Showing posts with label Malware.

Wednesday, 8 July 2015

The Hackers Become The Hacked

Milan-based “digital mercenar[ies]” Hacking Team have fallen on their own sword in a hack that has revealed documents alleging that the company did business with various repressive regimes.  The outfit uses vulnerabilities and malware to access the networks of their clients’ targets in a legal offensive capability, which they offer to law enforcement services and national security organisations.

A Reporters Without Borders report released in 2013 named Hacking Team as a “corporate enem[y] of the internet”.  Hacking Team has frequently denied selling their software to repressive administrations, and the firm responded to the report with a statement claiming that they go “to great lengths to assure that [their] software is not sold to governments that are blacklisted by the EU, the USA, NATO and similar international organisations or any ‘repressive’ regime.”  They repeat this on their website; yet the 400GB of leaked documents suggest that they have been providing services to several repressive authorities, including those of Azerbaijan, Bahrain, Kazakhstan, Russia, Saudi Arabia, the UAE and Uzbekistan.

The integrity of these documents, which were publicised through the firm’s official Twitter feed, has not yet been independently verified.  The hackers posted to the feed for hours after the initial deluge, until the company regained control on Monday morning.  The posts, which highlighted particular documents (including emails, invoices and screenshots of employee computers), have since been removed.  The organisation’s Twitter name was changed to Hacked Team and has since been changed back.

One of these tweets asserts that negotiations between Hacking Team and a third-party reseller took place with a view to exporting their software to Nigeria.  Such a sale may have circumvented the export controls put in place by Italy.  Another tweet shows an internal debate about a course of action after the University of Toronto asserted that the firm had sold hacking software to Ethiopia for the purpose of attacking US journalists.  These allegations have never been confirmed or dismissed publicly by the company; however, in March, a spokesperson dismissed them as “based on some nicely presented suppositions”.

In January 2015 the company denied to the Italian representative of the UN that they had any current business relations with the national intelligence service of Sudan.  Despite this, one of the documents supposedly leaked from the company contains an invoice for 480,000€ received from the Sudanese.  The answer to the UN’s follow-up question, “whether there have [been] any previous business arrangements”, is not recorded.

The organisation’s website specifically states that they “provide [their] software only to governments or government agencies” and not to “individuals or private businesses”.  However, another invoice suggests that they had dealings with the private Brazilian company YasNiTech, to whom three months’ access to their remote access tool was sold.  This allowed the organisation to hack into Android, Blackberry and Windows devices.  It is unknown whether this was part of a larger contract with the Brazilian state government; if not, it is in clear breach of their policy.

The hacker who has now claimed responsibility for the Hacking Team hack also claimed responsibility for the hack of their “wannabe competitor”, Gamma Group International.  GGI were best known for their FinFisher surveillance software; 40GB of material relating to it was leaked in 2014, giving details of their clients, capabilities and pricing.

Christian Pozzi, an employee of Hacking Team, tweeted that the documents are “false lies” and that “a lot of what the attackers are claiming regarding [their] company is not true”.  He stated that they “are currently working closely with the police” and that he “can’t comment about the recent breach”.  Later his feed was hacked, and then the entire account was deleted.

The rare chance to look, allegedly, inside the workings of a cyber-surveillance firm like Hacking Team is being welcomed by numerous privacy groups.  Privacy International released a statement saying that the “tools [Hacking Team are selling] are [being] used to target human rights activists and pro-democracy supporters at home and abroad.  Surveillance companies like Hacking Team have shown they are incapable of responsibly regulating themselves, putting profit over ethics, time after time. Since surveillance companies continue to ignore their role in repression, democratic states must step in to halt their damaging business practices.”

The veracity of these documents has not yet been confirmed, but many are calling for a full investigation.  Among them is Marietje Schaake, a Dutch MEP who has been dealing with issues in surveillance technology for years, who is calling for an “urgent, thorough investigation” into the legality of the alleged sales and whether or not they contravene the European sanctions against Russia and Sudan.  Whether or not the documents turn out to be genuine, many people are asking who will be the hacker’s next target.

In a previous post we discussed the exploitation of zero-day vulnerabilities in Adobe Flash Player, specifically the flaw CVE-2015-3113.  The data dump from the Hacking Team hack revealed another zero-day vulnerability affecting Flash Player and Windows, a patch for which is expected to be released today.  Remember to install this patch as soon as possible to avoid attacks on your system.

Tuesday, 30 June 2015

Cybercriminals exploit Flash zero-day flaw

Last Tuesday Adobe Systems released a patch for the Flash Player vulnerability CVE-2015-3113.  However, just four days later, a malware researcher who goes by Kafeine spotted the Magnitude exploit kit being used in a drive-by download attack exploiting the vulnerability.

The flaw is tracked in the Common Vulnerabilities and Exposures database as CVE-2015-3113.  It turns out that it had zero-day status and had been targeted for several weeks by a China-based cyberespionage group before the patch was released.  These attacks targeted organisations in a broad range of industries, from aerospace, defence and technology to construction, transportation, engineering and telecommunications.

The goal of such attackers is to compromise sophisticated defence systems and to remain undetected for as long as possible.  For this reason it is not uncommon for Flash Player and other popular applications to be targeted with zero-day exploits.

Despite this, incidents of non-selective, widespread attacks using zero-day exploits are uncommon, predominantly because of the value of zero-day vulnerabilities to attackers.  Financially it does not make sense to use them in such brash campaigns, as this draws attention to the vulnerability and makes it more likely to be discovered and patched quickly.

Instead, exploit kit authors usually prefer to integrate exploits for already patched vulnerabilities, working on the principle that many users will not install patches quickly enough.  The creators of these exploit kits, however, are dramatically reducing the time they need to incorporate a new exploit.  As such, users are left with a much shorter window in which to deploy the patch before the exploit is integrated.  In the case of CVE-2015-3113 this window was only four days.  This causes problems for organisations that typically install updates on schedules separated by more than a week.

Another Flash Player exploit was integrated into the Nuclear exploit kit (EK) earlier this year, a mere week after the patch was released.  A trend of shrinking patch windows is emerging.

Currently, the Magnitude attacks on CVE-2015-3113 install the CryptoWall ransomware if successful.  This payload could be changed at any time by the attackers.

Monday, 24 November 2014

Sophisticated malware bug Regin detected

A sophisticated piece of malware believed to have been created by a government to obtain confidential information has been detected.

The bug, known as Regin, is believed to have been created in 2008 to spy on individuals, businesses and rival government organisations, according to computer security company Symantec.

Once the bug has breached a computer, it can gain control of the mouse pointer, recover deleted files and make copies of passwords.

Almost half of the attacks targeted individuals and small businesses, alongside telecoms companies, in what appears to be an attempt to gain access to calls routed through their infrastructure.

Regin victims may have been tricked into using fake versions of well-known websites, resulting in the installation of the bug. The low-key nature of the bug means it could be used in espionage campaigns lasting several years, Symantec said in a blog post.

The news comes in the wake of the Information Commissioner calling for a website live-streaming scenes from 584 UK homes and businesses via internet-connected security cameras and webcams to be taken down.

A hacker gained control of the cameras through their remote log-in function, which is easy to abuse if the owner keeps using the default password the device was shipped with.

The anonymous creator of the Russian site told the Telegraph the hack was enabled by "laziness and IT ignorance" on the part of the public.

Stephen Bonner, a partner in KPMG’s Cyber Security practice, said Regin appeared to carry the fingerprints of a sophisticated cyber espionage operation, "possibly by a nation state".

"Firms need to think carefully about how they protect their most sensitive information – their crown jewels – as well as being vigilant in detecting and being ready to respond to sophisticated attacks,” he said.

The bug has mainly infected computers in the Russian Federation, Saudi Arabia, Mexico and Ireland, according to research.

Symantec compared Regin with Stuxnet, a "large and complex" computer worm believed to have been developed by the US and Israel to sabotage the Iranian nuclear research programme, making it the world's first digital weapon.

How to choose a secure password

• Do not keep the default password
• Choose a password with a combination of upper and lower case letters, numbers and keyboard symbols
• Choose a password containing at least eight characters - longer passwords are harder for criminals to guess or break
• Avoid using obvious passwords such as names or birthdays of people close to you, or numerical passcodes or PINs that use ascending or descending numbers
• Don’t recycle passwords (for example password2, password3)
• Never disclose your passwords to anyone else; if you think that someone else knows your password, change it immediately
• Don't enter your password when others can see what you are typing
• Change your passwords regularly
• If you must write passwords down in order to remember them, make sure they are meaningless and unusable to other people by writing them in code.
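As an added illustration (not part of the Telegraph article), the following Python function checks a candidate password against the rules listed above and reports every rule it breaks. The default-password and obvious-word lists are constructed placeholders standing in for the real vendor defaults and personal details an organisation would load, and treating two passwords as "recycled" when they differ only in their digits and symbols is this example's own heuristic for catching the password2 / password3 pattern.

```python
import re
import string

# Constructed list of common vendor default passwords (illustrative only).
DEFAULT_PASSWORDS = {"admin", "password", "12345", "123456", "1234", "default"}

# Constructed personal words and dates a user might be tempted to use
# (in practice this would be built from the user's own details).
OBVIOUS_WORDS = {"john", "mary", "1990", "0101"}


def has_sequential_digits(password, run=4):
    """True if the password contains `run` or more consecutive digits that
    ascend or descend by one, e.g. 1234 or 9876 (the PIN rule above)."""
    for i in range(len(password) - run + 1):
        chunk = password[i:i + run]
        if not chunk.isdigit():
            continue
        steps = {int(chunk[j + 1]) - int(chunk[j]) for j in range(run - 1)}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _stem(password):
    """Lower-case the password and drop digits and symbols, so that
    'Password2' and 'password3!' both reduce to the stem 'password'."""
    return re.sub(r"[^a-z]", "", password.lower())


def is_recycled(password, previous_passwords):
    """Heuristic: a password is 'recycled' if it shares its letter stem with
    any previous password, i.e. only the numbers or symbols were changed."""
    stem = _stem(password)
    return bool(stem) and any(stem == _stem(p) for p in previous_passwords)


def password_problems(password, previous_passwords=()):
    """Return a list of the rules from the checklist that `password` breaks;
    an empty list means it passes every check implemented here."""
    problems = []
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("default password")
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if not any(c in string.punctuation for c in password):
        problems.append("needs a keyboard symbol")
    if any(word in password.lower() for word in OBVIOUS_WORDS):
        problems.append("contains an obvious name or date")
    if has_sequential_digits(password):
        problems.append("contains an ascending or descending digit sequence")
    if is_recycled(password, previous_passwords):
        problems.append("recycles a previous password")
    return problems


if __name__ == "__main__":
    for candidate, history in [("admin", []), ("Summer2345!", []),
                               ("Password3", ["Password2"]), ("Tr0ub4dor&3", [])]:
        print(candidate, "->", password_problems(candidate, history) or "ok")
```

The check is deliberately a list of independent rules rather than a single score, so that the user is told exactly which item of the checklist to fix; the digit-sequence and recycling tests are the two that a simple "eight characters, mixed case" policy would miss.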

(Article taken from telegraph.co.uk)

E-Cigarettes From China Spreading Malware Through USB Charger

Smoking may damage not only your health but also your computer, as e-cigarettes manufactured in China are reportedly being used to spread malicious software through the USB connection used to charge the device.

A recent post to social news site Reddit detailed how the computer of an executive at a "large corporation" had been infected with malware from an undetermined source. Further investigation apparently revealed that it had stemmed from a $5 (£3.20) e-cigarette bought from the online auction site eBay.

"The executive's system was patched up to date, had antivirus and anti-malware protection," Reddit user Jrockilla said. "Web logs were scoured and all attempts made to identify the source of the infection but to no avail. Finally after all traditional means of infection were covered, IT started looking into other possibilities. They finally asked the executive: 'Have there been any changes in your life recently?' The executive answered: 'Well yes, I quit smoking two weeks ago and switched to e-cigarettes.' And that was the answer they were looking for."

The e-cigarette was found to have malware hard-coded into the charger, which "phoned home" and infected the system when plugged into the computer's USB port. Pierluigi Paganini, chief information security officer at ID management firm Bit4Id, said that electronic cigarettes were just the latest vector to serve the spread of malicious software.

"Hackers are able to exploit any electronic device to serve a malware to compromise a poorly protected network," Paganini said in a blog post. "Despite the (fact the) idea could appear hilarious, many electronic cigarettes can be charged over USB using a special cable or by inserting one end of the cigarette directly into a USB port."

Paganini cites other examples of "apparently harmless" USB devices being used as a hacking tool in the past, including a charger for Apple iOS devices like iPhones and iPads.
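The article does not say how the charger got its payload onto the host, only that a device sold as a charger did something a charger should not. The defensive point is that a USB port trusts whatever a device claims to be, so the first thing to watch is what each device actually enumerates as. As an added example (not from the article, Reddit post or Bit4Id), the Python below runs over constructed Linux kernel log lines of the kind dmesg prints when a USB device is plugged in, builds an inventory of devices by port, and flags any device that is not on an organisation's allowlist or that registers a keyboard interface. The vendor/product ids, product strings and the allowlist are all constructed for the example.

```python
import re
from collections import OrderedDict

# Constructed sample of kernel messages (dmesg / journalctl -k style), not a
# real capture: a known USB stick followed by a "charger" that also asks the
# host to treat it as a keyboard.
SAMPLE_KERNEL_LOG = """\
usb 1-1: new high-speed USB device number 4 using xhci_hcd
usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-1: Product: Cruzer Blade
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: new full-speed USB device number 5 using xhci_hcd
usb 1-2: New USB device found, idVendor=1a2b, idProduct=3c4d, bcdDevice= 0.01
usb 1-2: Product: E-Cig Charger
input: E-Cig Charger as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/0003:1A2B:3C4D.0002/input/input7
hid-generic 0003:1A2B:3C4D.0002: input,hidraw1: USB HID v1.11 Keyboard [E-Cig Charger] on usb-0000:00:14.0-2/input0
"""

# Constructed allowlist of (idVendor, idProduct) pairs the organisation approves.
ALLOWLIST = {("0781", "5567")}

NEW_DEVICE_RE = re.compile(
    r"^usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT_RE = re.compile(r"^usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[\d.-]+):[\d.]+: USB Mass Storage device detected")
HID_RE = re.compile(
    r"^hid-generic 0003:(?P<vid>[0-9A-F]{4}):(?P<pid>[0-9A-F]{4})\.\d+: "
    r".*USB HID v[\d.]+ (?P<kind>\w+) \[")


def parse_usb_events(log_text):
    """Build an inventory of enumerated devices, one entry per port, recording
    the vendor/product ids, the product string and which interface kinds
    (mass storage, HID keyboard, ...) the kernel bound to the device."""
    devices = OrderedDict()   # port -> device record, in enumeration order
    by_ids = {}               # upper-cased (vid, pid) -> device record
    for line in log_text.splitlines():
        m = NEW_DEVICE_RE.match(line)
        if m:
            dev = {"port": m["port"], "vid": m["vid"], "pid": m["pid"],
                   "product": None, "interfaces": []}
            devices[m["port"]] = dev
            by_ids[(m["vid"].upper(), m["pid"].upper())] = dev
            continue
        m = PRODUCT_RE.match(line)
        if m and m["port"] in devices:
            devices[m["port"]]["product"] = m["name"]
            continue
        m = STORAGE_RE.match(line)
        if m and m["port"] in devices:
            devices[m["port"]]["interfaces"].append("storage")
            continue
        m = HID_RE.match(line)          # hid lines carry ids, not the port
        if m and (m["vid"], m["pid"]) in by_ids:
            by_ids[(m["vid"], m["pid"])]["interfaces"].append("hid:" + m["kind"].lower())
    return list(devices.values())


def suspicious_devices(devices, allowlist=ALLOWLIST):
    """Return (device, reason) pairs worth a defender's attention: anything not
    on the allowlist, and anything that registers a keyboard interface, since
    a keyboard can type commands as the logged-in user."""
    findings = []
    for dev in devices:
        reasons = []
        if (dev["vid"], dev["pid"]) not in allowlist:
            reasons.append("not on allowlist")
        if "hid:keyboard" in dev["interfaces"]:
            reasons.append("presents a keyboard interface")
        if reasons:
            findings.append((dev, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for dev, reason in suspicious_devices(parse_usb_events(SAMPLE_KERNEL_LOG)):
        print(f"port {dev['port']} {dev['vid']}:{dev['pid']} "
              f"{dev['product']!r} [{', '.join(dev['interfaces'])}] -> {reason}")
```

On the constructed log the known stick passes and the charger is reported both for being unknown and for presenting a keyboard. The allowlist approach is the same idea as the "keep the default password" rule above turned around: decide in advance which devices may talk to the machine, rather than trusting whatever a vendor's firmware announces.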

(Article taken from ibtimes.com)