Information Security, Ethical Hacking, website Security, Database Security, IT Audit and Compliance, Security news, Programming, Linux and Security.
Monday, 19 December 2016
Russian hacker Rasputin allegedly stole logins from the US election agency EAC
According to security firm Recorded Future, a Russian-speaking hacker was offering for sale stolen login credentials for the U.S. Election Assistance Commission (EAC), the U.S. agency that tests and certifies voting equipment.
The EAC was formed in 2002; it is tasked with certifying voting systems and developing best practices for administering elections.
More than 100 allegedly compromised U.S. Election Assistance Commission login credentials were offered for sale by a hacker that uses the Rasputin online moniker.
“On December 1, 2016, Recorded Future threat intelligence technology identified chatter related to a suspected breach of the U.S. Election Assistance Commission (EAC),” Recorded Future said in a Thursday blog post.
“Further research identified a Russian hacker (Recorded Future refers to this actor as Rasputin) soliciting a buyer for EAC database access credentials.”
Researchers found that some of these credentials carried the highest administrative privileges, which an attacker could use to steal sensitive information from the U.S. Election Assistance Commission or to plant an exploit kit on its site and compromise targeted individuals in a watering-hole attack.
Recorded Future shared multiple screenshots that demonstrate the hacker had access to the system at the U.S. Election Assistance Commission.
Election and software systems test reports (image provided by Rasputin).
The Rasputin hacker claimed to have broken into the system via an unpatched SQL injection (SQLi) vulnerability.
The U.S. Election Assistance Commission (EAC) investigated the incident with authorities and has terminated access to the vulnerable application.
“The U.S. Election Assistance Commission (EAC) has become aware of a potential intrusion into an EAC web-facing application. The EAC is currently working with Federal law enforcement agencies to investigate the potential breach and its effects.” reads a statement issued by the Agency.
The Election Assistance Commission clarified that it does not administer elections.
“The EAC does not maintain voter databases. The EAC does not tabulate or store vote totals,” added the commission.
The discovery of this new data breach adds to the debate around possible interference with the 2016 Presidential election. The US Government has blamed Russia for attempting to influence the U.S. election through several high-profile cyber attacks.
SQL Injection Attack is Tied to Election Commission Breach
Just as cybersecurity concerns over the U.S. presidential election reach fever pitch, the U.S. agency responsible for certifying that voting machines work properly says it may have been hacked. That’s after independent researchers say they uncovered evidence that hackers have infiltrated the agency in question – the U.S. Election Assistance Commission. On Thursday security firm Recorded Future reported that a hacker offered to sell knowledge of an unpatched SQL injection vulnerability on the Dark Web. The vulnerability would have given an attacker access to the Election Assistance Commission (EAC) website and backend systems. In addition to knowledge of the vulnerability, the seller also included 100 potentially compromised access credentials for the system, including some with administrative privileges.
“This vulnerability would have given an adversary access to the EAC database, allowed them to plant malware on the site or effectively stage a watering hole attack,” said Levi Gundert, VP of intelligence and strategy at Recorded Future. EAC is an independent bipartisan commission that develops voting guidelines and provides information on administering elections. The commission is also responsible for testing and certifying voting equipment and systems to ensure they meet security standards, according to the agency’s website. Gundert said access to EAC’s systems by an attacker would be invaluable for future attacks, helping them glean sensitive information about existing electronic voting systems as well as those coming online.
The Election Assistance Commission acknowledged the vulnerability and released the following statement: “EAC has become aware of a potential intrusion into an EAC web-facing application. The EAC is currently working with Federal law enforcement agencies to investigate the potential breach and its effects… Upon detecting the intrusion, the EAC terminated access to the application and began working with federal law enforcement agencies to determine the source of this criminal activity. The FBI is currently conducting an ongoing criminal investigation.” Little is known about the hacker selling the SQL injection flaw. According to a report by Recorded Future the seller’s native language is Russian and goes by the online handle “Rasputin.” Researchers said they spotted Rasputin advertising the flaw on the Dark Web for between $2,000 and $5,000 on Dec. 1 and alerted authorities the next day. “Based on Rasputin’s historical criminal forum activity, Recorded Future believes it’s unlikely that Rasputin is sponsored by a foreign government,” Recorded Future said. SQL injections are among the most common techniques employed by hackers to steal valuable information from corporate databases. Recorded Future declined to share technical specifics of the SQL injection vulnerability or EAC’s compromised platform.
This past U.S. presidential election has seen an unprecedented amount of concern over hackers attempting to sway election results. In August, the Federal Bureau of Investigation’s Cyber Division warned election officials nationwide to fortify voter registration data systems in the wake of two breaches it was able to detect earlier this summer. Earlier this week, President Barack Obama said the U.S. intelligence community has concluded Russian cyberattacks were part of an effort to influence the 2016 presidential election. Gundert doesn’t believe the sale of the unpatched SQL injection vulnerability is tied to past election attacks. However, he said, stolen credentials and earlier attacks that may have taken advantage of the SQL injection vulnerability could fuel more serious cyberattacks in the future. “It’s unclear how long the EAC vulnerability has been active; however, it could have been potentially discovered and accessed by several parties independently,” Recorded Future said.
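The reports above say the EAC application was exposed through an unpatched SQL injection flaw, and Recorded Future did not publish its details. The following added example (written for this page, not code from the EAC, Recorded Future or any project named here) shows the general defect and its fix: a lookup that concatenates user input into SQL text beside one that passes the value as a bound parameter. The table, rows and the probe string are constructed for the demonstration; the `users` table and its columns are assumptions, not the EAC's schema.

```python
import sqlite3


def build_db():
    """Constructed in-memory users table (sample data, not a real system)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Deliberately vulnerable: the caller's string becomes part of the SQL syntax.

    A quote character in `username` ends the literal early, so the rest of the
    input is parsed as SQL.  This is the class of bug the article describes.
    """
    sql = "SELECT username, role FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Hardened: the driver binds the value, so quotes in the input are data,
    never syntax.  The SQL text is a constant the attacker cannot change."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def demo():
    """Run the same tautology probe through both lookups and return the rows."""
    conn = build_db()
    probe = "' OR '1'='1"  # constructed probe: closes the literal, adds a true clause
    return {
        "vulnerable": find_user_vulnerable(conn, probe),  # returns every user
        "safe": find_user_safe(conn, probe),              # returns nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name:10s} -> {rows}")
```

The same rule applies to every driver, not only `sqlite3`: build the statement from constants, bind every value, and give the application's database account only the rights its queries need, so that a surviving injection cannot reach the "highest administrative privileges" the report mentions.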
See more at: SQL Injection Attack is Tied to Election Commission Breach https://wp.me/p3AjUX-vSX
Hack attack fear scares Canadian exam board away from online tests
In October the online pilot of the Ontario Secondary School Literacy Test (OSSLT) was deployed and quickly fell over with its legs in the air, mimicking a dead parrot. The failure was the result of what the province's Education Quality and Accountability Office (EQAO) called an "intentional, malicious and sustained distributed denial-of-service attack" against the testing system.
The attack was successful despite earlier testing of the online system against the possibility of just such an online assault. Forensic examiners are still investigating where the attack came from – El Reg suggests they look for a computer-savvy kid who doesn't study English much.
The original plan was for the OSSLT to be run for real in March, with students and teachers being able to choose whether to do the tests online or in the old-fashioned way. But because the source of the attack is still unknown, the EQAO is dropping all online testing for the time being.
"While we are pressing 'pause' on EQAO's move toward online assessments, we are by no means hitting 'stop,'" said Richard Jones, interim CEO of EQAO.
"In the days following the cyberattack in October, we heard from hundreds of members of Ontario's education community about the online OSSLT and we will take the time required to continue those discussions, so that we can integrate feedback into our system design. The intent is to come back with a system that better addresses needs in terms of usability, accessibility and security."
NAB sent details of 60,000 customers to wrong email address
The National Australia Bank (NAB) has taken "full responsibility" and apologised for the sending of personal data of 60,000 customers to an "incorrect email address".
The email contained each customer's name, address, email address, branch and account number, as well as an NAB identification number for some customers. Those impacted were customers who had their accounts created by the bank's migrant banking team while they were overseas.
"This error does not impact customers who set up an account in Australia," the bank said in a statement on Friday afternoon. "We take the privacy and the protection of our customers' personal information extremely seriously.
"The error was caused by human error and identified following our own internal checks and as soon as we realised what had happened we took action."
NAB said it had not seen any unusual activity on the affected accounts, and 40 percent of those customers had either closed their accounts or not used them in 2016. The bank said 19,000 accounts contained less than AU$2.
"We are sorry for this error and we will continue to work hard to improve and strengthen our processes," the bank said.
NAB said it had notified the Office of the Australian Information Commissioner and the Australian Securities and Investments Commission.
In October, NAB posted a AU$352 million statutory net profit for the 2016 financial year and praised its reduction in "technology incidents".
LinkedIn's training arm resets 55,000 members' passwords, warns 9.5m
We recently became aware that an unauthorized third party breached a database that included some of your Lynda.com learning data, such as contact information and courses viewed. We are informing you of this issue out of an abundance of caution. Please know that we have no evidence that this data included your password. And while we have no evidence that your specific account was accessed or that any data has been made publicly available, we wanted to notify you as a precautionary measure.
The Register asked LinkedIn when the breach was detected, when it occurred and how many people were impacted.
The company offered a statement penned by an un-named spokesperson, re-stating news of the breach and offering the following.
As a precautionary measure, we reset passwords for the less than 55,000 Lynda.com users affected and are notifying them of the issue. We’re also working to notify approximately 9.5 million Lynda.com users who had learner data, but no protected password information, in the database. We have no evidence that any of this data has been made publicly available and we have taken additional steps to secure Lynda.com accounts.
LinkedIn has form when it comes to breaches: earlier this year the company downplayed the sale of 117m user records. Which is a trivial number compared to the billion user records Yahoo! last week admitted it had lost, probably as a result of management fearing a costly and complex encryption re-tooling effort.
PayAsUGym breach exposes passwords
Fitness website PayAsUGym has been breached in a hack that may have exposed up to 400K emails and passwords.
In a breach notice to users, the firm admitted one of its servers was hacked after “underground researchers” posted screenshots purporting to show PayAsUGym’s hacked database via Twitter. The 1x0123 hacker crew later claimed that they planned to sell off the compromised database through underground markets.
PayAsUGym apparently used the obsolete MD5 hashing technology, making it straightforward to work out the corresponding passwords using a brute force attack and dictionary lookups.
Troy Hunt, the security researcher behind the haveibeenpwned breach notification website, warned over the weekend that “PayAsUGym data appears to be circulating”, with “more than 400k unique emails in there for UK customers”.
Hunt reposted a notice that admitted email addresses and passwords might have been breached. PayAsUGym, which says that it doesn’t store credit card numbers, has reset user passwords.
Password reuse is always a bad idea. Those users who reused their PayAsUGym password at other sites are particularly exposed to so-called credential-stuffing attacks, where hackers try passwords exposed at one site against other sites.
Luke Brown, VP and GM EMEA at Digital Guardian, said: “It’s easy to think that breaches from consumer sites like PayAsUGym do not affect businesses, but it’s certainly possible that some customers have used their business email address to sign up to these services. Using the compromised login details, hackers can attempt to hijack the email accounts, steal more data, and target the victims’ friends, family and place of work in advanced social engineering attacks.
“This highlights why it’s so important for businesses to make sure that employees can’t use the same password for their personal and professional accounts. Implementing a good password policy will ensure that these increasingly common login ‘dumps’ can’t be used to access or steal sensitive corporate information,” he added.
PayAsUGym offers flexible access to day passes, fitness classes and no-contract membership at over 2,200 UK gyms. The firm is yet to respond to a request from El Reg to confirm the number of breached records.
Thursday, 15 December 2016
Yahoo hacked again, more than one billion accounts stolen
Yahoo has disclosed that more than one billion accounts may have been stolen from the company's systems in another cyberattack.
The company said in a statement Wednesday after the markets closed that unnamed attackers stole the accounts in August 2013, a year prior to a previously disclosed attack, in which attackers stole around 500 million accounts in September 2014.
The company wasn't able to identify the intrusion associated with the August 2013 breach.
The statement said the hackers may have stolen names, email addresses, telephone numbers, hashed passwords (using the weak, easy-to-crack MD5 algorithm), dates of birth, and in some cases, encrypted or unencrypted security questions and answers.
Yahoo said it has invalidated unencrypted security questions and answers so that they cannot be used to access affected accounts.
Payment card data and bank account information, stored in separate systems, are not thought to have been stolen in the attack.
SOURCE CODE STOLEN
The company admitted that hackers may have developed a way of accessing accounts without a password by stealing Yahoo's secret source code.
"Based on the ongoing investigation, the company believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies," which can be used to store authentication credentials locally.
"The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used," the statement said.
Yahoo has also invalidated the cookies.
REPORTING DELAY 'UNACCEPTABLE'
It's the latest security blow against the former internet giant, which earlier this year -- just as it was being bought by Verizon for $4.8 billion -- said it had been attacked by "state-sponsored" hackers.
Yahoo still hasn't said who was behind the attack, nor which state may have sponsored the hackers.
Verizon reiterated its statement on Wednesday, saying it "will evaluate" the purchase as Yahoo continues its investigation.
The news likely won't help confidence in the company that was heavily criticized by six leading senators for taking two years to disclose the September 2014 breach.
When reached, a Yahoo spokesperson said in an email that the company is "working closely with law enforcement."
Yahoo was down more than 2.5 percent in after-hours trading on the Nasdaq in New York.
BlackEnergy power plant hackers target Ukrainian banks
The same hackers who turned out the lights at Ukrainian utilities last December have been running attacks against the same country’s banks over recent months.
Security firm ESET reports that the gang slinging the TeleBots malware against Ukrainian banks shares a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December, 2015 and January, 2016. ESET thinks that the BlackEnergy crew has evolved into what it calls the TeleBots group.
As with campaigns attributed to BlackEnergy group, the attackers used spear-phishing emails with Microsoft Excel documents containing malicious macros as their main means of spreading infection.
Once a victim clicks on the Enable Content button, Excel executes the malicious macro. That gets the attackers a compromised PC, which is used to further infiltrate a compromised network, sniff passwords, and other hacker tricks.
Eventually the hackers drop the KillDisk malware onto compromised PCs. This malware deletes system files, making machines unbootable, before displaying a Mr Robot-themed logo on the computers' screens as a sign-off.
Analysis by ESET shows that the code of the macro used in TeleBots documents matches the macro code that was used by the BlackEnergy group in 2015.
Russia was the prime suspect for the BlackEnergy attacks. The latest attacks follow recent accusations by Russian security services that foreign agencies were trying to sabotage Russia's financial system.
Sunday, 4 December 2016
Mirai botnet attacks targeting multiple ISPs
Analysis: The Mirai botnet has struck again, with hundreds of thousands of TalkTalk and Post Office broadband customers affected. The two ISPs join a growing casualty list from a wave of assaults that have also affected customers at Deutsche Telekom, KCOM and Irish telco Eir over the last two weeks or so.
Problems at the Post Office began on Sunday, while TalkTalk was hit yesterday; collectively this has affected hundreds of thousands of surfers. Similar attacks against thousands of KCOM broadband users around Hull that started about the same time targeted users of telco-supplied routers. Thousands of punters at the smaller ISP were left without a reliable internet connection as a result of the assault, which targeted routers from Taiwanese manufacturer ZyXEL.
KCOM told El Reg that Mirai was behind the assault on its broadband customers, adding that: "ZyXEL has developed a software update for the affected routers that will address the vulnerability." The timing and nature of this patch remains unclear.
ZyXEL told El Reg that the problem stemmed from malicious exploitation of the maintenance interface (port 7547) on its kit, which it was in the process of locking down.
With that interface exposed, unauthorised users could access or alter the device's LAN configuration from the WAN side using the TR-064 protocol.
Last week a widespread attack on the maintenance interfaces of broadband routers affected the telephony, television, and internet service of about 900,000 Deutsche Telekom customers in Germany. Vulnerable kit from ZyXEL also cropped up in the Deutsche Telekom case. Other victims include customers of Irish ISP Eir where (once again) ZyXEL-supplied kit was the target.
ZyXEL is aware of the issue and assures customers that we are handling the issue with top priority. We have conducted a thorough investigation and found that the root cause of this issue lies with one of our chipset providers, Econet, with chipsets RT63365 and MT7505 with SDK version #7.3.37.6 and #7.3.119.1 v002 respectively.
The Post Office confirmed that around "100,000 of our customers" have been affected and that the attack had hit "customers with a ZyXEL router".
ZyXEL routers are not a factor in the TalkTalk case, where routers made by D-Link are under the hammer. TalkTalk confirmed that the Mirai botnet was behind the attack against its customers, adding in the same statement that a fix was being rolled out.
Along with other ISPs in the UK and abroad, we are taking steps to review the potential impacts of the Mirai worm. A small number of customer routers have been affected, and we have deployed additional network-level controls to further protect our customers.
The Post Office is similarly promising its customers that a fix is in the works.
We do believe this has been caused by the Mirai worm – we can confirm that a fix is now in place, and all affected customers can reconnect to the internet. Only a small number of our customers have the router (a D-Link router) that was at risk of this vulnerability, and only a small number of those experienced connection issues.
Post Office can confirm that on 27 November a third party disrupted the services of its broadband customers, which impacted certain types of routers. Although this did result in service problems we would like to reassure customers that no personal data or devices have been compromised. We have identified the source of the problem and implemented a resolution which is currently being rolled out to all customers.
It's unclear who is responsible for the growing string of attacks on ISP customers across Europe or their motives. The mechanism of the attack is, however, all too clear. Hackers are using the infamous Mirai malware or one of its derivatives to wreak havoc. The IoT malware scans for telnet before attempting to hack into vulnerable devices, using a brute-force attack featuring 61 different user/password combinations, the various default settings of kit from various manufacturers. Up to 5m devices are up for grabs thanks to wide open management ports, according to some estimates.
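The article describes the mechanism (scans for telnet and, in the ZyXEL cases, the TR-064 maintenance interface on port 7547) but not how an ISP or network operator would see it coming. The added example below (written for this page, not code from any ISP, ZyXEL or the Mirai source) is a small detector run over constructed firewall log lines: it parses inbound TCP attempts, keeps only the management ports named in the reports, and flags a source address that probes several destinations on those ports within a short window. The log line layout, the port list and the thresholds are assumptions; the addresses are documentation ranges.

```python
import re
from collections import defaultdict

# Constructed iptables-style log sample: one scanner sweeping 23/2323/7547,
# a normal HTTPS client, and a single slow poke at 7547 that should not trip.
SAMPLE_LOG = """\
1480204800 IN=wan SRC=203.0.113.10 DST=198.51.100.2 PROTO=TCP DPT=23
1480204801 IN=wan SRC=203.0.113.10 DST=198.51.100.3 PROTO=TCP DPT=23
1480204802 IN=wan SRC=203.0.113.10 DST=198.51.100.4 PROTO=TCP DPT=2323
1480204803 IN=wan SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP DPT=7547
1480204805 IN=wan SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP DPT=443
1480204810 IN=wan SRC=192.0.2.55 DST=198.51.100.2 PROTO=TCP DPT=7547
1480205500 IN=wan SRC=192.0.2.55 DST=198.51.100.9 PROTO=TCP DPT=7547
this line is not a firewall record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+) IN=\S+ SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=TCP DPT=(?P<dport>\d+)$"
)
# Telnet (23, and the 2323 alternative Mirai also tries) plus the TR-064 port.
WATCHED_PORTS = {23, 2323, 7547}


def parse_line(line: str):
    """Return a dict for a well-formed record, None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": int(m["ts"]), "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def find_scanners(log_text: str, window: int = 60, threshold: int = 3):
    """Flag sources that touch >= `threshold` distinct (destination, port) pairs on
    watched ports within any `window`-second span.  Returns {src: [(dst, port), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] in WATCHED_PORTS:
            hits[rec["src"]].append((rec["ts"], rec["dst"], rec["dport"]))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _, _) in enumerate(events):
            in_window = {(d, p) for t, d, p in events[i:] if t - t0 <= window}
            if len(in_window) >= threshold:
                flagged[src] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    for src, targets in find_scanners(SAMPLE_LOG).items():
        print(f"{src}: {len(targets)} management-port probes -> {targets}")
```

Detection is the second line here; the first is the one ZyXEL and the ISPs describe, closing the maintenance interface to the WAN side so that the probe finds nothing to brute-force. The detector still earns its keep by showing which customer ranges are being swept and when, which is what a rollout of the fix needs to be prioritised against.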
Jean-Philippe Taggart, senior security researcher at Malwarebytes, said: "The leaked Mirai code, poorly secured remote administration on IoT devices, coupled with the recent availability of a Metasploit module to automate such attacks make for an ideal botnet recruitment campaign.
"So far, it seems the infection does not survive a reboot, but the malicious actors tend to disable access to the remote administration as part of the infection. This prevents the ISP from applying an update that would solve these issues. The botnet gains a longer life as users seldom reboot their routers unless they're experiencing a problem."
Other experts imply further attacks along the same lines are inevitable because the state of router security is poor and unlikely to improve any time soon.
Daniel Miessler, director of advisory services at IOActive, commented: "Recent attacks to Deutsche Telekom, TalkTalk and the UK Post Office will be felt by hundreds of thousands of broadband customers in Europe, but while the lights stay on and no one is in any real physical or financial danger, sadly nothing will change. IoT will remain fundamentally insecure.
"The current state of IoT security is in bad shape, and will get a whole lot worse before it gets any better. The Mirai botnet, which is powered by 100,000 IoT devices that are insecure by default, is just the most obvious and topical example."
Wednesday, 30 November 2016
Malware uses Facebook and LinkedIn images to hijack your PC
Malware doesn’t always have to attack your computer through browser- or OS-based exploits. Sometimes, it’s the social networks themselves that can be the problem. Researchers at Check Point have discovered that a variant of known ransomware, Locky, is taking advantage of flaws in the way Facebook and LinkedIn (among others) handle images in its bid to infect your PC. The trick forces your browser to download a maliciously coded image file that hijacks your system the moment you open it. If you do, your files are encrypted until you pay up.
Check Point says it told Facebook and LinkedIn about the exploit in September, but it’s not clear that there are fixes in place. We’ve reached out to both companies to find out what the situation is right now. Whether or not you’re in the clear, this is a reminder that you can’t take the safety of social sites for granted — it’s a good idea to be wary of any downloads you weren’t expecting.
NetWire RAT Back, Stealing Payment Card Data
The remote access Trojan NetWire is back and this time making the rounds pilfering payment card data. The move is a shift for attackers behind the notorious NetWire, which was once thought to be the first multi-platform RAT.
Over the last couple of years payment card breaches have been mostly synonymous with point of sale (POS) malware that scrapes memory from credit and debit cards swiped through the infected system. A new variant of NetWire RAT scrapes card data and also boasts an integrated keylogger that can sniff data from devices like USB card readers, according to researchers at SecureWorks, who detailed on Monday the latest version of the RAT they came across back in September.
The RAT relies on victims opening an attachment in a phishing email; once opened the malware is downloaded and the infection can linger for months or years until it’s discovered, according to SecureWorks researchers.
Researchers claim they spotted the RAT collecting data during an incident response engagement, but that this particular variant wasn’t specially trained to target POS systems.
This iteration was a .NET-compiled binary named “TeamViewer 10,” that once executed, unloads an .EXE file and gets to work maintaining persistence. Researchers claim the file creates a Windows shortcut in the Startup menu, something that ensures the RAT launches every time the victim logs into the system. Researchers note the file has nothing to do with TeamViewer; it was likely just the name the malware’s author gave it to trick victims into thinking the file was the actual remote support software.
In addition to copying itself to the startup menu, NetWire also injects code in notepad.exe to evade detection. Ironically, the technique did more harm than good and got the malware noticed, as it’s odd for notepad to have an active network connection.
It wasn’t until researchers devised a decoder to decode the keylogger’s output files that they determined it was actually stealing sensitive information. They found track one and track two card data, plain text credentials and data that helps the attacker know where the data was entered. “The files also display the window title of the opened application, which reveals which application and website the sensitive information was entered,” SecureWorks’ research describes.
Researchers with the firm didn’t disclose which company’s system it discovered the RAT on, only that it was an organization that processes numerous credit cards on a daily basis.
The NetWire RAT is by no means new – it’s been around in one iteration or another since 2012. Attackers used NetWire last year in a rash of attacks against banks and healthcare companies. Victims of that variant would have had to have opened a malicious Word document, rigged with macros, to download the RAT from Dropbox in order to get infected. In 2014 researchers with Palo Alto Networks discovered that a group of Nigerian scammers – operating under the guise of Silver Spaniel – were using Netwire to remotely control infected systems. Researchers with FireEye observed a separate spam campaign that same year peddling RATs like Netwire and DarkComet, along with Trojans such as Zeus and Handsnake.
Retail chains are likely wary to hear of this week’s Netwire news. The holiday season is perpetually marred by credit card fraud. Three years ago the now infamous Target hack affected customers who shopped at U.S. Target stores during this pivotal span of time, between November 27 and December 15. The same malware that hit Target’s point of sale terminals, BlackPOS, was ultimately tied to the even bigger hack of Home Depot that following summer, although that connection was disputed by some experts.
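The detail that gave NetWire away, notepad.exe holding an active network connection, is a general detection idea: most processes on a workstation never talk to the network, so a short allow-list of those that should is enough to surface injection into an unexpected host process. The added example below (written for this page, not SecureWorks' tooling) runs that check over a constructed snapshot of process-to-connection records of the kind a `netstat -b`-style export or an EDR query would give; the process names in the baseline, the record fields and the addresses are assumptions for the demonstration.

```python
# Constructed snapshot of (process, connection) records; not from the incident.
SAMPLE_CONNECTIONS = [
    {"pid": 412,  "image": "chrome.exe",  "raddr": "93.184.216.34", "rport": 443,  "state": "ESTABLISHED"},
    {"pid": 1180, "image": "outlook.exe", "raddr": "203.0.113.40",  "rport": 443,  "state": "ESTABLISHED"},
    {"pid": 3300, "image": "svchost.exe", "raddr": "127.0.0.1",     "rport": 135,  "state": "ESTABLISHED"},
    {"pid": 2044, "image": "notepad.exe", "raddr": "198.51.100.23", "rport": 8080, "state": "ESTABLISHED"},
    {"pid": 2044, "image": "notepad.exe", "raddr": "0.0.0.0",       "rport": 0,    "state": "LISTENING"},
    {"pid": 5120, "image": "calc.exe",    "raddr": "127.0.0.1",     "rport": 5555, "state": "ESTABLISHED"},
]

# Baseline of images that are expected to hold network connections on this host
# (an assumption; in practice derived from a clean build of the same image).
NETWORK_EXPECTED = {"chrome.exe", "outlook.exe", "svchost.exe", "firefox.exe"}


def is_loopback(addr: str) -> bool:
    return addr.startswith("127.") or addr == "::1"


def flag_unexpected_network(conns, expected=NETWORK_EXPECTED, ignore_loopback=True):
    """Group connections by (pid, image) for every process outside the baseline.

    Loopback-only traffic is ignored by default because local IPC is common and
    noisy; a LISTENING socket is always reported, since a text editor has no
    business accepting inbound connections at all."""
    findings = {}
    for c in conns:
        if c["image"].lower() in expected:
            continue
        if ignore_loopback and c["state"] != "LISTENING" and is_loopback(c["raddr"]):
            continue
        findings.setdefault((c["pid"], c["image"]), []).append(c)
    return findings


def summarize(findings):
    """One human-readable line per offending process, for a ticket or alert."""
    lines = []
    for (pid, image), conns in sorted(findings.items()):
        remotes = ", ".join(f'{c["raddr"]}:{c["rport"]} ({c["state"]})' for c in conns)
        lines.append(f"{image} pid={pid}: {remotes}")
    return lines


if __name__ == "__main__":
    for line in summarize(flag_unexpected_network(SAMPLE_CONNECTIONS)):
        print(line)
```

The check is deliberately a baseline comparison rather than a signature: it would have fired on notepad.exe here whatever the injected payload was, which is the property the SecureWorks finding illustrates. The cost is tuning the allow-list per host role, and the loopback exception is the knob to close when a host is under investigation.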
The remote access
Trojan NetWire is back, and this time it is making the rounds pilfering payment
card data. The move is a shift for the attackers behind the notorious NetWire,
which was once thought to be the first multi-platform RAT.
Over the last couple of years payment card breaches have been mostly
synonymous with point of sale (POS) malware that scrapes memory from
credit and debit cards swiped through the infected system. A new variant
of NetWire RAT scrapes card data and also boasts an integrated
keylogger that can sniff data from devices like USB card readers,
according to researchers at SecureWorks, who detailed on Monday the
latest version of the RAT they came across back in September.
The RAT relies on victims opening an attachment in a phishing email;
once opened the malware is downloaded and the infection can linger for
months or years until it’s discovered, according to SecureWorks
researchers.
Researchers claim they spotted the RAT collecting data during an
incident response engagement, but that this particular variant wasn’t
specifically tailored to target POS systems.
This iteration was a .NET-compiled binary named “TeamViewer 10,” which,
once executed, drops an .EXE file and gets to work establishing
persistence. Researchers claim the file creates a Windows shortcut in
the Startup menu, which ensures the RAT launches every time the
victim logs into the system. Researchers note the file has nothing to
do with TeamViewer; it was likely just the name the malware’s author
gave it to trick victims into thinking the file was the actual remote
support software.
In addition to copying itself to the startup menu, NetWire also injects
code into notepad.exe to evade detection. Ironically, the technique did
more harm than good and got the malware noticed, as it’s odd for notepad
to have an active network connection.
It wasn’t until researchers devised a decoder for the keylogger’s
output files that they determined it was actually stealing sensitive
information. They found track one and track two card data, plain text
credentials and data that tells the attacker where the data was
entered.
“The files also display the window title of the opened application,
which reveals which application and website the sensitive information
was entered,” SecureWorks’ research describes.
Researchers with the firm didn’t disclose which company’s system they
discovered the RAT on, only that it was an organization that processes
numerous credit cards on a daily basis.
The NetWire RAT is by no means new – it’s been around in one iteration
or another since 2012.
Attackers used NetWire last year in a rash of attacks against banks and
healthcare companies. Victims of that variant would have had to open
a malicious Word document, rigged with macros, which downloaded the
RAT from Dropbox, in order to get infected.
In 2014 researchers with Palo Alto Networks discovered that a group of
Nigerian scammers – operating under the guise of Silver Spaniel – were
using Netwire to remotely control infected systems. Researchers with
FireEye observed a separate spam campaign that same year peddling RATs
like Netwire and DarkComet, along with Trojans such as Zeus and
Handsnake.
Retail chains will likely be wary of this week’s Netwire news.
The holiday season is perpetually marred by credit card fraud. Three
years ago the now infamous Target hack affected customers who shopped at
U.S. Target stores during this pivotal span of time, between November
27 and December 15. The same malware that hit Target’s point of sale
terminals, BlackPOS, was ultimately tied to the even bigger hack of Home
Depot that following summer, although that connection was disputed by
some experts.
See more at: NetWire RAT Back, Stealing Payment Card Data https://wp.me/p3AjUX-vMg
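The article names three things a responder can check for: a process such as notepad.exe holding a network connection, a Startup-folder shortcut pointing at a dropped executable, and track 1/track 2 card data in recovered keylogger output. The following is an added example (not SecureWorks' or the article's code) that runs those checks over constructed telemetry, keylogger lines and a Startup listing; the trusted-root paths, the no-network process list and the keylogger line layout are assumptions to tune for your own estate.

```python
"""Triage helpers for the NetWire behaviours described above (added example, not SecureWorks code).

Three checks on constructed input: (1) processes that should never hold a network
connection (the sample injected into notepad.exe), (2) Startup-folder shortcuts whose
target lives outside trusted install roots, and (3) track 1/track 2 card data in a
recovered keylogger file, confirmed with a Luhn check before a masked PAN is reported.
"""
import re
from dataclasses import dataclass

# Workstation binaries with no legitimate reason for an outbound connection; tune per estate (assumed list).
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}
# Where Startup-folder shortcut targets normally resolve to (compared lower-cased; assumed roots).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# ISO/IEC 7813 track layouts:  %B<PAN>^<NAME>^<YYMM><service code>...?   and   ;<PAN>=<YYMM><service code>...?
TRACK1 = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})\d{3}[^?]*\?")
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})\d{3}\d*\?")


@dataclass
class Conn:
    """One row of process-to-socket telemetry (e.g. from netstat -b or an EDR export)."""
    process: str
    pid: int
    remote: str
    state: str


def unexpected_network_processes(conns):
    """Return established connections owned by processes on the no-network list."""
    return [c for c in conns
            if c.process.lower() in NO_NETWORK_EXPECTED and c.state.upper() == "ESTABLISHED"]


def suspicious_startup_entries(entries):
    """entries: (shortcut name, resolved target path). Flag targets outside trusted roots."""
    return [(name, target) for name, target in entries
            if not any(target.lower().startswith(root) for root in TRUSTED_ROOTS)]


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, which every real PAN satisfies; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four so an analyst can scope exposure without re-exposing the PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(text: str):
    """Return (track, masked PAN, expiry YYMM) for each Luhn-valid track string in text."""
    hits = []
    for m in TRACK1.finditer(text):
        if luhn_ok(m.group(1)):
            hits.append(("track1", mask(m.group(1)), m.group(3)))
    for m in TRACK2.finditer(text):
        if luhn_ok(m.group(1)):
            hits.append(("track2", mask(m.group(1)), m.group(2)))
    return hits


# Constructed sample keylogger output: window title in brackets, then the keystrokes.
# 4111 1111 1111 1111 is a well-known test number, not a real card.
SAMPLE_KEYLOG = """\
[Payment Client - Checkout] %B4111111111111111^DOE/JANE^2012101000000000?
[Payment Client - Checkout] ;4111111111111111=20121010000000000?
[Outlook - Inbox] password123
"""

# Constructed telemetry mirroring the article: notepad.exe holding an outbound session.
SAMPLE_CONNS = [
    Conn("chrome.exe", 812, "203.0.113.9:443", "ESTABLISHED"),
    Conn("notepad.exe", 4120, "198.51.100.7:443", "ESTABLISHED"),
]
# Constructed Startup listing: a "TeamViewer 10" shortcut whose target is in a user profile.
SAMPLE_STARTUP = [
    ("OneDrive.lnk", "C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe"),
    ("TeamViewer 10.lnk", "C:\\Users\\clerk\\AppData\\Roaming\\TeamViewer 10.exe"),
]

if __name__ == "__main__":
    for c in unexpected_network_processes(SAMPLE_CONNS):
        print(f"[net] {c.process} pid={c.pid} -> {c.remote}")
    for name, target in suspicious_startup_entries(SAMPLE_STARTUP):
        print(f"[persist] {name} -> {target}")
    for track, pan, exp in find_track_data(SAMPLE_KEYLOG):
        print(f"[carddata] {track} pan={pan} exp={exp}")
```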
Thursday, 24 November 2016
Open Source Honeypot for Mirai Detection
Cymmetria Research
is releasing an open source honeypot for Mirai detection, a specific
tool built to match what Mirai expects, based on its source code. MTPot
was developed by Dean Sysman, Co-Founder & CTO; Itamar Sher, Head of
Research; and Imri Goldberg, Co-Founder & VP R&D, all of Cymmetria.
Mirai has hit the news recently with the huge DDoS attack
(“DynDOS”) that occurred in October, which overwhelmed Internet
service providers and caused multiple disruptions, making DDoS one of
the key concerns of security teams as well as businesses worldwide.
According to the company, a need arose for a very
lightweight honeypot with which one could collect verified Mirai
Indicators of Compromise (IoCs) – specifically IP addresses trying to
compromise IoT systems – and the malware samples they infect them with.
In addition to the DDoS component, Mirai first compromises
IoT devices, building an infrastructure from which the DDoS can be
launched. The infection attempt is what Cymmetria aims to detect.
The Mirai honeypot functionality includes the ability to:
· Detect incoming connections on any port using telnet (equivalent to listening on that port).
· Specifically ID the Mirai version we researched
(the one which is open source), based on the commands requested from the
service.
· Alter parameters to ID Mirai (port and commands).
· Report to a Syslog server.
· Collect the malware samples Mirai tried to infect the user with (will currently crash Mirai instead, see below note).
The company says that there was a limit as to how much
debugging time they could invest in Mirai and this last functionality
(collecting samples) is not currently working. Instead, Mirai crashes
when it receives the input it expects.
Usage of the tool is simple, but much like any other low
interaction honeypot, it has limitations by its nature of emulating a
service. This is shown through the requests Mirai sends via its telnet
connection, based on the Mirai source code available on GitHub. Thus, it can be fingerprinted if anyone puts their mind to it.
The Mirai honeypot can be downloaded from Cymmetria's Git repository. The company also offers the MazeRunner Community Edition, a free version of Cymmetria’s enterprise cyber deception platform.
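To make the functionality list above concrete, here is an added example of a low-interaction telnet honeypot in the spirit of MTPot (this is not Cymmetria's code). It listens on a configurable port, plays a fake login and BusyBox-style shell, keeps the credentials and commands the client sends, fingerprints a Mirai-style session and emits a syslog record. The post-login probe sequence `enable`, `system`, `shell`, `sh` followed by a `/bin/busybox <token>` check is my reading of the published Mirai source and is an assumption to adjust against your own captures; the fake banner is constructed.

```python
"""Low-interaction telnet honeypot in the spirit of MTPot (added example, not Cymmetria's code).

Presents a fake login, records credentials and commands, fingerprints Mirai-style
sessions and emits a syslog record. Assumption: MIRAI_PROBE below is the post-login
sequence the published Mirai source sends; adjust it to what your captures show.
"""
import logging
import logging.handlers
import socketserver
from dataclasses import dataclass, field

LOG = logging.getLogger("mirai-honeypot")
MIRAI_PROBE = ("enable", "system", "shell", "sh")   # assumed from the public source
BUSYBOX_PROBE = "/bin/busybox"                      # followed by a token the bot expects echoed back
MAX_COMMANDS = 12                                   # we only need the fingerprint, not a long session
FAKE_BANNER = "\r\nBusyBox v1.20.2 () built-in shell (ash)\r\n\r\n# "   # constructed banner


def strip_iac(data: bytes) -> bytes:
    """Drop telnet IAC negotiation triplets (0xFF cmd opt) so only typed text remains."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == 0xFF and i + 2 < len(data):
            i += 3
            continue
        out.append(data[i])
        i += 1
    return bytes(out)


@dataclass
class Session:
    """State machine for one client connection: login -> password -> fake shell."""
    peer: str
    state: str = "login"
    username: str = ""
    password: str = ""
    commands: list = field(default_factory=list)

    def feed(self, line: str) -> str:
        """Consume one line from the client and return the text to send back."""
        line = line.strip()
        if self.state == "login":
            self.username, self.state = line, "password"
            return "Password: "
        if self.state == "password":
            self.password, self.state = line, "shell"
            return FAKE_BANNER
        self.commands.append(line)
        parts = line.split()
        if parts and parts[0] == BUSYBOX_PROBE:
            # The bot looks for "<token>: applet not found" to confirm a real BusyBox shell.
            token = parts[1] if len(parts) > 1 else "busybox"
            return f"{token}: applet not found\r\n# "
        return "# "

    def done(self) -> bool:
        return len(self.commands) >= MAX_COMMANDS


def looks_like_mirai(commands) -> bool:
    """True when the shell probes appear in order, followed by a busybox token probe."""
    rest = iter(commands)                      # a single iterator gives subsequence matching
    for expected in MIRAI_PROBE:
        if not any(c == expected for c in rest):
            return False
    return any(c.split()[:1] == [BUSYBOX_PROBE] for c in rest)


def syslog_record(session: Session) -> str:
    """One-line event for a syslog collector: source, credentials tried, fingerprint, commands."""
    return (f"honeypot peer={session.peer} user={session.username!r} "
            f"pass={session.password!r} mirai_like={looks_like_mirai(session.commands)} "
            f"cmds={session.commands!r}")


class Handler(socketserver.StreamRequestHandler):
    def handle(self):
        sess = Session(peer=self.client_address[0])
        self.wfile.write(b"login: ")
        for raw in self.rfile:
            reply = sess.feed(strip_iac(raw).decode("latin-1", "replace"))
            self.wfile.write(reply.encode("latin-1"))
            if sess.done():
                break
        LOG.info(syslog_record(sess))


def serve(port: int = 23, syslog_host: str = "") -> None:
    """Run the honeypot; with syslog_host set, records are also forwarded over UDP/514."""
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    if syslog_host:
        LOG.addHandler(logging.handlers.SysLogHandler(address=(syslog_host, 514)))
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", port), Handler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve(port=2323)   # unprivileged port for a local test; redirect 23 to it at the firewall
```

Like MTPot, this never serves a sample back to the bot; it only records what was sent.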
The Threat of Connected Devices to the Internet
At least three consecutive waves of complex online attacks were directed at Domain Name System (DNS) servers operated by Dyn, a US internet infrastructure provider. The attack on October 21, 2016 consisted of a Distributed Denial of Service (DDoS) attack, and blocked access to thousands of websites, including Netflix, Amazon, Twitter, Airbnb, the New York Times, PayPal, and more. Immediately, suspicions centered on Russia and China as having both the motivation and the ability to plan and execute such an attack. Yet as of this writing, it is not at all clear if the attack was state-motivated. After the attack, it was reported that the Chinese and Russian hacker group known as New World Hackers assumed responsibility and claimed it was a sophisticated attack using botnets at higher-speed traffic than ever known before – 1.2 terabytes per second (Tbps).
The attack exploited vast numbers of connected devices (in
an announcement to the media, Dyn stated that some 100,000 devices were
involved). These devices, also known as the Internet of Things (IoT),
include webcams, alarm systems, baby monitors, internet-based security
cameras, DVRs, printers, and routers – all connected to the internet.
The attackers managed to plant a software component in these devices
that could receive commands from a control server so that the masses of
devices all sought out the target in a synchronized manner and paralyzed
the attacked servers’ ability to function by flooding them with traffic.
The vast majority of these devices lack any kind of significant
defenses; access to most of the systems is ensured through default
usernames and passwords installed by the manufacturer. In fact, there is
no current effective concept to respond to this type of threat.
The threat inherent in the swarm of connected devices is
not new. As early as 2013, Symantec reported the existence of a worm
called Linux.Darlloz that according to estimates, infected some 50,000
IoT connected devices, such as routers and Set Top Box devices or
computers based on Intel’s X86 architecture. The goal was to install
software allowing attackers to mine crypto currencies. In 2015, Symantec
issued a detailed report about weaknesses that make it possible to
break into 50 different kinds of smart home devices. In its April 2016
report, the company stated that medical devices (such as insulin pumps,
X-ray systems, and CT scanners) are also exposed to attack, as well as
smart TV systems and dozens of other devices of all types.
Even though the ability to penetrate these devices and
carry out extensive DDoS attacks through them was not surprising, the
intensity of the attacks demonstrated the destructive capability of
using a large number of synchronized simple devices. The attack broke
the record for the largest DDoS attack ever, set in September
2016 by the attack on the French company OVH, at a scope of 1 Tbps, which used
bots (software agents) that exploited the widespread CCTV cameras. In
many respects, this is a dangerous escalation and sets a new threshold
for a cyber threat that on a few levels so far has no satisfactory
response.
The first aspect is connected to the proliferation of these
devices. In the US, there are about 25 connected devices per 100
people, and this is just the beginning of the trend. Gartner Inc.
estimates that in 2016 the world will have 6.4 billion connected
devices, and that by 2020 that number will approach 21 billion. Such a
vast number of devices creates a significant weakness for the web and
allows attackers of various sorts to use them for any number of goals.
The new twist in the most recent attack was the simplicity with which it
was carried out. Millions of devices can serve as the potential means
for DDoS cyberattacks whose execution is relatively simple, because the
devices create new entrance points to the internet, making the scope of
the threat enormous. The threat grows even greater because end devices,
such as smartphones and computers, are used to control the connected
devices.
The second aspect concerns the weakness of the defense.
Most IoT devices lack appropriate means of security, making it easy for
attackers to exploit the weaknesses of the systems operating the devices.
The majority of manufacturers have yet to adopt a framework of standards
and security; they generally use publicly available open-source code to make
it possible for their devices to communicate with other similar devices
in the area, and this itself generates severe security soft spots.
Important corrective steps have been initiated in the United States, as
security companies, manufacturer associations, and even government
agencies have begun to cooperate, but these steps are far from
constituting a sufficient defensive response.
The third aspect regards the scope and depth of the damage.
The attack on Dyn was a clear warning sign: while the offensive
capabilities displayed in the attacks did not require anything
particularly sophisticated, the impact was significant. The fact that
the malicious code was made public prepared the ground for other attacks
that will make use of this or similar code, and raises the specter that
the writers of the code already possess an improved version. Thus the
use of similar methods of attack will presumably be seen again, perhaps
even in more powerful versions.
Finally, there is privacy. One of the key problems with
connected devices is securing user privacy. Connected devices are
constantly collecting information about their users’ parameters, at home
and in the office, including the nature of use of equipment and
electrical appliances as well as wearable devices, whose use is becoming
more widespread. The inherent defensive weaknesses of these devices
mean that all that information could be available to various attackers
intent on subversion.
The weakness shown in the last attack is not the burden of
the private sector alone. The use of armies of connected devices is a
challenge for the state, because it has the capability to harm the
routine performance of governments and, worse still, disrupt performance
during emergencies and in wartime. Because the risk is real, defending
connected devices is an enormous challenge. In response to the attack on
Dyn, the United States government was called on to enact regulation on
the security of IoT products. Indeed, this seems precisely where efforts
should be focused, with measures similar to the steps taken in the
financial sector. Although the problem is global, Israeli entities
charged with cyber security must fully understand the risk of exposure
to such attacks and take action by partnering with international efforts
on the issue, while at the same time taking steps to enhance the
relevant defensive mechanisms and their continued performance in order
to cope with this type of attack.
NITA committed to strict cyber security
He explained that, with oversight responsibility for the
Electronic Transactions Act (Act 772), which is used to combat cybercrime, NITA, with
support from stakeholders such as the law enforcement agencies and the
judiciary, was empowered to ensure that the Act was implemented to the
letter.
Mr Atta-Boateng made these remarks, in a speech read on his behalf in Accra, at a Computer Security Incident Response Team training workshop.
He said the recent security governance initiative with the United States Government and the GLACY+ capacity building with the Council of Europe, in which NITA was fully involved, would bring Ghana the needed capacity to implement the recently approved Cyber Security Policy and Strategy to improve the fight against cybercrime.
He said NITA had been mandated to lead in the development and implementation of cyber security policy and strategy to make Ghana a safe place in cyberspace.
“NITA was actively involved in the development of the national policy on cyber security and would be a principal player in the implementation,” he said.
“NITA is the Government’s ICT service player and it has rolled out an elaborate wireless and fibre optics network across the country.
“It has also developed and is managing the National Datacentre Infrastructure currently being used by both public and private sectors entities,” Mr Atta-Boateng added.
He said NITA, as a manager of the huge ICT Infrastructure, was very mindful of the security of the network and must ensure that the network was always up to ensure that the government’s business was not impeded.
He said in view of this NITA had set up NITACERT in 2012, the first Computer Security Incident Response Team (CSIRT) in Ghana, to manage incidents that occurred on the network.
With the establishment of the National CSIRT, CERT-GH, in 2014 by the Ministry of Communication, NITACERT now worked closely with CERT-GH to secure its network elements.
Mr Atta-Boateng said NITA currently hosted CERT-GH and supported its operation in the light of its commitment to ensure that the Ghana Cyber was safe.
“It is on this note that NITA has partnered with other stakeholders in the private sector and civil society to promote awareness of cyber security by organising the cyber security initiative this year,” he said.
He said under the security governance initiative, more capacity building and awareness creation activities would begin next year.
The training workshop, which is part of the 2016 National Cyber Security Week Celebration, is to create awareness to participants on computer security incident response teams and their role in ensuring cyber security.
Cyber security is the body of technologies, processes and practices designed to protect networks, computers, programmes and data from attack, damage or unauthorised access.
Mr Eric Akumiah, CERT-GH Manager, Ministry of Communication, said the best way of ensuring cybersecurity was through creating awareness on it.
He noted that 70 per cent of cyber security could be attributed to awareness creation and 30 per cent to technical; adding that, an awareness creation would allow the country to have a firm grip and know what to do.
He said the workshop was to create a high level of cyber security awareness and show how to be more responsive towards it.
Mr Kenneth Adu-Amanfoh of the National Communication Authority, said the Authority in collaboration with NITA, would ensure that the National Cyber Space was free from criminals.
He said as regulators of the telecommunications sector, the Authority would ensure that consumers got the best services from the operators.
Mr Marcus Adomey, the Chief Operations Manager, AfricaCERT, in his presentation, noted that the internet had no respect for national borders; hence, there was the need for an appropriate structure to deal with cyber crime.
How Israel Built One Of The World’s Most Powerful Cyber Armies
In the last few years, along with the United States, UK, China and
Russia, Israel has become a superpower in the world of government
hacking and cyber espionage.
Israeli cyberspies are believed to have worked with NSA hackers to develop Stuxnet, the world’s first cyberweapon. And many of its cyberspies and warriors have moved to the private sector to launch companies worth hundreds of millions of dollars that have a footprint all over the globe, such as Cellebrite or the NSO Group. How did such a small country become such a big player on the world hacking stage?
At the core of Israel’s success in cyberspace is a military intelligence corps named Unit 8200, which specializes in sophisticated hacking and espionage operations. Young Israeli geeks vie to get into Unit 8200 to have a chance to work within a team tasked with carrying out cutting-edge missions, and the license to hack and spy on almost anyone.
“You get 18 or 19-year-olds to deal with the most exciting stuff that anyone can deal with, espionage!” said Ronen Bergman, an investigative journalist at Yedioth Ahronoth.
After they leave service, they can leverage the experience and prestige of Unit 8200 to get practically any cybersecurity job or get funding to launch a company. That’s why kids in high school dream about joining Unit 8200, and that’s why the Israeli government has set up a program to nurture and recruit high school kids interested in computers.
A zero-day
vulnerability in InPage publishing software used primarily in Urdu,
Pashto and Arabic-speaking nations has been publicly exploited in
attacks against financial institutions and government agencies in the
region.
While there are more than 10 million InPage users in Pakistan and India
alone, there are a significant number of users in the U.S., U.K. and
across Europe as well.
Researchers at Kaspersky Lab today disclosed the vulnerability after a
number of attempts to privately report the bug to InPage were ignored.
“We have informed the vendor of the affected software of the existence
of the vulnerability, but have received no reply, while the attacks
continue,” Kaspersky Lab said in a statement. “We have also informed the
Indian CERT and received the reply that the organization’s specialists
are looking into the issue.”
Kaspersky Lab said it’s possible a number of criminal or nation-state
actors are using this exploit since it has recorded several different
attacks against banks in Asia and Africa, as well as others targeting
government agencies. The exploit is spreading via phishing campaigns,
and was discovered during a separate investigation in September.
It was then that Kaspersky Lab researchers found a file with a .inp
extension that was analyzed and found to contain shellcode inside a
Microsoft OLE file, a file format that has been used in a number of
Office exploits dating back to 2009. The researchers detected a number
of different payloads and command and control servers used in the
respective attacks. A list of C2 servers and indicators of compromise
has been published as well.
Kaspersky Lab’s analysis of some of the emails shows that the attackers
used other exploits using .rtf and .doc files in conjunction with the
InPage exploit. The attacks dropped different versions of particular
keyloggers and backdoors on victims’ machines. The vulnerability in
question is in a parser in the main InPage module.
“The parser in the software’s main module ‘inpage.exe’ contains a
vulnerability when parsing certain fields,” Kaspersky Lab said. “By
carefully setting such a field in the document, an attacker can control
the instruction flow and achieve code execution.”
The shellcode found in the document first looks for certain patterns in
virtual memory space before launching a decoder that obtains an
instruction pointer and decrypts the next stage of the attack. At that
point, a downloader grabs and executes the payload.
Kaspersky Lab researchers said the attacks are similar to attacks
exploiting vulnerabilities in the Hangul Word Processor against
government targets in South Korea. Researchers at FireEye last year
found such an attack and linked the payloads and command and control
infrastructure used to North Korea.
“Despite our attempts, we haven’t been able to get in touch with the
InPage developers,” Kaspersky Lab said. “By comparison, the Hangul
developers have been consistently patching vulnerabilities and
publishing new variants that fix these problems.”
See more at: InPage Zero Day Used in Attacks Against Banks https://wp.me/p3AjUX-vLy
Attackers use ancient zero-day to pop Asian banks, govts
Attackers are compromising government and banks across Asia by
exploiting a years-old zero day vulnerability in desktop publishing
application InPage, which targets users working in Urdu or Arabic.
Kaspersky Labs analyst Denis Legezo found the attacks and reported the zero-day to InPage, which he says ignored his disclosures.
Legezo says InPage has some 19 million users, 10 million in Pakistan, six million in India, two million in the UK, and one million in the US.
If someone wants to deploy attack modules into regional press-related companies, an InPage exploit would work well.
"We don’t observe any public mentions of [the InPage] exploit so we consider it a zero day."
Legezo found live attacks, likely from multiple groups, utilising the zero day vulnerabilities against unnamed banks and governments in Myanmar, Sri Lanka and Uganda.
Criminals are attaching multiple InPage files and also exploiting old bugs through attached .rtfs and xxx.doc files.
The analyst found several keyloggers and backdoors within the phishing emails used to attack InPage users.
He says the parser within the proprietary InPage file format contained a vulnerability that allowed attackers to gain control of instruction flow and then remote code execution.
"By all appearances, this newly discovered exploit has been in the wild for several years," Legezo says.
Hackers have previously targeted regionally-specific software. Several exploits have been found in the Hangul Word Processor, almost exclusively used in South Korea, in what Legezo says are attacks against Korean interests.
Tuesday, 22 November 2016
Nigerian companies lost $550M to cyber-criminals in 12 months
Nigerian businesses lost slightly more than half a billion US Dollars
in the last twelve months to cyber criminals, a new pan African cyber
intelligence report reveals.
The Nigeria Cyber Security Report 2016, which is expected to be launched next week at the eNigeria Conference and Expo in Abuja was researched, analysed, compiled and published by Kenyan based Serianu in partnership with Nigeria’s Demadiur Systems and the United States International University (USIU)’s Centre for Informatics Research and Innovation (CIRI).
The report is said to be the first of its kind in Nigeria, as it sheds light on the impact that cybercrime has had on local businesses.
Speaking on the report, Serianu’s Managing Director, Mr. William Makatiani said that in developing the research, the firm’s Cyber Threat Intelligence Team reviewed publicly and privately available data from individual industries and performed interviews of business leaders and IT security practitioners.
Makatiani noted that the Nigeria Cyber Security Report 2016 established that the annual cost of cybercrime to Nigerian business is close to Naira 173,387,500,000 (USD550 Million). To illustrate this further, the report reveals that more than half (56.3%) of Nigerian businesses remain exposed to cyber-attacks.
“A vast majority of these companies and organizations are not even aware of the threats that they are exposed to from criminals, who are always trawling the Internet for firms to raid,” said Makatiani.
According to The Nigeria Cyber Security Report 2016, the systems found to be most at risk were MikroTik routers, Apache HTTPD web servers, IIS servers and Cisco routers. The most vulnerable applications identified were Exchange servers, and those running Microsoft Outlook Web Application emerged as the most common.
The report warns that security breaches, especially those perpetrated by internal staff, are becoming more sophisticated. In effect, it took up to one year to detect an external cyber-attack and resolve it: the average time taken to detect an external attack in a typical organisation in Nigeria was 260 days, and another 80 days to resolve the attack. The report reveals that in many organisations it took nearly two years to detect and resolve malicious insider attacks. This was especially apparent in organisations that had not invested in cyber security products that facilitate anticipation, detection, recovery and containment of cybercrime.
Makatiani explained that many organisations had been found to maintain administrative interfaces viewable from anywhere on the Internet and that their owners had failed to take preventive cautionary measures, including changing manufacturers’ default passwords. During the study, the research team came across a total of 100,000 Internet routers and cameras publicly accessible to anyone who could reach them via the Internet.
Ikechukwu Nnamani, President of Demadiur Systems and the local research lead, added that Nigeria as a country has not yet established any process to track and capture cyber criminals.
“To counter this situation, Nigerians installing these Internet access systems in their home/office networks must work with cyber security experts to ensure that they are not exposed. Similarly, companies need to raise their degree of vigilance, with the IT teams required to invest more time and resources in auditing their entire systems and establishing modalities to reduce breach incidents,” said Nnamani.
Oracle buys cyber attack target Dyn
Oracle plans to enhance its offerings with Dyn's expertise in monitoring, controlling, and optimizing cloud-based internet applications and managing online traffic (AFP Photo/Justin Sullivan)
Oracle on Monday announced it is buying Dyn, a Web traffic management firm recently hit with a cyber attack that closed off the internet to millions of users.
Business software and hardware titan Oracle did not disclose financial terms of the deal to acquire US-based Dynamic Network Services Inc, or Dyn.
Oracle planned to enhance its own offerings with Dyn’s expertise in monitoring, controlling, and optimizing cloud-based internet applications and managing online traffic.
“Dyn’s immensely scalable and global DNS is a critical core component and a natural extension to our cloud computing platform,” Oracle product development president Thomas Kurian said in a release.
Dyn was the target of cyber attacks that pounded the underpinnings of the internet in October, crippling Twitter, Netflix and other major websites with the help of once-dumb devices made smart with online connections.
The onslaught incapacitated a crucial piece of internet infrastructure, taking aim at a service entrusted to guide online traffic to the right places by turning website names people know into addresses computers understand.
The hacker was probably a disgruntled gamer, an expert whose company closely monitored the attack said last week.
Dale Drew, chief security officer for Level 3 Communications, which mapped out how the October 21 attack took place, told a Congressional panel that the person had rented time on a botnet — a network of web-connected machines that can be manipulated with malware — to level the attack.
Using a powerful malicious program known as Mirai, the attacker harnessed some 150,000 “Internet of Things” (IoT) devices such as cameras, lightbulbs and appliances to overwhelm Dyn systems, according to Drew.
Dyn has more than 3,500 customers including Netflix, Twitter, and CNBC, making tens of billions of online traffic optimizing decisions daily, according to Oracle.