Yahoo Spreading Malware?

Some advertisements on Yahoo Inc’s European websites last week spread malicious software, Yahoo said on Sunday, potentially infecting the computers of thousands of users.

Last Friday, Fox-IT, a Delft, Netherlands-based computer security firm, wrote in a blog that attackers had inserted malicious ads served by ads.yahoo.com.

In a recently released statement, a Yahoo spokesman, said: “On Friday, January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines, specifically they spread malware.” Yahoo said it promptly removed the bad ads, and that users of Mac computers and mobile devices were not affected.

Malware is software used to disrupt a computer’s operations, gather sensitive information, or gain access to private computer systems.

Fox-IT estimated that on Friday, the malware was being delivered to approximately 300,000 users per hour, leading to about 27,000 infections per hour. The countries with the most affected users were Romania, Britain, and France.

“It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors,” Fox-IT wrote in the January 3 blog post.

Source

Did Stuxnet Infect A Russian Nuclear Plant?

Kaspersky has claimed that the infamous Stuxnet computer worm “badly infected” the internal network of an unnamed Russian nuclear plant after it caused chaos in Iran’s nuclear facilities.

Speaking at a keynote presentation given at the Canberra Press Club 2013, Kaspersky CEO Eugene Kaspersky said a staffer at the unnamed nuclear plant informed him of the infection.

“[The staffer said] their nuclear plant network which was disconnected from the internet was badly infected by Stuxnet,” Kaspersky said.

“So unfortunately these people who were responsible for offensive technologies, they recognise cyber weapons as an opportunity.”

Stuxnet was discovered to have spread throughout industrial software and equipment in 2010 and is believed to have been created by the United States and Israel to attack Iran’s nuclear facilities. According to Kaspersky’s source, the malware was carried into the Russian nuclear plant and installed on a physically separated “air-gapped” network.

Kaspersky also made a rather outlandish joke during his speech, saying that all data is subject to theft. “All the data is stolen,” Kaspersky said. “At least twice.”

“If the claim of the Russian nuclear plant infection is true, then it’s easy to imagine how this “collateral damage” could have turned into a very serious incident indeed, with obvious diplomatic repercussions,” said security expert Graham Cluley.

“There is no way to independently verify the claim, of course. But it is a fact that Stuxnet managed to infect many computer systems outside of its intended target in Iran,” Cluley added. “Indeed, the very fact that it spread out of control, was what lead to its discovery by security firms.”

Earlier this year, Symantec claimed that the Stuxnet computer worm could date back further than 2010 and was more widespread than originally believed.

Symantec’s report called “The Missing Link” found a build of the Stuxnet attack tool, dubbed Stuxnet 0.5, which it said dated back to 2005 and used different techniques to sabotage industrial facilities.

Source

Adobe Data Found Online

A computer security firm has discovered data it says belongs to some 152 million Adobe Systems Inc user accounts, suggesting that a breach reported a month ago is much larger than Adobe has so far disclosed and is one of the largest on record.

LastPass, a password security firm, said that it has found email addresses, encrypted passwords and password hints stored in clear text from Adobe user accounts on an underground website frequented by cyber criminals.

Adobe said last week that attackers had stolen data on more than 38 million customer accounts, on top of the theft of information on nearly 3 million accounts that it disclosed nearly a month earlier.

The maker of Photoshop and Acrobat software confirmed that LastPass had found records stolen from its data center, but downplayed the significance of the security firm’s findings.

While the new findings from LastPass indicate that the Adobe breach is far bigger than previously known, company spokeswoman Heather Edell said it was not accurate to say 152 million customer accounts had been compromised because the database attacked was a backup system about to be decommissioned.

She said the records include some 25 million records containing invalid email addresses, 18 million with invalid passwords. She added that “a large percentage” of the accounts were fictitious, having been set up for one-time use so that their creators could get free software or other perks.

She also said that the company is continuing to work with law enforcement and outside investigators to determine the cost and scope of the breach, which resulted in the theft of customer data as well as source code to several software titles.

The company has notified some 38 million active Adobe ID users and is now contacting holders of inactive accounts, she said.

Paul Stephens, director of policy and advocacy for the non-profit Privacy Rights Clearinghouse, said information in an inactive database is often useful to criminals.

He said they might use it to engage in “phishing” scams or attempt to figure out passwords using the hints provided for some of the accounts in the database. In some cases, people whose data was exposed might not be aware of it because they have not accessed the out-of-date accounts, he said.

“Potentially it’s the website you’ve forgotten about that poses the greater risk,” he said. “What if somebody set up an account with Adobe ten years ago and forgot about it and they use the same password there that they use on other sites?”

Source

Chinese Hackers Go After Dissidents

The “Comment Crew,” a group of China-based hackers whose outing earlier this year in major media outlets caused a conflict with the U.S., have resumed their attacks against dissidents.

FireEye, a security vendor that specializes in trying to stop sophisticated attacks, has noticed attackers using a fresh set of tools and evasion techniques against some of its newer clients, which it can’t name. But Rob Rachwald, director of market research for FireEye, said in an interview Monday that those clients include an organization in Taiwan and others involved in dissident activity.

The Comment Crew was known for many years by security analysts, but its attacks on The New York Times, described in an extensive report in February from vendor Mandiant, thrust them into an uncomfortable spotlight, causing tense relations between the U.S. and China.

Rachwald said it is difficult to determine if the organizations being targeted now were targeted by the Comment Crew previously, but FireEye said last month that the group didn’t appear to be hitting organizations they had compromised before.

Organizations opposing Chinese government policies have frequently been targeted by hackers in what are believed to be politically motivated surveillance operations.

The Comment Crew laid low for about four months following the report, but emerging clues indicate they haven’t gone away and in fact have undertaken a major re-engineering effort to continue spying. The media attention “didn’t stop them, but it clearly did something to dramatically alter their operations,” Rachwald said in an interview.

“If you look at it from a chronological perspective, this malware hasn’t been touched for about 18 months or so,” he said. “Suddenly, they took it off the market and started overhauling it fairly dramatically.”

FireEye researchers Ned Moran and Nart Villeneuve described the new techniques on Monday on FireEye’s blog.

Two malware samples, called Aumlib and Ixeshe, had been used by the Comment Crew but not updated since 2011. Both malware programs have now been altered to change the appearance of their network traffic, Rachwald said.

Many vendors use intrusion detection systems to spot how malware sends data back to an attacker, which helps determine if a network has been compromised. Altering the method and format for how the data is sent can trick those systems into thinking everything is fine.

In another improvement, encryption is now employed to mask certain components of the programs’ networking communication, Rachwald said. The malware programs themselves, which are designed to steal data and log keystrokes, are basically the same.

Mandiant’s report traced the hacking activity to a specific Chinese military unit called “61398.” The company alleged that it waged a seven-year hacking spree that compromised 141 organizations.

Rachwald said it is strongly believed the Comment Crew is behind the new attacks given its previous use of Aumlib and Ixeshe. But the group has also re-engineered its attack infrastructure so much over the last few months that it is difficult to say for sure.

Source

Collaborating Viruses Showing Up

Two computer viruses are collaborating to defeat clean-up operations. Microsoft researcher Hyun Choi has found that the pair of viruses foil removal by regularly downloading updated versions of their malware partner.

It is the first time that such a defense plan has been noticed before. Choi said that the Vobfus and Beebone viruses, were regularly found together. Vobfus was the first to arrive on a machine, he said, and used different tactics to infect victims. Vobfus could be installed via booby-trapped links on websites, travel via network links to other machines or lurk on USB drives and infect machines they are plugged into.

Once installed, Vobfus downloaded Beebone which enrolled the machine into a botnet. After this the two start to work together to regularly download new versions of each other. If Vobfus was detected and remediated, it could have downloaded an undetected Beebone which can in turn download an undetected variant of Vobfus.

Vobfus become a persistent problem since 2009 when it first appeared.

Source

Bonets Attack U.S. Banks

Evidence collected from a website that was recently used to flood U.S. banks with junk traffic suggests that the responsible parties behind the ongoing DDoS attack campaign against U.S. financial institutions — thought by some to be the work of Iran — are using botnets for hire.

The compromised website contained a PHP-based backdoor script that was regularly instructed to send numerous HTTP and UDP (User Datagram Protocol) requests to the websites of several U.S. banks, including PNC Bank, HSBC and Fifth Third Bank, Ronen Atias, a security analyst at Web security services provider Incapsula, said Tuesday in a blog post.

Atias described the compromised site as a “small and seemingly harmless general interest UK website” that recently signed up for Incapsula’s services.

An analysis of the site and the server logs revealed that attackers were instructing the rogue script to send junk traffic to U.S. banking sites for limited periods of time varying between seven minutes and one hour. The commands were being renewed as soon as the banking sites showed signs of recovery, Atias said.

During breaks from attacking financial websites the backdoor script was being instructed to attack unrelated commercial and e-commerce sites. “This all led us to believe that we were monitoring the activities of a Botnet for hire,” Atias said.

“The use of a Web Site as a Botnet zombie for hire did not surprise us,” the security analyst wrote. “After all, this is just a part of a growing trend we’re seeing in our DDoS prevention work.”

Source…

Satellite Phone Encryption Cracked

German researchers claim to have cracked the algorithm that secures satellite phone transmissions.

Benedikt Driessen and Ralf Hund from Ruhr University have reverse engineered the GMR-1 and GMR-2 voice ciphers used in a lot of satellite systems. These are used by, among others, government agencies and the military.

Bjoern Rupp, CEO at GSMK Cryptophone said, “This breakthrough has major implications for the military, civilians engaged on overseas operations, or indeed anyone using satellite phones to make sensitive calls in turbulent areas.”

Their report is titled “Don’t Trust Satellite Phones” and shows how someone with a “suitably programmed computer” and software radio capable of receiving satellite frequencies can hack calls. These include ones made by disaster relief agencies and the military.

Source…

Yahoo Messenger Flaw Exposed

An unpatched Yahoo Messenger vulnerability that allows hackers to change people’s status messages and possibly perform other unauthorized functons can be exploited to spam malicious links to a large number of users.

The flaw was discovered in the wild by security researchers from antivirus vendor BitDefender while investigating a customer’s report about unusual Yahoo Messenger behavior.

The flaw appears to be located in the application’s file transfer API (application programming interface) and allows attackers to send malformed requests that result in the execution of commands without any interaction from victims.

“An attacker can write a script in less than 50 lines of code to malform the message sent via the YIM protocol to the attacker,” said Bogdan Botezatu, an e-threats analysis & communication specialist at BitDefender.

“Status changing appears to be only one of the things the attacker can abuse. We’re currently investigating what other things they may achieve,” he added.

Victims are unlikely to realize that their status messages have changed and if they use version 11.5 of Yahoo Messenger, which supports tabbed conversations, they might not even spot the rogue requests, Botezatu said.

This vulnerability can be leveraged by attackers to earn money through affiliate marketing schemes by driving traffic to certain websites or to spam malicious links that point to drive-by download pages.

Source….

China Denies Hack Attack

China has denied involvement in hacking US environment monitoring satellites.

Last week the US-China Economic and Security Review Commission released a draft report about several incidents where US satellites were interfered with in 2007 and 2008.

The Commission did not say that the attacks were traced back to China, but it did cite China’s military as a prime suspect, due to the similarity of the techniques used with “authoritative Chinese military writings” on disabling satellite control.

The hackers gained access to the satellites on at least four occasions through a ground station in Norway. The unauthorised access lasted for between two and 12 minutes. While the attacks did no real damage, they did demonstrate that it is possible to hijack satellites, which is a worrying realisation when military satellites are taken into consideration.

China has a bad reputation throughout the world for alleged cyber attacks, often being the first to blame when a major attack has been discovered. The US has not been the only target either, with alleged attacks against Canada and France having been reported earlier this year.

“[The US] has always been viewing China with colored lenses. This report is untrue and has ulterior motives. It’s not worth a comment,” said Hong Lei, a spokesperson for the Chinese Foreign Ministry, according to Reuters.

Source….

Microsoft: Stolen SSL Certs No Good

Microsoft has officially stated that a digital certificate stolen from a Dutch company could not be used to force-feed customers malware through its Windows Update service.

The company’s assertion came after a massive theft of more than 500 SSL (secure socket layer) certificates, including several that could be used to impersonate Microsoft’s update services, was revealed by Dutch authorities and several other affected developers.

“Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers,” said Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), in a Sunday blog post. “The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued
and secured by Microsoft.”

Seven of the 531 certificates now known to have been fraudulently obtained by hackers in July were for the domains update.microsoft.com and windowsupdate.com, while another six were for *.microsoft.com.

Read More…..

« Previous Page — Next Page »