Tuesday, 21 June 2016

Hack the Pentagon, hackers found more than 100 flaws

Do you remember the ‘Hack the Pentagon’ initiative? ‘Hack the Pentagon’ is the initiative launched by the US Government this year to test the resilience of US defence systems to cyber attacks.
The Pentagon launched the first government-funded bug bounty initiative in the world, and 1,400 white hat hackers accepted the challenge.
“I am confident that this innovative initiative will strengthen our digital defenses and ultimately enhance our national security,” commented the Defense Secretary Ash Carter.
According to Reuters, the participants are US citizens who underwent background checks before being accepted into the Hack the Pentagon program; this is the principal difference from a typical bug bounty initiative.
The program is being led by the DoD Defense Digital Service, a small team of engineers and experts set up in November 2015 and meant to “improve the Department’s technological agility and solve its most complex IT problems.”
Now the white hat hackers have shared the results of their work: they found more than 100 vulnerabilities in Pentagon infrastructure under the bug bounty program. Not a bad result, considering that a threat actor such as a foreign government could exploit flaws of this kind to compromise Government networks.
In some cases, the hackers were rewarded up to US$15,000 for disclosing the most severe vulnerabilities.
Highly sensitive components of the Pentagon infrastructure were not tested by the white hat hackers recruited by the Government.
The US Defense Secretary Ashton Carter told the Defense One conference in Washington DC that the Hack the Pentagon initiative has lowered the cost of vulnerability discovery and, of course, allowed the Government to improve the security of its infrastructure.
“They are helping us to be more secure at a fraction of the cost,” Carter said. “And in a way that enlists the brilliance of the white hatters, rather than waits to learn the lessons of the black hatters.”
“Why hasn’t anybody in the federal government done that?” “There’s not a really good answer to that, right? It’s a pretty successful thing.”
Secretary Carter also announced that IT giants will join the effort to support the Pentagon in improving the cyber security of its infrastructure.
“We’ve got some additional amazing innovators lined up, so stay tuned there also for who else will be joining,” he said.
Cybersecurity is a primary goal for the US Government, whose infrastructure is under unceasing attack by hackers and nation-state actors; consider, for example, the hack of the Office of Personnel Management systems, which resulted in the theft of records of 21.5 million current and former government employees.

SA companies racing to lock the cyber door

Companies in South Africa are rapidly deploying increased security to frustrate cyber thieves who are intent on stealing financial information, says an industry expert.
According to the Gemalto Breach Level Index (BLI) for 2015, 1 938 383 data records were stolen per day in 1 673 data breaches across the globe as criminals ramped up efforts to access personal and financial information.
“The appetite for a two-factor authentication is growing rapidly in South Africa, with 100% of the IT managers recently surveyed recognising that two-factor authentication can help their organisations comply with data protection regulations such as Popi and pass security audits,” Neil Cosser, Identity and Data Protection manager for Africa at Gemalto told Fin24.
Popi, or the Protection of Personal Information Act, mandates that companies in SA take measures to protect the personal data of customers, with fines of up to R10m for non-compliance.
Two-factor authentication has emerged as a strategy to authenticate transactions through an additional channel, typically SMS.
Defensive strategies
“Recent news stories notwithstanding, South Africans are reasonably well protected from digital crime. Regulation, technology and the banks themselves all help in this regard. Most banks use two-factor authentication and have continued to improve on the particular forms of it they use,” Gerhard Oosthuizen, chief information officer, Entersekt told Fin24.
But despite the moves to increase security, local IT professionals are less confident about their defensive strategies.
“There is still a long way to go however, as 69% of IT professionals are not confident that their data would be secure if perimeter defences were breached,” said Cosser.
“Adding to this, 66% say unauthorised users can access their networks and 16% believe unauthorised users have access to their entire networks,” he added.
Hacker group Anonymous Africa has made headlines by taking down the websites of the SABC, as well as Gupta-owned Oakbay Investments, ANN7 and The New Age.
The group has also targeted the Economic Freedom Fighters (EFF) this week.
“While today’s security strategies are dominated by a focus on breach prevention (including firewalls, antivirus, content filtering, and threat detection), history has taught us that perimeters are eventually breached and made obsolete. Simply putting up a wall around your data and standing watch is no longer enough,” said Cosser.
Encryption
South Africa ranked 26th among the most attacked countries at the end of the first three months of 2016, according to data from Check Point.
That compares with a ranking of 52nd in the comparative period in 2015.
“South Africa’s rise in ranking shows that the range and volume of attacks that organisations face has continued to grow in the first quarter of 2016, highlighting the challenges they face in securing their networks,” said Doros Hadjizenonos, country manager at Check Point Software Technologies South Africa.
Cosser advised that encryption of data is an effective strategy to deal with the inevitability of unauthorised network intrusion.
“Someone is going to get past the network perimeter defences at some point. Organisations thus need to make sure that whoever gets in their system can’t use the data,” he said.

Thursday, 16 June 2016

Here's how cyber crooks target company bosses

C-level executives are the main targets of spear phishing cyber scams which are aimed at stealing money from companies, an international survey has revealed.
Business email compromise (BEC) scams cost companies in excess of $2.3bn, an international survey has revealed.
Data from the US Federal Bureau of Investigation showed that 12 000 enterprises globally have been affected by spear phishing scams.
These cyber attack strategies rely on social engineering. A cyber crook typically sends an official-looking email to the finance department of an organisation demanding that payment be urgently made to a service provider.
According to data from security firm Trend Micro, chief executives are impersonated 31% of the time, followed by company presidents at 17% and managing directors at 15%.
Finance target
“The number of BEC victims increased by 270% during the first eight months of 2015, amounting to an average loss of $130 000 per scam,” said Trend Micro.
Predictably, the most targeted positions for BEC scams are chief financial officers at 40.38%, followed by directors of finance at 9.62% and financial controllers at 5.77%.
Trend Micro also showed that subject lines in the attack email were simple. The most popular subject simply indicates a dated payment or transfer request.
“Despite the great impact BEC schemes have created, analysing the flow of the attacks reveal that its components are surprisingly trivial. Analysis of the email subjects used in BEC schemes revealed that most are simple and vague, at times composed only of one word,” said the security firm.
South African businesses are unprepared for the impact of cybercrime.
“Worldwide, digital technology continues to transform the world of business by exposing organisations to a multitude of opportunities and threats. It is, therefore, not surprising that cybercrime continues to escalate rapidly, ranking as the second-most reported crime in South Africa,” said Graham Croock, director of IT Audit, Risk and Cyber Lab at BDO South Africa.
Hacking tools
While banks dominate the financial ecosystem, cyber criminals have realised that businesses offer lucrative returns for hacking.
“Although banks are obviously a lucrative target, criminals don’t target them exclusively. They target money,” Gerhard Oosthuizen, chief information officer of Entersekt told Fin24.
“One of the big new trends in 2016 is criminals going after individuals and businesses directly. Banks spend a lot of time focusing on and thinking of how they can protect their customers. With a direct attack on a non-bank entity, that additional protection layer is gone,” he added.
Trend Micro showed that hacking tools are low cost for criminals, lowering the barrier to entry.
“Most malware used in BEC schemes are off-the-shelf variants, ones that can be easily purchased online for a cheap price. Some malware can be bought for as much as $50, while some are far cheaper, or even available for free,” said the company.
Prices for backdoor tools range from HawkEye at $35 to Knight Logger at $25, while DarkComet is free. Malicious encryption tools cost between $25 and $60.
Trend Micro advised business executives to carefully check details on payment requests, verify vendors and raise employee awareness as strategies to beat cyber crooks.

Gupta-owned Oakbay responds to hacker attacks

Oakbay Investments, whose dominant shareholders include the Gupta brothers, has acknowledged that hackers have targeted its websites.
Hacktivist group Anonymous Africa said via Twitter on Wednesday that it had targeted several websites of companies falling under the Oakbay Investments umbrella, taking them down.
Just after 14:00 on Wednesday, websites belonging to IT company Sahara, broadcaster ANN7, newspaper The New Age as well as Oakbay Investments and Oakbay Resources and Energy went on the blink.
By Wednesday evening, some of these sites such as ANN7 and The New Age were operational again, but others like Sahara and the Oakbay websites were still down.
“Oakbay is aware of attempts to hack into its websites and has taken preventative measures, in collaboration with its IT consultants,” Oakbay told Fin24 in an emailed statement.
“Whilst some of the company’s websites are running slightly slower than normal, the matter is under control,” added the company.
The downtime of the Oakbay websites comes amid the Gupta family being under the spotlight in South Africa for their close links to President Jacob Zuma and allegations of ‘state capture’.
Earlier on Wednesday, Anonymous tweeted that it was “going to send a message to the Guptas”.
Alleged cyber attacks on the Gupta-owned Oakbay come just days after public broadcaster the SABC acknowledged to Fin24 that its websites suffered disruptions from hackers on Sunday.
Anonymous Africa claimed responsibility for the SABC websites’ downtime with the hacktivist group saying it carried out the attack because of creeping censorship at the broadcaster.
On Tuesday, Anonymous Africa further claimed responsibility for downing the website of political party the Economic Freedom Fighters (EFF). Anonymous Africa said it targeted the EFF for the party’s alleged “racism”.
The group said this week that it has also launched attacks on a website belonging to Zimbabwe's ruling Zanu-PF party.
The attacks that the group has carried out this week have typically taken the form of ‘Distributed Denial of Service’ (DDoS) methods.
These types of attacks use compromised computers on networks to launch thousands of requests at a website’s web servers, which typically results in service disruptions for the targeted sites.

Wednesday, 15 June 2016

Ransomware jumps from smartphones to TV

Mobile malware capable of locking down smartphones has made its way to smart TVs, a security company has revealed.
FLocker (detected as Androidos_flocker.a and short for “Frantic Locker”) was first identified on mobile phones in 2015, but has recently migrated to smart TVs, Trend Micro said.
As ransomware, it is able to lock smartphones by encrypting the contents and demanding that users pay to have their data released.
“There is no major difference between a FLocker variant that can infect a mobile device and one that affects smart TVs. To avoid static analysis, FLocker hides its code in raw data files inside the ‘assets’ folder. The file it creates is named ‘form.html’ and it looks like a normal file,” said Trend Micro.
The company has collected over 7 000 variants of the malware and said that the author has rewritten the code several times to avoid detection and improve its routine.
Ransom demand
Within 30 minutes of infecting a device, FLocker begins background operations in which it requests admin privileges. If denied, it freezes the screen, faking a system update.
“The C&C [command and control] then delivers a new payload misspelled.apk and the ‘ransom’ HTML file with a JavaScript (JS) interface enabled. This HTML page has the ability to initiate the APK installation, take photos of the affected user using the JS interface, and display the photos taken in the ransom page,” Trend Micro said.
The latest version of FLocker masquerades as a cyber security agency, demanding $200 worth of iTunes gift cards.
Trend Micro also said that the malware is location aware. It deactivates itself if it detects its location as Kazakhstan, Azerbaijan, Bulgaria, Georgia, Hungary, Ukraine, Russia, Armenia and Belarus.
Experts expect ransomware attacks to escalate as cyber criminals eye lucrative returns.
“These attacks are going after anyone with money, and of course the banking account is the obvious place to focus your attention as an attacker. Wealthier banking clients are increasingly being sifted out from the rest of us,” Gerhard Oosthuizen, chief information officer of Entersekt, told Fin24.
“A number of big cases have come up with hospitals and even police stations paying the ransom to unlock their business critical data. We foresee that this trend will continue,” he added.
To remove FLocker from smart TVs, users should contact the manufacturer or attempt debugging via the Android Debug Bridge (ADB) by connecting the TV to a PC.

Monday, 13 June 2016

Anonymous Africa claim ‘take down’ of SABC websites

Johannesburg - A group claiming to be part of hacktivist network Anonymous says it has launched a cyber attack on SABC websites.
The main SABC website as well as other websites belonging to the public broadcaster - such as that of 5FM and SAFM - were either unavailable or slow to load on Sunday around midday.
A Twitter account belonging to a group dubbed Anonymous Africa has claimed responsibility for the downtime.
Anonymous Africa said it is carrying out the attack in light of alleged censorship at the SABC.
SABC chief operating officer Hlaudi Motsoeneng has controversially moved this year to block the broadcaster from displaying visuals of the burning of public property.
Motsoeneng has also come under fire for pushing a sunshine news editorial policy at the SABC, which involves showing more good news stories.
“Attacks against all SABC entities now underway,” said a tweet from Anonymous Africa on Sunday.
“You have heard of the Arab Spring? Well now its time for the #African Summer!” tweeted Anonymous Africa.
The Twitter account further said on Sunday that it had carried out a 'Distributed Denial of Service' (DDoS) attack against the broadcaster.
This type of cyber attack involves flooding a website server with thousands of requests that eventually disrupt the website.
Meanwhile, SABC spokesperson Kaizer Kganyago late on Sunday afternoon confirmed to Fin24 that the broadcaster's websites had been hacked on Sunday.
"Our guys have found that there are people who hacked our system," Kganyago told Fin24 after 16:20.
"It is a serious matter that we are not taking lightly," Kganyago added.
Kganyago further said that SABC technicians were working on restoring the broadcaster's websites.
The SABC spokesperson further slammed the hackers for being "cowards" for attacking what he called a "national key-point".
The hacktivist group said that it stopped its attack at 16:00 on Sunday, but at 16:06 the SABC websites were still down.

Thursday, 9 June 2016

SA business 'unprepared' for cybercrime

Cape Town – South African businesses are ill-equipped to deal with emerging cyber security threats and rely on outdated protection strategies, says a security expert.
Cyber criminals have increased their attacks on SA, but company strategies have lagged behind the emerging threats.
“A common but often misunderstood and over relied on solution is the implementation of firewalls. However, the major pitfall of this so-called ‘trusted’ solution is that firewall configuration is often not aligned with changing cyber security policies,” said Graham Croock, director of IT Audit, Risk and Cyber Lab at BDO South Africa.
“In short, the rate of change with regard to cyber-related risk is accelerating rapidly, increasing the security gaps organisations contend with, and leaving them more exposed than ever before,” he added.
Security firm Kaspersky Lab found that 7% of South African organisations experienced a cyber attack in the last year.
Malicious software such as Equation, Red October, Careto, Flame, Turla, Epic Turla, Wild Neutron, Poseidon and Desert Falcons represent the majority of attacks, but Kaspersky said that businesses should be more concerned with bespoke attacks, even though they make up less than 1% of attack strategies.
“Corporate breaches in the headlines are turning hackers into the new super rogues, as these dedicated, organised, and well-financed cyber criminals bombard organisations through alternating attack tools and paths,” said Croock.
He submitted seven precautions for limiting the impact of a cyber attack:
• Treat security breaches as “when” and not “if” situations
• Invest meaningfully in people, processes and technology
• Put cyber, network security and survival in the business context
• Stop deployment of and reliance on “end point fix solutions”
• Practise resilience scenarios and Business Continuity Plans (BCP)
• Understand the attack lifecycle and plan accordingly
• Ensure that you have an active education programme in place so that your staff understand the threats and are trained to react appropriately to an attack
The University of Calgary recently paid C$20 000 to cyber criminals who extorted the institution by encrypting data on 100 computers on campus, reported the BBC.
The Hollywood Presbyterian Medical Centre was also forced to cough up $17 000 to gain access to its computer systems.
“Keeping pace with new attack techniques, and effectively defending against advanced threats, is perhaps the biggest challenge facing security teams today in a world of cyber threats. Therefore, architecting a cyber security solution that dynamically adapts to ongoing change is crucial. This, however, is expensive and for many organisations, unaffordable,” said Croock.
He said that companies should prepare for 10 major cyber security risks:
1. Failure to identify cyber risks and implement basic cyber security controls
2. Failure by executives to identify and understand what generates corporate cyber security risks
3. Lack of a cyber security policy
4. Confusing compliance with cyber security
5. Failure to recognise the importance of social engineering and the risks associated with the human factor
6. Bring your own device (BYOD) policy and the cloud
7. Lack of adequate funding, talent, training and implementation of inappropriate resources
8. Insufficient information security training
9. Lack of a business continuity and data recovery plan
10. Failure to identify, accept and understand the rate at which cyber risks are evolving (polymorphic risk)
Croock warned that organisations would do well to prepare for an increase in number of attacks, especially as “attack-for-hire” gains traction.
“The attacks are becoming more sophisticated and are comprising multiple layers and techniques, each outsourced to specialty groups, ensuring zero-day effects.”

Monday, 6 June 2016

Cyber security a 'growing threat' in aviation

Protection against cyber attacks is becoming a growing challenge in the aviation industry, according to Tony Tyler, CEO of the International Air Transport Association (Iata).
Experts estimate that cyber security breaches cost a total of $500m in 2015. It is also estimated that 94% of global companies have experienced some form of cyber attack. It is further estimated that about 13% of people still click on phishing attacks.
"Our electronically connected world is vulnerable to hackers bent on causing chaos," said Tyler at Iata's annual general meeting which took place in Dublin this week.
"We are all vulnerable and there is no guaranteed way to stay a step ahead."
Subsequently, Tyler said real-time collaboration and information exchange between industry and governments is critical.
"Make no mistake. We face real threats. Government and industry must be nimble, share information, use global standards and keep a risk-based mindset when developing counter-measures," said Tyler.
During a panel discussion on cyber security, Matthew Finn - a cyber security expert from Augmentiq - said businesses should look at security in a holistic way.
He said there is currently a downward trend of documentation fraud, but an upward trend regarding identity theft.
General Linda Urrutia-Varhall, of the US Department of Defence, added that aviation is still a central focus for terrorists and criminals.
Aviation industry role-players and authorities need to gather and share information to deal with threats, said Urrutia-Varhall.
Kurt Pipal of the FBI pointed out that airline companies sit on a lot of big data and that this is also of interest for industrial espionage.
He cautioned companies to be very careful about subcontractors and he stressed the importance of sharing intelligence information in the industry.
"Build awareness and do not have a silo approach. Identify your vulnerabilities and make the assumption that you are going to be hacked. Participate in a 24/7 securities operation centre," suggested Pipal.
"Occasionally you could even use a so-called 'dark agent' - a hacker to test your system. Companies do fire drills, so why do they not do cyber security drills too?"

Thursday, 2 June 2016

Microsoft alerts all Windows users to a new type of self-propagating ransomware that exhibits worm-like behavior.

Microsoft is alerting all Windows users of a new type of ransomware that exhibits worm-like behavior.
“We are alerting Windows users of a new type of ransomware that exhibits worm-like behavior. This ransom leverages removable and network drives to propagate itself and affect more users. We detect this ransomware as Ransom:Win32/ZCryptor.A,” states Microsoft.

The infection vector
Ransom:Win32/ZCryptor.A is spread through spam email. Once ZCryptor is executed, it ensures it runs at start-up by adding the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
zcrypt = {path of the executed malware}
It also drops zcrypt.lnk in the start-up folder and autorun.inf on removable drives:
%User Startup%\zcrypt.lnk
It sets file attributes so that these files are hidden from the user, and makes copies of itself as {Drive}:\system.exe and %APPDATA%\zcrypt.exe.
For example: c:\users\administrator\appdata\roaming\zcrypt.exe
The payload
It then displays a ransom note to the user in an HTML file named How to decrypt files.html.

It then encrypts files on the disk and changes their extension to .zcrypt (e.g. <originalfilename>.zcrypt).
Infected machines have been observed to hold a zcrypt1.0 mutex, which indicates that an instance of the ransomware is already running on that machine.
A connection to the following URL has also been observed, although the domain was already down at the time of testing:
http://<obfuscated>/rsa/rsa.php?computerid={Computer_ID}
where {Computer_ID} is the value found inside a dropped file, %APPDATA%\cid.ztxt.
For example: c:\users\administrator\appdata\roaming\cid.ztxt
The warning issued by Microsoft also includes information about detection, prevention and recovery for this kind of self-propagating ransomware.
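As an added illustration (not part of Microsoft's advisory or of this post), the following Python script turns the indicators listed above into a host check: the zcrypt value under the Run key (read from a .reg export), the dropped file names, the ransom note and the .zcrypt extension. The registry export and the directory tree it scans are constructed sample data; the zcrypt1.0 mutex is not checked because it can only be queried on a live Windows host.

```python
import re
import tempfile
from pathlib import Path

# Indicators quoted in the Microsoft description above: the Run value, the
# dropped file names, the ransom note name and the .zcrypt extension.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "zcrypt"
DROPPED_NAMES = {"zcrypt.exe", "zcrypt.lnk", "system.exe", "cid.ztxt",
                 "autorun.inf", "how to decrypt files.html"}
ENCRYPTED_EXT = ".zcrypt"
_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Parse a minimal .reg export into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            keys[current][value.group(1)] = value.group(2).strip('"')
    return keys


def run_key_hit(reg):
    """True when the Run key carries the 'zcrypt' value the advisory describes."""
    return any(name.lower() == RUN_VALUE for name in reg.get(RUN_KEY, {}))


def scan_tree(root):
    """List dropped artefacts and renamed (.zcrypt) files under root."""
    dropped, encrypted = [], []
    for path in (p for p in Path(root).rglob("*") if p.is_file()):
        if path.name.lower() in DROPPED_NAMES:
            dropped.append(path.name.lower())
        elif path.suffix.lower() == ENCRYPTED_EXT:
            encrypted.append(path.name)
    return sorted(dropped), encrypted


def assess(reg_text, root):
    """Combine the registry and filesystem checks into one verdict."""
    dropped, encrypted = scan_tree(root)
    return {"run_key": run_key_hit(parse_reg_export(reg_text)),
            "dropped": dropped, "encrypted_count": len(encrypted)}


def build_demo_host():
    """Create a throw-away tree mimicking an infected profile (constructed sample)."""
    root = Path(tempfile.mkdtemp(prefix="zcryptor_demo_"))
    roaming, docs = root / "AppData" / "Roaming", root / "Documents"
    roaming.mkdir(parents=True)
    docs.mkdir()
    (roaming / "zcrypt.exe").write_bytes(b"MZ-placeholder")          # dropped copy
    (roaming / "cid.ztxt").write_text("CONSTRUCTED-COMPUTER-ID")     # dropped id file
    (docs / "budget.xlsx.zcrypt").write_bytes(b"\x00" * 16)          # renamed after encryption
    (docs / "notes.txt.zcrypt").write_bytes(b"\x00" * 16)
    (docs / "How to decrypt files.html").write_text("<html>constructed ransom note</html>")
    (docs / "clean.txt").write_text("untouched file")
    return root


# Constructed .reg export reproducing the Run value quoted in the advisory.
DEMO_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + RUN_KEY + "]",
    r'"zcrypt"="C:\\Users\\administrator\\AppData\\Roaming\\zcrypt.exe"',
])

if __name__ == "__main__":
    print(assess(DEMO_REG, build_demo_host()))
```

On a real host the .reg text would come from an export of the Run key and the scan root would be the user profile and each removable drive; the note name and extension are matched case-insensitively, so the check also flags the lower-cased variants seen in the sample paths above.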