We have a lot to cover this week, but before we get to our list of items, here are the contact details for the Infosec Institute that we mention on the show:
INFOSEC INSTITUTE / INTENSE SCHOOL
Toll Free – 866-471-0059 x 7185
Direct – 708-689-0131 x 7185
On this show we talk about (and more):
- New Report Says Cyberspying Group Linked to China’s Army
- Q&A on Attacks by the Comment Crew
- Unusually detailed report links Chinese military to hacks against US
- Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent
- The new Presidential Executive Order and the State of the Union speech
- A Hacker finally has a face, and yes he is Chinese (is there a theme here?)
- Oxford University blocks Google docs
- New Adobe PDF Reader 0 Day and Acrobat exploit found in the wild
- Apple provided plugin removed from browsers
- Facebook, Twitter and Apple hack sprung from an iPhone dev forum
- DDoS Attack on Bank Hid $900,000 cyberheist
- ShmooCon Firetalks 2013
- iOS 6.1 hack lets users see your phone app, place calls
- LA Times Exploit on their website was there for 6 weeks
- New vulnerability in Blackberry Enterprise Server
- Key Figure in Police Ransomware activity and 10 of his buddies arrested
New Report Says Cyberspying Group Linked to China’s Army:
Q&A on Attacks by the Comment Crew
- Called APT1
- As far back as 2006
- Group called the Comment Crew
- They were dubbed the Comment Crew due to their use of HTML comments to hide communication to the command-and-control servers.
- The initial compromise occurs through a spear phishing email sent to the target. The email contains an attachment using a theme relevant to the target. Some recent examples used by this group and blocked by Symantec technologies are listed here:
- U.S. Stocks Reverse Loss as Consumer Staples, Energy Gain.zip
- New contact sheet of the AN-UYQ-100 contractors.pdf
- U.S. Department of Commerce Preliminarily Determines Chinese and Vietnamese Illegally Dumped Wind Towers in the United States.doc
- Chinese Oil Executive Learning From Experience.doc
- My Eight-year In Bank Of America.pdf
- Targets include Finance, Information Technology, Aerospace, Energy, Telecommunications, Manufacturing, Transportation, Media, and Public Services
- Malware used by the group: Trojan.Ecltys, Backdoor.Barkiofork, and Trojan.Downbot.
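An added example (our own illustration, not code from the Symantec or Mandiant reports): a small Python scanner that pulls the HTML comments out of a fetched page and flags any that decode to a URL, an IP address or a command keyword, which is how a defender might hunt for the comment-based C2 channel that gave the Comment Crew its name. The sample pages, the hidden URL (a TEST-NET address) and the heuristics are constructed for the example.

```python
"""Spot command-and-control data hidden in HTML comments.

Added example, not code from the Symantec or Mandiant reports on APT1:
a simplified detector for the technique where an implant fetches an
ordinary-looking web page and reads its instructions out of
<!-- ... --> comments. Thresholds, the sample pages and the hidden URL
below are constructed for illustration.
"""
import base64
import binascii
import re

# Capture comment bodies, including ones that span several lines.
COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
# A token that looks like base64 and is long enough to carry a command.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# Things a C2 instruction would plausibly contain once decoded.
INDICATOR_RE = re.compile(r"https?://|cmd|download|\b\d{1,3}(?:\.\d{1,3}){3}\b", re.IGNORECASE)
# A bare IPv4 address in a plaintext comment is unusual on a public page.
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def extract_comments(html):
    """Return the stripped body of every HTML comment on the page."""
    return [m.group(1).strip() for m in COMMENT_RE.finditer(html)]


def try_base64_decode(token):
    """Decode strict base64 to printable ASCII, or return None."""
    try:
        text = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def analyze_comment(comment):
    """Return a finding dict for a suspicious comment, else None."""
    reasons = []
    decoded = None
    if B64_RE.match(comment):
        reasons.append("base64-like")
        decoded = try_base64_decode(comment)
        if decoded is not None:
            reasons.append("decodes to printable ASCII")
            if INDICATOR_RE.search(decoded):
                reasons.append("decoded text contains a URL, IP or command keyword")
    elif IPV4_RE.search(comment):
        reasons.append("plaintext IPv4 address in comment")
    if not reasons:
        return None
    return {"comment": comment, "decoded": decoded, "reasons": reasons}


def find_c2_comments(html):
    """Run analyze_comment over every comment on the page; return findings."""
    findings = []
    for comment in extract_comments(html):
        finding = analyze_comment(comment)
        if finding:
            findings.append(finding)
    return findings


# --- Constructed sample input (not real pages) ---------------------------
HIDDEN_C2 = "http://192.0.2.10/update.php"  # TEST-NET address, constructed
ENCODED_C2 = base64.b64encode(HIDDEN_C2.encode()).decode()

BENIGN_PAGE = """<html><head><!-- site header --></head>
<body><!-- TODO: fix the footer layout -->
<p>Quarterly results</p><!-- end main --></body></html>"""

SUSPECT_PAGE = f"""<html><body><!-- site header -->
<p>Quarterly results</p>
<!-- {ENCODED_C2} -->
</body></html>"""

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("suspect", SUSPECT_PAGE)):
        print(name, find_c2_comments(page))
```

In practice you would run `find_c2_comments` over pages your proxy logs show endpoints polling on a fixed schedule; a legitimate page rarely carries a long base64 blob in a comment, and a match that decodes to a URL or IP is worth pulling the host for.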
Unusually detailed report links Chinese military to hacks against US
- Security firm Mandiant has published an unusually detailed report documenting China-sponsored hacking intrusions that have siphoned terabytes of sensitive data from 141 organizations over the past seven years.
- It is the latest report to lay a battery of computer intrusions at the feet of hackers linked to China’s government
- many of those claims lacked crucial details, opening them up to skeptics who complained that the lack of specificity made it difficult or impossible to conclude Chinese actors were behind attacks targeting US governmental agencies, corporations, and human rights organizations.
- The Mandiant report is largely a response to these critics.
- It identifies a 12-story white office tower on the outskirts of Shanghai as the nerve center for a hacking group long known to security researchers as the “Comment Crew.”
- The tower also happens to be the headquarters for the People’s Liberation Army’s Unit 61398, which was described in 2011 as the “premier entity targeting the United States and Canada, most likely focusing on political, economic, and military-related intelligence” by the Virginia-based nongovernmental organization known as the Project 2049 Institute.
- Many of the claims in the Mandiant report have been independently confirmed by US intelligence officials, according to an article published by The New York Times.
- According to Mandiant, Comment Crew has for years vacuumed up the proprietary secrets of more than 100 targets, including technology blueprints, manufacturing processes, clinical trial results, pricing documents, and negotiation strategies.
- Of more concern, Comment Crew hackers have most recently tuned their focus to computer systems used to control dams, gasoline refineries, and other critical infrastructure.
Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent
- In letters sent to customers last week, Telvent Canada Ltd. said that on Sept. 10, 2012 it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings, OASyS SCADA, a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies.
- The firm said it was still investigating the incident, but that as a precautionary measure, it had disconnected the usual data links between clients and affected portions of its internal networks.
- Joe Stewart, director of malware research at Dell SecureWorks and an expert on targeted attacks, said the Web site and malware names cited in the Telvent report map back to a Chinese hacking team known as the “Comment Group.”
Executive Order — Improving Critical Infrastructure Cybersecurity
A Chinese Hacker’s Identity Unmasked
- Oxford University
- Blocking Google Docs
- Due to phishing
- Oxford has been a target of phishing attacks
- using forms on Google Docs
New Adobe PDF Reader 0day and Acrobat Found Exploited in the Wild
Apple-provided Java plug-in removed with software update
- two Java updates, one for OS X 10.6 Snow Leopard and another for OS X 10.7 Lion and OS X 10.8 Mountain Lion
- Latter removes Java plugin from all installed web browsers
- forcing users to download the latest version curated directly by Oracle
Facebook, Twitter, Apple hack sprung from iPhone developer forum
- iphonedevsdk.com, could still be hosting exploit attacks
- The Java “zero-day” exploit allowed the attackers to install a collection of malware on the Java-enabled computers of those who visited the site
- Site is still infected; do not visit
- iphonedevsdk.com is an example of a “watering hole” attack.
- These attacks compromise a site popular with a population of desired hacking victims, using security vulnerabilities to install code on the Web server hosting it, which injects attacks into the HTML sent to its visitors.
- The exploit was the source of the attack on Twitter that led to the theft of Twitter usernames and passwords, according to a source familiar with the attack, and was used to infect computers belonging to Apple engineers.
- Mobile developers who have used the forum in the last few months should check their systems for signs of malware.
DDoS Attack on Bank Hid $900,000 Cyberheist
- A Christmas Eve cyberattack against the Web site of a regional California financial institution helped to distract bank officials from an online account takeover against one of its clients, netting thieves more than $900,000.
- At approximately midday on December 24, 2012, organized cyber crooks began moving money out of corporate accounts belonging to Ascent Builders, a construction firm based in Sacramento, Calif. In short order, the company’s financial institution – San Francisco-based Bank of the West — came under a large distributed denial of service (DDoS) attack, a digital assault which disables a targeted site using a flood of junk traffic from compromised PCs.
- KrebsOnSecurity contacted Ascent Builders on the morning of Dec. 26 to inform them of the theft, after interviewing one of the money mules used in the scam. Money mules are individuals who are willingly or unwittingly recruited to help the fraudsters launder stolen money and transfer the funds abroad. The mule in this case had been hired through a work-at-home job offer after posting her resume to a job search site, and said she suspected that she’d been conned into helping fraudsters.
- Mark Shope, president of Ascent Builders, said that when the company’s controller originally went online on the morning of Dec. 24 to check the firm’s accounts, her browser wouldn’t let her access the bank’s page. She didn’t know it at the time, but her computer was being remotely controlled by the attackers’ malware, which blocked her from visiting the bank’s site.
- The money mule was just one of 62 such individuals in the United States recruited to haul the loot stolen from Ascent. Most of the mules in this case were sent transfers of between $4,000 and $9,000, but several of them had bank accounts tied to businesses, to which the crooks wired huge transfers from Ascent’s account; five of the fraudulent transfers were for amounts ranging from $80,000 to $100,000.
- Not long after putting through a batch of fraudulent automated clearing house (ACH) and wire transfers from Ascent’s accounts, the fraudsters initiated a DDoS attack against the bank’s Web site, effectively knocking it offline.
- It’s not clear what tactics or botnets may have been used in the DDoS attack, but the cyberheist+DDoS approach matches the profile of cybercrime gangs using the Gameover Trojan – a ZeuS Trojan variant that has been tied to numerous DDoS attacks initiated to distract attention from high-dollar cyberheists.
ShmooCon Firetalks 2013
iOS 6.1 hack lets users see your phone app, place calls
- Video of how to perform on youtube
- Gives access to recent calls, make calls and voicemail
- Apple is working on a fix; it will require a software update
- “Apple takes user security very seriously,” the company told CNET today. “We are aware of this issue, and will deliver a fix in a future software update.”
New Adobe Vulnerabilities Being Exploited in the Wild
Anonymous Planning Feb. 14 Attack on Goldman Sachs
- Stood up
Exploit Sat on LA Times Website for 6 Weeks
- The Los Angeles Times has scrubbed its Web site of malicious code that served browser exploits and malware to potentially hundreds of thousands of readers over the past six weeks.
- since at least December 23, 2012
- Initially denied by the LA Times, which said it was a problem with a Google ad server
- estimated about 18 million visitors visited the infected site.
Facebook computers compromised by zero-day Java exploit
- Facebook officials said they recently discovered that computers belonging to several of its engineers had been hacked using a zero-day Java attack that installed a collection of previously unseen malware.
- the attack did not expose customer data, and it was contained to the laptops of a small number of Facebook engineers.
- The attack was discovered when a suspicious domain was detected in Facebook’s Domain Name Service request logs.
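An added example (our own illustration, not Facebook’s tooling): the kind of DNS-log check that surfaces a detection like the one above. It compares today’s resolver log against a baseline of registered domains seen on earlier days and reports new domains that only one or two clients resolved, which is what a freshly dropped implant beaconing home looks like. The log format, the baseline and every sample line are constructed for the example.

```python
"""Flag domains a host resolved for the first time, the DNS-log signal
that exposed the intrusion at Facebook.

Added example, not Facebook's tooling: a baseline of registered domains
seen on earlier days is compared against today's resolver log, and new
domains resolved by only a handful of clients are reported. The log
format, the baseline and every sample line below are constructed.
"""
import re
from collections import defaultdict

# Constructed format: "<timestamp> <client-ip> <query-name> <query-type>".
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")


def registered_domain(qname):
    """Approximate the registrable domain as the last two labels.

    A real deployment would consult the Public Suffix List; two labels is
    wrong under suffixes like co.uk but keeps this example self-contained.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse resolver log lines; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def rare_new_domains(log_text, baseline, max_clients=1):
    """Return {domain: sorted clients} for domains absent from the baseline
    and queried by at most max_clients distinct clients."""
    clients_by_domain = defaultdict(set)
    for rec in parse_log(log_text):
        clients_by_domain[registered_domain(rec["qname"])].add(rec["client"])
    return {
        domain: sorted(clients)
        for domain, clients in clients_by_domain.items()
        if domain not in baseline and len(clients) <= max_clients
    }


# --- Constructed sample data (not real logs) -----------------------------
BASELINE_DOMAINS = {"example.com", "example.org", "example.net"}

SAMPLE_LOG = """\
2013-02-15T09:00:01Z 10.1.2.10 www.example.com A
2013-02-15T09:00:02Z 10.1.2.11 www.example.com A
2013-02-15T09:00:03Z 10.1.2.12 mail.example.org A
2013-02-15T09:00:04Z 10.1.2.10 example.org MX
2013-02-15T09:01:15Z 10.1.2.13 wiki.example.net A
2013-02-15T09:02:00Z 10.1.2.11 cdn.newservice.test A
2013-02-15T09:02:01Z 10.1.2.12 cdn.newservice.test A
2013-02-15T09:02:02Z 10.1.2.13 cdn.newservice.test A
this line is not a log record
2013-02-15T09:05:09Z 10.1.2.10 k8f2s.update-service.test A
2013-02-15T09:05:10Z 10.1.2.10 k8f2s.update-service.test AAAA
"""

if __name__ == "__main__":
    for domain, clients in rare_new_domains(SAMPLE_LOG, BASELINE_DOMAINS).items():
        print(f"new domain {domain} resolved only by {', '.join(clients)}")
```

The two conditions matter together: a new domain that a third of the fleet resolves is usually a new SaaS vendor, while a new domain that a single engineer’s laptop resolves twice in a minute is the thing to pull for a closer look.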
New Crimeware-as-a-Service Market Thriving
- First it was do-it-yourself malware and phishing toolkits, then it was specialized sites selling stolen FTP credentials and credit card accounts, and now it’s the next phase in cybercrime: crimeware as a service.
- cybercriminal organizations set up shop as service providers to other bad guys, offering them online, point and click criminal software as a service — often with customer service guarantees.
- With relatively less effort, they can get more money. Instead of collecting data and trying to sell it, which takes more time, they build a platform to do that, and can reach a wider audience that would like to commit these crimes.
- This lets other criminals who don’t want to install and update their own software or run their own malicious servers get their stolen information via a Web-based service that does the dirty work for them.
- According to the researcher quoted in the article, the operators of these services typically work in small groups of five to eight people in the U.S., Netherlands, Germany, Russia, and China. The servers are hosted in Asia, in China and Malaysia.
Cyber espionage campaign against the Uyghur community, targeting MacOSX systems
BSRT-2013-003 Vulnerabilities in BlackBerry Enterprise Server components that process images could allow remote code execution
OnRamp, A Free, Open Source Ad Server From OpenX, Gets Shut Down After Getting Besieged By Hackers
Trending malware / phishing
BlackBerry Spam with Backdoor
- This spammed message targets BlackBerry users.
- It is a notification asking the reader to download and open the attached .ZIP file for a full experience of their device.
- However, the said attachment contains a backdoor, detected by Trend Micro as BKDR_ANDROM.JWS.
- When users open the attachment, routines of the said backdoor are executed on the reader’s system.
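An added example (our own illustration, not Trend Micro’s detection logic): a Python triage script for the delivery pattern above, a spam message with a ZIP attachment whose member is really an executable. It parses the message, opens any ZIP attachment, and flags members with an executable or document-looking double extension, a PE header, password protection, or an extreme compression ratio. The message, the archive and the fake “PDF” inside it are constructed in the script so it runs offline.

```python
"""Triage e-mail attachments for archives that carry an executable, the
delivery pattern of the BlackBerry-themed spam described above.

Added example, not Trend Micro's detection logic: the message, the ZIP
and the fake "PDF" inside it are constructed here so the script runs
offline.
"""
import email
import email.policy
import io
import zipfile
from email.message import EmailMessage

EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".jpg", ".txt"}
PE_MAGIC = b"MZ"


def inspect_member(archive, info):
    """Return the reasons a ZIP member looks dangerous (empty if none)."""
    reasons = []
    parts = info.filename.lower().rsplit("/", 1)[-1].split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {ext}")
    if len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXTS:
        reasons.append("document-looking double extension")
    if info.flag_bits & 0x1:
        # Password-protected members hide from scanners; do not try to read them.
        reasons.append("encrypted member")
    else:
        with archive.open(info) as member:
            if member.read(2) == PE_MAGIC:
                reasons.append("PE header (MZ)")
    if info.compress_size and info.file_size / info.compress_size > 100:
        reasons.append("suspicious compression ratio")
    return reasons


def triage_message(raw):
    """Parse a raw RFC 822 message and report dangerous ZIP members."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if not payload:
            continue
        buf = io.BytesIO(payload)
        if not zipfile.is_zipfile(buf):
            continue
        with zipfile.ZipFile(buf) as archive:
            for info in archive.infolist():
                reasons = inspect_member(archive, info)
                if reasons:
                    findings.append({"attachment": part.get_filename(),
                                     "member": info.filename,
                                     "reasons": reasons})
    return findings


# --- Constructed sample message (not the real spam) ----------------------
def build_sample_message():
    """Build a spam-style message with a ZIP holding a fake PDF that is a PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("BlackBerry_Update.pdf.exe", PE_MAGIC + b"\x90" * 64)
        archive.writestr("readme.txt", b"Open the update to enjoy the full experience.")
    msg = EmailMessage()
    msg["From"] = "support@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Your BlackBerry ID update"
    msg.set_content("Please download and open the attached ZIP file.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="BlackBerry_Update.zip")
    return bytes(msg)


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

Feed `triage_message` the raw bytes of a quarantined message; the `readme.txt` member produces no finding, while the double-extension PE is reported with all three reasons.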
Key Figure in Police Ransomware Activity and 10 of His Buddies Arrested
- Ransomware is a nasty scam that infiltrates your computer and tricks you into thinking that you’ve done something wrong.
- Police ransomware in particular informs users that they need to pay their local police a fine.
- The apparent arrest of this cybercriminal of Russian origin occurred in Dubai, United Arab Emirates.
- The law enforcement authorities are working to extradite him to Spain for prosecution. Along with his arrest, the operation included the arrests of 10 other individuals tied to the money laundering component of the gang’s operations, which managed the monetization of the PaySafeCard/UKash vouchers received as payment in the scam.
- The gang apparently had a branch in Spain that exchanged these vouchers and converted them into actual money, which would then be transferred to the leaders of the gang in Russia.