Archive for November 2016

Gooligan Malware Breaches 1M+ Google Accounts

A resurgent Android malware has already breached more than a million users’ Google accounts—and is infecting an estimated 13,000 devices per day.   

The campaign, which Check Point Software dubs Gooligan, roots Android devices and steals the email addresses and authentication tokens stored on them. With this information, attackers can access users’ sensitive data from Gmail, Google Photos, Google Docs, Google Play and G Suite.

It also generates revenues for the criminals by fraudulently installing apps from Google Play and rating them on behalf of the victim. Every day, Gooligan installs at least 30,000 apps on breached devices, or over 2 million apps since the campaign began. And to make things worse, many of the apps are part of the Ghost Push family.

Gooligan targets devices on Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which represent nearly 74% of Android devices in use today. The infection begins when a user downloads and installs a Gooligan-infected app on a vulnerable Android device, or clicks on malicious links in phishing attack messages.

“This…represents the next stage of cyber-attacks,” said Michael Shaulov, head of mobile products at Check Point. “We are seeing a shift in the strategy of hackers, who are now targeting mobile devices in order to obtain the sensitive information that is stored on them.”

The Google security team has contacted affected users and revoked their tokens, removed apps associated with the Ghost Push family from Google Play, and added new protections to its Verify Apps technology.

“We appreciate Check Point's partnership as we’ve worked together to understand and take action on these issues,” said Adrian Ludwig, Google’s director of Android security. “As part of our ongoing efforts to protect users from the Ghost Push family of malware, we’ve taken numerous steps to protect our users and improve the security of the Android ecosystem overall.”

Aaron Lint, vice president of research for Arxan, said that there’s a big lesson here for mobile app providers as well.

“This malware is ruling the phone and speaks to the importance of validating the mobile environment your applications run on,” he said, via email. “Your applications have a leg up if they can detect when rooting exploits have applied, causing the end user to be more susceptible to fraud and loss. Having that telemetry in your application can permit your risk prevention measures to be aware of users which have these compromised devices. Your business can respond with extra monitoring, password and credential revocation, or even notifying your customers that they are at risk.”

Check Point’s Mobile Research Team first encountered Gooligan’s code in the malicious SnapPea app last year. In August 2016, the malware reappeared with a new variant and has become virulent. About 40% of the affected devices are located in Asia and about 12% are in Europe.

Check Point is offering a free online tool that allows users to check if their account has been breached.

“If your account has been breached, a clean installation of an operating system on your mobile device is required,” added Shaulov. “This complex process is called flashing, and we recommend powering off your device, and approaching a certified technician or your mobile service provider, to re-flash your device.”

Source: Information Security Magazine

UK IT Pros: 'We're Losing Control Over Cloud Services'

Almost two thirds (60%) of UK business leaders believe the management of technology is shifting away from IT to other departments as more cloud services are adopted—resulting in some significant security trade-offs.

According to a region-specific survey from VMware, leaders from across the business believe this is causing a duplication of spending on IT services (63%), a lack of clear ownership and responsibility for IT (62%) and the purchasing of unsecure solutions (59%).

Furthermore, this decentralization movement is happening against the wishes of IT teams, the majority (67%) of which want IT to become more centralized. In particular, IT leaders feel that core functions like network security and compliance (79%), disaster recovery/business continuity (46%) and storage (39%) should remain in their control.

That said, the decentralization of IT is delivering real business benefits too, including the ability to launch new products and services to market with greater speed (56%), giving the business more freedom to drive innovation (63%) and increasing responsiveness to market conditions (59%). There are also positives from a skills perspective, with the shift in technology ownership beyond IT to the broader business seen to increase employee satisfaction (53%) and help attract better talent (37%). This indicates that finding a way to address the aforementioned challenges will soon be a requirement.

“It’s ‘transform or die’ for many businesses, with a tumultuous economic environment and radically evolved competitive landscape upturning the way they operate,” said Joe Baguley, vice president and CTO, EMEA, at VMware. “Managing this change is the great organizational challenge companies face. The rise of the cloud has democratized IT, with its ease of access and attractive costing models, so it’s no surprise that lines of business have jumped on this opportunity. Too often, however, we’re seeing this trend left unchecked and without adequate IT governance, meaning that organizations across EMEA are driving up costs, compromising security and muddying the waters as to who does what, as they look to evolve.”

The survey also found that more than three-quarters (77%) believe that IT should enable the lines of business to drive innovation, but must set the strategic direction and be accountable for security—highlighting the balance to be struck between the central IT function retaining control while also allowing innovation to foster in other, separate areas of the business.

“This isn’t ‘shadow IT’ anymore, that’s yesterday’s story—this is now ‘mainstream IT’,” added Baguley. “The decentralization movement is happening, driven by the need for speed in today’s business world: we’ve never seen such a desire for new, immediately available applications, services and ways of working. By recognizing these changes are happening, and adapting to them, IT can still be an integral part of leading this charge of change. The latest technology or application will only truly drive digital transformation when it’s able to cross any cloud, to be available at speed and with ease, within a secure environment.”

The UK results mirror those from a broader VMware survey showing that the security ramifications are significant: 57% of global respondents agree that decentralization has resulted in the purchasing of non-secure solutions. Another 60% agree decentralization results in applications being developed outside of corporate or government regulations, while 56% agree decentralization results in lack of regulatory compliance of data protection.

Source: Information Security Magazine

Cobalt Group Linked to ATM Jackpotting Across Europe

A cyber-criminal collective known as the Cobalt Group is suspected to be behind the ATM malware “touchless jackpotting” attacks across 14 countries in Europe, including Netherlands, Russia, Britain, Poland, Romania and Spain.

According to analysis from Comodo Labs, hackers typically initiate an infection using phishing attacks to gain access to the bank’s network. From there, they pivot through the network to gain access to an ATM’s individual system and plant the bad code. Once the malware is installed, the team can simply send a remote command to specific ATMs to spit out cash. This money is then collected by money mules, who get a share of the whole amount collected.

“In this attack, the cyber criminals themselves did not have to go to the individual ATM machines to plant the malware,” Comodo explained, in a blog. “From the server, they spread the malware to specific ATM machines across Europe…The malware is so potent that once it just enters the financial network of any bank, it can spread to the server.”

The firm also thinks that there could be a link between Cobalt and Buhtrap, another cyber-criminal group that works on similar kinds of attacks. Buhtrap, known for stealing money through fraudulent wire transfers, has been testing ATM hacking techniques on Russian banks, and will soon look to try them out on financial institutions in other countries, according to the FBI. The FBI also recently said that it was “monitoring emerging reports indicating that well-resourced and organized malicious cyber-actors have intentions to target the US financial sector,” including ATM jackpotting attacks.

“These kinds of attacks are dangerous as the complete attack happens logically; physical presence is not involved,” the Comodo team said. “When cyber-criminals infected the banking servers, they have also been able to compromise the SWIFT (a secure messaging provider) system to issue fraudulent money transfers through the SWIFT system.”

To thwart their efforts, employee education is an obvious place to start. Training on cybersecurity measures, various types of malware attacks—phishing, spear phishing, spoofed mails, etc.—and how to identify fraudulent emails should be front and center. It’s also advisable to place ATMs in buildings that can be completely covered by security cameras, to deter money collectors who would get recorded on the cameras.

And, of course, updating ATM operating systems with the latest patches and employing effective security systems to detect and block malicious activity in real-time are other best practices.

Source: Information Security Magazine

Security Products Riddled with Bugs

Nearly a quarter of the top 20 products with the most vulnerabilities in the period August-October this year were security software, according to new research from Flexera Software.

The vendor’s Secunia Research team studied the top 20 in each month – comprising a total of 46 products across the report period.

Some 11 of these were security products from some of the world’s biggest and best known vendors including IBM, McAfee and Palo Alto Networks.

Part of the problem lies with open source and third party components, which are often reused in code without adequate checks to ensure there are no bugs present.

Jeff Luszcz, vice-president of product management for Flexera’s Software Composition Analysis solutions, explained that open source components comprise as much as half of the global code base.

“As the Heartbleed open source vulnerability reminds us, vulnerable open source components built into software products can cause global disruption if they are not discovered and patched prior to delivering software products to customers,” he added.

“Every software and IoT producer must understand these risks, and leverage technology to automate open source component scanning, governance and vulnerability management.”

The findings reflect research from Forrester released in October which revealed a host of security issues in products from many top vendors including FireEye, Symantec, Cisco and Fortinet.

The latest Vulnerability Update from Flexera also warned of the growing risk from commonly used browser and PDF readers.

To illustrate the point, seven such products appeared at least once on the top 20 products with the most vulnerabilities during the report period, the firm claimed.

Secunia Research reported a whopping 16,081 vulnerabilities across more than 2400 products and 263 vendors in 2015 alone.

Some 1114 vulnerabilities were discovered in the five most popular browsers – Chrome, Mozilla Firefox, Internet Explorer, Opera and Safari – and 147 bugs were discovered in the most popular readers: Adobe Reader, Foxit Reader, PDF-XChange Viewer, Sumatra PDF and Nitro PDF Reader.

Source: Information Security Magazine

National Lottery: Over 26,000 Accounts Compromised

The accounts of over 26,000 National Lottery players have been compromised, resulting in the potential theft of sensitive personal information, operator Camelot has revealed.

The firm said in a statement that it picked up unusual activity on the accounts on Monday as part of its security monitoring.

However, it was at pains to point out that no National Lottery core systems had been affected and no money had been deposited or withdrawn from the affected accounts.

It continued:

“We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details.

“We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited. However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.”

Some 26,500 accounts are believed to have been accessed, with activity subsequently taking place in 50 of those – although Camelot admitted this could have been by the account owners rather than the hackers.

Nevertheless, it has suspended those accounts and instigated a compulsory password reset on all 26,500.

This is the latest in a long line of attacks likely facilitated because consumers frequently reuse credentials across sites.

Deliveroo last week blamed a widespread fraud campaign against its customers on that very practice, while the iCloud calendar and photo sharing spam deluge spotted over the past few weeks is likely to have come about after hackers got hold of users’ iCloud-linked email addresses.

Chris Hodson, EMEA CISO at Zscaler, argued the fact that no payment data was taken shouldn’t lessen the impact of the breach.

“Confidential data can still be used to build a false customer profile or commit subsequent fraud at scale,” he added.

“To mitigate risks in the short-term, account holders should update passwords and avoid using the same password across multiple sites. Instead they should consider using a password vault to store a variety of different, and more complex passwords without becoming reliant on the security of corporate enterprises.”

Ollie Whitehouse, technical director at NCC Group, argued that all companies which store online passwords have a responsibility to do so “in a manner which cannot easily be recovered and reused by threat actors if they are breached.

“Companies are increasingly consuming post-breach threat intelligence of other companies to mitigate the effects against their services,” he added. “If this had been done in this instance the impact would have likely been far less.”

Source: Information Security Magazine

Cisco Extends Bug Disclosure to 90 Days

Cisco’s Talos threat intelligence business has decided to extend its bug disclosure window from 60 to 90 days in a bid to give vendors more time to patch their products.

The firm decided on the new disclosure window after consulting the vendor community and its own data on average times to patch, according to the firm’s Mitch Neff.

As it now stands, the vendor will be contacted once on “day zero” and then again a week later. If they are still unresponsive after 45 days a vulnerability report will be forwarded to Carnegie Mellon Computer Emergency Response Team (CERT).

The vendor will then have a further 45 days to respond before public disclosure of the bug.

However, Neff confirmed that “extenuating circumstances, such as threats of any nature, may result in adjustments to disclosures and timelines either forward or backward.”

Cisco’s change of heart is partly down to data it pulled from previous bug reports, which illuminates the difference between open source and commercial communities.

The industry average time to patch stood at 78 days, with open source (42 days) appearing far more responsive than commercial (> 80 days).

However, breaking down the latter revealed those “leading” commercial vendors are actually doing better than their open source rivals – averaging 38 days.

It’s the “lagging vendors” which drag the overall commercial figure down, taking 113 days on average to patch.

“Interestingly, several large commercial vendors of consumer software were found in the Leading category. The most responsive of these vendors were noted as ‘Quick Turn-around Commercial’ vendors in our data – and they share some common traits,” explained Neff.

“All are large commercial vendors of popular consumer software, have taken a public stance on product security, and have active bug-bounty programs. This indicates these companies have invested heavily in product security and take that security seriously.”

Source: Information Security Magazine

Celebs, Politicos Caught in Swiss Bank Account Blackmail

Celebrities, high-net-worth individuals and politicos are in extortionists’ crosshairs: A group of unidentified hackers is threatening to publish Swiss bank account information.

According to Reuters, the group more specifically has hit the high-end Valartis Bank Liechtenstein, located in the Alpine principality that lies between Switzerland and Austria. The bank was formerly part of the Swiss-listed Valartis Group—but was recently sold to a Hong Kong-based holding company known as Citychamp Watch & Jewellery Group.

The outlet reports that blackmailers have found their way into the Liechtenstein bank's system and obtained customer account information, including that of many Germans—and are demanding 10% of the account balances, to be paid in Internet cryptocurrency Bitcoin.

The bank has not yet responded to requests for comment on the matter.

The approach differs from most financially motivated bank hacks, according to independent security researcher Graham Cluley.

“In a typical bank heist, the attackers either raid affected customers' accounts outright or they abuse something like the SWIFT platform to fraudulently transfer money to an account under their control,” he said, in a blog. “[Here], the hackers want money from the bank's customers, or else they'll leak their account information online…The potential for fraud ultimately rests online, where an actor can abuse someone's bank account number and routing number to submit an Automated Clearing House (ACH) transaction.”

It’s an interesting gambit—if having the account info were such a threat to customers’ financial security, why wouldn’t the hackers simply use that information to drain the accounts entirely rather than asking for a 10% cut?

“Different countries have different ways of allowing people to withdraw money from their bank accounts,” Cluley said. “To process that kind of transaction, a criminal needs to have a valid bank account number and the routing number for the financial institution at which that account is held. But depending on how they attempt to withdraw money, they might need a physical card or photo identification.”

One answer could be the potential for getting caught.

“A bank can technically detect suspicious transactions through the use of anti-fraud measures,” Cluley noted. “It could alert the user, for example, if they detect a money withdrawal from another country, but as we all know, bad actors can circumvent that obstacle through the use of the VPN.”

As for what to do, disabling online transactions will at the very least help prevent remote actors from stealing account holders' money, he added.

Source: Information Security Magazine

Mirai Again: DT Outage a Precursor to Larger DDoS Attack

The Mirai botnet strikes again: Researchers say that the internet of things (IoT) specialist network is behind the outage that affected 900,000 Deutsche Telekom customers this week.

According to analysis from cybersecurity company Tripwire, that outage was just the tip of the iceberg: It was caused by an attempt to hijack customers’ router devices for a wider Internet attack, one that would be similar to the huge Internet outage in October that wreaked havoc across the web.

For now, the downtime at DT has affected businesses and private users all over Germany as well as telephony and television services.

Craig Young, security researcher at Tripwire, has carried out research into the outage by analyzing strings from the attack binaries. He has been able to confirm the attack was definitely carried out by the Mirai malware. He also said that one of the main servers used in the attack infrastructure is registered out of Kiev, under the name Peter Parker (famously, Spider-Man’s real name). 

“After a system is infected, Mirai deletes the original malicious binary and relocates itself to blend in with normal system items,” Young said, via email. “Mirai also attempts to block access to the vulnerable remote management protocol, thereby preventing subsequent attack/infection and also making it that much harder for ISPs to forcibly reset devices.”

Young was also able to look at the general topology of the botnet.

“The attackers have built the payload for multiple architectures,” he said. “As of this morning however, the malware available on the C&C server is instead downloading and running a script which attempts to run a payload from each of seven architectures until one succeeds.”

Previously infected systems are not running the new variant, which Young said would imply that the controller has not (or cannot) update the malware on already deployed systems. 

This week’s router hijackings offered no geographic pattern (other than being confined to DT’s German terrestrial network) and had the effect of slowing and hampering customers’ broadband service in varying degrees.

Mirai’s source code is open, so any bad actor out there can download it and get to work. This has led to a range of attackers with varying ability levels carrying out attacks. One particular group, operating what has been dubbed Botnet 14, has taken on significantly bigger targets than most of the Mirai dabblers out there, and is believed to be responsible for the Dyn attack in October. Mirai typically carries out DDoS attacks, but other types of offensives—like this week’s attempts to hijack the DT routers to pave the way for a large DDoS campaign—are obviously in its wheelhouse.

Source: Information Security Magazine

380,000 xHamster Account Details Traded on Digital Underground

Account details belonging to hundreds of thousands of users of porn website xHamster are being traded on the digital underground.

That’s according to Vice’s Motherboard, which claimed it received a database of almost 380,000 users from for-profit breach notification site LeakBase which included usernames, email addresses and what look like poorly hashed passwords.

Despite xHamster being a free porn site, users do have the option to create their own collections, post comments and upload videos, but to do so they need to sign up with their credentials first.

Motherboard confirmed that the email addresses within the database appear to be legitimate and correspond to existing xHamster accounts. The publication selected 50 at random and tried to create new accounts on the site with them, but received a message for each stating the email address was already being used. What’s more, almost all of the related usernames seem to be taken too.

LeakBase told Motherboard the data was being traded at around the same time a hacker found a vulnerability in xHamster's website earlier this year. However, it is not currently known exactly how this database was obtained.

“Data leaks are becoming increasingly commonplace as the digital world advances and digital assets become more lucrative to sell on the dark web,” Claire Stead, online safety ambassador at Smoothwall, told Infosecurity. “Companies now have a wealth of data on their users, and a lot of damage can be done even with the simplest of information such as an email, name or password.”

Companies that collect data and deal in sensitive issues should ensure that they have the latest technologies in place to protect their users, otherwise they risk seriously harming their reputation and also put their users at risk outside of their organization, she added. 

“Likewise, users should protect themselves by refreshing their passwords on a regular basis, ensuring they remain complex and impersonal.”

Source: Information Security Magazine

Muni Ransomware Attacker is Hacked

The hacker responsible for a major ransomware attack on San Francisco’s “Muni” rail network has earned over $100,000 from multiple attacks over the past few months, it emerged after he himself was hacked.

An unnamed security researcher managed to crack the email account posted by the attacker in his message to the San Francisco Municipal Transportation Agency (SFMTA) on Friday, according to Krebs On Security.

Guessing the secret question apparently allowed the white hat to reset the account password.

That account revealed a ransom message sent on Friday to an SFMTA infrastructure manager and details from more than a dozen Bitcoin wallets, suggesting he has managed to extort over $140,000 from companies since August.

It also appears as if his main targets were US manufacturing and construction companies, the majority of which paid a ransom of around one Bitcoin ($730) per server.

The attacker used open source tools to scan for internet-connected machines vulnerable to exploit, with Oracle servers, including Primavera project portfolio management software, particularly favored.

Some companies would even pay up extra Bitcoins in return for information on how they were hacked, the report claimed.

Over 300 addresses linked to an attack server used by the black hat appear to be based in Iran, although a contact number is for a Russian mobile.

It appears as if the hacker will be out of luck this time, as the SFMTA has claimed it will not be paying the ransom.

A lengthy note on Monday had the following:

“The SFMTA has never considered paying the ransom. We have an information technology team in place that can restore our systems, and that is what they are doing.

Existing backup systems allowed us to get most affected computers up and running this morning, and our information technology team anticipates having the remaining computers functional in the next day or two.”

However, the outage over the weekend – which affected “900 office computers” – and the resulting lost revenue should be a reminder of the need for improved layered security at gateway, endpoint, network and server to combat the threat of ransomware.

Source: Information Security Magazine