Category Archives: Cyber warfare

Russia is going to disconnect from the internet as part of a planned test

Russia plans to disconnect the country from the internet as part of an experiment aimed at testing its response to cyber attacks that could isolate it.

Russia plans to disconnect the country from the Internet for a limited period of time to conduct a test aimed at assessing the resilience of its infrastructure. Russian citizens would be able to reach only Internet resources hosted within the national territory; any resource hosted outside the country would not be reachable.

The news was reported by the Russian news agency RosBiznesKonsalting (RBK); the experiment could be conducted before April 1st.

According to the “The National Digital Economy Program” bill submitted to Parliament in 2018, Russian Internet service providers (ISPs) should ensure that operations continue even if nation-state actors carry out cyber attacks to isolate Russia from the Internet. The authorities want to ensure that access to Russian Internet resources is maintained even while under attack; to achieve this, Russian experts are considering a national DNS infrastructure managed by Moscow.

Currently, none of the 12 organizations that operate the DNS root servers worldwide is based in Russia.

ISPs should be able to route traffic through nodes under the control of the Russian Government to allow connections between Russian entities.

Of course, concentrating traffic through nodes controlled by Moscow could open the door to mass surveillance.

“In addition, Russian telecom firms would also have to install “technical means” to re-route all Russian internet traffic to exchange points approved or managed by Roskomnadzor, Russia’s telecom watchdog.” reported ZDNet.

“Roskomnadzor will inspect the traffic to block prohibited content and make sure traffic between Russian users stays inside the country, and is not re-routed uselessly through servers abroad, where it could be intercepted.”


The experiment was agreed upon in a session of the Information Security Working Group at the end of January. The group includes InfoWatch, MegaFon, Beeline, MTS, RosTelecom, and other major companies in the country.

All Internet providers agreed with the law’s goals, but the technical implementation raises many concerns because experts believe it could cause major disruptions to Russian Internet traffic. In any case, the goal of the project is to observe how ISP networks would react in this scenario.

“Natalya Kaspersky [President of the InfoWatch company] confirmed to RBC that at the meeting of the working group, a bill was discussed on the sustainability of the Runet for external shutdown.” reported the RBK agency.

“All participants in the discussion agree that it has good goals, but the mechanisms for its implementation raise many questions and disputes. Moreover, the methods of its implementation have not yet been precisely defined. Therefore, they came to the conclusion that market participants need to organize exercises or something similar in order to understand how this can all be implemented in practice,” said Kaspersky.

According to Finanz.ru, local internet services Mail.ru and Yandex.ru were also supportive of the test.

Pierluigi Paganini

(SecurityAffairs – Russia, Internet)

The post Russia is going to disconnect from the internet as part of a planned test appeared first on Security Affairs.

Germany makes its cyber capabilities available for NATO alliance

Germany announced it is going to make its cyber capabilities available for the NATO alliance to help fight hacking and electronic warfare.

Germany is going to share its cyber warfare capabilities with the NATO alliance to protect members of the alliance against hacking and electronic warfare.

During the 2016 Warsaw Summit, NATO officially recognised cyberspace as a military operational domain. This means that a severe cyber attack could trigger a collective response from the alliance, potentially with conventional weapons, confirming that the Internet is a new battlefield.
Each Ally is committed to improving its resilience to cyber attacks and its ability to respond to them promptly, including in hybrid contexts. The Alliance aims to expand the scope of the NATO Cyber Range to help allies improve their cyber capabilities and share information on threats and best practices.

NATO fears both nation-state hacking and attacks carried out by cyber criminals; their activities are becoming ever more intense and demand a proper response from the alliance.

“NATO has designated cyberspace as a conflict domain alongside land, sea and air and says electronic attacks by the likes of Russia and China — but also criminals and so-called “hacktivists” — are becoming more frequent and more destructive.” reads a post published by AFP press.


During a meeting of defence ministers held in Brussels on Thursday, Germany told allies that it would make both its defensive and offensive cyber capabilities available.

“Just as we provide army, air force and naval forces to NATO, we are now also in a position to provide NATO capabilities on the issue of cyber within the national and legal framework that we have,” German Defence Minister Ursula von der Leyen said.

Germany is not alone: the US, Britain, Denmark, the Netherlands and Estonia have all announced the availability of their offensive cyber capabilities to the alliance.

NATO members hope that announcing the sharing of offensive capabilities will act as a deterrent for threat actors.

Members of the alliance, which already share conventional military means, aim to share their cyber capabilities for NATO missions and operations.

Potential targets of these operations include any connected system, ranging from computers and mobile devices to industrial control systems (ICS) in critical infrastructure.

“In a sign of the growing importance NATO countries attach to the cyber battlefield, this year Britain said it would spend 65 million pounds (74 million euros/$83 million) on offensive capabilities.” concludes AFP.

Pierluigi Paganini

(SecurityAffairs – NATO alliance, Germany)

The post Germany makes its cyber capabilities available for NATO alliance appeared first on Security Affairs.

Security Affairs newsletter Round 200 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web” is online with a special deal

20% discount

Kindle Edition

Paper Copy

Digging The Deep Web

Once again thank you!

Can Enterprises execute a GRC Movement?
Experts observed a new sextortion scam Xvideos-themed
Hacker who reported a flaw in Hungarian Magyar Telekom faces up to 8-years in jail
Experts found popular beauty apps in the Play Store including malicious code
Metro Bank is the first bank that disclosed SS7 attacks against its customers
QuadrigaCX exchange lost access to $145 Million funds after founder dies
Security firm Recorded Future discovered the hacker behind Collection #1
Young hacker gets 10 years jail sentence for SIM Swapping attacks
Roughly 500,000 Ubiquiti devices may be affected by flaw already exploited in the wild
Severe bug in LibreOffice and OpenOffice suites allows remote code execution
SpeakUp Linux Backdoor targets Linux servers in East Asia and LATAM
A critical counterfeiting vulnerability addressed in Zcash
New ExileRAT backdoor used in attacks aimed at users in Tibet
Reverse RDP Attack – Rogue RDP Server can be used to hack RDP clients
Security expert Marco Ramilli released for free the Malware Hunter tool
Android devices could be hacked by viewing a malicious PNG Image
Expert publicly disclosed the existence of 0day flaw in macOS Mojave
Ursnif: Long Live the Steganography and AtomBombing!
Hackers broke into Australia’s Parliament Computer Network
NITEC19 – NATO Opens Defense Innovation Challenge calls for C4ISR solutions
Phishing campaign leverages Google Translate as camouflage
Three out of the four flaws fixed with iOS 12.1.4 were exploited in the wild
Vulnerabilities in Kunbus Industrial Gateway allow attackers to control the devices
Exclusive – MalwareMustDie Team analyzed the Cayosin Botnet and its criminal ecosystem
GandCrab ransomware campaign targets Italy using steganography

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 200 – News of the week appeared first on Security Affairs.

Historical OSINT – “I Know Who DDoS-ed Georgia and Bobbear.co.uk Last Summer”

Appreciate my rhetoric. In this post I'll provide actionable intelligence on a key DDoS for hire service that was primarily used in the Russia vs Georgia Cyber Attacks circa 2009 including the DDoS attack against Bobbear.co.uk. Related actionable intelligence on the campaign: hxxp://setx.in - Email: info@antiddos.eu - setx.mail@gmail.com - hxxp://httpdoc.info - hxxp://fakamaza.info. The last one

Historical OSINT – Sub7 Crew Releases New Version on 11th Anniversary of The RAT

It's 2010 and I recently came across the following announcement on Sub7's main forum (Sub7 being the most ubiquitous trojan horse, also known as a Remote Access Tool, circa the '90s) about the upcoming release of a new version. "People can buy unique FUD servers in the shop and custom clients can also be written to help you admin PC's remotely with your own features. These are selling well so be sure to

Historical OSINT – A Peek Inside The Georgia Government’s Web Site Compromise Malware Serving Campaign – 2010

Remember the massive Russia vs Georgia cyber attack circa 2009? It seems that the time has come for me to dig a little bit deeper and provide actionable intelligence on one of the actors that seem to have participated in the campaign including a sample Pro-Georgian type of Cyber Militia that apparently attempted to "risk-forward" the responsibility for waging Cyberwar to third-parties including

Government, Private Sector Unprepared for 21st Century Cyber Warfare

U.S. government agencies and businesses are largely unprepared for a major cyber attack from state-sponsored actors, and must prepare now, according to a report by key governmental-focused think tanks.

The post Government, Private Sector Unprepared for 21st Century Cyber Warfare appeared first on The Security Ledger.


Security Affairs newsletter Round 199 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Using steganography to obfuscate PDF exploits
Aztarna – the open-source scanning tool for vulnerable robots
Cobalt cybercrime gang abused Google App Engine in recent attacks
Dailymotion forces password reset in response to credential stuffing Attack
Hackers are targeting Cisco RV320/RV325, over 9K routers exposed online
Hackers compromise WordPress sites via Zero-Day flaws in Total Donations plugin
Authorities shut down XDEDIC marketplace in an international operation
Disable FaceTime, a bug lets you hear a person’s audio before they answer
Law enforcement worldwide hunting users of DDoS-for-Hire services
Netanyahu accuses Iran of cyber attacks carried out daily
US DoJ charges Huawei with sanctions violations and technology espionage
Facebook paid teens $20 to install a Research App that spies on them
Iran-Linked APT39 group use off-the-shelf tools to steal data
Reading the ENISA Threat Landscape Report 2018
Skyscanner launches a public bug bounty program
Sofacy’s Zepakab Downloader Spotted In-The-Wild
Airbus data breach exposes some employees’ data
CookieMiner Mac Malware steals browser cookies and sensitive Data
Exclusive: spreading CSV Malware via Google Sheets
Imperva mitigated DDoS attack generated 500 Million Packets per Second, the largest ever
Researchers published the PoC exploit code for Linux SystemD bugs
Facebook dismantled a vast manipulation campaign tied to Iran
State Bank of India left archive with millions of Customer messages exposed
The return of the AdvisorsBot malware
US authorities aim to dismantle North Korea’s Joanap Botnet
Apple issued a partial fix for recent FaceTime spying bug
Home Design website Houzz suffered a data breach
IBM experts warn of malicious abuses of Apple Siri Shortcuts
Operators of the TheMoon botnet offer it as a service

Pierluigi Paganini

(SecurityAffairs – newsletter)

The post Security Affairs newsletter Round 199 – News of the week appeared first on Security Affairs.


US authorities aim to dismantle North Korea’s Joanap Botnet

FBI and Air Force experts are sinkholing the Joanap botnet to collect information about it and dismantle the malicious infrastructure.

The U.S. Justice Department has declared war on the Joanap botnet, which is associated with North Korea.

The U.S. DoJ announced this week that it is working to dismantle the infamous Joanap botnet, a malicious infrastructure that is believed to be associated with Pyongyang.

The FBI and the U.S. Air Force Office of Special Investigations (AFOSI) obtained court orders and search warrants that allow them to conduct sinkholing of the Joanap botnet.

The Joanap bot is a remote access trojan (RAT) that allows the attackers to exfiltrate data from compromised systems; it supports many commands and is also able to drop additional payloads.

The authorities set up servers that mimic the botnet’s communication system in order to collect information on infected systems and share it with ISPs and the owners of the compromised computers.

The U.S. authorities will also inform foreign victims through the FBI’s Legal Attachés, who work with the law enforcement and security agencies in their countries.

The Joanap botnet has been around since 2009, and experts pointed out that the threat is still spreading through unpatched systems and unprotected networks. The bot is delivered by the Brambul SMB worm, which spreads through a network by brute-forcing SMB shares using a list of hard-coded credentials.
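The brute-forcing behaviour described above leaves a recognisable trail on the targets: a burst of failed network logons (Windows Security Event ID 4625, logon type 3, which covers SMB) from one source against many different account names, often followed by a successful logon (4624) from the same source once a credential from the list matches. The following Python script is an added example, not code from the post or from the FBI/AFOSI operation; it runs that check over a handful of constructed records. The one-line key=value rendering of the events is an assumption of the example (real events are XML/EVTX), while the field names are the ones Windows uses in EventData.

```python
"""Flag Brambul-style SMB credential brute-forcing in Windows logon events.

Added example (not from the Security Affairs post or the FBI/AFOSI
operation). Input is a constructed, flattened rendering of Security log
records: one event per line, ISO timestamp first, then the EventData
fields Windows really uses (EventID, LogonType, TargetUserName,
IpAddress, Status). A worm walking a hard-coded credential list shows up
as one source IP failing network logons (LogonType 3, which covers SMB)
against many distinct accounts in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 10.0.0.45 imitates the worm: six accounts in
# three seconds, then a successful logon as "backup" once a credential
# from its list matched. 10.0.0.7 is a user mistyping their own password
# and must not be flagged.
SAMPLE_LOG = """\
2019-01-29T10:00:01 EventID=4625 LogonType=3 TargetUserName=administrator IpAddress=10.0.0.45 Status=0xC000006D
2019-01-29T10:00:01 EventID=4625 LogonType=3 TargetUserName=admin IpAddress=10.0.0.45 Status=0xC000006D
2019-01-29T10:00:02 EventID=4625 LogonType=3 TargetUserName=root IpAddress=10.0.0.45 Status=0xC000006D
2019-01-29T10:00:02 EventID=4625 LogonType=3 TargetUserName=guest IpAddress=10.0.0.45 Status=0xC000006D
2019-01-29T10:00:03 EventID=4625 LogonType=3 TargetUserName=user IpAddress=10.0.0.45 Status=0xC000006D
2019-01-29T10:00:03 EventID=4625 LogonType=3 TargetUserName=test IpAddress=10.0.0.45 Status=0xC000006D
2019-01-29T10:00:04 EventID=4624 LogonType=3 TargetUserName=backup IpAddress=10.0.0.45 Status=0x0
2019-01-29T10:05:10 EventID=4625 LogonType=2 TargetUserName=jdoe IpAddress=127.0.0.1 Status=0xC000006A
2019-01-29T10:05:40 EventID=4625 LogonType=3 TargetUserName=jdoe IpAddress=10.0.0.7 Status=0xC000006A
2019-01-29T10:06:15 EventID=4625 LogonType=3 TargetUserName=jdoe IpAddress=10.0.0.7 Status=0xC000006A
"""

WINDOW = timedelta(seconds=60)   # how close together the failures must be
DISTINCT_ACCOUNTS = 5            # how many different names count as a sweep


def parse_event(line):
    """Split one flattened record into a dict with a datetime under 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def detect_smb_bruteforce(log_text, window=WINDOW, threshold=DISTINCT_ACCOUNTS):
    """Return {source_ip: {"accounts": [...], "later_success": [...]}} for every
    source that failed network logons against >= threshold distinct accounts
    within `window`. 'later_success' lists the accounts that source then
    logged on as, i.e. the credential from the list that worked."""
    failures = defaultdict(list)   # ip -> [(ts, account)]
    successes = defaultdict(set)   # ip -> {account}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("LogonType") != "3":      # interactive/local logons are not SMB
            continue
        if ev["EventID"] == "4625":
            failures[ev["IpAddress"]].append((ev["ts"], ev["TargetUserName"]))
        elif ev["EventID"] == "4624":
            successes[ev["IpAddress"]].add(ev["TargetUserName"])

    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window so events[start:end+1] spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({acct for _, acct in events[start:end + 1]}) >= threshold:
                alerts[ip] = {
                    "accounts": sorted({acct for _, acct in events}),
                    "later_success": sorted(successes.get(ip, ())),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_smb_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: tried {len(info['accounts'])} accounts "
              f"{info['accounts']}, later succeeded as {info['later_success']}")
```

The distinct-account count is what separates a credential sweep from a single user with a stale password, which is why the 10.0.0.7 entries stay quiet. On a real domain the same logic runs over a flattened export of the domain controllers' Security logs, and the `later_success` field is the host-to-account pair worth isolating first.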

Experts linked both the Joanap and Brambul malware to the North Korea-linked Hidden Cobra APT group.

The Joanap bot infected systems in many industries, including media, aerospace, financial, and critical infrastructure sectors across the world.

“Computers around the world remain infected by a botnet associated with the North Korean Regime,” said Assistant Attorney General John Demers. “Through this operation, we are working to eradicate the threat that North Korea state hackers pose to the confidentiality, integrity, and availability of data. This operation is another example of the Justice Department’s efforts to use every tool at our disposal to disrupt national security threat actors, including, but by no means limited to, prosecution.”

“Through technical means and legal process, the FBI continually seeks to disrupt the malicious cyber activities of North Korean cybercriminals, as in this case, and all cyber actors who pose a threat to the United States and our international partners.” explained ADIC Paul Delacourt.

In June 2018, the FBI filed a complaint against the North Korean citizen Park Jin Hyok, an expert who works for the North Korean military intelligence agency, the Reconnaissance General Bureau (RGB).

The man, also known as Pak Jin Hek, is also linked to the dreaded Lazarus APT group; according to the authorities, he was involved in numerous computer intrusions in which he also used the Brambul malware to gain unauthorized access to computers.

“Moreover, a complaint was filed on June 8, 2018, charging Park Jin Hyok with a conspiracy to carry out numerous computer intrusions backed by the North Korean government. That complaint alleged how co-conspirators used Brambul to gain unauthorized access to computers, and then used those computers to carry out the charged malicious cyber activities. The Brambul worm itself was recovered from the computer networks of some victims of the conspiracy.”

The good news for users is that Joanap is not effective against up-to-date Microsoft Windows systems running Windows Defender and using Windows Update. Most antivirus programs are also able to detect both Joanap and Brambul.

Pierluigi Paganini

(SecurityAffairs – Joanap botnet, North Korea)

The post US authorities aim to dismantle North Korea’s Joanap Botnet appeared first on Security Affairs.




Reading the ENISA Threat Landscape Report 2018

According to the ENISA Threat Landscape Report 2018, 2018 has brought significant changes in the techniques, tactics, and procedures associated with cybercrime organizations and nation-state actors.

I’m proud to present to you the ENISA Threat Landscape Report 2018, the annual report published by the ENISA ETL group that provides insights on the evolution of cyber threats in 2018.


2018 was characterized by significant changes in the cyber threat landscape, especially in the TTPs associated with threat agent groups. Financially motivated attackers focused their efforts on developing and spreading crypto-miners, and this threat entered the top 15 threats included in the report.

Nation-state actors reduced their use of complex malware and appear to be shifting towards low-profile social engineering attacks.

“Recent political activities have underlined the emergence of various, quite novel developments in the perceived role of cyberspace for society and national security.” reads the ENISA Threat Landscape Report 2018. “Cyber-diplomacy, cyber-defence and cyberwar regulation have dominated the headlines. These developments, when transposed to actions, are expected to bring new requirements and new use cases for cyberthreat intelligence.”

ENISA experts believe threat actors will adapt their activities to the changes introduced to prevent such interference.

The main trends emerged in the 2018’s cyberthreat landscape are:

  • Mail and phishing messages have become the primary malware infection vector.
  • Exploit Kits have lost their importance in the cyberthreat landscape.
  • Cryptominers have become an important monetization vector for cyber-criminals.
  • State-sponsored agents increasingly target banks by using attack-vectors utilised in cyber-crime.
  • Skill and capability building are the main focus of defenders. Public organisations struggle with staff retention due to strong competition with industry in attracting cybersecurity talents.

The report highlights the importance of cyber threat intelligence in responding to increasingly automated attacks that rely on automated tools. Unfortunately, low-capability organisations and end-users have no access to cyberthreat intelligence solutions, which exposes them to severe risks.

Another element of concern is the diffusion of IoT devices that are poorly protected.

“The need for generic IoT protection architectures/good practices will remain pressing.” continues the report.

All the above trends are detailed in the ENISA Threat Landscape 2018 (ETL 2018), a must-read for cyber security experts and enthusiasts.

Let me close with the Top Threats 2018; for each threat, the report includes detailed information on trends and observed evolution.

Enjoy it!


Pierluigi Paganini

(SecurityAffairs –  cybersecurity, ENISA Threat Landscape Report 2018)

The post Reading the ENISA Threat Landscape Report 2018 appeared first on Security Affairs.

Iran-Linked APT39 group use off-the-shelf tools to steal data

An Iran-linked cyber-espionage group tracked as APT39 is carrying out a widespread campaign using a broad range of custom and off-the-shelf tools.

The APT39 cyberespionage group is carrying out a widespread campaign using a broad range of custom and off-the-shelf tools. The group has been active since at least November 2014; its operations overlap with those attributed to the Chafer and OilRig groups, bringing together TTPs used by both actors.

APT39 cyber spies focused their operations on the Middle East, but the group has also targeted entities in the U.S. and South Korea. Most of the victims belong to the telecommunications and travel industries; the cyber spies also targeted the high-tech industry and government.


“APT39 primarily leverages the SEAWEED and CACHEMONEY backdoors along with a specific variant of the POWBAT backdoor. While APT39’s targeting scope is global, its activities are concentrated in the Middle East.” reads the report published by FireEye.

“APT39 has prioritized the telecommunications sector, with additional targeting of the travel industry and IT firms that support it and the high-tech industry.”

APT39’s operations aim to collect geopolitical data and to monitor targets of interest.

Experts observed an overlap between the malware distribution techniques and command and control infrastructure used by APT39 and those observed in campaigns associated with other Iran-linked APT groups.

Researchers at FireEye pointed out that the POWBAT backdoor used by the APT39 group is different from the one used by APT34, but they do not exclude close collaboration between the two crews.

“While APT39 and APT34 share some similarities, including malware distribution methods, POWBAT backdoor use, infrastructure nomenclature, and targeting overlaps, we consider APT39 to be distinct from APT34 given its use of a different POWBAT variant. It is possible that these groups work together or share resources at some level.” continues the report.

Initial compromise leverages spear-phishing messages carrying malicious attachments or URLs that lead to a POWBAT infection. The cyberspies also target vulnerable web servers of the organizations to install web shells such as ANTAK and ASPXSPY, and they have used stolen legitimate credentials to compromise externally facing Outlook Web Access (OWA) resources.

In the post-infection phase, the threat actors leverage custom backdoors such as SEAWEED, CACHEMONEY, and a unique variant of POWBAT that is used by attackers to gain a foothold in a target environment.

For credential harvesting and privilege escalation, the attackers use tools like Mimikatz and Ncrack, along with legitimate utilities such as Windows Credential Editor and ProcDump, and the custom port scanner BLUETORCH for internal reconnaissance.

Once inside the target environment, the attackers move laterally with tools such as Remote Desktop Protocol (RDP), Secure Shell (SSH), PsExec, RemCom, and xCmdSvc. Other custom tools used by the threat actors, REDTRIP, PINKTRIP, and BLUETRIP, allow them to create SOCKS5 proxies between infected hosts.
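Proxy chains of the kind REDTRIP, PINKTRIP and BLUETRIP build are easy to confirm on the wire, because SOCKS5 (RFC 1928) has a fixed, unencrypted client handshake: a version byte 0x05 and a list of authentication methods, then a request carrying the command and the real destination the proxy is asked to reach. The Python below is an added example and not FireEye's tooling or any of the tools named in the report; it parses the client side of that handshake from a flow's payload and flags flows where both endpoints are private addresses, since one workstation speaking SOCKS5 to another is what a lateral proxy looks like. The flows, the host addresses and the proxy port 8080 are all constructed for the example.

```python
"""Spot SOCKS5 proxying between internal hosts (RFC 1928 client handshake).

Added example, not FireEye's tooling and not REDTRIP/PINKTRIP/BLUETRIP
themselves. Given the client-to-server bytes of a TCP flow, it parses the
SOCKS5 method greeting and, when present, the first request, recovering
the command and the real destination the proxy is asked to reach. Flows
where both ends are private (RFC 1918) addresses are reported, because a
workstation offering SOCKS5 to another workstation is a lateral proxy.
All flows, addresses and the proxy port below are constructed.
"""
import ipaddress

SOCKS_VERSION = 0x05
CMD_NAMES = {0x01: "CONNECT", 0x02: "BIND", 0x03: "UDP_ASSOCIATE"}


def parse_socks5_client(stream):
    """Return None if `stream` does not start with a SOCKS5 greeting, else a
    dict with the offered auth methods and, if the request has already been
    sent, its command and destination (cmd/dst/port are None otherwise)."""
    if len(stream) < 2 or stream[0] != SOCKS_VERSION:
        return None
    nmethods = stream[1]
    if nmethods == 0 or len(stream) < 2 + nmethods:
        return None
    parsed = {"methods": list(stream[2:2 + nmethods]),
              "cmd": None, "dst": None, "port": None}

    req = stream[2 + nmethods:]            # VER CMD RSV ATYP DST.ADDR DST.PORT
    if len(req) < 4 or req[0] != SOCKS_VERSION or req[2] != 0x00:
        return parsed                      # greeting only, request not yet seen
    cmd, atyp, body = req[1], req[3], req[4:]
    if atyp == 0x01 and len(body) >= 6:                                 # IPv4 + port
        dst, off = str(ipaddress.IPv4Address(body[:4])), 4
    elif atyp == 0x03 and len(body) >= 1 and len(body) >= 3 + body[0]:  # len-prefixed name + port
        dst, off = body[1:1 + body[0]].decode("ascii", "replace"), 1 + body[0]
    elif atyp == 0x04 and len(body) >= 18:                              # IPv6 + port
        dst, off = str(ipaddress.IPv6Address(body[:16])), 16
    else:
        return parsed                      # truncated or unknown address type
    parsed.update(cmd=CMD_NAMES.get(cmd, f"UNKNOWN(0x{cmd:02x})"), dst=dst,
                  port=int.from_bytes(body[off:off + 2], "big"))
    return parsed


def find_internal_socks_tunnels(flows):
    """flows: iterable of (src_ip, dst_ip, dst_port, client_payload_bytes).
    Returns one alert per flow that is SOCKS5 between two private addresses."""
    alerts = []
    for src, dst, dport, payload in flows:
        parsed = parse_socks5_client(payload)
        if parsed is None:
            continue
        if not (ipaddress.ip_address(src).is_private and ipaddress.ip_address(dst).is_private):
            continue
        alerts.append({"src": src, "proxy": f"{dst}:{dport}", **parsed})
    return alerts


# Helpers that build constructed client streams: a greeting (no-auth, or
# no-auth plus username/password) followed by a CONNECT request.
def socks5_connect_ipv4(ip, port, methods=b"\x00"):
    return (bytes([SOCKS_VERSION, len(methods)]) + methods
            + bytes([SOCKS_VERSION, 0x01, 0x00, 0x01])
            + ipaddress.IPv4Address(ip).packed + port.to_bytes(2, "big"))


def socks5_connect_domain(name, port, methods=b"\x00\x02"):
    name = name.encode("ascii")
    return (bytes([SOCKS_VERSION, len(methods)]) + methods
            + bytes([SOCKS_VERSION, 0x01, 0x00, 0x03, len(name)]) + name
            + port.to_bytes(2, "big"))


SAMPLE_FLOWS = [  # (src, dst, dport, client bytes), all constructed
    ("10.0.1.20", "10.0.1.35", 8080, socks5_connect_ipv4("10.0.1.50", 445)),         # SMB through an internal proxy
    ("10.0.1.77", "10.0.1.35", 8080, socks5_connect_domain("dc01.corp.lan", 3389)),  # RDP to a DC through the proxy
    ("10.0.1.20", "93.184.216.34", 443, b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"),  # TLS ClientHello
    ("10.0.1.5", "10.0.1.9", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),        # plain HTTP
    ("10.0.1.9", "10.0.1.35", 8080, b"\x05\x01\x00"),                                 # greeting only so far
]

if __name__ == "__main__":
    for a in find_internal_socks_tunnels(SAMPLE_FLOWS):
        print(f"{a['src']} -> proxy {a['proxy']}: {a['cmd']} {a['dst']}:{a['port']} methods={a['methods']}")
```

The greeting-only flow is reported on purpose: by the time the request arrives the session may already be split across packets, and the greeting alone is enough to say that an internal host is acting as a SOCKS5 server. Note that `is_private` also covers loopback and link-local ranges, so filter those out first if you feed it host-local capture.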

APT39 typically compresses data with WinRAR or 7-Zip before exfiltrating it.

“APT39’s targeting not only represents a threat to known targeted industries, but it extends to these organizations’ clientele, which includes a wide variety of sectors and individuals on a global scale.” FireEye concludes.

“APT39’s activity showcases Iran’s potential global operational reach and how it uses cyber operations as a low-cost and effective tool to facilitate the collection of key data on perceived national security threats and gain advantages against regional and global rivals,”

Pierluigi Paganini

(SecurityAffairs – IRAN, APT39)

The post Iran-Linked APT39 group use off-the-shelf tools to steal data appeared first on Security Affairs.

Netanyahu accuses Iran of cyber attacks carried out daily

Israeli Prime Minister Benjamin Netanyahu accuses Iran of launching cyber-attacks on his country on a daily basis.

Prime Minister Benjamin Netanyahu revealed that Iran launched cyber-attacks on Israel on a daily basis, but its experts are able to block them.

“Iran attacks Israel on a daily basis,” Netanyahu declared during a cyber conference in Tel Aviv.

“We monitor these attacks, we see these attacks and we foil these attacks all the time.”

The Israeli Prime Minister added that today countries need to combine an effective cyber defence with a prolific and advanced cyber security industry.

“Any country can be attacked today with cyber-attacks and every country needs the combination of a national cyber defence effort and a robust cyber security industry,” Netanyahu said.

“I think Israel has that… in ways that are in many ways unmatched,” he said.

A few days ago, Israel launched a massive attack on Iranian targets in Syria, after Iranian fighters fired a surface-to-surface rocket at the northern Golan Heights. The Israeli air force hit an airport in Damascus and killed 12 pro-regime fighters.



In recent months, the operations of Iran-linked APT groups in the Middle East have increased as never before.

In early January, security experts at FireEye uncovered a DNS hijacking campaign targeting government agencies, ISPs and other telecommunications providers, Internet infrastructure entities, and sensitive commercial organizations in the Middle East, North Africa, North America and Europe. According to the experts, the campaign was carried out, with “moderate confidence,” by APT groups linked to the Iranian Government.

In 2018, multiple reports published by Palo Alto Networks described TTPs adopted by Iran-linked APT group OilRig (aka APT34) that targeted entities in the Middle East.

Pierluigi Paganini

(SecurityAffairs – Israel, Netanyahu)


The post Netanyahu accuses Iran of cyber attacks carried out daily appeared first on Security Affairs.

Upcoming Ukraine elections in the crosshairs of hackers

The Ukrainian authorities are observing a surge in alleged state-sponsored attacks aimed at disrupting the upcoming presidential election.

Ukraine reported a surge in cyber attacks aimed at disrupting the upcoming presidential election; the Government believes that Russian nation-state actors could be responsible for them.

The news was reported by Reuters: attackers intensified attacks against the Ukrainian government and political parties, according to the experts, with the clear intent of disrupting the presidential election scheduled for March.

Pro-Western President Petro Poroshenko, who is likely to stand in the election, declared that Russia will attempt to interfere in the election and has developed a powerful cyber arsenal to do it.

“This is not just our take. The Russian meddling to influence Ukraine’s elections is well under way,” Petro Poroshenko told foreign diplomats.

The President’s main opponent is the former prime minister Yulia Tymoshenko, who is also known to be pro-Western.

Threat actors are carrying out spear-phishing attacks against election officials, in some cases, they are using stolen credentials purchased on the dark web. Techniques used by attackers are similar to ongoing cyberattacks on Ukrainian energy, transport, and banking industries.

“Serhiy Demedyuk told Reuters the attackers were using virus-infected greeting cards, shopping invitations, offers for software updates and other malicious “phishing” material intended to steal passwords and personal information.” reported Reuters.

“Ten weeks before the elections, hackers were also buying personal details of election officials, Demedyuk said, paying in cryptocurrency on the dark web, part of the internet accessible only through certain software and typically used anonymously.”

Authorities confirmed that hackers did not penetrate the national election infrastructure.

Of course, Russia has denied any involvement in hacking campaigns aimed at Ukraine’s elections.

“Russian state structures have never interfered, and are not interfering, in the internal affairs of other countries.” said Kremlin spokesman Dmitry Peskov.

The cyber police and experts worry that state-sponsored hackers could hit critical infrastructure in energy and banking industries.

In 2017, the NotPetya attack hit thousands of computers in Ukraine before spreading worldwide; alleged Russia-linked hackers compromised the supply chain of the Ukrainian tax accounting software called MeDoc.

Pierluigi Paganini

(SecurityAffairs – Ukraine elections, Russia)

The post Upcoming Ukraine elections in the crosshairs of hackers appeared first on Security Affairs.

The Threat Intelligence Market Segment – A Complete Mockery and IP Theft Compromise – An Open Letter to the U.S Intelligence Community

I recently came across the most recently published DoD Cyberspace Strategy 2018, which greatly reminded me of a variety of resources that I recently took a look at in terms of catching up with some of the latest cyber warfare trends and scenarios. Do you want to be a cyber warrior? Do you want to "hunt down the bad guys"? Watch out - Uncle Sam is there to spank the very bottom of your digital

Security Affairs newsletter Round 197 – News of the week

A new round of the weekly SecurityAffairs newsletter arrived!

The best news of the week with Security Affairs.

Let me inform you that my new book, “Digging in the Deep Web”, is online with a special deal: 20% discount on both the Kindle Edition and the Paper Copy.

Once again thank you!

TA505 Group adds new ServHelper Backdoor and FlawedGrace RAT to its arsenal
Computers at the City Hall of Del Rio were infected by ransomware
German Watchdog will request Facebook changes
Unsecured MongoDB archive exposed 202 Million private resumes
Which is the link between Ryuk ransomware and TrickBot?
Zurich refuses to pay Mondelez for NotPetya damages because it’s ‘an act of war’
A flaw in vCard processing could allow hackers to compromise a Win PC
Cranes, drills and other industrial machines exposed to hack by RF protocols
Mozilla will disable Adobe Flash by default starting from Firefox 69
Too many issues in Pentagon networks expose it to cybersecurity risks
Critical bug in Amadeus flight booking system affects 141 airlines
Experts link attack on Chilean interbank network Redbanc to NK Lazarus APT
GreyEnergy: Welcome to 2019
I swiped right: viewing sensitive data cached in your Safari browser
Multiple Fortnite flaws allowed experts to take over players’ accounts
Collection #1 dump, 773 million emails, 21 million passwords
Drupal fixes 2 critical code execution flaws in Drupal 7, 8.5 and 8.6
South Korea: hackers compromised Defense Acquisition Program Administration PCs
Unprotected server of Oklahoma Department of Securities exposes millions of government files
Android apps use the motion sensor to evade detection and deliver Anubis malware
Attacks in the wild leverage flaw in ThinkPHP Framework
Fallout Exploit Kit now includes exploit for CVE-2018-15982 Flash zero-day
Oracle critical patch advisory addresses 284 flaws, 33 critical
Twitter fixed a bug in its Android App that exposed Protected Tweets
6 Reasons We Need to Boost Cybersecurity Focus in 2019
A bug in Microsoft partner portal ‘exposes’ support requests to all partners
ES File Explorer vulnerabilities potentially impact 100 Million Users

Pierluigi Paganini

(SecurityAffairs – Microsoft partner portal, data leak)

The post Security Affairs newsletter Round 197 – News of the week appeared first on Security Affairs.

South Korea: hackers compromised Defense Acquisition Program Administration PCs

South Korea – Alleged state-sponsored hackers compromised 10 PCs at the ministry’s Defense Acquisition Program Administration.

Unknown hackers compromised 10 PCs at the ministry’s Defense Acquisition Program Administration, the office that manages military procurement.

The news was confirmed by the South Korea Ministry of National Defense.

“It has been turned out that 30 computers installed on the internal system of the Defense Acquisition Program Administration, in charge of arms procurement such as next-generation fighter jets, have come under simultaneous virtual attacks and 10 out of them saw internal data leaked.” reports Korea’s Dong-A Ilbo.

“As cyberattacks have continued on major Korean foreign affairs facilities including the Korean presidential office Cheong Wa Dae, the National Assembly and the Defense Acquisition Program Administration, concerns are ever increasing regarding the government’s cyber security capabilities.”

The systems targeted by the hackers contain sensitive data on purchases of military equipment and weapons, including “next-generation fighter jets.”

The security breach was disclosed this week in a report from a South Korean politician.

The National Assembly and the Defense Acquisition Program Administration confirmed that no confidential information was accessed or exfiltrated by hackers.

The security breach occurred on October 4, 2018; the attack targeted 30 computers, but only 10 of them were compromised. The intrusion was spotted on October 26, when the National Intelligence Service noticed suspicious traffic on an IP address associated with the agency.

The intrusion coincides with another attack on Liberty Korea Party Rep. Baek Seung-joo’s email account. Experts believe that a politically motivated threat actor targeted the systems of Korea’s major organizations simultaneously.

“It is dubious whether the agency issued a conclusion to conceal damage and minimize the scope of penetration,” Rep. Lee pointed out. “Further investigation to find out if the source of attacks is North Korea or any other party.”

The Dong-A Ilbo added that an intelligence agent said a further review will be conducted of the defense measures implemented to protect the Defense Acquisition Program Administration’s systems.

Pierluigi Paganini

(SecurityAffairs – South Korea, Defense Acquisition Program Administration)

The post South Korea: hackers compromised Defense Acquisition Program Administration PCs appeared first on Security Affairs.

Exposing Iran’s Most Wanted Cybercriminals – FBI Most Wanted Checklist – OSINT Analysis

Remember my most recently published "Assessing The Computer Network Operation (CNO) Capabilities of the Islamic Republic of Iran - Report"? The report details and discusses in-depth the most prolific Iran-based government-sponsored and tolerated hacking groups including the following groups: - Ashiyane Digital Security Team - Iranhack Security Team - Iranian Datacoders Security Team - Iran

Dancho Danchev’s Threat Data – How to Request Free Access Including a Christmas Discount

Dear blog readers, I wanted to let everyone know that I'm currently offering unlimited and exclusive access to Threat Data - The World's Most Comprehensive Threats Database in the true spirit of the Christmas season to a selected set of individuals and organizations that approach me at dancho.danchev@hush.com Key Summary Points: - the platform basically represents the majority of proprietary

Dancho Danchev – Cyber Threat Analyst – Join Me on Patreon Community!

Dear blog readers, In the true spirit of the Christmas season I decided to let everyone know that I've recently launched my own Patreon Community Page with the idea to let everyone know that I'm currently busy crowd-funding a high-profile upcoming Cyber Security Investment Project - and I would love to hear from you more details about your thoughts regarding new Tier Features and whether or

Joining Team Astalavista – Stay Tuned!

Dear blog readers, I wanted to let everyone know that I will be shortly joining Team Astalavista - The World's Most Popular Information Security Portal acting as Managing Director following a successful career as Managing Director through 2003-2006 where I used to maintain a highly informative and educational Security Newsletter featuring exclusive content and security interviews (Security

Cyber Security Project Investment Proposal – DIA Needipedia – Fight Cybercrime and Cyber Jihad With Sensors – Grab Your Copy Today!

Dear blog readers, I decided to share with everyone a currently pending project investment proposal regarding the upcoming launch of a proprietary Technical Collection analysis platform with the project proposal draft available on request part of DIA's Needipedia Project Proposal Investment draft or eventually through the Smith Richardson Foundation. In case you're interested in working with me