Iranian Hackers targeting US oil, gas, and electric companies

The Hacker News reported: For all the talk about China and the Syrian Electronic Army, it seems there is another threat to U.S. cyber interests: Iran. A series of potentially destructive computer attacks targeting American oil, gas and electricity companies has been traced back to Iran.

Iranian hackers were able to gain access to control-system software that could allow them to manipulate oil or gas pipelines. Malware has been found in the power grid that could be used to deliver malicious software to damage plants. The targets have included several American oil, gas and electricity companies, which government officials have refused to identify.

The officials stated that the goal of the Iranian attacks is sabotage rather than espionage. The cyber-attacks from China, by contrast, are aimed mainly at stealing confidential information from the U.S. government and from private businesses. Mandiant reported that the Chinese government was backing those attacks; officials in Beijing vehemently denied any connection to them.

The new attacks, officials said, were devised to destroy data and manipulate the machinery that operates critical control systems, like oil pipelines. Iran has denied being the source of any attacks, adding that it had been a victim of American sabotage.

Tom Cross, director of security research at Lancope, said that industrial control systems such as those used to control oil and gas pipelines are more interconnected with public networks like the Internet than most people realize. “It is also difficult to fix security flaws with these systems because they aren’t designed to be patched and restarted frequently. In the era of state-sponsored computer attack activity, it is not surprising to hear reports of these systems being targeted,” he said.

Government officials also claimed that Iran was the source of a separate continuing campaign of attacks on American financial institutions that began last September and has since taken dozens of American banks intermittently offline, costing millions of dollars. But that attack was a less sophisticated denial of service effort.

Turkish FlashPlayer? no! It’s malware

I recently came across the file “FlashPlayer.exe” during the course of regular research.

The file had been distributed with the file name FlashPlayer.exe and not surprisingly, when executed, it shows the following GUI, partly written in Turkish:


Obviously, it’s disguised as an Adobe Flash Player 11 installer.

Here is more info about the file:

File Name: FlashPlayer.exe
MD5: e2856b1ad6c74c51767cab05bdedc5d1
SHA1: 1ac150ddb964722b6b7c96808763b3e4d0472daf
CRC32: a8464606
SHA-256: b5f37cc44365a5a1b240e649ea07bbb17959ceddc3f8b67a793df694a6f03a88
SHA-512: e2d1388bd5feec51227cfa10a5606f7d3bc58f12ea95d688acb5178ff31a156a1092f739e7dd276f4c5368d89c33ed6a15b08ff5df294b9c3647905c1083921d
SHA-384: 5d622afcf87e33334a446df5dfd2be7769cab596cc9a121bfd6269bc85ee980f75e1a2d1472f0eb379788845230d883b
File Size: 561,152
Version: 2.01
Source: hxxps://
VirusTotal: Latest Report

Read the rest of the analysis on Microsoft TechNet:
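The indicator table above is the usual multi-hash fingerprint for a sample. The script below is an added example (not the original author's tooling) that produces the same fields for a file in a single streaming pass and checks them against a known-bad set; the KNOWN_BAD set is built from the hashes listed in the table, and the `size`/`crc32` field names are this example's own.

```python
"""Fingerprint a file (CRC32, MD5, SHA-1, SHA-256, SHA-384, SHA-512, size)
the way the indicator table above does, and match it against known-bad
hashes. Added example; not the original post's tooling."""
import hashlib
import zlib

# Digests in the order the post lists them; CRC32 is not a hash and comes from zlib.
HASH_ALGOS = ("md5", "sha1", "sha256", "sha384", "sha512")


def fingerprint_bytes(data: bytes) -> dict:
    """Fingerprint an in-memory blob (handy for tests and small droppers)."""
    fp = {"size": len(data), "crc32": f"{zlib.crc32(data) & 0xFFFFFFFF:08x}"}
    for algo in HASH_ALGOS:
        fp[algo] = hashlib.new(algo, data).hexdigest()
    return fp


def fingerprint_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through every digest at once so a large sample is read
    exactly once and never fully loaded into memory."""
    hashers = {algo: hashlib.new(algo) for algo in HASH_ALGOS}
    crc, size = 0, 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            size += len(chunk)
            crc = zlib.crc32(chunk, crc)
            for h in hashers.values():
                h.update(chunk)
    fp = {"size": size, "crc32": f"{crc & 0xFFFFFFFF:08x}"}
    fp.update({algo: h.hexdigest() for algo, h in hashers.items()})
    return fp


# Indicators copied from the table above (the FlashPlayer.exe sample).
KNOWN_BAD = {
    "md5": {"e2856b1ad6c74c51767cab05bdedc5d1"},
    "sha1": {"1ac150ddb964722b6b7c96808763b3e4d0472daf"},
    "sha256": {"b5f37cc44365a5a1b240e649ea07bbb17959ceddc3f8b67a793df694a6f03a88"},
}


def match_iocs(fp: dict, iocs: dict = KNOWN_BAD) -> list:
    """Return the algorithms whose digest matches a known-bad indicator.
    A hit on SHA-256 as well as MD5 rules out an MD5 collision; an MD5-only
    hit is a lead, not a verdict."""
    return sorted(algo for algo, values in iocs.items()
                  if fp.get(algo, "").lower() in values)


def format_report(fp: dict, name: str) -> str:
    """Render the fingerprint in the same 'Key: value' layout as the post."""
    return "\n".join([
        f"File Name: {name}", f"MD5: {fp['md5']}", f"SHA1: {fp['sha1']}",
        f"CRC32: {fp['crc32']}", f"SHA-256: {fp['sha256']}",
        f"SHA-512: {fp['sha512']}", f"SHA-384: {fp['sha384']}",
        f"File Size: {fp['size']:,}",
    ])


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        fp = fingerprint_file(path)
        print(format_report(fp, path))
        hits = match_iocs(fp)
        print("IOC match on:", ", ".join(hits) if hits else "none", "\n")
```

Run it as `python fingerprint.py FlashPlayer.exe`; hashing every algorithm in one pass matters when the sample is a multi-megabyte installer rather than a 561 KB dropper.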

Evernote suspects a hack: change your password

Cross-posted from Evernote blog:

Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service.

As a precaution to protect your data, we have decided to implement a password reset. Please read below for details and instructions.

In our security investigation, we have found no evidence that any of the content you store in Evernote was accessed, changed or lost. We also have no evidence that any payment information for Evernote Premium or Evernote Business customers was accessed.

The investigation has shown, however, that the individual(s) responsible were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords. Even though this information was accessed, the passwords stored by Evernote are protected by one-way encryption. (In technical terms, they are hashed and salted.)

While our password encryption measures are robust, we are taking additional steps to ensure that your personal data remains secure. This means that, in an abundance of caution, we are requiring all users to reset their Evernote account passwords. Please create a new password by signing into your account on

After signing in, you will be prompted to enter your new password. Once you have reset your password on, you will need to enter this new password in other Evernote apps that you use. We are also releasing updates to several of our apps to make the password change process easier, so please check for updates over the next several hours.

As recent events with other large services have demonstrated, this type of activity is becoming more common. We take our responsibility to keep your data safe very seriously, and we’re constantly enhancing the security of our service infrastructure to protect Evernote and your content.

There are also several important steps that you can take to ensure that your data on any site, including Evernote, is secure:

  • Avoid using simple passwords based on dictionary words
  • Never use the same password on multiple sites or services
  • Never click on ‘reset password’ requests in emails — instead go directly to the service

Thank you for taking the time to read this. We apologize for the annoyance of having to change your password, but, ultimately, we believe this simple step will result in a more secure Evernote experience. If you have any questions, please do not hesitate to contact Evernote Support.

The Evernote team

Doc blocker: Oxford University blocked Google Docs

For about two and a half hours on Monday, students at Oxford University couldn’t access Google Docs after the University’s Computing Services team decided to take “extreme action” to halt phishing attacks and also to put pressure on Google.

Robin Stevens of OxCert explained in a blog post that, in the past, Google has been slow to respond to requests for help from the university. The university’s problem is that phishers frequently use Google Docs to host their phishing forms: the user sees a legitimate Google domain, and because Google traffic is carried over SSL, firewalls cannot inspect it. If a phishing mail directing users to such a page gets past the defenses, it is hard to detect and respond to.

Google’s security team pointed the university at the “Report Abuse” button at the bottom of Docs pages, but this takes time: at least a day or two, and sometimes weeks, before Google responds. By then the phishing attack is long over; any users who were going to be fooled will most likely have clicked the link within hours of the dubious mail arriving.

On Monday afternoon, the security team at Oxford was seeing multiple phishing incidents at once, and that tipped things over the edge: after weighing the impact on legitimate business, it blocked Google Docs to stop the phishing campaigns’ data-collection forms from being served. Stevens says the impact on legitimate business was greater than expected because of Google’s tight integration of Docs with its other services, so after two and a half hours the restrictions were lifted.

He hopes that the temporary block will at least draw attention within the university to the dangers of phishing. He also hopes that Google will, with the resources at its disposal, find some way to automate responses to abuse reports. He closes saying “Google may not themselves be being evil, but their inaction is making it easier for others to conduct evil activities using Google-provided services.”


Facebook Got Hacked Last Month and Is Just Telling You Now

Cross-posted from Gizmodo:

Facebook just announced that it was hacked last month in a short statement on its website. Apparently, an unknown number of employees visited a compromised developer site and were infected with malware. Facebook’s being very cagey about all this, but we’ve been able to scrounge up some details.

According to the statement, the company reacted swiftly with an investigation and remediation following the “sophisticated attack.” The company won’t say which law enforcement agencies it’s working with. It claims no user data was compromised.

What a surprise, Facebook waited until the end of the day on a Friday to tell us about an oopsies.

Here’s the full statement from the company.

Last month, Facebook Security discovered that our systems had been targeted in a sophisticated attack. This attack occurred when a handful of employees visited a mobile developer website that was compromised. The compromised website hosted an exploit which then allowed malware to be installed on these employee laptops. The laptops were fully-patched and running up-to-date anti-virus software. As soon as we discovered the presence of the malware, we remediated all infected machines, informed law enforcement, and began a significant investigation that continues to this day. We have no evidence that Facebook user data was compromised in this attack.

We’ve reached out to the company for additional comment regarding the nature of the hack and other details. We’ll update when we hear back. [Facebook]

Facebook responded to our request for comment with the following. The company says it isn’t commenting further at this time.

We were able to investigate user data compromise [sic] by forensic analysis on the affected devices and infrastructure.

New Adobe Vulnerabilities Being Exploited in the Wild

Adobe posted a vulnerability report warning that vulnerabilities in Adobe Reader and Acrobat XI (11.0.1) and earlier versions are being exploited in the wild. Adobe is currently investigating this issue.

According to the FireEye blog posted earlier today, the malicious file arrives as a PDF file. Upon successful exploitation of the vulnerabilities, two malicious DLL files are dropped.

Symantec detects the malicious PDF file as Trojan.Pidief and the two dropped DLL files as Trojan Horse.

We are currently investigating the possibility of further protections for these vulnerabilities and will provide an update to this blog when possible.

A subsequent advisory posted by Adobe indicates the following versions of Adobe Reader and Acrobat are vulnerable:

  • Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Reader 9.5.3 and earlier 9.x versions for Windows and Macintosh
  • Adobe Acrobat XI (11.0.01 and earlier) for Windows and Macintosh
  • Adobe Acrobat X (10.1.5 and earlier) for Windows and Macintosh
  • Adobe Acrobat 9.5.3 and earlier 9.x versions for Windows and Macintosh
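The version list above is the kind of thing that gets checked against a software inventory the morning an advisory lands. Here is an added example (not Adobe's or Symantec's tooling) that encodes those ranges and triages inventory rows; the `host,product,version` row format and the sample rows are constructed for the example, and a branch the advisory does not mention (such as 8.x) is reported as unknown rather than safe.

```python
"""Check Adobe Reader/Acrobat version strings against the affected ranges
listed in the advisory above. Added example; the inventory format and
sample rows are constructed."""
import re

# (branch major) -> highest affected version, straight from the advisory list.
# Adobe writes 11.0.01 and 11.0.1 for the same release, so compare numerically.
AFFECTED_MAX = {
    11: (11, 0, 1),   # Reader/Acrobat XI 11.0.01 and earlier
    10: (10, 1, 5),   # Reader/Acrobat X 10.1.5 and earlier
    9:  (9, 5, 3),    # Reader/Acrobat 9.5.3 and earlier 9.x
}


def parse_version(text: str) -> tuple:
    """'11.0.01' -> (11, 0, 1); missing trailing components count as 0."""
    m = re.search(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def reader_is_affected(version: str):
    """True if inside an affected range, False if newer than the listed
    maximum for that branch, None if the branch is not covered by the
    advisory at all (no conclusion can be drawn from this list)."""
    v = parse_version(version)
    if v[0] not in AFFECTED_MAX:
        return None
    return v <= AFFECTED_MAX[v[0]]


def triage_inventory(lines) -> list:
    """Classify 'host,product,version' rows; returns (host, product, version, verdict)."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        rows.append((host, product, version, reader_is_affected(version)))
    return rows


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = """\
# host,product,version
ws01,Adobe Reader,11.0.01
ws02,Adobe Reader,11.0.02
ws03,Adobe Acrobat,10.1.5
ws04,Adobe Reader,9.5.4
ws05,Adobe Reader,8.3.1
""".splitlines()


if __name__ == "__main__":
    labels = {True: "AFFECTED", False: "not in affected range", None: "branch not covered"}
    for host, product, version, verdict in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:6} {product:14} {version:8} {labels[verdict]}")
```

Treat "not in affected range" as "not affected by this advisory", nothing more; an updated advisory can widen the ranges, so keep AFFECTED_MAX in step with the vendor's current bulletin.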

Symantec claims losses from cybercrime exceed $100 billion

H-Online: According to Symantec’s 2012 Norton Cybercrime Report, worldwide, private individuals have suffered approximately $100 billion (more than £69 billion at the current exchange rate) in financial losses as a result of cybercrime. In the period from July 2011 to July 2012, losses averaged $197 (£124) per victim.

A total of 556 million adults are reported to have fallen victim to malware, phishing or similar virtual crimes. The report claims that there are 1.5 million victims of cybercrime each day, or about 18 per second. The security specialist’s report also states that two-thirds of internet users have been caught out by cybercriminals at some point in their lives, and almost half (46%) were victims during the period covered by the report. The results reveal that many of those affected are victims of their own carelessness. Around 40% of people don’t use complex passwords or don’t change their passwords regularly.

According to Symantec, 85% of the financial cost is the result of fraud, repairs, theft and loss. There appears to be a clear trend of cybercriminals targeting social networks and mobile devices, with around 20% of users having suffered losses as a result of such attacks. The study also claims that 15% of social media accounts have been compromised and that 10% of users have fallen for fake links and scams on social networks. A total of 75% of those surveyed believe that cybercriminals are increasingly targeting social networking services.

Losses within the EU are reported to amount to $16 billion (over £10 billion). China emerges as the country whose citizens have suffered the greatest financial loss – $46 billion (nearly £29 billion) – while Russia has the largest number of victims, with 92% of users surveyed in the country having experienced problems with cybercrime. The report surveyed more than 13,000 online adults aged 18-64 in 24 different countries.

1 million Apple Device IDs leaked, claim hackers

The AntiSec hacker group claims to hold more than 12 million Apple iOS Unique Device IDs (UDIDs), along with other personal information about the devices’ owners. To back up the claim, the group released slightly more than a million Apple Device IDs. The release was posted on Pastebin together with what is described as a detailed account of how the group says it obtained the IDs from the FBI.

AntiSec claims, “During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of “NCFTA_iOS_devices_intel.csv” turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.”

A little background: an Apple Unique Device Identifier (UDID) is a 40-character string of letters and digits that is unique to each Apple device. On its own a UDID reveals little, but with it an attacker can obtain much of the information that iOS app developers are able to collect. Do you think this alleged Device ID leak is true?


Java zero day vulnerability actively used in targeted attacks

ZDNet: Security researchers from FireEye, AlienVault, and DeependResearch have intercepted targeted malware attacks utilizing the latest Java zero day exploit. The vulnerability affects Java 7 (1.7) Update 0 to 6. It does not affect Java 6 and below.

Based on related reports, researchers were able to reproduce the exploit on Windows 7 SP1 with Java 7 Update 6. There’s also a Metasploit module available.

Upon successful exploitation, the campaign drops MD5: 4a55bf1448262bf71707eef7fc168f7d – detected by 28 out of 42 antivirus scanners as Gen:Trojan.Heur.FU.bqW@a4uT4@bb; Backdoor:Win32/Poison.E

Users are advised to consider browsing the Web and interacting with email in an isolated environment, or to block Java in their Web browsers until Oracle ships a patch for the flaw.
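The affected range (Java 7 Update 0 through 6) is narrow enough to check from a version string. The script below is an added example, not from the ZDNet article: it parses the text that `java -version` prints (to stderr, not stdout) and reports whether the runtime falls in that range; the sample version strings used in the test are constructed, and only the `__main__` path actually invokes `java`.

```python
"""Decide whether an installed Java runtime is in the range reported as
affected (Java 7 Update 0..6). Added example; sample strings are constructed."""
import re
import subprocess

AFFECTED_FAMILY = (1, 7)        # "Java 7" is reported as 1.7.x
AFFECTED_UPDATES = range(0, 7)  # Update 0 .. Update 6 inclusive

# Matches both 'java version "1.7.0_06"' and newer 'openjdk version "17.0.2"'.
VERSION_RE = re.compile(r'(?:java|openjdk) version "(\d+)\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_java_version(output: str):
    """Return (major, minor, patch, update) or None if no version is found.
    'java version "1.7.0_06"' -> (1, 7, 0, 6); a missing _update counts as 0."""
    m = VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))


def java_is_affected(output: str):
    """True if the runtime is 7u0..7u6, False for anything else that parses,
    None if the text could not be parsed (do not treat None as safe)."""
    v = parse_java_version(output)
    if v is None:
        return None
    return (v[0], v[1]) == AFFECTED_FAMILY and v[3] in AFFECTED_UPDATES


def installed_java_version_text(java: str = "java") -> str:
    """Run `java -version`; the JVM writes the banner to stderr."""
    proc = subprocess.run([java, "-version"], capture_output=True, text=True)
    return proc.stderr + proc.stdout


if __name__ == "__main__":
    try:
        banner = installed_java_version_text()
    except FileNotFoundError:
        print("no java binary on PATH (nothing to exploit in the browser either)")
    else:
        verdict = java_is_affected(banner)
        print(banner.strip().splitlines()[0] if banner.strip() else "(empty banner)")
        print({True: "AFFECTED: block or disable the browser plugin",
               False: "outside the reported affected range",
               None: "could not parse version banner"}[verdict])
```

A browser may bundle or pick up a different JRE than the one on PATH, so a clean result here says nothing about the plugin the browser actually loads; check that separately.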

Although this is a clear indication of an ongoing attack using a zero-day flaw, on most occasions cybercriminals do not need a zero-day to infect as many users as possible. Instead, they stick to old, already patched vulnerabilities, relying on the fact that end users and corporate users alike fail to patch their third-party software and browser plugins.

Crisis malware infects VMware virtual machines

The Windows version of the Crisis Trojan is far more dangerous than first thought, being capable of infecting VMware virtual machine images, Windows Mobile devices and removable USB drives, research has revealed.

Crisis was originally uncovered in July, targeting businesses with social engineering attacks that trick users into running a malicious Java applet.

Symantec has since revealed that the malware has more advanced capabilities, letting it search for and copy itself onto VMware virtual machine images on compromised computers.

Once on the images the malware can reportedly steal and intercept data from virtual machines including financial information.

“We’ve discovered it getting onto VM systems not via exploits but by copying itself into the VM code,” Symantec senior security response manager Peter Coogan told V3.

“We haven’t seen this before […] they’re increasing the amount of information the spyware can gather.”

As well as its VMware capabilities, Symantec also reported discovering the malware installing rogue modules on Windows Mobile devices connected to compromised systems, though the purpose of the modules remains unknown.

Coogan went on to clarify that Crisis “is incredibly complex and likely created by an advanced group”, warning that its full capabilities remain unknown.

Despite its sophisticated nature, Crisis is believed to have infected only a small number of systems. Kaspersky Lab has reported finding the malware on 21 systems located in Italy, Mexico, Iran, Turkey, Iraq, Oman, Brazil, Kazakhstan, Kyrgyzstan and Tajikistan, said Sergey Golovanov, Kaspersky Lab malware expert.