New Indian Subcontinent APT Group Emerges

A new APT group has emerged on the Indian subcontinent, identified by ForcePoint as ‘Monsoon’

A group of hackers from the Indian subcontinent has been identified by researchers at ForcePoint. The group is thought to have compromised what may be ‘thousands’ of computers in a series of apparently unconnected intrusions that are now believed to come from this one central source.

The so-called ‘Monsoon Group’ has also been tracked as Patchwork APT, Dropping Elephant and Operation Hangover. The hackers used spear-phishing emails to deliver Word documents whose macros installed Trojans, potentially giving them remote code execution on the victim’s machine.

Although the attacks are thought to have been spread across more than 100 countries, the overarching campaign appears to target both Chinese nationals within different industries and government agencies in Southern Asia.

ForcePoint researchers Andy Settle, Nicholas Griffin and Abel Toro explain that Monsoon built its command and control (C&C) infrastructure on top of legitimate services, using RSS feeds and even GitHub accounts. In basic terms, a C&C infrastructure is the collection of servers (often virtualised), supporting infrastructure, communication channels and tooling that an operator uses to direct its malware, most visibly in botnets.

ForcePoint is said to have uncovered the group by building on existing intelligence and research from Cymmetria, Kaspersky and BlueCoat, some of it dating back to 2013, which makes the 2016 unmasking all the sweeter, no doubt.

As a result of this research and investigation, ForcePoint has published a 57-page report entitled ‘Monsoon – Analysis of an APT campaign: Espionage and data loss under the cover of current affairs’.

“Our Monsoon investigation has uncovered what is clearly a concerted and persistent campaign to steal sensitive data from a variety of critical sources. The use of both current and topical themes as lures, not only indicates the precision level of targeting but also the targeting decision process itself,” writes ForcePoint’s head of special investigations Andy Settle.

The malware components used in Monsoon were typically distributed through weaponised documents sent through e-mail to specifically chosen targets. Themes of these documents are usually political in nature and taken from recent publications on topical current affairs.
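The lure described above is an Office document carrying a VBA macro project. As an added example, not taken from ForcePoint’s report or from Monsoon’s tooling, here is a small scanner a mail-gateway or incident responder could run over attachments to flag documents that contain a macro project before a user opens them. The sample documents it builds are constructed stand-ins, and the OLE2 branch is a string heuristic rather than a full parse of the legacy container.

```python
import io
import os
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"            # legacy .doc/.xls container header
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"   # declared in [Content_Types].xml for a macro part
# OLE2 directory entry names are stored as UTF-16LE; these are the storages a VBA project uses.
OLE_VBA_MARKERS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")]


def classify_office_document(data: bytes) -> dict:
    """Report macro indicators in an Office file given as bytes.

    OOXML (.docx/.docm/.xlsm ...) is a zip: the macro project lives in a vbaProject.bin part
    and is declared in [Content_Types].xml. For legacy OLE2 files this only looks for the
    UTF-16LE storage names (a heuristic; a real parse needs a library such as oletools).
    """
    result = {"format": "unknown", "has_macro": False, "indicators": []}
    if data.startswith(OLE_MAGIC):
        result["format"] = "ole2"
        result["indicators"] = [m.decode("utf-16-le") for m in OLE_VBA_MARKERS if m in data]
    else:
        try:
            zf = zipfile.ZipFile(io.BytesIO(data))
        except zipfile.BadZipFile:
            return result                      # neither container format: not an Office document
        result["format"] = "ooxml"
        names = zf.namelist()
        result["indicators"] = [n for n in names if n.lower().endswith("vbaproject.bin")]
        if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
            result["indicators"].append("[Content_Types].xml declares a vbaProject part")
    result["has_macro"] = bool(result["indicators"])
    return result


def scan_directory(root: str) -> list:
    """Walk a download or mail-spool folder and list every file that carries a macro project."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                info = classify_office_document(fh.read())
            if info["has_macro"]:
                hits.append((path, info["indicators"]))
    return hits


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal document (not a real Monsoon lure): just enough structure for the scanner."""
    content_types = (
        b'<?xml version="1.0"?>'
        b'<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        b'<Default Extension="xml" ContentType="application/xml"/>'
    )
    if with_macro:
        content_types += (b'<Override PartName="/word/vbaProject.bin" '
                          b'ContentType="application/vnd.ms-office.vbaProject"/>')
    content_types += b"</Types>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("word/document.xml", b"<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder VBA project")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("benign", build_sample_ooxml(False)), ("macro", build_sample_ooxml(True))):
        print(label, classify_office_document(doc))
```

Run `scan_directory("/var/mail/attachments")` (or whatever path you quarantine attachments to) to get a list of files and the indicators that fired; a `.docx` that declares a vbaProject part is itself worth a second look, since Word will not run macros from that extension and the mismatch suggests a renamed `.docm`.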

“In today’s world there is no space anymore for single-factor protection,” said Pavel Sotnikov, managing director for Eastern Europe, Caucasus and Central Asia at Qualys.

Sotnikov suggested that companies should adopt a defence-in-depth methodology with layered, robust security measures.

“If we take website security as an example, there definitely should be continuous automated vulnerability testing both for the website and the infrastructure that supports it, moreover there should be security testing during all stages of the SDLC in addition to the secure coding practices,” Sotnikov said.

Sotnikov added, “additionally, there should be Web Application Firewall for proactive protection. Ideally, all this should be complemented through regular manual penetration testing by qualified professionals.”

“Concentrate your efforts on appropriate risk mitigation, complemented with risk transfer activities, and you will prevent majority of incidents before they occur.”


Source: SC Magazine

Millions of VW Cars at Risk: Wireless Hack Lets Crooks Clone Volkswagen Keys

If you own a Volkswagen with keyless entry, it’s likely to be vulnerable to a remote-cloning attack, according to new research.

After reverse-engineering the keyless entry systems of multiple VW models sold from the early 2000s to 2016, a team of researchers believes that the vast majority of the 100 million VW Group vehicles sold in that period are vulnerable to a key-cloning attack that leaves the ignition and keyless entry system exposed to tampering.

The attack can be carried out with cheap, battery-powered, commercially available radios that eavesdrop on and record the rolling codes used by keyless entry systems and then emulate a key. One of the tools they developed for the attack, an Arduino-based RF transceiver, cost just $40 to build.

Researchers from the University of Birmingham in the UK and German embedded-security consultancy Kasper & Oswald will present their research this week at the USENIX Security Symposium in Austin, Texas.

They note in the paper that Volkswagen Group relied on only a few global cryptographic master keys for the remote keyless entry (RKE) systems in vehicles sold over the past two decades.

“With the knowledge of these keys, an adversary only has to eavesdrop a single signal from a target remote control. Afterwards, he can decrypt this signal, obtain the current UID and counter value, and create a clone of the original remote control to lock or unlock any door of the target vehicle an arbitrary number of times,” they write.

The researchers discovered master keys by reverse-engineering the firmware of Electronic Control Units (ECUs) onboard vehicles in the study. The attack exploits weaknesses in the key distribution method.

There isn’t much car owners or Volkswagen can do immediately, because patching or replacing the ECUs and the key fobs would be a gargantuan undertaking.

For car owners it means that checking for tampering by listening for sounds or watching for blinking indicators is no longer a reliable tell, since a fresh valid code can be generated at any time after the initial signal has been eavesdropped, and that eavesdropping can be done from up to 100m away.

Since car owners can’t practically block an attacker eavesdropping RF signals, “the only remaining (yet impractical) countermeasure is to fully deactivate or at least not use the [remote keyless entry] functionality and resort to the mechanical lock of the vehicle.”
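The weakness the researchers describe is a key-distribution one: every vehicle shares the same master key, so a single decrypted packet yields the UID and counter needed to clone the remote. The following is an added simulation of that scheme, written for this page and not taken from the paper or from VW’s implementation; the 8-byte packet layout, the toy Feistel cipher built from HMAC-SHA256, the 64-step acceptance window and the two keys are all assumptions that stand in for the undisclosed real ones. It contrasts a global key with a per-vehicle key to show why the second model does not fall to the same eavesdrop.

```python
import hashlib
import hmac
import struct

ROUNDS = 4           # rounds of the toy Feistel cipher (a stand-in for the real, undisclosed cipher)
COUNTER_WINDOW = 64  # how far ahead of the last accepted counter the receiver still accepts
LOCK, UNLOCK = 1, 2


def _round_function(key: bytes, rnd: int, half: bytes) -> bytes:
    # Toy round function: HMAC-SHA256 truncated to 4 bytes; only its one-wayness matters here.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:4]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Encrypt one 8-byte block: uid(4) | counter(3) | command(1)."""
    left, right = block[:4], block[4:]
    for rnd in range(ROUNDS):
        left, right = right, _xor(left, _round_function(key, rnd, right))
    return right + left


def decrypt_block(key: bytes, block: bytes) -> bytes:
    right, left = block[:4], block[4:]
    for rnd in reversed(range(ROUNDS)):
        left, right = _xor(right, _round_function(key, rnd, left)), left
    return left + right


class Remote:
    """Key fob: shares a key and a UID with the vehicle and keeps a rolling counter."""

    def __init__(self, key: bytes, uid: int, counter: int = 0):
        self.key, self.uid, self.counter = key, uid, counter

    def press(self, command: int) -> bytes:
        self.counter = (self.counter + 1) % (1 << 24)
        plain = struct.pack(">I", self.uid) + self.counter.to_bytes(3, "big") + bytes([command])
        return encrypt_block(self.key, plain)


class Vehicle:
    """Receiver: decrypts, checks the UID and enforces a forward-only counter window."""

    COMMANDS = {LOCK: "locked", UNLOCK: "unlocked"}

    def __init__(self, key: bytes, uid: int, last_counter: int = 0):
        self.key, self.uid, self.last_counter = key, uid, last_counter

    def receive(self, packet: bytes) -> str:
        plain = decrypt_block(self.key, packet)
        uid = struct.unpack(">I", plain[:4])[0]
        counter = int.from_bytes(plain[4:7], "big")
        if uid != self.uid:
            return "rejected: unknown remote"
        if not self.last_counter < counter <= self.last_counter + COUNTER_WINDOW:
            return "rejected: replayed or out-of-window counter"
        self.last_counter = counter
        return self.COMMANDS.get(plain[7], "rejected: bad command")


def clone_remote(known_key: bytes, captured_packet: bytes) -> Remote:
    """The attack on the page: with the key, one eavesdropped packet yields UID and counter."""
    plain = decrypt_block(known_key, captured_packet)
    uid = struct.unpack(">I", plain[:4])[0]
    counter = int.from_bytes(plain[4:7], "big")
    return Remote(known_key, uid, counter)


# Constructed keys for the demo; neither is a real VW key.
GLOBAL_KEY = hashlib.sha256(b"constructed global master key").digest()[:16]
PER_VEHICLE_KEY = hashlib.sha256(b"constructed per-vehicle key").digest()[:16]


def demo_global_key() -> list:
    """Every car uses GLOBAL_KEY: one recorded lock press is enough to clone the fob."""
    car = Vehicle(GLOBAL_KEY, uid=0x1234ABCD, last_counter=100)
    fob = Remote(GLOBAL_KEY, uid=0x1234ABCD, counter=100)
    captured = fob.press(LOCK)                  # owner locks the car; attacker records the packet
    results = [car.receive(captured)]           # 'locked'
    results.append(car.receive(captured))       # naive replay fails: counter already used
    clone = clone_remote(GLOBAL_KEY, captured)  # ...but the decrypted packet seeds a working clone
    results += [car.receive(clone.press(UNLOCK)) for _ in range(3)]
    return results


def demo_per_vehicle_key() -> str:
    """Each car has its own key: the leaked global key decrypts nothing useful."""
    car = Vehicle(PER_VEHICLE_KEY, uid=0x1234ABCD, last_counter=100)
    fob = Remote(PER_VEHICLE_KEY, uid=0x1234ABCD, counter=100)
    car.receive(fob.press(LOCK))
    clone = clone_remote(GLOBAL_KEY, fob.press(LOCK))
    return car.receive(clone.press(UNLOCK))


if __name__ == "__main__":
    print(demo_global_key())
    print(demo_per_vehicle_key())
```

In the global-key run the plain replay is rejected, which is the protection rolling codes are supposed to give, yet the clone is accepted three times in a row because it continues the counter from where the decrypted packet left off. A side effect in this model is that the owner’s genuine fob is now behind the car’s counter and will be rejected until it catches up; whether a given real receiver resynchronises silently is not something the page states.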

A second attack the researchers explored relates to the ageing Hitag2 rolling code scheme, which is used by Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, and Ford.

The researchers found that the Hitag2 keyless entry system uses a cryptographically weak cipher. As Wired notes, however, NXP, the semiconductor maker behind the Hitag2 scheme, has been advising manufacturers to upgrade to a modern scheme.

The researchers said they advised VW Group of the vulnerabilities and came to an agreement with the company not to disclose the cryptographic keys, part numbers of vulnerable ECUs, and how they reverse-engineered the processes.

The researchers argue that, given their findings, insurance companies may need to accept that cases that look like insurance fraud, such as a laptop stolen from a locked car without any physical traces of a break-in, can plausibly be an actual theft.

A VW Group spokesman later told ZDNet that the security of its systems is up to scratch and that the researchers’ work went beyond flaws that are easy to exploit.

Here’s the full quote from VW Group spokesman, Peter Weisheit:

“The bar for theft prevention is constantly being raised, but ultimately there is no 100% guarantee for security. On one hand, criminals are equipped with sophisticated tools, and on the other hand, theft protection is impacted by the fact that we have to provide access to the OBD interface (On-Board Diagnosis) as well as the processes and documents in connection to these systems. With highly specialized technical knowledge, individual electronic components of the vehicles can be manipulated through this open interface.

Volkswagen’s electronic and mechanical security measures are state-of-the-art technology. Volkswagen also offers innovative technologies in this field that are continuously developed further.

Researchers from the University of Birmingham set themselves the task of analyzing security technologies such as the immobilizer and remote control to identify systematic weaknesses, regardless of practical applicability. Their academic work that has now been published showed that the security systems of the vehicles that were up to 15 years old do not have the same security level as, for example, our present vehicles based on the MQB Modular Transverse Matrix (e.g. the current Golf, Tiguan, Touran, Passat, etc.). These current vehicle generations are not affected by the problem described.

The responsible department at Volkswagen Group is in contact with the academics mentioned and a constructive exchange is taking place. We agreed that the authors would publish their mathematical-scientific findings, but without the sensitive content that could be used by accomplished criminals to break into vehicles. The findings obtained will serve to further improve the security technology.

The spokesperson said that the company won’t be commenting on further details yet.


Source: ZDNet

New Ransomware Arrives as Phony Alert from Microsoft

A new ransomware iteration has been detected by Symantec embedded in an email message disguised as an alert from Microsoft.

The threat (freedownloadmanager.exe), dubbed Trojan.Ransomlock.AT by Symantec, is showing up primarily in the United States. The email appears to be a legitimate notice from Microsoft claiming the user’s Windows license has expired and prompts the target to call a toll-free number in order to unlock their computer.

The new ransomware variant follows up on similar scams Symantec detected previously. The difference this time, the company stated, is that it now is using a recognizable name.

“What makes this different from traditional ransomware is that it appears the attackers have carefully thought out how to maximize revenue generation by using a combination of branded ransomware alongside manipulated search results,” the researchers said.

“Keep your OS and security software up to date,” Symantec advised.


Source: SC Magazine

Fake QR Code App Gets Hacker into Luxury Airport Lounges for Free

Free airline Fast Track for all! Free lunch and booze at luxury airport lounges for all! Duty-free shopping for all!

That’s what a fake QR code generating app can get you, according to Przemek Jaroszewski, head of Poland’s Computer Emergency Response Team (CERT).

At the Defcon security conference in Las Vegas on Sunday, Jaroszewski presented the simple program that he’s now used dozens of times to get into airline lounges all over Europe.

The Android app generates the QR codes in order to spoof a boarding pass for any name, flight number, destination and class.

He hasn’t tried it in the US yet, but as far as Europe goes, none of the airline lounges he has tested the app in checked the details of the fake QR code against their own ticketing databases. The readers only check that the code is a well-formed boarding pass.

That means that he, or other hackers who work out how to replicate the roughly 500 lines of JavaScript he says he used to build the app, can get into exclusive airport lounges, or buy goods at duty-free shops that should require proof of an international ticket.
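What the lounge readers are doing, versus what they should be doing, is easier to see in code. The following is an added example written for this page, not Jaroszewski’s app or any airline’s software: it lays out a boarding-pass barcode using the public IATA BCBP fixed-width header (the field widths are as the author of this example understands that layout, so treat them as an assumption), checks it the way a reader that only verifies the code “exists” effectively does, and then cross-checks it against a constructed stand-in for the airline’s ticketing records. The PNRs, names and flights are invented.

```python
import re

# Mandatory fixed-width BCBP header, in order: (field, width). 60 characters in total.
BCBP_FIELDS = [
    ("format_code", 1), ("legs", 1), ("passenger_name", 20), ("eticket", 1),
    ("pnr", 7), ("from_airport", 3), ("to_airport", 3), ("carrier", 3),
    ("flight_number", 5), ("julian_date", 3), ("compartment", 1), ("seat", 4),
    ("checkin_sequence", 5), ("passenger_status", 1), ("conditional_size", 2),
]
HEADER_LEN = sum(width for _, width in BCBP_FIELDS)


def build_bcbp(name, pnr, origin, dest, carrier, flight, day_of_year, compartment, seat, seq=1):
    """Lay out a single-leg pass with any name, route, flight and class (what the app on the page does)."""
    values = ["M", "1", name[:20].ljust(20), "E", pnr[:7].ljust(7), origin, dest,
              carrier.ljust(3), str(flight).ljust(5), f"{day_of_year:03d}", compartment,
              seat.rjust(4, "0"), f"{seq:04d} ", "1", "00"]
    payload = "".join(values)
    if len(payload) != HEADER_LEN:
        raise ValueError("field value too wide for the BCBP layout")
    return payload


def parse_bcbp(payload: str) -> dict:
    """Split the fixed-width header; raises if the code is not BCBP-shaped at all."""
    if len(payload) < HEADER_LEN or payload[0] != "M":
        raise ValueError("not a BCBP payload")
    fields, pos = {}, 0
    for name, width in BCBP_FIELDS:
        fields[name] = payload[pos:pos + width].strip()
        pos += width
    return fields


def is_well_formed(fields: dict) -> bool:
    """The whole check a reader that merely verifies the code parses is really doing."""
    return (fields["legs"].isdigit()
            and re.fullmatch(r"[A-Z]{3}", fields["from_airport"]) is not None
            and re.fullmatch(r"[A-Z]{3}", fields["to_airport"]) is not None
            and re.fullmatch(r"\d{1,4}[A-Z]?", fields["flight_number"]) is not None
            and fields["julian_date"].isdigit() and 1 <= int(fields["julian_date"]) <= 366)


# Constructed stand-in for the airline's ticketing database: PNR -> the ticket actually issued.
TICKETING_DB = {
    "ABC123": {"passenger_name": "SMITH/JO", "carrier": "LO", "flight_number": "123",
               "julian_date": "226", "from_airport": "WAW", "to_airport": "IST",
               "compartment": "J", "lounge_eligible": True},
    "XYZ789": {"passenger_name": "TRAVELLER/ANNA", "carrier": "LO", "flight_number": "123",
               "julian_date": "226", "from_airport": "WAW", "to_airport": "IST",
               "compartment": "Y", "lounge_eligible": False},
}
CHECKED_FIELDS = ("passenger_name", "carrier", "flight_number", "julian_date",
                  "from_airport", "to_airport", "compartment")


def validate_against_ticketing(fields: dict, db: dict) -> list:
    """The missing step: compare the decoded pass with the record behind its PNR."""
    record = db.get(fields["pnr"])
    if record is None:
        return ["no ticketing record for PNR " + fields["pnr"]]
    problems = [f"{key}: pass says {fields[key]!r}, ticket says {record[key]!r}"
                for key in CHECKED_FIELDS if fields[key] != record[key]]
    if not problems and not record["lounge_eligible"]:
        problems.append("ticket is genuine but not lounge-eligible")
    return problems


def lounge_decision(payload: str, db: dict) -> dict:
    fields = parse_bcbp(payload)
    problems = validate_against_ticketing(fields, db)
    return {"reader_only": is_well_formed(fields),
            "with_ticketing_check": not problems,
            "problems": problems}


def demo() -> dict:
    passes = {
        "genuine_business": build_bcbp("SMITH/JO", "ABC123", "WAW", "IST", "LO", 123, 226, "J", "2A", 7),
        "forged_unknown_pnr": build_bcbp("DOE/JOHN", "ZZZ999", "WAW", "IST", "TK", 1, 226, "J", "1A"),
        "upgraded_own_ticket": build_bcbp("TRAVELLER/ANNA", "XYZ789", "WAW", "IST", "LO", 123, 226, "J", "2B", 42),
    }
    return {label: lounge_decision(payload, TICKETING_DB) for label, payload in passes.items()}


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

All three passes are well-formed, so a reader that stops at parsing admits all three; only the ticketing cross-check separates the genuine business-class ticket from an invented PNR and from an economy ticket whose compartment code was simply rewritten to “J”, which is the trick the app relies on.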

If this sounds familiar, it should. Jaroszewski is far from the first one to get himself past feeble airport security checks.

His Defcon presentation paper lists previous airline hijinks, including:

  • In 2003, Bruce Schneier described how to fly on someone else’s airplane ticket by screwing around with e-tickets. He said he wasn’t the first to get this idea, by far.
  • In 2005, Andy Bowers described how online check-in meant that you can get on a flight without ever proving you were the person who bought the ticket.
  • In 2007, Christopher Soghoian created a fake boarding pass generator website, allowing anyone to create a fake Northwest Airlines boarding pass: any name, airport, date, or flight, thereby demonstrating a known and obvious vulnerability in airport security involving boarding passes and IDs. That resulted in a visit from the FBI, the glass on his front door smashed in, a ransacked home, a search warrant taped to his kitchen table, and all of his computers removed from his house.
  • In 2008, Jeffrey Goldberg demonstrated the ineffectiveness of airport security check-in by carrying in an astonishing assortment of verboten items on a variety of flights: an OSAMA BIN LADEN, HERO OF ISLAM T-shirt, a stack of homemade boarding passes courtesy of Schneier, a Hezbollah flag featuring the image of an upraised fist clutching an AK-47 automatic rifle, and a beer belly concealing two cans’ worth of Budweiser, for example.

Jaroszewski told Wired that his Defcon talk was intended to point out that years after those exploits, the boarding pass insecurity not only persists, but it’s gotten easier to exploit because of airports’ reliance on automated QR code readers.

Wired quotes him:

Literally, it takes 10 seconds to create a boarding pass [on a mobile phone]. And it doesn’t even have to look legit because you’re not in contact with any humans.

A video accompanying the original report shows Jaroszewski using the fake QR code to get into Turkish Airlines’ Istanbul airport lounge (one of his favourites, he told Wired: it’s replete with a cinema, putting green, Turkish bakery and free massages).

Before you dismiss him as a cheap-o fraudster who doesn’t want to pay for a first class or business ticket, rest assured that, according to Wired, he flies 50 to 80 times a year and is solidly in gold status. He says he created the app last year, when that gold status was mistakenly rejected, to make sure he didn’t get locked out again.

What’s more, Jaroszewski has refrained from exploiting the fake QR codes to get into places he doesn’t have the right to access. Nor has he bought duty-free goods when he wasn’t traveling internationally. Both actions would probably be illegal.

This isn’t a security concern, according to the US’s Transportation Security Administration (TSA) and the International Air Transport Association (IATA), and they have no plans to fix it. As it is, it’s up to the airlines if they don’t want lounge-crashers to rip off their amenities.

Both organizations told Wired that a forged bar-coded boarding pass (BCBP) wouldn’t get you on a flight. Other security measures would likely reveal that the bearer of a fake QR code didn’t have a legitimate boarding pass.

Still, the fake QR code app underscores Jaroszewski’s point: even 13 years after Schneier’s fake boarding pass demonstration, airport security is hardly what you’d call airtight.


Source: Naked Security

This PC Monitor Hack Can Manipulate Pixels for Malicious Effect

Don’t believe everything you see. It turns out even your computer monitor can be hacked. On Friday, researchers at DEF CON presented a way to manipulate the tiny pixels found on a computer display.

Ang Cui and Jatin Kataria of Red Balloon Security were curious how Dell monitors worked and ended up reverse-engineering one. They picked apart a Dell U2410 monitor and found that the display controller inside can be used to change and log the pixels across the screen.

During their DEF CON presentation, they showed how the hacked monitor could seemingly alter the details on a web page. In one example they changed a PayPal account balance from $0 to $1 million, when in reality only the pixels on the monitor had been reconfigured.

It wasn’t exactly an easy hack to pull off. To discover the vulnerability, both Cui and Kataria spent their spare time over two years, conducting research and understanding the technology inside the Dell monitor.

However, they also looked at monitors from other brands, including Samsung, Acer and Hewlett Packard, and noticed that it was theoretically possible to hack them in the same manner as well.

The key problem lies in the monitors’ firmware, or the software embedded inside. “There’s no security in the way they update their firmware, and it’s very open,” said Cui, who is also CEO of Red Balloon.

The exploit requires gaining access to the monitor itself, through the HDMI or USB port. Once done, the hack could potentially open the door for other malicious attacks, including ransomware.

For instance, cyber criminals could emblazon a permanent message on the display, and ask for payment to remove it, Kataria said. Or they could even spy on users’ monitors, by logging the pixels generated.

However, the two researchers said they made their presentation to raise awareness about computer monitor security. They’ve posted the code to their research online.

“Is monitor security important? I think it is,” Cui said.


Source: CSO Online

Go-Based Linux Trojan Used for Cryptocurrency Mining

A new Linux Trojan allows cybercriminals to make a profit by abusing infected systems for cryptocurrency mining, Russian antivirus company Doctor Web warned on Monday.

Dubbed Linux.Lady.1, the malware is written in Google’s Go programming language and it uses various libraries that are available on GitHub. Go was first used to create malware in 2012, but it hasn’t been adopted by many cybercriminals.

Once it infects a system, the Linux malware collects information on the infected machine, including the operating system, CPUs and processes. The harvested data is sent back to a command and control (C&C) server, which provides a configuration file for downloading a cryptocurrency mining application.

The sample analyzed by Doctor Web delivered an application designed for Monero (XMR) mining. Monero is an open source cryptocurrency currently valued at only $2 per unit, but unlike Bitcoin, it can still be mined using personal computers.

Researchers also noticed that Linux.Lady.1 is capable of spreading to other Linux computers on the infected network. It does this by attempting to connect to remote hosts over port 6379 (the default port of the Redis data store) without a password. Experts believe the attackers are counting on hosts that have not been configured properly and accept unauthenticated connections.

If the connection is successful, Linux.Lady.1 downloads a script from a specified URL and adds it to the Cron scheduler of the infected device. This script, detected by Dr. Web as Linux.DownLoader.196, is responsible for downloading and installing a copy of the Linux Trojan on the compromised device.

This is not the first time the security firm has found Linux malware. Over the past months, it has warned users about the Encoder ransomware, Ekoms spyware and the Xunpes backdoor.

It’s also worth noting that Linux.Lady.1 is not the first Linux threat capable of mining cryptocurrency. A couple of years ago Symantec reported uncovering a Linux worm called Darlloz, which used infected systems to mine Mincoins or Dogecoins. That malware targeted various types of systems, including routers, set-top boxes and IP cameras.

By Eduard Kovacs

Source: Security Week


Crude Attempts at Malware: ‘Hitler-Ransomware’

Some pieces of ransomware are devilishly clever. Some are highly profitable. And some are just straight-up crude.

One new and particularly eyebrow-raising example is “Hitler-Ransomware,” which, as you might expect, displays a giant picture of Hitler on your screen. First discovered by AVG analyst Jakub Kroustek, and reported by Bleeping Computer, Hitler-Ransomware is still in development, and is far from a polished product.

For a start, it doesn’t even encrypt your files, despite claiming to. Instead, it removes the extension from files in certain directories and shows an ominous one-hour countdown. The malware asks the victim for payment, but rather than demanding a lump of Bitcoin, as is traditional for ransomware, it tells the target to buy a €25 “Vodafone Card” (likely a credit top-up card) and type in its code. (Other scammers sometimes get victims to buy gift cards for companies such as Apple or Amazon.)

Once the countdown is complete, the program forces Windows to crash, or land on a blue screen of death. After the computer is rebooted, Hitler-Ransomware then deletes all of the user’s files.

As Bleeping Computer points out, the developer of Hitler-Ransomware appears to be German, based on a block of German-language text found alongside the malware.

“This is a test,” a translated version of the text reads, and adds that the file is “by CoolNass,” possibly alluding to the ransomware’s author. “I am a Pro,” the text audaciously claims.


Source: Motherboard

Irish National Police Service Shuts Down IT Systems to Mitigate Cyber Attack

Garda Síochána (Irish for “the Guardian of the Peace”), Ireland’s national police service, has said it was on the receiving end of a cyber-attack and had to shut down several IT systems to prevent the attackers from gaining access to sensitive information.

The attack took place last Thursday, on August 4, but it was only disclosed to the public on Sunday, after authorities dealt with the intrusion.

According to local news media, police officials explained the attack was carried out with a new strain of malware that the police IT security team had never seen before.

Garda officials said the attackers did not manage to steal anything from their servers, because IT staff shut down the targeted systems before any data was exfiltrated.

The Irish National Police servers, just like the ones belonging to any other law enforcement organization, hold information on ongoing investigations, staff members, and the general public.

Authorities did not indicate whom they suspected for the attack. A Garda spokesperson gave the Irish Independent the following statement:

“(After the threat was recognized) heightened security procedures were implemented and standard protocols were enforced across all Garda ICT environments to limit any effect on our systems. Working with security experts the threat was identified and an appropriate solution was implemented across all Garda Siochana ICT systems.”

By Catalin Cimpanu

Source: Softpedia

Obama Prepares to Boost U.S. Military’s Cyber Role

The Obama administration is preparing to elevate the stature of the Pentagon’s Cyber Command, signaling more emphasis on developing cyber weapons to deter attacks, punish intruders into U.S. networks and tackle adversaries such as Islamic State, current and former officials told Reuters.

Under the plan being considered at the White House, the officials said, U.S. Cyber Command would become what the military calls a “unified command” equal to combat branches of the military such as the Central and Pacific Commands.

Cyber Command would be separated from the National Security Agency, a spy agency responsible for electronic eavesdropping, the officials said. That would give Cyber Command leaders a larger voice in arguing for the use of both offensive and defensive cyber tools in future conflicts.

Both organizations are based at Fort Meade, Maryland, about 30 miles north of Washington, and led by the same officer, Navy Adm. Michael S. Rogers.

A former senior intelligence official with knowledge of the plan said it reflects the growing role that cyber operations play in modern warfare, and the different missions of the Cyber Command and the NSA. The official spoke on condition of anonymity.

A Cyber Command spokesman declined comment on the plan, and the NSA did not respond to requests for comment.

Established in 2010, Cyber Command is now subordinate to the U.S. Strategic Command, which oversees military space operations, nuclear weapons and missile defense.

U.S. officials cautioned that details of the plan, including some aspects of Cyber Command’s new status, are still being debated.

It was unclear when the matter will be presented to President Barack Obama for final approval, but the former senior intelligence official said it was unlikely anyone would stand in the way.

A senior official, speaking on condition of anonymity, said the administration was “constantly reviewing if we have the appropriate organizational structures in place to counter evolving threats, in cyber space or elsewhere.”

“While we have no changes to this structure to announce, the relationship between NSA and Cyber Command is critical to safeguarding our nation’s security,” the official said.

The Pentagon acknowledged earlier this year that it has conducted cyber attacks against Islamic State, although the details are highly classified.

“We are dropping cyber-bombs. We have never done that before,” Deputy Defense Secretary Robert Work said in April.

The Washington Post reported last month that Pentagon leaders had been frustrated with the slow pace of Cyber Command’s electronic offensive against Islamic State, militants who control parts of Iraq and Syria and have sympathizers and supporters worldwide.

In response, Rogers created Joint Task Force Ares to develop new digital weapons against Islamic State and coordinate with the Central Command, which is responsible for combat operations in the Middle East and South Asia.

The new task force has “the specific mission to accomplish cyberspace objectives in support of counter-ISIL operations,” a Cyber Command statement said. Task Force Ares, it said, “comprises operations and intelligence professionals from each of the military services.”

James Lewis, a cyber security expert at the Center for Strategic and International Studies, said the plan that will be presented to Obama highlights how Cyber Command, reliant on the NSA in its early years, is developing its own work force and digital tools.

“It reflects the maturing of Cyber Command and its own capabilities,” Lewis said.

Defense Secretary Ash Carter hinted at the higher status for Cyber Command in an April speech in Washington, in which he said the Pentagon is planning $35 billion in cyber spending over the next five years.

“Adapting to new functions will include changes in how we manage ourselves in cyberspace,” Carter said.

NSA’s primary mission is to intercept and decode adversaries’ phone calls, emails and other communications. The agency was criticized for over-reach after former NSA contractor Edward Snowden revealed some of its surveillance programs.

NSA’s focus is gathering intelligence, officials said, often favoring the monitoring of an enemy’s cyber activities. Cyber Command’s mission is geared more to shutting down cyber attacks – and, if ordered, counter attacking.

The NSA director has been a senior military officer since the agency’s founding in 1952. Under the plan, future directors would be civilians, an arrangement meant to underscore that NSA is not subordinate to Cyber Command.

By Warren Strobel

Source: Reuters

Android Bug Fear in 900 Million Phones

Serious security flaws that could give attackers complete access to a phone’s data have been found in software used on tens of millions of Android devices.

The bugs were uncovered by Check Point researchers looking at software running on chipsets made by US firm Qualcomm. Qualcomm processors are found in about 900 million Android phones, the company said. There is, however, no evidence of the vulnerabilities currently being used in attacks by cyberthieves.

“I’m pretty sure you will see these vulnerabilities being used in the next three to four months,” said Michael Shaulov, head of mobility product management at Check Point.

“It’s always a race as to who finds the bug first, whether it’s the good guys or the bad.”

Affected devices included:

  • BlackBerry Priv and Dtek50
  • Blackphone 1 and Blackphone 2
  • Google Nexus 5X, Nexus 6 and Nexus 6P
  • HTC One, HTC M9 and HTC 10
  • LG G4, LG G5, and LG V10
  • New Moto X by Motorola
  • OnePlus One, OnePlus 2 and OnePlus 3
  • US versions of the Samsung Galaxy S7 and Samsung S7 Edge
  • Sony Xperia Z Ultra

Mr Shaulov said six months of work reverse-engineering Qualcomm’s code revealed the problems. The flaws were found in software that handles graphics and in code that controls communication between different processes running on a phone. Exploiting the bugs would let an attacker escalate privileges step by step, taking ever more control of the device and gaining access to its data.

Check Point handed information about the bugs and proof-of-concept code to Qualcomm earlier this year.

In response, Qualcomm is believed to have created patches for the bugs and started to use the fixed versions in its factories.

It has also distributed the patches to phone makers and operators. However, it is not clear how many of those companies have issued updates to customers’ phones.

Check Point has created a free app called QuadRooter Scanner that can be used to check whether a phone is vulnerable to any of the bugs, by looking to see whether the patches for them have been downloaded and installed.

In addition, Mr Shaulov said Android owners should only download apps from the official Google Play store to avoid falling victim to malicious programs.

“People should call whoever sold them their phone, their operator or the manufacturer, and beg them for the patches,” said Mr Shaulov.

In a statement, Qualcomm said: “We were notified by the researcher about these vulnerabilities between February and April of this year, and made patches available for all four vulnerabilities to customers, partners, and the open source community between April and July.

“We continue to work proactively both internally as well as with security researchers to identify and address potential security vulnerabilities.”

By Mark Ward

Source: BBC