Wednesday, 4 September 2013

Phishing at root of elaborate cyberattacks

Astounding cyberheists and politically motivated cyberattacks have one thing in common: They invariably begin with simple trickery.
Top-tier cybergangs and hacking collectives, such as Anonymous and the Syrian Electronic Army, are taking full advantage of search engines and social websites to compile rich profiles on individuals. This information is then used to target individuals to receive an e-mail ruse known as a spear phishing attack. The e-mail carries a viral PDF attachment or Web link.
The bad guys are pulling out all the stops to profile executives and their charges, then crafting an e-mail carrying a viral PDF attachment or Web link from the boss to the subordinate. The goal: to trick the subordinate into following orders to click on the viral payload.
"A great deal of time and money is spent crafting these attacks," says Nicholas Percoco, senior vice president at data security company Trustwave. "The attackers know business relationships and understand how the person they are impersonating constructs his messages."
Most often the bad guys seek the user name and password of an employee who they believe has privileged access to sensitive databases and internal applications.
"If you look through the history of recent breaches, every one of them has a privileged connection," says John Worrall, chief marketing officer at security firm CyberArk.
The empowerment gained from possessing just the right logon is limited only by the attackers' imagination.
The pro-Syrian hackers who cut off The New York Times' website for 20 hours last week, for instance, lured a distributor working for Melbourne IT, a registrar that helps direct Web traffic, into divulging his user name and password. With that distributor's credentials, the attackers were able to redirect traffic intended for the newspaper's website to a website they controlled.
The FBI earlier this year put a crimp in a crime syndicate that by then had pilfered $45 million from ATMs, using data stolen from a major payment processing company. The thieves likely got inside the payment processor's network by spear phishing an employee. Not only did that enable them to steal payment card account numbers and PINs, they also boosted the ATM withdrawal limits on hundreds of accounts for which they had stolen card numbers.
The account numbers were then embedded on blank mag stripe cards and distributed with the accompanying PINs to an army of recruits, who then hit the streets to make large ATM withdrawals. The FBI caught a handful of these street operatives, but the masterminds are still at large.
In another inventive heist, a crime ring launched denial-of-service attacks against several banks' websites. While tech staff labored to restore service, the bad guys used a bank employee's privileged logon to access a master payment switch for issuing wire transfers.
Thus, a successful spear phishing campaign enabled the thieves to flick a switch to wire funds into accounts they controlled on a mass scale, says Avivah Litan, Gartner banking security analyst. "Considerable financial damage has resulted from these attacks," says Litan.
Last fall the FBI issued an alert about criminals targeting bank employees, in particular, for spear phishing attacks. However, politically motivated hacking groups have begun spear phishing employees who are once or twice removed from the targeted website, as The New York Times hack showed.
The lesson: We all need to stay alert.
"The entire attack sequence often begins with a very legitimate looking e-mail with a juicy story prompting the victim's computer to become infected," says Percoco. "Companies should educate their employees that these types of attacks are very real and to be vigilant all day, every day when using e-mail, social networks and the Web."

NetTraveler APT hackers still active improved their attacks

Experts at Kaspersky have provided evidence that the hackers behind the NetTraveler cyber espionage campaign are still active and have improved their attack methods.

Last June Kaspersky uncovered a new global cyber espionage campaign dubbed NetTraveler. Kaspersky’s team discovered that NetTraveler had targeted over 350 high-profile victims in 40 countries.
The name of the operation derives from the malicious code used in the attacks, the NetTraveler surveillance malware. According to the report published by Kaspersky, China-based hackers are behind the campaign; the security experts are convinced that the group of attackers is composed of around 50 individuals, many of them Chinese-speaking but with a good knowledge of English.
The NetTraveler campaign has been running since 2004, targeting government institutions, energy companies, contractors and embassies. Although the majority of infections were located in Mongolia, India and Russia, European countries were also hit by the hackers, with Germany, the UK and Spain the most affected.
Just after the public exposure of the cyber espionage campaign, the attackers shut down all known C&C servers and activated new ones in China, Hong Kong and Taiwan.

The hackers behind NetTraveler are still active: a recent post on the SecureList blog revealed that last week a new wave of spear-phishing e-mails was sent to multiple Uyghur activists, exactly as had occurred in the past.
NetTraveler Spear Phishing
The hackers have also diversified their attack techniques, adopting the watering hole method as well. This strategy is very common when attackers intend to target limited communities with common characteristics (e.g. members of the same ethnic group, employees of the same company, and so on).
In the watering hole attacks detected, the NetTraveler instances referred to the domain “wetstock[dot]org”; the majority appeared to be hijacked from the Uyghur-related website belonging to the “Islamic Association of Eastern Turkistan”.
The malicious mails contain a link to a page that appears to belong to the World Uyghur Congress website but in reality leads victims to a domain at “wetstock[dot]org” used by the hackers to serve NetTraveler malware. The page loads and runs a Java applet named “new.jar” that hides an exploit for CVE-2013-2465, a vulnerability recently fixed by Oracle in Java versions 5, 6 and 7 that allows remote attackers to compromise the victim.
The jar file contains the exploit payload in the file “file.tmp”, a NetTraveler backdoor dropper compiled on May 30, 2013 according to its PE header timestamp. The command and control server for the NetTraveler variant identified by Kaspersky specialists is hosted at an IP belonging to a machine located in the U.S., at “Multacom Corporation”, never used before as a C&C for other malware.
The C&C server was operational at the time the results of the investigation were published, and was still collecting stolen data from victims.
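The lure described above relies on a link whose visible text looks like the legitimate site while its href points to the attackers' domain. The following mail-gateway check, added here as an illustration and not code from Kaspersky or the SecureList post, parses the anchors of an HTML message and flags any whose displayed hostname does not match the host the link actually resolves to; the message and domains are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Matches something that looks like a hostname inside the visible link text.
DOMAIN_RE = re.compile(r"\b([a-z0-9-]+(?:\.[a-z0-9-]+)+)\b", re.I)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL; bare domains get a scheme so urlparse works."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def deceptive_links(html):
    """Return links whose visible text names one host but whose href goes to another."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        actual = _host(href)
        match = DOMAIN_RE.search(text)
        if not match or not actual:
            continue  # plain-word link text ("Webmail") carries no host claim
        shown = match.group(1).lower()
        # A subdomain of the displayed host is consistent; anything else is a mismatch.
        if actual != shown and not actual.endswith("." + shown):
            findings.append({"shown": shown, "actual": actual, "href": href})
    return findings


# Constructed sample message (placeholder domains, not the campaign's real ones).
SAMPLE_MAIL = """<html><body>
<p>Please read the statement at
<a href="http://update.attacker.example/news/">www.congress.example/news</a></p>
<p>Archive: <a href="https://www.congress.example/archive">www.congress.example/archive</a></p>
<p><a href="https://mail.congress.example/login">Webmail</a></p>
</body></html>"""
```

Running `deceptive_links(SAMPLE_MAIL)` reports only the first link, whose text claims `www.congress.example` while the href goes to `update.attacker.example`.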
NetTraveler C&C

The report provided by Kaspersky is proof that the NetTraveler APT is still ongoing; the attackers have improved their techniques by combining traditional spear phishing with a watering hole attack based on the Java exploit for CVE-2013-2465.
“It obviously has a higher success rate than mailing CVE-2012-0158 exploit-ridden documents, which was the favorite attack vector until now. We estimate that more recent exploits will be integrated and used against the group’s targets.”
The post closes with useful suggestions for readers on avoiding this new wave of attacks.
  • Update Java to the most recent version or, if you don’t use Java, uninstall it.
  • Update Microsoft Windows and Microsoft Office to the latest versions.
  • Update all other third party software, such as Adobe Reader.
  • Use a secure browser such as Google Chrome, which has a faster development and patching cycle than Microsoft’s Internet Explorer.
  • Be wary of clicking on links and opening attachments from unknown persons.

Syrian Electronic Army Cyberattacks

The Syrian Electronic Army attacked again this week, compromising the websites of the New York Times, Twitter, the Huffington Post, and others.
Political hacking isn't new. Hackers were breaking into systems for political reasons long before commerce and criminals discovered the Internet. Over the years, we've seen U.K. vs. Ireland, Israel vs. Arab states, Russia vs. its former Soviet republics, India vs. Pakistan, and US vs. China.
There was a big one in 2007, when the government of Estonia was attacked in cyberspace following a diplomatic incident with Russia. It was hyped as the first cyberwar, but the Kremlin denied any Russian government involvement. The only individuals positively identified were young ethnic Russians living in Estonia.
Poke at any of these international incidents, and what you find are kids playing politics. The Syrian Electronic Army doesn't seem to be an actual army. We don't even know if they're Syrian. And -- to be fair -- I don't know their ages. Looking at the details of their attacks, it's pretty clear they didn't target the New York Times and others directly. They reportedly hacked into an Australian domain name registrar called Melbourne IT, and used that access to disrupt service at a bunch of big-name sites.
We saw this same tactic last year from Anonymous: hack around at random, then retcon a political reason why the sites they successfully broke into deserved it. It makes them look a lot more skilled than they actually are.
This isn't to say that cyberattacks by governments aren't an issue, or that cyberwar is something to be ignored. Attacks from China reportedly are a mix of government-executed military attacks, government-sponsored independent attackers, and random hacking groups that work with tacit government approval. The US also engages in active cyberattacks around the world. Together with Israel, the US employed a sophisticated computer virus (Stuxnet) to attack Iran in 2010.
For the typical company, defending against these attacks doesn't require anything different from what you've traditionally been doing to secure yourself in cyberspace. If your network is secure, you're secure against amateur geopoliticians who just want to help their side.
This essay originally appeared on the Wall Street Journal's website.