In the wake of last week’s eDellroot fiasco, Microsoft announced Monday that its revoked support for all the self-signed, trusted root certificates that were found on some Dell computers.

AT ONE POINT in Killing Them Safely, Nick Berardini’s new documentary on Taser’s bloodless response over the last decade to the charge that its stun guns have caused hundreds of cardiac deaths, CEO and co-founder Rick Smith gives a wistful PowerPoint presentation to an enthusiastic audience. One slide depicts the old corporate liability proverb of the shark and the coconut tree. The shark, so the story goes, swims faster, has more teeth, and inspires great terror, yet many more people die every year from coconuts falling on their heads than from shark attacks. “We tend to focus on things that perhaps capture our imagination more than the facts,” muses Smith. Whether or not falling coconuts actually pose a deadly threat, there has been only one fatal shark attack in the U.S. this year, but according to a recent Guardian investigation 47 people died in the first 10 months of 2015 immediately after being tased by a police officer.

No doubt Smith meant to admonish those who claim that Tasers are deadly, but his shark parable could be read sideways too, as a statement of purpose. Taser’s business model, founded on a strategic appeal to concerns about safety, depends on the inherent slipperiness of facts. In his film, Berardini makes the case that there’s something fanatical in Taser’s enthusiasm for risk management, for finding language both to create and resolve any imaginable threat.

Two brothers, Rick and Tom Smith, founded Taser International in 1993. That year, they released their first stun gun, the Air Taser, but quickly found it wasn’t powerful enough to stop “motivated individuals” from fighting through the shock. By 1999, according to former New York Times reporter Alex Berenson, in an interview for the film, the brothers “didn’t have a viable product to market” — they were in debt and about to lose the money their parents had invested. That year Taser began developing the M26, a product at least three times as powerful as its predecessor, and then pushed the new product onto the market after light and selective testing on human subjects. Today 17,000 law enforcement agencies in 107 countries use Tasers. The company’s unofficial motto, repeated by executives throughout the film, is that they are in the business of “protecting life, and protecting truth.”

The main threat that launched the Taser founders’ imaginations — and the militarization of policing, which continues its expansion today — was a spike in violent crime in the 1980s. By the time the first Taser was sold in the early 1990s, those numbers were already dwindling, but the racist myth of imminent danger from unbeatable “superpredators” was not. Coupled with this miasmic fear, Taser broadened its appeal by pushing the line that its products save lives with the argument that every Taser jolt administered by a police officer potentially represented the prevention of a gun fatality. In 2011 Rick Smith appeared on ABC News and compared the pain inflicted by a Taser to chemotherapy: “If you have cancer they do awful things to your body to try and save you. Well, our society has a cancer, we’re a violent, dangerous society.”

Like tobacco companies faced with evidence that cigarettes cause cancer, or oil companies faced with climate change, Taser’s reaction to evidence of harm from its product is to sow doubt and uncertainty. But the film also demonstrates the repeated leaps of mythological imagination Taser has made in order to protect its white-knight reputation. In 2008, security cameras captured unarmed 17-year-old Darryl Turner’s final moments as he was tased to death by police, following a verbal altercation with his former boss. The response from Smith, as documented in Berardini’s film, was typical of the company’s attempts to deflect responsibility: “It’s not a well-understood phenomenon why young, otherwise healthy people collapse and die during physically stressful events.”

Or take the case of Robert Dziekanski, a Polish immigrant who in 2007 got lost in Vancouver’s airport for hours, was inappropriately detained by guards, then tased by police until he died. “What was this guy doing in the airport for nine hours? Flying? Off his cigarettes?” asked Taser vice president Steve Tuttle, not quite rhetorically, before suggesting, “All of these things come into play.” In June the officer who deployed the Taser that killed Dziekanski was given a 30-month prison sentence for perjury and colluding with his fellow officers during the pursuant investigation.

According to the documentary, Taser maintains that its products caused neither of those deaths, and indeed no deaths ever. Now it’s not even the shark that kills you, but your own body as it collapses, coincidentally after having received a 50,000-volt shock. Meanwhile, Taser’s own count of lives the company has saved has grown to around 160,000. The flip side of Taser’s self-serving corporate narrative is that there really isn’t much evidence that Tasers prevent gun fatalities, but there’s plenty of video demonstrating that Taser opened up new opportunities for police violence, handily replacing the inconvenient old cattle prod as a torture device, and that the product has killed and maimed hundreds of people.

Taser’s line of body cameras, which the company has sold since 2006, and its cloud-based video storage system add another absurd twist to the company’s longtime practice of manufacturing entire safety dramas, from threat to solution. The company whose product has contributed perhaps more than any other to the high rate of police violence, aimed in particular at people of color, is now doubling down on delivering the cure.

In the weeks following the killing of Mike Brown by Ferguson police officer Darren Wilson in August 2014, body cameras became a subject of national discussion, and Taser’s stocks jumped by 50 percent. Advocates of body cameras, from President Obama to Hillary Clinton and Campaign Zero, have maintained that they reduce police brutality by making police interactions with the public more transparent.

That’s a highly contested assertion. Numerous reports have detailed flaws in the technology as well as uneven usage and regulation. Taser’s cameras, for instance, buffer video every 30 seconds, a common feature that allows some images of the interaction directly preceding the recording to be saved, but the buffer doesn’t record sound. Tuttle, speaking at the International Association of Chiefs of Police in October, claimed that the lack of sound was designed to protect officers’ privacy.

In a stunning rendition of the old Taser tagline, Rick Smith told Fortune magazine that Taser’s body cam was “a non-lethal weapon. The average rational person, when you tell them you’re filming them, will act more rationally.” Of course, the idea of a camera being used as a weapon completely misses the point of the movement for police accountability that Taser is capitalizing on, but that’s precisely the kind of reversal that’s fundamental to the company’s business model. If Taser had a spirit animal, I suspect it would be a shark.

The post Taser and the Myth of Non-Lethal Weaponry appeared first on The Intercept.

Tunisians using computers and phones in an Orange store. Photo: Hamza Ben Mehrez

Tunisia has made great improvements in promoting a culture of internet freedom in the five years since the Tunisian Revolution.

Unfortunately, internet activists are saying that the climate of fear and self-censorship is starting to creep back—and unless the Tunisian Parliament passes new laws protecting free speech on the internet, the country’s internet freedom could regress in the coming years.

Before the revolution in January 2011, the North African country of approximately 11 million was governed by a tightly controlled dictatorship led by President Zine El Abeddine Ben Ali.

The internet had been introduced to the country in 1996 and its use exploded in the subsequent years. However, the regime administered a deep packet inspection (DPI) system, a sophisticated technique that uses software and hardware to interfere with web traffic. When a data packet is identified as matching the criteria set by the central censor, a variety of actions can happen. Most common would be blocking the transfer of information, but DPI technology can also delete or modify words in a text or insert other content instead of what the recipient was looking for. The Tunisian DPI censorship system was considered a perfect example of how the internet could be controlled by a central authority.

The old regime censored websites administered not just by terrorist groups, but by the entire political opposition. Bloggers who reported any news that the regime considered threatening had their blogs censored. The regime also censored video sharing sites such as YouTube and Dailymotion. For a short period, the regime recorded the Facebook login information of Tunisian users. All pornographic websites were also censored. The Tunisian Internet Agency or Agence Tunisienne d’Internet (ATI) would leave messages reading “Error 404” on censored websites as if the sites never existed. In 2008 Reporters Without Borders noted that emails sent to activists from human rights organizations became illegible upon arrival. Once the filtered emails were opened, they disappeared from inboxes entirely.

Post-revolution internet policy in Tunisia is critical because the country is an example for a freer society in the rest of the region

Since the revolution, the ATI has transformed. The changes are encouraging. Moez Chakchouk, who took over the agency after the revolution, traveled widely to many conferences speaking as an open-internet activist until recently when he was named as the head of the Tunisian postal service. He also presided over the end of the agency’s monopoly over internet exchange point services, installing important internet infrastructure locally for two Tunisian telecommunications companies Orange and Tunisiana. This effort made costs lower for internet service providers and allowed private companies to take over a share of the market.

The post-revolution ATI has censored a few Facebook posts critical of the country’s army and has complied with court orders to censor pornographic websites, but it no longer blocks websites en masse.

However, Tunisian activists are saying censorship has morphed into new forms. Now, rather than overt censorship from a central authority where websites are blocked, some individuals have been targeted by other governmental institutions for what they have posted on the internet.

A new agency, the Tunisian Technical Telecommunication Agency (ATT), was set up by governmental decree in November 2013 without public scrutiny. The agency has no oversight, and has surveillance and meta data collection abilities according to Hamza Ben Mehrez, a lead policy analyst with the Internet Governance for the Middle East and North Africa program of Hivos, a Dutch development agency.

This new agency works with the Tunisian Ministries of Interior, Defense, Human Rights, and Justice “to work on judicial prosecutions against internet users and hackers who might threaten state security,” said Ben Mehrez.

In other words, the Tunisian government still sees the internet as a battle ground to go after some users that officials believe are violating the law, but enforcement is less centralized. Government mechanisms are in place to put further restrictions on the internet at any time, however. The government has said the primary targets for internet surveillance are terrorism suspects.

Repressive laws from the Ben Ali era remain on the books and also continue to threaten internet freedom. Article 86 of the Telecommunications Code states that anyone found guilty of “using public communications networks to insult or disturb others” could spend up to two years in prison and may be liable to pay a fine. During the Ben Ali era, the law was selectively enforced to imprison journalists and political opponents of the regime.

Articles 128 and 245 of the penal code also punishes slander with two to five years imprisonment. Article 121 (3) calls for a maximum punishment of five years in jail for those convicted of publishing content “liable to cause harm to public order or public morals.” These laws have been used to punish some political speech on the internet.

In July, Mouhab Toumi, a man living on the country’s southern island of Djerba, was arrested for a Facebook post he made criticizing the competence of the President in 2012. Police from the Interior Ministry who arrested him asked him if he wanted to kill the President and also asked if he supported ISIS. He was brought before a judge in August where the judge dismissed the case against him.

In December 2014, authorities arrested Tunisian blogger Yassine Ayari for claiming the national military leadership was corrupt on Facebook. Ayari was released in April although he had been sentenced to a year in prison.

“Toumi’s case as well as Ayari’s are examples of how the government is telling us that they are still watching over us,” said Yosr Jouini a student at INSAT, the country’s largest engineering school. “The problem now is that we don’t know who is doing what. People in government agencies don’t know their limits.”

As Tunisia has no democratic tradition, the biggest challenge to getting restrictive laws changed is organizing a strong enough public constituency that will push for change. Jouini said that there is no tradition of discussing internet policy with the public. “We don’t have classes on these topics at INSAT, people have to be active in looking for ways to find out about these issues,” Jouini said. The lack of public education on issues of internet governance allows the country’s large internet providers to get what they want from the country’s parliamentarians with little public complaint.

In fact, some forms of censorship in Tunisia has been purely for the purposes of economic interests. Jouini said there is a competing interest between the public’s needs and the needs of the large internet providers. These competing interests don’t often make satisfactory policy for most internet users. In October 2014, the three largest telecom companies in Tunisia blocked calling apps such as Skype and Viber from being used over their 3G networks, claiming that the apps congested traffic. Jouini said it was much more likely that users were using calling apps to get around paying for phone service to the telecom companies.

As the first Arab country to have a successful revolution, post-revolution internet policy in Tunisia is critical because the country is an example for a freer society in the rest of the region. The Tunisian government has come a long way in making the internet a more open exchange of ideas and commerce since the days of dictatorship five years ago. Recent events however, have shown that the Tunisian Revolution did not make the Tunisian internet totally free—and without constant effort and advocacy by Tunisian internet users to keep the internet free in Tunisia, the direction internet freedom has been going in the country could reverse.

An anonymous reader sends word that Italy will spend 150 million Euros on reforming information and security services. Part of this reform will be monitoring communication among users of the "chat" feature on PlayStation 4. The Stack reports: "Italian Minister of Justice Andrea Orlando has revealed that Italy is spending 150 million euros ($157mn) on new technology and staff to improve surveillance capabilities, and emphasized that the 'new instruments' (it's not clear whether this means new technology or new requisitions) will also target the Sony PlayStation network which fell under suspicion as a possible forum of organization for the Paris attacks (though no evidence was found to support this)."

Read more of this story at Slashdot.

Researchers have discovered a new form of carbon structure, called Q-carbon, that’s harder than diamond and allows artificial versions of the precious stone to be made at room temperature and pressure.

Read more...

Author’s Note: We at Malwarebytes continue to do our part in educating our product users and constant blog readers about day-to-day online threats and how they can avoid falling prey to them. “PUP Friday”, our latest attempt at getting users acquainted with files they may need to watch out for in the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.

---

Sometimes, you need to read between the lines when going over an End-user license agreement (EULA), but FrameFox (aka Duquu) has passed that stage. They must rely on the fact that nobody ever reads them anyway.

EULA

The EULA for FrameFox can be found at www[dot]framefox[dot]com/#/terms if you can reach it. I have to point that out since Malwarebytes Ant-Malware Premiuim’s web protection blocks that domain. What immediately jumped out was this snippet:

Uninstallation and Disabling Methods

The User acknowledges and agrees that as some third-party applications do not allow FrameFox’s software install or run correctly, the User explicitly consents to FrameFox having rights in its sole discretion to in listed below but not limited to:

block, uninstall or change a third-party applications and files on the User’s computer which FrameFox finds incompatible with its software;

That is a direct threat to any anti-malware or other protection software trying to remove FrameFox from the user’s computer. They will remove you first if they get the chance. It goes on to list in which ways it allows itself to go about this:

• disable third-party application updates;
• disable startup programs in computer operating systems;
• modify DNS (Domain Name System) on the local system;

And then goes on to deny all liability for these actions. This is yet another example of adware that has the potential to leave the victims computer open to worse infections. So far I have not seen any examples of software that they choose to disable, but we are always curious to hear these from you.

Arsenal

What does the installer put on your system with which they can hope to achieve this task?

• Two services, both dubbed “Duuqu Update Service” (defined under dqupdate and dqupdatem in the registry) and both pointing to the same file “C:\Program Files (x86)\Duuqu\Update\DuuquUpdate.exe”.
• One Run-key entry for the file “C:\Program Files (x86)\FrameFox\framefox.exe”.
• And two Scheduled Tasks called “DuuquUpdateTaskMachineCore” and “DuuquUpdateTaskMachineUA” both pointing to the same file as the services described above.
• Browser Extensions for Firefox and Chrome.

The Chrome extension of FrameFox Shop

Removal

Malwarebytes Anti-Malware detects and removes “FrameFox Shop” as PUP.Optional.Duuqu and PUP.Optional.FrameFox. A full removal guide can be found on our forums. The installer I used has been spotted with the file names:

• DuuquUpdateSetup.exe
• FrameFoxShopSetup.exe

Summary

We had a look at one of the most outrageous EULA’s we have seen so far. FrameFox aka Duuqu steals the show and gets nominated in the “Most aggressive” category.

As always: Save yourself the hassle and get protected.

 

Pieter Arntz

Millions of embedded devices, including home routers, modems, IP cameras, VoIP phones, are shareing the same hard-coded SSH (Secure Shell) cryptographic keys or HTTPS (HTTP Secure) server certificates that expose them to various types of malicious attacks. A new analysis by IT security consultancy SEC Consult shows that the lazy manufacturers of the Internet of Things (IoTs) and Home

I’m always interested in seeing how companies deploy the gamification of security because it’s an easy way to get more people interested in locking things down, and with the launch of Steam’s latest sale they appear to be bringing back an old favourite: rewards for keeping your account secure.

As we’ve mentioned in the past, Steam Guard is an additional level of security for your account which means if someone swipes your Steam login, they’d still need to be able to gain access from a trusted device of yours which is probably unlikely to happen, unless they have physical access (in which case you may have bigger problems to worry about). There have been one or two sneaky attempts to get around it in the past, but by and large with Steam Guard enabled you’re pretty much locked down solid.

Back in 2012, Steam had their annual Christmas holidays sale and offered daily in-game challenges, alongside some tasks which weren’t game-centric. One of these was the below:

I like that one of Steam’s reward objectives is asking users to enable Steam Guard. http://t.co/B56RMlTJpic.twitter.com/8pWE1p9V

— Chris Boyd (@paperghost) January 1, 2012

I can’t quite remember what the reward was for doing this (besides a more secure account, of course) but with the arrival of their latest sale I couldn’t help but notice the following:

Save 5% - 33% in the Community Market when you use a Steam Guard Mobile Authenticator

Steam Guard Mobile Authenticator  has its functionality built into the pre-existing Steam mobile app, and follows the typical pattern of having the device owner enter a code which changes every 30 seconds while logging into Steam. Unlike the desktop version of Steam Guard, this doesn’t have the drawback of scammers trying to convince you to send them your SSFN file.

Perhaps scammers could still grab your regular Username and Password by traditional means then try and ask you for your Steam Guard Mobile generated code, but they’d have to be super quick to then log in as you before the timer ticks down and changes the code. As mentioned on the support pages, never hand anyone a freshly generated Authenticator Code.

What is the Community Market, anyway?

Traditionally, this is where Steam users can buy and sell in-game items and other cosmetic objects such as profile backgrounds and funky little avatars to use in Steam’s IM chat. Many rare items can shift for huge sums of money [1], [2], and more often than not Steam accounts with large Market item inventories are prime targets for scammers and hustlers hoping to make a fast buck – typically at someone else’s expense.

There’s a huge amount of money being shifted around during Steam sales, and once this one is out of the way there’ll only be a short break until the official Christmas Sale rolls into town.

Can your wallet (and, more importantly) your security settings take it? If you have any intention of performing certain tasks in the Community Market then they may well have to!

Whether Black Friday or any other day, keep your (bank) cards close to your chest and safe shopping to you all.

Christopher Boyd

Trash and Mailbox by Bethesda Softworks

Otlard.A (or let's say at least the malware triggering 2806902 || ETPRO TROJAN Win32.Otlard.A C&C Checkin response )  is a Spam Botnet

I saw it loaded as a plugin in an instance of Andromeda

That Andromeda is being spread via :

• Bedep build id 6005 and here 6007 from an Angler EK fed by Malvertising :

VirtualDonna group redirecting traffic to an Angler instance loading Bedep buildid 6007 in memory Bedep 6007 loading Andromeda 55ead0e4010c7c1a601511286f879e33 before update task. 2015-09-28

Note : Bedep 6007 was sometimes loading it with other payload
-2015-09-16 for : ec5d314fc392765d065ff16f21722008 with Trapwot (FakeAV) e600985d6797dec2f7388e86ae3e82ba and Pony a4f08c845cc8e2beae0d157a3624b686
-2015-09-29 for : 37898c10a350651add962831daa4fffa with Kovter ( 24143f110e7492c3d040b2ec0cdfa3d0 )
That Andromeda beaconing to dnswow .com enslaved >10k bots in a week :

Andromeda dnswow 2015-11-22

Andromeda dnswow 2015-11-27

Here the Otlard.A task in that Andromeda instance :

Task installing Otlard.A as a plugin to Andromeda

• a Task in a Smokebot dropped by Nuclear Pack fed by Malvertising :

Malvertising > Nuclear Pack > Smokebot > Stealer, Ramnit, Htbot and Andromeda > Otlard.A 2015-11-28

Smokebot : cde587187622d5f23e50b1f5b6c86969
Andromeda : b75f4834770fe64da63e42b8c90c6fcd
(out of topic Ramnit : 28ceafaef592986e4914bfa3f4c7f5c0 - It's being massively spread those days in many infection path. (Edit 2015-12-29 :  Htbot.B :  d0a14abe51a61c727420765f72de843a named ProxyBack by PaloAlto)

Now here is what the control panel of that plugin looks like :

Otlard.A panel :

Otlard.A - JahooManager - Main - 2015-09-27

Otlard.A - JahooManager - Servers - 2015-09-27

Otlard.A - JahooManager - Settings - 2015-09-27

Otlard.A - JahooManager - Campaigns - 2015-09-27

Otlard.A - JahooManager - Bot - 2015-09-27 that exe is : 2387fb927e6d9d6c027b4ba23d8c3073 and appears to be Andromeda

Otlard.A - JahooSender - Tasks - 2015-09-27

Otlard.A - JahooSender - Tasks - 2015-11-28

Otlard.A - JahooSender - Tasks - Done Task - 2015-09-27

Otlard.A - JahooSender - Domains - 2015-09-27

Otlard.A - JahooSender - Domains - 2015-11-28

Otlard.A - JahooSender - Messages - 2015-09-27

Otlard.A - JahooSender - Messages - 2015-11-28

Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28

Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28

Otlard.A - JahooSender - Messages - Edit a Message - 2015-11-28

Otlard.A - JahooSender - Headers - 2015-11-28

Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28

Otlard.A - JahooSender - Headers - Editing Header - 2015-11-28

Otlard.A - JahooSender - Macross - 2015-11-28

Otlard.A - JahooSender - Macross - 2015-11-28

Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28

Otlard.A - JahooSender  - Macross - Editing macross - 2015-11-28

Otlard.A - JahooSender - Macross - Editing macross - 2015-11-28

Otlard.A - JahooSender - Attach - 2015-11-28

Otlard.A - JahooSender - Attach - Attached image - 2015-11-28

Otlard.A - JahooSender - Rules - 2015-11-28

Otlard.A - JahooSender - Rules > Spam - 2015-11-28

Olard.A - JahooSender - Rules > User - 2015-11-28

Olard.A - Bases - Emails - 2015-11-28

Olard.A - Bases - Blacklist - 2015-11-28

Olard.A - Bases - Blacklist - Edit - 2015-11-28

Olard.A - Botnet - Main - 2015-09-27

Olard.A - Botnet - Main - 2015-11-28

Otlard.A - Botnet - Modules - 2015-11-28

Otlard.A - Botnet - Modules - Edit - 2015-11-28

Otlard.A - Incubator - Accounts - 2015-11-28

Otlard.A - Incubator - Settings - 2015-11-28

Note : registrator menu has disappeared in last version. 


--
Andromeda C&C 2015-11-28 :
5.8.35.241
202023 | 5.8.35.0/24 | LLHOST | EU | llhost-inc.com | LLHost Inc

Spam Module C&C 2015-11-28 :
5.8.32.10 
5.8.32.8
5.8.32.52
5.8.34.20
5.8.32.53
5.8.32.56
202023 | 5.8.32.0/24 | LLHOST | EU | zanufact.com | LLHost Inc

Thanks : Brett StoneGross for helping me with decoding/understanding the network communications

Files :
All samples which hashes have been discussed here are in that zip.
Jahoo - socker.dll : 7d14c9edfd71d2b76dd18e3681fec798
( If you want to look into this, i can provide associated network traffic)

Read More :

Inside Andromeda Bot v2.06 Webpanel / AKA Gamarue - Botnet Control Panel 2012-07-02
Inside Pony 1.7 / Fareit C&C - Botnet Control Panel - 2012-06-27
Inside Smoke Bot - Botnet Control Panel - 2012-04-28

Post publication Reading :
ProxyBack Malware Turns User Systems Into Proxies Without Consent - 2015-12-23 - JeffWhite - PaloAlto

Too easy to work out who's talking to whom, says researcher

Update: 'Hoax', says Telegram  Mere days after opsec expert The Grugq warned that popular messaging app Telegram Messenger couldn't be regarded as secure, another researcher has demonstrated how its metadata leaks expose users to stalking.…

Doll leaks data, even before the tear-downs are finished

Back in February, The Register queried the security and privacy implications of Mattel's “Hello Barbie”, and now the doll has hit the shelves, a prominent security researcher has turned up the first security problems with the toy.…

Defence contractor Lockheed Martin provided intelligence services before Black Friday

Walmart has recruited aerospace, defence and security concern Lockheed Martin to comb open source intelligence in the lead up to Black Friday union protests, Bloomberg reports.…

Rejoice! From this morning, you can call freely to anyone, talk anything without any fear of being spied by the United States National Security Agency (NSA), as the agency is not allowed to collect bulk phone records. Until now we all are aware of the NSA's bulk phone surveillance program – thanks to former NSA employee Edward Snowden, who leaked the very first top secret documents of

Algebraic Eraser is a public-key key-agreement protocol that's patented and being pushed by a company for the Internet of Things, primarily because it is efficient on small low-power devices. There's a new cryptanalytic attack.

This is yet another demonstration of why you should not choose proprietary encryption over public algorithms and protocols. The good stuff is not patented.

News article.

Researchers have identified a serious vulnerability affecting VPN providers with port-forwarding services that allows an attacker to obtain the real IP address of a user's computer.

David Bisson reports.

Few schemes for monetizing stolen credit cards are as bold as the fuel theft scam: Crooks embed skimming devices inside fuel station pumps to steal credit card data from customers. Thieves then clone the cards and use them to steal hundreds of gallons of gas at multiple filling stations. The gas is pumped into hollowed-out trucks and vans, which ferry the fuel to a giant tanker truck. The criminals then sell and deliver the gas at cut rate prices to shady and complicit fuel station owners.

Agent Steve Scarince of the U.S. Secret Service heads up a task force in Los Angeles that since 2009 has been combating fuel theft and fuel pump skimming rings. Scarince said the crooks who plant the skimmers and steal the cards from fuel stations usually are separate criminal groups from those who use the cards to steal and resell gas.

“Generally the way it works is the skimmer will sell the cards to a fuel theft cell or ring,” he said. “The head of the ring or the number two guy will go purchase the credit cards and bring them back to the drivers. More often than not, the drivers don’t know a whole lot about the business. They just show up for work, the boss hands them 25 cards and says, ‘Make the most of it, and bring me back the cards that don’t work.’ And the leader of the ring will go back to the card skimmer and say, ‘Okay out of 100 of those you sold me, 50 of them didn’t work.'”

Scarince said the skimmer gangs will gain access to the inside of the fuel pumps either secretly or by bribing station attendants. Once inside the pumps, the thieves hook up their skimmer to the gas pump’s card reader and PIN pad. The devices also are connected to the pump’s electric power — so they don’t need batteries and can operate indefinitely.

Most internal, modern pump skimmers are built to record the card data on a storage device that can transmit the data wirelessly via Bluetooth technology. This way, thieves can drive up with a laptop and fill their tank in the time it takes to suck down the card data that’s been freshly stolen since their last visit.

The Secret Service task force in Los Angels has even found pump skimming devices that send the stolen card data via SMS/text message to the thieves, meaning the crooks don’t ever have to return to the scene of the crime and can receive the stolen cards and PINs anywhere in the world that has mobile phone service.

MOBILE BOMBS

Scarince said the fuel theft gangs use vans and trucks crudely modified and retrofitted with huge metal and/or plastic “bladders” capable of holding between 250 and 500 gallons of fuel.

“The fuel theft groups will drive a bladder truck from gas station to gas station, using counterfeit cards to fill up the bladder,” he said. “Then they’ll drive back to their compound and pump the fuel into a 4,000 or 5,000 [gallon] container truck.”

The fuel will be delivered to gas station owners with whom the fuel theft ring has previously brokered with on the price per gallon. And it’s always a cash transaction.

“The stations know they’re buying stolen gas,” Scarince said. “They’re fully aware the fuel is not coming from a legitimate source. There’s never any paperwork with the fuel driver, and these transactions are missing all the elements of a normal, legitimate transaction between what would be a refinery and a gas station.”

Needless to say, the bladder trucks aren’t exactly road-worthy when they’re filled to the brim with stolen and highly flammable fuel. From time to time, one of the dimmer bladder truck drivers will temporarily forget his cargo and light up a smoke.

“Two or three summers ago we had this one guy who I guess was just jonesing for a cigarette,” Scarince said. “He lit up and that was the last thing he did.”

Other bladder trucks have spontaneously burst into flames at filling stations while thieves pumped stolen gas.

“There have been other fires that took place during the transfer of fuel, where some static sparked and the whole place caught on fire,” Scarince said. “These vehicles are not road-worthy by any means. Some of the bladder tanks are poorly made, they leak. The trucks are often overweight and can’t handle the load. We see things like transmissions giving out, chassis going out. These things are real hazards just waiting to happen.”

How big are the fuel theft operations in and around Los Angeles? Scarince estimates that at any given time there are 20 to 30 of these deadly bladder trucks trundling down L.A. freeways and side streets.

“And that’s a very conservative guess, just based on what the credit card companies report,” he said.

Aaron Turner, vice president of identity service products at Verifone — a major manufacturer of credit card terminals — leads a team that has been studying many of the skimming devices that the Secret Service has retrieved from compromised filling stations. Turner says there is a huge potential for safety-related issues when it comes to skimmers in a gas-pump environment. 

“Every piece of equipment that is installed by gas station owners in the pump area is approved by reviewed and approved according to industry standards, but these skimmers…not so much,” Turner said. “One of the skimmers that we retrieved was sparking and arcing when we powered it up in our lab. I think it’s safe to say that skimmer manufacturers are not getting UL certifications for their gear.”

COUNTERING FUEL FRAUD

With some fuel theft gangs stealing more than $10 million per year, Scarince said financial institutions and credit card issuers have responded with a range of tactics to detect and stop suspicious fuel station transactions.

“A lot more card issuers and merchant processors are really pushing hard on velocity checks,” Scarince said, referring to a fraud detection technique that reviews transactions for repeating patterns within a brief period. “If you buy gas in Washington, D.C. and then 30 minutes gas later gas is being purchased on opposite side of the city in a short period of time. Those are things that are going to start triggering questions about the card. So, more checks like that are being tested and deployed, and banks are getting better at detecting this activity.”

Card issuers also can impose their own artificial spending limits on fuel purchases. Visa, for example, caps fuel purchases at $125.  But thieves often learn to work just under those limits.

“The more intelligent crooks will use only a few cards per station, which keeps them a lower profile,” Scarince said. “They’ll come in a swipe two to three cards and fill up 40-80 gallons and move on down the road to another station. They definitely also have what we determine to be routes. Monday they’ll drive one direction, and Tuesday they’ll go the other way, just to make sure they don’t hit the same stations one day after another.”

Newer credit and debit cards with embedded chip technology should make the cards more costly and difficult to counterfeit. However, the chip cards still have the card data encoded in plain text on the card’s magnetic strip, and most fuel stations won’t have chip-enabled readers for several years to come.

On Oct. 1, 2015, Visa and MasterCard put in force new rules that can penalize merchants who do not yet have chip-enabled terminals. Under the new rules, merchants that don’t have the technology to accept chip cards will assume full liability for the cost of fraud from purchases in which the customer presented a chip-enabled card.

But those rules don’t apply to fuel stations in the United States until October 2017, and a great many stations won’t meet that deadline, said Verifone’s Turner.

“The petroleum stations and the trade organizations that represent them have been fairly public in their statements that they don’t feel they’re going to hit the 2017 dates,” Turner said. “If you look at the cost of replacing these dispensers and the number of systems that have been touched by qualified, licensed technicians…most of the stations are saying that even if they start this process now they’re going to struggle to meet that October 2017 date.”

Turner said that as chip card readers take hold in more retail establishments, card thieves will begin targeting fuel stations more intensively and systematically.

“We’re moving into this really interesting point of time when I think the criminals are going to focus on the approaches that offer them the greatest return on their investment,” Turner said. “In the future, I think there will be a liability shift specifically for petroleum stations [because] the amount of mag-stripe-facilitated fraud that will happen in that market is going to increase significantly along with chip card deployment.”

Part of the reason Los Angeles is such a hotbed of skimming activity may be related to ethnic Armenian organized crime members that have invested heavily in fuel theft schemes. Last month, the Justice Department announced charges against eight such men accused of planting skimmers in pumps throughout Southern California and Nevada.

Scarince and Turner say there is a great deal of room for the geographic spread of fuel theft scams. Although the bulk of fuel theft activity in the United States is centered around Los Angeles, the organized nature of the crime is slowly spreading to other cities.

“We are seeing pump skimming now shoot across the country,” Scarince said. “Los Angeles is still definitely ground zero, but Florida is now getting hit hard, as are Houston and parts of the midwest. Technology we first saw a couple of years ago in LA we’re now seeing show up in other locations across the country. They’re starting to pick on markets that are probably less aware of what’s going on as far as skimming goes and don’t secure their pumps as well as most stations do here.”

WHAT CAN  YOU DO?

Avoid sketchy-looking stations and those that haven’t started using tamper-evident seals on their pumps.

“The fuel theft gangs certainly scout out the stations beforehand, looking for stations that haven’t upgraded their pump locks and haven’t started using tamper seals,” Scarince said. “If some franchised station decided not to spend the money to upgrade their systems with these security precautions, they’re going to be targeted.”

Scarince says he also tends to use pumps that are closest to the attendants.

“Those are less likely to have skimmers in or on them than street-side pumps,” he said.

Consumers should remember that they’re not liable for fraudulent charges on their credit or debit cards, but they still have to report the phony transactions. There is no substitute for keeping a close eye on your card statements. Also, use credit cards instead of debit cards at the pump; having your checking account emptied of cash while your bank sorts out the situation can be a huge hassle and create secondary problems (bounced checks, for instance).

Last week, we at Malwarebytes Unpacked celebrated with our CEO, Marcin Kleczynski, after hearing news from London on Black Friday that V3.co.uk honored him the “Technology Hero of the Year” award. He joined the ranks of Steve Jobs, Mark Zuckerberg, and Eugene Kaspersky.

Senior security researcher Jérôme Segura documented some interesting finds during the last several days. First, he spotted a number of compromised WordPress sites containing conditional site scripts that likely target users of Internet Explorer. These sites were redirecting to sites harboring the Angler and Flash Player exploits. Second, he found, as per our telemetry, more notable sites like the Reader’s Digest pushing out exploit kits. Lastly, he touched on a ransomware variant that asks for Bitcoin ransom amounting from $50 to $999. Segura also theorized on a possible future of malvertising, and it involves ads on videos.

For our PUP Friday post, our researchers discussed about FrameFox, an application that is capable of disabling security software installed on user systems.

Notable news stories and security related happenings:

• Australians Among World’s Worst Malware Victims – but the Death of APTs Signals Worse Times Ahead. “Australian users remain among the world’s most likely to click on malicious links, new industry research suggests – but if you thought things were bad now, hold onto your hats: security specialists warn that 2016 is likely to make things even worse as growing desire to commercialise the spoils of data breaches drives a transformation in the way attackers launch already-insidious advanced persistent threats (APTs).” (Source: CSO)
• How Online Fraud will Evolve in 2016. “While 2015 is drawing to a close, the security fraud community is preparing for more battles ahead in 2016. And next year, consumer-facing web and mobile apps are up against a much more sophisticated and prolific enemy as bad actors continue to evade traditional security defenses, leverage the latest mobile hacker tools to impersonate legitimate users and take control of consumer accounts en masse.” (Source: Help Net Security)
• Holiday Scams That will be Donning Your Inbox Soon. “Every year someone falls for something that is just too good to be true. Make sure your users are up to date on the latest social engineering scams this holiday season.” (Source: CSO Online)
• Many Embedded Devices Ship Without Adequate Security Tests, Analysis Shows. “An analysis of hundreds of publicly available firmware images for routers, DSL modems, VoIP phones, IP cameras and other embedded devices uncovered high-risk vulnerabilities in a significant number of them, pointing to poor security testing by manufacturers.” (Source: CSO Online)
• Patreon Users Threatened by Ashley Madison Scammers. “Over the last few days, the group responsible for extortion attempts and death threats against Ashley Madison users has turned to a new set of targets – Patreon users. The group sending the messages has claimed to be DD4BC, and they have a history of extortion and DDoS attacks.” (Source: CSO Online)
• Cyber Theft Hits One in Five Consumers, Survey Finds. “Just under 40% had had personal data stolen or deleted because of a computer virus or malware, up from 26% in 2013. More than half (53%) did not know the detail of the personal data that had been collected by organisations, up from 37% in 2013. The Deloitte survey also found companies that failed to safeguard data were more likely to lose custom than those which raised prices.” (Source: The BBC)
• India and Malaysia Sign Cyber-security Pact. “The cyber-security agreement seeks to promote closer cooperation and the exchange of information pertaining to cyber-security incident management, technology cooperation, cyber-attacks, prevalent policies and best practices and mutual response to cyber-security incidents.” (Source: First Post)
• Facebook ‘Most Used Words’ Game Accused of Stealing and Selling User Data. “And thanks to a post about the game – which is called Most Used Words on Facebook – from UK-based VPN comparison website Comparitech that recently called it a “privacy nightmare,” I was initially ready to urge friends like her to please not touch the game with a 12-foot pole.” (Source: Sophos’s Naked Security Blog)
• Cyber Monday: What Retailers & Shoppers Should Watch For. “The most immediate concern is anything that prevents a retailer from making money, like a denial of service attack on an online shop or mobile purchasing app — or a security measure that causes impatient customers to take their business elsewhere. Threats that may cost a retailer money — like shipping fraud or chargebacks for fraudulent purchases made with stolen credit cards or gift cards bought with stolen credit card data — are secondary.” (Source: Dark Reading)
• Researchers Poke Hole in Custom Crypto Built for Amazon Web Services. “In case it’s not clear to some readers, there’s nothing wrong with writing a new implementation of a trusted crypto standard, especially when the work is followed up with the kind of security reviews Amazon sought with s2n. And as noted in the paper, most modern browsers are immune to Lucky 13 attacks.” (Source: Ars Technica)
• GlassRAT Linked to Earlier Geopolitical Malware Campaigns. “Security researchers at RSA have discovered that the GlassRAT remote administration Trojan (RAT) might have been in the same command and control (C&C) infrastructure shared in geopolitical malware campaigns observed earlier this decade. The authors of RSA’s research paper explain that they linked GlassRAT to other malicious C&C infrastructures using malicious domains that pointed to common hosting.” (Source: Graham Cluley’s Blog)
• Dell’s Security-shattering PC Root Certificate Debacle: What You Need to Know. “In an attempt to streamline remote support, Dell installed a self-signed root certificate and corresponding private key on its customers’ computers, apparently without realizing that this exposes users’ encrypted communications to potential spying.” (Source: PC World)
• Analytics Services are Tracking Users Via Chrome Extensions. “It’s quite possible that, despite your belief that the Google Chrome is the safest browser there is and your use of extensions that prevent tracking, your online movements are still being tracked. The culprits? Popular Chrome extensions like HooverZoom, Free Smileys & Emoticons, Flash Player+, SuperBlock Adblocker and many more.” (Source: Help Net Security)
• Study Reveals Security Gaps That Could Greatly Impact 2016. “A recent Trend Micro study revealed that in third quarter 2015, a worst-case security scenario occurred when leaked information from a data breach was used for further attacks, such as blackmail and extortion.” (Source: Legal Tech News)
• Russian Criminals Steal $4 Million in Cash with a New Technique Dubbed Reverse ATM Attack. “According to the experts at security firm GroupIB, the Reverse ATM Attack allowed criminal rings in Russia to steal 252 Million Rubles (roughly US$3.8 Million) from at least five different banks. The theft started in summer 2014 and finished in Q1 2015.” (Source: Security Affairs)
• Cyberattacks On Firms Posing Credit Risk. “Credit rating agency Moody’s Corp. warns that cyber defenses as well as breach detection, prevention and response will be higher priorities in its analysis of the creditworthiness of companies across all sectors, including healthcare and financial services […] According to the report, organizations that house significant amounts of personal data, including financial institutions, healthcare entities, higher education organizations and retail companies, are at greatest risk to experience large-scale data theft attacks resulting in serious reputational and financial damage.” (Source: CXO Today)
• Black Friday: Cyber-thieves ‘target Christmas shoppers’. “One gang had updated the sophisticated malware it used to target tills in stores, security company iSight said. There had also been an increase in spam and phishing emails crafted to catch out people seeking bargains.” (Source: The BBC)
• Black Friday Deals? Nope, This Fake Amazon Android App Only Harvests Your Personal Data. “According to a post published by the Zscaler research team, the fake app is being distributed from a URL set up by the malware authors to fool victims into believing it is a legitimate Amazon site. Indeed, as Yahoo! Tech reveals, the app in some ways appears very similar to the real Amazon Underground app, which offers users games and free apps.” (Source: Graham Cluley’s Blog)
• Hello Barbie, You are a Privacy and Security Threat. “Engineering Miracle Barbie isn’t just an idiot when it comes to computers, she is also something of a loose cannon in terms of security and privacy, according to people who have been playing with their dollies […] Hello Barbie, or Hell Barbie depending on your privacy stance, is new and likely to be heading for the underside of fir trees that are wondering why they are suddenly in urban living rooms. But parents beware: it has raised privacy and security hackles.” (Source: The Inquirer)

Safe surfing, everyone!

The Malwarebytes Labs Team

Fourteen years after the FBI began using national security letters to unilaterally and quietly demand records from Internet service providers, telephone companies and financial institutions, one recipient — former ISP founder Nicholas Merrill — is finally free to talk about what it’s like to get one.

The FBI issues the letters, known as NSLs, without any judicial review whatsoever. And they come with a gag order.

But a federal District Court judge in New York ruled in September that the continuous ban on Merrill’s speech about the order was not justified, considering that the FBI’s investigation was long over and most details about the order were already openly available.

After waiting for 90 days to let the government appeal the decision — which it didn’t — the judge lifted the gag on Monday.

Merrill immediately released the FBI’s attachment to the national security letter it sent him 11 years ago, listing the kinds of information it wanted about a particular customer without getting a warrant.

One of the most striking revelations, Merrill said during a press teleconference, was that the FBI was requesting detailed cell site location information — cellphone tracking records — under the heading of “radius log” information. Traditionally, radius log refers to a user’s attempts to connect to a server or a DSL line — a sort of anachronism given the progress of technology.

“The notion that the government can collect cellphone location information — to turn your cellphone into a tracking device, just by signing a letter — is extremely troubling,” Merrill said.

The court ruling noted that the FBI is no longer requesting this type of information using NSLs, but wants to maintain the possibility of doing so in the future.

The question of whether law enforcement should be required to get a warrant before obtaining detailed cell site location information is currently being reviewed in several federal District Courts, though the Supreme Court recently turned the case down.

And, according to Merrill, the FBI’s request for “any other information which you consider to be an electronic communication transactional record” also includes incredibly invasive things like a detailed list of all the web searches performed on a computer.

Merrill did not release the name of the target of the investigation and the letter, though he is now legally allowed to do so — “for privacy reasons,” he said.

Otherwise, the newly disclosed list did not provide much new information about the FBI’s investigation practices — a big reason why the court chose to lift the gag order.

In the newly unredacted ruling, U.S. District Court Judge Victor Marrero wrote that the case “implicates serious issues, both with respect to the First Amendment and accountability of the government to the people.”

According to the Electronic Frontier Foundation, around 300,000 NSLs have been issued since 2001. By 2008, the Justice Department concluded that the FBI had been abusing its powers with NSLs, even after changing policies in 2006.

“I feel vindicated today,” said Merrill. “But there’s a lot more work to be done.”

Top photo: Attachment to a 2004 national security letter sent to Nick Merrill. 

The post Scope of Secretive FBI National Security Letters Revealed by First Lifted Gag Order appeared first on The Intercept.

What the FBI can do with an NSL and a gagging order

Following a decade-long legal battle, the details of a US national security letter (NSL) sent to ISP owner Nicholas Merrill can finally be revealed.…

Crypto comms outfit hits eject after govt backdoor demand

Blackberry will pull out of Pakistan on New Year's Eve in protest of its government's demand to intercept and decrypt people's communications.…

Sony, Macy's, GoPro, hotels, insurance giants, anyone with money accused of infringement

Scores of big brands – from AT&T and Yahoo! to Netflix, GoPro and Macy's – are being sued because their HTTPS websites allegedly infringe an encryption patent.…

FireEye Threat Intelligence analysts identified a spear phishing campaign carried out in August 2015 targeting Hong Kong-based media organizations. A China-based cyber threat group, which FireEye tracks as an uncategorized advanced persistent threat (APT) group and other researchers refer to as “admin@338,” may have conducted the activity.[1] The email messages contained malicious documents with a malware payload called LOWBALL. LOWBALL abuses the Dropbox cloud storage service for command and control (CnC). We collaborated with Dropbox to investigate the threat, and our cooperation revealed what may be a second, similar operation. The attack is part of a trend where threat groups hide malicious activity by communicating with legitimate web services such as social networking and cloud storage sites to foil detection efforts.[2][3]

A Cyber Campaign Likely Intended to Monitor Hong Kong Media During a Period of Crisis

The threat group has previously used newsworthy events as lures to deliver malware.[4] They have largely targeted organizations involved in financial, economic and trade policy, typically using publicly available RATs such as Poison Ivy, as well some non-public backdoors.[5]

The group started targeting Hong Kong media companies, probably in response to political and economic challenges in Hong Kong and China. The threat group’s latest activity coincided with the announcement of criminal charges against democracy activists.[6] During the past 12 months, Chinese authorities have faced several challenges, including large-scale protests in Hong Kong in late 2014, the precipitous decline in the stock market in mid-2015, and the massive industrial explosion in Tianjin in August 2015. In Hong Kong, the pro-democracy movement persists, and the government recently denied a professor a post because of his links to a pro-democracy leader.[7]

Multiple China-based cyber threat groups have targeted international media organizations in the past. The targeting has often focused on Hong Kong-based media, particularly those that publish pro-democracy material. The media organizations targeted with the threat group’s well-crafted Chinese language lure documents are precisely those whose networks Beijing would seek to monitor. Cyber threat groups’ access to the media organization’s networks could potentially provide the government advance warning on upcoming protests, information on pro-democracy group leaders, and insights needed to disrupt activity on the Internet, such as what occurred in mid-2014 when several websites were brought down in denial of service attacks.[8]

Threat Actors Use Spear Phishing Written in Traditional Chinese Script in Attempted Intrusions

In August 2015, the threat actors sent spear phishing emails to a number of Hong Kong-based media organizations, including newspapers, radio, and television. The first email references the creation of a Christian civil society organization to coincide with the anniversary of the 2014 protests in Hong Kong known as the Umbrella Movement. The second email references a Hong Kong University alumni organization that fears votes in a referendum to appoint a Vice-Chancellor will be co-opted by pro-Beijing interests.[9]

Figure 1: Lure Screenshots

The group’s previous activities against financial and policy organizations have largely focused on spear phishing emails written in English, destined for Western audiences. This campaign, however, is clearly designed for those who read the traditional Chinese script commonly used in Hong Kong.

LOWBALL Malware Analysis

The spear phishing emails contained three attachments in total, each of which exploited an older vulnerability in Microsoft Office (CVE-2012-0158):

MD5	Filename
b9208a5b0504cb2283b1144fc455eaaa	使命公民運動 我們的異象.doc
ec19ed7cddf92984906325da59f75351	新聞稿及公佈.doc
6495b384748188188d09e9d5a0c401a4	(代發)[采訪通知]港大校友關注組遞信行動.doc

In all three cases, the payload was the same:

MD5	Filename
d76261ba3b624933a6ebb5dd73758db4	time.exe

This backdoor, known as LOWBALL, uses the legitimate Dropbox cloud-storage
service to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.

After execution, the malware will use the Dropbox API to make an HTTP GET request using HTTPS over TCP port 443 for the files:

MD5	Filename
d76261ba3b624933a6ebb5dd73758db4	WmiApCom
79b68cdd0044edd4fbf8067b22878644	WmiApCom.bat

The “WmiApCom.bat” file is simply used to start “WmiApCom”, which happens to be the exact same file as the one dropped by the malicious Word documents. However, this is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.

The threat group monitors its Dropbox account for responses from compromised computers. Once the LOWBALL malware calls back to the Dropbox account, the attackers will create a file called “[COMPUTER_NAME]_upload.bat” which contains commands to be executed on the compromised computer. This batch file is then executed on the target computer, with the results uploaded to the attackers’ Dropbox account in a file named “[COMPUTER_NAME]_download”.

We observed the threat group issue the following commands:

@echo off

dir c:\ >> %temp%\download

ipconfig /all >> %temp%\download

net user >> %temp%\download

net user /domain >> %temp%\download

ver >> %temp%\download

del %0

@echo off

dir "c:\Documents and Settings" >> %temp%\download

dir "c:\Program Files\

" >> %temp%\download

net start >> %temp%\download

net localgroup administrator >> %temp%\download

netstat -ano >> %temp%\download

These commands allow the threat group to gain information about the compromised computer and the network to which it belongs. Using this information, they can decide to explore further or instruct the compromised computer to download additional malware.

We observed the threat group upload a second stage malware, known as BUBBLEWRAP (also known as Backdoor.APT.FakeWinHTTPHelper) to their Dropbox account along with the following command:

@echo off

ren "%temp%\upload" audiodg.exe

start %temp%\audiodg.exe

dir d:\ >> %temp%\download

systeminfo >> %temp%\download

del %0

We have previously observed the admin@338 group use BUBBLEWRAP. This particular sample connected to the CnC domain accounts.serveftp[.]com, which resolved to an IP address previously used by the threat group, although the IP had not been used for some time prior to this most recent activity:

MD5
0beb957923df2c885d29a9c1743dd94b	accounts.serveftp.com	59.188.0.197

BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.

A Second Operation

FireEye works closely with security researchers and industry partners to mitigate cyber threats, and we collaborated with Dropbox to respond to this activity. The Dropbox security team was able to identify this abuse and put countermeasures in place.

Our cooperation uncovered what appears to be a second, ongoing operation, though we lack sufficient evidence to verify if admin@338 is behind it. The attack lifecycle followed the same pattern, though some of the filenames were different, which indicates that there may be multiple versions of the malware. In addition, while the operation targeting Hong Kong-based media involved a smaller number of targets and a limited duration, we suspect this second operation involves up to 50 targets. At this time, we are unable to identify the victims.

In this case, after the payload is delivered via an exploit the threat actor places files (named upload.bat, upload.rar, and period.txt, download.txt or silent.txt) in a directory on a Dropbox account. The malware beacons to this directory using the hardcoded API token and attempts to download these files (which are deleted from the Dropbox account after the download):

• upload.bat, a batch script that the compromised machine will execute
• upload.rar, a RAR archive that contains at least two files: a batch script to execute, and often an executable (sometimes named rar.exe)  which the batch script will run and almost always uploads the results of download.rar to the cloud storage account
• silent.txt and period.txt,  small files sizes of 0-4 bytes that dictate the frequency to check in with the CnC

The threat actor will then download the results and then delete the files from the cloud storage account.

Conclusion

LOWBALL is an example of malware that abuses cloud storage services to mask its activity from network defenders. The LOWBALL first stage malware allows the group to collect information from victims and then deliver the BUBBLEWRAP second stage malware to their victims after verifying that they are indeed interesting targets.

A version of this article appeared first on the FireEye Intelligence Center . The FireEye Intelligence Center provides access to strategic intelligence, analysis tools, intelligence sharing capabilities, and institutional knowledge based on over 10 years of FireEye and Mandiant experience detecting, responding to and tracking advanced threats. FireEye uses a proprietary intelligence database, along with the expertise of our Threat Intelligence Analysts, to power the Intelligence Center.

[1] FireEye currently tracks this activity as an “uncategorized” group, a cluster of related threat activity about which we lack information to classify with an advanced persistent threat number.

[2] FireEye. Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf

[3] FireEye. HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group.  

[4] Moran, Ned and Alex Lanstein. FireEye. “Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370.” 25 March 2014. https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html.

[5] Moran, Ned and Thoufique Haq. FireEye. “Know Your Enemy: Tracking a Rapidly Evolving APT Actor.” 31 October 2013. FireEye. Poison Ivy: Assessing Damage and Extracting Intelligence

[6] BBC News. “Hong Kong student leaders charged over Umbrella Movement.’” 27 August 2015. http://www.bbc.com/news/world-asia-china-34070695.

[7] Zhao, Shirley, Joyce Ng, and Gloria Chan. “University of Hong Kong’s council votes 12-8 to reject Johannes Chan’s appointment as pro-vice-chancellor.” 30 September 2015. http://www.scmp.com/news/hong-kong/education-community/article/1862423/surprise-move-chair-university-hong-kong.

[8] Wong, Alan. Pro-Democracy Media Company’s Websites Attacked.  “Pro-Democracy Media Company’s Websites Attacked.” New York Times. 18 June 2014. http://sinosphere.blogs.nytimes.com/2014/06/18/pro-democracy-media-companys-websites-attacked/.

[9] “HKU concern group raises proxy fears in key vote.” EIJ Insight. 31 August 2015. http://www.ejinsight.com/20150831-hku-concern-group-raises-proxy-fears-in-key-vote/.

 

 

The U.S. Department of Homeland Security (DHS) has been quietly launching stealthy cyber attacks against a range of private U.S. companies — mostly banks and energy firms. These digital intrusion attempts, commissioned in advance by the private sector targets themselves, are part of a little-known program at DHS designed to help “critical infrastructure” companies shore up their computer and network defenses against real-world adversaries. And it’s all free of charge (well, on the U.S. taxpayer’s dime).

KrebsOnSecurity first learned about DHS’s National Cybersecurity Assessment and Technical Services (NCATS) program after hearing from a risk manager at a small financial institution in the eastern United States. The manager was comparing the free services offered by NCATS with private sector offerings and was seeking my opinion. I asked around to a number of otherwise clueful sources who had no idea this DHS program even existed.

DHS declined requests for an interview about NCATS, but the agency has published some information about the program. According to DHS, the NCATS program offers full-scope penetration testing capabilities in the form of two separate programs: a “Risk and Vulnerability Assessment,” (RVA) and a “Cyber Hygiene” evaluation. Both are designed to help the partner organization better understand how external systems and infrastructure appear to potential attackers.

“The Department of Homeland Security (DHS) works closely with public and private sector partners to strengthen the security and resilience of their systems against evolving threats in cyberspace,” DHS spokesperson Sy Lee wrote in an email response to an interview request. “The National Cybersecurity Assessments and Technical Services (NCATS) team focuses on proactively engaging with federal, state, local, tribal, territorial and private sector stakeholders to assist them in improving their cybersecurity posture, limit exposure to risks and threats, and reduce rates of exploitation. As part of this effort, the NCATS team offers cybersecurity services such as red team and penetration testing and vulnerability scanning at no cost.”

The RVA program reportedly scans the target’s operating systems, databases, and Web applications for known vulnerabilities, and then tests to see if any of the weaknesses found can be used to successfully compromise the target’s systems. In addition, RVA program participants receive scans for rogue wireless devices, and their employees are tested with “social engineering” attempts to see how employees respond to targeted phishing attacks.

The Cyber Hygiene program — which is currently mandatory for agencies in the federal civilian executive branch but optional for private sector and state, local and tribal stakeholders — includes both internal and external vulnerability and Web application scanning.

The reports show detailed information about the organization’s vulnerabilities, including suggested steps to mitigate the flaws.  DHS uses the aggregate information from each client and creates a yearly non-attributable report. The FY14 End of Year report created with data from the Cyber Hygiene and RVA program is here (PDF).

Among the findings in that report, which drew information from more than 100 engagements last year:

-Manual testing was required to identify 67 percent of the RVA vulnerability findings (as opposed to off-the-shelf, automated vulnerability scans);

-More than 50 percent of the total 344 vulnerabilities found during the scans last year earned a severity rating of “high” (4o percent) or “critical” (13 percent).

-RVA phishing emails resulted in a click rate of 25 percent.

 ANALYSIS

I was curious to know how many private sector companies had taken DHS up on its rather generous offers, since these services can be quite expensive if conducted by private companies. In response to questions from this author, DHS said that in Fiscal Year 2015 NCATS provided support to 53 private sector partners.  According to data provided by DHS, the majority of the program’s private sector participation come from the energy and financial services industries — with the latter typically at regional or smaller institutions such as credit unions.

DHS has taken its lumps over the years for not doing enough to gets its own cybersecurity house in order, let alone helping industry fix its problems. In light of the agency’s past cybersecurity foibles, the NCATS program on the surface would seem like a concrete step toward blunting those criticisms.

I wondered how someone in the penetration testing industry would feel about the government throwing its free services into the ring. Dave Aitel is chief technology officer at Immunity Inc., a Miami Beach, Fla. based security firm that offers many of the same services NCATS bundles in its product.

Aitel said one of the major benefits for DHS in offering NCATS is that it can use the program to learn about real-world vulnerabilities in critical infrastructure companies.

“DHS is a big player in the ‘regulation’ policy area, and the last thing we need is an uninformed DHS that has little technical expertise in the areas that penetration testing covers,” Aitel said. “The more DHS understands about the realities of information security on the ground – the more it treats American companies as their customers – the better and less impactful their policy recommendations will be. We always say that Offense is the professor of Defense, and in this case, without having gone on the offense DHS would be helpless to suggest remedies to critical infrastructure companies.”

Of course, the downsides are that sometimes you get what you pay for, and the NCATS offering raises some interesting questions, Aitel said.

“Even if the DHS team doing the work is great, part of the value of an expensive penetration test is that companies feel obligated to follow the recommendations and improve their security,” he said. “Does the data found by a DHS testing team affect a company’s SEC liabilities in any way? What if the Government gets access to customer data during a penetration test – what legal ramifications does that have? This is a common event and pre-CISPA it may carry significant liability.”

As far as the potential legal ramifications of any mistakes DHS may or may not make in its assessments, the acceptance letter (PDF) that all NCATS customers must sign says DHS provides no warranties of any kind related to the free services. The rules of engagement letter from DHS further lays out ground rules and specifics of the NCATS testing services.

Aitel, a former research scientist at the National Security Agency (NSA), raised another issue: Any vulnerabilities found anywhere within the government — for example, in a piece of third party software — are supposed to go to the NSA for triage, and sometimes the NSA is later able to use those vulnerabilities in clandestine cyber offensive operations.

But what about previously unknown vulnerabilities found by DHS examiners?

“This may be less of an issue when DHS uses a third party team, but if they use a DHS team, and they find a bug in Microsoft IIS (Web server), that’s not going to the customer – that’s going to the NSA,” Aitel said.

And then there are potential legal issues with the government competing with private industry.

Alan Paller, director of research at the SANS Institute, a Bethesda, Md. based security training group, isn’t so much concerned about the government competing with the private sector for security audits. But he said DHS is giving away something big with its free assessments: An excuse for the leadership at scanned organizations for not doing anything after the assessment and using the results as a way to actually spend less on security.

“The NCATS program could be an excellent service that does a lot of good but it isn’t,” Paller said. “The problem is that it measures only a very limited subset of of the vulnerability space but comes with a gold plated get out of jail free card: ‘The US government came and checked us.’ They say they are doing it only for organizations that cannot afford commercial assessments, but they often go to organizations that have deep enough pockets.”

According to Paller, despite what the NCATS documents say, the testers do not do active penetration tasks against the network. Rather, he said, they are constrained by their rules of engagement.

“Mostly they do architectural assessments and traffic analysis,” he said. “They get a big packet capture and they baseline and profile and do some protocol analysis (wireless).”

Paller said the sort of network architecture review offered by DHS’s scans can only tell you so much, and that the folks doing it do not have deep experience with one of the more arcane aspects of critical infrastructure systems: Industrial control systems of the sort that might be present in an energy firm that turns to NCATS for its cybersecurity assessment.

“In general the architectural reviews are done by younger folks with little real world experience,” Paller said. “The big problem is that the customer is not fully briefed on the limitations of what is being done in their assessment and testing.”

Does your organization have experience with NCATS assessments? Are you part of a critical infrastructure company that might use these services? Would you? Sound off in the comments below.

Tight-lipped spy agency up before the beak

GCHQ is being challenged over its offensive hacking practices at a hearing that started on Tuesday morning. The challenge is being heard by the Investigatory Powers Tribunal, which is the only judicial body in the country with the authority to hear complaints about the intelligence agencies.…

Yesterday's Nymaim spam campaign was also redirecting to Nuclear Pack.
Without big surprise the sample ( 592899e0eb3c06fb9fda59d03e4b5b53 ) dropped by Nuclear is the same as the fake update proposed.

But there was an additionnal 11kb payload call for which i could not find sample on drive

Nuclear Pack dropping Nymaim in the 2015-11-30 Spam Campaign

It was also unusually encoded with two XOR pass and first part of the decoded stream is a Shellcode.

Friends (who don't want to be mentioned) figured a privilege escalation was in use there :

According to Kaspersky and Timo Hirvonen (F-Secure) it's CVE-2014-4113 ( Win32k.sys Elevation of Privilege Vulnerability )

I did not got to see the privilege escalation in live condition.

Note: it's not the first time a public Exploit Kit is integrating an exploit to escalates right on dropped payload (Cf CVE-2015-2426 in Magnitude )

Files : Fiddler and Dll here (password is malware - XOR key : 56774347426F664767  then  213404052d09212031)
Thanks : Kaspersky,  Timo Hirvonen , Malc0de and 2 other friends for taking some time and use their wizardness  on this.

Read More :
An Analysis of A Windows Kernel-Mode Vulnerability (CVE-2014-4113) - 2014-10-29 - TrendMicro

I have avoided writing about the Cybersecurity Information Sharing Act (CISA), largely because the details kept changing. (For those not following closely, similar bills were passed by both the House and the Senate. They're now being combined into a single bill which will be voted on again, and then almost certainly signed into law by President Obama.)

Now that it's pretty solid, I find that I don't have to write anything, because Danny Weitzner did such a good job, writing about how the bill encourages companies to share personal information with the government, allows them to take some offensive measures against attackers (or innocents, if they get it wrong), waives privacy protections, and gives companies immunity from prosecution.

Information sharing is essential to good cybersecurity, and we need more of it. But CISA is a really a bad law.

This is good, too.

 Download PDF version
 Download EPUB
 Download Full Report PDF
 Download Full Report EPUB

1. Top security stories
2. Overall statistics for 2015
3. Evolution of cyber threats in the corporate sector
4. Predictions 2016

Introduction

As the year comes to an end, we have an opportunity to take stock of how the industry has evolved and to cast our predictions for the coming years. Taking advantage of a rare global meeting of our GReAT and Anti-Malware Research experts, we tossed ideas into the ring and I have the privilege of selecting some of the more noteworthy and plausible for both the coming year and the long-term future as we foresee it. The outlook for our rapidly evolving field of study is quite thought-provoking and will continue to present us with interesting challenges. By sticking to sober metrics, perhaps we can skip the usual science fiction fear mongering and come to some accurate predictions for both the short- and long-term.

No more APTs

Before you start celebrating, we should point out that we’re referring to the ‘Advanced’ and ‘Persistent’ elements – both of which the threat actors would gladly drop for overall stealth. We expect to see a decrease in the emphasis on persistence, placing a greater focus on memory-resident or fileless malware. The idea will be to reduce the traces left on an infected system and thus avoid detection altogether. Another approach will be to reduce the emphasis on advanced malware. Rather than investing in bootkits, rootkits, and custom malware that gets burned by research teams, we expect an increase in the repurposing of off-the-shelf malware. Not only does this mean that the malware platform isn’t burned upon discovery but it also has the added benefit of hiding the actor and his intentions in a larger crowd of mundane uses for a commercially available RAT. As the shine of cyber-capabilities wears off, return on investment will rule much of the decision-making of state-sponsored attackers – and nothing beats low initial investment for maximizing ROI.

APT: a decrease in the emphasis on persistence, a focus on memory-resident or fileless malware #KL2016Prediction

Tweet

The nightmare of ransomware continues

We expect to see the success of Ransomware spread to new frontiers. Ransomware has two advantages over traditional banking threats: direct monetization and relatively low cost per victim. This amounts to decreased interest from well-resourced third-parties such as banks, as well as low levels of reporting to law-enforcement agencies. Not only do we expect ransomware to gain ground on banking trojans but we also expect it to transition into other platforms. Weak attempts at bringing ransomware to mobile (Simplelocker) and Linux (Ransom.Linux.Cryptor, Trojan-Ransom.FreeBSD.Cryptor) have already been witnessed, but perhaps the more desirable target platform is OS X. We expect ransomware to cross the Rubicon to not only target Macs but also charge ‘Mac prices’. Then, in the longer term, there is the likelihood of IoT ransomware, begging the question, how much would you be willing to pay to regain access to your TV programming? Your fridge? Your car?

We expect ransomware to gain ground on banking trojans and to transition into other platforms #KL2016Prediction

Tweet

Betting against the house: financial crimes at the highest level

The merging of cybercrime and APT has emboldened financially motivated criminals who have gracefully transitioned from attacking end users to going after the financial institutions themselves. The past year has seen plenty of examples of attacks on point-of-sale systems and ATMs, not to mention the daring Carbanak heist that pilfered hundreds of millions of dollars. In the same vein, we expect cybercriminals to set their sights on novelties like alternate payment systems (ApplePay and AndroidPay) whose increasing rate of adoption should offer a new means of immediate monetization. Another inevitable point of interest is stock exchanges, the true mother lode. While frontal attacks may yield quick payoffs, we mustn’t overlook the possibility of more subtle means of interference, such as going after the black-box algorithms employed in high-frequency trading to ensure prolonged gains with a lower likelihood of getting caught.

Cybercriminals will set sights on novelties like alternate payment systems and stock exchanges #KL2016Prediction

Tweet

Attacks on security vendors

As attacks on security vendors rise, we foresee an interesting vector in compromising industry-standard reverse-engineering tools like IDA and Hiew, debugging tools like OllyDbg and WinDbg, or virtualization tools like the VMware suite and VirtualBox. CVE-2014-8485, a vulnerability in the Linux implementation of ‘strings’, presents an example of the vulnerable landscape of nontrivial security research tools that determined attackers may choose to exploit when targeting researchers themselves. In a similar vein, the sharing of freeware research tools through code repositories like Github is an area ripe for abuse, as users will more often than not pull code and execute it on their systems without so much as a glance. Perhaps we should also be casting a suspicious glance towards popular implementations of PGP so eagerly embraced by the infosec community.

We foresee a vector in compromising reverse-engineering, debugging & virtualization tools #KL2016Prediction

Tweet

Sabotage, extortion and shame

From dumps of celebrity nudes to the Sony and Ashley Madison hacks and the HackingTeam dump, there has been an undeniable increase in DOXing, public shaming, and extortion. Hacktivists, criminals, and state-sponsored attackers alike have embraced the strategic dumping of private pictures, information, customer lists, and code to shame their targets. While some of these attacks are strategically targeted, some are also the product of opportunism, taking advantage of poor cybersecurity to feign hacker prowess. Sadly, we can only expect this practice to continue to rise exponentially.

Whom do you trust?

Perhaps the scarcest commodity in the current internet age is trust. Abuse of trusted resources will further drive this scarcity. Attackers will continue to enlist open-source libraries and whitelisted resources for malicious purposes. We expect another form of trust to be abused, that of a company’s internal resources: as crafty attackers seek to expand their foothold on an infected network, they may target resources limited to the company intranet such as waterholing Sharepoint, file server, or ADP portals. Perhaps we’ll even witness the furthest extension of the already rampant abuse of trusted certificates as attackers establish an entirely fabricated certificate authority to issue certificates for their malware.

Attackers will enlist open-source libraries and whitelisted resources for malicious purposes #KL2016Prediction

Tweet

APT actors down the road

The profitability of cyberespionage has not escaped the attention of our foes and, as we expected, mercenaries have begun populating the scene. This trend will only increase to match the demand for cyber-capabilities by both companies as well as known APT actors looking to outsource less critical tasking without risking their tools and infrastructure. We could float the term ‘APT-as-a-Service’, but perhaps more interestingly we can expect the evolution of targeted attacks to yield ‘Access-as-a-Service’. The latter entails the sale of access to high-profile targets that have already fallen victim to mercenaries.

We’ll see members of well-established APT teams potentially coming out of the shadows #KL2016Prediction

Tweet

Looking further into the future of cyberespionage, we see members of well-established APT teams (‘APT 1%ers’, if you will) potentially coming out of the shadows. This would happen in one of two forms: as part of the private sector with the proliferation of ‘hacking back’, or by sharing their insights with the larger infosec community, perhaps by joining us at conferences to share the other side of the story. In the meantime, we can expect the APT Tower of Babel to incorporate a few more languages.

The future of the Internet

The infrastructure of the internet itself has shown signs of tension and cracks in recent years. Concerns over massive router botnets, BGP hijacking and dampening, DNS attacks en masse, or server-powered DDoSes betray a lack of accountability and enforcement on a global scale. Looking further down the line to long-term predictions, we can consider what the internet might look like if that narrative of a globally connected village continues to wither. We may end up with a balkanized internet divided by national borders. At that point, concerns over availability may come down to attacks on the service junctures that provide access between different sections, or perhaps geopolitical tensions that target the cables that connect large swathes of the internet. Perhaps we’ll even see the rise of a black market for connectivity. Similarly, we can expect that as technologies that power the internet’s underbelly continue to gain mainstream attention and widespread adoption, developers with a stake in shadow markets, exchanges, and forums are likely to develop better technologies to keep the underground truly underground.

The internet’s cracked: we may end up with a balkanized internet divided by national borders #KL2016Prediction

Tweet

The future of transportation

As investment and high-end research capabilities are dedicated to developing autonomous vehicles for both personal and commercial distribution, we will witness the rise of distributed systems to manage the routes and traffic of large volumes of these vehicles. The attacks may not focus on the distribution systems themselves, but perhaps on the interception and spoofing of the protocols they rely on (a proof of concept of the vulnerabilities of the widely adopted Global Star satcom system was presented by a Synack researcher at this year’s BlackHat conference). Foreseeable intentions behind these attacks include theft of high-value goods or kinetic damage resulting in loss of life.

Crypto: a breakdown in the reliability of standards and a need of ‘post-quantum cryptography’ #KL2016Prediction

Tweet

The cryptopocalypse is nigh

Finally, we cannot overemphasize the importance of cryptographic standards in maintaining the functional value of the internet as an information-sharing and transactional tool of unparalleled promise. These cryptographic standards rely on the expectation that the computational power required to break their encrypted output is simply above and beyond our combined means as a species. But what happens when we take a paradigmatic leap in computational capabilities as promised by future breakthroughs in quantum computing? Though quantum capabilities will not be initially available to the common cybercriminal, it signals a breakdown in the reliability of current crypto-standards and a need to design and implement ‘post-quantum cryptography’. Given the poor rate of adoption or proper implementation of high-quality cryptography as it is, we do not foresee a smooth transition to counterbalance cryptographic failures at scale.

One in ten FBI Cyber Task Force teams don't have a techie

American federal investigators are having a hard time hiring computer-savvy staff, according to a memo from the Inspector General for the US Department of Justice.…

The Paris attacks took place on Friday night. Since then, France’s president has vowed “war” on ISIS and today significantly escalated the country’s bombing campaign in Syria (France has been bombing ISIS in Iraq since last January, and began bombing the group in Syria in September).

Already this morning, as Aaron Cantú noticed, the stocks of the leading weapons manufacturers — what is usually referred to as the “defense industry” — have soared:

Also enjoying a fantastic day so far is one of the leading Surveillance State profiteers:

France’s largest arms manufacturer, Thales, is also having an outstanding day, up almost 3 percent, even as the leading French index is down:

Note how immediate the increases are: The markets could barely wait to start buying. The Dow overall is up today only .12 percent, making these leaps quite pronounced. Reuters, as published on Fox Business, starkly noted the causal connection: “Shares of aerospace and defense rose sharply on Monday in reaction to the attacks in France.” The private-sector industrial prong of the Military and Surveillance State always wins, but especially when the media’s war juices start flowing.

The post Stock Prices of Weapons Manufacturers Soaring Since Paris Attack appeared first on The Intercept.