by paganinip on January 14th, 2012 in securityaffairs
In these hours, news is circulating on the web of a cyber attack performed by a group of Chinese hackers against some U.S. government agencies. Once again, the weapon used against strategic objectives is a cyber weapon; in particular, a new version of the Sykipot trojan has been used.
Chinese hackers have deployed a trojan that targets the Defense Department, the Department of Homeland Security, the State Department and potentially other United States government agencies and businesses. The trojan targets smart card readers produced by ActivIdentity, a company that provides authentication software.
The attacks originated from Chinese servers and have certainly targeted the defense sector to steal sensitive information. The attack has been conceived to exploit the identity management processes used in government environments for physical and logical access management.
What is really interesting is the process followed by the creator of the original trojan detected in December: the original versions of the Sykipot malware were a Trojan that opened a backdoor into infected PCs to grab documents from high-level officials within target organizations and businesses. This time the malware has been packaged to compromise smart card readers running ActivClient, the client application of ActivIdentity. ActivIdentity ActivClient is the market-leading security application that allows customers to use smart cards and USB tokens as identity management devices in smart card-based PKI authentication for Windows login, VPN, web login and remote sessions, as well as for data security, digital signatures and secure email. This solution is widely used at the DoD and in a number of other US government agencies.
We are dealing with a cyber weapon packaged for a specific target that makes use of modules available in instances of malware already known to researchers, a trend that does not differ in philosophy from what was observed in the case of Duqu and Stuxnet. This is the first report of Sykipot being used to compromise smart cards, the authentication devices preferred for identity management systems of the American military. The hackers have used a version of Sykipot that dates back to March of last year and was already used for several attacks executed in the past year. The spreading vector is an email campaign addressed to specific targets. Consider that the malware has appeared several times in combination with zero-day exploits and has been used to launch targeted attacks since 2007.
The attacks compromise smart card readers running on Windows, in particular the native x509 modules, according to what has been reported by the US government.
How does the trojan work? It uses a keylogger to steal the smart card PINs while the cards are in use. When a card is inserted into the reader, the trojan acts as the authenticated user and is free to access sensitive and protected information. The stolen data are sent back to the attacker, who is able to drive the operations remotely.
The event is undoubtedly of the utmost gravity, and an attack with this method could compromise the whole PKI architecture on which logical and physical access management is based.
Written by David Rosenberg
Published by The Media Line – Sunday, January 08, 2012
Cyber warriors are gaining the knowledge to do more than virtual vandalism
The hacker attack that exposed the credit card numbers and other personal information of thousands of Israelis last week shows every sign of being an unsophisticated break-in that exploited the weaknesses of a poorly secured website. But experts warn that for Israel, like other highly networked economies, the worst is yet to come.
Lone-wolf hackers have gradually gained the knowledge and experience once the preserve of intelligence agencies and armies. Instead of defacing websites or shutting them down by flooding them with e-mails, growing numbers of hackers have the ability to disrupt electricity, water, medical and other critical services, they say.
“To shut down a major network, even for a government, is considered to be difficult, and demands excellent experience and knowledge, but there are a few tens of thousands of people around the world who could do it,” Ron Porat, who co-founded Hacktics, an Israeli maker of anti-hacking technology, told The Media Line. “Some of them have the motivation also.”
A group of Saudi hackers dubbed Group-XP, led by someone who goes by the web name OxOmar, claimed last week to have obtained the personal information of some 400,000 Israelis through credit card data. The Bank of Israel said the numbers were in fact much smaller, probably about 15,000 names, and that the credit card issuers had blocked the exposed accounts.
Nevertheless, the attack drew a sharp response from Israel as well as its arch-nemesis, the Palestinian militant movement Hamas. Israel’s Deputy Foreign Minister Danny Ayalon termed the cyber-attack “a breach of sovereignty comparable to a terrorist operation” and hinted at unspecified “retaliatory action.”
Hamas, which is not believed to have had anything to do with this attack, termed it “a new form of resistance.” Spokesman Sami Abu Zuhri was quoted by Reuters urging others to ignore Ayalon’s threat and “use all means available in the virtual space to confront Israeli crimes.”
Much attention has been focused on governments engaging in cyber-warfare, such as the Stuxnet worm that allegedly wreaked havoc on Iran’s nuclear program or when a Chinese state-controlled telecommunications company hijacked a big chunk of the world’s Internet traffic, including data from the U.S. military, for 18 minutes in April 2010.
But hackers like OxOmar are a growing threat as well.
Israeli and Palestinian hackers have been engaged in a cyber cold war for more than a decade. Israeli teenagers blocked websites belonging to the Lebanese Shiite movement Hizbullah, provoking Palestinians and other Arabs to declare an e-Jihad. Those attacks consisted mainly of denial of service attacks and website defacements, although embarrassingly for Israel these have over the years included high-profile sites like those of the Knesset and Foreign Ministry. During Operation Cast Lead in 2009, Hamas was probably responsible for an attack on Israel’s Amos 3 spy satellite. More recently, Israeli hackers took over an official Hamas website and uploaded Israel’s national anthem onto it.
Other cyber wars have erupted across the Middle East. Anonymous, a loose collection of so-called “hacktivists,” launched denial of service attacks against government websites in Egypt, Tunisia and elsewhere during the Arab Spring uprisings. In November, Anonymous turned its sights on the Muslim Brotherhood. “The Muslim Brotherhood has become a threat to the revolution Egyptians had fought for, some with their lives,” it declared in a video.
While Israeli credit card companies were handling the Saudi break-in, Turkish hackers were threatening to unleash a wave of attacks against French websites after lawmakers in Paris approved legislation that would ban the denial of the Armenian genocide.
They have already assaulted French websites, including that of Valerie Boyer, the French politician who introduced the law that could punish genocide deniers with jail time.
But that is small change compared to what hackers are potentially capable of doing, say experts. Indeed, hackers now take the trouble to exploit human weaknesses to enter networks, for instance by applying for a job and using the interview to gain entry to a company’s headquarters and physical access to a computer.
“These kinds of things were once done by the CIA, but now they are being done by hackers. It’s becoming very, very hard to defend any organization, including the army and intelligence units,” said Porat. “In the past most hackers used a single vector or two to hack into a system. They use multi-vector attacks now.”
Danny Dolev, a leading computer scientist and engineer at the Hebrew University of Jerusalem, said that Israel was as well protected as any heavily networked economy, even if it remains vulnerable. Policy makers and defense officials have over the past year come to recognize the extent of the threat.
In August, he noted, the government created a National Cyber Directorate to coordinate activities of the agencies that deal with the issue and to secure infrastructure against cyber attacks. The exposure of credit card details will awaken the public’s attention, which is as critical as technology defenses.
“I’m glad in a certain way it happened because it will awaken awareness,” Dolev told The Media Line. “Awareness means being careful when you plug in a disk on key, being careful when you change a password and being careful when you put your information on a social network.”
Dolev expressed doubt that a lone hacker is capable of bringing down an entire economy, but he said they are capable of doing serious damage. “Let’s assume a single hacker enters the blood database and changes a few of the blood types in the database,” he said. “This would be horrendous. It would not bring down a country, but it could do a lot of harm. There is damage that would be significant.”