Tag Archives: Security

TRITON Malware Targeting Critical Infrastructure Could Cause Physical Damage

triton-ics-scada-malware

Security researchers have uncovered another nasty piece of malware designed specifically to target industrial control systems (ICS) with a potential to cause health and life-threatening accidents.

Dubbed Triton, also known as Trisis, the ICS malware has been designed to target Triconex Safety Instrumented System (SIS) controllers made by Schneider Electric—an autonomous control system that independently monitors the performance of critical systems and takes immediate actions automatically, if a dangerous state is detected.

Researchers from the Mandiant division of security firm FireEye published a report on Thursday, suggesting state-sponsored attackers used the Triton malware to cause physical damage to an organization.

Neither the targeted organization name has been disclosed by the researchers nor they have linked the attack to any known nation-state hacking group.

According to separate research conducted by ICS cybersecurity firm Dragos, which calls this malware “TRISIS,” the attack was launched against an industrial organization in the Middle East.

Triton leverages the proprietary TriStation protocol, which is an engineering and maintenance tool used by Triconex SIS products and is not publicly documented, suggesting that the attackers reverse engineered it when creating their malware.

“The attacker gained remote access to an SIS engineering workstation and deployed the TRITON attack framework to reprogram the SIS controllers,” FireEye researchers said.

The hackers deployed Triton on an SIS engineering workstation running Windows operating system by masquerading it as the legitimate Triconex Trilog application.

The current version of TRITON malware that researchers analyzed was built with many features, “including the ability to read and write programs, read and write individual functions and query the state of the SIS controller.”

“During the incident, some SIS controllers entered a failed safe state, which automatically shut down the industrial process and prompted the asset owner to initiate an investigation,” the researchers said.

Using TRITON, an attacker can typically reprogram the SIS logic to falsely shut down a process that is actuality in a safe state. Though such scenario would not cause any physical damage, organizations can face financial losses due to process downtime.

Besides this, attackers can also cause severe life-threatening damages by reprogramming the SIS logic to allow unsafe conditions to persist or by intentionally manipulating the processes to achieve unsafe state first.

“The attacker deployed TRITON shortly after gaining access to the SIS system, indicating that they had pre-built and tested the tool which would require access to hardware and software that is not widely available.”

Researchers believe Triton is emerging as a severe threat to critical infrastructures, just like Stuxnet, IronGate, and Industroyer, because of its capabilities to cause physical damage or shut down operations.

Researchers at Symantec have also provided a brief analysis here.

Bitcoin: definition, hacks and frauds

Despite being around for several years, Bitcoin is suddenly all over the news. You probably already know it is something to do with money, so this article will help to explain what this cyrptocurrency is, why it matters, and how to use it safely.

What is Bitcoin?

Bitcoin works pretty much like every other currency – people can buy goods and services, and money can be traded on the foreign exchange market too. Coins are held in a digital wallet – and encrypted set of files on your computer – and act just like cash when making a payment.

There are some key differences however:

  • Bitcoin is entirely digital – there are no bank notes or coins – so all transactions take place electronically.
  • It is not managed by a central bank like the US Federal Reserve, instead its users maintain a shared control.
  • It uses heavy encryption to verify “money” is genuine, and to protect the identities of buyers and sellers making a transaction.

Why does Bitcoin matter?

Free from the control of central banks Bitcoin is, theoretically, affected less by interest rate rises, or ‘quantitative easing. This makes it very attractive to foreign currency investors.

The fact that this cryptocurrency works exactly like cash makes it very attractive to criminals. Police cannot trace a payment made with a physical £5 in a physical store – and the same is true of its transactions. This is why ransomware demands typically specify payment in Bitcoin.

Bitcoin – a valuable target for theft

Currently this digital currency is not widely used by consumers – but with the increased level of attention being given to the currency, more of us may be tempted to get on board. But there are some important security issues you need to be aware of first.

The digital wallet used to store Bitcoin acts just like your real-world wallet. So if someone steals your digital wallet from your computer, they also steal all the contents – your Bitcoins. Because it is virtually untraceable, there is little chance that the thief will be caught, which is why its theft and fraud is becoming increasingly popular.

On the 7th December, hackers were able to steal 4700 Bitcoin (worth £56 million!) from an online exchange. The criminals were able to break into an employee’s computer and steal crucial data that allowed them to make off with the money – early indications suggest that malware installed on the PC provided the necessary access.

In November, another Bitcoin banking service, Tether, was compromised. Hackers managed to steal nearly $31 million worth of Bitcoin belonging to service users from the bank’s virtual account. The bank has not released details of how the attack was carried out, but again it appears that the issue was caused by one of their computers being compromised.

How to protect yourself

Your digital wallet is key to protecting your digital money. If cybercriminals can steal your digital wallet, or trick you into handing over user names, passwords or encryption keys, you could be robbed.

In reality the principles for staying safe when using cryptocurrency are exactly the same as shopping online. Never give a stranger your Bitcoin account details. And always ensure that your computer is properly protected against hacking and malware using a security solution like Panda Gold Protection. Ready to learn more? Check out our Bitcoin archive.

Download your Antivirus

The post Bitcoin: definition, hacks and frauds appeared first on Panda Security Mediacenter.

Read More

Zero-Day Remote ‘Root’ Exploit Disclosed In AT&T DirecTV WVB Devices

remote-root-directv

Security researchers have publicly disclosed an unpatched zero-day vulnerability in the firmware of AT&T DirecTV WVB kit after trying to get the device manufacturer to patch this easy-to-exploit flaw over the past few months.

The problem is with a core component of the Genie DVR system that’s shipped free of cost with DirecTV and can be easily exploited by hackers to gain root access and take full control of the device, placing millions of people who’ve signed up to DirecTV service at risk.

The vulnerability actually resides in WVBR0-25—a Linux-powered wireless video bridge manufactured by Linksys that AT&T provides to its new customers.

DirecTV Wireless Video Bridge WVBR0-25 allows the main Genie DVR to communicate over the air with customers’ Genie client boxes (up to 8) that are plugged into their TVs around the home.

Trend Micro researcher Ricky Lawshae, who is also a DirecTV customer, decided to take a closer look at the device and found that Linksys WVBR0-25 hands out internal diagnostic information from the device’s web server, without requiring any authentication.

hacking-news

When trying to browse to the wireless bridge’s web server on the device, Lawshae was expecting a login page or similar, but instead, he found “a wall of text streaming before [his] eyes.”

Once there, Lawshae was able to see the output of several diagnostic scripts containing everything about the DirecTV Wireless Video Bridge, including the WPS pin, connected clients, running processes, and much more.

What’s more worrisome was that the device was accepting his commands remotely and that too at the “root” level, meaning Lawshae could have run software, exfiltrate data, encrypt files, and do almost anything he wanted on the Linksys device.

“It literally took 30 seconds of looking at this device to find and verify an unauthenticated, remote root command injection vulnerability. It was at this point that I became pretty frustrated,” Lawshae wrote in an advisory published Wednesday on Trend Micro-owned Zero Day Initiative (ZDI) website. 

“The vendors involved here should have had some form of secure development to prevent bugs like this from shipping. More than that, we as security practitioners have failed to affect the changes needed in the industry to prevent these simple yet impactful bugs from reaching unsuspecting consumers.”

Lawshae also provided a video, demonstrating how a quick and straightforward hack let anyone get a root shell on the DirecTV wireless box in less than 30 seconds, granting them full remote unauthenticated admin control over the device.

The vulnerability was reported by the ZDI Initiative to Linksys more than six months ago, but the vendor ceased communication with the researcher and had yet not fixed the problem, leaving this easy-to-exploit vulnerability unpatched and open for hackers.

So, after over half a year, ZDI decided to publicize the zero-day vulnerability, and recommended users to limit their devices that can interact with Linksys WVBR0-25 “to those that actually need to reach” in order to protect themselves.

Newly Uncovered ‘MoneyTaker’ Hacker Group Stole Millions from U.S. & Russian Banks

hacking-bank-account

Security researchers have uncovered a previously undetected group of Russian-speaking hackers that has silently been targeting Banks, financial institutions, and legal firms, primarily in the United States, UK, and Russia.

Moscow-based security firm Group-IB published a 36-page report on Monday, providing details about the newly-disclosed hacking group, dubbed MoneyTaker, which has been operating since at least May 2016.

In the past 18 months, the hacking group is believed to have conducted more than 20 attacks against various financial organisations—stolen more than $11 Million and sensitive documents that could be used for next attacks.

According to the security firm, the group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and SWIFT international bank messaging service (United States).

Criminals stole documentation for OceanSystems’ FedLink card processing system, which is used by 200 banks in Latin America and the US.” Group-IB says in its report.

Group-IB also warned that the MoneyTaker attacks against financial organizations appear to be ongoing and banks in Latin America could be their next target.

MoneyTaker: 1.5 Years of Silent Operations

Since its first successful attack in May last year, MoneyTaker has targeted banks in California, Illinois, Utah, Oklahoma, Colorado, South Carolina, Missouri, North Carolina, Virginia and Florida, primarily targeting small community banks with limited cyber defenses.

Even after a large number of attacks against so many targets, MoneyTaker group managed to keep their activities concealed and unattributed by using various publicly available penetration testing and hacking tools, including Metasploit, NirCmd, psexec, Mimikatz, Powershell Empire, and code demonstrated as proof-of-concepts at a Russian hacking conference in 2016.

“To propagate across the network, hackers used a legitimate tool psexec, which is typical for network administrators.” Group-IB says in its report.

money-taker

Besides using open-source tools, the group has also been heavily utilizing Citadel and Kronos banking trojans to deliver a Point-of-Sale (POS) malware, dubbed ScanPOS.

“Upon execution, ScanPOS grabs information about the current running processes and collects the user name and privileges on the infected system. That said, it is primarily designed to dump process memory and search for payment card track data. The Trojan checks any collected data using Luhn’s algorithm for validation and then sends it outbound to the C&C server.”

The group uses ‘fileless’ malware only existing in RAM and is destroyed after reboot. To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts – they are both difficult to detect by antivirus and easy to modify. In some cases, they have made changes to source code ‘on the fly’ – during the attack,

 “To escalate privileges up to the local administrator (or SYSTEM local user), attackers use exploit modules from the standard Metasploit pack, or exploits designed to bypass the UAC technology. With local administrator privileges they can use the Mimikatz program, which is loaded into the memory using Meterpreter, to extract unencrypted Windows credentials.” 

Moreover, MoneyTaker also makes use of SSL certificates generated using names of well-known brands—including as Bank of America, Microsoft, Yahoo and Federal Reserve Bank—to hide its malicious traffic.

hacking-banks

The hacking group also configure their servers in a way that malicious payloads can only be delivered to a predetermined list of IP addresses belonging to the targeted company. Also, it relies on PowerShell and VBS scripts to ensure persistence in the targeted system.

The very first attack, which Group-IB attributes to MoneyTaker was conducted in May 2016, when the group managed to gain access to First Data’s STAR—the largest U.S. bank transfer messaging system connecting ATMs at over 5,000 organizations—and stole money.

In January 2017, the similar attack was repeated against another bank.

Here’s how the attack works:

“The scheme is extremely simple. After taking control over the bank’s network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked,” Group-IB explains.

“Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules.”

The money mules then removed overdraft limits, which made it possible for them to overdraw cash even with debit cards. Using these cards, they “withdrew cash from ATMs, one by one.”

According to the report, the average money stolen by MoneyTaker from United States banks alone was about $500,000, and more than $3 million was stolen from at least three Russian banks.

The report also detailed an attack against a Russian bank, wherein the MoneyTaker group used a modular malware program to target the AWS CBR (Automated Work Station Client of the Russian Central Bank)—a Russian interbank fund transfer system similar to SWIFT.

The modular tool had capabilities to search for payment orders and modify them, replace original payment details with fraudulent ones, and carefully erase malware traces after completing its tasks.

While it is still unclear how MoneyTaker managed to get its foothold in the corporate network, in one specific case, the entry point of compromise of the bank’s internal network was the home computer of the bank’s system administrator.

Group-IB believes that the hackers are now looking for ways to compromise the SWIFT interbank communication system, although it found no evidence of MoneyTaker behind any of the recent cyber attacks on SWIFT systems.

Security Flaw Leaves Major Banking Apps Vulnerable to MiTM Attacks Over SSL

hacking-mobile-banking-apps

A team of security researchers has discovered a critical implementation flaw in major mobile banking applications that could leave banking credentials of millions of users vulnerable to hackers.

The vulnerability was discovered by researchers of the Security and Privacy Group at the University of Birmingham, who tested hundreds of different banking apps—both iOS and Android—and found that several of them were affected by a common issue, leaving their users vulnerable to man-in-the-middle attacks.

The affected banking apps include HSBC, NatWest, Co-op, and Bank of America Health, Santander, and Allied Irish bank, which have now been updated after researchers reported them of the issue.

According to a research paper [PDF] published by researchers, vulnerable applications could allow an attacker, connected to the same network as the victim, to intercept SSL connection and retrieve the user’s banking credentials, like usernames and passwords/pincodes—even if the apps are using SSL pinning feature.

SSL pinning is a security feature that prevents man-in-the-middle (MITM) attacks by enabling an additional layer of trust between the listed hosts and devices.

When implemented, SSL pinning helps to neutralize network-based attacks wherein attackers could attempt to use valid certificates issued by rogue certification authorities.

“If a single CA acted maliciously or were compromised, which has happened before, valid certificates for any domain could be generated allowing an attacker to Man-in-the-Middle all apps trusting that CA certificate,” the researchers wrote in their paper.

However, there are two key parts to verify an SSL connection—the first (authentication) is to verify whether the certificate is from a trusted source and the second (authorization) is to make sure the server you are connecting to presents the right certificate.

Researchers found that due to lack of hostname verification, several banking applications were not checking if they connected to a trusted source.

Verifying a hostname ensures the hostname in the URL to which the banking app connects matches the hostname in the digital certificate that the server sends back as part of the SSL connection.

“TLS misconfiguration vulnerabilities are clearly common; however none of the existing frameworks will detect that a client pins a root or intermediate certificate, but fails to check the hostname in the leaf,” the paper reads.

Besides this issue, the researchers also detailed an “in-app phishing attack” affecting Santander and Allied Irish Banks, which could have allowed attackers to hijack part of the victim’s screen while the app was running and use it to phish for the victim’s login credentials.

To test this vulnerability in hundreds of banking apps quickly and without requiring to purchase certificates, researchers created a new automated tool, dubbed Spinner.

man-in-the-middle-attack-ssl-pinning

Spinner leverages Censys IoT search engine for finding certificate chains for alternate hosts that only differ in the leaf certificate.

“Given the certificate for a target domain, the tool queries for certificate chains for alternate hosts that only differ in the leaf certificate. The tool then redirects the traffic from the app under test to a website which has a certificate signed by the same CA certificate, but of course a different hostname (Common Name),” the researchers explain.

“If the connection fails during the establishment phase then we know the app detected the wrong hostname. Whereas, if the connection is established and encrypted application data is transferred by the client before the connection fails then we know the app has accepted the hostname and is vulnerable.”

The trio, Chris McMahon Stone, Tom Chothia, and Flavio D. Garcia, worked with the National Cyber Security Centre (NCSC) to notify all affected banks, which then resolved the issues before they publicly disclosed their research this week.

Process Doppelgänging: New Malware Evasion Technique Works On All Windows Versions

Process-Doppelganging-malware-evasion-technique

A team of security researchers has discovered a new malware evasion technique that could help malware authors defeat most of the modern antivirus solutions and forensic tools.

Dubbed Process Doppelgänging, the new fileless code injection technique takes advantage of a built-in Windows function and an undocumented implementation of Windows process loader.

Ensilo security researchers Tal Liberman and Eugene Kogan, who discovered the Process Doppelgänging attack, presented their findings today at Black Hat 2017 Security conference held in London.

Process Doppelgänging Works on All Windows Versions

Apparently, Process Doppelgänging attack works on all modern versions of Microsoft Windows operating system, starting from Windows Vista to the latest version of Windows 10.

Tal Liberman, the head of the research team at enSilo, told The Hacker New that this malware evasion technique is similar to Process Hollowing—a method first introduced years ago by attackers to defeat the mitigation capabilities of security products.

In Process Hollowing attack, hackers replace the memory of a legitimate process with a malicious code so that the second code runs instead of the original, tricking process monitoring tools and antivirus into believing that the original process is running.

Since all modern antivirus and security products have been upgraded to detect Process Hollowing attacks, use of this technique is not a great idea anymore.

On the other hand, Process Doppelgänging is an entirely different approach to achieve the same, by abusing Windows NTFS Transactions and an outdated implementation of Windows process loader, which was originally designed for Windows XP, but carried throughout all later versions of Windows.

Here’s How the Process Doppelgänging Attack Works:

Before going further on how this new code injection attack works, you need to understand what Windows NTFS Transaction is and how an attacker could leverage it to evade his malicious actions.

NTFS Transaction is a feature of Windows that brings the concept of atomic transactions to the NTFS file system, allowing files and directories to be created, modified, renamed, and deleted atomically.

NTFS Transaction is an isolated space that allows Windows application developers to write file-output routines that are guaranteed to either succeed completely or fail completely.

According to the researcher, Process Doppelgänging is a fileless attack and works in four major steps as mentioned below:

  1. Transact—process a legitimate executable into the NTFS transaction and then overwrite it with a malicious file.
  2. Load—create a memory section from the modified (malicious) file.
  3. Rollback—rollback the transaction (deliberately failing the transaction), resulting in the removal of all the changes in the legitimate executable in a way they never existed.
  4. Animate—bring the doppelganger to life. Use the older implementation of Windows process loader to create a process with the previously created memory section (in step 2), which is actually malicious and never saved to disk, “making it invisible to most recording tools such as modern EDRs.”

Process Doppelgänging Evades Detection from Most Antiviruses

malware evasion technique

Liberman told The Hacker News that during their research they tested their attack on security products from Windows Defender, Kaspersky Labs, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, and even advance forensic tools.

In order to demonstrate, the researchers used Mimikatz, a post-exploitation tool that helps extract credentials from the affected systems, with Process Doppelgänging to bypass antivirus detection.

When the researchers ran Mimikatz generally on a Windows operating system, Symantec antivirus solution caught the tool immediately, as shown below:

Process-Doppelganging-malware-evasion-technique

However, Mimikatz ran stealthy, without antivirus displaying any warning when executed using Process Doppelgänging, as shown in the image at top of this article.

Liberman also told us that Process Doppelgänging works on even the latest version of Windows 10, except Windows 10 Redstone and Fall Creators Update, released earlier this year.

But due to a different bug in Windows 10 Redstone and Fall Creators Update, using Process Doppelgänging causes BSOD (blue screen of death), which crashes users’ computers.

Ironically, the crash bug was patched by Microsoft in later updates, allowing Process Doppelgänging to run on the latest versions of Windows 10.

I don’t expect Microsoft to rush for an emergency patch that could make some software relying on older implementations unstable, but Antivirus companies can upgrade their products to detect malicious programs using Process Doppelgänging or similar attacks.

This is not the very first time when enSilo researchers have discovered a malware evasion technique. Previously they discovered and demonstrated AtomBombing technique which also abused a designing weakness in Windows OS.

In September, enSilo researchers also disclosed a 17-year-old programming error in Microsoft Windows kernel that prevented security software from detecting malware at runtime when loaded into system memory.

What is a botnet?

Botnets have become one of the biggest threats to security systems today. Their growing popularity among cybercriminals comes from their ability to infiltrate almost any internet-connected device, from DVR players to corporate mainframes.

Botnets are also becoming a larger part of cultural discussions around cyber security. Facebook’s fake ad controversy and the Twitter bot fiasco during the 2016 presidential election worry many politicians and citizens about the disruptive potential of botnets. Recently published studies from MIT have concluded that social media bots and automated accounts play a major role in spreading fake news.

The use of botnets to mine cryptocurrencies like Bitcoin is a growing business for cyber criminals. It’s predicted the trend will continue, resulting in more computers infected with mining software and more digital wallets stolen.

Aside from being tools for influencing elections and mining cryptocurrencies, botnets are also dangerous to corporations and consumers because they’re used to deploy malware, initiate attacks on websites, steal personal information, and defraud advertisers.

It’s clear botnets are bad, but what are they exactly? And how can you protect your personal information and devices? Step one is understanding how bots work. Step two is taking preventative actions.

How Do Botnets Work?

To better understand how botnets function, consider that the name itself is a blending of the words “robot” and “network”. In a broad sense, that’s exactly what botnets are: a network of robots used to commit cyber crime. The cyber criminals controlling them are called botmasters or bot herders.

Size Matters

To build a botnet, botmasters need as many infected online devices or “bots” under their command as possible. The more bots connected, the bigger the botnet. The bigger the botnet, the bigger the impact. So size matters. The criminal’s ultimate goal is often financial gain, malware propagation, or just general disruption of the internet.

Imagine the following: You’ve enlisted ten of your friends to call the Department of Motor Vehicles at the same time on the same day. Aside from the deafening sounds of ringing phones and the scurrying of State employees, not much else would happen. Now, imagine you wrangled 100 of your friends, to do the same thing. The simultaneous influx of such a large number of signals, pings, and requests would overload the DMV’s phone system, likely shutting it down completely.

Cybercriminals use botnets to create a similar disruption on the internet. They command their infected bot army to overload a website to the point that it stops functioning and/or access is denied. Such an attack is called a denial of service or DDoS.

Botnet Infections

Botnets aren’t typically created to compromise just one individual computer; they’re designed to infect millions of devices. Bot herders often deploy botnets onto computers through a trojan horse virus. The strategy typically requires users to infect their own systems by opening email attachments, clicking on malicious pop up ads, or downloading dangerous software from a website. After infecting devices, botnets are then free to access and modify personal information, attack other computers, and commit other crimes.

More complex botnets can even self-propagate, finding and infecting devices automatically. Such autonomous bots carry out seek-and-infect missions, constantly searching the web for vulnerable internet-connected devices lacking operating system updates or antivirus software.

Botnets are difficult to detect. They use only small amounts of computing power to avoid disrupting normal device functions and alerting the user. More advanced botnets are even designed to update their behavior so as to thwart detection by cybersecurity software. Users are unaware they’re connected device is being controlled by cyber criminals. What’s worse, botnet design continues to evolve, making newer versions harder to find.

Botnets take time to grow. Many will lay dormant within devices waiting for the botmaster to call them to action for a DDoS attack or for spam dissemination.

Vulnerable Devices

Botnets can infect almost any device connected directly or wirelessly to the internet. PCs, laptops, mobile devices, DVR’s, smartwatches, security cameras, and smart kitchen appliances can all fall within the web of a botnet.

Although it seems absurd to think of a refrigerator or coffee maker becoming the unwitting participant in a cyber crime, it happens more often than most people realize. Often appliance manufacturers use unsecure passwords to guard entry into their devices, making them easy for autonomous bots scouring the internet to find and exploit.

As the never-ending growth of the Internet of Things brings more devices online, cyber criminals have greater opportunities to grow their botnets, and with it, the level of impact.

In 2016, a large DDoS attack hit the internet infrastructure company Dyn. The attack used a botnet comprised of security cameras and DVRs. The DDoS disrupted internet service for large sections of the country, creating problems for many popular websites like Twitter and Amazon.

Botnet Attacks

Aside from DDoS attacks, botmasters also employ botnets for other malicious purposes.

Ad Fraud

Cybercriminals can use the combined processing power of botnets to run fraudulent schemes. For example, botmasters build ad fraud schemes by commanding thousands of infected devices to visit fraudulent websites and “click” on ads placed there. For every click, the hacker then gets a percentage of the advertising fees.

Selling and Renting Botnets

Botnets can even be sold or rented on the internet. After infecting and wrangling thousands of devices, botmasters look for other cybercriminals interested in using them to propagate malware. Botnet buyers then carry out cyber attacks, spread ransomware, or steal personal information.

Laws surrounding botnets and cybercrime continue to evolve. As botnets become bigger threats to internet infrastructure, communications systems, and electrical grids, users will be required to ensure their devices are adequately protected from infection. It’s likely cyber laws will begin to hold users more responsible for crimes committed by their own devices.

Botnet Structures

Botnet structures usually take one of two forms, and each structure is designed to give the botmaster as much control as possible.

Client-server model

The client-server botnet structure is set up like a basic network with one main server controlling the transmission of information from each client. The botmaster uses special software to establish command and control (C&C) servers to relay instructions to each client device.

While the client-server model works well for taking and maintaining control over the botnet, it has several downsides: it’s relatively easy for law enforcement official to location of the C&C server, and it has only one control point. Destroy the server, and the botnet is dead.

Peer-to-peer

Rather than relying on one centralized C&C server, newer botnets have evolved to use the more interconnected peer-to-peer (P2P) structure. In a P2P botnet, each infected device functions as a client and a server. Individual bots have a list of other infected devices and will seek them out to update and to transmit information between them.

P2P botnet structures make it harder for law enforcement to locate any centralized source. The lack of a single C&C server also makes P2P botnets harder to disrupt. Like the mythological Hydra, cutting off the head won’t kill the beast. It has many others to keep it alive.

Botnet Prevention

It should be clear by now that preventing botnet infection requires a comprehensive strategy; one that includes good surfing habits and antivirus protection. Now that you’ve armed yourself with the knowledge of how botnets work, here are some ways to keep botnets at bay.

Update your operating system

One of the tips always topping the list of malware preventative measures is keeping your OS updated. Software developers actively combat malware; they know early on when threats arise. Set your OS to update automatically and make sure you’re running the latest version.

Avoid email attachments from suspicious or unknown sources

Email attachments are a favorite source of infection for many types of viruses. Don’t open an attachment from an unknown source. Even scrutinize emails sent from friends and family. Bots regularly use contact lists to compose and send spam and infected emails. That email from your mother may actually be a botnet in disguise.

Avoid downloads from P2P and file sharing networks

Botnets use P2P networks and file sharing services to infect computers. Scan any downloads before executing the files or find safer alternatives for transferring files.

Don’t click on suspicious links

Links to malicious websites are common infection points, so avoid clicking them without a thorough examination. Hover your cursor over the hypertext and check to see where the URL actually goes. Malicious links like to live in message boards, YouTube comments, pop up ads, and the like.

Get Antivirus Software

Getting antivirus software is the best way to avoid and eliminate botnets. Look for antivirus protection that’s designed to cover all of your devices, not just your computer. Remember, botnets sneak into all types of devices, so look software that’s comprehensive in scope.

With the Internet of Things increasing, so too does the potential for botnet size and power. Laws will eventually change to hold users more responsible for the actions of their devices. Taking preventative action now will protect your identity, data, and devices.

The post What is a botnet? appeared first on Panda Security Mediacenter.

Read More

Is Your DJI Drone a Chinese Spy? Leaked DHS Memo Suggests

dji-drone-china-spying

The United States Department of Homeland Security (DHS) has recently accused Da-Jiang Innovations (DJI), one of the largest drone manufacturers, of sending sensitive information about U.S. infrastructure to China through its commercial drones and software.

A copy memo from the Los Angeles office of the Immigration and Customs Enforcement bureau (ICE) has begun circulating online more recently, alleging “with moderate confidence” that DJI drones may be sending US critical infrastructure and law enforcement data back to China.

However, the bureau accessed “with high confidence” that this critical data collected by the DJI systems could then be used by the Chinese government to conduct physical or cyber attacks against the U.S. critical infrastructure and its population.

The memo goes on to specify the targets the Chinese Government has been attempting to spy on, which includes rail systems, water systems, hazardous material storage facilities, and construction of highways, bridges, and rails.

The memo, marked as “unclassified/law enforcement sensitive,” was dated back to August this year, but was recently published by the Public Intelligence project.

In its memo, ICE cited what it called a reliable source in the drone industry “with first and secondhand access,” but did not identify it, specifying that the concern is over DJI drones used by companies and institutions, not the ones flown by hobbyists in the U.S. and elsewhere.

According to ICE, the DJI drones operate on two Android smartphone apps—DJI GO and Sky Pixels—that automatically tag GPS imagery and locations, access users’ phone data, and register facial recognition data even when the system is off.

Beside this, ICE says the apps also capture users identification and personal information, like their full names, email addresses, phone numbers, computer credentials, images, and videos.

“Much of the information collected includes proprietary and sensitive critical infrastructure data, such as detailed imagery of power control panels, security measures for critical infrastructure sites, or materials used in bridge construction,” the ICE memo reads.

Citing an unnamed source, ICE alleged that DJI then automatically uploads this collected information to its cloud storage systems located in China, Taiwan, and Hong Kong, which the Chinese government most likely has access to.

Drone Maker Denies Sending Data to Chinese Government

Of course, the drone-maker has denied the allegations, saying that the memo from the US government office was based on “clearly false and misleading claims.”

“The allegations in the bulletin are so profoundly wrong as a factual matter that ICE should consider withdrawing it, or at least correcting its unsupportable assertions,” DJI said in a statement, cited by The New York Times.

According to a DJI spokesman, users have complete control over how much data they can share with the Chinese drone maker, and the automatic function offered by the DJI apps to store user flight logs can also be turned off.

Moreover, the DJI has recently added a new feature that allows pilots to cut off all outside internet connections while the drone is flying.

According to drone research firm Skylogic Research, DJI dominates the overall drone market with an almost two-thirds share in the United States and Canada. Not just hobbyists, but DJI drones are also used by commercial customers like contractors, police and realtors.

The accusation that DJI is facing is similar to the one faced by Kaspersky Labs for spying on its users and sending the stolen data back to the Russian government.

The DHS has also banned Kaspersky antivirus products in US government agencies over Russian spying fears without actually having any substantial evidence. The company has always denied any direct involvement with the Russian spies in the alleged incident.

Here’s the NSA Employee Who Kept Top Secret Documents at Home

nghia-hoang-pho-nsa-employee

A former employee—who worked for an elite hacking group operated by the U.S. National Security Agency—pleaded guilty on Friday to illegally taking classified documents home, which were later stolen by Russian hackers.

In a press release published Friday, the US Justice Department announced that Nghia Hoang Pho, a 67-year-old of Ellicott City, Maryland, took documents that contained top-secret national information from the agency between 2010 and 2015.

Pho, who worked as a developer for the Tailored Access Operations (TAO) hacking group at the NSA, reportedly moved the stolen classified documents and tools to his personal Windows computer at home, which was running Kaspersky Lab software.

According to authorities, the Kaspersky Labs’ antivirus software was allegedly used, one way or another, by Russian hackers to steal top-secret NSA documents and hacking exploits from Pho’s home PC in 2015.

“Beginning in 2010 and continuing through March 2015, Pho removed and retained U.S. government documents and writings that contained national defense information, including information classified as Top Secret and Sensitive Compartmented Information,” the DoJ said in disclosing Pho’s guilty plea. 

“This material was in both hard-copy and digital form, and was retained in Pho’s residence in Maryland.”

For those unaware, the U.S. Department of Homeland Security (DHS) has even banned Kaspersky Labs’ antivirus software from all of its government computers over suspicion of the company’s involvement with the Russian intelligence agency and spying fears.

Kaspersky CEO Says He Would Leave If Russia Asked Him To Spy

Though there’s no substantial evidence yet available, an article published by US news agency WSJ in October claimed that Kaspersky software helped Russian spies steal highly classified documents and hacking tools belonging to the NSA in 2015 from a staffer’s home PC.

However, Kaspersky Labs has denied any direct involvement with the Russian spies in the alleged incident.

Just last month, Kaspersky claimed that its antivirus package running on the Pho’s home PC detected the copies of the NSA exploits as malicious software, and uploaded them to its cloud for further analysis by its team of researchers.

According to the company, as soon as its analysts realized that its antivirus had collected more than malicious binaries, the company immediately deleted the copy of the classified documents, and also created a special software tweak, preventing those files from being downloaded again.

Even, when asked if Russian intel agency had ever asked him to help it spy on the West at a media briefing at the Kaspersky’s offices in London on Tuesday, CEO Eugene Kaspersky said “They have never asked us to spy on people. Never.”

Kaspersky further added that “If the Russian government comes to me and asks me to anything wrong, or my employees, I will move the business out of Russia.”

NSA Hacker Faces A Prison Sentence Of Up To 10 Years

In Pho’s plea deal with prosecutors, the NSA hacker admitted that he copied information from NSA computers multiple times between 2010 and 2015 and took it all home with him.

Taking classified documents at home is a clear violation of known security procedures—and in this process, Pho eventually exposed the top secret information to Russian spies.

Pho has pleaded guilty in a United States district court in Baltimore to one count of willful removal and retention of national defense information, with no other charges filed against him and there’s no mention of Pho selling or passing off that confidential data.

The retention of national defense information offense carries a possible 10-year prison sentence.

Federal prosecutors said they would seek an eight-year sentence for Mr. Pho. However, his attorney can ask for a more lenient sentence.

Pho remains free while awaiting sentencing on 6th April next year.

Computer Security Day 2017: The Current State of Cybersecurity

Thursday 30th November marks the 29th Computer Security Day – an unofficial “holiday” used to raise awareness of cybersecurity issues that affect us all. At the most basic level, people across the world are encouraged to take the opportunity to create new strong passwords.

The annual Computer Security Day is also a useful chance to assess wider cybersecurity implications, and how well industry and individuals are protecting themselves.

So, what is the current state of IT security?

Security is more complex than ever

Every day new devices are added to home networks, most of which also connect to the Internet. From smart heating thermostats to remote controlled blinds and games consoles, technology is becoming part of the very fabric of our homes. And if smart speakers like Amazon’s Alexa and Apple’s HomePod sell as well as expected this Christmas, the home network is going to become busier (and more complicated) than ever.

The only drawback to all these devices is that they increase the number of potential attack points for cybercriminals. In the past, hackers would only have the option of breaking into your home PC. But with so many network connected devices to choose from, hacking in has actually become easier.

Security is not being prioritised by manufacturers

In the rush to sell their products as quickly as possible, some manufacturers are cutting corners. The software powering these devices often contains bugs and security holes that can be used by hackers to gain access. Once connected to the device, they can then attack other more important devices, like your laptop or PC.

Where there are decent security provisions on the device, owners are making basic mistakes that place their network at risk. As always, poor passwords are the biggest problem, making the hacker’s job even easier. If you have network connected devices at home, use this Computer Security Day to update all of those passwords too.

We are getting better at cybersecurity

Networks may be more complex than ever, but our security options are also improving. Most home routers used to connect to the Internet now include firewall functions to keep hackers out for instance. And the tools used to detect and remove malware are also improving daily.

In fact, anti-malware is the last line of defence when it comes to protecting your personal data. If hackers do manage to break through defences and compromise network-connected devices like webcams and smart speakers, anti-malware will stop them accessing your computers where the really valuable personal information is held.

If you do nothing else this Computer Security Day, please take a few minutes to download and install a free copy of Panda Antivirus for your PC. You should also take the opportunity to protect your smartphone too – download a free copy of Panda Mobile Security today.

The post Computer Security Day 2017: The Current State of Cybersecurity appeared first on Panda Security Mediacenter.

Read More