, 27/10/2016 | Source: The Hacker News
Pierluigi Paganini, 27/10/2016 | Source: Security Affairs
The threat actor behind the Blackgear cyber-espionage campaign now targeting Japanese entities is the same one that hit Taiwan in 2012.
According to security experts from Trend Micro, Japanese organizations were targeted in an espionage campaign dubbed Blackgear.
The attackers behind Blackgear appear to be the same group that targeted users in Taiwan in 2012, when they used a well-known strain of malware detected by many security firms as Elirks.
The attack vectors are spear-phishing emails and compromised websites that serve the malware in watering-hole attacks. The compromised websites deliver a malicious binary that drops decoy documents together with downloaders, which in turn fetch the group's backdoors (Elirks and Ymalr).
The researchers noticed that both Elirks and Ymalr use blogging services as part of their command-and-control (C&C) infrastructure: the malware reads the address of the real C&C server from a blog post, which makes detection harder, keeps the server's location hidden and lets the attackers change servers simply by editing the post.
“BLACKGEAR is an espionage campaign which has targeted users in Taiwan for many years. Multiple papers and talks have been released covering this campaign, which used the ELIRKS backdoor when it was first discovered in 2012. It is known for using blogs and microblogging services to hide the location of its actual command-and-control (C&C) servers. This allows an attacker to change the C&C server used quickly by changing the information in these posts,” reads the blog post published by Trend Micro.
“Like most campaigns, BLACKGEAR has evolved over time. Our research indicates that it has started targeting Japanese users.”
The researchers believe that BLACKGEAR has evolved over time and that the threat actors behind it have now turned to Japan: the decoy documents used in the attacks are written in Japanese, and the blogging services used as part of the C&C infrastructure are based in Japan.
Experts from Palo Alto Networks reached the same conclusion after observing attacks against organizations in Japan this summer that shared many similarities with earlier attacks against targets in Taiwan.
The post Hackers behind the BLACKGEAR espionage campaign now targets Japan appeared first on Security Affairs.
BrianKrebs, 27/10/2016 | Source: Krebs on Security
It may soon become easier for Internet service providers to anticipate and block certain types of online assaults launched by Web-based attack-for-hire services known as “booter” or “stresser” services, new research released today suggests.
The findings come from researchers in Germany who’ve been studying patterns that emerge when miscreants attempt to mass-scan the entire Internet looking for systems useful for launching these digital sieges — known as “distributed denial-of-service” or DDoS attacks.
To understand the significance of their research, it may help to briefly examine how DDoS attacks have evolved. Not long ago, if one wanted to take down a large Web site, one had to build and maintain a large robot network, or “botnet,” of hacked computers — which is a fairly time-intensive, risky and technical endeavor.
These days, however, even the least sophisticated Internet user can launch relatively large DDoS attacks just by paying a few bucks for a subscription to one of dozens of booter or stresser services, some of which even accept credit cards and PayPal payments.
These Web-based DDoS-for-hire services don’t run on botnets: They generally employ a handful of powerful servers that are rented from some dodgy “bulletproof” hosting provider. The booter service accepts payment and attack instructions via a front end Web site that is hidden behind Cloudflare (a free DDoS protection service).
But the back end of the booter service is where the really interesting stuff happens. Virtually all of the most powerful and effective attack types used by booter services rely on a technique called traffic amplification and reflection, in which the attacker can reflect or “spoof” his traffic from one or more third-party machines toward the intended target.
In this type of assault, the attacker sends a message to a third party, while spoofing the Internet address of the victim. When the third party replies to the message, the reply is sent to the victim — and the reply is much larger than the original message, thereby amplifying the size of the attack.
To find vulnerable systems that can be leveraged this way, booters employ large-scale Internet scanning services that constantly seek to refresh the list of systems that can be used for amplification and reflection attacks. They do this because, as research has shown (PDF), anywhere from 40-50 percent of the amplifiers vanish or are reassigned new Internet addresses after one week.
Enter researchers from Saarland University in Germany, as well as the Yokohama National University and National Institute of Information and Communications Technology — both in Japan. In a years-long project first detailed in 2015, the researchers looked for scanning that appeared to be kicked off by ne’er-do-wells running booter services.
To accomplish this, the research team built a kind of distributed “honeypot” system — which they dubbed “AmpPot” — designed to mimic services known to be abused for amplification attacks, such as DNS and NTP.
“To make them attractive to attackers, our honeypots send back legitimate responses,” the researchers wrote in a 2015 paper (PDF). “Attackers, in turn, will abuse these honeypots as amplifiers, which allows us to observe ongoing attacks, their victims, and the DDoS techniques. To prevent damage caused by our honeypots, we limit the response rate. This way, while attackers can still find these ratelimited honeypots, the honeypots stop replying in the face of attacks.”
In that 2015 paper, the researchers said they deployed 21 globally-distributed AmpPot instances, which observed more than 1.5 million attacks between February and May 2015. Analyzing the attacks more closely, they found that more than 96% of the attacks stem from single sources, such as booter services.
“When focusing on amplification DDoS attacks, we find that almost all of them (>96%) are caused by single sources (e.g. booters), and not botnets,” the team concluded. “However, we sadly do not have the numbers to compare this [to] DoS attacks in general.”
Many large-scale Internet scans like the ones the researchers sought to measure are launched by security firms and other researchers, so the team needed a way to differentiate between scans launched by booter services and those conducted for research or other benign purposes.
“To distinguish between scans performed by researchers and scans performed with malicious intent we relied on a simple assumption: That no attack would be based on the results of a scan performed by (ethical) researchers,” said Johannes Krupp, one of the main authors of the report. “In fact, thanks to our methodology, we do not have to make this distinction upfront, but we can rather look at the results and say: ‘We found attacks linked to this scanner, therefore this scanner must have been malicious.’ If a scan was truly performed by benign parties, we will not find attacks linked to it.”
What’s new in the paper being released today by students at Saarland University’s Center for IT-Security, Privacy and Accountability (CISPA) is the method by which the researchers were able to link these mass-scans to the very amplification attacks that follow soon after.
The researchers worked out a way to have the AmpPot honeypots respond selectively, so that each scan source is shown its own subset of honeypots; any later attack that abuses exactly that subset therefore carries a secret identifier pointing back to the scanner. They then tested whether the scan infrastructure was also used to actually launch (and not just to prepare) the attacks.
Their scheme also rested on the idea that traffic from the same source should travel similar Internet distances to reach the globally distributed AmpPot sensors. To measure this, they looked at the number of “hops,” or network segments, that each scan and each attack had to traverse.
Using trilateration (the process of determining absolute or relative locations of points by measuring distances), the research team was able to link scanners to attack origins based on these hop counts.
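The scan-to-attack linkage described above, as an added example that is not part of the original post or of the researchers' code: a toy Python model of (a) a rate-limited honeypot amplifier, the damage-prevention measure from the 2015 AmpPot paper, and (b) linking an attack to the scanner that found the honeypots, using a per-scanner honeypot subset plus agreement of per-sensor hop counts inferred from TTLs. The sensor names, IP addresses, hop counts and the HMAC-based subset selection are constructed assumptions; the real system's encoding may differ.

```python
"""Toy model of rate-limited amplification honeypots and of linking an
amplification attack back to the scanner that discovered the honeypots.
Illustrative code written for this page, not the AmpPot project's code;
sensors, IPs, hop counts and the HMAC subset scheme are constructed."""
import hmac
import time

HONEYPOTS = [f"hp{i:02d}" for i in range(12)]      # constructed sensor IDs
INITIAL_TTLS = (32, 64, 128, 255)                 # common OS initial TTLs
SECRET = b"constructed-per-deployment-secret"     # assumption: held by operators


class RateLimitedAmplifier:
    """Answers each source at most `limit` times per `window` seconds: a
    scanner's few probes get real replies (so the sensor is 'discovered'),
    but a flood of spoofed requests is mostly dropped, so the honeypot sees
    the attack without contributing much traffic to it."""

    def __init__(self, limit=5, window=60.0):
        self.limit, self.window = limit, window
        self.seen = {}  # source -> timestamps of answered requests

    def allow(self, src, now=None):
        now = time.monotonic() if now is None else now
        hits = [t for t in self.seen.get(src, []) if now - t < self.window]
        if len(hits) < self.limit:
            hits.append(now)
        self.seen[src] = hits
        return hits[-1] == now if hits else False


def responding_subset(scanner_ip):
    """Selective response: which sensors answer this scanner.  Derived from a
    keyed hash of the scanner IP, so it is stable per scanner, differs between
    scanners and is unpredictable without SECRET.  The subset an attack later
    abuses therefore fingerprints the scanner that found it."""
    mask = int.from_bytes(hmac.new(SECRET, scanner_ip.encode(), "sha256").digest()[:2], "big")
    mask |= 1 << (mask % len(HONEYPOTS))  # never hand out an empty subset
    return frozenset(h for i, h in enumerate(HONEYPOTS) if (mask >> i) & 1)


def hops_from_ttl(observed_ttl):
    """Infer hop count from a received TTL, assuming the sender started at the
    smallest common initial TTL that is not below the observed value."""
    for init in INITIAL_TTLS:
        if observed_ttl <= init:
            return init - observed_ttl
    raise ValueError(f"impossible TTL {observed_ttl}")


def link_attack(attack_ttls, scan_ttls, max_hop_delta=1):
    """attack_ttls: {sensor: TTL seen on the spoofed attack packets}
    scan_ttls:   {scanner_ip: {sensor: TTL seen on that scanner's probes}}
    Step 1 keeps scanners whose responding subset equals the set of sensors
    the attack abused.  Step 2 (trilateration by distance) requires the
    per-sensor hop counts of scan and attack to agree within max_hop_delta.
    Returns the single matching scanner IP, or None if zero or several match."""
    abused = frozenset(attack_ttls)
    matches = []
    for scanner_ip, ttls in scan_ttls.items():
        if responding_subset(scanner_ip) != abused:
            continue
        deltas = [abs(hops_from_ttl(attack_ttls[h]) - hops_from_ttl(ttls[h]))
                  for h in abused if h in ttls]
        if deltas and max(deltas) <= max_hop_delta:
            matches.append(scanner_ip)
    return matches[0] if len(matches) == 1 else None


def build_scenario():
    """Constructed data: three scanners probing from different distances, one
    attack launched from the first scanner's network and one from an unrelated
    network.  Returns (scan_ttls, attack_same_net, attack_other_net, true_scanner)."""
    scanners = ["198.51.100.7", "203.0.113.42", "192.0.2.99"]  # TEST-NET addresses
    scan_ttls = {}
    for k, ip in enumerate(scanners):
        hops = {h: 9 + (i + 3 * k) % 7 for i, h in enumerate(HONEYPOTS)}  # 9..15 hops
        scan_ttls[ip] = {h: 64 - hops[h] for h in responding_subset(ip)}
    true_scanner = scanners[0]
    attack_same = {h: ttl - 1 for h, ttl in scan_ttls[true_scanner].items()}    # one hop off
    attack_other = {h: ttl - 10 for h, ttl in scan_ttls[true_scanner].items()}  # far away
    return scan_ttls, attack_same, attack_other, true_scanner


if __name__ == "__main__":
    scan_ttls, same, other, scanner = build_scenario()
    print("same-network attack ->", link_attack(same, scan_ttls))
    print("unrelated attack    ->", link_attack(other, scan_ttls))
```

The second attack in the scenario abuses the same sensors as the first but arrives with a path roughly ten hops longer, so the subset fingerprint alone would misattribute it; the hop-count check is what rejects it. In a real deployment the hop tolerance has to absorb route changes between scan and attack, which is why the authors combine both signals rather than trusting either one.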
These methods revealed some 286 scanners that are used by booter services in preparation for launching amplification attacks. Further, they discovered that roughly 75 percent of those scanners are located in the United States.
The researchers say they were able to confirm that many of the same networks that host scanners are also being used to launch the attacks. More significantly, they were able to attribute approximately one-third of the attacks back to their origin.
“This is an impressive result, given that the spoofed source of amplification attacks usually remains hidden,” said Christian Rossow of Saarland University.
Rossow said the team hopes to conduct further research on their methods to more definitively tie scanning and attack activity to specific booter services by name. The group is already offering a service to hosting providers and ISPs to share information about incidents (such as attack start and end times). Providers can then use the attack information to inform their customers or to filter attack traffic.
“We have shared our findings with law enforcement agencies — in particular, Europol and the FBI — and a closed circle of tier-1 network providers that use our insights on an operational basis,” the researchers wrote. “Our output can be used as forensic evidence both in legal complaints and in ways to add social pressure against spoofing sources.”
Even if these newly described discovery methods were broadly deployed today, it’s unlikely that booter services would go away anytime soon. But this research certainly holds the promise that booter service owners will be less able to hide the true location of their operations going forward, and that perhaps more of them will be held accountable for their crimes.
Efforts by other researchers have made it more difficult for booter and stresser services to accept PayPal payments, forcing more booters to rely on Bitcoin.
Also, there are a number of initiatives that seek to identify a handful of booter services which resell their infrastructure to other services who brand and market them as their own. Case in point, in September 2016 I published an expose on vDOS, a booter service that earned (conservatively) $600,000 over two years helping to launch more than 150,000 DDoS attacks.
Turns out, vDOS’s infrastructure was used by more than a half-dozen other booter services, and shortly after vDOS was taken offline most of those services went dark or were dismantled as well.
One major shift that could help to lessen the appeal of booter services — both for the profit-seeking booter proprietors and their customers — is a clear sign from law enforcement officials that this activity is in fact illegal and punishable by real jail time. So far, many booter service owners have been operating under the delusion or rationalization that their services are intended solely for Web site owners to test the ability of their sites to withstand data deluges. The recent arrest of two alleged Lizard Squad members who resold vDOS services through their own “PoodleStresser” service is a good start.
Many booter operators apparently believe (or at least hide behind) a wordy “terms of service” agreement that all customers must acknowledge somehow absolves them of any sort of liability for how their customers use the service — regardless of how much hand-holding and technical support they offer those customers.
Indeed, the proprietors of vDOS — who were arrested shortly after my story about them — told the Wall Street Journal through their attorneys that, “If I was to buy a gun and shoot something, is the person that invents the gun guilty?”
The alleged proprietors of vDOS — 18-year-old Israelis Yarden Bidani and Itay Huri — were released from house arrest roughly ten days after their initial arrest. To date, no charges have been filed against either man, but I have reason to believe that may not be the case for long.
Meanwhile, changes may be afoot for booter services advertised at Hackforums[dot]net, probably the biggest open-air online marketplace where booter services are advertised, compared and rated (hat tip to @MalwareTechblog). Earlier this week, Hackforums administrator Jesse “Omniscient” LaBrocca began restricting access to its “stressers” subsection of the sprawling forum, and barring forum members from advertising booter services in their user profiles.
“I can absolutely see a day when it’s removed entirely,” LaBrocca said in a post explaining his actions. “Could be very soon too.”
My worry is that we may soon see a pendulum shift in the way that many booter services operate. For now, the size of attacks launched by booter services is somewhat dependent on the number and power of the back-end servers used to initiate amplification and reflection attacks.
However, I could see a day in the not-too-distant future in which booter service operators start earning most of their money by reselling far more powerful attacks launched by actual botnets made from large networks of hacked Internet of Things (IoT) devices — such as poorly-secured CCTV cameras and digital video recorders (DVRs).
In some ways this has already happened, as I detailed in my January 2015 story, Lizard Stresser Runs on Hacked Home Routers. But with the now public release of the source code for the Mirai botnet — the same malware strain that was used in the record 620 Gbps DDoS on my site last month and in the widespread Internet outage last week caused by an attack against infrastructure provider Dyn — far more powerful and scalable attacks are now available for resale.
A copy of the paper released today at the ACM CCS conference in Vienna is available here (PDF).
Lisa Vaas, 27/10/2016 | Source: Naked Security
Tami Casey, 27/10/2016 | Source: Imperva
There is no doubting that cyber security is a very technical subject, and with the current state of hacking for profit and the games of cat and mouse among nation states, it’s more stressful than ever. With Halloween just around the corner, we thought we’d offer up a “treat” designed to bring cyber security professionals a laugh or two.
We have all heard the phrase, “you’re only as secure as the weakest link,” and sometimes the teams we support ask cringe-worthy questions that really make us wonder. To have a bit of fun, the Imperva team decided to ask attendees at the 2016 Black Hat cyber security conference to share the most ridiculous question they’d been asked during their IT security career.
The Imperva team compiled a list of the top 25 answers. It’s our Halloween treat to you. We hope you enjoy it.
- “Can you get hacked if you hide your computer?”
- “Should I phone HR? I need to send some money somewhere to get my files back from someone.”
- “Are there hackers at Black Hat?”
- “Why does hacking only happen in America?”
- “Is hacking a recent occurrence? My parents didn’t get hacked.”
- “What is the hacking worst case scenario? Losing money, stealing information or end of the world?”
- “How long would it take to hack McDonalds?”
- “I keep pressing the help key on my keyboard but no one is coming. What’s taking so long?”
- “Is this a cup holder?” (pointing to the CD-ROM tray)
- “Do you also provide security services like body guards?”
- “Do you have any insect repellent; I’ve been told my computer has a bug?”
- “Can you please tell me who is going to hack me?”
- “If I unplug my computer does it mean I can’t get hacked?”
- “Is malware good or bad? I have some on my computer.”
- “Can you make money from hacking?”
- “I have nothing to lose, why are hackers coming after me?”
- “Is anything secure anymore?”
- “I know I can’t get hacked; I use antivirus software.”
- “Are there pills for a computer virus?”
- “Can you only get hacked once?”
- “Can hackers steal all my money, even if I keep it in a piggybank?”
- “I understand hackers can attack my computer, but I keep everything private on my phone. I know hackers can’t access that.”
- “How can I hack Facebook?”
- “Is hacking preventable?”
- “Would I always know if I have been hacked?”
“Cyber security is undoubtedly a very complex subject. However, some of these questions are slightly alarming. If an employee doesn’t know what a CD-ROM drive is, can we trust they won’t fall prey to an email phishing scam? Humans, unlike software, are virtually impossible to patch. Hence, user education, while helpful at times, is highly overrated. Technologies that provide a solid defense line for security professionals when humans fail are paramount to keeping your data safe,” said Amichai Shulman, CTO of Imperva.
For a more serious look at cyber security, read our blog post titled “Cyber Security Awareness: You Can Patch Systems, but Can You Patch People?”
Angelo Righi, 27/10/2016 | Source: PillolHacking
Adobe is aware of a report that an exploit for CVE-2016-7855 exists in the wild, and is being used in limited, targeted attacks against users running Windows versions 7, 8.1 and 10.
Lisa Vaas, 27/10/2016 | Source: Naked Security
, 27/10/2016 | Source: The Hacker News
Pierluigi Paganini, 27/10/2016 | Source: Security Affairs
Massive DDoS attacks caused broadband outages for StarHub customers; it is the first time that Singapore has experienced such an attack on its telco infrastructure.
StarHub, in Singapore, is the latest victim of massive DDoS attacks against its DNS infrastructure, powered by compromised IoT devices.
The attackers appear to have used equipment owned by StarHub’s own customers; the company mitigated the attacks by filtering the malicious traffic and increasing its DNS capacity.
“StarHub Confirms Cause of Home Broadband Incidents on 22 October and 24 October 2016
Singapore, 25 October 2016 – We have completed inspecting and analyzing network logs from the home broadband incidents on 22 October and 24 October and we are now able to confirm that we had experienced intentional and likely malicious distributed denial-of-service (DDoS) attacks on our Domain Name Servers (DNS). These caused temporary web connection issue for some of our home broadband customers.” reads a message published on Facebook by the company.
“On both occasions, we mitigated the attacks by filtering unwanted traffic and increasing our DNS capacity and restored service within two hours.”
The company’s DNS servers were hit by a volume of traffic large enough to knock some home broadband customers offline.
The company has no doubt about the malicious nature of the attacks, which reached a scale and a level of sophistication StarHub had never experienced before.
“These two recent attacks that we experienced were unprecedented in scale, nature and complexity. We would like to thank our customers for their patience as we took time to fully understand these unique situations and to mitigate them effectively”, reads StarHub.
The company’s message makes no explicit reference to the Mirai botnet, but StarHub representatives told The Straits Times that they suspected the attack was powered by customers’ infected webcams and routers.
The company is urging its customers to buy IoT devices only from reputable vendors and to adopt a proper security posture when dealing with connected objects, and it has already started a campaign to clean up the infected equipment used by its customers.
Following the two attacks on StarHub, Singapore’s Cyber Security Agency and the Infocomm Media Development Authority issued a notice to all Internet service providers and telcos asking them to raise their level of cyber security.
“This is the first time that Singapore has experienced such an attack on its telco infrastructure,” reads the joint notice.
“Given the increasing connectedness of digital systems, there is no fool-proof solution. It takes a collective effort from companies and society to bolster our cyber resilience,” according to a joint statement late Wednesday.
The post Massive DDoS attacks caused broadband outages to StarHub customers appeared first on Security Affairs.
Pierluigi Paganini, 27/10/2016 | Source: Security Affairs
At SecurityWeek’s 2016 ICS Cyber Security Conference, researchers from CyberX disclosed a critical flaw in Schneider Electric’s industrial firewalls.
This week, at SecurityWeek’s 2016 ICS Cyber Security Conference, researchers at industrial security firm CyberX disclosed several important vulnerabilities.
The experts demonstrated how attackers can target ICS systems and bypass the security measures in place.
Among the vulnerabilities disclosed is a flaw in a Schneider Electric industrial firewall that could be exploited for remote code execution.
The vulnerability affects Schneider Electric’s ConneXium TCSEFEC family of industrial Ethernet firewalls, which is used in industrial environments to protect SCADA systems, automation systems, industrial networks and other equipment.
The experts found that the web-based administration interface of the ConneXium TCSEFEC firewalls is affected by a buffer overflow, and that exploiting it allows an attacker to execute arbitrary code.
The researchers also reported the flaw to ICS-CERT, which is expected to issue a security advisory.
A threat actor could exploit the flaw to change firewall rules, eavesdrop on traffic, inject malicious traffic, and disrupt communications.
The researchers highlighted that the flaw can be exploited even by attackers without specialized technical skills.
“Exploitation of this security hole could also lead to manipulation of control systems, which, in a worst case scenario, could result in physical damage. Programmable logic controllers (PLCs) typically don’t have any type of authentication, allowing attackers to easily gain access and exploit known or zero-day flaws.” reported Eduard Kovacs from Security Week.
According to CyberX, Schneider Electric has already developed a security update to address the vulnerability but has not yet released it.
CyberX researchers also reported seven zero-day flaws in PLCs from a major unnamed vendor, which is already working on a fix.
The post Experts disclosed a critical flaw in Schneider Industrial Firewalls appeared first on Security Affairs.