Month: November 2014

Hacktivists Get Serious with Remote Code Malware

Security experts are warning of a new hacktivist campaign which goes further than merely defacing websites, by linking to malware which could allow for remote code execution by an attacker.

The group in question claims to be part of the ‘AnonGhostTeam’ collective which has targeted government and mass media sites in the past, Zscaler security researcher Chris Mannon explained in a blog post.

However, unlike those simple defacements, a recent batch of compromised sites contains a malicious link in the defacement message to a “lulz.htm” page. This apparently contains obfuscated JavaScript code which then leads users to a Dokta Chef Exploit Kit (EK) hosting site.

“This appears to be a new tactic whereby a hacktivist group has escalated their activities by attacking users who visit defaced sites,” said Mannon.

“This is out of character for such groups that generally seem more interested in disrupting private sector compliance with government entities, than targeting end users.”

Dokta was serving up a malicious payload for recently disclosed Microsoft vulnerability CVE-2014-6332, which was fixed earlier this month with bulletin MS14-064.

This can cause remote code execution if the victim visits a specially crafted webpage using Internet Explorer. The flaw is triggered when IE improperly accesses Object Linking and Embedding (OLE) objects in memory, Mannon explained.

The attackers are focusing only on 32-bit Windows users running IE: the exploit code is written to abort if it detects that the machine is not running IE on Windows, or is a 64-bit system.

Source: http://www.infosecurity-magazine.com/news/hacktivists-serious-with-remote/

Syrian Electronic Army attacks high-profile media sites

Western media sites have again been hit by the Syrian Electronic Army hacking group, which breached the popular commenting platform Gigya, resulting in pop-ups appearing on news outlets such as the Independent in the early hours of this morning.

Other sites affected included well-known media properties such as CNBC, The Telegraph, The Chicago Tribune and PC World.

According to Gigya chief executive Patrick Salyer, the hackers managed to alter the whois domain registration record for gigya.com.

The hackers redirected gigya.com by putting it under the control of a different domain name system (DNS) server. This in turn was configured to point the provider's content delivery network hostname, cdn.gigya.com, at a server under the hackers' control, which served up a socialize.js JavaScript file that displayed an alert claiming the site in question had been hacked by the Syrian Electronic Army.
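The substitution described above works because the embedding page trusts whatever cdn.gigya.com currently resolves to. Subresource Integrity (SRI) lets the page pin the hash of the script it expects instead, so a swapped socialize.js fails the browser's check and does not execute. The following is an added Python example, not code from Gigya or the article: the script bodies are constructed stand-ins, the URL path is illustrative, and sri_integrity, sri_verify and script_tag are names chosen here.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the genuine third-party script the publisher would pin.
GOOD_SCRIPT = b"window.gigya = { init: function () { /* genuine library */ } };\n"
# Constructed stand-in for a script served from a hijacked CDN hostname.
TAMPERED_SCRIPT = b"alert('Hacked by the Syrian Electronic Army');\n"

# Digest algorithms the SRI specification allows in an integrity attribute.
SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_integrity(body: bytes, algo: str = "sha384") -> str:
    """Build the value for <script integrity="..."> : '<algo>-<base64 digest of body>'."""
    if algo not in SRI_ALGORITHMS:
        raise ValueError(f"unsupported SRI algorithm: {algo}")
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_verify(body: bytes, integrity: str) -> bool:
    """Mirror the browser's check: recompute the digest of the fetched body and compare it
    to the pinned value. A body served by a hijacked host fails unless it is byte-identical."""
    algo, _, expected = integrity.partition("-")
    if algo not in SRI_ALGORITHMS or not expected:
        return False
    actual = base64.b64encode(hashlib.new(algo, body).digest()).decode("ascii")
    return hmac.compare_digest(actual, expected)


def script_tag(src: str, body: bytes) -> str:
    """Emit the tag a publisher would embed; crossorigin is required for SRI on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_integrity(body)}" '
            f'crossorigin="anonymous"></script>')


if __name__ == "__main__":
    # Illustrative URL; the real path on the CDN is not given on the page.
    print(script_tag("https://cdn.gigya.com/socialize.js", GOOD_SCRIPT))
    print("genuine body accepted:", sri_verify(GOOD_SCRIPT, sri_integrity(GOOD_SCRIPT)))
    print("swapped body accepted:", sri_verify(TAMPERED_SCRIPT, sri_integrity(GOOD_SCRIPT)))
```

The caveat is that SRI only fits scripts the provider treats as immutable; a CDN that silently updates socialize.js would break every page that pinned the old hash.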

Salyer insisted that this was the only consequence of the hacking and that no data of any kind had been compromised, and that the Gigya platform itself was safe.

Gigya has rectified the incorrect whois record, and the correct DNS pointers are now propagating through the worldwide lookup system.

The Syrian Electronic Army is a little-known group of hackers, possibly affiliated with the regime of the country’s dictator Bashar al-Assad.

Source: http://www.itnews.com.au/News/398312,syrian-electronic-army-attacks-high-profile-media-sites.aspx

Vodafone in the Dock After Leaking Hacks’ Records to Cops

Vodafone accidentally leaked the records of over 1,700 News UK journalists and staffers to the Metropolitan Police Service (MPS) after the cops requested the details of just one hack under investigation last year, it has emerged.

The Met demanded the call records of a Sun journalist in October last year as part of Operation Elveden – an investigation into the payment of public officials by hacks in return for private info.

However, due to what it claims was “human error” Vodafone accidentally handed over the phone records of 1,757 people working at the Murdoch-owned News UK.

Those people included “journalists, lawyers, secretarial staff and senior executives covering the years 2005-07,” according to The Times.

However, despite knowing the data had been sent to them by accident, the Met analyzed it in its entirety, building a spreadsheet of all outgoing calls made from the 1,700+ phones in question.

It was apparently months before the police notified the authorities of the error and sent a copy of the data back to Vodafone. A spokesman for the operator told The Times in a statement that the dataset could have been corrupted.

“We wrote to the Met to express our grave concern that the police continued to retain the data released to them in error and made it clear to them that any assumption that meaningful conclusions could be drawn from any aspect of the corrupted dataset was highly questionable,” he added.

A Met spokesman, meanwhile, said the MPS had consulted with the Interception of Communications Commissioner’s Office (IOCCO), and the Information Commissioner on what it should do with the data.

Source: http://www.infosecurity-magazine.com/news/vodafone-leaking-hacks-records/

Sony Pictures Shuts Down Systems After Cyberattack

A message from the hackers bears a picture of a skeleton and threatens to release the company’s “top secrets”

Sony Pictures Entertainment was forced to shut down its worldwide email and computer network on Monday after being targeted by hackers who threatened to reveal the company’s “secrets.”

A message entitled “Hacked by #GOP” with a picture of a skeleton in the background appeared on company computers Monday morning, Deadline.com reported.

“We’ve already warned you, and this is just a beginning,” the message read, going on to state that the hackers have obtained “all your internal data including your secrets and top secrets.” They then threatened to release the data by 11 p.m. if their demands aren’t met, but no demands have apparently been made clear yet.

Source: http://time.com/3604372/sony-pictures-shuts-down-systems-cyber-attack-hackers/

Researchers Uncover Government Spy Tool Used to Hack Telecoms and Belgian Cryptographer

It was the spring of 2011 when the European Commission discovered it had been hacked. The intrusion into the EU’s legislative body was sophisticated and widespread and used a zero-day exploit to get in. Once the attackers established a stronghold on the network, they were in for the long haul. They scouted the network architecture for additional victims and covered their tracks well. Eventually, they infected numerous systems belonging to the European Commission and the European Council before being discovered.

Two years later another big target was hacked. This time it was Belgacom, the partly state-owned Belgian telecom. In this case, too, the attack was sophisticated and complex. According to published news reports and documents leaked by Edward Snowden, the attackers targeted system administrators working for Belgacom and used their credentials to gain access to routers controlling the telecom’s cellular network. Belgacom publicly acknowledged the hack, but has never provided details about the breach.

Then five months after that announcement, news of another high-profile breach emerged—this one another sophisticated hack targeting prominent Belgian cryptographer Jean-Jacques Quisquater.

Now it appears that security researchers have found the massive digital spy tool used in all three attacks. Dubbed “Regin” by Microsoft, the tool has been found on more than a hundred victims to date, but there are likely many others still unknown. That’s because the espionage tool—a malicious platform capable of taking over entire networks and infrastructures—has been around since at least 2008, possibly even earlier, and is built to remain hidden on a system for years.

The threat has been known since at least 2011, around the time the EU was hacked and some of the attack files made their way to Microsoft, which added detection for the component to its security software. Researchers with Kaspersky Lab only began tracking the threat in 2012, collecting bits and pieces of the massive threat. Symantec began investigating it in 2013 after some of its customers were infected. Putting together information from each, it’s clear the platform is highly complex and modular and can be customized with a wide range of capabilities depending on the target and the attackers’ needs. Researchers have found 50 payloads so far for stealing files and other data, but have evidence that still more exist.

Source: http://www.wired.com/2014/11/mysteries-of-the-malware-regin/?mbid=social_fb

Drupal Core – Vulnerability – SA-CORE-2014-006

Drupal Core – Vulnerabilities – SA-CORE-2014-006

  • Advisory ID: DRUPAL-SA-CORE-2014-006
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2014-November-19
  • Security risk: 14/25 (Moderately Critical) AC:Basic/A:None/CI:Some/II:Some/E:Theoretical/TD:Uncommon
  • Vulnerability: Multiple vulnerabilities

Description

Session hijacking (Drupal 6 and 7)

A specially crafted request can give a user access to another user’s session, allowing an attacker to hijack a random session.

This attack is known to be possible on certain Drupal 7 sites which serve both HTTP and HTTPS content (“mixed-mode”), but it is possible there are other attack vectors for both Drupal 6 and Drupal 7.

Denial of service (Drupal 7 only)

Drupal 7 includes a password hashing API to ensure that user supplied passwords are not stored in plain text.

A vulnerability in this API allows an attacker to send specially crafted requests resulting in CPU and memory exhaustion. This may lead to the site becoming unavailable or unresponsive (denial of service).

This vulnerability can be exploited by anonymous users.
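The advisory does not say how the crafted requests exhaust CPU and memory. A common way an iterated password-hash API becomes a denial-of-service vector is accepting input of unbounded length, because every round re-hashes the whole password, so the cost grows with password length times the round count. The added Python example below is not Drupal's code: it models a phpass-style iterated SHA-512 scheme of the kind Drupal 7 uses, quantifies how the work grows with password length, and places a pre-hash length cap beside the unbounded form. The 512-byte cap, the round count and the function names are this example's choices.

```python
import hashlib
from typing import Optional

ROUNDS = 1 << 15            # 32768 rounds, a typical phpass-style cost setting (assumed)
MAX_PASSWORD_BYTES = 512    # cap chosen for this example; plenty for any real passphrase
SHA512_DIGEST_LEN = 64


def iterated_hash(password: bytes, salt: bytes, rounds: int = ROUNDS) -> bytes:
    """phpass-style scheme: hash(salt + password), then each round hashes the
    previous digest concatenated with the full password again."""
    h = hashlib.sha512(salt + password).digest()
    for _ in range(rounds):
        h = hashlib.sha512(h + password).digest()
    return h


def bytes_hashed(password_len: int, salt_len: int = 8, rounds: int = ROUNDS) -> int:
    """Bytes fed through SHA-512 for one verification: the attacker controls
    password_len, so a megabyte-sized password turns one login into gigabytes of hashing."""
    return (salt_len + password_len) + rounds * (SHA512_DIGEST_LEN + password_len)


def hash_password_unbounded(password: bytes, salt: bytes) -> bytes:
    # Vulnerable shape: does whatever amount of work the client's input implies.
    return iterated_hash(password, salt)


def hash_password_capped(password: bytes, salt: bytes) -> Optional[bytes]:
    # Hardened shape: reject oversized input before any hashing work is started,
    # so an anonymous request cannot buy 32768 rounds over a huge buffer.
    if len(password) > MAX_PASSWORD_BYTES:
        return None
    return iterated_hash(password, salt)


if __name__ == "__main__":
    salt = b"saltsalt"  # constructed; a real implementation draws a random salt
    for n in (8, 512, 1 << 20):
        print(f"{n:>8} byte password -> {bytes_hashed(n) / (1 << 30):.2f} GiB hashed")
    print("capped accepts normal password:", hash_password_capped(b"hunter2", salt) is not None)
    print("capped rejects 1 MiB password:", hash_password_capped(b"A" * (1 << 20), salt) is None)
```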

 

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Drupal core 6.x versions prior to 6.34.
  • Drupal core 7.x versions prior to 7.34.

Solution

Install the latest version:

  • If you use Drupal 6.x, upgrade to Drupal core 6.34.
  • If you use Drupal 7.x, upgrade to Drupal core 7.34.

If you have configured a custom session.inc file for your Drupal 6 or Drupal 7 site you also need to make sure that it is not prone to the same session hijacking vulnerability disclosed in this security advisory.

If you have configured a custom password.inc file for your Drupal 7 site you also need to make sure that it is not prone to the same denial of service vulnerability disclosed in this security advisory. See also the similar security advisory for the Drupal 6 contributed Secure Password Hashes module: SA-CONTRIB-2014-113

 

Source: https://www.drupal.org/SA-CORE-2014-006

Hiring Hacker to Address Cyber Security Challenges: Survey

The finding comes from a KPMG survey of 300 senior IT and HR professionals in organizations with 500 or more staffers. Some 74 percent said they are facing new challenges in cyber-security, and 70 percent admit their organization “lacks data protection and privacy expertise.” In addition, the majority said they are wary of their organization’s ability to assess incoming threats.

Even though 60 percent said they have a strategy for dealing with any skills gaps, 57 percent agree it has become more difficult to retain staff with specialized cyber skills in the past two years. In addition, 60 percent said they are worried about finding cyber experts who can effectively communicate with the corporate side of the business and not just the IT department.

Source: http://www.securityweek.com/majority-uk-business-would-consider-hiring-hacker-address-cyber-security-challenges-survey

Backdoors by way of Ichitaro exploit

Researchers at Symantec have uncovered the exploits of a cyberespionage group targeting organizations in Japan.

According to a Thursday blog post by the firm, malicious emails were used to spread backdoors Emdivi, Korplug and ZXshell to victims. Instead of simply including a link to compromised websites in phishing ruses, attackers used booby-trapped Ichitaro document files to spread malware.

The attack leverages a remote code execution vulnerability, CVE-2014-7247, in the widely used Ichitaro word processor, so that users running vulnerable versions of the software are compromised simply by opening the document. The backdoors are all designed to “steal confidential information from the compromised computer,” Symantec said.

The cyberespionage campaign, “Operation CloudyOmega,” has been active since 2011 and its perpetrators have “communication channels with other notorious attack groups,” like Hidden Lynx, the firm noted. A patch for the zero-day vulnerability is now available.

Source: http://www.scmagazine.com/backdoors-delivered-to-japanese-orgs-by-way-of-ichitaro-exploit/article/383472/

Windows 19-year-old vulnerability (CVE-2014-6332)

The IBM X-Force Research team has identified a significant data manipulation vulnerability (CVE-2014-6332) with a CVSS score of 9.3 in every version of Microsoft Windows from Windows 95 onward.

We reported this issue with a working proof-of-concept exploit back in May 2014, and today, Microsoft is patching it. It has been exploitable remotely since Microsoft Internet Explorer (IE) 3.0. This complex vulnerability is a rare, “unicorn-like” bug found in code that IE relies on but that doesn’t necessarily belong to it. The bug can be used by an attacker for drive-by attacks to reliably run code remotely and take over the user’s machine — even sidestepping the Enhanced Protected Mode (EPM) sandbox in IE 11 as well as the highly regarded Enhanced Mitigation Experience Toolkit (EMET) anti-exploitation tool Microsoft offers for free.

What Does This Mean?

First, this means that significant vulnerabilities can go undetected for some time. In this case, the buggy code is at least 19 years old and has been remotely exploitable for the past 18 years. Looking at the original release code of Windows 95, the problem is present. With the release of IE 3.0, remote exploitation became possible because it introduced Visual Basic Script (VBScript). Other applications over the years may have used the buggy code, though the inclusion of VBScript in IE 3.0 makes it the most likely candidate for an attacker. In some respects, this vulnerability has been sitting in plain sight for a long time despite many other bugs being discovered and patched in the same Windows library (OleAut32).

Second, it indicates that there may be other bugs still to be discovered that relate more to arbitrary data manipulation than more conventional vulnerabilities such as buffer overflows and use-after-free issues. These data manipulation vulnerabilities could lead to substantial exploitation scenarios from the manipulation of data values to remote code execution. In fact, there may be multiple exploitation techniques that lead to possible remote code execution, as is the case with this particular bug. Typically, attackers use remote code execution to install malware, which may have any number of malicious actions, such as keylogging, screen-grabbing and remote access.

IBM X-Force has had product coverage with its network intrusion prevention system (IPS) since reporting this vulnerability back in May 2014, though X-Force hasn’t found any evidence of exploitation of this particular bug in the wild. I have no doubt that it would have fetched six figures on the gray market. The proof of concept IBM X-Force built uses a technique that other people have discovered, too. In fact, it was presented at this year’s

Source: http://securityintelligence.com/ibm-x-force-researcher-finds-significant-vulnerability-in-microsoft-windows/#.VGOMU1fF-ZS