Search the Community

During incident response, a team of security specialists needs to follow the artefacts that attackers have left in the network. Artefacts are stored in logs, memories and hard drives. Unfortunately, each of these storage media has a limited timeframe when the required data is available. One reboot of an attacked computer will make memory acquisition useless. Several months after an attack the analysis of logs becomes a gamble because they are rotated over time. Hard drives store a lot of needed data and, depending on its activity, forensic specialists may extract data up to a year after an incident. That’s why attackers are using anti-forensic techniques (or simply SDELETE) and memory-based malware to hide their activity during data acquisition. A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that are going to be installed in the network by attackers. Cybercriminals (like Carbanak or GCMAN) may use PLINK for that. Duqu2 used a special driver for that. Now you may understand why we were very excited and impressed when, during an incident response, we found that memory-based malware and tunnelling were implemented by attackers using Windows standard utilities like “SC” and “NETSH“. Read more: https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/

Introduction: Spear phishing attacks Spear phishing and its evolutions like the watering hole attack represent one of the most insidious attack techniques adopted by the majority of threat actors in cyber space. According to the experts at Trend Micro security firm, spear phishing is the attack method used in some 91 percent of cyber attacks. Differently from a common phishing attack, in the spear phishing attack scenario bad actors target a subset of people, usually the employees of an organization, members of an association or visitors of a particular website. The purpose of the attack is to collect personal information and other sensitive data that would be used later in further attacks against the victims. The attack vector is usually an email message that appears to come from a legitimate entity, that requests an action from the victims. There are numerous variants of spear phishing: some phishing emails include malicious links to websites controlled by attackers, while others include a malicious attachment that infects the victim’s system. In recent attacks operated by several APT groups, the malicious email sent to the victims encouraged users to read Word or PDF documents that were specifically crafted to exploit vulnerabilities in the web browser in order to compromise the host. Analyzing data related to the cyber attacks that occurred in the last five years, it is easy to deduct that spear phishing represents the easiest way for an attacker to compromise enterprises and organizations of any size. The “Operation Aurora” attack (2010), the hack (2011), the Target breach (2013), and the most recent Sony Entertainment (2014) and the cyber attacks operated by Operation Carbanak and the Syrian Electronic Army are just a few examples of offensives that relied on spear phishing as an infection method. The key to the success of a spear phishing attack is that it relies on the weakest link of a security chain, humans. Another characteristic of a spear phishing attack is that the content shared with the victims of an attack is usually highly customized to the recipient to increase the chance of exploitation. Social engineering techniques entice users to click on malicious attachments and links by suggesting they may be topics of interest for the victims. Spear phishing and terrorism Terrorism is defined as violent conduct or the threat of violent acts conducted with the purpose to create a climate of terror and damage the critical operations of a nation. We must consider that today’s society heavy relies on technologies, the majority of services that we access every day strongly depend on IT systems. This is particularly evident in some industries like defense, energy, telecommunications and banking. For this reason terrorism is enlarging its spectrum of action and is targeting IT services whose destruction can have the effects of an old style terrorist attack. Terrorists have several ways to use technology for their operations, and once again, the spear phishing methodology could help them to realize their plans. Let’s imagine together some attack scenarios and the way a spear phishing attack could help a terrorist to hit the collective. Terrorists can directly target the services compromising their operations. A number of services are based on sophisticated infrastructure managed by humans. By interrupting them, it is possible to create serious damage to the victims and to the population. Let’s imagine a cyber attack against a bank that will cause the interruption of the operations of a financial institution, or a cyber attack against telecommunication systems of a national carrier. Suddenly the users will have no opportunity to withdraw money from their bank accounts, or they will be isolated due to the interruption of the service of the telecommunications carrier; both events would create panic among the population. Again, let’s think to cyber attacks against the transmission of a broadcaster or an energy grid of a state. Also in this case, the impact on the public order could be dramatic. All the systems that could be targeted by the attacks mentioned rely on both an IT system and a human component, and human operators are the element that could be targeted by terrorists using spear phishing attacks that could give them the opportunity to infiltrate the computer systems and move laterally inside the systems of the service provider. Unfortunately, the attack scenarios described are feasible, and attacks with similar consequences on the final services have already occurred. In those cases, the threat actors were state-sponsored hackers and cyber criminals that mainly operated for cyber espionage and for profit, but in the case of a terrorist attack, the final goal is more dangerous: the destruction itself. Terrorists can run a spear phishing attack for information gathering Information gathering through a spear phishing technique is the privileged choice for a terrorist. Cells of terrorists could use this attack method to spread malware and hack into computers and mobile phones of persons of interest with the intent to collect information on their social network and related to the activities they are involved in. Spear phishing could allow terrorists to collect information on a specific target or to access information related to investigation on members of the group. Let’s imagine a spear phishing attack on personnel of a defense subcontractor that could give the terrorist precious information about security measures in place in a specific area that the terrorist cell intends to attack. Online scams to finance activities of cells Spear phishing attacks could be used by terrorists to finance small operations. The attacks can be carried out with the intent to conduct online frauds and the proceeds, albeit modest, may also finance the purchase of weapons and false documents in the criminal underground. The terrorists operate online purchases that enable cells to avoid controls exercised by the intelligence agencies in the area. Terrorists groups become more tech-savvy Terrorist groups like ISIS and Al Qaeda have become more tech-savvy, and among their members there are also security experts with a deep knowledge of hacking techniques, including social engineering and spear phishing. Spear phishing is the privileged technique to steal sensitive information from corporate or government entities that the terrorists plan to hit. Unfortunately, the skills necessary to hack SCADA systems of a critical infrastructure are less and less specialized, because on the Internet it is easy to find numerous exploits ready for use. Very often, it is sufficient to know the credentials of a VPN service used to access the SCADA system remotely in order to hack it. Terrorists are aware of this, and spear phishing attacks against the staff that manages the systems in the critical infrastructure would provide all the necessary information to attack the internal network structure and launch the exploit to hack the SCADA systems. Resuming, a spear phishing attack could give an attacker the information necessary to damage processes of a nuclear power plant, a water facility systems or a satellite systems. Another factor that incentivizes the use of spear phishing attacks by terrorists is that this kind of attack for information gathering could be conducted remotely without arousing suspicion. ISIS operates spear phishing attacks against a Syrian citizen media group The demonstration that the terrorist group of the Islamic State in Iraq and Syria (ISIS) is using spear phishing techniques against opponents was provided by Citizen’s Lab, which published a detailed report on a hacking campaign run by the members of the organization against the Syrian citizen media group known as Raqqah is being Slaughtered Silently (RSS). The hackers operating for ISIS run the spear phishing campaign to unmask the location of the militants of the RSS with the intent to kill them. The Syrian group RSS is an organization that in several cases has criticized the abuses made by ISIS members during the occupation of the city of Ar-Raqqah, located in northern Syria. “A growing number of reports suggest that ISIS is systematically targeting groups that document atrocities, or that communicate with Western media and aid organizations, sometimes under the pretext of finding ‘spies’.” ISIS members are persecuting local groups searching for alleged spies of Western governments. The spear phishing campaign run by the terrorists allowed the members of ISIS to serve a malware to infect the computers of the opponents and track them. The experts at Citizen’s Lab uncovered the spear phishing campaign managed to target the RSS members. “Though we are unable to conclusively attribute the attack to ISIS or its supporters, a link to ISIS is plausible,” Citizen’s Lab noted. “The malware used in the attack differs substantially from campaigns linked to the Syrian regime, and the attack is focused against a group that is an active target of ISIS forces.” The malicious emails contain a link to a decoy file, which is used by attackers to drop a custom spyware on the victim’s machine. “The unsolicited message below was sent to RSS at the end of November 2014 from a Gmail email address. The message was carefully worded, and contained references specific to the work and interests of RSS,” states the report. “The custom malware used in this attack infects a user who views the decoy “slideshow,” and beacons home with the IP address of the victim’s computer and details about his or her system each time the computer restarts.” The researchers at Citizen’s Lab have noticed that the malicious code served through the spear phishing campaign is different from the Remote Access Trojans used by the hackers backed by the Syrian Government. Figure 1 – Slideshow.zip file used by ISIS members in the spear phishing campaign One of the principal differences is related to the control infrastructure. The members of the ISIS used an email account to gather information from compromised machines. “Unlike Syrian regime-linked malware, it contains no Remote Access Trojan (RAT) functionality, suggesting it is intended for identifying and locating a target,” said CL. “Further, because the malware sends data captured by the malware to an email address, it does not require that the attackers maintain a command-and-control server online. This functionality would be especially useful to an adversary unsure of whether it can maintain uninterrupted Internet connectivity.” Western intelligence collected evidence of the presence of hackers among the members of ISIS. According to some experts, members of ISIS are already working to secure communications between ISIS members and supporting the group to spread propaganda messages avoiding detection. “In addition, ISIS has reportedly gained the support of at least one individual with some experience with social engineering and hacking: Junaid Hussain (aka TriCk), a former member of teamp0ison hacking team. While Mr. Hussain and associates have reportedly made threats against Western governments, it is possible that he or others working with ISIS have quietly supported an effort to identify the targeted organization, which is a highly visible thorn in the side of ISIS.” ISIS members are targeting many other individuals with spear phishing attacks – for example, it has been documented that it targeted Internet cafés in Syria and Iraq that are used by many hacktivits. “Reports about ISIS targeting Internet cafés have grown increasingly common, and in some cases reports point to the possible use of keyloggers as well as unspecified IP sniffers to track behavior in Internet cafes,” Citizen’s Lab reported. Citizen’s Lab seems to be confident of the involvement of a non state-actors in the attack, and ISIS is a plausible suspect. “After considering each possibility, we find strong but inconclusive circumstantial evidence to support a link to ISIS,” CL said. “Whether or not ISIS is responsible, this attack is likely the work of a non-regime threat actor who may be just beginning to field a still-rudimentary capability in the Syrian conflict. The entry costs for engaging in malware attacks in a conflict like the Syrian Civil War are low, and made lower by the fact that the rule of law is nonexistent for large parts of the country.” The Energy industry – A privileged target for a terrorist attack The energy industry is probably the sector more exposed to the risk of terrorist attacks, as energy grids, nuclear plants, and water facilities represent a privileged target for terrorists. Spear phishing attacks could allow terrorists hit systems in the critical infrastructure to destroy the operations or could allow bad actors to gather sensitive information to organize a terrorist attack. The spear phishing campaign could be run against the personnel of a targeted infrastructure to gather sensitive information on defense mechanisms in place and ways to breach them. The last report issued by the DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), the ICS-CERT MONITOR report related to the period September 2014 – February 2015, revealed that the majority of the attacks involved entities in the Energy Sector followed by those in Critical Manufacturing. Figure 2 – ICS-CERT MONITOR report related to the period September 2014 – February 2015 Spear phishing attacks appear among the principal attack vectors adopted by threat actors, but it is important to highlight that the report doesn’t mention cyber terrorism among possible motivations for the attacks. The fact that spear phishing attacks are effective to compromise the systems in the energy sector should make us reflect on the potential effectiveness of the cyber threat if it is adopted by terrorist groups. In April 2014, security experts at Symantec discovered a cyber espionage campaign targeting energy companies around the world by infecting them with a new trojan dubbed Laziok. Also in this case, the attack chain starts with a spear phishing attack. The emails used by hackers come from the moneytrans[.]eu domain, which acts as an open relay Simple Mail Transfer Protocol (SMTP) server. The e-mails contain an attachment, typically in the form of an Excel file, that exploits a well-known Microsoft Windows vulnerability patched in 2012 and that was exploited by threat actors behind Red October and CloudAtlas campaigns. The experts confirmed that the bad actors who used Trojan.Laziok malware to target energy companies haven’t adopted a sophisticated hacking technique. The investigation demonstrated that they exploited an old vulnerability by using exploit kits easy to find in the underground market. This kind of operation could be potentially conducted by groups of terrorists that intend to collect information on the IT infrastructure adopted by an organization to compromise it and cause serious damages to the process of a refinery or a nuclear plant. Since now security experts have no evidence for the availability of zero-day exploits in the arsenal of terrorists, the spear phishing campaign run by groups linked to the ISIS or Al-Qaida are quite different from the attacks run by APT groups backed by governments. Unfortunately, it is impossible to exclude that in the future group of terrorists with significant financial resources will have access to the underground market of zero-day exploits and purchase them to conduct targeted campaigns aimed to cause destruction and the lost of human lives. Conclusion Spear phishing represents a serious threat for every industry, and the possibility that a group of terrorists will use this technique is concrete. To prevent spear phishing attacks, it is crucial to raise awareness of the mechanics behind these kind of offensives. By sharing the knowledge of the techniques and tactics of the threat actors, it is possible to reduce in a significant way the likelihood and impact of spear phishing campaigns. To prevent spear phishing attacks, it is necessary that everyone in an organization has a deep knowledge of the threat and defense mechanisms. The pillars for an effective defense against the spear phishing attacks are: Awareness of the cyber threat Implementation of effective email filtering Implementation of effective network monitoring Spear phishing attacks are still a primary choice for cyber criminals and intelligence agencies that intend to steal money and sensitive information, but the technique could be a dangerous weapon to start a cyber terrorism attack. In order to protect our society we must trigger a collective defense. As explained by many security experts, the government cannot prevent spear-phishing attacks against private firms, but a successful attack against private industrial systems can be used to harm the security of a nation and take innocent lives. For this reason, it is important to share information on ongoing spear-phishing attacks and track potentially dangerous threat actors, especially cyber terrorists. Homeland security and national defense need a collective effort! References ISIS operates spear phishing attacksSecurity Affairs Phishing: A Very Dangerous Cyber Threat - InfoSec Institute The US energy industry is constantly under cyber attacksSecurity Affairs Energy companies infected by newly Laziok trojan malwareSecurity Affairs ICS-CERT- Most critical infrastructure attacks involve APTsSecurity Affairs http://techcrunch.com/2015/03/27/spear-phishing-could-enable-cyberterrorism-attacks-against-the-u-s/ http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-spear-phishing-email-most-favored-apt-attack-bait.pdf https://citizenlab.org/2014/12/malware-attack-targeting-syrian-isis-critics/ Phishing: A Very Dangerous Cyber Threat - InfoSec Institute Source

A Quantum Insert Attack is a classic example of man-in-the-middle attacks which resurfaced into news among the top 10 biggest leaks by WikiLeaks founder Edward Snowden. The NSA and Britain’s GCHQ intelligence services allegedly used it against OPEC and Belgacom successfully for their benefit. In short – Quantum is a code name for the servers which are strategically placed by NSA and GCHQ that can respond faster to a request than the intended recipient. The attacker would need monitoring capabilities to successfully attack the victim. Once the quantum servers win the race condition against the original response, the attacker can steal sensitive data like login credentials, bank account details, and credit card numbers or even spread a malware which can work in tandem with a botnet C&C server. Understanding the attack The attack begins with the attacker gaining monitoring capabilities into the victim’s network. In a government sponsored attack, the monitoring capabilities can be gained by Internet Service Providers and in the case of cyber espionage crimes, having access within a network looking to move laterally inside. This kind of attack is generally not used for large scale attacks, instead the attacker is very well aware of his target and most frequently used websites. In the past, Snowden leaks revealed that LinkedIn and Slashdot users have been targeted for attacks. The crux of the attack is in winning the race condition against the legitimate response packets. The schematic diagram here will help you understand better: Step 1: Step 2: Step 3: In the above schematic diagram, we see that the attacker waits on the network for the target to initiate a connection with a particular website. Each quantum server is configured so that certain conditions are met. Once any request from the target fulfills this set of conditions, the attacker is notified of the request from the target. The quantum servers then shoot a response to the original request by the victim. The victim receives the malicious payload, and the attacker can have full control of the victim. The original response packets from the website are discarded. Simulating the attack To simulate the Quantum Insert attack, we would require three VMs: One VM will act as a victim Second VM will be used to monitor the traffic Third will be used to shoot a malicious payload to the victim. The proof-of-concept code for simulation is available to be downloaded here: Download hough the details of use for the script is given in the github page, let me re-iterate them here for quick reference. The attacker knows that the victim frequents mysite.com and configures his monitor.py to notify the shooter on matching certain conditions. In our case the conditions are as follows: Victim visits mysite.com We need SYN+ACK of mysite.com On getting this information via tcpdump (whose output is parsed by monitor.py) the shooter is notified. Shooter has a dependency on Scapy to craft packets (with its header details, but a different payload) to be sent to the victim. The only challenge here is to have a privileged position in the Internet backbone, to win the race condition. How real time QI works I. Foot printing Agencies like NSA and GCHQ catch hold of choke point in the Internet backbone, and try to catch hold of the identity of the users from the organization that is being targeted. The project codenamed as TURMOIL captures the network dumps and passes it to traffic analysis tools like Xkeyscore which automate the packet analysis. II. Build User Profiles Tools like Xkeyscore can be used to search for patterns in the network traffic which help in identifying multiple points of attacks. The kinds of data which are captured include web histories, email traffic, chat logs etc. It seems that in a particular case of QI attacks on OPEC, this phase went on for several years. III. Attack the target Once the attack points are profiled, the monitor at the choke point of the Internet backbone notifies the shooter when any requests fulfilling all the conditions are met. In the case of the Belgacom hack, GCHQ used QI attack to route the traffic for LinkedIn and Slashdot to malicious servers posing as those sites. IV. Maintain access and persist Once the attack is successful, it’s the same old mundane post exploitation tasks where the attacker tries to escalate privileges and laterally move within the network in stealth mode to gain his hands on sensitive data and other network resources like mail servers, file servers etc., which are then exfiltrated to data analysis experts. Detecting QI attacks QI attacks work by spoofing the packets in response to a request to a particular website. One packet in response to a GET request from the victim contains content for the real website, and another packet will contain content for the malicious website. But, both of these packets are bound to have the same sequence numbers, which is a giveaway while detecting QI attacks. Another anomaly to be noticed is the TTL value of the packet. The spoofed packets would contain a significant difference in the TTL values than the real packets because of the closer proximity of the attacker to the victim. Links for QI detection for snort: GitHub Links for QI PCAPS: GitHub References http://blog.fox-it.com Source

The Department of Homeland Security sponsored CERT at Carnegie Mellon University on Tuesday released an advisory warning infrastructure providers of a vulnerability in Multicast DNS, or mDNS, that could leak device information that could be leveraged in high volume DDoS amplification attacks. “I would say the most serious concern with a vulnerability like this is abuse for DDoS campaigns, since it’s using UDP (easily spoofable) and the amplification in most cases is well over 100 percent,” said security researcher Chad Seaman, who reported the vulnerability. “We’ve seen a huge surge in the abuse of SSDP devices being used in reflection attacks, this is along the same lines and offers greater amplification, but luckily there aren’t nearly as many vulnerable mDNS devices in the wild.” The advisory lists a number of vendors whose devices are affected, including Canon, HP and IBM among others. Cisco, D-Link and Microsoft devices are in the clear, while whether Apple, a number of Linux distributions, and Dell devices are affected. Mostly, mDNS is used in consumer devices to simplify configuration and integration of services and networking, Seaman said. The issue is that mDNS devices could respond to unicast queries from outside a local link network and those responses could include network and device data that would facilitate a large-scale DDoS attack. According to the advisory, mDNS enables devices on a local link network to discover other services and devices. The fact that some devices would respond to unicast queries from outside goes against the implementation recommendations in RFC 6762. “It’s very easy to abuse. It’s little more than running a standard DNS query for a specific string/service name on port 5353. If you get a reply to the most generic query, the machine is accepting input over the WAN interface that it shouldn’t be,” Seaman said. The leaked information depends on the particular device and how the service it supports is configured. The useful information includes device names, model numbers, serial numbers, network configuration information, and more. “These could be used for social engineering attacks, targeting purposes, reconnaissance purposes, etc.,” Seaman said. The CERT advisory recommends either blocking inbound and outbound mDNS on the WAN, or disabling mDNS services. As with other noteworthy amplification attacks, large amounts of bad traffic is pointed at a specific online service, in most cases, over-running it in short order. “As a reflector it would just be a high number of incoming DNS queries targeted at port 5353, likely from a spoofed source to achieve reflection. As a victim you would see a wide array of replies coming back from various devices,” said Seaman, who has posted sample traffic signatures that would be similar to those used in such an attack. “However because of mDNS explicitly stating it should only operate on port 5353 in the RFC, all requests will be sourced from port 5353 during the reflection. Meaning mitigation should be as simple as blocking port 5353 to protect vulnerable internal devices and drop incoming traffic sourced from port 5353 to help mitigate an attack.” Source

The noose around the neck of the Internet's most widely used encryption scheme got a little tighter this month with the disclosure of two new attacks that can retrieve passwords, credit card numbers and other sensitive data from some transmissions protected by secure sockets layer and transport layer security protocols. Both attacks work against the RC4 stream cipher, which is estimated to encrypt about 30 percent of today's TLS traffic. Cryptographers have long known that some of the pseudo-random bytes RC4 uses to encode messages were predictable, but it wasn't until 2013 that researchers devised a practical way to exploit the shortcoming. The result was an attack that revealed small parts of the plaintext inside an HTTPS-encrypted data stream. It required attackers to view more than 17 billion (234) separate encryptions of the same data. That was a high bar, particularly given that the attack revealed only limited amounts of plaintext. Still, since the researchers demonstrated the attack could decrypt HTTPS-protected authentication cookies used to access user e-mail accounts, Google and other website operators immediately took notice. Now, researchers have figured out refinements that allow them to recover RC4-protected passwords with a 50-percent success rate using slightly more than 67 million (226) encryptions, a two-order of magnitude reduction over the previous attack used to recover secure cookies. The exploits—laid out in a paper published last week titled Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS—work against both Basic access authentication over HTTPS and the widely used IMAP protocol for retrieving and storing e-mail. Bar-mitzvah attack A second exploit targeting RC4 was devised by researchers from security firm Imperva and was presented Thursday at the Black Hat security conference in Singapore. The attack uses new ways to exploit the "invariance weakness," a key pattern in RC4 keys that can leak plaintext data into the ciphertext under certain conditions. The weakness first came to light in 2001, and led to the fatal exploit against wired equivalent privacy technology used to encrypt Wi-Fi networks. Given the age of the invariance weakness, Imperva researchers are dubbing their new exploit the "bar-mitzvah attack." "The security of RC4 has been questionable for many years, in particular its initialization mechanisms," Imperva researchers wrote in a research paper that accompanied Thursday's Blackhat talk. "However, only in recent years has this understanding begun translating into a call to retire RC4. In this research, we follow [the 2013 RC4 researchers] and show that the impact of the many known vulnerabilities on systems using RC4 is clearly underestimated." The bar-mitzvah attack requires adversaries to sample about one billion RC4 encryptions to infer a credit card number, password, or authentication cookie key. The known weakness exploited involves a flaw found in one out of every 16 million (224) RC4 keys that leads to "structures" in the "least significant bits" of the keystream. The attack is subject to a significant limitation, however, since the leaky plaintext is contained only in the first 100 bytes of ciphertext. Despite the limitation and the challenge of sampling so many encryptions, the attack may be enough to drastically reduce the cost of doing an exhaustive attack that guesses passwords, credit card numbers or similar data. Rather than try every possible combination, the bar-mitzvah attack allows attackers to hone in on a much smaller number of candidates. The growing body of attacks that defeat SSL and TLS encryption are only one threat facing the system millions of Internet users rely on to encrypt sensitive data and authenticate servers. In 2011 hackers broken into Netherlands-based certificate authority DigiNotar and minted counterfeit credentials for Google and other sensitive Web properties. Earlier this week, shoddy practices at an intermediate CA known as MCS Holdings, allowed its customers to obtain unauthorized certificates for several Google addresses. Poor practices on the part of Microsoft also led to the discovery of misissued certificates, on two separate occasions. “RC4 must die” The TLS protocol has two significant phases. The first "handshaking" phase uses asymmetric encryption to negotiate the symmetric encryption keys to be used by an e-mail or Web server and the connecting end user. During the later "record" phase, the parties use the agreed-upon keys to encrypt data using either the AES block cipher or RC4 stream cipher. The two attacks unveiled this month, combined with the exploit disclosed in 2013, are a strong indication the security of RC4 can't be counted on for much longer and should be phased out in favor of alternative algorithms. Retiring RC4 is proving a challenging proposition. A 2011 attack known as BEAST—short for Browser Exploit Against SSL/TLS—targets an encryption mode known as CBC, or cipher block chaining, which is present in most algorithms except for RC4. After BEAST was demonstrated to pose a credible threat to TLS-protected data in transit many security experts recommended website operators opt for RC4 to blunt the threat. That advice is no longer sound, now that RC4 is under attack, too. Imperva researchers say Web app developers should strongly consider disabling RC4 in all their TLS configurations and tech-savvy end uses should disable RC4 in their Browser settings. In February, the Internet Engineering Task Force submitted a request for comments prohibiting the use of RC4 cipher. Use of RC4 has shrunk from about half of all TLS traffic in 2013 to about 30 percent today, but eliminating it altogether may take years. Hanging in the balance, is the security and confidentiality of millions of Internet users. "RC4 was already looking nervously towards the cliff-edge," Kenny Paterson, a Royal Holloway, University of London professor who helped author last week's research, as well as the 2013 research it built on, wrote in a blog post published last week. "Our work pushes RC4 a significant step closer, leaving it teetering on the brink of oblivion for SSL/TLS. After all, attacks can only get better…" Source

Security researchers have banged another nail into the coffin of the ageing RC4 encryption algorithm. The latest password recovery attacks against RC4 in TLS by Christina Garman of Johns Hopkins University, Prof. Kenny Paterson and research student Thyla van der Merwe (both of Royal Holloway, University of London) show that attacks against the scheme are getting better and easier so RC4 "needs to die", as the researchers themselves put it. The continued use of RC4 in TLS is "increasingly indefensible", the researchers conclude in an abstract of their work. The research - which also involved the development of "proof of concept" implementations of the attacks against the BasicAuth and IMAP protocols – is explained in full in a paper here (PDF, 34 pages). Independent researchers agree that RC4 needs to be pensioned off even though some question whether the attack developed by is a practical concern. "RC4 must die. Despite, not because of, attacks like the one described here which is extremely impractical," said Martijn Grooten, editor of Virus Bulletin and occasional security researcher. Caveats about whether or not attacks could be economically pulled off aside, there's little or no disagreement about the direction of travel, which is that the cipher ought to be consigned straight towards the cyber equivalent of Boot Hill cemetery. The only reason it's still around is that websites are reluctant to drop support even for obsolete technology. RC4, developed in 1987, is a popular stream cipher that's often used in HTTPS connections to protect sensitive network traffic from eavesdroppers, among other uses. Potential attacks have been documented for years but they are now decreasing in complexity to the point where using the cipher is risky even before considering the implication of the revelations from NSA whistleblower Edward Snowden. Leaks from Snowden suggested that US and UK spies have developed "groundbreaking cryptanalysis capabilities", which ultimately allow the intelligence agencies to break RC4 encryption. Distrust of the cipher is spreading. Microsoft urged Windows developers to ditch the RC4 encryption algorithm and pick something stronger back in November 2013. Cisco also told its customers to "avoid" the cipher around the same time. The IETF moved towards killing off the venerable-but-vulnerable RC4 cipher with a proposal that net-standard clients and servers need to quit using RC4 in Transport Layer Security (TLS) that surfaced in December 2014. Source

Strong stresser is a Powerful Booter ! A Special Attacks for the website uses CloudFlare Service On Layer7. A Special Attacks to OVH Servers On Layer 4. STRONG Stresser | Test Security of Your Server & Neywork

Radware, a provider of application delivery DDoS attack protection solutions, this week unveiled its latest attack mitigation platform designed to help carriers and cloud providers protect against high volume DDoS attacks. According to Radware, its new attack mitigation platform provides up to 300Gbps of mitigation capacity and can help protect against volumetric DDoS attacks such as UDP reflection attacks, fragmented and out-of-state floods. Radware’s DefensePro x4420 has the ability to handle 230 million packets per second of attack traffic and was designed for multi-tenant environments with the ability to support up-to 1,000 active policies, separate processing capabilities and customized management & reporting per tenant, the company said. “Cyber-attacks have evolved and reached a tipping point in terms of quantity, length, complexity and targets,” says Carl Herberger, vice president of security solutions for Radware. “In 2014, one in seven cyber-attacks were larger than 10Gbps and we’ve seen attacks 100+Gbps in size. The attack landscape is changing and cyber-attackers are getting more and more aggressive with their tactics. It’s not uncommon for mobile carriers and cloud providers to experience extra-large attacks.” “Soon enough, DDoS attacks will eventually reach the 1Tbs level, placing manufacturers in a frenzy to keep up with future volumetric cyberattacks,” Dan Thormodsgaard, vice president of solutions architecture for FishNet Security, said in a statement. More information on the platform is available online. Sursa: securityweek.com

ScanBox is a framework in the form of a JavaScript file. The function of ScanBox is to collect information about the visitor’s system without infecting the system. And this information includes things like the last page the user was on before visiting the compromised website, the OS of the system and the language settings of the system, the screen width and height, the web browsers used by the victim, the geographical location, security softwares used and programs like Java, Acrobat Reader, MS Office and Adobe Flash versions used. ScanBox also can log the keystrokes the victim is typing inside the website under the control of the attacker, which could include the passwords and other sensitive information of the users. And all this information is then sent to a remote C&C server controlled by the attackers. ScanBox’s goal is to collect information that will later be misused to compromise specific targets. The ScanBox framework has been deployed on several websites belonging to disparate companies and organizations in different countries. Attackers were able to compromise the website and include code that loaded a malicious JavaScript file from a remote server. ScanBox is particularly dangerous, as it doesn’t require malware to be successfully deployed to disk in order to steal information. Instead the key logging functionality would do the same work by simply requiring the JavaScript code to be executed by the web browser. The framework also facilitates surveillance, enabling attackers to exploit vulnerabilities in visitors’ systems by pushing & executing malware. ScanBox is designed to be a modular and reusable JavaScript based exploit kit. It allows a lesser number of sophisticated attackers to first compromise a website using basic attacks such as SQL injection or WordPress bugs and set up a waterhole attack to infect hundreds to thousands of victims who visit that website. Some of the recent attacks which used ScanBox are the following: Table 1: List Of Attacks Month Identified Country Sector/Type Scan Box domain August 2014 JP Industrial sector js.webmailgoogle.com September 2014 CN Uyghur code.googlecaches.com October 2014 US Think tank news.foundationssl.com October 2014 KR Hospitality qoog1e.com By analyzing the script used in these attacks, it has been found that the base codes are pretty much the same and they differ in implementation. This shows that different attackers are using ScanBox as a tool for their attack. The framework was altered according to the victims’ browsers and other factors in every case. Researchers say that the changes may be the result of the upgrades in the framework. The common codebase in all the attacks leads to a conclusion that all the attackers share some resources in using this framework. Working Step 1: The basic step of the ScanBox framework is to configure the C&C server. This server helps to collect and store the information obtained from the compromised website. Figure 1: ScanBox framework for collecting data Step 2: The collected information is first encrypted before sending it to the C&C server to ensure security. Figure 2: Function for data encryption Step 3: After completion of the encryption process the following request is passed: Figure 3: Request produced after encryption Step 4: The encrypted data finally reaches the C&C server and is decrypted to obtain the original data. These pieces of information are the key for starting the attack. Figure 4: Decrypted data Figure 5: Working of ScanBox framework Plugins Several plugins are loaded accordingly in between to extract the required information. These are selectively added to avoid any kind of suspicious alerts when the page loads. The following are some plugins used during the process: Pluginid 1: List the software installed in the system and also to check if the system is running any different versions of EMET (Enhanced Mitigation Experience Toolkit). Figure 6: Pluginid 1 code Pluginid 2: Determines Adobe Flash versions Pluginid 5: Determines Microsoft Office versions Pluginid 6: Enumerates Adobe Reader versions Pluginid 8: Lists Java versions Pluginid 21: Plants a keylogger inside the compromised website. It records all the keystrokes the person is typing in the website. The logs may include account password and other details. The recorded logs are sent to the corresponding command and control center. This information is later used to launch an attack against the particular user. The keylogger feature of ScanBox helps the attacker to collect the data without loading a malware from the disc. Therefore any malware removal tool won’t be able to find this. Figure 7: Keylogger plugin code The plugins required to load a page on different browsers are different. An attacker should be well aware of the version and type of browser used by the victim. According to the requirement, the plugins are loaded so that the desired result could be obtained. The following is the list of plugins loaded per browser on code.googlecaches.com. Table 2: Plugins loaded per browser on code.googlecaches.com Plugin ID Description Internet Explorer Chrome Firefox Safari 1 Software reconnaissance Y N N N 2 Browser plugin N Y Y Y 3 Flash recon Y Y Y Y 4 SharePoint recon Y N N N 5 Adobe PDF reader recon Y N N N 6 Chrome security plugins recon N N Y N 7 Java recon Y Y Y Y 8 Internal IP recon N Y N N 9 JavaScript keylogger Y Y Y Y It has been found that Google Chrome is less vulnerable to such attacks than others on the list due to their security update between the interval of 15 days, which makes it a bit difficult to carry out the attack. Also the Aviator Web browser set up by WhiteHat Security provides impressive privacy and security settings by default. Watering Hole Attack This is a type of attack is mainly targeted on businesses and organizations. Waterholing attacks drive the ScanBox framework. The attacker keeps an eye on the websites the victim visits frequently and infects the websites with a malware. These type of attacks are hard to detect. Once the targeted victim enters the infected website, the malware finds a way into the victim’s network or system. The dropped malware may be in the form of a Remote Access Trojan (RAT), which allows the attacker to access delicate and personal information. The main goal of the watering hole attack is not to serve maximum malware to the system, but to exploit the websites frequently visited by the targeted victim. Figure 8: Watering hole working A watering hole attack could be carried out with the help of ScanBox framework. In this method the JavaScript does its job and saves the attacker from using a malware. This type of attack using ScanBox has much more efficiency than using a malware and could not be detected by any malware removal tool. You can see the list of watering hole attacks which used ScanBox in Table 1. Precautions Regular Software Updating: Timely upgrade on the software reduces the vulnerability of such attacks. Vulnerability Shielding: It helps to scan suspicious traffic and any deviation from the normal protocols used. Network Traffic Detection: Even though hackers find different ways to access the information, the traffic generated by the final malware in communicating with the C&C server remains consistent. Identifying these paths helps to take control of the effect of such attacks. Threat Intelligence: A subscription of prominent threat intelligence providers will help you to track down all the command and control servers that it connects to. These C&C servers can be fed to proxy or perimeter devices to see any successful communication has been established or not. Least privilege: The concept of least privilege has to be implemented on all users who log on to the machine. Admin privilege has to be limited to certain users only. Next generation firewall: Use of a next generation firewall can detect such type of attacks easier, as they have an inbuilt sandbox. SIEM: By using a SIEM solution, security administrators will be able to monitor all the traffic by capturing the logs. It will give a holistic view of what is happening on your network with a few clicks on a single dashboard. Conclusion By the detailed analysis of ScanBox framework, we can say that it could be very dangerous if the user is not cautious. Thorough monitoring and analysis of computer and network should keep such attacks bolted to an extent. References Cyber security updates: October 2014 ScanBox Framework — Krebs on Security https://www.alienvault.com/open-threat-exchange/blog/ScanBox-a-reconnaissance-framework-used-on-watering-hole-attacks AlienVault discovered Watering Hole attacks using Scanbox for reconnaissanceSecurity Affairs Source

Researchers have uncovered a distributed denial-of-service (DDoS) attack campaign that takes advantage of Joomla servers with a vulnerable Google Maps plug-in installed. Akamai's Prolexic Security Engineering & Research Team (PLXsert) worked with PhishLabs' Research, Analysis, and Intelligence Division (R.A.I.D) to analyze malicious traffic coming from multiple Joomla websites, a threat advisory (PDF) issued Wednesday said. Through analysis, the teams found that attackers were able to use servers as DDoS zombies due to a vulnerability in a Google Maps plug-in that allows the plug-in to act as a proxy, masking the origin of DDoS attacks. “Attackers spoof the source of the request, causing the results to be sent from the proxy to someone else – their denial of service target,” a release from Akamai explained. This year, the company has observed eight Joomla-based DDoS attacks against its customer base, six of which were targeted at the education sector. PLXsert said that the DDoS attacks contained traffic signatures that matched sites known for providing DDoS-for-hire services, and that miscreants used attack tools, such as DAVOSET and UFONet, that have also been increasingly adapted by the DDoS-for-hire market. Researchers have observed the Joomla-based DDoS attacks since September, but believe the for-hire attacks are ongoing. In a Thursday interview with SCMagazine.com, Rod Soto, principal security researcher at PLXsert, said that reflection-based DDoS attacks, like those seen in this campaign, have become popular as they allow attackers to use the “path of least resistance.” In the last quarter of 2014, Akamai found that 39 percent of all DDoS traffic used reflection techniques, which amplified attacks while hiding attackers' identities. “For reflection attacks, it does not require the attacker to actually compromise the botnet [or abused hosts],” Soto said. “Most of them don't even realize they are being used as reflectors.” In addition to ensuring that plug-ins for content management systems (CMS), like Joomla or WordPress, are properly patched, Akamai provided other DDoS migration steps, such as blocking HTTP GET/1.0 request traffic if support for legacy clients isn't needed, and blocking HTTP requests with a PHP-based user-agent string, if they are not needed, the threat advisory said. The advisory also included three Snort rules, which match the DDoS attack variations Akamai detected in the campaign. Source

The need to defend confidentiality of our sensitive information against persistently rising cyber threats has turned most of us toward using encryption on a daily basis. This is facilitated by easy-to-use GUI tools like TrueCrypt that offer advanced encryption without hassles. TrueCrypt offers ‘on-the-fly’ encryption, which means we do not have to wait for large files to decrypt after entering the correct passphrase; files are immediately accessible. Many of us have come to trust TrueCrypt to defend extremely sensitive personal and business secrets. However, there is no such thing as absolute security. Vulnerabilities always exist, and in this paper we look at some of the ways in which TrueCrypt security can be “beaten”. Please note that these attacks may not target a flaw in TrueCrypt itself, but rely on ‘bypassing’ TrueCrypt security or taking advantage of user negligence. This paper seeks to address TrueCrypt users who wish to understand known attacks against TrueCrypt, and forensics analysts who are interested in defeating TrueCrypt during the course of criminal investigations. Downloads: Evil Maid USB image Memory image and encrypted TrueCrypt volume Tools Used: TrueCrypt 7.1 (source code) Truecrack Unprotect Inception Volatility Aeskeyfinder Bulk Extractor\ Known Attacks against TrueCrypt In this paper, we will progress via attacks that are easily understood, and move toward attacks that require advanced understanding of TrueCrypt functionality and encryption systems. Dictionary Attacks The concept of a dictionary attack is simple. We sequentially try all entries in a dictionary file as potential passphrases until we succeed. However, there are obvious downsides to this approach. Most users who are using TrueCrypt to protect their sensitive information are smart enough to use complicated passphrases that would not be found in dictionaries. Also, this attack can get very time-consuming, depending on the size of the dictionary selected. Here, we use a tool called ‘truecrack’ to implement a dictionary attack on a protected TrueCrypt volume. We created a dummy dictionary with 7 phrases, the last of which was the correct passphrase [Figure 1]. Figure 1 Note: Such dictionary attacks on TrueCrypt are incredibly slow, since it uses the Password-Based Key Derivation Function 2 (PBKDF2) that is meant to slow down the password cracking process using key stretching. Brute Force Attacks Brute force attacks deploy a similar concept to dictionary attacks, except here every possible combination of characters is tried from a pre-determined set. To simulate a brute force attack on a TrueCrypt volume, we used the tool ‘unprotect.info’. First, we point it to the encrypted volume [Figure 2]. Figure 2 Next, we set the parameters to be used while implementing the attack [Figure 3]. These parameters will determine the total number of possible combinations. Note that we set the password to the encrypted volume as ‘haha’—a simple combination of 4 characters—to save time during experimentation. Figure 3 For example, in this case we knew the password to be 4 characters long and having all lower case characters. We set the parameters accordingly which gave us a total of (26*26*26*26) =456976 possible passphrases [Figure 4]. Figure 4 The tool sequentially tried all possible combinations until it got to the correct passphrase, which was then displayed to us [Figure 5]. Figure 5 As with dictionary attacks, PBKDF2 used in TrueCrypt would considerably slow down the brute force attacks. DMA Attacks DMA (Direct Memory Access) is used to acquire control of the RAM via the FireWire port. The attacker can then take a full memory dump even if a computer is locked or logged off. If the protected TrueCrypt volume is mounted while the memory dump is taken via a FireWire port, the resulting image would contain the cryptographic keys needed to decrypt and mount the TrueCrypt volume (as explained later in this paper). ‘Inception’ is a free tool that allows one to perform a FireWire attack. The best mitigation against this attack is to simply disable the FireWire drivers in the Operating System and render the port non-functional. Bootkit Attacks Rootkits are a form of advanced malware that facilitate stealthy deployment and operation of programs on a system. Bootkits are variants of rootkits that infect the Master Boot Record (MBR) or a boot sector Wik1. In case full disk encryption is being used, such bootkits are capable of manipulating the original bootloader and replacing it with an infected copy. Such an attack was implemented by researchers Alex Tereshkin and Joanna Rutkowska Ale2. This “evil maid” attack drew attention to the need for physical security of the device that holds the encrypted TrueCrypt volume. The idea is that even if the user is protecting his sensitive information using full disk encryption, the MBR itself is not encrypted and can be infected. Hence, if an attacker can boot your computer using a USB stick, he can overwrite the original bootloader and insert a type of “sniffer” that would “hook” a TrueCrypt password function and save the passphrase the next time the volume is mounted. This passphrase is then extracted by the attacker at a later time. Note: If you wish to replicate this experiment, you would need a copy of the Evil Maid infector image (see Downloads above), and a device that is using full disk encryption. Also note that it is best to use TrueCrypt 6.3a during this test since Evil Maid is no longer updated and is known to corrupt the bootloader when used against TrueCrypt 7.1a. Cached Passphrase Attacks Cached passphrases allow automatically mounting containers without requiring the user to enter the passphrase every time. This cached passphrase is located in ‘TrueCrypt.sys’. In case the user has explicitly told TrueCrypt to ‘cache’ passphrases [Figure 6], an attacker could locate this passphrase in a memory dump. Volatility framework provides a plugin called ‘TrueCryptpassphrase’ especially for the retrieval of cached passphrases from memory. Note that once the attacker has access to the passphrase, he would not need to know the details of the encryption algorithm used or the cryptographic keys. Figure 6 Decrypting and Mounting a TrueCrypt Volume using Cryptographic Keys Extracted from Memory Analyzing the Protected TrueCrypt Volume The first thing we need to do is make sure that we are, in fact, dealing with an encrypted TrueCrypt volume. TrueCrypt volumes are identified based on certain characteristics such as sizes that are multiple of 512 (block size of cipher mode), missing headers, etc. Volatility framework offers a ‘TrueCryptsummary’ plugin that can be used to locate information germane to TrueCrypt within our memory image [Figure 7]. Figure 7 Looking at the results, we know that TrueCrypt 7.0a was being used on the system and the protected volume was mounted while the memory was dumped. Also, we notice that ‘ppp.challange.vol’ is the TrueCrypt container. Understanding Cryptographic Keys TrueCrypt provides ‘on-the-fly‘ encryption, which means that the cryptographic keys have to be loaded in memory at all times while the protected TrueCrypt volume is mounted. By default, TrueCrypt uses AES encryption along with XTS, and the 256 bit primary and secondary keys are concatenated together to form one master key of 512 bits. You may search for these keys on RAM (system memory) or ‘hiberfile.sys’ (a file created during hibernation). Here, it is important to note that hiberfile.sys can only be expected to contain the keys if the protected TrueCrypt volume was mounted while the system went into hibernation. In case the protected volume was dismounted during hibernation, it is futile to look for the cryptographic keys on the RAM dump or hiberfile.sys. The keys are not stored on disk due to obvious security concerns Mic3. Searching for Cryptographic Keys in Memory Before we can extract keys from memory, we need to identify them. One approach is to attempt decryption of known plaintext using every possible combination of bytes. However, in the presence of bit errors in memory, this approach gets highly convoluted JAl084. Another approach is to cycle through each byte in memory and to treat the following block of a certain size as a key schedule. Then, a hamming distance is calculated pertaining to this word and the word that should have been generated based on surrounding words. If the number of bits that violate constraints germane to correct key schedule is small, the key is discovered JAl084. ‘Aeskeyfind’ implements this approach, and we use it to search for AES keys in our memory image [Figure 8]. Figure 8 Alternatively, you can use ‘bulk extractor’ to locate keys in memory [Figure 9]. Note that this tool also locates other information in memory such as emails, IP addresses, URLs, etc.\ Figure 9\ Figure 10 Figure 11 At this point, we know the two 256 bit primary and secondary AES keys and we can use these to mount the protected volume. However, we first need to fake a header. Faking a TrueCrypt Header Since we do know the actual passphrase pertaining to the protected volume, we will create a template containing a known passphrase and copy this to the protected volume. Later, we can use this known passphrase and the extracted AES keys to mount or decrypt the protected volume. ./TrueCrypt –text –create –encryption=aes –filesystem=FAT –hash=RIPEMD-160 –password=pranshu –random-source=/dev/random –size=33600000 –volume-type=normal anothvol Figure 12 Here, we are using TrueCrypt in ‘text’ mode to create a volume with default AES encryption, RIPEMD-160 hash, and a FAT file system. Please note that the size of the encrypted volume is 33.6 MB or 33600000 bytes. We need this TrueCrypt volume (with known password) to be of the same size [Figure 12]. In order to copy header information from this volume to the protected volume, we use ‘dd’ [Figure 13]: dd bs=512 count=1 conv=notrunc if=/root/TrueCrypt/Main/anothvol of=/root/ppp.challenge.vol Figure 13 Hard Coding Keys into TrueCrypt Source Code We now need to “patch” TrueCrypt so that it accepts the discovered AES keys. Here, we have patched TrueCrypt 7.1 (see Downloads above). For this purpose, we modify the ‘VolumeHeader.cpp’ file and hard code the AES keys in there Mic15 [Figure 14]. Figure 14 Now, we compile this modified source code and attempt to mount the protected volume using the known password [Figure 15]. ./TrueCrypt –text –mount-options=readonly –password=pranshu /root/ppp.challenge.vol /mnt/pranshu Figure 15 We have successfully mounted the protected TrueCrypt volume at ‘/mnt/pranshu/’ using the known password and hard coded AES keys. We can now view the sensitive file inside the volume [Figure 16]. Figure 16 Conclusion The purpose of this paper—like many researchers who studied and implemented attacks on TrueCrypt—is to make a TrueCrypt user aware of what protection is truly being offered. A false sense of security is highly perilous. For instance, it is imprudent to neglect physical security of the device while using TrueCrypt lest you fall prey to a bootkit attack or a DMA attack. On the other hand, keeping the protected volume mounted at all times, or for extended periods, increases the likelihood of getting cryptographic keys stolen from memory. Note that we have intentionally avoided discussing any commercial recovery software in this paper. As of this writing, there is a vague warning on TrueCrypt website that apprises users of “security issues” in TrueCrypt. There is no detailed information on this warning yet, however, if you wish to pay heed to it, you may use ‘Veracrypt’ as an alternative to TrueCrypt. References [1] Wikipedia. [Online]. http://en.wikipedia.org/wiki/Rootkit#Bootkits [2] Joanna Rutkowska Alex Tereshkin. The Invisible Things Lab’s blog. [Online]. http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-TrueCrypt.html [3] Michael Ligh. Volatility Labs. [Online]. http://volatility-labs.blogspot.com/2014/01/TrueCrypt-master-key-extraction-and.html [4] Seth D. Schoen, Nadia Heninger, William Clarkson, Joseph A. Calandrino, Ariel J. Feldman, Jacob Appelbaum, Edward W. Felten. J. Alex Halderman, “Lest We Remember: Cold Boot Attacks on Encryption Keys,” in Proc. 17th USENIX Security Symposium (Sec ’08), San Jose, CA, 2008. [5] Michael Weissbacher. Michael Weissbacher. [Online]. http://mweissbacher.com/blog/2011/05/17/plaidctf-writeup-fun-with-firewire/ [6] Michael Ligh, “Mastering TrueCrypt: Windows 8 and Server 2012 Memory Forensics,” in Open Memory Forensics Workshop, 2013. Source

Existing in some form since 2008, the popular remote access tool PlugX has as notorious a history as any malware, but according to researchers the tool saw a spike of popularity in 2014 and is the go-to malware for many adversary groups. Many attacks, especially those occurring during the latter half of the year, were seen using the tool. In fact, researchers are theorizing the further proliferation of PlugX, which enables attackers to log keystrokes, modify and copy files, capture screenshots, as well as the ability to quit processes, log users off, and completely reboot users’ machines, could suggest eventual worldwide adoption. The malware was the most used variant when it came to targeted activity in 2014 according to Crowdstrike’s Global Threat Report, released today. Despite kicking around for years, the malware is now the de facto tool for dozens of China-based adversarial groups the firm tracks. One of the ways the malware improved itself in 2014, and in turn caught on, was by switching up the way it communicates with its infrastructure further up the chain. By implementing a newer DNS command and control module, the malware has been able to send its data in the form of long DNS queries to its overseeing infrastructure. By modifying the way the DNS and HTTP requests are produced, something Crowdstrike is calling a deviation from “some of the more typically monitored protocols,” it’s made it more difficult to be detected over the past year or so. “The upward trend in use of PlugX indicates an increasing confidence in the capabilities of the platform, justifying its continued use across multiple sectors and countries,” according to the report. One of the groups that Crowdstrike caught dropping PlugX on machines was a hacking collective it calls Hurricane Panda, who used the malware’s custom DNS feature to spoof four DNS servers, including popular domains such as Pinterest.com, Adobe.com, and Github.com. Instead of their legitimate IP addresses, the malware was able to instead point these domains to a PlugX C+C node. The malware, as has been the case in the past, is commonly delivered via a spear phishing attack. Some of attacks go on to leverage a zero day from last March, CVE-2014-1761, which exploits vulnerable Microsoft RTF or Word documents. Others, meanwhile, make use of well-worn holes like CVE-2012-0158 in PowerPoint and Excel, that were also used by the IceFog, Red October, and Cloud Atlas attacks. While some of the groups using PlugX have gone out of their way to register new domains for leveraging the malware’s C+C, many domains from the last several years remain active, something else that Crowdstrike has attributed to the malware’s success and persistence over the years. The firm has two schools of thought when it comes to rationalizing how the malware has become so commonplace. It’s thought that there’s either a central malware dissemination channel that’s pushing PlugX out to adversary groups or that groups that hadn’t used PlugX in the past have recently been able to get copies of it via public repositories or the cybercrime underground. Either way, while the malware is mostly used by attackers from “countries surrounding China’s sphere of influence,” the report suggests that that trend could change soon enough. The malware has been used in recurring attacks against commercial entities in the U.S., and in other politically fueled attacks, but its rapid deployment “could be a precursor to future worldwide use,” according Crowdstrike. “The ongoing development of PlugX provides attackers with a flexible capability that requires continued vigilance on the part of network defenders in order to detect it reliably.” Source

Hacktivists and gamers are becoming big users of net attacks that knock sites offline by bombarding them with data, suggests a report. Compiled by Arbor Networks, the report looks at 10 years of distributed denial of service (DDoS) attacks. The ease with which they could be staged had made them a favourite for groups with a grudge, said Arbor. Also, it said, insecure home routers were being enrolled into large groups of devices that mounted the attacks. Extortion attempt In the early days of DDoS, cybercrime gangs had used them to extort cash from websites run by betting and gambling firms that could not afford to be knocked offline, said Darren Anstee, a senior analyst at Arbor. Now, he said, attacks were being mounted by different groups and had grown considerably in size. In 2011, the biggest attacks had flung about 100 gigabits per second (Gbps) of data at targets, found the report. In 2014 that peak had hit 400Gbps and in the same year there had been four times as many attacks over 100Gbps than in the previous 12 months. "There's been a massive jump in the number of very large attacks going on out there," said Mr Anstee. "In 2014 we saw more volumetric attacks, with attackers trying to knock people offline by saturating their access to the internet." Almost 40% of the organisations Arbor contacted for its report said they were being hit by more than 21 attacks per month, said the report. The hacking group known as The Lizard Squad reportedly uses hacked home routers to mount some of its attacks Part of the reason for the shift to the large attacks could be explained by a change in the technologies being used to stage them, he said. When cybercrime gangs had been behind the majority of attacks, the data barrages had been generated by the thousands of hijacked home computers they had had under their control, he said. Botnets were still used to mount extortion attacks, he said, and were also used to divert the attention of a company's security team so they did not notice a separate attack on another part of a company's infrastructure. Figures in the report suggested that companies were getting better at spotting the early stages of an attack and recovering once they were hit, he said. However, said Mr Anstee, building a botnet was difficult for hacktivists and others, who had instead turned to other net-connected devices and technologies to generate the huge data flows. Some attacks abused the net's timekeeping system or the domain servers that kept a list of which website was where, he said. Other groups had found ways to enrol insecure home net gateways and routers into attacks, he added. Hacktivists, hacker groups such as Lizard Squad and gamers who wanted revenge on other players were the bigger users of these tactics, said Mr Anstee. It was now easy to find so-called "booter" services online that let gamers kick rivals off a particular gaming network or title by attacking that network, he said. DDoS was also being used by people keen to use their technical skills express their feelings about a real-world conflict. "If you look at DDoS attacks and try to tie them up with geopolitical events in the last few years, you will always see those events echoed in cyberspace," he said. Source

Chinese hackers have launched a wave of man-in-the-middle (MITM) attacks capable of stealing emails, contacts and passwords is targeting Microsoft Outlook users in the country. Greatfire.org, a group that reports on and works to combat Chinese government online censorship and surveillance, reported uncovering the campaign this week. "On January 17, we received reports that Microsoft's email system, Outlook (which was merged with Hotmail in 2013), was subjected to a MITM attack in China," read the Greatfire threat advisory. "This form of attack is especially devious because the warning messages users receive from their email clients are much less noticeable than the warning messages delivered to modern browsers." The attack reportedly uses a bogus certificate to push a malicious alert to Outlook users that siphons information from the victim's account if it is opened. "Users will only see an abrupt pop-up warning when the client tries to automatically retrieve messages. Users will then be able to tap on a 'continue' button and ignore the warning message," explained the advisory. "If users do click on the 'continue' button, all of their emails, contacts and passwords will be logged by the attackers." The number of affected Outlook users remains unknown, although a Microsoft spokesperson confirmed to V3 that the firm is aware of the attacks. "We are aware of a small number of customers impacted by malicious routing to a server impersonating Outlook.com. If a customer sees a certificate warning, they should contact their service provider for assistance," they said. Greatfire believes that the Chinese government is responsible for the attacks, citing similarities to previous attacks it believed were state sponsored. "Because of the similarity between this attack and previous, recent MITM attacks in China on Google, Yahoo and Apple, we once again suspect that Lu Wei and the Cyberspace Administration of China have orchestrated this attack," it said. "If our accusation is correct, this new attack signals that the Chinese authorities are intent on further cracking down on communication methods that they cannot readily monitor." The attack on Apple's iCloud occurred at the end of 2014 and was serious enough for CEO Tim Cook to fly to China. F-Secure security advisor Sean Sullivan told V3 that the Outlook attacks follow a similar pattern to the iCloud campaign and warned business users visiting China to be extra cautious. "This case appears similar to the move against iCloud back in October. Any business person travelling or working in China should use a VPN (or other measures) to access their email - or else pay very careful attention to warning messages," he said. "If you're doing business in China, be very mindful of the situation. I'd even recommend using separate hardware for the trip." Jason Steere, director of technology strategy at FireEye, mirrored Sullivan's sentiment, pointing out that, even if focused on monitoring Chinese citizens alone, the attacks could cause trouble for Western professionals visiting the country. "I suspect this attack is more about gathering intel on Chinese citizens - using international mail systems to communicate information that they could not do with a Chinese web platform due to censorship," he told V3. "However, many other people are collateral damage with information exposed that I'm sure they would prefer not to be picked up. "Anything sent or received, such as usernames, passwords, holidays, journalist sources, new stories, personal information etc, would all have been exposed during the time of the attack. "All of that information can be collected and used for intel, surveillance etc." The attack on Outlook comes less than a month after Chinese authorities began blocking local access to Google services including Gmail. Prior to the Google blockade the Beijing government mounted a mass censorship campaign that cut off access to thousands of websites, applications and cloud services in November 2014. Source

Numerous malicious attacks on computers and mobile devices as well as networks of important entities have recently made the news and have brought back to the surface the debate on cyber warfare and the dangerousness of cyber weapons. The increasing dependence on the Internet and the recent spur of attacks are beginning to create greater concern. The fear is not just based on the possibility that a cyber attack could simply cause the non-availability of information and services we are now accustomed to. The Internet has not just reshaped the way we obtain news, communicate with others, take care of our finances, watch TV and listen to music, but it is also permeating other essential fields of our lives. From power smart grids to the “Internet of Things,” the potential targets of cyber warriors are now multiple and the possible consequences catastrophic. Premeditated, politically or socially motivated attacks against a computer-dependent society could be orchestrated by foreign powers and affect nations at any level: from the availability of utilities, to denied access to important financial and medical information, to causing a significant impact on national GDPs. This article will explore the concept of cyber warfare and cyber weapons, plus recount latest happenings and discuss whether the danger is real. Cyber Warfare and Cyber Weapons The definition of cyber warfare and cyber weapons is not as clear-cut as it might seem. Distinguishing these attacks from simple cyber crimes is essential to define rules of engagements by countries and to establish what should be considered a direct act of war against the sovereignty and wellbeing of a state. According to the Tallin Manual on the International Law Applicable to Cyber Warfare – a study commissioned by the NATO Cooperative Cyber Defence Centre of Excellence that is not considered a legally binging document – cyber weapons are cyber means of warfare designed, used or intended to cause either injury or death of people or damage to or destruction of objects. Without a globally recognized definition, however, it is hard to strictly define and recognize true acts of cyber warfare, prevent attacks, hold entities accountable and define legal responses. The inability to agree to basic notions is a considerable weakness in the international arena and leaves space to much uncertainty and endless possibilities for nations beginning to employ these warfare techniques. Several definitions have been given by scholars, but, in general, a cyber weapon is intuitively considered any software, virus, and intrusion device that can disrupt critical infrastructures of other countries, from military defense systems to communications to electric power smart grids to financial systems and air traffic control. Debates have been rising on the possibility to consider cyber weapons tools used not only to directly impair systems but also to spy on nations through cyber espionage. Again, the lack of a globally-recognized legal definition doesn’t help. Have cyber weapons ever been deployed? You may recognize an incident that happened in 2009, the first known use of a cyber weapon: Stuxnet. It was a complex piece of malware believed to be an example of government cyber weapon aimed at severely disrupting the Iranian nuclear program. The paternity of the attack has been a source of debate, but in the end, it was believed to be a joint US/Israel operation. Stuxnet targeted a plant in Natanz, Iran. By turning off valves and impairing centrifuges, equipment was damaged and the Iranian uranium enrichment program effectively slowed down. However, Stuxnet might have not even been the first cyber war tool directed toward Iran. Flame, another powerful malware that masqueraded itself as a routine Microsoft software update, had already been used to map and monitor Iranian networks and collect critical information. Is a Cyber World War a Concern? A 2013 report by Director of National Intelligence James R. Clapper explained that the possibility of a major cyber attack to US critical infrastructures causing a long-term and widespread disruption of services by major players like Russia and China is remote. However, smaller scale attacks by smaller states or non-state entities seem to be a concern. According to the report, “less advanced but highly motivated actors could access some poorly protected US networks that control core functions, such as power generation, during the next two years, although their ability to leverage that access to cause high-impact, systemic disruptions will probably be limited. At the same time, there is a risk that unsophisticated attacks would have significant outcomes due to unexpected system configurations and mistakes, or that vulnerability at one node might spill over and contaminate other parts of a networked system.” This may not come as a surprise to anyone, but any telecommunications infrastructure attack could cause enough harm to generate fear. Every government or corporation entire infrastructure, let alone the public at large, may be at stake. Can digital attacks really have tangible effects? Absolutely. An oil pipeline in Turkey was cyber attacked and exploded in 2008. The pipeline was super-pressurized and alarms were shut off. By hacking security cameras, attackers (allegedly Russian) were able to hide the blast from the control room that, unaware, was unable to respond promptly. Another attack to a German steel company demonstrated how, by simply infiltrating the information systems running the plant, hackers could cause major damage. Although not a single Internet successful attack has been recognized as directed by a foreign terror organization against the United States homeland, there have been instances of intrusions intended to inflict significant harm on the American government or state agency, as well as US businesses. Last November, there was an intrusion into the networks of the Department of the State that led to the unclassified email system shutdown. Carol Morello, the diplomatic correspondent for The Washington Post who covered the affair, noted the activity was related to hacking of White House computers reported a month prior, and to security breaches that occurred at both the U.S. Postal Service and the National Weather Service. Those incidents pointed to Russian hackers as prime suspects; the perpetrators were believed to be working directly for the Russian government. Sony Pictures Entertainment (SPE) is another recent case; its networks were infected in a November 2014 incident. According to the FBI, the occurrence resembled past cyber efforts by North Korea. What makes a cyber warfare attack appealing? Mainly the fact that it can come at little or no cost for the perpetrator. An attacker with great technical capabilities can create disruption by using a single computer wherever he or she is located. While the use of conventional weapons requires expensive manufacturing and physical travel to target locations, cyber attacks can be conducted from anywhere. Traditional weapons have a cost that might be prohibitive for many and are hard to transport (or deliver) in secrecy. In other cases, attacks might require the sacrifice of the offenders. Cyber attacks are quick, can be equally destructive and can definitely be inexpensive to execute. According to Amy Chang, research associate at the Center for a New American Security, “Cyber warfare is a great alternative to conventional weapons. […] It is cheaper for and far more accessible to these small nation-states. It allows these countries to pull off attacks without as much risk of getting caught and without the repercussions when they are.” Accountability is hard to prove when cyber weapons are used. By using several proxies or infecting computers indirectly, it is difficult to trace back to a particular malicious hacker or organization on any form of attacks. And even if a culprit is found, it is hard to accuse a nation of a deliberate act of war, especially due to lack of a legal framework. The problem today is that we live in a high-tech world of uncertainty where people are not well trained and equipped for these new threats that can disrupt communications, and network traffic to and from websites and can potentially paralyze Internet service providers (ISPs) at the international level across national borders. So, in the face of constant security threats, there is a need for all to fully understand how to handle cyber security issues and cyber war and how to mitigate risks and minimize the damage, as best as possible if the circumstances arise. Cyberspace and its Security What can be done and who should act in defense of a nation’s cyberspace? The answer may be complicated. Defending cyberspace is not an easy feat, considering the number of interconnected computers, mobile devices and networks. The majority of the systems, including those regulating nations’ critical infrastructures, are interconnected and then vulnerable not only to direct attacks but also to infection by transmission. Ironically, the numerous technological advances might also pose a risk, as cyber terrorists seem to be always a step forward in identifying security vulnerabilities before security experts can patch them. Lack of recognized rules in cyberspace and difficulty to implement boundaries complete the picture. Lacking a real global response to cyber warfare, many countries and organizations are creating structures and task forces to prepare against cyber threats. According to intelligence studies, more than 140 countries have funded cyber weapon development programs. The U.S. is particularly active and created the USCYBERCOM that “plans, coordinates, integrates, synchronizes, and conducts activities to: direct the operations and defense of specified Department of Defense information networks and; prepare to, and when directed, conduct full-spectrum military cyberspace operations in order to enable actions in all domains, ensure US/Allied freedom of action in cyberspace and deny the same to our adversaries.” In 2012, the U.S. Defense Advanced Research Projects Agency (DARPA) invested $110 million in Plan X, a “Cyberspace is now recognized as a critical domain of operations by the U.S. military and its protection is a national security issue. Plan X is a foundational cyberwarfare program to develop platforms for the Department of Defense to plan for, conduct, and assess cyber warfare in a manner similar to kinetic warfare.” The program was included in DARPA’s reported $1.54 billion cyber budget for 2013-2017. Recently, the U.S. Naval Academy also received $120M to build a classified cyber warfare center in 2016. The center will allow midshipmen to work on classified system and acquire cyber warfare skills. Organizations like the European Advanced Cyber Defence Centre (ACDC), the NATO Computer Incident Response Capability (NCIRC) and the Internet Engineering Task Force (IETF), amongst many others, are working on fighting back against organized, international cyber criminals that have used cyberspace as a warfighting domain. However, this may not be enough to avoid terrorism-based cyberwar attacks, so everyone ought to prepare proactively and effectively by securing systems as much as possible. In an Internet-connected world, every end user is at risk, either directly or indirectly. The Internet provides many different ways to attack. Internet-connected systems must be secured on a global scale. With cyberspace being so vast, flexible, and unregulated, all its users are highly vulnerable to dangers from outside threats. Recent cyber attacks highlight the potential threat posed by information warfare tactics and techniques that use computer connectivity and exploit vulnerabilities sometimes caused by users’ inattentiveness or lack of basic cyber security practices. Proper use of intrusion-detection and intrusion-prevention systems (IDS/IPS) and firewalls (a network’s first line of defense against threats) is a basic response. Through real-time analysis of network traffic—i.e., to investigate and contain these security threats—people can detect the majority of the less sophisticated hacking attacks at a user level. Larger companies must be more aware than ever about their network security vulnerabilities and secure their properties with proper Advanced Threat Protection Platforms for endpoint protection and server security. In the case of government-orchestrated cyber attacks, one of the main lines of defense is the creation of a common front against attackers. There is no better time than now to open collaboration and dialogue amongst various industries and government agencies to take action. Attacks against larger, interconnected systems might be more easily disclosed by comparing data and creating common task forces. Detection and prevention alone may not be enough to stop the attackers, each time, but at least it may inhibit future, similar threats. The Internet might be becoming a new weapon for terrorists, so overcoming cyber vulnerability requires multiple different organizations to come forward and stop the launch of cyber threats that can manipulate the physical world while operating without international boundaries. Conclusion Some of the numerous larger-scale cyber attacks can be intuitively considered acts of cyber war. With many countries large and small investing in cyber warfare, it is impossible not to think of the use of “information warfare” as a new form of terrorism. Information warfare goes beyond simply attacking computers and communications networks, as a computer-literate terrorist can wreak havoc causing physical destruction and harm to populations. The Internet can be turned into a weapon used against targets by terrorists hidden in cyberspace to carry out cyber violence and disruption, while being physically located elsewhere. Computer-related crimes, as an extension of terrorist attacks, have the potential of bringing catastrophic side effects. Cyberspace is increasingly becoming a place of risk and danger, vulnerable to hacks and cyber warfare. With today’s civilization dependent on interconnected cyber systems to virtually operate many of the critical systems that make our daily lives easier, it is obvious that cyber warfare can be the choice for many governments and states, especially those that don’t have access to expensive, conventional weapons of mass destruction. So, how do we counteract such attacks? If cyber warfare is considered war, then anti-terrorism defenses must be deployed. First, though, a legal basis for responses to attacks must be defined. A legal definition of cyber war and cyber weapon, a definition agreed upon globally, is necessary to define the perimeters within which nations can operate in cyberspace. It is important to define what to consider cyber espionage, cyber war or an act of simple hacking. Lacking a clear definition and a global cyber etiquette, nations are left with creating their own defense against cyber weapons and cyber espionage. Exploring real-world examples, continuously monitoring the Information Superhighway, and endorsing cyber security awareness, web security and online safety are the tools currently available for an effective international governance of the Internet. Although the United States has not been subjective to real, destructive cyber terrorism as of today, in terms of hostile action or threat, it has identified a number of ways terrorists can use the computer as a tool for hacking or information warfare. As the job of a cyberterrorist has become more difficult to detect, in time, information control may also be critical for successful counter-terrorism and avoidance of infrastructure warfare. Therefore, it is paramount to investigate some common defense mechanisms that can help pinpoint and capture these threats before they affect massive numbers of people and impair activities in a much more pervasive way. References Brecht, D. (2014, December). Are Cyber Threats the New Terrorism Frontier? Cyber Warnings E-Magazine, 28-32. Retrieved from index Clapper, J. R. (2013, March 12). US Intelligence Community Worldwide Threat Assessment Statement for the Record. Retrieved from http://www.odni.gov/files/documents/Intelligence%20Reports/2013%20ATA%20SFR%20for%20SSCI%2012%20Mar%202013.pdf Donohue, B. (2014, December 19). FBI Officially Blames North Korea in Sony Hacks. Retrieved from FBI Officially Blames North Korea in Sony Hacks | Threatpost | The first stop for security news Kostadinov, D. (2012, December 21). Cyberterrorism Defined (as distinct from “Cybercrime”). Retrieved from Cyberterrorism Defined (as distinct from “Cybercrime”) - InfoSec Institute Morello, C. (2014, November 16). State Department shuts down its e-mail system amid concerns about hacking. Retrieved from State Department shuts down its e-mail system amid concerns about hacking - The Washington Post NATO REVIEW. (n.d.). The history of cyber attacks – a timeline. Retrieved from http://www.nato.int/docu/review/2013/cyber/timeline/EN/index.htm Paganini, P. (2013, December 6). Cyber warfare – Why we need to define a model of conflict? Retrieved from http://securityaffairs.co/wordpress/20204/intelligence/cyber-warfare-model-of-conflict.html Storm, D. (2014, December 22). Cyberwarfare: Digital weapons causing physical damage. Retrieved from http://www.computerworld.com/article/2861531/cyberwarfare-digital-weapons-causing-physical-damage.html Suciu, P. (2014, December 21). Why cyber warfare is so attractive to small nations. Retrieved from http://fortune.com/2014/12/21/why-cyber-warfare-is-so-attractive-to-small-nations/ Source