CyberheistNews Vol #5 #39 Expert Russian Hackers Use Satellites To Hide Amazing Exploits

CyberheistNews Vol #5 #39 Sept 15, 2015

Expert Russian Hackers Use Satellites To Hide Amazing Exploits

Ouroboros, one of the world's most sophisticated hacking groups, with close ties to the Russian government, has been accused of hijacking unencrypted commercial satellite communications. The group uses hidden receiving stations in Africa and the Middle East to conceal its Command & Control servers and mask attacks on Western military and governmental networks.

The group which created the advanced malware known as "Snake" or "Turla" was exposed last year as having mounted aggressive cyber espionage operations against Ukraine and a host of other European and American government organizations over nearly a decade.

In a report released on Wednesday, Kaspersky said it had identified a new "exquisite" attack channel being used by the group that is virtually untraceable. Normally, the need for hackers to communicate regularly with the machines they have compromised allows security researchers to trace the traffic back to the hackers' Command & Control servers.

"This method makes it almost impossible to discover the physical location of these C&C servers," said Stefan Tanase, senior security researcher at Kaspersky. "Safe to say this is the ultimate level of anonymity that any cyber espionage group has reached in terms of hiding its origins."

The Ouroboros satellite hack exploits the fact that most satellite communications being sent from satellites back to earth are unencrypted, and so can be spoofed. The process is laid out by Kaspersky in a large illustration and follows a number of steps. (Link below)

First, the Ouroboros malware sends out a request for instructions. Normally such a request goes straight to a C&C server, and is traceable. Ouroboros instead sends the request to an unwitting decoy server, because the hackers have identified it as a satellite communications user.

The request from Ouroboros is then automatically routed via a commercial satellite and beamed to earth towards the location of the decoy. Once the decoy server receives the request for instructions, it discards it, because the request is meaningless to it.

But the satellite will have beamed the request over a large geographical area. A hidden receiver anywhere in the area, planted by Ouroboros’ operators, can then pick up the unencrypted request. The receiver then issues a reply to Ouroboros, disguised as a communication returning from the decoy.

This way, any defender looking to trace communications from Ouroboros back to its controllers will lose the trace from the point at which the data becomes a signal beamed from a satellite, effectively breaking any direct digital link.

Ouroboros’ handlers are using satellite operators in the Middle East and Africa. Finding the receivers depends on the size of the dish, but it's a needle in a haystack because the area could be tens of thousands of square kilometers.

"The receivers do not necessarily cost much themselves, but finding a physical location for these indicates that there is some kind of extensive logistical support network," Kaspersky said. Such operations point to a state intelligence service, the researchers added.

For the moment, satellite operators are powerless to prevent the hackers from routing requests through their networks. Stopping it would require encrypting all of their downstream communications, which would cost hundreds of millions in new satellite arrays.

Western security officials have previously stated that Ouroboros is a Russian operation, a fact supported by the group’s targets and reverse engineering of the malware itself. What else is new for "once-a-spook-always-a-spook" Vladimir Putin.

However, to keep things in perspective, back at the ranch, the U.S. Government is hacking the Internet all over the world. Earlier administrations started this ball game, with initially the NSA deciding the Internet should not be encrypted back in 1978. Blog post with images, video, and multiple drill-down links:
https://blog.knowbe4.com/expert-russians-hackers-use-satellites-to-hide-amazing-exploits

Usually, foreign hackers infect target machines with spear-phishing attacks using public facing email addresses. Which of your email addresses are exposed on the Internet and are a target for phishing attacks? You can get a one-time no-charge Email Exposure Check (EEC) sent to you if you want to know how big your email attack surface is. Get it here:
https://www.knowbe4.com/email-exposure-check/

US Counter-Intel Czar Warns Hack Victims Against Spear Phishing

WASHINGTON - In a presentation at the Intelligence & National Security Summit, the director of the National Counterintelligence and Security Center (NCSC) announced a "new counterintelligence campaign" focused on reducing the potential security damage done by the Office of Personnel Management data breaches.

Called Know the Risk, Raise Your Shield, the campaign's opening salvo is a pair of spear-phishing awareness videos, urging people not to click on those links.

"There have been just over 500 breaches so far this year, some of which made the news," said NCSC Director Bill Evanina. "And 47 percent of adult Americans have been the victim of a breach in the last three years. That data is an opportunity for criminals, but it's also allowed foreign intelligence to collect information about government employees, contractors, and their families."

Here is a link to our blog with URLs for these videos which I think are a good idea to send to your users as part of your ongoing campaign to keep them on their toes with security top of mind:
https://blog.knowbe4.com/us-counter-intel-czar-warns-hack-victims-against-spear-phishing

BYOD Allowed? Aggressive Android Ransomware Spreading In The USA

Your Android device's lock screen PIN keeps your phone's contents safe, but not from a new strain of ransomware which hijacks your phone or tablet.

Security researchers at ESET discovered the first real example of malware that is able to reset the PIN of your phone to permanently lock you out of your own device. They called it LockerPin. It changes the infected device's lock screen PIN code and leaves victims with a locked "FBI" screen demanding a $500.00 fine.

It gets worse...

Since the lock screen PIN is reset randomly, paying the ransom won't give you back access to your device, because even the attackers don't know the randomly generated PIN code. This is a novelty among ransomware: usually the criminals do everything possible to unlock the device after payment, up to and including live tech support.

LockerPin is spread through an adult entertainment app called Porn Droid, installed from third-party websites, warez forums, and torrents, outside of the official Google Play Store.

LockerPin uses Social Engineering to install itself.

Once installed on the victim's smartphone, the app first tricks the user into granting it device administrator rights by disguising the permission prompt as an "Update patch installation" window. After gaining admin rights, the malicious app changes the user's lock screen PIN code to a randomly generated number. Though the majority of infected devices have been detected in the United States, the researchers have spotted infections worldwide.

What To Do About It

ESET stated that there is no effective way to regain access to infected devices without losing personal data. Rebooting the device in Safe Mode and uninstalling the offending application does not do the trick. Using Android Debug Bridge (ADB) won't solve the issue either.

The only way to unlock the device and get rid of LockerPin ransomware app is to perform a factory reset that wipes out all the personal data and apps stored on your device.

How To Prevent This

To avoid falling victim to malicious apps like Porn Droid and other "adult player" apps, the rules are:

    • Don't install apps outside of the Google Play Store.
    • Don't grant administrator privileges to apps unless you truly trust them.
    • And obviously stay away from any and all porn apps and sites, talk about a "honey-trap"!

Training end-users to not fall for hacker tactics like this becomes critical if you have a BYOD policy in place. Effective security awareness training is a must these days.

Warm Regards,
Stu Sjouwerman

Quotes Of The Week

"No legacy is so rich as honesty." - William Shakespeare

"Good judgment comes from experience. Experience comes from bad judgment." - Will Rogers

Thanks for reading CyberheistNews

Security News


This Week's Five Most Popular HackBusters Posts

    1. Reminder! If You Haven't yet, Turn Off Windows 10 Keylogger Now:
      http://www.hackbusters.com/news/stories/383895-reminder-if-you-haven-t-yet-turn-off-windows-10-keylogger-now

    2. Russian Hackers Hijack Satellite to Steal Data from Thousands of Hacked Computers:
      http://www.hackbusters.com/news/stories/386471-russian-hackers-hijack-satellite-to-steal-data-from-thousands-of-hacked-computers

    3. Lockpickers 3-D Print TSA Luggage Keys From Leaked Photos:
      http://www.hackbusters.com/news/stories/385828-lockpickers-3-d-print-tsa-luggage-keys-from-leaked-photos

    4. Warning! Seagate Wireless Hard Drives Have a Secret Backdoor for Hackers:
      http://www.hackbusters.com/news/stories/383165-warning-seagate-wireless-hard-drives-have-a-secret-backdoor-for-hackers

    5. Millennium Falcon coffee table re-creates the asteroid field chase:
      http://www.hackbusters.com/news/stories/386804-millennium-falcon-coffee-table-re-creates-the-asteroid-field-chase

[INFOGRAPHIC] Security of The Internet of Things (IoT)

The Internet of Things is far from secure. Don't just take my word for it; the FBI is getting worried about this too. I have talked about hacks of Internet-enabled devices before (fridges, baby monitors, smart cars, traffic lights), but there's nothing better than an infographic to see the big picture. This one is fascinating.

According to Computer Science Zone, there are around 4.9 billion connected smart devices in use in 2015. This number is going to skyrocket to 25 billion in the next five years, a number which translates to 2.5 IoT-enabled devices for each person on Earth.

With data breaches growing by the year, in number and size, IoT devices will gradually become the target of hackers, so I predict that micro-ransom infections of IoT devices are around the corner. Blog post with the Infographic and link to the FBI:
https://blog.knowbe4.com/infographic-security-of-the-internet-of-things-iot

2015 U.S. Hacking Incidents More Than Previous Two Years Combined

In 2015, U.S. organizations are seeing a significant spike in hacking incidents. Over 122 million records were breached from hacking alone, not counting all of the other incidents that led to sensitive information being exposed. This year will be the worst year ever for data breaches by far. So how do we keep our shareholders', customers', and stakeholders' information protected? This question has been eluding executives for several years now.

The problem is that the lines between cybercrime and espionage are blurring. Unless our administration takes the lead in establishing and possibly enforcing international norms of online behavior, the frequency and sophistication of cyber hacking attacks will only increase.

StreetInsider has a good article, put together with a Managed Security Service Provider, which analyzes the best practices with the highest bang for your budget. Note that their second "must-do" is effective security awareness training. All your employees need to be stepped through end-user education to prevent social engineering attacks from getting through. This article is good ammo to send to management if you need budget for that:
http://tinyurl.com/Hacking-incidents-in-the-U-S

Pentagon Hacked Again, Compromising Employee Financial Info

Is the FTC now going to sue the Pentagon because they did not protect consumer information?

Hackers infiltrated the Pentagon food court's computer system, compromising the credit and debit card info of an unknown number of employees. Lt. Col. Tom Crosson, a Defense Department spokesman, said on Tuesday that employees were notified that hackers may have stolen bank account information from people who paid for concessions at the Pentagon with a credit or debit card.

"Within the past week, the Pentagon Force Protection Agency has received numerous reports of fraudulent use of credit cards belonging to Pentagon personnel. These individuals had fraudulent charges to their account soon after they had legitimate transactions at the Pentagon," according to a copy of the notice to employees obtained by the Washington Examiner.

Crosson was unable to say how many people have been affected or over what time period, saying the Pentagon Force Protection Agency is investigating.

The investigation is still looking into which of the Pentagon's multiple food courts were affected, Crosson said. Investigators are asking employees to report if they receive a fraudulent charge on their credit card within the last 120 days and within 48 hours of making a purchase at the Pentagon. More at the Washington Examiner:
http://www.washingtonexaminer.com/pentagon-food-court-computers-hacked-exposing-employees-bank-information/article/2571606

Usually the hackers get in with spear-phishing attacks using public facing email addresses. Which of your email addresses are exposed on the Internet and are a target for phishing attacks? You can get a one-time no-charge Email Exposure Check (EEC) sent to you if you want to know how big your email attack surface is:
http://www.knowbe4.com/email-exposure-check/

Cyberheist 'FAVE' LINKS:
 
Copyright © 2014-2015 KnowBe4 LLC, All rights reserved.
Our mailing address is: 33 North Garden Ave Suite 1200, Clearwater, Florida, 33755
