Archive
1-15 November 2012 Cyber Attacks Timeline
The first half of November 2012 has been undoubtedly characterized by Hacktivism. Not only the month has begun with the ProjectBlackStar by the infamous Team Ghostshell (2.5 million accounts leaked belonging to different Russian sectors), but also the long-awaited November 5 has brought an unprecedented wave of Cyber Attacks against organizations all over the world, including Symantec and the UK Ministry Of Defence (more than 3,000 accounts leaked in both cases).
Moreover, after the dramatic event of the 14th of November (the killing of Ahmed Al-Jaabari, the commander of the military wing of Hamas by an Israeli missile and the consequent Operation “Pillar Of Defense”), the Anonymous have started a massive campaign of Cyber Attacks against Israel sites and in support of Palestine. This campaign is still ongoing even if it is really impossible to track all the attacks (nearly 700 defaced web sites so far), and hence, as far as possible, only a general overview is provided.
Of course these events have shadowed the other attacks, including the ones to LG (3,300 accounts leaked in two different cyber attacks) and Adobe (150,000 records allegedly compromised).
The chronicles also report of an alleged cyber attack against Telecom Italia (30,000 accounts allegedly leaked), even if there several doubts about the real authenticity of this attack.
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 and the related statistics (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
Yet Another Breach Targeting Adobe
Hard Times for Adobe. On the evening of Tuesday, November 13, 2012, immediately after the claims of an alleged Egyptian hacker dubbed ViruS_HimA, the company has taken offline the connectusers.com forum.
In his pastebin post, the hacker claims to have breached an unidentified Adobe server, gaining full access to it and dumping the whole Database: over 150,000 emails, passwords with full data of Adobe customers and partners with some users belonging to Adobe, Google, NASA, Military Institutions, etc.).
As a proof of his breach he has published some screenshot, and a text file containing 645 records with emails belonging to some selected domains: “adobe.com”, “.mil” and “.gov”.
After the rumors, the breach has been finally confirmed by Adobe in a blog post where the company has announced the decision to take the forum offline and to reset the passwords.
Meanwhile more details about the breach are emerging: the hacker allegedly exploited a SQL Injection vulnerability, and also the cracked passwords from the breach show a lack of security with no salt, no iteration, and finally no complexity. Unfortunately we are getting more and more used to attacks exploiting SQLi and to poorly-protected passwords.
Unfortunately Adobe continues to attract the attention of cyber-attackers. At the end of September the company discovered a targeted attack against a build server accessing the code signing infrastructure with the consequence that the certificates of 5000+ applications were revoked, one month and half later the passwords of 150,000 forum users are at risk.
Related articles
16-30 September 2012 Cyber Attacks Timeline
Part One with 1-15 September 201 Timeline Here.
September is over and it’s time to analyze this month from an Information Security perspective with the second part of the Cyber Attack Timeline.
Probably this month will be remembered for the massive outage of six U.S. Banks (Bank of America, JPMorgan Chase, Citigroup, U.S. Bank, Wells Fargo and PNC ) caused by a wave of DDoS attack carried on by alleged Muslim hackers in retaliation for the infamous movie (maybe this term is exaggerated) “The Innocence of Muslims”.
China has confirmed its intense activity inside the Cyber space. Alleged (state-sponsored?) Chinese hackers were allegedly behind the attack to Telvent, whose project files of its core product OASyS SCADA were stolen after a breach, and also behind a thwarted spear-phishing cyber attack against the White House.
Adobe suffered a high-profile breach which caused a build server to be compromised with the consequent theft of a certificate key used to sign two malware strains found on the wild (with the consequent necessary revoke of the compromised key affecting approximately 1,100 files).
Last but not least, the Hacktivism fever has apparently dropped. September has offered some attacks on the wake of the #OpFreeAssange campaign, and a new wave of attacks at the end of the month after the global protests set for September, the 29th, under the hashtag of #29s.
If you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 and the related statistics (regularly updated), and follow @paulsparrows on Twitter for the latest updates.
Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).
Adobe Persistent Threat
Adobe is the latest victim of a targeted attack. The news has been reported in a blog post by Brad Arkin, Director of product security and privacy at Adobe.
According to Mr. Arking the company has recently received two malware strains in disguise of malicious utilities that appeared to be digitally signed using a valid Adobe code signing certificate and has identified the possible reason for the illegitimate code signing in a compromised build server with access to the Adobe code signing infrastructure as part of the build server.
The first malicious utility is called pwdump7 v7.1 and extracts password hashes from the Windows OS as a single file that statically links the OpenSSL library libeay32.dll. The second malicious utility, dubbed myGeeksmail.dll, is a malicious ISAPI filter.
Of course the forensic investigation is ongoing. To date Adobe has identified the presence of malware on the build server (although the details of the machine’s configuration were not to Adobe corporate standards for a build server, this was not caught during the normal provisioning process”) and the likely mechanism used to first gain access. Although the forensic investigation has found evidence linking the build server to the signing of the malicious utilities, it appears that the private key required for generating valid digital signatures was not extracted from the HSM, which is kept in physically secure facilities. Even, so far there is no evidence that the source code was compromised or stolen.
As a natural consequence the company has changed the signing process and has deployed an interim solution including an offline human verification to ensure that all files scheduled for signature are valid Adobe software. Furthermore the company is also designing and deploying a new, permanent signing solution.
All the certificates signed with the impacted key since July 10, 2012 will be revoked on Thursday October 4, 2012 (does this means that the build server has been compromised, undetected, for more than two months?). Potentially there could be 5127 applications signed with the compromised key.
According to the available information, we are in front of a typical targeted attack:
We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software.
Moreover “Targeted Attacks generate Targeted Attacks” since the malware samples discovered (most of all in case of the pwdump7 “utility”) show the typical features used by Advanced Persistent Threats: compromise one machine, extract information to escalate privileges (see password) and use the initial entry point as a bridgehead to harvest the target network.
So at the end Adobe is the latest high-profile target to join the group of the companies hit by targeted attack: “Through this process we learned a great deal about current issues with code signing and the impact of the inappropriate use of a code signing certificate. We plan to share our lessons learned as well as foster a conversation within the industry about the best way to protect users and minimize the impact on users in cases where the revocation of a certificate becomes necessary (as in this example).”
“Please stay tuned for more details in the coming weeks.”
Related articles
- Inappropriate Use of Adobe Code Signing Certificate (blogs.adobe.com)
The Alphabet of Cyber Crime from APT to Zeus
If you need to know what Cyber Crime is but you are bored and fed up with the too many information security terms, loosing yourself among the acronyms, you have stumbled upon the correct place. I have just compiled a very special alphabet which collects the terms related to Cybercrime. Forgive me for some “poetic license” and enjoy this half-serious list.
A like APT
Yes, the Advanced Persistent Threats have been the undisputed protagonists of 2011. An APT is essentially an attack carried on with different vectors, different stages and on a distributed time windows (yes, it Persistent). APT are behind the most remarkable events of 2011 such as the RSA Breach, Stuxnet, and so on…
B like Botnet
Botnet are networks of compromised machines that are used by cybercriminals to perpetrate their malicious action. Tipically a compromised machine becomes part of a botnet where the master distributes the commands from a C&C Server. Command may include the theft of information or the attack to other machines.
C like Crime-As-A-Service
The last frontier of Cybercrime: why developing costly malware if you can find a wide offer of customizable malware on the black market offering help desk and support services?
D like DLP
Data Leackage (or Lost) prevention is a suite of technologies that may help organization to counter the theft of information by preventing misuse or leak of data while they are in use at the endpoint (DIU), in transit on the network (DIM), or simply it is an aggregated Dark Matter on the corporate servers (DAR) that needs to be indexed and cataloged (and possibly classified and assessed).
December 2011 Cyber Attacks Timeline (Part I)
As usual, here it is my compilation of December Cyber Attacks.
It looks like that Christmas approaching is not stopping hackers who targeted a growing number of organizations including several security firms (Kaspersky, Nod 32 and Bitdefender) even if in secondary domains and with “simple” defacements.
Cyber chronicles report of Gemnet, another Certification Authority Breached in Holland (is the 12th security incident targeting CAs in 2011) and several massive data breaches targeting Finland (the fifth this year, affecting 16,000 users), online gambling (UB.com affecting 3.5 million of users), Telco (Telstra, affecting 70,000 users), and gaming, after the well known attacks to Sony, Sega and Nintendo, with Square Enix, which suffered a huge attacks compromising 1,800,000 users (even if it looks like no personal data were affected).
Online Payment services were also targeted by Cybercrookers: a Visa East European processor has been hit by a security breach, but also four Romanian home made hackers have been arrested for a massive credit card fraud affecting 200 restaurants for a total of 80,000 customers who had their data stolen.
As usual, hacktivism was one of the main trends for this first half of the month, which started with a resounding hacking to a Web Server belonging to ACNUR (United Nations Refugees Agency) leaking more than 200 credentials including the one belonging to President Mr. Barack Obama.
But from a mere hactvism perspective, Elections in Russia have been the main trigger as they indirectly generated several cyber events: not only during the election day, in which three web sites (a watchdog and two independent news agencies) were taken down by DDoS attacks, but also in the immediately following days, when a botnet flooded Twitter with Pro Kremlin hashtags, and an independent forum was also taken down by a further DDoS attacks. A trail of events which set a very dangerous precent.
Besides the ACNUR Hack, the Anonymous were also in the spotlight (a quite common occurrence this year) with some sparse attacks targeting several governments including in particular Brazil, inside what is called #OpAmazonia.
Even if not confirmed, it looks like that Anonymous Finland might somehow be related to the above mentioned breach occurred in Finland.
Other interesting events occurred in the first two weeks of December: the 0-day vulnerability affecting Adobe products, immediately exploited by hackers to carry on tailored phishing campaigns and most of hall, a targeted attack to a contractor, Lockheed Martin, but also another occurrence of DNS Cache Poisoning targeting the Republic of Congo domains of Google, Microsoft, Samsung and others.
Last but not least, the controversial GPS Spoofing, which allegedly allowed Iran to capture a U.S. Drone, even the GPS Spoofing on its own does not completely solve the mistery of the capture.
Other victims of the month include Norwich Airport, Coca Cola, and another Law Enforcement Agency (clearusa.org), which is currently unaivalable.
As usual after the page break you find all the references.
Report McAfee Q4 2010: Il Malware è Mobile Qual Piuma Al Vento!
I Laboratori McAfee hanno appena pubblicato il report relativo alle minacce informatiche del quarto trimestre 2010 (McAfee Q4 Threat Report). Oramai sembra un immancabile e monotono refrain ma, tanto per cambiare, nel corso dell’ultimo scorcio del 2010 i malware per i dispositivi mobili l’hanno immancabilmente fatta da padroni.
I dati sono impressionanti: le infezioni dei dispositivi mobili nel corso del 2010 sono cresciute del 46% rispetto all’anno precedente. Nell’anno passato sono stati scoperti 20 milioni di nuovi esemplari di software malevolo, corrispondenti a circa 55.000 nuovi vettori di infezione al giorno. In effetti nel 2010 gli sviluppatori malevoli si sono dati molto da fare se si considera che i Laboratori McAfee hanno identificato in totale 55 milioni di tipologie di malware, da cui su evince che il malware sviluppato nel 2010 corrisponda al 36% del totale.
Una cosa è certa: i cybercriminali si stanno concentrando su dispositivi popolari che garantiscono il massimo risultato con il minimo sforzo, con una tendenza destinata ad accenturarsi nel 2011 verso un fenomeno che si potrebbe riassumere benissimo con il termine ipocalypse.
I risultati del report si possono così sintetizzare:
Dispositivi mobili sempre più in pericolo per le botnet
Non è una novità, e la mia prima previsione in proposito risale a dicembre 2010 quando, commentando le previsioni di sicurezza Symantec per il 2011, mi ero sbilanciato asserendo che nel corso del 2011 avremmo probabilmente assistito alla nascita di botnet di terminali compromessi. Da lì a breve è stato un climax ascendente che ha portato dapprima alla rilevazione del trojan Geinimi al termine del 2010, ed in seguito alla creazione di un malware botnet-like in laboratorio.
Il report di McAfee conferma questo trend (scusate il gioco di parole), assegna a Geinimi il titolo di una delle minacce più importanti dell’ultimo trimestre 2010, e sancisce perentoriamente che i Cybercriminali utilizzeranno sempre di più, nel corso del 2011, tecniche di botnet per infettare i dispositivi mobili.
I motivi sono presto detti: maggiore popolarità (e portabilità) dei dispositivi mobili come strumenti di lavoro implicano maggiore contenuto sensibile immagazzinato senza le stesse misure di sicurezza e la stessa sensibilità dell’utente (non a caso Geinimi, come anche altre minacce mobili) sono false applicazioni scaricata da market paralleli. D’altronde una botnet di dispositivi mobili ha una duplice valenza malevola: da un lato consente di rubare dati e informazioni sensibili (dalla rubrica alla posizione) dall’altro potrebbe essere utilizzata con intenti malevoli con maggiori capacità di mimetismo all’interno della rete di un operatore mobile (come confermato indirettamente anche dal report di Arbor Networks.
Ad ogni modo nel Q4 2010, Cutwail ha perso lo scettro di botnet più attiva, ad appannaggio della rete di macchine compromesse appartenenti alla rete Rustock, seguita a ruota da Bobax
Almeno una buona notizia, lo Spam è un Periodo di Transizione
Sebbene i mezzi favoriti dai Cybercriminali in questo trimestre siano stati il malware di tipo AutoRun (Generic!atr), i trojan di tipo banking o downloader (PWS or Generic.dx), o anche gli exploit web-based (StartPage and Exploit-MS04-028), perlomeno si è registrato un leggero abbassamento dei livelli di spam, che sebbene rappresenti ancora l’80% di tutti i messaggi di posta elettronica, si è comunque attestato ai livelli del 1 trimestre 2007. Questo periodo di transizione è verosimilmente dovuto al letargo di alcune botnet (ad esempio Rustock, Letic e Xarvester) e alla chiusura di altre (ad esempio Bredolab o in parte Zeus). In questo trimestre, al vertice delle reti di macchine compromesse si sono posizionate Bobax e Grum.
Se aumentano gli apparati aumentano le minacce web
In base ai dati dell’ultimo trimestre 2010, in cui i domini malevoli sono cresciuti velocemente grazie alle minacce più attive del calibro di Zeus, Cornficker e Koobface; McAfee rivela che le i vettori di infezione basati sul web continueranno a crescere in dimensioni e complessità , di pari passo con il crescere degli apparati eterogenei che accedono alla rete.
Ovviamente non poteva mancare il phishing e il malvertising e SEO Poisoning in virtù del quale McAfee Labs rivela che all’interno dei primi 100 risultati delle principali ricerche quotidiane, il 51% conduce l’ignaro navigatore verso siti poco sicuri che contengono più di cinque link malevoli. Non è un caso che il produttore rosso preveda che gli attacchi facenti uso di tecniche di manipolazione dei risultati dei motori di ricerca cresceranno notevolmente nel 2011, focalizzandosi soprattutto (tanto per cambiare) ai dispositivi di nuova generazione.
Le vulnerabilità Adobe come mezzo di distribuzione del malware
Nel corso del 2010 le vulnerabilità dei prodotti Adobe (Flash e PDF), inseparabili compagni di navigazione, sono stati il mezzo principale di distribuzione del malware preferito dai Cybercriminali. C’e’ da aspettarsi una inversione di tendenza per il 2011? Nemmeno per idea, almeno secondo McAfee che prevede, per quest’anno, una prosecuzione del trend, anche a causa del supporto per le varie tecnologie Adobe, da parte dei dispositivi mobili e dei sistemi operativi non Microsoft.
Hacktivissimi!
Anche l’hactivism vedrà la sua azione proseguire nel 2011 dopo i botti di fine anno compiuti dal gruppo Anonymous, (e anche il Governo Italiano ne sa qualcosa in questi giorni. Anzi, secondo il produttore dichiara che il confine tra hactivism e cyberwarfare diventerà sempre più confuso.
About The Author
Support My Work!
Share:
News
08/13/2011 - My Post on Android Malware Mentioned on Engadget.
04/14/2011 - The Article Smart Grid: L'ultima Frontiera del Cybercrime published on ICT Security Magazine May 2011.
03/14/2011 - Security Summit 2011: Paolo Passeri guest at Round Table "Mobile Security: Rischi, Tecnologie, Mercato"
02/14/2011 - The Article Gears of Cyberwar published on ICT Security Magazine January 2011.
Visitors from…
