Tag: hacker

US companies take down Chinese hacker group

An alliance of US tech companies including Novetta and Microsoft has been targeting the Hikit malware and has worked out a way to disrupt the Chinese cyber espionage gang Axiom’s antics.

Dubbed Operation SMN, the coalition of security companies has apparently given the hackers a Chinese burn after it detected and cleaned up malicious code on 43,000 computers worldwide infected by Axiom.

The effort was led by Novetta and included Bit9, Cisco, FireEye, F-Secure, iSIGHT Partners, Microsoft, Tenable, ThreatConnect Intelligence Research Team (TCIRT), ThreatTrack Security and Volexity; it was united as part of Microsoft’s Coordinated Malware Eradication (CME) campaign against Hikit.

Hikit is custom malware often used by Axiom to burrow into organisations and nick data. It works quietly and evades detection, sometimes for years.

Axiom used a variety of tools to access and re-infect environments, including Derusbi, Deputy Dog, Hydraq and others. Ludwig says they expanded the group and its scope “so that we absolutely did the best possible job of clean-up and removal” and rolled it all into a Microsoft Malicious Software Removal Tool (MSRT) released Oct. 14.

Novetta thinks that while the MSRT was comprehensive, it may be only a temporary setback for Axiom, which will just work out another way of doing the same thing.

Novetta says it has “moderate to high confidence” that Axiom is a well-resourced and well-disciplined subgroup of the state-backed “Chinese Intelligence Apparatus.”

Axiom has been found in organisations that are of strategic economic interest, that influence environmental and energy policy and that develop integrated circuits, telecommunications equipment and infrastructure.

The target organisations are often related in some way, and once Hikit has burrowed its way into a computing environment, it can create a “mini-network,” communicating laterally with other Hikit installations within the organisation or related outside groups. What makes it difficult to track is that it uses proxies and never communicates with the command-and-control server directly. Hikit talks to companies in such a way that the traffic does not look dodgy.


Hackers accessed nuclear power watchdog


Picture thanks to Wiki Commons

Hackers managed to gain access to the US Nuclear Regulatory Commission three times, according to a Nextgov report.

On two occasions the hackers were foreign, and the third was an unknown person or group. The US Nuclear Regulatory Commission governs America’s nuclear power providers and, ironically, is responsible for making sure that they are secure.

Apparently an investigation into the source of the third hack was scuppered because logs of the incident had been destroyed.

Intruders used basic hacking techniques to get at the NRC’s computers. One attack linked to a foreign country or individual involved phishing emails that coerced NRC employees into submitting their login credentials. The second one linked to a foreign government or individual used spearphishing, or emails targeted at specific NRC employees, to convince them to click a link that led to a malware site hosted on Microsoft’s cloud storage site SkyDrive, now called OneDrive.

The third attack involved breaking into the personal account of an NRC employee. The attacker then sent a malicious PDF attachment to 16 other NRC employees, and one of them was infected with malware.

NRC spokesman David McIntyre insisted that the NRC computer security team “detects and thwarts” most hacking attempts.

Chinese hackers steal 4.5 million hospital data

A top US hospital operator has admitted that Chinese hackers broke into its computer systems and stole data on 4.5 million patients.

Community Health Systems sheepishly said that the attack occurred in April and June of this year, but it was not until July that it was finally spotted.

It told the US Securities and Exchange Commission that the attack was carried out by a group based in China that used “highly sophisticated malware” to attack its systems.

The attacker was able to bypass the company’s security measures and successfully copy and transfer certain data outside the company.

The group is apparently known to US federal law enforcement authorities, which are now investigating.

Stolen were patient names, addresses, birthdates, telephone numbers and Social Security numbers of the 4.5 million people who were referred to or received services from doctors affiliated with the company in the last five years.

The stolen data did not include patient credit card, medical or clinical information, but the breach still ranks as the second largest disclosed attack to hit the US medical industry in the last few years.

What is still not clear is why the Chinese government would want the medical details of 4.5 million people; it is not as if it could benefit from any ID fraud. It may instead have been a Chinese criminal gang.

Questions posed about mega-hack

Questions have been raised among the security community about a huge attack on US systems which is alleged to have stolen 1.2 billion user name and password combinations and more than 500 million email addresses.

The hack was discovered by an outfit called Hold Security and was claimed to include confidential material gathered from 420,000 websites, including household names, and small Internet sites.

Hold Security has a history of uncovering significant hacks, including the theft last year of tens of millions of records from Adobe Systems, so it should have been seen as a reliable source.

The company said the attack was found after more than seven months of research and was being carried out by a Russian cyber gang which is currently in possession of the largest cache of stolen data. The gang had no name, so Hold Security dubbed it “CyberVor”.

All cool stuff, but many of the comments about the hack online centre on the fact that Hold Security happens to offer a $120/month breach notification service so that people can find out if the hackers have their passwords on file.

Others have focused on the fact that Hold Security timed the announcement to fit with the Black Hat Security conference to spark a debate on password security.

PC World said there were unanswered questions about the hack.

Hold Security said the hacking group started out buying stolen credentials on the black market, then used those credentials to launch other attacks. However, it is unclear how many credentials they bought and how many of the 1.2 billion they culled themselves. In other words, this database, if it exists, could be full of ancient data.

It is also not clear if the passwords that are alleged to be stolen came from important financial sites or less important ones. It is also questionable what the hackers would do with those details.

If they are fresh credentials for important services like online banking, they are ripe to be used to siphon money from online accounts. If they are older or from little-used services, they might be used to send spam by email or post it in online forums.



USB drives pose big risk

USB drives are so insecure they should not be allowed near a corporate network, according to the latest research from two security boffins.

SR Labs’ Karsten Nohl and Jakob Lell have come up with a collection of proof-of-concept malicious software to show how the security of USB devices is fundamentally broken.

The malware they created, called BadUSB, can be installed on a USB device to completely take over a PC and alter files installed from the memory stick, or even redirect the user’s internet traffic.

BadUSB does not live in the flash memory storage of USB devices, but in the firmware that controls them. The attack code can remain hidden even if the data has been wiped.

The researchers said that there is no easy fix because the attack exploits the way USB itself is designed.

They reverse engineered the firmware that runs the basic communication functions of USB devices: the controller chips that let the devices talk to a PC and let users move files on and off them.

Unless the IT guy has the reverse engineering skills to find and analyse that firmware, “the cleaning process doesn’t even touch the files we’re talking about.”

All USB devices from keyboards and mice to smartphones have firmware that can be reprogrammed in the same way.

Nohl and Lell have tested their attack on an Android handset plugged into a PC.

And once a BadUSB-infected device is connected to a computer, Nohl and Lell could do more or less what they liked.

The malware can also hijack internet traffic by changing a computer’s DNS settings to siphon traffic, and it can spy on a computer’s activity.

BadUSB’s ability to spread from USB to PC and back makes it impossible to use USB devices securely at all.


Hackers hack Amazon’s cloud

Hackers have worked out a way to break into Amazon’s cloud and install DDoS malware.

The hole is thanks to a vulnerability in Elasticsearch, a popular open-source distributed search engine server. The software is developed in Java and allows applications to perform full-text search over various types of documents through a REST API (representational state transfer application programming interface).

Elasticsearch is commonly used in cloud environments and is used on the Amazon Elastic Compute Cloud (EC2), Microsoft Azure, Google Compute Engine and other cloud platforms.

Versions 1.1.x of Elasticsearch support active scripting through API calls in their default configuration. For some reason this does not require authentication, which is how the malware writers broke into the systems.

Elasticsearch’s developers have not released a patch for the 1.1.x branch, but starting with version 1.2.0, released on May 22, dynamic scripting is disabled by default.

Kaspersky Lab has found variants of Mayday, a Trojan program for Linux that’s used to launch distributed denial-of-service (DDoS) attacks.

One of the new Mayday variants was found running on compromised Amazon EC2 server instances.

Kaspersky Lab researcher Kurt Baumgartner said that it was not the only victim. The attackers break into virtual machines run by Amazon EC2 customers by exploiting the CVE-2014-3120 vulnerability in Elasticsearch 1.1.x, which is still used by some organisations in active commercial deployments despite being superseded by Elasticsearch 1.2.x and 1.3.x.

Baumgartner saw the early stages of the Elasticsearch attacks, in which the hackers modified publicly available proof-of-concept exploit code for CVE-2014-3120 and used it to install a Perl-based web shell: a backdoor script that allows remote attackers to execute Linux shell commands over the web. The script downloads the new version of the Mayday DDoS bot, detected as Backdoor.Linux.Mayday.g.
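As an added example (not code from the article, Kaspersky or the Elasticsearch project), the following Python checker covers both sides of the point above: whether a 1.x node's configuration leaves dynamic scripting on, and whether proxy-logged request bodies carry script fields. It assumes a minimal `key: value` elasticsearch.yml, a constructed log with one JSON request body per line, and the version defaults the article states (enabled before 1.2.0, disabled from 1.2.0).

```python
"""Dynamic-scripting exposure check for Elasticsearch 1.x (CVE-2014-3120)."""
import json

SETTING = "script.disable_dynamic"  # real 1.x setting; true == scripts off


def parse_version(version):
    return tuple(int(p) for p in version.split(".")[:3])


def dynamic_scripting_enabled(version, config_text):
    """True if the node accepts dynamic scripts.

    An explicit script.disable_dynamic wins; otherwise the default is
    assumed enabled before 1.2.0 and disabled from 1.2.0 (per the article).
    """
    explicit_enabled = None
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        if key.strip() == SETTING:
            explicit_enabled = value.strip().lower() in ("false", "no", "off")
    if explicit_enabled is not None:
        return explicit_enabled
    return parse_version(version) < (1, 2, 0)


def script_keys(obj, path=""):
    """Collect JSON paths whose key is 'script' or 'script_fields'."""
    found = []
    if isinstance(obj, dict):
        for key, val in obj.items():
            sub = f"{path}.{key}" if path else key
            if key in ("script", "script_fields"):
                found.append(sub)
            found.extend(script_keys(val, sub))
    elif isinstance(obj, list):
        for i, val in enumerate(obj):
            found.extend(script_keys(val, f"{path}[{i}]"))
    return found


def flag_requests(log_lines):
    """Return (line_no, paths) for each request body that carries a script."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        try:
            body = json.loads(line)
        except ValueError:
            continue                               # not a JSON body, skip
        paths = script_keys(body)
        if paths:
            hits.append((n, paths))
    return hits


# Constructed sample log: one request body per line (not real traffic).
SAMPLE_LOG = [
    '{"query": {"match_all": {}}}',
    '{"query": {"match_all": {}}, "script_fields": {"x": {"script": "1+1"}}}',
    "not json",
]
```

Any hit from `flag_requests` on a node where `dynamic_scripting_enabled` is true is the combination worth alerting on; the fix on a 1.1.x node is `script.disable_dynamic: true` and a restart, or an upgrade.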

US arrests Russian hacker

The US has arrested a Russian national and charged him with hacking.

The Department of Homeland Security said Roman Valerevich Seleznev hacked into American retailers’ computer systems to steal credit card data from 2009 to 2011.

It has taken the Secret Service a while to find Seleznev, who was indicted in Washington state in March 2011 on charges including bank fraud, causing damage to a protected computer, obtaining information from a protected computer and aggravated identity theft.

At that time it was suggested that Seleznev hacked into websites ranging from those run by the Phoenix Zoo, a branch of Schlotzsky’s Deli and many other small restaurants and entertainment venues.

Secretary of Homeland Security Jeh Johnson implied that the hacks were the work of organised crime and that Seleznev was probably working for the Russian mafia.

“This important arrest sends a clear message: despite the increasingly borderless nature of transitional organized crime, the long arm of justice – and this Department – will continue to disrupt and dismantle sophisticated criminal organizations,” Johnson said.