June 24, 2019

36 million euros stolen from banking customers across Europe using mobile malware

(LiveHacking.Com) – A sophisticated and complex attack has been used to systematically steal millions from banking customers, both corporate and private, across Europe. By using a combination of malware for the PC and malware for mobile, the attackers have been able to intercept SMS messages used by banks as part of their two-factor authentication process. First the attackers would infect the victim’s PC and then infect their mobile. Once the two-factor authentication was bypassed, the criminals used the corresponding transaction authentication number (TAN) to automate transfers of funds from the victims’ accounts. The sums varied in size from €500 to €250,000.

According to Check Point, the firewall maker, an estimated €36+ million has been stolen from more than 30,000 corporate and private bank accounts. This attack campaign has been named “Eurograbber” by Versafe and Check Point Software Technologies, who have released a case study about the criminals’ activities. By using a variation of the Zeus-In-The-Mobile Trojan, the victims’ online banking sessions were completely monitored and manipulated by the attackers. The mobile part of the attack used malware developed for both the BlackBerry and Android platforms.

“Cyberattacks are constantly evolving to take advantage of the latest trends. As online and mobile banking continue to grow, we will see more targeted attacks in this area, and Eurograbber is a prime example,” said Gabi Reish, Head of Product Management at Check Point Software Technologies. “The best way to prevent these attacks is with a multi-layered security solution that spans network, data, and endpoints, powered by real time threat intelligence.”

In the on-going battle between cyber-criminals and IT infrastructure designers, cyberattacks have become more sophisticated. The Eurograbber attack has found the weakest link in the chain, the banking customers and their devices. In this case by unwittingly installing malware on their PC and phone the victims allowed the attackers to launch and automate their attacks and avoid traceability.

Check Point has notified the banks involved and is actively working with law enforcement agencies to halt any current or future attacks. The report ends by reminding individual users that they must be steadfast in ensuring all of their desktops, laptops and tablets have all possible security layers enabled and that they are kept current with software and security updates to ensure the best protection possible.

US Navy having to protect itself from 110,000 cyber threats per hour

(LiveHacking.Com) – Back in 2010 HP took over the running of the Navy’s intranet, and the company is also working with the Navy to help it transition to a Next Generation Enterprise Network (NGEN). The Navy Marine Corps Intranet (NMCI) is a shore-based enterprise network that provides a single integrated, secure network for the Navy’s use. After the Internet itself, the NMCI is the world’s largest network. Such a big network is prone to cyber attacks and, according to V3, HP is helping the Navy defend itself against 110,000 cyber attacks per hour.

“For the US Navy we provide the network for 800,000 men and women in 2,000 locations around the world, protecting them against 110,000 cyber attacks every hour,” said the head of enterprise services at HP, Mike Nefkens, at the firm’s Discover event in Frankfurt. “This means the attacks average out at about 1,833 per minute or 30 every second.”

Large public and private institutions are always facing this growing cyber threat, and governments all over the world are increasing the funding and resources needed to ensure that their networks are protected. Just recently the UK government announced plans to create a British Computer Emergency Response Team (CERT) and a Cyber Reserves force. The UK’s CERT is to be built on the success the UK had in defending itself against online threats during the Olympics.

“Working with the private sector to improve awareness of the need for better cyber security continues to be a priority. We are now focusing our efforts on making sure that the right incentives and structures are in place to change behavior in a sustainable way,” said Cabinet Office Minister Francis Maude in a written statement. “Government departments and agencies are working with professional and representative bodies to ensure the consideration of cyber security becomes an integral part of corporate governance and risk management processes.”

HP also revealed at its Discover event that it manages some 5.5 million mobile devices across 100 countries along with 13 billion credit card transactions every year.

Tumblr attacked with viral worm that posts hate messages

(LiveHacking.Com) – The GNAA, an “anti-blogging” group, is claiming responsibility for a worm which hit Tumblr this week. The worm posted unpleasant posts on victims’ accounts and spread when others viewed the post. The text posted on victims’ blogs starts with “Dearest Tumblr users,” but it quickly turns into a bewildering rant about the “self-indulgent” and “decadent” ways of Tumblr bloggers.

The GNAA, whose acronym is intentionally inflammatory and isn’t worth repeating here, has attacked other major sites in the past including CNN, President Obama’s re-election campaign and Wikipedia. As another “prank” the group pretended to be looters on Twitter in the aftermath of hurricane Sandy. In an interview, a spokesman for the group claims they told Tumblr weeks ago about the potential security vulnerability but they were ignored.

During the attack Tumblr posted the following status message: “There is a viral post circulating on Tumblr which begins “Dearest ‘Tumblr’ users”. If you have viewed this post, please log out of all browsers that may be using Tumblr immediately. Our engineers are working to resolve the issue as swiftly as possible. Thank you.”

An analysis of the worm by Sophos shows that “the worm took advantage of Tumblr’s reblogging feature, meaning that anyone who was logged into Tumblr would automatically reblog the infectious post if they visited one of the offending pages.” The contents of the post contained a Base64 string of encoded JavaScript, which itself was hidden inside an iframe. The JavaScript then downloaded more code from a subdomain of strangled.net.

“It shouldn’t have been possible for someone to post such malicious JavaScript into a Tumblr post – our assumption is that the attackers managed to skirt around Tumblr’s defences by disguising their code through Base 64 encoding and embedding it in a data URI,” wrote Graham Cluley of Sophos.
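As an added example (not code from the original article, from Sophos or from Tumblr), a post filter in Python that decodes data: URIs inside embedded frames before looking for script, which is the step a surface-level filter of the kind described above misses. The sample post and the attacker.invalid hostname are constructed for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Tags whose src/data attribute can embed a whole nested document as a data: URI.
EMBED_TAG_RE = re.compile(
    r"<(iframe|frame|object|embed)\b[^>]*?\b(?:src|data)\s*=\s*['\"]?(data:[^'\"\s>]+)",
    re.IGNORECASE,
)
SCRIPT_RE = re.compile(r"<script\b|javascript:", re.IGNORECASE)


def naive_contains_script(html: str) -> bool:
    """The kind of surface check the worm skirted: it only sees the raw post text."""
    return bool(SCRIPT_RE.search(html))


def decode_data_uri(uri: str) -> str:
    """Return the document carried by a data: URI, undoing Base64 when flagged."""
    header, _, payload = uri[len("data:"):].partition(",")
    payload = unquote(payload)  # percent-encoding is allowed in either form
    if "base64" not in header.lower().split(";"):
        return payload
    payload += "=" * (-len(payload) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(payload).decode("utf-8", errors="replace")
    except binascii.Error:
        return ""  # undecodable payload: nothing further to inspect


def scan_post(html: str, depth: int = 0, max_depth: int = 3) -> list:
    """Report script found directly in the post or inside any nested data: URI."""
    findings = []
    if SCRIPT_RE.search(html):
        findings.append(f"depth {depth}: inline script")
    if depth >= max_depth:  # bound recursion on deliberately deep nesting
        return findings
    for tag, uri in EMBED_TAG_RE.findall(html):
        nested = scan_post(decode_data_uri(uri), depth + 1, max_depth)
        if nested:
            findings.append(f"depth {depth}: <{tag}> data: URI hiding script")
            findings.extend(nested)
    return findings


# Constructed sample post: a loader <script> hidden as Base64 inside an iframe's
# data: URI, the structure Sophos described; the hostname is a placeholder.
HIDDEN_DOC = '<script src="https://cdn.attacker.invalid/loader.js"></script>'
SAMPLE_POST = (
    "<p>Dearest Tumblr users,</p>"
    '<iframe width="1" height="1" src="data:text/html;base64,'
    + base64.b64encode(HIDDEN_DOC.encode()).decode()
    + '"></iframe>'
)

if __name__ == "__main__":
    print("surface filter sees script:", naive_contains_script(SAMPLE_POST))
    for finding in scan_post(SAMPLE_POST):
        print(finding)
```

The surface check returns False on the sample post while scan_post reports the hidden script at depth 1, which is why a content filter has to normalise encodings before matching.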

According to SCMagazine, Tumblr has fixed the security issue which allowed the worm to spread. The worm did no damage other than spreading the inflammatory spam message. According to Tumblr, users’ accounts were not compromised.

The fix was confirmed by the blogging platform, “Tumblr engineers have resolved the issue of the viral post attack that affected a few thousand Tumblr blogs. Thanks for your patience.”


Two machines attacked within the FreeBSD.org cluster

(LiveHacking.Com) – Just over a week ago the FreeBSD team detected an intrusion on two of its machines in the FreeBSD.org cluster. As a result the affected machines were taken offline while the team investigated. As a precaution, most of the remaining infrastructure machines were also taken offline. The investigation has revealed that the compromise occurred due to a leaked SSH key. No vulnerability or code exploit within FreeBSD was found. However, the most alarming thing is that the attack and subsequent compromise may have occurred as early as the 19th September 2012.

FreeBSD is divided into two segments: the “base”, which includes the kernel, the system libraries, the compiler, and the core command-line tools and daemons; and the “packages”, which are the third-party components distributed as part of the overall FreeBSD system. According to the security advisory published by the FreeBSD team, “no part of the base FreeBSD system has been put at risk. At no point has the intruder modified any part of the FreeBSD base system software in any way. However, the attacker had access sufficient to potentially allow the compromise of third-party packages.”

The investigation has concluded that although the attacker had sufficient access to compromise the third-party packages, no evidence has been found that any packages were modified. But the FreeBSD team is taking an extremely conservative view and is working on the assumption that packages generated and distributed between the 19th September and 11th November 2012 could theoretically have been modified.

Who’s affected?

You have no reason to worry if:

  • you are running a system that has had no third-party packages installed or updated on it between the 19th September and 11th November 2012.
  • you rely on the Source, Ports and Documentation Subversion repositories to make updates.
  • you use the freebsd-update binary upgrade mechanism (it uses an entirely separate infrastructure).

However, for everyone else the FreeBSD project cannot guarantee the integrity of any packages available for installation between 19th September 2012 and 11th November 2012, or of any ports compiled from trees obtained via any means other than through svn.freebsd.org or one of its mirrors. Those affected should reinstall any such machines from scratch, using trusted sources.

The package set built for the upcoming 9.1-RELEASE has been deleted, and will be rebuilt from source before 9.1 is released. With regards to the cluster machines, all suspect machines are being either reinstalled, retired, or thoroughly audited before being brought back online.

Anonymous planning lots of activity for November 5th

(LiveHacking.Com) – Since the mascot for the Anonymous hacking group is a stylised mask of Guy Fawkes, a member of a group of provincial English Catholics who planned the failed Gunpowder Plot of 1605; and since today is November the 5th, the night British people traditionally celebrate the failed plot by lighting bonfires and setting off fireworks; and since it has said as much, the Anonymous hacking group is planning multiple hacking activities today.

And it looks like it has already started. ZDNet is reporting on claims, circulated by hackers some connected with Anonymous and some not, of dumped user and employee account information from PayPal and Symantec. There are also reports of defacements of Saturday Night Live’s website and Australian government websites.

According to the various Twitter accounts related to Anonymous, today could see more hacks and database/document dumps. News of the hacking spree is being published on Twitter, Facebook, YouTube, and Pastebin.

The November the 5th protests are focusing on the emerging TrapWire and INDECT technologies, both of which are designed to collate data and predict or find criminal behavior. Very much like the supercomputer depicted in the ‘Person of Interest’ TV show, INDECT, a research project being carried out by several European universities, aims to automatically detect criminal threats through processing of CCTV camera data streams, while TrapWire is meant to be a ‘counter-terrorism’ technology designed to find patterns indicative of terrorist attacks. It was mentioned by WikiLeaks as software that facilitates intelligence-gathering on citizens, using surveillance technology, incident reports, and data correlation from law enforcement agencies.

Anonymous is calling on people in the UK to march on the Houses of Parliament (albeit peacefully and unarmed). It says that this is the centrepiece of a worldwide operation of global strength and solidarity, a warning to all governments worldwide that if they keep trying to censor, cut, imprison, or silence the free world or the free internet they will not be governments for much longer.

As part of the activities Anonymous has claimed to have breached The Organization for Security and Co-operation in Europe (OSCE), the world’s largest security-oriented intergovernmental organization with a mandate that includes issues such as arms control and the promotion of human rights, freedom of the press and fair elections.

Due to timezones, Anonymous Australia seems to be the most active at this time.

In brief: Callcentric hit by malicious series of DDoS attacks

(LiveHacking.Com) – Callcentric, a VoIP Internet phone service, has sent an email to its subscribers telling them about a malicious series of DDoS attacks which have been launched against the service. The company is treating the attacks as a Direct Criminal Act with clear malicious intent, based on the persistent, aggressive, and evolving nature of the attacks. The company has been in direct contact with the FBI and FCC to report the matter and to prompt an investigation.

According to the email, the attacks are targeting Callcentric’s SIP Servers:

  • As a result of these attacks, users may experience drops in system registration, which can ultimately lead to inconsistent inbound/outbound calling results.
  • Customers using “Call Forwarding” to temporarily route their inbound calls to a 3rd party number (SIP URI, Cellphone, PSTN line, etc.) should not experience difficulty in receiving calls.

“We can appreciate and share in everyone’s frustration regarding these malicious attacks and we continue to work around the clock to deploy software\hardware updates and upgrades in effort to mitigate against them,” said Callcentric. “At Callcentric we have always been and remain committed to providing great value, reliable service, and putting our customers first. Once this matter has been fully resolved our corporate management team will be performing a complete review and we will work to provide a fair resolution to address any inconvenience that our customers have experienced resulting from these attacks.”

Denial of Service attacks reach 150 gigabits per second, higher rates expected

(LiveHacking.Com) – Alex Caro, the Chief Technology Officer for Akamai Technologies, has told ZDNet that the company has seen Denial of Service attacks which have reached 150 gigabits per second. This is in line with a growing trend for hackers to use DoS as a means to disrupt websites for ideological, political or commercial reasons. From 2010 to 2011 Akamai saw the number of DDoS attacks against their customers double. This trend is expected to continue in 2012 and 2013.

Akamai’s experiences are similar to those of others in the security industry. According to a hacker forum study, which security vendor Imperva carried out last year, 22% of discussions focused on DoS, slightly higher than SQL injection which accounted for 19% of all discussions. In its Hacker Intelligence Initiative, Monthly Trend Report #12 the company reveals that hackers are now favoring DoS attacks aimed at the Web application layer (rather than at the IP and TCP layers) as these types of attacks decrease costs and are harder to detect.

Distributed Denial of Service attacks, which split the attack load among many machines simultaneously, are used most often to get the public’s and the media’s attention. Such attacks are usually accompanied by announcements that reveal the reasons (ideological etc.) behind the attack. However, DDoS attacks are not limited to hacktivists. They have also been used to disrupt businesses for monetary gain, including blackmailing a company into paying a ransom under the threat that its site will otherwise be attacked.

The good news is that companies like Akamai seem able (at the moment) to absorb this malicious data.

“Today, we’re probably serving eight, maybe ten terabits per second of traffic at peak, so a 150 gigabit per second denial of service attack is actually fairly small when all is said and done,” said Caro.

Chinese hackers reportedly breached White House systems used for nuclear commands

(LiveHacking.Com) – The Washington Free Beacon is reporting that hackers with connections to the Chinese government have breached one of the U.S. government’s computer systems used for nuclear commands. The hack, which is said to have taken place earlier this month, used servers in China to access the computer network used by the White House Military Office (WHMO).

The WHMO is the president’s military office which handles not only presidential communications and inter-government teleconferences, but also communications relating to strategic nuclear commands. The so-called “nuclear football” is the nuclear command and control suitcase used by the president which enables him to be in constant communication with the USA’s strategic nuclear forces.

According to an unidentified national security official, the instant the attack was identified the system was isolated, and there are no indications that any data was copied. It is thought that since the WHMO handles such important communications, the attack is likely the work of Chinese military cyber warfare specialists under the direction of a unit called the 4th Department of General Staff of the People’s Liberation Army, or 4PLA.

“The White House network would be the crown jewel of that campaign so it is hardly surprising that they would try their hardest to compromise it,” said former McAfee cyber threat researcher Dmitri Alperovitch, who now works for CrowdStrike.

The revelation of the attack comes only days after Rear Admiral Samuel Cox, The U.S. Cyber Command’s top intelligence officer, accused China of persistent efforts to pierce Pentagon computer networks. He also said a proposal was moving forward to boost the cyber command in the U.S. military hierarchy.

The White House has so far given no comment on the cyber attack, or on whether President Obama was notified of the incident.

However, there are questions being raised over the validity of the claims made by The Washington Free Beacon. In the original report an Obama administration national security official is reported to have said “This was a spear phishing attack against an unclassified network.” This is interesting for two reasons:

  1. A spear phishing attack isn’t really a hack, but rather a targeted email which tries to solicit information from the recipient.
  2. The unclassified network mentioned means a normal non-secret network rather than a classified or “high side” encrypted network.



SourceForge distributes phpMyAdmin with backdoor after mirror hacked

(LiveHacking.Com) – SourceForge has stopped using one of its mirrors in Korea after the popular open source website was alerted to a corrupted copy of phpMyAdmin being served from that site. The ‘cdnetworks-kr-1’ mirror in Korea was immediately removed from rotation when it was discovered that the mirror had been hacked (via an as yet unknown vector) and had started serving a modified copy of phpMyAdmin with a built-in backdoor which allowed the execution of arbitrary commands.

According to an advisory posted on the phpMyAdmin website, the backdoor is located in the file server_sync.php and allows an attacker to remotely execute PHP code. Another file, js/cross_framing_protection.js, has also been modified.

SourceForge has examined its logs and has identified around 400 users who downloaded the hacked file. Where possible, SourceForge has sent emails to those users it was able to identify through the logs.

SourceForge is currently conducting additional validation to confirm that only one file was modified on the ‘cdnetworks-kr-1’ mirror and will post an update once this process is complete. For the moment the mirror remains out of rotation.

Anyone concerned that they may have downloaded a corrupt version of the popular MySQL administration software should check the phpMyAdmin distribution and download it again from a trusted mirror if it contains the file server_sync.php.
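One way to make that check, as an added example rather than SourceForge’s or the phpMyAdmin project’s own tooling: compare the suspect download, file by file, against a copy fetched from a trusted mirror, and flag the files the advisory names. The two sample directory trees below are constructed stand-ins for the two extracted downloads.

```python
import hashlib
import tempfile
from pathlib import Path

# Files the phpMyAdmin advisory names: the planted backdoor and the altered script.
KNOWN_BAD = {"server_sync.php", "js/cross_framing_protection.js"}


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_digests(root: Path) -> dict:
    """Map each file, as a POSIX path relative to root, to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def compare_trees(trusted: Path, suspect: Path) -> dict:
    """List files present only in the suspect copy, changed in it, or missing from it."""
    good, bad = tree_digests(trusted), tree_digests(suspect)
    return {
        "added": sorted(set(bad) - set(good)),
        "modified": sorted(p for p in good.keys() & bad.keys() if good[p] != bad[p]),
        "removed": sorted(set(good) - set(bad)),
    }


def verdict(report: dict) -> str:
    """Turn a comparison into an actionable answer for whoever downloaded the copy."""
    suspicious = set(report["added"]) | set(report["modified"])
    if suspicious & KNOWN_BAD:
        return "backdoored: " + ", ".join(sorted(suspicious & KNOWN_BAD))
    if suspicious or report["removed"]:
        return "differs from trusted copy; inspect before use"
    return "matches trusted copy"


def build_sample() -> tuple:
    """Constructed stand-ins for a trusted download and the tampered mirror copy."""
    base = Path(tempfile.mkdtemp())
    common = {"index.php": "<?php // entry point\n",
              "js/cross_framing_protection.js": "// original\n"}
    tampered = {"js/cross_framing_protection.js": "// original\n// appended\n",
                "server_sync.php": "<?php // planted file\n"}
    trusted, suspect = base / "trusted", base / "suspect"
    for root, extra in ((trusted, {}), (suspect, tampered)):
        for rel, text in {**common, **extra}.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_text(text)
    return trusted, suspect


if __name__ == "__main__":
    trusted_dir, suspect_dir = build_sample()
    report = compare_trees(trusted_dir, suspect_dir)
    print(report)
    print(verdict(report))
```

Against real downloads, pass the two extracted phpMyAdmin directories to compare_trees instead of the constructed sample.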


In brief: GoDaddy outage was not due to hacking

(LiveHacking.Com) – As reported yesterday, GoDaddy suffered an interruption to its services on Monday starting shortly after 10 a.m. PDT. The company, which is one of the world’s biggest domain registrars and web hosts, managed to restore full services by 4 p.m. PDT. It was thought that the downtime was due to a denial of service attack when a user on Twitter, who claimed to be an official member of the hacking group Anonymous, took sole responsibility for the alleged attack, stating, “was only me not the Anonymous [collective]”.

However GoDaddy has now completed its investigation and is reporting that the incident was not related to a “hack”.

“The service outage was not caused by external influences. It was not a ‘hack’ and it was not a denial of service attack (DDoS). We have determined the service outage was due to a series of internal network events that corrupted router data tables. Once the issues were identified, we took corrective actions to restore services for our customers and GoDaddy.com. We have implemented measures to prevent this from occurring again,” said Scott Wagner, CEO of GoDaddy, in a statement.