The Guardian reports:

The FBI has struck a major blow against hacking groups after arresting or charging five key members . . . → Read More: LulzSec – Sabu taken down – leadership of LulzSec arrested]]> Turns out that Sabu, the leader of LulzSec, was arrested late last year and started working for the FBI since they threatened to take his kids away. Senior leaders of the group were arrested today.

The Guardian reports:

The FBI has struck a major blow against hacking groups after arresting or charging five key members of the LulzSec hacking crew and revealing that the head of the group, who went by the nickname “Sabu”, has been working for it since the middle of 2011.

Hector Xavier Monsegur, known as Sabu, was charged with 12 criminal counts of conspiracy to engage in computer hacking and other crimes in court papers in Manhattan federal court.

Monsegur, an unemployed 28-year-old Puerto Rican living in New York, pleaded guilty to carrying out online attacks against PayPal and Mastercard, documents unsealed in a Manhattan court on Tuesday shows.

The charges were filed via a “criminal information” form, which means the suspect, Sabu, has likely been cooperating with the government.

Five other people – two in the UK, two in Ireland and one in Chicago – were either arrested or charged by the FBI on Tuesday.

[...] In the wake Anonymous member arrests this week, it is worth highlighting how Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DoS attacks. The Zeus client does perform DoS attacks, but it doesn’t stop there. It also steals the users’ online banking credentials, webmail . . . → Read More: Anonymous supporters voluntarily installed infected tool, leaking banking and email credentials]]> Symantec reports that

[...] In the wake Anonymous member arrests this week, it is worth highlighting how Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DoS attacks. The Zeus client does perform DoS attacks, but it doesn’t stop there. It also steals the users’ online banking credentials, webmail credentials, and cookies.

[...] The deception of Anonymous supporters began on January 20, 2012, the day of the FBI Megaupload raid. An attacker took a popular PasteBin guide, used by Anonymous members for downloading and using the DoS tool Slowloris, and modified it. In this modified version, the attacker changed the download link to a Trojanized version of the Slowloris tool with matching text

[...]

Not only will supporters be breaking the law by participating in DoS attacks on Anonymous hacktivism targets, but may also be at risk of having their online banking and email credentials stolen. The joining of malicious financial and identity fraud malware, Anonymous hacktivism objectives, and Anonymous supporter deception is a dangerous development for the online world.

 

Always be careful what you download. Think twice before participating in ‘campaigns’ against ‘the Man’. You can’t trust anyone on the Internet.

Feeds from thousands of Trendnet home security cameras have been breached, allowing any web user to access live footage without needing a password.

Internet addresses which link to the video streams have been posted to a variety of popular messageboard sites.

Users have expressed concern after finding they could view children’s bedrooms, . . . → Read More: Trendnet home security cam flaw exposes video feeds on net]]> BBC reports,

Feeds from thousands of Trendnet home security cameras have been breached, allowing any web user to access live footage without needing a password.

Internet addresses which link to the video streams have been posted to a variety of popular messageboard sites.

Users have expressed concern after finding they could view children’s bedrooms, among other locations.

[...]

The author discovered that after setting up one of the cameras with a password, its video stream became accessible to anyone who typed in the correct net address.

Trendnet says it is in the process of releasing firmware updates for its devices

In each case, this consisted of the user’s IP address followed by an identical sequence of 15 characters.

The writer then showed how the Shodan search engine – which specialises in finding online devices – could be used to discover cameras vulnerable to the flaw.

[...] Mr Wood added that the California-based firm estimated that “fewer than 1,000 units” might be open to this threat in the UK, but could not immediately provide an exact global tally beyond saying that it was “most likely less than 50,000″.

Trendnet released patches to be applied to fix this issue. I would recommend you apply them ASAP, unless you want the insides of your homes displayed on the Internet.

They report,

WASHINGTON—The Federal Bureau of Investigation said cybercriminals hacked into a cybercrime conference call between its agents and law enforcement officials overseas.

[...]The FBI said the breach wasn’t . . . → Read More: DLP lesson: Embarrassing: Anonymous tapes FBI – Scotland Yard Conference Call]]> Many outlets, amongst them the Wall Street Journal report today that the Anonymous hacker group ‘intercepted’ a conference call held by the FBI and Scotland Yard.

They report,

WASHINGTON—The Federal Bureau of Investigation said cybercriminals hacked into a cybercrime conference call between its agents and law enforcement officials overseas.

[...]The FBI said the breach wasn’t made on the agency’s secure email or other computer systems. Instead it appeared to be result of a law enforcement officer overseas who was invited to be on the FBI call and who forwarded the information to his private email account, which was compromised by hackers.

So, the meeting invite was in an email, containing conference call number and access code, and it was sent to a private email account outside of the agency networks.

Lesson: don’t forward internal/sensitive/not-for-the-public-eye-classified information outside of your company/agency/internal network. This is a classic case of DLP – Data Loss Prevention.

In October 2011, Internet infrastructure firm VeriSign released its usual quarterly report. Buried in the 50-page filing to the SEC was the revelation that the company had been breached multiple times the previous year.

The incidents . . . → Read More: Verisign hacked several times in 2010, didn’t disclose until now]]> Verisign’s DNS service was hacked a number of times, as they recently admitted in their SEC filing, InfoWorld reports:

In October 2011, Internet infrastructure firm VeriSign released its usual quarterly report. Buried in the 50-page filing to the SEC was the revelation that the company had been breached multiple times the previous year.

The incidents came to light only today, when news service Reuters found the information during an investigation of whether public companies were disclosing breach incidents in their financial statements. VeriSign’s account of the incidents carried few details, and the company refused additional comment.

In the filing, VeriSign stated, “In 2010, the company faced several successful attacks against its corporate network in which access was gained to information on a small portion of our computers and servers. We have investigated and do not believe these attacks breached the servers that support our DNS (Domain Name System) network.”

They did not divulge any more information regarding these events.

UPDATE 08/29/2011 09:30PM EDT:

GANSEC analysis: It looks like that this worm is pretty basic, the only change being the usage of the RDP-login-mechanism. It uses a dictionary based password attack against the Administrator account, using a very limited list. To us, this looks more like a trial run or experiment than a full . . . → Read More: Morto – Windows Worm spreading via RDP – Remote Desktop Connections]]>  

UPDATE 08/29/2011 09:30PM EDT:

GANSEC analysis: It looks like that this worm is pretty basic, the only change being the usage of the RDP-login-mechanism. It uses a dictionary based password attack against the Administrator account, using a very limited list. To us, this looks more like a trial run or experiment than a full scale attempt at the launch of a new serious worm.

Also, SecureWorks released this advisory today:

Description

Morto spreads in a worm-like fashion by forcing infected systems to scan for servers allowing RDP login. Once Morto finds an RDP-accessible system, it attempts to log in to a domain or local system account named ‘Administrator’ using one of 30 weak passwords.

Passwords attempted for login are:

admin, password, server, test, user, pass, letmein, 1234qwer, 1q2w3e, 1qaz2wsx, aaa, abc123, abcd1234, admin123, 111, 123, 369, 1111, 12345, 111111, 123123, 123321, 123456, 654321, 666666, 888888, 1234567, 12345678, 123456789, 1234567890

Upon successful login, Morto uploads a payload to the victim computer using the filename ‘a.dll.’

When this payload is executed, the following files are created:

* %windows%\clb.dll
* %windows%\temp\ntshrui.dll
* <system folder>\sens32.dll
* C:\windows\offline web pages\cache.txt

Infected systems will have a REG_BINARY value under HKEY_LOCAL_MACHINE\SYSTEM\Wpa named “md” created by the malware. Deleting this value prevents the malware from executing on compromised systems. However, this action does not remove or clean the malware from the compromised system.

Morto then attempts to find other systems to infect by scanning for other RDP servers on TCP port 3389.

The payload attempts to communicate with command and control servers within the following domain names:

* jifr.info
* jifr.co.cc
* jifr.co.be
* jifr.net
* qfsl.net
* qfsl.co.cc
* qfsl.co.be
[...]

Recommended Actions

The CTU Research Team encourages adherence to widely accepted best practices, which can mitigate the spread of this worm:

* Limit access to RDP from public Internet sources.
* Limit access to RDP from internal sources where possible.
* Ensure strong passwords are in use, especially for administrative accounts.
* Limit administrative access via RDP.
* Monitor for inbound RDP activity that may be indicative of attempted compromise.
* Monitor for outbound RDP activity that may be indicative of active infections.
* Monitor for outbound communications to known Command and Control servers and domains.

They also recommend to monitor the Windows Event Logs for repeated failed Administrator-level logins.

Initial post: 08/29/2011

Threatpost is reporting that a new Microsoft Worm is making the rounds, this time spreading via RDP – Remote Desktop Connections.

Threatpost states,

A new worm called Morto has begun making the rounds on the Internet in the last couple of days, infecting machines via RDP (Remote Desktop Protocol). The worm is generating a large amount of outbound RDP traffic on networks that have infected machines, and Morto is capable of compromising both servers and workstations running Windows.

Users who have seen Morto infections are reporting in Windows help forums that the worm is infecting machines that are completely patched and are running clean installations of Windows Server 2003.

[...] On Sunday, the SANS Internet Storm Center reported a huge spike in RDP scans in the last few days, as infected systems have been scanning networks and remote machines for open RDP services. One of the actions that the Morto worm takes once it’s on a new machine is that it scans the local network for other PCs and servers to infect.

Well, you may be wrong. You may be on the hook . . . → Read More: As a business, you may be responsible for fraudulent charges, not your bank]]> If you are a small-to midsize business, you may think that if you become the victim of an attack resulting in loss of money, you are protected by your bank, just like you would be if your personal credit card would get charged fraudulently.

Well, you may be wrong. You may be on the hook for the entire amount yourself.

DarkReading reports,

A recent ruling by a U.S. District Court of Maine magistrate in favor of a bank being sued by a construction company that had money stolen from its account by hackers highlights how vulnerable small to midsize business owners are to online fraud.

Unlike consumer bank accounts that come with fraud-reversal protection, businesses are left on the hook for fraudulent transfers — a fact that many remain ignorant about, but of which hackers are well-aware, say security experts.

“They don’t get the same kind of protection that an individual consumer gets, but they don’t get much more attention than an individual consumer [from banks], so they are very vulnerable from that standpoint,” says Terry Austin, CEO of Guardian Analytics. “And the criminals figured this out. A lot of the action a couple years ago was in retail banking, and we still see fraud there, but the big, really significant fraud attacks have been against the small-business community. There are hundreds of thousands of dollars, sometimes up to million-dollar attacks on these small businesses.”

This is very disconcerting. So what can you do?

You need to make sure that you are as secure as you can be.

The article continues,

But SMBs must also do their part to secure their machines. Often small-business owners assume that if they’re ever hit by bank-stealing malware, the bank will reverse charges because this is what they are conditioned to believe due to their retail banking experiences. But banks rarely extend the same fraud reversal for business accounts as they do for consumer accounts. So SMBs at the very least need to start with the most basic principles of installing security software, establishing strong passwords,and limiting access to banking credentials across the organizations. Many experts also believe that small businesses should consider buying a dedicated machine solely for online banking.

“One thing I recommend to every small business is to not bank from a computer you use for anything else, period. Just don’t do it,” says Chet Wisiniewski, senior security adviser at Sophos. “Don’t ever search the Web, don’t go to Google, don’t go to Facebook. Because of the Web risk, simply visiting an infected site puts you at risk. Do you really want to take that chance if you can buy the perfect banking netbook for $200? An alternative to that, too, is to use a live CD Linux distribution that’s not writable.”

Additionally, SMBs need to know to ask the right questions when they’re looking for a bank, Austin says.

“These small businesses don’t know how to ask their banks the right questions about their fraud policies,” Austin says, explaining that companies need to ask about what their liability is in the event of an attack, what kind of authentication the bank uses, how the bank monitors activity to look for anomalous behavior, whether the bank utilizes risk-detection technology with behavioral analytics, and what the processes are when fraud is detected.

Good advice.

HelpNetSecurity reports:

The admission comes in the wake of cyber intrusions into the networks of three US military contractors – one of them confirmed by . . . → Read More: RSA finally admits that SecurID tokens have been compromised]]> Too little, too late — they could have admitted that when it first went public – RSA finally admitted that SecurID tokens have been compromised. How many? All of them.

HelpNetSecurity reports:

The admission comes in the wake of cyber intrusions into the networks of three US military contractors – one of them confirmed by the company, others hinted at by internal warnings and an unusual domain name and password reset process.

RSA’s Chairman Art Coviello has stated that the company is offering to virtually all of its customers to replace the SecurID tokens they are currently using or to provide security monitoring services. For financial institutions, RSA is offering to also provide transactions monitoring.

No additional details about what the RSA attackers did steal that allowed them to misuse the tokens, but it seems likely that both the seeds that link every token to a specific account and the algorithm that calculates the numeric sequence generated by the token have been compromised.

If you use RSA SecurID, you will need to request new tokens for your entire organization ASAP.

Reuters reports,

They breached security systems designed to keep out intruders by creating duplicates to “SecurID” electronic keys from EMC Corp’s (EMC.N) RSA security division, said the person who was not authorized to publicly discuss the matter.

It was . . . → Read More: Lockheed Martin and other DoD contractors breached]]> Looks like hackers broke into networks owned by Lockheed Martin and other Department of Defense contractors.

Reuters reports,

They breached security systems designed to keep out intruders by creating duplicates to “SecurID” electronic keys from EMC Corp’s (EMC.N) RSA security division, said the person who was not authorized to publicly discuss the matter.

It was not immediately clear what kind of data, if any, was stolen by the hackers. But the networks of Lockheed and other military contractors contain sensitive data on future weapons systems as well as military technology currently used in battles in Iraq and Afghanistan.

They further report,

Rick Moy, president of NSS Labs, an information security company, said the original attack on RSA was likely targeted at its customers, including military, financial, governmental and other organizations with critical intellectual property.

He said the initial RSA attack was followed by malware and phishing campaigns seeking specific data that would link tokens to end-users, which meant the current attacks may have been carried out by the same hackers.

So it looks like that the attack on EMC/RSA specifically happened with retrieving the sensitive data of their customers in mind.

That is bad news. We will probably see other major companies suffering from similar attacks in the near future.