Wednesday, September 9, 2015

How highly advanced hackers (ab)used satellites to stay under the radar

One of the world's most advanced espionage groups has already been caught unleashing an extremely stealthy trojan for Linux systems that for years siphoned sensitive data from governments and pharmaceutical companies around the world. Now researchers have discovered a highly unusual method that members of the so-called Turla group used to cover their tracks. They hijacked satellite-based Internet links to communicate with command and control servers.
Most available satellite-based Internet remains almost as limited now as when it was introduced two decades ago. It's slow and provides users only with a unidirectional download link. But there's something about the connections that made them highly attractive to Turla members: most satellite links are unencrypted and can be intercepted by anyone within a radius of more than 600 miles. That means a connection between someone located in, say, a remote location in Africa and a satellite-based ISP can be monitored or even hijacked by an attacker.
According to research published Wednesday by researchers from Moscow-based security firm Kaspersky Lab, that's precisely what Turla members did. The Russian-speaking hackers reserved the method only for their highest-profile targets, and even then used it only during advanced stages of an espionage campaign. According to Kaspersky Lab Senior Security Researcher Stefan Tanase, here's how they did it:

Friday, December 6, 2013

Still No Clues In The Million Dollar Bitcoin Heist

In late November 2013, thieves stole more than US $1 million in Bitcoins from Danish Bitcoin exchange and online wallet service BIPS. The company was first attacked on 15 and 17 November through a distributed denial-of-service (DDoS) attack that appears to have laid the groundwork for a subsequent attack that disabled BIPS security systems. According to the company, the initial DDoS attacks were "found to originate from Russia and neighboring countries." This facilitated the theft of the Bitcoins. Two other significant Bitcoin thefts have occurred recently: an Australian online wallet service lost US $1.4 million in Bitcoins, and a Chinese exchange lost more than US $4 million. The US Senate is now attempting to legislate on Bitcoin.

Tuesday, December 3, 2013

Government Must Improve its Cybersecurity, Technology Council Report Says

According to a report from a presidential technology council, the US government is not setting a good example in cybersecurity.  The report comes from the President's Council of Advisors on Science and Technology.  According to the report, "the Federal Government rarely follows accepted best practices."  The report further states that "Cybersecurity will not be achieved by a collection of static precautions, it requires a set of processes that continuously couple information about an evolving threat to defensive reactions and responses."

You may read a complete copy of the report at:

Saturday, November 30, 2013

Prevalent Malware: November 2013 Edition

Sourcefire has compiled the list of this month's most prevalent malware files.  The list provides the SHA-256 hash value for each file as well as a link to its entry on VirusTotal.  To assist computer forensics analysts and incident responders, the list also gives the typical file name and the fake publisher claimed by the malware.  Some notable examples of the identified malware files include:

SHA 256:
Typical Filename: UpdateTask.exe
Claimed Product: W32.Trojan.16l1
Claimed Publisher: None
SHA 256:
Typical Filename: FlashPlayerUpdateService.exe
Claimed Product: W32.Downloader:AgentASEBTrj.16mc.1201
Claimed Publisher: None

You may obtain a more complete list from Sourcefire or read a longer version of the list from AVM Technology Cybersecurity.
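A hash list like the one above is only useful once it is swept across a host. The following is an added example, not code from Sourcefire or from this blog: it walks a directory tree, hashes every file in chunks, and reports files whose SHA-256 is on a known-bad set, separately from files that merely carry one of the "typical filenames" quoted above. The IOC hash is computed from constructed sample bytes, because the extracted page shows no SHA-256 values; the file names in the fixture are likewise constructed.

```python
# Added example (not from the Sourcefire list or this blog): hash-sweep a
# directory tree against an IOC set of SHA-256 values and "typical filenames"
# like those published in the list. Chunked hashing keeps memory flat on large
# binaries; a name match alone is weaker evidence than a hash match, so the
# two reasons are reported separately.
import hashlib
import os
import tempfile
from pathlib import Path

# Filenames quoted in the list above, compared case-insensitively.
TYPICAL_NAMES = {"updatetask.exe", "flashplayerupdateservice.exe"}

# Constructed sample content standing in for a malware binary; it is just
# bytes, and its SHA-256 plays the role of a hash from the published list.
SAMPLE_CONTENT = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE\x00\x01\x02"

def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in 1 MiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(root, known_bad_sha256, typical_names):
    """Walk root; return {relative_posix_path: [reasons]} for each IOC hit."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            reasons = []
            digest = sha256_file(path)
            if digest in known_bad_sha256:
                reasons.append(f"sha256 {digest} is on the known-bad list")
            if name.lower() in typical_names:
                reasons.append(f"filename {name!r} is a typical malware name")
            if reasons:
                hits[Path(path).relative_to(root).as_posix()] = reasons
    return hits

def expected_sample_digest():
    """Reference digest computed in one shot, to cross-check chunked hashing."""
    return hashlib.sha256(SAMPLE_CONTENT).hexdigest()

def build_sample_tree():
    """Constructed fixture: the sample under its typical name, a renamed copy
    of it (hash hit only), and a benign file. Returns the temp root."""
    root = tempfile.mkdtemp()
    Path(root, "UpdateTask.exe").write_bytes(SAMPLE_CONTENT)
    Path(root, "sub").mkdir()
    Path(root, "sub", "svchost32.exe").write_bytes(SAMPLE_CONTENT)
    Path(root, "readme.txt").write_text("benign content\n")
    return root

def run_demo():
    """Sweep the constructed tree with the sample's digest as the only IOC."""
    root = build_sample_tree()
    known_bad = {expected_sample_digest()}
    return sweep(root, known_bad, TYPICAL_NAMES)

if __name__ == "__main__":
    for path, reasons in sorted(run_demo().items()):
        print(path)
        for reason in reasons:
            print("   ", reason)
```

Running it reports UpdateTask.exe with both reasons and sub/svchost32.exe with only the hash reason; readme.txt is not listed. The renamed copy is the point of the fixture: a filename list misses it, a hash list does not.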

Recent Vulnerabilities With Available Exploits: November 2013 Edition

The list of recent vulnerabilities for which exploits are available is out.  The list was created to help system administrators and computer incident responders prioritize their remediation activities.  It can also help computer forensics experts correctly identify some of these exploits when they turn up in an investigation.

A few notable exploits identified include:

ID:     CVE-2013-3918
Title:  Microsoft ActiveX Controls “InformationCardSigninHelper Class” Out-of-Bounds Memory Access Vulnerability
Vendor: Microsoft
Description: A remote code execution vulnerability exists in the InformationCardSigninHelper Class ActiveX control.  Specifically, the issue occurs in the way the “InformationCardSigninHelper Class” ActiveX control (icardie.dll) is loaded into Internet Explorer, which causes system state corruption.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID:     CVE-2013-3906
Title:  Microsoft Graphics Component Could Allow Remote Code Execution
Vendor: Microsoft
Description: Remote exploitation of a memory corruption vulnerability
in multiple Microsoft products could allow attackers to execute
arbitrary code on the targeted host. The issue occurs with how the TIFF
codec in Microsoft’s graphics component handles crafted TIFF files.
Processing crafted TIFF files can corrupt system memory and create an
exploitable condition.
CVSS v2 Base Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)

ID:     Not Available
Title:  D-Link Authentication Security Bypass Vulnerability
Vendor: D-Link
Description: Remote exploitation of a design-error vulnerability in D-Link Systems Inc.’s routers could allow attackers to bypass authentication restrictions. The router allows any client whose Web browser sends the User-Agent string “xmlset_roodkcableoj28840ybtide” to reach the Web interface of the device without supplying any authentication credentials.
Affects D-Link firmware v1.13; other versions may also be affected.
CVSS v2 Base Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)

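Because the bypass is keyed entirely on a fixed User-Agent string, it is easy to spot in HTTP logs. The following is an added example, not code from the advisory or from this blog: it parses access-log lines in the Apache/nginx "combined" format (as a proxy or IDS in front of the management interface would record them), flags requests carrying the backdoor string, and separates probes that were answered with 401 from requests that actually got a page back. The log lines are constructed, using RFC 5737 documentation addresses and invented URL paths.

```python
# Added example (not from the advisory or this blog): flag HTTP requests that
# present the D-Link backdoor User-Agent, working over constructed access-log
# lines in Apache/nginx "combined" format.
import re
from collections import Counter

# The string quoted in the advisory above. Matched case-insensitively as a
# substring, since a scanner may embed or recase it.
DLINK_BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

_COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line; None if it does not match."""
    m = _COMBINED_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def find_backdoor_requests(lines):
    """Return parsed records whose User-Agent carries the backdoor string."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and DLINK_BACKDOOR_UA in rec["ua"].lower():
            hits.append(rec)
    return hits

def summarize(hits):
    """Hits per client, plus the clients that got a 200 back (which separates
    a probe answered with 401 from a management page actually served)."""
    per_client = Counter(h["client"] for h in hits)
    succeeded = sorted({h["client"] for h in hits if h["status"] == "200"})
    return {"per_client": dict(per_client), "succeeded": succeeded}

# Constructed sample log (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Nov/2013:10:01:12 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"',
    '198.51.100.23 - - [28/Nov/2013:10:02:03 +0000] "GET /admin.html HTTP/1.1" 401 0 "-" '
    '"Mozilla/5.0"',
    '198.51.100.23 - - [28/Nov/2013:10:02:05 +0000] "GET /admin.html HTTP/1.1" 200 4096 "-" '
    '"xmlset_roodkcableoj28840ybtide"',
    '198.51.100.23 - - [28/Nov/2013:10:02:06 +0000] "GET /wan.html HTTP/1.1" 200 2048 "-" '
    '"xmlset_roodkcableoj28840ybtide"',
    '192.0.2.44 - - [28/Nov/2013:10:05:40 +0000] "GET / HTTP/1.1" 401 0 "-" '
    '"Mozilla/4.0 (compatible; XMLSET_ROODKCABLEOJ28840YBTIDE)"',
    "this line is deliberately not in combined format",
]

if __name__ == "__main__":
    hits = find_backdoor_requests(SAMPLE_LOG)
    print(summarize(hits))
```

On the sample, 198.51.100.23 first gets a 401 with an ordinary User-Agent, then two 200s with the backdoor string, which is the pattern of a successful bypass; 192.0.2.44 only probes and is refused. The vulnerable device itself will not keep logs like these, so the check belongs on whatever sits in front of its management port.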
The entire list is available from Qualys or you may read more at the AVM Technology, LLC blog.
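The CVSS v2 base scores printed with each entry are what drives the prioritization the list is meant to support, so it is worth being able to recompute them from the vector strings. The following is an added example, not code from Qualys or from this blog: a CVSS v2 base-score calculator using the weights and formula from the CVSS v2 guide, applied to the three vectors quoted above and then used to order the entries for remediation. The entry labels and the tie-breaking rule (higher exploitability first) are this example's own choices.

```python
# Added example (not from the Qualys list or this blog): a CVSS v2 base-score
# calculator run over the vector strings quoted above, then used to order the
# entries for remediation. Weights and formula are those of the CVSS v2 guide.
import re

# CVSS v2 metric weights.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # AccessVector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # AccessComplexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Conf/Integ/Avail impact

_VECTOR_RE = re.compile(
    r"^AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])$"
)

def parse_vector(vector):
    """Split 'AV:N/AC:M/Au:N/C:C/I:C/A:C' into its six metrics."""
    m = _VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return dict(zip(("AV", "AC", "Au", "C", "I", "A"), m.groups()))

def impact_subscore(c, i, a):
    return 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))

def exploitability_subscore(av, ac, au):
    return 20 * AV[av] * AC[ac] * AU[au]

def base_score(vector):
    """CVSS v2 base score rounded to one decimal; 0.0 when there is no impact."""
    v = parse_vector(vector)
    impact = impact_subscore(v["C"], v["I"], v["A"])
    expl = exploitability_subscore(v["AV"], v["AC"], v["Au"])
    f_impact = 0.0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * expl) - 1.5) * f_impact, 1)

def prioritize(entries):
    """entries: iterable of (label, vector). Returns [(label, score)] sorted by
    score, highest first; ties broken by exploitability so the bug that needs
    less from the attacker comes first. Stable for exact ties."""
    scored = []
    for label, vector in entries:
        v = parse_vector(vector)
        expl = exploitability_subscore(v["AV"], v["AC"], v["Au"])
        scored.append((label, base_score(vector), expl))
    scored.sort(key=lambda t: (-t[1], -t[2]))
    return [(label, score) for label, score, _ in scored]

# The three entries from the list above, in the order the list gives them.
NOVEMBER_2013 = [
    ("CVE-2013-3918", "AV:N/AC:M/Au:N/C:C/I:C/A:C"),
    ("CVE-2013-3906", "AV:N/AC:M/Au:N/C:C/I:C/A:C"),
    ("D-Link auth bypass", "AV:N/AC:L/Au:N/C:C/I:C/A:C"),
]

if __name__ == "__main__":
    for label, score in prioritize(NOVEMBER_2013):
        print(f"{score:5.1f}  {label}")
```

The calculator reproduces the 9.3 and 10.0 shown in the list; the only difference between the two vectors is AC:M versus AC:L, which is why the D-Link bypass sorts to the top. The classic AV:N/AC:L/Au:N/C:P/I:P/A:P vector scores 7.5, and a vector with no impact scores 0.0 regardless of exploitability.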

Tuesday, March 5, 2013

More Java Zero-Day Exploits

A Polish security firm has discovered two new vulnerabilities to add to this year's list of Java zero-day bugs.  The two newly found vulnerabilities are referred to as “issue 54” and “issue 55.”  Apparently, one of the flaws fixed in Oracle’s recent patches for Java is under attack, and when that bug is paired with another, separate vulnerability, the sandbox in the latest build of Java can be bypassed.  Code to exploit the vulnerability is already being distributed.  On the plus side, it appears that the vulnerability only affects Java SE 7 and stems from a problem with the Java Reflection API.  Speaking of Java zero-day vulnerabilities, SecurityObscurity has a post dedicated to CVE-2013-0422.

Thursday, January 3, 2013

Internet Explorer Zero-Day Flaw Continues

This attack uses Adobe Flash to exploit a vulnerability in Internet Explorer 8.  Microsoft claims that the vulnerability only affects Internet Explorer 6-8 and that people using Internet Explorer 9-10 are not impacted.  The attack involves the targeted compromise of legitimate websites thought to be of interest to or frequented by end users who belong to organizations that attackers wish to infiltrate.

The network penetration testing community already has the tools to test for it: there is now a Metasploit module (ie_cdwnbindinfo_uaf) that emulates this attack.  This also means that the vulnerability will be exploited rapidly, so users are encouraged to take immediate mitigation steps.  Users running Windows XP should use a browser other than Internet Explorer, and corporate security staff should review Microsoft’s recommendations to build a layered defense to protect staff.  Microsoft's workaround options can be found at:
and at:
Microsoft FixIt workaround: