Sunday, December 27, 2015

Issue 44 - Week of Dec 21st


1. What a year in security 2015 was: The biggest security stories of 2015 include major cyberespionage groups being uncovered, the most embarrassing data breach in history, an unbelievable Android flaw, and incredibly stupid decisions from two major PC makers. The top 10 are:
a. Ashley Madison: Hackers were able to breach the infidelity service and steal sensitive data on many of its users.
b. VTech: Suffered a major data breach, losing the data records of millions of children and their parents.
c. OPM hack: The Office of Personnel Management lost millions of sensitive data records of federal employees.
d. Hacking Team: The surveillance company lost 400GB of data, exposing sensitive company information and the previously unknown vulnerabilities it was using.
e. Super fishy security: Dell and Lenovo both shipped trouble: Dell added a root certificate that allows impersonation of any site, while Lenovo's Superfish left users vulnerable.
f. Encrypt everything, but leave the back door open: Governments want backdoors, but a backdoor is something hackers can capitalize on too. The industry vs. government debate continues.
g. Android gets stage fright: Hackers can just send an MMS to any Android phone and hack it.
h. Flash crash: When Flash vulnerabilities became public, Mozilla blocked Flash, Facebook called for Flash's end of life, Amazon dropped it for ads, and YouTube switched its default to HTML5 video instead of Flash. Even if Adobe doesn't kill Flash, the web will.
i. LastPass breach: Browser-based password manager LastPass dealt with a major breach and asked all of its users to reset their master passwords.
j. Tor hacking: It is believed that the FBI paid Carnegie Mellon researchers at least $1 million to hack users on the Tor network in order to reveal their true identities.

2. 2015 Ransomware Wrap-Up:
a. Pacman: The most highly targeted ransomware attack; the Pacman ransomware only went after Danish chiropractors. The malware was also very difficult to remove.
b. Tox: Tox was the first to offer ransomware as a service. It offered a free toolkit, but the site hosting the ransomware takes a 20 percent cut of the profits.
c. Chimera: Chimera, also ransomware-as-a-service, takes a 50 percent cut of the profits and tries to recruit its victims as new ransomware operators.
d. CryptoWall 2.0: Used Tor for command-and-control traffic and could execute 64-bit code from its 32-bit dropper.
e. CryptoWall 3.0: Spread mostly through exploit kits and made $325 million in extortion payments.
f. Cryptowall 4.0: Spread by the Nuclear and Angler exploit kits; steals passwords before encrypting files.

3. Good guys hacking - 8 Coolest Hacks Of 2015:
a. Chrysler Jeep hack: Hackers remotely controlled a car on a highway by killing its ignition; Chrysler recalled 1.4 million vehicles to fix the bug.
b. Non-smart cars hackable too: Researchers inserted rogue devices into two police vehicles to reprogram the cars' electronic operations and attack them via mobile devices.
c. Gun hack: A husband and wife team in August demonstrated how they were able to hack a long-range, precision-guided rifle.
d. Car wash hack: The web interface of a popular car wash had weak passwords that allowed an attacker to hijack its functions to wreak physical damage or score a free wash.
e. Gas gauge hack: Gas tank monitoring systems at US gas stations have no password protection, making them vulnerable to attacks that disrupt fuel tank operations.
f. Globalstar hack: A researcher was able to intercept Globalstar satellite data because it was not encrypted; Globalstar has, however, dismissed this work.
g. GM OnStar hack: A kit called Ownstar makes it possible to track, remotely unlock and start the engine of GM vehicles that run the OnStar connected car system.
h. Other cool stuff: DEF CON this year launched its first IoT Hacking Village; everything from Apple network storage, toys, blood pressure monitors, Fitbits, and fridges fell to white-hat hackers there.

4. 87 percent of employees take data they created with them when they leave the company: According to a recent survey, most employees believe they own their work, and take strategy documents or intellectual property with them as they head out of the door. The biggest driver is a sense of ownership: 59 percent of them felt the data was theirs, while 77% thought the information would be useful in their new job. The common methods used to take data were flash or external drives, personal email accounts, hard copies and Dropbox. None of the respondents believed their actions would harm the company. Security teams have some control over data when an employee is being laid off, but when employees leave voluntarily there is hardly any control. To a large extent this can be prevented by using technologies that monitor user behavior -- such as behavioral analytics and data exfiltration monitoring -- together with regular security awareness programs.

5. Oracle settles with the FTC over 'deceptive' Java security promises: Oracle acquired Java in 2010 and has been aware of its security issues. It promised customers that updates would keep users' systems safe, but in reality those updates removed only the most recent prior version of the software, leaving older ones intact -- and vulnerable to attacks. Oracle will now be required to notify consumers during the Java SE update process if they have outdated versions of the software on their computer, notify them of the risk of having the older software, and give them the option to uninstall it. In addition, the company will be required to provide broad notice to consumers via social media and its website on how consumers can remove older versions of the software.
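The practical check a Windows administrator wants after reading this item is whether a machine still carries more than one Java release. The following PowerShell script is an added example written for this newsletter, not code from Oracle or the FTC settlement; it reads the standard Windows uninstall registry keys (32- and 64-bit views) and flags any older Java version that sits beside the newest one. The name and publisher filters are assumptions about how Oracle's installers label themselves and may need adjusting.

```powershell
# Added example: enumerate installed Java releases from the Windows uninstall
# registry keys and report leftover older versions. Read-only; nothing is removed.
# Assumptions: DisplayName starts with "Java" and Publisher starts with "Oracle".

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledJava {
    # Each uninstall key is one installed product; keep only Oracle Java entries.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' -and $_.Publisher -like 'Oracle*' } |
        Select-Object DisplayName, DisplayVersion, InstallDate, UninstallString
}

function Get-StaleJava {
    param([object[]]$Installs)
    # Parse DisplayVersion as a [version] so "8.0.660.18" sorts after "8.0.65.17".
    $sorted = $Installs | Sort-Object { [version]$_.DisplayVersion } -Descending
    $newest = $sorted | Select-Object -First 1
    # Everything that is not the newest release is a leftover the update left behind.
    $sorted | Where-Object { $_.DisplayVersion -ne $newest.DisplayVersion }
}

$installs = @(Get-InstalledJava)
Write-Host "Installed Java releases: $($installs.Count)"
$installs | Format-Table DisplayName, DisplayVersion, InstallDate -AutoSize

if ($installs.Count -gt 1) {
    Write-Host "Older versions still present (candidates for removal):"
    Get-StaleJava -Installs $installs |
        Format-Table DisplayName, DisplayVersion, UninstallString -AutoSize
} else {
    Write-Host "No leftover Java versions found."
}
```

Run it from an elevated prompt so both registry views are readable; the UninstallString column gives the command each leftover entry's own installer expects for removal, which is safer than deleting directories by hand.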

6.       Online broadcaster Livestream suffers possible database breach: Live video streaming platform Livestream has discovered that an unauthorized person may have accessed its customer accounts database. The database holds information such as a user's name, email address, an encrypted version of their password, as well as phone numbers and the customer's date of birth. Livestream has issued a warning to users to update their passwords.

7.       Millions of Hello Kitty fans' data exposed by database hack: A database used by Hello Kitty fans has reportedly been found online after servers were hit last month. As many as 3.3 million records are said to be in the database. It's not immediately clear where the database was leaked to, or if the database can be verified for authenticity. The Hello Kitty toy brand has a major sway in far eastern Asian countries, particularly Japan where it was invented. Its parent company Sanrio generates more than $7 billion in revenue from the brand alone.

8. Yellow Alert Sounded For Juniper Vulns, Feds Called In: The infosec alert level for the Juniper backdoors was bumped to yellow last week after two critical vulnerabilities rocked the infosec world. As the industry scrambles to fill these gaping holes in Juniper's ScreenOS platform, news continues to trickle in that FBI officials are investigating potential nation-state actions that led to the insertion of an authentication backdoor (whose password is now public) that impacts tens of thousands of devices on the Internet. This fiasco is a major blow to the government's backdoor rhetoric and a shining example of why backdoors are bad.

9.       Yahoo now warns users if they're targets of state-sponsored hackers: The web giant is the latest firm, behind Google, Facebook, and Twitter, to warn users of state attacks. In order to prevent the hackers from learning about Yahoo's detection methods, Yahoo will not share any details publicly about these attacks.

10. After UP, Maharashtra leads India in cybercrime: In India, the rising cases of hacking, cyber bullying, IP spoofing and credit card fraud have always kept cyber security teams on their toes. As per a recent report, 3,049 people were put behind bars for committing cybercrime during 2010-2014. Mumbai, being the financial capital, has seen a 295 per cent increase in cybercrime. Credit card fraud tops the list, with hackers using various methods such as rigged ATM machines, skimming devices at POS, phone and email frauds and duplicate websites. The good news is that banks are getting smarter by issuing EMV cards (chip-and-PIN credit cards). Banks are also looking at contactless credit cards with NFC (Near Field Communication) and RFID technology, which do not require swiping the card, thereby lowering the chance of any data leakage.



Sunday, December 20, 2015

Issue 43 - Week of Dec 14th

1. J.P. Morgan, Bank of America, Citibank And Wells Fargo Spending $1.5 Billion To Battle Cyber Crime: There's a showdown going down between a global network of cyber criminals and the world's largest corporations, governments and cybersecurity companies. Insurance companies estimate the annual cost of cyber-attacks to be more than $500 billion. The BFSI sector has been the prime target of cyber criminals over the last five years, followed by IT/telecom, defense, and the oil and gas sector. JPMC expects its cybersecurity spending to be around $500 million in 2016, while Bank of America will spend $400 million, Citibank $300 million and Wells Fargo $250 million. That's roughly $1.5 billion in cybersecurity spending by these 4 companies. The U.S. financial services cybersecurity market is $9.5 billion, making it the largest non-government cybersecurity market in the world. The worldwide financial services cybersecurity market is estimated at $16 billion.

2.       Chinese hacker Steals $170,000 by hacking airline website and offering ticket booking: A 19-year-old man in Dalian, China has been arrested by the police after he was caught hacking into an airline’s website, stealing booking information from 1.6 million ticket orders, and ripping off hundreds of travelers. Using the information, the teen went on to make hundreds of fraudulent transactions and pocketed $170k. It took the airline three weeks to notice the data breach. A police officer said the hack was a result of a loophole in the airline’s computer system and was not highly sophisticated.

3. Xbox Live downed after threats; hacker group takes responsibility: Hackers from the Phantom Squad are said to have launched a distributed denial-of-service (DDoS) attack against the Microsoft gaming network. In a tweet, the hacker group said Xbox maker Microsoft and rival Sony-owned gaming network PSN don't "bother working on security" despite their "millions of dollars." Last year, the infamous Lizard Squad launched a series of network attacks against Xbox Live and Sony's PSN network. The attacks were so ferocious and long-lasting that new and existing gamers during the Christmas holidays were unable to log in for hours or even days at a time, drawing ire from the international gaming community.

4. The Ghosts of Technologies Past will Come Back to Haunt Us: Just as it takes continual effort to keep the Golden Gate Bridge or the Taj Mahal in its famous hue, maintenance of the broader IT infrastructure is an ongoing task that requires continual vigilance and effort. However, unlike a bridge or monument, IT infrastructure continues to grow and expand in depth and criticality, requiring increasing resources just to maintain the status quo. In essence, with every passing day, IT managers have to work harder just to stay in the same place...and that's a problem. As our infrastructure ages, the challenges posed by connected technology that has become obsolete will grow; for example, once-robust algorithms such as MD5 and SHA-1 have now become vulnerable to attack.

5.       Over 650 terabytes of data up for grabs due to publicly exposed MongoDB databases: There are at least 35,000 publicly accessible and insecure MongoDB databases on the Internet, and their number appears to be growing. Combined they expose 684.8 terabytes of data to potential theft. This is the result of a scan performed over the past few days. Millions of user accounts from various apps and services, including 13 million users of the controversial OS X optimization program MacKeeper stand exposed.

6. Torrent websites infect 12 million users a month with malware: If you visit torrent search websites to pirate software, the risk isn't only legal but also malware. Almost a third of the 800 main torrent search websites online today regularly serve their visitors malware, most of them through malvertising. Malware is also found in torrented content. In one example, a pirated copy of the game Fallout 4 served malware to a gamer, resulting in the theft of their bitcoin savings, worth approximately $2000. Exploits, Remote Access Trojans (RATs), adware, ransomware and botnets were all discovered, any of which could lead to the theft of sensitive data or system surveillance.

7. Russian hacking group sharpens its skills: The APT 28 group targets political figures and telecom and aerospace companies, and has developed new ways of attacking, according to researchers. The primary targets of the group are in countries such as Ukraine, Spain, Russia, Romania, the US and Canada. They primarily use three attack vectors to infect targets: spear phishing e-mails with crafted Word and Excel documents attached, phishing websites hosted on typosquatted domains, and malicious iFrames leading to Java and Flash zero-day exploits. The hacking group also takes advantage of several newly discovered zero-day exploits, relying on the fact that not everyone installs security updates immediately after they are published.

8. Data Theft Prevention (DTP) Crosses the Chasm: Chances are, data about you was leaked or stolen in 2015. The variety of industries targeted by attackers in 2015 is unprecedented: 177 million data records were stolen in 750 reported breaches. Because data has value to criminals, they have spread their attacks to steal data much more widely than ever before. From retail pharmacy and the broader healthcare and insurance industries, to university systems and financial service companies, and even to attacks against prominent security companies: data is money to attackers, and in 2015 they made a lot of money from stolen data. The assumption that "we are already compromised" is beginning to pervade the security profession, and the prediction is that DTP adoption will dramatically increase in more mainstream companies.

9. NASSCOM task force considering corporate cyberattack disclosure: The technology industry in India is working on a comprehensive cybersecurity plan, which includes asking companies to share information about online breaches and the methods employed to deal with them, to help the larger community take better decisions about investing resources against cyber-attacks. Most corporates do not want to disclose that they got hacked, but at least a disclosure of the actions companies have taken to protect themselves, in terms of staffing, funding and action, will help prevent similar issues from recurring elsewhere. A similar decision was taken in 2012 but it never saw the light of day. Last week, NASSCOM also discussed the need for India to become self-reliant in cybersecurity technologies and the need to have more trained professionals in the country engaged in cybersecurity.

10. Comcast customers targeted in sophisticated malvertising scheme: Comcast ISP customers need to watch out for a new malvertising campaign specifically designed to install ransomware on their machines or hook them through fake tech support. The ad in question is for a review site called SatTvPro[.]com (now down), which appeared on Comcast Xfinity's search page and quietly loads the Nuclear exploit kit. Daily Motion, Daily Mail and Yahoo are other recent victims of the same kind. Some Comcast customers would also see a phishing website designed to look like the Xfinity portal, warning that their system may have been breached. The message reads: "Comcast's security plugin has detected some suspicious activity from your IP address. Some Spyware may have caused a security breach at your network location. Call Toll Free 1-866-319-7176 for technical assistance." In this tech support scam, if visitors end up calling the number, the scammers could persuade them to hand over their account details.

Sunday, December 13, 2015

Issue 42 - Week of Dec 7th

1. Daily Motion served Angler exploit kit to visitors, over 128 million users placed at risk: Popular streaming website Daily Motion has become the latest victim of malicious advertisements (malvertising) and has delivered malware payloads to potentially millions of visitors. The hacker bought ad space on the Daily Motion website and placed a decoy ad that initiates a series of redirections and ultimately loads the Angler exploit kit. The bogus advertiser used a combination of SSL encryption, IP blacklisting and JavaScript obfuscation to stay hidden. In addition, the Angler exploit kit fingerprints potential victims before launching its exploits, to ensure the user is not a security researcher, honeypot or web crawler. This case is a reminder that any legitimate website can become an attack vector, as Yahoo did in the past.

2. Business E-Mail Compromise (BEC) - An Emerging Global Threat: The accountant for a U.S. company recently received an e-mail from her CEO, who was on vacation, requesting a transfer of funds for a time-sensitive acquisition that required quick completion. It was not unusual for the accountant to receive such emails from the CEO, so she went ahead and made the transfer of $737,000 to a bank in China. The next day, when the CEO happened to call, he was shocked to learn about the transfer and the alleged acquisition. Earlier this year the FBI reported that such scams cost victims more than $750 million and impacted more than 7,000 people between Oct 2013 and Aug 2015, and these scams are still ongoing.

3. Content Theft Websites Delivering More Than Just Content: In the dark reaches of the Internet are thousands of sites that offer users stolen entertainment content for free. This content is used as bait to lure users, with malware delivery being the objective. The malware may or may not require user interaction. The malware need not be high-end zero-day exploits; it could be known exploits leveraging unpatched systems. Such sites are paid by malware advertising agencies at the rate of about 10-20 cents per malware install. No free meals indeed!

4. Spy Banker Trojan Being Hosted On Google Cloud: The Trojan is spreading through Brazil via malicious links posted on social networks. The hackers are using Google Cloud servers to host the initial Spy Banker downloader Trojan, which in turn installs the payload (dropper file). The lures used on social media range from coupon vouchers to free AV software applications. The Trojan has some stealthy capabilities: although it is designed to steal banking passwords, one of the first things it does is check the machine for the presence of a virtual environment.

5.       Hello Barbie toy security issues disclosed and fixed quickly: With the recent VTech breach exposing millions of parents and children to risk, there is increased sensitivity and awareness around the security of Internet-connected toys this holiday season. Last week, researchers revealed flaws in the Hello Barbie connected toy manufactured by ToyTalk. The good news, though, is that the issues were responsibly disclosed and ToyTalk acted quickly to remediate them. ToyTalk now also has a bug-bounty program. Hello Barbie is an interactive device that makes use of WiFi to listen and respond to a child's voice.

6. .Cyber and .Criminal are Coming for Your .Money and .Computer: We are all accustomed to the old Internet of .com, .co.in, .edu, .gov, .net, .org, and .info. With the implementation of the expanded new generic top level domains (gTLDs) by ICANN, we will now need to get accustomed to many new URLs ending in .club, .xyz, .guru, etc. This will only increase in frequency, because as of November 2015 the number of new gTLDs available is over 800. A quick look at the new approved and delegated TLDs listed by ICANN reveals both big brands (.Tatamotors, .bmw) and common words used by everyday consumers (including .car, .wine, .mom, .family). Attackers are often early adopters of new opportunities and will rapidly colonize new avenues of attack, including new domains.

7. Microsoft warns of possible attacks after Xbox certificate leaked: The private keys for xboxlive.com were "inadvertently disclosed," Microsoft said, and could be used to impersonate the Xbox Live website and carry out a so-called "man-in-the-middle" attack, which allows the attacker to intercept the website's secure connection. This could trick Xbox users into handing over their username and password, potentially leading to further attacks on the user. The company has revoked trust in the certificate; for all supported versions of Windows this is more often than not an automatic process, and users do not have to take any action.

8. Cyber Insurance Moves Toward "Must Have" and "Evidence Based": 2015 was a tough year for breaches and the trend for 2016 looks to be no better. Against this backdrop is the gradual realization within corporations that the value of their company's data is a large part of corporate assets, and a huge potential cost during a cyber-event. Indeed, for some information-centric companies, a data breach can be the largest single risk to business continuity, especially when considering the potential for downstream liability from loss of PII. Such losses involve not only data related to customers but also data related to employees. Over time, cyber insurance will drive improvements in company security posture to better handle threats.

9. FBI Tweaks Stance On Encryption BackDoors, Admits To Using 0-Day Exploits: It seems the Bureau has backed off the idea of a "government backdoor" per se, as long as technology companies themselves can still access customers' data (and thus surrender it to law enforcement when legally subpoenaed). The FBI also admitted to using 0-day exploits for public safety. In India, the government's draft encryption policy, unveiled in September, was booed off stage because it sought to weaken standards rather than boost them. It had heavy-handed specifications on encryption algorithms, mandatory registration of encryption products, and the retention of unencrypted user information for 90 days. Now, as the government reworks its stand on encryption, it can take global opinion into account, learn from others' mistakes, and keep in mind that undermining security standards just leaves everyone vulnerable.


10. 49% of CIOs feel budget hampers Information Security operations: 49% of CIOs feel that budget constraints are the main obstacle challenging Information Security operations, followed by a lack of skilled labor, says EY's Global Information Security Survey 2015, 'Creating trust in the digital world'. 65% of respondents from more than 200 Indian organizations believe their information security structure does not fully meet the organization's needs.


Sunday, December 6, 2015

Issue 41 - Week of Nov 30th

1. Chennai Rains: Attackers frequently see large events as an opportunity to launch cyber-attacks on a curious population; these events are used as effective lures. People are exposed to information on social media and often have to wade through rumors, and hackers exploit this. In the past, hackers have used major crises to spread malware, as they did during the Boston Marathon blast in 2013. The Chennai rains offer a ripe opportunity to hackers, and one needs to take precautions before opening any email or clicking on any URL. The US elections are another such event that hackers may exploit!

2. Vtech hack: Hong Kong-based children's toy company Vtech announced it was hacked last week. 6.4 million children's accounts and 4.9 million parental accounts were accessed. The hack exposed general user profile information including name, email address, encrypted password, secret question and answer for password retrieval, IP address, mailing address and download history. The company confirmed on its website that no credit card information or personal identification data was lost. The hack occurred on 14th Nov 2015. The company discovered the breach, after being contacted by a journalist, 10 days later on the 24th Nov. Customers were informed on 27th Nov.

3.       Hacker leaks customer data after UAE bank fails to pay ransom: A hacker who broke into a large bank in the United Arab Emirates made good on his threat to release customer data after the bank refused to pay a bitcoin ransom worth about $3 million. The hacker, who calls himself Hacker Buba, breached the network of a bank in Sharjah last month and began releasing customer account and transaction records via Twitter. Although Twitter closed the account, the hacker opened a new one and released the account statements.

4. Gambling darling Paysafe confirms 7.8 Million customers hit in hacks: The newly-branded Paysafe Group confirmed in a London Stock Exchange announcement that information related to 3.6 million Neteller accounts and 4.2 million Skrill users was leaked. Paysafe Group lists itself as a British online payments company, with Neteller and Skrill being its subsidiaries. The Neteller attack involved the exploit of a vulnerability in the Joomla content management system, whilst the Skrill breach saw a VPN, designed to provide secure access to the firm's network, hacked and a transaction database accessed.

5. New Windows ransomware steals passwords before encrypting files: Several badly secured websites are being used by hackers to redirect visitors to sites that are hosting the notorious Angler exploit kit. A mere visit to such a site installs the exploit kit without the user's knowledge, and the exploit kit then delivers the payload (Cryptowall 4) to the system. Before Cryptowall encrypts the machine, the hackers systematically harvest all usable usernames and passwords from the infected system and send them to servers they control. This gives the hackers working logins for websites, e-commerce sites, and even corporate applications, from which they can steal further data. We discussed Cryptowall 4 last week.

6. JD Wetherspoon loses data of over 650,000 customers in cyber-attack: In an email to customers sent last week, the food and drink chain said the firm's website had been hacked between 15th and 17th June this year, resulting in the potential loss of customer data including names, dates of birth, email addresses and phone numbers -- as well as a small number of credit card records. However, it is laudable that the company went public with the news quickly after it was told about the breach on 1st December.

7.       Pickpocketing the Mobile Wallet: Mobile wallets and new payment technologies will introduce additional opportunities for credit card theft and fraud. Hacks targeting mobile devices and new payment methodologies will impact payment security more than EMV (Chip and PIN Credit card). The increase in non-traditional payment methods on mobile devices or via beacons (a system to allow retailers to detect a mobile app user’s presence in the store) and smart carts will open up the doors for a new wave of retail data breaches.

8. Anonymous leaks Paris climate summit officials' private data: Hackers have leaked the private login details of nearly 1,415 officials at the UN climate talks in Paris in an apparent act of protest against arrests of activists in the city. They hacked the website of the summit organizers, the UN Framework Convention on Climate Change (UNFCCC), and posted names, phone numbers, usernames, email addresses, and secret questions and answers onto an anonymous publishing site. The damage is likely to be limited, and can be mitigated by changing the passwords on any other accounts of the officials that use similar passwords.

9.       Over 50,000 cyber security incidents reported in India this fiscal: As many as 54,483 cyber security incidents such as phishing, spam and malicious code have been reported in the current financial year, Parliament was informed last week by the Communications and IT Minister. These incidents were reported to the Indian Computer Emergency Response Team (CERT-In) by various Indian organizations, individuals and agencies from other countries.


10. Chimera Ransomware tries to turn malware victims into Cybercriminals: Chimera ransomware is taking victims hostage, then trying to recruit them to be part of the criminal team. Compared to other ransom messages, Chimera's is brief, straightforward, and polite: it says 'please' twice and invites the victims with the message 'Take advantage of our affiliate program!'. The hackers are trying to build a ransomware-as-a-service (RaaS) business and are offering a 50% commission for spreading and infecting other victims. This malware first appeared in September with a unique tactic of threatening to publish the victim's files online if payment is not received. In Issue 38, we discussed a similar model from CryptoLocker.

Sunday, November 29, 2015

Issue 40 - Week of Nov 23rd

1. The Target breach, two years later: It was exactly 2 years ago that Target was hacked, and even today it remains the most significant breach in history because it was the first time the CEO of a major company was fired because of a data breach. Target says it has since taken a number of actions to repair and improve its security posture: the retailer brought in new senior leadership with cybersecurity know-how, rolled out EMV-compliant POS terminals in all of its stores (the ones that accept chip and PIN), and made several changes to the network and its structure. Until recently, organizations would not take security seriously until they had a breach, but this is now slowly changing, with several of them taking proactive measures.

2. RSA warns of zero detection Trojan: Zero-day vulnerabilities and zero detection malware threats continue to trouble cyber security professionals worldwide. Last week RSA announced the discovery of GlassRAT, a zero detection malware that has been around for more than 3 years. RSA also presented evidence that GlassRAT's command and control (C2) infrastructure has some historical overlap with other malware campaigns that have previously targeted Asia-based organizations. The malware comes with reverse shell capabilities and allows for data exfiltration, file transfer, process listing, and other typical RAT capabilities. It is also known to have used the trademarked icon of Adobe Flash Player and to have been named "Flash.exe" in the past.

3. Stealthy ModPOS is 'Most sophisticated PoS malware' ever: Researchers are warning retailers about ModPOS malware in their systems that is nearly impossible to detect and can do a whole lot more than just scrape customers' credit card data. ModPOS is modular. In addition to the PoS card scraper module, it has a keylogger, an uploader/downloader (with which it could add other pieces), and plug-ins for scraping credentials and gathering local system and network information. The malware is able to stay persistent and obfuscated because every module is a rootkit (it operates in kernel mode).

4. Nuclear Exploit Kit Spreading Cryptowall 4.0 Ransomware: All earlier versions of Cryptowall were spread through spam and phishing emails; last week researchers found that, for the first time, Cryptowall 4.0 has been infecting machines via an exploit kit. The move to Nuclear won't be exclusive; the industry expects other exploit kits, including Angler, to eventually redirect compromised sites their way. Attackers will continue moving Cryptowall 4.0 via spam as well.

5. United Airlines waits 6 months to patch critical flaw submitted to bug bounty program: A security researcher found and reported a critical vulnerability to United Airlines that could allow an attacker to “completely manage any aspect of a flight reservation using United’s website.” He claims United Airlines, which announced a bug bounty program about six months ago, didn’t deploy a fix for five months and only plugged the holes after he threatened to publicly disclose the unpatched vulnerability. 

6. Blackhole Exploit Kit makes a comeback: The once-popular Blackhole exploit kit has returned, attempting to infect using old exploits but also showing signs of active development. The return of Blackhole suggests that cyber-criminals may be reusing the code (many criminals do not reinvent the wheel); they use older infrastructure and build on top of it. Exploit kits are software programs used by cyber-criminals to infect victims and install malicious software (a dropper file). They are a basic building block for creating botnets and infecting users' systems to steal information.

7. Starwood and Hilton suffer data breaches: Starwood Hotels and Resorts is investigating data breaches at 54 locations. Malware infected point-of-sale systems at all 54 locations. The attackers gained access to credit card information, including cardholder name, card number, security code and expiration date. In a separate incident, Hilton publicly disclosed last week that it was hit by a cyber-attack and noted that unauthorized malware targeted payment card information at its Worldwide hotels. It's not uncommon for attackers to use the same malware and tactics across entities within the same industry, as most of them use very similar software with similar vulnerabilities.

8. Dell acknowledges security hole in new laptops: Last week, Dell said that a security hole exists in some of its recently shipped laptops that could make it easy for hackers to access users' private data. The flaw is being compared to Superfish (adware preinstalled on Lenovo computers earlier this year). The flaw: Dell PCs were found to have the eDellRoot certificate and its private key preinstalled, and worse, they were the same across all of Dell's affected laptops. Using this, anyone could launch a man-in-the-middle attack and redirect browser traffic to spoofs of real websites.

9. CISO forum in India: In a hall full of CISOs of key Indian private companies during an event in Chandigarh, many of the CISOs present did not know which government authority needs to be approached in case of a cyber-attack. A few mentioned that they would approach the Indian Computer Emergency Response Team (CERT-In), a few that they would go to the National Critical Information Infrastructure Protection Centre (NCIIPC), a few that they would go to the cyber police station in their city, while a few were of the opinion that they would go to the local police station. One of the CISOs narrated an interesting situation in which the local police demanded a photograph of the data that was stolen. :-)

10. Indian hackers deface Pakistani websites on 26/11 anniversary: Underground Indian hacking groups launched an attack on Pakistani websites on the seventh anniversary of the 26/11 Mumbai attacks. Cybercrime experts claim several hacking groups carried out a mass defacement operation on key Pakistani websites to pay "homage to the martyrs of 26/11 terror attacks". Recently, the hacking group Mallu Cyber Soldiers claimed to have hacked several Pakistani websites and servers to avenge Pakistani attacks.

Sunday, November 22, 2015

Issue 39 - Week of Nov 16th

1.       Following Paris attack, Clinton tells Silicon Valley to be a team player: Hillary Clinton wants Silicon Valley to stop being so stubborn. That's the message from the Democratic front-runner in the US presidential race following the attacks in Paris last week that renewed debate about technology's role in terrorism. Clinton told the tech industry it can't simply ignore the federal government's need to track down extremists, and that tech companies should not view government as their adversary. Federal officials have repeatedly requested an option that wouldn't weaken encryption for everyone but would still make it possible for law enforcement to track potential foreign spies and violent extremists.

2.       Counter view: Tech group rejects push to let Govt. into encrypted data: In its first comments since the attacks, which killed at least 129 people and wounded hundreds more, the Information Technology Industry Council (ITI) argued that ensuring access to encrypted devices would be ruinous for global security. "We deeply appreciate law enforcement's and the national security community's work to protect us," said the ITI CEO in a statement. "But weakening encryption or creating backdoors to encrypted devices and data for use by the good guys would actually create vulnerabilities to be exploited by the bad guys, which would almost certainly cause serious physical and financial harm across our society and our economy."

3.       Dyre banking malware: Windows 10 and Edge browser now targets: The notorious Dyre banking malware has been updated to take on Windows 10 machines and hook its claws into the Edge browser. Dyre appeared on the cybercrime scene in July 2014 and quickly gained a reputation as a nasty piece of malware that aims to steal credentials. It has been found to target Salesforce users and banking customers. When a Dyre-infected user tries to open any banking site, the credentials are first stolen and then the malware tricks the user into calling a telephone number, where the person on the other end scams the victim.

4.       Crooks use old-school Conficker virus to infect police body cams: It is not surprising when Chinese phones come with pre-installed malware, but it is definitely surprising when police body cams come with pre-installed malware. The malware infects PCs physically connected to the body cams and spreads quickly across the network. Conficker was a major concern a few years ago, mostly for Windows devices. IoT vendors are driven by time to market, functionality, and pricing pressures, meaning they invest very little time, effort and money in IoT device security. This puts the onus of securing the devices, before and after installation, very much on the users.

5.       2015 has been a very successful year for hackers: The number of data records lost to hackers (in the first 10 months) is more than twice that of 2014. Researchers have now found that exploit kit activity is on a massive upswing and that the command and control (CnC) infrastructure behind these kits mushroomed last quarter. The cybercrime economy thrives on this infrastructure: hackers rent it for as low as $500/month and earn $80k in returns. Angler, Magnitude, Neutrino, and Nuclear are the 4 major exploit kit families, with Angler estimated to have 82% market share. If these patterns remain consistent, one can expect 2016 to be deadlier than 2015.

6.       A 23-year-old Windows 3.1 system failure crashed Paris airport: A Paris airport was forced to shut down earlier this month after a computer running Windows 3.1, a prehistoric operating system, crashed in bad weather. The system connected the weather bureau to ATC, and the crash grounded flights for several hours. Older / obsolete systems are likely to have several known vulnerabilities and remain prone to attacks and crashes, with rarely any support from the OEM.

7.       Thousands of sites infected with Linux encryption ransomware: We discussed this last week; now there are several reports of infections coming in from various parts of the world. Researchers say the ransomware is designed to infect Linux machines set up to host websites by exploiting vulnerabilities in the Magento e-commerce platform and various content management systems (CMSs). It is estimated that there are over 3000 infections, and the number will continue to rise. This infection does not depend on social engineering; it exploits a known vulnerability, and hence it is strongly encouraged to update any outdated software.

8.       HDFC bank to monitor ATM fraud transactions on a real-time basis: Almost everybody carries a smart phone today, and the location of the phone can easily be found out. The bank will be able to use this data and match it against the ATM location data. If the ATM card is being used at a location different from that of the phone, an alert will be raised. The bank's software can then either decline the transaction or seek a confirmation from the user before allowing the transaction. The bank is yet to lay down rules regarding the distance between the ATM where the transaction is taking place and the mobile phone.
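The matching rule described above is a distance check with a three-way outcome (allow, ask the cardholder to confirm, decline). The following is an added example of how such a rule can be implemented; it is not HDFC's code or any code from this newsletter. The 5 km and 100 km thresholds are assumptions (the article notes the bank has not yet fixed the distances), and the ATM and phone coordinates are constructed sample values.

```python
import math
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Tuple


class Decision(Enum):
    ALLOW = "allow"        # phone and ATM agree: let the withdrawal through
    CONFIRM = "confirm"    # ambiguous: ask the cardholder to confirm first
    DECLINE = "decline"    # phone is far from the ATM: refuse the transaction


@dataclass(frozen=True)
class GeoPoint:
    lat: float  # decimal degrees, north positive
    lon: float  # decimal degrees, east positive


def haversine_km(a: GeoPoint, b: GeoPoint) -> float:
    """Great-circle distance in kilometres between two points on Earth."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(a.lat), math.radians(b.lat)
    dphi = math.radians(b.lat - a.lat)
    dlam = math.radians(b.lon - a.lon)
    h = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(h))


# Assumed thresholds: the article says the bank has not yet fixed these distances.
CONFIRM_ABOVE_KM = 5.0    # within 5 km the phone is treated as "at" the ATM
DECLINE_ABOVE_KM = 100.0  # beyond 100 km the mismatch is treated as fraud


def decide(atm: GeoPoint, phone: Optional[GeoPoint],
           confirm_above_km: float = CONFIRM_ABOVE_KM,
           decline_above_km: float = DECLINE_ABOVE_KM) -> Tuple[Decision, Optional[float]]:
    """Compare the ATM location with the last known phone location.

    A missing phone fix (phone off, no consent, no signal) must not silently
    become an ALLOW, so it falls back to asking the cardholder to confirm.
    """
    if phone is None:
        return Decision.CONFIRM, None
    d = haversine_km(atm, phone)
    if d <= confirm_above_km:
        return Decision.ALLOW, d
    if d <= decline_above_km:
        return Decision.CONFIRM, d
    return Decision.DECLINE, d


# Constructed sample locations (approximate city-centre coordinates).
ATM_MUMBAI = GeoPoint(19.0760, 72.8777)
PHONE_NEARBY = GeoPoint(19.0800, 72.8800)       # a few hundred metres away
PHONE_NAVI_MUMBAI = GeoPoint(19.0330, 73.0297)  # across the harbour, about 17 km
PHONE_PUNE = GeoPoint(18.5204, 73.8567)         # about 120 km away
PHONE_DELHI = GeoPoint(28.6139, 77.2090)        # more than 1000 km away

if __name__ == "__main__":
    for label, phone in [("nearby", PHONE_NEARBY), ("Navi Mumbai", PHONE_NAVI_MUMBAI),
                         ("Pune", PHONE_PUNE), ("Delhi", PHONE_DELHI), ("no fix", None)]:
        decision, km = decide(ATM_MUMBAI, phone)
        shown = "n/a" if km is None else f"{km:.1f}"
        print(f"{label:12s} -> {decision.value:8s} ({shown} km)")
```

The middle band matters: a phone that is 20 km from the ATM may simply have been left at home, so an outright decline would generate false positives, while a silent allow would throw away the signal. Routing that band, and any transaction where no phone location is available, to a cardholder confirmation keeps the check useful without locking legitimate users out.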

9.       Indian hackers target Pak Govt. entities: Two India-based hacking groups attacked defense and government establishments of Pakistan and some West Asian countries last month. The attacks took the form of spear phishing, where an email with an attachment or link is sent to targeted individuals to gain unauthorized access to confidential data; the links used were those of spoofed news agency websites, to attract clicks. These APT attacks were targeted only at Govt. agencies.


10.   Spy firm publishes price list for secret hacker techniques: The buying and selling of secret hacker techniques known as "zero day exploits" has long taken place in the dark, hidden from the companies whose software those exploits target and from the privacy advocates who criticize the practice. But one zero-day broker is taking the market for these hacking techniques into the open, complete with a full price list. See below. In related news, a different firm, the one that paid $1M for the latest Apple hack, is also in the business of selling zero-day exploits.

Sunday, November 15, 2015

Issue 38 - Week of Nov 9th

1.       U.S. charges three Israelis in huge cyber-fraud targeting JPMorgan, others: U.S. Attorney Preet Bharara in a press conference last week unveiled criminal charges against the three men accused of running a sprawling hacking and fraud scheme that included a huge attack against JPMC and generated hundreds of millions of dollars of illegal profit.  This fraud is described as a vast, multi-year criminal enterprise centering on hacks of at least nine big financial and publishing firms and the theft of information on 100 million of their customers that fueled a web of stock manipulation, credit-card fraud and illegal online casinos. From 2012 to mid-2015, the suspects and their co-conspirators successfully manipulated dozens of publicly traded stocks, sent misleading pitches to clients of banks and brokerages whose e-mail addresses they’d stolen, and profited by using trading accounts set up under fake names, prosecutors said.

2.       Linux hit by crypto-ransomware - but attackers botch private key: Admins are facing a variant of Linux malware (Linux.Encoder.1) that encrypts files on infected web servers. But the good news for now is the private key that locks down those files is predictable. The crypto-ransomware is aimed at Linux system administrators and demands exactly one Bitcoin (~$350) to restore access to key files. Researchers analyzed the malware and said it was extremely similar to more widespread ransomware for Windows machines, such as CryptoLocker and TorLocker, which have reportedly made tens of millions of dollars for their operators.

3.       No two-factor authentication - FBI got basic security wrong: Hackers earlier this month were able to access a US law enforcement arrest database and posted screenshots to Twitter. The hackers also gained access to a police file transfer service, an instant messaging service for police, and a real-time intelligence-sharing platform, among others. The servers were located in one centralized location and were accessible by a single sign-on process -- using one username and one password. What's more surprising is that the FBI trumpets two-factor authentication as one of the prime ways of keeping data safe. The FBI warned that it takes this very seriously and will hold accountable those who engage in illegal activities in cyberspace.

4.       Bug bounty programs help, but researchers need a platform to report: Many computer-security researchers think the world would be a safer place if they could easily report bugs to software creators, so the holes could be patched before hackers exploit them. But there's a problem: 94% of companies don't advertise a way for users to report bugs, among them J.P. Morgan Chase, Bank of America, Allstate Insurance, Ford Motor, etc. The exceptions that do include Facebook, Microsoft, Apple, Amazon, etc. As discussed in the Week of Aug 10th post, Oracle's CSO had equated recreating and testing the source code behind Oracle products with 'sinning'; Oracle has since removed the post.

5.       New ransomware business cashing in on CryptoLocker's name: A new service launched last week is offering a new ransomware product under the name CryptoLocker Service to anyone willing to pay ten percent of the collected ransom. CryptoLocker Service requires a $50 USD fee to begin with, which customers (other hackers) pay in order to get the basic ransomware payload. Once the payment is done, customers are allowed to specify the amount of ransom money they want to receive and the account details for the Bitcoin transfer. When the CryptoLocker file is executed on the victim's machine it encrypts all files. If the victim pays the demanded ransom, the payment address forwards the funds – less a ten percent fee – to the Bitcoin wallet designated by the CryptoLocker Service customer. MaaS – Malware as a Service.

6.       Latest Android phones hijacked with tidy one-stop-Chrome-pop (does not require multiple chained vulnerabilities to work): Google's Chrome for Android has been hacked in a single exploit that could lead to the compromise of any Android handset. The exploit, showcased at MobilePwn2Own at the PacSec conference in Tokyo last week, targets the JavaScript v8 engine. It can probably hack all modern and updated Android phones if users visit a malicious website. As soon as the phone accessed the website the JavaScript v8 vulnerability in Chrome was used to install an arbitrary application without any user interaction, thereby taking complete control of the phone.

7.       Apple and Google remove Instagram password-stealing app from app stores: Google and Apple have removed a malicious third-party Instagram app that stole passwords – but only after it had become a top-grossing app in the App Store and gained over 100,000 users from Google Play. iOS developers raised the alarm over the app 'Who Viewed Your Profile - InstaAgent', posting on Twitter that it was storing Instagram usernames and passwords and sending them in clear text to a remote server. As discussed in Issue 31, Apple had earlier discovered dozens of apps in the China App Store laced with the XCodeGhost malware.

8.       All Windows users should patch these two new 'critical' flaws: The software giant [Microsoft] released the patches on Tuesday as part of its monthly release of security updates. All users running Windows Vista and later - including Windows 10 - are affected by two flaws, which could allow an attacker to install malware on an affected machine. The patch MS15-112 addresses a memory corruption flaw in Internet Explorer. If exploited, an attacker could gain access to an affected machine with the same access rights as the logged-in user, such as installing programs and deleting data.

9.       Tax talks - Central Board of Direct Taxes will be using email for correspondence with taxpayers: In order to improve services, CBDT will be using email for correspondence with taxpayers for notices on scrutiny and for getting responses from them. To start with, it will run on a pilot basis in five cities — Delhi, Mumbai, Bengaluru, Ahmedabad and Chennai. This will reduce the need for taxpayers to personally meet the tax officers. To avoid impersonation, the authorities will use only the '@incometax.gov.in' domain. The 'tax notice' will now be an eNotice and will be followed up with an SMS to ensure people read those emails and respond. An online portal is also being mooted which will enable all taxpayers to upload returns and communicate with CBDT directly.
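The "only '@incometax.gov.in'" rule is something a receiving mail system (or a cautious taxpayer's filter) can check mechanically, provided the check looks at the actual address rather than the display name and does not trust the From: header on its own, since From: is trivially forged. The following is an added example, not CBDT's or the newsletter's code. It assumes the receiving mail server records DKIM verification in a standard Authentication-Results header (RFC 8601 syntax); the three sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Optional, Set

# The only domain the article says CBDT will use for taxpayer correspondence.
OFFICIAL_DOMAIN = "incometax.gov.in"


def sender_domain(from_header: str) -> Optional[str]:
    """Domain of the address in a From: header, ignoring the display name.

    parseaddr() separates '"Income Tax Dept" <x@y>' into name and address, so a
    display name that merely mentions incometax.gov.in is not mistaken for it.
    Comparison is case-insensitive and a trailing dot is ignored.
    """
    _, addr = parseaddr(from_header or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


# Matches 'dkim=pass ... header.d=<domain>' within one clause of an
# Authentication-Results header, as written by the receiving mail server.
_DKIM_PASS = re.compile(r"dkim=pass\b[^;]*?\bheader\.d=([A-Za-z0-9.-]+)", re.IGNORECASE)


def dkim_pass_domains(auth_results: str) -> Set[str]:
    """Domains for which the receiving server recorded a passing DKIM signature."""
    return {d.lower() for d in _DKIM_PASS.findall(auth_results or "")}


def classify(raw_message: str) -> str:
    """Return 'official', 'unverified' or 'suspect' for one raw RFC 5322 message.

    suspect    - the From: address is not exactly @incometax.gov.in (wrong domain,
                 look-alike, or the official name buried in a subdomain)
    unverified - the From: domain is right, but no DKIM pass vouches for it
    official   - the From: domain is right and a DKIM signature for it verified
    """
    msg = message_from_string(raw_message)
    domain = sender_domain(msg.get("From", ""))
    if domain != OFFICIAL_DOMAIN:
        return "suspect"
    if OFFICIAL_DOMAIN not in dkim_pass_domains(msg.get("Authentication-Results", "")):
        return "unverified"
    return "official"


# Constructed sample messages (headers only matter for this check).
GENUINE = """From: "Income Tax Department" <Notice@IncomeTax.gov.in>
Authentication-Results: mx.example.net; dkim=pass header.d=incometax.gov.in; spf=pass smtp.mailfrom=incometax.gov.in
Subject: eNotice under scrutiny

Please respond through the portal.
"""

LOOKALIKE = """From: "incometax.gov.in" <notice@incometax.gov.in.example.test>
Authentication-Results: mx.example.net; dkim=pass header.d=incometax.gov.in.example.test
Subject: eNotice under scrutiny

Open the attachment.
"""

UNSIGNED = """From: notice@incometax.gov.in
Authentication-Results: mx.example.net; dkim=none; spf=fail smtp.mailfrom=incometax.gov.in
Subject: eNotice under scrutiny

Open the attachment.
"""

if __name__ == "__main__":
    for label, raw in [("genuine", GENUINE), ("lookalike", LOOKALIKE), ("unsigned", UNSIGNED)]:
        print(f"{label:10s} -> {classify(raw)}")
```

Two details carry the weight here. The domain comparison is an exact match, so `incometax.gov.in.example.test` and a display name of "incometax.gov.in" both fall through as suspect. And a correct From: domain alone only yields "unverified": the message is promoted to "official" only when the receiving server's own DKIM verification (`dkim=pass` with `header.d=` equal to the official domain) backs up the header, which is what actually distinguishes CBDT's mail from a forgery that merely claims the domain.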


10.   Japan its own enemy in push to improve cybersecurity: Apart from rogue hackers, criminal organizations or even state-backed cyber-warfare units, Japan's businesses and government agencies are facing a unique cybersecurity foe: themselves. The primary reason is the widespread corporate culture that views security breaches as a loss of face, leading to poor disclosure of incidents or information sharing at critical moments. Rank-and-file workers fear that reports of security lapses may get them punished, and the problem reflects a broad lack of understanding of cybersecurity among the top ranks of Japanese executives. The cybersecurity industry around the world, not just in Japan, frequently echoes the call for greater transparency within and among organizations. In many ways, several other countries, including India, suffer from such cultural barriers.