Hackers stole hundreds of millions from a bank. Nobody noticed them for ten days

27.7.2016 Crime
Judging by American action blockbusters, one would assume that big banks are among the most closely guarded places on the planet and that everyone immediately notices even a single missing dollar. The opposite is true, as a newly mapped hacker attack on an Ecuadorian bank shows. Nobody noticed the cyber pirates for ten long days, which earned them several hundred million crowns.
The attack on Banco del Austro (BDA) took place back in January 2015. The bank itself, however, only reported it officially now, as part of a lawsuit seeking the return of the stolen hundreds of millions. That is what made it possible to map the whole attack, the Reuters agency reported on Friday.

The hackers stole at least 12 million dollars from BDA, almost 290 million crowns. They got to the money incredibly easily. First they smuggled viruses into computers at the financial institution, which gave them the access codes for the SWIFT system.

In the virtual world of ones and zeros this is the same as getting the keys to the bank vault. Banks use the SWIFT system as a security standard for verifying transfers between each other. Through it they obtain a kind of signing keys on the basis of which one financial institution identifies itself to another, even on the other side of the planet. Put simply, this is how banks recognise each other when they communicate.

And that is exactly what the cybercriminals exploited. After obtaining the SWIFT codes they slowly began making one payment after another. To keep their activity from being too conspicuous, they transferred only a little over a million dollars a day.

That is probably also why bank employees did not immediately notice that something was wrong. As The Hacker News pointed out, the unauthorised transactions were stopped only ten days after the first transfer. Even that can be considered a success, because otherwise the hackers would have taken even more.
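The pattern described above, roughly a million dollars a day to counterparties the bank had never paid before, is exactly what a simple outflow velocity check and a new-beneficiary check would surface. The following Python is an added example, not code from the article or from any bank or SWIFT product; the transfer records, account names, window length and threshold are constructed assumptions.

```python
# Added example: rolling outflow velocity and new-beneficiary checks over
# constructed transfer records. Not the article's code or any real bank system.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of outbound transfer instructions (illustrative data):
# (timestamp, originating account, beneficiary bank, amount in USD)
SAMPLE_TRANSFERS = [
    ("2015-01-05T10:00:00", "NOSTRO-1", "BANK-A", 120_000),
    ("2015-01-06T11:30:00", "NOSTRO-1", "BANK-B", 95_000),
    ("2015-01-12T09:05:00", "NOSTRO-1", "BANK-HK-1", 1_050_000),
    ("2015-01-13T09:10:00", "NOSTRO-1", "BANK-HK-1", 1_100_000),
    ("2015-01-14T09:02:00", "NOSTRO-1", "BANK-HK-2", 1_020_000),
    ("2015-01-15T09:08:00", "NOSTRO-1", "BANK-HK-2", 1_080_000),
    ("2015-01-16T09:11:00", "NOSTRO-1", "BANK-HK-1", 1_030_000),
]

WINDOW = timedelta(days=3)       # assumed rolling window for the velocity check
WINDOW_LIMIT_USD = 2_500_000.0   # assumed alert threshold for outflow per window


def parse(record):
    ts, account, bank, amount = record
    return datetime.fromisoformat(ts), account, bank, float(amount)


def detect(transfers, baseline_until):
    """Return alerts for transfers at or after `baseline_until`:
    ("new_beneficiary", ...) when the beneficiary bank was never seen during
    the baseline period, and ("velocity", ...) when the rolling WINDOW outflow
    of the originating account exceeds WINDOW_LIMIT_USD."""
    cutoff = datetime.fromisoformat(baseline_until)
    rows = sorted((parse(r) for r in transfers), key=lambda r: r[0])
    known_banks = {bank for ts, _, bank, _ in rows if ts < cutoff}
    window = defaultdict(deque)    # account -> (timestamp, amount) inside WINDOW
    running = defaultdict(float)   # account -> sum of amounts in its window
    alerts = []
    for ts, account, bank, amount in rows:
        if ts >= cutoff and bank not in known_banks:
            alerts.append(("new_beneficiary", ts.isoformat(), account, bank, amount))
            known_banks.add(bank)  # report each unknown counterparty once
        q = window[account]
        q.append((ts, amount))
        running[account] += amount
        while q and ts - q[0][0] > WINDOW:   # drop entries older than WINDOW
            _, old = q.popleft()
            running[account] -= old
        if ts >= cutoff and running[account] > WINDOW_LIMIT_USD:
            alerts.append(("velocity", ts.isoformat(), account, bank, running[account]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_TRANSFERS, "2015-01-10T00:00:00"):
        print(alert)
```

Run stand-alone it prints two new-beneficiary alerts (the first payment to each unknown bank) and three velocity alerts, from the third consecutive day onwards. The two checks are deliberately independent: the velocity rule catches the volume even when the counterparty is known, and the new-beneficiary rule fires on the very first transfer, before any threshold is reached.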

They want the stolen money back
Representatives of the Ecuadorian bank apparently do not want to accept this and are demanding their money back. Since in more than a year they have managed to trace neither the money nor the hackers, they want to try their luck in court.

They therefore sued Wells Fargo, one of the largest American banks. It was from there that the cyber pirates, using their access to the SWIFT system, extracted the millions of dollars, because BDA holds an account there. In the lawsuit, BDA representatives claim that "Wells Fargo bankers should have noticed the suspicious transactions".

Wells Fargo, however, denies any fault. In a statement to Reuters on Friday, representatives of the American bank said that all "transactions were executed according to instructions received through the authenticated SWIFT system".

While the banks argue, the hackers can probably rejoice. After months the trail has gone cold, and the millions of dollars were gradually forwarded and then withdrawn through banks in various corners of the world.

81 million dollars already lost
Everything also suggests that the cyber pirates will not be easy to track down. In a similar way they also obtained 81 million dollars (1.9 billion CZK) from the account of the Bangladeshi central bank held at the Federal Reserve Bank (Fed) in New York.

In that attack they also broke into the SWIFT system using malicious code. Moreover, the investigation of this major bank robbery showed in April this year that the bankers were not using a firewall. In other words, the bank served the money to the hackers on a silver platter.

According to investigators it was obvious that the people handling billion-dollar transactions were trying to save money. Other network equipment checked by investigators had been bought second-hand. By buying used network switches, however, the bank saved at most a few hundred dollars.


LinkedIn is hastily changing passwords. Four years after the attack

27.7.2016  Security
Tens of millions of user names and passwords that a hacker is offering for sale on the internet appear to be genuine. Representatives of the professional network LinkedIn have started hastily resetting users' passwords, even though the attack happened four years ago.
How to change your LinkedIn password:

:: Visit the LinkedIn website or open the mobile app.
:: If you are logged in, log out.
:: Log in again and follow the instructions for changing your password.
Friday 20 May 2016, 8:54
"We recently noticed a potential risk to your LinkedIn account and have taken immediate steps to protect your account. The next time you log in you will have to change your password," LinkedIn representatives stated.

Millions of users of the professional network received an e-mail to this effect on Thursday and Friday. Czech users are among those at risk.

The stolen user data is said to come from a 2012 attack. At the time it was assumed that fewer than 6.5 million passwords had leaked from LinkedIn. This Thursday, however, it turned out that there are many more.

Hacker wants 50,000 crowns
A hacker going by the nickname Peace has started selling a database containing some 167 million passwords on a dark-web market. He is asking five bitcoins for it, roughly fifty thousand crowns.

Tests on a sample of the user data that the hacker offers as a preview showed that the stolen passwords are genuine. That is why LinkedIn representatives began hastily resetting users' passwords, even though the attack took place four years ago.

The database may pose a risk to users even after they change their password. Many people use the same login details for different web services, so for cyber pirates nothing is easier than trying the passwords on other servers as well.

If people use the same passwords as for LinkedIn on other web services, they should of course change them there too.


O2 faces massive hacker attacks. Because of the ice hockey world championship

27.7.2016  Cyber attack
For several days the company O2 has been facing massive hacker attacks. The attackers are trying to access O2 servers from a large number of machines at once and thereby knock them offline. Thursday's outage of the operator's fixed-line internet (vdsl and adsl) occurred in connection with these DDoS attacks.
What is DDoS

A DDoS (Distributed Denial of Service) attack always follows the same scenario. Hundreds of thousands of computers start accessing a particular server at the same moment. The server usually cannot handle such a high number of requests and crashes. To ordinary users, the attacked website then appears to be unavailable.
"On Thursday hackers attacked O2's streaming servers. This is already the umpteenth attack since the start of the hockey championship; it caused technical problems during the online broadcast of the Czech Republic vs USA hockey game and several minutes of login problems with the O2 TV mobile service," said Kateřina Mikšovská from O2's press department.

The first attacks came last week. "Even so, last Thursday we were able to serve 320 thousand customers and carry a record volume of 237 Gbps," said Václav Hanousek, head of network operations.

The outages may also have affected viewers of iVysílání. "The intensity and scale of the attacks led to an overload of the O2 TV mobile television servers. Unfortunately, viewers who watched the hockey game via iVysílání may also have experienced short outages. The outages did not affect all users of the Czech Television website, however; almost 300 thousand people were able to watch the game without any problems," Mikšovská said.

Fixed-line internet outage
It was precisely in an effort to stop the hackers from succeeding that internet connectivity in Prague and Central Bohemia was cut off on Monday. The outage lasted more than 1.5 hours, as Novinky.cz reported earlier.

"The measures we adopted to protect the service provided to our customers unfortunately caused today's outage of the fixed-line internet due to a system error," Hanousek said.

The hacker attack will now be handled by the police. "O2 has already referred the case of the pirate attacks to the law enforcement authorities," Mikšovská added.


Hacker offers 167 million LinkedIn passwords for sale

27.7.2016 Social networks
A hacker going by the nickname Peace is offering some 167 million login credentials for the professional network LinkedIn for sale on the black market. He is asking five bitcoins for them, roughly fifty thousand crowns. The Hacker News reported the story.
The user data is said to come from an attack that happened back in 2012. Novinky.cz reported on it at the time.

It was originally assumed that fewer than 6.5 million passwords had been stolen from LinkedIn. As the hacker's offer shows, there were probably far more.

The hacker is proceeding cautiously
Peace even published part of the database to show prospective buyers that it is not a fake. Of course, nobody can confirm that in advance without having the database with all the login details for detailed analysis.

What is certain is that the hacker is proceeding very cautiously. The virtual currency bitcoin cannot easily be traced, so even after payment his identity will remain hidden.

LinkedIn representatives said they are already investigating the incident. They have not yet issued any official statement, however.

A risk even years later
The database may pose a potential risk to users even though the attack took place four years ago. LinkedIn did reset users' passwords in 2012, but many people use the same login details for different web services. For cyber pirates, nothing is easier than trying the passwords on other servers as well.

The LinkedIn data leak clearly shows how vulnerable passwords, and of course the user accounts on the network themselves, can be. It is therefore advisable not only to come up with sophisticated passwords but also to change them regularly, at least once every few months.


Hackers enslaved a million computers. They made big money that way

27.7.2016  Hacking
A group of as yet unknown hackers managed to infect about a million computers from various corners of the world with a virus. Although the owners had no idea, the hackers used their PCs to make big money. The Hacker News reported the story.
The cybercriminals enslaved individual computers with the help of malicious code known as Redirector.Paco, which has been circulating on the internet since 2014. It usually spread as an attachment to unsolicited e-mail or as a link in various chats and on social networks.

The attackers then added the infected machines to one huge botnet, a network of enslaved computers that usually serves to send spam or carry out DDoS attacks. In this case, however, the cyber pirates used the botnet for something completely different: to make considerable money.

They controlled internet traffic
They used the infected machines to control their internet traffic. That way they were able to covertly visit thousands of different websites in the background on each individual PC, collecting money for the advertising displayed.

Security experts at the antivirus company Bitdefender estimated that the attackers managed to enslave about a million computers this way. Given that, it is easy to estimate that they earned at least several million, or even tens of millions, of dollars with the botnet.

The security experts working on the case were, however, unable to determine the exact amount.

It is clear from the above that the cybercriminals tried to remain hidden for as long as possible so that users would not detect the malware infection. They would otherwise have lost a valuable source of income.

The virus attacked in Europe too
According to Bitdefender, most of the enslaved computers were in India, Malaysia, Greece, the United States, Italy, Pakistan, Brazil and Algeria. It cannot be ruled out, however, that machines of Czech users were also infected, because the virus appeared in some European countries.

Security experts point out that users usually make the hackers' work easier through their own behaviour. They underestimate basic security rules: for example, they click on attachments in unsolicited e-mails, or they do not regularly install updates for individual programs and the operating system.

Cybercriminals are of course able to profit from all this. And make big money thanks to it...


Cyber pirates apologised for spreading ransomware. Data can be unlocked for free

27.7.2016  Viruses
A very unusual twist occurred in the case of cyber pirates who spread ransomware on the internet. They apparently could no longer bear to watch the destruction it caused and decided to shut it down. They also apologised to all users. Bleeping Computer reported the story.
"The project is ending, we are very sorry to everyone," said the unknown cybercriminals who spread the TeslaCrypt ransomware on the internet. To prove that they really meant their apology, they also attached the master decryption key. With its help, encrypted data can be unlocked without paying the ransom.

It should be noted, however, that there are at least several dozen different kinds of ransomware. The universal key only works on the aforementioned TeslaCrypt.

The cybercriminals apparently took this unexpected step thanks to a security researcher at the antivirus company Eset. He contacted them anonymously through the official channel intended for victims of the ransomware and asked them to publish the universal decryption key. He himself probably did not expect the cyber pirates to be so accommodating.

Based on this, Eset staff created a decryption tool that makes it easy to unlock the locked data on the hard drive. It can be downloaded free of charge here.

Eset's tool for decrypting data locked by the TeslaCrypt ransomware.
PHOTO: developers' archive

How ransomware attacks
Ransomware can make quite a mess on an infected machine. First it encrypts all the data stored on the hard drive. The attackers then demand a ransom for access to it, often several thousand crowns.

Cybercriminals usually try to give the owner of the infected machine the impression that they will get their files back after paying a fine, allegedly imposed for using illegal software or the like. That is also why many people have already paid the ransom.

They usually want to be paid in bitcoin, because movements of this virtual currency are practically impossible to trace, and so, logically, is the cyber pirates' illegal activity.

Even after paying the ransom, however, users do not get their data back. Instead of paying, the virus has to be uninstalled from the computer. Recovering unbacked-up data is nevertheless impossible in most cases. In the case of the TeslaCrypt malware, this no longer applies.


Phineas Fisher hacked a bank to support anti-capitalists in the Rojava region
20.5.2016 Hacking

Phineas Fisher, the notorious Hacking Team hacker, stole $10,000 from a bank and donated the equivalent in Bitcoin to Kurdish anti-capitalists in Rojava.
Phineas Fisher (@GammaGroupPR) revealed on Reddit that he breached a bank and turned the stolen money over to Kurdish anti-capitalists who operate in the autonomous region of Rojava. The region is located in the north of Syria, near the territories controlled by ISIL. The hacker did not reveal the name of the breached financial institution nor provide details of the cyber heist.
Phineas Fisher explained that it is quite easy to steal money from a bank; he cited the Carbanak group, but distanced himself from the motivation of the Russian criminal crew. Phineas Fisher is a hacker, not a thief; he has no financial motivation and follows his own ideals.

“Banks are being robbed more than ever, it’s just done differently these days,” he explained. “The money did come from robbing a bank. As I said in an earlier comment, bank robbing is more viable than ever, it’s just done differently these days. There’s a reason in the last hacking guide I wrote (Spanish original, English translation) I spoke in favor of expropriating money from banks, said you used to need a gun but can now do it from bed with a laptop in hand, and linked a technical report on the Carbanak group. Not that I’m a fan of Russian gangsters robbing banks so they can buy luxury cars or whatever, but there’s a lot to learn from their methods.”

Phineas Fisher became very popular in the security industry because he is the hacker that breached the surveillance firms Hacking Team and the surveillance company Gamma International.

He is consistent in his views on surveillance and on the support IT companies offer to totalitarian regimes; for this reason he decided to target them and interfere with their “dirty” affairs.

The enemies of freedom are Phineas Fisher’s enemies.

Now the popular hacker has donated 25 Bitcoin (worth around US$11,000) to a crowdfunding campaign known as the Rojava Plan, launched by members of Rojava’s economic committee.

Fisher described the campaign as “one of the most inspiring revolutionary projects in the world.”

The campaign aims to help the local population, which is oppressed by ISIL and mistreated by nearby governments. The project is ambitious and has a long list of goals, including organising training in neighbourhood centres and schools, producing educational material (pamphlets, short films) about the need to separate waste, and establishing facilities for processing the waste and making fertiliser.

This is the list of what the project needs:

2 trucks: $45000
Small bulldozer: $35000
Pool for liquid fertilizer: $500
Machine: $1500
Plastic buckets for waste: $2000
Structure: $3000
Thermometer: $50
Big plastic canvas: $2500
Worker clothes: $300
Scale: $500
Airsystem: $500
Hangar: $40000
Material: $33000
Mixer: $15000
Other: $10000
9 workers: $10800

Some experts have already verified the Bitcoin transaction made by Phineas Fisher; The Hacker News (THN) is one of them.

“When deeply investigated, it was found that the Rojava Plan’s Bitcoin address received a 25 BTC (Bitcoin) transaction timestamped 5th May 2016, which means the donation has publicly been recorded on the blockchain ledger,” THN reported.

“You can see the payments made to our campaign on the campaign page. You can also check our Bitcoin address, which is public,” Deniz Tarî from Rojava Plan told Ars. The page lists a €10,000 donation by “Hack Back!”


How to trigger DoS flaws in CISCO WSA. Apply fixes asap

20.5.2016 Vulnerability

Cisco issued a series of patches for the AsyncOS operating system running on CISCO WSA that fix multiple high-severity Denial-of-Service (DoS) vulnerabilities.
Cisco has released security patches for the AsyncOS operating system that runs on the Web Security Appliance, also called CISCO WSA. The security updates fix multiple high-severity Denial-of-Service (DoS) vulnerabilities.

Below are the details of the flaws in the CISCO WSA fixed by the latest series of patches:

CVE-2016-1380 is a flaw ranked as high that is triggered when Cisco AsyncOS for Cisco WSA parses an HTTP POST request. It could be exploited by an unauthenticated, remote attacker to cause a denial of service (DoS) condition, because the proxy process becomes unresponsive.
The flaw is caused by the lack of proper input validation of the packets that compose an HTTP POST request.

CVE-2016-1381 resides in the cached file-range request functionality implemented by Cisco AsyncOS. A remote, unauthenticated attacker can trigger it to cause a denial of service (DoS) condition. The flaw, ranked as high, could be exploited by opening multiple connections that request file ranges through the affected device. Once memory is saturated, the attack causes the WSA to stop passing traffic.

CVE-2016-1382 is a vulnerability that resides in the HTTP request parsing in Cisco AsyncOS for the Cisco WSA. The flaw could allow a remote, unauthenticated attacker to trigger a denial of service (DoS) condition by making the proxy process restart unexpectedly.

To exploit the flaw, the attacker only needs to send a specially crafted HTTP request to the vulnerable device; the OS does not properly allocate sufficient space for the HTTP header and any expected HTTP payload.

CVE-2016-1383 is a flaw ranked as high that resides in the way the operating system handles certain HTTP response codes. The flaw could be exploited by an unauthenticated, remote attacker to cause a DoS condition by simply sending a specially crafted HTTP request to the device, causing it to run out of memory.

Cisco confirmed that the security issues affect various versions of AsyncOS running on CISCO WSA, on both hardware and virtual appliances.

Cisco confirmed that it is not aware of the flaws having been exploited by hackers in the wild.


John McAfee and his crew claim to have hacked a WhatsApp Message, But …
20.5.2016 Hacking

The popular security expert John McAfee and a team of four hackers demonstrated that it is possible to read a WhatsApp message.
The cybersecurity expert John McAfee and four hackers demonstrated that it is possible to read a WhatsApp message even though it is encrypted. The hacker crew used their servers located in a remote part of the mountains of Colorado.

McAfee reported the success to Cybersecurity Ventures and shared the details of the sensational hack.

The hacked message was exchanged between two researchers located at the New York City headquarters of the digital forensics firm LIFARS. The researchers used two brand-new Android phones running a tiny app written by McAfee and his colleagues.

Cybersecurity Ventures reported that the message was sent at 2:45pm EST in New York, and the hackers read it in Colorado one minute later. Wait, but WhatsApp implements end-to-end encryption. How is this possible?

McAfee explained that the problem does not affect WhatsApp but the Android OS, which is affected by a serious design flaw. Exploiting the vulnerability allowed McAfee’s team to take full control of the information managed by the mobile device.

We have no information about the members of the team; we only know that one of them is Chris Roberts, a security researcher who in May 2015 announced via Twitter that he was able to hack the flight he was on. Roberts was arrested by the FBI; it was claimed he had burrowed through the aircraft’s onboard entertainment system to gain control over critical systems of the airplane.

“I have been warning the world for years that we are teetering on the edge of an abyss, that our cyber security paradigms no longer function, and that chaos will descend if something is not done,” said McAfee, commenting on the successful hack of the WhatsApp message. “The fundamental operating system (Android), used by 90% of the world, and that should be the first bulwark against malicious intrusion, is flawed. Should I not bring this to the world’s attention through a dramatic demonstration? Do I not owe it to the world?”

Experts from LIFARS who analyzed the mobile phones reported the presence of “malware traces”; a memo issued by CEO Ondrej Krehel confirms that the smartphones had been infected by a spyware app that allowed the hackers to log keystrokes. According to Krehel, the hackers did not root the device in order to exploit the flaw. More information will be disclosed after McAfee and his team discuss the flaw with Google, and I believe it is important to highlight that McAfee is not doing this for money.

“McAfee said he is open to dialogue with Google and WhatsApp in order to help remedy the vulnerability, and there would be no cost for his services. ‘This in no way was done for financial gain. This was my obligation to my tribe,’ said McAfee,” Cybersecurity Ventures continues.

Are you a Snapchat user? Bad news for you too: McAfee confirmed that similar problems have also been noticed with other messaging apps.


Facebook Sued for illegally Scanning Users' Private Messages
20.5.2016 Social
Facebook is in trouble once again over its users' privacy.
Facebook is facing a class-action lawsuit in Northern California over allegations that the company systematically scans its users' private messages on the social network without their consent and makes a profit by sharing the data with advertisers and marketers.
According to the lawsuit filing, Facebook may have violated federal privacy laws by scanning users' private messages.
Facebook routinely scans the URLs within users' private messages for several purposes, such as anti-malware protection and industry-standard searches for child pornography, but it has been claimed that the company also uses this data for advertising and other user-targeting services.
The plaintiffs, Matthew Campbell and Michael Hurley, argue that Facebook is scanning and collecting URL-related data in a searchable form, violating both the Electronic Communications Privacy Act and the California Invasion of Privacy Act, the Verge reported.
Facebook argues that the company scans users' private messages in bulk and maintains the URL records in an anonymized way, which is only used in aggregate form.
However, according to a technical analysis done on behalf of the plaintiffs, each URL-related message is stored in "Titan," a private message database that records the date and time the message was sent, along with the user IDs of both the sender and the recipient.
It turns out that Facebook did use this practice in the past, but the company claims to have stopped such practices a long time ago.
"We agree with the court's finding that the alleged conduct did not result in any actual harm and that it would be inappropriate to allow plaintiffs to seek damages on a class-wide basis," a Facebook spokesperson told CNET.
"The remaining claims relate to historical practices that are entirely lawful, and we look forward to resolving those claims on the merits."
However, according to the plaintiffs, Facebook is still collecting links from users' private messages.
"Facebook's source code not only reveals that Facebook continues to acquire URL content from private messages, but that it also continues to make use of the content it acquires."
Meanwhile, you can check out the lawsuit here. The lawsuit was originally filed in 2012 and, for now, the case is expected to proceed.
The plaintiffs have until June 8 to file an amended complaint, following a scheduled conference toward the end of the month.

 


Spam and phishing in Q1 2016
20.5.2016

SPAM
Spam: features of the quarter

Trending: dramatic increase in volume of malicious spam

The first quarter of 2016 saw a dramatic increase in the number of unsolicited emails containing malicious attachments. Over the last two years the number of email antivirus detections on computers with a Kaspersky Lab product installed fluctuated between 3 and 6 million. At the end of 2015 this number began to grow and in early 2016 there was a sharp upturn.

 

Number of email antivirus detections on computers with a Kaspersky Lab product installed

In March, the number of email antivirus detections reached 22,890,956, which is four times more than the average for the same period last year.

With the rise of drive-by-downloads, we could have expected malicious email attachments to have long since given way to malicious sites that the user accesses via a link in an email. However, the use of emails has its advantages (for the attackers): the content of the email may encourage the user not only to download a malicious file but also launch it. It’s also possible that malicious attachments are enjoying a new wave of popularity because in the last couple of years the developers of the most popular browsers have considered adding protection against infected and phishing websites (using in-house developments as well as partnering with well-known anti-virus vendors). This is something that built-in protection at the email client level does not provide yet. Therefore, if a potential victim doesn’t use antivirus software, their computer can be easily infected via email.

What’s inside?

The variety of malicious attachments is impressive. They include classic executable EXE files and office documents (DOC, DOCX, XLS, RTF) with embedded malicious macros, and programs written in Java and JavaScript (JS files, JAR, WSF, WRN, and others).
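As an added example (not part of the Kaspersky report), the following Python triages the attachments of a constructed e-mail against a policy built from the file types listed above: executables and script containers are blocked outright, the macro-capable office formats are routed for macro inspection, and archives for unpacking. The sample message, the addresses and the policy sets are assumptions.

```python
# Added example: attachment triage for inbound mail, built around the file
# types the report lists. Not Kaspersky's code; the policy sets and the sample
# message are constructed assumptions.
import email
import posixpath
from email import policy
from email.message import EmailMessage

# Assumed policy. Executables and script containers are blocked outright;
# macro-capable office formats and archives need a second-stage inspection.
BLOCK = {"exe", "js", "jse", "jar", "wsf", "vbs", "scr", "hta", "cmd", "bat"}
MACRO_CAPABLE = {"doc", "docx", "docm", "xls", "xlsx", "xlsm", "rtf"}
ARCHIVE = {"zip", "rar", "7z"}


def classify_name(filename):
    """Verdict for an attachment name: 'block', 'inspect_macros',
    'inspect_archive' or 'allow'. Only the final extension counts, so a
    double extension such as invoice.pdf.exe is still an executable."""
    name = posixpath.basename((filename or "").strip()).lower()
    ext = name.rsplit(".", 1)[1] if "." in name else ""
    if ext in BLOCK:
        return "block"
    if ext in MACRO_CAPABLE:
        return "inspect_macros"
    if ext in ARCHIVE:
        return "inspect_archive"
    return "allow"


def triage(raw_message):
    """Parse an RFC 5322 message and return (filename, declared type, verdict)
    for every attachment part."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [
        (part.get_filename() or "", part.get_content_type(),
         classify_name(part.get_filename()))
        for part in msg.iter_attachments()
    ]


def build_sample():
    """Constructed 'unpaid invoice' lure with four attachments (fake content)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Unpaid invoice 2016-03"
    msg.set_content("Please find the attached invoice.")
    msg.add_attachment(b"MZ-fake", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"var a=1;", maintype="application",
                       subtype="javascript", filename="Rechnung.js")
    msg.add_attachment(b"\xd0\xcf\x11\xe0fake", maintype="application",
                       subtype="msword", filename="invoice_2016.doc")
    msg.add_attachment(b"\xff\xd8fake", maintype="image",
                       subtype="jpeg", filename="photo.jpg")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in triage(build_sample()):
        print(finding)
```

The verdict is taken from the file name rather than the declared MIME type, because the sender controls both and the name is what the user's system will act on. Name-based triage is only the first gate: a production filter would follow the `inspect_*` verdicts with content checks (file magic, macro presence, archive contents), which this example does not implement.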

 

Attachment containing a Trojan downloader written in Java

Also worth noting is the diversity of languages used in malicious spam. In addition to English, we regularly came across emails in Russian, Polish, German, French, Spanish, Portuguese and several other languages.

 

Attachment containing the Trojan banker Gozi

Most emails imitated notifications of unpaid bills, or business correspondence.

 

The malicious .doc file in the attachment is a Trojan downloader. It downloads and runs the encryptor Cryakl using macros written in Visual Basic

 

Attachment containing backdoor-type malware that downloads other malicious programs to the infected machine

Particular attention should be paid to emails containing Trojan downloaders that download the Locky encryptor. The attackers exploited a variety of file types to infect victim computers: at first they used .doc files with malicious macros, then JS scripts. In order to bypass filtering, the attackers made every malicious file within a single mass mailing unique. In addition, the emails had different content and were written in different languages. This doesn’t come as much of a surprise as attacks utilizing this encryptor were registered by KSN in 114 countries around the world.

 

Examples of emails with the Locky encryptor

The content of the emails was related to financial documents and prompted users to open the attachment.

If the attack was successful, Locky encrypted files with specific extensions (office documents, multimedia content, etc.) on the user’s computer, and displayed a message with a link leading to a site on the Tor network containing the cybercriminals’ demands. This process was analyzed in more detail in our blog.

As Locky is not always contained directly in the message, we cannot estimate its share in the volume of other malicious mail. However, the scripts that download and run Locky (detected by Kaspersky Lab as Trojan-Downloader.MSWord.Agent, Trojan-Downloader.JS.Agent, HEUR:Trojan-Downloader.Script.Generic) accounted for more than 50% of all malicious programs in email traffic.

Spam terrorism

Today terrorism is one of the most widely discussed topics both in the media and when political leaders meet. Frequent terrorist attacks in Europe and Asia have become a major threat to the world community, and the theme of terrorism is widely used by cybercriminals to mislead users.

In order to prevent terrorist attacks, security measures in many countries have been enhanced, and malicious spammers have been quick to take advantage. They tried to convince recipients of mass mailings that a file attached in an email contained information that would help a mobile phone owner detect an explosive device moments before it was about to detonate. The email claimed the technology came from the US Department of Defense, was easy to use and widely available. The attachment, in the form of an executable EXE file, was detected as Trojan-Dropper.Win32.Dapato – a Trojan that is used to steal personal information, organize DDoS attacks, install other malware, etc.

 

‘Nigerian’ scammers also got in on the act, exploiting the theme of terrorism to try and concoct credible stories. The senders introduced themselves as employees of a non-existent FBI division involved in the investigation of terrorism and financial crime. Their story revolved around the need for the recipient to contact the sender in order to resolve issues that are preventing the payment of a large sum of money. Among the reasons given for the delay in transferring the money the scammers cited a lack of confirmation that the money was legal and rightfully belonged to the recipient, or it was claimed third parties were trying to pocket the recipient’s money.


Nigerian letters also told stories of money – some of which was offered to the recipient – that had been obtained legally and was not related to drugs, terrorism or other crime. This was an attempt to dispel any doubts about their honesty and persuade recipients to reply.


The theme of terrorism came up again in tales related to the current situation in the Middle East. For example, some emails were sent on behalf of US soldiers who were fighting against terrorism in Afghanistan and were looking for an intermediary to save and invest money for them. Yet another author claimed that he had not joined ISIS or any other terrorist organization, but as a Muslim he wanted to donate a large sum of money for good deeds. A mistrust of charities meant the “Muslim” wanted to transfer the money to the recipient of the email. Yet another story was written on behalf of an American businessman who had lost half his business in Syria and Iraq because of the war and terrorism, and was looking for a partner to help him invest the remaining money.


Nigerian letters describing the tense situation in Syria also remained popular and were actively used by scammers to trick users.


We also came across advertising spam from Chinese factories offering all sorts of devices to ensure public security (for example, special devices for detecting explosives) and other anti-terrorist products.


Also trending: significant increase in volume of ‘Nigerian’ spam

It seems so-called Nigerian spammers have also felt the effects of the economic crisis, because they have recently increased their activity. In Q1 2016 we observed a significant increase in the volume of this type of mailing. In the past, the scammers encouraged recipients to respond to an email by telling a long detailed story that often contained links to articles in the mainstream media; now they send out short messages with no details, just a request to get in touch. Sometimes the email may mention a large sum of money that will be discussed in further correspondence, but there is no information about where it came from.


Perhaps the scammers believe that those who are already aware of the classic ‘Nigerian’ tricks will fall for these types of messages; or maybe they think that such short messages will be more suited for busy people who have no time to read long emails from strangers.

Spammer methods and tricks: short URL services and obfuscation

In our spam and phishing report for 2015 we wrote about obfuscation of domains. In Q1 2016, spammers continued this trend and even added some new tricks to their arsenal.

Cybercriminals continued to use short URL services, although the methods for adding “noise” to them have changed.

First of all, spammers began inserting characters – slashes, letters and dots – between the domain of a short URL service and the final link.


Both the link which the user follows and the link to the uploaded image in the email are obfuscated:


In addition to letters and dots, spammers even inserted random comment tags between slashes, and the browser continued to correctly interpret the links:


Note that the subject of the email contains the name Edward; it is also included in the comment tag used to add “noise”. In other words, the name is taken from one database while the “noise” tag is unique for each email in the mass mailing.

Russian-language spam also used obfuscation and short URL services, but the algorithm was different.


For example, the @ symbol was used to obfuscate links. To recap, the @ symbol in a URL was originally intended to pass user credentials to the site (a mechanism that is effectively no longer used). If the site does not require authentication, everything that precedes the @ symbol is simply ignored. This means that in the email above, the browser first opens the site ask.ru/go, which processes the ‘url=’ query parameter and then redirects to the URL specified there, which belongs to a short URL service.


The link in these emails was also obfuscated with the @ symbol. Noise was also added in the form of extra query parameters, including the user’s email address, which made the link unique for each email in the mass mailing.
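The two tricks described above (noise inserted into a short URL's path, and the @ symbol pushing a decoy host into the userinfo part of a link) can be checked mechanically when triaging mail. The following Python is an added example, not Kaspersky Lab's code: it resolves the host a browser would really connect to, pulls the onward target out of a redirect parameter such as the ‘url=’ seen on ask.ru/go, and flags noisy shortener paths. The shortener host list, the redirect parameter names other than ‘url’, and the sample links are assumptions constructed for illustration.

```python
"""Unpick the link obfuscation tricks described above.

Added example, not Kaspersky Lab's code. The shortener host list, the
redirect parameter names (other than the 'url' seen on ask.ru/go) and the
sample links are constructed assumptions.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Illustrative set of short URL service hosts (assumption, not exhaustive).
SHORTENER_HOSTS = {"bit.ly", "goo.gl", "t.co", "tinyurl.com", "ow.ly"}
# Query parameters used by "go"/redirect endpoints; 'url' is the one in the text.
REDIRECT_PARAMS = ("url", "u", "to", "redirect", "target")


def effective_host(url):
    """Host the browser really connects to: anything before '@' in the
    authority is userinfo and is ignored when the site asks for no credentials."""
    return urlsplit(url).hostname or ""


def analyse_link(url):
    """Return a dict of findings for one link."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = {
        "effective_host": host,
        "userinfo_trick": "@" in parts.netloc,
        "decoy_in_userinfo": None,  # what the victim sees at the start of the link
        "shortener": host in SHORTENER_HOSTS,
        "redirect_to": None,
        "noisy_path": False,
    }
    if findings["userinfo_trick"]:
        findings["decoy_in_userinfo"] = parts.netloc.rsplit("@", 1)[0]
    # Redirect endpoints such as /go?url=... hand the browser on to another URL.
    qs = parse_qs(parts.query)
    for name in REDIRECT_PARAMS:
        if name in qs:
            candidate = unquote(qs[name][0])
            if re.match(r"https?://", candidate):
                findings["redirect_to"] = candidate
                break
    # Noise between the shortener domain and the real token: doubled slashes,
    # runs of dots, or comment tags, as in the mailings above.
    if findings["shortener"] and re.search(r"//|/\.+/|<!--.*?-->", parts.path):
        findings["noisy_path"] = True
    return findings


def final_destination(url, max_hops=5):
    """Follow redirect parameters offline (no network) to the last URL in the chain."""
    chain = [url]
    for _ in range(max_hops):
        nxt = analyse_link(chain[-1])["redirect_to"]
        if not nxt or nxt in chain:
            break
        chain.append(nxt)
    return chain[-1]


# Constructed links modelled on the two obfuscation styles in the text.
SAMPLE_LINKS = [
    "http://bit.ly/<!--Edward-->/x9Qz",
    "http://www.example-bank.test@ask.ru/go?url=http://bit.ly/x9Qz&email=victim@example.test",
    "https://example.test/page",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        f = analyse_link(link)
        print(f"{link}\n  host={f['effective_host']} userinfo_trick={f['userinfo_trick']}"
              f" shortener={f['shortener']} noisy={f['noisy_path']}"
              f" final={final_destination(link)}")
```

The point of `effective_host` is that a filter which reads the start of the link string sees the decoy, while `urlsplit` reports what the browser will actually contact; the same split also separates the redirect parameter from the authority, so an `@` inside the query string (the user's own address) is not mistaken for the userinfo trick.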

Statistics

Proportion of spam in email traffic


Percentage of spam in global email traffic, Q1 2016

The percentage of spam in overall global email traffic remained stable during the last few months of 2015. However, in January 2016 we registered a considerable increase in the share of unwanted correspondence – over 5.5 p.p. By February, however, the amount of spam in email traffic had dropped to its previous level. In March it grew again, though less dramatically. As a result, the average percentage of spam in Q1 2016 amounted to 56.92%.

Sources of spam by country


Sources of spam by country, Q1 2016

The US (12.43%) maintained its leadership, remaining the biggest source of spam in Q1 2016. Next came Vietnam (10.30%), India (6.19%) and Brazil (5.48%). China rounded off the Top 5, accounting for 5.09% of global spam.

Russia fell from last year’s second place to seventh (4.89%) in Q1 2016, following closely behind France (4.90%), the sixth biggest source of spam.

Spam email size


Spam email size distribution, Q4 2015 and Q1 2016

The most commonly distributed emails were very small – up to 2 KB (79.05%). The proportion of these emails grew by 2.7 p.p. from the previous quarter. The share of emails sized 20-50 KB also increased – from 3.02% to 7.67%. The amount of emails sized 2-5 KB, however, fell significantly compared to Q4 2015 – from 8.91% to 2.5%.

Malicious email attachments

Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications. So we have decided to turn to the more informative statistics of the Top 10 malware families.

Top 10 malware families

Trojan-Downloader.JS.Agent.
A typical representative of this family is an obfuscated JavaScript file. Malware in this family uses ADODB.Stream technology, which allows it to download and run DLL, EXE and PDF files.

Trojan-Downloader.VBS.Agent.
This is a family of VBS scripts. As is the case with the JS.Agent family, ranked first, the representatives of this family use ADODB.Stream technology; however, they mainly download ZIP files, from which they extract and run other malicious software.

Trojan-Downloader.MSWord.Agent.
The representatives of this family are DOC files with an embedded macro written in Visual Basic for Applications (VBA) that runs when the document is opened. The macro downloads other malware from the cybercriminal’s site and launches it on the victim’s computer.

Backdoor.Win32.Androm (Andromeda).
This is a family of universal Andromeda/Gamarue modular bots. The key features of these bots include downloading, storing and launching malicious executable files; downloading and uploading a malicious DLL (without saving it to disk); updating and deleting themselves. The bot functionality is extended with plug-ins that can be loaded at any time.

Trojan.Win32.Bayrob.
The malicious programs of this Trojan family can download from the command server and run additional modules, as well as work as a proxy server. They are used to distribute spam and steal personal data.

Trojan-Downloader.JS.Cryptoload.
A typical representative of this family is an obfuscated JavaScript file. The malicious programs of this family download and run ransomware on the user’s computer.

Trojan-PSW.Win32.Fareit.
This malware family was designed to steal data such as credentials for FTP clients installed on an infected computer, credentials for cloud storage programs, cookie files in browsers, passwords for email accounts. The stolen information is sent to the criminals’ server. Some members of the Trojan Fareit family are capable of downloading and running other malware.

Trojan.Win32.Agent.
The malicious programs of this family destroy, block, modify or copy data or disrupt the operation of computers or computer networks.

Trojan-Downloader.Win32.Upatre.
The Trojans of this family do not exceed 3.5 KB, and their functions are limited to downloading payloads on the infected computer – more often than not these are Trojan bankers known as Dyre/Dyzap/Dyreza. The main aim of this family of Trojan bankers is to steal payment data from users.

Trojan-Spy.HTML.Fraud.
The Trojans of this family consist of a fake HTML page sent via email that imitates an important notification from a major commercial bank, online store, or software developer, etc. The user has to enter their personal data on this page, which is then forwarded to cybercriminals.
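A mail gateway sees these families first as attachments: JS and VBS scripts, DOC files carrying an auto-running macro, EXE droppers and fake HTML pages. The Python below is an added example, not Kaspersky Lab's detection logic: it parses a constructed message with the standard `email` library and assigns each attachment a risk label from its extension (including double extensions such as `notice.pdf.js`) and a few content markers such as `ADODB.Stream` or an `Auto_Open` macro. The indicator strings, extension groups, risk labels and the sample message are constructed assumptions.

```python
"""Attachment triage for the delivery mechanisms behind the families above.

Added example, not Kaspersky Lab's code. The extension groups, indicator
strings, risk labels and the sample message are constructed assumptions.
"""
import email
import re
from email import policy

# Delivery mechanisms described in the text, grouped by extension (illustrative).
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf"}
EXEC_EXT = {".exe", ".scr", ".pif", ".com"}
OFFICE_EXT = {".doc", ".docm", ".xls", ".xlsm", ".rtf"}
HTML_EXT = {".htm", ".html"}

# Strings typical of the ADODB.Stream download-and-run pattern in JS/VBS downloaders.
SCRIPT_INDICATORS = ("ADODB.Stream", "MSXML2.XMLHTTP", "WScript.Shell", "SaveToFile")
# Names of VBA procedures that run when a document is opened.
MACRO_INDICATORS = (b"Auto_Open", b"AutoOpen", b"Document_Open")
# Hallmarks of a fake bank/store page harvesting credentials or card data.
HTML_INDICATORS = ("<form", "password", "card")


def split_extension(filename):
    """Return (final_ext, has_double_ext); 'invoice.pdf.js' -> ('.js', True)."""
    m = re.search(r"(\.[a-z0-9]{2,4})(\.[a-z0-9]{2,4})?$", filename.lower())
    if not m:
        return "", False
    return (m.group(2) or m.group(1)), m.group(2) is not None


def classify_attachment(filename, payload):
    """Return (risk, reason) for one attachment; payload is raw bytes."""
    ext, double = split_extension(filename)
    text = payload.decode("latin-1", "replace")
    if ext in EXEC_EXT:
        return "high", f"executable attachment {ext}"
    if ext in SCRIPT_EXT:
        hits = [s for s in SCRIPT_INDICATORS if s in text]
        if hits:
            return "high", "script downloader pattern: " + ", ".join(hits)
        return "medium", f"script attachment {ext}"
    if ext in OFFICE_EXT:
        if any(k in payload for k in MACRO_INDICATORS):
            return "high", "document with auto-running macro"
        return "low", "office document without macro markers"
    if ext in HTML_EXT and all(k in text.lower() for k in HTML_INDICATORS):
        return "high", "HTML form collecting credentials or card data"
    if double:
        return "medium", "double extension"
    return "low", "no indicators"


def triage_message(raw):
    """Parse an RFC 822 message and return [(filename, risk, reason), ...]."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        results.append((fname,) + classify_attachment(fname, payload))
    return results


def worst_risk(results):
    """Overall verdict for the message: the highest risk of any attachment."""
    order = {"low": 0, "medium": 1, "high": 2}
    return max((risk for _, risk, _ in results), key=order.get, default="low")


# Constructed sample: a "shipping notice" with a disguised JS attachment whose body
# only contains the indicator strings (it does nothing if run), plus a harmless PDF.
SAMPLE_EML = b"""\
From: notice@example.test
To: victim@example.test
Subject: Shipping notice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Please see the attached documents.

--XYZ
Content-Type: application/octet-stream; name="notice.pdf.js"
Content-Disposition: attachment; filename="notice.pdf.js"
Content-Transfer-Encoding: 7bit

var s = "ADODB.Stream"; var h = "MSXML2.XMLHTTP";
--XYZ
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: 7bit

%PDF-1.4 (constructed placeholder)
--XYZ--
"""

if __name__ == "__main__":
    findings = triage_message(SAMPLE_EML)
    for name, risk, reason in findings:
        print(f"{risk:6} {name}: {reason}")
    print("verdict:", worst_risk(findings))
```

String markers are deliberately cheap and easy to evade by obfuscation, which is why the text notes that most of these samples are caught proactively; in practice the extension rule alone (block or quarantine script and executable attachments outright) removes most of the families above before any content inspection runs.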

Countries targeted by malicious mailshots

There were some significant changes in the ranking of countries targeted most often by mailshots in Q1 2016.


Distribution of email antivirus verdicts by country, Q1 2016

Germany (18.93%) remained on top. China (9.43%), which ended 2015 in 14th place, unexpectedly came second. Brazil (7.35%) rounded off the Top 3.

Italy (6.65%) came fourth in the ranking, followed by the UK (4.81%). Russia was in sixth place with a share of 4.47%.

The US (3.95%), which had been in the Top 5 countries targeted by malicious mailshots for months on end, ended Q1 in eighth place.

Phishing

In Q1 2016, the Anti-Phishing system was triggered 34,983,315 times on the computers of Kaspersky Lab users.

Geography of attacks

The country where the largest percentage of users were affected by phishing attacks was once again Brazil (21.5%), with a 3.37 p.p. increase from the previous quarter. The share of those attacked in China (16.7%) and the UK (14.6%) also grew compared to Q4 2015 – by 4.4 p.p. and 3.68 p.p. respectively. Japan (13.8%), which was a leader in the previous year, saw its share fall by 3.18 p.p.


Geography of phishing attacks*, Q1 2016

* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

Top 10 countries by percentage of users attacked:

Brazil 21.5%
China 16.7%
United Kingdom 14.6%
Japan 13.8%
India 13.1%
Australia 12.9%
Bangladesh 12.4%
Canada 12.4%
Ecuador 12.2%
Ireland 12.0%

Organizations under attack

The statistics on phishing targets are based on detections of Kaspersky Lab’s anti-phishing component. It is activated every time a user enters a phishing page when information about it is not yet included in Kaspersky Lab databases. It does not matter how the user enters the page – by clicking a link in a phishing email, in a message on a social network or as a result of malware activity. After the security system is activated, the user sees a banner in the browser warning about a potential threat.


Distribution of organizations affected by phishing attacks, by category, Q1 2016

In the first quarter of 2016, the ‘Global Internet portals’ category (28.69%) topped the rating of organizations attacked by phishers; its share increased by 0.39 p.p. from the previous quarter. Second and third places were occupied by two financial categories: ‘Banks’ (+4.81 p.p.) and ‘Payment systems’ (-0.33 p.p.). ‘Social networking sites’ (11.84%) and ‘Online games’ (840 p.p.) rounded off the Top 5, having lost 0.33 p.p. and 4.06 p.p. respectively.

Online stores

Attacks on online store users are interesting because they are often followed by the theft of bank card details and other personal information.


Distribution of online stores subject to phishing attacks, Q1 2016

Apple Store was the most popular online store with phishers. In the first quarter of 2016 its share in the ‘E-shop’ category accounted for 27.82%. Behind it in second place was another popular online store, Amazon (21.6%).


Example of a phishing page designed to steal Apple ID and bank card data

Steam (13.23%), a popular gaming service that distributes computer games and programs, rounded off the Top 3. It came 19th in the overall ranking of organizations affected by phishing attacks.

Links to phishing pages exploiting the theme of online games and gaming services are distributed via banners, posts on social networking sites, forums and, less frequently, via email.


Cybercriminal interest in Steam and gaming services in general is growing – gamers’ money and personal data are often targeted not only by phishers but also by software developers.

Top 3 organizations attacked

Fraudsters continue to focus the greatest part of their non-spear phishing attacks on the most popular companies. These companies have lots of customers around the world, which increases the chances of a successful phishing attack.

The Top 3 organizations attacked most often by phishers accounted for 21.71% of all phishing links detected in Q1 2016.

Organization   % of detected phishing links
1  Yahoo!      8.51
2  Microsoft   7.49
3  Facebook    5.71

In Q1 2016, the leading three organizations targeted by phishers saw a few changes. Yahoo! remained top (+1.45 p.p.). Microsoft (+2.47 p.p.) came second, followed by Facebook (-2.02 p.p.).

Interestingly, phishing on Facebook is delivered in almost all languages.


Facebook is also popular with cybercriminals as a means of spreading malicious content. We wrote about one such scheme in a recent blog.

Conclusion

In the first quarter of 2016 the percentage of spam in email traffic increased by 2.7 percentage points compared with the previous quarter. But it is too early to speak about a growth trend. The proportion of spam grows significantly at the beginning of every year because the amount of normal email decreases over the holiday period.

The US remained the biggest source of spam in Q1 2016. The Top 5 also included Vietnam, India, Brazil and China – all large, fast developing countries with high levels of internet connection.

Spam messages are becoming shorter. In the first quarter, the proportion of emails up to 2 KB exceeded 80% of all spam.

Q1 of 2016 saw the amount of spam containing malicious attachments increase dramatically. The share of malicious attachments in mail reached a peak in March – four times greater than last year’s average. This rapid growth was caused specifically by the popularity of crypto-ransomware, which was either contained in emails or downloaded to computers via a Trojan downloader.

This growth confirms our long-term forecasts on the gradual criminalization of spam that makes it even more dangerous, as well as reducing the overall share of email traffic. The diversity of languages, social engineering, lots of different types of attachments, text changing within a single mass mailing – all this takes spam to a new level of danger. Moreover, these malicious mass mailings have broad geographical coverage. The picture of malware distribution by email has changed significantly this year. In particular, China came an unexpected second in the ranking of countries targeted by malicious mailshots.

Another factor confirming the trend of increasingly criminalized spam is the growth of fraudulent, namely ‘Nigerian’, spam in the first quarter of 2016.

It is unlikely that the amount of malicious spam will continue to grow so rapidly: the more cybercriminals distribute malicious spam, the more people get to know of its dangers and the more careful they become about opening suspicious attachments. Therefore, such attacks will gradually fade away after a few months. However, there is the risk they may be replaced by other, even more complex attacks.


117 million LinkedIn passwords for sale, for 2,200 dollars

20.5.2016
As with all password leaks, you must be very careful and examine closely whether it is genuine, fabricated, or even years old.
Login credentials for more than 117 million LinkedIn accounts (some sources say 167 million) are being offered for sale for just over 2,200 dollars (or 5 BTC). They consist of e-mail addresses and the SHA1 form of the passwords. The reality, however, is that these are most likely passwords that leaked from the service back in 2012.

According to Then there were 117 million. LinkedIn password breach much bigger than thought, LinkedIn itself has confirmed that the data comes from the 2012 leak. Lupa.cz wrote about that leak in Z LinkedIn.com uniklo 6,5 milionu hesel uživatelů, or rather about one of the leaks, because in 2012 there were apparently several (or one larger one) and the total number of accounts leaked at the time was considerably larger. That is also why more than 100 million accounts are being talked about now.

The well-known haveibeenpwned.com includes neither the earlier leak nor this new one, and leakedin.org no longer works either. From that time you can still find An Update on LinkedIn Member Passwords Compromised directly from LinkedIn, if you are interested in the years-old details.

What is important to realize is that this is not the original, smaller leak and that these really are passwords from 2012. Which may also mean that even if your e-mail and LinkedIn password were not in the previous leak, they may be in this new one. On the other hand, if you used LinkedIn in 2012 and have not changed your password since, something is probably wrong (although you probably had to change it back then, since LinkedIn reset all passwords at the time).

Although the new leak is not on the usual testing site, you can try www.leakedsource.com, where this new data should already be complete. Given that it involves more than 100 million passwords, it could be almost the entire LinkedIn user database of the time. Today LinkedIn has over 300 million accounts, but only roughly a third of them are active users.

I can personally confirm that both e-mail accounts I used on LinkedIn in 2012 (and on which I changed the passwords immediately after the 2012 password leak was discovered) can be found in the LinkedIn data on LeakedSource.com.
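The detail that matters in the article is the hash form: unsalted SHA1, which lets a single precomputed wordlist be matched against every account at once. The Python below is an added example, not from the article: it shows that lookup against a constructed stand-in for the dump, the self-check a user can run on their own address, and the salted, iterated PBKDF2 alternative that removes the one-hash-fits-all property. The sample records, wordlist and e-mail addresses are all constructed.

```python
"""Unsalted SHA1 versus a salted, slow hash, on a constructed stand-in for the dump.

Added example, not from the article. The records, the wordlist and the
e-mail addresses are constructed.
"""
import hashlib
import hmac
import os


def sha1_hex(password):
    """The unsalted SHA1 form the leaked records are reported to use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for (e-mail, SHA1) rows from the dump.
LEAKED = {
    "alice@example.test": sha1_hex("linkedin2012"),
    "bob@example.test": sha1_hex("Tr0ub4dor&3"),
    "carol@example.test": sha1_hex("correct horse battery staple"),
}

# Constructed wordlist of the kind used to crack unsalted hashes offline.
WORDLIST = ["123456", "password", "linkedin", "linkedin2012", "Tr0ub4dor&3"]


def crack_unsalted(leaked, wordlist):
    """Without a salt, identical passwords give identical hashes, so one hash
    per candidate word is compared against every account at once."""
    lookup = {sha1_hex(word): word for word in wordlist}  # computed once
    return {mail: lookup[h] for mail, h in leaked.items() if h in lookup}


def user_in_leak(leaked, mail, password):
    """Self-check for a user: is my (address, password) pair in the dump?"""
    h = leaked.get(mail)
    return h is not None and hmac.compare_digest(h, sha1_hex(password))


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256: the wordlist must now be re-hashed per account,
    and each guess costs 'iterations' times more work."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${dk.hex()}"


def verify_password(stored, password):
    """Check a password against a hash_password() record in constant time."""
    salt_hex, iterations, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("cracked from SHA1 dump:", crack_unsalted(LEAKED, WORDLIST))
    print("alice in leak:", user_in_leak(LEAKED, "alice@example.test", "linkedin2012"))
    record = hash_password("linkedin2012")
    print("PBKDF2 record:", record)
    print("verifies:", verify_password(record, "linkedin2012"))
```

`crack_unsalted` recovers two of the three constructed accounts with five hash computations in total; against the salted records the same wordlist would need five computations per account, each 200,000 times slower, which is the whole argument for salted, iterated password hashing.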


Encrypted by the TeslaCrypt ransomware? Eset says it can make the data accessible again

20.5.2016
Eset has released a tool that can restore files encrypted by the TeslaCrypt ransomware. It only works, however, for the newer versions, TeslaCrypt 3 or 4. The tool is available for download on the vendor's website.

The operators of the TeslaCrypt ransomware recently announced that they were ending their malicious activities. On that occasion, one of Eset's analysts anonymously contacted the attackers through the channel intended for TeslaCrypt victims and asked them for the universal decryption key (the so-called master key).

Surprisingly, the request was granted, which allowed Eset to create a solution for those who had lost access to their files.

TeslaCrypt first appeared on the scene at the beginning of 2015 and focused on content associated with games, such as saved games and user maps, but also on personal documents and images; in total it targeted 185 different file extensions.

Eset's tool can decrypt files encoded by TeslaCrypt with the extensions .xxx, .ttt, .micro or .mp3, and of course those whose extension was not changed by the encryption.


Hacker Steals Money from Bank and Donates $11,000 to Anti-ISIS Group
20.5.2016 Hacking
Meet this Robin Hood Hacker:
Phineas Fisher, who breached Hacking Team last year, revealed on Reddit Wednesday that he hacked a bank and donated the money to Kurdish anti-capitalists in Rojava autonomous region in northern Syria that borders territory held by the ISIS (Islamic State militant group).
Fisher, also known as "Hack Back" and "@GammaGroupPR," claimed responsibility for both the Hacking Team and Gamma Group data breaches.
The vigilante hacker donated 25 Bitcoin (worth around US$11,000) to a crowdfunding campaign known as the Rojava Plan, which has been set up by members of Rojava’s economic committee, described by Fisher as "one of the most inspiring revolutionary projects in the world."
The funds donated to the campaign came from a bank heist, though the hacker neither revealed the name of the bank nor provided any further details of the bank heist.
On closer investigation, it was found that the Rojava Plan's Bitcoin address received a 25 BTC transaction timestamped 5 May 2016, which means the donation has been publicly recorded on the blockchain ledger.
"You can see the payments made to our campaign on the campaign page. You can also check our Bitcoin address, which is public," Deniz Tarî from Rojava Plan told Ars. The page lists a €10,000 donation by "Hack Back!"
Fisher on Reddit even urged another hacker to set up ATM skimming campaigns or rob banks and then donate all the money to the Rojava campaign in order to help the cause.


Telephone metadata by NSA can reveal deeply personal information
20.5.2016 BigBrothers

A study of the telephone metadata collected by the NSA confirms that phone logs reveal individuals’ personal information to government surveillance agencies.
It has been argued in the past that the mass collection of phone records by government surveillance agencies poses a significant threat to privacy rights. Now, however, a new study confirms what privacy advocates have been arguing for years. This is according to US researchers who used basic phone logs and were able to identify individuals and access their confidential information.

All of these personal details were derived from anonymous “metadata” found on individuals’ calls and texts. The two scientists at Stanford University who conducted the research were able to figure out individuals’ names, where they lived and association information.

But that’s not all they found.

They also uncovered details such as gun ownership, medical and disability information and activities involving recreational drugs. When the results were paired with public information already available on services such as Yelp, Google and Facebook, a much bigger, more detailed picture of a given individual’s life could be seen.

Former general counsel at the US National Security Agency (NSA), Stewart Baker has said that, “metadata absolutely tells you everything about somebody’s life.”

“For the study, the researchers signed up 823 people who agreed to have metadata collected from their phones through an Android app. The app also received information from their Facebook accounts, which the scientists used to check the accuracy of their results. In all, the researchers gathered metadata on more than 250,000 calls and over 1.2m texts,” read an article published by The Guardian.

“Analysts who logged into the NSA’s metadata gathering system were initially allowed to examine data up to three hops away from an individual. A call from the target individual’s phone to another number was one hop. From that phone to another was two hops. And so on. The records available to analysts stretched back for five years. The collection window has now been restricted to two hops and 18 months at most.”

Alarmingly, the Stanford study revealed that, given just one phone number to start with, the NSA program would have had access to telephone metadata for tens of millions of people. With the current restrictions in place the number plummets, but the study still indicates that, armed with just one phone number, it is possible to retrieve metadata on 25,000 people.
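The hop rule quoted above is easiest to see on a small call graph. The Python below is an added example, not from the Stanford study or the article: it builds an undirected contact graph from constructed call records, counts how many numbers fall inside a one-, two- and three-hop window around a seed number, and shows which entries from a constructed directory of sensitive organisations land inside that window. All phone numbers and directory entries are made up.

```python
"""How far a 'hop' window reaches in a call graph.

Added example, not from the Stanford study or the article. The call
records, phone numbers and directory entries are all constructed.
"""
from collections import defaultdict, deque

# Constructed call detail records: (caller, callee) pairs, no call content.
CALL_LOG = [
    ("555-0100", "555-0101"), ("555-0100", "555-0102"),  # seed's own contacts (hop 1)
    ("555-0101", "555-0200"), ("555-0101", "555-0201"),  # contacts of a contact (hop 2)
    ("555-0102", "555-0300"),
    ("555-0200", "555-0400"), ("555-0300", "555-0401"),  # hop 3
    ("555-0401", "555-0500"),                            # hop 4: outside a 3-hop window
    ("555-0900", "555-0901"),                            # unrelated pair, never reached
]

# Constructed directory of the kind of sensitive organisations the study matched.
DIRECTORY = {"555-0300": "pharmacy", "555-0401": "legal aid clinic"}


def build_graph(calls):
    """Undirected contact graph: a call in either direction links two numbers."""
    graph = defaultdict(set)
    for a, b in calls:
        graph[a].add(b)
        graph[b].add(a)
    return graph


def reach(graph, seed, max_hops):
    """Breadth-first search: every number within max_hops of seed, with the hop
    at which it was first reached (the seed itself is excluded)."""
    dist = {seed: 0}
    queue = deque([seed])
    while queue:
        cur = queue.popleft()
        if dist[cur] == max_hops:
            continue  # do not expand beyond the window
        for nxt in graph.get(cur, ()):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    del dist[seed]
    return dist


def reach_sizes(calls, seed, hops=(1, 2, 3)):
    """Number of people swept in by a 1-, 2- and 3-hop window around one number."""
    graph = build_graph(calls)
    return {h: len(reach(graph, seed, h)) for h in hops}


def sensitive_contacts(calls, seed, max_hops, directory):
    """Directory entries (organisation names) that fall inside the window."""
    graph = build_graph(calls)
    return {n: directory[n] for n in reach(graph, seed, max_hops) if n in directory}


if __name__ == "__main__":
    seed = "555-0100"
    print("window sizes:", reach_sizes(CALL_LOG, seed))
    for hops in (2, 3):
        print(f"{hops} hops:", sensitive_contacts(CALL_LOG, seed, hops, DIRECTORY))
```

On this toy graph the window grows from 2 to 5 to 7 numbers, and the legal aid clinic only appears when the third hop is allowed; on a real contact graph each hop multiplies the set by the average number of contacts, which is how one seed number reaches the tens of millions of people mentioned above.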


Patrick Mutchler, a computer security researcher at Stanford, writing in the journal Proceedings of the National Academy of Sciences, goes over some key points:

A wealth of personal information was disclosed, some of it sensitive, about people who took part in the study.
“Through automatic and manual searches, they identified 82% of people’s names.”
This same technique revealed the names of businesses those individuals had contacted.
When plotted on a map, clusters of local businesses appeared, which the scientists predicted would be located near the given individuals’ home addresses.
“In this way, they named the city people lived in 57% of the time, and were nearly 90% accurate in placing people within 50 miles of their home.”
The scientists were eventually able to determine relationships based on analyzing individuals’ call patterns. Following that, they “gathered details on calls made to and from a list of organisations, including hospitals, pharmacies, religious groups, legal services, firearms retailers and repair firms, marijuana dispensaries, and sex establishments. From these, they pieced together some extraordinary vignettes from people’s lives.”

Mutchler hopes these findings will give legislators pause with regard to authorizing mass surveillance programs: “Large-scale metadata surveillance programs, like the NSA’s, will necessarily expose highly confidential information about ordinary citizens,” he wrote. Mutchler went on to write: “To strike an appropriate balance between national security and civil liberties, future policymaking must be informed by input from relevant sciences.”

Similarly, Ross Anderson, professor of security engineering at Cambridge University, argues that the study provides data that discussions can now be based on, saying: “With the right analytics running over nation-scale comms data you can infer huge amounts of sensitive information on everyone. We always suspected that of course, but here’s the data.”


O2 faces massive DDoS attacks in connection with the Ice Hockey World Championship

19.5.2016 Cyber attack

Hackers attacked O2's streaming servers on Thursday 19 May. It is the latest of several attacks since the start of the ice hockey championship, and it caused technical problems during the online broadcast of the Czech Republic vs. USA game and several minutes of login problems with the O2 TV mobile service.

Before today's game, O2 significantly strengthened its streaming capacity and adopted several measures that help repel DDoS attacks.

"The first attacks came as early as last week and over the weekend," explains Václav Hanousek, head of network operations. "Even so, last Thursday we were able to provide the service to 320 thousand customers and carry a record volume of 237 Gbps. Unfortunately, due to a system error, the measures we adopted to protect the service provided to our customers caused today's hour-long outage of fixed-line internet in part of Prague and Central Bohemia," Hanousek adds.

The intensity and scale of the attacks also led to overloading of the servers of the O2 TV mobile television. Unfortunately, viewers watching the hockey game via iVysílání could also have experienced brief outages.


Japanese Docomo makes its smartphone covertly trackable
19.5.2016 Mobil

The Japanese Mobile carrier NTT Docomo announced that its mobile devices will allow authorities to covertly track the locations of the users.
The Japanese Mobile carrier NTT Docomo announced that five of its new smartphone models will allow authorities to track the locations without users being aware of it.

Today, users are alerted when the GPS locator is activated remotely, even if it is turned on by the mobile carrier.

The Docomo spokesman explained that the tracking feature will be used by the Japanese authorities in criminal investigations; the company has not denied having already supported law enforcement in the past for the same purpose.

“If requested, we provided positional information using the GPS systems on phones to emergency services such as the police, ambulance services and the Japan Coast Guard, in line with proper guidelines,” the spokesman told The Japan Times.


Another significant change in surveillance practice came in June 2015: according to the Ministry of Internal Affairs and Communications, from that date carriers are no longer obliged to obtain users’ permission before providing location data to law enforcement and intelligence agencies.

This change prompted Docomo to offer new smartphone models that track users covertly.

Docomo also disclosed the models that will implement the new feature. They are all Android models, specifically the Xperia X Performance, the Galaxy S7 Edge, the Aquos Zeta, the Arrows SV and the Disney Mobile.

According to the mobile carrier, a trackable version of the Galaxy S7 Edge will be available in stores from Thursday; the remaining models will go on the market in June.

Other smartphones will of course also be updated by Docomo to implement the new tracking feature, but at the time of writing there is no news about a possible deadline for the updates.

The news is raising heated discussion in the country, and some experts consider the new feature disturbing. Many privacy advocates consider it illegal for carriers to provide user locations without informing the users.

“This is an extreme invasion of privacy. It’s nothing like acknowledging merely which country you’re in,” the lawyer Tsutomu Shimizu told the Japan Times. “Positional information is highly private because it reveals people’s movements. However, I understand that investigative authorities would need such information in certain situations, so there should be a law passed to help public understanding.”

“It is a common practice and belief internationally that personal information should not be distributed to external organizations,” he said.


Teslacrypt decryption tool allows victims to restore their files
19.5.2016 Virus

A security researcher from the ESET security firm issued a TeslaCrypt decryption tool after the authors closed the project and released a free master key.
The victims of the dreaded TeslaCrypt ransomware now have the opportunity to restore their files by using a decryptor developed by experts from the ESET security firm.

“Today, ESET® released a decryptor for recent variants of the TeslaCrypt ransomware. If you have been infected by one of the new variants (v3 or v4) of the notorious ransomware TeslaCrypt and the encrypted files have the extensions .xxx, .ttt, .micro, .mp3 or remained unchanged, then ESET has good news for you.” announced ESET.

A researcher from the company observed a decline in the number of victims of the TeslaCrypt ransomware, so he decided to ask the authors for the decryption key.

Incredibly, the authors provided the master key for free to the expert, who then developed a free universal TeslaCrypt decryption tool.

“In surprising end to TeslaCrypt, the developers shut down their ransomware and released the master decryption key. Over the past few weeks, an analyst for ESET had noticed that the developers of TeslaCrypt have been slowly closing their doors, while their previous distributors have been switching over to distributing the CryptXXX ransomware. ” reported Lawrence Abrams from bleepingcomputer.com that also published a step by step guide to use the Teslacrypt decryption Tool.

“When the ESET researcher realized what was happening, he took a shot in the dark and used the support chat on the Tesla payment site to ask if they would release the master TeslaCrypt decryption key. To his surprise and pleasure, they agreed to do so and posted it on their now defunct payment site.”

Ransomware is one of the most widespread threats. The last iteration of the TeslaCrypt ransomware spotted by experts at Endgame Inc. has been improved by the implementation of new sophisticated evasion techniques and the ability to target new file types.
The malware was used by crooks in numerous malvertising campaigns targeting high-traffic websites. The ransomware represents a serious threat to netizens and organizations. It is important to maintain fresh backups of data on offline media.

Recently experts at Kaspersky have issued a decryption tool for another ransomware, the Cryptxxx.

If you are one of the TeslaCrypt victims and want to have instruction on the Teslacrypt decryption tool, give a look to the step-by-step guide published by bleepingcomputer.com.


Android Instant Apps — Run Apps Quickly Without Installation
19.5.2016 Android

Downloading an app is a real pain sometimes, when you don't want to install the complete app on your smartphone just to book a movie ticket or buy something online. Isn't it?
Now, imagine a world where you can use any Android app without actually needing to download or even install it on your smartphone.
This is exactly what Google has intended to offer you with its all new Instant Apps feature.
Announced at Google I/O event Wednesday, Android Instant Apps will break down the walls between websites and Android apps by allowing people to tap on a URL and open an Android app instantly, without even having to install it.
As a live demonstration, Google's presenter on stage showed how just clicking a Buzzfeed Video link, which has a dedicated app, opened the relevant part of an app — all in just 2 seconds.
In another demonstration, the presenter showed a link to buy a camera bag at B&H Photo and complete the purchasing process instantly through the shopping cart inside the company's touchscreen-friendly Android app, without even installing the whole app.
For Developers:

Android Instant Apps
Developers who want to provide Instant Apps will have to modularize their existing apps so that a single module can start within a few seconds and users don't have to install the whole app just to use one of its features.
According to Google, some developers with basic apps could add Instant Apps support in as little as a day.
Alongside their Instant Apps, developers can also provide "call to action" links to encourage users to download and install the complete app if they find it useful.
For Users:

When users tap a web URL that has an associated Instant App, they get a slimmed-down version of that app instead of the website. On tap, the phone fetches only the part of the app the user needs, so the app appears to install instantly and seamlessly.
The user experience with Android Instant Apps is as fast as loading a web page with the same functionality, so there is no waiting on a loading screen.
Instant Apps run in a secure sandbox, and once released the feature will work on all smartphones running Android 4.2 (Jelly Bean) or later.
The company will make the feature available via an update to the Google Play Services software coming "later this year."


This App Lets You Find Anyone's Social Profile Just By Taking Their Photo
19.5.2016 Social Site
Is Google or Facebook evil? Forget it!
Russian developers have built a new face-recognition app called FindFace, which is a nightmare for privacy advocates and human rights defenders.
FindFace is a terrifyingly powerful facial recognition app that lets you photograph strangers in a crowd and find their real identity by matching them to their social media accounts, with a claimed 70% success rate, putting public anonymity at risk.
The FindFace app was launched two months ago on Google Play and Apple’s App Store and currently has 500,000 registered users and processed nearly 3 Million searches, according to its co-founders, 26-year-old Artem Kukharenko, and 29-year-old Alexander Kabakov.
According to The Guardian, FindFace uses image recognition technology to compare faces against profile pictures on Vkontakte, a very popular social networking site in Russia that has over 200 Million users.
Besides showing the social media account of the one you are searching for, FindFace also shows you social media accounts of people who look very much like the person in the photograph.
"It also looks for similar people," Kabakov told The Guardian. "So you could just upload a photo of a movie star you like or your ex, and then find ten girls who look similar to her and send them messages."
Although many people may find the app useful, anyone who does not want strangers contacting and harassing them will see it for what it can be: a stalking tool.
FindFace has marketed itself as a dating app, but its founders hope to make big money from licensing its algorithm to retail companies and law enforcement, claiming their algorithm can search through a Billion photographs in a matter of seconds on a normal computer.
They said that Russian police had already contacted them about using their facial recognition technology.
Shortly after the launch, security firm Kaspersky tested FindFace's algorithm in April and found that it works about as well as claimed.
When the company uploaded posed photographs, the app correctly identified people 90 percent of the time; accuracy dropped for photos taken surreptitiously in public.
Are you finding the whole thing a bit scary?
This is the entirely new world of technology and gadgets where nothing is hidden; nobody is anonymous.
So the app leaves you just two options: either wear something that defeats the camera, like a hoodie, mask or glasses, while out on the street, or get used to having no privacy in your new society.
Kaspersky also advised Vkontakte users to make their pictures private and delete old photos from the profile pictures album, if they do not want to be identified by strangers.


Hackers target the campaigns of presidential contenders
19.5.2016 Hacking

The US Director of National Intelligence James Clapper revealed that attackers are targeting the campaigns of US presidential contenders.
At the end of 2015, I published a post titled “2016 Cyber Security Predictions”; one of my predictions concerned the rise of cyber attacks related to the US elections.

“Social media are a primary communication method for politicians, the online activity will be intense in the period before the elections and cyber criminals and nation-state actors will try to exploit the event to launch cyber-attacks.” I wrote in the post.

According to the US Director of National Intelligence James Clapper, hackers are targeting the campaigns of Democratic and Republican presidential contenders.

“We already have some indications of that,” he explained during a discussion at the Bipartisan Policy Center in Washington. “I anticipate that as the campaign intensifies, we are probably going to have more of it.”

presidential contenders

The US authorities are aware that threat actors are targeting the US politicians, the Department of Homeland Security and the FBI are issuing multiple warnings to educate them in assuming a proper security posture and avoid being hacked.

“There is a long-standing practice of briefing each of the candidates once they are officially designated, and that shifts in to a higher gear in terms of details after the president-elect is known,” Clapper said.

Clapper confirmed that US intelligence has gathered evidence of several hacking campaigns targeting the campaigns of presidential contenders, with different motivations (e.g. cyber espionage operated by nation-state actors, hacktivism, financial gain).

“We’re aware that campaigns and related organizations and individuals are targeted by actors with a variety of motivations — from philosophical differences to espionage,” said the FBI spokesman Brian Hale.

He also reported that the attacks ranged “from defacements to intrusions.” According to US intelligence, its experts tracked intrusions by foreign intelligence services into the presidential campaigns back in 2008.

According to Clapper, the two candidates will receive “exactly the same” briefings, which will be prepared so as to avoid any interference with the candidates' programs.

“We’ve been doing this for many years, it’s not designed to shape anybody’s worldview,” Clapper added.


Cyber spies from Suckfly group hacked organizations in India
19.5.2016 Hacking

A crew of cyber spies known as the Suckfly group is targeting organizations in India, conducting long-term espionage campaigns against entities in the country.
According to experts at Symantec, the highly professional hacking group known as Suckfly has conducted long-term espionage campaigns against organizations in India.

Symantec did not disclose the names of the targeted organizations, it only revealed that the list of the victims includes one of India’s largest financial institutions, a top five IT firm, two government organizations, another a large e-commerce company, and the Indian business unit of a US healthcare company.

In March 2016, Symantec first documented Suckfly targeting South Korean organizations in search of digital certificates to steal. The group has since been tied to long-term espionage campaigns against organizations across the world, most of them located in India.

“In March 2016, Symantec published a blog on Suckfly, an advanced cyberespionage group that conducted attacks against a number of South Korean organizations to steal digital certificates. Since then we have identified a number of attacks over a two-year period, beginning in April 2014, which we attribute to Suckfly. The attacks targeted high-profile targets, including government and commercial organizations.” states a blog post published by Symantec. “These attacks occurred in several different countries, but our investigation revealed that the primary targets were individuals and organizations primarily located in India.”

The principal weapon in Suckfly's arsenal is a backdoor called Nidiran; the group exploits known Windows vulnerabilities to compromise targets and move laterally within the corporate network.

The experts noticed that the group spent a significant effort to compromise an Indian government department that installs network software for other ministries and departments.

Symantec analyzed the group's tactics, techniques and procedures (TTPs) to profile its modus operandi. The attackers first identify employees of the target organization and try to compromise their systems, likely through spear-phishing.

Once inside the target network, the attackers look for further systems to compromise, using hacking tools to move laterally and escalate privileges.

Suckfly group

The nature of the targets, the group's TTPs and the days on which it is active (Monday through Friday only) led the experts to believe that it is a nation-state actor.

“These steps were taken over a 13-day period, but only on specific days. While tracking what days of the week Suckfly used its hacktools, we discovered that the group was only active Monday through Friday. There was no activity from the group on weekends. We were able to determine this because the attackers’ hacktools are command line driven and can provide insight into when the operators are behind keyboards actively working. Figure 4 shows the attackers’ activity levels throughout the week. This activity supports our theory, mentioned in the previous Suckfly blog, that this is a professional organized group.” states Symantec.
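The weekday pattern Symantec describes can be recovered from host telemetry with a few lines of analysis. The following is an added example, not Symantec's tooling or data: it reads constructed timestamps of hacktool executions, counts them per weekday, checks for weekend activity, and tests which UTC offset best fits an assumed 09:00 to 18:00 working day. The event format, the tool names and the working-hours window are assumptions.

```python
from collections import Counter
from datetime import datetime, timezone

WEEKDAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]

# Constructed sample: UTC timestamps at which command-line hacktools ran on a
# compromised host. Dates, times and tool names are invented for this example
# and are not Symantec's telemetry.
SAMPLE_EVENTS = """\
2014-04-21T01:10:00Z tool=exec.exe
2014-04-21T03:25:00Z tool=psexec.exe
2014-04-22T02:05:00Z tool=whoami.exe
2014-04-22T05:30:00Z tool=netview.exe
2014-04-23T07:15:00Z tool=psexec.exe
2014-04-23T09:40:00Z tool=rar.exe
2014-04-24T02:50:00Z tool=exec.exe
2014-04-24T04:10:00Z tool=tasklist.exe
2014-04-25T06:20:00Z tool=psexec.exe
2014-04-25T08:45:00Z tool=rar.exe
2014-04-28T01:35:00Z tool=whoami.exe
2014-04-29T03:00:00Z tool=exec.exe
"""


def parse_events(text):
    """Parse '<ISO-8601 UTC stamp> tool=<name>' lines into aware datetimes."""
    events = []
    for line in text.splitlines():
        stamp, _, _ = line.partition(" ")
        dt = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(dt.replace(tzinfo=timezone.utc))
    return events


def weekday_histogram(events):
    """Count events per weekday name (UTC)."""
    return Counter(WEEKDAYS[e.weekday()] for e in events)


def weekend_activity(events):
    """Number of events that fall on a Saturday or Sunday (UTC)."""
    return sum(1 for e in events if e.weekday() >= 5)


def best_utc_offset(events, work_start=9, work_end=18):
    """Return the UTC offset (hours) that places the most events inside an
    assumed local working window [work_start, work_end). Ties go to the
    offset closest to UTC. A clear winner is a weak hint about the operators'
    time zone; on its own it is not attribution."""
    def in_window(offset):
        return sum(1 for e in events
                   if work_start <= (e.hour + offset) % 24 < work_end)
    return max(range(-12, 15), key=lambda o: (in_window(o), -abs(o)))


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    print(weekday_histogram(evs))
    print("weekend events:", weekend_activity(evs))
    print("best-fit UTC offset:", best_utc_offset(evs))
```

With the constructed sample every event lands Monday to Friday and the best-fit offset is UTC+8; with real telemetry, feed in the execution times of command-line tools only, since scheduled tasks and beaconing run around the clock and would flatten the pattern.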

Who is behind the Suckfly group?

It is hard to link the Suckfly group to a specific government; Symantec noted that its targets have been located in India, South Korea and Saudi Arabia.

Looking at the C&C infrastructure used by the group, several domains were registered by users with addresses at the Russian email provider Yandex. Of course, this alone adds nothing to attribution; the only certainty is that the group will continue its campaigns in the coming months.

“The nature of the Suckfly attacks suggests that it is unlikely that the threat group orchestrated these attacks on their own. We believe that Suckfly will continue to target organizations in India and similar organizations in other countries in order to provide economic insight to the organization behind Suckfly’s operations.” states Symantec.


The Rio Olympics: Scammers Already Competing
18.5.2016 Zdroj:Kaspersky Spam

A few years ago, spammers and scammers were not as interested in the Olympics as they were in football (the World Cup and European Championships). The first major increase in the number of spam messages devoted to the Olympic Games occurred in the run-up to the Winter Olympics in Sochi in 2014. Since then, their interest in the Olympics has shown no sign of weakening and the upcoming event in Brazil is no exception.

Back in 2015, a year before the Olympics in Rio, we registered fake notifications of lottery wins allegedly organized by the country’s government and the International Olympic Committee. Similar emails continue to be sent in 2016. The vast majority of these messages contain a DOC or PDF attachment, while the body of the message includes only a brief text asking the recipient to open the attachment.


The name of the DOC file, the name of the sender and the subject line of the email often mention the Olympic Games.


The content of these attachments is fairly standard: a lottery was held by an official organization; the recipient’s address was randomly selected from a large number of email addresses, and to claim their winnings the recipient has to respond to the email and provide the necessary personal information.

We also came across emails without attachments; the text written by the scammers was included in the body of the message.

English is undoubtedly the most popular language used in fraudulent emails exploiting the Olympics theme, but we have also registered messages in other languages, for example Portuguese. In these the spammers stuck to the same story of a lottery win, trying to convince the recipient that the email is genuine.


In addition to fraudulent spam, we have registered unsolicited advertising messages containing offers for various goods and services that, one way or another, use the Olympics to grab the attention of recipients.

For example, spammers have been pushing new TVs for watching sporting events.


They also promised to make the recipient an “Olympic champion” with the help of magic pills.


Taking any of these emails seriously enough to reply to them could well leave you out of pocket, but the biggest hit to sports fans' wallets is likely to come from fake ticketing services. We are constantly blocking dozens of newly registered domains with names containing the words “rio”, “rio2016” and so on. Each of these domains hosted good-quality imitations of official services offering tickets to sporting events at this summer's games in Rio de Janeiro.


The scammers register these domains to make their sites look more credible; for the same purpose, they often buy the cheapest and simplest SSL certificates. These domain-validated certificates are issued within minutes, and the certification authority does not verify the legal existence of the organization that requested the certificate. The certificate only proves control of the domain name and provides an encrypted transport for it; most importantly for the fraudsters, it gives them the desired “https” at the beginning of their address.


If you examine the whois data for such domains, you will find that they have only been registered recently, for a short period of time (usually a year) and in the names of individuals. Moreover, the detailed information is often hidden, and the hosting provider could be located anywhere, from Latin America to Russia.
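The WHOIS and certificate checks above can be automated. The following is an added example, not Kaspersky's code: it parses a constructed WHOIS record (the domain, dates and registrar are invented), flags the traits described above, and tests whether a certificate subject, in the layout returned by Python's ssl.getpeercert(), lacks an organization name, which is the mark of a domain-validated certificate. The 90-day age threshold and the analysis date are assumptions.

```python
from datetime import date, datetime

# Constructed WHOIS output for a hypothetical scam domain. The domain name,
# dates and registrar are invented; the field names follow the usual
# "Key: value" layout of registry WHOIS output.
SAMPLE_WHOIS = """\
Domain Name: RIO2016-TICKETS-EXAMPLE.COM
Creation Date: 2016-04-30T11:02:17Z
Registry Expiry Date: 2017-04-30T11:02:17Z
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization:
"""

# Date on which the check is run (assumed, so the example is reproducible).
ANALYSIS_DATE = date(2016, 5, 18)


def parse_whois(text):
    """Map the 'Key: value' lines of a WHOIS record to a lower-cased dict."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            record[key.strip().lower()] = value.strip()
    return record


def _to_date(value):
    # WHOIS dates come in several layouts; the leading YYYY-MM-DD is enough here.
    return datetime.strptime(value[:10], "%Y-%m-%d").date()


def assess_domain(record, today):
    """Return the registration red flags described above for one WHOIS record."""
    flags = []
    created = _to_date(record["creation date"])
    expires = _to_date(record["registry expiry date"])
    age_days = (today - created).days
    if age_days < 90:                       # assumed threshold for "recent"
        flags.append("registered only %d days ago" % age_days)
    if (expires - created).days <= 366:     # one-year term, the cheapest option
        flags.append("registered for the minimum one-year term")
    registrant = record.get("registrant name", "").lower()
    if not registrant or "redacted" in registrant or "privacy" in registrant:
        flags.append("registrant identity hidden")
    if not record.get("registrant organization"):
        flags.append("no registrant organization (registered by an individual)")
    return flags


def is_domain_validated_only(subject):
    """True when a certificate subject carries no organizationName.

    `subject` uses the layout of ssl.SSLSocket.getpeercert()["subject"]: a
    tuple of RDNs, each a tuple of (attribute, value) pairs. A subject holding
    only a commonName is the signature of a cheap domain-validated certificate,
    which proves control of the name and nothing about who runs the site.
    """
    attributes = {name for rdn in subject for name, _ in rdn}
    return "organizationName" not in attributes


def example_flags():
    """Run the check on the constructed record."""
    return assess_domain(parse_whois(SAMPLE_WHOIS), ANALYSIS_DATE)


if __name__ == "__main__":
    for flag in example_flags():
        print("-", flag)
```

None of these flags is proof of fraud on its own (plenty of legitimate small sites are young, privacy-protected and DV-only); together with a name built around "rio2016" and ticket prices below the official ones, they are the profile the writeup describes.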


The sites are necessary to implement a simple scam whereby the phishers ask for bank card information, allegedly to pay for tickets, and then use it to steal money from the victim’s bank account. In order to keep the buyer in the dark for some time, the scammers assure them that the payment has been received for the tickets and that they will be sent out two or three weeks before the event.


As a result, the criminals not only steal the victim’s money but deprive them of the chance of attending the Olympics – by the time they realize they won’t be getting the tickets they booked it will be too late to buy genuine tickets… especially if there’s no money in their bank account.

According to our information, the creation of these fake sites usually involves international cybercriminal groups, each fulfilling its own part of the scam. One group creates a website, the second registers the domains, the third collects people’s personal information and sells it, and the fourth withdraws the cash.

To avoid falling victim to the scammers’ tricks, sports fans should be careful and only buy tickets from authorized reseller sites and ignore resources offering tickets at very low prices. The official website of the Olympic Games provides a list of official ticket sellers in your region and a service that allows you to check the legitimacy of sites selling tickets.


Also, we strongly recommend not buying anything in stores advertised in spam mailings or advertising banners, whether it’s tickets or souvenirs related to the Olympics. At best, you’ll end up with non-certified goods of dubious quality, and at worst – you’ll just be wasting your money. For those who cannot resist impulse purchases, we recommend getting a separate bank card that is only used for online payments and which only ever has small sums of money on it. This will help to avoid serious losses if your banking information is stolen.


117 Million LinkedIn credentials offered for sale
18.5.2016 Social Site

A hacker who goes by the name “Peace” is offering 117 million LinkedIn credentials for 5 bitcoin; the data come from the 2012 hack.
According to Motherboard, a hacker who goes by the name “Peace” is offering the personal details of 117 million LinkedIn users for 5 bitcoin (around $2,200). The hacker is selling the data on the popular black marketplace The Real Deal and confirmed to Motherboard that it comes from the data breach suffered by LinkedIn in 2012.

LinkedIn credentials and Stolen Data

Following the hack, around 6.5 million hashed passwords were leaked online, but clearly the incident was of a much greater magnitude.

“LinkedIn.com was hacked in June 2012 and a copy of data for 167,370,910 accounts has been obtained by LeakedSource which contained emails only and passwords. You can search the hacked LinkedIn.com database and many others on our main site. If you are in this database, contact us and we will remove you from our copy for free.” states LeakedSource, which analyzed the archive of 167 million accounts, of which roughly 117 million have both emails and hashed passwords.

According to LeakedSource, the precious archive was kept by a Russian hacker crew.

LeakedSource confirmed that the passwords were hashed with the SHA1 algorithm, with no “salt.”

“One of the operators of LeakedSource told Motherboard in an online chat that so far they have cracked “90% of the passwords in 72 hours.” reported Lorenzo Bicchierai from Motherboard.

Looking at the top passwords in the LinkedIn credentials included in the archive, the top five are:

Rank  Password    Count
1     123456      753,305
2     linkedin    172,523
3     password    144,458
4     123456789    94,314
5     12345678     63,769

Any further comment is superfluous.

Of course, all users who still use the credentials included in the archive are at risk and are urged to change them as soon as possible.


Hacker puts up 167 Million LinkedIn Passwords for Sale
18.5.2016 Hacking

LinkedIn's 2012 data breach was much worse than anybody first thought.
In 2012, LinkedIn suffered a massive data breach in which the login details of more than 6 million user accounts, including hashed passwords, were posted online by a Russian hacker.
Now, it turns out that it was not just 6 Million users who got their login details stolen.
Latest reports indicate that the 2012 LinkedIn data breach has resulted in the online sale of sensitive account information, including emails and passwords, of about 117 million LinkedIn users.
Almost four years later, a hacker under the nickname "Peace" is offering for sale what he or she claims to be a database of 167 million emails and hashed passwords, including 117 million already-cracked passwords, belonging to LinkedIn users.
The hacker, who is selling the stolen data on the dark web marketplace "The Real Deal" for 5 bitcoins (roughly $2,200), told Motherboard that these logins come from the 2012 data breach.
Because the passwords had been hashed with unsalted SHA1, it took LeakedSource, the paid search engine for hacked data, only 72 hours to crack roughly 90% of them: without a per-user salt, one precomputed table of common passwords can be checked against every hash in the dump.
Troy Hunt, an independent researcher who operates "Have I Been Pwned?" site, reached out to a number of the victims who confirmed to Hunt that the leaked credentials were legitimate.
The whole incident proved that LinkedIn stored your passwords in an insecure way and that the company did not make it known exactly how widespread the data breach was at the time.
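Both LinkedIn reports on this page turn on the same detail: unsalted SHA1. The following added example (not LinkedIn's code, and not LeakedSource's tooling) shows why that matters. It builds a hash-to-password table from the five most common passwords in the dump, cracks constructed leaked digests by lookup, and contrasts this with per-user salted PBKDF2 from the Python standard library, where two users with the same password get different digests and no precomputed table helps. The third "leaked" digest is a placeholder for an unknown password, and the iteration count is an assumption.

```python
import hashlib
import os

# The five most common passwords reported for the leak, plus three constructed
# "leaked" SHA-1 digests to crack. Two are the unsalted SHA-1 of passwords on
# the list; the third is a placeholder for an unknown, non-dictionary password.
TOP_PASSWORDS = ["123456", "linkedin", "password", "123456789", "12345678"]
LEAKED_HASHES = [
    "7c4a8d09ca3762af61e59520943dc26494f8941b",   # sha1("123456")
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",   # sha1("password")
    "e7e4a17c9d4e5d2f6a9f8b3c1d0e2f4a5b6c7d8e",   # placeholder, not on the list
]
ITERATIONS = 100_000   # assumed PBKDF2 work factor


def sha1_hex(password):
    """Unsalted SHA-1, the scheme LinkedIn used in 2012."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup(wordlist):
    """Precompute digest -> password once. With no salt the same table works
    for every account in the dump, which is why 117M hashes fall in days."""
    return {sha1_hex(pw): pw for pw in wordlist}


def crack_unsalted(leaked, lookup):
    """Return {digest: password} for every leaked digest found in the table."""
    return {h: lookup[h] for h in leaked if h in lookup}


def hash_salted(password, salt=None, iterations=ITERATIONS):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    Returns (salt, digest); both must be stored."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=ITERATIONS):
    """Recompute with the stored salt and compare."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return candidate == digest


if __name__ == "__main__":
    cracked = crack_unsalted(LEAKED_HASHES, build_lookup(TOP_PASSWORDS))
    print("cracked %d of %d:" % (len(cracked), len(LEAKED_HASHES)), cracked)
    _, d1 = hash_salted("123456")
    _, d2 = hash_salted("123456")
    print("same password, different stored digests:", d1 != d2)
```

The unsalted table cracks two of the three digests instantly, and the 753,305 accounts sharing "123456" would all fall to that single lookup; with a 16-byte random salt and a slow KDF, each account has to be attacked separately and each guess costs 100,000 iterations instead of one SHA-1.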
In response, a LinkedIn spokesperson said that the company is investigating the matter.
In 2015, LinkedIn also agreed to settle a class-action lawsuit over the 2012 breach by paying a total of $1.25 million to victims in the U.S., about $50 each.
According to the lawsuit, the company violated its privacy policy and an agreement with premium subscribers that promised it would keep their personal information safe.
However, new reports now suggest that a total of 167 million LinkedIn accounts were breached, not just 6 million.
If a similar share of the 167 million affected accounts belong to Americans, the company could face a far larger settlement.
Meanwhile, I recommend changing your password (choose a longer and stronger one this time) and enabling two-factor authentication on your LinkedIn account as soon as possible. Do the same for your other online accounts if you reuse passwords across sites.


Core Tor Developer who accuses FBI of Harassment moves to Germany
18.5.2016 Safety
One of Tor's primary software developers, Isis Agora Lovecruft, has fled to Germany following the threat of a federal subpoena.
Lovecruft is a well-known cryptographer and has been a lead software developer for the Tor Project for many years. She has also worked on a variety of other security and encryption products, such as Open Whisper Systems and the LEAP Encryption Access Project.
Since November 2015, FBI special agents in the United States have been trying to meet with her, but they will not tell her or her lawyer exactly why.
When her lawyer reached out to FBI Special Agent Mark Burnett and asked why he wanted to meet with her, the agent assured the lawyer that she is not the target of any investigation, but also said that…
The FBI has had agents on the streets in five US cities looking for her, intending to ask her questions without her lawyer present.
Lovecruft's lawyer responded that all questions should be directed to him rather than to Lovecruft or her family, but Burnett said that he would not tell her or her lawyer what the matter involves.
In general, it is not a big deal to meet with FBI agents to find out what they are looking for.
But Lovecruft fears that the agents will serve her with some kind of secret warrant, possibly to compel her to insert a backdoor into Tor and expose Tor users around the world to potential spying.
So she packed her suitcase and left the United States for Germany on December 7 last year, accusing the FBI of harassment over the past six months.
"I had already been in the process of moving, permanently, to Germany, and had retained a German immigrations lawyer several months prior to these events," Lovecruft wrote in her blog post titled, 'FBI Harassment.'
Although unsure if she was breaking any laws by leaving the country, she booked a flight to Berlin – despite the fact that she didn't intend to use the return ticket – just to avoid raising suspicions.
However, this didn't end the matter, and the FBI Special Agent Kelvin Porter in Atlanta called Lovecruft's lawyer last month, asking him where to send a subpoena for Lovecruft to help testify in a criminal hacking case.
Following Lovecruft's blog post, the Tor Project's official Twitter account tweeted in support of its developer: "We support our colleague Isis."
In response to this issue, an FBI spokesperson told IBTimes:
"The FBI, as a general policy, does not confirm nor deny investigations, nor comment on the investigative activity unless it is a matter of public record. If someone is alleging harassment of any kind that should be brought to the attention of the government, though it is unclear what specific activity is even being characterized as harassment."
Tor is anonymity software that provides a safe haven to human rights activists, governments and journalists, but it is also a place where drugs, child pornography, assassins for hire and other illegal services have allegedly been traded.
For the last few years, the FBI has been trying to break Tor and unmask Tor users in several investigations.
The agency has been accused of hacking Tor users during its investigation of the world's largest dark web child pornography site, 'Playpen.' The FBI has also compelled Carnegie Mellon University to help it hack Tor users.


CVE-2016-4010 – Watch out a critical bug can fully compromise your Magento shop
18.5.2016 Vulnerebility

The vulnerability CVE-2016-4010 allows an unauthenticated attacker to execute PHP code on a vulnerable Magento server and fully compromise the shop.
The Israeli security expert Nethanel Rubin (@na7irub) has reported a critical flaw (CVE-2016-4010) in the eBay Magento e-commerce platform that could be exploited by hackers to completely compromise online shops.

The vulnerability, rated 9.8/10, has been fixed in Magento version 2.0.6, published yesterday. The fix prevents an unauthenticated user, or a user with minimal permissions, from reaching the platform's installation code and executing arbitrary PHP code on the server.

“Magento no longer permits an unauthenticated user to remotely execute code on the server through APIs. Previously, an unauthenticated user could remotely execute PHP code on the server using either REST or SOAP APIs. (These APIs are enabled by default in most installations.)” states the company security advisory.

Rubin confirmed that attackers can execute arbitrary PHP code on unpatched systems by chaining several smaller flaws.

“The vulnerability (CVE-2016-4010) allows an attacker to execute PHP code at the vulnerable Magento server unauthenticated. This vulnerability actually consists of many small vulnerabilities, as described further in the blog post.” reads a blog post published by Rubin .

“This vulnerability works on both the Community Edition and Enterprise Edition of the system.”

magento

In his post, Rubin detailed the attack chain, explaining how an attacker can exploit the flaw in the Magento platform. The chain relies on the REST or SOAP RPCs, which are enabled by default in the majority of installations.

“The “API” directory is made out of different PHP files, each containing one PHP class, responsible for exposing some of the module functionality to the rest of the system.” wrote Rubin. “Magento’s Web API is allowing two different RPCs – a REST RPC, and a SOAP API. Both RPCs provide the same functionality, the only difference between the two is that one is using JSON and the HTTP query string to transfer its input, while the other uses XML envelopes.
As both are enabled by default, I will use SOAP API in this document as I find it more understandable.”

Magento's engineers made a significant effort to release the fix quickly and improved the code substantially in the process.

Rubin called the effort a “huge step forward.”

If you run a Magento online store, update it to 2.0.6 as soon as possible.


Hacker Interviews – Speaking with GhostShell
18.5.2016 Hacking

GhostShell is back and I had the opportunity to interview him. It is important to understand the thoughts and opinions of talented minds like GhostShell.
Yesterday I reported the news of the return of one of the most popular hackers, GhostShell, who exposed data from 32 companies and launched a new campaign to punish negligent network administrators.

Who is GhostShell? It is too simple to label him as a hacker or hacktivist, so I decided to go behind the scenes and reach him for an interview.

GhostShell Tweet

I believe it is important to understand the thoughts and opinions of talented minds like GhostShell. Hackers have their codes, their experiences and their growth paths, knowledge of which is crucial for people who actually work in cyber security.

Let me thank GhostShell for his availability, I really appreciated it.

Enjoy the Interview!

What are your motivations? Why do you hack?

I have plenty of reasons for hacking. For starters I’m a hacktivist so my public hacks and leaks are politically motivated. The reasons vary for each of them. In the past they’ve been focused on topics such as the educational sector or the abuse of governments towards its people in places like Russia or China. Other times they were more aimed at the authorities in the US for arresting other fellow hackers across the world. Or even widespread corruption in other parts of the world, like Africa.

Behind the scene, I take pleasure in exploring the internet without any restrictions or anyone judging me for it.

To be able to explore any part of this new and ever-changing world to your heart’s desire gives you a brief taste of true freedom. Like a cold breeze in a hot summer day, short but memorable.

What is your technical background and are you an IT professional?

Can’t really say that I have an official (technical) background in this industry. Everything that I know or can do I’ve studied and learned on my own. In fact, when I first appeared on the scene, it was just me with a twitter account and zero followers. I literally had no friends or contacts. The reason why I even bring this up is to prove that you don’t need any sort of professional help from a private class course or governmental training to learn about cybersecurity. Anyone with a bit of curiosity and determination can pursue any topic out there associated with this field.

Some of the topics that I have been attracted to over the years have ranged from general pen testing, general programming in various languages, cryptology – cryptography although with a bigger focus on cryptanalysis, since code breakers are almost non-existent nowadays. Infiltrating and extracting private data is one thing but what happens when you stumble upon encrypted data? Being a regular MD5 password cracker with rainbow tables just doesn’t cut it anymore. Hackers have to evolve and adapt in parallel with this ever-changing environment.

As an exclusive tidbit of information that I would like to share is that I have a presence in plenty of other industries, not just this one. I have been a game developer for years, both as a game programmer and designer. Or a theory hardware hacker in robotics, mostly engaged in breadboard simulation and light programming. But also involved in other non-IT industries.

I cannot really mention more or even go into too many details. As mentioned before, earlier this year in my outing, the moment you release any sort of private information about yourself or others it no longer becomes yours but everyone else’s. However, if there’s someone out there interested in cybersecurity and wants to learn how to pen test then they should start by looking up every single tutorial on the open net.

Most of the information, exploits, step-by-step tutorials can all be found online. Places like OWASP are pretty cool for beginners to read more on the different types of attacks out there and pretty much every source of freely available information, from blogs to online videos, can help tremendously, especially when you’re a newcomer.

Newcomers should never feel discouraged in their pursuit for knowledge. Regardless of what any and every paid troll or ignorant researcher may label us as, take pride in the knowledge you have accumulated so far and make way to acquire even more. For me, when it comes to cybersecurity, hacking is basically coding and security testing. People, especially outsiders or the usual upper-class middle-aged men from the west that are part of this industry, are too bent on name branding everything/everyone and micromanaging the cultural aspect of things. My only advice to them would be less judging, more security testing.

What was your greatest challenge?

My greatest challenge was holding back from the systematic destruction of every single person from the industry working on my case. This started back at the beginning of 2013 when I took my first break because of them and has lasted up until this very day. I have been aware of the people assigned to my case since the start, from the federal agents to the private companies aiding them. In 2013, I was prepared to leak all their identities and point fingers at all the exact honeypots from the scene where hackers are herded and actively entrapped, but I held back.

To put someone’s identity and life on display for the world to judge and critique while you laugh at their own misfortune is something that the authorities do for a living.

I wasn’t about to become the same medieval animal as them.

What was your greatest hacking challenge?

I don’t really have a specific target in mind but I’m pretty sure that the most difficult and equally irritating cyberspace for me was South Africa’s. Slow connections, poorly configured encodings on the sites, and the overall tricky measures incorporated into their systems made my campaign there one of the worst hacker experiences I’ve ever had.

I suppose that’s me complimenting their cyberspace since they made me feel like I was stuck in quicksand while pen testing their domains. Props.

Another challenging territory to attack is China. The slow connections play a huge role here as well, add to that the new and unique encodings never seen before in western networks all the while you’re trying to map out a hermit cyberspace that houses a solid population of over 500 million netizens and you end up with quite a handful of things to worry about. There are more than half a billion users there but realistically how many people on Twitter can name at least 10 websites from mainland China? The ignorance and lack of information in the west will one day end up in our own downfall.

What scares you the most on the internet?

People. People scare me. Especially those with even a shred of power at their disposal that are incapable of suppressing their urges from abusing it.

I have the knowledge to make and break this digital reality yet you don’t see me actively taking down websites, altering server data or leaking compromising information about any individual such as up-to-date banking information or private medical records. Even in this recent leak dubbed Light Hacktivism where I’ve strayed a bit away from that, the few examples given were either outdated/expired credentials or redacted medical data that had nothing to do in general with a patient but with the establishment itself. That’s a courtesy that you don’t see all too often around here, considering how a lot of this information is available en masse on the internet, unprotected for anyone to see.

I can’t claim all the higher moral ground here either since I also have my faults and failures but they don’t even come close to those of grown ass men working for or with governments to both surveil and entrap children and young people. It makes me sick to my stomach to witness federal agencies parading around 15-year-olds through the press, branding them criminals or terrorists simply because they were curious to test a network’s security or naive enough to fall into another one of the usual generic entrapments.

What would you change about the cybersecurity industry and why?

You mean apart from the medieval practices of using children and young people as scapegoats for an industry that basically exploits them? How many times have we seen news about the end of days on the internet?

Companies overreacting to our hacks while peddling their own broken products, the feds entrapping us with whatever is politically trendy, all the while the bystanders sit on the fence calling us criminals or terrorists that need to be put behind bars.

If I had to pick a set of topics that need everyone’s attention in the near future, it would be these:

The changing of federal practices when it comes to official investigations of hackers, especially hacktivists. The psychological trauma of being constantly obfuscated, being surveilled and misinformed for years is far greater than any of the people working on the scene could think. Paranoia, insomnia, depression, panic attacks, various other disorders end up causing a permanent scar on our minds, even after we’ve been caught and reintegrated back into society.
The on-going exploitation of children and young hackers by the corporations has to end. How much money have they all made off our backs? How many customers did they acquire after pointing their fingers in our direction and claiming that the cyber armageddon is upon us and that the only salvation is through their software? I can’t even call these people businessmen but rather a new digital form of religious fanatics, piggy-back riding on our infamy.
The cybersecurity industry needs more women. And I’m not talking about chicks that rock the chair in marketing, public relations, recruiting, and accounting or as secretaries. I’m talking about actual cybersecurity experts.
How many women do you know that are hackers or pen testers? What about as networking architects? Data mining experts? Hacktivists? If anyone out there can name 5 of them from each of those categories then you’ve just won the internet but if you can’t even name 1 or 2 without looking it up then you know we have a problem. A diverse industry leads to a diverse set of ideas, which leads to more innovative creations. That much is a no brainer to anyone. Let’s try to make a change for the better. Together.

A serious talk about the future of cybersecurity. And here I mean less the software and more the people. Because at the end of the day the people are the ones that make up the industry. We should talk more often about the sensitive problems we’re facing, like drug abuse or alcohol. We have been pointing it out in the past but we never really came to any conclusion. Can we do something about it? Can we help prevent hackers and security professionals from becoming drug addicts or alcoholics? Maybe we need a support group for them. Maybe we need to stop being so judgmental and more understanding when bringing up the subject. Maybe that’s how we prevent certain disasters.

Maybe it’s all linked to those three other points above.

Why did you agree to this interview? You’re usually reserved in giving them so why give one now?

Because I respect you as a journalist. You’re one of the original team of independent people that have reported on the hacker scene since before I even arrived. You’ve reported on my projects and activities from the very beginning and I wanted to thank you for it. Same goes for all the other infosecurity enthusiasts. You guys have no idea how amazing it is to have journalists that report on our activities while sitting at the same level as us. It helps bridge that gap between hacker and journalist. After the Hacker Team journo list was formed I thought things were going to change and some hacker activities obfuscated but I’m glad that things have remained the same.

We all need down-to-earth journalists that can do their job of reporting on real-time news and for that I’m thankful.


Hackers enslaved a million computers. They made big money that way

18.5.2016 Hacking
A group of as yet unknown hackers managed to infect a million computers from various corners of the world with a virus. Although the owners had no idea, the hackers then used their PCs to make big money. The Hacker News site reported this.
The malicious code known as Redirector.Paco, which has been travelling the internet since 2014, helped the cybercriminals enslave individual computers. It usually spread as an attachment to unsolicited e-mail or as a link in various chats and on social networks.

The attackers then connected the infected machines into one enormous botnet, i.e. a network of enslaved computers that usually serves to send spam or to carry out DDoS attacks. In this case, however, the computer pirates used the botnet for something entirely different: they made considerable money with it.

They controlled internet traffic
They used the infected machines to control their internet traffic. That way they were able to covertly visit thousands of different websites in the background on each individual PC, and collect money for the advertising displayed there.

Security experts at the antivirus company Bitdefender estimated that the hackers managed to enslave a million computers in this way. Given that, it is fairly easy to estimate that they earned at least several million, and quite possibly tens of millions, of dollars with the botnet.

However, the security experts dealing with the case were unable to determine the exact amount.

From the lines above it is clear that the cybercriminals tried to stay hidden for as long as possible so that users would not discover the infiltration of the malicious code. They would otherwise lose a valuable source of income.

The virus also attacked in Europe

According to Bitdefender, most of the enslaved computers were in India, Malaysia, Greece, the United States, Italy, Pakistan, Brazil and Algeria. However, it cannot be ruled out that machines belonging to Czech users were also infected by the malicious code, because the virus appeared in several European countries.

Security experts point out that users usually make the hackers' work easier through their own behaviour. They underestimate basic security rules – for example, they click on attachments in unsolicited e-mails, or they do not regularly install updates for individual programs and the operating system.

Cybercriminals are naturally able to profit from all of this. And thanks to it, they can earn big money…


What are currently the most common threats in the Czech Republic?

18.5.2016 Viruses
Globally the Bundpil worm is causing the most trouble, but in the Czech Republic infected e-mail attachments are currently the most commonly spread threat.

Eset published its ranking of the ten biggest IT security threats for April. According to it, the spread of the malicious Bundpil worm, which propagates via removable media, rose significantly compared with March. The second most common threat is the Nemucod trojan, and the third is JavaScript Danger.ScriptAttachment. The latter is third on a global scale, but in the Czech Republic it is the most common threat.

"The Bundpil worm contains a URL from which it tries to download several files onto the infected device. These then install themselves and make it possible to download further malicious code onto the device," explains Petr Šnajdr, an expert at Eset.

Bundpil overtook the Nemucod trojan horse. Nemucod, however, also continued to show increased occurrence and moved up to second place in the ranking of the ten biggest cyber threats for April.

Hackers use Nemucod as a means of installing further malicious code and taking over the infected device. "It is a classic downloader that spreads as an attachment to e-mail messages. Most often it masquerades as an invoice or a court summons," Šnajdr states.

New in the top ten most active malicious codes, in third place, is JS/Danger.ScriptAttachment, a malicious file that spreads as an e-mail attachment and can cause malware to be downloaded. "It is a detection that judges the maliciousness of a message by more general criteria. The JS/Danger detection covers variants of the Nemucod malicious code with a different algorithm, which is why part of Nemucod is detected as JS/Danger. In the Czech environment it is the most common threat; we identify it in more than a quarter of all cases," Šnajdr explains.

The overview of the most common cyber threats currently also includes the Agent.XWT virus, which opens the door to further infiltrations. The top five most widespread threats are rounded off by the ScrInject code, which opens HTML web pages with malicious scripts or embedded iframe objects that automatically redirect the device to download malware.

The second half of the ranking of the most active viruses no longer contains such widespread malicious code. The HTML/Refresh trojan, which redirects the web browser to rather untrustworthy URLs, moved up to sixth place in April. Seventh place, as in March, was held by the Ramnit virus, which activates at every system start and lets an attacker remotely shut down or restart the infected computer.

The Agent.CR malware, which uses an LNK file as a disguise and within it abuses the system program rundll32.exe for its activities, dropped from third place in March to eighth in April.

Ninth place was taken by the polymorphic Sality virus, which disrupts or removes security applications at every restart of the operating system.

The April ranking of the most widespread cyber threats is closed by the Agent.BZ malware, which, like Agent.CR, calls a malicious function from its DLL library via rundll32.exe.

Top 10 threats - global overview

Win32/Bundpil
JS/TrojanDownloader.Nemucod
JS/Danger.ScriptAttachment
Win32/Agent.XWT
HTML/ScrInject
HTML/Refresh
Win32/Ramnit
LNK/Agent.CR
Win32/Sality
LNK/Agent.BZ


Critical flaw in Symantec and Norton antivirus products allows hacker attacks

18.5.2016 Vulnerabilities
A flaw in the antivirus engine used in several Symantec products is very easy to exploit. According to Google security engineer Tavis Ormandy, who discovered the flaw, the vulnerability can be exploited to run malicious code on computers, even remotely.

All an attacker has to do is send an e-mail with a malformed file as an attachment, or persuade the user to click on a dangerous link.

The file does not even need to be opened: the antivirus engine uses a driver to intercept all system operations and automatically scans the file the moment it enters the system in any way.

The company already fixed the flaw on Monday in Anti-Virus Engine (AVE) update version 20151.1.1.4, delivered through the LiveUpdate service. The security defect is a buffer overflow that could occur while parsing executable files with a malformed header.

The file extension plays no role, as long as the header marks the file as a portable executable packed with ASPack, a commercial compression tool.

By far the worst news, however, is that Symantec AVE unpacks such files inside the kernel, i.e. directly in the core of the operating system, the area with the highest privileges. This means that a successful compromise can lead to a complete loss of control over the entire system.

"On Linux, Mac and other Unix platforms, this process can cause a remote heap overflow in Symantec or Norton processes," Ormandy explains in his write-up on the subject. "On Windows, this process leads to an overflow of memory allocated to the kernel, as the engine's scan is loaded in the kernel, which makes it a remote ring0 memory corruption vulnerability; it does not get much worse than that."

Symantec rated the vulnerability 9.1 out of a maximum of 10 on the CVSS scale, i.e. as extremely dangerous.

"The most common indicator of a successful attack would be an immediate system crash, i.e. the blue screen of death," the company wrote in its article.

Users should make sure they have installed the latest available updates for their Symantec antivirus products.

This is the latest in a long line of critical flaws found in antivirus products by Ormandy and other security analysts in recent years. Most of them keep criticizing antivirus vendors for their tendency to continue with dangerous file scans that, in the past, have led to exploitation of flaws with kernel privileges.


Hacker finds flaws that could let anyone steal $25 Billion from a Bank
18.5.2016 Hacking
A security researcher could have stolen as much as $25 Billion from one of the India's biggest banks ‒ Thanks to the bank's vulnerable mobile application.
Late last year, security researcher Sathya Prakash discovered a number of critical vulnerabilities in the mobile banking application of an undisclosed bank that allowed him to steal money from any or all bank customers with the help of just a few lines of code.
Being a white hat hacker, Prakash immediately reached out to the bank and alerted it about the critical issues in its mobile app and helped the bank fix them, instead of taking advantage of the security holes to steal money from the bank that has about 25 Billion USD in Deposits.
While analyzing the mobile banking app, Prakash discovered that the app lacked certificate pinning, allowing any man-in-the-middle attacker to downgrade the SSL connection and capture requests in plain text using fraudulently issued certificates.
Besides this, Prakash also found that the mobile banking app had an insecure login session architecture, allowing an attacker to perform critical actions on behalf of a targeted account holder without knowing the login password, such as viewing the victim's current account balance and deposits, adding a new beneficiary, and making illegal transfers.
"So invoking the fund transfer API call directly via CURL, bypassed the receiver/beneficiary account validation. I was able to transfer money to accounts that weren't on my beneficiary list," Prakash wrote in his blog post.
"It was a matter of 5 lines of code [exploit] to enumerate the bank's customer records (Current Account Balance, and Deposits)."
Stealing Money from Anyone Else's Account
If this wasn't enough, Prakash discovered that the app did not check whether the given customer ID or Transaction Authorisation PIN (MTPIN) ‒ used for critical controls like transferring funds or creating a new fixed deposit ‒ actually belonged to the sender's account.
This blunder in the mobile banking app could have allowed anyone with the app and an account at the bank to transfer money from someone else's account, as reported by Motherboard.
"I tested [the hack] with a bunch of accounts belonging to my family. Few of those accounts don't even have net banking or mobile banking activated," Prakash added. "And it all worked like a charm."
However, instead of taking advantage of these bugs, Prakash responsibly emailed the bank on November 13, 2015, and within a few days the bank's deputy general manager informed him that the security flaws had been fixed, without rewarding him with a bug bounty, which is unfair.
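The two server-side mistakes the article describes (trusting the customer ID and MTPIN supplied by the client, and validating the beneficiary only in the app rather than in the transfer API) can be shown beside their fix. The code below is an added example, not the bank's API or Prakash's write-up: the account data, PINs, request format and the transfer_vulnerable/transfer_hardened handlers are all constructed.

```python
import hmac
from dataclasses import dataclass, field


class AuthzError(Exception):
    """Raised when a request is not authorised for the authenticated user."""


@dataclass
class Account:
    customer_id: str
    mtpin: str                 # transaction PIN, kept in clear only for this demo
    balance: int
    beneficiaries: set = field(default_factory=set)


def make_bank() -> dict:
    """Constructed sample accounts; C300 never enabled mobile banking."""
    return {
        "C100": Account("C100", "1234", 5000, beneficiaries={"C200"}),
        "C200": Account("C200", "5678", 100),
        "C300": Account("C300", "9012", 8000),
    }


def transfer_vulnerable(bank: dict, session: dict, request: dict) -> int:
    """Mirrors the flaws in the article: the MTPIN is checked against the
    caller's own account, but the debited account and the recipient come from
    the request body, and the beneficiary list is never consulted here
    (the app enforced it in the UI, so calling the API directly skips it)."""
    caller = bank[session["user_id"]]
    if request["mtpin"] != caller.mtpin:
        raise AuthzError("bad MTPIN")
    src = bank[request["customer_id"]]      # attacker-controlled
    dst = bank[request["to"]]               # not on anyone's beneficiary list
    src.balance -= request["amount"]
    dst.balance += request["amount"]
    return src.balance


def transfer_hardened(bank: dict, session: dict, request: dict) -> int:
    """Every authorisation decision is bound to the authenticated session."""
    src = bank[session["user_id"]]
    # A customer_id in the body may only ever name the caller's own account.
    if request.get("customer_id", src.customer_id) != src.customer_id:
        raise AuthzError("customer_id does not match the session")
    if not hmac.compare_digest(str(request.get("mtpin", "")), src.mtpin):
        raise AuthzError("bad MTPIN")
    to = request["to"]
    if to not in src.beneficiaries:
        raise AuthzError("recipient is not a registered beneficiary")
    amount = request["amount"]
    if not isinstance(amount, int) or amount <= 0 or amount > src.balance:
        raise ValueError("invalid amount")
    bank[to].balance += amount
    src.balance -= amount
    return src.balance


def outcome(handler, bank: dict, session: dict, request: dict) -> str:
    """Run a handler and summarise the result as 'ok:<balance>' or 'denied:<why>'."""
    try:
        return f"ok:{handler(bank, session, request)}"
    except (AuthzError, ValueError) as exc:
        return f"denied:{exc}"


if __name__ == "__main__":
    # Constructed scenario: C100 is logged in and tries to move C300's money to itself.
    attacker = {"user_id": "C100"}
    rogue = {"customer_id": "C300", "to": "C100", "amount": 1000, "mtpin": "1234"}
    print("vulnerable:", outcome(transfer_vulnerable, make_bank(), attacker, rogue))
    print("hardened:  ", outcome(transfer_hardened, make_bank(), attacker, rogue))
    legit = {"to": "C200", "amount": 500, "mtpin": "1234"}
    print("legit:     ", outcome(transfer_hardened, make_bank(), attacker, legit))
```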


1 Million Computers Hacked for making big Money from Adsense
18.5.2016 Hacking
A group of cyber criminals has infected as much as 1 Million computers around the world over the past two years with a piece of malware that hijacks search results pages using a local proxy.
Security researchers from Romania-based security firm Bitdefender revealed the presence of this massive click-fraud botnet, which the researchers named Million-Machine Campaign.
For those unaware, botnets are networks of computers infected with malware designed to take control of the infected system without the owner's knowledge, potentially to be used for launching distributed denial-of-service (DDoS) attacks against websites.
The malware in question is known as Redirector.Paco, which alone has infected over 900,000 machines around the world since its release in 2014.
The Redirector.Paco Trojan infects users when they download and install tainted versions of popular software programs, such as WinRAR, YouTube Downloader, KMSPico, Connectify, or Stardock Start8.
Once installed, Paco modifies the computer's registry and adds two new entries disguised as "Adobe Flash Update" and "Adobe Flash Scheduler" to make sure the malware starts after every boot.
Besides this, the malware drops JavaScript files that download and apply a PAC (Proxy Auto Configuration) file which hijacks all Web traffic, ensuring it is routed through an attacker-controlled server.
Search Engines Display Fake Results even Over HTTPS
Paco then sniffs all Web traffic originating from the infected computer, looks for queries made to popular search engines like Google, Bing, or Yahoo!, and replaces the actual results with fake Web pages that mimic the real user interface.
The botnet has the ability to redirect search engine results even when the results are served over encrypted HTTPS connections. To do so, the malware installs a free root certificate ‒ DO_NOT_TRUST_FiddlerRoot ‒ that stops your browser from showing HTTPS errors.
"The goal is to help cyber-criminals earn money from the AdSense program," Bitdefender's Alexandra Gheorghe said in a blog post. "Google's AdSense for Search program places contextually relevant ads on Custom Search Engine's search results pages and shares a portion of its advertising revenue with AdSense partners."
Although the malware tries to make the search results look authentic, some markers can raise suspicions, like messages showing "Waiting for proxy tunnel" or "Downloading proxy script" in the status bar of your web browser.
Additionally, the search engine takes longer than usual to load results, and the typical yellow 'O' characters in Google above the page numbers are not displayed, according to researchers.
The security firm says that the majority of victims are in India, Malaysia, Greece, the United States, Italy, Pakistan, Brazil, and Algeria.
To avoid these kinds of threats, following standard security measures could save your ass: keep your system and antivirus up to date, and always keep an eye on warnings that something is not right with your computer.
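The host-side markers the article lists (the two fake "Adobe Flash" autostart entries, a PAC file that proxies everything including search-engine traffic, and the DO_NOT_TRUST_FiddlerRoot root certificate) can be triaged from exported data. The script below is an added example, not Bitdefender's or the article's code; it assumes the caller has already exported the autostart (Run-key) entries, the PAC script text and the root-store certificate subjects, and the sample inputs, file paths and proxy host name are constructed.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the article.
PACO_AUTOSTART_NAMES = {"Adobe Flash Update", "Adobe Flash Scheduler"}
PACO_ROOT_CERT = "DO_NOT_TRUST_FiddlerRoot"
SEARCH_ENGINES = ("google", "bing", "yahoo")


@dataclass(frozen=True)
class Finding:
    source: str   # "autostart", "pac" or "root_cert"
    detail: str


def check_autostart(entries: dict) -> list:
    """entries maps autostart value names to command lines (assumed to be
    exported from the Run keys by the caller). Paco hides behind names that
    imitate Adobe Flash updaters."""
    return [Finding("autostart", f"{name} -> {cmd}")
            for name, cmd in entries.items() if name in PACO_AUTOSTART_NAMES]


_PROXY_RE = re.compile(r"PROXY\s+([A-Za-z0-9.\-]+):(\d+)")


def check_pac(pac_text: str) -> list:
    """Two heuristics on a PAC script: it never returns DIRECT (so every
    request goes through a proxy) and it singles out search-engine hosts,
    the pattern the article describes for result hijacking."""
    findings = []
    proxies = sorted({f"{host}:{port}" for host, port in _PROXY_RE.findall(pac_text)})
    if proxies and "DIRECT" not in pac_text:
        findings.append(Finding("pac", "no DIRECT branch, all traffic via " + ", ".join(proxies)))
    lowered = pac_text.lower()
    engines = [e for e in SEARCH_ENGINES if e in lowered]
    if proxies and engines:
        findings.append(Finding("pac", "search engines matched explicitly: " + ", ".join(engines)))
    return findings


def check_root_certs(subjects) -> list:
    """subjects is an iterable of root-store certificate subject strings."""
    return [Finding("root_cert", s) for s in subjects if PACO_ROOT_CERT in s]


def triage(autostart: dict, pac_text: str, root_subjects) -> list:
    """Combine the three checks into one list of findings for the host."""
    return check_autostart(autostart) + check_pac(pac_text) + check_root_certs(root_subjects)


# Constructed sample inputs (not real captures); the proxy host is a placeholder.
SAMPLE_AUTOSTART = {
    "OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "Adobe Flash Update": r"wscript.exe //B C:\Users\u\AppData\Roaming\flash_update.js",
}
SAMPLE_PAC = """function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.google.*") || shExpMatch(host, "*.bing.com") || shExpMatch(host, "*.yahoo.com"))
    return "PROXY proxy.example.invalid:8080";
  return "PROXY proxy.example.invalid:8080";
}"""
SAMPLE_CERTS = [
    "CN=Microsoft Root Certificate Authority 2011, O=Microsoft Corporation",
    "CN=DO_NOT_TRUST_FiddlerRoot, O=DO_NOT_TRUST",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_AUTOSTART, SAMPLE_PAC, SAMPLE_CERTS):
        print(f"[{f.source}] {f.detail}")
```

A corporate PAC that returns DIRECT for internal ranges and names no search engine produces no finding, so the heuristics do not fire on an ordinary proxy setup.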


Watson Is Getting Ready from IBM to Deal with Hackers
18.5.2016 Hacking

IBM has set its sights on hackers, bringing Watson (its computer brain) into the game with the help of eight prominent US universities
IBM's computer brain, Watson, is known for multitasking: it is already involved in fighting cancer, in cooking and in many other things. Right now, IBM's focus has turned to dealing with hackers, and a whole campaign has been prepared to educate Watson accordingly. Specifically, Watson for Cybersecurity is the new project launched by IBM, with eight universities participating to offer their knowledge to Watson. The target is, of course, cybercrime!

Since there is a lot to take in, the primary educational goal is to process about 15,000 documents on a monthly basis. All the documents will be related to cyber security, so as for Watson to develop a deep and thorough understanding of the terms used and the concepts involved. Even though the contribution of the universities is going to be crucial at first, eventually Watson will be properly educated towards processing everything on its own.


Apparently, in the long run the goal of IBM is to have a powerful ally that will handle a gigantic volume of data related to cyber security. As a result, Watson is going to be super-efficient in dealing with any threats emerging and coming up with the perfect solutions to all similar problems. Due to the fact that there are quite a few false positives in the alerts sent over to tech specialists, it is extremely difficult to address the threats and either classify them as serious or ignore them. Watson will be able to do that, unlike humans.

Instead of replacing the tech specialists, Watson is going to provide exceptional knowledge and invaluable help to them. With Watson handling the excessive quantities of data and the experts contributing their personal judgement, cyber security is expected to prove exquisitely effective! Rather than just blocking a threat, they will be able to prevent similar threats from coming up in the future. This is definitely precious, especially in the delicate environment of cyberspace.

Among the universities lending a helping hand in this ambitious, optimistic scheme, we find MIT (Massachusetts Institute of Technology), New York University and California State Polytechnic University Pomona. Good luck to IBM and its computer brain!


CSIRT warns of attacks on Ubiquiti units. A virus is mowing down Wi-Fi networks in the Czech Republic

17.5.2016 Source: Lupa.cz Viruses
Ubiquiti has recently received several reports of the airOS system being compromised on devices that have not been updated. It is estimated that thousands of users could be left without internet.
So viruses have reached the republic again. "It is HTTP/HTTPS malware that attacks mainly older devices without current firmware. The virus does not require authentication; it infects password-protected devices as well. It first attacks units with a public IP address and then spreads further into the network. According to current information, this virus has also affected the clients of several internet service providers in the Czech Republic," says the warning on the CSIRT website.

Ubiquiti is a brand of network hardware that is popular in the Czech Republic, especially among local providers. The network equipment retailer i4wifi also issued a warning yesterday, describing the symptoms of the attack and possible ways of resolving the situation, noting that in some cases the problem can be fixed remotely.

Analyst Pavel Bašta of the security team described the principle of the virus for ČTK: it resets the affected devices to their so-called default state. In doing so, it exploits a flaw in the web services that results in complete control over the device. This vulnerability should be fixed in firmware version 5.6.5.

According to estimates, the problem may affect thousands of users. The Czech Republic is a wireless superpower in Europe, mainly because of the sluggish approach of the then Český Telecom to the roll-out of ADSL. At the turn of the millennium, people therefore took fast internet access into their own hands, and small associations sprang up across the country that gradually turned into providers.

Another public-service medium joined the search for damage. According to Radiožurnál, the Jihlava company M-Soft, for example, is fighting the infection; its technicians have to personally visit 1,500 households. Other infected antennas are being repaired remotely. According to the company, the same problems exist in the Děčín and Náchod regions.

In recent days, however, providers in Havlíčkův Brod, Mnichovo Hradiště and Příbram have also reported problems. Older devices stopped working after being infected. The problems began on Saturday, and staff of the Havlíčkův Brod provider had to drive out to dozens of customers and reconfigure the devices.


Ukrainian Hacker Admits Stealing Corporate Press Releases for $30 Million Profit
17.5.2016 Hacking

A 28-year-old Ukrainian hacker has pleaded guilty in the United States to stealing unpublished news releases and using that non-public information in illegal trading to generate more than $30 Million (£20.8 Million) in illicit profits.
Vadym Iermolovych, 28, admitted Monday that he worked with two other Ukrainian hackers to hack into computer networks at PR Newswire, Marketwired and Business Wire, and steal 150,000 press releases to gain the advantage in the stock market.
The defendants then used nearly 800 of those stolen news releases to make trades before the publication of the information, exploiting a time gap ranging from hours to 3 days.
The trades would occur in "extremely short windows of time between when the hackers illegally accessed and shared the [news] releases and when the press releases were disseminated to the public by the Newswires, usually shortly after the close of the markets," said the Department of Justice in a press release.
Thirty-two people have been charged in connection with the global scheme to hack into services that distribute corporate news releases and then rapidly pass the stolen information to stock market traders in the US, resulting in more than $100 Million of profit.
The group hacked the computer networks of Marketwired LP, PR Newswire Association LLC, and Business Wire between February 2010 and August 2014 using phishing and SQL injection techniques, the Justice Department says.
The group traded on stolen information about companies including Align Technology, Caterpillar, Hewlett Packard, Home Depot, Panera Bread and Verisign.
Iermolovych was initially arrested in November 2014 on credit card fraud and computer hacking-related charges, the U.S. Attorney Paul Fishman in New Jersey said.
Iermolovych has pleaded guilty to three charges: conspiracy to commit computer hacking, conspiracy to commit wire fraud, and aggravated identity theft.
The other accused Ukrainian hackers include Oleksandr Ieremenko and Ivan Turchynov.
Iermolovych will be sentenced on August 22 in Newark, New Jersey and could face up to 20 years in jail.


GhostShell is back and exposed data from 32 companies hacked through Open FTP

17.5.2016 Hacking

GhostShell is back, it exposed data from 32 companies and launched a new campaign to punish negligent network administrators.
The popular hacker crew GhostShell is back and is launching a new campaign to sensitize administrators to the importance of a proper security posture, but he’s doing it in his own way.


GhostShell is a group of hacktivists most active in 2012 that targeted systems worldwide, the list of victims is long and includes the FBI, NASA, the Pentagon, and the Russian government.

Three years ago the group launched its last attack, and we had no news about the popular hackers after 2015, when Team GhostShell conducted a number of cyber attacks against various targets, including the Smithsonian photo contest website, The Church of Jesus Christ of Latter-day Saints, Socialblade, and the Exploratorium in San Francisco.

In March 2016, G.Razvan Eugen (24) claimed to be the founder of the popular collective Team GhostShell.

Now the dreaded collective is back and has leaked data from 32 companies whose system administrators left FTP directories open. In some cases, the GhostShell hackers exploited the poor FTP configuration as the entry point into the target networks and then moved laterally, compromising other systems.

GhostShell leaked dumped data online from the following 32 organizations:


The leaked data contains several types of information, including credit card details and username and email combinations, some with and some without encryption. Experts at the firm Risk Based Security who analyzed the leaked data found 1,181 unique email addresses from 521 different providers.

“The Light Hacktivism leak is a similar style and format as to what we have seen in the past from Razvan. It is comprised of data collected from 30 unique sites and contains varying types of data including credit card details, user name and email combinations some with and without encryption. All together, we have detected 1,181 unique email addresses from 521 different providers. A large portion of the affected sites appear to be data from educational institutions which have been open on the Internet for some time.” wrote RSB.

The hackers leaked the data online and left the following message on Pastebin; at the time I was writing this post it had already been removed by the administrator of the service.

“This is me raising awareness to the on-going open FTP directories that still plague the net even after all these decades. Despite warnings in the past about the dangers posed by leaving your ports open and unprotected, netizens small and large are still paying no attention to it effectively leaving their networks unprotected to even the newbies of this industry.

I’ve comprised a list of targets that range across the field, from government, educational, medical, industrial, retail, personal and many others. Since I wanted to be clear and taken seriously about this I have leaked some credit card information, however it is recently expired, however I am willing to prove more in private to any researcher out there that even CC/CCv is stored in plaintext on open ports. Medical data is also present but it has been censored, the sensitive stuff. Still, accounts – usernames, passwords are present. Personal identities, names, addresses, phone numbers etc. are also there.

Never underestimate the most simple vulnerabilities out there as they oftentimes end up being anyone’s downfall. Light Hacktivism is about finding and exposing those vulnerabilities to the public so that they can be patched.

Millions of people at risk every day due to sheer laziness and incompetence.”

It seems that the group intends to hit more targets, and their negligent admins, in the near future.

Stay Tuned …


Apple Patches DROWN, Lockscreen Bypass Vulnerability, With Latest Round of Updates

17.5.2016 Apple

Apple on Monday rolled out a series of patches for nearly all of its operating systems: OS X, iOS, its smartwatch operating system watchOS, and Apple TV’s tvOS, along with fixes for both iTunes and Safari.

OS X received the lion’s share of the updates, 67 in total, bringing Apple’s operating system El Capitan to version 10.11.5. Among the fixes, the OS X update finally resolves the DROWN vulnerability, first detailed back in March by a cooperative of 15 researchers. The vulnerability stems from a flaw in SSLv2 that relates to export-grade cryptography and could have let an attacker leak user information. Apple claims it fixed the issue by disabling SSLv2 in Tcl, an embeddable dynamic language interpreter.

Roughly 25 of the 67 OS X patches address vulnerabilities that could ultimately lead to code execution, including 19 issues that could let an application execute code with kernel privileges. Six more could result in either application termination or arbitrary code execution and primarily stem from flaws in graphics standards and frameworks such as SceneKit, QuickTime and OpenGL, and in libraries such as libxml2 and libxslt.

While most of the issues exist in Apple’s most recent operating system, El Capitan, 12 bugs were fixed in Mavericks 10.9.5 and 14 in Yosemite 10.10.5. The libxslt issue in particular, dug up by Sebastian Apelt, a researcher at the German pentesting firm Siberas, exists in all three operating systems. The vulnerability also affects iOS, tvOS and watchOS by extension, since the XSLT C library exists in each operating system. If an attacker tricked a user into visiting a malicious site, the vulnerability could lead to code execution.

The same 19 issues that could let an application execute code with kernel privileges in OS X also affect iOS and were fixed there on Monday. In addition, two issues in Messages, also present in OS X, were fixed: one that could have let an attacker modify a user’s contact list, and another that could have let attackers leak sensitive user information.

The iOS update also remedies a lockscreen bypass vulnerability that could have allowed access to contacts and photos. Spanish iPhone researcher Jose Rodriguez, a.k.a. videodebarraquito, has dug up a handful of lockscreen bypass bugs in the past and is credited by Apple with finding this particular vulnerability.

Apple also took the opportunity on Monday to patch a handful of issues in watchOS and tvOS, many of them the same bugs it patched in iOS and OS X. Just a single issue needed to be fixed in iTunes: a dynamic library loading issue that could have led to code execution.

Only seven vulnerabilities were addressed with this week’s Safari update, five that could lead to code execution and two that could lead to the leaking of data. The vulnerabilities could still easily make their way into attackers’ toolkits, however, experts claim. “Such vulnerabilities are hooks for phishers to use to bait users to visit malicious websites and compromise their systems,” warned Chris Goettl, director of product management at LANDESK. “If you have any doubt, make sure Safari is up to date quickly as the five arbitrary code vulnerabilities will undoubtedly be useful for targeting users,” Goettl said.

The updates come roughly two weeks after Apple’s last set of patches, when it fixed two issues in its development environment Xcode relating to its implementation of git.


Virus has infected thousands of routers in the Czech Republic, national security team warns

17.5.2016 Viruses
The national security team CSIRT.CZ warned on Tuesday about a new computer virus that is spreading across the Czech Republic like an avalanche. It targets routers exclusively: the gateways to the internet through which computer pirates then get into the whole computer network. Thousands of devices in the country are said to be infected.
The virus most often attacks devices that have not been updated. “It is HTTP/HTTPS malware that mainly attacks older devices without current firmware. The virus does not require authentication; it infects password-protected devices as well,” warned Pavel Bašta, security analyst at CSIRT.CZ, which is operated by the CZ.NIC association.

“According to current information, this virus has also affected the customers of several internet service providers in the Czech Republic,” Bašta added.

The Czech News Agency (ČTK) specified that infected devices have been reported, for example, in the Děčín and Náchod regions, but also in Havlíčkův Brod, Mnichovo Hradiště and Příbram. According to Radiožurnál, the biggest problems are at the company M-Soft from Jihlava, where technicians have to personally visit 1,500 households. Across the country there are thus thousands of infected routers.

How to tell whether a router is infected?
The problems apparently affect only users who receive their internet over Wi-Fi and have a router running airOS. People using, for example, cable connections or mobile operators’ services (modems with SIM cards) should not be at risk.

Users can tell that a router is infected, for example, when the internet connection from the connected computers stops working completely, or when an attempt to open a website displays a completely different site.

Exactly that happened in the past because of the vulnerability known as “rom-0”. Instead of servers such as Seznam.cz or Google.com, victims were shown a message saying that Flash Player had to be installed. Instead of Flash Player, another virus was downloaded onto the PC. The attackers thus suddenly had access not only to the router but also to the connected computer.

Attacks are becoming more frequent
Cybercriminals are targeting the gateways to the internet more and more often. They exploit the fact that users, especially at home, greatly underestimate the security of these devices; sometimes the same applies to companies. The March Cisco Annual Security Report showed that nine out of ten internet devices have weak spots.

The main problem, according to security experts, is that routers cannot be protected by antivirus programs the way computers can. Even so, users are not entirely defenceless. “The main way to prevent this threat is to upgrade the router’s firmware to the current version and not to use the often trivial default login name and password. It is also advisable to consider allowing login to the router only from the internal network, not from the internet,” Pavel Matějíček, technical support manager at Eset, said earlier.

Less experienced users should nevertheless not attempt to configure routers themselves. An inappropriate setting can do more harm than good; paradoxically, it can easily open a back door for attackers.


The Bundpil worm opens a back door into the system. Other viruses then flow through it

17.5.2016 Viruses
A dangerous worm, which security experts call Bundpil, spreads mainly via removable media. It is currently the most widespread threat worldwide and can create a back door in the computer for further malicious software, antivirus company ESET warned.
Bundpil spreads most often through all kinds of USB flash drives and external disks. “The worm contains a URL from which it tries to download several files onto the infected device. These are then installed and allow further malicious code to be downloaded onto the device,” said Petr Šnajdr, security expert at ESET.

In other words, thanks to Bundpil computer pirates can smuggle practically any other virus onto someone else’s computer. In theory, using these uninvited guests they can get at other users’ data or, for example, eavesdrop on ongoing communication, and thus easily capture login credentials for various services.

It spreads ransomware
The insidious worm is giving security experts an even bigger headache than the malicious code Nemucod, which ruled the ranking of the most widespread threats just a few weeks ago. Nemucod can do practically the same as Bundpil: it nests in the computer and can then download further uninvited guests.

Most often it downloads ransomware. “It currently downloads mainly various types of ransomware, for example the well-known TeslaCrypt or Locky. This malicious code then starts encrypting the contents of the computer and shows the user a notice that they must pay to have the computer decrypted,” Šnajdr warned earlier.

Nemucod is still the second most widespread virus in the world, but in April it did not spread as aggressively as the absolute king of the ranking, the Bundpil worm.

It attacks in the Czech Republic too
Users should also beware of the threat with the unwieldy name JS/Danger.ScriptAttachment. It entered the global top ten of the most widespread viruses for the very first time, yet it jumped straight to third place.

It is therefore clear that this threat is spreading unexpectedly fast.

It is a malicious file that spreads as an e-mail attachment and also opens a back door into the operating system. “In the Czech environment it is the most common threat; we identify it in more than a quarter of all cases,” Šnajdr explained.

The ten most widespread virus threats for the month of April
1. Win32/Bundpil
2. JS/TrojanDownloader.Nemucod
3. JS/Danger.ScriptAttachment
4. Win32/Agent.XWT
5. HTML/ScrInject
6. HTML/Refresh
7. Win32/Ramnit
8. LNK/Agent.CR
9. Win32/Sality
10. LNK/Agent.BZ


Motherfucker: a virus in Ubiquiti wireless devices (AirOS)
17.5.2016 Source: root.cz
Viruses

Devices running the AirOS operating system are at risk because of a serious security hole that allows the file system to be modified without knowing the login credentials. How can you defend yourself?
Five years ago the Skynet virus began to spread because of a security hole. You may remember the random rebooting of devices. A month ago a new security hole was described in all types of AirOS devices. It allows an attacker to upload any file anywhere in the file system of the Wi-Fi device without knowing the login credentials.

On Monday 16 May, firmware version 5.6.5, which fixes this bug, was finally released. How does the virus actually get into an unsecured device?

Infecting the device
Since the exploit allows a file to be uploaded anywhere in the file system, the virus uploads its SSH public key to the router (without any authentication). It also copies itself onto the device. It then logs in via SSH and installs itself: it unpacks its tar, writes itself into the rc.poststart file and into persistent memory. Then it reboots.

After the reboot
It unpacks itself from the tar again and runs the file mother. This “mother” sets up the firewall for HTTP/HTTPS, which is how you can recognize an infected device. It then initiates the download of the curl command and several libraries using wget. It needs curl in order to spread, and curl does not fit into persistent memory.

It then runs search and starts scanning the address space. If it finds a device that might be “airos”, it again tries to upload its public key via HTTP (HTTPS), then tries to log in to the device via SSH and install itself.

That is not all. The script stores the IP addresses of probably infected devices and, roughly once every 66,666 seconds (18.5 hours), tries to reset all of them to factory settings through the web interface; this is the fucker script. The reset succeeds only on devices that could not be infected properly and, of course, still have vulnerable firmware.

Furthermore, on the host device it starts a countdown of 666,666 seconds (7.5 days), after which it changes the ESSID to “motherfucker” and then shuts the device down. Details can be found on the ubnt forum.

How to defend yourself?
Above all, update to firmware 5.6.5! It is also a good idea to enable the firewall for HTTP or HTTPS, which can be set up in the device’s web interface. It is also possible to make the device listen on a port other than the default 80 or 443. More experienced users can of course use their own scripts on ubnt.

If you have already been infected, you can remove the virus manually via SSH:

# cd /etc/persistent/
# rm mf.tar
# rm rc.poststart
# rm -R .mf
# sed -i "/^mother/d" /etc/passwd
# cfgmtd -p /etc/ -w
# reboot
I hope you all manage to update before a Wi-Fi sign reading “motherfucker” covers our republic.
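The traces described above (mf.tar and the unpacked .mf directory in persistent storage, the rc.poststart hook, and the mother account) can be checked for without changing anything, which is useful before running the cleanup. The following POSIX sh function is an added example, not code from the root.cz article or the ubnt forum; it assumes the layout the cleanup commands imply (ROOT/etc/persistent, ROOT/etc/passwd), where ROOT is "/" on the device itself or a directory holding a copy of the device's /etc fetched with scp.

```shell
#!/bin/sh
# Added example, not code from the root.cz article. Read-only check for the
# traces the worm leaves in persistent storage. ROOT is "/" when run on the
# device, or a directory holding a copy of the device's /etc fetched with scp
# for offline inspection (assumed layout: $ROOT/etc/persistent/...).
# Prints each indicator found; returns 1 if any was found, 0 if the tree is clean.

airos_mf_check() {
    root="${1:-/}"
    found=0

    # The tarball and the unpacked .mf directory only exist on infected units.
    for f in etc/persistent/mf.tar etc/persistent/.mf; do
        if [ -e "$root/$f" ]; then
            echo "indicator: $root/$f present"
            found=1
        fi
    done

    # rc.poststart is also a legitimate hook for an admin's own scripts, so
    # its mere presence proves nothing; only references to the worm's files do.
    hook="$root/etc/persistent/rc.poststart"
    if [ -f "$hook" ] && grep -Eq '\.mf|mf\.tar' "$hook"; then
        echo "indicator: $hook references .mf/mf.tar"
        found=1
    fi

    # The installer adds a "mother" account; the article's cleanup deletes the
    # passwd line with sed "/^mother/d", so the same anchor is used here.
    if [ -f "$root/etc/passwd" ] && grep -q '^mother' "$root/etc/passwd"; then
        echo "indicator: account 'mother' in $root/etc/passwd"
        found=1
    fi

    return "$found"
}

# Stand-alone use: sh airos_mf_check.sh [ROOT]   (exit status 1 = indicators found)
if [ $# -gt 0 ]; then
    airos_mf_check "$1"
fi
```

A clean result only means these particular traces are absent; a device on vulnerable firmware should still be updated to 5.6.5.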


ATM infector
17.5.2016 Source: Kaspersky Virus

Seven years ago, in 2009, we saw a completely new type of attack on banks. Instead of infecting the computers of thousands of users worldwide, criminals went directly after the ATM itself – infecting it with malware called Skimer. Seven years later, our Global Research and Analysis Team together with Penetration Testing Team have been called on for an incident response. They discovered a new, improved, version of Skimer.

Virus style infections

Criminals often obscure their malware with packers to make analysis more difficult for researchers. The criminals behind Skimer did this too, using the commercially available packer Themida, which packs both the infector and the dropper.

Once the malware is executed it checks whether the file system is FAT32. If it is, it drops the file netmgr.dll in the folder C:\Windows\System32. If the file system is NTFS, the same file is placed in an NTFS data stream attached to the XFS service's executable file. Placing the file in an NTFS data stream is most likely done to make forensic analysis more difficult.

After successful installation, the sample patches the XFS executable (SpiService.exe) entry point, in order to add a LoadLibrary call to the dropped netmgr.dll file. This file is also protected by Themida.


Entry point in SpiService.exe before infection


Entry point in SpiService.exe after infection

After a successful installation the ATM is rebooted. The malicious library will be loaded into the SpiService.exe thanks to the new LoadLibrary call, providing it with full access to XFS.

Functionality

Unlike Tyupkin, where there was a magic code and a specific time frame where the malware was active, Skimer only wakes up when a magic card (specific Track 2 data, see IOCs at the bottom of this blogpost) is inserted. It is a smart way to implement access control to the malware’s functionality.

Once the magic card is inserted, the malware is ready to interact with two different types of cards, each with different functions:

Card type 1 – request commands through the interface
Card type 2 – execute the command hardcoded in the Track2
After the card is ejected, the user will be presented with a form, asking them to insert the session key in less than 60 seconds. Now the user is authenticated, and the malware will accept 21 different codes for setting its activity. These codes should be entered from the pin pad.

Below is a list of the most important features:

Show installation details;
Dispense money – 40 notes from the specified cassette;
Start collecting the details of inserted cards;
Print collected card details;
Self delete;
Debug mode;
Update (the updated malware code is embedded on the card).
During its activity, the malware also creates the following files or NTFS streams (depending on the file system type). These files are used by the malware at different stages of its activity, such as storing the configuration, storing skimmed card data and logging its activity:

C:\Windows\Temp\attrib1: card data collected from network traffic or from the card reader;
C:\Windows\Temp\attrib4: logs data from different APIs responsible for the communication with the keyboard (effectively logging data such as the PIN);
C:\Windows\Temp\mk32: same as attrib4;
C:\Windows\Temp:attrib1: same as the file of the same name;
C:\Windows\Temp:attrib4: same as the file of the same name;
C:\Windows\Temp:mk32: same as the file of the same name;
C:\Windows\Temp:opt: logs the mule's activity.

Main window

The following video details the scenario on how money mules interact with an infected ATM as described above.

Conclusions

During our recent Incident Response cases related to the abuse of ATMs, we have identified Tyupkin, Carbanak and black box attacks. The evolution of Backdoor.Win32.Skimer demonstrates the attackers' interest in these malware families, as ATMs are a very convenient cash-out mechanism for criminals.

One important detail to note about this case is the hardcoded information in the Track2 – the malware waits for this to be inserted into the ATM in order to activate. Banks may be able to proactively look for these card numbers inside their processing systems, and detect potentially infected ATMs, money mules, or block attempts to activate the malware.

We also recommend regular AV scans, the use of whitelisting technologies, a good device management policy, full disk encryption, the protection of ATM BIOS with a password, only allowing HDD booting, and isolating the ATM network from any other internal bank networks.

Kaspersky Lab has now identified 49 modifications of this malware, with 37 of these modifications targeting ATMs made by just one manufacturer. The most recent version was discovered at the beginning of May 2016.

All samples described are detected by Kaspersky Lab as Backdoor.Win32.Skimer. Patched SpiService.exe files are detected as Trojan.Win32.Patched.rb.

As this is still an ongoing investigation, we have already shared the full report with different LEAs, CERTs, financial institutions and Kaspersky Lab Threat Intelligence-Service customers. For more information please contact intelreports@kaspersky.com

Appendix I. Indicators of Compromise

Hashes


Filenames

C:\Windows\Temp\attrib1
C:\Windows\Temp\attrib4
C:\Windows\Temp\mk32
C:\Windows\Temp:attrib1
C:\Windows\Temp:attrib4
C:\Windows\Temp:mk32
C:\Windows\Temp:opt
C:\Windows\System32\netmgr.dll

Track 2 data

******446987512*=********************
******548965875*=********************
******487470138*=********************
******487470139*=********************
******000000000*=********************
******602207482*=********************
******518134828*=********************
******650680551*=********************
******466513969*=********************


Bug in Symantec’s anti-virus engine can lead to system compromise

17.5.2016 Vulnerability

Google Project Zero researcher Tavis Ormandy has unearthed a critical remote code execution vulnerability in the anti-virus engine powering Symantec’s endpoint security products (including Norton-branded ones).

The flaw (CVE-2016-2208) has been responsibly disclosed to the company, which released a new version of its Anti-Virus Engine (v20151.1.1.4) with the fix incorporated. It will be delivered to customers via LiveUpdate along with the usual definition and signature updates, Symantec reassured.

In the security advisory accompanying the security update, Symantec noted twice that “the most common symptom of successful exploitation resulted in an immediate system crash,” aka the “Blue Screen of Death.”


There’s more to it, though.

“On Linux, Mac and other UNIX platforms, this results in a remote heap overflow as root in the Symantec or Norton process. On Windows, this results in kernel memory corruption, as the scan engine is loaded into the kernel (wtf!!!), making this a remote ring0 memory corruption vulnerability – this is about as bad as it can possibly get,” Ormandy explained.

“On Windows with Symantec Endpoint Antivirus, this vulnerability permits code execution as NT AUTHORITY\SYSTEM in the ccSvcHost.exe process. On Norton Antivirus for Windows, this code is loaded into the kernel and results in kernel pool corruption.”

The flaw can be triggered without any user interaction. It is enough that the user receives a file with a malformed portable-executable (PE) header via email or downloads it (intentionally or unintentionally) from a website: Symantec software will start scanning it for malware and trigger the bug.

There is no indication that the flaw is currently being exploited in the wild.

Ormandy said that aside from this Anti-Virus Engine bug, he discovered and notified the company about other (seven or eight) critical RCE vulnerabilities in their products. To fix these, users will have to download a patch (when one is made available).


The blackmarket Silk Road 3.0 emerged from the Dark Web

17.5.2016 Crime

The administrator of Crypto Market launched Silk Road 3.0, the fourth iteration of the popular black market (Silk Road, Silk Road 2.0, Silk Road Reloaded).
We all know that Silk Road was one of the largest black marketplaces in the criminal underground, but many are unaware that someone is still running the fourth iteration of the popular black market (the previous ones being Silk Road, Silk Road 2.0 and Silk Road Reloaded): Silk Road 3.0.

It was announced recently on Reddit and other crime forums, and it is being managed by the administrator of the Crypto Market black market.


Access to the Silk Road 3.0 black market is very easy: registration is open, and it is easy to see that the number of illegal goods offered for sale is growing day by day.

Silk Road first appeared online back in February 2011 and operated until the FBI seized it and arrested its main operator, Ross Ulbricht, who has since been sentenced to life in prison. A second iteration, Silk Road 2.0, appeared on the dark web a few months after the seizure of the original black market, but US law enforcement immediately shut it down and arrested Blake “Defcon” Benthall, the alleged operator of the popular underground black market.

In January 2015, a third incarnation of the black market, dubbed Silk Road Reloaded, appeared on the dark web. It implemented new anonymizing features, including I2P connectivity and the possibility to pay for goods with several virtual currencies, including Bitcoin, Darkcoin, Dogecoin and Anoncoin.

That marketplace closed very soon because it was not able to attract users.

What will happen to the newborn market?

Difficult to say. The evolution of the Silk Road brand in recent years suggests that it could be another commercial failure. Many experts consider the Silk Road saga ended, and this new black market is not related to the original one, but we cannot ignore the association with Crypto Market, which is considered a reliable market in the criminal community.

The onion address for the Silk Road 3.0 is


The popular crime forum Nulled.io pwned by hackers
17.5.2016 Hacking

The popular crime forum Nulled.io has suffered a serious security breach that exposed the personal details of more than 500K users and their activities.
Nulled.io is a popular crime forum with roughly 500,000 users who buy and sell all kinds of products and services and share information about illegal practices.

According to Risk Based Security, last week the Nulled.io forum suffered a security breach that exposed details of its members and more than 800,000 personal messages exchanged by the users of the hacker forum.

“Last week a well known “hacker” forum became victim to the fast growing list of over 1,076 data breaches that have occurred so far in 2016. The Nulled.IO forum was compromised and data was leaked on May 6th consisting of a 1.3GB tar.gz compressed archive which when expanded is a 9.45GB SQL file named db.sql.” reported Risk Based Security.

On May 6, the attackers leaked a 1.3Gb compressed archive containing a 9.45Gb database that included the details of more than 536,000 user accounts (usernames, hashed passwords, registration dates, email addresses, and IP addresses).

The popular cyber security expert Troy Hunt has already added the stolen account credentials to the Have I Been Pwned service.

Have I been pwned? (@haveibeenpwned), 9 May 2016: “New breach: Nulled cracking forum had 599k email addresses exposed last week. 25% were already in @haveibeenpwned https://haveibeenpwned.com/”
The hackers also leaked thousands of purchase records and invoices.

“If law enforcement obtains this information, (which no doubt they already have) it can be used to filter out any “suspects” under investigation for possibly conducting illegal activities via the forums. With this being such a comprehensive dump of data it offers up a very good set of information for matching a member ID to the attached invoices, transactions and other content such as member messages and posts.” continues the post.

The experts that analyzed the archive noticed the presence of a table containing personal details of VIP users.

The archive includes detailed information about transactions completed by VIP users, including their PayPal email addresses.

“Further we find API credentials for 3 payment gateways (Paypal, Bitcoin, Paymentwall) as well as 907,162 authentication logs with geolocation data, member id and ip addresses, and 256 user donation records that are able to be matched to the user with member id.” continues the post.

The experts from Risk Based Security found several email addresses belonging to governments across the world, including the United States, Jordan and Brazil.

At the time I was writing, it was still unknown who is behind the attack or how the hackers breached the Nulled.io crime forum, which is powered by the IP.Board forum framework. Experts speculate that the attackers might have exploited a flaw in the IP.Board forum software.

Experts at Sucuri reported multiple attacks against IP.Board forums leveraging on the ImageMagick flaw.

Daniel Cid (@danielcid), 9 May 2016: “In addition to vBulletin, seeing a few #ImageTragick attempts against "app=members&module=profile&section=photo&do=save" on IP.Board”
Daniel Cid, founder and CTO of Web security firm Sucuri, noted last week that IP.Board forums had been targeted in attacks exploiting a recently disclosed ImageMagick flaw.

Currently the Nulled.io crime forum is down.

Nulled io data breach


Redirector.Paco, a Million-Machine Clickfraud Botnet

17.5.2016 BotNet

According to the experts at Bitdefender, an HTTPS-hijacking click-fraud botnet dubbed Redirector.Paco has infected almost 1 million devices so far.
Security experts at Bitdefender spotted a new click-fraud botnet, dubbed Redirector.Paco, that has been around at least since September 2014 and has already infected more than 900,000 devices over the years.

The crooks behind Redirector.Paco aimed to create a clickbot able to redirect all traffic generated when using a search engine (i.e. Google, Yahoo or Bing) and to replace the legitimate results with others chosen by the attackers, in order to earn money from the AdSense program.

“To redirect the traffic the malware performs a few simple registry tweaks. It modifies the “AutoConfigURL” and “AutoConfigProxy” values from the “Internet Settings” registry key so that for every request that a user makes, a PAC (Proxy auto-config) file will be queried. This file tells the browser to redirect the traffic to a different address.” states a blog post from BitDefender.

The experts highlighted the existence of some indicators that could be associated with the fraudulent activity of the botnet, including:

Displaying messages like “Waiting for proxy tunnel” or “Downloading proxy script” in the status bar of the browser.
Long page loading time for Google page.
Missing “o” characters above the number of search result pages.
The threat actors behind the Redirector.Paco botnet used to deliver the malware by bundling it with installers for benign applications, such as WinRAR and YouTube Downloader.

In one of the attacks spotted by the experts at Bitdefender, the installers dropped JavaScript files that modify the “Internet Settings” registry key in order to change the behavior of the web browser and force it into using a proxy auto-configuration (PAC) file created by the attacker to provide fake search results. The attackers also rely on a root certificate so that any connection that goes through the server specified in the PAC file looks private without raising suspicion.

“As shown, any request to any page that starts with https://www.google or https://cse.google will be redirected to the IP 93.*.*.240 on port 8484. However, at this point, since the requests are made on the HTTPS protocol, they will be accompanied by a warning that alerts the user that there is a problem with the certificate.” continues the post. “Update.txt downloads and installs a root certificate so that any connection that goes through the server specified in the PAC file looks private.”

The experts also spotted a variant of the Redirector.Paco botnet that relies on a .NET component that modifies search results locally by setting up a local server without redirecting traffic to an external server.

Most infected devices are located in India, but the experts also observed infections in the United States, Malaysia, Greece, Italy, Brazil and several African countries.

Redirector.Paco botnet infections


Google to Face a Record $3.4 Billion AntiTrust Fine in Europe
16.5.2016 IT
Google faces a record anti-trust penalty of about 3 BILLION Euros (US$3.4 Billion) from the European Commission in the coming days, according to reports.
After a seven-year investigation, the European Commission filed antitrust charges against Google last year for violating antitrust laws.
The European Union accused the search engine giant of abusing its dominance in search by unfairly prioritizing and displaying its own comparison shopping service at the top of its search results at the expense of rival products.
The British newspaper The Sunday Telegraph reports that the European Union is currently preparing a fine of about 3 Billion Euros ($3.4 billion), which is almost triple the amount (1.06 Billion Euros) that Intel was levied several years ago for violating antitrust law.
According to the newspaper's sources, the EU officials, led by Margrethe Vestager, are planning to openly announce the fine against Google as early as next month, although the exact figure of the fine has yet to be finalized.
Reportedly, the European Commission regulators can impose a maximum penalty of up to 10 percent of the company's annual sales, which, in the case of Google, is possibly more than 6.6 Billion Euros.
Not just fine, but Google will also be banned from manipulating its search results in the region so that it does not continue to favor its homebrew products.
In a separate antitrust case, Google has also been accused of abusing its dominant position in the smartphone industry with Android by pre-installing its own apps, like Google Search, Chrome, YouTube, Gmail as default apps, making it harder for other companies to compete.
"Anyone can use Android with or without Google applications. Hardware manufacturers and carriers can decide how to use Android and consumers have the last word about which apps they want to use," Google spokesperson says.
The EU is also looking into the transparency of paid reviews and the conditions of use of services like Google Maps and Apple's iOS mobile operating system.


The Lucrative But Vulnerable Gaming Industry is Ripe For Cyberattacks
16.5.2016 Vulnerability
As the gaming industry continues to become a more lucrative market, it has also increasingly become more attractive to cybercriminals.

These cyber attackers are employing the same tactics used to hack online banks and retailers.

The reader may recall late last year when Steam, one of the world’s largest online video game platforms, publicly admitted that 77,000 of its gamer accounts are hacked every month. It was the first time a major video game company acknowledged itself as a cybercrime target.

Kaspersky Lab researcher Santiago Pontiroli launched an investigation into how many gamers are being exploited by cybercriminals. Pontiroli and his team uncovered the existence of a new type of malware developed specifically to hack Steam accounts. The “Steam Stealer” is able to bypass the Steam client’s built-in multifactor authentication (MFA) protocols, which enables hackers to gain the access necessary to compromise the integrity of a player’s account.

Cyber threats are significantly underreported, though the video game industry is, according to Dark Reading, “as big, if not bigger, than any industry in the world. Of the 1.2 billion video game players worldwide, nearly 700 million of them play online. For the video game industry, providing entertainment for one seventh of the world’s populace equates to revenues of more than $86.8 billion annually. This is nearly double the amount of the film industry, yet the Sony Pictures hack was covered for months. For financially motivated hackers, and fraudsters, there is perhaps no bigger opportunity to profit than the video game industry provides.”

Online video games are indeed vulnerable to attacks. Unfortunately, the video game industry is still largely in denial over the fact that it is a systemic problem. Dark Reading reports:

“In-video game attacks occur when a player’s account is hijacked using readily available malware that enables man-in-the-middle exploits, keylogging, remote access, and other hacks. Once inside, cyber criminals can steal player credentials, gain access to a player’s game account, transfer in-game assets to other accounts, and sell those assets on the ‘grey market,’ an unauthorized, but not necessarily illegal place that is used to sell virtual items and currency for real money.”

Additionally, the emergence of a ‘grey market’ is perhaps the most significant unintended consequence of video games moving online. The demand for virtual items is massive and many people strive to gain virtual items through regular game play and then sell them for real money. Known as ‘gold farming,’ it is so rampant and profitable that in a World Bank report it is estimated that it generates $3 billion a year for people in developing countries.

Now, because the demand for virtual items is so high, gold farmers have automated their operations and are able to run hundreds or thousands of bots to speed up the accumulation process. This has flooded the online gaming economies and has caused publishers to lose as much as 40 percent of in-game revenue per month, not to mention the reputational damage done to the businesses.

Video games are attractive targets for hackers longing for better scores, more money and notoriety. But, hackers are also fixated on game services.

Companies in the Gaming industry may not appear to be a prime target for cybercriminals, but consider the fact that one of the biggest hacks of all time, of Sony’s PlayStation Network in 2011, resulted in 77 million account holder details being compromised. Twelve thousand credit card details were also leaked, and the company’s stock price crashed overnight.


Currently, the following are the most common ways attackers are targeting the businesses in the gaming industry and their users:

DDoS attacks to cause disruption – Denial-of-service (DoS) or distributed denial of service (DDoS) attacks are frequently used by hackers to shut down a website or web service. It’s done by basically flooding the recipient’s web server with too much traffic, which forces the server to ‘fall over’ and the service to go offline. According to WeLiveSecurity, “a number of so-called hacktivism groups, including ‘Lizard Squad’, have used DDoS attacks in the past, including on gaming sites. Perhaps most famously, the Lizard Squad knocked Sony’s PlayStation Network and Microsoft’s Xbox Live offline last Christmas Day, causing thousands of gamers to be unable to access both services.”
Spoofed websites for grabbing credentials and more – In these cases, malware is served up to unsuspecting users by way of fake websites designed to steal from them.
Stealing money with ransomware and scareware – In March 2015, it was discovered that cybercriminals were infecting gamers’ machines with ransomware. This caused users to be unable to continue playing their games until they paid a Bitcoin ransom.
Brute force attacks and keyloggers to spy on passwords – Log-in usernames and passwords are always sought after by cyber criminals–irrespective of what sector the victim’s business is in. And, gaming sites are no exception, as Sony, Ubisoft and others know well.
Utilizing social engineering to achieve all of the above – Attackers are employing social engineering techniques, such as phishing, to find and attack their victims. “For instance, perhaps he would look you up on Twitter or Facebook before sending targeted spear phishing emails directing you to a spoofed website. Or maybe the same email would be sent with a weaponised document containing malicious code,” WeLiveSecurity explains.
Currently, online video game cybersecurity is focused on protecting and monitoring the login and monetary transaction processes. Unfortunately, that’s the same plan used by banks–and anyone who has been watching the news knows how ineffective that strategy has been. It has cost the banking industry billions of dollars over time. Online gaming also depends on MFA to protect the login process, but this safeguard is no match for the widely available keylogging and screen-scrape technology. Then too, device reputation technology is vulnerable to man-in-the-middle hacks. And, rules-based security is deeply flawed.

So, it is expected that large-scale attacks will continue to occur until the video game industry wakes up and begins tightening up on cybersecurity. Cyber criminals aren’t going to stop until they’re stopped.


CVE-2016-4117 – FireEye revealed the exploit chain of recent attacks
16.5.2016 Exploit

FireEye researcher Genwei Jiang has revealed the exploit chain behind phishing attacks that leveraged the CVE-2016-4117 flaw recently fixed by Adobe.
Security experts at FireEye recently spotted an attack leveraging an Adobe zero-day vulnerability (CVE-2016-4117) that has since been patched.

The CVE-2016-4117 flaw affects older versions of Adobe Flash Player. A few days ago the company was informed of a new zero-day vulnerability in Flash Player that was being exploited in attacks in the wild. Adobe announced the fix for CVE-2016-4117 on May 12 and confirmed that the flaw affects Windows, Mac OS X, Linux and Chrome OS.

Adobe rated the vulnerability as critical. The issue was discovered by FireEye security expert Genwei Jiang, who also confirmed that it was being used in targeted attacks.

“A critical vulnerability (CVE-2016-4117) exists in Adobe Flash Player 21.0.0.226 and earlier versions for Windows, Macintosh, Linux, and Chrome OS. Successful exploitation could cause a crash and potentially allow an attacker to take control of the affected system.” reads the advisory published by Adobe.

“Adobe is aware of a report that an exploit for CVE-2016-4117 exists in the wild. Adobe will address this vulnerability in our monthly security update, which will be available as early as May 12. For the latest information, users may monitor the Adobe Product Security Incident Response Team blog.”

After the flaw was fixed, Genwei Jiang revealed the details of the previously undisclosed phishing attacks he reported to Adobe.

The experts explained that the threat actors used phishing links and files to compromise Windows systems running Flash Player and Microsoft Office.

They embedded the Flash exploit inside a Microsoft Office document, which they then hosted on a web server under their control, and used a Dynamic DNS (DDNS) domain to reference both the document and the malicious payload.

When a victim opens the malicious document, the exploit downloads and executes the payload hosted on the crooks’ server. To avoid suspicion and keep the attack stealthy, the threat actors then display a decoy document to the victim.

“On May 8, 2016, FireEye detected an attack exploiting a previously unknown vulnerability in Adobe Flash Player (CVE-2016-4117) and reported the issue to the Adobe Product Security Incident Response Team (PSIRT). Adobe released a patch for the vulnerability in APSB16-15 just four days later.” reads a blog post published by FireEye.

“Attackers had embedded the Flash exploit inside a Microsoft Office document, which they then hosted on their web server, and used a Dynamic DNS (DDNS) domain to reference the document and payload. With this configuration, the attackers could disseminate their exploit via URL or email attachment. Although this vulnerability resides within Adobe Flash Player, threat actors designed this particular attack for a target running Windows and Microsoft Office.”

The post published by FireEye details the attack that proceeds as follows:

The victim opens the malicious Office document.
The Office document renders an embedded Flash file.
If the Flash Player version is older than 21.0.0.196, the attack aborts.
Otherwise, the attack runs the encoded Flash exploit.
The exploit runs embedded native shellcode.
The shellcode downloads and executes a second shellcode from the attacker’s server.
The second shellcode:
Downloads and executes malware.
Downloads and displays a decoy document.
The malware connects to a second server for command and control (C2) and waits for further instructions.
Experts are warning about a possible spike in the attacks exploiting this flaw that was recently fixed.

Users should install the latest Adobe patch as soon as possible, and FireEye suggests employing additional mitigations, such as Microsoft EMET, to block exploit attempts.
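As an added triage example (not code from the article, FireEye or Adobe), the helper below applies the two version facts above to a host inventory: Adobe lists 21.0.0.226 and earlier as vulnerable, while FireEye notes the observed exploit aborts on builds older than 21.0.0.196. Host names and version strings are constructed sample data.

```python
# Added triage helper (not code from the article, FireEye or Adobe).
# Two facts from the article drive the logic:
#   - Adobe's advisory: Flash Player 21.0.0.226 and earlier are vulnerable.
#   - FireEye's chain: the in-the-wild exploit aborts on builds older than
#     21.0.0.196, so such hosts are still vulnerable to the flaw but are not
#     hit by this particular sample.
# Host names and version strings below are constructed sample data.
from typing import Dict, List, Tuple

LAST_VULNERABLE = (21, 0, 0, 226)  # highest build named as vulnerable by Adobe
EXPLOIT_MIN = (21, 0, 0, 196)      # lowest build the observed exploit runs on

PATCHED = "patched"
TARGETED = "vulnerable-targeted"      # flaw present and exploit runs
UNTARGETED = "vulnerable-untargeted"  # flaw present but this exploit aborts


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted Flash build string such as '21.0.0.213' into a tuple.

    Missing trailing components are padded with zeros so that '21.0' compares
    like '21.0.0.0'; anything non-numeric is rejected rather than guessed.
    """
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * max(0, 4 - len(nums))


def triage(version_text: str) -> str:
    """Classify one Flash Player build against the CVE-2016-4117 window."""
    version = parse_version(version_text)
    if version > LAST_VULNERABLE:
        return PATCHED
    if version >= EXPLOIT_MIN:
        return TARGETED
    return UNTARGETED


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group hosts by status; hosts with unparsable versions go under 'unknown'."""
    groups: Dict[str, List[str]] = {
        PATCHED: [], TARGETED: [], UNTARGETED: [], "unknown": []
    }
    for host, version_text in sorted(inventory.items()):
        try:
            groups[triage(version_text)].append(host)
        except ValueError:
            groups["unknown"].append(host)
    return groups


if __name__ == "__main__":
    # Constructed sample inventory (host -> reported Flash Player build).
    sample = {
        "ws-01": "21.0.0.213",  # inside the exploit window
        "ws-02": "21.0.0.226",  # last vulnerable build, still targeted
        "ws-03": "21.0.0.182",  # vulnerable, but this sample aborts here
        "ws-04": "22.0.0.1",    # newer than 21.0.0.226, treated as patched
        "ws-05": "n/a",         # no Flash build reported
    }
    for status, hosts in triage_inventory(sample).items():
        print(f"{status:22s} {', '.join(hosts) or '-'}")
```

Hosts in the "vulnerable-untargeted" group still need the patch; the distinction only tells you which machines this particular sample would have run on.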


Experts also cracked the CryptXXX ransomware 2.0
16.5.2016 Virus

Security Experts at Kaspersky have updated their decryption tool to adapt to the second version of CryptXXX ransomware in the RannohDecryptor 1.9.1.0.
A couple of hours ago I published an interesting post that summarizes the ransomware activities of the last week, and unfortunately this kind of malware is becoming even more popular in the criminal underground.

A few weeks ago a new threat appeared in the wild: the CryptXXX ransomware, first spotted by experts from Proofpoint in April. Researchers at Proofpoint discovered a number of compromised websites hosting the Angler exploit kit, which crooks abused to serve the CryptXXX ransomware and infect Windows machines.

The CryptXXX ransomware has the ability to encrypt local files and any other document present on every connected data storage a short time after the PC has been infected. The threat also steals Bitcoins from the victim’s machines.

The malware authors use this delay to make it harder for victims to identify the malicious website used to compromise their machines.

The files are encrypted with RSA4096 encryption and the CryptXXX ransomware demands the payment of a $500 ransom in bitcoins for decrypting the data back. Like other ransomware, CryptXXX instructs victims about the payment process, it drops an image on the desktop containing the instructions to download the Tor browser and access an Onion service containing the instructions.


In April, experts at Kaspersky cracked the CryptXXX ransomware and released the RannohDecryptor utility, that was initially designed to recover files encrypted by the Rannoh ransomware.

A few days ago, researchers from Proofpoint discovered that the CryptXXX ransomware had evolved, making the RannohDecryptor ineffective.

In response, the experts from Kaspersky Lab updated the decryption tool to defeat the second variant of the CryptXXX ransomware, releasing RannohDecryptor version 1.9.1.0.

Victims of the new strain of the CryptXXX ransomware don’t need original copies of their files to decrypt them.

Below some notes published by the experts:

1. We support decryption of about 40 popular file formats, including documents, archives, images, etc. Unfortunately, there is no possibility to decrypt any arbitrary file format.

2. Decryption may take some time. Generally, the 1st file gets decrypted within several minutes, and all subsequent files in a matter of seconds (each). In the worst case every file will take several minutes. The utility notifies the user prior to start with the following message:

3. Original copy is not needed for Cryptxxx v2.

While this tool will help those infected decrypt their .crypt files, we know that criminals will always look to evolve to stop workarounds from good guys in cybersecurity. It is an unfortunate reality in the current world we live in. But fear not, we won’t rest and will stay vigilant to protect you.


ATM Skimming attacks are skyrocketing
16.5.2016 Crime

Security and fraud experts are observing a significant increase in the number of ATM skimming attacks across the world. It’s an emergency!
Security and fraud experts are observing a significant increase in the number of cyber attacks against the ATMs, in particular, skimming attacks. The popular investigator Brian Krebs recently published an interesting post that warns about an alarming increase of skimming attacks for both American and European banks.

“Skimming attacks on ATMs increased at an alarming rate last year for both American and European banks and their customers, according to recent stats collected by fraud trackers.” wrote Krebs. “The trend appears to be continuing into 2016, with outbreaks of skimming activity visiting a much broader swath of the United States than in years past.”

The FICO Card Alert Service has issued several warnings about spikes in ATM skimming attacks.

On April 8, FICO noted that its fraud-tracking service recorded a 546 percent increase in ATM skimming attacks from 2014 to 2015.

“The number of ATMs in the US compromised by criminals rose 546 percent in 2015 over 2014, analytic software firm FICO reported today. The number of ATM compromises in 2015 was the highest ever recorded by the FICO® Card Alert Service, which monitors hundreds of thousands of ATMs in the US. Criminal activity was highest at non-bank ATMs, such as those in convenience stores, where 10 times as many machines were compromised as in 2014. FICO first reported on the sharp growth in ATM fraud on its blog last May.” states the note.

FICO highlighted that the ATM attacks were taking place over fewer days, and experts are worried by this quick-hit approach to ATM fraud.

“Criminals are taking a quick-hit approach to ATM theft and card fraud,” said TJ Horan, vice president of fraud solutions at FICO. “They are moving faster to make it harder for banks to react and shut down the compromises. They are targeting non-bank ATMs, which are more vulnerable — in 2015, non-bank ATMs accounted for 60 percent of all compromises, up from 39 percent in 2014.”

In the US, the last wave of ATM skimming attacks was spread out across the entire territory.

In February, the ATM maker NCR issued a warning about ATM skimming attacks that involved hidden cameras, skimming devices plugged into the ATM network cables to steal customer card data, and keypad overlays.

The company observed a number of attacks targeting NCR and Diebold ATMs leveraging the use of external skimming devices that crooks use to hijack the phone or Internet jack.

“These devices are plugged into the ATM network cables and intercept customer card data. Additional devices are attached to the ATM to capture the PIN,” reads the alert issued by NCR. “A keyboard overlay was used to attack an NCR ATM, a concealed camera was used on the Diebold ATM. PIN data is then likely transmitted wirelessly to the skimming device.”

(Images of ATM skimming devices; source: Brian Krebs’s website)

The situation is worrisome; some financial institutions have preferred to shut down their ATMs in order to curb the fraudulent activity.

Unfortunately, the number of ATM skimming attacks is increasing also in Europe as confirmed by the data shared by the European ATM Security Team (EAST). This kind of fraudulent activity has increased by 19% from 2014 to 2015.

“During 2015 total losses of 327.48 million euros were reported,” EAST wrote. “This is a 17% increase when compared to the total losses of 279.86 million euros reported for 2014 and equates to losses of 884,069 euros per 1000 ATMs over the period.”

Experts suggest bank customers cover the keypad with their hand while entering a PIN, to foil ATM attacks that rely on hidden cameras to capture the PIN.

The Verizon Data Breach Investigations Report confirmed that over 90 percent of the skimmer-related breaches last year involved a tiny hidden camera.

“Payment card skimming remains one of the most lucrative and easy to pull off crimes, both for organized criminals and the occasional independent pilferer (he’s just a poor boy, from a poor family)” states the Verizon Report.

“The physical action of ‘surveillance’ was selected in over 90% of cases—this is due to the installation of pinhole cameras designed to capture PIN codes on the devices in question.”

Experts have no doubts: ATM skimming attacks are the easiest way to gather payment card data, and the most exposed machines are the peripheral ones located at gas stations and malls.


Hacker claims to have full access to Pornhub and already sold it
16.5.2016 Hacking

A 19-year-old hacker who goes by the name Revolver claims to have breached a Pornhub server and to have already sold the access for $1,000.
It happened over the weekend: a researcher using the 1x0123 Twitter account announced the availability of shell access to a subdomain on Pornhub and offered it for $1,000.

The figure is obviously ridiculous when you consider the high traffic the server handles daily, more than 2.1 million visits per hour.

1x0123 (@1x0123) tweeted on 15 May 2016 at 1:08 AM:
“#pornhub command injection + shell on subdomain + src for sale
xmpp : revolver@rows.io”
To prove access to the Pornhub platform, 1x0123 posted a couple of pictures on Twitter. The researcher explained that he had compromised the server by uploading a shell through a flaw in the mechanism used to upload the user profile picture.

Once the shell is uploaded on the server it is possible to have full control over the environment.


Salted Hash reached 1x0123, who confirmed that he had sold access to three people.

“2 guys with shell, 1 guy for a command injection script,” he told Salted Hash.

“Pornhub contacted Revolver for more information. He offered to share those details, and help patch the vulnerability that allowed such access, for total cost of $5,000 USD. It isn’t clear if the adult entertainment giant agreed to those terms.” states Salted Hash.

1x0123 hasn’t provided further information on the hack; he only stated that the vulnerability affecting the user profile isn’t the recently disclosed ImageMagick flaw.

A Pornhub spokesperson confirmed the presence of the shell that appears to be on a non-production server and confirmed the company is currently investigating the issue.

1x0123 is known in the security industry: in April he offered similar access to the LA Times website after exploiting a vulnerability in the Advanced XML Reader WordPress plugin.

During the same period, he revealed to have found an SQL injection flaw on one of the servers of Mossack Fonseca (a custom online payment system called Orion House).

In March, he designed a website called VNC Roulette that displayed screenshots of random hackable computers.

On April 10, 2016, Edward Snowden publicly thanked 1x0123 for reporting a vulnerability in Piwik to the Freedom of the Press Foundation.

On May 9, Pornhub announced a bounty program through HackerOne with a maximum bounty set at $25K.

“The public launch of Pornhub’s Bug Bounty Program follows a private, invite-only beta program that the adult entertainment site ran last year, which compensated participants for helping to identify and fix about two dozen bugs. ” states the announcement.

Unfortunately for Pornhub, 1x0123 has a low opinion of the bounty program, as he confirmed in the following statement published on Twitter.

“i don’t report vulnerabilities anymore go underground or go away ” reads the Tweet.


OpIcarus: Anonymous crusade against the sick banking industry
15.5.2016 Hacking

Anonymous, alongside the BannedOffline and Ghost Squad crews, is resuming OpIcarus, targeting banking websites around the world.
Hackers of the Anonymous collective, alongside Ghost Squad and BannedOffline, continued their attacks on banks worldwide under the campaign named OpIcarus.

Operation OpIcarus was resumed in March 2016; both Anonymous and Ghost Squad launched several attacks on financial institutions worldwide, including the Bank of Greece, HSBC, the Bank of England, the Dutch Central Bank, the Central Bank of Bosnia and Herzegovina, the Central Bank of Cyprus, the Central Bank of Guernsey, the Maldives Monetary Authority (the central bank and banking regulator) and Turkish banks.

After a temporary suspension of the attacks, the hacktivists are back and have hit the websites of banks in South Korea, Jordan, Montenegro and Monaco.

“OpIcarus will continue,” announced Anonymous

The hackers launched a series of DDoS attacks that shut down the websites of the Central Bank of Jordan, the central bank of South Korea and the Compagnie Monégasque de Banque in Monaco.


The HackRead.com reached one of the attackers and reported the following statement:

“Montenegro is at the heart of elite political corruption. Most of the ISIS/ISIL terrorist group looted money flows through Jordanian banks and South Korea is pretty much a US army base in the Asia-Pacific. Sites are staying offline for much longer periods now as more people are joining in the Operation. All targets so far have been central banks and no innocent people were harmed. We aim to keep it that way. OpIcarus will continue.”

A couple of days ago, hackers claimed to have taken down the Bank of England’s internal email server as part of the operation dubbed ‘OpIcarus.’

Hackers affiliated with Anonymous also claimed to have hit several international banks last week, including the Federal Reserve Bank of Boston, the central banks of Sweden, National Reserve Bank of Tonga, and Myanmar and Laos.

The hacktivist “S1ege,” an alleged member of the Ghost Squad crew, claimed responsibility for the attacks, announcing “an online revolution” to retaliate against the “elite banking cartels putting the world in a perpetual state of chaos.”


Malware used in the recent banking cyberheists is linked to Sony Pictures hack
15.5.2016 Virus

Experts at the security firm BAE Systems have collected evidence that the malware used in the recent cyberheists is linked to the 2014 Sony Pictures hack.
A second bank has fallen victim to a malware-based attack, as SWIFT recently confirmed. The investigation conducted by security researchers at BAE Systems makes the situation very intriguing, because according to the experts the cyberheist at the Bangladesh Bank and the one at an unnamed commercial bank in Vietnam could be linked to the clamorous Sony Pictures hack.

At the time of the Sony hack, the US authorities blamed North Korea for the attack, and the Obama administration decided to tighten economic sanctions against 10 senior North Korean officials and three entities of the country.

At this point we have two options: either North Korea is targeting the global financial system, or we are facing a false flag operation conducted by someone running a diversionary operation that relies on the code used in the Sony hack.

Security experts Sergei Shevchenko and Adrian Nish from BAE Systems have collected evidence of the link between the malware used in the recent cyber attacks against the financial institutions and the malicious code used to compromise Sony Pictures systems in 2014.

The security duo has demonstrated that the malware used in the attacks against the banks relies on the same wiper component.

“The implementation of this function is very unique – it involves complete filling of the file with the random data in order to occupy all associated disk sectors, before the file is deleted. The file-delete function itself is also unique – the file is first renamed into a temporary file with a random name, and that temporary file is also deleted.” states the analysis published by the experts.


Extending their analysis to earlier malware samples with similar features, the duo found a wiper component called msoutc.exe. It was compiled on Oct. 24, 2014 and first uploaded to the malware database on March 4, 2016, by a US user.

The wiper-malware once executed checks if there is another instance of itself running on the infected system to prevent multiple copies of the same malware running on it.

If it finds another running instance it runs a script to delete itself from the system.

The experts also discovered that the malicious code encrypted its log file with a key:

y@s!11yid60u7f!07ou74n001

exactly the same key used by another destructive malware reported by PwC in 2015 and also described in the Alert TA14-353A issued by the US CERT in December 2014 following the Sony Pictures hack.

Shevchenko and Nish confirmed that the script used by the malware to erase itself from the infected machine is the same reported in the analysis published by the Novetta security firm on a malware used by the Lazarus APT Group. That’s the group Novetta blamed for the Sony Pictures attack in its report “Operation Blockbuster.”

“Further details of this same toolkit were disclosed in the ‘Op Blockbuster’ report in February 2016. msoutc.exe matches the description of the ‘Sierra Charlie’ variants in their report. From their analysis this is described as a spreader type of malware, presumably used to gain a foothold on multiple devices within a target environment before launching further actions.” continues the report.

Despite the findings of Shevchenko and Nish, it is possible that a threat actor reused the code of the Sony Pictures hack to make attribution harder, but the duo seems to have a different opinion:

“The overlaps between these samples provide strong links for the same coder being behind the recent bank heist cases and a wider known campaign stretching back almost a decade,” they concluded.


Week in Ransomware – Week of May 13th, 2016

15.5.2016 Virus

Just in a week several new ransomware variants, services, and updates have been discovered in-the-wild, disclosed publicly, and thoroughly analyzed.
Statistical Summary

This week, in a span of just five (5) days (Monday, May 9th, 2016 – Friday, May 13th, 2016), through the collaborative efforts of several organizations and individual analysts around the globe, several new ransomware variants, services, and updates have been discovered in-the-wild, disclosed publicly, and thoroughly analyzed.

At the time of this writing (5/13/2016), the following metrics have been reported:

(6) New Ransomware Variants

(1) New Ransomware-as-a-Service (RaaS) Offering

(1) Update to an Existing Ransomware

Monday, May 9th, 2016
CryptXXX 2.0

The 2nd member of the CryptXXX family was released, dubbed CryptXXX 2.0.
Kaspersky released a decryption utility that decrypted files encrypted by CryptXXX’s first version.
However, Kaspersky’s decryption tool cannot decrypt files affected by this version of CryptXXX.
Appends the .crypt extension to all affected files.
Generates and assigns a unique identifier to the victim device.
Generates ransom notes whose filenames are created using this unique ID.
Its ransom notes are saved with the .html extension.
Enigma

Targets Russian-speaking victims
Appends the .enigma extension to all affected files
Generates ransom notes named: txt
Tuesday, May 10th, 2016
Shujin

May possibly be the first ransomware discovered to be targeting only Chinese users
All associated files (including ransom notes) are written in Chinese
Generates ransom notes named: 文件解密帮助.txt
Wednesday, May 11th, 2016
German Netherlands Locker (GNL Locker)

Queries the target computer’s IP address and determines its geolocation
Only begins encryption process if device is located in either Germany or the Netherlands
Appends the .locked extension to all affected files.
Generates ransom notes using the following filenames and extensions:
txt
html
Thursday, May 12th, 2016
CryptoHitman

Actually a new version of the Jigsaw ransomware (created by the same developers)
Performs the same activities as the Jigsaw ransomware; the differences between CryptoHitman and Jigsaw are, for the most part, aesthetic:
It now uses “Agent 47” of the “Hitman” videogame and movie series as its logo, and includes an image of this character on the locker screen
The locker screen, however, also contains several pornographic images
Appends the .porno extension to all affected files.
Crypren

Heavily publicized this week, but has been around for a while.
Appends the .encrypted extension to all affected files.
Generates ransom notes named: html
New Version of Petya Ransomware with Additional Mischa Ransomware

New Version of Petya Ransomware

Utilizes a significantly modified installer
Some of the observed changes:
When executed, Petya will check to see if it can escalate to administrative privileges.
If so: the Petya ransomware will be installed
If not: the Mischa ransomware will be installed
Remember:
Petya encrypts the Master File Table (MFT) of the victim device.
It then displays a fake screen crafted to resemble a legitimate “chkdsk” screen.
While the fake chkdsk screen is being displayed, encryption of the MFT is underway.
Once the encryption activities are finished, the victim device will present a lock screen with ransom payment instructions displayed.
Mischa

Generates ransom notes using the following filenames and extensions:
HTML
TXT
Unique in that it also encrypts executable files.
Friday, May 13th, 2016
Petya and Mischa Offered as Ransomware-as-a-Service (RaaS)

Allows distributors of malware to earn a portion of the revenue generated by Petya/Mischa by distributing their own unique installer of the malware.
Affiliate program is called “Janus”.
The name “Janus” is based on the criminal organization from the James Bond film, Goldeneye, which is named the “Janus Syndicate”.
RaaS has an official Twitter handle, @janussec
Alleged revenue share percentages are displayed below:
Volume/Week    Shared %
< 5 BTC        25%
< 25 BTC       50%
< 125 BTC      75%
>= 125 BTC     85%

CryptXXX 2.0 Decryption Utility Released by Kaspersky

Kaspersky, which released a decryption utility for the earlier version of the CryptXXX ransomware, has thwarted the efforts of the CryptXXX authors once again.
Kaspersky modified their original CryptXXX decryption tool and released an updated version capable of decrypting files affected by the 2nd member of the CryptXXX family, CryptXXX 2.0.


Hackeři zaútočili na další banku, získali její SWIFT kódy

15.5.2016 Hacking
Společnost pro celosvětovou mezibankovní finanční telekomunikaci (SWIFT) upozornila na nový kybernetický útok, který byl namířen proti nejmenované komerční bance. SWIFT, která dohlíží na mezinárodní peněžní transfery, proto vyzvala svoje klienty, aby neodkladně zkontrolovali svoje systémy zabezpečení.
Hackeři k útoku na program pro čtení PDF souborů použili malware, tedy software, jehož cílem je infiltrovat nebo zničit počítačový systém bez souhlasu uživatele. Útočníkům se prý podařilo rozesílat swiftové zprávy využívající kódy dotčené banky. SWIFT, která má sídlo v Belgii, ale neuvedla název banky ani to, zda nějaké peníze zmizely.

Systém SWIFT se používá k mezinárodnímu platebnímu styku. Každá banka má v rámci tohoto systému jedinečný kód, kterým se identifikuje. Systém využívá zhruba 11 000 finančních institucí po celém světě.

Soudní experti se podle organizace SWIFT domnívají, že použití malwaru není ojedinělý případ, "ale součást širší a velmi adaptivní kampaně cílící na banky".

The attack used tools and techniques similar to those used in February's theft of 81 million dollars (1.9 billion CZK) from the account of Bangladesh's central bank held at the Federal Reserve Bank of New York.

The bankers wanted to save money...
The investigation into this major bank robbery showed in April this year that the bankers had cut costs and were not using a firewall. In other words, the bank practically served the money to the hackers on a silver platter.

A firewall is a network device used to secure computer networks. Its main task is to shield the computers and servers on a given network from malware and other uninvited visitors by filtering the traffic that reaches them.

According to the investigators it was evident that the people handling transactions worth billions had been trying to save money. Other network equipment the investigators examined had been bought second-hand. Buying network switches second-hand, for example, saved the bank at most a few hundred dollars.


A hacker compromised several Reddit accounts to prove it needs 2FA
14.5.2016 Hacking

A mysterious hacker is responsible for the mass defacement of 70 subreddits; he says he wants to demonstrate the lack of security of the popular platform.
Someone is causing panic on Reddit: a mysterious user going by TehBVM (@TehBVM) claims to have already popped more than 100 subreddits. The user has already targeted subreddits related to the Battlefield One game, Marvel Studios, Star Wars, How to Hack, and Game of Thrones, and has also defaced popular subreddits such as TIFU (today I f**ked up).

The hacker spent the last weeks hijacking Reddit moderator accounts and defacing their subreddit pages, changing cover images and CSS.

What is the motivation behind the defacements?

Apparently, TehBVM is doing it partly to demonstrate Reddit's weak security posture; the hacker has not disclosed personal information belonging to Reddit users.

“Around 70 or more subreddits have been defaced since 4 May – including /r/gameofthrones,/r/starwars, /r/pics, /r/books, /r/marvel, /r/robocraft and others.”

TehBVM did not explain how he compromised the Reddit accounts; the only certainty seems to be that he did not run a brute-force attack against the platform. It is likely that the hacker is using login credentials from other data breaches, counting on users having reused the same password across multiple online services.


TehBVM is also offering the credentials of moderator accounts on the hacked subreddits.
Clearly incidents of this kind could be avoided by introducing two-factor authentication: a password reused from another breach is of little use to an attacker who does not also hold the second factor.

Reddit has already planned the introduction of 2FA, but has yet to release a beta.

The lack of a strong authentication method had already been exploited in the past: in 2013 other subreddits were popped in similar circumstances.

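
The credential-reuse scenario described above, as an added example that is not Reddit's code: a login that requires a TOTP second factor (RFC 6238, HMAC-SHA1, 30-second step, one step of clock tolerance) and refuses replayed codes, so a password stuffed from another site's breach no longer opens the account. The user record, password, salt and timestamps are constructed sample data; the TOTP secret is the RFC 6238 test-vector secret, which is why the code for time 59 is known to be 287082.

```python
"""Added example, not Reddit's code: TOTP second factor with replay protection.
User record, password, salt and timestamps below are constructed sample data."""
import hashlib
import hmac
import struct
from typing import Optional

STEP = 30      # TOTP time step in seconds
DIGITS = 6
WINDOW = 1     # accept one step before/after the current one for clock drift


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret: bytes, now: int) -> str:
    """TOTP is HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


SALT = b"constructed-salt"
# Constructed user store: a moderator whose password also leaked elsewhere.
USERS = {
    "mod_alice": {
        "pw_hash": hash_password("reused-password-from-other-site", SALT),
        "totp_secret": b"12345678901234567890",   # RFC 6238 test-vector secret
        "last_counter": -1,   # highest TOTP counter already accepted
    }
}


def login(username: str, password: str, otp: Optional[str], now: int) -> str:
    """Returns 'ok', 'bad_password', 'otp_required', 'bad_otp' or 'replay'."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(
            user["pw_hash"], hash_password(password, SALT)):
        return "bad_password"
    if otp is None:
        # A stuffed password alone, as in the campaign above, stops here.
        return "otp_required"
    counter = now // STEP
    for c in range(counter - WINDOW, counter + WINDOW + 1):
        if hmac.compare_digest(hotp(user["totp_secret"], c), otp):
            if c <= user["last_counter"]:
                return "replay"   # a code already used or superseded
            user["last_counter"] = c
            return "ok"
    return "bad_otp"
```

Recording the last accepted counter matters as much as the code check itself: within the acceptance window a captured code would otherwise be valid for up to 90 seconds, which is plenty for a phishing relay.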


The giant Google has also recently faced a data breach via a benefits provider
14.5.2016 Security

Google started sending out notifications to employees about a data breach that occurred at a third party company that operates as a benefits provider.
We all make mistakes; some are small, others big. But what if the mistake is so significant that it indirectly affects one of the biggest companies in the world? “Oooops!” That is what an employee of a benefits management service provider, a company Google has partnered with to provide its employees comprehensive benefits packages, discovered.

On May 8th, 2016, Google Inc started notifying affected stakeholders of a breach of data containing their sensitive personal information, caused by an email “fumble”: a mistake in identifying the recipient, in which the email client's auto-complete address feature may have played a part.

The disclosure came after a vendor specializing in employee benefits management services realized that an email containing sensitive private information on Google employees had been inadvertently sent to the “wrong person”. In a notice filed with the California Attorney General's office, Teri Wisness, Google's Director of Benefits for the United States, said Google had been notified immediately of the data breach by the sender themselves and appreciated the effort to disclose the leak as quickly as possible.

“We recently learned that a third-party vendor that provides Google with benefits management services mistakenly sent a document containing certain personal information of some of our Googlers to a benefits manager at another company. Promptly upon viewing the document, the benefits manager deleted it and notified Google’s vendor of the issue. After the vendor informed us of the issue, we conducted an investigation to determine the fact” reads the notice.

The email contained a document with an undisclosed number of Google staff names and US Social Security Numbers (SSNs). Acknowledging the mishap, Google dispatched its incident responders to investigate and mitigate; initial reports found no misuse, abuse or malicious intent. Logs from both parties also indicate that nobody else viewed the document, that it was not saved anywhere else locally or remotely, and that it was not disclosed to another party. In fact, the unintended recipient simply deleted the email and its contents after viewing it once and contacted the sender.

Google will offer three years of credit monitoring and protection to the affected employees, and recommends that they request a credit report.


Malware-Laced Porn Apps Behind Wave of Android Lockscreen Attacks
14.5.2016 Android

Incidents of Android lockscreen malware masquerading as porn apps are a growing concern to security analysts, who are forecasting an uptick in attacks. Once infected, Android users bitten by this malware appear to be locked out of their device and are forced to undergo a complex removal of the app to win back control of their phone or tablet. The warning comes from the Dell SonicWALL Threats Research Team, which said this yet-to-be-named variant of lockscreen malware is immature but potent.

“We have found over a 100 different apps that contain this malware and suspect that the authors behind the apps are gearing up for a much larger more deadly assault,” said Alex Dubrovsky, director of software engineering and threat research at Dell.

Unlike other lockscreen malware such as ICE, Jisut and Cyber.Police, which lock the user's screen and demand a ransom, the lockscreen malware Dell found does not appear to be financially motivated, yet. The malware is closely tied to porn websites. Users are enticed to download porn-themed apps via links or SMS messages that lead them to third-party Android app stores. Once a target installs the advertised malicious porn app, it requests Device Administrator privileges. When the user opens the application or the System Settings app, what appears to be a ransom or lockscreen message is shown. But that lockscreen can be easily circumvented by pressing the Home or Recent Apps buttons, according to a SonicWALL research blog about the discovery posted Thursday.

At this time, Dubrovsky said, the attackers are not employing a command-and-control backend to manipulate the device, nor are they executing remote code or taking control of the user's Android device. However, “once the application starts running, encoded data is transmitted to multiple domains in the background,” SonicWALL reports.

Dubrovsky said his team is still dissecting the malware; at this time he suspects that the data transmitted from the phone could be personal in nature, but he could not be sure. “This is clearly beta software that attackers are refining in real time. Many of the obvious features you'd expect with malware are just not feature complete.”

One thing that is certain about this strain of lockscreen malware is that it is hard to remove. “If an Android device gets infected with a malware with Device Administrator privileges it becomes difficult to remove it as the uninstall button gets greyed out,” write Dell's SonicWALL security team. Dell said that the obvious solution of booting the Android device into Safe Mode to remove the app does not work in this instance: once in Safe Mode, the malicious app starts blocking System Settings after a few moments, making it impossible to uninstall. The alternative is to disable the running app via the Android Debug Bridge (adb), a software developer's tool. The other option, for non-technical users, is simply to factory-reset the device.

“Overall it looks like this campaign is in its early days as the lockscreen does not work as expected and it is easy to come out of the ‘lock’ state,” Dell wrote. “Considering the volume of malicious apps that are part of this campaign it can be said that this campaign might grow bigger in the near future with updated components.” Dubrovsky said his researchers are bracing for more mature variants of this lockscreen malware that will be much more technically adept at demanding a ransom in some form from mobile porn surfers, and for apps with a broader, non-adult-themed appeal.


VIDEO – RedTeam Hackers Crack Businesses’ Security
14.5.2016 Hacking

A few days ago a group of white hat hackers from RedTeam Security traveled to the Midwest to test the systems of a major power company and breached it through social engineering.
RedTeam Security is a group of ethical hackers who specialize in offensive security, believing that the best defense is a good offense. We wrote about their initiative and the recent hack of the Midwest power company.


Now the hackers have shared a video that documents their attack... enjoy it!


Microsoft removes its controversial Windows 10 Wi-Fi Sense Password Sharing Feature
14.5.2016 Safety
Microsoft has finally decided to remove one of its controversial Windows 10 features: the Wi-Fi Sense network sharing feature, which shares access to your WiFi network with your Facebook, Skype and Outlook contacts and is enabled by default.
With the launch of Windows 10 last year, Microsoft introduced Wi-Fi Sense network sharing feature aimed at making it easy to share your password-protected WiFi network with your contacts within range, eliminating the hassle of manually logging in when they visit.
This WiFi password-sharing option immediately stirred up concerns from Windows 10 users especially those who thought the feature automatically shared your WiFi network with all your contacts who wanted access.
But Wi-Fi Sense actually hands users controls so they can select which networks to share and which contact lists can access their Wi-Fi.
Also, the feature doesn't share the actual password used to protect your Wi-Fi, but it does give your contacts access to your network.
However, the biggest threat arises when you choose to share your Wi-Fi access with any of your contact lists.
Who really wants to share their Wi-Fi with everyone in their contacts?

Of course, nobody does.
Since the feature does not let you share your network with selected individuals on Facebook, Skype or Outlook, anyone in your contact list with malicious intent can join your network and, once on the same LAN, perform Man-in-the-Middle (MITM) attacks against the other devices on it.
We have written a detailed article on Wi-Fi Sense explaining the actual security threat it poses to Windows 10 users.
Although Microsoft defended Wi-Fi Sense network sharing as a useful feature, Windows users did not respond well to it, and the company has now removed Wi-Fi Sense's contact sharing feature in its latest Windows 10 build, 14342.
"The cost of updating the code to keep this feature working combined with low usage and low demand made this not worth further investment," said Microsoft Vice President Gabe Aul. "Wi-Fi Sense, if enabled, will continue to get you connected to open Wi-Fi hotspots that it knows about through crowdsourcing."
Microsoft has just released its latest Windows 10 build for testers. The company will remove the Wi-Fi Sense password sharing feature as part of the Anniversary Update due this summer, but will keep the part of Wi-Fi Sense that connects users to open networks.


SWIFT warns of new attacks, Bangladesh Bank heist linked to Sony hack

14.5.2016 Attack

SWIFT, the organization that provides banks with a secure network for sending and receiving information about financial transactions, has sent out a warning about a malware attack against another bank. It believes its customers are facing “a highly adaptive campaign targeting banks' payment endpoints.”

In the earlier case – the heist at Bangladesh’s central bank – the attackers compromised the bank’s environment, obtained valid operator credentials that allowed them to submit fraudulent SWIFT messages, and to hide evidence by removing some of the traces of the fraudulent messages.

“In this new case we have now learnt that a piece of malware was used to target the PDF reader application used by the customer to read user generated PDF reports of payment confirmations,” the organization explained.

“Once installed on an infected local machine, the Trojan PDF reader gains an icon and file description that matches legitimate software. When opening PDF files containing local reports of customer specific SWIFT confirmation messages, the Trojan will manipulate the PDF reports to remove traces of the fraudulent instructions.”

SWIFT made sure to note that the malware cannot create new messages or modify outgoing ones, and does not affect SWIFT's network, interface software or core messaging services.

“In both instances, the attackers have exploited vulnerabilities in banks funds’ transfer initiation environments, prior to messages being sent over SWIFT,” they pointed out. “The attackers clearly exhibit a deep and sophisticated knowledge of specific operational controls within the targeted banks – knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both.”
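
How a bank could catch the report tampering described here and in the earlier report on the same attack: an added example, not code from SWIFT, BAE Systems or any bank. The Trojanised reader only alters what the operator sees, so comparing the rendered confirmation report with records the reader never touches (the messaging interface's own outbound log and the correspondent account statement) exposes the removed entries; and because the Trojan copies the legitimate icon and file description, the reader binary itself is checked by digest rather than by name. All message references, amounts, the report layout and the allowlisted hash are constructed sample data and assumptions.

```python
"""Added example (not SWIFT's, BAE Systems' or any bank's code).
Reconciles the operator-facing payment confirmation report against two records
the local PDF reader never touches, and checks the reader binary by digest.
All references, amounts, the report layout and the hashes are constructed."""
import hashlib
import re
from typing import Dict, List

# Constructed: what the messaging interface's own outbound log recorded.
INTERFACE_LOG = [
    {"ref": "TRN20160201001", "amount": 1250000.00, "bene": "ACME SUPPLIES LTD"},
    {"ref": "TRN20160201002", "amount": 980000.00, "bene": "NORTHWIND TRADERS"},
    {"ref": "TRN20160201003", "amount": 20000000.00, "bene": "UNKNOWN HOLDINGS INC"},
]

# Constructed: the confirmation report text as rendered by a Trojanised reader.
# The third instruction has been stripped, the behaviour described above.
RENDERED_REPORT = """\
PAYMENT CONFIRMATIONS 2016-02-01
TRN20160201001  1,250,000.00  ACME SUPPLIES LTD
TRN20160201002    980,000.00  NORTHWIND TRADERS
END OF REPORT
"""

# Constructed: debits on the correspondent (nostro) account statement, an
# independent record produced outside the compromised initiation environment.
CORRESPONDENT_DEBITS = {
    "TRN20160201001": 1250000.00,
    "TRN20160201002": 980000.00,
    "TRN20160201003": 20000000.00,
}

# Constructed allowlist of approved reader binaries. The Trojan copies the
# legitimate icon and file description, so only a digest comparison, not the
# name shown in the file manager, tells the two apart.
TRUSTED_READER_SHA256 = {
    hashlib.sha256(b"constructed legitimate reader binary").hexdigest(),
}

REPORT_LINE_RE = re.compile(r"^(TRN\d{11})\s+([\d,]+\.\d{2})\s+(.+)$")


def parse_report(text: str) -> Dict[str, float]:
    """Extracts reference -> amount from the rendered report (assumed layout)."""
    shown = {}
    for line in text.splitlines():
        m = REPORT_LINE_RE.match(line.strip())
        if m:
            shown[m.group(1)] = float(m.group(2).replace(",", ""))
    return shown


def reconcile(interface_log, report_text, correspondent_debits) -> Dict[str, List[str]]:
    """Three-way comparison; every non-empty list is something an operator
    reading only the PDF would never have seen."""
    sent = {e["ref"]: e["amount"] for e in interface_log}
    shown = parse_report(report_text)
    return {
        # sent by the interface but scrubbed from the operator's report
        "missing_from_report": sorted(set(sent) - set(shown)),
        # settled by the correspondent but not shown to the operator
        "debited_not_shown": sorted(set(correspondent_debits) - set(shown)),
        # settled by the correspondent without a matching interface log entry
        "debited_not_sent": sorted(set(correspondent_debits) - set(sent)),
        # present in both but with a different amount
        "amount_mismatch": sorted(
            r for r in set(sent) & set(shown) if abs(sent[r] - shown[r]) > 0.005
        ),
    }


def reader_is_trusted(binary: bytes) -> bool:
    """Digest-based allowlist check of the PDF reader executable."""
    return hashlib.sha256(binary).hexdigest() in TRUSTED_READER_SHA256
```

The point of the third source is that it sits on the other side of the network: a correspondent's statement arrives from outside the compromised environment, so neither a Trojanised reader nor an attacker with operator credentials can edit it locally. Run against the constructed data, `reconcile` reports TRN20160201003 as both missing from the report and debited but not shown.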

SWIFT did not identify the victim of this latest attack, nor did it say whether the attack was ultimately successful.

But Sergei Shevchenko and Adrian Nish, two BAE Systems researchers analyzing the malware, revealed that the financial institution hit is a commercial bank in Vietnam.

What’s more, their analysis of the malware used in both attacks revealed that:

The malware was custom-made in both cases
It sported unique “file-wipe-out” and “file-delete” functions that are the same or have been only minimally modified
The malware exhibits the same unique characteristics, such as mutex names and encryption keys, as other tools from a larger toolkit described in US-CERT Alert TA14-353A – the alert that is widely believed to describe the 2014 attack against Sony Entertainment.
It contains some of the same typos, and exhibits evidence of being developed in the same environment.

“The overlaps between these samples provide strong links for the same coder being behind the recent bank heist cases and a wider known campaign stretching back almost a decade,” they pointed out.

“It is possible that this particular file-delete function exists as shared code, distributed between multiple coders who look to achieve similar results. However, we have noted that this code isn’t publically available or present in any other software after searching through tens of millions of files. The unique decision to move and rename the file before deletion after overwriting is unusual, and not a common step we would expect to see when implementing this capability.”

They admit it is possible that different coders were involved and tried to make it look as if they were one and the same, but they say this is unlikely.

“Who the coder is, who they work for, and what their motivation is for conducting these attacks cannot be determined from the digital evidence alone,” they say, and hope that further investigation of command infrastructure and related tools will give more definitive answers.

In the meantime, SWIFT urged its customers to review the controls in their payment environments and across all their messaging, payments and e-banking channels and, if they have been attacked, to share the information they have with SWIFT and the authorities.


Cerber Ransomware On The Rise, Fueled By Dridex Botnets

14.5.2016 Virus

Starting in April, security experts at FireEye spotted a massive uptick in Cerber ransomware attacks delivered via a rolling wave of spam. Researchers there link the Cerber outbreaks to the fact that attackers are now leveraging the same spam infrastructure credited with making the potent Dridex financial Trojan so dangerous.

Cerber, best known for its high creep factor in using text-to-speech to “speak” its ransom note to victims, was first spotted in the wild in February. Its typical distribution method was via exploit kits, with Magnitude and Nuclear Pack exploiting a zero day in Adobe Flash Player (CVE-2016-1019). But as recently as May 4, FireEye reports, Cerber became part of a spam campaign linked to Dridex botnets. “By partnering with the same spam distributor that has proven its capability by delivering Dridex on a large scale, Cerber is likely to become another serious email threat similar to Dridex and Locky,” wrote FireEye security analysts in a research blog posted Thursday.

Dridex is a financial Trojan that has emerged as a significant threat to consumers and businesses, targeting financial credentials. Its chief means of distribution is the Dridex botnets that have been behind massive spam campaigns since February and push out millions of targeted spam messages a day.

Cerber ransomware, according to FireEye, follows the same spam framework as Dridex. Targets are sent emails with an attachment disguised as an invoice; once the user opens the document, they are encouraged to enable macros. Rather than embedding the offending VBScript in the attachment, where an email gateway or spam filter might detect it, the macro downloads and installs the VBScript in the %appdata% path of the targeted PC. The VBScript is further obfuscated against detection and reverse engineering through the injection of junk code.

Next, Cerber checks whether the victim has an internet connection. If it does, the last piece of the Cerber ransomware is delivered: the VBScript sends an HTTP Range Request to fetch a JPEG file from a URL. “In the HTTP Request Headers, it sets the value of Range Header to: “bytes=11193-“. This indicates to the web server to return only the content starting at offset 11,193 of the JPG file,” FireEye wrote. This multi-stage technique of delivering the Cerber payload, FireEye said, is similar to the HTTP Range Request checks leveraged by the Dridex and Ursnif Trojans.

Other similarities between Cerber and Dridex include the fact that the spam campaigns are typically English-language only and financially themed, with booby-trapped invoice, receipt and order attachments. Once Cerber goes to work on a system, it targets email, Word documents and Steam (gaming) related files, appending the ‘.cerber’ extension to encrypted files. Victims are directed to visit various versions of the “decrypttozxybarc” domain. In some instances, FireEye said, Cerber also installs a spambot module on the host PC; FireEye suspects the attackers are testing the use of infected PCs to distribute spam.
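
The Range-request trick described above, as an added example that is neither FireEye's nor Cerber's code: the server side of a `Range: bytes=11193-` request against an image with a payload appended past its image data, and a proxy-log check that flags image fetches starting mid-file when the same client never asked for the beginning. The image bytes, payload, log format and log lines are constructed; the offset 11193 is the one FireEye quoted.

```python
"""Added example, not FireEye's or Cerber's code: payload retrieval via an HTTP
Range request and a proxy-log heuristic for the pattern. The image blob,
payload, log format and log lines are constructed sample data."""
import re
from typing import Dict, List, Optional, Tuple

PAYLOAD_OFFSET = 11193
IMAGE_EXT = (".jpg", ".jpeg", ".png", ".gif")

# Constructed "JPEG": a genuine SOI/APP0 prefix, zero padding ending in the EOI
# marker, then the second-stage blob. Viewers stop at EOI, so the file still
# renders as a (blank) picture while the tail is never displayed.
JPEG_PREFIX = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
HIDDEN_PAYLOAD = b"CONSTRUCTED-SECOND-STAGE-PAYLOAD"
HOSTED_IMAGE = (JPEG_PREFIX
                + b"\x00" * (PAYLOAD_OFFSET - len(JPEG_PREFIX) - 2)
                + b"\xff\xd9"
                + HIDDEN_PAYLOAD)

RANGE_RE = re.compile(r"^bytes=(\d+)-(\d*)$")


def parse_range(header: str) -> Optional[Tuple[int, Optional[int]]]:
    """Parses a single byte range such as 'bytes=11193-' or 'bytes=0-1023'."""
    m = RANGE_RE.match(header.strip())
    if not m:
        return None
    return int(m.group(1)), (int(m.group(2)) if m.group(2) else None)


def serve_range(body: bytes, range_header: str) -> Tuple[int, bytes]:
    """Minimal RFC 7233 behaviour: returns (status, bytes). A malformed Range
    header is ignored and the whole body served; a start past the end is 416."""
    parsed = parse_range(range_header)
    if parsed is None:
        return 200, body
    start, end = parsed
    if start >= len(body):
        return 416, b""
    last = len(body) - 1 if end is None else min(end, len(body) - 1)
    return 206, body[start:last + 1]


# Constructed proxy log: "timestamp client method url status range-header"
# ('-' when no Range header was sent). The first client fetches a banner and
# then resumes it; the second only ever asks for the tail of a photo.
PROXY_LOG = """\
2016-05-04T10:00:01 10.0.0.5 GET http://cdn.example/banner.jpg 200 -
2016-05-04T10:00:02 10.0.0.5 GET http://cdn.example/banner.jpg 206 bytes=0-1023
2016-05-04T10:03:17 10.0.0.9 GET http://198.51.100.23/img/photo.jpg 206 bytes=11193-
2016-05-04T10:03:18 10.0.0.9 GET http://198.51.100.23/img/photo.jpg 206 bytes=11193-
"""


def flag_partial_image_fetches(log: str) -> List[Dict[str, object]]:
    """Flags Range requests for image URLs starting past offset 0 when the same
    client never fetched the start of that file: a browser resuming a download
    has asked for the beginning first, a stager has not."""
    fetched_start = set()
    findings = []
    for line in log.splitlines():
        ts, client, _method, url, _status, rng = line.split()
        if not url.lower().endswith(IMAGE_EXT):
            continue
        parsed = (0, None) if rng == "-" else parse_range(rng)
        if parsed is None:
            continue
        start = parsed[0]
        if start == 0:
            fetched_start.add((client, url))
        elif (client, url) not in fetched_start:
            findings.append({"ts": ts, "client": client, "url": url, "offset": start})
    return findings
```

The heuristic is deliberately narrow: it does not flag resumed downloads, only clients whose first and only interest in an image is its tail, which is the shape of a stager that already knows the offset. Pair it with the 206 status and the content type the server returns, since a real image served in full never needs a non-zero start.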


CryptXXX 2.0 foils decryption tool, locks PCs

14.5.2016 Virus

CryptXXX ransomware, first spotted in mid-April, has reached version 2.0 and a new level of nastiness. It is also on its way to becoming one of the top ransomware families in the wild.

The malware's first version would encrypt files but leave the rest of the infected computer alone, so victims could still use it to buy Bitcoin and pay the required ransom.

This also allowed them to run a decryption tool developed by Kaspersky Lab researchers only a week after the first instance of the ransomware was spotted. The AV maker added the decryption capability to its decryptor tool originally meant for files taken hostage by the Rannoh ransomware.

But that option is not available any more, as CryptXXX 2.0 not only bypasses the decryption tool, but also locks the computer’s screen after popping-up the ransom request:


In addition to all this, the page where the crooks explain how victims can make the ransom payment mentions a Google Decrypter tool they will be able to use to decrypt their files. Proofpoint researchers believe that is just misdirection, to prevent victims from identifying which ransomware they have been hit with.

“While new decryption tools may emerge, CryptXXX’s active development and rapid evolution suggest that this new ransomware will continue to compete strongly in malware ecosystems,” the researchers noted.

“As always, best practices for avoiding infection include patching systems and software, updating endpoint antimalware, deploying robust network protections, and regularly backing up all critical systems.”


The Pirate Bay loses its Main Domain Name in Court Battle
13.5.2016 Crime

The Pirate Bay has fought many legal battles since its launch in 2003 to keep the website operational for the last 13 years.
However, this time The Pirate Bay is suffering a major blow after a Swedish court ruled on Thursday that the domain names 'ThePirateBay.se' and 'PirateBay.se' of the world's most popular torrent website will be taken away and handed over to the state.
As its name suggests, The Pirate Bay is one of the most popular file-sharing torrent site predominantly used for downloading pirated or copyrighted media and programs free of charge.
Despite the criminal convictions, the torrent site remains functioning although it has moved to different Web domains several times.
However, this time, The Pirate Bay loses its main .SE domain, the world's 225th most popular website by Alexa ranking, according to the Swedish newspaper DN.
"In common with the District Court ruling the Court of Appeal finds that there is a basis for confiscation since the domain names assisted crimes under the Copyright Act," a statement on the site of the Svea Court of Appeal reads. "This means that the right to the domain names falls to the state."
Back in 2013, the anti-piracy prosecutor Fredrik Ingblad took a different approach to shutting down the file-sharing website.
Instead of suing the operators of the site or going after The Pirate Bay directly, the prosecutor decided to take two of its more popular domains from it and filed a complaint against Punkt SE (IIS), the company that manages .SE domain names.
The lawsuit filed against Punkt SE claimed that The Pirate Bay was an illegal torrent site and that all tools, including the domain names thepiratebay.se and piratebay.se, used in connection with the illegal site should be suspended.
Last year, the Stockholm District Court ruled in favor of the prosecution, saying that both ThePirateBay.se and PirateBay.se would be taken from the owners of The Pirate Bay.
Punkt SE then appealed and won the case, and the body was also awarded compensation of US$40,000 for legal costs.
As a result, the prosecution appealed, and now the decision has come in the prosecution's favor, which means The Pirate Bay's popular domain names are set to be forfeited to the Swedish state.
Both ThePirateBay.se and PirateBay.se are held in the name of The Pirate Bay co-founder Fredrik Neij, so the next step of the legal battle will now be against him.
Although there is still the possibility of another appeal, it is hard to say at this time whether both .SE domains of The Pirate Bay will still be active in the coming months.


Talking with Azeem Aleem about the evolution of cyber threats
13.5.2016 Safety

Azeem Aleem, Director for the Advanced Cyber Defense Services Practice – EMEA at RSA, shares his vision of the evolution of threats in the near future.
The last 14 months have highlighted that attack domains are expanding. We have seen the trend from the OPM data breach to the leaks of sensitive PII in the Anthem and Vtech breaches. Extortion malware impacting organizations and the advanced coordinated attack on the Ukrainian power grid highlight the complexity of the anatomy of today's attacks.

To better understand the topic we have been talking with Azeem Aleem Director for the Advanced Cyber Defense Services Practice – EMEA at RSA. Azeem is responsible for overall professional services engagement for Global Incident Response/Discovery (IR/D), breach readiness, remediation, SOC/CIRC redesign and proactive computer network defense. Prior to RSA, Azeem was the Director for the Centre for E-crime and earlier, led cyber security consultancy services for advanced cyber threats to the law enforcement agencies, Big 4, public sector and the private financial services.


Which are the main targets of cyber attacks today? People, industries or companies? And which differences or similarities in attack methods can we underline?
Aristotle (384-322 BC) said, “It must be expected that something unexpected must occur”. The current time is the unexpected, as we are passing through an era of phenomenal technological revolution. From the realm of international space exploration (Scott Kelly and Mikhail Kornienko returned on 2 March after spending 340 days in space) to the immense growth of smart tablets (Apple's iPad 2 rivals the Cray 2 supercomputer, the world's fastest computer in 1985), it highlights how technology is molding our civilisation to new heights.

Unfortunately, crime follows opportunity, and with this technological advancement we are seeing a rise in advanced cyber attacks. These days the attacks we are seeing are more focused towards zero-day attacks, bringing in sophistication and complexity. Rogue nation-state actors are on the rise and have developed a more diverse and stealthy network of operations. They are devising intelligent ways of using the leaked data for commercial and national security implications. The hunt for these attacks is not an easy phenomenon. Cyber criminals are not bound by any rules; their attacks are shielded/hidden across the organization network. The traditional perimeter is melting and the attack surface is increasing, which requires a holistic view of how we protect the ecosystems. The “not in my back yard” siloed approach does not work anymore. No doubt there is a long journey for the security industry to cover; however, the security industry is moving in leaps and bounds towards maturity. Simultaneously, customer familiarity with security has increased and they now expect security from vendors as an essential discriminator.

What, in your opinion, are the major cybercrime risks facing a company today?
The threat landscape is shifting fast; every day there is a new threat domain that hackers have utilized to impact organisations. We can divide the threat landscape around four main areas:

OS attacks: OS attacks are on the rise; they are becoming more persistent. For example, attacks on the Windows OS via PowerShell are continuing, as it provides cyber criminals with organized, sophisticated exploitation capabilities. On the other side, Mac OS X compromise by bypassing Gatekeeper using an SSH reverse tunnel is on the rise.
Mobile devices: Vulnerabilities in Android and now iOS are on the rise. Attacks like Stagefright and XcodeGhost, which allowed malware code execution via text messaging/video viewing in emails or browsing, highlight that attackers are exhibiting innovative methods of undermining the mobile OS. Non-trusted apps are on the rise and are creating grave concern among organizations.
Industrial Control Systems: From the days of Slammer, Stuxnet, Shamoon etc. to the recent Ukrainian (BlackEnergy) power grid attacks, the advancement in these attacks is clear. The shift from legacy systems towards process control networks with connectivity to the enterprise and the Internet is creating extensive backdoor exploits around industrial control systems. We are seeing that organizations are not even aware of these devices' connectivity patterns inside and outside their ICS environment. Attacks via cloud service providers on ICS are on the rise and there is a dire need for intelligence correlation/reporting mechanisms around SCADA attacks through behavioral analytics.
IoT: The computer vacuum is difficult to secure. IoT has created a technological disruption where it is difficult to contain the genie in the bottle. The IoT revolution is already underway; businesses are under pressure to accommodate the flux of IoT devices. The potential vulnerabilities from IoT across the organization network to home appliances, even stretching to medical devices, can be used as an additional exploit vector against organizations. Already we are seeing evidence of IoT connections on corporate enterprise networks making 3rd-party breaches frequent and simplistic. From the early days of the TRENDnet camera hack, the recent growth in IoT has brought extreme anxiety across the security sector. Gartner predicts that by 2020 there will be 26 billion units installed, channeling a huge volume of data traffic. This will create 50 trillion GB of data hovering across these technologies.
Ransomware: These are not new attacks; they have been hovering around for some time. Traditionally these attacks have been targeted against SMEs (small to medium-sized organizations), where the adversary acted on a hit-and-run strategy, i.e. encrypt the business data and call for a small amount as ransom. Recent attack trends have shown ransomware attacks becoming more aggressive and diversifying by attacking through a multitude of attack vectors.
What can we do to protect sensitive infrastructures against possible attacks? What has the Ukraine case shown, and what have we learned, if anything?
Two areas where we are going wrong are: the preventive mindset and analysis paralysis syndrome. In the first case we need to understand the attack telemetry; while there is agreement on the complexity of advanced attacks, what we see is that organizations are still trying to protect themselves using traditional controls around a signature-based framework. Organizations lack the right visibility and still rely on traditional tools like SIEM for advanced monitoring, which is only able to detect 1% of advanced attacks. We are witnessing that the traditional prevention approach has become a failed strategy. You will get breached, and it is the move towards proactive defense that will enable organizations to preempt where the next attack will be coming from. Comprehensive visibility, with full packet capture to gather what is happening in your network, is the way forward. In the second aspect, what we see is that those organizations that understand the rationale of collecting data from endpoints, network flows/packets, cloud-based apps and the network perimeter are facing a problem with the flux of data. To detect the pattern they have the task of finding a needle in the haystack; they lack the capability to integrate into a single normalized platform to detect the behavioral classification of these cyber criminals.

What kind of suggestions, projects or good practices could you share to help people and companies build awareness of cybersecurity topics?
Security programmes solely focused on compliance won't work. There is no such thing as an isolated incident, and there is a need to manage the whole incident space by developing threat intelligence capability; pervasive visibility is essential, but organizations need to develop the capability to tackle TTPs (Tactics, Techniques & Procedures). The element of time has changed: it is now a matter of minutes and seconds in how we respond to an attack. Nurturing threat intelligence capability will enable them to act as hunters, and help them classify the behaviour and patterns of cyber criminals. The value of threat intel is in how we use it and put it to action: operationalize the platform; automating raw data into tangible intel is the key. Developing this niche capability will help unveil the opponents and force the adversaries to change/edit their strategies, which in turn enhances the ability to respond. Organizations require a mindset change to develop a hunting methodology and enable their staff. Breeding the right culture is very important. To nurture hunting capabilities you need to accept mistakes. Our industry is building itself on illusions (one fix works for all); organizations need to develop filters to chalk out the white noise and follow patterns of attacks that are specific to the organization.

Changing any culture is not easy. Within the security department, training, education and new norms for doing security hunting need to be established. This may also require bringing in new staff members fresh to the new ways of doing things. It is also necessary to evangelize the new approach to more senior staff in the organisation, to ensure that they understand and support the new approaches, as well as to those personnel and departments that interact with security. Central to this is promoting the metrics (whether security is working or not) so that the success (or the failure) can be clearly seen by all. Azeem Aleem has been a staunch supporter of convergence and has been actively writing to highlight the need for a converged methodology to tackle these advanced attacks.

What is your opinion about the future scenario in the cybersecurity field related to trending topics?
Development of an educational route is very important to develop talent and career progression. The recent move by GCHQ to recognize Master's degrees at 10 selected UK universities will enable students to take up security as a career. We need a stronger partnership among academia and the public and private sectors – university students' final-year MSc projects and PhD theses could be an excellent route to work on live industry case examples. The element of research needs to be enabled by developing this partnership. For example, at RSA we are working with a number of universities such as Brighton, Napier and Macquarie University to develop various areas of research where university researchers can contribute towards our efforts in the fight against advanced adversaries. From a technology viewpoint, organizations are overwhelmed with legacy technologies. This is creating an impact on productivity and creating a dizzying whirlpool of reality (that we are secured). They are getting all the alerts but no real credibility and tangible intel. Traditional perimeters have melted away, and this requires a holistic view of how we protect the ecosystem. Closer integration of the supply chain is very important: continuous monitoring needs to be done and the siloed approach needs to be taken out.


Second Bank hit by Malware attack similar to $81 Million Bangladesh Heist
13.5.2016 Virus

SWIFT, the Society for Worldwide Interbank Financial Telecommunication, warned on Thursday of a second malware attack similar to the one on the Bangladesh central bank that led to an $81 million cyber heist.
In February, the $81 million cyber heist at the Bangladesh central bank was carried out by hacking into SWIFT, the global financial messaging system that thousands of banks and companies around the world use to transfer billions of dollars every day.
However, the hackers behind the cyber heist appear to be part of a comprehensive online attack on global banking and financial infrastructure.
The second attack involving SWIFT targeted a commercial bank, which the company declined to identify. SWIFT also did not immediately make clear how much money, if any, was stolen in the attack.
However, SWIFT spokeswoman Natasha de Teran said that the second attack and the Bangladesh bank heist contained numerous similarities and were very likely part of a "wider and highly adaptive campaign targeting banks," the NY Times reported.
The malware involved in the Bangladesh cyber heist was used to manipulate logs and erase the history of the fraudulent transactions, and even prevented printers from printing the fraudulent transactions.
The malware used in the attack is also able to intercept and destroy incoming messages confirming the money transfers, which helps the hackers remain undetected.
SWIFT said in a statement that the attackers clearly exhibited "a deep and sophisticated knowledge of specific operation controls within the targeted banks — knowledge that may have been gained from malicious insiders or cyber attacks, or a combination of both."
News of a second attack involving SWIFT comes as law enforcement authorities in Bangladesh and elsewhere investigate the February $81 million cyber heist from the Bangladesh central bank's account at the Federal Reserve Bank of New York.
The hackers had attempted to steal $951 million in total from the Bangladesh central bank account using fraudulent transactions, but a simple typo by the hackers halted further transfers of the remaining $850 million.
SWIFT has acknowledged that the scheme involved in the Bangladesh cyber heist did not harm its core messaging system.
However, in both cases, insiders or hackers successfully penetrated the targeted banks' systems, pilfered user credentials and submitted fraudulent messages corresponding to money transfers.
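The malware described above erased local transaction history and suppressed confirmations, so the bank's own records could not be trusted. The Python block below is an added illustration, not part of this report and not any SWIFT software: it keeps a hash-chained transfer log whose head hash is copied to an independent store at write time, and then detects an erased entry both from the broken chain and from reconciling the local log against the counterparty's confirmations. The record layout, the field names and the demo scenario are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # the "previous hash" of the very first entry


def entry_hash(prev_hash: str, record: dict) -> str:
    """Hash of one log entry, bound to the hash of the entry before it."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class TransferLog:
    """Append-only transfer log: every entry commits to its predecessor."""

    def __init__(self) -> None:
        self.entries = []

    def append(self, record: dict) -> str:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        digest = entry_hash(prev, record)
        self.entries.append({"record": record, "hash": digest})
        return digest

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify_chain(entries: list, expected_head: str) -> list:
    """Recompute the chain. expected_head is the last hash as recorded by an
    independent party (a write-once copy kept off the messaging host).
    Returns the problems found; an empty list means the log is intact."""
    problems = []
    prev = GENESIS
    for i, entry in enumerate(entries):
        if entry_hash(prev, entry["record"]) != entry["hash"]:
            problems.append(f"entry {i}: hash does not chain to its predecessor "
                            "(edited, reordered, or an earlier entry was deleted)")
        prev = entry["hash"]
    if prev != expected_head:
        problems.append("head mismatch: trailing entries were removed or the log was replaced")
    return problems


def reconcile(sent: list, confirmations: list) -> dict:
    """Cross-check our outgoing records against the counterparty's confirmations,
    both keyed by the transfer reference."""
    sent_refs = {r["ref"] for r in sent}
    conf_refs = {c["ref"] for c in confirmations}
    return {
        "unconfirmed": sorted(sent_refs - conf_refs),  # we sent it, no confirmation arrived
        "unexpected": sorted(conf_refs - sent_refs),   # counterparty confirmed something our log lacks
    }


def demo() -> dict:
    """Constructed scenario: three transfers are logged, then the attacker deletes
    the second entry locally while the counterparty still confirms all three."""
    log = TransferLog()
    for ref, amount in (("TX1", 100), ("TX2", 250), ("TX3", 75)):
        log.append({"ref": ref, "amount": amount, "currency": "USD"})
    trusted_head = log.head()                     # copied to the independent store at write time

    tampered = log.entries[:1] + log.entries[2:]  # TX2 erased from the local log
    confirmations = [{"ref": "TX1"}, {"ref": "TX2"}, {"ref": "TX3"}]
    return {
        "chain_problems": verify_chain(tampered, trusted_head),
        "reconciliation": reconcile([e["record"] for e in tampered], confirmations),
    }
```

The chain alone catches edits and deletions only if the head hash lives somewhere the attacker cannot rewrite; the reconciliation step is what still works when the attacker also destroys incoming confirmations, because it is driven by what the counterparty reports, not by what the compromised host shows.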


Mozilla asks Court to disclose Firefox Exploit used by FBI to hack Tor users
13.5.2016 Security
Mozilla has filed a brief with a U.S. District Court asking that the FBI disclose the vulnerability in its Firefox browser that the agency exploited to unmask Tor users in a criminal investigation.
Last year, the FBI used a zero-day flaw to hack the Tor Browser and de-anonymize users visiting child pornography websites.
Now, Mozilla is asking the government to disclose the details of the hack so that it can ensure the security of its Firefox browser.
Tor is anonymity software that provides a safe haven to human rights activists, governments and journalists, but it is also a place where drugs, child pornography, assassins for hire and other illegal services have allegedly been traded.
The Tor Browser Bundle is basically an Internet browser based on Mozilla Firefox, configured to protect the user's anonymity via Tor and Vidalia.
In 2015, the FBI seized computer servers running the world’s largest dark web child pornography site ‘Playpen’ from a web host in Lenoir, North Carolina. However, after the seizure, the site was not immediately shut down.
Instead, the FBI agents continued to run Playpen from its own servers in Newington, Virginia, from February 20 to March 4. During that period, the agency deployed its so-called Network Investigative Technique (NIT) to identify the real IP addresses of users visiting this illegal site.
Recently, an investigation revealed that Matthew J. Edman, a former employee of TOR Project, created malware for the FBI that has been used by US law enforcement and intelligence agencies in several investigations to unmask Tor users.
The FBI hacked more than a thousand computers in the US alone and over three thousand abroad. The Internet Service Providers (ISPs) were then forced to hand over the target customer’s details, following their arrest.
Two months ago, a judge ordered the FBI to reveal the complete source code of the Tor exploit, which was likely used to hack visitors of Playpen and which affected not only the Tor Browser but also Firefox.
Here’s what Mozilla’s top lawyer Denelle Dixon-Thayer explained in a blog post:
"The Tor Browser is partially based on our Firefox browser code. Some have speculated, including members of the defense team, that the vulnerability might exist in the portion of the Firefox browser code relied on by the Tor Browser. At this point, no one (including us) outside the government knows what vulnerability was exploited and whether it resides in any of our code base."
Mozilla has now filed a motion with a US district court in Washington, asking the government to disclose the vulnerability to Mozilla at least 14 days before any disclosure to the defendant, since the court has required the FBI to hand over the exploit's source code to the defense team.
This is because Mozilla wants time to analyze the vulnerability, prepare a patch and update its products before any malicious actor could exploit the flaw against Firefox, which is used by millions of people.


Results of PoC Publishing
13.5.2016 Virus Source: Kaspersky
Malware Analyst
Dreams of a Threat Actor

There are two crucial features of the Android OS protection system:

it is impossible to download a file without user’s knowledge on a clean device;
it is impossible to initialize installation of a third-party app without user’s knowledge on a clean device.
These two features greatly complicate malware writers’ lives: to infect a mobile device, they have to resort to social engineering. The victim is literally tricked into installing a Trojan. This is not always possible, as users are becoming more aware and are not that easy to trick.

Invisible installation of a malware app onto a mobile device without a user’s knowledge is definitely a daydream of many a malware writer. To do that, it is necessary to find and exploit an Android system vulnerability. These vulnerabilities have been found: we are talking about CVE-2012-6636, CVE-2013-4710, and CVE-2014-1939.

These vulnerabilities allow arbitrary code execution on a device by means of a custom-made HTML page with JavaScript code. They have been fixed starting with Android 4.1.2.

It would be great to say that everything is fine now, but, alas, that is not so. We should not forget about the third feature of the Android OS: a device manufacturer is responsible for creating and deploying updates for its specific device model.

Updating the Android operating system is decentralized: each company uses its own custom version of Android, compiled with its own compilers and supplied with its own optimization and drivers. Regardless of who has found a vulnerability and whether that person has informed the OS developer about it, releasing updates is a prerogative of each manufacturer. Only manufacturers are capable of helping the users.

Nevertheless, updates are released somewhat periodically, but mostly for the leading models: not all manufacturers actively support all of their models.

A publicly available detailed description of Android OS vulnerabilities provides malware writers with all of the required knowledge. Incidentally, a device exposed to these exploits can remain exposed for a long time: let us call it “an endless 0-day”. The problem can be solved only by buying a new device.

This, coupled with publicly available descriptions of the vulnerabilities and examples of them being exploited, incited malware writers into developing an exploit and performing drive-by attacks on mobile devices.

Web Site Infection

Drive-by attacks on the computers of unsuspecting users give threat actors a large audience (if they manage to place malicious code on popular web sites) as well as invisibility (since users do not suspect they are infected). Owners of compromised web sites may also be unaware of the infection for a long time.

The method of code placement and other attack features make it possible to distinguish web sites infected with the same “infection”. For quite a long time, we observed a typical infection within a group of at least several dozen Russian web sites of different types and audiences, including quite well-known and popular resources (for example, web sites with daily traffic of 25,000 and 115,000 users). Web site infection within this group is characterized by the use of the same intermediate domains, the similarity of the malicious code placed on them, the method of code placement (in most cases, it is placed on the same domain as an individual JavaScript file), and the speed and synchronicity with which the code changes on all of the infected web sites once the malicious code has been detected.

The attack method had been standard (even though it went through some changes), and it has been used at least since 2014. It was also standard in that it targeted Windows OS users. However, some time ago, after the threat actors performed a regular modification of the code on the infected web sites, we discovered a new script in place of the “usual” one that loads Flash exploits. It checked for “Android 4” in the User-Agent and used tools uncommon for Windows. This anomaly urged us to study the functionality of the script meticulously and watch the infection more closely.

Thus, on 22 January 2016, we discovered JavaScript code that exploited an Android vulnerability. Just three days later, on 25 January 2016, we found a new modification of this script with more threatening features.

Scripts

We managed to detect two main script modifications.

Script 1: Sending SMS

The only goal of the first script is to send an SMS message with the word “test” to a phone number belonging to the threat actors. For that, the malware writers took advantage of the Android Debug Bridge (ADB) client that exists on all devices. The script executes a command to check the ADB version on the device using the Android Debug Bridge daemon (ADBD). The result of the command is sent to the threat actors' server.

The code for sending the SMS is commented out, so it cannot actually be executed. However, if it were uncommented, devices with Android versions below 4.2.2 could execute the commands given by the malware writers. On newer versions of Android, a local ADBD connection (in loopback mode) is forbidden on the device.

Sending an SMS to a regular number does not mean big losses for the victim, but nothing prevents the malware writers from replacing the test number with a premium-rate number.

The first script modification should not cause big problems for users, even if the threat actors were able to send an SMS to a short code. Most mobile carriers have the Advice-of-Charge feature, which applies no charge for the first SMS to a premium-rate number: one more message with a specific text must be sent to confirm. This is impossible to do from within JavaScript code in this specific case. This is most likely why a second modification of the script appeared.

Script 2: SD-Card File

The second script is, in effect, a dropper: it drops a malicious file embedded in itself onto the SD card.

Part of the script body is decoded using a few simple operations. First, separators are removed from the string:

Then the string is written to the SD card as the file MNAS.APK:

This string must then be executed so that the created app is installed on the system:

However, this code is still commented out.

Let us review the script in more detail. The script checks for a specific Android version (it has to be 4).

Obviously, the malware writers know which versions are vulnerable, and they are not trying to run the script on Android 5 or 6.

Just like the first script, the second has an ADB check on the control-center side:

In this case, the check does not affect anything; however, the ADB version is really essential, since not all versions support a local connection to ADBD.

We analyzed several modifications of the second script, which allowed us to track the flow of thought of the malware writers. Apparently, their main goal was to deliver the APK file to the victim.

Thus, some earlier script modifications send data about each executed command to the control center:


In this case, the SD card is checked for the MNAS.lock file. If it is not there, the script tries to create a zero-size MNAS.APK file using the touch utility.

In later script modifications, the task of delivering the APK file to the victim was solved by using the ECHO command, which allows creating any file with any content on the device:

As a result of the ECHO command execution, a malicious APK file is created on the SD card.
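As an added example for web site owners and analysts (not Kaspersky's detection logic and not code from the report), the Python block below turns the traits described for both scripts into a small indicator scan over JavaScript source: the Android 4 User-Agent gate, the ADB version probe, the lock-file probe, and echo/touch writes of an APK to the SD card. The regexes, the two-hit threshold and both sample scripts are constructed assumptions; the dropper-like sample holds only the strings a defender would look for, no exploit code.

```python
import re

# Constructed heuristics mirroring the traits described in the article; these are
# not Kaspersky's signatures, and the regexes are assumptions about how such code looks.
INDICATORS = {
    "android4_ua_gate": re.compile(r"userAgent[^\n;]{0,80}Android\s*4", re.I),
    "adb_probe":        re.compile(r"\badb\b", re.I),
    "sdcard_apk_path":  re.compile(r"/sdcard/[^\s\"']*\.apk", re.I),
    "lock_file_probe":  re.compile(r"/sdcard/[^\s\"']*\.lock", re.I),
    "shell_file_drop":  re.compile(r"\b(?:echo|touch)\b[^\n]{0,160}/sdcard/", re.I),
}


def scan_script(src: str) -> dict:
    """Run every indicator over one script's source and summarise the hits."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    # A single hit (e.g. a User-Agent check) is ordinary web code; the combination matters.
    return {"hits": hits, "score": len(hits), "suspicious": len(hits) >= 2}


def scan_site(scripts: dict) -> list:
    """scripts maps a script name or URL to its source; returns the names that trip the scan."""
    return [name for name, src in scripts.items() if scan_script(src)["suspicious"]]


# Constructed samples: a harmless analytics snippet, and a stripped-down mimic of the
# dropper's observable traits (only the strings a defender would look for, no exploit).
BENIGN_JS = """
var ua = navigator.userAgent;
if (/Android/i.test(ua)) { document.body.classList.add("mobile"); }
"""

DROPPER_LIKE_JS = """
if (navigator.userAgent.indexOf("Android 4") !== -1) {
  var cmd1 = "adb version";
  var cmd2 = "touch /sdcard/MNAS.lock";
  var cmd3 = "echo " + payload + " > /sdcard/MNAS.APK";
}
"""


def demo() -> list:
    """Scan the two constructed samples; only the dropper-like one should be reported."""
    return scan_site({"https://example.invalid/analytics.js": BENIGN_JS,
                      "https://example.invalid/loader.js": DROPPER_LIKE_JS})
```

Run it against the JavaScript files a site actually serves (including third-party includes on the same domain, which is where the article says the code was placed) after every deployment, and diff the hit list over time: the report notes that the injected code on these sites changed quickly and in sync once detected, so a scan that ran once is not enough.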

Trojan

The second script, in the state in which we discovered it, created and wrote a malicious file onto the SD card, but that file still needed to be executed. Since the dropper script does not contain a mechanism for executing the Trojan, that task has to be carried out by the user.

The APK file dropped from the script can be detected by Kaspersky Lab as Trojan-Spy.AndroidOS.SmsThief.ay. Since the beginning of 2016, we have managed to find four modifications of the Trojan.

Malware writers use the “example.training” name inside the Trojan code:


At the same time, the malicious file has enough privileges to carry out fully fledged attacks on the victim's wallet by sending SMS messages:

The first action the malicious code takes after execution is to request device administrator rights. After obtaining them, it hides itself from the application list, making it difficult to detect and remove:

The Trojan then waits for incoming SMS messages. If they match given rules, for example if they come from the number of one of the biggest Russian banks, these messages are immediately forwarded to the malware writers as an SMS:

Also, the intercepted messages will be forwarded to the server of the threat actors:


Aside from the controlling server, the threat actors use a control number to communicate with the Trojan: the data exchange occurs within SMS messages.

The control number initially exists in the malicious code:


The Trojan awaits specific commands from the control center and in SMS messages from the control number.

A command to change the control number can come from the server of threat actors:


The following commands can come from a control number:

SEND: send an SMS to an indicated number with indicated text;
STOP: stop forwarding SMS messages;
START: start forwarding SMS messages.
For the moment, the functionality of the Trojan is limited to intercepting and sending SMS messages.

Conclusion

The task of carrying out a mass attack on mobile users is solved by infecting a popular resource with malicious code capable of executing any threat actor's command on an infected mobile device. In the case of the attacks described in this article, the emphasis has been placed on the devices of Russian users, which are old and not up to date (notably, Russian domains have been infected).

It is unlikely that the interest of the malware writers towards drive-by attacks on mobile devices will decrease, and they will keep finding methods of carrying out these attacks.

It is clear that malware writers' attention to research publications on Remote Code Execution vulnerabilities will increase, and that attempts to implement attacks using mobile exploits will persist.

It is also obvious that, no matter how enticing it is to publish a 0-day vulnerability, it is worth refraining from showing detailed exploit examples (proof of concept). Publishing such examples will most likely lead to someone creating a fully functional version of the malicious code.

There is good news for the owners of old devices: our Kaspersky Internet Security solution is capable of protecting your device by tracking changes on the SD card in real time and removing malicious code as soon as it is written to the SD card. Therefore, our users are protected from the threats known to Kaspersky Lab that are delivered by the drive-by download method.


Pawn Storm hackers hit the German Christian Democratic Union party
13.5.2016 Attack

Researchers at Trend Micro discovered that Pawn Storm threat actor targeted the political party of Chancellor Angela Merkel, the Christian Democratic Union.
Security experts have long followed the operations of the Russia-linked Pawn Storm cyber spies, also known as APT28, Sednit, Sofacy, Fancy Bear and Tsar Team.

In October 2014, security experts at Trend Micro spotted a cyber espionage operation targeting military, government and media agencies across the world. The researchers speculate that the threat actors behind the campaign have been active since at least 2004 and are still running espionage campaigns.

“Pawn Storm is an active economic and political cyber-espionage operation targeting a wide range of entities, mostly those related to the military, governments, and media. Specific targets include:

Military agencies, embassies, and defense contractors in the US and its allies
Opposition politicians and dissidents of the Russian government
International media
The national security department of a US ally”
wrote Trend Micro in a blog post.

Now the group has been observed targeting the political party of Chancellor Angela Merkel, the Christian Democratic Union of Germany.

Last year, the computer systems of the German Parliament, the Bundestag, were infected with malware developed by Pawn Storm.

A spokeswoman for the Bundestag confirmed that unknown hackers stole data during the cyber attack.

In April 2015, security experts at Trend Micro spotted a number of phishing attacks targeting members of the Christian Democratic Union (CDU) and high-profile users of German freemail providers GMX and WEB.DE.

“In April 2016, we discovered that Pawn Storm started a new attack against the German Christian Democratic Union (CDU), the political party of the Chancellor of Germany, Angela Merkel.” States Trend Micro “The attack consisted of seemingly coordinated credential phishing attacks against the CDU and high profile users of two German freemail providers.”

The hackers set up a bogus webmail server for the Christian Democratic Union in Latvia with the intent of launching phishing attacks.

They also registered three domains mimicking web.de and gmx.de with the same intent, targeting high-profile individual users of the two German free webmail providers.

The three domains are:

account-web[.]de
account-gmx[.]de
account-gmx[.]net
The experts noticed that the attackers used a VPS provider registered in the United Arab Emirates that also has servers in the Netherlands and Romania. The experts linked this VPS provider to other campaigns conducted by Pawn Storm around the world.

“Credential phishing is an important espionage tool: we have witnessed Pawn Storm downloading complete online e-mail boxes and securing future access by e.g. setting up forwarding e-mail addresses secretly.” states Trend Micro.
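As an added defensive example (not Trend Micro's tooling and not code from this report), the Python block below refangs indicators written in the account-web[.]de style and flags registered names that reuse a freemail provider's label as a separate token under the provider's own TLD, which is exactly the pattern of the three domains listed above. The PROTECTED set, the separator rule and the same-TLD requirement are assumptions; the sample list is constructed from the three reported domains plus two names that must not fire.

```python
import re

# Legitimate domains of the two freemail providers named in the report (assumed list; extend as needed).
PROTECTED = {"web.de", "gmx.de", "gmx.net"}
LABEL_SEP = r"[-_.]"   # characters that separate a brand label from the rest of the name


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as account-web[.]de back into a plain domain name."""
    return ioc.strip().lower().replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


def lookalikes(candidate: str, protected=PROTECTED) -> list:
    """Protected domains the candidate impersonates: the brand label appears as its own
    token (account-gmx, gmx-login, mail.gmx.evil.de) under the brand's TLD."""
    domain = refang(candidate)
    if domain in protected:
        return []
    tld = domain.rsplit(".", 1)[-1]
    matches = []
    for legit in protected:
        label, legit_tld = legit.rsplit(".", 1)
        token = rf"(?:^|{LABEL_SEP}){re.escape(label)}(?:{LABEL_SEP}|$)"
        if legit_tld == tld and re.search(token, domain):
            matches.append(legit)
    return sorted(matches)


def flag_domains(candidates: list, protected=PROTECTED) -> dict:
    """Map each flagged (refanged) domain to the protected names it resembles."""
    flagged = {}
    for cand in candidates:
        hits = lookalikes(cand, protected)
        if hits:
            flagged[refang(cand)] = hits
    return flagged


# Constructed input: the three domains from the report plus two names that must not fire.
SAMPLE = ["account-web[.]de", "account-gmx[.]de", "account-gmx[.]net", "gmx.de", "webmail-example.com"]
```

Requiring the same TLD keeps a generic label like "web" from flagging every domain containing it, at the cost of missing a hypothetical account-web.net; drop that condition if you would rather review more candidates. Fed with newly registered domain feeds or certificate transparency logs, the same check gives early warning before a phishing page goes live.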

“It is a recurring theme in recent Pawn Storm attacks; organizations get hit from different angles simultaneously. We have seen that happening time and time again against various governments, armed forces, defense companies and media.”

Experts at Trend Micro have observed more than a dozen active command and control (C&C) servers used to control a strain of espionage malware dubbed X-Agent, which the hackers used against high-value targets.

In March, Pawn Storm targeted organizations in Turkey, including the government’s Directorate General of Press and Information, the Grand National Assembly, the newspaper Hürriyet, and the Prime Minister’s Office.


Updates fix dangerous holes in Internet Explorer and Windows

13.5.2016 Vulnerabilities
As part of its regular monthly updates, Microsoft also released patches for flaws discovered in the Windows operating system and in the Internet Explorer and Edge web browsers. People should not delay installing the updates, because they fix critical vulnerabilities.
A total of seven critical flaws were found in the American software giant's products. It is very likely that, after their official disclosure, cybercriminals will try to exploit them.

Besides Windows and the browsers mentioned above, equally dangerous holes were also found in the Office suite. One of the holes also concerns the VBScript engine, i.e. the scripting language used to embed code into web pages.

The risks are high
Flaws are always labelled critical when cybercriminals can exploit them to smuggle practically any uninvited guest onto a computer.

All they need is to create a fraudulent web page through which they remotely run malicious code. In this way they can get at files stored on the hard disk or take control of the machine remotely.

Such a machine can then, even without the user's knowledge, become part of a botnet (a network of enslaved computers), which cybercriminals typically abuse to send spam or carry out DDoS attacks.

Do not delay installation
Alongside the updates for critical security flaws, a number of updates rated as important were released. Users should not delay installing these either, because they can affect the functionality of the Windows operating system itself or of some programs.

All fixes for critical and important holes, released together with the package of regular updates, can be downloaded through the Windows Update service.


Flawed 7-Zip compression tool opens systems to hack. Update it now!
12.5.2016 Vulnerability

Recently, security experts at Cisco Talos discovered multiple exploitable vulnerabilities in 7-Zip that expose users to cyber attacks.
According to Cisco security researcher Jaeson Schultz, multiple flaws in the 7-Zip compression tool could be exploited by hackers to gain complete control of a target machine running the popular software.

“Recently Cisco Talos has discovered multiple exploitable vulnerabilities in 7-Zip. These type of vulnerabilities are especially concerning since vendors may not be aware they are using the affected libraries.” states a blog post published by CISCO Talos.

The first issue discovered by the expert is an out-of-bounds read vulnerability (CVE-2016-2335) that exists in the way 7-Zip handles Universal Disk Format (UDF) files.

“An out-of-bounds read vulnerability exists in the way 7-Zip handles Universal Disk Format files. This vulnerability can be triggered by any entry that contains a malformed Long Allocation Descriptor,” states Talos.


The experts at Cisco also discovered a heap overflow vulnerability (CVE-2016-2334) in the Archive::NHfs::CHandler::ExtractZlibFile method of 7-Zip.

The expert reported the security issues to the maintainers of the open source 7-Zip project, who promptly worked on a patch. Schultz explained that attackers could exploit the flaws to compromise otherwise fully updated machines and gain the same access rights as the logged-in user.

“Anytime the vulnerable code is being run by any sort of privileged account, an attacker can exploit the vulnerability and execute code under those same permissions,” explained Schultz. “A fully patched Windows 10 box lacking the 7-Zip fixes would not help you.” continues the post. “An exploitable heap overflow vulnerability exists in the Archive::NHfs::CHandler::ExtractZlibFile method functionality of 7-Zip.” “There is no check whether the size of the block is bigger than size of the buffer buf, which can result in a malformed block size which exceeds the mentioned buf size. This will cause a buffer overflow and subsequent heap corruption.”

The issues are caused by failures in input validation, but the most worrisome aspect of the story is that many software products rely on the 7-Zip compression tool. Simply searching Google for the 7-Zip licence (http://7-zip.org/license.txt) returns a long list of solutions that use it.

“This can be of particular concern, for example, when it comes to security devices or antivirus products. 7-Zip is supported on all major platforms, and is one of the most popular archive utilities in-use today. Users may be surprised to discover just how many products and appliances are affected.”

Users are urged to update their 7-Zip software to the latest version 16.00.
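The missing size check Talos describes is the classic case of trusting a length field from the file. The Python block below is an added example, not 7-Zip's code and not the HFS layout: it models a constructed container of [u32 length][zlib block] and places the unchecked copy beside the hardened one. Python cannot corrupt the heap, so the unchecked version shows the defect as the fixed buffer silently growing past its declared size, where the equivalent C memcpy would write past the end of the allocation.

```python
import struct
import zlib
from typing import Optional

# Constructed container for illustration: [u32 little-endian block_len][zlib block].
# This is not the HFS/7-Zip layout; it only reproduces the trust-the-length-field mistake.


def build_block(data: bytes, declared_len: Optional[int] = None) -> bytes:
    """Compress data into one block; declared_len lets a test forge the length field."""
    payload = zlib.compress(data)
    length = len(payload) if declared_len is None else declared_len
    return struct.pack("<I", length) + payload


def extract_unchecked(blob: bytes, buf_size: int) -> bytearray:
    """The flawed pattern: copy block_len bytes into a fixed buffer without comparing
    block_len to buf_size. A Python bytearray silently grows here; the equivalent
    C memcpy into a heap allocation of buf_size bytes would write past its end."""
    buf = bytearray(buf_size)
    (block_len,) = struct.unpack_from("<I", blob, 0)
    buf[0:block_len] = blob[4:4 + block_len]
    return buf


def extract_checked(blob: bytes, buf_size: int) -> bytes:
    """Hardened version: validate the length against both the buffer and the input."""
    buf = bytearray(buf_size)
    (block_len,) = struct.unpack_from("<I", blob, 0)
    if block_len > buf_size:
        raise ValueError(f"block length {block_len} exceeds buffer size {buf_size}")
    if block_len > len(blob) - 4:
        raise ValueError("block length exceeds remaining input (truncated or forged header)")
    buf[0:block_len] = blob[4:4 + block_len]
    return bytes(buf[:block_len])


def is_rejected(blob: bytes, buf_size: int) -> bool:
    """True when the hardened extractor refuses the block."""
    try:
        extract_checked(blob, buf_size)
        return False
    except ValueError:
        return True


def decompress_block(blob: bytes, buf_size: int) -> bytes:
    """Full path: validated copy, then inflate."""
    return zlib.decompress(extract_checked(blob, buf_size))
```

The second check in extract_checked matters as much as the first: a length that fits the buffer but exceeds the data actually present is the out-of-bounds read case, the other class of bug Talos reports for the UDF handler.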


Flash Player targeted by attacks again; Adobe warns of critical exploitation

12.5.2016 Vulnerabilities
Adobe Systems is currently dealing with a critical vulnerability in Flash Player that hackers have already managed to exploit. In the meantime, the company has released fixes for the other affected applications, namely Reader, Acrobat and ColdFusion, but the patch for Flash Player is still being worked on.

The flaw is tracked as CVE-2016-4117 and affects Flash Player versions 2.0.0.226 and earlier for Windows, OS X, Linux and Chrome OS. Successful exploitation allows an attacker to take control of the system.

"Adobe is aware of reports that an exploit for CVE-2016-4117 exists," the company wrote in an advisory published on Tuesday. "Adobe will fix this vulnerability in our monthly security update, scheduled for May 12."

On Tuesday the company also released a package of updates for Reader and Acrobat that together fix 92 flaws. Most of them are rated critical.

Vulnerable versions include Acrobat DC and Reader DC 15.010.20060 and earlier, 15.006.30121 and earlier, and also Acrobat XI and Reader XI 11.0.15 and earlier. Users can update the product manually by clicking "Help" and then "Check for Updates".

The company also released updates for its ColdFusion application server. These updates address an input validation vulnerability that could lead to cross-site scripting attacks, a host name verification issue that caused problems with wildcard certificates, and a Java deserialization flaw in the Apache Commons Collections library.

Adobe advises users to install ColdFusion (2016 release) Update 1, ColdFusion 11 Update 8 or ColdFusion 10 Update 19, depending on which version of the application they have.

ColdFusion installations are a frequent target of attackers. In 2013, researchers uncovered a larger attack in which hackers exploited ColdFusion vulnerabilities to install malware on Microsoft IIS servers.


Root Kernel Backdoor found in China-made Popular ARM Processors
12.5.2016 Virus

Secret Kernel Backdoor found in China-made Popular ARM Processors
How to Hack an Android device?
It is possibly one of the most frequently asked questions on the Internet.
Although it's not that simple to hack an Android device, sometimes you just get lucky and find a backdoor.
Thanks to Allwinner, a Chinese ARM system-on-a-chip maker, which has recently been caught shipping a version of the Linux kernel with an incredibly simple and easy-to-use built-in root backdoor.
Chinese fabless semiconductor company Allwinner is a leading supplier of application processors that are used in many low-cost Android tablets, ARM-based PCs, set-top boxes, and other electronic devices worldwide.
Simple Backdoor Exploit to Hack Android Device
All you need to do to gain root access on an affected Android device is send the text "rootmydevice" to an undocumented debugging process.
The local privilege escalation backdoor code, meant for debugging ARM-powered Android devices, made its way into shipped firmware after firmware makers wrote their own kernel code underneath a custom Android build for their devices; the mainline kernel source is unaffected.
The backdoor code is believed to have been left behind by mistake after the authors completed debugging.
To exploit this issue, any process running under any UID can be made root simply by using the following command:
echo "rootmydevice" > /proc/sunxi_debug/sunxi_debug
The Linux 3.4-sunxi kernel was originally designed to support the Android operating system on Allwinner ARM processors for tablets, but later it was used to port Linux to many Allwinner processors on boards like Banana Pi micro-PCs, Orange Pi, and other devices.
At the forum of the Armbian operating system, a moderator who goes by the name Tkaiser noted that the backdoor code could remotely be exploitable "if combined with networked services that might allow access to /proc."
This security hole is currently present in every operating system image for A83T, H3 or H8 devices that rely on kernel 3.4, he added.
This blunder has frustrated many developers, and Allwinner has been less than transparent about the backdoor code. David Manouchehri published information about the backdoor through his own GitHub account (Pastebin) and then apparently deleted it.
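An added check (not from the report and not from Allwinner or Armbian) that a device or image owner can run to see whether the debug interface named above is exposed, and whether the running kernel is of the 3.4 sunxi family the report names. The kernel release regex, the release-string format and the verdict strings are assumptions.

```python
import os
import re

SUNXI_DEBUG_PATH = "/proc/sunxi_debug/sunxi_debug"   # interface named in the report


def backdoor_interface_status(path: str = SUNXI_DEBUG_PATH) -> dict:
    """Report whether the debug entry exists and whether the calling user could write to it.
    Presence alone is the finding: the report says any UID can use it."""
    present = os.path.exists(path)
    return {"path": path, "present": present,
            "writable": present and os.access(path, os.W_OK)}


def is_sunxi_34_kernel(release: str) -> bool:
    """True for a 3.4.x kernel from the sunxi tree, the combination the report names.
    The release-string format (as printed by `uname -r`, e.g. '3.4.39-sunxi') is an assumption."""
    return re.match(r"3\.4\.\d+.*sun(?:xi|\di)", release) is not None


def assess(release: str, path: str = SUNXI_DEBUG_PATH) -> str:
    """One-line verdict combining the two checks."""
    status = backdoor_interface_status(path)
    if status["present"]:
        return "VULNERABLE: debug interface present" + (", writable by this user" if status["writable"] else "")
    if is_sunxi_34_kernel(release):
        return "AT RISK: sunxi 3.4 kernel, interface not exposed here"
    return "OK: interface absent"


if __name__ == "__main__":
    print(assess(os.uname().release))
```

Because the moderator quoted above warns that the hole becomes remotely reachable through any networked service that can touch /proc, the "AT RISK" verdict is worth acting on even when the path is absent on the image you tested: a different build of the same kernel may expose it.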


Bad actors used a Windows zero-day in financial attacks
12.5.2016 Vulnerability

In March 2016 experts from FireEye spotted a malicious campaign, conducted by a financially motivated threat actor, that leveraged a zero-day exploit.
According to security experts at FireEye, a sophisticated criminal organization targeted more than 100 organizations in North America. Most of the victims are in the retail, hospitality and restaurant sectors. The threat actor used a Windows zero-day exploit in attacks aimed at payment card data.

The attackers relied on a zero-day privilege escalation vulnerability affecting Windows systems; they used spear-phishing emails and malicious macro-enabled Word documents to deliver the PUNCHBUGGY threat.


PUNCHBUGGY is a DLL downloader used to compromise the target and move laterally within the victim’s network. The criminal crew also used a new point-of-sale (PoS) malware dubbed “PUNCHTRACK.” The malware is a memory scraper that is able to capture both Track 1 and Track 2 payment card data.

“FireEye identified more than 100 organizations in North America that fell victim to this campaign. FireEye investigated a number of these breaches and observed that the threat actor had access to relatively sophisticated tools including a previously unknown elevation of privilege (EoP) exploit and a previously unnamed point of sale (POS) memory scraping tool that we refer to as PUNCHTRACK. ” states FireEye. “Designed to scrape both Track 1 and Track 2 payment card data, PUNCHTRACK is loaded and executed by a highly obfuscated launcher and is never saved to disk.”
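The defensive counterpart to a Track 1/Track 2 memory scraper is a scanner that finds the same data in process memory before an attacker does. The block below is an added example, not FireEye's tooling or anything from the article: it searches a raw byte buffer (a process memory dump, for instance) for the ISO 7813 Track 1 and Track 2 layouts, drops candidates whose PAN fails the Luhn check to cut regex false positives, and masks the PAN in the finding so the scan result is not itself cardholder data. The `SAMPLE_DUMP` buffer is constructed, using the well-known 4111 1111 1111 1111 test number and a Luhn-invalid near-copy as a decoy.

```python
import re

# Magnetic-stripe layouts (ISO/IEC 7813):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
# Byte patterns are used because the input is raw memory, not text.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]{0,40}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,40}\?")


def luhn_ok(pan):
    """Return True if the digit string passes the Luhn check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan):
    """Keep only the first six and last four digits of the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob):
    """Scan a bytes buffer (e.g. a process memory dump) for track data.

    Only candidates whose PAN passes the Luhn check are reported, which
    removes most of the false positives a bare regex produces on random
    memory. The PAN is masked before it is returned.
    """
    findings = []
    for track, regex in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in regex.finditer(blob):
            pan = m.group(1).decode("ascii")
            if not luhn_ok(pan):
                continue
            # Expiry is group 3 on Track 1 (after the name) and group 2 on Track 2.
            expiry = (m.group(3) if track == 1 else m.group(2)).decode("ascii")
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry_yymm": expiry,
            })
    findings.sort(key=lambda f: f["offset"])
    return findings


def scan_file(path):
    """Convenience wrapper for a memory dump that has been saved to disk."""
    with open(path, "rb") as fh:
        return find_track_data(fh.read())


# Constructed sample "memory": the 4111 1111 1111 1111 test PAN (passes Luhn)
# appears once per track, and a near-copy ending in ...1112 (fails Luhn) is
# included as a decoy that the scanner must ignore.
SAMPLE_DUMP = (
    b"\x00\x10PosTerminal.exe\x00\x00"
    b"%B4111111111111111^DOE/JANE^25121010000000000?\x00\x00"
    b"garbage\xff\xfe"
    b";4111111111111111=25121010000000000?\x00"
    b";4111111111111112=2512101?\x00"
)

if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_DUMP):
        print(finding)
```

Run against dumps of the payment application's processes on a PoS host, a non-empty result from this scan means cleartext track data is resident in memory, which is exactly what a scraper like PUNCHTRACK harvests; since PUNCHTRACK is described as never being saved to disk, memory-level checks of this kind, together with monitoring of the obfuscated launcher's behaviour, matter more than file-based antivirus for this threat.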

As reported by FireEye, in some of the attacks the criminal organization exploited a local privilege escalation vulnerability in Windows (CVE-2016-0167). The CVE-2016-0167 flaw was exploited by hackers to run malicious code with SYSTEM privileges.

The flaw was unknown at the time of the attacks; experts at FireEye worked with Microsoft, which fixed the issue in the April 12, 2016 Patch Tuesday update (MS16-039).

FireEye confirmed that the flaw was exploited in limited, targeted attacks dating back to March 8.

“This actor has conducted operations on a large scale and at a rapid pace, displaying a level of operational awareness and ability to adapt their operations on the fly. These abilities, combined with targeted usage of a [privilege escalation] exploit and the reconnaissance required to individually tailor phishing emails to victims, potentially speaks to the threat actors’ operational maturity and sophistication,” continues FireEye in the post.