targets

now browsing by tag


Iran-linked hackers used Microsoft Word flaw against Israeli targets, security firm says

Source: National Cyber Security – Produced By Gregory Evans


Hackers allegedly linked to the Iranian government launched a digital espionage operation this month against more than 250 different Israel-based targets by using a recently disclosed and widely exploited Microsoft Word vulnerability, cybersecurity experts tell CyberScoop.

The hacking group, dubbed OilRig by security researchers and believed to be tied to Iranian intelligence services, utilized a software flaw in Word officially known as CVE-2017-0199 that allows attackers to execute a remote computer intrusion to take full control of a target device while leaving little or no trace, said Michael Gorelik, vice president of Israeli security firm Morphisec.

Over the last month, Morphisec has investigated the incident on behalf of multiple victims. Clients showed forensic evidence on their respective networks that could be linked back to OilRig. After its disclosure in March, CVE-2017-0199 was quickly exploited by nation-states and cybercriminals alike.

John Hultquist, Director of Cyber Espionage Analysis at iSIGHT Partners, confirmed Morphisec’s findings.

“We have recently seen these actors and [other] cyber espionage actors targeting Asia adopt CVE-2017-0199. The vulnerability was a proliferation issue before it was patched, and remains one now,” said Hultquist.

OilRig has been around since at least 2015, according to numerous security industry experts who have watched the group target Israeli networks repeatedly and with varying tactics.

To exploit the Microsoft Word vulnerability, a target must open or preview an infected Microsoft Office or WordPad file, which OilRig sent out in large numbers to hundreds of Israel-based targets, including government agencies and officials. When opened, the attachment designed by OilRig would download the Hancitor trojan, a variant of fileless malware capable of bypassing most security and anti-virus protections.

CVE-2017-0199 was patched earlier this month by Microsoft after an extraordinary nine-month delay from when it was initially communicated to the company privately. Getting the vast ecosystem of Microsoft users to patch machines is a slow and unreliable process, however, so many often remain vulnerable after a patch is published.

Point of initial contact

“The OilRig campaign is a multi-stage kill chain meant to burrow into Israeli critical defense infrastructure,” said Tom Kellermann, CEO of D.C.-based venture capital firm Strategic Cyber Ventures. Kellermann is a major investor in TrapX, another cybersecurity firm that also detected and helped clients defend against the Iranian cyberattack.

The Iranian operation is believed to have started with a series of phishing emails sent to Ben Gurion University employees, although it quickly expanded to include various Israeli technology and medical companies. Ben Gurion University is home to Israel’s Cyber Security Research Center, a scientific institute that develops sophisticated cyber capabilities.

Gorelik said an investigation is ongoing to better understand the full scope of damage caused by the hackers. His firm, Morphisec, posted technical analysis of the attack on Thursday morning.

Investigators were able to identify a series of command and control servers activated by the hackers on April 16, which were subsequently used to launch the offensive cyber operation, according to a notification published Wednesday by Israel’s Computer Emergency Response Team. The first round of phishing emails was sent on April 19 and the last came on April 24. The malware-laden emails carried subject lines relating to nonexistent “resumes, exams and holiday plans,” said Gorelik.

Exploiting CVE-2017-0199 enables an attacker to download and execute a Visual Basic script containing PowerShell commands whenever a vulnerable user opens a document containing an embedded exploit, according to American cybersecurity firm FireEye. Malware payloads executed after the exploit can come from all manner of malware families.

FireEye previously found that various hackers — including both governments and cybercriminals — were using the same CVE-2017-0199 vulnerability to breach a wide array of different victims.

On April 11, researchers at FireEye described an attack exploiting CVE-2017-0199 this way:

1. A threat actor emails a Microsoft Word document to a targeted user with an embedded OLE2 link object.
2. When the user opens the document, winword.exe issues an HTTP request to a remote server to retrieve a malicious HTA file.
3. The file returned by the server is a fake RTF file with an embedded malicious script.
4. Winword.exe looks up the file handler for application/hta through a COM object, which causes the Microsoft HTA application (mshta.exe) to load and execute the malicious script.

“This kind of vulnerability is very rare,” Gorelik said. “There has been progress from this group. This is one of the more advanced fileless campaigns I’ve seen. It was a targeted, large campaign using quite a big infrastructure. It’s fileless, so it’s very hard to detect. They regenerated signatures on the endpoint each and every time for the trojan so it’s very hard to remediate, identify or remove it.”

He added, “this Iranian group is quite advanced I would say.”

The Iran-backed espionage campaign was first revealed in broad terms Wednesday through a vague press announcement issued by the Prime Minister’s Office, claiming that Israel’s newly formed Cyber Defense Authority helped to thwart the attack.

The attacks were “relatively well planned and took considerable resources. It is obvious that there was intelligence gathering prior to the attack and a careful selection of targets — in this case Israeli computing companies,” said Boaz Dolev, CEO of the Israeli security firm ClearSky in an interview with the Israeli newspaper Haaretz.


The post Iran-linked hackers used Microsoft Word flaw against Israeli targets, security firm says appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

How Smartphones Are Becoming Hacking Targets


In the wake of last month’s “Gooligan” attacks, which targeted more than a million Android devices and gained access to the users’ Google accounts, experts are suggesting that a flood of similar smartphone hacking incidents may be on the way.

The post How Smartphones Are Becoming Hacking Targets appeared first on National Cyber Security Ventures.


Dell Security targets small organizations with AI product launch

Dell has launched a new AI-based security solution, Threat Defence, which has been designed specifically for smaller organizations with limited or no IT resource. The new offering utilizes machine learning and AI technologies to prevent threats from entering an organization’s perimeter, as opposed to simply detecting them once inside. Dell claims the new offering stops […]

FireEye acquires Invotas, targets next-gen cyber security with orchestration and automation


FireEye has announced that it has acquired Invotas International, a firm that looks at security automation and orchestration. The firm has not disclosed how much it has paid out in this purchase.

In a post on the company website, CEO Dave DeWalt called the move his firm’s “latest game-changer” and said: “The integration of Invotas’ technologies promises to have a profound effect on a world faced with an escalating threat landscape, addressing critical needs of organizations struggling to keep pace with the advance of cyber attacks.”

Paul Nguyen, Invotas’ chief executive officer, described FireEye as a “perfect fit” for his firm, and said: “The strength of Invotas’ technology centers around its ability to easily integrate into the security ecosystem of an organization and automate key elements of incident response.”

Invotas technology, which allows organisations to consolidate data from multiple sources, will be integrated into FireEye’s platform. Customers will be able to purchase security technology and consolidate it into a customised incident response plan.

Bob Tarzey, Analyst and Director at Quocirca, said: “As FireEye does broaden its product base, and have more products and services, its customers are going to need a way of having a single view of those and […]

For more information go to http://www.NationalCyberSecurity.com, http://www.GregoryDEvans.com, http://www.LocatePC.net or http://AmIHackerProof.com

The post FireEye acquires Invotas, targets next-gen cyber security with orchestration and automation appeared first on National Cyber Security.


Ocwen Financial, homeowners targets of mortgage fraud


State Attorney General Hector Balderas is warning of a “dangerous new scam” that is targeting New Mexicans who are having trouble paying their mortgages. “Do not pay Ocwen mortgage payments by Moneygram in response to ‘Making Home Affordable’ offer letters or calls,” he said in a news release, referring to Ocwen Financial Group. “This is a scam … ”

How it works: Consumers get a letter offering them a “trial payment plan” or loan modification, and they’re given a phone number to make the payments. “Ocwen has investigated the matter and determined that third parties are posing as Ocwen employees to obtain payment from consumers,” the alert says.

Beware if you get a call about this. The callers at times will spoof an Ocwen phone number, often in the 214 area code, Balderas said. Consumers who have questions about their home loan can contact the real Ocwen at 800-746-2936. If you’re hit by the scam, call the AG’s Consumer Protection Division at 505-222-9100 or 1-800-678-1508.

Happy holidays – from the Scrooges, the stealthy scammers and the off-shore Santas who are out in force this season looking to separate you from your money. With a little caution, though, you can avoid a […]


The post Ocwen Financial, homeowners targets of mortgage fraud appeared first on National Cyber Security.


Gameover ZeuS Trojan Targets Users of Monster.com Employment Portal

Zeus is one of the most widespread families of banking Trojans. It was also used in a targeted malware campaign against a Salesforce.com customer at the end of last month, where researchers found that the new variant has web crawling capabilities used to grab sensitive business data from that customer’s CRM instance.

‘GameOver’ is a variant of the Zeus financial malware that spreads via phishing emails. Once installed on a system, GameOver Zeus makes fraudulent transactions from the victim’s bank account. It can also conduct Distributed Denial of Service (DDoS) attacks using a botnet, in which multiple computers flood the financial institution’s server with traffic in an effort to deny legitimate users access to the site.

Now a new variant of GameOver Zeus has been spotted targeting users of popular employment websites with social engineering attacks, designed to fetch additional private information about the victims that could be used to bypass multi-factor authentication mechanisms on other websites or services.

The new variant can use complex web injections and perform a Man-In-The-Browser (MITB) attack, meaning it is capable of infecting a web browser to modify web pages, alter web content or insert additional content, all in a completely covert fashion invisible to both the user and the web host, even when other authentication-factor solutions are in use.

Initially the new variant of the GameOver Zeus Trojan targeted ‘CareerBuilder.com’, the largest employment website in the US, but researchers at F-Secure have now come across the same variant targeting one of the world’s largest employment websites, ‘Monster.com’. Victims are served a fake login page that looks like the legitimate page (hiring.monster.com) of the website. Once the victim logs in, they are directed to a web page injected by the malware.

The web page serves 18 different security questions to choose from, which are nothing but the common security questions that various websites ask, from webmail services to financial ones. The list is given below:

• In what City / Town does your nearest sibling live?
• In what City / Town was your first job?
• In what city did you meet your spouse/significant other?
• In what city or town did your mother and father meet?
• What are the last 5 digits / letters of your driver’s license number?
• What is the first name of the boy or girl that you first dated?
• What is the first name of your first supervisor?
• What is the name of the first school you attended?
• What is the name of the school that you attended aged 14-16?
• What is the name of the street that you grew up on?
• What is the name of your favorite childhood friend?
• What is the street number of the first house you remember living in?
• What is your oldest sibling’s birthday month and year? (e.g., January 1900)
• What is your youngest sibling’s birthday?
• What month and day is your anniversary? (e.g. January 2)
• What was the city where you were married?
• What was the first musical concert that you attended?
• What was your favorite activity in school?

The researchers warned HR recruiters with accounts on the website to be on the lookout for any such irregularities.

Source: http://whogothack.blogspot.co.uk/2014/04/gameover-zeus-trojan-targets-users-of.html#.Vl4DA1UrLIU

The post Gameover ZeuS Trojan Targets Users of Monster.com Employment Portal appeared first on Am I Hacker Proof.


The world’s richest countries agree that hacking industrial targets for profit isn’t right


The world’s richest nations have agreed for the first time to abstain, in principle, from hacking for commercial gain. At the G20 conference attended by countries including the US, China, Russia, France, and Germany, world leaders agreed that “no country should conduct or support [computer]-enabled theft of intellectual property […] with the intent of providing competitive advantages to companies or commercial sectors.” This is by no means a legally binding agreement, but some argue that it gives countries justification if they want to react to future acts of economically-motivated hacking. “Words have an effect, and people have now committed not to do this,” cyber-policy expert James A. Lewis told The Washington Post, adding that if a country breaks the promise “you respond,” for example, with economic sanctions. However, past evidence suggests that it’s economic threats like these — rather than publicly-announced agreements — that carry the real weight, and even then, such warnings can go ignored. The case in point is the ongoing dispute over economic espionage between the US and China, with claims earlier this year that Chinese hackers linked to the country’s military had targeted more than a hundred American companies, including Coca-Cola and the security firm RSA. In September, the […]


The post The world’s richest countries agree that hacking industrial targets for profit isn’t right appeared first on National Cyber Security.


TalkTalk hack: industry hits back after Daily Mail targets ‘gaming addict’


The gaming industry has hit back after the Daily Mail claimed a suspect arrested in connection with the TalkTalk hack was a “violent video game addict”. UKIE, the UK’s games industry body, told WIRED that there was “no link between addiction or antisocial behaviour” and playing games in a “balanced” way.

After TalkTalk was hit by a major cyberattack — its second this year — a teenage boy from Northern Ireland was arrested on Monday and charged with offences under the Computer Misuse Act. Although the teenager, who cannot be named, has been released on bail and authorities are still investigating whether he has any connection to the ransom demands sent to TalkTalk, he has become the figurehead for one of the UK’s most significant data breaches. And his actions are already being linked to violent video games.

“Games are played by millions of people safely and sensibly every day and the games industry takes its responsibility towards players, especially younger ones, seriously,” Dr Jo Twist, CEO of UKIE, said in response to the Daily Mail’s claims. “Just like any other mature medium, games deal with adult themes, but the PEGI age ratings are robust and there to guide parents and children around what content is appropriate for different ages.”

Source: http://www.wired.co.uk/news/archive/2015-10/28/talktalk-hacker-gamer-blame-daily-mail


The post TalkTalk hack: industry hits back after Daily Mail targets ‘gaming addict’ appeared first on National Cyber Security.


Retirees Prime Targets for Identity Theft


Well, one thing’s for sure: A disproportionate percentage of identity theft complaints come from people 50-plus (though I’m sure some readers would hardly consider 50-somethings to be seniors—but you get the point). Some scammers go after seniors because they know that many older people have a lot of money saved up. And it’s also no secret that many seniors aren’t as sharp as they used to be, and also are not caught up on technology.

Some common scams that target the elderly:

• A caller pretending to be “your favorite grandson.” This lures the victim into announcing the name of that grandson, and then the crook identifies himself by that name. If the victim has hearing loss, he can’t tell that the caller’s voice doesn’t sound like his grandson. The caller then gives a sob story and asks Gramps to wire him some money.
• Retirement home employees access resident records for their Social Security numbers and other data, then sell these to crooks.
• An e-mail supposedly from the victim’s bank (or IRS or FBI) warns them that something is wrong and that they must act immediately to resolve the issue—and the action involves typing in their Social Security number, bank login […]


The post Retirees Prime Targets for Identity Theft appeared first on National Cyber Security.


New England prep school rape defendant had list of targets: friend

Friends of a former student at an elite New Hampshire prep school who is on trial for allegedly raping a younger student described in court testimony on Monday a young man who had made a list of girls he wanted to have sex with before graduation.

Prosecutors have said Owen Labrie, now 19, took a 15-year-old girl to the roof of a campus building before sexually assaulting her in a machine room at St. Paul’s School in May 2014, shortly before graduation.

The 15-year-old girl’s name was marked all in caps on a list Labrie shared with friends of girls he intended to “slay,” a slang term used by students at the boarding school used to refer to sex, according to e-mails prosecutors submitted as evidence on Monday.


The post New England prep school rape defendant had list of targets: friend appeared first on Parent Security Online.
