<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Network Security</title>
	<atom:link href="http://www.networksecurity.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.networksecurity.com</link>
	<description></description>
	<lastBuildDate>Mon, 06 May 2013 10:10:12 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.5.1</generator>
		<item>
		<title>Spamhaus Culprit believed to have been caught by Police, but does the real problem end with his capture?</title>
		<link>http://www.networksecurity.com/spamhaus-culprit-believed-to-have-been-caught-by-police-but-does-the-real-problem-end-with-his-capture/</link>
		<comments>http://www.networksecurity.com/spamhaus-culprit-believed-to-have-been-caught-by-police-but-does-the-real-problem-end-with-his-capture/#comments</comments>
		<pubDate>Mon, 06 May 2013 09:07:02 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=6009</guid>
		<description><![CDATA[<br />
It has been reported by the BBC that the alleged mastermind behind the recent Spamhaus cyber attacks has been nabbed by the Spanish police from Barcelona. The suspect, a Dutchman named Sven Kamphuis, is the owner of the famous Dutch hosting firm CyberBunker, which has been accused of providing hosting access to a wide variety of threats across the internet.<br />
It is believed that the anti spam website’s openly declaring CyberBunker as a threat to internet security must have ...]]></description>
				<content:encoded><![CDATA[<div class="post_thumb"><img src="http://networksecure.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/spamhaus.jpg" alt="spamhaus" width="538" height="218" class="alignnone size-full wp-image-6010" /></div>
<p>It has been reported by the BBC that the alleged mastermind behind the recent Spamhaus cyber attacks has been nabbed by the Spanish police from Barcelona. The suspect, a Dutchman named Sven Kamphuis, is the owner of the famous Dutch hosting firm CyberBunker, which has been accused of providing hosting access to a wide variety of threats across the internet.</p>
<p>It is believed that the anti-spam website’s open declaration of CyberBunker as a threat to internet security set the latest string of events in motion.</p>
<p>The attack on Spamhaus was a wake-up call to the entire internet community. It was perhaps the largest cyber attack reported in history. The rumbling effect of the Distributed Denial of Service (DDoS) attacks on Spamhaus resulted in the whole of Europe experiencing a considerable slowdown in internet speeds. The incident brought to light how readily internet servers can be made to respond to the commands of potential attackers.</p>
<p>Even though this news of capturing the man behind the attack is good to hear, things cannot be taken for granted. The Spamhaus issue pointed out clearly how network intrusions and volatile security policies followed by hosting servers can be exploited. And just look at the effects of the attack!</p>
<p>Not just Spamhaus, but the whole of Europe was made to pay the price. This is just an invitation for more cunning and intelligent cyber thieves/hackers to attack even bigger online resources. It is now virtually possible to cripple the entire internet backbone using such exploitation techniques. </p>
<p>So unless the world leaders take a more serious approach to resolve this problem, the threat is far from over. If measures are not taken to identify and rectify weaknesses, attacks of even greater magnitude might occur in the near future and in the most unexpected of places.</p>
<p>Source:</p>
<p>http://www.bbc.co.uk/news/technology-22314938</p>
<p>http://news.cnet.com/8301-1009_3-57581639-83/police-arrest-dutchman-for-alleged-spamhaus-web-attacks/</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/spamhaus-culprit-believed-to-have-been-caught-by-police-but-does-the-real-problem-end-with-his-capture/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Boston Blasts – Resource to spread malware?</title>
		<link>http://www.networksecurity.com/boston-blasts-resource-to-spread-malware/</link>
		<comments>http://www.networksecurity.com/boston-blasts-resource-to-spread-malware/#comments</comments>
		<pubDate>Fri, 03 May 2013 08:51:52 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=6005</guid>
		<description><![CDATA[<br />
Source: http://www.examiner.com/article/cybercriminals-using-boston-marathon-bombings-to-spread-malware<br />
Social media has always held the upper hand when it comes to ‘spreading the word’, be it joy or tragedy. In the recent mishap that occurred during the Boston Marathon, various social networks like Facebook and Twitter have played an active role in spreading awareness. But it is also unfortunate that cybercriminals are using this constructive aspect of the network to spread malware. The attackers (cyber) uploaded false updates regarding the incident. Any concerned citizen who tried to ...]]></description>
				<content:encoded><![CDATA[<div class="post_thumb"><img src="http://networksecure.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/boston.jpg" alt="boston" width="538" height="218" class="alignnone size-full wp-image-6006" /></div>
<p>Source: http://www.examiner.com/article/cybercriminals-using-boston-marathon-bombings-to-spread-malware</p>
<p>Social media has always held the upper hand when it comes to ‘spreading the word’, be it joy or tragedy. In the recent mishap that occurred during the Boston Marathon, various social networks like Facebook and Twitter have played an active role in spreading awareness. But it is also unfortunate that cybercriminals are using this constructive aspect of the network to spread malware. The attackers (cyber) uploaded false updates regarding the incident. Any concerned citizen who tried to learn more about the news by following the link soon found himself trapped with the malware. Sites such as YouTube, as well as spam mails, served as the favorite hosts for this ransomware.<br />
According to the studies released by a Romanian-based anti-virus agency, the attackers released the malware through false updates, hours after the actual bombings happened in the locality. According to the report of TechNewsDaily, even before the smoke of the bombings faded away, spam mails containing the malware bombarded various accounts. With titles containing ‘explosion’, ‘Boston’ and ‘marathon’, they deceived the victim into believing the link showcased live video and related news of the event. In this way they piqued the victim’s curiosity and led him to the attached link.</p>
<p>On opening the mail, the victim found no text. It consisted of an HTML document that ended in ‘boston.html’ and ‘news.html’, and a link. On hitting the link, the browser was directed to a YouTube video that showcased the real event. While the video frame captured the victim’s attention, what escaped his notice was that the mail supports iframe. The iframe leads to malicious Java code that is triggered when the browser is redirected to the site. Thus cybercriminals slip in the malware by redirecting the victim’s attention elsewhere. The malware was identified as Trojan.GenericKDZ.14575, which was in the limelight for the infamous attack on the NBC website.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/boston-blasts-resource-to-spread-malware/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google reforms PlayStore; Adblockers kicked out, Official Ban for Off-Market Updates!</title>
		<link>http://www.networksecurity.com/google-reforms-playstore-adblockers-kicked-out-official-ban-for-off-market-updates/</link>
		<comments>http://www.networksecurity.com/google-reforms-playstore-adblockers-kicked-out-official-ban-for-off-market-updates/#comments</comments>
		<pubDate>Thu, 02 May 2013 09:01:16 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=6007</guid>
		<description><![CDATA[<br />
Google Play store has of late met with a lot of criticism for the presence of malware in Bouncer-certified applications. The Trustgo Security report (released in March) confirmed the presence of malware in 7-8% of apps 2 months back. These developments show the internet giant&#8217;s urge to attain a firm grasp on the apps and their authors. Never before has Google implemented such aggressive rules in Play store, and freedom was the one sweet thing that attracted ...]]></description>
				<content:encoded><![CDATA[<div class="post_thumb"><img src="http://networksecure.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/play.jpg" alt="play" width="538" height="218" class="alignnone size-full wp-image-6008" /></div>
<p>Google Play store has of late met with a lot of criticism for the presence of malware in Bouncer-certified applications. The Trustgo Security report (released in March) confirmed the presence of malware in 7-8% of apps 2 months back. These developments show the internet giant&#8217;s urge to attain a firm grasp on the apps and their authors. Never before has Google implemented such aggressive rules in Play store, and freedom was the one sweet thing that attracted many people to Android.</p>
<p>Google Says an Official ‘NO’ to Off-Market Updates<br />
Off-market updates have been strictly banned by Google from now on, so applications that release updates outside its Play store ecosystem will be kicked out for good. Imposing this rule will do good for the users, as the number of certified apps with intrusive adware or malware will be reduced.<br />
The most important, yet the most criticized, reform has been the removal of all ad-blocking apps from the Google Play store. As 90% of the users love these apps, they sure are going to hate Google for the step taken. This action was taken as Google revenue from Play store is heavily dependent on online ads. The reason for the removal of apps in the message sent to the ad-blocking author is “Violation of Section 4.4 of the Developer Distribution Agreement”. Jared Rummler (author of Ad Blocker) tweeted about the “You’re Fired” notification from Google.</p>
<p>Although a ban is now in place on these apps in the Play store, users can still install these apps from other Android app markets. Still many users hope that Google will revoke the ban on Ad-blockers as they don’t want to linger in any third party stores.</p>
<p>http://nakedsecurity.sophos.com/2013/04/28/google-tightens-up-play-store-policy-officially-bans-off-market-updates/</p>
<p>http://nakedsecurity.sophos.com/2013/03/14/google-tells-ad-blocking-utilities-on-android-youre-fired/</p>
<p>http://www.v3.co.uk/v3-uk/news/2235637/one-in-five-android-apps-rank-as-having-high-risk-security-issues</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/google-reforms-playstore-adblockers-kicked-out-official-ban-for-off-market-updates/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Gh0stRAT Cyber Espionage Campaigns Still Go Strong</title>
		<link>http://www.networksecurity.com/gh0strat-cyber-espionage-campaigns-still-go-strong/</link>
		<comments>http://www.networksecurity.com/gh0strat-cyber-espionage-campaigns-still-go-strong/#comments</comments>
		<pubDate>Tue, 30 Apr 2013 07:28:45 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=5982</guid>
		<description><![CDATA[<br />
The Gh0st RAT malware, the mother of all cyber-espionage tools, is still going strong. This malware, which first shot into the limelight in 2008, is a Trojan that opens up a remote backdoor access for the attackers to infiltrate and gain real-time control of systems. Having gained access, it becomes possible for the attackers to steal the files stored in the system, turn on the camera and audio-recording functions to eavesdrop on the users, undertake keylogging, and do more. ...]]></description>
				<content:encoded><![CDATA[<div class="post_thumb"><a href="http://networksecure.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/7.png"><img src="http://networksecure.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/7.png" alt="" width="538" height="218" class="alignnone size-full wp-image-5983" /></a></div>
<p>The Gh0st RAT malware, the mother of all cyber-espionage tools, is still going strong. This malware, which first shot into the limelight in 2008, is a Trojan that opens up a remote backdoor access for the attackers to infiltrate and gain real-time control of systems. Having gained access, it becomes possible for the attackers to steal the files stored in the system, turn on the camera and audio-recording functions to eavesdrop on the users, undertake keylogging, and do more. </p>
<p>Gh0st RAT had targeted 1,000 computers in 103 countries, in 2009. The world of cyber-espionage has advanced considerably since then, but many advanced persistent threat attacks continue to use Gh0st RAT and reap rich dividends. Gh0st RAT has been involved in many high profile instances of hacking including the 2012 attack on Amnesty International UK website.</p>
<p>Security major FireEye analyzed about 12 million reports of suspicious activity in 2012 and flagged about 2,000 of them as dangerous advanced persistent threats. A majority of these 2,000 incidents employed Gh0st RAT.</p>
<p>The Gh0st RAT malware is now present in over 184 countries, a 42% increase from 2009. And the attackers have become more sophisticated and intuitive. For instance, they place commands for the compromised computer in social media sites such as Facebook and insert the stolen information into JPEG image files. Such antics make the data generated by the malware appear more like normal traffic and help evade the network monitoring systems in place. </p>
<p>As things stand, network security is clueless as to how exactly to end the Gh0st RAT menace. </p>
<p>Reference:</p>
<p>1.     http://www.cio.com/article/732275/Fireeye_Finds_Gh0stRAT_Cyberespionage_Campaigns_Continue?taxonomyId=3089</p>
<p>2.     http://www.mcafee.com/hk/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/gh0strat-cyber-espionage-campaigns-still-go-strong/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Joint Effort Busts Russian Online Banking Heist</title>
		<link>http://www.networksecurity.com/a-joint-effort-busts-russian-online-banking-heist/</link>
		<comments>http://www.networksecurity.com/a-joint-effort-busts-russian-online-banking-heist/#comments</comments>
		<pubDate>Mon, 29 Apr 2013 07:24:06 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=5980</guid>
		<description><![CDATA[<br />
That information sharing would make the world wide web more secure is a much hackneyed idea. <br />
Security firm Group-IB and Russia’s cyber police Department-K have just offered proof that information sharing works. They have busted a theft worth billions of rubles by prompt and efficient information sharing.<br />
Matters came to a head when Sberbank of Russia, Russia’s largest bank, suspected that cyber criminals were attacking its online banking operations. The bank approached Group-IB to undertake forensic analysis. The ...]]></description>
				<content:encoded><![CDATA[<div class="post_thumb"><a href="http://networksecure.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/6.png"><img src="http://networksecure.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/6.png" alt="6" width="538" height="218" class="alignnone size-full wp-image-5981" /></a></div>
<p>That information sharing would make the world wide web more secure is a much hackneyed idea. </p>
<p>Security firm Group-IB and Russia’s cyber police Department-K have just offered proof that information sharing works. They have busted a theft worth billions of rubles by prompt and efficient information sharing.</p>
<p>Matters came to a head when Sberbank of Russia, Russia’s largest bank, suspected that cyber criminals were attacking its online banking operations. The bank approached Group-IB to undertake forensic analysis. The security researchers confirmed the bank’s worst fears. They unearthed attacker/s nibbling away money from customer accounts, by circumventing the SMS-based verification which was a part of the two-factor authentication required to complete financial transactions through the online portal.</p>
<p>The attacker/s used the Carberp malware, popular for such heists.  The malware, probably installed on the unsuspecting victims’ computers through drive-by-download attack, applied web-injection techniques to display spoofed banking pages when the users tried to log on to the bank portal. When the unsuspecting victims entered their login credentials on such spoofed pages, the malware communicated the information to the attacker. The attacker, having gained the victim’s mobile numbers through similar spoofed pages, cloned SIM cards to hijack the SMS-based payment confirmations.</p>
<p>Group-IB and Sberbank of Russia shared all the information with Department-K, leading to the prompt arrest of the 40-year-old mastermind behind the crime. At the time of arrest, he had 5,000 fraudulent transactions to his credit, dating back to August 2011.</p>
<p>This, incidentally, is the first case investigated within the European Cyber Security Federation (ECyFed) union. ECyFed is a joint front, set up to fight cyber criminals and has Group-IB, CyberDefcon, Northwave, CSIS, and Cyscon as its partners.</p>
<p>Reference:</p>
<p>http://threatpost.com/prolific-russian-bank-fraud-scheme-halted/</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/a-joint-effort-busts-russian-online-banking-heist/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Verizon Data Breach Investigations Report findings</title>
		<link>http://www.networksecurity.com/the-verizon-data-breach-investigations-report-findings/</link>
		<comments>http://www.networksecurity.com/the-verizon-data-breach-investigations-report-findings/#comments</comments>
		<pubDate>Thu, 25 Apr 2013 07:45:22 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=5986</guid>
		<description><![CDATA[<br />
The Verizon Data Breach Investigations Report (DBIR) 2013 reveals the findings after analyzing 47,000 reported security incidents, 621 confirmed data breaches, and 44 million compromised records worldwide, last year. The information has been gathered from Verizon, the US Computer Emergency Response Team (CERT), the US Secret Service, various other national CERTs, and law enforcement agencies in and around Europe. The following are the key findings:<br />
·         75% of security breaches in ...]]></description>
				<content:encoded><![CDATA[<div class="post_thumb"><a href="http://networksecure.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/9.png"><img src="http://networksecure.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/9.png" alt="" width="538" height="218" class="alignnone size-full wp-image-5987" /></a></div>
<p>The Verizon Data Breach Investigations Report (DBIR) 2013 reveals the findings after analyzing 47,000 reported security incidents, 621 confirmed data breaches, and 44 million compromised records worldwide, last year. The information has been gathered from Verizon, the US Computer Emergency Response Team (CERT), the US Secret Service, various other national CERTs, and law enforcement agencies in and around Europe. The following are the key findings:</p>
<p>·         75% of security breaches in 2012 were financially motivated attacks while 20% were cyber espionage for competitive purposes. Hacktivism, as usual, was steady with more DDoS attacks.</p>
<p>·         92% of attackers were outsiders. State-sponsored attacks (mainly from China) accounted for 19%, and insider attacks for 14%.</p>
<p>·         37% of 2012 attacks hit financial organizations; 24% affected retailers and restaurants; 20% manufacturing, transportation, and utilities; and 20% hit professional and information services.</p>
<p>·         40% of the total attacks affected large firms and cyber espionage-type attacks hit small firms largely.</p>
<p>·         Attackers came up with a number of techniques with hacking accounting for 52% of the attacks, malware attacks 40%, physical attacks like ATM skimmers 35%, social ones 29%, misuse 13%, and user mistakes 2%.</p>
<p>·         Smaller companies face a different variety of attack methods than larger firms. Malware and phishing are a popular combination with large companies. Specific attacks like cyber-espionage often aim at larger firms, but these days the same is used against targeted small firms. Senior analyst for the Verizon RISK Team, Jay Jacobs, says, &#8220;With smaller targets, it&#8217;s more of low-hanging fruit&#8230;.With larger targets, we see a more diverse set of attacks.&#8221; According to Verizon, the bottom line is, &#8220;Any attempt to enforce a one-size-fits-all approach to securing our assets may result in leaving some organizations underprotected from targeted attacks, while others potentially overspend on defending against simpler opportunistic attacks&#8221;.</p>
<p>·         In 2012, phishing tactics quadrupled as a result of phishing popularity in cyber espionage campaigns.</p>
<p>·         Criminals from Eastern Europe and North America target the finance, food industries and retail for credentials, payment cards, and bank information. State-sponsored attackers from China target professional, manufacturing and transportation firms for trade secrets, data, and system information.</p>
<p>Principal author of the DBIR reports, Wade Baker said, &#8220;The bottom line is that unfortunately, no organization is immune to a data breach in this day and age&#8230;.We have the tools today to combat cybercrime, but it&#8217;s really all about selecting the right ones and using them in the right way. In other words, understand your adversary &#8211; know their motives and methods, and prepare your defenses accordingly and always keep your guard up.&#8221;</p>
<p>Reference:</p>
<p>http://www.verizonenterprise.com/DBIR/2013/</p>
<p>http://www.darkreading.com/attacks-breaches/no-one-size-fits-all-in-data-breaches-ne/240153379</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/the-verizon-data-breach-investigations-report-findings/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Android Users and Viber lovers better be cautious!</title>
		<link>http://www.networksecurity.com/android-users-and-viber-lovers-better-be-cautious-2/</link>
		<comments>http://www.networksecurity.com/android-users-and-viber-lovers-better-be-cautious-2/#comments</comments>
		<pubDate>Thu, 25 Apr 2013 07:32:52 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=6003</guid>
		<description><![CDATA[<br />
I know how special the critical app Viber is for Android users out there who celebrate the endless Viber season of free messaging, calling and picture sharing with friends worldwide.  The love people have for this App in Google Play Store has given it a 4.4+ rating and over 175 million customers!  However, over 50 million Android users worldwide are at risk from a flaw in this App.<br />
Security experts from Bkav spotted a critical vulnerability ...]]></description>
				<content:encoded><![CDATA[<div class="post_thumb"><img src="http://networksecure.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/viber.jpg" alt="viber" width="538" height="218" class="alignnone size-full wp-image-6004" /></div>
<p>I know how special the critical app Viber is for Android users out there who celebrate the endless Viber season of free messaging, calling and picture sharing with friends worldwide.  The love people have for this App in Google Play Store has given it a 4.4+ rating and over 175 million customers!  However, over 50 million Android users worldwide are at risk from a flaw in this App.</p>
<p>Security experts from Bkav spotted a critical vulnerability in Viber that, when exploited, allows hackers to bypass the Android lock screen and gain full access to the device. Skype-rival Viber confirms the issue and says about 100 million users might have been affected by this. Bkav says the lock screen bypass is ‘simple’. All it needs is 2 Android phones running Viber and a phone number.</p>
<p>Director of Bkav&#8217;s Security Division, Mr. Nguyen Minh Duc says, the weird way in which Viber handles messages causes the issue. &#8220;The way Viber handles to pop up its messages on smartphones&#8217; lock screen is unusual, resulting in its failure to control programming logic, causing the flaw to appear.&#8221;</p>
<p>Here’s how the attack works:</p>
<p>1.      Viber Message is sent to the victim.</p>
<p>2.      By performing some actions with message pop-ups, the Viber keyboard is made to appear.</p>
<p>3.      A missed call is created once the keyboard has appeared or the ‘Back’ button is pressed.</p>
<p>4.      At this point, the lock screen unlocks and the attacker can have complete access to the device.</p>
<p>The third step, however, varies with different devices. Viber has been notified of the vulnerability by Bkav. For safety from this local attack, make sure your phone stays in sight always and don’t let others take it. Also, update the App as soon as Viber releases the Update.</p>
<p>Reference:</p>
<p>https://play.google.com/store/apps/details?id=com.viber.voip&#038;hl=en</p>
<p>http://nakedsecurity.sophos.com/2013/04/24/viber-flaw-bypasses-lock-screen-to-give-full-access-to-androids/</p>
<p>http://news.softpedia.com/news/Viber-Flaw-Allows-Hackers-to-Bypass-Android-Smartphone-Lock-Screens-Video-347763.shtml</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/android-users-and-viber-lovers-better-be-cautious-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hackers Hijack Twitter Account to Spread</title>
		<link>http://www.networksecurity.com/hackers-hijack-twitter-account-to-spread/</link>
		<comments>http://www.networksecurity.com/hackers-hijack-twitter-account-to-spread/#comments</comments>
		<pubDate>Tue, 23 Apr 2013 07:14:05 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=5978</guid>
		<description><![CDATA[<br />
On the afternoon of April 23, the Associated Press tweeted “Breaking: Two Explosions in the White House and Barack Obama is injured.&#8221; Bedlam broke loose and the stock markets went into a tailspin, all until sanity returned and people realized that the news was a hoax. Associated Press suspended its Twitter account and the White House confirmed that Obama was well. <br />
What transpired was that the self-styled “Syrian Electronic Army” had hacked their way into Associated Press’ Twitter ...]]></description>
				<content:encoded><![CDATA[<div class="post_thumb"><a href="http://networksecure.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/5.png"><img src="http://networksecure.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/5.png" alt="" width="538" height="218" class="alignnone size-full wp-image-5979" /></a></div>
<p>On the afternoon of April 23, the Associated Press tweeted “Breaking: Two Explosions in the White House and Barack Obama is injured.&#8221; Bedlam broke loose and the stock markets went into a tailspin, all until sanity returned and people realized that the news was a hoax. Associated Press suspended its Twitter account and the White House confirmed that Obama was well. </p>
<p>What transpired was that the self-styled “Syrian Electronic Army” had hacked their way into Associated Press’ Twitter account to make this tweet. </p>
<p>Associated Press also confirmed that there was a phishing attempt on its corporate network, immediately before the hacking of the Twitter account, indicating that the incident was a calculated effort and not just a mere hoax by some pranksters. </p>
<p>The perpetrators remain at large, and as such, how the account was hijacked, and the motive, remain a matter of speculation.</p>
<p>In all probability, the hackers spear-phished an AP reporter, obtaining his email address from public sources, and then, when the reporter clicked on the apparently harmless email link or attachment, downloaded a keylogger to his system.</p>
<p>Regardless of the motive or the modus operandi, this incident underscores the need for out-of-band two-factor authentication for remote users, and for keystroke encryption.</p>
<p>Out-of-band two-factor authentication requires entering a one-time password sent to the individual over the mobile phone, or any other different channel, to complete the login process. This, however, may not be enough, as hackers who have already installed keyloggers would still be able to capture the password, or even redirect the one-time password to a device they control.</p>
<p>Having keystroke encryption in place is just as important. This encrypts every keystroke at the point of origin, negating the efforts of the keylogger malware to catch passwords and transmit them to its command and control server.</p>
<p>Twitter, incidentally, has already made plans for a two-step login feature, and will be rolling out the authentication feature soon enough.</p>
<p>Reference:</p>
<p>http://www.cio.com/article/732267/AP_Twitter_Hijacking_Proves_Need_for_Better_Authentication_Encryption</p>
<p>http://www.darkreading.com/quickview/twitter-preps-two-factor-authentication/3181</p>
<p>http://threatpost.com/hijacking-of-ap-twitter-account-renews-calls-for-two-factor-authentication/</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/hackers-hijack-twitter-account-to-spread/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Operation Beebus Aims to Steal Defense</title>
		<link>http://www.networksecurity.com/operation-beebus-aims-to-steal-defense/</link>
		<comments>http://www.networksecurity.com/operation-beebus-aims-to-steal-defense/#comments</comments>
		<pubDate>Mon, 22 Apr 2013 07:08:54 +0000</pubDate>
		<dc:creator>Network Editor</dc:creator>
				<category><![CDATA[Network Security]]></category>

		<guid isPermaLink="false">http://www.networksecurity.com/?p=5976</guid>
		<description><![CDATA[<br />
Operation Beebus is an attack campaign targeting government agencies, defense and aerospace establishments, and telecom companies, in the USA and India. Security researchers FireEye, tracking this malware, hold that this attack aims to steal research, design, and manufacturing information on drone vehicles and subsystems.<br />
The attackers launch phishing attacks on their victims to download Mutter, a new backdoor Trojan, on their systems. The perpetrators impersonate people known to the victim, and send malicious PDF documents, seemingly coming from such ...]]></description>
				<content:encoded><![CDATA[<div class="post_thumb"><a href="http://networksecure.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/4.png"><img src="http://networksecure.wpengine.netdna-cdn.com/wp-content/uploads/2013/05/4.png" alt="4" width="538" height="218" class="alignnone size-full wp-image-5977" /></a></div>
<p>Operation Beebus is an attack campaign targeting government agencies, defense and aerospace establishments, and telecom companies, in the USA and India. Security researchers FireEye, tracking this malware, hold that this attack aims to steal research, design, and manufacturing information on drone vehicles and subsystems.</p>
<p>The attackers launch phishing attacks on their victims to download Mutter, a new backdoor Trojan, on their systems. The perpetrators impersonate people known to the victim, and send malicious PDF documents, seemingly coming from such known sources. Having installed itself, Mutter exploits known system vulnerabilities to open a backdoor for the attackers. Over twenty establishments and agencies have succumbed to this malware so far.</p>
<p>The malware remains inactive on host systems for long periods, before executing itself, in an effort to evade the dynamic detection capabilities of antivirus scanners. When the malware remains dormant for long, the antivirus suites give up on analysis and regard the malware as benign software. This evasion technique, incidentally, is strikingly similar to the method adopted by the malware involved in the attack of South Korean banks and broadcasters in March 2013, suggesting a possible link.</p>
<p>The brains behind Operation Beebus are unknown, but all indications point to the infamous Comment Crew, the stealthy cyber unit of China’s People’s Liberation Army. What lends credence to this theory is that the command and control infrastructure of Beebus has much in common with the infrastructure deployed for the 2011 attack against RSA SecurID tokens, which has already been traced to China.</p>
<p>Such revelations notwithstanding, the fact of the matter is that the attacks may have already succeeded. Beebus now has 214 command and control servers, with over 60 unique IP addresses. In 2012, Beebus launched 261 separate attacks on FireEye customers alone. </p>
<p>Reference:</p>
<p>http://threatpost.com/comment-crew-malware-is-after-drone-technology/</p>
<p>http://www.cio.com/article/728292/Chinese_Malware_Targeted_U.S._Drone_Secrets_Security_Firm_Alleges</p>
<p>http://www.fireeye.com/blog/technical/cyber-exploits/2013/02/operation-beebus.html?utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+FE_research+%28FireEye+Malware+Intelligence+Lab%29</p>
]]></content:encoded>
			<wfw:commentRss>http://www.networksecurity.com/operation-beebus-aims-to-steal-defense/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
