Is Epic Turla Exploiting Windows XP?
Kaspersky Lab has discovered an espionage network that successfully attacked government institutions, intelligence agencies and European companies.
The firm has dubbed the spy operation Epic Turla, and said that it is in no doubt about its capabilities.
“Over the last 10 months, Kaspersky Lab researchers have analyzed a massive cyber-espionage operation which we call ‘Epic Turla’,” it said.
“The attackers behind Epic Turla have infected several hundred computers in more than 45 countries, including government institutions, embassies, military, education, research and pharmaceutical companies.”
Kaspersky said that Epic Turla used two zero-day exploits that affected Adobe and Microsoft software, along with some backdoor and social engineering tricks.
In particular, Kaspersky said that a vulnerability in Windows XP and Windows 2003, CVE-2013-5065, which it termed a “privilege escalation vulnerability”, is being used. “The CVE-2013-5065 exploit allows the backdoor to achieve administrator privileges on the system and run unrestricted. This exploit only works on unpatched Microsoft Windows XP systems.”
The use of this Windows XP flaw underlines the risk that the unsupported Windows XP OS poses. Kaspersky went on to explain that, once inside, attackers install their own rootkits and other malware tools and begin their surveillance.
“Once the attackers obtain the necessary credentials without the victim noticing, they deploy the rootkit and other extreme persistence mechanisms,” it said. “The attacks are still ongoing as of July 2014, actively targeting users in Europe and the Middle East.”
The attacks are just the latest in a long line of incidents that businesses need to be aware of as cyber attacks continue at an alarming rate.
In June the security firm Crowdstrike alerted the industry to Putter Panda, a cute-sounding but nasty piece of malware. That firm pointed an accusatory finger at China and charged it with espionage on the US and Europe.
Crowdstrike CEO George Kurtz said at the time, “China’s decade-long economic espionage campaign is massive and unrelenting. Through widespread espionage campaigns, Chinese threat actors are targeting companies and governments in every part of the globe.” Chinese authorities disputed this.
The report comes in the same week Hold Security reported uncovering a huge trove of 1.2 billion web passwords and login details that have been gathered by Russian cyber criminals.
Is Malware Wreaking Havoc On XP?
One of the top three malware programs affecting businesses in the second quarter is a worm that takes advantage of the large number of companies still using Windows XP, Trend Micro has warned.
The worm, dubbed DOWNAD, also known as Conficker, can infect an entire network via a malicious URL, spam email, or removable drive. Windows XP is particularly susceptible to this threat because the worm is known to exploit the MS08-067 Server service vulnerability in order to execute arbitrary code.
DOWNAD also has its own domain generation algorithm (DGA) that allows it to create randomly-generated URLs. It then connects to these created URLs to download files to the system. Trend Micro said that around 175 IP addresses are found to be related to the DOWNAD worm and that these IP addresses use various ports and are randomly generated via the DGA capability of DOWNAD.
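The DGA behaviour described above leaves a characteristic trace in DNS logs: an infected host queries many freshly generated, unpronounceable domains in quick succession, most of which do not resolve. The following is an added example (not code from Trend Micro or from the article) showing how a defender might score domain names lexically and flag hosts that burst NXDOMAIN responses for such names. The log lines are constructed for the example, and the scoring thresholds are assumptions that a real deployment would tune against its own traffic.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines for this example (not real DOWNAD domains):
# the host 10.0.0.9 behaves like a DGA client, the other two are benign.
SAMPLE_LOG = """\
2014-07-01T10:00:01 client=10.0.0.5 query=www.example.com rcode=NOERROR
2014-07-01T10:00:02 client=10.0.0.5 query=mail.example.com rcode=NOERROR
2014-07-01T10:00:03 client=10.0.0.9 query=qkzvbtxwm.info rcode=NXDOMAIN
2014-07-01T10:00:03 client=10.0.0.9 query=rplhgyvcnq.biz rcode=NXDOMAIN
2014-07-01T10:00:04 client=10.0.0.9 query=xmzqtwkpbd.org rcode=NXDOMAIN
2014-07-01T10:00:04 client=10.0.0.9 query=vgnbxzcfhl.net rcode=NXDOMAIN
2014-07-01T10:00:05 client=10.0.0.9 query=jtyqwzsvmk.com rcode=NXDOMAIN
2014-07-01T10:00:06 client=10.0.0.9 query=update.vendor-example.net rcode=NOERROR
2014-07-01T10:00:07 client=10.0.0.7 query=typo-examle.com rcode=NXDOMAIN
"""

LINE_RE = re.compile(r"client=(\S+) query=(\S+) rcode=(\S+)")
VOWELS = set("aeiou")

# Assumed heuristic thresholds; tune against real baseline traffic.
MIN_LABEL_LEN = 8      # short labels are too ambiguous to score
MAX_VOWEL_RATIO = 0.2  # random consonant strings have few vowels
MIN_ENTROPY = 3.0      # bits per character; dictionary words score lower
NXDOMAIN_THRESHOLD = 3 # suspicious NXDOMAINs per client before alerting


def registrable_label(fqdn):
    """Return the label just left of the TLD, e.g. 'example' for www.example.com.
    A real deployment would use the public suffix list instead of this shortcut."""
    parts = fqdn.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def vowel_ratio(s):
    """Fraction of alphabetic characters that are vowels (0.0 if no letters)."""
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(1 for ch in letters if ch in VOWELS) / len(letters)


def is_dga_like(label):
    """Lexical test: long, vowel-poor, high-entropy labels look machine-generated."""
    return (len(label) >= MIN_LABEL_LEN
            and vowel_ratio(label) < MAX_VOWEL_RATIO
            and shannon_entropy(label) >= MIN_ENTROPY)


def parse_line(line):
    """Extract (client, query, rcode) from one log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def flag_clients(log_text, threshold=NXDOMAIN_THRESHOLD):
    """Count NXDOMAIN answers for DGA-like names per client and return the
    clients whose count reaches the threshold, mapped to that count."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        client, query, rcode = parsed
        if rcode == "NXDOMAIN" and is_dga_like(registrable_label(query)):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for client, n in sorted(flag_clients(SAMPLE_LOG).items()):
        print(f"possible DGA client {client}: {n} NXDOMAIN hits on DGA-like names")
```

The point of combining the two signals is to keep false positives down: a single typo such as `typo-examle.com` produces an NXDOMAIN but a readable label, and a CDN hostname may look random but resolves, so neither alone trips the alert. In a production pipeline the same scoring would run over the resolver's query log or passive DNS feed, and flagged hosts would be pulled for the MS08-067 patch state and a DOWNAD scan.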
“During our monitoring of the spam landscape, we observed that in Q2, more than 40 percent of malware related spam mails are delivered by machines infected by DOWNAD worm,” said Trend Micro anti-spam research engineer Maria Manly in a blog post.
“A number of machines are still infected by this threat and leveraged to send the spammed messages to further increase the number of infected systems. And with Microsoft ending the support for Windows XP this year, we can expect that systems with this OS can be infected by threats like DOWNAD.”
The security company warned that spam campaigns delivering FAREIT, MYTOB, and LOVGATE payloads in email attachments are attributed to DOWNAD infected machines. FAREIT is a malware family of information stealers that download variants of the Zeus Trojan, while MYTOB is an old family of worms known for sending a copy of itself in spam attachments.
The other top sources of spam with malware are the CUTWAIL botnet, together with Gameover ZeuS (GoZ). Manly said that CUTWAIL was previously used to download GoZ malware, but that now a malware called UPATRE employs GoZ malware or variants of ZBOT that have peer-to-peer functionality.
“In the last few weeks we have reported various spam runs that abused Dropbox links to host malware like UPATRE,” Manly said. “We also spotted a spammed message in the guise of voice mail that contains a Cryptolocker variant. The latest we have seen is a spam campaign with links that leveraged CUBBY, a file storage service, this time carrying a banking malware detected as TSPY_BANKER.WSTA.”
According to Manly, cybercriminals and threat actors are probably abusing file storage platforms to mask their malicious activities and go undetected in the system and network.
“As spam with malware attachment continues to proliferate, so is spam with links carrying malicious files. The continuous abuse of file hosting services to spread malware appears to have become a favoured infection vector of cyber criminals most likely because this makes it more effective given that the URLs are legitimate thereby increasing the chance of bypassing anti-spam filters,” she added.
Can Malwarebytes Protect XP?
Malwarebytes has launched anti-exploit services to protect Windows users from hacking attacks on vulnerabilities in popular targets including Microsoft Office, Adobe software products and Java, a service which even offers protection for Windows XP users.
Consumer, Premium and Corporate versions of the service are available, and are designed to pre-emptively stop hackers from infecting Windows machines with malware.
“An exploit will typically first corrupt the memory of an application process, take control, then execute code,” said Malwarebytes director of special projects Pedro Bustamante.
“From the shell code it executes a payload that tells the exploit what to do and that in turn usually downloads malware from the internet and executes it. The final stage is usually where antivirus kicks in, when it’s being downloaded from the internet, and starts doing things like behavioural analysis to see if it’s malicious.
“We don’t care about that, what we do comes before then. We just look for exploit-like behaviour and block anything that looks like it at the shellcode or payload stages. We come into play before the malware even appears on the scene.”
The Consumer version of the anti-exploit service is free and offers basic browser and Java protection.
The Premium version costs $37.00 per user and adds Office and Adobe protection services as well as the ability to add custom shields to other internet-facing applications, like Messenger or Netflix.
The Corporate version costs $40.00 per user and offers complete anti-exploit protection, and comes with Malwarebytes’ Anti-malware service and a toolkit for IT managers.
Bustamante explained that the technology is designed to help businesses and general web users defend against the new wave of exploit-based cyber attacks.
“Traditional security can’t deal with exploits. Every day we see people getting infected, even if they have the latest up-to-date antivirus readers, because of exploits,” he said. “This is why we care about the applications you run – Firefox, Chrome, Internet Explorer, Java, Acrobat [and Microsoft] Word, Excel [and] Powerpoint.”
Bustamante added that the service is doubly important for Windows XP users since Microsoft officially ceased support for the OS in April.
“We’re still seeing over 25 percent of our users running XP. For them this product is even more important,” he said.
“We see new zero-days if not every week, every month, and for XP users who are not getting any more patches from Microsoft this product will be essential.
“Every month Microsoft will be releasing security patches for newer versions of Windows. Every time Microsoft does this it’ll be a treasure map for hackers to find exploits on Windows XP.
“It’ll show them exactly where the vulnerabilities are, so every month will see an influx of new exploits targeting Windows XP.”
Did The British Go After Anonymous?
February 17, 2014 by admin
A British spy unit linked to GCHQ attacked hacktivists of the Anonymous and Lulzsec collectives, according to leaked US National Security Agency (NSA) documents.
NBC published documents obtained by NSA whistleblower Edward Snowden showing that the group codenamed the Joint Threat Research Intelligence Group (JTRIG) proactively attempted to shut down and spread misinformation throughout the Anonymous collective.
The leaked documents allege that the unit attempted to phish Anonymous members and launched attacks designed to disrupt and infiltrate its networks as part of an operation called Rolling Thunder.
The documents show the spies mounted a sophisticated espionage campaign that enabled intelligence officers to phish a number of Anonymous members to extract key bits of information.
The documents include conversations between intelligence officers and Anonymous members G-Zero, Topiary and pOke in 2011.
One log shows that a GCHQ spy duped the hacker pOke into clicking on a malicious link dressed up to look like a news article about Anonymous. The link used an unspecified method to extract data from the virtual private network (VPN) being used by pOke.
The documents allege pOke was not arrested, but that the information acquired during the phishing attack was used in the arrest of Jake Davis, who was known as Topiary, in July 2011.
Davis’ arrest was taken as a key victory for law enforcement. British citizen Davis was believed to have acted as a spokesman for many Anonymous cells and is credited as having written several of its statements.
A GCHQ spokesman declined The INQUIRER’s request for comment on NBC’s report, but reiterated the agency’s previous insistence that all of its operations are carried out within the letter of the law.
“It is a longstanding policy that we do not comment on intelligence matters. Furthermore, all of GCHQ’s work is carried out in accordance with a strict legal and policy framework,” read the statement.
Experts in the security community have questioned GCHQ’s argument. Corero Network Security COO Andrew Miller said that the secret unit’s use of blackhat tactics was at the very least morally questionable.
“We have to remember that cyber-spooks within GCHQ are equally if not more skilled than many black hat hackers, and the tools and techniques they are going to use to fight cybercrime are surely going to be similar to that of the bad guys,” he said.
“Legally, we enter a very grey area here, where members of Lulzsec were arrested and incarcerated for carrying out DDoS attacks, but it seems that JTRIG are taking the same approach with impunity.”
The campaign against Anonymous is one of many revelations from the leaked Snowden files.
The files were initially leaked to the press in 2013 and detailed several intelligence operations carried out by the UK’s GCHQ and the US NSA. Documents emerged in January alleging that GCHQ and the NSA used mobile apps such as Angry Birds to spy on citizens.
Some Hackers Going To Jail
Thirteen people have been indicted, accused of being members of the Anonymous hacktivist group and allegedly involved in Operation Payback.
Operation Payback was the retaliation against payment firms that Anonymous put in motion following their blocking of Wikileaks donations.
The 13 are accused of taking part in a series of distributed denial of service (DDoS) attacks, and the US Department of Justice filed a federal grand jury indictment in US District Court in Alexandria, Virginia. The indictment charges them with conspiracy to intentionally cause damage to protected computers.
Anonymous is a loosely linked digital rights collective. In its early days it pulled together volunteers from all walks of life.
Operation Payback struck a number of organisations including Mastercard, Visa, Paypal and the Motion Picture Association of America. The attacks lasted between September 2010 and January 2011. As well as retaliating against payment providers, part of Operation Payback was aimed at parties thought to be involved in a campaign against The Pirate Bay.
Agence France Presse (AFP) has seen the indictment and named those indicted in it. They are Dennis Owen Collins, Jeremy Leroy Heller, Chen Zhiwei, Joshua Phy, Ryan Russel Gubele, Robert Audubon Whitfield, Anthony Tadros, Geoffrey Kenneth Commander, Austen Stamm, Timothy Robert McLain, Wade Carl Williams and Thomas Bell.
According to AFP the 13 alleged Anonymous members “planned and executed a coordinated series of cyber-attacks against victim websites by flooding those websites with a huge volume of irrelevant internet traffic with the intent to make the resources on the websites unavailable to customers and users of those websites.”
In short, they are accused of having conducted a digital sit-in protest.