The Red October cyberespionage attacks were thought to have used Excel and Word exploits solely, but new data from a different set of researchers suggests that a Java exploit was also used to spread the infection. Israeli IT security firm Seculert was analyzing the Command and Control servers for the attack and found a special folder containing a malicious Java applet.
The applet used an exploit that was patched back in October 2011, which suggests that the attackers preferred older, known vulnerabilities and not zero-day ones. The applet was compiled in February 2012, which furthers this theory. This discovery is being credited to the fact that the attackers switched from a PHP server-side scripting language to CGI on the C&C servers.
They left up older PHP-based attack pages, which allowed the source code to be viewed. Full analysis is now impossible as the attackers have shut the C&C servers down, likely to cover their tracks.
Kaspersky, of all companies, has found something utterly shocking: an advanced cyber espionage network that makes last year's infamous Flame malware look like a joke. Dubbed Operation Red October, each attack is handcrafted for its victim to make sure it works.
Red October has been hitting systems across the world since at least May 2007 and carefully chooses its victims spanning over two dozen countries who hold positions in government, military, aerospace, research, trade and commerce, nuclear, oil and other important, vital industries. Investigators aren't sure who is behind the attacks, but it is being reported that Chinese hackers may have created the exploit, while the various malware modules deployed seem to have been created by those who speak Russian.
Kaspersky can't put their finger on the source, as it is currently being run through at least two layers of proxy servers across Russia, Germany and Austria. Whoever is involved has some skill, as they've been silently sitting, unknown to the user, in major government and industry computers.
Late last month, Internet Explorer was discovered to have a vulnerability that would allow hackers to gain control of a Windows PC. For the exploit to work, users had to be running an older version of the browser, specifically versions 6 to 8, and to have visited a malicious website.
Microsoft attempted to remedy the problem with various workarounds and a "one-click fix," all of which were temporary measures. Normally, bugs and exploits like this would have been addressed during Microsoft's regularly scheduled Patch Tuesday, and when the fix didn't arrive then, IT professionals began to wonder when it would.
We now have the answer: today. The patch should be available through Windows Update and marked as 'Critical', meaning it will be automatically installed, as long as the user has Automatic Updates enabled. If you use an older version of Internet Explorer, pre-version 9, you should make sure you install the update, especially if you don't have Automatic Updates enabled.
There's a new exploit on the block, and security experts are recommending that users disable or uninstall Java altogether after finding a zero-day Java exploit that lets hackers gain control of your PC.
The exploit targets a vulnerability left open in Java 7 Update 10, which was released in October 2012. The exploit works by getting Java users to visit a website that has malicious code, which takes advantage of a security gap to take control of users' computers.
Just after this story broke, Oracle pushed out Java SE 7 Update 11 which supposedly addressed the exploit. Oracle "strongly recommends" that Java SE 7 users upgrade immediately.
The tragic supposed suicide of digital activist, and co-founder of Reddit, Aaron Swartz happened just days ago and now Anonymous have stepped into the ring to play [hacking] ball. They leave a tribute message to Swartz, which says:
We tender apologies to the administrators at MIT for this temporary use of their websites. We do not consign blame or responsibility upon MIT for what has happened, but call for all those who feel heavy-hearted in their proximity to this awful loss to acknowledge instead the responsibility they have - that we all have - to build and safeguard a future that would make Aaron proud.
The link to see it is here, and at the time of writing wasn't loading. I'm sure MIT will have the site updated shortly.
During the 2012 holidays, PayPal's website was the most phished, receiving nine times more phishing sites than the next closest site. According to data from Trend Micro, PayPal had 18,947 phishing sites created during December 2012. Wells Fargo, the second-place site, had only 2,049, a far cry from PayPal.
Trend Micro says shopping online, while more convenient, puts you at a much greater risk of having your personal information stolen. Often, these phishing sites install malware onto the unlucky user's system. This year's malware for the PayPal sites was TROJ_QHOST.EQ, while Citibank sites infected users with WORM_CRIDEX.CTS.
Doctor Web researchers have discovered a Trojan app present in the Google Play store. The app disguises itself as the Google Play Store by using the same icon, then launches the real Play Store after being tapped. Once open, it connects to a Command and Control server, whereupon it relays the phone number of the device it is installed on.
The C&C server then relays commands via text message to the device. Android.DDoS.1.origin can launch DDoS attacks against targets or text spam people, such as those located in the contacts of the device. Doctor Web says the app can cause the phone to lag and increase the device owner's bill through texting premium numbers, a method hackers use to generate revenue from apps like these.
Over the weekend, XDA-Developers forum members discovered a bug showing that Samsung devices running Exynos processors could be hacked with a kernel-level exploit. In other words, a serious vulnerability. Samsung has told Android Central that it intends to fix this bug as quickly as possible, an important thing when there are so many vulnerable devices in circulation.
Samsung is aware of the potential security issue related to the Exynos processor and plans to provide a software update to address it as quickly as possible.
The issue may arise only when a malicious application is operated on the affected devices; however, this does not affect most devices operating credible and authenticated applications.
Samsung will continue to closely monitor the situation until the software fix has been made available to all affected mobile devices.
In the meantime, Samsung suggests that users only use official markets to limit their exposure, though it doesn't make them completely safe. With spam botnets making the rounds via sketchy apps, it's important that Samsung get this fixed up quickly.
Mobile security firm Lookout has found a botnet, as of December 3, which it is calling SpamSoldier. The threat was detected with the help of one of Lookout's carrier partners, though it has not said which one. The botnet spreads through text messages and has not been detected on any major app store.
Two, of many, spam campaigns are shown below:
You've just won a $1000 Target gift card but only the 1st 1000 people that enter code 7777 at hxxp://holyoffers.com can claim it!
Download Grand Theft Auto 3 & Need for Speed Most Wanted for Android phones for free at hxxp://trendingoffers.com for next 24hrs only!
The link downloads an app that installs SpamSoldier and removes its icon from the launcher so you won't see it. Often it also installs the free version of the game so that you won't notice anything else has been installed. SpamSoldier, meanwhile, sends out spam in the background through your SMS functions.
The malware attempts to remain hidden by deleting the outgoing texts and by attempting to intercept incoming replies to the texts it sent out. It gets a list of 100 US numbers and the message from a Command & Control server, spams those numbers, then connects back to the C&C for more numbers.
Of course, the main message here: never trust those unsolicited text messages, especially if they contain links.
Apple quick to update malware definitions, takes just two days after first OS X fake installer found
Apple, normally a company somewhat lax on security, seems to be stepping up its game. Just two days after a fake installer malware was found for Mac OS X, Apple has updated the definitions in its XProtect.plist. The update is much quicker than Apple has been in the past, and the company should definitely be applauded for doing it so promptly.
The malware asks users to enter their mobile number for verification and activation. They have to then enter a code that is texted to the device to continue installation. Once a user inputs that code, their mobile account is billed an ongoing subscription. After this, the app either installs the app it pretended to be or spits out garbage.
Either way, the scammer has already made his money. This scheme has been used on Windows for a while now, though it's not clear how many people would actually input their phone number. Clearly enough people do, as the scam is still around and Apple was quick to block it. The malware is detected as "Trojan.SMSSend.3666" by Doctor Web.