Protect your corporate IT network from hackers and other unwanted intruders with Proxy Sentinel™. Click here for all the details and get the peace of mind you deserve.
Back to our Homepage Proxy Sentinel™ high performance Internet proxy server and secure firewall solution Firewall Sentinel™ secure & powerful Internet firewall solution About Internet and GCIS Frequently Asked Questions on Internet security issues Internet Security Industry News - Stay informed of what's happening Contact Internet today and order your Proxy Sentinel™ or Firewall Sentinel™ server now!

Country-sponsored cyberwarfare could go mainstream in 2013

Get a great Linux dedicated server for less than $3 a day!

Share on Twitter.

January 7, 2013

Internet security observers are predicting that 2013 could be the year when country-sponsored cyberwarfare goes mainstream, and some say that such attacks could also lead to actual deaths of citizens.

Last year, large-scale cyberattacks targeted at the Iranian government were uncovered, and in return, Iran is believed to have launched massive attacks aimed at U.S. banks and Saudi oil companies. At least twelve of the world's fifteen largest military powers are currently building cyberwarfare programs, according to James Lewis, a cybersecurity expert at the Center for Strategic and International Studies.

And the situation could get a lot worse before it gets better. A full-fledged cyber Cold War is already in progress according to some. However, some security companies believe that the battle will become even more heated this year.

"Nation states and their armies will be more frequent actors and victims themselves of cyberthreats," a team of researchers at McAfee Labs wrote in a recent report. McAfee Labs is now a subsidiary of Intel.

Michael Sutton, head of security research at cloud security company Zscaler, said he expects governments to spend furiously on building their cyber arsenals. Some may even outsource attacks to online hackers, in an effort to speed up the process.

The Obama administration and many in Congress have been more vocal about how an enemy nation or a terrorist cell could target the United States' critical infrastructure in a cyberattack. Banks, stock exchanges, nuclear power plants and water purification systems are particularly vulnerable, according to numerous assessments delivered to Congress last year.

But after legislation aimed at preventing such attacks stalled in Congress last year, some experts believe this will be the year when cyberattacks will turn really deadly.

"Nation-state attackers will target critical infrastructure networks such as power grids at an unprecedented scale in 2013," predicted Chiranjeev Bordoloi, CEO of security company Top Patch. "These types of attacks could grow more sophisticated, and the slippery slope could lead to the loss of human life."

Security firm IID also predicted that cyberattacks will lead to the loss of life in 2013. But others say that such events are unlikely. Our most potent online foes, Russia and China, haven't shown an interest in infrastructure attacks, at least not yet. Those that would pursue them -- Iran is often mentioned -- haven't yet proven capable of pulling off something on that scale.

Others disagree. Verizon, which runs an extensive cybersecurity business, is in the doubters' camp. "Many security experts are using anecdote and opinion for their predictions, whereas Verizon's researchers are applying empirical evidence," said Wade Baker, head of Verizon's security division.

"First and foremost, we simply don't believe there will be an all-out cyber war, although it's always possible," added Baker.

The U.S. has already put would-be attackers on notice. Defense Secretary Leon Panetta said recently that the United States reserves the right to use military force against a nation that launches a cyberattack on the country.

Even if hackers aren't capable of killing with a cyberattack, there is no doubt that they've become more destructive in their attempts.

The August 2012 attack on oil company Saudi Aramco, for instance, crashed 30,000 computers. Then in September, a series of additional attacks brought down the websites of several of the largest U.S. banks. It was the largest "denial of service" (DoS) attack ever recorded, and by a very significant margin.

Those kinds of attacks will grow "exponentially" in 2013, McAfee predicts. And other internet security experts seem to agree.

"Recently, we have seen several attacks in which the only goal was to cause as much damage as possible; we expect this malicious behavior to grow in 2013," the McAfee researchers wrote. "The worrying fact is that companies appear to be rather vulnerable to such attacks," the company added.

But there may be some good news on the cybersecurity front. Hacktivist group Anonymous is starting to fade. The leaderless collective's attacks have gained less attention lately, and many proposed operations have simply failed. That's because companies are beefing up their defenses against Anonymous' main weapon, the denial of service attack.

"Anonymous' level of technical sophistication has stagnated and its tactics are better understood by its potential victims," McAfee said in a recent research report. "While hacktivist attacks won't end in 2013, if ever, they are expected to decline in number, nevertheless. Sympathizers of Anonymous are also suffering."

In other internet security news

Internet security company McAfee warns that there is a real threat of a coordinated hack attack against at least 30 major U.S. banks early next year that would most likely be committed by Eastern European fraudsters.

The so-called Project Blitzkrieg's rumors started after a message in September on a hacking board from a user identifying himself as VorVzakone, who was looking for recruits for a campaign against large U.S. banks, credit unions, and Wall Street brokerages.

The poster claims to have made $5 million from a similar attempt in 2008 and posted malware screenshots of the code to be used. It had been suspected that the VorVzakone character was in fact a sting operation by the Russian security services.

However, after studying the information posted and cross-referencing it with its own malware logs, McAfee Labs suspects that the threat may be real and more widespread than initially believed, and Fidelity, E-Trade, Charles Schwab, PayPal, Citibank, Wachovia Securities, Wells Fargo, Capital One, and others are at high risk of being the subject of a concerted attack.

Overall, the McAfee team thinks that the malware that is being used is a variant of a four year-old family of trojan horses dubbed Gozi. A new version, dubbed Gozi Prinimalka and said to have a payload more advanced than Zeus or other banking-optimized malware, and has been quietly spreading in targeted attacks, with varying degrees of success.

"Not only did we find evidence validating the existence of an early pilot campaign operated by VorVzakone and his group using the Trojan Prinimalka that infected at a minimum 300 to 500 victims across the United States, but we were also able to track additional hacking campaigns as a result of the forum posting," wrote the report's author Ryan Sherstobitoff, a threats researcher with McAfee Labs.

"Some recent reports argue that VorVzakone has called off this attack because it has been made public. Yet it is possible that the publicity may merely drive his activities deeper underground," added Sherstobitoff.

The command and control servers used in the previous Prinimalka attacks are largely found in Romania, Russia, and the Ukraine, with an outpost in The Netherlands. Sherstobitoff said that the fact that new Prinimalka command and control servers are now starting to pop up outside these zones suggests that there are new recruits to the plan, and he warns security teams to be ready and alert.

"These campaigns will not initially target hundreds or thousands of victims, rather they will stay under the radar by attacking selected groups," he suggested.

"On average, this strategy is necessary if the attackers hope to succeed in transferring several million dollars over the course of the attacks. A limited number of infections reduces the malware's footprint and makes it more difficult for network defenses to detect its activities, something that has been planned from the start."

In other internet security news

A new Linux malware and rootkit has been discovered late yesterday that security researchers say is designed to inject iFrames and viruses into specific websites and then push traffic to malicious sites that then propagate the malware even further.

News of the rootkit has circulated for the past few days after an anonymous user of the Full Disclosure mailing list posted about it online. Since then, researchers at Kaspersky Lab and CrowdStrike have looked into the malware and shared their findings.

Originally designed for 64-bit Linux systems, it specifically targets kernel version 2.6.32-5-amd64, which is the latest kernel used in the 64-bit Debian Squeezy Linux flavor.

"The rootkit at hand seems to be the next step in iFrame injecting cyber crime operations, driving traffic to exploit rootkits," says George Wicherski, senior security researcher at CrowdStrike. "It could also be used in a Waterhole attack to conduct a targeted attack against a specific target audience without leaving much forensic trail," he added.

According to CrowdStrike, the malware doesn't appear to be a modified version of any known malware, and appears to be the work of an intermediate-level programmer. It is believed that it could be the work of a Russian software contractor.

"The malware ensures its startup by adding an entry to the /etc/rc.local script: insmod /lib/modules/2.6.32-5-amd64/kernel/sound/module_init.ko," says Martha Janus of Kaspersky Lab. "After loading it into memory, the rootkit uses one of two methods to retrieve kernel symbols and write them to the /.kallsyms_tmp file:

  • /bin/bash -c cat /proc/kallsyms > /.kallsyms_tmp
  • /bin/bash -c cat /boot/`uname -r` > /.kallsyms_tmp
  • "Then it extracts the memory addresses of several kernel functions and variables and stores them in the memory for later use," she says.

    In order to hide files and the startup entry, the rootkit hooks a number of kernel functions, including: vfs_readdir, vfs_read, filldir64 and filldir.

    In order to actually inject the iframes or JavaScript code references into the HTTP traffic, the malware hooks the tcp_sendmsg function, which receives one or multiple buffers to be sent out to the target and appends them to a connections outgoing buffer, notes CrowdStrike's Wicherski.

    "The TCP code will then later retrieve data from that buffer and encapsulate it in a TCP packet for transmission," he adds.

    "Based on the Tools, Techniques, and Procedures employed and some background information we cannot publicly disclose, a Russia-based attacker is likely," he adds. "It remains an open question regarding how the attackers have gained the root privileges to install the rootkit. However, considering the code quality, a custom privilege escalation exploit seems very unlikely."

    Janus further speculates in her analysis that the malware is still in the initial development stage due to the presence of debugging information and some of the functions do not seem to be fully working or implemented as of now.

    "So far, in most of the drive-by download scenarios we've seen, an automated injection mechanism is first implemented as a simple PHP script," Janus states. "In the case described above, we are dealing with something far more sophisticated-- a kernel-mode binary component that uses advanced hooking techniques to ensure that the injection process is more transparent and low-level than ever before," he said.

    "This rootkit, though it's still in the initial development stage, reveals a new approach to the drive-by download scheme and we can certainly expect more such malware in the future," he added.

    In other internet security news

    BSD software developers say that hackers broke into two of its FreeBSD project servers using a stolen SSH authentication key, with admin login credentials that appear to have belonged to one of the developers.

    The lead project developer behind the open-source operating system has launched a full-fledged investigation into the security breach and has taken a few of the servers offline during his probe. However, early indications are that the damage might have been far worse than was initially thought.

    None of the so-called base repositories - stores of core components such as the kernel, system libraries, compiler and daemons were hit, however. And only servers hosting source code for third-party packages were exposed by the attack, which was detected on November 11 and announced on Saturday, November 17, following a preliminary investigation.

    The intrusion itself may have happened as far back as September 19, according to the lead developer. On November 11, an intrusion was detected on two servers within the cluster. The affected machines were taken offline for analysis, and probably won't be reconnected until sometime next week.

    Additionally, a large portion of the remaining infrastructure machines were also taken offline as a precautionary gesture. "We have found no evidence of any modifications that would put any end user at risk. However, we do urge all BSD users to read the report available on our site and decide on any required actions themselves. We will continue to update you as further information becomes known. We do not currently believe users have been affected given current forensic analysis," read a FreeBSD statement on their site.

    "And no Trojanized packages have been uncovered, at least as yet. But FreeBSD users have been urged to carefully check third-party packages installed or updated between September 19 and November 11 nonetheless, as a precaution," it continued.

    The team has promised to tighten up security, in particular by phasing out legacy services such as the distribution of FreeBSD source via CV Sup, in favor of the more robust Subversion, freebsd-update, and portsnap distribution methods. The hack was "not due to any vulnerability or code exploit within FreeBSD", according to the BSD developers.

    The whole incident raises some embarassing and troubling questions since it seems that the unknown attackers behind the hacking attempt managed to steal both SSH (remote administration) key file and passwords from a developer.

    Analysis of the attack can be found in an informative blog post by Paul Ducklin of Sophos. Attacks on open-source repositories are far from unprecedented. was suspended for a month in July 2011 following a much more serious malware attack and a server compromise.

    Then in August 2011 another breach on the website left visitors exposed to malware that could infiltrate said MySQL databases.

    But perhaps the most similar attack to the FreeBSD hacking attempt occurred in 2009, with a breach against the Apache Software Foundation, also facilitated by the misuse of SSH keys.

    In other internet security news

    The U.S. Transportation Security Administration (TSA) has taken yet another bad doze of publicity with the recent discovery that its questionable security system allows passengers in its PreCheck system to choose their own security status, and thus compromising other security features.

    The TSA's PreCheck system allows some frequent fliers willing to pay $100 for a background check to skip some of the onerous security checks, like taking off shoes and unpacking laptops or toiletries. PreCheck customers are still subject to more intensive searches on a randomized basis, however.

    Aviation blogger John Butler discovered that the barcode information used for the boarding passes of Precheck fliers wasn't encoded, and could be read by a simple smartphone app. It contained the flier's name, flight details, and a number, either a 1 or a 3, with the latter confirming the passenger was cleared for lesser screening.

    Ordinarily, it would be a relatively simple task to just scan the issued boarding pass, decode it, and then change the security setting if you are planning to bring something suspicious aboard, or even change the name on the ticket to match a fake ID.

    But after placing the new information into a barcode, and a couple of minutes of cut and paste, the new boarding pass would work as normal, Butler explained, and that's where all the issue lies.

    "The really scary part in all of that is both the TSA document checker, because the scanners the TSA use are just barcode decoders, they don't check against the real time information," he said. "So the TSA document checker will not pick up on the alterations."

    This means that, as long as their boarding pass has a 3 on it, they can always use the Pre-Check line. But the agency that appears to devote so much time to irradiating fliers, fondling vibrators, promoting the homosexual agenda, or just plain stealing fliers' belongings doesn't seem to have thought of that.

    The TSA only deems it necessary to have barcode readers for checking the data itself against the presented ID, not the accuracy of the boarding pass itself. And simply encrypting the data would also work as well, so how come they didn't think of that?

    Get a great Linux dedicated server for less than $3 a day!

    Share on Twitter.

    Source: McAfee Security Labs.

    Save Internet's URL to the list of your favorite web sites in your Web browser by clicking here.

    You can link to the Internet Security web site as much as you like.

    Home | Proxy Sentinel™ | Firewall Sentinel™ | FAQ | News | Sitemap | Contact
    Copyright © Internet    Terms of use    Privacy agreement    Legal disclaimer

    Click here to order your new fully dedicated Plesk server with the Linux operating system.

    Get your Linux or Windows dedicated server today.

    Click here to order your new fully dedicated Plesk server with the Linux operating system.