According to ZDNet, during the last couple of hours visitors to popular, high-traffic web sites such as CNN, BBC, Washington Post, Gamespot, WorldOfWarcraft, Mashable, Chow.com, ITpro.co.uk, AndroidCommunity, Engadget and Chip.de started reporting that parts of those sites were unreachable because of malware warnings triggered by content served through EyeWonder, an interactive digital advertising provider.
According to Google’s SafeBrowsing advisory for EyeWonder, the exploits were hosted on domains that are currently active and participating in the Cold Fusion injection attacks, namely elfah .net, 2ici .cn and javazhu.3322 .org; the same domains have also managed to compromise Pakistan’s Telecommunication Authority.
Using a RealPlayer Import stack overflow exploit and a second exploit attempting a QVOD Player URL overflow, the cybercriminals then attempt to push eight different malware samples. Detection rates for the droppers are improving.
Interestingly, one of the malware samples attempts to download an updated list of malware binaries by connecting to a compromised Italian site (betheboss.it) that is part of the Cold Fusion injection attacks, since that site appears to have been exploited for exactly this purpose.
This malware incident demonstrates how a single exploitation of a trusted third-party content/ad serving vendor can not only undermine its credibility, but potentially the credibility of the sites using the network. And since the ads on the affected sites are dynamically served through different networks, it remains questionable whether it was in fact EyeWonder that served malicious content, or a compromised partner of the network itself.
Case in point: the partnership between Facilitate Digital and EyeWonder is implemented in a very insecure fashion, with EyeWonder’s front page carrying a permanent iFrame tag that loads a domain (adsfac.us) belonging to Facilitate Digital.
For the time being, EyeWonder.com remains down for maintenance.
Credit: ZDNet.com Security Blogs
Researchers at ESET have reliable intelligence that the Waledac botnet is currently being prepared for a spam campaign around the Independence Day theme. They have registered at least 18 domain names all related to the theme of video, fireworks, and Independence Day. The criminals behind Waledac are preparing to start sending spam with links to supposed videos of Independence Day fireworks which are, in reality, fresh copies of the Waledac malware family.
ESET estimates the size of Waledac’s botnet as tens of thousands of infected computers. More than 20,000 compromised computers will be used to send the malicious emails, in an effort to increase the size of the botnet. This effort will allow the criminals to send out even more spam. Currently, detection of the new variants of Waledac is quite low, with only a handful of antivirus products detecting the newest threat.
The Waledac family has been active since the end of 2008 and has been known to exploit events such as Christmas or Valentine’s day in order to spread in a way very similar to methods used by the infamous Storm Worm. Also, just like the Storm Worm, Waledac uses a peer-to-peer network to receive commands from its controllers. The main objective behind the Waledac operation is to use infected computers to send spam.
Consumers are reminded not to follow links in unsolicited emails, even if they appear to come from someone they know. As dangerous as fireworks can be, when used as directed, they are still safer than unsolicited emails!
Credit: ESET ThreatBlog
Earlier today, Trend Micro Technical Account Manager Fioravante Souza in Brazil spotted a (potentially harmful) URL that redirects users from the Best Buy domain site. Users who visit www.bestbuy.com, as it turns out, are redirected to the URL http://pics. bubbled.cn/gallery/hardcore/?23c4f60c1b9f604d6ffb21cba599301f (do not visit). The compromised page in the domain is found to be the landing page where visitors choose the language to be used as they browse within the site. Threat Research Manager Ivan Macalintal further identifies that a GEO-IP check happens before the said landing page is displayed.
“If (the) requesting IP is from the Latin America Region (LAR), users are redirected to the ‘Choose English or Spanish’ page—and then bingo!” Macalintal says.
The source code of the landing page shows a garbled block of code at the bottom of the script, a clear sign of code obfuscation. Beneath three layers of obfuscation, an iframe redirects the user to a Luckysploit-laden site. The Luckysploit web exploit kit and the obfuscation seen are reminiscent of those found in Gumblar.
The WHOIS info of the .CN site states that it was created only on June 4, 2009, by the same old criminals. Further investigation shows that the first .CN site is actually located in Germany and is used by attackers in Ukraine. Suffice it to say, the Russkranians are the culprits once again.
Best Buy has been informed of the said URL redirections and is resolving the matter.
Credit: TrendLabs/Trend Micro
Websense Security Labs has detected that Torrentreactor, one of the oldest and most reliable torrent search engines on the Web, has been compromised and injected with malicious code. The site has been injected with an IFrame leading to a site laden with exploits. The exploits on the payload site include Internet Explorer (MDAC) and Microsoft Office Snapshot Viewer, as well as Adobe Acrobat Reader and Adobe Shockwave.
According to Websense, the malware has an extremely low detection rate, with just two of 32 anti-virus engines identifying the threat. If the user’s browser is successfully exploited, a malicious file is downloaded and run from the exploit site. The file is a Trojan Downloader that connects to a Bot C&C server at IP 78.109.29.116 and then downloads a Rootkit installer from the same IP; once executed, the installer places a rootkit on the victim’s machine. This IP address has ties to the Russian Business Network.
This isn’t the first time that security researchers have reported Torrentreactor is foisting malware on its users. In March 2008, the site suffered a similar iframe attack, according to Dancho Danchev.
Credit: The Register
Credit: Websense Security Labs
Manchester City Council was prevented from issuing hundreds of motoring penalty notices in time after the infamous Conficker worm knocked out parts of its IT systems.
Drivers caught on camera driving in bus lanes escaped punishment after the town hall fine processing system was taken offline in February, following infection by the infamous worm. Failure to issue 1,609 tickets within the statutory limit of 28 days left the city £43,000 out of pocket.
Clean-up costs and consultancy fees were a far more significant expense, estimated at £600k. In addition, council IT chiefs spent a further £600k on Wyse thin client terminals as part of an enhanced backup strategy.
Town hall chiefs also spent a further £169,000 on extra staff needed to handle a backlog of benefits claims. Compensation payments to benefit claimants piled on the financial pain.
In total the incident cost the council an estimated £1.5m, the Manchester Evening News reports. Infection by the worm left council workers unable to send emails or print documents, and struggling with extra red tape after they were obliged to keep additional back-up paper records in case data was lost.
Council chiefs have banned the use of memory sticks, which were blamed in internal memos for causing the infection, and have disabled all USB ports in response to the incident. Albert Square IT chiefs have also promised to revamp the council’s disaster recovery strategy, which the incident exposed as hopelessly inadequate.
Steve Park, Head of ICT at Manchester city council, told the MEN: “I’d like to reassure the public that we’ve built on and improved our disaster recovery strategy, which covers all our main networks.”
“This means that in the event of an emergency those key systems can be recovered with minimal disruption to the services involved.”
The fallout from the Conficker worm infection is the second time in a week that Manchester City Council has made headlines over IT failures. Data watchdogs at the ICO put the council on notice over breaches of the Data Protection Act last week, following the earlier loss of two unencrypted laptops from council premises. One of the stolen machines contained personal details on hundreds of teachers and support workers at local schools.
Previous victims of the Conficker worm have included the UK’s Houses of Parliament and hospitals in Sheffield, as well as many other organisations outside the UK.
Credit: The Register
The Iranian opposition coordinated a cyber attack yesterday that has successfully disrupted access to major pro-Ahmadinejad Iranian web sites, including the President’s homepage, which continues to return a “The maximum number of user reached, Server is too busy, please try again later…” message.
Through a combination of DIY (do-it-yourself) denial of service attack tools (DDoS), multiple-iFrame loading scripts, a public web page “refresher” tool, and a much more effective PHP script, the participants have already prompted some of the major Iranian outlets to switch to “lite” versions of their sites in an attempt to mitigate the attack.
The campaign appears to have been organized through Twitter, which, despite public reports that the site has been banned in Iran, appears to be still accessible through a persistent supply of proxy servers provided on behalf of the opposition.
Moreover, the ongoing distributed denial of service attacks are using techniques that greatly resemble those used in last year’s Russia vs Georgia cyber attack, and those Chinese hacktivists used back in 2008 to temporarily shut down CNN, with a single exception: there is no indication of botnet involvement in the present attack.
Instead, the attack relies on the so called people’s information warfare concept, which is the self-mobilization of individuals, or their recruitment based on political/nationalistic sentiments by a third-party, for conducting various hacktivism activities such as web site defacements, or launching distributed denial of service attacks.
The following are some of the sites that are currently under attack, remain totally unresponsive, or return “server is too busy” error messages:
Ahmadinejad.ir - Mahmoud Ahmadinejad’s Official Blog - under attack
Leader.ir - Office of the Supreme Leader, Sayyid Ali Khamenei - under attack
President.ir - Presidency of The Islamic Republic - under attack
Farsnews.com - Fars News Agency - under attack
Irib.ir - Islamic Republic of Iran Broadcasting - under attack
Kayhannews.ir - News Portal - “Service Unavailable”
Irna.ir - Islamic Republic News Agency - “service unavailable”
Mfa.gov.ir - Ministry of Foreign Affairs, Islamic Republic of Iran - under attack
Moi.ir - Ministry of Interior - under attack
Police.ir - National Police - under attack
Justice.ir - Ministry of Justice - under attack
Presstv.ir - Iranian Press TV - “server is too busy”
Among the first web-based denial of service tools used is one called “Page Rebooter”, which basically lets anyone set an interval for refreshing a particular page; in this case it is 1 second. Pre-defined links to the targeted sites were then distributed across Twitter and the Web, through messages like the following:
“Please spread word about a cyber effort to exert pressure on the paramilitary in Iran. They have launched denial of service attacks on US websites that are run by live bloggers feeding us up to the minute information about what is going on in Iran on the ground. To fight back, open these two URLs in as many tabs/windows as possible and simply leave your computer running overnight! We must show solidarity with them in their quest for freedom! The 2nd link targets PressTV, the mouthpiece of Ahmadinejad and Khamenei.”
The second stage of the campaign consisted of the distribution of a multiple-iFrame loading script that automatically refreshed farsnews.com, irna.ir and rajanews.com. The script has since changed its location and is advertised under a new domain.
The third stage was a combined attack, this time including DIY (do-it-yourself) denial of service tools (DDoS), which despite their primitive nature are indeed causing server overload for their targets. Each of the tools is distributed with a simple manual, including links to large images on the targeted web sites, which the software will attempt to fetch automatically through proxies.
The tools themselves, BWRaeper.exe (detected as Worm.AutoIt.AA), PingFlooder.exe (flagged as banker malware), Server_Attack_By-_C-4.exe (Riskware.ServerAttack.F) and SupportIran.php, have already been picked up by antivirus vendors. The last tool is a basic PHP script aimed at participants who run a server that supports PHP.
SupportIran.php has also been released as an improved version of the multiple-iFrame loader and is currently used in the attack as well, with the following sites pre-defined to be attacked simultaneously: khamenei.ir; presstv.ir; irna.ir; president.ir; mfa.gov.ir; moi.ir; police.ir; justice.ir; live.irib.ir.
There has already been speculation that the magnitude of these local attacks (Iranian users targeting Iranian web sites) is contributing to the “strange changes in Iranian traffic transit” reported during the last couple of days. The attacks are still ongoing.
Credit: ZDNet.com Security Blogs
A large internet service provider said data for as many as 100,000 websites was destroyed by attackers who targeted a zero-day vulnerability in a widely-used virtualization application.
Technicians at UK-based Vaserv.com were still scrambling to recover data on Monday evening UK time, more than 24 hours after unknown hackers gained root access to the company’s systems. The attackers penetrated the company’s servers by exploiting a critical vulnerability in HyperVM, a virtualization application made by a company called LXLabs. Vaserv.com was hit by a zero-day exploit in version 2.0.7992 of the HyperVM application.
Inquiries sent to LXLabs, which according to its website is located in Bangalore, went unanswered.
Data for about half of the websites hosted on Vaserv was destroyed all at once sometime Sunday evening, shortly after administrators noticed “strangeness” on the system. The attackers had the ability to execute sensitive Unix commands on the system, including “rm -rf,” which forces a recursive delete of all files.
Some 50 percent of Vaserv’s customers signed up for unmanaged service, which does not include data backup. It remains unclear whether those website owners will ever be able to retrieve their lost data. As a result, at least half the websites that were hosted by the service remain offline.
“Since last night, I’ve had probably 40 phone calls from clients saying ‘Why is my website down,’” said Daniel Voyce, a web developer for Nu Order Webs who uses Vaserv to host customer sites. “It’s making me look bad.”
Voyce said the hackers, given the high level of server access they gained, were likely able to intercept a wealth of sensitive data stored on Vaserv’s servers. Voyce said his customers are safe because all sensitive information was encrypted.
Little is known about the people who attacked the site. So far, there are no known reports of individuals taking credit for the hack. The breach was likely the result of a SQL injection attack that penetrated Vaserv’s central management software and removed vital binaries and data for about half of all user data stored by the service.
Vaserv specializes in low-cost web hosting using VPS, or virtualized private servers. Virtualization features in LXLabs’ HyperVM helped Vaserv provide the service, which costs a fraction of the price of dedicated server hosting.
It remains unclear how other webhosts using the HyperVM have been affected.
Update: On Monday, the boss of LxLabs was found dead in a suspected suicide. Reports of the death of K T Ligesh, 32, come in the wake of the exploitation of a critical vulnerability in HyperVM. The effect of his death on the development of updated software by LxLabs is unknown at time of writing.
Ligesh was found hanged in his Bangalore house on Monday morning, after a late night drinking session. The Times of India reports that he was upset with the loss of a recent contract. Ligesh was also still coming to terms with the suicides by hanging of his sister and mother five years ago.
Security researchers at Milw0rm warn that the Kloxo (formerly Lxadmin) web hosting platform from LxLabs contains 24 security vulnerabilities and exploits. The flaws include SQL injection vulnerabilities and flaws that create a way for hackers to gain access to files hosted on a vulnerable system.
The vulnerabilities are confirmed to affect Kloxo version 5.75, though other versions may also be affected. Milw0rm went public with an alert on the vulnerabilities last Thursday after failing to hear back from LxLabs in what it considered to be a timely manner.
LxLabs recently said that more than 30,000 virtualized private servers (VPSes) were managed by HyperVM, and more than 8,000 servers ran Kloxo. The largest single installation of HyperVM centrally manages more than 4000 VPSes.
Virtualization features of HyperVM allow hosting firms such as VAserv to provide low-cost web hosting at a fraction of the price of dedicated server hosting.
Credit: The Register
A recent McAfee service pack led to systems being rendered unbootable, according to posts on the security giant’s support forums.
The mandatory service pack for McAfee’s corporate virus-scanning product, VSE 8.7, was designed to address minor security bugs but instead tagged Windows system files as malware. The software update was issued on 27 May and pulled on 2 June, after problems occurred. In a low-key announcement on McAfee’s knowledge base, users were advised to keep the patch if they had already installed it.
Posts on McAfee’s support forum paint a different picture, of PCs and servers left unbootable after the update automatically deleted Windows system files wrongly identified as potentially malign. Users described the incident as a “massive fail” by McAfee, and reports suggest that sysadmins are angry that a long-awaited patch turned out to do more harm than good.
In a statement, McAfee acknowledged potential problems but said that these were rare. It said it planned to reissue the service pack once glitches with the software were ironed out.
McAfee removed Patch 1 for McAfee VirusScan Enterprise 8.7i from its download servers out of precaution after a potential issue with the update was discovered. A very small number of customers reported trouble with the patch on a limited number of computers.
Once the cause of the problem has been identified and the issue has been resolved, we will repost Patch 1. Customers should contact McAfee support if they have any questions regarding this issue, and check the McAfee ServicePortal for further updates.
Problems with anti-virus scanner definition updates that result in false alarms against harmless files are a well known Achilles’ heel of security software. The issue causes more trouble in cases where system files are flagged as potentially malign. The problems with McAfee’s enterprise security software are arguably even worse than that because they involve a service pack and not just regular definition updates.
McAfee users have every right to ask tough questions about the security giant’s quality assurance and testing regime even if, as McAfee states, only a small percentage of users ran into problems.
Credit: The Register
Hackers claim to have stolen all T-Mobile US’s corporate data, customer accounts and network infrastructure. It includes databases, confidential documents, scripts and programs from T-Mobile servers, financial documents up to 2009. T-Mobile has 148m subscribers worldwide and 33m in the US.
The mail, sent to The Reg, claims that the group tried to sell the data to T-Mobile’s competitors, but was turned down. It is now offering it for sale to the highest bidder. The message said the group tried contacting people by email. But given spam filters, and the weekend timing of the leak, it could be the messages never got through.
The mail contains some details of what has been stolen, and is available from insecure.org.
A T-Mobile spokesman said 2 days ago: “The protection of our customers’ information, and the safety and security of our systems, is absolutely paramount at T-Mobile. Regarding the recent claim, we are fully investigating the matter. As is our standard practice, if there is any evidence that customer information has been compromised, we would inform those affected as soon as possible.”
Yesterday T-Mobile confirmed that files posted on a full disclosure mailing list are genuine, but the company did not explain whether or not cybercriminals really got full access to its systems, IDG reports.
T-Mobile, which is investigating the hack, has issued an updated statement saying that the posted data matches a document on its system, but this falls short of proving that customer records or other sensitive files were also compromised:
To reaffirm, the protection of our customers’ information and the security of our systems is paramount at T-Mobile.
Regarding the recent claim on a Web site, we’ve identified the document from which information was copied, and believe possession of this alone is not enough to cause harm to our customers.
We continue to investigate the matter, and have taken additional precautionary measures to further ensure our customers’ information and our systems are protected.
At this moment, we are unable to disclose additional information in order to protect the integrity of the investigation, but customers can be assured if there is any evidence that customer information has been compromised, we would inform those affected as quickly as possible.
Given that the hackers are attempting to attract bids for the purloined data, it is odd that they did not publish a sample of customer records, or similarly juicy information, rather than network scans of little interest to anyone except security anoraks. A sample of more interesting data would surely attract more bids, if that was the intention.
Some security firms are beginning to conclude that the hackers are holding little beyond the network scan data already posted. Amichai Shulman, CTO of Imperva, commented: “Rumours of a major T-Mobile data breach are all over the internet as hackers are reportedly selling confidential data to the highest bidder. Hackers have posted a list of servers they allegedly accessed and it is very comprehensive with some sensitive info in it.
Reports of the breach against T-Mobile US, alongside a previous confirmed leak of consumer data from parent firm Deutsche Telekom last year, detract from the firm’s overall reputation in security, Shulman argued.
“Telecom operators, with the massive amounts of data they store and collect, remain prime targets. Less than three years ago, T-Mobile’s owner, Deutsche Telekom, experienced a breach losing 17 million records.
“The cumulative impact of these breaches will threaten not only T-Mobile’s brand image, but could also impact any telecommunications provider unless the issue of data security is vigorously addressed.”
Credit: The Register
Security experts have discovered a family of data-stealing trojans that have burrowed into automatic teller machines in Eastern Europe over the past 18 months.
The malware logs the magnetic-stripe data and personal identification number of cards used at an infected machine and provides an intuitive interface for retrieving the information using the ATM’s receipt printer, according to analysts from SpiderLabs, the research arm of security firm Trustwave. Since late 2007 or so, there have been at least 16 updates to the software, an indication that the authors are working hard to perfect their tool.
“They’re following more of a rapid development lifecycle,” Nicholas Percoco, vice president and head of SpiderLabs, said. “They’re seeing what works and putting out new versions.”
SpiderLabs researchers delved into four of the more recent versions, and what they found was a highly capable malware family written to professional standards. Once installed, it monitors the ATM’s transaction message queue for track 2 data stored on inserted cards. If the data belongs to a banking customer, the malware logs it, along with the PIN code that was entered.
The software also works with controller cards that allow the attackers to operate infected machines. When such a card is inserted, the ATM’s display shows a window offering 10 command options that can be selected using the keypad. Options include the ability to print collected data, restore log files to the condition prior to the malware installation, and uninstall the malware altogether.
A secondary menu also allows the person to force the machine to dispense all its cash. There is also documentation for another feature that would upload intercepted card data to a chip on the controller card, but that capability does not seem to work yet. Controller cards come in both master and single-function varieties. The former is presumably for people higher up in the organization, while the latter would be used by mules who are not fully trusted.
The findings build on a report issued in March by Sophos that documented card-sniffing trojans that targeted ATMs made by Diebold. The ATM manufacturer said several suspects had been apprehended following an incident “isolated in Russia” in which attempts were made to use the malware.
SpiderLabs’ Percoco said he didn’t know if the malware his researchers studied was tied to the Sophos report. Both malicious programs can be installed only by people with physical access to the machines, making some level of insider cooperation necessary. But unlike the Sophos report, SpiderLabs said the software targeted ATMs made by multiple vendors, though Percoco declined to say which ones. The SpiderLabs report said only that the targeted ATMs ran on the Windows XP operating system.
“These are systems that are connected to financial networks that are literally sitting out in the open, and they are vulnerable,” Percoco said. “All these systems are unattended, or most of them are. You often walk by when they’re being serviced.”
Credit: The Register