
Tag: Reconnaissance

7 Ways Hackers Target Your Employees

One employee under reconnaissance by cyberattackers can put your whole business at risk. Where are they being targeted, and what should they know?

Someone is putting lots of work into hacking Github developers

Dimnie recon trojan has flown under the radar for three years ... until now.

This blue-sky image of Pluto is absolutely stunning

Pluto’s surface features become clear at the terminator, under the twilight Sun.

Nominee for top intelligence post “shocked” by Indian satellite launch

"We’ve seen now 11 nations that have the capacity to launch instruments into space.”

Cyber-Reconnaissance Malware Bugging Computers in Ukraine

NEWS ANALYSIS: Industrial security company CyberX finds malware, which it suspects was created by Russian hackers, infecting computers and gathering audio data at critical infrastructure sites in Ukraine.

Fun, games, and security: WarCollar’s DopeScope and Booby Trap

It’s all fun and games until someone loses a password.

RiskIQ Deepens Digital Threat Mitigation Capabilities with Acquisition of Maccabim

Increase in Brand Abuse, Malvertising, Spearphishing, Spoofing Requires More Automated Digital Threat Triage, Legal Coordination and Response

London, UK – January 24, 2017 — RiskIQ, the leader in digital threat management, today announced that the company has completed the acquisition of brand threat project management company Maccabim.com Ltd and has appointed Jonathan Matkowsky, its founder, to vice president of intellectual property and brand security. With the acquisition of Maccabim, RiskIQ expands its threat mitigation technology, including dispute resolution proceedings and takedown functions, to expedite brand governance processes.

According to Forrester Research, takedown capabilities are the second most sought-after feature of surveyed digital risk monitoring (DRM) customers.

DRM vendors routinely interact with cyber, fraud, and compliance stakeholders at major digital channel providers, along with registrars and registry operators.

These frequent interactions reduce the time it takes to submit and complete related requests.
In specific cases, DRM vendors establish technical partnerships that expedite their submissions.*

“Enterprises must be able to identify and validate brand abuse across web, social and mobile channels, and also have means to efficiently respond to preempt and moderate damage,” said Elias Manousos, co-founder and CEO of RiskIQ. “Jonathan brings a wealth of expertise and experience that will fortify our market leading threat mitigation capabilities and we welcome him to our team.”

“The enormity of online brand and domain infringement is staggering and affects a broad spectrum of a business’s intangible assets. This requires organisations and their legal counsel to advance tools and processes in order to better systematically uncover and counter digital exploits,” said Jonathan Matkowsky, vice president of intellectual property and brand security. “I am incredibly thrilled to be a part of RiskIQ which has the technology, vision and passion to help customers defend their online brand, intellectual property and reputation in a constantly evolving digital threat landscape.”

Matkowsky has been a pioneer in the threat remediation space with focus on internet security and brand protection. Maccabim, under the leadership of Matkowsky, offered an online project management system to facilitate threat data, legal case and takedown processes. Matkowsky brings 17 years of combined trademark and internet law experience to RiskIQ, and is an active member in numerous industry consortiums.

*The Forrester Wave™: Digital Risk Monitoring, Q3 2016, Forrester Research Inc, September 28, 2016

About RiskIQ

RiskIQ is the leader in digital threat management, providing the most comprehensive discovery, intelligence, and mitigation of threats associated with an organization’s digital presence. With more than 80 percent of attacks originating outside the firewall, RiskIQ allows enterprises to gain unified insight and control over web, social, and mobile exposures.

Trusted by thousands of security analysts, RiskIQ’s platform combines advanced internet data reconnaissance and analytics to expedite investigations, understand digital attack surfaces, assess risk, and take action to protect business, brand, and customers.

Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners, and MassMutual Ventures.
Visit RiskIQ.com or follow us on Twitter. Try RiskIQ PassiveTotal for free by visiting www.riskiq.com/whats-new-passivetotal.

Media Relations
Anna May
Atomic PR
riskiq@atomicpr.com
+44 (0)203 861 3816

Thanks, Obama: NSA to stream raw intelligence into FBI, DEA and...

Gee, what a lovely parting gift by outgoing US prez

A last-minute rule change signed off by the outgoing Obama administration has made it much easier for the NSA to share raw surveillance data with more than a dozen government agencies. The changes [PDF] are tacked onto executive order 12333, which was enacted by then-President Ronald Reagan to allow intelligence agencies to share information on non-US nationals.

The new rules will allow the NSA to share unfiltered signals intelligence with other members of the intelligence community if it is deemed necessary. "The procedures permit IC [intelligence community] elements to have access, under appropriate conditions, to the unevaluated or unminimized (ie, 'raw') signals intelligence (SIGINT) information that the NSA collects pursuant to EO 12333, thus enabling elements to bring their own analytic expertise to reviewing that information and to use that information in support of their own missions," the office of the Director of National Intelligence explained today. "The procedures therefore provide an important mechanism for enhancing information sharing, integration, and collaboration in the IC." Under the terms of the changes – which were signed off by outgoing US spymaster James Clapper and the Attorney General Loretta Lynch – the NSA can now pass on information to the other 15 organizations that make up the US intelligence community.

Those 15 members are: Air Force Intelligence, Army Intelligence, the CIA, Coast Guard Intelligence, the Defense Intelligence Agency, the Department of Energy, the Department of Homeland Security, the Department of State, the Department of the Treasury, the Drug Enforcement Administration (DEA), the FBI, Marine Corps Intelligence, the National Geospatial-Intelligence Agency, the National Reconnaissance Office, and Navy Intelligence. The collected information itself can include any data slurped on a foreign national, including files, phone calls, satellite messages and faxes.
It applies to communications that take place outside the US and any traffic that passes within US borders. To get their paws on this data, an intelligence organization will have to assert that it's needed for an overseas investigation, and have that request approved by a "high-level NSA official," according to a fact sheet prepared by government officials.

The requestor also has to commit to protecting the data as much as possible. US citizens can have their data surveilled in the same way on the authorization of the Attorney General, the Director of the NSA, or the head of the recipient intelligence body – or a high-level designee. The amendment also requires Uncle Sam's snoopers to undergo training on how to follow the new rules, and creates an audit trail for the information. Quite why this needed to be rushed through in the dying days of the Obama administration remains to be seen. ®

Hackers trigger yet another power outage in Ukraine

For the second time in as many years, security researchers have determined that hackers have caused a power outage in Ukraine that left customers without electricity in late December, typically one of the coldest months in that country. The researchers' conclusion, reported by news outlets including Dark Reading, Motherboard, and the BBC, signals yet another troubling escalation in the hacking arena.

A December 2015 attack that caused 225,000 Ukrainians to lose electricity was the first known instance of someone using malware to generate a real-world power outage. Ukrainian officials have pinned the attack on the Russian government, a claim that's consistent with some evidence collected by private security firms. Now, researchers say a second power outage that struck Ukraine in mid-December was also the result of a computer intrusion and bears many of the same technical hallmarks as the first one.
It was part of a series of malicious hacks that have recently targeted key Ukrainian infrastructure, including the country's rail system server, several government ministries, and a national pension fund.

The attacks started on December 6 and lasted through December 20.

The December 17 power outage was the result of an attack at the Pivnichna substation outside Kiev that began shortly before midnight.
It lasted for about an hour.

Demonstration of capabilities

"The attack [was] not meant to have any lasting dramatic consequences," Marina Krotofil, a security researcher for Honeywell Industrial Cyber Security Labs, told Motherboard. "They could do many more things, but obviously they didn't have this as an intent. It was more like a demonstration of capabilities."

At the S4x17 Conference in Miami on Tuesday, Krotofil said last month's attacks used many of the same tools that were deployed in the year-earlier hack—including a framework known as BlackEnergy and disk-wiping malware called KillDisk.

The breaches stemmed from a massive spear phishing campaign that struck government organizations in July and allowed the attackers to conduct months of covert reconnaissance before finally striking last month.

The phishing e-mail came from a highly trusted individual and contained a macro attachment that infected people who allowed it to run.

The "dropper" malware, DarkReading reported, underwent 500 software builds over a two-week period, a testament to the rigor of the attackers' software development. In a pre-recorded video played at the conference, Oleksii Yasynskyi, head of research for Information Systems Security Partners in Ukraine, which has investigated the attacks, said the attackers belonged to several different groups that worked together.

Among other things, they gathered passwords for targeted servers and workstations and created custom malware for their targets. The attack on the Pivnichna transmission facility shut down the remote terminal units that control circuit breakers.

That hack was less severe than the one used in the 2015 attack, which rendered the devices inoperable and prevented engineers from remotely restoring power. Last month's hacking campaign also made use of denial-of-service attacks. It's still too early to definitively attribute the attacks to the Russian government, but it's also not possible to rule the possibility out. Last month's attack came around the same time that the US intelligence community blamed Russia for hacks against Democratic groups and individuals, attacks that were allegedly aimed at disrupting the 2016 US presidential election.
If Russia is in fact behind campaigns in both countries, the attacks signal Russia's growing willingness to use hacking to achieve geopolitical goals.

Even if Russia isn't involved, the events in Ukraine demonstrate that once-unprecedented attacks on power facilities and other critical infrastructure are quickly becoming the new normal.

Latest Ukraine Blackout Tied To 2015 Cyberattackers

A broad cyberattack campaign hitting finance, energy, and transportation in Ukraine was meant to disrupt but not cause major damage, researchers say.

S4x17 CONFERENCE -- Miami, Fla. -- A wave of fresh cyberattacks against power substations, defense, finance, and port authority systems in Ukraine last month appear to be the handiwork of the same attackers who in December 2015 broke in and took control of industrial control systems at three regional power firms in that nation and shut off the lights, researchers said here today.

A pair of researchers from Ukraine confirmed that a second power outage on Dec. 16, 2016, in the nation also was the result of a cyberattack. Ukrainian officials have identified Russian hackers as the perpetrators, and Ukraine President Petro Poroshenko recently revealed that his nation had suffered 6,500 cyberattacks at the hands of Russia in the past two months.

But unlike the 2015 cyberattack that crippled some 27 power distribution operation centers across the country and affected three utilities in western Ukraine, the December 2016 attack hit the Pivnichna remote power transmission facility and shut down the remote terminal units (RTUs) that control circuit breakers, causing a power outage for about an hour.

Confirmation of yet another cyberattack campaign against the Ukraine comes at a time when Russian nation-state hacking is a front-burner concern in the US and Western world, especially with the US intelligence community's recent report concluding that Russian president Vladimir Putin directed a wide-ranging campaign to influence the outcome of the 2016 US presidential campaign in favor of President-Elect Donald Trump. US officials say Russia employed cyber espionage attacks against policy groups, US primary campaigns, and the Democratic National Committee (DNC) in 2015, as well as propaganda to influence public opinion.
Marina Krotofil, a security researcher for Honeywell Industrial Cyber Security Labs, who today presented the newest findings on the Ukraine hacks, said the attackers appear to be using Ukraine "as a training ground for R&D" - basically a way to hone their attacks on critical infrastructure in general. She said in an interview that this testbed-type approach against Ukraine is considered by experts as a "standard practice" by Russian nation-state attackers for testing out their tools and attacks.

This recent campaign worries some US security experts. "The 'red lines' that conventional wisdom taught us would prevent disruptive or destructive attacks in critical infrastructure are dimming, if not gone," says Steve Ward, a senior director at Claroty. "With the 2015 Ukraine incident and the fact that no apparent repercussions followed, it is not surprising to be at the point where a follow-up attack has been confirmed … We should be very concerned with the potential of such attacks in America," Ward says.

Honeywell's Krotofil says the latest attacks began on Dec. 6 and lasted until Dec. 20, with each target getting hit one-by-one, via a combination of remote exploits and websites crumbling under distributed denial-of-service attacks. With the Ukraine rail system's server taken offline by the attacks, travelers were unable to purchase train tickets, and cargo shipments also were interrupted, she says.

She said the attackers didn't appear to intend to wreak major damage on Ukraine's infrastructure, however. "It's hypothesized that this hacking campaign was to sabotage normal operations in Ukraine to cause disorganization and distrust," she said. "The goal was to destabilize the economy and political situation."

The attackers used many of the same tools that they deployed in the 2015 power grid blackout -- including BlackEnergy framework tools and KillDisk. "The attacks [grew] in sophistication," Krotofil said.
"They were more organized, with several groups working together like a good orchestra.

That was different from" the 2015 attack that appeared to be more disjointed and disorganized, she said. A spear phish on July 14, 2016, kicked off the first phase of the attacks aimed at a Ukraine bank.

The attachment employed malicious macros that checked for sandboxes and hid its activity with obfuscation techniques.

The researchers did not confirm the initial attack vector for the electric grid, however.

Via a translator, in a pre-recorded video shown during Krotofil's talk, Oleksii Yasynskyi - head of research for Information Systems Security Partners in Ukraine and a fellow investigator of the Ukraine attacks - said that the attackers were "several cybercriminal groups" working together. Yasynskyi said the groups employed legitimate IT administrative tools to evade detection as they gathered the necessary intelligence about the networks in the reconnaissance phase of the attacks. They gathered passwords for targeted servers and workstations, for instance, noted Yasynskyi, and they created custom malware for their targets. "The code was written by experts," he said.

Macro Got More Game

The attackers upped their malicious macro game significantly in the 2016 attacks in comparison to the 2015 attack.

Case in point: 69% of the code in their macro software was for obfuscation, 30% for duping forensic analysis, and only one percent of the code actually corresponded to the macro's ability to launch malware, according to Yasynskyi. "In essence, this macro is a sophisticated container for infiltrating and delivering malicious code for actual intrusion by the attackers," he said.

The attackers this time around also put extra effort into making malware analysis as onerous as possible. "It writes itself into certain parts of memory, like a puzzle," he said. "It unwraps only parts it needs at the time." "This only confirms the theory that this was executed by several teams: infrastructure, instruments to automate the analysis and penetration, and to deliver the malicious code," he said.

The dropper malware, a custom tool called Hancitor, had two different samples, but some 500 software builds during a two-week period, demonstrating the level of software development by the attackers, Krotofil noted. The attackers also had obviously done their homework in order to wreak havoc on the power grid, such as learning the inner workings of industrial processes there. "You can't simply get" that information or documents on the Net, Krotofil said.

Interestingly, while it took some four months to investigate the 2015 Ukraine power grid attack, it took Yasynskyi and the other investigators only two weeks to investigate the 2016 attacks.

They were able to detect the similar methods and tools in the second attacks based on the research from the previous attacks. Michael Assante, SANS lead for ICS and SCADA security, in a presentation here today noted that the Ukraine attacks raise new issues for ICS/SCADA operators. "In the case of Ukraine, it opened up a lot of questions" after that 2015 attack about how to engage when such physically disruptive events hit, such as who should identify a cyberattack, how to respond, and what protocol to follow if the attack causes damage.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

‘DNC hackers’ used mobile malware to track Ukrainian artillery – researchers

Frontline battlefield operatives are Fandoids?

The Russian hacking crew controversially linked to hacks against the Democrat Party during the US election allegedly used Android malware to track Ukrainian artillery units from late 2014 until 2016, according to new research. Threat intelligence firm CrowdStrike reckons that mobile malware was used to harvest communications and some locational data from infected devices. The operation provided intelligence in order to direct strikes against the artillery ranged against pro-Russian separatists fighting in eastern Ukraine.

The mobile malware used in the op is a variant of a remote access tool used against the Democratic National Committee, according to CrowdStrike. X-Agent, the cross platform remote access toolkit in play in both ops, was developed by the "Fancy Bear" hacking group and used exclusively by them, according to the report. This and other similarities have allowed CrowdStrike to link the Ukrainian hacking operation to Fancy Bear (APT 28), a hacking crew linked by US intelligence to GRU, Russia's military intelligence agency.

The filename "Попр-Д30.apk" of a malicious Android app used to carry out the spying is linked to a legitimate application which was initially developed domestically within Ukraine by an officer of the 55th Artillery Brigade, according to CrowdStrike. The legitimate app provided a targeting guide to using the D-30 122mm towed howitzer, a Soviet-era artillery piece that’s still in service. This is not something you’re going to find in regular app stores. More than 9,000 artillery personnel in the Ukrainian military used the application, according to the report.

Fancy Bear’s X-Agent implant was covertly distributed on Ukrainian military forums within a legitimate Android application, according to CrowdStrike, which says the whole hacking pop bears the hallmarks of a military operation. Successful deployment of the Fancy Bear malware within this application may have facilitated reconnaissance against Ukrainian troops. The ability of this malware to retrieve communications and gross locational data from an infected device makes it an attractive way to identify the general location of Ukrainian artillery forces and engage them.

"This cannot be a hands-off group or a bunch of criminals, they need to be in close communication with the Russian military," CrowdStrike co-founder Dmitri Alperovitch told Reuters. ®

China gives America its underwater drone back – with a warning

Should have thrown in a dictionary, too, for Trump

The Chinese government has handed back to America the US Navy underwater drones it stole last week. The Seaglider submersible was scooped out of the ocean by a Chinese military vessel shadowing the USNS Bowditch in the South China Sea. The drone, one of hundreds of autonomous vehicles the US Navy uses to track currents and water salinity, was causing a hazard to shipping – according to the Chinese. The ensuing diplomatic incident led president-elect Donald Trump to issue a 4.30am tweet decrying the action.

Trump was so annoyed he forgot how to spell – or created a new word to add to his bigly vocabulary. The Donald later tweeted again, telling China to keep the drone.

After a round or three of negotiations, the Chinese have now given the unmanned underwater vehicle back to sailors on the USS Mustin at a meeting approximately 50 nautical miles northwest of Subic Bay, Philippines.

"This incident was inconsistent with both international law and standards of professionalism for conduct between navies at sea," said Pentagon press secretary Peter Cook. "The US has addressed those facts with the Chinese through the appropriate diplomatic and military channels, and have called on Chinese authorities to comply with their obligations under international law and to refrain from further efforts to impede lawful US activities."

The Navy will now investigate the drone to see if it has been tampered with and will be issuing a further report on the state of the equipment.

Cook said the US would continue operating in the South China Sea as it always had. The incident was seen by many as a response to Trump's acceptance of a phone call from the Taiwanese premier.

This was seen as an insult by the Middle Kingdom because it broke the "One China" policy, whereby countries deal with either China or Taiwan – but not both.

Chinese Defense Ministry spokesperson Yang Yujun said that his government has examined the initially "unidentified device," and decided to return it. He said the US's "unilateral move to dramatize the issue in the process is inappropriate" and hadn't helped. "We regret that," Yang said, state media reports.

He added that the US Navy had frequently invaded Chinese waters to carry out reconnaissance and military surveys, despite Chinese protests. "China resolutely opposes these activities, and demands that the U.S. side should stop such activities," he said. "China will continue to be vigilant against the relevant activities on the U.S. side, and will take necessary measures in response." ®