
Threat Weekly – A Situational Awareness Report from our Technical Security Team

Volume 2, Issue 10 – 8 March 2012

ThreatCon 1: Normal

"There is no such thing as perfect security. Bad guys are compromising companies that have made expensive, responsible, and sustained efforts to defend their infrastructure. Security breaches are inevitable. When they occur — whether a small compromise or a massive intrusion — you want to be armed and prepared." (Mandiant M-Trends 2012)

TOP OF THE NEWS


Global Arrests And Charges Against Members of LulzSec and Anonymous Hacking Groups

Hector Xavier Monsegur (a/k/a “Sabu,” a/k/a “Xavier DeLeon,” a/k/a “Leon”) and five co-conspirators were arrested this morning in connection with hacks under the banners of Anonymous, Internet Feds and LulzSec. Sabu pleaded guilty to 12 counts in the indictment, having cooperated with the FBI since June 7, 2011. He faces a maximum sentence of 124 years and 6 months in prison. The FBI broke down Sabu's activities into sections based on his affiliations with different groups over the last two years.

Count one charges him with Conspiracy to Engage in Computer Hacking during his association with Anonymous from December 2010 through early 2011. This includes participating in the DDoS attacks against MasterCard, Visa and PayPal; DDoSing, hacking and defacing computers owned by the Tunisian government; DDoSing Algerian government websites; DDoSing and hacking Yemeni government websites; and breaking into Zimbabwe government websites and attempting to steal confidential email.

Count two charges Sabu with Conspiracy to Engage in Computer Hacking during his escapades with an Anonymous splinter group called Internet Feds. He admits to hacking HB Gary and HB Gary Federal; stealing confidential information, emails, and data from rootkit.com; and defacing Aaron Barr's Twitter account. Other crimes committed by Internet Feds include unauthorized access to systems at publisher The Tribune Company and unauthorized access to systems at Fox Broadcasting, resulting in publication of personal information about aspiring contestants for Fox's X-Factor.

The third count includes the charges related to Sabu's activities while heading up LulzSec (Lulz Security). Sabu's LulzSec co-conspirators include Kayla, Topiary, TFlow, Pwnsauce and AVUnit. The third count includes the attack on PBS after it aired a Frontline episode about Bradley Manning and the WikiLeaks saga. Sabu next targeted Sony Pictures, gaining unauthorized access and stealing confidential data. Around the same time he began targeting Sony Music based on a tip on a vulnerability from a LulzSec supporter. He proceeded to compromise Sony Music Belgium and Sony Music The Netherlands and steal data, including upcoming release dates for albums they publish. He also passed along a vulnerability found in Sony Music Russia to other members of the group. Sabu also admitted to hacking FBI affiliate Infragard Atlanta and security firm Unveillance. He thieved usernames, passwords and confidential data; defaced the Infragard website; and stole the emails of Unveillance's CEO. Other charges under the third count are hacking the US Senate's website based on a tip about a vulnerability and stealing confidential data, as well as compromising software firm Bethesda Software and publishing stolen usernames, passwords and emails.

The incidents sparking the first three counts have already been reported by the media, but count four is where the story starts to get interesting. Those who have supported these groups' efforts and given them attention on Twitter and elsewhere should be advised that Sabu was not just in it for the lulz.

Count four charges Sabu with Computer Hacking in Furtherance of Fraud. He hacked into the computers of an auto parts company and proceeded to manipulate its systems to ship himself four automobile engines, together worth approximately $3450 USD.

Count five is for Conspiracy to Commit Access Device Fraud, otherwise known as credit card fraud. Sabu stole credit card information from two of the organizations he breached and purchased purloined cards on underground "carder" forums. He used these cards to pay at least $1000 USD in personal bills and sold cards to others to enable them to make fraudulent charges to the victims.

Count six is for Conspiracy to Commit Bank Fraud. Sabu had acquired the bank account numbers, routing numbers, social security numbers, names and addresses of more than a dozen victims and provided this information to his co-conspirators, who used it to commit bank fraud.

Last but not least, count seven is for Aggravated Identity Theft related to counts five and six. This enables the US government to seize assets equal to the personal gain Sabu enjoyed from his crimes and for proceeds attained by others based on his actions.

Those arrested today are lucky that President Obama's proposed cybercrime legislation, which would add computer crimes to the Racketeer Influenced and Corrupt Organizations (RICO) Act, has not yet been written into law. Many of the charges against LulzSec members would have qualified for far harsher punishments.

Those who suggest Sabu's actions were just hacktivism or "for the lulz" need to recognize that Sabu wasn't a Robin Hood who nobly gave voice to a cause, but a thief who admitted to lining his own pockets. Free speech is an important issue and we should all be on guard to protect it, exercise it and lawfully fight for it, on and offline. People who wish to support digital freedom should contribute their time and money to organizations like the Electronic Frontier Foundation, or donate their mad computer skillz to Hackers for Charity.

However, the actions of Sabu and his co-conspirators are not the way forward. Hopefully the prominence of this case will inspire those passionate about political and social causes to take a different path.

Don't be a Sabu... These stories take too long to write.

Source: http://nakedsecurity.sophos.com/2012/03/07/sabus-sordid-story-detailed-in-fbi-indictment


Police in South America and Europe Arrest 25 in Connection with Anonymous Activity

In a global police action, dubbed Operation Unmask and backed by Interpol, 25 people allegedly connected to the hacker group Anonymous have been arrested. Interpol announced on Tuesday that the suspected hackers were arrested in simultaneous raids in Argentina, Chile, Colombia and Spain. 250 computers and devices belonging to suspects between 17 and 40 years of age were seized at 40 properties in 15 cities.

Operation Unmask was initiated in the middle of February and mainly targeted people alleged to have launched attacks on Colombian and Chilean web sites, including the site of the Colombian defence ministry, the Chilean branch of the Spanish utility company Endesa, and the Chilean national library.

In an apparent retaliatory move, several Twitter accounts associated with Anonymous called for a distributed denial of service attack on the Interpol web site. With the attack under way, the site was reportedly down earlier but is currently up.

Source: http://www.h-online.com/security/news/item/Interpol-coordinates-arrests-of-Anonymous-hackers-1445286.html


Anonymous takes down security firm's website, vows to fight on after arrests

Hackers claiming to belong to the Anonymous hacking collective early Wednesday defaced Panda Security's PandaLabs website in apparent response to the arrests of five hackers Tuesday in the U.K. and the U.S. In a characteristically defiant message posted on Panda's hacked homepage, Anonymous taunted the former LulzSec leader Sabu for helping the FBI nab the hackers, and vowed to carry on its hacktivist campaign regardless of the setback.

"We are Antisec we'll fight till the end," the message noted. "To FBI and other s.... come at us bros we are waiting for you," it noted. The message was preceded by a seven-minute video clip set to the tune of "Santa Claus is Coming to Town" that appeared to recap Anonymous' activities over the past year.

The attackers also posted what seemed to be the login credentials of numerous Panda Labs employees on the defaced homepage. They noted that the attack on the security firm's site was in retaliation for Panda's alleged role in helping law enforcement crack down on members of the hacking collective.

"They helped to jail 25 anonymous in different countries and they were actively participating in our IRC channels trying to dox many others," the attackers said in apparent reference to a series of arrests of Anonymous members last year. "Yep we know about you. How does it feels being the spied one?" the message asked. Prior to the attack, PandaLabs technical director Luis Corrons had posted a blog titled "Where is the Lulz Now" praising Tuesday's arrests.

The attack on Panda Labs comes less than 24 hours after the U.S. Attorney's office for the Southern District of New York said it had arrested five prominent members of Anonymous and a splinter group LulzSec in raids in the U.K. and in Chicago. Among those arrested was an individual who is alleged to have been responsible for the Christmas Day hacks against security intelligence firm Strategic Forecasting (Stratfor).

More on this story at: http://www.networkworld.com/news/2012/030712-anonymous-takes-down-security-firm39s-257021.html


FBI director: Cyber-threats will someday top terrorism as leading national security worry

Today [1st March] at the annual RSA computer security conference in San Francisco, Director Mueller talked about cyber threats to U.S. national security, the FBI’s role in addressing these threats, and the increasing importance of public-private sector partnerships.

Mueller said the threats include the use of the Internet by terrorists to “grow their business and to connect with like-minded individuals.” He also touched on another national security concern—the significant challenges posed by foreign state-sponsored computer hacking and economic espionage.

The Bureau, according to Mueller, has substantial expertise to address these and other threats: “Given the FBI’s dual role in law enforcement and national security, we are uniquely positioned to collect the intelligence we need to take down criminal networks, prosecute those responsible, and protect our national security.” But the FBI can’t do it alone, said Mueller, and its legal attaché offices around the world, FBI agents embedded in various international police departments, participation in a national cyber task force, and its regional computer forensics crime labs are examples of how the Bureau is collaborating with partner agencies.

The Director also highlighted the FBI's InfraGard information-sharing program as a partnership with the private sector and assured conference participants that by working collectively, “we can improve cyber security and lower costs—with systems designed to catch threat actors rather than to withstand them.”

Source: http://www.fbi.gov/news/news_blog/at-rsa-conference-fbi-director-discusses-cyber-threats


THE REST OF THE WEEK’S NEWS


Michael Jackson's back catalogue stolen by smooth criminals

Michael Jackson's entire back catalogue, including an unreleased collaboration with will.i.am, has been stolen by hackers. The Sony Music archive has been infiltrated by cyber-crooks, who have illegally downloaded more than 50,000 digital files. Record company bosses paid $250 million (£156 million) to Jackson's estate in 2010 for the catalogue, including unheard material from studio sessions when the superstar recorded Off The Wall, Thriller and Bad.

A source tells Britain's Sunday Times, "Everything Sony purchased from the Michael Jackson estate was compromised. It caused them to check their systems and they found the breach. There was a degree of sophistication. Sony identified the weakness and plugged the gap." The haul is also said to include a duet with the late Freddie Mercury and Black Eyed Peas rapper will.i.am.

The attack was discovered weeks after hackers targeted Sony's PlayStation Network in April 2011, but was only confirmed by a Sony Music representative on Saturday (3 March 2012).

Source: http://www.contactmusic.com/news/hackers-steal-michael-jacksons-unreleased-tracks_1300070


Hackers had 'full functional control' of NASA computers

Hackers gained "full functional control" of key NASA computers in 2011, the agency's inspector general has told US lawmakers. Paul K Martin said hackers took over Jet Propulsion Laboratory (JPL) computers and "compromised the accounts of the most privileged JPL users". He said the attack, involving Chinese IP addresses, was under investigation. In a statement, NASA said it had "made significant progress to protect the agency's IT systems".

Mr Martin's testimony on NASA's cybersecurity was submitted to the House Committee on Science, Space and Technology's Subcommittee on Investigations and Oversight. In the document, he outlined how investigators believed the attack had involved "Chinese-based internet protocol [IP] addresses". He said that the attackers had "full system access" and would have been able to "modify, copy, or delete sensitive files" or "upload hacking tools to steal user credentials and compromise other NASA systems". Mr Martin outlined how the agency suffered "5,408 computer security incidents" between 2010 and 2011. He also noted that "between April 2009 and April 2011, NASA reported the loss or theft of 48 Agency mobile computing devices".

In one incident an unencrypted notebook computer was lost containing details of the algorithms - the mathematical models - used to control the International Space Station. NASA told the BBC that "at no point in time have operations of the International Space Station been in jeopardy due to a data breach".

Mr Martin said NASA was a "target-rich environment for cyber-attacks". He said that the motivation of the hackers ranged from "individuals testing their skill to break into NASA systems, to well-organized criminal enterprises hacking for profit, to intrusions that may have been sponsored by foreign intelligence services". But while Mr Martin criticised aspects of NASA’s cybersecurity he noted investigations had resulted in "arrests and convictions of foreign nationals in China, Great Britain, Italy, Nigeria, Portugal, Romania, Turkey, and Estonia".

NASA said it was working to implement the security improvements Mr Martin suggested in his testimony.

However the chairman of the congressional subcommittee, Rep Paul Broun, quoted in an online report of proceedings, said: "Despite this progress, the threat to NASA’s information security is persistent, and ever changing. Unless NASA is able to constantly adapt - their data, systems, and operations will continue to be endangered."

Source: http://www.bbc.co.uk/news/technology-17231695


US Air Force aims to turn cyber into a career

The [US] military has known for years that it will never be able to compete with the private sector when it comes to paying cyber experts. Pay, however, is not the only factor that keeps a soldier, sailor, airman or marine in the military. The Air Force is banking on the idea that job satisfaction might be a retention tool that overcomes the pay gap between what an airman might be able to get from industry and what he or she earns from Uncle Sam.

"The money's better on the outside. We get that," Skip Runyan, the technical director for the 39th Information Operations Squadron, the Air Force's main cyber training unit, said in an interview with Federal News Radio. "But when you're working with the right authorities here, you can do a lot of things that can get you put in jail in the private sector," he said.

Having the legal authority to hack into computer systems is one thing. Getting to continuously employ those skills throughout an entire career is another matter. Apart from pay, it's one of the main problems the military has struggled with among its uniformed cyber experts so far. Even when a servicemember is trained to be a top-notch cyber warrior, he or she might only serve one tour of duty before his or her service shuffles them along to a non-cyber job. The problem with that, Runyan said: They get bored.

"Part of the reason that folks are getting out is that, right, wrong or indifferent, we give people one tour in cyber or in the operational side of things, and then we tell them that their next tour is going to be pulling wire somewhere," he said. "They say, 'Thanks, but I'll go work for a civilian corporation and keep doing what I love and what I do best.' We want to give them a career path and give them an incentive to stay in the Air Force."

The Air Force has done just that. Roughly two years ago, it created career paths for both officers and enlisted personnel specifically intended to let cyber experts stay in the field throughout their military careers. "The approach in the Air Force is really second to none among the services," said Eric Bassel, director of the SANS Institute, during a Wednesday panel discussion at AFCEA's Homeland Security Conference in Washington.

More on this story at: http://www.federalnewsradio.com/?nid=396&sid=2768121


Anonymous Hacking Tool Infected With Trojan

Would-be Anonymous supporters, choose your attack tools carefully. That's because fraudsters have been disguising a banking Trojan application in a tool used by Anonymous for launching distributed denial-of-service (DDoS) attacks. "Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DoS attacks. The Zeus client does perform DoS attacks, but it doesn't stop there. It also steals the users' online banking credentials, webmail credentials, and cookies," according to a Symantec Security Response blog posted Sunday.

Symantec said it had traced related attacks back to January 20, 2012, which is the day that the FBI took down Megaupload. "An attacker took a popular PasteBin guide, used by Anonymous members for downloading and using the DoS tool Slowloris, and modified it," said Symantec. As of February 15, 2012, Symantec said that 470 Tweets still linked to the Pastebin post with the malicious link.

According to a site devoted to Slowloris, the DDoS tool "holds connections open by sending partial HTTP requests." But the Pastebin post--the original dates from May 2011--was modified to include a link to a Trojanised version of Slowloris. "When the Trojanised Slowloris tool is downloaded and executed by an Anonymous supporter, a Zeus (also known as Zbot) botnet client is installed," said Symantec. "After installation of the Zeus botnet client, the malware dropper attempts to conceal the infection by replacing itself with the real Slowloris DoS tool."

Zeus malware is designed to steal people's sensitive financial information, but is also often used by attackers to surreptitiously turn infected PCs--aka zombies--into nodes in a botnet. In other words, Anonymous attackers who download the malicious version of Slowloris could find their PCs participating in a DDoS attack, just not of their own choosing.

That's in addition to this implementation of Zeus being used, said Symantec, to transmit "cookies, online banking credentials, and webmail credentials" from an infected PC to the botnet owner's command-and-control server.

While Anonymous has generally expressed antagonism toward security firms--the hacktivist collective did create a spin-off dubbed AntiSec, after all--The Register spotted at least one pro-Anonymous Twitter channel picking up on Symantec's Slowloris malware warning, in a post that read, "Anonymous supporters tricked into installing Zeus Trojan. This MUSTN'T happen. Be careful what you post and click on!"

This isn't the first warning related to the tools offered for participating in Anonymous DDoS campaigns. Last year, for example, LulzSec leader Sabu labelled the group's Low Orbit Ion Cannon DDoS tool a joke. What's curious about the malicious version of Slowloris discovered by Symantec, however, is that beyond stealing the financial details of whoever installs it, the software still attacks the websites targeted by Anonymous.

Source: http://www.informationweek.com/news/security/attacks/232602010


China Has A Scary Plan

The U.S. Department of Defense believes that China's military strategy relies heavily on over a decade of penetrating American government, military, and commercial computer networks. These penetrations, many of them never discovered, were mainly to steal technical data for commercial products. But a lot of military, diplomatic, and weapons data was obtained as well. The Department of Defense has been pleading with Congress for help in this area but Cyber War defence is not sexy, so American defences remain weak and the Chinese keep at it.

China uses all this Internet based theft to improve Chinese military capabilities and weaken American ones. Department of Defense officials also see China's ambitious space program as another component of Chinese military strategy. By combining the ability to knock down American military satellites while at the same time launching Internet based attacks at American military, government, and commercial Internet activities, China believes it could make up for a lot of current American military superiority. At the very least, the Chinese believe that all this stolen (via the Internet) data and damage to American space satellites would cripple American military power aimed at China.

This is all consistent with Chinese strategic thinking. Chinese leaders are very much aware of historical lessons and the writing of the ancient Chinese military writer Sun Tzu. This sage was a big proponent of the indirect approach and winning wars without much fighting. The Chinese particularly admire the American ability to fight so often but suffer such low casualties and seek to do that against the Americans. Not all of Sun Tzu's advice is still applicable but he was a big believer in doing what the enemy did not expect and exploiting enemy weaknesses. Sun Tzu lived 2,500 years ago, in a world that could not conceive of something like the Internet or space satellites. But Sun Tzu understood the value of information, communications, and secrets. That's what China is concentrating on now and it has the Department of Defense nervous.

Source: http://www.strategypage.com/htmw/htiw/articles/20120301.aspx Via G Forbes @OCEANUSlive


Most UK frauds now involve the Internet

More than half of all frauds in the UK are now carried out through or initiated on the internet, the fraud protection service CIFAS has revealed. CIFAS told ZDNet UK on Tuesday that the internet was the channel of perpetration for 122,988 frauds in 2011, or 53 percent of the total for the year. In 2010, that number was 101,855, or 47 percent of all frauds. "The internet has been the key focus for fraudsters," a CIFAS spokesman said. "It provides a key level of convenience and ease of use for consumers, but that same convenience is there for the fraudster whether they're a lone operator or a more organised criminal network."

CIFAS released the 2011 edition (PDF) of its annual Fraudscape report on Tuesday. Apart from pointing out that fraud in general went up nine percent between 2010 and 2011, the publication noted that the internet had become a much more prevalent vector for unauthorised account takeovers in particular. Whereas in 2010 the internet was used for 38 percent of such takeovers, in 2011 the proportion was 62 percent. CIFAS said there was evidence to suggest there were more frauds taking place that involved online usernames and passwords.

"There has… been a proportionate decrease in the number of takeovers that have happened over the phone, which would indicate that where fraudsters were previously able to talk their way round the member of staff to gain access to an account, they are now finding this route closed off to them," CIFAS said, adding that this highlighted the need for regularly reviewing passwords and settings.

In most cases, the accounts being taken over are for bank or store cards. The fraud protection service noted that these takeovers were being increasingly used to make payments, rather than to change the account-holder's registered address so as to receive new cards. The company also suggested that, the more gadgets get hooked up to the internet, the more of a target they become. "The increasingly embedded communications platforms such as smartphones, digital TV services or tablet PCs may also explain the surge in fraud against such products," it said. The internet also accounts for around three-quarters of all identity fraud cases, the report suggested. These cases tend to involve phishing attacks, where people are tricked by imposters into giving up personal details.

"The anonymity of the internet, the ability to make a number of applications very quickly and the lack of a requirement to produce identity documentation (in many cases) make it the ideal channel for fraudsters," CIFAS said.

Source: http://www.zdnet.co.uk/blogs/communication-breakdown-10000030/most-uk-frauds-now-involve-the-internet-10025565/


And Finally… Find My iPad Leads Cops To $35 Million Dollar Stash Of Meth

We’ve seen Find My iPhone lead to some pretty funny arrests over the past few years, but one thing we haven’t seen Apple’s device tracking software do is lead the police to a haven of narcotics. Until now that is. San Jose Police were tracking down a single stolen iPad when they accidentally came across one of the biggest piles of crystal meth the county has ever seen.

Police tracked the iPad via GPS using the Find My iPad function on the device. Even though they didn’t have a search warrant for the apartment building where they tracked the stolen iPad to, the residents let the police enter. Shockingly, the cops found 780 pounds of crystal meth scattered around the apartment, worth about $35 million.

“They probably thought if they didn’t [let the police enter], we’d suspect something,” Tomkins said. “Or they thought, ‘I’ll let them in — they probably won’t find anything.’”

District Attorney Jeff Rosen said roughly 100 pounds or a little more of meth are recovered annually in the county, making this seizure “easily at least six years’ worth,” he said. “I told my dad about the bust,” said Rosen, “and he said, ‘They have $35 million, and they can’t go out and buy an iPad?’”

Bottom line is, if you’re a crystal meth dealer you should probably watch more Breaking Bad and learn how to run a tight, clean operation that doesn’t steal iPads. Or at least only work with goons who know how to reset the device once it’s been stolen. Walter White would never stand for such recklessness.

Source: http://www.cultofmac.com/150521/find-my-ipad-leads-cops-to-35-million-dollar-stash-of-meth/