U.S. Emergency Alert System open to false messages

It's fair to say that should you see one of these warnings on your television as you're drinking your wake-up coffee, you're probably not going to have the best of days. Though, when you're told that the "bodies of the dead are rising from their graves and attacking the living," one might meet such reports — despite the official standing of such interruptions — with some skepticism.

That's exactly what happened in Montana in February, when hackers broke into the U.S. Emergency Alert System (EAS), which interrupts television and radio broadcasts to carry local and national warnings. The appliance's default password had never been changed, allowing the hackers to walk straight into the Internet-connected device.

But a new security advisory warns that the EAS is wide open to remote attacks by hackers, who could broadcast fake reports and material.

The "critical" rating from IOActive [PDF] warns that DASDEC-I and DASDEC-II application servers, made by Digital Alert Systems, are left wide open to attackers, following a recent firmware update that also disseminated the secure-shell (SSH) key.

The key allows anyone with limited knowledge to log in at the root level of the server and "manipulate any system function," including browsing key directories and accessing its peering arrangements.

According to the advisory, an attacker who gains control of one or more DASDEC systems "can disrupt these stations' ability to transmit and could disseminate false emergency information over a large geographic area," and in some cases that information could be "forwarded to and mirrored" by other systems, spreading the false alert over a wider area.

The key is now in the public domain, and "cannot be easily removed except by a root privileged user on the server." The security advisory warns the maker of these appliances to "re-evaluate their firmware and push updates to all appliances."

Other advisories were published, including one by US-CERT, which notes that firmware version 2.0-2 resolves this vulnerability.
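As an added example (not code from IOActive, Digital Alert Systems or US-CERT), the check an appliance operator would run before and after a firmware update: audit root's authorized_keys for a key whose fingerprint appears in a denylist of known-compromised keys. The keys, the file contents and the denylisted fingerprint are constructed placeholders; the fingerprint format matches what ssh-keygen -lf prints.

```python
import base64
import hashlib
import struct

# Key types accepted by OpenSSH in an authorized_keys line.
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}

def _ssh_string(b: bytes) -> bytes:
    """OpenSSH wire encoding of a string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def make_ed25519_blob(key_bytes: bytes) -> str:
    """Base64 public-key blob for ed25519: string("ssh-ed25519") || string(key).
    Used only to build constructed sample keys; these are not real keys."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(key_bytes)
    return base64.b64encode(blob).decode()

def fingerprint(b64_blob: str) -> str:
    """Fingerprint as ssh-keygen -lf shows it: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_authorized_keys(text: str):
    """Yield (keytype, b64_blob, comment) per key line. Skips blanks and '#' comments
    and tolerates a leading options field (e.g. no-pty,command="/bin/true")
    by locating the key-type token rather than assuming it comes first."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        idx = next((i for i, p in enumerate(parts) if p in KEY_TYPES), None)
        if idx is None or idx + 1 >= len(parts):
            continue  # malformed line: no key type followed by a blob
        yield parts[idx], parts[idx + 1], " ".join(parts[idx + 2:])

def find_denylisted(text: str, denylist) -> list:
    """Return [(fingerprint, comment)] for every key whose fingerprint is denylisted."""
    return [(fp, comment)
            for _, b64, comment in parse_authorized_keys(text)
            for fp in [fingerprint(b64)] if fp in denylist]

# Constructed sample keys (fixed byte patterns, not real key material).
VENDOR_B64 = make_ed25519_blob(bytes(range(32)))
OPERATOR_B64 = make_ed25519_blob(bytes(range(32, 64)))

# Constructed root authorized_keys contents as they might look on an appliance
# that received a vendor key through a firmware update.
AUTHORIZED_KEYS = "\n".join([
    "# root authorized keys",
    f"ssh-ed25519 {VENDOR_B64} vendor-firmware-key",
    f'no-pty,command="/bin/true" ssh-ed25519 {OPERATOR_B64} operator',
])

# Placeholder denylist: in practice this holds the fingerprint of the key named
# in the vendor or US-CERT advisory, not a constructed value.
DENYLIST = {fingerprint(VENDOR_B64)}

if __name__ == "__main__":
    for fp, comment in find_denylisted(AUTHORIZED_KEYS, DENYLIST):
        print(f"REMOVE: {fp} ({comment})")
```

A hit means the key must be deleted from the file by a root user, which is exactly the step the advisory says is required on affected appliances.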

Attack on South Korean targets part of a larger cyber-espionage campaign

The March 20 cyber-attack on South Korean financial services and media firms, known as Dark Seoul, was thought to be significant not only for the high-profile nature of the targets but also for the use of a Master Boot Record (MBR) wiping functionality that erased the hard drives of infected PCs.

According to McAfee Labs, however, Dark Seoul is notable for another reason: it can be linked back to an ongoing, persistent operation against South Korea known as Operation Troy, which has been targeting the world’s most wired nation since at least 2009. And, the threat appears to come from within.

“McAfee Labs can connect the Dark Seoul and other government attacks to a secret, long-term campaign that reveals the true intention of the Dark Seoul adversaries: attempting to spy on and disrupt South Korea’s military and government activities,” the security firm noted in a white paper dissecting the issue.

“The attackers have attempted since 2009 to install the capability to destroy their targets using an MBR wiper component, as seen in the Dark Seoul incident. From our analysis we have established that Operation Troy had a focus from the beginning to gather intelligence on South Korean military targets. We have also linked other high-profile public campaigns conducted over the years against South Korea to Operation Troy, suggesting that a single group is responsible.”

Aside from the obvious reference to trojans, the term “Operation Troy” has been given to the campaign because of a liberal sprinkling of Roman and Trojan terms throughout the attack code, which McAfee said most likely points to a group called the NewRomanic Cyber Army Team as the perpetrators.

The latest attacks managed to create a significant disruption of ATM networks in South Korea, while denying access to funds. But in addition to wiping the MBR to render systems unusable, creating an instant slowdown to operations within the target, Operation Troy is also focused on stealing and holding data hostage and announcing the theft in an Anonymous-style hacktivist approach.

“Public news media have reported only that tens of thousands of computers had their MBRs wiped by the malware,” McAfee said. “But there is more to this story: The main group behind the attack claims that a vast amount of personal information has been stolen. This type of tactic is consistent with Anonymous operations and others that fall within the hacktivist category, in which they announce and leak portions of confidential information.”

McAfee uncovered that in 2011, one of the same financial institutions was hit with destructive malware that caused a denial of service. “The attackers left a calling card a day after the attacks in the form of a web pop-up message claiming that the NewRomanic Cyber Army Team was responsible and had leaked private information from several banks and media companies,” the firm said, noting that they also referenced destroying the data on a large number of machines (i.e., MBR wiping).

The attackers who conducted the operation remained hidden for a number of years prior to the March 20 incident by using a variety of custom tools. While analyzing malware components from before the March 20 incident, McAfee found both similar and identical attributes of the files involved that link them to the 3Rat remote administration tool client used on March 20, as well as to samples dating to 2010. The firm said that it’s also possible that the campaign known as 10 Days of Rain is a byproduct of Operation Troy; some of the analysis suggests that the malware Concealment Troy was present in these attacks.

“This spying operation had remained hidden and only now has been discovered through diligent research and collaboration,” McAfee noted. “We also suspect the attackers had knowledge of the security software running within the environment before they wiped the systems, given that some of the variants used in the attack were made to look as if they were antimalware update files from before March 20.”

In all, McAfee’s investigation found a long-term domestic spying operation underway since at least 2009, all based on the same code, attempting to infiltrate specific South Korean targets.

“Typically this sort of advanced persistent threat (APT) campaign has targeted a number of sectors in various countries, but Operation Troy, as these attacks are now called, targets solely South Korea,” it noted. “From our analysis of unique attributes within the malware samples we have determined that…the malware used in these attacks were compiled to specifically target South Korea and used Korean-language resources in the binaries. The malware connected to legitimate Korean domains that were running a bulletin board and sent a specific command to a PHP page to establish an IRC channel and receive commands.”

Top Five IT Security Cyber Threats

As cybercrime expands and evolves, a new study categorizes and describes the top five threats: data breaches, malware, DDoS, mobile threats and the industrialization of fraud – and they're all interrelated.

  1. Data Breach
  2. Malware
  3. DDoS
  4. Mobile Threats
  5. Industrialization of Fraud

Security firm 41st Parameter describes each threat in turn. The data breach threat is illustrated by the LivingSocial breach earlier this year. 50 million records were compromised in April. Although no financial records were stolen, they probably weren’t the direct target: “consumers don’t realize that the real concern behind the theft of personal data (such as email addresses, birthdates and encrypted passwords) is potential exposure to various forms of identity theft.”

The real problem with large data heists comes in the following months when the attackers use the data they have stolen to engineer compelling phishing attacks “to dupe unsuspecting victims into revealing sensitive data that can be used to open new accounts or take over existing ones.” In this instance there were two difficulties – firstly consumers still tend to reuse passwords over multiple accounts, and secondly LivingSocial’s business model sends out ‘daily deals’ emails to its subscribers. A forged email could look like a genuine LivingSocial mail but actually contain a disguised link to a malicious site.

That malicious site would contain the second of the major threats: malware. Malware delivery from a malicious URL, otherwise known as a drive-by download, is one of the three top delivery mechanisms of 2012. The others are app repackaging for mobile devices and smishing. App repackaging takes a genuine app, alters it for malicious purposes, and then redistributes it via a different channel. Smishing is the use of “unsolicited text messages that prompt users to provide credentials.”

There is no single solution to malware, but the threat can be mitigated by the use of up-to-date anti-malware software, and improved visibility into the devices – especially mobile devices – that connect to the corporate network.

The third threat is DDoS. DDoS attacks are disruptive, driving costs up and reputations down; and there are more than 7000 DDoS attacks every day. But there is a growing issue “more prevalent now than it’s ever been,” when the target site is a bank. Possibly using account credentials stolen by the malware distributed after a data breach, it’s now “common for fraudsters to access a group of accounts, perform reconnaissance and money movement activities and then immediately launch a DDoS attack in order to create a diversion.”

The fourth threat is that posed by and to the mobile market – 700 million smartphones were sold in 2012 alone. “Since fraudsters typically attack the weakest point of ingress,” warns 41st Parameter, “and without the proper device recognition and detection systems in place, the mobile channel may soon emerge as their channel of choice.” Overall, 2012 saw a 163% increase in mobile threats, with 95% of mobile threats attacking the Android platform. In all, 32.8 million mobile devices were infected with malware.

Finally, the report discusses the industrialization of fraud. Since online transactions are by their nature ‘machine-to-machine’ they lend themselves to automation. But just as the banks automate their own processes, so too are criminals automating fraud. “Recently, 41st Parameter has seen the standardization of fraud software building blocks and data formats, which make it easier to collaborate and exchange information between fraud rings.” And there are more than 10,000 of these fraud rings in the US alone.

One of the problems that comes from this automation is that criminals can just as easily perpetrate hundreds or thousands of small frauds to gain the same financial return as a few large ones – but staying small they are more likely to slip under the banks’ fraud detection systems.

All of these threats could stem from that initial data breach: stolen personal data leading to phishing and the installation of malware that steals account data (although the mobile arena is increasingly used to do the same), in turn leading to financial fraud which is increasingly industrialized and disguised by DDoS attacks. In fact, “The increase in large-scale data breaches and high-volume, coordinated fraud attacks are byproducts of the industrialization of fraud driven by the movement of services online,” says Eli Katz, vice president of financial industry solutions at 41st Parameter. “Financial institutions and consumers must each take steps to adjust to this evolving threat landscape.”

Malware Infections Are Usually From "Legitimate" Websites

You're more likely to encounter malware through reputable, hacked services than through seedy, illicit websites.

If you've spent even a small amount of time on the internet, you're probably aware of a simple fact: Malware is everywhere. Everywhere. Hiding in your computer, tracking your private data, and generally being a pain in everyone's digital rear end. Thankfully, there's lots of advice on avoiding malware infections, the most common being to show discretion with the pages you visit. Just avoid obscure and untrusted "phishing" websites asking for personal information, and you'll bypass 90-95% of the bad stuff, right? According to Google, no, not really. The web giant has updated its Transparency Report with breakdowns on common infection sources, revealing the biggest malware culprits to be compromised "legitimate" pages that unwittingly take advantage of visitors.

Let's make one thing clear: It is still a horrible idea to just visit some illicit porn site and start downloading everything you see. That will turn out badly. What Google's saying is that the vast majority of malware infections come from perfectly legal services which most users assume are safe. Some are small Mom-and-Pop operations, others could be significantly larger, but all have vulnerabilities that hackers took advantage of. Google blocks approximately 10,000 of these websites per day to stem the tide, but with up to 90,000 infections detected during especially infectious weeks, the company is clearly involved in a long-term struggle.

That said, it's not all bad news. As webmasters become more aware of online security, the response time between detecting an infection and repairing it has dropped dramatically in recent years. Google's Safe Browsing, for example, informs users and webmasters when websites have been compromised, discouraging traffic until the problem is fixed. We'll probably never fully get rid of malware, considering that approximately 100 million browsers see warnings each week. Still, while the number seems daunting, the fact that we know about it at all is a step in the right direction.

Source: Google Transparency Report, via Ars Technica

Fake Job Postings Displayed on Infected Computers

For cyber criminals, Zeus is the complete package: not only will it steal your money, it now helps the gangs recruit the money mules to get stolen money out of the country and into their own accounts.

Money mules are generally unwitting dupes employed by the criminals to do the risky bit of the theft – the actual money transfer out of the country. Since electronic transfers can be traced, it is the money mule rather than the criminal that tends to get arrested. The criminals thus have a constant requirement for new mules.

Employment agencies are a prime target for mule recruitment. If somebody is already looking for, or in need of, employment then he or she can more easily be duped. Typically, the criminals would place attractive looking adverts offering easy money for little work as a local payments processing agent, or shipping agent. Such offers are still found in spam campaigns. But as spam filters improve, and employment agencies get more efficient at finding and rejecting suspicious adverts, more efficient recruitment has become necessary.

What better route than Zeus?

Zeus is a man-in-the-browser trojan. Its most common use is to fool the user into thinking the page on the screen is the official bank page as part of a financial fraud. But the same methodology can be used to fool the user into thinking an advert for a shipping agent is genuine. This is now happening. “A recent Zeus malware configuration analyzed by Trusteer’s security team,” reports Etay Maor, Trusteer’s fraud prevention solutions manager, “is using Man-in-the-Browser (MitB) techniques to present the user with an advertisement for a mule recruitment site every time the victim accesses CareerBuilder [dot] com. The mule recruitment website in this case is marketandtarget [dot] com.”

Since this all happens on the local infected PC, there is nothing the genuine CareerBuilder site can do. The code is injected into the browser by Zeus – and if the user is tempted and visits the marketandtarget website (currently down, according to Trusteer) then he or she will be invited to apply for an attractive looking position that is just a disguised money mule. One example found by Trusteer is seeking ‘mystery shoppers’ – people who ‘love to shop’. Typically, dirty money would go into the mule’s account, who would then use it to buy expensive and salable goods. Those goods would be sold by the criminals, and ‘clean’ money would go into their accounts.

“By using CareerBuilder as a platform,” explains Maor, “the Zeus operators maximize their outreach to potential mule targets. While HTML injection is typically used for adding data fields or to present bogus messages, in this case we witnessed a rare usage that attempts to divert the victim to a fake job offering. Because this redirection occurs when the victim is actively pursuing a job, in this case with CareerBuilder [dot] com, the victim is more likely to believe the redirection is to a legitimate job opportunity.”

People looking for a job should always remember that while money for little effort is always attractive, it is rarely legal – and it is the money mule rather than the criminal that tends to get caught.

Car thieves found using handheld fobs to hack automatic car locks

A mystery technology is allowing car thieves to pop open automatic car locks over the air using a hand-held device – but police have no idea how they’re managing to do it.

A surveillance video from Long Beach, Calif., captured the device in action, showing two thieves approaching cars parked in driveways and gaining access to them with a handheld device of some kind that appears to function just like a standard key fob. They then rifle through the car and take everything of value.

"This is bad in the sense we're stumped," Long Beach Deputy Police Chief David Hendricks told the Today Show. “We are stumped and we don't know what this technology is."

He added that even the car manufacturers have no idea what’s happening. Typically, the “unlock” button on a key fob sends a one-time encrypted code to the car telling it to open up – by virtue of the dynamically generated code, it should be impossible to clone a key fob. Also, the hack appears to work only on some makes and models. Security video shows the devices failing, for instance, when it comes to Ford SUVs and Cadillacs.

"We've reached out to the car manufacturers, the manufacturers of the vehicle alarm systems: Nobody seems to know what this technology is," Hendricks added. "When you look at the video and you see how easy it is, it's pretty unnerving."

The hack is spreading, too. Home security cameras in Illinois have caught the exact same behavior.

Car security is not a newcomer to the cyberthreat scene, it should be noted. Researchers at the University of Washington and the University of San Diego in 2010 created CarShark, a laptop-based program that can hack into telematics software to control engines, brakes, locks, alerts and more. Meanwhile, at the 2011 BlackHat security conference, iSec Partners unlocked and started a Subaru Outback using only their Android smartphones. By setting up their own GSM network, the researchers snagged authentication passwords by way of text messages. This gained them entry to the vehicle, and also allowed them to fire up the engine.

"It's interesting to see that the researchers have identified that most cars built since the late 1990s have a computer diagnostic port, since this port needs direct physical access to operate and therefore hack", said Barmak Meftah, Fortify Software's chief products officer, speaking to Infosecurity about CarShark. "But now these systems are being wirelessly enabled and held together with several tens of megabytes of code; it's a relatively small step to modify the code and allow hackers an easy and wireless back door into a car's computer system", he added.

As cars get smarter, and more connected, the threats simply increase. That's why last year, McAfee, Ford, Intel and others said that they were working on a way to “protect the dozens of tiny computers and electronic communications systems that are built into every modern car” by uncovering and locking up vulnerabilities.

"It used to be that drivers only had to worry about driving safely, following the rules of the road and maintaining their vehicle, but now vehicle owners have a new issue to worry about: IT security," said Neil DuPaul, a security researcher for Veracode, in a blog post. "Automotive companies are competing for our business, and are looking for ways to set their vehicles apart from all the other options consumers have. Enter connected cars. First introduced in luxury vehicles, these cars offer features that make driving more enjoyable and convenient. These features are becoming more common in cars at all price points, meaning consumers should be aware of the security issues they introduce."
