Threatpost for B2B


Hacktivist Collective Takes Credit for Comcast Mail Server Hack

Thu, 02/06/2014 - 17:16

Hackers broke into at least 34 servers belonging to Comcast yesterday, dumping what appears to be a list of the company’s mail servers, passwords and a link to the root file that contains the vulnerability they used to penetrate the system.

The hacktivist collective NullCrew has claimed to have hacked a handful of corporations over the years (Sony, PayPal, Orange Telecom and Ford, to name a few) and took credit for the attack against Comcast on Wednesday on its official Twitter handle, @NullCrew_FTS.

“Fun Fact: 34 Comcast mail servers are victims to one exploit,” the group boasted yesterday afternoon before posting a Pastebin document full of leaked information as proof.

The compromised mail servers apparently run on Zimbra, a groupware email server client whose Lightweight Directory Access Protocol (LDAP) directory service was the target of the attack.

NullCrew was able to exploit a local file inclusion (LFI) vulnerability in LDAP to secure access to the credentials and passwords.

An LFI vulnerability can allow a hacker to include local files on a web server via a script and execute PHP code. OWASP’s definition notes that hackers can take advantage of the vulnerability when sites accept user-supplied input without proper validation, something Comcast is apparently guilty of.

Through the vulnerability, NullCrew was able to access localconfig.xml, a file that contains Comcast LDAP administrative credentials, including LDAP passwords and credentials for MySQL and Nginx.
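The inclusion flaw described above comes down to a server building a file path from untrusted input. As an added example (not code from the article, from NullCrew's chat log or from Zimbra), the Python below places the naive pattern next to a hardened resolver; the Zimbra-style `localconfig.xml` path and the template directory are constructed test inputs, not locations taken from the article.

```python
"""Local file inclusion: the naive include pattern beside a hardened resolver.

Added example, not code from the article or from Zimbra. The directory names
and the traversal strings used in demo() are constructed for illustration.
"""
import os
from typing import Optional


def naive_resolve(base_dir: str, user_path: str) -> str:
    """The vulnerable pattern: glue user input onto a base directory.

    "../" segments pass straight through, and os.path.join discards base_dir
    entirely when user_path is absolute, so the caller can name any file the
    web server process can read (the article's localconfig.xml, for instance).
    """
    return os.path.join(base_dir, user_path)


def resolve_include(base_dir: str, user_path: str,
                    allowed_suffixes=(".html", ".txt")) -> Optional[str]:
    """Return a safe absolute path under base_dir, or None if the request is rejected.

    Defences, in order:
      1. reject NUL bytes, which some runtimes treat as a string terminator
         (turning "page.html\\x00.xml" into "page.html" after the check);
      2. canonicalise both sides with realpath so "..", "." and symlinks are
         resolved before comparing;
      3. require the resolved path to sit inside the resolved root;
      4. allow-list the file types the feature is actually meant to serve.
    """
    if "\x00" in user_path:
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, user_path))
    # commonpath of [root, candidate] equals root only if candidate is inside root.
    if os.path.commonpath([root, candidate]) != root:
        return None
    if not candidate.endswith(allowed_suffixes):
        return None
    return candidate


def demo() -> dict:
    """Run both resolvers over constructed requests; returns {request: (naive, hardened)}."""
    base = "/srv/app/templates"  # constructed, does not need to exist
    requests = [
        "index.html",                                      # legitimate
        "../../../opt/zimbra/conf/localconfig.xml",        # traversal (assumed path)
        "/etc/hostname",                                   # absolute path
        "index.html\x00.xml",                              # NUL truncation attempt
    ]
    return {r: (naive_resolve(base, r), resolve_include(base, r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, hardened) in demo().items():
        print(f"{req!r:48} naive={naive!r:60} hardened={hardened!r}")
```

Only the first request survives the hardened resolver; the other three return `None` while the naive version hands back a path outside the template directory.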

With that information an attacker could make an API call and then escalate privileges, according to a chat log from a few weeks ago, posted today, between two hackers familiar with the vulnerability: _MLT_, formerly of TeaMp0isoN, and C0RPS3, also formerly of TeaMp0isoN and now with NullCrew.

The hack is the second that NullCrew has taken credit for in the past week, following telecom company Bell Canada’s announcement that it was breached on Sunday and that more than 22,000 usernames, passwords and some credit card numbers belonging to the phone company’s small business customers had been leaked.

While Bell acknowledged the breach over the weekend, blaming it on an Ottawa-based third-party supplier, NullCrew publicized the company’s insecurities in mid-January, even posting a warning it issued to a company support representative about the vulnerabilities. NullCrew delivered on Saturday, posting a link on Twitter to a Pastebin document, since deleted, full of Bell customer data.

While user information, including five valid credit card numbers, was breached in the Bell attack, Comcast customer information is not expected to be implicated in yesterday’s attack.

Requests for comment directed to Comcast, which has not made a public statement about the hack yet, were not immediately returned on Thursday.

Light Microsoft Patch Load Precedes MD5 Deprecation

Thu, 02/06/2014 - 15:36

February’s Microsoft Patch Tuesday promises to be a relatively straightforward set of bulletins, but more noteworthy is that it’s the same day Microsoft officially deprecates the MD5 hash algorithm.

Announced last August, the change will officially restrict the use of digital certificates with MD5 hashes issued under roots in the Microsoft root certificate program. The update will be rolled out on Tuesday, but Windows administrators have had six months to download and test it to see whether it would impact other areas of a company’s infrastructure.

Microsoft said in August that the change applies only to certificates used for server authentication, code signing and time stamping. Microsoft also said it would not block other uses of MD5, and that it would allow for signed binaries that were signed before March 2009.

The general recommendation is that companies move to a stronger algorithm such as SHA2 or better. MD5—and SHA1—have been broken for some time. Weaknesses in MD5 go back to the mid-1990s and collisions were identified in 2005.

As for Tuesday’s security bulletins, two of the five are rated critical by Microsoft because they are remote-code execution bugs in Windows and Microsoft security software. The other three bulletins are rated important and resolve privilege escalation, information disclosure and denial-of-service flaws in Windows and .NET.

The critical Windows bulletin affects Windows 7, Windows Server 2008 R2, Windows 8 and 8.1., Windows Server 2012 and 2012 R2, as well as Windows RT and RT 8.1. The other critical bulletin affects Microsoft Forefront Protection 2010 for Exchange Server.

“Given a remote code execution in a perimeter service like Forefront, I’d have to say that this is the highest priority patching issue this month. The second is, not surprisingly, the critical in Windows 7 and later,” said Ross Barrett, senior manager of security engineering at Rapid7. “The other three issues are all of lower risk and likely lower exploitability, ranging from information disclosure to denial of service and elevation of privilege. Not to be ignored, but should be of slightly less concern than remote critical vulnerabilities.”

Tyler Reguly, manager of security research at Tripwire, said the Forefront bug is worth watching.

“While I wouldn’t expect the software to have a huge user base, vulnerabilities affecting email security can be particularly dangerous especially when you consider the current number for phishing and email malware attacks,” Reguly said.

Two of the important-rated bulletins affect Windows all the way back to XP; the other affects Windows 8 and later. Windows XP support ends April 8.

What’s missing this month is a cumulative rollup for Internet Explorer, the first time in close to a year that Microsoft has not issued patches for its browser.

“This month is a very Windows-centric month and, once again, there’s no IE patch in sight,” said Tripwire’s Reguly. “Given the frequency of browser vulnerabilities and how often they are patched, the length of time we’ve gone without an IE patch is rather worrisome.”

Twitter Transparency Report Shows Increase in Government Requests

Thu, 02/06/2014 - 14:40

Color Twitter unimpressed with the Justice Department ruling that eased a gag order on technology companies and service providers with regard to the reporting of FISA orders and National Security Letters.

Twitter released a transparency report today on government and law enforcement requests for account information, content removal, and DMCA takedown notices. While the reports show a definite increase in government requests for user account information and content, Twitter chose not to report FISA orders, which is unlike what Google, Facebook, Microsoft, LinkedIn and Yahoo did this week.

“While this agreement is a step in the right direction, these ranges do not provide meaningful or sufficient transparency for the public, especially for entities that do not receive a significant number of – or any – national security requests,” said Twitter manager of global legal policy Jeremy Kessel.

Kessel called the Justice Department ruling a step in the right direction for enhanced transparency between technology companies that manage reams of user data and their customers, but said the ranges of 1,000 requests these companies are allowed to disclose still does not provide sufficient transparency for Twitter’s liking.

“Allowing Twitter, or any other similarly situated company, to only disclose national security requests within an overly broad range seriously undermines the objective of transparency,” Kessel said. “In addition, we also want the freedom to disclose that we do not receive certain types of requests, if, in fact, we have not received any.”

Twitter and the other leading technology and services companies spent much of last summer petitioning the Obama administration and filing lawsuits seeking the right to disclose specifics on requests for customer data related to national security. Those demands were rebuffed until last week when the Justice Department, acting on a directive from the White House related to NSA surveillance changes, bent and offered companies two reporting options. The companies, in turn, dropped their related lawsuits.

The first option brings FISA reporting in line with reporting of National Security Letters in that companies will be able to report the number of FISA orders for content, non-content, as well as the number of customer accounts affected for each in bands of 1,000 requests. The reporting restrictions around National Security Letters were eased last summer and companies are allowed to similarly bundle their reporting.

Reports may be published every six months, however, reporting on national security orders issued against data collected by new company products and services must be delayed two years.

The second option allows companies to report all national security requests, NSLs or FISA orders, and the number of customer accounts affected with exact numbers up to 250 requests, and thereafter in bands of 250.

Kessel said the restrictions infringe on the companies’ First Amendment rights to free speech.

“We believe there are far less restrictive ways to permit discussion in this area while also respecting national security concerns,” he said. “Therefore, we have pressed the U.S. Department of Justice to allow greater transparency, and proposed future disclosures concerning national security requests that would be more meaningful to Twitter’s users. We are also considering legal options we may have to seek to defend our First Amendment rights.”

As for today’s report, which excludes national security-related requests, the overall number of worldwide requests has climbed 66 percent over the two years Twitter has published these reports. The U.S. government accounts for 59 percent of the requests to Twitter.

For the last six months of 2013, Twitter received 1,410 account information requests, most of those related to criminal investigations; 833 of those came from the U.S. government on 1,323 accounts. Twitter complied and provided information in 69 percent of those requests. Overall, it complied with 50 percent of the requests worldwide.

Content removal requests jumped sharply to 365, up from 60 over the first six months of 2013.

Cost of Doing APT Business Dropping

Thu, 02/06/2014 - 12:33

PUNTA CANA–The term APT often is used as a generic descriptor for any group–typically presumed to be government-backed and heavily financed–that is seen attacking high-value targets such as government agencies, critical infrastructure and financial systems. But the range of targets APT groups are going after is widening, as are the levels of talent and financing these groups possess.

One reason for this evolution is that the amount of money that’s required to get into the APT game is no longer prohibitive. Whereas once an aspiring APT crew might need hundreds of thousands or millions of dollars in backing, depending upon their target list and timeline, now smaller, more agile groups can get in on the action for a fraction of that cost.

“The cost of entry for APT is decreasing,” said Costin Raiu, head of the Global Research and Analysis Team at Kaspersky Lab, in a talk on the threat landscape at the company’s Industry Analyst Summit here Thursday. “We’re going to see more surgical strikes and critical infrastructure attacks.”

One example of this phenomenon is the Icefog group. Discovered last fall, the Icefog attackers targeted a variety of organizations and government agencies in Japan and South Korea and researchers believe the group comprised a small number of highly skilled operators who went after select targets very quickly. Raiu estimated that the Icefog campaign probably required an investment of no more than $10,000. By comparison, he said that the NetTraveler campaign likely cost about $500,000, while Stuxnet was in the range of $100 million.

“Icefog is special because it indicates a new trend of cyber mercenaries, maybe five to ten people that are highly skilled,” Raiu said. “They knew what documents they wanted to steal from each machine and they spent only a few minutes on each machine.”

The massive investment required to create, test and deploy the infamous Stuxnet malware, Raiu said, should not be seen as the ceiling for such APT tools.

“If you’re thinking that’s a lot of money, it’s not,” Raiu said. “It’s the cost of several missiles.”

Missiles, of course, can only be used once; APT tools can be deployed any number of times, and by a wide variety of attackers. It’s often the case that tools written by a high-level group will eventually trickle down through the ranks and be used by less-skilled attackers as time passes. That’s part of the democratization process in the attacker community and it’s only going to accelerate.

Jeremiah Grossman on His New Role as CEO of WhiteHat Security

Wed, 02/05/2014 - 15:50

Dennis Fisher talks with Jeremiah Grossman, the new interim CEO of WhiteHat Security, about taking on the new role, how things have changed since he was CEO 10 years ago and what the biggest challenges will be.

*Image via @biatch0’s Flickr photostream, Creative Commons

Google Broadens Bounty Program to Include Chrome Extensions

Wed, 02/05/2014 - 15:18

Google has announced it will retool its bounty program and extend its scope to include Chrome apps and extensions branded as “by Google,” including extensions tied to popular products such as Gmail and Hangouts.

According to a post by Google’s Michal Zalewski and Eduardo Vela Nava on the company’s Online Security blog yesterday, the rewards will depend on the permissions and data each extension handles, and the rewards should range from $500 to $10,000.

The move is being done to make sure efforts to keep the extensions secure are rewarded accordingly, something Google believes is relatively easy, providing the company’s security guidelines are followed.

Chrome extensions such as Google Calendar, Google Dictionary, Speed Tracer and Tag Assistant should also fall under Google’s new bounty program.

The two also used the blog to announce that Google has upped the amount of money it will pay to those who contribute to patches for open source projects.

Google announced the experimental rewards program in October in hopes of garnering more insight from the developer community and as a way to improve its Chrome OS and Chrome browser. The program encourages developers to point out bugs in open source projects that are supplemental to Google such as Apache, OpenSSH, OpenSSL and some parts of the Linux Kernel.

Initially the rewards ranged from $500 to $3,133.70.

Now vulnerabilities found in those projects will fetch up to $10,000 for complicated, high-impact improvements, $5,000 for moderately complex patches and between $500 and $1,337 for simple submissions, according to the blog.

These programs continue to be “critical to the health of the internet in recognition of the painstaking work that’s necessary to make a project resilient to attacks,” according to Nava and Zalewski.

Google’s bug bounty programs have become some of the most successful of their kind. Last summer, the Mountain View firm upped the amount of money it paid out for cross-site scripting vulnerabilities and bugs in Chromium. The company also announced last summer that it had paid out $2 million in rewards since the program’s inception, a figure that has almost certainly jumped since then.

Per usual, interested parties can submit vulnerabilities to Google via a form on its website.

Government Agencies Failing at Basic Security Hygiene

Wed, 02/05/2014 - 15:12

A damning report on the security of government computers paints an unflattering picture of lax or non-existent patching efforts, poor password policies, configuration errors and a general lack of confidence that exposes critical services and systems to attack.

The report, “The Federal Government’s Track Record on Cybersecurity and Critical Infrastructure,” was released yesterday by Oklahoma Republican Sen. Tom Coburn, the ranking member of the Homeland Security and Governmental Affairs Committee. Coburn reiterated the risks to financial markets, emergency response and individuals’ information posed by the security issues brought to light in the report—the majority of which can be addressed with basic information security hygiene.

“While politicians like to propose complex new regulations, massive new programs, and billions in new spending to improve cybersecurity, there are very basic – and critically important – precautions that could protect our infrastructure and our citizens’ private information that we simply aren’t doing,” Coburn said.

Coburn pointed the finger at the White House for not holding the agencies accountable for proper cybersecurity policies and enforcement. The report referenced President Obama’s Executive Order, signed one year ago, which promised the government and private sector would collaborate on the directive to secure commercially owned critical infrastructure networks.

“It is appropriate for the White House to envision a federal role in protecting privately-owned infrastructure, particularly when that infrastructure undergirds the nation’s economy and society,” Coburn’s report said. “However, for the country’s citizens and businesses to take the government’s effort seriously, the federal government should address the immediate danger posed by the insecurity of its own critical networks.”

A good amount of ire in the report, which was built off data collected in 40 audits, interviews and reporting on government systems done in a dozen agencies, was reserved for DHS, which in 2010 was tasked with leading the effort to secure government computers.

Despite that responsibility, the White House Office of Management and Budget last year rated DHS below government agency averages for the use of up-to-date antivirus software and other automated detection programs, as well as for a lack of email encryption and security awareness training. It also failed to reach a goal of sending 95 percent of DHS internet traffic through Trusted Internet Connections (TICs), sending only 72 percent.

Two years ago, computers at the National Protection and Programs Directorate (NPPD) which houses DHS cybersecurity, were below proper patching levels and were protected by weak passwords. FEMA and ICE immigration servers had missing patches, and Web applications were also vulnerable to remote attacks. In addition, physical security no-no’s were reported, including a number of passwords found written down on desks, unlocked desks, unlocked laptops, and even credit cards left on desks.

DHS was not alone in its troubles. The Nuclear Regulatory Commission had many of the same password and patching weaknesses, but the report points out a general lack of confidence in NRC’s IT staff. Business owners were buying their own computers and setting up their own networks inside agency offices. Workers were also storing data on nuclear facilities’ cybersecurity programs on unsecured shared drives.

“Just about every aspect of that process appears to be broken at the NRC,” the report said. “Problems were identified but never scheduled to be fixed; fixes were scheduled but not completed; fixes were recorded as complete when they were not.”

Computers at the Internal Revenue Service, which arguably stores the most sensitive information on just about every adult in the United States, are vulnerable to the same weaknesses year after year since 2008, the report said. The General Accounting Office, for example, identified 100 vulnerabilities on IRS machines, including a lack of encryption on data transmitted between offices over the Internet.

The Department of Education, which manages $948 billion in student loans, is vulnerable to remote attack on systems accessible to remote workers. The report also identified lax investigations by the department into reported compromises of accounts; only 17 percent of cases were reviewed. In addition, the department was flagged for weak network monitoring and security to the point where hackers were able to set up a rogue connection on the agency’s network behind the firewall.

The Department of Energy, which suffered two intrusions last year resulting in the theft of personal information on past and present government and contract employees, was another offender. The report cites an audit of the Western Area Power Administration, which handles power needs for 15 states in the central and western parts of the U.S. All 105 computers tested in the audit lacked proper patching; public-facing servers were configured with default credentials; and vulnerability scanning of systems was deliberately limited so as not to impact the performance of services running on those machines.

The Securities and Exchange Commission was not left out. The report said employees were using personal email accounts, including web-based programs such as Gmail, to send information to and from financial institutions. Laptops storing sensitive information were unencrypted and lacking antivirus software. Laptops belonging to the Trading and Markets team dedicated to cybersecurity contained information on vulnerabilities in exchange computers, as well as networking maps that could have facilitated hacks, the report said.

“The investigation also found that members of the team took work computers home in order to surf the web, download music and movies, and other personal pursuits,” the report said. “They also appeared to have connected laptops containing sensitive information to unprotected Wi-Fi networks at public locations like hotels—in at least one reported case, at a convention of computer hackers.”

Details Emerge on Latest Adobe Flash Zero-Day Exploit

Wed, 02/05/2014 - 12:05

Exploits for a newly reported zero-day vulnerability in Adobe’s Flash Player drop a password-grabbing Trojan that targets the email and social media accounts of users and organizations in China, researchers at Kaspersky Lab said today.

The attacks appear to be an isolated campaign and there is no connection between these exploits and a new advanced espionage campaign called The Mask that Kaspersky researchers are expected to unveil next week at the company’s Security Analyst Summit.

Adobe issued an emergency patch for the zero-day yesterday; CVE-2014-0497 allows an exploit to remotely inject code and control the underlying system hosting the vulnerable software. Flash Player and earlier on Windows and Mac systems are affected as is version on Linux.

Kaspersky Lab researchers Alexander Polyakov and Anton Ivanov reported the bug to Adobe after finding a set of new .swf exploits, said Vyacheslav Zakorzhevsky, head of the vulnerability research group at Kaspersky Lab.

Researchers discovered 11 exploits—for Flash versions 11.3.372.94, 11.3.375.10, 11.3.376.12, 11.3.377.15, 11.3.378.5, 11.3.379.14, 11.6.602.167, 11.6.602.180, 11.7.700.169, 11.7.700.202, 11.7.700.224—all of them unpacked .swf files with identical ActionScript code that performs a version check on the victim’s operating system. The exploits work against Flash running on Windows XP, Vista, Windows Server 2003 and 2003 R2, Windows 7 and 7 64-bit, Windows Server 2008 R2, Windows 8 and Windows 8 64-bit, and Mac OS X 10.6.8.

Once the OS check is done, the malware assembles a return-oriented programming (ROP) chain depending on the version of Windows and Flash that is installed. Shellcode specific to the OS version is then generated and the exploit executes, Zakorzhevsky said.

It appears the attacks start with phishing emails in which the victims are sent infected .docx documents that contain an embedded Flash video, Zakorzhevsky said.

“When a document is opened, an embedded flash exploit drops and starts an easy downloader to the disk, which downloads a fully featured backdoor and a Trojan,” Zakorzhevsky said. “Afterwards, the program steals passwords from popular email clients and grabs logins and passwords from Web forms of popular social media and email services.”
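The delivery step described above (a .docx carrying an embedded Flash object) is something a mail gateway or triage script can check for, because a .docx is a ZIP container and SWF files carry a fixed three-byte signature. The Python below is an added example, not code from Kaspersky Lab or from the article; the sample document is constructed in memory with a dummy SWF header and contains no exploit content.

```python
"""Flag Word documents that carry an embedded Flash (SWF) object.

Added example, not from Kaspersky's analysis. A .docx is a ZIP archive;
embedded objects normally sit under word/embeddings/ or word/activeX/, but the
check below sniffs every member's content so a renamed part is still caught.
"""
import io
import zipfile
from typing import List

# SWF signatures: FWS = uncompressed, CWS = zlib-compressed, ZWS = LZMA-compressed.
SWF_MAGICS = (b"FWS", b"CWS", b"ZWS")


def looks_like_swf(head: bytes) -> bool:
    """True if the first bytes look like an SWF header (magic + one version byte)."""
    return len(head) >= 4 and head[:3] in SWF_MAGICS


def find_embedded_flash(docx_bytes: bytes) -> List[str]:
    """Return the names of archive members whose content starts like an SWF file.

    Content is checked rather than extension, because an embedded Flash object
    typically appears as a generic oleObjectN.bin or activeXN.bin part.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)       # only the header is needed
            if looks_like_swf(head):
                hits.append(info.filename)
    return hits


def build_sample_docx(embed_swf: bool) -> bytes:
    """Construct a minimal docx-like ZIP; optionally add a part with a dummy SWF header.

    The parts are constructed stand-ins, not a real Word document.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/image1.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        if embed_swf:
            # Dummy header only: "CWS", version 11, then padding. No real content.
            zf.writestr("word/embeddings/oleObject1.bin", b"CWS\x0b" + b"\x00" * 12)
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (False, True):
        print(f"embed_swf={flag}: {find_embedded_flash(build_sample_docx(flag))}")
```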

Kaspersky could not confirm whether these were targeted attacks, but it is likely. The malicious .docx and Flash files have titles written in Korean and were found on three computers, one in an email attachment opened on a Mac OS X machine, and two in the browser cache of a Windows 7 machine, likely also after the victim opened an email. The browser used on the Windows machine was Chinese, SogouExplorer, and the Mac mailbox was hosted on 163[.]com, a Chinese web-based email provider.

Researchers were able to find only one exploit containing executable files, a downloader, Trojan-Downloader.Win32.Agent.hdzh, encrypted with Microsoft CryptoAPI and hosted on a free hosting service bugs3[.]com. The executables included password stealers for email clients and social media sites including Google, Yahoo, Twitter, Facebook and many others. The backdoor, Backdoor.Win32.Agent.dfdq, connects to one of three command and control servers: sales[.]eu5[.]org; www[.]mobilitysvc[.]com; and javaupdate[.]flashserve[.]net.

Zakorzhevsky said the campaign is ongoing and that researchers have not been able to view documents being sent to the command and control server. Zakorzhevsky said this is likely an isolated campaign and Kaspersky Lab researchers have not been able to link any of the malicious Word or Flash files to an existing botnet.

There is also no link to the Mask campaign, researchers said. A post on the Securelist blog this week said The Mask was above Duqu in terms of sophistication and is one of the most advanced threats in the wild.

“The Mask is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products,” the blog post said.

Adobe, meanwhile, urges its customers to update Flash immediately because of the active exploits. A complete rundown of updates in the Adobe advisory:

  • Users of Adobe Flash Player and earlier versions for Windows and Macintosh should update to Adobe Flash Player
  • Users of Adobe Flash Player and earlier versions for Linux should update to Adobe Flash Player
  • Adobe Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player for Windows, Macintosh and Linux.
  • Adobe Flash Player installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player for Windows 8.0.
  • Adobe Flash Player installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player for Windows 8.1.

Image courtesy Siggi Arni.

Tech Giants Update Transparency Reports with FISA Request Numbers

Tue, 02/04/2014 - 16:34

Google, Microsoft, Facebook, Yahoo and LinkedIn wasted little time in disclosing what they could about requests for customer data made under the secret Foreign Intelligence Surveillance Act.

One week after the Justice Department eased a gag order on reporting of FISA requests, the five tech giants and advocates for greater transparency yesterday published data for the first six months of 2013.

The respective transparency reports are something of a victory for the companies, which banded together for much of last year filing lawsuits and signing petitions asking the government to allow them greater transparency on reporting requests for data involving national security. Apple and CloudFlare already updated their transparency reports last week, the same day as the Justice Department’s ruling.

The government finally conceded last week after months of negotiating, giving companies two reporting options. In return, the companies agreed to drop their suits.

The first option brings FISA reporting in line with reporting of National Security Letters in that companies will be able to report the number of FISA orders for content, non-content, as well as the number of customer accounts affected for each in bands of 1,000 requests. The reporting restrictions around National Security Letters were eased last summer and companies are allowed to similarly bundle their reporting.

Reports may be published every six months, however, reporting on national security orders issued against data collected by new company products and services must be delayed two years.

The second option allows companies to report all national security requests, NSLs or FISA orders, and the number of customer accounts affected with exact numbers up to 250 requests, and thereafter in bands of 250.

The companies cried out about the limited reporting options afforded them by the government.

“We were not, for example, permitted to break down the data between conventional law enforcement requests and those related to national security, or indeed even to acknowledge that we had received certain types of national-security related requests at all,” said Facebook general counsel Colin Stretch.

In general, the number of requests reported today involves a tiny percentage of the companies’ respective customers, and the firms hope the updated transparency reports dispel the possibility they may have been secretly cooperating with the government in providing them data on customers’ activity.

“While our customers number hundreds of millions, the accounts affected by these orders barely reach into the tens of thousands. This obviously means that only a fraction of a percent of our users are affected by these orders,” said Microsoft general counsel Brad Smith. “In short, this means that we have not received the type of bulk data requests that are commonly discussed publicly regarding telephone records. This is a point we’ve publicly been making in a generalized way since last summer, and it’s good finally to have the ability to share concrete data.”

The requests made to each company generally fall within 0-999 for content and non-content requests, as well as National Security Letters. Yahoo, however, is an outlier. The company was the laggard among tech giants in turning on SSL encryption by default last month on its web-based email service. The lag is noteworthy for Yahoo, which is more than three years behind Google’s default implementation of SSL for Gmail. Users of Microsoft’s webmail service have had SSL enabled by default since July 2012, while Facebook made it the default last February.

Experts were quick to criticize Yahoo’s lax encryption implementation for its customers, especially in light of the surveillance carried out by the National Security Agency. SSL, the experts said, should be considered a minimum standard and that other technologies such as Perfect Forward Secrecy and HTTP Strict Transport Security should be implemented as well. Sites and services such as Dropbox, Facebook and Twitter already implement both or plan to in 2014 according to the Electronic Frontier Foundation’s 2013 Encrypt the Web report.

A company-by-company breakdown of requests for the first half of 2013 is as follows:

  • Microsoft:  FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 15,000-15,999; FISA non-content requests 0-999; accounts impacted by FISA non-content requests 0-999; National Security Letters non-content orders 0-999; accounts impacted by National Security Letters non-content orders 0-999.
  • Yahoo: FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 30,000-30,999; FISA non-content requests 0-999; accounts impacted by FISA non-content requests 0-999; National Security Letters requests 0-999; accounts impacted by National Security Letters requests 0-999.
  • Facebook: FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 4,000-4,999; FISA non-content requests 0-999; accounts impacted by FISA non-content requests 0-999; National Security Letters requests 0-999; accounts impacted by National Security Letters requests 0-999.
  • LinkedIn: National Security Letters requests 0-249; accounts impacted by National Security Letter requests 0-249.
  • Google: FISA orders seeking content 0-999; accounts impacted by FISA orders seeking content 9,000-9,999; FISA non-content requests 0-999; accounts impacted by FISA non-content orders 0-999;

PNG Image Metadata Leading to iFrame Injections

Tue, 02/04/2014 - 16:25

Researchers have discovered a relatively new way to distribute malware that relies on reading obfuscated JavaScript code stored in a PNG file’s metadata to trigger iFrame injections.

The technique makes it highly unlikely a virus scanner would catch it, because the injected code is so deeply ingrained in the image’s metadata.

Peter Gramantik, a malware researcher at Sucuri, described his findings in a blog post Monday.

This particular iFrame calls upon a simple JavaScript file, jquery.js (below), that loads a PNG file, dron.png. Gramantik notes that there was nothing overtly odd about the file itself, which was a basic image file; what caught him off guard was stumbling upon a decoding loop in the JavaScript. It is in this code, in the strData variable, that he found the meat and potatoes of the attack.

The iFrame calls upon the image’s metadata to do its dirty work, placing the frame outside the browser’s normal viewing area, off the screen entirely at -1000px, according to Gramantik. While users can’t see the iFrame, “the browser itself sees it and so does Google,” something that could lead to either a drive-by download attack or a search engine poisoning attack.

The payload can be seen in the elm.src part (above) of the data: A suspicious-looking, Russian website that according to a Google Safe Browsing advisory is hosting two Trojans and has infected 1,000-plus domains over the last 90 days.

The strategy isn’t exactly new; Mario Heiderich, a researcher and pen tester at the German firm Cure53, warned that image binaries in JavaScript could be used to hide malicious payloads in his “JavaScript from Hell” conference talk back in 2009.

Similarly, Saumil Shah, the CEO at Net-Square, described how to embed exploits in grayscale images by inserting code into pixel data in his talk “Deadly Pixels” at NoSuchCon in Paris last year and at DeepSec in Vienna the year before that.

Still, Gramantik’s find appears to be the most thoroughly worked-out example to date of an attack using this vector.

Regardless of how new or old the concept is, Gramantik stresses that it could still be refined and extended to other image formats. For that reason, the researcher recommends that IT administrators get a better understanding of which files are being added to and modified on their servers.

“Most scanners today will not decode the meta in the image, they would stop at the JavaScript that is being loaded, but they won’t follow the cookie trail,” Gramantik warns in the blog.
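A scanner that does decode the image’s text metadata, added here as an example (this is not Sucuri’s code and not from Gramantik’s post): it walks the PNG chunk stream, verifies each chunk’s CRC, pulls out tEXt chunks and flags comment text that contains script fragments or the kind of large negative CSS offset used to park an iFrame off screen. The chunk layout follows the PNG specification; the indicator list, the regular expression and the constructed sample image are this example’s own assumptions.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"regexp"
	"strings"
)

// Finding is one tEXt chunk whose content looks like script rather than a comment.
type Finding struct{ Keyword, Indicator string }

// Fragments with no business in an image comment (this example's own list, lower-case).
var jsIndicators = []string{"<iframe", "document.createelement", "document.write", "eval(", "fromcharcode", ".src="}

// CSS that parks an element far outside the viewport, as with the -1000px iFrame.
var offscreenRe = regexp.MustCompile(`(?i)(left|top)\s*[:=]\s*["']?-\d{3,}px`)

var pngSignature = []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}

// readChunks walks the length/type/data/CRC stream and returns each chunk as
// type+data bytes; the CRC covers exactly those bytes, not the length.
func readChunks(png []byte) ([][]byte, error) {
	if !bytes.HasPrefix(png, pngSignature) {
		return nil, fmt.Errorf("not a PNG: bad signature")
	}
	var chunks [][]byte
	for p := len(pngSignature); p < len(png); {
		if len(png)-p < 12 {
			return nil, fmt.Errorf("truncated chunk header at offset %d", p)
		}
		n := int(binary.BigEndian.Uint32(png[p:]))
		if len(png)-p < 12+n {
			return nil, fmt.Errorf("truncated chunk data at offset %d", p)
		}
		raw := png[p+4 : p+8+n] // type + data
		if crc32.ChecksumIEEE(raw) != binary.BigEndian.Uint32(png[p+8+n:]) {
			return nil, fmt.Errorf("chunk %s: CRC mismatch", raw[:4])
		}
		chunks = append(chunks, raw)
		p += 12 + n
	}
	return chunks, nil
}

// ScanPNG inspects every tEXt chunk (keyword NUL text) for script-like content.
// zTXt and iTXt carry the same kind of text zlib-compressed and would be inflated first.
func ScanPNG(png []byte) ([]Finding, error) {
	chunks, err := readChunks(png)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	for _, c := range chunks {
		parts := bytes.SplitN(c[4:], []byte{0}, 2)
		if string(c[:4]) != "tEXt" || len(parts) != 2 {
			continue
		}
		keyword, text := string(parts[0]), string(parts[1])
		for _, ind := range jsIndicators {
			if strings.Contains(strings.ToLower(text), ind) {
				findings = append(findings, Finding{keyword, ind})
				break
			}
		}
		if m := offscreenRe.FindString(text); m != "" {
			findings = append(findings, Finding{keyword, m})
		}
	}
	return findings, nil
}

// chunkBytes encodes one chunk as length, type, data, CRC32(type+data).
func chunkBytes(typ string, data []byte) []byte {
	raw := append([]byte(typ), data...)
	out := make([]byte, 12+len(data))
	binary.BigEndian.PutUint32(out, uint32(len(data)))
	copy(out[4:], raw)
	binary.BigEndian.PutUint32(out[8+len(data):], crc32.ChecksumIEEE(raw))
	return out
}

// BuildTestPNG assembles a constructed 1x1 greyscale PNG header with one tEXt
// comment and no pixel data (the scanner never decodes pixels).
func BuildTestPNG(comment string) []byte {
	ihdr := make([]byte, 13) // width 1, height 1, bit depth 8, colour type 0, rest zero
	binary.BigEndian.PutUint32(ihdr[0:], 1)
	binary.BigEndian.PutUint32(ihdr[4:], 1)
	ihdr[8] = 8
	png := append([]byte{}, pngSignature...)
	png = append(png, chunkBytes("IHDR", ihdr)...)
	png = append(png, chunkBytes("tEXt", append([]byte("Comment\x00"), comment...))...)
	return append(png, chunkBytes("IEND", nil)...)
}

func main() {
	findings, err := ScanPNG(BuildTestPNG(`var e=document.createElement("iframe");e.style.left="-1000px";`))
	fmt.Println(findings, err)
}
```

Run on a real upload the same way: read the file, pass it to ScanPNG, and treat any Finding as a reason to quarantine the image for a human look. The indicator list is deliberately narrow; the point is that the text has been decoded at all, which is the step Gramantik says scanners skip.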

Steganography, the science of hiding messages, often by concealing them in image and media files, has been used in several high-profile attacks in the past. The actors behind the MiniDuke campaign in 2013 used it to hide custom backdoor code, while Shady RAT was found in 2011 encoding encrypted HTML commands into images to obscure its activity.

Emergency Adobe Update Patches Flash Zero-Day

Tue, 02/04/2014 - 15:21

Adobe today released an out-of-band security update for Flash Player that patches a vulnerability the company said is currently being exploited.

Adobe Flash Player version and earlier for Windows and Mac are affected as is and earlier on Linux.

The vulnerability, CVE-2014-0497, allows an attacker to remotely inject code and take control of the underlying system hosting Flash.

A complete rundown of updates in the Adobe advisory:

  • Users of Adobe Flash Player and earlier versions for Windows and Macintosh should update to Adobe Flash Player
  • Users of Adobe Flash Player and earlier versions for Linux should update to Adobe Flash Player
  • Adobe Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player for Windows, Macintosh and Linux.
  • Adobe Flash Player installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player for Windows 8.0.
  • Adobe Flash Player installed with Internet Explorer 11 will automatically be updated to the latest Internet Explorer 11 version, which will include Adobe Flash Player for Windows 8.1.

The vulnerability was reported by Kaspersky Lab researchers Alexander Polyakov and Anton Ivanov.

Researchers from the company’s Global Research and Analysis Team yesterday said details on a new advanced espionage campaign called The Mask will be unveiled next week at the company’s Security Analyst Summit. A post on the Securelist blog said The Mask was above Duqu in terms of sophistication and is one of the most advanced threats in the wild.

“The Mask is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customized attack against Kaspersky products,” the blog post said.

Facebook Releases to Open Source its Conceal Android Crypto Library

Tue, 02/04/2014 - 13:25

Facebook has released to open source its Conceal Java crypto libraries for Android devices.

Conceal, according to Facebook, offers developers a lightweight and efficient crypto library. The social media giant developed Conceal to handle encryption of data stored on removable SD cards, an operation that otherwise has a negative performance impact on mobile devices, the company said. SD card storage also isn’t ideal from a security standpoint, because Android treats the card as a publicly accessible directory that any mobile app can read if granted the appropriate permission.

“We saw an opportunity to do things better and decided to encrypt the private data that we stored on the SD card so that it would not be accessible to other apps,” Facebook said in a post. “We created Conceal to be small and faster than existing Java crypto libraries on Android while using memory responsibly.”

Conceal, however, isn’t flexible: it offers developers default options only, rather than the full range of encryption algorithms other libraries provide.

“We think this makes sense because encryption can be very tricky to get right,” Facebook said.

Developers will note that Conceal has been released under a BSD license that allows it to be modified. Facebook built Conceal from parts of the OpenSSL crypto library, rather than shipping the whole OpenSSL library, to keep file sizes to a minimum.

“We believe providing a smaller library will reduce the friction of adopting state of the art encryption algorithms, make it easier to handle different Android platform versions, and enable us to quickly incorporate fixes for any security vulnerabilities in OpenSSL as well,” Facebook said.

“As is true with many crypto libraries, higher-level wrappers that can offer sane cipher suites and modes are extremely valuable to the developer community,” said Jon Oberheide, CTO at Duo Security. “Developers aren’t (and shouldn’t be) experts in cryptography, so preventing them from shooting themselves in the foot with libraries like Conceal is a very welcome development and boost for mobile app security.”

Conceal uses AES in Galois/Counter Mode (AES-GCM), an authenticated encryption mode which, in addition to encrypting data, simultaneously computes a message authentication code (MAC) over it. Because Android devices are limited by their hardware, computing AES and a MAC separately is inefficient, Facebook said, adding that the common pattern is to encrypt the data with AES and then compute a MAC over it with an algorithm such as HMAC.

“We found that computing an HMAC takes significant time in the encryption of data,” Facebook said in explaining its decision to go with AES-GCM.

Facebook said that this abstraction also gets around known vulnerabilities in the Android random number generator.

“Specifically, Conceal provides default implementations of key management and stores the key in private SharedPreferences by default,” Facebook said. “It also performs authenticated versioning of the encryption libraries so that if we change the encryption algorithms we use in the future, we can retain both compatibility with previously encrypted data and resistance against cross version attacks.”
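The two constructions the article contrasts, side by side, as an added example (this is not Conceal’s code; the blob layout, the use of a version byte as associated data, and the constructed key are this example’s own choices). AES-GCM seals and authenticates in one pass, while the older pattern runs AES-CTR and then a second HMAC-SHA256 pass over the ciphertext. Both variants bind a format version into the tag, which is the “cross version” property Facebook describes: a blob written under one version is rejected when presented as another.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Blob layout shared by both schemes (this example's own, not Conceal's format):
//   version || nonce-or-IV || ciphertext || tag
// The version byte is covered by the authentication tag, so a blob written under
// one format version cannot be passed off as another.

// SealGCM encrypts and authenticates in a single AES-GCM pass. The version byte
// goes in as associated data: authenticated, but not encrypted.
func SealGCM(key []byte, version byte, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random nonce per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	header := append([]byte{version}, nonce...)
	return aead.Seal(header, nonce, plaintext, []byte{version}), nil
}

// OpenGCM fails closed on any change to the version byte, nonce, ciphertext or tag.
func OpenGCM(key []byte, version byte, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < 1+ns+aead.Overhead() || blob[0] != version {
		return nil, errors.New("blob too short or wrong format version")
	}
	return aead.Open(nil, blob[1:1+ns], blob[1+ns:], []byte{version})
}

// SealCTRThenHMAC is the two-pass construction the article contrasts with GCM:
// AES-CTR for confidentiality, then HMAC-SHA256 over version || IV || ciphertext
// (encrypt-then-MAC, with separate keys for the two jobs).
func SealCTRThenHMAC(encKey, macKey []byte, version byte, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, iv).XORKeyStream(ct, plaintext)
	msg := append(append([]byte{version}, iv...), ct...)
	mac := hmac.New(sha256.New, macKey)
	mac.Write(msg)
	return mac.Sum(msg), nil // the second pass over the data, which is the cost Facebook measured
}

// OpenCTRThenHMAC checks the tag in constant time before any decryption happens.
func OpenCTRThenHMAC(encKey, macKey []byte, version byte, blob []byte) ([]byte, error) {
	if len(blob) < 1+aes.BlockSize+sha256.Size {
		return nil, errors.New("blob too short")
	}
	msg, tag := blob[:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(msg)
	if !hmac.Equal(mac.Sum(nil), tag) || msg[0] != version {
		return nil, errors.New("authentication failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(msg)-1-aes.BlockSize)
	cipher.NewCTR(block, msg[1:1+aes.BlockSize]).XORKeyStream(pt, msg[1+aes.BlockSize:])
	return pt, nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed 256-bit key; real code loads it from a keystore
	blob, _ := SealGCM(key, 1, []byte("private data"))
	blob[len(blob)-1] ^= 1 // flip one bit of the tag
	_, err := OpenGCM(key, 1, blob)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

The GCM path never hands back plaintext from a blob whose tag does not verify, so a caller cannot be tricked into consuming data that was altered on the SD card; the CTR-then-HMAC path gets the same guarantee only because the MAC is checked first and with hmac.Equal, and it pays for it with a second pass over every byte.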

Chrome Web Store Beset by Spammy Extensions

Tue, 02/04/2014 - 12:57

UPDATE: Twelve seemingly legitimate Chrome browser extensions, installed by more than 180,000 users, are injecting advertisements on 44 popular websites.

According to a Barracuda Labs report, the extensions can be found in the official Chrome Web Store. They advertise themselves and operate as games but also require permission to access “your data on all websites,” so that they can inject advertisements into the user’s browser on any website that person visits. All of the allegedly spammy extensions are registered to the same developer organization: www.konplayer[.]com.

Threatpost attempted to reach out to the people responsible for developing the extensions but was not able to. It appears that some of Konplayer’s extensions have been removed from the Chrome Web Store.

You can see a list of affected websites in the following graphic:

The malicious JavaScript responsible for injecting advertisements isn’t contained directly within the extensions themselves. Instead, the extensions contain a reference URL to www[.]chromeadserver[.]com, which contains the malicious JavaScript. As Barracuda Labs research scientist Jason Ding notes, that domain is made to appear as if it is owned and operated by Google but, of course, it is not.

Barracuda Labs then downloaded and decoded the JavaScript hosted at the URL referenced above. At first the code seemed benign, but a closer examination revealed that it injects banner advertisements into empty spaces at various positions on popular websites visited by users who had installed one of the spam extensions.

In an interview with Threatpost, Ding explained that the permissions sought by these extensions are unnecessary given the extensions’ actual purpose. Furthermore, the extensions violate Google’s terms of service because they mislead users about their purpose. Unfortunately, Ding says, Google does not have a good way of policing spam in its Web Store.

“If an extension advertises itself as a game, it should NOT ask for any extra permissions,” Ding told Threatpost. “In most cases, it only need to redirect users to the targeted game websites (which has the game or more games). Or it can ask for the permission for a specific website that the game was hosted at, not the permission ‘Access to data on all website’.”

Ding continued:

“Some other extensions do need the ‘Access to data on all website’ permission, such as the Ads Block extension: of course, it need such permission, so it can remove ads (html elements) for all the websites you are browsing.”
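What Ding is describing is visible in an extension’s manifest. The following is an added example, not from the Barracuda report and not the manifest of any Konplayer extension: two constructed manifest.json files for a hypothetical game, one asking for every site and one scoped to the single host that serves the game, plus a small audit that lists the patterns responsible for the “access your data on all websites” prompt. The host name is a placeholder; the rule that a host part of “*” or the <all_urls> keyword triggers the all-sites warning is Chrome’s documented match-pattern behaviour.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Two constructed manifests (manifest_version 2, current in early 2014). The host
// name is a placeholder, not one of the extensions from the Barracuda report.
// The weak one is a "game" that asks for every site, which is what produces the
// "Access your data on all websites" prompt Ding objects to.
const weakManifest = `{
  "name": "Fun Puzzle Game",
  "version": "1.0",
  "manifest_version": 2,
  "permissions": ["http://*/*", "https://*/*", "storage"],
  "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["inject.js"]}]
}`

// The scoped one asks only for the host that serves the game.
const scopedManifest = `{
  "name": "Fun Puzzle Game",
  "version": "1.1",
  "manifest_version": 2,
  "permissions": ["https://games.example-host.invalid/*", "storage"],
  "content_scripts": [{"matches": ["https://games.example-host.invalid/*"], "js": ["game.js"]}]
}`

type manifest struct {
	Name           string   `json:"name"`
	Permissions    []string `json:"permissions"`
	ContentScripts []struct {
		Matches []string `json:"matches"`
	} `json:"content_scripts"`
}

// isAllSites reports whether a Chrome match pattern covers every host: either the
// <all_urls> keyword or a pattern whose host part is a bare "*".
func isAllSites(pattern string) bool {
	if pattern == "<all_urls>" {
		return true
	}
	i := strings.Index(pattern, "://")
	if i < 0 {
		return false // a named API permission such as "storage", not a host pattern
	}
	host := pattern[i+3:]
	if j := strings.Index(host, "/"); j >= 0 {
		host = host[:j]
	}
	return host == "*"
}

// AuditManifest lists, without duplicates, every pattern in permissions or
// content_scripts that would grant the extension access to all websites.
func AuditManifest(raw string) ([]string, error) {
	var m manifest
	if err := json.Unmarshal([]byte(raw), &m); err != nil {
		return nil, err
	}
	seen := map[string]bool{}
	var overbroad []string
	note := func(p string) {
		if isAllSites(p) && !seen[p] {
			seen[p] = true
			overbroad = append(overbroad, p)
		}
	}
	for _, p := range m.Permissions {
		note(p)
	}
	for _, cs := range m.ContentScripts {
		for _, p := range cs.Matches {
			note(p)
		}
	}
	return overbroad, nil
}

func main() {
	for _, raw := range []string{weakManifest, scopedManifest} {
		over, err := AuditManifest(raw)
		fmt.Println(over, err)
	}
}
```

Content script match patterns count as much as the permissions array: a script injected into every page is what lets an extension rewrite ad slots, so an audit that reads only "permissions" would miss half the story.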

The code used by these extensions is similar to the code used by a group of scammers examined in a prior report issued by Barracuda Labs. Ding believes that the group responsible for Konplayer[.]com is the same group that once distributed their malicious extensions from

The graph below contains the names of the allegedly malicious extensions:

GameOver Zeus Now Using Encryption to Bypass Detection

Mon, 02/03/2014 - 18:28

Cybercriminals have begun to tweak the way the GameOver Zeus Trojan is being delivered to users’ machines, making it easier for the banking malware to evade detection and steal victims’ credentials.

To get the job done, GameOver Zeus has been working in tandem with the Upatre downloader malware.

For about a week now, criminals have been changing the .exe files Upatre downloads to non-executable .enc files. According to a computer forensics expert, this is how the malware, which spreads via spam e-mails and malicious attachments, avoids being spotted by firewalls, Web filters and other security defenses.

Gary Warner, a director of research in computer forensics at the University of Alabama at Birmingham posted about the trick and included a handful of spam email examples on his Cybercrime & Doing Time blog yesterday.

The file, while encrypted, can still be executed after a user opens a .zip file (found in spam e-mail attachments), which sets off a domino effect that ends with the GameOver Zeus file being downloaded.

The contents of the .zip file download the .enc file from the internet and decrypt it, “placing it in a new location with a new file name, and then causing it both to execute and to be scheduled to execute in the future,” Warner says.

Because .enc files aren’t inherently malicious, none of the 50 security programs at VirusTotal, Google’s free detection service, currently flag attachments carrying them as such.

Warner noticed the trend when a colleague, Brendan Griffin, a malware analyst at the firm Malcovery, sent along a series of spam messages spreading the malware, some purporting to come from the Better Business Bureau, Skype and the IRS, among other organizations.

The behavior has continued consistently since then, and Warner stresses that the two spam campaigns, GameOver and Upatre, are still closely related and are still being powered by the Cutwail botnet.

Spam emails spreading GameOver, a variant of the Zeus malware, have been making the rounds for two years or so. The FBI initially sounded the alarm over bogus emails from the FDIC and NACHA carrying it in 2012, and shortly thereafter the Trojan leveraged the Cutwail botnet to spread the spam messages further.

According to Boldizsár Bencsáth, a researcher at Hungary’s CrySys Lab who helped with Warner’s research, the .enc file is technically compressed and then XOR’ed with a 32-bit key; Upatre reverses the process, recreating the .exe file.

Upatre is malware that popped up last year and was studied extensively by Microsoft and Dell SecureWorks. It is used primarily to download other malware and, like GameOver, is also spread mainly via spam.

Bencsáth notes on CrySys’s blog that while the droppers sent out via spam emails are small, he found a small (5k) downloader that can connect to a server, download the .enc file, decrypt and decompress it, and execute the result, which is GameOver.

In addition to Bencsáth, Warner also gives a tip of the hat to GoDaddy’s William MacArthur and Dell SecureWorks’ Brett Stone-Gross, who also assisted in the research.

Last fall, Microsoft noticed the Cutwail botnet distributing Upatre malware via spam and through exploit kits targeting Java and PDF vulnerabilities to the tune of over one million reported infections, a colossal spike over statistics from prior months.

Pwn2Own Paying $150,000 Grand Prize for Microsoft EMET Bypass

Mon, 02/03/2014 - 13:53

Microsoft has not been shy in the past nine months about advising users to install and use its Enhanced Mitigation Experience Toolkit (EMET) as a temporary mitigation until zero-day vulnerabilities are patched.

Experts have advised enterprises and smaller organizations to deploy EMET as a proactive security measure; Microsoft has recommended it in response to a number of recent attacks, including an XP zero-day and another previously unreported vulnerability in Internet Explorer that was abused in watering hole attacks against a number of NGOs.

The tables, however, are about to be turned on EMET. At the upcoming CanSecWest Conference, the popular Pwn2Own contest will include a category that tests the mettle of EMET. Contest sponsor HP announced late last week a $150,000 grand prize for anyone able to bypass EMET’s mitigations on a Windows 8.1 machine running Internet Explorer 11.

“We’re hunting the Exploit Unicorn – not because we think there are a lot of researchers out there who can capture it, but because we think there aren’t,” said HP senior security content developer Angela Gunn.

EMET is a mitigation technology that puts up obstacles hackers must clear in order to exploit a vulnerability, including existing mitigations such as ASLR and DEP; EMET forces applications to use these mitigations, which are native to Windows. More recently, Microsoft added to EMET 4.0 a certificate pinning feature called Certificate Trust, which wards off man-in-the-middle attacks, as well as mitigations that address return-oriented programming.

“With EMET carrying that kind of burden of protection, researchers are getting more interested in testing its limits, and our grand prize reflects that,” Gunn said. “We may not have any successful contestants, but security researchers thrive on insanely difficult challenges; we’re excited to provide one.”

Gunn said that to win the grand prize, contestants must, in addition to breaking EMET, break out of the Internet Explorer sandbox and then find new vulnerabilities in Windows that let them view system information, change data and control its behavior, before moving on to EMET.

In 2012, a researcher beat EMET with a pair of techniques; the mitigation bypass was one of the finalists in the first BlueHat Prize, a competition sponsored by Microsoft to encourage researchers to attack a defensive technology rather than beat a vulnerability brought on by poor coding.

The first BlueHat Prize of $200,000 was paid out at the 2012 Black Hat Briefings to Vasilis Pappas for his kBouncer ROP mitigation, which beat out two other ROP submissions. Pappas’ kBouncer uses the kernel to enforce restrictions on what processes can do and prevents anything that looks like return-oriented programming from running.

Last October, Microsoft paid out a $100,000 prize to British researcher James Forshaw for a bypass of Windows memory protections, the second major bounty coming out of Redmond for a mitigation bypass.

The Exploit Unicorn is just one phase of the Pwn2Own contest. HP’s Zero Day Initiative announced the rules and prizes last week, revealing there will be three divisions for the competition: browsers, plug-ins and the grand prize.

Payouts in the browser competition are: $100,000 for Google Chrome on Windows 8.1, 64-bit, and Microsoft Internet Explorer 11 on Windows 8.1 64-bit; $65,000 for Apple Safari on OS X Mavericks; and $50,000 for Mozilla Firefox on Windows 8.1 64-bit.

In the plug-ins competition: payouts are $75,000 for Adobe Reader running in Internet Explorer 11 on Windows 8.1 64-bit and Adobe Flash running in Internet Explorer 11 on Windows 8.1 64-bit; and $30,000 for Oracle Java running in Internet Explorer 11 on Windows 8.1 64-bit.

Chrome Pop-Up to Warn Windows Users of Browser Hijacking

Mon, 02/03/2014 - 12:13

A rising number of online scams involve modifying browser settings: a hacker spikes a free download or website with malware, and the end result is generally a click-fraud scheme of some kind, where the new browser settings might include spiked search engine pages or a new home page enticing the user to click on a link from which the attacker profits.

Google says hijacked settings are Chrome users’ No. 1 complaint, and late last week it enhanced an existing feature in the browser to get a little more in your face about fending off hijacking attempts.

Vice president of engineering Linus Upson said from now on, Windows users will be prompted via a dialog box that appears if Chrome settings have been changed. The warning will ask users if they would like to reset their Chrome settings to their original default.

“You should always be in charge of your own Chrome settings,” Upson said.

The up-front warning extends a feature Google added to Chrome in October, which buried the reset option on a settings page.

Google explained in October that its motivation for the reset option was an increase in malware being bundled with software such as video plug-ins, toolbars, or even in more serious instances, alleged security updates.

“These malicious programs disguise themselves so you won’t know they’re there and they may change your homepage or inject ads into the sites you browse,” Upson wrote in October. “Worse, they block your ability to change your settings back and make themselves hard to uninstall, keeping you trapped in an undesired state.”

The reset button was originally placed in the Advanced Settings section of the Chrome settings and was part of a Halloween day update to the browser.

Upson said, however, that users in Google help forums and other feedback mechanisms were complaining that the problem was not abating. The main problem, Upson said last week, was the persistence of these attacks.

“Some hijackers are especially pernicious and have left behind processes that are meant to undermine user control of settings,” Upson said. “So you may find that you’re hijacked again after a short period of time.”

While restoring Chrome settings to essentially factory defaults will wipe away the malicious entries placed there by the hacker, it will also disable any desired customizations. Extensions, apps and themes a user may have installed on Chrome will become deactivated. They are not uninstalled, however, and can be re-enabled via the Chrome menu under Tools and Extensions, Upson said.

Scammers Using World Cup as Phishing Lure

Mon, 02/03/2014 - 11:55

The World Cup is still four months away, but attackers already are ramping up their efforts to defraud fans. As with most major events, such as the Super Bowl, the Olympics and others, attackers are using fans’ enthusiasm for the event as a lure to separate them from their money.

When a major event like the World Cup is on the calendar, scammers typically will register rafts of domain names with some reference to the event and use them to attract victims for a variety of scams. The most recent evidence of this trend is a bunch of scams targeting Brazilian soccer fans looking for tickets for the World Cup, which will be held in Brazil this summer. Researchers at Kaspersky Lab have been tracking these schemes and identified a number of fraudulent domains attackers are using to entice victims to cough up their personal data and some money in exchange for cheap or free tickets, which of course don’t exist.

“The attacks start when a user does a simple search on Google, looking for websites selling World Cup tickets. Bad guys registered the fraudulent domain that is displayed among the first results as a sponsored link,” Fabio Assolini, a Kaspersky Lab researcher in Brazil wrote in an analysis of some recent attacks he’s tracking.

“Kaspersky products are blocking several fraudulent domains daily; all of them are using the theme of the World Cup. Such attacks are focused totally on Brazilian users and the messages generally use the names of local credit card, banks, and big stores, etc. Phishing messages with fraudulent giveaways are getting common as well – some offering free tickets, cash, or even free travel.”

In order to get their non-existent free or discounted tickets, victims need to give up their personal information, such as name, address, birth date and credit-card data. Researchers have been seeing World Cup-themed attacks for nearly a year now, and the lures have been pretty consistent over time. Back in March 2013, Assolini was looking at some similar attacks that were phishing Brazilian soccer fans.

“Offers range from alleged cash prizes, trips and tickets to watch the games, while the attacks involve massive phishing mailings, and, to add spurious credibility, stars of the national soccer team have been ‘signed up’ by the conmen. Here’s one example featuring Neymar, the latest Brazilian hero to be dubbed the new Pelé,” Assolini wrote at the time.

As with most of these schemes that are pegged to a major sporting event, it’s always safer to buy tickets from the official site rather than any brokers or third parties.

DailyMotion Still Infected, Serving Fake AV Malware

Fri, 01/31/2014 - 16:07

More than three weeks after notifying video-sharing site DailyMotion that it was compromised, security company Invincea reports the popular website is still infected.

A spokesperson told Threatpost that Invincea’s original notification was never acknowledged, and the company suspects this is a continuation of the same attack and that the site was never cleaned up.

Invincea said it has again notified DailyMotion, which is the 96th most popular destination on the Internet according to Alexa. The site allows users to upload and share videos.

The attack was originally reported Jan. 7 when malicious ads were discovered on the site. Those ads were redirecting visitors to a fake AV scam. Invincea said today that the same threat is happening on the site.

A video on the security firm’s website, below, demonstrates what happens to a site visitor. Landing on the DailyMotion homepage, a visitor is presented with a dialog box warning the user that “Microsoft Antivirus” found a problem on the victim’s computer and that it needs to be cleaned. A list of potential problems is shown next and the user is enticed to run an executable pretending to be security software.

A report from Invincea shows a number of files written to the compromised computer were launched and stored in order to maintain persistence at startup. It also shows the computer communicating out to servers in the United States and Romania.

In its original advisory on Jan. 7, Invincea said that the malicious ads redirect to a third-party domain in Poland called webantivirusprorh[.]pl (93[.]115[.]82[.]246). According to VirusTotal, 10 of 47 antivirus products detect the threat; most detect it as a variant of the Graftor Trojan. The initial redirect, Invincea said, is loaded via engine[.]adzerk[.]net.

With fake AV scams, victims are tricked into installing what they think is security software but is instead malware. They’re then informed they must purchase a subscription of some kind in order to clean the computer of the infection.

Other scams, such as ransomware infections, build off this same premise but are much more sinister in that they use harsher tricks to get the user to install the malware. Some ransomware attacks lock down computers and inform the user that their machine has been taken over by law enforcement because of some illicit activity online, and that the victim must pay a ransom to get the computer unlocked.

Malicious advertising, also known as malvertising, is becoming a common attack vector for spreading fake AV, ransomware and other malware, redirecting victims to exploit kits. One such campaign was uncovered in September, in which sites including the Los Angeles Times, Women’s Health magazine and others were hosting ads serving malware. Malicious iframes redirected victims to the Blackhole Exploit Kit; Blackhole has since disappeared from the black market after the arrest of its alleged creator, a Russian hacker known as Paunch.

At the Black Hat Briefings last summer, WhiteHat Security researchers demonstrated how to use online advertising networks to distribute JavaScript and build the equivalent of a botnet that could be used to crash webservers or distribute malicious code.

Boasting Better Encryption, Bug Fixes, OpenSSH 6.5 Released

Fri, 01/31/2014 - 14:07

The OpenBSD Project pushed out a new release of OpenSSH on Thursday, adding a new private key format and a new transport cipher and fixing 15 bugs in the Secure Shell suite.

OpenSSH version 6.5 adds support for key exchange using elliptic-curve Diffie-Hellman over cryptographer Daniel Bernstein’s Curve25519. This exchange, which uses 32-byte secret keys, will now be the default when both the client and server support it.

Many encryption implementations are suspect after alleged subversion of widely used algorithms by the National Security Agency. Documents disclosed by NSA whistleblower Edward Snowden indicate the NSA inserted weakened crypto algorithms into NIST standards. The most flagrant may be Dual EC DRBG, the random number generator used by a number of commercial products including RSA BSafe; RSA Security and NIST have warned developers to move off the algorithm.

Additionally, according to the release notes, 6.5 adds support for the Ed25519 elliptic-curve signature scheme, which offers better security than the Digital Signature Algorithm (DSA) and its elliptic-curve variant, ECDSA.

The new OpenSSH build is also set up to refuse old clients and servers that use a weaker key exchange hash calculation, including dated RSA keys from clients and servers “that use the obsolete RSA+MD5 signature scheme.”

The MD5 algorithm has been broken for so long that it is no longer a real obstacle to attackers. It was last famously exploited in 2012, in an attack in which the Flame malware forged a certificate from Microsoft.

OpenSSH will refuse connection entirely with anyone using these old clients or servers in a future build, but for the meantime will allow DSA keys.

A new transport cipher – – based on algorithms devised by Bernstein (ChaCha20 and the Poly1305 MAC) is also present in the update. Initially committed by OpenSSH developer Damien Miller back in November to replace the increasingly weak RC4, the cipher should allow for better encryption going forward.

ChaCha, a variant of the stream cipher Salsa20, has been called faster in low-level implementations and more secure than its alternatives, and has won the confidence of cryptographers in the last few years.

A new private key format that uses bcrypt as its key derivation method, “to better protect keys at rest,” has also been added to the latest OpenSSH.

Developers are calling 6.5 a “feature-focused release” and urging those who use it to update as soon as they can.

Those looking for a full rundown of the fixes and further information about 6.5’s new features can check out the release notes here.

Chewbacca Point-of-Sale Malware Campaign Found in 10 Countries

Fri, 01/31/2014 - 12:14

Before you think that RAM scraper malware was a phenomenon specific to the Target breach, think again. A four-month-long crime spree targeting point-of-sale systems in a number of industries has been discovered; the campaign, however, is not related to the mammoth Target break-in or other recently reported hacks at Neiman Marcus or Michaels.

The malware in question is the privately sold Chewbacca Trojan, which is a two-pronged threat that uses the Tor anonymity network to hide its communication with the attackers’ command and control infrastructure. Chewbacca not only infects point-of-sale terminals with the RAM scraping malware in order to steal payment card data before it is encrypted, but also drops keylogging software onto compromised systems.

Researchers at RSA Security discovered the criminal campaign and say they have found malware samples used in 10 countries, primarily in the United States and the Russian Federation. Will Gragido, senior manager at RSA FirstWatch, the company’s research arm, said the command and control server they intercepted has been taken offline, likely by its Ukrainian handlers rather than law enforcement, putting a halt to the campaign. Gragido said the criminals had their hands on 49,330 credit card numbers, and there were 24 million transaction records on the attackers’ server.

“It’s actually a mixture of industries that have been hit: some broadband providers were impacted, retailers, supermarkets, gas stations, and other associated businesses,” Gragido said. “It’s a sloppily put-together piece of code; it’s not the most sophisticated code, but it seems effective.”

The original Chewbacca samples were found in October and reported by Kaspersky Lab’s Global Research and Analysis Team in December. While the original attack vector is not yet understood, Chewbacca’s behaviors are fairly self-evident. Chewbacca finds running processes on compromised computers, reads process memory, drops a keylogger and is able to move that information off of infected machines, said Marco Preuss, director of research for Kaspersky Lab in Europe.

The malware is a PE32 executable compiled with Free Pascal 2.7.1; its 5 MB file includes the Tor executable, which the malware uses to carry data and communication between infected POS terminals and the attackers’ servers. Once executed, Chewbacca drops itself as spoolsv.exe into the victim machine’s startup folder, then launches its keylogger and stores all keystrokes in a log file created by the malware, Preuss said. Spoolsv.exe is the same name used by the Windows Print Spooler service; the malware borrows the name so it blends into the startup process and maintains persistence.
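A defender-side check for the persistence trick described above, added here as an example that is not from the article or from RSA or Kaspersky: it flags executables in a Startup folder that carry a Windows system-binary name, since the genuine spoolsv.exe lives in System32 and has no business in a Startup directory. The Startup folder and the files in it are constructed inline for illustration.

```python
"""Flag Startup-folder executables that borrow a Windows system-binary name."""
import os
import struct
import tempfile

# Legitimate Windows service binaries whose names malware often borrows.
# spoolsv.exe is the name the article reports; the others are well-known
# system binaries that also never belong in a Startup folder.
SYSTEM_BINARY_NAMES = {"spoolsv.exe", "svchost.exe", "lsass.exe"}


def is_pe32(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as fh:
            dos = fh.read(64)
            if len(dos) < 64 or dos[:2] != b"MZ":
                return False
            (e_lfanew,) = struct.unpack_from("<I", dos, 60)
            fh.seek(e_lfanew)
            return fh.read(4) == b"PE\0\0"
    except OSError:
        return False


def scan_startup_dir(startup_dir):
    """Return one finding per file in startup_dir that is named like a system binary."""
    findings = []
    for name in sorted(os.listdir(startup_dir)):
        path = os.path.join(startup_dir, name)
        if os.path.isfile(path) and name.lower() in SYSTEM_BINARY_NAMES:
            findings.append({
                "path": path,
                "name": name.lower(),
                "size": os.path.getsize(path),
                "pe32": is_pe32(path),
            })
    return findings


def build_sample_startup_dir():
    """Constructed sample: a minimal PE stub named spoolsv.exe next to a harmless shortcut."""
    d = tempfile.mkdtemp()
    # MZ header with e_lfanew = 64, immediately followed by the PE signature.
    pe_stub = b"MZ" + b"\0" * 58 + struct.pack("<I", 64) + b"PE\0\0" + b"\0" * 20
    with open(os.path.join(d, "spoolsv.exe"), "wb") as fh:
        fh.write(pe_stub)
    with open(os.path.join(d, "Notes.lnk"), "wb") as fh:
        fh.write(b"not a pe file")
    return d


if __name__ == "__main__":
    for finding in scan_startup_dir(build_sample_startup_dir()):
        print("suspicious startup entry:", finding)
```

On a live host, point scan_startup_dir at the per-user and all-users Startup folders; a PE32 hit named spoolsv.exe there warrants a hash lookup and a look at what the process talks to, given the embedded Tor client.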

Gragido said RSA FirstWatch had infiltrated the attackers’ original command server, which was using a Tor .onion domain for obfuscation.

“We think we caught this campaign early on,” Gragido said. “Chewbacca has not been out there very long. We’ve seen it established in a few small retailers and service providers.”

The Target breach has elevated awareness around point-of-sale malware, in particular RAM scrapers. Target admitted shortly before Christmas that attackers had been on its network and stolen 40 million payment card numbers from infected point-of-sale systems, along with the personal information of 70 million people, putting potentially 110 million at risk for identity theft and fraud.

New details emerged this week on just how burrowed into Target’s network the attackers were. Experts believe the initial compromise was a SQL injection attack that allowed the attackers access to the network. Once there, it’s apparent they took advantage of hard-coded credentials on system management software used by the retailer to set up a control server on the Target network and moved data out in batches.

“We don’t have anything from an evidentiary perspective that this is tied to Target, Neiman Marcus or Michaels,” Gragido said. “The malware is different, the attackers’ MO is different, there’s no common infrastructure or common malware. The gang behind it, we think, is a newer crop of folks with activity in Eastern Europe, but it’s hard to say.”
