Monday 19 December 2016

Russian hacker Rasputin allegedly stole logins from the US election agency EAC

According to the security firm Recorded Future, a Russian-speaking hacker has been offering for sale stolen login credentials for the U.S. Election Assistance Commission (EAC), the federal agency that tests and certifies voting equipment.

The EAC was established in 2002 and is tasked with certifying voting systems and developing best practices for administering elections.

More than 100 allegedly compromised U.S. Election Assistance Commission login credentials were offered for sale by a hacker who uses the online moniker Rasputin.

“On December 1, 2016, Recorded Future threat intelligence technology identified chatter related to a suspected breach of the U.S. Election Assistance Commission (EAC),” Recorded Future said in a blog post published on Thursday.

“Further research identified a Russian hacker (Recorded Future refers to this actor as Rasputin) soliciting a buyer for EAC database access credentials.”

Researchers found that some of the credentials carried the highest administrative privileges, which would let an attacker steal sensitive information from the U.S. Election Assistance Commission or plant an exploit kit on its site to compromise visitors in a watering hole attack.

Recorded Future shared multiple screenshots that demonstrate the hacker had access to the system at the U.S. Election Assistance Commission.

Election and software systems test reports (image provided by Rasputin).

Rasputin claimed to have broken into the system through an unpatched SQL injection (SQLi) vulnerability.

The U.S. Election Assistance Commission (EAC) investigated the incident with authorities and has terminated access to the vulnerable application.

“The U.S. Election Assistance Commission (EAC) has become aware of a potential intrusion into an EAC web-facing application. The EAC is currently working with Federal law enforcement agencies to investigate the potential breach and its effects.” reads a statement issued by the Agency.

The Election Assistance Commission clarified that it does not administer elections.

“The EAC does not maintain voter databases. The EAC does not tabulate or store vote totals,” added the commission.

The discovery of this breach adds to the debate over possible interference with the 2016 Presidential election. The US Government has blamed Russia for attempting to influence the election through several high-profile cyber attacks.

SQL Injection Attack is Tied to Election Commission Breach

Just as cybersecurity concerns over the U.S. presidential election reach fever pitch, the U.S. agency responsible for certifying that voting machines work properly says it may have been hacked. That follows a report by independent researchers that they uncovered evidence hackers had infiltrated the agency in question, the U.S. Election Assistance Commission. On Thursday security firm Recorded Future reported that a hacker offered to sell knowledge of an unpatched SQL injection vulnerability on the Dark Web. The vulnerability would have given an attacker access to the Election Assistance Commission (EAC) website and backend systems. In addition to knowledge of the vulnerability, the seller also included 100 potentially compromised access credentials for the system, including some with administrative privileges.

“This vulnerability would have given an adversary access to the EAC database, allowed them to plant malware on the site or effectively stage a watering hole attack,” said Levi Gundert, VP of intelligence and strategy at Recorded Future. EAC is an independent bipartisan commission that develops voting guidelines and provides information on administering elections. The commission is also responsible for testing and certifying voting equipment and systems to ensure they meet security standards, according to the agency’s website. Gundert said access to EAC’s systems by an attacker would be invaluable for future attacks, helping them glean sensitive information about existing electronic voting systems as well as those coming online.

The Election Assistance Commission acknowledged the vulnerability and released the following statement: “EAC has become aware of a potential intrusion into an EAC web-facing application. The EAC is currently working with Federal law enforcement agencies to investigate the potential breach and its effects… Upon detecting the intrusion, the EAC terminated access to the application and began working with federal law enforcement agencies to determine the source of this criminal activity. The FBI is currently conducting an ongoing criminal investigation.” Little is known about the hacker selling the SQL injection flaw. According to a report by Recorded Future, the seller’s native language is Russian and he goes by the online handle “Rasputin.” Researchers said they spotted Rasputin advertising the flaw on the Dark Web for between $2,000 and $5,000 on Dec. 1 and alerted authorities the next day. “Based on Rasputin’s historical criminal forum activity, Recorded Future believes it’s unlikely that Rasputin is sponsored by a foreign government,” Recorded Future said. SQL injection is among the most common techniques used by attackers to extract data from corporate databases: untrusted input is concatenated into a query string and ends up being parsed as SQL rather than treated as a value. Recorded Future declined to share technical specifics of the SQL injection vulnerability or EAC’s compromised platform.

This past U.S. presidential election has seen an unprecedented amount of concern over hackers attempting to sway election results. In August, the Federal Bureau of Investigation’s Cyber Division warned election officials nationwide to fortify voter registration data systems in the wake of two breaches it was able to detect earlier this summer. Earlier this week, President Barack Obama said the U.S. intelligence community has concluded Russian cyberattacks were part of an effort to influence the 2016 presidential election. Gundert doesn’t believe the sale of the unpatched SQL injection vulnerability is tied to past election attacks. However, he said, stolen credentials and earlier attacks that may have taken advantage of the SQL injection vulnerability could fuel more serious cyberattacks in the future. “It’s unclear how long the EAC vulnerability has been active; however, it could have been potentially discovered and accessed by several parties independently,” Recorded Future said.
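The vulnerability class the article describes, as an added example that is not code from the page, Recorded Future or the EAC: a login lookup that concatenates user input into the query text, beside the parameterised form that closes the hole. The table, rows and payloads are constructed for the demo and say nothing about the EAC application itself; SQLite is used only because it ships with Python.

```python
"""Added example (not from the article, Recorded Future or the EAC): the SQL
injection pattern in a login lookup, next to the parameterised fix."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample database; stands in for the 'database access
    credentials' the article mentions. Nothing here is real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "reviewer")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """String-formatted query: the caller's input becomes part of the SQL text,
    so quotes, OR clauses, UNIONs and comments in the input are parsed as SQL."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the driver binds the value after parsing, so the
    same payload is compared literally against the column and matches nothing."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo() -> tuple:
    """Runs both lookups against two classic payloads.

    Returns (rows dumped by the tautology, rows from the safe lookup, rows
    leaked by the UNION payload)."""
    conn = build_db()
    tautology = "x' OR '1'='1"  # WHERE username = 'x' OR '1'='1'  -> every row
    dumped = lookup_vulnerable(conn, tautology)
    safe = lookup_safe(conn, tautology)  # compared as a literal -> no rows
    # UNION pulls a column the query never meant to expose; '--' comments
    # out the trailing quote the template appends.
    union = "x' UNION SELECT username, password_hash FROM users --"
    leaked = lookup_vulnerable(conn, union)
    return dumped, safe, leaked


if __name__ == "__main__":
    for label, rows in zip(("tautology", "safe", "union"), demo()):
        print(label, rows)
```

The point of the parameterised form is not escaping; the value never reaches the SQL parser at all, which is why it holds regardless of which quoting tricks the payload uses.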

See more at: SQL Injection Attack is Tied to Election Commission Breach https://wp.me/p3AjUX-vSX

Hack attack fear scares Canadian exam board away from online tests

Every year Ontario's Education Quality and Accountability Office (EQAO) tests secondary school students on their literacy skills. This year it rolled out online tests, and the results weren't good.
In October the online pilot test of the Ontario Secondary School Literacy Test (OSSLT) was deployed and quickly fell over with its legs in the air mimicking a dead parrot. The failure was the result of what it called an "intentional, malicious and sustained distributed denial-of-service attack," against the testing system.
The attack was successful despite earlier testing of the online system against the possibility of just such an online assault. Forensic examiners are still investigating where the attack came from – El Reg suggests they look for a computer-savvy kid who doesn't study English much.
The original plan was for the OSSLT to be run for real in March, with students and teachers being able to choose whether to do the tests online or in the old-fashioned way. But because the source of the attack is still unknown, the EQAO is dropping all online testing for the time being.
"While we are pressing 'pause' on EQAO's move toward online assessments, we are by no means hitting 'stop,'" said Richard Jones, interim CEO of EQAO.
"In the days following the cyberattack in October, we heard from hundreds of members of Ontario's education community about the online OSSLT and we will take the time required to continue those discussions, so that we can integrate feedback into our system design. The intent is to come back with a system that better addresses needs in terms of usability, accessibility and security."

NAB sent details of 60,000 customers to wrong email address

The National Australia Bank (NAB) has taken "full responsibility" and apologised for the sending of personal data of 60,000 customers to an "incorrect email address".
The email contained each customer's name, address, email address, branch and account number, as well as an NAB identification number for some customers. Those impacted were customers who had their accounts created by the bank's migrant banking team while they were overseas.
"This error does not impact customers who set up an account in Australia," the bank said in a statement on Friday afternoon. "We take the privacy and the protection of our customers' personal information extremely seriously.
"The error was caused by human error and identified following our own internal checks and as soon as we realised what had happened we took action."
NAB said it had not seen any unusual activity on the affected accounts, and 40 percent of those customers had either closed their accounts or not used them in 2016. The bank said 19,000 accounts contained less than AU$2.
"We are sorry for this error and we will continue to work hard to improve and strengthen our processes," the bank said.
NAB said it had notified the Office of the Australian Information Commissioner and the Australian Securities and Investments Commission.
In October, NAB posted a AU$352 million statutory net profit for the 2016 financial year and praised its reduction in "technology incidents".

LinkedIn's training arm resets 55,000 members' passwords, warns 9.5m

Lynda.com, the training arm of LinkedIn, on Saturday issued email notices to about 55,000 members whose data it says has been perused by an “unauthorized third party.”
The letter sent to members, two of whom thoughtfully forwarded it to El Reg, reads as follows:
We recently became aware that an unauthorized third party breached a database that included some of your Lynda.com learning data, such as contact information and courses viewed. We are informing you of this issue out of an abundance of caution. Please know that we have no evidence that this data included your password. And while we have no evidence that your specific account was accessed or that any data has been made publicly available, we wanted to notify you as a precautionary measure.
The Register asked LinkedIn when the breach was detected, when it occurred and how many people were affected.
The company offered a statement penned by an un-named spokesperson, re-stating news of the breach and offering the following.
As a precautionary measure, we reset passwords for the less than 55,000 Lynda.com users affected and are notifying them of the issue. We’re also working to notify approximately 9.5 million Lynda.com users who had learner data, but no protected password information, in the database. We have no evidence that any of this data has been made publicly available and we have taken additional steps to secure Lynda.com accounts.
LinkedIn has form when it comes to breaches: earlier this year the company downplayed the sale of 117m user records. That is a trivial number compared to the billion user records Yahoo! last week admitted it had lost, probably as a result of management fearing a costly and complex encryption re-tooling effort.

PayAsUGym breach exposes passwords

Fitness website PayAsUGym has been breached in a hack that may have exposed up to 400K emails and passwords.
In a breach notice to users, the firm admitted one of its servers was hacked after “underground researchers” posted screenshots purporting to show PayAsUGym’s hacked database via Twitter. The 1x0123 hacker crew later claimed that they planned to sell off the compromised database through underground markets.
PayAsUGym apparently hashed passwords with the obsolete MD5 hash function, which makes recovering the plaintext passwords straightforward through brute-force and dictionary attacks.
Troy Hunt, the security researcher behind the haveibeenpwned breach notification website, warned over the weekend that PayAsUGym data appears to be circulating, with “more than 400k unique emails in there for UK customers”.
Hunt reposted a notice that admitted email addresses and passwords might have been breached. PayAsUGym, which says that it doesn’t store credit card numbers, has reset user passwords.
Password reuse is always a bad idea. Users who reused their PayAsUGym password at other sites are particularly exposed to so-called credential-stuffing attacks, where attackers try the passwords exposed at one site against accounts at other sites.
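Why an MD5 password table falls so quickly, as an added example that is not code from PayAsUGym, Troy Hunt or the article: a dictionary attack over a constructed unsalted leak, beside a salted, iterated hash from the Python standard library. The email addresses, hashes and wordlist are made up for the demo, and whether PayAsUGym salted its hashes is not stated on the page; the unsalted case is assumed because it is the one that makes a shared lookup table work.

```python
"""Added example (not PayAsUGym's code): dictionary attack on unsalted MD5
versus a salted PBKDF2 store. All data below is constructed."""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed stand-in for a leaked (email, MD5(password)) table.
LEAK: Dict[str, str] = {
    "a@example.com": hashlib.md5(b"password1").hexdigest(),
    "b@example.com": hashlib.md5(b"letmein").hexdigest(),
    "c@example.com": hashlib.md5(b"Tr0ub4dor&3!x").hexdigest(),  # not in the wordlist
}
# Constructed wordlist; a real one would be the usual multi-million-entry dumps.
WORDLIST: List[str] = ["123456", "password", "password1", "letmein", "qwerty", "gym2016"]


def crack_md5(leak: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack. Without a salt, hashing each candidate once tests it
    against every account in the dump at the same time: cost is O(words),
    not O(words * users)."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {email: table[h] for email, h in leak.items() if h in table}


def store_password(password: str, iterations: int = 200_000) -> Tuple[bytes, int, bytes]:
    """Salted PBKDF2-HMAC-SHA256 (stdlib). The per-user random salt kills the
    shared table above; the iteration count makes each guess cost ~10^5 hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest


def verify_password(password: str, record: Tuple[bytes, int, bytes]) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print("cracked:", crack_md5(LEAK, WORDLIST))
    rec = store_password("letmein")
    print("verify good:", verify_password("letmein", rec))
    print("verify bad:", verify_password("letmeout", rec))
```

Every pair that `crack_md5` returns is exactly what feeds a credential-stuffing run against other sites, which is why the cost of the hash matters more than whether the dump "only" came from a gym booking site.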
Luke Brown, VP and GM EMEA at Digital Guardian, said: “It’s easy to think that breaches from consumer sites like PayAsUGym do not affect businesses, but it’s certainly possible that some customers have used their business email address to sign up to these services. Using the compromised login details, hackers can attempt to hijack the email accounts, steal more data, and target the victims’ friends, family and place of work in advanced social engineering attacks.
“This highlights why it’s so important for businesses to make sure that employees can’t use the same password for their personal and professional accounts. Implementing a good password policy will ensure that these increasingly common login ‘dumps’ can’t be used to access or steal sensitive corporate information,” he added.
PayAsUGym offers flexible access to day passes, fitness classes and no-contract membership at over 2,200 UK gyms. The firm has yet to respond to a request from El Reg to confirm the number of breached records.

Thursday 15 December 2016

Yahoo hacked again, more than one billion accounts stolen

Yahoo has disclosed that more than one billion accounts may have been stolen from the company's systems in another cyberattack.
The company said in a statement Wednesday after the markets closed that unnamed attackers stole the accounts in August 2013, a year prior to a previously disclosed attack, in which attackers stole around 500 million accounts in September 2014.
The company wasn't able to identify the intrusion associated with the August 2013 breach.
The statement said the hackers may have stolen names, email addresses, telephone numbers, hashed passwords (using the weak, easy-to-crack MD5 algorithm), dates of birth, and in some cases, encrypted or unencrypted security questions and answers.
Yahoo said it has invalidated unencrypted security questions and answers so that they cannot be used to access affected accounts.
Payment card data and bank account information, stored in separate systems, are not thought to have been stolen in the attack.

SOURCE CODE STOLEN

The company admitted that hackers may have developed a way of accessing accounts without a password by stealing Yahoo's secret source code.
"Based on the ongoing investigation, the company believes an unauthorized third party accessed the company's proprietary code to learn how to forge cookies," which can be used to store authentication credentials locally.
"The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used," the statement said.
Yahoo has also invalidated the cookies.
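What "learning how to forge cookies from the source code" can mean in practice, as an added example that is not Yahoo's code and assumes nothing about Yahoo's real cookie format: a stateless signed session cookie whose HMAC secret sits in the code base. Anyone holding that secret can mint a valid cookie for any account without ever touching a password, and rotating the key is what invalidates every cookie issued under the old one. The cookie layout, the secret, the names and the timestamps are all constructed.

```python
"""Added example (not Yahoo's code): a signed session cookie, why a leaked
signing secret lets an attacker forge one, and why key rotation revokes it."""
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed secret. The assumption illustrated here is a secret embedded in
# the code base, which is exactly what a source-code theft hands an attacker.
SECRET_V1 = b"hard-coded-in-the-repo"


def mint_cookie(user: str, expires: int, secret: bytes) -> str:
    """cookie = user|expires|HMAC-SHA256(secret, user|expires)"""
    payload = f"{user}|{expires}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie(cookie: str, secret: bytes, now: int) -> Optional[str]:
    """Return the user the cookie authenticates, or None if the tag does not
    verify under `secret` or the cookie has expired."""
    try:
        user, expires, tag = cookie.split("|")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{user}|{expires}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    if int(expires) < now:
        return None
    return user


def attacker_forges(victim: str, leaked_secret: bytes, now: int) -> str:
    """With the secret recovered from the stolen code, the attacker simply
    mints a long-lived cookie for the victim. No password is involved."""
    return mint_cookie(victim, now + 10 * 365 * 86400, leaked_secret)


def rotate_key() -> bytes:
    """The remediation: a fresh secret (kept out of the repo this time). Every
    cookie signed under SECRET_V1 now fails verification."""
    return os.urandom(32)


def demo(now: int) -> Tuple[Optional[str], Optional[str]]:
    """(who the forged cookie logs in as before rotation, and after)."""
    forged = attacker_forges("victim@example.com", SECRET_V1, now)
    before = verify_cookie(forged, SECRET_V1, now)
    after = verify_cookie(forged, rotate_key(), now)
    return before, after


if __name__ == "__main__":
    print(demo(1_700_000_000))
```

Rotation is the right fix when the secret is known to be gone, but it also logs every legitimate user out at once, which is the cost Yahoo's "invalidated the cookies" statement implies.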

REPORTING DELAY 'UNACCEPTABLE'

It's the latest security blow against the former internet giant, which earlier this year -- just as it was being bought by Verizon for $4.8 billion -- said it had been attacked by "state-sponsored" hackers.
Yahoo still hasn't said who was behind the attack, nor which state may have sponsored the hackers.
Verizon reiterated its statement on Wednesday, saying it "will evaluate" the purchase as Yahoo continues its investigation.
The news likely won't help confidence in the company that was heavily criticized by six leading senators for taking two years to disclose the September 2014 breach.
When reached, a Yahoo spokesperson said in an email that the company is "working closely with law enforcement."
Yahoo was down more than 2.5 percent in after-hours trading on the Nasdaq in New York.

BlackEnergy power plant hackers target Ukrainian banks

The same hackers who turned out the lights at Ukrainian utilities last December have been running attacks against the same country’s banks over recent months.
Security firm ESET reports that the gang slinging the TeleBots malware against Ukrainian banks shares a number of similarities with the BlackEnergy group, which conducted attacks against the energy industry in Ukraine in December, 2015 and January, 2016. ESET thinks that the BlackEnergy crew has evolved into what it calls the TeleBots group.
As with campaigns attributed to BlackEnergy group, the attackers used spear-phishing emails with Microsoft Excel documents containing malicious macros as their main means of spreading infection.
Once a victim clicks on the Enable Content button, Excel executes the malicious macro. That gets the attackers a compromised PC, which is used to further infiltrate a compromised network, sniff passwords, and other hacker tricks.
Eventually the hackers drop the KillDisk malware onto compromised PCs. This malware deletes system files, making machines unbootable, before displaying a Mr Robot-themed logo on the computers' screens as a sign-off.
Analysis by ESET shows that the code of the macro used in TeleBots documents matches the macro code that was used by the BlackEnergy group in 2015.
Russia was the prime suspect for the BlackEnergy attacks. The latest attacks follow recent accusations by Russian security services that foreign agencies were trying to sabotage Russia's financial system.

Sunday 4 December 2016

Mirai botnet attacks targeting multiple ISPs

The Mirai botnet has struck again, with hundreds of thousands of TalkTalk and Post Office broadband customers affected. The two ISPs join a growing casualty list from a wave of assaults that have also affected customers at Deutsche Telekom, KCOM and Irish telco Eir over the last two weeks or so.
Problems at the Post Office began on Sunday, while TalkTalk was hit yesterday; collectively this has affected hundreds of thousands of surfers. Similar attacks against thousands of KCOM broadband users around Hull that started about the same time targeted users of telco-supplied routers. Thousands of punters at the smaller ISP were left without a reliable internet connection as a result of the assault, which targeted routers from Taiwanese manufacturer ZyXEL.
KCOM told El Reg that Mirai was behind the assault on its broadband customers, adding that: "ZyXEL has developed a software update for the affected routers that will address the vulnerability." The timing and nature of this patch remains unclear.
ZyXEL told El Reg that the problem stemmed from malicious exploitation of the maintenance interface (port 7547) on its kit, which it was in the process of locking down.
With malicious practice in place, unauthorised users could access or alter the device's LAN configuration from the WAN side using the TR-064 protocol.
ZyXEL is aware of the issue and assures customers that we are handling the issue with top priority. We have conducted a thorough investigation and found that the root cause of this issue lies with one of our chipset providers, Econet, with chipsets RT63365 and MT7505 with SDK version #7.3.37.6 and #7.3.119.1 v002 respectively.
Last week a widespread attack on the maintenance interfaces of broadband routers affected the telephony, television, and internet service of about 900,000 Deutsche Telekom customers in Germany. Vulnerable kit from ZyXEL also cropped up in the Deutsche Telekom case. Other victims include customers of Irish ISP Eir where (once again) ZyXEL-supplied kit was the target.
The Post Office confirmed that around "100,000 of our customers" have been affected and that the attack had hit "customers with a ZyXEL router".
ZyXEL routers are not a factor in the TalkTalk case, where routers made by D-Link are under the hammer. TalkTalk confirmed that the Mirai botnet was behind the attack against its customers, adding in the same statement that a fix was being rolled out.
Along with other ISPs in the UK and abroad, we are taking steps to review the potential impacts of the Mirai worm. A small number of customer routers have been affected, and we have deployed additional network-level controls to further protect our customers.
We do believe this has been caused by the Mirai worm – we can confirm that a fix is now in place, and all affected customers can reconnect to the internet. Only a small number of our customers have the router (a D-Link router) that was at risk of this vulnerability, and only a small number of those experienced connection issues.
The Post Office is similarly promising its customers that a fix is in the works.
Post Office can confirm that on 27 November a third party disrupted the services of its broadband customers, which impacted certain types of routers. Although this did result in service problems we would like to reassure customers that no personal data or devices have been compromised. We have identified the source of the problem and implemented a resolution which is currently being rolled out to all customers.
It's unclear who is responsible for the growing string of attacks on ISP customers across Europe or their motives. The mechanism of the attack is, however, all too clear. Hackers are using the infamous Mirai malware or one of its derivatives to wreak havoc. The IoT malware scans for telnet before attempting to hack into vulnerable devices, using a brute-force attack featuring 61 different user/password combinations, the various default settings of kit from various manufacturers. Up to 5m devices are up for grabs thanks to wide open management ports, according to some estimates.
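The telnet brute force described above, turned into detection logic as an added example that is not code from any of the ISPs, Malwarebytes or the article: it runs over constructed honeypot-style log lines and flags a source that cycles through several well-known Mirai default username/password pairs within a short window, while ignoring the one-off admin/admin a human might type. The log format, the addresses and the small subset of the Mirai credential list are assumptions for the demo.

```python
"""Added example (not from the article or any vendor): flag Mirai-style
default-credential cycling in telnet honeypot logs. All data is constructed."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Subset of the default pairs carried by the leaked Mirai source; assumed
# sufficient for the demo, the real scanner carries about 60.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "123456"), ("support", "support"),
}

# Constructed log format. Stock telnetd does not log the password, so this is
# the kind of line a telnet honeypot or ISP sensor would emit.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet-honeypot src=(?P<src>\S+) "
    r"login=(?P<user>\S*) password=(?P<pw>\S*) result=(?P<res>\w+)$"
)

SAMPLE_LOG = """\
2016-11-28T10:00:00Z telnet-honeypot src=203.0.113.5 login=root password=xc3511 result=fail
2016-11-28T10:00:02Z telnet-honeypot src=203.0.113.5 login=root password=vizxv result=fail
2016-11-28T10:00:04Z telnet-honeypot src=203.0.113.5 login=admin password=admin result=fail
2016-11-28T10:00:06Z telnet-honeypot src=203.0.113.5 login=root password=888888 result=fail
2016-11-28T10:00:00Z telnet-honeypot src=203.0.113.9 login=root password=xc3511 result=fail
2016-11-28T10:05:00Z telnet-honeypot src=203.0.113.9 login=root password=vizxv result=fail
2016-11-28T10:01:00Z telnet-honeypot src=198.51.100.7 login=admin password=admin result=fail
2016-11-28T10:01:05Z telnet-honeypot src=198.51.100.7 login=admin password=S3cretCorrect result=ok
not a telnet line at all
""".splitlines()


def parse_line(line: str) -> Optional[Tuple[float, str, Tuple[str, str]]]:
    """(epoch seconds, source, (user, password)) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00")).timestamp()
    return ts, m["src"], (m["user"], m["pw"])


def detect_mirai_scanners(lines: List[str], window_s: int = 60, min_pairs: int = 3) -> Dict[str, int]:
    """Flag sources that try at least `min_pairs` DISTINCT Mirai default pairs
    within `window_s` seconds. One default attempt (someone typing admin/admin
    by mistake) is not enough; walking the list is. Returns {src: pairs seen}."""
    attempts: Dict[str, List[Tuple[float, Tuple[str, str]]]] = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, pair = parsed
        if pair in MIRAI_DEFAULTS:
            attempts[src].append((ts, pair))
    flagged: Dict[str, int] = {}
    for src, events in attempts.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window from each event
            in_window = {pair for ts, pair in events[i:] if ts - t0 <= window_s}
            if len(in_window) >= min_pairs:
                flagged[src] = len(in_window)
                break
    return flagged


if __name__ == "__main__":
    print(detect_mirai_scanners(SAMPLE_LOG))
```

The window matters: 203.0.113.9 in the sample tries two default pairs five minutes apart and is only flagged if the window is widened, which is the knob to tune against a slow scanner at the price of more noise.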
Jean-Philippe Taggart, senior security researcher at Malwarebytes, said: "The leaked Mirai code, poorly secured remote administration on IoT devices, coupled with the recent availability of a Metasploit module to automate such attacks make for an ideal botnet recruitment campaign.
"So far, it seems the infection does not survive a reboot, but the malicious actors tend to disable access to the remote administration as part of the infection. This prevents the ISP from applying an update that would solve these issues. The botnet gains a longer life as users seldom reboot their routers unless they're experiencing a problem."
Other experts imply further attacks along the same lines are inevitable because the state of router security is poor and unlikely to improve any time soon.
Daniel Miessler, director of advisory services at IOActive, commented: "Recent attacks to Deutsche Telekom, TalkTalk and the UK Post Office will be felt by hundreds of thousands of broadband customers in Europe, but while the lights stay on and no one is in any real physical or financial danger, sadly nothing will change. IoT will remain fundamentally insecure.
"The current state of IoT security is in bad shape, and will get a whole lot worse before it gets any better. The Mirai botnet, which is powered by 100,000 IoT devices that are insecure by default, is just the most obvious and topical example."