Trojanized, Info-Stealing PuTTY Version Lurking Onlinefrom the at-your-command-prompt dept.

Original Article
One of the best first steps in setting up a Windows machine is to install PuTTY on it, so you have a highly evolved secure shell at your command. An anonymous reader writes, though, with a note of caution if you’re installing PuTTY from a source other than the project’s own official page. A malicious version with information-stealing abilities has been found in the wild. According to the article:

Compiled from source, this malicious version is apparently capable of stealing the credentials needed to connect to those servers. “Data that is sent through SSH connections may be sensitive and is often considered a gold mine for a malicious actor. Attackers can ultimately use this sensitive information to get the highest level of privileges on a computer or server, (known as ‘root’ access) which can give them complete control over the targeted system,” the researchers explained.

The Symantec report linked above also shows that (at least for this iteration) the malware version is easy to spot, by hitting the “About” information for the app.

Posted by timothy 10 days ago

Trend Micro: Hackers Using Android App For Sextortion   

 

Researchers found that the extortionists first lure their victims through a number of online chatting tools   
Saturday, March 28, 2015:  Security software company Trend Micro has come up with a new finding in which they detected that criminals have developed advanced mobile applications and tools that siphon their victims’ online passwords and contacts to increase the chance that they will pay up.

In a latest report ‘sextortion in the far east’, Trend Micro’s researchers detailed a new Android app that criminals are using to pressure their victims into blackmail.

Sextortion is the act of coercing cybercrime victims to perform sexual favors or to pay large amounts of money in exchange for the non-exposure of their explicit images, videos, or conversations.

Cybercriminals lure, record, and threaten their victims online, which includes a mobile malware component. During their chat or Skype session, cybercriminals convince victims to install a data stealer or disguised Android malware that steals victim data off their device. Cybercriminals can then threaten their victims with the possibility of sending the explicit content to their victim’s contact list. The malware these cybercriminals used are persistent and exhibit various intrusive behaviors.

Researchers found that the extortionists first lure their victims through a number of online chatting tools. Once the trap is set, they feign audio or messaging problems to persuade their target to download one of four malicious Android apps. Using their email, social media and bank accounts, Trend Micro traced several of the Android app developers and their money go-betweens to China.

The company found evidence that the criminals opened different bank accounts for each extortion campaign, which typically, lasted for a few weeks. 

Sushma rani, EFYTIMES News Network 

New Evidence Strengthens NSA Ties To Equation Group Malware

from the tax-funded-hacks dept.
An anonymous reader writes:When researchers from Kaspersky Lab presented the Equation Group espionage malware, many in the security community were convinced it was part of an NSA operation. Now, Kaspersky has released new evidence that only strengthens those suspicions. In a code sample, they found a string named BACKSNARF_AB25, which happens to be the name of a project in the NSA’s Tailored Access Operations. Further, when examining the metadata on the malware files, they found the modification timestamps were almost always consistent with an 8-5 workday in the UTC-3 or UTC-4 timezones, consistent with work based in the eastern United States. The authors also tended to work Monday through Friday, and not on the weekends, suggesting a large, organized development team. “Whereas before the sprawling Equation Drug platform was known to support 35 different modules, Kaspersky has recently unearthed evidence there are 115 separate plugins. The architecture resembles a mini operating system with kernel- and user-mode components alike.”ORIGINAL ARTICLE 

Hacking 4G USB modems and SIM Card via SMS

/home/wpcom/public_html/wp-content/blogs.dir/4bc/29857760/files/2014/12/img_2459.jpg

A group of experts managed to uncover USB modem vulnerabilities that allow a potential attacker to gain full control of the connected system.

A team of researchers at Positive Technologies conducted a study on how to compromise USB modems and attack SIM cards via SMS over 4G networks at the PacSec and Chaos Computer Club conferences in Tokyo and Hamburg.

The team consisting of Sergey Gordeychik, Alexander Zaitsev, Kirill Nesterov, Alexey Osipov, Timur Yunusov, Dmitry Sklyarov, Gleb Gritsai, Dmitry Kurbatov, Sergey Puzankov and Pavel Novikov.

The experts discovered that 4G USB modems are affected by vulnerabilities that could be exploited by threat actors to gain full control of the machines to which the devices are connected.

The researchers also demonstrated that exploiting the flaws they were able to access subscriber accounts on carrier portals, simply by sending a binary SMS, they are able to lock SIM cards and sniff and decrypt device traffic.

The researchers analyzed six USB modems running 30 separate firmware and discovered that just 10% of the software tested was resilient to the attacks.

“First, we identified the gear. The documentation and search engines helped us with that. In some cases Google was even more useful: it gave us the password for Telnet access. However, for external communications we need http, not Telnet. Just connect the modem to a computer and manage it as a separate network node with web applications. It gives you the opportunity to launch an attack via a browser (CSRF, XSS, RCE). This way you will force the modem to give out a lot of useful information about itself.” states the blog post published by the researchers.

/home/wpcom/public_html/wp-content/blogs.dir/4bc/29857760/files/2014/12/img_2460.jpg

The team used Google to find publicly available telnet access credentials via Google, but they needed http access in order to sniff communications.

The attack technique was very ingenious, once connected the 4g USB modems to their computers, the researchers were able to run several browser-based attacks, including cross-site request forgery, cross-site scripting and remote code execution attacks. The attacks allowed researchers to retrieve several information like the international mobile subscriber identities, the interface types, firmware versions, the universal integrated circuit cards, international mobile station equipment identities and software versions, device names, WI-Fi statuses and more.

/home/wpcom/public_html/wp-content/blogs.dir/4bc/29857760/files/2014/12/img_2461.png

In a more scaring attack scenario the researchers installed a bootkit on the targeted device, to do this they installed a USB keyboard driver, which causes the computer to identify the modem as an input device. At this point using a pseudo keyboard to issue the command the attacker were able to reboot the system from an external disk or the from the modem itself. Then they served and installed a bootkit that allows them to remotely control the device as showed in the following video PoC.

[an error occurred while processing this directive]

The experts highlighted the dangerous impact of the vulnerabilities in 4g USB modem on the industrial sector, for example, in all those processes that are using machine-to-machine (M2M) communications. SCADA and ATM are just a few samples of systems that use the technology.

M2M applications are very common in several critical infrastructure installations, including industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems.

” It is not only the matter of security for trendy smartphones that we use to read news feed in social networks. Multiple critical infrastructures including industrial control systems (SCADA) also implement digital mobile communication based on the GSM standard. Another example from everyday life is having your money stolen from bank accounts. No one would like to become a victim of that. Yet you might have seen small antenna on ATMs. Yes, it is also GSM.” continues the post.

The researchers also run SIM attacks that was slightly less effective, they succeeded to exploit nearly the 20 percent of the 100 SIM cards they used. The success rate depends on the capability to brute-force the data encryption standard (DES) keys protecting the SIMs.

“To brute-force DES keys, we use a set of field-programmable gate arrays (FPGA), which became trendy for Bitcoin mining a couple of years ago and got cheaper after the hype was over,” states the post. “The speed of our 8 modules *ZTEX 1.15y board with the price tag of 2,000 Euro is 245.760 Mcrypt/sec. It is enough to obtain the key within 3 days.”

/home/wpcom/public_html/wp-content/blogs.dir/4bc/29857760/files/2014/12/img_2462.jpg

To run brute-force attack on partially known 3DES key they spent nearly 10 days, once the DES or 3DES is broken, the experts were able to issue commands to toolkit applications (TAR).

“Then we may easily issue commands to well-known TARs and manage them; e.g. Card Manager allows installing a Java application to the SIM.

Another curious TAR is a file system that stores TMSI (Temporary Mobile Subscriber Identity) and Kc (Ciphering Key). We may perform the following actions via a binary SMS:

decrypt subscriber traffic without using brute force attacks on DES,
spoof a subscriber’s identity (receive his/her calls and SMS),
track a subscriber’s whereabouts, cause DOS by entering 3 wrong PIN codes and 10 wrong PUK codes in a row if PIN code is enabled for file system protection.

ORIGINAL ARTICLE

Transforming USB sticks into undetectable malicious devices

Original Article

IMG_2322.JPG

Two researchers Brandon Wilson and Adam Caudill released their attack code to reprogram USB sticks and use them as an undetectable hacking instrument.
Recently, two independent researchers, Brandon Wilson and Adam Caudill, have released the code which can reprogram, benign USB devices turning them in malicious components.

The experts published the code on the Github raising the question related to the real level of security of USB devices, the BadUSB research was approached in detail during the Black Hat conference when security experts demonstrated the risks related to an undetectable menace carried via USB.

Security experts explained that USB devices can be used to compromise personal computers in a potential new type of attacks that could not be detected with all actual security protections.

Karsten Nohl, chief scientist with Berlin’s SR Labs, discovered that bad actors could exploit this new class of attacks loading malicious software low-cost computer chips that control the functions of USB devices.

The researchers from SR Labs, which presented the attack scheme during the Black Hat conference this summer, point a series of flaws in the software used to run a tiny electronic components, these components are usually designed without protections against tampering with their code.

Hackers can uncover such flaws and exploit them creating serious problems to the targeted architecture.

“You cannot tell where the virus came from. It is almost like a magic trick,” said Nohl.

Nohl explained that his team has written malicious code and deployed it into USBcontrol chips used in thumb drives and smartphones, at this point it is sufficient that victims connect the USB device to a computer to trigger the execution of malicious software.

Nohl and Lell’s BadUSB demonstrations during Black Hat illustrated how their code could overwrite USB firmware and turn a USB device into anything. A flash drive plugged into a PC, could for example, emulate a keyboard and issue commands that steal data from the machine, spoof a computer’s network interface and redirect traffic by altering DNS settings, or could load malware from a hidden partition on the drive.

Antivirus software are not able to detect malicious firmware that controls USB devices, the code inserted with this method can be used for many purposes, including spy on communications, data tampering and log keystrokes.

But while Karsten Nohl decided to not disclose the attack code, Brandon Wilson and Adam Caudill made public their source code to solicit the IT industry to adopt necessary measures for securing USB firmware from malicious manipulation.

“The security of these devices is completely compromised.” “The security of these devices is completely compromised,” Wilson said. “You can’t trust anything you plug into your computer any longer, not even something as simple as a flash drive.”
“We’re just taking advantage of the USB protocol,” Wilson said. “This drive is a reprogrammable computer that allows you to do all sorts of things. It allows you to be any device, and up until now, most developers had hard-coded them to behave in specific ways. The firmware on a flash drive makes it behave like a flash drive.”

After Black Hat, Wilson said he bought numerous drives and tested them and were able to take advantage of existing tools used to update firmware to get their code to overwrite the firmware on the Phison device. At Derby Con, they were able to demonstrate their attack with the device pretending to be a keyboard that typed out a predetermined script once it was plugged into the host computer. They also showed another demo where they had a hidden partition on a flash drive that was not detected by the host PC.

“It’s undetectable while it’s happening,” Wilson said. “The PC has no way of determining the difference. The way a PC determines the type of device all happens through the USB and code on the other device. Our ability to control that code means you cannot trust anything a USB device tells you.”

This kind of attack is very insidious, it is necessary that the device manufacturers will improve the level of security for their devices, avoiding for example the unauthorized firmware overwriting using digitally signed code for the USB device firmware.

“The fact that we were so easily able to change the firmware is an easy fix. The manufacturers could implement code-signing, but they don’t do that at all” Wilson said. “That needs to change. And even if they do add code-signing, you still have the other aspect which is that the computer cannot trust what you’re plugging into it. To truly fix the problem, it has to be fixed on the host.” “When you have a firmware image, you want to protect it in some way. You want a checksum, or something that the drive uses to validate that something is coming across correctly,” Wilson added. “There’s nothing like that. There needs to be something. Code signing is one approach to take for now. But to really shut it down long term, the host needs to be aware that when you plug in a device you don’t trust, it has to be given an option not to trust it. Because once you plug it in, it’s done.”

Resuming, threat actors could exploit USB as an attack vector simply by reprogramming USB peripherals, so it is crucial to implement protection from such malicious reprogramming.

IMG_2323.JPG

Once reprogrammed, any USB devices could be used for various malicious purposes, including:

emulates a keyboard and issue commands on behalf of the logged-in user, for example to exfiltrate files or install malware. Such malware, in turn, can infect the controller chips of other USB devices connected to the computer.
spoofs a network card and change the computer’s DNS setting to redirect traffic.
A modified thumb drive or external hard disk can – when it detects that the computer is starting up – boot a small virus, which infects the computer’s operating system prior to boot.
Unfortunately, no effective defenses from USB attacks are possible in this moment, antivirus cannot access the firmware running on USB devices and behavioral detection very hard to implement.

Pierluigi Paganini

(Security Affairs – hacking, USB)

A Cybersecurity Threat That Could Be Lurking On Your Phone

A Cybersecurity Threat That Could Be Lurking On Your Phone

Gary Miliefsky, SnoopWall CEO, and founding member of the US Department of Homeland Security announces a privacy breach posed by smartphone flashlight apps. Miliefsky has advised two White House Administrations on Cybersecurity.

He was scheduled to join us on set for Special Report, but we had to make room for breaking news. We know you were all excited to hear this story and so we brought Gary in just for The Daily Bret. Share your thoughts with us on Twitter @BretBaier or here on the blog– after hearing this story will you delete your flashlight app?

Top Ten Ways to Defend your Network against the Latest SSL Exploits

Top Ten Ways to Defend your Network against the Latest SSL Exploits

29 MAY 2014 | WHITE PAPER

Staying on top of the latest web exploits can be a challenge for Network Admins who are worried about simply keeping up with all the day-to-day management tasks required by a complex environment. This whitepaper details many of the most recent popular SSL-related exploits that your network is likely vulnerable to, along with simple steps you can immediately take to protect yourself.

Armed with the right tools and know how, Network and Security Admins can take the right steps to lock down their networks from viable dangers. The reality is that brute force attacks are not new, but remain a viable danger to your network – even if you are securing it by more traditional means.

This article details many of the most prevalent SSL exploits that your network could be vulnerable to, ranging from not using HSTS (HTTP Strict Transport Security) to the more theoretical BEAST (Browser Exploit Against SSL/TLS) attacks. Most importantly, this paper offers some simple steps you can take to protect your network now. A few of the ten defense techniques you will learn are:

Disabling TLS Compression to defeat CRIME
Using HttpOnly Cookies to defeat Cross-Site Scripting
Supporting Secure Renegotiation to defeat Man-in-the-Middle attacks
And 7 other valuable techniques to strengthen your network’s security

The paper

Records of up to 25,000 Homeland Security staff hacked in cyber-attack

Records of up to 25,000 Homeland Security staff hacked in cyber-attack

Associated Press in Washington
theguardian.com, Friday 22 August 2014 20.48 EDT

Anonymous official says number could be even greater as department warns employees to check bank accounts

The internal records of as many as 25,000 employees of America’s Department of Homeland Security (DHS) were exposed during a recent computer hack at a federal contractor that handles security clearances, an agency official said on Friday.

The official, speaking anonymously, said the number of victims could be greater. The incident is under active federal criminal investigation.

The department was informing employees whose files were exposed in the hacking against contractor USIS and warning them to monitor their financial accounts.

Earlier this month, USIS acknowledged the break-in, saying its internal cybersecurity team had detected what appeared to be an intrusion with “all the markings of a state-sponsored attack”.

Neither USIS nor government officials have speculated on the identity of the foreign government.

USIS, once known as US Investigations Services, has been under criticism in Congress in recent months for its performance in conducting background checks on National Security Agency systems analyst Edward Snowden and on Aaron Alexis, a military contractor employee who shot 12 people dead in Washington in September 2013.

Private contractors perform background checks on more than two-thirds of the 4.9 million government workers with security clearances, and USIS handles nearly half of that number.

It is not clear when the hacking took place, but DHS notified all its employees internally on 6 Aug.

At that point, DHS issued “stop-work orders” preventing further information flows to USIS until the agency was confident the company could safeguard its records.

At the same time, the Office of Personnel Management (OPM) temporarily halted all USIS background check fieldwork “out of an abundance of caution,” spokeswoman Jackie Koszczuk said.

Officials would not say whether workers from other government agencies were at risk. DHS will provide workers affected by the intrusion with credit monitoring.

The risk to as many as 25,000 DHS workers was first reported on Friday by Reuters.

A cybersecurity expert, Rick Dakin, said the possibility that other federal departments could be affected depends on whether the DHS records were “segmented, or walled off, from other federal agencies’ files inside USIS.

“The big question is what degree of segmentation was already in place so that other agencies weren’t equally compromised,” said Dakin, chief executive of Coalfire, a major IT audit and compliance firm.

Revealed: How governments can take control of smartphones

Revealed: How governments can take control of smartphones

“Our latest research has identified mobile modules that work on all well-known mobile platforms, including as Android and iOS”

RT.com
June 25, 2014

‘Legal malware’ produced by the Italian firm Hacking Team can take total control of your mobile phone. That’s according to Russian security firm Kaspersky Lab and University of Toronto’s Citizen Lab(which also obtained a user manual).

Operating since 2001, the Milan-based Hacking Team employs over 50 people and offers clients the ability to “take control of your targets and monitor them regardless of encryption and mobility,” while “keeping an eye on all your targets and manage them remotely, all from a single screen.”

It’s the first time Remote Control Systems (RCS) malware has been positively linked with mobile phones and it opens up a new privacy threat potential to mobile phone users.

“Our latest research has identified mobile modules that work on all well-known mobile platforms, including as Android and iOS,” wrote Kaspersky researcher Sergey Golovanov.

“These modules are installed using infectors – special executables for either Windows or Macs that run on already infected computers. They translate into complete control over the environment in and near a victim’s computer. Secretly activating the microphone and taking regular camera shots provides constant surveillance of the target – which is much more powerful than traditional cloak and dagger operations.”

20140625-164404-60244101.jpg
Image from citizenlab.org

Police can install the spy malware directly into the phone if there is direct access to the device, or if the owner of the phone connects to an already infected computer, according to Wired.

Various softwares can also lure users to download targeted fake apps.

Once inside an iPhone, for instance, it can access and activate all of the following: control of Wi-Fi, GPS, GPRS, recording voice, e-mail, SMS, MMS, listing files, cookies, visited URLs, cached web pages, address book, call history, notes, calendar, clipboard, list of apps, SIM change, live microphone, camera shots, support chats, WhatsApp, Skype, and Viber.

20140625-164453-60293182.jpg
Image from citizenlab.org

While the malware can be spotted by some of the more sophisticated anti-virus software, it takes special measures to avoid detection – such as “scouting” a victim before installation, “obfuscating”its presence, and removing traces of its activity.

Hacking Team has maintained that its products are used for lawful governmental interceptions, adding that it does not sell items to countries blacklisted by NATO or repressive regimes.

Wired reported that there have been cases where the spying apps were used in illegal ways in Turkey, Morocco, and Saudi Arabia.

Citizen Lab discovered spying malware hiding in a legitimate news app for Qatif Today, an Arabic-language news and information service that reports on events in Saudi Arabia’s eastern Qatif region. It also argued that circumstantial evidence pointed to Saudi Arabia’s government using the spying malware against Shia protesters in the area.

“This type of exceptionally invasive toolkit, once a costly boutique capability deployed by intelligence communities and militaries, is now available to all but a handful of governments. An unstated assumption is that customers that can pay for these tools will use them correctly, and primarily for strictly overseen, legal purposes. As our research has shown, however, by dramatically lowering the entry cost on invasive and hard-to-trace monitoring, the equipment lowers the cost of targeting political threats for those with access to Hacking Team and Gamma Group toolkits,” Citizen Lab said in its report.

20140625-164550-60350694.jpg
Map showing the countries of the current HackingTeam servers’ locations (Image from securelist.com)

Hacking Team controls the spying malware remotely via command-and-control servers. Kaspersky has discovered more than 350 such servers in more than 40 countries. A total of 64 servers were found in the US – more than in any other country. Kazakhstan came in second, with a total of 49 servers found. Thirty-five were found in Ecuador and 32 in the UK.