Hackin9
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Documents from the National Security Agency and the United Kingdom's Government Communications Headquarters (GCHQ) obtained by former NSA contractor Edward Snowden reveal that the two agencies—and GCHQ in particular—targeted antivirus software developers in an attempt to subvert their tools to assure success in computer network exploitation attacks on intelligence targets. Chief among their targets was Kaspersky Labs, the Russian antivirus software company, according to a report by The Intercept's Andrew Fishman and First Look Media Director of Security Morgan Marquis-Boire.

Kaspersky has had a high profile in combatting state-sponsored malware and was central in the exposure of a secret NSA-backed hacking group that had been in operation for 14 years. More recently, it was revealed that Kaspersky had come under direct attack from an updated version of the Duqu malware—possibly launched by an Israeli-sponsored hacking group. The same malware was found on the networks of locations hosting negotiations over Iran's nuclear program. But the latest Snowden documents show that both the NSA and GCHQ waged a somewhat more subversive battle against Kaspersky—both by attempting to reverse-engineer the company's antivirus software and by leveraging its intelligence-collection operations for their own benefit.

Kaspersky was not the only target, but the company was the one most prominently mentioned in the Snowden documents released today by The Intercept. GCHQ officials mentioned Kaspersky by name in a warrant extension request "in respect of activities which involve the modification of commercial software" in June 2008, requesting authorization to reverse engineer Kaspersky's and other companies' software products to exploit them for intelligence purposes. (The original warrant had been in place since at least January of 2008.)


Brute forcing SMTP credentials is hardly new. But I have seen a couple of odd patterns lately in one of my mail servers, and was wondering if anybody has any insight into these patterns. For this diary, I am using logs starting May 31st until today.

First, the overall pattern shows very strong spikes with 2000-3000 attempts per hour. These spikes usually come from many different IP addresses, so they are likely caused by a botnet probing my system. The last spike on June 19th was caused by about 400 different IP addresses (I am running fail2ban, and they are blocked after a couple of attempts).

[Figure: SMTP brute force over time]

The usernames are where it gets a bit more interesting. Here is a list of the top 20:

   6096 leonelfetuscrosby
   3595 dan
   3399 ix444ejxvwda050
   2763 (blank)
    176 (blank)
     83 ncoppen
     82 info
     56 spam
     53 admin
     47 sales
     34 abuse
     28 paul
     28 pager
     26 test
     23 support
     21 awilloughby
     20 webmaster
     18 hr
     18 d573697
     17 help

The part that is of some concern is that a couple of the users are actual users of the server. The ranking goes somewhat by the amount of e-mail created by the user in general, so it is possible that spammers do try usernames they already have in their database against mail servers used by their domain. I don't capture passwords, but the number of attempts for most of the usernames is small, so I assume only a couple of passwords are used. The first and third names are odd as they look random. Could they be used to detect if the mail server responds differently for users that do not exist?
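The per-hour spike, distinct-IP and top-username view the diary describes can be produced from a mail server's auth-failure log with a short script. The following is an added example, not part of the diary; it assumes a constructed, simplified one-line-per-failure log format (timestamp, username, source IP) rather than any specific MTA's native format, and uses a fail2ban-style per-IP threshold.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines in a simplified auth-failure format (assumption:
# one line per failed SMTP AUTH, carrying timestamp, username and source IP).
# Blank usernames are included on purpose; they show up in the diary's ranking.
SAMPLE_LOG = """\
2015-06-19T14:02:11 smtp-auth-fail user=dan ip=192.0.2.10
2015-06-19T14:02:13 smtp-auth-fail user=leonelfetuscrosby ip=192.0.2.11
2015-06-19T14:02:15 smtp-auth-fail user=leonelfetuscrosby ip=192.0.2.12
2015-06-19T14:03:01 smtp-auth-fail user= ip=192.0.2.13
2015-06-19T14:05:40 smtp-auth-fail user=dan ip=192.0.2.10
2015-06-19T14:05:41 smtp-auth-fail user=dan ip=192.0.2.10
2015-06-19T14:05:42 smtp-auth-fail user=dan ip=192.0.2.10
2015-06-19T16:10:00 smtp-auth-fail user=info ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+) smtp-auth-fail user=(\S*) ip=(\S+)$")

def parse(log_text):
    """Yield (hour_bucket, username, ip) for every parseable line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, user, ip = m.groups()
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").strftime("%Y-%m-%d %H:00")
        yield hour, user, ip

def summarize(log_text, spike_threshold=3, ban_after=3):
    """Attempts per hour, distinct IPs in spike hours, username ranking,
    and the IPs that a fail2ban-style rule (ban_after failures) would block."""
    per_hour = Counter()
    ips_per_hour = defaultdict(set)
    users = Counter()
    per_ip = Counter()
    for hour, user, ip in parse(log_text):
        per_hour[hour] += 1
        ips_per_hour[hour].add(ip)
        users[user] += 1
        per_ip[ip] += 1
    # A spike is an hour over the threshold; its distinct-IP count separates a
    # single noisy host from a distributed (botnet-like) source.
    spikes = {h: len(ips_per_hour[h]) for h, n in per_hour.items() if n >= spike_threshold}
    banned = sorted(ip for ip, n in per_ip.items() if n >= ban_after)
    return {"per_hour": dict(per_hour), "spikes": spikes,
            "top_users": users.most_common(), "banned": banned}
```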

---
Johannes B. Ullrich, Ph.D.
STI|Twitter|LinkedIn


Around 1400 passengers at Warsaw's Chopin (Okecie) airport in Poland were grounded on Sunday after hackers allegedly attacked the computer system used to issue flight plans to the airplanes. The source of the attack isn't yet known.

The alleged hack targeted LOT, the state-owned flag-carrying Polish airline. Reuters is reporting that the attack took place on Sunday afternoon, and was fixed about five hours later. 10 LOT flights were cancelled and about a dozen more were delayed, according to a LOT spokesman.

The spokesman didn't provide any details of what had actually occurred, though he did give away this one tantalising morsel: "We're using state-of-the-art computer systems, so this could potentially be a threat to others in the industry." The spokesman said that flights that were already in the air were not affected by the hack and could land normally. Also, the hack didn't affect the airport itself; it was just the LOT computers.


CSO Online

Irony: NIST releases InfoSec guidelines for government contractors
CSO Online
The National Institute of Standards and Technology (NIST) has published a document for protecting Controlled Unclassified Information (CUI) when it resides on sub-contractor networks or other non-federal systems. Given the developments at the Office of ...


Naked Security

Monday review - the hot 26 stories of the week
Naked Security