Reefa posted a topic in Security & Privacy News

A year back, one of the largest “Advanced Persistent Threat” (APT) hacking groups received widespread attention from the media and from the U.S. government. APT groups are China’s cyber espionage units, and they won’t stop their espionage operations despite being exposed last year. Yes, the APT hacking groups APT1 and APT12 are again making headlines. Unbothered that the world knows about their cyber hacking activities, two of China’s major hacking groups have once again become active and have resumed their espionage operations, reports the security firm Mandiant. APT1 has conducted economic espionage since 2006 and has systematically stolen confidential data from at least 141 organizations across multiple industries. Mandiant, the FireEye-owned company, announced in its M-Trends report that over the past year the firm has kept a close eye on the APT1 group, which it first exposed in February 2013. It has also been monitoring the second Chinese hacker group, APT12, which apparently hacked the New York Times in January 2013, compromising its networks over the course of the previous four months. Last year Mandiant provided evidence linking the APT1 group to Unit 61398 of the 2nd Bureau of China’s People’s Liberation Army (PLA), but Beijing has always denied the accusations, dismissing the report as “full of loopholes” and stating, “Chinese laws prohibit any action including hacking that damages Internet security,” and adding, “to accuse the Chinese military of launching cyber attacks without solid proof is unprofessional and baseless.” But the American computer security firm Mandiant kept on following the groups’ activities.

The report reads, “Mandiant’s continued observations of APT1 and APT12 activity, measured by command and control (C2) sessions, revealed a different response behind the scenes, suggesting a possible acknowledgement that both groups had been exposed.” But the accusations weren’t able to stop either group from continuing its cyber attacks. Rather, both groups only changed their operational infrastructure and delayed their return. “Based on comparisons between APT1 and APT12 activity during 2013 and the previous three years, Mandiant believes that these threat groups responded to their public exposure in two ways. First, both groups delayed their return to normal operations following the end of the Chinese New Year holidays in February. Second, both groups quickly shifted their operational infrastructure to continue their activities,” the report reads. Continuing to follow the groups, Mandiant observed a longer period of inactivity, but roughly 150 days after the article was published in The New York Times, APT12 resumed its “pre-disclosure levels” of activity, and APT1 resumed its consistent intrusion activity nearly 160 days after its exposure. “We believe APT1 and APT12 changed their exposed operational architecture in an attempt to obscure their future data theft operations,” said Mandiant. It is believed that the intrusive cyber operations probably won’t stop, as the PRC continues to deny engaging in state-sponsored data theft, and even after the disclosure of both groups they have resumed their espionage operations.
By NIV ELIS, 01/26/2014 21:06

Intel is already one of the most important players in Israel’s economy, touting a cumulative investment of $10.8 billion in the state.

When Israel’s first international cyber security conference opens in Tel Aviv on Monday, international superstar corporations like Microsoft, Cisco and IBM will mingle with local online security companies such as Check Point and Cyber Ark to explore areas of cooperation. The conference is a culmination for Prime Minister Binyamin Netanyahu, who for months has been pushing the concept of Israel becoming a “Cyber Nation,” a state that could lead the world in cyber security technology. At the Davos World Economic Forum last week, he attended a special meeting on the subject, declaring Israel at the forefront of cyber security technology. “In the information age information must be protected, otherwise there will be chaos, the jungle,” he said at Sunday’s cabinet meeting. “The assessment is that Israel, due to our special circumstances could offer various solutions in this area.” But it is possible that the company leading the way in Israel is one seldom associated with cybersecurity: Intel. In 2011, Intel closed a deal to acquire McAfee, a leading anti-virus company, for $7.68 billion. Though the move seemed somewhat baffling at the time, the company laid out a compelling reason just three weeks ago, when it announced that it was dropping the McAfee name in favor of Intel Security. “With the Internet of Things becoming a reality, security must be embedded on every architecture and every device,” Intel’s Vice President of Global Consumer Marketing Gary Davis wrote at the time, referring to the increasing connectedness of everyday objects to wireless networks and the Internet.

“We intend to make a new mobile security solution freely available later this year with the goal of providing digital security to everyone on every mobile device around the world,” he said. In other words, Intel believes that as chips move from computers, phones and tablets to thermostats, washing machines, and cars, security has to be endemic to its hardware. “It’s not just a computer chip, it’s the Internet of things,” Intel Israel Spokesman Guy Grimland explained. “That means everything is more vulnerable as well. The moment the security is built into the hardware, it’s much better.” What does that mean for Israel’s cyber scene? Intel is already one of the most important players in Israel’s economy. On Sunday, the chip-maker celebrated 40 years of work in Israel, touting a cumulative investment of $10.8 billion in the Jewish state, and $35 billion worth of exports, over 10% of which were accounted for in 2013 alone. Thus far, however, Intel has shown limited interest in Israel’s cyber expertise. “Has there been leverage of Israeli abilities? No,” Intel Israel CEO Maxine Fassberg told The Jerusalem Post on Sunday. “The work we do with McAfee affects all of Intel, but it’s not local.” That may change, however. “It’s a direction we have to explore to see what added value we can have,” Fassberg said. Intel Israel President Mooly Eden said that Israel’s security infrastructure, such as its elite army units and successful cyber security companies, make it worth looking at. “We definitely look at the opportunity of cyber in Israel and see how we can leverage it,” he said. As the Cyber conference unfolds in the coming days, the role Israel can play in shaping the global cyber security market will become clearer. Other big chip companies may follow Intel’s lead.

In the meantime, tech-watchers will remain focused on whether Intel will decide to build its new 10 nanometer chip factory, which could bring billions of dollars of investments and create or preserve hundreds of jobs, in Israel or a competing nation, such as Ireland. Intel executives remained tight-lipped on the status of negotiations, but said the announcement was sure to take place in 2014.

http://www.jpost.com/Business/Business-News/Could-Intel-become-Israels-largest-cyber-security-firm-339425

Also see: Intel expects to make decision this year on next new chip plant
By Tova Cohen, TEL AVIV, Sun Jan 26, 2014 8:50am EST
Jan 26 (Reuters) - U.S. chip manufacturer Intel Corp expects to make a decision this year on the location of a new multi-billion dollar semiconductor plant using new 10 nanometre technology, executives at its Israeli unit said on Sunday.
http://www.reuters.com/article/2014/01/26/intel-israel-plant-idUSL5N0L003O20140126
15 Jan 14

Last weekend, Target finally disclosed at least one cause of the massive data breach that exposed personal and financial information on more than 110 million customers: malicious software that infected point-of-sale systems at Target checkout counters. Today’s post includes new information about the malware apparently used in the attack, according to two sources with knowledge of the matter.

In an interview with CNBC on Jan. 12, Target CEO Gregg Steinhafel confirmed that the attackers stole card data by installing malicious software on point-of-sale (POS) devices in the checkout lines at Target stores. A report published by Reuters that same day stated that the Target breach involved “memory-scraping” malware. This type of malicious software uses a technique that parses data stored briefly in the memory banks of specific POS devices; in doing so, the malware captures the data stored on the card’s magnetic stripe in the instant after it has been swiped at the terminal and is still in the system’s memory. Armed with this information, thieves can create cloned copies of the cards and use them to shop in stores for high-priced merchandise. Earlier this month, US-CERT issued a detailed analysis of several common memory scraping malware variants. Target hasn’t officially released details about the POS malware involved, nor has it said exactly how the bad guys broke into their network. Since the breach, however, at least two sources with knowledge of the ongoing investigation have independently shared information about the point-of-sale malware and some of the methods allegedly used in the attack.

BLACK POS

On Dec. 18, three days after Target became aware of the breach and the same day this blog broke the story, someone uploaded a copy of the point-of-sale malware used in the Target breach to ThreatExpert.com, a malware scanning service owned by security firm Symantec. The report generated by that scan was very recently removed, but it remains available via Google cache. According to sources, “ttcopscli3acs” is the name of the Windows computer name/domain used by the POS malware planted at Target stores; the username that the thieves used to log in remotely and download stolen card data was “Best1_user”; the password was “BackupU$r”. According to a source close to the investigation, that threatexpert.com report is related to the malware analyzed at this Symantec writeup (also published Dec. 18) for a point-of-sale malware strain that Symantec calls “Reedum” (note the Windows service name of the malicious process is the same as the ThreatExpert analysis, “POSWDS”). Interestingly, a search in Virustotal.com, a Google-owned malware scanning service, for the term “reedum” suggests that this malware has been used in previous intrusions dating back to at least June 2013; in the screen shot below left, we can see a notation added to that virustotal submission, “30503 POS malware from FBI.” The source close to the Target investigation said that at the time this POS malware was installed in Target’s environment (sometime prior to Nov. 27, 2013), none of the 40-plus commercial antivirus tools used to scan malware at virustotal.com flagged the POS malware (or any related hacking tools that were used in the intrusion) as malicious. “They were customized to avoid detection and for use in specific environments,” the source said. That source and one other involved in the investigation, who also asked not to be named, said the POS malware appears to be nearly identical to a piece of code sold on cybercrime forums called BlackPOS, a relatively crude but effective crimeware product. BlackPOS is a specialized piece of malware designed to be installed on POS devices and record all data from credit and debit cards swiped through the infected system.

According to the author of BlackPOS, an individual who uses a variety of nicknames, including “Antikiller,” the POS malware is roughly 207 kilobytes in size and is designed to bypass firewall software. The barebones “budget” version of the crimeware costs $1,800, while a more feature-rich “full” version, including options for encrypting stolen data, for example, runs $2,300.

THE ATTACK

Target has yet to honor a single request for comment from this publication, and the company has said nothing publicly about how this breach occurred. But according to sources, the attackers broke in to Target after compromising a company Web server. Somehow, the attackers were able to upload the malicious POS software to store point-of-sale machines, and then set up a control server within Target’s internal network that served as a central repository for data hoovered by all of the infected point-of-sale devices. “The bad guys were logging in remotely to that [control server], and apparently had persistent access to it,” a source close to the investigation told KrebsOnSecurity. “They basically had to keep going in and manually collecting the dumps.” It’s not clear what type of software powers the point-of-sale devices running at registers in Target’s U.S. stores, but multiple sources say U.S. stores have traditionally used a home-grown software called Domain Center of Excellence, which is housed on Windows XP Embedded and Windows Embedded for Point of Service (WEPOS). Target’s Canadian stores run POS devices from Retalix, a company recently purchased by payment hardware giant NCR. According to sources, the Retalix POS systems will be rolled out to U.S. Target locations gradually at some point in the future.

WHO IS ANTIKILLER?

A more full-featured Breadcrumbs-level analysis of this malware author will have to wait for another day, but for now there are some clues already dug up and assembled by Russian security firm Group-IB. Not long after Antikiller began offering his BlackPOS crimeware for sale, Group-IB published an analysis of it, stating that customers of major US banks, such as Chase (Newark, Delaware), Capital One (Virginia, Richmond), Citibank (South Dakota), Union Bank of California (California, San Diego), Nordstrom FSB Debit (Scottsdale, Arizona), were compromised by this malware. In his sales thread on at least one crime forum, Antikiller has posted a video of his product in action. As noted by Group-IB, there is a split second in the video where one can see a URL underneath the window being recorded by the author’s screen capture software which reveals a profile at the Russian social networking site Vkontakte.ru. Group-IB goes on to link that account to a set of young Russian and Ukrainian men who appear to be actively engaged in a variety of cybercrime activities, including distributed denial-of-service (DDoS) attacks and protests associated with the hacktivist collective known as Anonymous.

One final note: Dozens of readers have asked whether I have more information on other retailers that were allegedly victimized along with Target in this scheme. According to Reuters, smaller breaches on at least three other well-known U.S. retailers took place and were conducted using similar techniques as the one on Target. Rest assured that when and if I have information about related breaches I feel confident enough about to publish, you will read about it here first.

http://krebsonsecurity.com/2014/01/a-first-look-at-the-target-intrusion-malware
Turk posted a topic in Security & Privacy News

By Derek Klobucher, SAP, 1/09/2014 9:15AM

The combination of FireEye’s cloud-based systems and Mandiant’s forensic investigators could dominate the cyber-security industry going forward.

Both hackers and antivirus makers were put on notice last week when two shining stars in the $67 billion worldwide cyber-security universe announced their merger. Milpitas, Calif.-based global network security company FireEye has acquired Washington, D.C.-based cyber-security firm Mandiant, which released a famous report last year about a Chinese military unit that allegedly pilfered data from at least 115 companies across major U.S. industries. “There is an accelerating awareness that just wasn’t there a year ago,” FireEye CEO David G. DeWalt said in FT last week, citing NSA surveillance and Chinese hacking. “A lot of companies, organizations and governments said ‘look how pervasive these superpowers are in monitoring and stealing from these companies.’”

Beyond Antivirus

FireEye’s cloud-based systems work differently from traditional — and declining — antiviruses, which look for known cyber-threats that have already struck other targets. FireEye solutions quarantine inbound traffic, scanning for shady characters, be they from hackers, competitors or even nation states. The merger makes sense to a lot of experts because Mandiant often handles the shady characters caught by FireEye. Mandiant’s technology helps identify the origin of a cyber-attack, and then bolster defenses against follow-ons. “Companies are spending tens of billions of dollars of their money on a model that doesn’t work,” FireEye’s DeWalt said of antivirus software in The New York Times last week. “It’s going to take people and products working together.” FireEye and Mandiant started collaborating last year on joint product deployments, something that many of their shared customers were already doing. The companies later started discussing a merger.

Everybody Wins

“It is absolutely generally accepted that you cannot solely rely on preventive services,” Mandiant founder Kevin Mandia said in FT last week. Those services used to take months to uncover a breach. “On the front line of the cyber battlefield you have to be able to say … it is these guys in St. Petersburg who normally use these 18 pieces of malware.” The merger will extend Mandiant’s scope to FireEye’s broad customer base of more than 1,000, and FireEye will gain access to Mandiant’s hallmark forensic investigators. Once integrated, the companies could inform customers of abnormal behavior immediately after detection, installing a temporary fix until one of Mandiant’s emergency teams can take more permanent action. “Documents [released to the public by Edward Snowden] have made it evident to companies that the United States monitors allies as well as adversaries, including friendly governments, international organizations and the networks of some Internet companies,” The New York Times stated last week. “Some of them could turn to companies like FireEye and Mandiant for protection, an interesting twist since many of Mandiant’s employees come out of the American intelligence world.”

Audacious Differentiator

In addition to intelligence, these companies know a thing or two about the waning antivirus industry — and how to beat it. DeWalt, once CEO of antivirus titan McAfee, will preside over a combined company that security experts predict will enjoy strong growth, according to Reuters. But FireEye’s success will depend on more than its cloud-based systems and newly acquired software. Mandiant gained notoriety outside the cyber-security industry by specifically naming the Chinese People’s Liberation Army Unit 61398 as its suspect in a rash of industrial espionage hacks, an audacious move given that other security companies don’t usually name culprits. FireEye would also consider naming names with Mandiant under its wing, according to DeWalt. “You will probably see us continue to do it when it is appropriate,” DeWalt said in Reuters last week. “There is some incredibly egregious behavior.”

http://www.forbes.com/sites/sap/2014/01/09/the-future-of-global-cyber-security-is-in-the-cloud/