Posts Tagged ‘UK’

Wednesday, March 19, 2014 @ 02:03 PM gHale

A newly discovered operation has left over 25,000 Unix servers infected over the past two years.

Called “Windigo” after the mythical creature from Algonquian Native American folklore, the servers are sending out 35 million spam emails each day, putting around 500,000 computers at risk of malware infection.

“Each day over half a million computers are put at risk of infection, as they visit websites that have been poisoned by web server malware planted by Operation Windigo redirecting to malicious exploit kits and advertisements,” said ESET security researcher Marc-Étienne Léveillé.

Most of the infected servers are in the U.S., Germany, France and the UK. Many of the affected servers belong to hosting providers. The list of victims includes companies such as cPanel and kernel.org.

ESET has been investigating the campaign for around one year. In total, 25,000 servers suffered infection, of which 10,000 still have the issue.

Mac users are not spared either: while Windows users are redirected to malware-serving exploit kits, people who visit the infected websites from Macs are pushed to adult content or served ads for dating sites.

Léveillé notes the Ebury backdoor deployed by the attackers does not exploit Linux or OpenSSH vulnerabilities; instead, it is planted manually.

“The fact that they have managed to do this on tens of thousands of different servers is chilling. While anti-virus and two factor authentication is common on the desktop, it is rarely used to protect servers, making them vulnerable to credential stealing and easy malware deployment,” Léveillé said.

Pierre-Marc Bureau, security intelligence program manager at ESET, said they are investigating the campaign because cybercriminal operations that rely on Linux malware are not something we get to see every day, particularly when it comes to an operation as complex as Windigo.

Bureau said this is the biggest botnet of servers they have ever seen. What they do know is the bot masters are very good in programming and the administration of Linux systems. Additionally, they probably have good connections in the underground, considering their capabilities to send spam and install malware.

The complete paper of the Windigo operation is available on ESET’s website.

Monday, January 27, 2014 @ 06:01 PM gHale

The Xtreme RAT malware has not only hit Israeli police systems, it has also targeted governments in the U.S., UK, and other countries, researchers said.

The attackers sent rogue messages with a .RAR attachment to email addresses within the targeted government agencies, said researchers at antivirus developer Trend Micro.

The archive contained a malicious executable disguised as a Word document that, when run, installed the Xtreme RAT malware and opened a decoy document with a news report about a Palestinian missile attack.

The attack came to light at the end of October when the Israeli police shut down its computer network in order to clean the malware from its systems. Like most remote access Trojan programs (RATs), Xtreme RAT gives attackers control over the infected machine and allows them to upload documents and other files back to their servers.

After analyzing malware samples used in the Israeli police attack, security researchers from Norway-based antivirus vendor Norman uncovered a series of older attacks from earlier this year and late 2011 that targeted organizations in Israel and the Palestinian territories. Their findings painted the picture of a year-long cyber espionage operation performed by the same group of attackers in the region.

According to data found by Trend Micro, the campaign’s scope appears to be much larger.

“We discovered two emails sent from {BLOCKED}a.2011@gmail.com on Nov 11 and Nov 8 that primarily targeted the Government of Israel,” Trend Micro senior threat researcher Nart Villeneuve, said in a blog post earlier this week. “One of the emails was sent to 294 email addresses.”

“While the vast majority of the emails were sent to the Government of Israel at ‘mfa.gov.il’ [Israeli Ministry of Foreign Affairs], ‘idf.gov.il’ [Israel Defense Forces], and ‘mod.gov.il’ [Israeli Ministry of Defense], a significant amount were also sent to the U.S. Government at ‘state.gov’ [U.S. Department of State] email addresses,” Villeneuve said. “Other U.S. government targets also included ‘senate.gov’ [U.S. Senate] and ‘house.gov’ [U.S. House of Representatives] email addresses. The email was also sent to ‘usaid.gov’ [U.S. Agency for International Development] email addresses.”

The list of targets also included ‘fco.gov.uk’ (British Foreign & Commonwealth Office) and ‘mfa.gov.tr’ (Turkish Ministry of Foreign Affairs) email addresses, as well as addresses from government institutions in Slovenia, Macedonia, New Zealand, and Latvia, the researcher said. Some non-governmental organizations, like the BBC and the Office of the Quartet Representative, also ended up as targets.

The Trend Micro researchers used metadata from the decoy documents to track down some of their authors to an online forum. One of them used the alias “aert” to talk about various malware applications including DarkComet and Xtreme RAT or to exchange goods and services with other forum members, Villeneuve said.

Monday, January 6, 2014 @ 03:01 PM gHale

European users visiting Yahoo.com had a good chance of having their computers infected with malware from malicious ads over a four-day period.

Cybercriminals were able to place malicious ads on ads.yahoo.com as early as December 30, said researchers at security firm Fox-IT. Malicious iframes placed on the website redirected users to domains hosting the Magnitude exploit kit.

The exploit kit leveraged Java vulnerabilities to push various pieces of malware, including ZeuS, Andromeda, Dorkbot, Tinba (Zusy), and Necurs.

Yahoo said only users in Europe were affected by the issue. Fox-IT said most infections were in Romania, the UK, and France.

Yahoo cleared up the problem by January 3. However, researchers from HitmanPro said as many as 2.5 million computers could be infected with the malware.

The victims did not have to click on the malicious ads in order to have their devices infected with malware. Users from Europe who visited Yahoo.com from a computer running a vulnerable version of Java should immediately scan their computers with an up-to-date antivirus program to make sure they’re not a victim of the attack.

Wednesday, October 30, 2013 @ 04:10 PM gHale

A United Kingdom man is facing charges of breaching thousands of computer systems in the United States and elsewhere – including the computer networks of federal agencies – to steal massive quantities of confidential data.

Lauri Love, 28, of Stradishall, England, is facing one count of accessing a U.S. department or agency computer without authorization and one count of conspiring to do the same, according to a federal indictment handed up from the New Jersey U.S. Attorney’s office.

An investigation led by the U.S. Army Criminal Investigation Command-Computer Crime Investigative Unit and the FBI in Newark found Love illegally infiltrated U.S. government computer systems – including those of the U.S. Army, U.S. Missile Defense Agency, Environmental Protection Agency and National Aeronautics and Space Administration – resulting in millions of dollars in losses.

Law enforcement authorities in the United Kingdom, including investigators with the Cyber Crime Unit of the National Crime Agency (NCA), said they arrested Love at his residence Oct. 25. Love faced charges previously in New Jersey on a federal complaint, also unsealed in connection with his arrest. He also faces charges in a criminal complaint in the Eastern District of Virginia related to other intrusions.

According to the indictment, between October 2012 and October 2013, Love and fellow conspirators sought out and hacked into thousands of computer systems. Once inside the compromised networks, Love and his conspirators placed hidden back doors within the networks, which allowed them to return to the compromised computer systems at a later date and steal confidential data.

The stolen data included the personally identifying information (PII) of thousands of individuals, some of whom were military servicemen and servicewomen, as well as other nonpublic material.

Love and his conspirators planned and executed the attacks in secure online chat forums. They communicated in these chats about identifying and locating computer networks vulnerable to cyber attacks and gaining access to and stealing massive amounts of data from those networks. They also discussed the object of the conspiracy, which was to hack into the computer networks of the government victims and steal large quantities of non-public data, including PII, to disrupt the operations and infrastructure of the United States government.

To gain entry to the government victims’ computer servers, Love and conspirators often deployed SQL injection attacks. They also exploited vulnerabilities in the ColdFusion web application platform. Like SQL injection attacks, this method allowed the conspirators to gain unauthorized access to the victims’ secure databases. Once they got into the network, they created back doors, leaving the system vulnerable and helping them maintain access, officials said.

Love and his conspirators took steps to conceal their identities and illegal hacking activities. To mask their IP addresses, the conspirators used proxy and Tor servers to launch the attacks. They also frequently changed their nicknames in online chat rooms, using multiple identities to communicate with each other.

If convicted, Love faces a maximum potential penalty of five years in prison and a $250,000 fine, or twice the gross gain or loss from the offense.

Monday, October 21, 2013 @ 05:10 PM gHale

As the United Kingdom attempts to secure its future energy needs and cut greenhouse gas emissions, Britain inked a pact with a French energy company and Chinese investors to build the country’s first nuclear power plant in 18 years.

The government struck a deal with Electricite de France and a group of Chinese investors Monday to build the country’s first nuclear power plant since 1995.

“If people at home want to be able to keep watching the television, be able to turn the kettle on, and benefit from electricity, we have got to make these investments,” Energy Secretary Ed Davey told the BBC. “It is essential to keep the lights on and to power British business.”

The deal for the new reactor at Hinkley Point in southwest England, which will generate power in 2023, underlines the desperation politicians across Europe face in meeting energy needs amid dwindling fossil fuel resources and rising costs.

Germany decided two years ago to shut down all of its nuclear power plants by 2022, following years of anti-nuclear protests and the meltdown at Fukushima, Japan in 2011 after an earthquake and tsunami devastated the facility. But the effort needed to ramp up renewable energy sources to replace domestic nuclear reactors is costly because the country must build many new wind, solar, water and biomass plants and Germany must overhaul its energy grid to balance the fluctuating supply such power sources provide.

One of the last barriers to the British deal was removed during a visit to Asia last week by Treasury chief George Osborne, who said Chinese firms could invest in civilian nuclear projects.

China General Nuclear Corp. and China National Nuclear Corp will provide 30 percent to 40 percent of the financing under the agreement in principle, EDF said. EDF, majority-owned by the French government, will provide 45 percent to 50 percent.

The deal also helps China, which relies on foreign technology for its generating stations and is trying to develop its own reactors.

Friday, September 27, 2013 @ 05:09 PM gHale

The crackdown on cyber criminals is ongoing throughout the world, and law enforcement agencies are finding some success in an environment where criminals are very difficult to find and capture.

A small snapshot of a triumph for the white hats shows that UK law enforcement anti-hacker efforts stopped the theft of over $1.6 billion (£1 billion) in just over two years, according to the Met’s Police Central e-crime Unit (PCeU).

Beyond the money saved, PCeU operations have led to 126 suspects being arrested and 89 people convicted, with 30 more awaiting trial, according to the PCeU Harm and reduction report 2013.

The operations also disrupted 26 national and international cyber-based organized crime groups and secured 184 years of imprisonment for 61 criminals.

In 2011 the police initially said they would cut the cost of cyber crime by $813 million (£504 million) within four years. The report highlighted the Allandale and Caldelana operations as key victories that helped it double its projected goal.

Operation Allandale was a sting against a gang conspiring to defraud banks worldwide using a sophisticated phishing scam. The operation resulted in the arrest of three men and prevented $119 million (£74 million) worth of financial damage.

Operation Caldelana saw police target an organized crime group responsible for a sophisticated phishing scam responsible for stealing money from victims’ bank accounts. The operation prevented $63 million (£39 million) worth of damage.

“The PCeU has exceeded all expectations in respect of making the UK’s cyber space more secure,” said Commander Steve Rodhouse, head of gangs and organized crime at the Met. “This is due to its innovative partnership work with industry and law enforcement across the globe and its dynamic system for developing intelligence, enforcing the law and quickly putting protection measures in place,” he said.

Monday, September 16, 2013 @ 05:09 PM gHale

Over half of companies are more worried about their own employees turning rogue than about external cyber-threats, a survey said.

While cyber security is a global issue, this survey, conducted by IT Governance, wanted to show how company directors and board members currently perceive IT security issues. Most of the respondents in this survey are from the UK, are IT professionals, and work for tech and financial firms, telecoms, and the government/local authorities. It does give a regional snapshot on some security issues.

A quarter of the 260 respondents said their organization received a concerted cyber attack in the past 12 months. However, the true total may be higher, as over 20 percent are unsure if their organization has been subject to an attack.

Despite that, over 40 percent of respondents said their company is either making the wrong level of investment in information security or are unsure if their investment is appropriate.

It doesn’t help that reports on the status of the organization’s IT security often get delivered only once a year or at even longer intervals, and that in only 30 percent of cases do board-level job candidates know and understand current IT security threats.

The good news is customers are beginning to take the company’s security credentials into consideration when choosing their suppliers. Seventy-four percent of respondents said their customers prefer dealing with suppliers with such credentials, while 50 percent said customers asked their company about its information security measures in the past 12 months.

Despite all this, compliance with the ISO/IEC 27001 security standard is not high (around 35 percent) among the companies whose employees and managers were polled.

Thursday, August 22, 2013 @ 04:08 PM gHale

Yes, the cyber threat from criminals and nation states is very real, but when push comes to shove, over 50 percent of businesses consider their own employees the greatest security threat, according to a new survey.

Fifty-four percent of respondents believe insiders are the biggest threat, compared to 27 percent who fear criminals the most, 12 percent state-sponsored cyber attacks and 8 percent competitors, according to the survey conducted by IT Governance.

On top of that, 25 percent of respondents said their business had received a “concerted cyber-attack” in the past 12 months.

That number could actually be higher, as 21 percent of respondents said they do not know whether or not they suffered such an attack, said officials at IT Governance, a UK-based security provider.

The UK government, among many others, has made a concerted effort to make IT security a board-level issue. IT Governance’s survey suggests there is some board level recognition of IT security, but that there is room for improvement.

The majority of respondents (58 percent) said their organization gives the board of directors “regular” reports on the state of its IT security. That is an encouraging figure, but for 35 percent of those companies that provide reports, they are filed “less than annually.”

Only 30 percent of respondents said an understanding of IT security is a pre-requisite for a position on the board.

Other findings from IT Governance’s survey include the fact 50 percent of respondents said customers had inquired about their IT security measures in the past 12 months, and 26 percent have lost sleep because of worries about IT security.

IT Governance surveyed 260 respondents, mostly business and IT executives from businesses in the UK and U.S.

Friday, August 16, 2013 @ 04:08 PM gHale

There is a new ransomware family in town called Browlock, which spreads by tricking users into believing the police are after them.

There have been infections on machines in the United States, Canada and the UK, said researchers from F-Secure. On top of that, other countries are now experiencing attacks. F-Secure traced the attacks to a server in St. Petersburg, Russia.

If users end up on a compromised site hosting the scam or click on a malicious ad, their screen becomes locked and a message is displayed. The messages look like they come from federal authorities in the victim’s home country or region, including the European Cybercrime Centre and the Royal Canadian Mounted Police.

Users get a message saying they have violated the law because they have committed copyright infringement, viewed or distributed child pornography, or unknowingly allowed access to their computer to install malware. The message goes on to say that to unlock their computer and avoid prosecution, they must pay a fine of, in one case, up to $310, through an online payment site.

“This ransomware is very simple, and just uses the browser to display a lock screen demanding the victim to pay a fake fine and plays tricks to prevent closing the browser tab,” F-Secure Labs researchers wrote in a blog post.

The FBI said criminals profit roughly $150 million annually through the schemes.

Users should keep their antivirus software up to date and never pay any of these fines. Removing ransomware is usually possible with the help of a security solution, but oftentimes the process may require restoring the operating system, which could result in the loss of documents or applications.
