Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

The US bank Capital One says it has been the target of a massive data breach. A hacker gained access to more than a hundred million credit card applications between March and July of this year.

It is one of the largest data breaches ever carried out against a major bank. Capital One is one of the largest credit card issuers in the United States.

According to the bank's statement, the breach affects a hundred million customers in the United States and six million in Canada.

The hacker has been caught and was arrested on Monday.

The 33-year-old software engineer suspected of the breach was caught after bragging about their actions on the GitHub website. Another user who saw the post reported it to the bank, which contacted the federal police, the FBI, after confirming the breach.

The indictment shows that the hacker tried to share the data with others on the internet, CNN reports.

– Although I am grateful that the perpetrator has been caught, I am at the same time deeply sorry about what happened, Capital One CEO Richard D. Fairbank said according to the bank's press release.
https://yle.fi/uutiset/3-10898706
 
Sigh

About 200 million Internet-connected devices—some that may be controlling elevators, medical equipment, and other mission-critical systems—are vulnerable to attacks that give attackers complete control, researchers warned on Monday.

In all, researchers with security firm Armis identified 11 vulnerabilities in various versions of VxWorks, a slimmed-down operating system that runs on more than 2 billion devices worldwide (this section of Wikipedia's article on the OS lists some of its more notable uses). Billed collectively as Urgent 11, the vulnerabilities consist of six remote code flaws and five less-severe issues that allow things like information leaks and denial-of-service attacks. None of the vulnerabilities affects the most recent version of VxWorks—which was released last week—or any of the certified versions of the OS, including VxWorks 653 or VxWorks Cert Edition.
https://arstechnica.com/information...ssion-critical-vulnerable-to-remote-takeover/

As such, an attacker needs network access to a vulnerable device, either on a LAN or over the internet if for some reason the gadget is public facing. VxWorks version 6.5 or higher, released circa 2006, with IPnet is vulnerable, except VxWorks 7 SR0620, which is the latest build: it contains patches that fix the aforementioned holes, and was released on July 19 following Armis' discovery of the blunders. Safety-certified flavors of the OS, such as VxWorks 653 and VxWorks Cert Edition are said to be unaffected.

"As each vulnerability affects a different part of the network stack, it impacts a different set of VxWorks versions," Armis researchers Ben Seri, Gregory Vishnepolsky, and Dor Zusman said in a write-up. "As a group, URGENT/11 affect VxWorks’ versions 6.5 and above with at least one remote code execution vulnerability affecting each version."

Should a miscreant be able to connect to a vulnerable VxWorks device, they would potentially be able to send packets that could exploit any of the six critical flaws (CVE-2019-12256, CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, CVE-2019-12263, CVE-2019-12257) to gain remote code execution, thus leading to a complete takeover of the hardware.

Obviously, the seriousness of the exploit would depend on the device itself and where it sits on the network. External-facing devices like firewalls and routers could be pwned to act as the springboard for a larger attack, or embedded devices like industrial appliances could be exploited to cause physical damage.

Additionally, a hacker could cause a denial of service via two of the bugs (CVE-2019-12258, CVE-2019-12259), leak information (CVE-2019-12265), or tamper with devices through logic flaws (CVE-2019-12264, CVE-2019-12262).
https://www.theregister.co.uk/2019/07/29/wind_river_patches_vxworks/
 
State actors
The city of Pori has been the target of a data breach.

The breach was detected on Wednesday, 7 August, on one workstation in the city's education network. Through that workstation, malware had been installed on the education network's user directory servers.

– The situation affects about 9,000 people on the city's education network side. They have to change their email passwords. After 10 o'clock the old ones will no longer work, says Jani Setälä, head of the IT services unit.

Overnight it was discovered that the breach succeeded because of a security hole in Windows.

– This is now being investigated further, to find out how it was possible.

Setälä stresses that the breach is focused specifically on the city's education network and not, for example, on the administrative side. What makes the situation challenging is that schools in Pori started today.

Already the second data breach in Satakunta in a short time
Staff and pupils of schools and daycare centres have been instructed to change their passwords. At the moment it appears that, apart from email and password data, no other data has been compromised.

– There is a strong suspicion that this is international crime. August is holiday season in Europe, and there is less monitoring, says Heikki Haaparanta, head of the ICT unit.

The city of Pori says that the situation is under control. A criminal complaint, a cyber security notification and a data breach notification will be filed about the incident.

– The worst scenario would be that username and password pairs were sold to criminals. I would stress that people should not use the same passwords in different services, so that other login credentials would not be compromised in situations like this.

At worst, criminals could make various purchases online with the victims' data.

Only last week the town of Kokemäki was the target of a serious data breach, and the entire internal network of the town was down because of the incident.
https://yle.fi/uutiset/3-10913191
 
The introduction of Russia's Sovereign Internet rules is having an impact on the way criminal hackers around the world do business.

This is according to security house IntSights, which says that the law, set to become official in a few months, will force many hacking groups to change the way they operate both in Russia and in other countries.

The rule would lead to Russia developing its own standalone network that could be cut off from all connections outside of the country if need be and continue to function.

"It creates this infrastructure that kind of isolates Russia a little bit," Charity Wright, a threat intelligence analyst with IntSights, told The Register ahead of this week's Black Hat conference in Las Vegas.

"A lot of outsiders feel threatened because they feel they may not have access to the Russian internet, but really Russia's intention is to become sovereign over their own infrastructure so if there is an attack to cut them off, they can go on with business as usual."

While the Russian government is notorious for turning a blind eye to criminal hackers (and in some cases even enlisting them for official activities), the new law will still have a major impact on how cybercrime is conducted both within and outside the country.

In particular, hackers operating within Russia will have to make sure that the services they use to conduct attacks, such as VPNs, are either Russian or operate in compliance with the strict sovereign internet requirements that have led many VPN providers to already pull out of the country.

"Although Russia is not known for cracking down on crime, this is really going to create a new culture for darkweb usage," Wright said.

"They will really have to consider the VPNs they are using and make sure they comply or stop using them."

Those sentiments were echoed by fellow IntSights security pro Andrey Yakovlev, who said that while Russia is tightening its grip on the internet and becoming more insular, it also gives its domestic hackers more motivation to launch attacks outside their borders.

"The sovereign internet will make it much easier for Russian law enforcement to crack down on hackers that target Russian entities," Yakovlev explained in the IntSights Dark Side of Russia report.

"But the government will still likely turn a blind eye to threat actors that target foreign entities – particularly those operating in enemy states, like the United States."

In other words, as hacking within Russia becomes more difficult and dangerous, expect to see Russian hacking groups focus even more of their attention on western countries, where the attacks will not draw a police response.

This is particularly bad news given the technological advantage many Russian hacking crews enjoy. The IntSights team noted that many of the major attacks and exploits to arise in recent months, such as the Windows RDP BlueKeep flaw, were weaponised in Russia long before hackers in other countries were able to get working attack code launched in the wild.

"The Russian underground covers virtually any known type or method of malicious activity," noted Yakovlev.

"If news outlets are talking about it, it is likely Russian cybercriminals have already had it for some time."

Combine that with the stronger motivation to hack outside of Russian borders, and it is shaping up to be a long year for foreign companies in the crosshairs of Russian hacking crews. ®
https://www.theregister.co.uk/2019/08/08/blackhat_russian_internet_law/
 
On Friday, Mac security researcher Patrick Wardle showed how an attacker can repurpose someone else’s Mac malware, create false attribution flags and sidestep Mac anti-malware defenses with ease. The attack scenarios were his own and meant to serve as cautionary examples and reasons why Mac security professionals need to stay on their toes.

The heart of Wardle’s thesis surfaced at the end of his talk here at DEF CON when he highlighted several Mac signature-based malware defenses woefully inadequate when it came to fending off the attacks he created. Far more effective at detecting and warding off threats is a behavioral and heuristics approach to identifying Mac threats, said Wardle, security researcher with Jamf.

The session here proved the point. Wardle laid out a soup-to-nuts attack strategy that likely could be in use by adversaries today. He began his proof-of-concept attack by demonstrating how to repurpose known malware samples and customize them for use in fresh attacks.
https://threatpost.com/macos-gets-a-malware-beatdown/147186/
 
Finland's public online services are under attack – denial-of-service attack is causing disruptions
Published: 22.8. 11:29

The attack is causing disruptions, for example, to Suomi.fi authentication.
Public online services are unreachable because of a denial-of-service attack.

More to follow
https://www.is.fi/kotimaa/art-2000006212349.html

These things happen.
 

It is possible to discern someone's SSH password as they type it into a terminal over the network by exploiting an interesting side-channel vulnerability in Intel's networking technology, say infosec gurus.

In short, a well-positioned eavesdropper can connect to a server powered by one of Intel's vulnerable chipsets, and potentially observe the timing of packets of data – such as keypresses in an interactive terminal session – sent separately by a victim that is connected to the same server.
https://www.theregister.co.uk/2019/09/10/intel_netcat_side_channel_attack/
 

For subscribers only, but a small excerpt on the subject:
Panic and chaos took over the black truck: That was how it was meant to go, because it was the target of a cyber attack – this is how, with the help of "white hats", people practise how to patch vulnerabilities
...snips...
There is demand for training


The central government is now emphasising practising the defence against cyber attacks so that disruptions can be responded to correctly.

The exercises are intended to test how organisations can limit and manage attacks so that the effects and durations of disruptions are as small as possible. The lessons are available to companies as well as to public administration.

– It is not enough that public administration handles things well, because the majority of public administration services are produced either directly or indirectly by companies, says Kimmo Rousku.

Preparations for data breaches and cyber attacks are made, for example, in the TAISTO19 exercise organised by the Population Register Centre (Väestörekisterikeskus), which is being held in November for the second time. More than 230 organisations took part in last year's exercise.

This year, lessons are being drawn from the summer's cyber attacks on Lahti, Kokemäki and Pori. Municipalities have signed up for the exercise more eagerly than last time.
.... snip....
 
Two security contractors were arrested in Adel, Iowa on September 11 as they attempted to gain access to the Dallas County Courthouse. The two are employees of Coalfire—a "cybersecurity advisor" firm based in Westminster, Colorado that frequently does security assessments for federal agencies, state and local governments, and corporate clients. They claimed to be conducting a penetration test to determine how vulnerable county court records were and to measure law enforcement's response to a break-in.

Unfortunately, the Iowa state court officials who ordered the test never told county officials about it—and evidently no one anticipated that a physical break-in would be part of the test. For now, the penetration testers remain in jail. In a statement issued yesterday, state officials apologized to Dallas County, citing confusion over just what Coalfire was going to test:

State court administration (SCA) is aware of the arrests made at the Dallas County Courthouse early in the morning on September 11, 2019. The two men arrested work for a company hired by SCA to test the security of the court’s electronic records. The company was asked to attempt unauthorized access to court records through various means to learn of any potential vulnerabilities. SCA did not intend, or anticipate, those efforts to include the forced entry into a building. SCA apologizes to the Dallas County Board of Supervisors and law enforcement and will fully cooperate with the Dallas County Sheriff’s Office and Dallas County Attorney as they pursue this investigation. Protecting the personal information contained in court documents is of paramount importance to SCA and the penetration test is one of many measures used to ensure electronic court documents are secure.

The case is an example of the legal risks faced by security testing firms, particularly when the scope of such tests is vague. Even the most basic electronic security tests, when done outside of the bounds of a contractual agreement, could land the testers in trouble, as Ars reported when Gizmodo reporters attempted to phish Trump administration and campaign figures in 2017.

Josh Rosenblatt, a Maryland attorney who teaches at the University of Baltimore and is a legal instructor for the Baltimore Police Department, noted the legal complications of penetration testing in a presentation at BSides Charm. "If you have a full black-box assessment," Rosenblatt said—meaning a security assessment with no scope set and only vague definitions of how the security is to be checked—"you might run into issues." That's particularly the case when the organization issuing the assignment doesn't own the infrastructure being tested.

"The scope is everything," Rosenblatt explained. If the scope is only vaguely defined, "you could find yourself exposed to legal liability."

Coalfire's Justin Wynn and Gary Demercurio, who are still in jail [Update: They appear to have made bail on Thursday], have been charged with third-degree burglary and possession of burglary tools. Their bond has been set at $50,000, and they are scheduled to appear for a preliminary hearing on September 23—in the same courthouse they were caught breaking into.
https://arstechnica.com/information...d-jailed-in-iowa-courthouse-break-in-attempt/
 
On Tuesday, the Common Weakness Enumeration (CWE) team from MITRE, a non-profit focused on information security for government, industry and academia, published its list of the CWE Top 25 Most Dangerous Software Errors.

These CWEs represent the most common critical weaknesses in software. They're bugs, design flaws, or other errors in software implementation. They include things like buffer overflows, pathname traversal errors, undesired randomness or predictability, code evaluation and injection, lack of data verification and so on.

CWEs differ from CVEs in that they are precursors to vulnerabilities. "A weakness can become an exploitable vulnerability under the right operational conditions," explained Chris Levendis, a project manager at MITRE, in a phone interview with The Register.
https://www.theregister.co.uk/2019/09/18/the_25_most_dangerous_software_weaknesses/
 
Hackers backed by the Iranian government recently tried to hack email accounts used by the campaign of a US presidential candidate, a Microsoft official said on Friday.

The “Phosphorous” hackers, as Microsoft has named the group, targeted the unidentified campaign by attempting to access email accounts campaign staff received through Microsoft cloud services. Rather than relying on malware or exploiting software vulnerabilities, the attackers worked relentlessly to gather information that could be used to activate password resets and other account recovery services Microsoft provides.
https://arstechnica.com/tech-policy...ers-tried-to-hack-a-us-presidential-campaign/
 

The US National Security Agency (NSA) is warning admins to patch a set of months-old security bugs that have recently come under active attack.

The NSA's bulletin, issued earlier this week, says that state-sponsored hacking groups are now actively targeting the remote takeover and connection hijacking flaws in VPNs that were first publicized in April of this year.

"These vulnerabilities allow for remote arbitrary file downloads and remote code execution on Pulse Connect Secure and Pulse Policy Secure gateways. Other vulnerabilities in the series allow for interception or hijacking of encrypted traffic sessions," the NSA warned.

"Exploit code is freely available online via the Metasploit framework, as well as GitHub. Malicious cyber actors are actively using this exploit code."

The NSA's update comes on the heels of an earlier alert issued in the UK by the National Cyber Security Centre (NCSC), warning of attacks that it had spotted against both private and government sector firms in the UK ranging from military and academic institutions to business and healthcare providers.

"An attacker can use these stolen credentials to connect to the VPN and change configuration settings, or connect to further internal infrastructure," the NCSC's warning reads.

"Unauthorised connection to a VPN could also provide the attacker with the privileges needed to run secondary exploits aimed at accessing a root shell." David Stubley, CEO of security firm 7 Elements, told The Register that his firm has already found tens of thousands of servers vulnerable to one of the outlined bugs, and provided a video showing just how easy the process of exploiting the flaws and stealing VPN user data is.
https://www.theregister.co.uk/2019/10/10/nsa_ncsc_vpn_warnings/
 
More than a year has passed since Bloomberg Businessweek grabbed the lapels of the cybersecurity world with a bombshell claim: that Supermicro motherboards in servers used by major tech firms, including Apple and Amazon, had been stealthily implanted with a chip the size of a rice grain that allowed Chinese hackers to spy deep into those networks. Apple, Amazon, and Supermicro all vehemently denied the report. The National Security Agency dismissed it as a false alarm. The Defcon hacker conference awarded it two Pwnie Awards, for "most overhyped bug" and "most epic fail." And no follow-up reporting has yet affirmed its central premise.

But even as the facts of that story remain unconfirmed, the security community has warned that the possibility of the supply chain attacks it describes is all too real. The NSA, after all, has been doing something like it for years, according to the leaks of whistle-blower Edward Snowden. Now researchers have gone further, showing just how easily and cheaply a tiny, tough-to-detect spy chip could be planted in a company's hardware supply chain. And one of them has demonstrated that it doesn't even require a state-sponsored spy agency to pull it off—just a motivated hardware hacker with the right access and as little as $200 worth of equipment.

At the CS3sthlm security conference later this month, security researcher Monta Elkins will show how he created a proof-of-concept version of that hardware hack in his basement. He intends to demonstrate just how easily spies, criminals, or saboteurs with even minimal skills, working on a shoestring budget, can plant a chip in enterprise IT equipment to offer themselves stealthy backdoor access. (Full disclosure: I'll be speaking at the same conference, which paid for my travel and is providing copies of to attendees.) With only a $150 hot-air soldering tool, a $40 microscope, and some $2 chips ordered online, Elkins was able to alter a Cisco firewall in a way that he says most IT admins likely wouldn't notice, yet would give a remote attacker deep control.

"We think this stuff is so magical, but it’s not really that hard," says Elkins, who works as "hacker in chief" for the industrial-control-system security firm FoxGuard. "By showing people the hardware, I wanted to make it much more real. It’s not magical. It’s not impossible. I could do this in my basement. And there are lots of people smarter than me, and they can do it for almost nothing."
https://arstechnica.com/information...-chips-in-hardware-can-cost-as-little-as-200/
 
From Snowden's pen

In every country of the world, the security of computers keeps the lights on, the shelves stocked, the dams closed, and transportation running. For more than half a decade, the vulnerability of our computers and computer networks has been ranked the number one risk in the US Intelligence Community’s Worldwide Threat Assessment – that’s higher than terrorism, higher than war. Your bank balance, the local hospital’s equipment, and the 2020 US presidential election, among many, many other things, all depend on computer safety.

And yet, in the midst of the greatest computer security crisis in history, the US government, along with the governments of the UK and Australia, is attempting to undermine the only method that currently exists for reliably protecting the world’s information: encryption. Should they succeed in their quest to undermine encryption, our public infrastructure and private lives will be rendered permanently unsafe.

In the simplest terms, encryption is a method of protecting information, the primary way to keep digital communications safe. Every email you write, every keyword you type into a search box – every embarrassing thing you do online – is transmitted across an increasingly hostile internet. Earlier this month the US, alongside the UK and Australia, called on Facebook to create a “backdoor”, or fatal flaw, into its encrypted messaging apps, which would allow anyone with the key to that backdoor unlimited access to private communications. So far, Facebook has resisted this.

 
Chinese Huawei competes for 5G networks together with European companies such as Finland's Nokia and Sweden's Ericsson. Pekka Sihvonen points out that both companies produce their security services in Finland and their staff hold Finnish passports.

 
COLUMBIA, Md.—In a business park that plays home to a number of tech and cybersecurity firms situated strategically between Washington, DC, and Baltimore, there's a two-story building that looks externally like many other office buildings, remarkable this day only for the food trucks in the parking lot and the stream of people in camouflage swarming in and out. The building, called DreamPort, is a collaboration facility leased by US Cyber Command—and on October 18, it was the location of AvengerCon IV, the latest incarnation of a soldier-led cybersecurity training event that takes the shape of a community hacking conference.

The event also offered USCYBERCOM a chance to show off DreamPort—and a chance for me to meet with David Luber, the Executive Director of USCYBERCOM.

"AvengerCon is an event that is attracting the very best talent both from our DoD participants and also from some of the folks that are working with us outside of the DoD," Luber said. "When you bring those very best cyber experts together, they get to learn, test out new ideas, and work in an environment that is hosted by and for DoD cyber operations community experts. They're working in a community of peers—they get to learn together, they get to fail together. And what we've seen from previous activities with AvengerCon is that it's an exhilarating, fun environment for them to work in, and they learn a ton while they're here. And the private sector benefits because as AvengerCon shows, we're all working on some of the same cyber challenges together."
https://arstechnica.com/information...hacker-con-goes-big-the-return-of-avengercon/
 
One of the world’s most technologically advanced hacking groups has a new backdoor that’s every bit as sophisticated as its creators.

Dubbed Titanium by the Kaspersky Lab security researchers who discovered it, the malware is the final payload delivered in a long and convoluted attack sequence. The attack chain uses a host of clever tricks to evade antivirus protection. Those tricks include encryption, mimicking of common device drivers and software, memory-only infections, and a series of droppers that execute the malicious code in a multi-staged sequence. Yet another means of staying under the radar is hidden data delivered steganographically in a PNG image.

Named after a password used to encrypt a malicious archive, Titanium was developed by Platinum, a so-called advanced persistent threat group that focuses hacks on the Asia-Pacific region, most likely on behalf of a nation.

“The Titanium APT has a very complicated infiltration scheme,” Kaspersky Lab researchers wrote in a post. “It involves numerous steps and requires good coordination between all of them. In addition, none of the files in the file system can be detected as malicious due to the use of encryption and fileless technologies. One other feature that makes detection harder is the mimicking of well-known software.”

Titanium uses several different methods to initially infect its targets and spread from computer to computer. One is a local intranet that has already been compromised with malware. Another vector is an SFX archive containing a Windows installation task. A third is shellcode that gets injected into the winlogon.exe process (it’s still unknown how this happens). The end result is a stealthy and full-featured back door that can:
  • Read any file from a file system and send it to an attacker-controlled server
  • Drop a file onto or delete it from the file system
  • Drop a file and run it
  • Run a command line and send execution results to the attacker’s control server
  • Update configuration parameters (except the AES encryption key)
Platinum has been operating since at least 2009, according to a detailed report Microsoft published in 2016. The group is primarily focused on the theft of sensitive intellectual property related to government interests. Platinum often relies on spear phishing and zero-day exploits.

Interestingly, Kaspersky Lab says it has yet to detect any current activity related to Titanium. It’s not clear if that’s because the malware isn’t in use or if it’s just too hard to detect infected computers.
https://arstechnica.com/information...ackdoor-employs-clever-ways-to-go-undetected/
 