
The US Malware Developer who Helped Russia Spy on Devices

Latvian-born hacker Alexsey Belan, a Russian citizen, has been on the FBI’s list of most wanted cybercriminals for some time. His latest misdeed was the theft of 500 million Yahoo accounts in order to spy on Russian journalists and officials from both the US government and the Kremlin itself.

The US Department of Justice has formally charged him with the crime, alleging that he committed it in collaboration with another cybercriminal and two officers of the Russian Federal Security Service (FSB). Antichat was one of the cybercrime forums that Belan frequented. It is also one of the forums used by the Russian spyware company OpenGSM to recruit cybercriminals and boost its sales.

According to a Forbes investigation, OpenGSM has resold a tool for spying on iPhones and Android smartphones that was developed by an American. Killer Mobile, a company headed by Joshua Alner, created surveillance software called Tracer that has made its way to Russian shores.

A dangerous deal between Americans and Russians

A researcher who preferred to remain anonymous found an OpenGSM document that redirects users to a website owned by Alner from which a spyware kit could be obtained as part of a 600 euro package.

He also found Killer Mobile malware for Android on an OpenGSM website, proof that the company bought the vendor’s surveillance tools. In fact, Alner could have pocketed between 150 and 500 thousand dollars for that sale.

Neither Alner nor OpenGSM, which sells its software to government agencies and consumers, has commented on the investigation. Killer Mobile, a company with only ten employees, offered its malware (legally classified as a "hidden listening device") to about sixty resellers in at least ten countries, an activity that requires an export license.

The software that OpenGSM resold was used to plant spyware on the devices of almost 800 users in Russia, Kazakhstan and the European Union in 2015. Another tool that OpenGSM offered, not developed by Killer Mobile, appears to have had mobile users in the US in its crosshairs.

Tensions are on the rise between geopolitical actors, both big and small, in the cyber-sphere, and as such we are collectively entering a period of uncertainty about where we stand in terms of our own personal security on our devices. Wherever the threat may come from, be it a government agency or a malware entrepreneur, it’s always best to be protected by an advanced cybersecurity solution.

The post The US Malware Developer who Helped Russia Spy on Devices appeared first on Panda Security Mediacenter.

Who’s Behind the Yahoo Attack? It might be Russian Agents

We’re all familiar with the massive data leaks that Yahoo suffered last year. But until recently, we had very little in the way of clues as to who was behind the attacks which started at the beginning of 2014. As more evidence comes to light, it’s becoming increasingly apparent that this is not your run-of-the-mill cybercrime. According to a recent indictment by the US Department of Justice, the folks behind that attack appear to be agents of the Russian Federal Security Service.

The theft of 500 million Yahoo accounts three years ago was allegedly used as a way for the Russian government to access information on a series of targets ranging from the White House itself to cloud computing companies. Military officials, executives of financial companies, and even an airline company were also among the targeted.

In the name of espionage, this attack gave hackers the means of stealing data such as names, email addresses, and credentials. According to information provided by Yahoo in their announcement of the breach, the culprits would not have been able to access data of a more confidential nature, such as sensitive financial information.

In a somewhat ironic turn of events, the information provided by the Justice Department indictment appears to indicate that the stolen data was also used to spy on Russian government officials.

The Yahoo Attack: A Breach to Go Down in History

While this would not be the first time that Russian cybercriminals have been accused of data theft, it is in fact the first time that charges have been filed against officials operating in the shadow of Vladimir Putin. Although the FSB is supposed to help agencies of other countries track down Russian cybercriminals, in this case two of its own operatives allegedly collaborated in the theft and concealed it from their superiors.

“The involvement and direction of F.S.B. officers with law enforcement responsibilities makes this conduct that much more egregious,” said acting assistant US Attorney General Mary B. McCord.

Although the Russian administration has not given an official response to the US indictment, the country's press has called the US Department of Justice's move into question.

In any case, and regardless of who is responsible for these or other breaches, massive data leaks at services such as Yahoo highlight the need for secure credentials and for protection suited to the needs of your company, so that a cyberattack does not end in the theft of confidential information or even considerable sums of money.


‘Ghost Push’ Malware Threatens Android Users

Why should you update your Android device’s operating system? Two words. Ghost Push.

The well-known trojan has gone through several iterations and is updated frequently to bypass new security patches.

At its peak, Ghost Push infected over 600,000 Android devices daily, a colossal number. The trojan is capable of rooting phones, displaying revenue-generating ads that drain your battery, and can be used by hackers as a means of spying on the infected party.

Once a device is infected, it is virtually impossible for its owner to remove the trojan, even with a factory reset, unless the firmware is reflashed.

This is not an easy malware to get rid of.

The good news? A simple update of your Android operating system can make your phone much less penetrable to this type of malware.

However, even though Google has released Android 7, Nougat, there is still cause for concern. Recently released figures show that Android users are slow on the uptake when it comes to updating their OS. The majority of users are still running Lollipop or earlier, meaning that they are vulnerable to Ghost Push.

The latest iteration of the Ghost Push trojan

In fact, the latest iteration of the Ghost Push trojan, discovered in September 2015, can infect devices running Android Lollipop (version 5) or any earlier version of the OS.

In a recent blog post, Graham Cluley drove home the issue, emphasizing the root of what, on the surface, should be an easy problem to rectify. He said, "when you compare the take-up of new versions of Android compared to Apple iOS it's clear that one ecosystem does a much better job of getting its users to upgrade to the latest version of their OS, protecting against security vulnerabilities, than the other."

There's a reason for this. Whereas Apple controls both its hardware and the delivery of iOS updates, for Android it's a different story: carriers, smartphone manufacturers and Google all have to work together to get a new update out to users. As a result, the process takes longer, and updates reach users far less frequently than they do on iOS.

Android Users

This, unfortunately, has a knock on effect that only serves to make Android users even more vulnerable. As Cluley puts it, Android users end up feeling abandoned, and this leads to many of them venturing “into the cloudy waters of installing third-party ROMs like CyanogenMod that receive regular updates.”

Recent research also looked at the type of links that delivered the malware to users. Most were short links and ad links. The country hardest hit by the trojan was India, with more than 50 per cent of infections. Indonesia and the Philippines rank second and third, showing that the trojan is most prevalent in Asian countries. This doesn't mean it's not a threat in North America and Europe, though.

Be aware

Putting your trust in third-party sources can of course be risky, and that’s where infections like Ghost Push can be unwittingly installed by users. It’s important to be aware of what’s being installed.

Unfortunately, installing third-party ROMs and applications can often lead to the installation of malware and even ransomware. Android users should do their best to only download applications from reputable app stores and should avoid clicking on suspect third-party links, however tempting the proposition.
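The two facts the article hinges on, the Android release and where installed apps came from, can both be read off a device over `adb shell`. The following is an added example, not code from the Panda post or from any Ghost Push analysis: it parses the output of `getprop ro.build.version.release` and `pm list packages -i` and produces a triage list. The sample output strings are constructed to mirror the real command formats, the package names are invented, and the trusted-store and known-platform sets are assumptions that would need to be captured from a known-good device of the same model.

```python
"""Added example, not from the Panda post: two quick checks against the output
of `adb shell` commands to triage a device's Ghost Push exposure as the
article describes it: an Android release of 5 (Lollipop) or earlier, and apps
that did not come from a trusted store. The sample strings below are
constructed to mirror the real command output; the package names are invented.
"""
import re
from typing import Dict, Iterable, List, Optional

# Per the article, Ghost Push targets Android 5 (Lollipop) and earlier.
LAST_VULNERABLE_MAJOR = 5

# Assumption: installer package names we treat as reputable stores.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell getprop ro.build.version.release`
SAMPLE_RELEASE = "5.1.1\n"

# Constructed sample of `adb shell pm list packages -i`; preloaded platform
# apps also report installer=null, which is why an allowlist is needed.
SAMPLE_PACKAGES = """\
package:com.android.settings  installer=null
package:com.android.chrome  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.freevideo  installer=null
package:com.example.cleaner  installer=com.example.sideloader
"""

# Assumption: platform packages captured from a known-good device of the same model.
KNOWN_PLATFORM = {"com.android.settings"}


def vulnerable_to_ghost_push(release: str) -> bool:
    """True when the reported release is Lollipop (5.x) or earlier."""
    m = re.match(r"\s*(\d+)", release)
    if not m:
        raise ValueError(f"unparseable release string: {release!r}")
    return int(m.group(1)) <= LAST_VULNERABLE_MAJOR


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package name -> installing package, None when pm reports 'null'."""
    installers: Dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def sideloaded(installers: Dict[str, Optional[str]],
               trusted: Iterable[str] = TRUSTED_INSTALLERS,
               known_platform: Iterable[str] = ()) -> List[str]:
    """Packages whose installer is not a trusted store, minus known platform apps.

    This is a triage list for a human, not proof of infection: a third-party
    ROM or OEM store will show up here until it is added to `trusted`.
    """
    trusted = set(trusted)
    known_platform = set(known_platform)
    return sorted(pkg for pkg, inst in installers.items()
                  if pkg not in known_platform and inst not in trusted)


def triage(release: str, pm_output: str, known_platform=KNOWN_PLATFORM) -> dict:
    """Combine both checks into one report for the device."""
    return {
        "release": release.strip(),
        "os_in_ghost_push_range": vulnerable_to_ghost_push(release),
        "untrusted_installs": sideloaded(parse_installers(pm_output),
                                         known_platform=known_platform),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_RELEASE, SAMPLE_PACKAGES))
```

On the constructed sample this reports the OS as in range and flags `com.example.cleaner` and `com.example.freevideo` for review. Note the limits: a trojan that has already rooted the device and written itself to the system partition can report whatever `pm` is told to report, so the check is a screening step before reflashing, not a substitute for it.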


Keeping web browsing private from your ISP is as easy as VPN

By now you’ve probably read that Congress passed and President Trump signed legislation undoing measures that would have prevented internet service providers (ISPs) from sharing or selling your web browsing history without your permission. That signature means companies such as Comcast, Verizon, and AT&T – who already can see your every online move – can profit from your private search data by selling it to advertisers. 

China-based ‘Cloud Hopper’ Campaign Targets MSPs and Cloud Services

A new report by PwC UK and BAE Systems has revealed a sophisticated cyber campaign “of unprecedented size and scale” targeting managed IT service providers (MSPs). The campaign, dubbed Operation Cloud Hopper, was motivated by espionage and information gathering, as evidenced by the attackers’ choice of high value and low profile targets.

The authors of the report were able to conclude that Operation Cloud Hopper is almost certainly the work of a previously known group called APT10. The APT10 group is already well known in the world of cybersecurity, and it is a widely held view that it is based in China.

By analysing when the attackers were active and where their infrastructure was located, the report's authors established with a high level of confidence the identity of the group, its location in China, and the extent of the campaign. They were even able to sketch a portrait of the group's working day, including "a two hour lunch break".
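The working-day portrait comes from a simple idea: timestamps of attacker activity are in UTC, but people keep local office hours, so the UTC offset that lines the activity up with a working day is evidence of where the operators sit, and a mid-day gap is the lunch break. The block below is an added example that reduces that analysis to its core; it is not the PwC/BAE method or data, the timestamps are constructed, and the nine-to-six working day is an assumption.

```python
"""Added example, not from the PwC/BAE report or the Panda post: the
operational-time analysis the article describes, reduced to its core. Given
UTC timestamps of attacker activity, bucket them by hour of day, find the UTC
offset under which the activity best fits a local working day, and list the
working hours with no activity (a lunch break shows up as a gap). The
timestamps are constructed; the report's data and its full method are not
reproduced here.
"""
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List

WORKDAY = range(9, 18)  # assumed local working hours, 09:00-17:59


def hour_histogram(timestamps: Iterable[datetime]) -> List[int]:
    """Event counts per UTC hour of day, index 0..23 (naive datetimes are taken as UTC)."""
    hist = [0] * 24
    for ts in timestamps:
        if ts.tzinfo is not None:
            ts = ts.astimezone(timezone.utc)
        hist[ts.hour] += 1
    return hist


def workday_fit(hist: List[int], offset_hours: int) -> int:
    """Events inside WORKDAY once UTC hours are shifted to local time."""
    return sum(hist[h] for h in range(24) if (h + offset_hours) % 24 in WORKDAY)


def infer_utc_offset(hist: List[int]) -> int:
    """Whole-hour UTC offset (-12..+14) whose local working day covers the most
    events; ties go to the smaller absolute offset."""
    return max(range(-12, 15), key=lambda off: (workday_fit(hist, off), -abs(off)))


def idle_local_hours(hist: List[int], offset_hours: int) -> List[int]:
    """Local working hours with zero activity under the given offset."""
    return [h for h in WORKDAY if hist[(h - offset_hours) % 24] == 0]


def profile(timestamps: Iterable[datetime]) -> Dict[str, object]:
    """Best-fit offset, share of events inside that working day, and idle hours."""
    hist = hour_histogram(timestamps)
    off = infer_utc_offset(hist)
    total = sum(hist)
    return {
        "utc_offset": off,
        "workday_share": workday_fit(hist, off) / total if total else 0.0,
        "idle_working_hours": idle_local_hours(hist, off),
    }


def constructed_activity(days: int = 10, local_offset: int = 8) -> List[datetime]:
    """Constructed sample: an operator active 09-12 and 14-18 local time at
    UTC+8, three events per working hour, plus two late-evening events that
    stand in for automated beacons."""
    tz = timezone(timedelta(hours=local_offset))
    first_day = datetime(2016, 3, 7, tzinfo=tz)
    events = []
    for d in range(days):
        day = first_day + timedelta(days=d)
        for hour in (9, 10, 11, 14, 15, 16, 17):
            for minute in (5, 25, 45):
                events.append(day.replace(hour=hour, minute=minute))
    events.append(first_day.replace(hour=22))
    events.append((first_day + timedelta(days=3)).replace(hour=22, minute=30))
    return events


if __name__ == "__main__":
    print(profile(constructed_activity()))
```

On the constructed sample the best fit is UTC+8 with idle working hours 12 and 13, i.e. a two-hour gap in the middle of the day. A whole-hour offset covers several countries, operators can deliberately shift their hours, and automated tasks blur the picture, so this is supporting evidence; the report combined it with the group's infrastructure, tooling and choice of targets.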

“Operating alone, none of us would have joined the dots to uncover this new campaign of indirect attacks,” Richard Horne, cyber security partner at PwC, recently told the BBC.

APT10 appears to be a well-staffed, highly organized operation with extensive logistical resources. According to the report, the group uses a variety of customized open-source software, original bespoke malware, and spear phishing techniques to infiltrate their targets’ systems.

Their strategy of choosing MSPs as a primary target has given them “unprecedented potential access to the intellectual property and sensitive data of those MSPs and their clients globally,” according to the report. “Given the level of client network access MSPs have, once APT10 has gained access to a MSP, it is likely to be relatively straightforward to exploit this and move laterally onto the networks of potentially thousands of other victims.”

Luis Corrons, technical director of PandaLabs, points out that carefully selecting targets, and customizing attacks accordingly, is more common every day. “Aside from the myriads of common cyberattacks businesses regularly have to deal with, nowadays we are witnessing huge increases in the amount of attacks in which cybercriminals are actually inside their victim’s network, adapting to his defenses and carrying out strikes with surgical precision as they target specific assets,” wrote Mr. Corrons in an email.

The Cloud Hopper campaign comes at a time when geopolitical tensions are increasingly crossing over into the realm of cyberespionage and cyberwarfare. Though the report does not openly suggest that there was any involvement on the part of the Chinese government, it does point out that the targeting of diplomatic and political organizations, as well as certain companies, “is closely aligned with strategic Chinese interests.”


Adaptive Defense Lets You Rest Easy

Fortunately, targeted attacks, even sophisticated ones perpetrated by highly professional groups like APT10, are a piece of cake for Panda's Adaptive Defense. Because it sees everything happening on every computer, it can stop these kinds of attacks proactively. Adaptive Defense can also provide forensic information about threats, giving detailed and intelligent traceability for everything that happens on a company's IT infrastructure: threat timeline, information flow, the behavior of active processes, and so on.

Adaptive Defense 360 is the first cybersecurity managed service that combines next-generation protection (NG EPP) and detection and remediation technologies (EDR), with the ability to classify 100% of running processes. With this innovative technology, it is able to detect and block malware that other protection systems miss.


Millions of iCloud Accounts Could Be Wiped if Apple Refuses Ransom

No less than $75,000 in cryptocurrency (Bitcoin or Ether), or $100,000 in iTunes gift cards — this is the exorbitant ransom that cybercriminals have demanded from Apple. The group, calling themselves the Turkish Crime Family, claims to have stolen access to 300 million iCloud accounts, and have threatened to wipe them on April 7 (tomorrow) if the corporation doesn’t pay up.

The cybercriminals sent a series of screenshots to Motherboard that apparently show an exchange of emails between the hacker group and Apple's security team. They also provided access to one of the email accounts that they allegedly used to communicate with the company and lay down their conditions for the deal.

According to the messages on the account, the cybercriminals uploaded videos to YouTube to show how they were able to log in to several stolen iCloud accounts and even showed how they were able to access an elderly woman’s photos and remotely delete them.

Apple Won’t Be Had So Easily

Allegedly, an Apple employee had asked the criminals to take down the video that they’d uploaded to YouTube. The company also declared, “We do not reward cyber criminals for breaking the law”.

There are a few holes in the attackers' story. In the initial correspondence, they claimed to have accessed 300 million accounts on Apple's iCloud, but on the Turkish Crime Family Twitter account the claim was a more modest 200 million. In later correspondence, the number jumped to 559 million.

"I just want my money and thought this would be an interesting report that a lot of Apple customers would be interested in reading and hearing," one of the hackers told Motherboard. It seems clear that one of the group's strategies is to pressure Apple by making their actions public and alarming as many Apple customers as possible.

However, a spokesperson for Apple has stated that “there have not been any breaches in any of Apple’s systems including iCloud and Apple ID.” The supposed list of email addresses and passwords may therefore have been obtained through a third-party service that had been previously compromised.

The spokesperson also stated that they are “actively monitoring to prevent unauthorized access to user accounts and are working with law enforcement to identify the criminals involved.” We’ll have to wait until tomorrow to see if there is a real threat, or if the hackers are simply bluffing.

In any event, the company has taken the opportunity to remind users to use strong passwords, not to reuse the same credentials across websites, and to turn on two-step verification to add an extra layer of security.


The Russian Government Uses Known Black Hat for Cyberespionage

Evgeniy M. Bogachev is in his early thirties and lives a comfortable life among his collection of luxury cars in a small resort city on the shores of the Black Sea. He is the most-wanted cybercriminal in the world, and the FBI is offering 3 million dollars for his capture.

The US accuses Bogachev of having built a global botnet of infected computers with the intention of siphoning millions of dollars from bank accounts all over the world. According to reporting from The New York Times, the cybercriminal's victims ranged from private users to public organizations, such as a pest control company in North Carolina or a police precinct in Massachusetts.

However, Bogachev is seemingly much more than your common cybercrook. The FBI suspects that although he probably got into the business for the same reason as most cybercriminals (money), his activities have grown more complex with time. In fact, he is also suspected of controlling more than a million computers around the world, with access to photographs, documents, and all kinds of confidential personal and corporate information. So what began as a way of draining bank accounts all over the world for huge financial gain has become a unique window of opportunity for Russian intelligence agencies to carry out wide-reaching espionage.

While Bogachev perpetrated his cyber-heists, the Russian authorities appear to have not only turned a blind eye, but also shown their appreciation of his work. Given the extent of Bogachev's access to computers all over the globe, Russian intelligence allegedly obtained, among other things, information from military services with ties to the conflicts in Ukraine and Syria. According to the Times, they also appear to have accessed information from US intelligence agencies.

At the moment, the attacks carried out by Bogachev under pseudonyms like slavik, lucky12345 or pollingsoon are going unpunished. Russia has no extradition treaty with the United States, and Russian officials have stated that as long as Bogachev does not commit any crime in Russian territory, there would be no reason to stop him.

The logical conclusion of this stance toward international cybercrime is troubling. It implies that the sale of malware by Russian cybercriminals in the dark corners of the internet, or even the theft of money, could be given a pass by Russian agencies.

If confirmed, the situation would prove that black hats could be recruited as mercenaries in cyber-conflicts between the world’s major powers. In such a scenario, the victims (i.e., individuals and businesses) are mere pawns in a game of cyberwar. The loss of things that are of great value to you, such as your privacy, confidential data, even the money in your bank accounts, is seen as mere collateral damage caught up in the forces of conflict between rival nations. It is now more indispensable than ever to have the necessary security tools to protect yourself and guarantee the safety of your digital assets.
