Apr 30 2014

Cybercrime ‘Highlights’ of First Quarter 2014

As a supplement to the next McAfee Labs Threats Report, which will appear next month, we offer this timeline of leading cybercrime events that made news in the first quarter of 2014.

2014 Q1 cybercrime timeline

  • January 2: A systems administrator at the Monju fast breeder reactor facility in Japan notices suspicious connections emanating from a machine in the control room, coinciding with what was meant to be a routine software update to a free media player.[1] Context Information Security names the attack, which is based on a Gh0st RAT variant, the Monju Incident.
  • January 6: McAfee Labs describes a new Pony botnet variant (Backdoor-FJW) that attempts to steal Bitcoin wallets from infected systems.[2]
  • January 16: Unknown hackers breach the website of Orange France. Details of up to 800,000 customers of the multinational telecommunications company are compromised.[3]
  • January 17: Researchers at Qihoo 360 and Dr.Web announce the first Android bootkit. Android.Oldboot modifies a device’s boot partition and boot script to launch a system service and extract a malicious application early in the system’s startup. It is aimed at Android devices in China, where 92% of victims are located.[4]
  • January 22: Romanian authorities arrest Guccifer, a 40-year-old hacker suspected of breaching the social media and email accounts of several high-level individuals, including members of the Bush and Rockefeller families, officials of the Obama administration, former US Secretary of State Colin Powell, and George Maior, the head of the Romanian Intelligence Service SRI.[5]
  • January 28: McAfee Labs reminds mobile users that scammers still target Japanese smartphones using apps (Android/BadPush, Android/OneClickFraud) that lead their owners to malicious one-click-fraud websites.[6] Other adult-oriented apps (Android/PhimSms) target Vietnamese users.[7]
  • February 4: Adobe releases an out-of-band security update for Flash Player addressing a critical remote code execution vulnerability, CVE-2014-0497, that is being exploited in the wild.[8]
  • February 4: German prosecutors arrest three suspects in the Netherlands. The alleged criminals are said to have stolen US$45 million from ATMs in 27 countries between December 2012 and February 2013 using stolen prepaid MasterCard debit card numbers.[9]
  • February 10: Kaspersky Lab announces the discovery of Careto (also known as The Mask), a cyberespionage campaign whose malware has infected victims across large parts of the globe.[10] McAfee Labs also details the attack.[11]
  • February 11: A new, unpatched vulnerability in Microsoft Internet Explorer 10, CVE-2014-0322, is found being exploited in the wild. FireEye reports that it is used in a watering-hole attack (Operation SnowMan) targeting visitors to the official website of the US Veterans of Foreign Wars.[12]
  • February 13: FireEye identifies a zero-day exploit for Adobe Flash Player, CVE-2014-0502, that affects the then-current version of the player. The exploit is used in Operation GreedyWonk, which hits several nonprofit and research organizations.[13]
  • February 17: Researchers at Malwarebytes analyze a new variant of the banking Trojan ZeusVM, first spotted by Xylitol on January 15. The crimeware uses steganography to hide its configuration inside a digital photo: the image carries the configuration as Base64-encoded data that is further obfuscated with RC4 and XOR. The variant targets popular financial institutions including Barclays, Deutsche Bank, and Wells Fargo.
  • February 28: Security experts at G Data say they have discovered a very complex and sophisticated rootkit designed to steal confidential data from targeted organizations and exfiltrate it. Uroburos takes its name from the mythical serpent or dragon that eats its own tail and from a string concealed deep within the malware’s code: Ur0bUr()sGotyOu#. The authors appear to speak Russian, and G Data links them to the group behind the 2008 Agent.BTZ attack on US military networks.[14]
  • March 3: A McAfee Labs researcher describes Android/BadInst.A, a suspicious app on Google Play that downloads, installs, and launches other apps from Google Play with virtually no user interaction.[15]
  • March 3: Researchers at Team Cymru publish a white paper about a pharming attack hitting more than 300,000 small office/home office (SOHO) routers around the world (Asus, D-Link, Cisco, Linksys, Micronet, Netgear, Tenda, TP-Link). By exploiting various vulnerabilities to overwrite the routers’ DNS server settings, the attackers redirected victims’ name resolution, and with it their traffic, to servers and domains under their control.[16]
  • March 8: Cybercriminals exploit the disappearance of Malaysia Airlines Flight 370, using scam messages about the flight to infect users with malware.
  • March 11: Russian-Moroccan hacker Farid Essebar, known online as Diabl0, is arrested in Bangkok.[17] He is suspected of having compromised computer systems and websites belonging to Swiss banks, causing damage of more than US$4 billion. Essebar had previously been arrested in August 2005 for offenses related to the creation and distribution of W32/Zotob and was sentenced to two years in prison.[18]
  • March 20: Microsoft warns of a zero-day vulnerability in Word, CVE-2014-1761, that is being actively exploited in targeted attacks; it was discovered by the Google security team. The remote code execution vulnerability is triggered by a malicious Rich Text Format (RTF) file.[19]
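The ZeusVM entry above describes a configuration hidden in a JPEG as Base64-encoded data further obfuscated with RC4 and XOR. The Python below is an added example, not code from the original post or from the malware itself, of how an analyst recovers such a trailer: it walks the JPEG marker segments to find the real end-of-image marker (a plain search for the first FF D9 stops at an EXIF thumbnail's EOI and misses the payload), takes whatever follows the image, and peels the encoding layers off. The carrier image, the configuration string, the RC4 and XOR keys, and the order of the layers (XOR, then RC4, then Base64) are all assumptions made for illustration; the page does not give ZeusVM's actual keys or layer order.

```python
import base64
from typing import Optional

# Keys assumed for this example only; the real ZeusVM keys are not on the page.
RC4_KEY = b"example-rc4-key"
XOR_KEY = bytes([0x5A, 0xC3, 0x3C, 0xA5])
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA then PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; also symmetric."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def jpeg_end_offset(buf: bytes) -> int:
    """Walk the marker segments and return the offset just past the real EOI.
    Anything at or beyond that offset is not image data: that is where appended payloads live."""
    if not buf.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos, n = 2, len(buf)
    while pos + 2 <= n:
        if buf[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = buf[pos + 1]
        if marker == 0xFF:                                # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                                # EOI: the image really ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:      # TEM / RSTn carry no length field
            pos += 2
            continue
        if pos + 4 > n:
            raise ValueError("truncated segment header")
        seglen = int.from_bytes(buf[pos + 2:pos + 4], "big")
        pos += 2 + seglen                                 # the length field counts itself
        if marker == 0xDA:                                # SOS: entropy-coded data follows
            # In scan data 0xFF is always followed by 0x00 (byte stuffing) or an RSTn
            # marker, so the first other FF xx pair is a real marker (normally EOI).
            while pos + 1 < n:
                nxt = buf[pos + 1]
                if buf[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def naive_end_offset(buf: bytes) -> int:
    """The shortcut many one-off scripts use: first FF D9 in the file.
    It stops at an EXIF thumbnail's own EOI and so misses the real trailer."""
    return buf.find(JPEG_EOI) + 2


def make_sample_jpeg() -> bytes:
    """Constructed carrier: structurally a JPEG, not a decodable picture."""
    def seg(marker: int, payload: bytes) -> bytes:
        return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload
    thumb = JPEG_SOI + b"\x00" * 4 + JPEG_EOI             # embedded thumbnail with its own EOI
    app1 = seg(0xE1, b"Exif\x00\x00" + thumb)
    sos = seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    scan = b"\x12\xff\x00\x34\xff\xd0\x56\x78"             # stuffed FF 00 and an RST0 in the scan
    return JPEG_SOI + app1 + sos + scan + JPEG_EOI


def hide_config(jpeg: bytes, config: bytes) -> bytes:
    """Append the obfuscated configuration after the image (layer order is an assumption)."""
    return jpeg + base64.b64encode(rc4(RC4_KEY, xor_bytes(config, XOR_KEY)))


def extract_config(jpeg: bytes) -> Optional[bytes]:
    """Recover the configuration, or None when nothing follows the real EOI."""
    trailer = jpeg[jpeg_end_offset(jpeg):]
    if not trailer:
        return None
    return xor_bytes(rc4(RC4_KEY, base64.b64decode(trailer, validate=True)), XOR_KEY)


if __name__ == "__main__":
    config = b"target=*.example-bank.test/login*;inject=form.html"   # constructed sample
    stego = hide_config(make_sample_jpeg(), config)
    print("clean image   :", extract_config(make_sample_jpeg()))
    print("stego image   :", extract_config(stego))
    print("naive vs walked end offset:", naive_end_offset(stego), jpeg_end_offset(stego))
```

In triage the useful signal is simply that `jpeg_end_offset` is smaller than the file: a well-formed image with bytes after its EOI is worth a closer look whatever the encoding turns out to be, and the segment walk is what keeps EXIF thumbnails and stuffed bytes inside the scan from producing false positives.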


The post Cybercrime ‘Highlights’ of First Quarter 2014 appeared first on McAfee.

Apr 30 2014

Hacks on widely used traffic control gear could cause gridlock and chaos

Hacks that allow spies, villains, or terrorists to manipulate traffic signals may seem like the exclusive province of action movies, but a well-known security researcher says they're not as far-fetched as many people may think.

Cesar Cerrudo of security penetration testing firm IOActive said he has identified more than 50,000 devices in New York, Washington DC, Los Angeles, and cities in at least seven countries around the world that can be hacked using inexpensive gear that's easy and—at least in the US—legal to obtain and operate. The equipment Cerrudo used included a drone flying at heights of 650 feet and radio hardware that sells for $100. With more sophisticated transmitters, antennas, and other hardware, he said an attacker could be as far away as two miles from the targeted signals.

In a blog post published Wednesday, he wrote:


Apr 30 2014

US State Department adopting social media to counter Al-Qaeda propaganda

The State Department revealed Wednesday that it is widely employing social media to counter online violent extremist propaganda from Al-Qaeda and others.

Buried in an intelligence report published Wednesday, the government said that the Center for Strategic Counterterrorism Communications (CSCC), established in 2011, last year produced more than 10,000 online postings globally, some of which included one of 138 government-produced videos.

"CSCC's programs draw on a full range of intelligence information and analysis for context and feedback. CSCC counters terrorist propaganda in the social media environment on a daily basis, contesting space where AQ and its supporters formerly had free rein. CSCC communications have provoked defensive responses from violent extremists on many of the 249 most popular extremist websites and forums as well as on social media," said the document, Country Reports on Terrorism 2013 (PDF).


Apr 30 2014

Microsoft Confirms Internet Explorer 0-Day

So during the past weekend, Microsoft confirmed an Internet Explorer 0-day that is actually being used in targeted online attacks (Microsoft Security Advisory: “Vulnerability in Internet Explorer Could Allow Remote Code Execution”). It will be interesting to see if they push an out-of-band patch for this one or just wait for the next Patch Tuesday. It’s [...]

Read the full post at darknet.org.uk