About these ads

Archive

Posts Tagged ‘Symantec’

Here’s Shamoon!

August 17, 2012 Leave a comment

So, it looks like that the destructive impacts of the cyber attack targeting Aramco, where definitively true. In the same hours in which the first details about the malware were disclosed, Kasperky Lab, McAfee and Symantec have dedicated respectively three blog posts to describe what appears to be the latest example of a large scale cyber attack targeting Middle East (apparently focused on companies belonging to Energy Sector).

Shamoon (or W32/DistTrack), this is the name of the malware, has some points in common (the name of a module) with the infamous Flame, but according to Kaspersky this is the only similarity:

It is more likely that this is a copycat, the work of a script kiddies inspired by the story.

The malware has the same features seen in other “companions” among which the driver signed by a legitimate company “Eidos Corporation”.

According to Symantec, the malware consists of several components:

  • Dropper: the main component and source of the original infection. It drops a number of other modules.
  • Wiper: this module is responsible for the destructive functionality of the threat.
  • Reporter: this module is responsible for reporting infection information back to the attacker.

According to McAfee, machines infected by the malware are made useless as most of the files, the MBR and the partition tables are overwritten with garbage data. The overwritten data is lost and is not recoverable, so this should confirm the destructive details received yesterday.

While, according to Seculert, the malware is a two-stage attack:

Stage 1: The attacker takes control of an internal machine connected directly to the internet, and uses that as a proxy to the external Command & Control server. Through the proxy, the attacker can infect the other internal machines, probably not connected directly to the internet.

Stage 2: Once the intended action on the internal infected machines is complete, the attacker executes the Shamoon malware, wiping all evidence of other malicious software or stolen data from those machines (or also the MBR and the partition table as McAfee Suggested). It then reported back to the external Command & Control Server through the proxy.

So far it is not clear who is behind the attack, although Kaspersky Lab suggests that the term Shamoon:

could be a reference to the Shamoon College of Engineering http://www.sce.ac.il/eng/. Or, it could simply be the name of one of the malware authors. Shamoon is the equivalent of Simon in Arabic.

More details are expected in the next hours.

About these ads

January 2012 Cyber Attacks Timeline (Part 2)

February 2, 2012 1 comment

Click here for part 1.

The second half of January is gone, and it is undoubtely clear that this month has been characterized by hacktivism and will be remembered for the Mega Upload shutdown. Its direct and indirect aftermaths led to an unprecedented wave of cyber attacks in terms of LOIC-Based DDoS (with a brand new self service approach we will need to get used to), defacements and more hacking initiatives against several Governments and the EU Parliament, all perpetrated under the common umbrella of the opposition to SOPA, PIPA and ACTA. These attacks overshadowed another important Cyber Event: the Middle East Cyberwar (which for the sake of clarity deserved a dedicated series of posts, here Part I and Part II) and several other major breaches (above all Dreamhost and New York State Electric & Gas and Rochester Gas & Electric).

Chronicles also reports a cyber attack to railways, several cyber attacks to universities, a preferred target, and also of a bank robbery in South Africa which allowed the attackers to steal $6.7 million.

Do you think that cyber attacks in this month crossed the line and the Cyber Chessboard will not be the same anymore? It may be, meanwhile do not forget to follow @paulsparrows to get the latest timelines and feel free to support and improve my work with suggeastions and other meaningful events I eventually forgot to mention.

Read more…

Categories: Cyber Attacks Timeline, Cyberwar, Security Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

January 2012 Cyber Attacks Timeline (Part 1)

January 15, 2012 2 comments

Click here for part 2.

New year, new Cyber Attacks Timeline. Let us start our Information Security Travel in 2012 with the chart of the attacks occurred in the first fifteen days of January. This month has been characterized so far by the leak of Symantec Source Code and the strange story of alleged Cyber Espionage revolving around it. But this was not the only remarkable event: chronicles tell the endless Cyber-war between Israel and a Saudi Hacker (and more in general the Arab World), but also a revamped activity of the Anonymous against SOPA (with peak in Finland). The end of the month has also reserved several remarkable events (such as the breaches to T-Mobile and Zappos, the latter affecting potentially 24,000,000 of users). In general this has been a very active period. For 2012 this is only the beginning, and if a good beginning makes a good ending, there is little to be quiet…

Browse the chart and follows @paulsparrows to be updated on a biweekly basis. As usual after the jump you will find all the references. Feel free to report wrong/missing links or attacks.

Read more…

Categories: Cyber Attacks Timeline, Security Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Fake Leaked Memos And Closed BackDoors

January 15, 2012 Leave a comment

From an Information Security perspective this 2012 has begun with (too) many meaningful events, among which the most resounding so far, has been the alleged leak of portions of the source code belonging to several consumer and enterprise product by Symantec, a leading security vendor.

@YamaTough, a member of a hacking collective called “The Lords of Dharmaraja” (Dharmaraja is the Lord of Death and Justice in Hinduism) claimed paternity for an attack that, immediately after its execution, has unleashed a complicated story of Cyber Espionage full of twists and mysteries which has raised (and keeps on rising) many (un)resolved questions.

The Indian Mystery

Date

Event

Jan 5

@YamaTough, a member of an hacking group called, the Lords of Dharmaraja, leaks the source code of Symantec Endpoint Protection Enterprise Suite (SAVCE 10.2 and SEP11), approximately 5 years old. The source code was allegedly obtained from The hacking of Indian Military Servers.Symantec has admitted that “a segment of its source code used in two of our older enterprise products has been accessed”.

During the same operation the same hackers also leaked some other documents according to which:

  1. The Indian government has source code for Symantec’s AV software, albeit of 2006 vintage.
  2. The Indian government is strong arming cell phone manufacturers to provide back doors into their handsets (defined RINOA: RIM, Nokia and Apple).
  3. The Indian government is in possession of confidential internal communications from the US-China Economic and Security Review Commission (USCC).
  4. The Indian government is actively engaged in espionage efforts targeting not only the USCC, but potentially thousands of US government networks, ranging from those of federal agencies to systems used by state and municipal entities.

Jan 12

In any case, although the leaked source code is real, it looks like the Lords of Dharmaraja faked the government memo (in order to attract more attention) since some emails there contained (and purportedly obtained by the RINOA backdoors) were allegedly stolen from the Indian Embassy on Paris and appear to have already been leaked on pastebin in December by the same hacker @YamaTough. There are also several doubts on the fact that activities of the USCC could be of any interest to Indian intelligence.

Jan 13

As an announced trail of the controversial Cyber Espionage affair, @YamaTough releases the source code of Norton Utilities. The author claims the leak is in support of the lawsuit between Symantec and Jame Gross, a US resident who is taking the company to court for spreading scareware. The full Source Code of Norton Antivirus is announced for Tuesday, Jan the 17th.

Not only, according to the hackers, the source code has been found on a server belonging to India Military Intelligence, but also, together with the links to the Source Code, the hackers posted an Internal Memo of India Military Intelligence entitled “Tactical Network For Cellular Surveillance”, containing potentially explosive information. According to this controversial memo “in exchange for the Indian market presence” mobile device manufacturers, including RIM, Nokia, and Apple (collectively defined in the document as “RINOA”) have agreed to provide backdoor access on their devices. Moreover it looks like the a CYCADA Team used the backdoors for espionage actions against the  U.S.-China Economic and Security Review Commission (USCC) and potentially against thousands of US government networks, ranging from those of federal agencies to systems used by state and municipal entities.

Although the implicated manufacturers firmly denied any connection, at first glance the hypothesis of a backdoor on our mobile companions seemed possible, also because it came immediately after another controversial event concerning mobile privacy, the infamous Carrier IQ rootkit found on many mobile devices.

A giant case of Cyber Espionage? Not actually! It looks like the whole story is showing an unpredictable conclusion (?). In the last days evidences are emerging that the Lords Of Dharmaraja faked the memo, maybe in order to obtain a greater attention on their operations. Although, as previously stated, Symantec has recognized parts of the source code on the leaked data, there are too many inconsistencies and incorrect information inside the memo, and also several of the emails allegedly obtained by mean of the RINOA backdoor had already been posted on December after the original attack made by the collective at the Indian Embassy in Paris (where the memo was leaked). Moreover, the letterhead on the memo comes from a military intelligence unit not involved in surveillance.

The mistery deepens, but in the meantime the Lords Of Dharmaraja keep on posting Symantec Code: Saturday Jan 14 the alleged Source Code of the Norton Utilities was released, the next Tuesday Jan 17, will be the turn of the full Norton Antivirus Source Code.

What Security Vendors Said One Year Ago…

January 10, 2012 2 comments

I did not resist, so after publishing the summary of Security Predictions for 2012, I checked out what security vendors predicted one year ago for 2011. Exactly as I did in my previous post, at the beginning of 2011 I collected the security predictions in a similar post (in Italian). I also published in May an update (in English) since, during the Check Point Experience in Barcelona held in May 2011, the Israeli security firm published its predictions. Even if the latters have been published nearly at the half of 2011, for the sake of completeness, I decided to insert them as well in this year-to-year comparison.

Then, I included Symantec (for which this year I did not find any prediction), McAfee, Trend Micro, Kaspersky, Sophos and Cisco. I included Check Point in a second time and I did not include Fortinet, At that time I missed their five security predictions, which I only discovered later so I decided to provide an addendum for this post including Fortinet as well in order to provide a deeper perspective.

The security predictions for 2011 are summarized in the following chart, which reports what the vendors (with the partial above described exception of Checkpoint) expected for the past year in terms of Information Security trends.

But a strict side-by-side comparison with the 2012 information security predictions (extracted by my previous post) is more helpful and meaningful:

As you may notice mobile threats were on top even among the predictions for 2011. This prediction came easily true most of all for Android which suffered (and keeps on suffering) a huge increase in malware detection samples (even if the overall security risk remains contained). Social Media were on top as well: they have been crucial for the Wind of the Changes blown by the Arab Spring but in the same time Social Media have raised many security concerns for reputation, the so called Social Network Poisoning (who remembers Primoris Era?). Although 2011 was the year of the Anonymous, hacktvism ranked “only” at number 4, behind Advanced Persistent Threats, which however played a crucial role for information security (an APT was deployed for the infamous RSA Breach, but it was not an isolated case).

Also botnets, web threats and application vulnerabilities ranked at the top of Security predictions for last year (and came true). As far as botnets are concerned, fortunately 2011 was a very important year for their shutdown (for instance Hlux/Kelihos, Coreflood, Rustock). In several cases the botnets were taken down thanks to joint operations between private sectors and law enforcement agencies (another prediction came true). On the application side, this prediction came true most of all thanks to the Sony breach, the Liza Moon infection and the huge rate of SQLi based attacks and ASP.NET vulnerabilities. We have also assisted to an hard blow to SSL/TLS and XML Encryption.

But what is more surprising (and amusing) in my opinion is not to emphasize which predictions were correct, but rather to notice  which predictions were dramatically wrong: it looks like that, against the predictions, virtualization threats were snubbed by cybercrookers in 2011 (and nearly do not appear in 2012). But the most amusing fact is that no security vendor (among the ones analyzed) was able to predict the collapse of the Certification Authority model thanks most of all to the Comodo and Diginotar Breaches.

One Year Of Lulz (Part II)

December 26, 2011 1 comment

Christmas has just gone and here it is my personal way to wish you a Happy New Year: the second part of my personal chart (first part here) of Main 2011 Cyber Attacks covering the time window from August to November 2011 (December is not yet finished, and featuring remarkable events, so expect an update very soon). This memorable year is nearly over and is time, if you feel nostalgic, to scroll down the second part of the list to review the main Cyber Events that contributed, in my opinion, to change the landscape and the rules of the (information security) game. Many events in this period among whom, IMHO, the most noticeable is the one carried on against Diginotar. Since then our trust in conventional authentication models is not (and will not be) the same anymore.

Of course this is my personal selection. Suggestions are well accepted and if you need more details about the cyber events in 2011, feel free to consult my 2011 Cyber Attacks Master Index. As usual after the page break you find all the references…

Read more…

Another Certification Authority Breached (the 12th!)

December 10, 2011 1 comment

2011 CA Attacks Timeline (Click To Enlarge)This year is nearly at the end but it looks like it is really endless, at least from an Information Security Perspective. As a matter of fact this 2011 will leave an heavy and embarassing heritage to Information Security: the Certification Authority authentication model, which has been continuously under siege in this troubled year; a siege that seems endless and which has shown its ultimate expression on the alleged compromise of yet another Dutch Certification Authority: Gemnet.

Gemnet, an affiliate of KPN, has suspended certificate signing operation after an intrusion on its publicly accessible instance of phpMyAdmin (a web interface for managing SQL Database) which was, against any acceptable best practice, exposed on the Internet and not protected by password. As in case of Diginotar, another Dutch Certification Authority which declared Bankrupt few days after being compromised by the infamous Comodo Hacker, Gamnet has  the Dutch government among its customers including the Ministry of Security and Justice, Bank of Dutch Municipalities and the police.

After the intrusion, the attacker claimed to have manipulated the databases, and to allegedly have been able to gain control over the system and all of the documents contained on it, although KPN, claims the documents contained on the server were all publicly available. Moreover the attacker claimed the attack was successful since he could obtain the password (braTica4) used for administrative tasks on the server. As a precaution, while further information is collected about the incident, Gemnet CSP, KPN’s certificate authority division, has also suspended access to their website.

The breach is very different, in purpose and motivations, from the one occurred to Diginotar, at the end of July, which led to the issuance of more than 500 bogus Certificates (on behalf of Google, Microsoft, and other companies). In case of Diginotar the certificates were used to intercept about 300,000 Iranians, as part of what was called “Operation Black Tulip“, a campaign aimed to eavesdrop and hijack dissidents’ emails. For the chronicles, the same author of the Diginotar hack, the Infamous Comodo Hacker, had already compromised another Certification Authority earlier this year, Comodo (which was at the origin of his nickname). In both cases, the hacks were performed for political reasons, respectively as a retaliation for the Massacre of Srebrenica (in which the Comodo Hacker claimed the Dutch UN Blue Helmets did not do enough to prevent it), and as a retaliation for Stuxnet, allegedly developed in a joint effort by Israel and US to delay Iranian Nuclear Program.

But although resounding, these are not the only examples of attacks or security incidents targeting Certification Authorities: after all, the attacks against CAs started virtually in 2010 with the infamous 21th century weapon Stuxnet, that could count among its records, the fact to be the first malware using a driver signed with a valid certificate belonging to Realtek Semiconductor Corps. A technique also used by Duqu, the so called Duqu’s son.

Since then, I counted 11 other breaches, perpetrated for different purposes: eavesdropping (as is the case of the Infamous Comodo Hacker), malware driver signatures, or “simple” compromised servers (with DDoS tools as in case of KPN).

At this point I wonder what else we could deploy to protect our identity, given that two factor authentication has been breached, CAs are under siege, and also SSL needs a substantial revision. Identity protection is getting more and more important, since our privacy is constantly under attack, but we are dangerously running out of ammunitions.

(Click below for references)

Read more…

November 2011 Cyber Attacks Timeline (Part I)

November 17, 2011 5 comments

Update 12/01/2011: November Cyber Attacks Timeline (Part II)

This first half of November has been very hard for Steam. The Valve Online Gaming Platform suffered a security breach putting at risk a potential sample of 37 million of users and hence wins the crown for the Major Breach of the First Half of November.

Also a sportswear giant like Adidas fell among the victims of cybercriminals, with a “sophisticated attack” targeting 500,000 users.

This month was also hot for the Cold Finland which has suffered two security breaches involving more than 30,000 users (a third breach also happened on November, the 16th, affecting 16,000 users but of course will be reported in the next report).

Two other CAs (KPN and Digicert Sdn Bhd Malaysia, not to be confused with Digicert US-based CA) were compromised. Also F-secure discovered a sample of malware signed with a valid certificate stolen from a Malasyan company.

On a larger scale, after 2 years of hunt, FBI uncovered a huge Botnet in Estonia, which stole $14 million from 4 million users worldwide, while on the other side of the Globe, Brazilian ISPS were targeted by a massive DNS Poisoning attack.

Not even Facebook was safe this month, whose (too) many users were targeted with a malware posting pornographic images on their wall exploiting an Internet Explorer Vulnerability.

As far as hactivism is concerned, the political events in the real world had a predictable echo in the Cyber space, with an attack to Palestine the day after the nation was admitted as a full member of UNESCO.

As a retaliation, some Israeli Government web sites were targeted with a wave of DDoS attacks by the infamous Anonymous hacking group. In any case the Anonymous were active also in other Cyberwar fronts acting a couple of defacements and DDoS (in one case they targeted the Muslim Brotherhood) and were also the authors to one of the two attacks in Finland (the one towards a right-wind party).

A group of Hackers called TeaMp0isoN claimed to have hacked more than 150 Email Id’s of International Foreign Governments even if this statement is controversial.

What is not controversial is the Cyberwar declared against Mexico which was targeted, in November, by a massive waves of Cyber Attacks.

Besides these noticeable events, the month was characterized by many other minor attacks and dumps among which, particularly noticeable are: the attacks to a couple of banks (DDoS and defacements) and Universities (UCLA and Standford hit by data breaches), and the Fox Business Twitter Account Hacking (Oops they did it again!).

The month ends with the first example of malware targeting ambulance.

Please notice that I decided henceforth not to insert attacks targeting a limited amount of users and most of all, claimed without clear evidence: in this month I discovered a claimed fake attack to Italian Police announced recycling old data.

  1. http://www.guardian.co.uk/world/2011/nov/01/palestinians-hit-cyber-attack-unesco
  2. http://www.cyberwarnews.info/2011/11/02/dump-of-steam-accounts/
  3. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the_nitro_attacks.pdf
  4. http://thehackernews.com/2011/11/fraud-communities-owned-and-exposed-by.html
  5. http://www.cyberwarnews.info/2011/11/03/opdarknet-official-and-last-release/
  6. http://www.cyberwarnews.info/2011/11/03/accounts-dumped-from-hiphopinstrumental-net/
  7. http://www.cyberwarnews.info/2011/11/03/peru-government-websites-defaced-by-challenges-hackers/
  8. http://nakedsecurity.sophos.com/2011/11/03/another-certificate-authority-issues-dangerous-certficates/
  9. http://www.cyberwarnews.info/2011/11/04/bayareaconnection-net-defaced/
  10. http://www.cyberwarnews.info/2011/11/04/yet-another-pointless-account-dump-hundreds-dumped-from-www-jjs2-com/
  11. http://threatpost.com/en_us/blogs/another-dutch-ca-kpn-stops-issuing-certificates-after-finding-ddos-tool-server-110411
  12. http://thehackernews.com/2011/11/capitalone-bank-taken-down-by-anonymous.html
  13. http://www.networkworld.com/news/2011/110411-hacker-selling-access-to-compromised-252771.html?source=nww_rss
  14. http://www.phiprivacy.net/?p=8227
  15. http://thehackernews.com/2011/11/anonymous-attack-on-israeli-government.html
  16. http://www.itworld.com/security/222033/fake-threat-against-facebook-dwarfs-anonymous-real-attacks-israel-finland-portugal
  17. http://pplware.sapo.pt/informacao/site-freeport-pt-foi-atacado-entre-outros/
  18. http://www.databreaches.net/?p=21359
  19. http://www.itworld.com/security/222033/fake-threat-against-facebook-dwarfs-anonymous-real-attacks-israel-finland-portugal
  20. http://www.yomiuri.co.jp/dy/national/T111105002386.htm
  21. http://www.cyberwarnews.info/2011/11/08/massive-amount-of-accounts-dumped-from-adidas-com/
  22. http://www.theregister.co.uk/2011/11/07/adidas_hack_attack/
  23. http://www.cyberwarnews.info/2011/11/08/massive-amount-of-accounts-dumped-from-adidas-com/
  24. http://thehackernews.com/2011/11/international-foreign-government-e.html
  25. http://www.theregister.co.uk/2011/11/09/teamp0ison_publishes_stupid_password_list/
  26. http://news.softpedia.com/news/16-000-Finns-Affected-by-Data-Breach-232851.shtml
  27. http://nakedsecurity.sophos.com/2011/11/08/anonymous-attacks-el-salvadoran-sites/
  28. http://www.smh.com.au/business/privacy-of-millions-at-mercy-of-a-usb-device-20111107-1n3wm.html
  29. http://thehackernews.com/2011/11/ump-french-political-party-got-hacked.html
  30. http://www.cyberwarnews.info/2011/11/08/premierleaguepool-co-uk-accounts-dumped-by-sen/
  31. http://www.cyberwarnews.info/2011/11/08/60k-accounts-dumped-from-ohmedia-by-teamswastika/
  32. http://www.cyberwarnews.info/2011/11/08/dump-of-accounts-from-beachvolley-se/
  33. http://www.cyberwarnews.info/2011/11/08/khadraglass-com-hacked-and-accounts-dumped-by-inj3ct0r/
  34. http://www.cyberwarnews.info/2011/11/09/scamming-email-account-dumpers-are-surfacing-50k-french-accounts-dumped/
  35. http://thehackernews.com/2011/11/possible-credit-card-theft-in-steam.html
  36. http://www.fbi.gov/news/stories/2011/november/malware_110911/malware_110911
  37. http://www.theregister.co.uk/2011/11/10/it_manager_charges/
  38. http://thehackernews.com/2011/11/bangladesh-supreme-court-website-hacked.html
  39. https://twitter.com/#!/igetroot/status/134865652543520768
  40. http://thehackernews.com/2011/11/operation-brotherhood-shutdown-by.html
  41. http://nakedsecurity.sophos.com/2011/11/14/ambulance-service-disrupted-by-computer-virus-infection/
  42. http://www.cyberwarnews.info/2011/11/12/ucla-department-of-psychology-hacked-by-inj3ct0r/
  43. http://www.ehackingnews.com/2011/11/social-network-site-findfriendzcom.html
  44. http://www.cyberwarnews.info/2011/11/13/dump-of-information-by-inj3ct0r/
  45. http://www.f-secure.com/weblog/archives/00002269.html
  46. http://www.cyberwarnews.info/2011/11/14/dump-of-accounts-from-congress-of-sonora/
  47. http://www.cyberwarnews.info/2011/11/14/2-more-government-dumps-by-metalsoft-team/
  48. http://www.cyberwarnews.info/2011/11/14/another-big-dump-of-accounts-from-sec404-mexican-hackers/
  49. http://www.cyberwarnews.info/2011/11/14/another-mexican-government-congress-hacked-canaldelcongreso-gob-mx/
  50. http://www.cyberwarnews.info/2011/11/14/dump-of-data-from-another-mexican-congress-sinaloa-state-congress/
  51. http://www.cyberwarnews.info/2011/11/14/ministry-of-economy-mexico-hacked-by-sec404/
  52. http://www.cyberwarnews.info/2011/11/14/unit-of-transparency-and-access-to-public-information-website-hacked/
  53. http://www.cyberwarnews.info/2011/11/14/national-commission-of-physical-culture-and-sport-hacked-and-accounts-leaked/
  54. http://nakedsecurity.sophos.com/2011/11/14/hacked-sky-news-twitter-account-james-murdoch-arrested/
  55. http://news.softpedia.com/news/Anonymous-Attacks-Anonymous-For-Being-Trolls-234949.shtml
  56. http://nakedsecurity.sophos.com/2011/11/16/facebook-explains-pornographic-shock-spam-hints-at-browser-vulnerability/

October 2011 Cyber Attacks Timeline (Part II)

November 2, 2011 Leave a comment

Halloween has just gone and here it is Part II of the October 2011 Cyber Attacks Timeline covering the second half (15-31) of this month.

From an Information Security Perspective, the 10th month of 2011 has been characterized by Duqu, the brand new Advanced Persistent Threat dubbed “The Sun Of Stuxnet”, whose echo is far from being silent (a brand new 0-day vulnerability targeting Windows Kernel has just been discovered in the Malware Installer). Duqu affected the timeline in two circumstances: not only the malware was discovered, but also an Indian Provider called Web Werks had some servers seized from a Data Center in Mumbai because they were discovered to be involved in the C&C communication of the infected endpoints.

Other noticeable events of the month involved:

  • The wave of alleged Cyber Attacks from China against Japan Parliament and Embassies and also against Canadian Finance and Treasury Board. These were not the only Cyber Events allegedly affecting China in October: even if occurred months before, news were reported that the attack against Mitsubishi Heavy Industries led to the theft of sensitive data, moreover other 760 organizations worldwide were attacked with the same methodology used for RSA Breach and originating from China as well.
  • A new tide of Hacktivism by Anonyomous and Antisec, encouraged from the OccupyWallStreet Movement, including a dramatic face-to-face of Anonymous Mexico against Las Zetas one of the most powerful Mexican Drug Cartel.

A particular rank in this month is deserved by Israel and Sweden, the first reported a huge data breach (affecting 9,000,000 users) occurred in 2006, while the latter suffered a Black October with a data leak involving nearly 200,000 users of the social platform bloggtoppen.se including Politicians and Journalists. At this point is clear that the cold Sweden won the Prize for the “Hottest Breach of The Month”.

Also Facebook was targeted with an alleged dump of 10,000 accounts, nothing if compared with the 600,000 compromised logins per day that the social network admitted to suffer).

According to my very personal estimate (based on the indications from the Ponemon’s insitute) the cost of the breaches for this months (in all those cases where enough information was available) is around $500 million, excluding the massive data breach in Israel reported today but occurred in 2006.

As usual, this Timeline was compiled with Useful Resources by:

And my inclusion criteria do not take into consideration “simple” defacement attacks (unless they are particularly resounding) or small data leaks.

Date

Author

Description

Organization

Attack

Oct 16

Fatal Error

UNESCO E-Platform Domain

The E-Platform domain of one of the Biggest Organizations: United Nations Educational, Scientific and Cultural Organization (UNESCO) gets hacked and defaced by Fatal Error Crew hackers.

Defacement

Oct 17

10,000+ FaceBook accounts

A Hacking Crew From Nepal called TeamSwaStika hacks more than 10,000 facebook accounts. The hacking crew declares next target will be Nepal Government website and e-governance for Freedom. Estimated cost of the breach is $2,140,000.

Account Hacking (Phishing?)

Oct 17

?

Sesame Street’s Youtube Channel

Sesame Street had its YouTube channel hacked on Sunday, and its highly popular child-friendly videos of muppets like Kermit the frog and the Big Bird replaced with hard core porn movies.

Account Hacking

Oct 17

?

NHS Direct Twitter Account

NHS Direct, the UK helpline which provides expert health advice via the telephone and internet, has had its Twitter account taken over by spammers promoting an Acai Berry diet.

Account Hacking

Oct 18

TurkisH -RuleZ

proXPN

proXPN, one of the famous VPN client based on OpenVPN Service, is hacked by TurkisH-RuleZ.

Defacement

Oct 19

?

Gameloft

Gameloft, a Paris-based video game company that’s a leading mobile-game developer, acknowledges that a security breach has prompted it to pull the plug on one of its Web sites, the Order and Chaos online site.

SQLi?

Oct 19

?

Duqu

In a blog post, Symantec explains it came across the first samples of a new malware infecting some computer systems in Europe that appears to be very similar to Stuxnet. More analysis shows the malware is a “simple” keylogger using the same Stuxnet Technology

N/A

APT

Oct 19

?

Lord Of The Rings On Line

A FAQ on the official forum of the Lord Of The Rings Community On Line reveals that the site was breached although no financial data has been obtained by the attackers.

SQLi?

Oct 20

?

Phishing The Phisher

Finally someone decides to give a lesson to a phisherm by hacking the phishing website with a message educating the potential victims.

Phishing

Oct 21

Vikram Pandit (Citigroup CEO)

Mobile phone number and home address of Vikram Pandit, CEO of Citigroup, have been placed on the web by hacking group CabinCr3w in retaliation for the cuffing of protesters at an Occupy Wall Street demo. In their online statement the hackers say that they had accessed the data – which also included family information and some financial figures – and uploaded it online in response to events during the recent anti-bank protests on Wall Street.

N/A

Oct 21

Law Enforcement Agencies

Anonymous and Antisec broke their apparent October silence and renewed the tradition of the Friday Dumps against law enforcement agencies releasing a 600MB data dump of confidential data belonging to Law enforcement agencies. A couple of days later an AntiSec hacker tells police in a phone call that boredom drove him to hack their website.

Defacement

Oct 22

40 Child Porn Websites

As part as what they call #OpDarknet, Anonymous takes down more than 40 darknet-based child porn websites over the last week. They also leak personal details of 1500 users. Detalils on “AnonMessage” and “BecomeAnonymous” YouTube channels.

40 child Porn Websites

SQLi

DDoS

Oct 23

?

Microsoft’s Official YouTube Channel

Hackers take control of Microsoft’s official YouTube Channel (24,000+ subscribers), remove the company’s videos and replace them with videos of their own. Neither Microsoft nor Google (which owns YouTube) have disclosed information on how the security breach was perpetrated.

N/A

Oct 23

One Hit Play

@DiabloElite dumps 1008 accounts from onehitplay.com, with no other reason beside to show the need of a stronger security. All the accounts have been stored as plain text. Estimated cost of the breach is around $214,000.

SQLi?

Oct 23

Xbox A new hackers’ crew @DestructiveSec dumps some Xbox Live accounts.

SQLi?

Oct 24

?

cheaptickets.nl

The database of CheapTickets.nl (containing 715,000 customers) is leaked. Stolen information include 1,200,000 tickets and 80,000 passport numbers. Total cost of the breach might exceed $153 million.

SQLi?

Oct 24

Intra Web Security Exploit Team

LG Australia Web Site

One of the Australian websites belonging to global electronics giant LG (lge.com.au) is hacked by a collective calling itself the Intra Web Security Exploit Team. The attackers replaced the site with some lightly-obfuscated JavaScript pretending to be conducting an injection attack.

Defacement,

Simulated SQli

Oct 24

Malicious Employee

Israely Ministry of Labor and Social Welfare

Employee with access to the Population Registry has been discovered to steal the details of over 9 million residents and then passed them to someone else. Estimated cost of the breach is nearly $2 billion.

Malicious Access

Oct 24

760 Organizations Worldwide

Brian Kerbs publishes in his blog a list of companies whose networks were shown to have been connecting to the same control infrastructure that was used in the attack on RSA. The first victims appear to have begun communicating with the attacker’s control networks as early as November 2010. According to the list 760 other organizations had networks compromised with some of the same resources used to hit RSA and almost 20 percent of the current Fortune 100 companies are on this list.

760 Organizations Worldwide

APT

Oct 25

?

bloggtoppen.se

The usernames and passwords of around 90,000 accounts at Bloggtoppen.se have been made public after a hacker attack against the website. Several journalists and politicians are among the bloggers whose log-in details have been published. On Oct 26, the Aftonbladet newspaper reported that a further 57 other websites had also been hacked, and the login details of up to 200,000 people are at risk. Estimated cost of the breach is around $42 million.

SQLi?

Oct 25

Chinese Hacker?

Japanese Parliament

According to local media reports, hackers were able to snoop upon emails and steal passwords from computers belonging to lawmakers at the Japanese parliament for over a month. PCs and servers were infected after a Trojan horse was emailed to a a Lower House member in July. The Trojan horse then downloaded malware from a server based in China – allowing remote hackers to secretly spy on email communications and steal usernames and passwords from lawmakers.

APT

Oct 25

Mitsubishi Heavy Industries

Mitsubishi Heavy Industries, a high-tech military contractor, which suffered an attack from hackers earlier this year, is reported to have lost sensitive data related to defence equipment including fighter jet planes and nuclear power plant plans, according to The Ashai Shimbun. Once again suspects are directed to China.

APT

Oct 25

Inside Error

United States Department Of Education

Highly sensitive information (including SSN) belonging to around 5,000 students was exposed after a computer error causing a federal government student loan website to reveal the data: a glitch in the website allowed students who were logged in to freely view the data of other scholars. Fortunately, the site was compromised only for 7 minutes at most, but it is possible that some users were able to steal sensitive information. Estimated cost of the breach is around $ 1 million.

Inside Error

Oct 26

?

awurval.se

314 job seekers’ e-mail addresses and clear-text passwords acquired and dumped. Estimated Cost of the breach is around $67,000.

SQLi?

Oct 26

?

Mobile Tele Systems

MTS is a primary Mobile Operator in Russia with more than 70 million subscribers. Personal data of 1.6 million mobile phone users appeared online in the second such leak in three months. The database, posted on Zhiltsy.net, included the full names and phone numbers of MTS subscribers in St. Petersburg and Bashkortostan, as well as residential addresses and passport data for some of them. According to MTS the database goes back to 2006 and most numbers are no longer valid. Estimated cost of the breach could potentially achieve $300 million.

N/A

Oct 26

@_V4ND

nationmultimedia.com

@_V4ND dumps what they say is a teaser of accounts obtained from nationmultimedia.com in what appears to be another havij or similar SQLi vun tool based attack. The leak contains user emails and passwords in clear text.

SQLi

Oct 26

Robert Delgado

Massive Identity Theft

Robert Delgado, a 40 years old California man, was sentenced to eight years in prison for identity theft after federal police GPS-tracked his phone and discovered a hard drive with over 300,000 victim profiles during a raid of his home. Estimated Cost of the thiet (not including purchases made with stolen data) is around $65 million.

300,000 frauded users

Bank Fraud

Oct 26

Pakistani Hacker

Bharat Sanchar Nigam Limited (BSNL)

Another occurrence of the Cyberwar between Pakistan and India: A Pakistani hacker “KhantastiC haX0r” hacks into the official website of India’s leading telecom Company Bharat Sanchar Nigam Limited (BSNL).

Defacement

Oct 27

Law Enforcement Authorities

@_f0rsaken a member of @TeaMp0isoN publishes a list of websites utilized by law enforcement authorities that are supposed to be vulnerable to MSAccess SQL injection attacks. A number of six sites that are listed are supposedly utilized by the police for their updates, the cybercriminals urging Occupy Wall Street supporters to take them down.

Law Enforcement Authorities

MSAccess SQLi

Oct 27

Oakland Police Department Web Site

Cyber activists associated with Anonymous target the Oakland Police Department (OPD) and other law enforcement agencies that participated in a controversial crackdown against OccupyOakland protestors with a DDoS (distributed denial-of-service) attack against the department’s website. Moreover According to TG Daily, the infamous collective is offered a $1,000 reward for anyone who can provide information on an officer that allegedly injured a war veteran that was taking part in the protest.

DDoS

Oct 27

?

Clarinda Bank Iowa

In a letter dated Tuesday, Oct. 25, bank vice president Jon Baier notifies specific customers of a data breach. The letter states the bank was not provided details of the security compromise, but to protect the impacted debit card accounts, replacement cards with new numbers were ordered. The number of affected users is unknown.

N/A

Oct 27

Japanese Embassies

There are new reports that dozens of diplomatic computers Japanese embassies abroad were infected with malware this Summer. The news comes on the heels of recent news about malicious software attacks on Japanese defense contractors and the Japanese Parliament. A report in a local Japanese publication, The Daily Yomiuri, places the infected diplomatic computers in Canada, China, France, Myanmar, the Netherlands, South Korea, and the United States. Again China is suspected since a China Link is found on the malware.

APT

Oct 27

U.S. Government Satellites

Bloomberg reports that Computer hackers, possibly from the Chinese military, interfered with two U.S. government satellites four times in 2007 and 2008 through a ground station in Norway, according to a congressional commission.

N/A

Oct 28

Canadian Finance and Treasury Board

Ottawa Citizen reveals that, in Jan 2011, the Canadian Finance and Treasury Board’s networks were targeted by hackers in an attempt to steal sensitive information about the potash industry even though Finance and Treasury Board representatives denies it. It looks that the hackers were actually foreign, the first clues indicating that the attack originated from China.

APT

Oct 28

PayFail

PayPal Executives’ Contact Information

In what looks to be the first of a number of “name and shame” postings, an individual or individuals posting as “PAYFAIL” upload some personal information on dozens of former and current PayPal executives. The dumped data do not seem to be particularly sensivite, nevertheless, although deleted three times so far, the original statement keeps on appearing on pastebin.

N/A

Oct 28

?

Again on Duqu

Two workers at an Indian web-hosting company called Web Werks tell Reuters that last week officials from India’s Department of Information Technology seized several hard drives and other components from a server hosted on a Mumbai Data Center, that security firm Symantec Corp indicated as communicating with computers infected with Duqu.

APT

Oct 29

El Paso County Community College

@DestructiveSec hacks the El Paso Country Community College, defacing the web site and dumps some data.

SQLi?

Oct 29

Las Zetas (Mexican Drug Cartel)

Anonymous Mexico faces one of the most dangerous criminal organizations in the World, the Las Zetas Mexican Drug Cartel. In a video they warn the Cartel to release one of their members kidnapped during a street protest, otherwise the hacker group will disclose (or dox) the identities of members of the cartel including corrupted politicians and policeman. Another example of an hacking action with huge real aftermaths in terms of possible deadly retaliations.

Mexican Droug Cartel

SQLi?

Oct 29

Dominican Republic Police

As part of their Spanish Solidarity Saturday Anonymous release a pastebin document containing a list of finds and vulnerabilities on the Dominican Republic Police system and some other sites too. They also left a website defaced.

Several Vulns,

Defacement

Oct 31

3xp1r3 cyber army

hi5ads.com

A hacker group going by the name of 3xp1r3 cyber army dumps two separate pastes with respectively 5,065 and 3,149 account details to www.hi5ads.com. The leaks contain emails and plain text passwords. Estimated cost of the breach is around $680,000.

SQLi

Oct 31

3xp1r3 cyber army

Bangla TV

The Same group hacks Bangla TV and releases 1,517 usernames and clear-text password. Estimated cost of the breach is around $320,000.

SQLi

Oct 31

ScreamDevz

Penguin Elite

A group or individual dubbed ScreamDevz hacks Club Penguin Elite Database and dumps nearly 400 usernames, emails and MD5 hashed passwords. Estimated cost of the breach is around $80,000.

SQLi

Oct 31

Chinese Government Web Site

@TehMaskz, a member of @ChaoticSec defaces a web site belonging to Chinese Government (at the time of writing http://www.wfaic.gov.cn/index.html is still defaced). In the same circumstance other 9 sites all over the World are defaced.

Defacement

Oct 31

One Hit Play

@ChaoticSec hacks One Hit Play (once again) and releases more than 1000 User information, including emails, passwords, and usernames. Estimated cost of the breach is around $214,000.

SQLi

Oct 31

comitet.ru

@DeleteSec attacks comitet.ru and dumps more than 2000 records with email and passwords. Estimated cost of the breach is around $420,000

SQLi

Oct 31

plusline.org

@DeleteSec attacks plusline.org and dumps more than 1000 records with email and passwords. Nearly in contemporary the same group dumps 700+ accounts from several sites. Estimated cost of the breach is around $420,000.

SQLi

Oct 31

Mr. DarkCoderz

Adult Site

Another occurrence of hackers dumping data from adult sites. Estimated cost of the breach is around $43,000.

Adult Site

SQLi?

Follow

Get every new post delivered to your Inbox.

Join 2,705 other followers