Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

LULZ
The extraordinary trial of a former CIA sysadmin accused of leaking top-secret hacking tools to WikiLeaks has ended in a mistrial.

In Manhattan court on Monday morning, jurors indicated to Judge Paul Crotty they had been unable to reach agreement on the eight most serious counts, which included illegal gathering and transmission of national defense information: charges that would have seen Schulte, 31, sent to jail for most of the rest of his life.

They did however find him guilty on two counts – contempt of court, and making false statements to the FBI – although he has already spent more time behind bars awaiting trial than he would be required to serve under those counts.

The two sides will meet later this month to decide what to do next. Schulte’s lawyer, Sabrina Shroff, has already asked for an extended deadline in order to file additional motions.

Some of those motions will ask for information from the prosecution that was kept from her during the trial, most controversially the case of “Michael,” a co-worker of Schulte who was put on administrative leave by the CIA when evidence emerged linking him to the theft of the Vault 7 hacking tools. Michael also refused to discuss the matter with the FBI.

The prosecution only informed Shroff that Michael had been suspended after he gave testimony in the courtroom – something she stressed heavily in her closing arguments, implying that there was a lot more going on behind the scenes than the jurors realized. It would appear that some jurors at least were persuaded by that line of argument, which is not surprising given the nature of the trial: a leak of classified exploit code and manuals from America’s top spy agency.

The mistrial will be a significant embarrassment for the US government which spent years pulling the case together, and spent most of the past four weeks walking the jury through what it said was a well-planned theft by Schulte of various software tools that can be used to snoop on a wide range of modern electronics from smartphones to laptop computers. The government is expected to push for a retrial.

Evidence

At the center of the case is the extraordinary fact that the CIA had a hard time proving it was Schulte who stole the tools from a secure server in the heart of spies' headquarters.

The agency produced a complicated forensic explanation for how it believes Schulte did it – he saved a backup to a thumb drive and then reverted the system to a previous state to cover his tracks – but it couldn’t hide the fact there was only circumstantial evidence against him, and so the prosecution spent a lot of time highlighting his behavior before and after the theft to fill the gaps.

The irony, of course, is that Schulte was hired for the very skills that he may have employed to hide the theft in the first place. It didn’t help that during the course of the trial, the CIA was found to have appalling security measures in place: multiple people used the same admin username and password to access the critical servers. Not only that, but the passwords used were weak – 123ABCdef and mysweetsummer being the main two – and on top of that, they were published on the department’s intranet.

Schulte’s lawyer successfully argued that the evidence against her client was not sufficient for them to say, beyond a reasonable doubt, that he was the person who stole the materials. There is no evidence that Schulte had the tools on him outside the work environment, and no evidence that he sent them to WikiLeaks.

The prosecution pointed out, however, that Schulte downloaded the very software that WikiLeaks recommends people use to send it files because, you guessed it, it deletes any traces of the file transfer from your machine.

Jail time

The strongest evidence against Schulte was his behavior in jail while awaiting trial: he was clearly being closely watched, and at one point his cell was raided and a contraband phone was seized along with a notebook, both of which made plain that he was trying to communicate confidential information to outside the jail.

The prosecution argued this was evidence that Schulte was willing to damage US interests to further his own goals. His defense argued he was simply trying to get word of his innocence out to the wider world after he’d been pulled in a government black hole.

Most compelling of the evidence against the CIA/FBI’s case was the fact that co-worker Michael had a screengrab of the very server the Vault 7 tools were stolen from at the time that they were allegedly being stolen. Even the government admits this was unusual.

Michael never mentioned the fact he was actively monitoring the server at the time, and the screengrab was found many months later in a forensic deep dive by the Feds. When asked about it, Michael refused to cooperate, and the next day the CIA suspended him.

That evidence raises all kinds of questions of what was really going on inside the Operational Support Branch (OSB) of the CIA: its elite exploit programming unit. Clearly those questions were sufficient for the jury to be unable to reach agreement on whether Schulte was guilty or not.
 
Word leaked out on Tuesday of a new vulnerability in recent versions of Windows that has the potential to unleash the kind of self-replicating attacks that allowed the WannaCry and NotPetya worms to cripple business networks around the world.

The vulnerability exists in version 3.1.1 of the Server Message Block protocol that’s used to share files, printers, and other resources on local networks and over the Internet. Attackers who successfully exploit the flaw can execute code of their choice on both servers and end-user computers that use the vulnerable protocol, Microsoft said in this bare-bones advisory.

The flaw, which is tracked as CVE-2020-0796, affects Windows 10 and Windows Server 2019, which are relatively new releases that Microsoft has invested huge amounts of resources hardening against precisely these types of attacks. Patches aren’t available, and Tuesday’s advisory gave no timeline for one being released. Asked if there was a timeline for releasing a fix, a Microsoft representative said: “Beyond the advisory you linked, nothing else to share from Microsoft at this time.”

In the meantime, Microsoft said vulnerable servers can be protected by disabling compression to block unauthenticated attackers from exploiting the vulnerability against an SMBv3 server. Users can use the following PowerShell command to turn off compression without needing to reboot the machine:

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" DisableCompression -Type DWORD -Value 1 -Force

That fix won’t protect vulnerable client computers from attack. Microsoft also recommended users block port 445, which is used to send SMB traffic between machines.
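An added example (not from the article or from Microsoft) that audits a host for the two workarounds the advisory describes, the DisableCompression registry value and an inbound block on TCP 445, and applies them. The registry path and value name are the ones quoted above; the firewall rule name is a constructed placeholder.

```powershell
# Added example: check and apply the CVE-2020-0796 workarounds from the advisory.
# Assumptions: run in an elevated PowerShell on Windows 10 / Windows Server 2019.
# Only the registry path and value name come from the advisory quoted above;
# the firewall rule display name below is a constructed example.
$SmbParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'DisableCompression'
$RuleName  = 'Workaround CVE-2020-0796 - block inbound TCP 445 (example rule)'

function Get-SmbCompressionState {
    # 'Mitigated' when DisableCompression is 1, 'Exposed' when the value is
    # missing or any other number (compression is enabled by default).
    $current = Get-ItemProperty -Path $SmbParams -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $current -and $current.$ValueName -eq 1) { return 'Mitigated' }
    return 'Exposed'
}

function Set-SmbCompressionDisabled {
    # The exact registry change Microsoft gave as the server-side workaround.
    # Takes effect without a reboot; it does NOT protect SMB clients.
    Set-ItemProperty -Path $SmbParams -Name $ValueName -Type DWORD -Value 1 -Force
}

function Test-Smb445Blocked {
    # True when an enabled inbound firewall rule blocks TCP 445.
    $rules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($rule in $rules) {
        $port = $rule | Get-NetFirewallPortFilter
        if ($port.Protocol -eq 'TCP' -and (@($port.LocalPort) -contains '445' -or $port.LocalPort -eq 'Any')) {
            return $true
        }
    }
    return $false
}

function Add-Smb445BlockRule {
    # Blocks inbound SMB on the Public profile only, so LAN file sharing keeps
    # working while the host is reachable from untrusted networks. Blocking 445
    # at the perimeter (what the advisory means) is still the stronger control.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Public | Out-Null
    }
}

# Report, apply, and report again so the change is visible in the transcript.
"Before: SMB compression = $(Get-SmbCompressionState); TCP 445 blocked = $(Test-Smb445Blocked)"
Set-SmbCompressionDisabled
Add-Smb445BlockRule
"After:  SMB compression = $(Get-SmbCompressionState); TCP 445 blocked = $(Test-Smb445Blocked)"
```

Run Get-SmbCompressionState on its own from a monitoring job to confirm the value has not been reverted by a later configuration change.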
 
Computer bought at an auction in Germany contained a missile system's secret operating instructions – A similar system is also in use in Finland, the Defence Forces tight-lipped
Finland uses the same type of air defence missile system as Germany.

The version of the Asrad air defence missile system acquired by Finland is mounted on a truck bed. Photo: SIMO RÄSÄNEN / TAUNO RÄSÄNEN / WIKIPEDIA
Jarmo Huhtanen HS
Published: 18.3. 23:13, Updated 7:55


TWO researchers at the German security company G Data Cyber Defence have made an alarming discovery on an old laptop they bought in an online auction.

The hard drive of the computer, decommissioned by the German armed forces, the Bundeswehr, contained the complete operating instructions for an air defence missile system called Leflasys Ozelot (Das Leichte Flugabwehr System Ozelot).


The same type of short-range missile system is also in use in Finland, but under a different name. In Finland it is known as Ilmatorjuntaohjus 2005 (Ito 05).

The system, taken into use by the Finnish Defence Forces in 2005, is intended to protect the best-equipped operational troops and the Helsinki metropolitan area.

HS ASKED the Army Command about the significance of the German find for Finland's defence. Inspector of Air Defence Mikko Mäntynen replied to HS briefly by e-mail that the Defence Forces are looking into the matter.

”In my understanding there are similarities between the Finnish and German systems, but I cannot comment in detail on the characteristics of another country's systems or of our own capabilities,” Lieutenant Colonel Mäntynen wrote.


ACCORDING TO PUBLIC INFORMATION, the most visible differences between the systems are the carrier platform and the missile used, which differ between the Bundeswehr's and the Defence Forces' systems. The system has indeed been built so that several different missiles can be used with it.

The Ito 05, or Asrad-R-Fin, missile system (Atlas short-range air defence system) acquired by Finland was originally developed by the German company Atlas Elektronik. It has a Swedish radar and missiles and a Canadian command and control system.


Finland has bought a total of 16 systems, which are mounted on Unimog trucks. One system has a missile launcher holding four missiles plus a separate firing stand from which a missile can also be fired.

The missile in the Finnish system is the Saab-made Bolide, which reaches more than twice the speed of sound. Germany uses Stinger or Mistral missiles.

The Defence Forces state the Bolide missile's maximum range as eight kilometres horizontally and five kilometres vertically.

The system also includes a target acquisition radar, a camera, a thermal camera and a laser rangefinder.


G DATA'S RESEARCHERS bought the laptop in an eBay auction for 90 euros. The computer was made by the German company Roda Computer, which specialises in so-called ruggedised machines.

Ruggedised is IT slang for a reinforced or hardened computer built for heavy use. They are exactly the kind of devices that the armed forces of various countries favour, because they are designed for field conditions.

The machine bought by G Data's researchers weighs nearly five kilograms, because it has various metal reinforcements and rubber guards.


THE MACHINE dates from the early 2000s. It has a 600 megahertz Pentium III processor and 128 megabytes of main memory. The machine is now obsolete, but in its day it was an expensive and powerful device.

The computer was originally richly equipped: among other things it still had an old floppy drive, a backup battery, two power supplies and parallel-port cables.

Inside the computer was a six-gigabyte hard drive. The Windows 2000 operating system was installed on it.

The machine also had a management program whose screen leading to Guest mode had an easily guessed password: ”Guest”.

Behind the program were official-use-only data on the Leflasys Ozelot air defence missile system: a handbook, maintenance instructions, operating instructions and drawings.

”The instructions are very detailed and explain precisely how the system is operated,” writes security expert Tim Berghoff on the company's blog.

The information is classified at the Bundeswehr's lowest protection level.

Der Spiegel was the first to report on the matter in Germany.

 

Read it this morning too and nearly fell off my chair. The Bundeswehr doesn't seem to have enough know-how to destroy a laptop. Rovaniemi they did manage to burn down, but...:sneaky:
 
:facepalm:

The British Army has made a coronavirus-related tech U-turn after telling soldiers that commands issued over WhatsApp are now legally binding.

In written orders posted to a Ministry of Defence intranet site, an Army unit told its soldiers that from now on, orders delivered over WhatsApp are to be treated just as seriously as written instructions delivered through the usual chain of command.

The move is controversial because only last year, the Army's top sergeant major stated WhatsApp is not an acceptable way to distribute formal military demands.

For years soldiers complained that it wasn't clear if WhatsApp messages were a proper substitute for written orders (or disciplinary measures) delivered by email or hard copy.

The order itself, part of which has been seen by The Register, said:
All personnel are to be contactable at all times via their mobile phone. Orders and Sqn direction will now be passed directly through WhatsApp and all work related information passed across this means is to be considered an order.
 
The Russian hacking crew known variously as APT28, Fancy Bear and Pawn Storm has been targeting defence companies with Middle Eastern outposts, according to Trend Micro.

A new report from the threat intel firm says that the Russian state-backed hacking outfit went on a spree of targeting defence firms in the Middle East back in May last year. Using credential-phishing tactics, APT28* used the email accounts of targets they had already hacked to fire phishing emails at further targets using known contacts for a higher strike rate.

According to Trend, around 38 per cent of the attacks fired off by the Russians were targeted at defence companies, with banking, construction and government targets making up the main portion of the others.

“Surprisingly, the list also included a couple of private schools in France and the United Kingdom, and even a kindergarten in Germany,” commented the threat intel firm.

Further, Trend said APT28 were port-scanning mail servers, including Microsoft Exchange Autodiscover boxen, on TCP ports 443 and 1433 in the hope of finding vulnerable machines to exploit, and use as a staging post in their ongoing campaign.
 
On March 13, the Brno University Hospital started turning away new patients suffering serious conditions. Urgent surgeries were postponed and the hospital, which is a key Covid-19 testing site in the Czech Republic, shut down all computers as a cyberattack took hold.

“The hospital public announcement system started to repeat the message that all personnel should immediately shut down all computers due to ‘cybernetic security’,” one cybersecurity researcher who was waiting in the hospital for surgery has said. While the cyberattack didn’t impact the work being done around the coronavirus it did cause disruption at an exceptionally busy and chaotic time.

The Czech hospital is not the only medical institution to be targeted by cybercriminals as the novel coronavirus has spread around the world. In the United States, the website for a public health department in Illinois that has more than 200,000 people registered with it has been taken offline following a ransomware attack. France’s cybersecurity agency has also published a warning that it’s seeing ransomware targeting its local authorities.

As the total number of global cases of Covid-19 has swelled above 250,000, hackers have increased their activity as they look to capitalise on the crisis. “We’re seeing concerted targeting against manufacturing, pharmaceutical, travel, healthcare and insurance,” explains Sherrod DeGrippo, a senior director in threat research and detection at cybersecurity firm Proofpoint. “When I say manufacturing, a lot of times it seems to be targeted against a subset of manufacturing, which is manufacturers that create hospital beds, medical equipment, those things you would associate with healthcare.”

If you get caught in Finland, a stint in prison may be the least of your worries.
 
There may soon be many more of these. Employees at many agencies and companies have been ordered to work remotely in a hurry, probably without sufficient guidance on information security. An employee infects their machine with e.g. malware, a VPN connection to the company network is opened from the infected machine, and the result is a security breach and a possible data breach.
 
An employee infects their machine with e.g. malware, a VPN connection to the company network is opened from the infected machine, and the result is a security breach and a possible data breach.

This can be influenced with guidance, but it would make sense for companies to use the same template, or for the notice to come from an authority. I know from experience that some people nonetheless don't read anything and carry on as they always have.
 
Researchers have unearthed an attack campaign that uses previously unseen malware to target Middle Eastern organizations, some of which are in the industrial sector.

Researchers with Kaspersky Lab, the security firm that discovered the campaign, have dubbed it WildPressure. It uses a family of malware that has no similarities to any malicious code seen in previous attacks. It's also targeting organizations that don't overlap with other known campaigns.

Milum, as the malware is dubbed, is written in C++ and contains clues that suggest developers may be working on versions written in other programming languages. While Milum uses configuration data and communication mechanisms that are common among malware developers, the researchers believe that both the malware and the targets are unique.

I'm inclined to believe this is one person. But whether he works for a state is a question mark.
 
Google’s threat analysis group, which counters targeted and government-backed hacking against the company and its users, sent account holders almost 40,000 warnings in 2019, with government officials, journalists, dissidents, and geopolitical rivals being the most targeted, team members said on Thursday.

The number of warnings declined almost 25 percent from 2018, in part because of new protections designed to curb cyberattacks on Google properties. Attackers have responded by reducing the frequency of their hack attempts and being more deliberate. The group saw an increase in phishing attacks that impersonated news outlets and journalists. In many of these cases, attackers sought to spread disinformation by attempting to seed false stories with other reporters. Other times, attackers sent several benign messages in hopes of building a rapport with a journalist or foreign policy expert. The attackers, who most frequently came from Iran and North Korea, would later follow up with an email that included a malicious attachment.

“Government-backed attackers regularly target foreign policy experts for their research, access to the organizations they work with, and connection to fellow researchers or policymakers for subsequent attacks,” Toni Gidwani, a security engineering manager in the threat analysis group, wrote in a post.
 
The Guardian says it has evidence that Saudi Arabia is exploiting a decades-old weakness in the global telecoms network to track the kingdom’s citizens as they travel in the United States.

The publication cited data provided by a whistleblower that suggests Saudi Arabia is engaged in systematic spying by abusing Signalling System No. 7. Better known as SS7, it’s a routing protocol that allows cell phone users to connect seamlessly from carrier to carrier as they travel throughout the world. With little built-in security for carriers to verify one another, SS7 has always posed a potential hole that people with access could exploit to track the real-time location of individual users. SS7 abuse also makes it possible for spies to snoop on calls and text messages. More recently, the threat has grown, in part because the number of companies with access to SS7 has grown from a handful to thousands.

The data provided to The Guardian “suggests that millions of secret tracking requests emanated from Saudi Arabia over a four-month period beginning in November 2019,” an article published on Sunday reported. The requests, which appeared to originate from the kingdom’s three largest mobile phone carriers, sought the US location of Saudi-registered phones.

The unnamed whistleblower said they knew of no legitimate reason for requests of that volume. “There is no explanation, no other technical reason to do this,” The Guardian quoted the source as saying. “Saudi Arabia is weaponizing mobile technologies.”

The whistleblower’s data appears to show Saudi Arabia sending an unnamed major US mobile operator requests for PSI—short for Provide Subscriber Information. Sunday’s report said there were an average of 2.3 million such requests per month for the four months starting in November. The data, The Guardian said, suggests that Saudi Arabian phones were tracked as many as 13 times per hour as their owners carried them about the United States. The Saudi operators also sent separate PSLs. US carriers blocked the requests, indicating that the requests were suspicious.
 
Zero-day vulns are increasingly likely to be bought and sold by malware vendors targeting the Middle East with their dodgy wares, according to FireEye.

"While not every instance of zero-day exploitation can be attributed to a tracked group, we noted that a wider range of tracked actors appear to have gained access to these capabilities," said the threat intel group in a blog post published today.

Israeli spyware company NSO Group is a name that keeps cropping up again and again in FireEye's analysis, which found that over the past three years, the number of zero-days in observed circulation has been increasing.

"Furthermore, we noted a significant increase over time in the number of zero-days leveraged by groups suspected to be customers of companies that supply offensive cyber capabilities," said FireEye, which went on to refer to a group of malicious persons variously named by researchers as Stealth Falcon and FruityArmor [sic].

This group "used malware sold by NSO Group", said FireEye, which speculated that it might also be linked to Uzbekistani state spying operations: "The zero-days used in SandCat operations [another online threat activity group] were also used in Stealth Falcon operations, and it is unlikely that these distinct activity sets independently discovered the same three zero-days."

Aside from NSO Group's sales, FireEye also looked at what it called "financially motivated actors", meaning criminals who want to make a quick buck from exploiting zero-days to steal and sell data. These, it said, were doing their thing "with less frequency than espionage groups", suggesting that you're at greater risk from state spies abusing zero-day vulns to pwn your network than you are from common-or-garden crims trying to ransom your stolen data back to you.

Stealth Falcon was identified by eastern European infosec bods Eset last year as using an obscure Windows background service for its command-'n'-control comms with compromised machines in the group's botnet. Before that, Kaspersky found them abusing a vuln in Windows TrueType fonts to remotely execute code on targeted devices.

Kaspersky also recently found an uptick in malicious activity targeting the Middle East as a whole, something that appears to be a rising trend from threat intel companies' findings.

A zero-day is a software vulnerability that has zero days between the time it is discovered and the time that someone is found to be using it for criminal purposes. Responsible infosec researchers find vulns and then privately tell vendors about them so they can be patched before everyone knows; zero days, in contrast, are highly prized by malware vendors and state spies alike.
 
A parliamentary order issued yesterday says the nation’s Department of Cyber Security (DCS) has decided that when government agencies, and some private entities, use videoconferencing: “The underlying video software to be used should not have associated security or privacy concerns, such as the Zoom video communication service.”

The order notes that Taiwan’s Cyber Security Management Act suggests buyers focus on local suppliers. But the order nonetheless acknowledges that may not be possible “for international exchanges or some other special situation”.

The order therefore advises: “Many global information and communications giants—like Google and Microsoft—are offering such technology for free amid the current pandemic. Organizations should certainly consider these options after evaluating any associated data security risks.”

The order doesn’t say why Taiwan doesn’t like Zoom. One likely reason is that the beleaguered meeting-wrangler has been observed routing chats through China. As Taiwan insists it is an independent nation but China classifies it as a rogue province, the prospect of governmental video chats being intercepted by Beijing is surely not welcome.

Nor will this news be welcome at Zoom, which has pledged to clean up its act after a week from hell in which it was found to have been rather careless about several aspects of its service’s security.

Before I jump in, I want to start with a quote from an old colleague of mine - "Bug hunting is all about finding assumptions in software and violating those assumptions to see what happens." That is precisely what we are going to do today. We are going to dive into the murky depths of Safari and hammer the browser with obscure corner cases until we uncover weird behavior quirks. Once we collect enough quirks, we can tie them together into a full kill chain.

The camera security model in iOS and macOS is pretty intense. In a nutshell, each app must be explicitly granted camera/microphone permission, which is handled by the OS via a standard alert box.

But there is an exception to this rule. Apple's own apps get camera access for free. So Mobile Safari can technically access the camera without asking. Furthermore, new web technologies such as the MediaDevices Web API (commonly used in WebRTC transmissions) allow websites to utilize Safari's permission to access the camera directly. Great for web-based video conferencing apps such as Skype or Zoom. But... this new web-based camera tech undermines the OS's native
 

Some Docker installations are getting hammered by malware skiddies hoping to mine digital cash using other people's CPU time.

Infosec outfit Aqua – no, not the Barbie Girl band – said miscreants have spotted that a decent number of Docker deployments are lazily or inadvertently exposing the daemon API port to the public internet with no protection. It's a fairly common error that hackers have exploited in the past to mine digital coins, although lately we're told there have been thousands of infection attempts daily via this interface, all involving a piece of Linux malware dubbed Kinsing.

"These are the highest numbers we’ve seen in some time, far exceeding what we have witnessed to date," noted researcher Gal Singer this week.

"We therefore believe that these attacks are directed by actors with sufficient resources and the infrastructure needed to carry out and sustain such attacks, and that this is not an improvised endeavor."
 
Internal confidential documents belonging to some of the largest aerospace companies in the world have been stolen from an industrial contractor and leaked online.

The data was pilfered and dumped on the internet by the criminals behind the DoppelPaymer Windows ransomware, in retaliation for an unpaid extortion demand. The sensitive documents include details of Lockheed-Martin-designed military equipment – such as the specifications for an antenna in an anti-mortar defense system – according to a Register source who alerted us to the blueprints.

Other documents in the cache include billing and payment forms, supplier information, data analysis reports, and legal paperwork. There are also documents outlining SpaceX's manufacturing partner program.

The files were siphoned from Visser Precision by the DoppelPaymer crew, which infected the contractor's PCs and scrambled its files. When the company failed to pay the ransom by their March deadline, the gang – which tends to demand hundreds of thousands to millions of dollars to restore encrypted files – uploaded a selection of the documents to a website that remains online and publicly accessible.

Visser is a manufacturing and design contractor in the US whose clients are said to include aerospace, automotive, and industrial manufacturing outfits – think Lockheed Martin, SpaceX, Tesla, Boeing, Honeywell, Blue Origin, Sikorsky, Joe Gibbs Racing, the University of Colorado, the Cardiff School of Engineering, and others. The leaked files relate to these customers, in particular Tesla, Lockheed Martin, Boeing, and SpaceX.

When asked about the dump, a Lockheed Martin spokesperson told us: "We are aware of the situation with Visser Precision and are following our standard response process for potential cyber incidents related to our supply chain.

"Lockheed Martin has made and continues to make significant investments in cybersecurity, and uses industry-leading information security practices to protect sensitive information. This includes providing guidance to our suppliers, when appropriate, to assist them in enhancing their cybersecurity posture."

Visser Precision did not respond to a request for comment on the leak. Tesla, SpaceX, and Boeing did not respond either.
 
Right now, you're more than likely spending the vast majority of your time at home. Someday, however, we will all be able to leave the house once again and emerge, blinking, into society to work, travel, eat, play, and congregate in all of humanity's many bustling crowds.

The world, when we eventually enter it again, is waiting for us with millions of digital eyes—cameras, everywhere, owned by governments and private entities alike. Pretty much every state out there has some entity collecting license plate data from millions of cars—parked or on the road—every day. Meanwhile all kinds of cameras—from police to airlines, retailers, and your neighbors' doorbells—are watching you every time you step outside, and unscrupulous parties are offering facial recognition services with any footage they get their hands on.

In short, it's not great out there if you're a person who cares about privacy, and it's likely to keep getting worse. In the long run, pressure on state and federal regulators to enact and enforce laws that can limit the collection and use of such data is likely to be the most efficient way to effect change. But in the shorter term, individuals have a conundrum before them: can you go out and exist in the world without being seen?
 
In an effort to fend off the coronavirus while getting economies restarted, the world has hit on the same idea: a smartphone app that alerts people if they have been close to someone who has the virus.

It may be the only effective solution to mass lockdowns; the virus is spreading “too fast to be contained by manual contact tracing, but could be controlled if this process was faster, more efficient and happened at scale,” researchers from the University of Oxford have concluded in a new paper.

They argue that “a contact-tracing app which builds a memory of proximity contacts and immediately notifies contacts of positive cases can achieve epidemic control if used by enough people.”

There are already COVID-19 apps in use in China, Hong Kong, Russia and Singapore and both the US and Europe are working hard on their own versions that could be released before the end of the month.

Not all these apps work in the same way however and with experts saying that to be effective they would have to be used by at least 60 per cent of the population, it is critical that whatever approach is taken is acceptable to a vast majority of the population.
 
The world is careening toward the reality that almost all electronics in your home and business are connected to the internet. Many of these devices contain things like heating elements, batteries, and motors that are entirely software-controlled. Do you… trust them? Coalfire decided to see how low the barrier was for hackers to attempt to cause life-threatening harm by weaponizing one of today’s increasingly common and cheap devices. In this three-part blog post, we will identify the target, uncover challenges, and hopefully answer our query above.

One new tool for the offensive toolkit.
 