When the mastermind hackers of the notorious Carberp Banking Trojan were arrested, we thought the story had ended. But a sample that we received on May 7th, a month after the arrests, looked very suspicious. It connected to a well known URL pattern and it really was the Carberp Trojan. Moreover, the domain it connected […]
Last week during his keynote speech at the Interop IT conference, PayPal’s Chief Information Security Officer Michael Barrett pointed to a slide depicting a tombstone for passwords with the dates 1961-2013. According to Barrett, while passwords are still required for so many applications and services, they have simply outlived their usefulness. Barrett predicted that we Read more…
Today Norman and the Shadowserver Foundation released a joint detailed report dubbed Operation Hangover, which relates to a recently released ESET blog about a targeted cyber/espionage attack that appears to be originating from India. Symantec released a brief blog around this incident last week and this Q&A will provide additional information relevant to Symantec around this group.
Q: Do Symantec and Norton products protect against threats used by this group?
Yes. Symantec confirms protection for attacks associated with Operation Hangover through our antivirus and IPS signatures, as well as STAR malware protection technologies such as our reputation and behavior-based technologies. Symantec.cloud also detects the targeted emails used by this group.
Q: Has Symantec been aware of the activities of Operation Hangover?
Yes. As called out in our initial blog, multiple security vendors have been tracking this group. Symantec has been privy to information surrounding this group for a period of time and has been actively tracking their work while ensuring that the best possible protection was in place for the various threats used by them.
Q: Where does the name Operation Hangover come from?
Norman and Shadowserver derived the name Operation Hangover, as one of the most prevalent malwares used by this group contains a project debug path containing this name.
Q: How does a victim get infected?
The initial compromise occurs through a spear phishing email sent to the target. The email contains an attachment using a theme relevant to the target. Figure 1 shows the different stages in the Operation Hangover attack.
Figure 1. Operation Hangover attack
The email contains a malicious attachment that, if opened, infects the victims system or attempts to use an exploit against the target victim’s system. If successful, the first stage malware is loaded onto the victim’s system. This malware, in the most part, is from a family of Visual Basic downloaders known as Smackdown.
Following reconnaissance of the infected system by the attacker, they can then decide whether to download the second stage of malware that consists of information stealers mostly written in C++ from a malware family known as HangOve. There are several possible modules from the HangOve family downloaded, which can perform the following taks:
Q: Does Symantec know who this group is targeting?
Yes. Symantec telemetry has identified Pakistan as being the main target of this attack. With defense documents being used as a lure in these attacks, it would suggest the targets of interest are government security agencies. Symantec has however also observed this group taking part in industrial espionage in countries outside of Pakistan.
Q: How widespread is the threat?
As seen in figure 2 and 3, Symantec telemetry is reporting Pakistan as being the main country impacted by this group. These findings correspond to other researcher’s findings in relation to this group. As previously stated, it is also evident that the operations of this group does not solely focus on one target or region.
Figure 2. Heat map of Symantec telemetry for Operation Hangover related detections
Figure 3. Top 10 countries showing Symantec telemetry for Operation Hangover detections
Q: What name does Symantec give to threats used by this group?
Symantec has detection in place for the threats used by this group under the following detection names:
For Symantec customers to identify this group, we are remapping the main components of this campaign to the following:
The following Intrusion Prevention Signature (IPS) is also in place.
Q: Do Symantec/Norton products protect against known exploits used in this campaign?
Yes. The known vulnerabilities being used by this group are listed below along with the Symantec protections. At this time there is no evidence to suggest that the group are using, or have at any time used, a zero-day vulnerability in their attacks.
Q: How will this report affect the group orchestrating Operation Hangover?
Similar to other cases, despite the exposure of the Operation Hangover group, Symantec believes they will continue their activities. Symantec will continue to monitor their activities and provide protection against these attacks. As always, we advise customers to use the latest Symantec technologies and incorporate layered defenses to best protect against attacks by groups of this kind.
The public sector has a somewhat mixed record when it comes to staving off security breaches within its walls. In the UK, for example, the hugely embarrassing data losses at HMRC (Inland Revenue/Taxation services) – when the personal details of 25 million people were heavily compromised, due to what were described as “serious institutional deficiencies” – still linger in the mind a few years down the line.
On the plus side, the UK government has been heavily engaged in getting its own house in order, identifying information security as a key priority for 2013 and beyond. In recent months, new initiatives to address growing cyber security threats have been announced, with a cyber security ‘fusion cell’ established for cross-sector threat information sharing. The intention is to put government, industry and information security analysts side-by-side for the first time. The analysts will be joined by members of intelligence agencies, law enforcement and government IT, as they exchange information and techniques, and monitor cyber attacks in real time.
However, many of today’s businesses work across international boundaries, so preventing breaches and loss of data has become a world-wide challenge. According to a report from Ernst & Young, ‘Data loss prevention: Keeping your sensitive data out of the public domain’, companies in every industry sector around the globe have seen their sensitive internal data lost, stolen or leaked to the outside world.
“A wide range of high-profile data loss incidents have cost organisations millions of dollars in direct and indirect costs, and have resulted in tremendous damage to brands and reputations,” it states. “Many different types of incidents have occurred, including the sale of customer account details to external parties and the loss of many laptops, USB sticks, backup tapes and mobile devices, to name just a few. The vast majority of these incidents resulted from the actions of internal users and trusted third parties, and most have been unintentional.
“As data is likely one of your organisation’s most valuable assets, protecting it and keeping it out of the public domain is of paramount importance. In order to accomplish this, a number of DLP [Data Loss Prevention] controls must be implemented, combining strategic, operational and tactical measures.”
In the face of such global threats, governments are responding. The European Commission, for example, has introduced a computer emergency response team in each member country to promote reporting of online attacks and breaches. The recently published draft EU Cybersecurity Directive makes it compulsory for all ‘market operators’, including utilities, transport and financial services businesses, as well as public authorities who use ‘network and information systems’ within their businesses, to implement technical and organisational measures to manage cyber risks.
These organisations will be subject to independent regulation, have to disclose security breaches to the regulators, submit to compulsory regulatory audits and be sanctioned, if they fail to comply with the law.
All good news, then… But the simple reality is that any public sector department or body intent on ensuring its own security could readily put in place measures to stop such data breaches and losses, such as, for example, secure File Transfer Protocols and Data Guardians (a secure database application with up to 448-bits of Blowfish encryption), enabling the locking down of data.
Public sector organisations are often, by their nature, large and complex, making it relatively easy for a rogue employee to access a sub-set of highly sensitive data; or simply to move on to another job, with the organisation unaware that a certificate relating to that employee is about to expire, all due to a lack of adequate central management. So they need such solutions.
Take Symantec’s Managed PKI for SSL service, for example, which enables organisations to manage and deploy SSL certificates from a single centrally managed platform, while also tailoring the deployment to meet their individual requirements (such as, if your organisation needs to issue multiple SSL certificates to different internal organisations or business units. Managed PKI for SSL allows for both centralised control and delegated administration). This cloud-based approach dramatically lowers the cost and complexity of managing multiple SSL certificates by eliminating the time it takes to authenticate multiple different business units, individual purchasing, personnel, training, and maintenance expenses and complexity associated with deploying multiple SSL certificates.
What SSL does is to protect applications that demand the highest level of security – enabling the secure transmission of sensitive data, Web services-based business process automation, digital form signing, enterprise instant messaging and electronic commerce. It also protects firewalls, virtual private networks (VPNs), directories and enterprise applications. Trust lies in knowing that the people, networks and devices accessing, modifying or sharing information within a community are verified.
There can be a tendency to imagine things are worse in our own backyard, but the security issues we face in the UK are, by and large, no different from those in other countries or indeed in other industries. One manufacturer in Europe, for instance, saw its production line go down when a certificate suddenly expired. Eventually, the problem was traced to an expired SSL certificate. Symantec’s solution, through a complete audit of the company’s architecture, using a product called Certificate Intelligence Center, would have identified any certificates that were about to expire and immediately notified the business – and (if a Symantec SSL certificate) automatically have renewed the offending certificate. Instead, the outcome was estimated to be in the millions of Euros, in terms of lost production, damage to their brand, corporate reputation and a workforce standing idle.
Part 2 – the impact of the changing threat landscape.
In the first part of this 3-part blog we looked at changes in the cloud security industry and how mergers and acquisitions and vendors’ changing strategies have impacted their customers….
A famous man in a spider suit once said, “With great power, comes great responsibility.” The power that lies within the hands of Generation Z, a generation born into technology that has never lived in a time where they couldn’t conquer the world from a tablet screen, undeniably comes with great responsibility. In honor of McAfee’s Read more…
Today, Trend Micro published a report about a targeted attack campaign they’re calling SafeNet (the campaign’s name is unrelated to the security company of the same name). The group behind this campaign is utilizing spear phishing emails wi…
Financial theft is one of the most lucrative forms of cybercrime. Malware authors continue to deliver sophisticated tools and techniques to unlock online bank accounts. Attackers design and develop botnets to perform financial fraud, targeting banks and other institutions for profit. These botnets traditionally have monitored victims’ Internet activities and intercepted banking transactions to extract Read more…
年明け以降、日本語のワンクリック詐欺が Google Play で猛威を振るっています。詐欺師たちは、1 月末から 700 個にも及ぶアプリを公開しています。新しいアプリは日々公開されており、Google Play にアプリを公開するために詐欺師たちは 25 ドルの登録料を払い、これまでにおよそ 4,000 ドルを費やしています。
図 1. 開発者と開発されたアプリの合計
詐欺アプリへの対応はイタチごっこの様相を呈しています。アプリが Google Play から削除されると、詐欺師たちは別のアカウントでさらにアプリを公開します。それらもすぐに削除されますが、今度はまた別のアカウントでさらに多くのアプリを公開するのです。アプリの大半は公開された当日に削除されますが、特に週末に公開されたアプリの中には、ダウンロード数が 3 桁になるまで生き延びてしまうものもあります。こうした詐欺アプリは、アダルト動画に興味を持つユーザーを欺いて、有料サービスに登録させるためのサイトに誘い込みます。1 人でも詐欺に引っかかれば、99,800 円が詐欺師の懐に入るので、さらに多くの開発者アカウントを作って、詐欺アプリの数を増やせば、実入りも多くなるというわけです。
図 2. マルウェア作成者の開発者ページ
最近、詐欺師たちは新しい手口を思いついたようです。典型的なワンクリック詐欺アプリでは、アプリ内で Web ページを表示するために Webview クラスを使用します。通常、クリック詐欺へと誘い込むアダルト関連のサイトが表示されますが、新しいアプリでは、同じようなアダルト関連サイトでも、個人情報(Google アカウント、電話番号、国際移動体装置識別番号(IMEI)、Android ID、機種の詳細情報など)を盗み出すアプリをホストするサイトが表示されます。新しい詐欺アプリは、手動でダウンロードしてインストールする必要があるアプリのダウンローダとしての役割を果たします。
図 3. 悪質なアプリをホストするサイト
図 4. 偽の Google Play サイト。ここから悪質なアプリがダウンロードされる
図 5. デバイスからアップロードされるデータ
この新しい手口で気になるのは、詐欺師たちがアプリページの説明にランダムなキーワードを列挙していることです。従来はアダルト関連のキーワードだけが記載されていましたが、ここではより多くの人を標的にしようとしています。詐欺師たちの狙いは、アプリを探しているユーザーが詐欺アプリを偶然見つけて、アダルト風のアイコンに目を引かれてしまうことです。アプリのタイトルも、たいていはアダルト風のものですが、中にはランダムな名前のアプリもあります。
図 6. 悪質なアプリのページ
図 7. アプリの説明に列挙されているキーワード
個人情報がどのように悪用されるのかについてはまだ確認できていませんが、被害者のもとに詐欺師から何らかの形で連絡が来るものと思われます。シマンテックは、このブログで説明しているアプリを Android.Oneclickfraud として検出します。ノートン モバイルセキュリティや Symantec Mobile Security などのセキュリティアプリをデバイスにインストールすることをお勧めします。スマートフォンとタブレットの安全性に関する一般的なヒントについては、モバイルセキュリティの Web サイト(英語)を参照してください。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。
寄稿: Avdhoot Patil
有名人のスキャンダルは注目度が高く、フィッシング詐欺師もサイトに利用しようとして常に狙っています。最近では、英国の歌手で女優のリタ・オラさんを利用したフィッシングサイトが確認されています。このフィッシングサイトは、無料の Web ホスティングサイトをホストとして利用していました。
このフィッシングサイトでは、ビデオを「ソーシャルプラグイン」と称して、Facebook のログイン情報を入力するよう求めてきます。フィッシングページには、背景にリタ・オラさんが映っている偽の YouTube 画像が貼り付けられていますが、問題のビデオには、彼女が登場するアダルトビデオと思わせるタイトルが付いています。リタさんが最近注目を浴びる出来事があったことから、フィッシング詐欺師がさっそくそれに目をつけたようです。フィッシングサイトは、ログイン情報を入力すれば背景に映っているビデオを見られると思わせる作りになっています。実際には、ログイン情報を入力しても、彼女のアダルト向け画像が載っているあるサイトにリダイレクトされるだけです。もちろん、ビデオの画像が載っているサイトにユーザーをリダイレクトするのは、ログインが有効であると思わせ、疑惑をそらすためです。この手口に乗ってログイン情報を入力したユーザーは、個人情報を盗まれ、なりすまし犯罪に使われてしまいます。
インターネットを利用する場合は、フィッシング攻撃を防ぐためにできる限りの対策を講じることを推奨します。
* 日本語版セキュリティレスポンスブログの RSS フィードを購読するには、http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja にアクセスしてください。