Weekly Cybernote #9

For this 9th edition of our Weekly Cybernote, we will as usual cover three topics. The first concerns the new banking malware Dyreza, while the second will be about how YouTube is used by hackers to sell credit card numbers. Lastly, the third point revisits an old story about Nokia, who allegedly gave in to a hacker’s threats and paid millions of euros to regain control over its OS Symbian.

Dyreza: the new malware that targets users of banking websites
After Zeus, which became famous for all the wrong reasons, researchers have identified the Dyreza Trojan horse, which is used to dupe the clients of banking websites with man-in-the-middle attacks that intercept internet users’ login credentials. The Zeus malware (or Zbot), rampant since 2006 and targeting bank clients, has given way to Dyreza, also known as “Dyre”. Recently identified by security researchers, this new Trojan also attacks bank clients and is used to launch MITM (man-in-the-middle) attacks, in which the cybercriminal intercepts the unencrypted traffic and misleads users into thinking they are on a secure connection with their bank. Even though Dyreza bears several similarities to Zeus, it is not a derivative but a new malware program. It uses an interception technique on the targeted browser to view traffic in unencrypted form, and sneaks in when a user attempts to set up a secure SSL connection with a website. During a Dyreza-led attack, the user is under the impression that he is entering his authentication credentials on his bank’s website over an SSL connection, but the malware is in fact redirecting the traffic to its own servers.

YouTube, new platform for selling credit card data
You would think that to obtain stolen credit card numbers, you would need to arm yourself with all the latest complex cryptographic tools and plunge into the Darknet, as was the case for Silk Road, the underground Canadian supermarket shut down by the FBI in 2013. Today there is a much simpler way to do this: log on to YouTube. A report that the Digital Citizens Alliance (DCA) has just published shows that Google’s website is indeed used by a large number of hackers to promote their illegal services. Simply type in the right keywords, such as “CC info with CVV” or just “how to get credit card numbers”. YouTube will then return a whole list of video adverts, which sometimes run into tens of thousands. This is the hacker’s opportunity to show some samples, just to prove that he has what he claims to have. You will then see rows of a table listing credit card numbers, the type of card (Visa, Mastercard, etc.), the cardholder’s first name and last name and even the 3-digit security code (CVV).

Nokia paid millions of euros in ransom for Symbian
A Finnish television channel recently revealed that the telecoms manufacturer Nokia was blackmailed 6 years ago by hackers and paid a “ransom” of several million euros. The events have been partially confirmed by the police. Apparently, the hackers had gotten their hands on the keys allowing the decryption of a central portion of the source code of Symbian, the operating system on older Nokia terminals. They then threatened to go public with the code, which would have compromised its integrity: it would have been possible to insert malware programs without them being detected. This was obviously a risk that Nokia did not wish to take. Following the blackmailers’ instructions, Nokia left a suitcase of cash in a parking lot, which the hackers immediately took. Nokia had warned the police beforehand, but they were unable to keep track of the blackmailers. The investigation is still ongoing.

Linux known exploit detection

The integration of a new patch into the Linux kernel has been proposed to detect attempts to exploit vulnerabilities that have already been fixed.

The principle is very simple: when a security fix is added to the kernel, a call to an “exploit” function is added alongside it (tagged, for example, with the CVE number of the vulnerability being patched). If someone later tries to exploit this vulnerability, the attempt fails because the vulnerability has been patched, but the exploit function is called so that the exploitation attempt is logged.

This concept has a clear advantage: when an attacker successfully roots your Linux system, chances are that nothing gets logged, whereas a failed exploitation attempt can now leave a record on the system.

So the argument in favor of this functionality is that most hackers will try multiple exploits before they succeed in breaking into your system, for many reasons: they may not know your Linux kernel version, or they may be script kiddies using exploitation kits that try to run multiple exploits.

The main detractors of this new security function claim that attackers, after successfully exploiting the system (with an exploit that is not patched), will be able to delete the logs that the exploit function created. A countermeasure would be to log the event immediately to an external syslog server (or directly to a SOC if the organization has one).
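As an added illustration of the mechanism described above (a user-space model written for this note, not the proposed kernel patch itself): the fixed code path rejects the oversized request and calls a hypothetical exploit() function tagged with a placeholder CVE id, so the failed attempt is recorded locally and, through an assumed remote_sink hook, can be forwarded off-box as the syslog suggestion recommends. The probe() helper, the hook and the CVE id are assumptions, not part of the kernel proposal.

```c
/* Added illustration (user-space model, not the proposed kernel patch): a fixed
 * code path rejects the bad input AND calls exploit() with the CVE id it closes. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CVE_PLACEHOLDER "CVE-YYYY-NNNN"   /* placeholder, not a real CVE id */
#define BUF_SIZE 64

static unsigned exploit_hits;              /* patched checks tripped so far */
static char last_cve[32];                  /* CVE tag of the latest attempt */
/* Assumed hook for shipping events to an external syslog/SOC collector. */
static void (*remote_sink)(const char *cve);

/* exploit(): logging hook invoked from fixed code when a patched check trips.
 * The attempt has already failed; this only records that it happened. */
static void exploit(const char *cve)
{
    exploit_hits++;
    snprintf(last_cve, sizeof last_cve, "%s", cve);
    fprintf(stderr, "exploit attempt: %s (total %u)\n", cve, exploit_hits);
    if (remote_sink) remote_sink(cve);     /* off-box before local logs can be wiped */
}

/* Hardened handler: the hypothetical bug was a missing length check. The fix
 * rejects the oversized request and records the attempt against its CVE. */
static int copy_request(char *dst, const uint8_t *src, size_t len)
{
    if (len > BUF_SIZE) {
        exploit(CVE_PLACEHOLDER);
        return -EINVAL;
    }
    memcpy(dst, src, len);
    return 0;
}

/* Drive one request of the given length (at most 4*BUF_SIZE) through the fix. */
static int probe(size_t len)
{
    static uint8_t in[4 * BUF_SIZE];
    char dst[BUF_SIZE];
    if (len > sizeof in) return -E2BIG;    /* keep the model itself safe */
    memset(in, 0x41, sizeof in);
    return copy_request(dst, in, len);
}

static unsigned exploit_count(void) { return exploit_hits; }
static const char *exploit_last_cve(void) { return last_cve; }
```

A benign request of 32 bytes passes without logging; requests of 65 and 256 bytes are refused and each increments the counter with the CVE tag.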

Another potential issue is that after years of patching the kernel, a lot of annotations and exploit function calls would accumulate in the Linux source code. In order to keep the kernel as clean as possible, one idea would be to delete these annotations after a few years (a vulnerability has little chance of being tested once it is 3 years old).

What is interesting is that even if it is based on signatures and has no chance of proactively detecting a 0day exploitation, this technique would give you precious information about hacking attempts in your organization.

Also, you might think that if you have a NIPS (Network Intrusion Prevention System) you would be able to detect these attempts without having such features in your kernel.

The problem is that your NIPS engine will be based on a signature approach, and there are plenty of techniques to bypass this approach. Advanced Evasion Techniques (AET) are a good example.

The Linux known exploit detection is also beneficial because it does not analyze the shellcode of the exploit (which might change, or use polymorphism to easily bypass a detection engine) but detects the exploitation of the vulnerability itself. This also avoids false positives.

This functionality is not considered a “must-have” that would solve all your problems: you won’t be protected against 0day attacks and you will still need to patch your operating system. It would not replace one of your security layers, but it can be considered a “nice-to-have”.

These precious logs only have value if you know what to do when such an alert is raised: you have to define a manual or automated process that will, for example, investigate what is going on in order to block the attacker.

We hope that third-party vendors will copy this initiative; it would also make a lot of sense for Adobe Acrobat to warn you about vulnerability exploitation attempts on your system.

Weekly Cybernote #8

For this eighth edition of the Weekly Cybernote, we will concentrate on three very different subjects: the hack orchestrated by Iranian cyber-spies through a bogus news website, the music streaming service Spotify whose data had been hacked, and lastly a cybercriminal in Australia who hijacked Apple devices for ransom.

A group of Iranian cyber-spies targeted more than 2000 military officials using a bogus news website
In Iran, a group of cyber-spies managed to spy on more than 2000 people, including American and Israeli military officials, using a fake news site called NewsOnAir.org. For three years, these spies used this site to target and establish contact with military personnel in the US and in Israel and hack their personal accounts on social networks. The operation was apparently orchestrated by Iranians, but there is still insufficient information to trace it back to the main mastermind. According to iSight, the site republished legitimate articles that were first published by actual press organizations, including the BBC and the press agencies Associated Press and Reuters, but with the bylines replaced by fake reporters’ names. The identities of some journalists were also stolen in this affair.

Spotify victim of a hacking
After eBay, it was Spotify’s turn to get hacked. The Swedish online music giant had in fact detected “unauthorized access” to its systems and internal data. For simple users of the service, there is not much to worry about, as only personal particulars may have been compromised. Anything more confidential, such as passwords or credit card PINs, was not involved in this operation. However, as a precaution, Spotify advises its users to log off and log on again to the service in order to update security measures. Users of the service are also urged to update their Android applications through Google Play, the Amazon Appstore or the official website. As for iOS or Windows Phone, nothing amiss has been reported.

An Australian cybercriminal demands a ransom for unlocking Apple devices
Oleg Pliss is a cybercriminal based in Australia who demanded a ransom for unlocking Apple devices. Pliss apparently “hijacked” several Australian iPhones, iPads and Macs, which he would unlock in exchange for sums ranging from 50 to 100 dollars. For almost a week, several owners of such devices in Australia were woken up by unpleasant messages indicating that their devices had been hacked and that they would need to pay a ransom in order for them to be unlocked. The hacker, who used the name of an engineer at Oracle, demanded payment from targeted users to his PayPal account before he would restore the devices to working order.