Tag

hacking

Browsing

WIRED has an in-depth article on the recently revealed North Korean hacker group known as APT37 aka ScarCruft aka Group123:

In its analysis of APT37, FireEye provides a rare breakdown of the hacker group’s entire known toolset, from initial infection to final payload. Earlier this month, security firms tracked the group using a zero-day vulnerability in Adobe Flash to spread malware via websites, an unusual use of a still-secret and unpatched software flaw. But in the past, the group has also exploited non-zero-day Flash vulnerabilities that victims have been slow to patch, lingering flaws in the popular Korean Hangul word processor to infect computers via malicious attachments, and even BitTorrent, indiscriminately uploading malware-infected software to piracy sites to trick unwitting users into downloading and installing it.

Once it finds an initial foothold on a victim’s machine, APT37 has a diverse grab bag of spy tools at its disposal. It has installed malware that FireEye calls DogCall, ShutterSpeed, and PoorAim, all of which have the capability of stealing screenshots of a victim’s computer, logging keystrokes, or digging through their files. Another malware sample, ZumKong, is designed to steal credentials out of browser memory. A tool called CoralDeck compresses files and extracts them to the attacker’s remote server. And a piece of spyware FireEye calls SoundWave takes over a victim’s PC microphone to silently record and store eavesdropped audio logs.

Perhaps most disturbing, Hultquist notes, is that APT37 has in some cases also dropped a tool that FireEye calls RUHappy, which has the potential to destroy systems. That wiper malware deletes a portion of the computer’s master boot record and restarts the computer so that it’s left fully paralyzed, displaying only the words “Are You Happy?” on the screen. FireEye notes that it’s never actually seen that malware triggered on a victim’s network—only installed and left as a threat. But Cisco’s Talos researchers noted in their own detailed report on APT37 last month that a 2014 attack on a Korean power plant had indeed left that three-word message on wiped machines, though they weren’t able to otherwise tie that attack to APT37.

It is fascinating how the different groups of hackers within nation state backed organizations use different tactics, techniques, and procedures, thus making it relatively easy for foreign intelligence agencies to track their operations so well. While there is no definitive proof APT37 is who FireEye says they are, there is a good chance this is the real deal. Attribution used to be difficult, but has come a long way in the recent years.

This is one group to watch, especially since they have already targeted Japan. This means there is a possibility they may leverage Tokyo 2020 as a jumping point into Japanese networks.

I bet you did not know there is a billion-dollar company helping governments around the world hack mobile phones for various, likely unnecessary, reasons:

“Mexico and the UAE aren’t the only countries where commercially made, government-only cyberweapons have been aimed at activists and lawyers, and NSO isn’t the only company making this kind of software: Citizen Lab has also helped investigations into abuse of spyware made by the Italian company Hacking Team and the Munich-based Gamma Group.

The Panamanian government has also been caught using Pegasus to hack citizens’ smartphones, alongside a similar weapon by the Italian company Hacking Team called RCS. In 2015, the government of Panama opened an investigation into its former president, Ricardo Martinelli, for running a personal NSO deployment out of a secret office, from which he spied on a number of opponents, including Americans.

The investment firm didn’t comment on the letter or the reasons for its decision not to invest in NSO. But when asked by a reporter for Israel’s Haaretz last month if NSO would have still sold its technology to Mexico in retrospect, one unnamed executive affiliated with the company was emphatic: “No,” they said.

When asked by Reuters about abuses of NSO software in Mexico and elsewhere, he said, “I think people believe that NSO is a company that does good. understand the value that this company has generated for the world. I am extremely proud of NSO.”

Cyber Security researchers are pushing back against Chrysler for mitigating the Jeep vulnerability by mailing a USB drive and hoping customers will plug it in to their vehicles to fix the known problems:

Security pros have long warned computer users not to plug in USB sticks sent to them in the mail—just as they shouldn’t plug in thumb drives given to them by strangers or found in their company’s parking lot—for fear that they could be part of a mass malware mailing campaign. Now Chrysler is asking consumers to do exactly that, potentially paving the way for a future attacker to spoof the USB mailers and trick users into installing malware on their cars or trucks.

“An auto manufacturer is basically conditioning customers into plugging things into their vehicles,” says Mark Trumpbour, an organizer of the New York hacker conference Summercon whose sister-in-law’s husband received the USB patch in the mail Thursday. “This could have the potential to backfire at some point in the future.”

When WIRED reached out to Chrysler, a spokesperson responded that the USB drives are “read-only”—a fact that certainly wouldn’t protect users from a future spoofed USB mailing—and that the scenario of a mailed USB attack is only “speculation.”

While the idea of mailing out a USB drive is not the best method, it likely is the only mechanism Chrysler has in its current arsenal. In the future they need to devise a much more secure method to release these types of security updates.

Forget about the Ashley Madison and Sony hacks, a crippling cyber attack against the United States is imminent and something the entire nation, especially average people, need to start taking seriously (emphasis added):

By 2020 the US will be hit with an earthquake of a cyber-attack that will cripple banks, stock exchanges, power plants and communications, an executive from Hewlett-Packard predicted. Companies are nowhere near prepared for it. Neither are the Feds. And yet, instead of mobilising a national defence, we want a toaster that communicates with the washing machine over the internet.

In many ways the Target event and the dinner demonstrate a kind of collective cognitive dissonance about technology. We’ll eagerly pursue innovations like the internet of things and electronic health records even as we’re increasingly aware of how vulnerable such technology makes us to terrorists and criminals. In fact, the reference to earthquakes was fitting. Scientists have long predicted the “Big One” – a massive earthquake in Seattle or San Francisco that will kill lots of people and cause trillions of dollars of damage. Yet people still build houses and buildings on what is essentially the most dangerous land in the country.

What struck me about the dinner, attended by executives from Hewlett-Packard, software company Cloudera and PayPal, along with academics and investors, was the naked pessimism in the room. Nobody even tried to put a happy face on the situation. “A slow-moving train wreck,” one executive said. Forget about coordinating with each other or the Feds: companies don’t even know how to deal with their own hacks, never mind worry about someone else’s. A whopping 57% of chief executives have not been trained on what to do after a data breach, according to a report by HP. And more than 70% of executives think their companies only partially understand the risks. Buying antivirus software is one thing; deploying an effective strategy is quite another. However, companies don’t even want to admit they were hacked in the first place.

The entire article succinctly captures what many of us in the cyber security deal with each and every day.

It is refreshing to read cyber security news when the journalist understands how the unintended consequences of certain legislation adversely affects the nation. In this case, The Washington Post postulates why cracking down on hackers will ultimately be bad for technological innovation (emphasis added):

The problem is that simply toughening the laws on hackers by extending their scope and reach or extending the prison sentences of hackers is not going to help catch the real hackers — the criminalized, anonymous hackers who operate in places such as China. Instead, they’re more likely to ensnare the likes of hacktivist heroes such as Aaron Swartz.

Getting tough on hackers by extending the definition of what a hacker is would theoretically mean that people who even so much as retweet or click on a link with unauthorized information could be committing a felony. Moreover, the white hat hackers (the “good guys”) could be ensnared as well, since their work, at its core, is indistinguishable from that of the black hat hackers (the “bad guys”).

And that could have a chilling effect on innovation.

That’s because laws and regulations can’t keep up with the pace of technological change and end up either prosecuting the wrong people or prosecuting the right people, but on charges that far exceed the scope of the crime. Consider that the current anti-hacking federal statute, the Computer Fraud and Abuse Act (CFAA), was enacted back in 1986, well before most politicians had ever heard of the Internet.

Two security researchers performed a proof-of-concept hack on a Jeep, remotely controlling in while it was in motion on a highway, proving they could control its dashboard, steering, breaking, and transmission (emphasis added):

Miller and Valasek’s full arsenal includes functions that at lower speeds fully kill the engine, abruptly engage the brakes, or disable them altogether. The most disturbing maneuver came when they cut the Jeep’s brakes, leaving me frantically pumping the pedal as the 2-ton SUV slid uncontrollably into a ditch. The researchers say they’re working on perfecting their steering control—for now they can only hijack the wheel when the Jeep is in reverse. Their hack enables surveillance too: They can track a targeted Jeep’s GPS coordinates, measure its speed, and even drop pins on a map to trace its route.

All of this is possible only because Chrysler, like practically all carmakers, is doing its best to turn the modern automobile into a smartphone. Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs, and trucks, controls the vehicle’s entertainment and navigation, enables phone calls, and even offers a Wi-Fi hot spot. And thanks to one vulnerable element, which Miller and Valasek won’t identify until their Black Hat talk, Uconnect’s cellular connection also lets anyone who knows the car’s IP address gain access from anywhere in the country. “From an attacker’s perspective, it’s a super nice vulnerability,” Miller says.

From that entry point, Miller and Valasek’s attack pivots to an adjacent chip in the car’s head unit—the hardware for its entertainment system—silently rewriting the chip’s firmware to plant their code. That rewritten firmware is capable of sending commands through the car’s internal computer network, known as a CAN bus, to its physical components like the engine and wheels. Miller and Valasek say the attack on the entertainment system seems to work on any Chrysler vehicle with Uconnect from late 2013, all of 2014, and early 2015. They’ve only tested their full set of physical hacks, including ones targeting transmission and braking systems, on a Jeep Cherokee, though they believe that most of their attacks could be tweaked to work on any Chrysler vehicle with the vulnerable Uconnect head unit. They have yet to try remotely hacking into other makes and models of cars.

Imagine how it must feel to suddenly lose complete control over your vehicle while it is traveling over 60mph on a highway. Reading it is scary enough, but living through it must be much more terrifying.

There is a delicate balance between convenience and security. To do things correctly, security needs to be baked in from the beginning rather than duct taped on after the fact. Sounds like Chrysler opted for the latter route.

After a lengthy quiet period, the team responsible for Kali Linux took to their blog today to offer a teaser about the upcoming release day for Kali Linux 2.0:

We’ve been awfully quiet lately, which usually means something is brewing below the surface. In the past few months we’ve been working feverishly on our next generation of Kali Linux and we’re really happy with how it’s looking so far. There’s a lot of new features and interesting new aspects to this updated version, however we’ll keep our mouths shut until we’re done with the release. We won’t leave you completely hanging though…here’s a small teaser of things to come!

If you are unfamiliar with Kali Linux, it is the best penetration testing and white-hat hacking Linux distribution available. It comes built with Metasploit and tons of other tools to help make ethical hacking a lot easier and more productive.

Hillary Clinton, presidential candidate, has decided to jump into the deep end of a cesspool, publicly accusing China of being responsible for the recent massive OPM hack placing many current and former government employees at great risk:

Mrs Clinton said: “They’re trying to hack into everything that doesn’t move in America … stealing huge amounts of government information all looking for an advantage. Make no mistake, they know they’re in competition — and they’re gonna do everything they can to win.”

She also said she was hopeful the US could reach a “strong verifiable deal” to curb Iran’s nuclear weapons program by next week’s deadline, but added: “Even if we are successful, however, Iran’s aggressiveness will not end.”

As US secretary of state, Mrs Clinton helped set in motion the talks that are nearing completion in Vienna. She said Iran ramped up its nuclear capabilities during president George W. Bush’s two terms, building covert facilities and intimidating its neighbours.

“The Bush administration’s respons­e through diplomacy was somewhat half-hearted,” Mrs Clinton said, adding that the “only response” was to level punitive sanctions on Iran.

The Christian Science Monitor on how mercenary hackers are proving to be an elusive, and challenging foe:

One reason it’s so difficult to attribute breaches such as the Office of Personnel Management or the Anthem hacks to a particular country – China being suspect in both of those cases – is because freelance hackers are skilled at carrying out attacks that leave behind little direct evidence connecting them to their sponsors.

It’s gotten to the point where the talent is so plentiful online that many nation-states, militant groups, and organized crime syndicates don’t actually need to train or develop their own teams of skilled hackers. The “talent” can be outsourced from around the world.

“North Korea doesn’t need to use hackers that even set foot in North Korea,” says Fred Cate, director of the Center for Applied Cybersecurity Research at Indiana University. “Bright young talent can be contracted online, and this attack vector can be fully conducted remotely and paid by the operation.”

As I have said many times before, attribution is very tricky.

Buzzfeed, of all places, has an interesting article introducing a mysterious new hacker army freaking out the Middle East:

But the campaign continued to build. Twitter accounts were created calling for hackers to attack Saudi targets rallying around the hashtag #OpSaudi. On May 20, the Saudi foreign ministry was hacked. The next day, a story appeared on Iran’s state-run FARS news agency, the first media mention of the group (followed quickly by a second press mentionon Russia Today). The FARS story credited the Yemen Cyber Army with carrying out the hack of the Saudi foreign ministry and said it would soon be releasing personal information about Saudi federal employees as well as diplomatic correspondence. In the week that followed, documents surfaced in Pastebin accounts with passport information that appeared to come from the Saudi foreign ministry.

Fast forward to one month later, when Wikileaks announced it would make public roughly one million diplomatic cables from Saudi Arabia’s foreign ministry. Wikileaks’ press release mentions that “a group calling itself the Yemen Cyber Army was responsible for breaching the Saudi Foreign Ministry,” but stops short of naming the group as the source of the documents being uploaded to Wikileaks. The documents range from cables outlining Saudi Arabia’s funding of Islamist groups in the region, to a request from Osama bin Laden’s son for his father’s death certificate. It was the first news-making event for Wikileaks since November 2013.

Who is the shadowy group that appears to have launched a full-scale digital campaign to expose, or at least embarrass, Saudi Arabia?

I am surprised to see such an interesting, and well written, cyber security story on Buzzfeed.

Asher DeMetz of Forbes on the three best hacking techniques to create a security breach:

I find that good, law-abiding citizens are fascinated by what I do. I’m a penetration tester, a.k.a. “white hat” or “ethical” hacker. In other words, companies hire me to break into their systems for a living to demonstrate where there are vulnerabilities. (I can’t believe I get paid for doing this!) If you want to avoid a cyber security breach at your company, I recommend that you understand – and guard against – three hacking techniques that your enemies (the “black hat” hackers) use every day.

First, let’s set the stage. Let’s say that your company is Big Boxes 4U, a major mass-market retailer with more than 1,500 locations in the United States. Your innovative designer partnerships, high-quality product mix, and great customer service have earned you a loyal customer following.

You capture customer information every day at the point of sale, including both in-store and online purchases. The result is a central database that houses a collection of valuable customer information that gives insight into how your customers shop, what they buy, and what products and services they prefer. Just as you value this information, so do hackers. Here’s how they create a cyber security breach.

This is a good, quick read for those who do not really understand hacking techniques and how malicious actors perform some of their cyber operations. It is fairly standard fare if you already are in the industry, but educational if you are unaware of the simple tradecraft.

Brian Krebs on what appears to be even more evidence of mSpy apathy over their recent breach:

Mobile spyware maker mSpy has expended a great deal of energy denying and then later downplaying a breach involving data stolen from tens of thousands of mobile devices running its software. Unfortunately for victims of this breach, mSpy’s lackadaisical response has left millions of screenshots taken from those devices wide open and exposed to the Internet via its own Web site.

he mSpy data was leaked to the Deep Web, where hundreds of gigabytes of files, chat logs, location records and other data was dumped after the company reportedly declined to comply with extortion demands made by hackers who’d broken into mSpy’s servers. Included in that huge archive is a 13 gigabyte (compressed) directory referencing countless screen shots taken from devices running mSpy’s software — including screen shots taken secretly by users who installed the software on a friend or partner’s device.

Previous coverage is here.

The Associated Press reports on the IRS tracing the identity thieves to Russia, a country commonly known for their penchant to conduct cyber-based criminal activity:

But two officials briefed on the matter said Wednesday the IRS believes the criminals were in Russia, based on computer data about who accessed the information. The officials spoke on condition of anonymity because they were not authorized to publicly discuss the ongoing investigation.

The revelation highlights the global reach of many cyber criminals. And it’s not the first time the IRS has been targeted by identity thieves based overseas.

In 2012, the IRS sent a total of 655 tax refunds to a single address in Lithuania, and 343 refunds went to a lone address in Shanghai, according to a report by the agency’s inspector general. The IRS has since added safeguards to prevent similar schemes, but the criminals are innovating as well.

The information was taken from an IRS website called “Get Transcript,” where taxpayers can get tax returns and other tax filings from previous years. In order to access the information, the thieves cleared a security screen that required detailed knowledge about each taxpayer, including their Social Security number, date of birth, tax filing status and street address.

No surprises here.

Cory Bennett of The Hill discusses how the IRS cyber theft tactics could work at any United States government agency:

The IRS revealed Tuesday that cyber crooks, likely backed by an organized crime syndicate, had accessed returns for roughly 104,000 taxpayers through the agency’s “Get Transcript” feature.

The scheme appeared to be part of a larger plot to file fraudulent tax returns and collect illegitimate refunds.

But the digital thieves didn’t actually break into the IRS’s database. They simply imitated individuals using information culled from the vast trove of personal data being traded on the dark Web after numerous company data breaches in recent years.

Any federal agency with valuable data could fall victim to the same maneuver, experts explained.

“The possibility of the same tactic being reprised at other agencies that have public-facing missions, I think, is very high,” said Jim Penrose, a former head of the National Security Agency’s Operational Discovery Center and now an executive vice president at cybersecurity firm DarkTrace.

It is absolutely true. The US government has a fairly standard cyber security posture across the board, and is likely open to the same types of attacks no matter what agency we are talking about with the one possible exception being the Department of Defense.