Wednesday 26 March 2014

Hackers Can Force ATMs to Spit Out Money With a Text Message

It's getting remarkably easy to hack ATMs these days, and security researchers say that Microsoft's aging Windows XP is making the problem worse. This week, security analysts at Symantec blogged about a new technique popping up in Mexico that uses text messages to give hackers access. It's as wild as it sounds.
The method does take some grunt work, though. The first step in this method involves installing a known type of malware called Ploutus on an ATM. This requires the thief to physically break into the cabinet and use a CD-ROM or USB stick to infect that machine. In the past, the attack would then be carried out using an external keyboard to crack the ATM's security system. Now, however, you can simply connect a cell phone to the machine via USB and send a text to the phone. The phone turns the text into a network packet that commands the ATM to spit out cash.

NSA hacked into servers at Huawei headquarters, reports say

The U.S. National Security Agency has hacked into Huawei Technologies servers, spied on communications of company executives and collected information to plant so-called backdoors on equipment from the Chinese networking manufacturer, according to reports published over the weekend.
In response, the NSA said that it declines to comment on specific, alleged foreign intelligence activities. In a statement emailed to the IDG News Service, the agency elaborated, saying that "NSA's activities are focused and specifically deployed against -- and only against -- valid foreign intelligence targets in response to intelligence requirements."
On Monday, Huawei said in an email, "If the actions in the report are true, Huawei condemns such activities that invaded and infiltrated into our internal corporate network and monitored our communications."
The latest reports are part of a long-running cyberespionage saga. U.S. officials have contended for years that China's People's Liberation Army (PLA) works with manufacturers and hacking groups to spy on U.S. companies and government agencies.
Since last June, documents leaked by former U.S. intelligence contractor Edward Snowden and published by various news organizations have shown that the NSA has conducted its own surveillance campaigns, including programs to hack into equipment from Chinese networking manufacturers.
But according to new reports over the weekend from The New York Times and Der Spiegel and based on documents leaked by Snowden, the NSA succeeded in penetrating equipment at Huawei headquarters in a plan to monitor communications on the company's networking equipment worldwide.
The NSA "pried its way" into Huawei servers at the company's headquarters in Shenzhen, China, according to an online report in The New York Times Saturday.
The operation, code-named "Shotgiant," was to try to establish long-suspected links between Huawei and the PLA, and also to plant backdoors on Huawei equipment sold worldwide, according to the Times.
Among the information cited by the newspaper was a 2010 document detailing Shotgiant operations. However, covert operations against Huawei go as far back as 2007, The New York Times report said. The NSA also monitored communications of Huawei executives, the report said.
One goal of Shotgiant was to place backdoors on Huawei technology in order to monitor communications on network equipment acquired by the company's customers, which include U.S. allies and adversaries, according to the report.
The report in the Times does not specify how successful this was, since technical details of the operation were withheld from publication at the request of the U.S. government, according to the newspaper.
The NSA is taking pains to distinguish its surveillance activities from those of China. U.S. government and business officials claim Chinese spying activities are intended, among other things, to gain commercial advantage over the U.S.
"We do not use foreign intelligence capabilities to steal the trade secrets of foreign companies on behalf of -- or give intelligence we collect to -- U.S. companies to enhance their international competitiveness or increase their bottom line," the NSA said in an emailed statement Sunday.
"It is important to note the overlay of law, regulation, policy, procedure, technical safeguards, training, culture, and ethos in the use of such tools; all of these things govern how NSA deploys various foreign intelligence techniques to help defend the nation," the NSA said.
The latest reports of the NSA's spying on Huawei follow earlier news stories about efforts to place backdoors on equipment from the company.
In December last year, Der Spiegel published a report outlining how the NSA intercepts deliveries of new computer equipment en route to plant spyware. The operation was conducted by the NSA's Office of Tailored Access Operations (TAO), which specializes in infiltrating computers, according to the report.
The newest reports this weekend say that the TAO unit by 2010 gained access to Huawei headquarters and was able to collect communications from Ren Zhengfei, the company's founder.
The Times story, however, pointed out that none of the documents leaked by Snowden show that NSA operations proved a specific link between Huawei and the PLA.
U.S. government officials for years have suspected that Chinese networking companies have worked with the PLA. For example, a congressional committee concluded an inquiry in 2012 with members still in doubt about the security of networking equipment from Huawei and ZTE.
The U.S. government has also blocked efforts by Huawei to expand its business in the country. In September 2011, for example, the U.S. Department of Commerce said it had told Huawei that the company was barred from participating in a project to build a national wireless network.
Last October, Huawei issued a company report on cybersecurity in which it suggested ways companies could work together internationally to secure networks from hacking.
"We can confirm that we have never been asked to provide access to our technology, or provide any data or information on any citizen or organization to any Government, or their agencies," Huawei Deputy Chairman Ken Hu said in the report.
In an online article Saturday, The New York Times quoted William Plummer, a U.S.-based Huawei executive, as saying: "If such espionage has been truly conducted then it is known that the company is independent and has no unusual ties to any government, and that knowledge should be relayed publicly to put an end to an era of mis- and disinformation."
In addition to selling networking equipment, Huawei is also the third-largest vendor of smartphones in the world. However, as recently as Mobile World Congress last month, a Huawei official confirmed that the company has essentially given up on the network infrastructure business in the U.S., which makes efforts to sell mobile devices in the country more difficult.

An Open Letter to IBM's Open Letter

Last week, IBM published an "open letter" about "government access to data," where it tried to assure its customers that it's not handing everything over to the NSA. Unfortunately, the letter (quoted in part below) leaves open more questions than it answers.
At the outset, we think it is important for IBM to clearly state some simple facts:
  • IBM has not provided client data to the National Security Agency (NSA) or any other government agency under the program known as PRISM.
  • IBM has not provided client data to the NSA or any other government agency under any surveillance program involving the bulk collection of content or metadata.
  • IBM has not provided client data stored outside the United States to the U.S. government under a national security order, such as a FISA order or a National Security Letter.
  • IBM does not put "backdoors" in its products for the NSA or any other government agency, nor does IBM provide software source code or encryption keys to the NSA or any other government agency for the purpose of accessing client data.
  • IBM has and will continue to comply with the local laws, including data privacy laws, in all countries in which it operates.
To which I ask:
  • We know you haven't provided data to the NSA under PRISM. It didn't use that name with you. Even the NSA General Counsel said: "PRISM was an internal government term that as the result of leaks became the public term." What program did you provide data to the NSA under?
  • It seems rather obvious that you haven't provided the NSA with any data under a bulk collection surveillance program. You're not Google; you don't have bulk data to that extent. So why the caveat? And again, under what program did you provide data to the NSA?
  • Okay, so you say that you haven't provided any data stored outside the US to the NSA under a national security order. Since those national security orders prohibit you from disclosing their existence, would you say anything different if you did receive them? And even if we believe this statement, it implies two questions. Why did you specifically not talk about data stored inside the US? And why did you specifically not talk about providing data under another sort of order?
  • Of course you don't provide your source code to the NSA for the purpose of accessing client data. The NSA isn't going to tell you that's why it wants your source code. So, for what purposes did you provide your source code to the government? To get a contract? For audit purposes? For what?
  • Yes, we know you need to comply with all local laws, including US laws. That's why we don't trust you -- the current secret interpretations of US law require you to screw your customers. I'd really rather you simply said that, and worked to change those laws, than pretending that you can convince us otherwise.
EDITED TO ADD (3/25): One more thing. This article says that you are "spending more than a billion dollars to build data centers overseas to reassure foreign customers that their information is safe from prying eyes in the United States government." Do you not know that National Security Letters require you to turn over requested data, regardless of where in the world it is stored? Or do you just hope that your customers don't realize that?

Walkthrough of a Recent Zbot Infection and associated CnC Server

During routine ThreatLabZ log analysis, we encountered the following malicious Zbot executable connecting back to its CnC and exfiltrating data via POST requests.
  • MD5: 0b43d6a65f67ef48f4da3a1cc09335a1
  • Size: 442368 bytes
  • Detected as PWS:Win32/Zbot by Microsoft (VT 43/49)
[POST DATA]


iTpRAQWetIVVzRx502Gqds3DKmG80ru/P1ggedWTJAgrue/EVaoL95bMH6K0It8I9/wGHEIKbkXhcoxGOKgJOxGFYkvfoWsUM/NWAUQ+wdjlZOpD0Ke77Sob6rQT0WToRF9lWkhx514Es9wGHNKTn5xrTY7pJeqxGiTNMsB3fsCFfjZZKabmhwDzKTP/0W6FFEJb

What separated this discovery from your average CnC server? The attackers were kind enough to leave the CnC server largely exposed (directory browsing enabled, many files not password protected) to provide a rare behind the scenes look at a live botnet operation. Let's walk through what we observed.  

The above mentioned Zbot variant was responsible for dropping the following malicious files:
  • 6ca1690720b3726bc76ef0e7310c9ee7 - Win32/Stoberox.B (VT 26 / 50)
  • d2c6a0e888d66882d7dc29667c4c9ec0 - TrojanDownloader:Win32/Cutwail (VT 38/50)
We also noted that it started a server listening on ports 1548 and 3492 and sent data via POST requests to hxxp://vodrasit.su/admin/gate.php (see the malwr sandbox report).

Domains contacted:
  • shivammehta.com [IP: 181.224.129.14]
  • merdekapalace.com [IP: 202.71.103.21]
  • vodrasit.su [IP: 37.115.13.224]
The sample also contacted a larger set of IP addresses, each of which was checked against VirusTotal.

While looking at the POST data submitted to hxxp://vodrasit.su/admin/gate.php, we explored this site and found that it is currently hosting two malicious files and a password protected admin console.

Below are the files which are hosted on hxxp://vodrasit.su/, which can be observed thanks to the fact that the attackers left directory browsing enabled:

[   ]  admin.zip 03-Mar-2014 09:49 12M  
[DIR] admin/ 21-Aug-2013 23:44  
[   ]  all.exe 21-Mar-2014 17:36 457K
[   ]  rok.exe 21-Mar-2014 06:23 75K


 
all.exe also attempted to communicate with a set of DGA-generated domains.

Admin Console

Although we weren't able to access the live admin console as it was password protected, we were able to replicate the setup from the exposed source files (hxxp://vodrasit.su/admin.zip), and it would appear as shown below:



Another directory with browsing enabled exists at hxxp://vodrasit.su/admin/db/. Here the data from infected machines connecting back to the CnC server can be observed:


Before being transmitted from a victim machine, the data is encrypted with RC4, base64-encoded and then sent in a POST request to the CnC.

Here is the code the gate uses to recover the data: it first base64-decodes the POST body and then RC4-decrypts the result:
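To make the two-step decoding concrete, the following is an added example written for this page, not the gate.php source from the exposed admin.zip. The RC4 key, the beacon record format (key=value lines) and the sample record are all constructed assumptions; the real bot's key and field layout are not reproduced here.

```python
import base64
import binascii

# CONSTRUCTED key for the example only; the real CnC key is not shown on this page.
KEY = b"example-rc4-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: identical routine encrypts and decrypts (XOR keystream)."""
    # Key-scheduling algorithm (KSA): permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): XOR each byte with keystream.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encode_beacon(key: bytes, record: str) -> str:
    """Bot side as described in the text: RC4-encrypt, then base64-encode."""
    return base64.b64encode(rc4(key, record.encode("utf-8"))).decode("ascii")


def decode_beacon(key: bytes, post_body: str) -> str:
    """Gate side: base64-decode (strictly), then RC4-decrypt.

    Raises ValueError on bodies that are not valid base64 or that do not
    decrypt to UTF-8 text (which is what a wrong key usually produces).
    """
    try:
        raw = base64.b64decode(post_body.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"POST body is not valid base64: {exc}") from exc
    plain = rc4(key, raw)
    try:
        return plain.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise ValueError("decrypted bytes are not text; wrong key?") from exc


def parse_record(text: str) -> dict:
    """Split a decoded record into fields (constructed 'key=value' layout)."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


# Constructed sample record mirroring the fields the walkthrough lists.
SAMPLE_RECORD = "OS=WINDOWS 7\nBits=0\nCountry=SOUTH KOREA\n"
SAMPLE_POST = encode_beacon(KEY, SAMPLE_RECORD)


def demo() -> dict:
    """Round-trip the constructed beacon through the gate-side decoder."""
    return parse_record(decode_beacon(KEY, SAMPLE_POST))


if __name__ == "__main__":
    print("POST body:", SAMPLE_POST)
    print("decoded:", demo())
```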




After decoding and decrypting, a record is created in the aforementioned directory hxxp://vodrasit.su/admin/db/.

The following is a sample of the information stored from an infected victim:



What does this data represent?


This particular record includes the following:
  • OS: WINDOWS 7
  • Bits: 0 means OS is 32 BIT 
  • Country: SOUTH KOREA

Chinese cops cuff 1,500 in fake base station spam raid

China’s police have arrested over 1,500 people on suspicion of using fake base stations to send out mobile SMS spam.
The current crackdown began in February, according to Reuters. Citing a Ministry of Public Security missive, the newswire says a group operating in north-east Liaoning province, bordering North Korea, is suspected of pinging out more than 200 million spam texts.
China's fearsome law enforcers periodically embark on crackdowns of this kind which, given the sheer size and scale of the Middle Kingdom, often amount to little more than a symbolic gesture.
However, mobile spam is a massive problem in China.
Some 200 billion unwanted messages were sent in the country in the first half of 2013 alone, according to a Xinhua report from late last year.
Fake base stations are becoming a particularly popular modus operandi. Often concealed in a van or car, they are driven through city streets to spread their messages.
This Beijing News story from November 2013 tells a typical tale.
The professional spammer in question charged 1,000 yuan (£100) to spam thousands of users in a radius of a few hundred metres.
The pseudo-base station used could send out around 6,000 messages in just half an hour, the report said. Often such spammers are hired by local businessmen to promote their wares.
Trend Micro highlighted the problem in a recent exposé of the Mobile Cybercriminal Underground Market in China.
GSM modems, internet short message gateways and “SMS servers” were all listed as available on the dark web for local cyber criminals to buy.
The latter is effectively a “fake base station”, in that it apparently sends out a high power signal which forces all mobiles in the area to disconnect from their legitimate base station and connect to it.
SMS servers cost around 45,000 yuan (£4,400), according to the report.

About 55K in San Francisco impacted in theft of Sutherland computers

The San Francisco Department of Public Health (DPH) is warning more than 55,000 patients served in DPH facilities that their personal information may have been compromised in a Feb. 5 breach of Sutherland Healthcare Solutions (SHS), a billing and collections services provider.
How many victims? About 55,900. 
What type of personal information? Names, dates of birth, billing information, dates and locations of services, and, in some cases, Social Security numbers.
What happened? The SHS office in Southern California was broken into and computers containing the client information were stolen.
What was the response? The DPH is notifying all impacted patients and SHS is offering them a free year of credit monitoring and identity theft protection services.
Details: The SHS offices were broken into on Feb. 5. SHS notified the DPH on March 18 that the information was compromised. Most impacted patients received DPH services between August 2012 and November 2013.
Quote: “There is no confirmation that there has been any attempted access or attempted use of the information involved in this incident,” according to a notification posted to the DPH website. 
Source: sfdph.org, “Department of Public Health Patient Information Involved in Security Breach,” March 21, 2014.

Forget black hats – the best hackers are going grey and getting legit

A report from the Rand Corporation suggests the increasing market for software vulnerabilities that can be sold legitimately is tempting the most 1337 hackers and crackers to go legit, rather than suffer the vagaries of the black market in code and credentials.
"There's an economic seesaw in the market," Michael Callahan, VP of security products at Juniper Networks, told The Register. "At a point it becomes more attractive to sell on the legitimate market versus selling them to online arms dealers. It's driven by economics."
The black market can be as lucrative as the drugs trade, the Rand report notes, but the risks are also high, and not just from the police. While law enforcement is improving its abilities to catch cyber criminals, the report notes that the attackers have the upper hand, but double-crossing within the industry is rife.
The study states that around 30 per cent of sellers in black market bazaars for stolen credit cards and credentials are rippers – those who take the money and run. Of these, less than a fifth are caught and forced to complete the transaction.
Rand says that the increasing use of bug bounty programs offers an increasingly attractive form of revenue for security specialists, and one that provides a legitimate source of income. While rewards for such programs are still low, the report notes that some very high prices can be got for major undiscovered vulnerabilities from security organizations and from government buyers.
The report lists prices of up to $250,000 quoted for a solid iOS zero-day flaw (the top price for OS X is just $50,000) or $120,000 for a serious Windows flaw. The price depends a lot on how recent and effective the flaw is, but it's widely recognized in the community that the American government will outspend almost anyone else in the market.
Other revenue streams traditionally used by hackers and crackers on the dark side are also under pressure. Malware generation and exploit kits used to be a solid source of illicit revenue but the market is increasingly flooded and there are plenty of dodgy practices.
Last year 33 new exploit kits were detected online, the report states, and 42 more that are revamped versions of older code. But sellers are increasingly ripping off code of more successful kits and some, at the cheaper end of the market, are of little use against up-to-date security software.
Overall, the report finds that the prices for traditional purloined online goods like credit card numbers are falling rapidly, due to oversupply in the market. Those hackers working on the illegal side of the market are seeing revenues squeezed, and this too could provide more of an incentive for the best players to go legit.

Palo Alto Networks pays $200m for endpoint security firm Cyvera

Palo Alto Networks is to buy Israeli endpoint security specialist Cyvera for $200m in the latest deal within the security sector.
The deal has been agreed by both Palo Alto and Cyvera's executive teams and is expected to close in the second half of this year, pending regulatory approval. The deal will see Palo Alto integrate Cyvera's advanced endpoint defence technologies into its enterprise security platform.
Mark McLaughlin, CEO of Palo Alto Networks, said the combination of technologies will let the company offer customers holistic security against advanced threats.
"This event marks a key milestone in our strategic enterprise security vision. It extends our next-generation security platform with a very innovative approach to preventing attacks on the endpoint," he said.
"It enables us to accelerate the delivery of the market's only highly integrated and automated enterprise security platform spanning networks, endpoints and the cloud. For customers, this translates into the most sophisticated and automated threat prevention for their entire organisation."
Cyvera currently has 55 employees at its Tel Aviv headquarters. It is currently unclear how they will be integrated into Palo Alto's workforce following the acquisition, and at the time of publishing Palo Alto had not responded to V3's request for comment.
Despite the lack of detail Cyvera has welcomed the move. The firm said it will allow the companies to become industry leaders in the growing advanced threat mitigation market.
"Much like Palo Alto Networks set out to disrupt the network security market with its next-generation security platform, we founded Cyvera to revolutionise protection for the endpoint – one of the most vulnerable frontiers for cyber attacks. We are pleased to join the Palo Alto Networks team and together help enterprise customers tackle the advanced threats they face today."
The news comes during a wider shift by Palo Alto to bolster its next-generation threat-mitigation offering. Palo Alto Networks released a new next-generation firewall called the PA-7050 in February.
Palo Alto is one of many security firms to acquire an endpoint security specialist in recent months. Competitor FireEye acquired endpoint security firm Mandiant in a $1bn deal earlier in January.

Tumblr rolls out two-factor authentication security upgrade

Tumblr has rolled out a two-factor authentication security upgrade, in order to protect its customers from account-hijacking cyber attacks.
The company announced the move in a blog post, alerting users that it can be turned on from the settings page of their account. If turned on, users will need to authenticate their identity when logging in with a second set of credentials.
"You know how you need two keys to launch a nuclear missile? Two-factor authentication works like that. One key is your password, the other key is your cellular phone, and you need both to access your Tumblr Dashboard," explained the post.
The extra security feature is designed to stop hackers taking control of users' Tumblr accounts with a brute-force cyber attack, or stolen password. The feature can be disabled in the Settings menu of the Dashboard, but Tumblr urged its customers to leave the two-factor authentication service on.
"Your account is far less likely to get compromised if you've enabled two-factor authentication. But if you must, we'll ask you to enter your account password to make sure it's really you. You'll then be able to log in to your account without the extra verification step. If you would like to re-enable it at any point, you'll have to go through the aforementioned setup process again."
Tumblr is one of many companies to roll out the service. Twitter added the feature in May 2013 after suffering a number of data breaches. Dropbox rolled out the service in August 2012 following a massive data breach that saw criminals break into a number of its customers' accounts using passwords stolen in a separate phishing attack.
Account-hijacking cyber attacks targeting websites and services such as Tumblr have been a growing problem facing the security community. Security firm Sucuri detected a cyber attack that had hijacked more than 162,000 legitimate WordPress sites earlier in March.

Hackers targeting Microsoft Word and Outlook zero-day vulnerability

Hackers are targeting a newly discovered zero-day vulnerability in Microsoft's Word and Outlook services, according to security firm Qualys.
Qualys CTO Wolfgang Kandek revealed the attack in a blog post, warning businesses that a successful attack could grant hackers remote access to their systems.

"The vulnerability CVE-2014-1761 is in the file format parser for RTF (Rich Text Format) and could be used by an attacker to gain remote access to the targeted system. The attack vector is a document in RTF format that the victim would have to open with Word," read the post.
"If the target uses Outlook 2007, 2010 or 2013 for email, please be aware that Word is the default viewer for emails, and that even looking at the email in the preview pane could lead to an infection through this attack."

Kandek said the vulnerability is particularly troubling as it affects Apple Mac systems running Microsoft Office for the Mac 201 as well as Windows systems.
Microsoft has since released an emergency workaround for the vulnerability on its TechNet blog.
"Today, Microsoft released Security Advisory 2953095 to notify customers of a vulnerability in Microsoft Word. At this time, we are aware of limited, targeted attacks directed at Microsoft Word 2010," read the advisory.
"To facilitate deployment of the first workaround, we are providing a Fix it automated tool. The fix uses Office's file block feature and adds few registry keys to prevent opening of RTF files in all Word versions."
Kandek praised Microsoft for its rapid response, confirming that the temporary fix does effectively mitigate the exploit. "It seems that EMET ASLR enforcements efficiently counters the exploit. Good stuff," he said.
The Word and Outlook attack is one of many advanced threats uncovered targeting Microsoft services in recent months. Microsoft was forced to release an emergency fix for a vulnerability in Internet Explorer known to have been targeted by hackers earlier in March.

Microsoft warns Windows XP users the end is nigh as cyber apocalypse awaits

Microsoft will end support for XP on 8 April 2014
Microsoft has warned die-hard Windows XP users to prepare to deal with an influx of cyber attacks targeting their systems following the official support cut-off. The warning comes just two weeks before support for XP ends on 8 April.
Microsoft Trustworthy Computing Group (TwC) director Tim Rains issued the warning in a blog post, advising businesses still using XP that they will be putting themselves and their customers at increased risk.
"Today, attackers typically steal personal and business information from the systems they go after and try to keep a lower profile, as the goal is financial profit more regularly than mischievous disruption or ego," read the post.
"The types of attacks that we expect to target Windows XP systems after 8 April 2014 will likely reflect the motivations of modern-day attackers. Cyber criminals will work to take advantage of businesses and people running software that no longer has updates available to repair issues."
Rains highlighted the danger posed by self-replicating malware, such as the Conficker worm, as a particularly dangerous threat, warning that once the cut-off occurs it will be close to impossible to stop the malware spreading.
"Malware purveyors will likely integrate new vulnerabilities targeting Windows XP, into malware that tries to multiply. The success of the virus named Conficker, to infect systems in enterprise environments, illustrates that security firewalls and strong password policies are still not comprehensively used," read the post.
"Organisations that continue to run Windows XP after support ends, should be on guard for this type of threat in their environment."
Conficker is an infamous worm that was first discovered targeting Windows users in November 2008. The malware was designed to create a criminal botnet and at its peak is believed to have infected as many as 15 million machines.
Rains highlighted ransomware as another key threat facing Windows XP users. "We have seen a large uptick in ransomware in recent years. Attackers use this type of malware to extort users into paying them to unencrypt files that the malware has encrypted on their system, or to unlock the system's desktop," read the post.
"After April 2014, attackers will likely attempt to use unpatched vulnerabilities on Windows XP-based systems to distribute ransomware. This type of attack can have a crippling impact on small businesses and consumers that lose access to important data or systems."
Rains is one of many security experts to warn SMEs about the danger a successful cyber attack can pose. Security firm AVG told V3 in September 2013 that SMEs' lax attitudes to security is leaving them one cyber attack away from bankruptcy.
Worse still, Rains said following the cut-off, businesses will be more susceptible to basic cyber attacks, such as phishing and drive-by downloads. He said businesses may mitigate the threat by disconnecting XP systems from the internet, but argued that the safest policy will be to upgrade to a newer version of Windows.
"The guidance above provides suggestions towards managing some of the risks of running Windows XP post 8 April. However, the primary thrust of our advice is clear: the best option is to migrate to a modern operating system like Windows 7 or Windows 8 that have a decade of evolved security mitigations built in and will be supported after 8 April 2014," read the post.
Rains is one of many security professionals to warn businesses to avoid using Windows XP after the cut-off. Experts from numerous companies told V3 earlier in March that criminals are hoarding exploits in preparation for an XP hacking rampage. Security firm Malwarebytes pledged to support Windows XP for as long as possible in a bid to shield its users from the hacking rampage.

Malwarebytes pledges to protect Windows XP users after support cut-off

Security firm Malwarebytes has pledged to support Windows XP for as long as possible in a bid to shield its users from the hacking rampage expected to occur after support from Microsoft ends on 8 April.
Malwarebytes made the promise while unveiling its new Premium anti-malware tool. The news comes after reports that criminals are hoarding exploits in preparation for an XP hacking rampage when support ends.
A Malwarebytes spokesman told V3 that companies still need XP security because much of its customer base, which numbers in the hundreds of millions, is still using the decade-old operating system (OS).
“Malwarebytes is offering XP support because a lot of our current users are still using the OS, and they evidently still need protection. These make up 20 percent of the existing user base,” he said.
He added that Malwarebytes will continue to provide XP support for as long as it can. “We’re going to support XP as long as we’re technically able. The only time we’ll stop is if Microsoft does something like forcibly upgrade its XP customers,” he said.
The Premium tool uses a custom heuristics engine designed to track malware's behaviour, together with advanced anti-rootkit technology, to protect users from advanced threats.
Malwarebytes founder and CEO Marcin Kleczynski claims the combination of technologies will protect users from advanced threats other security services can't detect.
"Six years after the launch of the first version, and following 18 months of development and countless research hours, we are thrilled to announce Premium," he said.
"It has been a real labour of love. We are proud of what we have created and believe it builds upon the success of our existing products to give people a strong proactive countermeasure against today's advanced online threats."
The Premium service is available on the Malwarebytes store now and costs $25 per year. Each licence provides coverage for up to three PCs.
Malwarebytes is one of many security firms to warn of the dangers posed by the XP support cut-off. Paul Ducklin, senior security analyst at Sophos, told V3 in February that Microsoft's XP support cut-off could lead to a boom in global spam levels.

US hacked servers at Chinese firm Huawei and scoured email database

The National Security Agency (NSA) hacked into the servers of Chinese telecoms giant Huawei and accessed the source code at the heart of its products, according to reports.
The New York Times and Der Spiegel said documents from ex-CIA worker Edward Snowden showed that the spy agency went to great lengths to infiltrate the servers of Huawei, and had great success.
Der Spiegel said the US gained access to the source code at the heart of key Huawei products as well as information on 1,400 customers and internal documents on training given to its product engineers.
Such widespread knowledge and access to its source code allowed the US to read emails sent by all staff at the firm, which are routed through the firm's key servers in Shenzhen, including those of CEO Ren Zhengfei.
"We currently have good access and so much data that we don't know what to do with it," states one internal NSA document, according to Der Spiegel.
The document reportedly states that the reason for the large-scale effort against Huawei was the “unique” threat it could pose to the US, given that its dominance in the telecoms market gives it such large-scale insight into global web traffic.
"Huawei's widespread infrastructure will provide the PRC [People's Republic of China] with SIGINT [signals intelligence] capabilities."
Huawei hit back at the revelations in a statement criticising the US: "If the actions in the report are true Huawei condemns such activities that invaded and infiltrated into our internal corporate network and monitored our communication."
It also moved to reassure customers that its equipment and networks were free from interference, secure and not under threat.
"The security and integrity of our corporate network and our products are our highest priorities. That is the reason why we have an end-to-end security assurance system and why we are continuously working to enhance that system," it said.
"Like other enterprises, we continuously block, clean and reinforce our infrastructure from cyber threats."
The revelations come amid ongoing tensions between the US and China in the cyber arena, with China accused of targeting US firms on several occasions. Mandiant uncovered 141 attacks against US companies in February 2013.
Publicly, though, both nations have always downplayed any animosity and claimed they share common goals online. Whether this public show of unity lasts after the latest revelations remains to be seen.