Threat Intelligence

Multiple Apple iOS Zero-Days Enabled Firm To Spy On Targeted iPhone...

Victims of 'lawful intercepts' include human rights activists and journalists, researchers from Citizen Lab and Lookout say. Apple’s much-vaunted reputation for security took a bit of a beating this week with two separate reports identifying serious vulnerabilities in its iOS operating system for iPhones and iPads. One of the reports, from security firm Lookout and the University of Toronto’s Citizen Lab, details a trio of zero-day vulnerabilities in iOS, dubbed Trident, that a shadowy company called the NSO Group has been exploiting for several years to spy on targeted iOS users. The NSO Group is based in Israel but owned by an American private-equity firm. The company has developed a highly sophisticated spyware product called Pegasus that takes advantage of the Trident zero-day exploit chain to jailbreak iOS devices and install malware on them for spying on users. In an alert this week, security researchers at Citizen Lab and Lookout described Pegasus as one of the most sophisticated endpoint malware threats they had ever encountered.

The malware exploits a kernel base mapping vulnerability, a kernel memory corruption flaw and a flaw in Safari’s WebKit that together let an attacker compromise an iOS device by getting the user to click on a single link. All three are zero-day flaws, which Apple has addressed in its iOS 9.3.5 patch.

The researchers are urging iOS users to apply the patch as soon as possible. Pegasus, according to the security researchers, is highly configurable and is designed to spy on SMS text messages, calls, emails, logs and data from applications like Facebook, Gmail, Skype, WhatsApp and Viber running on iOS devices. “The kit appears to persist even when the device software is updated and can update itself to easily replace exploits if they become obsolete,” the researchers said in their alert. Evidence suggests that Pegasus has been used to conduct so-called ‘lawful intercepts’ of iOS owners by governments and government-backed entities.

The malware kit has been used to spy on a noted human rights activist in the United Arab Emirates, a Mexican journalist who reported on government corruption and potentially several individuals in Kenya, the security researchers said. The malware emphasizes stealth very heavily, and the authors have gone to considerable effort to ensure that its source remains hidden. “Certain Pegasus features are only enabled when the device is idle and the screen is off, such as ‘environmental sound recording’ (hot mic) and ‘photo taking’,” the researchers noted. The spyware also includes a self-destruct mechanism, which can activate automatically when there is a probability that it will be discovered. Like many attacks involving sophisticated malware, the Pegasus attack sequence starts with a phishing text—in this case a link in an SMS message—which when clicked initiates a sequence of actions leading to device compromise and installation of malware. Because of the level of sophistication required to find and exploit iOS zero-day vulnerabilities, exploit chains like Trident can fetch a lot of money in the black and gray markets, the researchers from Citizen Lab and Lookout said.

As an example, they pointed to an exploit chain similar to Trident that sold for $1 million last year. The second report describing vulnerabilities in iOS this week came from researchers at North Carolina State University, TU Darmstadt, a research university in Germany, and University Politehnica in Bucharest. In a paper to be presented at an upcoming security conference in Vienna, the researchers said they focused on iOS’ sandbox feature to see if they could find any security vulnerabilities that could be exploited by third-party applications.

The exercise resulted in the researchers unearthing multiple vulnerabilities that would enable adversaries to launch different kinds of attacks on iOS devices via third-party applications. Among them were attacks that would let someone bypass iOS’ privacy settings for contacts, gain access to a user’s location search history, and prevent access to certain system resources.
In an alert, a researcher who co-authored the paper said that the vulnerabilities have been disclosed to Apple, which is now working on fixing them.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

The Secret Behind the NSA Breach: Network Infrastructure Is the Next...

How the networking industry has fallen way behind in incorporating security measures to prevent exploits against ubiquitous routers, proxies, firewalls and switches. Advanced attackers are targeting organizations’ first line of defense—their firewalls—and turning them into a gateway into the network for mounting a data breach. On August 13, the shady “Shadow Brokers” group published several firewall exploits as proof that they had a full trove of cyber weapons. Whether intended to drive up bids for their “Equation Group Cyber Weapons Auction” (since removed), or to threaten other nation states, the recent disclosure raises the question: if organizations can’t trust their own firewalls, then what can they trust? Does the cache of cyber weapons exposed by Shadow Brokers signal a shift in attack methods and targets? We analyzed the dump and found working exploits for Cisco ASA, Fortinet FortiGate and Juniper SRX (formerly NetScreen) firewalls.

The names of the exploits provided by the Shadow Brokers match the code names described in Edward Snowden’s 2013 revelations of NSA snooping. The exploit names are not the only link to the NSA.

By analyzing the implementation of a cryptographic function, researchers at Kaspersky found the same encryption constant in malware attributed to the Equation Group (Kaspersky’s nickname for the NSA) and in the Python code from the latest breach.

Cyber Attacks with a Side of EXTRABACON

Researching one of the Cisco ASA exploits (dubbed EXTRABACON) in our lab, we found that it’s a simple overflow using SNMP read access to the device.

The additional payload bundled with the exploit removes the password needed for SSH or telnet shell access, providing full control over the appliance.

The payload can also re-enable the original password to reduce the chance that the attacker will be detected. The Python code handles multiple device versions and patches the payload for the version at hand.

This hints at the number of operations the group has run in the past, as the developers probably modified the exploit on a case-by-case basis. We ran the exploit against a supported version of a Cisco ASA in our lab multiple times and it didn’t crash once, showing the prowess of the exploit developers. Our attempt yielded a shell without password protection.

Networking Equipment in the Crosshairs

While the exploits themselves are interesting in their own right, no one is addressing the elephant in the room: attackers increasingly target network infrastructure, including security devices, as a means to infiltrate networks and maintain persistence. While the entire cybersecurity industry is focused on defending endpoints and servers, attackers have moved on to the next weak spot.

This advancement underscores the need to detect active network attackers, because they can certainly—one way or another—penetrate any given network. Persisting and working from routers, proxies, firewalls or switches requires less effort than controlling endpoints; attackers don’t need to worry that an anti-virus agent will detect an unusual process, and networking devices are rarely updated or replaced. Most networks have the same routers and switches from a decade ago. Plus, few forensics tools are available to detect indicators of compromise on networking devices, and attackers can gain an excellent vantage point within the network. Network device vendors have fallen behind operating system vendors in terms of implementing stronger security measures.

A wide range of networking equipment still runs single-process operating systems without any exploit mitigation enabled (Cisco IOS, I’m looking at you) or exhibits the effects of little to no security quality assurance testing.
In recent years, endpoint and mobile operating systems have incorporated security techniques such as address space layout randomization (ASLR), data execution prevention (DEP), sandboxes, and other methods that made life harder for every exploit writer.

The affected networking devices provide none of these security mechanisms, and it shows.

Not the First and Definitely Not the Last

The Equation Group breach is not the first example of highly capable attackers targeting network devices.

The threat actor behind last year’s Hacking Team breach leveraged a vulnerability in a VPN device to obtain full access to their internal network without any obstacles.

The attacker moved from the networking device to endpoints without using a single piece of malware, only taking what he needed from endpoints remotely or running well-known administrative tools.

This is a soft spot in every endpoint solution’s belly; a privileged attacker using credentials to access files is not considered malicious as long as he doesn’t use any malicious software. Notice that, as we stated earlier, the attacker, in the write-up posted on Pastebin, opted for an embedded exploit and not the other options, stating that it was the easiest one:

“So, I had three options: look for a 0day in Joomla, look for a 0day in postfix, or look for a 0day in one of the embedded devices. A 0day in an embedded device seemed like the easiest option, and after two weeks of work reverse engineering, I got a remote root exploit.”
As always, nation-state attackers are usually a step ahead of the entire industry on both the defensive and offensive sides. We will probably see the same methods employed by less sophisticated attackers as it becomes increasingly difficult to compromise endpoint devices and stay undetected. We have seen this happen before: cybercrime attackers stole techniques from the Equation Group, as well as from the Stuxnet, Flame and Regin malware and other APTs, and it will surely happen again with the Equation Group’s recently leaked exploits. In the meantime, here are four recommendations to help fortify network devices against attack.

Recommendation 1: Patch your network devices promptly. Replace network devices that have reached their end-of-support date.

Recommendation 2: Restrict access to device management addresses to the minimum required, and block any unneeded, seemingly benign protocols, including SNMP and NTP.

Recommendation 3: Manage your device passwords as you would your administrator accounts, periodically changing them and defining a different password for each device. Do not use a standard template for passwords. For example, the password Rout3rPassw0rd192.168.1.1 might seem strong, but after compromising one device the attacker will know all of the passwords.

Recommendation 4: Deploy a network monitoring solution that can profile users and IP-connected devices to establish a baseline of normal behavior and then detect unusual activity originating from network devices.

Attackers have no way of knowing what “normal” looks like for any given network, and network detection is the only generic way to stop attackers from compromising network devices.

Yoni Allon is responsible for leading the LightCyber research team in monitoring and researching cybercriminal and cyberwarfare actions and ensuring that the LightCyber Magna platform accurately finds these behaviors through its detectors and machine learning. Mr. Allon has ...
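Recommendations 2 and 4 above, and the SNMP precondition of the EXTRABACON exploit described earlier, can both be checked against flow records. The following is an added example, not code from the original article or from LightCyber; the flow format, the device and subnet addresses, and the learning window are constructed for the demo.

```python
"""Flow-record checks for Recommendations 2 and 4.

Added example, not code from the original article or from LightCyber. It
assumes a constructed flow format "timestamp,src,dst,proto,dport" and
made-up addresses: a firewall and a switch, a management subnet that alone
may reach their SNMP/SSH/telnet/NTP services, and a learning window of
flows the devices themselves initiated.
"""
import ipaddress
from collections import defaultdict

# Constructed inventory (hypothetical addresses).
NETWORK_DEVICES = {"10.0.0.1": "edge-firewall", "10.0.0.2": "core-switch"}
MGMT_NET = ipaddress.ip_network("10.10.5.0/24")
# The "seemingly benign" management-plane services the article says to restrict.
MGMT_SERVICES = {("udp", 161): "snmp", ("udp", 123): "ntp",
                 ("tcp", 22): "ssh", ("tcp", 23): "telnet"}


def parse_flows(text):
    """Parse constructed 'ts,src,dst,proto,dport' lines into dicts."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, proto, dport = line.split(",")
        flows.append({"ts": ts, "src": src, "dst": dst,
                      "proto": proto.lower(), "dport": int(dport)})
    return flows


def unauthorized_mgmt_access(flows):
    """Recommendation 2: a management service on a network device reached
    from outside the management subnet. SNMP reachability from an
    unexpected source is exactly the precondition EXTRABACON needs."""
    alerts = []
    for f in flows:
        svc = MGMT_SERVICES.get((f["proto"], f["dport"]))
        if (f["dst"] in NETWORK_DEVICES and svc
                and ipaddress.ip_address(f["src"]) not in MGMT_NET):
            alerts.append((f["ts"], f["src"], NETWORK_DEVICES[f["dst"]], svc))
    return alerts


def build_baseline(flows):
    """Recommendation 4: per-device set of (dst, proto, dport) the device
    itself initiated during a learning window."""
    baseline = defaultdict(set)
    for f in flows:
        if f["src"] in NETWORK_DEVICES:
            baseline[f["src"]].add((f["dst"], f["proto"], f["dport"]))
    return baseline


def device_anomalies(baseline, flows):
    """Connections a network device initiates that the baseline never saw.
    A firewall opening SMB to a desktop is what a compromised appliance
    used as a foothold does and a healthy one does not."""
    anomalies = []
    for f in flows:
        if f["src"] in NETWORK_DEVICES:
            key = (f["dst"], f["proto"], f["dport"])
            if key not in baseline.get(f["src"], set()):
                anomalies.append((f["ts"], NETWORK_DEVICES[f["src"]]) + key)
    return anomalies


# Constructed learning window: syslog, SNMP traps and NTP from the devices.
LEARNING_FLOWS = parse_flows("""
2016-08-20T00:01:00,10.0.0.1,10.10.5.50,udp,514
2016-08-20T00:01:05,10.0.0.1,10.10.5.50,udp,162
2016-08-20T00:02:00,10.0.0.1,10.10.5.10,udp,123
2016-08-20T00:02:10,10.0.0.2,10.10.5.50,udp,514
2016-08-20T00:03:00,10.0.0.2,10.10.5.10,udp,123
""")

# Constructed live window: one SNMP poll from the management net (fine),
# one SNMP poll from outside it, and the firewall opening SMB to a desktop.
LIVE_FLOWS = parse_flows("""
2016-08-21T09:00:00,10.10.5.20,10.0.0.1,udp,161
2016-08-21T09:00:30,203.0.113.9,10.0.0.1,udp,161
2016-08-21T09:01:00,10.0.0.1,10.10.5.50,udp,514
2016-08-21T09:05:00,10.0.0.1,10.20.3.44,tcp,445
""")

if __name__ == "__main__":
    for a in unauthorized_mgmt_access(LIVE_FLOWS):
        print("unauthorized management access:", a)
    for a in device_anomalies(build_baseline(LEARNING_FLOWS), LIVE_FLOWS):
        print("device-initiated anomaly:", a)
```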

Sharing Threat Intel: Easier Said Than Done

For cyber intelligence sharing to work, organizations need two things: to trust each other, and better processes to collect, exchange and act on information quickly. As cyberthreats become more sophisticated and expand to the Cloud and the Internet of Things, the sharing of meaningful threat intel between trusted organizations has become more critical than ever before. At Fortinet this year, our teams witnessed the benefits of info sharing first hand as part of a joint operation that helped INTERPOL and the Nigerian Economic & Financial Crime Commission uncover the head of an international criminal network. What did we learn? For one thing, these partnerships demonstrate the importance of the global threat intelligence research and analytics that security vendors can offer in dealing with cyberthreats.
In my opinion, security vendors have a responsibility to share threat findings with each other, as well as end-user advocacy groups.
It is essentially the best way to combat adversaries and assist law enforcement in fighting cybercriminals. Yet, serious challenges remain to the worthwhile goal of info sharing, even among classified, trusted networks. One of the major barriers to information sharing is the perception of liability.
In a 2014 Ponemon survey of over 700 IT security practitioners, 71% of respondents who participate in information sharing said that sharing improves their security posture.

But for organizations that don’t share, half pointed to “potential liability” as the principal reason for holding back. To get beyond these obstacles, two things must be in place: trust between organizations, and a process to receive and implement threat intelligence information quickly.

Trust but Verify

Not only do organizations need detailed protocols in place about what information can be shared, but they also need to trust the organizations with whom they are sharing, or the process being used to collect, process and exchange such information. Another major concern revolves around data privacy and protecting personally identifiable information (PII). How can you share information that provides details about an attack and attacker without having it be connected, even contextually, to customers, and thereby risk customer privacy and assume liability? Organizations have to rely on trusted partners who rigidly adhere to and enforce agreed-upon protocols, e.g. only sharing information related to the adversary, and anonymizing PII. Here are a few tips for developing trusted relationships:

Start with folks you know in your industry. Ask them their thoughts about threat sharing.

Join an ISAO (Information Sharing and Analysis Organization) or ISAC (Information Sharing and Analysis Center). These are groups focused on sharing threat intelligence relevant to a vertical, with established protocols and procedures best suited to an industry’s needs. Organizations like INTERPOL, the NATO Industry Cyber Partnership (NICP), and even regional organizations have active partnerships with vendors and industry leaders to collect and share threat data. For security vendors, participation in industry organizations such as the Cyber Threat Alliance (CTA) and the OASIS Cyber Threat Intelligence (CTI) group makes everyone safer.

Meet people in person. Trust is a slow process, and few things work better than meeting with peers over dinner or drinks to establish a rapport. There are dozens of industry-related conferences, local meet-ups and user groups designed to bring folks together.

As Ronald Reagan famously said, “Trust, but verify.” Sharing and receiving critical security information requires constant monitoring. Are you sharing critical information but receiving junk? Is data being appropriately anonymized? Are you receiving the same data you shared? Keeping everyone honest is critical for maintaining a trusted relationship.

Rapid Processing

A common critique of many information-sharing services is that they are slow and unreliable.

For sharing to work, organizations need to be able to receive, process and implement threat intelligence information quickly.

They also need to ensure that any threat intelligence they share is immediately useful. Actionable information is the best way to move from being reactive to proactive.
It allows organizations to move from simply stopping attacks to actually catching cybercriminals.

Developing and sharing truly actionable intelligence requires the efforts of a trained security team on the part of the organization developing that information, as well as on the part of the users or organizations consuming it. While many organizations are actively engaged in collecting as much data as they can from a variety of sources — including their own — much of the work in processing, correlating and converting it into policy is still done manually.

This makes it very difficult to respond to an active threat quickly, or share timely and actionable information.
Ideally, the consumption, processing and correlation of threat intelligence is automated. Security vendors also need to automate the sharing of threat intelligence information – and not just with outside entities. Many organizations are still struggling to share threat intelligence between deployed security devices or even between different team members.

Automation ensures that time-sensitive threat information immediately reaches all stakeholders so it can be shared in real time and acted on. Trusted sharing, even with a known partner or community, is easier said than done. When evaluating your security landscape, consider the characteristics of network design that will securely facilitate the receiving and sharing of threat intelligence.

Given that the time to compromise for today’s attacks continues to shorten, it is essential that we begin to automate as much of the process as possible — including time-sensitive activities such as sharing, consuming and correlating intelligence, and distributing updated policies.

Derek Manky formulates security strategy with more than 15 years of cyber security experience behind him. His ultimate goal is to make a positive impact in the global war on cybercrime. Manky provides thought leadership to industry, and has presented research and strategy ...

AT&T, IBM, Palo Alto Networks, Symantec, Team Up In IoT Security

IoT Cybersecurity Alliance is made up of AT&T, IBM, Nokia, Palo Alto Networks, Symantec, and Trustonic.

Attackers Exploit Weak IoT Security

Akamai researchers say attackers are using an old OpenSSH vulnerability to target IoT devices and launch attacks. While the Internet of Things is touted for facilitating all sorts of life-changing services, there's been an undercurrent of anxiety among the more security conscious IT pros.

Their concern: All those smart devices, oftentimes built with default passwords and otherwise poor protection, could put networks and users at risk. Now it's clear those fears were warranted. Recent events have put the spotlight on IoT security – or to be more precise, IoT insecurity. Malware has surfaced that allows attackers to create botnets from vulnerable IoT devices and launch distributed denial-of-service attacks.

For example, Mirai was used in last month's high-profile DDoS attack on the KrebsOnSecurity website. In September, Symantec reported that cybercriminals are taking advantage of poor IoT security to hijack home networks and consumer devices and carry out DDoS attacks, most often against large companies. See the full article here on Network Computing. Marcia Savage is the managing editor for Network Computing, and has been covering technology for 15 years.
She has written and edited for CRN and spent several years covering information security for SC Magazine and TechTarget. Marcia began her journalism career in daily ...

Another Massive DDoS Closes Out 2016, But Mirai Not To Blame

Using a new malware variant called Leet, the 650 Gbps DDoS attack matched Mirai's floods of traffic. This past year has been one for the record books when it comes to distributed denial of service (DDoS) attacks, so it is only proper that 2016 closes out with news of another massive DDoS attack, reported by Imperva researchers.

According to them, the Imperva Incapsula network was forced to mitigate a 650 Gbps DDoS attack just a few days before Christmas. One of the largest DDoS attacks on record, this particular assault is notable because it strayed from the bad guys' recent DDoS playbook.

For much of the year, attackers have been testing the bounds of DDoS traffic-pushing capabilities using the advanced Mirai botnet, which consists of hijacked IoT devices.

This time around, Imperva researchers say the holiday attack came at the hands of a new malicious network it calls Leet Botnet. Earlier this fall, Mirai was behind the 620 Gbps attack against KrebsOnSecurity.com, a 990 Gbps attack against French hosting provider OVH that reportedly utilized a network that could have been capable of pushing up to 1.5 Tbps in malicious traffic, and the massive DDoS in October against DNS provider Dyn that reached an estimated 1.2 Tbps in malicious traffic.

To pull off these attacks, Mirai primarily relied on tens of thousands of IoT devices, most of which were compromised CCTV cameras and DVR machines. Imperva researchers report that spoofed IPs make it impossible to figure out what kind of devices carried out the Christmas attack.

Their analysis of the payload does at least lead them to conclusively determine it was another botnet wreaking havoc. "So far, all of the huge DDoS attacks of 2016 were associated with the Mirai malware," wrote Avishay Zawoznik and Dima Bekerman of Imperva. "However, the payload characteristics clearly show that neither Mirai nor one of its more recent variants was used for this assault." Like many recent DDoS attacks, the Leet Botnet used a combination of both large and small SYN packet sizes "to both clog network pipes and bring down network switches," the pair wrote.

The smaller packets were used to push packet rates past 150 million packets per second (Mpps), while the larger ones were used to increase the overall attack capacity.
Imperva dubbed the botnet Leet because of a 'signature' left in the TCP options of some of the smaller packets that spelled out "1337." What really interested researchers, though, was Leet's larger payloads, which were populated by shredded lists of IP addresses, indicating that Leet was accessing local files on compromised devices and scrambling them to generate its payloads. "Basically, the entire attack was just a mishmash of pulverized system files from thousands upon thousands of compromised devices," Zawoznik and Bekerman wrote. "It makes for an effective obfuscation technique that can be used to produce an unlimited number of extremely randomized payloads. Using these payloads, an offender can circumvent signature-based security systems that mitigate attacks by identifying similarities in the content of network packets." This year we saw DDoS attacks escalate to record heights, and these high-powered botnets are a symptom of the times.

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.
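The two traits Imperva describes, the "1337" marker in the options of the small SYN packets and large payloads made of shredded IP-address lists, can be checked directly against captured TCP segments. The following is an added example, not code from the original article or from Imperva; the size thresholds, the shredded-payload heuristic and the sample segments are constructed for the demo.

```python
"""Leet-style SYN flood triage over raw TCP segments.

Added example, not from the original article or Imperva. It parses the TCP
header, pulls out the raw options bytes, and checks for the traits the
article describes: a "1337" marker in the options of the small packets,
and large packets whose payload looks like shredded IP-address lists.
Thresholds and sample segments are constructed for the demo.
"""
import struct

SMALL_MAX = 100   # bytes; constructed threshold for "small" packets
LARGE_MIN = 800   # bytes; constructed threshold for "large" packets
SYN, ACK = 0x02, 0x10


def parse_tcp(segment):
    """Split a TCP segment (no IP header) into header fields, options, payload."""
    if len(segment) < 20:
        raise ValueError("segment shorter than minimum TCP header")
    sport, dport, seq, ack, off_res, flags, window, csum, urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    doff = (off_res >> 4) * 4          # data offset is counted in 32-bit words
    if doff < 20 or doff > len(segment):
        raise ValueError("bad data offset %d" % doff)
    return {"sport": sport, "dport": dport, "flags": flags,
            "options": segment[20:doff], "payload": segment[doff:]}


def shredded_ip_score(payload):
    """Fraction of payload bytes that are digits, dots or line breaks.

    Constructed heuristic: a payload built by chopping up IP-address lists
    is dominated by those characters; ordinary application data is not.
    """
    if not payload:
        return 0.0
    allowed = set(b"0123456789.\r\n")
    return sum(1 for b in payload if b in allowed) / len(payload)


def classify(segment):
    """Per-segment verdict on the Leet traits the article describes."""
    tcp = parse_tcp(segment)
    size = len(segment)
    if size <= SMALL_MAX:
        size_class = "small"
    elif size >= LARGE_MIN:
        size_class = "large"
    else:
        size_class = "medium"
    return {
        "syn_only": bool(tcp["flags"] & SYN) and not (tcp["flags"] & ACK),
        # the marker is searched in the raw option bytes, not in decoded kinds
        "leet_marker": b"1337" in tcp["options"],
        "size_class": size_class,
        "shredded_payload": (len(tcp["payload"]) >= 200
                             and shredded_ip_score(tcp["payload"]) >= 0.8),
    }


def summarize(segments):
    """Count the traits across a capture as a quick triage summary."""
    counts = {"total": 0, "syn_only": 0, "leet_marker": 0,
              "small": 0, "medium": 0, "large": 0, "shredded_payload": 0}
    for seg in segments:
        v = classify(seg)
        counts["total"] += 1
        counts["syn_only"] += int(v["syn_only"])
        counts["leet_marker"] += int(v["leet_marker"])
        counts[v["size_class"]] += 1
        counts["shredded_payload"] += int(v["shredded_payload"])
    return counts


def build_syn(options=b"", payload=b"", dport=80):
    """Construct a SYN segment; options are NOP-padded to a 32-bit boundary."""
    options += b"\x01" * (-len(options) % 4)
    doff_words = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH", 40000, dport, 0x1234, 0,
                         doff_words << 4, SYN, 65535, 0, 0)
    return header + options + payload


# Constructed sample capture: two Leet-style segments and one ordinary SYN.
LEET_SMALL = build_syn(options=b"1337")
LEET_LARGE = build_syn(options=b"1337", payload=b"192.168.1.1\n10.0.0.2\n" * 45)
NORMAL_SYN = build_syn(options=b"\x02\x04\x05\xb4")        # MSS = 1460
SAMPLE_SEGMENTS = [LEET_SMALL, LEET_LARGE, NORMAL_SYN]

if __name__ == "__main__":
    for name, seg in (("leet_small", LEET_SMALL), ("leet_large", LEET_LARGE),
                      ("normal", NORMAL_SYN)):
        print(name, classify(seg))
    print(summarize(SAMPLE_SEGMENTS))
```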

New Book Traces Obama Strategy To Protect America From Hackers, Terrorists...

A review of Charlie Mitchell's 'Hacked: The Inside Story of America's Struggle to Secure Cyberspace.' Hardcover, 320 pages. Published June 20th 2016 by Rowman & Littlefield Publishers.

One of the most pressing issues in cybersecurity policy is the question of jurisdiction. Who should secure cyberspace from rogue hackers, terrorists, and nation-states? Is it the responsibility of the government, the private sector, or both? In his recent book, Hacked: The Inside Story of America’s Struggle to Secure Cyberspace, Charlie Mitchell traces how that question has been answered in the Obama administration, mapping recent attempts by the government and industry to cooperate on the issue. Towards the end of his second term, President Bush began to explore the issue of cybersecurity, and the Obama administration picked up where he left off, except that the forty-fourth president, hoping not to stifle economic growth by putting undue burdens on corporations, was less inclined to use regulation as a security mechanism than his predecessor. Hoping for a more voluntary approach, the administration attempted to partner with the private sector, and the two aspects of that partnership that Mitchell highlights are cybersecurity standards and information sharing. After Congressional failure to pass cyber legislation (a constant theme throughout the book), the White House decided to take the lead, and in 2013 the President issued an executive order based on government and private sector collaboration. The most significant example of such collaboration was the National Institute of Standards and Technology (NIST) cybersecurity framework creation process.

The executive order tasked NIST with developing a framework of “voluntary standards” for cybersecurity in collaboration with the tech industry.

Both sides met and discussed the framework at a series of conferences at various college campuses across the country. The basics of the framework included “five core functions: know, prevent, detect, respond, and recover… It would also include three framework implementation levels.” It also included a list of other issues that NIST officials hoped industry leaders would consider, including “improving authentication” and “bolstering the cybersecurity workforce.” The process was constantly threatened by business leaders’ fears that the framework (specifically the metrics used to measure adoption of the framework) would devolve into regulation; accordingly, the three implementation levels were changed to four “tiers.” The Framework was released in 2014 to positive reviews from the business community, but the media and security experts had less enthusiastic takes. Information sharing, another area of collaboration highlighted by Mitchell, refers primarily to the flow of information about cyber threats between the government and private industry. Laws and national security considerations limit the sharing ability of the federal government, and concerns about liability and government punishment inhibit industry sharing with the government. Hacked follows the twisted path that information-sharing legislation takes through Congress and explores how Washington strives to foster increased information sharing between the two parties.

A number of bills are proposed in the House during Obama’s second term with different approaches to information sharing, especially concerning who in the government information should be shared with: the Department of Homeland Security, the NSA, or multiple government agencies. Mitchell spends most of his time not on the specifics of the bills but on the excruciatingly difficult and long process that the House and the Senate take to pass them.

Cybersecurity legislation is repeatedly passed over because of looming elections, government shutdowns, squabbles between Republicans and Democrats, the budget, immigration, and the Iran nuclear deal.

Even when it is brought up, it is constantly assailed by privacy advocates such as the ACLU. Mitchell closes the book with musings on the future of cybersecurity in the United States. Questions still exist about whether the voluntary approach favored by the Obama administration has staying power, especially when a new president takes office this January. Restructuring at the federal government level, especially within Congress and the bureaucracy is also necessary to deal with the cyber threat more efficiently, and he warns against seeing information-sharing as an end in itself instead of part of a larger cyber strategy.

The private sector, especially the insurance community, has made great strides in security, but the government still struggles to provide adequate incentives for companies to invest in it, and time will tell whether the government or private industry will take the lead in cybersecurity development in the future. Mitchell ends by stating that “cybersecurity, and cyber threats, are now a permanent feature of the governing, political, and economic landscape,” that the dangers they pose will not disappear, and that any response to them must be based on this fundamental fact.

Though a bit dry at times, Hacked is a must-read for anyone seeking greater familiarity with this essential element of national security, which will only grow in importance in the coming years.

Wilson Alexander is a writer passionate about national security and international relations, as well as how technology shapes human life around the globe. He has written for Taylor University's The Echo and presented papers at the Butler Undergraduate Research Conference and ...

Democrats And Republicans Join In Demand For Select Cyber Panel

Four senators push Mitch McConnell for a select committee on foreign cyber threats and Russian interference in the US presidential polls. Four US senators have written to Majority Leader Mitch McConnell to set up a select committee on cybersecurity with two goals – a “top to bottom” review of Russia’s involvement in the recent presidential polls, and determining a strategy towards cyberwarfare, a POLITICO report says.

This call, also made through TV shows and press meets, comes even as McConnell has emphasized this to be the responsibility of the Senate Intelligence Committee. Republicans John McCain and Lindsey Graham have collaborated with Democrats Chuck Schumer and Jack Reed to write this letter despite Donald Trump’s dismissal of allegations that Russia interfered in the elections.

They wrote, "Democrats and Republicans must work together, and across the jurisdictional lines of the Congress, to address this unique challenge." An open hearing on Russia’s involvement is scheduled for next month by the Senate Foreign Relations Committee, but the four senators believe too many committees will not do the job. “We want to find out what the Russians are doing to our political system and what other foreign governments might do to our political system, and then figure out a way to stop it. Only a select committee can do it,” Schumer said to the press. Read more here. Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.

HD Moore Joins Research-Driven Consulting Firm

Metasploit creator joins Atredis Partners.

Malware Used In DNC Breach Found Tracking Ukraine Military

Russian 'Fancy Bear' now tied to Ukraine artillery Android app hack with the same malware used in breach of the Democratic National Committee. Forget that 400-pound hacker sitting on his bed somewhere.
Security researchers have discovered yet another link between the Russian military and the hack of the Democratic National Committee (DNC): this time, in an Android app used by Ukraine's military. Security firm CrowdStrike, which previously had identified a Russian nation-state cyber espionage unit as the perpetrator behind the DNC data breach and leak of emails and other information in the run-up to the US presidential election, recently found the so-called Fancy Bear hacking team's signature spying malware embedded in an Android app originally created by a Ukrainian artillery officer to help calibrate field artillery operations in the battle against Russian forces. The Android version of the so-called X-Agent backdoor malware is able to track the location of Ukrainian artillery forces, and can hijack communications from the mobile devices running the malware.

Crowdstrike found that X-Agent from late 2014 through 2016 had been surreptitiously injected into the legitimate app used by Ukrainian military to streamline the previously manual process of configuring their older Soviet-era D-30 Howitzer weapon systems, reducing the time to set a target from minutes to under 15 seconds.

The app was available via various online forums and is used by more than 9,000 Ukrainian artillery soldiers. Dmitri Alperovitch, co-founder and CTO of Crowdstrike, says the discovery provides "more conclusive" evidence of a connection between Fancy Bear and the GRU, Russia's military intelligence arm. "And it shows fascinating ways that Russia is using cyber to achieve an effect on the battlefield in Ukraine," he says. A Windows version of X-Agent was used in the DNC hack, allowing the attackers to remotely control the organization's servers and to steal documents and data, such as the internal emails that were later leaked online.

Crowdstrike also has seen iOS versions of the malware, all of which have only been used by Fancy Bear. "The source code is not publicly available, and we've never seen it before in any public or private" forum, Alperovitch says, which led Crowdstrike to conclude X-Agent is the handiwork of Fancy Bear. "We have high confidence that it's evident that whoever did the DNC hack is very closely and operationally linked to the Russian military, and most likely, the GRU," he says.

Crowdstrike's new report comes amid a dispute between the incoming administration and the CIA and FBI, which have concluded that Russia was behind the DNC and other hacks and leaks in an effort to influence the outcome of the US presidential election. President-Elect Donald Trump has repeatedly dismissed reports from the US intelligence and cybersecurity communities that Russia was behind the DNC hacks, maintaining instead that it could be anyone behind the breaches, including "somebody sitting on their bed who weighs 400 pounds." Alperovitch says that with the same group of hackers targeting the Ukrainian artillery and the DNC, the source is obvious: "One would have to ask the question, who would have an interest in that? It inevitably comes back to the Russian government," he says.

The Cyber Battlefield

The hijacked Android app basically lets Ukrainian artillery soldiers automate the process of determining settings for the older Howitzer weaponry, such as wind speed and elevation, in order to operate them more accurately and rapidly. "It was a pen-and-paper process that took minutes [to set up] before you could fire," Alperovitch says.

The app lets them plug in the coordinates, and it calculates the settings automatically. "Russia backdoored the app with X-Agent, giving them the location of anyone using the app" so that they could engage them militarily, he says. According to Crowdstrike's report, publicly sourced reports show that Ukrainian artillery forces have suffered some major losses in the conflict with Russia. "Open source reporting indicates that Ukrainian artillery forces have lost over 50% of their weapons in the 2 years of conflict and over 80% of D-30 howitzers, the highest percentage of loss of any other artillery pieces in Ukraine's arsenal," the report said. "It's interesting that cyber is now migrating this way to the battlefield," Alperovitch says, and it's a "sign of more to come."

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

RSA's Yoran Says Firm's Mission Remains Unchanged In Dell-EMC Merger

RSA remains in full charge of its destiny, RSA president Amit Yoran says. With RSA this week officially joining Dell Technologies as part of the giant merger between Dell and EMC announced last October, executives from the security firm were quick to reassure customers that it would be business as usual for them. In a press conference Thursday morning, RSA president Amit Yoran stressed that the company will continue to have full brand autonomy under Dell Technologies and also the ability to maintain its own partner programs and ecosystems. "Customers should expect to see business as usual," Yoran said. "We will continue to execute on this notion of business driven security," while leveraging Dell's capabilities and market presence, he said.

Dell Inc. this week announced that it had formally completed its giant $67 billion acquisition of RSA parent EMC Corp. about 11 months after it first announced the deal last October. The unified company, called Dell Technologies, is the world's largest privately owned technology firm, with revenues of $74 billion, some 140,000 employees and 98% of Fortune 500 companies as its customers. It has claimed the market leadership position in nearly two-dozen technology market segments. The newly merged entity offers a huge portfolio of technology products from a wide range of vendors including Dell, EMC, VMware, RSA, SecureWorks, and Virtustream.

For RSA, the integration with Dell takes it one more step away from its roots as an independent security vendor. EMC acquired the company in 2006 and it has been operating as a subsidiary of the Hopkinton-based storage vendor since then. As part of Dell, expect to see RSA continue to expand on its concept of a business-driven security model, Yoran said. The goal is to help organizations enable IT business transformation in a secure way, he said. "RSA remains an absolutely focused entity in control of our own destiny," he said. "Our mission remains unchanged. We have encouragement and autonomy to continue to pursue that," under Dell. All changes to product strategies, sales models, customer support, and resource management will remain fully in RSA's control, he said in a separate blog post. Yoran will report to David Goulden, CEO of Dell's EMC Infrastructure unit.

Grant Geyer, senior vice president of products at RSA, said the company's strategy remains focused on three key technology areas. One of them is enabling businesses to get greater visibility over their endpoint devices, networks, and cloud infrastructure via technology from NetWitness, a company that EMC acquired in 2011. The second area of focus is identity management, where RSA's SecurID technology will play a critical role in helping organizations mitigate security risks related to issues like user authentication and access control to on-premise and cloud-based IT assets. RSA's third major focus area is risk management and security analytics, where the company will leverage its Archer governance, risk management and compliance platform.

Despite the upbeat assessments of the future from Yoran and Geyer, RSA faces challenges as a Dell subsidiary. Dell Technologies, for instance, already has one fairly major security company in its technology stack in the form of SecureWorks. With RSA joining the ranks, both security outfits will need to find a way to minimize product overlap while leveraging each other's specialties to fill gaps in their respective product lines. RSA will also have its work cut out harmonizing and eliminating overlap between some of its products and those in VMware's technology stack. It is an area of focus for RSA and one that is already under active discussion, according to Yoran, who did not elaborate further.

It will be interesting to see how RSA leverages the synergies between VMware and SecureWorks, says Doug Cahill, an analyst with Enterprise Strategy Group. "I don't see this merger as affecting RSA customers in the near term as most are likely to adopt a 'wait and see' posture," he says. "But in the mid- to long-term, RSA should be able to leverage the flexibility of being a privately held company to execute at a greater velocity," he says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

France's Online Criminal Underground Built On Foundation Of Distrust

French criminals seeking black market goods and services -- cyber and otherwise -- have to look in darker shadows and work harder to prove their felonious credibility. Criminals in North America needn't always go as far as the Deep or Dark Web looking for weapons, drugs, stolen identities, or malware kits; those can often be found on the open web.

And while these marketplaces certainly aim for criminal buyers, they're often penetrated by amateurs and even law enforcement.

According to a new report by Trend Micro, things are very different in France. The French underground is a comparatively small operation -- only about 40,000 individuals strong, according to estimates by the Gendarmerie Nationale and Police Nationale.

The small size, however, may be a deliberate function of the fact that it's so hard to crack into, and even those inside the community often work mostly alone. "French cybercriminals are very cautious," Trend Micro threat researcher and author of the report Cedric Pernet says, "because they are frightened by both law enforcement agencies which might be working on trying to catch them and the other cybercriminals who might scam them."

The French underground exists only on the Dark Web, say researchers, and access is vigorously restricted through a system of vetting, reputation-based controls, membership programs, and "halls of shame" where anyone exercising dishonor amongst thieves will be blasted. Shaming is also for competitors, and sometimes the dog-eat-dog world gets so nasty that marketplace operators commit cyberattacks against each other, with little regard for their own customers. Researchers cite one example: the administrator of marketplace A -- knowing that some of its customers also patronized marketplace B -- took its own members' credentials and used them to hack into marketplace B and steal Bitcoins. (This ultimately backfired.)

Full access to forum services is often allowed only after obtaining a high enough reputation score -- proving one's criminal mettle with each "incriminating post or successful fraudulent transaction," as the report explains. Even then, trust is wary and security is paramount. Members of the French underground generally use encrypted communications and accept payments only through Bitcoins or prepaid card services that require no identity information. Payments are also generally done through escrow services that take a 5% to 7% cut (one marketplace had a semiautomatic escrow system with two-factor authentication and took only 4%), and some will restrict further purchases until payment has cleared for initial purchases. "I feel the situation was different some years ago, before Bitcoin appeared," Pernet says.

Bitcoin makes it easier for marketplaces to handle money, says Pernet. "Therefore, it is also easier to be scammed by marketplace administrators who might run away with all the money. Add some wars between different marketplaces and you have quite a pretty good feeling on why they are paranoid. The hack of the whole database of one of the biggest marketplaces last year also made them think how vulnerable they are, and enforced the use of encrypted communications even in private messages on marketplaces."

Many sellers also cut out the marketplace operator and instead run "autoshops" -- sites maintained by individual providers who deal directly with buyers.

Autoshops are so common that there are even autoshop creation services that provide CMSes and domain registration. Even the products themselves slant towards the stealthy. In addition to stolen credentials and locally produced ransomware, there is a niche market for small, easily hidden or disguised weapons -- including pen guns, brass knuckles, and flexible knives shaped like credit cards.

Also popular are fake bills for use in sale fraud, fake car registrations for use in the sale of stolen automobiles, and bank account opening services. Working in the French underground isn't an entirely friendless endeavor, though. "When it comes to making a lot of money illegally, few people have all the required skillset to do it all by themselves," says Pernet. So, at least in some cases, "they need to partner/team up."

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...