ISSSource White Papers

Posts Tagged ‘Israel’

Monday, June 1, 2015 @ 04:06 PM gHale

An attack focusing on small- and medium-sized businesses in different countries is working despite employing malware not very good at hiding.

Called “Grabit,” researchers at Kaspersky Labs found attackers were able to hit businesses in Thailand, India, the U.S., UAE, Germany, Israel, Canada, France, Austria, Sri Lanka, Chile and Belgium.

The compromised organizations come from a wide range of sectors: chemicals, nanotechnology, education, agriculture, media, and construction.

Although the activity of the malware is easy to see, the volume of files exfiltrated is impressive, the researchers said. About 10,000 files ended up stolen from SMB organizations, mainly in Thailand, India and the U.S.

Kaspersky found the attacker collects the information with a commercial keylogger called HawkEye (developed by HawkEye Products), along with a configuration module with several remote administration tools (RATs) to control the infected system.

Among the RATs identified is DarkComet, said Ido Naor, senior security researcher at Kaspersky’s Global Research and Analysis Team.

On one of the C&C servers the researchers found 2,887 passwords, 1,053 emails, and 3,023 usernames from almost 5,000 different hosts. The data ended up associated with Outlook, Facebook, Skype, Google mail, Pinterest, Yahoo, LinkedIn and Twitter, as well as bank accounts.

Grabit communicates with its command and control (C&C) server over random ports via an unencrypted channel (HTTP), which allows a clear view of the traffic. The stolen data ends up packed and encrypted, Naor said.

However, since traffic is in plain text, intercepting it revealed the credentials for the FTP/SMTP servers that received the stolen data.

The campaign started in late February and ended in mid-March, the researchers said.

Every sample they caught varied in size and activity from the others, the smallest one being 0.52MB and the largest weighing 1.57MB, suggesting the attacker experimented with features, packers and integration of “dead code” designed to make binary analysis more difficult.

Based on their findings, the researchers said those behind Grabit did not write all the code themselves and the group has more technical members than others, focusing on making the malware untraceable.

The attack arrives on the victim’s doorstep via an email attachment under the form of a Microsoft Word document laced with a malicious macro that transfers the keylogger from a compromised server.

Wednesday, April 23, 2014 @ 09:04 AM gHale

When it comes to spam, the United States is the leader in the “countries by volume” category, while Belarus tops the “countries by population” category, a new report said.

In the first category, the U.S. accounts for 16 percent of all spam, according to Sophos’ “Dirty Dozen” spam report for the first quarter of 2014. Spain, Russia, Italy, China, Germany, Japan, France, Argentina, South Korea, Ukraine, and India all follow the U.S.

In the countries by population grouping, Belarus heads the list, followed by Uruguay, Israel, Luxembourg, Bulgaria, Taiwan, Spain, Bahamas, Macau, Romania, Macedonia, and Argentina.

Bulgaria, Spain, Macau, Romania, and Argentina are new entries in the “by population” category.

In the “by volume” category, Israel moved up to third from 12th and 7th in previous quarters.

Belarus topping the “Spam-Relaying ‘Dirty Dozen’ Countries by Population” chart is not surprising, researchers said, because the country is becoming a hotspot for spammers.

It is important to keep in mind that these are spam-relaying countries, which means the spam is not necessarily sent out by individuals or organizations located in these countries. Instead, it means that computers in these locations end up abused to relay spam.


Monday, August 19, 2013 @ 03:08 PM gHale

IBM is going to pay close to $1 billion to pick up security company, Trusteer.

In a sign that IBM is taking security very seriously, this is its second largest acquisition of a security company after its 2006 purchase of Internet Security Systems for $1.3 billion.

Trusteer has offices in Boston and Tel Aviv, Israel. IBM said it planned to open a cyber security software lab at Trusteer’s offices in Tel Aviv, which will employ more than 200 researchers and developers. The lab will be in addition to other research and development facilities in Israel.

Trusteer competes with long-established security providers such as Symantec Corp., Intel Corp’s McAfee division and EMC Corp’s RSA security unit. Privately held competitors include FireEye, which has filed to go public, and Bromium.

“In founding Trusteer, I pulled together a team with strong skills in data security and programming,” said Trusteer founder and chief executive Mickey Boodaei.

Among other security fronts, Trusteer examines advanced malware and how it affects large organizations. “The moment we understood the problem and the limitations of existing solutions, we built a unique system to identify attacks,” Boodaei said.

“We concluded that one of the technology’s main applications is in preventing fraud carried out by taking over the end-user’s computer and carrying out online bank transactions – a kind of fraud that was causing hundreds of millions of dollars in losses to banks around the world at the time.”

Thursday, April 18, 2013 @ 03:04 PM gHale

Israeli websites are under attack as part of the Anonymous OpIsrael campaign which launched a series of distributed denial of service (DDoS) assaults April 7.

In its analysis of the hit, Trend Micro said the source of these attacks — over 90 percent of the traffic — came from outside Israel on April 7. A regular day would not have close to that amount of outside traffic.

Based on information collected by Trend Micro’s Smart Protection Network, a big spike in traffic was very apparent that day.

Another part of the analysis shows hacktivists were not the only ones launching the attacks. Quite a few of the IP addresses associated with the botnets were under the control of cyber criminals.

More precisely, the machines behind those IP addresses were themselves victims of ransomware, fake AV and exploit kit attacks.

“These findings highlight how major DDoS attacks are, at least in part, not just carried out by hacker groups like Anonymous but by cybercriminals as well. These attacks are not nearly as ‘harmless’ as some would think,” said Trend Micro Big Data Security Analyst Chris Huang.

Thursday, March 7, 2013 @ 06:03 PM gHale

Iran fought off attacks against its offshore oil and gas platforms as they ended up targeted in an effort to cripple the country.

The attacks ended up stymied and the head of IT at the Iranian Offshore Oil Company, Mohammad Reza Golshani said Israel was behind the attacks, according to a Reuters report.

Golshani said the attack happened over the past couple of weeks. The attack routed through China and affected only the communications systems of the network.

It is almost two weeks since the managing director of the National Iranian Offshore Oil Company Mahmoud Zirakchianzadeh announced his company’s negotiations on deals worth $14 billion.

Iran is currently under pressure from international sanctions, mainly on oil exports, imposed by the UN Security Council, the U.S., and the European Union.

On Saturday, the EU threatened to ban Iran’s natural gas exports to put pressure on the country’s nuclear program. Iran currently exports gas to Turkey and has swap deals with Armenia and Azerbaijan.

Oil ministry spokesman, Alireza Nikzad-Rahbar, said the possible ban was a “propaganda campaign” because “right now no EU member imports Iranian gas supply.”

The UN Security Council imposed four rounds of sanctions in efforts to pressure Tehran to give up its nuclear program, which the West fears is about creating a nuclear weapon. Iran insists its nuclear ambitions are peaceful. The sanctions targeted Iran’s oil exports and cut off access to international banking networks.

Tehran faces pressure with sanctions, but also various forms of cyber attack, such as Stuxnet, Flame and Gauss, three viruses that gathered information on sensitive Iranian equipment and slowed down its nuclear centrifuges.

Wednesday, February 27, 2013 @ 11:02 AM gHale

A form of the Stuxnet worm used to cripple Iran’s nuclear program was in existence two years longer than first believed.

In addition, there is also evidence the military-grade malware’s origins date back to 2005, and possibly earlier, a new report from Symantec said.

Members of the Symantec Security Response team found an earlier version of the highly sophisticated malcode, called “Stuxnet 0.5.” Experts previously thought the earliest version dated back to 2007. Discovered in July 2010, the virus was designed to surreptitiously disrupt the Natanz uranium enrichment facility in Iran.

First reports had Stuxnet getting its attack green light in the waning moments of George W. Bush’s presidency in 2009. At the time, President Bush wanted to sabotage the electrical and computer systems at Natanz, which is a fuel enrichment plant in Iran. After Bush left office, President Barack Obama accelerated the program, said former senior intelligence officials, one of whom worked for the National Intelligence office.

Stuxnet is a sophisticated piece of computer malware designed to sabotage industrial processes controlled by Siemens SIMATIC WinCC and PCS 7 control systems. The worm used known and previously unknown vulnerabilities to install, infect and propagate, and was powerful enough to evade state-of-the-art security technologies and procedures.

Widely considered among the most complicated coding in the malware world, Stuxnet homed in on computers running the Siemens software at 14 known industrial sites. The malware shut off valves that supplied uranium hexafluoride gas into centrifuges, thereby damaging a uranium enrichment system by letting pressure build until the gas solidified.

“In addition, the code will take snapshots of the normal running state of the system, and then replay normal operating values during an attack so that the operators are unaware that the system is not operating normally,” the Symantec researchers said. “It will also prevent modification to the valve states in case the operator tries to change any settings during the course of an attack cycle.”
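The snapshot-and-replay deception described above, together with two checks a defender could run against it, as an added Python simulation; this is constructed illustration code, not Symantec’s analysis or anything from the page, and the pressure model, noise, and thresholds are made-up assumptions.

```python
"""Added example: simulation of the snapshot-and-replay deception attributed to
Stuxnet 0.5, with two defender checks. Constructed illustration code, not
Symantec's or ISSSource's; the pressure model and thresholds are made up."""
import random

NOMINAL = 100.0        # constructed nominal pressure (arbitrary units)
ALARM_LIMIT = 150.0    # constructed alarm threshold an operator would react to


class Cascade:
    """Minimal constructed model: an open feed valve holds pressure near
    nominal; a closed valve lets pressure build every cycle."""

    def __init__(self):
        self.valve_open = True
        self.pressure = NOMINAL

    def step(self):
        if self.valve_open:
            self.pressure += (NOMINAL - self.pressure) * 0.5
        else:
            self.pressure += 5.0
        return self.pressure


def record_snapshot(cascade, cycles, rng):
    """Readings of normal operation, with sensor noise: the 'snapshot' the
    worm records before the attack."""
    return [round(cascade.step() + rng.uniform(-1.0, 1.0), 3) for _ in range(cycles)]


def run_attack(cascade, snapshot, cycles):
    """Attack cycle: keep the valve closed (operator changes are discarded)
    while the HMI is shown the recorded snapshot instead of live values.
    Returns (what the operator sees, what the process actually does)."""
    hmi, real = [], []
    for i in range(cycles):
        cascade.valve_open = False          # modification attempts are overridden
        real.append(cascade.step())
        hmi.append(snapshot[i % len(snapshot)])
    return hmi, real


def alarm_raised(trace, limit=ALARM_LIMIT):
    return any(p > limit for p in trace)


def replay_period(trace):
    """Defender check 1: a replayed recording repeats exactly. Return the
    shortest period at which the trace repeats, or 0 for a live (noisy) trace."""
    n = len(trace)
    for p in range(1, n // 2 + 1):
        if all(trace[i] == trace[i + p] for i in range(n - p)):
            return p
    return 0


def diverges(hmi_trace, independent_trace, tolerance=10.0):
    """Defender check 2: compare HMI values with an out-of-band gauge that
    the compromised controller cannot influence."""
    return max(abs(a - b) for a, b in zip(hmi_trace, independent_trace)) > tolerance


def demo(snapshot_len=8, attack_cycles=24, seed=7):
    rng = random.Random(seed)
    cascade = Cascade()
    snapshot = record_snapshot(cascade, snapshot_len, rng)
    hmi, real = run_attack(cascade, snapshot, attack_cycles)
    return {
        "operator_alarm": alarm_raised(hmi),      # False: the screen looks normal
        "real_overpressure": alarm_raised(real),  # True: pressure actually built
        "replay_period": replay_period(hmi),      # == snapshot_len
        "live_period": replay_period(real),       # 0: live values do not repeat
        "independent_gauge_diverges": diverges(hmi, real),
    }
```

The periodicity check only works because a replayed recording is bit-for-bit identical; an independent gauge the controller cannot write to is the more robust of the two checks.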

In analyzing the oldest known version of Stuxnet, researchers found the worm was in development as early as November 2005 and released in the wild two years later. Its programming called for it to stop communicating with its command-and-control servers on Jan. 11, 2009 and stop spreading via infected USB keys on July 4 of the same year. But a number of dormant infections ended up detected last year around the world, almost half in Iran and 21 percent in the United States.

Later versions became far more aggressive in propagating and exploiting vulnerabilities. Stuxnet 0.5 also appears to have been built by developers with access to the Flamer source code, unlike later versions, which were built on the Tilded platform.

“The existence of unrecovered versions of Stuxnet, both before version 0.5 and especially between versions 0.5 and 1.001, are likely,” according to a Symantec blog post.

As ISSSource reported back in October 2011, Stuxnet was a comprehensive U.S.-Israeli program designed to disrupt Iran’s nuclear technology. This joint program first surfaced in 2009 and worked in concert with an earlier U.S. effort that consistently sabotaged Iran’s purchasing network abroad.

The groundwork for the attack plan began much earlier though. In 2007, Idaho National Laboratory (INL) inked a development contract with Siemens the purpose of which was to help Siemens study its own computer weaknesses, the sources said. Quite a few suppliers have these types of pacts with INL to test platforms to find and resolve weaknesses.

Wednesday, December 19, 2012 @ 06:12 PM gHale

By Richard Sale

The new virus hitting Iran that targets computers and wipes entire disk partitions clean is a joint U.S.-Israel attack, CIA sources said.

In what seems like a very similar attack scenario as the August Shamoon virus that hit Middle East energy companies, the virus implantation in Iran actually occurred before the Shamoon attack, the sources said.

The story on the Iran attack was broken two days ago by Ars Technica, and the former senior CIA officials, who requested anonymity because they are close to the investigation, confirmed to ISSSource the U.S. and Israel were behind the Tehran-focused attack. Right now who or what the new virus is targeting remains unclear.

Dubbed Batchwiper, the malware systematically wipes any drive partitions starting with the letters D through I, along with any files stored on the Windows desktop of the user logged in when the program executes, according to security researchers who independently confirmed the findings.

The reports come seven months after an investigation into a separate wiper program targeting the region led to the discovery of Flame, the highly sophisticated espionage malware reportedly designed by the U.S. and Israel to spy on Iran. The original wiper program, named Wiper, was interesting because it shared a file-naming convention almost identical to those used by the state-sponsored Stuxnet and Duqu operations, an indication it may have been related, security researchers said.

A separate wiping malware known as Shamoon wreaked havoc on some energy sector computers in the Middle East, including destroying hard drives on at least 30,000 workstations operated by Saudi Aramco, the world’s largest oil producer. Unlike Wiper, the Shamoon code base is very rudimentary, raising the possibility that hacktivists or other amateur coders developed it. Batchwiper, which gets its name because its destructive payload is contained in a batch file, also appears to be rudimentary.

“Despite its simplicity in design, the malware is efficient and can wipe disk partitions and user profile directories without being recognized by antivirus,” said the Iranian CERT advisory, which was published Sunday.

The virus, however, is probably not widely distributed. This targeted attack is simple in design and bears no similarity to the other sophisticated targeted attacks. One thing this malware does is remain active even after a machine reboots, which it does by adding a registry entry. The RAR archive dropper is named GrooveMonitor.exe, presumably to disguise it as a legitimate Windows Office 2007 service. GrooveMonitor.exe then drops additional files named juboot.exe, jucheck.exe, SLEEP.EXE, and WmiPrv.exe.

The batch file programming allows it to wipe drives only on certain dates, with the next one being January 21. Previous dates listed in the file include December 11, 12, and 13, suggesting the malware campaign may have been active for the past week and may already have inflicted damage.

It remains unclear how Batchwiper is spreading. Possibilities, researchers said, include the use of USB drives, malicious insiders, spear phishing campaigns or “probably as the second stage of a targeted intrusion.”

Richard Sale was United Press International’s Intelligence Correspondent for 10 years and the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.

Thursday, November 29, 2012 @ 04:11 PM gHale

Information stolen from one of a U.N. nuclear watchdog’s former servers is up and viewable on a hacker website.

The stolen information appeared in a statement by a group calling for an inquiry into Israel’s nuclear activities. The International Atomic Energy Agency (IAEA) is investigating Iran’s nuclear program.

The IAEA said the theft concerned “some contact details related to experts working” with the Vienna-based agency but it did not say who might have been behind the action.

The stolen data did not include information related to confidential work carried out by the IAEA, one official said. One of the agency’s tasks is preventing the spread of nuclear weapons.

The statement posted in the name of Parastoo (which in Farsi means swallow, the bird, and can also be a woman’s name) included a large number of email addresses and called for the people to whom they belonged to sign a petition for an “open” IAEA investigation into Israel’s Dimona reactor.

The statement dated November 25 and headlined “Parastoo Hacks IAEA” said: “Israel owns a practical nuclear arsenal, tied to a growing military body.”

Middle East experts said Israel has the region’s only atomic arsenal, but the country neither confirms nor denies this under a “strategic ambiguity” policy intended to deter Arab and Iranian foes.

Israel and the United States accuse Iran of seeking to develop a nuclear weapons capability, a charge Tehran denies, and describe the Islamic republic as the main proliferation threat. That was one of the motives behind the Stuxnet virus: to delay or end Iran’s nuclear capability.

IAEA spokeswoman Gill Tudor said the agency “deeply regrets this publication of information stolen from an old server that was shut down some time ago”.

Measures are underway to address concern over possible vulnerability in the server, she said.

“The IAEA’s technical and security teams are continuing to analyze the situation and do everything possible to help ensure that no further information is vulnerable,” Tudor said.

Thursday, November 15, 2012 @ 12:11 PM gHale

By Richard Sale

Major U.S. oil companies, already facing increasingly sophisticated cyber attacks by China, have also been infected by the Stuxnet virus that has attacked computers in countries from Germany and Indonesia to Kazakhstan, U.S. intelligence sources said.

Victims of the Stuxnet virus, intelligence sources said, include Baker Hughes, ConocoPhillips, Marathon, and Chevron, which last week was the first of the group to declare it had been attacked by the virus.

In a Wall Street Journal story late last week, Chevron, the billion dollar oil company based in California, confirmed its computer systems were infected with Stuxnet, a virus developed by the U.S. and Israel to strike Iranian nuclear facilities at Natanz.

Chevron spokesman Morgan Crinklaw was quoted by The Wall Street Journal as saying the company was protected from major damage to its network, adding the company made “every effort to protect our data systems from those types of threats.”

According to U.S. officials, any industrial component is liable to be targeted by such sophisticated attacks. James Lewis, cyber expert at the Center for International and Strategic Studies (CSIS), said “thousands of places around the world were infected but only one was damaged,” the Iranian facility at Natanz.

Lewis said “Stuxnet is an interesting weapons design. You need to introduce the virus and then you need to trigger it. It only works against a specific configuration.” The first stage of the virus uses a “beacon” that performs surveillance of the target, mapping an electrical blueprint of Iran’s centrifuges, with the data sent back to the National Security Agency in Maryland. The second stage, a trigger, added a number of “zero-day exploits” that can cause physical damage. The virus was only configured for Iranian nuclear facilities. It wasn’t designed to spread, U.S. officials said.

But it did.

U.S. sources confirmed the account of researchers at Symantec and Kaspersky Labs that stated Stuxnet had two versions. The first, launched in 2010, had a 21-day period after which the virus would be null and void. Shortly thereafter, the U.S. and Israel launched a second version, believing the first was ineffective. The second version had a different trigger, and U.S. sources said they believed Israel introduced some error in the code trigger. They didn’t elaborate.

Naming the Victims
Chevron was one of the first oil companies to be a victim of the Stuxnet virus. Others, including Baker Hughes, Marathon, ExxonMobil, Shell, and BP, have yet to make any public admission of attacks by the virus because reporting incidents could trigger liability.

Blair Nicholas, of the law firm Bernstein Litowitz Berger and Grossman based in San Diego, said in a recent news report, “To the extent that there aren’t adequate procedures in place to protect the companies’ crown jewels and somebody gets the key to the jewelry box, there is certainly potential for shareholder derivative liability.”

Besides Chevron, none of Stuxnet’s corporate victims, including Marathon Oil, ConocoPhillips and Baker Hughes, has disclosed the attacks in filings with regulators.

These same companies have already been victims of Chinese-backed industrial espionage assaults that have cost them billions of dollars in plans and intellectual property, sources said, and some of the Chinese attacks remained undetected for years.

In attacks on Baker Hughes and Shell Oil, the Chinese targeted bid data as well as project plans and financial information.

Conoco and Exxon experienced similar breaches, but they went unreported because of client confidentiality. Studies have already been done of malware aimed at seizing data in the computers of a drilling rig working on a ConocoPhillips project, sources said.

None of these companies have commented on this matter to the U.S. press.

New Threats to Platforms
New computer-controlled oil platforms are already a reality. But offshore-onshore contact and the processes out on the platform are often controlled by onshore personnel via networked PCs. When onshore and offshore networks are linked the chances of attacks by viruses and hackers increase dramatically.

Experts say that while oil companies have improved offshore safety, they have lagged in the field of information security. For example, several experts said virus attacks have led to electronic equipment becoming unstable, and while personnel undergo scenario training to reduce risks, such training is seldom employed in the field of information security.

This is especially dangerous when the current trend is going toward the direction of unmanned robot-controlled platforms, which leave electronic equipment more exposed to attack. Ludolf Luehmann, manager of IT at Shell, Europe’s largest oil company, said in a recent news report, “We see an increasing number of attacks on our IT systems and information, and there are various motivations behind it: Criminal and commercial,” all focusing on research and development to gain a competitive advantage.

Cyber war experts like Lewis are aware most industries operate on computers vulnerable to attack, and hackers are increasing in numbers, becoming more knowledgeable and skilled, and making more daring attacks on systems. “The Chinese have been very successful,” Lewis said.

Oil companies are warning the worst case scenario would be one in which valves were accessed, which could set offshore rigs on fire, kill personnel and halt production. The cost of down time on an offshore rig is $6.3 million a day, experts said. The financial loss could be huge.

Stuxnet, which crippled Iran’s nuclear centrifuges, shows the potential devastation of a worm created to cause damage. Experts believe this kind of attack could be replicated on oil producing offshore rigs.

Riemer Brower, head of IT security at Abu Dhabi Company for Onshore Oil Operations, said the oil industry has avoided any damaging incidents so far, but he warned that “the oil companies in charge are no longer really in control.”

Richard Sale was United Press International’s Intelligence Correspondent for 10 years and the Middle East Times, a publication of UPI. He is the author of Clinton’s Secret Wars and Traitors.
