Posted by Prateek Gianchandani on Feb 05
Hi All,
The details are a bit sparse right now, but Yahoo has just disclosed by way of their Tumblr that they’ve detected what they’re calling a “coordinated effort to gain unauthorized access to Yahoo Mail accounts”.
Yahoo didn’t disclose how many accounts were affected, but we’ve asked for clarification and will update the post accordingly. It’s possible that they’ve yet to nail down an exact number. Given that it was enough to disclose the news in a public blog post, it’s presumably a non-trivial amount.
The (sort of?) good news: it doesn’t appear that Yahoo’s own servers were compromised — instead, it looks like someone is firing off a bunch of login attempts using emails/passwords secured from an unnamed “third-party database compromise”. In other words: the attackers got someone else’s database of usernames/passwords, and are mass-checking for accounts that use them same credentials on Yahoo Mail.
In response to the attack, Yahoo has reset the passwords of all accounts that appear to have been affected. If you’re trying to log in and Yahoo is asking you to change your password and verify your identity via SMS, this is probably why.
[Photo credit: Scott Schiller on Flickr]
An examination of the malware used in the Target breach suggests that the attackers may have had help from a poorly secured feature built into a widely-used IT management software product that was running on the retailer’s internal network.
As I noted in Jan. 15′s story – A First Look at the Target Intrusion, Malware – the attackers were able to infect Target’s point-of-sale registers with a malware strain that stole credit and debit card data. The intruders also set up a control server within Target’s internal network that served as a central repository for data hoovered up from all of the infected registers.
“ttcopscli3acs” is the name of the Windows share used by the POS malware planted at Target stores; the username that malware used to upload stolen card data was “Best1_user”; the password was “BackupU$r”
That analysis looked at a malware component used in Target breach that was uploaded to Symantec’s ThreatExpert scanning service on Dec. 18 but which was later deleted (a local PDF copy of it is here). The ThreatExpert writeup suggests that the malware was responsible for moving stolen data from the compromised cash registers to that shared central repository, which had the internal address of 10.116.240.31. The “ttcopscli3acs” bit is the Windows domain name used on Target’s network. The user account “Best1_user” and password “BackupU$r” were used to log in to the shared drive (indicated by the “S:” under the “Resource Type” heading in the image above.
That “Best1_user” account name seems an odd one for the attackers to have picked at random, but there is a better explanation: That username is the same one that gets installed with an IT management software suite called Performance Assurance for Microsoft Servers. This product, according to its maker — Houston, Texas base BMC Software — includes administrator-level user account called “Best1_user.”
This knowledge base article (PDF) published by BMC explains the Best1_user account is installed by the software to do routine tasks. That article states that while the Best1_user account is essentially a “system” or “administrator” level account on the host machine, customers shouldn’t concern themselves with this account because “it is not a member of any group (not even the ‘users’ group) and therefore can’t be used to login to the system.”
“The only privilege that the account is granted is the ability to run as a batch job,” the document states, indicating that it could be used to run programs if invoked from a command prompt. Here’s my favorite part:
“Perform Technical Support does not have the password to this account and this password has not be released by Perform Development. Knowing the password to the account should not be important as you cannot log into the machine using this account. The password is known internally and used internally by the Perform agent to assume the identity of the “Best1_user” account.”
I pinged BMC to find out if perhaps the password supplied in the Target malware (BackupU$r) is in fact the secret password for the Best1_user account. The company has so far remained silent on this question.
This was the hunch put forward by the Counter Threat Unit (CTU) of Dell SecureWorks in an analysis that was privately released to some of the company’s clients this week.
Relationships between compromised and attacker-controlled assets. Source: Dell Secureworks.
“Attackers exfiltrate data by creating a mount point for a remote file share and copying the data stored by the memory-scraping component to that share,” the SecureWorks paper notes. “In the previous listing showing the data’s move to an internal server, 10.116.240.31 is the intermediate server selected by attackers, and CTU researchers believe the “ttcopscli3acs” string is the Windows domain name used on Target’s network. The Best1_user account appears to be associated with the Performance Assurance component of BMC Software’s Patrol product. According to BMC’s documentation, this account is normally restricted, but the attackers may have usurped control to facilitate lateral movement within the network.”
According to SecureWorks, one component of the malware installed itself as a service called “BladeLogic,” a service name no doubt designed to mimic another BMC product called BMC BladeLogic Automation Suite. BMC spokeswoman Ann Duhon said that the attackers were simply invoking BMC’s trademark to make the malicious program appear legitimate to the casual observer, but it seems likely that at least some BMC software was running inside of Target’s network, and that the attackers were well aware of it.
Update Jan. 30, 5:48 p.m.: BMC just issued the following statement:
There have been several articles in the press speculating about the Target breach. BMC Software has received no information from Target or the investigators regarding the breach. In some of those articles, BMC products were mentioned in two different ways.
The first was a mention of a “bladelogic.exe” reference in the attack. The executable name “bladelogic.exe” does not exist in any piece of legitimate BMC software. McAfee has issued a security advisory stating that: “The reference to “bladelogic” is a method of obfuscation. The malware does not compromise, or integrate with, any BMC products in any way.
The second reference was to a password that was possibly utilized as part of the attack, with the implication that it was a BMC password. BMC has confirmed that the password mentioned in the press is not a BMC-generated password.
At this point, there is nothing to suggest that BMC BladeLogic or BMC Performance Assurance has a security flaw or was compromised as part of this attack.
Malware is a problem for all IT environments. BMC asks all of our customers to be diligent in ensuring that their environments are secure and protected.
I parse their statement to mean that the “BackupU$r” password referenced in the Target malware is not their software’s secret password. But nothing in the statement seems to rule out the possibility that the attackers leveraged a domain user account installed by BMC software to help exfiltrate card data from Target’s network.
Original story:
According to a trusted source who uses mostly open-source data to keep tabs on the software and hardware used in various retail environments, BMC’s software is in use at many major retail and grocery chains across the country, including Kroger, Safeway, Home Depot, Sam’s Club and The Vons Companies, among many others.
A copy of the SecureWorks report is here (PDF). It contains some fairly detailed analysis of this and other portions of the malware used in the Target intrusion. What it states up front that it does not have — and what we still have not heard from Target — is how the attackers broke in to begin with….
HOW DID IT HAPPEN?
The folks at Malcovery (full disclosure: Malcovery is an advertiser on this blog) have put together a compelling case that the avenue of compromise at Target stemmed from an SQL injection attack. Malcovery notes that techniques that may be similar to the Target breach were used by the Alberto Gonzalez gang, as illustrated in an indictment against Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov, Mikhail Rytikov, Dmitriy Smilianet (see Hacker Ring Stole 160 Million Credit Cards for more information on these guys).
As that report notes, Drinkman and his associates were co-conspirators of Albert Gonzalez (famous for the TJX breach), Damon Toey, and Vladislav Horohorin (BadB). Drinkman and his gang of Russian hackers were active from at least August 2005 through at least July 2012 and were charged with stealing data from NASDAQ, 7-Eleven, Carrefour, JCPenney, Hannaford Brothers, Heartland Payment Systems, Wet Seal, Commidea, Dexia Bank, JetBlue Airways, Dow Jones, an unspecified bank in Abu Dhabi, Euronet, Visa Jordan, Global Payment Systems, Diners Singapore (a regional branch of Diner’s Club), and Ingenicard.
Malcovery’s CTO and co-founder Gary Warner writes:
“In each of these cases, an SQL Injection attack resulted in malware being placed on the network and credit card or personal information being exfiltrated from the network. According to the indictment for the above, Gonzalez and Toey would travel to retail outlets and make observations about which Point of Sale terminal software was being used, afterwards, they would pass the information to the hacker crew who would penetrate the network, customize and load the malware, and exfiltrate the stolen data.”
A copy of the Malcovery report can be downloaded here.
EAGLE CLAW, RESCATOR, AND LAMPEDUZA
An advertisement for “Eagle Claw,” a base of more than 2 million card “dumps” stolen from Target.
Meanwhile, the cybercrook known as Rescator and his merry band of thieves who are selling cards stolen in the Target breach continue to push huge new batches of stolen cards onto the market. In an update on Jan. 21, Rescator’s network of card shops released for sale another batch of two million cards apparently stolen from Target, a collection of cards which these crooks have dubbed “Eagle Claw.”
Working with several banks anxious to know whether this batch of two million cards really was from Target (or else some other recent breach like Neiman Marcus), we were able to determine that all of the cards purchased from Eagle Claw were used at Target between Nov. 27 and Dec. 15. The method behind that research was identical to that used in my previous research on this topic.
Incidentally, anyone who wants to understand the hierarchical pecking order of Rescator’s crew should check out this analysis by security researcher Krypt3ia, which examines the Lampeduza cybercrime forum of which Rescator is a leading member.
Anyone hoping that this retail breach disclosure madness will end sometime soon should stop holding their breath: In a private industry notification dated January 17 (PDF), the FBI warned that the basic code used in the point-of-sale malware has been seen by the FBI in cases dating back to at least 2011, and that these attacks are likely to continue for some time to come.
A frequency analysis of POS malware incidents assembled by Recorded Future.
“The growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially-motivated cyber crime attractive to a wide range of actors,” the FBI wrote. “We believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.”
Multiple sources in the banking industry say they are tracking a pattern of fraud on cards that were all recently used at Michaels Stores Inc., an Irving, Texas-based arts-and-crafts retailer that maintains more than 1,250 stores across the United States.
On Friday morning, I put a call in to SPM Communications, the public relations company listed as the press contact on michaels.com. After explaining why I was calling, I was referred to a Michael Fox of ICR Inc. When asked what line of business ICR was in, the SPM representative replied that it was a crisis communications firm. Mr. Fox replied via email that he would inquire with Michaels, but so far the company has declined to comment.
Update 1:34 p.m. ET: The U.S. Secret Service confirmed that it is investigating a potential data breach at Michaels. Also, Michaels has just issued a statement stating that it “recently learned of possible fraudulent activity on some U.S. payment cards that had been used at Michaels, suggesting that the Company may have experienced a data security attack.”
The statement continues:
“The Company is working closely with federal law enforcement and is conducting an investigation with the help of third-party data security experts to establish the facts. Although the investigation is ongoing, based on the information the Company has received and in light of the widely-reported criminal efforts to penetrate the data systems of U.S. retailers, Michaels believes it is appropriate to let its customers know a potential issue may have occurred.”
“We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue,” said Chuck Rubin, CEO. “While we have not confirmed a compromise to our systems, we believe it is in the best interest of our customers to alert them to this potential issue so they can take steps to protect themselves, for example, by reviewing their payment card account statements for unauthorized charges.”
Their full statement is here (PDF).
Original story:
Sources with four different financial institutions have over the past few days said hundreds of customer cards that recently had been used for fraudulent purchases all traced back to Michaels stores as the common point of purchase.
On Friday, KrebsOnSecurity heard from a fraud analyst at a large credit card processor that was seeing fraud on hundreds of cards over the previous two days that all been recently used at Michaels. The fraudulent purchases on those cards, the source said, took place at the usual big box stores like BestBuy and Target.
“What’s interesting is there’s another [arts and framing] store called Aaron Brothers, and within past week or two there was a lot of activity talking about Aaron Brothers,” said the source, who asked to remain anonymous because he was not authorized to speak to the media. ”One of the things I learned the other day is that Aaron Brothers is wholly owned by Michael’s. It really does look like kind of the way we saw the Target breach spin up, because the fraud here isn’t limited to one store or one area, it’s been all over the place.”
Assuming my sources are correct and Michaels did have some kind of breach involving payment cards, this would not be the first time. In May 2011, Michaels disclosed that crooks had physically tampered with some point-of-sale devices at store registers in some Chicago locations, although further investigation revealed compromised POS devices in stores across the country, from Washington, D.C. to the West Coast.
It remains unclear what type of compromise may have prompted several banks to identity Michaels as the breached entity. But recent breaches at Target and Neiman Marcus both involved highly sophisticated malicious software that stole credit and debit card information from point-0f-sale registers at those stores. Target has said the breach may have affected more than 40 million customer credit and debit cards, and name, address, email address and phone numbers for at least 70 million customers. Earlier this week, Neiman Marcus revealed that the breach at its stores extended from July 16, 2013 to Oct. 30, 2013, and may have impacted more than 1.1 million customer cards.
According to Fox, ICR Inc. was brought in by Michaels to handle the retailer’s planned transition to a public company. Last month, the company filed paperwork for a potential public offering of its common stock. According to those filings, Michaels generated revenue of $4.41 billion in 2012. Michaels has said the timing, number of shares to be sold and the price range for the proposed offering have not yet been determined.
Number of Incidents Added to Official List SurgesResponding to inquiries about a possible data breach involving customer credit and debit card information, upscale retailer Neiman Marcus acknowledged today that it is working with the U.S. Secret Service to investigate a hacker break-in that has exposed an unknown number of customer cards.
Earlier this week, I began hearing from sources in the financial industry about an increasing number of fraudulent credit and debit card charges that were being traced to cards that had been very recently used at brick-and-mortar stores run by the Dallas, Texas based high-end retail chain. Sources said that while it appears the fraud on those stolen cards was perpetrated at a variety of other stores, the common point of purchase among the compromised cards was Neiman Marcus.
Today, I reached out to Neiman Marcus and received confirmation that the company is in fact investigating a breach that was uncovered in mid-December.
Neiman Marcus spokesperson Ginger Reeder said the company does not yet know the cause, size or duration of the breach, noting that these are details being sought by a third-party forensics firm which has yet to complete its investigation. But she said there is no evidence that shoppers who purchased from the company’s online stores were affected by this breach.
The entirety of the company’s formal statement is as follows:
“Neiman Marcus was informed by our credit card processor in mid-December of potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.
We informed federal law enforcement agencies and are working actively with the U.S. Secret Service, the payment brands, our credit card processor, a leading investigations, intelligence and risk management firm, and a leading forensics firm to investigate the situation. On January 1st, the forensics firm discovered evidence that the company was the victim of a criminal cyber-security intrusion and that some customers’ cards were possibly compromised as a result. We have begun to contain the intrusion and have taken significant steps to further enhance information security.
The security of our customers’ information is always a priority and we sincerely regret any inconvenience. We are taking steps, where possible, to notify customers whose cards we know were used fraudulently after making a purchase at our store.”
The disclosure comes as many in the retail sector are seeking more information about the causes of the breach at nationwide retail giant Target, which extended from around Thanksgiving 2013 to Dec. 15, and affected some 40 million customer debit and credit cards.
Target released additional details about the breach today, saying hackers also compromised the names, mailing addresses, phone number and email addresses for up to 70 million individuals. But Target has so far not publicly released information that would help other retailers determine whether their systems may have been hit by the same attackers.
Neiman Marcus’s Reeder said the company has no indication at this time that the breach at its stores is in any way related to the Target attack. Still, the timing of the discovery of the Neiman Marcus incident — mid-December — roughly corresponds to the discovery of the Target breach. I will have more on this developing story if additional details become available.
On Friday evening, luxury retailer Neiman Marcus admitted that it had suffered a data breach exposing customers' credit card information and that it was working with federal investigators to find out the extent of the damage. The company told security writer Brian Krebs that it was not sure how many customers were affected or now the hack was caused.
Krebs, who appears to have unearthed news of the hack first, explains: “Earlier this week, I began hearing from sources in the financial industry about an increasing number of fraudulent credit and debit card charges that were being traced to cards that had been very recently used at brick-and-mortar stores run by the Dallas, Texas based high-end retail chain. Sources said that while it appears the fraud on those stolen cards was perpetrated at a variety of other stores, the common point of purchase among the compromised cards was Neiman Marcus.”
For its part, Neiman Marcus said in an official statement that its credit card processor alerted the chain in mid-Decemeber about “potentially unauthorized payment card activity that occurred following customer purchases at our Neiman Marcus Group stores.”
Read 3 remaining paragraphs | Comments
A California escrow firm that was forced out of business last year after a $1.5 million cyberheist is now suing its former bank to recoup the lost funds.
A state-appointed receiver for the now defunct Huntington Beach, Calif. based Efficient Services Escrow has filed suit against First Foundation Bank, alleging that the bank’s security procedures were not up to snuff, and that it failed to act in good faith when it processed three fraudulent international wire transfers totaling $1,558,439 between December 2012 and February 2013.
The lawsuit, filed in the Superior Court for Orange County, is the latest in a series of legal battles over whether banks can and should be held more accountable for losses stemming from account takeovers. In the United States, consumers have little to no liability if a computer infection from a banking Trojan leads to the emptying of their bank accounts — provided that victims alert their bank in a timely manner. Businesses of all sizes, however, enjoy no such protection, with many small business owners shockingly unaware of the risks of banking online.
As I wrote in an August 2013 story, the heist began in December 2012 with a $432,215 fraudulent wire sent from the accounts of Huntington Beach, Calif. based Efficient Services Escrow Group to a bank in Moscow. In January, the attackers struck again, sending two more fraudulent wires totaling $1.1 million to accounts in the Heilongjiang Province of China, a northern region in China on the border with Russia.
This same province was the subject of a 2011 FBI alert on cyberheist activity. The FBI warned that cyber thieves had in the previous year alone stolen approximately $20 million from small to mid-sized businesses through fraudulent wire transfers sent to Chinese economic and trade companies.
Efficient Services and its bank were able to recover the wire to Russia, but the two wires to China totaling $1.1 million were long gone. Under California law, escrow and title companies are required to immediately report any lost funds. When Efficient reported the incident to state regulators, the California Department of Corporations gave the firm three days to come up with money to replace the stolen funds.
Three days later, with Efficient no closer to recovering the funds, the state stepped in and shut the company down. As a result, Efficient was forced to lay off its entire staff of nine employees.
On Dec. 6, the lawyer appointed to be Efficient’s receiver sued First Foundation in a bid to recover the outstanding $1.1 million on behalf of the firm’s former customers. The suit alleges that the bank’s security procedures were not “commercially reasonable,” and that the bank failed to act in “good faith” when it processed international wire transfers on behalf of the escrow firm.
Like most U.S. states, California has adopted the Uniform Commercial Code (UCC), which holds that a payment order received by the [bank] is “effective as the order of the customer, whether or not authorized, if the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer.”
As evidenced by the dozens of stories in my series, Target: Small Businesses, companies do not enjoy the same protections as consumers when banking online. If a banking Trojan infection results in cyber thieves emptying the bank accounts of a small business, that organization is essentially at the mercy of their financial institution, which very often in these situations disavows any responsibility for the breach, and may in fact stonewall the victim company as a result. That can leave victim organizations in a quandary: They can swallow their pride and chalk it up to a learning experience, or opt to sue the bank to recover their losses. Of course, suing your bank can be cost-prohibitive unless the loss is significantly larger than the amount the victim might expect to spend hiring lawyers to pursue the case on the often long road to settlement or trial.
The plaintiffs in this case allege that part of the reason the bank’s security procedures were not commercially reasonable was that one component of the bank’s core security protection — the requirement that customers enter a code generated by a customer-supplied security token that changes every 32 seconds — had failed in the days leading up to the fraudulent transfers. I would argue that security tokens are a mere security speed bump whose effectiveness is easily bypassed by today’s cyber thieves. But in any case, this lawsuit claims that rather than address that failure, the bank simply chose to disable this feature for Efficient Services.
First Foundation did not return calls seeking comment. But the bank did produce an incident report that is now public record, thanks to this lawsuit (see the “Exhibit J” section of this PDF case document). The document states that the company had previously performed international wire transfers, and so it saw nothing unusual about half-million-dollar transfers to China. According to the plaintiffs, however, Efficient escrow had merely inquired about the possibility of international wires, yet had not actually performed wire transfers outside of the United States previously.
First Foundation’s incident report also appears to suggest that bank very quickly reached the conclusion that the fraud was the result of misdeeds by Efficient’s controller — Julie Gardner — and not the result of a cyberheist.
“The transaction and session history of Ms. Gardner suggests the possibility of internal fraud,” reads the bank’s report. “Ms. Gardner’s employment with ESE ended with reasons unknown to FFB. Her access from Business Online was removed on Feb. 20, 2013.”
Julie Rogers is an attorney with the Dincel Law Group, which is working with the plaintiffs in this case. In an interview with KrebsOnSecurity, Rogers said that if the bank looked at its processes honestly, it would have asked the customer before processing the international wire. Rogers noted that the bank’s incident report also brought repercussions that spilled out beyond the errant processing of several fraudulent international wire transfers.
“To name a specific employee and say, ‘We don’t think this was cyber hacking at all,’ that’s pretty egregious, and you can’t un-ring that bell,” Rogers said, citing the difficulty that some former employees of ESE have had trying to find new work in the industry.
“When you suggest that, it does some damage, not only to that individual but also to the people associated with that individual,” Rogers said. “That conduct spills out beyond just the processing of a wire transfer. It spills out into an area that isn’t covered by the UCC. Some of the individual escrow agents [formerly employed by ESE] have tried to obtain work at other companies, but the two operators and owners of the company have been subjected to license revocation and suspension that precludes them from running a similar business for five years before they can reapply.”
Rogers said there’s a larger point to these lawsuits: “These banking institutions are saying, ‘We’ll give you 24/7 protection for banking online, which is safe, efficient, and affordable.’ But meanwhile, their budgets are getting cut. The people in charge of fraud are getting laid off. And yet the public is getting more and more drawn into cyber banking.”
There is no question that Efficient Escrow should have detected these fraudulent wires a lot sooner than they did. The point of my focus on these cases is to raise awareness about the need for companies to take steps to avoid becoming victims in the first place. If you run a small business and you bank online, please consider adopting some safeguards to prevent your company from being the next victim of a cyberheist. Banking from a Live CD or from an isolated (preferably non-Windows) computer is the surest way to avoid ebanking heists. However, this approach only works if it is consistently observed.
The average small business usually has one person in charge of the books, and they’re lucky if they have one person in charge of security; very often, it’s the CEO who serves as the CTO, CFO, CSO and E-I-E-I-O. These attacks launched by today’s cyber thieves against small businesses are any thing but a fair fight: It’s basically one blue-haired lady against an entire squadron of seasoned criminals.
I’ve been writing about this problem for more than five years now, and for good reason: There are millions of small business owners who have absolutely no clue how vulnerable they are and who they’re up against. I travel quite a bit to speak to audiences around the world about cybercrime, and I frequently find myself seated next to small business owners. I always ask the same thing, and I always get the same response. Do you bank online with your business? Why, sure. Did you know that if you have a virus infection that cleans out your bank account, your bank is under no obligation to do anything on your behalf?
I’ll continue to write about this subject, mainly because awareness remains low and there will continue to be new victims every week losing hundreds of thousands of dollars as a result of these cyberheists. Meanwhile, the crooks responsible are upping their game. According to Gary Warner, co-founder and chief technologist at threat intelligence firm Malcovery (full disclosure: Malcovery is an advertiser on this blog), the latest cyberheist malware deployed by the Asprox botnet (PDF) uses geo-IP location to include the name of the would-be victim’s hometown in the malicious file that gets pushed down when the user clicks on a link.
“It geo-codes you and puts your city name into the filename, and antivirus detection of these variants continues to be very low,” Warner said. “We’ve seen this with Asprox malware spam disguised as court documents, airline tickets, and [spoofed emails made to look like they came] from Wal-Mart, Costco and BestBuy.”
I guess you could say it’s also become a bit personal. One of the most recent versions of Asprox pushes malware that includes the URL of this blog, as well as file descriptor that says “Krebs Systems.”
A copy of the complaint filed by the receiver for Efficient Services is available here (PDF).
Miscreants who earlier this week took down servers for League of Legends, EA.com, and other online game services used a never-before-seen technique that vastly amplified the amount of junk traffic directed at denial-of-service targets.
Rather than directly flooding the targeted services with torrents of data, an attack group calling itself DERP Trolling sent much smaller sized data requests to time-synchronization servers running the Network Time Protocol (NTP). By manipulating the requests to make them appear as if they originated from one of the gaming sites, the attackers were able to vastly amplify the firepower at their disposal. A spoofed request containing eight bytes will typically result in a 468-byte response to a victim, a more than 58-fold increase.
"Prior to December, an NTP attack was almost unheard of because if there was one it wasn't worth talking about," Shawn Marck, CEO of DoS-mitigation service Black Lotus, told Ars. "It was so tiny it never showed up in the major reports. What we're witnessing is a shift in methodology."
Read 4 remaining paragraphs | Comments
Researchers at Kaspersky Lab identified more malware utilizing Tor's anonymity capabilities to shield their command and control infrastructure.
Known as ChewBacca - after the character in Star Wars and the name given to one of its functions - the malware drops the function 'P$CHEWBACCA$_$TMYAPPLICATION_$__$$_INSTALL' as 'spoolsv.exe' into the Startup folder and requests the public IP of the victim via a publicly accessible service.
Tor is dropped as 'tor.exe' to the user's Temp folder and runs with a default listing on 'localhost:9050.'
"Lately Tor has become more attractive as a service to ensure users' anonymity," blogged Kaspersky Lab researcher Marco Preuss. "Also criminals use it for their activities, but they are only slowly adopting this to host their malicious infrastructure."
This was recently seen in a Zeus variant captured in the wild that also included functionality aimed at 64-bit systems. Other malware such as the CrimewareKit Atrax and the botnet built using the Mevade malware have been spotted using Tor as well.
Using Tor offers a level of protection that masks the location of a server. Still, there are drawbacks for attackers. For example, due to the overlay and structure, Tor is slower, Preuss explained. In addition, as seen with Mevade, a massive increase in botnet activity can affect the network and make such activity easy for researchers to spot.
"Tor is just one of many tricks in a good malware author’s - or gang’s - toolbox," noted Richard Henderson, Security Strategist, FortiGuard Threat Research and Response Labs at Fortinet. "Tracking down command and control [C&C] can be difficult; other methods like…bouncing through C&C proxies, using [domain generation algorithms] and multiple C&C proxies, or using a P2P [peer-to-peer] C&C model…can make it difficult for researchers to track down the head of the beast in order to lop it off."
Once running, ChewBacca logs all keystrokes to 'system.log', which is created by the malware in the local Temp folder. The Trojan also enumerates all running processes, reads their process memory and uses two different regular expression patterns to steal information.
Unlike Zeus, ChewBacca is currently not offered in public underground forums, according to Preuss.
In a perfect world, we’d all have strong and different passwords for every site we visit. We know it’s the right thing to do. But then again, we also know that getting regular exercise is the right thing to do. And maybe, just maybe, we don’t always get around to doing the “right” things.
Today, there are just so many sites out there and coming up with umpteen different passwords isn’t always easy for people. Password reuse is rampant, even among people who should know better and creates a vulnerability that can be exploited.
The single point of failure it creates can lead to a data breach from one company causing a major ripple of compromises across many other sites. Hackers will use brute force attacks to test stolen usernames and passwords from one source to gain access to another say, bank accounts, Facebook pages, Gmail, you name it. Most recently, the major loss of usernames and passwords from Adobe caused Facebook and Evernote to prompt users to reset passwords to avoid these attacks.
So what should companies downstream from a compromise do to protect users against this fallout? The one approach making headlines is to force all potentially impacted users to reset passwords, which, while effective, is burdensome for users. There are several other steps companies can take on the server side to identify and disrupt these attacks.
Beyond the Reset
For one, identify anomalous activity indicative of a brute force attack and disrupt it. Normally, users fall fairly consistently into a pattern of login activity (e.g., the average user does not generally have more than one active account on any given website). Even if they do, they generally don’t log in to more than one or two accounts on any given day. When you factor in some accidental typos and guessing at forgotten passwords, you can say that any user attempting to log in to more than eight accounts (different usernames) and trying more than a total of 12 passwords is likely performing at least a low-scale brute force attack.
When the credentials of a large website are leaked, the attackers end up with a database of several million usernames and passwords. Attempting to log in to all of those usernames and passwords from a single computer would likely not work due to distributed denial of service (DDoS) protections. So attackers are forced to scale attacks out to many different machines generally within a botnet. This, of course, costs money, time, and other resources, which is why attackers will usually attempt to scale out to the least degree necessary.
Still, time is of the essence. Credentials will rapidly decline in value as time elapses and users change their passwords in response to any breach announcements. Say an attacker has three million credentials to test, 20,000 machines to scale it across, and about three days to do it. This means, each machine would need to test at least two accounts per hour.
Once identified, companies can automatically reject any login attempts from a client who has attempted to login to eight or more accounts from a given connection. They should not, however, provide any feedback about “blocking” a user. By withholding this information, companies can prompt those behind the brute force attack to exhaust the username/password database without any indication or disruption. If attackers realize what’s happening, they could just scale out on more machines to avoid getting blocked.
This way, it’s possible to prevent all but the first four hours of a brute force attack. Of those three million credentials, that means a whopping 2.8 million will remain protected. As a result, the return on investment of the secondary attack—and even the primary attack—is reduced and would potentially become too expensive for an attacker to even bother with in the first place.
Force Password Hygiene and Employ Better Authentication
Just as cross training has proven to prevent injury, so, too, can multi-pronged security approaches. Another approach is requiring better password hygiene by users on sites. This includes requiring that they:
• Rotate passwords after a reasonable amount of time.
• Use a password strength analyzer, and enforce a sane score threshold. That’s it. Don’t apply any other crazy restrictions.
• Never lock an account as a result of failed login attempts or anything an attacker can intentionally trigger.
Companies can also employ some simple steps to make brute force attacks more difficult for attackers:
• Employ CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) on all login attempts if possible to prevent automated brute force attacks.
• Deploy some type of two-factor authentication scheme to make these types of attacks obsolete. While in some instances this approach might be cost-prohibitive, as this and other new identity management schemes gain scale, it will become a more and more viable option for companies to deploy.
• Never tell the users why the login failed, just say it failed. This includes when they get the two-factor authentication or CAPTCHA answer wrong, but still gets the password correct. This information can aid hackers in working around defenses.
• Increase the information required of a user if their account has experienced too many failures. Of course this is less important if you already require a CAPTCHA or two-factor authentication on all logins.
Related Reading: Hackers Just Made Off with Two Million Passwords, Now What?
A mobile botnet called MisoSMS is wreaking havoc on the Android platform, stealing personal SMS messages and exfiltrating them to attackers in China.
Researchers at FireEye lifted the curtain off the threat today, describing MisoSMS as "one of the largest advanced mobile botnets to date" and warning that it is being used in more than 60 spyware campaigns.
FireEye tracked the infections to Android devices in Korea and noted that the attackers are logging into command-and-controls in from Korea and mainland China, among other locations, to periodically read the stolen SMS messages.
|
|
| Related Podcast: FireEye security researcher Vinay Pidathal talks about the MisoSMS botnet and the state of security on the Android ecosystem. |
FireEye's research team discovered a total of 64 mobile botnet campaigns in the MisoSMS malware family and a command-and-control that comprises more than 450 unique malicious e-mail accounts.
FireEye security content researcher Vinay Pidathala said MisoSMS infects Android systems by deploying a malicious Android app called "Google Vx" that masquerades as an Android settings app used for administrative tasks.
The app uses a bit of trickery to install and hide itself from the user. Once it's installed, the app secretly steals the user’s personal SMS messages and emails them to a webmail command-and-control.
Pidathala explains the SMS exfiltration method:
This application exfiltrates the SMS messages in a unique way. Some SMS-stealing malware sends the contents of users SMS messages by forwarding the messages over SMS to phone numbers under the attacker’s control. Others send the stolen SMS messages to a CnC server over TCP connections. This malicious app, by contrast, sends the stolen SMS messages to the attacker’s email address over an SMTP connection.
Pidathala said all of the reported malicious e-mail accounts have been deactivated as part of a mitigation strategy with law enforcement and security response officials in Korea and China.
Related Podcast:
Cybercrooks have brewed up a botnet that uses a bogus Firefox add-on to scan the web for hackable websites.…
Microsoft has joined the board of directors of the FIDO ("Fast IDentity Online") Alliance, an industry consortium that is attempting to create a set of protocols to enable consistent, secure, passwordless access to Web-based applications. Other members include Google, BlackBerry, PayPal, Lenovo, and MasterCard.
The problems with passwords are well-known. They're poorly chosen, regularly stolen, and routinely reused across sites, meaning that a compromise of one account can lead to compromises of many others.
FIDO hopes to replace passwords with a system built around public key cryptography. To register with a FIDO site, you won't enter a password into the site. Instead, hitting register will alert your authentication devices—typically an app on your smartphone—of the attempt to register. If that attempt is approved (for example, by using a registered fingerprint or entering a PIN), the device will generate a public/private key pair. The public key will be sent to the online service; the private key will be retained on the authentication device.
Read 4 remaining paragraphs | Comments
The National Security Agency can easily defeat the world's most widely used cellphone encryption, a capability that means the agency can decode most of the billions of calls and texts that travel over public airwaves each day, according to published report citing documents leaked by Edward Snowden.
The NSA "can process encrypted A5/1" calls even when agents don't have the underlying cryptographic key, The Washington Post reported Friday, citing this top-secret document provided by former NSA contractor Snowden. A5/1 is an encryption cipher developed in the 1980s that researchers have repeatedly cracked for more than a decade. It remains widely used to encrypt older, 2G cellphone calls. Newer phones can still use A5/1, even when showing they're connected to 3G or 4G networks.
In the past five years, cracking A5/1 has grown increasingly easier and less costly. In 2010 researchers unveiled a technique that cost about $650 and relied on open-source software and off-the-shelf hardware. Next-generation spy devices sold to militaries and law-enforcement groups have long marketed the ability to eavesdrop on A5/1-protected calls, too. Despite the growing susceptibility of A5/1, it remains widely used, Karsten Nohl, chief scientist at Security Research Labs in Berlin, told The Washington Post. Reporters Craig Timberg and Ashkan Soltani explained:
Read 2 remaining paragraphs | Comments
Investigative journalist Brian Krebs has uncovered an unusual botnet that forces infected PCs to scour websites for security vulnerabilities that can cough up proprietary data or be exploited in drive-by malware attacks.
The botnet, dubbed "Advanced Power" by its operators, has discovered at least 1,800 webpages vulnerable to SQL injection attacks since May, Krebs reported in a post published Monday. SQL injection vulnerabilities exploit weaknesses in Web applications that allow attackers to send powerful commands to a website's backend databases. From there, attackers can download login credentials or other database contents or cause sites to post links that silently redirect visitors to malicious websites.
Advanced Power masquerades as a legitimate add-on for Mozilla's Firefox browser. Once installed, it looks for vulnerabilities on sites visited by the infected machine. Krebs wrote:
Read 3 remaining paragraphs | Comments
The latest release of the Firefox web browser, version 26, now blocks Java software on all websites by default unless the user specifically authorizes the Java plugin to run.…
Tags: 
