http://arstechnica.com/security/2015/08/fake-eff-site-serving-espionage-malware-was-likely-active-for-3-weeks/
By Dan Goodin, Ars Technica, Aug 28, 2015

A spear-phishing campaign some researchers say is linked to the Russian government masqueraded as the Electronic Frontier Foundation in an attempt to infect targets with malware that collects passwords and other sensitive data. The targeted e-mails, which link to the fraudulent domain electronicfrontierfoundation.org, appear to be part of a larger campaign known as Pawn Storm. Last October, researchers at security firm Trend Micro brought the campaign to light and said it was targeting US military, embassy, and defense contractor personnel, dissidents of the Russian government, and international media organizations. Last month, Trend Micro said the espionage malware campaign entered a new phase by exploiting what then was a zero-day vulnerability in Oracle’s widely used Java browser plugin. Separate security firm FireEye has said the group behind the attacks has ties to Russia’s government and has been active since at least 2007. EFF staff technologist Cooper Quintin wrote in a blog post published Thursday that the round of attacks involving the electronicfrontierfoundation.org site may have the ability to infect Mac and Linux machines, as well as the normal Windows fare. On Windows, the campaign downloads a payload known as Sednit that ultimately installs a keylogger and other malicious modules. Its use of the same path names, Java payloads, and Java exploits found in last month’s campaign means it’s almost certainly the work of the same Pawn Storm actors that struck last month. Quintin wrote: […]
http://www.csoonline.com/article/2854672/business-continuity/the-breach-at-sony-pictures-is-no-longer-just-an-it-issue.html
By Steve Ragan, Salted Hash, CSO, Dec 2, 2014

I’m going to make a prediction. The breach at Sony Pictures has nothing to do with North Korea, aside from the fact that the destructive malware believed to be present on Sony’s network is similar to the malware used in South Korea in 2013 – an incident that was blamed on North Korea. Furthermore, I predict there will be an insider aspect to Sony’s breach. The first part of the attack on Sony centered on compromising records; once done, the attackers planted malware that was timed – based on the FBI memo – to activate just before Thanksgiving. The easiest way to accomplish this task – assuming I’m right – is by having someone on the inside with just enough access that everything looks normal with a passive glance at the logs. The second part of the attack on Sony is the aftermath, including the financial burden of dealing with box office losses, employee issues, as well as any fines that are sure to be levied. Sony’s just starting to enter this phase. On Monday, GOP (Guardians of Peace), the group claiming responsibility for the attack on Sony, pushed 25GBs worth of data to the public domain. They say this is only a fraction of the data they were able to compromise, suggesting to one media outlet that they were harvesting records for more than a year before making themselves known. A year. […]
http://www.theregister.co.uk/2014/11/06/hackers_use_gmail_drafts_as_dead_drops_to_control_malware_bots/
By John Leyden, The Register, 6 Nov 2014

Sneaky hackers are using Gmail and Yahoo! drafts to control compromised devices, with the tactic designed to make malware-related communications more difficult to pick up in enterprise environments. Attacks occur in two phases. Hackers first infect a targeted machine via simple malware that installs Python onto the device, enabling simple attack scripts to run. Using Gmail (or Yahoo! Mail), hackers then use draft emails to run command and control prompts on these compromised systems, allowing them to siphon data from infected devices. The new attack methods have already been used in the wild against a variety of large-scale targets, according to security researchers at Shape Security, who say the malware at the centre of the attack is a variant of the Icoscript remote access trojan first discovered by the German security software firm G-Data back in August. […]
http://www.v3.co.uk/v3-uk/news/2356410/fresh-threat-to-critical-infrastructure-found-in-havex-malware
By Alastair Stevenson, V3.co.uk, 21 Jul 2014

A dangerous open-platform communication (OPC) scanner that could be used to launch cyber attacks against critical infrastructure areas has been discovered in a variant of the Havex malware. The scanner was uncovered by researchers at FireEye while investigating a variant of Havex commonly referred to as “Fertger” or “Peacepipe”. Threat intelligence analyst at FireEye Kyle Wilhoit said the scanner is dangerous as it could be used by hackers to target the supervisory control and data acquisition (SCADA) systems used in many critical infrastructure areas, including water and power plants. “If an attacker wanted to attack an OPC server, they would need and want details of the OPC servers they were targeting. Having the OPC scan data gives the attacker enough information to start possible next phases of attack against a SCADA environment,” he said. […]
http://www.nextgov.com/cybersecurity/2014/04/gsa-has-new-plan-cloud-providers-navigating-changing-security-standards/83014/
By Frank Konkel, Nextgov.com, April 22, 2014

The General Services Administration released a transition plan on Tuesday that provides guidance to cloud computing service providers that will have to adhere to new baseline security standards slated for release in June. The transition plan will govern how CSPs adhere to upcoming changes to the Federal Risk and Authorization Management Program, or FedRAMP, based on the fourth revision of the National Institute of Standards and Technology’s Special Publication 800-53. The plan provides specific guidance to CSPs at varying stages. CSPs in the early “initiation” phase will have to implement new baseline standards and test SP 800-53 Rev. 4 controls before receiving authorization. Those in the FedRAMP pipeline before June 1 will be assessed against current FedRAMP baseline standards – based on NIST’s SP 800-53 Rev. 3 – but will have one year from the authorization date to implement the new baseline, submit new documents using updated templates and test their controls against new Rev. 4 controls. Similarly, CSPs with FedRAMP-accredited solutions with an annual continuous monitoring assessment completed prior to June 1 will have “one year from the date of their last assessment” to implement the new baseline and complete testing. CSPs with an annual assessment scheduled between June 1, 2014 and Jan. 1, 2015, must implement the new baseline and complete testing in 2015. […]
http://thediplomat.com/2014/02/s-korea-seeks-cyber-weapons-to-target-north-koreas-nukes/
By Zachary Keck, The Diplomat, February 21, 2014

South Korea is developing offensive cyber weapons to target North Korea’s nuclear weapons program, the country’s defense ministry said on Wednesday. According to Yonhap News Agency, South Korea’s Defense Ministry outlined its long-term cyberpolicy to the parliament’s defense committee on Wednesday. The report stated that, “A strategic plan for the second phase calls for developing cybertools for offense like Stuxnet, a computer virus that damaged Iran’s uranium enrichment facility, to cripple North Korea’s missile and atomic facilities.” Yonhap also quoted an anonymous senior defense official as saying: “Once the second phase plan is established, the cyber command will carry out comprehensive cyberwarfare missions.” These missions will be carried out under a new Cyber Defense Command that South Korea plans to establish in May. It will operate under the purview of the ROK Joint Chiefs of Staff, according to the report. South Korea first established a Cyber Command in 2010 to guard against the threat posed by North Korea’s elite unit of hackers. So far, its aims have primarily been to protect vulnerable national networks from cyber attacks originating from North Korea, as well as to wage psychological warfare campaigns against Pyongyang. The decision to equip South Korea’s cyber warriors with the capabilities to attack North Korea’s nuclear and missile facilities therefore represents a dramatic escalation. […]
http://www.eurekalert.org/pub_releases/2013-12/pm-fcs121613.php
Contact: Annie Touchette, annie.touchette/at/polymtl.ca, 514-231-8133, Polytechnique Montréal

Montreal, December 16, 2013 – Installing computer security software, updating applications regularly and making sure not to open emails from unknown senders are just a few examples of ways to reduce the risk of infection by malicious software, or “malware”. However, even the most security-conscious users are open to attack through unknown vulnerabilities, and even the best security mechanisms can be circumvented as a result of poor user choices. “The reality is that successful malware attacks depend on both technological and human factors,” says Professor José Fernandez. “Although there has been significant research on the technical aspects, there has been much less on human behaviour and how it affects malware and defence measures. As a result, no one at the present time can really say how important these factors are. For example, are users who are older and less computer-savvy more open to infection?” It is therefore necessary to take a closer look at the impact that both technological and human factors have on the success or failure of protective mechanisms. To answer this type of question, Prof. Fernandez and his team drew inspiration from the clinical trial method to design the first-ever study applied to computer security. In a fashion similar to medical studies that evaluate the effectiveness of a particular treatment, their experiment was aimed at assessing the performance of anti-virus software and the likelihood that participants’ computers would become infected with malware. The four-month study involved 50 subjects who agreed to use laptops that were instrumented to monitor possible infections and gather data on user behaviour.
“Analyzing the data allowed us not only to identify which users were most at risk, based on their characteristics and behaviour, but also to measure the effectiveness of various protective measures,” says Polytechnique student Fanny Lalonde Lévesque, who is writing her master’s thesis on this project. This pilot study provided some very interesting results on the effectiveness of computer defences and the risk factors for infection. For example, 38% of the users’ computers were exposed to malware and 20% were infected, despite the fact that they were all protected by the same anti-virus product, which was updated regularly. With regard to the users themselves, there did not seem to be any significant difference in exposure rates between men and women. In addition, the most technically sophisticated users turned out to be the group most at risk… This result may seem counter-intuitive, as it contradicts the opinion of some computer experts who argue that people should have a kind of “Internet license” before going online. “The results of this study provide some intriguing insights. Are these ‘expert’ users at higher risk because of a false sense of security, or because they are naturally curious and therefore more risk-tolerant? Further research is needed to understand the causes of this phenomenon, so that we can better educate and raise awareness among users,” says Professor Fernandez. In the future, this type of study will help provide scientific data to support decision-making on security management, education, regulation and even computer security insurance. A second phase, which will involve hundreds of users over a period of several months, is already being prepared. The initial results of this experiment were presented at the ACM Conference on Computer and Communications Security (CCS), which took place in November 2013 in Berlin, Germany.
This research was carried out with the financial support of the Natural Sciences and Engineering Research Council of Canada Internetworked Systems Security Network (NSERC ISSNet), Trend Micro and MITACS.
http://www.bankinfosecurity.com/whatever-happened-to-ddos-phase-4-a-5986
By Tracy Kitten, Bank Info Security, August 13, 2013

It has been three weeks since Izz ad-Din al-Qassam Cyber Fighters declared “The break’s over and it’s now time to pay off,” announcing Phase 4 of “Operation Ababil,” the nearly year-long campaign of distributed-denial-of-service attacks on major U.S. banks (see DDoS: Attackers Announce Phase 4). But it has been nearly two weeks since any DDoS activity could be attributed to this group. Which begs the question: Is Phase 4 over before it ever really began? DDoS experts offer varying theories about the recent inactivity. “I believe that to a large extent, this particular set of attacks is over,” says Rodney Joffe, senior technologist at DDoS-mitigation provider Neustar. “If attacks come back, I believe [they] will be a totally new initiative, perhaps by the same actors and perhaps using the same proxy.” Mike Smith, a security evangelist at cybersecurity firm Akamai, says it’s hard to be certain why al-Qassam has been silent. […]