A forensicating, incident responding, reverse engineering, perl slinging unix beard. My words are my own not my employers.

Chinese Government runs a MITM attack against Microsoft Outlook


GreatFire revealed that the popular Microsoft Outlook emailing service was subjected to a man-in-the-middle (MITM) attack in China.

This time the popular Outlook email service was allegedly targeted by Chinese authorities. The Outlook email service was not reachable in China over the weekend, and according to the experts at the GreatFire organization, the Chinese Government ran a man-in-the-middle attack, exactly as it has already done in the past against many other web services. In December the Gmail service was blocked in China, and in that case too the experts speculated that the Chinese Government used the Great Firewall to interfere with the email service.

At first, Chinese users suffered an anomalous outage of the Outlook service: the IMAP and SMTP protocols were not working on both desktop and mobile email clients on Jan 17. GreatFire notes that the MITM attack only affected the email clients, while the web services outlook.com and live.com were not impacted.

“We have tested Outlook to verify the attack and have produced the same results. IMAP and SMTP for Outlook were under a MITM attack. Do note however that the web interfaces (https://outlook.com and https://login.live.com/ ) were not affected. The attack lasted for about a day and has now ceased.” reports a blog post published by GreatFire .

According to GreatFire, the man-in-the-middle attack only affected the email clients (IMAP and SMTP); the web interfaces of outlook.com and login.live.com were not affected.

“This form of attack is especially devious because the warning messages users receive from their email clients are much less noticeable than the warning messages delivered to modern browsers.” continues GreatFire.

GreatFire seems to have no doubts: the attack was the work of the Cyberspace Administration of China, earlier known as the State Council Information Office, which is the principal Internet watchdog operated by the authorities.

The department directs, coordinates and supervises online content management and handles administrative approval of businesses related to online news reporting; it is an administrative office under the State Council.

The experts at GreatFire reproduced the issue by pointing a browser at the IMAP port of the Outlook mail server and found that the TLS connection was established with a self-signed digital certificate, which any client that validates certificates properly would reject.

“To reproduce the result in a Firefox browser, we first configured Firefox to allow access on port 993 which is the port used by IMAP. We then accessed https://imap-mail.outlook.com:993. We immediately received the warning message. As you can see, the certificate is self-signed, which is consistent with previous MITM attacks in China.”
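The same check can be scripted so that IMAP and SMTP endpoints are probed the way a correctly configured mail client would see them. The block below is an added example and is not GreatFire's code: it first attempts a fully verified IMAPS handshake to the host (the hostname imap-mail.outlook.com and port 993 are taken from the quote above), then reconnects without verification purely to record what leaf certificate was actually presented, and reports its subject, issuer and SHA-256 fingerprint. Issuer equal to subject is the self-signed case GreatFire describes. The small DER walker reads the fixed field order of an X.509 tbsCertificate; `build_sample_cert` is a constructed, unsigned sample used only so the parsing and reporting can be exercised offline.

```python
import hashlib
import imaplib
import ssl


def der_tlv(buf, off=0):
    """Decode one DER tag-length-value at buf[off]; return (tag, value_bytes, offset_after)."""
    tag = buf[off]
    first = buf[off + 1]
    if first < 0x80:
        length, hlen = first, 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hlen = 2 + n
    start = off + hlen
    return tag, buf[start:start + length], start + length


def cert_issuer_subject(der):
    """Return (issuer, subject) Name contents of a DER X.509 certificate, following the RFC 5280 field order."""
    _, cert, _ = der_tlv(der)            # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert)            # tbsCertificate SEQUENCE
    tag, _, off = der_tlv(tbs)           # [0] EXPLICIT version is optional (absent in v1 certs)
    if tag == 0xA0:
        tag, _, off = der_tlv(tbs, off)  # serialNumber
    assert tag == 0x02, "serialNumber INTEGER expected"
    _, _, off = der_tlv(tbs, off)        # signature AlgorithmIdentifier
    _, issuer, off = der_tlv(tbs, off)   # issuer Name
    _, _, off = der_tlv(tbs, off)        # validity
    _, subject, _ = der_tlv(tbs, off)    # subject Name
    return issuer, subject


def common_name(name_value):
    """First commonName (OID 2.5.4.3) inside a DER Name's SEQUENCE contents, or None."""
    off = 0
    while off < len(name_value):
        _, rdn, off = der_tlv(name_value, off)  # RelativeDistinguishedName SET
        _, atv, _ = der_tlv(rdn)                # AttributeTypeAndValue SEQUENCE
        _, oid, after = der_tlv(atv)
        if oid == b"\x55\x04\x03":
            _, val, _ = der_tlv(atv, after)
            return val.decode("utf-8", "replace")
    return None


def describe_leaf(der):
    issuer, subject = cert_issuer_subject(der)
    return {"subject_cn": common_name(subject), "issuer_cn": common_name(issuer),
            "self_issued": issuer == subject, "sha256": hashlib.sha256(der).hexdigest()}


def probe_imaps(host, port=993, timeout=10):
    """Try a fully verified IMAPS handshake, then record whichever leaf certificate was really presented."""
    strict = ssl.create_default_context()
    lax = ssl.create_default_context()
    lax.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    lax.verify_mode = ssl.CERT_NONE
    report = {"host": host, "port": port, "verified": False}
    try:
        with imaplib.IMAP4_SSL(host, port, ssl_context=strict, timeout=timeout):
            pass
        report["verified"] = True
    except ssl.SSLCertVerificationError as e:
        report["verify_error"] = e.verify_message
    with imaplib.IMAP4_SSL(host, port, ssl_context=lax, timeout=timeout) as m:
        der = m.sock.getpeercert(binary_form=True)
    report.update(describe_leaf(der))
    return report


def der_encode(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_cert(issuer_cn, subject_cn):
    """Constructed, unsigned sample certificate (structurally valid DER only) for offline demonstration."""
    def name(cn):
        atv = der_encode(0x30, der_encode(0x06, b"\x55\x04\x03") + der_encode(0x0C, cn.encode()))
        return der_encode(0x30, der_encode(0x31, atv))
    sha256_rsa = der_encode(0x30, der_encode(0x06, bytes.fromhex("2A864886F70D01010B")))
    validity = der_encode(0x30, der_encode(0x17, b"150117000000Z") + der_encode(0x17, b"150118000000Z"))
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01") + sha256_rsa
           + name(issuer_cn) + validity + name(subject_cn) + der_encode(0x30, b""))
    return der_encode(0x30, der_encode(0x30, tbs) + sha256_rsa + der_encode(0x03, b"\x00"))


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(probe_imaps(sys.argv[1] if len(sys.argv) > 1 else "imap-mail.outlook.com"), indent=2))
```

Run it from inside and outside the affected network and diff the fingerprints; a `verified: false` result together with `self_issued: true` is the signature of the interception GreatFire reports, whereas a verification failure with a CA-issued leaf points at a different problem (clock, missing intermediate, or a MITM using a trusted CA, which is the CNNIC concern raised further down).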


GreatFire also strongly urges organizations, including Microsoft and Apple, to revoke trust in the CNNIC certificate authority:

“We have outlined CNNIC’s dubious history in a previous blog post. Given the dangerous nature of this attack on Outlook, we again strongly encourage organizations, including Microsoft and Apple, to immediately revoke trust for the CNNIC certificate authority.”

Pierluigi Paganini

(Security Affairs –  GreatFire, Outlook)

The post Chinese Government runs a MITM attack against Microsoft Outlook appeared first on Security Affairs.


China Blamed for Operation Poisoned Helmand Attack on Afghan Sites


China has been blamed for a covert watering hole attack on a Content Delivery Network used by the Afghanistan government to host its official departmental websites.

Security firm ThreatConnect’s Intelligence Research Team (TCIRT) spotted the targeted cross site scripting drive-by attack, which affected numerous Afghan government sites including the Ministry of Foreign Affairs, Finance, Justice, Education, and even the Afghan Embassy in Canberra.

The JavaScript URL in question is probably a legitimate one that the attackers turned malicious by altering the script, TCIRT said in a blog post.

“Note that the gov.af websites would not need to be compromised individually for this attack to be delivered to visitors of the sites, because it is the back-end CDN infrastructure that is serving up the malicious script,” it said.
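The defensive corollary of that point is that a script served from shared back-end infrastructure has to be monitored as a single asset used by many sites. The following block is an added example, not ThreatConnect's code: it extracts external `<script src>` URLs from a set of pages, identifies the ones shared across more than one site, and compares SHA-256 hashes of their current content against a stored baseline, so a change to a CDN-hosted script is caught even though no individual site was touched. The page and CDN hostnames and the HTML are constructed samples; `fetch` is injectable so the check runs offline here and against live URLs in use.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urljoin
from urllib.request import urlopen


class ScriptSrcParser(HTMLParser):
    """Collect src attributes of <script> tags, resolved against the page URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(urljoin(self.base_url, src))


def script_urls(html, page_url):
    parser = ScriptSrcParser(page_url)
    parser.feed(html)
    return parser.srcs


def shared_scripts(pages):
    """pages: {page_url: html}. Return {script_url: set(page_urls)} for scripts referenced by more than
    one page, i.e. the shared back-end assets whose compromise would hit every site at once."""
    uses = {}
    for url, html in pages.items():
        for script in script_urls(html, url):
            uses.setdefault(script, set()).add(url)
    return {s: p for s, p in uses.items() if len(p) > 1}


def snapshot(urls, fetch=lambda u: urlopen(u, timeout=10).read()):
    """Fetch each script and hash its bytes; the fetch function is injectable for offline use."""
    return {u: hashlib.sha256(fetch(u)).hexdigest() for u in urls}


def detect_changes(baseline, current):
    """Compare two {script_url: sha256} snapshots; any differing or new hash is an alert."""
    return {u: (baseline.get(u), h) for u, h in current.items() if baseline.get(u) != h}


# Constructed sample: two ministry sites that both load common.js from one CDN (hostnames are hypothetical).
SAMPLE_PAGES = {
    "https://ministry-a.example/": '<html><head><script src="//cdn.example/common.js"></script>'
                                   '<script src="/js/local.js"></script></head></html>',
    "https://ministry-b.example/": '<html><head><script src="https://cdn.example/common.js"></script></head></html>',
}

if __name__ == "__main__":
    shared = shared_scripts(SAMPLE_PAGES)
    before = snapshot(shared, fetch=lambda u: b"function f(){}")
    after = snapshot(shared, fetch=lambda u: b"function f(){};document.write('<iframe src=x>')")
    for url, (old, new) in detect_changes(before, after).items():
        print("CHANGED", url, "used by", sorted(shared[url]), old, "->", new)
```

The baseline should be taken from a known-good vantage point and re-checked from several networks, since a watering hole of this kind may serve the altered script only to selected visitors.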

China is suspected of being behind the so-called 'Operation Poisoned Helmand' attack for two main reasons.

First, it came during a high profile bilateral meeting on development between Chinese premier Li Keqiang and Afghan CEO Abdullah Abdullah. In fact, the image of the two which was used to spread the malware was modified by the attackers just hours after it was likely taken, TCIRT claimed.

A similar tactic was apparently used back in June when Li met Greek prime minister Antonis Samaras in Athens and a malicious Java file was found hosted on the Embassy of Greece in Beijing.

Secondly, TCIRT claimed that the malicious Java applet found in the most recent attack shares the same source code as another it spotted at a URL connected with the Operation Poisoned Hurricane attacks, which have been linked to China in the past.

TCIRT concluded:

“By exploiting and co-opting Afghan network infrastructure that is used by multiple ministerial level websites, Chinese intelligence services would be able to widely distribute malicious payloads to a variety of global targets using Afghanistan’s government websites as a topical and trusted distribution platform, exploiting a single hidden entry point. This being a variant of a typical ‘watering-hole’ attack, the attackers will most likely infect victims outside the Afghan government who happened to be browsing any one of the CDN client systems, specifically, partner states involved in the planned troop reduction.”


ZeuS variant strikes 150 banks worldwide

A new strain of the malevolent ZeuS malware has been discovered targeting over 150 banks and 20 payment systems across the globe.

NetSec Tool:Dshell

I was introduced to a nice network forensics tool today called Dshell, written by the U.S. Army Research Lab. Written in Python, it allows dissection of pcaps using decoders, which can be chained together to do multiple analyses of traffic. You can run decode -l to see the list of available decoders, which includes:

dns  - extract and summarize DNS queries/responses (defaults: A,AAAA,CNAME,PTR records)
reservedips  - identify DNS resolutions that fall into reserved ip space
large-flows - display netflows that have at least 1MB transferred
long-flows  - display netflows that have a duration of at least 5 mins
rip-http   - rip files from HTTP traffic
protocols - Identifies non-standard protocols (not tcp, udp or icmp)

and many others.

You can download the source and find which dependencies need to be installed, as well as examples and syntax, at:

https://github.com/USArmyResearchLab/Dshell
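To show what the large-flows and long-flows decoders listed above actually compute, here is an added stand-alone illustration in plain Python (this is not Dshell code and does not use its decoder API): a minimal libpcap reader, an IPv4 TCP/UDP frame parser, and flow aggregation keyed on the bidirectional 5-tuple, with the same 1 MB and 5 minute thresholds the decoder descriptions give. `build_pcap` produces a constructed capture so the whole thing runs offline; pass a real capture path on the command line instead.

```python
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap file, microsecond timestamps


def read_pcap(data):
    """Yield (timestamp_seconds, frame_bytes) from an in-memory libpcap capture."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"
    linktype = struct.unpack_from(endian + "HHiIII", data, 4)[5]
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def parse_frame(frame):
    """Return (proto, src, dst, sport, dport, l4_payload_len) for IPv4 TCP/UDP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    proto = frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = 14 + ihl
    if proto == 6:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        hlen = (frame[l4 + 12] >> 4) * 4
    elif proto == 17:
        sport, dport = struct.unpack_from("!HH", frame, l4)
        hlen = 8
    else:
        return None
    return proto, src, dst, sport, dport, max(total_len - ihl - hlen, 0)


def summarize_flows(pcap_bytes):
    """Aggregate packets into bidirectional flows: first/last seen, L4 payload bytes, packet count."""
    flows = {}
    for ts, frame in read_pcap(pcap_bytes):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        proto, src, dst, sport, dport, payload = parsed
        key = (proto,) + tuple(sorted([(src, sport), (dst, dport)]))  # same key in both directions
        f = flows.setdefault(key, {"first": ts, "last": ts, "bytes": 0, "packets": 0})
        f["first"] = min(f["first"], ts)
        f["last"] = max(f["last"], ts)
        f["bytes"] += payload
        f["packets"] += 1
    return flows


def large_flows(flows, min_bytes=1_000_000):
    return {k: v for k, v in flows.items() if v["bytes"] >= min_bytes}


def long_flows(flows, min_seconds=300):
    return {k: v for k, v in flows.items() if v["last"] - v["first"] >= min_seconds}


def build_pcap(packets):
    """Constructed sample input: (ts, src, sport, dst, dport, payload_len) tuples -> Ethernet/IPv4/TCP pcap."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, src, sport, dst, dport, plen in packets:
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + plen, 0, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp + b"\x00" * plen
        out += struct.pack("<IIII", int(ts), int((ts % 1) * 1e6), len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:  # constructed capture: one 1.2 MB transfer and one idle session spanning 400 s
        data = build_pcap([(1421500000 + i, "10.0.0.5", 40000, "203.0.113.9", 443, 60000) for i in range(20)]
                          + [(1421500000, "10.0.0.6", 40001, "203.0.113.10", 993, 100),
                             (1421500400, "203.0.113.10", 993, "10.0.0.6", 40001, 100)])
    flows = summarize_flows(data)
    print("large:", list(large_flows(flows)))
    print("long:", list(long_flows(flows)))
```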


Understanding & Detecting Backoff POS Malware


Point of Sale (POS) malware has had its share of headlines this year. Now, with the holiday shopping season underway, POS systems will certainly be an enticing target for hackers because of the payoff: thousands of fresh credit card numbers run through these devices. “Backoff” is part of a recently discovered InfoStealer malware family aimed at Point of Sale systems. RSA’s research teams have conducted extensive research on the malware itself and the ecosystem it operates within.

The goal of Backoff is to identify and steal credit card and transaction data through traditional memory scraping, the same mechanism seen in other POS malware such as Alina, BlackPOS and Dexter. As usual, the malware uploads collected data to a hardcoded C2 server that can also command the malware to update itself or download and install other malware.
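Memory scraping of this kind means searching process memory for magnetic stripe track data in the clear, which is also exactly what a responder does when hunting for exposure on a suspected POS host. The block below is an added example and not RSA's or any malware's code: it matches track 1 and track 2 formats in an arbitrary byte buffer (a process memory dump, a pagefile, a captured C2 upload), applies the Luhn check to discard digit runs that are not card numbers, and reports masked PANs with their offsets. The sample region is constructed and uses the standard 4111111111111111 test number; name, expiry and service code values in it are made up.

```python
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service><discretionary>?    Track 2: ;<PAN>=<YYMM><service><discretionary>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]{0,80}\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})\d{0,30}\?")


def luhn_ok(pan: bytes) -> bool:
    """Luhn check digit test: scrapers and scanners alike use it to reject digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan.decode("ascii"))):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: bytes) -> str:
    """Keep BIN and last four so a finding can be reported without copying the full PAN into a ticket."""
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def scan_memory(buf: bytes):
    """Find track-1/track-2 formatted records in a byte buffer and return them ordered by offset."""
    hits = []
    for m in TRACK1.finditer(buf):
        hits.append({"track": 1, "offset": m.start(), "pan": mask_pan(m.group(1)),
                     "luhn": luhn_ok(m.group(1)), "name": m.group(2).decode("ascii", "replace"),
                     "expiry": m.group(3).decode(), "service": m.group(4).decode()})
    for m in TRACK2.finditer(buf):
        hits.append({"track": 2, "offset": m.start(), "pan": mask_pan(m.group(1)),
                     "luhn": luhn_ok(m.group(1)), "expiry": m.group(2).decode(),
                     "service": m.group(3).decode()})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample "memory region": two records with a valid test PAN and one digit run that fails Luhn.
SAMPLE_REGION = (b"\x00" * 32
                 + b"%B4111111111111111^DOE/JANE^2512101000000000000?" + b"\x00" * 16
                 + b";4111111111111111=2512101123456789?" + b"\x00" * 8
                 + b";4111111111111112=2512101?" + b"\x00" * 8)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_REGION
    for hit in scan_memory(data):
        print(hit)
```

Hits that fail the Luhn check are kept in the output deliberately: a burst of well-formed but invalid records is itself a useful signal, for instance of a test harness or of a scraper's own staging buffer, and the responder can decide what to discard.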

Our RSA FirstWatch team has compiled a report that they call “The Full Story of the Backoff Trojan Operation” that describes the tactics and ecosystem along with some information related to attribution of the possible authors of the malware.

RSA’s Incident Response team’s report on Backoff breaks down how RSA solutions such as RSA Security Analytics and RSA ECAT can be employed to alert an organization about this type of infection, helping to expedite response, reduce exposure and stop the attack before any data theft occurs. Additionally, a digital appendix has been produced that includes Yara signatures and a blacklist that can be imported into ECAT to help an organization quickly identify and categorize known files.

We hope that this information is informative as well as actionable and adds to your organization’s ability to thwart threats of this type. If you already subscribe to RSA Live, our threat intelligence feeds are continually updated as our research teams discover and identify indicators related to this and other malicious threats.

The post Understanding & Detecting Backoff POS Malware appeared first on Speaking of Security - The RSA Blog and Podcast.


Obama Signs 5 Cybersecurity Bills

First Time in Dozen Years Major CyberSec Bills Become Law
Without ceremony, President Obama has signed five cybersecurity-related bills, including legislation to update the Federal Information Security Management Act, the law that governs federal government IT security.