Beware scammers gathering data via fake social net IDs

Spear phishing is one of the most effective ways to break into a corporate network, and recent studies show that employees can be easily tricked on social media to provide the information needed to launch attacks.

A phishing attack is only as good as the information hackers are able to gather on the intended victim, who is less likely to click on a malicious link or attachment in an email that does appear to come from a trusted sender. As a result, criminals often research their targets on the Web.

For example, Websense Security Labs recently found a fake LinkedIn profile gathering information that could be used in future attacks.

The profile summary pretends to be that of “Jessica Reinsch,” a made-up employee of a real dating Web site that connects young women with older, wealthy men. The site is located in Switzerland.

While Websense did not find any malicious code on the site, the vendor did find other related domains hosting “suspicious code.” In addition, the IPs used to host the site are in the same autonomous system number (ASN) as multiple exploit kit command and control URLs, including those for RedKit and Neutrino, according to Websense.

The bogus profile had more than 400 connections with legitimate LinkedIn members, giving whoever was behind the account access to people’s current employer, job titles, and connections on the network, which has more than 250 million members.

Jeff Debrosse, director of security research at Websense, said such information would be used to build a social graph of prominent individuals that could be used in spear-phishing attacks.

“That’s worth a lot of money to the buyers of that information,” Debrosse told CSOonline.

Businesses warned

While reconnaissance on potential victims grows more sophisticated, corporations appear to underestimate the threat. Almost 60 percent of 300 IT executives, administrators and professionals in U.S. organizations rated phishing as a “minimal” impact threat, according to an unscientific survey by ThreatSim.

While rating phishing as a low-level threat, more than one in four of the respondents reported phishing attacks that led to a “material breach within the last year.” ThreatSim defined “material” as some form of malware infection, unauthorized access, and stolen data.

During a presentation at the RSA Europe security conference in Amsterdam last week, a cyberdefense specialist described an experiment that showed the effectiveness of using fake profiles on LinkedIn and Facebook to launch an attack.

Aamir Lakhani with IT service provider World Wide Technology described how the fake profile of an attractive female named Emily Williams was used to eventually get employees of an unnamed U.S. government agency to click on a link that could easily have been used to launch malware.

The bogus profile claimed Williams was a new hire at the agency with ten years experience and a 28-year-old graduate of the Massachusetts Institute of Technology. The researchers set up information about the woman on other Web sites to make the profile seem more credible.

Within 15 hours of launching the profile, Williams had 60 Facebook and 55 LinkedIn connections with agency employees and contractors. After 24 hours, she had three job offers from other companies.

The experiment pointed to the need for continuous training in organizations to reduce the chance of employees becoming victims of phishers.

“In the military it’s called situational awareness,” Lakhani told IDG News Service. “We need to develop situational awareness for this type of attack.”

via Beware scammers gathering data via fake social net IDs | PCWorld.

Security team pries open secrets of Chinese hacker gang


A Chinese hacker gang whose malware targeted RSA in 2011 infiltrated more than 100 companies and organizations, and was so eager to steal data that it probed a major teleconference developer to find new ways to spy on corporations, according to researchers.
The remote-access Trojan, or RAT, tagged as “Comfoo” is largely inactive, said a pair of veteran researchers from Dell SecureWorks, who presented their findings at the recent Black Hat security conference.
But their discoveries showed just how pervasively a dedicated group of attackers can infiltrate networks and walk away with secrets.
“We’re not seeing it used to the extent it was before,” said Joe Stewart, director of malware research at SecureWorks, in explaining why he and his colleague, Don Jackson, revealed their undercover campaign.

Digital stakeout

For more than 18 months, Stewart and Jackson, director of SecureWorks’ Counter Threat Unit (CTU), secretly monitored some of the workings of Comfoo, which they believe was the work of a hacker crew they’ve named the Beijing Group. The gang is one of China’s top-two hacker organizations.

To start, Stewart captured a sample of the malware used in the RSA attack, which at the time was attributed to Chinese hackers, then reverse-engineered the encryption that the malware used to mask instructions to and from the gang’s command-and-control (C&C) servers.
Eventually, Stewart was able to spy on the hackers as they logged onto those C&C servers. As they did, Stewart snatched the victims’ MAC addresses—unique identifiers for network hardware—their IP, or “Internet protocol” addresses, and finally, a tag the hackers used to label each data-stealing campaign.
SecureWorks was not able to see what data the attackers were stealing, but their passive monitoring reaped dividends.
“We’ve done similar ops like this before,” said Stewart, “but with the custom stuff, you rarely get this kind of insight or this level of detail of the attacks and victims.”

Victims notified

SecureWorks said its stealthy stakeout—which was intermittent to ensure that the hackers weren’t aware they were watching—uncovered over 100 victims, more than 64 different campaigns and 200-plus Comfoo variants. The Atlanta-based security firm notified some of the victims directly, and others through CERTs, the computer emergency response teams that governments maintain.
“This was just a snapshot of the [total] victims,” Stewart cautioned.
The hackers targeted a wide range of government agencies and ministries, private companies and trade organizations in fields as diverse as energy, media, semiconductors and telecommunications. They seemed eager to grab information from almost anywhere and anyone, although the victims were concentrated in Japan, India, South Korea, and the U.S.
But one victim caught their attention.
While Stewart and Jackson declined to name any of the victims, they said one campaign had been aimed at a major videoconferencing software developer.
They speculated that the attackers were sniffing through that company’s network for information on vulnerabilities in the software, which they could then exploit at other targets to put eyes and ears on confidential industry and government meetings. “They might be trying to leverage that access to spy on third parties,” said Stewart.

Unusual spy targets

(Image credit: SecureWorks) SecureWorks’ virtual stakeout pinpointed the physical location of many of the Comfoo C&C servers. China was the hotspot.

In a report SecureWorks published last week on Comfoo, the company said that targeting audio and videoconferencing products was “unusual.”
Other attacks may have had the same goal: Acquire inside information on everything from specialized security software to digital certificates for use in future campaigns.
SecureWorks’ surveillance will also let security researchers better track the hacker gang, even though the cyber criminals have changed their malware tools since using Comfoo, and will undoubtedly do so again, said Jackson.
“It’s safe to assume that they’ll change their toolkits,” Jackson said. “But as long as the key features match, we should be able to match them [in the future] with campaigns.”
Hacker gangs, Jackson added, have personalities and quirks, and can be “fingerprinted” by closely analyzing not only the malware they use, but also how they organize the C&C infrastructure. “They all have patterns,” Jackson said.
Although he wouldn’t go into specifics, Jackson said that SecureWorks had already used the patterns found in the Comfoo campaigns to identify newer malware and attacks that the company believes are the work of the Beijing Group.
“As long as it’s evolutionary rather than revolutionary, we should be able to spot them,” Jackson said.
via PCWorld

Password thieves target blogs, content management sites

Brute force attacks to pry login credentials from content management sites like blogs have been growing as more data robbers use a short-term gain for a bigger payoff later on.
Such sites are attractive targets because they tend to be less secure than other environments—such as financial services—and since they’re interactive by design, “drive-by” malware planted on them can infect a lot of users quickly, said David Britton, vice president of industry solutions at 41st Parameter.
“With these types of interactive sites being compromised, we see more evidence of the developing attack trend that is focusing less on direct financial gain and more on gathering more detailed personal data, allowing fraudsters to build much more complex social engineering attacks that result in an eventual larger payoff,” he said via email.
More and more attackers are realizing that websites built on CMS platforms, like WordPress, are ripe for password picking. “This marks a sea change in attackers targeting the low-hanging fruit of these blog systems,” Matt Bing, a research analyst with Arbor Networks, said in an interview.
One such brute force campaign was identified last week by Bing. Dubbed “Disco Fort” by the researcher, it’s using 25,000 infected Windows machines to support attacks on more than 6000 Joomla, WordPress, and Datalife Engine sites.
Easy passwords, easy pickings
What attackers are finding is that login credentials for many sites running popular CMS systems are easy to steal. “The common passwords that were used to successfully compromise sites were nothing very sophisticated,” Bing said.
Of the more than 6000 sites compromised by the campaign, the top ten passwords used to crack them were “admin,” “123456,” “123123,” “12345,” “{domain},” “pass,” “123456789,” “1234 150,” “abc123” and “123321.”
Brute force may be overstating what campaigns like Disco Fort are doing, since performing billions of computations in order to crack these sites’ passwords isn’t in the attackers’ game plan. In fact, they can crack many of these sites with very few CPU cycles.

“You can find files on the Internet of the 100,000 most commonly used passwords that can crack more than 95 percent of accounts,” Girish Wadhwani, a product manager at Nok Nok Labs, said in an interview.
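The two defensive checks this passage implies, screening new passwords against the short list the campaign actually needed and spotting the many-sources, few-guesses-each pattern of a botnet-driven login campaign in web server logs, as an added example that is not Arbor Networks' or any CMS project's code. The access-log lines are constructed, the assumption that a failed WordPress login re-renders the form (HTTP 200) while success redirects (302) is mine, and the thresholds are illustrative:

```python
"""Screen passwords against the quoted top-ten list and detect a distributed
password-guessing campaign against a CMS login page (added example; constructed
log lines, assumed thresholds)."""
import re
from collections import defaultdict

# The ten passwords reported for the Disco Fort campaign, as printed in the
# article; "{domain}" stands for the target site's own domain name.
DISCO_FORT_TOP10 = ["admin", "123456", "123123", "12345", "{domain}", "pass",
                    "123456789", "1234 150", "abc123", "123321"]


def is_weak_password(password, domain):
    """True if the password is one of the quoted ten, with {domain} expanded
    both to the full domain and to its first label ('example' for example.org)."""
    label = domain.split(".")[0]
    expanded = {p.replace("{domain}", domain) for p in DISCO_FORT_TOP10}
    expanded |= {p.replace("{domain}", label) for p in DISCO_FORT_TOP10}
    return password.lower() in {p.lower() for p in expanded}


# Apache/nginx combined-log style line (constructed format assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)')


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect_login_bruteforce(lines, login_path="/wp-login.php",
                            min_failures_per_ip=3, min_sources=5):
    """Count POSTs to the login page per source IP.  Assumption: a failed
    WordPress login re-renders the form (200) while success redirects (302).
    A campaign is flagged when many distinct IPs each fail repeatedly, which is
    the signature of a botnet guessing rather than one user mistyping; IPs that
    fail and then succeed are reported as the likely point of compromise."""
    failures = defaultdict(int)
    successes = set()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        if rec["status"] == "200":
            failures[rec["ip"]] += 1
        elif rec["status"] == "302":
            successes.add(rec["ip"])
    suspects = sorted(ip for ip, n in failures.items() if n >= min_failures_per_ip)
    return {
        "campaign": len(suspects) >= min_sources,
        "suspect_ips": suspects,
        "likely_compromised_via": sorted(ip for ip in suspects if ip in successes),
    }


def sample_log():
    """Constructed access-log lines (not real traffic): eight bot IPs fail
    three times each, one of them then succeeds; one normal visitor fails once."""
    fmt = ('{ip} - - [05/Apr/2013:10:{m:02d}:{s:02d} +0000] '
           '"POST /wp-login.php HTTP/1.1" {st} {sz}')
    lines = []
    for i in range(8):
        ip = "198.51.100.%d" % (i + 10)
        for j in range(3):
            lines.append(fmt.format(ip=ip, m=i, s=j * 10, st=200, sz=3120))
    lines.append(fmt.format(ip="198.51.100.12", m=9, s=5, st=302, sz=0))
    lines.append(fmt.format(ip="203.0.113.7", m=9, s=30, st=200, sz=3120))
    lines.append('203.0.113.7 - - [05/Apr/2013:10:09:40 +0000] '
                 '"GET /index.php HTTP/1.1" 200 8842')
    return lines


if __name__ == "__main__":
    print(detect_login_bruteforce(sample_log()))
    print(is_weak_password("Example", "example.org"))
```

The per-IP threshold is deliberately low: each bot in a campaign like Disco Fort needs only a handful of guesses from the short list, so a detector tuned for hundreds of failures from one address would never fire. The password screen is the cheaper control, since a site that refuses the ten strings above (and its own domain name) is already outside the campaign's reach.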
Once Disco Fort compromises a site, it places “backdoor” software on it so its operator can upload and download files and execute commands.
In a number of cases, the attacker installed tools that could be used to activate a drive-by exploit kit. However, no evidence was found that the tools were ever used.
How the attacker is recruiting PCs for a botnet army is also a mystery at this point. “The best evidence we have is that social engineering is being used,” Bing said. “We found an executable that was the name of a book in Russian—Michael Lewis’ “The Big Short: Inside The Doomsday Machine”—so it may have been trying to use that to trick users into installing the malware.”
Shared vulnerabilities targeted
The widespread use of off-the-shelf CMS systems has attracted attackers’ attention because if they have an unknown vulnerability for one of them in their pocket, it can be used to compromise many websites.
“Hackers are always looking to get the most profit for the least work,” Barry Shteiman, a senior security strategist at Imperva, said in an interview. “With these CMS systems, they can do their work once and then hack many, many sites.”
Many CMS systems, like WordPress, are easy to use. That’s a good thing for users, but it’s not so good for site security. “The biggest issue with WordPress is that its users are not always the most technically savvy,” Michael Sutton, vice president of security research at Zscaler, said in an email.
“WordPress is designed to be fairly easy and straightforward to install,” he continued, “so security is an afterthought for many of its users.”
In addition, many bloggers and other CMS users aren’t concerned about someone breaking into their Web locale because they believe they don’t have anything worth stealing. That may be true, but it doesn’t mean they don’t have something valuable to hackers.
“What they don’t realize is that hacking into a website has become all about distributing malware,” Marc Gaffan, founder of Incapsula, said in an interview. “If you have a lot of people coming to your website, it’s a great place to infect your visitors.”
via Password thieves target blogs, content management sites | PCWorld.

Aging networking protocols abused in DDoS attacks

Aging networking protocols still employed by nearly every Internet-connected device are being abused by hackers to conduct distributed denial-of-service (DDoS) attacks.
Security vendor Prolexic found that attackers are increasingly using the protocols for what it terms “distributed reflection denial-of-service attacks” (DrDos), where a device is tricked into sending a high volume of traffic to a victim’s network.
“DrDos protocol reflection attacks are possible due to the inherent design of the original architecture,” Prolexic wrote in a white paper. “When these protocols were developed, functionality was the main focus, not security.”
Government organizations, banks and companies are targeted by DDoS attacks for a variety of reasons. Hackers sometimes use DDoS attacks to draw attention away from other mischief or want to disrupt an organization for political or philosophical reasons.
One of the targeted protocols, known as Network Time Protocol (NTP), is used in all major operating systems, network infrastructure and embedded devices, Prolexic wrote. It is used to synchronize clocks among computers and servers.
A hacker can launch an attack against NTP by sending many requests for updates. By spoofing the origin of the requests, the NTP responses can be directed at a victim host.
It appears the attackers are abusing a monitoring function in the protocol called NTP mode 7 (monlist). The gaming industry has been targeted by this style of attack, Prolexic said.
Other network devices, such as printers, routers, IP video cameras and a variety of other Internet-connected equipment use an application layer protocol called Simple Network Management Protocol (SNMP).
SNMP communicates data about device components, Prolexic wrote, such as measurements or sensor readings. SNMP devices return three times as much data as when they’re pinged, making them an effective amplifier for an attack. Again, an attacker will send a spoofed IP request to an SNMP host, directing the response to a victim.
Prolexic wrote there are numerous ways to mitigate an attack. The best advice is to disable SNMP if it is not needed.
The U.S. Computer Emergency Readiness Team warned administrators in 1996 of a potential attack scenario involving another protocol, Character Generator Protocol, or CHARGEN.
It is used as a debugging tool since it sends data back regardless of the input. But Prolexic wrote that it “may allow attackers to craft malicious network payloads and reflect them by spoofing the transmission source to effectively direct it to a target. This can result in traffic loops and service degradation with large amounts of network traffic.”
CERT recommended at that time to disable any UDP (User Datagram Protocol) service such as CHARGEN if it isn’t needed.
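The three protocols above share one shape: a small UDP request with a forged source address produces a much larger reply to whoever the address names. That gives a network defender two things to look for in flow records: a reflector inside the network whose replies dwarf the requests it receives, and a host inside the network that receives NTP, SNMP or CHARGEN replies it never asked for. The following is an added example, not Prolexic's or CERT's code; the flow records and byte counts are constructed and the minimum amplification ratio is an assumption:

```python
"""Flag UDP reflection and amplification traffic in flow records seen at one
organisation's border (added example; constructed records, assumed thresholds)."""
from collections import defaultdict

# The UDP services the article names, keyed by their well-known server port.
REFLECTOR_PORTS = {123: "ntp", 161: "snmp", 19: "chargen"}


def analyze_reflection(flows, min_ratio=3.0):
    """flows: dicts with src, sport, dst, dport, proto, bytes.  A request is a
    UDP flow whose dport is a reflector port, a response one whose sport is.
    Flows with a reflector port on both ends (symmetric NTP peering) are
    skipped as ambiguous.  Returns one finding per (reflector, service):
      ratio        total response bytes / total request bytes (None if no
                   requests were seen from this vantage point),
      unsolicited  destinations that received responses but sent no request,
                   the mark of spoofed-source reflection seen from the victim,
      victims      destinations that were unsolicited or whose own
                   response/request ratio reaches min_ratio."""
    req_bytes = defaultdict(lambda: defaultdict(int))   # reflector -> client -> bytes
    resp_bytes = defaultdict(lambda: defaultdict(int))  # reflector -> dest -> bytes
    for f in flows:
        if f["proto"] != "udp":
            continue
        to_reflector = f["dport"] in REFLECTOR_PORTS
        from_reflector = f["sport"] in REFLECTOR_PORTS
        if to_reflector and from_reflector:
            continue
        if to_reflector:
            req_bytes[(f["dst"], REFLECTOR_PORTS[f["dport"]])][f["src"]] += f["bytes"]
        elif from_reflector:
            resp_bytes[(f["src"], REFLECTOR_PORTS[f["sport"]])][f["dst"]] += f["bytes"]

    findings = {}
    for key in set(req_bytes) | set(resp_bytes):
        victims = []
        for dest, got in resp_bytes[key].items():
            sent = req_bytes[key].get(dest, 0)
            if sent == 0 or got / sent >= min_ratio:
                victims.append(dest)
        sent_total = sum(req_bytes[key].values())
        got_total = sum(resp_bytes[key].values())
        findings[key] = {
            "ratio": round(got_total / sent_total, 1) if sent_total else None,
            "unsolicited": sorted(d for d in resp_bytes[key] if d not in req_bytes[key]),
            "victims": sorted(victims),
            "response_bytes": got_total,
        }
    return findings


def sample_flows():
    """Constructed flow records (not real traffic).  192.0.2.10 is the
    organisation's NTP server and 192.0.2.77 an ordinary workstation."""
    def F(src, sport, dst, dport, nbytes, proto="udp"):
        return dict(src=src, sport=sport, dst=dst, dport=dport, proto=proto, bytes=nbytes)
    flows = []
    # 1. Ordinary NTP exchange: 76-byte request, 76-byte reply, ratio 1.
    flows += [F("203.0.113.5", 40001, "192.0.2.10", 123, 76),
              F("192.0.2.10", 123, "203.0.113.5", 40001, 76)]
    # 2. Reflection through the local NTP server: 20 small requests whose
    #    source is forged as 198.51.100.9; each reply is a large (constructed)
    #    multi-packet monlist response sent to the forged address.
    for _ in range(20):
        flows.append(F("198.51.100.9", 50000, "192.0.2.10", 123, 76))
        flows.append(F("192.0.2.10", 123, "198.51.100.9", 50000, 44000))
    # 3. The organisation as victim: SNMP replies arrive for 192.0.2.77 from an
    #    outside device it never queried.
    for i in range(5):
        flows.append(F("203.0.113.50", 161, "192.0.2.77", 45000 + i, 1500))
    # 4. A TCP flow to port 123 is not NTP and must be ignored.
    flows.append(F("203.0.113.9", 4444, "192.0.2.10", 123, 600, proto="tcp"))
    return flows


if __name__ == "__main__":
    for key, finding in sorted(analyze_reflection(sample_flows()).items()):
        print(key, finding)
```

The per-destination ratio matters more than the aggregate one: the legitimate client in case 1 shares the NTP server with the attack and would be hidden by a single server-wide number. On the mitigation side this maps directly onto the article's advice: an ntpd server that does not need the monitoring function can turn it off with `disable monitor` and `restrict default noquery` in ntp.conf, and SNMP or CHARGEN that is not needed is simply switched off, which removes the organisation from the pool of reflectors while the victim-side check above remains the only signal for attacks that use someone else's devices.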
via Aging networking protocols abused in DDoS attacks | PCWorld.

Common security flaws leave applications open to amateur hackers, security report says

The software industry’s inability to reduce the number of security flaws in its code is fueling an age of the “everyday hacker,” criminals who can exploit vulnerabilities with a minimum of technical skills, security testing firm Veracode’s latest State of Software Security (SoSS) report suggests.
Of the 22,430 applications submitted to the firm’s code analysis service in an 18-month period ending June 2012, only 13 percent of web applications were able to pass the generic OWASP Top 10 list of security problems.
When it came to standalone applications, only 31 percent complied with the separate CWE/SANS Top 25, a significant decrease from the compliance rate in the previous SoSS report caused, Veracode suggested, by a broader sample of companies using the service.
Nevertheless, the percentage of applications containing common but serious flaws such as SQL injection remained static at 32 percent, with cross-site scripting also stubbornly entrenched at 67 percent.
In short, these failure rates underscore that weak and insecure software development lifecycles are still an issue years after the industry was supposed to have started fixing the problem. Data breaches were an inevitable consequence.

Expect SQL injection attacks
And having failed to eradicate issues such as SQL injection, the ability of non-technical hackers to hunt down and exploit them also augured badly for the industry, Veracode said.
The company predicts that around one in three data breaches during 2013 will be caused by SQL injection alone, one of the easiest for “everyday hackers” to target.
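What makes SQL injection so easy to find and so easy to fix is that it comes from one habit, building the query string out of user input, and disappears with one change, binding the input as a parameter. The following added example, not taken from the Veracode report, shows the flawed lookup beside its corrected form on an in-memory SQLite table, plus the case parameters cannot cover (a column name chosen by the user), which needs an allow-list instead. Table and row contents are constructed:

```python
"""SQL injection: the string-built query beside its parameterized fix, and an
allow-list for the one piece of a query (an identifier) that parameters cannot
bind (added example; constructed table)."""
import sqlite3


def make_db():
    """Constructed two-row users table in an in-memory database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "hash-a"), ("bob", "hash-b")])
    return con


def lookup_vulnerable(con, name):
    """Flawed: the caller's text is spliced into the SQL, so quote characters
    in it become query syntax rather than data.  Kept only as the 'before'."""
    sql = "SELECT name FROM users WHERE name = '%s'" % name
    return [row[0] for row in con.execute(sql)]


def lookup_parameterized(con, name):
    """Fixed: the driver binds the value separately from the statement, so the
    same text can only ever match a literal user name."""
    rows = con.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# Parameters bind values, not identifiers: a user-chosen sort column has to be
# checked against a fixed set of names before it is placed in the statement.
ALLOWED_SORT_COLUMNS = {"name", "pw_hash"}


def list_users_sorted(con, column):
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unknown sort column: %r" % column)
    rows = con.execute("SELECT name FROM users ORDER BY %s" % column)
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # the classic test string a scanner would send
    print("vulnerable:    ", lookup_vulnerable(db, probe))      # every row
    print("parameterized: ", lookup_parameterized(db, probe))   # nothing
    print("sorted:        ", list_users_sorted(db, "name"))
```

Run against the same probe string, the first function returns every row because the input closed the quoted literal and appended an always-true condition, while the second returns nothing because it looked for a user literally named `x' OR '1'='1`. Reviewing a code base for `%`, `+` or f-string formatting next to `execute` finds the first pattern mechanically, which is also why the report can count it across tens of thousands of applications.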
“The pessimist remains very concerned that we are not seeing the dramatic decreases in exploitable coding flaws that I expect to see with each passing year,” said Veracode’s co-founder and CTO, Chris Wysopal in his introduction to the report.
“It’s as if for each customer, development team, or application that has become more secure, there are an equal number or more that do not,” he added. “Put more bluntly, we must figure out a way to code more securely simply to keep up with attacks from the most basic attacker.”
The effect of failures in the SDL on the security professional and CISOs is open to some debate although Veracode claims that the average length of tenure could now be as low as 18 months. Is this an effect of data breaches, and therefore code insecurity? That’s not clear.
via Common security flaws leave applications open to amateur hackers, security report says | PCWorld.

Brace for more mega-DDoS attacks, security experts warn

Distributed Denial of Service attacks like the one that resulted from an altercation between a Dutch company and Spamhaus last week are on the rise, according to a report by security firm Kaspersky Labs.
The security vendor was responding to the huge DDoS attack that occurred last week, described as the biggest cyber attack in history. The attack affected millions of rank-and-file Internet users, slowing hundreds of processes down.
Spamhaus attacks tracked
According to reports, the DDoS attack occurred when Spamhaus, an organization that blacklists spammers, blacklisted Dutch company Cyberbunker, an open hosting service that allows anyone to set up a website on its servers.
The attack exploited the architecture of the Internet to herd huge amounts of traffic to the Spamhaus website. The attack then went global, affecting the wider Internet.
“Based on the reported scale of the attack, which was evaluated at 300 Gigabits per second, we can confirm that this is one of the largest DDoS operations to date,” said Kaspersky Lab’s Global Research and Analysis team in a statement.
“The data flow generated by such an attack may affect intermediate network nodes when it passes them, thus impeding operations of normal web services that have no relation to Spamhaus or Cyberbunker. Therefore, such DDoS attack may affect regular users as well, with network slowdown or total unavailability of certain web resources being typical symptoms. There may be further disruptions on a larger scale as the attack escalates.”
According to reports, Spamhaus called on Cloudflare to counter the attack after it found its defences were being overwhelmed. Cloudflare’s counters worked, so the hackers began attacking sites affiliated with Spamhaus, as well as sites used by Cloudflare. Before long, the attack had begun to affect service across the Internet.
Expect more attacks
While the worst of this latest high-level DDoS attack may now be over, Kaspersky said that the world could expect to see more of the same. Cyber criminals can now attack much more frequently and on a much wider scale, the statement said.
“In general, attacks of this type are growing in terms of quantity as well as scale. Among the reasons for this growth is the development of the Internet itself (network capacity and computing power) and past failures in investigating and prosecuting individuals behind past attacks.”
Kaspersky said that there are two major motives behind launching such high-level attacks. Firstly, the statement said, cyber criminals conduct DDoS attacks to disrupt organizations in order to extort money from them. Secondly, hackers use DDoS attacks as a weapon to disrupt organizations out of ideological or political interests.
Going by the reports of the recent Internet-wide attack, it would appear that the attackers were making a political point, rather than attempting to extort money.
via Brace for more mega-DDoS attacks, security experts warn | PCWorld.