IT Security News

IT Security News

1 2 3 6

Security researchers have discovered a new variant of Dridex – one of the most nefarious banking Trojans actively targeting financial sector – with a new, sophisticated code injection technique and evasive capabilities called “AtomBombing.”
On Tuesday, Magal Baz, security researcher at Trusteer IBM disclosed new research, exposing the new Dridex version 4, which is the latest version of the infamous financial Trojan and its new capabilities.
Dridex is one of the most well-known Trojans that exhibits the typical behavior of monitoring a victim’s traffic to bank sites by infiltrating victim PCs using macros embedded in Microsoft documents or via web injection attacks and then stealing online banking credentials and financial data.

 

Read More:

Yahoo has just revealed that about 32 million user accounts were accessed by hackers in the last two years using a sophisticated cookie forging attack without any password.
These compromised accounts are in addition to the Yahoo accounts affected by the two massive data breaches that the company disclosed in last few months.
The former tech giant said that in a regulatory filing Wednesday that the cookie caper is likely linked to the “same state-sponsored actor” thought to be behind a separate, 2014 data breach that resulted in the theft of 500 Million user accounts.

 

Read More:

Late last week the FBI was forced to make yet another public service announcement on the growing ransomware epidemic. In it, the Bureau pleaded with businesses to report infections, so that the authorities can get a better idea of the scale of the problem they’re facing. It also warned that cybercriminals are increasingly targeting business servers in the hope of infecting more machines and extracting a greater ransom from their victims.

This tells us two things: that the authorities still haven’t got a handle on the problem facing citizens and businesses, and that organisations are failing to put in place layered security to lock down risk across multiple threat vectors. We address both in a new report out this week.

Read More

Scotland Yard involved in European raids and arrest of key member of DDoS extortionist gang DD4BC. Police have arrested at least one member of the notorious hacker gang DD4BC, which has been waging a two year extortion campaign against banks and businesses. The suspected member of the group was arrested after a global police operation tracked down the gang to Bosnia-Herzegovina.
Read more

Older versions of Internet Explorer and Windows 8 OS receive their last patch update. Microsoft has delivered its last Patch Tuesday for users of the Windows 8 operating system, and older versions of Internet Explorer (8, 9 and 10), issuing nine bulletins – six of which are rated as critical. “The first Patch Tuesday of 2016 turns out to be low in numbers, but broad and packing quite a punch: six of the nine bulletins are rated critical, including the Windows Kernel and Office bulletins,” blogged Qualys CTO Wolfgang Kandek.

Read more

Workers may need to take extra care about who they are speaking to after a top European court ruled that companies are within their rights to monitor and read private messages sent by their employees during work hours.

The European Court of Human Rights (ECHR) said a firm that read one employee’s private chats sent while he was on the clock was within its rights to sack him for not completing his professional duties within his contracted hours.

However, it warned that such policies must also protect workers against widespread snooping, and recommended that companies draw up policies to define exactly what information they are allowed to monitor and collect

 

Read more

World’s most complex cash register malware plunders millions in US • The Register 

The world’s most complex sales till malware has been discovered … after it ripped millions of bank cards from US retailers on the eve of post-Thanksgiving shopping frenzies.

The ModPOS malware has pilfered “multiple millions” of debit and credit cards from the unnamed but large retail companies incurring millions of dollars in damages.

The attackers have operated in a low-key, ultra professional manner since late 2013 and has only come to light after weeks of painstaking reverse-engineering efforts by malware experts.

They have kept mum, too. Cybercrime forums are entirely devoid of references to the malware.

“This is POS [point-of-sale] malware on steroids,” iSight Partners senior director Steve Ward says. “We have been examining POS malware forever, for at least the last eight years and we have never seen the level of sophistication in terms of development …[engineers say] it is the most sophisticated framework they have ever put their hands on.”

Ward says his team took three weeks to debride one of ModPOS’ three kernel modules. By contrast it took the same experts 30 minutes to reverse engineer the Cherry Picker POS malware revealed last week.

The “incredibly talented” authors have done an “amazing job” and have such an understanding of security that the work has impressed the white hat engineers.

“It is hard not to be impressed,” Ward says.

He says the criminals have spent a “tonne” of time and money on each packed kernel-driver module which behaving like a rootkit is as difficult to detect as it is to reverse.

That approach to the 0module build is novel.

The anti-forensics componentry is highly-sophisticated, meaning most businesses that the advanced Eastern European attackers have popped will not know the cause of the attack.

It is clearly a tool targeted designed for large-scale revenue generation and return on investment.

Ward and his colleagues have briefed more than 80 major retailers across the US, all of which are on high alert for infection.

He says the attack group will need to change parts of its codebase to re-gain some of its now lost obfuscation, but adds that some changes will be much harder to implement than others.

The encryption used for network and command and control data exfiltration and communication is protected with 128 bit and 256 bit encryption, with the latter requiring a new private key for each customer.

This makes it much more difficult to know what data is being stolen, unlike other sales register malware that slurp details in cleartext.

For this full news report go to theregister.co.uk

The European Court of Justice has ruled that the EU Safe Harbour agreement allowed American tech companies such as Facebook to transfer users’ data from the EU to the US is now invalid, .

The court said the transfer of data could be suspended because the US “… does not afford an adequate level of protection”.

EU data protection laws are among the toughest in the world and forbid the data of EU citizens to be exported to countries outside the EU without adequate levels of protection.

 

The European Court of Justice has ruled that the EU Safe Harbour agreement allowed American tech companies such as Facebook to transfer users’ data from the EU to the US is now invalid, .

The court said the transfer of data could be suspended because the US “… does not afford an adequate level of protection”.

EU data protection laws are among the toughest in the world and forbid the data of EU citizens to be exported to countries outside the EU without adequate levels of protection.

 

Why does Safe Harbour ruling threaten Facebook data transfers? BBC News

Published on Oct 6, 2015 “BBC News”
The EU’s top court rules that a data transfer pact with the US did not do enough to protect people’s privacy, causing problems for Facebook. Rory Cellan-Jones explains why.

 

EU Strikes Blow Against Facebook, Data Transfers

Published on Oct 6, 2015 “RT America”
The European Court of Justice ? the EU’s highest ? ruled a 15-year-old agreement between American technology companies handling European data to be invalid, which might be a major blow to companies from ranging from Amazon to Facebook. “Boom Bust” correspondent Bianca Facchinei has more details on the decision.

 

Safe Harbor has been ruled INVALID!

Published on Oct 6, 2015 “Zettabox”
The European Court of Justice has ruled Safe Harbor as INVALID. What should your company do now with its data?

 

Published on Oct 6, 2015 “Associated Press”
The European Union’s highest court struck a blow against Facebook and other web companies by ruling that a long-running pact allowing the free transfer of data to the US was invalid as it does not adequately protect consumers. (Oct. 6)

A critical vulnerability has been identified in the Linux GNU C Library (glibc), which is a commonly used component of most Linux distributions. This security vulnerability GHOST (CVE-2015-0235) was discovered by the Qualys. The flaw in Glibc exposes a buffer overflow that can be triggered locally and remotely in the “gethostbyname” functions.
It’s unclear whether attackers have been aware or exploiting this vulnerability before it was found but as its now become common knowledge we can expect that a lot of cyber attacker will attempt to use this vulnerability to exploit system.

Video Provided by Qualys on this security vulnerability.

 

CVE:
CVE-2015-0235

RISK:
This vulnerability this security hole could allow attackers to execute malicious code on servers and remotely gain control of Linux system.
A flaw in a commonly used component in most Linux distributions could allow an attacker to take remote control of a system after merely sending a malicious email.

Impact:
GHOST is considered to be critical because hackers could exploit it to silently gain complete control of a targeted Linux system without having any prior knowledge of system credentials (i.e. administrative passwords).

To execute the exploit code a hackers first need to gain access to a venerable system. So if you Linux server is secure with no existing vulnerabilities and you do not allow unauthorised file to be opened or executed on the system then the risk of impact is low

Some of the Affected Linus Distributions:

  • Debian 7 (wheezy),
  • Red Hat Enterprise Linux 6 & 7,
  • CentOS 6 & 7
  • Ubuntu 12.04

 

Best Course Of Action:
Mitigate the risk is to apply a patch from your Linux vendor

 

Detection:

To identify the version of glibc on your Linux system, run this command:
#ldd –version

To identify what file on your system are using glibc, run the  following command :
# lsof | grep libc | awk ‘{print $1}’ | sort | uniq

 

 

More Info can be found on the Qualys  Blog

A zero-day vulnerability affecting all Microsoft supported versions of Windows Operating system, including Windows Server has been identified. Also we are seen reports from iSight identifying a cyber espionage campaign already in progress to compromise exposed system

The vulnerability Exploitation is identified by CVE-2014-4114, and also known as Sandworm. It was been reportedly discovered in the wild in connection with a cyber espionage campaign that iSIGHT Partners has attributed to Russia. The zero-day vulnerability is reported as been used in early September  to infect victims with malicious attachments, primarily PowerPoint files. Although the attackers used PowerPoint as its attack vector.

 

The vulnerability exists in the OLE package manager in Microsoft Windows and Server. The OLE packager (packager .dll) is able to download and execute external files like INF, allowing the attacker to execute commands.

 

Risk Level

The Risk level appears high, because if one group could design a worm to exploit the hole, then someone will try to recode the worm and make it wide spread.

Impact – we are only at the early stage of trying to understand what we are looking at. But the if the vulnerability allows the possibility to download and execute a file that the potential impact is extremely High

 

http://www.tripwire.com/state-of-security/incident-detection/microsoft-windows-zero-day-exploit-sandworm-used-in-cyber-espionage-cve-2014-4114/

 

iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign – See more at: http://www.isightpartners.com/2014/10/cve-2014-4114/#sthash.mDSsxZ8j.dpuf

http://www.isightpartners.com/2014/10/cve-2014-4114/

.

 

http://www.theregister.co.uk/2014/10/14/isight_microsoft_announce_windows_and_windows_server_0day/


.

.
Russian Hackers Target EU, NATO

1 2 3 6