Month: February 2016

A DHS report confirms the use of BlackEnergy in the Ukrainian outage, but its role is still unknown


A report issued by the DHS CERT confirms that the outage in Ukraine was caused by a well-coordinated attack, but the role of BlackEnergy is still unclear.

In December, a major outage hit a region in Ukraine; more than 225,000 customers were affected by the interruption of electricity. Security experts speculate that Russian nation-state actors were involved and used BlackEnergy to infect SCADA systems of the Ukrainian grid and critical infrastructure.

According to the Ukrainian media outlet TSN, the power outage was caused by destructive malware that disconnected electrical substations. The experts speculate that the hackers ran a spear phishing campaign against the Ukrainian power authorities to spread the BlackEnergy malware through malicious Microsoft Office documents.

Now a new report published by the DHS Industrial Control Systems Cyber Emergency Response Team confirms that the outage was caused by a cyber attack.

The report is based on interviews with operations and IT staff at six Ukrainian organizations involved in the attacks. The thesis was first supported by the SANS industrial control systems team, but the real impact of the BlackEnergy malware on the incident is still unclear.


The SANS report noted that attackers flooded the call centers at the power authorities with phone calls; the intent was to prevent customers from reporting the incident to the companies operating the critical infrastructure.

The DHS report highlights the possibility that the two strains of malware were used by the attackers after the outage in an attempt either to destroy evidence of the intrusion or to make recovery more difficult.

“Following these discussions and interviews, the team assesses that the outages experienced on December 23, 2015, were caused by external cyber-attackers. The team was not able to independently review technical evidence of the cyber-attack; however, a significant number of independent reports from the team’s interviews as well as documentary findings corroborate the events as outlined below.” states the report.

“Through interviews with impacted entities, the team learned that power outages were caused by remote cyber intrusions at three regional electric power distribution companies (Oblenergos) impacting approximately 225,000 customers.”

“The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.

All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable. It was further reported that in at least one instance, Windows-based human-machine interfaces (HMIs) embedded in remote terminal units were also overwritten with KillDisk. The actors also rendered Serial-to-Ethernet devices at substations inoperable by corrupting their firmware. In addition, the actors reportedly scheduled disconnects for server Uninterruptable Power Supplies (UPS) via the UPS remote management interface. The team assesses that these actions were done in an attempt to interfere with expected restoration efforts.”

The report confirmed that every company hit by the attack was infected with the BlackEnergy malware, but avoided providing further details on the role played by the malware.

“Each company also reported that they had been infected with BlackEnergy malware; however, we do not know whether the malware played a role in the cyber-attacks. The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments. It is suspected that BlackEnergy may have been used as an initial access vector to acquire legitimate credentials; however, this information is still being evaluated. It is important to underscore that any remote access Trojan could have been used and none of BlackEnergy’s specific capabilities were reportedly leveraged.”


FighterPOS Malware Can Now Spread on Its Own


Brazilian POS malware gets worm-like features. A POS (Point of Sale) malware family has just taken a dangerous turn in its evolution after Trend Micro researchers observed that it has now gained the ability to replicate itself and spread to other local systems.

Called FighterPOS, this malware family was first seen in April 2015, when Trend Micro researchers discovered it targeting POS terminals in Brazil.

At that time, researchers speculated that FighterPOS was a one-man operation, probably run by a local Brazilian hacker. Trend Micro also reported that the person behind the malware used it to steal 22,000 credit card details and that its author was selling a version of his malware on the Dark Web for around $5,000 (€4,500).

FighterPOS evolves into Floki Intruder

Based on data picked up by their security products, the same Trend Micro experts are now reporting on a new variation of the FighterPOS malware family, which they dubbed Floki Intruder.

According to their investigation, this variant was not developed by the same person who created the original FighterPOS malware. It appears that the source code was sold to someone else, or that the hacker behind the first version may have joined forces with someone else.

File compilation details reveal that a different person put together Floki Intruder, a theory that is also reinforced by the fact that many source code functions and comments are now in English, not Portuguese as they were in FighterPOS.

Floki Intruder can replicate itself

Floki Intruder appears to be much more dangerous than the old FighterPOS version. The main difference is the presence of a worm-like feature that goes into effect after Floki infects a computer.

This worm-like feature will scan the local network for similar POS terminals, clone itself and infect those devices as well.

“Adding this routine, in a way, makes sense: given that it is quite common for PoS terminals to be connected in one network,” Trend Micro’s Erika Mendoza and Jay Yaneza explain. “A propagation routine will not only enable the attacker to infect as many terminals as possible with the least amount of effort, it will also make this threat more difficult to remove because reinfection will occur as long as at least one terminal is affected.”

Despite the presence of English code in the malware’s source, FighterPOS (Floki Intruder) has not moved outside Brazil. Over 93% of all FighterPOS infections are coming from Brazil while only 6% of infected terminals are located in the US.

Floki Intruder geographical spread




According to Huiqing Wang, the instructor of the IICS ethical hacking course, there are other tools for hacking the system, and backdoorme is one of them. Backdoorme is a utility capable of creating a backdoor on Unix machines. Backdoorme uses a Metasploit-like interface with more functionality. Backdoorme uses an existing SSH connection or the victim's credentials, through which a backdoor is transferred and deployed.

Backdoorme comes with a set of built-in backdoors, modules and auxiliaries. There are backdoors such as the netcat backdoor, the msfvenom backdoor and others. According to the ethical hacking course, modules can be used with any backdoor and serve to make backdoors more powerful, stealthier or easier to install. Auxiliaries are useful operations that can be performed to help with persistence.

To obtain the tool, clone its repository and change into the cloned folder:

git clone <backdoorme repository URL>

cd <cloned folder>




Different backdoors are available in backdoorme, according to Huiqing Wang, the instructor of the ethical hacking course.

remove_ssh backdoor: The remove_ssh backdoor removes the SSH server on the client. It is used at the end of a backdoorme session to remove all traces.

ssh_key/ssh_port backdoor: The ssh_key backdoor creates RSA keys and adds a new SSH port.

setuid backdoor: The setuid backdoor works by setting the setuid bit on a binary while the user has root access, so that when the user later runs the binary without root access, the binary is executed with root privileges. Note that root access is initially required to deploy this backdoor.

shell backdoor: The shell backdoor is a privilege-escalation backdoor similar to setuid. It duplicates the bash shell to a hidden binary and sets the SUID bit.

keylogger backdoor: Adds a keylogger to the system and emails the results.

simplehttp backdoor: Installs Python's SimpleHTTP server on the client.

user backdoor: Adds a new user on the client.

web backdoor: Installs an Apache server on the client.

bash/bash2 backdoor: Uses a simple bash script to connect to a specific IP and port combination and send the results.

metasploit: Uses msfvenom to create a reverse TCP binary on the target, then runs the binary to connect to a meterpreter shell.

netcat/netcat_traditional backdoor: The netcat backdoor uses netcat to provide the user with an interactive shell.

perl backdoor: The perl backdoor is a script written in Perl that redirects its output to bash and renames the process so it looks less conspicuous.

php backdoor: The php backdoor runs a PHP backdoor that redirects its output to bash. It does not automatically install a web server; instead, it uses the web module.

pupy backdoor: The pupy backdoor uses n1nj4sec's Pupy backdoor.

python backdoor: The python backdoor uses a Python script to execute commands and send the results to the user.

web backdoor: The web backdoor runs a PHP backdoor that redirects its output to bash and automatically installs a web server.


Different modules are available in backdoorme, according to the ethical hacking course.

Poison module: Performs bin poisoning on the machine and compiles an executable that calls a system utility and an existing backdoor.

Cron module: Adds an existing backdoor to the root user's crontab to run at a given frequency.

Web module: Sets up a web server and a web page that triggers the backdoor. Simply visit the site and the backdoor will start.

User module: Adds a new user on the machine.

Startup module: Allows backdoors to be spawned through the bashrc and init files.

Whitelist module: Whitelists IPs so that only those IPs can connect to the backdoor.

Unix servers are used in many companies, and there are many security vulnerabilities in Unix systems. There are many security measures that can be implemented to secure a Unix system. You can learn more about Unix security architecture and how to protect against tools like backdoorme during the ethical hacking course of the International Institute of Cyber Security.
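A defender-side check for the shell backdoor pattern listed above (a hidden copy of bash with the SUID bit set), added here as an example and not part of backdoorme or the course material. The directory tree it scans is a constructed fixture and the "shell" file is a stand-in, not a real binary; on a live host you would point it at / with the real shell paths.

```python
import hashlib
import os
import shutil
import stat
import tempfile


def sha256_of(path):
    """Content hash of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_suid_shell_copies(root, shell_paths):
    """Walk `root` and return (path, matching_shell, is_hidden) for every
    regular file that has the setuid bit set and whose content hash equals
    one of the known shell binaries in `shell_paths`. A legitimate setuid
    program such as passwd never hashes like a shell, so it is not reported."""
    known = {sha256_of(p): p for p in shell_paths if os.path.isfile(p)}
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: never follow symlinks
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
                continue
            digest = sha256_of(full)
            if digest in known:
                hits.append((full, known[digest], name.startswith(".")))
    return hits


def build_constructed_fixture(base):
    """Constructed sample tree (not a real system): a stand-in 'shell' file,
    a hidden SUID copy of it imitating the backdoor, and a benign SUID file."""
    shell = os.path.join(base, "bin_sh")
    with open(shell, "wb") as f:
        f.write(b"#!/bin/sh\necho stand-in shell\n")
    hidden = os.path.join(base, "tmp", ".cache")
    os.makedirs(os.path.dirname(hidden), exist_ok=True)
    shutil.copyfile(shell, hidden)
    os.chmod(hidden, 0o4755)  # rwsr-xr-x: the setuid bit the backdoor relies on
    benign = os.path.join(base, "usr_bin_passwd")
    with open(benign, "wb") as f:
        f.write(b"legitimate setuid program, different content\n")
    os.chmod(benign, 0o4755)  # setuid too, but not a shell copy
    return shell


def demo():
    """Run the check over the constructed fixture; returns the flagged paths
    relative to the fixture root with '/' separators."""
    with tempfile.TemporaryDirectory() as base:
        shell = build_constructed_fixture(base)
        hits = find_suid_shell_copies(base, [shell])
        return sorted(os.path.relpath(h[0], base).replace(os.sep, "/") for h in hits)


if __name__ == "__main__":
    for p in demo():
        print("suspicious SUID shell copy:", p)
```

Hash matching catches exact copies only; a patched or recompiled shell would need a broader rule, for instance flagging any setuid-root file outside the package manager's manifest.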




Databases can be a treasure trove of sensitive data. Normally most databases contain sensitive data: confidential data about companies, people, intellectual property, employees or customers. The data may include customer information, employee salaries, employee addresses, patient records, financial data, credit card numbers and much more. From the point of view of a database security company, the database of any company or organization is a system made up of a set of organized data, stored or structured in the cloud or on local servers, whose processing and access require applications that are authorized to modify or use it. According to database audit service consultants, concurrent access by multiple users without database security solutions entails many risks, such as loss or theft of data. According to a survey by a database security company, lost or stolen data, especially sensitive data, can cause brand damage, heavy fines, lawsuits and competitive disadvantage.

These risks force companies to take into account aspects such as database security and the implementation of database security solutions. Alternatively, companies can seek help from database security services that include backup and recovery in case of incidents caused by human error, natural disasters and, in many cases, cyber attacks.

Database security services involve protecting databases from improper activities that endanger the structure, availability, consistency and integrity of the database. In addition, personal data protection regulations require the implementation of database security solutions and services in order to comply with personal data protection law. Database security companies must achieve database security through procedures that make it possible to control access and to restructure or update the database according to the requirements of the applications without substantially modifying the design of the data model. Companies or organizations can implement a database security solution at the application level, the storage level or the database level, according to experts from database security companies. A database security solution implemented at the storage level (on disk or tape) protects against the risk of storage media being lost. But the same database security solution cannot protect against internal employees or infrastructure infected by malware.

A database security solution implemented at the application level is another option and provides the highest level of control. But the same database security solution cannot protect in the case that storage media are lost. In addition, implementing the database security solution at the application level requires many changes to the application and sometimes is not a viable approach.

Due to these complexities, many companies or organizations are choosing to get help from experts at database security companies so they can implement advanced solutions. These database security services provide security at the storage level, the application level and the data-in-transit level.



According to experts at IICS – International Institute of Cyber Security, database security solutions and services can add new levels of security to your company and help your company protect and manage confidential data effectively. The services should include database audit services and database security courses. Database security services will manage the confidentiality, integrity and continuity of business information, thereby increasing the credibility and reliability of the company. The following are some aspects and advantages of database audit services:

  • The database audit service includes penetration testing. This helps you put security controls in place on the databases.
  • The entire database infrastructure is subjected to the database audit services. Without the help of database audit services, you cannot know all the risks and vulnerabilities.
  • Database audit services help implement a monitoring system. The system has the ability to monitor and verify all activities. This system can discover any improper or erroneous activity.
  • Creation of processes to develop and maintain detailed information about the vulnerabilities and business risks of networks and applications.
  • They ensure the implementation of procedures for the management of cryptographic controls to safeguard and strengthen the database after the database audit services are completed.
  • Database audit services ensure the implementation and periodic execution of backup processes.
  • Generation of policies and procedures for the effective management of service providers and third parties.
  • They implement the business continuity, forensics and data recovery plan in case of a cyber attack.
  • The database infrastructure would be protected against fire, theft and other forms of physical damage. Database security services develop physical security and logical security policies.

With database security courses, you will learn to manage risks, security incidents and existing vulnerabilities, and to reduce the risk of non-compliance with personal data protection legislation. The following are some aspects and advantages of database security training:

  • You can increase efficiency by reducing the management costs linked to database security in large-scale environments, using the security management architecture taught during the database security training.
  • With the database security course, you can learn real-time database security skills with plenty of hands-on practice.
  • During the database security course you can implement security on real infrastructure and add higher levels of security.
  • Training and database security courses are customized so that they integrate easily with the deployed database management systems and other security solutions.
  • They teach the implementation of a high-assurance database encryption solution during the database security course.
  • In addition, topics such as simplifying data privacy compliance obligations, how to apply best practices and compliance standards, backups and backup automation are part of the database security course.


Snowden Says FBI can hack San Bernardino terrorist’s iPhone using acid and lasers


Edward Snowden joins the iPhone hack party, says FBI can use acids and lasers to hack it. Amidst the ongoing debate whether or not Apple should unlock the iPhone, or provide backdoor access to the iPhone belonging to one of the shooters of the San Bernardino shootings, Edward Snowden said that the government can gain access to San Bernardino shooter Syed Rizwan Farook’s iPhone 5c by using acid, lasers and other very delicate instruments without the assistance of Apple.


In court filings last week in which the Department of Justice requested a judge compel Apple to assist them in opening the phone, the government said, “The phone may contain critical communications and data prior to and around the time of the shooting that, thus far: (1) has not been accessed; (2) may reside solely on the phone; and (3) cannot be accessed by any other means known to either the government or Apple.”

Former NSA contractor and privacy activist Edward Snowden who appeared in a virtual talk at Johns Hopkins University said the third statement is not totally true.

“The problem is, the FBI has other means… They told the courts they didn’t, but they do. The FBI does not want to do this,” Snowden said during his talk.

Called “de-capping,” this extremely risky hacking method involves removing and de-capsulating the phone’s memory chip to expose it to direct, microscopic scrutiny and exploitation.

According to some security experts, performing the decapping hack should be technically possible. Decapping is a mechanism where the main processor chip of the phone is physically attacked to probe its contents. The process first uses acid to remove the chip’s encapsulation. After that, a laser drills down into the chip in an attempt to expose the portion of the memory that contains the iPhone’s unique ID (UDID) data. From there they would place tiny probes on the spot and read out the UDID bit by bit, as well as the algorithm used to untangle it.

Once the FBI has extracted the targeted data, they could load it onto a supercomputer and gear up to recover the missing passcode by simply trying all possible combinations until one unlocks the iPhone data. Since the process is done outside of iOS, there is no 10-try limit or self-destruct mechanism that can wipe the data.

The only drawback is that if at any point there’s even a slight mistake in the decapping or attack process, the chip could be destroyed and all access to the phone’s memory lost forever. This may be a major reason the FBI may not be willing to take the risk to recover the data this way and rather rely on a backdoor entry via Apple.

On the other hand, Apple doesn’t seem to be willing to break into that iPhone, and Apple CEO Tim Cook says that, even though “we mourn the loss of life and want justice for all those whose lives were affected,” the fact that the FBI wants to create a backdoor that can be installed on every phone is still a security threat.

“The FBI may use different words to describe this tool, but make no mistake: Building a version of iOS that bypasses security in this way would undeniably create a backdoor. And while the government may argue that its use would be limited to this case, there is no way to guarantee such control,” Cook pointed out.

By the end of the week, the company is set to file its legal response to the FBI’s court order, though Tim Cook has said he wants the government to drop the order and let a federal commission make the decision.


Hezbollah-Affiliated Hackers Breach Israeli Security Camera System


Hackers tap into feeds from Israel’s Defense Ministry. Qadmon (or Kadimon), one of Hezbollah’s hacking units has revealed it managed to breach many of Israel’s CCTV systems, having had access to camera feeds from various government buildings, Israeli news sites Ynet and Times of Israel report, quoting a news broadcast of Hezbollah-linked al-Manar TV station.

Qadmon, whose name translates from Arabic as “We’re Coming”, claims to have accessed live video feeds from cameras inside government buildings in Tel Aviv and Haifa.

The group says its prize target was the Defense Ministry’s Kirya compound in Tel Aviv, from where the hackers also provided screenshots to al-Manar reporters, along with an interview.

Data on the provided screenshots revealed the breach took place on February 14. The news report was also accompanied by a quote from the group’s members who said “We will reach you even if you are in your offices. The next step will be greater.”

Qadmon members also bragged about breaking into over 5,000 Israeli websites during the past year, some of which contained information about Israeli security forces.

Qadmon formed in 2013, has evolved over time

The group, which appeared on the hacking scene in 2013, has grown tremendously in capabilities since its early days. In its beginnings, Qadmon hackers were spotted defacing unimportant Israeli sites and taking over Facebook accounts for random Israeli citizens.

Most of the attacks were timed to coincide with the death of Lebanese militants, killed by Israeli forces, and had little effect, except to annoy its targets.

Israeli officials have not acknowledged the incident, but Israel rarely does. Hezbollah is a paramilitary group that originates from Lebanon. Some consider it a terrorist group, others consider it a political party. Views depend on each person’s stance on the Israeli-Arab World conflict.

It is no surprise to see Hezbollah developing a cyber-division, especially after ISIS (Daesh) hackers created quite some trouble for US forces in cyberspace.

US School Agrees to Pay $8,500 to Get Rid of Ransomware

Ransomware shuts down school website for a week. Administrators of the Horry County school district (South Carolina, US) have agreed to make an $8,500 / €7,600 payment to get rid of a ransomware infection that has affected the school’s servers.

The ransomware took root during the past week, on Monday, February 8, and affected 25 servers that stored information for Horry County elementary schools, WBTW reports.

Immediately after school employees noticed problems accessing their data, its IT personnel took down all servers to prevent the ransomware from spreading to more computers. Shutting down the servers affected the school’s online services.

Ransomware asked for 20 Bitcoin

School officials discovered that the ransomware asked 0.8 Bitcoin per computer, for a total of 20 Bitcoin. The school’s IT staff said the ransomware penetrated their network through an older server running outdated equipment.

Local South Carolina law enforcement and the FBI were brought in to investigate, but as in many similar cases, they could do little to help.

After spending countless hours trying to find a way around the ransomware’s encryption, and failing, the school’s administration approved, on Monday, February 15, a payment that would cover the ransom demand.

Local newspapers reported that the school initially had trouble making the payment because the sum needed to be converted into Bitcoin, something for which legal paperwork was needed.

Everything is now up and running

At the time of this article, the school’s website is up and running, meaning that the payment went through and the school received the decryption keys that allowed them to recover their files and return their network online.

Coincidentally, when the ransomware incident happened, the school’s administration was looking into hiring an outside security provider.

About the same time this was happening on the East Coast, a similar, more high-profile incident was in full swing on the West Coast. On the same day, February 15, the Hollywood Presbyterian Medical Center in Los Angeles approved a $17,000 payment to free its IT network of a ransomware infection that almost shut its operations in the previous week.