Denmark accuses Russia of hacking Defence Ministry's mail for two years

Denmark's defence minister, Claus Hjort Frederiksen, has accused Russian hackers of targeting the Defence Ministry's email accounts for the past two years, though they succeeded only on a few occasions.

According to reports published by the Centre for Cyber Security (CFCS), a group of pro-Kremlin hackers tried to break into the email accounts of the ministry's employees in 2015 and 2016.

“What’s happening is very controlled. It’s not small hacker groups doing it for the fun of it,” Frederiksen told Danish news agency Ritzau.

“It’s connected to intelligence agencies or central elements in the Russian government, and holding them off is a constant struggle.”

The group behind the attacks is said to be the same one that allegedly hacked the US Democratic Party's email accounts last year during the presidential election campaign. The group is allegedly controlled and operated by the Russian government and is tracked under several names: APT28, Pawn Storm, Sofacy and Fancy Bear.


Here is the timeline of the attacks, as published by the CFCS:

  •  March-June 2015: A small number of phishing emails were sent to specific employees of the Defence Ministry and the Foreign Ministry.

  •  April-June 2015: First attempt to steal login credentials using a fake login site imitating the Defence's email system. Several hundred phishing emails were sent to specific Defence Ministry employees.

  •  June-October 2015: A small number of phishing emails were sent to specific employees of the Defence Ministry and the Foreign Ministry.

  •  September-October 2015: Second attempt to steal login credentials, again using a fake login site; several hundred phishing emails were sent to specific Defence Ministry employees. During the same period, attempts to force entry into Defence email accounts were also discovered.

  •  February-April 2016: Reconnaissance activity against the Defence's email system and the email systems of other public authorities.

  •  April 2016: Attempts to force entry into several user accounts used for remote access to servers of several Defence IT systems. Had such a server been compromised, the attacker could potentially have gained access to and control of it.

  •  October 2016: Third attempt to steal login credentials using a fake login page; about 1,000 phishing emails were sent to specific Defence Ministry employees.




Cybersecurity at hardware level is the goal of DARPA’s new program


ARLINGTON, Va. Defense Advanced Research Projects Agency (DARPA) officials have launched a new program, System Security Integrated Through Hardware and Firmware (SSITH), that aims to stop cyber intruders at the hardware architecture and circuit level rather than relying only on software security patches. At a closed-door meeting with government contractors on April 21, the Pentagon scientists showed how such secure chips could block around 40 percent of the cyber attacks currently carried out through software.

Security at the chip level has so far received far less attention than patching software.

“This race against ever more clever cyberintruders is never going to end if we keep designing our systems around gullible hardware that can be fooled in countless ways by software. The SSITH program will complement DARPA software security efforts like High-Assurance Cyber Military Systems (HACMS) and the Cyber Grand Challenge (CGC) by taking advantage of new technologies to develop integrated circuits that are inherently impervious to software end-runs,” said SSITH program manager, Linton Salmon of the Agency’s Microsystems Technology Office.

DARPA reckons too many vulnerabilities arise from hardware design errors, so it wants researchers to propose better hardware-level security mechanisms. Intel's Software Guard Extensions (SGX), for instance, is a favourite target of researchers crafting proof-of-concept attacks against the architecture.

The $50 million program is initially looking for research proposals that lay out how the design tools will work and what microchip security architecture they will build. Later phases will involve building and testing prototypes and demonstrating that the tools can be scaled to mass production.

SSITH specifically targets the seven classes of hardware vulnerabilities listed in the Common Weakness Enumeration (CWE), a community-developed catalogue of security weaknesses that is familiar to the IT security community: permissions and privileges, buffer errors, resource management, information leakage, numeric errors, crypto errors, and code injection. Researchers have documented some 2,800 software exploits that took advantage of one or more of these hardware weaknesses, all seven of which are present in various forms in the integrated circuitry of electronic systems around the world.

DARPA says it is looking for “innovative approaches that enable revolutionary advances in science, devices, or systems.” The strategic challenge for SSITH participants is to develop new integrated circuit (IC) architectures that lack today's software-accessible points of illicit entry, yet retain the computational functions and high performance the ICs were designed to deliver. DARPA wants designers to “limit the permitted hardware to states that are assured to be secure”, without sacrificing performance.

The idea is to break the cycle of fixing vulnerabilities through software updates, even when what’s ultimately being exploited is a security weakness in the hardware.

Another goal of the program is to develop design tools that would become widely available, so that hardware-anchored security eventually becomes a standard feature of ICs in both Defense Department and commercial electronic systems. The anticipated 39-month program covers the development and demonstration of hardware architectures, plus techniques to measure the security of new hardware designs, including trade-offs in performance, power efficiency and circuit area.

Carder Fly, who sent heroin to journalist Brian Krebs, sentenced to 41 months in prison

Black hat hackers have seriously disliked journalist Brian Krebs for many years. Krebs is one of the veterans of computer security journalism, known for his investigations and exposés. Information he has collected has helped bring many hacking groups to light. Krebs often hands what he gathers to law enforcement, and he publishes large-scale exposés on his blog, de-anonymising criminals and explaining step by step how he did it.

One recent example: Krebs exposed the vDos DDoS-for-hire operation (after which his website was subjected to a prolonged DDoS attack from IoT devices with a capacity of 620 Gbit/s), and he built a structured case for who ran the recently closed breach-data aggregator LeakedSource.

Naturally, hackers dislike Krebs's work and his publicity, and they have taken revenge on him for years. They sent a SWAT team to his home, took out $20,000 of credit in his name, transferred $1,000 to his PayPal account from stolen payment cards, compromised his PayPal account more than once, and tried to transfer money from it to a terrorist organisation (DAESH, banned in Russia). Malware authors have also mentioned Brian Krebs in the code of their programs.

But one hacker, known under the pseudonyms Fly, Flycracker and MUXACC1 (as well as Tomas Rimkis, Flyck, Centurion, Stranier and Darklife), a Ukrainian citizen named Sergei Vovnenko, pursued Krebs with particular zeal. In 2013 Vovnenko came up with a new "set-up". On the closed carding forum thecc.bz he announced a fundraiser to buy one gram of heroin. The plan was to send the drug to Brian Krebs by post and, before delivery, to tip off the local police that Krebs was a junkie about to receive heroin in the mail.

The "jokers" collected 1.6532 BTC, bought 12 bags of heroin with it (10 plus 2 as a bonus) and really did send them to Krebs. On Monday, July 29, 2013, the parcel was delivered to his address. The packets of drugs were hidden in an envelope glued to the back cover of a Chicago Tribune magazine.

However, Fly and his accomplices did not know that Brian Krebs had infiltrated thecc.bz long before and was secretly watching the fundraiser and the avengers' entire "operation". The journalist warned the local police in advance that drugs were about to be sent to him and gave law enforcement all the information. As soon as the parcel was delivered, Krebs called the police, who confiscated it for analysis.

But Fly did not stop there. He published Krebs's email address, photos of his house and other private information, and then sent a funeral wreath to the journalist, addressed to Krebs's wife, with an unambiguously threatening message.

After that, Brian Krebs took an interest in Fly's identity. With the help of Group-IB specialists, the journalist conducted a thorough investigation and eventually identified 28-year-old Sergei Vovnenko, who lived with his wife and child in Naples, Italy. Krebs handed all the information about Vovnenko to the authorities; as a result the carder was arrested in 2014 and, after about 15 months, extradited to the United States. Vovnenko even sent Krebs Christmas cards from prison, apparently having repented.

However, Vovnenko was prosecuted not so much for his attacks on Brian Krebs as for his carding activities. According to court documents, Fly operated a Zeus botnet that eventually infected more than 13,000 devices. The hacker and his accomplices stole confidential information from the infected machines, including bank card data and payment system credentials, and resold it on underground carding forums.

On February 17, 2017, Brian Krebs reported that the Fly case had finally concluded. Vovnenko, who pleaded guilty last year, was sentenced to 41 months in prison and ordered to pay $83,368 in restitution for the damage he caused. The carder has already served most of that time awaiting trial, so Vovnenko will be released very soon.

U.S. prosecutors demand 30-year prison sentence for Russian hacker Seleznev

US prosecutors are demanding 30 years in prison for Russian citizen Roman Seleznev, who has been convicted of cyber fraud. It would be the longest sentence handed down for cybercrime in the US.

According to the case file, prosecutors said a 30-year sentence is sufficient, while noting that the gravity of the Russian hacker's crimes could have warranted life imprisonment.

The prosecution also noted that before the trial Seleznev refused to cooperate with the investigation, and urged the court to disregard the admission of guilt the defendant made after the verdict.

As a reminder, in August 2016 a jury convicted Seleznev on 38 of 40 counts, including cyber fraud and aggravated identity theft.

Seleznev has since admitted the crimes. "I accept full responsibility for everything. I am afraid of punishment. (...) I want to say I was wrong and I apologize," he wrote in a letter addressed to the court.

He also promises that when he gets out of jail he will work honestly to "pay my debt to victims and society."

The prosecution put the damage caused by Seleznev at about $170 million: about 1.7 million credit card numbers, with full details, were found on the hacker's computer in 2014.

US Secret Service agents detained Seleznev in the Maldives in 2014. Russia responded by placing four US Justice Department employees on a sanctions list, describing the American action as kidnapping and a violation of international law.

It is worth noting that Roman Seleznev is the son of the prominent Russian politician Valery Seleznev, who told the RIA Novosti news agency: "My son was tortured, because being in jail in a foreign country after an abduction is torture in itself. He is innocent."

Chrome, Firefox and Opera are vulnerable to phishing technique and Unicode in domain names

Chinese researcher Xudong Zheng has warned that the Chrome, Firefox and Opera browsers are vulnerable to a virtually undetectable phishing attack. With it, attackers can register fake domains that are practically indistinguishable from the real ones of Apple, Google, eBay, Amazon and many other companies and services. The technique Zheng describes has its origins in 2001, when homograph attacks were first described.

ICANN decided some years ago to allow non-ASCII (Unicode) characters in domain names. ICANN's specialists understood the fraud risk, because many Unicode characters look almost identical: a good example is Cyrillic а (U+0430) versus Latin a (U+0061). For this reason, domain names are carried in the DNS as Punycode rather than raw Unicode: the Chinese domain 短.co, for instance, becomes xn--s7y.co on the wire, so that no confusion or unnecessary problems arise.

Zheng writes that browser vendors chose to convert Punycode URLs back into Unicode characters for display by default, but it quickly became clear that Punycode could be used to disguise phishing sites, making it easier for them to impersonate legitimate resources. For example, if an attacker registers the domain xn--pple-43d.com, it displays as apple.com, except that the letter "a" is Cyrillic. This is the homograph attack. Browser vendors countered with filters that convert an address to Unicode only if the Punycode URL contains characters from a single script (that is, the address consists only of Chinese characters, only of Cyrillic characters, and so on).

But the researcher found that modern browsers can still be fooled. He invites everyone to visit https://www.аррӏе.com/ and see for themselves. The domain that the browser shows as the legitimate apple.com is actually xn--80ak6aa92e.com: the word "apple" is written entirely in Cyrillic characters, so the browser's single-script filter never fires. The spoof can only be detected by inspecting the certificate details, which show the real domain name.

Chrome, Firefox and Opera (including Opera Neon) are vulnerable to this attack. Edge, Internet Explorer, Safari, Vivaldi and Brave, on the other hand, display the Punycode URL and so protect their users.

Zheng reports that he contacted Google and Mozilla on January 20, 2017. Google's engineers have already fixed the problem in Chrome Canary 59, and the full fix will ship in Chrome Stable 58, expected on 25 April 2017. Mozilla has not yet prepared a fix; in the meantime Firefox users are advised to turn off the Unicode display of IDNs: type about:config in the address bar and set network.IDN_show_punycode to true.
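The checks described above, as an added example rather than Zheng's or any browser's code: Punycode encoding of a label (RFC 3492, via Python's punycode codec), the single-script filter that the all-Cyrillic аррӏе slips past, and a stricter rule, assumed here for illustration, that also refuses to display a label whose letters are all Cyrillic lookalikes of Latin letters. The lookalike table is a partial, hand-picked assumption, not a complete Unicode confusables list.

```python
"""IDN homograph checks (added example; the lookalike table and the display
rule are illustrative assumptions, not a browser's actual implementation)."""
import unicodedata

# Cyrillic letters that render like Latin letters in common fonts (partial, assumed)
CYRILLIC_LOOKALIKES = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "ӏ": "l",  # U+04CF palochka, the "l" in xn--80ak6aa92e.com
    "і": "i", "ј": "j", "ѕ": "s", "ԁ": "d", "ԛ": "q", "ԝ": "w", "һ": "h",
}


def to_ace(domain):
    """ASCII-compatible form: each non-ASCII label Punycode-encoded with the xn-- prefix."""
    out = []
    for label in domain.lower().split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def script_of(ch):
    """Script of a character, taken from the first word of its Unicode name;
    digits and hyphens count as COMMON so they never break a single-script label."""
    if not unicodedata.category(ch).startswith("L"):
        return "COMMON"
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def scripts(label):
    return {script_of(c) for c in label} - {"COMMON"}


def single_script(label):
    """The filter the page describes: Unicode is shown only if one script is used."""
    return len(scripts(label)) <= 1


def whole_label_confusable(label):
    """Every letter is a Cyrillic lookalike of a Latin letter, the case single_script misses."""
    return scripts(label) == {"CYRILLIC"} and all(
        c in CYRILLIC_LOOKALIKES or script_of(c) == "COMMON" for c in label)


def latin_skeleton(label):
    """Map lookalikes to Latin so 'аррӏе' can be compared against 'apple'."""
    return "".join(CYRILLIC_LOOKALIKES.get(c, c) for c in label)


def display_form(domain):
    """What an address bar should show: Unicode only when a label passes both checks,
    otherwise the xn-- form so the user sees that something is off."""
    shown = []
    for label in domain.lower().split("."):
        if label.isascii() or (single_script(label) and not whole_label_confusable(label)):
            shown.append(label)
        else:
            shown.append(to_ace(label))
    return ".".join(shown)


if __name__ == "__main__":
    for host in ("www.аррӏе.com", "аpple.com", "短.co", "apple.com"):
        print(f"{host:16} wire={to_ace(host):26} shown={display_form(host)}")
```

The mixed-script аpple.com fails the single-script test, as the page says; www.аррӏе.com passes it and is caught only by the whole-label lookalike rule, which is why the example shows it in Punycode form.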

MilkyDoor Android Malware accesses secure corporate networks


A new Android malware family, named MilkyDoor, uses remote port forwarding over Secure Shell (SSH) tunnels, encrypting its traffic to hide it, to give attackers access through the firewall to a variety of enterprise services, from web and FTP to SMTP. All of this happens without the user's knowledge or consent. The access can then be used to probe internal IP addresses and scan for available, and vulnerable, servers.

Around 200 unique Android apps on Google Play, with between 500,000 and a million installs, have been found carrying the malware. Among them is Hairstyles step by step; hundreds of other programs, including children's books and doodle apps, were also infected. It appears the criminals took most if not all of these apps, repackaged them with the malware and uploaded them to the Play Store.

Security researchers from Trend Micro, the ones who discovered MilkyDoor, say they reported the apps to Google, which promptly removed them from their official app store.

MilkyDoor is similar to DressCode in its routines and techniques. DressCode was an Android malware family that affected enterprises by infecting mobile devices connected to their networks. Like MilkyDoor, DressCode evaded Google Play's security scans, reaching the store on two separate occasions, in August and September 2016.

The main difference between the two is that DressCode relied on SOCKS proxy servers to give attackers access to internal company networks, whereas MilkyDoor creates an SSH tunnel.

MilkyDoor is an improved version of DressCode. The malicious code runs as a process called android.process.s, disguised as an Android system package so as not to draw attention while running. After the Trojanized app is installed, MilkyDoor queries a third-party service, which Trend Micro tracked as freegeoip[.]net, to obtain the device's IP address and location (country, city and longitude/latitude). It then uploads this information to its command-and-control (C&C) server, which replies with JavaScript Object Notation (JSON) data containing an SSH server's user name, password and host. The malware's operators use Java Secure Channel (JSch), a common pure-Java implementation of SSH2, to establish the SSH tunnel between the infected device and the attacker.

In other words, these routines allow MilkyDoor's attackers to evade security solutions set up by an organisation and leverage infected devices to breach the company's internal network. From there, they scan for vulnerable servers, possibly with the intention of holding databases for ransom.

In-depth analysis of the malicious code in the software development kit (SDK) integrated into the apps indicates they were updated versions (1.0.6). Tracing the malware and the SDK showed that they were distributed as early as August 2016. Earlier iterations were adware integrators; the backdoor capabilities were added in version 1.0.3.

Because the tunnel hides the attacker's traffic, the only reliable way to stop MilkyDoor is to detect the malware on the device before or during installation, so users are advised to run a mobile security solution on their smartphones. Enterprises are advised to apply firewall rules to BYOD devices and networks so that internal systems cannot be reached over uncommonly used ports such as port 22. Users should also be wary of suspicious apps and keep their mobile operating systems up to date.
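Since the page's advice is a network control on port 22, here is detection logic for the behaviour it describes, written as an added example (not Trend Micro's code) and run over constructed flow records. The log format, the BYOD subnet, the thresholds and the addresses are assumptions; freegeoip.net is the lookup named on the page. A BYOD device opening outbound SSH to an external host scores low on its own, higher if a geolocation lookup preceded it, and highest if the same device then fans out to many internal hosts, which is what the attacker's scans look like when they arrive through a remote port forward on the device.

```python
"""Flag MilkyDoor-style SSH tunnels from a BYOD segment (added example, constructed data)."""
import ipaddress
from datetime import datetime, timedelta

BYOD_NET = ipaddress.ip_network("10.20.0.0/16")      # assumed guest/BYOD segment
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
GEOIP_HOSTS = {"freegeoip.net"}                      # the lookup the page says the malware makes first
GEOIP_WINDOW = timedelta(minutes=10)                 # assumed: lookup this close before the SSH flow
SCAN_WINDOW = timedelta(minutes=30)                  # assumed: fan-out this soon after the tunnel opens
SCAN_THRESHOLD = 5                                   # assumed: distinct internal targets that count as a scan

# Constructed records: "<timestamp> <src> <dst> <dport> <proto> <tls-sni-or-http-host|->"
SAMPLE_LOG = """\
2017-04-21T09:00:01Z 10.20.5.17 198.51.100.8 443 tcp freegeoip.net
2017-04-21T09:00:03Z 10.20.5.17 203.0.113.23 8080 tcp -
2017-04-21T09:00:05Z 10.20.5.17 203.0.113.23 22 tcp -
2017-04-21T09:02:00Z 10.20.5.17 10.0.1.10 21 tcp -
2017-04-21T09:02:01Z 10.20.5.17 10.0.1.11 21 tcp -
2017-04-21T09:02:02Z 10.20.5.17 10.0.1.12 3306 tcp -
2017-04-21T09:02:03Z 10.20.5.17 10.0.1.13 445 tcp -
2017-04-21T09:02:04Z 10.20.5.17 10.0.1.14 25 tcp -
2017-04-21T09:01:10Z 10.20.5.42 192.0.2.9 443 tcp mail.example.com
2017-04-21T09:05:00Z 10.20.5.42 192.0.2.9 22 tcp -
2017-04-21T09:06:00Z 10.0.0.5 10.0.0.10 22 tcp -
"""


def parse_flow(line):
    ts, src, dst, dport, proto, host = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto, "host": None if host == "-" else host}


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def find_ssh_tunnels(log_text):
    """Return one finding per outbound SSH flow from a BYOD device to an external host."""
    flows = sorted((parse_flow(l) for l in log_text.splitlines() if l.strip()),
                   key=lambda f: f["ts"])
    findings = []
    for i, f in enumerate(flows):
        outbound_ssh = (f["src"] in BYOD_NET and f["proto"] == "tcp"
                        and f["dport"] == 22 and not is_internal(f["dst"]))
        if not outbound_ssh:
            continue
        # 1. the device looked up its own location shortly before connecting
        geoip = any(g["src"] == f["src"] and g["host"] in GEOIP_HOSTS
                    and timedelta(0) <= f["ts"] - g["ts"] <= GEOIP_WINDOW
                    for g in flows[:i])
        # 2. after the tunnel opens, the device starts touching many internal hosts
        targets = {g["dst"] for g in flows[i + 1:]
                   if g["src"] == f["src"] and is_internal(g["dst"])
                   and g["ts"] - f["ts"] <= SCAN_WINDOW}
        score = 1 + int(geoip) + int(len(targets) >= SCAN_THRESHOLD)
        findings.append({"device": str(f["src"]), "ssh_server": str(f["dst"]),
                         "at": f["ts"].isoformat(), "geoip_lookup_before": geoip,
                         "internal_targets": len(targets),
                         "severity": {1: "low", 2: "medium", 3: "high"}[score]})
    return findings


if __name__ == "__main__":
    for finding in find_ssh_tunnels(SAMPLE_LOG):
        print(finding)
```

On the constructed log, 10.20.5.17 is rated high (geolocation lookup, then SSH out, then five internal hosts probed within two minutes), while 10.20.5.42's lone outbound SSH session is rated low, and the admin host 10.0.0.5 is ignored because it is not on the BYOD segment. A blanket rule denying port 22 out of the BYOD segment, as the page recommends, would have stopped both tunnels before any scoring was needed.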

Mobile malware’s disruptive impact on enterprises continues to see an uptick in prevalence as mobile devices become an increasingly preferred platform to flexibly access and manage data.

Facebook, Twitter, and Snapchat paying hackers to find technical glitches

Facebook, Twitter and Snapchat have found an unusual way to track down bugs. It may surprise you, but they pay hefty sums to white hat hackers around the world to keep them informed about the bugs in their systems.

Between them, these tech giants spend around £156,000 every day to keep their systems bug-free.

One of these hackers is Jake Davis, known online as Topiary, a former black hat hacker who was arrested in 2011 and now works for the big tech companies.

Explaining his work to Newsbeat, he said he is now paid by the likes of Twitter to hack their website: "Twitter have paid me for disclosing bugs to them. It's very simple."

According to him, the hackers would happily do this work even if they were not paid, so the money is just a bonus. For them, the main reward is "kudos from other hackers. They're good at hacking, and they want to be seen to be good at the thing."

The larger tech companies are more generous with their payouts. "Facebook are particularly good, they have got a £500 minimum for disclosing bugs to them," says Jake.

He says Twitter has so far paid $800,000 (£625,000) to 642 hackers.

Teenage hacker makes £400,000 from DDoS tool used to attack hundreds of organisations


Adam Mudd, a teenage hacker from Hertfordshire, created the Titanium Stresser tool at the age of 16 and sold it to cyber criminals across the world, who used it to launch 1.7 million attacks. The tool carried out distributed denial of service (DDoS) attacks, crashing target websites and computers by flooding them with data. Using the username themuddfamily, Mudd also carried out 594 attacks himself against 181 victims over 18 months, including one on his own college, West Herts, and attacks on 70 other schools and colleges.

Mudd, now 20, pleaded guilty at an earlier hearing in October to three offences: two under the Computer Misuse Act, including impairing the operation of computers, and one of concealing criminal property (money laundering). He is facing jail.

He made about £380,000 between September 2013 and March 2015 by selling the software, which cost its victims, among them schools, the universities of Cambridge, Essex and East Anglia, the gaming services RuneScape, Minecraft and Xbox Live, the gamers' voice-chat tool TeamSpeak and other businesses, millions of pounds in defending themselves. The court heard there were about 25,000 attacks on the fantasy game RuneScape, 1.4 percent of the total, and that the company that owns it has spent £6m over the last four years defending itself.

The program had 112,298 registered users, who carried out attacks on over 666,000 IP addresses, nearly 53,000 of them in the UK. Mudd received a total of £240,153.66 and 249.81 bitcoins, worth £386,079 in all. He is expected to be sentenced next week.

Mudd, who lived with his parents in Kings Langley, was said to have been more interested in his online status than in the money his software brought in.

The computer science student, who has Asperger syndrome and was described as "lost in an alternate reality", wrote the program in September 2013 after being withdrawn from school to avoid bullying, the Old Bailey heard. He developed the software from his bedroom. Since his arrest Mudd has been offline for two years, a real punishment for any computer-obsessed teenager.

Mudd was in his bedroom when he was arrested at his home in Toms Lane, Kings Langley, in March 2015, and he refused to unlock his computer until his father intervened.

The court hearing coincided with a report by the National Crime Agency which found that teenage hackers are motivated more by idealism and impressing their friends than obtaining money.

Teenage hacker with Asperger syndrome faces jail

A teenage hacker who made almost £400,000 by coding and selling a tool used to launch 1.7 million attacks on websites around the world is now facing jail.

Adam Mudd, now 20, who lived with his parents in Kings Langley, Hertfordshire, was more interested in online social status than in the money from selling his Titanium Stresser software, which crashes websites and computers by flooding them with data.

The computer science student started coding and distributing the denial of service (DDoS) software to criminals when he was just 16. He began writing the program after being withdrawn from school to avoid bullying; he has Asperger syndrome.

He used the program himself to carry out some 600 attacks on networks operated by schools, colleges, the universities of Cambridge, Essex and East Anglia, and others.

In all, he received £240,153.66 and 249.81 bitcoins, worth £386,079 together. He operated under the username themuddfamily.

Last October, Mudd admitted computer hacking and money laundering.

Hackers using Pixel tracking to gather Pre-Hack data


A simple email-marketing trick used by marketers and advertisers to track web users and email recipients is also being abused by cybercriminals and online spies to gather information on potential targets and to improve the efficiency of phishing attacks, both mass and targeted.

“We’ve seen a lot more use of this tactic recently as a probing or information-gathering tool,” by phishers and other cyber criminals, said Donald Meyer of Check Point Software Technologies Ltd.

Pixel tracking is a decades-old email-marketing technique that embeds a one-by-one-pixel image, usually transparent or the same colour as the email's background, so that recipients rarely notice it. Tracking pixels, or web beacons, are fetched when a user opens an email or visits a web page (unless the mail client blocks remote images), which tells the sender that one of its emails has been opened.

With markup as simple as <img src="http://example.com/cgi-bin/program?e=email-address">, the marketing tool is pinged whenever someone's client downloads the image, and the query string tells it whose copy was opened.

Because of the way most mail clients and web browsers work, a tracking pixel, once fetched, can report the user's email address (from the URL), operating system, device, software, IP address, hostname, cookie settings, whether webmail is used, and the date and time the email was opened. Email marketers use this data to measure the effectiveness of their campaigns; advertisers also use it to compile data about the hardware and software their targets employ.

Unfortunately, everything that makes tracking pixels great for marketers and advertisers (unobtrusiveness, automation and the amount of data captured) also makes them great for attackers' reconnaissance. Using the same trick, an attacker who gets hold of this information can use it to craft malicious campaigns.

"In phishing attacks, tracking pixels can be used to learn which recipients are most likely to open scam emails. Since some scammers retool mass phishing attacks against random users to target high-value enterprise users, scammers are turning to pixel tracking to increase the odds a spear phishing attack will succeed.... Our security researchers have already discovered tracking pixels being used in the wild as a surveillance tool to gather information for use in phishing scams," explained Meyer in a blog post on Monday (April 17).

Check Point detected tracking pixels used in a phishing campaign back in August 2016 (in the screenshot accompanying the post, red "X"s mark where the pixels sat; the email security tools prevented them from loading). Hackers trying to break into a network first have to explore its architecture to find points of entry and ways to move around undetected. During this reconnaissance stage, an attacker will often send phishing emails to map out the network, locate potential weak points and work out who in the organisation is most likely to open suspicious-looking mail and click on links or attachments.

Furthermore, if a company's employees are all using webmail clients, it is quite possible that the company relies on a managed cloud service for many of its internal operations. An attacker who can identify that cloud platform can then hone future attacks around vulnerabilities in it.

Fortunately, it's not difficult to protect against this sneaky threat.

Unlike a full-fledged hacking attack, this kind of reconnaissance involves no executable code and generally stays under the security radar. Mail clients should be configured not to download images automatically. To counter the threat, deploy email and anti-phishing security controls as part of your cloud-security arsenal. Continuous patch management and a healthy dose of scepticism about emails containing anomalous image placeholders go a long way, too.
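The whole pixel-tracking loop described in this piece, as an added example and not Check Point's code: the beacon a sender embeds (with a per-recipient token instead of the bare email address of the page's snippet), the record the collector builds from one image fetch, and a scanner that flags beacon-like images in an incoming HTML email, the "anomalous image placeholders" the closing advice refers to. The collector host, secret, recipients, request and email body are all constructed for the example.

```python
"""Tracking pixel end to end: embed, collect, and detect (added example, constructed data)."""
import hashlib
import hmac
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

BEACON_HOST = "track.example.com"      # assumed collector host
SECRET = b"assumed-campaign-secret"    # assumed; keeps tokens unforgeable by third parties


def recipient_token(email):
    """Per-recipient token: identifies the address without exposing it in the URL."""
    return hmac.new(SECRET, email.lower().encode(), hashlib.sha256).hexdigest()[:16]


def make_beacon(email, campaign="c1"):
    """The hidden 1x1 <img> a sender embeds; every recipient gets a unique URL."""
    return (f'<img src="https://{BEACON_HOST}/p.gif?c={campaign}&amp;t={recipient_token(email)}"'
            ' width="1" height="1" style="display:none">')


def parse_hit(request_line, headers, remote_addr, seen_at, recipients):
    """What the collector learns from one fetch of the pixel."""
    path = request_line.split()[1]
    query = parse_qs(urlsplit(path).query)
    by_token = {recipient_token(e): e for e in recipients}
    return {
        "recipient": by_token.get(query.get("t", [""])[0]),   # who opened it
        "campaign": query.get("c", [None])[0],
        "ip": remote_addr,                                     # network location
        "user_agent": headers.get("User-Agent"),               # OS, client, webmail or not
        "opened_at": seen_at,                                  # date and time of opening
    }


class BeaconScanner(HTMLParser):
    """Flag <img> tags that look like beacons: remote, tiny or hidden, or carrying a
    query string to a host that is not on the trusted list."""

    def __init__(self, trusted_hosts=()):
        super().__init__()
        self.trusted = set(trusted_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        u = urlsplit(src)
        if u.scheme not in ("http", "https"):
            return                                   # cid:/data: images cannot phone home
        reasons = []
        if a.get("width") in ("0", "1") or a.get("height") in ("0", "1"):
            reasons.append("1x1 image")
        if "display:none" in (a.get("style") or "").replace(" ", ""):
            reasons.append("hidden")
        if u.query and u.hostname not in self.trusted:
            reasons.append(f"query string to untrusted host {u.hostname}")
        if reasons:
            self.findings.append((src, reasons))


def find_beacons(html, trusted_hosts=()):
    scanner = BeaconScanner(trusted_hosts)
    scanner.feed(html)
    return scanner.findings


# Constructed email body: a normal logo plus a beacon addressed to alice
RECIPIENTS = ["alice@example.com", "bob@example.com"]
SAMPLE_EMAIL = ('<p>Quarterly report attached.</p>'
                '<img src="https://cdn.example.com/logo.png" width="200">'
                + make_beacon("alice@example.com"))

if __name__ == "__main__":
    token = recipient_token("alice@example.com")
    print(parse_hit(f"GET /p.gif?c=c1&t={token} HTTP/1.1",
                    {"User-Agent": "Mozilla/5.0 (Windows NT 10.0) Outlook/16.0"},
                    "203.0.113.7", "2017-04-17T10:15:00Z", RECIPIENTS))
    for src, why in find_beacons(SAMPLE_EMAIL, trusted_hosts={"cdn.example.com"}):
        print("beacon:", src, why)
```

The scanner is the client-side counterpart of "don't auto-load images": it lets the logo from a trusted CDN through and flags the track.example.com image on three counts at once, which is the signature a mail gateway can act on before any image request leaves the network.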