Category: Security

Hackers exploited a Word hole for months

Hackers exploited a hole in Microsoft Word for months while Vole was still trying to get more detail on the flaw.

The flaw, CVE-2017-0199, was not difficult to fix but was dangerous: it allowed a hacker to seize control of a personal computer while leaving little trace. After nine months, it was fixed in Microsoft’s latest regular monthly security update.

While Vole “investigated”, hackers found the flaw and manipulated the software to spy on unknown Russian speakers, possibly in Ukraine. It was also used by a group of thieves to bolster their efforts to steal from millions of online bank accounts in Australia and other countries.

Last July, Ryan Hanson found a weakness in the way that Microsoft Word processes documents from another format. That allowed him to insert a link to a malicious program that would take control of a computer. He told Microsoft in October after working out that the vulnerability could be mixed with something which made it even nastier.

Microsoft could have fixed the problem – all it took was a quick change to Word’s settings. But if it notified customers about the bug and the recommended changes, it would also be telling hackers how to break in. It could have patched the flaw but thought it would be better to “dig deeper”, since no one was using Hanson’s method, and it wanted to be sure it had a comprehensive solution.

Microsoft performed an investigation to identify other potentially similar methods and ensure that its fix addressed more than just the issue reported.

It was complex – a little too complex, because while Vole was digging deeper, unknown hackers found Hanson’s bug and started using it.

The first known victims were sent emails enticing them to click on a link to documents in Russian about military issues in Russia and areas held by Russian-backed rebels in eastern Ukraine, researchers said. Their computers were infected with eavesdropping software made by Gamma Group, a private company that sells to agencies of many governments.

It appears that one of Gamma’s customers was trying to get inside the computers of soldiers or political figures in Ukraine or Russia; either of those countries, or any of their neighbours or allies, could have been responsible. Such government espionage is routine.

In March, security researchers at FireEye noticed that a notorious piece of financial hacking software known as Latentbot was being distributed using the same Microsoft bug.

FireEye probed further, found the earlier Russian-language attacks, and warned Microsoft. The company, which confirmed it was first warned of active attacks in March, got on track for an April 11 patch.

McAfee saw some attacks using the Microsoft Word flaw on April 6. It established that the flaw had not been patched, contacted Microsoft, and then blogged about its discovery on April 7. McAfee Vice President Vincent Weafer admitted that leaking the information was “a glitch in our communications with our partner Microsoft”.

The blog post contained enough detail that other hackers could mimic the attacks.

By April 9, a program to exploit the flaw was on sale on underground markets for criminal hackers.

Finally, on Tuesday, about six months after hearing from Hanson, Microsoft made the patch available.

It is unclear how many people were ultimately infected or how much money was stolen.

German hackers ask cash for their work

You have to admire the balls of a group of German hackers who dub themselves XMR Squad.

The outfit spent all last week launching DDoS attacks against German businesses and then contacting the same companies to inform them they had to pay $275 for ‘testing their DDoS protection systems’.

Attacks were reported against DHL, Hermes, AldiTalk, Freenet, Snipes.com, the State Bureau of Investigation Lower Saxony, and the website of the state of North Rhine-Westphalia. The attack against DHL Germany was particularly effective as it shut down the company’s business customer portal and all APIs, prompting eBay Germany to issue an alert regarding possible issues with packages sent via DHL.

While the group advertised on Twitter that its location was in Russia, a German reporter who spoke with the group via telephone said: “The caller had a slight accent, but spoke perfect German.”

Following the attention it got in Germany after the attacks, the group had its website and Twitter account taken down.

Hackers mocked the group for failing to extract any payments from their targets. DDoS extortionists have been particularly active in Germany, among other countries. Previously, groups named Stealth Ravens and Kadyrovtsy have also extorted German companies, using the same tactics perfected by groups like DD4BC and Armada Collective.

Thyssenkrupp sets up 3D printing centre

German industrial group Thyssenkrupp is to open a 3D printing centre this year to manufacture products for its customers.

For those who came in late, Thyssenkrupp is famous for making steel, submarines and elevators, and supplies thousands of tonnes of metal and plastic products and provides supply-chain management services to a quarter of a million customers worldwide.

Some industrial components such as airline or wind-turbine parts can now be made by 3D printing, or additive manufacturing, in which objects are printed in layers directly from a computer design instead of being cut out of blocks of material.

This saves money on material costs by reducing the number of parts needed tenfold or more, and also saves time from design to manufacturing, allowing objects to be produced in small batches in a cost-effective way.

Hans-Josef Hoss, an executive board member of Thyssenkrupp’s Materials Services division, said the company had already invested in the machines and the people.

“We start from the engineering side and deliver the final product with all aftersales and related services,” he said in a speech at an event during the Hannover Messe, the world’s biggest industrial fair.

Hoss said the centre would be inaugurated in September, and would produce both metal and plastic products.

General Electric is investing $109 million to expand a German 3D printing firm it bought last year – one of two it acquired at a total cost of over $1 billion – and will open a 3D printing customer centre in Munich.

Beancounters at Wohlers Associates think the use of 3D technology is surging. Sales reached $1 billion in 2007, jumped to $5.2 billion in 2015 and will hit $26.5 billion by 2021.


Spy probe starved of resources

The Senate’s main investigation into allegations of Russian meddling in the 2016 US presidential election has little funding and staff, which will make it hard to reach a clear result.

According to Reuters, the investigation has been given only seven staff members and, as a result, progress has been sluggish and minimal.

A weak Senate investigation could renew calls by some Democrats and other Trump critics for a commission independent of the Republican-led Congress to investigate the allegations.

The intelligence committees of the Senate and House of Representatives have taken the lead in Congress in examining whether Russia tried to game the election in Republican Trump’s favour, mostly by hacking Democratic operatives’ emails and releasing embarrassing information, or possibly by colluding with Trump associates.

Previous investigations of national security matters have been much larger in terms of staffing, according to a review of official reports produced by those inquiries.

The House committee formed to investigate the 2012 attacks on a US diplomatic mission in Benghazi, Libya, that killed four Americans had 46 staffers and eight interns.

The Senate Intelligence Committee’s years-long study of the CIA’s “enhanced” interrogation techniques during President George W. Bush’s administration had 20 staff members, according to the panel’s official report.

The special commission separate from Congress that reviewed the intelligence that wrongly concluded former Iraqi President Saddam Hussein possessed weapons of mass destruction ahead of the 2003 invasion of Iraq involved 88 staffers.

German hackers are revolting

Germany is facing a huge increase in the numbers of hacking cases.

The German government registered 82,649 cases of computer fraud, espionage and other cyber crimes in 2016, an increase of just over 80 percent from 2015.

German Interior Minister Thomas de Maiziere is due to release the new statistics, part of the government’s annual crime report, on Monday, according to Die Welt.

In addition to cybercrime, German police also registered 253,290 cases of crimes carried out with the help of the internet, an increase of 3.6 percent from 2015, the newspaper reported.

While it is possible that there is a sudden rise in the numbers of disaffected youth who want to stick it to the man, it is more likely the figure represents a move by organised crime to lift cash from companies.

The rise coincides with a move by Eastern German and Russian mafia types to switch to internet extortion, which is easier than hitting people with lead pipes and less noisy than shooting them.

“That is a very pretty server you have there Hans, it would be a pity if anything happened to it.”


Russian super-hacker gets 27 years

The US Justice Department has announced that a 32-year-old Russian “superhacker” has been sentenced to 27 years in prison for stealing and selling millions of credit-card numbers.

Roman Valeryevich Seleznev, 32, aka Track2, son of a prominent Russian politician, caused more than $169 million worth of damage to business and financial institutions in his hacks, the DoJ claims.

He was convicted last year on 38 counts of computer intrusion and credit card fraud.

Acting Assistant Attorney General Kenneth Blanco said that Seleznev’s investigation, conviction and sentence demonstrate that the United States will bring the full force of the American justice system upon cybercriminals like Seleznev who victimise US citizens and companies from afar.

“And we will not tolerate the existence of safe havens for these crimes – we will identify cybercriminals from the dark corners of the internet and bring them to justice.”


Microsoft retires security bulletins

Microsoft has retired its security bulletins, making many security experts’ lives rather difficult.

Vole announced the demise of bulletins in November, saying then that the last would be posted with January’s Patch Tuesday, and that the new process would debut 14 February.

A searchable database of support documents would replace the bulletins. Accessed through the “Security Updates Guide” (SUG) portal, the database’s content can be sorted and filtered by the affected software, the patch’s release date, its CVE (Common Vulnerabilities and Exposures) identifier, and the numerical label of the KB, or “knowledge base” support document.

SUG’s forerunners were the web-based bulletins that have been part of Microsoft’s patch disclosure policies since at least 1998.

Vole did such a good job turning out those bulletins that they were considered the aspirational benchmark for all software vendors, so getting rid of them seemed strange.

In February Microsoft cancelled that month’s Patch Tuesday just hours before the security updates were to reach customers, making the bulletins’ planned demise moot. Microsoft kept the bulletins the following month as well, saying it wanted to give users more time to prepare for the change to SUG.

Finally, when Microsoft yesterday shipped cumulative security updates for Windows, Internet Explorer, Office and other products, it omitted the usual bulletins.

SUG is not so popular, even if analysts say it has great potential. Many are undecided about whether it can deliver the same quantity and quality of information as the bulletins without burdening administrators with more work.

Most of the information packed into the earlier bulletins remains available through SUG for those willing to dig into its numerous online documents, but it is not as accessible.

Russian hackers might have gamed Brexit

A website which allowed Britons to register to vote in last year’s European Union referendum might have been targeted by Russian hackers who crashed it before the deadline.

A committee of British MPs said that more than a million potential voters applied to register online in the run-up to the deadline, two weeks before last June’s vote, and that the government extended the cut-off point after the website crashed, blaming the crash on a late rush by mainly young citizens.

But parliament’s Public Administration and Constitutional Affairs Committee (PACAC) said it did not rule out the possibility that the crash was caused by a Distributed Denial of Service (DDoS) cyber attack.

“PACAC is deeply concerned about these allegations about foreign interference,” said the report.

The committee said that the interference would not have changed the outcome, but it was rather disconcerting anyway.

Russia has been accused of trying to influence the 2016 US election, and the committee said the government needed to ensure future elections and referendums were monitored, with plans in place to respond to and contain any cyber-attacks.

The report said that Russia and China use a cognitive approach based on an understanding of mass psychology and of how to exploit individuals.

“The implications of this different understanding of cyber-attack, as purely technical or as reaching beyond the digital to influence public opinion, for the interference in elections and referendums are clear.”

The committee was also critical of the government’s failure to prepare for a vote for Brexit and former Prime Minister David Cameron’s motives for calling the referendum in the first place, saying using plebiscites as a “bluff call” to close “unwelcome debate” was questionable.

“There was no proper planning for a Leave vote so the EU referendum opened up much new controversy and left the prime minister’s credibility destroyed,” the report said.

Canadians refuse bail for “Yahoo hacker”

A Canadian judge denied bail to a 22-year-old man whom the United States wants to extradite to face charges of involvement in a massive hack of Yahoo email accounts.

Karim Baratov, a Canadian citizen who was born in Kazakhstan, was considered a flight risk by Justice Alan Whitten, who remanded Baratov in custody until May 26.

The United States claims that Baratov worked with Russian intelligence agents who paid him to break into at least 80 email accounts, including those of specific targets with non-Yahoo accounts.

The judge said that Baratov had no reason to stick around as he could continue his wealth-generating activities anywhere in the world.

Baratov faces US charges including conspiracy to commit computer fraud, conspiracy to commit wire fraud and identity theft, and could face decades in a US jail if found guilty on all charges.

His lawyer, Amedeo DiCarlo, says that Baratov did not do it, and that he would consider appealing the bail decision if the court is unable to schedule an expeditious extradition hearing.

Federal prosecutor Heather Graham told the court that the attorney general of Canada will be ready to proceed with an extradition hearing by June 12, according to media reports.

The United States last month charged two Russian intelligence agents, Baratov and another alleged hacker, over the 2014 theft of 500 million Yahoo accounts, the first time the US government had criminally charged Russian spies for cyber offences.

The other alleged hacker is Alexsey Belan, one of the FBI’s most-wanted cyber criminals, who was arrested in Europe in June 2013 but escaped to Russia before he could be extradited to the United States, according to the US Justice Department.

Russian “spammer” and Trump suspect finds pain in Spain

Inspector Knacker of the Barcelona yard has fingered the collar of a Russian programmer following US allegations of large-scale hacking.

Pyotr Levashov was held in Barcelona and has been remanded in custody.

Spanish coppers claim Levashov controlled a botnet called Kelihos, stealing information and installing malicious software on hundreds of thousands of computers.

The arrest was part of a “complex inquiry carried out in collaboration with the FBI”, police said.

Levashov is subject to a US international arrest warrant and a Spanish court will hear whether he can be extradited.

Much of his activity involved ransomware – blocking a computer’s access to certain information and demanding a ransom for its release.

Levashov’s wife Maria told Russian broadcaster RT that the arrest had been made in connection with allegations that Russians had hacked the US presidential election.

She claimed that Spanish coppers had told her that it was all about “a virus which appears to have been created by my husband and is linked to [Donald] Trump’s victory”.

Agence France-Presse quoted a source close to the matter in Washington as saying that Levashov’s detention was “not tied to anything involving allegations of Russian interference with the US election”.

Several cybersecurity experts, including Brian Krebs, have also linked Levashov to a Russian spam kingpin, who uses the alias Peter Severa.