The operation, a collaborative effort by Europol, the FBI, German police, and security groups, resulted in five arrests and the seizure of 39 servers in various countries. Officials say the Avalanche crew and its infrastructure were distributed around the world, and estimated that damages from the group’s activities were in the hundreds of millions of euros. The group conducted spam, phishing, and malware attacks using a wide variety of malware strains and tactics.
Investigators began looking at the Avalanche infrastructure in 2012 after a widespread ransomware attack that was attributed to the group. Many victims also were infected with banker malware that stole banking credentials and other private data. Like many cybercrime crews, Avalanche used money mules to cash out their profits and layers of personnel to handle specific tasks in an effort to avoid detection. The group also employed technical methods in an attempt to confuse law enforcement and security researchers.
The malware campaign is known as Gooligan, and it’s a variant of older malware called Ghost Push that has been found in many malicious apps. Researchers at Check Point recently discovered several dozen apps, mainly in third-party app stores, that contain the malware, which is designed to download and install other apps and generate income for the attackers through click fraud. The malware uses phantom clicks on ads to generate revenue for the attackers through pay-per-install schemes, but that’s not the main concern for victims.
The Gooligan malware also employs exploits for several known vulnerabilities in older versions of Android, including KitKat and Lollipop, to install a rootkit that is capable of stealing users’ Google credentials. Although the malware has full remote access to infected devices, it doesn’t appear to be stealing user data, and instead is content to go the click-fraud route. Most users are being infected by installing apps that appear to be legitimate but contain the Gooligan code, a familiar infection routine for mobile devices.
Researchers from Cisco’s Talos group have come across a new version of the Cerber ransomware that uses these techniques, combined with pretty rudimentary email messages to trick victims into clicking on links that lead to the malicious files. Typically, sophisticated ransomware crews will use well-crafted emails with malicious attachments that contain the ransomware. But this Cerber campaign isn’t using any attachments in its spam emails and instead is relying on trickery to entice users into following the links, which are obfuscated and lead to sites on the Tor anonymity network.
The attack relies on a technique called jack retasking, in which the researchers changed the function of the audio jacks on a target computer. Whereas an input jack would normally be used by a microphone and the output jack by the speakers, the researchers remapped the jacks so that speakers plugged into an output jack can record sound. The technique, developed by a team at Ben Gurion University of the Negev in Israel, requires custom malware on the machine, but the researchers showed in their work that the attack can record audio from across a room.
The attack that the researchers developed allows them to record audio surreptitiously and then transmit it to another machine several meters away. The technique can be used without the user’s interaction.
“It’s pretty difficult to defend against such an attack, but it’s possible that anti-virus will detect such a microphone retasking and will block it. Chip manufacturers can redesign the internal commands that can be sent to the controller and regulate it in a better way,” Mordechai Guri, one of the paper's authors, said.
Trailrunner7 writes: As voice has continued to emerge as one of the key interfaces for new devices and apps, including vehicles, bank accounts, and home automation systems, concerns about the security of these systems have evolved as well. Now, as both Google and Adobe have demonstrated systems that can insert and replace words in recorded speech or mimic human speech, those concerns are becoming more concrete.
Adobe has revealed a project known as VoCo that it has compared to a Photoshop for voice recordings. The app can take a small piece of a person’s recorded voice and give the user the ability to rearrange or insert words or short phrases into the recording. The user types whatever text he wants into the app, and the software can then add the words to the recording wherever the user specifies.
Google also has been working on a synthetic speech system, known as WaveNet, which models raw audio waveforms to produce speech that sounds more human. Many existing text-to-speech systems rely on a database of recorded words to produce sentences. Google’s model doesn’t have that limitation.
The proposed change to Rule 41 of the Federal Rules of Criminal Procedure would allow law enforcement officials to obtain a single warrant, from a judge in essentially any district where activity related to a given crime has occurred, to remotely search computers that might be involved in the crime. The modification also would allow officers to remotely search the computers of victims of computer crimes.
Privacy advocates and some legislators say that the change would constitute a huge expansion of government hacking powers, while Department of Justice officials and supporters of the change say it’s simply a procedural change. The United States Supreme Court approved the change in April and it is scheduled to go into effect on Dec. 1. Congress has the ability to enact legislation to prevent the change, but so far has not.
On Thursday, a group of five senators introduced a bill that would keep Rule 41 as-is for now and delay the change until July 1, 2017. The idea is to give Congress time to consider the consequences of the proposed change. Sen. Ron Wyden (D-Ore.), one of the sponsors of the new bill, has expressed concern about the change to the rule for months.
The technique is a simple one but has proven to be quite effective. Rather than spamming out huge volumes of email with rigged attachments, the attackers are calling selected hotels and telling the customer service reps that they’re having trouble using the online reservation system. They then ask if they can email over a document with their travel details. The attacker will stay on the phone with the victim until he opens the attachment, which is a Word document loaded with a malicious VBS script, according to researchers at Trustwave, who have investigated several incidents involving this technique recently.
This attack represents an interesting mixture of social engineering tactics and traditional spear phishing methods. Even highly targeted phishing campaigns typically involve several different waves of emails. But this technique allows the attacker to choose his target individually and receive immediate confirmation that the attack succeeded. The malware that’s involved in the attack is powerful and has a long list of capabilities. Once installed, it connects to a remote server and downloads a second stage tool that’s disguised as an Adobe file. It installs a persistence mechanism and might download even more tools.
Trailrunner7 writes: The recent DDoS attacks by the Mirai botnet against various targets, including DNS provider Dyn, have drawn the attention of congressional leaders, who say there may be a need for regulation of IoT device security in order to address the problem of vulnerable embedded devices.
In a joint hearing on Wednesday, the House Subcommittee on Communications and Technology and the Subcommittee on Commerce, Manufacturing, and Trade delved into the issue of IoT security, and several lawmakers said that they were reluctant to get the government involved in regulating this problem, but that it may be inevitable. The problem, of course, is that many of the embedded devices that make up the IoT aren’t manufactured in the United States, so regulation in the United States alone would do little to improve their security.
Another piece of the puzzle is the fact that there’s no one federal agency or independent organization that oversees security standards for IoT devices. There are embedded computers in cars, appliances, medical devices, and hundreds of other kinds of devices. That cuts across many different industries and regulatory fields, a problem that the federal government is not set up to handle.
“I actually think we need a new agency. We can’t have different rules if a computer makes calls, or a computer has wheels, or is in your body,” said cryptographer Bruce Schneier, another witness during the hearing. “The government is getting involved here regardless, because the stakes are too high. The choice isn’t between government involvement and no government involvement. It’s between good government involvement and stupid government involvement. I’m not a regulatory fan but this is a world of dangerous things.”
Trailrunner7 writes: A renowned hardware hacker has released a cheap USB device that, when plugged into any computer–even password-protected or locked ones–can hijack all of the Internet traffic from the PC, steal web cookies, and install a persistent backdoor that survives after the device is removed.
Known as PoisonTap, the device is the work of Samy Kamkar, a security researcher and hardware hacker who built the tool on a cheap Raspberry Pi Zero board. He’s released the code for PoisonTap, which could be a key tool in the arsenal of any security researcher or hacker. The device sounds simple, but there’s a whole lot going on in the background.
The device tells the infected machine that the PoisonTap local network contains all of the IPv4 space, so all Internet requests go through the device. The device performs a similar trick in order to siphon off web cookies from HTTP requests. When a browser running on the infected machine makes an HTTP request, the device performs DNS spoofing so that the request goes to the PoisonTap web server rather than the intended one. The device can grab cookies for any of the Alexa top one million sites, Kamkar said; only cookies that lack the Secure flag are exposed this way, since those are the ones a browser will send over plain HTTP.
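The routing trick described above works because hosts pick routes by longest prefix match, not by which interface is "trusted". As an added example (not Kamkar's code and not part of the original article), the Python below encodes a DHCP classless static route option (RFC 3442, option 121) whose two /1 routes together cover all of IPv4, then simulates how a host chooses between those routes and the existing default route. The router address 172.16.0.1 and the interface names are constructed for the example; whether PoisonTap expresses its route set through option 121 or another DHCP field is not stated on the page, so treat the encoding as one illustration of the technique.

```python
import ipaddress

DHCP_OPT_CLASSLESS_ROUTE = 121  # RFC 3442


def encode_classless_routes(routes):
    """Encode (destination, router) pairs as a DHCP option 121 value.
    Each route is: prefix length, the significant octets of the destination
    (ceil(prefixlen / 8) of them), then the 4-octet router address."""
    body = bytearray()
    for dest, router in routes:
        net = ipaddress.IPv4Network(dest)
        significant = (net.prefixlen + 7) // 8
        body.append(net.prefixlen)
        body += net.network_address.packed[:significant]
        body += ipaddress.IPv4Address(router).packed
    return bytes([DHCP_OPT_CLASSLESS_ROUTE, len(body)]) + bytes(body)


def decode_classless_routes(option):
    """Inverse of encode_classless_routes; returns (IPv4Network, IPv4Address) pairs."""
    code, length = option[0], option[1]
    if code != DHCP_OPT_CLASSLESS_ROUTE or length != len(option) - 2:
        raise ValueError("not a well-formed option 121")
    routes, i = [], 2
    while i < len(option):
        prefixlen = option[i]
        significant = (prefixlen + 7) // 8
        dest = option[i + 1:i + 1 + significant].ljust(4, b"\x00")
        router = option[i + 1 + significant:i + 5 + significant]
        i += 5 + significant
        routes.append((ipaddress.IPv4Network((int.from_bytes(dest, "big"), prefixlen)),
                       ipaddress.IPv4Address(router)))
    return routes


def pick_interface(routing_table, destination):
    """Longest-prefix match, as Windows, macOS and Linux all do it: the most
    specific matching prefix wins; interface metric only breaks ties between
    prefixes of equal length.  routing_table is a list of (IPv4Network, iface)."""
    dst = ipaddress.IPv4Address(destination)
    best = None
    for net, iface in routing_table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


# Constructed scenario: the trusted Wi-Fi link owns the default route, while the
# rogue USB "network adapter" advertises two /1 routes that together cover every
# IPv4 address.  172.16.0.1 and the interface names are made up for the example.
ROGUE_ROUTER = "172.16.0.1"
ROGUE_ROUTES = [("0.0.0.0/1", ROGUE_ROUTER), ("128.0.0.0/1", ROGUE_ROUTER)]


def build_table():
    """Default route via Wi-Fi plus whatever the rogue DHCP server pushed."""
    table = [(ipaddress.IPv4Network("0.0.0.0/0"), "wlan0")]
    for net, _router in decode_classless_routes(encode_classless_routes(ROGUE_ROUTES)):
        table.append((net, "usb0"))
    return table


if __name__ == "__main__":
    table = build_table()
    for host in ("8.8.8.8", "172.217.14.206", "203.0.113.7"):
        print(host, "->", pick_interface(table, host))  # every one goes to usb0
```

The point the simulation makes is that no interface ordering or metric on the trusted link helps: a /1 is always more specific than the /0 default, so the two rogue routes win for every destination. A defence has to operate at a different layer, for example by not accepting new network adapters or DHCP leases while the screen is locked.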
Trailrunner7 writes: A major privacy group has filed a lawsuit against the FBI to force the bureau to release all relevant documents about its plan to share a huge amount of biometric information with the Department of Defense.
The lawsuit filed by EPIC (Electronic Privacy Information Center) concerns the FBI’s Next Generation Identification system, which comprises fingerprint, iris scan, and facial recognition data, and the bureau has been using it for several years.
EPIC’s lawsuit asks that the FBI be forced to release records about the plan to share NGI data with the Department of Defense under the Freedom of Information Act. EPIC filed a FOIA request about the plan last year and though the FBI said it has located 35 pages of records that are responsive to the request, it hasn’t released any of those records.
Trailrunner7 writes: The news has been full of headlines for weeks about election fraud, voting machine hacking, and all kinds of other scary-sounding stuff. Much of the coverage has been hyperbolic to say the least, so we decided to get some clear-headed, rational thoughts on the topic from Avi Rubin. Avi is a professor at Johns Hopkins University and did some of the pioneering work on voting machine security in the early 2000s. We talked with Avi about the problems with electronic voting machines, the potential for tampering with them, whether the machines can be attacked remotely, and what other avenues attackers might have to disrupt the election.
Google has been among the louder advocates for the increased use of encryption across the web in the last few years. The company has made significant changes to its own infrastructure, encrypting the links between its data centers, and also has made HTTPS the default connection option on many of its main services, including Gmail and search. And Google also has been encouraging owners of sites of all shapes and sizes to move to secure connections to protect their users from eavesdropping and data theft.
That effort has begun to bear fruit in a big way. New data released by Google shows that at the end of October, 68 percent of pages loaded by the Chrome browser on Chrome OS machines were over HTTPS. That’s a significant increase in just the last 10 months. At the end of 2015, just 50 percent of pages loaded by Chrome on Chrome OS were HTTPS. The numbers for the other desktop operating systems are on the rise as well, with macOS at 60 percent, Linux at 54 percent, and Windows at 53 percent.
The facts of the current case are fairly straightforward, and there’s really only one bit that’s in dispute: whether a large swath of the Windows user base was at risk of attack. Last month, researchers from Google’s Threat Analysis Group discovered new flaws in Windows and Adobe Flash. The team found that both bugs were being used in targeted attacks–spear-phishing attempts via email with rigged attachments–and informed both vendors about the vulnerabilities. The Flash bug is the more serious of the two, as it is remotely exploitable, while the Windows flaw is a local privilege-escalation weakness.
Adobe patched the Flash bug quickly and warned customers that it was being used in attacks already. Meanwhile, Microsoft decided not to rush out an emergency patch for the Windows vulnerability, probably because it isn’t dangerous enough to warrant the commitment of time and resources that requires. Google’s team waited 10 days after informing Microsoft and then disclosed some details of the flaw, saying that it was doing so because of the existence of active attacks.
There are some valid reasons to disclose unpatched vulnerabilities, but doing so to protect a tiny percentage of users against a phishing attack while potentially putting a much larger number at higher risk shouldn’t be one of them.
The IoTSeeker tool from Rapid7 is designed to comb through users’ networks and identify common IoT devices with default usernames and passwords enabled. Those are the devices upon which botnets such as Mirai feed, especially those with telnet exposed on default ports. Mirai searches for devices with telnet enabled and using default credentials and then compromises them and begins scanning again.
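The credential check that both Mirai and an auditing tool like IoTSeeker perform is nothing more than driving a telnet login prompt. As an added example (not Rapid7's or Mirai's code), the Python below strips telnet option negotiation, walks the login/password dialogue, reports whether a shell prompt came back, and repeats that over a short credential list with a fresh connection per attempt. The credential pairs and the FakeTelnetDevice class are constructed so the example runs offline; TelnetSocket shows the same logic over a real TCP connection and should only be pointed at devices you are authorized to test.

```python
import socket

# Constructed sample of the kind of factory defaults such tools iterate over;
# a real audit should use the vendor defaults for the devices on your network.
SAMPLE_DEFAULT_CREDS = [
    ("admin", "admin"), ("root", "root"), ("root", "xc3511"),
    ("root", "vizxv"), ("admin", "1234"), ("user", "user"),
]


def strip_iac(buf):
    """Drop telnet option negotiation (IAC WILL/WONT/DO/DONT <opt>, IAC <cmd>)
    so prompt matching sees only text.  IAC IAC is an escaped literal 0xFF.
    Subnegotiation (IAC SB ... SE) is not handled; a login prompt rarely uses it."""
    out, i = bytearray(), 0
    while i < len(buf):
        if buf[i] == 0xFF and i + 1 < len(buf):
            cmd = buf[i + 1]
            if cmd == 0xFF:
                out.append(0xFF)
                i += 2
            elif 0xFB <= cmd <= 0xFE:  # WILL/WONT/DO/DONT carry one option byte
                i += 3
            else:
                i += 2
        else:
            out.append(buf[i])
            i += 1
    return bytes(out)


class TelnetSocket:
    """Minimal read_until/write over TCP, the live counterpart of FakeTelnetDevice."""
    def __init__(self, host, port=23, timeout=5.0):
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.buf = b""

    def read_until(self, marker):
        while marker not in self.buf:
            chunk = self.sock.recv(4096)
            if not chunk:
                break
            self.buf += strip_iac(chunk)
        data, self.buf = self.buf, b""
        return data

    def write(self, data):
        self.sock.sendall(data)

    def close(self):
        self.sock.close()


class FakeTelnetDevice:
    """Constructed stand-in for an embedded device's telnetd: sends a little
    option negotiation, then login/password prompts, then a BusyBox-style
    prompt on success or 'Login incorrect' on failure."""
    def __init__(self, valid):
        self.valid, self.state, self.user = valid, "user", None
        self.pending = b"\xff\xfd\x18\xff\xfd\x20login: "  # IAC DO TTYPE, IAC DO NAWS

    def read_until(self, marker):
        data, self.pending = strip_iac(self.pending), b""
        return data

    def write(self, data):
        line = data.rstrip(b"\r\n").decode(errors="replace")
        if self.state == "user":
            self.user, self.state, self.pending = line, "pass", b"Password: "
        elif self.state == "pass":
            if (self.user, line) == self.valid:
                self.state, self.pending = "shell", b"\r\nBusyBox v1.20 built-in shell\r\n# "
            else:
                self.state, self.pending = "user", b"\r\nLogin incorrect\r\nlogin: "

    def close(self):
        pass


def try_login(conn, user, password):
    """Drive one login attempt; success means a shell prompt ('#' or '$') came back."""
    conn.read_until(b"login: ")
    conn.write(user.encode() + b"\r\n")
    conn.read_until(b"Password: ")
    conn.write(password.encode() + b"\r\n")
    reply = conn.read_until(b"# ")
    return reply.rstrip().endswith((b"#", b"$"))


def find_default_credential(connect, creds=SAMPLE_DEFAULT_CREDS):
    """Open a fresh connection per attempt (telnetd typically drops the session
    after a few failures) and return the first pair that yields a shell, or None."""
    for user, password in creds:
        conn = connect()
        try:
            if try_login(conn, user, password):
                return (user, password)
        finally:
            conn.close()
    return None


if __name__ == "__main__":
    print(find_default_credential(lambda: FakeTelnetDevice(("root", "xc3511"))))      # ('root', 'xc3511')
    print(find_default_credential(lambda: FakeTelnetDevice(("root", "Tr0ub4dor&3"))))  # None
```

To run the same check against a real host, pass `lambda: TelnetSocket("192.0.2.10")` as the connect callable. The two results in the `__main__` block show the whole defence in miniature: a device whose password was changed from the default comes back clean, while one still on a factory credential is exactly what Mirai's scanner finds.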
The new rule will require broadband companies to have customers opt in to the sale or sharing of their online histories as part of marketing or ad deals. It includes restrictions on the way that providers can share users’ location data and other information and also ensures that they will have to tell consumers exactly what data they collect and what they do with it. The changes do not apply to how broadband providers can use customer information in their own marketing, though.
The new regulations also require that broadband providers have “common-sense” data breach notifications and reasonable security practices.
The vote by the FCC makes distinctions between broadband providers and phone carriers and other service providers. Before the vote, providers and others had urged the FCC to align its rules with existing ones from the FTC on usage of customer data for marketing.