Thursday, October 19, 2017

Targeted mobile implants in the age of cyber-espionage

Background

When mass-produced electronic spying programs became widely known to the public, many email providers, businesses, and individuals started to use data encryption. Some of them implemented forced encryption for server connections, while others went further and implemented end-to-end encryption for data transmission as well as server storage. Unfortunately, albeit important, these measures did not solve the core problem: the original architectural design of email allows metadata to be read as plain text on both sent and received messages. That metadata includes recipient, sender, sent/receipt date, subject, message size, whether there are attachments, and the email client used to send the message, among other data. This information is enough for someone behind a targeted attack campaign to reconstruct a timeline of conversations and learn when people communicate with one another, what they talk about, and how often they communicate. Using this information to fill in the gaps, threat actors are able to learn enough about their targets.

In addition, technologies are evolving, so something that is encrypted today may be easily decrypted a few years later, sometimes only months later, depending on how strong the encryption key is and how fast technologies are developing.

This scenario has made people move away from email exchanges when it comes to confidential conversations. Instead, they started using secure mobile messaging applications with end-to-end encryption, no server storage and timed deletion. On the one hand, these applications provide strong data and connection encryption. On the other hand, they handle auto-deletion on cell phones and provider servers. Finally, they have practically no metadata or are impersonal, thus not allowing identifiers about targets or data correlation. This way, conversations are truly kept confidential, safe, and practical.
Naturally, this scenario has made threat actors develop implants for mobile devices since, from a hacking perspective, they address all the aforementioned technical limitations―that is, the inability to intercept conversations between users who have migrated to these secure mobile messaging applications.

What is an implant? This is an interesting term invented by the very same threat actors behind targeted attacks. We saw it for the first time during the Careto campaign we announced a few years ago. Now we will analyze some implants developed by HackingTeam to infect mobile devices running iOS (Apple), Android, Blackberry, and Windows Mobile. HackingTeam isn’t the only group developing mobile implants. There are several campaigns with different roots that have been investing in the development of mobile malware and using it in targeted attacks at the regional and international level.

Implants for Android

Android-based phones are more affordable and, consequently, more popular worldwide. That is why threat actors responsible for targeted attacks have Android phones as their #1 priority and have developed implants for this operating system in particular. Let’s analyze what one of these implants is capable of.

HEUR:Trojan-Spy.AndroidOS.Mekir.a

It is well known that the encryption algorithm used in text messages is weak. It is safe to assume that practically all text messages sent are susceptible to interception. That is precisely why many users have been using instant messaging programs. In the code fragment above, we can see how threat actors are able to obtain access to the messaging database used by WeChat, a mobile application for text message exchange. Let’s assume that the messaging application being used by the victim is really secure and has applied strong end-to-end encryption, but all messages sent and received are stored locally. In that case, threat actors would still have the ability to decode these messages.
Well, when they steal a database along with the encryption key that is stored within the victim’s device, threat actors behind these attacks can decrypt all contents. This includes all database elements: not only the text information, but also shared geographic locations, pictures, files, and other data. Besides, threat actors have the ability to manipulate the camera on the device. They can even take pictures of the victim for identity confirmation. This also correlates with other data, such as the wireless network provider that the phone is connected to.

Actually, it doesn’t matter what application the victim is using. Once the mobile end point is infected, threat actors are able to read all messages sent and received by the victim. In the following code segments, we can see the instructions used to interact with the messaging applications Viber and WhatsApp.

If a mobile device is compromised with an implant, the rule becomes very simple: if you read a secure text message on your screen, the threat actor behind that implant reads it too.

Implants for iOS

Undoubtedly, Apple mobile devices also enjoy a large market share. In some markets, they are certainly more popular than Android devices. Apple has managed the security architecture of its devices very well. However, that doesn’t make them completely immune to malware attacks, especially when there are high-profile threat actors involved. There are several infection vectors for these devices. When high-profile targets are selected, threat actors behind these targeted attacks may apply infection techniques that use exploits whose costs are higher―hundreds of thousands of dollars―but highly effective as well. When targets are of an average profile, less sophisticated but equally effective infection techniques are used. For example, we would point to malware installations from a previously infected computer when a mobile device is connected through a USB port. What technical abilities do iOS implants have?
Let’s see the following implant example:

Trojan.OSX.IOSInfector.a

This Trojan infects iOS devices as they are being charged by the victim of the attack, using a previous jailbreak made to the device. In other words, if targets usually charge their cell phones using a USB cable, the pre-infected computer may force a complete jailbreak on the device and, once the process is complete, the aforementioned implant is installed.

In this code, you can see that the attacker is able to infect the device and confirm the victim’s identity. This is a crucial step during targeted attacks, since threat actors behind this kind of attack wouldn’t want to infect the wrong victim and―worse yet―lose control of their implant and spoil the entire operation, thus exposing their attack to the public. Consequently, one of the technical abilities of these implants is to verify the phone number of their victim, along with other data, to make sure they’re not targeting the wrong person.

Among other preliminary surveying actions, this implant also verifies the name of the mobile device and the exact model, battery status, Wi-Fi connection data, and the IMEI number, which is unique to each device. Why would they check the battery status? Well, there are several reasons for that, the main one being that data is transferred through the internet to the hacker’s server as this information is extracted from an infected device. When phones are connected to the internet, be it through a data plan or Wi-Fi connection, the battery drains faster than normal. If threat actors extract data at an unsuitable moment, the victim could easily notice that there’s something wrong with the phone, since the battery would be hot and start draining faster than normal. That is the reason why threat actors would rather extract information from victims―especially heavy data like photos or videos―at a moment when their battery is being charged and the cell phone is connected to Wi-Fi.
A key part of spying techniques is to combine a victim’s real world with the digital world they live in. In other words, the objective is not only to steal information stored in the cell phone, but also to spy on conventional conversations carried out offline. How do they do it? By enabling the front camera and microphone on hacked devices. The problem is that, if the cell phone isn’t in silent or vibrate mode, it will make a particular sound as a picture is taken with the camera. How do they resolve it? Well, implants have a special setting that disables camera sounds.

Once the victim is confirmed, the hacker once again starts to compile the information they are interested in. The code below shows that threat actors are interested in the Skype conversations their victims are having. This way, threat actors have complete control over their victims’ conversations. In this example, Skype is the messaging application being targeted by the threat actors, but it could actually be any application of their choice, including those considered very secure apps. As mentioned above, the weakest link is the mobile end point and, once it is compromised, there is no need to even crack any encryption algorithm, no matter how strong it may be.

Implants for Blackberry

Some targets may use Blackberry phones, which are known to have one of the most secure operating systems on the market. Even though they are safer, threat actors behind targeted attacks don’t lag behind and have their arsenal ready.

Trojan-Spy.BlackberryOS.Mekir.a

This implant is characterized by a strong code obfuscation technique. Analyzing it is a complex task. When we look at the code, we can clearly see that even though the implant comes from the same threat actor, the developer belongs to another developer group. It’s as if a specific group were in charge of developing implants for this operating system in particular. What actions can these implants perform on an infected Blackberry device?
Well, there are several possible actions:

- Checking the battery status
- Tracking the victim’s geographic location
- Detecting when a SIM card is replaced
- Reading text messages stored within the device
- Compiling a list of calls made and received by the device

Once Blackberry phones start to use the Android operating system, threat actors will have a farther-reaching operation.

Implants for Windows Mobile

Windows Mobile isn’t necessarily the most popular operating system for mobile devices on the market, but it is the native OS used by Nokia devices, which are preferred by people looking for quality and a solid track record. There is a possibility that some targets may use this operating system, and that is why the development of implants for Windows Mobile devices is underway as well. Next, we will see the technical scope of implants for Windows Mobile devices.

HEUR:Trojan-Spy.WinCE.Mekir.a

When infecting a victim’s mobile device, this implant is hidden in a dynamic library file by the name bthclient.dll, which is supposedly a Bluetooth driver. The technical abilities of these implants are practically limitless. Threat actors may develop several actions, such as checking:

- The list of apps installed
- The name of the Wi-Fi access point to which the victim is connected
- Clipboard content, which usually contains information of interest to the victim and, consequently, to the attacker

Threat actors may even be able to learn the name of the APN that victims connect to while using the data plan through their provider. Additionally, threat actors can actively monitor specific applications, such as the native email client and communications hub used by a Windows Mobile device, to process the victim’s communication data.

Conclusions

Considering the explanation in the introduction, it is probable that the most sensitive conversations take place in secure end-to-end mobile applications and not necessarily in emails sent with PGP.
Threat actors are aware of it, and that is why they have been actively working not only on developing implants for desktop computers, but also for mobile devices. We can say for sure that threat actors enjoy multiple benefits when they infect a mobile device instead of a traditional computer. Their victims are always carrying their cell phones with them, so these devices contain information that their work computers won’t. Besides, mobile devices are usually less protected from a technological point of view, and victims oftentimes don’t believe their cell phones could ever become infected.

Despite strong data encryption, a compromised mobile end point is completely exposed to spying, since threat actors have the same ability to read messages as users themselves. Threat actors don’t need to struggle with encryption algorithms, nor intercept data at the network layer. They simply read this information the same way their victim would.

Mobile implants don’t belong to the group of massive attacks launched by cybercriminals; they are actually targeted attacks in which victims are carefully selected before the attack.

What Makes You A Target?

There are several factors involved in being a target, including whether you are a politically exposed person, have contacts of interest to threat actors, or are working on a secret or sensitive project that is also of interest, among others. One thing is certain: if you’re targeted by such an attack, the probability of infection is very high. Everything we’re seeing now is a battle for numbers. You cannot decide whether you’ll become a victim, but one thing you can do is elevate the cost of such an attack to the point that threat actors might give up and move on to a less expensive target who is more tangible in terms of time invested and risk of the exploit campaign being discovered.

How Can Someone Elevate the Cost of an Attack?

Here is a set of best practices and habits in general.
Each case is unique, but the main idea is to make threat actors lose motivation once it becomes too laborious to carry out their operation, thus increasing their risk of failure. Among the basic recommendations to improve the security of our mobile devices, we could highlight the following:

- Always use a VPN connection to connect to the Internet. This helps keep your network traffic from being easily intercepted and protects against malware that could be injected directly into a legitimate application being downloaded from the internet.
- Do not charge your mobile devices using a USB port connected to a computer. The best thing you can do is to plug your phone directly into the AC power adapter.
- Install an anti-malware program. It has to be the best one. It seems that the future of these solutions lies precisely in the same technologies already implemented for desktop security: Default Deny and Whitelisting.
- Protect your devices with a password, not a PIN. If the PIN is found, threat actors may gain physical access to your mobile device and install the implant without your knowledge.
- Use the encryption for data storage implemented by your mobile device. This advice is especially relevant for devices that allow memory cards to be removed. If threat actors extract your memory card and connect it to another device, they’ll also be able to easily manipulate your operating system and your data in general.
- Do NOT jailbreak your device, especially if you’re not very sure what it implies.
- Don’t use second-hand cell phones that may already come with pre-installed implants. This piece of advice is especially important if your cell phone comes from someone you’re not very familiar with.
- Always keep the operating system on your mobile device updated and install the latest upgrade as soon as it becomes available.
- Review all processes being executed in your device memory.
- Review all authorized apps in your system and disable the automatic data submission function for logs and other service data, even if the communication is between your cell phone and your provider.

Finally, keep in mind that, without a doubt, conventional conversations in a natural environment are always safer than those carried out electronically.


The mysterious case of CVE-2016-0034: the hunt for a Microsoft Silverlight...

Perhaps one of the most explosively discussed subjects of 2015 was the compromise and data dump of Hacking Team, the infamous Italian spyware company. For those who are not familiar with the subject, Hacking Team was founded in 2003 and specialized in selling spyware and surveillance tools to governments and law enforcement agencies. On July 5, 2015, a large amount of data from the company was leaked to the Internet, with a hacker known as “Phineas Fisher” claiming responsibility for the breach. Previously, “Phineas Fisher” did a similar attack against Gamma International, another company in the spyware/surveillance business.

The hacking of Hacking Team was widely discussed in the media from many different points of view, such as the legality of selling spyware to oppressive governments, the quality (or lack of…) of the tools, and leaked email spools displaying the company’s business practices. One of these stories attracted our attention.

“How a Russian hacker made $45,000 selling a 0-day Flash exploit to Hacking Team”

So reads the title of a fascinating article written for Ars Technica by Cyrus Farivar on July 10, 2015. The article tells the story of Vitaliy Toropov, a 33-year-old exploit developer from Moscow who made a living by selling zero-day vulnerabilities to companies such as Hacking Team. In the Ars Technica article, Cyrus writes the following paragraph, which shows the original offer from the exploit seller:

Excerpt from the Ars Technica article

For a company like Hacking Team, zero-days are their “bread and butter” — their software cannot infect their targets without effective exploits and zero-days, especially those that can bypass modern defense technologies such as ASLR and DEP. Those exploits are in very high demand. The trade between these two continued until they finally agreed on purchasing an Adobe Flash Player zero-day, now defunct, for which Vitaliy Toropov promptly received a $20,000 advance payment.
A good salesman, Vitaliy Toropov immediately mailed back and offered a discount on the next purchases. So writes Cyrus, in his Ars Technica story:

Excerpt from the Ars Technica article

This section of the story immediately spiked our attention. A Microsoft Silverlight exploit written more than two years ago that may survive in the future? If that was true, it would be a heavyweight bug, with huge potential to successfully attack a lot of major targets. For instance, when you install Silverlight, it not only registers itself in Internet Explorer, but also in Mozilla Firefox, so the attack vector could be quite large.

The hunt for the Silverlight zero-day

In the past, we successfully caught and stopped several zero-days, including CVE-2014-0515 and CVE-2014-0546 (used by the Animal Farm APT group), CVE-2014-0497 (used by the DarkHotel APT group) and CVE-2015-2360 (used by the Duqu APT group). We also found CVE-2013-0633, a Flash Player zero-day that was used by Hacking Team and another unknown group. We strongly believe that discovering these exploits and reporting them to the affected software manufacturers free of charge makes the world a bit safer for everyone. So while reading the Ars Technica story, the idea to catch Vitaliy Toropov’s unknown Silverlight exploit materialized.

How does one catch zero-days in the wild? In our case, we rely on several well-written tools, technologies and our wits. Our internal tools include KSN (Kaspersky Security Network) and AEP (Automatic Exploit Prevention).

To catch this possibly unknown Silverlight exploit we started by investigating the other exploits written by Vitaliy Toropov. Luckily, Vitaliy Toropov has a rather comprehensive profile on OSVDB. Additionally, PacketStorm has a number of entries from him. This one caught our attention for two reasons:

- It is a Silverlight exploit
- It comes with a proof of concept written by Vitaliy himself

One can easily grab the PoC from the same place, which we did.
The archive contains a well-written readme file that describes the bug, as well as source code for the PoC exploit. The exploit in this PoC simply fires up calc.exe on the victim’s machine. The archive includes a debug version compiled by the author, which is extremely useful to us, because we can use it to identify specific programming techniques such as specific strings or shellcode used by the developer. The most interesting file in the archive is:

SilverApp1.dll
Size: 17920 bytes
md5: df990a98eef1d6c15360e70d3c1ce05e

This is the actual DLL that implements the Silverlight exploit from 2013, as coded by Vitaliy Toropov. With this file in hand, we decided to build several special detections for it. In particular, we wrote a YARA rule for this file which took advantage of several of the specific strings from the file. Here’s what our detection looked like in YARA:

Pretty straightforward, no? Actually, nowadays we write YARA rules for all high-profile cases and we think it’s a very effective way to fight cyberattacks. Great props to Victor Manuel Alvarez and the folks at VirusTotal (now Google) for creating such a powerful and versatile tool!

The long wait…

After implementing the detection, we waited, hoping that an APT group would use it. Since Vitaliy Toropov was offering it to Hacking Team, we also assumed that he sold it to other buyers, and what good is a zero-day if you don’t use it? Unfortunately, for several months, nothing happened. We had already forgotten about this until late November 2015.

On November 25th, one of our generic detections for Toropov’s 2013 Silverlight exploit triggered for one of our users. Hours later, a sample was also uploaded to a multiscanner service from Lao People’s Democratic Republic (Laos). This file was compiled on July 21, 2015, which is about two weeks after the Hacking Team breach. This also made us think it was probably not one of the older 2013 exploits but a new one.
It took us some time to analyse and understand the bug. When we were absolutely sure it was indeed a new zero-day exploit, we disclosed the bug to Microsoft. Microsoft confirmed the zero-day (CVE-2016-0034) and issued a patch on January 12, 2016.

Technical analysis of the bug

The vulnerability exists in the BinaryReader class. When you create an instance of this class you can pass your own implementation of the encoding:

Moreover, for the encoding you can use your own Decoder class:

Looking at the BinaryReader.Read() code, we see the following:

Indeed, the “index” value was checked correctly before this call:

But if you look deeper inside the InternalReadChars function (this function is marked as unsafe and uses pointer manipulation), you will see the following code:

The problem appears because the GetChars function can be user-defined, for instance:

Therefore, as you can see, we can control the “index” variable from user-defined code. Let’s do some debugging. This is the Test.buf variable, where 05 is the array length before triggering the vulnerability:

After calling the BinaryReader.Read method we stop in the InternalReadChars method (index is 0):

After this call we stop in user-defined code:

This is the first call of the user-defined function and we return an incorrect value from it. In the next iteration, the “index” variable contains the incorrect offset:

After we change the offset we can easily modify memory, for instance:

This is the Test.buf object after our modifications in the decoder method:

So, is this the droid you’ve been looking for?

One of the biggest questions we have is whether this is Vitaliy Toropov’s Silverlight zero-day which he tried to sell to Hacking Team. Or is it a different one? Several things make us think it’s one of his exploits, such as the custom error strings. Of course, there is no way to be sure and there might be several Silverlight exploits out there.
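The mechanism described in the technical analysis above, as an added Python model that is not part of the original post and is not Silverlight's or Microsoft's code: a public Read(buffer, index, count) entry point that validates its arguments once, an inner loop that advances index by whatever a pluggable decoder reports, and a hardened variant that treats that reported count as untrusted input. FlatMemory, HonestDecoder, UntrustedDecoder, demo and both loops are constructed for this model; the decoder's single wrong return value and the input bytes are constructed sample data, and the hardened check is this model's fix, not a statement about what Microsoft's patch does.

```python
"""Model of the read-loop flaw discussed above (added example, not the
analysed code).  A user-supplied decoder returns a count the loop never
re-checks, so the entry check on index/count stops meaning anything."""
from io import BytesIO


class FlatMemory:
    """Constructed flat 'memory': a neighbouring object placed directly
    before a char buffer of buf_len cells.  Writes are addressed relative
    to the buffer base with no bounds check, which is what the unsafe
    pointer arithmetic in the analysed function amounts to."""

    def __init__(self, neighbour, buf_len):
        self.base = len(neighbour)
        self.buf_len = buf_len
        self.cells = list(neighbour) + [None] * buf_len

    def neighbour(self):
        return self.cells[:self.base]

    def buffer(self):
        return self.cells[self.base:]


class HonestDecoder:
    """One byte in, one char out, and a truthful count returned."""

    def get_chars(self, raw, memory, char_index):
        for i, b in enumerate(raw):
            memory.cells[memory.base + char_index + i] = chr(b)
        return len(raw)


class UntrustedDecoder(HonestDecoder):
    """User-supplied decoder whose reported count is not tied to what it
    wrote.  `reported` is a constructed list of return values to hand back
    before behaving honestly again."""

    def __init__(self, reported):
        self.reported = list(reported)

    def get_chars(self, raw, memory, char_index):
        actual = super().get_chars(raw, memory, char_index)
        return self.reported.pop(0) if self.reported else actual


def _check_args(memory, index, count):
    # The public Read() check: correct on its own, as the post notes.
    if index < 0 or count < 0 or index + count > memory.buf_len:
        raise ValueError("index/count outside the buffer")


def read_chars_vulnerable(memory, index, count, decoder, stream):
    """Trusts the decoder: a negative count moves index before the buffer
    and grows `remaining`, so the next iteration writes through that
    offset into whatever sits next to the buffer."""
    _check_args(memory, index, count)
    remaining = count
    while remaining > 0:
        chunk = stream.read(1)
        if not chunk:
            break
        written = decoder.get_chars(chunk, memory, index)
        remaining -= written
        index += written
    return count - remaining


def read_chars_hardened(memory, index, count, decoder, stream):
    """Same loop, but the decoder's return value must stay within the space
    still available; anything else is rejected before the next write."""
    _check_args(memory, index, count)
    remaining = count
    while remaining > 0:
        chunk = stream.read(1)
        if not chunk:
            break
        written = decoder.get_chars(chunk, memory, index)
        if not 0 <= written <= remaining:
            raise ValueError(
                f"decoder reported {written} chars, expected 0..{remaining}")
        remaining -= written
        index += written
    return count - remaining


def demo(loop):
    """Run one loop over a constructed 5-char buffer; the decoder lies once."""
    memory = FlatMemory(["n0", "n1", "n2", "n3"], buf_len=5)
    decoder = UntrustedDecoder(reported=[-3])
    stream = BytesIO(b"ABCDEFGHI")  # constructed input bytes
    try:
        read, error = loop(memory, 0, 5, decoder, stream), None
    except ValueError as exc:
        read, error = None, str(exc)
    return {"read": read, "neighbour": memory.neighbour(),
            "buffer": memory.buffer(), "error": error}


if __name__ == "__main__":
    print("vulnerable:", demo(read_chars_vulnerable))
    print("hardened:  ", demo(read_chars_hardened))
```

In the vulnerable run the loop reports a perfectly normal result (five chars read) while three cells of the neighbouring object have been overwritten; the hardened run rejects the decoder's first wrong count before any further write lands. Validating the return value is the minimum: the model still hands the decoder a raw write position, and a bounded view of the destination would be the next hardening step.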
One thing is for sure though – the world is a bit safer with the discovery and patching of this one.

One final note: due to copyright reasons, we couldn’t check if the leaked Hacking Team archive has this exploit as well. We assume the security community which found the other zero-days in the Hacking Team leaks will also be able to check for this one.

If you’d like to learn how to write effective YARA rules and catch new APTs and zero-days, why not take our elite YARA training before SAS 2016? Hunt APTs with Yara like a GReAT Ninja (with trainers Costin Raiu, Vitaly Kamluk and Sergey Mineev). The class is almost sold out!

Kaspersky products detect the new Silverlight exploit as HEUR:Exploit.MSIL.Agent.gen.

Microsoft Security Updates January 2016

Happy New Year! Microsoft rings in the New Year with a new set of ten security bulletins, MS16-001 through MS16-010, patching 24 vulnerabilities with CVE identifiers. These bulletins affect Microsoft web browsers and plugins, Office software, Windows system software, and Exchange mail servers. Six of them carry a critical rating. The critical bulletins affect the following software:

- Silverlight Runtime
- Internet Explorer
- Microsoft Edge
- VBScript and JScript scripting engine
- Microsoft Office, Visio, and SharePoint
- Windows Win32k Kernel Components

Somewhat surprisingly, with over twenty vulnerabilities, Microsoft claims to be unaware of public exploitation of any of them at the time of reporting; however, they acknowledge at least three were publicly disclosed. Nonetheless, the urgency to patch remains, so please update your software. Of these, the Silverlight vulnerability CVE-2016-0034 (note that Mitre records the CVE as assigned on 2015.12.04) appears to be the most interesting and most risky, as it enabled remote code execution across multiple platforms for this widespread software, including Apple. But more of the IE, Edge and add-on related vulnerabilities also provide opportunity for mass exploitation. Don’t forget to return to Securelist soon for concrete perspective and upcoming posts detailing past and ongoing exploitation of these issues.

It’s also reassuring to see Microsoft security operations pushing the edges of improving TLS algorithms to encrypt web sessions and provide greater privacy. Even their Technet page for a summary of these bulletins provides TLS 1.2, implementing 3DES_EDE_CBC with HMAC-SHA1 and an RSA key exchange. But it looks like their research group hasn’t pushed forward their work on post-quantum resistant TLS key exchange (Full R-LWE Paper [pdf]), as “R-LWE in TLS”, into production. Tomorrow’s privacy will have to wait.

Malware on the Smart TV?

In a comment on Reddit this week, user “moeburn” raised the possibility of new malware circulating for Smart TVs:

My sister got a virus on her TV. A VIRUS ON HER GODDAMN TV. It was an LG Smart TV with a built in web browser, and she managed to get a DNS Hijacker that would say “Your computer is infected please send us money to fix it” any time she tried to do anything on the TV.

The Reddit post included this image:

We immediately got to work trying to figure out if this threat was targeting connected televisions specifically or whether this was an accidental infection. Trying to connect to the webpage mentioned in the URL from the photo does not work — the domain name does not resolve to an IP at the moment. We used our favorite search engine and found many hits while looking for the domain. Besides the host “ciet8jk” (ciet8jk.[maliciousdomain].com), 27 other hosts have been assigned to that domain name and pointed to the same IP address. The domain ***-browser-alert-error.com was registered on August 17th 2015. Two days later, an IP address was assigned:

It appears that there were just a few days when this scam was online and thus we’re sure the image from the TV is at least four months old. These kinds of attacks are nothing new, so we started looking for a server which is currently online to see what exactly the page tries to do. Unfortunately, we weren’t able to find a live page from that very source, but while searching for the alert message shown in the photo, we found similar domains used for the same scam. A few examples:

***sweeps-ipadair-winner2.com
***-browser-infection-call-now.com

The last domain listed is still online but there is no reply from the server. All the domain names mentioned have been blocked by Kaspersky Web Protection for several months. Interestingly, all the IPs belong to Amazon’s cloud (54.148.x.x, 52.24.x.x, 54.186.x.x). Although they used different providers to register the domains, they decided to host the malicious pages in the cloud.
This could be because it offers another layer of anonymization, because it’s cheaper than other providers, or because they were unsure about the traffic and needed something scalable.

Still unable to find a live page, we kept searching for parts of the alert message and one hit took us to HexDecoder from ddecode.com. This is a webpage that de-obfuscates scripts or entire web pages. To our surprise, all previous decodings were saved and are publicly viewable. This led to a decoded script and the original HTML file. The script checks the URL parameters and displays different phone numbers based on the location of the user.

Phone numbers:
DEFAULT (US): 888581****
France: +3397518****
Australia: +6173106****
UK: +44113320****
New Zealand: +646880****
South Africa: +2787550****

The JavaScript selecting the phone number was uploaded to Pastebin on July 29th 2015 and it includes all the comments that were also present in the sample we got from HexDecoder. This is another indicator that this is not a new threat.

Now having the right sample, we took a look on a test machine and got this result, which is quite close to what we can see in the image from the Smart TV:

The page loads in any browser and displays a popup dialog. As you can see above, it even works on Windows XP. If you try to close the dialog or the window, it will pop up again. We also ran the file on an LG Smart TV and got the same result. It was possible to close the browser, but it did not change any browser or DNS settings. Turning it off and on again solved the problem as well. It is possible that other malware was involved in the case reported on Reddit that changed the browser or network settings.

Keep in mind that you should never call those numbers!
You might get charged per minute or someone at the end of the line might instruct you to download and install even more malware onto your device.

So in this case, it’s not a new type of malware specifically targeting Smart TVs, but a common threat to all internet users. There are also reports that this scam has hit users on Apple MacBooks; and since it runs in the browser, it can run on Smart TVs and even on smartphones. These kinds of threats often get combined with exploits and may take advantage of vulnerabilities in the browser, Flash Player or Java. If successful, they may install additional malware on the machine or change the DNS settings of your system or home router, which may lead to similar symptoms. Such behaviour could not be observed in this case, since the malicious pages have already been removed.

Keep in mind, there might be vulnerabilities in the software on your TV! Therefore it’s important to check if your device is up to date. Make sure you have installed the latest updates for your Smart TV! Some vendors apply updates automatically, while others leave it to the user to trigger the update manually.

There is malware that works on Smart TVs, but it’s not really “in the wild” at the moment. There are several reasons why criminals focus on PC and smartphone users instead of Smart TVs:

- Smart TVs are not often used to surf the web, and users seldom install any app from web pages other than the vendor’s App Store, as is the case with mobile devices.
- Vendors are using different operating systems: Android TV, Firefox OS, Tizen, WebOS. Hardware and OS may even change from series to series, causing malware to be incompatible.
- There are by far fewer users surfing the web or reading email on the TV compared to PCs or mobile devices.

But remember, for example, that it’s possible to install an app from a USB stick. If your TV runs Android, a malicious app designed for an Android smartphone might even work on your TV.
In a nutshell, this case isn't malware specifically targeting Smart TVs, but be aware that such websites, as with phishing generally, work on any OS platform you're using. Keep your eyes open!

Eight Arrested In Eastern Europe Over ATM Malware Attacks

January 07, 2016

Tyupkin ATM trojan

Europol has announced the takedown of an international criminal group believed to be behind a series of ATM malware attacks dating back to at least 2014. Said to be one of the first operations of this type in Europe, it resulted in multiple house searches and arrests in Romania and the Republic of Moldova. Using malware dubbed Tyupkin, the suspects were allegedly able to empty cash from ATMs on demand following the successful installation of a trojan. Called "ATM jackpotting", the exploit allowed attackers to empty infected machines by issuing commands via the machine's PIN pad. The malware was identified in 2014 by Kaspersky Lab following a request from a financial institution to investigate multiple attacks in eastern Europe. At the time of the investigation, Kaspersky reported that it had found the malware on more than 50 ATMs at banks in eastern Europe, but based on listings at VirusTotal, it was convinced that the virus had been deployed in the US, India, China, Russia, Israel, France and Malaysia. However, according to a video posted on YouTube, the affected manufacturer may be NCR. We reported in March 2015 that the Russian Ministry of Internal Affairs had made the identification of the Tyupkin malware gang a priority as they targeted an increasing number of ATMs in the country. Kaspersky said that the attackers were able to install the malware via a bootable CD after gaining physical access to the PC inside the cash dispenser. The malware enabled users to check the amount of cash in each cash cassette in the machine and dispense up to 40 notes at a time. It also had its own security built in by requiring the user to enter a session key based on a random seed and a secret algorithm before it would accept any commands.
The criminal investigation was conducted by Romanian National Police and the Directorate for Investigating Organised Crimes and Terrorism (DIICOT), assisted by Europol, Eurojust and other European law enforcement authorities. Wil van Gemert, Europol's Deputy Director Operations, commented: "Over the last few years we have seen a major increase in ATM attacks using malicious software. The sophisticated cybercrime aspect of these cases illustrates how offenders are constantly identifying new ways to evolve their methodologies to commit crimes. To match these new technologically savvy criminals, it is essential, as it was done in this case, that law enforcement agencies cooperate with their counterparts via Europol to share information and collaborate on transnational investigations". This article originally appeared on SC Magazine UK.

Canadian Cyberthreats Differ From Those In The U.S.

January 06, 2016

Researchers at Trend Micro examined Canada's threat landscape, including malware and its dark web. The U.S. and Canada both see their fair shares of malware such as Dridex and other banking trojans, but there was one threat conspicuously absent from Canada's list of common threats: ransomware. While prominent in the U.S., ransomware is just not a thing north of the border, Trend Micro researchers revealed in its Canada threat landscape report. "For whatever reasons the market forces just aren't driving them in that direction," Christopher Budd, global threat communications manager at Trend Micro, told SCMagazine.com. Though the report didn't specify a reason for ransomware's absence, Budd hinted that cost-benefit analyses by cybercriminals could show that using ransomware may have a low yield because Canadians are not culturally attuned to falling victim to such attacks. Budd pointed out that ransomware attacks have worked their way around the globe, initially rising to prominence in New Zealand and the U.K., before cybercriminals used it to target Americans. So, it is possible that Canadians may be targeted more in the future, he said. OpenCandy (see chart at left) adware toolbar and Dridex malware are currently the most prominent threats in Canada. Cybercriminals in the U.S. influence the Canadian threat landscape by providing the infrastructure for hosting malicious content. And the majority of malicious sites that Canadians visit are predominantly hosted in the U.S.; malicious hosting in Canada simply isn't as sophisticated as it is in other countries. Underground toolkits and infrastructure services such as VPN services, botnet toolkits and DDoS services aren't widely found in Canada, the researchers said. And, the study showed, there is little market for violent crimes for hire in Canada's dark web. Budd said it's likely that cybercriminals look to the U.S.
for toolkits and infrastructure services, noting, “If you have a mature marketplace where you can buy what you need there's no need to build a new one.” The parts of the dark web hosted in Canada are primarily focused on the sale of fake and stolen documents and credentials such as driver's licenses, passports and dumps of personal information. 

BlackEnergy Drains Files From Ukraine Media, Energy Organizations

Malware writers are wiping hard drives of Ukrainian media outlets and energy companies using a cocktail of backdoors. Eset threat bod Anton Cherepanov says VXers are attacking the unnamed organisations with the BlackEnergy trojan's new KillDisk component, capable of destroying some 4000 different file types and rendering machines unbootable. The attackers are hitting specific files and documents journalists and staff are likely to have stored on their machines. Cherepanov says attackers have set a delayed execution for when the 35 file types will be erased, along with Windows logs and settings, and the miscreants are also overwriting a specific industrial control software executable. "ESET has recently discovered that the BlackEnergy trojan was recently used as a backdoor to deliver a destructive KillDisk component in attacks against Ukrainian news media companies and against the electrical power industry," Cherepanov says. The researcher also found a previously unknown SSH backdoor attackers used as an alternative to BlackEnergy for accessing infected systems. Build identity numbers suggest possible Russian links, but ESET avoids confirming the attribution. BlackEnergy was first discovered in 2007 and has undergone capability upgrades from a basic distributed denial of service attack malware to a polished modular trojan over the ensuing years. Targets in Ukraine and Poland have been attacked through known and unknown vulnerabilities and vectors, the company says. The attack software can install rootkits and defeat Windows' user access control and driver signing requirements. ®

Social Networks – A Bonanza for Cybercriminals

What do you think when you receive yet another spam or phishing message on your mobile phone? Most likely it is: "Who are these people, and how on earth did they get my phone number?" Initially, suspicion usually falls on an unscrupulous employee at some organization that you gave your number to. However, it's not uncommon for spammers and cybercriminals to use a database harvested from a social network using special software, rather than a "leaked" database of cellphone subscribers. Information security experts, including us, have for years reiterated: cybercriminals can make use of any information that you publish about yourself on a social network. However, a huge number of users still continue to share news and a plethora of personal information with their virtual friends as well as incidental onlookers. This may lead to unpleasant and, at times, unforeseen consequences. To show that this isn't just scaremongering, let me offer an example from the recent activities of our cybercrime investigation team.

A run-of-the-mill cybercrime

This autumn, we helped law enforcement agencies halt the activities of a small Russian cybercriminal gang that specialized in distributing Android malware and stealing money from online banking accounts. The group's plan of action was fairly straightforward: they used a database of cellphone numbers they already had to send short messages containing a link to a banking Trojan. If infected successfully, the mobile device became part of a botnet, and the Trojan began to search for information about any banking services used by the victim, collecting any data required to access them. The cybercriminals then had the relatively simple task of transferring the victim's money to their own accounts. It is interesting to note that none of the cybercriminals were professional programmers.
When people talk about hackers and stealing money, an image springs to mind of some corrupt programmer who writes malicious code and then uses it to infect the devices of unwitting users. This time, however, we are not talking about professionals with the relevant education and experience. Instead, we assume they spent just enough time on public hacking forums to garner the information and tools required to commit cybercrimes. One of the tools they employed is of particular interest: it is a parser program that harvests mobile phone numbers from public profiles on the popular Russian social network VKontakte. With the help of this tool, the cybercriminals created a database of cellphone numbers that was later used to send malicious messages. As far as we know, the social network was the sole source of information from which the cybercriminals harvested their data.

A post on a popular Russian hacker forum advertising an app to harvest the phone numbers of social network users

Russian cybercriminal forums (especially the open forums frequented by amateur fraudsters) have loads of adverts offering this type of software for sale or rent. It is capable of collecting and structuring all valuable information about users, including their first and last names, all published contact data and profile settings, not just mobile phone numbers. The availability of this information offers cybercriminals plenty of opportunities for fraud. The most obvious ways the gathered data can be used are: sending spam (including both advertising and malicious spam), stealing money through premium SMS services, and creating fake SIM cards. In less than a year the cybercriminals managed to steal an estimated 600,000 RUR (approximately $8,500). This is a relatively small amount compared to the millions stolen by larger, more advanced cybercriminal groups.
However, in this case it is not the amount of money stolen that defines the scope of the problem, but rather the number of similar non-professional cybercriminal groups that are conducting the same sort of activity. Judging by the user complaints that get posted on the support forums of online banks, dozens of these criminal groups appear to be operating.

Beyond Russia

The fact that these types of fraudulent activities mostly take place in Russia and neighboring countries does not mean there is nothing to fear for people living in other countries. For instance, the early banking Trojans for PCs and mobile devices mostly targeted users living in Russia. However, with time the Russian-language cybercriminals behind those Trojans either radically changed their target "audience" and switched to residents of other countries, or expanded it by creating versions that targeted the residents of other countries. The criminal group we are looking at used an application that collected the personal information of users from just one social network, VKontakte. However, there are offers on hacking forums for similar tools designed to collect data from other social networks, including Facebook and Instagram. So, it is quite possible that similar schemes exploiting data collected from public sources are already emerging in countries beyond the former Soviet Union, or are likely to emerge in the near future.

An advert posted on a popular Russian public hacking forum offering a parser program designed to harvest users' mobile phone numbers and other information from Instagram

The countries at most risk include those where pre-paid phone contracts are prevalent and various SMS services are popular, including those that allow bank card operations via SMS.

What to do?

In summary, we would like once again to urge users to publish as little information about themselves on social networks as possible.
In particular, do not publish your mobile phone number, or remove it if you have already published it. This will not completely eliminate the problem of cybercriminals harvesting users' personal information from social networks, but at least it prevents the easiest ways of stealing your money. If you or your family and friends use mobile banking services, you should also apply these basic security measures:

- Block installation of apps from third-party sources on the Android device you use for mobile banking;
- Set withdrawal limits for your bank account;
- Restrict or disable the sending of text messages to premium-rate numbers;
- Use a reliable security solution capable of protecting your device from infections.

If you should still fall victim to an attack and your money is stolen, contact the appropriate law enforcement agencies. It is important you do this, because we are seeing an ominous trend: the broad availability of various tools, including malicious ones, and the perceived anonymity of cybercrime create a false sense of security in cybercriminals, which is only exacerbated by the passive attitude of the victims. This encourages an increasing number of people to start acting as cybercriminals in the hope of easy gains. The more cybercriminals that are arrested for these illegal activities, the more obvious it will be that cybercrime doesn't pay, and those contemplating it will be less likely to start committing crimes on the web. This will help make the Web a safer place.

Riddle Of Cash-For-Malware Offer In New Raspberry Pi Computers

The Raspberry Pi Foundation was offered cash to smuggle malware onto its bargain-basement credit-card-size computers, we're told. Liz Upton, the Foundation's director of communications, today revealed an email from a "business officer" called Linda, who promised a "price per install" for a suspicious executable file. "Amazing. This person seems to be very sincerely offering us money to install malware on your machines," said Liz. The name of the company Linda claimed to represent was redacted, so we are unable to check the veracity of the offer. Plus the email, dated Wednesday, does contain a number of odd details, like writing exe. rather than .exe, and using "u" in place of "you." Some of the language also points to someone whose first language is not English.

Amazing. This person seems to be very sincerely offering us money to install malware on your machines. pic.twitter.com/1soL0MIc5Z
— Raspberry Pi (@Raspberry_Pi) December 23, 2015

It's fair to say Linda's approach wasn't exactly professional. However, the offer seems genuine, and it shines a light on the murky world of paid-for malware distribution. There are countless examples of software nasties being installed on systems via unrelated applications: toolbars and spyware bundled with legit-looking apps, mainly. Sometimes the developer directly plants the dodgy code, but more often than not the malware comes from a third party willing to pay for access to PCs and devices. While some malware is relatively benign and easy to remove, others severely compromise computers, allowing them to hold files to ransom, snoop on passwords, hide within operating systems, and so on. Some ad-injecting software nasties even come bundled with new PCs, right, Lenovo? More than five million Raspberry Pis have been sold to date, which is quite an install base. The Foundation declined Linda's offer, and described her company as "evildoers." ®

Java Plug-In Malware Alert To Be Issued By Oracle


Sneaky Skimmer Scam Stings Several Safeway Supermarkets

US grocery chain Safeway has confirmed that registers at several stores in California and Colorado had somehow been fitted with "skimmer" hardware to collect payment card information. According to a report from Krebs on Security citing investigators involved with the case, registers at two stores in northern California and five stores in Colorado were found to have been fitted with the skimming devices. Safeway believes these were unrelated incidents. The source of the devices is not known. The Krebs report noted that the Colorado discovery was only made after bank customers had reported unauthorized cash withdrawals, and that reports of the activity have been coming in since September of 2015. Safeway said that no card data had been stolen by either of the two skimmers in California, and that a total of three skimmers had been found in Colorado in November. "When our store teams find evidence of criminal activity like this, we have been able to pinpoint with surveillance video when the devices were installed and how many transactions were processed," Safeway said in a statement to The Register. "We immediately followed the proper protocol of contacting law enforcement and the banks that service the few cards that were used on those pin pads." Safeway is advising customers in Colorado to check their bank statements and report any unauthorized activity. Cash registers and sales terminals have become favorite targets for criminals looking to collect credit card information. Attackers use skimmers or specialized malware packages to collect and then upload card numbers and data for fraudulent transactions or bulk resale online. ®