Rogue Microsoft Services Agreement Emails Lead to Latest Java Exploit

Hackers are distributing rogue email notifications about changes in Microsoft’s Services Agreement to trick people into visiting malicious pages that use a recently circulated Java exploit to infect their computers with malware. “We’re receiving multiple reports of a phishing campaign using the template from a legitimate Microsoft email regarding Important Changes to Microsoft Services Agreement and Communication Preferences…” The rogue email messages are copies of legitimate notifications that Microsoft sent out to users to announce changes to the company’s Services Agreement that will take effect in October.

However, in the malicious versions of the emails, the correct links have been replaced with links to compromised websites that host attack pages from the Blackhole exploit toolkit.

New virus linked to makers of Flame detected across Mideast

Kaspersky internet security firm says new virus, named Gauss, based on Flame platform; infected computers found in Israel, Lebanon, PA, among other states.

The Kaspersky internet security firm announced on Thursday that it has detected a new kind of computer virus that has been targeting computers in Lebanon, Israel, and the Palestinian Authority.

According to the firm, the new virus, called Gauss, was designed as a spy tool and was programmed using the platform of another computer virus, Flame, which was exposed earlier this year.

In the past, Kaspersky officials have determined that there was a clear link between Flame, Stuxnet – the computer worm reportedly used to target Iran’s nuclear facilities – and another virus by the name of Duqu.

What this means is that Gauss could be another in a chain of cyber assault tools developed by a single country, or by several countries.

According to the security firm, Gauss injects code into different internet browsers in order to track the users’ activities and steal passwords, “cookie” files, and browser history. In addition, it also collects information on the computer’s network connections and attached devices, which it sends to the virus’ control servers.

Kaspersky indicated that Gauss was developed in 2011-2012, and was actively distributed throughout the Middle East in the last ten months. Most of the infected computers were in Lebanon (1,660), with Israel a distant second, housing 483 computers with the virus.

In addition, 261 infected computers were also found in the Palestinian Authority, along with a handful of computers in Egypt, Qatar, Syria, Jordan, and Saudi Arabia, as well as 43 in the United States and five in Germany.

The virus reportedly infected Microsoft operating systems, from Windows XP to Windows 7.

Last month, the Iranian Students’ News Agency quoted an unnamed cyber security official as saying that the United States will face a “teeth-breaking” response if it continues to carry out cyber attacks against Iran. Iran has previously accused the United States and its allies of trying to sabotage its disputed nuclear program by using computer worms like Stuxnet, which caused centrifuges at the country’s main enrichment facility to fail in 2010.

In June, Iran said it had detected plans by the United States, Israel and Britain to launch what it said was a massive cyber strike, after diplomatic efforts to curb Tehran’s nuclear program broke down.

Western powers believe Iran wants to produce atomic bombs, a charge Tehran denies. It says it only wants the technology to generate medical isotopes to treat cancer patients.

Source: Haaretz

Chinese Espionage Campaign ‘Luckycat’ Targets Android

Luckycat, a gang of Chinese cybercriminals targeting executives in the aerospace, energy, and engineering industries, has been evolving its attacks since initial reports emerged in June 2011.

First they targeted Windows (easy). Then earlier this year, we saw Luckycat exploit a Javascript flaw to spy on Mac OS systems, with SabPub.

This summer, Trend Micro reports evidence that Luckycat is now targeting Android devices.

The company discovered two unfinished and undelivered Android apps during a recent investigation of a Luckycat command and control center (Trend also discovered ongoing deliveries of SabPub via a Javascript exploit). Both apps were called “testService”, and the only difference was that one of the icons was invisible. Clearly, the attackers were working on making this as stealthy as possible.

The apps exhibited behaviors similar to a Remote Access Trojan (RAT), such as being able to locate sensitive data and upload it to a remote server. However, the “remote shell” command was incomplete, meaning the attackers could not take real-time control of the devices.

Tom Kellermann, director of cyber security at Trend Micro, illustrated the potential danger of being able to remotely control devices in real time.

“For example if I the attacker see in your [phone’s] calendar that you have a meeting in ten minutes, I could just pop the mic,” he said.

Lookout Mobile confirmed seeing the same malware samples, all clearly in debug (testing) mode since the output was all debug messages.

The key question now is: how do the attackers intend to deliver this malware to their targets? The attackers have several options, Trend Micro notes. One is an SMS or email containing a download URL disguised as something legitimate (spearphishing). SabPub, for instance, was delivered through poorly spelled emails appealing to Tibetan sympathizers.

Should You Worry?
You may not be a key target of Luckycat, but one day the same malware could be used to target your Android device. Some simple countermeasures we normal folk can take are, well, the same as always:

  1. Stick to the official Google Play and Amazon Android app stores.
  2. Don’t click on strange links within emails.
  3. Use a mobile security app—free versions of Lookout, Trend Micro, avast!, and McAfee provide strong lines of defense.

Source: http://securitywatch.pcmag.com/none/301002-chinese-espionage-campaign-luckycat-targets-android

Pentagon to recruit Russian hackers

An adviser to U.S. President Barack Obama said that the U.S. has a new plan to combat cyberwarfare.

The U.S. government has a plan to put the skills of the best hackers in the world to work fighting terrorism and designing security systems for government agencies. John Arquilla, an adviser to U.S. President Barack Obama and the man who coined the term “cyberwarfare”, told the UK’s Guardian newspaper that the U.S. Defense Department plans to hire about 100 hackers, primarily Russians, for the initiative.

Arquilla accused the Pentagon of wasting billions of dollars on “pointless aircraft carriers, tanks and planes at the expense of nimbler, leaner strategy” of spending on experts. He said that as a result the U.S. has fallen behind other superpowers in the global cyber race.

“We intend to set up something like the English Bletchley Park (where the UK ran decryption operations during World War II),” said Arquilla. “We will hire Russians and Asians. They are definitely the best code crackers in the world. I have already established contact with several very influential hackers. I even brought one to meet the CEO of a major company to evaluate the vulnerability of his information systems. He managed to break into the system in just a few minutes.”

Russian hackers do not rule out the possibility of cooperating with the U.S. government, provided it meets a number of crucial conditions.

Said one hacker known as Zeus: “I’ll agree if they offer me a fair salary and good living accommodations. Another important thing is that my activities mustn’t be aimed at Russia. I don’t want to be a traitor. There’s a great deal of advantages in working in the U.S. like opportunities to realize my potential, high living standards and an evolved society.”

Another hacker said that working for the U.S. government is, on the one hand, fairly risky, but on the other hand, a very lucrative and stable business.

“Our task is to make sure those who agree to work for us have all they need. America has always lavishly spent money on the best specialists in the world. That’s why I’m sure we’ll persuade them to cooperate,” Arquilla said.

Source: Izvestia Ru

Hackers expose login details of 450,000 Yahoo! users

The security details of almost half a million internet users have been compromised, after hackers posted what appear to be login credentials to online accounts. Yahoo has confirmed the security breach.

The material was posted by a hacking collective known as D33Ds Company, according to Ars Technica. The group said in a statement at the bottom of the data that they used a technique known as a union-based SQL injection, which preys on poorly-secured web applications.

The hackers claim the information was gathered from a service on the Yahoo network.

The subdomain may belong to Yahoo Voices, a contribution service which allows user-generated content to be published online, according to security firm TrustedSec.

The method attacks sites that do not properly examine text which is entered into search boxes and other input fields. Hackers then inject database commands which trick servers into disclosing large amounts of sensitive information.

Experts say the passwords were not encrypted – meaning any hacker could use them immediately to gain access to online accounts.
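The two weaknesses described above (input pasted straight into a database query, and passwords stored in the clear) and their fixes, as an added illustration that is not part of the original article and has nothing to do with Yahoo’s actual code. It uses an in-memory SQLite database with constructed sample accounts; the union-style search input is likewise constructed for the demonstration.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo (no real data).
USERS = [("alice", "correct horse battery"), ("bob", "hunter2")]


def hash_password(password: str, salt: bytes = b"") -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex = stored.split("$", 1)[0]
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a content site: an articles table and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    conn.execute("CREATE TABLE articles (title TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(n, hash_password(p)) for n, p in USERS])
    conn.executemany("INSERT INTO articles VALUES (?)",
                     [("First post",), ("Second post",)])
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list[str]:
    """Search-box text is pasted into the SQL, so it can rewrite the query."""
    sql = f"SELECT title FROM articles WHERE title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list[str]:
    """Bound parameter: whatever the user typed is only ever a LIKE pattern."""
    sql = "SELECT title FROM articles WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


# Constructed union-style input of the kind the article describes.
UNION_INPUT = "x' UNION SELECT name || ':' || password_hash FROM users --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, UNION_INPUT))  # rows from users
    print("safe:      ", search_safe(db, UNION_INPUT))        # []
    stored = db.execute("SELECT password_hash FROM users WHERE name = ?",
                        ("bob",)).fetchone()[0]
    print("login ok:  ", verify_password("hunter2", stored))  # True
```

Even where the concatenated query leaks the users table, the salted PBKDF2 hashes in it are not usable as credentials the way the plaintext passwords in the dump were; the bound parameter removes the leak altogether.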

Members of D33Ds say they intend the hack to be used as a “wake-up call.”

“We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat,” the hackers said in their statement. “There have been many security holes exploited in webservers belonging to Yahoo! Inc. that have caused far greater damage than our disclosure. Please do not take them lightly.”

The latest entries in the information appear to be from accounts created in 2006, which may imply the data is old, or no longer in use.

Android Forums and Formspring were attacked at the same time. They encrypted the passwords that they stored, although there is still a possibility that they could be cracked.

Users are being encouraged to change their passwords immediately, and to check whether they used the same login details for other online services.

It is not yet known whether the three attacks are linked.

Source: RT and Agencies

Cyber Arms Race Could Change the World Around Us

Source: RIA Novosti commentator Konstantin Bogdanov

The world is getting ready for a new arms race – this time in cyber weapons. What was previously considered to be the domain of semi-criminal marginal groups or a cheap way of expressing sociopathy is now attracting the interest of governments, who are considering producing weaponized software on an industrial scale.

Whereas before it was unclear what the endless “army cyber commands” and other sinecures were up to, the last two or three years have seen the appearance of very unpleasant evidence of serious work potentially capable of changing the image of the world as we know it.

We’ve seen nothing like this before

This was the initial reaction of Symantec analysts when they started looking into an incomprehensible computer worm nicknamed Stuxnet. Two major waves of the worm’s spread were noted: the first version in summer 2009 and the second in spring 2010.

Analysts found a rootkit (a set of malicious software programs that integrate into the system without being detected) which was a cyber-weapon masterpiece. According to experts, half a million euros might have been spent on developing this sophisticated piece of software. The worm was unique in every respect – it simultaneously used four previously unknown Windows bugs and two genuine security certificates. At the same time, Stuxnet carried out its main task (infiltration, analysis of the environment and further spread) in a very slow and unobtrusive manner.

The worm targeted industrial control systems, in particular a specific brand of Siemens industrial controllers. At the same time, the rootkit included control procedures for variable frequency drive converters of two specific brands (one Finnish, one Iranian).

Moreover, experts said the worm did not rush at these converters but gradually penetrated the industrial network, gathering information about its operating modes and fully establishing control over the computer monitoring system. Only once it had done this did the virus begin to gently “manipulate” parameter settings. It would take them out of action for a short time in order to disrupt the operation of the equipment.

Based on the distribution of the worm, experts established a potential target of attack: software-controlled centrifuges at the uranium-enrichment facility at Natanz, Iran.

In late November 2010, Iranian President Mahmoud Ahmadinejad said on the record that cyber attacks created “problems” in what he called a “limited” number of centrifuges. Naturally enough, this report evoked an instant response from the public and the media, crediting Stuxnet with the successful termination of Iran’s enrichment efforts.

Your hard work is not your achievement but their failing

There is, however, considerable doubt that the worm attack took place (or at least that it caused any noticeable results). Experts on computer and industrial security sounded the alarm but nuclear workers remained calm.

At any rate, IAEA experts who were directly in charge of monitoring the Natanz facility bluntly rejected any allegations that any disruptions in the work of the plant took place. Nonetheless, they admitted that the worm could in theory penetrate the facility’s computer network.

Their conclusions are understandable – there was no evidence of a drop in production at the uranium enrichment facility in Natanz, the supposed target of the attack. The rate of breakdown of centrifuges accelerated somewhat between November 2009 and January 2010, but that could be explained by the mass replacement of worn-out or low-quality Iranian-produced equipment. No evidence of any emergency at the plant was recorded.

Moreover, it seems that the worm’s developers may have outsmarted themselves. In working with frequency drive converters, they used the parameters that had been supplied by Iran through the IAEA. It is not clear whether this was a Tehran-inspired leak or whether these “brainiacs” simply used the first information that seemed authentic to them and did not bother checking it. In other words, anti-nuclear hackers were let down by the ignorance of the hardware they were planning to take over. Moreover, it is possible that the equipment at Natanz was not the intended target of the worm.

However, you could say the Iranians were lucky. The virus in the network was discovered very fast and adverse consequences were avoided. This is probably why no meaningful traces of the attack were found: the worm’s impact on Iran’s centrifuges was designed to be very subtle, causing increased wear and tear over a long period of time.

Smile, you’re on camera

In the meantime, the “anonymous well-wisher” of the Iranian nuclear program has continued working. Stuxnet was followed by two very interesting rootkits: Duqu, which was discovered in September 2011, and Flame, which was intercepted in late May 2012.

Unlike the mischievous Stuxnet, which was targeted at industrial control systems, these viruses were more conventional, though no less dangerous.

Both rootkits could be described as comprehensive tracking systems that collected information from infected computers. They intercepted passwords, tracked key presses, recorded sound from the built-in microphone, took screenshots, gathered information on processed files and analyzed network traffic. This information was then encrypted and sent to an external master server.

Analysts believe that the approaches to the development of Stuxnet and Duqu are so similar that they may have a common platform. In any event, both rootkits are likely to have been created by the same team.

Flame is considered to be a separate product, but some of the solutions typical for it can be traced back to the first 2009 version of Stuxnet. This suggests that at least two groups of developers, who partially relied on each other’s work, might have been involved in this project.

“Olympic Games” for Iran

The intuitively obvious guess about who was behind these efforts was confirmed not long ago. In June 2012, The New York Times bluntly reported that Stuxnet and Flame were developed during Operation Olympic Games, a joint effort between two electronic intelligence agencies, the U.S. National Security Agency and Israel’s Unit 8200.

According to the newspaper’s sources, the operation was launched on the orders of George W. Bush, which matches the estimated period of Stuxnet’s and Flame’s development. Having replaced Bush in the White House, Barack Obama ordered that this work be accelerated with a view to impeding Iran’s nuclear program. All efforts to this end were code-named Olympic Games.

Exactly five days after the publication, The Wall Street Journal carried the official reaction to it: “The FBI has opened an investigation into who disclosed information about a classified U.S. cyber attack program aimed at Iran’s nuclear facilities…” No further comment is needed.

Don’t play with matches at a gas station

It does not matter whether Stuxnet’s “physical attack” on Iran’s centrifuges was a success or if it was introduced into the facility’s network but failed to do much damage.

This is a model of a cyber weapon which is aimed not so much against strictly “virtual” targets (such as private information or the proper functioning of information systems) as against the actual physical infrastructure.

Industrial control systems are widespread. They are the backbone of all automated modern production systems, including hazardous ones. Computer systems are used to run energy facilities and gas compressor stations and to control traffic.

The development of an effective cyber weapon capable of putting such systems out of action could have disastrous consequences.

In this sense, we are at about the same stage as the world was between July 16 and August 6, 1945, after the United States tested its first nuclear device near Alamogordo but had not yet dropped any nuclear bombs on Japanese cities.

These new awkward cyber weapons, the development of which is sponsored by the leading powers, will be followed by others, more effective and more sophisticated. The problem is that such weapons can potentially do much more damage to advanced “critical infrastructures,” of which there is a higher number in the United States and Western Europe than in Asia. Those who have launched this race for cyber weapons are throwing stones while living in glass houses.

Cyber-attack concerns raised over Boeing 787 chip’s ‘back door’

Source: guardian.co.uk

Two Cambridge experts have discovered a “back door” in a computer chip used in military systems and aircraft such as the Boeing 787 that could allow the chip to be taken over via the internet.

The discovery will heighten concerns about the risks of cyber-attacks on sensitive installations, coming on the heels of the discovery this week of the ‘Flamer’ virus which has been attacking computer systems in Iran, Syria and Saudi Arabia.

In a paper that has been published in draft form online and seen by the Guardian, researchers Sergei Skorobogatov of Cambridge University and Chris Woods of Quo Vadis Labs say that they have discovered a method that a hacker can use to connect to the internals of a chip made by Actel, a US manufacturer.

“An attacker can disable all the security on the chip, reprogram cryptographic and access keys … or permanently damage the device,” they noted.

Woods told the Guardian that they have offered all the necessary information about how the hack can be done to government agencies – but that their response is classified.

“The real issue is the level of security that can be compromised through any back door, and how easy they are to find and exploit,” Woods said.

The back door may have been inserted by Actel itself, whose ProASIC3 chip is used in medical, automotive, communications and consumer products, as well as in military applications.

More here: http://www.guardian.co.uk/technology/2012/may/29/cyber-attack-concerns-boeing-chip