April 20, 2014

36 million euros stolen from banking customers across Europe using mobile malware

(LiveHacking.Com) – A sophisticated and complex attack has been used to systematically steal millions from banking customers, both corporate and private, across Europe. By using a combination of malware for the PC and malware for mobile, the attackers have been able to intercept the SMS messages that banks use as part of their two-factor authentication process. First the attackers would infect the victim’s PC and then their mobile phone. Once the two-factor authentication was bypassed, the criminals used the corresponding transaction authentication number (TAN) to automate transfers of funds out of the victims’ accounts. The sums varied in size from €500 to €250,000.

According to Check Point, the firewall maker, an estimated €36+ million has been stolen from more than 30,000 corporate and private bank accounts. The attack campaign has been named “Eurograbber” by Versafe and Check Point Software Technologies, who have released a case study about the criminals’ activities. Using a variant of the Zeus-In-The-Mobile Trojan, the attackers completely monitored and manipulated the victims’ online banking sessions. The mobile part of the attack used malware developed for both the BlackBerry and Android platforms.

“Cyberattacks are constantly evolving to take advantage of the latest trends. As online and mobile banking continue to grow, we will see more targeted attacks in this area, and Eurograbber is a prime example,” said Gabi Reish, Head of Product Management at Check Point Software Technologies. “The best way to prevent these attacks is with a multi-layered security solution that spans network, data, and endpoints, powered by real time threat intelligence.”

In the ongoing battle between cyber-criminals and IT infrastructure designers, cyberattacks have become more sophisticated. The Eurograbber attack found the weakest link in the chain: the banking customers and their devices. In this case, by unwittingly installing malware on their PC and phone, the victims allowed the attackers to launch and automate their attacks and avoid traceability.

Check Point has notified the banks involved and is actively working with law enforcement agencies to halt any current or future attacks. The report ends by reminding individual users that they must be steadfast in ensuring all of their desktops, laptops and tablets have all possible security layers enabled and are kept current with software and security updates to ensure the best protection possible.

Tumblr attacked with viral worm that posts hate messages

(LiveHacking.Com) – The GNAA, an “anti-blogging” group, is claiming responsibility for a worm which hit Tumblr this week. The worm posted unpleasant messages on victims’ accounts and spread when others viewed the post. The text posted on victims’ blogs starts with “Dearest Tumblr users,” but it quickly turns into a bewildering rant about the “self-indulgent” and “decadent” ways of Tumblr bloggers.

The GNAA, whose acronym is intentionally inflammatory and isn’t worth repeating here, has attacked other major sites in the past including CNN, President Obama’s re-election campaign and Wikipedia. As another “prank” the group pretended to be looters on Twitter in the aftermath of Hurricane Sandy. In an interview, a spokesman for the group claimed they told Tumblr weeks ago about the potential security vulnerability but were ignored.

During the attack Tumblr posted the following status message: “There is a viral post circulating on Tumblr which begins “Dearest ‘Tumblr’ users”. If you have viewed this post, please log out of all browsers that may be using Tumblr immediately. Our engineers are working to resolve the issue as swiftly as possible. Thank you.”

An analysis of the worm by Sophos shows that “the worm took advantage of Tumblr’s reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages.” The post contained a base64 string of encoded JavaScript, which itself was hidden inside an iframe. The JavaScript then downloaded more code from a subdomain of strangled.net.

“It shouldn’t have been possible for someone to post such malicious JavaScript into a Tumblr post – our assumption is that the attackers managed to skirt around Tumblr’s defences by disguising their code through Base 64 encoding and embedding it in a data URI,” wrote Graham Cluley of Sophos.
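As an added illustration (not code from the original article, from Sophos or from Tumblr), the Python scanner below shows how a content filter can catch the trick Cluley describes: it walks submitted HTML, decodes any data: URI carried by an iframe or similar attribute (base64 or percent-encoded), and flags payloads that decode to script. The sample post is constructed and its payload is harmless.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Generic data: URI shape: data:[<mediatype>][;param...],<payload>
DATA_URI_RE = re.compile(r"^data:([^;,]*)((?:;[^;,]*)*),(.*)$", re.IGNORECASE | re.DOTALL)
# Strings that should never appear in user-supplied embedded content.
SCRIPT_MARKERS = ("<script", "javascript:", "document.cookie", "xmlhttprequest")
# Attributes that can carry a data: URI into a post.
URI_ATTRS = ("src", "href", "data")


def decode_data_uri(uri):
    """Return the decoded payload of a data: URI as text, or None if it is not one."""
    m = DATA_URI_RE.match(uri.strip())
    if not m:
        return None
    _mediatype, params, payload = m.groups()
    if ";base64" in params.lower():
        try:
            return base64.b64decode(payload).decode("utf-8", errors="replace")
        except ValueError:  # binascii.Error is a ValueError: malformed base64
            return None
    return unquote(payload)  # plain data: URIs are percent-encoded


class PostScanner(HTMLParser):
    """Collects findings for inline scripts and data: URIs that decode to script."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("inline <script> element")
        for name, value in attrs:
            if name not in URI_ATTRS or not value:
                continue
            decoded = decode_data_uri(value)
            if decoded is None:
                continue
            hits = [m for m in SCRIPT_MARKERS if m in decoded.lower()]
            if hits:
                self.findings.append(f"<{tag} {name}> data: URI decodes to script: {', '.join(hits)}")


def scan_post(html):
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    scanner = PostScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample mirroring the described technique: base64-encoded script
# hidden in a data: URI inside an iframe.
CONSTRUCTED_PAYLOAD = base64.b64encode(b"<script>document.cookie</script>").decode()
SAMPLE_POST = (
    "<p>Dearest Tumblr users,</p>"
    f'<iframe src="data:text/html;base64,{CONSTRUCTED_PAYLOAD}"></iframe>'
)

if __name__ == "__main__":
    for finding in scan_post(SAMPLE_POST):
        print(finding)
```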

According to SCMagazine, Tumblr has fixed the security issue which allowed the worm to spread. The worm did no damage other than spreading the inflammatory spam message. According to Tumblr, users’ accounts were not compromised.

The fix was confirmed by the blogging platform: “Tumblr engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs. Thanks for your patience.”

Egyptian hacker selling Yahoo! Mail exploit for $700

(LiveHacking.Com) – An Egyptian hacker is selling a zero-day exploit for Yahoo! Mail that lets an attacker hijack email accounts. The hacker is offering the exploit for $700 on a hacking-related black market website. The exploit uses a cross-site scripting (XSS) vulnerability in yahoo.com that allows an attacker to steal cookies. Once the cookie has been stolen the attacker can send or read email from the victim’s account.

The hacker created a video for potential buyers on the Darkode cybercrime forum. In the video a method for accessing the victim’s account is demonstrated. For the exploit to work the attacker must trick the user into clicking on a specially-crafted link. Brian Krebs has got hold of the video and posted it to YouTube.

As part of the sales pitch the hacker wrote, “I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers. And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!” Notice how he uses his entrepreneurial skills to drop the price to just $700.

Brian Krebs has informed Yahoo! of the problem. According to Ramses Martinez, director of security at Yahoo!, the problem for the engineers is to work out exactly which URL is susceptible, as it isn’t clear from the video. Once found, it should be easy enough to fix.

XSS attacks are unfortunately all too common. The site Xssed.com hosts an archive of reported XSS vulnerabilities, including several examples of other XSS flaws in yahoo.com. XSS attacks work by getting an unsuspecting user to click on a malicious link. Once clicked, a script is executed in the victim’s browser and can access cookies, session tokens or other sensitive information stored by the browser. This information can then be stolen by the attacker.

Two machines attacked within the FreeBSD.org cluster

(LiveHacking.Com) – Just over a week ago the FreeBSD team detected an intrusion on two of its machines in the FreeBSD.org cluster. As a result the affected machines were taken offline while the team investigated. As a precaution, most of the remaining infrastructure machines were also taken offline. The investigation has revealed that the compromise occurred due to a leaked SSH key. No vulnerability or code exploit within FreeBSD was found. However, the most alarming thing is that the attack and subsequent compromise may have occurred as early as 19th September 2012.

FreeBSD is divided into two segments: the “base” which includes the kernel; the system libraries; the compiler; and the core command-line tools and daemons, and the “packages” which are the third-party components distributed as part of the overall FreeBSD system. According to the security advisory published by the FreeBSD team, “no part of the base FreeBSD system has been put at risk. At no point has the intruder modified any part of the FreeBSD base system software in any way. However, the attacker had access sufficient to potentially allow the compromise of third-party packages.”

The investigation has concluded that although the attacker had sufficient access to compromise the third-party packages, no evidence has been found that any packages were modified. But the FreeBSD team is taking an extremely conservative view and is working on the assumption that packages generated and distributed between the 19th September and 11th November 2012 could theoretically have been modified.

Who’s affected?

You have no reason to worry if:

  • you are running a system that has had no third-party packages installed or updated on it between the 19th September and 11th November 2012.
  • you rely on the Source, Ports and Documentation Subversion repositories to make updates.
  • you use the freebsd-update binary upgrade mechanism (it uses an entirely separate infrastructure).

However, for everyone else the FreeBSD project cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors. Those affected should re-install any such machines from scratch, using trusted sources.

The package set built for the upcoming 9.1-RELEASE has been deleted, and will be rebuilt from source before 9.1 is released. With regards to the cluster machines, all suspect machines are being either reinstalled, retired, or thoroughly audited before being brought back online.

In brief: Callcentric hit by malicious series of DDoS attack

(LiveHacking.Com) – Callcentric, a VoIP Internet phone service, has sent an email to its subscribers telling them about a malicious series of DDoS attacks which have been launched against the service. The company is treating the attacks as a direct criminal act with clear malicious intent, based on the persistent, aggressive and evolving nature of the attacks. The company has been in direct contact with the FBI and FCC to report the matter and to prompt an investigation.

According to the email, the attacks are targeting Callcentric’s SIP Servers:

  • As a result of these attacks, users may experience drops in system registration, which can ultimately lead to inconsistent inbound/outbound calling results.
  • Customers using “Call Forwarding” to temporarily route their inbound calls to a 3rd party number (SIP URI, cellphone, PSTN line, etc.) should not experience difficulty in receiving calls.

“We can appreciate and share in everyone’s frustration regarding these malicious attacks and we continue to work around the clock to deploy software\hardware updates and upgrades in effort to mitigate against them,” said Callcentric. “At Callcentric we have always been and remain committed to providing great value, reliable service, and putting our customers first. Once this matter has been fully resolved our corporate management team will be performing a complete review and we will work to provide a fair resolution to address any inconvenience that our customers have experienced resulting from these attacks.”

Chinese hackers reportedly breached White House systems used for nuclear commands

(LiveHacking.Com) – The Washington Free Beacon is reporting that hackers with connections to the Chinese government have breached one of the U.S. government’s computer systems used for nuclear commands. The hack, which is said to have taken place earlier this month, used servers in China to access the computer network used by the White House Military Office (WHMO).

The WHMO is the president’s military office which handles not only presidential communications and inter-government teleconferences, but also communications relating to strategic nuclear commands. The so-called “nuclear football” is the nuclear command and control suitcase used by the president which enables him to be in constant communication with the USA’s strategic nuclear forces.

According to an unidentified national security official the instant the attack was identified, the system was isolated, and there are no indications that any data was copied. It is thought that since the WHMO handles such important communications it is likely the work of Chinese military cyber warfare specialists under the direction of a unit called the 4th Department of General Staff of the People’s Liberation Army, or 4PLA.

“The White House network would be the crown jewel of that campaign, so it is hardly surprising that they would try their hardest to compromise it,” said former McAfee cyber threat researcher Dmitri Alperovitch, who now works for CrowdStrike.

The revelation of the attack comes only days after Rear Admiral Samuel Cox, the U.S. Cyber Command’s top intelligence officer, accused China of persistent efforts to pierce Pentagon computer networks. He also said a proposal was moving forward to boost the cyber command in the U.S. military hierarchy.

The White House has so far given no comment on the cyber attack, or on whether President Obama was notified of the incident.

However, there are questions being raised over the validity of the claims made by The Washington Free Beacon. In the original report an Obama administration national security official is reported to have said “This was a spear phishing attack against an unclassified network.” This is interesting for two reasons:

  1. A spear phishing attack isn’t really a hack, but rather a targeted email which tries to solicit information from the recipient.
  2. The unclassified network mentioned means a normal non-secret network rather than a classified or “high side” encrypted network.

SourceForge distributes phpMyAdmin with backdoor after mirror hacked

(LiveHacking.Com) – SourceForge has stopped using one of its mirrors in Korea after the popular open source website was alerted to a corrupted copy of phpMyAdmin being served from that site. The ‘cdnetworks-kr-1’ mirror in Korea was immediately removed from rotation when it was discovered that the mirror had been hacked (via an as yet unknown vector) and had started serving a modified copy of phpMyAdmin-3.5.2.2-all-languages.zip with a built-in backdoor which allowed the execution of arbitrary commands.

According to an advisory posted on the phpMyAdmin website, the backdoor is located in the file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified.

SourceForge has examined its logs and has identified around 400 users who downloaded the hacked file. Where possible, SourceForge has sent emails to those users it was able to identify through the logs.

SourceForge is currently conducting additional validation to confirm that only one file was modified on the ‘cdnetworks-kr-1’ mirror and will post an update once this process is complete. For the moment the mirror remains out of rotation.

Anyone concerned that they may have downloaded a corrupt version of the popular MySQL administration software should check the phpMyAdmin distribution and download it again from a trusted mirror if it contains the file server_sync.php.
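As an added check (not tooling from SourceForge or the phpMyAdmin project), the Python below compares a downloaded archive against a copy obtained from a trusted mirror and reports members that were added, modified or removed, so that both the tell-tale server_sync.php and the altered js/cross_framing_protection.js show up; it also supports the quick presence check when no trusted copy is at hand. The archives are constructed in memory with stand-in content, not the real distribution.

```python
import hashlib
import io
import zipfile

# File named in the phpMyAdmin advisory as carrying the backdoor.
BACKDOOR_FILE = "server_sync.php"


def member_digests(zip_bytes):
    """Map each file in the archive (top-level directory stripped) to its SHA-256."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = info.filename.split("/", 1)[1] if "/" in info.filename else info.filename
            digests[path] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests


def audit_archive(downloaded, trusted):
    """Return (added, modified, missing) member paths relative to the trusted copy."""
    got, ref = member_digests(downloaded), member_digests(trusted)
    added = sorted(p for p in got if p not in ref)
    modified = sorted(p for p in got if p in ref and got[p] != ref[p])
    missing = sorted(p for p in ref if p not in got)
    return added, modified, missing


def is_suspect(downloaded, trusted=None):
    """Quick check for the advisory's tell-tale file; full comparison when a trusted copy exists."""
    if BACKDOOR_FILE in member_digests(downloaded):
        return True
    if trusted is None:
        return False
    added, modified, _missing = audit_archive(downloaded, trusted)
    return bool(added or modified)


def build_zip(files):
    """Build an in-memory zip from {path: text}; constructed sample data only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


PREFIX = "phpMyAdmin-3.5.2.2-all-languages/"  # top-level directory of the real archive
# Stand-in contents: the real files are not reproduced here.
TRUSTED_ZIP = build_zip({
    PREFIX + "index.php": "<?php /* stand-in */ ?>",
    PREFIX + "js/cross_framing_protection.js": "// stand-in, unmodified",
})
TAMPERED_ZIP = build_zip({
    PREFIX + "index.php": "<?php /* stand-in */ ?>",
    PREFIX + "js/cross_framing_protection.js": "// stand-in, altered",
    PREFIX + "server_sync.php": "<?php /* stand-in for the injected file */ ?>",
})

if __name__ == "__main__":
    print(audit_archive(TAMPERED_ZIP, TRUSTED_ZIP))
```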

In brief: GoDaddy outage was not due to hacking

(LiveHacking.Com) – As reported yesterday, GoDaddy suffered an interruption to its services on Monday starting shortly after 10 a.m. PDT. The company, which is one of the world’s biggest domain registrars and web hosts, managed to restore full services by 4 p.m. PDT. It was thought that the down time was due to a denial of service attack, as a user on Twitter, who claimed to be an official member of the hacking group Anonymous, took sole responsibility for the alleged attack, stating, “was only me not the Anonymous [collective]”.

However GoDaddy has now completed its investigation and is reporting that the incident was not related to a “hack”.

“The service outage was not caused by external influences. It was not a ‘hack’ and it was not a denial of service attack (DDoS). We have determined the service outage was due to a series of internal network events that corrupted router data tables. Once the issues were identified, we took corrective actions to restore services for our customers and GoDaddy.com. We have implemented measures to prevent this from occurring again,” said Scott Wagner, CEO of GoDaddy, in a statement.

What happens when a big web hosting service has troubles – Did Anonymous hack GoDaddy?

(LiveHacking.Com) – GoDaddy suffered an outage yesterday that left millions of users frustrated. The cause of the outage, which lasted about four hours, has yet to be confirmed by GoDaddy, but a hacker known as @AnonymousOwn3r has claimed sole responsibility for the alleged attack, stating, “was only me not the Anonymous [collective]”. According to his Twitter profile, AnonymousOwn3r is an official member of Anonymous.

GoDaddy, which is one of the world’s largest web hosting providers and domain registrars, first mentioned a problem on Twitter just after 1:30 p.m. ET. The tweet said: “Status Alert: Hey, all. We’re aware of the trouble people are having with our site. We’re working on it.”

GoDaddy’s main website also went down for a short time with the message:

We are experiencing problems. We understand this is impacting some customers and we take this situation very seriously. Everyone at GoDaddy.com is working to restore all sites affected by this outage as soon as possible.

After some 7 hours, the GoDaddy Twitter account was updated: “Most customer hosted sites back online. We’re working out the last few kinks for our site & control centers. No customer data compromised.”

The key to that statement was that no customer data was compromised. From this we can ascertain that the attack was a denial of service attack and not a security breach. According to ZDNet, the problem was that GoDaddy’s DNS servers were not resolving and so took many websites offline. Even if the site wasn’t hosted by GoDaddy but GoDaddy was the domain registrar then the site itself became unavailable.

Of course the people hit the hardest by this attack are the web site owners themselves. GoDaddy has a large engineering staff which is dedicated to keeping their servers up and running. But as Darnell Clayton, a normal web user, mentioned in a tweet to AnonymousOwn3r, not only was his site down, “but so are millions of struggling small biz owners.” I don’t think that those who lost potential income, bread taken from the mouths of their children, will find any pleasure in AnonymousOwn3r’s skill set.

Hackers breach externally hosted database used by UK’s Hertfordshire Police

(LiveHacking.Com) – A website belonging to the UK’s Hertfordshire Police has been hacked and what appear to be login details, passwords and other details have been published online. The database for the Safer Neighbourhood Teams website, which was externally hosted, held personal data including phone numbers and IP addresses that related to a number of officers.

In a statement given to the BBC, Hertfordshire Constabulary said it was currently investigating the publication of information stored on a database linked to the public Safer Neighbourhoods pages of the external Constabulary website, and that the site has been temporarily disabled. “There is absolutely no suggestion that any personal data relating to officers or members of the public has been, or could have been compromised. Nevertheless matters of IT security are extremely important to the Constabulary and an investigation is already under way.”

The hack seems to have been motivated by the current plight of WikiLeaks founder Julian Assange. There has been a rise in the number of hacking attacks since the UK government said it would arrest and extradite Mr Assange if he left Ecuador’s embassy in London. An “OpFreeAssange” banner was included with the database details that were posted online, as well as a quote from the WikiLeaks founder. However, the hacker was also keen to point out that he wasn’t part of the infamous hacking group Anonymous.

Catalin Cosoi, chief security researcher at Bitdefender, said to SC Magazine: “The unknown attacker extracted from the second breached website what appear to be police officers’ email addresses, passwords to those email accounts and a list of PINs probably employed as additional safety tools. Several user logs have also been made public, exposing a list of employee names and corresponding IPs that could be used in cyber crime operations requiring identification of a specific machine, containing a particular type of data.”

Questions are now being asked about why a police force was using an externally hosted website. The problem with any third-party supplier is that its security practices and procedures are unknown and outside the control of the client, in this case a police force. This attack highlights the need for anyone (including public sector organisations) using external hosting to validate the security of the external service.