SMALL WARS COUNCIL

Media, Information & Cyber Warriors Getting the story, dealing with those who do, and operating in the information & cyber domains. Not the news itself, that's here.

Old 01-14-2013   #1
AdamG
Council Member
Join Date: Dec 2005
Location: Hiding from the Dreaded Burrito Gang
Posts: 2,103
Default Malware & other nasty IT / cyber things

Quote:
Researchers at Kaspersky Lab have uncovered an "advanced cyber espionage network" - dubbed Red October - that has been active for at least five years and is targeting diplomatic and government agencies.

At the request of an unnamed partner, Kaspersky investigated and uncovered Red October (or Rocra) in October. Since at least 2007, it has targeted organizations mostly in Eastern Europe, former USSR members, and countries in Central Asia, but the malware has also showed up in Western Europe and North America.
http://www.pcmag.com/article2/0,2817,2414260,00.asp

Quote:
The team at Kaspersky noted that though they’d found a set of 60 “command and control” servers throughout Germany and Russia that were responsible for these attacks, they each appeared to have been controlled by a sort of “mother ship” server which they’ve not yet located. Each of the attacks thus far appears to have been attached to Microsoft Word or Excel documents and delivered via email. When the document was downloaded and opened, a connection was made between the computer and one of the many command and control servers which then delivered the files necessary to collect secure data.

This Rocra malware was also spread with USB drives as well as through smartphones, not just through desktop machines. Mentions of Russian words throughout the discovered malware systems have been suggested to either point towards the software as being Russian in origin or placed deliberately to make the software appear to have come from Russia when in fact it was made by a different group entirely.
http://www.slashgear.com/operation-r...-lab-14265239/
__________________
A scrimmage in a Border Station
A canter down some dark defile
Two thousand pounds of education
Drops to a ten-rupee jezail


http://i.imgur.com/IPT1uLH.jpg
AdamG is offline   Reply With Quote
Old 02-11-2014   #2
AdamG
Council Member
Join Date: Dec 2005
Location: Hiding from the Dreaded Burrito Gang
Posts: 2,103
Default Kaspersky Lab Uncovers “The Mask”

Sounds ominous. Anyone know anything more that they can share?

Quote:
Punta Cana, Dominican Republic – February 10, 2014 - Kaspersky Lab’s security research team today announced the discovery of “The Mask” (aka Careto), an advanced Spanish-language speaking threat actor that has been involved in global cyber-espionage operations since at least 2007. What makes The Mask special is the complexity of the toolset used by the attackers, including an extremely sophisticated malware, a rootkit, a bootkit, Mac OS X and Linux versions and possibly versions for Android and iOS (iPad/iPhone).

The primary targets are government institutions, diplomatic offices and embassies, energy, oil and gas companies, research organizations and activists. Victims of this targeted attack have been found in 31 countries around the world – from the Middle East and Europe to Africa and the Americas.
http://usa.kaspersky.com/about-us/pr...global-cyber-e
AdamG is offline   Reply With Quote
Old 02-16-2014   #3
AdamG
Council Member
Join Date: Dec 2005
Location: Hiding from the Dreaded Burrito Gang
Posts: 2,103
Default

Quote:
Based on the prevalence of Spanish-speaking victims, the number of infected victims in Morocco, and the fact that Gibraltar is on the list, that implies Spain is behind this one. My guess is that soon countries will start infecting uninteresting targets in order to deflect blame, but that they still think they’re immune from discovery. So Spain, if it is you, attack a few sites in the Falklands next time -- and use a separate tool for Morocco.
https://www.schneier.com/blog/archiv...sk_espion.html
AdamG is offline   Reply With Quote
Old 02-25-2014   #4
AdamG
Council Member
Join Date: Dec 2005
Location: Hiding from the Dreaded Burrito Gang
Posts: 2,103
Default INFOSEC Issue: Latest iPhone Update Fixes Major Security Flaw That Apple Kept Quiet

Separate thread, considering the number of readers using iPhones.

Quote:
Apple quietly released a major update Friday to fix a security glitch in its iOS 7 systems. But independent security experts say the seemingly routine update covers up what arguably could be Apple’s biggest security lapse, exposing iPhone, iPad and iPod Touch users to hackers.

The issue is an extra line of “goto” code that bypasses the iOS system’s authentication process, allowing a third party to intercept emails and Internet traffic. That means a hacker can pose as a friendly, trusted source, such as your email provider, and eavesdrop on users’ encrypted Internet traffic and potentially take full control of the system.
http://thinkprogress.org/home/2014/0...ecurity-flaw/#
AdamG is offline   Reply With Quote
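The quoted bug is a control-flow slip, so here is a simplified reconstruction of it in C, added to this thread and not Apple's code: the hash and signature routines are stand-ins I constructed, but the buggy verifier's control flow, with its extra unconditional "goto fail;", is the pattern described, shown beside the corrected form.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simplified reconstruction of the "goto fail" defect class. NOT Apple's code:
   hash_update() and sig_verify() are stand-ins constructed for the demo.
   What is faithful is the control flow: an extra, unconditional "goto fail;"
   jumps to the cleanup label while err still holds the success code from the
   previous step, so the signature comparison never runs and a forged
   signature is accepted. */

#define ERR_OK        0
#define ERR_BAD_INPUT 1
#define ERR_BAD_SIG   2

/* Stand-in for hashing the handshake data: a 4-byte XOR digest (demo only). */
static int hash_update(uint8_t digest[4], const uint8_t *data, size_t len) {
    if (data == NULL || len == 0) return ERR_BAD_INPUT;
    for (size_t i = 0; i < len; i++) digest[i % 4] ^= data[i];
    return ERR_OK;
}

/* Stand-in for the signature check: the "signature" is just the expected digest. */
static int sig_verify(const uint8_t digest[4], const uint8_t sig[4]) {
    return memcmp(digest, sig, 4) == 0 ? ERR_OK : ERR_BAD_SIG;
}

/* Produces the only signature verify_fixed() will accept for msg (demo helper). */
void make_sig(const uint8_t *msg, size_t len, uint8_t sig[4]) {
    memset(sig, 0, 4);
    hash_update(sig, msg, len);
}

/* Buggy variant. In the original source the duplicated line was indented as if
   it belonged to the preceding if, but C has no such rule: it always executes. */
int verify_buggy(const uint8_t *msg, size_t len, const uint8_t sig[4]) {
    uint8_t digest[4] = {0};
    int err;

    if ((err = hash_update(digest, msg, len)) != ERR_OK)
        goto fail;
    goto fail;                       /* the extra line: unconditional jump, err == ERR_OK */
    if ((err = sig_verify(digest, sig)) != ERR_OK)   /* never reached */
        goto fail;
fail:
    return err;
}

/* Fixed variant: braces make each jump explicitly conditional, and sig_verify() runs. */
int verify_fixed(const uint8_t *msg, size_t len, const uint8_t sig[4]) {
    uint8_t digest[4] = {0};
    int err;

    if ((err = hash_update(digest, msg, len)) != ERR_OK) {
        goto fail;
    }
    if ((err = sig_verify(digest, sig)) != ERR_OK) {
        goto fail;
    }
fail:
    return err;
}

/* Constructed handshake bytes and a forged signature for the demonstration. */
static const uint8_t DEMO_MSG[] = "ServerKeyExchange";
#define DEMO_LEN (sizeof(DEMO_MSG) - 1)
static const uint8_t FORGED_SIG[4] = {0, 0, 0, 0};

int demo_buggy_accepts_forged(void)  { return verify_buggy(DEMO_MSG, DEMO_LEN, FORGED_SIG); }
int demo_fixed_rejects_forged(void)  { return verify_fixed(DEMO_MSG, DEMO_LEN, FORGED_SIG); }
int demo_fixed_accepts_genuine(void) {
    uint8_t good[4];
    make_sig(DEMO_MSG, DEMO_LEN, good);
    return verify_fixed(DEMO_MSG, DEMO_LEN, good);
}

int main(void) {
    printf("buggy, forged signature:  %d (0 = accepted)\n", demo_buggy_accepts_forged());
    printf("fixed, forged signature:  %d\n", demo_fixed_rejects_forged());
    printf("fixed, genuine signature: %d\n", demo_fixed_accepts_genuine());
    return 0;
}
```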
Old 08-09-2016   #5
AdamG
Council Member
Join Date: Dec 2005
Location: Hiding from the Dreaded Burrito Gang
Posts: 2,103
Default Espionage platform with more than 50 modules was almost certainly state sponsored.

Quote:
Security experts have discovered a malware platform that's so advanced in its design and execution that it could probably have been developed only with the active support of a nation-state.

The malware—known alternatively as "ProjectSauron" by researchers from Kaspersky Lab and "Remsec" by their counterparts from Symantec—has been active since at least 2011 and has been discovered on 30 or so targets. Its ability to operate undetected for five years is a testament to its creators, who clearly studied other state-sponsored hacking groups in an attempt to replicate their advances and avoid their mistakes. State-sponsored groups have been responsible for malware like the Stuxnet- or National Security Agency-linked Flame, Duqu, and Regin. Much of ProjectSauron resides solely in computer memory and was written in the form of Binary Large Objects, making it hard to detect using antivirus.
http://arstechnica.com/security/2016...d-for-5-years/
AdamG is offline   Reply With Quote
Old 08-26-2016   #6
AdamG
Council Member
Join Date: Dec 2005
Location: Hiding from the Dreaded Burrito Gang
Posts: 2,103
Default

Government Hackers Caught Using Unprecedented iPhone Spy Tool

Quote:
It appears that the company that provided the spyware and the zero-day exploits to the hackers targeting Mansoor is a little-known Israeli surveillance vendor called NSO Group, which Lookout’s vice president of research Mike Murray labeled as “basically a cyber arms dealer.”
http://motherboard.vice.com/read/gov...reak-nso-group
AdamG is offline   Reply With Quote
Old 08-26-2016   #7
AdamG
Council Member
Join Date: Dec 2005
Location: Hiding from the Dreaded Burrito Gang
Posts: 2,103
Default

Quote:
Hackers claim to have stolen attack code from a team of sophisticated cyber spies known as “the Equation Group,” widely believed to be associated with the U.S. National Security Agency, one of the world’s top intelligence outfits. The hackers have offered to sell their purloined exploits to the highest bidder in an online auction conducted in the cryptocurrency Bitcoin.

Although the alleged breach could just be an extravagant hoax, experts who reviewed a preliminary data dump teased alongside the hackers’ garbled sales pitch said that the files, amazingly, looked authentic. “This appears to be legitimate code,” Matt Suiche, a French cybersecurity entrepreneur, wrote in a Medium blog post, echoing what others had posted on Twitter.
http://fortune.com/2016/08/16/nsa-ha...cyber-weapons/
AdamG is offline   Reply With Quote
Old 02-24-2017   #8
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,749
Default Cloudflare: Alert passwords compromised

Warning for SWJ commenters and bloggers and/or blog sites....

List of Sites possibly affected by Cloudflare's #Cloudbleed HTTPS Traffic Leak

https://github.com/pirate/sites-usin...ster/README.md

Quote:
DISCLAIMER:
This list contains all domains that use cloudflare DNS, not just the cloudflare SSL proxy (the affected service that leaked data). It's a broad sweeping list that includes everything. Just because a domain is on the list does not mean the site is compromised. This list will be narrowed down to the affected domains as I get more information. This is a (work-in-progress) list of domains possibly affected by the CloudBleed HTTPS traffic leak. Original vuln thread by Google Project Zero.
Cloudflare has not provided an official list of affected domains, and likely will not due to privacy concerns. I'm compiling an unofficial list here so you know what passwords to change.
Impact
Between 2016-09-22 - 2017-02-18 passwords, private messages, API keys, and other sensitive data were leaked by Cloudflare to random requesters. Data was cached by search engines, and may have been collected by random adversaries over the past few months.
"The greatest period of impact was from February 13 and February 18 with around 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests), potential of 100k-200k pages with private data leaked every day" -- source
You can see some of the leaked data yourself in search engine caches: https://duckduckgo.com/?q=+%7B%22sch...IP&t=h_&ia=web
What should I do?
Check your password managers and change all your passwords, especially those on these affected sites. Rotate API keys & secrets, and confirm you have 2-FA set up for important accounts. Theoretically sites not in this list can also be affected (because an affected site could have made an API request to a non-affected one), so to be safe you should probably change all your important passwords.
Submit PR's to add domains that you know are using cloudflare
Methodology
This list was compiled from 3 large dumps of all cloudflare customers provided by crimeflare.com/cfs.html, and several manually copy-pasted lists from stackshare.io and wappalyzer.com. Crimeshare collected their lists by doing NS DNS lookups on a large number of domains, and checking SSL certificate ownership.
I scraped the Alexa top 10,000 by using a simple loop over the list:
# fish shell syntax: command substitution is (...) and blocks close with "end"
for domain in (cat ~/Desktop/alexa_10000.csv)
    # keep the domain if any of its NS records mention cloudflare
    if dig $domain NS | grep cloudflare
        echo $domain >> affected.txt
    end
end
The alexa scrape, and the crimeflare dumps were then combined in a single text file, and passed through uniq | sort. I've since accepted several PRs and issues to remove sites that were unaffected from the list.
Data sources:
https://stackshare.io/cloudflare
https://wappalyzer.com/applications/cloudflare
DNS scraper I'm running on Alexa top 10,000 sites (grepping for cloudflare in results)
https://www.cloudflare.com/ips/ (going to find sites that resolve to these IPs next)
http://www.crimeflare.com/cfs.html (scrape of all cloudflare customers)
http://www.doesitusecloudflare.com/
I'd rather be safe than sorry so I've included any domain here that remotely touches cloudflare. If I've made a mistake and you believe your site is not affected, submit a PR and I will merge it ASAP, I don't want to hurt anyone's reputation unnecessarily.
You can also ping me on twitter @theSquashSH and I'll respond as soon as I can.
Full List
Download the full list.zip (22mb)
4,287,625 possibly affected domains. Download this file, unzip it, then run grep -x domaintocheck.com sorted_unique_cf.txt to see if a domain is present.
Also, a list of some iOS apps that may have been affected.
For those late to it, yes, you probably should change your passwords on sites that use CloudFlare as a precaution
https://bugs.chromium.org/p/project-...etail?id=1139#

To be clear, this isn't some nation state level attack: data is cached in search engines right now

Last edited by OUTLAW 09; 02-24-2017 at 07:44 AM.
OUTLAW 09 is offline   Reply With Quote
Old 02-24-2017   #9
davidbfpo
Council Member
Join Date: Mar 2006
Location: UK
Posts: 11,095
Default Cloudflare: Alert passwords compromised

A new thread for temporary maximum visibility, explained in the main post that will appear first in a moment. Thanks to Outlaw09 for spotting the circulation.
__________________
davidbfpo
davidbfpo is offline   Reply With Quote
Old 02-28-2017   #10
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,749
Default

CloudBleed: check if you visited sites affected by CloudFlare’s security issue

By Martin Brinkmann on February 26, 2017 in Security - Last Update: February 26, 2017

CloudBleed is the unofficial name for a security issue discovered on February 17th, 2017 that affected CloudFlare's reverse proxies.
CloudFlare is a large provider that is used by more than 5.5 million Internet properties according to the company's website. It offers CDN and DDoS protection, optimization technologies for websites, dedicated SSL and a lot more.
The basic service is offered for free, but webmasters and organizations may upgrade to a paid plan for additional features and better protection.
The security issue at hand caused the servers to "run past the end of a buffer" which returned memory that contained private information. Among other things, it might have included HTTP cookies, authentication tokens, HTTP Post bodies, and other sensitive data.
The issue was disclosed by Google's Project Zero, and has since been fixed by CloudFlare.
Cloudbleed

The main issue for Internet users is that their authentication cookies or data may have leaked. Search engines may have cached the data, and attackers may have exploited the issue as well to gather the data.
Since there is no record of whether individual user data was leaked or not, some experts suggest that users change passwords on all sites and services that use CloudFlare. This is a difficult thing for most users however, as it is quite time consuming to find out whether services and sites use CloudFlare.
The Firefox add-on and Chrome extension CloudBleed changes that. Designed by the NoSquint Plus author, it parses the browsing history of the browser to reveal any site or service that uses CloudFlare.
This enables you to go quickly through the listing to identify sites that you have an account on.
The extensions work identically in both browsers. Simply install it in your browser of choice, and click on the icon that it adds to the main toolbar of the browser.
The page that loads includes a short explanation, and a search button that you need to click on. The extension goes through the browsing history then, and checks whether sites in the history were affected by the issue.
Some sites may appear multiple times in the listing. An option to filter sites by domain, or subdomain, would have been useful.
The author notes that all processing is done on the local system. All that is left afterwards is to go through the list to identify the sites with accounts.
Closing Words
CloudBleed is a handy browser extension for Google Chrome and Firefox. You may use it to reveal sites affected by CloudFlare's recent security issue quickly, provided that you did not delete the browsing history in the meantime.
Now You: Have you changed account passwords of affected sites?
OUTLAW 09 is offline   Reply With Quote
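To make the two checks described in posts #8 and #10 concrete, here is an added C example (mine, not code from the linked README or the CloudBleed extension): the exact-line test that grep -x performs against sorted_unique_cf.txt, and a scan of browsing-history URLs against that list that reports each listed site once even when the history holds many pages and subdomains of it. The list entries and history URLs are constructed sample data.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Constructed stand-in for a few lines of sorted_unique_cf.txt (one host per line).
   A real run would load the downloaded file; the names below are invented. */
static const char *CF_LIST[] = {
    "example-cdn.com",
    "forum.example.net",
    "shop.example.org",
};
#define CF_LIST_LEN (sizeof(CF_LIST) / sizeof(CF_LIST[0]))

/* Exact whole-line match, the same test as `grep -x host sorted_unique_cf.txt`. */
int in_cf_list(const char *host) {
    for (size_t i = 0; i < CF_LIST_LEN; i++)
        if (strcmp(host, CF_LIST[i]) == 0) return 1;
    return 0;
}

/* Extract the lowercased hostname from a history URL, dropping scheme,
   userinfo, port, path and query. Returns 0 if no host could be found. */
int extract_host(const char *url, char *out, size_t out_len) {
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    const char *end = p + strcspn(p, "/?#");      /* authority part ends here */
    for (const char *q = p; q < end; q++)
        if (*q == '@') p = q + 1;                  /* skip any userinfo */
    size_t n = strcspn(p, ":/?#");                 /* stop at port or path */
    if (n == 0 || n >= out_len) return 0;
    for (size_t i = 0; i < n; i++) out[i] = (char)tolower((unsigned char)p[i]);
    out[n] = '\0';
    return 1;
}

/* Walk from the full hostname up through its parent domains and return the
   first list entry hit, or NULL. Assumption (mine, not the README's): a host
   whose parent domain is on the list is served through the same Cloudflare DNS. */
const char *cf_match(const char *host) {
    const char *label = host;
    for (;;) {
        for (size_t i = 0; i < CF_LIST_LEN; i++)
            if (strcmp(label, CF_LIST[i]) == 0) return CF_LIST[i];
        const char *dot = strchr(label, '.');
        if (dot == NULL) return NULL;
        label = dot + 1;
        if (strchr(label, '.') == NULL) return NULL;   /* bare TLD: stop */
    }
}

/* Check one history URL; returns the matching list entry or NULL. */
const char *check_history_url(const char *url) {
    char host[256];
    if (!extract_host(url, host, sizeof host)) return NULL;
    return cf_match(host);
}

/* Count distinct listed sites across a history, so a site visited on many
   pages or subdomains is reported once (the duplicate problem noted above). */
size_t count_distinct_matches(const char *const *urls, size_t n_urls) {
    int seen[CF_LIST_LEN] = {0};
    size_t count = 0;
    for (size_t u = 0; u < n_urls; u++) {
        const char *m = check_history_url(urls[u]);
        if (m == NULL) continue;
        for (size_t i = 0; i < CF_LIST_LEN; i++)
            if (CF_LIST[i] == m && !seen[i]) { seen[i] = 1; count++; }
    }
    return count;
}

/* Constructed history sample: two pages of one listed site, one unlisted site,
   and one listed site reached through a URL with userinfo, mixed case and a port. */
static const char *const DEMO_HISTORY[] = {
    "https://blog.example-cdn.com/post?id=1",
    "https://example-cdn.com/login",
    "https://www.unrelated.io/",
    "HTTP://user@Shop.Example.org:8443/cart",
};
#define DEMO_HISTORY_LEN (sizeof(DEMO_HISTORY) / sizeof(DEMO_HISTORY[0]))

size_t demo_distinct_count(void) {
    return count_distinct_matches(DEMO_HISTORY, DEMO_HISTORY_LEN);
}

int main(void) {
    for (size_t i = 0; i < DEMO_HISTORY_LEN; i++) {
        const char *m = check_history_url(DEMO_HISTORY[i]);
        printf("%-42s -> %s\n", DEMO_HISTORY[i], m ? m : "(not listed)");
    }
    printf("distinct listed sites: %zu\n", demo_distinct_count());
    return 0;
}
```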
Old 04-17-2017   #11
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,749
Default Malware & other nasty IT / cyber things

Moderator's Note

A number of posts have appeared recently in another thread, which advertise malware and other nasty IT things and they deserve their own thread. So I will move eight readily id'd posts that are not Russian focused here, all of them by Outlaw09 who works in the cyber arena. It may help to watch the Russian Cyber & Disinformation thread for background and other matters: Russian Info, Cyber and Disinformation (Catch all 2017 onwards).
(Mod Ends)

ALERT....I had posted this previously but am doing it again as it is spreading fast now worldwide


Philadelphia Ransomware, a new threat targets the Healthcare Industry

Security experts from Forcepoint have discovered a new strain of ransomware dubbed Philadelphia that is targeting organizations in the healthcare industry.

The Philadelphia ransomware is a variant of the Stampado ransomware, a very cheap malware offered for sale on the Dark Web since June 2016 at just 39 USD for a lifetime license.

Last month the popular expert Brian Krebs discovered an ad for Philadelphia on YouTube.

Quote:
According to the researchers, the Philadelphia ransomware is distributed via spear-phishing emails sent to the hospitals. The messages contain a shortened URL that points to a personal storage site that serves a weaponized DOCX file containing the targeted healthcare organization’s logo.

The file includes three document icons apparently related to patient information, and attempts to trick victims into clicking on them.

Philadelphia ransomware

If the victims click on the icon, a Javascript is triggered which downloads and executes a variant of the Philadelphia ransomware.

This tactic was already used to infect a hospital from Oregon and Southwest Washington.

“However, it appears that amateur cybercriminals have also started to shift towards this trend in the form of an off-the-shelf ransomware aimed at a healthcare organization in the United States.” reads the analysis published by ForcePoint.

“In this attack, a shortened URL, which we believe was sent through a spear-phishing email, was used as a lure to infect a hospital from Oregon and Southwest Washington. Once a user clicks on the link, the site redirects to a personal storage site to download a malicious DOCX file. This document contains the targeted healthcare organization’s logo and a signature of a medical practitioner from that organization as bait.”

Once the ransomware has infected the system, it contacts the C&C server and sends various details on the target machine, including operating system, username, country, and system language. The C&C server responds with a generated victim ID, a Bitcoin wallet ID, and the Bitcoin ransom price.

The Philadelphia ransomware uses AES-256 to encrypt the files; when the operation is completed, it displays a request for a 0.3 Bitcoin ransom to the victims.

The analysis of the malicious code revealed a couple of interesting things:
• the encrypted JavaScript contained a string “hospitalspam” in its directory path.
• the ransomware C&C also contained “hospital/spam” in its path.

The presence of the words suggests the attackers are specifically targeting hospitals using spear phishing emails.

“Ransomware-as-a-service (RaaS) platforms such as Philadelphia continue to attract would-be cybercriminals to take part in the ransomware business” concluded Forcepoint. “Individually, this may not be a great deal of an attack towards the Healthcare sector. However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the Healthcare sector,”

Last edited by davidbfpo; 04-22-2017 at 12:34 PM. Reason: Add Mods Note
OUTLAW 09 is offline   Reply With Quote
Old 04-17-2017   #12
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,749
Default

The Russian group Turla has continued to improve its Carbon backdoor, experts from ESET detected new versions released on a regular basis.

The Russian APT group known as Turla (also known as Waterbug, KRYPTON and Venomous Bear) has continued to improve its Carbon backdoor, experts from ESET detected new versions released on a regular basis.

Carbon is a second-stage backdoor that is used after an initial reconnaissance phase of an attack, which involves malware such as Tavdig.

Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using Icedcoffee, a JavaScript payload delivered via macro-enabled Office documents.

The last time the researchers reported Turla’s activities was February 2017, when experts at Kaspersky Lab discovered a new piece of JavaScript malware linked to the group targeting organizations in Greece, Qatar, and Romania.

Turla has been active since at least 2007; the hackers have launched several high-profile attacks against targets worldwide, including the ones aimed at Swiss defense firm RUAG and the U.S. Central Command.

Carbon, aka Pfinet, is one of the tools in the arsenal of the hacking crew; researchers from ESET described it as a lite version of Uroburos.

Carbon is a second-stage backdoor that is typically deployed after the reconnaissance phase of an attack; it has several components, including a dropper, a command and control (C&C) communications element, an orchestrator, and a loader that executes the orchestrator.

The orchestrator is used to inject the C&C communications library into a legitimate process, and dispatch the tasks received via the C&C library to other bots that are located on the network.

Turla

ESET has identified several versions of Carbon compiled last year; the most recent one was compiled on October 21, 2016. The newer versions of the Carbon malware make massive use of encryption.

Almost every component is a DLL file, except for the loader, which is an EXE file.

“The Turla group is known to be painstaking and work in stages, first doing reconnaissance on their victims’ systems before deploying their most sophisticated tools such as Carbon.

A classic Carbon compromise chain starts with a user receiving a spearphishing email or visiting a previously compromised website, typically one that the user visits regularly — a technique known as a watering hole attack.” reads the analysis shared by ESET.

“After a successful attack, a first stage backdoor — such as Tavdig or Skipper — is installed on the user machine. Once the reconnaissance phase is over, a second stage backdoor, like Carbon, is installed on key systems.”

The threat actors behind Turla have modified their tools every time they were detected in the wild. Researchers observed that in the case of Carbon, the hackers changed file names and mutexes in version 3.8, released in the summer of 2016.

Experts noticed that before the malware starts communicating with the C&C, it checks the infected system for the presence of packet capture software, such as Wireshark and Tcpdump.


“Before communicating with the C&C server or with other computers, the malware ensures that none of the most common packet capture software is running on the system:

• TCPdump.exe
• windump.exe
• ethereal.exe
• wireshark.exe
• ettercap.exe
• snoop.exe
• dsniff.exe”
OUTLAW 09 is offline   Reply With Quote
Old 04-17-2017   #13
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,749
Default

Over 20 million Gmail and 5 million Yahoo accounts available for sale on the Dark Web


Quote:
A vendor with the online moniker “SunTzu583” is reportedly selling millions of login credentials for Gmail and Yahoo accounts on a black market in the dark web. Over 20 million Gmail accounts and 5 million Yahoo accounts are available for sale, the huge trove of data is the result of previous massive data breaches.

SunTzu583 is known to security experts; he specializes in the sale of stolen login credentials.

A couple of weeks ago the colleagues at HackRead reported the sale of more than 1 million Gmail and Yahoo accounts by the same seller and a few days later, SunTzu583 started selling PlayStation accounts.

Dark web Playstation accounts

SunTzu583 offered 640,000 PlayStation accounts for USD 35.71 (0.0292 BTC), the dump includes emails and clear-text passwords.

SunTzu583 confirmed that the archive was not directly stolen from PlayStation network, but it does contain unique accounts of PlayStation users. The seller added that even if the accounts may work for other web services they are first of all PlayStation accounts.

Back to the present, the seller SunTzu583 is offering in separate listings millions of Gmail accounts.

In three different listings, he is offering 4,928,888 accounts.

“The total number of Gmail accounts being sold are 4,928,888 which have been divided into three different listings. All three listings contain 2,262,444 accounts including emails and their clear text passwords.” reports the analysis published by HackRead. “In the description of these listings, SunTzu583 has mentioned that “Not all these combinations work directly on Gmail, so don’t expect that all these email and passwords combinations work on Gmail.””

The researchers at HackRead who have compared the listings with Hacked-DB and Have I been pwned repositories confirmed that the sources of the data are past data breaches including LinkedIn (117 million accounts), Adobe (153 million accounts) and Bitcoin Security Forum (5 million Gmail passwords).
OUTLAW 09 is offline   Reply With Quote
Old 04-17-2017   #14
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,749
Default

Experts from security firm Sixgill have discovered a new strain of the macOS Proton RAT that is offered for sale on Russian cybercrime underground.
Quote:
The Dark Web is the right place where to find any kind of illegal products and services, malware such as banking trojan and spyware are very popular in cyber criminal underground.

Recently a new remote access tool (RAT) specifically designed to infect macOS systems is currently being advertised on Russian cybercrime underground. The researchers at security firm Sixgill discovered the advertising on crime forums and on a custom website, this threat is also described in videos published on YouTube.

https://youtu.be/JA7sfDc9Ad0

The Proton homepage went down just after the experts at Sixgill published the report.

“Sixgill researchers have encountered a post in one of the leading, closed Russian cybercrime message boards. The author of the thread announced a RAT dubbed Proton, intended for installation exclusively on MAC OS devices. The author offered this product in one of the leading underground cybercrime markets.” reads a report published by Sixgill.

The Proton RAT first appeared in the threat landscape last year, the variant recently advertised on hacking forums includes many features such as the ability to execute console commands, access the user’s webcam, log keystrokes, capture screenshots and open SSH/VNC remote connections. The malicious code is also able to inject malicious code in the user’s browser to display popups asking victims information such as credit card numbers, login credentials, and others.

“The malware includes root-access privileges and features allowing an attacker to obtain full control of the victim’s computer. Its capabilities include: running real-time console commands and file-manager, keylogging, SSH/VNC connectivity, screenshots, webcam operation and the ability to present a custom native window requesting information such as a credit-card, driver’s license and more. The malware also boasts the capability of iCloud access, even when two-factor authentication is enabled.” continues the report.

According to the author, macOS Proton RAT is written in native Objective-C and it is fully undetected by any existing MAC OS antivirus solution.

Below the list of features described in the ad:

macOS Proton RAT

The Proton RAT has root access and is able to elude standard macOS security features, it is also able to bypass two-factor authentication on iCloud accounts.

Researchers speculate that macOS Proton RAT leverages a zero-day vulnerability in macOS, but the most interesting characteristic of the threat is that the malicious code is signed with genuine Apple code-signing certificates. It is likely the author has managed to falsify registration to the Apple Developer ID Program or has stolen the credentials of an Apple developer.

“The real threat behind the software is this: The malware is shipped with genuine Apple code-signing signatures. This means the author of Proton RAT somehow got through the rigorous filtration process Apple places on MAC OS developers of third-party software, and obtained genuine certifications for his program. Sixgill evaluates that the malware developer has managed to falsify registration to the Apple Developer ID Program or used stolen developer credentials for the purpose.” reads the report.

The price for the macOS Proton RAT ranged from $1,200 to $830,000 for the entire project (an absurd price). Below are the versions advertised on the Proton website:

Standard Edition

I) License to control only ONE remote machine
   1) 1 BTC — unsigned
   2) 2 BTC — signed
II) License to control 20 remote machines
   1) 10 BTC — unsigned
   2) 11 BTC — signed
III) License to control infinite remote machines
   1) 66 BTC — unsigned
   2) 76 BTC — signed

Extended edition

I) License to control infinite remote machines
   1) 166 BTC — unsigned
   2) 200 BTC — signed
II) License to control infinite remote machines on your own server
   1) 366 BTC — without source code
   2) 666 BTC — with full source code

Researchers noticed that the authors of the malware try to disguise their spyware as legitimate surveillance software.
OUTLAW 09 is offline   Reply With Quote
Old 04-17-2017   #15
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,749
Default

The Sundown EK has been inactive since early this year, while the Terror EK is very popular in the cybercriminal ecosystem.

Quote:
One year ago the Angler EK and Nuclear EK disappeared from the threat landscape, while the Sundown EK was conquering the criminal underground.

What’s happening now?

The Sundown EK has been inactive since early this year, while the Terror EK is very popular in the cybercriminal ecosystem.

Last week, Cisco Talos published an analysis of Sundown EK; the experts detailed the improvements of the EK, which presented many similarities with the RIG exploit kit.

“Sundown is an exploit kit in transition, it has stopped using calling cards and other easily ways to identify its activity. It is one of the few exploit kits adding any new exploits to their arsenal, albeit stolen. At the same time they consistently steal exploits and technologies from other people and competitors.” reads the analysis of the Talos group. “The exploit kit landscape has been struggling to find its footing since the major players have left. It still appears to be in transition with RIG and Sundown being the primary players left as an option for those looking to compromise random victims while browsing the web.”

The Sundown EK was not as sophisticated as other large exploit kits.

Security experts at Talos noticed a long inactivity of the Sundown EK; variants of the kit, including Bizarro and Greenflash, also disappeared from the scene.

This silence leads the experts to believe that the threat actor ceased operations.

“Many security researchers tracking exploit kits have noted the lack of Sundown EK activity for several weeks now. A post from Cisco’s Talos team came off as a bit of a surprise at the end of March (Threat Spotlight: Sundown Matures), but any doubts were squashed by this tweet on April 8th (Sundown (Beps) and Nebula out ? More than one month since last hits).” reads a blog post published by MalwareBytes.

“Also, whatever happened to Bizarro and Greenflash Sundown EKs? Whether this is a temporary break or yet another dead EK, time will tell.”

Recently experts observed a significant increase of hacking campaigns leveraging the Terror EK.

Because of similarities with Sundown EK, experts at MalwareBytes initially thought that the Terror EK was simply a new variant of Sundown, but further investigation revealed that it was actually from a different actor (so-called Terror EK by Trustwave).

The Terror EK was advertised on various underground forums by a hacker with the online moniker @666_KingCobra, who is offering it for sale under different names (i.e. Blaze, Neptune, and Eris).

Experts at Malwarebytes Labs said that the Terror EK was used in a malvertising campaign distributing the Smoke Loader by leveraging Internet Explorer, Flash, and Silverlight exploits.

The Terror EK was also involved in a newer campaign using a different landing page that distributes the Andromeda malware.

The compromised websites redirect to the exploit kit landing page via a server-side 302 redirect, performed through script injection.

[Image: Terror EK]

“Sundown EK was notorious for stealing exploits from others and the tradition continues with more copy/paste from the ashes of dead exploit kits. If this harvesting was done on higher grade EKs, we would have a more potent threat but this isn’t the case here,” Malwarebytes concludes.
OUTLAW 09 is offline   Reply With Quote
Old 04-17-2017   #16
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,749
Default

Lawyers, malware, and money: The antivirus market’s nasty fight over Cylance

On the front lines of the antivirus industry's "testing wars."

Sean Gallagher - 4/17/2017, 1:00 PM

https://arstechnica.com/information-...re-that-wasnt/
OUTLAW 09 is offline   Reply With Quote
Old 04-22-2017   #17
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,749
Default

Last posting that I find critical as I and my company have moved into this research area over the last year and it is massive...especially on the botnet side of the Deep Net.....AND how those botnets are being tied into the Russian hacking and information war with the West....if these botnets are not pushing info war messaging...then they are into spamming...phishing and DDoS attacks.....and then back to info warfare messaging....depending on need and end user taskings....

Security firm Flashpoint published an interesting paper titled, "Cybercrime Economy: An Analysis of Cybercriminal Communication Strategies" about cybercriminal communications of threat actors.

Quote:
A recent research by the threat intelligence firm Flashpoint has uncovered how malicious threat actors communicate to share information among themselves.
The research found that there is a growing economy in cybercriminal communications: more than just information sharing, it has formed an ecosystem in which failures, successes, planning and procedures to beat organizations’ countermeasures are shared, as well as the planning of attacks.
The research points out that cybercriminal communications use a variety of software alongside access to communities in the deep and dark web. This is done in order to carry out cross-domain organization for committing crimes like phishing, credit card fraud, spam, and every sort of attack that passes through corporations’ filters and defenses.

The reason for the use of this software to communicate is to make it too difficult for law enforcement agencies to track the activities in the community’s forums, as well as to give privacy to the user, since most of these programs have cryptographic functions or protocols operating at their core. The software also allows a user to enter random, aleatory or even fraudulent information about themselves, which makes it more difficult to determine who the user is.
On the other hand, another reason for doing so is the payment required to maintain a forum, which in many cases can represent a difficulty for cybercriminals. The use of communications programs is free of charge and anyone can download them.
The study was carried out by monitoring underground communities where the users often invited other members to discuss the planning outside the underground forum. Eighty instant messenger applications and protocols were analyzed, of which at least five were the most used.
Privacy is implemented in these applications, for example with PGP, an encryption algorithm. The secure communication between users makes it difficult for authorities to gain access to the content shared between them without knowing the encryption key that generated the encoding for the session.
The most used programs by cybercriminals are ICQ, Skype, Jabber, Quiet Internet Pager, Pretty Good Privacy, Pidgin, PSI and AOL Instant Messenger (AIM).
The report shows that the use of cybercriminal communications differs among communities of different languages; below are reported the “Language Group Specific Findings”. For Russians we have the following situation:
1. Jabber (28.3%)
2. Skype (24.26%)
3. ICQ (18.74%)
4. Telegram (16.39%)
5. WhatsApp (3.93%)
6. PGP (3.79%)
7. Viber (3.01%)
8. Signal (1.58%)
while for the Chinese we have the following distribution in 2016:
1. QQ (63.33%)
2. WeChat (35.58%)
3. Skype (0.44%)
4. WhatsApp (0.22%)
5. Jabber (0.31%)
6. PGP (0.13%)
7. ICQ (0.1%)
8. AOL Instant Messenger (0.08%)
“Cybercriminals can choose from a wide variety of platforms to conduct their peer-to-peer (P2P) communications.” states the report. “This choice is typically influenced by a combination of factors, which can include:
- Ease of use
- Country and/or Language
- Security and/or anonymity concerns
Sources:
http://www.securityweek.com/many-cyb...ications-study
http://www.ibtimes.co.uk/skype-whats...online-1617822
http://www.itnews.com/article/319083...r-and-icq.html
http://www.infoworld.com/article/319...ver-skype.html
https://www.flashpoint-intel.com/blo...on-strategies/
BTW...Jabber was the preferred chat of choice for the US Army intel side for years....
Attached image: botnet.jpg

Last edited by OUTLAW 09; 04-22-2017 at 08:30 AM.
OUTLAW 09 is offline   Reply With Quote
Old 04-22-2017   #18
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,749
Default

Quote:
Originally Posted by OUTLAW 09
IoT malware clashes in a botnet territory battle
http://www.cio.com/article/3190179/s...y-battle.html#
… via @CIOonline
Hajime IoT malware, is it the work of vigilante hacker?

Quote:
Mirai -- a notorious malware that's been enslaving IoT devices -- has competition.
A rival piece of programming has been infecting some of the same easy-to-hack internet-of-things products, with a resiliency that surpasses Mirai, according to security researchers.
"You can almost call it Mirai on steroids," said Marshal Webb, CTO at BackConnect, a provider of services to protect against distributed denial-of-service (DDoS) attacks.
Security researchers have dubbed the rival IoT malware Hajime, and since it was discovered more than six months ago, it's been spreading unabated and creating a botnet. Webb estimates it's infected about 100,000 devices across the globe.

These botnets, or networks of enslaved computers, can be problematic. They're often used to launch massive DDoS attacks that can take down websites or even disrupt the internet’s infrastructure.
That’s how the Mirai malware grabbed headlines last October. A DDoS attack from a Mirai-created botnet targeted DNS provider Dyn, which shut down and slowed internet traffic across the U.S.
Hajime was first discovered in the same month, when security researchers at Rapidity Networks were on the lookout for Mirai activity. What they found instead was something similar, but also more tenacious.
Like Mirai, Hajime also scans the internet for poorly secured IoT devices like cameras, DVRs, and routers. It compromises them by trying different username and password combinations and then transferring a malicious program.

However, Hajime doesn’t take orders from a command-and-control server like Mirai-infected devices do. Instead, it communicates over a peer-to-peer network built off protocols used in BitTorrent, resulting in a botnet that's more decentralized -- and harder to stop.
"Hajime is much, much more advanced than Mirai," Webb said. "It has a more effective way to do command and control."
Broadband providers have been chipping away at Mirai-created botnets, by blocking internet traffic to the command servers they communicate with. In the meantime, Hajime has continued to grow 24/7, enslaving some of the same devices. Its peer-to-peer nature means many of the infected devices can relay files or instructions to the rest of the botnet, making it more resilient against any blocking efforts.

Who's behind Hajime? Security researchers aren’t sure. Strangely, they haven't observed the Hajime botnet launching any DDoS attacks -- which is good news. A botnet of Hajime’s scope is probably capable of launching a massive one similar to what Mirai has done.
"There’s been no attribution. Nobody has claimed it," said Pascal Geenens, a security researcher at security vendor Radware.
However, Hajime does continue to search the internet for vulnerable devices. Geenens' own honeypot, a system that tracks botnet activity, has been inundated with infection attempts from Hajime-controlled devices, he said.
So the ultimate purpose of this botnet remains unknown. But one scenario is it'll be used for cybercrime to launch DDoS attacks for extortion purposes or to engage in financial fraud.
"It's a big threat forming," Geenens said. "At some point, it can be used for something dangerous."
It’s also possible Hajime might be a research project. Or in a possible twist, maybe it's a vigilante security expert out to disrupt Mirai.
So far, Hajime appears to be more widespread than Mirai, said Vesselin Bontchev, a security expert at Bulgaria's National Laboratory of Computer Virology.
However, there's another key difference between the two malware. Hajime has been found infecting a smaller pool of IoT devices using ARM chip architecture.
That contrasts from Mirai, which saw its source code publicly released in late September. Since then, copycat hackers have taken the code and upgraded the malware. Vesselin has found Mirai strains infecting IoT products that use ARM, MIPS, x86, and six other platforms.
That means the clash between the two malware doesn’t completely overlap. Nevertheless, Hajime has stifled some of Mirai’s expansion.
"There's definitely an ongoing territorial conflict," said Allison Nixon, director of security research at Flashpoint.
To stop the malware, security researchers say it's best to tackle the problem at its root, by patching the vulnerable IoT devices. But that will take time and, in other cases, it might not even be possible. Some IoT vendors have released security patches for their products to prevent malware infections, but many others have not, Nixon said.
That means Hajime and Mirai will probably stick around for a long time, unless those devices are retired.
"It will keep going," Nixon said. "Even if there's a power outage, [the malware] will just be back and re-infect the devices. It's never going to stop."

OUTLAW 09 is offline   Reply With Quote
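As an added defensive illustration of the credential-guessing behaviour the article describes (this is not code from the article, from CIO, or from the researchers quoted): a small Python detector that reads constructed telnet-honeypot login lines and flags a source address that accumulates repeated failed logins inside a short window, recording whether a successful login followed the burst. The log format, field names, addresses, usernames and thresholds are all constructed assumptions for the example.

```python
"""Flag credential-guessing bursts against an IoT login service from
audit-log lines (e.g. a telnet honeypot).

Added example; log format and sample lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format: ISO timestamp, service, outcome, source IP, username.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<svc>\w+)\s+login\s+(?P<result>ok|failed)"
    r"\s+src=(?P<src>[\d.]+)\s+user=(?P<user>\S+)$"
)

# Constructed sample: one source sprays several usernames in a few seconds
# and then gets in; a second source fails once and succeeds minutes later.
SAMPLE_LOG = """\
2017-04-20T10:00:01Z telnet login failed src=203.0.113.5 user=root
2017-04-20T10:00:02Z telnet login failed src=203.0.113.5 user=admin
2017-04-20T10:00:02Z telnet login failed src=203.0.113.5 user=support
2017-04-20T10:00:03Z telnet login failed src=203.0.113.5 user=user
2017-04-20T10:00:04Z telnet login failed src=203.0.113.5 user=root
2017-04-20T10:00:05Z telnet login ok src=203.0.113.5 user=root
2017-04-20T10:00:30Z telnet login failed src=198.51.100.7 user=admin
2017-04-20T10:03:00Z telnet login ok src=198.51.100.7 user=admin
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return ev


def detect_bruteforce(lines, window_s=60, min_failures=4):
    """Return {src: alert} for every source with at least `min_failures`
    failed logins inside a sliding window of `window_s` seconds.

    A success from the same source after the burst is recorded in
    `succeeded_after`; that is the case worth paging on, because the device
    has most likely been taken over."""
    recent = defaultdict(deque)   # src -> timestamps of failures in window
    users = defaultdict(set)      # src -> usernames tried
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "failed":
            q = recent[src]
            q.append(ev["ts"])
            users[src].add(ev["user"])
            # drop failures that fell out of the window
            while q and (ev["ts"] - q[0]).total_seconds() > window_s:
                q.popleft()
            if len(q) >= min_failures and src not in alerts:
                alerts[src] = {
                    "first_seen": q[0],
                    "failures": len(q),
                    "usernames": set(users[src]),
                    "succeeded_after": False,
                }
        elif src in alerts:
            alerts[src]["succeeded_after"] = True
    return alerts


if __name__ == "__main__":
    for src, alert in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(src, alert)
```

The threshold is deliberately low for the constructed sample; on a real device feed it should be tuned per service, and the `usernames` set is what distinguishes a spray across default accounts from a single user mistyping one password.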
Old 04-22-2017   #19
davidbfpo
Council Member
 
davidbfpo's Avatar
 
Join Date: Mar 2006
Location: UK
Posts: 11,095
Default Malware & other nasty IT / cyber things

A number of posts have appeared recently in another thread, which advertise malware and other nasty IT things and they deserve their own thread. So I will move a dozen or so posts here, all of them by Outlaw09 who works in the cyber arena. Accordingly this post will drop from being first.
__________________
davidbfpo
davidbfpo is offline   Reply With Quote
Old 04-29-2017   #20
OUTLAW 09
Council Member
 
Join Date: Nov 2013
Posts: 35,749
Default

IMPORTANT for providers of critical infrastructure....

Quote:
Severe vulnerability in GE Multilin SR poses a serious threat to Power Grid
Security experts discovered a critical vulnerability in GE Multilin SR that poses a serious threat to the power grid worldwide. A team of researchers from New York University has found a serious vulnerability in some of GE Multilin SR protection relays...
Quote:
The experts will provide further details about the vulnerability at the upcoming Black Hat conference in Las Vegas; below an excerpt from the abstract published on the conference website.
“Essentially, we completely broke the homebrew encryption algorithm used by these protection and management devices to authenticate users and allow privileged operations,” explained the experts in their abstract. “Knowledge of the passcode enables an attacker to completely pwn the device and disconnect sectors of the power grid at will, locking operators out to prolong the attack.”
The experts will also propose a live demo showcasing exploitation of the vulnerability during their talk, anticipating that an attack leveraging the issue would have a significant impact on a nation.
The ICS-CERT published a security advisory on this threat, which is tracked as CVE-2017-7095.
An attacker can obtain the password either from the front LCD panel or via Modbus commands and use it to gain unauthorized access to vulnerable products.
“Successful exploitation of this vulnerability may allow a remote attacker to obtain weakly encrypted user passwords, which could be used to gain unauthorized access to affected products.” reads the advisory.
“Cipher text versions of user passwords were created with a non-random initialization vector leaving them susceptible to dictionary attacks. Cipher text of user passwords can be obtained from the front LCD panel of affected products and through issued Modbus commands.”

The following versions of GE Multilin SR relays are affected by the flaw:
750 Feeder Protection Relay, firmware versions prior to Version 7.47,
760 Feeder Protection Relay, firmware versions prior to Version 7.47,
469 Motor Protection Relay, firmware versions prior to Version 5.23,
489 Generator Protection Relay, firmware versions prior to Version 4.06,
745 Transformer Protection Relay, firmware versions prior to Version 5.23, and
369 Motor Protection Relay, all firmware versions.
GE has promptly released firmware updates that fix the vulnerability for most of the above products. The firmware updates for 369 Motor Protection Relays are expected to be released in June.
To mitigate the vulnerability GE recommends that users apply updated firmware versions to affected products, as well as implement the following best practices:
Control access to affected products by keeping devices in a locked and secure environment,
Remove passwords when decommissioning devices,
Monitor and block malicious network activity, and
Implement appropriate network segmentation and place affected devices within the control system network, behind properly configured firewalls. Protection and Control system devices should not be directly connected to the Internet or business networks.
While the recent disruptions to Ukraine’s energy supply have clearly demonstrated that attacks on the power grid are a reality, it’s not uncommon for cybersecurity researchers to exaggerate the impact of their findings. It remains to be seen exactly how easily this flaw can be exploited after more information is made available.

Last edited by davidbfpo; 04-29-2017 at 10:16 AM. Reason: Moved from another thread, as it fits here best.
OUTLAW 09 is offline   Reply With Quote
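To make the ICS-CERT wording about a "non-random initialization vector" concrete, here is an added Python example (not GE's, ICS-CERT's or the researchers' code; the relay's actual cipher is not described on this page, so a toy HMAC-SHA256 keystream stands in for it, and the key, passwords and wordlist are constructed). It models an attacker who owns one unit of the same model and can therefore produce stored records for guessed passwords: with a fixed IV a lookup table built once on that unit matches any other unit's stored password, while a per-record random IV makes the same table useless. It closes with the salted, slow password hash a defender would store instead of reversible ciphertext.

```python
"""Fixed IV vs. random IV for stored password ciphertext, plus the
salted-hash alternative. Added example; the cipher is a stand-in."""
import hashlib
import hmac
import os

IV_LEN = 16


def keystream(key: bytes, iv: bytes, n: int) -> bytes:
    # Assumed toy construction: HMAC-SHA256(key, iv || counter) blocks,
    # XORed with the plaintext in encrypt(). Chosen only to run offline.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """XOR with the keystream; the same call also decrypts."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, iv, len(data))))


FIXED_IV = bytes(IV_LEN)  # the weakness: every unit, every password, same IV


def store_fixed_iv(key: bytes, password: bytes) -> bytes:
    """Deterministic: equal passwords on any two units give equal records."""
    return FIXED_IV + encrypt(key, FIXED_IV, password)


def store_random_iv(key: bytes, password: bytes) -> bytes:
    """Randomised: the IV is kept with the ciphertext so the unit can still
    decrypt, but two records of the same password no longer match."""
    iv = os.urandom(IV_LEN)
    return iv + encrypt(key, iv, password)


def precompute_table(oracle, candidates):
    """Attacker side: a unit the attacker owns acts as an encryption oracle.
    Against a fixed IV the resulting ciphertext -> password table is built
    once and reused against every record read from other units."""
    return {oracle(c)[IV_LEN:]: c for c in candidates}


def dictionary_lookup(table, stored_record: bytes):
    return table.get(stored_record[IV_LEN:])


def make_salted_hash(password: bytes, iterations: int = 100_000) -> bytes:
    """What to store instead: a per-record salt plus a slow one-way hash."""
    salt = os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password, salt, iterations)


def verify_salted_hash(record: bytes, password: bytes, iterations: int = 100_000) -> bool:
    salt, digest = record[:16], record[16:]
    return hmac.compare_digest(
        digest, hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    )


DEVICE_KEY = b"\x5a" * 32  # constructed: a firmware key shared by all units of the model
WORDLIST = [b"password", b"admin", b"relay-2017", b"123456"]  # constructed


def demo():
    """Same wordlist table against a fixed-IV and a random-IV victim record."""
    attacker_oracle = lambda pw: store_fixed_iv(DEVICE_KEY, pw)
    table = precompute_table(attacker_oracle, WORDLIST)
    victim_fixed = store_fixed_iv(DEVICE_KEY, b"relay-2017")
    victim_random = store_random_iv(DEVICE_KEY, b"relay-2017")
    return {
        "fixed_iv_recovered": dictionary_lookup(table, victim_fixed),
        "random_iv_recovered": dictionary_lookup(table, victim_random),
    }


if __name__ == "__main__":
    print(demo())
```

The random IV only removes the precomputation advantage; a reversible record is still readable by anyone holding the shared key, which is why the last two functions keep no plaintext-equivalent at all and use a deliberately slow derivation to blunt per-record guessing.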