Cyber Research

Cyber News

Cyber Info



 February, 2016







 In this issue



*      "Operation Dust Storm" Attackers Target Japanese Critical Infrastructure

*      BAE Systems faces cyberattacks by hackers more than 100 times a year

*      Understanding The Weapons Of Mobile Warfare

*      Creating Cybersecurity Rating Systems for Cars

*      Latest Cyber Security News


about the Cyber Security News update

The Cyber News Update is an activity of the Cyber Research Center - Industrial Control Systems and intended to reach out to all Cyber Security Professionals interested in industrial / critical infrastructure threats, protection & resilience. For more information visit the CRC-ICS website at www.crc-ics.net or www.cyber-research-center.net


"Operation Dust Storm" Attackers Target Japanese Critical Infrastructure

February 23, 2016

Commercial and critical infrastructure organizations in Japan have been targeted in a multi-year campaign dubbed by researchers “Operation Dust Storm.”

A report published on Tuesday by endpoint security firm Cylance details the activities of a threat group that has been active since at least 2010. The attackers have targeted various organizations in Japan, South Korea, the United States, Europe, and several Southeast Asian countries, and in 2015 they started focusing on Japanese organizations.

The actor, which experts believe is a well-funded and well-organized group likely associated with a nation-state, relied on watering holes, spear phishing, unique backdoors and zero-day exploits to conduct reconnaissance and espionage.

According to Cylance, the threat actor has breached the systems of Japanese organizations in the electricity generation, finance, construction, oil and natural gas, and transportation sectors.

Experts reported that early Operation Dust Storm attacks were relatively unsophisticated and they were easily detected by the security industry. The group’s activities attracted the attention of researchers in 2011, when they used Adobe Flash Player (CVE-2011-0611) and Internet Explorer (CVE-2011-1255) zero-day vulnerabilities to deliver a piece of malware dubbed “Misdat.”

In October 2011, the attackers leveraged news surrounding the Libyan crisis and the death of Muammar Gaddafi to target US defense organizations and Uyghurs. The following year, they leveraged another Internet Explorer zero-day (CVE-2012-1889) in their operations.

In March 2013, shortly after Mandiant published a report on the notorious Chinese state-sponsored threat group known as APT1, experts noticed a significant drop in Operation Dust Storm activity until August 2013. Another noteworthy event took place in February 2014, when the actor started using a new Internet Explorer zero-day exploit (CVE-2014-0322) distributed via a watering hole set up on a software reseller’s website.

In 2015, when it started focusing on Japan, Operation Dust Storm targeted various types of organizations, including an automaker, the Japanese subsidiary of a South Korean electric utility firm, and an oil and gas company.

In addition to its previous tools, in May 2015, the group added several Android backdoors to its arsenal. These threats, designed to forward SMS messages and call information to a command and control (C&C) server, were used against victims in South Korea and Japan.

The pieces of malware used in the first attacks were unsophisticated and easy to detect, but the more recent campaigns involved custom threats that largely evaded security products, Cylance said in its report.

“At this time, [Cylance] does not believe the attacks were meant to be destructive or disruptive. However, our team believes that attacks of this nature on companies involved in Japanese critical infrastructure and resources are ongoing and are likely to continue to escalate in the future,” Cylance concluded.

More info https://www.cylance.com/operation-dust-storm





BAE Systems faces cyberattacks by hackers more than 100 times a year

February 23, 2015

BAE Systems has revealed that it is subject to "serious and persistent" cyberattacks twice a week. This means hackers, backed by foreign governments, target the defence, security and aerospace multinational more than 100 times a year, aiming to steal its secrets, the company said.


Apart from the more serious threats, BAE said that it also faces "many more" attacks by cybercriminals who are not as sophisticated or organised. Kevin Taylor, head BAE's Applied Intelligence business, said, "Behind every cyber attack is a real human with motivations and ways of operating. Understanding the threat such as what motivates them and how they work is one of the best ways of defending against them."

Dr Adrian Nish, BAE's head of cyber threat intelligence, was of the opinion that cybercriminals had become more professional in recent times. "We are seeing the industrialisation of cyber crime. They are running phone support scams, writing their own software that comes with service agreements and money-back guarantees if the code gets detected with the promise of a replacement. People really think it is a nine-to-five job," Nish said.

The revelations come at a time when the UK-headquartered company is fighting hard to be taken as a serious player in the cyberspace sector, in order to bag both government and commercial contracts. The potential of its cyber business was highlighted during BAE's annual results recently, when its cyber and intelligence division alone posted annual sales of £1.85bn (€2.36bn, $2.61bn), indicating that this was one of its fastest growing divisions.

Ian King, chief executive of BAE, who played a key role in his company diversifying into cyberspace with the acquisition of Detica in 2008, said that he foresaw huge opportunities in this space. "[This division is] well placed to generate attractive returns... as commercial adjacencies of cyber and commercial electronics continue to grow", he added.


Read more at http://www.ibtimes.co.uk/bae-systems-faces-cyberattacks-by-hackers-more-100-times-year-1545382





Understanding The Weapons Of Mobile Warfare

September 24, 2015.

Michael Shaulov, head of mobility at Check Point, discusses the main threats targeting mobile devices – and how companies can protect against them.

mobile phone

As enterprises go increasingly mobile, it’s inevitable that cybercrime will follow.

Hackers and criminals know that when a technology shift happens, security often lags behind, meaning there is low-hanging fruit to be targeted.

Our 3rd annual mobility survey found that 72 percent of companies had experienced a 100 percent or greater increase in the number of personal mobile devices connecting to their networks during the past two years. So it’s no surprise that malware and other mobile threats are multiplying.

In fact, summer 2015 saw mobile malware being found both on Google Play and Apple’s ‘walled garden’ App Store, highlighting that criminals have found ways to bypass the security and review measures of both stores to spread infections to users’ devices. A 2015 study by Check Point and a global cellular network provider found that one in 1000 devices were infected with mobile surveillance and mobile Remote Access Trojans (mRATs). And while over half of infected devices were Android-based, 47 percent were iOS-based, challenging the common assumption that iOS is inherently more secure.

Mobiles are a juicy target for several reasons – they hold large amounts of personal and business data, including valuable user credentials for applications and websites; they’re almost always on and connected to the internet; and they have audio and video recording capabilities. And crucially, they usually do not receive anywhere near the same level of protection against malware or hacking as a PC, if they receive any at all. This means that a monitoring or data-stealing infection on a device could go unnoticed for months.

So what are the most dangerous threats to mobiles? There are hacker weapons and tricks which target both Apple and Android devices, as well as threats that are specific to each vendors’ operating system. Here, we’ll examine both the common, and OS-specific threats in detail.

Trojan Horse

Mobile remote access trojans (mRATs)

These attacks give an attacker the ability to remotely gain access to everything stored on and flowing through either Android or iOS devices. mRATs commonly find their way onto Android devices through apps available on Google marketplace, despite Google working hard to protect them with regular security code checks. iOS devices are equally vulnerable as attackers can ‘jailbreak’ a device, removing all the built-in iOS security mechanisms, by physically obtaining access or by propagating the jailbreak code from a compromised computer, before installing mRATs onto the device. Threats have also emerged that are capable of targeting non-jailbroken iOS devices, such as 2014’s WireLurker and 2015’s YiSpecter malware.

WiFi man in the middle (MitM)

A MitM attack can occur when any type of device connects to a rogue WiFi hotspot. Since all communications are passed through the attacker-controlled network device, they can eavesdrop and even alter the network’s communication. MitM attacks have always been a concern for wireless devices, however, the prevalence of smartphones in an individual’s personal and business life has made mobile devices much more attractive targets for attackers. These attacks are very difficult for mobile users to spot as the typical alerts and warning signs that individuals are used to seeing on PCs and laptops are much more subtle on mobiles due to the limited screen size and simplified browsers.

Zero-day attacks

Zero-day attacks represent exploits of vulnerabilities on both iOS and Android that have been uncovered – but not yet released. Many times, these vulnerabilities lead to the silent installation of attacks, such as mRATs on a device through a remote exploitation technique. Once on the device, they may enable the attacker to steal passwords, corporate data and emails, as well as capture all keyboard activity and screen information.

Exploiting elevated privileges on Android

Android system vulnerabilities can be exploited to gain elevated privileges without leaving a trace, such as the recent Certifigate vulnerability that affected hundreds of millions of devices. The attacks take advantage of opportunities created by the fragmentation of the Android operating system and the openness and vastness of its eco-system, creating opportunities for attackers to infiltrate devices and orchestrate a broad range of attacks.

Fake iOS certificates

These attacks use distribution certificates to ‘side-load’ an application, sidestepping Apple’s app store validation process by downloading straight onto the device. This method has already been seen in use, for example in mid-2013 a rogue Chinese site used an enterprise certificate to distribute pirated iOS-based apps, enabling attackers wide ranging access to data on Apple devices.

Malicious iOS profiles

These attacks use the permissions of a profile to circumvent typical security mechanisms, enabling an attacker to do almost anything. A user may be tricked into downloading a malicious profile and in doing so, they may unknowingly provide the rogue configuration the ability to re-route all traffic from the mobile device to an attacker-controlled server, to further install rogue apps, and even to decrypt communications.

iOS WebKit vulnerabilities

WebKits enable web browsers to render web pages correctly for a user. Attackers will exploit vulnerabilities in a Webkit to execute scripts of their own, sidestepping the robust security measures implemented by Apple. Attackers commonly use them as a springboard for remote device infection.

With attackers targeting mobile devices using such an arsenal of techniques, it is critical that organisations ensure they have a mobile threat prevention solution in place that delivers a range of capabilities and protections in order to stop device hijacking and data interception. The ideal solution should be able to:

· analyse apps as they are downloaded to devices, examining their behaviour in a virtualised environment before allowing their use, or flagging them as malicious.
· regularly assess devices for vulnerabilities and signs of being targeted by attackers
· mitigate network-based attacks by identifying suspicious network behaviour, correlating events both on the device and network to disable suspicious activity and prevent any data being sent to an attacker

As mobile becomes the next security battleground, organisations will need to adopt the same rigorous approaches to protecting their mobile estate as they do to the rest of their IT infrastructure – or risk being vulnerable to the weapons of mobile warfare.

More Info http://www.techweekeurope.co.uk/security/cyberwar/understanding-the-weapons-of-mobile-warfare-186338




Creating Cybersecurity Rating Systems for Cars


February 22, 2016.


Automobiles have crash ratings. Do they need ratings for cybersecurity, too?


Jacob Olcott, vice president for development at BitSight Technologies, which develops rating systems to assess IT security, says the industry is looking at two types of ratings: one for use by consumers, which would reassure drivers about the security of autos' IT systems, and the other for use by automakers, which would rate the security of their IT supply chain.

A rating system would help "folks within the supply chain, from a hardware and software standpoint, [to provide] assurances to the automobile manufacturers that they are creating products that will stand the test of time inside an automobile," says Olcott, who will moderate a session titled Do We Need Cyber Ratings for the Auto Industry? 8 a.m. PST on March 2 at the RSA Conference 2016 in San Francisco. Panelists include Chan Lieu, senior legislative adviser at Venable, and Tadayoshi Kohno, a computer science and engineering associate professor at the University of Washington.

In the interview with Information Security Media Group (click on player beneath photo to listen), Olcott:

  • Contrasts crash ratings with prospective cybersecurity metrics;
  • Discusses potential industry-federal government collaboration in designing and implementing an automotive cybersecurity rating system; and
  • Addresses congressional interest in developing cybersecurity standards for automobiles (see Car Hacking Spurs Automakers to Share Threat Information).

Olcott says cybersecurity ratings will become a more critical issue when automakers begin to manufacture driverless cars. It's critical for industry and the government to be transparent and accountable in developing security metrics for driverless cars to ensure consumer trust and confidence, he says.

Before joining BitSight, Olcott managed the cybersecurity consulting practice at Good Harbor Security Risk Management. Previously, he served as legal adviser to the Senate Commerce Committee and as counsel to the House of Representatives Homeland Security Committee. He completed his education at the University of Texas at Austin and the University of Virginia School of Law.


Read more: http://www.databreachtoday.in/interviews/creating-cybersecurity-rating-systems-for-cars-i-3088



Latest Cyber Security News

Cyber Crime

PBX phone system hacking nets crooks $50 million over four years: A bloke has admitted laundering millions of dollars for hackers who ripped off US companies by hacking into their telephone systems. The Register, February 12, 2016

Fraudsters Tap Kohls Cash for Cold Cash: Scam artists have been using hacked accounts from retailer Kohls.com to order high-priced, bulky merchandise that is then shipped to the victims home. While the crooks don�t get the stolen merchandise, the unauthorized purchases rack up valuable credits called Kohls cash that the thieves quickly redeem at Kohls locations for items that can be resold for cash or returned for gift cards. KrebsOnSecurity, February 11, 2016

CryptoWall Ransomware Gang Extorts $330,000: Over a three-month period in 2015, a single cybercrime gang managed to earn at least $330,000 in bitcoins thanks to an estimated 670 victims paying attackers ransom demand to decrypt their ransomware-infected systems. BankInfoSecurity, February 10, 2016

Hacker dumps data on 10K DHS employees, threatens FBI next: An unknown hacker on Sunday posted the details of almost 10,000 Department of Homeland Security (DHS) employees online, which he claimed to obtain by hacking the Justice Department. TheHill, February 8, 2016

Financial Cyber Security

Should Banks Expect New Cybersecurity Guidance?: How will federal banking regulators respond to growing criticism of the Cybersecurity Assessment Tool issued by the Federal Financial Institutions Examination Council? BankInfoSecurity, February 12, 2016

Skimmers Hijack ATM Network Cables: If you have ever walked up to an ATM to withdraw cash only to decide against it after noticing a telephone or ethernet cord snaking from behind the machine to a jack in the wall, your paranoia may not have been misplaced: ATM maker NCR is warning about skimming attacks that involve keypad overlays, hidden cameras and skimming devices plugged into the ATM network cables to intercept customer card data. KrebsOnSecurity, February 9, 2016

Business Email Fraud: Who’s Liable?: In May, 2014, Texas-based manufacturing firm AFGlobal Corp. was hit by a business email compromise attack that resulted in fraud losses of $480,000. BankInfoSecurity, February 8, 2016

Cybercrime Gangs Blend Cyber Espionage And Old-School Hacks In Bank Heists: Metel, GCMAN, and Carbanakis comeback highlight how cybercriminals are now going after bank users and systems with cyber espoinage-type tools and tactics. DarkReading, February 8, 2016

Banks to FFIEC: Cyber Tool is Flawed: Banking institutions and associations that have demanded the Federal Financial Institutions Examination Council make significant changes to the Cybersecurity Assessment Tool are now anxiously waiting for the council to take action. BankInfoSecurity, January 26, 2016

Cyber Privacy

Government-mandated crypto backdoors are pointless, says report: If you needed another confirmation that government-mandated backdoors in US encryption products would only serve to damage US companies competitiveness without actually bringing much benefit to the countries security, you only need to look at a recent report by security researchers Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar. HelpNetSecurity, February 12, 2016

Identity Theft

IRS website attack nets e-filing credentials for 101,000 taxpayers: The US Internal Revenue Service was the target of a malware attack that netted electronic tax-return credentials for 101,000 social security numbers, the agency disclosed Tuesday. ars technica, February 10, 2016

Cyber Warning

A look into the current state of mobile security: A quarter of all mobile apps have at least one high risk security flaw, 35 percent of communications sent by mobile devices are unencrypted, and the average mobile device connects to 160 unique servers each day, according to a new NowSecure report. HelpNetSecurity, February 12, 2016

Netflix-themed phishing, malware supply black market with stolen credentials: As the Netflix movie streaming service spreads all over the world, the number of users rises, as well as the number of those who wish to use it but donot want to pay for it or want to pay less than the set price. With such a wide (and widening) pool of potential targets, it’s no wonder that some cyber crooks are opting to concentrate on them. HelpNetSecurity, February 12, 2016

Beware of Airbnb-themed phishing schemes: Airbnb-themed phishing scams do not crop up often, but customers of the service should be aware of the possibility of getting their login credentials stolen and misused. HelpNetSecurity, February 12, 2016

Cyber Security Management - C-Suite

Perceptions Of IT Security Risk Changing In Business Ranks: Business leaders increasingly see IT security risk as huge, but policy making and visibility still lag. DarkReading, February 12, 2016

Survey: 65% of Businesses Expect to Suffer an Information Security Breach: A new report by NTT Security found that organizations expect costs associated with a data breach would include legal fees, compensation to customers, third party resources and fines or compliance costs. SecuritySales, February 10, 2016

Cyber Security Management - Cyber Defense

Gmail to warn you if your friends aren�t using secure e-mail: Google has confirmed a number of changes to Gmail with the arrival of two new features that will let you know if the people you are corresponding with are not hip with TLS encryption. ars technica, February 10, 2016

Cyber Security Management - Cyber Update

Critical Fixes Issued for Windows, Java, Flash: Microsoft Windows users and those with Adobe Flash Player or Java installed, its time to update again! Microsoft released 13 updates to address some three dozen unique security vulnerabilities. Adobe issued security fixes for its Flash Player software that plugs at least 22 security holes in the widely-used browser component. Meanwhile, Oracle issued an unscheduled security fix for Java, its second security update for Java in as many weeks. KrebsOnSecurity, February 10, 2016

US National Cyber Security

Government Must Prepare for When Quantum Computers Can Crack Its Encryption: US lawmakers including Senator John McCain and Ted Lieu are attempting to undermine technology companies efforts to encrypt everyone�s communications, citing dangers to law enforcement. But that debate may be moot: Computers are getting so powerful that they will eventually be able to break any encryption. Vice, February 12, 2016

Protecting U.S. Innovation From Cyberthreats: More than any other nation, America is defined by the spirit of innovation, and our dominance in the digital world gives us a competitive advantage in the global economy. However, our advantage is threatened by foreign governments, criminals and lone actors who are targeting our computer networks, stealing trade secrets from American companies and violating the privacy of the American people. Wall Street Journal, February 9, 2016

Critical Infrastructure

Power Grid Honeypot Puts Face on Attacks: TENERIFE, Spain, The rhetoric around hacking the power grid would have you believe its a relatively mundane practice. Policymakers, intelligence agencies and vendors, for example, spread the word gleefully, leaning on scenarios such as state-sponsored hackers shutting off the lights in the dead of winter as a scare tactic to glean budget and influence. ThreatPost, February 9, 2016

Internet of Things

IoT’s Day of Reckoning on the Horizon: TENERIFE, Spain, When it comes to the internet of things, it isnot Wi-Fi that scares Chris Rouland, its the whole wireless spectrum, constantly being updated with new and poorly secured protocols. ThreatPost, February 8, 2016

IoT Reality: Smart Devices, Dumb Defaults: Before purchasing an Internet of things (IoT) device, a thermostat, camera or appliance made to be remotely accessed and/or controlled over the Internet consider whether you can realistically care for and feed the security needs of yet another IoT thing. KRebsOnSecurity, February 8, 2016

Cyber Underworld

Evidence Suggests the Sony Hackers Are Alive and Well and Still Hacking: TENERIFE, SPAIN THE MASSIVE hack against Sony in late 2014 was sudden and loud. The perpetrators made themselves known four days before Thanksgiving with a red skull emblazoned on computer screens company-wide and an ominous warning that they were about to spill Sony secrets. Wired, February 12, 2016

Dark Web Suppliers and Organized Cybercrime Gigs: IBM X-Force researchers closely follow the activity and fraud methods of banking Trojans in the wild. In one of their recent findings, the team uncovered an interesting link between an underground webinjection vendor and three well-known cybercrime groups: the operators of the Ramnit, CoreBot and ZeusVM banking Trojans. SecurityIntelligence, February 11, 2016

Cyber Law

House bill would kill state, local bills that aim to weaken smartphone crypto: On Wednesday, Rep. Ted Lieu (D-Calif.) and Rep. Blake Farenthold (R-Tex.) introduced a new bill in Congress that attempts to halt state-level efforts that would weaken encryption. ars technica, February 10, 2016

The EU-US Privacy Shield: What to Expect Next: On February 2, the potential replacement to the invalidated Safe Harbor data transfer mechanism, the EU-US Privacy Shield, was announced by the European Commission and the US Department of Commerce, as we covered here. However, while organizations and representatives on both sides of the Atlantic welcomed the conclusion of the negotiations on Tuesday, the true substance of the Privacy Shield is yet to come. ArentFox, February 8, 2016

Cyber Misc

The Malware Museum Shows Just How Cute the Internet Was in the 80s and 90s: When it comes to cybersecurity, we spend so much time talking about the future of Internet threats how terrifying and destructive they could become, what we should do about them, why they are getting more dangerous every days that it can be easy to forget about their past. Enter the Malware Museum, a site launched last week by Jason Scott with help from Mikko Hypponen through the Internet Archive. It attempts to re-create and commemorate some highlights from the library of malicious programs distributed in the 1980s and 1990s, when computer-based threats were still in their infancy. Slate, February 12, 2016

Cyber Sunshine

UK Police Arrest Suspect Over CIA Directorïs Email Hack: Police in the United Kingdom have arrested a teenager on suspicion of having perpetrated a series of high-profile hack attacks, pranks and data breaches using the names �Cracka� and �DotGovs,� against senior White House officials, as well as CIA Director John Brennan. GovInfoSecurity, February 12, 2016





Cyber ReseArch

Cyber News

Cyber info


The content of this CRC-ICS Cyber News Update is provided for information purposes only. No claim is made as to the accuracy or authenticity of the content of this news update or incorporated into it by reference. No responsibility is taken for any information or services which may appear on any linked websites. The information provided is for individual expert use only.



Founded in 2015, the Cyber Research Center - Industrial Control Systems is a not for profit research & information sharing expert center working on the future state of Physical & Cyber Protection and Resilience. CRC-ICS goals are to inform industries / critical infrastructures about the fast changing threats they are facing and the measures, controls and techniques that can be implemented to be prepared to deal with these cyber threats.



Cyber Research Center - Industrial Control Systems. 2016

www.crc-ics.net or www.cyber-research-center.net