
Friday, September 16, 2016

The Coming Cyber War #17

Cyber Warfare:

For the last year, someone has been probing the critical infrastructure of the internet.

Obama wishes to avoid a cyber warfare arms race.

What is the US Navy's version of information warfare? 

Should the NSA and US military's Cyber Command be split? Senator McCain strongly opposes.

The Pentagon is continuing to reach out to Silicon Valley.

Cyber Security:

Google is offering $200k to hack its Nexus Android phones.

Singapore is pulling its public servants off the net for security reasons. 

A former USAF general has been named the US cyber security chief. 

The US 911 emergency system can be crippled by a mobile bot net.

Cyber Espionage:


The US intelligence agencies are concerned about the threat of Russia throwing doubt on the US election via hackers.

British firms are selling software allowing for anyone to see what's on a smart phone.

GovRAT malware is designed to target US government officials.

Guccifer 2.0, the suspected Russian hacking team, has released more DNC documents.

Watch a leaked video demonstrating how an Italian company's spyware infects computers.

Smartphones can steal 3d printing designs by listening to the printer in action.

New leaked Snowden files show what the NSA could do for satellite eavesdropping.  

Cyber Crime:

18 to 24 year olds are the most likely to use the DARKNET.

Britain is supposedly edging closer to having 10 year prison terms for online pirating.

An FBI agent posed as a journalist to deliver malware to a suspect.

Hackers that broke into the CIA Director's personal email account have been arrested.

An Israeli group, vDOS, claimed to have made $600k doing mercenary DDoS attacks. The supposed co-owners have since been arrested.

PhotoMiner, a cryptocurrency mining malware, has infected Seagate NAS boxes.

Russian hackers are targeting the anti-doping agency in hopes of getting US athletes' data.

A teenager figured out how to get free data on his phone.

Friday, June 03, 2016

The Coming Cyberwar #11

Cyber Warfare:

This is how the USMC plans on using cyberwarfare.

The US Navy & USMC are facing cultural issues with cyberwarfare.

The US Naval Academy has graduated its first midshipman focused on cyberwarfare.

The US Senate is attempting to elevate US Cyber command.

Russia's cyberturfing trolls refuse to be dragged into the light.

SecDef Carter highlights US Army cyber security.

IRONGATE is the first IDed STUXNET clone.

NATO is considering making cyber warfare a separate combat domain.

Cyber Security:

The first software has been developed to test the security of Quantum Keys.

DARPA is developing an 'extreme DDOS' defense.

The DOD's cyber security priorities haven't changed in a long time, despite press & hype.

Cyber Crime:

Here's an update on the Skimer malware infecting ATMs worldwide.

Hackers are targeting US & Chinese companies...as stock analysts?

ZCryptor appears to be the first self-propagating ransomware.

Sunday, January 10, 2016

Hackers Appear to Have Caused Ukrainian Power Outage

Hackers likely caused a Dec. 23 electricity outage in Ukraine by remotely switching breakers to cut power, after installing malware to prevent technicians from detecting the attack, according to a report analyzing how the incident unfolded.

The report from Washington-based SANS ICS was released late on Saturday, providing the first detailed analysis of what caused a six-hour outage for some 80,000 customers of Western Ukraine's Prykarpattyaoblenergo utility.

SANS ICS, which advises infrastructure operators on combating cyber attacks, also said the attackers crippled the utility's customer-service center by flooding it with phone calls to prevent customers from alerting the utility that power was down.

"This was a multi-pronged attack against multiple facilities. It was highly coordinated with very professional logistics," said Robert Lee, a former U.S. Air Force cyber warfare operations officer who helped compile the report for SANS ICS. "They sort of blinded them in every way possible."

Experts widely describe the incident as the first known power outage caused by a cyber attack. Ukraine's SBU state security service blamed Russia, and U.S. cyber firm iSight Partners identified the perpetrator as a Russian hacking group known as "Sandworm."

Friday, October 23, 2015

FSB-Linked Kaspersky Lab Researcher States Harassed, Targeted by Malware From Spy Agencies

Researchers tasked with revealing attacks by intelligence agencies are being harassed, locked out of tenders, and in some cases deported, Kaspersky researcher Juan Andrés Guerrero-Saade says.

Retaliation by the unnamed agencies is in direct response to news of prominent advanced persistent threat campaigns that have coloured information security reporting over recent years.

Those reports are forcing researchers to reveal malware attacks by government spy agencies.

Friday, August 14, 2015

Oh How Russian! Kaspersky Lab Employees Accuse Security Company of Tricking Rivals' Software Into Deleting Uninfected Files

Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees.

They said the secret campaign targeted Microsoft Corp (MSFT.O), AVG Technologies NV (AVG.N), Avast Software and other rivals, fooling some of them into deleting or disabling important files on their customers' PCs.

Some of the attacks were ordered by Kaspersky Lab's co-founder, Eugene Kaspersky, in part to retaliate against smaller rivals that he felt were aping his software instead of developing their own technology, they said.

"Eugene considered this stealing," said one of the former employees. Both sources requested anonymity and said they were among a small group of people who knew about the operation.

Kaspersky Lab strongly denied that it had tricked competitors into categorizing clean files as malicious, so-called false positives.

"Our company has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing," Kaspersky said in a statement to Reuters. "Such actions are unethical, dishonest and their legality is at least questionable."

Executives at Microsoft, AVG and Avast previously told Reuters that unknown parties had tried to induce false positives in recent years. When contacted this week, they had no comment on the allegation that Kaspersky Lab had targeted them.

Wednesday, February 18, 2015

The Equation Group is America's Cyberwarfare Manhattan Project


“What we really need is a Manhattan Project for cybersecurity.” It’s a sentiment that swells up every few years in the wake of some huge computer intrusion—most recently the Sony and Anthem hacks. The invocation of the legendary program that spawned the atomic bomb is telling. The Manhattan Project is America’s go-to shorthand for our deep conviction that if we gather the smartest scientists together and give them billions of dollars and a sense of urgency, we can achieve what otherwise would be impossible.

A Google search on “cyber Manhattan Project” brings up results from as far back as 1997—it’s second only to “electronic Pearl Harbor” in computer-themed World War II allusions. In a much-circulated post on Medium last month, futurist Marc Goodman sets out what such a project would accomplish. “This Manhattan Project would help generate the associated tools we need to protect ourselves, including more robust, secure, and privacy-enhanced operating systems,” Goodman writes. “Through its research, it would also design and produce software and hardware that were self-healing and vastly more resistant to attack and resilient to failure than anything available today.”

These arguments have so far not swayed a sitting American president. Sure, President Obama mentioned cybersecurity at the State of the Union, but his proposal not only doesn’t boost security research and development, it potentially criminalizes it. At the White House’s cybersecurity summit last week, Obama told Silicon Valley bigwigs that he understood the hacking problem well—“We all know what we need to do. We have to build stronger defenses and disrupt more attacks”—but his prescription this time was a tepid executive order aimed at improving information sharing between the government and industry. Those hoping for something more Rooseveltian must have been disappointed.

On Monday, we finally learned the truth of it. America already has a computer security Manhattan Project. We’ve had it since at least 2001. Like the original, it has been highly classified, spawned huge technological advances in secret, and drawn some of the best minds in the country. We didn’t recognize it before because the project is not aimed at defense, as advocates hoped. Instead, like the original, America’s cyber Manhattan Project is purely offensive.


All your internet are belong to us.  

Meet Babar: The French Government's Spyware/Malware

The NSA, GCHQ, and their allies in the Five Eyes are not the only government agencies using malware for surveillance. French intelligence is almost certainly hacking its targets too—and now security researchers believe they have proof.

On Wednesday, the researchers will reveal new details about a powerful piece of malware known as “Babar,” which is capable of eavesdropping on online conversations held via Skype, MSN and Yahoo messenger, as well as logging keystrokes and monitoring which websites an infected user has visited.

Babar is “a fully blown espionage tool, built to excessively spy” on its victims, according to the research, and which Motherboard reviewed in advance. The researchers are publishing two separate but complementary reports that analyze samples of the malware, and all but confirm that France’s spying agency the General Directorate for External Security (DGSE) was responsible for its creation.

France’s Defense Ministry did not respond to a request for comment by the time of publication.



I am waiting for the first German and Brazilian government malware to be uncovered (I am 100% sure they exist). Then their hypocrisy can be unmasked. The NSA might be the best at it, but it does not mean the other nation states are not doing this, too. This is definitely not a case where the Russians, Chinese and Anglosphere are the sole naughty children online.

Monday, February 16, 2015

The Equation Group: Your Hard Drive is Watching you

The U.S. National Security Agency has figured out how to hide spying software deep within hard drives made by Western Digital, Seagate, Toshiba and other top manufacturers, giving the agency the means to eavesdrop on the majority of the world's computers, according to cyber researchers and former operatives.

That long-sought and closely guarded ability was part of a cluster of spying programs discovered by Kaspersky Lab, the Moscow-based security software maker that has exposed a series of Western cyberespionage operations.

Kaspersky said it found personal computers in 30 countries infected with one or more of the spying programs, with the most infections seen in Iran, followed by Russia, Pakistan, Afghanistan, China, Mali, Syria, Yemen and Algeria. The targets included government and military institutions, telecommunication companies, banks, energy companies, nuclear researchers, media, and Islamic activists, Kaspersky said.

The firm declined to publicly name the country behind the spying campaign, but said it was closely linked to Stuxnet, the NSA-led cyberweapon that was used to attack Iran's uranium enrichment facility. The NSA is the agency responsible for gathering electronic intelligence on behalf of the United States.

A former NSA employee told Reuters that Kaspersky's analysis was correct, and that people still in the intelligence agency valued these spying programs as highly as Stuxnet. Another former intelligence operative confirmed that the NSA had developed the prized technique of concealing spyware in hard drives, but said he did not know which spy efforts relied on it.

NSA spokeswoman Vanee Vines declined to comment.


There's a lot more to this than just the hard drives.

Friday, January 09, 2015

Banking Malware Targeting Infrastructure SCADA Networks Like Stuxnet Did, but for What Purpose?

Researcher spots spike in traditional financial malware hitting ICS/SCADA networks -- posing as popular GE, Siemens, and Advantech HMI products.

A renowned ICS/SCADA security researcher has discovered a surprising twist in cyberattacks hitting plant floor networks: traditional banking Trojan malware posing as legitimate ICS software updates and files rather than the dreaded nation-state custom malware in the wake of Stuxnet.

Kyle Wilhoit, senior threat researcher with Trend Micro, recently found 13 different types of crimeware versions disguised as human machine interface (HMI) products Siemens Simatic WinCC, GE Cimplicity, and Advantech device drivers and other files. The attacks appear to be coming from traditional cybercriminals rather than nation-state attackers, and are not using cyber espionage-type malware.

"It's an interesting trend -- traditional banking Trojans, not targeted attacks," Wilhoit says.

The ICS/SCADA community has been understandably on alert for the next Stuxnet-type attack, and recent discoveries of malware such as Havex and BlackEnergy, both of which have been detected targeting that environment, have put these types of nation-state, targeted attacks in focus.

But Wilhoit says his findings show that traditional cybercriminals are looking for targets in the ICS/SCADA world, and likely for money-making rather than spying or sabotage purposes. "So to succeed in attacking SCADA, you don't have to necessarily be targeted in nature... The ultimate end goal here is probably not industrialized espionage, but to get banking credentials" or other financially lucrative information, he says.

Wednesday, September 03, 2014

Google's VirusTotal Being Used by Chinese Cyberwarfare Units to Test Malware

Before companies like Microsoft and Apple release new software, the code is reviewed and tested to ensure it works as planned and to find any bugs.

Hackers and cybercrooks do the same. The last thing you want if you’re a cyberthug is for your banking Trojan to crash a victim’s system and be exposed. More importantly, you don’t want your victim’s antivirus engine to detect the malicious tool.

So how do you maintain your stealth? You submit your code to Google’s VirusTotal site and let it do the testing for you.

It’s long been suspected that hackers and nation-state spies are using Google’s antivirus site to test their tools before unleashing them on victims. Now Brandon Dixon, an independent security researcher, has caught them in the act, tracking several high-profile hacking groups—including, surprisingly, two well-known nation-state teams—as they used VirusTotal to hone their code and develop their tradecraft.

“There’s certainly irony” in their use of the site, Dixon says. “I wouldn’t have expected a nation state to use a public system to do their testing.”

Tuesday, March 04, 2014

Are the Russians Behind the Uroburos Malware?


Russian government hackers are suspected of creating a highly-sophisticated piece of malware designed to steal files from nation states’ digital infrastructure.

The Uroburos malware, named after an ancient symbol depicting a serpent or dragon eating its own tail that recently appeared in the Broken Sword 5 video game, works in peer-to-peer mode, meaning it can move across machines even if they're not connected to the public Internet.

G-Data said Uroburos was “one of the most advanced rootkits we have ever analysed in this environment”.

Tuesday, February 25, 2014

Malware Designed to Mine Bitcoins

A team of computer scientists at the University of California, San Diego, has taken an unprecedented, in-depth look at how malware operators use the computers they infect to mine Bitcoin, a virtual currency whose value is highly volatile.

Researchers examined more than 2,000 pieces of malware used by Bitcoin mining operations in 2012 and 2013. They were able to estimate how much money operators made off their operations and which countries were most affected. The computer scientists report that the revenue of 10 of the mining operations they studied reached at least 4,500 Bitcoin over two years. This may not seem like much, but Bitcoin's value increased from about $10 to about $1,000 during that time, with a peak of $1,100 in November 2013. One Bitcoin is currently worth about $618.

Bitcoin mining is particularly attractive for malware operators because of its low cost and because it requires little to no investment in any kind of infrastructure. "At the current stratospheric value of Bitcoin, miners with access to significant computational horsepower are literally printing money," said Danny Huang, a Ph.D. student in computer science and the first author on the study.

This has the potential to change the game in malware, explained Alex Snoeren, a professor of computer science at the Jacobs School of Engineering at UC San Diego, and one of the paper's co-authors. "If it ever becomes very profitable, it could reinvigorate the malware industry," he said.

The study is part of a larger effort by computer scientists at UC San Diego to better understand how malware operators make money, from sending spam to stealing personal information, such as credit card numbers. "These transactions show how society and technology shape each other," said Huang. Researchers will present their paper, "Botcoin: Monetizing Stolen Cycles," at the Network Distributed System Security conference Feb. 23 to 25 in San Diego. To track down transactions, researchers used techniques developed by their colleague and co-author, Sarah Meiklejohn, a Ph.D. student at the Jacobs School of Engineering.

The study was conducted in partnership with George Mason University, UC Berkeley and the International Computer Science Institute.

Thursday, October 31, 2013

Keeping with the Scary Halloween Theme: Meet badBIOS, the Malware Which Can Infect Across Air Gaps

Three years ago, security consultant Dragos Ruiu was in his lab when he noticed something highly unusual: his MacBook Air, on which he had just installed a fresh copy of OS X, spontaneously updated the firmware that helps it boot. Stranger still, when Ruiu then tried to boot the machine off a CD-ROM, it refused. He also found that the machine could delete data and undo configuration changes with no prompting. He didn't know it then, but that odd firmware update would become a high-stakes malware mystery that would consume most of his waking hours.

In the following months, Ruiu observed more odd phenomena that seemed straight out of a science-fiction thriller. A computer running the OpenBSD operating system also began to modify its settings and delete its data without explanation or prompting. His network transmitted data specific to the Internet's next-generation IPv6 networking protocol, even from computers that were supposed to have IPv6 completely disabled. Strangest of all was the ability of infected machines to transmit small amounts of network data with other infected machines even when their power cords and Ethernet cables were unplugged and their Wi-Fi and Bluetooth cards were removed. Further investigation soon showed that the list of affected operating systems also included multiple variants of Windows and Linux.

"We were like, 'Okay, we're totally owned,'" Ruiu told Ars. "'We have to erase all our systems and start from scratch,' which we did. It was a very painful exercise. I've been suspicious of stuff around here ever since."

In the intervening three years, Ruiu said, the infections have persisted, almost like a strain of bacteria that's able to survive extreme antibiotic therapies. Within hours or weeks of wiping an infected computer clean, the odd behavior would return. The most visible sign of contamination is a machine's inability to boot off a CD, but other, more subtle behaviors can be observed when using tools such as Process Monitor, which is designed for troubleshooting and forensic investigations.

Another intriguing characteristic: in addition to jumping "airgaps" designed to isolate infected or sensitive machines from all other networked computers, the malware seems to have self-healing capabilities.

"We had an air-gapped computer that just had its [firmware] BIOS reflashed, a fresh disk drive installed, and zero data on it, installed from a Windows system CD," Ruiu said. "At one point, we were editing some of the components and our registry editor got disabled. It was like: wait a minute, how can that happen? How can the machine react and attack the software that we're using to attack it? This is an air-gapped machine and all of the sudden the search function in the registry editor stopped working when we were using it to search for their keys."