Researchers at Trend Micro revealed details of an attack against a major Korean utility company hit by malware designed to wipe the master boot records (MBR) of compromised computers.

According to Trend Micro, the malware is believed to have infected the targeted systems through a vulnerability in the Hangul Word Processor (HWP), a commonly-used application in South Korea. The attackers used a variety of social engineering lures as well.

“We detect the malware as TROJ_WHAIM.A, which is a fairly straightforward MBR wiper,” according to Trend Micro. “In addition to the MBR, it also overwrites files that are of specific types on the affected system. It installs itself as a service on affected machines to ensure that it will run whenever the system is restarted. Rather cleverly, it uses file names, service names, and descriptions of actual legitimate Windows services. This ensures that a cursory examination of a system’s services may not find anything malicious, helping this threat evade detection.”

“This particular MBR-wiping behavior, while uncommon, has been seen before,” the researchers noted. “We observed these routines in March 2013 when several attacks hit various South Korean government agencies resulting in major disruptions to their operations. The malware involved in this attack overwrote the MBR with a series of the words PRINCPES, HASTATI, or PR!NCPES. The recent attack on Sony Pictures also exhibited a similar MBR-wiping capability.”

Trend Micro also found similarities to the previous MBR wiper attacks as well. All three attacks overwrite the MBR with certain repeated strings; this attack uses the repeating “Who Am I?” string, while the Sony attack used a repeating 0xAAAAAAAA pattern.

The attack on Sony has caused a further rift between North Korea and the United States, as U.S. President Barack Obama promised last week that the United States would offer a proportional response to North Korea’s involvement in the attack.

North Korea has denied any involvement in the incident. The country began suffering Internet outages this week, though the cause of those outages remains unclear.

“While there are definite similarities in the behavior of all these attacks, this is not enough to conclude that the parties behind the attacks are also related,” according to Trend Micro. “All three attacks have been well documented, and it is possible that the parties behind each attack were “inspired” by the others without necessarily being tied. Without sufficient evidence, we cannot make claims either way.”

“These attacks highlight our findings about the destructive, MBR-wiping malware that appear to have become a part of the arsenal of several threat actors,” the researchers added. “This is a threat that system administrators will have to deal with, and not all targeted attack countermeasures will be effective. Techniques to mitigate the damage that these attacks cause should be considered as a part of defense-in-depth networks.”

Tags:

• Cyberwarfare
• NEWS & INDUSTRY

VMware released a series of updates to address the OpenSSL vulnerability known as Heartbleed in its products in April, but many organizations still haven’t secured their installations, virtualization management firm CloudPhysics reported on Monday.

Based on machine metadata collected from virtualized datacenters, CloudPhysics determined that 57% of VMware vCenter servers and 58% of VMware ESXi hypervisor hosts are still vulnerable to Heartbleed attacks.

“This is a remarkably high percentage given that ESX run the majority of business critical VMs in the world. I speculate that IT teams are more lax about patching ESXi since those machines are typically behind the firewall and not easy to reach from the outside world,” Irfan Ahmad, CTO and co-founder of CloudPhysics, wrote in a blog post.

“However, that laxity doesn’t make the delay in patching a good idea,” he added. “For one thing, insider attacks continue to be a major source of breaches. Another consideration is that if outside attackers do manage to infiltrate a low privilege service inside your firewall, you have just given them carte blanche to attack your most sensitive data.”

According to Ahmad, 40% of the organizations in CloudPhysics’ dataset have at least one vCenter server or ESXi host running a vulnerable version of OpenSSL. By May, over 25% of vCenter servers and ESXi hosts had been patched, but over the next two months, the rate at which organizations were applying the updates had slowed down.

Shortly after the existence of the Heartbleed bug came to light, there were roughly 600,000 vulnerable systems. A couple of months later, Errata Security reported that the number was down to 300,000. However, some experts predict that it will take months, possibly even years, until all systems are patched.

“If insiders, or attackers via insiders, exploit the Heartbleed vulnerability through an untraceable attack they can gain access to mission-critical systems. With the window for the exploit being so large, combined with the current slowness of patching, the severity of an already serious problem is exacerbated,” Ron Zalkind, CTO of cloud data protection company CloudLock, told SecurityWeek.

“Maintaining patches is always prudent, but with an exploit like Heartbleed, its importance cannot be overstated. We strongly encourage organizations to immediately patch their systems per guidance from VMware, with a particular focus on systems that are the most significant to their businesses.”

Eric Chiu, founder and president of cloud control company HyTrust, points out that the traditional approach to security has been to protect the perimeter, which has bred a long-standing misconception that systems within an organization’s datacenter don’t need to be protected.

“However, breaches are not only happening more often and getting bigger, but they’re also primarily happening from the inside. Attackers are using social engineering, phishing, malware and other attack techniques to steal employee or I.T. credentials in order to gain access to networks. Once in, they can move forward, backward or laterally, and siphon large amounts of sensitive data without ever being detected. Given that virtualization is a ‘concentration’ of systems and data, the result is a higher concentration of risk. If an attacker is able to pose as a virtualization admin, for example, that could ultimately be ‘game over’ for a victim company,” Chiu told SecurityWeek.

“Bottom line, organizations need to shift their security strategy from that of just an ‘outside-in’ approach, to an ‘inside-out’ model. They should assume attackers are already inside, in which case access controls, audit logging, alerts and data encryption are important—if not critical… especially in ensuring a secure cloud environment.”

Related: Heartbleed Vulnerability Still Beating Strong

Related: Recovering from Heartbleed: The Hard Work Lies Ahead

Tags:

• NEWS & INDUSTRY
• Cloud Security
• Vulnerabilities

Recent Phishing Attacks Compromised Employee Email, Social Media Accounts at Microsoft

Microsoft on Friday said that attackers breached the email accounts of a “select number” of employees, and obtained access to documents associated with law enforcement inquiries.

According to the company, a number of Microsoft employees were targeted with attacks aiming to compromise both email and social media accounts, and in some cases, the attacks were successful.

“While our investigation continues, we have learned that there was unauthorized access to certain employee email accounts, and information contained in those accounts could be disclosed,” Adrienne Hall, General Manager at Microsoft’s Trustworthy Computing Group, wrote in a blog post. 

“It appears that documents associated with law enforcement inquiries were stolen,” Hall said.

“If we find that customer information related to those requests has been compromised, we will take appropriate action,” Hall continued. “Out of regard for the privacy of our employees and customers – as well as the sensitivity of law enforcement inquiries – we will not comment on the validity of any stolen emails or documents.”

The software giant did not say how many documents might have been obtained or exposed as a result of the attacks, or who they believe may have been behind the attacks.

Targeted attacks like this are not uncommon, especially for an organization like Microsoft. What’s interesting about this is that the incident was significant enough to disclose, indicating that a fair number of documents could have been exposed, or that the company fears some documents will make their way to the public if released by the attackers—which may be the case if this was a “hacktivist” attack.

“In terms of the cyberattack, we continue to further strengthen our security,” Hall continued. “This includes ongoing employee education and guidance activities, additional reviews of technologies in place to manage social media properties, and process improvements based on the findings of our internal investigation.”

In a Microsoft Law Enforcement Requests Report that covered the first half of 2013, Microsoft (including Skype) said that it received 37,196 requests from law enforcement agencies potentially impacting 66,539 accounts.  

Microsoft has recently faced a barrage of attacks claimed by the Syrian Electronic Army (SEA), hackers who support President Bashar al-Assad’s regime. While no attacks have resulted in any significant data loss or company-wide impact, the company did have social media accounts and blogs compromised this month.

It is unclear if the attacks may be related to the Syrian Electronic Army.

SecurityWeek has reached out to Microsoft for additional details and this story will be updated when a response is received.

Related: Yes, Virginia, There Really is Social Engineering

Related: Social Engineering is Alive and Well. How Vulnerable is Your Organization?

Tags:

• NEWS & INDUSTRY
• Cybercrime

BlackBerry today warned that its newest smartphones and tablets are at risk of remote code execution attacks via vulnerabilities in Adobe Flash Player.

According to a BlackBerry advisory, a malicious hacker could booby-trap Adobe Flash content and lure users into visiting rigged Web pages or downloading Adobe Air applications.

“If the requirements are met for exploitation, an attacker could potentially execute code with the rights of the application that opens the specially crafted malicious Flash content,” BlackBerry warned.

From the BlackBerry advisory:

Vulnerabilities exist in the Flash Player version supplied with affected versions of the BlackBerry 10 OS and PlayBook OS. The Flash Player is a cross-platform, browser-based application runtime.

Successful exploitation of these vulnerabilities could potentially result in an attacker executing code in the context of the application that opens the specially crafted Flash content (typically the web browser). Failed exploitation of this issue might result in abnormal or unexpected termination of the application.

In order to exploit these vulnerabilities, an attacker must craft Flash content in a stand-alone Flash (.swf) application or embed Flash content in a website. The attacker must then persuade the user to access the Flash content by clicking a link to the content in an email message or on a webpage, or loading it as part of an AIR application. The email message could be received at a webmail account that the user accesses in a browser on BlackBerry Z10 and BlackBerry Q10 smartphones and BlackBerry tablets.

Affected products include the BlackBerry Z10 and BlackBerry Q10 smartphones and the BlackBerry PlayBook tablet.

The company said it was not aware of any active exploitation of the Flash Player vulnerabilities.

Separately, Adobe shipped a cross-platform Flash Player update to fix at least four vulnerabilities that expose users to hacker attacks. Adobe said the vulnerabilities could be exploited to cause a crash and potentially allow an attacker to take control of the affected system.

Tags:

• Mobile Security
• NEWS & INDUSTRY
• Fraud & Identity Theft
• Wireless Security
• Malware
• Vulnerabilities

Earlier this week, author Pad Honan had the unthinkable happen. Someone experienced his iCloud account, plus they could remotely wipe his apple iphone, iPad and Mac laptop Air and remove his Google account which was mounted on his iCloud account. The first assumption was this happened since the hacker brute-forced his distance to Honan’s account. After a little further digging, it found light the hacker was simply able to utilize social engineering to trick Apple Support into resetting his password.

Around we love to to trumpet using good passwords, this really is one instance by which this will not have designed a difference. You should use the very best password on the planet, but when someone can socially engineer you or someone in the site or service itself to show passwords, it’ll make no difference. That is not to state that strong passwords aren’t important getting a powerful password will safeguard you from nearly all common attacks. However, you should certainly not wager the farm on the password.

You will find numerous questions this raises, obviously:

• What else could you do in order to get over a catastrophic loss of data incident?
• What else could you do in order to safeguard yourself from this kind of attack?
• What’s the probability of this happening in my experience?

Honan learned the response to this primary question hard way: Make regular backup copies in multiple locations. Don’t simply depend around the Cloud to keep your backups–websites aren’t bulletproof, companies go bankrupt, problems happen. Honan may recover the accounts which were jeopardized throughout this hack, but that’s by no means certain in each and every situation. He might not have the ability to recover the year’s price of data he hadn’t supported in another location. (Though he was fortunate the remote wipe didn’t complete, so it might not be lost.)

For that second question, we’ll define the attack like a compromise on any internet account that consists of a great deal of your important data whether that become your contacts, your calendar, entire backup copies, or selected files, or simply links to numerous your other accounts (social media, banking, shopping online, etc). This may be iCloud, this may be Google, it may be a variety of different services.

We must think that you cannot trust the security of the password alone, as that may be stolen by social engineering or hacking of one other sort. But this really is another place in which a layered defense strategy is available in handy. We already covered the necessity to support your computer data in multiple places. But what else are you able to do?

1. Secure because the internet data as possible.