WASHINGTON – Sony Pictures Entertainment is looking into whether North Korea may have been behind a major cyberattack on the studio last week, a news website reported.

The website re/code noted that the attack came as the studio neared release of a comedy about a CIA plot to assassinate its leader Kim Jong-Un.

“The Interview,” which stars Seth Rogen and James Franco as two journalists recruited by the CIA to bump off Kim, has infuriated the North Koreans, with state media warning of “merciless retaliation.”

Citing sources familiar with the matter, re/code on Friday said Sony and outside consultants were exploring the theory hackers operating in China carried out the attack last Monday on behalf of North Korea.

A North Korean link has not been confirmed, however, according to the sources.

An image posted on the Reddit social network from an individual claiming to be a former Sony employee showed a page with the words “Hacked by #GOP.”

It was unclear what GOP stands for, but some reports said the hacker group is called Guardians of Peace.

The posted image said unspecified demands must be met by Sony or important files would be released.

Tags:

• NEWS & INDUSTRY
• Cybercrime

Kaspersky Lab recently analyzed the activities of a threat group that has been targeting executive business travelers in the Asia-Pacific region.

The actors behind the cyber espionage campaign dubbed “<a href="http://redirect.viglink.com?key=11fe087258b6fc0532a5ccfc924805c0&u=http%3A%2F%2Fwww.securityweek.com%2Fdarkhotel-attackers-target-business-travelers-hotel-networks%22%3EDarkhotel%3C%2Fa%3E" use various techniques to distribute their sophisticated pieces of malware, such as highly customized spear-phishing, malicious Wi-Fi networks, and P2P sharing websites.

The attackers, which appear to speak Korean, have been compromising the networks of luxury hotels for the past four or five years, attempting to trick chief executives, senior vice presidents, sales and marketing directors, and researchers into downloading a backdoor disguised as software updates. Some of the pieces of malware used in these attacks date back to 2007, Kaspersky said.

Thousands of Darkhotel victims have been spotted all over the world, but most of them appear to be located in Japan, Taiwan, China, Russia and Korea. 

Security experts shared their thoughts on this campaign and provided some important recommendations for executives who travel often and don’t want sensitive corporate information to end up in the hands of cyber spies.

And the Feedback Begins…

Carl Wright, General Manager for TrapX Security:

“Organizations must understand that hackers are always looking for the path of least resistance. While enterprises today are generally doing a better job of securing their networks against intrusions from outsiders, they’re falling short when it comes to securing devices outside the corporate network.

As a result of this and an ever-increasing mobile workforce, we’re seeing hackers shifting their attention from attacking organizations head-on through their network and instead concentrate their efforts on individuals outside the corporate firewall. And what a better place to reach them than at the hotels they’re staying at while they’re on the road.

Executives must begin to treat every hotel, plane, bus, cab, cafe etc. as an extension of their corporate office and as such, they need to subject themselves to the same level of security and best practices imposed by their organization’s IT teams. This includes not clicking on suspicious links and making sure their communications to corporate HQ are secured through a proper VPN tunnel.”

Jack Daniel, Strategist at Tenable Network Security:

“Recent stories including the Darkhotel attacks have made it clear that travelers need to assess their information security risks and take reasonable precautions to protect their systems and information. As always, context is critical in deciding what is reasonable in your situation- for some travelers a little extra caution may be all that is needed, for others more aggressive actions such as dedicated (and possibly even disposable) hardware may be required.

A few universal basics can help everyone. Start with strong authentication, including using two-factor authentication everywhere possible and keeping your second factor devices (tokens, phones, cards, etc.) under your control at all times. Use VPNs any time you connect to any network not under your (or your organization¹s) control. Since different networks sometimes interfere with different VPN technologies it is a good idea to have more than one VPN endpoint to connect to, and ideally use more than one VPN technology (IPsec, SSL, etc.) to improve your chances of establishing a secure connection. Other fundamentals include taking no more information than you need for the trip, and limiting the systems and information you access while traveling.

Depending on the type and amount of technology you travel with, it may be best to simply keep all of your digital equipment with you at all times. For more advanced tips, such as the use of Wi-Fi firewalls, consult a trusted security professional.”

Idan Tendler, Fortscale CEO:

“The DarkHotel malware is just more evidence of the troubling vulnerability of networks when it comes to phishing campaigns and credentials theft. It is one of the reasons that networks will need turn their focus internally and adopt a more aggressive approach to security that includes analyzing users.

If a user’s behavior is thoroughly analyzed and profiled, an attacker could steal the user credentials but can’t imitate his historic behavior, which can immediately trigger red flags to the security team for deeper investigation.”

Jared DeMott, security researcher at Bromium:

“Wi-Fi attacks are a real threat, and not just in hotels. At most free Wi-Fi spots there is usually no guidance on secure connection: the user is left to figure it out, and hope it just works. Traveling business people typically are not technical experts either. So, using a device that prefers a VPN is helpful in preventing snooping once connected.  But, if initial connection pages attack with 0-day exploits, the browser is, as usual, a potential weak link without a way to isolate attacks.

I’d advise people to stay off Wi-Fi, in favor of a mobile hotspot. Understandably that can be difficult while in planes, or overseas where mobile devices may not function or be prohibitively expensive.” 

Alex Cox, Senior Manager, RSA-FirstWatch:

“My advice to travelers wishing to stay secure is to opt for the “overly paranoid” approach.

When executives travel they should assume that any open wifi access point has the potential to be malicious, especially in “convenience” areas, where Internet access is provided as a service, probably without a lot of security forethought. They should consider using an Internet access service through a portable wifi device via a cellular network (a MiFi is a popular version). This gives the user a self-contained source of internet access that is for their use only, and this method of connectivity has proven to be one of the more secure as far as eavesdropping and manipulation. That said, it must be configured and used correctly.

If an executive is travelling in a high-risk area, they should consider that any time their device is out of their direct physical control (airport, hotel room, vehicle, etc.) it has the potential to be tampered with. With that in mind, the traveler should keep physical control of the device as much as possible. It’s also a good idea for a high-risk traveler to bring a “clean” laptop and/or smartphone or tablet that doesn’t involve any of their work outside of what is currently needed. While traveling users should have increased suspicion of update notifications, emails with attachments and unknown links, or the request to install “helper” apps in order to access something.

It’s important to adopt an intelligence-focused mindset, to help understand the threat vectors and attackers that may be targeting the traveler.”

John Dickson, Principal at The Denim Group:

“I think the pressure from clients, shareholders or deadlines puts executives in a situation where they rarely think twice about hopping on a hotel Wi-Fi to conduct business. Couple that with the trust in brands – executives would assume Hilton, Hyatt, and others provide information security in addition to physical security and a clean room – and you have a dangerous mix.

Connecting [to Wi-Fi] itself is not completely terrible, but users should VPN-in as soon as they connect to the network for both e-mail and browsing purposes. Also, they should make sure their laptops and mobile devices have the most recent software updates, to make their computing devices less vulnerable to known, often exploited vulnerabilities. The thing to remember is that most security issues occur when two things happens: (1.) A user-initiated action, like clicking on an attachment or link or visiting a site hosting malware; and (2.) a latent vulnerability exists on the computing devices from which the user is browsing.

This was a well thought-out attack, and like most great attacks, is less about the technology and more about exploiting a known trust mechanism, in this case the strength of hotel chains’ brands.”

Oliver Tavakoli, CTO of Vectra Networks:

“There are two lessons that can be learned from the DarkHotel issue. The first is security architectures must be able to protect against attacks that exploit mobile users on guest Wi-Fi networks. The second is in the fast evolving threat landscape, “what the malware is doing” is more important than “what the malware is.

The BYOD Mobile Security Report published by the LinkedIn InfoSec Community revealed that exploits entering organizations via mobile devices is a top security concern in 2014. It is not possible to completely protect users from exploits when they travel and use public-access Wi-Fi networks at coffee shops or hotels. However, it is possible to detect the activities of an attacker who has breached the network perimeter through a traveling employee’s laptop. In a targeted attack, the attacker will use the infected laptop to perform reconnaissance, spread laterally, acquire data, and ultimately exfiltrate it in as stealthy a manner as possible. Real-time breach detection uses machine learning to detect these behaviors among the chatter in the network, even when the exploit or malware “walks” into an organization on a user’s laptop.

 

Just like there were multiple iterations of Conficker and the malware that was used to attack Target was “tweaked,” there could one day be a “DarkHotel 2.” Naming malware may satisfy a human need or assist in knowing whether the right detection signatures are deployed, but it is not relevant in advanced threat defense. Advanced threats, even when they start with simple tactics like spear phishing, are stealthy by nature and will use malware and C&C channels that slip past perimeter and endpoint security that use signatures and reputation lists. Detecting what the malware is doing will always have a higher likelihood – and multiple opportunities – of detecting a targeted attack than knowing what the malware is. Think of it this way, if you can name it, then it is no longer an advanced threat or a targeted attack. Ignoring the malware may only relegate you to being one of its first victims, and that is no fun.”

Ian Amit, ZeroFOX Vice President:

“First things first – nothing is revolutionary about Darkhotel. It uses the same tactics that penetration testers have been using at red team engagements for years. The only surprise is that the attack was found, albeit with a delay of 7 years.

Darkhotel leverages publicly available information and past behaviors to predict where and when an executive is traveling. Having that information at hand is critical for launching a pinpoint attack, and in most cases can be derived from a simple social media search. Once the target is located, the attack comes via the hotel wireless network. As usual, the human factor plays a lead role in enabling such attacks, and unfortunately, most of the information needed can be found on social media.

When traveling, follow the rule “no changes allowed” – no updates, no downloads, no new software or hardware installations. This will prevent almost every malware attack. For the extremely security-conscious traveler, a freshly installed laptop and phone are recommended, both of which should be disposed of at the end of the trip.”

Anup Ghosh, Founder and CEO, Invincea:

“The DarkHotel campaign sheds light on risks business travelers face when leaving the four walls of their enterprise networks. Business travelers need access to the Internet, of course, and the hotel networks is usually the gateway. Even if they are employing VPNs, the access point is the local hotel wireless net prior to being able to login via VPN. At this juncture, we have seen not only rogue Flash updates, but also drive-by exploits hosted on these hotel network pages that silently infect the traveller’s machine.

This isn’t confined to hotel networks, of course, as any public network with a network access login (coffee shops, airports) can be compromised accordingly. Airports would be particularly rich for business travelers and many incorporate advertising that can be subverted via third party ad networks.

Bottomline is business travelers need end point protection that stops targeted attacks and novel malware without requiring the corporate network.”

Tal Klein, VP of Strategy for Adallom:

“Captive portals are basically dressed up Men-in-the-Middle. I don’t particularly understand the hype around DarkHotel given that tools like Hak5’s Pineapple have demonstrated the ease with which people can be compromised by trusting captive portals, especially in hotel settings. My advice: Invest in a mobile carrier Mi-Fi. Most hotel internet connections are unbearably slower and more expensive than a Mi-Fi anyway.”

Ian Pratt, Co-founder & EVP, Products at Bromium:

“Attacks using Wi-Fi captive portals are certainly on the rise. The networks at hotels are particular attractive as information about the user’s name and the organization they work for is frequently available, enabling very targeted attacks. It is common for hotels to outsource provision of networking services, and hence these third parties become attractive targets to attackers to target visitors staying at many hotels. In some parts of the world state security services specifically take advantage of this.

 

A VPN is unable to help protect against many of these attacks. Most Wi-Fi networks require you to successfully sign-in to a captive portal page before they will allow you external access. In many cases it is the sign-in page itself that is malicious, and by the time the user has entered their surname and room number they will have been delivered an exploit tailored to their machine and compromised. Bringing a VPN up at this point plays directly into the attackers hands, bringing the infection onto the enterprise network.”

Paul Lipman, CEO of iSheriff:

“Darkhotel illustrates a fundamental hole in the typical approach to corporate cybersecurity. Organizations spend many millions of dollars to protect their networks against outside threats, investing in ever more sophisticated ways to defend their network infrastructure, applications, and data from attack. Despite all of this investment, roaming users are typically protected with nothing more than endpoint anti-virus, a technology that is woefully inadequate to protect against advanced persistent threats such as Darkhotel. Even worse, when an infected user later comes back into the office, any malware infection picked up “on the road” can instantly spider out across the network, multiplying the risk by orders of magnitude.

 

A cloud-based Web security solution provides a persistent layer of protection for roaming users, wherever or however they are connecting to the Internet. These services are constantly updated to cover the latest advanced threats, identifying them in the cloud in real-time, and blocking them before they can ever reach an end user’s device. In the case of Darkhotel, a user connecting through a cloud security layer would be fully protected through a “secure tunnel” from the device to the cloud security provider.”

Chris Messer, vice president of technology at Coretelligent:

“DarkHotel is a moderate threat for unsuspecting and non-technical users, and for users and organizations that have lax security safeguards present on traveling employee or executive devices.

 

This type of attack requires the potential victim to download a compromised update such as Adobe Flash or Google Toolbar from a compromised link or pop-up browser window. The user is then tricked into installing these updates as the attacker uses bogus digital certificates to “sign & validate” the compromised software to lead the user to believe they came from a trusted source. This compromised application then installs additional malicious software (Trojan, keylogger, etc.) on the victim’s machine, and then allows the attacker to track and collect data from their machine at will.

 

The good news is that this type of attack can be prevented if users follow good security practices and have reasonable security software and precautions put in place by IT:

 

• Individuals should avoid hotel wired and wireless Internet services all together, and instead rely on a company-provided mobile hotspot device, or tether via their mobile device. When individuals are required to leverage a hotel’s wired or wireless Internet, they should avoid performing any system administrative tasks or updates.

 

• Users should only transact business over a secure VPN connection and HTTPS secured sites. They should avoid sensitive sites such as banking sites for the duration of the hotel stay, if at all possible.

 

• Users should never click on any advertisements via the hotel Wi-Fi, and after logging into the wireless, make it a point to close and re-open their browsers to avoid re-using a questionable session.

 

• Individuals should ensure that they have a robust antivirus suite installed on their machine that has some sort of web filtering component. 

 Feel free to add your thoughts in the comments below, and until Next Friday…Have a Great Weekend!

Tags:

• Network Security
• NEWS & INDUSTRY
• Incident Management
• Risk Management
• Malware
• Management & Strategy

SAN FRANCISCO – US justice officials are scooping up mobile phone data from unwitting Americans as part of a sophisticated airborne surveillance program designed to catch criminals, the Wall Street Journal reported Thursday.

Small aircraft deployed by the US Marshals Service from at least five major airports have been taking to the skies with “dirtbox” equipment designed to mimic signals from cell towers, according to the Journal.

That in turn tricks mobile phones into revealing unique identifying numbers and general locations, according to the report.

The name “dirtbox” was said to be derived from an acronym of Digital Recovery Technology Inc., the Boeing subsidiary that makes the device.

The range of aircraft in the program covers most of the US population, the Journal reported, citing unnamed sources familiar with the operation.

Details of flights were not given, but they were said to take place regularly with each outing potentially gathering data from tens of thousands of mobile phones.

The Journal reported that the US Justice Department declined to comment for the story other than to say that its agencies comply with the law when it comes to surveillance.

Mobile phones are programmed to connect with the closest signal tower, but trust signals from towers or imposters when it comes to making decisions, hackers have demonstrated.

Boxes in planes could automatically assure mobile phones they are the optimal signal tower, then accept identifying information from handsets seeking connections.

Fake cell towers could then pass connections onto real signal towers, remaining as a conduit with the ability to tune into or block digital transmissions.

Hackers refer to such tactics as “man-in-the-middle attacks.”

The Journal quoted American Civil Liberties Union chief technologist Christopher Soghoian as calling the program “dragnet surveillance” that is “inexcusable.”

The program is reportedly in place to reveal locations of mobile phones associated with criminals or those suspected of crimes, but collect data about other handsets that connect, according to the Journal.

After sifting through data collected, investigators could determine the location of a targeted mobile phone to within about three meters, the report indicated.

Similar devices are used by US military and intelligence officials operating in other countries to locate terrorist suspects, according to the Journal.

Trust in US authorities has already been shaken by revelations about a sweeping Internet surveillance program.

Tags:

• NEWS & INDUSTRY
• Privacy
• Tracking & Law Enforcement

BrowserStack is back online after temporarily suspending service due to an attack.

The company stated it had been hacked after someone sent an email to customers claiming the company was shutting down and had failed to follow-through on promises related to security. Founded in 2011, BrowserStack is a cross-browser testing tool used to test websites and servers.

A copy of the email was posted to Pastebin.

“Not only do all of our administrators have access, but so does the general public,” the hacker claims in the email. “We have no firewalls in place, and our password policies are atrocious. All virtual machines launched are open to the public, accessible to anyone with the alpha password “nakula” on port 5901, a password which is stored in plaintext on every VM. As well, our infrastructure uses the same root passwords on all machines, which is also stored in plaintext on every VM launched (“c0stac0ff33″).”

“Given the propensity for cyber criminals to target infrastructure services such as ours, it is almost certain all of your data has been compromised,” the email states. “These passwords take no less than 15 minutes to find for anyone who is looking. We hope we have not caused you too much trouble, and to our enterprise customers who signed deals contracts based on a fabrication, we are equally sorry.”

It is not known whether any of the hacker’s claims in the email are true. According to BrowserStack, the hacker’s access was limited solely to a list of email addresses.

“All BrowserStack services are now up and running,” the company tweeted shortly after noon PST. “We are keeping a strong check and will email all users the entire analysis.”

The company said it will post a post-mortem of the attack.

BrowserStack serves some 25,000 customers and more than 520,000 registered developers across the world.

Tags:

• NEWS & INDUSTRY
• Cybercrime

Researchers at Palo Alto Networks identified a new piece of malware designed to target Mac OS X and iOS users. The threat, called WireLurker, has potentially affected hundreds of thousands of users, almost all of them located in China. 

Cybercriminals are distributing the threat by trojanizing OS X apps hosted on third party app stores. The 467 malicious apps uploaded to the Maiyadi App Store have been downloaded more than 350,000 times.

Once it infects a Mac, the malware downloads other malicious iOS application to the infected machine. When victims connect their iPads, iPhones or iPods via USB to the infected device, WireLurker installs the downloaded iOS applications onto them. The mobile component of WireLurker is capable of stealing information from infected devices.

The latest version of WireLurker is interesting because it can infect not only jailbroken devices, but also ones that haven’t been jailbroken. The threat can install the malicious iOS apps on non-jailbroken devices by signing them with a stolen code signing certificate.

Shortly after Palo Alto Networks disclosed details on WireLurker, researchers identified an older variant of the threat apparently designed to target computers running Microsoft Windows. 

The command and control servers used by the malware are currently offline and Apple has revoked the certificate used by the malware authors. However, experts believe WireLurker once again shows that Apple devices are not immune to malware.

And the Feedback Begins…

Ian Amit, Vice President of ZeroFOX:

“It’s interesting to see how malware is getting more holistic from an attack vector approach, utilizing technical vulnerabilities and elements, as well as human ones. This isn’t the first malicious code that is designed to “hop” between connected platforms, examples date back to variants such as Stuxnet that infected Windows based computers, which in turn affected Siemens PLCs. This is an interesting turn of events, as Apple’s iPhone is commonly considered a safe platform as long as it isn’t jailbroken.

Beyond the already familiar abuse of social interactions that allow the malware to run in the first place – essentially, having the victim ‘knowingly’ install it, WireLurker also abuses the trust between the victim’s PC and the iPhone connected to it, which grants it full access to the phone and it’s applications – apps can be backed up over USB, then restored to the phone, after the malware has modified them and inserted a backdoor.”

Greg Martin, CTO of ThreatStream:

“Wirelurker is being distributed via a 3rd party app-store called Maiyadi that is out of control of Apple.

The danger with third-party app stores such as Maiyadi is that Apple and Google have no vetting control of what gets added to 3rd party app stores, severely limiting their ability to protect end-users from running malicious apps. In-fact nearly all cases of known malware for the iPhones have originated from 3rd party app stores such as Cydia (App store for jailbroken iPhones) and now new ones like Maiyadi.

Monitoring these 3rd party app stores for malicious apps will become an opportunity for cyber security companies to help provide intelligence back to Apple and Google on what’s happening outside of their control.”

Steve Bell, security consultant, BullGuard:

“The really interesting thing about the WireLurker malware is the scale of the infection and how it is promulgated.  Because of the proprietary nature of Apple devices and the fact that apps are checked for malware before they go into the Apple store users have generally been protected in the past.

However, with an estimated 350,000 downloads of infected apps and the fact that the malware can also transfer via a USB port signals a serious notching up of hacker’s endeavours to hit Apple devices. In the US Apple users tend to stick to the Apple store which is wise. WireLurker shows precisely the danger of downloading apps from unregulated third party stores.

However, the use of a USB port to also transfer malware, while obvious and simple, could be potentially devastating. Without wishing to be alarmist, USB ports are an obvious vulnerability, and it’s not beyond the realms of possibility that hackers might use this to insert Trojans designed to lie dormant for a period. With Apple now putting its considerable weight behind Apple Pay, hackers have serious motivation.”

Carl Wright, General Manager for TrapX Security:

“What has enabled the success of the creators of WireLurker is the concept of transitive trust. This two-way approved relationship automatically created between parties has long been an Achilles heel to security professionals trying to ensure the validity of transactions on a more or less case by case bases.

This recent hack continues to illustrate the trade-off the end users must consider between that of maintaining security of the end point device and innovative new applications that may not be developed or certified by Apple.

In the end, the price may indeed be too extreme for corporations who desire to take advantage of end user BYOD.”

Jared DeMott, Security Researcher with Bromium Labs:

 “People still seem to think malware on the Mac is less likely than on Windows.  If this is true, it’s simply because attackers are less interested in Mac.  The relative attack surface is just as big (similar chance to find and exploit bugs) as on Windows or any other modern operating system.

In fact, my suspicion is that Macs really are exploited more than people realize.  But it’s either typically by better funded attackers, who know how to stay hidden, or because Apple in general does a better job at managing bad security press when compared to Windows.

This particular malware is distributed not in the form of an exploit, but in the form of pirated software.  China in particular, is known to run a lot of illegal software.  Thus, it’s not surprising the Chinese took the brunt of this round, considering the deployment mechanism.”

Mark Parker, Senior Product Manager, iSheriff:

“Wirelurker introduces a new threat vector in a place that was thought to be secure. The concept of using trojan software to download new threats is not new, that is something that has been in practice for many years. However, up to this point the software on iOS devices has been considered secure since the only software on the device would come through the heavily vetted Apple App Store.

By using the workstation’s USB connection as an avenue to surreptitiously install the Trojan applications, the protection afforded by the App Store is leap frogged in an effective manner. Since it has shown success, there is sure to be more advancement and copycats. The introduction of the mobile phone as a method of payment will increase the potential for attacks. Wherever there is money, there is always going to be Malware built to try to get access to that money.

This approach of using the workstation USB connection to another device could also be used in other “closed system” environments. Examples of this could be physical security system maintenance, or point-of-sale terminals that can only be maintained via a workstation USB connection, or similar method. It is always important to ensure that all workstations, even those of workers off-site, are protected from endpoint, web, and email based attacks at all times. The need for security doesn’t stop when the device leaves the network, especially in cases of workers that will be connecting to these types of devices.”

Kenneth Bechtel, Malware Research Analyst, Tenable Network Security:

 “With a resurgent BlackEnergy now targeting network routers and WireLurker spreading like wildfire across China’s iOS devices, this has been an interesting week to be in the malware business. But the thing to keep in mind is that despite the hype, neither of these threats herald an impending Internet apocalypse, though both deserve to be taken seriously.

WireLurker infects iOS through compromised OS X machines. Following successful malware trends, it is modular and updateable, having 467 applications hosted on the Maiyadi App Store (a third-party store hosted in China). This threat can now infect non-jail broken iOS devices simply by connecting an iPhone/ iPad/ iPod to a computer to sync the calendar or contacts list. This concept is very frightening to many users, and means it won’t be long before it spreads to countries outside of China.”

Michael Sutton, VP of Security Research for Zscaler:

 “We keep waiting for mobile malware to eclipse traditional PC malware but it turns out that we’re waiting for the wrong thing. We’ll never see the drive by downloads and fast spreading device to device malware that we’ve become accustomed to in the Windows world, due to the differing architectures of Windows vs Mobile operating systems. That doesn’t however mean that malware on mobile devices isn’t a concern, it just means that malware is being forced to evolve and adapt to a more restrictive environment.

This is especially true for iOS devices and WireLurker represents a new advance on that front. Whether or not Apple designed their Walled Garden for security purposes or not, the fact that iOS apps must primarily be installed only from the iOS App Store, where they can first be vetted by Apple, has made malicious apps on non-jailbroken devices a rare commodity. WireLurker took advantage of an exception to this rule.

WireLurker abuses the fact that there is another way to get apps onto non-jailbroken devices. Apple allows enterprise development teams to leverage Enterprise Provisioning as a means to push homegrown apps to employees without the hassle of hosting them in the App Store. The process is still restricted and requires the use of an Apple supplied code signing certificate and provisioning profiles pushed to devices, but it does provide an alternative. The authors of WireLurker appear to have stolen a legitimate code signing certificate from Hunan Langxiong Advertising Decoration Engineering Co. Ltd., in order to pushed apps to non-jailbroken devices via provisioning profiles.”

Steve Hultquist, chief evangelist at RedSeal:

“Trust. It’s the first requirement for security, but seldom considered by consumers. In the case of WireLurker, existing trust between an iOS device and a Mac becomes the surrogate for malware to infect the devices. When the Mac user mistakenly places trust in a third-party app site to only offer uninfected applications for download, it opens the door to infection of the Mac and then the iOS devices.

This is another example of the sophistication and automation of attacks that are growing inexorably into the future. Attackers are both more subtle and more capable than ever before. This attack resulted in over a quarter of a million infected downloads, in all likelihood impacting thousands of people and devices, all because of misplaced trust.

This attack and others that will follow underscore the need for proactive security efforts, from application design-for-security to trust architectures and automated analysis of potential access paths. Without automated proactive prevention, attacks will continue to grow in volume and impact. Enterprises need to take notice, since these consumer attacks are merely the ice above the water. The enterprise and governmental attacks are the bulk under the sea.”

Until Next Friday…Have a Great Weekend!

Tags:

A two-year study by Bitdefender sheds some light on the most popular types of scams on Facebook and who is falling for them.

The study examines more than 850,000 Facebook scams. Analyzing each of them revealed the following top five bait categories for attackers looking to hit users with spam, malware or other attacks: profile viewer scams (45.5 percent); Facebook functionality scams such as claims about adding a dislike button (29.53 percent); gift card/gadget giveaway scams (16.51 percent); celebrity scams such as death hoaxes (7.53 percent); and atrocity videos with subjects like animal cruelty (0.93 percent).

The report delves into psychological explanations as to why users fall for the traps.

“The most popular Facebook scam offers users the chance to see if they are still searched by a person for whom they may still have feelings for,” according to the report. “Their judgment tells them to avoid clicking on such a lure, but this rational censorship will come along with big emotional consumption. They often don’t even need to believe the link hides emotionally-important information, but they rather do it just to check things out.”

“There is also an additional element helping hackers to trick millions of users ever year,” the report notes. “The “profile viewer” message is customized, touching them on a personal level.”

Facebook functionality scams rely on the desire of users to make their image and experience better, while the giveaways play to greed – or in the case of giveaway scams aimed at gamers, competitiveness, Bitdefender researchers explain in the report.

“Though less present, the last two categories of Facebook scams are growing at a steady pace,” according to the report. “Celebrity sex tape scams and atrocity news (such as murders and child abuse) are attracting thousands of victims with every new campaign, as they also “include” alluring videos. In the attempt of creating a profile of the most gullible victims, Bitdefender’s behavior analysts discovered there is such a wide range of users falling for Facebook scams, that an exact profiling would be too restrictive.”

“In conclusion, anyone could fall victim to a Facebook scam at one point in his life, as cyber-criminals always pull the right psychological triggers.”

The whitepaper can be read here.       

Tags:

• NEWS & INDUSTRY
• Cybercrime

Welcome back to Feedback Friday! An unclassified computer network at the White House was breached recently and the main suspects are hackers allegedly working for the Russian government.

The incident came to light earlier this week when an official said they had identified “activity of concern” on the unclassified network of the Executive Office of the President (EOP) while assessing recent threats. The official said the attackers didn’t cause any damage, but some White House users were temporarily disconnected from the network while the breach was dealt with.

Experts have pointed out that while the attackers breached an unclassified network, it doesn’t necessarily mean that they haven’t gained access to some useful data, even if it’s not classified. They have also outlined the methods and strategies used by both the attackers and the defenders in such a scenario.

And the Feedback Begins…

Amit Yoran, President at RSA:

“The breach underscores the constant siege of attacks on our government and businesses. Fortunately — by definition — information with grave or serious impact to national security is classified and would not be found on an unclassified network. That said, there is most likely information on unclassified networks that the White House would not like public or for 3rd party consumption.

As for the profile of the adversary, the White House uses the latest security technologies making them a very challenging target to breach. Top secret clearances are required for access to networks and personnel are continuously and rigorously vetted. As such — and acknowledging that until a thorough investigation is completed, speculation can be dangerous — a standard botnet or phishing malware is a less likely scenario than a focused adversary with time and expertise in developing customized exploits, malware and campaigns.”

Mark Orlando, director of cyber operations at Foreground Security. Orlando previously worked at the EOP where he led a contract team responsible for building and managing the EOP Security Operations Center under the Office of Administration:

“Sophisticated attackers constantly alter their approach so as to evade detection and they will eventually succeed. The best a defender can do in this case is to identify and respond to the attack as quickly and effectively as possible. It isn’t at all unusual for an attack like this one to be discovered only after a malicious email has been identified, analyzed, and distilled into indicators of compromise (subject lines, source addresses, file names, and related data elements) used to hunt for related messages or attacks that were initially missed. White House defenders routinely exchange this kind of data with analysts across the Federal Government to facilitate those retrospective investigations. That may have been how this compromise was discovered and that doesn’t amount to a ‘miss’.

While the media points to outages or delays in major services like email at the White House, this is also not an unusual side effect of proper containment and eradication of a threat like this one- especially if there are remote users involved. Incidents exactly like this one occur all over the Federal government and increasingly in the private sector as well; the only thing different about this attack that makes it more newsworthy than those other incidents is that it occurred at EOP.”

Tom Kellermann, Trend Micro chief cybersecurity officer and former commissioner on The Commission on Cyber Security for the 44th Presidency:

“Geopolitical tensions are now manifested through cyberattacks. The enemies of the state conduct tremendous reconnaissance on their targets granting them situational awareness as to our defenses in real time. This reality allows for elite patriotic hackers to bypass our defenses.”

Irene Abezgauz, VP Product Management, Quotium:

“Security, cyber or physical, relies heavily on risk management. With a large operation, it is difficult to secure everything on the same level, priority is often given to the more sensitive networks. In the case of the White House hack, the breached network was unclassified, meaning it probably has slightly different security measures than classified networks.

Government systems are prime targets for hackers. Even if the breached network is unclassified and no sensitive information was exposed, all government network breaches draw attention. In public opinion, attackers gaining access to government computer systems, no matter whether classified or not, reflects badly on the ability of the US to defend itself, especially when foreign nationals are suspected. In addition, availability and integrity must be maintained in systems that involve any kind of government decision making, more than in most other systems.

The bottom line is that high profile targets must maintain a high level of security on all networks. Hackers, private and state-funded, are continuously attempting attacks on these systems. Such attacks must be blocked in order to protect data within as well as assure the public of the ability of the government to protect its cyber systems.”

John Dickson, Principal at the Denim Group:

“Although initial reports emphasize the unclassified nature of the system and networks, security experts know that successful attacks against certain unclassified systems can, in fact, still be gravely serious. Given the fact this concerns perhaps the most high-visibility target in the world – the White House – and you potentially have a genuinely difficult situation.

On one hand, you have the issue of public confidence in our institutions of government. ‘If the attackers can compromise the White House, what else can the possibly get into?’ is a perfectly valid question from citizens who may not recognize the distinction between unclassified and classified systems. Also, sensitive information that is unclassified may traverse these systems and give attackers more context to allow them to put together a larger picture of what’s happening at the White House. Military folks call refer to this term as Operational Security, or OPSEC, and this is always a worry for those protecting the President, the White House, and the operations of the Executive Branch of government.

From a defensive standpoint, when you face a sophisticated attacker with substantial resources you have be constantly vigilant and assume certain systems will fail. It’s far too early to editorialize on theories of ‘what might have happened’ at the White House, but we always recommend a defense in depth approach to application and system design that ‘fails open,’ so that if an attacker compromises one type of defense, it doesn’t compromise the entire ecosystem.”

Ian Amit, Vice President at ZeroFOX:

“Much of the conversation surrounding the recent White House hack centers on the nature of the compromised network. The network is ‘unclassified,’ leading many people to believe the affected information is non-critical or innocuous. It’s important to note however that enough unclassified information, when aggregated and correlated, quickly becomes classified. Isolated data points might not mean much by themselves, but enough time spent passively listening to unclassified chatter can reveal some very sensitive intelligence.

So how much time was the hacker on the network? It’s difficult to tell. Security officials alerted on ‘suspicious activity.’ This phrase doesn’t give us much insight into how long the network was compromised. The hacker could have been active on the network for months without doing anything to sound the alarms. It’s one thing if a hacker is caught in the act of breaking in or stealing data. That kind of event information generally gives a clear indication of the attack timeline. Triggering on passive behavior makes this much more difficult.

With that said, it’s commendable that White House security officials are looking for behavioral cues rather than overt events to detect malicious activity. Soft indicators are much more difficult to detect and means the security officials are using some advanced tools to understand traffic on the network.”

Anup Ghosh, CEO of Invincea:

“The disclosure of breach from the White House this week was remarkable for its differences from a similar disclosure in 2012. It’s clear from recent press releases from security companies, that Russia is the New Black now. In fact, if you get hacked by the Chinese now, it’s almost embarrassing because they are considered less sophisticated than the Russians. So now, every breach seems to be attributed to Russians, though largely without any evidence.

A little more than two years ago in October 2012, the White House acknowledged a breach of its unclassified networks in the White House Military Office (which also manages the President’s nuclear ‘football’). The talking points at the time were: 1. Chinese threat, 2. Non-sophisticated attack method (spear-phish), 3. Unclassified network, so no harm. This week, the talking points are: 1. Russian government threat, 2. Sophisticated attack method (spear-phish), and 3. Deep concern over breach of unclassified network. The similarities between the two breaches are remarkable, but the reaction couldn’t be more different.

Before we indict the Russians for every breach now, it would be great to see some bar set for attribution to a particular group. It would also be great to not use “sophisticated” threat or Russians as a scape goat for not properly addressing spear-phishing threats with technology readily available off the shelf (and shipped with every Dell commercial device).”

Michael Sutton, VP of Security Reasearch for Zscaler:

“The breach of a compromised White House computer reported this week is simply the latest in ongoing and continual attacks on government networks. While such breaches periodically hit the headlines thanks to ‘unnamed sources’, it’s safe to assume that the general public only has visibility into the tip of the iceberg. White House officials admitted that this latest breach was discovered ‘in the course of assessing recent threats’, suggesting that following the trail of breadcrumbs for one attack led to another.

In September, there were reports of yet another successful attack, this one leveraging spear phishing and compromising a machine on an unclassified network and earlier this month, details of the Sandworm attacks emerged, which leveraged a then 0day Microsoft vulnerability to target NATO and EU government agencies. All of these recent attacks have been attributed to groups in Russia and it’s likely that they’re tied together. All Internet facing systems face constant attack, but the White House understandably presents a particularly attractive target.

While all G20 nations have advanced cyber warfare capabilities and conduct offensive operations, Russia and China have been particularly aggressive in recent years, often conducting bold campaigns that are sure to be uncovered at some point.”

Zach Lanier, Senior Security Researcher at Duo Security:

“U.S. government and defense networks are often the target of attackers — and the White House is without a doubt very high on that list, regardless of the breached network reportedly being ‘unclassified’. Everyone from hacktivists to foreign intelligence agencies have sought after access to these networks and systems, so this intrusion isn’t a huge surprise.” 

Carl Wright, General Manager of North America for TrapX Security:

“When it comes to our military, government and its supporting national defense industrial complex, the American public’s expectation is and should be significantly higher. The Senate Armed Services Committee (SASC) findings in September highlighted how nation-state actors were targeting contractors with relation to the federal government so it is to be expected that actual government bodies are also being targeted.

95 percent of the security market is signature based and thus will not detect a targeted zero-day. We must operate under the notion that networks are already compromised and focus defenses on monitoring lateral movements within data centers and private networks as that is how hackers escalate their attack and access. Unfortunately, existing security technologies focus from the outside in, trying to understand the entire world of cyber terrorists’ behaviors which inundate security teams with alerts and false-positives.

These breaches demonstrate how traditional security tools alone don’t do enough and both enterprises and government organizations need to constantly evaluate and improve their security posture to thwart today’s nation-states or crime syndicates whether foreign or domestic. With the United States President’s intranet being compromised, it truly shows the poor state of our national cyber defense capabilities.”

Nat Kausik, CEO at Bitglass:

“Organizations whose security models involve ‘trusted devices’ are naturally prone to breaches. Employees take their laptops on the go, get hacked at public WIFI networks, and come back to the office where the device is treated as trusted and allowed to connect to the network.

The compromised device enables the hacker to gain a broader and more permanent foothold inside the network. Government entities have long favored the ‘trusted devices’ model and are actually more prone to breaches than organizations that treat all user devices as suspect.”

Greg Martin, CTO at ThreatStream:

“It’s public knowledge that Russia has been very active in sponsored cyber espionage and attacks but have recently turned up the volume since both the Ukranian conflict and given the Snowden leaks which in my opinion have given Russian and China the open door to be even more bold in their offensive cyber programs.

Recent cyberattacks on retailers and financial institutions have been riddled with anti-US propaganda. This makes it increasingly difficult to pinpoint the backers as the activity is heavily blended threats between criminal actors, hack-tivist and state sponsored activity. As seen in the recent reports, Russia APT attacks have been prevalent in targeting U.S. interests including the financial sector.

ThreatStream believes organizations should accelerate their policy of sharing cyber threat information and look at how they currently leverage threat and adversary intelligence in their existing cyber defense strategies.”

Until Next Friday…Happy Happy Halloween and have a Great Weekend!

Tags:

• Network Security
• NEWS & INDUSTRY
• Incident Management

Researchers have uncovered a remote administration tool (RAT) that uses a novel technique to stay persistent on infected systems and avoid detection.

The RAT, dubbed “COMpfun,” has been analyzed by experts from G DATA Software’s SecurityLabs. When it comes to functionality, the malware is not out of the ordinary. It can be used to log keystrokes, take screenshots, download and upload files, execute code, and for other specific tasks.

The threat can run on both 32 and 64-bit versions of Microsoft Windows (up to Windows 8), and it relies on HTTPS and RSA encryption to communicate with its command and control (C&C) server.

What makes COMpfun interesting is the fact that it injects itself into the processes running on compromised systems by hijacking legitimate Component Object Model (COM) objects.

COM allows developers to manipulate and control the objects of other applications. Each of these objects has a unique identifier called CLSID.

When it’s installed on a system, the RAT creates two files, after which it creates two registry entries to define COM objects with the CLSIDs {b5f8350b-0548-48b1-a6ee-88bd00b4a5e7} and {BCDE0395-E52F-467C-8E3D-C4579291692E}. These IDs are already assigned to two Microsoft libraries that are used by several applications, including the Web browser. However, by defining objects with the same CLSIDs, the originals are replaced with the new ones.

Once this is done, the malicious libraries are loaded into processes instead of the legitimate Microsoft libraries. This ensures not only that the RAT is persistent, but it also makes it more difficult to detect.

“As soon as the infection was successful, Microsoft Windows then natively executes the library in the processes of the infected user. Hence, the attacking process is hard to be identified. Using COM hijacking is undoubtedly silent. It is not even detected by Sysinternals’ Autoruns,” G DATA researcher Paul Rascagnères wrote in a blog post.

Many antiviruses monitor systems for DLL injections, but since COMpfun doesn’t rely on DLL injections, some security solutions might miss the threat. Rascagnères has warned that any type of malware could leverage this technique to become stealthy.

COMpfun is not the only RAT that abuses COM. Back in August, G DATA detailed IcoScript, a piece of malware that leveraged COM to control Internet Explorer. By taking control of the Web browser, cybercriminals have been able to carry out various actions, such as accessing websites, entering credentials, pressing buttons on pages, and exfiltrating data.

In the case of IcoScript, cybercriminals leveraged the technique to access Yahoo Mail accounts and use them for C&C communications. Researchers noted at the time that the attackers could have used other webmail services as well, such as Gmail.

Tags:

A Massachusetts man has been sentenced to 21 months in prison for using information hacked from customer accounts at more than a dozen banks, brokerage firms, payroll processing companies and government agencies in a plot to steal $ 15 million.

Robert Dubuc, 41, of Malden, Mass., previously pleaded guilty to charge of wire fraud conspiracy and conspiracy to commit access device fraud and identity theft.

According to court documents, Dubuc and 50-year-old Oleg Pidtergerya of Brooklyn – who has also pleaded guilty – were asked by leaders of the conspiracy to participate in a “cash-out” scheme to help steal money from compromised bank accounts. Pidtergerya managed a cash-out crew in New York for the cyber-ring’s leaders while Dubuc controlled a cash-out crew in Massachusetts for the organization.

Authorities believe Oleksiy Sharapka, 34, of Kiev, Ukraine, directed the conspiracy with the help of Leonid Yanovitsky, 39, also of Kiev.

According to authorities, hackers gained unauthorized access to the bank accounts of customers of more than a dozen organizations ranging from Citibank to E-Trade to the U.S. Department of Defense. After obtaining access to the bank accounts, Sharapka and Yanovitsky allegedly diverted money to bank accounts and pre-paid debit cards they controlled. They then turned to the cash-out crews to withdraw the stolen funds, authorities said.

Both Sharapka and Yanovitsky are under indictment in the United States and remain at large, according to the U.S. Department of Justice.

In addition to the prison term, Judge Sheridan sentenced Dubuc to serve three years of supervised release and pay restitution in the amount of $ 338,685. Sentencing for Pidtergerya is scheduled for Dec. 22.

Tags:

• NEWS & INDUSTRY
• Cybercrime

KIEV – Hackers attacked Ukraine’s election commission website Saturday on the eve of parliamentary polls, officials said, but they denied Russian reports that the vote counting system itself had been put out of action.

The www.cvk.gov.ua site, run by the commission in charge of organising Sunday’s election, briefly shut down. Ukrainian security officials blamed a denial-of-service (DDoS) attack, a method that can slow down or disable a network by flooding it with communications requests.

“There is a DDoS attack on the commission’s site,” the government information security service said on its Facebook page.

The security service said the attack was “predictable” and that measures had been prepared in advance to ensure that the election site could not be completely taken down.

“If a site runs slowly, that doesn’t mean it has been destroyed by hackers,” the statement said.

A report on Russia’s state news agency RIA Novosti quoted a statement on the personal website of the Ukrainian prosecutor general saying that the electronic vote counting system was out of order and that Sunday’s ballots would have to be counted by hand.

The commission spokesman, Kostyantyn Khivrenko, called the RIA Novosti report a “fake”.

“The Central Election Commission will issue preliminary results of the voting with the help of the Vybory information-analytical system. This system is working normally,” he said.

The Ukrainian Security Service (SBU), the country’s lead internal security agency, said that “the physical protection of the central server and its regional components has been ensured”.

“Any statements regarding the alleged successful unauthorised intrusions into the cyber space of the Central Election Commission or the elements of the elections systems do not correspond to the facts. Hackers are controlling nothing,” Markiyan Lubkivskyy, an adviser to the SBU chief, said.

An SBU spokeswoman told AFP that attacks on the election commission’s site began a week ago, “but so far we have dealt with them”.

Outdoor video screens hacked?

The cyber troubles came as Ukraine prepared for an election overshadowed by a bloody pro-Russian insurgency in the country’s east and the annexation by Russia of the Crimean province in the south.

Pro-Western and nationalist parties are expected to dominate the new parliament. In another possible sign of cyber tensions, the Ukrainska Pravda news website on Friday reported that outdoor video screens across Kiev were briefly hacked.

The screens, which are used for advertising, including pre-election political ads, reportedly started to display “scary and horrible images,” the report said.

Engineers went out “to physically unplug” the screens, according to the report.

The report could not be confirmed, but footage on YouTube purporting to capture the incident showed a street screen abruptly switching to footage of destroyed buildings and dead bodies, as well as the images of two nationalist politicians running for parliament, with the words “war criminals”.

Tags:

• Network Security
• NEWS & INDUSTRY