<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:openSearch="http://a9.com/-/spec/opensearch/1.1/" xmlns:georss="http://www.georss.org/georss" xmlns:gd="http://schemas.google.com/g/2005" xmlns:thr="http://purl.org/syndication/thread/1.0" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" gd:etag="W/&quot;A08BR30yfip7ImA9WhVbEEs.&quot;"><id>tag:blogger.com,1999:blog-18341144</id><updated>2012-05-26T18:04:16.396-04:00</updated><category term="Mobile" /><category term="Robots" /><category term="Duqu" /><category term="Tools of the Trade" /><category term="Music" /><category term="Photos" /><category term="Pwnage" /><category term="Stuxnet" /><category term="Real Life Pirates" /><category term="Art" /><category term="Science" /><category term="Wallpapers" /><category term="Awesomesauce" /><category term="APT" /><category term="North Korea" /><category term="Malcode" /><category term="Texas" /><category term="Targeted Attack" /><category term="Spy vs Spy" /><category term="Big Brother" /><category term="Iran" /><category term="Exploit Kit Intelligence" /><category term="Data Loss" /><category term="Social Splinter" /><category term="Terrorism / CT" /><category term="DRM" /><category term="Operation Aurora" /><category term="RFID" /><category term="Humor" /><category term="D'oh" /><category term="Rumor Mill" /><category term="Mexico" /><category term="Health" /><title>Thoughts of a Technocrat</title><subtitle type="html">Behind the Internet Wheels of Steel - Recording Live From Somewhere - Mixing the Fresh Beats of Technology, Intelligence, Science &amp;amp; Security together with the occasional bass-heavy break of Humor. &lt;br&gt;&lt;br&gt;
"There is no security on this earth, there is only opportunity" &lt;br&gt;
- General Douglas MacArthur (1880-1964)</subtitle><link rel="http://schemas.google.com/g/2005#feed" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/posts/default" /><link rel="alternate" type="text/html" href="http://djtechnocrat.blogspot.com/" /><link rel="next" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default?start-index=26&amp;max-results=25&amp;redirect=false&amp;v=2" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><generator version="7.00" uri="http://www.blogger.com">Blogger</generator><openSearch:totalResults>7061</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/ThoughtsOfATechnocrat" /><feedburner:info uri="thoughtsofatechnocrat" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><feedburner:browserFriendly>This is an XML content feed. 
It is intended to be viewed in a newsreader or syndicated to another site, subject to copyright and fair use.</feedburner:browserFriendly><entry gd:etag="W/&quot;A08BR3o7cCp7ImA9WhVbEEs.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-3695384270106496365</id><published>2012-05-26T18:04:00.001-04:00</published><updated>2012-05-26T18:04:16.408-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-26T18:04:16.408-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Music" /><title>Music: Ruckspin &amp; Quark - Sunshine</title><content type="html">&lt;iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/XTeR5UTa3_E?rel=0" frameborder="0" allowfullscreen&gt;&lt;/iframe&gt;&lt;br /&gt;
&lt;br /&gt;
--------------------------------&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://soundcloud.com/ranking-records"&gt;http://soundcloud.com/ranking-records&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-3695384270106496365?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=zXMmg2_Kw1s:PBXAEhgviuY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/zXMmg2_Kw1s" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/3695384270106496365/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/05/music-ruckspin-quark-sunshine.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/3695384270106496365?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/3695384270106496365?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/zXMmg2_Kw1s/music-ruckspin-quark-sunshine.html" title="Music: Ruckspin &amp; Quark - Sunshine" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/05/music-ruckspin-quark-sunshine.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0QMQHc4eSp7ImA9WhVUEE8.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-1810683352088522414</id><published>2012-05-14T15:58:00.002-04:00</published><updated>2012-05-14T17:03:01.931-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-14T17:03:01.931-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="APT" /><title>Fundamentals of Chinese Information Warfare</title><content type="html">&lt;i&gt;The Potomac Institute Cyber Center hosted a special program on Fundamentals of Chinese Information Warfare and Impacts on the Western World on Friday, May 11, 2012. The guest speakers included William T. 
Hagestad II, author of the new book 21st Century Chinese Cyberwarfare (IT Governance, 2012)&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.potomacinstitute.org/index.php?option=com_content&amp;view=article&amp;id=1193:new-date-may-11-fundamentals-of-chinese-information-warfare&amp;catid=65:past-events&amp;Itemid=94"&gt;http://www.potomacinstitute.org/index.php?option=com_content&amp;view=article&amp;id=1193:new-date-may-11-fundamentals-of-chinese-information-warfare&amp;catid=65:past-events&amp;Itemid=94&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
The commentary is pretty insightful, and near the end it touches on some possible geopolitical solutions that could be used to change China's behavior. &lt;br /&gt;
&lt;br /&gt;
Hat-tip to Bill and his &lt;a href="http://red-dragonrising.com/blog/73-video-fundamentals-of-chinese-information-warfare"&gt;Red Dragon Rising&lt;/a&gt; blog.&lt;br /&gt;
&lt;br /&gt;
-----------------------------------------------&lt;br /&gt;
&lt;br /&gt;
Here is the Potomac Institute for Policy Studies lecture and panel discussion on "&lt;a href="http://www.potomacinstitute.org/index.php?option=com_content&amp;view=article&amp;id=1096:live-webcast-at-noon-tuesday-november-8-&amp;catid=65:past-events&amp;Itemid=94"&gt;Russian Cyber Capabilities&lt;/a&gt;".&lt;br /&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/1810683352088522414/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/05/fundamentals-of-chinese-information.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/1810683352088522414?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/1810683352088522414?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/U6Z0-seyJKs/fundamentals-of-chinese-information.html" title="Fundamentals of Chinese Information Warfare" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/05/fundamentals-of-chinese-information.html</feedburner:origLink></entry><entry gd:etag="W/&quot;Ck8NQno6eip7ImA9WhVUEE8.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-7033113028665171</id><published>2012-05-14T14:41:00.002-04:00</published><updated>2012-05-14T14:41:33.412-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-14T14:41:33.412-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Awesomesauce" /><title>Project Grey Goose - Operation Poachers</title><content type="html">&lt;a 
href="http://jeffreycarr.blogspot.com/2012/05/announcing-project-grey-goose-operation.html"&gt;http://jeffreycarr.blogspot.com/2012/05/announcing-project-grey-goose-operation.html&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;I'm pleased to announce that the fourth Project Grey Goose investigation, commencing today, will target the very serious problem of domestic and international poaching of endangered species. I founded Project Grey Goose in August, 2008 as an experiment in crowd-sourcing an Open Source Intelligence (OSINT) effort whose goal was to investigate possible Russian government connections in the cyber attacks against Georgian government websites during the Russia Georgia war. Rather than focusing on hackers, this project will focus on criminals who are viciously taking the lives of rare and beautiful animals for body parts and profit; i.e. poachers. The problem is vast and growing, and it's my sincere hope that Project Grey Goose's unique international collaborative approach to OSINT will make an impact.&lt;br /&gt;
&lt;br /&gt;
I'm particularly happy to announce that my co-manager for this project is Nada Bakos, a former CIA intelligence analyst and targeting officer. I can't imagine a more qualified person to help lead this effort than Nada and I'm excited to have her aboard to help this mission succeed.&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
-----------------------------------&lt;br /&gt;
&lt;br /&gt;
Check out the link above to Jeffrey's blog, if you want to know how you can help.</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/7033113028665171/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/05/project-grey-goose-operation-poachers.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/7033113028665171?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/7033113028665171?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/Px24UhVCDKw/project-grey-goose-operation-poachers.html" title="Project Grey Goose - Operation Poachers" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/05/project-grey-goose-operation-poachers.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEACQHY6eSp7ImA9WhVUEEw.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-2119029136897214158</id><published>2012-05-14T12:23:00.002-04:00</published><updated>2012-05-14T12:26:01.811-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-14T12:26:01.811-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="APT" /><title>Uighur Leader Accuses China of ‘Systematic Assimilation’</title><content type="html">Via &lt;a href="http://www.voanews.com/content/uighur_leader_kadeer_accuses_china_systematic_assimiliation/666327.html"&gt;VOA News&lt;/a&gt; -&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;Exiled representatives of the Uighur, an ethnic group that lives mainly in Western China’s province of Xinjiang, are meeting in Japan for their fourth annual conference. The World Uighur Congress, based in Germany, opposes what it calls the Chinese occupation of their land, and the group's gatherings routinely draw criticism from Beijing. &lt;br /&gt;
&lt;br /&gt;
Rebiya Kadeer, leader of the World Uighur Congress, and also known as "the Mother of the Uighur Nation," has been living in exile in the United States since her release from a Chinese prison in 2005.&lt;br /&gt;
&lt;br /&gt;
She joined more than 100 representatives of the ethnic group from more than 20 countries, including the United States, Germany and Australia, to elect new leadership and discuss strategies to engage China over the issue of self-determination.&lt;br /&gt;
&lt;br /&gt;
Kadeer said the Uighurs are facing a threat to their existence because of the Chinese government’s policy of systematic assimilation. She also accuses Chinese authorities of committing extra-judicial killings, economic exploitation, and destroying Uighur values.&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
--------------------------------------&lt;br /&gt;
&lt;br /&gt;
With that in mind, could you guess who might want to &lt;a href="http://contagiodump.blogspot.com/2012/05/may-3-cve-2012-0779-world-uyghur.html"&gt;target companies or organizations interested in the Uyghur Congress with targeted zero-day malware&lt;/a&gt;? I wonder. ;)&lt;br /&gt;
&lt;br /&gt;
APT: A Geopolitical Problem&lt;br /&gt;
&lt;a href="http://www.ericjhuber.com/2011/08/apt-geopolitical-problem.html"&gt;http://www.ericjhuber.com/2011/08/apt-geopolitical-problem.html&lt;/a&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-2119029136897214158?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=87VTuz_2tLg:D6y86HptQHU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/87VTuz_2tLg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/2119029136897214158/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/05/uighur-leader-accuses-china-of.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/2119029136897214158?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/2119029136897214158?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/87VTuz_2tLg/uighur-leader-accuses-china-of.html" title="Uighur Leader Accuses China of ‘Systematic Assimilation’" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/05/uighur-leader-accuses-china-of.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CU8CRXc8fCp7ImA9WhVUEUw.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-392103382620766594</id><published>2012-05-13T13:28:00.000-04:00</published><updated>2012-05-15T16:31:04.974-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-15T16:31:04.974-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Pwnage" /><title>South China Sea Spat Goes Cyber</title><content type="html">Via &lt;a href="http://the-diplomat.com/asean-beat/2012/05/11/south-china-sea-spat-goes-cyber/"&gt;The Diplomat&lt;/a&gt; -&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;China continues to raise the heat in its dispute with the Philippines over the sovereignty of Scarborough Shoal/Huangyan Island. On Monday, He Jia, an anchor on China’s state-run CCTV, mistakenly declared that “China has unquestionable sovereignty over the Philippines” rather than just over the disputed island. On Tuesday, Chinese Vice Foreign Minister Fu Ying warned a Philippine diplomat that China was fully prepared to do anything to respond to escalation. Deep-water drilling has begun near islands in the South China Sea and Chinese travel agencies have reportedly suspended tours to the Philippines. Chinese netizens are fully in support of the claims, and have in many instances criticized the Ministry of Foreign Affairs for not taking more assertive action.&lt;br /&gt;
&lt;br /&gt;
As with previous territorial disputes in East Asia these days (see China-Vietnam, China-Japan, and Korea-Japan), the political, diplomatic, and military maneuvering has a cyber component. On April 20, Chinese hackers attacked the website of the University of the Philippines. The next day, Filipino hackers struck back with the defacement of Chinese websites. On the 23rd and 24th, the two sides again traded tit-for-tat attacks (a very useful timeline up until April 30 can be found &lt;a href="http://hackmageddon.com/2012/05/01/philippines-and-china-on-the-edge-of-a-new-cyber-conflict/"&gt;here&lt;/a&gt;). Attacks have continued over the last week; attackers have also pasted the Chinese flag on the website of the Philippines News Agency.&lt;br /&gt;
&lt;br /&gt;
From almost the beginning of the attacks, the Philippines government has called for both sides to stop. On April 22, a Philippines government spokesperson said, “We call on citizens, including ours, to exercise civil temperance.” On April 25, the Philippines’ Department of Science and Technology and Information and Communications Technology Office declared that the attacks were neither sanctioned nor condoned, and on May 10 a spokesman went further in warning that such attacks “will not benefit anyone and could possibly lead to bigger problems in the future for the Philippines and China and escalate the already tense situation at Panatag Shoal (Scarborough Shoal).” This is not a misplaced worry as freelance attacks could make it much more difficult for the two sides to communicate and signal intentions.&lt;br /&gt;
&lt;br /&gt;
Unfortunately, there has been silence from Beijing on the issue. China’s leaders seem to be embracing the conflict, or at least the prospect of conflict, as a welcome distraction from the problems of Chen Guangcheng and Bo Xilai. As Michael Yip and Craig Weber argue, the Chinese government – after years of enrolling students in patriotic education that stresses a history of national humiliation – needs to align itself with and divert away from nationalistic responses to real and perceived slights. Political hacking acts as a diversion – venting resentment away from the regime, focusing web users’ ire on outside actors, and maintaining the government’s nationalistic credentials.&lt;br /&gt;
&lt;br /&gt;
When China’s Minister of Defense General Liang Guanglie was at the Pentagon this week, he talked about how China wanted to work to improve cybersecurity. Beijing could gain a great deal of credibility by doing what the Philippines has done: call on both sides to stop the attacks.&lt;/i&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/392103382620766594/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/05/south-china-sea-spat-goes-cyber.html#comment-form" title="3 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/392103382620766594?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/392103382620766594?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/uzTtyAkzHi4/south-china-sea-spat-goes-cyber.html" title="South China Sea Spat Goes Cyber" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>3</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/05/south-china-sea-spat-goes-cyber.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0IGQ34-eSp7ImA9WhVVF0s.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-9031392416022425897</id><published>2012-05-11T14:37:00.000-04:00</published><updated>2012-05-11T14:38:42.051-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-11T14:38:42.051-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="APT" /><title>TTPs: Lessons from Today's Amnesty Hack</title><content type="html">Via &lt;a href="http://blog.imperva.com/2012/05/lessons-from-todays-amnesty-hack.html"&gt;Imperva&lt;/a&gt; - &lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;Amnesty International UK's website was hacked courtesy of a backdoor dropped on visitors' systems. Most likely done by a foreign government, many speculate that it's the Chinese. Websense's blog &lt;a href="http://community.websense.com/blogs/securitylabs/archive/2012/05/11/amnesty-international-uk-compromised.aspx?cmpid=sltw"&gt;gives a good technical overview of the attack&lt;/a&gt;. &lt;br /&gt;
&lt;br /&gt;
But what does it mean for security teams?&lt;br /&gt;
&lt;br /&gt;
In some cases, hackers don’t want to steal the data from the website but rather want to infect the users who are visiting. This can lead to more access to business critical data which, for example, is often stored as files on a fileserver. In the Amnesty case, the real prize isn't Amnesty's data per se, but the corporate and individual data and files of those who visit the site.&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
-------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
This exact technique has been used by advanced adversaries in previous targeted attacks. Intelligence sources have observed this technique being used in attacks against the US defense industry as well.&lt;br /&gt;
&lt;br /&gt;
July 2011 - &lt;a href="http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/231002231/attack-on-pacific-northwest-national-lab-started-at-public-web-servers.html"&gt;Attack On Pacific Northwest National Lab Started At Public Web Servers&lt;/a&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/9031392416022425897/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/05/ttps-lessons-from-todays-amnesty-hack.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/9031392416022425897?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/9031392416022425897?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/u_Coe7lHB1E/ttps-lessons-from-todays-amnesty-hack.html" title="TTPs: Lessons from Today's Amnesty Hack" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/05/ttps-lessons-from-todays-amnesty-hack.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEIAQ3oyfSp7ImA9WhVVFks.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-7377875865889570837</id><published>2012-05-10T11:09:00.000-04:00</published><updated>2012-05-10T11:09:02.495-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-10T11:09:02.495-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Iran" /><title>Iran's Web Censorship Filters Supreme Leader's Own Statement</title><content type="html">Via &lt;a href="http://arstechnica.com/tech-policy/2012/05/irans-web-censorship-filters-supreme-leaders-own-statement/"&gt;Ars Technica&lt;/a&gt; -&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;Iranian Supreme Leader Ayatollah Ali Khamenei’s own words have now become a victim of Iran’s massive online censorship infrastructure.&lt;br /&gt;
&lt;br /&gt;
According to &lt;a href="http://www.rferl.org/content/iran_filters_khamenei_fatwa_on_antifiltering_internet/24575143.html"&gt;Radio Free Europe&lt;/a&gt; (RFE), last week Khamenei issued a “fatwa,” or religious edict, confirming that anti-filtering tools and software are illegal in Iran. The decree came in response to a question by Mehr News (Google Translate), a semi-official news agency, which had asked for clarification on the ruling due to the fact that, as journalists, employees sometimes need to access blocked websites and other non-authorized information.&lt;br /&gt;
&lt;br /&gt;
Khamenei, according to a translation by RFE, replied: "In general, the use of antifiltering software is subject to the laws and regulations of the Islamic republic, and it is not permissible to violate the law."&lt;br /&gt;
&lt;br /&gt;
However, his own use of the word “antifiltering” apparently triggered Iran’s own filtering system, making Khamenei’s words inaccessible to most Iranians.&lt;br /&gt;
&lt;br /&gt;
RFE also reported that this filtering episode prompted Tabnak, a conservative news website, to respond: "The filtering of a [religious] order is so ugly for the executive [branch] that it can bring into question the whole philosophy of filtering."&lt;br /&gt;
&lt;br /&gt;
Iran, of course, has a notorious surveillance and filtration system in place—just last month, the &lt;a href="http://arstechnica.com/tech-policy/news/2012/04/iran-publishes-request-for-information-for-halal-internet-project.ars"&gt;Islamic Republic published a "Request for Information"&lt;/a&gt; for furthering its so-called "halal Internet."&lt;/i&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/7377875865889570837/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/05/irans-web-censorship-filters-supreme.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/7377875865889570837?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/7377875865889570837?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/LwTUQJxzUK0/irans-web-censorship-filters-supreme.html" title="Iran's Web Censorship Filters Supreme Leader's Own Statement" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/05/irans-web-censorship-filters-supreme.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEYHQXo4cSp7ImA9WhVVFkw.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-2858639991835684115</id><published>2012-05-09T22:15:00.000-04:00</published><updated>2012-05-09T22:15:30.439-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-09T22:15:30.439-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Music" /><title>Matisyahu - One Day (Coma Remix)</title><content type="html">&lt;iframe width="420" height="315" src="https://www.youtube-nocookie.com/embed/0upDphQdFwY?rel=0" frameborder="0" allowfullscreen&gt;&lt;/iframe&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/2858639991835684115/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/05/matisyahu-one-day-coma-remix.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/2858639991835684115?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/2858639991835684115?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/FGAcq6W-CN0/matisyahu-one-day-coma-remix.html" title="Matisyahu - One Day (Coma Remix)" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/05/matisyahu-one-day-coma-remix.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0MDQX4_cSp7ImA9WhVVFEU.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-6019000502811501558</id><published>2012-05-08T11:04:00.003-04:00</published><updated>2012-05-08T11:04:30.049-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-08T11:04:30.049-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="North Korea" /><title>GPS Jamming Affects Ship Navigation off Korean Coast</title><content type="html">Via &lt;a href="http://www.marinelink.com/news/navigation-jamming344438.aspx"&gt;Marine Link&lt;/a&gt; -&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;122 ships, including Coast Guard vessels and a passenger vessel, have reported malfunctions in their navigation systems since the apparent jamming of satellite signals by North Korea last week, reported 'Safety4Sea'.&lt;br /&gt;
&lt;br /&gt;
According to the Coast Guard in Incheon, west of Seoul, a total of 122 ships were affected by the disruption to Global Positioning System (GPS) signals. Among the vessels were eight patrol boats belonging to the Coast Guard, a passenger liner carrying 387 people and a petrol products carrier.&lt;br /&gt;
&lt;br /&gt;
Fishing boats operating near the tense western maritime border with North Korea also reported errors in their navigation systems, although none of them led to accidents, Coast Guard officials said.&lt;br /&gt;
&lt;br /&gt;
The transport ministry said about 250 commercial flights in and out of international airports at Incheon and Gimpo, also west of Seoul, were also affected by the jamming, although they were not put in danger.&lt;br /&gt;
&lt;br /&gt;
South Korea came under similar electronic attacks in March of last year, and in August and December of 2010, all of which were blamed on the North. South Korean Defense Minister Kim Kwan-jin has said anti-jamming programs are being developed to counter the attacks.&lt;br /&gt;
&lt;br /&gt;
The defense ministry has also said the North operates a regiment-sized electronic warfare unit near its capital Pyongyang, and some battalion-sized units closer to the inter-Korean border.&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-6019000502811501558?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=IIsQdoAICHA:7WRgauFN__g:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/IIsQdoAICHA" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/6019000502811501558/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/05/gps-jamming-affects-ship-navigation-off.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/6019000502811501558?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/6019000502811501558?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/IIsQdoAICHA/gps-jamming-affects-ship-navigation-off.html" title="GPS Jamming Affects Ship Navigation off Korean Coast" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/05/gps-jamming-affects-ship-navigation-off.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0INSH87eSp7ImA9WhVVE0s.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-6838532831151580774</id><published>2012-05-06T23:32:00.000-04:00</published><updated>2012-05-06T23:33:19.101-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-06T23:33:19.101-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Terrorism / CT" /><title>On The Rebound: Shining Path Factions Vie for Control of Upper Huallaga Valley</title><content type="html">Via &lt;a 
href="http://www.jamestown.org/single/?no_cache=1&amp;tx_ttnews[tt_news]=39249&amp;tx_ttnews[backPid]=7&amp;cHash=1619237a4707dc8fdd291d5d5d570574"&gt;The Jamestown Foundation&lt;/a&gt; -&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;After the Peruvian army captured Comrade Artemio on February 12 and two potential successors on March 4 and April 3, President Ollanta Humala declared that the Shining Path was “totally defeated”—a prediction that is already proving to be premature. The Shining Path faction in the Upper Huallaga Valley retains a core group of loyal fighters capable of conducting military operations to pressure the government for Artemio’s release, but they are more dangerous for their apparent alliance with Movadef, a rising political movement that the government sees as a “front” for the Shining Path. Meanwhile, the 500-fighter faction of the Shining Path led by Comrade Jose in the VRAE has made clear its desire to expand its international narco-trafficking enterprise into the Upper Huallaga Valley and exploit the power vacuum with Artemio out of the picture. A takeover of the Upper Huallaga Valley would elevate Comrade Jose to the level of one of South America’s premier narco-trafficking bosses. Neither Shining Path faction is near surrender, and questions linger about whether President Humala’s new four-year anti-drug strategy underwritten by millions of dollars of U.S. aid will tame or enflame the country’s narco-trafficking insurgencies.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Background&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
The Shining Path consists of a 500-fighter faction in the River Apurimac and River Ene Valley (VRAE) led by Comrade Jose and a smaller 150-fighter faction in the Upper Huallaga Valley led until February 12 by Comrade Artemio. The VRAE and Upper Huallaga Valley factions split in 1999 after the capture of then leader Comrade Feliciano (Oscar Ramirez Durand). Comrade Artemio succeeded Feliciano in 1999 and remained loyal to Shining Path founder, Abimael Guzman (Chairman Gonzalo), who was captured in 1992. After Feliciano’s capture, Comrade Jose’s faction disavowed the Shining Path of Guzman, Feliciano and Artemio, who they criticized for alienating the campesinos during the war against the State in 1980s and for offering truces to the government once Guzman was captured.&lt;br /&gt;
&lt;br /&gt;
Both factions officially espouse turning Peru into a Marxist state, but they depend on their capitalist narco-trafficking enterprises for financial survival. It is no coincidence that the two surviving factions of the once 15,000-fighter Shining Path operate in the country’s two main coca producing regions—the VRAE and the Upper Huallaga Valley, which produce 75% of Peru’s coca. With Peru expected to surpass Colombia as the world’s largest coca producer (61,200 hectares) in 2012, both factions stand to benefit.&lt;br /&gt;
&lt;br /&gt;
[...]&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Conclusion&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
The capture of Comrade Artemio has weakened his faction, but a core group of his fighters continue to engage in shows of military force to support Movadef’s political goals. There appears to be a low likelihood of a Shining Path merger considering that the two groups operate in distinct areas and harbor contrasting motivations. If Artemio’s faction continues to splinter, however, Jose’s faction may gain control of the major drug trafficking routes in the Upper Huallaga Valley and revive the Shining Path under a model like the FARC—a drug cartel with a nominal Marxist ideology. Both Shining Path factions benefit from the country’s increasing coca production, while they are also capable of attracting recruits from the cocaleros if the drug eradication plan moves forward. The drug war can only be won if the cocaleros are provided with a substitute to growing coca, but historically the state has struggled to meet this need.&lt;br /&gt;
&lt;br /&gt;
After the capture of Abimael Guzman in 1992, then President Fujimori said, “Sendero has been defeated. I defeated it.” Twenty years later, President Humala shows similar optimism, but the events on the ground suggest that both Shining Path factions will adapt to the realities on the ground after Artemio’s capture and implement new strategies in order to survive.&lt;br /&gt;
&lt;/i&gt;&lt;br /&gt;
------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://en.wikipedia.org/wiki/Shining_Path"&gt;http://en.wikipedia.org/wiki/Shining_Path&lt;/a&gt;&lt;br /&gt;
&lt;blockquote&gt;&lt;i&gt;Shining Path (Sendero Luminoso in Spanish) is a Maoist guerrilla insurgent organization in Peru. It prefers to be called the "Communist Party of Peru" or "PCP" for short.  The Shining Path's ideology and tactics have been influential on other Maoist insurgent groups, notably the Communist Party of Nepal (Maoist) and other Revolutionary Internationalist Movement-affiliated organizations. Widely condemned for its brutality, including violence deployed against peasants, trade union organizers, popularly elected officials and the general civilian population, the Shining Path is described by the Peruvian government as a terrorist organization. The group is on the U.S. Department of State's list of Foreign Terrorist Organizations, and the European Union and Canada likewise describe it as a terrorist organization and prohibit providing funding or other financial support.&lt;/i&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-6838532831151580774?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=Byoc_F5HG_8:yhZjt8IgtHA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/Byoc_F5HG_8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/6838532831151580774/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/05/on-rebound-shining-path-factions-vie.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/6838532831151580774?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/6838532831151580774?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/Byoc_F5HG_8/on-rebound-shining-path-factions-vie.html" title="On The Rebound: Shining Path Factions Vie for Control of Upper Huallaga Valley" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/05/on-rebound-shining-path-factions-vie.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEEMSHkzeSp7ImA9WhVVEUk.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-3954094924897790359</id><published>2012-05-04T11:50:00.000-04:00</published><updated>2012-05-04T11:51:29.781-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-04T11:51:29.781-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Targeted Attack" /><title>Xtreme RAT Used in Targeted Attack Against Syria Activist</title><content type="html">Via &lt;a href="http://www.f-secure.com/weblog/archives/00002356.html"&gt;F-Secure Labs&lt;/a&gt; -&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;Syria has been the center of much international attention lately. There's unrest in the country and the authoritarian government is using brutal tactics against dissidents. These tactics include using technology surveillance, trojans and backdoors.&lt;br /&gt;
&lt;br /&gt;
Some time ago we received a hard drive via a contact. The drive had an image of the system of a Syrian activist who had been targeted by the local authorities.&lt;br /&gt;
&lt;br /&gt;
The activist's system had become infected as a result of a Skype chat. The chat request came from a fellow activist. The problem was that the fellow activist had already been arrested and could not have started the chat.&lt;br /&gt;
&lt;br /&gt;
Initial infection occurred when the activist accepted a file called MACAddressChanger.exe over the chat. This utility was supposed to change the hardware MAC address of the system in order to bypass some monitoring tools. Instead, it dropped a file called silvia.exe which was a backdoor — a backdoor called "Xtreme RAT". &lt;br /&gt;
&lt;br /&gt;
Xtreme Rat is a full-blown malicious Remote Access Tool.&lt;br /&gt;
&lt;br /&gt;
Sold for 100 euro (Paypal) via a page hosted at Google Sites: hxxps://sites.google.com/site/nxtremerat&lt;br /&gt;
&lt;br /&gt;
We have reasons to believe this infection wasn't just bad luck. We believe the activist's computer was specifically targeted. In any case, the backdoor calls home to the IP address 216.6.0.28. This IP block belongs to Syrian Arab Republic — STE (Syrian Telecommunications Establishment).&lt;br /&gt;
&lt;br /&gt;
This would not have been the first case of using trojans for such purposes in Syria, either.&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-3954094924897790359?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=SIWpyT_g7k8:ZXyhNt1IPxg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/SIWpyT_g7k8" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/3954094924897790359/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/05/xtreme-rat-used-in-targeted-attacks.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/3954094924897790359?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/3954094924897790359?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/SIWpyT_g7k8/xtreme-rat-used-in-targeted-attacks.html" title="Xtreme RAT Used in Targeted Attack Against Syria Activist" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/05/xtreme-rat-used-in-targeted-attacks.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEEFQHg7eip7ImA9WhVVEUw.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-8959334882595853731</id><published>2012-05-04T02:23:00.002-04:00</published><updated>2012-05-04T02:23:31.602-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-04T02:23:31.602-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Music" /><title>"Right On" by The Roots (feat. 
Joanna Newsom &amp; STS)</title><content type="html">&lt;iframe src="http://player.vimeo.com/video/12744936" width="500" height="283" frameborder="0" webkitAllowFullScreen mozallowfullscreen allowFullScreen&gt;&lt;/iframe&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-8959334882595853731?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=_BJTUs1PMzY:Dd4aOsK0DMU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/_BJTUs1PMzY" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/8959334882595853731/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/05/right-on-by-roots-feat-joanna-newsom.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/8959334882595853731?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/8959334882595853731?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/_BJTUs1PMzY/right-on-by-roots-feat-joanna-newsom.html" title="&quot;Right On&quot; by The Roots (feat. Joanna Newsom &amp; STS)" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/05/right-on-by-roots-feat-joanna-newsom.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUEAR3k7fSp7ImA9WhVVEUk.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-4773489026644720419</id><published>2012-05-03T16:20:00.002-04:00</published><updated>2012-05-04T11:00:46.705-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-05-04T11:00:46.705-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="APT" /><title>Microsoft Fingers Chinese Firewall/IPS Vendor In Windows Exploit Leak</title><content type="html">Via &lt;a 
href="http://www.darkreading.com/insider-threat/167801100/security/vulnerabilities/232901426/microsoft-fingers-chinese-firm-in-windows-exploit-leak.html"&gt;Dark Reading&lt;/a&gt; -&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;Microsoft today announced that it had rooted out the source of a leak from within its third-party security software firm partnership program that resulted in the weaponization of a bug in Windows -- raising questions about whether the Microsoft Active Protections Program (MAPP) could be vulnerable to other such breaches. &lt;br /&gt;
&lt;br /&gt;
Chinese firewall and IPS vendor Hangzhou DPTech Technologies Co., Ltd., according to Microsoft, was the culprit behind a rapid-fire turnaround of a working exploit for the Windows Remote Desktop (RDP) flaw in mid-March, &lt;a href="http://www.darkreading.com/vulnerability-management/167901026/security/news/232602627/microsoft-flaw-demonstrates-dangers-of-remote-desktop-access.html"&gt;just after the bug was patched by Microsoft&lt;/a&gt;. &lt;br /&gt;
&lt;br /&gt;
[...]&lt;br /&gt;
&lt;br /&gt;
Microsoft today was mum on how it ultimately rooted out DPTech as the source of the leak, or on just what Hangzhou DPTech Technologies did. "During our investigation into the disclosure of confidential data shared with our Microsoft Active Protections Program (MAPP) partners, we determined that a member of the MAPP program, Hangzhou DPTech Technologies Co., Ltd., had breached our non-disclosure agreement (NDA). Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program," said Yunsun Wee, director of Microsoft Trustworthy Computing, in a statement. &lt;br /&gt;
&lt;br /&gt;
HD Moore, chief security officer at Rapid7 and creator of Metasploit, says it couldn't have been simple to trace the leak to a specific company. "[It's] interesting and somewhat surprising that they found it at all," Moore says. &lt;br /&gt;
&lt;br /&gt;
Meanwhile, the announcement by Microsoft appears to raise more questions than it answers. Concerns about a Chinese security vendor leaking Windows vulnerability details before the patch window had closed, and whether this was truly the first breach of the MAPP program, sent a chill through the industry. &lt;br /&gt;
&lt;br /&gt;
"Yes, it is a little concerning that it was a Chinese firm that leaked the Microsoft information. That being said, what did Microsoft really expect was going to happen? The Chinese do not have a very good track record of adhering to NDA and other agreements," says Paul Henry, security and forensic analyst at Lumension. "It is important to recognize that the MAPP program is relatively new, so there will be bumps in the road as Microsoft works out the delicate balance between strategic sharing and safeguarding the distribution of sensitive information regarding its products." &lt;br /&gt;
&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
-----------------------------------------&lt;br /&gt;
&lt;br /&gt;
MAPP Update: Taking Action to Decrease Risk of Information Disclosure&lt;br /&gt;
&lt;a href="http://blogs.technet.com/b/msrc/archive/2012/05/03/mapp-update-taking-action-to-decrease-risk-of-information-disclosure.aspx"&gt;http://blogs.technet.com/b/msrc/archive/2012/05/03/mapp-update-taking-action-to-decrease-risk-of-information-disclosure.aspx&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
-----------------------------------------&lt;br /&gt;
&lt;br /&gt;
Shocker. Kudos to MS for tracking this down to the company. Impressive.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-4773489026644720419?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=8GOer0bv_Ag:7ItiJjMYUwU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/8GOer0bv_Ag" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/4773489026644720419/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/05/microsoft-fingers-chinese-firewallips.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/4773489026644720419?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/4773489026644720419?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/8GOer0bv_Ag/microsoft-fingers-chinese-firewallips.html" title="Microsoft Fingers Chinese Firewall/IPS Vendor In Windows Exploit Leak" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/05/microsoft-fingers-chinese-firewallips.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DE4FRng9cCp7ImA9WhVWGEw.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-6921016824977419780</id><published>2012-04-30T16:10:00.001-04:00</published><updated>2012-04-30T16:15:17.668-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-30T16:15:17.668-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Targeted Attack" /><category scheme="http://www.blogger.com/atom/ns#" term="APT" /><title>Determined Adversaries and Targeted Attacks</title><content type="html">Via &lt;a 
href="http://www.microsoft.com/security/sir/story/default.aspx#!determined_adversaries"&gt;Microsoft Security Intelligence Report&lt;/a&gt; -&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;Over the past two decades the internet has become fundamental to the pursuit of day-to-day commercial, personal, and governmental business. However, the ubiquitous nature of the internet as a communications platform has also increased the risk to individuals and organizations from cyberthreats. These threats include website defacement, virus and worm (or malware) outbreaks, and network intrusion attempts. In addition, the global presence of the internet has allowed it to be used as a significant staging ground for espionage activity directed at industrial, political, military, and civil targets.&lt;br /&gt;
&lt;br /&gt;
During the past 5 years, one specific category of threat has become much more widely discussed. Originally referred to as Advanced Persistent Threats (APT) by the U.S. military — referring to alleged nation-state sponsored attempts to infiltrate military networks and exfiltrate sensitive data — the term APT is today widely used in media and IT security circles to describe any attack that seems to specifically target an individual organization, or is thought to be notably technical in nature, regardless of whether the attack was actually either advanced or persistent.&lt;br /&gt;
&lt;br /&gt;
In fact, this type of attack typically involves two separate components — the action(s) and the actor(s) — that may be targeted against governments, military organizations or, increasingly, commercial entities and civil society.&lt;br /&gt;
&lt;br /&gt;
The actions are the attacks themselves, which may be IT-related or not, and are referred to as Targeted Attacks in this paper. These attacks are initiated and conducted by human actors, who are collectively referred to in this paper as Determined Adversaries. These definitions are important because they emphasize the point that the attacks are carried out by human actors who may use any tools or techniques necessary to achieve their goals; these attacks are not merely malicious software or exploits. Using an encompassing term such as APT can mask this reality and create the impression that all such attacks are technically sophisticated and malware-driven, making it harder to plan an effective defensive posture.&lt;br /&gt;
&lt;br /&gt;
For these reasons, this paper uses Targeted Attacks and Determined Adversaries as more specific and meaningful terms to describe this category of attack.&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
-------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
Be sure to check out Microsoft's Security Intelligence Report (SIR) Volume 12.&lt;br /&gt;
&lt;a href="http://www.microsoft.com/security/sir/default.aspx"&gt;http://www.microsoft.com/security/sir/default.aspx&lt;/a&gt;&lt;br /&gt;
&lt;blockquote&gt;&lt;i&gt;The Microsoft Security Intelligence Report (SIR) analyzes the threat landscape of exploits, vulnerabilities, and malware using data from Internet services and over 600 million computers worldwide. Threat awareness can help you protect your organization, software, and people.&lt;/i&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-6921016824977419780?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=53NE9M8HsEk:TPnA7Rya3NI:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/53NE9M8HsEk" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/6921016824977419780/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/04/determined-adversaries-and-targeted.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/6921016824977419780?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/6921016824977419780?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/53NE9M8HsEk/determined-adversaries-and-targeted.html" title="Determined Adversaries and Targeted Attacks" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/04/determined-adversaries-and-targeted.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkYFQHs_fyp7ImA9WhVWF00.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-4708656472639865926</id><published>2012-04-29T10:01:00.002-04:00</published><updated>2012-04-29T10:01:51.547-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-29T10:01:51.547-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Malcode" /><title>Snow Leopard Users Most Prone to Flashback Infection</title><content type="html">Via &lt;a href="http://www.computerworld.com/s/article/9226696/Snow_Leopard_users_most_prone_to_Flashback_infection"&gt;Computerworld.com&lt;/a&gt; -&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;Of the Macs that have been infected by the Flashback malware, nearly two-thirds are running OS X 10.6, better known as Snow Leopard, a Russian antivirus company said Friday.&lt;br /&gt;
&lt;br /&gt;
Doctor Web, which earlier this month was the first to report the largest-ever malware attack against Apple Macs, mined data it has intercepted from compromised computers to come up with its findings.&lt;br /&gt;
&lt;br /&gt;
[...]&lt;br /&gt;
&lt;br /&gt;
In a &lt;a href="http://news.drweb.com/?i=2410&amp;c=5&amp;lng=en&amp;p=0"&gt;Friday blog post&lt;/a&gt;, Doctor Web published an analysis of the communications between 95,000 Flashback-infected Macs and the sinkholed domains. Those communication attempts took place on April 13, more than a week after Doctor Web broke the news of the botnet's massive size.&lt;br /&gt;
&lt;br /&gt;
[...]&lt;br /&gt;
&lt;br /&gt;
Not surprisingly, 63.4% of the Flashback-infected machines identified themselves as running OS X 10.6, or Snow Leopard, the newest version of Apple's operating system that comes with Java.&lt;br /&gt;
&lt;br /&gt;
Snow Leopard accounted for the largest share of OS X last month, according to metrics company Net Applications, making it the prime target of Flashback.&lt;br /&gt;
&lt;br /&gt;
Leopard, or OS X 10.5, is the second-most-common Flashback-infected operating system, said Doctor Web: 25.5% of the 95,000 Macs harboring the malware ran that 2007 edition.&lt;br /&gt;
&lt;br /&gt;
Apple bundled Java with Leopard as well, but unlike Snow Leopard and Lion, it no longer ships security updates for the OS, and so has not updated Java on those Macs.&lt;br /&gt;
&lt;br /&gt;
Last month, Leopard powered 13.6% of all Macs.&lt;br /&gt;
&lt;br /&gt;
But while Snow Leopard's and Leopard's infection rates are higher than their usage shares, the opposite's true of OS X 10.7, or Lion. The 2011 OS accounted for 39.6% of all copies of OS X used last month, yet represented only 11.2% of the Flashback-compromised Macs.&lt;br /&gt;
&lt;br /&gt;
Doctor Web did not connect those dots in its analysis, but the numbers make clear that versions of Mac OS X that included Java -- Snow Leopard and Leopard -- are much more likely to be infected by Flashback. Conversely, Lion -- by default, sans Java -- is significantly more resistant to the malware.&lt;br /&gt;
&lt;br /&gt;
The Russian company's data also showed that many Mac users don't keep their machines up-to-date, something ZDNet blogger Ed Bott noted on Friday.&lt;br /&gt;
&lt;br /&gt;
Twenty-four percent of the Snow Leopard-infected Macs were at least one update behind, 10.4% were three or more behind, and 8.5% were four or more behind.&lt;br /&gt;
&lt;br /&gt;
Lion users were no better patch practitioners: 28% were one or more updates behind.&lt;br /&gt;
&lt;br /&gt;
[...]&lt;br /&gt;
&lt;br /&gt;
To protect Snow Leopard and Lion systems from the Java-exploiting Flashback, users should launch Software Update from the Apple menu and download this month's Java updates. Software Update will also serve the newest version of those operating systems to Macs running outdated editions.&lt;br /&gt;
&lt;br /&gt;
People running Leopard can disable Java in their browser(s) to stymie attacks.&lt;br /&gt;
&lt;br /&gt;
Later this year, Oracle will release Java 7 for OS X. Mac users who upgrade to Java 7 will then receive security updates directly from Oracle, not from Apple.&lt;/i&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=xtk2-cNVw14:0mjyqXUXihg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/xtk2-cNVw14" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/4708656472639865926/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/04/snow-leopard-users-most-prone-to.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/4708656472639865926?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/4708656472639865926?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/xtk2-cNVw14/snow-leopard-users-most-prone-to.html" title="Snow Leopard Users Most Prone to Flashback Infection" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/04/snow-leopard-users-most-prone-to.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CEEMSH4zeip7ImA9WhVWFk4.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-8558101804854226479</id><published>2012-04-28T13:03:00.001-04:00</published><updated>2012-04-28T13:04:49.082-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-28T13:04:49.082-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Music" /><title>Music: Swindle (ft. Footsie &amp; Nadia Suliman) – Ignition</title><content type="html">&lt;iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/fokZmNqoXKs?rel=0" frameborder="0" allowfullscreen&gt;&lt;/iframe&gt;&lt;br /&gt;
&lt;br /&gt;
---------------------------------------&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.beatport.com/artist/swindle/136004"&gt;Swindle&lt;/a&gt; and &lt;a href="http://www.beatport.com/release/ignition/844783"&gt;Ignition&lt;/a&gt; on Beatport.com.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-8558101804854226479?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=hhMLdv5RaxE:0UatYGkQNeM:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/hhMLdv5RaxE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/8558101804854226479/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/04/music-swindle-ft-footsie-nadia-suliman.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/8558101804854226479?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/8558101804854226479?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/hhMLdv5RaxE/music-swindle-ft-footsie-nadia-suliman.html" title="Music: Swindle (ft. Footsie &amp; Nadia Suliman) – Ignition" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/04/music-swindle-ft-footsie-nadia-suliman.html</feedburner:origLink></entry><entry gd:etag="W/&quot;AkAHR384eSp7ImA9WhVWFkg.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-843670047482443244</id><published>2012-04-27T20:07:00.000-04:00</published><updated>2012-04-28T20:18:56.131-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-28T20:18:56.131-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Photos" /><title>Photos: Space Shuttle Discovery</title><content type="html">Grabbed these shots today, at about 4:45pm EST. Free entrance and parking at Steven F. Udvar-Hazy Center.&lt;br /&gt;
&lt;br /&gt;
------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://en.wikipedia.org/wiki/Space_Shuttle_Discovery"&gt;Space Shuttle Discovery&lt;/a&gt; (Orbiter Vehicle Designation: OV-103) @ &lt;a href="http://en.wikipedia.org/wiki/Steven_F._Udvar-Hazy_Center"&gt;Steven F. Udvar-Hazy Center&lt;/a&gt;, an annex of the Smithsonian Institution's National Air and Space Museum.&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-nGvD96zg5c8/T5yItHR0WqI/AAAAAAAAA_U/YGJ9SSS5byU/s1600/Discovery-5.jpg" imageanchor="1" style=""&gt;&lt;img border="0" height="400" width="300" src="http://3.bp.blogspot.com/-nGvD96zg5c8/T5yItHR0WqI/AAAAAAAAA_U/YGJ9SSS5byU/s400/Discovery-5.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://3.bp.blogspot.com/-g2bTf9trmQk/T5yI3nAyabI/AAAAAAAAA_g/2hqIoTiFifI/s1600/Discovery-4.jpg" imageanchor="1" style=""&gt;&lt;img border="0" height="300" width="400" src="http://3.bp.blogspot.com/-g2bTf9trmQk/T5yI3nAyabI/AAAAAAAAA_g/2hqIoTiFifI/s400/Discovery-4.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-gcAEf-9AZt8/T5sz6rYMwWI/AAAAAAAAA-Y/333r7R8_bQk/s1600/IMG_2906.jpg" imageanchor="1" style=""&gt;&lt;img border="0" height="400" width="300" src="http://4.bp.blogspot.com/-gcAEf-9AZt8/T5sz6rYMwWI/AAAAAAAAA-Y/333r7R8_bQk/s400/IMG_2906.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://1.bp.blogspot.com/-0EYCLUbVo74/T5s0A2UAjFI/AAAAAAAAA-k/LBwNBS9NaJA/s1600/IMG_2989.jpg" imageanchor="1" style=""&gt;&lt;img border="0" height="274" width="400" src="http://1.bp.blogspot.com/-0EYCLUbVo74/T5s0A2UAjFI/AAAAAAAAA-k/LBwNBS9NaJA/s400/IMG_2989.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://4.bp.blogspot.com/-K8urI1DyWOY/T5s0WWKN5MI/AAAAAAAAA-w/FC_XqsNnouI/s1600/Discovery-2.jpg" imageanchor="1" style=""&gt;&lt;img border="0" height="364" width="400" src="http://4.bp.blogspot.com/-K8urI1DyWOY/T5s0WWKN5MI/AAAAAAAAA-w/FC_XqsNnouI/s400/Discovery-2.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;div class="separator" style="clear: both; text-align: center;"&gt;&lt;a href="http://2.bp.blogspot.com/-pD7egMhV7Xk/T5s0ke-bwTI/AAAAAAAAA-8/KANXq0IKasg/s1600/Discovery-3.jpg" imageanchor="1" style=""&gt;&lt;img border="0" height="142" width="400" src="http://2.bp.blogspot.com/-pD7egMhV7Xk/T5s0ke-bwTI/AAAAAAAAA-8/KANXq0IKasg/s400/Discovery-3.jpg" /&gt;&lt;/a&gt;&lt;/div&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-843670047482443244?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=nLh5zJekrug:-SBRkOSzrqA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/nLh5zJekrug" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/843670047482443244/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/04/photos-space-shuttle-discovery.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/843670047482443244?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/843670047482443244?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/nLh5zJekrug/photos-space-shuttle-discovery.html" title="Photos: Space Shuttle Discovery" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><media:thumbnail xmlns:media="http://search.yahoo.com/mrss/" url="http://3.bp.blogspot.com/-nGvD96zg5c8/T5yItHR0WqI/AAAAAAAAA_U/YGJ9SSS5byU/s72-c/Discovery-5.jpg" height="72" width="72" /><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/04/photos-space-shuttle-discovery.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C0cGRnYzcCp7ImA9WhVWE0Q.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-1835001373682421795</id><published>2012-04-25T17:55:00.002-04:00</published><updated>2012-04-25T17:57:07.888-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-25T17:57:07.888-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Terrorism / CT" /><title>US Experts To Help Decrypt 'FARC' Computers</title><content type="html">Via &lt;a 
href="http://colombiareports.com/colombia-news/news/23635-us-experts-help-decrypt-farc-computers.html"&gt;ColombiaReports.com&lt;/a&gt; (23 April 2012) -&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;A team of U.S. computer experts has arrived in Colombia to help national authorities recover information from the computer of deceased &lt;a href="https://en.wikipedia.org/wiki/Revolutionary_Armed_Forces_of_Colombia"&gt;FARC&lt;/a&gt; leader "Alfonso Cano," reported Colombian newspaper El Espectador Monday.&lt;br /&gt;
&lt;br /&gt;
Investigators with the Prosecutor General's office are working to break encryption codes on seven computers, 38 USB sticks and 24 hard drives recovered after a military bombing killed Cano in November 2011.&lt;br /&gt;
&lt;br /&gt;
The technology was retrieved from a FARC camp after the attack in Suarez, a town in the southwestern Cauca department.&lt;br /&gt;
&lt;br /&gt;
The heavily-encrypted data uses four languages and multiple passwords, and requires the "meticulous" skills of the U.S. team to salvage and analyze it.&lt;br /&gt;
&lt;br /&gt;
Investigators have already recovered some information from Cano's computer, including a plan to attack five army air bases with remote controlled helicopters.&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
----------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
Some of the 'plans' may be more aspirational than operational ;)&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=HSELtEzDOzI:zSzTjZfqRIg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/HSELtEzDOzI" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/1835001373682421795/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/04/us-experts-to-help-decrypt-farc.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/1835001373682421795?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/1835001373682421795?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/HSELtEzDOzI/us-experts-to-help-decrypt-farc.html" title="US Experts To Help Decrypt 'FARC' Computers" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/04/us-experts-to-help-decrypt-farc.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0EDRHo7cSp7ImA9WhVWEkQ.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-4525508408192300968</id><published>2012-04-24T16:30:00.003-04:00</published><updated>2012-04-24T16:34:35.409-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-24T16:34:35.409-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Malcode" /><category scheme="http://www.blogger.com/atom/ns#" term="Pwnage" /><category scheme="http://www.blogger.com/atom/ns#" term="Mobile" /><title>The Mobile Exploit Intelligence Project</title><content type="html">Dan Guido, working with Mike Arpaia, brings his well received 
intelligence-driven security ideas from "The Exploit Intelligence Project" of 2011 into the mobile space.&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.trailofbits.com/research/"&gt;http://www.trailofbits.com/research/&lt;/a&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-4525508408192300968?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=tkoksv46_ow:1e63hU9IMts:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/tkoksv46_ow" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/4525508408192300968/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/04/mobile-exploit-intelligence-project.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/4525508408192300968?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/4525508408192300968?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/tkoksv46_ow/mobile-exploit-intelligence-project.html" title="The Mobile Exploit Intelligence Project" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/04/mobile-exploit-intelligence-project.html</feedburner:origLink></entry><entry gd:etag="W/&quot;C04ESHs-fyp7ImA9WhVWEkU.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-41127451006811203</id><published>2012-04-24T11:36:00.000-04:00</published><updated>2012-04-24T11:38:29.557-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-24T11:38:29.557-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Targeted Attack" /><title>Nissan Gets Hacked, Intellectual Property Possible Target</title><content type="html">Via &lt;a href="http://www.dailytech.com/Nissan+Gets+Hacked+Target+Couldve+Been+Intellectual+Property/article24527.htm"&gt;DailyTech.com&lt;/a&gt; (April 24, 2012) -&lt;br /&gt;
&lt;i&gt;&lt;br /&gt;
Nissan Motor Company has announced that its information systems have been hacked. So far, the company doesn't know who the hackers were, or where they struck from, and it's unclear what data may have been compromised. Nissan believes that the hackers were looking for intellectual property related to its EV drivetrains.&lt;br /&gt;
&lt;br /&gt;
Nissan maintains that it quickly secured its system and issued a statement alerting customers and employees that its data systems were breached. Nissan says that the infiltration was noticed on April 13, so it has been roughly 10 days since the database was compromised.&lt;br /&gt;
&lt;br /&gt;
The statement read:&lt;br /&gt;
&lt;blockquote&gt;We have detected an intrusion into our company's global information systems network.&lt;br /&gt;
&lt;br /&gt;
On April 13, 2012, our information security team confirmed the presence of a computer virus on our network and immediately took aggressive actions to protect the company's systems and data. This included actions to protect information related to customers, employees and other partners worldwide. This incident initially involved the malicious placement of malware within our IS network, which then allowed transfer from a data store, housing employee user account credentials.&lt;br /&gt;
&lt;br /&gt;
As a result of our swift and deliberate actions we believe that our systems are secure and that no customer, employee or program data has been compromised. However, we believe that user IDs and hashed passwords were transmitted. We have no indication that any personal information and emails have been compromised. Regardless, we are continuing to take appropriate precautionary measures.&lt;br /&gt;
&lt;br /&gt;
Due to the ever-evolving sophistication and tenacity of hackers targeting corporations and governments on a daily basis, we continue to vigilantly maintain our protection and detection systems and related countermeasures to keep ahead of emerging threats. Our focus remains on safeguarding the integrity of employee, consumer and corporate information.&lt;/blockquote&gt;Nissan says that it opted to keep the hack secret for the last 10 days until it had a better idea what was going on, according to a spokesman cited by The Detroit Bureau.&lt;br /&gt;
&lt;/i&gt;&lt;br /&gt;
------------------------------------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
Looks like Active Directory might have got popped.&lt;br /&gt;
&lt;br /&gt;
Primary Sources....&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://nissannews.com/en-US/nissan/usa/releases/statement-nissan-is-taking-actions-to-protect-and-inform-employees-and-customers-following-an-intrusion-into-the-company-s-global-network-systems"&gt;Nissan Statement: Nissan is Taking Actions to Protect and Inform Employees and Customers Following an Intrusion into the Company's Global Network Systems&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://www.thedetroitbureau.com/2012/04/nissan-scrambles-after-major-cyber-attack/"&gt;&lt;br /&gt;
The Detroit Bureau: Nissan Scrambles After Major Cyber-Attack&lt;/a&gt;&lt;br /&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-41127451006811203?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=vA5yrL3jz14:S235AbNcPuk:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/vA5yrL3jz14" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/41127451006811203/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/04/nissan-gets-hacked-intellectual.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/41127451006811203?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/41127451006811203?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/vA5yrL3jz14/nissan-gets-hacked-intellectual.html" title="Nissan Gets Hacked, Intellectual Property Possible Target" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/04/nissan-gets-hacked-intellectual.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DEAARHwycCp7ImA9WhVWEk4.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-3096152915170544285</id><published>2012-04-23T23:05:00.001-04:00</published><updated>2012-04-23T23:05:45.298-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-23T23:05:45.298-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Malcode" /><title>Both Mac and Windows are Targeted at Once</title><content type="html">Via &lt;a href="http://www.symantec.com/connect/blogs/both-mac-and-windows-are-targeted-once"&gt;Symantec Security Response Blog&lt;/a&gt; -&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;Symantec Security Response, along with some other security vendors, reported the discovery of the OSX.Flashback malware recently patched by Apple. Many people may be surprised to learn the infection volume is reported at over 600,000 computers.&lt;br /&gt;
&lt;br /&gt;
On a new front, we have recently identified new Java Applet malware, which uses the &lt;a href="http://www.securityfocus.com/bid/52161"&gt;Oracle Java SE Remote Java Runtime Environment Code Execution Vulnerability&lt;/a&gt; (CVE-2012-0507) to download its payload. This attack vector is the same as the older one, but in this case the Java Applet checks which OS it is running on and downloads a suitable malware for the OS.&lt;br /&gt;
&lt;br /&gt;
[...]&lt;br /&gt;
&lt;br /&gt;
When a victim loads the Java Applet malware, it breaks the Java Applet sandbox by using the CVE-2012-0507 vulnerability. This vulnerability is effective for both Mac and Windows operating systems. Then, if the threat is running on a Mac operating system, it downloads a dropper type malware written in Python. However, if the threat is running on a Windows operating system, it downloads a standard Windows executable file dropper. Both droppers drop a Trojan horse program that opens a back door on the compromised computer.&lt;br /&gt;
&lt;br /&gt;
[...]&lt;br /&gt;
&lt;br /&gt;
The Trojan only checks whether it is a Windows operating system or not in this code, but the downloaded Python dropper checks again whether it is a Mac operating system or not. If it is running on Linux or some other operating system, the threat does nothing. Python is not a popular script to write malware in, but it works fine on a Mac operating system because Python has already been installed by default.&lt;br /&gt;
&lt;br /&gt;
Finally, one of two back door Trojans is dropped on to the computer. These two Trojans are downloaded from the same server, but are a little bit different from each other.&lt;br /&gt;
&lt;br /&gt;
The back door Trojan for the Mac operating system written in Python can control the “polling times”, which is related to how many times it gets commands from the server at certain time intervals. The author has done this in order to avoid IDS or IPS detection by reducing network communication. The network connection is also encrypted by RC4 or compressed by Zlib.&lt;br /&gt;
&lt;br /&gt;
[...]&lt;br /&gt;
&lt;br /&gt;
Recently, malware that targets Mac computers, such as &lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2011-093016-1216-99"&gt;OSX.Flashback&lt;/a&gt; and &lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2012-041310-1536-99"&gt;OSX.Sabpab&lt;/a&gt;, is increasing. This recent increase provides evidence that malware authors now consider Mac computers a viable battleground along with the Windows platform. Certainly it is now time for you to arm your Mac computer with a good security product.&lt;br /&gt;
&lt;br /&gt;
Symantec detects the Java Applet malware as &lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2010-102003-2856-99"&gt;Trojan.Maljava&lt;/a&gt;, the droppers as &lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2002-082718-3007-99"&gt;Trojan.Dropper&lt;/a&gt;, and the back door Trojans as &lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2001-062614-1754-99"&gt;Backdoor.Trojan&lt;/a&gt;. We continue to watch out for both Mac and Windows malware in order to protect our customers.&lt;/i&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=AHWjqydB01I:pdYcqPf-jrE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/AHWjqydB01I" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/3096152915170544285/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/04/both-mac-and-windows-are-targeted-at.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/3096152915170544285?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/3096152915170544285?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/AHWjqydB01I/both-mac-and-windows-are-targeted-at.html" title="Both Mac and Windows are Targeted at Once" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/04/both-mac-and-windows-are-targeted-at.html</feedburner:origLink></entry><entry gd:etag="W/&quot;D08HR3k4eyp7ImA9WhVWEk4.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-8262453083312352895</id><published>2012-04-23T22:50:00.002-04:00</published><updated>2012-04-23T22:50:36.733-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-23T22:50:36.733-04:00</app:edited><title>Defense Clandestine Service: Pentagon Reorganizes Intel into New Spy Shop</title><content type="html">Via &lt;a href="http://www.cbsnews.com/8301-250_162-57419103/pentagon-reorganizes-intel-into-new-spy-shop/"&gt;CBS News&lt;/a&gt; -&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;The Pentagon is rebranding and reorganizing its clandestine spy shop, sending more of its case officers to work alongside CIA officers to gather intelligence in places like China, after a decade of focusing intensely on war zones.&lt;br /&gt;
&lt;br /&gt;
Several hundred case officers will make up the new Defense Clandestine Service. Drawn from the Defense Intelligence Agency, the officers will be sent to beef up U.S. intelligence teams in areas that are now receiving more attention. Those include Africa, where al Qaeda is increasingly active, and parts of Asia, where the North Korean missile threat and Chinese military expansion are causing increasing U.S. concern.&lt;br /&gt;
&lt;br /&gt;
The new effort was described by a senior defense official who spoke on condition of anonymity because he was not authorized to speak publicly about the classified program.&lt;br /&gt;
&lt;br /&gt;
Defense Department case officers already secretly gather intelligence across the globe on terrorism, weapons of mass destruction and other issues, mostly working out of CIA stations in embassies and operating undercover like their CIA counterparts.&lt;br /&gt;
&lt;br /&gt;
But an internal study by the Director of National Intelligence last year found the agency still focused more on its traditional mission of providing the military with intelligence in war zones, and less on what's called "national" intelligence — gathering and disseminating information on global issues and sharing that intelligence with other national security agencies, the official said.&lt;br /&gt;
&lt;br /&gt;
The study also found that the Pentagon did not always reward clandestine service overseas with promotions, so its most experienced case officers often left for the CIA, or switched to other career paths within the Pentagon.&lt;br /&gt;
&lt;br /&gt;
[...]&lt;br /&gt;
&lt;br /&gt;
The case officers in the field — some military and some civilian — will answer directly to the top intelligence representative in their post, usually the CIA's chief of station, in addition to serving their agency back home. The arrangement is likely to curb complaints seen in earlier expansions of the Defense Department's spy mission, which the CIA and other agencies saw as the military stepping on their territory.&lt;br /&gt;
&lt;br /&gt;
The changes were worked out by the top Pentagon intelligence official, Under Secretary of Defense for Intelligence Michael Vickers, and his CIA counterpart who heads the National Clandestine Service, and briefed to Congress before Defense Secretary Leon Panetta signed off on the new program last Friday.&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
Looks like they are playing better together, post-&lt;a href="http://en.wikipedia.org/wiki/Counterintelligence_Field_Activity"&gt;CIFA&lt;/a&gt; days.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-8262453083312352895?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=0qFAYBctvoE:d4WJ6a9k06U:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/0qFAYBctvoE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/8262453083312352895/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/04/defense-clandestine-service-pentagon.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/8262453083312352895?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/8262453083312352895?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/0qFAYBctvoE/defense-clandestine-service-pentagon.html" title="Defense Clandestine Service: Pentagon Reorganizes Intel into New Spy Shop" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/04/defense-clandestine-service-pentagon.html</feedburner:origLink></entry><entry gd:etag="W/&quot;CUIMQH4yfSp7ImA9WhVXFkw.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-5592908647972906700</id><published>2012-04-16T17:41:00.000-04:00</published><updated>2012-04-16T17:59:41.095-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-16T17:59:41.095-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="APT" /><title>Recent Purported CEIEC Document Dump Booby-Trapped</title><content type="html">Via &lt;a href="http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20120416"&gt;ShadowServer&lt;/a&gt; -&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;In recent weeks thousands of documents have been released online by a hacktivist going by the online moniker of "&lt;a href="https://twitter.com/#%21/HardcoreCharle"&gt;Hardcore Charlie&lt;/a&gt;." These documents appear to have potentially been sourced and possibly stolen from various businesses and governments in different countries including the United States, the Philippines, Myanmar, Vietnam, and others. In particular Hardcore Charlie has been attempting to draw attention to some of the documents that apparently relate to U.S. military operations in Afghanistan. The twist in all of this is that the documents are purported to have been stolen by Hardcore Charlie from the Beijing-based military contractor China National Import &amp;amp; Export Corp (CEIEC). If true, that would mean that the documents were stolen at least twice. These are allegations that CEIEC has strongly denied and condemned in a post on &lt;a href="http://www.ceiec.com/news/554"&gt;their website&lt;/a&gt;.&lt;br /&gt;
&lt;br /&gt;
This entire turn of events has raised more questions than it has answered. Are the documents legitimate? Where were they originally stolen from? If these were really stolen twice, who stole them first? We unfortunately do not have the answer to any of these questions. However, one thing we do have is words of caution and some interesting information about a handful of the documents found in this dump. Within the document dump in a folder related to Vietnam are 11 malicious documents (8 unique) that exploit vulnerabilities (CVE-2010-3333 and CVE-2009-3129) in Microsoft Office to install malware. These documents installed four different types of backdoors that reported back to six distinct command and control servers. Two of the backdoors were unfamiliar to us and the other two were the well-known Poison Ivy RAT and the Enfal/Lurid. At least one hostname could be tied back to a known set of persistent actors engaged in cyber espionage.&lt;br /&gt;
&lt;br /&gt;
[...]&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Vietnamese Targeting and Timeline&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
These nine unique samples from the document dump from Hardcore Charlie appear to lead to multiple different attack campaigns targeting Vietnamese interests. The malicious documents have Vietnamese names and will open legitimate clean versions of the documents in Vietnamese upon successful exploitation. At least one of the trojan samples even saves itself as a file that might blend in on a Vietnamese computer. Another has strings related to the Vietnamese version of Google, while another uses a DNS name that is in Vietnamese as well. We would suspect this may just be the tip of the iceberg.&lt;br /&gt;
&lt;br /&gt;
As for timing -- several indicators seem to point to these documents being approximately a year old. The most obvious and most tamper-proof piece of evidence is a &lt;a href="https://www.virustotal.com/file/15f9f9f3e617d84083e6ac3652dfa9090f236ca8879a66654464a5b781318df5/analysis/"&gt;VirusTotal submission&lt;/a&gt; from April 2011. You may note the document from this submission was named BC cua chi binh voi BCS.doc. However, this file has the same MD5 hash, 32f5ad4f09135fcdde86ecd4c466a993, as the file we saw named Danh sach.doc. This indicates that this activity is not new and these files may have been unknowingly included in this document dump.&lt;br /&gt;
&lt;br /&gt;
&lt;b&gt;Conclusion&lt;/b&gt;&lt;br /&gt;
&lt;br /&gt;
These malicious documents within the data dump raise several questions and can lead to plenty of speculation. Were these malicious documents resident on victim systems from previous targeted APT campaigns and exfiltrated alongside the legitimate documents as part of another cyber espionage operation? Could it be that they were intentionally placed into this data dump? Anything is possible and we do not have all the answers. However, we can tell you that a few of the malware samples had previously been submitted to VirusTotal in early 2011. Additionally, metadata of the clean documents dropped by a few of the malware payloads showed that the documents were also created in 2011, indicating that the malicious documents have likely been circulating in the wild for more than a year.&lt;br /&gt;
&lt;br /&gt;
Although many questions remain, the following facts are clear:&lt;/i&gt;&lt;br /&gt;
&lt;ul&gt;&lt;li&gt;&lt;i&gt;A small subset of the documents contained in the purported CEIEC dump are malicious.&lt;br /&gt;
&lt;/i&gt;&lt;/li&gt;
&lt;li&gt;&lt;i&gt;These malicious documents drop a mix of malware families including Poison Ivy, Enfal/Lurid and two unnamed families.&lt;/i&gt;&lt;/li&gt;
&lt;li&gt;&lt;i&gt;Some of the malware samples extracted from the CEIEC dump connect to infrastructure used in previous APT campaigns.&lt;/i&gt;&lt;/li&gt;
&lt;/ul&gt;&lt;br /&gt;
&lt;i&gt;These documents just go to show that malicious files can end up pretty much anywhere. We are stating the obvious but remember to exercise caution when viewing files you downloaded from the Internet. Microsoft patched the two vulnerabilities used in these attacks quite some time ago. They patched CVE-2009-3129 with &lt;a href="https://technet.microsoft.com/en-us/security/bulletin/MS09-067"&gt;MS09-067&lt;/a&gt; and CVE-2010-3333 with &lt;a href="https://technet.microsoft.com/en-us/security/bulletin/MS10-087"&gt;MS10-087&lt;/a&gt;. Malicious documents that exploit vulnerabilities in Microsoft Office, Adobe Acrobat [Reader], or components loaded by these pieces of software are still some of the most common ways in which cyber espionage attacks are conducted. Staying current with the latest versions and security patches for any software you run is highly recommended.  &lt;/i&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-5592908647972906700?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
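Added example, not ShadowServer's tooling or anything from the post above: a first triage pass over a document dump like this one. It hashes every file, groups identical bytes that appear under different names (the post counts 11 malicious documents but only 8 unique), matches against a known-bad MD5 list seeded with the hash quoted above, and separately flags any file named .doc whose bytes begin with an RTF header, because CVE-2010-3333 is a bug in Word's RTF parser and exploit RTFs are routinely renamed to .doc. That RTF check is a heuristic added here, not something the post describes. `build_constructed_dump` writes a small made-up directory tree (folder name, file names and contents are constructed stand-ins, not the real dump) so the script runs offline.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# MD5 quoted in the ShadowServer post for Danh sach.doc / BC cua chi binh voi BCS.doc.
# Everything else in this file is an added illustration, not ShadowServer's tooling.
KNOWN_BAD_MD5 = {
    "32f5ad4f09135fcdde86ecd4c466a993": "Danh sach.doc / BC cua chi binh voi BCS.doc (ShadowServer)",
}

RTF_MAGIC = b"{\\rtf"          # every RTF file starts with this control word
DOC_EXTS = (".doc", ".dot")    # Word binary extensions an RTF lure is often renamed to


def file_hashes(path, chunk=1 << 20):
    """Return (md5, sha256) of a file, streaming so a large dump is not loaded into RAM."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha256.update(block)
    return md5.hexdigest(), sha256.hexdigest()


def looks_like_rtf_named_as_doc(path):
    """Heuristic (added here): a .doc/.dot whose first bytes are an RTF header."""
    if not path.lower().endswith(DOC_EXTS):
        return False
    with open(path, "rb") as fh:
        return fh.read(len(RTF_MAGIC)) == RTF_MAGIC


def triage_dump(root, known_bad_md5=KNOWN_BAD_MD5):
    """Hash every file under root; report duplicates, known-bad hits and RTF-as-DOC files."""
    paths_by_md5 = defaultdict(list)
    sha256_by_md5 = {}
    rtf_named_as_doc = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            md5, sha256 = file_hashes(path)
            paths_by_md5[md5].append(rel)
            sha256_by_md5[md5] = sha256
            if looks_like_rtf_named_as_doc(path):
                rtf_named_as_doc.append(rel)
    return {
        "total_files": sum(len(p) for p in paths_by_md5.values()),
        "unique_files": len(paths_by_md5),
        # same bytes under several names, like the 11-vs-8 count in the post
        "duplicates": {m: sorted(p) for m, p in paths_by_md5.items() if len(p) > 1},
        "known_bad": {
            m: {"sha256": sha256_by_md5[m], "paths": sorted(p), "note": known_bad_md5[m]}
            for m, p in paths_by_md5.items() if m in known_bad_md5
        },
        "rtf_named_as_doc": sorted(rtf_named_as_doc),
    }


def build_constructed_dump():
    """Write a small constructed dump (made-up contents) and return (root, ioc_list)."""
    root = tempfile.mkdtemp(prefix="dump-")
    os.makedirs(os.path.join(root, "Vietnam"))
    lure = b"{\\rtf1 constructed stand-in for a malicious RTF}"   # not a real exploit
    for name in ("Danh sach.doc", "BC cua chi binh voi BCS.doc"):
        with open(os.path.join(root, "Vietnam", name), "wb") as fh:
            fh.write(lure)
    with open(os.path.join(root, "readme.txt"), "wb") as fh:
        fh.write(b"benign constructed text file\n")
    ioc = {hashlib.md5(lure).hexdigest(): "constructed sample"}
    return root, ioc


if __name__ == "__main__":
    root, ioc = build_constructed_dump()
    report = triage_dump(root, ioc)
    for md5, hit in report["known_bad"].items():
        print(f"KNOWN BAD {md5} -> {hit['paths']}")
    print(report["total_files"], "files,", report["unique_files"], "unique,",
          len(report["rtf_named_as_doc"]), "RTF files named as .doc")
```

Against a real dump you would swap the constructed IOC dict for the two hashes on this page (MD5 above, SHA-256 in the VirusTotal URL) plus whatever your own sandbox produced, and treat an "RTF named as .doc" hit as something to detonate, not as proof by itself.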
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=tIhiITP7OaE:5-ravPQF7IA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/tIhiITP7OaE" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/5592908647972906700/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/04/recent-purported-ceiec-document-dump.html#comment-form" title="1 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/5592908647972906700?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/5592908647972906700?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/tIhiITP7OaE/recent-purported-ceiec-document-dump.html" title="Recent Purported CEIEC Document Dump Booby-Trapped" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>1</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/04/recent-purported-ceiec-document-dump.html</feedburner:origLink></entry><entry gd:etag="W/&quot;A0QNR3o-eyp7ImA9WhVXFE8.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-5890283771090326212</id><published>2012-04-14T14:49:00.004-04:00</published><updated>2012-04-14T14:49:56.453-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-14T14:49:56.453-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Malcode" /><category scheme="http://www.blogger.com/atom/ns#" term="APT" /><title>SabPub Mac OS X Backdoor: Java Exploits, Targeted Attacks and Possible APT link</title><content type="html">Via &lt;a 
href="http://www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link"&gt;Securelist.com&lt;/a&gt; (Kaspersky) -&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;We can confirm yet another Mac malware in the wild - Backdoor.OSX.SabPub.a being spread through Java exploits.&lt;br /&gt;
&lt;br /&gt;
This new threat is a custom OS X backdoor, which appears to have been designed for use in targeted attacks. After it is activated on an infected system, it connects to a remote website in typical C&amp;amp;C fashion to fetch instructions. The backdoor contains functionality to make screenshots of the user’s current session and execute commands on the infected machine.&lt;br /&gt;
&lt;br /&gt;
The remote C&amp;amp;C website - rt***.onedumb.com is hosted on a VPS located in the U.S, Fremont, CA.&lt;br /&gt;
&lt;br /&gt;
“Onedumb.com” is a free dynamic DNS service. Interestingly, the C&amp;amp;C at IP 199.192.152.* was used in other targeted attacks (known as “&lt;a href="http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf"&gt;Luckycat&lt;/a&gt;”) in the past.&lt;br /&gt;
&lt;br /&gt;
[...]&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
The Java exploits appear to be pretty standard, however, they have been obfuscated using ZelixKlassMaster, a flexible and quite powerful Java obfuscator. This was obviously done in order to avoid detection from anti-malware products.&lt;br /&gt;
&lt;br /&gt;
At the moment, it is not clear how users get infected with this, but the low number and its backdoor functionality indicate that it is most likely used in targeted attacks. Several reports exist which suggest the attack was launched through e-mails containing a URL pointing to two websites hosting the exploit, located in the US and Germany.&lt;br /&gt;
&lt;br /&gt;
The timing of the discovery of this backdoor is interesting because in March, several reports pointed to Pro-Tibetan targeted attacks against Mac OS X users. The malware does not appear to be similar to the one used in these attacks, though it is possible that it was part of the same or other similar campaigns.&lt;br /&gt;
&lt;br /&gt;
One other important detail is that the backdoor has been compiled with debug information - which makes its analysis quite easy. This can be an indicator that it is still under development and it is not the final version.&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
--------------------------------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
Kaspersky redacted part of the C2 info, but Symantec did not...&lt;br /&gt;
&lt;br /&gt;
Symantec - OSX.Sabpab&lt;br /&gt;
&lt;a href="http://www.symantec.com/security_response/writeup.jsp?docid=2012-041310-1536-99&amp;amp;tabid=2"&gt;http://www.symantec.com/security_response/writeup.jsp?docid=2012-041310-1536-99&amp;amp;tabid=2&lt;/a&gt;&lt;br /&gt;
&lt;blockquote&gt;&lt;i&gt;Next, the Trojan connects to the following location and opens a back door on the compromised computer: &lt;span style="color: red;"&gt;hxxp://rtx556.onedumb.com &lt;/span&gt;&lt;/i&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-5890283771090326212?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
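Added example, not from Kaspersky, Symantec or this blog: a small resolver-log scanner built from the three indicators on this page, the full hostname Symantec published, the 199.192.152.* prefix Kaspersky gave, and the onedumb.com dynamic-DNS zone both sit in. The point it makes is the confidence tiering: the exact hostname or an answer inside the /24 is a high-confidence hit, while any other name on a free dynamic-DNS zone is only a lead, since those zones are full of unrelated users. The log layout and every line in `SAMPLE_LOG` are constructed for the example; the client and answer addresses are documentation ranges except the one answer deliberately placed inside the /24.

```python
import ipaddress
import re

# Indicators quoted on this page: the full C2 hostname from Symantec's writeup,
# the IP prefix Kaspersky published, and the dynamic-DNS zone the hostname lives in.
C2_HOSTS = {"rtx556.onedumb.com": "SabPub C2 hostname (Symantec OSX.Sabpab writeup)"}
C2_NETS = {ipaddress.ip_network("199.192.152.0/24"): "199.192.152.* (Kaspersky; overlaps Luckycat)"}
DDNS_ZONES = {"onedumb.com": "free dynamic-DNS zone; other names here are only a lead"}

# Assumed log layout for this example (constructed): "<timestamp> <client> <qname> <answer>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rdata>\S+)$")


def classify(qname, rdata):
    """Return (severity, reason) for one resolved name, or None if nothing matches."""
    name = qname.rstrip(".").lower()
    if name in C2_HOSTS:                       # exact C2 hostname: high confidence
        return "high", C2_HOSTS[name]
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:                         # CNAME/NXDOMAIN/garbage: no address to test
        addr = None
    if addr is not None:
        for net, why in C2_NETS.items():       # answer inside the published /24
            if addr in net:
                return "high", why
    for zone, why in DDNS_ZONES.items():       # sibling names on the same free DDNS zone
        if name == zone or name.endswith("." + zone):
            return "low", why
    return None


def scan_dns_log(lines):
    """Return [(client, qname, rdata, severity, reason)] for lines that match an indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        verdict = classify(m["qname"], m["rdata"])
        if verdict is not None:
            hits.append((m["client"], m["qname"], m["rdata"]) + verdict)
    return hits


# Constructed resolver log; client and answer addresses are documentation ranges,
# except the one answer placed inside Kaspersky's 199.192.152.0/24 on purpose.
SAMPLE_LOG = """\
2012-04-13T09:12:01Z 10.0.0.17 rtx556.onedumb.com 203.0.113.9
2012-04-13T09:12:05Z 10.0.0.17 www.example.com 203.0.113.20
2012-04-13T09:13:44Z 10.0.0.23 cdn.example.net 199.192.152.77
2012-04-13T09:15:02Z 10.0.0.31 other-box.onedumb.com 198.51.100.4
"""

if __name__ == "__main__":
    for client, qname, rdata, sev, why in scan_dns_log(SAMPLE_LOG.splitlines()):
        print(f"[{sev:4}] {client} -> {qname} ({rdata}): {why}")
```

The /24 match is the one to watch in both directions: it catches a new hostname the attackers point at the same VPS, but a shared hosting range can also drag in unrelated traffic, so confirm the client before calling it an infection.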
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=GqnxTU0Uasg:6jRO8l6uRi8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/GqnxTU0Uasg" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/5890283771090326212/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/04/sabpub-mac-os-x-backdoor-java-exploits.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/5890283771090326212?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/5890283771090326212?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/GqnxTU0Uasg/sabpub-mac-os-x-backdoor-java-exploits.html" title="SabPub Mac OS X Backdoor: Java Exploits, Targeted Attacks and Possible APT link" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/04/sabpub-mac-os-x-backdoor-java-exploits.html</feedburner:origLink></entry><entry gd:etag="W/&quot;DUcGRHc4fyp7ImA9WhVXFE8.&quot;"><id>tag:blogger.com,1999:blog-18341144.post-3114851012972868927</id><published>2012-04-14T14:10:00.002-04:00</published><updated>2012-04-14T14:10:25.937-04:00</updated><app:edited xmlns:app="http://www.w3.org/2007/app">2012-04-14T14:10:25.937-04:00</app:edited><category scheme="http://www.blogger.com/atom/ns#" term="Malcode" /><title>Fighting the OSX/Flashback Hydra</title><content type="html">Via &lt;a href="http://blog.eset.com/2012/04/13/fighting-the-osxflashback-hydra"&gt;ESET Threat Blog&lt;/a&gt; -&lt;br /&gt;
&lt;br /&gt;
&lt;i&gt;The biggest Mac botnet ever encountered, the OSX/Flashback botnet, is being hit hard. On April 12th, Apple released a &lt;a href="http://support.apple.com/kb/HT5247"&gt;third Java update&lt;/a&gt; since the Flashback malicious code outbreak. This update includes a new tool called MRT (Malware Removal Tool) which allows Apple to quickly push malware removal code to their user base. The first mission of MRT: remove Flashback.&lt;br /&gt;
&lt;br /&gt;
[...]&lt;br /&gt;
&lt;br /&gt;
When it comes to disclosing a realistic number of unique infected hosts, we strive to be as accurate and objective as possible. Defining a unique host is not trivial, even if OSX/Flashback uses hardware UUIDs. Our data indicates many UUIDs that connected to our sinkhole (a server we set up to capture incoming traffic from bot-infected machines trying to communicate with their command-and-control servers), came from a big range of IP addresses, indicating that there may be UUID duplicates. Virtual Machines or so-called Hack-intosh installations may explain this.&lt;br /&gt;
&lt;br /&gt;
When browsing Hack-intosh forums, we found out that everyone who is using the fourth release candidate of a special distribution has the same hardware UUID (XXXXXXXX-C304-556B-A442-960AB835CB5D) and even discuss ways to arbitrarily modify it.&lt;br /&gt;
&lt;br /&gt;
Oddly enough, we found this UUID connected to our sinkhole from 20 different IP addresses. This indicates that those who considered UUID to count the number of distinct infected hosts probably have underestimated the botnet size.&lt;br /&gt;
&lt;br /&gt;
Flashback evolved a lot in the last few months. The authors moved fast and added obfuscation and fallback methods in case the main C&amp;C server is taken down. The dropper now generates 5 domain names per day and tries to get an executable file from those websites. The latest variants of the dropper and the library encrypt its important strings with the Mac hardware UUID. This makes it difficult for researchers to analyze a variant reported by a customer if they don’t also have access to the UUID.&lt;br /&gt;
&lt;br /&gt;
The fallback mechanism that Flashback uses when it is unable to contact its C&amp;C servers is quite interesting. Each day, it will generate a new Twitter hashtag and search for any tweet containing that hashtag. A new C&amp;C address can be provided to an infected system this way. &lt;a href="http://www.intego.com/mac-security-blog/flashback-mac-malware-uses-twitter-as-command-and-control-center/"&gt;Intego reported this last month&lt;/a&gt;, but the latest version uses new strings. Twitter has been notified of the new hashtags and is working on remediations to make sure the operator of the botnet cannot take back control of his botnet through Twitter.&lt;/i&gt;&lt;br /&gt;
&lt;br /&gt;
------------------------------------------------------------------&lt;br /&gt;
&lt;br /&gt;
Flashback Malware Removal Tool&lt;br /&gt;
&lt;a href="http://support.apple.com/kb/DL1517"&gt;http://support.apple.com/kb/DL1517&lt;/a&gt;&lt;br /&gt;
&lt;blockquote&gt;&lt;i&gt;This Flashback malware removal tool will remove the most common variants of the Flashback malware. If the Flashback malware is found, a dialog will be presented notifying the user that malware was removed. In some cases, the Flashback malware removal tool may need to restart your computer in order to completely remove the Flashback malware.&lt;br /&gt;
&lt;br /&gt;
This update is recommended for all OS X Lion users without Java installed.&lt;/i&gt;&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/18341144-3114851012972868927?l=djtechnocrat.blogspot.com' alt='' /&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
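Added example, not ESET's sinkhole code or anything from this blog: the counting problem ESET describes above, worked through on constructed data. Flashback keys its check-ins on the hardware UUID, so counting distinct UUIDs gives a floor that is too low when a UUID is shared (the Hackintosh build with one UUID on every install), while counting distinct UUID/IP pairs gives a ceiling that is too high when one real host changes address through DHCP or NAT. The function below returns both bounds, lists UUIDs seen from more addresses than churn plausibly explains, and produces an adjusted figure that counts each address of such a UUID as its own host. The shared UUID is kept exactly as the post prints it, with its first block redacted; the other UUIDs, every address and the churn threshold are made up.

```python
from collections import defaultdict

# The UUID ESET saw from 20 addresses is quoted on the page with its first block
# redacted; it is kept exactly as quoted. All check-in records below are constructed.
SHARED_HACKINTOSH_UUID = "XXXXXXXX-C304-556B-A442-960AB835CB5D"


def estimate_infected_hosts(records, max_ips_per_uuid=3):
    """records: iterable of (hardware_uuid, source_ip) check-ins seen at a sinkhole.

    Returns a lower bound (distinct UUIDs: undercounts when UUIDs are shared), an
    upper bound (distinct UUID/IP pairs: overcounts when one host changes address),
    the UUIDs seen from more addresses than DHCP/NAT churn plausibly explains, and
    an adjusted figure that treats each address of such a UUID as a separate host.
    """
    ips_by_uuid = defaultdict(set)
    for uuid, ip in records:
        ips_by_uuid[uuid.upper()].add(ip)
    suspect_shared = {u: len(ips) for u, ips in ips_by_uuid.items() if len(ips) > max_ips_per_uuid}
    adjusted = sum(len(ips) if u in suspect_shared else 1 for u, ips in ips_by_uuid.items())
    return {
        "by_uuid": len(ips_by_uuid),
        "by_uuid_ip": sum(len(ips) for ips in ips_by_uuid.values()),
        "suspect_shared_uuids": suspect_shared,
        "adjusted": adjusted,
    }


def constructed_sinkhole_records():
    """Made-up check-ins: one host on a stable address, one host that moved through three
    addresses (DHCP churn), and the shared Hackintosh UUID arriving from 20 addresses."""
    records = [("1A2B3C4D-0000-4000-8000-000000000001", "198.51.100.10")]
    records += [("1A2B3C4D-0000-4000-8000-000000000002", ip)
                for ip in ("203.0.113.5", "203.0.113.6", "203.0.113.7")]
    records += [(SHARED_HACKINTOSH_UUID, f"192.0.2.{n}") for n in range(1, 21)]
    # Repeat check-ins from the same UUID/IP pair must not inflate any count.
    records += records[:1]
    return records


if __name__ == "__main__":
    est = estimate_infected_hosts(constructed_sinkhole_records())
    print(f"distinct UUIDs: {est['by_uuid']}  UUID/IP pairs: {est['by_uuid_ip']}  adjusted: {est['adjusted']}")
    for uuid, n in est["suspect_shared_uuids"].items():
        print(f"UUID {uuid} seen from {n} addresses: probably shared, not one host")
```

The threshold is the judgement call: a laptop that roams between home, office and a coffee shop legitimately shows up from several addresses over a week, so set `max_ips_per_uuid` from your own observation window rather than trusting the default here, and report the two bounds alongside any single number.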
&lt;a href="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?a=YXool6zFk7s:QrX2Fi_lM2M:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/ThoughtsOfATechnocrat?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/ThoughtsOfATechnocrat/~4/YXool6zFk7s" height="1" width="1"/&gt;</content><link rel="replies" type="application/atom+xml" href="http://djtechnocrat.blogspot.com/feeds/3114851012972868927/comments/default" title="Post Comments" /><link rel="replies" type="text/html" href="http://djtechnocrat.blogspot.com/2012/04/fighting-osxflashback-hydra.html#comment-form" title="0 Comments" /><link rel="edit" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/3114851012972868927?v=2" /><link rel="self" type="application/atom+xml" href="http://www.blogger.com/feeds/18341144/posts/default/3114851012972868927?v=2" /><link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/ThoughtsOfATechnocrat/~3/YXool6zFk7s/fighting-osxflashback-hydra.html" title="Fighting the OSX/Flashback Hydra" /><author><name>Technocrat</name><uri>http://www.blogger.com/profile/05399633416913275459</uri><email>noreply@blogger.com</email><gd:image rel="http://schemas.google.com/g/2005#thumbnail" width="16" height="16" src="http://img2.blogblog.com/img/b16-rounded.gif" /></author><thr:total>0</thr:total><feedburner:origLink>http://djtechnocrat.blogspot.com/2012/04/fighting-osxflashback-hydra.html</feedburner:origLink></entry></feed>

