Hackers successfully attacked a hedge fund, trades delayed

June 23, 2014

Various reports in the blogosphere this morning say that hackers have successfully attacked a hedge fund, delaying several trades and then stealing profitable secrets in a rare but very direct raid on the United States financial services sector.

BAE Systems Applied Intelligence says that the attack cost the unnamed US-based hedge fund millions of dollars over two months.

Hackers apparently lifted large chunks of data on complex high speed trades from the financial firm, then sent the details to external servers using malware which implanted itself on the victim's network.

For now, the identity of the attackers is unknown, said BAE product director Paul Henninger, but the stolen data could be immensely profitable for smaller hedge fund firms looking for a leg up into the market.

The assumption of espionage was given further weight because the attackers added slight delays between the issuance and execution of the victim's trades, a tactic that would almost certainly lead to the discovery of the attacks but may have provided a competing firm with a much needed trading advantage.

Henninger said that the attacks occurred in January 2013 and were escalated to the company board. Why it took so long for the news to become public isn't known at this time.

"This was something that was getting reviewed at the board level of this hedge fund precisely because it was having a material impact on performance across the whole portfolio," said Henninger.

Incredibly, the attacks began with a successful but very simple spear-phishing email campaign against a staffer, through which malware was deployed to gain a direct foothold in the company.

The attackers knew exactly what they were doing. Henninger didn't know if the hack was reported to the Securities and Exchange Commission or FBI and noted that the fund would have little incentive to do so.

Attacks against hedge funds don't often make it onto the public record. More than three years ago, Cyber Engineering Services founder Joe Drissel tipped off one hedge fund that it was compromised after he discovered its stolen data on a hacked server.

The unnamed company, which initially laughed off the disclosure, later disconnected its entire enterprise network from the Web when Drissel sent its IT manager a copy of a stolen file.

Attackers had installed no fewer than three trojans on the victim's machines, all of which went completely undetected by anti-virus software.

Internet security teams have since reported phishing emails targeted towards hedge funds that lured victims to open malicious documents purportedly discussing carried interest fees.

In other internet security news

Exactly a year ago, Edward Snowden leaked the NSA's Advanced Network Technology catalog, a complete listing of the hardware and software tools the agency makes available to its agents for its spying activities.

Since then, enterprising security experts have been using the same extensive catalog to build similar tools from low-cost and readily available electronics that anybody can easily get.

Michael Ossmann of Great Scott Gadgets and his team examined the leaked catalog and discovered that a number of the devices the NSA developed can be very simple to recreate.

To be sure, Ossmann was able to build a simple software-defined radio (SDR) system capable of recording and transmitting data from a target PC using a Kickstarter project, and says that the hardware can be bought from the market for $300 or less.

"SDR lets you engineer a radio system of any type you like really quickly so you can research wireless security in any radio format," he added.

Ossmann said that he was also able to build two devices from the NSA's catalog using little more than a few transistors and a two-inch length of wire as an antenna. These mimic NSA products such as Ragemaster, a plug that sits on the monitor cable of a computer and broadcasts screen images.

And of course there's also the Surlyspawn keystroke logger, built at a small fraction (less than 5 percent) of the cost the U.S. government gets charged for the same thing.

In a presentation at the Hack In The Box conference in Amsterdam last month, Ossmann detailed some of his creations and the methods he and his team used to build them using off-the-shelf components.

Those devices aren't as small as the NSA's hardware, but are just as effective, he said. The team has now set up a website detailing the different spying products they have reverse-engineered, and more details will be given out at presentations at the DEFCON hacking conference being hosted in Las Vegas in August.

Ossmann's goal isn't to help hackers conduct their own spying operations, nor to make it easier for the government to get low-cost surveillance hardware. While he has developed tools for the federal government, the goal of his project is to help the security industry understand the range of threats it should be protecting against.

"Showing how such devices exploit weaknesses in our systems means we can make them more secure in the future," he added.

In other internet security news

It was revealed this morning that LinkedIn accounts can easily be hijacked through simple man-in-the-middle (MITM) attacks due to a failure to promptly patch an SSL stripping vulnerability.

The security flaw is described as a zero-day vulnerability, and it allows attackers to gain full control of a user's account after the user has logged in via SSL.

Attackers could insert themselves between the user and the service and downgrade the connection from HTTPS to plain HTTP, allowing access to the account.

User IDs, passwords and all LinkedIn data could then be siphoned off by hackers. All users outside of Europe and the United States who didn't tick a box to activate optional HTTPS beyond the login screen were vulnerable to the attack, said Zimperium CEO Zuk Avraham.

"Through a relatively straightforward MITM attack that leverages an SSL stripping technique, hackers can steal a user’s credentials and gain full control of the user’s account," Avraham said.

"We have reached out to LinkedIn six times over the last year to bring this critical security vulnerability to their attention and have urged them to improve their network security, but more than a year after disclosing the security hole they have yet to implement a patch for this vulnerability," he added.

"When the victim types in an email and a password, it’ll be sent over the network in an unencrypted form that can be easily read by any attacker, even the most amateur ones," he stated.

Avraham used his company's hacking tool to demonstrate the attack against his own account. He said accounts could be randomly accessed via the same flaw affecting LinkedIn's mobile app.

He warned that attackers could damage an organization's reputation by breaking into its account and changing details or sending out messages.

LinkedIn has been gradually implementing full SSL across its websites since December last year and is testing various techniques to handle mixed content and speed up page loading under tighter security arrangements, we are told.

But LinkedIn did provide us with the following statement about the issues raised by Zimperium: "LinkedIn is committed to protecting the security of our members. In December 2013 we started transitioning the LinkedIn site to default HTTPS and just last week announced that we are serving all traffic to all users in the US and the EU by default over HTTPS. This issue does not impact the vast majority of LinkedIn members given our ongoing global release of HTTPS by default."
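An added illustration of the defence against the attack described above, not code from the article or from Zimperium or LinkedIn: the script below evaluates a site's HTTPS response headers for the two controls that stop a stripped connection from carrying the session, a Strict-Transport-Security header (so the browser refuses to fall back to plain HTTP) and the Secure flag on session cookies. The sample header sets are constructed for illustration.

```python
"""Check HTTPS response headers for HSTS and Secure cookies, the two
controls that blunt SSL stripping. Sample headers below are constructed."""
from typing import Dict, List, Tuple

ONE_YEAR = 365 * 24 * 3600  # minimum max-age most hardening guides recommend


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value into its directives."""
    out: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                out[name] = int(val.strip().strip('"'))
            except ValueError:
                out[name] = -1  # malformed: treat as absent
        else:
            out[name] = True  # includeSubDomains / preload are flags
    return out


def assess(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for one HTTPS response given (name, value) pairs."""
    findings: List[str] = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no HSTS header: a downgraded HTTP visit is possible")
    else:
        d = parse_hsts(hsts[0])
        age = int(d.get("max-age", -1))
        if age < ONE_YEAR:
            findings.append(f"HSTS max-age {age} is below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    for n, v in headers:
        if n.lower() == "set-cookie":
            # a cookie without Secure is sent on any HTTP request the
            # attacker can provoke, which is what makes stripping pay off
            attrs = [a.strip().lower() for a in v.split(";")[1:]]
            cookie_name = v.split("=", 1)[0].strip()
            if "secure" not in attrs:
                findings.append(f"cookie {cookie_name} lacks Secure flag")
    return findings


# constructed sample responses: a weak site and a hardened one
WEAK = [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
]
```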

In other internet security news

Thousands of Supermicro baseboard management controllers (BMCs) continue to reveal administrator passwords in clear text after a security patch described as unsuitable was not applied by system administrators.

Overall, accessing the machines could be extremely simple for the tech savvy: vulnerable servers show up in a network or Shodan scan for port 49152.

Any of the roughly 3296 exposed BMCs could easily be accessed with the hardware's factory default password.

The world's worst access code, "password", would grant full access to plenty of others. Baseboard management controllers are motherboard components at the core of the Intelligent Platform Management Interface (IPMI), which gives system administrators remote access over UDP to monitor the physical state of machines.

In 2013, H.D. Moore of Metasploit fame warned that Supermicro had a security issue. The fixes weren't very effective, leaving Carinet Security Incident Response Team security engineer Zachary Wikholm blown away by the Supermicro security flaw.

"This simply means that as of this writing, there are 31,964 systems that have their passwords available on the open market," Wikholm wrote on web host Carinet's security incident response team's blog.

The issue was also noted by Tony Carothers of the SANS Internet Storm Centre, which verified the flaw.

"The security vulnerability involves a plaintext password file available for download simply by connecting to the specific port, 49152," Carothers said.

"One of our team has tested this security vulnerability, and it works very well." Admins would need to reflash their systems with a new IPMI BIOS issued by Supermicro as a fix, but this was not possible for some system admins, Wikholm said.

He offered an alternative work-around that he said did the trick for those unable to reflash.

The Shodan scan run by the site's proprietor John Matherly returned 9.8 million replies to HTTP GET requests from a scattering of devices listening on port 49152, many of which ran embedded Linux platforms and broadcast their kernel and hardware architectures.

Some 6.4 million of these were AT&T U-Verse web media boxes and did not spew critical data.

For the Supermicro controller subset, information on kernel versions could be matched against Shodan to help identify embedded host information.

Many of the total pool ran old Linux kernel versions: 23,380 operated on kernel 2.4.31.x, 112,883 on 2.4.30.x, and 710,046 systems maintained 2.4.19.x.

The news follows revelations last week that 207,000 BMCs exposed to the public internet could be exploited via a handful of basic configuration and protocol weaknesses.

Worse, access to the various BMCs permitted hackers to compromise the host server as well as other BMCs within its management group which shared common passwords, the researchers said at the time.

In other internet security news

Dell said today that hackers have made a staggering US $620,000 in the Dogecoin crypto-currency system by exploiting vulnerable Synology network attached storage (NAS) servers.

The clever attackers pulled off the largest heist of its kind so far by planting mining software on the NAS servers to 'borrow' their computational power.

Several NAS devices now boast powerful multi-core CPUs capable of mining such coins.

Several unpatched Synology servers were infected and continued to mine Dogecoins for the assailants, according to Dell.

It took just two months for the attackers to accrue 500 million coins worth US $620,000, Dell Secureworks researcher Pat Litke wrote in a blog post.

"To this date, this incident is the single most profitable, illegitimate mining operation," Litke wrote.

"This conclusion is based in part on prior investigations and research done by Secureworks, as well as further searching of the internet," he added.

Secureworks' analysis suggests that an experienced hacker, likely of German descent and using the alias Folio, was behind the Dogecoin mining spree, and that he could just as easily have mined Bitcoins instead.

Source: BAE Systems Applied Intelligence.
