Articles 2016 April  - English Press  English Articles  Page  1  2  3  4  5  6  2020  2019  2018  2017  2016  2015  2014  2013  2012

H  Analysis  Android  Apple  APT  Attack  BigBrothers  BotNet  Congress  Crime  Crypto  Cryptocurrency  Cyber  CyberCrime  CyberSpy  CyberWar  Exploit  Forensics  Hacking  ICS  Incindent  iOS  IT  IoT  Mobil  OS  Phishing  Privacy  Ransomware  Safety  Security  Social  Spam  Virus  Vulnerebility

Jednotlivé èlánky jsou rozdìleny podle mìsícù a zde je najdete./The articles are broken down by month and can be found here.


2016 - January  February  March  April  May  June  July  August  September  October  November  December


The evolution of Brazilian Malware
2.4.2016 Zdroj: Kaspersky Virus

Brazilian malware continues to evolve day by day, making it increasingly sophisticated. If you want to know how the various malicious programs work nowadays, you can jump to the corresponding section here. Meanwhile, before that, we would like to show how the techniques used by Brazilian cybercriminals have changed, becoming more advanced and increasingly complex.

Taking a look at the wider picture we can see that the authors are improving their techniques in order to increase malware lifetime as well as their profits.

Some time ago, analyzing and detecting Brazilian malware was something that could be done pretty fast due to no obfuscation, no anti-debugging technique, no encryption, plain-text only communication, etc. The code itself used to be written in Delphi and Visual Basic 6, with a lot of big images inside making it a huge file, as well as poor exception handling where the process would regularly crash.

Nowadays, the scenario is not the same; the attackers are investing time and money to develop solutions where the malicious payload is completely hidden under a lot of obfuscation and code protection. They do still use Delphi and VB, but have also adopted other languages like .NET and the code quality is much better than before, making it clear to us that they have moved to a new level.

Let’s walk through some samples showing the difference between what we used to find a few years ago and the threats being delivered today.

What we used to find

Keylogger

In the beginning, the first samples used to steal banking information from customers were simple keyloggers, most of them using code publicly available with some minor customizations in order to log only specific situations. At the time it was sufficient since banking websites were not using any kind of protection against this threat.

 

Public keylogger source code

 

Code implemented on malicious binary

The code was pretty simple; it just used the function GetAsyncKeyState in order to check the state of each key and then logged it as necessary. Most of the keyloggers were not using any obfuscation to hide the targets, helping in the identification of such attacks.

 

Plaintext strings used to detect navigation

Phishing Trojan

After the banks introduced virtual keyboard to their systems, the use of keyloggers was no longer effective. To bypass these protections, the Brazilian bad guys started developing mouselogger malware and later Phishing Trojans.

This type of malware was using DDE (Dynamic Data Exchange) in order to get the current URL opened in the browser; this method still works nowadays, but most of these malicious programs have updated their code to use OLE Automation instead of DDE because it provides more advanced options.

 

Code using DDE to get URL information

After getting the current URL the malware just checks if the URL is in the target list. If found, the malware would show a phishing screen asking for banking information.

 

Phishing Trojan being shown inside Internet Explorer

At this time the malware was not using any kind of encryption or encoding – all strings were plaintext making the analysis easier.

 

Malware strings without any encryption/encoding

The stolen information is then sent to the attacker by email.

 

Email containing the stolen information

Hosts

In order to steal information without making it easy to identify a phishing Trojan they started redirecting users to malicious web pages by changing the hosts file to resolve the banking domain names to hardcoded servers. In this way, after infection it would be more transparent to the user increasing the chances of a successful attack.

 

Data written to the hosts file in order to redirect access

 

Code used to write data to host file

These types of attack were very effective at the time, while not all anti-malware vendors were able to identify and block them. We can still see some samples using host modifications, but they are not so effective anymore.

Anti-rootkit

At this stage they realized that anti-malware solutions and internet banking security plugins were making their work more difficult. They then started to focus their efforts on removing security solutions before running the malicious payload in order to increase the chances of a successful execution and to keep running on the infected machine for much longer.

Nothing could be better than using well known command line tools that already have this capability –and most of them are already whitelisted.

RegRun Partizan
This tool is a Native Executable which runs on system startup before the Win32 subsystem starts up. It is able to delete files and registry keys even if they are protected by Kernel mode drivers, since it is executed before the drivers are loaded to the system. The commands to be executed are specified on the .RRI file as shown below.

 

Partizan RRI script containing the list of files to remove

The Avenger
A Windows driver designed to remove persistent files and registry keys. The commands to be executed on the system are written to a script that will be read by the driver once it starts.

 

The Avenger GUI and script to delete security solutions

Gmer
Gmer is a well-known rootkit detector and remover with lots of functions to detect rootkit activities on the system as well as delete files by using its own device driver. As it has a command-line interface, it is easy to remove protected files.

 

BAT file using GMER’s killfile function to remove security solution

More details about banking Trojans using GMER to uninstall security software can be found in a separate blogpost.

Malicious Bootloader

After using anti-rootkits Brazil’s cybercriminals went deeper and started to develop their own bootloaders, tailored exclusively to remove the security solutions from user’s machine. The downloader is in charge of installing the malicious files and then rebooting the machine. After reboot the malicious bootloader can remove the desired files from the system.

Basically, the malware replaces the original NTLDR, the bootloader for Windows NT-based systems up to Windows XP, to a modified version of GRUB.

 

Modified GRUB loader acting as NTLDR

This loader will read the menu.lst file that points to the malicious files already installed on the system xp-msantivirus and xp-msclean.

 

Menu.lst file containing the parameters to execute malicious commands

When executed the malware will remove files related to security solutions and then restore the original NTLDR files that were previously renamed to NTLDR.old.

 

Commands executed to remove security modules and restore the original NTLDR

What we have nowadays

Automation

Most banks were using machine identification to prevent unauthorized attempts to perform operations using the stolen information. To bypass this the bad guys started performing the malicious operations from the infected machine, by using Internet Explorer Automation (formerly OLE automation) to interact with the page content.

The first samples using this type of attack were Browser Helper Objects (BHOs) that could detect a transfer transaction and then change the destination account, sending the money to the attacker instead of the real destination.

Later, the same method was heavily used in Boleto attacks, where they were using automation to get the inputted barcode and then replace it with the fraudulent one.

Since this method only works for Internet Explorer, the malware needs to force the user to access internet banking via that browser. Therefore, it implements a timer which checks if Firefox or Chrome is being used and then kills the process.

 

Code to avoid use of Chrome and Firefox

When an instance of IE is found, the malware will search for a tab instance in order to be able to read the window text and then to know which URL is being accessed.

 

Finding the tab handle and obtaining the URL being accessed

 

Search for target’s specific titles

As the automation will process the page structure, it needs to know if the victim is on the page to input the Boleto information. It installs a handle to the event OnDocumentComplete in order to collect the full URL as soon as it is loaded and then checks if the user is on the target page.

 

Search for target’s specific pages

After confirming that the user is on the target page, the malware will process the page structure and install a handler to the submit button, then it can take control of the execution right after the user has submitted the page and then process the inputted content.

 

Search for a specific textbox and get the inputted data

After collecting the inputted data, it can be processed and then changed to the malicious content before submitting the page.

For those samples we could find, string obfuscation, debugger detection and virtual machine detection as well as this method mean they are not as easy to detect as other attacks involving phishing Trojans and hosts.

Code Obfuscation and RunPE

Looking for new ways to bypass detection, Brazilian criminals started using obfuscation in order to hide the parts of code that perform their main operations.

In the code below the coder has encrypted the original code of the function used to download the malicious payload; on a static analysis you cannot figure out what the purpose of this function is.

 

Encrypted downloader function

In runtime the malware will call the function to decrypt this code prior to executing it.

 

Decrypt code call

 

Decryption routine

As we can see in the code above, the decryption is a simple sub operation using the key 0x42 on the encrypted byte – a simple and fast way to hide parts of code.

 

Decrypted downloader function

In order to avoid detection by a network firewall, the downloaded file is encrypted using its own encryption function.

 

Encrypted file

 

Decrypted file

The encryption function is also hidden by using the same method used in the download function – after decrypting the code we can find a XOR-based encryption combined with a shift-right operation on the XOR key.

 

After decrypting the file, it will not be executed using the normal methods usually found in malicious code. To hide the process on the machine the malware uses a trick known as RunPE where the code will execute a clean process (like iexplorer.exe or explorer.exe) in a suspended state and then modify its memory content to the malicious code and execute.

 

Code launching clean process as suspended state

After creating the process in a suspended state the code will write the new code to the memory space, set the new EIP for execution and then resume the thread.

 

Writing malicious code and resuming the thread

 

Internet explorer process hosting the malicious file

Since the malicious code is running on the memory space allocated to Internet Explorer, using tools like Process Explorer to verify the publisher signature does not work because they check the signature of the process on the disk.

It was clear that they had moved on completely from using beginner’s code to a much more professional development and we realized it was time to update the analysis process for Brazilian malware. We are sure most of this evolution happened due to contact and the exchange of knowledge with other malware scenes, mostly those in Eastern Europe, which we described in this article.

AutoIt Crypto

AutoIt is now often used as a downloader and crypto for the final payload in order to bypass detection. After being compiled the AutoIt script is encrypted and embedded to the generated binary which makes it necessary to extract the original script before analyzing its code.

Looking for a better way to hide the final payload, the Brazilian cybercriminals have developed a new crypto using AutoIt language where the decrypted payload is executed by using a RunPE technique.

 

AutoIt Crypto execution flow

The crypto uses two different methods to store the encrypted file: the first one is by using the FileInstall function that already exists on AutoIt, and the other one is embedding the file at the end of the binary.

When using the second method the crypto writes a key which is used to mark where the encrypted payload content starts and is then able to find the content to decrypt. On the sample below, the key used is a short version of “Sei que ganharei 20K” which means “I know that I will win R$ 20,000”.

 

Key used to mark where the encrypted payload starts

 

AutoIt Crypto main code

After reading the encrypted payload it decrypts the content using the decryption key “VENCIVINICI” and then executes the malicious payload using RunPE.

The decryption function code is not written in AutoIt – it is written in C language. After being compiled the bytes are included in the code as a string and then mapped to memory and executed by using CallWindowProc API.

 

Decryption function implementation

We found the following algorithms being implemented as the encryption/compression method for this crypto:

RC4
XXTEA
AES
LZMA
ZLIB
The use of AutoIt for malware development is not something new, but in the middle of 2014 we saw a wave of attacks using AutoIt in Brazil, as we can see on the graph below.

 

Trojan.Win32.Autoit: number of users attacked in Brazil

MSIL Database

Another type of malware that emerged recently was malware developed in .NET instead of Visual Basic 6.0 and Delphi, following a trend we saw worldwide. It is not hard to find a downloader written in .NET. Anyway, some samples of Trojan-Banker.MSIL.Lanima grabbed our attention when we found some of them were not using functions commonly used to download the payload.

 

Download function

As we can see in the picture above this samples does not use any download function because it uses SQL Server to host the binary content and then just uses an SQL command to retrieve the content and save to disk.

The strings are encoded with base64 and encrypted with Triple DES algorithm in order to hide the text related to the main actions of the malware.

 

Decrypt function

This family of malware is very prevalent in Brazil and China:

 

MSIL Crypto

Following the same method used by AutoIt Crypto the bad guys developed another crypto, this time using .NET language. The process to extract the real executable is almost the same as AutoIt Crypto but it has an intermediate module which is responsible for extracting the final payload.

Looking at the main module we have a .NET code and the main function of this main module is to extract and load the embedded DLL.

 

.NET Crypto execution flow

 

Crypto main function

As we can see, the function above will split the binary content by using the separator string “cdpapxalZZZsssAAA” and use the second block which contains the encrypted code of the Loader DLL.

 

Loader DLL encrypted content

Then it is time to decrypt it by calling the function named “fantasma” (or “ghost” in English), the official name used for this crypto in the forums is PolyRevDecrypt which is basically an XOR operation between the encrypted byte, the last byte of the encrypted buffer and one byte of the password provided to the function.

 

Decryption function

After being decrypted, the code will be loaded and executed by the function “docinho” (or “candy” in English).

 

Function to load and execute the DLL

The code of the library is almost the same as the main executable except that now it will use the second block of the split content.

 

Loader DLL main function

RAT

In a bid to reduce the losses related to cyber attacks, banks implemented two-factor authentication using a hardware token and SMS token for online banking transactions in addition to the solutions already in place like machine identification. To solve this problem the cybercriminals have created a remote administration tool specially developed to request the information required to process internet banking transactions.

 

RAT execution flow

The browser watcher will monitor the user browser and see if any of the target banks are accessed; if they are, it will decompress and execute the RAT Client and notify the C&C about the new infection.

 

Internet banking access monitoring

The strings used by this malware are encrypted using their own encryption routine. After decrypting it we are able to identify the targets as well as the important parts of the code.

 

Decrypted strings

For this type of infection it is common for the bad guys to create a way to manage the attacks. Here we can see the number of computers infected on the same day, keeping in mind that this number means the amount of users that have accessed internet banking while the malware was running on their computer.

 

C&C panel showing the list of infected users

The RAT Client will connect to the server to alert the attacker that a new victim is accessing the internet banking system. It is then possible to execute the attack in real time.

 

RAT Server showing a new victim is connected

At this stage the attacker just needs to wait for the user to login and then proceed with the attack. When the user is already logged in, the attacker can see the user screen, lock it and control the execution as well as ask for specific information that will help him to steal the account, like:

Token
Access card code
Date of birth
Account password
Internet banking password
Electronic signature
To prevent the user from seeing that the computer is being remotely controlled, this RAT has a function that simulates an update for the bank security plugin showing a progress bar and disabling all user interactions. Meanwhile, the attacker can perform the banking operations by using the active browser section because the overlay screen is not shown to the attacker.

 

Lock screen simulating an update

If some information is requested to confirm the transaction, e.g. SMS token, the attacker can ask the victim who will think the information is necessary in order to proceed with the update process.

 

Screen asking for token code

As soon as the user provides the information, the attacker can enter it on the internet banking screen, bypassing the 2FA used in the transaction.

 

Information received from the victim

Ransomware

Brazilian cybercriminals not only work with banking malware – they are also exploring other types of attacks involving ransomware. Some years ago, we found TorLocker which contains details inside the malware code suggesting that the developer is from Brazil.

 

Code containing some strings suggesting the author is from Brazil

As we can see in the image above, we found the sentence highlighted in blue: “Filho de Umbanda não cai!” (“Umbanda’s son never falls down”). Umbanda is an unorthodox religion in Brazil. The name marked in red is the nickname of the author and it also uses the extension .d74 for the encrypted files. This user is very active on underground forums looking for malicious services in Brazil.

We also found other references, like the use of a service in Brazil to get the victim IP in order to notify about an infection.

 

Request to a Brazilian service to obtain the victim IP

Some months ago, we found another ransomware program based on the Hidden Tear source code that was modified to target Brazilian users, differing from the initial program that was found targeting English- and Japanese-speaking users.

 

Victim’s machine showing messages in Portuguese, asking to pay in order to receive the files

Why they evolve

We have sufficient evidence that Brazilian criminals are cooperating with the Eastern European gangs involved with ZeuS, SpyEye and other malware created in the region. This collaboration directly affects the quality and threat level of local Brazilian malware, as its authors are adding new techniques to their creations and getting inspiration to copy some of the features used in the malware originating from Eastern Europe. Brazilian cybercriminals are not only developing the quality of their code but also using the cybercrime infrastructure from abroad.

We saw the first sign of this ‘partnership’ in the development of malware using malicious PAC scripts. This technique was heavily exploited by Brazilian malware starting in 2011 and was later adopted by Russian banking Trojan Capper. This cooperation continued as Brazilian criminals started to use the infrastructure of banking Trojans from Eastern Europe – the Trojan-Downloader.Win32.Crishi was the first to use DGA domains hosted at bulletproof companies from Ukraine. Also the Boleto malware adopted the massive usage of fast flux domains, aiming to avoid the takedown of C2s – we saw that with the “bagaça” (bagasse in Portuguese) domains, registered using anonymous services, which hosted crimeware and boleto stuff and was resolving different IPs for every request.

 

The “bagaça” domains: fast flux and bulletproof from Eastern Europe

Other strong signs of their cooperation are the constant presence of Brazilian cybercriminals on Russian or Eastern European underground forums. It’s not unusual to find Brazilian criminals on Russian underground forums looking for samples, buying new crimeware and ATM/PoS malware, or negotiating and offering their services. The results of this cooperation can be seen in the development of new techniques adopted in Brazilian malware.

 

The Brazilian malicious author of TorLocker negotiating in a Russian underground forum

These facts show how Brazilian cybercriminals are adopting new techniques as a result of collaboration with their European counterparts. We believe this is only the tip of the iceberg, as this kind of exchange tends to increase over the years as Brazilian crime develops and looks for new ways to attack businesses and regular people.

Conclusion

Cybercrime in Brazil has changed drastically in the last few years, as it shifted from simple keyloggers built from public source code to tailored remote administration tools that can run a complete attack by using the victim machine.

Malware that used to show a phishing screen as soon as it was executed is now completely reactive and waits for a valid session in order to start the job.

That means that the criminals are investing much more money and time in order to develop their malicious code, enhancing anti-debugging techniques and then running the malware undetected for much longer.

As we know, they are in touch with cybercriminals from Eastern Europe, mainly Russians, where they exchange information, malware source code and services that will be used in Brazilian attacks. We can see that many of the attacks used in Brazil were first seen in Russian malware as well as Brazilian techniques later being used in Russian attacks.

Based on that, we can expect to find Brazilian malware with enhanced code obfuscations, anti-debugging tricks, encryption algorithms and secure communications making our work much harder than now.


Hacker Hijacks a Police Drone from 2 Km Away with $40 Kit
1.4.2016

A researcher has demonstrated how easy it is to steal high-end drones, commonly deployed by government agencies and police forces, from 2 kilometres away with the help of less than $40 worth of hardware.
The attack was developed by IBM security researcher Nils Rodday, who recently presented his findings at Black Hat Asia 2016.
Hacking the $28,463 Drone with Less than $40 of Hardware
Rodday explained how security vulnerabilities in a drone's radio connection could leverage an attacker (with some basic knowledge of radio communications) to hijack the US$28,463 quadcopters with less than $40 of hardware.
Rodday discovered (PPT) two security flaws in the tested drone that gave him the ability to hack the device in seconds.
First, the connection between drone's controller module, known as telemetry box, and a user’s tablet uses extremely vulnerable 'WEP' (Wired-Equivalent Privacy) encryption – a protocol long known to be 'crackable in seconds.'
Also Read: Police Training Eagles to Take Down Rogue Drones
This flaw could be exploited by any attacker in Wi-Fi range of 100 meters to break into that connection and send a malicious command that disconnects the drone's owner of the network.
Second, the onboard chips used for communication between that telemetry module and the drone uses even less-secured radio protocol.
Hijacking Drones from 2 Kms Away
Hacker Hijacks a Police Drone from 2 Km Away
The module and drone communicate using 'Xbee' chip, created by the Minnesota-based chipmaker Digi International and is commonly used in unmanned aerial vehicles (UAVs) everywhere.
According to Rodday, Xbee chips do have built-in encryption capabilities, but for avoiding latency between the drone and the user's commands, the chips doesn't implement encryption.
This issue leaves the drones open to 'Man-in-the-Middle' (MitM) attacks, leveraging an attacker to intercept everything happening on the UAVs network connection and inject commands between the drone and the telemetry box from up to 2 kilometres away.
Also Read: Anti-Drone Weapon that Shoots Down UAVs with Radio Waves
Furthermore, Rodday also warned that any sophisticated hacker with the ability to reverse engineer the drone's software would be able to send navigational controls, block all commands from the real operator, or even crash it to the ground.
Rodday's research proves that there are critical issues with what's likely the most expensive drone yet, as well as one that is used for more serious purposes than high-altitude selfies, which needs to be considered seriously.


The dangerous interaction between Russian and Brazilian cyber criminal underground
1.4.2016 Hacking

Kaspersky has analyzed the interaction between the Russian and Brazilian criminal underground communities revealing a dangerous interaction.
In the past weeks, we have analyzed the evolution of cyber criminal communities worldwide, focusing on illicit activities in the Deep Web. To simplify the approach we have considered the principal cyber criminal communities (Russia, Brazil, North America, Japan, China, Germany) as separated entities, instead, these ecosystems interact each other in a way that Kaspersky experts have analyzed.

Experts from Kaspersky Lab have analyzed the interaction between the Russian and Brazilian criminal communities, a dangerous interaction that is leading to a rapid evolution of hacking tools.

The experts at Kaspersky Lab demonstrated that Brazilian and Russian-speaking criminals have an intense cooperation, Brazilian criminals use to buy malware samples from the Russian peers operating the principal underground forums. Typically they pay for exploit kits, ATM or PoS malware and also hacking services.

The first example of collaboration is dated back 2011, when Brazilian cyber criminals have been actively abusing malicious PAC scripts to redirect victims to phishing pages. A few months later, cyber criminals behind the Russian banking Trojan Capper adopted the same technique.

“We saw the first sign of this ‘partnership’ in the development of malware using malicious PAC scripts. This technique was heavily exploited by Brazilian malware starting in 2011 and was later adopted by Russian banking Trojan Capper. ” states the analysis published by Kaspersky.

Russian Brazilian underground

The experts highlight that cooperation runs both ways, helping to speed up the growth of hacking capabilities of both communities and also malware evolution.

“As we know, they are in touch with cybercriminals from Eastern Europe, mainly Russians, where they exchange information, malware source code and services that will be used in Brazilian attacks. We can see that many of the attacks used in Brazil were first seen in Russian malware as well as Brazilian techniques later being used in Russian attacks.” continues Kaspersky.

The researchers collected evidence of the profitable collaboration, in one discussion thread on an underground forum frequented by Russian hackers a user behind the moniker “Doisti74” expressed his interest in buying compromised machines located in Brazil. The same user is present in the Brazilian underground scene and researchers believe he could be interested in launching malware-based campaign in Brazil.

Brazilian crooks are looking with increasing interest at ransomware, some years ago experts at Kaspersky discovered the threat TorLocker developed by Brazilian malware developers. Some months ago, Kaspersky has spotted another ransomware based on the Hidden Tear source code that was adapted to target Brazilian users.

Crooks belonging to the two criminal underground communities also use to share malicious infrastructure, this is the case of a number of Boleto malware campaigns observed in Brazil that were relying on the same infrastructure used months before by operators behind the Russian banking Trojan family (Crishi).

The researchers have illustrated in details numerous evidence they collected related to the collaboration between Russian and Brazilian hackers, the experts highlighted that Brazilian banking malware has rapidly evolved in the last years thanks to this interaction.

“Just a few years ago, Brazilian banking malware was very basic and easy to detect,” said Thiago Marques, security researcher at Kaspersky Lab.

“With time, however, the malware authors have adopted multiple techniques to avoid detection, including code obfuscation, root and bootkit functions and so on, making their malware much more sophisticated and harder to combat.

“This is thanks to malicious technologies developed by Russian-speaking criminals. And this cooperation works both ways.”

I have no doubt, cybercrime has no boundaries and this kind of interaction will reinforce the principal criminal underground communities.


Do hackers have hacked election to make Peña Nieto President?
1.4.2016 Hacking

A Columbian hacker claims he helped the candidate Enrique Peña Nieto in winning the Mexican presidential election in 2012.
Until now we have seen something of similar only in the TV series, but the reality could overwhelm the fiction because a Columbian hacker claims he helped Enrique Peña Nieto in winning Mexican presidential election.

The hacker named Andrés Sepúlveda revealed to have operated in a team with peers to install a malware to monitor opponents during the 2012 campaign as part of a hacking campaign codenamed ‘black propaganda.’

The hackers helped Enrique Peña Nieto win Mexico’s 2012 presidential election, they manipulated the event it in nine countries across Latin America. The hackers have installed malware with the intent to spy on target machines and steal data, they also used a botnet to manage PSYOPs on the social media trying to influence the final decision of the voters.

Enrique Pena Nieto

The hacker, who is currently serving a 10-year prison sentence for hacking crimes related to Colombia’s 2014 presidential election, released an interview to Bloomberg explaining that he was hired by the Miami-based political consultant Juan José Rendón.

“My job was to do actions of dirty war and psychological operations, black propaganda, rumors—the whole dark side of politics that nobody knows exists but everyone can see” the man told to Bloomberg.

Sepúlveda added that his primary motivation was political, he hacked in opposition to what he defined “dictatorships and socialists governments.”

The political consultant Juan José Rendón denied to have hired Sepúlveda for illegal activities and confirmed that he paid him in 2005 for the development of a web site.

“He is delusional,” Rendón said in a phone call. “All the things he describes are exactly like the TV show Mr Robot.”

“Can you really change the will of the people through social networks? Maybe in Ukraine or Syria where there is no alternatives. But here (in the Americas) where there is TV, a free press and door to door campaigns, it is not so influential,” he added.

Sepúlveda confirmed to have had a $600,000 budget to undermine the presidential campaigns Nieto’s opponents, Josefina Vázquez Mota and Andrés Manuel López Obrador.

The hacker team compromised computers at the headquarters of the two candidates in order to monitor communications and exfiltrate sensitive data, including speech drafts and campaign schedules.

They also managed a PSYOP through the principal social networks by using a multitude of fake Twitter accounts to fuel the public debate on the Peña Nieto’s political plan and discrediting his rivals, all these accounts were carefully managed in a way to appear legitimate.

“He wrote a software program, now called Social Media Predator, to manage and direct a virtual army of fake Twitter accounts. The software let him quickly change names, profile pictures, and biographies to fit any need. Eventually, he discovered, he could manipulate the public debate as easily as moving pieces on a chessboard—or, as he puts it, “When I realized that people believe what the Internet says more than reality, I discovered that I had the power to make people believe almost anything.”” reported Bloomberg.

Sepúlveda confirmed to have used a strategy similar to the ‘black propaganda’ in order to influence the opinion of voters in other elections in several countries, including Venezuela, Nicaragua, Panama, Honduras, El Salvador, Colombia, Costa Rica and Guatemala.

Unfortunately, the man has destroyed most of the evidence of his support to the politic candidates in various presidential campaigns.

Which is the Peña Nieto’s position?

The Office of the President issued the following statement:

“We reject any relationship between the 2012 presidential campaign team and Andrés Sepúlveda or that there was a contract with the consultant J.J. Rendón.”


Just One? No, FBI to Unlock More iPhones with its Secret Technique
1.4.2016  Apple
The Federal Bureau of Investigation (FBI) worked with Israeli mobile forensic firm Cellebrite to unlock iPhone used in the San Bernardino shooting last year, confirmed by multiple sources familiar with the matter.
The United States Department of Justice (DoJ) said on Tuesday that the FBI successfully unlocked iPhone and accessed data with the help of an undisclosed alternative method offered by a third party and that it no longer needs Apple's assistance.
Apple was engaged in a legal encryption battle with the DoJ for a month over a court order that forces the company to write new software, which could disable passcode protection on Farook's iPhone 5C to help them access data on it.
Apple refused to comply with the order, saying the FBI wants the company to create the "software equivalent of cancer" that would likely threaten the privacy and data security of millions of its iPhone users.
FBI to Unlock iPhone in Several Pending Cases
Although the legal battle between the FBI and Apple is over, the 'encryption vs. national security' drama is still ongoing.
Apple to FBI: Reveal Your Secret Technique

Apple asked the FBI to share its exploit that bypassed the iPhone security protections, but the agency, which has already been frustrated in convincing Apple to help it access data on just one iPhone, might prefer to keep its technique secret.
Now, when the FBI itself owns a cancerous software, the agency would most likely use it to resolve several pending court cases in which the Feds were seeking Apple's assistance to access information from a locked iPhone.
Yes, the FBI is keeping its technique secret… but only from Apple and not from other law enforcement agencies seeking details on the method to access locked iPhones involved in criminal cases.
Currently, there are two separate court cases, one in Arkansas and the other in Brooklyn, seeking help from the FBI.
Case 1: Reportedly, the FBI agreed to help the Police in Arkansas in the homicide case by unlocking an iPhone and iPod belonging to two teens accused of killing a couple.
Case 2: In the Brooklyn case, an iPhone 5S was seized in the course of a drug investigation, which runs iOS 7. The DoJ will disclose by April 11 as to whether it would "modify" its own request for Apple's assistance in this case or will unlock itself.
Apple's Biggest Problem: How FBI hacked its iPhone
It's still a question, but since the agency so desperately wanted an iPhone backdoor, it seems that it will not share with Apple after having one.
Apple is now in the uncomfortable position as the company knows that a critical vulnerability exists in its operating system, but don't know what it is.
The situation becomes serious for Apple where the company knows the FBI has no legal obligation to disclose how it broke the iPhone's security.
However, the government could argue the technique is bound by a non-disclosure agreement with the third party that unlocked the iPhone.
Though it's not just Apple who had been approached several times to help Feds unlock iPhone, Google had also been asked, at least, nine times to help federal agencies hack into locked Android smartphone citing the All Writs Act.


SideStepper method allows to infect iOS devices via MDM Solutions
1.4.2016 Apple

SideStepper is a method to install malicious apps on iOS devices by abusing the mobile device management (MDM) solutions.
Security researchers from the Check Point firm have devised a method to install a malicious code on iOS devices by abusing the mobile device management (MDM) solutions used by many enterprises.

The technique relies on a vulnerability dubbed by the experts SideStepper, but that Apple considers it as a normal behavior.

“SideStepper is a vulnerability that allows an attacker to circumvent security enhancements in iOS 9 meant to protect users from installing malicious enterprise apps. These enhancements require the user to take several steps in device settings to trust an enterprise developer certificate, making it harder to install a malicious app accidentally.” state the blog post published by Check Point.

Apple allows enterprises to distribute internally-used apps through a Developer Enterprise Program instead passing through the App Store. In order to install the apps, enterprises need to use certificates signed by Apple.

The program allows organizations to install internal apps on employee devices using enterprise certificates signed by Apple.

However, hackers have abused in several circumstances of digital certificates so Apple introduced new security enhancements in iOS 9.

“These enhancements require the user to take several steps in device settings to trust an enterprise developer certificate, making it harder to install a malicious app accidentally.” States the CheckPoint firm.

SideStepper technique

MDM solutions are used by enterprises to easily manage mobile devices used by employees. MDM allows the easy management of any aspect of the mobile devices, including installing apps, deployment of security policies, and remotely wipe phones.

Experts at CheckPoint firm highlighted that threat actors can launch a man-in-the-middle (MitM) attack against the MDM solution to allow the installation of malicious enterprise apps over-the-air, this is possible because Apple gives apps installed using MDMs the possibility to bypass security measures.

Malicious MDM-distributed apps can be abused by using the following process:

Install a malicious iOS configuration profile. This is a native way to distribute a set of configuration settings like networking, security settings, root CAs, and more. A threat actor can craft a configuration profile that will install a root CA and route traffic through a VPN or a proxy to a malicious server, and then initiate a MitM attack. This configuration could be deployed using phishing attack.
Set up a remote enterprise app server to serve the malicious app.
Wait for a command to be sent to an iOS device by an MDM: then, using a MitM attack, intercept and replace the command with a request to install a malicious app. The iOS device will fetch from the remote enterprise app server and install it.
Execute commands using the malicious enterprise app which, because of the method used to install it, does not require explicit user trust. This means that users will not be able to distinguish between a legitimate enterprise app, an App Store app, or a bogus app installed by a threat actor.
Basically, the attackers could intercept the command sent by the MDM to the devices and replace it with a request to install a malicious app. The operation doesn’t need user’s interaction making hard to discover the attack.

The SideStepper technique could be used to infect Apple devices and control them with a malicious code.

CheckPoint suggests enterprises to carefully assess the risk of malicious applications on mobile devices.

Experts from CheckPoint will present the SideStepper method at the Black Hat Asia conference Today.