Feed aggregator

Brazen Crimeware Marketing Branches Out to Social Networks

Threatpost for B2B - Fri, 04/26/2013 - 13:38

The secrecy of underground forums where financial malware and crimeware kits are traded is well guarded, to the point that few are able to penetrate them without some kind of internal sponsor. Here, criminals value their privacy as much as those from whom they steal.

That’s what makes a recent discovery from RSA Security’s FraudAction Research Lab all the more jarring. Expert Limor Kessem found this week that a new fraud service was being marketed over Facebook. The developer, an Indonesian-speaking person, was selling a customized botnet panel for the Zeus Trojan.

Kessem said the Facebook page was updated frequently with information about botnets, exploits and their version of Zeus.

“Beyond having compiled a working Zeus Trojan kit, the developer customized an attractive control panel for the admin (basic and familiar in functionality, and taken from previous Zeus versions). The developer and his team created a demo website for potential buyers—which they have no qualms about sharing publicly,” Kessem said.

While this particular criminal is an outlier, the use of social networks to market crimeware speaks to the commodity nature of some of the malware used for fraud. Zeus source code was leaked online in 2011, and since then many variants have popped up, each with varying degrees of functionality. While the high-end underground forums are out of reach for many, developers such as this one may be trying to expand their reach with their own versions of the banking malware, taking advantage of a market shift in which some of the more professional malware dealers have been lying low. Some, such as the keepers of the Citadel Trojan, have sworn off commercially selling their kit and will trade only with current and trusted customers.

“Underground forums are fairly well protected; these folks want to keep a low profile,” said George Tubin, senior security researcher at Trusteer. “But, you can imagine that maybe some want to branch out a little and get into a new market and attract folks who are not part of this secret underground as a way to reach out. Maybe they want to reach out to a new group of folks with no access to forums or don’t know how to get to them.”

Commercial versions of Zeus, SpyEye and Ice IX aren’t for sale any more either, another trend that leaves room for the crimeware kits and service offerings being marketed openly online.

“This case shows that the code leak, leading to the availability of the Trojan, makes for an even more diverse crimeware market, one that gives room to new offerings, especially at a time when all the major developers are staying away from the commercial arena,” Kessem said. “Marketing cybercrime in such an open and accessible manner is not something common.”

Crimeware kits and fraud services have become increasingly specialized, Tubin said, and cheaper. Criminals not only sell malware, phishing kits and botnets ready for launch, but have added features such as phone flooding capabilities for denial-of-service attacks, as well as check-forging specialists who can create counterfeit personal checks from stolen online check images. Specialization has also come to malware and botnets, to the point where compromised computers making up a botnet can be sold or rented according to geography if an attacker wants to target a particular regional financial institution.

“It’s amazing how every piece can be bought directly or as a service,” Tubin said, adding that malware writers want to make these kits sellable and therefore easy to use.

“There are a broad range of kits out there,” he said. “Malware writers want to make them as intuitive as possible in order to sell to a wide variety of folks, not just sophisticated programmers. That’s probably what is being sold on social networks and other outlets where they are reaching out to folks they have not before hoping these people just get sucked in once they realize how easy it is to do.”

Google Joins FIDO Alliance Effort to Move Beyond Passwords

Threatpost for B2B - Fri, 04/26/2013 - 10:39

Google, which gradually has been moving its users away from using passwords as their main form of authentication for Web services, has joined a young organization whose goal is to phase out passwords and replace them with various forms of strong authentication. The FIDO Alliance, formed last year, is working to make two-factor authentication the default mechanism for authentication through the establishment of an open standard for strong authentication.

Google has been working to make passwords obsolete for some time now. It has introduced two-factor authentication for its Gmail service, giving users the ability to enable an option that requires the use of a one-time code in addition to their normal password in order to sign in to their accounts. Other vendors, including Apple and Facebook, have followed suit. But none of those vendors have made two-factor authentication the default mode.

The FIDO Alliance is seeking to help make two-factor authentication a more mainstream thing through the development of an open standard for the use of various strong authentication technologies such as TPMs (trusted platform modules), hardware tokens and others.

“The formation of the FIDO Alliance addresses a longtime, critical need for technology providers and their users: stronger security that is easier to use,” said Phillip Dunkelberger, Nok Nok Labs CEO and founding FIDO Alliance member. “From day one, through our Unified Authentication Infrastructure, we are developing solutions that will deliver on the vision of the FIDO Alliance.”

Google’s involvement lends some major muscle to the effort. The company already has gone pretty far down the road toward developing strong authentication systems and has significant engineering and security resources to contribute to the project.

“Joining the FIDO Alliance is a great way to increase industry momentum around open standards for strong authentication,” said Sam Srinivas, Product Management Director for Information Security at Google and FIDO Alliance Board Member. “We look forward to continuing our current development work on strong, universal second-factor tokens as part of a new FIDO Alliance working group.”

The standard that FIDO is working on would support a range of technologies, including one-time passwords, near-field communications (NFC) and other alternatives. It’s not clear how soon the standard will be ready.

Vulnerability in Viber for Android Enables Lock Screen Bypass

Threatpost for B2B - Thu, 04/25/2013 - 17:06

Another day, another smartphone lock screen bypass vulnerability.

This time a flaw in a popular messaging application for the Android mobile platform is to blame. Viber, which is similar to Skype in that it allows users to make free phone calls and send instant messages, contains a flaw that could give an attacker with physical access to an Android device full control of the phone, according to Bkav Corporation, a California security company.

Viber has been installed between 50 million and 100 million times, the company said on the Google Play store. The app is also available for iPhone, BlackBerry and Windows devices. Bkav did not say whether any of those devices are vulnerable as well.

The alert posted by Bkav said the vulnerability is present on Samsung, Sony, HTC, Google Nexus, and other devices that support Android.

“Through a few actions on Viber, new message popups, combining with some tricks like using [a] victim’s notification bar, sending other Viber messages, [a] bad guy can gain full access to the phone and use any apps, features, etc. on the phone as its authorized user,” the alert said.

The exploit is relatively simple according to Bkav. There are several video examples of bypasses for different handsets, each relying on either a Viber instant message or missed call combined with the use of the Viber keyboard and back button to unlock the phone.

Bkav said it reported the vulnerability to Viber, which has yet to acknowledge it.

A similar vulnerability was discovered in Samsung devices running Android 4.1.2 by a U.K. researcher through the use of the emergency call and emergency contact list buttons; the sequence causes the home screen to appear briefly, allowing an outsider to open any app without authenticating via the Android pattern lock or PIN.

In February, two iPhone screen lock bypass flaws were discovered, one in the iOS 6.1 kernel that enabled access to contacts and other data, and another also in the emergency call feature.

Executive Order Expands Warrantless Network Monitoring to Include Critical Infrastructure

Threatpost for B2B - Thu, 04/25/2013 - 16:31

A little-known policy through which the Departments of Justice, Defense, and Homeland Security offered prosecutorial immunity to companies that helped the U.S. military monitor Internet traffic on the private networks of defense contractors has reportedly been expanded by Executive Order to include a score of other “critical infrastructure” industries, according to information obtained as part of a Freedom of Information Act lawsuit filed by the Electronic Privacy Information Center (EPIC).

EPIC writes that the pilot version of the program was brought to light in June 2011 after the Washington Post published a report detailing the implementation of a new program by the National Security Agency that let it monitor traffic flowing from some defense contractors through certain Internet service providers. At the time, the Washington Post quoted Deputy Defense Secretary William J. Lynn III saying that the program was designed to help thwart attacks against defense firms and that the government hoped to expand the program moving forward.

The documents obtained in the FOIA request, EPIC said, reveal that the DoD advised private industry organizations on the ways in which they circumvent federal wiretap laws in order to aid the DoD and DHS in their surveillance of private Internet networks belonging to defense contractors.

EPIC, digital rights group the Electronic Frontier Foundation, and others are concerned that this program is being expanded to apply to the broad swath of organizations that potentially fall under the increasingly vague category of “critical infrastructure.”

The government has not yet named the program, but EPIC claims that the NSA has partnered with AT&T, Verizon, and CenturyLink in order to keep tabs on the Internet traffic flowing into and out of some 15 defense contractors, including Lockheed Martin, CSC, SAIC, and Northrop Grumman.

For its part, the NSA has said that it is not directly monitoring these networks, but is rather filtering their traffic in order to detect the presence of suspicious packets based on a number of malicious code signatures that the agency has developed.

EPIC issued a FOIA request in July 2011 requesting the following information: “All contracts and communications with Lockheed Martin, CSC, SAIC, Northrop Grumman, or any other defense contractors regarding the new NSA pilot program; All contracts and communications with AT&T, Verizon, and CenturyLink or any other ISPs regarding the new NSA pilot program; All analyses, legal memoranda, and related records regarding the new NSA pilot program; Any memoranda of understanding between NSA and DHS or any other government agencies or corporations regarding the new NSA pilot program; Any Privacy Impact Assessment performed as part of the development of the new NSA pilot program.”

The government failed to provide any of this information, so EPIC filed a FOIA lawsuit on March 1, 2012, and was eventually granted access to thousands of pages of previously unreleased documents, which it has posted on its website.

Photo courtesy of Flickr user TexasGOPVote.com, Creative Commons

Government Requests for Google to Remove Content on the Rise

Threatpost for B2B - Thu, 04/25/2013 - 16:10

Google has released a new Transparency Report, this time pointing out sharp increases in the number of government requests from Brazil and Russia it received to remove content from Google-branded websites.

This is the seventh time the Mountain View-based company has released the report that provides details on how many countries have appealed to the company to remove potentially controversial content over a specific span of time.

In total, Google received 2,285 government requests to remove 24,179 pieces of content from July to December 2012, up from 1,811 requests covering 18,070 pieces of content from January to June 2012.

Google’s Legal Director Susan Infantino broke down the numbers in a post on the company’s blog Thursday. Requests from Brazil rose to 697 in the second half of the year from 191 in the first half, and requests from Russia rose to 114 from six. Both increases stem from political developments in those countries. Brazil held municipal elections last fall, and half of that country’s requests called for the deletion of potentially defamatory content about candidates. In Russia, a new law took effect that allows government authorities to blacklist and take down websites containing content deemed harmful to children; more than 100 of the requests from Russia pertained to that law.

Google has been releasing the reports every few months – already this year in January and March – in hopes of making it clear for users what governments are doing when it comes to censorship online. Google has made it clear that it’s receiving more and more requests to remove blog posts, especially those that contain politically tinged content, over time.

This version of the report is the first where Google has begun breaking down exactly when it blocked and unblocked certain videos on YouTube in particular countries.

As part of the breakdown, Google reported that 20 countries asked it to remove a controversial film from YouTube. Google restricted the clips from view in Jordan, Malaysia and other nations and temporarily restricted them in Egypt and Libya. The film, “Innocence of Muslims,” has fostered a vicious fight over freedom of speech and censorship online since its release last summer. It has also been cited as the motive for a string of denial-of-service attacks against a number of leading U.S. banks.

“While the videos were within our Community Guidelines, we restricted videos from view in several countries in accordance with local law after receiving formal legal complaints,” Infantino wrote.

The report is the third of its kind for Google this year and follows similar reports from Twitter in January and Microsoft in March disclosing information requests from law enforcement. The reports are being seen as a welcome trend in the security industry; as Threatpost editor Dennis Fisher put it last month, “it’s time for these disclosures to become as commonplace as quarterly earnings reports.”

If three reports in four months from Google, even if each breaks down much the same information, are any sign, the trend looks promising.

The full rundown of what Google removed can be found here while a rundown of disruptions Google found affecting some of its products and services can be found here.

Brad Arkin Named Adobe CSO

Threatpost for B2B - Thu, 04/25/2013 - 16:02

Adobe has named Brad Arkin to the newly created position of CSO, a major expansion of responsibilities for Arkin, who has been leading the company’s product security and privacy initiatives.

Adobe has been in the security spotlight for several years now, as attackers have focused their attention on the company’s portfolio of products that enjoy user counts in the billions. Flash and Reader have been frequent targets for attackers who are always on the lookout for vulnerabilities in widely deployed applications, which give them the best chance of compromising a high number of users. Exploits for Adobe products often pop up in the commercial exploit kits such as Cool, Blackhole and others and Flash and Reader zero days are highly prized in the hacking underground.

As the threats to Adobe’s products have escalated, so too have the company’s efforts to combat them. Arkin joined the company in 2008, just as Adobe was emerging as a key target. Before that, attackers had mainly focused on Microsoft, Oracle and browsers, but the ubiquity of Adobe’s products drew their attention. Arkin began addressing the problem from the bottom up, implementing a software security program designed to help developers write more secure code and eliminate vulnerabilities before products ship. The company joined the BSIMM program to help measure the effectiveness of the security development lifecycle and also began implementing countermeasures in its products to help prevent exploitation of vulnerabilities.

One of the key changes Arkin’s team made was the implementation of a sandbox for both Flash and Reader. The sandbox helps prevent an attacker from using a bug in a protected application to break out and gain control of the underlying operating system. With Flash running on more than a billion machines, that sandbox gives users of modern versions meaningful protection.

In his new role, Arkin will continue to run the company’s ASSET security research team and the PSIRT product response team, but also will have responsibility for Adobe’s worldwide infrastructure security.

“In my new role, I have the opportunity to lead Engineering Infrastructure Security, a team that builds and maintains security-critical internal services relied on by our product and engineering teams, such as code signing and build environments. I will also continue to manage and foster two-way communication with the broader security community, a vital part of the central security function,” Arkin wrote in a blog post.

“The driving goal behind our security work is to protect our customers from those who would seek to harm them. Adobe has some of the most widely-deployed software in the world and we are keenly aware that this makes us a target.”


Does Java 8 Delay Mean Oracle Finally Serious about Security?

Threatpost for B2B - Thu, 04/25/2013 - 09:46

It’s not quite the development freeze Microsoft underwent during the Trustworthy Computing push, but it’s a start for Oracle, which will delay the release of Java 8 until Q1 of next year, largely because the platform and browser plug-in is such a security disaster.

This year has done nothing but reinforce that notion. Start where you will, with any number of zero-days, watering hole attacks, or a pair of takedowns at Pwn2Own, Java has taken a beating from hackers in 2013 and apparently enough is enough.

Mark Reinhold, chief architect of the Java Platform Group, took to his personal blog last week to announce that the next version won’t make its scheduled September GA date.

“Maintaining the security of the Java Platform always takes priority over developing new features, and so these efforts have inevitably taken engineers away from working on Java 8,” Reinhold said. “Looking ahead, Oracle is committed to continue fixing security issues at an accelerated pace, to enhance the Java security model, and to introduce new security features. This work will require more engineer hours than we can free up by dropping features from Java 8 or otherwise reducing the scope of the release at this stage.”

In other words, see ya next year Java 8. Not that many people would miss it.

For months, you’ve had experts from a number of security, development and IT organizations tell you flat out: “Disable Java.” And for the average Web user, that’s a feasible strategy. Disabling the plug-in won’t impede the average browsing experience. Website functionality won’t be impaired, and you’ve lessened your exposure to exploits targeting the technology. It’s on the business end where disabling Java becomes a sticky proposition. Any number of home-spun applications rely on Java, as do some pretty well-deployed commercial mobile banking, e-government and enterprise services applications. Disabling Java means real costs to those organizations and an impact on availability of services.

So that puts the onus on Oracle to right its ship in a hurry. Larry Ellison has yet to issue a landmark Gates-esque memo, but maybe he should. Rather than Unbreakable, maybe Ellison should formally put the capital-B Broken label on Java. The industry would surely say “No, duh, Larry,” but it’s a start—admitting you have a problem is generally considered the first step on the road to recovery.

Java is everywhere, making it an attractive target for hackers. Exploits targeting previously unreported vulnerabilities have been folded into a number of popular commercial malware kits. You can also find free attack code on Pastebin and a number of other online sources. It pays to attack Java; just ask the Tibetans, the defense industrial base, mobile developers at Twitter, Apple, Microsoft and Facebook, and anyone hosting a website that’s been popped by a Java exploit since Christmas.

It’s a mess.

Not that Oracle hasn’t tried. A slew of security enhancements have been added to Java in recent months around code signing and new prompts warning users that a Java applet could be unsafe. The warnings have shields, are color-coded and there’s bold red text hammering the message home. Neat. Problem is that, much like Microsoft back in the day, by taking this approach Oracle tries to turn the user into a security admin. Users don’t want to be admins. They want their apps. They will click Yes, Run, Save, Execute—whatever it takes to get their apps or funny cat video. And hackers know this. And they’ll trick users into clicking on a harmful applet by spoofing Oracle’s dialog box and security warnings, twisting and turning them in their favor.

Locking down Java 8 is a start. Oracle is putting some key features on hold with this decision and has given itself a yearlong cushion to get its security house in order. For years security experts have been asking Oracle when its Trustworthy Computing moment will come and maybe this is the start. As Reinhold confirmed, security will be a priority going forward.

“If we sacrifice quality in order to maintain the schedule,” he wrote, “then we’ll almost certainly repeat the well-worn mistakes of the past, carving incomplete language changes and API designs into virtual stone where millions of developers will have to work around their flaws for years to come until those features—or the entire platform—are replaced by something new.”

We’ll see…

Hijacking of AP Twitter Account Renews Calls for Two-Factor Authentication

Threatpost for B2B - Wed, 04/24/2013 - 15:42

Twitter is facing increased pressure to beef up authentication for users after the hijacking of another high-profile account yesterday caused some temporary tremors on the stock market.

The social network has reportedly been testing two-factor authentication internally; Twitter lags behind Google, Facebook, Microsoft and Apple in implementing a two-factor authentication system. Wired claimed in a report published last night that the micro-blogging giant has developed a two-step login feature. A source told Wired that Twitter plans on incrementally rolling the authentication feature out to its users as soon as internal testing wraps up.

This comes on the heels of a series of false tweets from a hijacked Associated Press Twitter account claiming that President Barack Obama had been injured in a series of explosions near the White House. AP reporter Mike Baker tweeted that the hijacking came less than an hour after some at the AP received an “impressively disguised phishing email.” The false report caused a temporary plunge of 143 points on the Dow Jones Industrial Average.

White House press secretary Jay Carney almost immediately dispelled any concerns by announcing in a press briefing that he had just been with President Obama and that the president was perfectly fine. Once it was clear that the tweet was a fraud, Twitter and the AP quickly suspended this and other AP accounts, and, just as rapidly as it fell, the Dow Jones returned to previous levels.

The Associated Press would later confirm the compromise, saying the Syrian Electronic Army, a pro-Bashar al-Assad regime hacker group, had claimed responsibility for a hack that was preceded by a phishing attack campaign on AP networks. Contrary to what has been widely reported, the AP did not say with any degree of certainty that this account takeover resulted from the earlier phishing campaign.

Two-factor authentication systems require users to authenticate themselves with one mechanism, usually a password, before asking them to authenticate with a second, usually a numeric code sent via SMS to a mobile device. There are variations on how two-factor systems work. Some of the better ones include a physical token or even a biometric identifier as one of the factors. The reality though is that even a rudimentary SMS-based second factor of authentication, like those used by Google and Facebook, would have made it much more difficult for any attacker to hijack AP’s Twitter account (if the AP had the feature turned on).
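A worked illustration of the server side of such a check, added here and not part of the Threatpost article or of Twitter's or Google's code. It implements the time-based one-time password algorithm (RFC 6238, the scheme authenticator apps use) rather than the SMS delivery the paragraph mentions, because it runs offline, and it shows two things the paragraph glosses over: the submitted code is compared in constant time, and a code that has already been accepted is refused if replayed, so a phished code buys the attacker at most one login window. The base32 secret, the time values and the one-step skew window are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret in base32, as an authenticator app would be enrolled with.
# Not a real credential.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"

STEP_SECONDS = 30  # RFC 6238 default time step
DIGITS = 6         # code length shown to the user
WINDOW = 1         # accept one step either side of "now" to tolerate clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    return hotp(secret, at_time // step)


class TotpVerifier:
    """Server side of the second factor: check a submitted code and never accept
    the same time step twice, so a code captured by phishing cannot be replayed."""

    def __init__(self, secret_b32: str):
        self.secret = base64.b32decode(secret_b32, casefold=True)
        self.last_accepted_step = -1

    def verify(self, submitted: str, now: Optional[int] = None, window: int = WINDOW) -> bool:
        now = int(time.time()) if now is None else now
        current_step = now // STEP_SECONDS
        for step in range(current_step - window, current_step + window + 1):
            if step <= self.last_accepted_step:
                continue  # replay of an already-used (or older) step
            expected = hotp(self.secret, step)
            # Constant-time comparison: do not leak how many digits matched.
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(DEMO_SECRET_B32)
    code = totp(verifier.secret, int(time.time()))
    print("first use accepted:", verifier.verify(code))
    print("replay accepted:   ", verifier.verify(code))
```

The `hotp` and `totp` functions can be checked against the published RFC 4226/6238 test vectors (ASCII secret `12345678901234567890`; at time 59 the six-digit code is `287082`). In a real deployment the accepted step would be stored per account, and the password check would run first so the second factor is only consulted after the first succeeds.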

The Syrian Electronic Army has carved itself a niche with its Twitter takeovers. The pro-Syria group claimed responsibility for attacks in which it wrested control of National Public Radio accounts last week and a British Broadcasting Corp. account last month, according to a New York Times report.

The hacker collective hasn’t limited itself to hijacking Twitter accounts and publishing alarming but ultimately untrue tweets. In September 2011, the SEA allegedly hacked into and defaced a Harvard University site in an apparent, but unclear, attempt to promote the embattled Assad regime. The hacktivist group has reportedly taken credit for similar attacks targeting the Twitter accounts of Al-Jazeera English, Reuters, and CBS and may have also targeted the Qatar Foundation, FIFA, Human Rights Watch, and Columbia University.

Twitter account takeovers happen all the time, but usually involve low-skilled hackers guessing bad passwords or using automated tools to break weak ones, as opposed to the sort of sustained phishing campaign that numerous sources have suggested enabled the AP hijack. It is probably safe to say that a Twitter account takeover has never caused the amount of grief that yesterday’s did. Fox News suffered a similar breach last summer when hackers took over its politics-specific Twitter account and announced that the President had been assassinated while campaigning in Iowa. The Fox News incident grabbed headlines, but its impact paled in comparison to the almost identical mishap that plagued the more prestigious AP yesterday.

“This latest attack shows just how devastating the impact of hacktivist groups can be as the fake news which was spread from AP’s compromised Twitter account was enough to cause panic on Wall Street for a few moments, making the Dow Jones index plummet by more than 150 points,” said a Kaspersky Lab spokesperson.

Updates Fix PHP-Injection Flaw in Popular WordPress Plugins

Threatpost for B2B - Wed, 04/24/2013 - 15:19

A pair of popular WordPress plugins used to help sites cache content have fixed serious vulnerabilities that attackers could exploit simply by including special HTML code in a comment. Both WP Super Cache and W3 Total Cache contained a vulnerability that allowed for PHP code injection through a simple attack vector, but both plugins have now been updated to address the vulnerability.

The vulnerability was in the way that the plugins handled dynamic snippets included in the comments on sites with one of the plugins enabled. An attacker who found a vulnerable site would be able to execute arbitrary code on the backend server. The developers of both plugins have patched the vulnerability and so details of the bug have now become public.

“As a result, blogs with WP Super Cache (before version 1.3) and W3 Total Cache (before version 0.9.2.9) were at risk of PHP code injection. Blog comments could contain dynamic snippets (in HTML comments) and WordPress core did not filter them out. Upon such a malicious comment having been submitted, a new cached version of the page was created that included the injected PHP code. Upon the first request of the cached page, that code was successfully executed,” Frank Goossens, a Belgian blogger, wrote in a description of the problem.

First word of the vulnerability appeared in a WordPress user forum about a month ago, and the original poster included detailed code that demonstrated the vulnerability. Last week, Donncha O Caoimh, the author of WP Super Cache, said that he was releasing a new version of his plugin and would add a feature in a future version to disable a function that was one of the causes of the vulnerability.

“I’ve just released a new version of WP Super Cache that removes the html comments from user comments. I’ll publish a post about it in a few days time after most people have hopefully upgraded their sites. In the next release (1.4) I’m going to disable mfunc and associated functions by default because I suspect most users don’t even use them. Admins will have to enable them on the settings page,” O Caoimh wrote.
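To make the mechanism Goossens and O Caoimh describe concrete, here is an added example; it is not code from either plugin, from WordPress or from the article. It pairs a simplified model of the pre-1.3 behaviour, in which an mfunc block in the rendered page becomes inline PHP in the cache file, with a detector for dynamic-snippet markers in untrusted comment text and the mitigation the 1.3 release applied: stripping HTML comments from user comments before they are rendered. The `<!--mfunc ... --><!--/mfunc-->` form and the mfunc, mclude and dynamic-cached-content tag names are the ones WP Super Cache documents; matching them case-insensitively and with optional whitespace is this example's conservative choice, and the sample comments are constructed.

```python
import re

# Tag names WP Super Cache documents for its dynamic-snippet feature.
DYNAMIC_MARKERS = ("mfunc", "mclude", "dynamic-cached-content")

# Any HTML comment in untrusted content (what the 1.3 fix removes).
HTML_COMMENT_RE = re.compile(r"<!--.*?-->", re.DOTALL)

# Opening or closing dynamic-snippet marker; case/whitespace tolerance is our choice.
MARKER_RE = re.compile(
    r"<!--\s*/?\s*(?:%s)\b" % "|".join(re.escape(m) for m in DYNAMIC_MARKERS),
    re.IGNORECASE,
)

# <!--mfunc PHP --> ... <!--/mfunc-->  : the PHP is meant to run on every cache hit.
MFUNC_BLOCK_RE = re.compile(
    r"<!--\s*mfunc\s+(.*?)-->(.*?)<!--\s*/mfunc\s*-->",
    re.DOTALL | re.IGNORECASE,
)


def contains_dynamic_snippet(untrusted_html: str) -> bool:
    """Detection: flag a comment that carries a dynamic-snippet marker."""
    return MARKER_RE.search(untrusted_html) is not None


def strip_html_comments(untrusted_html: str) -> str:
    """Mitigation as described for WP Super Cache 1.3: remove every HTML comment
    from user-submitted content so no marker can reach the cached page."""
    return HTML_COMMENT_RE.sub("", untrusted_html)


def build_cache_file(page_html: str) -> str:
    """Simplified model of the pre-1.3 caching step: each mfunc block in the
    rendered page is rewritten to inline PHP in the cache file, so whatever
    the block contained executes when the cached page is next served."""
    def to_php(match):
        return "<?php %s ?>" % match.group(1).strip()
    return MFUNC_BLOCK_RE.sub(to_php, page_html)


def render_page(comments, sanitize: bool) -> str:
    """Toy theme: list the comments; 'sanitize' applies the 1.3 mitigation."""
    items = []
    for c in comments:
        body = strip_html_comments(c) if sanitize else c
        items.append('<li class="comment">%s</li>\n' % body)
    return "<html><body><ul>\n%s</ul></body></html>" % "".join(items)


# Constructed sample comments: one benign, one carrying a snippet.
BENIGN_COMMENT = "Nice post! <!-- just a note --> Thanks."
MALICIOUS_COMMENT = 'Great article <!--mfunc system($_GET["c"]); --><!--/mfunc-->'


if __name__ == "__main__":
    for c in (BENIGN_COMMENT, MALICIOUS_COMMENT):
        print("snippet marker present:", contains_dynamic_snippet(c), "|", c)
    print("--- cache file, unsanitized ---")
    print(build_cache_file(render_page([BENIGN_COMMENT, MALICIOUS_COMMENT], sanitize=False)))
    print("--- cache file, sanitized ---")
    print(build_cache_file(render_page([BENIGN_COMMENT, MALICIOUS_COMMENT], sanitize=True)))
```

Stripping comments from user input closes the path only for that input source; the durable fix is the one O Caoimh announced for 1.4, disabling mfunc and its relatives unless an administrator turns them on, since any other content that reaches a cached page would be an equally good carrier.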

The hugely popular WordPress publishing platform is used by a wide variety of users, including professional publishers and individual writers. There are hundreds of plugins available for the platform that perform all kinds of tasks, from preventing spam comments to enabling the site to run on mobile platforms, and attackers often target vulnerabilities in those plugins, as they know that users may not update them as often as they should. Just as browser extensions and plugins such as Flash and Java have become favorites of attackers, so too have the WordPress plugins.


Open Serial Port Connections to SCADA, ICS and IT Gear Discovered

Threatpost for B2B - Wed, 04/24/2013 - 14:06

Serial port servers are admittedly old school technology that you might think had been phased out as new IT, SCADA and industrial control system equipment has been phased in. Metasploit creator HD Moore cautions you to think again.

Moore recently revealed that through his Critical IO project research, he discovered 114,000 such devices connected to the Internet, many with little in the way of authentication standing between an attacker and a piece of critical infrastructure or a connection onto a corporate network. More than 95,000 of those devices were exposed over mobile connections such as 3G or GPRS.

Serial port servers, also known as terminal servers, give control system or IT administrators remote access to non-networked equipment, tracking of physically mobile systems, and out-of-band communication with network and power equipment in case of outages. Not only do they provide serial port connections to devices, but many are also wireless-enabled.

“The thing that opened my eyes was looking into common configurations; even if it required authentication to manage the device itself, it often didn’t require any authentication to talk to the serial port which is part of the device,” Moore told Threatpost. “At the end of the day, it became a backdoor to huge separate systems that shouldn’t be online anyway. Even though these devices do support authentication at various levels, most of the time it wasn’t configured for the serial port.”

Attackers who are able to gain access to the serial port are golden because once they’re on the server, the device assumes they are physically present and doesn’t require an additional log-in, Moore said. Making matters worse, he added, automatic log-offs are not enabled.

“So if an administrator logged into a device like an industrial control system, an attacker can follow behind them and take over an authenticated session to a serial port,” Moore said. “There are a huge number of devices out there that are exposing an interactive administrative or command shell without any authentication because an administrator had previously authenticated and left the session open.”

An attacker with essentially undetectable access is able to capture or manipulate data moving through the serial port. Moore said it would be possible to add a signature to the device so that, for example, any time the word “password” appears, that UDP packet and the entire serial session could be mailed to a third party.

“If you’re looking to steal data, you could write a rule where it emails you the data you care about as it floats across the serial port,” he said, adding that attackers could tamper with anything from HVAC to oil pipelines, traffic signals, or even corporate VPN connections, essentially opening a backdoor into a company’s networked resources.

Access to a remote serial port happens via a log-in over telnet, SSH or a Web interface, Moore said. You could also connect to a specific TCP port that acts as a proxy for the serial port. Telnet, SSH or a Web interface requires authentication; however, an attacker could telnet into that TCP proxy port without authentication because the devices are configured under the assumption that anyone with access is physically connected to the serial port. Moore said he found more than 13,000 root shells, system consoles and admin interfaces that did not require authentication or were pre-authenticated. However, Moore said he was unaware of any attacks.

“Seeing how much stuff that’s out there, it’s kind of surprising no one has,” Moore said. “You don’t need to know anything about serial ports to start exploiting this stuff. If you scan, you start seeing random authenticated router shells popping up. For an attacker, they don’t have to know that’s a serial port, they’ll just say ‘hey cool, a shell.’”

As for remediation, Moore said he is trying to bring awareness to the issue now and is encouraging companies to use only encrypted management services, require authentication for serial ports, enable activity timeouts for serial consoles, and follow other best practices.
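The three configuration points Moore raises above (cleartext management services, serial ports reachable without authentication, and consoles with no idle timeout) can be checked mechanically against a device inventory. The following is an added example, not code from the article or from Moore’s Critical IO project; the configuration model it audits is a constructed, vendor-neutral dictionary rather than any real terminal server’s export format, and the 900-second timeout ceiling is an assumed policy value.

```python
"""Audit a serial-port-server configuration against the hardening points in the
article: encrypted-only management, authentication on every serial port, and
idle timeouts on serial consoles.

The configuration model is constructed for this example; adapt load_config()
style logic to whatever your devices actually export.
"""
import copy

# Constructed sample: one hypothetical terminal server with two serial ports.
# port1 is the weak setting Moore describes; port2 is configured correctly.
SAMPLE_CONFIG = {
    "management": {
        "telnet": {"enabled": True, "auth": True},   # cleartext management
        "http":   {"enabled": True, "auth": True},   # cleartext management
        "ssh":    {"enabled": True, "auth": True},
        "https":  {"enabled": False, "auth": True},
    },
    "serial_ports": [
        {"name": "port1", "tcp_proxy_port": 2001, "auth": False, "idle_timeout": 0},
        {"name": "port2", "tcp_proxy_port": 2002, "auth": True, "idle_timeout": 600},
    ],
}

CLEARTEXT_MGMT = ("telnet", "http")
MAX_IDLE_SECONDS = 900  # assumed policy ceiling; tune for your environment


def audit_config(cfg):
    """Return a list of (severity, message) findings for one device config."""
    findings = []
    mgmt = cfg.get("management", {})

    # 1. Management must not be offered over cleartext services.
    for svc in CLEARTEXT_MGMT:
        if mgmt.get(svc, {}).get("enabled"):
            findings.append(("high", f"cleartext management service {svc} is enabled"))

    # 2. Every enabled management service must require authentication.
    for svc, opts in mgmt.items():
        if opts.get("enabled") and not opts.get("auth"):
            findings.append(("critical", f"management service {svc} requires no authentication"))

    # 3. The serial ports themselves (and their TCP proxy ports) need auth and timeouts.
    for port in cfg.get("serial_ports", []):
        name = port.get("name", "?")
        proxy = port.get("tcp_proxy_port")
        if not port.get("auth"):
            findings.append(("critical", f"serial port {name} (tcp/{proxy}) requires no authentication"))
        timeout = port.get("idle_timeout", 0)
        if not timeout or timeout > MAX_IDLE_SECONDS:
            findings.append(("medium", f"serial port {name} has no effective idle timeout ({timeout}s)"))
    return findings


def is_compliant(cfg):
    """True when the audit produces no findings."""
    return not audit_config(cfg)


def harden(cfg):
    """Return a corrected copy: cleartext management off, auth on every serial
    port, and an idle timeout within policy. The original is left untouched."""
    fixed = copy.deepcopy(cfg)
    for svc in CLEARTEXT_MGMT:
        if svc in fixed.get("management", {}):
            fixed["management"][svc]["enabled"] = False
    for port in fixed.get("serial_ports", []):
        port["auth"] = True
        if not port.get("idle_timeout") or port["idle_timeout"] > MAX_IDLE_SECONDS:
            port["idle_timeout"] = MAX_IDLE_SECONDS
    return fixed


if __name__ == "__main__":
    for sev, msg in audit_config(SAMPLE_CONFIG):
        print(f"[{sev}] {msg}")
    print("hardened config compliant:", is_compliant(harden(SAMPLE_CONFIG)))
```

Run stand-alone, the audit reports the two cleartext management services and port1’s missing authentication and timeout, while the hardened copy passes cleanly; the weak and corrected configurations therefore sit side by side in one run.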

Photo courtesy HD Moore.

Microsoft Releases Updated MS13-036 Patch

Threatpost for B2B - Wed, 04/24/2013 - 10:00

Microsoft has released a new version of the MS13-036 patch that was causing some customers’ machines to crash. The company had recommended in the days after the original fix was first released that customers uninstall the MS13-036 patch while Microsoft investigated the cause of the problems.

The new fix that Microsoft released on Tuesday resolves some conflicts with third-party applications that apparently were causing the blue screen issues for some people. The company didn’t specify which software was causing the crashes, but said that the update should resolve the problems.

“We’ve determined that the update, when paired with certain third-party software, can cause system errors,” said Trustworthy Computing group manager Dustin Childs at the time that the patch was recalled earlier this month.

The MS13-036 patch fixes a pair of race condition vulnerabilities in the Windows kernel, both of which could be used for code execution. However, the patch was rated important rather than critical because an attacker would need physical access to a vulnerable machine in order to run code using one of these bugs.

Childs said in a blog post Tuesday that customers should install the revised update as soon as possible.

“As we previously discussed, we stopped distributing this update when we learned some customers were having issues. The new update, KB2840149, still addresses the Moderate security issue described in MS13-036, and should not cause these issues. If you have automatic updates enabled, you won’t need to take any actions. For those manually updating, we encourage you to apply this update at your earliest convenience,” he said.

Verizon DBIR: Intellectual Property and Networks Under Siege for Months at a Time

Threatpost for B2B - Tue, 04/23/2013 - 15:38

It’s a familiar refrain: Attackers often have months of unfettered access to corporate networks; and security and network managers remain in the dark until they’re notified of serious breaches by third parties.

Enterprises, regardless of industry, dread that fateful knock on the door by the FBI, card brands or fraud detection services informing them that an external group has been moving data off their network for months. Yet it’s happening with greater frequency and with devastating consequences in some cases, according to the 2013 Verizon Data Breach Investigations Report (DBIR).

This year’s version of the DBIR has quantified not only financially motivated attacks, but also those carried out by state-sponsored attackers targeting intellectual property or military secrets. The numbers in the report paint a representative picture of the state of affairs for companies that value IP, such as those in manufacturing and telecommunications, and the numbers aren’t pretty. Sixty-six percent of breaches remain undiscovered for months or longer, up from 55 percent in 2011 and 41 percent in 2010.

Targeted attacks and attacks motivated by espionage represent 21 percent of the 621 breaches investigated by Verizon’s RISK Team and those attacks account for the inflated numbers representing the time from initial compromise to discovery, Verizon said.

“That pits the virtually unlimited resources of a nation against the very finite resources of a single company. Nobody can reasonably be expected to withstand that,” the DBIR says, adding that while prevention remains an important part of any security strategy, more investment must be made in detection and response to breaches that result in data loss.

This year’s report paints a gruesome picture, one where most companies are compromised and lose data in a matter of hours. Financially motivated attacks that rely on relatively simple SQL injection attacks or compromises of remotely accessible point-of-sale systems guarded by weak or default credentials beef up those numbers substantially. Attackers are able to break those systems in a matter of seconds or minutes. And initial compromises in financially motivated attacks are not difficult, according to the DBIR data. In such attacks, 78 percent were considered low or very low difficulty, while in espionage-related attacks, the degree of difficulty climbs to 22 percent overall and 26 percent in attacks against large organizations.

The time from compromise to data exfiltration is longer only because espionage attackers require more time to pivot between network resources, and to find and exploit vulnerable systems, before they’re able to move data to a command and control server. From the data, 84 percent of compromises are achieved within hours, and in 69 percent of breaches, data is moving off the network within hours.

Unfortunately for the victims, only 9 percent of breaches are discovered within hours. It’s taking months to years for most network intrusions to be discovered; 62 percent of breaches are found within months, 4 percent in years.

“Let’s stop treating [detection and response] like a backup plan if things go wrong,” the DBIR says, “and start making it a core part of the plan.”

Once discovered, most breaches are contained within days or weeks (76 percent), leaving a quarter to be contained within months or longer.

There is some tempered good news: while 70 percent of breaches were discovered by third parties, down from 92 percent last year, detection capabilities still seem to be lacking within IT organizations. Another win is that external notification by organizations with no business relationship to the victim, such as ISPs and industry watchdog groups, climbed to 34 percent of breaches in cases of espionage. Fraud detection services and customer and law enforcement notification lead the way for financially motivated attacks.

Malware C&C Servers Found in 184 Countries

Threatpost for B2B - Tue, 04/23/2013 - 13:04

In an attempt to better evade detection, cybercriminals are increasingly configuring their command and control infrastructure in such a way that initial malware callbacks communicate with a server located in the same country as the newly infected machines.

This emerging trend is among the vast and varied findings of a FireEye report, “The Advanced Cyber Attack Landscape,” made public this morning. FireEye gathered the data in the report in an analysis of some 12 million messages communicated between various malware targeting enterprises and their command and control servers.

The creation and proliferation of malware is more global than ever, with C&C servers living in 184 countries. That’s a substantial 42 percent increase from 2010, when only 130 nations played host to C&C servers.

While the breadth and quantity of such servers is changing dramatically, much remains the same: parts of South and Eastern Asia and areas near Eastern Europe are still the international cybercrime hotspots. China, South Korea, India, Japan, and Hong Kong are believed to be responsible for 24 percent of cyberattacks, while Russia, Romania, Poland, Ukraine, Kazakhstan, and Latvia accounted for 22 percent. The caveat to FireEye’s claim that these regions are driving the majority of advanced attacks is that their analysis showed that 44 percent of C&C servers are actually located in North America. This, FireEye believes, is a statistical anomaly reflecting the new reality that attackers are evading detection more and more by distributing the C&C servers in close proximity to their targets.

In fact, North America’s 44 percent share of these servers and its more drastic 66 percent share of C&C servers responsible for advanced persistent threat-style attack campaigns is an indicator of something that has not changed according to FireEye: relatively speaking, the U.S. corporate landscape, particularly its wealth of high technology firms, is densely packed with valuable intellectual property, and therefore attackers continue targeting companies based there. However, forensic analysis of the tools used in these attacks and the communication tactics of the C&C infrastructure supporting them revealed that the vast majority of attacks – and as many as 89 percent of APT tools, most of them related to Gh0stRAT – originated in China where they were developed by Chinese hacker groups.

Another evolution is a move toward the use of social sites like Facebook and Twitter to communicate with infected machines. This tactic and another whereby attackers embed stolen content in commonly used JPG files are deployed by attackers in an attempt to make malicious traffic seem benign.

Other interesting findings highlighted by FireEye are that South Korean businesses, mostly because of that country’s highly developed Internet infrastructure, are witnessing the highest level of callbacks per organization. Their findings also suggest that Japan’s density of intellectual property may rival that of the U.S., considering that 87 percent of callbacks originate and stay in that country. Lastly, high exit-rate detection in both the U.K. and Canada suggests to FireEye that attackers are generally unconcerned about being detected in those countries.

Java Sandbox Bypass Discovered that Breaks Latest Update

Threatpost for B2B - Tue, 04/23/2013 - 12:37

Optimism and praise followed last week’s Java critical patch update. Oracle not only patched 42 vulnerabilities in the Java browser plug-in, but also added new code-signing restrictions and new prompts warning users when applets are potentially malicious. It took less than a week, however, to deflate any good will toward Java that resulted.

Noted Java bug hunter Adam Gowdiak, founder and CEO of Security Explorations of Poland, said this week that he reported to Oracle a new Reflection API vulnerability that affects all Java versions, including 7u21 released last Tuesday.

“It can be used to achieve a complete Java security sandbox bypass on a target system,” Gowdiak wrote on the Full Disclosure mailing list on Monday. “Successful exploitation in a Web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed).”

Attackers can exploit this vulnerability to achieve a complete Java security sandbox escape, Gowdiak said, adding that he also sent proof-of-concept code to Oracle demonstrating an exploit. Gowdiak, who first reported vulnerabilities in the Reflection API a year ago, also said that this vulnerability is present in the server versions of the Java Runtime Environment, as well as in the JRE Plugin and JDK software.

“It’s been a year since then and to our true surprise, we were still able to discover one of the simplest and most powerful instances of Java Reflection API-based vulnerabilities,” Gowdiak said. “It looks like Oracle was primarily focused on hunting down potentially dangerous Reflection API calls in the ‘allowed’ class space. If so, no surprise [this issue] was overlooked.”

Gowdiak identified four Java components and APIs that are at risk of exploitation: Sun Microsystems’ implementation of the XSLT interpreter; Long Term Persistence of JavaBeans Components; RMI and LDAP (RFC 2713); and many SQL implementations.

“These are the APIs and Java components that could be potentially used as execution vectors for untrusted Java code in other than web browser environments,” he told Threatpost via email. “In other words, they have the potential to be abused for the exploitation of Java SE flaws.”

Last week’s Oracle patch update repaired many issues plaguing the platform. Of the 42 vulnerabilities patched in the update, all but three were remotely exploitable. A number of Java zero-day vulnerabilities and exploits have been the center of watering hole attacks and other high-profile website hacks.

The update also now requires that any applets executing at runtime in the browser be signed with a trusted certificate, and that all code prompt the user for approval. The level of user interaction required depends on the potential risk involved, Oracle said. Oracle has color coded its user prompts: blue for apps signed by a trusted certificate, and yellow indicating an untrusted or expired certificate. Red text accompanies high-risk warnings that an applet could be a security risk.

“We are not sure if these warnings will help the platform,” Gowdiak said. “Java was supposed to provide a safe execution environment for untrusted, potentially harmful code. A dialog prompt warning a user about a security risk prior to the execution of an untrusted application basically denounces one of the main advantages of the platform: its security.”

Oracle also removed the low security settings in the Java Control Panel; users will no longer be able to opt out of the security features built into Java.

“The platform will not deny the execution of Java applications, however in high-risk scenarios the user is provided an opportunity to abort execution if they choose,” Oracle said in its advisory last week. “Future update releases may include additional changes to restrict unsafe behaviors like unsigned and self-signed applications.”

How I Got Here: Chris Hoff

Threatpost for B2B - Tue, 04/23/2013 - 09:45

Dennis Fisher talks with Chris Hoff of Juniper Networks about his childhood scaring sheep on a farm in New Zealand, his early days hacking on the first wave of personal computers, his misadventures in a college computer lab and how he ended up as an itinerant security guy.

Download: 05_chris_hoff.mp3

Image via Flickr user Myrcurial‘s photostream, Creative Commons

Analysis: Spyware. HackingTeam

Secure List feed for B2B - Tue, 04/23/2013 - 06:43

This article is based on technical data from KL experts and their analysis of the Korablin and Morcut malicious programs. A number of conclusions are based on open source data.

Verizon DBIR Takes First Deep Dive into Cyberespionage

Threatpost for B2B - Mon, 04/22/2013 - 20:23

Targeted cyberespionage attacks have dominated discussions within the security community and outside of it, from the mainstream media to the halls of the executive and legislative branches of government. But until now, discussions about attacks stemming from China that target intellectual property from engineering, manufacturing and military interests in the United States have been anecdotal and one-off analyses of specific breaches.

The 2013 Verizon Data Breach Investigations Report (DBIR) has changed that. For the first time, the report has branched out and extensively quantified nation-state attacks motivated by espionage. This is a significant departure from previous editions of the report, which many consider to be the industry standard research on data breaches.

Released today, the report takes great pains to correlate threat actor motives and the data that is compromised. It also has a host of new contributors, now 19 in all, bringing fresh perspectives to the data set used to make up the bulk of the 60-plus page report. As has been the case with the past eight DBIRs, the data comes from paid forensic investigations carried out by Verizon’s RISK Team, in addition to contributions from law enforcement and computer emergency response teams worldwide, as well as industry groups, large consulting and services organizations, and the U.S. Secret Service.

The data in this year’s report comes from 621 breaches where data loss or disclosure was confirmed and 47,000 reported security incidents. Despite the new focus on espionage-related attacks, the report still does its customary deep dive into financially motivated attacks and compares the tactics used by cybercriminals to those used by nation-state actors.

The report’s bevy of new contributors brought with them the most insightful data into attacks tied to China targeting intellectual property, which accounted for 19 percent of breaches.

“They all focus on something different,” said Jay Jacobs, one of the DBIR authors and a principal at Verizon. “You have to understand the research and information you want to pull out; that makes a difference in what you want to share. If you want to count the number of SQL injection attacks, that’s one thing. If you want to correlate that to industry and organization size, you have to expand your vision.”

The majority of data breaches still rely on the exploitation of weak or default credentials or stolen passwords. Hackers continue to blend hacking and malware to steal payment card information or to gain legitimate access to network resources to steal intellectual property. Most financially motivated attacks are opportunistic and rated as low difficulty, while those motivated by espionage use a combination of phishing emails and advanced malware to ramp up the difficulty of initial compromise and subsequent actions.


And there isn’t a typical victim for espionage attacks.

“The ‘I’m too small to be a target’ argument doesn’t hold water. We see victims of espionage campaigns ranging from large multinationals all the way down to those that have no IT staff at all,” the report says. “Lesson two is that some industries appear to be more targeted than others.”

Most attacks motivated by espionage target the manufacturing and transportation industries, while retail and food services lead the way for financially motivated actors. State-sponsored hackers covet not only secrets and internal organizational data, but system information.

“Most organizations have some form of proprietary or internal information they want kept private. Without this secret sauce, it’s hard to stay competitive,” the report says. “And because it’s a secret and competitively advantageous, others may want to steal that sauce. Thus, ‘who wants my sauce?’ is probably a better question than ‘am I a target of espionage?’”

State-affiliated actors account for 21 percent of attacks, compared to 55 percent attributed to organized crime groups. While China accounts for the majority of state-affiliated espionage attacks (96 percent), Eastern European countries such as Romania, Bulgaria and the Russian Federation account for the bulk of financial crimes targeting payment systems with commodity malware not found in espionage attacks. Attribution, Verizon says, isn’t based just on geolocation of IP addresses, for example, but on data from arrests and the use of particular tactics associated with known groups of attackers. Insiders, meanwhile, aren’t on the radar, with 92 percent of attacks attributed to external sources, again, most of those coming from criminal groups. Insiders have a role in 14 percent of data breaches, most of that number resulting from non-malicious actions, including human error.

The use of malware hasn’t tapered off. Espionage-related attacks, for example, account for a spike in the use of malicious email attachments as part of phishing campaigns. Phishing has become the initial entry point in many financial attacks too, in addition to direct compromise of a point-of-sale system or ATM. Malware used in espionage attacks, however, has very different goals than malware used in financially motivated attacks. Malware used to spy on organizations enables prolonged access to systems, control of those systems, and the ability to capture and exfiltrate data.

Spyware, keyloggers and RAM scrapers dominate the types of malware used in financially motivated attacks, while in espionage attacks, the threat actors are interested in a number of different things including grabbing screenshots of sensitive data. State-affiliated attackers are interested in maintaining persistence on machines and want to install backdoors in order to move data and install more malware such as downloaders, password dumpers and rootkits.

“Throughout this process, attackers promulgate across the systems within the network, hiding their activities within system processes, searching for and capturing the desired data, and then exporting it out of the victim’s environment,” the report says.

Hacking remains the most popular way attackers are infiltrating organizations, primarily through the use of stolen credentials. In financially motivated attacks, hackers brute force weak credentials or socially engineer them. Organized crime groups behind financially motivated attacks again made payment card data the most sought-after data type; that, in addition to identity information, can most quickly be turned into cash. In espionage attacks, stolen credentials are used to set up backdoor connections, and then shell services such as SSH or RPC are used to pivot internally to different network resources. Similarly, Web-based desktop sharing services such as RDP and VNC are favorites for financially motivated attackers.

Given the number of new data sources, this year’s DBIR branches out in a number of new directions. With high-profile espionage attacks gaining more attention, i.e., attacks on the New York Times, Apple, Facebook, Twitter and a number of government and activist organizations, organizations now have more insight into attacks that rely on more than social engineering and commodity malware.

“We’re seeing a diverse set of data that we can analyze,” Verizon’s Jacobs said. “We’re getting more views into breach data and seeing a diversity in threat actors and motives.”

New Malware Targeting the Dutch Through Twitter

Threatpost for B2B - Mon, 04/22/2013 - 16:19

As Twitter continues to secure its footing in the social network spectrum, it continues to be accompanied by an ongoing deluge of spam and malware intent on tapping into, and duping, the social network’s 200 million plus users.

Tanya Shafir, a researcher at the security firm Trusteer, recently discovered a new type of malware being used by cybercriminals to infect otherwise legitimate Twitter accounts.

According to a post by Director of Product Marketing Dana Tamir on the company’s blog today, the malware is “an active configuration of TorRAT” and is spreading via man-in-the-browser attacks.

Once a user stumbles upon a malicious page, the page injects JavaScript (below) into the victim’s Twitter account page, which in turn swipes the user’s Twitter authentication token. With the token, the malware can contact Twitter’s API and post whatever it sees fit, or in this case, a boatload of Dutch spam.

Trusteer spotted the malware posting a series of tweets about everything from Beyonce to the Netherlands’ king, Willem-Alexander, on some users’ accounts. Each tweet was accompanied by a suspicious link, which, while not inspected, Trusteer assumes leads to a malicious website and likely to a drive-by download.

Malware like this has been seen before, but as Trusteer points out, it’s usually attempting to leverage users’ financial data by targeting their banking accounts and log-in credentials.

Twitter has done a good job at curbing spammy and malicious tweets as of late but at one point last year some accounts were sending over 150,000 malicious tweets at a time. Now the site allows users to report unwanted tweets as spam and block users who are blatantly peddling questionable content.

Prolific Russian Bank Fraud Scheme Halted

Threatpost for B2B - Mon, 04/22/2013 - 15:40

If you’ve ever sat in on a cybersecurity hearing on Capitol Hill or attended a security conference, then you’re no doubt familiar with the oft-preached need for information sharing and private-public partnerships. So frequently repeated are these refrains that they’re almost as meaningless as the acronym “APT.”

However, the security firm Group-IB and the Russian government’s cybersecurity investigatory unit, Department K, claim to have curbed the theft of a billion rubles by doing just that: sharing information and partnering.

Russia’s largest bank, Sberbank of Russia, suspected that someone was attacking its online banking operation and reached out to Group-IB to carry out a forensic analysis of its networks. Group-IB determined that the attacker was stealing money from the bank’s customers by circumventing its SMS-based payment verification feature.

In the end, the Russian cybersecurity police known as Department K used information provided by Group-IB and Sberbank of Russia to arrest an unnamed 40-year-old man from the Volga River city of Togliatti. According to Group-IB, the prolific Russian cybercriminal exploited the online banking systems of various Russian banks in order to perform more than 5,000 fraudulent transactions from as far back as August 2011.

Group-IB’s analysis determined that the attacker, who has since been arrested, deployed the popular Carberp malware against his targets. The perpetrator of the attack campaign installed the Carberp Trojan on the machines of Sberbank’s unknowing online customers. The malware then used Web-injection functionality to display spoofed banking pages to users on infected systems. In this way, users willingly submitted their banking log-in information and cell phone numbers into web forms that appeared to come from their bank but actually communicated back to the attacker. Using this information, the man managed to clone his victims’ SIM cards and bypass SMS-based mobile payment confirmations.

“The investigation of this case — from the first moment when Group-IB received a complaint from a victim to when the perpetrator was apprehended — was conducted in record time, in less than six months. Thus, we managed to prevent thefts from Russian banks on the amount of 1 billion Roubles ($34 Million)” said Group-IB CEO, Ilya Sachkov. “This was the first case investigated within the European Cyber Security Federation (ECyFed) union, which includes Group-IB, CyberDefcon, and CSIS.”

Image of Sberbank of Russia bank in Krasnodar, Russia via Helen Flamme‘s Flickr photostream
