The CIA’s Cool CodeNames

Codenames are awesome. Microsoft & Apple have long used cool codenames for big projects. I just learned that America’s Central Intelligence Agency loves their codenames as well – and boy are they awesome.

It turns out that in addition to being skilled codebreakers & mathematicians the CIA also contains some creative geniuses who have conceived some truly imaginative names for their top-secret projects. Here are some of my favorites.

Brutal Kangaroo


Anyone else thinking of Kangaroo Jack right now? Unearthed by Wikileaks earlier today, Brutal Kangaroo is a malware program that can propagate throughout a closed, air-gapped network using infected USB flash drives. It’s very Stuxnet, in that respect. The big difference is that while Stuxnet was used to destroy nuclear centrifuges, Brutal Kangaroo exfiltrates data out of the closed network using some clever steganography tactics.

It’s all very Ronseal-esque; it does what it says on the tin. Given that it makes a mockery of air-gapped computers, it’s brutal. Given that the malware and the stolen data ‘hop’ between systems, it’s a bit like a kangaroo.

WeepingAngel


This one particularly scares me because I just bought one of these! This malware targets Samsung’s F-Series Smart TVs, allowing the CIA to record what’s going on from the device’s built-in microphone. It’s so named because that’s what happens when you watch those naughty pay-per-view channels.

Starmie and Snubble


Weirdly, the CIA has a lot of malware named after Pokemon characters. I guess there are similarities between the CIA and Ash Ketchum, in that both are trying to catch ‘em all. Except in the case of the CIA, they’re talking about ISIS members, and instead of Pokeballs, they use Hellfire missiles.

Gaping hole of DOOM


The CIA named a Comodo AV exploit that promises to consume everything.

Creatine and RoidRage

Both of these target Android. Creatine exploits flaws in the drivers for Qualcomm’s Adreno GPU, while RoidRage is used to monitor all radio functions and steal SMS messages. The documentation for these consists of “DO YOU EVEN LIFT BRAH?” repeated ad nauseam.

Munge Payload

This tool is used to encrypt and modify payloads so as to avoid detection by an adversary, and sounds nasty.

Panda Sneeze


It’s not immediately obvious what this threat does. But either way, it’s adorable.

Bumble


Similarly, this specimen targeting HP routers is just way too cute.

There you go – these security threats may be dangerous but they now have some very cool and bizarre names!


198 Million American Voters Hacked

Another security breach – this time American voters are targeted.

It has been reported that the Republican profiling data and personal information on nearly 198 million American voters has been leaked from a private Amazon Server as this week started.


Amazon hosted the private server, and Republican data analytics firm Deep Root Analytics provided and managed the content.

The information included in the leaks includes the voter’s name, date of birth, home address, phone number, and other voter registration details like party affiliation.

The compromised server also included data from conservative market research firm TargetPoint. The group uses their extensive data to help clients better understand voter policy preferences and political actions, according to the report.

This isn’t the first mass information leak from Republican firms. Campaign data firm i360 accidentally exposed 191 million voter profiles in 2015 and another 154 million profiles were leaked during the course of the 2016 election.

At some point, I am not sure when, online security will be taken as seriously as locking your doors when you are not home or making sure you do not leave your purse or wallet alone and open. Until everyone, both as individuals and as organizations, does this, our security is exposed.


Worst Passwords EVER!

In its sixth annual Worst Passwords report, SplashData, a provider of various security applications and services, listed the 25 weak and easy-to-guess passwords most frequently posted on various hacker forums and websites.


Presenting the list of the top 25 bad passwords people use. I hope that none of you, my dedicated readers, are relying on any of these to protect your information.

  1. 123456
  2. password
  3. 12345
  4. 12345678
  5. football
  6. qwerty
  7. 1234567890
  8. 1234567
  9. princess
  10. 1234
  11. login
  12. welcome
  13. solo
  14. abc123
  15. admin
  16. 121212
  17. flower
  18. passw0rd
  19. dragon
  20. sunshine
  21. master
  22. hottie
  23. loveme
  24. zaq1zaq1
  25. password1

The list is based on 5 million leaked passwords, and almost 4% of hacked users used “123456” as their password of choice while more than 10% used another from the list.

Most had a single word password, which is a dream come true for any hacker planning a quick and effective dictionary attack. Using this method, a hacker pretends to be the user and tries to log into their account, using a predetermined set of words or phrases from a list called “dictionary”.

Frequent usage also applies to another group of passwords on the list: sequences. “123456”, “qwerty” or “zaq1zaq1” are key sequences, which means the symbols used are near one another on the physical keyboard. This kind of password is another dictionary favorite, but is also susceptible to a brute force attack. This tactic is similar to a dictionary attack, since it also happens on the login screen, but instead of using ready-made lists, a hacker uses a special algorithm which attempts to enter different character combinations until a password match is found (i.e. the attacker will try “1234”, then “12345”, etc.).

I recommend again, friends, take the time to select a good password manager and use distinct, unique & complex passwords for all of your online accounts. The time you spend doing this may save you much heartache later. You can check out our previous articles regarding password managers here.
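To make the dictionary and key-sequence points concrete, here is a small checker that tests a candidate password for the weaknesses the report describes: membership in the SplashData worst-25 list, keyboard sequences such as “qwerty” or the column sequence “zaq1zaq1”, digits-only or letters-only strings (the easy targets for brute-force and dictionary attacks), and short length. This is an added example written for this post, not SplashData’s code; the keyboard layout is a simplified US QWERTY grid and the 12-character floor is my own assumption, not something the report states.

```python
"""Password weakness checker (added example; not SplashData's tool).
Flags the weaknesses discussed in the SplashData worst-passwords report:
list membership, keyboard sequences, digits/letters-only, short length."""

# The 25 entries from SplashData's 2016 report, as listed in the post.
WORST_PASSWORDS_2016 = {
    "123456", "password", "12345", "12345678", "football", "qwerty",
    "1234567890", "1234567", "princess", "1234", "login", "welcome", "solo",
    "abc123", "admin", "121212", "flower", "passw0rd", "dragon", "sunshine",
    "master", "hottie", "loveme", "zaq1zaq1", "password1",
}

# Simplified US QWERTY rows (assumption: real keyboards stagger the rows).
# Keys at the same index in adjacent rows count as vertical neighbours,
# so "zaq1" is a sequence in the same way "1234" is.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

MIN_LENGTH = 12        # assumption: policy floor chosen for this example
SEQUENCE_RUN = 4       # assumption: 4+ adjacent keys in a row is a sequence


def _build_neighbours():
    """Map each key to the set of keys physically next to it (left, right,
    above, below) on the simplified grid."""
    neighbours = {}
    for r, row in enumerate(KEYBOARD_ROWS):
        for i, ch in enumerate(row):
            adjacent = set()
            if i > 0:
                adjacent.add(row[i - 1])
            if i + 1 < len(row):
                adjacent.add(row[i + 1])
            for rr in (r - 1, r + 1):
                if 0 <= rr < len(KEYBOARD_ROWS) and i < len(KEYBOARD_ROWS[rr]):
                    adjacent.add(KEYBOARD_ROWS[rr][i])
            neighbours[ch] = adjacent
    return neighbours


NEIGHBOURS = _build_neighbours()


def longest_keyboard_run(password):
    """Length of the longest stretch where every character sits next to the
    previous one on the keyboard. Case-insensitive; non-keyboard characters
    break the run."""
    pw = password.lower()
    if not pw:
        return 0
    best = run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur in NEIGHBOURS.get(prev, ()) else 1
        best = max(best, run)
    return best


def weaknesses(password):
    """Return the list of reasons a password is weak; empty means no finding."""
    reasons = []
    if password.lower() in WORST_PASSWORDS_2016:
        reasons.append("on the SplashData 2016 worst-25 list")
    if longest_keyboard_run(password) >= SEQUENCE_RUN:
        reasons.append("keyboard sequence (dictionary/brute-force target)")
    if password.isdigit():
        reasons.append("digits only")
    if password.isalpha():
        reasons.append("single word, letters only (dictionary target)")
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs: three entries from the list and one passphrase.
    for candidate in ("123456", "zaq1zaq1", "passw0rd", "correct-horse-battery-staple"):
        print(candidate, "->", weaknesses(candidate) or ["no findings"])
```

Run it against the list above and every entry produces at least two findings; the passphrase at the end produces none, which is the behaviour a password manager’s generated or user-chosen secrets should show.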


TA17-163A: CrashOverride Malware

I am subscribed to the Homeland Security National Cyber Awareness System and will begin posting these cyber-security bulletins here for all of you, my dedicated readers. 

The United States Computer Emergency Readiness Team (US-CERT) strives for a safer, stronger internet for all Americans by responding to major incidents, analyzing threats, and exchanging critical cyber-security information with trusted partners around the world.

TA17-163A: CrashOverride Malware

06/12/2017 05:44 PM EDT

Original release date: June 12, 2017

Systems Affected

Industrial Controls Systems

Overview

The National Cybersecurity and Communications Integration Center (NCCIC) is aware of public reports from ESET and Dragos outlining a new, highly capable Industrial Controls Systems (ICS) attack platform that was reportedly used in 2016 against critical infrastructure in Ukraine. As reported by ESET and Dragos, the CrashOverride malware is an extensible platform that could be used to target critical infrastructure sectors. NCCIC is working with its partners to validate the ESET and Dragos analysis, and develop a better understanding of the risk this new malware poses to the U.S. critical infrastructure.

Although this activity is still under investigation, NCCIC is sharing this report to provide organizations with detection and mitigation recommendations to help prevent future compromises within their critical infrastructure networks. NCCIC continues to work with interagency and international partners on this activity and will provide updates as information becomes available.

For a downloadable copy of IOCs, see:

To report activity related to this Alert, please contact NCCIC at NCCICCustomerService@hq.dhs.gov or 1-888-282-0870.

Risk Evaluation
NCCIC Cyber Incident Scoring System (NCISS) Rating Priority Level (Color)
Yellow (Medium)
A medium priority incident may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.
Details

There is no evidence to suggest this malware has affected U.S. critical infrastructure. However, the tactics, techniques, and procedures (TTPs) described as part of the CrashOverride malware could be modified to target U.S. critical information networks and systems.

Description
Technical Analysis

CrashOverride malware represents a scalable, capable platform. The modules and capabilities publicly reported appear to focus on organizations using ICS protocols IEC101, IEC104, and IEC61850, which are more commonly used outside the United States in electric power control systems. The platform fundamentally abuses a targeted ICS system’s legitimate control systems functionality to achieve its intended effect. While the known capabilities do not appear to be U.S.-focused, it is more important to recognize that the general TTPs used in CrashOverride could be leveraged with modified technical implementations to affect U.S.-based critical infrastructure. With further modification, CrashOverride or similar malware could have implications beyond electric power, so all critical infrastructure organizations should be evaluating their systems for susceptibility to the TTPs outlined. The malware has several reported capabilities:

  1. Issues valid commands directly to remote terminal units (RTUs) over ICS protocols. As reported by Dragos, one such command sequence toggles circuit breakers in a rapid open-close-open-close pattern. This could create conditions where individual utilities may island from infected parties, potentially resulting in a degradation of grid reliability.
  2. Denies service to local serial COM ports on Windows devices, therefore preventing legitimate communications with field equipment over serial from the affected device.
  3. Scans and maps ICS environment using a variety of protocols, including Open Platform Communications (OPC). This significantly improves the payload’s probability of success.
  4. Could exploit Siemens relay denial-of-service (DoS) vulnerability, leading to a shutdown of the relay. In this instance, the relay would need to be manually reset to restore functionality.
  5. Includes a wiper module in the platform that renders Windows systems inert, requiring a rebuild or backup restoration.
Detection

As CrashOverride is a second stage malware capability and has the ability to operate independently of initial C2, traditional methods of detection may not be sufficient to detect infections prior to the malware executing. As a result, organizations are encouraged to implement behavioral analysis techniques to attempt to identify precursor activity to CrashOverride. As additional information becomes available on stage one infection vectors and TTPs, this alert will be updated.

NCCIC is providing a compilation of indicators of compromise (IOCs) from a variety of sources to aid in the detection of this malware in the appendices. The sources provided do not constitute an exhaustive list and the U.S. Government does not endorse or support any particular product or vendor’s information referenced in this report. However, NCCIC has included this data to ensure wide distribution of the most comprehensive information available and will provide updates as warranted.
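The alert recommends behavioral analysis rather than signature matching, and capability 1 above gives one concrete behavior to look for: a breaker being driven open-close-open-close in quick succession. The following is an added example, not code from the alert, NCCIC, ESET or Dragos, that runs such a check over a constructed command log. It assumes the ICS gateway or protocol monitor already writes one line per control command in the constructed format `<ISO timestamp> rtu=<id> ioa=<point> cmd=OPEN|CLOSE`, and the 30-second window and three-flip threshold are assumptions to tune per site.

```python
"""Rapid breaker-toggle detector (added example; not from the US-CERT alert).
Reads per-command log lines and alerts when one control point flips state
several times inside a short window, the open-close-open-close pattern the
alert attributes to CrashOverride. Log format, window and threshold are
assumptions made for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format written by a protocol monitor or gateway (constructed).
LINE_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"rtu=(?P<rtu>\S+) ioa=(?P<ioa>\d+) cmd=(?P<cmd>OPEN|CLOSE)$"
)

# Constructed sample: SUB-B shows a normal open, then a close 90 minutes
# later; SUB-A point 1001 is flipped four times in nine seconds.
SAMPLE_LOG = """\
2017-01-01T22:00:00Z rtu=SUB-B ioa=2001 cmd=OPEN
2017-01-01T22:01:03Z rtu=SUB-A ioa=1001 cmd=OPEN
2017-01-01T22:01:06Z rtu=SUB-A ioa=1001 cmd=CLOSE
2017-01-01T22:01:09Z rtu=SUB-A ioa=1001 cmd=OPEN
2017-01-01T22:01:12Z rtu=SUB-A ioa=1001 cmd=CLOSE
this line does not match the format and is skipped
2017-01-01T23:30:00Z rtu=SUB-B ioa=2001 cmd=CLOSE
""".splitlines()


def parse_commands(lines):
    """Group (timestamp, command) pairs per control point, sorted by time.
    Lines that do not match the format are ignored rather than crashing
    the detector."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[(m["rtu"], int(m["ioa"]))].append((ts, m["cmd"]))
    for evs in events.values():
        evs.sort()
    return events


def detect_rapid_toggling(lines, window=timedelta(seconds=30), min_flips=3):
    """Return one alert per control point whose state changed at least
    min_flips times within any window-sized span of commands."""
    alerts = []
    for (rtu, ioa), evs in parse_commands(lines).items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            flips = sum(
                1 for i in range(start + 1, end + 1) if evs[i][1] != evs[i - 1][1]
            )
            if flips >= min_flips:
                alerts.append({
                    "rtu": rtu,
                    "ioa": ioa,
                    "flips": flips,
                    "first": evs[start][0].isoformat(),
                    "last": evs[end][0].isoformat(),
                })
                break  # one alert per point is enough; avoid alert storms
    return alerts


if __name__ == "__main__":
    for alert in detect_rapid_toggling(SAMPLE_LOG):
        print("ALERT rapid breaker toggling:", alert)
```

A single open or close is normal operator activity, so the detector keys on the alternation count inside the window rather than on command volume; a legitimate maintenance sequence that trips this rule is the kind of case the threshold and window should be tuned against.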



New Malware Threat Infects Through Microsoft’s PowerPoint

In another security hack that is making the rounds, Microsoft’s PowerPoint is the target.


“Spammers are testing a new way to trick victims into installing malware that downloads after the user hovers over a link in a PowerPoint slide show,” ZDNet reports. The new infection, which was discovered by BleepingComputer, “abuses a hover action in PowerPoint slide show mode to install malware.” When a user opens the PowerPoint file and puts their cursor over the malicious hyperlink, a PowerShell command runs quietly in the background “that connects to a malicious domain and downloads malware files.”

Like other Office malware that uses macros to infect victims, the latest malware is spread via email attachments. The attached file formats are the open-source version of Microsoft PowerPoint slide show, which are only for viewing, and can’t be edited like normal files. The malware proceeds to download a banking trojan.


The PowerPoint (PPSX) examples seen so far display the hyperlinked text “Loading… Please wait”. Hovering over it will download malware automatically unless Office Protected View is enabled. Fortunately, Protected View was enabled by default in Office 2010, in which case Office displays a security warning that blocks the download.

The PowerPoint file downloads a banking trojan it calls Gootkit or Otlard. SentinelOne calls the malware Zusy.
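Protected View is the user-side mitigation; on the mail gateway or in incident triage the useful check is whether a slide carries a hyperlink that fires on hover at all. A .ppsx file is a ZIP package of XML parts, and DrawingML marks hover links with an `a:hlinkMouseOver` element (and click links with `a:hlinkClick`) whose target lives in the slide’s relationships part. The scanner below is an added example, not code from BleepingComputer, ZDNet or Microsoft: it opens a presentation, resolves each hover link’s relationship target, and reports a finding for every hover-triggered link and for any link carrying a `ppaction://program` (run program) action. The sample file it scans is constructed in memory with a placeholder target, not a real command.

```python
"""Triage scanner for hover-triggered hyperlinks in PowerPoint packages
(.pptx/.ppsx). Added example, not from the article or the researchers it
cites; the sample deck is constructed here with a placeholder target."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS_A = "http://schemas.openxmlformats.org/drawingml/2006/main"
NS_R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
RID_ATTR = "{%s}id" % NS_R
SLIDE_RE = re.compile(r"ppt/slides/slide\d+\.xml")


def _slide_relationships(zf, slide_name):
    """Map r:id -> (Target, TargetMode) from the slide's .rels part."""
    rels_name = slide_name.replace("ppt/slides/", "ppt/slides/_rels/") + ".rels"
    if rels_name not in zf.namelist():
        return {}
    root = ET.fromstring(zf.read(rels_name))
    return {
        rel.get("Id"): (rel.get("Target", ""), rel.get("TargetMode", "Internal"))
        for rel in root.iter("{%s}Relationship" % NS_REL)
    }


def scan_presentation(package_bytes):
    """Return findings for hyperlinks that fire on hover, or that carry a
    'run program' action on click. Ordinary click links to web URLs are not
    reported, to keep the output focused on the hover technique."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        for slide in sorted(n for n in zf.namelist() if SLIDE_RE.fullmatch(n)):
            rels = _slide_relationships(zf, slide)
            root = ET.fromstring(zf.read(slide))
            for tag, trigger in (("hlinkMouseOver", "hover"), ("hlinkClick", "click")):
                for link in root.iter("{%s}%s" % (NS_A, tag)):
                    action = link.get("action", "")
                    target, mode = rels.get(link.get(RID_ATTR, ""), ("", "Internal"))
                    runs_program = action.startswith("ppaction://program")
                    if trigger == "hover" or runs_program:
                        findings.append({
                            "slide": slide, "trigger": trigger, "action": action,
                            "target": target, "target_mode": mode,
                            "severity": "high" if runs_program else "medium",
                        })
    return findings


def build_sample_ppsx(hover=True):
    """Constructed minimal package: one slide whose run of text carries a
    hover (or, with hover=False, a plain click) hyperlink. The target is an
    obvious placeholder, not a command."""
    link_tag = "hlinkMouseOver" if hover else "hlinkClick"
    action = ' action="ppaction://program"' if hover else ""
    slide_xml = (
        '<p:sld xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" '
        'xmlns:a="%s" xmlns:r="%s"><p:cSld><p:spTree><p:sp><p:txBody><a:p><a:r>'
        '<a:rPr><a:%s r:id="rId2"%s/></a:rPr><a:t>Loading... Please wait</a:t>'
        '</a:r></a:p></p:txBody></p:sp></p:spTree></p:cSld></p:sld>'
        % (NS_A, NS_R, link_tag, action)
    )
    target = "PLACEHOLDER-PROGRAM-TARGET" if hover else "https://example.com/"
    rels_xml = (
        '<Relationships xmlns="%s"><Relationship Id="rId2" '
        'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/hyperlink" '
        'Target="%s" TargetMode="External"/></Relationships>' % (NS_REL, target)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("ppt/slides/slide1.xml", slide_xml)
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels_xml)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_presentation(build_sample_ppsx()):
        print(finding)
    print("benign deck findings:", scan_presentation(build_sample_ppsx(hover=False)))
```

A real deck from a sender you trust can legitimately use hover links for tooltips, so the scanner reports rather than blocks; the `ppaction://program` action combined with a hover trigger is the combination that deserves quarantine and a closer look.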

Protecting Yourself

I wonder how many times I have stated this. “Do not open attachments, or click on hyperlinks in your email unless you are 100% certain of its origin and that you have requested it”. Most security threats (malware – trojan horses, ransomware etc.) are spread through email. Always use caution before clicking!


Is Our Power Grid in Danger?

Was hacking our Presidential election just the first part of an even greater cyber-problem?

Researchers from the network security firm ESET have reported that a Russian hacker group may have developed a way to take down the power grids of entire countries.


The researchers described the malware, dubbed “Industroyer,” as the most dangerous hacking weapon since Stuxnet. First identified in 2010, Stuxnet is a malicious computer worm that targets industrial computer systems and was responsible for causing substantial damage to Iran’s nuclear program.

In fact, the ESET researchers said the malware was responsible for a 2016 blackout that affected Ukraine’s capital city of Kiev for an hour. The researchers also said the malware could be reconfigured to attack other key infrastructure components as well.

A Very Scary Threat Evolves

“Industroyer is a particularly dangerous threat, since it is capable of controlling electricity substation switches and circuit breakers directly. To do so, it uses industrial communication protocols used worldwide in power supply infrastructure, transportation control systems, and other critical infrastructure systems (such as water and gas),” the company wrote in a blog post today.

Because Industroyer affects switches directly, the malware can inflict varying degrees of damage on a target country’s infrastructure, from simply triggering a temporary blackout, to causing cascading failures or serious damage to equipment.

The malware is able to attack infrastructure equipment so effectively because it uses the common industry protocols that were first designed decades ago, long before most systems were connected to the Internet. As a result, security had not been a major priority at the time they were implemented. In many cases, the hackers only need to learn how to program the malware to communicate with the protocols because there aren’t any security systems that they need to circumvent.

This is yet another example that our national security relies less on firearms and more on cyber-defense.


Fireball Threat Grows

A Chinese digital marketing company named Rafotech is behind a new wave of inter-connected adware families that found their way onto the computers of millions of users.

According to an extensive investigation, Check Point claims Rafotech has designed a very intrusive adware that hijacks people’s browsers with the primary purpose of redirecting traffic to fake search engines.


These fake search engines do nothing more than divert search queries through Google and Yahoo’s affiliate programs, earning the Chinese company a commission.

A Growing Fireball Threat

Rafotech spreads its adware by bundling it with legitimate software, sometimes without giving users the opportunity to opt-out of the installation.

This tactic has landed various of its adware strains on over 250 million computers, according to a rough estimation from Check Point’s team.

The most affected countries are India (25.3 million infections – 10.1%), Brazil (24.1 million – 9.6%), Mexico (16.1 million – 6.4%), and Indonesia (13.1 million – 5.2%). The US is also on the list with 5.5 million infections, accounting for 2.2% of the total global infection numbers.

To make this worse, experts believe the adware made its way into over 20% of all corporate networks, which means that one in five companies has a computer infected with this adware, which Check Point nicknamed Fireball.

Fireball Brings Trojan Horse Threats With It

Once this adware reaches inside corporate networks, the threat often evolves and makes the situation much worse.

Check Point experts reported last week in a report that Fireball contains features that allow the Chinese company to push and execute any file (malware) to the victim’s computer.

Because the adware is so intrusive at the browser level, experts fear that its maintainers would have no technical impediment from switching from a revenue model that’s based on traffic redirection and ad injection to something that involves stealing user credentials.

Fake Search Engines

If you’re wondering how come you’ve never heard of a malware family that infected over 250 million computers, the explanation resides in the fact that Check Point refers to all the adware created by Rafotech as Fireball.

Adware strains like the ones Rafotech creates are usually referred to by the name of the site they redirect traffic to.

Some of these fake search engines to which Fireball adware strains redirect traffic can be found in the Alexa Top 10,000 most popular sites on the Internet. Some of these fake search engines receive so much traffic that a few managed to break into the Alexa Top 1,000 site list, well above many legitimate sites. This shows the massive scale of Rafotech’s operation.

Warning Signs of Infection

If your home page has changed or if you are continually sent to a weird search engine your PC is probably infected with some sort of adware or Trojan Horse.


OneLogin Hacked

It’s the same old story all over again. Another online company has been hacked and thousands of accounts exposed. This time, ironically, it was a “password manager” services company that was hacked.


Password manager OneLogin suffered a massive data breach Wednesday, and the attackers may have gained access to sensitive customer data, such as login information for a variety of companies. OneLogin manages login credentials for a variety of cloud applications for more than 2,000 enterprise clients.

OneLogin, which has stated that its investigation is ongoing, wrote on its blog Wednesday that the attacker was able to access database tables that contain information about users, apps, and various types of keys. “While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data,” the company wrote in a letter to clients.

The attack began on May 31 when a malicious actor somehow obtained access to a set of Amazon Web Services (AWS) keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the U.S., according to the company.

Through the API, the attacker was then able to create several instances of the company’s IT infrastructure to probe the company’s system. The company said it was alerted to the unusual database activity seven hours later, at which point it shut down access to the affected instance and the AWS keys associated with it. The breach is thought to be enormous, as all of the company’s data centers in the U.S. were hacked.

The possibility that the hacker may have obtained enough data to decrypt the encrypted credentials, meanwhile, could mean that thousands of businesses, including Yelp and Pinterest, may need to change their login information for every cloud service they use.

The details are still hazy, and OneLogin has yet to make a public announcement about exactly what data has been stolen. But in the meantime, the company has apparently contacted all of its clients to advise that they immediately reset any passwords stored on OneLogin’s servers.

This is not the first time that OneLogin has suffered a breach in recent months. The company also suffered a breach from July to August when an attacker using a OneLogin employee’s password was able to hack its servers and access company analytics and logs.


Qakbot Attacks

Another week, another cyber-threat threatens the security of both individuals and businesses alike. This latest one, Qakbot, has a special emphasis on taking down business networks. It is just the latest cyber-threat and you can be sure that there will be many more – even more destructive ones to come. These threats will continue until our behavior changes in respect to how seriously we treat internet services. Security solutions are incredibly important, however even the best security solution cannot be 100% effective in this ever changing tech world. Cyber-criminals are continually changing their modes of attack and security solutions are often playing catch-up. The way we interact with internet services is the key to not only protecting ourselves – but each other. I touch on some of my recommendations for protecting yourself at the end of this article.


Introducing Qakbot

On Tuesday, researchers from Cylance said that Qakbot, an information-stealing Trojan and backdoor malware that targets the Microsoft Windows operating system and 64-bit browsers, with a focus on business/enterprise users, is on the loose.

Qakbot is a self-propagating kind of malware that has been circulating for several years now. The Trojan can spread not only through networks and external drives and devices but also focuses on stealing valuable credentials and taking control of the networks it has infected.

There has been a resurgence of the malware, according to Cylance, which had been made even more evasive and persistent with new, polymorphic features that enable the malicious code to squat in business networks for longer and “easily thwart legacy endpoint security solutions” by the use of muddying code, as well as constantly-evolving file makeup and signatures.

The Evil Tricks of Qakbot

Once a system has been infected with Qakbot through exploit kit use, phishing campaigns or malicious downloads, the malware does not lock a system in order to hold a business to ransom.

Instead, Qakbot is able to lock out Active Directories and once credentials have been stolen, use these to spam neighboring hosts and disrupt corporate activities. In turn, this may result in the compromise of additional hosts and further spread or the user accounts related to the authentication attempts being locked out.

New samples of the malware suggest that Qakbot now also targets victims globally due to the inclusion of international character sets, and a recent surge in attacks means that companies should stay on their guard against suspicious downloads or activity and keep their systems up-to-date to prevent infection.

Protecting Yourself

I do not mean to sound like a broken record each time I report on the latest security attack, but I have no choice. Protecting yourself against most security intrusions is actually quite easy, and you will find these tips throughout this fine blog. In fact what you see below is copied from my earlier post regarding the Wannacry Ransomware threat on May 15, 2017.


It is incredibly important to do the following:

  • Always make sure that you install the latest updates & patches for your operating system, especially Microsoft Windows.
  • Make sure you have an up to date anti-virus program running on your computer.
  • Do not click on links or attachments in email unless you are 100% certain it is legitimate and that you have requested it. If you are not sure about a hyperlink or attachment contact the sender directly to ask about it.
  • Do not visit questionable websites.
  • When you are browsing websites, be certain to read carefully any dialog box that pops up before clicking on it.

Last but not least, make sure that you run a backup of your system files regularly. If your PC gets infected and your important files are encrypted, you can recover them later.


Thanks to ZDNet for being on top of the Qakbot story, from which much of this information was obtained.


Important Security Patches Arrive for Apple Products

This past week Apple released multiple security upgrades for its iOS, watchOS, tvOS, and macOS systems, addressing dozens of security bugs across its devices. The iOS update fixes 41 security flaws, including some that could potentially allow a remote attacker to execute malicious code on an Apple mobile device.

The update is well-timed, as most of the world is still reeling from the latest WannaCry ransomware attack that has been racing across the globe since late last week. While the ransomware attack targets Windows systems, Mac users are likely to feel a little safer knowing they have the most recent security patches installed.

Mostly Security Fixes

Apple attributed almost half of the bug discoveries to Project Zero, Google’s internal security and bug-hunting initiative. The most significant patch Apple released last week was for macOS. The update includes several fixes to the operating system’s kernel, some of which address security vulnerabilities that would allow an application to gain access to kernel privileges as well as execute arbitrary code with kernel privileges.

The iBooks application received several fixes for bugs that would have, among other things, allowed a maliciously crafted book to open Web sites on its own without user permission. Meanwhile SQLite, a relational database management system, received four separate patches for issues that could have given an attacker remote access to a user’s device.

Apple’s mobile operating system, iOS, also received a major security upgrade. Several of the fixes relate to similar problems as those addressed in the macOS patch, such as the SQLite vulnerabilities, and kernel and iBooks bugs. Another major component of the OS that was patched was WebKit, a component that helps power the Safari browser.

No New Functionality, But Some Glitches Fixed

The watchOS update includes improvements and bug fixes while the tvOS update provides bug fixes and other enhancements to the fourth-generation Apple TV.

WebKit received a whopping eight patches, including several that would have permitted hackers to attack a user’s device through malicious Web content. The upgrade also changes the way Wi-Fi network credentials are handled to prevent having a person’s username and password stolen when accessing a malicious hotspot.

The security fixes will likely be the foremost in users’ minds as they rush to update their devices, but they are not the only changes Apple rolled out yesterday. While the upgrades do not appear to include any major new functionality, they do address several performance issues that should make the user experience a bit more pleasant.

On the Macintosh platform that includes a fix for the problem where audio may stutter when played through USB headphones. The update fixes an issue affecting some enterprise and education clients that may cause the system date to be set to 2040, and also prevents a potential kernel panic from occurring when starting up from a NetInstall image. All of the updates can be downloaded over the air.

If you have any Apple products you should take the time to update their operating systems.

