Cyber-ketju: verkkovakoilu,kännyköiden ja wlanien seuranta, hakkerointi, virukset, DoS etc

[ctg]

#MiningWar has begun!

Cryptocurrency-mining malware-scum have started to write code that evicts rivals from compromised computers.

The miner in question was first noticed by SANS Internet Storm Center handler Xavier Mertens. Mertens spotted the PowerShell script on March 4, and noting that it kills any other CPU-greedy processes it spots on target machines, he wrote: “The fight for CPU cycles started!”

Pre-infection, the attack script checks whether a target machine is 32-bit or 64-bit and downloads files known to VirusTotal as hpdriver.exe or hpw64 (they're pretending to be HP drivers of some kind).

http://www.theregister.co.uk/2018/03/06/cryptocurrency_miner_sans_martens/

 

[ctg]

Last week, the code repository GitHub was taken off air in a 1.3Tbps denial of service attack. We predicted then that there would be more such attacks and it seems we were right.

Arbor Networks is now reporting that a US service provider suffered a 1.7Tbps attack earlier this month. In this case, there were no outages as the provider had taken adequate safeguards, but it's clear that the memcached attack is going to be a feature network managers are going to have to take seriously in the future.

http://www.theregister.co.uk/2018/0...os_attack_record_broken_after_just_five_days/

 

[ctg]

The bloom is on the criminal cryptomining of computer resources and the reason is obvious – it’s lucrative. One cryptomining gang tracked by researchers over the past six months minted $7 million with the help of 10,000 computers infected with mining malware.

The rise of malicious cryptomining isn’t a shocker to anyone following cybersecurity. However, what is startling is the rise in the use of sophisticated and complex techniques that some groups now use. Many cryptomining groups have adopted hacking techniques and tools typically only seen by sophisticated APT threat actors.

In a report released Monday by Kaspersky Lab, researchers profiled three groups of cryptominers that represent this new breed cryptojacking criminals. Following the same huge growth arc as ransomware, these groups are quieter by nature and unlike in-your-face ransomware bullies, are more apt to quietly leach CPU cycles while remaining hidden on a client PC or inside the datacenter, said Anton Ivanov, a researcher at Kaspersky Lab.

https://threatpost.com/cryptomining-gold-rush-one-gang-rakes-in-7m-over-6-months/130232/

 

[ctg]

Unit 42 researchers have discovered a new currency stealer which targets cryptocurrencies and online wallets. “CryptoJack” functions by replacing clipboard addresses with an attacker-controlled address which sends funds into the attacker’s wallet. This technique relies on victims not checking the destination wallet prior to finalizing a transaction. In 2017, CryptoShuffler was the first malware to utilize this tactic. In contrast to that one, which focused on numerous cryptocurrencies, ComboJack targets both a range of cryptocurrencies, as well as digital currencies such as WebMoney and Yandex Money.

https://researchcenter.paloaltonetw...lware-alters-clipboards-steal-cryptocurrency/

Bitcoin steadied after two days of losses as investors weighed the impact of a clampdown on cryptocurrency exchanges in Japan and renewed regulatory scrutiny of the venues in the U.S.

The biggest virtual currency was flat at just under $10,000 as of 8:38 a.m. in London, after earlier slumping more than 4 percent during Asia trading hours. It has dropped about 10 percent this week.

Japan’s Financial Services Agency ordered two exchanges to halt operations for a month and penalized four others on Thursday, just hours after a warning from the U.S. Securities and Exchange Commission that many online trading platforms should register with the agency. The moves are the latest in a series of efforts by global regulators to increase oversight of the industry.

https://www.bloomberg.com/news/arti...-sec-says-crypto-platforms-must-be-registered

 

[ctg]

Researchers have discovered malware so stealthy it remained hidden for six years despite infecting at least 100 computers worldwide.

Slingshot—which gets its name from text found inside some of the recovered malware samples—is among the most advanced attack platforms ever discovered, which means it was likely developed on behalf of a well-resourced country, researchers with Moscow-based Kaspersky Lab reported Friday. The sophistication of the malware rivals that of Regin—the advanced backdoor that infected Belgian telecom Belgacom and other high-profile targets for years—and Project Sauron, a separate piece of malware suspected of being developed by a nation-state that also remained hidden for years.

https://arstechnica.com/information...hat-hid-for-six-years-spread-through-routers/

https://s3-eu-west-1.amazonaws.com/...133534/The-Slingshot-APT_report_ENG_final.pdf

 

[ctg]

The USA, China and Russia are doing all that they can to avoid development of a treaty that would make it hard for them to conduct cyber-war, but an effort led by the governments of The Netherlands, France and Singapore, together with Microsoft and The Internet Society, is using diplomacy to find another way to stop state-sponsored online warfare.

The group making the diplomatic push is called the Global Commission on the Stability of Cyberspace (GCSC).

One of the group’s motivations is that state-sponsored attacks nearly always have commercial and/or human consequences well beyond their intended targets.

http://www.theregister.co.uk/2018/03/22/global_commission_on_the_stability_of_cyberspace/

 

[Teräsmies]

China's Surveillance State Should Scare Everyone
https://www.theatlantic.com/international/archive/2018/02/china-surveillance/552203/

 

[ctg]

China's Surveillance State Should Scare Everyone
https://www.theatlantic.com/international/archive/2018/02/china-surveillance/552203/

Lähitutu ovat pitäneet minua täällä hulluna kun olen sanonut tästä asiasta ja kehoittanut että eivät raijaa eletroniikkaa kiinan reissulle. Joten olen ollut täälläkin hiljaa siitä.

 

[ctg]

The United States Department of Justice announced charges against nine Iranians accused of stealing private data from U.S. universities, private companies and U.S. government agencies.

FBI Deputy Director David Bowdich said in a statement that the state-sponsored hackers worked for more than four years to steal expensive science and engineering-related research, company trade secrets, and sensitive U.S. government information.

The stolen information was used by the Iranian government or sold for profit, said the FBI. According to the indictment, the hackers stole more than 30 terabytes of academic data– IP that totaled $3.4 billion for the U.S. universities to procure.

The nine hackers, who are currently at large, are affiliated with the Mabna Institute, an Iran-based company created in 2013. The FBI said that this company was created for the “express purpose of illegally gaining access to non-Iranian scientific resources through computer intrusions.”

https://threatpost.com/fbi-iranian-firm-stole-data-in-massive-spear-phishing-campaign/130776/

 

[ctg]

WannaCry, the Windows ransomware that took off last May around the world, has landed on some computers belonging to US aircraft and weaponry manufacturer Boeing.

“All hands on deck,” said Mike VanderWel, chief engineer at Boeing Commercial Airplane production engineering, in a memo seen earlier today by the Seattle Times. “It is metastasizing rapidly out of North Charleston and I just heard 777 (automated spar assembly tools) may have gone down. We are on a call with just about every VP in Boeing."

VanderWel said he was concerned that equipment used to test airframes after they roll off the production line was hit by the file-scrambling nasty. He feared the malicious code, which demands a ransom to restore encrypted documents, could “spread to airplane software.”

http://www.theregister.co.uk/2018/03/28/wannacry_boeing/

Only one in five FTSE 100 companies disclose testing of online business protection plans.

Most (57 per cent) of FTSE 100 companies talk about their overall crisis management, contingency or disaster recovery plans within their annual reports but few in comparison mention cybersecurity. Just 21 per cent of UK Blue Chip businesses regularly share security updates with the board at least twice a year, according to a study by management consultancy Deloitte.

Cyber risk testing would include services such as "ethical hacking" (AKA penetration testing) to find vulnerabilities in their IT systems. Security testing will become even more important with the advent of the EU's General Data Protection Regulation, due to swing into effect in June, under which data breaches in the UK and other member states will be punished with much tougher financial sanctions.

Phill Everson, head of cyber risk services at Deloitte UK, said: "Would-be hackers look for weaknesses in a system to gain access, so testing remains vital in ensuring strong cyber resilience. The 20 per cent of companies that disclosed testing for these vulnerabilities in our analysis demonstrate to investors that the company has ways to continually and proactively test for flaws, whilst also showing commitment in fixing them if identified."

http://www.theregister.co.uk/2018/03/28/cyber_resilience_planning_ftse_100/

 

[JR49]

Tutkimus: Kyberturvallisuuden strateginen johtaminen turvaa kansallisen digitaalisen toimintaympäristön
Kyberturvallisuus on keskeinen osa suomalaisen yhteiskunnan turvallisuutta ja kilpailukykyä. Teknologisen kehityksen ja digitalisoitumisen syvenemisen myötä kyberturvallisuuden merkitys kasvaa. Samalla myös kyberturvallisuuden strateginen johtaminen korostuu. Näin todetaan 29. maaliskuuta julkaistussa Jyväskylän yliopiston ja Aalto-yliopiston tutkijoiden laatimassa raportissa.
http://valtioneuvosto.fi/artikkeli/...a-kansallisen-digitaalisen-toimintaympariston

 

[ctg]

Valtiollinen?

The federal government has formally acknowledged for the first time that it has located suspected and unauthorized cell-site simulators in various parts of Washington, DC.

The revelation, which was reported for the first time on Tuesday by the Associated Press, was described in a letter recently released from the Department of Homeland Security to the offices of Sen. Ron Wyden (D-Oregon).

"Overall, [DHS' National Protection and Programs Directorate] believes the malicious use of IMSI catchers is a real and growing risk," wrote Christopher Krebs, DHS' acting undersecretary, in a March 26, 2018 letter to Wyden.

The letter and attached questionnaire say that DHS had not determined who is operating the simulators, how many it found, or where they were located.

DHS also said that its NPPD is "not aware of any current DHS technical capability to detect IMSI catchers." The agency did not explain precisely how it was able to observe "anomalous activity" that "appears to be consistent" with cell-site simulators.

https://arstechnica.com/tech-policy...-use-of-stingrays-is-a-real-and-growing-risk/

 

[ctg]

European organisations are taking longer to detect breaches than their counterparts in North America, according to a study by FireEye.


Organisations in EMEA are taking almost six months (175 days) to detect an intruder in their networks, which is rather more than the 102 days that the firm found when asking the same questions last year. In contrast, the median dwell time in the Americas has improved from at 76 days in 2017, compared with 99 in 2016. Globally it stands at 101 days.

The findings about European breach detection are a particular concern because of the looming GDPR deadline, which will introduce tougher breach disclosure guidelines for organisations that hold Europeans citizens' data. GDPR can also mean fines of €20 million, or four per cent of global turnover, whichever is higher.

FireEye's report also records a growing trend of repeat attacks by hackers looking for a second bite of the cherry. A majority (56 per cent) of global organisations that received incident response support were targeted again by the same of a similarly motivated attack group, FireEye reports.

FireEye has historically blamed China for many of the breaches its incident response teams detected. But as the geo-political landscape has changed Russia and North Korea are getting more and more "credit" for alleged cyber-nasties.

But a different country - Iran - features predominantly in attacks tracked by FireEye last year. Throughout 2017, Iran grew more capable from an offensive perspective. FireEye said that it "observed a significant increase in the number of cyber-attacks originating from Iran-sponsored threat actors".

FireEye's latest annual M-Trends report (pdf) is based on information gathered during investigations conducted by its security analysts in 2017 and uncovers emerging trends and tactics that threat actors used to compromise organisations.

http://www.theregister.co.uk/2018/04/05/fireeye_breach_report/

 

[ctg]

Researchers have uncovered a remote hijacking vulnerability present in the systems many cities and organizations are using to manage emergency sirens and alerts.

Dubbed SirenJack, the vulnerability would allow an attacker to remotely activate emergency alert systems manufactured by a company called ATI Systems. Bastille said it privately contacted ATI about the flaw and allowed the company a 90-day period to patch the flaw before disclosing.

ATI did not have a statement on the matter at the time of publication. The company has said it is working on a patch for the flaw and has said it is on standby to help cities concerned over the vulnerability.

http://www.theregister.co.uk/2018/0..._lets_hackers_channel_their_inner_hawaii_ema/

 

[ctg]

Hackers working on behalf of the Russian government are compromising large numbers of routers, switches, and other network devices belonging to governments, businesses, and critical-infrastructure providers, US and UK officials warned Monday.

The Russian government-sponsored actors are using the compromised devices to perform man-in-the-middle attacks that extract passwords, intellectual property, and other sensitive information and to lay the groundwork for potential intrusions in the future, the officials continued. The warning was included in a technical alert jointly issued by the US Department of Homeland Security and FBI and the UK's National Cyber Security Center.

"Since 2015, the US government received information from multiple sources—including private- and public-sector cybersecurity research organizations and allies—that cyber actors are exploiting large numbers of enterprise-class and SOHO/residential routers and switches worldwide," Monday's technical alert stated. "The US government assesses that cyber actors supported by the Russian government carried out this worldwide campaign. These operations enable espionage and intellectual property that supports the Russian Federation's national security and economic goals."

The alert went on to warn that many network devices are poorly secured against remote intrusions. Old products that use protocols lacking encryption, run firmware that's no longer eligible to receive security patches, or are insufficiently hardened to withstand attacks allow hackers to remotely commandeer devices with no need to exploit zero-day vulnerabilities or even install malware. In contrast to servers and desktop computers inside targeted organizations, the network devices often receive little ongoing maintenance, making them relatively easy to hack.

https://arstechnica.com/tech-policy...oit-routers-in-homes-govs-and-infrastructure/

 

[ctg]

Olkaa varovaisia niiden kiinalaisten tuotteiden kanssa. En suosittele kenellekkään ZTEn, Huwein tai Lenovon vehkeitä.

GCHQ's cyber security advice group has formally warned of the risk of using ZTE equipment and services for the UK's telco infrastructure.

The National Cyber Security Centre, the cyber part of the UK's nerve centre, founded in 2016, has written to UK telecoms companies warning that using gear from the Chinese firm "would present risk to UK national security that could not be mitigated effectively or practicably".

In a statement, the British spooky agency confirmed the veracity of an FT report, but declined to elaborate on what specific vulnerability or threat had prompted the assessment:

"NCSC assess[es] that the national security risks arising from the use of ZTE equipment or services within the context of the existing UK telecommunications infrastructure cannot be mitigated," the agency told us in a statement.

http://www.theregister.co.uk/2018/04/16/zte_gchq_warning/

 

[ctg]

"You don't launch a cyber weapon, you share it."

This was a reminder issued to RSA Conference attendees, in San Francisco on Tuesday, by two security researchers, who warned that advanced malware strains, particularly those developed by government hackers, can be captured and repurposed by cash-strapped miscreants to build a controllable arsenal of software nasties.

Kenneth Geers, senior research scientist at Comodo, and Kārlis Podiņš, a threat analyst with Latvia's CERT, also said governments should be more aware of how their own advanced malware is being lifted by other countries and potentially repackaged for attacks on them and their allies. Sorta like what happened with the NSA's stolen and leaked EternalBlue exploit and the WannaCry ransomware that wielded it.

"It's faster and easier than one might imagine to build an arsenal of cyber tools," explained Geers. "It is going to lead to complexities on the battlefield as tools get out and get repurposed."

Podiņš explained how a savvy government agency under attack by malware could, in a matter of hours, modify portions of the malicious code to download different payloads and use new command-and-control servers, then redeploy the cyber-weapon for their own use.

This is especially tempting if the malware exploits a zero-day vulnerability – a bug for which no patch or mitigation exists – that the victim was unaware of; now the target agency or organization can work out the exploited flaw, and use it to infiltrate others.

This, the pair contend, should give nations pause when looking to deploy an advanced malware package against a hostile nation or terrorist group, least it be repackaged with a more destructive payload – such as a disk wiper as opposed to stealthy spyware – and used to create havoc.

It is a matter of awareness up front on both sides," explained Geers.

"If you have an offensive team you have to be aware that someone might steal your tools, so you have to be more judicious in your operation."

http://www.theregister.co.uk/2018/04/18/researchers_warn_of_regifted_malware/

 

[ctg]

Former members of an Israeli intelligence unit say their operation could serve as a model for the tech companies looking to bring more women into their ranks.

Unit 8200 serves as the nation's signal intelligence unit and is credited with training a number of experts who go on to careers in cybersecurity. It also boasts a large female workforce – roughly 55 per cent of the unit is comprised of women, compared to just 11 per cent of the infosec industry as a whole.

Three former members of the unit, Shira Shamban, a data analysis program lead with Dome9, Maya Pizov, VP of business development at enSilo, and Lital Asher-Dotan, senior director of research and content with cyberReason, told attendees at the 2018 RSA Conference in San Francisco that companies could learn a lot from the diverse unit.

On Tuesday, the panel observed that the structure of a military unit, with its emphasis on a rank and specialization, helped overcome not just gender bias, but also notions about age and experience.

"If you are a subject-matter expert – in whatever area – you will go and talk in the boardroom, you will be presented and tell your opinion no matter how junior you are," noted Asher-Dotan.

The camaraderie of military service from a young age also helped the men connect with their female peers, noted Pizov. She explained how, even after leaving, she was able to network with her male Unit 8200 comrades and, in many cases, develop strong connections even when she was the only woman in the room.

"When you're 18 or 19 you don't develop this prejudice," she observed, "You are all starting at same level."

After they left the unit and ventured into industry, however, all three said they were served with a rude awakening.

"It seemed so natural to speak up if you have something to say," said Shamban.

"Only after I left the military and saw the real world did I start understanding what the problem was. The way people at work communicate, the jokes they make around the table make women feel uncomfortable, a guy can make a remark that can make you feel so small and you don't want to talk in that meeting."

In addition to the familiar recommendation of changing workplace culture, the Unit 8200 alums also noted that companies could benefit from studying how their former unit found them in the first place.

The three panelists noted that, when recruited by the unit as teenagers, they were not necessarily brought on for their tech-savvy skills, but rather for having analytical skills vital to infosec work that are far harder to teach and develop than basic coding knowledge. Programming can be learned. Critical thinking is another matter.

"You don't have to be a good coder," Asher-Dotan explained. "Maybe you are good at reading and finding what is in the text, they see that you are curious and not afraid to learn."

Asher-Dotan notes that, with the security skills crisis, many women are likely far more qualified to land a position than they realize.

"The women that aren't gamers, aren't coders, they don't even know about cybersecurity, women don't know they can do it," she said.

"If we could find a way to get more females to start early on and get into this career, and if we take them seriously, that is something that will create a huge movement in any organization."

http://www.theregister.co.uk/2018/04/18/israeli_unit_8200_diversity/

 

[Kustaanmiekka]

Puolustusvoimat osallistuu jättikokoiseen kyberharjoitukseen
https://yle.fi/uutiset/3-10169440
Harjoituksella varaudutaan esimerkiksi sähkönjakeluun ja matkapuhelinverkkoihin kohdistuviin iskuihin.
Puolustusvoimat osallistuu maailman suurimpaan kyberpuolustusharjoitukseen ensi viikolla. Harjoituksen järjestää Naton kyberosaamiskeskus, tiedottaa Puolustusvoimat.

 

[ctg]

Henkilökohtaisesti näen kaikki suuret bitcoin operaatiot valtiollisten vehkeilynä.

Researchers have defeated a key protection against cryptocurrency theft with a series of attacks that transmit private keys out of digital wallets that are physically separated from the Internet and other networks.

Like most of the other attacks developed by Ben-Gurion University professor Mordechai Guri and his colleagues, the currency wallet exploits start with the already significant assumption that a device has already been thoroughly compromised by malware. Still, the research is significant because it shows that even when devices are airgapped—meaning they aren't connected to any other devices to prevent the leaking of highly sensitive data—attackers may still successfully exfiltrate the information. Past papers have defeated airgaps using a wide array of techniques, including electromagnetic emissions from USB devices, radio signals from a computer's video card, infrared capabilities in surveillance cameras, and sounds produced by hard drives.

On Monday, Guri published a new paper that applies the same exfiltration techniques to "cold wallets," which are not stored on devices connected to the Internet. The most effective techniques take only seconds to siphon a 256-bit Bitcoin key from a wallet running on an infected computer, even though the computer isn't connected to any network. Guri said the possibility of stealing keys that protect millions or billions of dollars is likely to take the covert exfiltration techniques out of the nation-state hacking realm they currently inhabit and possibly bring them into the mainstream.

https://arstechnica.com/information...e-cryptocurrency-keys-from-airgapped-wallets/