Posts Tagged ‘UK’
Thursday, May 23, 2013 @ 04:05 PM gHale
The number of websites falling victim to the Darkleech attack jumped on Wednesday, with many of them hosted in the UK, security firm Zscaler said.
“The Apache Darkleech attack has been in the news for quite some time now,” said Zscaler’s Krishnan Subramanian. “The first compromise that we identified in our transactions dates back to mid-March. This Darkleech exploit (aka Linux.Cdorked) injects malicious redirections into a website that leads to a Blackhole exploit kit (BEK) landing page.
“We are currently observing a considerable rise in websites being compromised due to this attack. The infected websites redirect to a version of the BEK version 2.”
Subramanian said the complex nature of the attack’s exploit method makes it difficult to know exactly how many sites have been affected, making tracking and combating the threat a difficult task.
“The exploit code targets vulnerabilities in multiple plugins including Adobe PDF and Java when run on IE, causing the attacker to load malicious code in the context of the application. When deobfuscating the PDF exploit, we can see the final URL used for redirection. However, this URL was not accessible (404 error response) at the time of writing, hence it was not possible to retrieve the malicious binary file,” Subramanian said.
“Upon revisiting some of these compromised websites, it was found that the page was no longer serving the injected code. This provides a clue. The attackers probably choose random sites running the Apache Webservers that are vulnerable to the Darkleech exploit and infect them only for a brief period of time and then clean them up. Hence tracking Darkleech infections can be a challenging task.”
The attack had already infected thousands of websites when researchers first uncovered it earlier this year. Subramanian said businesses or website owners who are worried their site may be infected should contact their hosting provider to confirm the patch for CVE-2012-1557 has been installed.
Thursday, April 18, 2013 @ 03:04 PM gHale
A new “magic” malware is active and persistent, and it had remained undetected on targeted machines in the UK for the past 11 months.
Attackers targeted several thousand different entities, 78 percent of them in the UK, six percent in Italy and four percent each in Germany and the United States, according to a report from Seculert’s Aviv Raff.
The sample Seculert flagged behaved unusually when communicating with its command and control (C&C) server: it used a custom-made protocol and always sent “a magic code” at the beginning of the conversation, Raff said.
Raff said he did not know why the UK was the main target, but he did say this is a persistent attack that went under the radar for almost a year.
“Furthermore, this malware is still under development,” he said. “We have seen several indications of features that are not yet implemented, and functions that are not yet used by the malware.
“For instance, in case the attacker would like to open a browser on the victim’s machine, the malware will pop up on the RDP session for the attacker via a box with the message ‘TODO:Start browser!’ ”
Raff said the real intention of the attackers behind this “magic” malware is unknown.
“As the malware is capable of setting up a backdoor, stealing information and injecting HTML into the browser, we believe that the current phase of the attack is to monitor the activities of their targeted entities,” he said.
“But, because this malware is also capable of downloading and executing additional malicious files, this might be only the first phase of a much broader attack.”
Asked what he felt made this different from other advanced persistent threats (APTs), which also included a backdoor and data stealing capabilities, Raff said, “We suspect that this is only the first phase of the attack, and like previous ones, the next phase will include a wiper module to cover the attacker’s tracks.”
Monday, April 8, 2013 @ 02:04 PM gHale
Yes, it focuses on the banking industry and it doesn’t really work in the manufacturing automation sector, but the credential-stealing Shylock Trojan is growing increasingly sophisticated, a new report said.
Its level of sophistication keeps rising because its creators continue adding new modules and functionalities to the man-in-the-browser malware, according to a Symantec report.
Shylock makes its loot via man-in-the-browser (MiTB) attacks designed to pilfer banking login credentials from a predetermined list of target organizations. Symantec said Shylock is targeting more than 60 banks and financial institutions mostly in the United Kingdom but also in the United States and Italy. From its inception in July 2011 until around May of 2012, Shylock was only targeting institutions in the UK, so this global expansion is part of the Trojan’s new look.
The malware’s creators are also refining the target list to root out less valuable banks that have either become harder to compromise or no longer provide services for high-value clients.
Shylock’s list of features includes an archiver module that compresses recorded video files and uploads them to remote servers; a BackSocks module that turns infected machines into proxy servers; a diskspread module that lets Shylock spread via removable drives; an ftpgrabber module that steals passwords from various applications; an MsgSpread module that propagates Shylock through Skype instant messages; and a VNC module that gives attackers a remote connection to compromised devices.
Shylock’s creators aren’t just refining their target list and adding features to expand its capabilities and reach; they’re also fortifying its infrastructure to avoid downtime.
Shylock has been able to spread over Skype messages since January. Before that, its most substantial upgrade came in November of last year, when its creators added an evasion function that lets the malware determine whether it is running on an ordinary computer or being opened in a virtual machine by researchers picking it apart.
Friday, April 5, 2013 @ 07:04 PM gHale
Darkleech malware injected invisible iFrames that link to malicious web pages into thousands of web sites, researchers said.
The malware uses an Apache web server module to add the iFrames, although researchers have not found a credible attack vector for how the malicious module is installed. Darkleech is also careful about selecting the visitors who receive the injected iFrames, maintaining a blacklist of clients it will not send malicious content to. Infected servers are in 48 countries, but most host sites in the U.S., the UK and Germany.
Networking giant Cisco investigated Darkleech for six weeks in February and March 2013 and found 2,000 infected servers during this period.
Darkleech uses an Apache module to inject invisible iFrames into web pages; the iFrames link to malicious sites where visitors can potentially have their systems compromised using the Blackhole exploit kit, Cisco said. The Blackhole kit uses a number of exploits and targets security holes in Oracle’s Java, Adobe Flash and Reader, and other popular plugins. There are plenty of holes and users often run without up-to-date plugins. One study by WebSense found only one in twenty browsers with Java installed has a current version.
Darkleech uses a subtle approach to hijacking its victims, the researchers said. The iFrames are generated dynamically by an Apache module when a visitor requests a page from an infected site, which makes the injection hard for web administrators to detect because the site’s own source files on disk remain untouched. Visitors from certain IP addresses are never served the iFrames and are placed on a blacklist instead: visitors from security and hosting firms are ignored, as are recently attacked users, various browsers and bots, and those arriving via a number of search engines or sites.
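One check a site owner can run follows from the paragraph above: because the module rewrites the response at request time and never touches the files on disk, comparing what the server actually serves against the page's source file exposes the injection. The script below is an added example written for this article, not tooling from Cisco or Zscaler. The hidden-iframe heuristics (hidden or display:none style, a dimension of one pixel or less, far off-screen position), the sample HTML and the browser-like request headers are assumptions for illustration, not a description of any specific Darkleech sample.

```python
"""Flag hidden iframes that exist only in the served copy of a page.

Added example for this article (not Cisco's or Zscaler's code). The
heuristics for "hidden" are general drive-by redirector patterns and are
an assumption, not a description of a specific Darkleech sample.
"""
import re
import urllib.request
from html.parser import HTMLParser


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def _px(value):
    """Parse '10px', '10' or '-5000px' into an int; None if not numeric."""
    m = re.match(r"\s*(-?\d+)", value or "")
    return int(m.group(1)) if m else None


def is_hidden(attrs):
    """True if an iframe is visually concealed: hidden/none style, at most
    one pixel wide or high, or positioned well off-screen."""
    style = attrs.get("style", "").lower()
    compact = style.replace(" ", "")
    if "visibility:hidden" in compact or "display:none" in compact:
        return True
    for dim in ("width", "height"):
        v = _px(attrs.get(dim))                     # width="0" style attribute
        if v is None:                               # or width:0px in CSS
            m = re.search(dim + r"\s*:\s*(-?\d+)", style)
            v = int(m.group(1)) if m else None
        if v is not None and v <= 1:
            return True
    for pos in ("left", "top"):                     # e.g. left:-9999px
        m = re.search(pos + r"\s*:\s*(-?\d+)", style)
        if m and int(m.group(1)) < -100:
            return True
    return False


def iframes_in(html):
    """Return a list of attribute dicts, one per <iframe> in the document."""
    p = _IframeCollector()
    p.feed(html)
    return p.iframes


def injected_iframes(served_html, on_disk_html):
    """src values of hidden iframes present in the served page but absent
    from the source file, i.e. frames added at request time."""
    on_disk = {a.get("src", "") for a in iframes_in(on_disk_html)}
    return [a.get("src", "") for a in iframes_in(served_html)
            if is_hidden(a) and a.get("src", "") not in on_disk]


def fetch_as_visitor(url, timeout=10):
    """Fetch a page the way an ordinary browser visit would look. The article
    says the module skips security vendors, bots and some search referrers,
    so the headers below are chosen to look unremarkable; which values the
    module actually checks is an assumption. Run this from an address
    outside the hosting provider's own ranges for the same reason."""
    req = urllib.request.Request(url, headers={
        "User-Agent": "Mozilla/5.0 (Windows NT 6.1; rv:20.0) Gecko/20100101 Firefox/20.0",
        "Referer": "http://example.com/",          # not a search engine
    })
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Constructed sample input: the file on disk versus what an infected
# server might emit for the same request (both invented for this example).
ON_DISK = """<html><body><h1>News</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

SERVED = ON_DISK.replace(
    "</body>",
    '<iframe src="http://203.0.113.5/index.php" style="visibility: hidden; '
    'position: absolute; left: 0px; top: 0px" width="10" height="10"></iframe>\n'
    '<iframe src="http://203.0.113.6/x.php" width="0" height="0"></iframe>\n</body>')


if __name__ == "__main__":
    # Real use: injected_iframes(fetch_as_visitor(url), open(path).read())
    for src in injected_iframes(SERVED, ON_DISK):
        print("injected hidden iframe ->", src)
```

The comparison only catches what the module chooses to serve to your request, so a clean result from a request the module has blacklisted (your own IP, a security vendor's User-Agent) proves nothing; repeat the fetch from an unrelated network with ordinary browser headers before trusting a negative.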
Mary Landesman and Gregg Conklin of Cisco Web Security sampled 1,239 infected sites as part of their investigation and found the attackers concentrated on sites running Apache 2.2.22 or later, typically on Linux systems, but how the attackers managed to install Darkleech remains unclear.
The Darkleech software also appears to backdoor the system by replacing the SSH daemon with a specially crafted one that captures the credentials of anyone logging in and transmits them to a third-party site. Given this depth of infection, administrators should reinstall the system, restore the site from a known-good backup and change every user name and password combination.
During the Cisco engineers’ observation period, Darkleech spread to web sites including the Los Angeles Times and a blog belonging to Seagate. The malicious iFrames remained undetected for around a month.
Wednesday, March 20, 2013 @ 05:03 PM gHale
It is all ahead full for the first of a planned new generation of nuclear power plants in the UK.
Energy Secretary Ed Davey told MPs in the Commons he was granting planning consent for French energy giant EDF to construct Hinkley Point C in Somerset.
The proposed $21.14 billion (£14 billion) power plant would be capable of powering five million homes.
Davey said the project was “of crucial national importance” but environmental groups reacted angrily.
The building of Hinkley Point C should clear a path for new plants across the UK. The project will create between 20,000 and 25,000 jobs during construction and 900 permanent jobs once in operation.
Davey told the Commons: “The planning decision to give consent to Hinkley Point follows a rigorous examination from the Planning Inspectorate, and detailed analysis within my department.
“This planned project adds to a number of new energy projects consented since May 2010, including wind farms and biomass and gas-fired power stations.
“It will benefit the local economy, through direct employment, the supply chain and the use of local services.”
The news is a boost to the nuclear industry following a series of setbacks in plans to construct a new fleet of reactors in the UK, which ministers say will cut carbon and keep the lights on.
The move could lock a generation of consumers into higher energy bills, via a strike price that should double the current price of electricity.
Monday, March 4, 2013 @ 04:03 PM gHale
A hacker serving time in the UK for hacking, who took an IT course the prison offers inmates to prepare them for a successful return to society upon release, ended up breaking into the prison’s mainframe.
Nicholas Webber, 21, founder of the GhostMarket online forum where cyber crooks traded stolen credit card details, tools for committing computer offenses and know-how, was the inmate enrolled in the IT class at HMP Isis prison in South London, according to a report in the Daily Mail of London. His actions reportedly caused ‘major panic,’ but it is not clear what, if anything, he managed to access.
Arrested two years ago along with a few accomplices and sentenced to five years in prison, Webber was included in the group that took the IT lessons the prison provides to teach inmates skills that would help them once they got out.
The incident would have stayed quiet, but the prison’s IT teacher, Michael Fox, has brought an unfair dismissal case against the prison.
Fox said that after the hack was discovered he was held responsible for it and dismissed, first by the prison and then by his employer, Kensington and Chelsea College, where he also worked as a teacher.
He said he was not aware of Webber’s hacking background and that, ultimately, he was not the one who allowed him to attend the lessons in the first place.
“At the time of this incident in 2011 the educational computer system at HMP Isis was a closed network. No access to personal information or wider access to the Internet or other prison systems would have been possible,” said a Prison Service spokesman.
Further details were not immediately available.
Monday, January 28, 2013 @ 02:01 PM gHale
A British member of Anonymous is facing 18 months in prison after a guilty verdict in Southwark Crown Court in the UK last week for orchestrating attacks that knocked PayPal, Visa and Mastercard offline.
Christopher Weatherhead, 22, who used the online nickname “Nerdo,” was “a high-level operator,” prosecutors said. Ashley Rhodes, 28, another Anonymous member, will serve seven months.
Another British citizen, Peter Gibson, 24, got a six-month suspended sentence for playing a lesser role in the website attacks. The fate of a fourth defendant, Jake Birchall, 18, will come at a later date.
Judge Peter Testar said the distributed-denial-of-service (DDoS) assaults organized by Weatherhead against PayPal and other companies weren’t money-making exercises, but were targeted and meant to cause damage.
“It’s intolerable that where an individual or a group disagrees with a company they should be able to interfere with its activity,” he said.
The attacks were part of “Operation Payback”, an Anonymous campaign that first targeted anti-piracy sites, music labels and movie studios but then moved against financial firms that refused to process donations to Wikileaks after the website published leaked U.S. diplomatic cables.
The DDoS assaults were launched using the Low Orbit Ion Cannon (LOIC), a tool favored by Anonymous and typically used by dozens if not hundreds of people at a time to overwhelm web servers. The attacks cost PayPal $5.5 million and forced it to pull more than a hundred staff from parent firm eBay just to keep its website running while the attacks took place over a few weeks, officials said.
Weatherhead, of Northampton, said he was studying at the town’s university at the time, and claimed he only looked on while others launched the attacks in 2010. Nevertheless, the court convicted him of one count of conspiracy to impair the operation of computers in December.
Rhodes of Camberwell in London, Gibson from Hartlepool and Birchall of Chester had already pleaded guilty to the charge.
“In short, the crown says that Weatherhead is a high-level operator, an organizer, a purchaser at the top of the indictment,” Joel Smith, prosecuting, told the court.
Mark Ruffell, defending, said that although Weatherhead was responsible for his own actions, the attacks in question were carried out by any number of the 11,000 people logged into the Anonymous chat server used to spread the word about the timings and targets of the DDoS attacks. He also argued Weatherhead’s first and main motive was youthful idealism and a belief that copyright was wrong.
“He’s not the first student, nor will he be the last, to try to change the world and come a cropper,” Ruffell said.
However, Judge Testar was satisfied that Weatherhead “had a main role.”
“It was apparent to me from those [chat server] logs that he was directing the activity of others. He gave encouragement, he gave technical advice, he nominated targets,” he said.
Smith said Rhodes and Gibson focused on “doxxing,” the process of digging up and compiling as much information as possible about a target.
Documents recovered from Rhodes’ computer showed Weatherhead congratulated the pair on their research. However, the court accepted the idea Gibson did not play a part in the conspiracy during the time PayPal, Mastercard and Visa were under attack.
Gibson’s barrister told the court that her client’s involvement with the group was much shorter than the others and that he stopped chatting to the group when he realized they were going to attack the payment-processing sites.
“Gibson disconnected from the group when he realized they intended to attack financial targets, which he strongly disagreed with, so he broke off all contact. It was a purposeful act on his part and he never returned, he never went back,” she said.
Gibson’s realization he was doing wrong was why Judge Testar suspended his sentence.
Rhodes had “a more hands-on approach”, Smith told the court. “He was the only one with a LOIC on his computer and his conversation on IRC seemed to focus more on the attacks.”
Wednesday, January 23, 2013 @ 05:01 PM gHale
Willow trees cultivated for green energy can yield up to five times more biofuel if they grow diagonally, compared with those that grow naturally up toward the sky.
This effect is true in the wild and in plantations around the UK, but scientists were previously unable to explain why some willows produced more biofuel than others.
Now British researchers have found a genetic trait that causes this effect and is activated in some trees when they sense they are at an angle, such as when they are blown sideways in windy conditions.
The effect creates an excess of strengthening sugar molecules in the willows’ stems as the plant attempts to straighten itself upwards. These high-energy sugars are fermented into biofuels when the trees are harvested, in a process that needs to become more efficient before it can rival the production of fossil fuels.
Willow is grown widely across the UK, destined to become biofuel for motor vehicles, heating systems and industry. Researchers said they could in future breed all willow crops for this genetic trait, making them a more productive and greener energy source.
“We’ve known for some time that environmental stresses can cause trees to naturally develop a slightly modified ‘reaction wood’ and that it can be easier to release sugars from this wood,” said Dr. Nicholas Brereton of the Department of Life Sciences at Imperial College London. “This is an important breakthrough, our study now shows that natural genetic variations are responsible for these differences and this could well be the key to unlocking the future for sustainable bioenergy from willow.”
The researchers conducted a trial in controlled laboratory conditions on a rooftop in central London at the Gro-dome facility at Imperial’s South Kensington Campus. They cultivated some willows at an angle of 45 degrees, and looked for any genetic differences between these plants and those allowed to grow naturally straight upwards.
The team then looked for the same effect in willows growing under natural conditions on the Orkney Islands, off the northern-most coast of Scotland, where winds are regularly so strong that the trees constantly bend over at severe angles. Their measurements confirmed those willows could release five times more sugar than identical trees grown in more sheltered conditions at Rothamsted Research in the south of the UK.
“We are very excited about these results because they show that some willows respond more to environmental stresses, such as strong winds, by changing the composition of their wood in ways that are useful to us,” said Dr. Angela Karp of Rothamsted Research, who leads the BBSRC-funded BSBEC-BioMASS project. “As breeders this is good news because it means we could improve willow by selecting these types from the huge diversity in our collections.”
This work forms part of the BBSRC Sustainable Bioenergy Centre (BSBEC) where it links with other programs aimed at improving the conversion of biomass to fuels. Coupled with work at Rothamsted Research, the new results will help scientists to grow biofuel crops in climatically challenging conditions that have limited options for growing food crops, therefore minimizing conflicts of food versus fuel.
Traditionally grown for wicker furniture and baskets, and an ancient medicinal plant whose chemical contents were the precursors to Aspirin, willows are important crops for energy and the environment. Willow requires less than a tenth of the fertilizer used for most cereal crops, and its shoots re-grow quickly after they are harvested. Environmental groups also say willow plantations are also attractive to a variety of wildlife, making a positive impact on local biodiversity.
Tuesday, July 3, 2012 @ 01:07 PM gHale
Cyber attacks continue growing and if you don’t believe it, just ask the UK’s internal counter-intelligence and security agency, MI5.
Vulnerabilities on the Internet are currently being “exploited aggressively not just by criminals but also states,” said Jonathan Evans, the head of MI5.
Evans also said MI5 is investigating instances of cyber attacks in more than a dozen companies and that one major London business suffered £800 million ($1.3 billion) in losses following an attack.
This comes hot on the heels of a report from Cambridge University saying cyber crime is currently costing Britain £11 billion ($17.3 billion).
“Some academics, such as the authors of the recently released Cambridge University cybercrime report, claim that more resources should be focused on catching and punishing cyber criminals as opposed to preventing computer crime – but unfortunately this is as logical as waiting until you have been burgled before installing locks,” said Ross Brewer, managing director and vice president, international markets, LogRhythm, a security provider.
“The scale and nature of today’s cyber threat calls for continuous, protective monitoring of networks to ensure that even the smallest intrusion or anomaly can be detected before it becomes a bigger problem for all,” he said. “As traditional point security tools continue to prove their own limitations, more holistic strategies need to be adopted – and log data is becoming an invaluable intelligence resource for anybody wanting to keep a close eye on all network activity.”
“This level of visibility is also critical to facilitate deep forensic analysis into today’s sophisticated cyber attacks, enabling them to be accurately attributed to the correct perpetrators.”