WannaCry hero arrested over banking malware

Hutchins accused of writing Kronos banker.

Marcus Hutchins, the security researcher credited for blunting the effect of the WannaCry ransomware attack in May this year, has been arrested in the United States.

Briton Hutchins – who goes under the name Malwaretech – and an unnamed individual were arrested in Las Vegas ahead of this week’s Black Hat and DefCon security conferences.

A US grand jury indictment published by Motherboard states the pair face six charges related to creating, distributing and demonstrating the Kronos malware in 2014.

Hutchins is said to have written Kronos, while the unnamed defendant sold the malware on the Alphabay dark web market and Russian internet forums for an asking price of US$2000 to US$3000.

Kronos is a credentials-stealing malware that attempts to exfiltrate victims’ bank account details to the attackers that control it.

The unnamed defendant is said to have demonstrated Kronos in a YouTube video as part of his marketing effort for the malware. It was available until recently but has now been taken down by YouTube.

Another YouTube video purporting to show how to set up Kronos for a banking botnet remains available.

Hutchins rose to fame in May after he registered a domain that halted the spread of WannaCry.

He was widely lauded for his quick thinking, and received a US$13,000 bug bounty for his efforts.

WannaCry ransom money on the move

Separately, the ransom collected by the WannaCry attackers has been moved out of the Bitcoin digital wallets it was being stored in.

The Actual Ransom Twitter bot tweeted that three wallets had been emptied of a total of US$140,000 (A$176,200) in Bitcoin.

It’s not clear at this stage what the final destination of the WannaCry ransom is, or who is trying to cash out the payments.

View the Original article

Botnet builder gets almost four years in prison

Earnt millions from Linux malware.

The man who built the infrastructure for the Ebury botnet has received a 46-month prison sentence in the United States after pleading guilty to wire fraud and other computer crimes charges.

Forty-one-year-old Russian Maxim Senakh was arrested by Finnish police for his role in the Ebury botnet and extradited to the US in January this year.

The US Department of Justice said Senakh supported the Ebury campaign by creating accounts with domain registrars to develop the botnet infrastructure.

According to the US DoJ, Senakh and an associate known only as “Silver Fox”

Bail for arrested UK researcher who stopped WannaCry

Out of custody on $30,000 surety.

A judge in Las Vegas set a US$30,000 (A$37,853) bail for a British cyber security researcher accused of advertising and selling malicious code used to pilfer banking and credit card information.

Marcus Hutchins, also known as MalwareTech, won’t be released until Monday United States time.

His lawyer Adrian Lobo said she expected him to be on a flight on Tuesday to Wisconsin, where a six-count indictment against him was filed in US district court. 

Hutchins was receiving support from a “variety of sources” around the world to post his bail, she said.

Judge Nancy Koppe dismissed a federal prosecutor’s claim that Hutchins was a flight risk, though she did order him to surrender his passport. If released, Hutchins would be barred from computer use or internet access.

Marcus Hutchins, 23, gained celebrity status worldwide in May when he was credited with mitigating the spread of the global WannaCry ransomware attack.

He was indicted along with an unnamed co-defendant on July 12, alleged to have been involved in the creation and sale of the Kronos banking malware.

The case remained under seal until Thursday, a day after his arrest in Las Vegas, where he and tens of thousands of others flocked for the annual Black Hat and Def Con security conventions.

Hutchins allegedly advertised, distributed and profited from the Kronos malware between July 2014 and 2015, according to the indictment. If downloaded from email attachments, Kronos left victims’ systems vulnerable to theft of banking and credit card credentials, which could have been used to siphon money from bank accounts.

Hutchins was “doing well, considering what’s gone on,” Lobo told reporters. She said Hutchins never expected to be in his current situation and that she did not know the identity of his co-defendant.

News of Hutchins’ arrest on Wednesday shocked other researchers, many of whom rallied to his defence and said they did not believe he had ever engaged in cyber crime.

Blood Service escapes penalties in data breach investigation

Contractor given harsher rebuke.

The Australian Red Cross Blood Service and its website contractor have escaped penalties from the country’s privacy watchdog over a 2016 data breach that exposed the data of 550,000 donors.

In late October last year the Blood Service revealed its website partner Precedent had inadvertently exposed a 1.74GB database backup containing 1.28 million records entered by donors as part of the appointment booking process.

A Precedent employee tasked with enhancing a feature on the Blood Service’s Donate Blood site accidentally saved a backup of the site’s user acceptance testing (UAT) database to a publicly accessible portion of the web server that hosted the UAT environment.

The database contained information on the 550,000 prospective donors who had booked an appointment to donate blood between 2010 and 5 September 2016.

The exposed file contained people’s names, genders, physical and email addresses, phone numbers, dates and countries of birth, as well as sensitive medical information such as blood type and instances of high-risk sexual behaviour.

An anonymous individual discovered the file while scanning IP address ranges and notified security researcher Troy Hunt, who alerted Australia’s computer emergency response team AusCERT.

Privacy commissioner Timothy Pilgrim at the time said his office would investigate the breach, which – due to its scale and severity – is considered Australia’s biggest and most sensitive data breach to date.

The OAIC today announced the results of its 10-month investigation

Ships are turning back to radio to avoid cyber attack

Threats prompt return of WW2 tech for navigation.

The risk of cyber attacks targeting ships’ satellite navigation is pushing nations to delve back through history and develop back-up systems with roots in World War Two radio technology.

Ships use GPS and other similar devices that rely on sending and receiving satellite signals, which many experts say are vulnerable to jamming by hackers.

About 90 percent of world trade is transported by sea and the stakes are high in increasingly crowded shipping lanes. Unlike aircraft, ships lack a back-up navigation system and if their GPS ceases to function, they risk running aground or colliding with other vessels.

South Korea is developing an alternative system using an earth-based navigation technology known as eLoran, while the United States is planning to follow suit. Britain and Russia have also explored adopting versions of the technology, which works on radio signals.

The drive follows a series of disruptions to shipping navigation systems in recent months and years. It was not clear if they involved deliberate attacks; navigation specialists say solar weather effects can also lead to satellite signal loss.

Last year, South Korea said hundreds of fishing vessels had returned early to port after their GPS signals were jammed by hackers from North Korea, which denied responsibility.

In June this year, a ship in the Black Sea reported to the US Coast Guard Navigation Centre that its GPS system had been disrupted and that over 20 ships in the same area had been similarly affected.

US Coast Guard officials also said interference with ships’ GPS disrupted operations at a port for several hours in 2014 and at another terminal in 2015. It did not name the ports.

The NotPetya ransomware attack that hit AP Moller-Maersk’s IT systems in June and made global headlines did not involve navigation but underscored the threat hackers pose to the technology dependent and inter-connected shipping industry. It disrupted port operations across the world.

The eLoran push is being led by governments who see it as a means of protecting their national security. Significant investments would be needed to build a network of transmitter stations to give signal coverage, or to upgrade existing ones dating back decades when radio navigation was standard.

US engineer Brad Parkinson, known as the “father of GPS” and its chief developer, is among those who have supported the deployment of eLoran as a back-up.

“ELoran is only two-dimensional, regional, and not as accurate, but it offers a powerful signal at an entirely different frequency,” Parkinson said.

“It is a deterrent to deliberate jamming or spoofing, since such hostile activities can be rendered ineffective.”

Korean stations

Cyber specialists say the problem with GPS and other global navigation satellite systems (GNSS) is their weak signals, which are transmitted from 12,500 miles above the Earth and can be disrupted with cheap jamming devices that are widely available.

Developers of eLoran – the descendant of the loran (long-range navigation) system created during World War II – say it is difficult to jam as the average signal is an estimated 1.3 million times stronger than a GPS signal.

To do so would require a powerful transmitter, large antenna and lots of power, which would be easy to detect, they add.

Shipping and security officials say the cyber threat has grown steadily over the past decade as vessels have switched increasingly to satellite systems and paper charts have largely disappeared due to a loss of traditional skills among seafarers.

“My own view, and it is only my view, is we are too dependent on GNSS/GPS position fixing systems,” said Grant Laversuch, head of safety management at P&O Ferries.

“Good navigation is about cross-checking navigation systems, and what better way than having two independent electronic systems.”

Lee Byeong-gon, an official at South Korea’s Ministry of Oceans and Fisheries, said the government was working on establishing three sites for eLoran test operations by 2019 with further ones to follow after that.

But he said South Korea was contending with concerns from local residents at Gangwha Island, off the west coast.

“The government needs to secure a 40,000 pyeong (132,200 square metre) site for a transmitting station, but the residents on the island are strongly opposed to having the 122 to 137 metre-high antenna,” Lee said.

In July, the United States house of representatives passed a bill which included provisions for the US Secretary of Transportation to establish an eLoran system.

“This bill will now go over to the senate and we hope it will be written into law,” said Dana Goward, president of the US non-profit Resilient Navigation and Timing Foundation, which supports the deployment of eLoran.

“We don’t see any problems with the President signing off on this provision.”

The previous administrations of Presidents George W. Bush and Barack Obama both pledged to establish eLoran but never followed through. However, this time there is more momentum.

In May, US Director of National Intelligence Daniel Coats told a senate committee the global threat of electronic warfare attacks against space systems would rise in coming years.

“Development will very likely focus on jamming capabilities against … global navigation satellite systems, such as the US global positioning system,” he said.

Spoofing dangers

Russia has looked to establish a version of eLoran called eChayka, aimed at the Arctic region as sea lanes open up there, but the project has stalled for now.

“It is obvious that we need such a system,” said Vasily Redkozubov, deputy director general of Russia’s Internavigation Research and Technical Centre.

“But there are other challenges apart from eChayka, and

Microsoft patches first critical Linux on Windows bug

Total of 25 critical vulnerabilities fixed this month.

Microsoft’s monthly Patch Wednesday bundle of fixes sees a total of 25 critical vulnerabilities in several products taken care of, including the first fix for a security flaw in the Windows Subsystem for Linux (WSL).

Attackers who are logged in locally could abuse the bug in how WSL handles named-pipe interprocess communication, and execute code with full administrator privileges.

Microsoft said the privilege escalation vulnerability (CVE-2017-8622), which affects Windows 10 version 1703 64-bit, is unlikely to be exploited.

The Windows Subsystem for Linux appeared last year. It is the result of a collaboration between Microsoft and Canonical, which develops Ubuntu, and allows users to run Linux binary executables on Windows 10.

Memory corruption issues continue to plague Microsoft’s scripting engine for Windows used by Internet Explorer and the Edge web browsers, with 17 bugs that allow remote code execution being squashed this month.

Such vulnerabilities could be exploited through web pages that contain malicious JavaScript that triggers the flaws in the scripting engine.

This month’s fixes for critical vulnerabilities also handle remote code execution flaws in the Microsoft JET database engine, and the Windows Search, input method editor, and PDF document components.

Patches are also available for Microsoft’s Remote Desktop Protocol, Sharepoint collaboration tool, SQL Server database and other software including the built-in Adobe Flash Player in the Edge and Internet Explorer web browsers.

Cisco deletes Meraki customer data in config bungle

Unsure what info is lost.

Network equipment giant Cisco has owned up to an embarrassing blunder for its Meraki management platform that has led to customer data being deleted in the service offering’s cloud storage.

Cisco said its Meraki engineers made a configuration change error on the North American object storage service.

“On August 3rd, 2017, our engineering team made a configuration change that applied an erroneous policy to our North American object storage service and caused certain data uploaded prior to 11:20AM Pacific time on August 3 to be deleted,” Cisco said.

Lost data includes customer Meraki dashboard custom splash page themes and organisation logos, floor plans, and device placement photos.

Custom enterprise apps in the Cisco Meraki System Manager have also been deleted, as have user voice menus, music on hold, contact images and voice mail greetings.

Customers are advised to wait while Cisco engineers work to rectify the error before uploading new data to the Meraki service.

The company said it is working out what tools it can build to help customers identify the data they have lost from the Cisco Meraki cloud.

Cisco’s Meraki service is a cloud-based management platform for networking devices, security cameras, and mobility as well as security appliances.

The Westfield chain of shopping malls and Accor Hotels are among Cisco Meraki customers.

Broadpwn flaw allows for remote takeover of smartphones

Makes self-propagating malware possible.

A vulnerability in Broadcom’s wi-fi chips can be exploited to infect mobile devices with self-propagating malware, paving the way for mass attacks that don’t require any user intervention.

Exodus Intelligence researcher Nitay Artenstein found the flaw, dubbed “Broadpwn”, in the Broadcom BCM43xx wi-fi chipsets.

They are the dominant choice for high-end smartphones, used in the likes of Samsung’s Galaxy S8, the Nexus 5 and 6 models made for Google, and all Apple iPhones after the iPhone 5, Artenstein noted.

He discovered that the firmware for the Broadcom chip is neither encrypted nor integrity-checked, making it relatively easy for attackers to reverse engineer the code and patch it.

By exploiting probe requests sent during the 802.11 wi-fi association process, together with a bug in Broadcom’s implementation of the Wireless Multimedia (WMM) quality-of-service extension, Artenstein was able to write a proof of concept that silently implants attacker code on vulnerable devices without any user interaction.

The remote attack against the Broadcom BCM43xx chipsets bypasses mitigations such as address space layout randomisation and code execution prevention, meaning it could be used to build self-propagating malware.

These mitigations largely killed off the worms that were common throughout the early 2000s. The most recent self-propagating malware of this type was the Conficker worm of 2009.

Artenstein decided to create such a network worm through Broadpwn, and testing in public showed plenty of vulnerable smartphones.

“Running an Alfa wireless adapter on monitor mode for about an hour in a crowded urban area, we’ve sniffed hundreds of SSID names in probe request packets,” Artenstein wrote.

“Of these, approximately 70 percent were using a Broadcom wi-fi chip. Even assuming moderate infection rates, the impact of a Broadpwn worm running for several days is potentially huge.”

He warned that attacks through new attack surfaces like the Broadcom chipset could resurrect network worms while also providing a backdoor into otherwise secure mobile operating systems.

Both Apple and Google issued patches for the Broadpwn vulnerability this month.

Apple removes VPNs from App Store in China

Move seen as blow to freedom of speech.

Apple is removing virtual private network (VPN) services from its app store in China, drawing criticism from VPN service providers who accuse the tech giant of bowing to pressure from Beijing cyber regulators.

VPNs allow users to bypass China’s so-called “Great Firewall”, aimed at restricting access to overseas sites.

In January, Beijing passed laws seeking to ban all VPNs that are not approved by state regulators. Approved VPNs must use state network infrastructure.

In a statement on Sunday, an Apple spokeswoman confirmed it will remove apps that don’t comply with the law from its China App Store, including services based outside the country.

Beijing has shut down dozens of China-based providers and it has been targeting overseas services as it bids to tighten its control over the internet, ahead of the Communist Party congress in August.

While personal VPN providers have been the subject of state-led attacks in the past, this marks the first time Apple has complied with requests to scrub overseas providers from its store, a move that VPN providers say is unnecessarily supportive of China’s heightened censorship regime.

VPN provider ExpressVPN said it had received a notice from Apple that its software would be removed from the China App Store “because it includes content that is illegal in China”.

“We’re disappointed in this development, as it represents the most drastic measure the Chinese government has taken to block the use of VPNs to date, and we are troubled to see Apple aiding China’s censorship efforts,” ExpressVPN said.

Other major providers, including VyprVPN and StarVPN, confirmed they also received the notice from Apple.

“We view access to internet in China as a human rights issue and I would expect Apple to value human rights over profit,” Sunday Yokubaitis, president of Golden Frog, which oversees VyprVPN, said.

Yokubaitis said Golden Frog will file an appeal to Apple over the ban.

China users with billing addresses in other countries will still be able to access VPN apps from other branches of the App Store. A number of VPN apps were still accessible on the China App store at the time of writing.

Apple is in the middle of a localisation drive in China, and named a new managing director for the region – a new role – this month.

It is also establishing a data centre with a local partner in the southwestern province of Guizhou to comply with new Chinese cloud storage regulations.

VPN providers say that while the apps are not available on the store, users are still able to manually install them using VPN support built into Apple’s operating system.

“We are extremely disappointed that Apple has bowed to pressure,” said Yokubaitis. “

Congress asks US agencies for Kaspersky documents

Panel says products could be used to carry out “nefarious activities”.

A United States congressional panel has asked 22 American government agencies to share documents on Moscow-based infosec vendor Kaspersky Lab, saying its products could be used to carry out “nefarious activities against the United States,” according to letters seen by Reuters.

The requests made on Thursday by the house of representatives committee on science, space and technology are the latest blow to the anti-virus company, which has been countering accusations by US officials that it may be vulnerable to Russian government influence.

The committee asked the agencies for all documents and communications about Kaspersky Lab products dating back to January 1, 2013, including any internal risk assessments. It also requested lists of any systems that use Kaspersky products and the names of any US government contractors or subcontractors that do so.

Kaspersky has repeatedly denied that it has ties to any government and said it would not help any government with cyber espionage. It said there is no evidence for the accusations made by US officials.

The committee “is concerned that Kaspersky Lab is susceptible to manipulation by the Russian government, and that its products could be used as a tool for espionage, sabotage, or other nefarious activities against the United States,” wrote the panel’s Republican chairman, Lamar Smith, in the letters.

They were sent to all cabinet-level agencies, including the Department of Commerce and Department of Homeland Security, as well as the Environmental Protection Agency and the National Aeronautics and Space Administration, among others.

A committee aide told Reuters the survey was a “first step” designed to canvass the US government and that more action may follow depending on the results. The committee asked for responses by August 11.

Longstanding suspicions about Kaspersky grew in the United States when diplomatic relations deteriorated following Russia’s 2014 annexation of Crimea. They soured further when intelligence agencies determined that Russia interfered in the 2016 US presidential election using cyber means.

Congress this week slapped new sanctions on Russia, in part in response to the allegations, which Moscow flatly denies. Moscow retaliated by ordering out 755 US diplomats.

US intelligence chiefs in May publicly expressed doubt about the safety of Kaspersky products for the first time, although they offered no specific evidence of any wrongdoing. The government is reviewing how many agencies use software from Kaspersky Lab.

In June, FBI agents visited the homes of Kaspersky employees as part of a counterintelligence probe, two sources familiar with the matter said. The Trump administration also took steps to remove Kaspersky from a list of approved government vendors.

A defense spending policy bill advancing in the US senate would prohibit the Department of Defense from using Kaspersky products.

Last week the company launched a free, global version of its anti-virus software, saying it would help “secure the whole world.”