couldn't do anything about embarrassing WikiLeaks revelations from hacked Clinton emails. The focus turned to whether Moscow could disrupt the November 8 vote itself by hacking voter registration lists or voting machines, undermining confidence in the vote tally itself.

Worried about making the situation worse, the administration put off retaliating, and instead delivered stiff warnings directly to the Russians not to go farther.

At least four direct warnings -- Obama to Putin, spy chief to spy chief, and via top diplomatic channels -- appeared to have an impact, officials told the Post. They believe that Moscow pulled back on any possible plans to sabotage US voting operations.

"We made the judgment that we had ample time after the election, regardless of outcome, for punitive measures," a senior administration official told the Post.

Options to retaliate were on the table early: more crippling sanctions on the Russian economy, leaking information that would embarrass Putin diplomatically, and launching cyberattacks on Russian infrastructure were high on the list.

But Trump's shock victory dampened the response.

Obama took modest measures at the end of December, expelling 35 Russians and adding to existing sanctions. He also, according to the Post, authorized a plan to place cyberattack implants in the systems of critical Russian infrastructure.

But it remains unclear, the Post said, whether Trump has followed through with that.

Trump on Friday questioned Obama's response to the Russian hacking crisis.

"Just out: The Obama Administration knew far in advance of November 8th about election meddling by Russia. Did nothing about it. WHY?" he posted on Twitter.

In an interview with Fox News program "Fox and Friends" that will air Sunday, Trump groused that Obama's response did not get more media coverage.

"The CIA gave him information on Russia a long time before they even -- before the election. And I hardly see it. It's an amazing thing," Trump said in an excerpt released by the program Friday evening.

"If he had the information, why didn't he do something about it? He should have done something about it. But you don't read that. It's quite sad."


WikiLeaks Details CIA's Air-Gapped Network Hacking Tool

23.6.2017 securityweek  BigBrothers
WikiLeaks published several documents on Thursday detailing a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to hack air-gapped networks through USB drives.

Dubbed “Brutal Kangaroo,” it has been described by its developer as a tool suite designed for targeting closed networks. The infected systems will form a covert network, and the attacker will be able to obtain information and execute arbitrary files.

One component of Brutal Kangaroo is called “Shattered Assurance” and it’s designed to automatically spread the tool to USB drives connected to a device within the targeted organization that was infected remotely via the Internet. Shattered Assurance relies on a tool named “Drifting Deadline” to infect thumb drives.

Once the victim connects the infected drive to an air-gapped network and Brutal Kangaroo is deployed, a component named “Broken Promise” is used to evaluate the harvested data. The last component, dubbed “Shadow,” acts as the primary persistence mechanism and command and control (C&C) server on the closed network.

The documents published by WikiLeaks show that Drifting Deadline and Shattered Assurance replaced two previous tools named “EZCheese” and “Emotional Simian.”


Brutal Kangaroo infects USB drives by exploiting Windows vulnerabilities that allow an attacker to execute arbitrary DLL files using specially crafted shortcut (LNK) files. At least some of the exploits do not require users to actually run the malicious files.

Earlier versions of EZCheese leveraged a Windows vulnerability (CVE-2015-0096) discovered and patched in 2015. The flaw is a newer variant of CVE-2010-2568, which the notorious Stuxnet worm used in attacks aimed at Iran’s nuclear program.

One exploit used in later versions, dubbed “Lachesis” and designed for Windows 7, relies on autorun.inf to execute the malicious file as soon as the thumb drive is plugged in. Another exploit, named “RiverJack” and designed for Windows 7, 8 and 8.1, leverages library-ms functionality.

Microsoft said the vulnerabilities used by these exploits have already been patched in supported versions of Windows, but it’s unclear when. The company this month patched a LNK remote code execution flaw (CVE-2017-8464) that has been actively exploited, but no information has been provided on these attacks.

While the exploits may have been successful in some cases, the Brutal Kangaroo documents show that security products from Symantec, Avira, Avast, Bitdefender and Kaspersky did block at least some functionality and attack vectors.

WikiLeaks has been publishing CIA files, which are part of a leak dubbed “Vault 7,” nearly every week since March 23. The tools exposed by the whistleblower organization include ones designed for replacing legitimate files with malware, hacking Samsung smart TVs and routers, MitM tools, a framework used to make malware attribution and analysis more difficult, and a platform for creating custom malware installers.

Security firms have found links between the tools exposed by Wikileaks and the malware used by a cyber espionage group tracked as “Longhorn” and “The Lamberts.”


Brutal Kangaroo: CIA-developed Malware for Hacking Air-Gapped Networks Covertly
22.6.2017 thehackernews BigBrothers

WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing a tool suite for Microsoft Windows allegedly used by the CIA to target "closed networks by air gap jumping using thumb drives," the kind of networks mainly deployed in enterprises and critical infrastructure.
Air-gapped computers, which are isolated from the Internet and other external networks, are believed to be the most secure computers on the planet, yet they have become a regular target in recent years.
Dubbed Brutal Kangaroo (v1.2.1), the tool suite was allegedly designed by the Central Intelligence Agency (CIA) in 2012 to infiltrate a closed network or air-gapped computer within an organization or enterprise without requiring any direct access.
The previous version of Brutal Kangaroo was named EZCheese; it exploited a vulnerability that remained a zero-day until March 2015, while the newer version uses an "unknown link file vulnerability (Lachesis/RiverJack) related to the library-ms functionality of the operating system."
Here's How the Air-Gap Attack Works

Like most air-gapped malware techniques we reported on The Hacker News, this hacking tool first infects an Internet-connected computer within the target organization and then installs the Brutal Kangaroo malware on it.

Even when an Internet-connected PC inside the target organisation is hard to reach, the attackers can infect a computer belonging to one of the organisation's employees and then wait for the employee to insert a USB drive into it.
Now, as soon as a user (the employee of the organisation) inserts a USB stick into the infected computer, Shattered Assurance, a server-side tool, infects the USB drive with a separate piece of malware called Drifting Deadline (also known as 'Emotional Simian' in the latest version).

The USB drive then infects systems with the help of a flaw in the Microsoft Windows operating system that can be exploited by hand-crafted link files (.lnk) to load and execute programs (DLLs) without user interaction.
"The .lnk file(s) must be viewed in windows explorer, and the tool will be auto-executed without any further input." the manual says.
When the infected USB drive is used to share data with air-gapped computers, the malware spreads itself to those systems as well.
"If multiple computers on the closed network are under CIA control, they form a covert network to coordinate tasks and data exchange. Although not explicitly stated in the documents, this method of compromising closed networks is very similar to how Stuxnet worked," WikiLeaks said.
"Brutal Kangaroo components create a custom covert network within the target closed network and providing functionality for executing surveys, directory listings, and arbitrary executables," a leaked CIA manual reads.

The malware then covertly starts collecting data from the infected air-gapped computers (using Shadow, the primary persistence mechanism), and a module within the Brutal Kangaroo suite, dubbed "Broken Promise," analyzes the data for juicy information.
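As an added defender-side example (not code from the leaked documents, WikiLeaks or either article), the following Python script triages a mounted removable drive for the three USB-borne indicators the two Brutal Kangaroo write-ups name: shortcut (.lnk) files whose body references a DLL, an autorun.inf, and .library-ms files. The Shell Link header check follows the public MS-SHLLINK format; the sample drive contents are constructed here, and the checks are triage heuristics, not signatures for any specific exploit.

```python
"""Triage a mounted removable drive for LNK/autorun/library-ms indicators.

Added example for this page; heuristic triage only, not a detector for any
particular vulnerability or for the leaked tooling itself.
"""
import os
import shutil
import tempfile

# Shell Link (.lnk) header: HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 (MS-SHLLINK, section 2.1).
LNK_HEADER_SIZE = b"\x4c\x00\x00\x00"
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")


def is_shell_link(data: bytes) -> bool:
    """True if the bytes begin with a valid Shell Link header."""
    return (len(data) >= 0x4C
            and data[:4] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def references_dll(data: bytes) -> bool:
    """Heuristic: does the link body mention a .dll (ANSI or UTF-16LE string)?

    A shortcut that names a DLL rather than an .exe is unusual on a removable
    drive and is worth a look, whichever loader trick it relies on.
    """
    low = data.lower()  # bytes.lower() only touches ASCII, so UTF-16LE survives
    return b".dll" in low or ".dll".encode("utf-16-le") in low


def scan_removable_root(root: str):
    """Walk a mounted drive and return sorted (relative_path, finding) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            lname = name.lower()
            if lname == "autorun.inf":
                findings.append((rel, "autorun.inf present"))
            elif lname.endswith(".library-ms"):
                findings.append((rel, "library-ms file present"))
            elif lname.endswith(".lnk"):
                with open(full, "rb") as fh:
                    data = fh.read()
                if not is_shell_link(data):
                    findings.append((rel, "lnk with malformed header"))
                elif references_dll(data):
                    findings.append((rel, "lnk references a DLL"))
    return sorted(findings)


def fake_lnk(target: str) -> bytes:
    """Constructed test blob: a correct header, zeroed flags/fields, then a
    UTF-16LE target string. Enough for the heuristics above; it is NOT a
    complete or valid shell link and Windows would not open it."""
    body = b"\x00" * (0x4C - len(LNK_HEADER_SIZE) - len(LNK_CLSID))
    return LNK_HEADER_SIZE + LNK_CLSID + body + target.encode("utf-16-le")


def build_sample_drive(root: str) -> None:
    """Populate root with constructed files: two benign, three suspicious."""
    files = {
        "Report.docx": b"PK\x03\x04 constructed placeholder, not a real docx",
        "Notes.lnk": fake_lnk("C:\\Windows\\System32\\notepad.exe"),
        "Photos.lnk": fake_lnk("C:\\Users\\Public\\thumb.dll"),
        "autorun.inf": b"[autorun]\r\nopen=setup.exe\r\n",
        "Documents.library-ms": b'<?xml version="1.0"?><libraryDescription/>',
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed sample drive in a temp dir, scan it, clean up."""
    root = tempfile.mkdtemp(prefix="usb_triage_")
    try:
        build_sample_drive(root)
        return scan_removable_root(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding}: {path}")
```

On a real drive, call scan_removable_root() with the mount point; every hit is a prompt to pull the file for analysis on an isolated machine, not proof of compromise.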
Previous Vault 7 CIA Leaks
Last week, WikiLeaks dumped an alleged CIA framework used for monitoring the Internet activity of the targeted systems by exploiting vulnerabilities in Wi-Fi devices.
Dubbed "Cherry Blossom," the framework was basically a remotely controllable firmware-based implant for wireless networking devices, including routers and wireless access points (APs), which exploits router vulnerabilities to gain unauthorized access and then replace the firmware with custom Cherry Blossom firmware.
Since March, the whistleblowing group has published 12 batches in the "Vault 7" series, including this week's and last week's leaks, along with the following batches:
Pandemic – a CIA's project that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
Athena – a spyware framework that has been designed to take full control over Windows PCs remotely, and works against every version of Microsoft's Windows operating systems, from Windows XP to Windows 10.
AfterMidnight and Assassin – Two apparent CIA malware frameworks for the Windows platform that have been designed to monitor and report back the activities of the infected remote host computer and execute malicious actions.
Archimedes – Man-in-the-Middle attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
Scribbles – Software reportedly designed to embed 'web beacons' into confidential files and documents, allowing the agency to track whistleblowers and insiders.
Grasshopper – A framework which allowed the agency to easily create custom malware for breaking into Windows operating system and bypassing antivirus protection.
Marble – The source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the spying agency to hide the actual source of its malware.
Dark Matter – Revealed hacking exploits the CIA designed to target iPhones and Macs.
Weeping Angel – A spying tool used by the CIA to infiltrate smart TVs and then transform them into covert microphones.
Year Zero – Disclosed several CIA hacking exploits for popular hardware and software.


Russia Targeted Election-Related Networks in 21 States: DHS

22.6.2017 securityweek BigBrothers
Hackers believed to be working for the Russian government targeted election-related networks in 21 U.S. states, representatives of the Department of Homeland Security (DHS) told the Senate Intelligence Committee on Wednesday in a hearing on threats to election infrastructure.

DHS officials revealed that the agency’s Office of Intelligence and Analysis (I&A) published a report in October claiming that cyber actors possibly connected to the Russian government had targeted websites and other election-related systems in 21 states. The states have not been named, but some news organizations previously reported that the list includes Arizona and Illinois.

The DHS said only a “small number” of networks were compromised, but it did not find any evidence that vote tallies had been altered. In many cases, only attempts to scan election infrastructure were detected.

The DHS has admitted that cyberattack attribution is difficult, but the agency appears confident that the Russian government was involved in these operations.

A few months before last year’s presidential election, the DHS said there was no indication that cyber threat actors had been planning to attack election infrastructure in a way that would change the outcome of the vote, and noted that the checks and redundancies in the system made the task difficult. However, the agency warned at the time that “cyber operations targeting election infrastructure could be intended or used to undermine public confidence in electoral processes and potentially the outcome.”

In his statement before the Senate Intelligence Committee, Bill Priestap, Assistant Director of the FBI’s Counterintelligence Division, said “Russia’s 2016 presidential election influence effort was its boldest to date in the United States.”

“Moscow employed a multi-faceted approach intended to undermine confidence in our democratic process. Russia’s activities included efforts to discredit Secretary Clinton and to publicly contrast her unfavorably with President Trump,” Priestap stated. “This Russian effort included the weaponization of stolen cyber information, the use of Russia’s English-language state media as a strategic messaging platform, and the mobilization of social media bots and trolls to spread disinformation and amplify Russian messaging.”

The FBI is still investigating the extent of Russia’s interference, including whether or not any of President Donald Trump’s current or former associates aided Moscow’s efforts.

The United States has officially accused Russia of attempting to interfere with the November election, but the Kremlin has denied the allegations. Russian President Vladimir Putin recently admitted that patriotic hackers may have launched attacks, but denied government involvement and said hacking is unlikely to have a real impact on elections in a country.

Top secret documents leaked recently from the National Security Agency (NSA) also show that hackers affiliated with the Russian military had repeatedly attempted to break into U.S. voting systems before the election.


National Security Agency opens the NSA Github Account that already lists 32 Projects
21.6.2017 securityaffairs BigBrothers

It is official, the National Security Agency (NSA) has presented its GitHub page that includes 32 projects as part of the NSA Technology Transfer Program.
The National Security Agency has opened a GitHub account and presented an official GitHub page. The US intelligence agency employs numerous excellent experts who have in the past demonstrated extraordinary abilities in developing hacking tools, exploits and surveillance solutions.

The work of the NSA experts was secret until the Snowden revelations, but now the agency seems to be more open, as the creation of the GitHub account demonstrates.

Looking at the GitHub account, we can notice that the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program (TTP), while some of these are ‘coming soon.’

“The NSA Technology Transfer Program (TTP) transfers NSA-developed technology to industry, academia, and other research organizations, benefitting the economy and the Agency mission. The program has an extensive portfolio of patented technologies across multiple technology areas” states the description of the NSA program.

Many projects shared by the NSA are very old and were already available online, such as SELinux (Security-Enhanced Linux).

“The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace,” the agency wrote on the program’s page.

“OSS invites the cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community’s enhancements to the technology.”


Other NSA open source projects include:
Certificate Authority Situational Awareness (CASA): A simple tool that identifies unexpected and prohibited certificate authority certificates on Windows systems.
Control Flow Integrity: A hardware-based technique to prevent memory corruption exploitation.
GRASSMARLIN: It provides IP network situational awareness of ICS and SCADA networks to support network security.
Open Attestation: A project to remotely retrieve and verify system integrity using the Trusted Platform Module (TPM).
RedhawkSDR: A software-defined radio (SDR) framework that provides tools to develop, deploy, and manage software radio applications in real time.
OZONE Widget Framework (OWF): A browser-based web application that allows users to create lightweight widgets and easily access all their online tools from one location.
The full list of NSA’s projects is available here.


NSA Opens Github Account — Lists 32 Projects Developed by the Agency
21.6.2017 thehackernews BigBrothers

The National Security Agency (NSA) — the United States intelligence agency which is known for its secrecy and working in the dark — has finally joined GitHub and launched an official GitHub page.
The NSA employs genius-level coders and some of the brightest mathematicians, who continually work to break codes, gather intelligence on everyone, and develop hacking tools like EternalBlue, which was leaked by the Shadow Brokers in April and abused by the WannaCry ransomware last month to wreak havoc worldwide.
The intelligence agency mostly works in secret, but after the Edward Snowden leaks in 2013, the NSA has (slowly) started opening itself to the world. It joined Twitter that same year and has now opened a GitHub account.
GitHub is an online service designed for sharing code among programmers and the open source community, and so far the NSA is sharing 32 different projects as part of the NSA Technology Transfer Program (TTP), while some of these are 'coming soon.'
"The NSA Technology Transfer Program (TTP) works with agency innovators who wish to use this collaborative model for transferring their technology to the commercial marketplace," the agency wrote on the program's page.
"OSS invites the cooperative development of technology, encouraging broad use and adoption. The public benefits by adopting, enhancing, adapting, or commercializing the software. The government benefits from the open source community's enhancements to the technology."
Many of the projects the agency listed are years old and have been available on the Internet for some time. For example, SELinux (Security-Enhanced Linux) has been part of the Linux kernel for years.
Some of the NSA's open source projects are listed below:
Certificate Authority Situational Awareness (CASA): A simple tool that identifies unexpected and prohibited certificate authority certificates on Windows systems.
Control Flow Integrity: A hardware-based technique to prevent memory corruption exploitations.
GRASSMARLIN: It provides IP network situational awareness of ICS and SCADA networks to support network security.
Open Attestation: A project to remotely retrieve and verify system integrity using Trusted Platform Module (TPM).
RedhawkSDR: It is a software-defined radio (SDR) framework that provides tools to develop, deploy, and manage software radio applications in real-time.
OZONE Widget Framework (OWF): It is basically a web application, which runs in your browser, allows users to create lightweight widgets and easily access all their online tools from one location.
You can check out the full list of NSA's projects here.


Mexican Government was spying on Journalists and Activists with Pegasus Surveillance software
20.6.2017 securityaffairs BigBrothers

Journalists and activists in Mexico accused the government of spying on them with the powerful surveillance software Pegasus developed by the NSO Group.
Journalists and activists in Mexico accused the government of spying on them with powerful surveillance software. According to the journalists, the authorities used Israeli spyware to hack their mobile devices. The surveillance software is the controversial Pegasus, developed by the Israeli surveillance firm NSO Group and sold exclusively to governments and law enforcement agencies.

NSO Group is owned by US private equity firm Francisco Partners Management. It made the headlines after the investigation conducted by The New York Times.

People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers verifying that the software will not be abused to violate human rights.

Officially, the sale of the surveillance software is limited to authorized governments, to support agencies' investigations of criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

“There’s no check on this,” said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “Once NSO’s systems are sold, governments can essentially use them however they want. NSO can say they’re trying to make the world a safer place, but they are also making the world a more surveilled place.”

The discovery is the result of an investigation conducted by Mexican NGOs and the CitizenLab organization.

R3D, SocialTic, Article 19 and CitizenLab published a report that details the surveillance illegally operated by the Mexican government through the spyware.

Authorities have been sending malicious links to individuals’ phones in order to trick victims into opening messages crafted specifically for them, and in some cases the attackers also targeted family members when the intended victims were not compromised.

“The targets received SMS messages that included links to NSO exploits paired with troubling personal and sexual taunts, messages impersonating official communications by the Embassy of the United States in Mexico, fake AMBER Alerts, warnings of kidnappings, and other threats,” states the report. “The operation also included more mundane tactics, such as messages sending fake bills for phone services and sex-lines. Some targets only received a handful of texts, while others were barraged with dozens of messages over more than one and a half years. A majority of the infection attempts, however, took place during two periods: August 2015 and April-July 2016.”

Mexican Government surveillance

The Pegasus spyware leverages zero-day exploits to compromise both iOS and Android devices.

The government targeted individuals that exposed evidence on government corruption and activists who revealed human rights violations by the Mexican Government.

The researchers observed at least two periods of intense targeting:

Period 1 (August 2015) when the Mexican President was officially exonerated for his role in the “Casa Blanca” scandal on which Carmen Aristegui, a well-known reporter, had first reported, and Carlos Loret de Mola was questioning the government’s role in extrajudicial killings. Aristegui revealed that President Enrique Pena Nieto’s wife had bought a $7 million Mexico City mansion from a government contractor.
Period 2 (April- July 2016) when revelations of government involvement in human rights abuses and extra-judicial killings were made public.
Mexican Government spyware

According to the New York Times report, at least three Mexican federal agencies have purchased some $80 million of spyware from NSO Group since 2011.

Companies like the NSO Group operate in the dark, in a sort of “legal gray area”: although the Israeli government exercises strict control over the export of such software, surveillance applications can still be abused by threat actors and authoritarian regimes worldwide.

Let me close with the key findings of the report:

Over 76 messages with links to NSO Group’s exploit framework were sent to Mexican journalists, lawyers, and a minor child (NSO Group is a self-described “cyber warfare” company that sells government-exclusive spyware).
The targets were working on a range of issues that include investigations of corruption by the Mexican President, and the participation of Mexico’s Federal authorities in human rights abuses.
Some of the messages impersonated the Embassy of the United States of America to Mexico, others masqueraded as emergency AMBER Alerts about abducted children.
At least one target, the minor child of a target, was sent infection attempts, including a communication impersonating the United States Government, while physically located in the United States.


Mexican Journalists, Activists Accuse Govt of Spying on Them

20.6.2017 securityweek BigBrothers
A group of prominent journalists and activists in Mexico accused the government Monday of spying on them, saying their phones had been hacked with Israeli spyware sold exclusively to the state.

The group has pressed charges with the attorney general's office, accusing the government of illegally accessing private communications and other offenses, it announced at a press conference.

The nine plaintiffs at the press conference included journalists who have published embarrassing exposes on government corruption and activists who have investigated human rights violations by the state.

"This is an operation by the Mexican state, in which state agents -- far from doing what they should legally do -- have used our resources, our taxes, our money to commit serious abuses," said journalist Carmen Aristegui.

Aristegui, a well-known reporter, is known in Mexico for a 2014 expose revealing that President Enrique Pena Nieto's wife had bought a $7 million Mexico City mansion from a government contractor.

She is among the 76 cases the plaintiffs say they have documented of high-tech spyware being installed on their phones and those of their families and associates.

"What does the Mexican president have to say today about this treacherous, illegal spying?" Aristegui said.

Victims said they received text messages with eye-catching news headlines, social media posts or even communications from the United States embassy -- all of which were fake.

The messages would prompt users to click on a link that would secretly install the spyware on their phones.

The software in question, known as Pegasus, effectively turns a target's cell phone into a pocket spy, accessing the user's communications, camera and microphone to enable a highly detailed level of surveillance.

The accusation came as The New York Times published a report detailing how Pegasus was used against top human rights lawyers, journalists and anti-corruption activists in Mexico.

The spyware is made by a secretive Israeli firm called NSO Group, owned by US private equity firm Francisco Partners Management.

According to the Times report, at least three Mexican federal agencies have purchased some $80 million of spyware from NSO Group since 2011.

The company, which claims it only sells Pegasus to governments, says it has an agreement with clients that the software be used only to target terrorists and criminals.


Republican Party Contractor Exposes Details of 198 Million American Voters

20.6.2017 securityweek BigBrothers
More than 1 terabyte of data compiled by three contractors of the U.S. Republican Party, including the details of 198 million American voters, was stored in a misconfigured database that could have been accessed by anyone, according to cyber resilience startup UpGuard.

Researcher Chris Vickery, who recently joined UpGuard as a risk analyst, discovered the unprotected Amazon Web Services (AWS) S3 bucket containing the data on June 12. Federal authorities were notified on June 14 – after all the data was downloaded – and the database was secured on the same day.

The database included information such as name, date of birth, home address, phone number, voter registration status, political views, and data on race and ethnicity.
American voter data exposed by Republicans

UpGuard’s analysis showed that the unprotected cloud server was managed by Deep Root Analytics, a company that offers a data management platform for targeted TV advertising. The firm, which bills itself as “the most experienced group of targeters in Republican politics,” has taken responsibility for the incident.

Deep Root Analytics said the exposed data included both proprietary information and publicly available voter data. The company said there was no evidence that anyone other than Vickery accessed the files.

According to UpGuard, the exposed files suggested that at least two other companies, TargetPoint Consulting and Data Trust, also contributed to the database. TargetPoint is a market research and knowledge management firm whose services were used by President George W. Bush in his 2004 campaign, and Data Trust is the “exclusive data provider” of the Republican National Committee (RNC).

Deep Root Analytics, TargetPoint Consulting and Data Trust all played an important role in the recent campaign of President Donald Trump.

“Like political operatives, hackers constantly search for ways to move a person to take a particular action. This database, with political preferences and other private information for millions of Americans, is a treasure trove for creative hackers,” said Adam Levin, chairman and founder of CyberScout. “They can pose as anyone from a political action committee or local voting board to the IRS or a bank in phishing emails, to coax additional information from voters, such as social security numbers for identity theft, or they can influence the voting process directly.”

“Any organization that collects and stores data such as voter information must exercise the highest level of cyber hygiene. This includes repeated penetration testing and searches for and patches to new vulnerabilities as well as continual monitoring for unusual data exfiltration,” Levin added.

As for Deep Root Analytics’ failure to secure the data, Paul Fletcher, cyber security evangelist at Alert Logic, pointed out that Amazon offers the tools needed to protect cloud instances.

“The fact that this exposure was discovered on a public cloud site is irrelevant, in fact, if the AWS suite of security tools and log collection capabilities were properly implemented, this massive data exposure could’ve been avoided. The Amazon S3 server comes by default with an access control list (ACL), which needs to be properly set up, maintained and audited by the organization (and in this case), the organization’s customer – the GOP,” Fletcher told SecurityWeek. “Extra security is also available using server side encryption, again offered by AWS, but the responsibility to implement this solution is up to the public cloud customer.”
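The ACL audit Fletcher describes, as an added example that is not part of the article or of any company involved in the incident: it inspects dictionaries shaped like the responses boto3 returns from get_bucket_acl() and get_bucket_policy() and flags grants to everyone, using constructed sample inputs (an open ACL and the corrected owner-only one) so it runs offline.

```python
import json

# Group URIs that S3 interprets as "anyone on the Internet" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}


def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant made to a public group.

    `acl` has the shape of boto3's get_bucket_acl() response ("Owner" and "Grants").
    """
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]  # "AllUsers" / "AuthenticatedUsers"
            findings.append((group, grant.get("Permission")))
    return findings


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    # Both "Principal": "*" and "Principal": {"AWS": "*"} grant access to everyone.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def public_policy_statements(policy_json):
    """Return the Sid (or index) of each unconditioned Allow statement for an anonymous principal."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow" or not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # narrowed by a condition: worth a manual look, not flagged here
        findings.append(stmt.get("Sid", "statement[%d]" % i))
    return findings


def audit_bucket(acl, policy_json=None):
    """Combine both checks into human-readable findings; an empty list means no public access found."""
    findings = ["ACL grants %s to %s" % (perm, group) for group, perm in public_acl_grants(acl)]
    if policy_json:
        findings += ["Bucket policy statement %s allows anonymous access" % sid
                     for sid in public_policy_statements(policy_json)]
    return findings


# Constructed samples (not taken from the incident). OPEN_ACL is what "anyone can list
# and read the bucket" looks like; FIXED_ACL keeps only the owner's FULL_CONTROL grant.
OPEN_ACL = {
    "Owner": {"ID": "owner-canonical-id"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "owner-canonical-id"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
}
FIXED_ACL = {"Owner": OPEN_ACL["Owner"], "Grants": OPEN_ACL["Grants"][:1]}

# Constructed bucket policy with the classic "PublicRead" statement (bucket name is a placeholder).
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket-placeholder/*",
    }],
})

if __name__ == "__main__":
    for name, acl, policy in (("open", OPEN_ACL, OPEN_POLICY), ("fixed", FIXED_ACL, None)):
        print(name, audit_bucket(acl, policy) or ["no public access found"])
```

In a real audit the same functions would be fed the live responses of get_bucket_acl() and the "Policy" string of get_bucket_policy() for every bucket in the account, and any non-empty result treated as a finding to fix before data is uploaded.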

This was not the first time Vickery discovered an exposed database containing the details of U.S. voters. Back in December 2015, he stumbled upon personal information on 191 million Americans. A few months later, he identified a database storing the records of Mexican voters.


European Parliament Proposes Ban On Encryption Backdoors
19.6.2017 thehackernews BigBrothers
Prime Minister Theresa May wants tech companies like Facebook, Apple, and Google to create controversial 'backdoors' for police, but deep down even she knows that it is not as easy as it sounds.
The Civil Liberties, Justice and Home Affairs Committee of the European Parliament has released a draft proposal [PDF] for new laws on privacy and electronic communications, recommending end-to-end (E2E) encryption on all communications and forbidding backdoors that offer access to law enforcement.
"The protection of confidentiality of communications is also an essential condition for the respect of other related fundamental rights and freedoms, such as the protection of freedom of thought, conscience and religion, and freedom of expression and information," the draft reads.
Draft Says, Your Security is Our Top Priority
According to the draft, EU citizens need more protection, not less and they need to know that the "confidentiality and safety" of their data is "guaranteed," but software backdoors risk "weakening" that privacy.
What is a backdoor? By definition, "A backdoor is a feature or defect of a computer system that allows surreptitious unauthorized access to data."
Many countries' governments, including the US Defence Department, have forced major companies to provide backdoor access to their services, allowing the feds to intercept users' traffic and access everything from secure messages to their web activities.
But, "Technically, there is no such backdoor that only the government can access. If surveillance tools can exploit the vulnerability by design, then an attacker who gained access to it would enjoy the same privilege."
Draft Demands End-to-End Encryption & Ban On Backdoors
The proposed draft recommends the use of end-to-end encryption that would make it more difficult for federal officials to request data from tech companies.
The proposal would ban decryption of user data as well as the creation of backdoors in software or encryption technologies that could allow government access to users' private information.
So if the amendments pass, the ban on software backdoors would make it difficult for the government to enforce Section 49 of the Regulation of Investigatory Powers Act (RIPA) 2000, which requires companies to remove "electronic protection" when possible.
For those unaware, end-to-end encryption is a secure communication that encrypts data on the sender's system before passing it to a company's server. The company then passes the encrypted data to the intended recipient, who is the only person who can decrypt it.
Nobody in between, be it an application service provider, an Internet service provider (ISP), hacker, or even law enforcement officials, can read or tamper with the data.
"When encryption of electronic communications data is used, decryption, reverse engineering or monitoring of such communications shall be prohibited," the draft reads.
"Member States shall not impose any obligations on electronic communications service providers that would result in the weakening of the security and encryption of their networks and services."
Securing the 'Internet of Things'
Similarly, the draft also says the current law has not kept pace with how machine-to-machine communications in the Internet of Things can expose citizens.
The connected devices and machines are increasingly communicating with each other today by using electronic communications networks.
So, according to the committee, this Regulation should also be applied to the machine-to-machine communications in order to "ensure full protection of the rights to privacy and confidentiality of communications, and to promote a trusted and secure Internet of Things in the digital single market."
In short, the committee wants any future means of communication, such as "calls, internet access, instant messaging applications, email, internet phone calls and messaging provided through social media," to be protected from hackers, governments and prying eyes.
The committee also wants applications, browsers, internet service providers, cars, smartphones and fitness trackers to respect no-track requests from their customers, and to collect their data only after getting the users' consent.
However, it should be noted that most technology companies fall under the jurisdiction of United States courts, and the post-Snowden era has shown that as long as your country's data is stored outside its borders, your policies and regulations will hardly make any difference.


Mexican Govt. Allegedly Used Spyware Against Journalists, Activists & A Child
19.6.2017 thehackernews  BigBrothers

After the disclosure of a sophisticated global espionage and disinformation campaign aimed at discrediting enemies of the state, Citizen Lab researchers exposed the dirty game of the Mexican government and its politics.
The report — "Government Spy: Systematic monitoring of journalists and human rights defenders in Mexico" — published by Citizen Lab today revealed how the Mexican government used advanced spyware tools purchased from the NSO Group to target the country's most prominent human rights lawyers, anti-corruption activists, and journalists.
The NSO Group, an Israel-based company that produces the most advanced mobile spyware on the planet, sold the tool to governments with an explicit agreement that it should be used only to fight terrorists or criminal groups that have long kidnapped and killed Mexicans.
But, the Mexican government targets include:
Lawyers looking into the case of the 43 students who disappeared in September 2014 from the town of Iguala.
Two of Mexico's most influential journalists.
An American who is representing victims of sexual abuse by the police.
A child, presumably in an attempt to spy on his mother.
"The targets share a basic connection: they have been involved in investigating or working on reports of high-level official corruption, or government involvement in human rights abuses," the report says.
According to the report, the purchase of the NSO Group's exploit "has been documented by at least three units in Mexico:
the National Defense Secretariat (SEDENA)
the Attorney General's Office (PGR)
the National Security and Investigation Center (CISEN)
Since 2011, the above three Mexican federal agencies have purchased nearly $80 Million worth of spyware from the NSO group.
The surveillance tool in question is the infamous mobile spyware 'Pegasus' that was also used in targeted cyber attacks against human rights activists in the United Arab Emirates last year.
Pegasus is one of the NSO Group's most advanced mobile spyware tools. It can infiltrate Android devices as well as iPhones to monitor calls, texts, email, contacts, and calendars, and can use the phone's microphone and camera for surveillance, turning a target’s smartphone into a sophisticated bugging device.
According to the report, the targets had received over 76 messages with links to the Pegasus exploit along with uniquely crafted social engineering messages, "troubling personal and sexual taunts, messages impersonating official communications by the Embassy of the United States in Mexico, fake AMBER Alerts, warnings of kidnappings, and other threats."
Once a victim opens the link, Pegasus is downloaded onto the smartphone, turning it into a digital spying tool that sits in the victim's pocket but is fully under the control of the operator.


The malware allows the attacker to extract an incredible amount of data stored in files, contacts, messages, and emails and then forward them to a hidden server. It also takes control of the smartphone's microphone and camera — all without users’ knowledge.
Those targeted by the government include:
Activists with the Centro Miguel Agustín Pro Juárez for Human Rights (Centro PRODH)
Members of the Mexican Institute for Competitiveness (IMCO)
TV personality and investigative journalist Carmen Aristegui, along with her son Emilio Aristegui (a teenager)
Other journalists working for the Mexican non-profit Against Corruption and Impunity
TV network Televisa anchor Carlos Loret de Mola
A majority of the infection attempts on victims were recorded under two separate events: in August 2015 and between April 2016 and July 2016.
The report asserts that all evidence points towards the Mexican government itself being behind the cyber espionage.


Canada’s CSE warns of cyber attacks against the next election in 2019
19.6.2017 securityaffairs BigBrothers

The Canada Communications Security Establishment (CSE) published a report warning that hackers will attempt to interfere with the country’s 2019 election.
The Canada Communications Security Establishment (CSE) published a report revealing that cyber criminals and hacktivists leaked sensitive government documents and attempted to interfere with the country’s 2015 election.

The hackers targeted candidates and spread disinformation and propaganda in order to influence the vote. According to the CSE, the “low sophistication” attacks “did not impact the outcome of the election.”

The CSE warns of possible interference in the forthcoming 2019 election, especially of hacktivist groups.

According to the CSE, 13 percent of countries holding national elections in 2017 have been targeted by cyber attacks, and the attacks are becoming more sophisticated.

“We judge that, almost certainly, multiple hacktivist groups will deploy cyber capabilities in an attempt to influence the democratic process in 2019,” states the CSE report. The Canadian intelligence believes that hackers will increasingly adopt “more sophisticated” techniques threatening 2019 elections and politicians.

Clearly, Canadian intelligence fears possible interference like that observed in the US and French presidential campaigns. The Canadian intelligence avoided naming Russia or other states as potential adversaries.

The CSE report confirmed that the Anonymous collective leaked secret documents in 2015 on Canadian diplomatic missions and the size of Canada’s spy network overseas in order to damage the Tories during the election campaign.

Photo: Communications Security Establishment Canada building on Heron Rd, Ottawa, October 8, 2012 (Chris Mikula / Ottawa Citizen)

The CSE report also warns that nation-state actors could, for the first time, launch an offensive against Canada’s democracy.

State-sponsored hackers may target politicians and parties involved in the 2019 election depending on “how Canada’s nation-state adversaries perceive Canada’s foreign and domestic policies, and on the spectrum of policies espoused by Canadian federal candidates in 2019.”

Foreign Affairs Minister Chrystia Freeland confirmed that threats to elections have been “energetically discussed” at meetings of NATO and the G7 group. Canada and its allies will not accept any attack against their voting machines.
“We are a member of the G7, we are a NATO country, we are an influential voice and a leader on the world stage and so therefore there is a significant interest in influencing the direction of Canadian elections,” Minister of Democratic Institutions Karina Gould told AFP.

“Regardless of who is behind these cyberthreats, it’s important that we can protect ourselves”.

The CSE analyzed dozens of cyber attacks against more than 40 states in the last decade and discovered that in almost 80 percent of the cases the attacks were carried out by state actors.

The situation in Canada is worrisome: according to the CSE report, political parties, politicians and the media in Canada are under attack because of their weak security posture.

While the Canadian election system itself still relies on paper ballots, provincial and municipal elections could suffer cyber attacks.

“In particular, we know that certain nation-states have core interests that can be affected by Canadian policies related to natural resources, which are often made at the provincial/territorial level,” said the report. “Hacktivists may begin to view subnational elections… as worthy targets.”


Canada: Hackers Targeted Country's 2015 Election, May Try Again

18.6.2017 securityweek BigBrothers
Canada's electronic eavesdropping agency warned Friday that hackers and foreign states may try to sway its elections in 2019, after so-called hacktivists tried but failed to influence the 2015 ballot that brought Justin Trudeau's Liberals to power.

In a report, the Communications Security Establishment (CSE) said hacktivists and cybercriminals had leaked sensitive government documents, and attempted to smear candidates and spread disinformation and propaganda ahead of the 2015 vote.

These "low sophistication" attacks "did not impact the outcome of the election," the CSE concluded.

But it added that hacktivists are likely to try again when Canadians return to the polls in 2019.

"We judge that, almost certainly, multiple hacktivist groups will deploy cybercapabilities in an attempt to influence the democratic process in 2019," the CSE said in the report, adding that these groups will adapt and increasingly adopt "more sophisticated" approaches.

The agency pointed to hacker group Anonymous, for example, leaking secret documents in 2015 on Canadian diplomatic missions and the size of Canada's spy network overseas to try to embarrass the incumbent Tories during the election campaign.

Nation-states have so far not targeted Canada's 150-year-old democracy, the CSE said.

But they may try in the next election, the agency said, depending on "how Canada's nation-state adversaries perceive Canada's foreign and domestic policies, and on the spectrum of policies espoused by Canadian federal candidates in 2019."

The report comes as US officials probe alleged Russian interference in last year's US presidential elections and after French President Emmanuel Macron's election campaign was subject to cyberattacks.

Canadian officials avoided naming Russia or other antagonists.

Foreign Affairs Minister Chrystia Freeland said interference in elections has been "energetically discussed" at meetings of NATO and the G7 group of leading industrial powers.

"We are a member of the G7, we are a NATO country, we are an influential voice and a leader on the world stage and so therefore there is a significant interest in influencing the direction of Canadian elections," Minister of Democratic Institutions Karina Gould told AFP.

"Regardless of who is behind these cyberthreats, it's important that we can protect ourselves," she said.

According to the CSE, 13 percent of countries holding national elections this year have had their democratic processes targeted, and the number and sophistication of the attacks are predicted to rise.

The agency analyzed dozens of incidents over the past decade that victimized almost 40 nations. It concluded that in almost 80 percent of the cases, state actors were behind attempts to influence the democratic process.

The rest mostly involved cybercriminals stealing voter information.

The CSE report said political parties, politicians and the media in Canada faced the greatest vulnerability to cyberthreats and "influence operations." The Canadian election system itself still relies on paper ballots.

The report noted that provincial and municipal elections could also be targeted.

"In particular, we know that certain nation-states have core interests that can be affected by Canadian policies related to natural resources, which are often made at the provincial/territorial level," said the report. "Hacktivists may begin to view subnational elections... as worthy targets."


Hacker Admits Stealing Satellite Data from DoD

16.6.2017 securityweek BigBrothers
A British man from Sutton Coldfield on Thursday pleaded guilty to stealing user accounts from a U.S. military communications system, the UK's National Crime Agency (NCA) announced.

Sean Caffrey, 25, admitted in court to accessing and stealing information pertaining to 800 users of a satellite communications system, including ranks, usernames and email addresses. Moreover, he stole information associated with 30,000 satellite phones, NCA says.

Caffrey pleaded guilty on Thursday at Birmingham Crown Court to an offense under the Computer Misuse Act: “Causing a computer to perform a function to secure unauthorized access to a program or data.”

Shortly after the hack, Caffrey posted a message online apparently condemning Lizard Squad, a known group of hackers previously associated with attacks on Microsoft and Sony and with various distributed denial of service incidents.

“We smite the Lizards, LizardSquad your time is near. We're in your bases, we control your satellites. Department of Defense has no Defenses,” the message, posted on Pastebin, said.

The hacker stole the data from the US Department of Defense (DoD) on June 15, 2014, but was arrested only in March 2015, after “intelligence showed the hack originated from his internet connection.” Officers from the NCA’s National Cyber Crime Unit (NCCU) and West Midlands Police made the arrest.

During forensic analysis of Caffrey’s computer, NCA officers found the stolen data on the hard drives, and also discovered that the PC was used to open and operate under a pseudonym an online messaging account linked to the attack.

“After strong partnership working between the NCA, the FBI and the DoD’s Defense Criminal Investigative Service there was very clear, very compelling evidence against Sean Caffrey. The NCA has people with skills like Caffrey’s, but they’re doing the opposite to him in detecting cyber criminals and bringing them to justice,” Janey Young, investigations manager at the NCA, said.

The financial damages incurred by the hacker’s intrusion amounted to approximately $628,000, the DoD said. Caffrey is scheduled for sentencing on August 14.


Wikileaks revealed CIA Cherry Blossom framework for hacking Wireless devices
16.6.2017 securityaffairs BigBrothers

WikiLeaks released documents detailing the Cherry Blossom framework which is being used by the CIA cyber spies to hack into Wi-Fi devices.
WikiLeaks released a new batch of documents belonging to the Vault 7 leak, the files provide details related to the Cherry Blossom framework which is being used by the CIA cyber spies to hack into Wi-Fi devices.

The framework was developed by the CIA, along with experts at the Stanford Research Institute (SRI International), for hacking hundreds of home router models.

The Cherry Blossom framework was developed under the ‘Cherry Bomb’ project.

Cherry Blossom is a remotely controllable firmware-based implant for wireless networking devices, it could be used to compromise routers and wireless access points (APs) by triggering vulnerabilities to gain unauthorized access and load the custom Cherry Blossom firmware.

“The Cherry Blossom (CB) system provides a means of monitoring the internet activity of and performing software exploits on targets of interest. In particular, CB is focused on compromising wireless networking devices, such as wireless (802.11) routers and access points (APs), to achieve these goals,” states the user manual.

“An implanted device [called Flytrap] can then be used to monitor the internet activity of and deliver software exploits to targets of interest.” reads the CherryBlossom — Users Manual (CDRL-12).
“The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection,” WikiLeaks says.

Cherry Blossom is composed of four main components:

FlyTrap – the compromised firmware that runs on the infected device and beacons to the CherryTree C&C server.
CherryTree – the C&C server that communicates with FlyTrap.
CherryWeb – the web-based admin panel running on CherryTree.
Mission – a set of tasks sent by the C&C server to infected devices.

CIA cyber spies use the Cherry Blossom framework to compromise wireless networking devices on the targeted networks and then run man-in-the-middle attacks to eavesdrop on and manipulate the Internet traffic of connected devices.
Cherry Blossom architecture

FlyTrap could perform the following malicious tasks:

Monitoring network traffic to gather data of interest such as email addresses, MAC addresses, VoIP numbers, and chat user names.
Hijack users to malicious websites.
Injecting malicious content into the data traffic to deliver malware.
Setting up VPN tunnels to access clients connected to Flytrap’s WLAN/LAN for further exploitation
According to the documents, the CherryTree C&C server must be located in a secure sponsored facility and deployed on Dell PowerEdge 1850 powered virtual servers, running Red Hat Fedora 9, with at least 4GB of RAM.
The documents include a list of more than 200 router models that Cherry Blossom can target. Experts noticed that most of them are older models from various vendors, including Belkin, D-Link, Linksys, Aironet/Cisco, Apple AirPort Express, Allied Telesyn, Ambit, AMIT Inc, Accton, 3Com, Asustek Co, Breezecom, Cameo, Epigram, Gemtek, Global Sun, Hsing Tech, Orinoco, PLANET Technology, RPT Int, Senao, US Robotics and Z-Com.

The full list of devices is included in a WikiLeaks document.

Below is the list of releases published by WikiLeaks since March:
Cherry Blossom – 15 June, 2017
Pandemic – 1 June, 2017
Athena – 19 May, 2017
AfterMidnight – 12 May, 2017
Archimedes – 5 May, 2017
Scribbles – 28 April, 2017
Weeping Angel – 21 April, 2017
Hive – 14 April, 2017
Grasshopper – 7 April, 2017
Marble Framework – 31 March, 2017
Dark Matter – 23 March, 2017


Wikileaks Unveils 'Cherry Blossom' — CIA's Wireless Router Hacking Framework
15.6.2017 thehackernews BigBrothers

WikiLeaks has published a new batch of the ongoing Vault 7 leak, this time detailing a framework the CIA allegedly uses to monitor the Internet activity of targeted systems by exploiting vulnerabilities in Wi-Fi devices.
Dubbed "Cherry Blossom," the framework was allegedly designed by the Central Intelligence Agency (CIA) with the help of Stanford Research Institute (SRI International), an American nonprofit research institute, as part of its ‘Cherry Bomb’ project.
Cherry Blossom project focuses on developing implanted firmware for wireless networking devices, including routers and wireless access points (APs).
It exploits router vulnerabilities to gain unauthorized access to the targeted wireless devices and then replaces their firmware with an implant called FlyTrap.
"An implanted device [called Flytrap] can then be used to monitor the internet activity of and deliver software exploits to targets of interest." a leaked CIA manual reads.
"The wireless device itself is compromised by implanting a customized CherryBlossom firmware on it; some devices allow upgrading their firmware over a wireless link, so no physical access to the device is necessary for a successful infection," WikiLeaks says.
According to Wikileaks, CIA hackers use Cherry Blossom hacking tool to hijack wireless networking devices on the targeted networks, such as wireless routers and access points (APs) and then perform man-in-the-middle attacks to monitor or manipulate the Internet traffic of the connected users.

Once it has taken full control of the wireless device, FlyTrap reports back to its command-and-control server, referred to as CherryTree, from which it receives instructions and accordingly performs malicious tasks, which include:
Monitoring network traffic to collect email addresses, chat user names, MAC addresses, and VoIP numbers
Redirecting connected users to malicious websites
Injecting malicious content into the data stream to fraudulently deliver malware and compromise the connected systems
Setting up VPN tunnels to access clients connected to Flytrap's WLAN/LAN for further exploitation
Copying of the full network traffic of a targeted device
According to an installation guide, the CherryTree C&C server must be located in a secure facility and installed on Dell PowerEdge 1850 powered virtual servers, running Red Hat Fedora 9, with at least 4GB of RAM.
CIA Can Hack Wi-Fi Devices From Wide-Range Of Vendors

Cherry Blossom can exploit vulnerabilities in hundreds of Wi-Fi devices (the full list is in the leaked documents) manufactured by the following vendors:
Belkin, D-Link, Linksys, Aironet/Cisco, Apple AirPort Express, Allied Telesyn, Ambit, AMIT Inc, Accton, 3Com, Asustek Co, Breezecom, Cameo, Epigram, Gemtek, Global Sun, Hsing Tech, Orinoco, PLANET Technology, RPT Int, Senao, US Robotics and Z-Com.
Previous Vault 7 CIA Leaks
Last week, WikiLeaks dumped an alleged CIA project, dubbed Pandemic, that allowed the agency to turn Windows file servers into covert attack machines that can silently infect other computers of interest inside a targeted network.
The tool is a persistent implant for Microsoft Windows machines that has been designed to infect networks of Windows computers through the Server Message Block (SMB) file sharing protocol by replacing application code on-the-fly with a trojanized version of the software.
Since March, the whistleblowing group has published 11 batches of "Vault 7" series, which includes the latest and last week leaks, along with the following batches:
Athena – a CIA's spyware framework that has been designed to take full control over the infected Windows PCs remotely, and works against every version of Microsoft's Windows operating systems, from Windows XP to Windows 10.
AfterMidnight and Assassin – two apparent CIA malware frameworks for the Microsoft Windows platform that have been designed to monitor and report back actions on the infected remote host computer and execute malicious actions.
Archimedes – a man-in-the-middle (MitM) attack tool allegedly created by the CIA to target computers inside a Local Area Network (LAN).
Scribbles – a piece of software allegedly designed to embed 'web beacons' into confidential documents, allowing the spying agency to track insiders and whistleblowers.
Grasshopper – revealed a framework which allowed the agency to easily create custom malware for breaking into Microsoft Windows and bypassing antivirus protection.
Marble – revealed the source code of a secret anti-forensic framework, basically an obfuscator or a packer used by the CIA to hide the actual source of its malware.
Dark Matter – focused on hacking exploits the agency designed to target iPhones and Macs.
Weeping Angel – spying tool used by the agency to infiltrate smart TV's, transforming them into covert microphones.
Year Zero – dumped CIA hacking exploits for popular hardware and software.


European police target anti-malware detection services and their customers
15.6.2017 securityaffairs BigBrothers

An international operation conducted by European police targeted customers of counter-antivirus and crypter services: six suspects were arrested and dozens were interviewed.
The Germany’s Kriminalinspektion Mayen along with the Europol’s European Cybercrime Centre (EC3) have arrested six individuals and interviewed dozens of suspects as part of an international law enforcement operation targeting the users of two tools designed to help malware evade detection by security software.

“Between 5 and 9 June, 6 suspects were arrested and 36 were interviewed during an internationally coordinated operation in 6 European countries.” states the announcement published by the Europol. “The targets are all suspected customers of a counter anti-virus platform and crypter service – two cybercriminal tools used for testing and clouding of malware samples to prevent security software solutions from recognising them as malicious.”

The authorities seized hundreds of desktop and laptop devices, smartphones, and storage devices.
The first phase of the police operation, codenamed Neuland, took place in April 2016 and targeted the operators of two anti-malware detection services, and their customers based in Germany.

“The first phase of the operation, also supported by Europol, was executed on 5 April 2016 and targeted the suspects behind a counter anti-virus and a crypter service , as well as the German customers of the two tools, through a large-scale coordinated action in all state criminal police offices in Germany.” continues the report.

The police arrested a 22-year-old individual and searched the homes of 170 other suspects in Germany; law enforcement also carried out searches in other countries, including France, the Netherlands, and Canada.

It is interesting to note that the average age of the suspects was 23.

On Wednesday, Europol announced the second phase of the operation, which took place last week, when the police targeted the international customers of the two anti-malware detection services.

“The second phase of this operation, from 5 to 9 June 2017, specifically targeted the international customers of the same two services. The following countries participated in this phase: Cyprus, Italy, the Netherlands, Norway, and the United Kingdom. Police officers searched 20 houses and 6 suspects were arrested, while 36 additional suspects have been interviewed so far. A large number of devices have also been seized. ” states the Europol.

A joint operation conducted by police in Cyprus, Norway, the Netherlands, Italy and the UK resulted in the arrest of six people and the questioning of 36 other suspects. Police searched 20 houses and, as in the first phase, seized electronic equipment and devices.

This isn’t the first time police have targeted the operators of anti-malware detection services: in November 2015 police in the United Kingdom arrested two individuals.


US Warns of 'DeltaCharlie' – A North Korean DDoS Botnet Malware
14.6.2017 thehackernews BigBrothers
The United States government has released a rare alert about an ongoing, eight-year-long North Korean state-sponsored hacking operation.
The joint report from the FBI and U.S. Department of Homeland Security (DHS) provided details on "DeltaCharlie," a malware variant used by "Hidden Cobra" hacking group to infect hundreds of thousands of computers globally as part of its DDoS botnet network.
According to the report, the Hidden Cobra group of hackers are believed to be backed by the North Korean government and are known to launch cyber attacks against global institutions, including media organizations, aerospace and financial sectors, and critical infrastructure.
While the US government has labeled the North Korean hacking group Hidden Cobra, it is often known as Lazarus Group and Guardians of Peace – the one allegedly linked to the devastating WannaCry ransomware menace that shut down hospitals and businesses worldwide.
DeltaCharlie – DDoS Botnet Malware
The agencies identified IP addresses with "high confidence" associated with "DeltaCharlie" – a DDoS tool which the DHS and FBI believe North Korea uses to launch distributed denial-of-service (DDoS) attacks against its targets.
DeltaCharlie is capable of launching a variety of DDoS attacks on its targets, including Domain Name System (DNS) attacks, Network Time Protocol (NTP) attacks, and Character Generator (CharGen) protocol attacks, i.e. floods bounced off those UDP services.
The botnet malware is capable of downloading executables on the infected systems, updating its own binaries, changing its own configuration in real-time, terminating its processes, and activating and terminating DDoS attacks.
However, the DeltaCharlie DDoS malware is not new.
DeltaCharlie was initially reported by Novetta in their 2016 Operation Blockbuster Malware Report [PDF], which described this as the third botnet malware from the North Korean hacking group, after DeltaAlpha and DeltaBravo.
Other malware used by Hidden Cobra include Destover, Wild Positron or Duuzer, and Hangman with sophisticated capabilities, including DDoS botnets, keyloggers, remote access tools (RATs), and wiper malware.
Hidden Cobra's Favorite Vulnerabilities
Operating since 2009, Hidden Cobra typically targets systems running older, unsupported versions of Microsoft operating systems, and commonly exploits vulnerabilities in Adobe Flash Player to gain an initial entry point into victim's machine.
These are the known vulnerabilities affecting various applications usually exploited by Hidden Cobra:
Hangul Word Processor bug (CVE-2015-6585)
Microsoft Silverlight flaw (CVE-2015-8651)
Adobe Flash Player 18.0.0.324 and 19.x vulnerability (CVE-2016-0034)
Adobe Flash Player 21.0.0.197 Vulnerability (CVE-2016-1019)
Adobe Flash Player 21.0.0.226 Vulnerability (CVE-2016-4117)
The simplest way to defend against such attacks is always to keep your operating system and installed software and applications up-to-date, and protect your network assets behind a firewall.
Since Adobe Flash Player is prone to many attacks, and just today the company patched nine vulnerabilities in Flash Player, you are advised to update it or remove it completely from your computer.
The FBI and DHS have provided numerous indicators of compromise (IOCs), malware descriptions, network signatures, as well as host-based rules (YARA rules) in an attempt to help defenders detect activity conducted by the North Korean state-sponsored hacking group.
"If users or administrators detect the custom tools indicative of HIDDEN COBRA, these tools should be immediately flagged, reported to the DHS National Cybersecurity Communications and Integration Center (NCCIC) or the FBI Cyber Watch (CyWatch), and given highest priority for enhanced mitigation," the alert reads.
Besides this, the agencies have also provided a long list of mitigations for users and network administrators in the alert itself.


Anti-Detection Tool Users Targeted in International Police Operation

14.6.2017 securityweek BigBrothers
Six individuals have been arrested and dozens have been interviewed as part of an international law enforcement operation targeting the users of two tools designed to help malware evade detection by security software, Europol announced on Wednesday.

The operation, codenamed Neuland, was led by Germany’s Kriminalinspektion Mayen and supported by Europol’s European Cybercrime Centre (EC3).

The first phase of this action took place in April 2016 and it targeted the operators of counter antivirus and crypter services, and their Germany-based customers. One 22-year-old individual was arrested and 170 other suspects from all regions of Germany had their homes and offices searched. Searches were also carried out at the time in France, the Netherlands and Canada.

Hundreds of desktop computers, laptops, smartphones, and storage devices were seized in the first part of the campaign. German authorities said at the time that the average age of the suspects was 23.

The second phase of the operation, announced by Europol on Wednesday, took place last week and it targeted the international customers of the same two anti-malware detection services. Police in Cyprus, Norway, the Netherlands, Italy and the United Kingdom arrested six people and questioned 36 other suspects. Officers searched 20 houses and seized a large number of devices.

At around the time of the first phase of the law enforcement operation, a report from Dell SecureWorks on underground hacker markets revealed that the price of crypters, which provide a layer of defense for the malicious core of malware, had reached $80-$440, a significant increase from 2014, when they had been sold for only up to $150.

Two individuals suspected of running similar services were also targeted by law enforcement in the United Kingdom in November 2015. A man and a woman believed to be the operators of a counter antivirus service called reFUD.me and a crypter named Cryptex Reborn were arrested.


Report Highlights Business Risks Drawn From Geopolitical Flashpoints

14.6.2017 securityweek BigBrothers
Geopolitical Cyber Risks

Flashpoint's mid-year Business Risk Intelligence Report analyzes data from geopolitics and the deep and dark web to show how threat actors and their motivations have evolved over the first six months of 2017, and to provide insight into what new threats might appear in the coming months. It comprises sections covering both the primary nation-states and the main threat sub-sections.

Russia

The report notes the continuing Russian effort to interfere with western elections; especially during the approach to the German national elections in September 2017.

The Shadow Brokers (TSB) have re-emerged from dormancy, and are generally considered to be tied to the Russian state. Internally, Russia is tightening control over dissidents and internet usage. Ruslan Stoyanov was arrested over unspecified charges relating to 'treason'. From prison, he warned the regime against "the consequences of partnering with domestic 'patriot-thieves' (cybercriminals)."

"Moscow is moving quickly towards establishing an unprecedented level of information control within the country's borders" warns Flashpoint, "...cementing the state's authority over online activities."

China

Chinese state-sponsored activity has remained low following the Xi-Obama agreement made in September 2015. Nevertheless, there has been some activity. In early March, a DHS report described activity under the 'Pleasantly Surprised' campaign spear-phishing commercial entities in the financial, retail and technology sectors. APT10 was also linked to a campaign targeting the National Foreign Trade Council around the time of the US/China summit in early April. Other probable Chinese activities included attacks against MSSPs and attempts to compromise South Korea's Terminal High Altitude Area Defense (THAAD) anti-ballistic missile system.

Flashpoint notes that China remains a potent cyber force, but seems to have turned the focus of its attention to Asian and geographically nearby targets. Internally it continues to increase control over cyber activities with new regulations on data flows and VPNs.

Five Eyes

The Five Eyes group of nations is described as the "pinnacle of cyber capabilities of all actors in cyberspace" -- but one that is not considered a 'threat actor' to other western nations. However, the NSA continues to be embarrassed by the TSB leaks, while the CIA has been embarrassed by WikiLeaks' Vault7 leaks. However, "Despite the synchronicity between the ShadowBrokers releases and the Wikileaks dump, there is no known connection between the two," says Flashpoint.

Iran

Iran is described as a 'moderately-capable threat actor in cyberspace', and one that has concentrated on exploiting vulnerabilities in critical infrastructure systems. While it has been relatively quiet in recent months, Flashpoint warns that any attempt by the US Administration to dismantle the Iranian nuclear accord is likely "to be accompanied by renewed Iranian efforts in the cyber domain." However, for the moment, it believes that the "re-election of Iranian President Hassan Rouhani is likely to have a stabilizing effect on Iranian cyber activities."

North Korea

North Korea is considered to be a potent threat, but one that has been relatively quiet this year following China's apparent withdrawal of political support. Nevertheless, there have been at least two spear-phishing campaigns: one against South Korean research organizations, and the other against North Korean defectors.

The report notes the suggested links of the WannaCry ransomware to the North Korean Lazarus Group. Its own findings suggest a Chinese-speaking author; but adds these two findings are not mutually exclusive.

Geopolitically, the Trump administration has said, the "era of strategic patience is over." Flashpoint concludes, "The North's current apparent quiescence in cyberspace may come to a swift end in the event that the United States reacts strongly to the country's sixth nuclear test, for which many analysts believe that Pyongyang is preparing."

Just this week, US-CERT released a technical alert on behalf of the DHS and the FBI to warn organizations of North Korea’s “Hidden Cobra” activities, particularly distributed denial-of-service (DDoS) attacks.

Disruptive and Attention-Seeking Actors

Such actors have been quieter than usual during the first half of 2017. Flashpoint believes it may be because they are starved of publicity due to the media's current focus on the new administration and the FBI/Russia probe. Other reasons may be industry's improving security stance and, for example, the increased awareness among police departments of SWATTING techniques.

Cybercriminals

Cybercriminals are continuing to innovate and evolve. The switch from targeting individuals to targeting organizations continues, and the focus on targeting healthcare remains. "Flashpoint has observed a variety of actors such as "svako," "hackworld," "covrig3500," and more targeting healthcare clinics across the United States in efforts to monetize the stolen data."

Business Email Compromise (BEC) is growing. In April, Google and Facebook became victims in a scam that netted $100 million for the scammers.

Hacktivists

Flashpoint notes a decline in western hacktivism. "Thus far in 2017," it says, "the hacktivist landscape has been dominated by a small subset of largely-ineffectual hacktivist operations linked to the Anonymous collective, as well as activity emanating out of Turkey and China in particular."

Jihadi Actors

Jihadi actors have shown little growth in technical skill over the first half of 2017. "Due to the lack of technical acumen within most jihadi hacker groups, their victims tend to be poorly-defended or smaller, low-hanging-fruit websites." The most active hacker group is the United Cyber Caliphate (UCC) which has called for all pro-ISIS hackers to unite under one banner, including the newly-created "Caliphate Cyber Terrorism Army (CCTA)." There is, however, no evidence that the group is directed or supported by ISIS itself. It has also suffered from the loss of at least three of its leaders to US airstrikes -- the most recent being Osed Agha in March 2017, and the most notable being Junaid Hussain, or "TriCk" of TeaMp0isoN.

The physical threat to western nations has, however, increased. As the strength of the ISIS Caliphate has dwindled, it has turned to recruiting and encouraging the "lone mujahid in the West." Although not mentioned by Flashpoint as part of this report, this has led to increasing demands from western governments to curb end-to-end encryption, and for the social media giants to co-operate more closely with government.

Flashpoint believes that a deeper understanding of geopolitics and the interaction with cyber threats can help business better prepare for both current and future threats.


U.S. Warns of North Korea's 'Hidden Cobra' Attacks

14.6.2017 securityweek  BigBrothers
The United States Computer Emergency Readiness Team (US-CERT) released a technical alert on Tuesday on behalf of the DHS and the FBI to warn organizations of North Korea’s “Hidden Cobra” activities, particularly distributed denial-of-service (DDoS) attacks.

The threat actor dubbed by the U.S. government “Hidden Cobra” is better known in the infosec community as Lazarus Group, which is believed to be behind several high-profile attacks, including the ones targeting Sony Pictures, Bangladesh’s central bank, and financial organizations in Poland. Links have also been found between the threat actor and the recent WannaCry ransomware attacks, but some experts are skeptical.

The joint alert from the FBI and the DHS provides indicators of compromise (IoC) associated with a botnet known as “DeltaCharlie.” The North Korean government has allegedly used DeltaCharlie, which has been detailed in Novetta’s “Operation Blockbuster” report, to launch DDoS attacks.

“DeltaCharlie is a DDoS tool capable of launching Domain Name System (DNS) attacks, Network Time Protocol (NTP) attacks, and Character Generation Protocol attacks,” US-CERT said. “The malware operates on victims’ systems as a svchost-based service and is capable of downloading executables, changing its own configuration, updating its own binaries, terminating its own processes, and activating and terminating denial-of-service attacks.”

US-CERT has shared information on exploits, malware, IP addresses, file hashes, network signatures, and YARA rules associated with Hidden Cobra in an effort to help defenders detect the group’s attacks. However, it noted that “further research is needed to understand the full breadth of this group’s cyber capabilities.”

The agency warned that, in some cases, the DDoS malware was present on victims’ networks for a significant period of time.

Network administrators have been advised to follow a series of recommendations for mitigating attacks and responding to unauthorized network access.

While North Korea is believed to be responsible for several major cyberattacks, experts have also observed sophisticated attacks aimed at the country. Last month, Cylance reported seeing a new fileless attack that seemed to have Chinese origins, and Cisco detailed a RAT used to spy on organizations linked to North Korea.
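The DNS, NTP and CharGen "attacks" that both this alert and the earlier "US Warns of 'DeltaCharlie'" article attribute to the botnet are reflection floods: a bot sprays small, source-spoofed UDP requests at many open resolvers, NTP servers or CharGen services, and those services answer the spoofed victim with much larger responses. The detector below is an added example written for this page, not code from US-CERT, Novetta or the alert's own YARA rules. It parses constructed flow records (the whitespace-separated field layout is an assumption, not a real NetFlow export), flags internal hosts that look like request-spraying bots, and separately flags hosts that are receiving the amplified responses; the thresholds are assumptions to be tuned per network.

```python
"""Reflection/amplification DDoS detection over flow records (added example).

Two views of the same attack class that DeltaCharlie is described as launching:
  * a bot inside the network sends many small UDP requests to distinct
    DNS/NTP/CharGen servers (the reflectors);
  * a victim receives large UDP responses from many distinct reflectors.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services abused as reflectors, keyed by the service port.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 19: "CharGen"}


@dataclass
class Flow:
    ts: float
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    packets: int
    bytes: int


def parse_flows(text):
    """Parse 'ts src dst proto sport dport packets bytes' lines; '#' lines are comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, proto, sport, dport, packets, nbytes = line.split()
        flows.append(Flow(float(ts), src, dst, proto, int(sport), int(dport),
                          int(packets), int(nbytes)))
    return flows


def find_reflection_sources(flows, min_reflectors=20, max_req_bytes=120):
    """Hosts sending small UDP requests to many distinct servers of one reflector
    service: what an infected bot looks like from inside the network."""
    targets = defaultdict(set)  # (src host, service) -> distinct reflector IPs
    for f in flows:
        svc = REFLECTOR_PORTS.get(f.dport)
        if f.proto == "UDP" and svc and f.bytes / f.packets <= max_req_bytes:
            targets[(f.src, svc)].add(f.dst)
    return [{"host": src, "service": svc, "reflectors": len(dsts)}
            for (src, svc), dsts in sorted(targets.items())
            if len(dsts) >= min_reflectors]


def find_reflection_victims(flows, min_reflectors=20, min_resp_bytes=400):
    """Hosts receiving large UDP responses from many distinct reflector servers:
    the amplified flood as seen at the victim's edge."""
    hits = defaultdict(lambda: [set(), 0])  # (dst host, service) -> [reflector IPs, bytes]
    for f in flows:
        svc = REFLECTOR_PORTS.get(f.sport)
        if f.proto == "UDP" and svc and f.bytes / f.packets >= min_resp_bytes:
            entry = hits[(f.dst, svc)]
            entry[0].add(f.src)
            entry[1] += f.bytes
    return [{"host": dst, "service": svc, "reflectors": len(srcs), "bytes": total}
            for (dst, svc), (srcs, total) in sorted(hits.items())
            if len(srcs) >= min_reflectors]


# Constructed sample flows (not real traffic): a bot spraying NTP requests,
# benign DNS lookups to two corporate resolvers, and a CharGen flood on a victim.
SAMPLE_FLOWS = "\n".join(
    ["# ts src dst proto sport dport packets bytes"]
    + [f"{1000 + i} 10.0.0.7 198.51.100.{i} UDP {40000 + i} 123 1 60" for i in range(30)]
    + [f"{1000 + i} 10.0.0.5 10.0.0.{53 + i % 2} UDP {50000 + i} 53 1 70" for i in range(10)]
    + [f"{2000 + i} 203.0.113.{i} 10.0.0.9 UDP 19 {30000 + i} 40 48000" for i in range(25)]
)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("likely bots:   ", find_reflection_sources(flows))
    print("likely victims:", find_reflection_victims(flows))
```

On the constructed data the ten benign DNS lookups from 10.0.0.5 go to only two resolvers and stay under the reflector-count threshold, while the NTP spray from 10.0.0.7 and the CharGen flood on 10.0.0.9 are both reported; lowering `min_reflectors` too far would start flagging ordinary resolver traffic, which is the tuning trade-off a real deployment has to make.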


Israeli Intelligence Discovered IS Plans for Laptop Bomb: Report

13.6.2017 securityweek BigBrothers

Israeli government spies hacked into the operations of Islamic State bombmakers to discover they were developing a laptop computer bomb to blow up a commercial aircraft, the New York Times reported Monday.

The Times said the work by Israeli cyber operators was a rare success of western intelligence against the constantly evolving, encryption-protected and social-media-driven cyber operations of the extremist group.

It said the Israeli hackers penetrated the small Syria-based cell of bombmakers months ago, an effort that led to the March 21 ban on carry-on laptops and other electronics larger than cellphones on direct flights to the United States from 10 airports in Turkey, the Middle East and North Africa.

The Israeli cyber-penetration "was how the United States learned that the terrorist group was working to make explosives that fooled airport X-ray machines and other screening by looking exactly like batteries for laptop computers," the Times said.

The intelligence was so good that the detonation method for the bombs was understood, the Times said, citing two US officials familiar with the operation.

Following the US laptop ban, Britain announced a similar prohibition for flights originating from six countries.

Israel's contribution to the intelligence on the laptop bombs became public after President Donald Trump revealed details on it to Russian Foreign Minister Sergei Lavrov in a May 10 White House meeting.

Trump's disclosure "infuriated" Israeli officials, according to the Times.


Egypt blocks dozens of websites including ‘Medium’ without any official announcement
12.6.2017 securityaffairs BigBrothers
The Egyptian government blocked a number of websites in Egypt, including the publishing platform Medium, without any official announcement.
Egyptian users of the online publishing platform Medium were not able to access the service from their country. Readers and bloggers using both the desktop site and the mobile app suffered access problems; the reason for the blackout is still unclear, but privacy advocates fear government censorship.

Recently the Egyptian government blocked several news websites, including MadaMasr, Daily News Egypt, Al Borsa, Al Jazeera, Huffington Post Arabic and others, for allegedly supporting terrorism and the Muslim Brotherhood.

From 24 May to 11 June, several websites that are licensed to operate in Egypt have been blocked, a measure considered a violation of Article 57, which stipulates the freedom of the media and the public’s right to know and to access information.

Officially the Medium service was up and running, and there was no report of an outage across the world in the previous 24 hours, so it is likely that the website was blocked only in Egypt.


Below a screenshot of the error page displayed to the users while trying to access Medium.com from Egypt.

Below is the tweet sent by Radio Sawa Washington correspondent Zaid Benjamin about the alleged blockage.

Zaid Benjamin (@zaidbenjamin), 1:11 AM - 11 Jun 2017:
“Reports of #Egypt blocking Medium, online publishing platform, which is used by pro-Muslim Brotherhood websites to bypass government block.”

Medium bloggers and readers in Egypt expressed frustration over the blockage operated by the government.

Hossam Bahgat (@hossambahgat), 9:26 PM - 10 Jun 2017:
“So today #Egypt also blocked @Medium bringing the number of sites blocked this month to 41 including @MadaMasr”
“Blocking of websites in Egypt has continued with the ban of the online publishing platform “Medium” on Saturday.” states the Egyptianstreets.com.

“Al Bedaiah and El Badil news sites have been blocked on Sunday raising the number of blocked websites to 57, according to the Association of Freedom of Thought and Expression (AFTE).

In a span of 3 weeks, an unknown body gradually blocked news websites including independent news website “Mada Masr” and the privately-owned Daily News Egypt.”

According to AFTE’s report, blocking tests conducted by the researchers suggest that Internet traffic may be monitored on the Vodafone network.

“AFTE has tested the accessibility of blocked sites through a variety of Internet service providers in Egypt (TE Data, Vodafone, Orange, Etisalat, LINKdotNET, NOOR). The association has used the Tor browser, various proxy services and websites, and VPN service to make sure that the sites work outside of Egypt.” states the report. “During OONI blocking tests, the (HTTP Invalid Request Line) test showed data that might indicate Internet monitoring on Vodafone network. The result shows that, based on the technique used in this test, the use of three spy software (BlueCoat, Squid, Privoxy) in 11 different countries, was detected.”
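The OONI “HTTP Invalid Request Line” test that AFTE cites works by sending deliberately malformed HTTP request lines to an echo service: a clean path returns the bytes unchanged, while a transparent proxy such as Squid or BlueCoat parses the request, rejects it, and answers with its own error page, which is what reveals the middlebox. The script below is an added, simplified re-implementation written for this page, not OONI’s or AFTE’s code. It runs entirely against two constructed local servers, one echoing and one imitating a proxy’s error response; the set of malformed lines, the `Server: squid` header and the port handling are assumptions made for the demonstration.

```python
"""Simplified HTTP-invalid-request-line middlebox probe (added example).

A tampering middlebox is inferred when the bytes that come back from the
echo service differ from the bytes that were sent.
"""
import random
import socket
import string
import threading


def random_token(n):
    alphabet = string.ascii_letters + string.digits
    return "".join(random.choice(alphabet) for _ in range(n))


def invalid_request_lines():
    """Malformed request lines in the spirit of the OONI test (assumed set)."""
    return [
        f"{random_token(4)} / HTTP/1.1\r\n\r\n",                              # unknown method
        f"GET / HTTP/{random.randint(2, 9)}.{random.randint(0, 9)}\r\n\r\n",  # bogus version
        f"{random_token(1024)}\r\n\r\n",                                       # oversized junk line
        f"GET / {random_token(4)}/1.1\r\n\r\n",                                # bogus protocol name
    ]


def _recv_until_blank_line(conn, limit=65536):
    buf = b""
    while b"\r\n\r\n" not in buf and len(buf) < limit:
        chunk = conn.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


def serve(handler, host="127.0.0.1"):
    """Start a background TCP server on an ephemeral port; each connection's
    request is passed to handler(bytes) -> bytes. Returns (port, stop_fn)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(8)
    srv.settimeout(0.2)
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(handler(_recv_until_blank_line(conn)))
        srv.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1], stop.set


def echo_handler(data):
    """Clean path: an echo service returns exactly what was sent."""
    return data


def proxy_handler(data):
    """Constructed stand-in for a transparent proxy: it parses the request
    line, rejects it, and replies with its own error instead of relaying."""
    return b"HTTP/1.1 400 Bad Request\r\nServer: squid\r\nConnection: close\r\n\r\n"


def probe(host, port, timeout=2.0):
    """Send each malformed line; tampering is flagged if any reply differs
    from what was sent. Returns (tampering_detected, per-line details)."""
    details = []
    for line in invalid_request_lines():
        sent = line.encode()
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(sent)
            got = _recv_until_blank_line(s)
        details.append({"sent": sent, "received": got, "match": got == sent})
    return (not all(d["match"] for d in details)), details


def run_demo():
    """Probe both constructed servers; returns {server name: tampering flag}."""
    results = {}
    for name, handler in (("clean echo", echo_handler), ("transparent proxy", proxy_handler)):
        port, stop = serve(handler)
        try:
            results[name] = probe("127.0.0.1", port)[0]
        finally:
            stop()
    return results


if __name__ == "__main__":
    for name, tampered in run_demo().items():
        print(f"{name}: middlebox detected = {tampered}")
```

Against a real network the echo endpoint would be a remote service the tester controls, and a mismatch only proves that something in the path rewrote the request; identifying which product did so (the report names BlueCoat, Squid and Privoxy) relies on the fingerprint of the injected error page, such as its `Server` header.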

Several members of the press syndicate expressed their opposition to the ban decision.


US Defense is working on new multifactor authentication systems
11.6.2017 securityaffairs BigBrothers

DARPA is currently developing a multifactor authentication system that will replace the current common access card (CAC).
According to a report published by American Security Today, the DARPA High-Assurance Cyber Military Systems (HACMS) program is designing technology for the creation of safe and secure cyber-physical systems.

The multifactor authentication system under development is intended to replace the current common access card (CAC), which provides two-factor authentication.

The solution will verify the identity of the person using biometrics and behavioral analysis.

Behavioral analysis is based on the concept of “patterns of life,” an individual is identified by analyzing his actions and comparing them to a database of habits.

“The new system will employ behavioral analysis and biometrics to ensure that the identity of the person using the network is verified. This probably would feature “patterns of life,” in which a person’s actions are compared to their established habits, Gen. Lynn relates.” states Americansecuritytoday.com.


The Department of Defense (DoD) plans to adopt multi-factor authentication solutions including biometrics and other “patterns of life” technologies to replace access cards in the next months.

In April, Alfred Rivera, Defense Information Systems Agency (DISA) director at that time, confirmed that the agency was analyzing different solutions from several vendors and that it was searching for innovative technologies.

Lt. Gen. Alan R. Lynn, who leads DISA and Joint Force Headquarters, Department of Defense Information Network (JFHQ-DODIN), announced that both agencies are searching for any solutions that could help them stay ahead of cyber adversaries.

“The cyber battlefield is growing, it’s unending and it’s 24/7, and we have to keep a constant eye on it, and any tools that industry can bring, we’re interested in,” said Gen. Alan R. Lynn.

“If there is some technology that would allow us to provide more bandwidth, more capability, we’re interested in that as well.”

DISA representatives will discuss new cyber tools for the creation of safe and secure cyber-physical systems at the AFCEA International’s Defensive Cyber Operations Symposium, to be held June 13-15 at the Baltimore Convention Center.


Comey hearing: Former FBI director talks about Russia interference in US Presidential Election
9.6.2017 securityaffairs BigBrothers

Former FBI Director Comey hearing: Comey has ‘no doubt’ about Russia’s involvement in the cyber attacks against the 2016 US Presidential Election.
James Comey today testified before the Senate Intelligence Committee that he believes the Russian government is behind the cyber attacks aimed at interfering with the 2016 US election.
Former FBI Director James Comey today declared he has “no doubt” about the involvement of the Russian government in the cyber attacks against Hillary Clinton’s presidential campaign and the Democratic Party.


When Sen. Richard Burr (R-NC) posed the question, “Do you have any doubt that the Russian government was behind the intrusions” of the email accounts, Comey replied: “No, no doubt,” reported the Washington Post.

Comey also added that there is no indication of alleged tampering of the ballots.

“I’d seen no indication of that whatsoever” before he was dismissed last month, Comey added.

According to The Washington Post, Comey also said that President Trump never asked him to abandon the investigation nor that any government official asked him to cover up the case and suspend the investigation.

“No,” he told Burr.
Former FBI Director James B. Comey explained he was surprised by Trump’s behavior, as the President had always appreciated his work at the Bureau.

Comey was surprised to hear Trump say that he had fired the Director while thinking about Russia.

“Comey also said he was surprised to hear the White House claim he was dismissed for his handling of the Hillary Clinton email probe,” states the Washington Post.

“The administration then chose to defame me and more importantly the FBI by saying that the organization was in disarray,” Comey said. “That it was poorly led. That the workforce had lost confidence in its leader. Those were lies, plain and simple.”

When asked why President Trump suddenly fired him last month, Comey explained that the Russia investigation may have played a significant role.

“It’s my judgment that I was fired because of the Russia investigation,” Comey said. “I was fired in some way to change, or the endeavor was to change, the way the Russia investigation was being conducted.”
Washington Post (@washingtonpost), 8 Jun 2017: “Comey describes being ‘confused’ by firing, ‘lies’ about FBI being in disarray”
Comey said he was ‘defamed’ by President Trump and the White House.
“The administration then chose to defame me and more importantly the FBI by saying that the organization was in disarray, that it was poorly led,” Comey said. “Those were lies, plain and simple. And I’m so sorry that the FBI workforce had to hear them, and I’m so sorry the American people were told them.”


Arrest in NSA News Leak Fuels Debate on Source Protection

8.6.2017 securityweek BigBrothers
It was a major scoop for The Intercept -- documents suggesting a concerted Russian effort to hack US election systems -- but the online news site is drawing fire in media circles following the arrest of the alleged source of the leak.

The Intercept, the investigative arm of the First Look Media organization created by eBay founder Pierre Omidyar, is being criticized for sharing information which may have led to the arrest this week of National Security Agency contractor Reality Leigh Winner.

Winner, 25, was arrested and accused of mailing classified NSA documents to "a news outlet," according to the US Justice Department, which said an investigation showed she had printed and shared the investigative report.

Did the news organization unwittingly provide clues to the government that led authorities to Winner? Some media analysts say the journalists were careless at best.

Some of the harshest criticism came from Washington Post reporter Barton Gellman, who called the case a "catastrophic failure of source protection" and argued that The Intercept "made egregious mistakes that doomed its source."

"It handed USG (US government) a color copy of original doc & told a clearance-holding contractor the doc was mailed from Augusta. Where source lived," tweeted Gellman, a two-time Pulitzer Prize winner who was part of a team reporting from documents leaked by former NSA contractor Edward Snowden.

Jake Swearingen, a technology writer for New York Magazine, said Winner made her own missteps by printing the documents in a way that could be tracked and mailing them to The Intercept.

But Swearingen added that The Intercept may have sealed Winner's fate by showing the document to a government official as part of an effort to verify its authenticity.

"It's quite reasonable for The Intercept to seek confirmation," Swearingen wrote. "But revealing the Augusta, Georgia, postmark to the third-party source clearly helped the government build its case."

The Intercept said in a statement the NSA document "was provided to us completely anonymously" and added that "we have no knowledge of the identity of the person who provided us with the document."

The news organization, which is headed by investigative reporter Glenn Greenwald, who was part of the team that first published the Snowden documents, cautioned against drawing any conclusions from FBI assertions on how it tracked Winner.

"Winner faces allegations that have not been proven. The same is true of the FBI’s claims about how it came to arrest Winner," the statement said.

- Connecting the dots -

Robert Graham of Errata Security said Winner may have been tracked by nearly invisible dots from the printer used that can determine who used the machine.

"Because the NSA logs all printing jobs on its printers, it can use this to match up precisely who printed the document," Graham said in a blog post.

"When they print things out, they include these invisible dots, so documents can be tracked," Graham wrote, calling it "a violation of our (constitutional) rights."

Dan Gillmor, an Arizona State University journalism professor who blogs about media, said the case calls for more scrutiny.

"Hoping @theintercept will do a thorough self-examination of its source protection, or lack of it -- and make results loudly public."

Some were less charitable.

John Kiriakou, a former CIA analyst who went to jail after leaking information on US torture and waterboarding, tweeted "@theintercept should be ashamed of itself. (Reporter) Matthew Cole burns yet another source. It makes your entire organization untrustworthy."

WikiLeaks, the organization which is a conduit for secret documents, said it was offering a $10,000 reward "for information leading to the public exposure & termination of this 'reporter.'"

Others said that focusing on the role of the news organization distracts from the more important question of whether the leak related to a matter of public interest.

Snowden, who has been given asylum in Russia and is also facing prosecution for divulging secret documents, said it is inappropriate to use the Espionage Act to prosecute "whistleblowers" who reveal important news to media.

"The prosecution of any journalistic source without due consideration by the jury as to the harm or benefit of the journalistic activity is a fundamental threat to the free press," Snowden said in a blog post.

Dan Kennedy, a Northeastern University journalism professor, said most sources of leaked information understand they will eventually face consequences.

Winner "does have an argument to make that what she did was in the public interest, but I don't know if she can convince a jury of that," Kennedy said.


ICIT Calls for Legislation to Enforce Encryption on Government Agencies

8.6.2017 securityweek BigBrothers

The starting point for a new study from the Institute for Critical Infrastructure Technology is not new: "There are only two types of networks, those that have been compromised and those that are compromised without the operator's awareness." Since it is impossible to defend the network, the solution is surely to defend the data. Here encryption can offer something more like a guarantee of security.

The study (PDF) is primarily directed at government networks, where it suggests "federal government breaches have eroded the public's confidence in the federal entities' ability to secure sensitive systems and data against adversarial compromise."

But just as it is self-evident that networks are regularly breached, so it is self-evident that encryption is not always used. An example presented by the study, that both demonstrates the absence of encryption and the misguided argument for not using it, can be found in the massive OPM breach of 2015. Here a series of breaches led to the theft of 4.2 million personal records and 21.5 million SF-86 forms -- the effect of which may be felt for many years to come.

OPM did not use best security practices. Most shockingly, the stolen data had not been encrypted. According to former OPM Chief Information Officer Donna Seymour, "Some legacy systems may not be capable of being encrypted." It is this supposition and attitude that the report's author, James Scott, says is not correct.

"Data," he claims, "can be encrypted on both legacy and modern systems using advanced encryption methodologies such as the Format Preserving Encryption (FPE) derivative of the AES algorithm."

But he takes his argument one step further: "Since agencies and other public entities have habitually failed to secure citizens' data, legislators and regulators must intervene to ensure that local, state, and federal entities possess the resources to secure and eventually modernize their architectures, and they must mandate that organizations secure data at-rest, in-transit, and during-processing to the best of their capabilities, according to available technologies, such as Format Preserving Encryption, and according to established legislation and regulation."

This is a complex issue. Security heads in government agencies are already required to update antiquated (legacy) systems, and to employ best security practices. Agency heads, says last month's presidential cybersecurity executive order, will "be held accountable by the President for ensuring that cybersecurity risk management processes are aligned with strategic, operational, and budgetary planning processes, in accordance with chapter 35, subchapter II of title 44, United States Code."

It is noticeable that the executive order never once specifies the use of encryption. Is this an oversight; is it not considered as important as the ICIT claims; or is it simply too difficult or too costly for government agencies? Or is the use of encryption already implied in this and other existing requirements for government agencies?

Certainly, it is already required. "Federal agencies are required to use encryption by the Cybersecurity Act of 2015," Luther Martin, distinguished technologist at HPE, told SecurityWeek. "They use it, but not in meaningful ways. The main threats that they face are APT/malware. The main types of encryption that they use are TLS, full-disk encryption and transparent database encryption, none of which do anything useful against APT/malware."

This could have been rectified in the executive order, but was not. "For the Trump EO," continued Martin, "remember that encryption is a niche within a niche, security being a small part of IT spending and encryption being a small part of security spending. So, the most likely explanation is that it's just too small of a part to worry about at that level."

This view is supported by Ted Pretty, CEO and MD at Covata. "Encryption is a very powerful security tool, but is one part of an overall regime of security controls," he told SecurityWeek. "There may be other ways of mitigating risk that better suit some systems -- for example, better authentication and policy controls -- and this is probably why the executive order did not specifically reference encryption. Perhaps the reference to systems also refers to system condition at the network, infrastructure, platform and data level."

But the two basic arguments of the ICIT paper remain. Is FPE the right and adequate solution for legacy government databases, and should comparable encryption be explicitly required by law?

The advantage of FPE, suggests ICIT, is that it can granularly encrypt individual fields without altering the basic data format. This means that data can be moved between different databases while still encrypted. Furthermore, "FPE can leave a small portion of the data deciphered so that it can be used for identification and processing, but it cannot be used to compromise the user. A familiar example of this is being able to see the last four digits of the SSN or credit card number in private sector transactions. The government sector can similarly de-identify sensitive information without necessarily overhauling existing infrastructure."

Is this the right solution? "Yes," says Martin. "FPE really is as good as it sounds. Legacy environments are tricky and expensive to deal with. Perhaps very tricky and very expensive. Using FPE lets you adapt the data to the network instead of adapting the network to the encrypted data. If you're lucky enough to have an all-post-dot-com IT infrastructure then FPE may not matter to you. But to most of the world, it's a fantastic innovation."
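To make the mechanism the ICIT paper and Martin describe concrete, here is an added Python sketch (not code from ICIT, HPE or any vendor) of a format-preserving cipher over decimal digits: a keyed Feistel network whose output is a digit string of the same length, applied so that field separators and the last four digits stay readable. It generalizes the SSN example in the text to any digit field with separators, such as a card number; the construction is a teaching toy rather than NIST FF1/FF3, and the key, field values and function names are constructed for this example.

```python
import hashlib
import hmac

ROUNDS = 8  # even, so the two half-lengths return to their starting order
DEMO_KEY = b"constructed-demo-key-not-for-real-use"  # constructed for the example


def _round_function(key: bytes, tweak: str, round_no: int, half: str, modulus: int) -> int:
    """Keyed PRF for one Feistel round: HMAC-SHA256 over (tweak, round, other half)."""
    msg = tweak.encode() + bytes([round_no]) + half.encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % modulus


def fpe_encrypt_digits(key: bytes, digits: str, tweak: str = "") -> str:
    """Encrypt a decimal string to a decimal string of the same length.

    Toy Feistel construction over the digit alphabet (NOT NIST FF1/FF3); the
    point is that the ciphertext fits wherever the plaintext fit.
    """
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("need at least two decimal digits")
    split = len(digits) // 2
    left, right = digits[:split], digits[split:]
    for rnd in range(ROUNDS):
        width = len(left)
        modulus = 10 ** width
        mixed = (int(left) + _round_function(key, tweak, rnd, right, modulus)) % modulus
        left, right = right, str(mixed).zfill(width)
    return left + right


def fpe_decrypt_digits(key: bytes, digits: str, tweak: str = "") -> str:
    """Inverse of fpe_encrypt_digits: run the rounds backwards, subtracting the PRF."""
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("need at least two decimal digits")
    split = len(digits) // 2
    left, right = digits[:split], digits[split:]
    for rnd in reversed(range(ROUNDS)):
        width = len(right)
        modulus = 10 ** width
        original = (int(right) - _round_function(key, tweak, rnd, left, modulus)) % modulus
        left, right = str(original).zfill(width), left
    return left + right


def _transform_field(key: bytes, value: str, keep_last: int, fn) -> str:
    """Apply fn to every digit of `value` except the last keep_last, leaving
    separators (hyphens, spaces) and the trailing digits exactly where they were.
    The visible tail doubles as the tweak, so identical leading digits behind
    different tails do not produce identical ciphertext."""
    positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    digits = "".join(value[i] for i in positions)
    cut = len(digits) - keep_last
    if keep_last < 0 or cut < 2:
        raise ValueError("not enough digits to encrypt")
    head, tail = digits[:cut], digits[cut:]
    replaced = fn(key, head, tail) + tail
    out = list(value)
    for pos, ch in zip(positions, replaced):
        out[pos] = ch
    return "".join(out)


def protect_field(key: bytes, value: str, keep_last: int = 4) -> str:
    """Encrypt an SSN or card number in place; a legacy CHAR(11) column still validates."""
    return _transform_field(key, value, keep_last, fpe_encrypt_digits)


def unprotect_field(key: bytes, value: str, keep_last: int = 4) -> str:
    """Recover the original field from protect_field output with the same key."""
    return _transform_field(key, value, keep_last, fpe_decrypt_digits)


if __name__ == "__main__":
    # Constructed sample records; the card number is the usual 4111... test value.
    for sample in ("123-45-6789", "4111 1111 1111 1111"):
        enc = protect_field(DEMO_KEY, sample)
        # Same length, same separators, same last four digits, different leading digits.
        print(f"{sample!r:24} -> {enc!r:24} -> {unprotect_field(DEMO_KEY, enc)!r}")
```

A five-digit head is a domain of only 100,000 values, so the key must be kept away from anyone who can submit chosen plaintexts; that is why FPE protects data at rest against exfiltration rather than replacing access control.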

"Encryption is unique," concludes the ICIT paper, "in that it is the only solution that definitely impedes an adversary's ability to exploit exfiltrated data... For the sake of consumers, critical infrastructure, and national security, public and private organizations must at least encrypt their data; even if legislators and regulators have to mandate encryption requirements."

According to Martin, the existing requirements of the Cybersecurity Act of 2015 are not sufficient, and "this is unlikely to change without additional legislation," he says. A combination of FPE and explicit encryption legislation, says the ICIT, is what is needed to restore the public's faith in government agencies' use of personal data.


US intelligence officials believe Russian Hackers are behind the Qatar hack
8.6.2017 securityaffairs BigBrothers
US intelligence officials believe Russia-linked hackers are behind the Qatar hack and used a false news story to prompt a diplomatic crisis in the Gulf area.
Russian hackers planted a false news story that triggered the crisis in the Gulf between Qatar and other states, including Saudi Arabia, the United Arab Emirates, Egypt and Bahrain, which cut ties with the country.

According to the US security agencies, Russian hackers were behind the intrusion reported by the Qatari government two weeks ago.

“The alleged involvement of Russian hackers intensifies concerns by US intelligence and law enforcement agencies that Russia continues to try some of the same cyber-hacking measures on US allies that intelligence agencies believe it used to meddle in the 2016 elections,” states CNN.
The Gulf states accuse Qatar of supporting extremist groups, but the Qatari government denies the allegations.

Qatar asked the US for help, and a team of FBI experts went to the country in late May to find evidence of the attack and identify its author.

“Sheikh Saif Bin Ahmed Al-Thani, director of the Qatari Government Communications Office, confirmed that Qatar’s Ministry of Interior is working with the FBI and the United Kingdom’s National Crime Agency on the ongoing hacking investigation of the Qatar News Agency,” reported CNN.

The crisis escalated after the so-called Qatar hack, in which cyber attacks hit Qatar’s state-run news agency. Qatar faced an unprecedented security breach: unknown attackers posted fake news stories attributed to its ruler on highly sensitive regional political issues.


The hackers hit the Qatar official news agency website and Twitter account, causing serious problems for the country.

Hackers shared fake statements attributed to Emir Sheikh Tamim bin Hamad Al-Thani on topics including the Palestinian-Israeli conflict, tensions with the Trump administration, strategic relations with Iran, and Hamas.

“The Qatar News Agency website has been hacked by an unknown entity,” reported the Communications Office in a statement.

“A false statement attributed to His Highness has been published.”

Hackers also published on the hijacked Twitter account a fake story in Arabic, apparently from the country’s foreign minister, Mohammed bin Abdulrahman Al-Thani, about Qatar withdrawing its ambassadors from several other countries in the Gulf.

Qatari Foreign Minister Sheikh Mohammed Bin Abdulrahman al-Thani told CNN that the FBI experts confirmed the hack and the spreading of fake news via the hijacked social media account.

“Whatever has been thrown as an accusation is all based on misinformation and we think that the entire crisis being based on misinformation,” he told CNN.

“Because it was started based on fabricated news, being wedged and being inserted in our national news agency which was hacked and proved by the FBI.”

“The Ministry of Interior will reveal the findings of the investigation when completed,” he told CNN.
Although Qatar is considered a good ally of the US because of its support for the US military in the region, Trump did not rule out that the state was funding extremism.

In the following tweet, Trump expressed his approval of the regional blockade as an effort to stop terrorist funding.
Donald J. Trump (@realDonaldTrump), 6 Jun 2017: “So good to see the Saudi Arabia visit with the King and 50 countries already paying off. They said they would take a hard line on funding...”
After Trump’s tweets, the US State Department announced that Qatar had made significant progress on stemming the funding of terrorists but that there was more to do.


Russian Hackers 'Planted False Story' Behind Mideast Crisis

7.6.2017 securityweek BigBrothers
US intelligence officials believe Russian hackers planted a false news story that led Saudi Arabia and several allies to sever relations with Qatar, prompting a diplomatic crisis, CNN reported Tuesday.

FBI experts visited Qatar in late May to analyze an alleged cyber breach that saw the hackers place the fake story with Qatar's state news agency, the US broadcaster said.

Saudi Arabia then cited the false item as part of its reason for instituting a diplomatic and economic blockade against Qatar, the report said.

Qatar's government said the May 23 news report attributed false remarks to the emirate's ruler that appeared friendly to Iran and Israel, and questioned whether US President Donald Trump would last in office, according to CNN.

Qatari Foreign Minister Sheikh Mohammed Bin Abdulrahman al-Thani told the broadcaster that the FBI has confirmed the hack and the planting of fake news.

"Whatever has been thrown as an accusation is all based on misinformation and we think that the entire crisis is being based on misinformation," he told CNN.

"It was started based on fabricated news, being wedged and being inserted in our national news agency, which was hacked and proved by the FBI," he added.

If accurate, the allegations would indicate Russian efforts to undermine US foreign policy, building on US intelligence concerns that Russian hackers attempted to influence last year's presidential election, won by Trump. The Kremlin denies meddling.

Saudi Arabia, Egypt, the United Arab Emirates and Bahrain announced Monday they were severing diplomatic relations and closing air, sea and land links with Qatar.

They accused the tiny Gulf state of harboring extremist groups and suggested Qatari support for the agenda of Saudi Arabia's regional archrival Iran. Qatar has strenuously denied the allegations.

Although Qatar hosts the largest American military airbase in the Middle East, Trump threw his weight behind the Saudi-led effort to isolate the emirate in a surprise move on Tuesday.

He suggested Qatar was funding extremism.

"So good to see the Saudi Arabia visit with the King and 50 countries already paying off," he tweeted in reference to his trip to Riyadh last month.

"They said they would take a hard line on funding... extremism, and all reference was pointing to Qatar. Perhaps this will be the beginning of the end to the horror of terrorism!"

The CNN report quoted the Qatari government communications office as saying it was working with the FBI and Britain's National Crime Agency on an ongoing hacking investigation.


Russian Hackers Target Montenegro as Country Joins NATO

7.6.2017 securityweek BigBrothers
Hackers linked to Russia launched cyberattacks on the Montenegro government just months before the country joined the North Atlantic Treaty Organization (NATO) and experts believe these attacks will likely continue.

Despite strong opposition from Russia, Montenegro officially joined NATO on June 5. Russia has threatened to retaliate but it may have already taken action against Montenegro in cyberspace.

Attacks aimed at the Montenegro government spotted earlier this year by security firm FireEye leveraged malware and exploits associated with the Russia-linked threat group known as APT28, Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team.

APT28 has been known to target Montenegro. In the latest attacks observed by researchers, the hackers used spear-phishing emails to deliver malicious documents pertaining to a NATO secretary meeting and a visit by a European army unit to Montenegro. Experts believe the latter document may have been stolen and weaponized by the attackers.

The malware delivered in these attacks is tracked by FireEye as GAMEFISH and it has been exclusively used by APT28. GAMEFISH is a backdoor that is tracked by other security firms as Sednit, Seduploader, JHUHUGIT and Sofacy.

The malicious documents delivered the malware via a Flash exploit framework. FireEye has privately informed its customers about this framework, but it has not detailed it in any public reports. However, the company told SecurityWeek that this framework is also known as DealersChoice, which Palo Alto Networks analyzed in October 2016.

FireEye analyst Ben Read told SecurityWeek that the malicious documents first profile the targeted system in an effort to determine which version of Flash Player is present. A command and control (C&C) server is then contacted and the appropriate Flash exploit is downloaded. The exploits, which can include CVE-2015-7645 and CVE-2016-7855, are used to deliver GAMEFISH.

Read said it was unclear if APT28’s attacks against the Montenegro government were successful.

“It’s likely that this activity is a part of APT28’s continued focus on targeting various NATO member states, as well as the organization itself,” said Tony Cole, VP and CTO for Global Government at FireEye.

“Russia has strongly opposed Montenegro's NATO accession process and is likely to continue using cyber capabilities to undermine Montenegro's smooth integration into the alliance,” Cole added. “Montenegro's accession could increase cyber threat activity directed toward NATO, and provide additional avenues for adversaries like Russia to illicitly access NATO information.”

APT28 has been known to target NATO member countries, including by leveraging zero-day vulnerabilities. The group has also been involved in the recent U.S. election attacks.

While the threat actor is widely believed to be sponsored by the Russian government, Moscow has repeatedly denied the accusations. The country’s president, Vladimir Putin, recently claimed that patriotic hackers from Russia could be behind these attacks, but denied that the government is involved in hacking activities.


Leaked Documents Show US Vote Hacking Risks

7.6.2017 securityweek BigBrothers
Security experts have warned for years that hackers could penetrate electronic voting systems, and now, leaked national security documents suggest a concerted effort to do just that in the 2016 US election.

An intelligence report revealed this week showed a cyberattack that targeted more than 100 local election officials and software vendors, raising the prospect of an attempt, possibly led by Russia, to manipulate votes.

The top-secret document from the National Security Agency, published by online news outlet The Intercept, stops short of drawing any conclusions about the impact of the attacks and whether it affected any ballots. But it suggests hackers got deeper into US voting systems than previously believed.

"These are our worst fears," said Joseph Hall, chief technologist at the Center for Democracy and Technology, who researches voting systems.

"For over 15 years, I and a lot of other people have said we had never seen a confirmed hack of voting systems. We're not going to say that anymore."

Hall said systems could be vulnerable because localities that manage elections rely on private software sellers that may lack resources against a well-funded cyber adversary.

"A lot of those vendors are quite small," Hall said. "There's not a lot of hope when you are going up against an 800-pound bear."

Russian President Vladimir Putin has denied any effort to influence the 2016 US election. But the report suggests meddling went beyond psychological warfare to an attack on voting systems themselves.

Hacking elections "has always been thought of as a theoretical possibility, but now we know it is a real threat," said Susan Greenhalgh, a researcher with the Verified Voting Foundation, an election systems monitor.

"We need to ensure our voting systems are resilient going into 2018 and 2020" elections, she added.

Alex Halderman, a University of Michigan computer scientist whose projects have included simulated hacking of voting machines, called the latest disclosures "significant."

"This shows Russia was interested in attacking the computer infrastructure that operated the election and raises important questions including how far they got," he told AFP.

While voting machines are not connected to the internet, most of the electronic systems need to be programmed with computers which are connected, opening up security holes.

"If you can manipulate that ballot programming you can often exploit the vulnerabilities," Halderman said, opening the door to vote tampering.

- Long-term impact -

Andrew Appel, a Princeton University computer science professor who has studied election systems, said that if the report is accurate and the cyberattack occurred days before the November vote, it would likely have been too late to affect the outcome.

But Appel said any tampering with vote systems could have serious and far-reaching effects.

"If this kind of attack had taken place weeks before the election, it would be cause for significant concern" for the outcome, he said.

"And it's many weeks now before the next election, and if there has been Russian penetration of our election software systems or anyone else's penetration, it could continue to affect vote counting for years."

Appel said that if ballots are manipulated within a voting machine, "it won't be obvious, people won't know about it" unless there is an audit or recount.

Most US states now use optical scanners with paper ballots that can be audited, but a handful employ paperless systems with no paper trail to verify the count.

"Internet elections are even more hackable, and I'm glad we're not doing that," Appel said.

Greenhalgh said that even though most jurisdictions have paper ballots which can be used for recounts, "the bad news is the vast majority of the country doesn't do an audit to catch any errors in the vote counting software."

Bruce Schneier, chief technology officer of IBM Resilient and a fellow at Harvard's Berkman Klein Center for Internet & Society, said the report shows the weaknesses of US election systems.

"This (attack) feels more exploratory than operational, but this is just one piece. There are lots of vulnerabilities," Schneier said. "Election officials are largely in denial. The next election will be no more secure than this election."


Kremlin 'Resolutely' Denies Russia Hacked US Vote

6.6.2017 securityweek BigBrothers
The Kremlin on Tuesday strongly denied a leaked US report that Russian military intelligence hackers tried to infiltrate into US voting systems before last year's presidential election.

"Apart from this claim which absolutely does not conform to reality, we have not seen any other information nor heard any arguments for the reliability of this information," Kremlin spokesman Dmitry Peskov told journalists.

"We resolutely deny the possibility that such a thing could have happened," he said, adding that he had not read the report.

The report by the National Security Agency was allegedly leaked by a private contractor just over a month after it was written and published Monday on The Intercept, an online news website which focuses on national security issues.

It depicted a hacking operation tied closely to Moscow's GRU intelligence directorate that targeted private US companies providing voter registration services and equipment to local governments.

President Vladimir Putin last week said that hackers can come from any country since they are "free people like artists" and conceded it was theoretically possible that a "patriotically minded" hacker could decide to act against those critical of Russia.

He insisted however that "we never get involved in this on a state level."

The Kremlin strongman also suggested that attacks could be designed to appear to come from Russia in order to discredit the country, while saying that in his opinion hacking cannot influence electoral campaigns in Europe, Asia or America.


FBI Arrests NSA Contractor for Leaking Secrets – Here's How they Caught Her

6.6.2017 thehackernews  BigBrothers

The FBI arrested a 25-year-old NSA contractor on Saturday (3rd June) for leaking classified information to an online news outlet which published its report yesterday (5th June) — meaning the arrest was made two days before the actual disclosure went online.
Reality Leigh Winner, who held a top-secret security clearance and worked as a government contractor in Georgia with Pluribus International, was arrested at her home in Augusta on charges involving the leak of top-secret NSA files to 'The Intercept,' an online publication that has been publishing NSA documents leaked by Edward Snowden since 2014.
The Intercept published a report on Monday, 5th June, based upon a classified document it received anonymously, which claims that in August 2016 Russia's military intelligence agency "executed a cyber attack on at least one U.S. voting software supplier and sent spear-phishing emails to more than 100 local election officials days before [the] election."
The NSA document (dated May 5, 2017) argues that hackers, believed to be associated with the Russian General Main Staff Intelligence Directorate (GRU), had attempted to break into VR Systems, a Florida company that sells voting registration equipment used in the 2016 US presidential election.

However, the document did not say whether the hack had any impact on the outcome of the election.
This is what the NSA document alleges about the Russian hacking into U.S. voting systems:
"Russian General Staff Main Intelligence Directorate actors … executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations."
How FBI Caught the NSA Leaker, Reality Winner?

What's confusing in the whole incident is that Winner was arrested on Saturday, while The Intercept's report on the top-secret NSA document went online two days after the arrest.
So, how did the federal authorities identify Winner as the one behind the leak?
The federal officials began their investigation after The Intercept contacted the NSA on May 30 and turned over a copy of the report to verify the authenticity of the document while asking for comment before publishing its report.
Winner did not send the actual document (PDF) directly to The Intercept; instead, she printed the document and then emailed a scanned copy of it to the publication.
But, unfortunately for her, it seems Winner was not aware of the fact "that most new printers print nearly invisible yellow dots that track down exactly when and where documents, any document, are printed," Robert Graham of Errata Security said, explaining how the agency identified the leaker.
Graham explains step by step how anyone can analyze the scanned copy of a printed document to retrieve this secretly stored information, which in this case revealed:
"The document leaked by the Intercept was from a printer with model number 54, serial number 29535218. The document was printed on May 9, 2017, at 6:20. The NSA almost certainly has a record of who used the printer at that time."
Since the NSA logs all print jobs on its printers, the agency determined that only six employees had access to that document and that Winner was the person who printed and removed the document from a secure facility.
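To make the tracking-dot mechanism concrete, here is an added worked example (not code from the article, from Graham, or from any printer vendor) of how such a grid encodes and decodes a timestamp, model and serial number. The column layout, the 7-bit-per-column encoding and the parity scheme are assumptions chosen for illustration; real vendor layouts differ (the EFF has published a decoding guide for the Xerox DocuColor pattern), so treat this as a model of the technique, not a decoder for a specific printer. The sample grid is constructed by the block's own encoder from the values the article reports (model 54, serial 29535218, 2017-05-09 06:20); the flip_dot helper simulates a scanning artifact so that the parity check can be seen catching it.

```python
from __future__ import annotations

ROWS = 8                       # row 0 is the column-parity row; rows 1..7 carry bits 64..1
FIELDS = ["minute", "hour", "day", "month", "year", "model",
          "serial_1", "serial_2", "serial_3", "serial_4"]   # one 7-bit field per column (assumed layout)
COLS = len(FIELDS) + 1         # column 0 is the row-parity column

# Constructed values: the date, model and serial the article reports for the leaked document.
SAMPLE_VALUES = {"minute": 20, "hour": 6, "day": 9, "month": 5, "year": 17, "model": 54,
                 "serial_1": 29, "serial_2": 53, "serial_3": 52, "serial_4": 18}


def encode_grid(values: dict[str, int]) -> list[str]:
    """Build a dot grid ('#' = dot, '.' = blank) from field values.

    Each field is written as a 7-bit column, MSB in row 1. Column 0 and row 0 are
    set so that every data row and every data column contains an odd number of dots.
    This layout is a simplified model for illustration, not any vendor's real encoding.
    """
    grid = [[0] * COLS for _ in range(ROWS)]
    for col, name in enumerate(FIELDS, start=1):
        value = values[name]
        if not 0 <= value < 128:
            raise ValueError(f"{name}={value} does not fit in 7 bits")
        for row in range(1, ROWS):
            grid[row][col] = (value >> (ROWS - 1 - row)) & 1
    for row in range(1, ROWS):                      # row parity bit in column 0
        grid[row][0] = 1 - sum(grid[row][1:]) % 2
    for col in range(1, COLS):                      # column parity bit in row 0
        grid[0][col] = 1 - sum(grid[r][col] for r in range(1, ROWS)) % 2
    grid[0][0] = 1 - sum(grid[0][1:]) % 2           # corner cell: parity of the parity row
    return ["".join("#" if dot else "." for dot in row) for row in grid]


def decode_grid(lines: list[str]) -> dict:
    """Read the grid back, verify row and column parity, and return the decoded fields."""
    grid = [[1 if ch == "#" else 0 for ch in line] for line in lines]
    if len(grid) != ROWS or any(len(row) != COLS for row in grid):
        raise ValueError("grid has the wrong shape for this layout")
    parity_errors = []
    for row in range(1, ROWS):
        if sum(grid[row]) % 2 == 0:
            parity_errors.append(f"row {row}")
    for col in range(1, COLS):
        if sum(grid[r][col] for r in range(ROWS)) % 2 == 0:
            parity_errors.append(f"column {col}")
    fields = {}
    for col, name in enumerate(FIELDS, start=1):
        value = 0
        for row in range(1, ROWS):
            value = (value << 1) | grid[row][col]
        fields[name] = value
    serial = "".join(f"{fields[f'serial_{i}']:02d}" for i in range(1, 5))
    stamp = (f"20{fields['year']:02d}-{fields['month']:02d}-{fields['day']:02d} "
             f"{fields['hour']:02d}:{fields['minute']:02d}")
    return {"timestamp": stamp, "model": fields["model"], "serial": serial,
            "parity_errors": parity_errors}


def flip_dot(lines: list[str], row: int, col: int) -> list[str]:
    """Return a copy of the grid with one cell toggled (simulates a scan or print artifact)."""
    out = list(lines)
    chars = list(out[row])
    chars[col] = "." if chars[col] == "#" else "#"
    out[row] = "".join(chars)
    return out


SAMPLE_GRID = encode_grid(SAMPLE_VALUES)   # the constructed dot pattern used below

if __name__ == "__main__":
    for line in SAMPLE_GRID:
        print(line)
    print(decode_grid(SAMPLE_GRID))
    print(decode_grid(flip_dot(SAMPLE_GRID, 3, 2)))
```

The point for a defender is the one the article makes: a scan of a printed page carries enough redundancy (parity included) to recover the printer identity and print time reliably, so any handling policy for sensitive printouts has to assume the page itself is an identifier.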

The agency also found that Winner "had email contact" with The Intercept and that no other employees had communicated with the news outlet.
Winner also allegedly "acknowledged that she was aware of the contents of the intelligence reporting and that she knew the contents of the reporting could be used to the injury of the United States and the advantage of a foreign nation," reads the criminal complaint [PDF] released by the DoJ on Monday.
"Exceptional law enforcement efforts allowed us quickly to identify and arrest the defendant," said Deputy Attorney Gen. Rod J. Rosenstein. "Releasing classified material without authorization threatens our nation's security and undermines public faith in government. People who are trusted with classified information and pledge to protect it must be held accountable when they violate that obligation."
Winner is facing a count of "gathering, transmitting or losing defence information," and up to 10 years behind bars if she is convicted.


NSA top-secret report details Russian cyber operations days before 2016 election
6.6.2017 securityaffairs BigBrothers

Russian intelligence powered a cyber attack on at least one US voting software supplier and sent spear-phishing emails to election officials just days before Election Day.
The online news outlet The Intercept obtained access to a top-secret NSA report that shows Russian state-sponsored hackers tried repeatedly to hack US voting systems before the 2016 presidential election.

According to the NSA top-secret report, hackers tied to the Russian GRU intelligence directorate targeted private organizations and attacked voter registration services and equipment for months, until just days before election day.

It is not clear whether the nation-state hackers had any effect on the election; US intelligence officials have repeatedly ruled out any interference with the final result of the vote.

The report comes a few days after President Putin blamed patriotic hackers for the cyber attacks against foreign countries and denied Russian involvement.

“This useless and harmful chatter needs to stop.” President Putin said.


The report accuses Russian President Vladimir Putin of directing a concerted effort to interfere with the election to help Trump.

The Russian effort involved cyber attacks and a strategic disinformation campaign run by Russian intelligence.

According to the document, Russian hackers used data-stealing malware and spear-phishing attacks against people involved in the election and “obtained and maintained access to elements of multiple US state or local electoral boards.”

“The report indicates that Russian hacking may have penetrated further into U.S. voting systems than was previously understood. It states unequivocally in its summary statement that it was Russian military intelligence, specifically the Russian General Staff Main Intelligence Directorate, or GRU, that conducted the cyber attacks described in the document” states The Intercept.


“Russian General Staff Main Intelligence Directorate actors … executed cyber espionage operations against a named U.S. company in August 2016, evidently to obtain information on elections-related software and hardware solutions. … The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting U.S. local government organizations.” reads the NSA top-secret report.

It is still unclear what kind of information the hackers stole or which systems they breached.


Russia Tried to Hack US Voting Systems for Months: Report

6.6.2017 securityweek BigBrothers
A top secret National Security Agency document shows that hackers from Russian military intelligence tried repeatedly to break into US voting systems before last year's presidential election, The Intercept reported Monday.

The NSA report depicts an operation tied closely to Moscow's GRU intelligence directorate that targeted private companies providing voter registration services and equipment, and that went on for months until just days before the November 8 election, the online news outlet said.

The Intercept, which focuses on national security issues, says the NSA document does not conclude whether the hackers had any effect on the election or whether its aims were accomplished.

US intelligence officials have repeatedly said hackers had no effect on vote tallies in the election, won in a shock upset by Donald Trump.

But the report expanded on US allegations that Russian President Vladimir Putin directed a concerted effort, involving hacking and disinformation, to interfere with the election to help Trump.

"Russian General Staff Main Intelligence Directorate actors ... executed cyber espionage operations against a named US company in August 2016, evidently to obtain information on elections-related software and hardware solutions," the NSA report says, according to The Intercept.

"The actors likely used data obtained from that operation to … launch a voter registration-themed spear-phishing campaign targeting US local government organizations."

The report was published just days after Putin denied allegations that the Russian state had meddled in the US election.

Putin conceded, however, that there may have been hacking by Russians unconnected with the government.

As for the charges of government involvement, he said: "This useless and harmful chatter needs to stop."

The NSA did not immediately reply to requests for comment on the report.

The Intercept said that the agency, Washington's most important signals intelligence body, sought first to dissuade them from publishing it, and then requested redactions of sensitive information.

The report shows that, by trying to steal log-in credentials and using spear-phishing emails to plant malware, the hackers "obtained and maintained access to elements of multiple US state or local electoral boards."

How successful that effort was, and what kind of data may have been stolen, remains an unanswered question, the NSA report says.

It also notes that despite then-president Barack Obama's warning to Putin in September last year to not interfere with the election, the hacking attack on voter systems continued through October.


NSA Exploit EternalBlue is becoming even more common in hacking tools and malware
3.6.2017 securityaffairs BigBrothers

Security experts are observing a significant increase in the number of malware and hacking tools leveraging the ETERNALBLUE NSA exploit.
ETERNALBLUE is the alleged NSA exploit that made the headlines alongside DOUBLEPULSAR in the WannaCry attack.

ETERNALBLUE targets the SMBv1 protocol and has become widely adopted in the malware development community.

Investigations into WannaCry revealed that at least three other groups have been leveraging the NSA EternalBlue exploit.

The UIWIX ransomware was one of the first threats discovered in the wild to use the NSA-linked EternalBlue exploit for distribution.

UIWIX is a fileless malware discovered by experts at Heimdal Security early this week while investigating WannaCry.

Like WannaCry, UIWIX exploits the same vulnerability in the Windows SMB protocol, but the new threat runs in the memory of the infected system once EternalBlue has been exploited.

Researchers from Proofpoint discovered ETERNALBLUE deployed with the Adylkuzz botnet, which spread cryptocurrency miners. Malware experts from Cyphort reported ETERNALBLUE deployed with various RATs used by Chinese threat actors, and researchers at Secdo found the exploit used to deliver a data stealer developed by Russian hackers and a botnet in China.

Security firm Forcepoint found ETERNALBLUE deployed with various RATs.

“A number of Remote Access Tools have been identified using the EternalBlue exploit to spread. While the use of EternalBlue is common to all of the samples identified, the way the exploit is used varies with some samples (e.g. EternalRocks) taking the form of aggressively self-propagating worms, and others using a centralised scanning and distribution infrastructure similar to UIWIX and Adylkuzz.” reads the analysis published by Forcepoint.

Security researcher Miroslav Stampar found ETERNALBLUE bundled with six other NSA hacking tools in the EternalRocks SMB worm.

The most recent discovery came from FireEye, whose experts observed threat actors using the exploit code to deliver non-WannaCry payloads, including the Gh0st RAT and Backdoor.Nitol.

“We observed lab machines vulnerable to the SMB exploit were attacked by a threat actor using the EternalBlue exploit to gain shell access to the machine,” reads the FireEye report.


Gh0st RAT is a Windows malware that has been used in many espionage campaigns powered by nation-state actors.

“The initial exploit technique used at the SMB level (by Backdoor.Nitol and Gh0st) is similar to what we have been seen in WannaCry campaigns; however, once a machine is successfully infected, this particular attack opens a shell to write instructions into a VBScript file and then executes it to fetch the payload on another server,” FireEye researchers wrote.

Threat actors used the same EternalBlue and VBScript combination to distribute Gh0st RAT in Singapore and Backdoor.Nitol in the South Asia region. In both cases the attackers send specially crafted messages to a Microsoft SMBv1 server.

“The attacker echoes instructions into a new ‘1.vbs’ file to be executed later. These instructions fetch the payload ‘taskmgr.exe’ from another server in a synchronous call. This action creates an ActiveX object ADODB.Stream, which allows reading the file coming from the server and writes the result of the binary data in a stream,” researchers said.
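The chain FireEye describes (a shell writing a .vbs file with echo, then running it to fetch a payload) is a clean correlation target for endpoint telemetry. Below is an added detection example written for this page; it is not FireEye's code nor any product's rule. It runs over constructed process-creation records (host, time, image, command line) and alerts when the same host writes a .vbs via echo and then executes it with cscript or wscript inside a short window. The field names, the regular expressions and the 10-minute window are assumptions to adapt to your own telemetry; the sample events are constructed and not real logs.

```python
from __future__ import annotations
import re
from datetime import datetime, timedelta

# Heuristics for the two halves of the chain (assumed patterns; tune for your telemetry).
ECHO_TO_VBS = re.compile(r'\becho\b.*>\s*"?(?P<path>[^\s"]+\.vbs)\b', re.IGNORECASE)
RUN_VBS = re.compile(r'\b[cw]script(?:\.exe)?\b.*?"?(?P<path>[^\s"]+\.vbs)\b', re.IGNORECASE)


def _basename(path: str) -> str:
    """Normalise a Windows or POSIX path to its lower-cased file name."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect_vbs_dropper(events: list[dict], window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Alert when a host writes a .vbs file with echo and then runs it within `window`.

    `events` are process-creation records with keys host, time (datetime), image, cmdline.
    Correlation key is (host, script file name), so a benign cscript run with no
    preceding echo-write, or a run far outside the window, does not alert.
    """
    pending = {}            # (host, script name) -> the echo-write event
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        cmd = ev["cmdline"]
        m = ECHO_TO_VBS.search(cmd)
        if m:
            pending[(ev["host"], _basename(m.group("path")))] = ev
            continue
        m = RUN_VBS.search(cmd)
        if not m:
            continue
        key = (ev["host"], _basename(m.group("path")))
        write = pending.get(key)
        if write and ev["time"] - write["time"] <= window:
            alerts.append({"host": ev["host"], "script": key[1],
                           "written_at": write["time"], "executed_at": ev["time"],
                           "write_cmd": write["cmdline"], "exec_cmd": cmd})
    return alerts


# Constructed sample telemetry (not real logs); hosts and times are illustrative.
T0 = datetime(2017, 5, 30, 9, 0, 0)
SAMPLE_EVENTS = [
    {"host": "ws-017", "time": T0, "image": "cmd.exe",
     "cmdline": r'cmd.exe /c echo On Error Resume Next > C:\Windows\Temp\1.vbs'},
    {"host": "ws-017", "time": T0 + timedelta(seconds=40), "image": "cscript.exe",
     "cmdline": r'cscript.exe //nologo C:\Windows\Temp\1.vbs'},
    # benign admin script with no preceding echo-write: should not alert
    {"host": "ws-042", "time": T0 + timedelta(minutes=1), "image": "cscript.exe",
     "cmdline": r'cscript.exe C:\Scripts\inventory.vbs'},
    # write and execute two hours apart: outside the default correlation window
    {"host": "ws-099", "time": T0, "image": "cmd.exe",
     "cmdline": r'cmd.exe /c echo rem placeholder > C:\Temp\1.vbs'},
    {"host": "ws-099", "time": T0 + timedelta(hours=2), "image": "wscript.exe",
     "cmdline": r'wscript.exe C:\Temp\1.vbs'},
]

if __name__ == "__main__":
    for alert in detect_vbs_dropper(SAMPLE_EVENTS):
        print(alert)
```

The regexes are deliberately narrow and will miss obfuscated or split command lines; the durable signal is the sequence itself (script written by a shell spawned from a network-facing service, then executed), which is why the rule correlates on host and file name rather than on any string from a specific campaign. Patching MS17-010 and disabling SMBv1, as the article says, remove the entry point this rule is watching for.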

The EternalBlue exploit was also added to Metasploit, making it easy for attackers to exploit the flaw.

“The addition of the EternalBlue exploit to Metasploit has made it easy for threat actors to exploit these vulnerabilities. In the coming weeks and months, we expect to see more attackers leveraging these vulnerabilities and to spread such infections with different payloads,” states the FireEye post.

Christopher Glyer (@cglyer), 3:36 PM - 2 Jun 2017: "@FireEye found Gh0st RAT deployed by EternalBlue SMB exploit. Adding EB to Metasploit lowers the bar significantly" https://www.fireeye.com/blog/threat-research/2017/05/threat-actors-leverage-eternalblue-exploit-to-deliver-non-wannacry-payloads.html

“While developed with good intentions, the framework’s exploit modules are often plundered by malware developers, who use them as the base for developing malware,” wrote Catalin Cimpanu of BleepingComputer.

To neutralize the threat, it is essential to install MS17-010 security updates.


Crowdfunding initiative aims to buy Shadow Brokers leak before threat actors
3.6.2017 securityaffairs  BigBrothers

A crowdfunding initiative aims to buy the Shadow Brokers leak before threat actors start using the hacking tools and exploits in the wild.
The Shadow Brokers hacker group is going to launch a monthly subscription model for its data dumps; a 0-day exploit subscription goes for 100 Zcash, approximately $24,450 per month.

The hacking tools and exploits that the Shadow Brokers will release to subscribers in June could have a catastrophic impact on every device and computer exposed on the Internet.

Analyzing such tools before they go in the wild is crucial; for this reason, experts launched a crowdfunding campaign to purchase the next batch of Shadow Brokers leaks.

The initiative was launched by the researcher Matthew Hickey of My Hacker House and a researcher who goes by the moniker x0rz. The goal was to raise $25,000 to buy the exploits, analyze them and allow affected vendors to patch the vulnerabilities in their products.

Hacker Fantastic (@hackerfantastic), 11:20 AM - 1 Jun 2017 (tweet with three attached images): "Whatever happened to NSA warez crowd funding idea? Statement on why we pulled the plug on the opensource crowdfunded #ShadowBrokers purchase"
“If you ever want to hear a lawyer shout expletives at volume down a phone, you need to call him and tell him that you have created the first open source crowd-funded cyber arms acquisition attempt,” Hickey said in a statement via his Twitter account.

“It transpires that should funds change hands from ours to the Shadow Brokers, we would be certainly risking some form of legal complications,” Hickey said. “It was just too risky and the advice was under no circumstances to proceed further with this.”

The initiative raised the debate on the ethics of buying hacking tools and exploits from groups like the Shadow Brokers. Some experts believe that it isn't a good idea to deal with criminals even if the initiative aims to protect online users.

Below is the tweet in which x0rz announces that, for legal reasons, he is withdrawing from the crowdfunding effort to acquire the Shadow Brokers dump.


x0rz (@x0rz), 10:34 AM - 1 Jun 2017: "I'm retracting from the crowdfunding of the #ShadowBrokers dump. My statement here https://pastebin.com/raw/6VJ7XcM0"
Hickey told ThreatPost “there were a number of considerations around the crowdfunding effort, such as keeping it open and allowing the ShadowBrokers to claim it on the condition they privately disclosed, that the data could be validated prior to payment and that the group would work with researchers on getting vulnerabilities patched and/or mitigated.”

“There is just no way around the complication of paying them and putting our own freedoms at risk, we have to respect that opinions are equally divided on this topic,” Hickey said.



CIA Tool 'Pandemic' Replaces Legitimate Files With Malware

2.6.2017 securityweek BigBrothers
Documents published by WikiLeaks on Thursday describe a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to spread malware on a targeted organization’s network.

The tool, named “Pandemic,” installs a file system filter driver designed to replace legitimate files with a malicious payload when they are accessed remotely via the Server Message Block (SMB) protocol.

What makes Pandemic interesting is the fact that it replaces files on-the-fly, instead of actually modifying them on the device the malware is running on. By leaving the legitimate file unchanged, attackers make it more difficult for defenders to identify infected systems.

“Pandemic does NOT//NOT make any physical changes to the targeted file on disk. The targeted file on the system Pandemic is installed on remains unchanged. Users that are targeted by Pandemic, and use SMB to download the targeted file, will receive the 'replacement' file,” the tool’s developers said.

Pandemic, which works on both 32-bit and 64-bit Windows systems, is initially installed on machines from which users download or execute files remotely via SMB. According to the documents leaked by WikiLeaks, the tool can replace up to 20 files at a time – each with a maximum size of 800Mb.

Pandemic developers also provide a DLL file that can be used to determine if the tool is installed, and uninstall it. The files published by WikiLeaks contain information that can be useful for checking a system for Pandemic infections. Experts also pointed out that there is an easy way to see if Pandemic is present on a device.


Giuseppe `N3mes1s` (@gN3mes1s), 6:12 PM - 1 Jun 2017: "Do you wanna know if you have Pandemic? REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\Null . #pandemic #WIKILEAKS https://wikileaks.org/vault7/document/#pandemic"
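Because Pandemic swaps file content in the SMB read path and leaves the on-disk file untouched, an integrity audit run on the file server itself will pass; the discrepancy is only visible when a hash taken by the client that fetched the file over the share is compared against the server's own on-disk hash. The following is an added example of that cross-check, written for this page and not taken from WikiLeaks' documents or from any vendor tool. It builds a constructed share in a temporary directory, hashes it server-side, and simulates a client view in which one file arrived with different bytes; a real deployment would gather the client-side hashes on machines that actually read the share over SMB. Paths, file names and contents are constructed.

```python
from __future__ import annotations
import hashlib
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_tree(root: str) -> dict[str, str]:
    """SHA-256 of every file under `root`, keyed by share-relative path with '/' separators."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = sha256_bytes(fh.read())
    return digests


def find_substituted(server_view: dict[str, str], client_view: dict[str, str]) -> list[str]:
    """Paths whose content a client received differs from what the server holds on disk.

    A filter driver that rewrites reads on the fly leaves the server-side hash intact,
    so only the comparison against a hash taken on the receiving side exposes the swap.
    """
    return sorted(path for path, digest in client_view.items()
                  if path in server_view and server_view[path] != digest)


def demo() -> list[str]:
    """Constructed scenario: a three-file share where one file is replaced in transit."""
    with tempfile.TemporaryDirectory() as share:
        files = {                                   # constructed sample contents
            "tools/update.exe": b"MZ constructed sample installer",
            "tools/readme.txt": b"constructed readme",
            "docs/guide.pdf": b"%PDF constructed document",
        }
        for rel, data in files.items():
            full = os.path.join(share, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(data)

        server_view = hash_tree(share)              # what an audit on the server sees

        # Simulated client-side hashes: identical, except that the executable a client
        # downloaded over the share was a different file (the "replacement" behaviour).
        client_view = dict(server_view)
        client_view["tools/update.exe"] = sha256_bytes(b"constructed replacement payload")

        return find_substituted(server_view, client_view)


if __name__ == "__main__":
    print(demo())
```

Run across a fleet, the comparison turns the tool's strength (no on-disk change) into a detection opportunity: any path that hashes differently on the consumer than on the provider, while the provider's hash is stable over time, points at the read path rather than at the file. Pair it with the registry check quoted above and with monitoring of newly registered file system filter drivers on the machines that serve the shares.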

WikiLeaks has been publishing CIA files, which are part of a leak dubbed “Vault 7,” every Friday since March 23, except for last week. The tools exposed by the whistleblower organization include ones designed for hacking Samsung smart TVs, MitM tools, a framework used to make malware attribution and analysis more difficult, and a platform for creating custom malware installers.

The fact that WikiLeaks delayed last week’s dump until the day the Russian government once again denied interfering with U.S. elections has led some members of the infosec community to believe that the leaks may be timed to serve other purposes, not just to expose the CIA’s activities.

Jake Williams (@MalwareJake): "@wikileaks Now @wikileaks releases #pandemic documentation. Two things in hacking news today: Russia claims they don't do it and US definitely does 6/n"

Jake Williams (@MalwareJake), 8:04 PM - 1 Jun 2017: "@wikileaks As you read the #pandemic dumps, be mindful of the fact that you are being manipulated by whoever controls @wikileaks access to this data 7/n"

Symantec and Kaspersky have found links between the tools exposed by WikiLeaks and the malware used by a cyber espionage group tracked as “Longhorn” and “The Lamberts.”


Putin: Patriotic Russians Could Be Behind Election Hacks

2.6.2017 securityweek BigBrothers
Russian President Vladimir Putin says patriotic citizens may have launched politically motivated cyberattacks against foreign countries, but denied any government involvement in such operations.

Following accusations that Russian state-sponsored hackers interfered with the recent elections in the United States, Putin was asked on Thursday at the International Economic Forum in St. Petersburg about the possibility of Russian hackers influencing the upcoming elections in Germany. Putin responded by comparing hackers to artists.

“If artists get up in the morning feeling good, all they do all day is paint,” Putin said. “The same goes for hackers. They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia.”

The Russian president noted that while this is possible in theory, his country does not engage in such activities on a government level. Putin also highlighted that threat actors could launch attacks and make it look like the source was Russia – a task that he described as “very easy.”

On the other hand, Putin said he was convinced that hackers cannot have a real impact on an election campaign.

“We do not engage in this activity at the government level and are not going to engage in it. On the contrary, we try to prevent this from happening in our country,” he said. “At any rate, I believe that no hackers can affect the election campaign in any European country, nor in Asia or in America.”

The United States has officially accused Russia of attempting to interfere with recent elections and an investigation has been launched to assess the impact of the cyberattacks on their outcome.

Thomas Rid, a professor in the department of War Studies at King's College London, believes the comments made by Putin are strategic.


Russian hackers are also believed to have targeted the political campaign of French President Emmanuel Macron. The attacks were uncovered by security firms, but the U.S. National Security Agency (NSA) also claimed to have warned France of the attacks.

The threat groups tracked as Fancy Bear (aka APT28, Pawn Storm, Sofacy Group, Sednit and STRONTIUM) and Cozy Bear (aka APT29, Office Monkeys and Cozy Duke) are widely believed to be associated with Russia. While many security firms refrain from making statements on attribution or simply point out that the hackers speak Russian, some companies have gone as far as to link them to Russian government agencies, such as the Federal Security Service (FSB), the Foreign Intelligence Service (SVR), and the military intelligence agency GRU.


Putin: Hackers Are Like Artists, Who Wake Up In A Good Mood & Start Painting

2.6.2017 thehackernews BigBrothers

Just control your laughter, while reading this article. I insist.
Talking to international media at the St Petersburg Economic Forum on Thursday, Russian President Vladimir Putin made a number of statements surrounding Russia's alleged involvement in hacking.
If you are not aware, Russia has been the focus of the U.S. investigations for its purported role in interfering with the 2016 US presidential election, which saw several major hacks, including Democratic National Committee and Hillary Clinton campaign emails.
The US authorities and intelligence community concluded in January that Mr. Putin had personally directed cyber attacks against Democrats and the dissemination of false information in order to influence US election and help Mr. Trump win the election.
Putin: Russia Has Never Been Involved in Hacking

Today Mr. Putin denied all the allegations of Russian engagement in the U.S. election hacking, saying that the Russian state had never been involved in hacking.
I know you would take some time even to digest this statement, but trust me this one is nothing. You would start laughing after reading his other comments mentioned in this article.
"We don't engage in that at the state level," Mr. Putin said, according to the Associated Press.
"I'm deeply convinced that no hackers can radically influence another country's election campaign," Mr. Putin added. "No hackers can influence election campaigns in any country of Europe, Asia or America."
So, Putin, who limits the freedom of the press and is accused of killing political opponents and journalists to prevent them from reporting on topics that can anger the Kremlin, is saying that "no information will change the minds of the people or influence the outcome" of the election.
Putin: Patriotic Hackers May Have Targeted U.S. Election

Besides insisting that the Russian government has no involvement in such cyber attacks, Mr. Putin said that some individual "patriotic" hackers who love their country could mount such attacks against those who "speak negatively about" their country.
"If they are patriotically minded, they start making their contributions – which are right, from their point of view – to fight against those who say bad things about Russia," Mr. Putin said.
Is he just encouraging hackers to conduct cyber attacks against rival nations by making such comments?
As for his dealings with US President Donald Trump, Mr. Putin also said Moscow would wait for the current political storm in the United States to settle down before he attempts to forge constructive relations with Mr. Trump, whom he praised for being "straightforward" with a "fresh set of eyes."
Putin: Hackers are Like Artists, Who Wake Up and Start Painting!

"Hackers are free people, just like artists who wake up in the morning in a good mood and start painting," Mr. Putin said.
"The hackers are the same, they would wake up, read about something going on in interstate relations and if they have patriotic leanings, they may try to add their contribution to the fight against those who speak badly about Russia."
So, Mr. Putin wants to say that hackers can contribute to their nation by attacking their country’s rivals. WOW!
Describing hackers as free-spirited artists acting according to their moods, Mr. Putin said the cyber attacks on the DNC and the Hillary Clinton presidential campaign could have been made to look like they had come from Russia when they actually hadn't.
"I can imagine that some do it deliberately, staging a chain of attacks in such a way as to cast Russia as the origin of such an attack," Mr. Putin added. "Modern technologies allow that to be done quite easily."
Mr. Putin's remarks are similar to the ones from Mr. Trump, who has previously dismissed accusations of Russian involvement in the DNC hack and said that the hacks could be by "somebody sitting on their bed that weighs 400 pounds."
While Mr. Putin may deny the hacking allegations, which he believes are "not based on facts," many cyber security and espionage experts have discovered that Russia has in the past "outsourced" its hacking efforts to state-sponsored criminal gangs.


#Vault7: CIA Pandemic implant turns file servers into malware infectors
2.6.2017 securityaffairs BigBrothers

Wikileaks released a new lot of documents belonging to the Vault7 dump that details the CIA project codenamed ‘Pandemic implant’
Wikileaks released a new batch of documents belonging to the Vault7 archive related to the CIA project codenamed ‘Pandemic.’


WikiLeaks (@wikileaks), 7:34 PM - 1 Jun 2017:
RELEASE: CIA 'Pandemic' Windows infection malware documentation #Vault7 https://wikileaks.org/vault7/#Pandemic
The CIA's Pandemic project refers to a persistent Windows implant for machines that share files (programs) with remote users on a local network. The cyber spies use Pandemic to infect remote users by replacing application code on the fly with a trojaned version whenever the application is retrieved from the infected machine.

“Today, June 1st 2017, WikiLeaks publishes documents from the “Pandemic” project of the CIA, a persistent implant for Microsoft Windows machines that share files (programs) with remote users in a local network.” reads the description published by Wikileaks. “‘Pandemic’ targets remote users by replacing application code on-the-fly with a trojaned version if the program is retrieved from the infected machine.”

The implant transforms file servers into machines that infect PCs which access them remotely.

A computer on a local network with shared drives that is infected with the Pandemic implant is the equivalent of a "Patient Zero" spreading a disease: it will compromise remote computers whenever a user executes applications stored on the Pandemic file server.


The Pandemic tool doesn’t change the file on the infected system; when victims request a file from it, they receive a trojanized replacement of the legitimate application instead.

The Pandemic implant can replace up to 20 programs, with a maximum size of 800MB.

“Pandemic is a tool which is run as kernel shellcode to install a file system filter driver. The filter will ‘replace’ a target file with the given payload file when a remote user accesses the file via SMB (read-only, not write).” reads the Pandemic Implant tool summary. “Pandemic will not ‘replace’ the target file when the target file is opened on the machine Pandemic is running on. The goal of Pandemic is to be installed on a machine where remote users use SMB to download/execute PE files. (S//NF) Pandemic does NOT//NOT make any physical changes to the targeted file on disk. The targeted file on the system Pandemic is installed on remains unchanged. Users that are targeted by Pandemic, and use SMB to download the targeted file, will receive the ‘replacement’ file.”

The Pandemic leak consists of five files. Installation of the implant is very rapid: it takes just 10 to 15 seconds.
The documentation does not describe the infection process in detail; in particular, it does not specify whether infected machines become new Pandemic servers themselves.
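The tool summary above gives defenders one usable property: the file on the server's disk is never modified, only the copy served over SMB is. An added example (not code from the leaked documents) that turns that into an integrity check: hash the PE files on the server itself, then re-read the same paths through the share from a client and report any file whose bytes differ. The directory trees in `demo()` are constructed samples.

```python
"""Detect a Pandemic-style substitution by comparing a server-local manifest
of PE hashes with what a client actually receives over the share.

The on-disk file stays untouched and only SMB reads get the replacement, so
on a clean server the two views must agree; any disagreement is a finding.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Mismatch:
    relative_path: str
    manifest_sha256: str
    share_sha256: str


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_pe(path: str) -> bool:
    """Pandemic replaces PE files, so only executables (MZ magic) are hashed."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def build_manifest(root: str) -> Dict[str, str]:
    """Run ON the file server: relative path -> sha256 for every PE file."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_pe(full):
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                manifest[rel] = sha256_of(full)
    return manifest


def verify_share(manifest: Dict[str, str], share_root: str) -> List[Mismatch]:
    """Run ON a client: re-read each manifest entry through the share (for
    example a mounted UNC path) and report every file whose bytes differ."""
    mismatches: List[Mismatch] = []
    for rel, expected in sorted(manifest.items()):
        remote_path = os.path.join(share_root, *rel.split("/"))
        if not os.path.isfile(remote_path):
            continue  # a missing file is an inventory problem, not a swap
        actual = sha256_of(remote_path)
        if actual != expected:
            mismatches.append(Mismatch(rel, expected, actual))
    return mismatches


def demo() -> List[Mismatch]:
    """Constructed sample: a 'server' tree and the 'share' view of it, where
    one executable comes back altered while the server copy is unchanged."""
    server = tempfile.mkdtemp(prefix="srv-")
    share = tempfile.mkdtemp(prefix="share-")
    files = {
        "tools/updater.exe": b"MZ" + b"\x00" * 62 + b"clean updater",
        "tools/readme.txt": b"not an executable, ignored by the manifest",
    }
    for tree in (server, share):
        for rel, data in files.items():
            path = os.path.join(tree, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
    # The share hands out a different PE body for the same path; the file
    # under `server` is untouched, exactly as the tool summary describes.
    with open(os.path.join(share, "tools", "updater.exe"), "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 62 + b"replacement payload")
    return verify_share(build_manifest(server), share)


if __name__ == "__main__":
    for m in demo():
        print(f"{m.relative_path}: server {m.manifest_sha256[:12]} != share {m.share_sha256[:12]}")
```

In practice the manifest is produced on the server and carried to the client out of band; a client that reads the manifest through the same share would be fed the attacker's view of both.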

Let’s wait for the next Vault


U.S. Defense Contractor Exposes Sensitive Military Data

1.6.2017 securityweek BigBrothers

 Sensitive data belonging to the U.S. National Geospatial-Intelligence Agency (NGA) was left exposed on the Internet by defense and intelligence contractor Booz Allen Hamilton, a security firm revealed on Wednesday.

The NGA is a combat support and intelligence agency working under the Department of Defense. The geospatial intelligence provided by the organization is used by policymakers, the military, intelligence professionals and first responders.

Chris Vickery, a researcher who in the past identified billions of records exposed online due to weak configurations, discovered an unprotected Amazon S3 bucket containing tens of thousands of potentially sensitive files. Accessing the files did not require a password and all data was stored in clear text.

The data, belonging to the NGA, was connected – based on domain registration details and credentials – to Booz Allen Hamilton and another one of the agency’s contractors, Metronome. The files, some of which were marked as “top secret,” included military information, SSH keys belonging to a Booz Allen engineer, and admin credentials for a system housed by one of the contractor’s data centers.

Vickery, who recently joined cyber resilience firm UpGuard as a risk analyst, found the files on May 22 and notified Booz Allen two days later. After receiving no response from the company, Vickery alerted the NGA directly on May 25, and the exposed repository was secured within minutes. An unnamed government regulatory agency has asked UpGuard to hold on to the data.

The NGA said it immediately revoked affected credentials, but described the exposed files as “sensitive but unclassified information.” Booz Allen also claimed there was no evidence that any classified information or systems were exposed.

This is not the first time Vickery has discovered a data leak involving Booz Allen Hamilton. In late 2016, he reported that one of the company’s subcontractors, Potomac Healthcare Solutions, had leaked military healthcare worker data.

The intelligence contractor itself was involved in several security incidents in the past years, including a 2011 attack by Anonymous hacktivists, the Edward Snowden leaks, and the alleged theft of classified material by Harold Thomas Martin III.

The findings of Vickery and other researchers over the past years have demonstrated the risks posed by misconfigured AWS S3 buckets, but many organizations still fail to protect data stored in the cloud.

"AWS S3 is a very popular cloud based object storage service, and a staple of most AWS environments from the earliest days of the cloud service. Yet security of S3 buckets to prevent accidental data exposure is often poorly understood and badly implemented by their users, even someone as technically savvy as an engineer with one of the world’s leading defense contractors,” explained Zohar Alon, Co-Founder and CEO of Dome9.

“This type of oversight exemplifies the one-strike law for security in the public cloud. A single vulnerability, or security, or process lapse is all it takes to expose highly sensitive private data to the world and get data-jacked. Even with strict security controls in place, breaches such as this still occur due to very basic process failures, leaving extraordinarily sensitive information exposed to the world," Alon added.
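What "did not require a password" looks like in configuration terms is a bucket policy or ACL that grants read access to an anonymous principal. An added example (not UpGuard's or Booz Allen's tooling) that checks both documents offline and shows the weak policy beside a hardened one; the policy, ACL and bucket name are constructed samples, and the account id is AWS's documentation placeholder.

```python
"""Flag S3 bucket-policy statements and ACL grants that expose a bucket to
anonymous readers, using the JSON documents the S3 API returns."""
from typing import Any, Dict, List

# Actions that hand out object contents or bucket listings.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",            # anyone on the Internet
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",  # any AWS account at all
}


def _as_list(value: Any) -> List[Any]:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _anonymous_principal(principal: Any) -> bool:
    """Principal "*" or {"AWS": "*"} means everyone, credentials or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_findings(policy: Dict[str, Any]) -> List[str]:
    """Sids (or indexes) of Allow statements granting read actions to an
    anonymous principal. A Condition narrows the exposure but does not
    remove it, so such statements are still reported, tagged 'conditional'."""
    findings: List[str] = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _anonymous_principal(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & READ_ACTIONS:
            continue
        sid = stmt.get("Sid", f"statement[{idx}]")
        findings.append(f"{sid} (conditional)" if stmt.get("Condition") else sid)
    return findings


def public_acl_findings(acl: Dict[str, Any]) -> List[str]:
    """ACL grants to the AllUsers/AuthenticatedUsers groups, which is what
    a 'public-read' canned ACL on the bucket or its objects produces."""
    out: List[str] = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in PUBLIC_GRANTEES:
            out.append(f"{grant.get('Permission')} to {uri.rsplit('/', 1)[-1]}")
    return out


BUCKET_ARNS = ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]

# Weak: every object is readable by anyone who finds the bucket name.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": BUCKET_ARNS,
    }],
}

# Hardened: one named IAM role may read, and plaintext transport is denied.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "RoleReadOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/example-reader"},
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": BUCKET_ARNS,
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": BUCKET_ARNS,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

# Weak ACL: the owner has full control, but AllUsers can read as well.
WEAK_ACL = {
    "Owner": {"ID": "example-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}
```

Real inputs come from `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl`; object-level ACLs can make individual files public even when the bucket documents are clean, so those need the same check.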


Top Defense contractor left Pentagon docs unsecured on Amazon server
1.6.2017 securityweek BigBrothers

A top defense contractor left tens of thousands of sensitive Pentagon documents on an Amazon server without any protection in place.
The popular security expert Chris Vickery discovered more than 60,000 sensitive files belonging to a US military project for the National Geospatial-Intelligence Agency (NGA) left on an Amazon cloud storage server without authentication.

The documents were reportedly left unsecured on a public Amazon server by one of the nation’s top intelligence and defense contractors.

The files contain passwords to a US government system containing sensitive information and the security credentials of a senior employee of the top defense contractor Booz Allen Hamilton.

Vickery discovered the documents included login credentials for code repositories that could contain classified files and other credentials.

Digging into the 28GB archive, the expert discovered the private Secure Shell (SSH) keys of a Booz Allen employee, and a half dozen plain text passwords belonging to government contractors with Top Secret Facility Clearance.

“A cache of more than 60,000 files was discovered last week on a publicly accessible Amazon server, including passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton, one of the nation’s top intelligence and defense contractors.” reported Gizmodo.com “What’s more, the roughly 28GB of data contained at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance.”

The most disconcerting part of the discovery is that the exposed data even contained master credentials granting administrative access to a highly protected Pentagon system.


The files are no longer available online, but someone could already have downloaded those sensitive documents, with serious consequences for US intelligence.

On May 24, Vickery first tried to notify Booz Allen Hamilton’s Chief Information Security Officer (CISO) of the leak.

“In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level,” wrote Dan O’Sullivan, Cyber Resilience Analyst at UpGuard.

Booz Allen promptly launched an investigation into the data leak.

“Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment,” a Booz Allen spokesman told Gizmodo. “We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter.”

The National Geospatial-Intelligence Agency (NGA), which in March awarded Booz Allen an $86 million defense contract, is also conducting a forensic investigation into the incident.

“We immediately revoked the affected credentials when we first learned of the potential vulnerability,” the NGA said in a statement. “NGA assesses its cyber security protections and procedures constantly with all of its industry partners. For an incident such as this, we will closely evaluate the situation before determining an appropriate course of action.”

Chris Vickery has discovered many other notable cases of open databases exposed on the Internet.

In December 2015 the security expert discovered 191 million records belonging to US voters online; in April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery discovered online the database of the Kinoptic iOS app, which had been abandoned by its developers, with details of over 198,000 users.

In January 2017, the expert discovered online an open Rsync server hosting the personal details for at least 200,000 IndyCar racing fans.

Vickery also disclosed a massive data breach at a U.S.-based data warehouse, Schoolzilla, which held personal information on more than a million American students (K-12).



US Defense Contractor left Sensitive Files on Amazon Server Without Password
1.6.2017 thehackernews BigBrothers
Sensitive files linked to a United States intelligence agency were reportedly left on a public Amazon server without a password by one of the nation's top intelligence contractors, according to a new report.
UpGuard cyber risk analyst Chris Vickery discovered tens of thousands of documents from a US military project for the National Geospatial-Intelligence Agency (NGA) left unsecured on an Amazon cloud storage server for anyone to access.
The documents included passwords to a US government system containing sensitive information, and the security credentials of a senior employee of Booz Allen Hamilton, one of the country's top defense contractors.
Although there wasn't any top secret file in the cache Vickery discovered, the documents included credentials to log into code repositories that could contain classified files and other credentials.
Master Credentials to a Highly-Protected Pentagon System were Exposed
Roughly 28GB of exposed documents included the private Secure Shell (SSH) keys of a Booz Allen employee, and a half dozen plain text passwords belonging to government contractors with Top Secret Facility Clearance, Gizmodo reports.
What's more? The exposed data even contained master credentials granting administrative access to a highly-protected Pentagon system.
The sensitive files have since been secured and were likely hidden from those who didn't know where to look for them, but anyone, like Vickery, who knew where to look could have downloaded those sensitive files, potentially allowing access to both highly classified Pentagon material and Booz Allen information.
"In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level," Vickery says.
Vickery is a reputed and responsible researcher who has previously tracked down a number of exposed datasets on the Internet. Two months ago, he discovered an unsecured and publicly exposed database, containing nearly 1.4 Billion user records, linked to River City Media (RCM).
Vickery is the one who, in 2015, reported a huge cache of more than 191 Million US voter records and details of nearly 13 Million MacKeeper users.
Both NGA and Booz Allen are Investigating the Blunder
The NGA is now investigating this security blunder.
"We immediately revoked the affected credentials when we first learned of the potential vulnerability," the NGA said in a statement. "NGA assesses its cyber security protections and procedures constantly with all of its industry partners. For an incident such as this, we will closely evaluate the situation before determining an appropriate course of action."
However, Booz Allen said the company is continuing with a detailed forensic investigation about the misstep.
"Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment," a Booz Allen spokesperson told Gizmodo.
"We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter."
Booz Allen Hamilton is the same consulting firm that employed whistleblower Edward Snowden when he disclosed the global surveillance conducted by the NSA. It is among the top 100 US federal contractors and was once described as "the world’s most profitable spy organisation."


China to Launch Cybersecurity Law Despite Concerns

31.5.2017 securityweek BigBrothers
Beijing - China will implement a controversial cybersecurity law Thursday despite concerns from foreign firms worried about its impact on their ability to do business in the world's second largest economy.

Passed last November, the law is largely aimed at protecting China's networks and private user information at a time when the recent WannaCry ransomware attack showed any country can be vulnerable to cyber threats.

But companies have pleaded with the government to delay the legislation's implementation amid concerns about unclear provisions and how the law would affect personal information and cloud computing.

The government appears to still be scrambling to finalize the rules.

Just two weeks ago, Zhao Zeliang, director of the cybersecurity bureau, gathered some 200 representatives from foreign and domestic companies and industry associations at the new headquarters of the Cybersecurity Administration of China (CAC) in Beijing.

The May 19 discussion centred on a draft of the rules for transferring personal data overseas, participants told AFP.

Attendees received an updated version of the document, as well as Zhao's assurance that regulators would remove some of the language that had received strong objections, they said.

The new document, obtained by AFP, removed a contentious requirement for companies to store customers' personal data in China.

- 'Headaches for companies' -

But concerns remain.

"The regulator is unprepared to enforce the law" and it is "very unlikely" anything will happen on June 1, said one participant, who asked for anonymity to discuss the sensitive issue.

That impression was only strengthened a few days after the meeting, when authorities issued 21 new draft documents describing national standards on topics from cloud computing to financial data, noting they would be available for public comment until July 7.

More new drafts, including detailed guidelines on cross-border data transfers, were published Saturday.

It is "crystal clear that the regulatory regime is evolving and does not simply switch on like a light June 1", said Graham Webster, an expert on Sino-US relations at Yale Law School.

Beijing, he said, is "wrestling with legitimate challenges that every country faces, and ... much of the caution and ambiguity comes from a desire to get things right."

But the process is causing "headaches for companies, Chinese and foreign alike".

- Protecting 'national honour' -

China already has some of the world's tightest controls over web content, protected by what is called "The Great Firewall", but even some of its universities and petrol stations were hit by the global ransomware attack in May.

The draft cybersecurity rules provided at the CAC meeting address only one part of the sweeping law.

The legislation also bans internet users from publishing a wide variety of information, including anything that damages "national honour", "disturbs economic or social order" or is aimed at "overthrowing the socialist system". Companies are worried that the new law could lock them out of the market.

Paul Triolo, a cybersecurity expert at the Eurasia Group, wrote in a research note that regulators will likely introduce "new hurdles for foreign company compliance and operations" in industries, such as cloud computing, where China is actively seeking a competitive advantage.

As a result, "companies with politically well-connected competitors could see their profile raised for things such as cybersecurity reviews".

The European Union Chamber of Commerce, among other groups, has urged Beijing to "delay the implementation of either the law or its relevant articles".

It "will impose substantial compliance obligations on industry" and "cautious, sound, consistent and fully reasoned supporting mechanisms related to its implementation are essential," the group said in a statement last week.

The chamber called on policymakers to follow a "transparent" process that will help eliminate "discriminatory market access barriers".

While there is no indication the law itself will be pushed back, the draft rules distributed at the CAC meeting say companies will have until December 31, 2018 to implement some of its requirements.

"It's been enormously difficult for our companies to prepare for the implementation of the cybersecurity law, because there are so many aspects of the law that are still unclear," said Jake Parker, vice president of the US-China Business Council.

"There's not enough information for companies to be able to develop internal compliance practices."


Hack DHS Act Establishes Bug Bounty Program for DHS

30.5.2017 securityweek  BigBrothers
Following what is now widespread practice among private industry tech giants, a new bill proposes to force the DHS to introduce its own public-sector bug bounty program.

Senators Maggie Hassan (D-NH) and Rob Portman (R-OH) introduced the Hack Department of Homeland Security (DHS) Act on 25 May. Designated S.1281, it is described as "A bill to establish a bug bounty pilot program within the Department of Homeland Security, and for other purposes."

At the time of writing, there is no publicly published text for the bill. Nevertheless, congress.gov lists it as having been read twice and referred to the Committee on Homeland Security and Governmental Affairs.

Hassan publicly announced the new bill on Friday. She described it as designed to "strengthen cyber defenses at DHS by utilizing 'white-hat' or ethical hackers to help identify unique and undiscovered vulnerabilities in the DHS networks and data systems." It is modeled on the bug bounty programs of the tech industry, and last year's 'hack the Pentagon' and 'hack the Army' programs.

Spanning April and May 2016, the Department of Defense (DoD) ran 'Hack the Pentagon' via HackerOne. It attracted more than 1,400 hackers, 250 of whom submitted at least one vulnerability report. 138 reports were judged valid and eligible for a bounty from the program's $150,000 funding. Ash Carter, Secretary of Defense at the time, estimated that the program saved the department more than $800,000 against the cost of a similar exercise via the security industry.

Since then both the Army and the Air Force have engaged similar programs. Hack the Army ran from the end of November to 21 December 2016. 371 white-hat hackers registered and submitted a total of 471 vulnerability reports. Nearly 120 were adjudged actionable and were awarded a total of more than $100,000.

Hack the Air Force was announced in April 2017, and registrations opened on 15 May. The event will take place between May 30 and June 23, and is open to researchers from any of the Five Eyes nations: US, UK, Canada, Australia and New Zealand.

"Federal agencies like DHS are under assault every day from cyberattacks," explained Hassan in her statement Friday. "These attacks threaten the safety, security and privacy of millions of Americans and in order to protect DHS and the American people from these threats, the Department will need help. The Hack DHS Act provides this help by drawing upon an untapped resource -- patriotic and ethical hackers across the country who want to stop these threats before they endanger their fellow citizens."

"The networks and systems at DHS are vital to our nation's security," said Portman. "It's imperative that we take every step to protect DHS from the many cyber attacks they face every day. One step to do that is using an important tool from the private sector: incentivizing ethical hackers to find vulnerabilities before others do. I look forward to working with Senator Hassan to move this bipartisan bill forward and helping protect DHS from cyber threats."

The bill is getting cautious support from the private sector. "The proposed Hack DHS Act seems, on its surface, to be a very positive step forward to helping better secure the nation's websites and other web-facing infrastructure," Nathan Wenzler, chief security strategist at security consulting firm AsTech, told SecurityWeek. He pointed to the continuing success of bug bounties in the private sector. "Provided that appropriate measures are taken to vet the individuals who are performing the ethical hacking work, this could end up being a very valuable tool to help improve the security posture of some of the most heavily attacked sites out there."

Chris Roberts, chief security architect at threat detection firm Acalvio, takes a similar view. Provided that adequate checks are made against the registrants and strict rules are devised and enforced, then "yes, in the 'spirit' of hacking it's good."

But he warned, "Let's not devalue the red-team work and have someone hit the systems from all angles and all sides. That way there's a true perspective. The whole idea of hacking the DHS would be to focus on the weakest links, which are humans and third parties. I'm going to assume those are out of scope, which in reality, makes it kind of a waste of time. On paper, it's a good idea. But allow us to hit whenever and wherever we want, like a true attacker would and then let's talk. Until then, it's simply a face-saving thing which cheapens the whole assessment side of the world."


Shadow Brokers Launches 0-Day Exploit Subscriptions for $21,000 Per Month
30.5.2017 thehackernews BigBrothers
Having promised to release more zero-day exploits and hacking tools for various platforms starting from June 2017, the infamous hacking group Shadow Brokers is back with more information on how to subscribe and become a private member receiving exclusive access to the future leaks.
The Shadow Brokers is the same hacking group that publicly leaked NSA-built Windows hacking tools and zero-day exploits, which led to the WannaCry menace.
When the Shadow Brokers promised its June 2017 release two weeks ago, the group announced that it would sell new zero-day exploits and hacking tools only to the private members with paid monthly subscription, instead of making them public for everyone.
How to Become Member of the 'Wine of Month' Club?
Now, just a few minutes ago, the hacking collective has released details about how to participate in the monthly subscription model – or the "Wine of Month Club," as the group called it – to get exclusive access to the upcoming leaks each month starting from June.
So, those who are interested in buying a membership of the "wine of month club" are required to:
Send 100 ZEC (Zcash), which is around $21,519 USD, to this z_address (zcaWeZ9j4DdBfZXQgHpBkyauHBtYKF7LnZvaYc4p86G7jGnVUq14KSxsnGmUp7Kh1Pgivcew1qZ64iEeG6vobt8wV2siJiq) between 06/01/2017 and 06/30/2017.
Include a 'delivery email address' in the 'encrypted memo field' when sending Zcash payment.
Once done, the Shadow Brokers will send a payment confirmation email to "delivery email address" provided by all interested members.
Then between 07/01/2017 and 07/17/2017, the group will send another email to all confirmed members, containing a link and their unique password for the June 2017 data dump.
Launched in late October, Zcash is a new cryptocurrency that claims to be more anonymous than Bitcoin, as the sender, recipient, and value of transactions remain hidden. However, the group said it doesn't even trust Zcash and Tor for absolute anonymity.
"Zcash is having connections to USG (DARPA, DOD, John Hopkins) and Israel. Why USG is "sponsoring" privacy version of bitcoin? Who the fuck is knowing? In defense, TOR is originally being by similar parties. TheShadowBrokers not fully trusting TOR either," the Shadow Brokers writes.
What is Going to be in the Next Data Dump?
The hacking collective says the membership has been kept expensive because the data dump has been intended for hackers, security companies, government, and OEMs.
"If you caring about losing $20k+ Euro then not being for you. Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments," the Shadow Brokers say.
Although what the June dump would contain is not clear at the moment, the Shadow Brokers' last announcement claimed that the upcoming data dump would include:
Exploits for operating systems, including Windows 10.
Exploits for web browsers, routers, and smartphones.
Compromised data from banks and Swift providers.
Stolen network information from Russian, Chinese, Iranian, and North Korean nuclear missile programs.
Keeping in mind the last disaster caused by the leaked NSA exploits, it would not be wrong for security companies to buy the June dump for $21,000 per month and secure their products before hackers get their hands on new zero-day exploits to wreak havoc across the world.
The claims made by the Shadow Brokers remain unverified at the time of writing, but since its previously released dump turned out to be legitimate, the group's statement should be taken seriously, at least now, when we know the NSA's backdoors released by the group last month were used by WannaCry and other malware to cause chaos worldwide.
If the announcement made by the Shadow Brokers comes out to be true, the world should be well prepared for another WannaCry-like massive destroyer.
Shadow Brokers Emptied their Bitcoin Account
Before publicly dumping the stolen NSA zero-day exploits in April, the Shadow Brokers put those cyber weapons up for auction for 1 million Bitcoin.
Although the auction did not go well, the Bitcoin address set up by the hacking collective to collect bids has received a total of 10.5 Bitcoin (around $24,000).
Finally, on Monday, the Shadow Brokers emptied their Bitcoin account, moving all the Bitcoins to subsidiary Bitcoin addresses.


Russian Hackers Made 'Tainted Leaks' a Thing — Phishing to Propaganda

29.5.2017 thehackernews BigBrothers

We come across so many revelations of sensitive government and corporate data on the Internet these days, but how accurate is the information leaked by unknown actors? How real is the information that you completely trust?
Security researchers have discovered new evidence of one such sophisticated global espionage and disinformation campaign, with suspected ties to the Russian government, aimed at discrediting enemies of the state.
Although there is no definitive proof of Russian government's involvement in the campaign, there is "overlap" with previously reported cyber espionage activities tied to a Russia-backed hacking group well known as APT28.
APT28 — also known as Fancy Bear, Sofacy, Sednit, and Pawn Storm — is the same group that was responsible for the Democratic National Committee (DNC) breach. The group has been operating since at least 2007 and has alleged ties to the Russian government.
A new report, titled Tainted Leaks, published this week by the Citizen Lab at the University of Toronto's Munk School of Global Affairs gives a new view on how Russian state-sponsored hackers targeted over 200 Gmail users, including journalists, activists critical of the Kremlin and those connected with the Ukrainian military to steal sensitive emails from their accounts.

The hackers then manipulated some of the stolen emails before publishing them on the Internet, planting disinformation alongside legitimate leaks.
"It provides evidence of how documents stolen from a prominent journalist and critic of Russia was tampered with and then "leaked" to achieve specific propaganda aims," the researchers wrote.
Citizen Lab researchers said that the hackers abused Google's own services and used phishing emails to steal Gmail credentials from 218 targets across 39 countries, including former US defense officials, a former Russian prime minister, and a Ukrainian military official.
Researchers detected the campaign in October 2016, but the attacks were going on for several months before that.
Phishing Attack Abuses Google's Own Service

The attackers sent phishing emails that looked almost identical to the security warnings from Google, alerting victims that someone had obtained their password and that they should change it right away.
But, as soon as the victims visited the link and entered their login details, the hackers gained access to their accounts.
The phishing link was convincing enough to trick victims into handing over their credentials because the campaign combined Google AMP's open redirect with a short URL service to hide the phishing pages behind a legitimate-looking google.com link.
https://www.google.com/amp/tiny.cc/(redacted)
Which redirects to:
hxxp://myaccount.google.com-changepassword-securitypagesettingmyaccountgooglepagelogin.id833[.]ga/security/signinoptions/password
The above landing URL looks like Google's password-reset page and captures users' credentials as soon as they are entered.
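As an added defensive illustration (not code from Citizen Lab or the article), the following checks a URL for the two tricks described above: a google.com/amp/ viewer wrapper that redirects to a URL shortener, and a hostname that contains "google.com" as a label but whose registered domain is something else. The shortener list and the two-label registered-domain heuristic are assumptions for illustration; the sample URLs are constructed and modelled on the shapes quoted in the article.

```python
from urllib.parse import urlparse, unquote

# Assumption: a short illustrative list of URL shorteners, not an exhaustive one.
URL_SHORTENERS = {"tiny.cc", "bit.ly", "goo.gl", "t.co"}

# Constructed samples modelled on the article's two URL shapes (hostnames are placeholders).
SAMPLE_URLS = [
    "https://www.google.com/amp/tiny.cc/EXAMPLE",
    "http://myaccount.google.com-changepassword.lookalike.example/security/signinoptions/password",
    "https://myaccount.google.com/security/signinoptions/password",
]


def registered_domain(host):
    """Crude eTLD+1: the last two labels of the host (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def unwrap_amp(url):
    """Return the destination embedded in a google.com/amp/ viewer URL, or None."""
    p = urlparse(url)
    if registered_domain(p.hostname or "") != "google.com":
        return None
    path = unquote(p.path)
    if not path.startswith("/amp/"):
        return None
    target = path[len("/amp/"):]
    if target.startswith("s/"):            # /amp/s/<host>/... denotes an https destination
        target = "https://" + target[2:]
    elif not target.startswith(("http://", "https://")):
        target = "http://" + target
    return target


def analyze(url):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    inner = unwrap_amp(url)
    if inner:
        inner_host = urlparse(inner).hostname or ""
        findings.append("amp_redirect_to:" + inner_host)
        if registered_domain(inner_host) in URL_SHORTENERS:
            findings.append("amp_redirect_to_shortener")
        url = inner                        # continue the checks on the real destination
    host = (urlparse(url).hostname or "").lower()
    if "google.com" in host and registered_domain(host) != "google.com":
        findings.append("lookalike_google_host:" + registered_domain(host))
    return findings


if __name__ == "__main__":
    for sample in SAMPLE_URLS:
        print(sample, "->", analyze(sample) or "clean")
```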
"After highlighting the similarities between this campaign and those documented by previous research, we round out the picture on Russia-linked operations by showing how related campaigns that attracted recent media attention for operations during the 2016 United States presidential election also targeted journalists, opposition groups, and civil society," Citizen Lab wrote.
Citizen Lab researchers were able to identify the campaign after analyzing two phishing emails sent to David Satter, an American journalist and Kremlin critic who was banned from Russia in 2014.

Connection with DNC and French President Leak
According to the researchers, the approach and techniques used in the campaign appear similar to the hacking attempts that hit Hillary Clinton's presidential campaign chairman John Podesta last year and the recent one that targeted French President Emmanuel Macron.
"In the 2017 French presidential election, tainted leaks appear to have been used in an attempt to discredit the political party and candidate for election directly," the researchers said.
US intelligence officials have previously concluded that the Russian government was behind the attacks on Podesta and other Democratic officials. Now, Citizen Lab said the Russian government was behind the recent phishing campaign and the subsequent manipulation of Satter's e-mail.
Besides Satter, the same phishing campaign also targeted 218 other individuals, including politicians and other government officials, members of cabinets from Europe and Eurasia, journalists, academics, CEOs of energy and mining companies, UN officials, and high-ranking military personnel from more than a dozen countries, including the United States and NATO.
Tainted Leaks: A New Threat
CyberBerkut, a self-described pro-Russian group, published some of the documents obtained from Satter's email accounts, one of which was manipulated to make it appear that Satter was paying Russian journalists and activists to post articles critical of the Russian government, articles that would subsequently be published by several media outlets.
"Tainted leaks are a growing and particularly troublesome addition to disinformation tactics, and in the current digital environment are likely to become more prevalent," the Citizen Lab researchers concluded.
"Tainted leaks—fakes in a forest of facts—test the limits of how media, citizen journalism, and social media users handle fact checking, and the amplification of enticing, but questionable information."
So the next time you come across a widespread data leak, do not trust it blindly until the authenticity of the leaked documents has been verified.


Austrian parties SPÖ and ÖVP want Whatsapp monitoring
29.5.2017 securityaffairs BigBrothers

Austria's SPÖ and ÖVP parties are pushing for WhatsApp monitoring and plan further measures to fight terrorism.
Both the Social Democratic Party of Austria (SPÖ) and the Austrian People's Party (Österreichische Volkspartei; ÖVP) are pushing for the monitoring of instant messaging services such as WhatsApp.

Experts believe that the government will end anonymous mobile phone SIM cards after the election.

The recent terrorist attack at the Manchester Arena is fueling the discussion about state surveillance measures adopted in Austria to fight terrorism in the country.

According to the director of the Federal Office for Constitutional Protection and Terrorism, Peter Gridling, there is a concrete risk of an imminent attack.

“‘Concrete suspicious moments’ for an imminent terrorist attack in Austria so far,” said Gridling on Friday evening on “ZiB2”.

The BVT director described it as an “illusion to believe that one succeeds in keeping 300 people around the clock under observation.” “Priorities should be set. This could lead to situations where people classified as marginalized persons (…) are seen to be important actors,” he said, referring to the Manchester terrorist attack.

Whatsapp monitoring surveillance

ÖVP chief Sebastian Kurz is urging an additional effort by law enforcement and intelligence agencies against terrorists. In March, the ÖVP presented a follow-up to the previous data retention law and proposed an update to allow the monitoring of WhatsApp and Skype.

“We are waiting until now for a release to take the further steps to the implementation,” said Brandstetter spokesman Jim Lefebre to the STANDARD.

SPÖ spokesman Johannes Jarolim was surprised at the statements.

The government has already approved a security package that may address Skype and WhatsApp monitoring without a Bundestrojaner (Federal Trojan), the term used for state-sponsored spyware.

“Without the help of a Bundestrojaner, as Brandstetter has announced,” Jarolim said.

The principal problem is that end-to-end encrypted communications cannot be intercepted without either surveillance software on the device or a backdoor in the encryption implementation.

In Germany, authorities rely on state surveillance software that is secretly installed on mobile devices to monitor the activities of suspects and exfiltrate data.

Vice Chancellor Brandstetter assumes that WhatsApp users can be monitored with software that can be acquired through an international tender.

On the market, there are a number of applications that can be used to access WhatsApp chats from backups, one of them being the Elcomsoft Explorer for WhatsApp, but they cannot be used to access communications in real time.

Another measure under discussion that could be included in the security package is the regulation regarding an end of anonymous mobile SIM cards.

While SPÖ and ÖVP have already agreed on extending monitoring methods, the parties are still negotiating the end of anonymous mobile SIM cards.

“The plans came from Interior Minister Wolfgang Sobotka (ÖVP) and Hans Peter Doskozil (SPÖ), who agreed on fewer negotiating hours.” reported the Austrian agency Derstandard.at.