Global cyber-espionage campaign
The attack campaign was discovered and analyzed by researchers from security firm Kaspersky Lab and the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics.
Dubbed MiniDuke, the attack campaign used targeted email messages — a technique known as spear phishing — that carried malicious PDF files rigged with a recently patched exploit for Adobe Reader 9, 10 and 11.
The exploit was originally discovered in active attacks earlier this month by security researchers from FireEye and is capable of bypassing the sandbox protection in Adobe Reader 10 and 11. Adobe released security patches for the vulnerabilities targeted by the exploit on Feb. 20.
The new MiniDuke attacks use the same exploit identified by FireEye, but with some advanced modifications, said Costin Raiu, director of Kaspersky Lab’s global research and analysis team, on Wednesday. This could suggest that the attackers had access to the toolkit that was used to create the original exploit.
The malicious PDF files are rogue copies of reports with content relevant to the targeted organizations and include a report on the informal Asia-Europe Meeting (ASEM) seminar on human rights, a report on Ukraine’s NATO membership action plan, a report on Ukraine’s regional foreign policy and a report on the 2013 Armenian Economic Association, and more.
If the exploit is successful, the rogue PDF files install a piece of malware that’s encrypted with information gathered from the affected system. This encryption technique was also used in the Gauss cyber-espionage malware and prevents the malware from being analyzed on a different system, Raiu said. If run on a different computer, the malware will execute, but will not initiate its malicious functionality, he said.
Another interesting aspect of this threat is that it’s only 20KB in size and was written in Assembler, a method that’s rarely used today by malware creators. Its small size is also unusual when compared to the size of modern malware, Raiu said. This suggests that the programmers were “old-school,” he said.
The piece of malware installed during this first stage of the attack connects to specific Twitter accounts that contain encrypted commands pointing to four websites that act as command-and-control servers. These websites, which are hosted in the U.S., Germany, France and Switzerland, host encrypted GIF files that contain a second backdoor program.
The second backdoor is an update to the first and connects back to the command-and-control servers to download yet another backdoor program that’s uniquely designed for each victim. As of Wednesday, the command-and-control servers were hosting five different backdoor programs for five unique victims in Portugal, Ukraine, Germany and Belgium, Raiu said.These unique backdoor programs connect to different command-and-control servers in Panama or Turkey, and they allow the attackers to execute commands on the infected systems.
The people behind the MiniDuke cyber-espionage campaign have operated since at least April 2012, when one of the special Twitter accounts was first created, Raiu said. However, it’s possible that their activity was more subtle until recently, when they decided to take advantage of the new Adobe Reader exploit to compromise as many organizations as possible before the vulnerabilities get patched, he said.
The malware used in the new attacks is unique and hasn’t been seen before, so the group might have used different malware in the past, Raiu said. Judging by the wide range of targets and the global nature of the attacks, the attackers probably have a large agenda, he said.
MiniDuke victims include organizations from Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russia, Slovenia, Spain, Turkey, Ukraine, United Kingdom and the United States.
In the United States, a research institute, two pro-U.S. think tanks and a health care company have been affected by this attack, Raiu said without naming any of the victims.
The attack is not as sophisticated as Flame or Stuxnet, but is high-level nevertheless, Raiu said. There are no indications regarding where the attackers might operate from or what interests they might be serving.
That said, the backdoor coding style is reminiscent of a group of malware writers known as 29A, believed to be defunct since 2008. There’s a “666″ signature in the code and 29A is the hexadecimal representation of 666, Raiu said.
A “666″ value was also found in the malware used in the earlier attacks analyzed by FireEye, but that threat was different from MiniDuke, Raiu said. The question of whether the two attacks are related remains open.
News of this cyber-espionage campaign comes on the heels of renewed discussions about the Chinese cyber-espionage threat, particularly in the U.S., that were prompted by a recent report from security firm Mandiant. The report contains details about the years-long activity of a group of cyberattackers dubbed the Comment Crew that Mandiant believes to be a secret cyberunit of the Chinese Army. The Chinese government has dismissed the allegations, but the report was widely covered in the media.
Raiu said that none of the MiniDuke victims identified so far was from China, but declined to speculate on the significance of this fact. Last week security researchers from other companies identified targeted attacks that distributed the same PDF exploit masquerading as copies of the Mandiant report.
Those attacks installed malware that was clearly of Chinese origin, Raiu said. However, the way in which the exploit was used in those attacks was very crude and the malware was unsophisticated when compared to MiniDuke, he said.
Article source: http://www.pcworld.com/article/2029517/researchers-discover-new-global-cyberespionage-campaign.html
Obama to combat cyber espionage
The United States has recently stepped up the rhetoric against China on cyber espionage, with President Barack Obama joined the chorus on Wednesday.
He complained billions of dollars could be lost due to theft of American corporate secrets, following warnings by Pentagon officials that cyber espionage could be a dire threat to America’s national security.
Washington’s allegations show it is rather impatient with rampant backdoor thefts in the digital world, but casting China as a specific culprit for the ubiquitous problem is unfair.
Computer hacking is an emerging threat to global security. Both China and the United States are victims of electronic assaults.
In 2012, more than 14 million computers in China were hijacked and controlled from foreign IP addresses, with more than 10 million of those being controlled from IP addresses in the U.S., according to CNCERT, China’s top Internet coordination center.
In fairness, that does not mean the hackers were American, or that Washington was supporting or condoning the digital attacks against China. With computer technologies evolving so fast, hackers can easily hide or change their IPs. That makes hackers anonymous and difficult to trace.
Using the same logic, any hasty accusation aimed at a specific country for cyber attacks is technologically flawed and politically inappropriate.
Blaming the attacks on Chinese hackers is a rash statement that lacks credible evidence, while picking on Beijing as backing such acts sounds like an insidious attempt to tarnish China’s image.
The Chinese government has launched dozens of campaigns against backdoor spying and malicious software, cutting off remote control by tens of millions of IP addresses.
To eradicate cyber crime on the borderless Internet is barely possible without transnational cooperation. In this new field, the United States and China share common interests.
China-U.S. relations are the most important bilateral relations on earth. Instead of trading barbs and taking aggressive steps against each other, the world’s biggest and second largest economies would do well to combine their efforts to build a safer virtual world.
Article source: http://manilatimes.net/index.php/technology/43675-us-china-to-combat-cyber-espionage
Researchers discover new global cyber- espionage campaign
The attack campaign was discovered and analyzed by researchers from security firm Kaspersky Lab and the Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics.
Dubbed MiniDuke, the attack campaign used targeted email messages — a technique known as spear phishing — that carried malicious PDF files rigged with a recently patched exploit for Adobe Reader 9, 10 and 11.
The exploit was originally discovered in active attacks earlier this month by security researchers from FireEye and is capable of bypassing the sandbox protection in Adobe Reader 10 and 11. Adobe released security patches for the vulnerabilities targeted by the exploit on Feb. 20.
The new MiniDuke attacks use the same exploit identified by FireEye, but with some advanced modifications, said Costin Raiu, director of Kaspersky Lab’s global research and analysis team, on Wednesday. This could suggest that the attackers had access to the toolkit that was used to create the original exploit.
The malicious PDF files are rogue copies of reports with content relevant to the targeted organizations and include a report on the informal Asia-Europe Meeting (ASEM) seminar on human rights, a report on Ukraine’s NATO membership action plan, a report on Ukraine’s regional foreign policy and a report on the 2013 Armenian Economic Association, and more.
If the exploit is successful, the rogue PDF files install a piece of malware that’s encrypted with information gathered from the affected system. This encryption technique was also used in the Gauss cyber-espionage malware and prevents the malware from being analyzed on a different system, Raiu said. If run on a different computer, the malware will execute, but will not initiate its malicious functionality, he said.
Another interesting aspect of this threat is that it’s only 20KB in size and was written in Assembler, a method that’s rarely used today by malware creators. Its small size is also unusual when compared to the size of modern malware, Raiu said. This suggests that the programmers were “old-school,” he said.
The piece of malware installed during this first stage of the attack connects to specific Twitter accounts that contain encrypted commands pointing to four websites that act as command-and-control servers. These websites, which are hosted in the U.S., Germany, France and Switzerland, host encrypted GIF files that contain a second backdoor program.
The second backdoor is an update to the first and connects back to the command-and-control servers to download yet another backdoor program that’s uniquely designed for each victim. As of Wednesday, the command-and-control servers were hosting five different backdoor programs for five unique victims in Portugal, Ukraine, Germany and Belgium, Raiu said.These unique backdoor programs connect to different command-and-control servers in Panama or Turkey, and they allow the attackers to execute commands on the infected systems.
The people behind the MiniDuke cyber-espionage campaign have operated since at least April 2012, when one of the special Twitter accounts was first created, Raiu said. However, it’s possible that their activity was more subtle until recently, when they decided to take advantage of the new Adobe Reader exploit to compromise as many organizations as possible before the vulnerabilities get patched, he said.
The malware used in the new attacks is unique and hasn’t been seen before, so the group might have used different malware in the past, Raiu said. Judging by the wide range of targets and the global nature of the attacks, the attackers probably have a large agenda, he said.
MiniDuke victims include organizations from Belgium, Brazil, Bulgaria, Czech Republic, Georgia, Germany, Hungary, Ireland, Israel, Japan, Latvia, Lebanon, Lithuania, Montenegro, Portugal, Romania, Russia, Slovenia, Spain, Turkey, Ukraine, United Kingdom and the United States.
In the United States, a research institute, two pro-U.S. think tanks and a health care company have been affected by this attack, Raiu said without naming any of the victims.
The attack is not as sophisticated as Flame or Stuxnet, but is high-level nevertheless, Raiu said. There are no indications regarding where the attackers might operate from or what interests they might be serving.
That said, the backdoor coding style is reminiscent of a group of malware writers known as 29A, believed to be defunct since 2008. There’s a “666″ signature in the code and 29A is the hexadecimal representation of 666, Raiu said.
A “666″ value was also found in the malware used in the earlier attacks analyzed by FireEye, but that threat was different from MiniDuke, Raiu said. The question of whether the two attacks are related remains open.
News of this cyber-espionage campaign comes on the heels of renewed discussions about the Chinese cyber-espionage threat, particularly in the U.S., that were prompted by a recent report from security firm Mandiant. The report contains details about the years-long activity of a group of cyberattackers dubbed the Comment Crew that Mandiant believes to be a secret cyberunit of the Chinese Army. The Chinese government has dismissed the allegations, but the report was widely covered in the media.
Raiu said that none of the MiniDuke victims identified so far was from China, but declined to speculate on the significance of this fact. Last week security researchers from other companies identified targeted attacks that distributed the same PDF exploit masquerading as copies of the Mandiant report.
Those attacks installed malware that was clearly of Chinese origin, Raiu said. However, the way in which the exploit was used in those attacks was very crude and the malware was unsophisticated when compared to MiniDuke, he said.
Article source: http://www.pcworld.com/article/2029517/researchers-discover-new-global-cyberespionage-campaign.html
Military officer pleads guilty to espionage
HALIFAX, Nova Scotia – A former Canadian Navy intelligence officer who pleaded guilty to espionage on Wednesday was selling secrets to the Russians for about $3,000 a month.
Sub-Lt. Jeffrey Paul Delisle showed no emotion as he acknowledged to a Nova Scotia provincial court judge that he understood the consequences of entering guilty pleas to three charges and was voluntarily giving up his right to a trial
Federal prosecutor Lyne Decarie outlined the case against Delisle during a bail hearing in March, saying he voluntarily entered the Russian embassy in Ottawa in 2007 and offered to sell information to them. A publication ban was imposed on those hearings at the time.
At the bail hearing, Decarie read portions of a police statement where Delisle reportedly described the day he walked into the embassy as “professional suicide.”
“The day I flipped sides … from that day on, that was the end of my days as Jeff Delisle,” Decarie read from his statement.
She said he claimed to police that his betrayal “was for ideological reasons” and that he wasn’t doing it for the money.”
Delisle, 41, worked at a naval communications and intelligence center in Halifax that was a multinational base with access to secret data from NATO countries.
Decarie alleged in court that Delisle had access to the facility’s secure and unsecured systems that contained information from Canada and allies, and that he shared mostly military data.
Decarie said Delisle was asked to search for Russian references in the past month on his work computer, then copy it onto a USB key and take it home with him where he uploaded it to an email program that he shared with his foreign handler.
Decarie said Delisle, a father who is divorced from his first wife, received $5,000 for the first couple transfers and then $3,000 every month. Decarie said he began doing it “following some personal problem.”
He came to the authorities’ attention when he was returning from a trip to Brazil to meet a Russian handler in the fall of 2011, Decarie said. He was carrying several thousand dollars after staying the country only four days, raising the suspicions of Canada Border Services agents who shared their concerns with the police and military.
The prosecution said some time after, the Royal Canadian Mounted Police took over the account he shared with the Russians, allowing him to think he was transmitting material to a Russian agent when “it was actually the RCMP opening the email.”
Delisle was arrested in Halifax last Jan. 13 and charged with espionage and breach of trust, making him the first person in Canada to be convicted under the country’s Security of Information Act which was passed by Parliament after the terrorist attacks on the United States on Sept. 11, 2001.
Defense lawyer Mike Taylor said the evidence against his client is overwhelming.
“You reach a point in which you say, ‘OK we’re toast,’” Taylor said in a telephone interview with The Associated Press. “Barring some catastrophic happening there was going to be a conviction.”
Taylor said at no time did his client put any Canadian troops in danger.
“There was no information that indicated where troops were or ships were,” he said.
Taylor also suggested the Russians put pressure on when at one point he tried to stop spying. Decarie said Delisle told officers that the Russians had pictures of his children.
“They had all my information. They had photos of me,” Decarie read from the statement. “They had photos of my children and I knew exactly what it was for.”
Delisle, wearing a blue hooded sweat shirt, jeans and glasses, clasped his hands and appeared unmoved as the judge asked him if he understood the consequences of the plea on Wednesday.
Taylor said no deal on sentencing was reached with the prosecution. Delisle is looking at life in prison, but Taylor said it will be up to the judge. Two days of sentencing hearings will start Jan. 10.
The Canadian military, the government and police have not revealed any details about what information is alleged to have been disclosed. A spokesman for Canada’s defense minister said they’ll reserve comment as the judicial process continues.
Delisle, who joined the navy as a reservist in 1996, became a member of the regular forces in 2001 and was promoted to an officer rank in 2008. He had access to systems with information shared by the Five Eyes community that includes Canada, the United States, Britain, Australia and New Zealand.
In damage assessments read in court, officials in the Canadian intelligence community said the breaches from 2007 to 2012 could unmask intelligence sources and place a chill on the sharing of vital security information among allies.
“Delisle’s unauthorized disclosure to the Russians since 2007 has caused severe and irreparable damage to Canadian interests,” one official wrote in a statement read by Decarie.
___
Associated Press Writer Rob Gillies in Toronto contributed to this report.
Article source: http://www.foxnews.com/world/2012/10/10/canadian-military-officer-pleads-guilty-to-all-charges-in-navy-spy-case/
Lawyer pleads not guilty to bugging car
(09-25) 13:49 PDT OAKLAND — A divorce attorney pleaded not guilty Tuesday to charges that she hired a private investigator, who was a central character in Contra Costa County’s “dirty DUI” scandal, to illegally install listening devices inside the car of a client’s ex-husband.
Mary Nolan, 60, appeared in Oakland federal court, where she also pleaded innocent to four counts of tax evasion. She faces up to 15 years in prison and $750,000 in fines if convicted on all counts.
Nolan was first linked to disgraced private investigator Christopher Butler,50, in 2010, after two men told The Chronicle that she used their drunken driving arrests against them in divorce and custody battles. Both men have since filed civil lawsuits against Nolan alleging she orchestrated their arrests through Butler.
Butler pleaded guilty earlier this year to using attractive women to meet estranged husbands in bars and set them up for drunken driving arrests by police officers tied for him.
Butler, who is scheduled to be sentenced Tuesday afternoon, admitted in court papers that Nolan referred clients to him. He also estimated that he bugged between 75 and 100 cars during his tenure as a private investigators.
Nolan was never charged in connection with the drunken driving scandal that snared Butler and others.
But prosecutors alleged in their separate case against Nolan that in at least one instance she hired Butler to bug the car of a client’s spouse so she could use the recorded information against him in divorce proceedings.
Nolan’s court appearance drew the attention of Phil Dominic, 55, of Oakland, who said Nolan represented his ex-girlfriend in a 2010 custody dispute over their son. His case is not the one forming the basis of the criminal case against Nolan.
Dominic said Nolan lied about him to family court judges and destroyed his relationship with the mother of his son, as well as his child.
“This is Christmas for me,” said Dominic, who heckled Nolan as she left the courthouse.
Dominic said he was organizing a group of men whose wives were represented by Nolan to discuss taking legal action against the attorney.
“I told her one day she’d get caught,” Dominic said. “I told her, ‘One day I’m going to see you on the other side.”
Outside court, Nolan’s attorney Jay Weill declined to comment.
Nolan is scheduled to appear in court next month for further proceedings.
Justin Berton is a San Francisco Chronicle staff writer.
Article source: http://www.sfgate.com/bayarea/article/Lawyer-pleads-not-guilty-to-bugging-car-3893211.php