Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

ctg

Commander-in-Chief
A newly published "exploit chain" for Nvidia Tegra X1-based systems seems to describe an apparently unpatchable method for running arbitrary code on all currently available Nintendo Switch consoles. Hardware hacker Katherine Temkin and the hacking team at ReSwitched released an extensive outline of what they're calling the Fusee Gelee coldboot vulnerability earlier today, alongside a proof-of-concept payload that can be used on the Switch. "Fusee Gelee isn't a perfect, 'holy grail' exploit -- though in some cases it can be pretty damned close," Temkin writes in an accompanying FAQ.

The exploit, as outlined, makes use of a vulnerability inherent in the Tegra X1's USB recovery mode, circumventing the lock-out operations that would usually protect the chip's crucial bootROM. By sending a bad "length" argument to an improperly coded USB control procedure at the right point, the user can force the system to "request up to 65,535 bytes per control request." That data easily overflows a crucial direct memory access (DMA) buffer in the bootROM, in turn allowing data to be copied into the protected application stack and giving the attacker the ability to run arbitrary code.
https://arstechnica.com/gaming/2018...makes-every-current-nintendo-switch-hackable/

A massive DDoS platform.
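An added illustration of the pattern described in that post (this is example code, not Temkin's or ReSwitched's proof of concept): a handler that trusts the 16-bit wLength field of a USB SETUP packet and copies that many bytes into a fixed-size DMA buffer, shown beside a handler that checks the length first. The buffer size, the flat memory layout, the "stack" region and the function names are assumptions made for the example; the toy memory exists only to make the overwrite visible, and nothing here touches real hardware.

```python
"""Control-request length handling: unchecked (vulnerable pattern) vs checked.
Sizes and layout are assumptions for this example, not Tegra X1 bootROM details."""
import struct

DMA_BUF_SIZE = 0x1000      # assumed size of the fixed DMA buffer
STACK_REGION = 0x100       # assumed size of the region that sits right after it


def build_setup_packet(bm_request_type, b_request, w_value, w_index, w_length):
    """Encode a standard 8-byte USB SETUP packet (multi-byte fields little-endian)."""
    return struct.pack("<BBHHH", bm_request_type, b_request, w_value, w_index, w_length)


def parse_setup_packet(pkt):
    """Decode the SETUP packet; wLength is 16 bits, so a host can ask for up to 65535 bytes."""
    if len(pkt) != 8:
        raise ValueError("USB SETUP packet must be exactly 8 bytes")
    fields = struct.unpack("<BBHHH", pkt)
    names = ("bmRequestType", "bRequest", "wValue", "wIndex", "wLength")
    return dict(zip(names, fields))


class ToyMemory:
    """Flat memory model: the DMA buffer followed immediately by a 'stack' region."""

    def __init__(self):
        self.mem = bytearray(DMA_BUF_SIZE + STACK_REGION)

    def stack_clobbered(self):
        """True if any byte beyond the DMA buffer has been written."""
        return any(self.mem[DMA_BUF_SIZE:])


def unchecked_copy(memory, setup, payload):
    """Vulnerable pattern: the copy length comes straight from wLength and is never
    compared with the buffer size, so the bytes spill into whatever follows."""
    n = setup["wLength"]
    if n > len(memory.mem):
        raise MemoryError("toy memory only models the buffer plus the region after it")
    data = payload[:n]
    memory.mem[0:len(data)] = data
    return len(data)


def checked_copy(memory, setup, payload):
    """Hardened pattern: refuse any request longer than the buffer before touching memory."""
    n = setup["wLength"]
    if n > DMA_BUF_SIZE:
        raise ValueError(f"wLength {n:#x} exceeds DMA buffer size {DMA_BUF_SIZE:#x}")
    data = payload[:n]
    memory.mem[0:len(data)] = data
    return len(data)


def demo():
    """Feed both handlers the same oversized request.
    Returns (stack clobbered by unchecked handler, stack clobbered by checked handler)."""
    # GET_DESCRIPTOR-style request (bmRequestType 0x80, bRequest 0x06) asking for
    # 0x80 bytes more than the buffer holds.
    setup = parse_setup_packet(build_setup_packet(0x80, 0x06, 0x0300, 0, DMA_BUF_SIZE + 0x80))
    payload = b"A" * setup["wLength"]

    m1 = ToyMemory()
    unchecked_copy(m1, setup, payload)

    m2 = ToyMemory()
    try:
        checked_copy(m2, setup, payload)
    except ValueError:
        pass                      # request rejected, memory untouched
    return m1.stack_clobbered(), m2.stack_clobbered()


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The point the example makes is that the length check has to happen in the code that owns the buffer, before any DMA or copy is set up; a check in a caller, or a check that only clamps the number of bytes reported back to the host, leaves the same overwrite possible.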
 

ctg

Commander-in-Chief
#Miningwars

Researchers are warning a recently discovered and highly critical vulnerability found in Drupal’s CMS platform is now being actively exploited by hackers who are using it to install cryptocurrency miners and to launch DDoS attacks via compromised systems. At the time of the disclosure, last month, researchers said they were not aware of any public exploits.

Now Netlab 360 researchers say they have identified a botnet, dubbed Muhstik, that is taking advantage of the Drupal bug. They said multiple scans on infected Drupal instances reveal attackers are exploiting the vulnerability by accessing a URL and then injecting exploit code. The technique allows adversaries to execute commands on targeted servers running Drupal.
https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/
 
F-Secure found a key to millions of hotel rooms
Fifteen years ago, a laptop was stolen from a hotel room in Berlin. The hotel staff looked into the matter, but since no signs of a break-in were found and the lock system's log showed no unauthorised entries, the case was closed as far as the hotel was concerned.

https://yle.fi/uutiset/3-10175619
 

Woodsman

Colonel
Donor
F-Secure found a key to millions of hotel rooms
Fifteen years ago, a laptop was stolen from a hotel room in Berlin. The hotel staff looked into the matter, but since no signs of a break-in were found and the lock system's log showed no unauthorised entries, the case was closed as far as the hotel was concerned.

https://yle.fi/uutiset/3-10175619
Well, this explains why my minibar has always ended up empty at hotels :cool:
 

ctg

Commander-in-Chief
Army researchers have discovered what experienced information security teams already know: actual human interaction isn't a key to success when you already know your role on the team.

At the National Cyberwatch Center's Mid-Atlantic Collegiate Cyber Defense Competition in March and April 2017, the team of researchers decided to conduct a study observing the competing teams. The CyberDawgs of the University of Maryland Baltimore County won the MACCDC before going on to win the Nationals a few weeks later. And like the other top-performing teams in the event, researchers discovered the CyberDawgs were able to coordinate and collaborate most effectively without leaving their keyboards.

"Successful cyber teams don't need to discuss every detail when defending a network," said Dr. Norbou Buchler, Networked Systems Branch team leader at the US Army Research Laboratory, in a press release. "They already know what to do."

The research team included members from the Army Research Laboratory's Cyber and Networked Systems Branch at Aberdeen Proving Grounds in Maryland, the National Cyberwatch Center, and Carnegie Mellon University.

The teams at the MACCDC were scored based on performance (both technical and human-focused tasks) during a simulated cyber-espionage campaign against a fictional Internet of Things middleware company. As the researchers explained in their paper, "The success of [the] teams is evaluated along three independent scoring dimensions: (a) Maintaining Services, (b) Incidence Response, and (c) Scenario Injects." The "scenario injects" included interaction with an event official role-playing as a corporate CEO. And using "sociometric badges" from Humanyze, Inc. worn by the participating teams—badges with built-in cameras that sensed faces—the researchers were able to measure the number of face-to-face interactions each team member had.

"Our results indicate that the leadership dimension and face-to-face interactions are important factors that determine the success of these teams," the researchers found. But while teams with strong leadership were more successful, "face-to-face interactions emerged as a strong negative predictor of success," the research team noted.

In other words, the less time team members spent interacting with each other, the more successful the team was as a whole. "Functional specialization within a team and well-guided leadership could be important predictors of timely detection and mitigation of ongoing cyber attacks," they write.

This sort of finding may not come as much of a surprise to anyone who has ever participated in Capture the Flag or other team hacking and defense competitions—the only sound Ars heard during most of Defcon's 2017 CTF competition was the tapping of keyboards. The same is true for other tasks where teams have highly specialized roles—from the combat zone to the football field. Usually, if a situation reaches the point where social interaction is required to adjust activity, it means things have gone objectively wrong already.

"High-performing teams exhibit fewer team interactions because they function as purposive social systems, defined as people who are readily identifiable to each other by role and position and who work interdependently to accomplish one or more collective objectives," Buchler said.
https://arstechnica.com/information...-best-cyber-teams-are-antisocial-cyber-teams/
 

ctg

Commander-in-Chief
State actors. The funniest thing here is that North Korea's cyber soldiers left clear traces pointing to their products.

Two aged samples of North Korean antivirus software called SiliVaccine crib software code from a competitor and come loaded with malware and a backdoor.

The two SiliVaccine samples obtained by researchers at Check Point security offer unique insight into a secretive country and how it likely protects users from outside threats; and how the AV company behind SiliVaccine could spy on its users.
https://threatpost.com/samples-of-s...nside-north-koreas-antivirus-software/131591/
 

ctg

Commander-in-Chief
Greek law enforcement has disrupted a plan to murder a Russian man arrested in Greece last year, who American authorities believe laundered billions of dollars worth of Bitcoin through BTC-e, a shady Bitcoin exchange that the suspect is also accused of creating.

Sputnik News, a Russian media outlet, quoted an anonymous source "familiar with the situation" that local criminals were plotting to poison the Russian suspect, Alexander Vinnik. He is reportedly now "forbidden" from receiving any items, and cannot even contact other inmates.

Last summer, federal authorities identified Vinnik as a central figure in the massive bitcoin theft that was a major factor in the downfall of Mt. Gox, the Japanese Bitcoin exchange that led the market in Bitcoin's early years. If Vinnik is ultimately determined to be involved in the crash and eventual bankruptcy of Mt. Gox, that revelation would finally solve what has remained one of the Bitcoin community’s biggest mysteries.

Sputnik’s source was quoted as saying that the threats began "after Vinnik’s extradition to the United States was blocked. There are people who are extremely interested in him not coming to Russia. The assassination was ordered by some unknown person from Russia."

In December 2017, the Supreme Court of Greece upheld American efforts to have him extradited to the United States.

Sputnik’s source further said that Vinnik has admitted his crimes and is "ready to give testimony in Russia and assist the investigation."

However, per the Russian media outlet, Vinnik’s lawyer planned in January 2018 to appeal the extradition order to the European Court of Human Rights.
https://arstechnica.com/tech-policy...ering-suspect-spared-from-prison-poison-plot/
 
"The national cyber security exercise KYHA18 will be held in Jyväskylä
https://www.defmin.fi/ajankohtaista/tiedotteet?9_m=9314
11.05.2018 10:00

The Ministry of Defence and the Security Committee, together with the cyber security research, development and training centre JYVSECTEC, will hold the National Cyber Security Exercise on 14.–18.5.2018 in Jyväskylä.

During the exercise week, the cyber capabilities of the participating organisations and the cooperation between security authorities will be tested. More than 100 government officials from several organisations take part in the exercise. The exercise is led by the Ministry of Defence in cooperation with the Security Committee. JYVSECTEC is responsible for the planning and execution.

KYHA18 continues the series of National Cyber Security Exercises that has been held annually since 2013. Over the series, the cyber security capabilities of government actors have been developed over the long term in a challenging technical environment.

By organising the KYHA exercises, the Ministry of Defence and the Security Committee encourage all partners and actors in comprehensive security to take part in developing cyber security, in line with the comprehensive security cooperation model of the Security Strategy for Society. The key point is that the actors share and analyse security-related information, and plan, train and act together.

The exercise is held on the premises of the IT Institute of Jyväskylä University of Applied Sciences"
 

ctg

Commander-in-Chief
Not NSA

The U.S. government has identified a suspect in the leak last year of a large portion of the CIA’s computer hacking arsenal, the cyber-tools the agency had used to conduct espionage operations overseas, according to interviews and public documents.

But despite months of investigation, prosecutors have been unable to bring charges against the man, who is a former CIA employee being held in a Manhattan jail on unrelated charges.

Joshua Adam Schulte, who worked for a CIA group that designs computer code to spy on foreign adversaries, is believed to have provided the agency’s top-secret information to WikiLeaks, federal prosecutors acknowledged in a hearing in January. The anti-secrecy group published the code under the label “Vault 7” in March 2017.

It was one of the most significant leaks in the CIA’s history, exposing secret cyberweapons and spying techniques that might be used against the United States, according to current and former intelligence officials. Some argued that the Vault 7 disclosures could cause more damage to American intelligence efforts than those by former National Security Agency contractor Edward Snowden. He revealed extraordinary details about the capabilities of the United States to spy on computers and phones around the world, but the Vault 7 leaks showed how such spying is actually done, the current and former officials argued.

Schulte’s connection to the leak investigation has not been previously reported.

Federal authorities searched Schulte’s apartment in New York last year and obtained personal computer equipment, notebooks and handwritten notes, according to a copy of the search warrant reviewed by The Washington Post. But that failed to provide the evidence that prosecutors needed to indict Schulte with illegally giving the information to WikiLeaks.
https://www.washingtonpost.com/worl...4a123c359ab_story.html?utm_term=.21fd78081eca
 

ctg

Commander-in-Chief


Already under attack by Russia's telecommunications regulator, a new source of woe has emerged for crypto-chat app Telegram: malware.

In news that won't surprise anybody at all, researchers from Cisco Talos say the malware attacking Telegram's desktop app was written by a Russian speaker.

Vitor Ventura and Azim Khodjibaev explained what they saw in two April attacks involved collecting “cache and key files from end-to-end encrypted instant messaging service Telegram.”

The reason the malware attacked only the desktop version is because it “does not support Secret Chats and has weak default settings” – that's a feature only of the desktop version, and Telegram warns users and explains why security is absent in that environment.

The attack works “by restoring cache and map files into an existing Telegram desktop installation, if the session was open,” giving the attacker the chance to access the victim's session, contacts, and previous chats.
http://www.theregister.co.uk/2018/05/17/talos_telegram_desktop_attack/
 

ctg

Commander-in-Chief


The world’s largest police network is evaluating software that would match samples of speech taken from phone calls or social media posts to voice recordings of criminals stored within a massive database shared by law enforcement agencies.

The platform, as described by developers, would employ several speech analysis algorithms to filter voice samples by gender, age, language, and accent. It will be managed by Interpol at its base in Lyon, France with a goal of increasing the accuracy of voice data, and boosting its reliability and judicial admissibility.

The development team completed successful field tests of the system in March and November 2017. Next up is a project review this June in Brussels.

While the system can process any “lawfully intercepted” sound, including ambient conversation, its expected use would be to match voices gleaned from telephone and social media against a “blacklist” database. The samples could come from mobile, landline, or voice-over-Internet-protocol recordings, or from snatches of audio captured from recruitment or propaganda videos posted to social media.
https://spectrum.ieee.org/tech-talk...tform-will-recognize-criminals-by-their-voice
 

ctg

Commander-in-Chief
Researchers have discovered a phishing campaign that infected Android devices with custom surveillance-ware bent on extracting data from top officials, primarily in the Middle East.

Researchers at Lookout Security told Threatpost that the tool, dubbed Stealth Mango, has been used to collect over 30 gigabytes of compromised data on attacker infrastructure, including call records, audio recordings, device location information and text messages.
https://threatpost.com/phishing-campaign-targeted-top-officials-with-surveillance-ware-tools/131994/
 

hansai

Commander-in-Chief
FBI warned that Russians carried out a broad network attack – home routers are worth updating too
The attack has been detected in dozens of countries.

A router is a device that connects, for example, home computers to the internet. (PHOTO: AXEL HEIMKEN / DPA)
HS-Reuters
Published: 25.5. 21:47
THE UNITED STATES' federal police, the FBI, warned on Friday that Russian hackers have compromised the security of hundreds of thousands of routers in homes, offices and government agencies alike. According to the FBI, the danger is that the attackers can steal information or shut down connections.

US authorities urged everyone to restart their routers and to update the devices' software from the manufacturers. A router is a device that connects, for example, home computers to the internet.

The attack has been confirmed in more than 50 countries, and according to the Finnish Communications Regulatory Authority (Viestintävirasto) there may be victims in Finland as well. Viestintävirasto is investigating possible victims infected by the malware in Finland and will contact them through internet operators.

According to the UNITED STATES Department of Justice, the attack is the work of a group called Sofacy, which the Americans say has close ties to the Russian government.

Sofacy is also known as APT28 and Fancy Bear. The group has been accused of several attacks, including against the US Democratic Party during the 2016 US presidential election campaign.

THE ATTACK is said to affect at least Belkin, Mikrotik, Netgear, TP-Link and Qnap devices. Devices from these manufacturers should be restored to factory settings and restarted, and all updates offered by the manufacturer installed. Among other things, the FBI also urges changing passwords to ensure security, but according to Viestintävirasto there is as yet no certainty about which protective measures are sufficient.

According to the FBI, the VPNFilter malware is difficult to detect. The FBI says the malware can, for example, cut the router's internet connection.

The router attack was originally discovered by the security companies Talos and Symantec. According to Talos, at least roughly half a million routers are infected. Most of the recently infected routers are in Ukraine, and similarities have been found between the malware and the BlackEnergy malware used in 2015 to break into Ukraine's power grids.
https://www.hs.fi/ulkomaat/art-2000005695535.html
 

ctg

Commander-in-Chief
US CERT has issued a Technical Alert that says two strains of malware are tools of the North Korean government.

The Alert says that the United States’ Department of Homeland Security (DHS) and Federal Bureau of Investigation (FBI) “identified IP addresses and other indicators of compromise (IOCs) associated with two families of malware used by the North Korean government.”

One of the malware strains is called “Joanap” and is said to be a two-stage malware that establishes peer-to-peer communications links “to manage botnets designed to enable other operations.” The alert says Joanap lets North Korea “exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device.”

The other malware is a Server Message Block (SMB) worm called “Brambul”.

This one’s a “dynamic link library file or a portable executable file often dropped and installed onto victims’ networks by dropper malware.”
http://www.theregister.co.uk/2018/05/30/north_korea_joanap_and_brambul_malware/
 

ctg

Commander-in-Chief
An IoT botnet has been commandeered by white hats after its controllers used a weak username and password combination for its command-and-control server.

Ankit Anubhav, of Newsky Security, said researchers with the company were able to take over the MySQL server used to control the Owari botnet – thanks to its creator leaving port 3306 open and the username and password as root.

"Mirai botnet was designed to set up a MySQL server for the command and control containing three tables, namely users, history, and whitelist," explained Anubhav.

"While IoT botnets have evolved and many of them have different attack vectors, most of them still retain this tried and tested MySQL server structure, and Owari is no exception to this."

Ironically, Anubhav points out, both Mirai and Owari themselves are able to infect Internet-of-Things devices by brute-force guessing passwords and taking advantage of default credentials in the appliances. Apparently, that weakness extends to the botnet's command infrastructure as well.

As the MySQL server was left wide open, the researchers were able to take a peek into the inner workings of the army of hacked gadgets. Among other things, they noted, was that the Owari botnet maintained a list of customers who each had their own logins, allowing those who paid the owner to set up and run their own attacks for a predetermined amount of time.

Anubhav was also able to spot a history list, including a set of logs that indicated many of the DDoS attacks launched by the botnet were efforts to take out competing operators.

Sadly, Anubhav explains, getting access to the command and control server didn't bring about an immediate and swift end to the entire botnet.

"Sadly, it’s not so simple in the case of most IoT botnets, as these [command and control] related IPs already have a very low shelf life (on average, a week)," the researcher writes.

"Botnet operators are aware that their IPs will be flagged soon due to the bad network traffic. Hence to stay under the radar, they often voluntarily change attack IPs."
http://www.theregister.co.uk/2018/06/06/pwn_goal_botnet/
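An added example (not Newsky Security's tooling) of checking a database server for the two weaknesses that post describes: a MySQL listener reachable on its network port, and a root account usable from any host with a guessable password. The two my.cnf fragments and the account records are constructed samples; the plaintext `password` field is an assumption made for the demo, since a real `mysql.user` table stores hashes rather than passwords.

```python
"""Audit a mysqld config fragment and a list of account records for the
open-port / root-from-anywhere / weak-password combination.  Sample data is constructed."""
import configparser

# Constructed: the kind of config a careless operator ships.
WEAK_MY_CNF = """
[mysqld]
bind-address = 0.0.0.0
port = 3306
"""

# Constructed: database reachable only locally (and the TCP listener switched off).
HARDENED_MY_CNF = """
[mysqld]
bind-address = 127.0.0.1
port = 3306
skip-networking
"""

ALL_INTERFACES = {"0.0.0.0", "*", "::"}
WEAK_PASSWORDS = {"", "root", "admin", "password", "123456"}   # constructed shortlist


def audit_mysqld_config(text):
    """Return findings about the [mysqld] listener settings; an empty list means nothing flagged."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False)
    cp.read_string(text)
    if not cp.has_section("mysqld"):
        return ["no [mysqld] section found"]
    section = cp["mysqld"]
    if "skip-networking" in section:
        return []                                   # TCP listener disabled entirely
    bind = section.get("bind-address", "*")         # absent: listens on all interfaces
    port = section.get("port", "3306")
    if bind in ALL_INTERFACES:
        return [f"mysqld listens on all interfaces (bind-address={bind}, port {port})"]
    return []


def audit_accounts(accounts):
    """Flag root reachable from any host, and any account with a weak or empty password."""
    findings = []
    for acct in accounts:
        name = f"{acct['user']}@{acct['host']}"
        if acct["user"] == "root" and acct["host"] == "%":
            findings.append(f"{name}: root may log in from any host")
        if acct.get("password", "") in WEAK_PASSWORDS:
            findings.append(f"{name}: weak or empty password")
    return findings


# Constructed sample accounts, before and after hardening.
WEAK_ACCOUNTS = [{"user": "root", "host": "%", "password": "root"}]
HARDENED_ACCOUNTS = [
    {"user": "root", "host": "localhost", "password": "c0rrect-h0rse-battery-staple"},
    {"user": "c2app", "host": "127.0.0.1", "password": "long-random-per-app-secret"},
]


def audit(config_text, accounts):
    """Combined report: list of finding strings for the given config and account records."""
    return audit_mysqld_config(config_text) + audit_accounts(accounts)


if __name__ == "__main__":
    for line in audit(WEAK_MY_CNF, WEAK_ACCOUNTS):
        print("WEAK:", line)
    print("hardened findings:", audit(HARDENED_MY_CNF, HARDENED_ACCOUNTS))
```

The same three checks are what a defender's own database inventory should pass: no listener on a public interface, no privileged account with a `%` host, and no account whose password would fall to the same default-credential guessing the botnets themselves rely on.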
 

ctg

Commander-in-Chief
Two weeks ago, officials in the private and public sectors warned that hackers working for the Russian government infected more than 500,000 consumer-grade routers in 54 countries with malware that could be used for a range of nefarious purposes. Now, researchers from Cisco’s Talos security team say additional analysis shows that the malware is more powerful than originally thought and runs on a much broader base of models, many from previously unaffected manufacturers.

The most notable new capabilities found in VPNFilter, as the malware is known, come in a newly discovered module that performs an active man-in-the-middle attack on incoming Web traffic. Attackers can use this ssler module to inject malicious payloads into traffic as it passes through an infected router. The payloads can be tailored to exploit specific devices connected to the infected network. Pronounced “essler,” the module can also be used to surreptitiously modify content delivered by websites.

Besides covertly manipulating traffic delivered to endpoints inside an infected network, ssler is also designed to steal sensitive data passed between connected end-points and the outside Internet. It actively inspects Web URLs for signs they transmit passwords and other sensitive data so they can be copied and sent to servers that attackers continue to control even now, two weeks after the botnet was publicly disclosed.

To bypass TLS encryption that’s designed to prevent such attacks, ssler actively tries to downgrade HTTPS connections to plaintext HTTP traffic. It then changes request headers to signal that the end point isn’t capable of using encrypted connections. Ssler makes special accommodations for traffic to Google, Facebook, Twitter, and Youtube, presumably because these sites provide additional security features. Google, for example, has for years automatically redirected HTTP traffic to HTTPS servers. The newly discovered module also strips away data compression provided by the gzip application because plaintext traffic is easier to modify.
https://arstechnica.com/information...cting-50000-devices-is-worse-than-we-thought/

http://www.theregister.co.uk/2018/06/07/vpnfilter_is_much_worse_than_everyone_thought/

The neighbour's state tool. I have myself thought of this kind of thing as a normal tool in a state's toolbox for offensive operations. The idea here is probably Putin's decision that the network gets cut off in the event of a crisis. VPNFilter is an example of how that is implemented.
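An added example, not Talos code, of what a site operator can do about the kind of tampering described in the VPNFilter post: a server-side check for requests that arrive stripped of compression and of the client's HTTPS-upgrade signal, plus the HSTS response header that makes browsers refuse plain HTTP to a host on later visits. The two requests are constructed samples; the heuristics (which headers a modern browser normally sends on a navigation) are assumptions, and HSTS only protects once a browser has already seen the header over HTTPS or has the host on its preload list.

```python
"""Heuristics for requests that look rewritten by an in-path device, and the
HSTS header that blocks HTTPS-to-HTTP downgrades on repeat visits.
Sample requests are constructed; header names are the standard ones."""


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers) with lower-case header names."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def downgrade_indicators(headers):
    """Return the reasons this request looks stripped; empty list means nothing suspicious."""
    reasons = []
    ua = headers.get("user-agent", "")
    # Assumption: current Chrome/Firefox send Upgrade-Insecure-Requests on navigations.
    modern_browser = "Chrome/" in ua or "Firefox/" in ua
    enc = {t.strip().lower() for t in headers.get("accept-encoding", "").split(",") if t.strip()}
    if "accept-encoding" in headers and not enc & {"gzip", "deflate", "br"}:
        reasons.append("accept-encoding present but advertises no compression")
    if modern_browser and "upgrade-insecure-requests" not in headers:
        reasons.append("browser-class user-agent without upgrade-insecure-requests")
    return reasons


def hsts_header(max_age=31536000, include_subdomains=True, preload=True):
    """Strict-Transport-Security header telling browsers to use only HTTPS for this host."""
    value = f"max-age={max_age}"
    if include_subdomains:
        value += "; includeSubDomains"
    if preload:
        value += "; preload"
    return "Strict-Transport-Security: " + value


# Constructed: what a browser normally sends on a top-level navigation.
NORMAL_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/66.0.3359.181\r\n"
    "Accept-Encoding: gzip, deflate, br\r\n"
    "Upgrade-Insecure-Requests: 1\r\n"
    "\r\n"
)

# Constructed: the same request after an in-path device rewrote it.
STRIPPED_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0) Chrome/66.0.3359.181\r\n"
    "Accept-Encoding: identity\r\n"
    "\r\n"
)


def classify(raw):
    """Indicators for a raw request string."""
    return downgrade_indicators(parse_request(raw)[2])


if __name__ == "__main__":
    print("normal:  ", classify(NORMAL_REQUEST))
    print("stripped:", classify(STRIPPED_REQUEST))
    print(hsts_header())
```

A spike of such requests from one consumer ISP range is worth a look, but the durable fix is on the server side: serve everything over HTTPS, send the HSTS header on every HTTPS response, and submit the host for preloading, so that even the first visit from a new browser never goes out as plain HTTP that a router could rewrite.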
 

ctg

Commander-in-Chief
Years-old security issues mostly stamped out in enterprise technology remain in maritime environments, leaving ships vulnerable to hacking, tracking, and worse.

A demo at the Infosecurity Europe conference in London by Ken Munro and Iain Lewis of Pen Test Partners (PTP) demonstrated multiple methods to interrupt and disrupt the shipping industry.

Weak default passwords, failure to apply software updates, and a lack of encryption – all reminding us of crappy IoT kit – enable a variety of attacks against shipping vessels and related operations, the conference's audience was told.

Fresh from previous Infosec demos showing how to hack a Mitsubishi Outlander and an electric kettle, the team turned their attention towards satellite comms and other seagoing systems. Staff at the UK-based security consultancy include former ship crew so their observations were particularly astute.
http://www.theregister.co.uk/2018/06/06/infosec_europe_maritime_security/
 