Operation ‘Red October’: Global cyber-spy network uncovered by Russian experts
A sophisticated cyber-espionage network targeting the world’s diplomatic, government and research agencies, as well as gas and oil industries, has been uncovered by experts at Russia’s Kaspersky Lab.
The system’s targets include a wide range of countries, with the primary focus on Eastern Europe, former Soviet republics and Central Asia – although many in Western Europe and North America are also on the list.
“The majority of infections are actually from the embassies of ex-USSR country members located in various regions such as Western Europe and even in North America – in the US we have few infections as well. But most infections are concentrated around Russia,” Vitaly Kamluk, chief malware expert at Kaspersky Lab, told RT, adding that in Europe, the hardest-hit countries are apparently Belgium and Switzerland.
In addition to attacking traditional computer workstations, ‘Rocra’ – an abridgment of ‘Red October,’ the name the Kaspersky team gave the network – can steal data from smartphones, dump network equipment configurations, scan through email databases and local network FTP servers, and snatch files from removable disk drives, including ones that have been erased.
Unlike other well-known and highly automated cyber-espionage campaigns, such as ‘Flame’ and ‘Gauss,’ Rocra’s attacks all appear to be carefully chosen. Each operation is apparently driven by the configuration of the victim’s hardware and software, native language and even document usage habits.
The information extracted from infected networks is often used to gain entry into additional systems. For example, stolen credentials were shown to be compiled in a list for use when attackers needed to guess passwords or phrases.
The hackers behind the network have created more than 60 domain names and several server hosting locations in different countries – the majority of those known being in Germany and Russia – which worked as proxies in order to hide the location of the ‘mothership’ control server.
That malicious server’s location remains unknown, but experts have uncovered over 1,000 modules belonging to 34 different module categories. While Rocra seems to have been designed to execute one-time tasks sent by the hackers’ servers, a number of modules were constantly present in the system executing persistent tasks. This included retrieving information about a phone, its contact list, call history, calendar, SMS messages and even browsing history as soon as an iPhone or a Nokia phone was connected to the system.
The hackers’ primary objective is to gather information and documents that could compromise the security of governments, corporations or other organizations and agencies. In addition to focusing on diplomatic and governmental agencies around the world, the hackers also attacked energy and nuclear groups, and trade and aerospace targets.
No details have been given yet as to the attackers’ identity. However, there is strong technical evidence to indicate that the attackers are of Russophone origins, as Russian words including slang have been used in the source code commentaries. Many of the known attacks have taken place in Russian-speaking countries.
The hackers designed their own original and complex piece of software, which has its own unique modular architecture of malicious extensions, info-stealing modules and backdoor Trojans. The malware includes several extensions and malicious files designed to quickly adjust to different system configurations while remaining able to grab information from infected machines.
These include a ‘resurrection’ module, which allowed hackers to regain access to infected machines using alternative communication channels, and an encoded spy module that steals information from different cryptographic systems such as Acid Cryptofiler, which has reportedly been used since 2011 by organizations such as NATO, the European Parliament and the European Commission.
The first instances of Red October malware were discovered in October 2012, but it has been infecting computers since at least 2007, Kaspersky Lab reported. The firm worked with a number of international organizations while conducting the investigation, including Computer Emergency Readiness Teams from the US, Romania and Belarus.
The EU is attempting to counter the huge rise in cyber-espionage by launching the European Cybercrime Center, which opened on Friday.
Source: RT
The European Network and Information Security Agency (ENISA) recommends that honeypots be used to detect threats at an early stage
The European Network and Information Security Agency (ENISA) recommends that honeypots be used to detect threats at an early stage; the agency tested 30 current systems and came up with concrete recommendations.
Honeypots are digital traps used to analyse cyber attacks and their strategies and tools. In the study, ENISA tested honeypots for effectiveness and practicality, with a focus on open-source honeypots. The results are intended to help companies find the best digital traps for their particular situations and to promote further development in the area.
The evaluation system developed for the ENISA study places particular emphasis on user-friendliness. ENISA employees used the honeypot evaluation procedure developed in 2006 by Christian Seifert, Ian Welch and Peter Komisarczuk as a basis for the system and added more “practical” categories. They also differentiated more between various types of honeypots; types tested include server-side honeypots, client-side honeypots, low-interaction honeypots, high-interaction honeypots, hybrid honeypots and sandboxes. Open source online honeypots for monitoring suspicious URLs were also evaluated.
As part of the study findings, ENISA recommends a number of digital traps, noting that dionaea, Glastopf, kippo and Honeyd are particularly easy to use. Among the client honeypots, Thug and Capture-HPC NG also received special mentions.
Read more here: http://www.h-online.com/open/news/item/ENISA-promotes-digital-hacker-traps-1759415.html
Rogue Microsoft Services Agreement Emails Lead to Latest Java Exploit
Hackers are distributing rogue email notifications about changes in Microsoft’s Services Agreement to trick people into visiting malicious pages that use a recently circulated Java exploit to infect their computers with malware. “We’re receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences…” The rogue email messages are copies of the legitimate notifications that Microsoft sent out to users to announce changes to the company’s Services Agreement that will take effect in Oct.
However, in the malicious versions of the emails, the correct links have been replaced with links to compromised websites that host attack pages from the Blackhole exploit toolkit. Read more here
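The tell-tale of this campaign is a legitimate-looking template whose links have been swapped: the visible link text still reads like a Microsoft address while the underlying `href` points somewhere else. The script below is an added defensive example, not code from the article or from any vendor named in it; it parses an HTML mail body with the Python standard library and flags two things: anchors whose displayed text names a domain different from the domain in the `href`, and anchors whose `href` domain is outside an allowlist of domains the sender would legitimately use. The sample message, the `example-compromised.test` and `login.example.net` hosts, and the two-label domain heuristic (used because no public-suffix list is available offline) are all constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a fragment modelled on a services-agreement notification.
# The first link shows a Microsoft URL as text but its href has been replaced
# (hypothetical hosts; this is not a real campaign artefact).
SAMPLE_EMAIL_HTML = """
<p>Important changes to the Microsoft Services Agreement.</p>
<p>Review the agreement at
<a href="http://example-compromised.test/page.php">https://www.microsoft.com/services-agreement</a></p>
<p>Questions? <a href="https://support.microsoft.com/">support.microsoft.com</a></p>
<p><a href="https://login.example.net/x">Sign in</a></p>
"""

# Visible text that looks like a URL or bare domain (optionally with a path).
DOMAIN_TEXT = re.compile(r"^(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/:?#]\S*)?$", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in document order."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Hostname from a URL or a bare domain string; None if there is none."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value  # let urlparse treat a bare domain as a host
    return urlparse(value).hostname


def registrable_domain(host):
    """Last two DNS labels (assumption: no public-suffix list offline)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def extract_links(html_body):
    parser = LinkExtractor()
    parser.feed(html_body)
    parser.close()
    return parser.links


def find_mismatched_links(html_body):
    """Links whose visible text names one domain while the href goes to another."""
    findings = []
    for href, text in extract_links(html_body):
        if not DOMAIN_TEXT.match(text):
            continue  # plain words like "Sign in" give us nothing to compare
        shown, actual = host_of(text), host_of(href)
        if shown and actual and registrable_domain(shown) != registrable_domain(actual):
            findings.append((href, text))
    return findings


def unexpected_link_hosts(html_body, allowed_domains):
    """Hosts of hrefs whose registrable domain is not in the sender's allowlist."""
    allowed = {d.lower() for d in allowed_domains}
    flagged = []
    for href, _text in extract_links(html_body):
        host = host_of(href)
        if host and registrable_domain(host) not in allowed:
            flagged.append(host)
    return flagged


if __name__ == "__main__":
    for href, text in find_mismatched_links(SAMPLE_EMAIL_HTML):
        print(f"text/href mismatch: shows {text!r} but goes to {href!r}")
    for host in unexpected_link_hosts(SAMPLE_EMAIL_HTML, {"microsoft.com"}):
        print(f"link to non-allowlisted host: {host}")
```

Either heuristic on its own is noisy in real mail (tracking redirectors, CDN hosts), so in practice the two checks are best scored together with sender authentication results rather than used as a hard block; the text/href comparison is the one that directly catches the template-with-swapped-links pattern described above.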
New virus linked to makers of Flame detected across Mideast
Kaspersky internet security firm says new virus, named Gauss, based on Flame platform; infected computers found in Israel, Lebanon, PA, among other states.
The Kaspersky internet security firm announced on Thursday that it has detected a new kind of computer virus that has been targeting computers in Lebanon, Israel, and the Palestinian Authority.
According to the firm, the new virus, called Gauss, was designed as a spy tool and was programmed using the platform of another computer virus, Flame, which was exposed earlier this year.
In the past, Kaspersky officials have determined that there was a clear link between Flame, Stuxnet – the computer worm reportedly used to target Iran’s nuclear facilities – and another virus by the name of Duqu.
What this means is that Gauss could be another in a chain of cyber assault tools developed by a single country, or by many countries.
According to the security firm, Gauss injects code into different internet browsers in order to track the users’ activities and steal passwords, “cookie” files, and browser history. In addition, it also collects information on the computer’s network connections and attached devices, which it sends to the virus’ control servers.
Kaspersky indicated that Gauss was developed in 2011-2012, and was actively distributed throughout the Middle East in the last ten months. Most of the infected computers were in Lebanon (1,660), with Israel a distant second, housing 483 computers with the virus.
In addition, 261 infected computers were also found in the Palestinian Authority, along with a handful of computers in Egypt, Qatar, Syria, Jordan, and Saudi Arabia, as well as 43 in the United States and five in Germany.
The virus reportedly infected Microsoft operating systems, from Windows 7 to Windows XP.
Last month, the Iranian Students’ News Agency quoted an unnamed cyber security official as saying that the United States will face a “teeth-breaking” response if it continues to carry out cyber attacks against Iran. Iran has previously accused the United States and its allies of trying to sabotage its disputed nuclear program by using computer worms like Stuxnet, which caused centrifuges at the country’s main enrichment facility to fail in 2010.
In June, Iran said it had detected plans by the United States, Israel and Britain to launch what it said was a massive cyber strike, after diplomatic efforts to curb Tehran’s nuclear program broke down.
Western powers believe Iran wants to produce atomic bombs, a charge Tehran denies. It says it only wants the technology to generate medical isotopes to treat cancer patients.
Source: Haaretz
Chinese Espionage Campaign ‘Luckycat’ Targets Android
Luckycat, a gang of Chinese cybercriminals targeting executives in the aerospace, energy, and engineering industries, has been evolving its attacks since initial reports emerged in June 2011.
First they targeted Windows (easy). Then earlier this year, we saw Luckycat exploit a Javascript flaw to spy on Mac OS systems, with SabPub.
This summer, Trend Micro reports evidence that Luckycat is now targeting Android devices.
The company discovered two unfinished and undelivered Android apps during a recent investigation of a Luckycat command and control center (Trend also discovered ongoing deliveries of SabPub via a Javascript exploit). Both apps were called “testService”; the only difference was that one of the icons was invisible. Clearly, the attackers were working on making this as stealthy as possible.
The apps exhibited behaviors similar to a Remote Access Trojan (RAT), like being able to locate sensitive data and upload them to a remote server. However the “remote shell” command was incomplete, meaning the attackers couldn’t take real-time control of the devices.
Tom Kellermann, director of cyber security at Trend Micro, illustrated the potential danger of being able to remotely control devices in real time.
“For example if I the attacker see in your [phone's] calendar that you have a meeting in ten minutes, I could just pop the mic,” he said.
Lookout Mobile confirmed seeing the same malware samples, all clearly in debug (testing) mode since the output was all debug messages.
The key question now is, how do the attackers intend to deliver this malware to their targets? The attackers have several options, Trend Micro notes. One is an SMS or email containing a download URL disguised as something legitimate (spearphishing). SabPub, for instance, was delivered through poorly spelled emails appealing to Tibetan sympathizers.
Should You Worry?
You may not be a key target of Luckycat, but one day the same malware could be used to target your Android device. Some simple countermeasures we normal folk can take are, well, the same as always:
- Stick to the official Google Play and Amazon Android app Stores.
- Don’t click on strange links within emails.
- Use a mobile security app—free versions of Lookout, Trend Micro, avast!, and McAfee provide strong lines of defense.
Source: http://securitywatch.pcmag.com/none/301002-chinese-espionage-campaign-luckycat-targets-android
Pentagon to recruit Russian hackers
An adviser to U.S. President Barack Obama said that the U.S. has a new plan to combat cyberwarfare.
The U.S. government has a plan to put the skills of the best hackers in the world to work fighting terrorism and designing security systems for government agencies. John Arquilla, an adviser to U.S. President Barack Obama and the man who coined the term “cyberwarfare,” told the UK’s Guardian newspaper that the U.S. Defense Department plans to hire about 100 hackers, primarily Russians, for the initiative.
Arquilla accused the Pentagon of wasting billions of dollars on “pointless aircraft carriers, tanks and planes at the expense of nimbler, leaner strategy” of spending on experts. He said that as a result the U.S. has fallen behind other superpowers in the global cyber race.
“We intend to set up something like the English Bletchley Park (where the UK ran decryption operations during World War II),” said Arquilla. “We will hire Russians and Asians. They are definitely the best code crackers in the world. I have already established contact with several very influential hackers. I even brought one to meet the CEO of a major company to evaluate the vulnerability of his information systems. He managed to break into the system in just a few minutes.”
Russian hackers do not rule out the possibility of cooperating with the U.S. government, provided it observes a number of crucial factors.
Said one hacker known as Zeus: “I’ll agree if they offer me a fair salary and good living accommodations. Another important thing is that my activities mustn’t be aimed at Russia. I don’t want to be a traitor. There’s a great deal of advantages in working in the U.S. like opportunities to realize my potential, high living standards and an evolved society.”
Another hacker said that working for the U.S. government is, on the one hand, fairly risky, but on the other hand, a very lucrative and stable business.
“Our task is to make sure those who agree to work for us have all they need. America has always lavishly spent money on the best specialists in the world. That’s why I’m sure we’ll persuade them to cooperate,” Arquilla said.
Source: Izvestia Ru
