Monday, February 29, 2016

Issue 53 - Week of Feb 22nd

Anniversary edition. TWTW's first edition was on 02 Mar 2015. Thanks for your support.

1. Beware of hacked ISOs if you downloaded Linux Mint on February 20th!: Linux Mint is a community-driven operating system that is both powerful and easy to use. Last week, on Feb 20th, the Linux Mint website was compromised. The hacker uploaded a version of Linux Mint containing the 'Tsunami' (aka Kaiten) backdoor, detected as Backdoor.linux.Tsunami.bh. The backdoor connects to absentvodka[.]com in Sofia, Bulgaria. Hundreds of people downloaded the infected version without knowing it. Some of the most critical applications run on Linux, so it is always advisable to invest in threat-protection technology for Linux that is capable of detecting the backdoor in memory.

2. Apple vs. FBI - update: Apple and the FBI will face off at a congressional hearing on Tuesday, March 1, following Apple CEO Tim Cook's request for Congress to get involved in the legal battle over the San Bernardino shooting suspect's locked iPhone. If Apple were to allow this backdoor, other courts would come with similar requests and hackers and repressive regimes would exploit it; hence Tim Cook rightly called the iPhone-cracking software the "software equivalent of cancer." Several high-profile technology companies, including Facebook, Alphabet, Twitter and Microsoft, have supported Apple's stance against the FBI.

3. Hackers hold German hospital data hostage: Lukas Hospital in Germany was hacked and suffered a ransomware attack. Staff noticed error messages popping up, and the systems became suspiciously slow. A swift response by IT, who decided to take the systems offline, averted major damage. They are now back to pen and paper, and a fax machine for intra-hospital communication. Thankfully they have regular backups of their data and will be able to restore the systems once they are cleaned up. Traditional security systems can hardly stop ransomware attacks; a multi-layered approach and web security with real-time detection and blocking of both known and unknown binary threats will help. Recently, an LA hospital paid $17k in ransom.

4. MasterCard Says It Will Use Selfies to Replace Passwords: Every security provider would like to find a replacement for passwords, which are easily forgotten and too often stolen, hacked and otherwise abused by bad actors. MasterCard thinks that faces and fingerprints can't be stolen, forgotten, hacked and otherwise abused quite as easily as passwords, and it's probably right. With this in mind, the credit card company has announced that its customers will soon be able to replace their passwords with a selfie and a fingerprint to verify their identity when making payments online.

5. Nissan Leaf hackable through insecure APIs: The Nissan Leaf (like the Reva) is an electric car. It has a mobile app for Apple and Android devices that lets customers manage the car and access features such as battery charge status, climate control and trip reports. Last week, researchers identified and revealed a flaw in the software that an attacker could use to run down the battery of a target's car and see data about its recent journeys. Nissan disabled the Leaf app after the car-hack risk was revealed online. Unlike the Jeep hack, the Nissan Leaf hack would not work while the car was moving and did not affect the steering controls, so in that sense it would not threaten people's lives.

6. Almost Every Victim Sees Unique Malware: According to a study, nearly 97 percent of malware encountered on users' computers is unique, because criminals automatically generate variants in order to stymie defensive software. Traditional systems that rely largely on signatures will not be able to keep pace with these criminals. The study also saw a dramatic increase in the number of new Internet addresses from which malicious attacks came.

7. 3D printing piracy: Piracy is probably as old as software itself. The latest addition to the piracy list is the designs of 3D-printed objects. A large community of designers who create objects for 3D printers post their design files to sharing sites. Pirates download these designs, print out the 3D objects and sell them on eBay. This happens with smartphone apps as well. There are a bunch of third-party app stores out there that sell highly discounted versions of commercial apps. The catch? The original developers aren't getting paid, and the buyers often find themselves getting not only a discount but a very nasty malware infection. Hackers buy the original app, pad it with malware payloads, repackage it and sell it at bargain pricing.

8. Thousands of apps running this code leak personal data: Thousands of apps running code built by Chinese internet giant Baidu have collected and transmitted users' personal information to the company, much of it easily intercepted, researchers say. The apps have been downloaded hundreds of millions of times. Researchers said they found the problems in an Android software development kit developed by Baidu. These affected Baidu's mobile browser and apps developed by Baidu and other firms using the same kit. Baidu's Windows browser was also affected, they said. The same researchers last year highlighted similar problems with unsecured personal data in Alibaba's UC Browser. Alibaba has since fixed those vulnerabilities.

9. Industrial transaction scam: Online fraudsters target mid-level importers by hacking into their business email accounts and scanning all correspondence with their regular foreign business partners. They then impersonate the foreign company by registering a similar-looking domain with a minor change in spelling and communicate with the importer, offering items of interest at a much lower price. Greedy importers who fail to notice the typosquatted domain name end up transferring and losing huge sums of money. Hackers go after companies that have poor security.
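The typosquatted-domain trick described above is easy to miss by eye but easy to check mechanically. The following is an added example, not code from the newsletter or from any vendor: it compares the domain of each incoming sender against a list of known partner domains, first normalising common look-alike characters and then measuring edit distance. The partner domains, sender addresses and the homoglyph table are all constructed for illustration.

```python
"""Flag sender domains that look like, but are not, a known partner's domain.

Added example for the 'industrial transaction scam' item. TRUSTED_DOMAINS, the
sample addresses and the HOMOGLYPHS table are constructed, not real data.
"""

# Constructed list of domains this importer legitimately does business with.
TRUSTED_DOMAINS = {"acme-exports.com", "globalparts.co.uk"}

# A small, illustrative table of character swaps used to build look-alike
# names (assumption: not an exhaustive confusables list).
HOMOGLYPHS = [("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")]


def normalise(domain: str) -> str:
    """Lower-case the domain and undo the common look-alike substitutions."""
    d = domain.lower()
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,        # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or plain 'user@domain'."""
    return address.rsplit("@", 1)[-1].strip("> ").lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return ('trusted', domain), ('lookalike', partner_it_mimics) or ('unknown', None).

    A domain is a look-alike when, after homoglyph normalisation, it is equal to
    or within max_distance edits of a trusted partner domain but is not that domain.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted", domain
    norm = normalise(domain)
    for good in trusted:
        good_norm = normalise(good)
        if norm == good_norm or levenshtein(norm, good_norm) <= max_distance:
            return "lookalike", good
    return "unknown", None


def triage(addresses):
    """Run the check over a batch of sender addresses; returns [(address, verdict, partner)]."""
    return [(addr, *classify_sender(addr)) for addr in addresses]


if __name__ == "__main__":
    # Constructed sample senders, one per line.
    for row in triage([
        "sales@acme-exports.com",          # genuine partner
        "sales@acme-export.com",           # one letter dropped
        "Bob <bob@g1obalparts.co.uk>",     # digit 1 in place of letter l
        "news@unrelated.org",
    ]):
        print(row)
```

In practice the trusted list would be populated from the importer's actual supplier records, and a 'lookalike' verdict should route the message to a human before any payment instruction in it is acted on; the edit-distance threshold of 2 is a starting point that needs tuning against the length of the domains involved.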

10. Phishing campaign targets India's largest private bank: Customers of ICICI, India's largest private bank, have become targets in a phishing campaign tailored to dupe victims into handing over their bank credentials. The campaign sent out emails with a sender address of ICICI Bank that, at first glance, appear legitimate. The email asks the recipient to update their bank details and other information. A link is provided which, if clicked, sends the victim to a landing page asking them to confirm key pieces of information including user ID, password, transaction password, debit card number, email ID and email password. All of this information is a treasure trove to attackers, who may be able to use it to pilfer funds, conduct identity theft or break into additional accounts through social engineering.



Sunday, February 21, 2016

Issue 52 - Week of Feb 15th


1. Apple vs. FBI - update: The FBI wants to access the iPhone used by the terrorist who killed 14 people in San Bernardino last year. The iPhone is password protected, and the 10th wrong attempt will permanently erase all the data on it. Apple can't bypass this on the iPhone, so the FBI has instead asked the company to disable certain features, which would let its agents unlock the iPhone over multiple attempts. Apple has opposed the request and said that this would create a backdoor that makes all iPhones insecure. Microsoft, WhatsApp, Yahoo, Twitter and many others have expressed their solidarity with Apple and support its decision.

2. Ransomware attack - Hospital pays hackers $17,000 in Bitcoins: A Los Angeles hospital network was hacked and its computers were disrupted by ransomware. Emergency rooms and treatments were affected as doctors could not access the computer network for patient data. This could have been dangerous, so the hospital decided to pay the ransom to obtain the decryption key. Most of the time ransomware infiltrates a network with the help of an exploit kit, and these kits make it into networks through malvertising or email attachments.

3. Apple addresses Error 53: Last edition we discussed 'Error 53' in iPhones, which bricks the phone if a non-Apple technician replaces the fingerprint scanner (Touch ID) cum home button. Touch ID is also used by millions of users to make payments with Apple's e-wallet, Apple Pay. Last week Apple apologized for Error 53 and shared steps to recover a bricked phone using iTunes. This will put life back into the bricked phone, but the Touch ID feature will remain unusable.

4. Linux Systems Patched for Critical glibc Flaw: Google disclosed a critical flaw affecting major Linux distributions. The glibc flaw could potentially lead to remote code execution. The glibc client-side DNS resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used, and the main risk from this flaw is to Linux client applications that rely on DNS responses. Linux runs some of the most critical applications across industries, be it ERP for manufacturing companies or portals for the e-commerce world, so it's no wonder that Linux threat protection tops most CIOs' investments and plans.

5. Locky Ransomware - Encrypts Documents, Databases, Code, BitCoin Wallets: A new ransomware named Locky has emerged recently. It uses 128-bit AES encryption and has a domain generation algorithm (DGA). It is also capable of encrypting SQL databases, source code, BitCoin wallets and more. The infection begins with an email containing MS Office attachments that have harmful macros. Once opened, these macros connect to the C&C and install the ransomware. The DGA makes it difficult for law enforcement to shut down botnets effectively, since the malware generates thousands of domain names every day to contact for updates, and those trying to block them cannot keep pace.
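Because a DGA-driven botnet burns through domains faster than any blocklist can be updated, defenders instead look at the shape of the names being resolved: machine-generated labels tend to have high character entropy and few vowels. The following is an added example written for this newsletter item, not code from the original or from any product. It scans constructed DNS log lines and flags queries whose second-level label looks algorithmically generated; the thresholds, log format and domains are all assumptions for illustration.

```python
"""Heuristic DGA-style domain detection over DNS query logs.

Added example for the Locky/DGA item. The LOG sample, the log line format
(timestamp host 'query' type name) and the thresholds are constructed.
"""
import math
from collections import Counter

# Constructed DNS resolver log: timestamp, client host, query type, name.
LOG = """\
2016-02-15T08:01:02 ws12 query A www.linuxmint.com
2016-02-15T08:01:09 ws12 query A updates.example.com
2016-02-15T08:02:10 ws12 query A xk3qpw9vbzt7m.ru
2016-02-15T08:02:11 ws12 query A bqwdzpklmnrtvs.biz
2016-02-15T08:02:12 ws12 query A cloudfront.net
"""

VOWELS = set("aeiou")

# Illustrative thresholds (assumption): real deployments tune these against
# their own traffic and whitelist known high-entropy names such as CDNs.
ENTROPY_THRESHOLD = 3.2
VOWEL_RATIO_MAX = 0.25


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in s (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def vowel_ratio(s: str) -> float:
    """Fraction of characters that are vowels; pronounceable words score higher."""
    return sum(ch in VOWELS for ch in s) / len(s) if s else 0.0


def second_level_label(domain: str) -> str:
    """Return the label left of the public suffix, e.g. 'example' for 'a.example.com'.

    Assumption: a single-label suffix ('.com', '.ru'); multi-part suffixes such as
    '.co.uk' would need a public-suffix list, which this example does not include.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_dga_like(domain: str) -> bool:
    """High entropy plus very few vowels is the DGA signature this heuristic keys on."""
    label = second_level_label(domain)
    return (shannon_entropy(label) >= ENTROPY_THRESHOLD
            and vowel_ratio(label) <= VOWEL_RATIO_MAX)


def scan_dns_log(text: str):
    """Return the queried names from each log line that look DGA-generated."""
    flagged = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "query":
            continue  # skip blank or unexpected lines
        name = fields[4]
        if is_dga_like(name):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for name in scan_dns_log(LOG):
        print("suspicious:", name)
```

A single flagged lookup proves little; what a SOC would act on is a host resolving dozens of such names in a short window, most of them returning NXDOMAIN, which is the pattern a DGA produces while hunting for the day's live controller.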

6. IRS Warns of 400% Surge in Email Schemes This Tax Season: The IRS has issued an alert warning consumers of an influx of tax-related phishing schemes this filing season, which may ask taxpayers about a wide range of topics, such as information related to refunds, filing status, confirming personal information, ordering transcripts or verifying PIN information. By clicking on malicious email links, consumers are taken to sites designed to imitate an official-looking website like IRS.gov, which ask for Social Security numbers and other personal data. The sites could also carry malware, used to infect people's computers and allow criminals to access their files or track their keystrokes to gain more information, including important login credentials.

7. Hundreds Of Spotify Premium Accounts Exposed Online: The black-hat hacker world is at it again, this time publishing hundreds of Spotify Premium user accounts online. The user info appeared in three different online data dumps on Pastebin starting last week. Each dump contained email addresses with their corresponding Spotify passwords. For some accounts, home countries, account types (such as premium or free) and account renewal dates were also published. Many people use the same or similar passwords across their various accounts; hackers may exploit this and try to break into more sensitive accounts such as official email or banking credentials.

8. Twitter password recovery bug exposes data of 10,000 users: Twitter has warned roughly 10,000 users that a bug discovered in the platform's password recovery system may have exposed their personal data. In a blog post last week, Twitter said the bug affected the micro-blogging platform's systems for approximately 24 hours. The password recovery bug, while "immediately fixed," had the potential to expose the email addresses and phone numbers linked to user accounts. Twitter has notified the 10,000 or so affected users, so if you haven't had an email from the company land in your inbox recently, you have nothing to worry about.

9. 5 top weapons used by hackers: (i) macros in MS Office; (ii) iOS and Android malware; (iii) PHP malware; (iv) Adobe Flash vulnerabilities; (v) old vulnerabilities, which are the best vulnerabilities because users do not always patch everything. We must learn from these weapons, understand and monitor the risk environment, and build security into the fabric of the organization to better mitigate known and unknown threats, which will enable companies to move forward without fear and focus on their core business and growth.


10. SIM deactivation fraud linked to bank insiders: Bangalore cyber crime investigators suspect that unscrupulous bank employees could be providing or selling online fraudsters confidential information about bank account holders, including their mobile phone numbers and ID-proof details. They have arrested a banker from Hyderabad for allegedly abetting a ₹1 million fraud on a Bangalore-based garment dealer. The fraudsters use this sensitive information to obtain duplicate SIM cards and then generate one-time passwords to siphon money from bank accounts. This could be a nationwide scam, as investigators have also arrested two accomplices from Mumbai, non-banking staff, who routed the money to various accounts that were emptied out via ATMs.

Monday, February 15, 2016

Issue 51 - Week of Feb 8th


1. IRS defeats 'automated attack' against tax e-filing systems: e-Taxpayers are given a five-digit e-filing code, used to authenticate the user when filing taxes. Hackers used an automated bot to generate these codes with 464,000 stolen Social Security numbers. The codes would have given them access to a lot of information about those taxpayers. Though the bot successfully generated e-filing codes for over 101,000 Social Security numbers, no taxpayer data was compromised or disclosed by IRS systems. The tax agency wasn't so lucky last year, when it was hit by a data breach in which hackers pilfered the tax information of more than 100,000 Americans.

2. US Govt. looking for CISO: After a series of high-profile attacks against US government departments, agencies and systems, President Barack Obama announced a $5 billion hike in cybersecurity spending, taking the total funding to $19 billion, in an effort to make cyber-defenses and protections a top priority. The Obama administration also set out to hire its first chief information security officer to take on federal responsibility for cybersecurity policy and strategy.

3. Cops arrest teen for hack and leak of Dept. of Homeland Security (DHS), FBI data: A 16-year-old boy living in England has been arrested in connection with the recent hack of FBI and DHS data, as well as the personal email accounts of the CIA director. The boy stole and leaked the names, titles and contact information of 20,000 FBI employees and 9,000 DHS employees. This was possible through a compromised Department of Justice email account. The teen is suspected of being the leader of a group of hackers who call themselves "Crackas with Attitude" or CWA.

4. Ukraine railway, mining company attacked with BlackEnergy malware: Weeks after the malware played a role in the 'first known hacker-caused power outage' in Ukraine, BlackEnergy and its cohort KillDisk were used in attacks on mining and rail transportation firms as well. BlackEnergy has been floating around since 2011 and was originally used to collect information from industrial control systems. The US ICS-CERT issued a new YARA signature for detecting BlackEnergy. Everything that relies on an industrial control system, whether an oil and gas facility, a pipeline, a ship or a power generator, could be compromised by this malware.

5. Poseidon cybercriminals - first hack, then blackmail to sign contract: Poseidon launches spear-phishing campaigns specifically tailored for victim companies; they may include job applications with resumes for specific posts sent to HR. The phishing emails contain malicious RTF or DOC files. If the attachment is opened, the malware connects to the attacker's command and control (C&C) center and launches the IGT malware (also called 'treasure stealer'). IGT then learns the apps, commands and vulnerabilities that can be exploited on this network. Armed with this data, the group approaches the victim and pressures them into signing Poseidon on as their 'security consultants'. If a company refuses to hire them, they leak all the stolen information. There are 35 enterprise players across the US, France, Kazakhstan, UAE, India and Russia that have become targets, although Poseidon leans heavily towards businesses within Brazil.

6. AlienSpy RAT strikes over 400,000 victims worldwide: Also known as Adwind, this malware is a Java-based Remote Access Tool (RAT) distributed using a malware-as-a-service platform. Hackers rent this platform and begin by sending the payload via phishing campaigns. If a victim opens the email attachment, the malware installs itself on the PC and attempts to communicate with the operator's command and control (C&C) server for additional instructions. The malware is able to collect keystrokes, steal cached passwords and data submitted through web forms, take screenshots and pictures, and record video and sound. Half of the RAT's victims were based in the UAE, Germany, India, US, Italy, Russia, Vietnam, Hong Kong, Turkey and Taiwan. It is believed that subscriptions to the MaaS platform generate an annual income of approximately $200,000.

7. Valentine's Day Inspires DDoS Attacks Against Online Florists: Several online florists experienced a surge in traffic during the week leading up to Valentine's Day. Contrary to what some might expect, the traffic did not appear to be opportunistic in nature. Rather, it looked as if the florists were being individually targeted in denial-of-service campaigns apparently designed to extort money from them. The sudden spike in malicious traffic directed at online florists reflects a common tendency among cyber crooks to escalate malware campaigns and attacks around seasonal events and major news happenings.

8. IoT Could Be Used by Spies, U.S. Intelligence Chief Says: Billions of new systems, devices and sensors connecting each year widen the attack surface for hackers. Add to this the lack of security in many of these connected devices and their growing popularity in homes and businesses, and the issue becomes very concerning. But it's not all bad news, especially for spies: while these badly-designed devices will undermine security, the flip side is 'new opportunities for spies to collect intelligence'. It's not hard to think of scenarios where poorly secured devices in the home, from toys with built-in webcams to home automation systems, could be hacked into and used by intelligence agencies to gather all sorts of information.

9. Pakistani man admits to massive telephone hacking scheme: Last week, a Pakistani man admitted to his role in a massive hacking scheme in which he broke into various companies' EPABX systems, found unused numbers and directed them to dial premium telephone lines controlled by his criminal organization. AT&T paid the phony companies set up by the criminal group for the phone calls and collected the costs from the businesses that got hacked. The man also admitted to laundering $19.6 million, the money ill-earned through this telecom fraud scam.


10. Metel APT hacking group rolls back ATM transactions to dupe banks: Metel targets financial institutions through APT-style spying missions and custom malware. Its new tactic is to gain control over bank machines that have access to transactions, such as support-center PCs. Once this is done, the hackers legitimately withdraw money from the ATM of a different bank. After the cash is drawn, the hackers use their access to the support-center PCs to cancel the transaction, which rolls the withdrawn amount back into the account. The hacker then goes to another bank's ATM and draws money using the same card, again followed by rolling back the transaction. This is repeated several times during one night or on a holiday; the victim bank can only figure it out the next day.
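The Metel pattern leaves a distinctive trail in the issuing bank's own ledger: the same card producing a withdrawal at one bank's ATM, a reversal minutes later, then the same again at another bank, all inside one night. The following is an added example, not code from the newsletter or from any bank's fraud system: it pairs each reversal with its matching withdrawal per card and flags cards whose reversed-withdrawal cycles exceed a threshold within a time window. The CSV log format, card labels, bank names and thresholds are constructed for illustration.

```python
"""Detect repeated withdraw-then-reverse cycles on a single card.

Added example for the Metel item. TXN_LOG is a constructed ledger in the form
timestamp,card,bank,kind,amount where kind is 'withdrawal' or 'reversal'.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed ledger: CARD-A is cycled through three banks in one night,
# CARD-B has a single reversal (e.g. an ATM fault), CARD-C is never reversed.
TXN_LOG = """\
2016-02-06T23:05:00,CARD-A,BankX,withdrawal,500
2016-02-06T23:09:00,CARD-A,BankX,reversal,500
2016-02-06T23:40:00,CARD-A,BankY,withdrawal,500
2016-02-06T23:44:00,CARD-A,BankY,reversal,500
2016-02-07T00:15:00,CARD-A,BankZ,withdrawal,500
2016-02-07T00:19:00,CARD-A,BankZ,reversal,500
2016-02-06T12:00:00,CARD-B,BankX,withdrawal,200
2016-02-06T12:01:00,CARD-B,BankX,reversal,200
2016-02-06T18:00:00,CARD-C,BankY,withdrawal,300
2016-02-07T09:00:00,CARD-C,BankZ,withdrawal,300
"""


def parse_ledger(text: str):
    """Turn the CSV ledger into a list of dict records sorted by timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, card, bank, kind, amount = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "card": card,
                        "bank": bank, "kind": kind, "amount": int(amount)})
    return sorted(records, key=lambda r: r["ts"])


def pair_cycles(events):
    """Match each reversal to the earliest open withdrawal at the same bank and amount.

    Returns a list of (withdrawal, reversal) tuples for one card.
    """
    pending, cycles = [], []
    for e in events:
        if e["kind"] == "withdrawal":
            pending.append(e)
        elif e["kind"] == "reversal":
            for i, w in enumerate(pending):
                if w["bank"] == e["bank"] and w["amount"] == e["amount"]:
                    cycles.append((w, e))
                    pending.pop(i)
                    break
    return cycles


def find_rollback_abuse(records, min_cycles: int = 2, window=timedelta(hours=12)):
    """Flag cards with at least min_cycles reversed withdrawals inside one window.

    Illustrative thresholds (assumption): a single reversal is ordinary ATM
    noise; several across different banks in a few hours is the Metel pattern.
    """
    by_card = defaultdict(list)
    for r in records:
        by_card[r["card"]].append(r)

    flagged = {}
    for card, events in by_card.items():
        cycles = pair_cycles(events)
        if len(cycles) < min_cycles:
            continue
        span = cycles[-1][1]["ts"] - cycles[0][0]["ts"]
        if span <= window:
            flagged[card] = {
                "cycles": len(cycles),
                "banks": sorted({w["bank"] for w, _ in cycles}),
                "reversed_total": sum(w["amount"] for w, _ in cycles),
            }
    return flagged


if __name__ == "__main__":
    for card, info in find_rollback_abuse(parse_ledger(TXN_LOG)).items():
        print(card, info)
```

The check belongs on the issuing side, where both the withdrawal and the reversal are visible; the distinct-bank count is the strongest signal, since a genuine ATM fault reverses one withdrawal at one machine, not a chain of them across three institutions in a night.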

Sunday, February 7, 2016

Issue 50 - Week of Feb 1st


1. Online 'Batman' Takes On Dridex Trojan: Someone appears to have disrupted at least part of the channel that distributes the malware and replaced the malicious links with installers for a free antivirus tool (Avira) instead. So users who click on the malicious links get Avira's antivirus tool instead of the banking Trojan. The hacker, who has found a way to do a good thing but perhaps not by strictly legal methods, is being dubbed the Online Batman. Dridex has caused considerable damage and has so far resisted government efforts to take it down.

2. Linux.Wifatch - White hat virus that helps: A new virus called Linux.Wifatch has been spotted that, instead of hijacking internet routers and IoT devices for criminal purposes, is improving their security. Most often these devices have poor security and, on top of that, people keep the default settings and default admin password. The virus addresses these issues: it closes the telnet service so that nothing else can get in, leaves a message asking the router's administrator to change the password in the router's firmware, and then goes hunting in the router for any other malware it can kill off. However, it is still a virus, and one cannot really be sure of its long-term intentions.

3. US Homeland Security's $6B Firewall has many frightening blind spots: A recent audit revealed that the US Cybersecurity Protection System, aka EINSTEIN, does not scan for 94% of threats and doesn't monitor web traffic. The system is signature-based and can detect only known patterns of malicious traffic. It is also limited in detecting advanced persistent threats (APTs) and zero-day attacks. In terms of known vulnerabilities in common applications, it was able to identify only 29 of the 489 known vulnerabilities. Information sharing, another goal of EINSTEIN, is also in need of attention, as 1 in every 4 notifications is not received by the agencies that use the firewall.

4. Login duplication allows 20m Alibaba accounts to be attacked: To begin with, hackers obtained a database of 99 million usernames and passwords from a number of websites in China. They then tried these credentials on Alibaba and were able to access 20.59 million accounts. The hackers used the compromised accounts to place fake orders, a practice known as "brushing" in China and used to raise sellers' rankings. The hackers also sold these accounts to fraudsters. They exploited the human tendency to use the same set of credentials for all applications and websites; it probably helps to keep at least two sets of credentials, one for sensitive apps/websites and another for the rest.

5. PGP co-founder says ad companies are the biggest privacy problem today, not governments: The big tech companies today, Apple, Facebook, Google and Microsoft, have more data on you than anyone or anything else out there. Apple and Microsoft use the data to make their products better, and their revenue primarily depends on selling these products to us. On the other hand, Facebook and Google are 'free to use', and advertising revenue is what keeps it that way. For better ads they collect data such as browsing habits, search results and other demographic data (such as your age, location and education). Many find the ads intrusive and don't like being tracked.

6. Mattel's Smart Toy Bear & HereO watches - patch vulnerabilities: The Wi-Fi-enabled stuffed animal was vulnerable to a remote flaw. An attacker could trick the web service (API) into serving requests that shouldn't be authorized. From there, an attacker could easily access children's profiles (reminiscent of the VTech hack). The attacker could also force the toy to perform actions that the child didn't intend, interfering with normal operation of the device. A similar flaw affecting HereO, a smart GPS watch designed for children, allowed a hacker to trick a family's group into accepting a request to join it and thereby access every family member's location and location history. Both companies were receptive to these findings and have since fixed the vulnerabilities.

7. Apple iPhone's 'Error 53' - security vs. convenience: When iPhone 6 users who had their home button replaced by non-Apple technicians tried to update their iOS, their expensive phones got bricked: the phone becomes permanently unusable and is at best useful as a brick. Many customers were furious and felt Apple was arrogant to do this. Apple has hit back at the criticism, claiming it is part of measures to protect customers' security. When iOS finds a mismatch in hardware, Touch ID, including its use for Apple Pay, is disabled. If a customer encounters Error 53 or any other issue, it is better to contact Apple Support. Maybe Apple should have informed users about this feature before the OS update.

8. Hack Hall of Shame – January 2016:
a. A new hacktivist group called New World Hacking emerges - BBC, Trump web attacks "just the start," says hacktivist group.
b. Anonymous keep themselves busy - they hack Saudi Arabian government websites, Thai police sites, Nigerian government websites and Nissan websites.
c. Scathing report shows Microsoft failed to warn of the Chinese Govt. hack on thousands of Hotmail accounts of China's Tibetan and Uighur minorities.
d. Britain's Opposition Leader had his Twitter account hacked.
e. Tech support scam points to Dell breach.
f. US Spy Chief pranked by teen hackers.
g. Hyatt names hotels hit by malware.
h. LastPass susceptible to phishing attack.
i. Melbourne hospital's computer system is taken down by virus.
j. Java bug also found in PayPal.

9. Hackers are sending social-engineering emails to SMBs in India to steal money: Hackers begin by either stealing somebody's email account or spoofing one, and send emails to the finance department of targeted companies. These emails contain either a link to a malicious site or a malicious attachment. The subject line and body of the email are designed to LURE these employees into opening the link or attachment. Once they do so, their machine is compromised and from then on the hacker has full control of it. The hackers' objective is to steal money. They use their access to the machine to observe the user and trick them into transferring money. There have been instances where the hackers changed the bank details for remittances. ONGC is a classic Business Email Compromise (BEC) example.


10. Deceptive site ahead; Google will warn on legit sites carrying malvertising: Google is casting a wider net with its Safe Browsing technology to protect Chrome users, not just from deceptive websites but also from deceptive ads on legitimate sites. Google notes the new Safe Browsing feature may have an impact on legitimate websites that display deceptive ads. The warning Google shows in its blog post demonstrates that its alerts will indicate that the site itself is deceptive.