
Linux Malware Campaign uses Hacked DNS Server

June 19th, 2013

The attack that employed compromised Apache Web server binaries is turning out to be more complex than originally thought, as researchers have now found that the attackers are also using trojaned Nginx and Lighttpd binaries as part of the campaign. More concerning, though, is the possibility that the attackers have also compromised a number of DNS servers and are using them to change crucial elements of the campaign on the fly and to help hide their tracks.

The new details of the attack campaign, which researchers have dubbed Linux/Cdorked, show that the attackers have cast a wider net than what was found originally and have access to a wider range of compromised machines. Researchers at ESET who have analyzed the attack say that the group behind the attacks may have been active since December 2012. The researchers have discovered more than 400 Web servers compromised by this malware, and that some of them are among the most highly trafficked sites on the Web.

Even with the new details and further investigation into the attack, researchers are not sure how the attackers are getting their malware onto the compromised Web servers.

“We still don’t know for sure how this malicious software was deployed on the web servers. We believe the infection vector is not unique. It cannot be attributed solely to installations of cPanel because only a fraction of the infected servers are using this management software. One thing is clear, this malware does not propagate by itself and it does not exploit vulnerability in specific software. Linux/Cdorked.A is a backdoor, used by malicious actor to serve malicious content from legitimate websites,” Marc-Etienne M. Léveillé of ESET wrote in an analysis of the attacks.

The general pattern of the attacks involves the attackers replacing the Web server binary on a target site with a modified one, and then using that malicious binary to serve code to selected visitors that redirects them to a malicious site. The visitor may then be redirected to a third site, but the end goal is to push the victim to a site that serves the Blackhole exploit kit. On mobile devices, such as iPhones and iPads, visitors are redirected to porn sites instead.

The attackers in this campaign are being quite careful to hide their actions, both at the client level and in a larger sense. In addition to keeping a large blacklist of IP ranges that the malware will not redirect to malicious Web sites, the attackers also appear to be using compromised DNS servers to change domains and subdomains quickly. The subdomains used in the Cdorked redirection chain have a peculiar format, and after looking into them, the ESET researchers concluded that the DNS servers answering for them have been compromised as well.

“The peculiar format of the subdomains and the fact that they are constantly changing strongly suggested that the DNS servers were also compromised. We did some tests where we modified the characters of the subdomain and in some cases the IP address in the response changed. With some more testing we were able to confirm that the IP address returned by the DNS request is actually encoded in the subdomain itself. It is using the characters at odd positions to form a 4 bytes long hex string to decode the IP address from. A basic chained XOR cipher is used to encode the IP address,” M. Léveillé said. “Due to the algorithmic nature of this behavior, we see no other explanation than the presence of trojanized DNS server binaries on the nameservers involved in Linux/CDorked.A.”
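The following is an added example, not ESET's code and not the Cdorked DNS binary itself. It models the trick described in the quote above and reproduces the researchers' confirmation step: recompute the IP address from the query name and compare it with the A record the nameserver actually returned. The concrete rules are assumptions fitted to the description: the eight hex digits sit at the 0-indexed odd positions of a 16-character label, the even positions are filler, and "chained XOR" is taken to mean that each ciphertext byte is the octet XORed with the previous ciphertext byte (the first octet is XORed with 0). The DNS records are constructed and use documentation address ranges.

```python
"""
Toy model of the Linux/Cdorked "IP address encoded in the subdomain" trick and
a check that flags DNS answers whose A record can be recomputed from the name.

Added example, not ESET's code. The odd-position rule, the filler characters
and the direction of the XOR chain are ASSUMPTIONS; real samples may differ.
"""
import ipaddress
import random
import string
from typing import List, Optional, Tuple

FILLER_ALPHABET = string.ascii_lowercase + string.digits
HEX_DIGITS = set("0123456789abcdef")


def chain_xor_encode(octets: bytes) -> bytes:
    """Chained XOR (assumed scheme): c[i] = p[i] ^ c[i-1], with c[-1] = 0."""
    out, prev = [], 0
    for p in octets:
        prev = p ^ prev
        out.append(prev)
    return bytes(out)


def chain_xor_decode(cipher: bytes) -> bytes:
    """Inverse of chain_xor_encode: p[i] = c[i] ^ c[i-1]."""
    out, prev = [], 0
    for c in cipher:
        out.append(c ^ prev)
        prev = c
    return bytes(out)


def encode_ip_label(ip: str, filler: Optional[str] = None) -> str:
    """Build a 16-character label that carries `ip` at its odd positions."""
    octets = ipaddress.IPv4Address(ip).packed
    hexdigits = chain_xor_encode(octets).hex()  # exactly 8 hex characters
    if filler is None:
        filler = "".join(random.choices(FILLER_ALPHABET, k=8))
    if len(filler) != 8:
        raise ValueError("filler must be 8 characters")
    # even positions: filler, odd positions: the encoded address
    return "".join(f + h for f, h in zip(filler, hexdigits))


def decode_ip_label(label: str) -> Optional[str]:
    """Return the IPv4 address hidden in `label`, or None when the characters
    at odd positions are not exactly 8 hex digits (label does not fit)."""
    odd = label.lower()[1::2]
    if len(odd) != 8 or any(ch not in HEX_DIGITS for ch in odd):
        return None
    return str(ipaddress.IPv4Address(chain_xor_decode(bytes.fromhex(odd))))


def find_encoded_answers(records: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """ESET's confirmation step over (qname, answer_ip) pairs from a passive-DNS
    log: an answer is suspicious when some label of the query name decodes to
    exactly the address the nameserver returned."""
    flagged = []
    for qname, answer in records:
        for label in qname.rstrip(".").split("."):
            if decode_ip_label(label) == answer:
                flagged.append((qname, answer))
                break
    return flagged


# Constructed passive-DNS records (documentation ranges, not real hosts):
# one name built with the scheme above, two ordinary names.
CONSTRUCTED_DNS_LOG = [
    ("www.benign.example", "198.51.100.10"),
    (encode_ip_label("203.0.113.7", filler="xxxxxxxx") + ".cdn.evil.example",
     "203.0.113.7"),
    ("abcdefghijklmnop.benign.example", "198.51.100.20"),
]

if __name__ == "__main__":
    for qname, ip in find_encoded_answers(CONSTRUCTED_DNS_LOG):
        print(f"answer derivable from query name: {qname} -> {ip}")
```

The comparison against the returned A record is what makes this a usable check rather than a curiosity: the odd positions of an arbitrary 16-character label happen to be all hex digits roughly one time in 700, so `decode_ip_label` alone produces plenty of false candidates, but a decoded address matching the actual answer by chance is a 1-in-2^32 event.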

Cyber security researchers say that the tactics the attackers are using are not the most efficient ones and that they are causing themselves some unnecessary trouble.

Get your personal as well as office laptops encrypted by Alertsec

Unencrypted laptops present a major risk of data loss. 80% of information theft is due to lost or stolen laptops and other equipment. About 50% of network intrusions are performed with credentials gathered from lost or stolen devices. The penalties for a data breach are severe not only in terms of the monetary fines imposed on the organization, but also the potential loss of trust from customers and suppliers. Encryption software greatly enhances the security of your organization’s data as the information is not compromised if a laptop is lost or stolen.

Alertsec Xpress is the full disk encryption service that delivers a mobile data protection system for all information stored on laptops used throughout your organization.


China slams cyberattack accusations over lack of proof

February 19th, 2013

China is refuting a report that names its military as the source of recent cyberattacks against the U.S.

A report released this week by U.S. security firm Mandiant linked the People’s Liberation Army to a large number of cyberattacks against U.S. corporations, government agencies, and other organizations. The report specifically pointed the finger at Chinese military Unit 61398, noting that digital forensic evidence led investigators to the building housing that unit.

China’s response?

As expected, the government has criticized the report, citing a lack of hard evidence. In a press conference held by China’s Department of Defense News Affairs, Defense Ministry representative Geng Yansheng challenged Mandiant’s findings.

Geng claimed the report relied on the use of IP addresses to trace the attacks to China. But such addresses are commonly stolen and used by hackers, he noted. Therefore, it’s difficult to know the exact source of a hacking attempt.

“Everyone knows that the use of usurped IP addresses to carry out hacking attacks happens on an almost daily basis,” he said, according to Reuters.

Geng also asserted that there is no standard international definition of what constitutes a cyberattack.

“There is no legal evidence behind the report subjectively inducing that the everyday gathering of online (information) is online spying,” he said, Reuters added.

Finally, Geng called it irresponsible for Mandiant to publish such a report since cyberattacks are conducted anonymously, leaving uncertainty as to their source.

Turning the tables to portray China as the victim, Geng also said his country is one of the main targets of cyberattacks.

A Google translated version of the press release has Geng saying, “According to statistics, the Chinese armed forces access to the Internet user terminal suffered a large number of foreign attacks[. A]ccording to the IP address of the display…a considerable number of attack sources [were] from the United States, but we did not…accuse the U.S. side.”

Geng also reiterated the claim that China forbids hacker attacks and that the government has always cracked down on such criminal activities.

Despite China’s protestations, the United States remains concerned over the reported cyberattacks. The U.S. government is “eyeing fines, penalties, and other trade restrictions” against the country, according to the Associated Press, even as it pursues more diplomatic channels.

“We have repeatedly raised our concerns at the highest levels about cybertheft with senior Chinese officials, including in the military, and we will continue to do so,” Caitlin Hayden, spokeswoman for the White House’s National Security Council, said in a statement. “The United States and China are among the world’s largest cyberactors, and it is vital that we continue a sustained, meaningful dialogue and work together to develop an understanding of acceptable behavior in cyberspace.”


Backdoors Found in Barracuda Networks Gear

February 9th, 2013

A variety of the latest firewall, spam filter and VPN appliances sold by Campbell, Calif. based Barracuda Networks Inc. contain undocumented backdoor accounts, the company disclosed today. Worse still, while the backdoor accounts are apparently set up so that they would only be accessible from Internet addresses assigned to Barracuda, they are in fact reachable from address space shared with potentially hundreds of other companies and network owners.

Barracuda’s hardware devices are broadly deployed in corporate environments, including the Barracuda Web Filter, Message Archiver, Web Application Firewall, Link Balancer, and SSL VPN. Stefan Viehböck, a security researcher at Vienna, Austria-based SEC Consult Vulnerability Lab, discovered in November 2012 that these devices all included undocumented operating system accounts that could be used to access the appliances remotely over the Internet via secure shell (SSH).

Viehböck found that the username “product” could be used to log in and gain access to the device’s MySQL database (root@localhost) with no password, which he said would allow an attacker to add new users with administrative privileges to the appliances. SEC Consult also found a password file containing a number of other accounts and hashed passwords, some of which were uncomplicated and could be cracked with little effort.

Viehböck said he soon found that these devices all were configured out-of-the-box to listen for incoming SSH connections on those undocumented accounts, but that the devices were set to accept connection attempts only from Internet address ranges occupied by Barracuda Networks. Unfortunately, Barracuda is not the only occupant of these ranges. Indeed, a cursory lookup of the address ranges at network mapping site Robtex.com shows there are potentially hundreds of other companies running Web sites and other online operations in the same space.

Barracuda Networks has not yet responded to requests for comment. However, this morning the company released a series of advisories acknowledging these and other vulnerabilities, flagging the backdoor flaws as “medium” threats. The company’s fix restricts remote SSH access to two accounts and requires those accounts to authenticate with a public/private key pair. But according to SEC Consult, Barracuda’s fix still allows remote SSH logins as “root” without requiring a key pair, and it does nothing to further restrict the range of Internet addresses from which the backdoor accounts can be reached. SEC Consult said Barracuda replied that the remaining accounts were vital for customer support.
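The two conditions in this story, login-capable OS accounts nobody documented and an SSH policy that is key-only on paper but reopens password logins for a "trusted" source range, are both visible in files an appliance owner can pull off the box. The audit below is an added example, not Barracuda's or SEC Consult's code: it reads `/etc/passwd`-style and `sshd_config`-style text and reports every account and directive that would let an outsider in. The account names, the `DOCUMENTED_ACCOUNTS` allowlist and the three configuration texts are constructed to resemble the article's description, not taken from a real appliance, and the assumption that an absent `PermitRootLogin` or `PasswordAuthentication` means "yes" reflects OpenSSH defaults of that era.

```python
"""
Audit an SSH-reachable appliance for undocumented login-capable accounts and
for an sshd configuration that still permits password logins, either globally
or through a Match block scoped to a source-address range.

Added example; not Barracuda's or SEC Consult's code. All inputs below are
CONSTRUCTED for illustration.
"""
from typing import Dict, List, Tuple

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false", ""}
KEY_ONLY_ROOT = {"no", "without-password", "prohibit-password"}


def login_capable_accounts(passwd_text: str) -> Dict[str, str]:
    """{user: shell} for every passwd entry whose shell allows an interactive login."""
    accounts = {}
    for line in passwd_text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 7 or line.lstrip().startswith("#"):
            continue
        user, shell = fields[0], fields[6]
        if shell not in NOLOGIN_SHELLS:
            accounts[user] = shell
    return accounts


def parse_sshd_config(config_text: str) -> Tuple[Dict[str, str], List[Tuple[str, str, str]]]:
    """Top-level directives (first occurrence wins, as sshd applies them) plus
    every (match_criteria, key, value) line found inside a Match block."""
    top, overrides, criteria = {}, [], None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            criteria = value
        elif criteria is not None:
            overrides.append((criteria, key, value))
        else:
            top.setdefault(key, value)
    return top, overrides


def audit(passwd_text: str, sshd_config_text: str, documented: set) -> List[str]:
    findings = []
    for user, shell in login_capable_accounts(passwd_text).items():
        if user not in documented:
            findings.append(f"undocumented login account {user!r} (shell {shell})")
    top, overrides = parse_sshd_config(sshd_config_text)
    # Assumption: OpenSSH of that era defaulted both directives to 'yes' when absent.
    if top.get("permitrootlogin", "yes").lower() not in KEY_ONLY_ROOT:
        findings.append("PermitRootLogin lets root log in with a password")
    if top.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is on: keys are not actually required")
    if "allowusers" not in top and "allowgroups" not in top:
        findings.append("no AllowUsers/AllowGroups: every login-capable account is SSH-reachable")
    for criteria, key, value in overrides:
        if key in ("passwordauthentication", "permitrootlogin") and value.lower() == "yes":
            findings.append(f"'Match {criteria}' re-enables {key}: a source-address "
                            "exception is only as private as that address range")
    return findings


# --- constructed inputs ----------------------------------------------------
DOCUMENTED_ACCOUNTS = {"root", "admin"}

SHIPPED_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
product:x:500:500::/home/product:/bin/bash
support:x:501:501::/home/support:/bin/sh
nobody:x:99:99:Nobody:/:/sbin/nologin
admin:x:1000:1000::/home/admin:/bin/bash
"""

SHIPPED_SSHD = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

# Key-only at the top level, but password logins reopened for one source range:
# the shape of the weakness described in the article.
CARVE_OUT_SSHD = """\
Port 22
PermitRootLogin without-password
PasswordAuthentication no
AllowUsers root admin
Match Address 203.0.113.0/24
    PasswordAuthentication yes
    PermitRootLogin yes
"""

HARDENED_PASSWD = (SHIPPED_PASSWD
                   .replace("/home/product:/bin/bash", "/home/product:/sbin/nologin")
                   .replace("/home/support:/bin/sh", "/home/support:/sbin/nologin"))
HARDENED_SSHD = "\n".join(CARVE_OUT_SSHD.splitlines()[:4]) + "\n"

if __name__ == "__main__":
    for name, (pw, cfg) in {"shipped": (SHIPPED_PASSWD, SHIPPED_SSHD),
                            "carve-out": (HARDENED_PASSWD, CARVE_OUT_SSHD),
                            "hardened": (HARDENED_PASSWD, HARDENED_SSHD)}.items():
        print(name, audit(pw, cfg, DOCUMENTED_ACCOUNTS) or ["clean"])
```

The Match-block check is the one that matters here: a global `PasswordAuthentication no` looks like a key-only policy, but a `Match Address` carve-out hands password login to everyone who can originate traffic from that range, which is exactly the shared-address-space problem the Robtex lookup exposed.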

“In secure environments it is highly undesirable to use appliances with backdoors built into them,” Viehböck wrote in SEC Consult’s advisory. “Even if only the manufacturer can access them.”

Barracuda also released updates to fix a serious vulnerability in the company’s SSL VPN product that SEC Consult found could let an unauthenticated attacker download configuration files and database dumps, shut the system down, and set new administrative passwords, all without prior authentication.

It’s not clear for how long the backdoor accounts have existed in Barracuda’s products, but the researchers found evidence that they have been in place since at least 2003. Also, this thread on the security mailing list Full Disclosure includes some interesting discussion about how these backdoor accounts may have been used.
