Hacking as a way of thinking

Courtesy of National Geographic

Hacker and Developer Darren Kitchen believes hacking is not an inherently criminal act. Instead, he thinks hacking can help foster more open and free societies around the world.

Source: Security news

Source: Zologic

Detect 2017 Recap

Detect 2017 was a great success, and we’d like to say a huge thank you to all of the speakers and attendees who made this possible. Here are a few highlights that made us say, “Great Scott!”.

Keynotes from:

  • Kevin Poulsen, Cyber Crime Expert and author of Kingpin
  • General Michael Hayden, former Director of the Central Intelligence Agency and the National Security Agency
  • Michael Daniel, Cybersecurity Coordinator to Barack Obama (2012 – 2016) & Special Assistant to the President
  • Hugh Njemanze, CEO of Anomali
  • Colby DeRodeff, Chief Strategy Officer of Anomali

An incredible array of breakout sessions from experts in all areas of cyber security. Don’t worry if you couldn’t make it to every session you wanted to, all of the recordings will be made available to attendees.

And last but not least, a crazy night at the Enchantment Under the Sea Dance. We hope you had as much fun as we did!

Plans are already underway for Detect 2018 – see you next year!

Photo captions: Kevin Poulsen keynote; General Michael Hayden keynote; Michael Daniel keynote; Hugh Njemanze (Chief Executive Officer at Anomali) keynote; Colby DeRodeff (Co-founder & Chief Strategy Officer at Anomali) keynote; ISAC keynote panel; Anomali Detect sessions, attendees, gifts, crowd, party band, party and drinks.

Source: Honeypot Tech

A Closer Look at the German Election

On September 24th, 2017, federal elections took place in Germany to elect Germany’s next parliament, the 19th Bundestag. The Christian Democratic Union (CDU) won the majority of votes with 33%, making this Angela Merkel’s fourth term in office.

Merkel has been a steadfast supporter of the European Union, and much of the E.U.’s viability can be credited to Germany’s economic prowess and political stability. This made Germany an appealing yet somewhat challenging target for the likes of Russian President Vladimir Putin, whose interference in Western elections has unfolded in a dramatic and unprecedented fashion. The question on much of the world’s mind was, could the German election successfully be hacked?

There are two primary ways that modern elections can be interfered with. The most direct method is to attack the election apparatus itself, which is often easier said than done unless you happen to be a dictator in control of the entities delivering election results. The other method, and the one that has been the most prolific, is to attempt to influence the electorate to support or oppose candidates or initiatives of the attacker’s choosing. With the rise of the Internet and social media, it’s not hard to spool up large numbers of fake social media accounts and use them to spread rumors and lies, or to amplify real news when doing so benefits the attackers’ motives. It’s often hard to gauge the true impact of these efforts on election results, however, even for the attackers.

A Tale of Election Software

Many German states use software created by vote iT, called PC-Wahl, to count votes from local and national elections. IT specialists Thorsten Schröder, Linus Neumann and Martin Tschirsich analyzed the software and found numerous security flaws. Neumann is quoted as stating “We did this in our spare time. Everybody’s worried about state sponsors and professional hackers – if we can do this in a couple of evenings of sitting around in our apartments, you can imagine how easily this could be accomplished by a state actor.”

Vote iT told German news magazine Der Spiegel that there were “no security-related weaknesses in the software.” Nevertheless, patches were soon issued. German hacker collective Chaos Computer Club (CCC) corroborated these findings, releasing a report warning that this software is easily manipulated. Passwords were either found online or easily guessed, and encryption methods were out of date. Germany’s top technology security agency, BSI, later ordered PC-Wahl’s security to be improved.

CCC previously uncovered vulnerabilities in German election voting systems in 2006 by circumventing their security measures and reprogramming voting computers to play chess. The German Federal Constitutional Court has since eliminated use of voting computers, resulting in the return to pen and paper votes.

As a result of the move back to pen and paper, attacking the election apparatus in German elections poses a particular challenge. This analog system would require significant resources to affect the outcome of the election if trying to boost numbers directly at the polls. Each voter casts two votes in a system that blends an additional member system with elements of a first-past-the-post system. Parties must win at least 5% of the second vote to enter parliament, a rule put in place to prevent splinter parties from bogging down the government as happened in the Weimar Republic of the 1920s. The Weimar Republic was characterized by instability and short governing terms due to a large number of political parties that failed to compromise on key issues.

Individual voters, therefore, do not directly cast a ballot for the new chancellor as voters do for the President of the United States. Within the U.S. a disparity of results between the popular vote and electoral college is a sometimes expected, if not frustrating event for many voters. Any disparity of reported results and actual votes in Germany would instead incite a resoundingly more chaotic result, potentially leading to calls for another election.

Should someone look to meddle with the German election, their only realistic option would be to interfere with the software responsible for tallying or reporting the results. Votes are collected and disseminated through digitized means determined by each region. And, although the paper votes could always be recounted, any strife would likely degrade confidence in the democratic system.

All Quiet on the Western (and Eastern) Front

Russia’s two main weapons in the past round of Western elections have been cyber-attacks and misinformation. Merkel herself has directly warned of Russian cyber-attacks, and for good reason.

In 2015, criminals stole 16 gigabytes of data from the German parliamentary network. Security firm Trend Micro Inc. linked the Bundestag attack to a group with ties to Russia known as Pawn Storm.

Surprisingly, nothing has come of those linked documents, not even leading up to this pivotal election. Many believe that it’s possible the hackers couldn’t sift through the millions of emails to find anything salacious, or simply didn’t believe that exposing the information would have any substantial effect.

There was one flurry of cyber activity leading up to the election – sources close to Merkel reported that thousands of cyber-attacks hit Merkel’s website on the night of her campaign’s only nationally televised debate. Many of these attacks appeared to come from Russian IP addresses, although whether or not these were actually Russian attackers is difficult to attribute.

Misinformation Nation

The latter of Russia’s attack vectors, the spread of misinformation, is far easier to attribute. One of the more famous examples from the last year was the circulation by Pro-Russian news outlets of a story about a Russian-German girl who claimed to be kidnapped and raped by Arab migrants. She later recanted the story and confessed to having left home of her own volition, and to having made up the connection with any Arab men. Public outrage at the supposed story caused Germans to accuse Moscow of “political propaganda.”

Germany has taken a very firm stance against misinformation, directly calling out examples as they arise. In June of this year German lawmakers passed legislation that penalizes companies that fail to remove fake news from their websites with multimillion-euro fines.

It’s no surprise though that Russia would attempt to highlight issues with integrating refugees, which remains a highly contested topic within Europe. Heightened tensions have increased support for the far-right, populist, and anti-immigrant Alternative for Germany (AfD), which won a landmark 13% of the vote. As with other far-right groups, the AfD also favors the abolishment of the European Union, and is staunchly anti-Muslim. This is the first time since 1961 that a far-right party has entered the Bundestag.

As in many European countries, German political parties must form a coalition to create a majority governing body. To date, all parties have claimed they would not form such a coalition with the AfD. Merkel’s CDU party and traditional coalition allies now account for 45% of the overall vote, meaning that she will likely form a coalition with the Liberal Free Democrats (FDP) and the Greens. Such a coalition between parties from both the left and the right may struggle to be legislatively effective.

After preliminary results came out on the 24th, protesters positioned themselves in front of the AfD’s headquarters, chanting “Nazis out!” and “say it loud, say it clear, refugees are welcome here!”.

Final Thoughts on German Election Interference

There were likely a few unique and unrepeatable factors keeping the peace before the German election:

  • Germany took adequate security precautions
  • Russians overplayed their hand in previous elections
  • Merkel’s victory was very secure, making any last-minute upsets suspicious
  • Germany is a strong economic partner, and antagonizing Merkel could weaken trade relations

Within these past elections Russia’s aim has undoubtedly been destabilization of Western alliances and building economic strength. An election is an excellent opportunity to apply influence that favors these outcomes. Russia has developed a particular proficiency in the area of voter influence. What’s alarming is how simple the method they use really is. Evidence was found of Twitter bots attempting to boost claims of voter fraud going into the German election. Far-right Alternative for Germany (AfD) supporters tweeted #Wahlbetrug (#ElectionFraud) in the week before the election, and the hashtag rose significantly in popularity the Friday and Saturday before voting day. This hashtag further degraded confidence in election results, whatever those results were going to be. Researchers claim the traffic was boosted by a Russian network of bots.

Speaking of Bots

Bots are everywhere. Bots are just pieces of code meant to automatically perform certain tasks or carry out commands. Not all bots are malicious or political in nature, but they can be used to amplify or distort arguments when applied to social media. It’s generally not too hard to tell if a social media account is, in fact, a bot and not representative of an actual human being. For example, there are a few questions one could ask to help determine if a Twitter account is actually a bot:

  • Is an account posting too frequently, such as more than 50 times per day?
  • Does the account not reveal any personal information?
  • What kind of posts are they retweeting? Where are these posts originating?
  • Do they use a unique photo for their avatar?
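As an added illustration (not part of the original article), the Python below scores an account against those four questions from a defender's side. The record layout, the sample accounts, and every threshold other than the 50-posts-per-day figure quoted above are assumptions constructed for the example.

```python
"""Heuristic bot indicators for a social-media account record.

Added example (not from the original article). The record layout, the sample
accounts and every threshold except the 50-posts-per-day figure are assumptions.
"""
from collections import Counter
from datetime import datetime, timezone

POSTS_PER_DAY_LIMIT = 50            # from the article's first question
RETWEET_RATIO_LIMIT = 0.9           # assumption: almost no original content
SOURCE_CONCENTRATION_LIMIT = 0.8    # assumption: retweets come from very few accounts


def _burst(count, sources, day="2017-09-22"):
    """Constructed helper: `count` retweets spread evenly over one day, cycling through `sources`."""
    posts = []
    step = 1440 // count
    for i in range(count):
        minute = i * step
        posts.append({"ts": f"{day}T{minute // 60:02d}:{minute % 60:02d}:00Z",
                      "retweet_of": sources[i % len(sources)]})
    return posts


# Constructed sample records: one plausible human, one amplifier-style account.
SAMPLE_ACCOUNTS = [
    {"handle": "example_human", "bio": "Nurse in Leipzig, runs marathons", "location": "Leipzig",
     "default_avatar": False,
     "posts": [{"ts": "2017-09-22T08:15:00Z", "retweet_of": None},
               {"ts": "2017-09-22T12:40:00Z", "retweet_of": "newsdesk_a"},
               {"ts": "2017-09-23T09:05:00Z", "retweet_of": None}]},
    {"handle": "patriot_4839201", "bio": "", "location": "", "default_avatar": True,
     "posts": _burst(120, ["src_a", "src_b", "src_c"])},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def posts_per_day(posts):
    """Average posts per 24 h over the observed span (span floored at one day)."""
    if not posts:
        return 0.0
    times = sorted(_parse(p["ts"]) for p in posts)
    span_days = max((times[-1] - times[0]).total_seconds() / 86400, 1.0)
    return len(posts) / span_days


def retweet_ratio(posts):
    """Share of posts that are retweets rather than original content."""
    if not posts:
        return 0.0
    return sum(1 for p in posts if p["retweet_of"]) / len(posts)


def source_concentration(posts):
    """Fraction of retweets that come from the three most-retweeted accounts."""
    sources = [p["retweet_of"] for p in posts if p["retweet_of"]]
    if not sources:
        return 0.0
    top = sum(c for _, c in Counter(sources).most_common(3))
    return top / len(sources)


def bot_indicators(account):
    """Return the names of the indicators that fired, in a fixed order."""
    posts = account["posts"]
    fired = []
    if posts_per_day(posts) > POSTS_PER_DAY_LIMIT:
        fired.append("high_volume")
    if not account.get("bio") and not account.get("location"):
        fired.append("no_personal_info")
    if (retweet_ratio(posts) >= RETWEET_RATIO_LIMIT
            and source_concentration(posts) >= SOURCE_CONCENTRATION_LIMIT):
        fired.append("amplifier_pattern")
    if account.get("default_avatar"):
        fired.append("default_avatar")
    return fired


def is_likely_bot(account, min_indicators=3):
    """Treat an account as a probable bot only when several independent signals agree."""
    return len(bot_indicators(account)) >= min_indicators


def triage(accounts):
    """Map each handle to its fired indicators, for a reviewer to look over."""
    return {a["handle"]: bot_indicators(a) for a in accounts}


if __name__ == "__main__":
    for handle, hits in triage(SAMPLE_ACCOUNTS).items():
        print(handle, hits or "no indicators")
```

Each signal on its own is weak (journalists post heavily, privacy-minded people leave bios empty), which is why the verdict requires several indicators to agree and why `triage` returns the reasons rather than a bare yes/no.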

Election Reality

As a result of suspected interference in recent elections, we now find ourselves wondering if attackers will attempt to manipulate each major election. For whatever reason, the recent German election seems to have been spared any significant attempt at outside manipulation. Regardless, there will be more major elections soon in Western countries and we will once again be asking ourselves if attackers will try to influence the results.

Source: Honeypot Tech

What the Equifax Breach means for the Social Security Number System

On September 7th, 2017, Equifax Incorporated publicly announced a major data breach of their systems. Equifax reported that data associated with approximately 143 million Americans were exposed, with records including addresses, date of birth (DOB), full name, Social Security Number (SSN), and some driver’s license numbers. Credit card numbers for approximately 209,000 Americans were also stolen, along with dispute documents for 182,000 consumers. The impact of the breach reaches beyond the United States as approximately 400,000 U.K. consumers and 100,000 Canadian consumers were also affected.

While much of the open source reporting has focused on the vulnerability that caused the breach, the more pressing issue may be the ramifications of such a prodigious breach of Personally Identifiable Information (PII). The loss in confidentiality for nearly half of the entire U.S. population has the potential to threaten the viability of the SSN system.

The Breach

Security researchers identified a vulnerable version of Apache Struts as the cause of the breach. The vulnerability, registered as “CVE-2017-5638,” was issued a patch in March 2017 (which Equifax failed to apply). Another vulnerability, registered as “CVE-2017-9805,” was discovered in Struts in September 2017. As of this writing, researchers believe that the initial vector exploited to gain access to Equifax’s data was accomplished via CVE-2017-5638.

Previous Breaches

Similar data breaches and subsequent data theft have occurred before, although not on such an extensive scale. In 2015, the credit bureau “Experian” experienced a breach that exposed PII associated with approximately 15 million individuals, specifically, those who applied for financing via T-Mobile USA. The breach lasted from September 1, 2013 to September 16, 2015. The exposed data consisted of:

  • Addresses
  • Data associated with T-Mobile’s credit assessment process
  • DOBs
  • Driver’s license information
  • Encrypted license and passport numbers
  • Full names
  • Passport ID numbers
  • SSNs

By October 2015, security researchers began to see data associated with the breach appear on underground markets offered for purchase. The data was packed into “Fullz,” which comprises a full package of PII needed to commit identity theft and fraud such as address, DOB, full name, among others.

A similar data breach affected the U.S. Office of Personnel Management (OPM) in June 2015. OPM confirmed that sensitive information associated with background investigation records of current, former, and potential federal employees and contractors was stolen. Individuals are believed to have been affected if they underwent a background investigation in 2000 or afterwards with the submission forms SF-86, SF-85, and SF-85P. The breach affected approximately 21.5 million individuals. The data consisted of PII such as:

  • Background investigation information
  • DOBs
  • Full name
  • Home address
  • Interview results
  • SSNs

As with the 2015 Equifax breach, data associated with OPM was soon found for sale on underground markets.

The Risk

Access to this kind of data poses a significant risk. An individual’s SSN, combined with other sensitive information such as billing address, date of birth, and email address, can be used by threat actors to access and/or create other services. As the system is currently designed, it is difficult for a victim of identity theft to prove that they are not responsible for actions if:

  • The threat actor has access to PII associated with the individual
  • The threat actor is able to change information associated with a bank account

With a SSN, billing address, and DOB, threat actors can engage in malicious activity in numerous ways, such as:

  • Appropriating PII for use in a mass password attack
  • Bypassing two-factor authentication by obtaining a new SIM card for a specific phone number
  • Conducting large-scale fraudulent purchases
  • Opening new credit cards and delivering them to new billing addresses
  • Purchasing vehicles
  • Taking over bank accounts and locking the legitimate owner out
  • Utilizing email to lock individuals out of nearly every app or website

Brian Krebs provides a stark example of the types of abuse available to actors interested in identity theft in an article from 2016.

The images below provide examples of locations that threat actors could potentially abuse with the information exposed by this breach.

Portal Examples In Which Leaked Data Can Be Abused

Figure 1 – Password Reset Example That Uses Last Five Digits of SSN as Verification

Figure 2 – Web Login Requesting SSN for Retrieval of Forgotten UserID

Figure 3 – Creating New Password With SSN

Figure 4 – Recovering User ID and Password

Figure 5 – Forgotten User ID / Password


Identity theft is, unfortunately, difficult to prove and even more challenging to fight; however, there are steps that individuals can take to mitigate damages. One of the simplest and most common scenarios an individual may face occurs when a threat actor uses an individual’s line of credit to receive new credit cards. If the threat actor was first able to change the individual’s account information, and could later provide seemingly verifiable information relating to their identity, the authentic account owner would struggle to prove that they did not make those changes. The most effective remediation tactic in this scenario is to apply for a credit freeze at all credit bureaus. Credit bureaus are governed at the state level, meaning that the fees and processes for freezing credit vary from state to state. Michigan is the only state that currently does not have a mandate regarding credit freezing.

While credit freezing is the recommended method of mitigation, it is far from a perfect solution. Depending on the laws in place, customers looking to freeze their credit may have to pay the company responsible for the breach in the first place. It is also possible for threat actors to obtain the PIN for a credit freeze by providing an individual’s DOB, address, and Social Security number, eliminating the protection a credit freeze should provide.

Figure 6: Screenshot for recovering of freeze pin

Customers can also place an extended fraud alert on their credit files. This prevents financial service providers from granting credit in their name without first contacting them for approval. However, the extended fraud alert requires the applicant to have been a victim of identity theft and to have created an identity theft report. Consumers may also wish to discuss with their financial service the possibility of requiring physical presence to apply for new services or to make changes to an account. For mobile providers, a PIN can be added to the account that must be given for any transactions or changes to the account. This PIN should not be related to any of the data that is suspected to have been stolen.

What Can We Do Going Forward?

Social Security numbers were never intended to be used as secure identifiers for banks, credit agencies, or anything outside of the Social Security Program. The private sector chose to use them because they were a way to identify an individual person in the U.S. (theoretically everyone has only one Social Security number). Now that malicious actors have access to the unique identifiers for approximately half of the U.S. population, the validity of this system as an identity tool is called into question. It is possible to receive a new SSN but only in fairly extreme circumstances involving harassment or abuse in regards to identity theft and/or fraud.

This breach provides the private industry with an opportunity to develop a better solution for identifying individual credit-consumers. Banks are in a good position to develop this type of solution as they can accomplish in-person verification and provide a cryptography-based digital verifier for online transactions. This would be similar to Estonia’s e-Residency program (https://e-resident.gov.ee/) where a cryptographic chip is provided to authorize transactions after verifying an individual’s identity. This type of solution would negate the need to leverage Social Security numbers for financial data (apart from the government agencies that may still use them). It is interesting, and worrisome, that in some cases there is better security for free services such as email clients. Some free email clients such as Gmail offer two-factor authentication (two of: something you know, something you have, something you are), but the SSN system does not apply this to an identifier that can impact numerous aspects of everyday life.

One other potential solution would be for the U.S. government to overhaul the Social Security number system and replace it with some kind of cryptographic system (again, similar to Estonia’s e-Residency cards). This would make breaches like what occurred with Equifax less worrisome and less burdensome to potential victims because SSNs would be far more difficult to crack. Many actors would not have the skills and resources needed to decrypt sensitive information protected with strong cryptography.

As long as SSNs are being used as passwords, they should be treated as passwords. For example, instead of storing SSNs in plaintext, organizations could store a salted cryptographic hash of the SSN, preferably with Bcrypt, and compare the hashes. Bcrypt is based on the Blowfish block cipher, which relies heavily on accesses to key-dependent lookup tables whose access pattern cannot be implemented efficiently on a GPU. By comparison, something like SHA-256 uses 32-bit logic operations and can therefore be computed on GPUs far more efficiently, giving attackers an edge in calculating hashes. Hashing reduces the risk of plaintext Social Security Numbers being leaked in the case of a breach, and also makes it difficult for threat actors to brute force the hashes. Unfortunately, the recommended steps following a password breach are not applicable to a breach of PII: people cannot currently change their SSN in the same way as they can change a password.

This issue gives rise to further questions. Do we need a law or policy mandating how SSNs should be stored? Should everyone be able to request a new SSN? Unless something changes, nearly half the U.S. population has had their individual identifying “password” breached, and face difficulties in changing it, or preventing someone else from using it. As it works today, the SSN system relies on privacy, which has now been denied to nearly half of Americans and countless others abroad. Of course, if citizens are allowed to change SSNs at will, this would break the current system of tracking credit. Some other uniquely identifiable method should be considered in lieu of SSNs for this purpose going forward.

Source: Honeypot Tech

How to Live by the Code of Good Bots

Following these four tenets will show the world that your bot means no harm.
Source: Cyber Monitoring

7 SIEM Situations That Can Sack Security Teams

SIEMS are considered an important tool for incident response, yet a large swath of users find seven major problems when working with SIEMs.
Source: Cyber Monitoring

HakTip 164 – Linux Terminal 201: Monitoring System Resources Pt 1

Today we’re monitoring system resources with ps, aux, grep, kill, killall, and lsof.
Use coupon code haktip at https://www.eero.com for free overnight shipping on your order to the US or Canada!

Shop: http://www.hakshop.com
Support: http://www.patreon.com/threatwire
Subscribe: http://www.youtube.com/hak5
Our Site: http://www.hak5.org
Contact Us: http://www.twitter.com/hak5
Threat Wire RSS: https://shannonmorse.podbean.com/feed/
Threat Wire iTunes: https://itunes.apple.com/us/podcast/threat-wire/id1197048999
Help us with Translations! http://www.youtube.com/timedtext_cs_panel?tab=2&c=UC3s0BtrBJpwNDaflRSoiieQ

Source: Security news

Source: Zologic

Equifax and CCleaner Updates, Hacking Air Gapped Networks Via IR LEDs – Threat Wire

CCleaner malware targeted big companies, Equifax falls for phishing techniques, a car tracking service leaks data, and IR light on security cameras could spill confidential information. All that coming up now on ThreatWire.

Equifax Breach: Setting the Record Straight

Malware Steals Data From Air-Gapped Network via Security Cameras

Source: Security news

Source: Zologic

WTB: Oracle Patches Apache Vulnerabilities

The intelligence in this week’s iteration discusses the following threats: APT, Banking trojan, Data breach, Malspam, Mobile, Ransomware, Spear phishing, Typosquatting, and Vulnerability. The IOCs related to these stories are attached to the WTB and can be used to check your logs for potential malicious activity.

Trending Threats

Oracle Patches Apache Vulnerabilities (September 25, 2017)
The U.S. Computer Emergency Readiness Team (CERT) has issued a statement concerning Apache Struts 2 vulnerabilities. The U.S. CERT has confirmed that Oracle has released security updates to address Apache Struts 2 vulnerabilities located in multiple products. A threat actor could remotely exploit these vulnerabilities to take control of a system running vulnerable versions.
Recommendation: The U.S. CERT advises Oracle customers to view the company’s Security Alert Advisory located at “http://www.oracle.com/technetwork/security-advisory/alert-cve-2017-9805-3889403.html”. The security update should be applied as soon as possible if it has not been already.
Tags: Vulnerability, Apache Struts 2

A Song of Ice and Ransomware: Game of Thrones Reference in Locky Phishing (September 22, 2017)
The threat actors behind the “Locky” ransomware have been identified to be conducting a new malspam campaign themed after the television show “Game of Thrones,” according to PhishMe researchers. The Game of Thrones’ references were identified in Visual Basic script variables that were contained in the emails’ malicious attachments.
Recommendation: Educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided from trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened.
Tags: Malspam, Locky

Technical Update and Ongoing Analysis of the APT Security Incident (September 21, 2017)
Avast Threat Labs researchers have released information regarding the Command and Control (C2) communication of a second-stage backdoor that was identified in their product “CCleaner.” Piriform, the company that created CCleaner and was acquired by Avast, confirmed on September 18, 2017, that certain versions of CCleaner and “CCleaner Cloud” were subject to a supply chain attack that distributed malware to users. Researchers discovered that the C2 for the malware had been running since the end of July, but data gathering did not begin until August 11. The attacks are believed to have been conducted by the Advanced Persistent Threat (APT) group “APT17.”
Recommendation: It is crucial that your company ensure that servers are always running the most current software version. In addition, your company should have policies in place in regards to the proper configurations needed for your servers in order to conduct your business needs safely. Furthermore, always practice Defense in Depth (do not rely on single security mechanisms – security measures should be layered, redundant, and failsafe).
Tags: Vulnerability, CCleaner

Retefe Banking Trojan Leverages EternalBlue Exploit in Swiss Campaigns (September 21, 2017)
Proofpoint researchers have discovered that the “Retefe” trojan has added the “EternalBlue” exploit to its malicious capabilities. Retefe primarily targets Austria, Japan, Sweden, and Switzerland. Recent observations have revealed that Retefe is being distributed via malspam with Microsoft Office attachments. The attachments contain OLE objects and images that attempt to trick the recipient into following a link on the document attachment, which executes a PowerShell command to download a payload.
Recommendation: Always be on high alert while reading email, in particular when it has attachments, attempts to redirect to a URL, comes with an urgent label, or uses poor grammar. Use anti-spam and antivirus protection, and avoid opening email from untrusted or unverified senders.
Tags: Malspam, Banking trojan, Retefe

New FinFisher Surveillance Campaigns: Internet Providers Involved? (September 21, 2017)
The spyware called “FinFisher,” known for its use by governments and their agencies, has been observed to be active in the wild and with new updates, according to ESET researchers. FinFisher is capable of capturing images via webcam and audio via microphone, as well as stealing files and keylogging. Researchers have found use of man-in-the-middle (MITM) attacks in the wild and they believe that the malicious actor is operating at the Internet Service Provider (ISP) level.
Recommendation: One way of mitigating against these types of attacks is to move away from HTTP and use HTTPS instead. Websites should ensure they are using HTTP Strict Transport Security (HSTS) to prevent users’ connections from being downgraded. In the case where an upstream actor is performing a TLS man-in-the-middle (MITM), HTTP Public Key Pinning (HPKP) can be used to detect tampering with, or substitution of, certificates. Application developers can also sign their binaries with public-key cryptography, which gives users the ability to verify both that a downloaded file is not corrupted and that it is identical to the one published by the developer.
Tags: Spyware, FinFisher
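As an added check, not from the ESET report or the original write-up, the Python below inspects a captured set of HTTP response headers for the two browser-side mitigations named in the recommendation, HSTS and HPKP, and reports what is missing or weak. The two header sets and the pin values are constructed samples, and the minimum max-age values are assumptions.

```python
"""Assess HSTS and HPKP response headers for downgrade and certificate-swap protection.

Added example, not from the original report. The sample header sets and pins
are constructed; the minimum max-age thresholds are assumptions.
"""
import base64

MIN_HSTS_MAX_AGE = 180 * 24 * 3600   # assumed: six months (preload lists demand a year)
MIN_HPKP_MAX_AGE = 30 * 24 * 3600    # assumed: thirty days


def _directives(value):
    """Yield (name, value-or-None) for each ';'-separated directive; names lower-cased, quotes stripped."""
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, eq, val = part.partition("=")
        yield name.strip().lower(), (val.strip().strip('"') if eq else None)


def parse_directives(value):
    """Parse a header such as 'max-age=300; includeSubDomains' into a dict."""
    return dict(_directives(value))


def parse_pins(value):
    """HPKP may repeat pin-sha256; return (list of pins, dict of the other directives)."""
    pins = [v for n, v in _directives(value) if n == "pin-sha256"]
    others = {n: v for n, v in _directives(value) if n != "pin-sha256"}
    return pins, others


def _is_sha256_pin(pin):
    """A pin is the base64 of a 32-byte SPKI digest."""
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except ValueError:
        return False


def assess_headers(headers):
    """Return a list of findings; an empty list means both headers look sane."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing: later connections can be downgraded to HTTP")
    else:
        d = parse_directives(hsts)
        max_age = d.get("max-age")
        if max_age is None or not max_age.isdigit():
            findings.append("HSTS max-age missing or not a number")
        elif int(max_age) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is short; the policy lapses quickly")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains; subdomains remain downgradable")

    hpkp = h.get("public-key-pins")
    if hpkp is None:
        findings.append("HPKP missing: a certificate swapped by an upstream MITM would not be detected")
    else:
        pins, others = parse_pins(hpkp)
        if len([p for p in pins if _is_sha256_pin(p)]) < 2:
            findings.append("HPKP needs at least two valid pin-sha256 values (one must be a backup key)")
        max_age = others.get("max-age")
        if max_age is None or not max_age.isdigit() or int(max_age) < MIN_HPKP_MAX_AGE:
            findings.append("HPKP max-age missing, invalid or short")
    return findings


# Constructed samples: a weak deployment beside a hardened one.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
}
_PIN_A = base64.b64encode(b"A" * 32).decode()   # constructed placeholder pins, not real SPKI digests
_PIN_B = base64.b64encode(b"B" * 32).decode()
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Public-Key-Pins": f'pin-sha256="{_PIN_A}"; pin-sha256="{_PIN_B}"; max-age=5184000; includeSubDomains',
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, assess_headers(hdrs) or ["ok"])
```

The check insists on includeSubDomains and a long max-age because HSTS only protects visits after the first one, and a short policy silently expires. HPKP has since been dropped by the major browsers, so in a current deployment the pinning findings matter only for clients that still honour the header; the HSTS findings still apply.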

Fake IRS Notice Delivers Customized Spying Tool (September 21, 2017)
Malwarebytes researchers have discovered a malspam campaign in which actors are impersonating documents from the U.S. Internal Revenue Service (IRS). Specifically, the document purports to be a “CP200” which is a notice of underreported income, typically used when an individual has entered information incorrectly on a previous return. The emails come with a malicious Microsoft Office attachment containing an OLE object that will infect recipients with a custom Remote Access Trojan (RAT) when clicked on.
Recommendation: Impersonation of government entities is a commonly used tactic by threat actors in malspam and phishing campaigns. It is important to educate your employees on the risks of opening attachments from unknown senders. Anti-spam and antivirus applications provided from trusted vendors should also be employed. Emails that are received from unknown senders should be carefully avoided, and attachments from such senders should not be opened.
Tags: Malspam, IRS-themed, RAT

APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware (September 20, 2017)
FireEye researchers have published their findings on a new Advanced Persistent Threat (APT) group dubbed “APT33.” The group is believed to be based in Iran and has been active since at least 2013. APT33 has primarily targeted the aviation sector in Saudi Arabia and the U.S., as well as the petrochemical industry in South Korea. However, other countries and business sectors were also identified to have been targeted. APT33 primarily uses spear phishing emails as the initial infection vector, attempting to trick the recipient into following a link to a malicious HTML application. The group also typosquats domains that may appear familiar to their targets at first glance to augment their spear phishing tactics.
Recommendation: Defense in depth (layering of security mechanisms, redundancy, fail safe defense processes) is the best way to ensure safety from APTs, including a focus on both network and host based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing, and how to identify such attempts.
Tags: APT, APT33, Spear phishing, Typosquatting

SEC Reveals It Was Hacked, Information May Have Been Used for Illegal Stock Trades (September 20, 2017)
The U.S. Securities and Exchange Commission (SEC) has announced that it was compromised by threat actors in 2016. The SEC confirmed in a public statement that it detected the breach in 2016 and discovered in August 2017 that the breach may have provided the basis for insider trading. The compromised system was used for storing documents filed by publicly-traded companies. The SEC has stated that the unknown actors may have been able to use the unauthorized data access to make illegal profits in the U.S. stock market.
Recommendation: Always practice Defense in Depth (do not rely on single security mechanisms; security measures should be layered, redundant, and fail-safe).
Tags: Breach, SEC

The Shark CryptoMix Ransomware Variant Smells Blood in the Water (September 20, 2017)
A new variant of the “CryptoMix” ransomware has been identified adding a “.shark” extension to encrypted files, according to researcher Lawrence Abrams. Researchers state that the encryption functionality of this variant is the same as previous iterations, but this variant has new contact emails for payment communication. This variant contains 11 public RSA-1024 encryption keys, of which one is used to encrypt the AES key that is used to encrypt a user’s files. This feature allows CryptoMix to function offline with no need for network communication.
Recommendation: Ransomware is a continually evolving threat. It is paramount to have a comprehensive and tested backup solution in place. In the unfortunate case that a restorable backup is not in place, make sure to check for a decryptor before considering payment; avoid payment at all costs. Ransomware should be reported to law enforcement agencies, who are doing their best to track these actors and prevent ransom from being a profitable business for cyber criminals.
Tags: Ransomware, CryptoMix variant, Shark

Equifax Suffered a Hack Almost Five Months Earlier Than the Date It Disclosed (September 19, 2017)
The U.S.-based credit bureau, “Equifax,” has confirmed that another data breach, separate from the breach that took place from mid-May to July, took place in March 2017. Equifax hired the security firm “Mandiant” to investigate the March incident, and it is possible that the firm believed the breach had been mitigated, only to be called back in late July. Equifax has stated that the two breaches are unrelated.
Recommendation: This incident portrays the potential dangers of using security question answers that can be found in open sources such as social media accounts. In this sense, these kinds of questions are flawed because information such as an individual’s first car or high school mascot, for example, can often be found in social media accounts. Furthermore, accounts that rely solely on a four-digit PIN as a password are only as secure as the number of digits used.
Tags: Data breach, Equifax

PyPI Python Repository Hit by Typosquatting Sneak Attack (September 19, 2017)
Researchers have discovered that threat actors have engaged in a new form of typosquatting that targets users of Python packages from the official Python Package Index (PyPI) repository. Unknown actors were able to hide malicious code inside of 10 packages for Python 2.x by typosquatting package names. For example, “urllib3-1.21.1.tar.gz” was impersonated as “urllib-1.21.1.tar.gz,” and the legitimate “acquisition” package was impersonated as “acqusition.” Researchers note that the fake packages contain the same code as the authentic ones; however, the installation script contains malicious but somewhat benign code.
Recommendation: It is important that your company institute policies regarding what can be downloaded on work machines, and downloads should only be allowed if they are absolutely needed. Furthermore, security researchers note that if outbound connections are found leading to 121[.]42[.]217[.]44 on port 8080, it may indicate that a fake package was downloaded. Reinstalling the legitimate package should mitigate the issue. Machines can also be checked for fake packages by running the following: “pip list --format=legacy | egrep '^(acqusition|apidev-coop|bzip|crypt|django-server|pwd|setup-tools|telnet|urlib3|urllib) '”. If any package is listed, remove it using “pip uninstall” and install the correct package instead.
Tags: Typosquatting, PyPI
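The two checks from the recommendation above, as an added Python example that is not part of the original briefing: one function applies the same anchored name list to the output of “pip list --format=legacy”, and the other scans connection-table lines for the cited destination. The pip and netstat lines below are constructed samples, not output from any affected machine.

```python
import re
from typing import List

# The same alternation as the egrep command in the recommendation; the trailing
# space matters, since legacy pip output is "name (version)" and it keeps
# "urllib3" from matching the "urllib" entry.
TYPOSQUAT_RE = re.compile(
    r"^(acqusition|apidev-coop|bzip|crypt|django-server|pwd|setup-tools|telnet|urlib3|urllib) "
)

# Destination cited by the researchers, written un-defanged for matching.
SUSPECT_HOST, SUSPECT_PORT = "121.42.217.44", 8080


def flag_installed(pip_list_legacy: str) -> List[str]:
    """Return names of installed packages that match the typosquat list."""
    hits = []
    for line in pip_list_legacy.splitlines():
        if TYPOSQUAT_RE.match(line):
            hits.append(line.split(" ", 1)[0])
    return hits


def flag_connections(netstat_lines: str) -> List[str]:
    """Return 'netstat -tn'-style lines whose foreign address is the suspect host:port."""
    target = f"{SUSPECT_HOST}:{SUSPECT_PORT}"
    return [line for line in netstat_lines.splitlines() if target in line.split()]


# Constructed sample data.
SAMPLE_PIP = """acqusition (4.4.2)
requests (2.18.4)
urllib3 (1.22)
urllib (1.21.1)
setuptools (36.5.0)
setup-tools (36.0.1)
"""
SAMPLE_NETSTAT = """tcp 0 0 10.0.0.5:50112 121.42.217.44:8080 ESTABLISHED
tcp 0 0 10.0.0.5:50113 151.101.1.63:443 ESTABLISHED
"""

if __name__ == "__main__":
    print("suspect packages:", flag_installed(SAMPLE_PIP))
    print("suspect connections:", flag_connections(SAMPLE_NETSTAT))
```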

Does Your Mobile Anti-Virus App Protect or Infect You? (September 18, 2017)
The Android anti-virus application, “DU Antivirus Security - Applock & Privacy Guard,” has been found to collect information from a device without the user’s consent, according to Check Point researchers. Researchers state that when the application runs on a device for the first time it collects data from the device that consists of call logs, contact lists, unique identifiers and possibly the device location. The information is encrypted and then sent to a remote server. The data is then used if an individual uses another application created by DU Group called “Caller ID & Call Block - DU Caller.” Google has since removed the malicious application, and DU has released a new version that does not include the data collection feature.
Recommendation: Always keep your mobile phone fully patched with the latest security updates. Use the Google Play Store / Apple App Store to obtain your software, and avoid downloading applications, even if they appear legitimate, from third-party stores. In addition, it is important to review the permissions the application will request, and comments from others who have downloaded the application may also be useful. Furthermore, mobile devices should employ trusted antivirus software.
Tags: Mobile, Android, Data theft

Malspam Pushing Trickbot (September 18, 2017)
Researchers have discovered a new malspam campaign in which actors are distributing emails that purport to be from “National Westminster Bank” (NatWest). The message claims that an incoming payment cannot be completed because there are errors in the recipient’s account information. The email then points to a document file attachment to check the payment details. The attachment uses NatWest’s logo in an attempt to trick the recipient into enabling macros. If they are enabled, the recipient will be infected with the “Trickbot” trojan.
Recommendation: All employees should be educated on the risks of malspam and how to identify such attempts. Poor grammar and urgent content are often indicators of these types of attacks. Additionally, messages that request a recipient to open a file attachment should also be treated with suspicion.
Tags: Malspam, Trojan, Trickbot

Observed Threats

This section includes the top threats observed from the Anomali Community user base as well as sensors deployed by Anomali Labs. A ThreatStream account is required to view this section.

TrickBot Tool Tip
TrickBot is a modular Bot/Loader malware family which is primarily focused on harvesting banking credentials. It shares heavy code, targeting, and configuration data similarities with Dyreza. It was first observed in September 2016 and both the core bot and modules continue to be actively developed. Both x86 and x64 payloads exist. It has been distributed using traditional malvertising and phishing methods. Flashpoint recently (2017-07-19) observed TrickBot operators leveraging the NECURS Botnet for distribution. Previously, Anomali Labs released a Threat Bulletin detailing the unpacking of this malware family.
Tags: TrickBot, Family-Trickbot, victim-Financial-Services

Source: Honeypot Tech

Illuminating New Business Opportunities with Smart Lighting

Now that most people live in cities, urban areas are the de facto laboratories of the future.

Cities drive innovation because of their swelling populations, professional networks, and perhaps most important, the richness of data they offer. Information is everywhere, and the challenge is how everyday activities can be captured and translated into actionable insights. City planners and technologists have long grappled with the tricky issue of rolling out data-collection systems across an entire metropolis.

Recently, however, we’ve achieved a major breakthrough. CityIQ intelligent nodes, the product of collaboration between General Electric and Intel, transform simple streetlights into powerful data collection terminals. These are already capable of amassing a wide range of information by attaching cameras, sensors, and microphones to ordinary streetlights.

We know that the CityIQ intelligent nodes can collect a wide variety of information, providing hyperlocal seismic detection, weather monitoring, emergency response, gunshot detection, and traffic monitoring. But we’ve only scratched the surface of what these systems can do.

Smart streetlight sensors.

San Diego, already a pioneer in smart streetlighting with plans to build the largest known urban sensor program in the world, is exploring how the creativity of citizens can realize even more value from this powerful new technology. Co-sponsored by Intel, the San Diego Smart City Hackathon in June tasked entrepreneurs and developers with concepting new applications to take advantage of streetlight data, drawing on real CityIQ datasets and GE Intelligent Cities APIs.

The first-place team put forward an app to help aspiring small business owners find the most suitable store locations. The other top teams also had ingenious ideas: The second-place team proposed an app to identify and report drunk drivers; the third-place team suggested an app to optimize parking.

Intel and GE supported this and other hackathons, such as the recent Minds + Machines event in Berlin, to support data sharing. Bringing cities online will support entire ecosystems of innovation, opening the door for new businesses. An investment in streetlight systems pays dividends by increasing economic activity. The upside is mind-boggling: A 2014 study by consulting firm Frost & Sullivan estimated that smart cities will be worth $1.6 trillion by 2020.

As more information is collected by smart streetlights, it’s critical that the data is secure. That’s why the systems use Intel’s edge processing technology and GE’s Predix platform, which protects data as it moves from the streetlamp to the cloud. Intel’s security-focused hardware ensures that all data is safely stored, processed, aggregated, and transmitted. The Predix operating system is already being used in other high-security networks, such as nuclear power plants and healthcare facilities.

Cities grow organically, each according to its own unique character. While the smart lighting systems stem from something universal, the need for safe, bright public spaces, there is no roadmap for where they might lead us. Instead, they open innumerable possibilities for smart cities around the globe. Armed with data, we can start building the cities we’ve always dreamed of.


The post Illuminating New Business Opportunities with Smart Lighting appeared first on IoT@Intel.

Source: Network News