A couple of weeks after similar revelations made by Twitter, Facebook has joined the unwelcome list of Social Networks hit by targeted attacks.
This news has shaken this quiet weekend of February, as Facebook officials told Ars Technica that in January they discovered several computers belonging to mobile application developers had been hacked using a zero-day Java attack. Following a consolidated attack schema, the exploit installed a collection of previously unseen malware.
The attack occurred within the same timeframe as the hack that hit Twitter and exposed cryptographically hashed passwords of 250,000 users, and apparently targeted other companies completely unaware of the attack, until they were notified by Facebook.
According to the information available the attack showed several interesting (and nowadays common) patterns:
- The attackers used a “watering hole” attack, compromising the server of a popular mobile developer Web forum and using it to spring the zero-day Java exploit on site visitors. The attack was injected into the site’s HTML, affecting any visitor who had Java enabled in his browser, regardless of the level of patching of the machine.
- The exploit was used to download malware to victims’ computers affecting both Windows and Apple computers.
- As usual, I would say, antivirus software was unable to detect the malware, nor was the malware slowed down by the fact that the machines were patched.
Facebook said it is working with the FBI to investigate the attack. It is only the latest example of a class of sophisticated targeted threats that are increasingly common and aggressive against high-profile targets including tech industries, media, and now social networks. As a matter of fact, (state-sponsored?) cyber criminals are actively exploiting 0-day vulnerabilities targeting Java (and Adobe Flash) in this 2013, which in only two months is proving to be dramatic for the infosec landscape.
Update 4 Sep 23:38 GMT+2: The FBI issued a tweet denying that it ever had the 12 million Apple IDs in question:
Statement soon on reports that one of our laptops with personal info was hacked. We never had info in question. Bottom Line: TOTALLY FALSE—
FBI PressOffice (@FBIPressOffice) September 04, 2012
Here is the complete statement from the FBI Press Office.
Original Post: A few hours ago, the @AnonymousIRC Twitter account announced yet another resounding cyber attack carried out in the name of the #Antisec movement:
(@AnonymousIRC) September 04, 2012
In a special edition of their #FFF refrain (literally quoting the authors of the attack: “so special that’s even not on friday”), the hacktivists claim to have obtained from the FBI 12,000,000 Apple device UDIDs (UDID is short for Unique Device Identifier, the string of numbers that uniquely identifies each iOS device), and have consequently published 1,000,001 of them in a Pastebin post.
In the same post they explain how they were able to obtain them:
During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc. the personal details fields referring to people appears many times empty leaving the whole list incompleted on many parts. no other file on the same folder makes mention about this list or its purpose.
Did you notice the misplaced detail? I could not help but notice that the UDIDs were obtained by exploiting a Java vulnerability, the AtomicReferenceArray vulnerability (CVE-2012-0507). This detail would not be so important in other circumstances, had it not been disclosed only a few days after the controversy that followed the discovery of a potentially devastating 0-day for Java, and the subsequent issues deriving from the release of a vulnerable patch.
There could be no worse moment for this event to happen, and I am afraid it will add fuel to the rising concerns regarding Java security… Hard days for Java… And for the FBI.
Did you update your Java Plug-in with the Update 7 after the critical vulnerability discovered last week? You’d better wait!
Adam Gowdiak, CEO of Security Explorations, the Polish startup that discovered the Java SE 7 vulnerabilities (immediately exploited by cyber criminals), has discovered a new flaw that affects the patched version of Java released this Thursday. That patch was released outside the consolidated Oracle update cycle, which foresees three updates per year: an uncommon event for the company, which demonstrates the seriousness of the security hole.
Unluckily, history is repeating itself: Adam Gowdiak has told The Register that the just-released Java SE 7 Update 7 contains a flaw that could allow an attacker to bypass the Java security sandbox completely, making it possible to install malware or execute malicious code on affected systems.
Even more unluckily, history is totally repeating: as happened for the previous vulnerability, the bug was reported to Oracle in April 2012 (and unfortunately is not yet patched).
At this point there is no other choice than disabling Java from your favourite browser.
If you want to know if your browser is vulnerable, you can click the following link: http://www.isjavaexploitable.com/.
Disable Java or Die!
Here is the second part of my traditional monthly Cyber Attacks Timeline (Part I available here). From an information security perspective, the main events of this month were the infamous DigiNotar breach, which led the Dutch company to bankruptcy, and the BEAST attack on SSL: two events which, together, punched the infosec community in the stomach.
Of course these events did not divert the attention of hackers, who kept carrying out attacks against different targets.
The Anonymous continued their campaign: although mainly focused on the #OccupyWallStreet operation (in which a senior officer who used pepper spray against protesters was “doxed”), they targeted several governments including Mexico, Austria (where they also performed an unconfirmed hack against a health insurance firm, dumping the data of 600,000 users) and Syria. In particular, the latter attack triggered a retaliation by the Syrian Electronic Soldiers against the prestigious Harvard University.
Chronicles also report a Japanese defense contractor hit by hackers, Mitsubishi Heavy Industries (China denied its involvement in the attack), another Twitter account hacked by The Script Kiddies (this time USA Today’s), an indirect attack perpetrated against (through) Oracle by infecting its MySQL.com domain with downloadable malware and, last but not least, a massive defacement of 700,000 sites hosted by InMotion.
US Navy was also victim of defacement.
As far as the prize for the “Most Expensive Breach of the Month” is concerned, the laurel wreath undoubtedly goes to SAIC (Science Applications International Corp.), which lost a database backup tape containing the data of 4,900,000 users, with an estimated cost of approximately 1 billion bucks…
As usual, useful Resources for compiling the table include:
- Cyber War News (but it looks like it stopped posting reports on cyber attacks on 25 September 2011)
- CNET Hackers Chart (unfortunately it has not been updated since 24 August 2011)
- Dark Reading
- Naked Security
- Office Of Inadequate Security (DataBreaches.net)
- The Hacker News
My inclusion criteria do not take into consideration simple defacement attacks (unless they are particularly resounding) or small data leaks.
Update: On 09/30/2011, Betfair reported a 3.15 million records breach with a total estimated cost of 1.3 billion USD winning the laurel wreath of the most expensive breach of the month.
As part of OpIndipendencia, websites of several Mexican government ministries, including Defense and Public Security, are taken down on the same day as the symbolic beginning of Mexico’s independence from Spain.
Clubmusic.com, a worldwide DJ website, is hacked and the leak dumped on pastebin.
|Sep 16||Sec Indi Security Team
||Official Website of The United States Navy
A hacker crew called Sec Indi Security Team Hacker uploads a custom message on the server to warn of a WebDAV vulnerability.
|Sep 16||?||California State Assembly
More than 50 employees of the California State Assembly, including some lawmakers, have been warned that their personal information might have been obtained by a computer hacker.
||Intelligence And National Security Alliance
Names and email addresses of hundreds of U.S. intelligence officials have been posted on an anti-secrecy website. On Monday Sep 10 INSA published a major report warning of an urgent need for cyberdefenses. Within a couple of days, in apparent retaliation, INSA’s “secure” computer system was hacked and the entire 3,000-person membership posted on the Cryptome.org website
||Fake FBI Anonymous Report
A Fake FBI Psychological profile of the Anonymous group is published. Although not a direct cyber attack, this event can be considered an example of psychological hacking and a “sign of the times” of how information and counter information may play a crucial role in hacking.
|Sep 18||Texas Police
Anonymous/Anti-sec releases a document containing a list of about 3300 members of the Texas Police Association
Mitsubishi Heavy Industries, Japan’s biggest defense contractor, has revealed that it suffered a hacker attack in August that caused some of its networks to be infected by malware. According to the firm, 45 network servers and 38 PCs became infected with malware at ten facilities across Japan. The infected sites included its submarine manufacturing plant in Kobe and the Nagoya Guidance & Propulsion System Works, which makes engine parts for missiles.
|Sep 19||City Of Rennes
Hana SK Card Co., a South Korean credit card firm, announces that on Sep 17 the personal information of some 200 of its customers was leaked. Total cost of the breach is $42,800.
|Hana SK Card
||?||Former USSR Region
Sources report that at least 50 victim organizations, ranging from government ministries and agencies to diplomatic missions, research institutions, and commercial entities, have been hit in the former Soviet Union region and other countries in an apparent industrial espionage campaign that has been going on at least since August 2010. The advanced persistent threat (APT)-type attacks, dubbed “Lurid” after the Trojan malware family used in them, have infected some 1,465 computers in 61 countries with more than 300 targeted attacks.
||Shad0w||Fox Sports Website
Fox Sports website, one of the most visited websites in the world (rank 590 in Alexa), gets hacked. A hacker named “Shad0w” discloses a SQL injection vulnerability in one of the subdomains of Fox Sports and exploits it to extract the database. The leaked database info is posted on pastebin. The vulnerable link is also posted, together with admin password hashes.
|Sep 22||Core Security Technologies
Popular IRC service UKChatterbox advises users to change their passwords following a series of hacks which culminated in an attack that may have compromised user details. The password reset follows a succession of outages, going back to the start of the summer, that were previously attributed to maintenance upgrades. In a notice to users, UKChatterbox advises them to change their passwords and not to re-use them on other sites. The number of hacked accounts is unknown.
||Seven Major Syrian Cities and Government Web Sites
The Anonymous unleash a chain of defacement actions against the Syrian Government, hacking and defacing the official sites of seven major Syrian cities, which stayed up in their defaced version for more than 16 hours. The defacement actions continued the following day, when 11 Syrian Government sites were defaced as part of the same operation.
||Indira Gandhi International Airport
Although it happened three months ago, it turns out that a ‘technical snag’ hitting operations at the Indira Gandhi International Airport (IGIA) T3 Terminal was caused by “malicious code” sent from a remote location to breach the security at the airport.
|Sep 26||Inmotion Hosting Server
700,000 websites hosted on InMotion Hosting network are hacked by TiGER-M@TE. The hackers copied over the index.php in many directories (public_html, wp-admin), deleted images directory and added index.php files where not needed. List of all hacked 700,000 sites here.
|Sep 26||Austrian Police
The Austrian Anonymous branch publishes the names and addresses of nearly 25,000 police officials, raising fears for officers’ personal security. An Austrian Interior ministry spokesman said the information came from an “association closely related with the police”. Estimated cost of the breach is around $ 5,400,000.
|Sep 26||USA Today Twitter Account
The USA Today Twitter account is hacked and starts to tweet false messages mentioning the other accounts hacked by the authors of the action: the Script Kiddies (already in the spotlight for hacking the FoxNews Twitter account on the eve of the 9/11 anniversary).
The MySQL.com website is struck by cybercriminals, who hacked their way in to serve up a Java exploit that downloaded and executed malicious code on visiting Windows computers. Brian Krebs reports that just a few days before, he noticed on a Russian underground website that a hacker was offering to sell admin rights to MySQL.com for $3000. MySQL.com receives almost 12 million visitors a month (nearly 400,000 a day).
|Java Exploit to install malware|
|Sep 26||Harvard University
In retaliation for the defacements performed by the Anonymous targeting Syria, the Syrian Electronic Soldiers deface the website of the prestigious Harvard University. The same group came into the spotlight during July and August for defacing Anonoplus, engaging in a “de facto” cyberwar against The Anonymous.
The month of September is characterized by the OccupyWallStreet Operation, started on September 17th and still ongoing. Although it cannot be directly classified as a hacking action, it may rely on the support of the Anonymous, who “doxed” a senior police officer who controversially used pepper spray against a group of female protesters.
|Sep 27||COGEL, Council On Governmental Ethical Law
Once again this month, Snc0pe claims another resounding action. This time the alleged target is the official website of The Council on Governmental Ethics Laws (COGEL). He posts a message on pastebin, along with the database download link.
|Sep 28||Tiroler Gebietskrankenkasse (TGKK)
AnonAustria is in the spotlight again after the resounding hack against the Austrian Police. This time the victim is a health insurance firm, Tiroler Gebietskrankenkasse (TGKK), whose database of some 600,475 medical records AnonAustria claims to have hacked. The database includes some celebrities. The total cost of the breach is around $128,500,000.00.
||SAIC (Science Applications International Corp.)
SAIC, one of the Pentagon’s largest contractors, reveals that it discovered a data breach that occurred a couple of weeks before, affecting as many as 4.9 million patients who have received care from military facilities in San Antonio since 1992. The breach involved backup computer tapes from an electronic health care record. Some of the information included Social Security numbers, addresses, phone numbers and private health information for patients in 10 states. Statement of the data breach here. Estimated cost of the breach is around $ 1 billion.
||Laptop Virus Repair
Although not as resounding as the one which targeted MySQL.com, here is another example of a website infected with malicious code, targeting a free cloud-based antivirus service.
|Laptop Virus Repair
Betfair reports a leak including not only the payment card details of most of its customers but also “3.15m account usernames with encrypted security questions”, “2.9m usernames with one or more addresses” and “89,744 account usernames with bank account details”. The incident occurred on 14 March 2011 but was announced only 18 months later. Estimated cost of the breach is around $1.3 billion.
After McAfee and Symantec, it is now Cisco's turn: the router and perimeter security giant has recently published its Cisco 4Q10 Global Threat Report, which reflects global security trends from October to December 2010.
The Cisco report differs slightly from the previously mentioned documents because it comes from a security vendor focused on network solutions, and it is based on traffic data collected from its own network of Intrusion Prevention System (IPS) sensors, from IronPort security appliances for mail and web traffic, from its Remote Management Services (RMS), and finally from its ScanSafe cloud-based security services.
Malware Peak in October
In the period under review, enterprise users recorded an average of 135 encounters with new malware per month, with a peak of 250 events per month in October, a month that also saw the highest number of intercepted hosts serving web malware, at 16,905. Overall, 38,811 web events were detected in the period, resulting in a total of 127,622 URLs.
Search-engine-related traffic accounted for about 8% of web malware, with the largest share, 3.84%, coming from Google, a notable drop from the 7% recorded for the same type of traffic in the third quarter. Webmail traffic, by contrast, accounted for 1%.
The Gumblar malware (known for redirecting searches) compromised on average 2% of searches in Q4 2010, again a sharp drop from the 17% peak reached in May 2010.
As for application exploits, Java ruled the roost: the SUN Oracle creation routed the competition, reaching 6.5%, a percentage almost four times greater than that of vulnerabilities involving PDF files.
The vertical sectors most at risk turned out to be pharmaceutical, chemical, and energy (gas and oil); for the latter, the Night Dragon malware probably contributed as well.
Botnet Activity
The data collected through IPS sensors and managed services made it possible to track botnet activity in the period under review. The data showed a slight increase in botnet-generated traffic, especially for Rustock, the most widespread network of compromised machines, which had a notable peak at the end of the year.
As for the most frequently detected attack signatures, “SQL injections” (Generic SQL Injection) stand out in first place, confirming the point made by many vendors that in 2011 traditional vulnerabilities will be used in a more structured way for broader purposes (information theft, hacktivism, etc.).
It is interesting to note that, still in 2011, viral relics such as Conficker, MyDoom and Slammer were detected. On the other hand, according to the San Francisco vendor, older types of viruses such as boot sector and DOS file infections are on their way to extinction (ironically, the report had just come out when a new infection targeting the Master Boot Record was detected, attracting some attention in the community).
Also interesting is the impact of world events on the quality and quantity of traffic: the Cisco sensor network detected a peak in peer-to-peer traffic (BitTorrent in particular) in the last part of the year, coinciding in time with the disclosure of the WikiLeaks “secrets”, which led users, given the containment measures attempted by the US authorities, to look for parallel routes to get their hands on the documents.
Less Spam for Everyone!
Security vendors rarely agree with each other; however, in the case of spam, the indications of the San Jose giant are substantially in agreement with McAfee's. The fourth quarter of 2010 saw a considerable drop in unwanted mail, most likely attributable to the large-scale takedown operations carried out at the beginning of last year against the large botnets Lethic, Waledac, Mariposa and Zeus, and later in the same year against Pushdo, Bredolab and Koobface.