Posted: 16 Mar 2014 | 1:04 am
The Pwn2Own and Pwnium hacking contests at the annual CanSecWest conference in Vancouver have earned security researchers over a million dollars in prizes, exposed 34 serious zero-day flaws in popular code, and earned over $82,000 for the Canadian Red Cross.…
Posted: 14 Mar 2014 | 12:15 pm
A few days ago the personal blog and Reddit account of MtGox CEO Mark Karpeles were hacked. Attackers used them to post a file, MtGox2014Leak.zip, which they claim contains valuable database dumps and specialized software for remote access to MtGox data. But this application is actually malware created to search for and steal Bitcoin wallet files from its victims. It seems that the whole leak was invented to infect computers with Bitcoin-stealer malware that takes advantage of people's keen interest in the MtGox topic.
Posted: 14 Mar 2014 | 6:47 am
Rockstar Games’ latest offering for the videogame industry, open-world crime simulator Grand Theft Auto V, came out several months ago for consoles to fanfare and anticipation. Unsurprisingly, people have been waiting for the PC version, despite Rockstar Games being very mum about its release date (or even its existence).
This uncertainty did not stop cybercriminals from taking advantage of the pre-release publicity. We recently found a spam campaign making the rounds; this one claims that the user has been invited to the GTA V PC beta test.
Figure 1. Spam message
The second half consists of links written in Slovak, leading to several sites, one of which is a phishing site. The biggest problem is the attached .ZIP file, which when opened reveals an application named Your promo code in app rockstargames.com. The extension may actually make people believe that it is a link to Rockstar; in fact it is a backdoor detected as BKDR_ANDROM.ATG.
Figure 2. Contents of malicious attachment
Even though the existence of a PC version of GTA V is an unproven rumor, cybercriminals still managed to make convincing bait out of it.
We recently covered a similar incident using the non-existent desktop version of the messaging app WhatsApp. Like GTA V, the desktop version of WhatsApp has yet to even be announced, and yet it managed to garner its own share of victims.
As always, we remind users to always be vigilant and alert when it comes to spammed mails such as these. Make sure to check valid and reputable news organizations/websites first before clicking on anything that seems too good to be true. If possible, seek verification from first-party sources (in this case, Rockstar Games). It saves everyone a lot of wasted time, effort and hassle.
Additional analysis by Christopher So and Mark Manahan.
Posted: 14 Mar 2014 | 3:27 am
Posted: 14 Mar 2014 | 2:14 am
Today, Bloomberg Businessweek reported on the methods hackers used to steal millions of credit card numbers from Target. In the report, FireEye was mentioned as having discovered the attack prior to the broad discovery by Target as well as providing services to the CIA. It is FireEye policy to not publicly identify our customers and, as such, we cannot validate or comment on the report’s claims that Target, the CIA, or any other companies are customers of FireEye.
Additionally, certain follow-on media coverage has reported that the CIA was involved with the founding of FireEye. These claims are not true. To clear any misconceptions in the market, we wanted to provide more information about how FireEye was founded.
In 2004, Ashar Aziz founded FireEye with venture capital provided by Sequoia Capital. Ashar recognized the advantages of applying virtualization technology to IT security and is the original inventor of the FireEye security technology now known as the Multi-Vector Virtual Execution engine. In subsequent funding rounds, FireEye added other top investors including Norwest Venture Partners, Jafco Ventures, Dag Ventures, Juniper Networks, Four Rivers Partners, Goldman Sachs, and In-Q-Tel (IQT).
IQT is a not-for-profit venture capital firm whose mission is to identify and invest in companies developing cutting-edge technologies that serve national security interests. IQT is an independent strategic investor that makes investments based on objective due diligence and is extremely selective about the companies in which it invests. We felt honored to receive funding from such a selective investor.
To be clear, however, IQT owns far less than 1 percent of FireEye and no one from IQT (or any intelligence agencies) sits on our board of directors, or is employed, or otherwise performs any services for or on behalf of FireEye. IQT has no influence on our roadmap, operations, financials, governance, or any other aspect of our business. We do not provide IQT with any content or intelligence.
Looking more broadly at the technology industry’s relationship with government entities, FireEye does not share or receive any content with any intelligence agencies that is not available to our entire customer base. We make available to all our customers FireEye Dynamic Threat Intelligence, a cloud-based solution that efficiently shares auto-generated threat intelligence to protect all our customers once a threat has been identified in one organization.
FireEye was never a CIA company and we’ve never provided unique intelligence to any government agencies. Our position as a global security company is to be independent of any government agencies and solely focused on protecting our customers around the world.
Posted: 13 Mar 2014 | 3:13 pm
Every single day our automated systems analyze hundreds of thousands of malicious samples. Yesterday one of the samples caught my attention because the malware started performing bruteforce attacks against Remote Desktop using a specific list of usernames and passwords.
Other similar samples:
Once started, the malware copies itself to \Documents and Settings\Administrator\Application Data\lsacs.exe and starts communicating with the C&C, sending data about the status of the bot (number of hosts bruteforced, packets per second, number of threads, version, etc.),
and the server replies with a configuration block containing:
- Login/Password list to use during bruteforcing
- List of IP Addresses to attack
- Number of threads to use
As you can see, some of the usernames/passwords that they are using (pos, pos1, pos01, shop, station, hotel, atm, atm1, micros, microssvc) are the default ones commonly used in Point of Sale terminals by retailers and businesses all around the world.
The control panel of the botnet is also hosted in the same server:
This is not new; we know cybercriminals have been using this technique to compromise Point of Sale systems for years. Once they gain access to the terminal using one of the default credentials, they upload a second-stage payload commonly known as a memory scraper: a piece of malware that searches for credit card data in memory before it has been encrypted. Some examples are:
These pieces of malware are able to extract the credit card data from the terminal and exfiltrate it to the attackers, who will then sell the information on the black market.
When it comes to detecting the infection of a system in your network, this is how our AlienVault Unified Security Management (USM) will detect a compromised asset in your network:
USM is able to detect both the communication with the C&C server and the network activity that is generated when the malware performs bruteforce attacks against devices on the Internet. It is worth mentioning that the C&C server IP address was already in our Open Threat Exchange database and the correlation engine used that information to generate an alarm about a system compromise.
If you want to try it yourself you can download our Open Source SIEM, OSSIM, or the free 30-day trial of AlienVault Unified Security Management (USM).
We have shown how these threats can impact companies using Point Of Sale terminals, especially those retailers and medium and small businesses that don't have visibility into the systems that are part of their networks and handle credit card information.
Some recommendations to protect against these kinds of attacks are:
- Change default credentials of POS systems
- Configure an access control list
- Keep your software up-to-date
- Install an Antivirus solution
- Centralize and monitor the logs from your POS systems to detect potential security breaches
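As an added defensive example that is not part of the AlienVault post, the following Python implements the last recommendation for the bruteforce traffic described above: it reads simplified Windows logon records (a constructed sample modelled on Security event 4625 with logon type 10, i.e. RDP), flags any source exceeding a threshold of failed RDP logons within one minute, and reports which of the default POS account names quoted in the post were tried. The log line format, threshold and window are my assumptions, not USM's rule.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default POS account names quoted in the post above.
POS_DEFAULT_USERS = {"pos", "pos1", "pos01", "shop", "station", "hotel",
                     "atm", "atm1", "micros", "microssvc"}

# Constructed sample in a simplified "timestamp event user src type" layout.
# 4625 = failed logon, 4624 = successful logon, type 10 = RemoteInteractive (RDP).
SAMPLE_LOG = """\
2014-03-13T10:00:01 4625 user=pos src=203.0.113.5 type=10
2014-03-13T10:00:02 4625 user=pos1 src=203.0.113.5 type=10
2014-03-13T10:00:03 4625 user=administrator src=203.0.113.5 type=10
2014-03-13T10:00:04 4625 user=micros src=203.0.113.5 type=10
2014-03-13T10:00:05 4625 user=shop src=203.0.113.5 type=10
2014-03-13T10:00:06 4625 user=atm src=203.0.113.5 type=10
2014-03-13T10:05:00 4625 user=alice src=192.0.2.10 type=10
2014-03-13T10:05:30 4624 user=alice src=192.0.2.10 type=10
2014-03-13T12:00:00 4625 user=bob src=192.0.2.11 type=2
"""

LINE_RE = re.compile(r"(\S+) (\d+) user=(\S+) src=(\S+) type=(\d+)")

def parse(log_text):
    """Yield (timestamp, event_id, user, src, logon_type) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ev, user, src, ltype = m.groups()
            yield datetime.fromisoformat(ts), int(ev), user.lower(), src, int(ltype)

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {src: {"failures": n, "pos_defaults": [...]}} for every source that
    produced at least `threshold` failed RDP logons (4625, type 10) inside `window`.
    A single failed logon per user, like alice's typo above, never trips the rule."""
    failures = defaultdict(list)
    for ts, ev, user, src, ltype in parse(log_text):
        if ev == 4625 and ltype == 10:
            failures[src].append((ts, user))
    alerts = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):          # sliding window per source
            burst = [u for t, u in events[i:] if t - start <= window]
            if len(burst) >= threshold:
                alerts[src] = {"failures": len(burst),
                               "pos_defaults": sorted(set(burst) & POS_DEFAULT_USERS)}
                break
    return alerts
```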
Posted: 11 Mar 2014 | 2:34 am
The latest version includes several new features and bug fixes:
Convert Binary File
Added the ability to delete bytes in the File > Convert Binary File function. The bytes are deleted before any other action is taken.
Under the Format menu > Sort Text you can now sort by characters, rows, or comma-delimited values.
Range Search/Replace, under the Tools menu, enables you to do a search and replace using one of three methods. While you can also do this using regex in Search/Replace Text, this is another way I thought I’d add.
Key Search/Convert – Calculate Distance
Added a method to have Converter try to automatically find a multi-byte XOR key. You can read this blog post where I describe how this works.
Just import a binary file that you suspect is an executable. You only need the first 1K bytes, so leave that checkbox at the top checked. Click on the “Calculate Distance…” option. It will automatically paste in the DOS header string and set it to auto mode. Converter will start using offset 1, 2, 3… until the (near) length of your search string. I found it generated too many false positives if I used the entire length. You can get false positives when you have a short search string or a large offset.
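As an added illustration of the known-plaintext idea behind this feature (my own code, not Converter's), the Python below slides the DOS stub string over the first bytes of an encrypted file, treats the XOR of ciphertext and plaintext at each offset as a candidate key stream, and keeps it only if it is periodic and, once re-phased to offset 0, decrypts the file's first two bytes to "MZ". The periodicity and MZ checks are my assumptions about how to limit the false positives the post mentions; the sample header and 3-byte key are constructed.

```python
from itertools import cycle

# Known plaintext present in virtually every PE's DOS stub (the string Converter pastes in).
DOS_STUB = b"This program cannot be run in DOS mode"

def xor_bytes(data, key):
    """XOR data with a repeating key whose phase is aligned to data offset 0."""
    return bytes(d ^ k for d, k in zip(data, cycle(key)))

def smallest_period(stream, max_len):
    """Return the smallest p <= max_len such that stream repeats every p bytes, else None."""
    for p in range(1, max_len + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return None

def recover_xor_key(data, plaintext=DOS_STUB, max_key_len=16, max_offset=256):
    """Slide the known plaintext over the start of the encrypted file. At each offset
    ciphertext XOR plaintext is the key stream; accept it if it is periodic, re-phase
    it to file offset 0 and confirm it by checking for the 'MZ' magic.
    Returns (offset_of_plaintext, key) or None."""
    for off in range(0, min(max_offset, len(data) - len(plaintext)) + 1):
        stream = bytes(c ^ p for c, p in zip(data[off:off + len(plaintext)], plaintext))
        p = smallest_period(stream, max_key_len)
        if p is None:
            continue
        # stream[0] sits at file offset `off`, so key byte i is stream[(i - off) % p].
        key = bytes(stream[(i - off) % p] for i in range(p))
        if xor_bytes(data[:2], key) == b"MZ":
            return off, key
    return None

# Constructed sample: a minimal fake DOS header, then encrypted with a 3-byte key.
SAMPLE_KEY = b"\x4b\xe7\x91"
PLAIN_HEADER = (b"MZ" + b"\x90" * 62
                + b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
                + DOS_STUB + b".\r\r\n$")
ENCRYPTED = xor_bytes(PLAIN_HEADER, SAMPLE_KEY)
```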
Converter, File Converter, and Data Converter can all be downloaded from here. Thank you for your support!
Posted: 17 Feb 2014 | 2:34 pm
Posted: 4 Feb 2014 | 6:48 pm
Cyber Engineering Services Announces the Cyber Red List, Industries That Have Been Cyber Walloped Since 2010
– List Highlights Smaller Defense Supply Chain Partners, Legal Counsel and Public Relations/Advertising as Major Targets for Cyber Attacks –
COLUMBIA, MD – May 7, 2013 – Based on its observation of thousands of cyber attacks over the 30 months since its founding, Cyber Engineering Services today announced the launch of the Cyber Red List. Developed using the company’s proprietary technology that enables Cyber Engineering Services to identify cyber attacks in progress, the Cyber Red List details the industries that have been hardest hit by cyber attacks since November 2010, and identifies accompanying environmental indicators that place organizations at a higher level of risk.
“Size doesn’t matter when you’re looking at cyber attack victim commonalities; the kind of data you have does,” commented Joseph Drissel, CEO of Cyber Engineering Services and former acting chief of the Department of Defense Computer Forensics Lab cyber intrusions section. “Based on what we’ve read in the news lately, it would be easy for companies with revenues of $1 billion and under to get the false impression that only the big contractors, the news organizations, and companies that are involved in Chinese diplomacy are targets. The Cyber Red List shows that what motivates the adversary is the kind of information you deal in and have access to – weapons, communications, energy, policy, and research – and often the smaller companies don’t have the resources in place to effectively seal their networks. We help them get the same level of data protection as the big guys.”
Cyber Engineering Services is an information security company with heavy experience in forensics analysis, reverse engineering and malware arenas focusing on what is known as the Advanced Persistent Threat (APT). Its proprietary technology, called Legal Non-Invasive Malware Exploitation technique (LNIME), provides the company substantial insight into the malicious activities of cyber adversaries. Cyber Engineering Services works on behalf of its clients to:
• Identify, in real time, when a cyber attack is happening,
• Stop an attack before critical data is lost,
• See live command-and-control keystrokes of the adversary, and
• Engage with the adversary to regain control of networks.
“A huge volume of our country’s intellectual property is owned by companies that supply or collaborate with large contractors or government agencies, yet what is most alarming is that many of these companies don’t have the cyber security infrastructure that their larger, better-funded counterparts do,” Drissel went on to say. “The smaller players not only have the most to lose in terms of IP and valuation, but the potential implications for national and international safety, security, health and well-being are vast. All it takes is one hole in the network to result in a massive data loss. We identify and then plug those holes to keep the bad guys out and seal data in.”
For media inquiries, contact: Media@CyberEngineeringServices.com.
Cyber Engineering Services has observed cyber attacks in thousands of networks since the company’s inception in November 2010, many of which resulted in significant data losses for the compromised companies. The following is a snapshot of the industries that were most targeted, based on the data gathered through Cyber Engineering Services’ Legal Non-Invasive Malware Exploitation (LNIME) technique. The vast majority of compromises took place in organizations with revenues of less than $1 billion USD annually.
TOP TARGETED INDUSTRIES
1. Defense, Homeland Security, International Security including unmanned aerial vehicles (UAV), satellite communications, aerospace and military communications, rocket and propulsion systems, and radar systems.
2. Critical infrastructure including energy, oil, gas, transportation, banking, and telecommunications.
3. Sensitive data exchange environments including law firms, public relations and advertising agencies whose clients do business in energy, oil, transportation, communications, and defense.
4. Long-term policy information including from lawmakers, think tanks, diplomatic and policy organizations.
5. Research and Development-focused industries including laboratories, pharmaceutical and medical facilities.
Additionally, the following environmental indicators were present in cyber attacks among the targeted industries:
1. Where data is shared electronically via email, the internet, on a smartphone or other handheld device;
2. Where the Advanced Persistent Threat or competitor could degrade or otherwise manipulate data to source, duplicate, transport, purchase, sell, manufacture or supply a product or service through alternate means;
3. Where there is a global nexus.
Due to the highly sensitive nature of the data that was breached in these attacks – inclusive of data protected under the International Traffic in Arms Regulations (ITAR) – Cyber Engineering Services does not disclose the names of the victims or the technical information that was stolen. Cyber Engineering Services has reported these incidents directly to the victims, as well as followed established protocols to report to the government agencies that oversee these functions.
ABOUT THE CYBER RED LIST
Cyber Engineering Services, an information security company with heavy experience in the forensics analysis, reverse engineering and malware arenas focusing on what is known as the Advanced Persistent Threat (APT), compiled the Cyber Red List to raise awareness among victim organizations – especially smaller organizations, often with fewer cyber security resources – of the need to protect mission- and operation-critical data assets from cyber attacks. Cyber Engineering Services’ team of experts works with clients to control their networks and protect their most valued data assets using unrivaled technical skills, investigative curiosity and tenacity to prevail. For more information, contact Media@CyberEngineeringServices.com.
# # #
Posted: 6 May 2013 | 8:21 pm