A Trickbot Assault Shows US Military Hackers’ Growing Reach

For more than two years, General Paul Nakasone has promised that, under his leadership, United States Cyber Command would “defend forward,” finding adversaries and preemptively disrupting their operations. Now that offensive strategy has taken an unexpected form: an operation designed to disable or take down Trickbot, the world’s largest botnet, believed to be controlled by Russian cybercriminals. In doing so, Cyber Command set a new, very public, and potentially messy precedent for how US hackers will strike out against foreign actors—even those working as non-state criminals.

Over the past weeks, Cyber Command has carried out a campaign to disrupt the Trickbot gang’s million-plus collection of computers hijacked with malware. It hacked the botnet’s command-and-control servers to cut off infected machines from Trickbot’s owners, and even injected junk data into the collection of passwords and financial details that the hackers had stolen from victim machines, in an attempt to render the information useless. The operations were first reported by The Washington Post and Krebs on Security. By most measures, those tactics—as well as a subsequent effort to disrupt Trickbot by private companies including Microsoft, ESET, Symantec, and Lumen Technologies—have had little effect on Trickbot’s long-term operations. Security researchers say the botnet, which hackers have used to plant ransomware in countless victim networks, including hospitals and medical research facilities, has already recovered.

But despite its limited results, Cyber Command’s Trickbot targeting shows the growing reach of US military hackers, say cyberpolicy observers and former officials. And it represents more than one “first,” says Jason Healey, a former Bush White House staffer and current cyberconflict researcher at Columbia University. Not only is this the first publicly confirmed case of Cyber Command attacking non-state cybercriminals—albeit ones whose resources have grown to the level that they represent a national security risk—it’s actually the first confirmed case in which Cyber Command has attacked another country’s hackers to disable them, period.

“It’s certainly precedent-setting,” says Healey. “It’s the first public, obvious operation to stop someone’s cyber capability before it could be used against us to cause even greater harm.”

Security researchers had observed strange happenings in Trickbot’s massive collection of hacked computers for weeks, activity that was only recently revealed to be the work of US Cyber Command. The botnet went largely offline on September 22 when, rather than connecting back to command-and-control servers to receive new instructions, computers with Trickbot infections received new configuration files that told them to take commands instead from an incorrect IP address, cutting them off from the botmasters, according to security firm Intel 471. When the hackers recovered from that initial disruption, the same trick was used again just over a week later. Not long after, a group of private tech and security firms led by Microsoft attempted to cut off all connections to Trickbot’s US-based command-and-control servers, using court orders to ask Internet service providers to cease routing traffic to them.

But none of those actions have prevented Trickbot from adding new command-and-control servers, rebuilding its infrastructure within days or even hours of the takedown attempts. Researchers at Intel 471 used their own emulations of the Trickbot malware to track commands sent between the command-and-control servers and infected computers, and found that, after each attempt, traffic quickly returned.

“The short answer is, they’re completely back up and running,” says one researcher working in a group focused on the tech-industry takedown efforts, who asked not to be identified. “We knew this wasn’t going to solve the long-term problem. This was more about seeing what could be done via paths x-y-z and seeing the response.”

Even so, Cyber Command’s involvement in those operations represents a new kind of targeting for Fort Meade’s military hackers. In past operations, Cyber Command has knocked out ISIS communications platforms, wiped servers used by the Kremlin-linked disinformation-focused Internet Research Agency, and disrupted systems used by Iran’s Revolutionary Guard to track and target ships. (WIRED reported this week that under Nakasone, Cyber Command has carried out at least two other hacking campaigns since the fall of 2019 that have yet to be publicly revealed.) But in contrast to those asymmetric efforts to disable enemy communication and surveillance systems, Cyber Command’s Trickbot attack represents its first known “force-on-force” operation, notes Jason Healey—a cyberattack meant to disable the means for an enemy cyberattack.

Researchers Found 55 Flaws in Apple’s Corporate Network

For months, Apple’s corporate network was at risk of hacks that could have stolen sensitive data from potentially millions of its customers and executed malicious code on their phones and computers, a security researcher said on Thursday.

ARS TECHNICA

This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED’s parent company, Condé Nast.

Sam Curry, a 20-year-old researcher who specializes in website security, said that, in total, he and his team found 55 vulnerabilities. He rated 11 of them critical because they allowed him to take control of core Apple infrastructure and from there steal private emails, iCloud data, and other private information.

The 11 critical bugs were:

  • Remote Code Execution via Authorization and Authentication Bypass
  • Authentication Bypass via Misconfigured Permissions allows Global Administrator Access
  • Command Injection via Unsanitized Filename Argument
  • Remote Code Execution via Leaked Secret and Exposed Administrator Tool
  • Memory Leak leads to Employee and User Account Compromise allowing access to various internal applications
  • Vertica SQL Injection via Unsanitized Input Parameter
  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  • Wormable Stored XSS allows Attacker to Fully Compromise Victim iCloud Account
  • Full Response SSRF allows Attacker to Read Internal Source Code and Access Protected Resources
  • Blind XSS allows Attacker to Access Internal Support Portal for Customer and Employee Issue Tracking
  • Server-Side PhantomJS Execution allows attacker to Access Internal Resources and Retrieve AWS IAM Keys

Apple promptly fixed the vulnerabilities after Curry reported them over a three-month span, often within hours of his initial advisory. The company has so far processed about half of the vulnerabilities and committed to paying $288,500 for them. Once Apple processes the remainder, Curry said, the total payout might surpass $500,000.

“If the issues were used by an attacker, Apple would’ve faced massive information disclosure and integrity loss,” Curry said in an online chat a few hours after posting a 9,200-word writeup titled We Hacked Apple for 3 Months: Here’s What We Found. “For instance, attackers would have access to the internal tools used for managing user information and additionally be able to change the systems around to work as the hackers intend.”

Curry said the hacking project was a joint venture that also included fellow researchers: Brett Buerhaus, Ben Sadeghipour, Samuel Erb, and Tanner Barnes.

Among the most serious risks were those posed by a stored cross-site scripting vulnerability (typically abbreviated as XSS) in the JavaScript parser used by the servers at www.iCloud.com. Because iCloud provides service to Apple Mail, the flaw could be exploited by sending someone with an iCloud.com or Mac.com address an email that included malicious characters.

The target need only open the email to be hacked. Once that happened, a script hidden inside the malicious email allowed the hacker to carry out any actions the target could when accessing iCloud in the browser. Here is a video showing a proof-of-concept exploit that sent all of the target’s photos and contacts to the attacker.

Curry said the stored XSS vulnerability was wormable, meaning it could spread from user to user when they did nothing more than open the malicious email. Such a worm would have worked by including a script that sent a similarly crafted email to every iCloud.com or Mac.com address in the victims’ contact list.

A separate vulnerability, in a site reserved for Apple Distinguished Educators, was the result of it assigning a default password—“###INvALID#%!3” (not including the quotation marks)—when someone submitted an application that included a username, first and last name, email address, and employer.

When Coffee Machines Demand Ransom, You Know IoT Is Screwed

With the name Smarter, you might expect a maker of network-connected kitchen appliances to be, well, smarter than companies selling conventional appliances. But in the case of Smarter’s internet-of-things coffee maker, you’d be wrong.

This story originally appeared on Ars Technica.

Security problems with Smarter products first came to light in 2015, when researchers at London-based security firm Pen Test Partners found that they could recover a Wi-Fi encryption key used in the first version of the Smarter iKettle. The same researchers found that version 2 of the iKettle and the then-current version of the Smarter coffee maker had additional problems, including no firmware signing and no trusted enclave inside the ESP8266, the chipset that formed the brains of the devices. The result: The researchers showed that a hacker could probably replace the factory firmware with a malicious one. The researcher EvilSocket also performed a complete reverse engineering of the device protocol, allowing remote control of the device.

Two years ago, Smarter released the iKettle version 3 and the Coffee Maker version 2, said Ken Munro, a researcher who worked for Pen Test Partners at the time. The updated products used a new chipset that fixed the problems. He said that Smarter never issued a CVE vulnerability designation, and it didn’t publicly warn customers not to use the older models. Data from the Wigle network search engine shows the older coffee makers are still in use.

As a thought experiment, Martin Hron, a researcher at security company Avast, reverse engineered one of the older coffee makers to see what kinds of hacks he could do with it. After just a week of effort, the unqualified answer was: quite a lot. Specifically, he could trigger the coffee maker to turn on the burner, dispense water, spin the bean grinder, and display a ransom message, all while beeping repeatedly. Oh, and by the way, the only way to stop the chaos was to unplug the power cord. You can see it for yourself here.

“It’s possible,” Hron said in an interview. “It was done to point out that this did happen and could happen to other IoT devices. This is a good example of an out-of-the-box problem. You don’t have to configure anything. Usually, the vendors don’t think about this.”

When Hron first plugged in his Smarter coffee maker, he discovered that it immediately acted as a Wi-Fi access point that used an unsecured connection to communicate with a smartphone app. The app, in turn, is used to configure the device and, should the user choose, connect it to a home Wi-Fi network. With no encryption, the researcher had no problem learning how the phone controlled the coffee maker and, since there was no authentication either, how a rogue phone app might do the same thing.

That capability still left Hron with only a small menu of commands, none of them especially harmful. So he then examined the mechanism the coffee maker used to receive firmware updates. It turned out they were received from the phone with—you guessed it—no encryption, no authentication, and no code signing.

These glaring omissions created just the opportunity Hron needed. Since the latest firmware version was stored inside the Android app, he could pull it onto a computer and reverse engineer it using IDA, a software analyzer, debugger, and disassembler that’s one of a reverse engineer’s best friends. Almost immediately, he found human-readable strings.

“From this, we could deduce there is no encryption, and the firmware is probably a ‘plaintext’ image that is uploaded directly into the FLASH memory of the coffee maker,” he wrote in this detailed blog outlining the hack.

To actually disassemble the firmware—that is, to transform the binary code into the underlying assembly language that communicates with the hardware—Hron had to know what CPU the coffee maker used. That required him to take apart the device internals, find the circuit board, and identify the chips.

With the ability to disassemble the firmware, the pieces started to come together. Hron was able to reverse the most important functions, including the ones that check if a carafe is on the burner, cause the device to beep, and—most importantly—install an update.

A Ransomware Attack Has Struck a Major US Hospital Chain

Universal Health Services, a hospital and health care network with more than 400 facilities across the United States, Puerto Rico, and the United Kingdom, suffered a ransomware attack early Sunday morning that has taken down its digital networks at locations around the US. As the situation has spiraled, some patients have reportedly been rerouted to other emergency rooms and facilities and had appointments and test results delayed as a result of the attack.

An emergency room technician at one UHS-owned facility tells WIRED that their hospital has moved to all-paper systems as a result of the attack. Bleeping Computer, which first reported the news, spoke to UHS employees who said the ransomware has the hallmarks of Ryuk, which first appeared in 2018 and is widely linked to Russian cybercriminals. Ryuk is typically used in so-called “big-game hunting” attacks in which hackers attempt to extort large ransoms from corporate victims. UHS says it has 90,000 employees and treats about 3.5 million patients each year, making it one of the US’ largest hospital and health care networks.

“We are using paper for everything. All computers are completely shut down,” the UHS employee told WIRED. “Paper is workable, there is just a lot more documentation to be done so things don’t get lost—orders, meds, etc. Patient care is about the same still in the ER, since we are where the patient enters the hospital and the visit gets started. There is concern for patients who were already on the floors when this happened, but everyone is stepping up their game big time.”

“Our facilities are using their established back-up processes, including offline documentation methods,” UHS said in a statement. The company did not return a request for further comment from WIRED and would not confirm that it is a ransomware attack. The company’s statement did confirm that the “IT network across Universal Health Services facilities is currently offline, due to an IT security issue,” and that patient and employee data appear not to have been compromised in the attack.

Ransomware attacks on large organizations have been prevalent since the mid-2010s, but the pace of assaults seems to have increased in recent months. Hospitals, in particular, have long been a favorite target, because patient safety hangs in the balance when a hospital’s network goes down. In addition to UHS, the Ashtabula County Medical Center in Ohio and Nebraska Medicine have both suffered ransomware attacks in recent days that caused system outages and threatened patient services.

And earlier this month, a patient with a life-threatening condition died in Düsseldorf, Germany, after a ransomware attack at a nearby hospital forced her to be taken to a more distant facility. The episode may have been the first example of a patient who died because of the fallout from a ransomware attack.

“These incidents are hugely concerning; they could have fatal consequences,” says Brett Callow, a threat analyst at the antivirus company Emsisoft. “I would say things are as bad as they’ve ever been—worse, in fact.”

Ryuk ransomware was attributed to North Korean actors when it first emerged, but many researchers now link it instead to Russian cybercriminals. It’s often preceded by a phishing attack that infects a target with a trojan, then exfiltrates the victim’s data and triggers a Ryuk infection. The ransomware seems to be used by a few splinter groups in addition to its originators, though, making it difficult to trace and correlate activity from the presence of the malware alone. The actor that first used it throughout 2018 and 2019 seemed to go dark in April, but has recently reappeared.

A New Botnet Is Covertly Targeting Millions of Servers

Researchers have found what they believe is a previously undiscovered botnet that uses unusually advanced measures to covertly target millions of servers around the world.

This story originally appeared on Ars Technica.

The botnet uses proprietary software written from scratch to infect servers and corral them into a peer-to-peer network, researchers from security firm Guardicore Labs reported on Wednesday. Peer-to-peer (P2P) botnets distribute their administration among many infected nodes rather than relying on a control server to send commands and receive pilfered data. With no centralized server, the botnets are generally harder to spot and more difficult to shut down.

“What was intriguing about this campaign was that, at first sight, there was no apparent command-and-control (CNC) server being connected to,” Guardicore Labs researcher Ophir Harpaz wrote. “It was shortly after the beginning of the research when we understood no CNC existed in the first place.”

The botnet, which Guardicore Labs researchers have named FritzFrog, has a host of other advanced features, including:

  • In-memory payloads that never touch the disks of infected servers
  • At least 20 versions of the software binary since January
  • A sole focus on infecting secure shell, or SSH, servers that network administrators use to manage machines
  • The ability to backdoor infected servers
  • A list of login credential combinations used to suss out weak login passwords that’s more “extensive” than those in previously seen botnets

Taken together, the attributes indicate an above-average operator who has invested considerable resources to build a botnet that’s effective, difficult to detect, and resilient to takedowns. The new code base—combined with rapidly evolving versions and payloads that run only in memory—makes it hard for antivirus and other end-point protection to detect the malware.

The peer-to-peer design makes it difficult for researchers or law enforcement to shut down the operation. The typical means of takedown is to seize control of the command-and-control server. With servers infected with FritzFrog exercising decentralized control of each other, this traditional measure doesn’t work. Peer-to-peer also makes it impossible to sift through control servers and domains for clues about the attackers.

Harpaz said that company researchers first stumbled on the botnet in January. Since then, she said, it has targeted tens of millions of IP addresses belonging to government agencies, banks, telecom companies, and universities. The botnet has so far succeeded in infecting 500 servers belonging to “well-known universities in the US and Europe, and a railway company.”

Once installed, the malicious payload can execute 30 commands, including those that run scripts and download databases, logs, or files. To evade firewalls and endpoint protection, attackers pipe commands over SSH to a netcat client on the infected machine. Netcat then connects to a “malware server.” (Mention of this server suggests that the FritzFrog peer-to-peer structure may not be absolute. Or it’s possible that the “malware server” is hosted on one of the infected machines, and not on a dedicated server. Guardicore Labs researchers weren’t immediately available to clarify.)

To infiltrate and analyze the botnet, the researchers developed a program that exchanges encryption keys the botnet uses to send commands and receive data.

“This program, which we named Frogger, allowed us to investigate the nature and scope of the network,” Harpaz wrote. “Using Frogger, we were also able to join the network by ‘injecting’ our own nodes and participating in the ongoing P2P traffic.”

Before infected machines reboot, FritzFrog installs a public SSH key in the server’s “authorized_keys” file. That key acts as a backdoor in the event the weak password gets changed.

The takeaway from Wednesday’s findings is that administrators who don’t protect SSH servers with both a strong password and a cryptographic key may already be infected with malware that’s hard for the untrained eye to detect. The report has a link to indicators of compromise and a program that can spot infected machines.
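The two checks an administrator would want after reading that paragraph, written here as an added example (this is not Guardicore’s detection program or any code from the report): an audit of a user’s authorized_keys file against an allowlist of key fingerprints, and a pass over standard OpenSSH syslog lines that looks for password guessing followed by a successful password login from the same source. The key blobs, fingerprints, hostnames, addresses and log lines are all constructed for the example; the key material is a hash of a label, not a real key or an indicator of compromise.

```python
import base64
import hashlib
import re
import struct
from collections import Counter

# ---- authorized_keys audit -------------------------------------------------

def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside SSH public-key blobs (RFC 4253)."""
    return struct.pack(">I", len(data)) + data

def make_fake_ed25519_blob(seed: bytes) -> str:
    """Constructed key: real ssh-ed25519 wire format, but the 32-byte 'public key'
    is just a hash of the seed, so nothing here is a real key or an IoC."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(hashlib.sha256(seed).digest())
    return base64.b64encode(blob).decode()

def fingerprint(b64_blob: str) -> str:
    """SHA256 fingerprint in the form `ssh-keygen -lf` prints (base64, padding stripped)."""
    digest = hashlib.sha256(base64.b64decode(b64_blob)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

KEY_LINE = re.compile(r"(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp\d+|sk-[\w@.-]+)\s+(\S+)(?:\s+(.*))?$")

def parse_authorized_keys(text: str) -> list:
    """Return (type, blob, comment) per key line; blank lines, comment lines and
    leading options such as from="..." are skipped over."""
    entries = []
    for line in text.splitlines():
        m = KEY_LINE.search(line.strip())
        if m and not line.lstrip().startswith("#"):
            entries.append((m.group(1), m.group(2), (m.group(3) or "").strip()))
    return entries

def audit_authorized_keys(text: str, allowed_fingerprints: set) -> list:
    """Flag every key whose fingerprint is not on the allowlist."""
    return [
        {"type": t, "fingerprint": fingerprint(blob), "comment": comment}
        for t, blob, comment in parse_authorized_keys(text)
        if fingerprint(blob) not in allowed_fingerprints
    ]

KNOWN_BLOB = make_fake_ed25519_blob(b"admin laptop (constructed)")
ROGUE_BLOB = make_fake_ed25519_blob(b"key appended by an intruder (constructed)")
SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample ~deploy/.ssh/authorized_keys
ssh-ed25519 {KNOWN_BLOB} admin@laptop
ssh-ed25519 {ROGUE_BLOB}
"""
ALLOWED_FINGERPRINTS = {fingerprint(KNOWN_BLOB)}

# ---- password-guessing detection over sshd log lines -----------------------

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted password for (\S+) from (\S+) port")

# Constructed OpenSSH syslog lines (documentation addresses, not real hosts).
SAMPLE_AUTH_LOG = """\
Oct 14 03:12:01 web1 sshd[2101]: Failed password for root from 198.51.100.7 port 51522 ssh2
Oct 14 03:12:03 web1 sshd[2103]: Failed password for invalid user admin from 198.51.100.7 port 51530 ssh2
Oct 14 03:12:05 web1 sshd[2105]: Failed password for invalid user oracle from 198.51.100.7 port 51538 ssh2
Oct 14 03:12:07 web1 sshd[2107]: Failed password for deploy from 198.51.100.7 port 51546 ssh2
Oct 14 03:12:09 web1 sshd[2109]: Failed password for deploy from 198.51.100.7 port 51554 ssh2
Oct 14 03:12:11 web1 sshd[2111]: Failed password for deploy from 198.51.100.7 port 51562 ssh2
Oct 14 03:12:13 web1 sshd[2113]: Accepted password for deploy from 198.51.100.7 port 51570 ssh2
Oct 14 03:12:40 web1 sshd[2130]: Failed password for alice from 203.0.113.5 port 40010 ssh2
Oct 14 03:12:44 web1 sshd[2132]: Accepted publickey for alice from 203.0.113.5 port 40012 ssh2
"""

def password_guessing_sources(log_text: str, threshold: int = 5) -> dict:
    """Source IP -> failed password count, for sources at or above the threshold."""
    failures = Counter(m.group(2) for m in map(FAILED.search, log_text.splitlines()) if m)
    return {ip: n for ip, n in failures.items() if n >= threshold}

def logins_after_guessing(log_text: str, threshold: int = 5) -> list:
    """(user, ip) for password logins from a source that had been guessing: the
    weak-password entry the article describes, and a cue to audit authorized_keys."""
    noisy = password_guessing_sources(log_text, threshold)
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m and m.group(2) in noisy:
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    for entry in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWED_FINGERPRINTS):
        print("unknown key:", entry)
    print("guessing sources:", password_guessing_sources(SAMPLE_AUTH_LOG))
    print("logins after guessing:", logins_after_guessing(SAMPLE_AUTH_LOG))
```

The fingerprints are computed the way `ssh-keygen -lf` prints them, so an allowlist can be built from that command’s output on a known-good host; a key without a comment that is not on the list is exactly the kind of entry worth investigating, and a password login from a source that had just been failing repeatedly is the cue to run the audit.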

The Attack That Broke Twitter Is Hitting Dozens of Companies

A security staffer at one targeted organization who asked that WIRED not use his name or identify his employer described a more wholesale approach: At least three callers appeared to be working their way through the company directory, trying hundreds of employees over just a 24-hour period. The organization wasn’t breached, the staffer said, thanks to a warning that the company had received from another target of the same hacking campaign and passed on to its staff prior to the hacking attempts. “They just keep trying. It’s a numbers game,” he says. “If we hadn’t had a day or two’s notice, it could have been a different story.”

Phone-based phishing is hardly a new practice for hackers. But until recently, investigators like Allen and Nixon say, the attacks have focused on phone carriers, largely in service of so-called “SIM swap” attacks in which a hacker would convince a telecom employee to transfer a victim’s phone service to a SIM card in their possession. They’d use that phone number to intercept two-factor authentication codes, or as a starting point to reset the passwords to cryptocurrency exchange accounts.

The Twitter hack’s use of those same phone-based social engineering methods shows how those phishers have expanded their target lists beyond telcos, says Unit 221b’s Nixon. She posits that while this might be due to phone carriers hardening their defenses against SIM swaps, it’s more likely spurred by companies becoming newly vulnerable during the Covid-19 pandemic. With so many firms hastily shifting to remote work, she says, phone-based social engineering has become far more powerful.

The same hackers who honed their skills against telecoms have found other industries that are less well prepared for their tricks, Nixon says. “All of a sudden you’ve got these people that are highly trained, highly effective, efficient, and organized, suddenly hitting a bunch of soft targets,” she says. “And that’s probably a big reason why there’s such a problem right now.”

Despite the apparent youth of the hackers involved, Nixon says the ongoing attacks seem well coordinated, with multiple collaborators working together and hiring independent hackers offering specialized services from reconnaissance to voice acting. “Need someone that has experience with social engineering over call, great pay,” wrote one OGUser forum member in March named “biggas,” as captured in a collection of OGUser messages leaked on Telegram in April. “Looking for a social engineering god that is from USA and has a clear & normal adult voice. No little kids,” the same user wrote back in November.

Gone Vishing

In their social engineering calls with victims—including in one recorded call reviewed by WIRED—the hackers typically use a VoIP service that allows them to spoof their phone number. They attempt to establish trust with the victim by referencing seemingly private data such as the victim’s role at the company, their start date, or the names of their coworkers. In some cases, they’ll even ask the victim to confirm that they’re a “real” IT person, suggesting they look up their spoofed identity in the company’s directory or its collaboration software. When the victim seems convinced, they ask them to navigate to a fake login page address—usually for a single sign-on portal like Duo or Okta—and enter their credentials.

Another member of the hacking group immediately obtains those details and enters them into the real login page. The real login page then prompts the victim to enter their two-factor authentication code. When the user is fooled into typing that code into the fake site, it’s also relayed to the second hacker, who enters it into the real login page, allowing them to fully take over the account. The hackers’ phishing site that allows that spoofing, unlike the kind usually linked in a phishing email, is usually created only for that specific phone call and is taken down immediately after the hackers steal the victim’s credentials. The vanishing website and the lack of email evidence make this sort of phone-based social engineering harder to detect than traditional phishing.
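The relay described in the last two paragraphs works because a one-time code carries no information about which page it was typed into. As an added example (not code from the article, the investigators, or any vendor), the Python below models the same two-operator exchange twice: once against a typed code, which the genuine portal accepts, and once against a second factor that signs the origin the browser is actually on, as a WebAuthn authenticator does, which the portal rejects. The origins, secrets, the HMAC standing in for the device’s private-key signature, and the simplified code scheme are all constructed for the example.

```python
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://sso.example.test"        # constructed: the genuine single sign-on portal
LOOKALIKE_ORIGIN = "https://sso.examp1e.test"   # constructed: the callers' throwaway page


class Authenticator:
    """The victim's second factor. It can produce a one-time code (typeable anywhere)
    or sign a challenge together with the origin the browser reports, the way a
    WebAuthn authenticator does. HMAC stands in for the device's private-key signature."""

    def __init__(self, otp_secret: bytes, device_key: bytes):
        self.otp_secret = otp_secret
        self.device_key = device_key
        self.counter = 0

    def next_code(self) -> str:
        """HOTP-style 6-digit code over a counter (simplified; not the RFC 4226 truncation)."""
        self.counter += 1
        mac = hmac.new(self.otp_secret, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

    def sign(self, browser_origin: str, challenge: bytes) -> dict:
        """The signature covers the origin the browser is on plus the server's challenge."""
        sig = hmac.new(self.device_key, browser_origin.encode() + challenge, hashlib.sha256).hexdigest()
        return {"origin": browser_origin, "challenge": challenge, "sig": sig}


class LoginServer:
    """The genuine portal. It shares the OTP secret and knows the device's key."""

    def __init__(self, origin: str, otp_secret: bytes, device_key: bytes):
        self.origin = origin
        self.otp_secret = otp_secret
        self.device_key = device_key
        self.counter = 0
        self.outstanding = set()

    def verify_code(self, code: str) -> bool:
        """Accept the next code in sequence; nothing says where the code was typed."""
        self.counter += 1
        mac = hmac.new(self.otp_secret, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
        expected = f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"
        return hmac.compare_digest(code, expected)

    def issue_challenge(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.outstanding.add(challenge)
        return challenge

    def verify_assertion(self, assertion: dict) -> bool:
        """Reject unless the challenge is ours and unused and the signature covers OUR origin."""
        if assertion["challenge"] not in self.outstanding:
            return False
        self.outstanding.discard(assertion["challenge"])        # one use only
        if assertion["origin"] != self.origin:
            return False                                         # browser was on another site
        expected = hmac.new(self.device_key, self.origin.encode() + assertion["challenge"],
                            hashlib.sha256).hexdigest()
        return hmac.compare_digest(assertion["sig"], expected)


def _setup():
    otp_secret, device_key = b"constructed-otp-secret", b"constructed-device-key"
    return Authenticator(otp_secret, device_key), LoginServer(REAL_ORIGIN, otp_secret, device_key)

def relay_with_otp() -> bool:
    """The call from the article: the victim types the code into the lookalike page,
    a second operator types it into the real portal. Accepted."""
    user, server = _setup()
    code_typed_on_lookalike = user.next_code()
    return server.verify_code(code_typed_on_lookalike)

def relay_with_origin_bound_factor() -> bool:
    """Same relay, but the factor signs the origin the browser is really on. Rejected."""
    user, server = _setup()
    challenge = server.issue_challenge()                  # portal hands the challenge to the relayer
    assertion = user.sign(LOOKALIKE_ORIGIN, challenge)    # victim's browser is on the lookalike
    return server.verify_assertion(assertion)

def genuine_login() -> bool:
    """The same factor used on the real portal still works."""
    user, server = _setup()
    challenge = server.issue_challenge()
    return server.verify_assertion(user.sign(REAL_ORIGIN, challenge))

if __name__ == "__main__":
    print("OTP relayed through the fake page accepted:", relay_with_otp())
    print("origin-bound assertion relayed through the fake page accepted:", relay_with_origin_bound_factor())
    print("origin-bound login on the real portal accepted:", genuine_login())
```

The point for defenders is that the second operator in the flow above is never stopped by the user being careful; only a factor that is cryptographically tied to the real origin, not a code that can be read aloud over the phone, makes the relay fail.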

Intel Is Investigating How Confidential Data Ended Up Online

There is also a folder dedicated to the Intel Management Engine, but its contents, too, aren’t anything Intel integrators don’t already know. They’re test code and recommendations for when and how often to run those automated tests while designing systems that include an Intel CPU with the Intel ME.

One of the dump’s newer bits included “Whitley/Cedar Island Platform Message of the Week,” dated May 5. Cedar Island is the motherboard architecture that lies beneath both Cooper Lake and Ice Lake Xeon CPUs. Some of those chips were released earlier this year, while some have yet to become generally available. Whitley is the dual-socket architecture for both Cooper Lake (14 nm) and Ice Lake (10 nm) Xeons. Cedar Island is for Cooper Lake only.

Some contents provide a cryptic reference to voltage failures in some Ice Lake samples. It’s not clear if the failures apply to actual hardware delivered to customers or if they’re happening on reference boards Intel provided to OEMs for use in designing their own boards.

While Intel said it doesn’t believe the documents were obtained through a network breach, a screenshot of the conversation Kottmann had with the source provided an alternate explanation. The source said that the documents were hosted on an unsecured server hosted on Akamai’s content delivery network. The source claimed to have identified the server using the nmap port-scanning tool and from there, used a python script to guess default passwords.

Here’s the conversation:

source: They have a server hosted online by Akamai CDN that wasn’t properly secured. After an internet wide nmap scan I found my target port open and went through a list of 370 possible servers based on details that nmap provided with an NSE script.

source: I used a python script I made to probe different aspects of the server including username defaults and insecure file/folder access.

source: The folders were just lying open if you could guess the name of one. Then when you were in the folder you could go back to root and just click into the other folders that you didn’t know the name of.

deletescape: holy shit that’s incredibly funny

source: Best of all, due to another misconfiguration, I could masquerade as any of their employees or make my own user.

deletescape: LOL

source: Another funny thing is that some of the zip files you may find are password protected. Most of them use the password Intel123 or a lowercase intel123.

source: Security at its finest.

Kottmann said they didn’t know the source well, but, based on the apparent authenticity of the material, there’s no reason to doubt the source’s account of how it was obtained.

The Intel spokeswoman didn’t immediately provide a response to the claim.

Many onlookers have expressed alarm that the source code has comments containing the word backdoor. Kottmann told Ars that the word appeared two times in the source code associated with Intel’s Purley Refresh chipset for Xeon CPUs. So far, there are no known analyses of the source code that have found any covert methods for bypassing authentication, encryption, or other security protections. Besides, the term backdoor in coding can sometimes refer to debugging functions or have other benign meanings.

People are also lampooning the use of the passwords Intel123 and intel123. These are no doubt weak passwords, but it’s unlikely their purpose was to secure the contents of the archive files from unauthorized people.

This story originally appeared on Ars Technica.


Chinese Hackers Have Pillaged Taiwan’s Semiconductor Industry

Taiwan has faced existential conflict with China for its entire existence and has been targeted by China’s state-sponsored hackers for years. But an investigation by one Taiwanese security firm has revealed just how deeply a single group of Chinese hackers was able to penetrate an industry at the core of the Taiwanese economy, pillaging practically its entire semiconductor industry.

At the Black Hat security conference today, researchers from the Taiwanese cybersecurity firm CyCraft plan to present new details of a hacking campaign that compromised at least seven Taiwanese chip firms over the past two years. The series of deep intrusions—called Operation Skeleton Key due to the attackers’ use of a “skeleton key injector” technique—appeared aimed at stealing as much intellectual property as possible, including source code, software development kits, and chip designs. And while CyCraft has previously given this group of hackers the name Chimera, the company’s new findings include evidence that ties them to mainland China and loosely links them to the notorious Chinese state-sponsored hacker group Winnti, also sometimes known as Barium, or Axiom.

“This is very much a state-based attack trying to manipulate Taiwan’s standing and power,” says Chad Duffy, one of the CyCraft researchers who worked on the company’s long-running investigation. The sort of wholesale theft of intellectual property CyCraft observed “fundamentally damages a corporation’s entire ability to do business,” adds Chung-Kuan Chen, another CyCraft researcher who will present the company’s research at Black Hat today. “It’s a strategic attack on the entire industry.”

Skeleton Key

The CyCraft researchers declined to tell WIRED the names of any victim companies. Some were CyCraft customers, while the firm analyzed other intrusions in cooperation with an investigative group known as the Forum of Incident Response and Security Teams. Several of the semiconductor company victims were headquartered at the Hsinchu Industrial Park, a technology hub in the northwest Taiwanese city of Hsinchu.

The researchers found that in at least some cases, the hackers appeared to gain initial access to victim networks by compromising virtual private networks, though it wasn’t clear if they obtained credentials for that VPN access or if they directly exploited vulnerabilities in the VPN servers. The hackers then typically used a customized version of the penetration testing tool Cobalt Strike, disguising the malware they planted by giving it the same name as a Google Chrome update file. They also used a command-and-control server hosted on Google’s or Microsoft’s cloud services, making its communications harder to detect as anomalous.

From their initial access points, the hackers would attempt to move to other machines on the network by dumping stores of hashed passwords and attempting to crack them offline. Whenever possible, CyCraft's analysts say, the hackers used stolen credentials and legitimate features available to ordinary users to move through the network and gain further access, rather than infecting machines with malware that might reveal their fingerprints.

The most distinctive tactic that CyCraft found the hackers using repeatedly in the victims' networks, however, was a technique to manipulate domain controllers, the powerful servers that set the rules for access in large networks. With a custom-built program that combined code from the common hacking tools Dumpert and Mimikatz, the hackers would patch the domain controller's authentication process in memory so that a master password of their choosing was accepted for any account in the domain, alongside each account's real password, a trick known as skeleton key injection. Because the patch lives only in memory, it leaves no new account on disk and disappears when the domain controller reboots, but until then it grants access to machines across the company. "It's like a skeleton key that lets them go anywhere," Duffy says.
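One practical way to hunt for this technique in a Windows domain, added here as an illustration and not drawn from CyCraft's research or tooling: the in-memory skeleton key patch only handles the older RC4-HMAC Kerberos encryption type, so an account that normally receives AES tickets and suddenly requests RC4 ones, or a single client pulling RC4 tickets for several accounts, stands out in domain controller event 4768 records. The log lines, field layout and thresholds below are constructed for the example.

```python
"""Hunt for skeleton key-style Kerberos downgrades in domain controller logs.

Added example for this article; it is not CyCraft's detection logic and the
log lines below are constructed, not taken from any victim. Rationale: the
skeleton key technique patches LSASS on a domain controller so an attacker's
master password works for every account, and that patched code path only
handles RC4-HMAC (Kerberos etype 0x17). An account whose TGT requests
(Windows Security event 4768, TicketEncryptionType) normally use AES and
suddenly switch to RC4, or one client obtaining RC4 tickets for many
accounts, is therefore worth investigating.
"""
from collections import defaultdict

ETYPE_AES128 = 0x11
ETYPE_AES256 = 0x12
ETYPE_RC4 = 0x17
AES_TYPES = {ETYPE_AES128, ETYPE_AES256}

# Constructed, flattened 4768 records: key=value pairs separated by ';'.
SAMPLE_4768 = """\
id=4768;time=2020-03-02T08:01:10;account=alice;client=10.10.4.21;etype=0x12;status=0x0
id=4768;time=2020-03-02T08:02:40;account=alice;client=10.10.4.21;etype=0x12;status=0x0
id=4768;time=2020-03-02T08:05:03;account=bob;client=10.10.4.35;etype=0x12;status=0x0
id=4768;time=2020-03-02T08:05:44;account=legacy-scanner;client=10.10.9.8;etype=0x17;status=0x0
id=4768;time=2020-03-02T22:17:09;account=alice;client=10.10.7.200;etype=0x17;status=0x0
id=4768;time=2020-03-02T22:18:30;account=bob;client=10.10.7.200;etype=0x17;status=0x0
""".splitlines()


def parse_4768(line):
    """Parse one flattened record into a dict; the etype field becomes an int."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";") if kv)
    fields["etype"] = int(fields["etype"], 16)
    return fields


def find_rc4_downgrades(lines, baseline_window=2):
    """Return successful RC4 TGT requests for accounts that had already
    obtained at least `baseline_window` AES tickets earlier in the feed.
    The window keeps legitimately RC4-only legacy accounts out of the alerts."""
    history = defaultdict(list)   # account -> encryption types seen so far
    flagged = []
    for line in lines:
        ev = parse_4768(line)
        if ev.get("id") != "4768" or ev.get("status") != "0x0":
            continue
        acct = ev["account"].lower()
        if ev["etype"] == ETYPE_RC4:
            aes_seen = sum(1 for e in history[acct] if e in AES_TYPES)
            if aes_seen >= baseline_window:
                flagged.append({"time": ev["time"], "account": acct,
                                "client": ev["client"], "etype": hex(ev["etype"])})
        history[acct].append(ev["etype"])
    return flagged


def clients_with_multi_account_rc4(lines, min_accounts=2):
    """Return client -> set of accounts for clients that obtained RC4 TGTs for
    at least `min_accounts` distinct accounts: one operator host using a
    master password to impersonate several users looks exactly like this."""
    per_client = defaultdict(set)
    for line in lines:
        ev = parse_4768(line)
        if ev.get("id") == "4768" and ev.get("status") == "0x0" and ev["etype"] == ETYPE_RC4:
            per_client[ev["client"]].add(ev["account"].lower())
    return {c: a for c, a in per_client.items() if len(a) >= min_accounts}


if __name__ == "__main__":
    for hit in find_rc4_downgrades(SAMPLE_4768):
        print("RC4 downgrade:", hit)
    for client, accounts in clients_with_multi_account_rc4(SAMPLE_4768).items():
        print("multi-account RC4 from", client, sorted(accounts))
```

Two caveats a defender should keep in mind: environments with unpatched legacy systems legitimately issue RC4 tickets, so the baseline window has to be tuned to the domain rather than copied from here, and because the patch exists only in LSASS memory, rebooting the domain controller removes it while leaving the stolen credentials the attackers already collected fully usable.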

China Ties

CyCraft quietly published most of these findings about Operation Skeleton Key in April of this year. But in its Black Hat talk, it plans to add several new findings that help to tie the hacking campaign to mainland China.


Dutch Hackers Found a Simple Way to Mess With Traffic Lights

In movies like Die Hard 4 and The Italian Job, hijacking traffic lights over the internet looks easy. But real-world traffic-light hacking, demonstrated by security researchers in years past, has proven tougher, requiring someone to be within radio range of every target light. Now a pair of Dutch researchers has shown how hackers really can spoof traffic data to mess with traffic lights easily from any internet connection—though luckily not in a Hollywood style that would cause mass collisions.

At the Defcon hacker conference Thursday, Dutch security researchers Rik van Duijn and Wesley Neelen will present their findings about vulnerabilities in an “intelligent transport” system that would allow them to influence traffic lights in at least 10 different cities in the Netherlands over the internet. Their hack would spoof nonexistent bicycles approaching an intersection, tricking the traffic system into giving those bicycles a green light and showing a red light to any other vehicles trying to cross in a perpendicular direction. They warn that their simple technique—which they say hasn’t been fixed in all the cases where they tested it—could potentially be used to annoy drivers left waiting at an empty intersection. Or if the intelligent transport systems are implemented at a much larger scale, it could potentially even cause widespread traffic jams.

“We were able to fake a cyclist, so that the system was seeing a cyclist at the intersection, and we could do it from any location,” says Neelen. “We could do the same trick at a lot of traffic lights at the same time, from my home, and it would allow you to interrupt the traffic flow across a city.”

Neelen and van Duijn, who are cofounders of the applied security research firm Zolder, say they got curious earlier this year about a collection of smartphone applications marketed to Dutch cyclists that claimed to give them more green lights when the app is activated. In pilot projects across the Netherlands, cities have integrated traffic signals with apps like Schwung and CrossCycle, which share a rider's location with traffic systems and, whenever possible, switch lights to green as the rider approaches an intersection. The system functions as a smartphone-based version of the sensors that have long been used to detect the presence of a vehicle waiting at a red light, optimized so that a bike rider doesn't have to stop.

But given that the information about the cyclist’s location comes from the user’s smartphone, the two researchers immediately wondered if they could inject spoofed data to wreak havoc. “We were just surprised that user input is getting allowed into systems that control our traffic lights,” says Neelen. “I thought, somehow I’ll be able to fake this. I was really curious how they were preventing this.”

As it turns out, some of the apps weren't preventing it at all. Neelen and van Duijn found they could reverse engineer one of the Android apps (they declined to tell WIRED which apps they tested, since the problems they found aren't yet fixed) and generate their own cooperative awareness messages, or CAMs, the standardized messages with which vehicles report their position to roadside systems. That spoofed CAM data, sent using a Python script on the hackers' laptop, could tell traffic lights that a smartphone-carrying cyclist was at any GPS location the hackers chose, because the receiving system accepted the reported position without verifying it.

Initially, the app whose CAM inputs Neelen and van Duijn spoofed only worked to influence a couple of traffic lights in the Dutch city of Tilburg. In videos the pair recorded, they demonstrate changing the light from red to green on command, albeit with a delay in the first demo. (The nonexistent bicycle doesn't always get immediate priority in Tilburg's smartphone-optimized traffic system.)

Neelen and van Duijn later found the same spoofing vulnerability in another, similar app with a much wider implementation—they say it had been rolled out to hundreds of traffic lights in 10 Dutch cities, although they tested it only in the West Netherlands city of Dordrecht. “It’s the same vulnerability,” Neelen says. “They just accept whatever you put into them.”
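The flaw the researchers describe is a back end that takes a phone's self-reported position at face value. The following added example, which is not code from Zolder or from any of the apps tested, contrasts that naive acceptance with a server-side plausibility filter: it tracks the last accepted report per rider identity and rejects any report that would require a bicycle to move implausibly fast or to be in two places at the same instant. The CAM structure is a simplified stand-in for the real ETSI message format, and the coordinates, speed ceiling and station identifiers are constructed assumptions.

```python
"""Plausibility checks for cyclist position reports fed to traffic lights.

Added example, not code from the Zolder researchers or from any of the apps
they tested. The CAM class is a simplified stand-in for an ETSI Cooperative
Awareness Message (real CAMs are ASN.1/UPER-encoded and carry far more
fields); the speed ceiling and coordinates are constructed assumptions.
The naive path accepts whatever the phone says, which is the behaviour the
researchers exploited; the checked path rejects reports a real bicycle could
not have produced.
"""
import math
from dataclasses import dataclass

MAX_BICYCLE_SPEED_MPS = 15.0   # assumption: about 54 km/h, generous for a cyclist
EARTH_RADIUS_M = 6371000.0


@dataclass(frozen=True)
class CAM:
    station_id: str    # identity the app reports for the rider
    timestamp: float   # seconds
    lat: float
    lon: float
    intersection: str  # junction controller the report was routed to


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def accept_naively(cam):
    """The exploitable behaviour: any well-formed report requests a green light."""
    return True, "accepted"


class CamValidator:
    """Keeps the last accepted report per station and rejects impossible moves."""

    def __init__(self, max_speed_mps=MAX_BICYCLE_SPEED_MPS):
        self.max_speed_mps = max_speed_mps
        self.last = {}   # station_id -> last accepted CAM

    def accept(self, cam):
        prev = self.last.get(cam.station_id)
        if prev is not None:
            dt = cam.timestamp - prev.timestamp
            if dt <= 0:
                # same identity reported again for the same instant, e.g. at two junctions
                return False, "non-monotonic timestamp"
            speed = haversine_m(prev.lat, prev.lon, cam.lat, cam.lon) / dt
            if speed > self.max_speed_mps:
                return False, "implausible speed"
        self.last[cam.station_id] = cam
        return True, "accepted"


def replay_feed(validator, cams):
    """Run a sequence of reports through a validator; returns (accepted, reason) per report."""
    return [validator.accept(c) for c in cams]


# Constructed feed: a rider in Tilburg, then a spoofed jump to Dordrecht
# (roughly 40 km away) five seconds later, then the same identity reported
# at two Tilburg junctions for the same instant.
SPOOF_FEED = [
    CAM("bike-1", 0.0, 51.55500, 5.09130, "tilburg-01"),
    CAM("bike-1", 5.0, 51.55545, 5.09130, "tilburg-01"),     # about 50 m north
    CAM("bike-1", 10.0, 51.81330, 4.69010, "dordrecht-07"),  # teleport, rejected
    CAM("bike-1", 10.0, 51.55580, 5.09140, "tilburg-02"),    # plausible, accepted
    CAM("bike-1", 10.0, 51.55590, 5.09150, "tilburg-03"),    # duplicate instant, rejected
]

if __name__ == "__main__":
    print("naive  :", [accept_naively(c)[0] for c in SPOOF_FEED])
    print("checked:", replay_feed(CamValidator(), SPOOF_FEED))
```

A filter like this limits the damage from a script that fires fake cyclists at many junctions from one laptop, but it cannot tell a spoofed rider in a plausible place from a real one; that requires authenticating the reporting device or the intermediate back end rather than trusting the position claim itself.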


How to Know If You’ve Been Hacked, and What to Do About It

Everyone is exposed to cybercriminals or hackers trying to get at their information, but the threats aren't the same for everyone.


This story originally appeared on WIRED UK.

The average person will likely face fewer sophisticated threats than, say, a senior politician, activist, or CEO. High-profile figures may be targeted with phishing emails that are looking to steal secrets from corporate networks or initiate the transfer of large sums of money. You, your friends, and your family will likely face different threats: from people you know seeking revenge or, more likely, crime groups using automated tools to scoop up credentials en masse.

“We all like to think we’re not susceptible to social engineering or other kinds of cyberattacks, but the truth is that even intelligent, self-aware people get caught up in online scams that can have very damaging consequences, financially or socially,” says Jake Moore, a cybersecurity specialist at Eset, an internet security company.

Understanding the threats is key. Everyone has their own threat model that includes things that matter most to them—what’s important to you may not be equally important to someone else. But there’s a value to everything you do online, from Facebook and Netflix to online banking and shopping. If one of your accounts is compromised, stolen login information or financial details can be used across the web. It’s that sort of scenario that lets people order takeaways through compromised Deliveroo accounts.

While Facebook, Twitter, Instagram, and other social networks are less likely to contain your credit card details, there are other types of risk. Hacked social media accounts can be used to post compromising messages that could embarrass or defame somebody, be used for harassment, or to build up a picture of who you are and everyone you know.

“Discovering if you have been hacked can be a rather complicated task,” Moore adds. “You could wait to have it proven by losing control of your precious accounts, but like anything, it is better to be proactive and stop it from happening in the future.” If you think you’ve been hacked, here’s where to start and what you can do next.

Spot Unusual Behavior

The clearest sign that you’ve been hacked is when something has changed. You might not be able to access your Google account using your regular username and password, or there may have been a suspicious purchase charged to one of your bank accounts. These are fairly obvious indications that you’ve been compromised in some way—and hopefully banks will detect any suspicious payments before things spiral too far.

However, before any of your accounts are compromised, there may be warning signs. The account that someone is trying to break into may warn you about unusual attempts to log in. For instance, Facebook and Google will send notifications and emails alerting you to attempts to access your account. This will usually be if someone has tried to get in and failed, but alerts can also be sent when someone has successfully signed in from an unfamiliar location.

There’s barely a day that goes by without some company, app, or website suffering a data breach—from Adobe to Dungeons and Dragons. These breaches can include phone numbers, passwords, credit card details, and other personal information that would let criminals steal your identity, among other threats. Companies should be quick to tell you if they’ve been compromised, but using a breach notification service can also give you a heads-up. Haveibeenpwned and F-Secure’s identity checker will tell you about old data breaches but can also alert you to new cases where your details are swept up in compromised accounts.
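Services like Have I Been Pwned also let you check whether a specific password has appeared in a breach without disclosing the password to them. The following added example, which is not WIRED's code and not the service's own, implements the k-anonymity range query that its Pwned Passwords API uses: only the first five hexadecimal characters of the password's SHA-1 hash are sent, and the client matches the remaining 35 characters locally against every suffix returned for that range. The network call is replaced with a constructed response so the code runs offline, and the breach counts in it are invented.

```python
"""Check a password against a breach corpus without sending the password.

Added example for this article; it is not WIRED's code and not Have I Been
Pwned's. It implements the k-anonymity range query used by HIBP's Pwned
Passwords API: the client sends only the first five hex characters of the
password's SHA-1 and receives every known suffix in that range, so the
service never learns which password was checked. The HTTP call is replaced
with a constructed response (the counts are invented) so this runs offline;
a live client would GET https://api.pwnedpasswords.com/range/<prefix>.
"""
import hashlib


def sha1_prefix_suffix(password):
    """Split the uppercase hex SHA-1 of the password into (first 5, remaining 35)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body):
    """Range responses are lines of 'SUFFIX:COUNT'; return {suffix: count}."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        out[suffix.upper()] = int(count)
    return out


def breach_count(password, fetch_range):
    """Number of times the password appears in the corpus, 0 if unseen.
    `fetch_range(prefix)` must return the response body for a 5-char prefix."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the remote service. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so the "5BAA6" range is given a
# matching suffix plus two decoys; every other range returns only a decoy.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "FF36DC7D3284A39EC98E5A6FA6B74F0F8EB:1",
    ]),
}
DECOY_RANGE = "0123456789ABCDEF0123456789ABCDEF012:2\n"


def constructed_fetch_range(prefix):
    """Offline replacement for the HTTP range lookup."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), DECOY_RANGE)


if __name__ == "__main__":
    for pw in ("password", "a-long-passphrase-that-is-not-in-the-constructed-corpus"):
        prefix, _ = sha1_prefix_suffix(pw)
        seen = breach_count(pw, constructed_fetch_range)
        print(f"{pw!r}: sent only prefix {prefix}, found {seen} times")
```

The point of the scheme is that the server sees one of roughly a million possible prefixes, each covering hundreds of real hashes, so even a logged request does not reveal which password was checked. A non-zero count means the password should be retired everywhere it is used, not just on the account where you noticed a problem.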

Take Back Control

Once you know your account has been hacked, that’s when the hard work begins. Regaining control of an account may not be straightforward—depending on who has access to it—and there’s a good chance it will involve a lot of admin: anything from telling everyone you know that your email has been compromised to dealing with law enforcement.
