Red October espionage platform unplugged hours after its discovery

Key parts of the infrastructure supporting an espionage campaign that targeted governments around the world reportedly have been shut down in the days since the five-year operation was exposed.

The so-called Red October campaign came to light on Monday in a report from researchers from antivirus provider Kaspersky Lab. It reported that the then-ongoing operation was targeting embassies as well as governmental and scientific research organizations in a wide variety of countries. The research uncovered more than 60 Internet domain names used to run the sprawling command and control network that funneled malware and received stolen data to and from infected machines. In the hours following the report, many of those domains and servers began shutting down, according to an article posted Friday by Kaspersky news service Threatpost.

"It's clear that the infrastructure is being shut down," Kaspersky Lab researcher Costin Raiu told the service. "Not only the registers killing the domains and the hosting providers killing the command-and-control servers but perhaps the attackers shutting down the whole operation."


Air Force’s cyber commander says Iran is next big ’Net menace

General William Shelton, commander of the US Air Force Space Command, told reporters in a press briefing for the Defense Writers Group that he believes Iran's growing "cyber" capabilities will be a "force to be reckoned with," thanks in part to Iran's response to the Stuxnet attacks on its nuclear facilities in 2010.

"It's clear that the Natanz situation generated reaction by them," Shelton told reporters, referring to the nuclear facility where Stuxnet crippled centrifuges. "They are going to be a force to be reckoned with, with the potential capabilities that they will develop over the years and the potential threat that will represent to the United States."

Shelton, who oversees the Air Force's own cyberwarfare operations, the 24th Air Force, is pushing for more expansion of Air Force communications. Current plans from the Defense Department's Cyber Command—the joint command responsible for coordinating the military's offensive and defensive network operations—call for an additional 1,000 civilian employees to the Air Force's network operations and security workforce over the next two years. The Air Force's "cyber professionals" currently number about 6,000.


Critical Java vulnerabilities confirmed in latest version

Security researchers have confirmed that the latest version of Oracle's Java software framework is vulnerable to Web hacks that allow attackers to install malware on end users' computers.

"We have successfully confirmed that a complete Java security sandbox bypass can be still gained under the recent version of Java 7 Update 11 (JRE version 1.7.0_11-b21)," Adam Gowdiak, CEO of Poland-based Security Explorations, wrote in an advisory posted Friday to the Full Disclosure mailing list. "As a result, two new security vulnerabilities (51 and 52) were spotted in a recent version of Java SE 7 code and they were reported to Oracle today (along with a working Proof of Concept code)."

Gowdiak's advisory comes a few days after researchers from security firms Trend Micro and Immunity Inc. independently reported that the emergency patch Oracle released on Sunday was incomplete. While attacks actively waged online last week exploited two vulnerabilities in an older version to surreptitiously install malware on computers that browsed to malicious websites, Java 7 Update 11 fixed only one of them, those researchers said. On Wednesday, KrebsOnSecurity reported that exploit code for that version was being sold in underground Internet forums.


The Future of Hacktivism and Anonymous

After the publication of the 2013 Threats Predictions from McAfee Labs, I have received many queries regarding our expectation of a possible slowdown in Anonymous activity this year. Some readers agreed, while others were more skeptical. With this blog, I will attempt to explain these positions.

The Anonymous signature
Today, many people use the Anonymous banner. It is more and more difficult to identify the true actors of this brand of hacktivism. In the following image (which appears to be from a French maker of false papers: “certified counterfeiter/fake document wholesaler”), we see the Anonymous logo used by cybercriminals.


“Anonymous” also appeared with a bomb threat on November 5, 2012. Last February, we saw an attempt to extort US$50,000 from Symantec by Yamatough, a hacker claiming sympathy for Anonymous and Antisec. Some researchers were very suspicious regarding the real motivation.

Consequently, some researchers claim Anonymous is now a universal banner for all kinds of campaigns to misinform and brainwash, and that with its image damaged its notoriety will decline. On the other hand, other researchers say that with #OpWCIT, #WBC, #SandyShooting, and #AaronSwartz, Anonymous has become even more visible.

In 2012 we noted various alleged Anonymous operations that were not just unclear but fake. On November 5, Anonymous threatened Facebook and Zynga; nothing serious occurred. In September, a tweet claimed responsibility for an attack after GoDaddy was unable to serve millions of websites hosted on its servers. The failure was in fact caused by a series of internal network events that corrupted router data tables. The same month, Antisec claimed to have stolen 12 million Apple device identifiers from the computer of an FBI agent. In fact, this data came from the app-publishing company BlueToad.

Some say Anonymous is eroding its credibility with such efforts. For example, they point the finger at @AnonymousOwn3r, who likes to spread such misinformation. Others are more cautious, wondering, for example, if they can believe BlueToad.

Confused or uncoordinated actions?
December was announced as the month of a leak of “an unprecedented amount” of data (Project Mayhem). In the fourth quarter, YouTube became saturated with hundreds of Project Mayhem’s call-to-action videos, mainly appealing to those who wanted to expose corruption and/or to support the hacktivist cause. As reported by the, it may be hard to determine who is associated with the Anonymous group or with any other “establishment”-related entities set up solely to gather information on participants and to entrap those who are actively leaking information. Leaked data were said to be available via TYLER, a Wikipedia-style peer-to-peer network reachable after the installation of some dedicated software. Today, it is difficult to measure the significance of this platform.

The lack of results is sometimes considered detrimental to the reputation and image of Anonymous. Many uncoordinated operations such as DDoS are launched for just one day but never succeed over the long term. (The targeted companies recover within a day.) Yet the other side will say these are uncoordinated efforts for certain ops, but that doesn’t mean Anonymous is in decline.

Too many script kiddies and opportunists?
We also noted some thought-provoking arrests in 2012:

  • Sabu (Q1), who cooperated with the police
  • CabinCr3w members (Q2): This one was not very serious, using an image of his girlfriend for his claims
  • TriCk (TeaMp0isoN leader), 17 years old (Q2): A curious choice as an “Anonymous” member who appears more kid than terrorist

Are these arrests a sign of immaturity or a sign of gradual decay? What are their real motivations?
Some will say the arrests lead only to script kiddies. Others will mention Barrett Brown and add that arrests have made Anonymous more cautious but certainly not silent.

The need of another name?
In some recent attacks, the claims were not made solely by Anonymous, but also by groups called Parastoo—after breaking into the International Atomic Energy Agency server—or NullCrew—which claimed responsibility for multiple computer attacks against corporations, educational institutions, and government agencies. Perhaps for these people, calling themselves Anonymous and nothing more may now be inadequate to meet their goals? Here, like me, some researchers will explain that if you need to use your own pseudonym or a group name, you cease to be a real Anonymous member. Others will reply that there has always been alignment between Anonymous and other groups.

Reinforcement of other actors
Anonymous is just one aspect of hacktivism. Without the Anonymous banner, people with strong political motivation, long-term dedication, or high-level hacking techniques will create significant actions in the future. Some will defend their ideas of freedom, like the French hacktivists supporting people fighting against the new French Notre Dame des Landes airport. Others (which we call cyberarmies) will convey extremist ideas from nondemocratic countries. For example, do not confuse Anonymous with The Izz ad-Din al Qassam Cyber Fighters, the group responsible for the recent attacks on banks in the United States (Operation Ababil).

Several successes in 2012
Despite many discontinued operations, Anonymous enjoyed condemning the Megaupload closure (OpMegaUpload in Q1), demonstrating in European streets and online against SOPA, PIPA, ACTA, etc. (Q1) and in London on November 5, and attacking the Westboro Baptist Church group after the Connecticut massacre (Q4).

Decline or second era?
In my last whitepaper on hacktivism (page 31), I included a diagram explaining where hacktivism is headed:


It seems to me that Anonymous in its current form (first era) will have difficulty surviving. Those in it “for the lulz” are taking a step backward. For the present, this step may be the most significant movement in the group, because the movements of “Real political consciousness” and “Cooperation” are still in their early stages. Anonymous in its second era has not yet appeared. That is why we predicted a decline in 2013. By next year, we should know whether Anonymous (second era) has appeared or whether the movement morphs into another hacktivist group such as “Cyberoccupiers.”