Category Archives: Attacks

Hotels May Become New Data Breach Point

A data breach appears to have hit White Lodging, a firm which manages hotel franchises for the Marriott, Hilton and Starwood Hotel chains. As reported by Brian Krebs, the breach appears to have struck computers in the restaurants and gift shops of a number of hotels managed by the company over a period extending from March 2013 until the end of the year, collecting credit card information. Krebs was alerted to the breach by a number of fraud specialists working in banking who were dealing with the fallout of the resulting credit card fraud.

Mask/Careto Unmasked, Shadowy Spanish Spybots Slink into Sunset

Amid continuous revelations of a variety of “Advanced Persistent Threat” (APT) hacking operations sponsored by nation states (among them Flame/Gauss/Duqu/Stuxnet, Red October, Comment Crew, Shamoon, Icefog and Dark Seoul), the major global players such as the US, Russia, and China have been heavily represented. A new report by Kaspersky has revealed an advanced operation conducted by an as yet unknown but presumably Spanish-speaking state. The operation apparently began as early as 2007, and the sophistication of the code has been judged as higher than that seen in programs such as Duqu, Red October or Icefog.

Based on multiple strings in the code, especially those referring to “Careto”, Spanish slang for ugly face or mask, it is assumed that the virus writers speak Spanish. The malware was discovered by Kaspersky Lab because it exploited a flaw in earlier versions of Kaspersky’s anti-virus software to hide itself from virus scans. The payload of the program also included a rootkit and a bootkit, employed zero-day exploits, and could infect a variety of 32- and 64-bit systems, including versions for Windows, Mac, and Linux, and possibly Android and iOS on smartphones.

The campaign seems to have relied on spearphishing to send users to a malicious website which would deploy the modular program. Many of the malicious sites used addresses impersonating those of a number of Spanish and international newspapers, and all were served with a valid certificate, albeit one issued to an unknown and probably fictitious Bulgarian company called TecSystem LTD. The setup used on the command and control servers for the malware was also designed to deny access to IP addresses that may be used by security researchers, among them Kaspersky Lab.

The entities targeted by the attacks seemed to be primarily in the UK, Brazil and Morocco, though a range of European countries is represented. The discovered targets are also only a limited subset of the possible targeted groups, as the team involved was very effective at covering their tracks, and the targets given in the image above represent only the systems being targeted at the time of Kaspersky’s investigation. However, soon after the operation was discovered it was shut down, as detailed in the article quoted below.

“Kaspersky researchers have sinkholed about 90 of the C&C domains the attackers were using, and the operation was shut down last week within a few hours of a short blog post the researchers published with a few details of the Mask campaign. Costin Raiu, head of the Global Research Analysis Team at Kaspersky, said that after the post was published, the Mask operators rolled up their campaign within about four hours.”

Dan Gifford- MCySec Media Manager

The Syrian Electronic Army: Mediums of Disinformatics


“We are just Syrian youths who want to defend their country against the media campaign that is full of lies and fabricated news reports”

The Syrian Electronic Army (SEA) most likely began at least in part as an outgrowth of the Syrian Computer Society (SCS), an internet and information science advocacy group founded by the late Basil Al-Assad in 1989, and later led by Bashar Al-Assad prior to his elevation to the presidency. In 1997 there were only 35,000 computers in the country, two for every thousand people. The early days of Syria’s acceptance of the internet were marked by significant bureaucratic trepidation, predominantly motivated by concerns of cultural penetration. The opposing camp was urged onward by a recognition that, in the face of heavy usage of the internet by other nations, especially Israel, Syrian perspectives were being drowned out. Surveys conducted in 1998 by an early advocate, Dr. Imad Mustafa, found that of 1.5 million documents on the web dealing with Syrian aspects of the Arab-Israeli conflict, 56% had been written by Israeli organizations, 18% by Zionist groups outside of Israel and another 17% by US government organizations. On issues rich with nationalistic fervor such as the Golan Heights, the survey found that there were essentially no existing sources or documents on the internet which were favorable to Syrian interests, and that 71% of the documents were absolutely hostile to Syrian perspectives. This preoccupation with “correcting” the established media narrative has fed directly into the ethos of the SEA, though they also engage in “punishing” media outlets by propagating false news events.

The personnel evolution of the group can be roughly split into two phases. In the early phase of the group, their website from May of 2011 was hosted by the SCS, and the domain registration pointed to the same group. A later site was registered with the approval of the SCS. By May of 2013, however, the SCS had cut all of these ties and disabled use of the site. There may have been significant personnel changes later in the 2011 era, and it is entirely possible that the activists who shared membership in SCS and SEA left at that point. The second phase of the group was much more shadowy, international and varied in technical aptitude.

The group’s methods of attack have been multi-pronged, from website defacement and redirects, to propaganda posting on Facebook, and in some cases campaigns distributing malware (intended to reveal the identity and activity of online actors) against the Syrian Opposition. Recent operations have been heavily focused on compromising the social media accounts of news organizations and celebrities.

In April of 2013 SEA conducted spearphishing attacks (directed emails designed to steal user credentials and other data) which resulted in them obtaining control of the Associated Press Twitter account, which they used to spread a false story about an explosion at the White House which injured the President.


The tweet caused a temporary drop in the Dow Jones Industrial Average of over a hundred points, but AP was quickly able to regain control of their Twitter account and retract the false story.


This method of attack has proven to be both high profile and high impact, and the group seems to have generally shifted focus onto compromising social media accounts. These compromises have been varied in intent, from posting false information for shock value to pushing propaganda against perceived international enemies of Syria and Al-Assad. This week there has been a compromise of CNN’s Twitter account and website, used both to spread propaganda in favor of Al-Assad and to plant a false news story apparently intended to disrupt financial markets. Increasing attempts to manipulate markets may indicate economic motives behind SEA operations, especially if these actions are combined with short-selling, though this connection would require further analysis for confirmation.

CNN hacked


The Syrian Electronic Army represents a new type of cyber actor, one which is both a hacktivist group in the vein of Anonymous and a state-sponsored group much like many in operation across the world. However, unlike many hacking groups with state sponsorship, SEA concentrates on propaganda operations instead of espionage for military or economic reasons. In this sense they bear some similarity to groups like the Chinese Honker Union and the Russian hacktivist movements which have surrounded military operations and international controversies in Estonia and Georgia. The funding for the group remains murky. There are allegations that Rami Makhlouf, a billionaire cousin of Bashar Al-Assad, supported the group in leaving Syria and basing their operations in other Arab states, and continues to provide accommodations for group members. There are also rumors that hackers are paid between five hundred and a thousand dollars for successful website compromises.

Dan Gifford – MCySec Media Manager



Flames of the Dragon: A Profile of the PRC’s Cyber Situation

Since February of last year, when the Mandiant Report was released, China has been at the forefront of cyber security news. It has become apparent that the PRC is waging all-out economic warfare through the use of widespread cyber espionage, intellectual property theft and massive data-exfiltration operations. China has a long history of copy-cat behavior and convoluted laws regarding intellectual property rights which support their various motivations for engaging in cyber espionage. Although much of this activity has been attributed to the Comment Crew (also referred to as APT1 by Mandiant), there are several organizations within the PRC’s hierarchy that contribute to these cyber intelligence operations.

There is also a looming concern over the PRC’s rapid expansion of their cyber-warfare capabilities. China appears focused on using their advances in cyber to balance their disparity with the U.S.’s traditional military technology and to add an additional layer to their anti-access strategy. A more frightening prospect is a build-up of military strategy that supports preemptive cyber-attacks, which could lead to a cyberwar between the U.S. and China. This scenario may seem unlikely, but the NSA claims to have foiled several Chinese cyber-attack attempts, and there are reports of other recent cyber-attacks against the U.S. power grid.

The U.S. is not the only country that is concerned with China’s cyber behavior. The U.K. has addressed the PRC’s cyber espionage and expressed concern over the intentions of China’s Huawei Telecommunications company. Other European countries have accused China of accessing their foreign ministries as well. Mongolia has managed to join China’s target list, having received a recent barrage of attacks, most likely in response to Mongolia’s outreach to Western nations. However, China’s cyber-attacks are not focused entirely on foreign nations. One of China’s primary targets for offensive cyber action is its own Tibet Autonomous Region. Several reports state that Tibet has become ground zero for Chinese hackers and cyber-attacks in the PRC’s hunt for political dissidents within the region.

The PRC is committed to denying allegations that their central government is behind these cyber-attack and cyber-espionage campaigns. Several authorities within the U.S. have also expressed doubts over the hype of cyber escalation between the U.S. and China. The Obama administration has taken steps to initiate talks between the U.S. and China for improving cyber security between the two nations. The mood remains tense, especially following the revelations of Edward Snowden, with China accusing the U.S. of maintaining a double standard in its behavior. Despite a steep decline in Chinese cyber activity following the release of the Mandiant Report, China is back on the offensive with a resurgence of cyber-espionage efforts. It will be interesting to see where things go from here.

- by Ben Volcsko, Research Assistant

DARPA is Trying to Turn Cyberwar Into Child’s Play

DARPA, as expected, is coming up with many new and inventive ways of trying to rethink the cyber security challenges that DOD is plagued with. First, they have developed a series of free computer and mobile app based games that, while seemingly innocuous, are actually providing algorithms for solving basic programming vulnerabilities. DARPA is also looking to shift the established system of cyberwarfare practices, residing predominantly in the hands of technical experts, to a mass-production type operation. This transition project is detailed in Wired’s article This Pentagon Project Makes Cyberwar as Easy as Angry Birds. Bob Dylan was right, “the times they are a-changin’”.

- by Ben Volcsko, Research Assistant

Understanding How the Feds Handle Incident Response

Ever wondered how DHS, CYBERCOM and other federal cyber security agencies handle specific incident response? Well, you are in luck. Jason Healey, author of Above My Pay Grade – Incident Response at the National Level, explains the challenges and successes in tackling cyber incidents from the federal government’s perspective. Healey, director of the Cyber Statecraft Initiative of the Atlantic Council and creator of the first Computer Emergency Response Team that coordinated the response to incidents affecting the finance sector, provides an outstanding written account of the obstacles for today’s incident response handlers.

- by Ben Volcsko, Research Assistant

Gets Fuzzed Amid General Condemnation by Security Professionals

As the flagship effort of President Obama’s terms in office, and a massive new repository of personal financial and medical information, was already a huge cyber attack target before the site even went live. The technical difficulties many users have experienced have been mostly due to inadequate testing during the site’s development; however, there are signs of very severe cyber attacks on the horizon.

A recent House hearing on security vulnerabilities on the website ended with the panel of experts (Morgan Wright, CEO of Crowd Sourced Investigations; Fred Chang of Southern Methodist University; Avi Rubin of Johns Hopkins University; and David Kennedy, CEO of TrustedSec) all declaring it unsafe for Americans to trust their personal data to the website in its current form, and three of the four saying that the website should be pulled immediately and the implementation of the healthcare program delayed in order to address the website’s security issues.

Recently, an implementation problem in the site’s search bar autocomplete function was revealing the ongoing “fuzzing” attacks being made on the site’s forms and databases. Fuzzing, the automated submission of malformed and unexpected input to see how an application responds, is a common probing step for SQL injection, wherein an attacker uses the outward-facing elements of a website, such as forms that feed into the site’s databases, to input commands to the database, potentially revealing or deleting confidential data. The autocomplete issue has been solved; however, the attacks are certainly ongoing, with an unknown level of success.
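The difference between a form that pastes user input into a query and one that binds it as a parameter, as an added Python example (not code from the site or from the article): the in-memory table, its sample rows and the `probe` helper are constructed for the demonstration. A fuzzer’s stray quote makes the concatenated query fail with a database error, which is the kind of signal a leaky autocomplete or error page hands back, while the parameterized version treats the same input as plain data.

```python
import sqlite3

# Constructed sample rows for the demonstration (not data from the page).
SAMPLE_PLANS = [
    ("Bronze Basic", "OH"),
    ("Silver Plus", "OH"),
    ("Gold Select", "TX"),
]


def make_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE plans (name TEXT, state TEXT)")
    conn.executemany("INSERT INTO plans VALUES (?, ?)", SAMPLE_PLANS)
    return conn


def search_vulnerable(conn, term):
    """The weak pattern: user input is spliced into the SQL text. Any quote in
    `term` becomes part of the statement, so a fuzzer's stray quote produces a
    syntax error and a crafted quote changes what the query means."""
    sql = "SELECT name FROM plans WHERE name LIKE '%" + term + "%'"
    return sorted(row[0] for row in conn.execute(sql))


def search_parameterized(conn, term):
    """The hardened form: the statement is fixed and the input travels as a
    bound parameter, so the database only ever compares it as a value."""
    sql = "SELECT name FROM plans WHERE name LIKE ?"
    return sorted(row[0] for row in conn.execute(sql, ("%" + term + "%",)))


def probe(term):
    """Run one input through both versions and report what each did.
    Returns (vulnerable_result, parameterized_result); a result is either the
    sorted list of matching names or the string 'error'."""
    conn = make_db()
    try:
        vuln = search_vulnerable(conn, term)
    except sqlite3.OperationalError:
        vuln = "error"
    safe = search_parameterized(conn, term)
    conn.close()
    return vuln, safe


if __name__ == "__main__":
    # A normal search behaves the same in both versions.
    print(probe("Silver"))
    # One stray quote, the sort of thing a fuzzer sends: the concatenated query
    # breaks, and the resulting error is what tells the sender the input reached SQL.
    print(probe("Silver'"))
    # Input that closes the string early is interpreted as SQL by the weak version
    # (every row comes back) and as an ordinary search string by the safe one.
    print(probe("' OR '1'='1"))
```

The audit value of `probe` is that it makes the failure mode observable: any input on which the two columns disagree marks a query that is interpreting user data as code.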

The bottom line of this entire incipient misadventure is that website initiatives, especially ones that are juicy targets for political and personal data reasons, must be designed with security in mind first and foremost, and extensive security testing must be employed before the sites and their vulnerabilities are released on an unsuspecting public.

Dan Gifford – MCySec Media Manager

Cyber Threats to the Global Oil Supply Chain

The Federation of American Scientists has published a paper detailing threats to the global oil supply chain. Rounding out a list of major regional and geopolitical threats to the global oil infrastructure, the risks of SCADA and other attacks on pipelines, tanker ships, and refineries do seem substantial. The author is a little off base in suggesting that STUXNET type weapons could be used to attack oil systems: the sophistication of oil systems is much less than that seen in the Iranian nuclear enrichment program, and as such a STUXNET level weapon would probably be overkill. Even so, despite the significant exposure of these often unprotected systems to the internet and other avenues of attack, major SCADA attacks have not yet become prevalent. The author is also somewhat mistaken in assessing that groups such as the Syrian Electronic Army could have the capability to conduct major SCADA infrastructure attacks. SEA capabilities are simply not on that level; they have concentrated primarily on hacking email accounts by abusing password resets and other social engineering methods, rather than developing the technical expertise that would be necessary to deploy custom attack tools against SCADA. These technical quibbles aside, the author is entirely correct in his assessment that the complexity of the logistics operations involved in global oil systems provides a major avenue of attack, and I must agree that these sorts of attacks are waiting over the horizon.

Dan Gifford – MCySec Media Manager


Adobe’s Credential Security Failure is Impacting Other Web Services, Becoming a Password Cracker’s Dream Come True

The breaches in Adobe’s databases, which were exposed by Hold Security and publicized by security journalist Brian Krebs, have continued to have significant impacts beyond the company itself. In addition to the public release of extensive amounts of source code for flagship Adobe products such as CloudFlare, the usernames, passwords and password hints of upwards of 150 million users were exposed. This exposure is especially problematic because, instead of using a one-way hash with individual salts (the industry standard method of securing password data within a database), Adobe encrypted every password in the database with Triple DES under a single key. What this means is that anyone can assemble this database for themselves, sort by the encrypted password to find groups of users that used the same password, and then use the pooled password hints of each group to crack the passwords of entire groups of users at once.

Eventually, once enough of the plaintext password data is known, it may be possible to mount a “known plaintext attack” and recover the Triple DES key, exposing the rest of the passwords. It is also possible that the original hackers who scooped the database were able to obtain the key, given that they successfully overcame many other security features within Adobe’s network. This would potentially release an unprecedented number of currently used passwords into the public domain, but even if the key is not recovered cryptanalytically, the addition of password hint data to the database has potentially exposed millions of users to having their passwords found out. In addition to this, the release of so many organically created passwords into the public sphere means that password crackers suddenly have much more information for their attack dictionaries, further improving their position vis-à-vis login security.
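The storage property described in the two paragraphs above, as an added Python example (not Adobe’s code and not part of the original post): the sample records, the `SINGLE_KEY`, and the use of HMAC-SHA256 as a stand-in for single-key Triple DES are constructed assumptions. The cipher is beside the point; what matters is determinism. With one key and no per-user salt, every user with the same password gets the same stored value, so a dump can be sorted by that value and the hints pooled, whereas a per-user salted slow hash (PBKDF2 here) gives unrelated stored values for identical passwords and offers nothing to sort on.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample records (user, password, hint); not real breach data.
SAMPLE_USERS = [
    ("alice", "sunshine", "my favourite weather"),
    ("bob", "sunshine", "what the sun gives"),
    ("carol", "sunshine", "opposite of rain"),
    ("dave", "dragon42", "mythical beast plus my age"),
    ("erin", "Tr0ub4dor", "xkcd"),
]

# The weak design: one key shared by every record in the database (constructed).
SINGLE_KEY = b"one key for the whole database"


def unsalted_same_key(password):
    """Stand-in for the weak scheme: a deterministic keyed transform applied to
    every password under ONE key with no salt. HMAC-SHA256 is used only so the
    example runs on the standard library; the property being demonstrated (equal
    passwords produce equal stored values) holds equally for Triple DES under a
    single key or any other unsalted deterministic scheme."""
    return hmac.new(SINGLE_KEY, password.encode(), hashlib.sha256).hexdigest()


def salted_hash(password, salt=None):
    """The recommended scheme: a slow one-way hash with a random per-user salt,
    stored alongside the digest so it can be verified later."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored):
    """Recompute the salted hash from the stored salt and compare in constant time."""
    salt_hex, _digest_hex = stored.split("$")
    candidate = salted_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def store(records, scheme):
    """Build the (user, stored_value, hint) rows a database would hold."""
    return [(user, scheme(pw), hint) for user, pw, hint in records]


def hint_groups(stored):
    """What a dump reveals: rows grouped by identical stored value with their
    hints pooled. Returns {stored_value: [hints]} for every group of two or more;
    an empty dict means no two users can be linked by password."""
    groups = defaultdict(list)
    for _user, value, hint in stored:
        groups[value].append(hint)
    return {v: hints for v, hints in groups.items() if len(hints) > 1}


def largest_cluster(records, scheme):
    """Audit metric: size of the largest set of users sharing one stored value.
    Anything above 1 means the scheme leaks which users share a password."""
    counts = defaultdict(int)
    for _user, value, _hint in store(records, scheme):
        counts[value] += 1
    return max(counts.values())


if __name__ == "__main__":
    print("weak scheme, largest cluster:", largest_cluster(SAMPLE_USERS, unsalted_same_key))
    print("weak scheme, pooled hints:", hint_groups(store(SAMPLE_USERS, unsalted_same_key)))
    print("salted scheme, largest cluster:", largest_cluster(SAMPLE_USERS, salted_hash))
    print("salted scheme, pooled hints:", hint_groups(store(SAMPLE_USERS, salted_hash)))
```

Run against a real credential table, `largest_cluster` is the one-line check that distinguishes the two designs: a salted store reports 1 no matter how many users chose the same password.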

Of course, after the breach Adobe required all users of their site and services to change their passwords. However, since so many people reuse password and login credentials across multiple sites, Adobe is not the only provider that has had to deal with the results of their truly epic blunder. Already Facebook, and have analyzed the breach and informed users that were using the same login credentials on Adobe that their accounts have been compromised and that they must change their passwords.

This incredible security failure has inspired much-warranted derision within the computing world, with comics luminary XKCD describing it as “The Greatest Crossword Puzzle in the History of the World”.

Dan Gifford – MCySec Media Manager