Showing posts with label fraud. Show all posts

Friday, March 5, 2010

US Investigators Pinpoint Author Of Google Attack Code

The big news over the past few months has been the Aurora attacks and how they appeared to originate from China. In January Microsoft took the unusual step of releasing an out-of-band patch for the IE6 0-day vulnerability used in the attacks.

Within the last few days the origin of the code was traced to two Chinese schools, both of which claimed they had no knowledge of the exploit.

It was always assumed the exploit originated from China because parts of the code had only been seen on Chinese-language sites; the latest news is that US investigators now claim to have identified the actual author of the code.

US investigators have pinpointed the author of a key piece of code used in the alleged cyber attacks on Google and at least 33 other companies last year, according to a new report.

Citing a researcher working for the US government, The Financial Times reports that a Chinese freelance security consultant in his 30s wrote the code that exploited a hole in Microsoft's Internet Explorer browser. The report also says that Chinese authorities had "special access" to this consultant's work and that he posted at least a portion of the code to a hacking forum.

The story follows another report from The New York Times that traced the attacks to a pair of Chinese schools, Shanghai Jiaotong University and Lanxiang Vocational School, claiming that the latter had ties to the Chinese military. A day later, representatives of both schools denied involvement to the Chinese state news agency, and the Lanxiang representative denied ties to the military.

It all sounds like a conspiracy from the TV show 24, with schools tied to the Chinese military and 'special' access to underground forums.

It will be interesting to watch which direction this heads next and whether it increases the tension between the US and Chinese governments. The whole cyberwar has been going on for quite a while now, with both sides trying to covertly steal information from each other.

So far the author of the code has not been named, and his real identity and purpose are also a little vague.

If I understand correctly what is being implied above, the author of the code posted a PoC (proof of concept) type exploit to a hacking forum.

Someone took this PoC, turned it into a working exploit and attacked 33 US-based companies. If the conspiracists are right, this 'someone' would be the Chinese government, and they used the exploit to steal commercially valuable data from some big US players.












Friday, December 11, 2009

Bank Login-Stealing Botnet Found Hiding in Amazon Cloud

We've all heard security researchers warn about the vulnerabilities of cloud computing; well, here's some interesting news.

Black-hat hackers compromised an unnamed website hosted on Amazon's servers and then installed command-and-control infrastructure on it. Zeus, dubbed America's number one most wanted botnet, was discovered on Amazon's Elastic Compute Cloud (EC2) by security researchers yesterday.

The Zeus Trojan is a banking trojan: it logs keystrokes and grabs form submissions to steal login credentials, account numbers and credit card data, and it injects extra HTML form fields into banking login pages inside the victim's browser (so-called web injects) to trick users into handing over data the bank never asks for. This particular botnet has been linked to around $100 million in bank fraud in 2009.

Although there are no details yet on exactly how the website in question was hacked, the software has since been removed from the Amazon cloud. This incident is reportedly the first example of malware being found on AWS' infrastructure. Note that it was the customer's website, not EC2 itself, that was compromised; the cloud simply gave the attackers cheap, well-connected and hard-to-attribute hosting for their command-and-control server.

As we were warned at Black Hat in April this year, cloud computing carries certain risks and opportunities for exploitation. Our own Sarah Perez wrote:

In another part of the Sensepost presentation, they looked specifically at vulnerabilities of Amazon's Web Services. To start off, they detailed the process involved in setting up a new instance on EC2... While Amazon has provided 47 machine images they built themselves, the remaining 2721 images were built by other EC2 users. Can you really believe that all of these images were built securely? Basically, the template directory is just a big archive of user-generated content. And you know what user-gen content is like... risky.

As John Pescatore told the Financial Times, "The security of these cloud-based infrastructure services is like Windows in 1999. It's being widely used and nothing tremendously bad has happened yet. But it's just in early stages of getting exposed to the Internet, and you know bad things are coming."

Will hackers continue to employ web services to carry out their schemes in 2010? Twitter, Facebook, Google Apps, and now Amazon Web Services have all been used for evil this year. How can websites, corporations, and end users be smarter about online security to avoid personal and financial loss next year? Let us know what you think in the comments.
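The web-inject behaviour described above can be caught by comparing the form fields a browser actually renders against the fields the bank is known to serve. The following is an added example written for this page; it is not code from Zeus, Amazon or the original post. Both HTML documents are constructed here (one imitating a clean login page, the other the same page after an inject has added an ATM PIN and card number field), and the expected-field set is an assumption standing in for a bank's real login form.

```python
"""Detect Zeus-style web injects: flag form fields on a login page that the
bank does not serve.  Added example; the pages and field set are constructed."""
from html.parser import HTMLParser

# Assumption: the named controls the bank's genuine login form contains.
EXPECTED_LOGIN_FIELDS = {"userid", "password", "csrf_token"}

# Constructed clean login page.
CLEAN_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="userid">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form>
"""

# Constructed imitation of the same page after a web inject.  The inject runs
# in the browser, so to the user the extra fields look like part of the site.
INJECTED_PAGE = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="abc123">
  <input type="text" name="userid">
  <input type="password" name="password">
  <label>For your security, please confirm your ATM PIN</label>
  <input type="password" name="atm_pin">
  <label>Card number</label>
  <input type="text" name="card_number">
  <input type="submit" value="Log in">
</form>
"""


class FormFieldCollector(HTMLParser):
    """Collects the name of every data-bearing form control on the page."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("input", "select", "textarea"):
            return
        attr = dict(attrs)
        # Buttons carry no user data; every other control is worth checking.
        if tag == "input" and (attr.get("type") or "text").lower() in (
            "submit", "button", "reset", "image"
        ):
            return
        name = attr.get("name")
        if name:
            self.fields.append(name.lower())


def collect_fields(html: str) -> list:
    """Field names in document order."""
    parser = FormFieldCollector()
    parser.feed(html)
    return parser.fields


def unexpected_fields(html: str, expected=EXPECTED_LOGIN_FIELDS) -> list:
    """Sorted names of fields present on the page but not served by the bank."""
    return sorted(set(collect_fields(html)) - set(expected))


if __name__ == "__main__":
    print("clean page   :", unexpected_fields(CLEAN_PAGE))     # []
    print("injected page:", unexpected_fields(INJECTED_PAGE))  # ['atm_pin', 'card_number']
```

The check only works if it is run against the page as the browser sees it, for example from a client-side integrity script or from a DOM dump taken on a suspect machine: the inject happens after the server's response arrives, so a proxy capture of the wire traffic will look perfectly clean while the rendered page asks for a PIN.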

Thursday, September 24, 2009

NetTeller Attacks Increase

We at digitalImpostors have noticed a dramatic increase in the targeting of small to medium businesses and their mid-sized banks through the security defects in a popular banking application, NetTeller. Some of us who have worked forensics cases have seen the same security holes being attacked over a 10-month period.
We will soon be putting out a white paper on the specific details, as soon as we feel law enforcement has made some headway into these attacks.
One thing we can say: this is from your typical Western European countries. There is some evidence which points to the same criminal organizations which were involved in some large compromises, for which a certain Floridian snitch is currently being held.

More to come.

Real-time hackers beating two-factor security

An incident in which a US construction firm lost $447,000 in a matter of minutes, despite using two-factor authentication to access the company bank account, has highlighted the danger of 'piggy-back' malware that runs in parallel with the legitimate user, stealing data and using it alongside the user's own session.

Previous incarnations of piggy-back malware simply harvested user credentials for later use by the attackers, but because financial services increasingly use two-factor authentication, attackers are now moving to real-time hijacking of legitimate, already-authenticated sessions.
According to the
, an account manager at Ferma, a Californian construction firm, accessed his firm's bank account online using a one-time transaction authentication number.
Unknown to the manager, his session was hijacked in real time: despite the session being authenticated, the attackers piggy-backed their own transactions on it and siphoned off $447,000.
The interception of the session by a trojan has serious repercussions for the growing number of electronic banking users who rely on two-factor authentication devices. A one-time password proves that the legitimate user started the session; it says nothing about what is submitted inside that session, so the transaction content can still be altered or added to in real time.
MIT Technology Review newswire quotes Sam Curry, vice president of product marketing with RSA Security - which produces the SecurID two-factor authentication device used by many third-party companies - as saying that, whilst one-time password technology and other additional security measures can raise the bar against attackers, it will not keep them out forever.
"Companies should be very leery of both prophecies of doom, like the death of a technology, and rosy visions of security", he said.
"Everything is breakable", Curry concluded.
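The distinction the incident turns on, a code that authenticates the session versus a code bound to the transaction the user actually approved, is easiest to see in code. The following is an added example written for this page, not the bank's, RSA's or Ferma's code: the token seed, accounts and amounts are constructed, and the "malware" is a plain function that rewrites a transfer after the user has approved it, the way a man-in-the-browser would. The transaction-bound scheme is a generic HMAC construction chosen for illustration, not any specific vendor's product.

```python
"""Session OTP vs. transaction-bound code under a man-in-the-browser attack.
Added example; all keys, accounts and amounts are constructed."""
import hashlib
import hmac
import struct

TOKEN_SEED = b"constructed-token-seed"   # shared secret between token and bank (constructed)
MULE_ACCOUNT = "MULE-000000"             # constructed attacker-controlled account


def session_otp(seed: bytes, counter: int) -> str:
    """HOTP-style code over a counter only.  It proves who started the session
    and nothing about what is sent inside it."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def transaction_code(seed: bytes, counter: int, dest_account: str, amount_cents: int) -> str:
    """Code bound to the details the user confirmed: destination and amount are
    part of the MAC input, so changing either invalidates the code."""
    msg = struct.pack(">Q", counter) + dest_account.encode() + struct.pack(">Q", amount_cents)
    digest = hmac.new(seed, msg, hashlib.sha256).digest()
    code = int.from_bytes(digest[:4], "big") & 0x7FFFFFFF
    return f"{code % 1_000_000:06d}"


def malware_rewrites(txn: dict) -> dict:
    """Man-in-the-browser: the user approved `txn`, but the browser submits a
    transfer to the mule account instead, keeping whatever code was entered."""
    evil = dict(txn)
    evil["dest_account"] = MULE_ACCOUNT
    evil["amount_cents"] = 44_700_000   # the $447,000 figure from the incident
    return evil


def bank_accepts_session_otp(seed: bytes, counter: int, txn: dict) -> bool:
    """Bank checks only that a valid OTP was presented."""
    return hmac.compare_digest(txn["otp"], session_otp(seed, counter))


def bank_accepts_transaction_code(seed: bytes, counter: int, txn: dict) -> bool:
    """Bank recomputes the code over the transaction it actually received."""
    expected = transaction_code(seed, counter, txn["dest_account"], txn["amount_cents"])
    return hmac.compare_digest(txn["otp"], expected)


def demo() -> tuple:
    """Returns (tampered transfer accepted with session OTP,
                tampered transfer accepted with transaction code)."""
    counter = 17
    intended = {"dest_account": "SUPPLIER-123", "amount_cents": 125_000}  # constructed

    # Scheme 1: session OTP.  The malware rewrites the payload after the user
    # has typed the code, and the bank still sees a valid OTP.
    txn1 = dict(intended, otp=session_otp(TOKEN_SEED, counter))
    session_ok = bank_accepts_session_otp(TOKEN_SEED, counter, malware_rewrites(txn1))

    # Scheme 2: the token computes the code over the details the user confirmed,
    # so the rewritten destination and amount no longer match.
    txn2 = dict(intended, otp=transaction_code(
        TOKEN_SEED, counter, intended["dest_account"], intended["amount_cents"]))
    bound_ok = bank_accepts_transaction_code(TOKEN_SEED, counter, malware_rewrites(txn2))

    return session_ok, bound_ok


if __name__ == "__main__":
    print(demo())   # (True, False)
```

The caveat a practitioner should add: a man-in-the-browser can also alter what the user sees on screen, so the destination and amount must be shown to the user on something the malware cannot reach (a token with its own display, or an out-of-band message that spells out the recipient and amount) before the user enters the code. Binding the code to the transaction only helps if the user is confirming the real transaction.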

Wednesday, September 23, 2009

Credit card fraud might have played role in financing Mumbai terror attacks, expert suggests

Indian authorities have recovered $1,200 and several credit cards from a backpack carried by one of the terrorists who assailed ten targets in Mumbai, killing at least 172 people and injuring hundreds of others, according to press reports. The presence of the cards might signal that credit card fraud helped fund the terror attacks, Dennis Lormel, an anti-money laundering consultant who once led the Federal Bureau of Investigation's anti-terrorist financing unit, told Complinet.

The credit cards in question reportedly were issued by Citibank, HSBC, ICICI Bank, Axis Bank, HDFC Bank and State Bank of Mauritius.

"I'm interested in the potential credit card fraud as a funding source and operational support mechanism," Lormel said.

For Lormel, the possible link between credit card fraud and the Mumbai terrorist attacks is more than a fleeting interest. He has long feared that terrorists are becoming increasingly adept at generating funds through such illicit schemes; he recently wrote a white paper in which he dubbed credit card fraud a "growth industry" for terrorists.

"There is no empirical statistical data establishing the nexus between credit card exploitation and terrorism, but there are ample anecdotal case studies demonstrating how extensively terrorists rely on credit card information in furtherance of their heinous activities," Lormel wrote in his paper.

Alternative funding sources

Lormel added that a previous Complinet article examining how the Mumbai attacks might have been funded "presents interesting and viable possible funding sources."

"It's highly likely hawalas were used. Wealthy individual donors and charities could be funding sources, as pointed out. It will be interesting to determine if drugs and other criminal activities contributed. Likewise, the nexus between Dawood Ibrahim and the attack should be one of the highest investigative priorities," he said.

"The attack itself will play out to be inexpensive. The overall operation will be much costlier when you factor in the training and subsistence of the attackers and their logistical support element."

Still, Lormel conceded that it may be some time before authorities can say with any degree of certainty how the murderous rampage was funded.

"It's too early to understand the scope of the funding for the attacks," he said.