29 January 2013

Russia, China seek new cybercrime agreement

Russia and China are pushing for a new agreement to combat cybercrime, Federation Council Speaker Valentina Matviyenko said on Monday.
All the Asia Pacific Parliamentary Forum's member states are concerned by the problem, but they are split on how best to tackle it, she said.
She explained that a new initiative in this area is needed because of how much has changed since the declaration on cyber security was adopted in Budapest a decade ago.
“During these 10 years, [cyber] space has changed so greatly that Russia, China and a number of other countries insist on the preparation of a new agreement to combat cybercrime,” Matviyenko said.
“Frankly speaking, no one has proposed any effective ways, effective measures of meeting this new challenge.”


Click here to read more ....

Pentagon plans massive surge in Cyber Command staff

Boosting online warrior numbers from 900 to 4,900
Currently there are around 900 uniformed and civilian staff employed by the Pentagon in its Cyber Command, which is separate from the National Security Agency – at least in principle. In practice, however, the two work side-by-side, and both are headed by the same man, General Keith Alexander

A senior defense official told the paper that the Pentagon would primarily focus on online activity outside of US domestic borders, and would only be involved in major online attacks, not minor hacking and phishing annoyances. US companies and those international companies that use American-hosted services won't be touched.

The staffing increase is scheduled to begin later this year and next, but there are likely to be problems simply finding that many people with the right skills to do the job. The military was at last year's Black Hat hacking conference looking for recruits and support from the private security industry, but weren't finding many takers.
Security researchers who have worked with the Pentagon have complained that all too often the government wants to know their security tricks, but isn't willing to share its knowledge or pay the kind of rates that researchers can make in private industry.


Click here to read more ....

Israeli Troops Swap Guns for Computers as Cyber Attacks Rise

At an army base outside Tel Aviv, soldiers sit in front of screens glued to scrolling colored computer code, keyboards at the ready to deflect attacks.
They’re Israel’s cyber defense team in training, among the uniformed men and women learning how to stalk hackers and pounce on virtual enemies as the state shields everything from ministry websites to the systems running the Tel Aviv stock market.
“To become one of the leading countries in cyber security, we have to act quickly to ensure that everyone will understand Israel is on its way to becoming a leading cyber-nation,” Rami Efrati, head of the civilian division of the National Cyber Bureau, said in an interview at the year-old agency this month. “Cyber security can be a national growth engine.”

Israeli government networks are among the most highly attacked in the world, with daily assaults numbering in the tens of thousands, the Soufan Group, a New York-based security adviser, said in a Jan. 14 report.
Two months ago, civilian computer technicians sat in front of a bank of screens in a Jerusalem government building deflecting millions of attempted attacks on Israeli government websites as the country’s air force struck the Hamas-controlled Gaza Strip and rockets hit Israel’s towns and cities.
Palestinian militants in Gaza consider cyber part of their resistance to Israel. “Our professional hackers never sleep,” said the spokesman for a pro-Hamas group who goes by the name Abu Mujahid. Islamic Jihad, which like Hamas is considered a terrorist organization by Israel, the U.S. and the European Union, said in November its operatives hacked into 5,000 mobile phones belonging to senior Israeli army officers.

Click here to read more ....

Activists urge Skype: Tell us who is spying on us

Microsoft mum on privacy, security policies
Among the group's concerns is that although Skype was founded in Europe, its acquisition by a US-based company – Microsoft – may mean it is now subject to different eavesdropping and data-disclosure requirements than it was before.
The group claims that both Microsoft and Skype have refused to answer questions about what kinds of user data the service retains, whether it discloses such data to governments, and whether Skype conversations can be intercepted.
The letter calls upon Microsoft to publish a regular Transparency Report outlining what kind of data Skype collects, what third parties might be able to intercept or retain, and how Skype interprets its responsibilities under the laws that pertain to it. In addition it asks for quantitative data about when, why, and how Skype shares data with third parties, including governments.

Click here to read more ......

Australia puts digital frontier at heart of national security plan

Prepares for ‘long, persistent fight’ online with new national Cyber Security Centre
Australia is tooling up for a “long, persistent fight” online, and believes digital combat will be as important to the nation’s future security as involvements in Iraq and Afghanistan were in the last decade.
No less a figure that Prime Minister Julia Gillard expressed that opinion today in a speech billed as a landmark security policy pronouncement that had as its premise the assertion that “The 9/11 decade is ending and a new one is taking its place.”
To ready the nation for coming online battles, Gillard said Australia will combine the infosec functions of several agencies – the Attorney-General’s Department, the Australian Defence Force, ASIO, the Australian Federal Police and the Australian Crime Commission - in a single location to operate as the new Australian Cyber Security Centre. The new operation should be up and running by year’s end.

One signal missing from the speech is just how the Centre will engage with the private sector. One element of that sector - security vendors - has not been shy of approaching the Australian government to push their agendas and have not been rebuffed when the offer aid. McAfee recently helped to prepare a cyber-safety campaign for Australian children, while The Register is aware of a prominent security vendor’s involvement in lobbying for and formulating data breach laws due to go before Parliament this year.
One hint of what the new Centre might get up to derives, in part, from our own story that ASIO, Australia’s largest intelligence agency, has changed its recruiting practices to ensure it has specialist staff to assist in its work.

Click here to read more ....

17 January 2013

"Red October" Diplomatic Cyber Attacks Investigation

Executive Summary

In October 2012, Kaspersky Lab’s Global Research & Analysis Team initiated a new threat research after a series of attacks against computer networks of various international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation, which we called «Red October» (after famous novel «The Hunt For The Red October»).
This report is based on detailed technical analysis of a series of targeted attacks against diplomatic, governmental and scientific research organizations in different countries, mostly related to the region of Eastern Europe, former USSR members and countries in Central Asia.
The main objective of the attackers was to gather intelligence from the compromised organizations, which included computer systems, personal mobile devices and network equipment.
The earliest evidence indicates that the cyber-espionage campaign was active since 2007 and is still active at the time of writing (January 2013). Besides that, registration data used for the purchase of several Command & Control (C&C) servers and unique malware filenames related to the current attackers hints at even earlier time of activity dating back to May 2007.

Main Findings

Advanced Cyber-espionage Network
Unique architecture
Broad variety of targets
Importation of exploits:
Attacker identification

Anatomy of the attack

General description

These attacks comprised of the classical scenario of specific targeted attacks, consisting of two major stages:
  1. Initial infection
  2. Additional modules deployed for intelligence gathering
The malicious code was delivered via e-mail as attachments (Microsoft Excel, Word and, probably PDF documents) which were rigged with exploit code for known security vulnerabilities in the mentioned applications.
Right after the victim opened the malicious document on a vulnerable system, the embedded malicious code initiated the setup of the main component which in turn handled further communication with the C&C servers.
Next, the system receives a number of additional spy modules from the C&C server, including modules to handle infection of smartphones.
The main purpose of the spying modules is to steal information. This includes files from different cryptographic systems, such as «Acid Cryptofiler», (see https://fr.wikipedia.org/wiki/Acid_Cryptofiler) which is known to be used in organizations of European Union/European Parliament/European Commission since the summer of 2011. All gathered information is packed, encrypted and only then transferred to the C&C server.


Another noteworthy fact is in the first line of this file, which is a command to switch the codepage of an infected system to 1251. This is required to address files and directories that contain Cyrillic characters in their names.
The «LHAFD.GCP» file is encrypted with RC4 and compressed with the "Zlib" library. This file is essentially a backdoor, which is decoded by the loader module (svchost.exe). The decrypted file is injected into system memory and is responsible for communication with the C&C server.

There is a notable module among all others, which is essentially created to be embedded into Adobe Reader and Microsoft Office applications. The main purpose of its code is to create a foolproof way to regain access to the target system. The module expects a specially crafted document with attached executable code and special tags. The document may be sent to the victim via e-mail. It will not have an exploit code and will safely pass all security checks. However, like with exploit case, the document will be instantly processed by the module and the module will start a malicious application attached to the document.


We have identified over 1000 different malicious files related to over 30 modules of this Trojan kit. Most of them were created between May 2010 and October 2012.
There were 115 file-creation dates identified which are related to these campaigns via emails during the last two and a half years. Concentration of file creation dates around a particular day may indicate date of the massive attacks (which was also confirmed by some of our side observations):
Year 2010
  • 19.05.2010
  • 21.07.2010
  • 04.09.2010
Year 2011
  • 05.01.2011
  • 14.03.2011
  • 05.04.2011
  • 23.06.2011
  • 06.09.2011
  • 21.09.2011
Year 2012
  • 12.01.2012
We used two approaches to identify targets for these attacks. First, we used the Kaspersky Security Network (KSN) and then we set up our own sinkhole server. The data received using two independent ways was correlating and this confirmed objective findings.



Countries with more than one infections

From the point of view of country distribution of connections to the sinkhole, we have observed victims in 39 countries, with most of IPs being from Switzerland. Kazakhstan and Greece follow next.
Some of the victim organizations were identified using IP addresses and public WHOIS information or remote system names.
Most «interesting» out of those are:
Algeria - Embassy
Afghanistan - Gov, Military, Embassy,
Armenia - Gov, Embassy
Austria - Embassy
Azerbaijan - Oil/Energy, Embassy, Research,
Belarus - Research, Oil/Energy, Gov, Embassy
Belgium - Embassy
Bosnia and Herzegovina - Embassy
Botswana - Embassy
Brunei Darussalam – Gov
Congo – Embassy
Cyprus - Embassy, Gov
France - Embassy, Military
Georgia - Embassy
Germany - Embassy
Greece – Embassy
Hungary -Embassy
India – Embassy
Indonesia - Embassy
Iran – Embassy
Iraq – Gov
Ireland - Embassy
Israel - Embassy
Italy -Embassy
Japan - Trade, Embassy
Jordan - Embassy
Kazakhstan - Gov, Research, Aerospace, Nuclear/Energy, Military
Kenya - Embassy
Kuwait - Embassy
Latvia - Embassy
Lebanon - Embassy
Lithuania - Embassy
Luxembourg - Gov
Mauritania - Embassy
Moldova - Gov, Military, Embassy
Morocco - Embassy
Mozambique - Embassy
Oman - Embassy
Pakistan - Embassy
Portugal - Embassy
Qatar - Embassy
Russia - Embassy, Research, Military, Nuclear/Energy
Saudi Arabia - Embassy
South Africa - Embassy
Spain - Gov, Embassy
Switzerland - Embassy
Tanzania - Embassy
Turkey - Embassy
Turkmenistan - Gov, Oil/Energy
Uganda - Embassy
Ukraine - Military
United Arab Emirates - Oil/Energy, Embassy, Gov
United States - Embassy
Uzbekistan - Embassy


For instance, a top level XLS dropper presumably used against a Polish target, named “Katyn_-_opinia_Rosjan.xls” contains the hardcoded victim ID “F50D0B17F870EB38026F”. A similar XLS named “tactlist_05-05-2011_.8634.xls / EEAS New contact list (05-05-2011).xls” possibly used in Moldova contains a victim ID “FCF5E48A0AE558F4B859”.

Click here to read more ....

Fake LinkedIn notifications lead to phishing and malware

LinkedIn users are once again targeted with a massive and widespread spam campaign that takes the form of a notification about a supposedly received message from a potential new connection:


"Malware writers are again taking advantage of LinkedIn’s popularity and users’ social media engagement after the holidays. With many people back to work and eager to strengthen their professional connections, the malicious campaign comes in really handy for the attackers," Bitdefender

Click here to read more ....

Cyber-espionage campaign targeting diplomatic and government institutions

Kaspersky Lab identified an elusive cyber-espionage campaign targeting diplomatic, governmental and scientific research organizations in several countries for at least five years.

The primary focus of this campaign targets countries in Eastern Europe, former USSR Republics, and countries in Central Asia, although victims can be found everywhere, including Western Europe and North America.

The main objective of the attackers was to gather sensitive documents from the compromised organizations, which included geopolitical intelligence, credentials to access classified computer systems, and data from personal mobile devices and network equipment.

In October 2012 Kaspersky Lab’s team of experts initiated an investigation following a series of attacks against computer networks targeting international diplomatic service agencies. A large scale cyber-espionage network was revealed and analyzed during the investigation.

Main research findings

The attackers have been active since at least 2007 and have been focusing on diplomatic and governmental agencies of various countries across the world, in addition to research institutions, energy and nuclear groups, and trade and aerospace targets.

The Red October attackers designed their own malware, identified as “Rocra,” that has its own unique modular architecture comprised of malicious extensions, info-stealing modules and backdoor Trojans.

The attackers often used information exfiltrated from infected networks as a way to gain entry into additional systems. For example, stolen credentials were compiled in a list and used when the attackers needed to guess passwords or phrases to gain access to additional systems.

To control the network of infected machines, the attackers created more than 60 domain names and several server hosting locations in different countries, with the majority being in Germany and Russia. Kaspersky Lab’s analysis of Rocra’s Command & Control (C2) infrastructure shows that the chain of servers was actually working as proxies in order to hide the location of the ‘mothership’ control server.

Information stolen from infected systems includes documents with extensions: txt, csv, eml, doc, vsd, sxw, odt, docx, rtf, pdf, mdb, xls, wab, rst, xps, iau, cif, key, crt, cer, hse, pgp, gpg, xia, xiu, xis, xio, xig, acidcsa, acidsca, aciddsk, acidpvr, acidppr, acidssa. In particular, the “acid*” extensions appears to refer to the classified software “Acid Cryptofiler”, which is used by several entities, from the European Union to NATO.


Click here to read more ....

New Java Exploit Fetches $5,000 Per Buyer

Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java, KrebsOnSecurity has learned.

The hacker forum admin’s message, portions of which are excerpted below, promised weaponized and source code versions of the exploit. This seller also said his Java 0day — in the latest version of Java (Java 7 Update 11) — was not yet part of any exploit kits, including the Cool Exploit Kit I wrote about last week that rents for $10,000 per month. From his sales pitch:
“New Java 0day, selling to 2 people, 5k$ per person
And you thought Java had epically failed when the last 0day came out. I lol’d. The best part is even-though java has failed once again and let users get compromised… guess what? I think you know what I’m going to say… there is yet another vulnerability in the latest version of java 7. I will not go into any details except with seriously interested buyers.
Code will be sold twice (it has been sold once already). It is not present in any known exploit pack including that very private version of [Blackhole] going for 10$k/month. I will accepting counter bids if you wish to outbid the competition. What you get? Unencrypted source files to the exploit (so you can have recrypted as necessary, I would warn you to be cautious who you allow to encrypt… they might try to steal a copy) Encrypted, weaponized version, simply modify the url in the php page that calls up the jar to your own executable url and you are set. You may pm me.”


Click here to read more ....

Homeland Security warns to disable Java amid zero-day flaw

The U.S. Department of Homeland Security has warned users to disable or uninstall Java software on their computers, amid continuing fears and an escalation in warnings from security experts that hundreds of millions of business and consumer users are vulnerable to a serious flaw.

"We are currently unaware of a practical solution to this problem," said the DHS' Computer Emergency Readiness Team (CERT) in a post on its Web site on Thursday evening. "This vulnerability is being attacked in the wild, and is reported to be incorporated into exploit kits. Exploit code for this vulnerability is also publicly available."
Java users should disable or uninstall Java immediately to mitigate any damage.


Click here to read more ....

04 January 2013

US - DHS to pick up $6 billion tab for cyber surveillance systems at every department

The Homeland Security Department is footing a potentially $6 billion bill to provide civilian agencies with the technology and expertise needed for near real-time threat detection, DHS officials said this week. The White House has demanded so-called continuous monitoring since 2010, but many agencies did not have the resources or know-how to initiate such surveillance.

Under the new five-year project, DHS, which is responsible for protecting civilian networks, will shoulder the financial burden to finish activating continuous monitoring governmentwide. More than 62 percent of the federal government, or 15 out of 24 major civilian agencies, do not have mature surveillance programs, according to internal watchdogs


Homeland Security plans to split the job among at least five teams, each comprising multiple companies supplying an array of technologies and experts. Military, state and local agencies will be urged to purchase services from the same contract packages to protect dot-mil and municipal government computer systems, but Homeland Security will not cover those costs.
“DHS is responsible for securing unclassified networks for federal executive branch civilian departments and agencies” on the dot-gov domain, Homeland Security spokesman SY Lee said.

Click here to read more ....

On the Digging of Cyber Holes: The NextGen Air Traffic Control System

Last year, researchers at the University of Texas at Austin demonstrated a proof of concept capability to hijack an unmanned drone by spoofing its Global Positioning System (GPS) components.  In effect, the spoofing sent a false positioning signal to the drone.  Using less than $1000 worth of gear, the UT students were able to the satellite signal used by an unmanned aircraft to know where it is.  Because the spoofed data looks just like the data coming down from GPS satellites, the drone’s onboard computer doesn’t realize that its navigation data is wrong.  And, voila — the attacker has complete control.


NextGen is an initiative of the FAA – they plan to replace the existing radar-based air traffic control infrastructure with a system that relies exclusively on GPS signals.  The transition is supposed to be complete by 2025.    In many ways the prospect of a transition is fundamentally good.  The new technology will improve air safety (planes will know where they are more precisely) and efficiency (aircraft will be able to take shorter routes through airspace).   Money will be saved and less fuel will be burned.  NextGen is even good for the environment.


Click here to read more ....

Fake Canadian police site 'fines' surfers for phony cyber crimes

A pop-up message seemingly from RCMP which accuses computer users of cyber crime is one of the latest computer scams to target Canadians.
The sophisticated virus locks your computer and demands a $100 fine for alleged crimes of copyright infringement, pornography, or even terrorism.

Click here to read more ....

UK to launch public cyber security awareness campaign

The Cabinet Office is to launch a public cyber security awareness programme early this year aimed at improving the online security of consumers and small and medium enterprises (SMEs).
The initiative is part of the government’s cyber security strategy, aimed at ensuring the UK can manage the risks and harness the benefits of cyberspace.

The programme will specifically target school children, as well as adults who take a reckless attitude to posting personal details online, according to The Guardian.
"The big goal for the next 12 months is to get somewhere transformative in terms of business and public understanding of this issue," the paper quotes a senior official as saying.

The government has rated cyber attacks as a Tier 1 threat and has committed £650m to the transformative National Cyber Security Programme to bolster the UK’s cyber defences.
In his one-year review of the cyber security strategy, Maude said a recent survey found that 93% of large corporations and 76% of small businesses had experienced a cyber security breach in the past year.


Click here to read more ....

US Defense bill emphasizes cyber operations

The Defense Department is taking more aggressive steps in cyberspace, including clearer authorities, more oversight and a key partnership to identify and address gaps, due to provisions in the National Defense Authorization Act for fiscal 2013.
Those provisions in the NDAA, which President Barack Obama signed into law on Jan. 2, require DOD officials to report on cyber operations to Congress on a quarterly basis, beginning March 1. It also outlines authorities and expectations for military forces in cyberspace.


‘‘The Secretary of Defense shall provide to the Committees on Armed Services of the House of Representatives and the Senate quarterly briefings on all offensive and significant defensive military operations in cyberspace carried out by the [DOD] during the immediately preceding quarter,” the NDAA text reads. It also orders the defense secretary to provide within 90 days “a briefing on the interagency process for coordinating and de-conflicting full-spectrum military cyber operations for the federal government,” as well as future cyber budgeting justification.
That open-architecture, “plug-and-play” network defense system would need to be available for cloud environments as well as the battlefield, and would need to overcome shortfalls in current systems that “cannot address new or rapidly morphing threats; consume substantial amounts of communication capacity to remain current with known threats and to report current status; or consume substantial amounts of resources to store rapidly growing threat libraries.”


Click here to read more ....

Cyber Attack On PNC’s Online Banking Slows Customer Access

PITTSBURGH (KDKA) — Bob Williams of Edgewood is one of thousands of PNC customers who enjoy the bank’s online banking system — until recently.
“What just happened?” KDKA money editor Jon Delano asked Williams as he tried to log on to the PNC online banking website.
“I got a pop-up saying Internet Explorer cannot display the webpage,” said Williams


PNC says nothing is wrong with its Internet or cyber security systems, telling KDKA-TV, “There are no internal issues with PNC’s systems. A number of large American banks, including PNC, have experienced high volume of traffic at Internet connections, crowding out legitimate customers.”

“We had 38-straight hours of attacks on our systems, and we had the longest attack of all the banks,” said Rohr. “And they just pummeled us, and now they’re talking about — they’ve sourced it from Iran — but you know what it did in our case, it dramatically slowed our processes.”

Click here to read more ....

Cyber-attack malware in Japan identified

JAPAN - A cyber-attack suspected to have compromised and sent overseas more than 3,000 confidential documents from the farm ministry, including many on global trade negotiations, used special software to transmit the information, it has been learned.
The same programme was also used to take internal Finance Ministry documents in an attack uncovered in July, government sources said.


So far, the farm ministry's initial investigation has revealed the malware used in the suspected leak to be HTran, a connection bouncer programme believed to have been developed by a Chinese hacker group around 2003, the government sources said.

The programme was also used to steal data from the Finance Ministry, as HTran data transmissions were discovered to have taken place from October 2010 to November 2011, the sources said.


Click here to read more ....

India under grip of cyber-attacks: Report

India is under the grip of cyber attacks and there is an obvious peak in the growth of malware and their modifications on mobile devices, especially on the Android platform, according to a report.
Though PC is still the prevalent target for malware authors, there is an obvious peak in the growth of malware and their modifications on mobile devices, especially on the Android platform, The Quick Heal Annual Windows and Mobile Malware Report, 2012, released by Quick Heal Technologies, a leading player in India's anti-virus segment said Mumbai.


The report reveals that India is under the grip of cyber attacks with increase of almost 90 percent in Windows malware and a mind-boggling increase of 170 percent in its modifications and the bad guys are also winning the war in the mobile platform.
Virus attacks in the mobile space have started soaring at a rapid pace with 30 percent growth registered in 2012 and 80 percent increase in its modifications.

Click here to read more ....