Archive
Certificates From Leading Security Vendor Bit9 Used to Sign Malware
Another high-profile security company has been breached. Bit9, a leading provider of application whitelisting technology, has admitted to have been attacked by a malicious external third party who was able to illegally gain access to one of their digital code-signing certificates. The attackers did not waste time and the compromised certificate has immediately been used to sign malware infiltrating, according to the company’s investigation, the network of three customers.
The news was initially revealed by Brian Krebs in a blog post, and later confirmed by the security vendor, which also gave additional (scant) details, including the fact that the malicious attackers were able to infiltrate a portion of their internal network not protected by their product.
“We simply did not follow the best practices we recommend to our customers by making certain our product was on all physical and virtual machines within Bit9.“
At first glance the attack has many points in common with the infamous RSA Breach of 2011, including the fact that maybe the real target of the attack was not the company itself, but the protected network of its customers. On the other hand, if it is true, as the company claims, that Bit9 was the only security company capable to stop both the Flame malware and the RSA breach attack, to achieve their target, the attackers had no other chance than attacking the source of their technology.
The latest demonstration, if necessary, that attacks are becoming more and more aggressive and sophisticated, and the protection is not only a matter of technology but even of good procedures and best practice, and not only for the possible victims…
A Strange Coincidence
After the revelation of the Chinese attack against the Gray Lady, other U.S. media companies have admitted to have been targeted by (probably state-sponsored) Chinese Hackers in 2012. Immediately after the NYT, even the Wall Street Journal has revealed to have been infiltrated, and similar rumors have emerged for Bloomberg and the Washington Post in what appears to be a systematic hostile campaign.
In particular the attack against the NYT has apparently confirmed the inadequacy of signature-based antivirus against targeted attacks. As the same New York Times admitted, over the course of three months, the foreign attackers installed 45 pieces of custom malware, but the antivirus in use, made by Symantec, was only able to detect one instance of malware over the entire sample.
The security firm has immediately replied to those allegations:
“Advanced attacks like the ones the New York Times described … underscore how important it is for companies, countries and consumers to make sure they are using the full capability of security solutions. The advanced capabilities in our endpoint offerings, including our unique reputation-based technology and behaviour-based blocking, specifically target sophisticated attacks. Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security. Anti-virus software alone is not enough.”
Said in few words: signatures alone are not enough. The sophistication of the next generation targeted attacks require advanced security capabilities such as reputation and behavioral analysis.
According to the scant information available even the Washington Post used Symantec technology to protect its assets, and even in this case it could not prevent the hostile attackers to systematically compromise computer systems.
I wonder if this double coincidence could somehow be connected to the infamous leak of Symantec antivirus source code which occurred (or better was made public) approximately one year ago (the 6th of January 2012). As a consequence of the breach (that allegedly dates back to 2006) the source code of two old products (Symantec Antivirus Corporate Edition 10.2 and Symantec Endpoint Protection 11) were leaked on the Internet. Of course the affected products have been greatly modified since then, nevertheless it is likely that any core functions have not evolved, so in theory, hostile hackers could have taken a (detailed) look at them and have consequently found ways to evade the antivirus (some claim that a similar scenario happened for the infamous RSA breach).
Of course this is just a speculation, maybe the reality is much more simple: traditional antivirus technologies are not enough to thwart sophisticated targeted attacks.
Related articles
- Symantec: don’t blame us for New York Times hack (go.theregister.com)
- Symantec Gets A Black Eye In Chinese Hack Of The New York Times (forbes.com)
The White House and The Red Dragon
There’s no day without a new high-profile cyber attack. The last victim in order of time is The White House which has confirmed to have been targeted by an unsuccessful spear phishing campaign.
According to officials, hackers linked to China’s government have tried to break into the computer network used by the White House Military Office (WHMO), the president’s military office in charge of some of the U.S. government’s most sensitive communications, including strategic nuclear commands. This is considered one of the U.S. government’s most sensitive computer networks, since it is used by the White House Military Office for nuclear commands. The secrets behind the WHMO include data on the so-called “nuclear football,” the nuclear command and control suitcase used by the president to be in constant communication with strategic nuclear forces commanders for launching nuclear missiles or bombers.
The cyber attack took place earlier this month, and the hackers are believed to have used servers located in China. According to officials, this kind of attack is “not infrequent” and hence there are unspecified “mitigation measures in place” which allowed to identify the attack and isolate the system. As a consequence there is no indication that any exfiltration of data took place.
This is not the first time in which alleged state-sponsored Chinese hackers have breached (or at least have tried to breach) high-profile U.S. targets. On July, 14, 2011, The Pentagon revealed to have lost 24,000 files during a cyber attack happening in March of the same year (suspects were directed to China). On May of the same year several U.S. Defense contractors such as Lockheed Martin, Northrop Grumman and L-3 Communications were hit by targeted attacks carried on with compromised SecurID tokens as a consequence of the infamous RSA breach.
At this link a non-exhaustive collection of the main cyber attacks carried on by Chinese hackers, maybe it is a little old (and should be updated), in any case it is enough to understand how active the Red Dragon is inside the cyber space.
Exclusive Infographic: All Cyber Attacks on Military Aviation and Aerospace Industry
Cross Posted from TheAviationist.
2011 has been an annus horribilis for information security, and aviation has not been an exception to this rule: not only in 2011 the corporate networks of several aviation and aerospace industries have been targeted by digital storms (not a surprise in the so-called hackmageddon) but, above all, last year will be probably remembered for the unwelcome record of two alleged hacking events targeting drones (“alleged” because in the RQ-170 Sentinel downed in Iran episode, several doubts surround the theory according to which GPS hacking could have been the real cause of the crash landing).
But, if Information Security professionals are quite familiar with the idea that military contractors could be primary and preferred targets of the current Cyberwar, as the infographic on the left shows, realizing that malware can be used to target a drone is still considered an isolated episode, and even worse, the idea of a malware targeting, for instance, the multirole Joint Strike Fighter is still something hard to accept.
However, things are about change dramatically. And quickly.
The reason is simple: the latest military and civil airplanes are literally full of electronics, which play a primary role in managing avionics, onboard systems, flight surfaces, communcation equipment and armament.
For instance an F-22 Raptor owns about 1.7 millions od line of codes , an F-35 Joint Strike Fighter about 5.7 millions and a Boeing 787 Dreamliner about 6.5 millions. Everything with some built in code may be exploited, therefore, with plenty of code and much current and future vulnerabilities, one may not rule out a priori that these systems will be targeted with specific tailored or generic malware for Cyberwar, Cybercrime, or even hacktivism purposes.
Unfortunately it looks like the latter hypothesis is closer to reality since too often these systems are managed by standard Windows operating systems, and as a matter of fact a generic malware has proven to be capable to infect the most important U.S. robots flying in Afghanistan, Pakistan, Libya, and Indian Ocean: Predator and Reaper Drones.
As a consequence, it should not be surprising, nor it is a coincidence, that McAfee, Sophos and Trend Micro, three leading players for Endpoint Security, consider the embedded systems as one of the main security concerns for 2012.
Making networks more secure (and personnel more educated) to prevent the leak of mission critical documents and costly project plans (as happened in at least a couple of circumstances) will not be aviation and aerospace industry’s information security challenge; the real challenge will be to embrace the security-by-design paradigm and make secure and malware-proof products ab initio.
While you wait to see if an endpoint security solution becomes available for an F-35, scroll down the image below and enjoy the list of aviation and aerospace related cyber attacks occurred since the very first hack targeting the F-35 Lightning II in 2009.
Of course aviation and aerospace industries are not the only targets for hackers and cybercriminals. So, if you want to have an idea of how fragile our data are inside the cyberspace, have a look at the timelines of the main Cyber Attacks in 2011 and 2012 (regularly updated) at hackmageddon.com. And follow @pausparrows on Twitter for the latest updates.
As usual the references are after the jump…
What Security Vendors Said One Year Ago…
I did not resist, so after publishing the summary of Security Predictions for 2012, I checked out what security vendors predicted one year ago for 2011. Exactly as I did in my previous post, at the beginning of 2011 I collected the security predictions in a similar post (in Italian). I also published in May an update (in English) since, during the Check Point Experience in Barcelona held in May 2011, the Israeli security firm published its predictions. Even if the latters have been published nearly at the half of 2011, for the sake of completeness, I decided to insert them as well in this year-to-year comparison.
Then, I included Symantec (for which this year I did not find any prediction), McAfee, Trend Micro, Kaspersky, Sophos and Cisco. I included Check Point in a second time and I did not include Fortinet, At that time I missed their five security predictions, which I only discovered later so I decided to provide an addendum for this post including Fortinet as well in order to provide a deeper perspective.
The security predictions for 2011 are summarized in the following chart, which reports what the vendors (with the partial above described exception of Checkpoint) expected for the past year in terms of Information Security trends.
But a strict side-by-side comparison with the 2012 information security predictions (extracted by my previous post) is more helpful and meaningful:
As you may notice mobile threats were on top even among the predictions for 2011. This prediction came easily true most of all for Android which suffered (and keeps on suffering) a huge increase in malware detection samples (even if the overall security risk remains contained). Social Media were on top as well: they have been crucial for the Wind of the Changes blown by the Arab Spring but in the same time Social Media have raised many security concerns for reputation, the so called Social Network Poisoning (who remembers Primoris Era?). Although 2011 was the year of the Anonymous, hacktvism ranked “only” at number 4, behind Advanced Persistent Threats, which however played a crucial role for information security (an APT was deployed for the infamous RSA Breach, but it was not an isolated case).
Also botnets, web threats and application vulnerabilities ranked at the top of Security predictions for last year (and came true). As far as botnets are concerned, fortunately 2011 was a very important year for their shutdown (for instance Hlux/Kelihos, Coreflood, Rustock). In several cases the botnets were taken down thanks to joint operations between private sectors and law enforcement agencies (another prediction came true). On the application side, this prediction came true most of all thanks to the Sony breach, the Liza Moon infection and the huge rate of SQLi based attacks and ASP.NET vulnerabilities. We have also assisted to an hard blow to SSL/TLS and XML Encryption.
But what is more surprising (and amusing) in my opinion is not to emphasize which predictions were correct, but rather to notice which predictions were dramatically wrong: it looks like that, against the predictions, virtualization threats were snubbed by cybercrookers in 2011 (and nearly do not appear in 2012). But the most amusing fact is that no security vendor (among the ones analyzed) was able to predict the collapse of the Certification Authority model thanks most of all to the Comodo and Diginotar Breaches.
One Year Of Lulz (Part I)
Update December 26: 2011 is nearly gone and hence, here it is One Year Of Lulz (Part II)
This month I am a little late for the December Cyber Attacks Timeline. In the meantime, I decided to collect on a single table the main Cyber Attacks for this unforgettable year.
In this post I cover the first half (more or less), ranging from January to July 2011. This period has seen the infamous RSA Breach, the huge Sony and Epsilon breaches, the rise and fall of the LulzSec Group and the beginning of the hot summer of Anonymous agsainst the Law Enforcement Agencies and Cyber Contractors. Korea was also affected by a huge breach. The total cost of all the breaches occurred inthis period (computed with Ponemon Institute’s estimates according to which the cost of a single record is around 214$) is more than 25 billion USD.
As usual after the page break you find all the references.
The China Cyber Attacks Syndrome
A w
eek ago, the Office of the National Counterintelligence Executive published a report to Congress concerning the use of cyber espionage to attempt to gain business and industrial secrets from US companies. Easily predictable, the results present a frightening picture!
With no surprise it turned out that the biggest dangers and perpetrators of cyber-espionage operations against American business are China and Russia.
- Chinese actors are the world’s most active and persistent perpetrators of economic espionage. US private sector firms and cybersecurity specialists have reported an onslaught of computer network intrusions that have originated in China, but the Intelligence Community cannot confirm who was responsible.
- Russia’s intelligence services are conducting a range of activities to collect economic information and technology from US targets.
- Some US allies and partners use their broad access to US institutions to acquire sensitive US economic and technology information, primarily through aggressive elicitation and other human intelligence tactics. Some of these states have advanced cyber capabilities.
Unfortunately the predictions for the near future are not encouraging: the authors of the report judge that the governments of China and Russia will remain aggressive and capable collectors of sensitive US economic information and technologies, particularly in cyberspace.
This is mainly due to three factors: a technological shift with a growing number of devices connected to the Internet (according to a Cisco Systems study, the number of devices connected to the Internet is expected to increase from about 12.5 billion in 2010 to 25 billion in 2015). An economical shift driven by the Cloud Paradigm which requires the information to be ubiquitous and always available and, last but not least, a cultural shift which bring users to a growing use of social media for personal and professional use with a dangerous overlapping.
With these considerations in mind I decided to concentrate on a single table all the attacks with cyber espionage implications reported in 2011 for which China was directly or indirectly (or allegedly) considered responsible. The details (and links) of each single attack can be found on my 2011 Cyber Attacks Timeline Master Index (of course the list does not include the infamous Operation Aurora and the attack to G20 during the French Leadership since these events occurred during 2010).
U.S., Canada, Japan and Korea are among the countries hit by the Cyber Attacks from Far East. The most known attack is for sure the one perpetrated against RSA, whose wake affected several U.S. Contractors. Moreover the same attack was not an isolated episode, but the tip of an iceberg hiding 760 affected organizations worldwide.
Shady Rat and the IMF attack were other noticeable events as also the breach reported against the Cyworld the Korean Social Networks in which 37 million users were affected.
A frightening scenario that also generated some resounding fake attacks during 2011 (do you remember the Renault affair?)
A new cold (cyber)war at the gates?
Related articles
- Cyber-espionage attempts on US businesses are on rise (arstechnica.com)
October 2011 Cyber Attacks Timeline (Part II)
Halloween has just gone and here it is Part II of the October 2011 Cyber Attacks Timeline covering the second half (15-31) of this month.
From an Information Security Perspective, the 10th month of 2011 has been characterized by Duqu, the brand new Advanced Persistent Threat dubbed “The Sun Of Stuxnet”, whose echo is far from being silent (a brand new 0-day vulnerability targeting Windows Kernel has just been discovered in the Malware Installer). Duqu affected the timeline in two circumstances: not only the malware was discovered, but also an Indian Provider called Web Werks had some servers seized from a Data Center in Mumbai because they were discovered to be involved in the C&C communication of the infected endpoints.
Other noticeable events of the month involved:
- The wave of alleged Cyber Attacks from China against Japan Parliament and Embassies and also against Canadian Finance and Treasury Board. These were not the only Cyber Events allegedly affecting China in October: even if occurred months before, news were reported that the attack against Mitsubishi Heavy Industries led to the theft of sensitive data, moreover other 760 organizations worldwide were attacked with the same methodology used for RSA Breach and originating from China as well.
- A new tide of Hacktivism by Anonyomous and Antisec, encouraged from the OccupyWallStreet Movement, including a dramatic face-to-face of Anonymous Mexico against Las Zetas one of the most powerful Mexican Drug Cartel.
A particular rank in this month is deserved by Israel and Sweden, the first reported a huge data breach (affecting 9,000,000 users) occurred in 2006, while the latter suffered a Black October with a data leak involving nearly 200,000 users of the social platform bloggtoppen.se including Politicians and Journalists. At this point is clear that the cold Sweden won the Prize for the “Hottest Breach of The Month”.
Also Facebook was targeted with an alleged dump of 10,000 accounts, nothing if compared with the 600,000 compromised logins per day that the social network admitted to suffer).
According to my very personal estimate (based on the indications from the Ponemon’s insitute) the cost of the breaches for this months (in all those cases where enough information was available) is around $500 million, excluding the massive data breach in Israel reported today but occurred in 2006.
As usual, this Timeline was compiled with Useful Resources by:
- Cyber War News
- DATALOSSdb
- Naked Security
- Office Of Inadequate Security (DataBreaches.net)
- Softpedia
- The Hacker News
- Threatpost
And my inclusion criteria do not take into consideration “simple” defacement attacks (unless they are particularly resounding) or small data leaks.
|
Date |
Author |
Description |
Organization |
Attack |
|
Oct 16 |
Fatal Error |
UNESCO E-Platform Domain
The E-Platform domain of one of the Biggest Organizations: United Nations Educational, Scientific and Cultural Organization (UNESCO) gets hacked and defaced by Fatal Error Crew hackers. |
|
Defacement |
|
Oct 17 |
|
10,000+ FaceBook accounts
A Hacking Crew From Nepal called TeamSwaStika hacks more than 10,000 facebook accounts. The hacking crew declares next target will be Nepal Government website and e-governance for Freedom. Estimated cost of the breach is $2,140,000. |
|
Account Hacking (Phishing?) |
|
Oct 17 |
? |
Sesame Street’s Youtube Channel
Sesame Street had its YouTube channel hacked on Sunday, and its highly popular child-friendly videos of muppets like Kermit the frog and the Big Bird replaced with hard core porn movies. |
|
Account Hacking |
|
Oct 17 |
? |
NHS Direct Twitter Account
NHS Direct, the UK helpline which provides expert health advice via the telephone and internet, has had its Twitter account taken over by spammers promoting an Acai Berry diet. |
|
Account Hacking |
|
Oct 18 |
TurkisH -RuleZ |
proXPN
proXPN, one of the famous VPN client based on OpenVPN Service, is hacked by TurkisH-RuleZ. |
|
Defacement |
|
Oct 19 |
? |
Gameloft
Gameloft, a Paris-based video game company that’s a leading mobile-game developer, acknowledges that a security breach has prompted it to pull the plug on one of its Web sites, the Order and Chaos online site. |
|
SQLi? |
|
Oct 19 |
? |
Duqu
In a blog post, Symantec explains it came across the first samples of a new malware infecting some computer systems in Europe that appears to be very similar to Stuxnet. More analysis shows the malware is a “simple” keylogger using the same Stuxnet Technology |
N/A |
APT |
|
Oct 19 |
? |
A FAQ on the official forum of the Lord Of The Rings Community On Line reveals that the site was breached although no financial data has been obtained by the attackers. |
 |
SQLi? |
|
Oct 20 |
? |
Phishing The Phisher
Finally someone decides to give a lesson to a phisherm by hacking the phishing website with a message educating the potential victims. |
|
Phishing |
|
Oct 21 |
|
Vikram Pandit (Citigroup CEO)
Mobile phone number and home address of Vikram Pandit, CEO of Citigroup, have been placed on the web by hacking group CabinCr3w in retaliation for the cuffing of protesters at an Occupy Wall Street demo. In their online statement the hackers say that they had accessed the data – which also included family information and some financial figures – and uploaded it online in response to events during the recent anti-bank protests on Wall Street. |
|
N/A |
|
Oct 21 |
|
Law Enforcement Agencies
Anonymous and Antisec broke their apparent October silence and renewed the tradition of the Friday Dumps against law enforcement agencies releasing a 600MB data dump of confidential data belonging to Law enforcement agencies. A couple of days later an AntiSec hacker tells police in a phone call that boredom drove him to hack their website. |
|
Defacement |
|
Oct 22 |
|
40 Child Porn Websites
As part as what they call #OpDarknet, Anonymous takes down more than 40 darknet-based child porn websites over the last week. They also leak personal details of 1500 users. Detalils on “AnonMessage” and “BecomeAnonymous” YouTube channels. |
40 child Porn Websites |
SQLi DDoS |
|
Oct 23 |
? |
Microsoft’s Official YouTube Channel
Hackers take control of Microsoft’s official YouTube Channel (24,000+ subscribers), remove the company’s videos and replace them with videos of their own. Neither Microsoft nor Google (which owns YouTube) have disclosed information on how the security breach was perpetrated. |
|
N/A |
|
Oct 23 |
|
One Hit Play
@DiabloElite dumps 1008 accounts from onehitplay.com, with no other reason beside to show the need of a stronger security. All the accounts have been stored as plain text. Estimated cost of the breach is around $214,000. |
|
SQLi? |
|
Oct 23 |
|
Xbox A new hackers’ crew @DestructiveSec dumps some Xbox Live accounts. |
|
SQLi? |
| Oct 24 |
? |
cheaptickets.nl
The database of CheapTickets.nl (containing 715,000 customers) is leaked. Stolen information include 1,200,000 tickets and 80,000 passport numbers. Total cost of the breach might exceed $153 million. |
|
SQLi? |
|
Oct 24 |
Intra Web Security Exploit Team |
LG Australia Web Site
One of the Australian websites belonging to global electronics giant LG (lge.com.au) is hacked by a collective calling itself the Intra Web Security Exploit Team. The attackers replaced the site with some lightly-obfuscated JavaScript pretending to be conducting an injection attack. |
|
Defacement, Simulated SQli |
|
Oct 24 |
Malicious Employee |
Israely Ministry of Labor and Social Welfare
Employee with access to the Population Registry has been discovered to steal the details of over 9 million residents and then passed them to someone else. Estimated cost of the breach is nearly $2 billion. |
|
Malicious Access |
|
Oct 24 |
|
760 Organizations Worldwide
Brian Kerbs publishes in his blog a list of companies whose networks were shown to have been connecting to the same control infrastructure that was used in the attack on RSA. The first victims appear to have begun communicating with the attacker’s control networks as early as November 2010. According to the list 760 other organizations had networks compromised with some of the same resources used to hit RSA and almost 20 percent of the current Fortune 100 companies are on this list. |
760 Organizations Worldwide |
APT |
|
Oct 25 |
? |
bloggtoppen.se
The usernames and passwords of around 90,000 accounts at Bloggtoppen.se have been made public after a hacker attack against the website. Several journalists and politicians are among the bloggers whose log-in details have been published. On Oct 26, the Aftonbladet newspaper reported that a further 57 other websites had also been hacked, and the login details of up to 200,000 people are at risk. Estimated cost of the breach is around $42 million. |
|
SQLi? |
|
Oct 25 |
Chinese Hacker? |
Japanese Parliament
According to local media reports, hackers were able to snoop upon emails and steal passwords from computers belonging to lawmakers at the Japanese parliament for over a month. PCs and servers were infected after a Trojan horse was emailed to a a Lower House member in July. The Trojan horse then downloaded malware from a server based in China – allowing remote hackers to secretly spy on email communications and steal usernames and passwords from lawmakers. |
|
APT |
|
Oct 25 |
|
Mitsubishi Heavy Industries
Mitsubishi Heavy Industries, a high-tech military contractor, which suffered an attack from hackers earlier this year, is reported to have lost sensitive data related to defence equipment including fighter jet planes and nuclear power plant plans, according to The Ashai Shimbun. Once again suspects are directed to China. |
|
APT |
|
Oct 25 |
Inside Error |
United States Department Of Education
Highly sensitive information (including SSN) belonging to around 5,000 students was exposed after a computer error causing a federal government student loan website to reveal the data: a glitch in the website allowed students who were logged in to freely view the data of other scholars. Fortunately, the site was compromised only for 7 minutes at most, but it is possible that some users were able to steal sensitive information. Estimated cost of the breach is around $ 1 million. |
|
Inside Error |
|
Oct 26 |
? |
awurval.se
314 job seekers’ e-mail addresses and clear-text passwords acquired and dumped. Estimated Cost of the breach is around $67,000. |
|
SQLi? |
|
Oct 26 |
? |
Mobile Tele Systems
MTS is a primary Mobile Operator in Russia with more than 70 million subscribers. Personal data of 1.6 million mobile phone users appeared online in the second such leak in three months. The database, posted on Zhiltsy.net, included the full names and phone numbers of MTS subscribers in St. Petersburg and Bashkortostan, as well as residential addresses and passport data for some of them. According to MTS the database goes back to 2006 and most numbers are no longer valid. Estimated cost of the breach could potentially achieve $300 million. |
|
N/A |
|
Oct 26 |
nationmultimedia.com
@_V4ND dumps what they say is a teaser of accounts obtained from nationmultimedia.com in what appears to be another havij or similar SQLi vun tool based attack. The leak contains user emails and passwords in clear text. |
|
SQLi |
|
|
Oct 26 |
Robert Delgado |
Massive Identity Theft
Robert Delgado, a 40 years old California man, was sentenced to eight years in prison for identity theft after federal police GPS-tracked his phone and discovered a hard drive with over 300,000 victim profiles during a raid of his home. Estimated Cost of the thiet (not including purchases made with stolen data) is around $65 million. |
300,000 frauded users |
Bank Fraud |
|
Oct 26 |
Pakistani Hacker |
Bharat Sanchar Nigam Limited (BSNL)
Another occurrence of the Cyberwar between Pakistan and India: A Pakistani hacker “KhantastiC haX0r” hacks into the official website of India’s leading telecom Company Bharat Sanchar Nigam Limited (BSNL). |
|
Defacement |
|
Oct 27 |
|
Law Enforcement Authorities
@_f0rsaken a member of @TeaMp0isoN publishes a list of websites utilized by law enforcement authorities that are supposed to be vulnerable to MSAccess SQL injection attacks. A number of six sites that are listed are supposedly utilized by the police for their updates, the cybercriminals urging Occupy Wall Street supporters to take them down. |
Law Enforcement Authorities |
MSAccess SQLi |
|
Oct 27 |
|
Oakland Police Department Web Site
Cyber activists associated with Anonymous target the Oakland Police Department (OPD) and other law enforcement agencies that participated in a controversial crackdown against OccupyOakland protestors with a DDoS (distributed denial-of-service) attack against the department’s website. Moreover According to TG Daily, the infamous collective is offered a $1,000 reward for anyone who can provide information on an officer that allegedly injured a war veteran that was taking part in the protest. |
|
DDoS |
|
Oct 27 |
? |
Clarinda Bank Iowa
In a letter dated Tuesday, Oct. 25, bank vice president Jon Baier notifies specific customers of a data breach. The letter states the bank was not provided details of the security compromise, but to protect the impacted debit card accounts, replacement cards with new numbers were ordered. The number of affected users is unknown. |
|
N/A |
|
Oct 27 |
|
Japanese Embassies
There are new reports that dozens of diplomatic computers Japanese embassies abroad were infected with malware this Summer. The news comes on the heels of recent news about malicious software attacks on Japanese defense contractors and the Japanese Parliament. A report in a local Japanese publication, The Daily Yomiuri, places the infected diplomatic computers in Canada, China, France, Myanmar, the Netherlands, South Korea, and the United States. Again China is suspected since a China Link is found on the malware. |
|
APT |
|
Oct 27 |
|
U.S. Government Satellites
Bloomberg reports that Computer hackers, possibly from the Chinese military, interfered with two U.S. government satellites four times in 2007 and 2008 through a ground station in Norway, according to a congressional commission. |
|
N/A |
|
Oct 28 |
|
Canadian Finance and Treasury Board
Ottawa Citizen reveals that, in Jan 2011, the Canadian Finance and Treasury Board’s networks were targeted by hackers in an attempt to steal sensitive information about the potash industry even though Finance and Treasury Board representatives denies it. It looks that the hackers were actually foreign, the first clues indicating that the attack originated from China. |
|
APT |
|
Oct 28 |
PayFail |
PayPal Executives’ Contact Information
In what looks to be the first of a number of “name and shame” postings, an individual or individuals posting as “PAYFAIL” upload some personal information on dozens of former and current PayPal executives. The dumped data do not seem to be particularly sensivite, nevertheless, although deleted three times so far, the original statement keeps on appearing on pastebin. |
|
N/A |
|
Oct 28 |
? |
Again on Duqu
Two workers at an Indian web-hosting company called Web Werks tell Reuters that last week officials from India’s Department of Information Technology seized several hard drives and other components from a server hosted on a Mumbai Data Center, that security firm Symantec Corp indicated as communicating with computers infected with Duqu. |
|
APT |
|
Oct 29 |
|
El Paso County Community College
@DestructiveSec hacks the El Paso Country Community College, defacing the web site and dumps some data. |
|
SQLi? |
|
Oct 29 |
|
Las Zetas (Mexican Drug Cartel)
Anonymous Mexico faces one of the most dangerous criminal organizations in the World, the Las Zetas Mexican Drug Cartel. In a video they warn the Cartel to release one of their members kidnapped during a street protest, otherwise the hacker group will disclose (or dox) the identities of members of the cartel including corrupted politicians and policeman. Another example of an hacking action with huge real aftermaths in terms of possible deadly retaliations. |
Mexican Droug Cartel |
SQLi? |
|
Oct 29 |
|
Dominican Republic Police
As part of their Spanish Solidarity Saturday Anonymous release a pastebin document containing a list of finds and vulnerabilities on the Dominican Republic Police system and some other sites too. They also left a website defaced. |
|
Several Vulns, Defacement |
|
Oct 31 |
3xp1r3 cyber army |
hi5ads.com
A hacker group going by the name of 3xp1r3 cyber army dumps two separate pastes with respectively 5,065 and 3,149 account details to www.hi5ads.com. The leaks contain emails and plain text passwords. Estimated cost of the breach is around $680,000. |
|
SQLi |
|
Oct 31 |
3xp1r3 cyber army |
Bangla TV
The Same group hacks Bangla TV and releases 1,517 usernames and clear-text password. Estimated cost of the breach is around $320,000. |
|
SQLi |
|
Oct 31 |
ScreamDevz |
Penguin Elite
A group or individual dubbed ScreamDevz hacks Club Penguin Elite Database and dumps nearly 400 usernames, emails and MD5 hashed passwords. Estimated cost of the breach is around $80,000. |
|
SQLi |
|
Oct 31 |
|
Chinese Government Web Site
@TehMaskz, a member of @ChaoticSec defaces a web site belonging to Chinese Government (at the time of writing http://www.wfaic.gov.cn/index.html is still defaced). In the same circumstance other 9 sites all over the World are defaced. |
|
Defacement |
|
Oct 31 |
|
One Hit Play
@ChaoticSec hacks One Hit Play (once again) and releases more than 1000 User information, including emails, passwords, and usernames. Estimated cost of the breach is around $214,000. |
|
SQLi |
|
Oct 31 |
|
comitet.ru
@DeleteSec attacks comitet.ru and dumps more than 2000 records with email and passwords. Estimated cost of the breach is around $420,000 |
|
SQLi |
| Oct 31 |
|
plusline.org
@DeleteSec attacks plusline.org and dumps more than 1000 records with email and passwords. Nearly in contemporary the same group dumps 700+ accounts from several sites. Estimated cost of the breach is around $420,000. |
|
SQLi |
|
Oct 31 |
Mr. DarkCoderz |
Adult Site
Another occurrence of hackers dumping data from adult sites. Estimated cost of the breach is around $43,000. |
Adult Site |
SQLi? |
Related articles
- October 2011 Cyber Attacks Timeline (Part I) (paulsparrows.wordpress.com)
- Just For Reference… (paulsparrows.wordpress.com)
Phoning Home to China
A couple of weeks ago, during the RSA Conference in London, Tom Heiser, president of RSA declared that two separate hacker groups already known to authorities were behind the serious breach affecting tbe Security Firm early this year in March, and were likely working at the behest of a government. Heiser also declared that the attackers possessed inside information about the company’s computer naming conventions that helped their activity blend in with legitimate users on the network, concluding that, due to the sophistication of the breach:
“we can only conclude it was a nation-state-sponsored attack.”
In a statement issued after the breach, the Security Firm declared that some information related to their two-factor authentication technology SecurID had been extracted during the attack, and that information could be used, as part of a broader attack, to decrease the effectiveness of the two-factor authentication.
Curiously RSA refused to name the involved nation, so not confirming the suspects directed to China. Regardless of the nation, among Security Professional it was immediately clear that the true target of the attack was not RSA but its customers: SecurID tokens are used by 40 million people in at least 30,000 organizations worldwide to allow secure access to IT systems. So it was not a surprise the fact that few weeks after the breach three Defense Contractor were attacked using compromised seeds, and although in two cases (L-3 Communications and Northrop Grumman) there was no direct evidence of a direct involvement of compromised tokens but only rumors, in one case (Lockheed Martin), RSA admitted the use of compromised tokens and offered to replace the tokens to affected customers.
Today another interesting piece of the puzzle: in his blog Brian Kerbs publishes a list of companies whose networks were shown to have been phoning home (i.e. connect to the C&C Server) to some of the same control infrastructure that was used in the attack on RSA. The first victims appear to have begun communicating with the attacker’s control networks as early as November 2010. According to the list 760 other organizations had networks compromised with some of the same resources used to hit RSA and almost 20 percent of the current Fortune 100 companies are on this list.
Scroll down the names on the list and you will find many interesting and surprising firms, even if the author correctly advises that:
- Many of the network owners listed are Internet service providers, and are likely included because some of their subscribers were hit;
- It is not clear how many systems in each of these companies or networks were compromised, for how long those intrusions persisted, or whether the attackers successfully stole sensitive information from all of the victims;
- Some of the affected organizations (there are also several antivirus firms mentioned) may be represented because they intentionally compromised internal systems in an effort to reverse engineer malware used in these attacks.
So at the end, what’s the matter with China? Simple, at the bottom of the article there is a chart reporting the location of more than 300 command and control networks that were used in these attacks. Guess where 299 of them were located…
(Thanks to @MasafumiNegishi for reporting the original blog post).
Related articles
October 2011 Cyber Attacks Timeline (Part I)
October has come and here it is, also for this month, the first part of my Cyber Attacks Timeline covering the cyber events occurred in the first half of the current month.
Three events in particular have marked this month: The German Trojan R2-D2 (that is raising many questions and concerns inside the infosec community), the keylogger hitting U.S. Drones and a new cyber attack to Sony involving this time “only” 93,000 accounts (oops! They did it again).
Except for a couple of isolated occurrences (in Austria and UK), the Cyber Attacks by Anonymous and Antisec had a break, maybe because hacktivism efforts are being focused on the #OccupyWallStreet operation that is rapidly spreading all over the World (I wonder why in here in Rome yesterday it has not been possible to have peaceful protests as happened in all the other Capitals). Besides, albeit not directly related with Anonymous, several Syrian log files were leaked showing the control of the Government on the Internet.
Other events of the month: a couple of fashion related websites were hacked, the Cyber-Guerrilla between India and Pakistan was particularly active with the cyber armies of the two nations facing themselves in the cyber space with continual mutual defacements, @SwichSmoke was also particularly active against Venezuela Government Web Sites. Other “minor” leaks were performed by @FailRoot and @ThEhAcKeR12 but one of the victims of the latter was Camber Corporation, an U.S. Contractor.
Anyway, Camber Corporation was not the only targeted Contractor, also Raytheon Corporation (a survivor of the RSA Breach) was targeted with a cloud based spear-phishing campaign, again the attack was thwarted but, in my opinion, has deserved a mention as well. Chronicles also reports of a claimed hack to Infragard (again).
Moreover the aftermaths of the RSA breach are not completely over: this month the security firm’s CEO claimed that a couple of different Cyber Crews, under the flag of an enemy nation (and the suspects were immediately directed to China), are behind the Cyber Attack in March and acted to perform it.
But a very special mention for this month (and the consequent lowly desiderable prize), is undoubtedly deserved by Mr. Oliver Letwin, Her Majesty’s Cabinet Minister, who was caught by The Daily Mirror in the habit of dumping private correspondence and sensitive documents detailing Al-Qaeda activities and secret service operations into park bins in St James’s Park, Westminster, close to Downing Street. Security, logical and physical, may have many unpredictable implications…
From a technical point of view SQLi and defacements were the most used lethal weapons for this month, even if a massive ASP.NET based attack, targeting 300,000 web sites, is also worth mentioning.
This Timeline was compiled with Useful Resources by:
- Cyber War News
- DATALOSSdb
- Naked Security
- Office Of Inadequate Security (DataBreaches.net)
- Softpedia
- The Hacker News
- Threatpost
And my inclusion criteria do not take into consideration simple defacement attacks (unless they are particularly resounding) or small data leaks.
Last but not least: you may find all the timelines for 2011 in my Master Index. Enjoy the list(s) and share and retweet to encourage me to keep it up2date!
| Date | Author | Description | Organization | Attack |
| Oct 1 |  |
NeatStuffs hacks filmradar.com a movie review and information site/community and releases on Mediafire a 6mb txt file containing 95167 accounts with hashed passwords. Estimated cost of the breach is $ 20,365,738. |
 |
SQLi? |
| Oct 2 |  |
Venezuela National Statistics Institute
SwichSmoke crew hacks the Venezuela National Statistics Insitute during the 2011 Census. |
 |
SQLi? |
| Oct 2 |
 |
Camber Corporation (US Contractor)
Once again a US Government contractor is target of cyber crime. This time is the turn of Camber Corporation, targeted by a small hack by @ThEhAcKeR12, which releases 3 admin accounts with encrypted passwords. and admin full name. |
 |
? |
| Oct 2 |
|
wrestlegame.co.uk
Again @ThEhAcKeR12, this time the crew dumps 1500+ accounts (in encrypted format) and a database from wrestlegame.co.uk. Estimated cost of the breach is around $321,000. |
wrestlegame | SQLi? |
| Oct 2 |
A student arrested few days later |
Thailand Prime Minister
Thailand’s Prime Minister, Yingluck Shinawatra, had her Twitter account hacked flooding her followers with a stream of messages criticising her leadership with statements like this: The final post read: “If she can’t even protect her own Twitter account, how can she protect the country?“ |
 |
Account Hacking |
| Oct 4 |  |
Austrian Economy Chamber (WKO) WKO confirms that its webserver was infiltrated by unidentified cyber criminals. More than 6,000 data sets of customers of the chamber were published on the internet. Although Anonymous Austria leaked the data, they stressed they had not carried out the attack on WKO themselves, but had been provided with the records by someone else, adding that the security leak was exposed by using online search engine Google. Estimated cost of the Breach is around $1,284,000. |
 |
Vulnerability on The Target Platform |
| Oct 5 | |
@ThEhAcKeR12 does not stop here and dumps 3300 accounts from funniestvideosonline.com and are all encrypted passwords. Estimated cost of the Breach is around $706,200. |
 |
SQLi? |
| Oct 5 |  |
www.xvidonline.com @FailRoot hacks and leaks several accounts from www.xvidonline.com putting the websits offline. |
xvidonline.com | SQLi? |
| Oct 5 | Optik Fiber | Gmail (Claimed) Optik Fiber releases several gmail accounts claimed to have been hacked via a known security flaw in gmail. It is not sure if this is real or not but it is meaningful as well of the global level of (in)security, real or psychological. |
 |
Known Security Flaw in Gmail (N/A) |
| Oct 5 | ? | Fashion TV India Unknown hackers hacks Fashion TV India with the injection tool havij and obtain a list of accounts dumping usernames and passwords in clear text. |
 |
SQLi via havij |
| Oct 6 |  |
Syrian Internet Log Files
Internet activists from Telecomix release 54 GB of log files allegedly created by Syrian internet censors between 22 July and 5 August 2011. The data were found on a third party server. |
 |
? |
| Oct 7 |
|
An Australian University website that lists jobs is hacked by @BlackHatGhosts and has data dumped, included user logins and passwords. |
 |
SQLi? |
| Oct 7 | Several Hackers |
Department of Public Enterprises South Africa Department of Public Enterprises, south Africa is hacked and had its database dumped |
 |
SQLi |
| Oct 7 | Same authors above |
Ministry of Culture and Tourism, Republic of Indonesia Another day, another government website hacked, (and its data leaked). |
 |
SQLi |
| Oct 7 | ? | University Of Georgia The University of Georgia discovers a data file on a publicly available Web server that contained sensitive personnel information on 18,931 members of the faculty and staff employed at the institution in 2002. The file included the social security number, name, date of birth, date of employment, sex, race, home phone number and home address of individuals employed at UGA in 2002. Estimatec Cost of the Breach is around $4,051,234. |
 |
Internal Accidental Error |
| Oct 8 | ? |
U.S. Military Drones
Wired reports that a computer virus has infected Predator drones and Reaper drones, logging pilots’ keystroke during their fly missions over Afghanistan and other warzones. The virus was detected nearly two weeks ago at the Ground Control System (GCS) at Creech Air Force Base in Nevada and has not prevented drones from flying their missions, showing an unexpected strength so that multiple efforts were necessary to remove it from Creech’s computers. |
 |
USB Stick? |
| Oct 8 | German law Author. and Customs Dep. |
German Citizens A very strange (un)lawful Cyber Attack, against German Citizens. Chaos Computer Club discloses a “state malware”: a backdoor Trojan horse capable of spying on online activity and recording Skype internet calls. They declare the malware is used by the German police force. The malware was allegedly installed onto the computer as it passed through customs control at Munich Airport. |
 |
Troian Horse |
| Oct 9 | Turkish Energy Team |
Several Government Websites
Turkish Energy Team performs (and keeps on to perform) a massive defacement against several governments websites (in certain cases some sub domains). The list (in continuous growth) is published on Zone-H. |
 |
Defacement |
| Oct 9 | MCA-CRB |
Other Government Websites
Different Crew, same result: a massive defacement against several governments websites. Also in this case the list (in continuous growth) is published on Zone-H. |
 |
Defacement |
| Oct 9 | |
justonehost.com
Another Web site hosting company defaced: this time it is the turn of justonehost.com that is hacked by @FailRoot, that also dumps its Database online. The leak contains all users informations, emails, paypals and much more is 11.86mb and has been uploaded to megaupload. |
 |
Defacement SQLi |
| Oct 10 |
|
Congress of the State of Chihuahua Another government website hit and leaked by @FailRoot: Congress of the state of Chihuahua Mexico. The leak contains administration usernames and (easy guessable) passwords. |
 |
SQLi? |
| Oct 10 | Q!sR QaTaR |
A cybercriminal from Quatar defaces a large number of websites belonging to the Ankara government, leaving them non-operational. |
 |
Margent |
| Oct 10 |
 |
40 Zimbabwe Government Websites
A crew called ISCN hacks and defaces 40 Zimbabwe government based websites leaving a polical message. |
 |
Defacement |
| Oct 10 |  |
UKGraffiti.com
UKGraffiti is hacked by Anonymous_DR (Anonymous Dominicana) who also dumps usernames, emails and encrypted passwords. |
 |
SQLi? |
| Oct 11 | ? |
RSA
RSA reveals that it believes two groups, working on behalf of a single nation state, hacked into its servers during the infamous Breach of March and stole information related to the company’s SecurID two-factor authentication products used to attack some defense contractors. Although people are likely to assume that China might have been involved in the attack, they did not reveal the name of the nation involved. |
 |
APT |
| Oct 11 | ? |
Sony (Playstation Network, Sony Entertainment Network and Sony Online Entertainment) Back tho the future! Sony under cyber attack… Again! The Company reports of unauthorized attempts to verify valid user accounts on Playstation Network, Sony Entertainment Network and Sony Online Entertainment. A total of 93,000 accounts have been affected (PSN/SEN: approximately 60,000 accounts; SOE: approximately 33,000). In these cases the attempts succeeded in verifying valid sign-in IDs and passwords, so the accounts were temporalily locked. |
 |
SQLi? |
| Oct 11 | ? |
blueHOMES.com Unknown Hackers hack the European property Dealers website blueHOMES.com . About 500,000 Users data claim to be hacked including database with customer passwords in plaintext, full addresses, skype account, and mailboxes of bluehomes. Specified data leaked on pastebin with sample data of some users. |
 |
SQLi |
| Oct 11 | ? |
Find2Trade.com
Another website hit by Havij. This time is the turn of Find2Trade, an internet portal whose goal is to help small and medium enterprises to reach much higher profits while reducing costs. UserID, email and passwords, which are encrypted, were leaked. |
 |
Havij |
| Oct 12 | ? |
Raytheon
The U.S. Defense Contractor reveals that it was the victim of a cloud-based attack for the first time, with the incident occurring one week before. Nothing new but the fact that this was the first cloud based attack. The firm usually blocks 1.2 billion attacks a day in addition to four million spam emails each day. |
 |
N/A |
| Oct 12 | ? | WineHQ
Another Linux Project hacked! Jeremy White, Codeweavers Founder announces that access to the WineHQ database has been compromised. It looks like attackers have used phpMyAdmin to access the WineHQ project’s database and harvest users’ appdb and bugzilla access credentials. |
 |
SQLi |
| Oct 13 | ? |
300,000 Websites Google reveals another mass infection which affected hundreds of thousands of sites that relied on ASP or ASP.NET: A malicious script got injected into several locations targeting English, German, French and other language speakers surfers. |
 |
ASP Vulnerability |
| Oct 13 | ? |
Genentech The biotechnology company suffered a data breach on August, 17 which may have resulted in the theft of information belonging to 3,500 of the million patients who utilize the company’s support programs. Estimated Cost of The Breach is around $750,000 |
 |
Unlegitimate Access |
| Oct 14 | ? |
Chili’s Grill & Bar Restaurant
Ok a Chili Breach is not a big deal, except the fact that the computer server Hackers broke into, is placed at Yokosuka Naval Base. According to Navy officials, hackers stole credit card information and run up erroneous charges. |
 |
Credit Card Thieft |
| Oct 14 | ? |
Fedora Project This is not a direct cyber attack but a consequence of the hacks to Linux projects (Kernel.org and Linux). ThreatPost reveals that Fedora Project contacted users to change their password and SSH public key before November 30 to avoid having their accounts marked as inactive. |
 |
N/A |
| Oct 14 | |
Barinas State, Venezuela Another dump of sites from @SwichSmoke coming from the state “Barinas” and the government for that state. The release note, in Spanish states that the original password is 123456, fairly lame for a government website. |
 |
SQLi |
| Oct 14 | Vicky Singh |
Pakistan Embassy in China Another episode of the Cyberware between Pakistan and Indian Crew: Vicky Singh defaces the Pakistan Embassy in China. |
 |
? |
| Oct 14 | Team Dexter |
Contrexx.com
An European Content Management System provider is hacked and has a dump of administration details leaked online. |
 |
N/A |
| Oct 14 Oct 15 | Several Authors |
Club Music CPPS
Club Music CPPS is hacked: the leak contains account emails, usernames and decrypted passwords. Note: on Oct 16 the site is still defaced |
 |
SQLi Defacement |
| Oct 14 | |
Venezuela National Graduate Advisory Council
Another cyber attack by @SwichSmoke, this time they leak the Venezuela National Graduate Advisory Council and release the leaked data on pastebin. |
 |
SQLi |
| Oct 14 | ? |
Infragard Atlanta (claimed)
It seems that Infragrad has been hacked again and had a dump of accounts leaked and decrypted even if there is no source or reason or even proof that this is 100% real in anyway. Anyway it still shows that Infragard is still in the eyes of some people. The alleged leak contains emails, usernames, encrypted passwords and the decryption of the password as well. |
 |
N/A |
| Oct 14 | ? |
NSEC (Netaji Subhash Engineering College)
The Netaji Subhash Engineering College NSEC is hacked and has a fair amount of member accounts dumped on pastebin. This comes from an unknown source and unknown reasons. The leak contains full user information, emails and passwords in clear text. |
 |
SQLi |
| Oct 14 |  |
Barbaros-DZ hacks over 1,700 sites belonging to the Chinese Government defacing them and leaving a message against the Goverment itself. THe list of the sites is available on Zone-H. |
 |
Defacement |
| Oct 14 |  |
Special mention this month for Her Mayesty’s Cabinet Minister Oliver Letwin, who has got himself into hot water, after The Daily Mirror reported him in the habit of dumping private correspondence and sensitive documents detailing Al-Qaeda activities and secret service operations into park bins in St James’s Park, Westminster, close to Downing Street. The documents contained the personal details of the minister’s constituents, including names, phone numbers, email contacts and postal addresses. |
 |
Defacement |
| Oct 15 | SA3D HaCk3D |
16,000+ websites
SA3D HaCk3D shows on Zone-H the results of his work of the past years: a total of 16,000+ websites defaced. |
 |
Defacement |
| Oct 15 | p0xy |
iCPPS
For an alleged personal revenge, a hacker called p0xy leaks usernames, emails and hashed passwords from the iCPPS online platform. |
 |
SQLi |
| Oct 15 | iolaka |
World Miss Photogenic
This time is the turn of a fashion/model based website, which is attacked and suffers a dump of accounts leaked containing 1000+ accounts including usernames, emails and encrypted passwords by iolaka. |
 |
SQLi |
| Oct 15 |  |
India Cyber Crime Investigation Cell Another episode of the Cyber-Guerrilla between India and Pakistan: Pakistani hacker Shadow008 hacks and defaces India’s Most Important website of Cyber cell located at Mumbai. |
 |
Defacement |
Related articles
- Just For Reference… (paulsparrows.wordpress.com)
- September 2011 Cyber Attacks Timeline (Part II) (paulsparrows.wordpress.com)
- September 2011 Cyber Attacks Timeline (Part I) (paulsparrows.wordpress.com)
About The Author
Support My Work!
Share:
News
08/13/2011 - My Post on Android Malware Mentioned on Engadget.
04/14/2011 - The Article Smart Grid: L'ultima Frontiera del Cybercrime published on ICT Security Magazine May 2011.
03/14/2011 - Security Summit 2011: Paolo Passeri guest at Round Table "Mobile Security: Rischi, Tecnologie, Mercato"
02/14/2011 - The Article Gears of Cyberwar published on ICT Security Magazine January 2011.
Visitors from…
