- Security Affairs newsletter Round 153 – News of the week
- Hacking Team is back … probably it never stopped its activity. Watch Out!
- Governments rely on Sandvine network gear to deliver spyware and miners
Posted: 11 Mar 2018 07:01 AM PDT
A new round of the weekly SecurityAffairs newsletter arrived!
The best news of the week with Security Affairs.
Once again thank you!
The post Security Affairs newsletter Round 153 – News of the week appeared first on Security Affairs.
Posted: 11 Mar 2018 05:26 AM PDT
ESET collected evidence of Hacking Team ‘activity post-hack, the company published an interesting analysis based on post hack samples found in the wild.
Security researchers at ESET have spotted in fourteen countries previously unreported samples of the Remote Control System (RCS), the surveillance software developed by the Italian Hacking Team, in fourteen countries.
Malware researchers that analyzed the sample believe that the Hacking Team developers are continuing the development of the surveillance malware.
Since 2003, Hacking Team gained notoriety for selling surveillance tools to governments and intelligence agencies, but human rights research group criticized its alleged sales to the authoritarian regimes.
The Remote Control System (RCS) is a sophisticated spyware that is able to transform the device in a surveillance tool by activating the webcam and microphone, extracting information from a targeted device, and intercepting emails and instant messaging.
The company made the headlines in July 2015 when it suffered a major security breach and attackers exfiltrated 400GB of internal data, including the spyware source code.
“A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Team's shareholder structure, with Tablem Limited taking 20% of Hacking Team's shareholding. Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.”
The experts started the investigation after researchers from the Citizen Lab provided them information that led to the discovery of a version of the RCS software signed with a previously unseen valid digital certificate.
The researchers uncovered many samples of Hacking Team spyware created after the 2015 data breach, their code implements some changes compared to variants released before the source code leak.
“The samples were compiled between September 2015 and October 2017. We have deemed these compilation dates to be authentic, based on ESET telemetry data indicating the appearance of the samples in the wild within a few days of those dates.” continues the analysis.
“Further analysis led us to conclude that all the samples can be traced back to a single group, rather than being isolated instances of diverse actors building their own versions from the leaked Hacking Team source code.”
ESET found six different certificates issued in succession, four of them were issued by Thawte to four different companies, and two were issued to the Hacking Team co-founder Valeriano Bedeschi and a guy named Raffaele Carnacina.
The samples analyzed have forged Manifest metadata to trick users into believing that they are using legitimate applications such as "Advanced SystemCare 9 (188.8.131.521)", "Toolwiz Care 184.108.40.206" and "SlimDrivers (220.127.116.11)".
To avoid detection vxers behind the samples have been using VMProtect, a technique observed also in Hacking Team spyware used before the HT hack.
The researchers believe that Hacking Team developers have developed the post-leak samples and no other APT that would have borrowed their code,
“We have, however, collected further evidence that ties these post-leak samples to Hacking Team's developers themselves.” continues ESET.
“The connections among these samples alone could have originated with virtually any group re-purposing the leaked Hacking Team source code or installer – as was the case with Callisto Group in early 2016. We have, however, collected further evidence that ties these post-leak samples to Hacking Team's developers themselves.”
The samples analyzed continues the versioning progression used in pre-leak samples, experts also noticed that the same names (Scout and Soldier) in the samples that were also present in past codes.
The researchers also discovered a subtle difference between the pre-leak and the post-leak samples is the difference in Startup file size. They pointed out that before the leak, the size of the copied file is 4MB, meanwhile, in the post-leak samples this file copy operation is padded to 6MB, most likely as a primitive detection evasion technique.
In the following table, there is the timeline associated with Hacking Team Windows spyware samples. The red item is the code reuse attributed to the Callisto APT Group.
The post-leak samples analyzed by the researchers, at least in two cases, were delivered in spear phishing message with an executable file disguised as a PDF document.
(Security Affairs – Hacking Team, RCS)
The post Hacking Team is back … probably it never stopped its activity. Watch Out! appeared first on Security Affairs.
Posted: 11 Mar 2018 12:37 AM PST
According to Citizen Lab, some governments are using Sandvine network gear installed at internet service providers to deliver spyware and cryptocurrency miners.
Researchers at human rights research group Citizen Lab have discovered that netizens in Turkey, Egypt and Syria who attempted to download legitimate Windows applications from official vendor websites (i.e. Avast Antivirus, CCleaner, Opera, and 7-Zip) have been infected with a nation-state malware.
According to the organization, local governments with the help of internet service providers have used deep-packet inspection boxes to hijack the traffic.
“This report describes how we used Internet scanning to uncover the apparent use of Sandvine/Procera Networks Deep Packet Inspection (DPI) devices (i.e. middleboxes) for malicious or dubious ends, likely by nation-states or ISPs in two countries.” states the report published by Citizen Lab.
Finfisher infected victims in seven countries and experts believe that in two of them the major internet providers have been involved.
The Citizen Lab researchers have found Sandvine PacketLogic devices being used on the networks of Türk Telecom and Telecom Egypt for distributing malware designed for varying purposes, ranging from surveillance to cryptocurrency mining.
“After an extensive investigation, we matched characteristics of the network injection in Turkey and Egypt to Sandvine PacketLogic devices. We developed a fingerprint for the injection we found in Turkey, Syria, and Egypt and matched our fingerprint to a second-hand PacketLogic device that we procured and measured in a lab setting.” states the report.
“The apparent use of Sandvine devices to surreptitiously inject malicious and dubious redirects for users in Turkey, Syria, and Egypt raises significant human rights concerns.”
Researchers highlighted that official websites for these legitimate applications redirect users to non-HTTPS downloads by default, making easy for attackers to redirect users.
The experts reported the case of the CBS Interactive’s Download.com, its users were redirected to downloads containing spyware in Turkey and Syria.
The surveillance malware the researchers found bundled by operators was similar to that used in the espionage campaigns conducted by StrongPity APT.
The expert discovered that the Sandvine boxes were used in Egypt to distribute either affiliate ads or browser cryptocurrency mining scripts.
According to Citizen Lab, the same boxes are also supposedly being used for censorship, for example blocking the access to websites like Human Rights Watch, Reporters Without Borders, Al Jazeera, Mada Masr, and HuffPost Arabic.
Citizen Lab reported Sandvine of their findings, but the firm flagged the study as “false, misleading, and wrong,” and asked the organization to return the second-hand PacketLogic device they used in their investigation.
Sandvine asked the experts to delay publication of the report, claiming that the researchers intentionally provided incorrect information.
On March 7, 2018, Sandvine sent a letter to the University of Toronto, to express its disappointment about the Citizen Lab analysis. External counsel responded to Sandvine's letter on behalf of the University of Toronto and Citizen Lab on March 8, 2018.
Sandvine criticized the unethical approach of the researchers, it also pointed out that tests were conducted by acquiring a second-hand Sandvine PacketLogic PL7720 box for testing.
“You state, broadly, that Sandvine takes seriously its commitment to corporate social responsibility and ethical use of its products,” reads a letter sent by attorneys representing the University and Citizen Lab. “However, you have not responded to any of the specific questions asked of Sandvine by Citizen Lab in letters dated February 16 and March 1, 2018.”
(Security Affairs – Sandvine, spyware)
The post Governments rely on Sandvine network gear to deliver spyware and miners appeared first on Security Affairs.
|You are subscribed to email updates from Security Affairs. |
To stop receiving these emails, you may unsubscribe now.
|Email delivery powered by Google|
|Google, 1600 Amphitheatre Parkway, Mountain View, CA 94043, United States|