Viruses and Worms

Experts Have Sobering Message on Human Rights, Privacy for Security Pros - 4 October, 2017 - 19:26
Speakers at Virus Bulletin painted grim pictures of the threats to physical safety and civil liberties posed by commercial spyware and high-end surveillance software often sold to governments.
Category: Viruses and Worms

Russian suspected of $4bn Bitcoin laundering op to be extradited to US

The Register - Anti-Virus - 4 October, 2017 - 17:10
38-year-old said to be appealing Greek court's decision

A Greek court has approved the US extradition of a Russian national accused of running a $4bn Bitcoin laundering ring on the now-defunct BTC-e exchange.…

Category: Viruses and Worms

Costin Raiu and Juan Andres Guerrero-Saade on APT Fourth-Party Collection - 4 October, 2017 - 17:00
Costin Raiu and Juan Andres Guerrero-Saade talk to Mike Mimoso live from Virus Bulletin in Madrid about APTs leveraging one another's attacks and compromised machines as their own.
Category: Viruses and Worms

DNSSEC master key change delayed after ISPs struggle

Sophos Naked Security - 4 October, 2017 - 16:21
ICANN isn't going to risk breaking the internet

Cloudflare CTO Goes Inside the Cloudbleed Bug - 4 October, 2017 - 13:50
Cloudflare’s chief technology officer was frank and apologetic about February’s Cloudbleed bug during today's Virus Bulletin 2017 keynote.
Category: Viruses and Worms

Email fraudsters foiled by a smiley

Sophos Naked Security - 4 October, 2017 - 13:23
Kiss that $90K goodbye, untalented imposters!

The Festive Complexities of SIGINT-Capable Threat Actors

Kaspersky Securelist - 4 October, 2017 - 12:00

To read the full paper and learn more about this, refer to “Walking in Your Enemy’s Shadow: When Fourth-Party Collection Becomes Attribution Hell”

Attribution is complicated under the best of circumstances. Sparse attributory indicators and the possibility of overt manipulation have proven enough for many researchers to shy away from the attribution space. And yet, we haven’t even discussed the worst-case scenarios. What happens to our research methods when threat actors start hacking each other? What happens when threat actors leverage another’s seemingly closed-source toolkit? Or better yet, what if they open-source an entire suite to generate so much noise that they’ll never be heard?

Thankfully, the 2017 VirusBulletin conference is upon us and, as in previous years, we’re taking the opportunity to dive into an exciting subject, guided by our experience from doing hands-on APT research.

During the past years, we discussed the evolution of anti-malware research into intelligence brokerage, the inherent problems with doing attribution based solely on fifth-domain indicators, and an attempt to have a balanced discussion between defensive cats and the sly mice that elude them. Continuing in this direction, this year we decided to put our heads together to understand the implications that the esoteric SIGINT practice of fourth-party collection could have on threat intelligence research.

A few types of SIGINT Collection

The means by which information is generated and collected is the most important part of an analyst’s work. One must be well aware of the means and source of the information analyzed in order to either compensate or exploit its provenance. For that reason, collection can be categorized by its means of generation in relation to the position of the parties involved, as discussed below. These definitions will serve as functional categories for our understanding as outsiders looking into the more complex spheres of collection dynamics.

To showcase the types of data collection, let’s imagine a competent entity named ‘Agency-A’ as a stand-in for a ‘God on the wire’-style SIGINT agency interested in fourth-party collection.

There are multiple types of collection categories available to this entity. The more obvious being information collected by Agency-A directly (first-party) or shared with Agency-A by partner services (second-party). Third-party collection, or information collected via access to strategic organizations, whether they realize it or not, has gotten a lot of attention over the past few years. This would include ISPs, ad networks, or social media platforms that aggregate great troves of valuable data.

Similarly, for the sake of explanation we will introduce further entities: Agency-B, a second, semi-competent SIGINT agency on which Agency-A can be recurringly predatory, and, when necessary, an even less competent Agency-C that will serve as prey.

Yet, things get most interesting when we start talking about:

Fourth-party collection – “…involves interception of a foreign intelligence service’s ‘computer network exploitation’ (CNE) activity in a variety of possible configurations. Given the nature of Agency-A as a cyber-capable SIGINT entity, two modes of fourth-party collection are available to it: passive and active. The former will take advantage of its existing visibility into data in transit either between hop points in the adversary’s infrastructure or perhaps in transit from the victim to the command-and-control servers themselves (whichever opportunity permits). On the other hand, active means involve the leveraging of diverse CNE capabilities to collect, replace, or disrupt the adversary’s campaign. Both present challenges we will explore in extensive detail further below.”

In less technical terms, fourth-party collection is the practice of spying on a spy spying on someone else. Or with age-old cryptographic interlocutors: Bob is obsessed with Alice. Alice is being spied on by her overzealous neighbour Eve. In order for Bob to be a creeper without arousing suspicion, he decides to spy on Eve with the purpose of getting to know Alice through Eve’s original privacy violation.

As you might expect there are different ways to do this and many of them enjoy the benefit of being near impossible to detect. Where possible, we have added examples of what to us looks like possible active attempts to collect on another’s collection. Otherwise, we have added thought experiments to help us wrap our heads around this shadowy practice. Two examples worth bringing to your attention (reproduced faithfully from our paper):

‘We heard you like popping boxes, so we popped your box so we can watch while you watch’

Attempting to highlight examples of fourth-party collection is a difficult exercise in the interpretation of shadows and vague remnants. While passive collection is beyond our ability to observe, active collection involves the risk of leaving a footprint in the form of artefacts. In the course of APT investigations, Kaspersky Lab’s Global Research and Analysis Team (GReAT) has encountered strange artefacts that defy immediate understanding in the context of the investigation itself. While we cannot be certain of the intent or provenance of these artefacts, they nonetheless fit a conceptual framework of active fourth-party collection. Here are a few examples:

Crouching Yeti’s Pixelated Servers

In July 2014, we published our research on Crouching Yeti, also known as ‘Energetic Bear’, an APT actor active since at least 2010. Between 2010 and 2014, Crouching Yeti was involved in intrusions against a variety of sectors, including:

  • Industrial/machinery
  • Manufacturing
  • Pharmaceutical
  • Construction
  • Education
  • Information technology

Most of the victims we identified fell into the industrial and machine manufacturing sector, indicating a vertical of special interest for this attacker.

To manage their victims, Crouching Yeti relied on a network of hacked websites which acted as command-and-control servers. For this, the attackers would install a PHP-based backend that could be used to collect data from or deliver commands to the victims. To manage the backend, the attackers used a control panel (also written in PHP) that, upon checking login credentials, would allow them to manage the information stolen from the victims.

In March 2014, while investigating one of the hacked sites used by Energetic Bear, we observed that for a brief period of time, the page for the control panel was modified to include an <img src> tag that pointed to a remote IP address in China. This remote 1×1 pixel image was likely intended to fingerprint the attackers as they logged into their control panel. The fingerprinting could have been used to collect attributory indicators. The usage of an IP address in China, which appeared to point to yet another hacked server, was most likely an attempt at a rudimentary false flag should this injection be discovered.
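A check of the kind a defender (or an incident responder handling a seized panel) could run over a page to surface an injected fingerprinting pixel like the one described above. This is an added example, not code from the Securelist paper; the panel host name and the sample page are constructed.

```python
# Added example (not Kaspersky's code): flag <img> tags in a page that load from an
# external host, especially a bare IP address or a 1x1 pixel, as a beacon candidate.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse


class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in a document."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))  # attribute values may be None


def _is_bare_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_beacon_images(page_html, own_host):
    """Return <img> entries whose source is not own_host, with the reasons they look suspicious."""
    parser = ImgCollector()
    parser.feed(page_html)
    findings = []
    for img in parser.images:
        src = img.get("src") or ""
        host = urlparse(src).hostname  # None for relative URLs such as /img/logo.png
        if not host or host == own_host.lower():
            continue  # same-origin and relative images are expected in a panel
        reasons = ["external host"]
        if _is_bare_ip(host):
            reasons.append("bare IP address")
        if (img.get("width") or "").strip() == "1" and (img.get("height") or "").strip() == "1":
            reasons.append("1x1 pixel")
        findings.append({"src": src, "host": host, "reasons": reasons})
    return findings


# Constructed sample: a login page with one legitimate logo and one injected beacon
# (203.0.113.7 is a documentation address, used here as a placeholder).
SAMPLE_PAGE = """<html><body>
<img src="/img/logo.png">
<form method="post"><input name="user"><input name="pass" type="password"></form>
<img src="http://203.0.113.7/c.gif" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for f in find_beacon_images(SAMPLE_PAGE, "panel.example"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```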

NetTraveler’s Most Leet Backdoor

While investigating the NetTraveler attacks, we obtained a disk image of a mothership server used by the threat actor. The mothership, a combination staging and relay server, contained a large number of scripts used by the attackers to interact with their malware, as well as VPN software and other IP masking solutions used to tunnel into their own hacking infrastructure.

Beyond the fortuitous boon of seizing such a content-rich server, GReAT researchers made a further unexpected discovery: the presence of a backdoor apparently placed by another entity.

We believe the backdoor was installed by an entity intent on maintaining prolonged access to the NetTraveler infrastructure or their stolen data. Considering that the NetTraveler operators had direct access to their mothership server and didn’t need a backdoor to operate it, we consider other possible interpretations less likely.

The artefact encountered is the following:

Name: svchost.exe
MD5: 58a4d93d386736cb9843a267c7c3c10b
Size: 37,888

Interestingly, the backdoor is written in assembly and was injected into an empty Visual C executable that served as a template. This unusual implementation was likely chosen in order to confuse analysis or prevent detection by simple antivirus programs.

The backdoor is primitive and does nothing but listen to port 31337 (The most ‘LEET!’ port) and wait for a payload to be sent. The acceptable payload format is depicted here:

The assembly code is then executed and can perform any action chosen by the predatory attackers. The backdoor requires no authentication. This sort of backdoor, combined with Metasploit or a similar framework, could easily have been used to control the system.

Over the last few years, we have seen a number of other peculiar incidents and cases that could constitute fourth-party collection.”


2013 Yahoo Breach Affected All 3 Billion Accounts - 4 October, 2017 - 08:57
Yahoo on Tuesday released an update to its 2013 breach, notifying users that all 3 billion accounts in existence at the time were compromised.
Category: Viruses and Worms

Oracle wants you to drop a log into its cloud, so it can talk security

The Register - Anti-Virus - 4 October, 2017 - 08:30
Larry E wants diverse log file formats tamed, so you can ask security questions in natural language

OpenWorld 2017  Oracle’s founder and chief technology officer Larry Ellison put on his best salesman act Tuesday during his second keynote at the tech giant's OpenWorld gabfest – this time playing up the impact high-profile IT security breaches have had on organisations and increasing concerns over state hackers.…

Category: Viruses and Worms

Sole Equifax security worker at fault for failed patch, says former CEO

The Register - Anti-Virus - 4 October, 2017 - 07:58
Someone failed to order the patch. If it was you, c'mere, have a hug. And a new identity

Recently-and-forcibly-retired Equifax CEO Rick Smith has laid the blame for his credit-check biz's IT security breach on a single member of the company's security team.…

Category: Viruses and Worms

Russian bot-herder and election-fiddling suspect closer to US trial

The Register - Anti-Virus - 4 October, 2017 - 07:31
It's an international tug-of-war: Russia also wants to extradite Peter Levashov

The 36-year-old Russian accused of herding pump-and-dump spambots will be tried in America, following a decision of a Spanish court.…

Category: Viruses and Worms

3 billion Yahoo accounts affected by 2013 breach

Sophos Naked Security - 4 October, 2017 - 02:31
The 2013 breach is three times worse than we thought

Nothing matters any more... Now hapless Equifax bags $7.5m IT contract with US taxmen

The Register - Anti-Virus - 4 October, 2017 - 01:29
They're just trolling us at this point

Shortly after we all learned of a massive security breach at Equifax in which the personal information of 145.5 million (initially reported as 143 million) Americans and sundry Brits and Canadians was plundered by hackers, the US Internal Revenue Service awarded Equifax a no-bid contract – to provide identity verification services for the tax authority.…

Category: Viruses and Worms

Oath-my-God: THREE! BILLION! Yahoo! accounts! hacked! in! 2013! – not! 'just!' 1bn!

The Register - Anti-Virus - 4 October, 2017 - 00:06
Every user pwned, how's that $4bn looking now, Verizon?

With Equifax testifying in US Congress today about its own massive security failings, someone at Yahoo! presumably thought now would be a good time to bury bad news – but some things are too large to hide.…

Category: Viruses and Worms

Patch your WordPress plugins: Scum are right now hijacking blogs

The Register - Anti-Virus - 3 October, 2017 - 23:34
Unless of course your site is so dull that a little hacker defacement will cheer it up

The plugin gurus at WordFence have this week found three critical security holes in third-party WordPress extensions that are being actively exploited by hackers to take over websites.…

Category: Viruses and Worms

Five Critical Android Bugs Get Patched in October Update - 3 October, 2017 - 22:42
Android receives three remote code execution patches for vulnerabilities rated critical as Google launches a new Pixel/Nexus Security Bulletin.
Category: Viruses and Worms

Equifax Says 145.5M Affected by Breach, Ex-CEO Testifies - 3 October, 2017 - 21:27
The credit bureau Equifax said Monday the information of 145.5M Americans was implicated in this summer's breach.
Category: Viruses and Worms

Google Warns of DoS and RCE Bugs in Dnsmasq - 3 October, 2017 - 19:16
A domain name system server implementation is at risk of remote code execution, information exposure and denial-of-service attacks after seven vulnerabilities were disclosed by Google and patched by the maintainers of Dnsmasq.
Category: Viruses and Worms

Google is making encryption mandatory for sites on 45 Top-Level Domains

Sophos Naked Security - 3 October, 2017 - 19:09
Millions of new sites registered under each TLD will now have HTTPS enforced

The Google tracking feature you didn’t know you’d switched on

Sophos Naked Security - 3 October, 2017 - 18:16
Matt's a security expert but Google's Your Timeline slipped past him and almost everyone he asked