Time-delayed malware slipped onto Google Play

Google Play was urgently purged of three applications that hosted malware which redirected users to malicious content via alert messages.

It all started with a message posted on the evening of 23 January on the Avast forums. The Czech IT security vendor was informed by one of the users of its mobile antivirus of the probable presence of malware on Google Play.

Ten days passed before Avast passed the information on to Google, which reacted by removing, on Wednesday 4 February, three applications into which the malicious agent in question had been inserted.

Top of the list was the card game Durak, downloaded between 5 and 10 million times in a few weeks, according to Play Store statistics.

The two other affected applications were also listed in the "Entertainment" category. The first was an IQ test; the second offered a playful take on Russian history.

These three applications, which in fact have their roots in Russia (although their creators are not precisely known), should have been blocked under the Play Store policy that developers are subject to.

One reason in particular should have prompted their suspension: displaying advertising through Android's notification system, even though this was not a "fully-fledged feature" of the applications. And for good reason: it was precisely the malware that triggered the notifications.

Ad alert(s)

Several users of the Avast forums say they reported the problem to Google "in early January" and deplore the lack of reaction from the American Internet group.

They all detected more or less the same symptoms: each time their mobile device (smartphone or tablet) is unlocked, a web page, or a notification, opens to display an alert message.

Slow Internet connection, virus infection, out-of-date operating system, illicit files detected in memory: whatever the problem, the user is urged to take immediate action.

But if they follow the advice given, they are redirected to malicious content: both websites hosting malicious scripts and applications that steal personal data or send premium-rate SMS messages.

So as not to arouse suspicion, the malware shows... patience. It activates only under two conditions: the infected application must have been launched at least once, and the device must subsequently be rebooted.

From then on, a countdown starts. The first suspicious behaviour is generally not noticeable until a week later. Sometimes it even takes up to a month, which makes the malware all the harder to detect.

Three "legitimate" advertising networks are exploited to display the alert messages. The instructions are contained within the installation package (APK) itself, in a file named ads_settings.json.

Commands can be received from a remote server via the mobi.dash.overapp.DisplayCheckService component. The check for the device reboot is performed by mobi.dash.overapp.DisplayCheckRebootReceiver. It is even possible to change the browser's home page with mobi.dash.homepage.AdsHomepageUtils.

Below, a video demonstration of the malware by the user who uncovered the scheme:
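As an added example (not code from the article or from Avast), the following Python script triages an APK for the three indicators named above: the ads_settings.json file and the three mobi.dash component classes, looked for in the manifest and the dex code in the byte forms they take there. The sample APK it builds is a constructed stand-in zip, not a real application.

```python
import io
import zipfile

# Indicators named in the write-up above (config file and component classes).
INDICATOR_FILE = "ads_settings.json"
INDICATOR_CLASSES = (
    "mobi.dash.overapp.DisplayCheckService",
    "mobi.dash.overapp.DisplayCheckRebootReceiver",
    "mobi.dash.homepage.AdsHomepageUtils",
)

def _encodings(class_name):
    """Byte forms a class name may take inside an APK: dotted UTF-8 or UTF-16LE
    (binary manifest string pool) and the Dalvik descriptor Lpkg/Class;."""
    descriptor = "L" + class_name.replace(".", "/") + ";"
    return (class_name.encode("utf-8"),
            class_name.encode("utf-16-le"),
            descriptor.encode("utf-8"))

def scan_apk(apk_bytes):
    """Return {'config': bool, 'classes': [...]} for the indicators present."""
    hits = {"config": False, "classes": []}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = apk.namelist()
        hits["config"] = any(n.split("/")[-1] == INDICATOR_FILE for n in names)
        # Only the manifest and dex entries can reference component classes.
        blobs = [apk.read(n) for n in names
                 if n.endswith(".dex") or n == "AndroidManifest.xml"]
        for cls in INDICATOR_CLASSES:
            if any(enc in blob for blob in blobs for enc in _encodings(cls)):
                hits["classes"].append(cls)
    return hits

def build_sample_apk(infected=True):
    """Constructed stand-in for an APK: a plain zip with just enough structure
    (manifest, dex, optional asset) for scan_apk() to run against."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        manifest = "<manifest package='example.cardgame'/>"
        dex = b"dex\n035\0" + b"Lexample/cardgame/Main;"
        if infected:
            manifest += "<receiver android:name='mobi.dash.overapp.DisplayCheckRebootReceiver'/>"
            dex += b"Lmobi/dash/overapp/DisplayCheckService;Lmobi/dash/homepage/AdsHomepageUtils;"
            z.writestr("assets/ads_settings.json", "{}")  # contents irrelevant here
        z.writestr("AndroidManifest.xml", manifest.encode("utf-16-le"))
        z.writestr("classes.dex", dex)
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_apk(build_sample_apk()))
```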


{{ source }}

New spyware targets iOS devices, steals pictures and data

A team of hackers that target governments, the military and journalists has turned its attention to the iPhone, according to Trend Micro.

The computer security company says it has discovered new spyware that infects iPhones, gathers large amounts of personal information and sends it to a remote server.

The spyware, called XAgent, is delivered via a phishing attack using a technique called island hopping: the phones of friends and associates of the true target are infected first and then used to pass on the spyware link. The technique rests on the assumption that the target is more likely to click on links from people they know than from strangers.

Once installed, XAgent will collect text messages, contact lists, pictures, geo-location data, a list of installed apps, a list of any software processes that are running and the WiFi status of the device. That information is packaged and sent to a server operated by the hackers. XAgent is also capable of switching on the phone’s microphone and recording everything it hears.

XAgent runs on both iOS 7 and iOS 8 phones, whether they’ve been jailbroken or not. It is most dangerous on iOS 7 since it hides its icon to evade detection.

On iOS 8 it isn’t hidden and needs to be manually launched each time the phone is rebooted—a process that would require the user to purposely reinfect their phone each time. For that reason, Trend Micro believes the spyware was written before iOS 8 was launched last year.

While close to three quarters of Apple mobile devices are using iOS 8, a quarter are still running iOS 7, according to data published by Apple this week.

“We’ve been monitoring the actors behind this for quite some time,” said Jon Clay, senior manager of Global Threat communication at Trend Micro, in a phone interview. “The criminals have introduced [the iOS app] as part of their campaign to move further into the [targeted] organization, using this rather than PC malware.”

While the identity of the hackers isn’t known, Trend Micro says it believes those behind what it calls “Operation Pawn Storm” to be a pro-Russian group. Past targets have included military organizations, defense contractors, embassies and media groups.

Clay says the group might have targeted iOS because it discovered or assumed that a lot of its targets use Apple devices, either as work phones or secondary personal devices.

Security software such as that offered by Trend Micro will detect XAgent, he said. Users can also look through phone logs, but manual detection of the spyware is quite difficult.

His best advice is the same that’s been offered for years: don’t click on links that appear to be suspicious, especially when they involve downloading software or entering passwords.

“The good thing for users is that this isn’t something that can be automatically done,” he said. “There are steps you have to do as a user to install this.”


{{ source }}

more on island hopping / leapfrogging


Obama Proposes New 30-Day Data Breach Notification Law

President Barack Obama previewed a new data breach notification law today in a speech to the Federal Trade Commission, which will set a 30-day deadline for notifications.

He said that this year’s data breaches, including the recent hack of Sony, make the economy more vulnerable.

“Today, I’m focusing on how we can better protect American consumers from identity theft and ensure our privacy, including for our children at school,” he said.

To start with, he pointed out that almost every state has a different law on the books about how and when to notify people in the event of a data breach.

For example, according to Baker & Hostetler LLP, a national law firm with a focus on data privacy issues, notification deadlines vary from five days in Connecticut to 45 days in Ohio, Vermont, and Wisconsin.

“It’s confusing for consumers and it’s confusing for companies — and it’s costly, too, to have to comply with this patchwork of laws,” said Obama. “Sometimes, folks don’t even find out their credit card information has been stolen until they see charges on their bill, and then it’s too late.”

A common set of laws, even with stringent rules, would be welcomed by many in the industry, said Jim Reavis, CEO of the Cloud Security Alliance.

“We’ve been looking for uniformity,” he said. “If we create more uniformity in the country, it will be good for the industry.”

Under the proposed law, there would be a uniform 30-day breach notification deadline, with the clock starting when the breach is discovered.

“In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans — even when they do it overseas,” Obama said.

The president also proposed a Consumer Privacy Bill of Rights, which would ensure that consumers would have the right to decide how companies use their personal data, and the Student Digital Privacy Act, which would restrict the use of data collected about students.

The president called on business leaders and consumer privacy advocates to work together to get these laws passed.

“This mission, protecting our information and privacy in the Information Age, this should not be a partisan issue,” he said. “This should be something that unites all of us as Americans.”

However, several previous attempts to pass similar legislation have all failed and, even with both houses now under the control of the opposing political party, the odds are no better this time around, said John Pescatore, director of emerging trends at the SANS Institute.

For example, even if both houses approve the bill, they may water it down to such an extent that the president vetoes it, he said.

And none of the important details, such as what specifically constitutes a data breach, have been released yet, he added.

“Is it simply that the data was lost?” he asked. “Someone lost a data tape and can’t find it — does it require notification? Or does it require proof that someone saw the information? These are some of the things that are different state by state.”

Not every breach is the same, said Tsion Gonen, chief strategy officer at SafeNet, Inc., which was just acquired by Amsterdam-based cybersecurity firm Gemalto.

“For example, it is possible for a company to be breached, and yet still protect the data with technologies like encryption,” he said.

Security experts also had some criticism of the 30-day notification deadline.

“Thirty days is an aggressive window,” said Kevin Jones, senior security architect at Washington, DC-based Thycotic Software, Ltd.

Companies have to fully understand the scope of the breach first, and fix any ongoing security issues, before they go public, he said.

“A shot clock of 30 days may cause organizations to buckle under pressure and disclose before the issue is fully addressed, which would just bring the spotlight on them for attackers,” he said.

And there doesn’t seem to be any incentive for companies to discover breaches earlier, said Kevin Conklin, VP of marketing and product strategy at Framingham, Mass.-based security firm Prelert Inc.

“It’s an average of 200 days or more before companies learn of a breach,” he said. “At that point, the damage to consumers has already been done. Forcing companies to report breaches quickly is important, but these companies need to proactively take steps to identify breaches earlier.”

“A rush to disclosure can sometimes hamper research by law enforcement and other parties,” added Drew Kilbourne, managing director at Dulles, VA-based Cigital. “Often breaches are not immediately disclosed in order to not tip off the attacker that they have been discovered, allowing time to study the attack to learn about new or evolved tradecraft and attack vectors and perform attribution.”

The proposed law will not make anyone safer or prevent breaches, he added. Breach notifications are more about retaining customers and public perception.

“Quicker notification may be more window dressing than an effective strategy,” he said.

This story, “Obama Proposes New 30-Day Data Breach Notification Law” was originally published by CSO.


{{ source }}

Utilizing Island Hopping in Targeted Attacks

Every company is a potential cyber-attack target, even if it is not the “end target.” That is what “island hopping” aims to exploit.

Island hopping, also known as “leapfrogging,” was originally a military strategy in which attackers first concentrate their efforts on entities that are not their actual objective but can be leveraged to reach it.

Island hopping or “leapfrogging” is also applied in targeted attacks, where attackers do not go straight for the target company. Instead, they go after the target’s affiliates first, preferably smaller companies that may not be as well protected. These affiliates may be of any size and from any industry, including small businesses, payroll and HR services, healthcare firms, and law firms.

Attackers using the island hopping technique then use the compromised affiliate’s access to reach the target company. The technique is also applied inside the target network itself: after the initial compromise, attackers usually scan for other systems connected to the first one and attempt to penetrate them as well, moving laterally.

Target data breach

One of the most notable cases of a targeted attack that used the island hopping technique was the Target data breach in early 2014. The story behind that breach revealed that Fazio Mechanical Services, a heating and refrigeration firm, reported that its systems were abused by cybercriminals in order to breach the retail giant. Multiple sources close to the investigation said that credentials were stolen in an email malware attack at Fazio that began at least two months before thieves started stealing card data from thousands of Target cash registers.

Recommendations and countermeasures

IT administrators are advised to watch for these signs of a potential data breach:

  • Injected DNS records – Attackers often tamper with DNS records to make sure that connections to their C&C servers are not blocked.
  • Failed/irregular logins – Checking for failed login attempts, as well as successful logins made at irregular times, can reveal attackers’ attempts to move within the network.
  • Unknown large files – These are often an indicator of a data breach and should be checked, as they may contain data stolen from within the network. Attackers often store such files on their targets’ systems prior to exfiltration.
  • Security warnings – Study the warnings issued by your security solutions, even though most warnings flag non-malicious files.
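As an added example (not code from the article or from the vendor), the following Python script applies the second sign above to a constructed authentication log: it counts failed logins per (user, source) pair, lists successful logins outside a working-hours window, and escalates the overlap, a source that failed repeatedly and later logged in elsewhere off-hours, which is the lateral-movement pattern described. The log format, hosts and addresses are all assumed.

```python
import re
from collections import Counter, namedtuple
from datetime import datetime

Event = namedtuple("Event", "ts host user result src")
LINE_RE = re.compile(
    r"^(\S+ \S+) host=(\S+) user=(\S+) result=(success|failure) src=(\S+)$")

# Constructed sample log: a normal daytime login, a burst of failures against
# one account from a workstation, then a 03:00 success from that workstation
# on a second server.
SAMPLE_LOG = """\
2014-01-10 09:12:01 host=fs01 user=alice result=success src=10.1.1.20
2014-01-10 09:15:44 host=fs01 user=bob result=failure src=10.1.1.33
2014-01-10 09:15:47 host=fs01 user=bob result=failure src=10.1.1.33
2014-01-10 09:15:50 host=fs01 user=bob result=failure src=10.1.1.33
2014-01-10 09:15:53 host=fs01 user=bob result=failure src=10.1.1.33
2014-01-10 17:40:09 host=fs01 user=alice result=success src=10.1.1.20
2014-01-11 03:02:18 host=fs02 user=bob result=success src=10.1.1.33
"""

def parse_log(text):
    """Parse matching lines into Event tuples; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append(Event(ts, *m.groups()[1:]))
    return events

def find_suspicious_logins(text, fail_threshold=3, work_hours=(7, 19)):
    """Flag failure bursts per (user, src) and successes outside work_hours."""
    events = parse_log(text)
    failures = Counter((e.user, e.src) for e in events if e.result == "failure")
    bursts = sorted(k for k, n in failures.items() if n >= fail_threshold)
    start, end = work_hours
    off_hours = [(e.user, e.host, e.src) for e in events
                 if e.result == "success" and not (start <= e.ts.hour < end)]
    # Off-hours success from a source that already failed repeatedly is the
    # combination worth escalating first.
    burst_srcs = {src for _, src in bursts}
    escalate = [x for x in off_hours if x[2] in burst_srcs]
    return {"bursts": bursts, "off_hours": off_hours, "escalate": escalate}

if __name__ == "__main__":
    for key, value in find_suspicious_logins(SAMPLE_LOG).items():
        print(key, value)
```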

{{ source }}