Below, you will find the HP Security Research key articles of interest for July 17, 2015. These are publicly available articles that are provided as a news service only. The intent of this blog post is to share current events related to the cyber security industry.
The examination of commercial malware developed by Hacking Team has revealed much to the security community. Of particular interest to platform security researchers at Intel’s Advanced Threat Research team (ATR) is the presence of what appears to be a UEFI-based persistent infection mechanism. ATR has been researching vulnerabilities related to system firmware and working with a community of firmware developers and platform manufacturers to mitigate these threats. Others have also posted good information about this issue. Here, we will provide some preliminary analysis of the firmware threat.
The Andromeda botnet is a well-known botnet that surfaced around 2011 and has delivered well-known backdoor variants like Gamarue. In past revivals, the botnet has been distributed through malicious emails containing attachments or links to compromised websites hosting exploit kit content. What makes this botnet successful is its highly configurable and modular design that can fit any malicious intent, like distributing Zeus or, more recently, distributing a Lethic bot.
A large group of security companies have formed a coalition to oppose the proposed rules from the Department of Commerce that would regulate the export of so-called intrusion software, a broad term that researchers and legal experts are concerned would limit security research and development.
Over 22 million people had their personal information hijacked in a cyberattack on the US Office of Personnel Management. The attack is over, but its threat will literally last lifetimes. Members of the intelligence community are stressing that the attack will continue to be a problem until each one of those people whose sensitive personal information was stolen drops dead.
By now, many of you loyal KrebsOnSecurity readers have seen stories in the mainstream press about the coordinated global law enforcement takedown of Darkode[dot]me, an English-language cybercrime forum that served as a breeding ground for botnets, malware and just about every other form of virtual badness. This post is an attempt to distill several years’ worth of lurking on this forum into a narrative that hopefully sheds light on the individuals apprehended in this sting and the cybercrime forum scene in general.
The FBI has assisted Romanian authorities in the closure of three piracy-based torrent sites in the region. A report from the prosecutor’s office in Romania’s High Court of Cassation and Justice details a cooperative investigation dating back four years which has now resulted in raids and site seizures, including the domain serialepenet.ro.
The challenge of APTs targeting Industrial Control Systems continues to evolve and escalate. It is true that a number of the ICS-specific attacks in the years immediately following Stuxnet (e.g. Duqu, Flame, Shamoon) are not so interesting as derivatives of Stuxnet or in how they utilize more general, IT-centric exploits. However, 2014 was a milestone year in that we saw two APTs that uniquely expanded on the initial methods used by Stuxnet: Energetic Bear/Dragonfly (Havex) and Sandworm (Black Energy campaign).
On July 6th, information spread that the Italian company known as the Hacking Team were themselves the victims of a cyber attack. In the aftermath of this leak, Vectra researchers have analyzed the leaked data, and identified a previously unknown vulnerability in Internet Explorer 11 that impacts a fully patched IE 11 on both Windows 7 and Windows 8.1.
The authors present new biases in RC4, break the Wi-Fi Protected Access Temporal Key Integrity Protocol (WPA-TKIP), and design a practical plaintext recovery attack against the Transport Layer Security (TLS) protocol.