Posts Tagged ‘Germany’
Tuesday, July 1, 2014 @ 11:07 AM gHale
Attackers mainly targeting the energy sector were able to get in and surreptitiously cull strategic information.
As more reports become public, it is apparent the attack, labeled Dragonfly, is a cyber espionage program mainly targeting energy grid operators, major electricity generation firms, petroleum pipeline operators, and energy industry industrial equipment providers, according to a report from Symantec. The majority of the victims were located in the United States, Spain, France, Italy, Germany, Turkey, and Poland.
The attacker’s approach is very strategic and almost surgical in how they are able to get into various systems. The Dragonfly group has a range of malware tools at its disposal and is capable of launching attacks through a number of different vectors. Its most ambitious attack campaign saw it compromise a number of industrial control system (ICS) equipment providers, infecting their software with a remote access-type Trojan. This caused companies to install the malware when downloading software updates for computers running ICS equipment, the Symantec report said. These infections not only gave the attackers a beachhead in the targeted organizations’ networks, but also gave them the means to mount sabotage operations against infected ICS computers.
As more information is released, ICS-CERT continues to issue new reports on its public portal.
Dragonfly appears to have a broad focus with espionage and persistent access as its current objective with sabotage as an optional capability if required.
In addition to compromising ICS software, Dragonfly has used spam email campaigns and watering hole attacks to infect targeted organizations. The group has used two main malware tools: Backdoor.Oldrea and Trojan.Karagany. The former appears to be a custom piece of malware, either written by or for the attackers.
The Dragonfly group, also known by other vendors as Energetic Bear, appears to have been in operation since at least 2011 and may have been active even longer than that, according to the report. Dragonfly initially targeted defense and aviation companies in the U.S. and Canada before shifting its focus mainly to U.S. and European energy firms in early 2013.
The campaign against the European and American energy sector quickly expanded in scope. The group initially began sending malware in phishing emails to personnel in target firms, according to the report. Later, the group added watering hole attacks to its offensive, compromising websites visited by those working in energy in order to redirect them to websites hosting an exploit kit. The exploit kit in turn delivered malware to the victim’s computer. The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different ICS equipment manufacturers.
Dragonfly bears the hallmarks of a state-sponsored operation, displaying a high degree of technical capability. The group is able to mount attacks through multiple vectors and compromise numerous third party websites in the process. Dragonfly has targeted multiple organizations in the energy sector over a long period of time. Its current main motive appears to be cyber espionage. But that also has the potential for sabotage.
Analysis of the compilation timestamps on the malware used by the attackers indicates the group mostly worked between Monday and Friday, with activity mainly concentrated in a nine-hour period that corresponded to a 9 am to 6 pm working day in the UTC +4 time zone. Based on this information, it is likely the attackers are in Eastern Europe.
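The working-hours inference described above can be reproduced on any set of compile timestamps. The following is an added example (not code from the Symantec report) that bins UTC compile times by weekday and hour under every candidate UTC offset and picks the offset under which the most samples fall into a Monday-to-Friday, 9 am to 6 pm window. The timestamps are constructed for illustration and are not real Dragonfly samples; the 9-hour window and the offset range are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample: compile times already converted to UTC strings.
# For real PE files you would take the header's TimeDateStamp and convert it
# with datetime.fromtimestamp(ts, timezone.utc).  Remember that compile
# timestamps can be forged or zeroed, so this is only one attribution signal.
SAMPLE_TIMESTAMPS_UTC = [
    "2013-02-04 05:15:00",  # Monday
    "2013-02-05 07:40:00",  # Tuesday
    "2013-02-06 09:05:00",  # Wednesday
    "2013-02-07 11:30:00",  # Thursday
    "2013-02-08 13:45:00",  # Friday
    "2013-02-11 06:20:00",
    "2013-02-12 08:55:00",
    "2013-02-13 10:10:00",
    "2013-02-14 12:35:00",
    "2013-02-15 05:50:00",
    "2013-02-18 13:05:00",
    "2013-02-19 09:40:00",
    "2013-02-23 02:00:00",  # Saturday night outlier
]

WORK_START_HOUR = 9      # assumed local start of the working day
WORK_WINDOW_HOURS = 9    # 9 am to 6 pm, as in the report's observation
DAY_NAMES = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]


def parse_utc(stamps):
    """Parse 'YYYY-MM-DD HH:MM:SS' strings as UTC datetimes."""
    return [datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            for s in stamps]


def in_working_window(dt_local):
    """True if the (already shifted) datetime falls on a weekday inside the work window."""
    return (dt_local.weekday() < 5
            and WORK_START_HOUR <= dt_local.hour < WORK_START_HOUR + WORK_WINDOW_HOURS)


def working_window_hits(stamps_utc, offset_hours):
    """Count samples that land in the work window when viewed at UTC+offset_hours."""
    shift = timedelta(hours=offset_hours)
    return sum(1 for dt in stamps_utc if in_working_window(dt + shift))


def best_offset(stamps_utc, offsets=range(-12, 15)):
    """Return (offset, hits) for the UTC offset that best explains the activity.
    Ties are broken toward the offset closest to UTC."""
    scores = {off: working_window_hits(stamps_utc, off) for off in offsets}
    best = max(scores, key=lambda off: (scores[off], -abs(off)))
    return best, scores[best]


def weekday_counts(stamps_utc, offset_hours):
    """Histogram of local weekdays at the chosen offset, for a quick sanity check."""
    shift = timedelta(hours=offset_hours)
    return Counter(DAY_NAMES[(dt + shift).weekday()] for dt in stamps_utc)


if __name__ == "__main__":
    stamps = parse_utc(SAMPLE_TIMESTAMPS_UTC)
    off, hits = best_offset(stamps)
    print(f"best fit: UTC{off:+d} with {hits}/{len(stamps)} samples in the work window")
    print(weekday_counts(stamps, off))
```

With the constructed data the best fit is UTC+4 with 12 of 13 samples inside the window; the lone Saturday sample is the kind of outlier a real data set will contain. Run it against a larger sample before drawing conclusions, and treat the result as one signal among several rather than proof of location.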
Dragonfly uses two main pieces of malware in its attacks. Both are remote access tool (RAT) type malware which provide the attackers with access and control of compromised computers. Dragonfly’s favored malware tool is Backdoor.Oldrea, also known as Havex or the Energetic Bear RAT. Oldrea acts as a back door for the attackers onto the victim’s computer, allowing them to extract data and install further malware.
Oldrea appears to be custom malware, either written by the group itself or created for it. This provides some indication of the capabilities and resources behind the Dragonfly group.
Once installed on a victim’s computer, Oldrea gathers system information, along with lists of files, programs installed, and the root of available drives. It will also extract data from the computer’s Outlook address book and VPN configuration files. This data is then written to a temporary file in encrypted form before being sent to a remote command-and-control (C&C) server controlled by the attackers.
The majority of C&C servers appear to be on compromised servers running content management systems, indicating the attackers may have used the same exploit to gain control of each server. Oldrea has a basic control panel which allows an authenticated user to download a compressed version of the stolen data for each particular victim.
The second main tool used is Trojan.Karagany. Unlike Oldrea, Karagany was available on the underground market. The source code for version 1 of Karagany leaked in 2010. Symantec believes Dragonfly may have taken this source code and modified it for its own use. Symantec detected this version as Trojan.Karagany!gen1.
Karagany is capable of uploading stolen data, downloading new files, and running executable files on an infected computer. It is also capable of running additional plugins, such as tools for collecting passwords, taking screenshots, and cataloging documents on infected computers.
Symantec found the majority of computers compromised by the attackers suffered infection with Oldrea. Karagany saw use in 5 percent of infections. The two pieces of malware are similar in functionality and what prompts the attackers to choose one tool over another remains unknown.
The Dragonfly group used at least three infection tactics against targets in the energy sector. The earliest method was an email campaign, which saw selected executives and senior employees in target companies receive emails containing a malicious PDF attachment. Infected emails had one of two subject lines: “The account” or “Settlement of delivery problem.” All of the emails were from a single Gmail address.
The spam campaign began in February 2013 and continued into June 2013. Symantec identified seven different organizations targeted in this campaign. The number of emails sent to each organization ranged from one to 84.
The attackers then shifted their focus to watering hole attacks, compromising a number of energy-related websites and injecting an iframe into each which redirected visitors to another compromised legitimate website hosting the Lightsout exploit kit. Lightsout exploits either Java or Internet Explorer in order to drop Oldrea or Karagany on the victim’s computer. The fact the attackers compromised multiple legitimate websites for each stage of the operation is further evidence that the group has strong technical capabilities.
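A site owner checking whether their own pages carry the kind of injected redirect iframe described above can scan the served HTML for frames that are both hidden and point off-site. The following is an added example, not code from the Symantec report or any vendor tool; the sample page, the hostnames (all under reserved `.test`/`.invalid` domains) and the "hidden plus off-site" heuristic are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one legitimate partner video embed, one same-site
# widget, and one 1x1 hidden frame pointing at a third-party host.
SAMPLE_PAGE = """<html><body>
<h1>Grid operator newsletter</h1>
<iframe src="https://video.example-partner.test/embed/42" width="560" height="315"></iframe>
<iframe src="/widgets/weather" width="300" height="200"></iframe>
<div><iframe src="https://cms-compromised.invalid/stats.php" width="1" height="1" style="display:none;"></iframe></div>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":          # HTMLParser already lowercases tag names
            self.iframes.append(dict(attrs))


def hidden_reasons(attrs):
    """Return the reasons an iframe looks invisible to the visitor (empty if visible)."""
    reasons = []
    style = (attrs.get("style") or "").lower().replace(" ", "")
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden via style")
    for dim in ("width", "height"):
        value = (attrs.get(dim) or "").strip().lower().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            reasons.append(f"{dim}={value}")
    return reasons


def find_suspicious_iframes(html, site_host):
    """Flag iframes that are hidden AND load content from a host other than site_host.
    Visible third-party embeds are common and are not reported on their own."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or site_host   # relative src => same site
        hidden = hidden_reasons(attrs)
        if hidden and host != site_host:
            findings.append({"src": src, "host": host, "reasons": hidden})
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_iframes(SAMPLE_PAGE, "grid-operator.test"):
        print("suspicious iframe:", hit)
```

This catches the simple static injection pattern; iframes written by obfuscated JavaScript only appear in the rendered DOM, so a production check would also compare the HTML served to visitors against the content on disk, or render the page in a headless browser before scanning.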
Going After ICS Vendors
The most ambitious attack vector used by Dragonfly was the compromise of a number of legitimate software packages. Three different ICS equipment providers ended up targeted and malware inserted into the software bundles they had made available for download on their websites. All three companies made equipment used in a number of industrial sectors, including energy.
The first identified Trojanized software was a product used to provide VPN access to programmable logic controller (PLC) type devices. The vendor discovered the attack shortly after it was mounted, but there had already been 250 unique downloads of the compromised software.
The second company to suffer compromise was a European manufacturer of specialist PLC type devices. In this instance, a software package containing a driver for one of its devices ended up compromised. Symantec estimated the Trojanized software was available for download for at least six weeks in June and July 2013.
The third firm attacked was a European company which develops systems to manage wind turbines, biogas plants, and other energy infrastructure. Symantec believes that compromised software may have been available for download for approximately ten days in April 2014.
The Dragonfly group is technically adept and able to think strategically. Given the size of some of its targets, the group found a “soft underbelly” by compromising their suppliers, which are invariably smaller, less protected companies.
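Because the Trojanized bundles above were served from the vendors' own download sites, a checksum published on the same site offers no protection: whoever replaced the bundle could replace the checksum too. A defence that does help is a manifest of per-file hashes obtained through an independent, pinned channel (in practice, signed with the vendor's code-signing key) and checked after extraction, which also reveals exactly which files changed. The following is an added example, not code from Symantec or any of the vendors; the bundle layout and file contents are constructed placeholders, and the manifest is assumed to have been obtained out-of-band.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path):
    """Stream a file through SHA-256 so large installers do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(bundle_dir):
    """Vendor side: map each relative file path in the bundle to its SHA-256."""
    root = Path(bundle_dir)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_bundle(bundle_dir, manifest):
    """Customer side: compare an extracted download against the trusted manifest.
    Reports modified, added and missing files; any of them means do not install."""
    actual = build_manifest(bundle_dir)
    modified = sorted(p for p in manifest if p in actual and actual[p] != manifest[p])
    added = sorted(p for p in actual if p not in manifest)
    missing = sorted(p for p in manifest if p not in actual)
    return {"modified": modified, "added": added, "missing": missing,
            "ok": not (modified or added or missing)}


def _write_bundle(root, files):
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


def demo():
    """Constructed scenario: a clean bundle and its manifest, then a tampered copy
    in which one driver was patched and an extra library was dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        clean = Path(tmp) / "clean"
        _write_bundle(clean, {
            "setup.exe": b"INSTALLER-PLACEHOLDER",
            "drivers/plc.sys": b"DRIVER-PLACEHOLDER",
        })
        manifest = build_manifest(clean)          # assumed published out-of-band

        tampered = Path(tmp) / "tampered"
        _write_bundle(tampered, {
            "setup.exe": b"INSTALLER-PLACEHOLDER",
            "drivers/plc.sys": b"DRIVER-PLACEHOLDER-PATCHED",
            "drivers/extra.dll": b"UNEXPECTED-FILE",
        })
        return verify_bundle(clean, manifest), verify_bundle(tampered, manifest)


if __name__ == "__main__":
    clean_result, tampered_result = demo()
    print("clean bundle ok:", clean_result["ok"])
    print("tampered bundle:", tampered_result)
```

The manifest approach only works if the manifest's own integrity is anchored somewhere the attacker cannot reach; a hash list downloaded from the compromised site alongside the installer is theatre.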
Click here for more information on the Dragonfly attacks.
Tuesday, June 10, 2014 @ 03:06 PM gHale
By connecting dead ends, it is possible to significantly increase power grid stability.
As the input from renewable sources is volatile because of the uncertainty of things like how much and how hard the wind blows or if the sun is shining, there’s a higher risk of local power instabilities and potential blackouts.
In an effort to curb those issues, scientists from the Potsdam Institute for Climate Impact Research (PIK) in Potsdam, Germany, applied a novel concept from nonlinear systems analysis called basin stability. They found that connecting dead ends can significantly increase power grid stability. The findings were confirmed via a case study of the Scandinavian power system.
“The cheapest and thus widespread way to implement new generators into a high-voltage power grid is by simply adding single connections, like creating dead-end streets in a road network,” said Peter J. Menck, lead author of a study on the subject.
To test the resulting system’s stability, the scientists simulated large perturbations in a standard electrical engineering model. “We found that in the power grid nodes close to the dead-end connections, the ability to withstand perturbations is largely reduced,” Menck said.
“Yet it turned out that this can be easily repaired by judiciously adding just a few transmission lines,” Menck said. Apparently, the provision of alternative routes in the network should allow for a dispersion of perturbation effects. Thereby, technical protection mechanisms at the different nodes of the grid can deal with problems, while dead ends make the effects culminate at single points of the network.
These new insights are the result of applying for the first time the novel mathematical concept of basin stability developed at PIK.
“From energy grids to the Amazon jungle or human body cells, systems possess multiple stable states,” said co-author Jürgen Kurths who leads the institute’s research domain “Transdisciplinary Methods and Concepts.”
“To understand blackouts, forest dieback, or cancer, it is crucial to quantify the stability of a system – and that’s precisely what we’re now able to do,” he said.
The concept conceives a system’s alternative states as points in a mountainous landscape with steep rocks and deep valleys. The likelihood that a system returns to a specific sink after suffering a severe blow depends on how big this basin is.
“Compared to the potential costs of a blackout, adding a few transmission lines would definitely be affordable,” said co-author Hans Joachim Schellnhuber, director of PIK. “The new study gives just one example that innovative solutions, in our case even based on already existing technology, can indeed help master the transformation of our energy system, for many good reasons such as climate stabilization.”
Wednesday, May 21, 2014 @ 07:05 PM gHale
Cyber crime and investigations know no boundaries and last week 300 houses ended up raided and over 100 people arrested as part of an international law enforcement operation targeting people believed to be responsible for selling, creating and using the BlackShades Remote Access Trojan (RAT).
News of the operation came out last week, when the members of hacker forums said police raided them. On Monday, Europol confirmed the operation and provided more details.
Raids took place in over 10 countries, including Belgium, France, the Netherlands, Germany, UK, Estonia, Austria, Canada, U.S., Denmark, Chile, Italy and Croatia.
Investigators seized over 1,000 computers, laptops, mobile phones, USB sticks, external hard drives and routers.
“This case is yet another example of the critical need for coordinated law enforcement operations against the growing number of cyber criminals operating on an EU and global level,” said Troels Oerting, head of the European Cybercrime Centre (EC3).
“EC3 will continue — together with Eurojust and other partners — to work tirelessly to support our partners in the fight against fraudsters and other cyber criminals who take advantage of the Internet to commit crime. The work is far from over, but our cooperation to work together across borders has increased and we are dealing with cases on an ongoing basis.”
The BlackShades RAT, which sells for between $40 and $100, is a popular tool among cybercriminals. The malware can hijack webcams, steal files, log keystrokes, and launch denial-of-service attacks against a designated target.
In a recent case in the Netherlands, an 18-year-old used it to infect over 2,000 computers. The teen hijacked the webcams of infected devices in an effort to capture intimate pictures of women.
The FBI arrested Michael Hogue, one of the creators of BlackShades, back in 2012. However, others continued to improve the RAT even after Hogue’s arrest. In November 2013, Symantec said the use of BlackShades had increased in the previous five months.
“This case is a strong reminder that no one is safe while using the Internet, and should serve as a warning and deterrent to those involved in the manufacture and use of this software,” said Koen Hermans, assistant to the National Member for the Netherlands.
“This applies not only to victims, but also to the perpetrators of criminal and malicious acts. The number of countries involved in this operation has shown the inherent value in Eurojust’s coordination meetings and coordination centers.”
Tuesday, May 6, 2014 @ 06:05 AM gHale
The average consolidated total cost of a data breach increased 15 percent in the last year to $3.5 million, new research found.
The cost incurred for each lost or stolen record containing sensitive and confidential information increased more than nine percent to a consolidated average of $145, according to the research from Ponemon Institute’s ninth annual “Cost of Data Breach Study: Global Analysis” report.
The research involved the collection of detailed information about the financial consequences of a data breach. For purposes of this research, a data breach occurs when sensitive, protected or confidential data ends up lost or stolen and put at risk. Ponemon Institute conducted 1,690 interviews with IT, compliance and information security practitioners representing 314 organizations in 10 countries: United States, United Kingdom, Germany, Australia, France, Brazil, Japan, Italy, India and the Arabian region (a consolidation of organizations in the United Arab Emirates and Saudi Arabia).
“The goal of this research is to not just help companies understand the types of data breaches that could impact their business, but also the potential costs and how best to allocate resources to the prevention, detection and resolution of such an incident,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. This year’s Cost of Data Breach Study also provides guidance on the likelihood an organization will have a data breach.
• The most costly breaches occurred in the U.S. and Germany at $201 and $195 per compromised record, respectively. The least expensive data breaches were in India and Brazil at $51 and $70, respectively.
• Root causes of data breaches differ among countries. Countries in the Arabian region and Germany had more data breaches caused by malicious or criminal attacks. India had the most data breaches caused by a system glitch or business process failure. Human error was most often the cause in the UK and Brazil.
• The most costly data breaches were those caused by malicious and criminal attacks. The U.S. and Germany paid the most at $246 and $215 per compromised record, respectively. These types of data breaches were least costly for companies in India and Brazil at $60 and $77 per compromised record, respectively.
• A security posture was critical to decreasing the cost of data breach. On average, companies that self-reported they had a strong security posture were able to reduce the cost by as much as $14 per record.
• The involvement of business continuity management reduced the cost of data breach by an average of almost $9 per record.
• The appointment of a Chief Information Security Officer (CISO) to lead the data breach incident response team reduced the cost of a breach by more than $6.
• Countries that lost the most customers following a data breach were France and Italy. Companies in the Arabian region and Brazil experienced the lowest loss of customers.
• The probability of a company having a data breach involving 10,000 or more confidential records is 22 percent over a two-year period. Countries most likely to experience a data breach include India, Brazil and France.
Consistent with previous Cost of Data Breach studies, most often the common cause of a data breach is a malicious insider or criminal attack. The survey asked what worries companies most about security incidents:
• The greatest threats to the companies in this study are malicious code and sustained probes. According to threats increased.
• Only 38 percent of companies have a security strategy to protect their IT infrastructure. A higher percentage (45 percent) has a strategy to protect their information assets.
• Malicious code and sustained probes have increased the most. Companies estimate they will be dealing with an average of 17 malicious codes each month and 12 sustained probes each month. Unauthorized access incidents have mainly stayed the same and companies estimate they will be dealing with an average of 10 such incidents each month.
Click here to register for the report.
Tuesday, April 22, 2014 @ 11:04 AM gHale
German specialty chemical company CABB International just switched owners from Bridgepoint to Permira, as the European equity firm purchased the pesticides, cosmetics and food maker.
European private equity house Bridgepoint earned an internal rate of return (IRR) of 2.4 times its original investment, and CABB had an enterprise value of over $1.1 billion, one industry official said.
In an effort to bulk up its portfolio, Permira seized the opportunity to add Sulzbach, Germany-based CABB. Permira already owns Arysta LifeScience, a developer of additives to enhance crop growth and combat diseases and bugs. Permira’s prior investments include cosmetic-additive maker Cognis, sold to BASF SE for $3.8 billion in 2010.
“CABB is perfectly positioned as a leading global supplier of fine chemicals, specialty chemicals and intermediates to a variety of growing global industries including the agrochemicals industry, which we know well,” said Torsten Vogt, co-head of Permira’s industrial team.
“In the past three years — under the ownership of Bridgepoint — CABB has made tremendous headway,” said Dr. Martin Wienkenhöver, CABB Group chief executive. “Today CABB is a well-known and trusted partner for a large number of blue chip companies in the agrochemical, chemical and pharmaceutical industry. Together with Bridgepoint, the management of CABB established a sustainable growth strategy and we are looking forward to continue with and accelerate our successful growth path with the support of Permira.”
CABB started up in 2003 through the reorganization of Clariant’s acetyls operations. The transaction should close in June.
Monday, April 7, 2014 @ 04:04 PM gHale
Siemens and security provider McAfee expanded their security partnership which started in 2011.
Industrial users face new challenges including a wider range of cyber threats than ever before. They often lack the resources necessary to respond efficiently to security incidents and do not have access to the global threat intelligence that would allow proactive defensive measures.
This critical information is vital to keep up with evolving government regulations, industry standards, sector specific best practices, and other risk information necessary for making informed business decisions.
The extended alliance with McAfee will complement Siemens’ service offerings by leveraging security solutions such as next generation firewall, security information and event management (SIEM), endpoint security, and global threat intelligence as part of its Managed Security Service as well as offering professional services. These offerings provide greater visibility and control at the factory level while reducing the risk of IP theft.
“McAfee’s broad portfolio of security technologies can serve as a great enabler of Siemens Industrial Security service offerings,” said Siegfried Russwurm, member of the managing board of Siemens AG and chief executive of Siemens’ Industry Sector speaking at the Hannover Fair in Hannover, Germany. “This will further strengthen our leading position in automation and drive technologies by providing additional security solutions and services to our industrial customer base. Industrial security is one of the building blocks for strong demand of connected manufacturing environments, and for the continued resurgence of the manufacturing sector globally. This partnership will be an important foundation for the future of manufacturing and Industry 4.0.”
“Siemens provides a deep experience in automation across numerous industries,” said Michael Fey, worldwide chief technology officer at McAfee. “By combining forces, McAfee, Intel and Siemens will drive the adoption of connected, managed and secured solutions at the plant level in order to help industrial customers to manage their security while bringing the uptime and reliability of the plant operations to a higher level. This collaboration should allow us to address the unique requirements of Industrial Control System customers for the operations technology market thus providing a complete security view across the entire company.”
The companies will continue to cooperate on the development of security products and solutions, specifically based on industrial protocols, that will enhance managed security service offerings for the process and factory automation industry.
Wednesday, March 19, 2014 @ 02:03 PM gHale
A newly discovered operation has kept over 25,000 Unix servers infected for the past two years.
Called “Windigo” after the mythical creature from Algonquian Native American folklore, the operation uses the servers to send out 35 million spam emails each day, putting around 500,000 computers at risk of malware infection.
“Each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements,” said ESET security researcher Marc-Étienne Léveillé.
Most of the infected servers are in the U.S., Germany, France and the UK. Many of the affected servers belong to hosting providers. The list of victims includes companies such as cPanel and kernel.org.
ESET has been investigating the campaign for around one year. In total, 25,000 servers suffered infection, of which 10,000 still have the issue.
Mac users are not spared either. Windows users who visit the infected websites end up directed to malware-serving exploit kits, while visitors on Macs end up pushed to adult content or served ads for dating sites.
Léveillé highlights the Ebury backdoor deployed by the attackers doesn’t exploit Linux or OpenSSH vulnerabilities. Instead, it ends up planted manually.
“The fact that they have managed to do this on tens of thousands of different servers is chilling. While anti-virus and two factor authentication is common on the desktop, it is rarely used to protect servers, making them vulnerable to credential stealing and easy malware deployment,” Léveillé said.
Pierre-Marc Bureau, security intelligence program manager at ESET, said they are investigating the campaign because cybercriminal operations that rely on Linux malware are not something we get to see every day, particularly when it comes to an operation as complex as Windigo.
Bureau said this is the biggest botnet of servers they have ever seen. What they do know is the bot masters are very good in programming and the administration of Linux systems. Additionally, they probably have good connections in the underground, considering their capabilities to send spam and install malware.
The complete paper of the Windigo operation is available on ESET’s website.
Friday, March 7, 2014 @ 05:03 PM gHale
Manufacturing data determine the production process for a product, and are just as valuable today as the design.
They contain distinctive information about the product and how it ends up manufactured. Whoever possesses this information just needs the right equipment and a pirated or counterfeit product is ready to go.
While design data end up well-protected from unauthorized outside access today, production data often lie exposed and unsecured in the computer-assisted machinery.
An infected computer on the network, or a well-placed USB stick, are all a thief would need to steal data. Or hackers could directly attack the IT network – for instance, through unsecured network components, like routers or switches.
In the growing manufacturing automation industry, an increasing number of unsecured, computer-guided production machinery and networks in production facilities are gradually evolving into gateways for data theft. New security technologies may directly shield the sensitive data kept there.
There is a software application that immediately encrypts manufacturing data as soon as they emerge.
Integrated into both the computer and the equipment, the software ensures that the two communicate with each other through a protected transport channel and that only licensed actions end up executed.
“To the best of our knowledge, no comparable safeguard has previously existed for manufacturing data that reside directly in the machine tool,” said Thomas Dexheimer from the Fraunhofer Institute for Secure Information Technology SIT in Darmstadt Security Testlab.
Digital Rights Management (DRM) controls all important parameters of the assignment, such as designated use and quantity, among others. This way, brand manufacturers are able to guarantee that even external producers can only produce an authorized quantity, as instructed in advance – and no additional pirated units.
Dexheimer’s SIT colleague, Dr. Carsten Rudolph, is more involved with secured networks.
At the upcoming CeBIT show March 10-14 in Hannover, Germany, Rudolph will showcase his “Trusted Core Network.”
“Hackers can also gain access to sensitive production data via unsecured network components,” Rudolph said. “These are small computers themselves, and can be easily manipulated.”
In order to prevent this, he called upon a piece of technology that, for the most part, lies dormant and, for all intents and purposes, unused on our PCs: the Trusted Platform Module. This is a small computer chip that can encrypt, decrypt, and digitally sign data. Installed in a network component, it indicates which software is running on the component and assigns a distinct identity to it.
“As soon as the software changes in a component, the adjacent component registers this occurrence and notifies the administrator. Hacker attacks can be exposed quickly and easily this way,” Rudolph said.
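The mechanism Rudolph describes, a component measuring the software it runs and a neighbour noticing when the measurement changes, is the TPM "extend" pattern: each loaded image is hashed, the hash is folded into a platform configuration register (PCR) as new = H(old || measurement), and a verifier replays an event log of measurements against known-good values. The following is an added example, not code from Fraunhofer SIT or the Trusted Core Network; the "firmware images" are constructed placeholders, the PCR is simulated in software, and the TPM's signature over the quoted PCR is assumed rather than implemented.

```python
import hashlib


def sha256(data):
    return hashlib.sha256(data).digest()


def extend(pcr, measurement):
    """TPM-style PCR extend: the register can only be advanced, never set directly."""
    return sha256(pcr + measurement)


# Constructed software images of a network component (placeholders, not real firmware).
GOOD_IMAGES = [
    ("bootloader", b"bootloader v1.0 (constructed)"),
    ("firmware", b"switch firmware 2.3 (constructed)"),
    ("routing-daemon", b"routing daemon 4.1 (constructed)"),
]

# Known-good measurements the administrator (or the adjacent component) holds.
GOLDEN = [sha256(image) for _, image in GOOD_IMAGES]


def measure(components):
    """Simulate the component booting: hash each image, extend it into the PCR,
    and record it in the event log it will later report."""
    pcr = bytes(32)
    log = []
    for name, image in components:
        m = sha256(image)
        pcr = extend(pcr, m)
        log.append((name, m))
    return pcr, log


def attest(quoted_pcr, event_log, golden=GOLDEN):
    """Verifier side. Returns (ok, detail). A real TPM would sign quoted_pcr with
    its attestation key; here we assume that signature has already been checked."""
    # 1. The log must replay to the PCR the hardware reports, otherwise it was edited.
    replay = bytes(32)
    for _, m in event_log:
        replay = extend(replay, m)
    if replay != quoted_pcr:
        return False, "event log inconsistent with quoted PCR"
    # 2. Every measurement must match the golden value for that stage.
    if len(event_log) != len(golden):
        return False, "unexpected number of measurements"
    for (name, m), good in zip(event_log, golden):
        if m != good:
            return False, name
    return True, None


def demo():
    good_pcr, good_log = measure(GOOD_IMAGES)
    # Constructed tampering: the routing daemon image was modified on the component.
    tampered = list(GOOD_IMAGES)
    tampered[2] = ("routing-daemon", b"routing daemon 4.1 + modification (constructed)")
    bad_pcr, bad_log = measure(tampered)
    # The component cannot hide the change by reporting the clean log: the PCR,
    # held by the chip, no longer matches a replay of that log.
    return attest(good_pcr, good_log), attest(bad_pcr, bad_log), attest(bad_pcr, good_log)


if __name__ == "__main__":
    for label, result in zip(("clean", "modified", "forged log"), demo()):
        print(f"{label}: {result}")
```

The third case is the one that makes the hardware root matter: software alone could present any log it likes, but it cannot make a forged log replay to the register value the chip actually holds.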
“Both security technologies are important building blocks for the targeted Industry 4.0 scenario,” Dexheimer said. The term “Industry 4.0” stands for the fourth industrial revolution. After water and steam power, followed by electrical energy, electronics and information technology, now, the cyber-physical systems (IT systems embedded in machinery that communicate with each other via wireless or cabled networks) and the Internet of Things should move into the factory halls.
“This revolution can only work if the intellectual property is sufficiently protected. And that’s a tall order, because the targets of production IT will increase exponentially, due to ever growing digitization and networking,” Dexheimer said.
At CeBIT, Dexheimer and Rudolph will present a computer-assisted machine tool using a CAD computer and a 3D printer. SIT’s security software runs on both the computer and the printer; the data are encrypted on the computer and decrypted by the printer. The printer also validates the licensed authorization to conduct the print job. To ensure the data are also secure in the network, the scientists built a Trusted Platform Module into multiple routers.
Wednesday, February 26, 2014 @ 03:02 PM gHale
Using the Pony botnet, bad guys have been able to garner a nice cache of information from websites, email accounts, FTP servers and virtual currency, new research found.
Between September 2013 and mid-January 2014, these cyber bad guys stole over 700,000 credentials, 600,000 of which are for websites, 100,000 for email accounts, 16,000 for FTP servers, 900 for SSH, and 800 for Remote Desktop, according to a report from Trustwave’s SpiderLabs.
Based on data from the control panel of the attack, researchers found after four months of stealing information, the cybercriminals decided to stop the operation.
Most stolen credentials were in Germany (41,177), then Poland (17,214), Italy (15,672), the Czech Republic (14,835), Bulgaria (7,063), France (5,513), Croatia (4,725), Peru (4,616), India (2,761) and Vietnam (2,234).
Close to 80,000 Facebook accounts have felt the impact, followed by ones on accounts.google.com (13,740), nk.pl (13,169), seznam.cz (11,712), profil.wp.pl (8,036), abv.bg (6,589), yahoo.com (6,554), szn.cz (6,175), google.com (5,842) and pl-pl.facebook.com (3,974).
The Pony botnet has also targeted Bitcoin and other virtual currency wallets. Experts found the cybercriminals have stolen $220,000 worth of virtual currencies.
In addition to Bitcoin, the list also includes Litecoin, Feathercoin, Fastcoin, Bytecoin, Namecoin, Mincoin, Zetacoin and many others. In total, around 30 virtual currencies ended up targeted.
Because of the high value of Bitcoin, the attackers didn’t even have to compromise a large number of wallets. They only hijacked 85, out of which they transferred 355 Bitcoins, 280 Litecoins, 33 Primecoins and 46 Feathercoins.
While stealing money from bank accounts is becoming increasingly difficult for cybercriminals, when it comes to Bitcoin heists, there are a number of advantages. First of all, while all transactions are public, they’re also irreversible.
This means if someone empties your wallet, there’s nothing you can do about it. There’s no one who can put the “money” back into the wallet and the accounts cannot end up frozen to prevent theft.
Cybercriminals simply need to transfer the funds into their account on a trading website, convert the virtual coins to a real currency and move the money into their bank account.
Click here for more information from SpiderLabs.