Security News

A group of computer security researchers has discovered a new, stealthy method of GPS spoofing that has proven highly effective against road navigation systems.

GPS spoofing has existed for many years. In theory, it can be used to steer a driver to an arbitrary location, but in practice the instructions produced by the navigation system soon contradict the physical road (e.g., an instruction to turn left while on a highway), which makes the attack unlikely to work in a real-world scenario.

The researchers now claim to have found a more effective method that is far less likely to arouse suspicion. Using it, an attacker could trick the victim into following a wrong route (for example, sending an ambulance or patrol car around in a loop), divert a specific vehicle to a specific location, or lead the target into a dangerous situation.

For the attack to work, the attacker needs to know the victim's approximate destination; a victim who is unfamiliar with the destination area is more likely to fall for the deception.

Using 600 real taxi routes from Manhattan and Boston, the researchers built an algorithm that generates a virtual route whose shape mimics that of the real roads. The attack is more likely to succeed in dense urban areas.

During an attack, the attacker generates fake GPS signals so that the navigation system believes the car is heading for a nearby “phantom location”. The navigation system recalculates a new route, which the researchers call the “phantom route”, and guides the victim to the phantom location.

To avoid arousing suspicion, the phantom route is generated from the collected taxi trips. The search algorithm runs over every road segment to identify all possible phantom locations. In the tests it found, on average, about 1,500 potential phantom routes per trip.

The algorithm crafts the GPS data fed to the victim's device so that both the turn-by-turn instructions and the route drawn on the map remain consistent with the physical road network, according to the International Institute of Cyber Security.
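The following is an added example, not code from the researchers or from the original article. It illustrates the core idea of the search in a deliberately simplified form: a toy grid road network, routes reduced to the sequence of block counts and turns a driver actually experiences, and a brute-force search over every intersection and heading for start points from which exactly the same sequence can be driven on the map. Any such start point yields a "ghost route" whose turn-by-turn instructions match the victim's physical drive block for block. The network, the route and the 90-degree-only turn model are constructed assumptions; the published algorithm works on real map data and matches road shape in more detail.

```python
"""Simplified ghost-route search on a toy grid road network (added example)."""
from itertools import product

# Compass headings as unit steps; one step = one city block.
HEADINGS = {"N": (0, 1), "E": (1, 0), "S": (0, -1), "W": (-1, 0)}
LEFT = {"N": "W", "W": "S", "S": "E", "E": "N"}
RIGHT = {"N": "E", "E": "S", "S": "W", "W": "N"}
BACK = {"N": "S", "S": "N", "E": "W", "W": "E"}


def build_grid_network(width, height, blocked=frozenset()):
    """Constructed road network: intersections are (x, y) grid points, road
    segments join neighbouring intersections. `blocked` removes segments so the
    network is not perfectly regular (real street grids are not)."""
    nodes = set(product(range(width), range(height)))
    edges = set()
    for x, y in nodes:
        for dx, dy in HEADINGS.values():
            nb = (x + dx, y + dy)
            seg = frozenset({(x, y), nb})
            if nb in nodes and seg not in blocked:
                edges.add(seg)
    return nodes, edges


def path_to_maneuvers(path):
    """Reduce a node path to what the driver experiences: the initial heading and
    a list of (blocks_to_drive, maneuver), e.g. (2, 'right'), (2, 'arrive')."""
    def heading(a, b):
        step = (b[0] - a[0], b[1] - a[1])
        return next(h for h, v in HEADINGS.items() if v == step)

    headings = [heading(a, b) for a, b in zip(path, path[1:])]
    maneuvers, run = [], 1
    for prev, cur in zip(headings, headings[1:]):
        if cur == prev:
            run += 1
            continue
        turn = "left" if LEFT[prev] == cur else "right" if RIGHT[prev] == cur else "uturn"
        maneuvers.append((run, turn))
        run = 1
    maneuvers.append((run, "arrive"))
    return headings[0], maneuvers


def replay(start, heading, maneuvers, edges):
    """Drive the same maneuver list from a different start point and heading.
    Returns the node path, or None as soon as a required road segment is missing."""
    path, pos, h = [start], start, heading
    for blocks, turn in maneuvers:
        for _ in range(blocks):
            dx, dy = HEADINGS[h]
            nxt = (pos[0] + dx, pos[1] + dy)
            if frozenset({pos, nxt}) not in edges:
                return None
            path.append(nxt)
            pos = nxt
        # 'arrive' leaves the heading unchanged; turns rotate it.
        h = {"left": LEFT, "right": RIGHT, "uturn": BACK}.get(turn, {}).get(h, h)
    return path


def find_ghost_routes(real_path, nodes, edges):
    """Try every intersection and heading as a spoofed start position. Each start
    from which the real path's maneuvers replay successfully is a ghost route: the
    instructions a navigation app computes for it never contradict the roads the
    victim physically drives. Rotated copies are accepted here as a simplification."""
    h0, maneuvers = path_to_maneuvers(real_path)
    ghosts = []
    for start in sorted(nodes):
        for h in HEADINGS:
            p = replay(start, h, maneuvers, edges)
            if p is not None and p != list(real_path):   # exclude the genuine route
                ghosts.append(p)
    return ghosts


# Constructed scenario: a 5x5 block grid; the victim drives two blocks north,
# turns right and drives two blocks east.
REAL_PATH = [(0, 0), (0, 1), (0, 2), (1, 2), (2, 2)]

if __name__ == "__main__":
    nodes, edges = build_grid_network(5, 5)
    ghosts = find_ghost_routes(REAL_PATH, nodes, edges)
    print(f"{len(ghosts)} ghost routes for a {len(REAL_PATH) - 1}-block trip")
    print("phantom destinations (first five):", sorted(p[-1] for p in ghosts)[:5])
```

On the unobstructed 5x5 grid every one of the 36 start/heading combinations that fits inside the grid reproduces the same two-block/right/two-block drive, so 35 ghost routes exist for one genuine trip; removing a single road segment drops that to 33, which is why the search has to be run against the actual road network rather than assumed from geometry.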

In some cases, if the victim's original position is not on the path to the phantom location, the navigation system may tell the user that the route is being recalculated. Based on a survey, the researchers determined that this would not raise much suspicion, since recalculations happen often enough in normal driving.

This type of attack can be carried out with a portable GPS spoofer costing around $200, from a distance of 40-50 metres. The attacker can follow the target vehicle or plant the spoofer in or under the target car and control it from a distance. The researchers reproduced the attack in the real world with their own car, driving after midnight in suburban areas to avoid traffic problems. They also had 40 participants (20 in the US and 20 in China) use a driving simulator that was attacked with the new method. The attack succeeded 95% of the time, and only two participants detected it.

The information contained in this website is for general information purposes only. The information is gathered from Security Newspaper. While we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.

Security experts today are seeing signs of growing competition between ransomware distributors.

Attackers are starting to probe previously unreached countries, where users may not be prepared for fighting ransomware and where competition among criminals is lower.

Ransomware-as-a-Service is becoming more and more popular, with amateur cybercriminals trying to earn easy money.

Ransomware Attacking Backup Files

The traditional defence against ransomware is a disaster recovery solution: users can restore their machines from the most recent backup taken before the attack.

This is leading modern cyber criminals to also attack and delete backup programmes and files, removing that option for their victims.

One of the few solutions on the market that takes this into account prevents any process on the system from modifying backup files.
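As an added example (not from IT Brief or from any vendor mentioned), the following Python snippet shows the detection side of this point: scanning process-creation events for the command lines ransomware commonly uses on Windows to delete Volume Shadow Copies, backup catalogs and recovery settings before encrypting (MITRE ATT&CK T1490, Inhibit System Recovery). The pipe-separated log format and the sample events are constructed; the pattern list is illustrative, not exhaustive.

```python
"""Detect backup/recovery-destruction commands in process-creation logs (added example)."""
import re
from dataclasses import dataclass

# Command lines widely used by ransomware to remove the victim's restore options
# (MITRE ATT&CK T1490). Illustrative set; extend it from your own telemetry.
BACKUP_DESTRUCTION_PATTERNS = {
    "vss_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    "vss_resize_storage": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    "wbadmin_delete": re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I),
}


@dataclass
class Alert:
    timestamp: str
    host: str
    parent: str
    rule: str
    command_line: str


def parse_line(line):
    """Assumed log format: time|host|parent_image|image|command_line (pipe-separated).
    Returns None for malformed lines instead of raising."""
    parts = line.rstrip("\n").split("|", 4)
    if len(parts) != 5:
        return None
    return dict(zip(("time", "host", "parent", "image", "cmdline"), parts))


def scan_process_log(lines):
    """Return one Alert per matching rule per event. Matching runs over the full
    command line, so odd spacing and casing (`vssadmin.exe  Delete   Shadows`) and
    `cmd /c` wrappers are still caught, and the parent image is kept because a
    document editor spawning vssadmin is the real signal, not vssadmin itself."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for rule, pattern in BACKUP_DESTRUCTION_PATTERNS.items():
            if pattern.search(ev["cmdline"]):
                alerts.append(Alert(ev["time"], ev["host"], ev["parent"], rule, ev["cmdline"]))
    return alerts


# Constructed sample events (not real telemetry). The last line is a benign
# administrative query and must not alert.
SAMPLE_LOG = """\
2018-07-16T09:12:01Z|WS-0142|explorer.exe|winword.exe|"C:\\Program Files\\Microsoft Office\\WINWORD.EXE" invoice.docx
2018-07-16T09:12:07Z|WS-0142|winword.exe|cmd.exe|cmd.exe /c vssadmin.exe  Delete   Shadows /All /Quiet
2018-07-16T09:12:08Z|WS-0142|cmd.exe|wmic.exe|wmic shadowcopy delete
2018-07-16T09:12:09Z|WS-0142|cmd.exe|bcdedit.exe|bcdedit /set {default} recoveryenabled No
2018-07-16T09:12:10Z|WS-0142|cmd.exe|wbadmin.exe|wbadmin delete catalog -quiet
2018-07-16T09:30:00Z|SRV-BKP01|services.exe|vssadmin.exe|vssadmin list shadows
""".splitlines()

if __name__ == "__main__":
    for a in scan_process_log(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} {a.rule:<26} parent={a.parent} :: {a.command_line}")
```

Run against the sample, the four destructive commands alert while the routine `vssadmin list shadows` from the backup server does not; in production the parent-process field (here `winword.exe`) is what separates ransomware from an administrator's maintenance window.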

The information is gathered from IT Brief.

Security researchers have uncovered a “highly targeted” mobile malware campaign that has been operating since August 2015 and found spying on 13 selected iPhones in India.

The attackers, also believed to be operating from India, were found abusing the mobile device management (MDM) protocol, the kind of management software large enterprises use to control the devices their employees use and enforce policies on them, to control the targeted devices and deploy malicious applications remotely.

Exploiting Apple MDM Service to Remotely Control Devices

Enrolling an iOS device in MDM requires the user to manually install an enterprise certificate, which companies obtain through the Apple Developer Enterprise Program.
Companies can deliver the MDM configuration profile by email or through a web page for over-the-air enrollment, or directly with Apple Configurator.

Once the user installs it, the company's administrators can remotely control the device: install or remove apps, install or revoke certificates, lock the device, change passcode requirements, and so on.

“MDM uses the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results”.

Since each step of the enrollment process requires user interaction, such as accepting a certificate authority on the iPhone, it is not yet clear how the attackers managed to enroll the 13 targeted iPhones in their MDM service.
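Added example, not part of the original report or of Talos's tooling: a small audit of an MDM enrollment profile before it is installed, which is the check a user or administrator would want given that enrollment hinges on accepting such a profile. It parses the profile's XML plist, flags bundled trusted-root certificates, checks that the MDM ServerURL and CheckInURL use HTTPS and belong to the organisation's expected domain, and decodes the AccessRights bitmask the server is asking for. The sample profile, its URLs, UUIDs and the expected domain are constructed; the AccessRights bit meanings follow Apple's MDM protocol reference as understood here and should be verified against current documentation.

```python
"""Audit an iOS MDM enrollment profile (.mobileconfig) before installing it (added example)."""
import plistlib
from urllib.parse import urlparse

# AccessRights is a bitmask granting the MDM server capabilities over the device.
# Bit meanings as understood from Apple's MDM protocol reference; verify before relying on them.
ACCESS_RIGHTS = {
    1: "inspect configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock / passcode removal",
    8: "erase device",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed apps",
    512: "restriction queries",
    1024: "security queries",
    2048: "change settings",
    4096: "manage apps",
}

# Payload types that add a certificate the device will trust.
ROOT_CERT_PAYLOADS = {"com.apple.security.root", "com.apple.security.pkcs1", "com.apple.security.pem"}

# Constructed sample profile (not from the campaign). Real profiles are usually
# CMS-signed DER; this is the inner XML plist, which is what plistlib parses.
SAMPLE_MOBILECONFIG = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.mdm.enroll</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Corporate Device Management</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.root</string>
      <key>PayloadIdentifier</key><string>com.example.mdm.ca</string>
      <key>PayloadUUID</key><string>aaaaaaaa-0000-0000-0000-000000000001</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadContent</key><data>MIIBsDCCAVkCAQAwDQYJ</data>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mdm</string>
      <key>PayloadIdentifier</key><string>com.example.mdm.payload</string>
      <key>PayloadUUID</key><string>aaaaaaaa-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>ServerURL</key><string>https://mdm.example.net/mdm</string>
      <key>CheckInURL</key><string>https://mdm.example.net/checkin</string>
      <key>Topic</key><string>com.apple.mgmt.External.aaaaaaaa-0000-0000-0000-000000000003</string>
      <key>AccessRights</key><integer>8191</integer>
      <key>IdentityCertificateUUID</key><string>aaaaaaaa-0000-0000-0000-000000000004</string>
    </dict>
  </array>
</dict>
</plist>
"""


def hostname_in_domain(url, domain):
    """True if the URL's host is `domain` or a subdomain of it (no suffix tricks)."""
    host = (urlparse(url).hostname or "").lower()
    return host == domain or host.endswith("." + domain)


def audit_profile(raw, expected_domain):
    """Return (severity, finding) tuples for one profile. `raw` is the XML plist;
    a CMS-signed profile must be unwrapped (and its signer checked) first."""
    profile = plistlib.loads(raw)
    payloads = profile.get("PayloadContent", [])
    findings = []
    for payload in payloads:
        ptype = payload.get("PayloadType", "")
        if ptype in ROOT_CERT_PAYLOADS:
            findings.append(("high", f"installs a trusted certificate ({ptype}): {payload.get('PayloadIdentifier')}"))
        if ptype == "com.apple.mdm":
            for key in ("ServerURL", "CheckInURL"):
                url = payload.get(key, "")
                if not url.startswith("https://"):
                    findings.append(("high", f"{key} is not HTTPS: {url!r}"))
                if not hostname_in_domain(url, expected_domain):
                    findings.append(("high", f"{key} points outside {expected_domain}: {url}"))
            rights = payload.get("AccessRights", 0)
            granted = [name for bit, name in ACCESS_RIGHTS.items() if rights & bit]
            if rights & 8:
                findings.append(("medium", "server may erase the device"))
            if rights & (128 | 4096):
                findings.append(("medium", "server may install/remove apps or provisioning profiles"))
            findings.append(("info", f"AccessRights={rights}: {', '.join(granted)}"))
            findings.append(("info", f"push topic {payload.get('Topic')}"))
    if not any(p.get("PayloadType") == "com.apple.mdm" for p in payloads):
        findings.append(("info", "no MDM payload in profile"))
    return findings


if __name__ == "__main__":
    for severity, finding in audit_profile(SAMPLE_MOBILECONFIG, "example.com"):
        print(f"[{severity:<6}] {finding}")
```

Against an organisation whose MDM lives under `example.com`, the sample profile produces three high-severity findings (a bundled root certificate and two server URLs pointing at a different domain) plus the full set of rights, including device erase and app installation, which is exactly the combination the campaign above relied on.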

However, the Cisco Talos researchers who discovered the campaign believe the attackers likely used either social engineering, such as a fake tech-support call, or physical access to the targeted devices.
According to the researchers, the attackers used the MDM service to remotely install modified versions of legitimate apps onto the target iPhones; the modified apps were designed to spy on users and steal their real-time location, contacts, photos, SMS and private messages from chat applications.

To add malicious features to secure messaging apps such as Telegram and WhatsApp, the attackers used the “BOptions sideloading technique”, which allowed them to inject a dynamic library into the legitimate apps.

“The injection library can ask for additional permissions, execute code and steal information from the original application, among other things,” researchers explain.

The malware injected into the compromised versions of Telegram and WhatsApp was designed to send contacts, location and images from the compromised device to a remote server at hxxp[:]//techwach[.]com.

At this time it is not known who is behind the campaign, who exactly was targeted or what the motives were, but the researchers found evidence suggesting the attackers operated from India while planting a “false flag” by posing as Russian.
At the time of reporting, Apple had already revoked three certificates linked to the campaign and, after being notified by the Talos team, revoked the remaining two as well.

The information is gathered from The Hacker News.

Researchers from the Z-Lab at CSE Cybsec have completed the analysis of a number of payloads belonging to a new cyber espionage campaign conducted by the Russian APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy and Strontium).

The last time experts attributed an ongoing campaign to APT28 was in June, when researchers from Palo Alto Networks noticed the group using new tools in a string of attacks.

Palo Alto Networks explained that the group had shifted its focus from NATO member countries and Ukraine towards the Middle East and Central Asia.

The researchers observed several attacks leveraging the SPLM and the Zebrocy tool between the second and fourth quarters of 2017 against organizations in Asia. The list of targeted countries included China, Mongolia, South Korea and Malaysia.

In the course of routine threat intelligence work, experts at the Z-Lab at CSE Cybsec recently discovered a new series of malware samples submitted to the major online sandboxes.

In particular, they noticed a malware sample submitted to VirusTotal that some experts attributed to the Russian APT28 group.

The APT28 group has been active since at least 2007 and has targeted governments, militaries and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 US presidential election.

With the help of the researcher known on Twitter as Drunk Binary (@DrunkBinary), the Z-Lab researchers obtained a collection of samples to compare with the one uploaded to VirusTotal.

The analysis revealed a new variant of the infamous APT28 backdoor tracked as X-Agent, specifically a new Windows version that appeared in the wild in June.

The attack analysed by CSE Cybsec is multi-stage: an initial dropper, written in Delphi (a language APT28 has used in other campaigns), downloads a second-stage payload from the Internet and executes it.

The payload communicates with its server over HTTPS, so the content of the malicious traffic cannot be inspected on the wire without TLS interception.

The experts also analysed another malicious DLL, apparently unrelated to the previous samples, that shares many similarities with other payloads attributed to the Russian APT group.

This malware immediately caught the experts' attention because it contacts a C2 named “marina-info.net”, a clear reference to the Italian Navy, the Marina Militare. This led them to believe that the code was developed for targeted attacks against the Marina Militare or other entities associated with it.

This last DLL seems completely unconnected to the previous samples, but further investigation led the experts to believe that it was an additional component used by APT28 in this campaign to compromise the target system.

APT28 has a rich arsenal of modular malware, and the experts assess the DLL to be a component of the X-Agent family dissected by Z-Lab.

X-Agent is a persistent payload injected into the victim machine; it can be compiled for almost any operating system and extended with new ad hoc components developed for a specific attack.

In this case, the component was submitted to online sandboxes while the new campaign was ongoing. The experts cannot exclude that the APT group developed the backdoor to target specific organizations, including the Italian Marina Militare or its subcontractors. In their analysis, the experts were not able to directly connect the malicious DLL to the X-Agent samples, but they believe both are parts of a well-coordinated surgical attack by APT28, tracked by Z-Lab as Roman Holiday because it targeted Italian organizations in the summertime.

The DLL that connects to “marina-info.net” might be the last-stage malware, triggered only under particular conditions, for example when the infected system has an IP address in specific ranges.

Further details on the malware samples analysed by CSE Cybsec, including the IoCs and YARA rules, are available in the report published by the Z-Lab researchers at the link below.

http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v7.pdf

Update CSE Malware ZLab – Operation Roman Holiday – Hunting the Russian APT28

An internationally active criminal network has infected hundreds of thousands of private and commercial computer systems with different malware. This network, known as “Avalanche”, is currently one of the largest known botnet infrastructures in the world. A total of 20 different botnets were identified that used this infrastructure to distribute millions of spam and phishing e-mails as well as malware such as ransomware and banking trojans.

On November 30th, 2016, after more than four years of investigation, the Public Prosecutor’s Office Verden and the Lueneburg Police, Germany, in close cooperation with the United States Attorney’s Office for the Western District of Pennsylvania, the Department of Justice and the FBI, Europol, Eurojust and global partners, dismantled this international criminal infrastructure. The German Federal Office for Information Security (BSI) supported this operation.

In the course of dismantling the infrastructure, so-called “sinkhole servers” were installed to identify the IP addresses of infected computers. At the end of November 2017, this sinkholing was extended for another year. Information on affected German IP addresses is provided to the responsible Internet service providers (ISPs) in Germany, who can then notify their customers of the infection. Note that this approach identifies only systems that are currently infected and still part of this botnet infrastructure. Information on affected IP addresses in other countries is provided by CERT-Bund to the respective national CERTs in more than 80 countries worldwide.
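Added example, not from CERT-Bund: how sinkhole hits become the per-ISP notifications described above. It parses a constructed sinkhole log (RFC 5737 documentation addresses and reserved `.invalid` domains, not real victims), aggregates hits per source IP, drops addresses not seen recently (so only currently infected systems are reported, as the text explains), and groups the rest by the responsible ISP prefix, with a fallback queue for prefixes with no known contact. The prefix table and contact addresses are made up.

```python
"""Turn sinkhole hits into per-ISP infection notifications (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sinkhole log: time, source IP, sinkholed C2 domain, botnet tag.
SINKHOLE_LOG = """\
2017-12-01T08:00:12Z 192.0.2.17 c2-one.invalid andromeda
2017-12-01T08:00:45Z 192.0.2.17 c2-one.invalid andromeda
2017-12-01T09:13:03Z 198.51.100.200 c2-two.invalid nymaim
2017-11-02T10:00:00Z 198.51.100.9 c2-two.invalid nymaim
2017-12-01T11:45:59Z 203.0.113.77 c2-one.invalid andromeda
2017-12-01T12:00:00Z 192.0.2.250 c2-three.invalid matsnu
"""

# Who to notify for which prefix; in practice derived from WHOIS/BGP data, or the
# prefix is handed to the national CERT of the country it belongs to. Made up here.
ISP_PREFIXES = {
    "192.0.2.0/24": "isp-a-abuse@example.com",
    "198.51.100.0/24": "isp-b-abuse@example.com",
    # 203.0.113.0/24 deliberately has no contact: it goes to the fallback queue.
}


def parse_hits(text):
    """Parse the whitespace-separated log into (timestamp, ip, domain, tag) tuples."""
    hits = []
    for line in text.splitlines():
        ts, ip, domain, tag = line.split()
        hits.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ipaddress.ip_address(ip), domain, tag))
    return hits


def build_notifications(hits, prefixes, now, max_age=timedelta(days=7), fallback="national-cert-queue"):
    """Aggregate hits per source IP (first/last seen, count, botnet tags), discard
    IPs whose last hit is older than `max_age` relative to `now` (no evidence the
    machine is still infected), and group the remainder by responsible prefix."""
    nets = [(ipaddress.ip_network(p), contact) for p, contact in prefixes.items()]
    per_ip = {}
    for ts, ip, domain, tag in hits:
        rec = per_ip.setdefault(ip, {"first": ts, "last": ts, "hits": 0, "botnets": set()})
        rec["first"], rec["last"] = min(rec["first"], ts), max(rec["last"], ts)
        rec["hits"] += 1
        rec["botnets"].add(tag)
    out = defaultdict(list)
    for ip, rec in per_ip.items():
        if now - rec["last"] > max_age:
            continue  # stale sighting: not reported as currently infected
        contact = next((c for net, c in nets if ip in net), fallback)
        out[contact].append({
            "ip": str(ip),
            "first_seen": rec["first"].isoformat(),
            "last_seen": rec["last"].isoformat(),
            "hits": rec["hits"],
            "botnets": sorted(rec["botnets"]),
        })
    for entries in out.values():
        entries.sort(key=lambda e: e["ip"])
    return dict(out)


def example_report():
    """Run the pipeline on the constructed log as of 2017-12-02, the day after the hits."""
    return build_notifications(parse_hits(SINKHOLE_LOG), ISP_PREFIXES, now=datetime(2017, 12, 2))


if __name__ == "__main__":
    for contact, entries in example_report().items():
        print(contact)
        for e in entries:
            print(f"  {e['ip']:<16} hits={e['hits']} botnets={','.join(e['botnets'])} last={e['last_seen']}")
```

In the sample, `198.51.100.9` was last seen a month earlier and is dropped, two infected hosts land with ISP A, one with ISP B, and the host in the prefix without a contact is queued for the national CERT; note that an IP address identifies a customer connection, not a machine, which is why the text tells notified users to check all their systems.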

Victims notified by their ISP should check their systems for a malware infection and fix the security vulnerabilities on their computers. Dismantling the infrastructure does not remove the malware from infected systems, and it cannot be ruled out that criminals will regain control over the infected machines. Affected users should therefore act immediately. Even users who do not receive a warning from their provider could take this as an occasion to check their computers for vulnerabilities and infections.

According to our analysis, primarily Windows-based computers and Android smartphones were part of the respective botnets. However, infections of smartphones running Apple iOS or Microsoft Windows Phone, or of systems running Apple's OS X or Linux, cannot be ruled out completely.

Currently, there is no indication that systems being part of the Internet of Things (IoT) like webcams, printers or TV-receivers are part of the botnet infrastructure.

The information is provided by CERT-Bund.