Protect your corporate IT network from hackers and other unwanted intruders with Proxy Sentinel™. Click here for all the details and get the peace of mind you deserve.
Back to our Homepage Proxy Sentinel™ high performance Internet proxy server and secure firewall solution Firewall Sentinel™ secure & powerful Internet firewall solution About Internet and GCIS Frequently Asked Questions on Internet security issues Internet Security Industry News - Stay informed of what's happening Contact Internet today and order your Proxy Sentinel™ or Firewall Sentinel™ server now!

FBI charges man alleged to be lord of Gameover botnet

If you need reliability when it comes to SMTP servers, get the best, get Port 587.

Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

Share on Twitter.

June 3, 2014

Click here to order the best dedicated server and at a great price.

An FBI indictment in the United States has been unsealed against an alleged cybercrime mastermind following a takedown operation that disrupted the internet infrastructure upon which the Gameover ZeuS botnet and the CryptoLocker ransomware had been running.

Specifically, 30 year-old Evgeniy Bogachev of Anapa, Russian Federation, was officially charged with conspiracy, computer hacking, wire fraud, bank fraud and money laundering in connection with his alleged role as an administrator of the Gameover ZeuS botnet.

Bogachev is further charged with conspiracy to commit bank fraud related to his alleged involvement in a cybercrime scam involving Jabber ZeuS, a prior variant of ZeuS malware.

A separate U.S. civil suit also alleges that Bogachev led a tightly knit gang of cyber criminals based in Russia and the Ukraine behind both the Gameover ZeuS and the even more infamous CryptoLocker ransomware.

Gameover ZeuS is a common distribution mechanism for CryptoLocker, which is also spread using infected email attachments that pose as a voicemail or shipping confirmation.

A U.S. Department of Justice statement on the case alleged Bogachev is using the online nicknames "Slavik" and "Pollingsoon", among others, to rule the criminal network.

The FBI, Europol and the U.K.'s National Crime Agency coordinated an attack to dismantle the infrastructure of the GameOver ZeuS botnet as part of Operation Tovar.

The FBI said they'd identified and seized "servers acting as command and control hubs for the Cryptolocker malware".

Technical assistance in running the operation was provided by a variety of technology firms including Dell SecureWorks, CrowdStrike, Microsoft, F-Secure, Level 3 Communications, McAfee, Symantec, Trend Micro and a few others.

GameOver ZeuS, which is estimated to have infected 500,000 worldwide, is designed to steal financial and personal data from compromised PCs and workstations.

CryptoLocker works by locking victims out of their PCs and encrypts their files before demanding a ransom, payable in BitCoins. An estimated 234,000 machines worldwide have been infected by CryptoLocker.

Simply dismantling a zombie's control infrastructure is only part of the work because infected PCs still need to be disinfected.

The UK’s National Crime Agency (NCA) warned its citizens that they had just two weeks to protect their computers following the disruption of CryptoLocker and the Gameover ZeuS botnet.

Past experience suggests that cybercrooks often successfully rebuild zombie networks, but we can't really be sure if and when this would happen so the two-week deadline seems a bit arbitrary and even perhaps counterproductive.

Britain's?'Get Safe Online' initiative became difficult to reach on Tuesday morning in the aftermath of the NCA's cleanup advice, which pointed towards as the prime resource for information on cleaning up infected PCs.

"Please bear with us, we're working as hard as possible to restore our normal service free of charge, expert online safety & security advice," GetSafeOnline said on Monday evening in an update to its official Twitter profile.

Access remained patchy hours later on Tuesday midday, at the time of writing. Whether or not all this is due to the weight of extra and unplanned for demand or something more nefarious isn't immediately clear at this point in time, however.

Victims of Gameover ZeuS may alternatively use a micro-website created by DHS’s Computer Emergency Readiness Team (US-CERT) for help in removing the malware.

In other internet security news

Monsanto has admitted today that credit card data along with names, addresses and U.S. taxation information for at least 1,300 customers and employees was compromised after hackers broke into its servers sometime in March.

The security breach affected Monsanto's Precision Planting division which manufactures specialist farming equipment. It came as the agriculture giant pushed to sell big data intelligence services harvested from and disseminated to its customers.

Precision Planting senior counsel Reuben Sheldon said in a letter sent to the Office of the Attorney General of Maryland that Monsanto did not believe that the hackers would have sought client and staff data. But now we know that they did.

"We believe that this unauthorised access was not an attempt to steal customer information. But instead, it is possible that files containing personal information may have been accessed and therefore we are making this notification," Sheldon said.

"Files on the affected servers contained personal information, including customer names, addresses, tax identification numbers which in some cases could be Social Security Numbers and financial account information.

"And some HR data was also stored on the servers, including some W2 tax forms that contained employee name, addresses and Social Security numbers and even driver’s license numbers," Monsanto added.

The company initially told specialist agriculture news site Argi-Pulse that hackers did not steal customer farming data which was stored on a separate server.

Monsanto has offered affected staff and clients a year of credit monitoring services to combat the risk of subsequent fraud and was reviewing the security of all its systems, the company added.

The company has been a favourite target of hacktivists. In 2011, members of the Anonymous hacking collective stole and published details of over 2,500 Monsanto employees.

And in May, members operating under #operationgreenrights claimed to have hacked and released 1,800 usernames and passwords stolen from companies, including Monsanto.

And then in January of this year, it released what it claimed were 48 database name records along with login information.

In other internet security news

CERT (the Computer Emergency Response Team) reports that no less than 76 companies and various organizations have admitted they've been hacked into and getting past their IT defence mechanisms.

CERT released its findings in an annual report late yesterday. The mostly Australian businesses represented 135 organizations reporting to the CERT Australia survey and were part of a 35 percent uptick in reported information security incidents from the previous 2012 annual survey.

Overall, breached organizations were unclear about the exact motivations behind the attacks but suggested that commercial competitors could have been at fault.

The report also highlighted well known security shortcomings across various organizations including a lack of plans for forensic preservation of evidence ahead of security breaches, an average drop of 25 to 28 percent in security spending, and the rather poor adoption of payment security controls using PCI DSS technology.

In other findings, no less than 18 organizations said they would maintain their Windows XP deployments despite Microsoft's end of life plans for the operating system on April 8, 2014.

CERT also notes that the use of cryptography has spiked by 35 percent to 60 percent of responding organizations. Most respondents were part of the Federal Attorney General's Trusted Information Sharing Network (TISN), which serves as a security intelligence sharing hub between CERT and the country's critical infrastructure and nominated systems of national interest.

A quarter of the TISN respondents hailed from defence, 16 percent from the energy sector and 13 percent from banking and finance industries.

About 73.8 percent of respondents were from large organizations and agencies with more than 200 employees, yet most (over 74.6 percent) had fewer than five full time IT security people on their payroll.

On average, user access management was the most common security control in use, followed by disaster recovery (DR) and change controls.

Most organizations applied four of the Australian Signals Directorate's lauded security control list, but few had applied critical application whitelisting which the intel agency was an incredibly effective means of ensuring security, according to CERT.

In other internet security news

Internet security researchers in Russia have reported a software vulnerability in SAP NetWeaver which could allow hackers and attackers to gain access to Central User Administration tables.

Catalogued as CVE-2014-3787, details on the security vulnerability in the service-oriented and integration platform were kept under wraps by security firm PT Security which conducted regular tests on SAP enterprise software.

The Central User Administration feature streamlined management of multiple users accounts that were managed on different clients.

SAP was among the most popular business applications and was used by about 73.4 percent of Forbes 500 companies.

Dmitry Gutsko said the sensitive information disclosure security vulnerability affected NetWeaver versions 7.20 and earlier.

"By successfully exploiting the vulnerability, an attacker can read any tables from SAP Central User Administration via accessing the affiliated system, which may lead to disclosure of user data stored in all CUA systems," Gutso warned in a disclosure.

Users were advised to apply the latest NetWeaver security patches to fix the security hole. SAP users were notoriously bad at updating and securing their deployments. In 2013, ERP Scan founder Alexander Polyakov found hundreds of organizations that ran vulnerable and older versions of SAP and had exposed deployments to the public internet.

Polyakov found many customers that ran versions of NetWeaver j2EE that contained critical security flaws allowed attackers to execute commands without user authentication.

And in January of this year, the same security company reported a critical XML External Entity (XXE) security vulnerability within SAP NetWeaver's GRMGApp which was open to unauthorised access.

In other internet security news

It's reported in the blogosphere today that China is escalating its war of words with the United States over online espionage, releasing a report by its Internet Media Research Center that concludes that the US does a lot of spying online.

As could be expected, there's also a lot of strong language in the report, such as this opening paragraph-- “As a superpower, the United States does take into account its political, economic, military and technological advantages to unscrupulously monitor other countries, including its own allies. The U.S.' spying operations have gone far beyond the legal rationale of "anti-terrorism" and have exposed its true colors of pursuing self-interest in complete disregard of moral integrity. These operations have flagrantly breached International laws, seriously infringed upon the human rights and put global cyber security under threat. They deserve to be rejected and condemned by the whole world.”

China's specific allegations suggest the U.S. have conducted the following activities against it and other nations:

  • Collecting nearly 5 billion mobile phone call records across the globe every day.
  • Spying over German Chancellor Angela Merkel's cell phone for more than 10 years.
  • Plugging into the main communication networks between Yahoo's and Google's overseas data centers, and stealing data of hundreds of millions of customers.
  • Monitoring mobile phone apps for years and grabbing private data.
  • Waging large-scale cyber attacks against China, with both Chinese leaders and the telecom giant Huawei as targets.
  • The document goes on quite a bit, mostly repeating Edward Snowden's allegations and throwing in a few other incidents reported by other nations.

    Expressions of outrage about NSA activities voiced by the United Nations and privacy groups are given a new airing, as is just about every report from any newspaper anywhere about Snowden-sourced NSA activities.

    That China has put this all on letterhead is significant inasmuch as it shows the nation is very angry indeed and wants the US to know it.

    That the document doesn't miss a chance to paint the US as a declining imperial power unfairly seeking to nobble its likely new superpower successor will also go down well with local audiences.

    Actions like China's new vetting program for imported IT products and possible ban on IBM servers are likely to have more impact on the US because they hit it directly where it hurts the most-- in the wallet.

    And let's also note that there's colossal hypocrisy on both sides-- if China could do the things the NSA is accused of, would it really back off? Or would it decline the grubby practice of same “pursuing self-interest in complete disregard of moral integrity” just like it did in Tiananmen Square? There's real food for thought in the whole thing.

    In other internet security news

    Apple is denying that a security breach of its iCloud service is the reason for an outbreak of ransomware infecting Australian iCloud users.

    Click here to order the best dedicated server and at a great price.

    Australian Apple owners yesterday complained that their hardware had been remotely locked by a hacker identifying himself as Oleg Pliss and demanding a PayPal transfer of $50 to restore them back to life.

    Apple Australia has contacted us and offered the following statement on the situation-- “Apple takes security very seriously and iCloud wasn't compromised during this incident. Impacted users should change their Apple ID password as soon as possible and avoid using the same user name and password for multiple services. Any users who need additional help can contact AppleCare or visit their local Apple Retail Store.”

    So how did the entity known as Pliss manage to compromise so many accounts? People familiar with the matter have told us that Pliss is likely in possession of usernames and passwords gleaned from sources other than Apple and has attacked users who use the same identifier for multiple services including iCloud.

    Lots of users have weak passwords and/or use them to log on to multiple services. And it is certainly possible to come by such data-- breaches at Adobe and eBay would have yielded many email addresses that could be used to target Australian users.

    If that is indeed what has transpired on this occasion it is perhaps scarier than an iCloud security breach, because to this date, compromised passwords have not been deployed to power large-scale attacks.

    If Pliss is in deed the initiator of such efforts, millions of people could be at risk on most of their Apple devices.

    Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!

    Share on Twitter.

    Source: The FBI.

    Save Internet's URL to the list of your favorite web sites in your Web browser by clicking here.

    You can link to the Internet Security web site as much as you like.

    Home | Proxy Sentinel™ | Firewall Sentinel™ | FAQ | News | Sitemap | Contact
    Copyright © Internet    Terms of use    Privacy agreement    Legal disclaimer

    Click here to order our special clearance dedicated servers.

    Get your Linux or Windows dedicated server today.

    Click here to order our special clearance dedicated servers.