Home   Blog   Twitter   Database  

Slapdash SSL code puts tons of top Android Play Store apps in hack peril

Man-in-the-middles all round!

Sloppy programming, poor patching, and unreliable trust engines are rife within Android apps, according to a new study. In short, millions smartphone users are wide open to man-in-the-middle attacks.…

Posted: 20 Aug 2014 | 9:01 pm

A Quick Peek at Network Injection

Like many of you, I’ve been looking at the various NSA document leaks to see what kind of tools and techniques are being used. I suppose these releases will give cybercriminals new ideas and we will see some of these put to nefarious use sooner than later.

This particular article was very interesting, especially the concept of network injectors. I’ve heard about EvilGrade but never played with it. It seems as though QUANTUMINSERT and FinFly ISP do something similar.

I wondered how I could use this for a pentest. Getting inline with my target would be the first challenge. There are several tools I could use to route wired and wireless network traffic to my computer but maybe an easier way is to setup a proxy server then push out a proxy.pac file.

Here’s a website with a link to a setup file for Revelo.

2014-08-20_01

When the user downloads the program, I can see their GET request and response. At this point the program gets downloaded. Here we see excerpts from Paros.

2014-08-20_02

The way QUANTUMINSERT is described to work, the download request gets silently redirected to another server where an implant gets downloaded. And according to the FinFisher documentation, there is a method called “INJECT-EXE” which “infects the downloaded EXE file in real time. The agent is installed when the target runs the EXE file.”

There’s not too much details so I can only infer how this is being done. Maybe they would have pre-downloaded popular programs, binded it with a backdoor, then sent the file over via a forged HTTP redirect. This would allow the user to install the real program with real certificates but have their program run too.

But how could you do this in real-time, with any download? If I can write a program that intercepts the GET request to any EXE program, bind it with a backdoor in real-time, update the Content-Length field in the response header, and send the file along…it *should* work. ;)

After some coding, I came up with “Interjector” – Interceptor and Injector (because of the nature of this program I won’t be making this available, sorry). There’s not much to look at I know.

2014-08-20_03

With Interjector off, when I download the file, it looks like this:

2014-08-20_04

However, when Interjector is running, the same download dialog box now looks like this (note the file size):

2014-08-20_05

What’s happening behind the scenes is that there is a specially-crafted EXE file that’s been added to Interjector as a resource. When the program sees a GET request to any EXE file, it loads the resource to a variable and gets ready. When the program sees the response, it reads in the Content-Length value, adds the length of the resource to it, and puts the updated value back into the header. Finally, it injects the variable containing the resource into the download stream.

The advantage of doing it this way is that I don’t need to redirect users to another server, I can intercept/inject any EXE file the user downloads, it’s very stealthy, and all of this happens in real time.

Here’s what it looks like when the downloaded file is executed:

2014-08-20_06

Ugh, the icon makes it look fake but I can fix that. This is going to be a challenge for those programs with unique icons. The best way is probably to use a generic icon like this and hope users don’t notice.

2014-08-20_07

What about the MD5/SHA hash? That’s the biggest hurdle to overcome. I could change the hash on the webpage to match the final file but only for the ones I know about by doing a global search and replace. Or I can search for any hash line and remove it from the webpage.

2014-08-20_08

What if it’s a compressed file download (e.g. ZIP)? I think I would have to rezip the file with a new EXE or rebuild the download which changes the ZIP file to an EXE. The real-time requirement makes this difficult to handle without the user taking notice.

So what’s a user to do?
- Use HTTPS to download programs
- Choose to download a compressed version (e.g. ZIP) instead of a bare EXE/MSI file
- Pay attention to any anomalies and inconsistencies; when in doubt, stop
- Verify the program’s hash before installing (for the paranoid, use an out-of-band device like your phone to view the hash on the webpage)

Posted: 20 Aug 2014 | 8:15 pm

Data vs. Metadata

Google uses HTTPS for all search queries. That's good, because it means that all of the questions you ask (a.k.a. your data) will be encrypted. However… regardless of HTTPS, inferences about your searches can still be made by somebody with access to your network traffic. For example:

Network Traffic Analysis, Google to AA

In the screenshot above, a popular "packet analyzer" displays DNS queries (a.k.a. metadata). We first connected our test device to google.com and performed a search — and then we clicked on the top search result link — and connected to aa.org.

The deductive reasoning skills of Sherlock Holmes aren't required to figure out "alcoholics anonymous" was searched for. And even if aa.org used HTTPS encryption (it doesn't), using DNS metadata, we can still infer the contents of the search data. The connections made offer all the evidence needed.

And that's why metadata matters.

On 20/08/14 At 01:10 PM

Posted: 20 Aug 2014 | 3:21 pm

'Facebook Drug Task Force’ hoax cranks up the paranoia

Just in time for Facebook's newly announced "Satire" tag, a satirical news site brings us Facebook's corporate police force, replete with assault weapons and anti-bomb vehicles, transporting their first two busted users to the nation's first corporate jail - which is in Facebook's Menlo Park, Calif., headquarters, of course.

Posted: 20 Aug 2014 | 2:34 pm

Android SSL Vulnerabilities: Lessons for CISOs

We recently published a blog reporting a variety of issues with a set of security capabilities found in commonly used Android applications in the Google Play store. These capabilities frequently come from security configurations baked into the ad libraries that developers use to display ads in their apps and don’t want to develop themselves. This is a laudable practice (implementing things like encryption protocols is hard and should be avoided by most software engineers), but it means that a flaw in a single library can impact thousands of apps downloaded by billions of users.
 
So what? Well, for starters, the most common flaws we found expose users of vulnerable applications to man-in-the-middle attacks.  Basically, that boils down to this: if you’re using a vulnerable application on a network where someone can intercept your communications (use the wireless at your favorite coffee shop recently?) you could be exposed. If you want the gory details you can get them in this post http://www.fireeye.com/blog/technical/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html.
The exec-level view boils down to the below:
Again, so what? Perhaps you’re using an MDM (or other security solution) that implements containers for your enterprise sensitive data for exactly this reason. You understand the mobile ecosystem and anticipated this exposure – particularly if your enterprise lets employees bring their own mobile device. A few parting thoughts on why you should still care:
My recommendation is simple: via a process, technology, or both, identify mechanisms to rate this risk so you *at least* have awareness, if not a complete remediation plan.

Posted: 20 Aug 2014 | 7:02 am

"El Machete"

Introduction

Some time ago, a Kaspersky Lab customer in Latin America contacted us to say he had visited China and suspected his machine was infected with an unknown, undetected malware. While assisting the customer, we found a very interesting file in the system that is completely unrelated to China and contained no Chinese coding traces. At first look, it pretends to be a Java related application but after a quick analysis, it was obvious this was something more than just a simple Java file.  It was a targeted attack we are calling "Machete".

What is "Machete"?

"Machete" is a targeted attack campaign with Spanish speaking roots. We believe this campaign started in 2010 and was renewed with an improved infrastructure in 2012. The operation may be still "active".

The malware is capable of the following cyber-espionage operations:

Targets of "Machete"

El_Machete_1

Most of the victims are located in, Venezuela, Ecuador, Colombia, Peru, Russia, Cuba, and Spain, among others. In some cases, such as Russia, the target appears to be an embassy from one of the countries of this list.

Targets include high-level profiles, including intelligence services, military, embassies and government institutions.

How does "Machete" operate?

The malware is distributed via social engineering techniques, which includes spear-phishing emails and infections via Web by a fake Blog website. We have found no evidence of of exploits targeting zero-day vulnerabilities. Both the attackers and the victims appear to be Spanish-speaking.

During this investigation, we also discovered many other the files installing this cyber-espionage tool in what appears to be a dedicated a spear phishing campaign. These files display a PowerPoint presentation that installs the malware on the target system once the file is opened.  These are the names of the PowerPoint attachments:

These files are in reality Nullsoft Installer self-extracting archives and have compilation dates going back to 2008.

A consequence of the embedded  Python code inside the executables is that these installers include all the necessary Python libraries as well as the PowerPoint file shown to the victim during the installation. The result is extremely large files, over 3MB.

Here are some screnshots of the mentioned files:

El_Machete_2

El_Machete_3

El_Machete_4

A technical relevant fact about this campaign is the use of Python embedded into Windows executables of the malware. This is very unusual and does not have any advantage for the attackers except ease of coding. There is no multi-platform support as the code is heavily Windows-oriented (use of libraries). However, we discovered several clues that the attackers prepared the infrastructure for Mac OS X and Unix victims as well. In addition to Windows components, we also found a mobile (Android) component.

Both attackers and victims speak Spanish natively, as we see it consistently in the source code of the client side and in the Python code.

Indicators of Compromise

Web infections

The following code snippets were found into the HTML of websites used to infect victims:

El_Machete_4

Note: Thanks to Tyler Hudak from Korelogic who noticed that the above HTML is copy pasted from SET, The Social Engineering Toolkit.

Also the following link to one known infection artifact:

hxxp://name.domain.org/nickname/set/Signed_Update.jar

Domains

The following are domains found during the infection campaign. Any communication with them must be considered extremely suspicious

java.serveblog.net
agaliarept.com
frejabe.com
grannegral.com
plushbr.com
xmailliwx.com
blogwhereyou.com (sinkholed by Kaspersky Lab)
grannegral.com (sinkholed by Kaspersky Lab)

Infection artifacts

MD5 Filename
61d33dc5b257a18eb6514e473c1495fe AwgXuBV31pGV.eXe
b5ada760476ba9a815ca56f12a11d557 EL ARTE DE LA GUERRA.exe
d6c112d951cb48cab37e5d7ebed2420b Hermosa XXX.rar
df2889df7ac209e7b696733aa6b52af5 Hermosa XXX.pps.rar
e486eddffd13bed33e68d6d8d4052270 Hermosa XXX.pps.rar
e9b2499b92279669a09fef798af7f45b Suntzu.rar
f7e23b876fc887052ac8e2558f0d6c38 Hot Brazilian XXX.rar
b26d1aec219ce45b2e80769368310471 Signed_Update.jar

Traces on infected machines

Creates the file Java Update.lnk pointing to appdata/Jre6/java.exe

Malware is installed in appdata/ MicroDes/

Running processes Creates Task Microsoft_up

Human part of "Machete"

Language

The first evidence is the language used, both for the victims and attackers, is Spanish.

The victims are all Spanish speaking according to the filenames of the stolen documents.

The language is also Spanish for the operators of the campaign, we can find all the server side code written in this language: reportes, ingresar, peso, etc.

Conclusion

The "Machete" discovery shows there are many regional  players in the world of targeted attacks. Unfortunately, such attacks became a part of the cyber arsenal of many nations located over the world. We can be sure there are other parallel targeted attacks running now in Latin America and other regions.

Kaspersky Lab products detect malicious samples related to this targeted attack as Trojan-Spy.Python.Ragua.

Note: A full analysis of the Machete attacks is available to the Kaspersky Intelligent Services customers. Contact: intelreports@kaspersky.com

Posted: 19 Aug 2014 | 11:30 pm

The Administrator of Things (AoT) – A Side Effect of Smartification

In an earlier article, we talked about the ongoing smartification of the home – the natural tendency of households to accumulate more intelligent devices over time. While this has its benefits, the residents of smart homes also need to invest their time and energy to maintain these devices. These requirements will only grow as more and more devices are added to the homes of the ordinary consumer.

Managing a household full of smart devices calls for the skills of both a multi-user IT administrator and a handyman. Let’s call this role the Administrator of Things (AoT). Ordinary users are being asked to take on this role despite scant evidence that they are ready for it.

This emerging role is something that should be looked into, as how well people can actually perform it has a huge impact on their daily lives, which includes the security of their household. The degree of work that is required by this role is dependent on factors, which include:

Consider the previous staple of home computing: the PC. It is an impressively powerful and capable machine, but it’s also a very complex one. How many of us have relatives or friends with computers that are old and full of insecure software? I’d bet we all know someone like that.

Think of the last time you had to fix a smart device in your household – for instance, your router or IP camera. Consider: how did you find what the problem was, what the solution was, and how long the fix took. If we considered this as a job, the listing for it would look something like this:

Role Summary

Implement and maintain the ongoing deployment and operation of intelligent devices (IoT devices) within the household. Required to be on-call 24 hours a day, seven days a week.

Qualifications Desired

Responsibilities

Figure 1. Solution loop for smart devices

This eye-opening array of responsibilities would be a significant challenge for the average non-techie user. One can imagine increased business opportunities for traditional support services like Geek Squad, Staples, QuickFix, and others who are willing to expand into supporting smart devices deployed in the household. It’s less of a stretch than you’d think – for example, many of these services will calibrate the high-definition TV that you bought from them or their parent company.

Conclusion

As a result of smartification, there will be an increased administrative burden of maintaining smart devices within the household over time. This will put more pressure on members of the household whose current mindset might be locked into performing these tasks themselves. These trends will likely result in (amongst other things) expanded commercial opportunities for home smart device technical deployment and support services.

If you’re already cringing at the thought of all of this, I have some good news: eventually, things will get better. The companies that make and design smart devices will learn how to create devices that are both secure and easy to use. Even today, some devices already do a good job of balancing these requirements while others…. don’t. If a smart device is built with security in mind, it will make the life of the person who has to maintain it much easier.

We’ve created an Internet of Everything buyers guide entitled What to Consider When Buying a Smart Device. This guide discusses the things you need to know, from a security perspective, about buying smart devices. Doing your homework now may save you much grief down the road.

For more information on security risks and how to secure smart devices, visit our Internet of Everything hub which contains materials that talk about this emerging field.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

The Administrator of Things (AoT) – A Side Effect of Smartification

Posted: 19 Aug 2014 | 2:46 pm

Attackers abusing Internet Explorer to enumerate software and detect security products

During the last few years we have seen an increase on the number of malicious actors using tricks and browser vulnerabilities to enumerate the software that is running on the victim’s system using Internet Explorer.

In this blog post we will describe some of the techniques that attackers are using to perform reconnaisance that gives them information for future attacks. We have also seen these techniques being used to decide whether or not they exploit the victim based on detected Antivirus, versions of potential vulnerable software or the presence of certain security features such as Enhanced Mitigation Experience Toolkit EMET. EMET is a Microsoft tool that uses security mitigation to prevent vulnerabilities from being successfully exploited.  This makes it more difficult for attackers – so they would prefer to avoid it.

1. Abusing res:\\

 The first technique we are describing affects Internet Explorer 8 and earlier. Internet Explorer blocks attempts to access the local file system using “file://” but it used to be possible to access image files within a resource section of a DLL/EXE. In a previous blog post we mentioned how attackers were using this technique as part of a waterhole campaign affecting a Thailand NGO. In that case we found the following code in the HTML of the affected website:

The resList array contains a list of executable files with resource sections containing an image file. An example using explorer.exe:

 {id: 'Windows Explorer', res: 'res://explorer.exe/#2/#143'}

If we take a look at the resource sections present on explorer.exe we can find a resource named 143:

 

The resLis array contains a big list of executable files that is used to detect Antivirus software and VMware (probably to check if it is an analysis machine used by a security researcher):

The complete list of detected software is:

We found similar code being used by the Sykipot actors in combination with a phishing scheme. In that case the list of software was much longer and it detected common software along with security products:

The list of detected software:

Security software detected:

They also used this code snippet to detect Adobe Acrobat Reader (English, Chinese and Taiwanese.)

Finally they were also able to list the patches that were installed in the Microsoft platform using a predefined list of patch numbers:

2. Microsoft XMLDOM ActiveX control information disclosure vulnerability

Another technique we found is being used by the Deep Panda actors.  They usually use this code in waterholing campaigns to detect specific software installed on the intended victim's system. It exploits the XMLDOM ActiveX to check for the presence of multiple files and folders:

This vulnerability was disclosed last year and it affects Internet Explorer versions 6 through 11 running on Windows through version 8.1.

Software enumerated includes most of the Antivirus and endpoint security products on the market:

3. More XMLDOM vulnerabilities

At the beginning of the year we found a different method being used in combination with a Zeroday vulnerability affecting Internet Explorer (CVE-2014-0322) targeting the French Aerospace Association. In that case we found the following code snippet.

The attackers were using a similar technique to detect if EMET was present on the system.  If EMET was detected they didn’t trigger the exploit since EMET was able to block it and alert the user to the 0 Day and diminish the attacker's effectiveness.

A month after the exploit code was made public we detected the same technique being used in the Angler Exploit Kit. They were using it to detect Kaspersky Antivirus.

In recent samples of the Angler Exploit Kit we have seen an improved version where they added detection for TrendMicro products.

In this blog post we have given an overview of the different techniques attackers are using to enumerate software running on a remote system.  These techniques can give attackers information that they can use in future attacks to exploit certain vectors based on the software running (or not running) on a system. In addition, we've illustrated ways were cybercriminals have adapted and copied techniques used by more advanced attackers for their own purposes.

References:

Vulnerability in Internet Explorer 10.1

XMLDOM vulnerability

URI Use and Abuse

Angler Exploit Kit 

       

Posted: 25 Jul 2014 | 7:25 am

CZ Solution Ltd. signed samples of Xtreme Rat, Zeus, Spy-Net, Gh0st, BozokRAT and other


Here are all samples (+ more) mentioned in this post by Fireeye : The Little Signature That Could: The Curious Case of CZ Solution"
All files are digitally signed with a "CZ Solutions" certificate making it easy to create a Yara or ClamAV signature.

A few Zeus samples seem to be still beaconing. Most are sinkholed.
The certificate is now revoked by VeriSign.

Enjoy




Download


Download. Email me if you need the password





File Information

Listed by Fireeye 
  1. Xtreme Rat_78CED3B6C04D372CE10B6B8606B3B747 78ced3b6c04d372ce10b6b8606b3b747
  2. Spy-Net 2.6_6A56F6735F4B16A60F39B18842FD97D0 6_6A56F6735F4B16A60F39B18842FD97D0
  3. Xtreme Rat_7C00BA0FCBFEE6186994A8988A864385.msg msg 7c00ba0fcbfee6186994a8988a864385
  4. XtremeRAT 3.5 Private _2E776E18DEC61CF6CCD68FBACD55FAB3 2e776e18dec61cf6ccd68fbacd55fab3
  5. XtremeRAT 3.5 Private _BD70A7CAE3EBF85CF1EDD9EE776D8364 bd70a7cae3ebf85cf1edd9ee776d8364
  6. XtremeRAT 3.5 Private_0BE3B0E296BE33903BF76B8CD9CF52CA 0be3b0e296be33903bf76b8cd9cf52ca
  7. XtremeRAT 3.5 Private_7416EC2889227F046F48C15C45C102DA 7416ec2889227f046f48c15c45c102da
  8. XtremeRAT 3.5 Private_BE47EC66D861C35784DA527BF0F2E03A be47ec66d861c35784da527bf0f2e03a
  9. XtremeRAT 3.5 Private_C27232691DACF4CFF24A4D04B3B2896B c27232691dacf4cff24a4d04b3b2896b
  10. XtremeRAT 3.5 Private_E79636E4C7418544D188A29481C100BB e79636e4c7418544d188a29481c100bb
  11. Zeus_9C11EF09131A3373EEF5C9D83802D56B 9c11ef09131a3373eef5c9d83802d56b
  12. Zeus_DCD3E45D40C8817061F716557E7A05B6 dcd3e45d40c8817061f716557e7a05b6


Additional (mix of RATs and Trojans)

  1. 2D186068153091927B26CD3A6831BE68 2d186068153091927b26cd3a6831be68
  2. 4A997E3395A8BB8D73193E158289F4CE 4a997e3395a8bb8d73193e158289f4ce
  3. 7E92A754AAAA0853469566D5DBF2E70C 7e92a754aaaa0853469566d5dbf2e70c
  4. 9CFD17C48FC0D300E4AA22E2C8C029D6 9cfd17c48fc0d300e4aa22e2c8c029d6
  5. 37FEE821695B664EBE66D55D8C0696F2 37fee821695b664ebe66d55d8c0696f2
  6. 445C22E94EAB61B3D4682824A19F8E92 445c22e94eab61b3d4682824a19f8e92
  7. 819B4C40F56F69C72E62EF06C85EA3E1 819b4c40f56f69c72e62ef06c85ea3e1
  8. 947C21CB8E28B854FF02C2241399A450 947c21cb8e28b854ff02c2241399a450
  9. 2859089CC3E31DA60C64D56C416175E2 2859089cc3e31da60c64d56c416175e2
  10. A9EE1BF62DEE532BE2BE217D3E4A8927 a9ee1bf62dee532be2be217d3e4a8927
  11. AC87BC7DD4B38FA3EBA23BF042B160CE ac87bc7dd4b38fa3eba23bf042b160ce
  12. B953FD2B3D5C10EC735681982D3C6352 b953fd2b3d5c10ec735681982d3c6352
  13. BD5188031BB8EB317FB58F0A49CCBF9C bd5188031bb8eb317fb58f0a49ccbf9c
  14. D7CF30E3DBFD32A1D1E38CEE464EC6A6 d7cf30e3dbfd32a1d1e38cee464ec6a6
  15. E1AFC706C8C96FACEDB6CB62E6CBFD2D e1afc706c8c96facedb6cb62e6cbfd2d
  16. Gh0stB_7A26BBD7B5942B49FC0A9CB7268BD030 7a26bbd7b5942b49fc0a9cb7268bd030
  17. SpyRat_E0B0BBA2F6399B0577C37E2A3BC3390A e0b0bba2f6399b0577c37e2a3bc3390a
  18. Zeus_0D8F9C5898596251233C3FD1DCB34161 0d8f9c5898596251233c3fd1dcb34161
  19. Zeus_7A6BBC32868A9F776452355F909F95D6 7a6bbc32868a9f776452355f909f95d6
  20. Zeus_7CD6C4A6103F23858C7ED047391F1D3B 7cd6c4a6103f23858c7ed047391f1d3b
  21. Zeus_52BE0408084F536E42FEB7C57F521592 52be0408084f536e42feb7c57f521592
  22. Zeus_5746DD569623431BA41A247FA64847D7 5746dd569623431ba41a247fa64847d7
  23. Zeus_A79089B5E6744C622D61BEFA40AF77D3 a79089b5e6744c622d61befa40af77d3
  24. Zeus_E2190F61B532BD51E585449BAAE31BC1 e2190f61b532bd51e585449baae31bc1
  25. Zeus_F76A509FEE28C5F65046D6DC072658B2 f76a509fee28c5f65046d6dc072658b2

Posted: 20 Jul 2014 | 9:59 pm

Cyber Engineering Services Announces the Cyber Red List

Cyber Engineering Services Announces the Cyber Red List, Industries That Have Been Cyber Walloped Since 2010

List Highlights Smaller Defense Supply Chain Partners, Legal Counsel and Public Relations/Advertising as Major Targets for Cyber Attacks

COLUMBIA, MD – May 7, 2013 – Based on its observation of thousands of cyber attacks over the 30 months since its founding, Cyber Engineering Services today announced the launch of the Cyber Red List. Developed using the company’s proprietary technology that enables Cyber Engineering Services to identify cyber attacks in progress, the Cyber Red List details the industries that have been hardest hit by cyber attacks since November 2010, and identifies accompanying environmental indicators that place organizations at a higher level of risk.

“Size doesn’t matter when you’re looking at cyber attack victim commonalities; the kind of data you have does,” commented Joseph Drissel, CEO of Cyber Engineering Services and former acting chief of the Department of Defense Computer Forensics Lab cyber intrusions section. “Based on what we’ve read in the news lately, it would be easy for companies with revenues of $1 billion and under to get the false impression that only the big contractors, the news organizations, and companies that are involved in Chinese diplomacy are targets. The Cyber Red List shows that what motivates the adversary is the kind of information you deal in and have access to – weapons, communications, energy, policy, and research – and often the smaller companies don’t have the resources in place to effectively seal their networks. We help them get the same level of data protection as the big guys.”

Cyber Engineering Services is an information security company with heavy experience in forensics analysis, reverse engineering and malware arenas focusing on what is known as the Advanced Persistent Threat (APT). Its proprietary technology, called Legal Non-Invasive Malware Exploitation technique (LNIME), provides the company substantial insight into the malicious activities of cyber adversaries. Cyber Engineering Services works on behalf of its clients to:
• Identify, in real time, when a cyber attack is happening,
• Stop an attack before critical data is lost,
• See live command-and-control keystrokes of the adversary, and
• Engage with the adversary to regain control of networks.
“A huge volume of our country’s intellectual property is owned by companies that supply or collaborate with large contractors or government agencies, yet what is most alarming is that many of these companies don’t have the cyber security infrastructure that their larger, better-funded counterparts do,” Drissel went on to say. “The smaller players not only have the most to lose in terms of IP and valuation, but the potential implications for national and international safety, security, health and well-being are vast. All it takes is one hole in the network to result in a massive data loss. We identify and then plug those holes to keep the bad guys out and seal data in.”
For media inquiries, contact: Media@CyberEngineeringServices.com.

The Cyber Red List

 
Cyber Engineering Services has observed cyber attacks in thousands of networks since the company’s inception in November 2010, many of which resulted in significant data losses for the compromised companies. The following is a snapshot of industries that were most targeted based on the data gathered through Cyber Engineering Services Legal Non-Invasive Malware Exploitation (LNIME) technique. The vast majority of compromises took place in organizations with revenues of less than $1 billion USD annually.

TOP TARGETED INDUSTRIES
1. Defense, Homeland Security, International Security including unmanned aerial vehicles (UAV), satellite communications, aerospace and military communications, rocket and propulsion systems, and radar systems.

2. Critical infrastructure including energy, oil, gas, transportation, banking, and telecommunications.

3. Sensitive data exchange environments including law firms, public relations and advertising agencies whose clients do business in energy, oil, transportation, communications, and defense.

4. Long-term policy information including from lawmakers, think tanks, diplomatic and policy organizations.

5. Research and Development-focused industries including laboratories, pharmaceutical and medical facilities.

ENVIRONMENTAL INDICATORS
Additionally, the following environmental indicators were present in cyber attacks among the targeted industries:

1. Where data is shared electronically via email, the internet, on a smartphone or other handheld device;
2. Where the Advanced Persistent Threat or competitor could degrade or otherwise manipulate data to source, duplicate, transport, purchase, sell, manufacture or supply a product or service through alternate means;
3. Where there is a global nexus.

DISCLOSURES
Due to the highly sensitive nature of the data that was breached in these attacks – inclusive of data protected under the International Traffic in Arms Regulations (ITAR) – Cyber Engineering Services does not disclose the names of the victims or the technical information that was stolen. Cyber Engineering Services has reported these incidents directly to the victims, as well as followed established protocols to report to the government agencies that oversee these functions.

ABOUT THE CYBER RED LIST
Cyber Engineering Services, an information security company with heavy experience in forensics analysis, reverse engineering and malware arenas focusing on what is known as the Advanced Persistent Threat (APT), compiled the Cyber Red List to raise awareness among victim organizations – especially smaller organizations often with fewer cyber security resources – for the need to protect mission and operation-critical data assets from cyber attacks. Cyber Engineering Services team of experts works with clients to control their networks and protect their most valued data assets using unrivaled technical skills, investigative curiosity and tenacity to prevail. For more information, contact Media@CyberEngineeringServices.com.

# # #

Posted: 6 May 2013 | 8:21 pm