Cyber thread: network espionage, tracking of mobile phones and WLANs, hacking, viruses, DoS etc.

Microsoft has open-sourced the fuzzing tool it uses to scour its own code for potential security vulnerabilities.

Fuzzing is a way of testing software by feeding it random inputs in the hope it fails in revealing ways. The technique is widely admired because it gets results and can be automated.

The tool Microsoft has released is called “OneFuzz”, and the company says that “the testing framework used by Microsoft Edge, Windows, and teams across Microsoft is now available to developers around the world.”

“OneFuzz has already enabled continuous developer-driven fuzzing of Windows that has allowed Microsoft to proactively harden the Windows platform prior to shipment of the latest OS builds,” said Microsoft Security principal security software engineering lead Justin Campbell and senior director for special projects management Mike Walker.
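
The article above only says what fuzzing is; the following is an added example, not part of the post and not Microsoft's OneFuzz code, that shows the mechanism in miniature. It defines a toy length-prefixed record format (my own construction), a deliberately buggy parser that trusts the declared length, a fixed version with the bounds check, and a seeded mutation fuzzer that treats `ValueError` as the parser's intended rejection and anything else as a bug. The seed input and the exception convention are assumptions of this example.

```python
import random


def parse_record(data: bytes) -> bytes:
    """Toy wire format: one length byte, the payload, then a 0x00 terminator.
    Deliberately buggy: it trusts the declared length and reads past the buffer."""
    if not data:
        raise ValueError("empty record")
    length = data[0]
    payload = data[1:1 + length]
    terminator = data[1 + length]          # IndexError when length exceeds the buffer
    if terminator != 0:
        raise ValueError("missing terminator")
    return payload


def parse_record_fixed(data: bytes) -> bytes:
    """Same format, with the bounds check the buggy version lacks."""
    if len(data) < 2:
        raise ValueError("record too short")
    length = data[0]
    if len(data) != length + 2:
        raise ValueError("declared length does not match buffer size")
    if data[1 + length] != 0:
        raise ValueError("missing terminator")
    return data[1:1 + length]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one random edit: overwrite, delete or insert a byte."""
    buf = bytearray(data)
    op = rng.choice(("overwrite", "delete", "insert"))
    if op == "overwrite" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    else:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    return bytes(buf)


def fuzz(target, seed_input: bytes, iterations: int = 1000, seed: int = 0):
    """Minimal mutation fuzzer. ValueError is how the parser is supposed to reject
    bad input; any other exception is a bug. Returns (crashing_input, exception_name)
    for the first crash found, or None if the target survived every iteration."""
    rng = random.Random(seed)               # fixed seed so a run is reproducible
    corpus = [seed_input]
    for _ in range(iterations):
        candidate = mutate(rng.choice(corpus), rng)
        try:
            target(candidate)
        except ValueError:
            continue                        # graceful rejection, not a bug
        except Exception as exc:            # anything else is a crash worth reporting
            return candidate, type(exc).__name__
        corpus.append(candidate)            # accepted inputs become new seeds


if __name__ == "__main__":
    seed_input = b"\x03abc\x00"             # constructed valid record: len 3, "abc", terminator
    print("buggy parser:", fuzz(parse_record, seed_input, iterations=2000, seed=1))
    print("fixed parser:", fuzz(parse_record_fixed, seed_input, iterations=2000, seed=1))
```

Run it and the buggy parser falls over with an `IndexError` within a handful of iterations (any deletion already pushes the terminator read past the end of the buffer), while the fixed parser only ever raises `ValueError`. Real fuzzers add coverage feedback, crash deduplication and a persistent corpus on top of exactly this loop.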
 
The NSA has published online a guide for IT admins to keep systems free of bootkits and rootkits.

The American surveillance super-agency's 39-page explainer [PDF] covers UEFI security and, in particular, how folks can master Secure Boot and avoid switching it off for compatibility reasons.

A bootkit is a piece of software that runs before the OS starts up and tampers with it to ensure it runs some kind of malicious code later. Said code could be a rootkit that ensures another piece of the puzzle – spyware or ransomware, say – is deployed and executed with sysadmin-level powers. Secure Boot is a mechanism that uses cryptography to ensure you're booting an operating system that hasn't been secretly meddled with; any addition of a bootkit or rootkit should be caught by Secure Boot.

The guide walks people through the steps to deploy Secure Boot. The key thing is stopping a miscreant who has managed to obtain physical or admin-level access to a computer from gaining persistent, hidden control over the machine by altering the operating system and any software on top of it from the firmware level.
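
A first check a sysadmin following the NSA guide would want is whether the firmware is actually enforcing Secure Boot. The following is an added example, not from the post or from the NSA document: on Linux the firmware exposes the `SecureBoot` and `SetupMode` variables under efivarfs, each prefixed with a 4-byte attribute word, and a platform in Setup Mode has no platform key enrolled and so is not enforcing signatures whatever else it reports. The variable file names follow the efivarfs `Name-GUID` convention with the EFI global variable GUID; the sample byte strings are constructed.

```python
from pathlib import Path

EFIVARS = Path("/sys/firmware/efi/efivars")
# GUID of the UEFI global variable namespace, as used in efivarfs file names.
EFI_GLOBAL_VARIABLE = "8be4df61-93ca-11d2-aa0d-00e098032b8c"


def efivar_value(raw: bytes) -> bytes:
    """efivarfs prepends a 4-byte little-endian attribute word to every variable; strip it."""
    if len(raw) < 4:
        raise ValueError("efivar blob too short for attribute header")
    return raw[4:]


def boolean_efivar(raw: bytes) -> bool:
    """SecureBoot and SetupMode are single-byte variables: 1 means true."""
    value = efivar_value(raw)
    if len(value) != 1:
        raise ValueError(f"expected a 1-byte variable, got {len(value)} bytes")
    return value[0] == 1


def secure_boot_status(secure_boot_raw: bytes, setup_mode_raw: bytes) -> str:
    """Classify the firmware state from the raw contents of the two variables."""
    enabled = boolean_efivar(secure_boot_raw)
    setup_mode = boolean_efivar(setup_mode_raw)
    if setup_mode:
        # No platform key enrolled: the firmware does not enforce signatures in this state.
        return "setup-mode (no PK enrolled, signatures not enforced)"
    return "enforcing" if enabled else "disabled"


def read_efivar(name: str, guid: str = EFI_GLOBAL_VARIABLE) -> bytes:
    return (EFIVARS / f"{name}-{guid}").read_bytes()


def live_status() -> str:
    """Read the real variables on a Linux UEFI system; report why if that is not possible."""
    try:
        return secure_boot_status(read_efivar("SecureBoot"), read_efivar("SetupMode"))
    except (FileNotFoundError, PermissionError, ValueError) as exc:
        return f"unavailable: {exc}"


# Constructed samples: attribute word 0x06 (BOOTSERVICE_ACCESS | RUNTIME_ACCESS) then one value byte.
SAMPLE_ENFORCING = (b"\x06\x00\x00\x00\x01", b"\x06\x00\x00\x00\x00")
SAMPLE_DISABLED = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x00")
SAMPLE_SETUP_MODE = (b"\x06\x00\x00\x00\x00", b"\x06\x00\x00\x00\x01")

if __name__ == "__main__":
    for label, sample in (("enforcing", SAMPLE_ENFORCING), ("disabled", SAMPLE_DISABLED),
                          ("setup mode", SAMPLE_SETUP_MODE)):
        print(f"{label:>10}: {secure_boot_status(*sample)}")
    print("this machine:", live_status())
```

`mokutil --sb-state` and `bootctl status` report the same thing on Linux, and `Confirm-SecureBootUEFI` does on Windows; the point of reading the variables directly is the Setup Mode caveat, which a bare "SecureBoot enabled" message hides.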
 
Hardware video encoders from multiple suppliers contain several critical security bugs that allow a remote unauthenticated miscreant to run arbitrary code on the equipment.

In a disclosure published this week, Alexei Kojenov, lead product security engineer at Salesforce, outlined a series of flaws affecting IPTV/H.264/H.265 video encoders powered by the hi3520d chipset from Huawei's HiSilicon subsidiary. The security holes are present in software, whose developer is unknown, that runs on top of a Linux stack provided by HiSilicon for products using its system-on-chips.

"The vulnerabilities exist in the application software running on these devices," said Kojenov in his post. "All vulnerabilities are exploitable remotely and can lead to sensitive information exposure, denial of service, and remote code execution resulting in full takeover of the device."

The critical flaws include: an administrative interface with a backdoor password (CVE-2020-24215); root access via telnet (CVE-2020-24218); and unauthenticated file upload (CVE-2020-24217), which enables malicious code execution and command injection. All of these can be exploited over the network or internet to hijack vulnerable equipment. Kojenov also flagged vulnerabilities of high and medium severity: a buffer overflow (CVE-2020-24214) that stops the thing from working properly, and a way to access RTSP video streams without authorization (CVE-2020-24216).

Huawei insists the vulnerabilities were not introduced by its HiSilicon chips nor the SDK code it provides to manufacturers that use its components. That would mean someone else provided the makers of these video encoder devices application software riddled with holes, and this code was shipped with the equipment. The products just all happen to use the hi3520d chipset.
 
A cryptocurrency exchange called KuCoin says it has been cracked, with over $100m of assets misappropriated.

The Register last covered KuCoin when it was mentioned by the Bitcoin-burgling cybercrooks who hacked a bunch of prominent Twitter users.

The Seychelles-based outfit, founded in 2017, proudly boasts of its venture capital backers who clearly admire its services facilitating trading of "numerous digital assets and cryptocurrencies". And on Saturday it advised users that it "detected some large withdrawals since September 26, 2020 at 03:05:37 (UTC+8)" and that an internal security audit revealed "part of Bitcoin, ERC-20 and other tokens in KuCoin's hot wallets were transferred out of the exchange, which contained few parts of our total assets holdings. The assets in our cold wallets are safe and unharmed, and hot wallets have been re-deployed."

The company also promised that any losses would be covered by insurance, but also advised that deposit and withdrawal services would be suspended pending a security review.

A later update included an FAQ in which customers asked why some of the withdrawals continued even after the first incident notification was posted. KuCoin assured customers it conducted those transactions itself and advised that restoration of withdrawal functions could take a week. In the volatile world of cryptocurrency, a week can be the difference between a win and a bust.

A Monday update, the latest, revealed the scale of the hack as KuCoin identified over $130m of assets. It also describes work among a number of crypto players to identify suspicious transactions, freeze transactions, and even lists some addresses suspected of involvement in the heist.
 
A federal agency has suffered a successful espionage-related cyberattack that led to a backdoor and multistage malware being dropped on its network.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an alert on Thursday, not naming the agency but providing technical details of the attack. Hackers, it said, gained initial access by using employees’ legitimate Microsoft Office 365 log-in credentials to sign onto an agency computer remotely.

“The cyber-threat actor had valid access credentials for multiple users’ Microsoft Office 365 (O365) accounts and domain administrator accounts,” according to CISA. “First, the threat actor logged into a user’s O365 account from Internet Protocol (IP) address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file. The cyber-threat actor connected multiple times by Transmission Control Protocol (TCP) from IP address 185.86.151[.]223 to the victim organization’s virtual private network (VPN) server.”
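
The CISA excerpt above publishes its indicators in defanged form (`91.219.236[.]166`), which is the form a SOC analyst receives them in and the form they must not be searched for literally. As an added example, not part of the post or of the CISA alert, the code below pulls the IPv4 indicators out of the quoted text, refangs and validates them, and sweeps them against constructed O365 sign-in and VPN gateway log lines. The log format, user names, timestamps and internal addresses are made up for the example.

```python
import ipaddress
import re

# The advisory excerpt quoted above, with its indicators still defanged.
ADVISORY_TEXT = (
    "First, the threat actor logged into a user's O365 account from Internet Protocol (IP) "
    "address 91.219.236[.]166 and then browsed pages on a SharePoint site and downloaded a file. "
    "The cyber-threat actor connected multiple times by Transmission Control Protocol (TCP) from "
    "IP address 185.86.151[.]223 to the victim organization's virtual private network (VPN) server."
)

# Dotted quad whose separators may be '.' or the defanged '[.]'.
DEFANGED_IPV4 = re.compile(r"\b(?:\d{1,3}(?:\[\.\]|\.)){3}\d{1,3}\b")
# Dotted quad in a log line, not glued to a longer number or a second dotted quad.
IPV4_IN_LOG = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def refang(indicator: str) -> str:
    """Undo the usual defanging so an indicator can be compared with real log data."""
    return indicator.replace("[.]", ".").replace("(.)", ".").replace("hxxp", "http")


def extract_ipv4_iocs(text: str) -> set:
    """Return the set of valid IPv4 indicators found in advisory text."""
    found = set()
    for match in DEFANGED_IPV4.findall(text):
        candidate = refang(match)
        try:
            found.add(str(ipaddress.ip_address(candidate)))  # drops junk such as 999.1.2.3
        except ValueError:
            continue
    return found


def find_ioc_hits(log_lines, iocs):
    """Return (line_number, ip, line) for every line mentioning a known-bad address."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        for ip in IPV4_IN_LOG.findall(line):
            if ip in iocs:
                hits.append((number, ip, line))
    return hits


# Constructed sample logs, not real data: two O365 audit records and two VPN gateway lines.
SAMPLE_LOGS = [
    "2020-09-10T14:02:11Z o365 UserLoggedIn user=alice@agency.example ip=91.219.236.166 result=Success",
    "2020-09-10T14:05:42Z o365 FileDownloaded user=alice@agency.example ip=91.219.236.166 site=sharepoint",
    "Sep 10 14:20:01 vpn-gw sslvpn: connection from 185.86.151.223:51222 to 10.0.0.5:443 established",
    "Sep 10 14:21:07 vpn-gw sslvpn: connection from 203.0.113.7:40110 to 10.0.0.5:443 established",
]

if __name__ == "__main__":
    iocs = extract_ipv4_iocs(ADVISORY_TEXT)
    print("indicators:", sorted(iocs))
    for number, ip, line in find_ioc_hits(SAMPLE_LOGS, iocs):
        print(f"line {number}: {ip} -> {line}")
```

The lookbehind and lookahead in `IPV4_IN_LOG` matter more than they look: without them a port suffix such as `:51222` or an adjacent octet can turn a non-match into a false hit or split a real one.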
 
Russian antivirus maker Kaspersky has said it uncovered "rogue UEFI firmware images" seemingly developed by black hats with links to China.

The rogue images had been "modified from their benign counterpart to incorporate several malicious modules", according to a post on Kaspersky's Securelist blog, which named the attack MosaicRegressor.

"MosaicRegressor is a multi-stage and modular framework aimed at espionage and data gathering. It consists of downloaders, and occasionally multiple intermediate loaders, that are intended to fetch and execute payload on victim machines," said Kaspersky in a statement.

The firm explained that UEFI firmware is "typically shipped within SPI flash storage that is soldered to the computer's motherboard", and thus any malware injected into it is "resistant to OS reinstallation or replacement of the hard drive." The technique shot to public prominence in 2015 when malware-for-governments purveyor Hacking Team was itself hacked, with details of its firmware-level spyware becoming public knowledge.

The malware-laden MosaicRegressor images were discovered in use as part of a wider campaign targeting charities in Africa, Asia, and Europe, "all showing ties in their activity to North Korea" – though Kaspersky attributed the malicious software to "a Chinese-speaking" person or group, possibly connected to the Winnti hacking crew. A single IP address mentioned in a previous list of suspected C2 infrastructure linked to Winnti gave Kaspersky a clue as to its origins, though no more than that.

"After further analysis we were able to determine that [the UEFI images] were based on the leaked source code of Hacking Team's VectorEDK bootkit, with minor customizations," the company added.

The malicious firmware modules wrote an executable called IntelUpdate.exe to the infected machine's startup folder, meaning the program would run whenever the system was booted. Among other components Kaspersky found were "a DXE driver that is based on Hacking Team's 'rkloader' component," and a Hacking Team driver called ntfs among others.

Kaspersky noted it was unable to find out exactly how the malicious firmware images were injected into victims' computers: the data could have been inserted while the equipment was in transit, or at the factory, or installed by malware running on the machine, and so on. "Unfortunately, we were not able to determine the exact infection vector that allowed the attackers to overwrite the original UEFI firmware," it said.

Fellow infosec biz ESET has conducted in-depth research into UEFI rootkits deployed by APT28, aka Russia's Fancy Bear hacking crew. In that case the rootkit was introduced to the target machine via "a poisoned application delivered via spear phishing emails."
 
Ransomware attacks that tear through corporate networks can bring massive organizations to their knees. But even as these hacks reach new popularity highs—and new ethical lows—among attackers, it's not the only technique criminals are using to shake down corporate victims. A new wave of attacks relies instead on digital extortion—with a side of impersonation.

On Wednesday, the Web security firm Radware published extortion notes that had been sent to a variety of companies around the world. In each of them, the senders purport to be from the North Korean government hackers Lazarus Group, or APT38, and Russian state-backed hackers Fancy Bear, or APT28. The communications threaten that if the target doesn’t send a set number of bitcoin—typically equivalent to tens or even hundreds of thousands of dollars—the group will launch powerful distributed denial of service attacks against the victim, walloping the organization with a fire hose of junk traffic strategically directed to knock it offline.
 
Six men accused of carrying out some of the world's most destructive hacks—including the NotPetya disk wiper and power grid attacks that knocked out electricity for hundreds of thousands of Ukrainians—have been indicted in US federal court.

The indictment said that all six men are officers in a brazen hacker group best known as Sandworm, which works on behalf of Unit 74455 of the Russian Main Intelligence Directorate, abbreviated from Russian as GRU. The officers are behind the "most disruptive and destructive series of computer attacks ever attributed to a single group," prosecutors said. The alleged goal: to destabilize foreign nations, interfere with their internal politics, and cause monetary losses.
 

Huge revelation: Russian hackers planned to interfere with the Tokyo Olympics – they previously disrupted elections and the Skripal investigation

Six officers of Russia's military intelligence service GRU have been charged in the United States with carrying out cyberattacks. The Daily Mail reports on the matter.

According to the US Department of Justice, the targets of the cyberattacks included the 2018 Winter Olympics in Korea and, a year earlier, the French elections. The officers also sought to disrupt next year's Tokyo Olympics and Paralympics.

– They are responsible for the most disruptive and destructive series of computer attacks ever carried out by a single group, the Department of Justice says.

According to British and US authorities, the Russians took down the internet connection during the opening ceremony of the 2018 Korean Olympics and disrupted several TV broadcasts. The aim was to wipe all data from the computers and stop them from working.

Cyberattacks were also carried out against the Paralympics.

– The GRU's actions against the Olympic and Paralympic Games are cynical and reckless. We condemn them in the strongest possible terms, British Foreign Secretary Dominic Raab stated.

According to British authorities, the GRU officers had similar plans for the Tokyo Olympics and Paralympics. The targets of the cyberattacks would have been the Games' organisers, logistics services and sponsors.

To cover their tracks, the Russians intended to pose as Chinese and North Korean cybercriminals.

– The attacks on the Summer Olympics are the latest twist in Russia's campaign of malicious activity against the Olympic and Paralympic Games, the British government announced.

Russia was banned from international sporting events for four years when the country's state-run doping programme was exposed.

According to the authorities, Russia has carried out cyberattacks against international sports organisations ever since the country's doping scandal came to light. Russia has denied the charges.

The six now indicted are also accused of other highly significant cybercrimes.

According to Britain's National Cyber Security Centre, the same group carried out a cyberattack in 2018 on the computer systems of the British Foreign Office and of the laboratory that investigated the poisoning of the Skripals. The aim was to disrupt the investigation of the case.

In the French elections, the GRU group hacked and leaked more than 20,000 emails related to President Emmanuel Macron's campaign. The group has also carried out cyberattacks on Ukraine's power grid, the Georgian parliament and Georgian media.

According to the United States, the six are also charged over malware that affected companies' computers and caused nearly a billion dollars in losses worldwide in 2017.

US Assistant Attorney General John Demers said the same individuals had been charged over interference in the 2016 US elections. The current charges, however, do not concern election interference.

– The FBI has repeatedly warned that Russia is a highly capable cyber adversary. The information revealed in these indictments shows how destructive Russia's cybercriminals really are, FBI Deputy Director David Bowdich commented.
 
A former BAE Systems software engineer who allegedly leaked top-secret details about a frontline missile system also ignored orders from police to hand over passwords to his electronic devices, a court has heard.

Simon Finch, of Swansea, is said by prosecutors to have emailed details of the unidentified missile system to nine separate addresses. He was charged with offences under the UK's Official Secrets Act as well as the Regulation of Investigatory Powers Act (RIPA) last year, as we reported at the time.

Mark Heywood QC, prosecuting, told the Central Criminal Court in London: "Expert evaluation has concluded that the release of information of that kind, for example to a hostile adversary of the UK, would give them an understanding of the function of that relevant system which in turn would allow them methods of countering it."

Finch, who worked for both BAE Systems and defence research firm Qinetiq, was said to have encountered "problems in his personal life" before losing his job in 2018. As his life spiralled downwards, fuelled by two homophobic assaults which he claimed police ignored, Heywood told the court that Finch "complained of mistreatment which he said amounted to torture at the hands of police".

Merseyside Police allegedly mistreated Finch after arresting him for carrying a hammer and a machete in a public place, something he claims to have begun doing after the attacks.

Finch, said Heywood as he read from the email the engineer sent, was allegedly forced to defecate on the floor of his prison cell because police wouldn't get him to a toilet in time. The Crown alleges that Finch wrote and sent the email – which included details of the missile system's workings – because he wanted revenge against the UK in general after having his complaints about police mistreatment ignored by everyone he approached.

When police began investigating his October 2018 disclosures Finch did not cooperate, the prosecutor told the jury as reported by newswire Court News UK: "Later on, even after things came to light, he committed, consciously, a further offence. That is to say when he was asked quite simply to give up the passcodes for his electronic devices and given a formal notice to do that, so as to assist the investigation and prevent risk of further disclosure, he refused, so committing a further criminal offence."

Finch faces two charges under the Official Secrets Act: recording information for any purpose prejudicial to the safety or interests of the state which was calculated to be or might be or was intended to be directly or indirectly useful to an enemy; and making a damaging disclosure. He is also charged with failing to reveal his passwords to a police worker, under the Regulation of Investigatory Powers Act 2000.

The RIPA clause relating to relinquishing a password was introduced in 2007 and has been controversial ever since. A government barrister called for key safeguards around misuse of the power to be watered down back in January.

Finch denies all charges. The case, under judge Mrs Justice Whipple, continues.
 
Ryuk ransomware is being aggressively deployed to target US healthcare institutions, government cyber organisations in the US have warned.

"CISA, FBI, and HHS have credible information of an increased and imminent cybercrime threat to US hospitals and healthcare providers," the cybersecurity, investigative, and healthcare agencies said in a joint statement published overnight.

They warned that the American healthcare sector is at particular risk of attack, saying in an advisory note:

The cybercriminal enterprise behind Trickbot malware has continued to develop new functionality and tools increasing the ease, speed, and profitability of victimization. What began as a banking trojan and descendant of Dyre malware now provides its operators a full suite of tools to conduct a myriad of illegal cyber activities. These activities include credential harvesting, mail exfiltration, cryptomining, point-of-sale data exfiltration, and the deployment of ransomware, such as Ryuk.
 
I'm trying to start YouTube. It won't open. On all the other computers in the house it opens and, as far as I can tell, works perfectly normally.

What on earth can this kind of problem be?

Edit. Solved.
Edit2. Not solved after all. YouTube opens, but after that it stutters and misbehaves as if only about 1% of the bandwidth were available. In a minute only a few seconds of a 1080p video stream load, when it should easily stream 4K in real time.
 
The Global Commission on the Stability of Cyberspace (GCSC), a group that works to develop policy the world can follow to keep the internet stable and secure, late last week delivered a final report that outlines its vision for how the nations of the world should behave online.

The GCSC exists because its founders and stakeholders believe the internet has become essential to life but is not safeguarded by the kind of conventions or norms that, in a conventional kinetic conflict, make it plain that attacking schools or hospitals is barbaric.

The organisation is pragmatic enough to believe that some nations will never sign up to such norms because they don’t want restraints on their ability to conduct offensive online operations. But GCSC leaders also feel that if the organisation can create norms and have them adopted by nations and multilateral bodies, it will become possible to paint those who use the Net as a weapon as acting outside acceptable standards of behaviour.
 
In a collaboration between CyberNews Sr. Information Security Researcher Mantas Sasnauskas and researchers James Clee and Roni Carta, suspicious backdoors have been discovered in a Chinese-made Jetstream router, sold exclusively at Walmart as their new line of “affordable” wifi routers. This backdoor would allow an attacker the ability to remotely control not only the routers, but also any devices connected to that network.

CyberNews reached out to Walmart for comment and to understand whether they were aware of the Jetstream backdoor, and what they plan to do to protect their customers. After we sent information about the affected Jetstream device, a Walmart spokesperson informed CyberNews: “Thank you for bringing this to our attention. We are looking into the issue to learn more. The item in question is currently out of stock and we do not have plans to replenish it.”

 
FireEye, a $3.5 billion company that helps customers respond to some of the world’s most sophisticated cyberattacks, has itself been hacked, most likely by a well-endowed nation-state that made off with “red-team” attack tools used to pierce network defenses.

The revelation, made in a press release posted after the close of stock markets on Tuesday, is a significant event. With a market capitalization of $3.5 billion and some of the most seasoned employees in the security industry, the company's defenses are formidable. Despite this, attackers were able to burrow into FireEye's heavily fortified network using techniques no one in the company had ever seen before.

Nothing is forever and nothing is ultimately secure.

The National Security Agency says that Russian state hackers are compromising multiple VMware systems in attacks that allow the hackers to install malware, gain unauthorized access to sensitive data, and maintain a persistent hold on widely used remote work platforms.

The in-progress attacks are exploiting a security bug that remained unpatched until last Thursday, the agency reported on Monday. CVE-2020-4006, as the flaw is tracked, is a command-injection flaw, meaning it allows attackers to execute commands of their choice on the operating system running the vulnerable software. These vulnerabilities are the result of code that fails to filter unsafe user input such as HTTP headers or cookies. VMware patched CVE-2020-4006 after being tipped off by the NSA.
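
The post describes the bug class behind CVE-2020-4006 in general terms: untrusted request data, such as a header value, reaching an operating-system command. The following is an added example of that class written for this thread; it is not VMware's code and does not reproduce the actual flaw or its exploitation. It extracts a header from a constructed raw HTTP request, feeds it to a function that interpolates it into a shell command line, and sets that beside the two fixes a reviewer would ask for: passing the value as its own argv element with no shell, and allow-listing it before use. The header name, hostname pattern and `echo` stand-in for the real command are assumptions of the example.

```python
import re
import subprocess

# Constructed raw request, not from a real capture: the attacker controls the header value.
RAW_REQUEST = (
    b"GET /status HTTP/1.1\r\n"
    b"Host: gateway.example.test\r\n"
    b"X-Forwarded-Host: host01.example.test; echo INJECTED\r\n"
    b"\r\n"
)


def header_value(raw: bytes, name: str) -> str:
    """Return one header from a raw request; header names are case-insensitive."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        key, _, value = line.partition(b":")
        if key.strip().lower() == name.lower().encode():
            return value.strip().decode("latin-1")
    raise KeyError(name)


def run_vulnerable(target: str) -> str:
    """Interpolates untrusted input into a shell command line.
    The ';' in the header terminates `echo` and the shell runs a second command."""
    completed = subprocess.run(f"echo {target}", shell=True, capture_output=True, text=True)
    return completed.stdout


def run_no_shell(target: str) -> str:
    """Fix 1: argv list, no shell. The whole value is one argument; ';' is just a byte."""
    completed = subprocess.run(["echo", target], shell=False, capture_output=True, text=True)
    return completed.stdout.strip()


# RFC 1123-style hostname: labels of letters, digits and hyphens joined by dots.
HOSTNAME = re.compile(
    r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_hardened(target: str) -> str:
    """Fix 2 on top of fix 1: reject anything that is not a plausible hostname before use."""
    if len(target) > 253 or not HOSTNAME.fullmatch(target):
        raise ValueError(f"rejected input: {target!r}")
    return run_no_shell(target)


if __name__ == "__main__":
    value = header_value(RAW_REQUEST, "X-Forwarded-Host")
    print("vulnerable:", repr(run_vulnerable(value)))   # two lines: the host and INJECTED
    print("no shell:  ", repr(run_no_shell(value)))     # one line, ';' preserved literally
    try:
        run_hardened(value)
    except ValueError as exc:
        print("hardened:  ", exc)
```

Run on a POSIX system the vulnerable path prints `INJECTED` on its own line, the argv path prints the header value verbatim, and the hardened path refuses it before any process is started. The allow-list is worth keeping even with argv: a value that is only ever a hostname has no business containing spaces or shell metacharacters, and rejecting it early also stops argument-injection tricks such as values beginning with `-`.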
 
Gigantic oddities in the behaviour of Twitter and Facebook.

I open Twitter in a new window (so I can follow how long each step takes).
- It takes about 80 seconds before the blue bird symbol appears on the screen. The loading bar shows about one fifth.
- Somewhere around the two-minute mark the bird symbol disappears and a spinning loading animation appears.
- After three and a half minutes a grey circle appears along with "What's happening?" and the symbols on the right-hand edge. The blue ring keeps spinning.
- After six minutes the first two tweets of the timeline become visible.
- After seven minutes more tweets are visible.
- Long after this the first images appear.

So things that should happen in under a second take close to ten minutes. As if the connection had to pass through some incomprehensible bottleneck. As if I had been left with less than a thousandth of my Twitter connection and the remaining 99.9% were, for one reason or another, out of my reach.

When I try to send a tweet, more than half a minute later I get a message saying it failed. Retry. 90 seconds later a message saying it failed. Third attempt. Again 90 seconds and a message saying it failed.

If I like someone else's tweet, the heart counter works in real time. There is no visible delay there.

In practice, then, something is preventing me from using Twitter to post and making it hard to follow. I don't know what, why or how. I see no reason to speculate publicly about possible causes.

I haven't broken the community rules, nor posted or liked anything that is even within sight of their limits.

It's partly the same with Facebook. If I try to change my own settings, things just stop. The window freezes.
 
Have you tried doing the same on another internet connection? If you suspect your ISP is deliberately throttling you, turn on a VPN and see whether the same thing happens.
 