Attackers sign malware using crypto certificate stolen from Opera Software

Hackers penetrated network servers belonging to Opera Software, stole at least one digital certificate, and then used it to distribute malware that incorrectly appeared to be published by the browser maker.

The attack was uncovered, halted, and contained on June 19, according to a short advisory that Opera published Wednesday morning. While administrators have cleaned the system and have yet to find any evidence of any user data being compromised, the breach still had some troubling consequences.

"The attackers were able to obtain at least one old and expired Opera code signing certificate, which they have used to sign some malware," Wednesday's advisory stated. "This has allowed them to distribute malicious software which incorrectly appears to have been published by Opera Software or appears to be the Opera browser. It is possible that a few thousand Windows users, who were using Opera between June 19 from 1.00 and 1.36 UTC, may automatically have received and installed the malicious software."


Norton Mobile Insight Discovers Facebook Privacy Leak

Today we released a new version of Norton Mobile Security for Android devices that contains our new Norton Mobile Insight technology. Mobile Insight has analyzed over 4 million Android applications and processes tens of thousands of new applications every day. Through automatic and proprietary static and dynamic analysis techniques, Mobile Insight is able to automatically discover malicious applications, privacy risks, and potentially intrusive behavior. Further, Mobile Insight will tell you exactly what risky behavior an application will perform and give you specific, relevant, and actionable information.

The ability of Mobile Insight to automatically provide granular information on the behavior of any Android application even surprised us when we reviewed the most popular applications exhibiting privacy leaks. 

Of particular note, Mobile Insight automatically flagged the Facebook application for Android because it leaked the device phone number. The first time you launch the Facebook application, even before logging in, your phone number will be sent over the Internet to Facebook servers. You do not need to provide your phone number, log in, initiate a specific action, or even need a Facebook account for this to happen. 

According to Google Play, hundreds of millions of devices have installed the Facebook application and a significant portion of those devices are likely affected.

We reached out to Facebook who investigated the issue and will provide a fix in their next Facebook for Android release. They stated they did not use or process the phone numbers and have deleted them from their servers. 

Unfortunately, the Facebook application is not the only application leaking private data or even the worst. We will continue to post information about risky applications to this blog in the upcoming weeks.

In the meantime, if you wish to verify if your Facebook app or other applications are leaking private information, you can download Norton Mobile Security with Norton Mobile Insight and scan your device. You may be surprised at what your applications are leaking about you.

Four Years of DarkSeoul Cyberattacks Against South Korea Continue on Anniversary of Korean War

Yesterday, June 25, the Korean peninsula observed a series of cyberattacks coinciding with the 63rd anniversary of the start of the Korean War. While multiple attacks were conducted by multiple perpetrators, one of the distributed denial-of-service (DDoS) attacks observed yesterday against South Korean government websites can be directly linked to the DarkSeoul gang and Trojan.Castov.

We can now attribute multiple previous high-profile attacks to the DarkSeoul gang over the last 4 years against South Korea, in addition to yesterday’s attack. These attacks include the devastating Jokra attacks in March 2013 that wiped numerous computer hard drives at South Korean banks and television broadcasters, as well as the attacks on South Korean financial companies in May 2013.

Conducting DDoS attacks and hard disk wiping on key historical dates is not new for the DarkSeoul gang. They previously conducted DDoS and wiping attacks on the United States Independence Day as well.
[Figure 1. Four years of DarkSeoul activity]

The DarkSeoul gang’s attacks tend to follow similar methods of operation. Trademarks of their attacks include:

  • Multi-staged, coordinated attacks against high-profile targets in South Korea
  • Destructive payloads, such as hard disk wiping and DDoS attacks configured to trigger on historically significant dates
  • Overwriting disk sectors with politically-themed strings
  • Use of legitimate third-party patching mechanisms in order to spread across corporate networks
  • Specific encryption and obfuscation methods
  • Use of specific third-party webmailer servers to store files
  • Use of similar command-and-control structures

The attacks conducted by the DarkSeoul gang have required intelligence and coordination, and in some cases have demonstrated technical sophistication. While nation-state attribution is difficult, South Korean media reports have pointed to an investigation which concluded the attackers were working on behalf of North Korea. Symantec expects the DarkSeoul attacks to continue and, regardless of whether the gang is working on behalf of North Korea or not, the attacks are both politically motivated and have the necessary financial support to continue acts of cybersabotage on organizations in South Korea. Cybersabotage attacks on a national scale have been rare—Stuxnet and Shamoon (W32.Disttrack) are the other two main examples. However, the DarkSeoul gang is almost unique in its ability to carry out such high-profile and damaging attacks over several years.
[Figure 2. Castov DDoS attack]

The Castov DDoS attack occurs in the following manner:

  1. Compromised website leads to the download of SimDisk.exe (Trojan.Castov), a Trojanized version of a legitimate application.
  2. SimDisk.exe drops two files onto the compromised system: SimDisk.exe (Clean), the legitimate non-Trojanized version, and SimDiskup.exe (Downloader.Castov).
  3. Downloader.Castov connects to a second compromised server to download the C.jpg file (Downloader.Castov), an executable file which appears to be an image.
  4. Threat uses the Tor network to download Sermgr.exe (Trojan.Castov).
  5. Castov drops the Ole[VARIABLE].dll file (Trojan.Castov) in the Windows system folder.
  6. Castov downloads the CT.jpg file from a Web server hosting ICEWARP webmail that has been compromised through publicly known vulnerabilities in ICEWARP. The CT.jpg file contains a timestamp that Castov uses to synchronize the attacks.
  7. Once this time is reached, Castov drops Wuauieop.exe (Trojan.Castdos).
  8. Castdos begins to overload the Gcc.go.kr DNS server with DNS requests, effectively performing a DDoS attack affecting multiple websites.
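Steps 3 and 6 above rely on executables and data files that carry a .jpg name. The following is an added example, not code from the Symantec post: a Python check that flags files with an image extension whose leading bytes are actually a DOS/PE executable header, which is the kind of mismatch a download proxy or file-scanning pipeline can alert on. The sample bytes are constructed for the example, not taken from Castov.

```python
import struct

# Leading bytes that identify the formats relevant to this download chain
JPEG_MAGIC = b"\xff\xd8\xff"   # JPEG/JFIF start-of-image marker
DOS_MAGIC = b"MZ"              # DOS stub that starts every Windows PE file
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif")


def classify_content(data: bytes) -> str:
    """Infer the real content type of a file from its leading bytes."""
    if data.startswith(JPEG_MAGIC):
        return "jpeg"
    if data.startswith(DOS_MAGIC) and len(data) >= 0x40:
        # The DOS header stores the offset of the 'PE\0\0' signature at 0x3C
        pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
        if data[pe_offset:pe_offset + 4] == b"PE\x00\x00":
            return "pe-executable"
        return "dos-executable"
    return "unknown"


def is_disguised_executable(filename: str, data: bytes) -> bool:
    """True when a file named like an image actually carries executable code."""
    looks_like_image = filename.lower().endswith(IMAGE_EXTENSIONS)
    return looks_like_image and classify_content(data).endswith("executable")


def flag_downloads(files: dict) -> list:
    """Return the names of downloaded files whose content contradicts their extension."""
    return sorted(name for name, data in files.items()
                  if is_disguised_executable(name, data))


def make_fake_pe() -> bytes:
    """Constructed minimal DOS stub plus PE signature; not a runnable binary."""
    header = bytearray(DOS_MAGIC + b"\x00" * 0x3A)   # pad up to offset 0x3C
    header += struct.pack("<I", 0x40)                 # e_lfanew -> PE header at 0x40
    header += b"PE\x00\x00" + b"\x00" * 20            # PE signature and padding
    return bytes(header)


if __name__ == "__main__":
    # Constructed sample: one real-looking JPEG and one executable named as an image
    sample = {"photo.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF", "C.jpg": make_fake_pe()}
    print(flag_downloads(sample))
```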

Can Apple read your iMessages? Ars deciphers “end-to-end” crypto claims

Ever since the National Security Agency's secret surveillance program came to light three weeks ago, implicated companies have issued carefully worded statements denying that government snoops have direct or wholesale access to e-mail and other sensitive customer data. The most strenuous denial came 10 days ago, when Apple said it took pains to protect personal information stored on its servers, in many cases by not collecting it in the first place.

"For example, conversations which take place over iMessage and FaceTime are protected by end-to-end encryption so no one but the sender and receiver can see or read them," company officials wrote. "Apple cannot decrypt that data. Similarly, we do not store data related to customers’ location, Map searches or Siri requests in any identifiable form."

Some cryptographers and civil liberties advocates have chafed at the claim that even Apple is unable to bypass the end-to-end encryption protecting them. After all, Apple controls the password-based authentication system that locks and unlocks customer data. More subtly, but no less important, cryptographic protections are highly nuanced things that involve huge numbers of moving parts. Choices about the types of keys that are used, the ways they're distributed, and the specific data that is and isn't encrypted have a huge effect on precisely what data is and isn't protected and under what circumstances.
