Friday, November 17, 2017

Cisco Addresses Zero-Day Firewall Flaw Exposed In Equation Group Hack

ShadowBrokers' dump of Equation Group exploits uncovers a previously unknown security hole as well as a known one.

Cisco Systems yesterday released a security alert on two flaws in its ASA and PIX firewalls that were publicly exposed via the recent online leak of files from the Equation Group (aka the National Security Agency). The so-called ShadowBrokers group -- thought by many experts to be a Russian-backed entity -- is holding an online auction of Equation Group exploits. The first of the two flaws is a previously unknown security vulnerability.

Cisco in its security advisory said the ASA SNMP Remote Code Execution vulnerability is a “buffer overflow in the affected code area” that an intruder could use to execute arbitrary code remotely or to force a reload of the system. The second flaw, which Cisco first announced in 2011 -- an ASA CLI Remote Code Execution vulnerability -- could allow a local attacker to invoke invalid commands on an affected device and launch a denial-of-service attack or execute arbitrary code. For more information, see Cisco's advisory here.

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.

SWIFT Ignored Lax Security In Smaller Member Banks, Say Officials

Former and current SWIFT managers admit the security of customer terminals was not addressed, says a Reuters report.

A special report by Reuters reveals that for years SWIFT was aware of vulnerabilities in the security of smaller banks, which are part of the global messaging group, but neglected them. Some former and current SWIFT officials have admitted the organization did not monitor the security of customer terminals, leaving it up to bank regulators. "They were focusing on other things, and not about the fundamental, sacred role of SWIFT, which is the security and reliability of the system," former CEO Leonard Schrank told Reuters.

Large banks traditionally take adequate care of computer security at their end, but it is the smaller banks which pose a threat, says the news agency. SWIFT, however, denied the charge: “Today's security threats are not the same threats the industry faced five or ten years ago – or even a year ago – and like any other responsible organization we adapt as the threat changes." Read details here.


Spam and phishing in Q2 2016

Download the full report (PDF)

Spam: quarterly highlights

The year of ransomware in spam

Although the second quarter of 2016 has only just finished, it’s safe to say that this is already the year of ransomware Trojans.

By the end of Q2 there was still a large number of emails with malicious attachments, most of which download ransomware in one way or other to a victim’s computer. However, in the period between 1 June and 21 June the proportion of these emails decreased dramatically. The majority of malicious attachments were distributed in ZIP archives.

The decline can therefore be clearly seen in the following graph showing spam with ZIP attachments that arrived in our traps:

Number of emails with malicious ZIP archives, Q2 2016

In addition to the decline, June saw another interesting feature: this sort of spam was not sent out on Saturdays or Sundays. The same situation could be observed in KSN: the number of email antivirus detections dropped sharply on 1 June and grew on 22 June.

Number of email antivirus detections by day, Q2 2016

This decline was caused by a temporary lull in activity by the Necurs botnet, which is mostly used to distribute this type of malicious spam.

After the botnet resumed its activity, the spam email template changed, and the malicious attachments became even more sophisticated. As in the previous quarter, the spam messages were mainly notifications about bills, invoices or price lists that were supposedly attached to the email.

The attachments actually contained a Trojan downloader written in JavaScript, and in most cases the malware loaded the Locky encryptor. For example, some emails (see the screenshot above) contained an attachment with a Trojan downloader. When run, it downloaded Trojan-Ransom.Win32.Locky.agn, which encrypts the data on a victim’s computer and demands a ransom, to be paid in bitcoin.

Obfuscation

The second quarter saw spammers continue to mask links using various Unicode ranges designed for specific purposes.

This tactic became especially popular in 2015, and is still widely used by spammers. The link in this example looks like this: If you transfer the domain from UTF-8 into the more familiar HTML, it becomes .

The characters, which look quite ordinary, in fact belong to the Mathematical Alphanumeric Symbols Unicode range, which is used in highly specific mathematical formulas and is not intended for use in plain text or hyperlinks.

The dot in the domain is also unusual: it is the fullwidth full stop used in hieroglyphic languages.
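As an added illustration (not code from the Kaspersky report), here is how a mail filter can unmask such a link: NFKC normalisation folds the Mathematical Alphanumeric Symbols onto ordinary Latin letters, and the fullwidth full stop is mapped onto a plain '.', so the real target domain can be recovered and the exact look-alike code points reported. The sample link is constructed (it spells example.com with Mathematical Bold letters); the code also flags characters that survive normalisation, such as Cyrillic look-alikes, which goes beyond the specific trick described above.

```python
import unicodedata
from urllib.parse import urlsplit

# Label separators that IDNA (UTS #46) processing treats as a full stop.
# U+FF0E is the fullwidth full stop described in the report; the other two
# are the same trick generalised to further CJK-style separators.
DOT_EQUIVALENTS = {"\u3002", "\uff0e", "\uff61"}

# Constructed sample: "example.com" spelled with Mathematical Bold Small
# letters (U+1D41A..U+1D433) and a fullwidth full stop (U+FF0E).
MASKED_HOST = (
    "\U0001d41e\U0001d431\U0001d41a\U0001d426\U0001d429\U0001d425\U0001d41e"
    "\uff0e"
    "\U0001d41c\U0001d428\U0001d426"
)


def unmask_domain(host: str) -> str:
    """Map compatibility characters back to the ASCII domain they imitate.

    NFKC folds the Mathematical Alphanumeric Symbols block onto plain Latin
    letters; the explicit table handles the separators so that the labels
    split on an ordinary '.' afterwards.
    """
    out = []
    for ch in host:
        if ch in DOT_EQUIVALENTS:
            out.append(".")
        else:
            out.append(unicodedata.normalize("NFKC", ch))
    return "".join(out)


def non_ascii_report(host: str) -> list:
    """List (codepoint, character name) for every non-ASCII character in host."""
    return [
        (f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for ch in host
        if ord(ch) > 0x7F
    ]


def analyse_url(url: str) -> dict:
    """Classify a hyperlink's host: is it masked, and what does it stand for?

    'masked' is set when normalisation changes the host, i.e. the visible
    text spells an ASCII domain with look-alike code points. 'residual'
    lists non-ASCII characters that survive normalisation (for example
    Cyrillic look-alikes), which need a separate confusables check.
    """
    host = urlsplit(url).hostname or ""
    unmasked = unmask_domain(host)
    return {
        "host": host,
        "unmasked": unmasked,
        "masked": unmasked != host,
        "lookalike_chars": non_ascii_report(host),
        "residual": non_ascii_report(unmasked),
    }


if __name__ == "__main__":
    for link in (f"http://{MASKED_HOST}/promo", "http://example.com/promo"):
        verdict = analyse_url(link)
        print(verdict["unmasked"], "masked" if verdict["masked"] else "plain")
        for cp, name in verdict["lookalike_chars"]:
            print("   ", cp, name)
```

A filter that normalises every hostname this way before reputation lookup sees the same ASCII domain the victim is really being sent to, and any entry in the look-alike list is itself a strong spam signal, since genuine links never use these code points.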

The rest of the hyperlink, as well as the rest of the text in these spam messages, is written using the Latin alphabet.

Spam in APT attacks

In Q2, we came across a number of APT attacks in the corporate sector.

Emails were made to look as if they came from representatives of the targeted company, and contained a request to immediately transfer money to a specific account.

The text was fairly plausible and hinted at a personal acquaintance and previous communication.
In some cases, the emails included the logo of the attacked company.

All the messages conveyed a sense of urgency (“ASAP”, “urgent”, “must be completed today”) – scammers often use this trick in an attempt to catch people off guard, so that they act rather than think. Below is an example:

Hello NNNNN,
How are you doing! Are you available at the office? I need you to process an overdue payment that needs to be paid today.
Thanks,
XXXXX

The emails were sent selectively – to individual employees, usually connected to the finance department.
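A defender-side triage check for the pattern this section describes (a display name that imitates a colleague, an urgent payment request aimed at finance staff, and a sender domain that is not the company's own), written as an added example that is not part of the Kaspersky report. The corporate domain, the two sample messages and the keyword lists are constructed for the demo; the suspicious sample is modelled on the message quoted above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption for the demo: the targeted company's real mail domain.
CORPORATE_DOMAIN = "myfirm.example"
# Constructed keyword lists; tune against real traffic before relying on them.
URGENCY_TERMS = ("asap", "urgent", "today", "immediately", "overdue")
PAYMENT_TERMS = ("payment", "transfer", "wire", "invoice", "bank account")

# Constructed sample modelled on the message quoted above: executive-style
# display name, look-alike sender domain, urgent payment request.
SAMPLE_BEC = """\
From: "XXXXX" <xxxxx@myfirm.moby>
To: nnnnn@myfirm.example
Subject: Payment

Hello NNNNN,
How are you doing! Are you available at the office? I need you to process an overdue payment that needs to be paid today.
Thanks,
XXXXX
"""

# Constructed benign internal message for comparison.
SAMPLE_LEGIT = """\
From: "Pat Accounts" <pat@myfirm.example>
To: nnnnn@myfirm.example
Subject: Q2 spreadsheet

Hi, the Q2 spreadsheet is on the shared drive whenever you have a moment.
"""


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def is_lookalike(domain: str, corporate: str) -> bool:
    """True when a foreign domain reuses the company's first label
    (myfirm.moby versus myfirm.example)."""
    return domain != corporate and domain.split(".")[0] == corporate.split(".")[0]


def _hits(text: str, terms) -> list:
    return [t for t in terms if re.search(rf"\b{re.escape(t)}\b", text, re.IGNORECASE)]


def score_message(raw: str) -> dict:
    """Return the sender facts and the reasons a message looks like a BEC attempt."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    # Plain-text samples only; a real filter would walk multipart bodies.
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg.get('Subject', '')}\n{body}"

    reasons = []
    external = from_domain != CORPORATE_DOMAIN
    if external:
        reasons.append(f"sender domain {from_domain!r} is not {CORPORATE_DOMAIN!r}")
    if is_lookalike(from_domain, CORPORATE_DOMAIN):
        reasons.append("sender domain imitates the corporate domain")
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To goes to a third domain {reply_domain!r}")
    urgency = _hits(text, URGENCY_TERMS)
    if urgency:
        reasons.append("urgency wording: " + ", ".join(urgency))
    payment = _hits(text, PAYMENT_TERMS)
    if payment:
        reasons.append("payment wording: " + ", ".join(payment))

    # Money request plus time pressure from outside the company is the BEC
    # signature; the same words in internal mail are ordinary finance traffic.
    suspicious = external and bool(urgency) and bool(payment)
    return {
        "display_name": display,
        "from_domain": from_domain,
        "lookalike": is_lookalike(from_domain, CORPORATE_DOMAIN),
        "reasons": reasons,
        "verdict": "suspicious" if suspicious else "ok",
    }


if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_LEGIT):
        result = score_message(sample)
        print(result["verdict"], result["from_domain"], result["reasons"])
```

The check deliberately keys on the address domain rather than the display name, because, as the report notes, some mail clients show only the name; surfacing the domain (and whether it merely imitates the corporate one) is what gives the finance employee a chance to notice.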

The knowledge shown by the scammers suggests the attack was carefully prepared. The most suspicious aspect of the attack was the domain used in the ‘From’ field – myfirm.moby – that differed from the corporate one. Perhaps the attackers hope that some email clients only show the sender’s name by default, while concealing the address. It is not that difficult to write any domain in the ‘From’ field, and in the future we can expect more well-prepared attacks.

Sporting events in spam

Spam mailings exploiting real-life events have long become an integral part of junk email.
Sporting events are not as popular among spammers as political events, although their use is increasing with every year.

There is a continuous stream of emails mentioning various political figures, while sport-related spam messages usually only appear in the run-up to an event. However, we have noticed that mass mailings can now be launched long before an event starts.

For instance, emails exploiting the Olympic Games in Brazil were discovered over a year ago, in the second quarter of 2015.

The majority of them were fraudulent emails designed to trick recipients and steal their personal information and money. The classic scenario involves false notifications about lottery wins related to 2016 Olympics.

The messages claim that the lottery was held by the official organizers of the games and the recipient was selected at random from millions of addresses.
In order to claim the cash, the recipient has to reply to the email and provide some personal information. The text of the message was often contained in an attached file (.pdf, .doc, .jpg), while the body of the message only displayed a short text prompting the recipient to open the attachment. There were also more traditional messages where the spammer text was included directly in the body of the message. In addition to fraudulent messages, advertising spam was also sent out.

Unlike the Olympics, football tournaments have long been used by scammers to grab people’s attention to their spam. Q2 2016 saw the long-awaited UEFA European Championship, and in the run-up to the tournament spam traffic included fake notifications of lottery wins.

The content was no different from that dedicated to the Olympic Games, and the emails also contained attachments explaining why the message was sent. The football theme was also exploited by ‘Nigerian’ scammers.

They sent out emails supposedly on behalf of the former FIFA president, and used the infamous corruption scandal associated with his name to make their messages look more realistic.

They believed that a fabricated story about how Sepp Blatter had supposedly received money and secretly transferred it to an account in a European bank would not arouse suspicion.
In return for keeping the money in their bank accounts, the recipients were promised a 40% cut of the total sum. In order to convince recipients that the message was genuine, the authors even went to the trouble of using the correct name and domain in the ‘From’ field.

US politicians in spam

The presidential election campaign is now in full swing in the United States and the nominees and their entourages are under close media scrutiny. Of course, spammers couldn’t resist using the names of high-profile politicians in their advertising and fraudulent emails.

For example, numerous ‘Nigerian’ letters were sent in the name of current president Barack Obama and his wife Michelle.
In their ‘official’ emails, the ‘President’ and the ‘First lady’ assured the recipient that a bank card or a check for a very large sum of money had already been issued in their name.

The only thing the recipient had to do was complete some formalities, and the money would be delivered shortly afterwards.
In order to get the instructions from the White House the recipient had to send some personal information, including their email address and the password for their email account, as well as detailed passport information to spoofed email addresses. Another politician whose name regularly cropped up in spam was Donald Trump, one of the contenders for the US presidency.
Spammers offered a unique Trump technique for earning money online: anyone who wanted to know how to get rich, had to click a link in the emails which were designed to look like news reports from CNN and Fox News. The links led to fake news sites also in the style of major media outlets and news networks.

The sites contained a story about a simple method for earning money – the publication of links, which is basically another kind of spam distribution.
In order to participate in the program, a user had to register by providing their phone number and email address.

Statistics

Proportion of spam in email traffic

Percentage of spam in global email traffic, Q2 2016

The largest percentage of spam in the second quarter – 59.46% – was registered in May and was 3 p.p. more than in April.

The average percentage of spam in global email traffic for Q2 amounted to 57.25%.

Sources of spam by country

Sources of spam by country, Q2 2016

In Q2 2016, the biggest three sources of spam remained the same as in the previous quarter – the US (10.79%), Vietnam (10.10%) and India (10.01%). However, the figures for each country changed: the gap between them narrowed to within a single percentage point. China (6.52%) moved up to fourth with an increase of 1.43 p.p. compared to Q1. Mexico (4.55%) came fifth, followed by Russia (4.07%) and France (3.60%).

Brazil (3.28%), which was fourth in the previous quarter, lost 2.2 p.p. and dropped to eighth place.

Germany (2.97%) and Turkey (2.30%) completed the TOP 10.

Spam email size

Breakdown of spam emails by size, Q1 and Q2 2016

Traditionally, the most commonly distributed emails are very small – up to 2 KB (72.26%), although the proportion of these emails dropped by 9.6 p.p. compared to the previous quarter. Meanwhile, the share of emails sized 10-20 KB increased by 6.76 p.p.

The other categories saw minimal changes.

Malicious email attachments

Currently, the majority of malicious programs are detected proactively by automatic means, which makes it very difficult to gather statistics on specific malware modifications. So we have decided to turn to the more informative statistics of the TOP 10 malware families.

TOP 10 malware families

The three most popular malware families remained unchanged from the previous quarter – Trojan-Downloader.JS.Agent (10.45%), Trojan-Downloader.VBS.Agent (2.16%) and Trojan-Downloader.MSWord.Agent (1.82%). The Trojan.Win32.Bayrob family moved up to fourth place (1.68%), while the Backdoor.Win32.Androm family fell from fourth to ninth place with 0.6%.

TOP 10 malware families in Q2 2016

A newcomer to this ranking was the Trojan.Win32.Inject family (0.61%).

The malicious programs from this family embed their code in the address space of other processes. The Trojan-Spy.HTML.Fraud family (0.55%) rounded off the TOP 10 in Q2 2016.

Countries targeted by malicious mailshots

Distribution of email antivirus verdicts by country, Q2 2016

Germany (14.69%) topped the ranking of countries targeted by malicious mailshots, although its share decreased 4.24 p.p.
It was followed by China (13.61%) whose contribution grew 4.18 p.p. Japan (6.42%) came third after ending the previous quarter in seventh with a share of 4.29%. Fourth place was occupied by Brazil (5.57%).
Italy claimed fifth with a share of 4.9% and Russia remained in sixth (4.36%). The US (4.06%) was the seventh most popular target of malicious mailshots.

Austria (2.29%) rounded off this TOP 10.

Phishing

In Q2 2016, the Anti-Phishing system was triggered 32,363,492 times on the computers of Kaspersky Lab users, which is 2.6 million less than the previous quarter. Overall, 8.7% of unique users of Kaspersky Lab products were attacked by phishers in Q2 of 2016.

Geography of attacks

The country where the largest percentage of users is affected by phishing attacks was China (20.22%). In Q2 2016, the proportion of those attacked increased by 3.52 p.p.

Geography of phishing attacks*, Q2 2015
* Number of users on whose computers the Anti-Phishing system was triggered as a percentage of the total number of Kaspersky Lab users in the country

The percentage of attacked users in Brazil decreased by 2.87 p.p. and accounted for 18.63%, placing the country second in this ranking.

Algeria (14.3%) came third following a 2.92 p.p. increase in its share compared to the previous quarter.

TOP 10 countries by percentage of users attacked:

1. China 20.22%
2. Brazil 18.63%
3. Algeria 14.3%
4. United Kingdom 12.95%
5. Australia 12.77%
6. Vietnam 11.46%
7. Ecuador 11.14%
8. Chile 11.08%
9. Qatar 10.97%
10. Maldives 10.94%

Organizations under attack

The statistics on phishing targets are based on detections of Kaspersky Lab’s heuristic anti-phishing component.
It is activated every time a user attempts to open a phishing page while information about it has not yet been included in Kaspersky Lab’s databases.
It does not matter how the user attempts to open the page – by clicking a link in a phishing email or in a message on a social network or, for example, as a result of malware activity.

After the security system is activated, a banner is displayed in the browser warning the user about a potential threat.
In Q2 of 2016, the share of the ‘Global Internet portals’ category (20.85%), which topped the rating in the first quarter, decreased considerably – by 7.84 p.p.

The share of the ‘Financial organizations’ category grew 2.07 p.p. and accounted for 46.23%.

This category covers ‘Banks’ (25.43%, +1.51 p.p.), ‘Payment systems’ (11.24%, -0.42 p.p.) and ‘Online stores’ (9.39%, +0.99 p.p.).

Distribution of organizations affected by phishing attacks by category, Q2 2016

The share of attacks on the ‘Social networking sites’ category increased by 2.65 p.p. and reached 12.4%.

The ‘Online games’ category was also attacked more often (5.65%, +1.96 p.p.). Meanwhile, the ‘Telephone and Internet service providers’ (4.33%) and the ‘IMS’ (1.28%) categories lost 1.17 p.p. and 2.15 p.p. respectively.

Hot topics this quarter

The Olympics in Brazil

For a number of years now Brazil has been among the countries with the highest proportion of users targeted by phishing. In 2015 and 2016 phishers have focused on the Rio Olympic Games in Brazil. Last quarter showed that as well as ordinary users, the potential victims of phishing included the organizers of the Olympic Games. The Olympic theme remained popular in Q2, with phishers working overtime to send out fake notifications about big cash wins in a lottery that was supposedly organized by the Brazilian government and the Olympic Committee.

‘Porn virus’ for Facebook users

Facebook users are often subjected to phishing attacks.

During one attack in the second quarter, a provocative video was used as bait.

To view it, the user was directed to a fake page imitating the popular YouTube video portal, and told to install a browser extension. This extension requested rights to read all the data in the browser, potentially giving the cybercriminals access to passwords, logins, credit card details and other confidential user information.

The extension also distributed more links on Facebook that directed to itself, but which were sent using the victim’s name.

Phisher tricks

Compromising domains with good reputation

To bypass security software filters, fraudsters try to place phishing pages on domains with good reputations.

This significantly reduces the probability of them being blocked and means potential victims are more trusting.

The phishers can strike it big if they can use a bank or a government agency domain for their purposes.
In Q2, we came across a phishing attack targeting the visitors of a popular Brazilian e-commerce site: the fake page was located on the domain of a major Indian bank.

This is not the first time fraudsters have compromised the domain of a large bank and placed their content on it.

Phishing pages targeting the users of the Brazilian store americanas.com

When trying to purchase goods on the fake pages of the store, the victim is asked to enter lots of personal information. When it’s time to pay, the victim is prompted to print out a receipt that now shows the logo of a Brazilian bank. The domains of state structures are hacked much more frequently by phishers. In Q2 2016, we registered numerous cases where phishing pages were located on the domains belonging to the governments of various countries. Here are just a few of them:

Phishing pages located on the domains of government authorities

The probability of these links being placed on blacklists is negligible thanks to the reputation of the domain.

TOP 3 organizations attacked

Fraudsters continue to focus most of their attention on the most popular brands, enhancing their chances of a successful phishing attack. More than half of all detections of Kaspersky Lab’s heuristic anti-phishing component fall on phishing pages hiding behind the names of fewer than 15 companies. The TOP 3 organizations attacked most frequently by phishers accounted for 23% of all phishing links detected in Q2 2016.

Organization / % of detected phishing links
1. Microsoft: 8.1
2. Facebook: 8.03
3. Yahoo!: 6.87

In Q2 2016, this TOP 3 ranking saw a few changes. Microsoft was the new leader with 8.1% (+0.61 p.p.), while Facebook (8.03%, +2.32 p.p.) came second.

The share of attacks targeting Yahoo! (6.87%) fell 1.46 p.p., leaving last quarter’s leader in third. Q2 leader Microsoft is included in the ‘Global Internet portals’ category because the user can access a variety of the company’s services from a single account.

This is what attracts the fraudsters: in the event of a successful attack, they gain access to a number of services used by the victim.

Example of phishing on Live.com, a Microsoft service

Conclusion

In the second quarter of 2016, the proportion of spam in email traffic increased insignificantly – by 0.33 p.p. – compared to the previous quarter and accounted for 57.25%.

The US remained the biggest source of spam.

As in the previous quarter, the top three sources also included Vietnam and India. Germany was once again the country targeted most by malicious mailshots, followed closely by China. Japan, which was seventh in the previous quarter’s ranking, completed the TOP 3 in Q2. Trojan-Downloader.JS.Agent remained the most popular malware family distributed via email. Next came Trojan-Downloader.VBS.Agent and Trojan-Downloader.MSWord.Agent.

A significant amount of malicious spam was used to spread ransomware Trojans such as Locky.

For almost a month, however, cybercriminals did not distribute their malicious spam, but then the Necurs botnet began working again. We don’t expect to see any significant reduction in the volume of malicious spam in the near future, although there may be changes in email patterns, the complexity of the malware, as well as the social engineering methods used by attackers to encourage a user to launch a malicious attachment.

The focus of phishing attacks shifted slightly from the ‘Global Internet portals’ to the ‘Financial organizations’ category. The theme of the Olympic Games was exploited by both phishers and spammers to make users visit fake pages with the aim of acquiring their confidential information or simply to get their money. Events in the political arena, such as the presidential election in the US, also attracted spammers, while the sites of government agencies were compromised in phishing attacks.

As we can see, the overriding trend of the quarter is that of fraud and making quick money from victims using direct methods such as Trojan cryptors that force unprotected users to pay a ransom, or phishing attacks that target financial organizations, rather than long drawn-out scams.

All of this once again highlights the need for both comprehensive protection on computers and increased vigilance by Internet users.

Kaspersky Uncovers Malware Riding On The Back Of Google Adsense

CONSTANT SECURITY WATCHDOG Kaspersky Lab has once again shaken us with its talk of Android users and the vulnerabilities they face. Ever vigilant Kaspersky has uncovered a banking trojan that is making itself available via Google AdSense and forces itself on users with no interaction like a smack in the face. "This morning we encountered a gratuitous act of violence against Android users.

By simply viewing their favourite news sites over their morning coffee users can end up downloading last-browser-update.apk, a banking trojan detected by Kaspersky Lab solutions as Trojan-Banker.AndroidOS.Svpeng.q," said the Kaspersky researchers in a blog post. "It turns out the malicious program is downloaded via the Google AdSense advertising network.

Be warned, lots of sites use this network - not just news sites - to display targeted advertising to users.
Site owners are happy to place advertising like this because they earn money every time a user clicks on it. "But anyone can register their ad on this network - they just need to pay a fee.

And it seems that didn't deter the authors of the Svpeng trojan from pushing their creation via AdSense.

The trojan is downloaded as soon as a page with the advert is visited." These kinds of attacks are not new, and Kaspersky blurted out an alert about an incident at the Meduza news portal in July which has since been fixed. "The Svpeng family of banking trojans has long been known to Kaspersky Lab and possesses a standard set of malicious functions.

After being installed and launched, it disappears from the list of installed apps and requests the device's admin rights," the post continued. "Svpeng can steal information about the user's bank cards via phishing windows, intercept, delete and send text messages (this is necessary for attacks on remote banking systems that use SMS as a transport layer) and counteract mobile security solutions that are popular in Russia by completing their processes. "In addition, Svpeng collects an impressive amount of information from the user's phone: the call history, text and multimedia messages, browser bookmarks and contacts."

Operation Ghoul: targeted attacks on industrial and engineering organizations

Introduction

Kaspersky Lab has observed new waves of attacks that started on the 8th and the 27th of June 2016.

These have been highly active in the Middle East region and unveiled ongoing targeted attacks in multiple regions.

The attackers try to lure targets through spear phishing emails that include compressed executables.

The malware collects all data such as passwords, keystrokes and screenshots, then sends it to the attackers.

We found that the group behind this campaign targeted mainly industrial, engineering and manufacturing organizations in more than 30 countries. In total, over 130 organizations have been identified as victims of this campaign. Using the Kaspersky Security Network (KSN) and artifacts from malware files and attack sites, we were able to trace the attacks back to March 2015.

Noteworthy is that since the beginning of their activities:

the attackers’ motivations are apparently financial, whether through the victims’ banking accounts or through selling their intellectual property to interested parties;
most infiltrated victim organizations are considered SMBs (Small to Medium size businesses, 30-300 employees);
the utilization of commercial off-the-shelf malware makes the attribution of the attacks more difficult.

In ancient folklore, the Ghoul is an evil spirit associated with consuming human flesh and hunting kids, originally a Mesopotamian demon.

Today, the term is sometimes used to describe a greedy or materialistic individual.

Main infection vector: malicious emails

The following picture represents emails that are being used to deliver malware to the victims, in what looks like a payment document.

The e-mails sent by attackers appear to be coming from a bank in the UAE, the Emirates NBD, and include a 7z file with malware.
In other cases, victims received phishing links.

A quick analysis of the email headers reveals fake sources being utilised to deliver the emails to victims.

Malicious attachments

In the case of spear phishing emails with an attachment, the 7z does not contain payment instructions but a malware executable (EmiratesNBD_ADVICE.exe). We have observed executables with the following MD5s:

Malware MD5 hashes
fc8da575077ae3db4f9b5991ae67dab1
b8f6e6a0cb1bcf1f100b8d8ee5cccc4c
08c18d38809910667bbed747b2746201
55358155f96b67879938fe1a14a00dd6

Email file MD5 hashes
5f684750129e83b9b47dc53c96770e09
460e18f5ae3e3eb38f8cae911d447590

The spear phishing emails are mostly sent to senior members and executives of targeted organizations, most likely because the attackers hope to get access to core intelligence, controlling accounts and other interesting information from people who hold the following positions or similar:

Chief Executive Officer
Chief Operations Officer
General Manager
General Manager, Sales and Marketing
Deputy General Manager
Finance and Admin Manager
Business Development Manager
Manager
Export manager
Finance Manager
Purchase manager
Head of Logistics
Sales Executive
Supervisor
Engineer

Technical details

Malware functionality

The malware is based on the Hawkeye commercial spyware, which provides a variety of tools for the attackers, in addition to malware anonymity from attribution. It initiates by self-deploying and configuring persistence, while using anti-debugging and timeout techniques, then starts collecting interesting data from the victim’s device, including:

Keystrokes
Clipboard data
FileZilla ftp server credentials
Account data from local browsers
Account data from local messaging clients (Paltalk, Google talk, AIM…)
Account data from local email clients (Outlook, Windows Live mail…)
License information of some installed applications

Data exfiltration

Data is collected by the attackers using primarily:

Http GET posts sent to hxxp://192.169.82.86
Email messages sent via:
mail.ozlercelikkapi[.]com (37.230.110.53), mail to info@ozlercelikkapi[.]com
mail.eminenture[.]com (192.185.140.232), mail to eminfo@eminenture[.]com

Both ozlercelikkapi[.]com and eminenture[.]com seem to belong to compromised organisations operating in manufacturing and technology services.

Malware command center

The malware connects to 192.169.82.86 to deliver collected information from the victim’s PC.

This information includes passwords, clipboard data, screenshots… hxxp://192.169.82.86/~loftyco/skool/login.phphxxp://192.169.82.86/~loftyco/okilo/login.php The IP address 192.169.82.86 seems to belong to a compromised device running multiple malware campaigns. Victim information Victim organizations are distributed in different countries worldwide with attackers focused on certain countries more than others: Number of Victim Organisations by Country Countries marked as “others” have less than three victim organizations each, they are: Switzerland, Gibraltar, USA, Sweden, China, France, Azerbaijan, Iraq, Turkey, Romania, Iran, Iraq and Italy. Victim industry information Victim industry types were also indicators of targeted attacks as attackers were looking to infiltrate organizations that belong to the product life cycle of multiple goods, especially industrial equipment. #Manufacturing #transportation #travel targets of #OpGhoul Tweet Number of Victim Organizations by Industry Type Victim industry description Industrial Petrochemical, naval, military, aerospace, heavy machinery, solar energy, steel, pumps, plastics Engineering Construction, architecture, automation, chemical, transport, water Shipping International freight shipping Pharmaceutical Production/research of pharmaceutical and beauty products Manufacturing Furniture, decor, textiles Trading Industrial, electronics and food trading Education Training centers, universities, academic publishing Tourism Travel agencies Technology/IT Providers of IT technologies and consulting services Unknown Unidentified victims The last attack waves Kaspersky Lab user statistics indicate the new waves of attacks that started in June 2016 are focused on certain countries more than others. 
#opghoul highly active in #MiddleEast Tweet Hundreds of detections have been reported by Kaspersky Lab users; 70% of the attacked users were found in the United Arab Emirates alone, the other 30% were distributed in Russia, Malaysia, India, Jordan, Lebanon, Turkey, Algeria, Germany, Iran, Egypt, Japan, Switzerland, Bahrain and Tunisia. Other attack information Phishing pages have also been spotted through 192.169.82.86, and although they are taken down quickly, more than 150 user accounts were identified as victims of the phishing links sent by the attackers.
Victims were connecting from the following devices and inserting their credentials, a reminder that phishing attacks do work on all platforms: Windows Mac OS X Ubuntu iPhone Android The malware files are detected using the following heuristic signatures: Trojan.MSIL.ShopBot.wwTrojan.Win32.Fsysna.dfahTrojan.Win32.Generic Conclusion Operation Ghoul is one of the many attacks in the wild targeting industrial, manufacturing and engineering organizations, Kaspersky Lab recommends users to be extra cautious while checking and opening emails and attachments.
In addition, privileged users need to be well trained and ready to deal with cyber threats; failing at this is, in most cases, the cause of private or corporate data leakage and of reputational and financial loss.

Indicators of Compromise

The following are common among the different malware infections; the presence of any of them is an indication of a possible infection.

Filenames and paths related to malware

C:\Users\%UserName%\AppData\Local\Microsoft\Windows\bthserv.exe
C:\Users\%UserName%\AppData\Local\Microsoft\Windows\BsBhvScan.exe
C:\Users\%UserName%\AppData\Local\Client\WinHttpAutoProxySync.exe
C:\Users\%UserName%\AppData\Local\Client\WdiServiceHost.exe
C:\Users\%UserName%\AppData\Local\Temp\AF7B1841C6A70C858E3201422E2D0BEA.dat
C:\Users\%UserName%\AppData\Roaming\Helper\Browser.txt
C:\Users\%UserName%\AppData\Roaming\Helper\Mail.txt
C:\Users\%UserName%\AppData\Roaming\Helper\Mess.txt
C:\Users\%UserName%\AppData\Roaming\Helper\OS.txt
C:\ProgramData\Mails.txt
C:\ProgramData\Browsers.txt

List of malware-related MD5 hashes

55358155f96b67879938fe1a14a00dd6
f9ef50c53a10db09fc78c123a95e8eec
b8f6e6a0cb1bcf1f100b8d8ee5cccc4c
07b105f15010b8c99d7d727ff3a9e70f
ae2a78473d4544ed2acd46af2e09633d
21ea64157c84ef6b0451513d0d11d02e
08c18d38809910667bbed747b2746201
fc8da575077ae3db4f9b5991ae67dab1
8d46ee2d141176e9543dea9bf1c079c8
36a9ae8c6d32599f21c9d1725485f1a3
cc6926cde42c6e29e96474f740d12a78
6e959ccb692668e70780ff92757d2335
3664d7150ac98571e7b5652fd7e44085
d87d26309ef01b162882ee5069dc0bde
5a97d62dc84ede64846ea4f3ad4d2f93
5a68f149c193715d13a361732f5adaa1
dabc47df7ae7d921f18faf685c367889
aaee8ba81bee3deb1c95bd3aaa6b13d7
460e18f5ae3e3eb38f8cae911d447590
c3cf7b29426b9749ece1465a4ab4259e

List of malware-related domains

Indyproject[.]org
Studiousb[.]com
copylines[.]biz
Glazeautocaree[.]com
Brokelimiteds[.]in
meedlifespeed[.]com
468213579[.]com
357912468[.]com
aboranian[.]com
apple-recovery[.]us
security-block[.]com
com-wn[.]in
f444c4f547116bfd052461b0b3ab1bc2b445a[.]com
deluxepharmacy[.]net
katynew[.]pw
Mercadojs[.]com

Observed phishing URLs

hxxp://free.meedlifespeed[.]com/ComCast/
hxxp://emailreferentie.appleid.apple.nl.468213579[.]com/
hxxp://468213579[.]com/emailreferentie.appleid.apple.nl/emailverificatie-40985443/home/login.php
hxxp://verificatie.appleid.apple.nl.referentie.357912468[.]com/emailverificatie-40985443/home/lo…
hxxp://192.169.82.86/~gurgenle/verify/webmail/
hxxp://customer.comcast.com.aboranian[.]com/login
hxxp://apple-recovery[.]us/
hxxp://apple.security-block[.]com/Apple%20-%20My%20Apple%20ID.html
hxxp://cgi.ebay.com-wn[.]in/itm/2000-Jeep-Wrangler-Sport-4×4-/?ViewItem&item=17475607809
hxxp://https.portal.apple.com.idmswebauth.login.html.appidkey.05c7e09b5896b0334b3af1139274f266b2
hxxp://2b68.f444c4f547116bfd052461b0b3ab1bc2b445a[.]com/login.html
hxxp://www.deluxepharmacy[.]net

Other malware links

Malware links observed on 192.169.82.86 dating back to March and April 2016:

hxxp://glazeautocaree[.]com/proforma-invoice.exe
hxxp://brokelimiteds[.]in/cdn/images/bro.exe
hxxp://brokelimiteds[.]in/cdn/images/onowu.exe
hxxp://brokelimiteds[.]in/cdn/images/obe.exe
hxxp://brokelimiteds[.]in/wp-admin/css/upload/order.exe
hxxp://brokelimiteds[.]in/wp-admin/css/upload/orders.exe
hxxp://papercuts[.]info/SocialMedia/java.exe
hxxp://studiousb[.]com/mercadolivrestudio/f.zip
hxxp://copylines[.]biz/lasagna/gate.php?request=true

For more information on how you can protect your business from similar attacks, please visit this post from Kaspersky Business.
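Indicator lists like the one above are published defanged (`[.]` for `.`, `hxxp` for `http`, `%UserName%` for the real profile directory), so they cannot be compared with telemetry as-is. The following is an added example, not code from Kaspersky or from the original post: it refangs a subset of the indicators listed above, normalises file paths and URLs from endpoint and proxy telemetry into the same shape, and reports which indicator each record hits. The sample events and the function names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Indicators copied from the IoC list above, kept defanged exactly as published
# (a subset is enough to show the matching logic). Domains are lower-cased for matching.
IOC_PATHS = {
    r"C:\Users\%UserName%\AppData\Local\Microsoft\Windows\bthserv.exe",
    r"C:\Users\%UserName%\AppData\Local\Client\WdiServiceHost.exe",
    r"C:\Users\%UserName%\AppData\Roaming\Helper\Mail.txt",
    r"C:\ProgramData\Browsers.txt",
}
IOC_MD5 = {
    "55358155f96b67879938fe1a14a00dd6",
    "f9ef50c53a10db09fc78c123a95e8eec",
    "c3cf7b29426b9749ece1465a4ab4259e",
}
IOC_DOMAINS = {"indyproject[.]org", "copylines[.]biz", "aboranian[.]com", "apple-recovery[.]us"}
IOC_URLS = {
    "hxxp://copylines[.]biz/lasagna/gate.php?request=true",
    "hxxp://customer.comcast.com.aboranian[.]com/login",
}


def refang(indicator):
    """Undo the publication defanging so the indicator can be compared with live telemetry."""
    return indicator.replace("[.]", ".").replace("hxxps://", "https://").replace("hxxp://", "http://")


_USER_DIR = re.compile(r"^(C:\\Users\\)[^\\]+(\\)", re.IGNORECASE)


def normalize_user_path(path):
    """Collapse the concrete profile directory to the %UserName% placeholder the list uses."""
    return _USER_DIR.sub(r"\1%UserName%\2", path)


def host_matches(host, domain):
    """True when host is the indicator domain itself or one of its subdomains."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def match_record(record):
    """Return (category, indicator) pairs hit by one telemetry record.

    Records are dicts with 'type' in {'file', 'hash', 'dns', 'url'} and a 'value'.
    """
    kind, value = record["type"], record["value"]
    hits = []
    if kind == "file":
        norm = normalize_user_path(value).lower()
        hits += [("path", p) for p in IOC_PATHS if norm == p.lower()]
    elif kind == "hash":
        if value.lower() in IOC_MD5:
            hits.append(("md5", value.lower()))
    elif kind == "dns":
        hits += [("domain", d) for d in IOC_DOMAINS if host_matches(value, refang(d))]
    elif kind == "url":
        hits += [("url", u) for u in IOC_URLS if value.lower() == refang(u).lower()]
        host = urlsplit(value).hostname or ""
        hits += [("domain", d) for d in IOC_DOMAINS if host_matches(host, refang(d))]
    return hits


# Constructed sample telemetry (not real data): file-creation events, a hash lookup,
# proxy URLs and DNS queries, with a benign entry of each kind mixed in.
SAMPLE_EVENTS = [
    {"type": "file", "value": r"C:\Users\alice\AppData\Roaming\Helper\Mail.txt"},
    {"type": "file", "value": r"C:\Users\alice\AppData\Roaming\Helper\Notes.txt"},
    {"type": "hash", "value": "C3CF7B29426B9749ECE1465A4AB4259E"},
    {"type": "url", "value": "http://customer.comcast.com.aboranian.com/login"},
    {"type": "url", "value": "http://copylines.biz/lasagna/gate.php?request=true"},
    {"type": "dns", "value": "mail.indyproject.org"},
    {"type": "dns", "value": "www.example.com"},
]


def scan(events):
    """Return [(value, hits)] for every event that matched at least one indicator."""
    results = []
    for event in events:
        hits = match_record(event)
        if hits:
            results.append((event["value"], hits))
    return results


if __name__ == "__main__":
    for value, hits in scan(SAMPLE_EVENTS):
        print(value, "->", ", ".join(f"{cat}:{ioc}" for cat, ioc in hits))
```

Two details matter in practice: the domain check matches subdomains as well as the listed apex (the phishing hosts above are deep subdomains of the listed domains), and the path check is case-insensitive after the profile directory is normalised, since Windows paths in telemetry vary in both respects.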

'Strong Connection' Between Files Leaked By ShadowBrokers & The Equation Group

Researchers from Kaspersky Lab, which exposed the so-called Equation Group two years ago, say several hundred of the hacking tools leaked online have ties to the nation-state gang. The team of researchers at Kaspersky Lab who initially exposed the so-called Equation Group in 2015 today confirmed that several hundred of the purported tools leaked online have ties to that sophisticated hacker group. The researchers found that a rare deployment of RC5/RC6 encryption in the files dumped online this week by the so-called "ShadowBrokers" matches that of the Equation Group. Kaspersky Lab has never confirmed Equation Group is the NSA -- it does not confirm attribution of groups -- but security experts say the two are one and the same. ShadowBrokers claimed to have in its possession stolen Equation Group tools and files, which it has offered for sale online.

Security experts for the past couple of days have been debating the authenticity of the leak, as well as just who may be behind it -- not to mention just how and when the National Security Agency (NSA) could have been breached. "This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation Group. While the ShadowBrokers claimed the data was related to the Equation Group, they did not provide any technical evidence of these claims. The highly specific crypto implementation above confirms these allegations," the Kaspersky Lab researchers wrote in a blog post today.

More than 300 of the files dumped by ShadowBrokers use the RC6 crypto implementation associated with the Equation Group. "There are more than 300 files in the ShadowBrokers’ archive which implement this specific variation of RC6 in 24 different forms. The chances of all these being faked or engineered are highly unlikely," the researchers said.

Former NSA analyst Blake Darche, who has been studying the leak, says the tools appear to be legitimate. Darche, CTO and co-founder of Area 1, says the backdoors and exploits in the dump include a tool called SecondDate that runs on Cisco PIX631 firewalls.

Kelly Jackson Higgins is Executive Editor at DarkReading.com.

The Equation Giveaway

Rare implementation of RC5/RC6 in ‘ShadowBrokers’ dump connects them to Equation malware

August 13, 2016 saw the beginning of a truly bizarre episode.

A new identity going under the name ‘ShadowBrokers’ came onto the scene claiming to possess files belonging to the apex predator of the APT world, the Equation Group [PDF].
In their initial leak, the ShadowBrokers claimed the archive was related to the Equation group; however, they didn’t provide any technical details on the connections. Along with some non-native rants against ‘Wealthy Elites’, the ShadowBrokers provided links to two PGP-encrypted archives.

The first was provided for free as a presumptive show of good faith, the second remains encrypted at the time of writing.

The passphrase is being ‘auctioned’, but with the price set at 1 million BTC (or 1/15th of the total amount of bitcoin in circulation), we consider this to be optimistic at best, if not ridiculous at face value.

The first archive contains close to 300MB of firewall exploits, tools, and scripts under cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION. Most files are at least three years old, with change entries pointing to August 2013 and the newest timestamp dating to October 2013. As researchers continue to feast on the release, some have already begun to test the functional capabilities of the exploits, with good results.

Having originally uncovered the Equation group in February 2015, we’ve taken a look at the newly released files to check for any connections with the known toolsets used by Equation, such as EQUATIONDRUG, DOUBLEFANTASY, GRAYFISH and FANNY. While we cannot surmise the attacker’s identity or motivation, nor where or how this pilfered trove came to be, we can state that several hundred tools from the leak share a strong connection with our previous findings from the Equation group.

The Devil’s in the Crypto

The Equation group uses the RC5 and RC6 encryption algorithms quite extensively throughout their creations. RC5 and RC6 are two encryption algorithms designed by Ronald Rivest in 1994 and 1998 respectively.

They are very similar to each other, with RC6 introducing an additional multiplication in the cipher to make it more resistant. Both ciphers use the same key setup mechanism and the same magic constants, named P and Q.

The particular RC5/6 implementation from the Equation group’s malware is interesting and deserves special attention because of one specific detail. Inside the Equation group malware, the encryption library uses a subtract operation with the constant 0x61C88647. In most publicly available RC5/6 code, this constant is instead stored as 0x9E3779B9, which is -0x61C88647 taken modulo 2^32. Since an addition is faster on certain hardware than a subtraction, it makes sense to store the constant in its negative form and add it instead of subtracting.

In total, we’ve identified 20 different compiled versions of the RC5/6 code in the Equation group malware.

[Figure: Encryption-related code in a DoubleFantasy (actxprxy32.dll) sample]

In the screenshot above, one can observe the main loop of an RC6 key setup subroutine extracted from one of the Equation group samples.

The ShadowBrokers’ free trove includes 347 different instances of RC5/RC6 implementations.

As shown in the screenshot below, the implementation is functionally identical, including the subtraction of the inverted constant 0x61C88647.

[Figure: Specific RC6 implementation from “BUSURPER-2211-611.exe” (md5: 8f137a9100a9fcc8b512b3729878a373)]

Comparing the older, known Equation RC6 code with the code used in most of the binaries from the new leak, we observe that they are functionally identical and share rare, specific traits in their implementation. In case you’re wondering, this specific RC6 implementation has only been seen before in Equation group malware.
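The claim that the two forms are "functionally identical" is easy to check by hand. The block below is an added example written for this page; it is neither Kaspersky's code nor code from the leaked archive. It implements the textbook RC5/RC6 key setup for 32-bit words (the published algorithm, not the leak's specific variation) with the constant step written both ways: adding 0x9E3779B9 as most public code does, and subtracting 0x61C88647 as the Equation samples do. Because the mixing loop is shared by RC5 and RC6, the same function covers both ciphers through the number of round keys t (2r + 2 for RC5, 2r + 4 for RC6). Function and constant names are this example's own.

```python
MASK32 = 0xFFFFFFFF
P32 = 0xB7E15163       # magic constant P for 32-bit words, shared by RC5 and RC6
Q32 = 0x9E3779B9       # Q as most public code stores it: added at every step
Q32_NEG = 0x61C88647   # the same Q negated modulo 2^32, as the Equation code stores it: subtracted


def rotl32(x, n):
    """Rotate a 32-bit word left by n bits (only the low five bits of n matter)."""
    n &= 31
    return ((x << n) | (x >> (32 - n))) & MASK32


def initial_round_keys(t, subtractive=False):
    """First stage of key setup: S[0] = P, then S[i] = S[i-1] + Q for i < t.

    With subtractive=True the step is S[i] = S[i-1] - 0x61C88647 instead, the form
    seen in the Equation samples. Both stay inside 32 bits and yield the same words.
    """
    S = [P32]
    for _ in range(1, t):
        nxt = S[-1] - Q32_NEG if subtractive else S[-1] + Q32
        S.append(nxt & MASK32)
    return S


def rc_key_schedule(key, t, subtractive=False):
    """RC5/RC6 key schedule for w = 32, producing t round keys from a byte-string key.

    RC5 with r rounds uses t = 2r + 2 and RC6 uses t = 2r + 4. The mixing loop is
    identical in both ciphers, so only the constant step distinguishes the two forms.
    """
    c = max(1, (len(key) + 3) // 4)                      # number of 32-bit key words
    padded = key + b"\x00" * (4 * c - len(key))
    L = [int.from_bytes(padded[4 * i:4 * i + 4], "little") for i in range(c)]
    S = initial_round_keys(t, subtractive)
    A = B = i = j = 0
    for _ in range(3 * max(c, t)):                        # mix the key words into S
        A = S[i] = rotl32((S[i] + A + B) & MASK32, 3)
        B = L[j] = rotl32((L[j] + A + B) & MASK32, A + B)
        i = (i + 1) % t
        j = (j + 1) % c
    return S


def schedules_agree(key, t):
    """True when the additive and subtractive forms produce identical round keys."""
    return rc_key_schedule(key, t) == rc_key_schedule(key, t, subtractive=True)


if __name__ == "__main__":
    # RC6-32/20 with a constructed all-zero 16-byte key: t = 2*20 + 4 = 44 round keys.
    demo_key = bytes(16)
    print("Q + (-Q) mod 2^32 =", hex((Q32 + Q32_NEG) & MASK32))
    print("first three S words:", [hex(s) for s in initial_round_keys(3)])
    print("both forms agree for RC6-32/20:", schedules_agree(demo_key, 44))
    print("both forms agree for RC5-32/12:", schedules_agree(demo_key[:8], 26))
```

The point for attribution work is the converse of what the code shows: since either constant gives the same key material, a compiler or programmer has no functional reason to prefer one, so a consistent, unusual choice such as the subtracted 0x61C88647 is a stylistic fingerprint rather than a property of the cipher.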

There are more than 300 files in the ShadowBrokers’ archive which implement this specific variation of RC6 in 24 different forms.

The chances of all these being faked or engineered are highly unlikely. This code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation group. While the ShadowBrokers claimed the data was related to the Equation group, they did not provide any technical evidence of these claims.

The highly specific crypto implementation above confirms these allegations. More details about the ShadowBrokers leak and its similarities with the Equation group are available to subscribers to Kaspersky Intelligence Services reports.

For more information, email <intelreports@kaspersky.com>

Dark Reading Radio: What Keeps IT Security Pros Awake at Night

Join us for a discussion with (ISC)² Chief Exec David Shearer on your most worrisome trends and challenges.

Tune in tomorrow, Wednesday, Aug 17, 1 pm EDT/10 am PDT.

Whether it's phishing, ransomware, data breaches, a shortage of skilled staff, or communicating with users, internal business colleagues and the C-suite, IT security executives have a lot to worry about. In our next Dark Reading Radio show, Wednesday, August 17 at 1:00 p.m. EDT/10:00 a.m. PDT, we’ll take a look at recent survey data – including results from the annual 2016 Black Hat Attendee Survey – with (ISC)² Chief Executive Officer David Shearer in a discussion about issues that are causing security professionals to lose their well-earned sleep.

Before taking the helm at (ISC)², our featured speaker served as associate CIO for International Technology Services at the U.S. Department of Agriculture, deputy CIO at the U.S. Department of the Interior, and the executive for architecture, engineering and technical services at the U.S. Patent and Trademark Office. At (ISC)², he is responsible for the overall direction and management of the organization and its Center for Cyber Safety and Education.

Among the issues and trends we’ll be discussing Wednesday:

Security readiness: According to the Black Hat 2016 survey, 72% of respondents believe it’s “likely” their organizations will face a major breach in the next 12 months, and 70% believe they don’t have enough people, budget, or training to defend themselves against current threats.

Attack trends: Almost 60% of Black Hat survey respondents have experienced breaches through phishing or malware in the past year; 23% of respondents experienced a ransomware attack in the past year, and 17% identified a targeted attack.

Cloud: Among the most significant practical security trends identified by more than half of respondents to (ISC)²’s co-sponsored Cloud Security Spotlight Report were issues involving unauthorized access via misuse of employee credentials and improper access controls.

Security skills shortage: According to the Black Hat survey, 74% of respondents say they do not have enough staff to defend their organizations against current threats.

State of industry security practices: In the Black Hat survey, respondents reported that the most common security practices are strong passwords, virus detection, and end user awareness training. But newer practices such as DevOps for tighter application security and forensics/advanced threat practices are much less prevalent.

Are these issues keeping you up at night? What else is causing you to lose sleep? I hope you'll join our show this Wednesday, and bring your personal insights and opinions to the conversation. You can post your comments and questions below or take them with you to the Dark Reading Radio studio on Wednesday, where you can participate directly through online chat. Please note, you’ll need to register for the broadcast to participate. I look forward to seeing you there. But if you can't make it, please check out the broadcast and live chat from our Dark Reading Radio archive.

Marilyn has been covering technology for business, government, and consumer audiences for over 20 years.

Blogger Turns Tables On Cyber-Scammer

A French security researcher says he managed to turn the tables on a cyber-scammer by sending him malware. Technical support scams try to convince people to buy expensive software to fix imaginary problems. But Ivan Kwiatkowski played along with the scheme until he was asked to send credit card details. He instead sent an attachment containing ransomware. He told the BBC he wanted to waste the man's time to make the scheme unprofitable.

Scareware

Technical support scams are designed to scare people into buying useless and sometimes harmful software. Scammers send out emails, create fake websites or place advertisements online, falsely warning people that their computers have been infected with viruses. They encourage victims to contact "technical support" via a supplied telephone number or email address.

"In most cases, the scammer's objective is to convince you that your machine is infected and sell you a snake-oil security product," Mr Kwiatkowski told the BBC.

Not fooled

When Mr Kwiatkowski's parents stumbled across one such website, he decided to telephone the company and pretend he had been fooled. The "assistant" on the telephone tried to bamboozle him with technical jargon and encouraged him to buy a "tech protection subscription" costing 300 euros (£260). Mr Kwiatkowski told the assistant that he could not see his credit card details clearly and offered to send a photograph of the information. But he instead sent a copy of Locky ransomware disguised as a compressed photograph, which the assistant said he had opened.

"He says nothing for a short while, and then... 'I tried opening your photo, nothing happens.' I do my best not to burst out laughing," Mr Kwiatkowski wrote in his blog.

Tips for avoiding scareware

Be suspicious of messages on web pages that tell you your device has been infected by viruses or has other problems.
Be suspicious of advertisements that masquerade as system messages.
Avoid clicking on links and attachments in emails from unknown senders.
Contact your device or operating system manufacturer directly for advice.

Timewaster

"I respond to email scam attempts most of the time, but this was the first time I responded to one over the telephone," Mr Kwiatkowski told the BBC. "I'm curious about how criminals operate and what they're trying to accomplish.

"More often than not it ends up being fun and there's social utility in wasting their time. I believe that if more people respond and waste their time, their activities might not be profitable enough to continue."

Mr Kwiatkowski said he could not be absolutely certain whether the ransomware had infected the scammer's computer, but there was a fair chance it had.

"He did not let on that something had happened to his computer, so my attempt is best represented as an unconfirmed kill," said Mr Kwiatkowski. "But encrypting a whole file system does take some time."

He acknowledged that some people may have found his retaliation unethical, but said responses had been "mostly positive". "People respond well to the story because this is such a David versus the Goliath setting," he said.

However, Professor Alan Woodward from the University of Surrey warned that "hacking back" could have consequences: "There's a lot of talk around hacking back - and while it may be very tempting, I think it should be avoided to stay on the right side of the law.

"But wasting their time on the phone I have no problem with. I even do that myself!"

Alleged Russian Hacker Seleznev Goes On Trial In US

A RUSSIAN CHAP is on trial for his alleged involvement in $170m worth of fraudulent credit card purchases. Roman Seleznev is the son of a Russian lawmaker, which might make things awkward.

The US wants him, and is starting a jury trial this week. Seleznev faces a 40-count indictment for allegedly masterminding a multi-company hacking organisation that took millions of dollars from many victims. He was indicted in 2014 along with Sergei Nicolaevich Tšurikov and others.

Tšurikov has already been sentenced. "A leader of one of the most sophisticated cyber crime rings in the world has been brought to justice and sentenced," said US attorney Sally Quillian Yates in an FBI report at the time. "In just one day in 2008, an American credit card processor was hacked in perhaps one of the most sophisticated and organised computer fraud attacks ever conducted. "Almost exactly one year later, the leaders of this attack were charged.

This prosecution was successful because of the efforts of the victim, and unprecedented cooperation from various law enforcement agencies worldwide." The credit card processor was RBS WorldPay, and the mayhem lasted for a month.

Financial outfits usually lose that kind of money only when it comes to dishing out worker bonuses. Seleznev was injured in an explosion at a café and has undergone some years of surgery and recovery. We bet he felt really positive about the future when he was given the all clear from the doctors.
Still, at least he will be well used to institutional food. He now faces a federal jury trial, to which 11 further counts have been added since 2014's proceedings. Associated Press reported that the trial is expected to last for two weeks, but Seleznev is low on English and will need an interpreter, so we can probably add a day or two to that estimate. Others from the same gang have already felt the pinch of the law on their collars. µ

20 Top US Hotels Hit By Fresh Malware Attacks

A new swathe of US hotels has fallen prey to point-of-sale (PoS) malware which may have exposed customer financial data. 20 US hotels operated by HEI Hotel & Resorts on behalf of Starwood, Marriott, Hyatt and Intercontinental may have leaked the fin...