Archive | CYBERWAR

Takedown of the Virut Botnet in Progress

Virut is now being targeted in a coordinated effort by several security organisations. Virut is a dangerous botnet: once it infects a computer it can irreversibly damage your files, steal a great deal of personal information, and cause you to lose almost all of your data.

(Our security arm, SecuraGeek Forums, published a helpful article about Virut for users a few years ago, here.)

The takedown involved researchers from Poland's Computer Emergency Response Team (CERT Polska, CERT.pl), the Russian CERT-GIB, and the Spamhaus Project, and aimed at disrupting the operations of the Virut botnet, which comprised some 300,000 infected machines.

In December the Spamhaus Project worked to have all of the domains used by the Virut botnet shut down. Most, if not all, of the domains were registered under the .pl ccTLD. In response, the gang behind the botnet moved all of the malicious domain names to a new registrar, home.pl.

The botnet's operations were already somewhat curtailed by then, as NASK (Naukowa i Akademicka Sieć Komputerowa, Poland's Research and Academic Computer Network) began to move against the botnet's infrastructure. NASK operates the Polish CERT and is the national registry for the .pl domain, so its involvement carries considerable weight.

"In the past few days, Spamhaus has been in close contact with the sponsoring registrar (home.pl) and the Polish Computer Emergency Response Team (CERT.pl) to get the domain names suspended," Morrison of Spamhaus blogged on Jan. 19. "In cooperation with the Polish CERT and the registrar home.pl, we managed to get all the Virut domain names within the .pl ccTLD sinkholed."

"In addition, Spamhaus reached out to the Austrian CERT and the Russia-based company Group-IB's CERT-GIB to shut down the remaining Virut domains within the .at and .ru ccTLDs," he added. "In cooperation with Spamhaus, and due to the evidence and intelligence provided by Spamhaus, CERT-GIB was able to shut down all the Virut domains within the .ru ccTLD within a few hours."

Symantec researchers have noted that the people behind Virut are also involved with the Waledac botnet; the evidence rests in part on the malware writers behind both botnets using the same affiliate programs to spread their threats. Virut has also been observed distributing other malware, including TDL and Zeus. Symantec further warned that Virut had been used to redeploy Waledac, a botnet Microsoft took down in 2010, so reviving it opens the door to a lot of trouble.

As part of the takedown, some three dozen domain names have been seized in total, with no sign so far (to researchers) of the botnet coming back up on another network. Because domains are so central to its infrastructure, it will be difficult for the malware writers to regroup.

For roughly the past five years the botnet used domains such as ircgalaxy.pl and zief.pl; those are now seized. It is not yet clear how NASK's action will affect Virut's future operations, but for now things look good and stable.

Are Mobile Devices the Next DDoS Threat?

The question many have had in mind is whether mobile devices will become a source of DDoS attacks. Whether mobile phones will be used as zombies is currently under discussion among researchers, some of whom say it may be imminent.

The concern follows the number of trojans found on Android devices, the attacks seen against iOS devices, and the vulnerabilities found in Windows Phone. A trojan is a program that looks legitimate but carries hidden functionality that does something else. Most of the time a trojan will either steal data to make money from it, or use the device as a zombie (consuming its resources such as CPU, RAM and bandwidth) to launch a DDoS attack.

A distributed denial of service attack floods a server with more requests than it can handle, from many sources at once, so that legitimate users cannot reach it. It is usually carried out by blackhat hackers or cybercriminals, either to protest a cause or just for fun.

A DDoS tool heavily used by Anonymous, the "Low Orbit Ion Cannon" (LOIC), was recently reworked for the Android platform. Porting it from the desktop app to Android required very little programming skill; in general, it is easy to take old tools and port them over to Android.

With device manufacturers slow to release updates to device operating systems, firmware and so on, known holes stay open to exploitation. Android is particularly exposed because users can install apps from 'unknown sources', that is, from outside the Google Play store.

Thought through, it would take thousands of devices to muster enough power for an effective DDoS attack. On the other hand, a pre-built attack could then be launched from devices in many countries at once, which makes the origin of the attack(s) much harder to trace.
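The following is an added example, not code from the original post or from any tool mentioned above, showing how a defender might spot the two shapes of HTTP flood discussed here: a single LOIC-style client hammering one URL, and the distributed case of many low-rate sources such as a mobile botnet. It runs over constructed access-log lines in the Apache/Nginx "combined" format; the IP addresses, paths and thresholds are invented for illustration.

```python
"""Added example: rate-based detection of HTTP floods in web-server access logs.

Two checks run over a sliding time window:
  * per source IP   - catches one LOIC-style client hammering a URL;
  * across all IPs  - catches many low-rate sources (e.g. a mobile botnet)
                      that individually stay under the per-IP threshold.
Sample log lines are constructed below; thresholds are illustrative only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
    r'(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def flag_floods(lines, window=timedelta(seconds=10), per_ip_limit=50, total_limit=200):
    """Return (offending_ips, aggregate_alert) for time-ordered log lines.

    offending_ips:   IPs that sent more than per_ip_limit requests inside any window.
    aggregate_alert: True if all sources together exceeded total_limit in a window.
    """
    per_ip = defaultdict(deque)   # ip -> timestamps still inside the window
    overall = deque()             # all timestamps still inside the window
    offenders = set()
    aggregate = False
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                # malformed line: skip it, never crash the detector
        ts, ip = rec["ts"], rec["ip"]
        q = per_ip[ip]
        q.append(ts)
        while ts - q[0] > window:   # expire entries older than the window for this IP
            q.popleft()
        if len(q) > per_ip_limit:
            offenders.add(ip)
        overall.append(ts)
        while ts - overall[0] > window:
            overall.popleft()
        if len(overall) > total_limit:
            aggregate = True
    return offenders, aggregate


def make_sample(kind):
    """Constructed log lines for three scenarios: 'normal', 'loic', 'distributed'."""
    base = datetime(2013, 1, 20, 12, 0, 0, tzinfo=timezone.utc)

    def line(ip, t, path="/"):
        return (f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512 '
                f'"-" "Mozilla/5.0"')

    if kind == "normal":            # 5 users sharing one request per second
        return [line(f"192.0.2.{i % 5 + 1}", base + timedelta(seconds=i), f"/page{i % 7}")
                for i in range(60)]
    if kind == "loic":              # one client, 120 requests to "/" in about 5 seconds
        return [line("10.0.0.9", base + timedelta(milliseconds=40 * i)) for i in range(120)]
    if kind == "distributed":       # 250 distinct sources, one request each, within 5 seconds
        return [line(f"198.51.100.{i + 1}", base + timedelta(milliseconds=20 * i))
                for i in range(250)]
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("normal", "loic", "distributed"):
        print(kind, flag_floods(make_sample(kind)))
```

The per-IP check alone is what most people reach for, and it catches the lone LOIC user; the aggregate check is the one that matters for the scenario this article describes, because a few thousand phones each sending one request a second never trip a per-source limit.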

It is certain that as carriers and app developers roll out e-wallet apps, the opportunity to steal personal data, credit card numbers and the like will grow. Heads up!

Anonymous Says “Expect Us 2013” – #OpNewBlood – McAfee Underestimates

Anonymous is not going away; we just want everyone to know that. It is not at all likely that they will disappear. McAfee made it sound as though Anonymous was keeping a low profile and was no longer a big threat. We disagree: they could strike with a hacking attack at any time.

Their year-in-review video details what they have done, and it makes clear they have similar plans, if not bigger ones, for 2013. Some say the next mission to carry out is "#OpNewBlood". It is actually an old plan, but they are still pursuing it. There are already many posts on Twitter discussing #OpNewBlood and how anyone can freely join Anonymous; some link to guides on setting up IRC chat and on browsing the Internet anonymously. Many recruiting efforts are underway, such as AnonyOnion. Can anyone LOL?

Their press release on AnonNews carries an "Expect Us 2013" banner. See for yourself. Apparently many of the new operations would be led by @Crypt0nymous.

Back to the video: it covers the temporary shutdown of websites belonging to the US Department of Justice, the FBI and the Motion Picture Association of America, all in protest at the indictment of MegaUpload. Although the sites were only down temporarily, the action sent a message of protest to the US Government, a statement that people still have a voice.

The hacktivism continues, and the video showcases it. It shows newsreels of Anonymous' intervention in Syria when the Syrian Government shut down Internet access for a day. The video also covers Anonymous' "cyberwar" against the Israeli Government, even though the conflict there clearly involves Syria and other neighbouring countries as well.

“The operations which are listed in the video are only examples, there are far more operations,” Anonymous wrote in the statement. “Some of them still running, like Operation Syria. We are still here.”

Despite such threats, and the other details Anonymous threw in viewers' faces (many of them responding "F*CK YEAH!"), many still underestimate their presence. But what risk can we afford to take in computer security? The first time we let our guard down, Anonymous will strike; they do it every time. Never let your guard down. McAfee, we are calling you out: stop spreading the message that Anonymous is going to be less active or less of a threat. We do not need any more damage. The more aware we stay, the better protected we will be.

This "syncopathic" pattern (our own coinage, from syncope, fainting) is typical of Anonymous: they go quiet for a while, as if they had fainted, then suddenly jump up and launch into hacking and activism.

Expect Anonymous, or get a reality check. That is all we are saying: the mess and damage are not worth letting your guard down for.

US House Republicans Urge Obama Not to Issue Cybersecurity Order

Forty-six Republican members of the US House of Representatives signed a letter (PDF) urging President Barack Obama not to issue an executive order on cybersecurity. The White House is currently drafting an order that would encourage operators of critical infrastructure (banks, power grids and the like) to meet cybersecurity standards.

“Instead of preempting Congress’ will and pushing a top-down regulatory framework, your administration should engage Congress in an open and constructive manner to help address the serious cybersecurity challenges facing our country,” the lawmakers wrote.

The executive order is expected in January and is intended to help protect these vital systems from hackers. It is highly important that it is put into action; otherwise the United States could face consequences such as power outages, plane crashes or train derailments.

“This framework will work better than attempts to place the government in charge of overseeing minimum standards for industries seeking to invest in new and innovative security solutions,” the Republicans wrote.

The letter, led by Representatives Marsha Blackburn (Tennessee) and Steve Scalise (Louisiana), aims to limit government involvement in regulating cybersecurity. However, if something is not done very soon, America as we know it could be in a lot of trouble.

Saudi Aramco Incident Examined More Closely

Back in October we reported on the damage done to Saudi Aramco, Saudi Arabia's national oil company, which fell victim to a cyberattack. A few investigating and reporting organisations have since revealed new details.

The New York Times reported the following yesterday:

The attack on Saudi Aramco — which supplies a tenth of the world’s oil — failed to disrupt production, but was one of the most destructive hacker strikes against a single business.

“The main target in this attack was to stop the flow of oil and gas to local and international markets and thank God they were not able to achieve their goals,” Abdullah al-Saadan, Aramco’s vice president for corporate planning, said on Al Ekhbariya television. It was Aramco’s first comments on the apparent aim of the attack.

Hackers from a group called Cutting Sword of Justice claimed responsibility for the attack, saying that their motives were political and that the virus gave them access to documents from Aramco’s computers, which they threatened to release. No documents have yet been published.

The "Cutting Sword of Justice" posted on Pastebin to take credit for the attack.

We explained previously that most of this year's cyberattacks against energy companies have aimed at erasing data on their computers. The new details on Aramco, however, show that the attackers wanted to halt the flow of production itself. It is a good thing it was contained.

Swiss Intelligence Service Warns US/UK of Data Leak

Secret information on counter-terrorism shared by foreign governments may have been compromised by a massive data theft by a senior IT technician for the NDB, Switzerland’s intelligence service, European national security sources said.

Intelligence agencies in the United States and Britain are among those who were warned by Swiss authorities that their data could have been put in jeopardy, said one of the sources, who asked for anonymity when discussing sensitive information.

Swiss authorities arrested the technician suspected in the data theft last summer amid signs he was acting suspiciously. He later was released from prison while a criminal investigation by the office of Switzerland’s Federal Attorney General continues, according to two sources familiar with the case.

The suspect’s name was not made public. Swiss authorities believe he intended to sell the stolen data to foreign officials or commercial buyers.

A European security source said investigators now believe the suspect became disgruntled because he felt he was being ignored and his advice on operating the data systems was not being taken seriously.

Read more in this Reuters report.

Syria Feels the Bite of Cyberwar: Internet Is Down

The Syrian civil war continues and is now at its most intense so far, with cyberwar entering the picture. Security experts assume this is more of an internal cyberwar: the regime is believed to be withdrawing the routes for Syria's IP blocks (in effect shutting off access to the Internet) either, A, to punish the population (unlikely), or, B, to protect government servers and other hosts from a threatened cyberattack. B is thought the more likely.

As of 5:26 am ET this morning, Renesys (an organisation that monitors Internet routing worldwide) reported that Syria's IP blocks had gone dark, noting that only five or so networks were still reachable, and those are hosted just outside Syria. The few blocks still up are believed to belong to cybercriminals who in May of this year targeted Syrians with a fake Skype encryption tool.

All of Syria's telecommunications providers appear to have suspended Internet service; Renesys' traceroutes into the country return nothing. Some believe the loss of connectivity through Deutsche Telekom, one of the upstream providers for the region, also has something to do with the recent outages.

Other experts believe the Syrian regime is planning something harsher and may be preventing information from leaking out of the country over the Internet. That could mean they are protecting themselves from cyberwar, or preparing to wage one against opposing countries.

Many details are still unknown, but many activists have been tortured, arrested and worse. It would be no surprise if the Syrian regime cut off Internet access for that reason alone.

Cybercriminals Hack and Deface International Homepages of Google, Yahoo, MSN

The recent trouble started with a vulnerability at PKNIC, the registry for Pakistan's .PK domain, which allowed hackers from Turkey to take over the Pakistani versions of Google, Yahoo and MSN, plus nearly 300 other sites; they defaced the Pakistani Google homepage. As if that were not bad enough, an Algerian hacker then defaced the Romanian versions of Google and Yahoo.

In the .PK case, a SQL injection vulnerability in PKNIC's registry system let the Turkish hackers take control of some 300 .PK domains and deface at least Google's .PK site, and possibly a few others. During the incident some users were redirected to a page showing two penguins and the slogan "Pakistan Downed".

Screenshot: Romanian defacement page for Google & Yahoo

For the Romanian (.RO) versions of Google and Yahoo, an Algerian hacker changed the DNS records for those sites so that they pointed to a recently compromised server in the Netherlands. Changed DNS records at the registry or registrar are the most likely explanation, though some have suggested a DNS cache poisoning attack is also possible.
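To make the registry-level attack described in the .PK and .RO incidents concrete, here is an added example. It is not PKNIC's code, not anything recovered from the attackers, and uses an invented schema and invented nameserver hostnames. It shows a nameserver-update handler that is vulnerable to SQL injection next to a hardened one. The attacker legitimately owns attacker.pk and, by smuggling an OR clause into the domain field, repoints google.com.pk; the hardened version validates hostnames and binds parameters, so the same request is refused and, even without the validation, the bound parameter could not alter the statement's structure.

```python
"""Added example: SQL injection in a registry's nameserver-update handler, and the fix.

The schema, domain owners and hostnames below are constructed for illustration.
"""
import re
import sqlite3


def make_registry():
    """Constructed in-memory stand-in for a registry database (not PKNIC's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE domains (name TEXT PRIMARY KEY, owner_id INTEGER, ns1 TEXT, ns2 TEXT)"
    )
    conn.executemany("INSERT INTO domains VALUES (?, ?, ?, ?)", [
        ("google.com.pk", 1, "ns1.google.com", "ns2.google.com"),
        ("yahoo.com.pk", 2, "ns1.yahoo.com", "ns2.yahoo.com"),
        ("attacker.pk", 7, "ns1.attacker.example", "ns2.attacker.example"),
    ])
    conn.commit()
    return conn


def update_ns_vulnerable(conn, owner_id, domain, new_ns1):
    """Vulnerable: attacker-controlled text is pasted straight into the SQL statement."""
    sql = (f"UPDATE domains SET ns1='{new_ns1}' "
           f"WHERE name='{domain}' AND owner_id={owner_id}")
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


# Plausible DNS hostname: dot-separated labels, letters/digits/hyphens, alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def update_ns_hardened(conn, owner_id, domain, new_ns1):
    """Hardened: validate inputs, then bind them as parameters."""
    if not HOSTNAME_RE.match(domain) or not HOSTNAME_RE.match(new_ns1):
        raise ValueError("invalid hostname")
    # Bound parameters are data, never SQL, so the WHERE clause cannot be rewritten.
    cur = conn.execute(
        "UPDATE domains SET ns1=? WHERE name=? AND owner_id=?",
        (new_ns1, domain, owner_id),
    )
    conn.commit()
    return cur.rowcount


def ns1_of(conn, domain):
    row = conn.execute("SELECT ns1 FROM domains WHERE name=?", (domain,)).fetchone()
    return row[0] if row else None


# Closing quote ends the attacker's own domain, OR widens the match, -- comments out
# the ownership check that follows.
PAYLOAD = "attacker.pk' OR name='google.com.pk' --"


def demo():
    """Run the same hostile request against both handlers and report what happened."""
    vuln = make_registry()
    changed = update_ns_vulnerable(vuln, 7, PAYLOAD, "ns1.evil.example")

    hard = make_registry()
    try:
        update_ns_hardened(hard, 7, PAYLOAD, "ns1.evil.example")
        refused = False
    except ValueError:
        refused = True

    return {
        "vulnerable_rows_changed": changed,
        "vulnerable_google_ns1": ns1_of(vuln, "google.com.pk"),
        "hardened_refused": refused,
        "hardened_google_ns1": ns1_of(hard, "google.com.pk"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable handler reports two rows changed, the attacker's own domain and google.com.pk, and from that moment every visitor to the hijacked name is sent wherever ns1.evil.example says. The ownership check in the WHERE clause was meant to prevent exactly this; injection removed it. Note also that the hardened handler still returns zero rows when owner 7 tries to update google.com.pk with a well-formed request, so the authorization check survives as well.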

It is disputed whether the same hacker(s) did both jobs, or whether two different parties coincidentally did the same type of work at the same time.

With conflict in the Middle East flaring up once again, further digital attacks are likely as well; it is no surprise to see these issues light up again.

Had the attackers had other malicious intentions, these hacks could have been far worse: whoever controls a site's DNS can send its visitors anywhere, not just to a defacement page.

Anonymous Claims Leak of 3,000 Donors to Israel

Hacktivist group Anonymous today claimed to have leaked the personal information — including home address, phone numbers, and email addresses — of over 3,000 individuals who are said to have donated to pro-Israel group, Unity Coalition for Israel.

This move comes after they attacked over 650 Israeli sites on November 17th, wiping their databases and leaking the usernames and passwords found within. Clearly, Anonymous is gearing up for an extended campaign against Israel as its conflict with Hamas heats up.

The file on Pastebin is extensive, and we haven’t had time to process it in full, but there appears to be personal information for at least one incumbent US Senator listed, Daniel Inouye of Hawaii, who fought the Nazis in World War II and has developed a close relationship with Israel as a politician.


Read more on NextWeb

China Is the Largest Cyber Threat, Says US Panel

A draft of a recent congressional report, highlighted by Bloomberg, names China as the largest cyber threat to the US and the world. According to the report, hackers in China are increasingly targeting the computers of the US military and of defense contractors.

The Bloomberg article highlighted: “China’s persistence, combined with notable advancements in exploitation activities over the past year, poses growing challenges to information systems and their users,” the U.S.- China Economic and Security Review Commission said in the draft obtained by Bloomberg News. “Chinese penetrations of defense systems threaten the U.S. military’s readiness and ability to operate.”

It appears that the sheer volume of activity from China, even though much of it is not technically sophisticated, still makes it a major threat in the cyberwar landscape. The basic techniques involved, including intrusion and exploitation, are no surprise to US security experts and military intelligence staff. Most of the time, the report states, the aim was to collect intelligence or technology information; a destructive attack was not necessarily the goal. As China's cyberwarfare militia and capabilities grow, it will become a formidable opponent in cyberwar.

The report is scheduled for release on November 14 of this year and recommends establishing the means for the United States to punish and penalize foreign countries or firms for cyber (industrial) espionage.
