Kaspersky, of all companies, has found something utterly shocking: an advanced cyber espionage network that makes last year's infamous Flame malware look like a joke. Dubbed Operation Red October, each attack is handcrafted for its victim to make sure it works 100%.
Red October has been hitting systems across the world since at least May 2007 and carefully chooses its victims: people in over two dozen countries who hold positions in government, military, aerospace, research, trade and commerce, nuclear, oil and other vital industries. Investigators aren't sure who is behind the attacks, but it is being reported that Chinese hackers may have created the exploits, while the various malware modules deployed seem to have been created by Russian speakers.
Kaspersky can't put its finger on the source, as the operation is currently being run through at least two layers of proxy servers across Russia, Germany and Austria. Whoever is involved has some skill, as they've been sitting silently, unknown to the users, in major government and industry computers.
Late last month, Internet Explorer was discovered to have a vulnerability that would allow hackers to gain control of a Windows PC. For the exploit to work, users had to be running an older version of the browser, specifically versions 6 to 8, and have visited a malicious website.
Microsoft attempted to remedy the problem with various workarounds and a "one-click fix," all of which are temporary measures. Normally, bugs and exploits like this would be addressed during Microsoft's regularly scheduled Patch Tuesday, so when the fix didn't arrive then, IT professionals began to wonder when it would.
We now have the answer: today. The patch should be available through Windows Update and marked as 'Critical', meaning it will be automatically installed, as long as the user has Automatic Updates enabled. If you use an older version of Internet Explorer, pre-version 9, you should make sure you install the update, especially if you don't have Automatic Updates enabled.
There's a new exploit on the block which has pushed security experts to recommend that users disable or uninstall Java altogether after they've found a zero-day Java exploit which lets hackers gain control of your PC.
The exploit targets a vulnerability left open in Java 7 Update 10, which was released in October 2012. The exploit works by getting Java users to visit a website that has malicious code, which takes advantage of a security gap to take control of users' computers.
Just after this story broke, Oracle pushed out Java SE 7 Update 11 which supposedly addressed the exploit. Oracle "strongly recommends" that Java SE 7 users upgrade immediately.
The tragic supposed suicide of digital activist and Reddit co-founder Aaron Swartz happened just days ago, and now Anonymous has stepped into the ring to play [hacking] ball. They left a tribute message to Swartz, which says:
We tender apologies to the administrators at MIT for this temporary use of their websites. We do not consign blame or responsibility upon MIT for what has happened, but call for all those who feel heavy-hearted in their proximity to this awful loss to acknowledge instead the responsibility they have - that we all have - to build and safeguard a future that would make Aaron proud.
The link to see it is here, and at the time of writing wasn't loading. I'm sure MIT will have the site updated shortly.
During the 2012 holidays, PayPal's website was the most phished, receiving nine times more phishing sites than the next closest site. According to data from Trend Micro, PayPal had 18,947 phishing sites created during December 2012. Wells Fargo, the second-place site, only had 2,049, a far cry from PayPal.
Trend Micro says shopping online, while more convenient, puts you at a much greater risk of having your personal information stolen. Often, these phishing sites install malware onto the unlucky user's system. This year's malware for the PayPal sites was TROJ_QHOST.EQ, while Citibank sites infected users with WORM_CRIDEX.CTS.
Doctor Web researchers have discovered a Trojan app in the Google Play store. The app disguises itself as the Google Play Store by using the same icon, and then launches the real Play Store after being tapped. When opened, it connects to a command and control server, whereupon it relays the number of the device it is installed on.
The C&C server then relays commands to the device via text message. Android.DDoS.1.origin can launch DDoS attacks against targets or send spam texts to people, such as those in the device's contacts. Doctor Web says the app can cause the phone to lag and increase the owner's bill by texting premium numbers, a method hackers use to generate revenue from apps like these.
Over the weekend, XDA-Developers forum members discovered a bug showing that Samsung devices running Exynos processors could be hacked with a kernel-level exploit. In other words, a serious vulnerability. Samsung has told Android Central that it intends to fix this bug as quickly as possible, which is important when there are so many vulnerable devices around.
Samsung is aware of the potential security issue related to the Exynos processor and plans to provide a software update to address it as quickly as possible.
The issue may arise only when a malicious application is operated on the affected devices; however, this does not affect most devices operating credible and authenticated applications.
Samsung will continue to closely monitor the situation until the software fix has been made available to all affected mobile devices.
In the meantime, Samsung suggests that users only use official markets to limit their exposure, though it doesn't make them completely safe. With spam botnets making the rounds via sketchy apps, it's important that Samsung get this fixed up quickly.
Mobile security firm Lookout has found a botnet, which it is calling SpamSoldier, as of December 3. The threat was detected with the help of one of Lookout's carrier partners, though Lookout has not said which. The botnet spreads through text messages and has not been detected on any major app store.
Two, of many, spam campaigns are shown below:
You've just won a $1000 Target gift card but only the 1st 1000 people that enter code 7777 at hxxp://holyoffers.com can claim it!
Download Grand Theft Auto 3 & Need for Speed Most Wanted for Android phones for free at hxxp://trendingoffers.com for next 24hrs only!
The link downloads an app which installs SpamSoldier and removes its icon from the launcher so you won't see it. Often it also installs the free version of the game so that you won't notice anything else has been installed. SpamSoldier, meanwhile, sends out spam in the background using your phone's SMS functions.
The malware attempts to remain hidden by deleting the outgoing texts and by attempting to intercept incoming replies to the texts it sent out. It gets a list of 100 US numbers and the message body from a command and control server, spams those numbers, then connects back to the C&C for more numbers.
Of course, the main message here: never trust those unsolicited text messages, especially if they contain links.
Apple quick to update malware definitions, takes just two days after first OS X fake installer found
Apple, normally a company somewhat lax on security, seems to be stepping up its game. Just two days after a fake-installer malware was found for Mac OS X, Apple has updated the definitions in its Xprotect.plist. This is a much faster response than Apple has managed in the past, and it should definitely be applauded for acting so quickly.
The malware asks users to enter their mobile number for verification and activation. They then have to enter a code that is texted to the device to continue the installation. Once a user inputs that code, their mobile account is billed for an ongoing subscription. After this, the app either installs the application it pretended to be or spits out garbage.
Either way, the scammer has already made his money. This scheme has been used on Windows for a while now, though it's not clear how many people would actually input their phone number. Clearly enough people do, as the scam is still around and Apple was quick to block it. The malware is detected as "Trojan.SMSSend.3666" by Doctor Web.
Oops, it looks like Microsoft's security may not be quite as good as everyone seems to think it is today. While it is massively better than it used to be, a newly discovered vulnerability in Internet Explorer allows hackers to track your mouse movements across the screen, possibly allowing them to record what you enter on a virtual keyboard.
No longer will you be safe from keyloggers, nor from advertising companies, apparently. Spider.io discovered the vulnerability in Internet Explorer versions 6 to 10 and told Microsoft about it back in October, but has now gone public with the information. Microsoft recognizes the problem, but has said there are no current plans to fix it.
Apparently, web analytics companies are making use of the vulnerability to track mouse movements. The movements can be tracked even when the IE tab is minimized. This is just another reason not to use Internet Explorer, especially considering that Microsoft knows about the vulnerability and isn't planning on fixing it right now.
The times are changing and what better way to illustrate this than by telling you how many cyber attacks the Navy sees every hour? The number, by the way, is 110,000, at least according to HP. HP should know, too, as they run the Navy Marine Corps Intranet (NMCI) and protect it from intruders.
At HP's Discover event in Frankfurt, Mike Nefkens, head of enterprise services at HP, told V3, "For the US Navy we provide the network for 800,000 men and women in 2,000 locations around the world, protecting them against 110,000 cyber attacks every hour. This means the attacks average out at about 1,833 per minute or 30 every second."
Wow. Let me grab a calculator. 24 * 365 * 110,000 = 963,600,000. That works out to 963 million attacks every year. That's an incredible number and really illustrates that our nation needs to secure its IT infrastructure more than anything else.
Good news, at least: two months ago, the FBI decided to work 24/7 investigating hackers and network attacks, but even that might not be enough if the Navy alone is seeing that many attacks. Add in the other three branches of the armed forces, and then all of the other government services, and you start to see the real scale of the problem.
Windows users beware: cybercriminals are at it again and are trying to get you to download and install malware. The new trick relies on forged iTunes invoices and IRS warnings, and aims to get you to question the charges so that you'll infect your system with malware and hand over your banking details.
The scam is just about as elaborate as those fake Windows tech support calls, so we'll try to explain it all. It begins with a fake Apple iTunes invoice being e-mailed to you. The invoice is for a Postcard that supposedly cost you $699.99. The links, if you dare to click them, lead you to this weird IRS prompt:
If you see this and your system isn't completely patched, the Blackhole exploit kit will have you infected in no time. Should you decide to update your browser, you'll download a file called "upload.exe," which is the Zeus Trojan. Zeus is a keylogger and aims to log your bank credentials.
Be warned, stay fully patched, and never click on links in suspicious e-mails.
The hacker collective Anonymous has reportedly emailed members of the British police force asking them to "join us", and yes, it's serious. The group hacked into the UKPoliceOnline forum, stole the email addresses of police officers, and then emailed them a manifesto which reads like a recruitment message:
We know that most of you are working-class people, like the majority of us, and that you too have mortgages, student loans, or your children do, and other debts as well. Don't defend the traitors against us, your fellow citizens. We offer you our hands in friendship. Join us.
Why Anonymous did this, we don't know, but it is definitely an interesting turn of events. Anonymous looks to be appealing to the human side of these officers; after all, they're in debt just as much as the next person. We've seen what police and hired enforcers can do to Occupy Wall St and at the various riots in the EU lately. Maybe this is a step toward Anonymous and the police working together, or maybe it's just a huge troll.
Gary McKinnon hacked NASA looking for proof of UFOs, won't be extradited to the US due to Asperger's
UK citizen Gary McKinnon hacked NASA, US Army and US Navy systems, to the point of effectively crippling the entire network of the US Army's Military District of Washington. This attack had their systems down for 24 hours and affected over 2,000 computers across many states.
At the same time, he gained access to a US Army server responsible for managing 2,455 accounts, causing the systems to reboot and become inoperable. McKinnon hacked these systems over ten years ago, and British officials are now refusing to send him overseas due to concerns that he may commit suicide, based on evaluations of McKinnon, who suffers from Asperger's Syndrome and "depressive illness".
Because McKinnon's potential sentence is estimated at 60 years, UK officials say that this, combined with his depressive illness, would push McKinnon to take matters into his own hands. It has gone as far as the UK pushing this as a matter of human rights.
More proof of cyber espionage has surfaced with the discovery of miniFlame, a virus that is small and highly flexible. miniFlame is designed to control systems and steal data and was originally discovered in July 2012. When first discovered, it was thought that the virus was simply a module for the Flame virus.
However, further analysis has shown that the "module" is actually an "interoperable tool that could be used as an independent malicious program, or concurrently as plug-in for both the Flame and Gauss malware." Kaspersky research suggests that there were several versions built during 2010 and 2011, some of which are still on infected machines.
Alexander Gostev, Chief Security Expert, Kaspersky Lab, commented: "miniFlame is a high precision attack tool. Most likely it is a targeted cyberweapon used in what can be defined as the second wave of a cyberattack. First, Flame or Gauss are used to infect as many victims as possible to collect large quantities of information. After data is collected and reviewed, a potentially interesting victim is defined and identified, and miniFlame is installed in order to conduct more in-depth surveillance and cyber-espionage. The discovery of miniFlame also gives us additional evidence of the cooperation between the creators of the most notable malicious programs used for cyber warfare operations: Stuxnet, Duqu, Flame and Gauss."
US Secretary of Defense Leon Panetta warned on Thursday, during a speech on cybersecurity, that the agency is aware of foreign hackers who have remotely gained access to control systems for vital American infrastructure, such as chemical, electricity and water plants.
We know that foreign cyber actors are probing America's critical infrastructure networks. We know of specific instances where intruders have successfully gained access to these control systems.
Panetta also warned that recent cyberattacks on US financial institutions have been "unprecedented" in both their scale and speed. If you're a reader of our site, you might remember us reporting in August that the world's largest oil company, Saudi Aramco, was cyber-attacked.
The Kauffman Center for Performing Arts is set to host hackathon Compute Midwest (CMW), which is a 2.5-day event happening on November 9 to 11 in Kansas City. What makes this stand out is that the event will be powered by Google Fiber.
CMW has told The Next Web that more than 100 developers will come together at the Google Fiber space to build apps overnight, where they could be up for thousands of dollars in prizes. There are multiple categories to compete in, but CMW should have developers excited to test out the Google Fiber service.
Are you headed to CMW? What are you more excited for now? The hackathon itself, or getting your eyes glued on Google Fiber?
Skype users attacked by 'lol is this your new profile pic?' ransomware and click fraud, be careful of what you click on
Users of the popular video chat and messaging application Skype are being targeted by a round of ransomware and click fraud that is being sent around as a message from contacts. The message reads "lol is this your new profile pic?" and is then followed by a link. The link downloads a zip file, which contains an executable that infects the system.
The executable opens up a Java exploit using BlackHole 2.0. The system is then locked down via the ransomware and displays a message requesting money. GFI, the company that first reported this latest wave, explains how it works:
The above is a typical Ransomware scare message that locks the user out of their data, encrypts the files and demands payment (via Moneypak) to the tune of $200. The IP address and geographical location is displayed in the bottom right hand corner, along with various threats related to the downloading of MP3s, illegal pornography, gambling and more besides.
The ransomware also simulates legitimate clicks on websites and such to generate ad revenue for the creators of the ransomware. Not only are you having to pay to unlock the system, but your computer generates money for the creators even if you don't pay up.
We're here again with another exploit to watch out for, this time with security researcher Adam Gowdiak discovering a new zero-day vulnerability in Java. The new bug is said to be in currently supported versions of Java, namely Java 5, Java 6 and Java 7, and could allow attackers to install malware on close to 1 billion systems (based on installation numbers from Oracle itself).
This vulnerability affects both Macs and PCs, meaning that any Java-powered computer is at risk. Right now, the exploit doesn't pose much threat to the general public: Gowdiak, who is known for finding similar issues in Java, has said that he isn't currently aware of any active attacks that exploit this particular vulnerability.
Gowdiak found the vulnerability last week and spent the last few days testing a proof-of-concept before he revealed it to Oracle. Oracle has since confirmed the vulnerability with Gowdiak, and has said that it will be fixed in a future security update. Oracle hasn't given a date for when this update will be pushed out, but the next scheduled update is a while away: October 16.
As most Android users know, carriers and smartphone manufacturers aren't the best at keeping your device updated to the latest Android operating system. Unfortunately, never upgrading, or slow upgrading, leaves consumers' devices open to vulnerabilities that have been patched in the later version.
According to one study, the number of devices with vulnerabilities that have been patched in later versions is in excess of 50 percent. This news comes from a new startup that is receiving funding from the Department of Defense. Users who ran its X-Ray app had their phone scanned for known vulnerabilities that remain unpatched.
"The stat is based on over 20,000 users who downloaded and ran the X-Ray mobile application on their device, and the current global distribution of Android versions," said Jon Oberheide, CTO of Duo Security. "As carriers are very conservative in rolling out patches to fix vulnerabilities in the Android platform, users' mobile devices often remain vulnerable for months and even years."
Unfortunately, this means a less secure operating system for users whose carriers or manufacturers don't update their devices. This could ultimately be the downfall of Android if manufacturers don't start keeping devices up to date.
A member of Anonymous has claimed responsibility for the hacking of GoDaddy today, which has affected sites across the web. GoDaddy's site has been down today, along with sites hosted with the service. Other sites that use GoDaddy for DNS or other services have also been affected, though not all are down for everyone.
GoDaddy has acknowledged the problem with a Tweet:
Status Alert: Hey, all. We're aware of the trouble people are having with our site. We're working on it.
@AnonymousOwn3r has Tweeted the following, taking credit for the attack:
I'm taking godaddy down because well i'd like to test how the cyber security is safe and for more reasons that i can not talk now
@AnonOpsLegion, the official Twitter account for Anonymous, responded with the following:
@AnonymousOwn3r Good job brother, glad to see you back!
GoDaddy has provided the following updates:
Update: Still working on it, but we're making progress. Some service has already been restored. Stick with us.
We're continuing our work to get back on track. This is our #1 priority. We'll keep posting updates here. Thanks for all the support.
It's not clear when all services will be restored, but GoDaddy is working as quickly as possible to bring everything back online. I'm sure more will come out in the following hours and days, and we will be sure to keep you updated on the latest.