Month: March 2015
The Russian Ministry of Internal Affairs, together with the Federal Security Service, is trying to locate a criminal cyber-group specialising in robbing ATMs with the Tyupkin malware.
The criminals work in two stages. First, they gain physical access to the ATM and insert a bootable CD to install the malware, code-named Tyupkin by Kaspersky Lab, which discovered it last year. After they reboot the machine, the infected ATM is under their control.
Kaspersky reports on its website how the scam works and has produced a video on its operation.
Following successful infection, the malware runs in an infinite loop waiting for a command. To make the scam harder to spot, Tyupkin malware only accepts commands at specific times on Sunday and Monday nights. During those hours the attackers are able to steal money from the infected machine.
When the correct combination key is entered on the PIN pad, the ATM displays how much money is in each cash cassette and invites the operator to choose which cassette to empty. The ATM then dispenses 40 banknotes at a time from the chosen cassette.
Alexander Vurasko, an official spokesman of the cyber-crime investigation department at the Russian Ministry of Internal Affairs, told SCMagazineUK.com that, in addition to Russia, Tyupkin has been used to rob ATMs around the world, including in EU states, the US and China.
He added that most of the attacks succeed because of the widespread use of Microsoft's Windows XP in ATMs. The malware has several variants, some of which add skimming capabilities: reading data from card magnetic stripes and saving PIN codes.
Analysts at the Russia-based security company Kaspersky Lab believe that Tyupkin and similar malware may soon replace traditional skimming.
Ruslan Stoyanov, head of the computer incidents investigation department at Kaspersky Lab, said that Tyupkin is a step forward in technology for the crooks, dramatically reducing the number of separate actions and transactions needed to steal large amounts of cash.
He added that with this malware the criminals no longer need to move money from cards to other accounts or set up fake companies, so there is no trail of transfers for the authorities to chase through those accounts.
Amid the malware's spread, many Russian banks are strengthening their IT security and the security of their ATMs, with the aim of preventing unauthorised access.
Citing Edward Ahunyanov, head of the payment systems department at the Russian Bank of Settlements and Savings, one of Russia's leading banks, IT analysts at the Russian business daily Izvestia told SCMagazineUK.com that the malware is a typical Trojan. Ahunyanov commented: "There is also a threat that such malware may result in information leakage. Part of our plan is to change the locks and to modify the programs. In addition, we plan to tighten control over the keys, cash-in-transit couriers and educate the technical service staff of our bank about the threat."
According to Andrey Lyushin, deputy chairman of Loco-bank, another leading Russian bank, such high-tech theft methods are unusual in the Russian banking sector. He added that the bank will need another one to two months to implement countermeasures against the malware.
“The INEC (Independent National Electoral Commission) website was hacked this morning but we are trying to revive it,” the body’s deputy director of public affairs, Nick Dazang, told AFP.
“But nothing has been tampered with,” he added, without elaborating.
INEC has been under scrutiny for weeks about its preparations for the election, in particular over the use of biometric voter identity cards and new technology to cut down on electoral fraud.
Voters throughout Nigeria have complained about lengthy delays in authenticating their cards. President Goodluck Jonathan’s own card failed on the new system and he had to be accredited by hand.
The INEC website — inecnigeria.org — was allegedly targeted by the Nigerian Cyber Army. A message on the home page read: “Feel some shame Admin!! Security just an illusion.”
The site was later back online.
Security researchers have warned of a widespread vulnerability in Android that could let attackers silently modify or entirely replace a seemingly benign app with malware during installation, without the user being aware.
In other words, a user might attempt to install a legitimate version of “Angry Birds” but instead end up with a Flashlight app that’s harbouring malware.
Every Android user is familiar with the screen that gets displayed during an app package’s installation, explaining the permissions that the app requests in order to run.
What wasn't commonly known is that while the user is reviewing this information (the "time of check"), an attacker with write access to the location the package was downloaded to can modify or replace it, so that what is installed when the user taps "Install" (the "time of use") is not what was reviewed.
Fortunately, apps downloaded from the official Google Play Store are not at risk, because Play writes the package into app-private storage that other apps cannot overwrite. The exposed path is a third-party downloader that saves the APK to unprotected, shared storage, where any other app with write access to that location can replace it.
Palo Alto Networks says that it first found the Time-of-Check to Time-of-Use (TOCTTOU) vulnerability, and how it could be exploited in so-called "installer hijacking", in January 2014, and has been co-operating with Google, Samsung, Amazon and other manufacturers ever since.
The vulnerability can be exploited on Android 2.3, 4.0.3-4.0.4, 4.1.x and 4.2.x, which means that an alarming 49.5% of the Android devices currently in use are at risk.
That should obviously ring alarm bells – not just amongst home users, but also corporations which have BYOD policies allowing staff to access corporate data on Android devices and to bring their smartphones and tablets into the office.
Piling on the bad news, according to researchers the vulnerability does not rely upon Android devices being rooted (although this does make them more vulnerable) and it is possible that some phones may be running vulnerable distributions of Android 4.3 too.
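The race described above, as an added example that is not Palo Alto Networks' code or the Android installer's: a JSON file stands in for the APK, a shared temporary directory stands in for world-writable download storage, an attacker thread replaces the package while the "user" is reviewing the permission prompt, and the hardened installer copies the package into private storage before checking it and pins its hash. The file format, directory layout, timings and app names are all constructed for the demo.

```python
import hashlib
import json
import os
import shutil
import tempfile
import threading
import time


# Constructed stand-in for an APK: a JSON file naming the app and the permissions it requests.
# (Assumption: a real installer would parse AndroidManifest.xml out of the APK zip instead.)
def write_package(path, name, permissions):
    with open(path, "w") as f:
        json.dump({"name": name, "permissions": permissions}, f)


def read_manifest(path):
    with open(path) as f:
        return json.load(f)


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def vulnerable_install(shared_path, private_dir, user_accepts, review_seconds):
    """Time of check: read the manifest where the downloader left it (shared, writable by
    other apps) and show the permission prompt. Time of use: read the same path again to
    install. Whatever was written to shared_path while the prompt was up is what gets installed."""
    shown = read_manifest(shared_path)            # time of check
    time.sleep(review_seconds)                    # user reads the prompt: the attacker's window
    if not user_accepts(shown):
        return None
    installed = read_manifest(shared_path)        # time of use: not necessarily the same bytes
    return {"shown": shown, "installed": installed}


def hardened_install(shared_path, private_dir, user_accepts, review_seconds):
    """Copy into app-private storage first, pin its hash, then check and install only the copy."""
    staged = os.path.join(private_dir, "staged.apk")
    shutil.copyfile(shared_path, staged)
    staged_hash = sha256_file(staged)
    shown = read_manifest(staged)                 # time of check, on the private copy
    time.sleep(review_seconds)
    if not user_accepts(shown):
        return None
    if sha256_file(staged) != staged_hash:        # defence in depth: private storage should be unreachable anyway
        raise RuntimeError("staged package changed during review")
    installed = read_manifest(staged)             # time of use: the same bytes the user approved
    return {"shown": shown, "installed": installed}


def attacker_swap(shared_path, delay_seconds):
    """Simulated malicious app that has write access to the shared download location."""
    time.sleep(delay_seconds)
    write_package(shared_path, "Flashlight", ["INTERNET", "READ_SMS", "SEND_SMS"])


def run_race(install):
    """Drive one installer through the race: the swap lands while the prompt is being reviewed."""
    with tempfile.TemporaryDirectory() as shared, tempfile.TemporaryDirectory() as private:
        apk = os.path.join(shared, "angrybirds.apk")
        write_package(apk, "Angry Birds", ["INTERNET"])
        attacker = threading.Thread(target=attacker_swap, args=(apk, 0.1))
        attacker.start()
        result = install(apk, private, lambda manifest: True, review_seconds=0.5)
        attacker.join()
        return result


if __name__ == "__main__":
    for label, installer in (("vulnerable", vulnerable_install), ("hardened", hardened_install)):
        r = run_race(installer)
        print(label, "prompt showed", r["shown"]["name"], "- installed", r["installed"]["name"])
```

Run it and the vulnerable path shows the prompt for "Angry Birds" and installs "Flashlight", while the hardened path installs what it showed. The copy-then-check order is the actual fix; the hash comparison only catches a write into storage that was supposed to be private.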
So, what’s the answer?
The best solution is to stop using vulnerable versions of the Android OS on your devices. Upgrade to Android 4.4 and later, which have fixed the problem.
Of course, that’s easier said than done.
Even if you *want* to upgrade the OS on your Android device you might not be able to, because an update is only going to be available for those devices with the assistance and goodwill of Google, the device’s manufacturer and your mobile phone carrier.
As history has often shown us, older Android devices are left stranded without an easy path for OS updates.
If upgrading your version of Android is not an option, you can reduce the risk by ensuring that apps are only ever downloaded from the official Google Play store rather than third-party sites.
Palo Alto Networks has released a free vulnerability scanner (available from the Google Play store, natch) that will hunt for the flaw on your Android device.
Guests at hundreds of hotels around the world are susceptible to serious hacks because of routers that many hotel chains depend on for their Wi-Fi networks. Researchers have discovered a vulnerability in the systems, which would allow an attacker to distribute malware to guests, monitor and record data sent over the network, and even possibly gain access to the hotel’s reservation and keycard systems.
The security hole involves an authentication vulnerability in the firmware of several models of InnGate routers made by ANTlabs, a Singapore firm whose products are installed in hotels in the US, Europe and elsewhere.
The vulnerability, which was discovered by the security firm Cylance, gives attackers direct access to the root file system of the ANTlabs devices and would allow them to copy configuration and other files from the devices’ file system or, more significantly, write any other file to them, including ones that could be used to infect the computers of Wi-Fi users.
The researchers found 277 of the devices in 29 countries that are accessible over the internet, though there may be many others that they weren’t able to uncover over the internet because they’re protected behind a firewall. Devices behind a firewall, however, would still presumably be vulnerable to the same malicious activity by anyone who gets on the hotel’s network.
Of the 277 vulnerable devices accessible over the internet, the researchers found more than 100 of them were at locations in the US. But they also found 35 vulnerable systems in Singapore, 16 in the UK, and 11 in the United Arab Emirates.
The vulnerable systems were found primarily at hotel chains, but the researchers also found some convention centers with internet-accessible vulnerable routers. They also found that a top data center company uses an InnGate device to manage guest Wi-Fi at several of its locations in the Asia Pacific.
The InnGate devices function as a gateway for hotels and convention centers to provide guests with internet access. But Justin Clarke, a researcher with Cylance’s new SPEAR (Sophisticated Penetration Exploitation and Research) team, says the devices are often also connected to a hotel’s property management system, the core software that runs reservation systems and maintains data profiles about guests. Clarke says they found a number of hotels where the InnGate was configured to communicate with a PMS. This presents additional security risks in itself, allowing an attacker to potentially identify guests and upcoming guests at a hotel and learn their room number. But PMSes are often, in turn, integrated with a hotel’s phone system, point-of-sale system for processing credit card transactions, and the electronic keycard system that controls access to guest rooms. This would potentially give an attacker a gateway to access and exploit these systems as well.
“In cases where an InnGate device stores credentials to the PMS [property management system], an attacker could potentially gain full access to the PMS itself,” the researchers write in a blog post published today, which they shared with WIRED in advance.
The property management systems that were used in the vulnerable hotels Cylance examined include ones made by Micros Fidelio, FCS, Galaxy, and Prologic.
Oracle purchased Micros Fidelio last year and now markets its PMS as the Opera Property Management System. According to Oracle’s web site, the Opera PMS “provides all the tools a hotel staff needs for doing their day-to-day jobs—handling reservations, checking guests in and out, assigning rooms and managing room inventory, accommodating the needs of in-house guests, and handling accounting and billing.” But, the site notes, the system also includes interfaces to connect the PMS to “hundreds of third-party hospitality systems” including telephone and electronic switching and key lock systems.
Gaining access to a guest room through a compromised key lock system wouldn’t just be of interest to thieves. One of the most famous cases involving the subversion of a hotel’s electronic key system resulted in the assassination of a high-ranking Hamas official in a Dubai hotel in 2010. In that case the assassins, believed to be Israeli Mossad agents, reprogrammed the electronic lock on their victim’s hotel room door to gain entry while he was out of the room and lie in wait for him to return. It’s not known exactly how the attackers compromised that key system.
How the Hotel Vuln Works
The vulnerability lies in an unauthenticated rsync daemon running on the ANTlabs devices. The rsync daemon (rsyncd, which listens on TCP port 873) is often used for backups because it can be set up to copy files, or only the changed parts of files, from one location to another. Although the daemon can require a username and password for each module it exports, the ANTlabs device runs it with no authentication at all.
As a result, once an attacker has connected to the rsync daemon, “they are then able to read and write to the file system of the Linux based operating system without restriction,” the researchers write in their blog post. “Given the level of access that this vulnerability offers to attackers, there is seemingly no limit to what they could do… Once full file system access is obtained, the endpoint is at the mercy of the attacker.”
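One way to catch this class of misconfiguration on your own daemons, as an added example that is neither Cylance's tooling nor anything from the ANTlabs firmware: the script below parses an rsyncd.conf and flags modules that combine no `auth users`, no `hosts allow`, `read only = no`, a root path or a root uid. Both sample configurations are constructed for the demo; the weak one only approximates what an unauthenticated, writable daemon looks like and is not the InnGate's real configuration.

```python
import re


def parse_rsyncd_conf(text):
    """Parse rsyncd.conf into (global settings, {module: settings}).
    Keys are lower-cased with internal whitespace collapsed ("Auth  Users" -> "auth users");
    each module starts from a copy of the global settings, as rsyncd itself applies them."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = m.group(1).strip()
            modules[current] = dict(globals_)
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = " ".join(key.lower().split())
        (globals_ if current is None else modules[current])[key] = value.strip()
    return globals_, modules


def _is_true(value):
    return value.strip().lower() in ("yes", "true", "1", "on")


def audit_module(name, s):
    """Return findings for one module; an empty list means nothing worth raising."""
    findings = []
    anonymous = not s.get("auth users")
    writable = "read only" in s and not _is_true(s["read only"])   # rsyncd defaults to read only
    if anonymous:
        findings.append("no 'auth users': any client may connect without credentials")
    elif not s.get("secrets file"):
        findings.append("'auth users' set without 'secrets file': no password database, logins fail")
    if "hosts allow" not in s:
        findings.append("no 'hosts allow': module is reachable from any source address")
    if writable and anonymous:
        findings.append("CRITICAL: writable ('read only = no') and unauthenticated: arbitrary file write")
    if s.get("path", "").strip() == "/":
        findings.append("path is the root filesystem: clients see the whole device")
    if s.get("uid", "").strip().lower() in ("root", "0"):
        findings.append("daemon serves this module as root")
    if "use chroot" in s and not _is_true(s["use chroot"]) and writable:
        findings.append("writable without chroot: symlinked paths can reach outside the module")
    return findings


def audit(text):
    _, modules = parse_rsyncd_conf(text)
    return {name: audit_module(name, settings) for name, settings in modules.items()}


# Constructed: an unauthenticated, writable daemon exporting the whole filesystem (hypothetical).
WEAK_CONF = """
uid = root
use chroot = no
[rootfs]
    path = /
    read only = no
    list = yes
"""

# Constructed: the same module behind per-module credentials, a source allow-list and a narrow path.
HARDENED_CONF = """
uid = rsync
use chroot = yes
[backup]
    path = /srv/backup
    read only = no
    auth users = backup-agent
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.0.0.5
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        for module, findings in audit(conf).items():
            print(f"[{label}] module {module}: {len(findings)} finding(s)")
            for f in findings:
                print("   ", f)
```

From the network side the equivalent check is that `rsync rsync://host/` lists the modules and `rsync rsync://host/module/` lists their contents without any password prompt; if that works from an untrusted network, the daemon is in the state the researchers describe.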
Anyone who visited the New York Daily News website or Metacafe website – as well as several other lesser known sites – within the past couple of weeks could have been infected with malware, according to Malwarebytes.
Researchers identified a malvertising campaign originating from the engage:BDR advertising network, a Tuesday post indicates. In a Wednesday email correspondence, Jerome Segura, senior security researcher with Malwarebytes, told SCMagazine.com that the issue has been resolved.
The malware was being delivered via malvertisements that redirected users to the Hanjuan Exploit Kit, according to the post. Researchers only observed the Hanjuan Exploit Kit taking advantage of a recently patched Adobe Flash Player zero-day vulnerability – CVE-2015-0313.
The threat is a drive-by download attack that happens within seconds and requires no user interaction, meaning no clicking is required to become infected, the post indicates.
“Typically a drive-by download is very quiet, unless it involves Java (you will see the Java icon in the tray) or perhaps crashes the browser,” Segura said. “In the case of Flash, it is completely transparent and unless the malware is obvious (changes the desktop or loads a fake app) the user would be completely unaware of it.”
Segura said that Hanjuan Exploit Kit only targets U.S. residential IP addresses, which means that only legitimate home users residing in America were targeted in the campaign. Given the vulnerability being exploited and the high profile of certain affected websites, he speculated that tens of thousands of victims may have been infected.
Hanjuan Exploit Kit uses numerous techniques to deliver malware to specific victims and go by mostly unnoticed, Segura said.
“First of all, it leverages an ad network to filter out non desirable users and really tailor the malicious [ads] for the target population,” Segura said. “Secondly, it performs very strict checks on the user’s IP address to ensure that it has never seen it before, but also that it belongs to a genuine residential ISP.”
Segura added, “The problem for security companies is that very often our IP ranges are already blacklisted by the bad guys and VPNs are not an option either since they are not the target population.”
Because Hanjuan Exploit Kit is stealthy, Malwarebytes has been unable to identify the malware being delivered, the post notes.
Users should be using anti-exploit protection to defend against these types of threats, and should also always be surfing the web using the latest security updates applied to their computers, Segura said. He added that advertising networks need to be thoroughly checking their customers to ensure they are legitimate.
“They also have to spot patterns of malicious activity in close to real-time and block attacks, something that is easier said than done, when the number of impressions for an ad network can be in the millions or even billions per day,” Segura said.
The Vawtrak malware, also known as Neverquest and Snifula, is an advanced banking Trojan capable of stealing financial information and executing transactions from the compromised computer through remote desktop control, so that the fraudulent sessions come from the victim's own machine and IP address and leave few tracks.
Its authors rely on real-time web injection to present the victim with fraudulent screens asking for the information needed to access the online banking account.
The same web injections are used to phish two-factor authentication (2FA) codes generated by separate tokens, typically offline card readers that produce a code from the payment card and its PIN.
C&C servers have been registered in February
Security researchers at Heimdal Security analyzed the methods used by the cybercriminals to distribute Vawtrak and determined that it spreads via drive-by download attacks, phishing campaigns on social media websites as well as spam.
They say that the variant they analysed targets more than 15 financial institutions in Canada and connects to six command and control (C&C) servers in different parts of the world.
Running a whois search on them, we learned that all but one have been registered on February 25, 2015.
The last one appears to have been registered on February 16, 2015, which could also be an approximate date for launching the malicious campaign.
In an in-depth analysis by researchers at antivirus company AVG, Vawtrak is shown to have a complex feature set that includes defences against a large number of security products that may be running on the infected computer.
The malware tries to disable antivirus products by turning the Windows Software Restriction Policies (SRP) mechanism against them: it registers the security products' installation paths as rules at the Disallowed level, so that Windows itself refuses to launch their executables. SRP is intended for administrators, giving them control over which software can run on managed endpoints.
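The registry side of that trick, as an added example that is not from AVG's analysis or from the malware itself: SRP path rules live under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\<level>\Paths\{GUID}, with the path in an ItemData value, and level 0 is Disallowed (262144 is Unrestricted). The script parses a constructed .reg export of that key, handling both REG_SZ and the hex(2) form that REG_EXPAND_SZ values are exported in, and lists Disallowed rules that point at security-product directories. The GUIDs, paths and the list of product-name hints are illustrative assumptions.

```python
import re

REG_KEY_RE = re.compile(r"^\[(.+)\]$")
LEVEL_RE = re.compile(r"\\Safer\\CodeIdentifiers\\(\d+)\\Paths\\", re.IGNORECASE)
LEVEL_NAMES = {0: "Disallowed", 0x1000: "Basic User", 0x10000: "Constrained",
               0x20000: "Normal User", 0x40000: "Unrestricted"}

# Illustrative substrings of security-product install paths (assumption, extend for your estate).
SECURITY_PRODUCT_HINTS = ("avg", "eset", "kaspersky", "symantec", "mcafee", "defender")


def _join_continuations(text):
    """Regedit wraps long hex values with a trailing backslash; glue those lines back together."""
    out, buf = [], ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1].strip()
            continue
        out.append(buf + line.strip())
        buf = ""
    if buf:
        out.append(buf)
    return out


def _decode_value(raw):
    """Decode a .reg value: "string" (REG_SZ), hex(2):.. (UTF-16LE REG_EXPAND_SZ) or dword:.."""
    raw = raw.strip()
    if raw.startswith('"'):
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    m = re.match(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw


def parse_srp_rules(reg_text):
    """Return [{"level": int, "path": str}] for every path rule in the export."""
    rules, current = [], None
    for line in _join_continuations(reg_text):
        km = REG_KEY_RE.match(line)
        if km:
            if current:
                rules.append(current)
            lm = LEVEL_RE.search(km.group(1))
            current = {"level": int(lm.group(1)), "path": None} if lm else None
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().strip('"').lower() == "itemdata":
            current["path"] = _decode_value(value)
    if current:
        rules.append(current)
    return [r for r in rules if r["path"]]


def blocked_security_products(reg_text, hints=SECURITY_PRODUCT_HINTS):
    """Paths that SRP refuses to run and that look like a security product's directory."""
    return [r["path"] for r in parse_srp_rules(reg_text)
            if r["level"] == 0 and any(h in r["path"].lower() for h in hints)]


# Constructed .reg export: two Disallowed rules aimed at AV directories (hypothetical GUIDs)
# next to the Unrestricted rule for %SystemRoot% that SRP creates by default.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"DefaultLevel"=dword:00040000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{11111111-2222-3333-4444-555555555555}]
"ItemData"="C:\\Program Files\\AVG\\"
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{66666666-7777-8888-9999-000000000000}]
"ItemData"=hex(2):43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,20,00,\
  46,00,69,00,6c,00,65,00,73,00,5c,00,45,00,53,00,45,00,54,00,5c,00,00,00
"SaferFlags"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\262144\Paths\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
"ItemData"="%HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\SystemRoot%"
"SaferFlags"=dword:00000000
'''

if __name__ == "__main__":
    for rule in parse_srp_rules(SAMPLE_REG):
        print(LEVEL_NAMES.get(rule["level"], rule["level"]), rule["path"])
    print("security products blocked by SRP:", blocked_security_products(SAMPLE_REG))
```

On a live host the same input comes from `reg export "HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers" srp.reg`; a Disallowed rule covering an AV directory on a machine where nobody configured SRP is worth treating as an indicator in its own right, whatever the malware turns out to be.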
Vawtrak gets stronger, it is not going anywhere
Additional functionality in the latest versions of Vawtrak includes stealing passwords from a range of programs (via the Pony infostealer module), digital certificates and cookies, logging keystrokes, and capturing video and screenshots.
AVG says that the malware is not showing any signs of decreased activity and that minor changes in its features, targeted regions and banks create detection spikes every two to five days.
Based on their telemetry data, the countries most affected by this threat are Czech Republic, USA, UK, and Germany.
The conclusion reached by AVG following their analysis of the malware is that “Vawtrak is like a Swiss Army knife for its operators because of its wide range of applications and available features.”
Canada’s electronic surveillance agency has secretly developed an arsenal of cyberweapons capable of stealing data and destroying adversaries’ infrastructure, according to newly revealed classified documents.
Communications Security Establishment, or CSE, has also covertly hacked into computers across the world to gather intelligence, breaking into networks in Europe, Mexico, the Middle East and North Africa, the documents show.
The revelations, reported Monday by CBC News in collaboration with The Intercept, shine a light for the first time on how Canada has adopted aggressive tactics to attack, sabotage and infiltrate targeted computer systems.
The latest disclosures come as the Canadian government debates whether to hand over more powers to its spies to disrupt threats as part of the controversial anti-terrorism law, Bill C-51.
Christopher Parsons, a surveillance expert at the University of Toronto’s Citizen Lab, told CBC News that the new revelations showed that Canada’s computer networks had already been “turned into a battlefield without any Canadian being asked: Should it be done? How should it be done?”
According to documents obtained by The Intercept from National Security Agency whistleblower Edward Snowden, CSE has a wide range of powerful tools to perform “computer network exploitation” and “computer network attack” operations. These involve hacking into networks to either gather intelligence or to damage adversaries’ infrastructure, potentially including electricity, transportation or banking systems. The most well-known example of a state-sponsored “attack” operation involved the use of Stuxnet, a computer worm that was reportedly developed by the United States and Israel to sabotage Iranian nuclear facilities.
One document from CSE, dated from 2011, outlines the range of methods the Canadian agency has at its disposal as part of a “cyber activity spectrum” to both defend against hacking attacks and to perpetrate them. CSE says in the document that it can “disable adversary infrastructure,” “control adversary infrastructure,” or “destroy adversary infrastructure” using the attack techniques. It can also insert malware “implants” on computers to steal data.
The document suggests CSE has access to a series of sophisticated malware tools developed by the NSA as part of a program known as QUANTUM. As The Intercept has previously reported, the QUANTUM malware can be used for a range of purposes — such as to infect a computer and copy data stored on its hard drive, to block targets from accessing certain websites, or to disrupt their file downloads. Some of the QUANTUM techniques rely on redirecting a targeted person’s internet browser to a malicious version of a popular website, such as Facebook, that then covertly infects their computer with the malware.
According to one top-secret NSA briefing paper, dated from 2013, Canada is considered an important player in global hacking operations. Under the heading “NSA and CSEC cooperate closely in the following areas,” the paper notes that the agencies work together on “active computer network access and exploitation on a variety of foreign intelligence targets, including CT [counter terrorism], Middle East, North Africa, Europe, and Mexico.” (The NSA had not responded to a request for comment at time of publication. The agency has previously told The Intercept that it “works with foreign partners to address a wide array of serious threats, including terrorist plots, the proliferation of weapons of mass destruction, and foreign aggression.”)
Notably, CSE has gone beyond just adopting a range of tools to hack computers.
According to the Snowden documents, it has a range of “deception techniques” in its toolbox. These include “false flag” operations to “create unrest,” and using so-called “effects” operations to “alter adversary perception.” A false-flag operation usually means carrying out an attack, but making it look like it was performed by another group — in this case, likely another government or hacker. Effects operations can involve sending out propaganda across social media or disrupting communications services. The newly revealed documents also reveal that CSE says it can plant a “honeypot” as part of its deception tactics, possibly a reference to some sort of bait posted online that lures in targets so that they can be hacked or monitored.
The apparent involvement of CSE in using the deception tactics suggests it is operating in the same area as a secretive British unit known as JTRIG, a division of the country’s eavesdropping agency, Government Communications Headquarters, or GCHQ. Last year, The Intercept published documents from Snowden showing that the JTRIG unit uses a range of effects operations to manipulate information online, such as by rigging the outcome of online polls, sending out fake messages on Facebook across entire countries, and posting negative information about targets online to damage their reputations.
CSE declined to comment on any specific details contained in the latest revelations. In a general statement issued to The Intercept and CBC News, a spokesman for the agency said: “In moving from ideas or concepts to planning and implementation, we examine proposals closely to ensure that they comply with the law and internal policies, and that they ultimately lead to effective and efficient ways to protect Canada and Canadians against threats.”
The spokesman said that some of the Snowden documents do “not necessarily reflect current CSE practices or programs.” But he refused to explain which capabilities detailed in the documents the agency is not using, if any. Doing so, he said, would breach the Security of Information Act, a Canadian law designed to protect state secrets.