Monday, 21 November 2016

400,000 Records Exposed in Michigan State University Breach

Hackers attempted to extort Michigan State University after gaining access to a database containing 400,000 student and employee records. The organization believes that only a few hundred records have actually been stolen by the attackers.
MSU reported on Friday that an unauthorized party breached one of its servers on November 13. The attacker accessed a database containing 400,000 records, including names, social security numbers, MSU identification numbers and dates of birth of current and former students and employees.
The exposed information dates as far back as 1970. MSU pointed out that passwords, contact details and financial information were not stored in the affected database.
The university said it took the affected database offline within 24 hours after discovering the breach and it determined that only 449 of the records have been accessed by the hackers.
Affected individuals have been offered two years of free identity protection and fraud recovery services. The incident is being investigated by the MSU Police Department in collaboration with federal law enforcement authorities.
Michigan State University representatives told Fox47News that the hackers attempted to extort the organization after gaining access to the database. It’s unclear how much money they wanted, but the university said it refused to pay up.
This is not the first time MSU has suffered a data breach. In 2012, a hacker leaked roughly 1,500 records allegedly stolen from the university’s systems and, in 2013, the organization admitted that hackers modified employee banking information using stolen credentials.
According to DataBreaches.net, a hacker recently leaked contact information and credentials allegedly stolen from MSU. The hacker published the data in late October and the incident does not appear to be related to the November 13 breach.

iPhone Call Logs Quietly Synced to iCloud, Forensics Firm Warns


Saturday, 12 November 2016

Cyberspies Launch U.S. Attacks Hours After Trump Elected

Just hours after Donald Trump was elected president of the United States, researchers spotted a series of election-themed spear-phishing attacks aimed at think tanks and non-governmental organizations (NGOs) in the U.S.
According to security firm Volexity, the attacks were launched by a Russia-linked threat group known as The Dukes, APT29, Cozy Bear and Cozy Duke. This and another actor believed to be sponsored by the Russian government, known as Pawn Storm and Fancy Bear, are suspected of launching attacks against the U.S. Democratic Party before the presidential election.
Volexity said the Dukes sent out spear-phishing emails from Gmail accounts and compromised email accounts at Harvard’s Faculty of Arts and Sciences (FAS). The targeted users specialize in national security, international affairs, defense, public policy, and European and Asian studies.
The Dukes has been targeting think tanks and NGOs in the United States since July 2015. However, in August 2016, the attackers started using a new piece of malware, which Volexity has dubbed “PowerDuke.”
Unlike in previous attacks, which involved ZIP files containing malicious executables, the threat group delivered PowerDuke via emails carrying macro-enabled Word and Excel documents. The malicious documents were set up to install a downloader designed to fetch the PowerDuke backdoor.
PowerDuke was also used in attacks launched in October and the ones observed on November 9, after the presidential election in the U.S.
The first attack wave spotted after the elections involved fake eFax emails titled “The Shocking Truth About Election Rigging in the United States.” This wave was similar to earlier attacks where the APT actor used links pointing to ZIP files to deliver its backdoors.
The second attack used the same eFax theme, but the emails were titled “Elections Outcome Could Be Revised [Facts of Elections Fraud]” and they delivered PowerDuke via macro-enabled documents.
The third wave involved emails coming from a fas.harvard.edu address and messages apparently sent via the “Harvard PDF Mobile Service.” Titled “Why American Elections Are Flawed,” these emails also carried PowerDuke malware.
The next two waves also leveraged Harvard FAS email addresses and they appeared to be forwarded from someone at the Clinton Foundation. The hacker calling himself Guccifer 2.0, which experts believe could be a persona used by Russian cyberspies, claimed in October that he had hacked the Clinton Foundation, but the organization refuted the claims.
PowerDuke, which is deployed on a system only after anti-analysis checks are conducted, is capable of collecting information about the infected device, creating and terminating processes, downloading and uploading files, and obtaining text from the current window. The backdoor is hidden in innocent-looking PNG image files and some of its components are loaded only in memory.

Hackers Can Abuse iOS WebView to Make Phone Calls

The iOS applications of Twitter, LinkedIn and possibly other major vendors can be abused by hackers to initiate phone calls to arbitrary numbers. The attacker can also prevent the victim from ending the call.
Security researcher Collin Mulliner said the cause of the flaw is related to WebView and how the component is handled by some iOS applications. WebView is a browser integrated into mobile apps. It allows developers to build their apps with web technologies, and it’s often used to display web pages inside an application without the need for third-party browsers.
According to Mulliner, an attacker who can convince a user to open a specially crafted webpage via a vulnerable app can make phone calls from the victim’s device. The attack website needs to redirect the victim to a TEL URI, which initiates a call to a specified number. This part of the attack involves only one line of HTML code, but the victim can easily end the call once the number is dialed.
In 2008, Mulliner informed Apple of a similar Safari vulnerability that allowed attackers not only to initiate phone calls, but also to prevent the victim from canceling the call by freezing the phone’s graphical user interface for a few seconds. At the time, Apple addressed the issue with the release of iOS 3.0.
The researcher determined that this bug resurfaced and he managed to tweak his old proof-of-concept (PoC) exploit to initiate calls from the Twitter and LinkedIn iOS apps and prevent the user from canceling the call. He published demonstration videos for both applications.
“The trick is to cause the OS to open a second application while the phone is dialing the given number. Opening applications is pretty straight forward, you open a URL that causes the OS to spawn another application,” Mulliner explained. “This can be anything from the messages app (via the SMS: URL) or iTunes (via the itms-apps: URL). You can pretty much get any application to launch that has a URI binding. In 2008 I used a SMS URL with a really really long phone number to block the UI thread.”
Mulliner reproduced the vulnerability in Twitter and LinkedIn, but he believes other iOS apps could be affected. Applications that open links in third party browsers, such as Safari and Chrome, are not impacted.
The expert informed Twitter of his findings via the company’s bug bounty program on HackerOne, but the social media giant marked it as duplicate this week without any comment. He also notified LinkedIn and Apple of the vulnerability, but did not wait for them to release patches before making the issue public.
Applications such as Safari, Dropbox and Yelp warn the user that a phone call is about to be made and prompt them to confirm the action, and the researcher believes other apps should do the same. In addition to app developers, Apple should take steps to prevent this type of WebView abuse.
Mulliner started investigating the issue after hearing the story of an 18-year-old teen from Arizona who used a similar exploit to “prank” his friends. However, the teen ended up being arrested because he unknowingly used an exploit designed to trigger calls to 911, causing disruptions to emergency services in his area.
Mulliner provided other examples of serious attacks that can be carried out using this type of exploit.
“DoSing 911 is pretty terrible but there are other examples such as expensive 900 numbers where the attacker can actually make money. A stalker can make his victim dial his phone number so he gets his victim's number. Altogether things you don't want to happen,” he said.

Sixth Individual Arrested in Connection with Coin.mx, Links to JPMorgan Hack

A Florida man is the latest person to be charged in connection with alleged illegal activities associated with coin.mx, a now defunct unlicensed bitcoin exchange. Riccardo Hill, a resident of Brandon, Florida, was charged with conspiring to operate an unlicensed money transmitting business. He was released Thursday on a $75,000 bond following a court appearance in Manhattan.
Hill, 38, was arrested in October. He is the ninth person to be arrested following the investigation into the JPMorgan data breach that was disclosed in 2014. Prosecutors claim that coin.mx was owned by Gery Shalon, an Israeli charged with masterminding the hacks that breached JPMorgan and other companies.
Shalon and Ziv Orenstein, another Israeli, were arrested in Israel in July 2015. They were extradited to the US and pleaded not guilty to a hacking and fraud scheme including but not limited to JPMorgan. Prosecutors said the scheme dated back to 2007 and compromised more than 100 million people's personal information.
A third individual, Joshua Aaron from Florida, is also wanted in connection with these charges. Aaron is believed to have fled to Russia, which he frequently visited. This has led to some suggestions that the actual hacker (rather than the orchestrators) of the JPMorgan hack and others may be Russian. Last month Bloomberg reported that Aaron had been located in Russia, but is no longer welcome there. "The only American suspect named in the largest known hack of Wall Street is negotiating his return to the U.S. from a detention cell in Russia, where he's no longer welcome."
The investigation into the JPMorgan breach led to Shalon, and Shalon led to coin.mx. Coin.mx seems to have been used as a laundering facility for other criminal activities, including the proceeds of ransomware. It is possible that the personal details stolen from the JPMorgan and other hacks helped facilitate some of this illegal activity.
Coin.mx was operated by Anthony Murgio, also from Florida. He and four others associated with the bitcoin exchange were arrested around the same time as Shalon. At that time the FBI stated: "Murgio and his co-conspirators knowingly enabled the criminals responsible for those attacks to receive the proceeds of their crimes, yet, in violation of federal anti-money laundering laws, Murgio never filed any suspicious activity reports regarding any of the transactions."
The latest charge against Hill claims that he was employed as a finance support manager and business development consultant for an unlicensed bitcoin exchange, that is, Coin.mx. The complaint against Hill claims that he and others profited from numerous bitcoin transactions conducted on behalf of victims of schemes involving ransomware. 
Of the five other individuals arrested in connection with coin.mx, two have pleaded guilty. Murgio and two others have pleaded not guilty, and will face trial in February 2017. Neither Murgio nor Hill is accused of direct involvement with hacking.

Thursday, 10 November 2016

Why Monitoring Control Plane Activity is a Requirement for Securing Industrial Networks

Monitoring network activity is key to securing any production environment. Keeping tabs on the activities of the users, applications and the devices enables operators to ensure expected and normal operations. Monitoring also allows problems to be detected and corrected before damage can occur. 
However, not all networks are created equal. Monitoring industrial control system (ICS) activity is difficult for two reasons. First, ICS networks use different protocols than IT networks. Second, separate protocols are used for performing data-plane and control-plane activities:
Data-Plane: sometimes referred to as the user plane, carries the user-data traffic. The data-plane is used by the HMI and SCADA applications to communicate process parameters and physical measurements between the human operator and the industrial equipment (I/Os).
Control Plane: carries the control information. In industrial networks, control-plane activities include all the engineering activity related to the maintenance lifecycle of industrial controllers, such as any read or change of controller firmware, control logic, configuration settings, or state. It also includes administration and operations traffic. [Note that the term ‘control-plane’ is a general networking term and isn’t related to the control layer of the Purdue Model or to controllers in ICS networks.]
Control Plane Activity Monitoring on ICS Networks
The protocols used for data-plane activities are those used by HMI/SCADA applications to communicate with control devices. These protocols, which include MODBUS, PROFINET, DNP3 and more, are well known and fully documented.
However, many are unaware of the fact that in ICS networks the control-plane activities use different protocols - a separation that does not exist in IT networks! 
Unlike the data-plane protocols, control-plane protocols are vendor specific proprietary protocols that are mostly unknown, undocumented and often unnamed. This is because they were designed to be used only by the vendor’s engineering software tools. But over the years, other tools that utilize these protocols have been developed and can be used for control-plane activities and changing critical industrial controllers.
While many companies are concerned about cyber threats to their operations, most do not understand the difference between data-plane and control-plane protocols. Fewer still understand the implications of the proprietary, vendor-specific protocols used for control-plane activity, and therefore don’t monitor them, leaving a dangerous security gap in their networks.
The Importance of Monitoring Control-Plane Activities
Unlike the Data Plane which contains information relating to the systems’ process parameters (i.e. current temperature in a tank, or the RPM of a turbine), core functions are carried out via the control plane. These include changes to controller logic, firmware uploads/downloads and configuration changes.
Industrial controllers (PLCs, RTUs, DCS) are critical devices that are responsible for the entire process lifecycle in industrial environments. They are proprietary computers provided by vendors like Rockwell Automation, Siemens, GE, Schneider Electric and others.
In IT networks, activities like changing a server configuration or the software code it executes are highly privileged activities. They can only be executed by a select group of users, typically systems administrators. Hackers need to compromise privileged access credentials in order to make operational changes on an IT network.
In contrast, industrial controllers do not have any authentication or encryption mechanisms. This enables anyone with network access to reach these critical devices and make changes to their configuration and logic, changes that can lead to severe operational disruptions. These can range from process glitches to major leaks of dangerous materials, physical catastrophes, and even explosions. Therefore, when adversaries want to cause operational damage — they target industrial controllers via the control plane.
To make things worse, control plane activities aren’t logged or registered anywhere - not on the device, the Historian, or any other component in the ICS network. This allows adversaries to hide their actions and remain undetected until physical damage becomes apparent.
The combination of these shortcomings - lack of authentication mechanisms, access controls, change logs and the ability to monitor changes - may come as a surprise to those in the IT community. Unfortunately, it’s a fact. 
Contrary to what many believe, attacking industrial controllers using control plane activities doesn’t require special expertise. Basic knowledge of control system engineering is enough.
Protection Starts with Visibility
Industrial organizations — especially those involved with sensitive manufacturing processes or critical infrastructures — are paying close attention to ICS cybersecurity incidents that can disrupt operations while causing physical and financial damage.
Since most threats to ICS systems occur in the control plane, it is essential to monitor these activities. Protecting ICS networks begins and ends with gaining visibility and control over control plane activities.
Easier said than done, because (as I mentioned earlier) the protocols for the controllers are mostly proprietary and undocumented.
Fortunately, new ICS network monitoring technologies that focus on the control-plane protocols can provide early detection of reconnaissance activities, such as requests to read the controller firmware or logic from an unknown laptop, or requests to list open ports on a controller. Such activities may indicate the presence of a malicious actor seeking to compromise the system.
Monitoring the control-plane activities in industrial networks will also identify attempts to tamper with control devices in real-time, allowing ICS cyber security professionals to quickly respond and prevent, or at least minimize, damage to operational systems.
Finally, monitoring control plane activities provides a full audit trail of actions executed by employees, contractors, and integrators that have unfettered access to ICS networks. This audit trail also helps supervise insiders’ activities and enables detection of unauthorized changes and human error.
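As an added example (not code from the original post or any vendor), the following Python sketch shows the kind of control-plane monitoring this section describes: it reads constructed sensor log lines, separates data-plane polling from control-plane engineering operations, alerts on reconnaissance reads and tamper attempts from hosts that are not approved engineering workstations, and keeps the audit trail the article says controllers and historians lack. The log format, operation names and host addresses are assumptions.

```python
import re
from dataclasses import dataclass

# Assumed operation vocabulary a protocol-aware sensor would emit after
# dissecting traffic. Data-plane names mirror Modbus/DNP3-style reads and
# writes of process values; control-plane names are the engineering
# operations the article lists (logic, firmware, configuration, state).
DATA_PLANE_OPS = {"read_registers", "write_registers", "read_coils", "read_points"}
RECON_OPS = {"read_logic", "read_firmware", "read_config", "list_ports"}
TAMPER_OPS = {"write_logic", "write_firmware", "write_config", "set_state"}
CONTROL_PLANE_OPS = RECON_OPS | TAMPER_OPS

# Constructed (hypothetical) sensor line format: "<ts> <src> -> <dst> op=<name>"
LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+) op=(\S+)$")

@dataclass(frozen=True)
class Event:
    ts: str
    src: str
    dst: str   # controller address
    op: str

@dataclass(frozen=True)
class Alert:
    severity: str
    reason: str
    event: Event

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable sensor line: {line!r}")
    return Event(*m.groups())

def plane_of(op):
    if op in CONTROL_PLANE_OPS:
        return "control"
    if op in DATA_PLANE_OPS:
        return "data"
    return "unknown"

def monitor(lines, engineering_hosts):
    """Return (alerts, audit_trail) for a batch of sensor lines.
    Every control-plane operation is written to the audit trail, approved or
    not, because the controllers themselves keep no change log."""
    alerts, audit = [], []
    for line in lines:
        ev = parse_line(line)
        plane = plane_of(ev.op)
        if plane == "unknown":
            # Undocumented vendor function: surface it rather than drop it.
            alerts.append(Alert("low", "unrecognised operation", ev))
            continue
        if plane == "data":
            continue   # routine HMI/SCADA polling
        audit.append(f"{ev.ts} {ev.src} {ev.op} on {ev.dst}")
        if ev.src not in engineering_hosts:
            tamper = ev.op in TAMPER_OPS
            alerts.append(Alert("critical" if tamper else "high",
                                f"{'tamper attempt' if tamper else 'reconnaissance'}: "
                                f"{ev.op} from unapproved host", ev))
    return alerts, audit

# Constructed sample traffic: an HMI polling, one approved engineering
# workstation, and an unknown laptop probing and then rewriting a PLC.
ENGINEERING_HOSTS = {"10.1.5.10"}
SAMPLE_LINES = [
    "2016-11-10T09:00:01 10.1.5.20 -> 10.1.9.7 op=read_registers",
    "2016-11-10T09:00:05 10.1.5.10 -> 10.1.9.7 op=read_logic",
    "2016-11-10T09:01:12 10.1.5.77 -> 10.1.9.7 op=list_ports",
    "2016-11-10T09:01:30 10.1.5.77 -> 10.1.9.7 op=read_firmware",
    "2016-11-10T09:02:44 10.1.5.77 -> 10.1.9.7 op=write_logic",
    "2016-11-10T09:03:00 10.1.5.20 -> 10.1.9.7 op=vendor_fn_0x5a",
]

if __name__ == "__main__":
    found, trail = monitor(SAMPLE_LINES, ENGINEERING_HOSTS)
    for a in found:
        print(f"[{a.severity}] {a.reason} ({a.event.src} -> {a.event.dst})")
    print("audit trail:", *trail, sep="\n  ")
```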

Phishing campaign pushing Locky ransomware

A phishing campaign pushing Locky ransomware is targeting some of the 22 million victims of the massive United States Office of Personnel Management breaches of 2014 and 2015. According to researchers at PhishMe Intelligence, the campaign involves attackers impersonating OPM representatives who are targeting government contractors and workers that have had personal information stolen from them.
Attackers are using phishing messages that warn targets that the OPM has detected “suspicious movements” in their bank accounts. The email goes on to ask recipients to “examine the attached scanned record.” At the bottom of the phishing messages is the email signature of Elis Lucas, account manager with the U.S. Office of Personnel Management. The attachment is a zip archive that, when launched, runs a JavaScript application that downloads and runs a sample of the Locky encryption ransomware.
The attackers, researchers wrote, are demonstrating their “unscrupulous nature and willingness to exploit the misfortune of others at any step in their delivery and infection process.”
PhishMe found 323 unique JavaScript application attachments used in the campaign with the capability of downloading obfuscated Locky payloads from 78 command-and-control payload locations. Of note, PhishMe said, the sample it found contained four hardcoded command-and-control hosts, as well as a single payment site where victims could pay their ransom in Bitcoin in exchange for an encryption key.
Locky has been potent since its initial detection on Feb. 16, with attempts to infect computers in more than 100 countries. The preferred Locky attack vector has been email messages that contain an attached Word document embedded with a malicious macro. Once the macro is engaged, a script is initiated and Locky is downloaded onto a victim’s PC. The ransomware was used to target hospitals starting with Hollywood Presbyterian Medical Center in Los Angeles, which paid a $17,000 ransom, and this summer was spread by the Necurs botnet.
According to a Check Point analysis of Locky, researchers have documented at least 10 different Locky downloader variants. In those cases, each variant has tried to avoid detection by hiding the Locky payload in different file types (.doc, .docm, .xls and also .js) that claim mostly to be invoice attachments. According to PhishMe, “These emails reinforce the fact that overcoming the phishing threat and the ransomware it delivers is not some insurmountable task. Instead, user education and the bolstering of incident response practices can give organizations the edge over threat actors.”

See more at: Locky Targets OPM Breach Victims https://wp.me/p3AjUX-vHN