NATO trains Iraqi Experts in Cyber Defense

Iraqi experts were trained on cyber defense at the Middle East Technical University (METU) in Ankara, Turkey to improve their expertise and technical knowledge and to contribute to the strengthening of Iraqi national cyber defense capabilities. According to a NATO publication, this course was supported by the Science for Peace and security (SPS) Program and took place from 21 November to 2 December 2016.

This training course aimed at Iraqi system/network administrators was tailored specifically to Iraq’s needs by focusing on its cyber security and defense requirements presented to NATO. Overall, 16 civil servants from the new Iraqi Computer Incident Response Team (CIRT) were trained during the course.

The hands-on training program included both theoretical sessions as well as practical laboratory exercises of core aspects of cyber defense, including cryptanalysis, prevention of data exfiltration, advanced digital forensics, and conducting vulnerability assessment.

The course focused on raising cyber security awareness and provided the trainees with the expertise and technical knowledge to help increase resilience of their national networks. Upon their return, the trainees will be able to apply the gained knowledge in the daily operation of their institutions thereby significantly contributing to the strengthening of Iraqi national cyber defense capabilities

Iranian Threat Agent OilRig targeted Multiple Organizations in Israel

Iranian threat agent OilRig has been targeting multiple organizations in Israel and other countries in the Middle East since the end of 2015, according to a Clear Sky report. In recent attacks, they set up a fake VPN Web Portal and targeted at least five Israeli IT vendors, several financial institutes, and the Israeli Post Office.

Later, the attackers set up two fake websites pretending to be a University of Oxford conference sign-up page and a job application website. In these websites, they hosted malware that was digitally signed with a valid, likely stolen code signing certificate

Based on VirusTotal uploads, malicious documents content, and known victims – other targeted organizations are located in Turkey, Qatar, Kuwait, United Arab Emirates, Saudi Arabia, and Lebanon.

Infrastructure Overlap with Cadelle and Chafer

In December 2015, Symantec published a post about “two Iran-based attack groups that appear to be connected, Cadelle and Chafer” that “have been using Backdoor.Cadelspy and Backdoor.Remexi to spy on Iranian individuals and Middle Eastern organizations."

Backdoor.Remexi, one of the malware in use by Chafer, had the following command and control host:

87pqxz159.dockerjsbin[.]com

Interestingly, IP address  83.142.230.138, which serve as a command and control address for an OilRig related sample (3a5fcba80c1fd685c4b5085d9d474118), was pointed to by 87pqxz159.dockerjsbin[.]com as well.

This suggest that the two groups may actually be the same entity, or that they share resources in one way or another.

For the complete report, visit the Clear Sky blog.

Malware uses denial-of-service attack in attempt to crash Macs

The malware opens emails until the system crashes.
A tech support scam is targeting Mac users with unusual malware which tries to crash the system then encourages the victim to call a phony Apple support number in order to get the system restored to normal.
Victims are infected with the malware via a malicious email or by visiting a specially registered scam website. Cybersecurity researchers at Malwarebytes warn that these websites are particularly dangerous for Mac users running Safari because simply visiting one of the domains can execute the attack.
Once the malicious code has been triggered, it will first of all check to see which version of OS X the victim is using and then attempt to trigger a a denial-of-service attack by repeatedly opens draft emails.
The DDoS continues drafting new emails in individual windows until so many windows are running that the system crashes due to lack of memory. The subject line of the emails tells the user a virus has been detected and to call the tech support number.
There are also instances of the malicious software opening up iTunes without any user prompting and displaying the fraudulent phone number there.
While users running the most up to date version of the Apple operating system - macOS Sierra 10.12.2 - don't appear to be affected by the DDoS attack against the mail application, so users should patch their systems to ensure the most protection against the attacks
This is far from the first support scam to target web users, with Microsoft users also regularly targeted by cyber fraudsters. Microsoft itself has previously warned Windows users to remain vigilant when it comes to tech support scammers malware.

Bank robber reveals identity – by using his debit card during crime

 

Moron of the month gets almost four years in the clink for failing to grasp basic opsec

On January 3, Alvin Lee Neal received a 46-month prison sentence for robbing a Wells Fargo Bank in San Diego, California, and was ordered to pay back the $565 taken.
Neal, a registered sex offender, acknowledged his role in the May 13, 2016 robbery in a plea agreement with the US Attorney's Office of Southern California.
As described in the complaint filed with the US District Court in San Diego, Neal walked up to a teller in the bank and "presented a Wells Fargo debit card which he swiped through the customer card reader located on the counter."
This displayed his name and customer profile on the teller's screen.
Asked by the teller what kind of business he wanted to transact with the bank, Neal said, "You're being robbed," and presented a note reading, "You're being robbed no mistake."
Neal subsequently clarified the ambiguity of his note, which could have been read as a statement that the robbery should not be mistaken as some other activity. His intended message turned out to be a warning that the teller not do anything that might prompt a harmful response.
"You don't want anyone to get hurt, don't make a mistake," he said.
Thanks to Neal's mistake, investigators didn't have to work very hard to solve the case. A query to the California Department of Motor Vehicles database for Alvin Lee Neal produced a picture that was similar to the individual captured on the bank's surveillance video. Additional law enforcement database searches identified Neal as a registered sex offender.
When law enforcement agents arrived at Neal's address and requested permission to search his residence (which Neal granted in writing), they found "a grey, checkered pattern double-breasted style jacket similar in appearance to the jacket worn by Neal when the Wells Fargo was robbed" and the ATM card with which he had identified himself.
The complaint indicates that Neal was read his rights, which he subsequently waived, and then admitted to the investigators his intent to rob the bank.
The sentence of almost four years is significantly less than the 20-year maximum penalty.