Information Security News
by Sean Gallagher
Malware-based espionage targeting political activists and other opposition is nothing new, especially when it comes to opponents of the Chinese government. But there have been few attempts at hacking activists more widespread and sophisticated than the current wave of spyware targeting the mobile devices of members of Hong Kong’s “Umbrella Revolution.”
Over the past few days, activists and protestors in Hong Kong have been targeted by mobile device malware that gives an attacker the ability to monitor their communications. What’s unusual about the malware, which has been spread through mobile message “phishing “ attacks, is that the attacks have targeted and successfully infected both Android and iOS devices.
The sophistication of the malware has led experts to believe that it was developed and deployed by the Chinese government. But Chinese-speaking hackers have a long history of using this sort of malware, referred to as remote access Trojans (RATs) as have other hackers around the world, for a variety of criminal activities aside from espionage. It’s not clear whether this is an actual state-funded attack on Chinese citizens in Hong Kong or merely hackers taking advantage of a huge social engineering opportunity to spread their malware. But whoever is behind it is well-funded and sophisticated.
Even as a Mac user, you may have heard about Bing, at least you may have seen it demonstrated in commercials . But if your default search engine on your Mac is all for suddenÂ switched to Bing, this may be due to another piece of legacy software that some Mac users may have a hard time living without : Microsoft's Internet Explorer. So why not just search ("google") if there is a version for OSX:
In short: I don't think this software does anything illegal. It clearly advertises what it does. If you feel otherwise, you can file a complaint with courts in Cyprus where the company is located.
Kuddos to Matthew for paying attention to egress traffic. We keep emphasizing how important it is to make sure no systems talk "outbound" without permission. Just this last week, various Shellshock exploits did just that: Turn devices into IRC clients or downloading additional tools via HTTP, or just reporting success via a simple ping.
So no surprise that Matthew wrote us: "... the first time I saw the storage array SSH to the internet I about fainted. ..."
I would be surprised too! And turns out that isn't the only person that experienced this. Mark noted:
"Had the seem freak moment when I saw it happen.Â The SAN happily communicating to an outside entity.Â Though the company had been well and truly hosed."
Luckily, before going too far down the incident handling road, Matthew realized that this was a false positive. The storage array in question called "back home" to the vendor to report on its status. The purpose of this communication is to report failed disks or other critical events that may trigger a service call. Vendors will agree to turn off this feature, but then of course it is up to you to recognize faulty disks.
Got anything like that? Let us know. (if possible with log snippet / packet capture or other show-and-tells)
To "celebrate" cyber security awareness month, we decided to focus on "scary false positives" during October. If you have any to share, please let us know. What we are looking for is preferably a lot entry, or another "indicator" that led you to believe that your system was compromised, but in the end turned out to be a false positive.
Please e-mail your stories to handlers-at-isc.sans.edu or use out Contact form.
Posted by InfoSec News on Oct 02http://www.cnet.com/news/jimmy-kimmel-tops-macaffees-list-of-most-dangerous-cybercelebrities/
Posted by InfoSec News on Oct 02http://www.thesecuritysetup.com/home/2014/10/1/hd-moore
Posted by InfoSec News on Oct 02http://www.scmp.com/news/hong-kong/article/1607579/anonymous-hacker-group-declares-cyber-war-hong-kong
Posted by InfoSec News on Oct 02http://www.wired.com/2014/10/open-windows/
Posted by InfoSec News on Oct 02http://www.nbcnews.com/tech/security/cyber-spy-high-meet-nsas-hacker-recruiter-n216056