System admins: Patch your servers as often as you can!
About 71.2 percent of all exploit kits that attempt to inject malware into internet surfers’ computers were developed in Russia, and about 51.8 percent exploit rather older operating system vulnerabilities.
To be sure, Blackhole 2.0 is the most widely used exploit kit, installed on thousands of websites to attack and take over visitors’ computers.
However, it targets fewer software security holes than rival cybercrime kits. That’s according to a fresh report by managed security firm Solutionary.
Contrary to various hype that exploit kits target unpatched flaws in products, Solutionary found that the overall majority (59 percent) of exploited security vulnerabilities were more than two years old.
The company reviewed 26 commonly used malware kits and discovered code abusing security bugs dating as far back as 2004, evidence that older vulnerabilities continue to be mined for profit by cybercrooks.
Typically, criminal hackers compromise otherwise perfectly legitimate websites to plant hacking toolkits and distribute fake antivirus software, banking Trojans and other bad code.
Researchers at the security firm concluded that antivirus products cannot detect more than about 64 percent of the malware being distributed, a finding that’s likely to be controversial in more ways than one.
The practical upshot of all this is that system admins would be wise to regularly update their servers, especially Windows Server 2003, 2008 and 2012, Adobe Flash, web browsers and Java, rather than rely on security scanners to block any attacks that come their way.
“Exploit root kits largely focus on targeting end-user applications,” said Rob Kraus, a director of security research at Solutionary. “As a result, it’s absolutely critical that organizations pay close attention to security patch management and endpoint security controls in order to significantly lower the likelihood of a server compromise.”
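The report’s point is that most exploited bugs already have a fix that has been available for years, so the useful measurement is not “is this host patched?” but “how long has the fix been out while this host stayed behind?” The following patch-lag report is an added example, not code from Solutionary or from the article: the inventory is constructed sample data with hypothetical host names and version strings, and it treats any installed version that differs from the vendor’s current release as exposed.

```python
"""Patch-lag report over a constructed software inventory.

Each record is (host, product, installed_version, latest_version, latest_release_date).
A package is "exposed" when it is not on the vendor's current release; the lag is how
many days that release has been available, and anything over two years is "stale",
mirroring the "more than two years old" finding quoted in the article.
"""
from datetime import date

TWO_YEARS_DAYS = 730

# Constructed sample inventory: hypothetical hosts and version strings, not real data.
INVENTORY = [
    ("web01", "Java",                "6u31",     "7u11",     date(2013, 1, 13)),
    ("web01", "Adobe Flash",         "10.3",     "11.5",     date(2012, 12, 11)),
    ("db02",  "Microsoft Office",    "2003 SP2", "2003 SP3", date(2007, 9, 17)),
    ("db02",  "Java",                "7u11",     "7u11",     date(2013, 1, 13)),
    ("app03", "Windows Server 2008", "SP1",      "SP2",      date(2009, 5, 26)),
]


def patch_lag(inventory, as_of):
    """Return one finding per package that is behind the vendor's latest release.

    Exact string comparison is a deliberate simplification: real version ordering
    is vendor-specific (Java update numbers, service packs, semver) and must be
    compared with the vendor's own rules before this is used on live data.
    """
    findings = []
    for host, product, installed, latest, released in inventory:
        if installed == latest:
            continue  # current, nothing to report
        lag = (as_of - released).days
        findings.append({
            "host": host,
            "product": product,
            "installed": installed,
            "latest": latest,
            "lag_days": lag,
            "stale": lag > TWO_YEARS_DAYS,
        })
    return findings


def summarize(findings, threshold_days=TWO_YEARS_DAYS):
    """Return (exposed_count, stale_count, stale_percent) for a set of findings."""
    exposed = len(findings)
    stale = sum(1 for f in findings if f["lag_days"] > threshold_days)
    pct = round(100.0 * stale / exposed, 1) if exposed else 0.0
    return exposed, stale, pct


def report(inventory=INVENTORY, as_of=date(2013, 1, 16)):
    """Print the findings, worst lag first, and return the summary tuple."""
    findings = sorted(patch_lag(inventory, as_of), key=lambda f: -f["lag_days"])
    for f in findings:
        flag = "STALE" if f["stale"] else "behind"
        print(f"{f['host']:6} {f['product']:20} {f['installed']:>9} -> "
              f"{f['latest']:<9} fix available {f['lag_days']:5d} days  [{flag}]")
    exposed, stale, pct = summarize(findings)
    print(f"{exposed} exposed packages, {stale} older than two years ({pct}%)")
    return exposed, stale, pct


if __name__ == "__main__":
    report()
```

Running it ranks the hosts by how long a fix has been ignored, which is the ordering a patch-management queue should use; the two-year threshold is the report’s own line, and can be tightened per product.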
In other internet security news
A large group of activists, privacy organizations, journalists and others have called upon Microsoft to be more forthright about when, why, and to whom it discloses its data about Skype users and their communications.
In an open letter published yesterday, the activist coalition argues that Microsoft’s statements about the confidentiality of Skype conversations have been “persistently unclear and confusing,” casting doubt on the security and privacy of the Skype platform.
“Many users of the platform rely on Skype for so-called ‘secure communications’ – whether they are activists operating in countries governed by authoritarian regimes, journalists communicating with sensitive sources, or users who wish to talk privately in confidence with business associates, family, or friends,” the letter explains.
Among the group’s numerous concerns is that although Skype was founded in Europe, its acquisition by a U.S.-based company may mean it is now subject to different eavesdropping and data-disclosure requirements than it was before.
The coalition group claims that both Microsoft and Skype have refused to answer several questions about what kinds of user data the service retains, whether it discloses such data to governments, and whether Skype conversations can be intercepted in any manner.
The letter calls upon Microsoft to publish a regular transparency report outlining what kind of data Skype collects, what third parties might be able to intercept or retain, and how Skype interprets its responsibilities under the laws that pertain to it.
Additionally, it asks for quantitative data about when, why, and how Skype shares data with third parties, including governments.
As the letter points out, several other companies already provide such reports, including Google, Twitter, and Sonic.net. Google’s most recent report showed that government requests for user data from online companies have increased 70 percent since mid-2010.
Microsoft acquired Skype in 2011 for $8.5 billion and has since been working to make the service a key pillar of its communications strategy. Most recently, Microsoft announced that it would shut down its Windows Live Messenger service in March and urged all current Messenger users to switch to Skype.
As could be expected, Microsoft’s strong-arm tactics haven’t pleased Messenger fans, but they’ve impressed privacy advocates even less, given the ambiguity about what information Skype discloses.
“On the eve of Microsoft’s integration of Skype into many of its key software and services, the time has come for the company to publicly document Skype’s security and privacy practices,” the open letter reads.
The letter is co-signed by a total of 61 individuals and 45 organizations, including such groups as the AIDS Policy Project, Cyber Arabs, DotConnectAfrica, the Egyptian Initiative for Personal Rights, the Electronic Frontier Foundation (EFF), Reporters Without Borders, the Thai Netizen Network, and the Tibet Action Institute.
“Microsoft has an ongoing commitment to collaborate with advocates, industry partners and governments worldwide to develop solutions and promote effective public policies that help protect people’s online safety and privacy,” the company said in an emailed statement.
In other internet security news
Kaspersky Labs said today that it has discovered yet another global spying campaign that targets numerous governmental agencies, political groups, universities and research institutions.
Placed on the same level as the memorable ‘Flame’ malware, the malware, known as ‘Rocra’ or ‘Red October’, was discovered by Kaspersky and a number of Computer Emergency Response Teams (CERTs); it mostly targets institutions based in Eastern Europe, former USSR members and countries in Central Asia.
Kaspersky Labs says that Red October has been gathering a lot of data and intelligence from “mobile devices, computer systems and network equipment” and is currently still active. Data is gathered and sent to multiple command-and-control servers which the security firm says rivals the complex nature of Flame.
The malware is delivered via a spear-phishing email which, according to Kaspersky, targets carefully selected victims within an organization such as a government agency. The attached files contain at least three different exploits for Microsoft Excel and Word; once opened, they drop a trojan on the affected computer, which then scans the local network or the PC’s hard drive to detect whether any other devices are vulnerable to the same security hole.
The command center simply drops modules, usually as .dll libraries, that each complete a particular task; the infected computer carries out the commands it is sent and then immediately discards the evidence.
Separated into “persistent” and “one-time” tasks, the malware is able to spy and steal in a number of ways, including:
Waiting for an MS Office or PDF document and executing a malicious payload embedded in that document
Creating one-way covert channels of communication
Recording keystrokes and taking screenshots
Retrieving e-mail messages and attachments
Collecting general software and hardware environment information
Extracting browsing history from Chrome, Firefox, IE and Opera
Saving passwords
Extracting Windows account hashes
Extracting Outlook account information
Performing network scans, then dumping configuration data from Cisco devices when available
Some .exe tasks remain on the system while waiting for the correct environment, for example waiting for a phone to connect. Microsoft’s Windows Phone 8, Nokia smartphones and even the iPhone are all said to be vulnerable.
Engineered specifically to steal encrypted files and even those that have been deleted from a victim’s computer, the malware, named after the novel and film “The Hunt for Red October”, has several key features which suggest it may be state-sponsored, although there is no official word on this yet.
And it gets worse. A lot worse… Among the features of Red October is a resurrection module which keeps the infection hidden, disguised as a plugin for a program such as Microsoft Office, and which can reincarnate the infection after its removal.
Additionally, Red October doesn’t simply focus on standard computers, but is also able to infect and steal information from mobile devices, hijacking information from external storage drives, accessing FTP servers and stealing information from a number of email databases.
In order to control the network of infection, Kaspersky says that over sixty domain names and several different servers, hosted in various countries, are employed. In order to keep the main command center secret, the C&C infrastructure works as a huge network of proxies.
Kaspersky believes that the cyberattackers have been active for at least five years, based on domain name registration dates and various timestamps, and the firm “strongly believes” that the origins of the malware are Russian.
This high-profile network may suggest that state sponsorship could be involved. As Kaspersky Labs notes: “The data stolen by the attackers is obviously of the highest level and includes geopolitical data which can be used by nation states.”
“Such data could be traded in the underground and sold to the highest bidder, which can be of course, anywhere. Any information harvested, including stolen credentials or confidential data, is stored for later use. For example, if an attacker needs to guess a password in another location, it is possible that harvested data could provide clues, creating an espionage network full of intelligence that hackers can refer to in need,” says Kaspersky.
After at least five years of activity, Kaspersky believes that at least 5 terabytes of confidential information could easily have been stolen.
“Since 2008, the attackers collected information from hundreds of high profile victims although it’s unknown how the data was used so far. However, it’s possible that the information was sold on the black market, or used directly,” Kaspersky warns.
The majority of infections are based in Russia, although Kazakhstan, Azerbaijan, the U.S. and even Italy have all reported a few cases already. The exploits also appear to have Chinese origins, whereas the malware modules may have a Russian background.
Red October was first brought to Kaspersky’s attention in October 2012 after a tip from an anonymous source. A full report on the spying campaign is due to be published this week. We will keep you posted.
In other internet security news
The political hacktivist collective Anonymous managed to hack into some of MIT’s websites earlier this morning in protest against the role computer crime laws and U.S. prosecutors may have played in the suicide of Aaron Swartz on Friday.
Twenty-six year old Internet activist Aaron Swartz was found hanged in his apartment in New York on Friday, having taken his own life at such a young age. He was under indictment for computer and wire fraud, facing fines and over thirty years in federal prison, and some are now blaming strict computer laws and the U.S. justice system for his untimely death.
Anonymous posted its message in red on a black background, claiming that Swartz’s prosecution was unjust and his actions were political activism, not criminal activities.
“Whether or not the government contributed to his suicide, the government’s prosecution of Swartz was a grotesque miscarriage of justice, a distorted and perverse shadow of the justice that Aaron died fighting for,” the message read.
“The situation Aaron found himself in highlights the injustice of U.S. computer crime laws, particularly their punishment regimes and the highly-questionable justice of pre-trial bargaining. Aaron’s act was undoubtedly political activism, and it had some very tragic consequences: his own death.”
Swartz was arrested in 2011 after allegedly using a laptop stashed at MIT to access J-STOR, an archive of academic journals, with a custom Python script and downloading 4.8 million articles. J-STOR charges for the documents, meaning the value of the articles amounted to a few million dollars.
Although J-STOR wasn’t interested in pressing charges, the U.S. government nevertheless proceeded with the indictment just the same. Swartz’s lawyer, Elliot Peters, was attempting to negotiate a plea bargain with prosecutors, but they remained insistent that he would have to spend time in prison.
Downloading the articles was part of Swartz’s campaign for free information online. He had pulled a similar stunt in 2008, when he snatched about 21 percent of U.S. court documents stored online and made them freely available to anyone, somewhat similar to what WikiLeaks did in 2010 and 2011.
While Swartz was suffering from severe depression, his family has attributed some of the blame for his death to his experiences of the U.S. criminal justice system. The Swartz family said in a statement that the justice system in the United States is “rife with intimidation and prosecutorial overreach”.
For its part, MIT has said that it will investigate how it handled the network breach and its role in Swartz’s prosecution. The Anonymous hackers were careful to say that they didn’t blame MIT, even apologizing for hijacking the university’s websites.
Anonymous called on the U.S. government to see the tragedy as a basis to reform computer crime and intellectual property laws and commit to a “free and unfettered internet for everybody”.
In other internet news
Internet security observers are predicting that 2013 could be the year when country-sponsored cyberwarfare goes mainstream, and some say that such attacks could also lead to actual deaths of citizens.
Last year, large-scale cyberattacks targeted at the Iranian government were uncovered, and in return, Iran is believed to have launched massive attacks aimed at U.S. banks and Saudi oil companies. At least twelve of the world’s fifteen largest military powers are currently building cyberwarfare programs, according to James Lewis, a cybersecurity expert at the Center for Strategic and International Studies.
And the situation could get a lot worse before it gets better. A full-fledged cyber Cold War is already in progress, according to some, and some security companies believe that the battle will become even more heated this year.
“Nation states and their armies will be more frequent actors and victims themselves of cyberthreats,” a team of researchers at McAfee Labs wrote in a recent report. McAfee Labs is now a subsidiary of Intel.
Michael Sutton, head of security research at cloud security company Zscaler, said he expects governments to spend furiously on building their cyber arsenals. Some may even outsource attacks to online hackers, in an effort to speed up the process.
The Obama administration and many in Congress have been more vocal about how an enemy nation or a terrorist cell could target the United States’ critical infrastructure in a cyberattack. Banks, stock exchanges, nuclear power plants and water purification systems are particularly vulnerable, according to numerous assessments delivered to Congress last year.
But after legislation aimed at preventing such attacks stalled in Congress last year, some experts believe this will be the year when cyberattacks will turn really deadly.
“Nation-state attackers will target critical infrastructure networks such as power grids at an unprecedented scale in 2013,” predicted Chiranjeev Bordoloi, CEO of security company Top Patch. “These types of attacks could grow more sophisticated, and the slippery slope could lead to the loss of human life.”