Saturday, 31 December 2016

U.S. Government Maps Election Hacks to Russian Threat Groups

The Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) on Thursday published a Joint Analysis Report (JAR) to detail the tools and infrastructure that Russian hackers used in attacks against the United States election.

The JAR was meant to offer technical details on the cyber activities of Russian civilian and military intelligence Services (RIS), some of which targeted the US government and political and private entities. This is the first time the malicious cyber activity, which the US calls GRIZZLY STEPPE, has been officially attributed to a specific hacking group.

As expected, U.S. President Barack Obama on Thursday announced several retaliatory actions against Moscow, imposing sanctions on two intelligence agencies, expelling 35 diplomats and denying access to two Russian compounds inside the United States.

In October this year, the US government officially accused Russia of involvement in the cyber-attacks against US political organizations, saying that some states had seen scanning and probing activity originating from servers operated by a Russian company, but no attribution was made at the time. The report (PDF) not only makes an attribution, but also provides recommended mitigations and suggested actions to take in response to indicators provided.

The JAR reveals that two different actors participated in the intrusion into a U.S. political party, one in the summer of 2015, namely Advanced Persistent Threat (APT) 29, and the other in spring 2016, namely APT28. The former is also known as Cozy Bear, or CozyDuke, while the latter is referred to as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team.

This falls in line with what intelligence firm CrowdStrike revealed in June, after assisting the Democratic National Committee (DNC), the formal governing body for the U.S. Democratic Party, to investigate cyber-attacks against its network. Later during summer, two security firms uncovered evidence that Fancy Bear breached the U.S. Democratic Congressional Campaign Committee (DCCC) as well.

Both Cozy Bear and Fancy Bear were previously linked to attacks against US government organizations and other governments worldwide. Their attack methods include spearphishing to deliver malicious droppers to victims’ computers, and the use of shortened URLs pointing to newly created domains that closely resemble those of the targeted organizations.

“Once APT28 and APT29 have access to victims, both groups exfiltrate and analyze information to gain intelligence value. These groups use this information to craft highly targeted spearphishing campaigns. These actors set up operational infrastructure to obfuscate their source infrastructure, host domains and malware for targeting organizations, establish command and control nodes, and harvest credentials and other valuable information from their targets,” the JAR reads.

Previously, security researchers managed to identify some of the tools that these actors use, such as the XTunnel malware that is believed to have been specifically created for the DNC hack. Other malicious applications include the Fysbis backdoor to target Linux machines, the Komplex Trojan targeting OS X systems, and the Carberp malware to compromise Windows computers.

While many in the cybersecurity community understandably question whether the report provides enough detail to attribute the attacks to Russia, the US government claims that it has enough evidence to link RIS to the recent attacks. Moreover, it says that these aren’t isolated incidents, but part of ongoing campaigns targeting the nation. The security industry, however, has widely criticized IOC-based attribution as weak “evidence” on which to confidently point a finger.

In October, Kaspersky Lab security researchers warned of the deep implications of misattribution, suggesting that attribution is difficult, mainly because of the widespread use of sophisticated deception tactics among hacking groups.

“This activity by RIS is part of an ongoing campaign of cyber-enabled operations directed at the U.S. government and its citizens. These cyber operations have included spearphishing campaigns targeting government organizations, critical infrastructure entities, think tanks, universities, political organizations, and corporations leading to the theft of information,” the report claims.

For US organizations to better protect themselves against such attacks, the JAR provided a list of alternate names associated with RIS, along with Indicators of Compromise (IOCs), which can be found in the accompanying CSV and STIX XML files, and recommendations regarding the actions that network administrators should take to detect compromise and secure perimeters.

While some industry experts applauded the GRIZZLY STEPPE indicators provided by the U.S. Government, others urged caution for those quickly integrating them into their cyber defense measures.

“Be careful using the DHS/FBI GRIZZLY STEPPE indicators. Many are VPS, TOR relays, proxies, etc. which will generate lots of false positives,” Robert M. Lee, founder and CEO of Dragos Security and a former member of the intelligence community, tweeted.
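To illustrate Lee’s caveat, the following added example (not code from the JAR, DHS/FBI or Dragos) matches proxy log lines against an indicator list and marks hits on indicators tagged as Tor exits, VPS ranges or proxies as low-confidence leads to corroborate rather than alerts. The CSV layout, tag names, log line format, addresses and log lines are all constructed here and are not the JAR’s.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass

# Constructed indicator list in a simple three-column layout. This is NOT the
# layout of the JAR's CSV, and the addresses come from the RFC 5737
# documentation ranges, so none of them is a real indicator.
INDICATORS_CSV = """indicator,type,tags
192.0.2.10,ipv4,
198.51.100.7,ipv4,tor-exit
203.0.113.0/24,ipv4-range,vps-provider
198.51.100.9,ipv4,proxy
"""

# Tags that mark shared or anonymising infrastructure. A hit on such an
# indicator is weak on its own, because many unrelated users share the address.
SHARED_INFRA_TAGS = frozenset({"tor-exit", "tor-relay", "vps-provider", "proxy"})


@dataclass(frozen=True)
class Indicator:
    network: ipaddress.IPv4Network  # a single host (/32) or a CIDR range
    tags: frozenset


def load_indicators(csv_text):
    """Parse the indicator CSV; single hosts become /32 networks."""
    indicators = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(row["indicator"], strict=False)
        tags = frozenset(t.strip() for t in row["tags"].split(";") if t.strip())
        indicators.append(Indicator(net, tags))
    return indicators


def classify_ip(ip_text, indicators):
    """Return None when the address matches nothing, else (confidence, indicator)."""
    ip = ipaddress.ip_address(ip_text)
    for ind in indicators:
        if ip in ind.network:
            confidence = "low" if ind.tags & SHARED_INFRA_TAGS else "high"
            return confidence, ind
    return None


def scan_proxy_log(lines, indicators):
    """Match the destination address of each proxy log line.

    Constructed line layout: "<timestamp> <client_ip> <destination_ip> <url>".
    Returns one dict per matching line; lines that match nothing are skipped.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed lines instead of failing the whole scan
        result = classify_ip(parts[2], indicators)
        if result is None:
            continue
        confidence, ind = result
        hits.append({
            "timestamp": parts[0],
            "client": parts[1],
            "destination": parts[2],
            "indicator": str(ind.network),
            "confidence": confidence,
            # A low-confidence hit is a lead to corroborate (with the URL, the
            # originating process, or other telemetry), not an alert by itself.
            "action": "alert" if confidence == "high" else "corroborate",
        })
    return hits


def summarize(hits):
    """Count hits per confidence level so the false-positive load is visible."""
    counts = {"high": 0, "low": 0}
    for hit in hits:
        counts[hit["confidence"]] += 1
    return counts


# Constructed proxy log lines for the demonstration.
SAMPLE_LOG = [
    "2016-12-29T10:00:01Z 10.1.1.5 192.0.2.10 http://192.0.2.10/update.php",
    "2016-12-29T10:00:02Z 10.1.1.6 198.51.100.7 https://198.51.100.7/",
    "2016-12-29T10:00:03Z 10.1.1.7 203.0.113.44 https://203.0.113.44/blog",
    "2016-12-29T10:00:04Z 10.1.1.8 192.0.2.200 https://192.0.2.200/",
    "malformed line",
]

if __name__ == "__main__":
    inds = load_indicators(INDICATORS_CSV)
    found = scan_proxy_log(SAMPLE_LOG, inds)
    for hit in found:
        print(hit)
    print(summarize(found))
```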

Sunday, 25 December 2016

DirtyCow and Drammer vulnerabilities "hijack Android devices"

The vulnerabilities are known colloquially as DirtyCow (CVE-2016-5195) and Drammer (CVE-2016-6728). While they are unrelated, they both represent a real risk to Android users as individuals have already published proof-of-concept exploit code online for both vulnerabilities, thus minimizing the time attackers would need to understand and develop their own exploits from scratch. Additionally, industry researchers have already seen attackers using DirtyCow to exploit Linux-based systems in the wild.


Given that the CVEs and the POC code are publicly available, enterprises should see this as a concern. If an attacker roots a device, she has full control over it, which means she may also be able to collect sensitive data from the device. If the victim is an employee, that may mean company information is being leaked. Having visibility into the kinds of apps, rooted devices, or outdated software running on the corporate network is critical.

DirtyCow

The vulnerability extends back nine years and affects all versions of Android including the latest Android 7.0 Nougat. While Linus Torvalds created and released a patch for the Linux Kernel – which Android uses – the patch has not been released as a security update for Android users yet.

DirtyCow is an easy vulnerability to understand, and proof-of-concept exploit code is already in the wild, available to researchers and attackers alike. We expect to see this issue patched in the November 2016 Android Security Update at the earliest.

Drammer

The second vulnerability, called Drammer and discovered by VUSec, is the first application of the Rowhammer technique to ARM-based devices, in this case Android devices. Drammer exploits a hardware bug: by repeatedly reading, or “hammering,” a row of memory, an attacker can induce a bit in a neighbouring location, one the attacker does not control, to “flip” and change value. With enough hammering, the attacker can control where a memory pointer points, so that the device can eventually be compromised and rooted. Drammer likely works on all versions of Android including the latest, but your mileage may vary.

Patches

Google has banned the Drammer POC app from the Google Play Store. Lookout customers are protected from this test app. Our investigation revealed that the banned POC app published by the academic researchers is not overtly malicious, but it does exploit the vulnerability and has been observed to cause a local denial of service on failed exploit attempts.

Enterprises should use a mobile security partner to gain awareness into the apps running on their employees’ devices and to receive timely alerts when one of those apps is risky or malicious.

Indian arrested in US for cyber attack

An Indian-origin teenager has been arrested in the US for carrying out a cyber-attack that swamped Arizona's emergency services with several bogus calls, an incident he claimed was a non-harmful joke gone wrong. Meetkumar Hiteshbhai Desai was taken into custody after the Surprise Police Department, Arizona, notified the Sheriff's Office of more than 100 hang-up 911 calls.

The Maricopa County Sheriff's Office arrested the 18-year-old, accusing him of carrying out a cyber-attack on the 911 system, according to a Sheriff's Office statement. Desai was booked into a Maricopa County jail on suspicion of three counts of computer tampering.

Interference with critical infrastructure could have disrupted the 911 system in the Phoenix area and potentially other states, The Arizona Republic reported. Investigators traced the calls and discovered they originated from a link posted to Twitter, according to the statement.

The link was to a site named "Meet Desai" and its domain was hosted out of San Francisco. When the link was clicked, it continually called 911 and would not let the caller hang up. Peoria police and the MCSO also received a large number of calls, and the volume had the potential to shut down 911 service across Maricopa County, the Sheriff's Office said. MCSO detectives identified 'Meet' and took him in for questioning last Wednesday.

"Meet claims that his intention was to make a non-harmful, but annoying bug that he believed was 'funny'," the Sheriff's Office statement said.

Desai told investigators that he was approached by an online friend with a bug. Desai then tweaked the bug so it would add pop-ups, prompts to open e-mail applications and activation of automatic telephone dialling on iOS devices, all via coding that Desai wrote himself.

Desai told sheriff's detectives that he was interested in programmes, bugs and viruses that he could manipulate and change. Desai said Apple Inc., the hardware and software company, would pay and credit him for discovering such bugs and viruses. The MCSO cyber crimes unit executed a search warrant and seized multiple items at Desai's residence that will be forensically examined, the Sheriff's Office said.

Wednesday, 21 December 2016

"Alice" Malware Drains All Cash from ATMs

Dubbed Alice, the malware is the most stripped down ATM threat seen to date. The malware has no information stealing capabilities and can’t even be controlled via the ATM’s numeric keypad. Initially discovered in November 2016, Alice is believed to have been around since 2014, and Trend Micro says that it is only the eighth ATM malware family seen to date, although such threats have been around for over nine years.

Use of the malware requires physical access to an ATM, and Trend Micro suggests that it has been designed for money mules to steal all the money available in an attacked cash machine, something that malware such as GreenDispenser was seen doing last year.
Unlike that piece of malware, however, the new threat doesn’t connect to the ATM’s PIN pad and can also be used via Remote Desktop Protocol (RDP), although Trend Micro says that there’s no evidence of such use as of now.

Malware analysis revealed that Alice (the name was included in the version information of the binary) was packed with a commercial, off-the-shelf packer/obfuscator called VMProtect, which prevents execution inside debuggers. Further, the malware checks its environment before execution and terminates itself if it determines it isn’t running on an ATM (it checks for a couple of registry keys and also requires specific DLLs to be installed on the system).

When running on a machine, Alice writes two files in the root directory, namely an empty 5 MB+ sized file called xfs_supp.sys and an error logfile called TRCERR.LOG. Next, it connects to the CurrencyDispenser1 peripheral, which is the dispenser device in the XFS environment and, if a correct PIN is provided, it displays information on the various cassettes with money loaded inside the machine.

Because the malware only connects to the CurrencyDispenser1 peripheral and doesn’t attempt to use the machine’s PIN pad, the researchers believe that the attackers physically open the ATM and infect it via USB or CD-ROM. Moreover, they suggest that the actors connect a keyboard to the machine’s mainboard and operate the malware through it.

The security researchers discovered that Alice supports three commands, each issued via specific PINs: one to drop a file for uninstallation, another to exit the program and run the uninstallation/cleanup routine, and a third to open the “operator panel.” This panel is where information on the cash available inside the ATM is displayed.

The attacker simply needs to enter the cassette’s ID for the ATM to dispense the money in it. The dispense command is sent to the CurrencyDispenser1 peripheral via the WFSExecute API. With ATMs typically having a 40-banknote dispensing limit, the attacker might have to perform the same operation multiple times to empty all the cash stored in a cassette. Information on the available cash is dynamically updated on the screen, so the attacker knows when a cassette is empty.

Trend Micro believes that the attackers manually replace the Windows Task Manager on the targeted machines with Alice, because the malware is usually found on infected systems under the name taskmgr.exe. The malware has no persistence mechanism of its own, but running in place of Task Manager means that Alice is invoked every time Task Manager is launched.

“The existence of a PIN code prior to money dispensing suggests that Alice is used only for in-person attacks. Neither does Alice have an elaborate install or uninstall mechanism - it works by merely running the executable in the appropriate environment,” the researchers say.

The PIN authentication system is similar to that used by other ATM malware families, but it also provides the malware author with control over who has access to Alice. By changing the access code between samples, the author either prevents money mules from sharing the code or keeps track of individual money mules, or both.

The analyzed sample used a 4-digit passcode, but other samples could use longer PINs. The PIN cannot be brute-forced, as the malware would accept a limited number of inputs before terminating itself and displaying an error message. The researchers also believe that Alice was designed to run on any vendor’s hardware configured to use the Microsoft Extended Financial Services middleware (XFS).

“Up until recently, ATM malware was a niche category in the malware universe, used by a handful of criminal gangs in a highly targeted manner. We are now at a point where ATM malware is becoming mainstream,” Trend Micro researchers say.

Tuesday, 20 December 2016

Cyberattack may have caused the power outage that occurred in Ukraine

Ukrenergo said the outage occurred on Saturday, near midnight, at the North (Petrivtsi) substation, causing blackouts in the capital city of Kiev and the Kiev region.

Ukrenergo Acting Director Vsevolod Kovalchuk said workers switched to manual mode and started restoring power after 30 minutes. Power was fully restored after just over an hour, Kovalchuk said.

The statement published by Ukrenergo names equipment malfunction and hacking as the possible causes. However, in a message posted on Facebook, Kovalchuk said the main suspect was “external interference through the data network.” The organization’s cybersecurity experts are investigating the incident.

Roughly one year ago, the Ukrainian security service SBU accused Russia of causing outages with the aid of malware planted on the networks of several regional energy companies.

Researchers determined that these attacks involved two main pieces of malware: the BlackEnergy Trojan and KillDisk, a plugin designed to destroy files and make systems inoperable. The attackers directly interacted with the system in order to cut off the power supply, and they used KillDisk to make recovery more difficult, experts said.

In the 2015 attacks, power companies restored service within 3-6 hours by switching to manual mode, just like in the latest incident.

A report published recently by Booz Allen Hamilton revealed that the 2015 cyberattacks were likely part of a two-year campaign that targeted several sectors in Ukraine. Researchers identified 11 attacks aimed at the electricity, railway, media, mining and government sectors.

While experts have not found any hard evidence linking these attacks to Russia, the attackers’ significant resources appear to indicate the involvement of a nation state, and the threat actor’s goals align with Russian political interests.

Friday, 16 December 2016

Yahoo's billion-user database was sold on the Dark Web last August for $300,000.

The New York Times reports that a billion-user database was sold on the Dark Web last August for $300,000.

That’s according to Andrew Komarov, chief intelligence officer at security firm InfoArmor. He told the NYT that three buyers, including two prominent spammers and a third who might be involved in espionage, purchased the entire database at the aforementioned price from a hacker group believed to be based in Eastern Europe.

It’s lovely to know that it only costs $300,000 to be able to threaten a billion people’s online existence – which means each account is only worth $0.0003 to hackers who can ruin your life online in a matter of minutes.

Yahoo also doesn’t yet know who made off with all the data in the 2013 attack, which is said to be the largest breach of any company ever.

In addition to full names, passwords, birth dates and phone numbers, the database also contains security questions and backup email addresses that could help with resetting forgotten passwords.

That’s worrying, because these details may be common to several other online services and accounts, and could make many users vulnerable to phishing attacks that feature accurate personal information in scammy emails to coax them into handing over things like their bank account, credit card and social security numbers.

Yahoo has said that it hasn’t been able to verify Komarov’s claims yet; meanwhile, the FBI said in a statement that it’s investigating the breach.

Komarov noted that the database is still up for sale, though bids for it have now plummeted to as low as $20,000 since Yahoo forced a password reset.

It’ll be interesting to see what this revelation spells for the future of Yahoo, which is set to be sold to Verizon for $4.8 billion. Following the news of the 500 million-user breach earlier this year, the telecom giant said it wanted a billion-dollar discount on the deal. At this point, though, it seems like it might be better off walking away empty-handed.

Monday, 12 December 2016

Yahoo patches critical XSS vulnerability that let hackers read any email

Yahoo, which was in the limelight for revealing a massive hack on its users earlier this year, has fixed a highly critical cross-site scripting (XSS) security flaw in its email system that would have allowed attackers to access any email.

The flaw was discovered and reported by Finland-based security researcher Jouko Pynnonen, who earned $10,000 for the find from Yahoo’s bug bounty program. The flaw allowed an attacker to read a victim’s email or create a virus infecting Yahoo Mail accounts, among other things.

Unlike email phishing scams and ransomware attacks, there was no need for the hacker to send a virus or trick the victim into clicking a specific link. An attacker would only have to send an email to the victim to gain access to their messages.

The bug resided in Yahoo Mail’s HTML filtering. Yahoo runs incoming HTML messages and their attachments through a filter that inspects the “raw” HTML of the email to keep malicious code out. The investigation, however, showed that attackers could bypass this filter by sending a YouTube link in the email, which allowed the hacker to execute JavaScript code and read the user’s emails.

The report of the critical flaw comes just months after the tech giant admitted that a massive data breach in 2014 gave access to information on more than 500 million user accounts. The attack, which is the largest in the history of the Internet, gave hackers access to names, email addresses, telephone numbers, encrypted or unencrypted security questions and answers, dates of birth, and encrypted passwords of users. The company later blamed the attack on state-sponsored parties but did not name any country.

Friday, 9 December 2016

ESET: Internet Users Possibly Exposed to Malicious Malvertising Campaign

The firm says that the cyber-criminals behind the campaign have been, since at least the beginning of October, distributing malicious ads promoting applications calling themselves “Browser Defence” and “Broxu” which redirect users to the Stegano exploit kit.
ESET added:
“Without requiring any user interaction, the initial script reports information about the victim’s machine to the attacker’s remote server. Based on server-side logic, the target is then served either a clean image or its almost imperceptibly modified malicious evil twin.
“Using the known Internet Explorer vulnerability CVE-2016-0162, the encoded script attempts to verify that it is not being run in a monitored environment such as a malware analyst’s machine,” and if the script does not detect any signs of monitoring, it redirects to the Stegano exploit kit’s landing page.
Upon successful exploitation, the executed shell code collects information on installed security products and performs – as paranoid as the cyber-criminals behind this attack – yet another check to verify that it is not being monitored. If results are favorable, it will attempt to download the encrypted payload from the same server again, disguised as a gif image.
Apparently, payloads detected so far include backdoors, banking trojans, spyware, file stealers and various trojan downloaders.
“This type of malicious activity shows clearly how cyber-criminals are adapting to the best means to distribute and infect as many as possible through the platforms that work," Mark James, IT security specialist at ESET, told Infosecurity. "There is a misconception that you have to visit ‘dodgy’ websites to get infected, but cyber-criminals are not stupid, why infect somewhere with a relatively small footfall when you can infect a website with infinitely more visitors thinking they are safe because they trust the name of the vendor?
“Some users still believe you actually have to click on a link or run a file to actually start the infection process, and what’s worse is in most cases the actual owner of the website is totally unaware they have a problem.”
The key to defending yourself, added James, is making sure you have a good, regularly updated internet security product installed, along with keeping your operating system and applications patched and up to date.
"A lot of websites use ads to help fund the free content we want and using things like ad blockers can have an adverse effect on this revenue stream but is a means of defense that could stop this type of attack.”

Wednesday, 7 December 2016

Visa credit cards can be hacked in seconds: researchers explain the main problem

A paper from Newcastle University’s Mohammed Aamir Ali, Budi Arief, Martin Emms and Aad van Moorsel describes how they were able to launch a “distributed guessing attack” against Alexa top-400 online merchants’ payment sites to work out expiry dates and CV2 values.

"Researchers have warned that deficiencies in Visa’s e-commerce payment network could allow attackers to brute force credit card details in as little as six seconds."

As different sites perform different security checks to validate card details, hackers can launch mass attempts across a range of sites to work out the key verification details.

MasterCard is not affected as it enforces centralized checks across transactions from different sites and so detects the guessing attack after fewer than 10 attempts, but Visa’s payment ecosystem does not, and so is wide-open to attack, the report claimed.

The researchers explained the main problem:

“The first weakness is that in many settings, the current online payment system does not detect multiple invalid payment requests on the same card from different websites. Effectively, this implies that practically unlimited guesses can be made by distributing the guesses over many websites, even if individual websites limit the number of attempts.

"Secondly, the attack scales well because different web merchants provide different fields, and therefore allow the guessing attack to obtain the desired card information one field at a time.”

Guessing an expiry date using the methodology detailed in the report would take at most 60 attempts, with the three-digit CV2 taking fewer than 1000.

The researchers also showed that in some cases even addresses could be guessed by the same method.

However, the attackers must already know the long card number.

It should also be noted that websites running the 3D Secure system are immune to the attack, as its pop-up window requires the user to fill in a separate secret password and CV2 to complete an order.
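The following added example (not the Newcastle team’s code) models the two settings the researchers contrast: a velocity limit counted per merchant, which spreading the guesses over many sites defeats, beside a limit counted per card across all merchants, which stops the card after a handful of invalid attempts. Merchant names, the card token and the 60 expiry candidates are constructed; nothing here touches a payment system.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    merchant: str    # hypothetical merchant name
    pan_token: str   # tokenised card reference; the full card number is never stored
    field: str       # the card field this merchant asks the issuer to validate
    ok: bool         # whether the submitted value was accepted


class VelocityLimiter:
    """Counts invalid attempts under a key and blocks once the limit is reached.

    The key function decides what is being limited: a (merchant, card) pair
    gives the per-website limit that the paper says is defeated by spreading
    guesses over many merchants; a card-only key gives the centralized check
    across merchants that the paper credits MasterCard with.
    """

    def __init__(self, limit, key_func):
        self.limit = limit
        self.key_func = key_func
        self.failures = defaultdict(int)

    def check(self, attempt):
        key = self.key_func(attempt)
        if self.failures[key] >= self.limit:
            return "blocked"  # this key is already over its invalid-attempt limit
        if not attempt.ok:
            self.failures[key] += 1
        return "allowed"


def per_merchant_key(attempt):
    return (attempt.merchant, attempt.pan_token)


def network_key(attempt):
    return attempt.pan_token


def model_distributed_guessing(limiter, merchants, candidates, secret):
    """Replay one field's candidate values round-robin over the merchants.

    Returns how the run ended and after how many attempts: "blocked" if the
    limiter stopped the card first, "guessed" if the secret value was accepted.
    This is an abstract model of the paper's argument; it contacts nothing.
    """
    for n, value in enumerate(candidates, start=1):
        merchant = merchants[(n - 1) % len(merchants)]
        attempt = Attempt(merchant, "tok_constructed_0001", "expiry", value == secret)
        if limiter.check(attempt) == "blocked":
            return {"outcome": "blocked", "attempts": n}
        if attempt.ok:
            return {"outcome": "guessed", "attempts": n}
    return {"outcome": "exhausted", "attempts": len(candidates)}


# Constructed scenario: 60 expiry candidates (5 years x 12 months, the paper's
# worst case), the correct value at position 37, twenty hypothetical merchants,
# and a limit of 10 invalid attempts in both settings.
MERCHANTS = [f"merchant-{i:02d}" for i in range(20)]
EXPIRY_CANDIDATES = list(range(60))
SECRET_EXPIRY = 37
LIMIT = 10


def compare_settings():
    """Run the same guessing stream against both limiter keys."""
    per_merchant = VelocityLimiter(LIMIT, per_merchant_key)
    centralized = VelocityLimiter(LIMIT, network_key)
    return {
        "per_merchant": model_distributed_guessing(
            per_merchant, MERCHANTS, EXPIRY_CANDIDATES, SECRET_EXPIRY),
        "centralized": model_distributed_guessing(
            centralized, MERCHANTS, EXPIRY_CANDIDATES, SECRET_EXPIRY),
    }


if __name__ == "__main__":
    for setting, result in compare_settings().items():
        print(f"{setting:13s} {result['outcome']:9s} after {result['attempts']} attempts")
```

With twenty merchants each site sees at most three invalid attempts, so the per-merchant limit never fires, while the card-keyed limit blocks on the eleventh attempt regardless of which site sends it.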

Tuesday, 6 December 2016

Millions of Android Users at Risk of MitM (Man-in-the-Middle) Attacks

The news has potential implications for users around the world, since AirDroid has an estimated user base of between 10 and 50 million devices, according to the Google Play Store. IT managers should see the news of a potential MitM attack as another reason to check the relevance of their security policies and mobile strategies.

Android Users at Risk

AirDroid sends the device authentication information to its statistics server through communication channels and encrypts it with Data Encryption Standard (DES) in the Electronic Codebook (ECB) mode, researcher Simone Margaritelli explained on the Zimperium blog. The problem is that fraudsters are able to access the encryption key since it’s hardcoded into the app. A nefarious actor on the device’s network could launch a MitM attack to steal authentication data and impersonate the victim for future requests.

A MitM attack is one where an attacker secretly relays and possibly alters the interaction between two parties. In this case, Margaritelli explained, an attacker could alter the response to the /phone/vncupgrade request. The app typically uses this request to scan for updates.

Don’t Snooze on MitM Attacks

The news will be of interest to IT and security managers in organizations that are evaluating the relative strengths of different mobile operating systems and devices, such as smartphones running Android and Apple devices running iOS.
According to InfoWorld, iPhones account for roughly 70 to 90 percent of devices used in the enterprise. Executive editor Galen Gruman advised businesses to hold back on Android due to security concerns, lack of application choices and the diffuse nature of the operating system.
However, more organizations are allowing workers to embrace bring-your-own-device (BYOD) or choose-your-own-device (CYOD) policies, ZDNet reported. To properly serve all employee types, enterprise mobility leaders must support both BYOD and CYOD and include corporate-owned, privately enabled elements.

MitM Mitigation

Margaritelli advised AirDroid users to use HTTPS channels exclusively, double-check the remote public key and always use digital signatures when updating. Additionally, users should adopt safe key exchange mechanisms instead of relying on encryption keys hardcoded within the app.
After Margaritelli repeatedly alerted the vendor to the vulnerability in May, the company issued updated versions 4.0.0 and 4.0.1. No security patch was issued, however. Margaritelli advised AirDroid users to uninstall the app until the vendor issues a fix.

Monday, 5 December 2016

Android malware steals access to more than one million Google accounts

A new Android malware has managed to steal access to more than 1 million Google accounts, and it continues to infect new devices, according to security firm Checkpoint.

“We believe that it is the largest Google account breach to date,” the security firm said in a blog post.

The malware, called Gooligan, has been preying on devices running older versions of Android, from 4.1 to 5.1, which are still used widely, especially in Asia.

Gooligan masquerades as legitimate-looking Android apps. Checkpoint has found 86 titles, many of which are offered on third-party app stores, that contain the malicious coding.

Once Gooligan is installed, it attempts to root the device, as a way to gain full control. The malware does this by exploiting well-known vulnerabilities in older versions of Android.

“These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user,” Checkpoint said.

Saturday, 3 December 2016

UK National Lottery Accounts Breached

Camelot, the company that runs the UK National Lottery, announced today that approximately 26,500 customer accounts had been fraudulently accessed. The activity was discovered on Monday.

Camelot claims that "there has been no unauthorized access to core National Lottery systems or any of our databases;" that is, it has not been hacked. Instead it suggests that the attackers used emails and passwords stolen from another online service.

Camelot is also confident that the affected customers cannot directly lose financially from the activity, although some personal information will have been accessed. It adds, "We have taken the measure of suspending the accounts of these players and are in the process of contacting them to help them re-activate their accounts securely." This will undoubtedly lead to increased phishing activity as criminals pretend to be Camelot offering help while actually soliciting further personal information.

The incident demonstrates the need for a responsible partnership between online organizations and users. Both have their part to play. Organizations should require two-factor authentication (and there are now several frictionless biometric options available), while customers should never reuse passwords for any account that holds personal or financial details.

In both cases it seems as if the attackers timed their activity over a weekend. A similar number of accounts were affected, and in both cases credentials stolen elsewhere were used. The possibility that attackers are automating the extraction of customer details from large stolen databases should not be ignored. If this is the case, then it is not just affected Camelot customers that should change their passwords, but anyone who has reused passwords for more than one account. Needless to say, if a two-factor authentication option is available, it should be adopted.

"There's no doubt that when one database is breached, it's common for the credentials stolen to be tried elsewhere," comments ESET senior research fellow David Harley. "If you were a bad guy, why wouldn’t you try them elsewhere? It can be done manually, of course, but it doesn’t require a lot of effort to automate, either. Which is why I (and many other security commentators) routinely recommend that people don't re-use credentials, at any rate for sites that use and may retain significant data."

The danger, however, is whether these bad guys are able to find common third-party services among the millions of email addresses and passwords at their disposal; that is, if they can find a way of locating Tesco Bank customers, or Camelot customers within the databases. This would not be impossible. Among the stolen credentials there will be many that provide access to the users' actual email accounts.