Today Kamkar released the schematics and code for a proof-of-concept device he calls PoisonTap: a tiny USB dongle that, whether plugged into a locked or unlocked PC, installs a set of web-based backdoors that in many cases allow an attacker to gain access to the victim’s online accounts, corporate intranet sites, or even their router. Instead of exploiting any glaring security flaw in a single piece of software, PoisonTap pulls off its attack through a series of more subtle design issues that are present in virtually every operating system and web browser, making the attack that much harder to protect against.
“In a lot of corporate offices, it’s pretty easy: You walk around, find a computer, plug in PoisonTap for a minute, and then unplug it,” Kamkar says. The computer may be locked, he says, but PoisonTap “is still able to take over network traffic and plant the backdoor.”
Having physical access to a PC generally results in increased risk. So it should not be much of a surprise this is possible from an access perspective, but only from an operating system or browser vulnerability context.
The attack leverages a downloader called Nemucod, which is delivered via Facebook Messenger as a .svg file.
If accessed, the malicious image will direct the victim to a website that appears to be YouTube in design only, as it’s hosted on a completely different URL.
Once the page is loaded, the victim is asked to install a codec in order to play the video that’s shown on the page.
If the codec (presented as a Chrome extension) is installed, the attack is this spread further via Facebook Messenger. Sometimes the malicious Chrome extension installs the Nemucod downloader, which ultimately delivers Locky.
There are a lot of moving parts to delivering Locky in this manner. In addition, anecdotally anyhow, I believe most people use Facebook Messenger on their mobile devices rather than via the web so I wonder about the effectiveness of this attack. Unfortunately, there are a lot of folks who do not pay close enough attention and will allow the codec to install without nary a second thought, and thus allow this exploit to succeed.
One of the exploits – which targets a memory corruption vulnerability in the GStreamer framework that by default ships with many mainstream Linux distributions – is also noteworthy for its elegance. To wit: it uses a rarely seen approach to defeat address space layout randomization and data execution prevention, which are two of the security protections built in to Linux to make software exploits harder to carry out. ASLR randomizes the locations in computer memory where software loads specific chunks of code. As a result, code that exploits existing flaws often results in a simple computer crash rather than a catastrophic system compromise. Meanwhile, DEP, which is often referred to as NX or No-Execute, blocks the execution of code that such exploits load into memory.
Since BitSight and its subsidiary company Anubis Networks took possession of the two preconfigured domains, more than 2.8 million devices have attempted to connect in search of software that can be executed with unfettered “root” privileges, the researchers said. Had malicious parties obtained the addresses before BitSight did, the actors could have installed keyloggers, bugging software, and other malware that completely bypassed security protections built into the Android operating system. The almost three million devices remain vulnerable to so-called man-in-the-middle attacks because the firmware—which was developed by a Chinese company called Ragentek Group—doesn’t encrypt the communications sent and received to phones and doesn’t rely on code-signing to authenticate legitimate apps. Based on the IP addresses of the connecting devices, vulnerable phones hail from locations all over the world, with the US being the No. 1 affected country.
“The thing that scares us is a lot of these users will be unaware of the vulnerability, and they will never get an update,” BitSight CTO Stephen Boyer told Ars. “This is full system compromise. This is at the root level. [Attackers with a MitM position] can do anything.”
I wonder how many nation state actors are actively using this exploit?
“[Organizations] are getting hit; they’re often catastrophic events, and that’s why we’re being as aggressive as we can be,” says Kramer, who supervises a squad of FBI agents and analysts in New York. The FBI’s primary goals: to ensure greater engagement between ransomware targets and the FBI as well as to improve general preparedness for these attacks.
One key challenge that healthcare entities, in particular, face is balancing the needs for speed and security. “There’s often a disconnect between the need for security and the need to get access to information quickly,” Kramer says. “They’re often at odds, and there’s an evolution underway in terms of rethinking some things … to make sure that networks are secure.”
Ransomeware seems to be affecting the healthcare industry far more than other areas, and I really have to wonder the reason. On the one hand I understand there is a need for speedy operations. On the other cyber should be there not only for protection, but to act as an enabler as well.
Healthcare needs to get its act together, and quickly, otherwise we are all going to be reading about a major medical company related cyber event quite soon.
The campaign, called Realstatistics, has tainted thousands of sites built on both Joomla! and WordPress content management systems. Researchers with security company Sucuri observed the campaign injecting bogus analytics code, including the url realstatistics[.]info, into the PHP template of infected sites over the past few days.
Like practically every strain of ransomware, Cryptobit urges victims to contact the cybercriminals in order to restore their files. The ransom note – which appears on victims’ desktops – doesn’t specify how much, or what denomination, to pay in order to get their files back however. Some of the first Cryptobit infections were discovered in April; at the time the ransomware was using both AES and RSA to encrypt files, something that makes it more difficult to decrypt the data.
Criminals were pushing Cryptobit hard for more than a week; Duncan said he spotted eight different samples of the ransomware variant pop up over the course of 10 days. The campaign shifted to distributing other malware at the end of June, however, he said.
The first one, dubbed Eleanor by researchers at antivirus provider Bitdefender, is hidden inside EasyDoc Converter, a malicious app that is, or at least was, available on a software download site called MacUpdate. When double clicked, EasyDoc silently installs a backdoor that provides remote access to a Mac’s file system and webcam, making it possible for attackers to download files, install new apps, and watch users who are in front of an infected machine. Eleanor communicates with control servers over the Tor anonymity service to prevent them from being taken down or being used to identify the attackers.
“This type of malware is particularly dangerous as it’s hard to detect and offers the attacker full control of the compromised system,” Tiberius Axinte, technical leader of the Bitdefender Antimalware Lab, said in a blog post published Wednesday. “For instance, someone can lock you out of your laptop, threaten to blackmail you to restore your private files or transform your laptop into a botnet to attack other devices.”
Personally, I do not use anti-virus on a Mac, nor do I recommend it. Stick with the default OS X settings, and use common sense, and you should be safe.
There are many tools that allow to generate backdoors and they are used during a penetration testing program or security awareness where the presenter demonstrate how it is easy to have a full control on a remote vulnerable system.
The main purposes of backdoors is to create a connection to victim machine and run some commands remotely, send files to victim computer , rebooting the system or even modifying the system passwords. If you are looking for similar tool you can check GCAT.
GCAT is a fully featured backdoor that uses Gmail as a C&C server. All you have to do is to create a Gmail account that will be used to send instruction to remote system. This helps to cover track Also it will make your server up and reachable anytime without non standard ports that can be blocked by the firewall.
Prosecutors said that as far back as 2003, the men worked to install “sniffers” designed to comb through and steal data from computer networks of financial companies, payment processors and retailers.
Prosecutors said the defendants then used an array of computers to store and ultimately sell data they collected.
They said Smilianets was in charge of sales, selling data to trusted identity theft wholesalers, selling credit card numbers for $10 to $50 a piece depending on country of origin.
The scheme ultimately caused banks and credit card companies to suffer hundreds of millions in losses, including more than $300 million reported by three companies alone, prosecutors said.
Sixteen companies’ networks were infiltrated, including those of Nasdaq OMX Group Inc, 7-Eleven, France’s Carrefour SA, JC Penney Co, JetBlue Airways Corp, a Visa Inc licensee, and Heartland Payment Systems Inc, prosecutors said.
Smilianets faces up to 30 years in prison when he is sentenced by U.S. District Judge Jerome Simandle on Jan. 13. His lawyer did not immediately respond to a request for comment.
For the past seven years, a cyber-espionage group operating out of Russia—and apparently at the behest of the Russian government—has conducted a series of malware campaigns targeting governments, political think tanks, and other organizations. In a report issued today, researchers at F-Secure provided an in-depth look at an organization labelled by them as “the Dukes,” which has been active since at least 2008 and has evolved into a methodical developer of “zero-day” attacks, pulling together their own research with the published work of other security firms to provide a more detailed picture of the people behind a long-running family of malware.
Characterized by F-Secure researchers as a “well resourced, highly dedicated and organized cyberespionage group,” the Dukes have mixed wide-spanning, blatant “smash and grab” attacks on networks with more subtle, long-term intrusions that harvested massive amounts of data from their targets, which range from foreign governments to criminal organizations operating in the Russian Federation. “The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks and governmental subcontractors,” the F-Secure team wrote. “Their targets have also included the governments of members of the Commonwealth of Independent States; Asian, African, and Middle Eastern governments; organizations associated with Chechen terrorism; and Russian speakers engaged in the illicit trade of controlled substances and drugs.”
The first known targets of the Dukes’ earliest-detected malware, known as PinchDuke, were some of the first known targets and were associated with the Chechen separatist movement. By 2009 the Dukes were going after Western governments and organizations in search of information about the diplomatic activities of the United States and the North Atlantic Treaty Organization. While most of the attacks have used spear phishing e-mails as the means of injecting malware onto targeted systems, one of their attacks has spread malware through a malicious Tor exit node in Russia, targeting users of the anonymizing network with malware injections into their downloads.
While posing as a legal or governmental authority to intimidate the victim into paying up is not new, the use of Extensible Messaging and Presence Protocol (XMPP), the instant messaging protocol used by Jabber and previously by GTalk, is a shift in tactics to evade detection by anti-malware tools. XMPP communication makes it more difficult for security and anti-malware tools to catch the ransomware before it can communicate with its command and control network because it conceals the communication in a form that looks like normal instant message communications.
Most previous ransomware packages have communicated with a website over HTTPS to obtain encryption keys; those websites can generally be identified by their URLs, IP addresses, or the signature of their Web requests and then blocked. An application making a secure HTTP request to a suspicious destination would be a good sign that something bad was afoot. But the XMPP communications channel used by the new Simplocker variant uses an external Android library to communicate with the command and control network through a legitimate messaging relay server. And these messages can be encrypted using Transport Layer Security (TLS). The messages were pulled from the command and control network by the operators of the scheme via Tor.
The vulnerability is reminiscent of a critical flaw exploited around 2008 by an NSA-tied hacking group dubbed Equation Group and later by the creators of the Stuxnet computer worm that disrupted Iran’s nuclear program. The vulnerability—which resided in functions that process so-called .LNK files Windows uses to display icons when a USB stick is plugged in—allowed the attackers to unleash a powerful computer worm that spread from computer to computer each time they interacted with a malicious drive.
When Microsoft patched the .LNK vulnerability in 2010 with MS10-046, company officials classified the vulnerability as “critical,” the company’s highest severity rating. The classification seemed appropriate, considering the success of the .LNK exploits in infecting large numbers of air-gapped computers. For reasons that aren’t clear, Tuesday’s vulnerability has been rated “important,” Microsoft’s second-highest severity rating. Update: As Virus Bulletin researcher Martijn Grooten pointed out, the .LNK vulnerability was remotely exploitable, allowing it to infect millions of people. By contrast, the bug patched Tuesday appears to require a USB stick, a requirement that would greatly limit the scale of attacks. That’s the likely reason for the lower severity rating.
This vulnerability exists in just about every version of Windows capable of mounting USB drives.
The Gameover Zeus botnet owners looked at their operation as a complete criminal organization, owned all the assets and put them all under one roof, Elliott noted. “They were very centralized, which made it good for them from a logistics standpoint and very good for us in law enforcement.”
One of the principal servers used by Gameover Zeus was referred to by the botnet owners as the “Business Club.” Through the Business Club, the FBI was able to connect the dots across attacks and victims. There was a full ledger system in place that kept accurate track of all the fraud committed by the Gameover Zeus botnet, Elliott said.
As to how the FBI actually identified the individuals responsible, Elliott said the criminals weren’t part-time criminals; cybercrime was their full-time job. That’s how the FBI was able to identify Evgeniy Bogachev as the kingpin behind the Gameover Zeus botnet.
“One of the things we try to do as law enforcement is work ourselves in, so we can attack the seams between their personal life and their criminal life,” Elliott said. “Fortunately Bogachev was a user of VPNs, and he liked to use the same VPNs to log into his personal accounts as he would to administrate the backend of the botnet servers.”
The FBI did a botnet takeover in June of 2014 to protect victims and stop future fraud.
Hammertoss implements an algorithm that generates new Twitter handles every day, in this way the C&C server can communicate with Hammertoss by using specific Twitter accounts managed by the APT 29.
The hackers include the command for Hammertoss instances in a tweet containing a URL and a hashtag. The URL leads to an image on a different server that contains data hidden through a steganographic technique.
The hashtag is used to encode the file size of the image and a few characters that should be added to the decryption key stored within Hammertoss in order to allow the extraction of the hidden data.
“The HAMMERTOSS backdoor generates and looks for a different Twitter handle each day. It uses an algorithm to generate the daily handle, such as “234Bob234”, before attempting to visit the corresponding Twitter page. If the threat group has not registered that day’s handle, HAMMERTOSS will wait until the next day and look for a different handle” continues the report.
The experts noticed that APT 29 adopted several techniques to remain under the radar, for example Hammertoss is usually only active during the normal working day for infected organization, in this way the malicious traffic results quite difficult to detect.
A quick review of the Black Vine timeline helps underscore the significant resources the group possessed. In late December 2012, independent security researcher Eric Romang uncovered the compromise of domain name capstoneturbine.com, which is owned and operated by Capstone Turbine, a maker of gas turbines used by energy companies. As a result, anyone who visited Capstone Turbine’s website using Microsoft’s Internet Explorer browser was infected with a backdoor that Symantec researchers have dubbed Sakurel.
The “watering hole” attack—so called because it targeted a website frequented by people in the energy and aerospace industries—exploited what in 2012 was an unknown vulnerability in IE, CVE-2012-4792. Further demonstrating Black Vine’s resources, the Sakurel malware the exploit installed was digitally signed using a certificate issued to an organization called Micro Digital Inc. to bypass Windows security checks. In the last week of 2012, Black Vine targeted a second turbine power and technology manufacturer, an indication that the hackers’ primary interest at the time was related to energy. In February 2014, as the group compromised the website of a European aerospace company, the hackers exploited a newer zero-day vulnerability in IE, this time CVE-2014-0322.
This does not come as a surprise. Once a group finds and leverages an attack technique, often times they will share the code or exploit with their peers, primarily as a way of bragging about their findings.