Showing posts with label attack. Show all posts

Monday, 30 September 2013

Internet Explorer hackers use same tools as Bit9 attack

A criminal group exploiting the recently discovered Internet Explorer browser zero-day vulnerability has been linked to the Chinese hackers who compromised the Bit9 security platform earlier this year.

The connection between the two groups is in the command and control infrastructure used, says security vendor FireEye. Within the two infrastructures were similar malware, IP addresses, and email addresses used to register domains.

The latest attack, which FireEye has dubbed Operation DeputyDog, appears to target manufacturers, government entities and media organizations in Japan, said Darien Kindlund, manager of FireEye Threat Intelligence. The group hid IE exploits on three Japanese news sites, hoping to compromise visitors' PCs.

The compromised sites recorded more than 75,000 page views before the exploits were discovered. The attackers apparently were casting a wide net in looking for systems belonging to the desired targets. The exploit would have worked on all versions of IE, starting with IE 6.

"Maybe only a fraction of those compromised systems are really their true intended targets," Kindlund said. "The others are considered collateral damage."

Microsoft acknowledged September 17 that there was a previously unknown vulnerability in IE that was being exploited by cybercriminals on the Internet. The attack in Japan was discovered two days after Microsoft disclosed the flaw, which enables criminals to execute code on victims' computers.

Researchers have said that nearly 70 percent of Windows business users are open to attack. The threat is serious enough that experts believe Microsoft will release a fix before its scheduled monthly patch release set for October 8.

Bit9 revealed in February that its code-signing certificates had been stolen, making it possible for the thieves to bypass the vendor's security platform and run malware on customers' systems.

The certificates are used to identify trusted applications on customers' whitelists of approved software. The hackers apparently figured out a way to go around this normally effective system by going after the vendor first.

In a report released last week, Symantec identified the Bit9 attackers, dubbed the Hidden Lynx group, as a professional team of hackers for hire who have operated since at least 2009.

The group is able to run multiple campaigns at once and has breached some of the "world's best-protected organizations," Symantec said. The infrastructure and tools used by the hackers originate from network infrastructure in China.

The hackers typically use Trojans designed specifically for a pay-to-order attack to steal intellectual property.



Thursday, 12 September 2013

Cyberspies attack key South Korean institutions, North Korean hackers suspected

South Korean organizations that conduct research on international affairs, national security and Korean unification are under siege from cyberspies whose attack may have its origins in North Korea.

The attack campaign, which has been dubbed “Kimsuky,” involves the use of malware to steal sensitive information from these institutions and has been monitored for the past several months by researchers from antivirus vendor Kaspersky Lab.

The full list of victims remains unknown, but Kaspersky’s technical analysis suggests that organizations targeted included: the Sejong Institute, a non-profit think tank that conducts research in the areas of national security, unification, regional issues and international political economy; the Korea Institute for Defense Analyses (KIDA), a research institution whose research focuses on military planning, security and strategy, human resource development, weapon systems, and more; the South Korean Ministry of Unification which works towards the reunification of Korea and promotes inter-Korean dialogue and the Hyundai Merchant Marine, a South Korean logistics company specialized in container shipping.

“Among the organizations we counted, 11 are based in South Korea and two entities reside in China,” Dmitry Tarakanov, a malware researcher at Kaspersky Lab, said Wednesday in a blog post.

The malware used in the attack, which is now detected by Kaspersky products as Trojan.Win32.Kimsuky, communicates with attackers through a free webmail service in Bulgaria called mail.bg. The malware connects to the webmail interface and authenticates with hardcoded credentials for specific mail.bg accounts.

It then checks the inbox folder for messages that have subject lines indicating certain commands from attackers. Those emails can also contain encrypted attachments, which are encrypted malicious executable files that serve as updates or additional components for the malware.

It’s not clear how attackers distribute the Kimsuky Trojan horse program to their targets, but spear-phishing is a likely possibility, Tarakanov said.

The malware has several modules used for different functions that include keylogging, collecting directory listings from the infected computers, searching for and stealing documents in the HWP format that are generated by the South Korean Hancom Office Suite software and allowing attackers to remotely control the infected computers.

The remote control module is actually a modified version of TeamViewer, a legitimate remote control application, Tarakanov said.

The malware reports the infection status and sends all of the stolen data back to the attackers using the same webmail-based technique. The data is encrypted and attached to emails which are sent from the mail.bg accounts to hardcoded Hotmail accounts used by the attackers.
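One practical check that follows from the mechanism described above, as an added example that is not part of the article or of Kaspersky's analysis: an implant that polls a webmail inbox for commands and pushes results back through the same account does so on a timer, whereas a person reads mail at irregular moments. The script below parses proxy log lines, groups the requests each client makes to a watched webmail host, and flags clients whose inter-request gaps are machine-regular. The log format, the sample lines, the client addresses and the thresholds are all constructed for this example; only the host name mail.bg comes from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, pstdev
from urllib.parse import urlsplit

# mail.bg is the host named in the article; extend the set with whatever free
# webmail services show up in your own proxy logs.
WATCHED_WEBMAIL = {"mail.bg"}
MIN_REQUESTS = 5   # assumption: fewer samples than this say nothing about regularity
MAX_CV = 0.10      # assumption: gaps varying by under 10% of the mean look machine-timed

# Constructed proxy log format (not from the article):
# <ISO-8601 UTC> <client IP> <method> <URL> "<User-Agent>"
LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"$')

# Constructed sample: 10.1.4.22 polls the inbox every ten minutes give or take a
# few seconds (implant-like); 10.1.7.9 reads mail at human intervals.
SAMPLE_LOG = """\
2013-09-11T08:57:10Z 10.1.7.9 GET http://mail.bg/ "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"
2013-09-11T09:00:04Z 10.1.4.22 GET http://mail.bg/mail/inbox "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-09-11T09:10:02Z 10.1.4.22 GET http://mail.bg/mail/inbox "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-09-11T09:12:30Z 10.1.4.22 GET http://www.google.com/ "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-09-11T09:20:05Z 10.1.4.22 GET http://mail.bg/mail/inbox "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-09-11T09:30:01Z 10.1.4.22 GET http://mail.bg/mail/inbox "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-09-11T09:31:44Z 10.1.7.9 GET http://mail.bg/mail/inbox "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"
2013-09-11T09:40:04Z 10.1.4.22 GET http://mail.bg/mail/inbox "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-09-11T09:50:03Z 10.1.4.22 GET http://mail.bg/mail/inbox "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
2013-09-11T10:02:01Z 10.1.7.9 GET http://mail.bg/mail/inbox "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"
2013-09-11T10:03:15Z 10.1.7.9 GET http://mail.bg/mail/compose "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"
2013-09-11T12:40:00Z 10.1.7.9 GET http://mail.bg/mail/inbox "Mozilla/5.0 (Windows NT 6.1) Firefox/23.0"
garbage line without a user agent
"""


def parse_line(line):
    """Return (timestamp, client, method, host, user_agent) or None for unparsable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, ua = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, client, method, urlsplit(url).hostname, ua


def find_beacons(lines):
    """Map (client, host) -> stats for clients whose webmail requests are evenly spaced."""
    seen = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        when, client, _method, host, _ua = rec
        if host in WATCHED_WEBMAIL:
            seen[(client, host)].append(when)

    hits = {}
    for key, times in seen.items():
        if len(times) < MIN_REQUESTS:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg          # coefficient of variation: low means regular
        if cv <= MAX_CV:
            hits[key] = {"requests": len(times), "mean_gap_s": round(avg, 1), "cv": round(cv, 3)}
    return hits


if __name__ == "__main__":
    for (client, host), stats in find_beacons(SAMPLE_LOG.splitlines()).items():
        print(f"{client} -> {host}: {stats}")
```

On the constructed sample only 10.1.4.22 is reported, with six inbox fetches about 600 seconds apart. A real deployment would read the proxy log from disk, add the other free webmail hosts in use, and pair the timing signal with the user agent, since an implant reusing a browser's string on a machine that otherwise sends a different one is a second, independent tell.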

On system startup, the malware disables a firewall product developed by AhnLab, a South Korean security software vendor, if present and then turns off the Windows Security Center service in order to prevent the system from alerting users that no firewall is running.

A lot of South Korean organizations use AhnLab security products and because the targets are almost exclusively from South Korea, the attackers don’t even bother trying to evade security products from other vendors, Tarakanov said.

Taking into account the profiles of the targeted organizations, one could easily suspect that the attackers might be from North Korea, the researcher said. “The targets almost perfectly fall into their sphere of interest.”

One piece of evidence that supports this theory has to do with the geographic location of the Internet Protocol (IP) addresses used by the attackers.

“During our analysis, we observed ten IP addresses used by the Kimsuky operators,” Tarakanov said. “All of them lie in ranges of the Jilin Province Network and Liaoning Province Network, in China.”

“Interestingly, the ISPs providing Internet access in these provinces are also believed to maintain lines into North Korea,” the researcher said, adding that no other IP addresses have been discovered that would put the attackers’ activity in other IP ranges.

South Korea frequently attributes cyberattacks against organizations and institutions in the country to North Korean hackers. However, as with most cyberattacks, establishing the location of the attackers with a high degree of certainty is not possible.



Monday, 2 September 2013

High-profile hack attack offers a lesson for other at-risk sites

It happened early last week: Twitter started buzzing; one of the world's largest news portals was offline, and a hacking group was claiming responsibility. The Syrian Electronic Army (SEA), a pro-Assad hacking group known for their previous campaigns against media organizations, altered the DNS records for the New York Times, Twitter, and the Huffington Post. The group also targeted ShareThis.com, a platform that enables readers to share links to content on a wide range of services, including social media, sites like Reddit, Slashdot, and more.

Twitter had the most issues to deal with, as its URL shortening service (t.co) as well as its primary domain and image hosting service (twimg.com) all had their DNS records altered. The attack was possible due to a social engineering campaign launched by the SEA that targeted MelbourneIT, the registrar responsible for hosting the targeted DNS servers.

According to reports, including those from MelbourneIT themselves, the SEA spent some time on this campaign, and created a clever phishing email that eventually snared an unknown reseller's username and password, which granted them access to the domain controls needed to alter DNS settings.

While this attack was bad, things could have certainly been much worse, as other large brands also use MelbourneIT for their DNS. Among the other customers are Yahoo, Google, Microsoft, Adobe, IKEA, and AOL. Fortunately, the account that the SEA compromised didn't share access to those domains.

"Social-engineering and most specifically phishing is one of the largest attack surfaces we face in the security industry. Hacking through websites and breaching perimeters takes way too much time and usually not worth the effort. Sending a targeted email to a company almost guarantees you access to whatever you want and we aren't capable of handling these types of attacks right now," said Dave Kennedy, the creator of the Social Engineer Toolkit and the founder of TrustedSec, in an email to CSO.

Kennedy added, "My question to everyone right now is that if they are targeting resellers, outside parties, and people not always in the company, but control certain aspects of an organization, where does this leave our massive exposures in the cloud?"

In the wake of the Twitter and New York Times attacks, several major brands remain at risk. The risk comes from two angles; the first is exposure to social engineering. Should an attacker gain access to the DNS controls directly, then a situation such as the one that occurred this week could certainly happen again.

The other angle is the use of a registry lock. As details emerged about how the New York Times, Twitter, and the others were attacked, thanks to disclosures from MelbourneIT, one of the defenses being touted is the practice of applying a Registry Lock flag to critical domains.

Registry locks are requested through the registrar but applied by the registry itself, and are used to prevent unauthorized or unwanted changes to a domain. Once a domain name is flagged, the lock prevents nameserver (DNS) modifications, contact modifications, transfers, and deletion. Any change requires additional verification outside of a username and password, so a phished registrar or reseller login on its own is not enough to alter the domain.

Rapid7's Chief Research Officer, HD Moore, monitored many of the Web's top brands in the aftermath of the SEA attacks. In the hours following the attacks, a number of brands had registry locks placed on their domains. As expected, Twitter locked t.co and twimg.com, but they also added a lock to tweetdeck.com and vine.com. The Huffington Post, another victim of the SEA, also added a registry lock. Moreover, Patch.com, MapQuest.com, Starbucks.com, and TechCrunch.com also added registry locks.

Among those brands lacking registry lock protection are Adobe (Adobe.com and Acrobat.com), American Airlines, AOL, BB&T Bank, Australia and New Zealand Banking Group, Cisco, IBM, and 1&1 Internet (Mail.com), just to name a few. There are plenty of others, including major security firms (McAfee), media (Houston Chronicle, SF Gate), as well as service portals such as PR Newswire and Monster.com.

In an email sent to CSO, Moore said that although twitter.com did have a lock in place, at the time of the attack, many large-brand domains were hosted with MelbourneIT and were not locked.

"There is no evidence that the attackers made changes to these domains, but these were potentially vulnerable at the time the attack took place. In other words, things could have been much worse."

In a statement, MelbourneIT encouraged domain owners to use registry locks. While the protection offered isn't foolproof, it's another layer of defense.

"For mission critical names we recommend that domain name owners take advantage of additional registry lock features available from domain name registries including .com... Some of the domain names targeted on the reseller account had these lock features active and were thus not affected."



Thursday, 29 August 2013


Twitter, New York Times, other marquee sites hit by powerful cyber attack

Twitter, The New York Times, and other prominent websites were struck by a powerful cyberattack that continued affecting other websites into Tuesday evening, directing visitors to a site purportedly controlled by the Syrian Electronic Army (SEA).

The attackers apparently struck an Australian IT services company, Melbourne IT, which provides domain name registration services. The pro-Syrian government SEA has recently conducted several high-profile attacks against media and other websites.


It appears that the hackers modified master DNS (Domain Name System) entries, allowing them to replace the correct IP addresses for Twitter.com and NYTimes.com with their own, said David Ulevitch, CEO and founder of the security company OpenDNS.

OpenDNS monitors when domains are redirected, and it appeared the attack was continuing into the evening U.S. time, Ulevitch said.

DNS is a distributed address book for websites. It allows a domain name, such as idg.com, to be translated into an IP address that a browser can connect to. Attacks against DNS can be powerful, as they can shift lots of traffic suddenly to a website controlled by an attacker, which could then pose further risk to the visitors inadvertently pushed there.

The Twitter.com and NYTimes.com domains are listed as being registered with Melbourne IT, according to "whois," the domain name registration database.

As a domain name registrar, Melbourne IT holds the master DNS record, Ulevitch said. It would appear that the affected sites, some of which were listed by security vendor AlienVault Labs, have their master DNS records with Melbourne IT.

There are a few ways hackers could modify a DNS record. A hacker could obtain the access credentials needed to modify an organization's DNS record with a registrar such as Melbourne IT. Ulevitch said that kind of hack is unlikely in this case since so many websites were redirected.

It is more likely that the attackers gained access to Melbourne IT's infrastructure, he said. Melbourne IT officials could not be immediately reached on Wednesday morning.

DNS hacks can have other serious consequences. Redirecting The New York Times' domain name also means email to and from the company could have been redirected to the server controlled by the attacker.

"If you're a confidential source for The New York Times and sending an email that's rerouted to another mail server, you've just blown your cover," Ulevitch said.

In a news story, the newspaper wrote that "the attack also forced employees of The Times to take care in sending e-mails."

Also, the website that people are being redirected to could also be engineered to check if visitors have unpatched software vulnerabilities that could be used to infect their computers with malware.

Since the websites in this attack have high traffic, "you can infect millions of people in minutes," Ulevitch said.

The SEA's website is based in Russia, said Jaime Blasco, director of AlienVault. That website was not responding, which was likely the result of an overwhelming amount of redirected traffic. The SEA could not immediately be reached for comment.

Eileen M. Murphy, vice president of corporate communications for the New York Times, said the newspaper's website appeared down to people browsing from within the U.S. but was working for those outside the country.

"We're working on resolving it as we speak," Murphy said.

Twitter said one of its domains used for serving images, twimg.com, was affected starting at 20:49 UTC and disrupted the viewing of some images. The domain was restored at 22:29 UTC, Twitter wrote in a service update.

"No Twitter user information was affected by this incident," the company said.

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk



Spear phishing led to DNS attack against the New York Times, others

The cyberattack that resulted in nytimes.com and some other high-profile websites being inaccessible to a large number of users Tuesday started with a targeted phishing attack against a reseller for Melbourne IT, an Australian domain registrar and IT services company.

The attack resulted in hackers changing the DNS (Domain Name System) records for several domain names including nytimes.com, sharethis.com, huffingtonpost.co.uk, twitter.co.uk and twimg.com—a domain owned by Twitter—Jaime Blasco, director of the research lab at security firm AlienVault, said Tuesday in a blog post.

This resulted in traffic to those Websites being temporarily redirected to a server under the attackers’ control.

Hackers also made changes to the registration information for some of the targeted domains, including Twitter.com. However, Twitter.com itself was not impacted by the DNS hijacking attack.

A hacker group called the Syrian Electronic Army (SEA) that publicly supports Syrian President Bashar al-Assad and his government took credit for the attack via Twitter. During the past several months the group broke into the websites or Twitter accounts of several media organizations including the Financial Times, the Associated Press, The Guardian, BBC, and Al Jazeera.

Initial information suggested that the systems of Melbourne IT, the company through which all of the affected domain names were registered and administered, might have been hacked. However, the company later revealed that it was one of its resellers whose account was actually compromised.

”The credentials of a Melbourne IT reseller (username and password) were used to access a reseller account on Melbourne IT’s systems,” Tony Smith, general manager of corporate communications at Melbourne IT, said Wednesday via email. “The DNS records of several domain names on that reseller account were changed, including nytimes.com.”

The name of the reseller was not disclosed.

According to Smith, the affected DNS records have been reverted back to their original values and have been locked from further modification at the .com registry level. The .com registry and DNS zone are operated by VeriSign.

In a subsequent statement sent via email, Bruce Tonkin, the chief technology officer of Melbourne IT, revealed that the compromise was the result of a targeted phishing attack that might have affected multiple accounts.

”We have obtained a copy of the phishing email and have notified the recipients of the phishing email to update their passwords,” Tonkin said Tuesday via email. “We have also temporarily suspended access to affected user accounts until passwords have been changed.”

Some users likely remained affected by the attack even after the DNS records were corrected by Melbourne IT in its system, as the recursive DNS servers of their ISPs continued to serve the compromised records from cache until their time-to-live (TTL) value expired. Because of caching, DNS record changes can take up to 24 hours to propagate through the entire Internet.

DNS hijacking attacks can affect users beyond just preventing them from accessing a website, because they also allow attackers to redirect users to malicious content. According to Matthew Prince, CEO of CloudFlare, a company that provides website optimization and security services, this actually happened during this particular attack.

”Technical teams from CloudFlare, OpenDNS and Google jumped on a conference call and discovered what appeared to be malware on the site to which the NYTimes.com site was redirected,” Prince said Tuesday in a blog post.

”The registrar of the primary domain the Syrian Electronic Army was using as a name server for the domains they hacked revoked the domain’s registration this afternoon,” he said. “Since the cache TTL on the domain was relatively short, shortly after the domain was revoked traffic largely stopped flowing to the malware infected sites.”

Prince and CloudFlare did not immediately respond to an inquiry seeking more information about the type of malware that had been served during the attack.

In order to prevent rogue modification of DNS records, domain owners can ask their registrars to put registry locks in place for their domains, like Melbourne IT did for nytimes.com and the other affected websites. This lock is placed at the registry level, meaning with those companies that administer the .com, .net, .org, and other domain extensions.

”Registrars generally do not make it easy to request registry locks because they make processes like automatic renewals more difficult,” Prince said. “However, if you have a domain that may be at risk, you should insist that your registrar put a registry lock in place. It’s worth noting that while some of Twitter’s utility domains were redirected, Twitter.com was not—and Twitter.com has a registry lock in place.”
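The survey HD Moore ran across major brands after the attack, and the registry lock Prince recommends here, both come down to reading a domain's EPP status codes. The script below is an added example, not code from Rapid7, CloudFlare or Melbourne IT: it parses the Domain Status lines from whois output and tells a registry lock (the server*Prohibited codes, which only the registry can clear) apart from a registrar-side lock (the client*Prohibited codes, which anyone holding the phished reseller credentials could have removed) and from no lock at all. The whois excerpts and domain names are constructed; the status code names are the standard EPP ones defined in RFC 5731.

```python
import re
import sys

# EPP status codes (RFC 5731). "server" codes are set and removed only by the registry,
# so a domain carrying all three is registry-locked. "client" codes are set by the
# registrar and fall with the same credentials an attacker phishes.
REGISTRY_LOCK = {"serverUpdateProhibited", "serverDeleteProhibited", "serverTransferProhibited"}
REGISTRAR_LOCK = {"clientUpdateProhibited", "clientDeleteProhibited", "clientTransferProhibited"}

# Matches the "Domain Status:" lines that .com/.net-style registries print in whois output.
STATUS_RE = re.compile(r"^\s*Domain Status:\s*(\w+)", re.IGNORECASE | re.MULTILINE)


def parse_statuses(whois_text):
    """Extract the set of EPP status code names from raw whois output."""
    return set(STATUS_RE.findall(whois_text))


def assess(whois_text):
    """Classify a domain's lock state and list the registry-lock codes it lacks."""
    statuses = parse_statuses(whois_text)
    if REGISTRY_LOCK <= statuses:
        level = "registry-locked"
    elif statuses & REGISTRAR_LOCK:
        level = "registrar-locked only"
    else:
        level = "unlocked"
    return {
        "level": level,
        "missing": sorted(REGISTRY_LOCK - statuses),
        "statuses": sorted(statuses),
    }


# Constructed whois excerpts for made-up names; these are not real records.
LOCKED = """\
Domain Name: LOCKED.EXAMPLE
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
"""

REGISTRAR_ONLY = """\
Domain Name: REGISTRAR-ONLY.EXAMPLE
Registrar: Example Registrar, Inc.
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
"""

UNLOCKED = """\
Domain Name: UNLOCKED.EXAMPLE
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
"""


def check_all(records):
    """Summarise several domains at once, as a post-incident sweep would."""
    return {name: assess(text)["level"] for name, text in records.items()}


if __name__ == "__main__":
    # Pipe real output in with:  whois example.com | python registry_lock_check.py
    text = sys.stdin.read() if not sys.stdin.isatty() else LOCKED
    print(assess(text))
```

A registrar-only lock still matters (it blocks accidental transfers and stops some opportunistic hijacks), but it is exactly the control that a compromised reseller account can switch off before changing the nameservers, which is why the domains that survived the MelbourneIT incident were the ones with the server-side codes.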

SEA claimed Wednesday on Twitter that they hacked Melbourne IT’s blog site. A message left on the site read “Hacked by SEA, Your servers security is very weak,” suggesting that the hacker group might still have some level of access to Melbourne IT’s systems.



Thursday, 22 August 2013

Hackers attack League of Legends, steal user account data and credit card info

Game over, man, game over! Late Tuesday, Riot Games announced that hackers managed to breach the company's servers, swiping the usernames, email addresses, salted password hashes, and real-world names of North American players of the uber-popular League of Legends game. Worse, nearly 120,000 credit card transactions have been accessed.

"The payment system involved with these records hasn't been used since July of 2011, and this type of payment card information hasn't been collected in any Riot systems since then," Riot Games founders Marc Merrill and Brandon Beck explained in a blog post. "We are taking appropriate action to notify and safeguard affected players. We will be contacting these players via the email addresses currently associated with their accounts to alert them."

League of Legends had roughly 70 million registered users as of last October, with 12 million users active daily. In March, Riot said the game often has more than five million players online simultaneously. (It's also one of the 12 frustrating games we can't help but love.)

Affected players will want to keep an eye on their bank statements, but fortunately, those transactions were also hashed and salted, which means, like the swiped passwords, that they are very unlikely to be cracked any time soon. Even so, all League of Legends users will have to change their passwords the next time they log into the system. Better safe than, well, even more sorry.
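What "salted and hashed" actually buys the affected players, as an added example that is not Riot's code: an unsalted hash is the same for every user who picked the same password, so one precomputed table of common passwords cracks the whole dump at once; a per-user random salt plus a slow key-derivation function forces the attacker to redo the full computation for every guess against every single record. The wordlist, the iteration count and the scheme details below are assumptions for the example; the article says only that the leaked hashes were salted.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000   # assumption: tune for your hardware; every extra iteration costs the attacker too


def hash_unsalted(password):
    """The weak scheme: one deterministic digest per password, shared by every user."""
    return hashlib.sha1(password.encode()).hexdigest()


def store_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 record: algorithm$iterations$salt$digest."""
    if salt is None:
        salt = secrets.token_bytes(16)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    calc = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(calc, bytes.fromhex(digest_hex))


# Constructed wordlist standing in for a leaked-password dictionary.
WORDLIST = ["123456", "password", "letmein", "summoner1", "qwerty"]


def precomputed_table(wordlist):
    """Built once, reused against every unsalted hash ever leaked."""
    return {hash_unsalted(w): w for w in wordlist}


def crack_unsalted(digest_hex, table):
    """A dictionary lookup: no per-hash work at all."""
    return table.get(digest_hex)


def crack_salted(record, wordlist):
    """No shortcut: each guess is a full PBKDF2 run bound to this record's salt.
    Returns (password or None, number of PBKDF2 runs spent)."""
    work = 0
    for w in wordlist:
        work += 1
        if verify_password(w, record):
            return w, work
    return None, work


if __name__ == "__main__":
    table = precomputed_table(WORDLIST)
    print("unsalted:", crack_unsalted(hash_unsalted("letmein"), table))
    rec = store_password("letmein")
    print("salted record:", rec)
    print("salted:", crack_salted(rec, WORDLIST))
```

Two users with the same password get different records, so the attacker's table cannot be shared across accounts, and the iteration count sets the price of every guess. This is also why the advice in the next paragraph matters: a reused password cracked from some other site's unsalted dump needs no cracking here at all.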

If you used your League of Legends password at other websites, you'd be smart to change those as well. Or even better yet, take this opportunity to stop reusing passwords. (PCWorld has a guide to staying password-secure while maintaining your sanity.)

Riot also announced plans to add a couple of features to its security arsenal in the coming weeks and months. New accounts will need to be tied to a valid email address, and players will need to confirm any changes to existing accounts either via email or text message. Yup, that's a form of two-factor authentication, in case you were wondering.

This isn't the first time Riot has run into security woes. Last year, European League of Legends players had their account data compromised. Worried MOBA players shouldn't necessarily think the grass is greener on the other side of the fence, though. In 2011, Valve, maker of Defense of the Ancients 2, League of Legends' prime competitor, also fell victim to a hack attack that resulted in lost passwords and credit card info.

Brad Chacos spends the days jamming to Spotify, digging through desktop PCs and covering everything from BYOD tablets to DIY tesla coils.



Poison Ivy, used in RSA SecurID attack, still popular

A malicious software tool perhaps most famously used to hack RSA's SecurID infrastructure is still being used in targeted attacks, according to security vendor FireEye.

Poison Ivy is a remote access trojan (RAT) that was released eight years ago but is still favored by some hackers, FireEye wrote in a new report released Wednesday. It has a familiar Windows interface, is easy to use and can log keystrokes, steal files and passwords.

Since Poison Ivy is still so widely used, FireEye said it is harder for security analysts to link its use to a specific hacking group.

For its analysis, the company collected 194 samples of Poison Ivy used in attacks dating to 2008, looking at the passwords used by the attackers to access the RATs and the command-and-control servers used.

Three groups, one of which appears to be based in China, have been using Poison Ivy in targeted attacks going back at least four years. FireEye identified the groups by the passwords they use to access the Poison Ivy RAT they've placed on a target's computer: admin338, th3bug and menuPass.

The group admin338 is believed to have been active as early as January 2008, targeting ISPs, telecoms companies, government organizations and the defense sector, FireEye wrote.

Victims are usually targeted by that group with spear-phishing emails, which contain a malicious Microsoft Word or PDF attachment with the Poison Ivy code. The emails are in English but use a Chinese character set in the email message body.

Poison Ivy's presence may indicate a more discerning interest by an attacker, since it must be controlled manually in real-time.

"RATs are much more personal and may indicate that you are dealing with a dedicated threat actor that is interested in your organization specifically," FireEye wrote.

To help organizations detect Poison Ivy, FireEye released "Calamine," a set of two tools designed to decode its encryption and figure out what it is stealing.

Stolen information is encrypted by Poison Ivy using the Camellia cipher with a 256-bit key before it is sent to a remote server, FireEye wrote. The encryption key is derived from the password the attacker uses to unlock Poison Ivy.

Many of the attackers simply use the default password, "admin." But if the password has changed, one of Calamine's tools, the PyCommand script, can be used to intercept it. A second Calamine tool can then decrypt Poison Ivy's network traffic, which can give an indication of what the attacker has been doing.
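An analyst's view of what the traffic decryption above depends on, as an added example that is not FireEye's Calamine code: because the Camellia key is derived from the operator's password, a captured handshake can be tested against a short list of passwords (the default "admin" and the three group passwords named in the report) to recover the key without touching the implant, after which the session payload decrypts offline. The page confirms only that Poison Ivy encrypts with Camellia under a 256-bit key derived from the password; the zero-padding of the password to 32 bytes, the use of ECB mode, and a handshake in which the implant returns the encryption of a 256-byte challenge are assumptions here, and the challenge bytes and payload are constructed. The example needs the `cryptography` package.

```python
import hashlib

from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

# Passwords named in the FireEye report: the default plus the three group identifiers.
KNOWN_PASSWORDS = ["admin", "admin338", "th3bug", "menuPass"]


def poison_ivy_key(password):
    """Turn the operator password into a 32-byte Camellia-256 key.

    Assumption (not stated on this page): the password's raw bytes are
    zero-padded to the key length.
    """
    raw = password.encode("latin-1")
    if len(raw) > 32:
        raise ValueError("password longer than the 32-byte key")
    return raw.ljust(32, b"\x00")


def camellia_ecb(key, data, encrypt=True):
    """Camellia in ECB mode (mode is an assumption); data must be whole 16-byte blocks."""
    if len(data) % 16:
        raise ValueError("Camellia-ECB needs whole 16-byte blocks")
    cipher = Cipher(algorithms.Camellia(key), modes.ECB())
    op = cipher.encryptor() if encrypt else cipher.decryptor()
    return op.update(data) + op.finalize()


def identify_password(challenge, response, candidates=KNOWN_PASSWORDS):
    """Return the candidate password whose key maps challenge -> response, or None."""
    for pw in candidates:
        if camellia_ecb(poison_ivy_key(pw), challenge) == response:
            return pw
    return None


def decrypt_payload(password, ciphertext):
    return camellia_ecb(poison_ivy_key(password), ciphertext, encrypt=False)


# Constructed sample, not a real capture: a 256-byte challenge built
# deterministically so the example is repeatable, and the response an implant
# keyed with "th3bug" would send back under the assumed handshake.
SAMPLE_CHALLENGE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))
SAMPLE_RESPONSE = camellia_ecb(poison_ivy_key("th3bug"), SAMPLE_CHALLENGE)
# Constructed session payload (a stolen file path, padded to a block boundary).
SAMPLE_PAYLOAD = camellia_ecb(poison_ivy_key("th3bug"),
                              b"C:\\Users\\victim\\Documents\\plan.docx".ljust(48, b"\x00"))


def demo():
    """Recover the password from the handshake, then decrypt the session payload."""
    pw = identify_password(SAMPLE_CHALLENGE, SAMPLE_RESPONSE)
    if pw is None:
        return None, b""
    return pw, decrypt_payload(pw, SAMPLE_PAYLOAD).rstrip(b"\x00")


if __name__ == "__main__":
    print(demo())
```

The password doubles as an attribution hint: matching "th3bug" or "menuPass" here says which of the three groups FireEye tracked is at the other end, while a match on "admin" says only that the operator never changed the default. If no candidate matches, the Calamine approach of pulling the key from the running implant is the fallback.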

"Calamine may not stop determined attackers that use Poison Ivy," FireEye warned. "But it can make their criminal endeavors that much more difficult."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

