June 14, 2021

300,000 home routers and modems hacked

New research by Team Cymru’s Threat Intelligence Group has found that attackers have been changing the DNS settings on thousands of consumer-grade small office and home (SOHO) routers. With control of the DNS settings the attackers can answer the victims’ DNS queries with whatever addresses they choose, redirecting traffic to servers under their control and effectively mounting a Man-in-the-Middle attack.

The biggest risk is to people accessing financial sites: a compromised router can send them to a fake website that captures their login credentials. The attackers could also inject their own adverts into the web pages people visit or alter search results.

The team started its investigation in January 2014 and to date has identified over 300,000 compromised devices, mostly in Asia and Europe. Once a device has been compromised its DNS settings are changed to point at two attacker-controlled DNS servers. The majority of the affected routers appear to be in Vietnam, but other affected countries include India, Italy and Thailand.
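One practical check for this kind of hijack is to ask the resolver the router hands out for a sensitive name and compare its answer with a trusted reference. The Python below is an added example, not code from Team Cymru’s report: it builds a DNS A query in wire format, parses the reply’s answer section (including name compression, which most resolvers use) and flags any address that the trusted set does not contain. The name bank.example, the addresses 203.0.113.5 and 198.51.100.10 and the reply bytes are all constructed for the demonstration; only query_resolver() talks to the network, and it is not needed to run the checks.

```python
"""Compare A-record answers from an untrusted resolver against a trusted set.

Added example for spotting DNS-settings hijacks on SOHO routers. Standard
library only, so it can be dropped onto any host behind the router.
"""
import random
import socket
import struct


def _encode_name(name):
    """Encode 'bank.example' as DNS labels: \\x04bank\\x07example\\x00."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234):
    """Standard recursive A/IN query in wire format."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + _encode_name(name) + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after the field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                          # a pointer terminates the field
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg, expected_txid=None):
    """Return {name: set(ipv4)} from the answer section of a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction id mismatch: reply does not match our query")
    if flags & 0x8000 == 0:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                                 # skip the question section
        _, off = _read_name(msg, off)
        off += 4                                        # QTYPE + QCLASS
    answers = {}
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            answers.setdefault(name, set()).add(socket.inet_ntoa(rdata))
    return answers


def find_mismatches(observed, trusted):
    """Names whose observed addresses are not all in the trusted set."""
    return [(name, ips, trusted.get(name, set()))
            for name, ips in observed.items()
            if not ips <= trusted.get(name, set())]


def query_resolver(name, server, timeout=2.0):
    """Live query to `server` (for example the router's DHCP-supplied resolver)."""
    txid = random.randrange(0x10000)                    # random id: harder to spoof a reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(512)
    return parse_a_records(data, expected_txid=txid)


def build_reply(name, ips, txid=0x1234, ttl=60):
    """Constructed reply for offline testing; each RR points back at the question name."""
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)  # QR=1, RD, RA
    question = _encode_name(name) + struct.pack(">HH", 1, 1)
    rrs = b"".join(b"\xC0\x0C" + struct.pack(">HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
                   for ip in ips)
    return header + question + rrs


# Constructed scenario: the router's resolver answers with an attacker address.
TRUSTED = {"bank.example": {"198.51.100.10"}}
ROGUE_REPLY = build_reply("bank.example", ["203.0.113.5"])

if __name__ == "__main__":
    for name, seen, good in find_mismatches(parse_a_records(ROGUE_REPLY), TRUSTED):
        print(f"ALERT {name}: resolver returned {sorted(seen)}, expected {sorted(good)}")
```

In practice the trusted set would be populated by querying a resolver you control (or several, over a path that does not go through the suspect router) rather than hard-coded; a mismatch on a bank or webmail name is a strong signal that the router’s DNS settings have been altered, and the fix is to reset the router, patch its firmware and change its admin password before re-checking.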

“Many cyber crime participants have become used to purchasing bots, exploit servers, and other infrastructure as managed services from other criminals,” wrote the report authors. “We expect that these market forces will drive advances in the exploitation of embedded systems as they have done for the exploitation of PCs.”

Unfortunately routers from more than one manufacturer appear to be vulnerable, and the attackers are using multiple exploit techniques. The research has not uncovered any new or previously unknown vulnerabilities; instead the report shows that the techniques and vulnerabilities observed have been in the public domain for well over a year, so the attackers are exploiting known, unpatched devices rather than anything novel.

The two DNS servers used in the attack belong to a hosting company in south London. The BBC has contacted the company but has yet to receive a response. Team Cymru has contacted the relevant law enforcement agencies about the attack and informed the ISPs that have the bulk of the compromised customers.


Zero-day vulnerability in Windows XP being exploited via a malicious PDF file

Microsoft has issued a warning to all users of its aging Windows XP operating system about a zero-day vulnerability that allows attackers to gain elevated privileges. Once the attackers have system-level privileges they can install programs; view, change or delete data; or create new accounts with full administrative rights. Because the flaw is a local privilege escalation, attackers first need to run code on the machine as an ordinary user; in the attacks observed so far that initial foothold comes from a malicious PDF file.

The vulnerability is in the Windows kernel and affects Windows Server 2003 as well as XP. Once exploited, an attacker can run arbitrary code in kernel mode, which gives them full control of the system.

According to the description of CVE-2013-5065, NDProxy.sys in the kernel of Microsoft Windows XP SP2 and SP3 and Windows Server 2003 SP2 allows local users to gain privileges via a crafted application. The vulnerability is being exploited in the wild.

Microsoft has issued a workaround for the vulnerability; however, applying it causes services that rely on the Windows Telephony Application Programming Interface (TAPI) to stop working, including Remote Access Service (RAS), dial-up networking and virtual private networking (VPN). Full details of the workaround, which disables NDProxy.sys and reroutes all requests to Null.sys, can be found in Microsoft’s security advisory.

According to Symantec there have been a “small number” of in-the-wild attacks happening since early November. Users in the U.S., India, Australia, Saudi Arabia and throughout Europe were targeted.

This is the second zero-day vulnerability to be recently exposed in Windows. At the beginning of November Microsoft released  a security advisory about a vulnerability in Windows Vista and Windows Server 2008, Microsoft Office 2003 to 2010, and all supported versions of Microsoft Lync, that is being exploited in the wild and targeting PC users mainly in the Middle East and South Asia.

Adobe Acrobat source code stolen along with 2.9 million customer records

(LiveHacking.Com) – Adobe has suffered what it is calling a series of “sophisticated attacks” on its network, resulting in the theft of customer information as well as source code for numerous Adobe products, including Adobe Acrobat.

Adobe currently believes that the attackers stole customer IDs and encrypted passwords, as well as personal and financial information relating to 2.9 million of its customers. The stolen data includes customer names and encrypted credit or debit card numbers and expiration dates.

As a result of the breach Adobe has reset the affected customers’ passwords and notified the customers whose credit or debit card information was taken. Adobe is also offering those customers the option of a one-year complimentary credit monitoring membership. Adobe has also notified the banks that process its customer payments and has contacted the relevant federal law enforcement agencies.

In what is being seen as a related incident, Adobe is investigating the unauthorized access of source code for Adobe Acrobat, ColdFusion and ColdFusion Builder. Brian Krebs, a former reporter for The Washington Post and a renowned security expert, spotted a 40 GB source code dump stored on a server used by known cyber criminals. The dump contained huge repositories of uncompiled and compiled code that appeared to be for ColdFusion and Adobe Acrobat. Krebs told Adobe about the dump, and Adobe then revealed to him that the company had been investigating a breach of its networks since Sept. 17, 2013.

“We are in the early days of what we expect will be an extremely long and thorough response to this incident,” said Adobe’s Chief Security Officer Brad Arkin. “We’re still at the brainstorming phase to come up with ways to provide higher levels of assurance for the integrity of our products, and that’s going to be a key part of our response. We are looking at malware analysis and exploring the different digital assets we have. Right now the investigation is really into the trail of breadcrumbs of where the bad guys touched.”

Adobe says it is not aware of any zero-day exploits targeting any Adobe products. However, as always, it recommends that customers use only supported versions of its software and apply all available security updates.

In an unrelated announcement, Adobe confirmed it will be releasing critical security updates next Tuesday for Adobe Acrobat and Adobe Reader.

Belgium’s largest telecommunications company victim of a nation-state sponsored spying campaign

The Belgian government has revealed that a foreign state has been spying on its largest telecommunications company, Belgacom. The company, which is a top-tier carrier for voice traffic in Africa and the Middle East, was hacked by an intruder with significant financial and logistical means.

According to the Belgian daily newspaper De Standaard, the NSA is responsible for the attack and the agency has been monitoring international telephone traffic through Belgacom for two years. It is thought that the NSA was primarily interested in Belgacom’s subsidiary BICS, which provides international phone lines for Africa and the Middle East.

“This fact, combined with the technical complexity of the hacking and the scale on which it occurred, points towards international state-sponsored cyber espionage,” Federal prosecutors said in a statement.

The government of Belgium, which has a majority stake in Belgacom, condemned the intrusion but did not actually accuse the USA directly. The hack was performed using malware with advanced encryption techniques. Belgacom has now removed the unknown malware from its internal systems.

These latest accusations come in the midst of further revelations about the NSA’s activities thanks to documents released by Edward Snowden. According to the Brazilian television network Globo, the NSA has been spying using the computer systems of companies including Google Inc. and the Brazilian state oil firm Petroleo Brasileiro. It is also alleged that the NSA hacked into France’s Foreign Ministry and has been snooping on international financial transactions made via the Belgian-based international banking cooperative SWIFT.

Tor users exposed due to vulnerability in Firefox 17

Users of the popular Tor anonymity tool have been exposed to malware that can reveal the user’s IP address. According to an announcement made on a Tor mailing list, the Tor Browser Bundle is susceptible to a Firefox JavaScript vulnerability, and this vulnerability has been exploited in the wild.

Although all Tor users are potentially vulnerable it appears that the malware, which is exploiting the bug, targets only Windows users. The vulnerability allows arbitrary code execution and the observed attack appears to collect the hostname and MAC address of the Tor user and send them to a remote web server. According to the Tor project, “it’s reasonable to conclude that the attacker now has a list of vulnerable Tor users who visited those hidden services.”

While outlining what users can do, besides upgrade to the latest version of the Tor Browser Bundle which contains a fixed version of Firefox, the email suggested that, “switching away from Windows is probably a good security move for many reasons.”

The malware used to unmask Tor users is possibly linked to the FBI: on Friday a large number of “hidden services” disappeared from Tor, and a man in Ireland was arrested on a warrant issued by the FBI in connection with child pornography charges that allegedly involved the Tor network.

According to the Electronic Frontier Foundation, which issued a statement about the attack, the Tor anonymity tool is often used by human rights activists, journalists, political dissidents and whistleblowers since it allows them to use the web anonymously and avoid different surveillance and censorship techniques.

Four-star General under investigation for leaking details of Stuxnet attack

(LiveHacking.Com) – New reports suggest that the FBI is starting a new investigation into the public leak about the Stuxnet worm. According to NBC, a retired four-star U.S. Marine Corps general with a close relationship to President Barack Obama is under investigation for leaking details of the cyber-attack.

Gen. James Cartwright, the former vice chairman of the Joint Chiefs of Staff, has been told he is under investigation for allegedly disclosing details of the US cyber-attack on Iran’s nuclear facilities. The original FBI investigation looked into possible White House sources; the agency has now turned its attention towards possible military leaks, including Cartwright.

When the worm first escaped the confines of Iran’s Natanz plant and started infecting computers across the globe, the origin and purpose of the malware was unclear. Over time more and more details of the worm’s activity were analysed, and finally, thanks to an internal leak in the US government, it was confirmed (though not publicly) that the National Security Agency had developed Stuxnet in tandem with the Israelis.

According to the  New York Times report on 1 July, 2012, Stuxnet was created under a project known as “Operation Olympic Games” as part of an American and Israeli effort to undermine Iran’s nuclear program.

Stuxnet was designed to destroy the centrifuges used in Iran’s uranium enrichment program and targeted Siemens supervisory control and data acquisition systems (SCADA) which controlled the industrial processes at the Natanz enrichment facilities.

Chevron claimed it also had trouble with Stuxnet, once it had gone global, as it too uses SCADA based systems. However Chevron says none of its equipment was damaged.

There are likely to be other cases of Stuxnet infections in industrial plants across the U.S. and mainland Europe that have gone unreported for reasons of security or to avoid embarrassment.

Sky hacked by the Syrian Electronic Army

(LiveHacking.Com) – Several apps belonging to British Sky Broadcasting (Sky) have been removed from Google’s official Android app store following an attack on Sky by the Syrian Electronic Army. The SEA also hacked into one of Sky’s Twitter accounts, where it urged readers to download the newly defaced apps. The SEA aligns itself with Syrian President Bashar al-Assad but denies that it operates under the orders of his government.

As part of the hack six of Sky’s Android apps were defaced by having their logos replaced with the SEA logo. The descriptions of the apps, which included the company’s Sky News, Sky Sports News, Sky Sports Football, Sky WiFi, Sky+ and Sky Go apps, were also altered to read: “Syrian Electronic Army Was Here”. The screenshots for the apps were replaced as well.

The attack on a Google Play account is something new for the SEA, which until now has focused on breaching the social media accounts of media companies and western politicians. Normally, once an account was hacked the SEA would publish false information. Last month the SEA took over AP’s Twitter account and published a false tweet about the White House being bombed and President Barack Obama being injured. The tweet led to a multi-million dollar drop in the Dow.

According to another Sky account: “Due to a security breach Twitter has locked down @skyhelpteam & we are currently unable to tweet from it.” A Sky spokesman told the BBC it was working to reinstate its apps now that they have been taken offline.

Over the weekend, it was also reported by the Israeli press that the SEA had mounted a failed attempt to disrupt the water supply in the port city of Haifa. The Jerusalem Post said that the chairman of the Science Ministry’s National Council for Research and Development, Prof Yitzhak Ben Yisrael, revealed that earlier this month the hackers tried to damage the computers controlling the city’s infrastructure.

China suspected to be behind U.S. Army Corps of Engineers database hack

(LiveHacking.Com) – U.S. intelligence agencies are treating a recent cyber attack and subsequent intrusion into a database belonging to the U.S. Army Corps of Engineers as an attack from China. According to the Free Beacon, U.S. intelligence agencies have traced the hack to the Chinese government or its military cyber warriors.

The compromised database belonged to the U.S. Army Corps of Engineers and held data about dams. The National Inventory of Dams (NID) contains information on possible vulnerabilities of some 8,000 dams across the United States. In a worst-case scenario the attack is a preemptive move by China in preparation for future cyber attacks against the nation’s electrical infrastructure.

“The U.S. Army Corps of Engineers is aware that access to the National Inventory of Dams (NID), to include sensitive fields of information not generally available to the public, was given to an unauthorized individual in January 2013 who was subsequently determined not to have the proper level of access for the information,” said Pete Pierce, a Corps of Engineers spokesman.

Upon discovering the unauthorized access the Corps of Engineers revoked the user’s access to the database.

The database collects information about dams which are either large (those that exceed 25 feet in height or exceed 50 acre-feet of storage) or which carry a hazard classification because of the loss of human life that would result if the dam failed. The database was started in 1972 when laws came into effect that required cooperation between the Corps and the Federal Emergency Management Agency. These laws were updated in 2002 and 2006 to recognize that dams are part of critical U.S. infrastructure and require protection.

In January, a report published by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), part of the Department of Homeland Security’s Office of Cybersecurity and Communications, revealed that the last three months of 2012 saw at least two instances of malware infecting computers inside power generation facilities.

Evernote hacked, forces 50 million users to reset password

(LiveHacking.Com) – Over the weekend Evernote, the cloud-based information storage company, revealed that it had discovered suspicious activity on its servers by hackers trying to access the secure areas where users’ “notes” and files are kept. During the follow-up investigation Evernote discovered that the hackers had gained access to user information, which includes usernames, email addresses and encrypted passwords. Therefore, as a precaution, the company has implemented a forced password reset for each of its 50 million users.

One piece of good news is that the passwords were stored as salted hashes (the company’s wording is “encrypted”, but what it describes is hashing with a per-user salt), something that LinkedIn failed to do when its unsalted SHA-1 password hashes leaked. Evernote is confident that its password protection is robust, but is forcing the reset to ensure that users’ personal data remains secure.
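The difference a salt makes is easiest to see side by side. The Python below is an added example, not Evernote’s or LinkedIn’s code: it stores the same password for two users first as a bare SHA-1 hash and then as a salted PBKDF2-HMAC-SHA256 hash, cracks the unsalted form with a table computed once, and counts how many key-derivation runs the salted form forces on the attacker. The password list and the two user records are constructed for the demonstration, and the iteration count in demo() is kept low only so the example runs quickly.

```python
"""Why a salt matters: unsalted hashes fall to a precomputed table, while
salted, iterated hashes must be attacked one record at a time.
Added example; the wordlist and user records are constructed."""
import hashlib
import hmac
import os

# Constructed stand-in for a real cracking wordlist.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "evernote1"]


def unsalted_sha1(password):
    """Bare SHA-1: identical passwords give identical hashes across all users."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(words):
    """Computed once, then reused against every leaked unsalted hash."""
    return {unsalted_sha1(w): w for w in words}


def crack_unsalted(stored_hash, table):
    return table.get(stored_hash)


def hash_salted(password, salt=None, iterations=200_000):
    """Per-user random salt plus an iterated KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_salted(password, record):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])   # constant-time compare


def crack_salted(records, words):
    """Attacker's view of salted storage: no shared table is possible, so every
    (user, guess) pair costs a full KDF run. Returns (found, kdf_evaluations)."""
    found, evaluations = {}, 0
    for user, rec in records.items():
        for w in words:
            evaluations += 1
            if verify_salted(w, rec):
                found[user] = w
                break
    return found, evaluations


def demo(iterations=1_000):
    """Two users share the weak password 'letmein'; compare both storage schemes."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted = {"alice": unsalted_sha1("letmein"), "bob": unsalted_sha1("letmein")}
    salted = {"alice": hash_salted("letmein", iterations=iterations),
              "bob": hash_salted("letmein", iterations=iterations)}
    return {
        "same_unsalted_hash": unsalted["alice"] == unsalted["bob"],
        "same_salted_digest": salted["alice"]["digest"] == salted["bob"]["digest"],
        "unsalted_cracked": {u: crack_unsalted(h, table) for u, h in unsalted.items()},
        "salted_cracked": crack_salted(salted, COMMON_PASSWORDS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what the salt does and does not buy: both salted records are still cracked because “letmein” is in the wordlist, but the attacker had to run the KDF separately for each user, and at a production iteration count that cost is what turns a 50-million-record dump from an afternoon’s work into something impractical for all but the weakest passwords. That is why a forced reset is still the right response even with salted storage.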

“As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content,” said Evernote in a statement.

As part of the notification email, which Evernote sent to its users, the company gave some general tips for passwords including:

  • Avoid using simple passwords based on dictionary words
  • Never use the same password on multiple sites or services
  • Never click on ‘reset password’ requests in emails – instead go directly to the service

Although the last piece of advice is generally sound (because so many phishing emails use password resets as link bait), Sophos has pointed out that the notification email itself contained links for resetting a user’s password. In fairness to Evernote the links do take the user to the evernote.com site and not directly to a password reset page. The problem is that the link uses a click-tracking system and goes via a domain called links.evernote.mkt5371.com, which looks exactly like a phishing domain: the brand name appears in the hostname but the registrable domain is mkt5371.com, which is owned by Silverpop, the email communications firm Evernote is using to send out the 50 million emails.
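The check a user or a mail filter should apply is whether the link’s hostname actually sits under the service’s own domain, not whether the brand name appears somewhere in the URL. The Python below is an added example (not from Evernote, Silverpop or Sophos) of that test: it extracts the hostname with the standard library’s URL parser, so that the userinfo trick (https://www.evernote.com@203.0.113.9/) and lookalike domains are caught, and reports a verdict per link. The evernote.com and links.evernote.mkt5371.com names come from the text above; every URL path and the other hostnames are constructed.

```python
"""Does a link in a password-reset mail really point at the service's domain?
Added example; sample URLs are constructed."""
from urllib.parse import urlsplit


def host_belongs_to(hostname, domain):
    """True only if hostname is `domain` itself or a subdomain of it."""
    hostname = hostname.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def classify_link(url, expected_domain, require_https=True):
    """Return the most serious problem with the link, or 'ok'."""
    parts = urlsplit(url)
    host = parts.hostname                 # drops userinfo and port, lower-cases
    if host is None:
        return "no host"
    if parts.username is not None:
        # https://www.evernote.com@203.0.113.9/ connects to 203.0.113.9
        return "userinfo trick"
    if not host_belongs_to(host, expected_domain):
        brand = expected_domain.split(".")[0]
        # brand name inside a hostname that is not under the real domain
        return "lookalike" if brand in host else "third-party"
    if require_https and parts.scheme != "https":
        return "not https"
    return "ok"


def classify_links(urls, expected_domain):
    return {u: classify_link(u, expected_domain) for u in urls}


# Constructed links of the kind a reset mail might carry.
SAMPLE_LINKS = [
    "https://www.evernote.com/Login.action",
    "http://links.evernote.mkt5371.com/ctt?kn=7&m=1",          # tracking redirector
    "https://evernote.com.reset-account.example/",              # classic lookalike
    "https://www.evernote.com@198.51.100.7/reset",              # userinfo trick
    "https://cdn.example.net/track?u=evernote",                 # unrelated host
    "http://www.evernote.com/",                                 # right host, no TLS
]

if __name__ == "__main__":
    for url, verdict in classify_links(SAMPLE_LINKS, "evernote.com").items():
        print(f"{verdict:15} {url}")
```

The tracking link is flagged as a lookalike rather than as Evernote’s own, which is precisely the user’s dilemma: the only way to know it is legitimate is to know that Silverpop owns mkt5371.com, and the advice in the same email says not to find out by clicking. Note that host_belongs_to() does a plain suffix match; for production use, compare against a public-suffix list so that a domain such as evernote.co.uk is handled correctly.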


GPS more vulnerable than previously thought

(LiveHacking.Com) –  The Global Positioning System (GPS) has grown from its simple beginnings to a ubiquitous and trusted source for positioning, navigation, and timing data. GPS chips are built into everything from Sat Nav systems to mobile phones and from vehicle tracking systems to digital cameras. It has always been possible to jam and spoof GPS signals, since they are just radio transmissions from the orbiting satellites, but now new research has been published which shows that when treated as a complete computer system, GPS is more vulnerable than previously thought.

The research paper, published by Carnegie Mellon University and Coherent Navigation, shows that a 45-second GPS message can disable over 30% of the Continuously Operating Reference Station (CORS) network. CORS, which is used for many safety- and life-critical applications, provides Global Navigation Satellite System (GNSS) data used by surveyors, GIS users, engineers and scientists to improve the precision of their positions.

The new, larger attack surface for GPS now includes the following three areas:

  1. GPS Data Level Attacks – Producing good, bad and wrong data at higher levels, such as the navigation message, in real time alongside the valid GPS signal. These data-level attacks can cause more damage than simple spoofing, including the ability to remotely crash a high-end professional receiver.
  2. GPS Receiver Software Attacks – The GPS software stack in a receiver can be compromised, in some cases remotely. The danger is that if a GPS receiver is treated as a device rather than as a computer system, the vulnerabilities could remain unpatched.
  3. GPS Dependent System Attacks – Most systems that use GPS data implicitly trust it. Since there is no validation of the data, it is possible to affect systems that depend on GPS data but aren’t themselves GPS receivers. The researchers have shown that it is possible to permanently de-synchronize the date of Phasor Measurement Units (PMUs) used in the smart grid.

To carry out the “attacks” the researchers designed a GPS phase-coherent signal synthesizer (PCSS). Like a hybrid receiver and satellite in a box, the PCSS has an input antenna that receives live GPS signals, and outputs malicious signals. It also allows full programmatic control over the GPS signals in real time. The total hardware cost of the PCSS is about the same as a high-end laptop – around $2,500.

“Until GPS is secured, life and safety-critical applications that depend upon it are likely vulnerable to attack,” wrote the paper’s authors.

These new attacks highlight the possibility of causing serious damage using only a few thousand dollars’ worth of hardware. As a result the researchers recommend the use of an Electronic GPS Attack Detection System (EGADS), which is similar in spirit to a network or host IDS but designed to detect GPS attacks.
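The paper does not spell out its EGADS design here, so the Python below is an added, deliberately simple illustration of the IDS-style idea rather than the researchers’ system: a monitor that treats the receiver as untrusted input and checks each fix against a local clock and against physics. A receiver time that jumps relative to the host’s own clock is the symptom of the PMU date-desynchronisation attack described in item 3 above; a position change that implies an impossible speed is the symptom of a spoofed navigation solution. The fixes, coordinates, thresholds and the 0.01 s clock tolerance are all constructed for the demonstration and would need tuning for a real receiver.

```python
"""Illustrative GPS consistency monitor (added example, not the paper's EGADS).

Flags receiver time that does not advance in step with a local clock and
position jumps that imply an impossible speed, over constructed fixes."""
from dataclasses import dataclass
import math


@dataclass
class Fix:
    local_t: float   # seconds from the host's own monotonic clock
    gps_t: float     # seconds of GPS time as reported by the receiver
    lat: float       # degrees
    lon: float       # degrees


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres (spherical Earth, fine for this check)."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def check_fixes(fixes, max_clock_skew_s=0.01, max_speed_mps=60.0):
    """Return a list of (local_t, kind, detail) alerts for suspicious transitions."""
    alerts = []
    for prev, cur in zip(fixes, fixes[1:]):
        dt_local = cur.local_t - prev.local_t
        if dt_local <= 0:
            alerts.append((cur.local_t, "local clock", "host clock went backwards"))
            continue
        # Receiver time should advance by the same amount as the host clock.
        drift = (cur.gps_t - prev.gps_t) - dt_local
        if abs(drift) > max_clock_skew_s:
            alerts.append((cur.local_t, "time",
                           f"receiver clock moved {drift:+.3f} s relative to host clock"))
        # Consecutive positions should not imply a physically impossible speed.
        speed = haversine_m(prev.lat, prev.lon, cur.lat, cur.lon) / dt_local
        if speed > max_speed_mps:
            alerts.append((cur.local_t, "position",
                           f"implied speed {speed:.0f} m/s exceeds {max_speed_mps:.0f} m/s"))
    return alerts


# Constructed 1 Hz trace for a stationary receiver: GPS time jumps by 1000 s at
# the fifth fix, and the position jumps about 5 km north at the seventh.
LAT, LON = 40.4433, -79.9436
SAMPLE_FIXES = [
    Fix(0.0, 1000.0, LAT, LON),
    Fix(1.0, 1001.0, LAT, LON),
    Fix(2.0, 1002.0, LAT, LON),
    Fix(3.0, 1003.0, LAT, LON),
    Fix(4.0, 2004.0, LAT, LON),          # time attack
    Fix(5.0, 2005.0, LAT, LON),
    Fix(6.0, 2006.0, LAT + 0.045, LON),  # position attack
    Fix(7.0, 2007.0, LAT + 0.045, LON),
]

if __name__ == "__main__":
    for t, kind, detail in check_fixes(SAMPLE_FIXES):
        print(f"t={t:4.1f}s  {kind:9} {detail}")
```

The value of the host clock comparison is that it needs no second GPS receiver: a slow drift of a few microseconds per second is what a real oscillator does, while a step of seconds or days is not. Only the step is reported, because once the receiver has settled at its new offset the per-fix deltas look normal again, which is exactly why a system that trusts GPS time without such a check stays desynchronised.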