Tag: attack

Cyber criminals capture 25,000 Unix servers

Security boffins at ESET, in collaboration with CERT-Bund, the Swedish National Infrastructure for Computing as well as other agencies, have found a cybercriminal campaign that has taken control of over 25,000 Unix servers worldwide.

Dubbed “Operation Windigo” it has resulted in infected servers sending out millions of spam emails which are designed to hijack servers, infect the computers that visit them, and steal information.

cPanel and kernel.org have already been identified as victims.

ESET’s security research team published a detailed technical paper, presenting the findings of the team’s investigations and malware analysis. The paper also provides guidance on how to find out if your systems are affected and instructions for removing the malicious code.

The sheer size and complexity of the operation has remained largely unrealised by the security community which has been too busy trying to work out how to keep the US NSA out.

Windigo has been building for over two and a half years, and currently has 10,000 servers under its control.

ESET security researcher Marc-Étienne Léveillé said that the botnet sends out more than 35 million spam messages every day to innocent users’ accounts, clogging up inboxes and putting computer systems at risk.

“Worse still, each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements.”

Windigo-affected websites attempt to infect visiting Windows computers with malware via an exploit kit, while Mac users are typically served adverts for dating sites. iPhone owners are redirected to online porn.

It could be more serious. More than 60 percent of the world’s websites are running on Linux servers, and many more might not be aware that they have been hacked. 

London firm at centre of mass hack

A London-registered outfit appears to be at the centre of a massive attack that’s redirecting traffic from 300,000 routers.

UK Company 3NT Solutions has been named as being part of an attack which has control of consumer and small office/home office (SOHO) routers throughout Europe and Asia.

Florida-based security firm Team Cymru said claims to have uncovered a “SOHO pharming” campaign that had overwritten DNS settings on 300,000 routers. That allows attackers to redirect traffic to sites and domains controlled by them, “effectively conducting a man-in-the-middle attack”.

Team Cymru spokesman Steve Santorelli told PC Pro  that the attack was very clever. The routers’ DNS settings had been changed to two IP addresses, both of which are for machines that are physically in the Netherlands, but registered with UK company 3NT Solutions, he said.

3NT Solutions was offline at the time of writing and the company could not be reached for comment. Its registered address is a mailbox location in central London.

Security researcher Conrad Longmore wrote in his blog that there was a connection between Serbian web host inferno.name. He said that 3NT/Inferno.name as a “known bad actor” that ran malicious and “spammy” sites – and advised admins to “block all their IPs on sight”.

Santorelli stressed that the router attack was serious. It’s not new as a problem to the InfoSec community but this is one of the biggest he’s seen recently as it’s quite insidious.

He said that it was not the first time this kind of thing has been spotted, but it is certainly the biggest in recent memory.

The attack affects devices from several manufacturers, the firm said said, adding that “consumer unfamiliarity” with configuring routers and weak default settings makes the devices a “very attractive target”.

Santorelli said the problem was not a hardware bug, but weaknesses in ZyXEL’s widely used router firmware, ZynOS. 

Healthcare.gov may not have been hit by DoS attack

The US press is full of reports that the troubled US Healthcare.gov website appears to have been hit by a Denial of Service attack.

Despite huge amounts of dosh thrown at the site, Healthcare.gov has been plagued with problems since launching on October 1.

This week Security software provider Arbor Networks commented that there were rumors of a new denial-of-service attack crashing the federal online healthcare exchange site but wondered why anyone would say that.

But to be fair to Arbor, a DoS attack is the sort of thing that it was expecting and it had lots of defenses in place to stop it. It is not even sure that a DoS attack is actually happening.

Writing in their bog Arbor researchers said that this particular attack is “unlikely to succeed in affecting the availability of the healthcare.gov site.”

The outfit had recently found one tool that is designed to overload the webpage. The standalone tool is written in Delphi and performs layer seven requests to get the healthcare.gov webpage. The tool alternates between requesting https://www.healthcare.gov and https://www.healthcare.gov/contact-us. But this was also unlikely to work.

Marc Eisenbarth, a research manager for Arbor Security Engineering and Response Team, suggested that there are political motivations behind making the site appear under attack.

He wrote that ASERT has seen site specific denial of service tools in the past related to topics of social or political interest. This application continues a trend ASERT is seeing with denial of service attacks being used as a means of retaliation against a policy, legal rulings or government actions.

Given that the site might be just crashing anyway, it is possible that those who want to see the whole Obama care are stirring up FUD that a DoS attack will steal their data. 

After Woolwich attack, 'snooper's charter' back on the agenda

The UK thought it was rid of the reviled ‘snooper’s charter’ communications bill, which would make storing data on all Britains legal, but now political figures are suggested it be resurrected in light of the axe attack in Woolwich yesterday.

Lord Carlisle, formerly the independent reviewer of terror laws, said on BBC’s Newsnight that it should offer a “pause for thought” about dropping the bill, the Metro reports.

“We must ensure that the police and the security services have for the future the tools they need which will enable them to prevent this kind of attack taking place,” Carlisle said. 

“I hope that this will give the government pause for thought about their abandonment for example of the communications data bill and possibly pause for thought about converting control orders into what are now called Tpims, with a diluted set of powers”.

Lord Reid weighed in saying that mobile data stopped a 2006 airline attack. “2,500 people would probably have been blown out of the sky over the United Kingdom,” he said.

The unpopular bill was thought to be blocked by deputy prime minister Nick Clegg, and it was not mentioned in the Queen’s speech.

Nick Pickles, at Big Brother Watch, told TechWeekEurope that Lord Reid’s track record speaks for itself. Reid was, Pickles said, “one of those responsible for the knee-jerk decision to try and introduce powers for people to be detained for up to 90 days without trial by the last government, after the 7/7 attack”.

“We face down terrorists by defending our values and traditions and acting proportionately, which is a balance current policy recognises,” Pickles said.

In a blog post, Big Brother Watch offered agreement to former head of MI5 Lady Neville-Jones, who said efforts need to be made in tackling hateful rhetoric online and elsewhere.
Critics of the Snooper’s Charter would argue that there is little evidence to support it as a preventative measure, and would also paint every citizen in the UK as a potential violent criminal. 

Zero-day black market bolstered by 'malware industrial complex'

The US government’s plans to develop new computer weapons is driving a black market in zero-day bugs which could make life more dangerous for the rest of us.

According to MIT’s Technology Review, the methods by which governments, contractors, and researchers are developing cyber-weapons is putting internet users at risk.

For a while now hackers have become aware that the number of bugs being unveiled has dropped dramatically. The reason is that zero-day bugs can be cashed in to defence contractors, security agencies and governments who can use them in cyber weapons.

After Stuxnet, the United States and governments around the world have been paying more and more for the exploits needed to make such weapons work.

According to Christopher Soghoian, a principal technologist at the American Civil Liberties Union, on one hand, the US the government is freaking out about cyber-security, and on the other it is participating in a global market in vulnerabilities and pushing up the prices.

Even civilian law-enforcement agencies pay for zero-days, Soghoian says, in order to sneak spy software onto suspects’ computers or mobile phones.

Currently the top dollar is being paid for zero day hacks into mobile phone operating systems which are rarely updated, meaing flaws can be exploited for a long time.

At the moment, whoever discovers a zero-day vulnerability receives a monthly payment as long as a flaw remains undiscovered.

A Bangkok, Thailand-based security researcher who goes by the name “the Grugq” has spoken to the press about negotiating deals worth hundreds of thousands of dollars with government buyers from the United States and Europe.

The French security company VUPEN demonstrated a zero-day flaw that compromised Google’s Chrome browser, but turned down Google’s offer of a $60,000 reward if they would share how it worked. The guess is that they had sold it to a government.

So far, no US government agency has gone on the record as saying that it buys zero-days. But they have begun to publicly acknowledge that they intend to launch as well as defend against cyberattacks. The only way to do that is buying zero days. 

Cyber war is now cleaner but far more dangerous

Security expert Eugene Kaspersky said that while cyber weapons may be “cleaner” than traditional weapons they can be much more dangerous.

Speaking during a debate at the DLD 2013 conference, with F-Secure’s Mikko Hypponen, according to the International Business Times, he warned that humanity is nowhere near ready to deal with the dangers and is vulnerable. It is just a matter of time before there is a serious incident.

He said that there are certain digital technologies which should be walked away from because they are too dangerous. Humanity had a chance to walk away from the Zeppelin and the Concorde, but no one seems to be considering dangers when it comes to digital technology.

Kaspersky said it might be difficult to do that or to limit the function of digital tech. Consuming IT is a little like oxygen or water consumption and can’t exactly be stopped.

Both Kaspersky and Hypponen agreed that the next major military engagement will involve a serious cyber element, and while the battle won’t be completely online, it will be a major aspect of the war.

Hypponen said that the danger of cyber warfare is that it can be launched and denied it ever happened.

What sets cyber weapons apart from traditional weapons is that anyone can get their hands on them, unlike a nuclear bomb, missiles or tanks, which only armies would have access to, Hypponen said.

Hypponen doesn’t consider spying to be an act of cyber-warfare. He thinks that cyber warfare is not really happening until critical infrastructure is targeted.

He said that the situation now is similar to the way nuclear scientists lost their innocence in 1945 with the bombing of Hiroshima and Nagasaki.

Security experts lost their virginity in 2009 when Stuxnet infected a Siemens PLC device in the Natanz nuclear enrichment facility in Iran, he said. 

Pakistani hackers deface Chinese government websites

A number of Chinese government websites have been defaced by hackers from Pakistan.

Around 400 domains managed by the Xuchang City People’s Procuratorate were affected while the Lushan County, Henan Province People’s Government portal, and the City of Rushan’s websites also become casualties.

Chinese commercial websites were defaced with messages from the hackers too, Softpedia reports.

The sites included messages such as: “For those who are killing innocent Muslims, disturbing them, we gave you warning Hindu and Christians, but you didn’t stop your cheapless (sic) acts. We are Pak cyber attackers.”

Other hacked sites were scrawled with the message: “An attack for those who abuse Mohammad, who abused our religion, who insulted our religion, who killed innocent Muslims. Islam is religion of peace, stop making fun of Muslims and Mohammad! We only have fear of Allah, we are the soldiers of Islam!!!!”

Although some sites had managed to clean up the messages, others were still showing them.

Around 20 Bangladeshi government websites were also hit over the weekend.

According to BDNews24, sites including the Ministry of Foreign Affairs, bared messages like: “You have been hacked,” and “This is a PayBack From Pakistan Cyber Army. This is not a game you kidz, Don’t play with fire.”

"Inadequate" ICO hit by Anonymous

A group working under the banner of Anonymous has succeeded in bringing down the ICO’s website with a suspected DDoS attack.

The privacy watchdog’s site was down for all of yesterday after a group identifying with the  collective dealt its blow.

According to a Tumblr page, the team – calling itself Anon A Team – targeted the privacy watchdog because they believed it lacked independence and had repeatedly failed “to protect the public’s privacy from hacking or data protection breaches.”

It also claimed that the law protecting privacy was “inadequate and with disproportionate measures in relation to political protests but none for the civil service or media,” as well as a systematic bias in the way the press reports public interest stories – as a consequence of its failure to give sufficient weight to certain stories.

“There is zero commitment by all our regulators to protect UK citizens from data protection breaches,” it continued.

The group described the Leveson inquiry as a “farce”.

The sentiments were echoed in an interview at TechWeek Europe, where someone claiming to be affiliated with Anonymous said the watchdog was not “equipped, nor have the motivation to ensure that we are protected”.

The attack was met with mixed feelings by the security industry with many refusing to comment.

However, one security professional did speak with TechEye under anonymity. “Hackers are far cleverer than heads of states, government bodies and companies,” the source said. “No matter how much security is in place, if Anonymous wants to take you down, it will.

“Do I agree with this attack? They do have a point about privacy,” the source said.

The ICO itself refused to speak beyond issuing a generic statement:

“Access to the ICO website has been disrupted over the past few days. We believe this is due to a distributed denial of service attack. The website itself has not been damaged, but people have been unable to access it. We provide a public facing website which contains no sensitive information.

 “We regret this disruption to our service; however we are pleased that our website is now available.”

Toshiba becomes latest hack victim – customers targeted

Toshiba has suffered a hacking attack, possibly because it angered groups in Asia, a security expert has said.

The comments come as the company looks like it fell foul of two attacks over the weekend.

Firstly it was targeted by hacking group V0iD, which got into a server for Toshiba America.

The group said it had managed to gain usernames and passwords on 450 of the company’s customers and around 20 resellers, as well as around twelve administrators on the company’s Electronic Components and Semiconductors and Consumer Products wings.

Today Toshiba issued an announcement admitting that its US based servers – Toshiba America Information Systems (TAIS) – containing customer registration were hacked.

The database included information on 7,520 of TAIS’s customers, but did not contain such personal data as financial information or credit card and social security numbers. However hackers were able to get away with e-mail addresses and passwords affecting 681 customers confirmed.

Toshiba told us that the information stolen was relating to people who had bought products from registered Toshiba retailers.  

It seems a bizarre target to earn kudos from, leading one security expert, talking under anonymity, to reason it may be something not yet in the public domain. Our source tells us: “Over the past few months we’ve seen a range of high profile attacks on companies such as Sony. While these aren’t really a surprise – hackers target high profile sites for notoriety and to show that they can – what is a bit confusing is that Toshiba has come under fire.

“It’s not a popular company, and although it’s worth millions, hacking this company won’t get as much recognition as say, Nintendo. So why have they done it?

“Firstly, because they can. I assume Toshiba hasn’t listened to warnings that companies are being targeted. 

“Another reason is that the hackers know something about the company we don’t. Let’s not forget the likes of Anonymous who make their point against a company’s policies through DDoS.

“Perhaps Toshiba has something to hide in Asia that hasn’t come out here yet.

“Whatever the reason other companies should learn by example and make sure their security is completely up to date.”

Graham Cluley, Senior Technology Consultant at Sophos however, pointed out that the company could have been targeted for financial gains.

“Different hacking groups out there have different motives,” he said.

“LulzSec hacked computer gaming companies because it was a fan of rival consoles, while others hack for financial gain. This attack looks like the latter.

“Although Toshiba has said no financial data was taken, the email addresses and passwords are powerful enough to as they can be used to help the hackers log into other sites.

“This is because many of us use the same details for many sites meaning they may get into bank accounts or log into the likes of Amazon. Using these email addresses the hackers could also send out malicious mails.

“The hackers could have accessed the site in a range of ways. Perhaps the site wasn’t written well enough so they could have used what is called a Sequential injection attack. But I don’t know the specifics so it could also be something else. “

Further US and Israel Stuxnet ties surface

Further evidence has emerged that the Stuxnet worm, which caused major disruption to Iran’s nuclear programme, was a team effort by Israel and the US – according to the New York Times.

The news, which supports TechEye’s reports on the origin of the computer virus, came from a number of anonymous sources close to the newspaper. These sources stated that Stuxnet was created by Israel and the US as a way to “sabotage” Iran’s growing nuclear power.

This view was also held by a number of security experts, including Symantec and Langer Communications, who reported that the worm was designed to cause maximum damage to the Iranian nuclear enrichment programme by forcing gas centrifuge motors to spin too fast, which can cause them to break apart.

The Iranian President, Mahmoud Ahmadinejad, admitted that Stuxnet was successful, ensuring a delay of two years in the nuclear programme. Ahmadinejad also claimed that the worm was launched by enemies of the state.

The New York Times reported that Siemens, which created the SCADA systems for Iran’s nuclear facilities, revealed vulnerabilities in them in 2008 to the Idaho National Laboratory, which is the US’s primary nuclear research centre. 

Siemens also participated with the US Department of Homeland Security in a security study of the PCS 7 control systems, which were, coincidentally enough, targeted by Stuxnet.

It was also revealed that Israel tested the Stuxnet worm on machines and control systems within its Dimona nuclear research centre, giving further assurance of the two countries’ involvement in the attack on Iran’s nuclear capabilities.