Was Dropbox Really Hacked?

Dropbox suffered a major outage over the weekend.

In one of the more bizarre recent incidents, after the service went down on Friday evening a group of hackers claimed to have infiltrated the service and compromised its servers.

However, on the Dropbox blog, Dropbox VP of engineering Ardita Ardwarl told users that hackers were not to blame.

Ardwari said, “On Friday evening we began a routine server upgrade. Unfortunately, a bug installed this upgrade on several active servers, which brought down the entire service. Your files were always safe, and despite some reports, no hacking or DDOS attack was involved.”

The fault occurred when a bug in an upgrade script caused an operating system upgrade to be triggered on several live machines, rendering them inoperative. Although the fault was rectified in three hours, the knock-on effects led to problems that lasted through the weekend for some users.

Dropbox has assured users that there are no further problems and that all users should now be back online. It said that at no point were files in danger, adding that the affected machines didn’t host any user data. In other words, the “hackers” weren’t hackers at all, but attention seeking trolls.

Dropbox claims to have over 200 million users, many of which it has acquired through strategic partnerships with device manufacturers offering free storage with purchases.

Source

The company is looking forward to an initial public offering (IPO) on the stock market, so the timing of such a major outage could not be worse. Dropbox, which includes Bono and The Edge from U2 amongst its investors, has recently enhanced its business offering to appeal to enterprise clients, and such a loss of uptime could affect its ability to attract customers.

Yahoo Spreading Malware?

Some advertisements on Yahoo Inc’s European websites last week spread malicious software, Yahoo said on Sunday, potentially infecting the computers of thousands of users.

Last Friday, Fox-IT, a Delft, Netherlands-based computer security firm, wrote in a blog that attackers had inserted malicious ads served by ads.yahoo.com.

In a recently released statement, a Yahoo spokesman, said: “On Friday, January 3 on our European sites, we served some advertisements that did not meet our editorial guidelines, specifically they spread malware.” Yahoo said it promptly removed the bad ads, and that users of Mac computers and mobile devices were not affected.

Malware is software used to disrupt a computer’s operations, gather sensitive information, or gain access to private computer systems.

Fox-IT estimated that on Friday, the malware was being delivered to approximately 300,000 users per hour, leading to about 27,000 infections per hour. The countries with the most affected users were Romania, Britain, and France.

“It is unclear which specific group is behind this attack, but the attackers are clearly financially motivated and seem to offer services to other actors,” Fox-IT wrote in the January 3 blog post.

Source

Some ATMs Still On XP

Cyber-criminals have been cutting holes into European cash machines in order to infect them with malware.

The holes were cut so that the hackers could plug in USB drives that installed their code onto the ATMs. Details of the attacks on an unnamed European bank’s cash dispensers were presented at the hacker-themed Chaos Computing Congress in Hamburg, Germany.

The thefts came to light in July after the lender involved noticed several its ATMs were being emptied. The bank discovered the criminals were vandalising the machines to use the infected USB sticks. Once the malware had been transferred, they patched the holes up. This allowed the same machines to be targeted several times without the hack being discovered.

The attackers could take the highest value banknotes in order to minimise the amount of time they were exposed. Interestingly the software required the thief to enter a second code in response to numbers shown on the ATM’s screen before they could release the money and the thief could only obtain the right code by phoning another gang member and telling them the numbers displayed. This stopped the criminals going alone.

Source

Cryptolocker Infects 250K Systems

DELL’s security research team has revealed that a new form of ransomware, dubbed “Cryptolocker” has managed to infect up to 250,000 devices, stealing almost a million dollars in Bitcoins.

“Based on the presented evidence, researchers estimate that 200,000 to 250,000 systems were infected globally in the first 100 days of the CryptoLocker threat,” Dell announced in a Secureworks post.

The firm worked out that if the Cryptolocker ransomware threat actors had sold its 1,216 total Bitcoins (BTC) that they collected from September this year, immediately upon receiving them, they would have earned nearly $380,000.

“If they elected to hold these ransoms, they would be worth nearly $980,000 as of this publication based on the current weighted price of $804/BTC,” Dell said.

Cryptolocker is unique when compared against your average ransomware. Instead of using a custom cryptographic implementation like many other malware families, Cryptolocker uses third-party certified cryptography offered by Microsoft’s CryptoAPI.

“By using a sound implementation and following best practices, the malware authors have created a robust program that is difficult to circumvent,” Dell said.

Conventionally, ransomware prevents victims from using their computers normally and uses social engineering to convince them that failing to follow the malware authors’ instructions will lead to real-world consequences. These consequences, such as owing a fine or facing arrest and prosecution, are presented as being the result of a fabricated indiscretion such as pirating music or downloading illegal pornography.

“Victims of traditional forms of ransomware could ignore the demands and use security software to unlock the system and remove the offending malware,” Dell explained. “Cryptolocker changes this dynamic by aggressively encrypting files on the victim’s system and returning control of the files to the victim only after the ransom is paid.”

Dell said that the earliest samples of Cryptolocker appear to have been released on 5 September this year. However, details about its initial distribution phase are unclear.

“It appears the samples were downloaded from a compromised website located in the United States, either by a version of Cryptolocker that has not been analysed as of this publication, or by a custom downloader created by the same authors,” Dell added.

Dell seems to think that early versions of Cryptolocker were distributed through spam emails targeting business professionals as opposed to home internet users, with the lure often being a ‘consumer complaint’ against the email recipient or their organisation.

Attached to these emails would be a ZIP archive with a random alphabetical filename containing 13 to 17 characters, containing a single executable with the same filename as the ZIP archive but with an EXE extension, so keep your eye out for emails that fit this description.

Source

Did Stuxnet Infect A Russian Nuclear Plant?

Kaspersky has claimed that the infamous Stuxnet computer worm “badly infected” the internal network of an unnamed Russian nuclear plant after it caused chaos in Iran’s nuclear facilities.

Speaking at a keynote presentation given at the Canberra Press Club 2013, Kaspersky CEO Eugene Kaspersky said a staffer at the unnamed nuclear plant informed him of the infection.

“[The staffer said] their nuclear plant network which was disconnected from the internet was badly infected by Stuxnet,” Kaspersky said.

“So unfortunately these people who were responsible for offensive technologies, they recognise cyber weapons as an opportunity.”

Stuxnet was discovered to have spread throughout industrial software and equipment in 2010 and is believed to have been created by the United States and Israel to attack Iran’s nuclear facilities. According to Kaspersky’s source, the malware was carried into the Russian nuclear plant and installed on a physically separated “air-gapped” network.

Kaspersky also made a rather outlandish joke during his speech, saying that all data is subject to theft. “All the data is stolen,” Kaspersky said. “At least twice.”

“If the claim of the Russian nuclear plant infection is true, then it’s easy to imagine how this “collateral damage” could have turned into a very serious incident indeed, with obvious diplomatic repercussions,” said security expert Graham Cluley.

“There is no way to independently verify the claim, of course. But it is a fact that Stuxnet managed to infect many computer systems outside of its intended target in Iran,” Cluley added. “Indeed, the very fact that it spread out of control, was what lead to its discovery by security firms.”

Earlier this year, Symantec claimed that the Stuxnet computer worm could date back further than 2010 and was more widespread than originally believed.

Symantec’s report called “The Missing Link” found a build of the Stuxnet attack tool, dubbed Stuxnet 0.5, which it said dated back to 2005 and used different techniques to sabotage industrial facilities.

Source

Google Expands Malware Blocker

Google has expanded malware blocking in an early development build of Chrome to sniff out a wider range of threats than the browser already recognizes.

Chrome’s current “Canary” build — the label for very-early versions of the browser, earlier than even Chrome’s Dev channel — will post a warning at the bottom of the window when it detects an attempted download of malicious code.

Features added to the Canary build usually, although not always, eventually make it into the Dev channel — the roughest-edged of the three distributed to users — and from there into the Beta and Stable channels. Google did not spell out a timetable for the expanded malware blocking.

Chrome has included malware blocking for more than two years, since version 12 launched in June 2011, and the functionality was extended in February 2012with Chrome 17.

Chrome is now at version 30.

Canary’s blocking, however, is more aggressive on two fronts: It is more assertive in its alerts and detects more malware forms, including threats that pose as legitimate software and monkey with the browser’s settings.

“Content.exe is malicious, and Chrome has blocked it,” the message in Canary reads. The sole visible option is to click the “Dismiss” button, which makes the warning vanish. The only additional option, and that only after another click, is to “Learn more,” which leads to yet another warning.

In Canary, there is no way for the user to contradict the malware blocking.

That’s different than in the current Stable build of Chrome, which relies on a message that says, “This file is malicious. Are you sure you want to continue?” and gives the user a choice between tossing the downloaded file or saving it anyway.

As it has for some time, Chrome will show such warnings on select file extensions, primarily “.exe,” which in Windows denotes an executable file, and “.msi,” an installation package for Windows applications. Canary’s expansion, said Google, also warns when the user tries to download some less obvious threats, including payloads masquerading as legitimate software — it cited screen savers and video plug-ins in a  blog posting — that hijack browser settings to silently change the home page or insert ads into websites to monetize the malware.

Google’s malware blocking is part of its Safe Browsing API (application programming interface) and service, which Chrome, Apple’s Safari and Mozilla’s Firefox all access to warn customers of potentially dangerous websites before they reach them.

In Chrome’s case, the malware warning stems not only from the Safe Browsing “blacklist” of dodgy websites, but according to NSS Labs, a security software testing company, also from the Content Agnostic Malware Protection (CAMP) technology that Google has baked into its implementation of Safe Browsing.

Source

ATM Malware Found In Mexico

A malicious software program identified in ATMs in Mexico has been improved and translated into English, which suggests it may be used elsewhere, according to security vendor Symantec.

Two versions of the malware, called Ploutus, have been discovered, both of which are engineered to empty a certain type of ATM, which Symantec has not identified.

In contrast to most malware, Ploutus is installed the old-fashioned way — by inserting a CD boot disk into the innards of an ATM machine running Microsoft Windows. The installation method suggests that cybercriminals are targeting standalone ATMs where access is easier.

The first version of Ploutus displays a graphical user interface after the thief enters a numerical sequence on an ATM’s keypad, although the malware can be controlled by a keyboard, wrote Daniel Regalado, a Symantec malware analyst, on Oct. 11.

Ploutus is programmed for a specific ATM model since it assumes there is a maximum of four cassettes per dispenser in the ATM. It then calculates the amount of money that should be dispensed based on the number of bills. If any of the cassettes have less than the maximum number of 40 bills, it releases whatever is left, repeating that process until the ATM is empty.

Kevin Haley, director of Symantec Security Response, said in an interview earlier this month that the attackers have deep knowledge of the software and hardware of the particular ATM model.

“They clearly know how this machine worked,” he said.

The source code of Ploutus “contains Spanish function names and poor English grammar that suggests the malware may have been coded by Spanish-speaking developers,” Regalado wrote.

In a new blog post, Regalado wrote that the attackers made Ploutus more robust and translated it into English, indicating the same ATM software can be exploited in countries other than Mexico.

The “B” variant of Ploutus has some differences. It only accepts commands through the keypad but will display a window showing the money available in the machine along with a transaction log as it dispenses cash. An attacker cannot enter a specific number of bills, so Ploutus withdraws money from the cassette with the most available bills, Regalado wrote.

Symantec advised those with ATMs to change the BIOS boot order to only boot from the hard disk and not CDs, DVDs or USB sticks. The BIOS should also be password protected so the boot options can’t be changed, Regalado wrote.

Source

Will Google’s Project Shield Work?

Google has opened Project Shield, its service for small websites that don’t have the forces to repel denial of service attacks that might come their way.

Google introduced the service on Google+, saying that it is aimed at websites that might otherwise be at risk of online disruption.

“Project Shield, [is] an initiative that enables people to use Google’s technology to better protect websites that might otherwise have been taken offline by “distributed denial of service” (DDoS) attacks. We’re currently inviting webmasters serving independent news, human rights, and elections-related content to apply to join our next round of trusted testers,” it said.

“Over the last year, Project Shield has been successfully used by a number of trusted testers, including Balatarin, a Persian-language social and political blog, and Aymta , a website providing early-warning of scud missiles to people in Syria. Project Shield was also used to protect the election monitoring service in Kenya, which was the first time their site stayed up throughout an election cycle.”

Interested websites should visit the Google Project Shield page and request an invitation to the experience. They should not try to do the same at Nvidia’s website, as they will probably just come away with a handheld games console. This will not offer much assistance against DDoS attacks.

According to a video shared by Google last night, Project Shield works by combining the firm’s DDoS mitigation technologies and Page Speed Service (PSS).

Source

Cyber Attacks Increasing In Middle East

Syria’s civil war and political strife in Egypt have given birth to new battlegrounds on the Web and driven a surge in cyber attacks in the Middle East, according to a leading Internet security company.

More than half of incidents in the Gulf this year were so-called “hacktivist” attacks – which account for only a quarter of cybercrime globally – as politically motivated programmers sabotaged opposing groups or institutions, executives from Intel Corp’s software security division McAfee said on Tuesday.

“It’s mostly bringing down websites and defacing them with political messages – there has been a huge increase in cyber attacks in the Middle East,” Christiaan Beek, McAfee director for incident response forensics in Europe, Middle East and Africa (EMEA), told Reuters.

He attributed the attacks to the conflict in Syria, political turmoil in Egypt and the activities of hacking collective Anonymous.

“It’s difficult for people to protest in the street in the Middle East and so defacing websites and denial of service (DOS) attacks are a way to protest instead,” said Beek.

DOS attacks flood an organization’s website causing it to crash, but usually do little lasting damage.

The Syrian Electronic Army (SEA), a hacking group loyal to the government of President Bashar al-Assad, defaced an Internet recruiting site for the U.S. Marine Corps on Monday and recently targeted the New York Times website and Twitter, as well other websites within the Middle East.

Beek described SEA as similar to Anonymous.

“There’s a group leading operations, with a support group of other people that can help,” said Beek.

McAfee opened a centre in Dubai on Monday to deal with the rising threat of Internet sabotage in the region, the most serious of which are attacks to extract proprietary information from companies or governments or those that cause lasting damage to critical infrastructure.

Cyber attacks are mostly focused on Saudi Arabia, the world’s largest oil exporter, Qatar, the top liquefied natural gas supplier, and Dubai, which is the region’s financial, commercial and aviation hub, said Gert-Jan Schenk, McAfee president for EMEA.

“It’s where the wealth and critical infrastructure is concentrated,” he said.

The “Shamoon” virus last year targeted Saudi Aramco, the world’s largest oil company, damaging about 30,000 computers in what may have been the most destructive attack against the private sector.

“Ten years ago, it was all about trying to infect as many people as possible,” added Schenk. “Today we see more and more attacks being focused on very small groups of people. Sometimes malware is developed for a specific department in a specific company.”

Source

Chinese Hackers Go After Dissidents

The “Comment Crew,” a group of China-based hackers whose outing earlier this year in major media outlets caused a conflict with the U.S., have resumed their attacks against dissidents.

FireEye, a security vendor that specializes in trying to stop sophisticated attacks, has noticed attackers using a fresh set of tools and evasion techniques against some of its newer clients, which it can’t name. But Rob Rachwald, director of market research for FireEye, said in an interview Monday that those clients include an organization in Taiwan and others involved in dissident activity.

The Comment Crew was known for many years by security analysts, but its attacks on The New York Times, described in an extensive report in February from vendor Mandiant, thrust them into an uncomfortable spotlight, causing tense relations between the U.S. and China.

Rachwald said it is difficult to determine if the organizations being targeted now were targeted by the Comment Crew previously, but FireEye said last month that the group didn’t appear to be hitting organizations they had compromised before.

Organizations opposing Chinese government policies have frequently been targeted by hackers in what are believed to be politically motivated surveillance operations.

The Comment Crew laid low for about four months following the report, but emerging clues indicate they haven’t gone away and in fact have undertaken a major re-engineering effort to continue spying. The media attention “didn’t stop them, but it clearly did something to dramatically alter their operations,” Rachwald said in an interview.

“If you look at it from a chronological perspective, this malware hasn’t been touched for about 18 months or so,” he said. “Suddenly, they took it off the market and started overhauling it fairly dramatically.”

FireEye researchers Ned Moran and Nart Villeneuve described the new techniques on Monday on FireEye’s blog.

Two malware samples, called Aumlib and Ixeshe, had been used by the Comment Crew but not updated since 2011. Both malware programs have now been altered to change the appearance of their network traffic, Rachwald said.

Many vendors use intrusion detection systems to spot how malware sends data back to an attacker, which helps determine if a network has been compromised. Altering the method and format for how the data is sent can trick those systems into thinking everything is fine.

In another improvement, encryption is now employed to mask certain components of the programs’ networking communication, Rachwald said. The malware programs themselves, which are designed to steal data and log keystrokes, are basically the same.

Mandiant’s report traced the hacking activity to a specific Chinese military unit called “61398.” The company alleged that it waged a seven-year hacking spree that compromised 141 organizations.

Rachwald said it is strongly believed the Comment Crew is behind the new attacks given its previous use of Aumlib and Ixeshe. But the group has also re-engineered its attack infrastructure so much over the last few months that it is difficult to say for sure.

Source

« Previous Page — Next Page »