Mac Malware Implies HackingTeam Has Returned

HackingTeam has been quiet recently, following the hack against them last July that revealed embarrassing amounts of their private data, emails, and code. Now researchers have discovered a piece of newly developed malware affecting the Mac OSX operating system that has led to a belief that the group has returned.

A sample of the malware was uploaded to Google’s VirusTotal scanning service on the 4th of February; at the time it wasn’t detected by any major anti-virus product (according to Ars Technica, it is now detected by 10 out of 56 AV engines). SentinelOne researcher Pedro Vilaça demonstrated on Monday some functions of the malware, which was shown to have last been updated around October or November, with an embedded encryption key dated October 16th. The malware works by installing a copy of HackingTeam’s Remote Code Systems compromise platform; these two pieces of evidence imply that the malware is built upon old and unexceptional code from the team, rather than the entirely new code the group promised it would return with following its compromise.

“HackingTeam is still alive and kicking but they are still the same crap morons as the e-mail leaks have shown us,” Vilaça wrote. “If you are new to OS X malware reverse engineering, it’s a nice sample to practice with. I got my main questions answered so for me there’s nothing else interesting about this. After the leak I totally forgot about these guys :-).”

Another examination of the sample by Patrick Wardle, a Mac security expert at Synack, found that while the malware appears to be built upon the old HackingTeam code it has several tricks up its sleeve for evading detection. This includes using Apple’s native encryption scheme to protect its binary file, which is the first of its kind seen by Wardle.

Exactly how the malware gets installed is yet to be discovered; the most likely possibilities are that users are deceived into installing it, thinking it is benign software, or that it is bundled with another piece of malware that executes its installer. While this malware alone isn’t enough proof that HackingTeam is active again, Vilaça found through the Shodan search engine, and a scan of the IP address in VirusTotal’s sample, that the control server has been active as recently as January, which means this malware, regardless of its origin, should be treated as more than a hoax.

Microsoft Improves Cyberattack Security Measures

In the modern interconnected world, we rely on technology to complete work and enjoy various forms of entertainment. Unfortunately, this means there are unscrupulous individuals who try to exploit any loopholes and attack networks. Perhaps they feel this is a way of exposing a company’s poor security, or an attempt to ruin people’s free time in a bitter manner. Whatever the case, there are numerous examples of networks being breached, including PlayStation Network. Recently, Xbox Live has suffered some downtime due to cyberattacks. This isn’t acceptable for either Sony or Microsoft, because they charge a fee to access their services.

On another note, Steam encountered problems due to a caching error that allowed access to other people’s accounts. This emphasizes the need for extremely secure networks, which involves a great deal of investment. Back in November, Microsoft opened a new facility which brings together around 50 security experts from various divisions, including the Office, Windows, Azure, Xbox and other groups. This means they can unify different teams with the roughly 3,500 other security employees throughout various offices. Hopefully, this should improve security measures and help prevent cyberattacks from occurring. While the new facility’s cost is unknown, reports suggest the company spent $1 billion on security last year. Duncan Brown, research director at IDC Research Inc, said:

“Microsoft has been on the fringe of security for some time,”

“Now, they are putting it at the center of operations.”

According to Microsoft, every second matters when dealing with cyberattacks, and it’s essential to have a rapid response. The best form of this is via “machine learning”. So how does this work? Microsoft hired a group of white-hat hackers, known as the Red Team, to attack its networks. The information gathered during these breaches is monitored by programs alongside real attacks to form a database, which should help with future cyberattacks. It’s always a difficult task to deal with complicated attacks from criminals, but it’s clear that Microsoft is investing in security infrastructure.

Nissan’s Main Websites Knocked Offline by Anonymous

Anonymous have struck once again, and the target this time is car manufacturer Nissan. Two of Nissan’s main websites were affected by the attack, with the global and Japanese sites being suspended after a barrage of traffic hit both. While those two sites remain offline, the US and European sites remain online.

The attack is part of another of Anonymous’ operations, OpKillingBay, which addresses Japan’s advocacy of whaling and the country’s killing of hundreds of whales every year. This operation has been indiscriminate in its attacks on Japanese corporations on Twitter, with the #OpKillingBay hashtag full of tweets telling people not to buy Japanese products such as cars and citing the attacks as punishment for their crimes. Nissan has stated that it has no view on Japanese whaling activities.

The attack on Nissan’s sites is not the first cyberattack made to protest whaling. Japanese Prime Minister Shinzo Abe’s website was taken down last month, with an Anonymous-affiliated hacktivist claiming responsibility for the attack. The targets are not limited to Japan either: in November a number of government websites in Iceland, including the prime minister’s and those of a number of ministries, were hit.

A member of Anonymous claiming responsibility for the attack on Nissan stated that they were attacking large corporations in Japan because it is the best way to raise awareness of the issue, given the widespread censorship of it among Japanese domestic news outlets. They did mention that they wished no harm to Nissan’s customer or system data.

Whaling may be a major issue, given the harm it does to the environment and the fact that Japan’s persistence on the matter is in contradiction with international law, but whether cyberattacks are the correct way to protest it is another matter. Anonymous is hardly a group to do things by half-measures, though, so we could expect to see attacks on other Japanese departments or corporations in the near future until Japan addresses the issue.

TalkTalk Allegedly Knew About Hack a Week Ago and Tried to Cover It Up

While TalkTalk publicly admitted on Thursday night (22nd October) to its servers being hacked – “a significant and sustained cyberattack,” in its own words – the UK internet service provider is accused of knowing about the hack for up to a week before revealing it, and of trying to cover it up.

According to reports in The Telegraph, TalkTalk customers experienced attacks on their home computers and phone calls from scammers who knew their names and account details in the week before the company made an official statement regarding the hack.

“Someone rang up on Monday claiming to be from TalkTalk and they had all my account details,” Mr Walter, a Senior Analytics Director for Moodys and TalkTalk customer, told The Telegraph. “My partner gave them remote access to our laptop before realising it was a scam, and pulling the plug. But a virus had already been put on the computer and it’s going to cost time and money to sort out. I think TalkTalk’s actions have shown extremely poor regard for their customers, and a failure to encrypt the data was sloppy in the extreme.”

“I have received two phone calls – one last Friday, the 16th, and then again this Tuesday,” another customer, Jeremy Cotgrove, revealed. “Both sounded dodgy, a delay on the line and someone speaking very poor English. I just put the phone down as it did not sound kosher.”

Keith Vaz, the Labour Member of Parliament for Leicester East and Chairman of the Home Affairs Select Committee, said that there was emerging evidence to support the assertion that TalkTalk had tried to hide the scale of the crime. “Suggestions that TalkTalk has covered up both the scale and duration of this attack are alarming and unacceptable and must be thoroughly investigated,” Vaz added.

The attackers, who used a simple SQL injection to access the servers – described as the equivalent of TalkTalk “leaving the backdoor open” – have purportedly sent a ransom e-mail to CEO Baroness Harding of Winscombe, the Conservative peer professionally known as Dido Harding, who also admitted that some sensitive user data had not been encrypted.

Image courtesy of The Drum.

Sony Reportedly ‘Spooked’ It Could Be Victimized by Cyberattack Again

Sony Pictures Entertainment is still trying to recover from a major data breach that saw several movies leaked online, personal employee data stolen, and confidential emails published for the world to see.

It looks like the company is worried it could be victimized again after the scheduled Christmas release of “The Interview,” which features Seth Rogen and James Franco. Considering the FBI noted that 90 percent of companies would likely fall victim to the same type of attack, it will be interesting to see if Sony is able to quickly improve its defenses.

“They are spooked,” according to an anonymous government source, when speaking of Sony’s recent experiences following the data breach. The Department of Justice’s National Security Division is investigating the breach, indicating the federal government wants to verify if a foreign state government could be involved.

The FBI hasn’t been able to determine which hacker group is behind the breach, although a group called the “Guardians of Peace” has claimed credit. Alleged ties to North Korea, which haven’t been verified, continue to make it a possible party involved in the attack.

(Image courtesy of The Huffington Post)

Canada Blames Chinese Army Unit for Cyberattack

Canada announced on Tuesday that a highly sophisticated Chinese state-sponsored actor had hacked into the National Research Council, a leading body that works closely with major companies such as aircraft and train maker Bombardier Inc. The Chinese government denies all claims and accuses Canada of making irresponsible accusations without credible evidence.

While Canada didn’t provide any details of the attack, CrowdStrike Chief Technology Officer Dmitri Alperovitch said “it was similar to other hacking campaigns launched by a Unit 61486 of the People’s Liberation Army, nicknamed Putter Panda”. The group has thousands of people and conducts intelligence on the satellite and aerospace industries. “It certainly looks like one of the actors we track out of China that we’ve seen going after aircraft manufacturers in the past,” Alperovitch said to Reuters.

This is the first time Canada has managed to identify a suspect in a long string of attacks on government and commercial computers. Former Canadian cabinet minister Stockwell Day separately confirmed that Chinese operators were suspected of hacking the Finance Department and the Treasury Board in 2011. The Canadian government has never publicly said who it thought was behind the 2011 attacks.

China’s Foreign Ministry demanded that Canada “cease making groundless accusations against China”.

“Canada, lacking reliable evidence, has wrongly censured China without any provocation, and this is an irresponsible action,” said ministry spokesman Qin Gang. “China resolutely opposes this.”

With China being Canada’s second largest import-trading partner, the two generally enjoy a good relationship. The latest attack on the National Research Council must, however, have made it impossible for Canada to keep quiet. Making it public could also be considered a warning shot across the bow, saying ‘We treat this stuff very seriously’.

Thank you Reuters for providing us with this information

More Than One Thousand Power Plants Found Compromised by Unknown Cyberattack

Since the major topics nowadays are secret-service cyber conspiracies and cyberattacks, the latest news points to another cyberattack, this one aimed at more than one thousand power plants worldwide.

Symantec, a company specialising in security software, has apparently uncovered a malware campaign started by a group called Dragonfly, allowing remote access to computer systems at various power plants. Symantec stated that the group has so far used the malware only to spy on its victims, though serious damage could have been done as well.

Some 1,018 organisations across 84 countries are stated to have been infected, spanning from grid operators to gas pipelines. It has since been discovered that Dragonfly’s base servers were located in Eastern Europe, leading to the conclusion that the group is of Russian origin. They reportedly used techniques ranging from garden pushing attacks to campaigns targeting component manufacturers, allowing infections to take hold in any downstream system.

A comparison against the infected systems led to the conclusion that the sophisticated Stuxnet virus had been used, a tool which the US previously used to damage nuclear power plants in Iran back in 2010. Up to this point, the real purpose of this major cyberattack is unclear.

Thank you The Verge for providing us with this information
Image courtesy of Picture-Newsletter