About these ads

Archive

Posts Tagged ‘Duqu’

16-30 November 2014 Cyber Attacks Timeline

December 2, 2014 Leave a comment

The Cyber Monday has just gone, and here we are with the second Cyber Attacks Timeline of November (Part I here).

Even if no massive breaches against retailers have been discovered so far (however do not get carried away since they will probably need several weeks to surface!), this month equally shows some remarkable events for Cyber Crime, Hacktivism and Cyber Espionage.

Actually I just really did not know where to begin, since each sector shows at least one noticeable events. However, after scrolling down the list, I believe that the crown of the month is all for the powerful Regin, the brand new cyber weapon discovered by Symantec. If you believed that the complexity of Stuxnet, Flame and Duqu was a closed page, you will have to change your mind.

This event has overshadowed the massive attack against Sony Pictures Entertainment, allegedly traced to North Korea, in the wake of the release of the comedy “The Interview”, which has been deemed discriminatory against the country and inciting to terrorism. This attack, which has more then one similarity with the infamous Dark Seoul, has completely blocked the Sony internal IT network and is making happy many individuals worldwide, since several Gigabytes of unreleased material are being leaked in these hours.

Last but not least the hacktivists are back! Not only the Syrian Electronic Army has exited stealth mode, with an attack to Gigya, an identity management platform, which has affected many illustrious victims worldwide, but also the Anonymous have been the authors of several attacks, just like the good old days, in the wake of the controversial decision of the Ferguson grand jury decision.

If you want to have an idea of how fragile our electronic identity is inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011, 2012, 2013 and now 2014 (regularly updated). You may also want to have a look at the Cyber Attack Statistics, and follow @paulsparrows on Twitter for the latest updates.

Also, feel free to submit remarkable incidents that in your opinion deserve to be included in the timelines (and charts).

16-30 November 2014 Cyber Attacks Timeline Read more…

About these ads

The Cradle of Cyber War

August 31, 2012 2 comments

Yesterday Bloomberg reported the news of a new cyber attack in Middle East targeting an Oil Company. The latest victim is Ras Laffan Liquefied Natural Gas Co., a Qatari LNG producer that has shut down part of its computer systems targeted by an unidentified malware since Aug. 27.

According to the scant official information available, desktop computers in company offices were the only affected, while operational systems at onshore and offshore installations were immune, with no impact on production or cargoes.

Of course it is impossible to avoid a parallelism with the cyber attack targeting Saudi Aramco a couple of weeks ago, and the 30,000 workstations that the company admitted to have been targeted (and restored only few days ago) by this malware outbreak. It is also impossible not to mention the infamous Shamoon, the brand new malware discovered in Middle East that information security community immediately connected to the Saudi Aramco cyber incident, furthermore stating (by literally quoting Symantec’s blog):

W32.Disttrack is a new threat that is being used in specific targeted attacks against at least one organization in the energy sector.

The Ras Raffan cyber attack maybe provides a partial answer to the question regarding who else might have been affected by Shamoon (I wonder if we will soon learn of other companies targeted) and even if security researchers have not confirmed, so far, the connection between Shamoon and this latest attack, the first speculations on regard have already appeared. According to the WSJ, the RasGas information technology department identified the virus as Shamoon, stating that:

Following the virus attack, some “computers are completely dead”.

The Middle East is considered the Cradle of Civilization, but I am afraid that, in this 21st century, it is becoming the “Cradle of Cyber War”. And even if you consider Shamoon just an amateurish copycat (with no cyberwar intentions), you cannot ignore that the latest research according to which even Wiper is a son of the so-called Tilded Platform (the same malware platform that originated Stuxnet, Duqu and Flame).

This cannot be considered a mere coincidence.

Another Massive Cyber Attack in Middle East

August 16, 2012 5 comments

Update August 17: More details about Shamoon, the malware targeting Saudi Aramco and other Middle East companies belonging to Energy Sector. Apparently the destructive details unveiled yesterday are confirmed.

Upate August 27: Saudi Aramco Admits 30K workstations affected.

I have just received a couple of tweets from an unknown user @cyberstrikenews providing more details about the latest Cyber Attack in Middle East targeting Saudi Arabian Oil Company (Saudi Aramco).

The Oil Company declared that “production had not been affected” and even if the virus affected some computers, it did not penetrate key components of the network. The company also said it would return to normal operating mode soon.

From the information I have received (I cannot verify the integrity of the source, so I report the data integrally), the situation appears quite different:

  • The company has about 40000 computer clients and about 2000 servers, the destructive virus was known to wipe all information and operation system related files in at least 30000 (75%) of them all data lost permanently.
  • Among the servers which (were) destroyed are the company main web server, mail server (smtp and exchange), and the domain controller which as the central part of their network.
  • All clients are permanently shut down and they will not be able to recover them in a short period.
  • The main company web site ( http://www.aramco.com ) was down during 24 hours and at last they redirected it to an outside country web site called “www.saudiaramco.com”.

Apparently the web site has just been restored to normal operation redirecting the user to Saudi Aramco.

After Stuxnet, Duqu, Flame and Gauss, yet another confirm that there is no cyber peace in middle East!

References:

http://pastebin.com/p5C4mCCD

http://pastebin.com/5YB3TUH1

A Flame on the Cyberwarfare Horizon

May 28, 2012 6 comments

Irony of fate: not even a day after the publication of a provocative article on the role of Cyber Warfare for maintaining peace, a new cyber threat appears, which is destined to leave an indelible mark on the cyber weapons’ landscape.

Today is one of those days that the Infosec Community will remember for a long time. It looks like the mystery of the malware targeting the Iranian Oil business a month ago has come to a solution, and it is not that kind of conclusion we would have hoped and expected.

Nearly in contemporary Kaspersky Lab, CrySyS Lab and the Iranian Computer Emergency Response Team Coordination Center have unleashed details of what has been defined (arguably) the most complex malware ever found.

The malware, which has been dubbed Flame (Kaspersky), or sKyWIper (CrySyS Lab), or also Flamer (CERTCC), has some unprecedented features that make it one of the most complex threats ever discovered:

  • The Cyber Weapon Malware is a sophisticated attack toolkit, It is a backdoor, a Trojan, and has worm-like features (three in one). According to Kaspersky its development has taken a couple of years and it will probably take year to fully understand the 20MB of code of Flame.
  • According to CrySyS Lab Flame has been in the wild since 2007, having been seen in the following geographical regions: Europe on Dec 5 2007, The United Arab Emirates on Apr 28 2008 and the Islamic Republic of Iran on Mar 1 2010;
  • Flame is controlled via an SSL channel by a C&C infrastructure spread all around the world, ranging from 50 (Kaspersky) to 80 (CrySyS) different domains;
  • Flame owns many capabilities, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard. C&C operators may choose to upload up to about 20 modules, which can expand Flame’s functionality;
  • The complete set of 20 modules is 20 MB in size when fully deployed (about 20 times larger than Stuxnet and maybe it is the reason why it wasn’t discovered for so long);
  • Flame includes a piece of code (about 3000 lines) written in LUA, a not so common occurrence for malware;
  • Top 7 affected countries include Islamic Republic of Iran (189 Samples), Israel/Palestine (98 samples), Sudan (32), Syria (30), Lebanon (18), Saudi Arabia (10), Egypt (5).
  • Flame appears to have two modules designed for infecting USB sticks: “Autorun Infector” (similar to Stuxnet) and “Euphoria” (spread on media using a “junction point” directory that contains malware modules and an LNK file that trigger the infection when this directory is opened);
  • Flame may also replicate via local networks using the following:
    1. The printer vulnerability MS10-061 exploited by Stuxnet – using a special MOF file, executed on the attacked system using WMI;
    2. Remote jobs tasks.
    3. When Flame is executed by a user who has administrative rights to the domain controller, it is also able to attack other machines in the network: it creates backdoor user accounts with a pre-defined password that is then used to copy itself to these machines.
  • So far no 0-day vulnerabilities have been found, despite the fact that some fully-patched Windows 7 installations have been compromised, might indicate the presence of high-risk 0-days.

With no doubt a beautiful piece of malware written with the precise intent of Cyber-Espionage. Besides the resounding features of the malware, I found particularly interesting the same infection mechanism used by Stuxnet, that make me think of (another) possible double agent implanting the first infection.

This (legitimate) suspicion is also reinforced by the disarming conclusions issued by CrySyS Lab:

The results of our technical analysis support the hypotheses that sKyWIper was developed by a government agency of a nation state with significant budget and effort, and it may be related to cyber warfare activities.

Middle East Cyber War Timeline (Part 5)

February 19, 2012 1 comment

Click here for the Middle East Cyber War Master Index with the Complete Timeline.

This week of Cyber War on the Middle East front, has shown a slight change on the Cyber Conflict trend. For the first time since January, psyops have deserved a primary role, maybe on the wake of the video released by the Anonymous against Israel one week ago. Not only the Jerusalem Post calls the video into question, but also argues that it may have been forged by Iran, identifying a state sponsored impersonation behind the entry of Anonymous in this cyber war.

But this has not been the only psyops event as an alleged message from Mossad to the Anonymous has appeared on pastebin, whose beginning sounds like a dark warning: If you want to be a hero start with saving your own lives. Although there are many doubts on its truthfulness, it deserves a particular attention since outlines a new age on psyops, what I call “pastebin psyops”.

But a war is not made only of psyops, so this week has also seen more hostile actions, among which the most remarkable one has been the leak of 300,000 accounts from Israeli Ministry of Construction and Housing. This action had been preannounced by a wave of attacks on primary Israeli sites (which targeted also the PM site), and most of all, has been carried on by 0xOmar, the absolute initiator of this cyber conflict.

Palestine has been targeted as well, and it is really interesting to read under this perspective a statement by Ammar al-Ikir, the head of Paltel, the Palestinian telecommunications provider according to whom cyber attacks on Palestinian websites and internet servers have escalated since Palestine joined UNESCO.

On the Iranian front chronicle report of a failed cyber attacks againstPress TV, Iran’s English-language 24-hour news channel and most of all of a controversial statement by Gholam Reza Jalali, a senior Iranian military official in charge of head of the Iranian Cyber Intelligence, according to whom the country’s nuclear facilities have finally been made immune to cyber attacks. And it is not a coincidence that in this week Iran has kicked off the first national conference on Cyber Defense. A matter that deserves a special attention by Tehran because of the growing number of attacks on Iran’s cyber space by US and Israel. On the other hand, Israel did a similar move one month ago, at very early stage of the cyber conflict.

Read more…

One Year Of Lulz (Part II)

December 26, 2011 1 comment

Christmas has just gone and here it is my personal way to wish you a Happy New Year: the second part of my personal chart (first part here) of Main 2011 Cyber Attacks covering the time window from August to November 2011 (December is not yet finished, and featuring remarkable events, so expect an update very soon). This memorable year is nearly over and is time, if you feel nostalgic, to scroll down the second part of the list to review the main Cyber Events that contributed, in my opinion, to change the landscape and the rules of the (information security) game. Many events in this period among whom, IMHO, the most noticeable is the one carried on against Diginotar. Since then our trust in conventional authentication models is not (and will not be) the same anymore.

Of course this is my personal selection. Suggestions are well accepted and if you need more details about the cyber events in 2011, feel free to consult my 2011 Cyber Attacks Master Index. As usual after the page break you find all the references…

Read more…

Another Certification Authority Breached (the 12th!)

December 10, 2011 1 comment

2011 CA Attacks Timeline (Click To Enlarge)This year is nearly at the end but it looks like it is really endless, at least from an Information Security Perspective. As a matter of fact this 2011 will leave an heavy and embarassing heritage to Information Security: the Certification Authority authentication model, which has been continuously under siege in this troubled year; a siege that seems endless and which has shown its ultimate expression on the alleged compromise of yet another Dutch Certification Authority: Gemnet.

Gemnet, an affiliate of KPN, has suspended certificate signing operation after an intrusion on its publicly accessible instance of phpMyAdmin (a web interface for managing SQL Database) which was, against any acceptable best practice, exposed on the Internet and not protected by password. As in case of Diginotar, another Dutch Certification Authority which declared Bankrupt few days after being compromised by the infamous Comodo Hacker, Gamnet has  the Dutch government among its customers including the Ministry of Security and Justice, Bank of Dutch Municipalities and the police.

After the intrusion, the attacker claimed to have manipulated the databases, and to allegedly have been able to gain control over the system and all of the documents contained on it, although KPN, claims the documents contained on the server were all publicly available. Moreover the attacker claimed the attack was successful since he could obtain the password (braTica4) used for administrative tasks on the server. As a precaution, while further information is collected about the incident, Gemnet CSP, KPN’s certificate authority division, has also suspended access to their website.

The breach is very different, in purpose and motivations, from the one occurred to Diginotar, at the end of July, which led to the issuance of more than 500 bogus Certificates (on behalf of Google, Microsoft, and other companies). In case of Diginotar the certificates were used to intercept about 300,000 Iranians, as part of what was called “Operation Black Tulip“, a campaign aimed to eavesdrop and hijack dissidents’ emails. For the chronicles, the same author of the Diginotar hack, the Infamous Comodo Hacker, had already compromised another Certification Authority earlier this year, Comodo (which was at the origin of his nickname). In both cases, the hacks were performed for political reasons, respectively as a retaliation for the Massacre of Srebrenica (in which the Comodo Hacker claimed the Dutch UN Blue Helmets did not do enough to prevent it), and as a retaliation for Stuxnet, allegedly developed in a joint effort by Israel and US to delay Iranian Nuclear Program.

But although resounding, these are not the only examples of attacks or security incidents targeting Certification Authorities: after all, the attacks against CAs started virtually in 2010 with the infamous 21th century weapon Stuxnet, that could count among its records, the fact to be the first malware using a driver signed with a valid certificate belonging to Realtek Semiconductor Corps. A technique also used by Duqu, the so called Duqu’s son.

Since then, I counted 11 other breaches, perpetrated for different purposes: eavesdropping (as is the case of the Infamous Comodo Hacker), malware driver signatures, or “simple” compromised servers (with DDoS tools as in case of KPN).

At this point I wonder what else we could deploy to protect our identity, given that two factor authentication has been breached, CAs are under siege, and also SSL needs a substantial revision. Identity protection is getting more and more important, since our privacy is constantly under attack, but we are dangerously running out of ammunitions.

(Click below for references)

Read more…

Follow

Get every new post delivered to your Inbox.

Join 3,200 other followers