STE WILLIAMS

Ransomware Sales on the Dark Web Spike 2,502% in 2017

Sales soar to $6.2 million as do-it-yourself kits, ransomware-as-a-service, and distribution offerings take hold.

Ransomware is a $6.2 million industry, based on sales generated from a network of more than 6,300 Dark Web marketplaces that sell over 45,000 products, according to a report released Wednesday by Carbon Black.

Revenue from these illicit marketplaces soared 2,502% so far in 2017, compared to $249,287 raised in all of 2016, the report states.

“It’s surprising how fast specialization has occurred in this industry and how fast it has grown,” says Rick McElroy, Carbon Black security strategist.

Among the best sellers on the Dark Web marketplaces are do-it-yourself ransomware kits that range from 50 cents to $3,000, with a median price of $10.50, the report notes. Custom ransomware, meanwhile, costs in excess of $3,000, says McElroy.

“You don’t have to know how to code your ransomware to get your business up and running,” McElroy says.

Other products include lockscreen ransomware that targets Android devices for $1, custom ransomware that comes with source code for $1,000 or more, and ransomware-as-a-service (RaaS) and distribution services, the report says.

The study focused on three tiers that comprise the ransomware ecosystem: tier 1 are ransomware authors; tier 2 is RaaS; and tier 3 are the distributors.

“It was surprising how much you can make authoring ransomware,” McElroy says. The findings revealed some ransomware authors earn as much as $163,000 per year, substantially higher than the $69,000 that is usually paid to software developers.

The Dark Web marketplaces also feature a rating system for sellers, similar to that found on eBay, McElroy says.

Takeaway for Enterprises

Carbon Black’s survey found 52% of respondents would be willing to pay a ransom if their files and documents were inaccessible.

The survey also says 12% would be willing to pay $500 or more to retrieve their data in a ransomware attack; 29% would be willing to pay between $100 and $500 to reclaim their data; and 59% would pay less than $100 to get their data back.

Enterprises can sidestep a ransom demand if their data is secured in a backup. But according to a survey released Tuesday by Mimecast, 88% of the 600 IT decision makers surveyed report that their organizations characterize their existing archiving solutions as problematic.

Nearly 60% of survey respondents list administrative complexity as their greatest challenge, while 56% say their systems were plagued by slow search performance.

“Analysts say a backup strategy is your best strategy against ransomware,” says Achmad Chadran, Mimecast cybersecurity strategist.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends.

Article source: https://www.darkreading.com/attacks-breaches/ransomware-sales-on-the-dark-web-spike-2502--in-2017/d/d-id/1330095?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

‘There has never been a right to absolute privacy’ – US deputy AG slams ‘warrant-proof’ crypto

Continuing the US government’s menacing of strong end-to-end encryption, Deputy Attorney General Rod Rosenstein told an audience at the US Naval Academy that encryption isn’t protected by the American Constitution.

In short, software writers and other nerds: the math behind modern cryptography is trumped by the Fourth Amendment, and in any case, there has never been an absolute right to privacy. This message came at the end of his wide-ranging speech on Tuesday, which repeated fixations heard in previous speeches.

He called for backdoors in April, and doubled down last week, then saying: “Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection.”

In this week’s speech, Rosenstein time-travelled from the American Revolutionary War to the tragic death of US student Otto Warmbier at the hands of North Korean authorities, before launching a volley into encryption.

Amid a rising backlash that’s uniting some tech giants and developers, academics, and civil libertarians, Rosenstein believes criminal investigators should be able to crack strong and so-called “warrant-proof” encrypted communications on demand without any legal headaches:

Encryption is a foundational element of data security and authentication. It is essential to the growth and flourishing of the digital economy, and we in law enforcement have no desire to undermine it.

But the advent of “warrant-proof” encryption is a serious problem. Under our Constitution, when crime is afoot, impartial judges are charged with balancing a citizen’s reasonable expectation of privacy against the interests of law enforcement. The law recognizes that legitimate law enforcement needs can outweigh personal privacy concerns.

Our society has never had a system where evidence of criminal wrongdoing was totally impervious to detection, especially when officers obtain a court-authorized warrant. But that is the world that technology companies are creating.

Those companies create jobs, design valuable products, and innovate in amazing ways. But there has never been a right to absolute privacy. Courts weigh privacy against other values, including the need to solve and prevent crimes. Under the Fourth Amendment, communications may be intercepted and locked devices may be opened if they are used to commit crimes, provided that the government demonstrates a showing of probable cause.

Warrant-proof encryption defeats the constitutional balance by elevating privacy above public safety. Encrypted communications that cannot be intercepted and locked devices that cannot be opened are law-free zones that permit criminals and terrorists to operate without detection by police and without accountability by judges and juries.

Readers will surely be aware that the famed Daniel Bernstein spent nine years establishing that cryptography is free speech in the US, and therefore protected by the First Amendment, a notion that would have to be overturned for Rosenstein to get his way, we presume.

The remainder of Rosenstein’s arguments will already be wearyingly familiar to followers of the debate: encryption can be rendered accessible to law enforcement bearing warrants without weakening it for everyone; and “going dark” renders criminals immune from justice.

Rosenstein offered a list of what he called “responsible encryption” – in which messages are safeguarded from hackers and criminals yet accessible to authorized third parties – to prove his case, which we present so readers can dismember it in the comments.

“Such encryption already exists,” the deputy AG claimed. “Examples include the central management of security keys and operating system updates; the scanning of content, like your emails, for advertising purposes; the simulcast of messages to multiple destinations at once; and key recovery when a user forgets the password to decrypt a laptop.”

He concluded with:

There is no constitutional right to sell warrant-proof encryption. If our society chooses to let businesses sell technologies that shield evidence even from court orders, it should be a fully-informed decision.

El Reg will get the ball rolling by saying content-scanning middle-boxes are known to be insecure. We await your comments with enthusiasm. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/11/deputy_us_ag_rosenstein_encryption_isnt_free_speech/

Russian spies used Kaspersky AV to hack NSA staffer, swipe exploit code – new claim

Russian government spies used Kaspersky Lab software to extract top-secret software exploits from an NSA staffer’s home PC, anonymous sources have claimed.

The clumsy snoop broke regulations by taking the classified code, documentation, and other materials home to work on using his personal computer, which was running Kaspersky’s antivirus, sources told the Wall Street Journal. It is alleged Kremlin hackers exploited the security package in one way or another to identify those sensitive files and exfiltrate them.

In effect, it means the Russian government has copies of the NSA’s tools used to exploit vulnerabilities in computer systems and equipment to spy on other nations and targets. It also means Russia can turn the cyber-weapons on American corporations, government agencies and other networks, and steal secrets, cause merry havoc, and so on.

The theft, reported today, is said to have occurred in 2015, but apparently wasn’t discovered until earlier this year. The allegedly stolen NSA code and dossiers sound an awful lot like the Shadow Brokers archive of stolen agency spyware. The brokers’ pilfered exploits date back to 2013, though.

And this case is not thought to be related to the former Booz Allen Hamilton contractor Harold Thomas Martin III who stashed classified NSA materials at his home to study. Martin was indicted in February and faces prison time for removing top-secret files from his employer’s workplace, if convicted. He denies any wrongdoing.

“Whether the information is credible or not, NSA’s policy is never to comment on affiliate or personnel matters,” an NSA spokesperson said.

Like almost all security software, Kaspersky’s software scans files on computers to look for anything matching known malware, or programs that behave in a way that looks like malicious code. It may be that the antivirus package sent the employee’s NSA code back to a cloud service to inspect, which set off internal alarms and attracted the attention of Russian spies, or the product was tampered with to open a backdoor to the PC, or the software was remotely exploited to gain access.


The WSJ’s sources didn’t say if Kaspersky was actively involved in helping hack the staffer’s computer, nor whether President Putin’s spies exploited vulnerabilities in the security software to silently swipe the exposed documents. Don’t forget, there are a lot of exploitable holes in antivirus packages for hackers to abuse.

It is also possible that, under Russian law, the Kremlin instructed staff within Kaspersky to hijack the mark’s computer and extract its contents. The software maker denies any wrongdoing or direct involvement in the exploit theft.

“Kaspersky Lab has not been provided any evidence substantiating the company’s involvement in the alleged incident reported by the Wall Street Journal on October 5, 2017, and it is unfortunate that news coverage of unproven claims continue to perpetuate accusations about the company,” the Moscow-based biz told The Register in a statement.

“As a private company, Kaspersky Lab does not have inappropriate ties to any government, including Russia, and the only conclusion seems to be that Kaspersky Lab is caught in the middle of a geopolitical fight.

“Kaspersky Lab products adhere to the cybersecurity industry’s strict standards and have similar levels of access and privileges to the systems they protect as any other popular security vendor in the US and around the world.”

The organization’s founder Eugene Kaspersky was more blunt, tweeting the following before today’s revelations hit the ‘net:

Kaspersky has repeatedly offered its source code to government officials to review for backdoors after allegations that it was working with Russian intelligence surfaced a year or so ago. No evidence has ever been made public about such claims of compromised code. That didn’t stop the US government banning Kaspersky code from federal computers last month. American box-shifter Best Buy followed suit.

However the exploits leaked, let’s not forget it was sparked by another NSA worker taking classified materials home.

“It’s a lot harder to beat your opponent when they’re reading your playbook, and it’s even worse when someone on your team gives it to them. If these reports are true, Russia has pulled that off,” said US Senator Ben Sasse (R-NE), who is on the Senate Armed Services committee.

“The men and women of the US Intelligence Community are patriots; but, the NSA needs to get its head out of the sand and solve its contractor problem. Russia is a clear adversary in cyberspace and we can’t afford these self-inflicted injuries.”

Matthew Hickey, cofounder of British security shop Hacker House, told The Register Kaspersky could well be blameless and that the security software was simply doing its job. The Russian software maker has been detecting NSA malware in the wild since 2014, and this could be where the connection lies.

The antivirus may have identified Uncle Sam’s powerful exploit code samples on the home PC, and flagged them up to Kaspersky’s customers, possibly all the way to the FSB, Russia’s security services. Following this alert, Russian agents could have tracked down the NSA employee’s machine and remotely commandeered it. In a blog post today, Eugene said all his customers are warned when new software nasties are discovered by his antivirus tools:

Kaspersky also provides real-time analysis to the FSB, meaning the software may have automatically tipped off the Kremlin to the presence of the highly guarded Western attack code on the NSA worker’s home PC.

“It’s likely that the Kaspersky detection of NSA tools was somehow responsible for FSB targeting the contractor’s home computer, but it doesn’t mean the company was complicit,” Hickey told us.

“Kaspersky have detected many of the NSA tools being used in the wild, the FSB would surely know that, and target the company for that reason alone. The Kaspersky statement holds no punches and makes it clear they don’t cooperate with governments. I’m inclined to believe them, their software is top grade at detection of new threats, and is notoriously difficult to bypass.”

Hickey said the alternative is that Kaspersky deliberately backdoored its own software, and handed over the keys to Putin’s snoops, putting billions of dollars of business at risk to do a favor for Russian intelligence. Occam’s razor would suggest this is unlikely.

Meanwhile, cybersecurity expert Matt “Pwn all the Things” Tait said the focus should be on the embarrassing claims that yet more dangerous NSA tools have escaped Uncle Sam’s highly secretive surveillance agency:

Senator Jeanne Shaheen (D-NH), one of Kaspersky’s most vocal critics in Congress, has few doubts on the matter, though. In a strongly worded statement, she condemned the company and called for the Trump administration to declassify and release the evidence it has in this case.

“The strong ties between Kaspersky and the Kremlin are extremely alarming and have been well documented for some time,” she said today. “It’s astounding and deeply concerning that the Russian government continues to have this tool at their disposal to harm the United States.” ®

PS: The Washington Post says the NSA bod was an employee – and not a contractor as first thought – and was a US citizen born in Vietnam. He was on the NSA’s ace hacking team, Tailored Access Operations, and was working to replace the exploits compromised by the Snowden leaks. He was fired in 2015, and is now under a federal investigation.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/05/anonymous_report_russian_spies_used_kaspersky_lab_software_to_steal_nsa_secrets/

Apple’s iOS password prompts prime punters for phishing: Too easy now for apps to swipe secrets, dev warns

Apple, we have a problem. A bug report filed Monday through Open Radar – which mirrors bug reports developers submit to Apple’s private bug tracking system – suggests that password prompts in iOS apps can be misused to steal passwords and other secrets.

In a blog post today describing the issue, developer Felix Krause, founder of fastlane.tools, explained that Apple’s UIAlertController API allows programmers to present alerts that closely mimic legit password prompts from Apple system services like iCloud, iTunes, or GameCenter.

The problem arises because Apple has trained iOS users to hand over their credentials for Apple services from within third-party apps, without any kind of mechanism for verifying the legitimacy of the prompt. Thanks to that indoctrination, a malicious developer can present a lookalike login box – a UIKit alert or action sheet – and expect the user to respond by supplying an Apple ID, a password, or similar.

At present, the risk is theoretical. Krause said in an email to The Register he wasn’t aware of anyone using this technique in the wild, though it’s difficult to be certain. Apple may detect deliberate deception of this sort through its iOS app review process, but a determined developer may also be able to conceal misuse long enough to see the app distributed.

Using visual trickery to steal data has been a problem for years. For example, a recent Gmail phishing attack relied on image files designed to look like attached PDFs.

Apple’s Secure Coding Guide acknowledges that social engineering attacks like phishing can be difficult to combat. It cites domain name homograph attacks, by which different character sets (e.g. Latin and Cyrillic) can be intermixed to dupe users, noting that Safari has implemented defenses.

That’s essentially what Krause is describing – an interface homograph attack. And there isn’t really a method to visually separate Apple-authorized prompts from doppelgängers.

“No matter what kind of custom UI Apple would use, people could always somehow fake it,” said Krause. “The problem is that now people are used to just entering the password whenever asked, and changing that behavior is really difficult and will take time.”

Krause suggests one way to mitigate the risk would be for each alert to contain the app icon in the pop-up or action sheets, similar to how the app icon is shown on the lock screen next to notifications.

Even so, graphic designs can be faked.

“Another way, people on Twitter mentioned, would be a different keyboard for system password inputs,” he said. “However I think the best way would be if the dialog tells the user to open the iCloud settings, instead of asking for the password directly.”

Apple, as expected, did not respond to a request for comment. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/10/apple_ios_password_prompts_phishing/

Equifax: About those 400,000 UK records we lost? It’s now 15.2M. Yes, M for MEELLLIOON

Last month, US credit score agency Equifax admitted the personal data for just under 400,000 UK accounts was slurped by hackers raiding its database. On Tuesday this week, it upped that number ever-so-slightly to 15.2 million.

In true buck-passing fashion, at the time of writing, Equifax hadn’t even released a public statement on the matter. Instead it fell to Blighty’s National Cyber Security Centre to reveal the bad news that a blundering American firm had put Britons at risk of phishing attacks.

“We are aware that Equifax was the victim of a criminal cyber attack in May 2017,” the NCSC said in a statement today.

“Equifax have today updated their guidance to confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. NCSC advises that passwords are not re-used on any accounts if you have been told by Equifax that any portion of your membership details have been accessed.”

Any answers to security questions – such as your mother’s maiden name – given to Equifax during an account signup should now be considered compromised, the NCSC warned, and should be changed for other websites, if possible. Names, home and email addresses, telephone numbers, and account recovery question and answers were swiped by the hackers, and will be a boon to phishers obtaining the records, the centre warned.

UK folks should be on the lookout for phishing emails asking for their financial information or luring them to fake websites, using their Equifax records to make the messages look legit. Recipients will likely get an email quoting their home address and some digits of their phone number to prove its authenticity.

Hackers got into Equifax’s servers in May this year by exploiting an unpatched flaw in Apache Struts. It took until July, though, for the biz to find out it had been infiltrated, and it stayed quiet until early September when it admitted 143 million US citizens had their info exposed to miscreants. Some senior executives sold off their stock days before the world learned of the hack, conveniently. A week later, the biz said about 400,000 Brits had also been hit in the IT break-in.

Disaster

You’d have thought that with that amount of time to play with, and the nature of the information involved, Equifax would have given a bravura performance in how to deal with a database security breach. Instead, to describe the company’s response as a car crash is unfair to automakers. Its website detailing the hack, equifaxsecurity2017.com, looked so unofficial and rushed together that many initially feared it was a phishing site itself, and the credit agency later had to stress that signing up for free credit monitoring as a result of the attack would not waive your rights to sue.

Next, Equifax’s chief security officer and chief information officer left the outfit – not fired but instead allowed to retire with their golden parachutes. Shortly before trying to blame the cockup on a single lowly IT staffer, CEO Rick Smith also jumped ship, taking his $90m retirement pot with him.

In the meantime, outside investigators were checking up on Equifax’s servers. Last week the biz upped the number of affected US citizens to 145.5 million, and said that a probe into the UK side of things was still ongoing. The UK investigation ended on October 2, according to Equifax. Eight days later, the bad news came out and hundreds of thousands of British peeps are now on high alert.

While it has lost three senior executives in well-compensated disgrace, it looks unlikely Equifax will face any further sanctions. After all, we’re not customers of Equifax who can refuse to provide data for its servers – it just collects it all, one way or another, and sells it on to others.

The US government certainly doesn’t seem interested in causing Equifax grief. Instead, its Internal Revenue Service awarded the biz a $7.5m no-bid contract last week to provide – you guessed it – identity verification services. With tough action like that, things will obviously get better. ®

Stop press

Just as we were hitting the publish button, Equifax emitted the following clarification, saying the actual number of people in the UK seriously affected is about 700,000 due to duplicated data:

Today Equifax can confirm that a file containing 15.2m UK records dating from between 2011 and 2016 was attacked in this incident. Regrettably this file contained data relating to actual consumers as well as sizeable test datasets, duplicates and spurious fields. Equifax has brought every analytical tool, technique and data asset it has available to bear in order to ‘fill in the blanks’ and establish actual consumer identities and attribute a current home address to them. This complete, we have been able to place consumers into specific risk categories and define the services to offer them in order to protect against those risks and send letters to offer them Equifax and third-party safeguards with instructions on how to get started. This work has enabled us to confirm that we will need to contact 693,665 consumers by post.

The balance of the 14.5m records potentially compromised may contain the name and date of birth of certain UK consumers. Whilst this does not introduce any significant risk to these people Equifax is sorry that this data may have been accessed.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/10/equifax_uk_records_update/

It’s 2017… And Windows PCs can be pwned via DNS, webpages, Office docs, fonts – and some TPM keys are fscked too

Microsoft today released patches for more than 60 CVE-listed vulnerabilities in its software. Meanwhile, Adobe is skipping October’s Patch Tuesday altogether.

Among the latest holes that need papering over via Windows Update are three vulnerabilities already publicly disclosed – with one being exploited right now by hackers to infect vulnerable machines. That flaw, CVE-2017-11826, is leveraged when a booby-trapped Microsoft Office document is opened, allowing malicious code within it to run with the same rights as the logged-in user, and should be considered a top priority to patch.

Dustin Childs, of Trend Micro’s Zero Day Initiative, noted today that users and administrators should also pay special attention to Microsoft’s ADV170012, an advisory warning of weak cryptographic keys generated by Trusted Platform Modules (TPMs) on Infineon motherboards.

Essentially, you should install Microsoft’s patch, which will generate new and stronger keys in software as required, and next check to see if you should apply a firmware fix from Infineon.

Computers from HP and Fujitsu, as well as any hand-built machines using the blighted hardware, are affected by Infineon’s TPM chipset bug. If you use BitLocker, biometric authentication, or similar, on the at-risk hardware, you should sit up and read up.

According to Microsoft:

This vulnerability is present in a specific vendor’s TPM firmware that is based on Trusted Computing Guidelines (TCG) specification family 1.2 and 2.0, not in the TPM standard or in Microsoft Windows. Some Windows security features and potentially third-party software rely on keys generated by the TPM (if available on the system).

Microsoft is releasing Windows security updates to help work around the vulnerability by logging events and by allowing the generation of software based keys. Even after the operating system and/or TPM firmware updates are installed, you will need to carry out additional remediation steps to force regeneration of previously created weak TPM keys, depending on the applicable services you are running and on your particular use-cases.

“While this doesn’t have the same broad attack surface as a vulnerability in a web browser, anyone who can [exploit the TPM bug] is likely a sophisticated and determined attacker,” Childs said.

“While that remains unlikely, system administrators must take this critical-rated threat seriously.”
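The “weak cryptographic keys” ADV170012 describes are the Infineon RSA key-generation flaw tracked as CVE-2017-15361 (the “ROCA” result of Nemec et al., CCS 2017). The flawed generator builds every prime as k·M + (65537^a mod M) for a fixed primorial M, so any modulus N = p·q it produced is a power of 65537 modulo each small prime dividing M. That structure is visible from the public key alone, which is what makes a fleet-wide check practical before you go hunting for TPM firmware versions. The following is an added example, not Microsoft’s, Infineon’s or the ZDI’s code: it implements that published fingerprint in Python and constructs its own two demo moduli (one with the flawed structure, one from ordinary random primes) so it runs with no TPM present.

```python
"""Fingerprint for RSA moduli from the Infineon generator behind ADV170012 /
CVE-2017-15361.  Added example, not vendor code.  Weak primes have the form
k*M + 65537^a mod M, so N = p*q is in the subgroup generated by 65537 modulo
every small prime in M.  A random modulus passes all 38 residue tests with
negligible probability, so this separates weak keys without factoring."""
import random

E = 65537
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,
                139, 149, 151, 157, 163, 167]


def _powers_of_e_mod(p):
    """The subgroup of Z_p* generated by 65537: every value 65537^k mod p."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = x * E % p
    return seen


_SUBGROUP = {p: _powers_of_e_mod(p) for p in SMALL_PRIMES}


def has_weak_fingerprint(n: int) -> bool:
    """True when n mod p lies in <65537> for every small prime p, i.e. n carries
    the structure of the flawed generator.  No false negatives for affected key
    sizes; false positives are astronomically unlikely for healthy keys."""
    return all(n % p in _SUBGROUP[p] for p in SMALL_PRIMES)


# --- constructed demo keys for illustration; no real TPM or product key involved ---

def _is_probable_prime(n, rng, rounds=20):
    """Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


M = 1
for _p in SMALL_PRIMES:
    M *= _p  # primorial the flawed generator reduces by (omitting 2 does not affect the test)


def _weak_prime(rng, k_bits=40):
    """Prime of the form k*M + 65537^a mod M, mimicking the flawed generator."""
    while True:
        cand = rng.randrange(1 << (k_bits - 1), 1 << k_bits) * M + pow(E, rng.randrange(1, 1 << 64), M)
        if _is_probable_prime(cand, rng):
            return cand


def _random_prime(rng, bits=256):
    """Ordinary random prime, as a sound generator would produce."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def weak_modulus(seed=1):
    rng = random.Random(seed)
    return _weak_prime(rng) * _weak_prime(rng)


def healthy_modulus(seed=2):
    rng = random.Random(seed)
    return _random_prime(rng) * _random_prime(rng)


if __name__ == "__main__":
    for label, n in (("weak", weak_modulus()), ("healthy", healthy_modulus())):
        print(f"{label:8s} {n.bit_length()}-bit modulus -> fingerprint: {has_weak_fingerprint(n)}")
```

To check a real key, extract the RSA modulus from the public half (a certificate, an SSH key, or the public part of a TPM-backed key) and pass the integer to has_weak_fingerprint; a positive result means the key has to be regenerated after the firmware fix, not merely re-enrolled, since the weakness is in the key itself. On Windows the Get-Tpm cmdlet reports the TPM manufacturer and firmware version, which is the quickest way to tell whether a machine is in scope for Infineon’s update at all.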

Aside from the actively exploited Office flaw, the two other publicly disclosed vulnerabilities, not yet targeted in the wild, are CVE-2017-11777, a cross-site scripting flaw in SharePoint Server, and CVE-2017-8703, an object handling error in the Windows Subsystem for Linux that would let a malicious app crash the machine.

A pair of flaws in the Windows font library, CVE-2017-11762 and CVE-2017-11763, can allow a web page or document to execute malicious code on a vulnerable computer: visiting a website or opening a file with a specially crafted embedded font can cause malware within the font data to run and hijack the PC.

The scripting engine in Internet Explorer and Edge has 19 flaws that could allow webpages to achieve remote-code execution, with the logged-on user’s permissions, via memory corruption (CVE-2017-11792, CVE-2017-11793, and CVE-2017-11796, for example). Opening a webpage on a vulnerable computer can potentially trigger the execution of malware, spyware, ransomware, and other software nasties. The Windows Shell was found to contain two remote code execution flaws, CVE-2017-11819 and CVE-2017-8727, that can be targeted through Redmond’s browsers: a dodgy webpage can attack Microsoft’s text-handling code to potentially run malware.

Ovum analyst Jimmy Graham noted that this patch load is the fourth consecutive release to address a remote code execution bug in Windows Search, the latest being CVE-2017-11771. The flaw can be leveraged by firing specially crafted messages over the network to the machine’s Windows Search service, injecting potentially evil code into the machine to run.

“As with the others, this vulnerability can be exploited remotely via SMB to take complete control of a system, and can impact both servers and workstations,” said Graham.

“While an exploit against this vulnerability can leverage SMB as an attack vector, this is not a vulnerability in SMB itself, and is not related to the recent SMB vulnerabilities leveraged by EternalBlue, WannaCry, and Petya.”

Elsewhere in the patch load was CVE-2017-11779, a remote code execution bug in the Windows DNS client that could be exploited by accidentally connecting to a malicious DNS server: more technical details on that can be found here. There’s also a flaw in Windows TRIE (CVE-2017-11769) that lets DLL files achieve remote code execution, and a programming blunder that leaves emails in Outlook open to eavesdropping (CVE-2017-11776) over supposedly secure connections. According to Microsoft:

An information disclosure vulnerability exists when Microsoft Outlook fails to establish a secure connection. An attacker who exploited the vulnerability could use it to obtain the email content of a user. The security update addresses the vulnerability by preventing Outlook from disclosing user email content.

While the 62 fixes are a heavy load from Microsoft, admins can take heart in the knowledge that there won’t be a Flash update to wrangle this month. Instead, Adobe said it would release an update to Flash Player that cleans up performance and stability bugs in its Windows, macOS and Linux versions. ®

PS: Etienne Stalmans and Saif El-Sherei of SensePost say they’ve been able to achieve “command execution on Microsoft Word without any macros, or memory corruption,” using the DDE protocol. We’re told Microsoft, for now, considers it a feature, and not a bug.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/10/october_2017_microsoft_windows_patch_tuesday/

Hackers nick $60m from Taiwanese bank in tailored SWIFT attack

Hackers managed to pinch $60m from the Far Eastern International Bank in Taiwan by infiltrating its computers last week. Now, most of the money has been recovered, and two arrests have been made in connection with the cyber-heist.

On Friday, the bank admitted malware managed to get into PCs and servers within its organization, and, crucially, onto its SWIFT terminal used for transferring funds between financial institutions across the world.

The malware’s masterminds, once on the network, managed to harvest the credentials needed to commandeer the terminal and drain money out of the bank. By the time staff noticed the weird transactions, $60m had already been wired to banks in the US, Cambodia and Sri Lanka.

Far Eastern vice president Liu Lung-kuang claimed, as they always do, the software nasty used in the attack was of a type never seen before. No customer information was accessed during the hackers’ raid, he said, and the bank would cover any losses.

According to the Taipei Times, Taiwanese Premier William Lai has ordered a probe into the affair, and has asked the banking sector to investigate. Interpol has already begun its inquiries, and, thanks to a security mechanism introduced between banks, all but $500,000 has now been recovered.

Two arrests connected to the theft have been made in Sri Lanka and, according to the Colombo Gazette, one of them is Shalila Moonesinghe. He’s the head of the state-run Litro Gas company and was cuffed after police allegedly found $1.1m of the Taiwanese funds in his personal bank account. Another suspect is still at large.

There has been a spate of attacks against banks to subvert the SWIFT system in the past, with the largest such heist coming in February 2016 when hackers unknown (possibly from North Korea) stole $81m while trying to pull off the first $1bn electronic cyber-robbery. SWIFT has said it is toughening up its network’s security, but it seems it, and the banking sector as a whole, need to be more on their toes. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/11/hackers_swift_taiwan/

‘Israel hacked Kaspersky and caught Russian spies using AV tool to harvest NSA exploits’

The brouhaha over Russian spies using Kaspersky antivirus to steal NSA exploits from a staffer’s home PC took an explosive turn on Tuesday.

Essentially, it is now claimed Israeli spies hacked into Kaspersky’s backend systems only to find Russian snoops secretly and silently using the software as a global search engine. Kremlin agents were observed in real-time sweeping computers worldwide for American cyber-weapons, and then extracting any matching files. The Russians, it is claimed, hacked Kaspersky’s servers to harvest any suspicious data flagged up by the antivirus that matched known codenames for American software exploits.

In short, Kaspersky’s code, installed on millions of computers around the planet, was being used as a global searchable spying tool by the Russian government, it is alleged. It also means, now that this has been splashed on the pages of the New York Times, that US intelligence insiders have blown the lid on details of a highly sensitive Israeli operation.

“The role of Israeli intelligence in uncovering [the Kaspersky] breach and the Russian hackers’ use of Kaspersky software in the broader search for American secrets have not previously been disclosed,” the NYT reported. For good reason: the disclosure means someone in the US intelligence community is prepared to leak against – and put an abrupt end to – an Israeli operation known to America because Israel trusted its intelligence pals.

As cyber-security expert Matt “Pwn All The Things” Tait put it:

As we noted last week, antivirus packages can pose a huge risk to organizations, not least the NSA, because if a scan of someone’s computer yields something that looks like a threat, such as a freshly developed exploit or piece of spyware, it’s uploaded to the AV vendor’s cloud for analysis.

If an attacker were able to infiltrate those backend systems, with or without cooperation, they would be able to rifle through collected sensitive documents and snatch copies of any samples. In this case, the Russians were apparently hunting for America’s exploits to, presumably, wield them against corporations and government agencies in the West and beyond, and shore up their IT defenses to thwart the cyber-weapons.

That remains speculative, of course. Tait again:

The New York Times didn’t identify exactly what information was exfiltrated, but it claims Russia’s access to Kaspersky lasted two years. Indeed, in 2015, Kaspersky said it detected sophisticated cyber-espionage code within its corporate network, and publicly wrote about it although did not name Israel as the culprit. Back then, Kaspersky was infected by the Duqu 2.0 spyware, which was related to the American-Israeli-developed Stuxnet malware that got into the Iranian government’s nuclear weapons labs in 2010 and knackered its uranium centrifuges.

While digging around inside Kaspersky’s systems, the Israelis were poking around looking for the Moscow-based business’s research into the NSA and its UK counterpart, GCHQ. After spotting Kremlin agents, the Israelis tipped off the NSA. And now that’s all over the news.

Unsurprisingly, founder Eugene Kaspersky denies the substance of the NYT article:

In the light of the ongoing scandal, it’s hardly surprising that security vendors are taking a long, hard look at their code review policies – particularly any code that government agents can examine for exploitable bugs to use remotely against customers.

Symantec was the first to jump, with its CEO Greg Clark telling Reuters this week it will no longer let governments inspect its source code. Clark said: “Saying, ‘Okay, we’re going to let people crack it open and grind all the way through it and see how it all works’” poses an unacceptable risk to customers. ®

PS: Kaspersky just opened a research lab in Israel. Awkward!


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/11/israel_russia_kaspersky/

Equifax: 12.5 Million UK Client Records Exposed in Breach

But of that data, only 700K British consumers are affected, the credit-monitoring company said today.

Now for the official UK fallout from the massive data breach at Equifax: sensitive data on some 700,000 consumers was exposed from 15.2 million hacked client records in Britain, the credit monitoring firm announced today, according to Reuters.

Equifax last week said forensics investigators have concluded that some 2.5 million more US consumers were affected by the data breach it revealed early last month, bringing the total to 145.5 million people whose Social Security numbers, birth dates, addresses, and driver’s licenses were stolen.

“Once again, I would like to extend my most sincere apologies to anyone who has been concerned about or impacted by this criminal act,” said Patricio Remon, Equifax’s president for Europe. “Let me take this opportunity to emphasize that protecting the data of our consumers and clients is always our top priority.”

Read the full Reuters report here.

Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/cloud/equifax-125-million-uk-client-records-exposed-in-breach/d/d-id/1330090?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Cybercrime Meets Culture In Middle East, North African Underground

Spirit of sharing and free malware a characteristic of crimeware markets in this region, Trend Micro says.

Cybercriminals shopping for malware tools and services can find plenty of wares available for free or next to nothing in emerging Middle East and North African cybercrime underground marketplaces.

Shopping these markets can be tricky for outsiders and often involves a vetting process, a joining fee, and more than just a passing knowledge of Arabic. But those who do manage to become members often can get a range of malware tools, including SQL injection tools, keyloggers, crypters and instruction manuals, for free, a study by Trend Micro has revealed.

“The most interesting driver here is the deep permeation of religious influence – from what is sold to how users and sellers interact,” says Ed Cabrera, chief cybersecurity officer for Trend Micro.

The trend is significant. The Middle East and North Africa is a young but emerging cybercrime region. It is increasingly thriving as a place where threat actors can coordinate and launch attacks against targets around the world. As underground markets and threat actors in the region develop and diversify, expect to see cyberattacks that go well beyond the usual Web defacements and denial of service attacks, Trend Micro said.

Expect also to see continued and closer coordination with the Russian underground, which has shown a tendency to hire malware coders from the Middle East and North Africa, the report says. Already, one of the underground sites that Trend Micro studied had advertisements promoting Russia- and China-based underground forums.

Trend Micro studied Middle East and North Africa’s online underworld between July 2016 and December 2016. During that time the security vendor examined things like the kind of merchandise available for sale in these markets, average prices for malware tools, and the interactions between buyers and sellers.

What Trend Micro discovered was a marketplace that was both similar to and very different from other underground markets elsewhere around the world.

Many of the malware products and services available in Middle East and North African markets were the same as those available elsewhere. Products included credit card and credential dumps, malware tools, and stolen identity information including passport scans and driver’s license data. Several markets that Trend Micro studied also supplied do-it-yourself kits for launching malware schemes.

The general offerings between the underground markets in the Middle East and North Africa and elsewhere were relatively consistent, Cabrera says. “Differences that we see stem from the societal influences that drive each of the economies,” he says.

Unlike cyber underground markets in Russia and China for instance, profit did not appear to be a primary driving factor behind many of the Middle Eastern and North African operations. Instead, a spirit of sharing and a sense of brotherhood appeared to be the primary drivers behind the distribution of crimeware.

Many of the sellers and buyers in these digital souks appear gathered around a common cause and ideology. In addition to members readily handing out malware tools for free, they also tended to cooperate with each other in planning and launching malicious campaigns such as Web defacement and distributed denial-of-service attacks.

While such sharing exists in other forums as well, the sheer prevalence of it on Middle Eastern and North African digital souks is interesting, Cabrera says. “Other underground marketplaces provide support to members, but the extent and willingness in this region is unique,” he notes.

Significantly, none of the marketplaces that Trend Micro studied was involved in the sale of weapons or drugs. Visitors looking to buy these items were directed to forums in the North American underground instead.

Prices for individual malware and hacking tools in these markets tended to be more expensive than in other regions. For example, keyloggers that sell for between $1 and $4 in the North American underground can cost as much as $19 in Middle Eastern and North African forums. But because members are willing to share their malware for a mutual cause, the price difference is usually balanced out, Cabrera said.

In some cases, tools and information that fetch a hefty price in other markets were available for free. Port numbers for Internet-connected Supervisory Control and Data Acquisition (SCADA) systems, for instance, were available for free in the cybercriminal underworld in this region, while the WannaCry ransomware sample was available for just $50.

“There is a broad range of technical capabilities seen among actors in this underground,” Cabrera observes.

“The culture allows for budding script kiddies to get their feet wet, while some of the larger Hacking as a Service and defacement campaigns are run by more experienced, sophisticated actors. This is similar to what we’ve seen in the North American or Russian underground that foster a breadth of malicious actors.”


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/cybercrime-meets-culture-in-middle-east-north-african-underground/d/d-id/1330094?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple