Thursday 30 October 2014

BlackEnergy malware has compromised industrial control systems for two years

US CERT logo
THE US DEPARTMENT OF HOMELAND SECURITY Computer Emergency Response Team (US-CERT) has warned that industrial control systems (ICS) in the US have been compromised by the BlackEnergy malware for at least two years.
The BlackEnergy family of malware is believed to be the same used in the cyber attack against Georgia in 2008.
It uses a malicious decoy document to hide its activities, making it easier for the hackers to mount follow-up attacks.
US-CERT said the malware campaign is sophisticated and "ongoing", and attackers taking advantage of it have compromised unnamed ICS operators, planting it on internet-facing human machine interfaces (HMI) including those from GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC.
It is currently unknown whether other vendors' products have also been targeted, according to US-CERT.
"At this time, Industrial Control Systems-CERT has not identified any attempts to damage, modify or otherwise disrupt the victim systems' control processes," said the team in an alert.
"ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system.
"However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment."
US-CERT describes the malware as "highly modular", and said that not all functionality is deployed to all victims.
An analysis run by the team identified the probable initial infection vector for systems running GE's Cimplicity HMI with a direct connection to the internet.
"Analysis of victim system artefacts has determined that the actors have been exploiting a vulnerability (CVE-2014-0751) in GE's Cimplicity HMI product since at least January 2012," the alert read.
On Monday, US-CERT also warned of attacks spreading the Dyre banking malware, which steals victims' credentials.
The department said that, since mid-October, a phishing campaign had targeted "a wide variety of recipients", but elements, such as the exploits, email themes, and claimed senders of the campaign, "vary from target to target".
"A system infected with Dyre banking malware will attempt to harvest credentials for online services, including banking services," the alert warned.

T-Mobile toughens network encryption against government snooping

cell-hero
(Image: CNET/CBS Interactive)
T-Mobile's networks may have changed for the better — stronger signal, faster speeds, better coverage — but what you probably didn't know is that they're now even more secure.
In upgrading its U.S. networks, the fourth largest cellular giant in the country also bolstered encryption in a number of cities, switching to A5/3 encryption from the A5/1 standard on the older 2G networks, which in some cases still carry calls or text messages when faster data isn't available. Newer technologies, like 3G and 4G (LTE), already offer significantly stronger encryption.

The Washington Post, which first tested the networks in a number of cities, said New York, Washington, and Boulder, Colorado are now using the newer standard, covering tens of millions of customers.
Upgrading the network to the newer A5/3 encryption makes it significantly harder to eavesdrop on calls and text messages. Even for the National Security Agency, which reportedly is able to decode the older, legacy A5/1 encryption, may face headaches with the new standard.
T-Mobile did not comment on the encryption.
In densely populated areas, such as the cities with enhanced encryption, monitoring cellular calls becomes more difficult — simply because of the volume of people. The call and text data is still routed through ground networks, but filtering it becomes difficult. The Post explained that an "IMSI catcher," which can identify an individual cell subscriber, can make it easier to snoop on calls and texts without having to crack the phone or network's encryption.
AT&T said it is already ramping up its encryption efforts by offering A5/3 encryption, but tests by the Post found  in U.S. locations where T-Mobile upgraded, AT&T had not.
In any case, AT&T is shutting down its A5/1-encrypted 2G network by 2017, and replacing it with newer technology.

White House computer network 'hacked'

The White House  
According to reports, an unclassified network was breached
A White House computer network has been breached by hackers, it has been reported.
The unclassified Executive Office of the President network was attacked, according to the Washington Post.
US authorities are reported to be investigating the breach, which was reported to officials by an ally of the US, sources said.
White House officials believe the attack was state-sponsored but are not saying what - if any - data was taken.
In a statement to the AFP news agency, the White House said "some elements of the unclassified network" had been affected.
A White House official, speaking on condition of anonymity, told the Washington Post: "In the course of assessing recent threats, we identified activity of concern on the unclassified EOP network.
"Any such activity is something we take very seriously. In this case, we took immediate measures to evaluate and mitigate the activity.
'State-sponsored' "Certainly, a variety of actors find our networks to be attractive targets and seek access to sensitive information. We are still assessing the activity of concern."
The source said the attack was consistent with a state-sponsored effort and Russia is thought by the US government to be one of the most likely threats.
"On a regular basis, there are bad actors out there who are attempting to achieve intrusions into our system," a second White House official told the Washington Post.
"This is a constant battle for the government and our sensitive government computer systems, so it's always a concern for us that individuals are trying to compromise systems and get access to our networks."
The Post quoted its sources as saying that the attack was discovered two-to-three weeks ago. Some White House staff were reportedly told to change their passwords and there was some disruption to network services.
In a statement given to Agence France-Presse, a White House official said the Executive Office of the President received daily alerts concerning numerous possible cyber threats.
In the course of addressing the breach, some White House users were temporarily disconnected from the network.
"Our computers and systems have not been damaged, though some elements of the unclassified network have been affected. The temporary outages and loss of connectivity for our users is solely the result of measures we have taken to defend our networks," the official said.
The US's National Security Agency, Federal Bureau of Investigation and Security Service were reportedly investigating.
Requests for comment were referred to the Department for Homeland Security, a spokesman for which was not immediately available. A White House spokesman has not responded to the BBC's request for comment.

Carders offer malware with the human touch to defeat fraud detection

A new cybercrime tool promises to use credit card numbers in a more human way that is less likely to attract the attention of fraud-detection systems, and therefore be more lucrative for those who seek to profit from events like the Target breach.
The "Voxis Platform" is billed as "advanced cash out software" that promises to help carders earn "astronomical amounts" of cash by faking human interaction with different payment gateways, authors bragged in an ad posted around underground forums and to Bitcoin payments site Satoshibox.
The operator of the Voxis Team crime group, an entity known as Bl4ckS14y3r, has claimed the platform can funnel cash through 32 payment gateways without human interaction and automatically create fake customer profiles to make the transfers less suspicious.
IntelCrawler cybercrime investigator Andrew Komarov reported the software being flogged by Voxis Team member using the handle Conaco in October for US$180.
"The sophisticated Voxis Platform provides the underground economy options for washing stolen credit cards," Komarov said.
"Taking advantage of fraudulently obtained merchant accounts, bad actors can use speed to automate and load cards to be charged for pre-determined amounts at pre-determined times, all with the goal of sliding under fraud detection systems.
"The emulation of human behaviour and buying patterns increases their probabilities of having charges authorised."
Voxis Platform The Voxis Platform: a pretty UI, but is it more than carder phooey?
If the wares work as advertised it could help carders to do without money mules and stolen identities.
Supported payment gateways included Coinbase, Paypal, and WorldPay.
"Past breaches of retailers like Target and Home Depot have created a demand in the underground to quickly try and monetise the stolen cards," Komarov said. "Groups of cyber criminals actually pool their programming resources to build tools like the Voxis Platform."
He said IntelCrawler recommended processors bolster their know-your-customer capabilities in respect to new merchant accounts and tighten transaction scrubbing thresholds.
Voxis Team developers promised in the advertisement "so advanced" it was dubbed 'fantastico Platform' that would support Amazon EC2 and tunnelling via proxy.