Hackers used Xtreme RAT malware to gain access to Israeli Defense computer



 
Seculert, an Israeli cyber security firm, told Reuters that hackers gained access to an Israeli Defense Ministry computer by sending a malicious email carrying the Xtreme RAT.

Seculert CTO Aviv Raff told Reuters that earlier this month the hackers took control of around 15 computers, including the Israeli Civil Administration computer that monitors Palestinians in the Israeli-occupied territories.

The firm declined to identify the other 14 computers targeted. An anonymous source told Reuters they included companies involved in supplying Israeli defense infrastructure.

The latest attack appeared to originate from US servers. However, the researchers noticed similarities to previous attacks, and the firm suspects Palestinian actors are behind it.

The firm had not determined what the hackers did after gaining access. It believes they had access to the infected computers for several days.

Xtreme RAT is a remote access trojan that gives the attacker complete control of an infected system: the attacker can steal any document or execute further malware on the machine.

The same malware has been used in several other targeted attacks, including ones against the Israeli police, Syrian anti-government activists and other governments.

No, your fridge is not sending spam emails - they are innocent

A recent report from security firm Proofpoint claiming that "Internet connected refrigerators are participating in a massive cyber attack" has been one of the hot topics in information security.

The report said that a global campaign of more than 750,000 malicious emails relied on over 100,000 consumer gadgets such as routers, multimedia systems, TVs and refrigerators.

However, a more recent report from Symantec says that "Internet of Things" devices, including the Internet-connected fridge, were not the source of this spam campaign.

Symantec traced the spam to several Windows-based computers; none of it originated from a non-Windows system.

"If your refrigerator uses a feature known as port forwarding and someone contacts the IP address on port 80, that traffic is allowed to reach your smart refrigerator," the Symantec report reads.

"Viewed from outside, all you will see is the refrigerator and you may not even realize there is a router with potentially many other devices behind it, such as an infected computer." Symantec's researchers explained that this is probably why the earlier analysis mistakenly identified the IoT devices as the source: the spam left the home network through the same public IP address that the port-forwarded fridge answers on, so a scan of that address finds a fridge, not the infected PC behind the NAT.

Even though IoT devices such as fridges are innocent this time, experts say we can expect them to be exploited by cyber criminals in the future. Researchers also pointed out that there is already some malware targeting Linux-based IoT devices.

NatWest online banking service hit by DDoS attack


A cyber attack aimed at disrupting NatWest's online banking left customers unable to access their accounts online. The website suffered a distributed denial of service (DDoS) attack.

"Due to a surge in internet traffic deliberately directed at the NatWest website, some of our customers experienced difficulties accessing our customer web sites this evening," a NatWest spokesperson said, as quoted by the Mirror.

"We have taken the appropriate action to restore the affected web sites. At no time was there any risk to customers. We apologise for the inconvenience caused."

This is not the first time the NatWest website has come under cyber attack. Earlier this month, all of RBS and NatWest's systems went down for a few hours.

It is still unknown who is responsible for this attack. Bank customers blamed the bank for being unable to access their accounts.

US retail giant Target targeted by hackers, 40 million credit cards at risk

 

US retail giant Target has confirmed it was the victim of a cyber attack that may have compromised payment details for approximately 40 million credit and debit card accounts.

The information involved in the breach includes customer name, credit or debit card number, CVV and expiration date.

According to Target's statement, the breach may affect customers who made credit or debit card purchases in its U.S. stores between November 27 and December 15, 2013.

"We want to stress that we regret any inconvenience or concern this incident may cause you. Be assured that we place a top priority on protecting the security of our guests' personal information," the statement reads.

The retailer said it immediately alerted authorities and financial institutions and is partnering with a leading forensics firm to investigate the breach.

Puthiyathalaimurai website hacked by same hacker as JayaTV and AIADMK site

A Pakistani hacker going by "H4$N4!N H4XOR", a member of "Pakistan Haxors Crew", who earlier hacked the JayaTV and AIADMK websites, has now hacked the Puthiyathalaimurai website again and left the following message:




" Security Breach!
Hello Admin, I Hack AIADMAK website & jaya Tv So Kick Out That Innocent Kid From The Jail.
Your Site Security Is 0% And Easy To F***k,
PATCH YOUR SECURITY! "

He was referring to the recent arrest of P. Eswaran by the Central Crime Branch on suspicion of hacking the AIADMK site. Eswaran said he was only trying to fix the vulnerability, and this hack seems to support that. The Pakistani hacker who originally posted about the defacements is still active.

Though Eswaran was only trying to protect the website, what he did is still illegal under Section 66 of the IT Act. It will be interesting to see how the case plays out in court, since it is the first of its kind.

Notorious Stuxnet malware infected Russian Nuclear Plant, claims Eugene Kaspersky

 

The notorious Stuxnet malware, widely believed to have been developed by the US and Israel to target Iran's nuclear facilities, managed to "badly" infect the internal network of a Russian nuclear power plant.

Eugene Kaspersky, founder of the Russian antivirus company Kaspersky, said a friend working at an unnamed nuclear plant told him that the plant's network, which was disconnected from the internet, had been badly infected by Stuxnet.

"So unfortunately these people who were responsible for offensive technologies, they recognise cyber weapons as an opportunity," SC Magazine quoted Kaspersky as saying.

"All the data is stolen," Kaspersky said. "At least twice."

This is the first time Stuxnet has been reported infecting a major nuclear plant outside its intended target in Iran.

Pakistan Army website and Facebook fan pages hacked by Indian Hacker


If you are a regular reader of EHN, you know this is not the first time the Pakistan Army website has come under cyber attack. Once again, Indian hacker "Godzilla" breached the Pakistan Army website.

Speaking to E Hacking News, the hacker said he hacked into "pakistanarmy.gov.pk" and planted a malicious PDF file disguised as a magazine.


The admin opened the PDF exploit, which infected his computer with malware. With the admin's machine under his control, the hacker was able to take over the Facebook fan pages.

The hacker deleted the following Facebook fan pages: the Pakistan Army Official Facebook Page (www.facebook.com/OfficialPakArmy), the Pakistan Army Officers Club Facebook Page (www.facebook.com/fb.paoc) and the Pakistan Army Fan Facebook Page (www.facebook.com/pakarmyfanpage).

He claimed the admin removed the login page of the CMS used by the website but failed to remove the backdoor.

"Now no more deals, if you can fire then we can bombard. You are punished for breaking ceasefire; we are coming for you," the hacker stated as the reason for the attack.

The website and Facebook pages had been recovered at the time of writing. It also appears the admin of the Facebook pages blocked India from accessing them.

You can find more proof and details about the hack here:
http://pastebin.com/3jkp6k2e

Hackers tried to Turn off the Lights at 2012 London Olympics Ceremony


Security specialists have disclosed that the 2012 London Olympics opening ceremony could have come under cyber attack.

The threat was that the lights could have been turned off during the ceremony. Although the attack did not take place, thanks in part to extensive precautions, it would have been a major incident.

The primary response to the threat came from the Olympic Cyber Co-ordination Team (OCCT), based at MI5 headquarters in Thames House, as reported by BBC News.

On the afternoon before the ceremony, after their meeting, officials reported that they were fully confident they could deal with the threat if it materialised.

"There was a suggestion that there was a credible attack on the electricity infrastructure supporting the Games," Olympic cyber security head Oliver Hoare told the BBC.

Hoare was also told that if the lights went down they could be brought back within 30 seconds, but 30 seconds is a long time in the context of the Olympics.
Though nothing actually happened and the nature of the threat remains unclear, it is worth reflecting on.

Author: Shalini Bhushan 

New Trojan targeting South Korea sets Anonymous Wallpaper in infected system

After publishing details of a new DDoS attack carried out by a group called "DarkSeoul" against South Korean sites, Symantec researchers have come across a new piece of malware designed to wipe the disks of infected systems.

The malware, detected as Trojan.Korhigh, is capable of deleting files and overwriting the Master Boot Record (MBR). It can also change user passwords to "highanon2013" and delete specific file types, including .asp, .html, .php and .jsp.

Interestingly, the cybercriminals behind the malware designed the Trojan to change the wallpaper of compromised computers to an Anonymous image.



The Trojan also attempts to gather system information, including OS version, computer name and current date, and sends it to a remote server.

#OpTurkey: Turkish Prime Minister and government websites hacked by Hacktivists


Anonymous hacktivists and the Syrian Electronic Army (SEA) carried out a series of cyber attacks against the Turkish government following police violence against peaceful protesters.

An Anonymous hacker with the Twitter handle @AnonsTurkey and the SEA group breached the official Prime Ministry website (basbakanlik.gov.tr) and compromised data from the server.

"Turkish Gezi Resistance is one of the most noble social uprisings in recent history. The Turkish people, the women, the children, the young and the old, long oppressed by the all powerful regime, are now well awake. Fear changed sides: the Turkish people are not afraid, the oppressors are. Turkish people are realizing their potential as free human beings, and unbeforeseen soul healing is happening," Anonymous said in today's press release.

Anonymous is said to have compromised email addresses, passwords and phone numbers, but did not share any of the data. Meanwhile, the Syrian Electronic Army attacked the same website and leaked more than 60 email addresses and passwords.

The hacktivists reportedly hacked a number of government websites, including kys.rshm.gov.tr and gatab.gov.tr.

Earlier today, Deputy Prime Minister Bulent Arinc apologised for the police response to the initial protests. However, Turkish protesters rejected the government's apology and continued protesting.

#OpSaudi : Anonymous launched cyber attack on Saudi Government site


The Saudi branch of the Anonymous hacktivist collective has launched a cyber attack on Saudi government websites under the name "#OpSaudi". Several government websites are facing heavy distributed denial of service (DDoS) attacks.

The affected sites include the Ministry of Foreign Affairs (mofa.gov.sa), the Ministry of Finance (mof.gov.sa) and the General Intelligence Presidency (gip.gov.sa).


gosi.gov.sa, Riyadh Region Traffic (www.rt.gov.sa) and hrc.gov.sa are also being targeted.

Anonymous Saudi also claimed to have gained access to the server of the Qassim Region Traffic website (q-t.gov.sa/h.asp) and deleted its database.

The website of the General Directorate of Education in Jeddah also fell victim: the hackers identified and exploited a SQL injection vulnerability in feenakhair.jedu.gov.sa.

"Saudi people are like slaves for the government, and 2 days ago a Saudi prince kidnapped a girl and raped her, then killed her and threw her body away naked," Anonymous Saudi stated as the reason for the attack.

#OpPhilippines: Anonymous Taiwan launched cyber war against Philippines


Philippine cyberspace is facing another cyber war. Following attacks by Chinese and Malaysian hackers, Taiwanese hackers have now started a cyber war against the Philippines.

The operation, named #OpPhilippines, was launched by Anonymous Taiwan. The attack follows the killing of a Taiwanese fisherman by the Philippine Coast Guard. EHN was notified about the campaign by pinoyhacknews.

"Philippine coastguard killing Taiwanese unarmed fishermen is injustice and unforgivable. Philippine government protecting murderers is unacceptable," the hackers posted on Pastebin. "You must apologize. Killers must be arrested immediately. Otherwise, we will not stop."

The hackers defaced the '.gov.ph' domain registry website (dns.gov.ph/opph.html). They also defaced another government website, the Advanced Science and Technology Institute (suppliers.asti.dost.gov.ph/opph.html).

The hacktivists also leaked databases from six government websites as part of the campaign. Links to the dumps are provided in a single paste (pastebin.com/sRykr2Wd).

The affected websites include the Department of Education of the Philippines (former.deped.gov.ph), onlineservices.ipophil.gov.ph, the Provincial Government of Bulacan (bulacan.gov.ph), the Philippine Public Safety College (ppsc.gov.ph) and the Province of Sulu (sulu.gov.ph). The leak contains usernames, email addresses and passwords.

The hackers also dumped (pastebin.com/D7gCEdS6) the database of the 'gov.ph' domain registry website, which contains username and password details for all government websites. It has more than 2,300 entries.

Cooperative Development Authority of Philippines website hacked


The official website of the Cooperative Development Authority of the Philippines has been attacked by a hacker team using the name of an Al-Qaeda militant.

Earlier today the team notified EHN on Twitter: "@EHackerNews Official Website of the Provincial Government of Camiguin, Philippines #Hacked www.camiguin.gov.ph".

They defaced the main page of the site with the text "Hacked by Bin Laden hacker". The hackers also defaced the official website of the Provincial Government of Camiguin, Philippines (www.camiguin.gov.ph).

"The reason is that we are against the Government. We do it for Osama Bin Laden :)" the hacker stated as the reason for the attack.

At the time of writing, both sites return a Forbidden error: "You don't have permission to access / on this server. Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request." It seems the admin is investigating the issue and trying to patch the vulnerability.

The mirror :
http://www.zone-h.org/mirror/id/19570687

Cyber Attack shuts down Election Commission of Pakistan website


The Election Commission of Pakistan (ECP) website reportedly suffered cyber attacks, and the Pakistani government temporarily shut down www.ecp.gov.pk to avoid further attacks.

The attacks allegedly originated from Asia and Russia, according to a statement by Director General IT Khizar Aziz.
 
"Had our host server been based in Pakistan, there could have been immense loss," Pakistan Today quoted Aziz as saying.

He said the ECP host server is based in Canada, and that the ECP is being moved to a more secure server to prevent future attacks.

"Aziz said that ECP's website has been shutdown under a deliberate strategy to avoid further attacks during the transition period," the Pakistan Today report reads.

DDOS attack brings the Internet to its knees

A fight between the spam-fighting organisation Spamhaus and the web hosting company Cyberbunker has slowed down a large part of the internet by making DNS resolution slow.



The dispute began when Spamhaus added Cyberbunker's IP addresses to its spam blocklist, because Cyberbunker allows almost any kind of content to be hosted and was therefore a likely source of spam. Cyberbunker attacked back, and the attack also affected ordinary internet users.

The attack was possible because of the large number of misconfigured DNS servers that act as open resolvers, answering recursive queries from anyone on the internet. The attacker sends small queries with the victim's address forged as the source, and the resolvers deliver their much larger responses to the victim, multiplying the traffic by as much as 100 fold.

The origins of this type of attack go back to the 1990s and the "smurf attack", which bounced ICMP echo requests off broadcast addresses in the same way.

The method has since become more efficient: DNS amplification floods the victim by having a botnet of compromised computers send spoofed requests to open resolvers, which reply to the victim. At its peak the attack reached 300 Gbps, making it the largest DDoS attack reported at the time.
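The arithmetic behind that amplification, and the check that tells you whether a resolver is part of the problem, as an added example (not code from the article or from any of the parties involved). Everything here is constructed offline: the query is built in DNS wire format, the "resolver replies" are fabricated stand-ins, and the client addresses and the resolver's own network range are placeholders.

```python
# Added example (not from the article): the arithmetic behind DNS amplification
# and the resolver-side check that removes the leverage. All packets and
# addresses below are constructed; nothing is sent on the network.
import struct
import ipaddress
from typing import Dict, Iterable

def encode_name(name: str) -> bytes:
    """RFC 1035 wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"

def build_query(name: str, qtype: int = 255, edns_bufsize: int = 4096, txid: int = 0x1234) -> bytes:
    """Minimal DNS query with an EDNS0 OPT record. qtype 255 (ANY) asks for every
    record the resolver has, and the EDNS buffer size tells it a 4096-byte UDP reply
    is acceptable: a ~40-byte question that invites a multi-kilobyte answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)     # RD=1, QDCOUNT=1, ARCOUNT=1 (the OPT RR)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # QCLASS IN
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_bufsize, 0, 0)  # root name, TYPE=OPT, CLASS=UDP size, TTL=0, RDLEN=0
    return header + question + opt

def parse_header(msg: bytes) -> Dict[str, int]:
    """Decode the 12-byte DNS header: flags and section counts."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": (flags >> 15) & 1, "rd": (flags >> 8) & 1, "ra": (flags >> 7) & 1,
            "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}

def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker spends (IP/UDP headers ignored)."""
    return len(response) / len(query)

def is_open_resolver(response: bytes, client_ip: str, own_networks: Iterable[str]) -> bool:
    """A resolver that answers a recursive query (QR=1, RA=1, NOERROR, answers present)
    for a client outside its own networks will do the same for a forged source
    address, so it can be aimed at any victim."""
    h = parse_header(response)
    client = ipaddress.ip_address(client_ip)
    inside = any(client in ipaddress.ip_network(net) for net in own_networks)
    return (not inside) and h["qr"] == 1 and h["ra"] == 1 and h["rcode"] == 0 and h["ancount"] > 0

def constructed_response(query: bytes, n_records: int, rdata_len: int = 255) -> bytes:
    """Constructed stand-in for an open resolver's reply to build_query(): QR|RD|RA set,
    question echoed, then n_records TXT records whose owner name is a compression
    pointer (0xC00C) back to the question name. Mimics the shape of a real ANY
    answer carrying large TXT/DNSKEY sets."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:-11]                                  # strip 12-byte header and 11-byte OPT RR
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, n_records, 0, 0)
    text = b"A" * (rdata_len - 1)
    rdata = bytes([len(text)]) + text                         # TXT rdata is a length-prefixed character string
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata  # TYPE TXT, CLASS IN, TTL 300
    return header + question + rr * n_records

def constructed_refusal(query: bytes) -> bytes:
    """Constructed reply from a properly restricted resolver: REFUSED (rcode 5),
    RA clear, no answer records. Smaller than the query, so no leverage."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, 0x8105, 1, 0, 0, 0) + query[12:-11]

if __name__ == "__main__":
    q = build_query("example.com")
    r = constructed_response(q, n_records=12)
    print(f"query {len(q)} bytes -> response {len(r)} bytes, x{amplification_factor(q, r):.1f}")
    print("open resolver for 198.51.100.7:", is_open_resolver(r, "198.51.100.7", ["192.0.2.0/24"]))
    print("refusal factor:", round(amplification_factor(q, constructed_refusal(q)), 2))
```

The forged source address is what turns leverage into an attack: the resolver cannot tell a spoofed query from a real one, so the only durable fixes are refusing recursion to clients outside your own networks (which `is_open_resolver` detects) and ISPs dropping packets whose source address does not belong to the network they arrive from.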

Cyberbunker, which claims to be a supporter of free speech and a defender against the "big bullies", seems to have stooped to the bullies' level by using aggressive offensive methods that disrupt the normal functioning of the internet. This is not the way to go!

The people who run DNS resolvers share responsibility for these attacks, since it is their misconfigured servers that make them possible; the internet community should come up with a permanent solution to this problem. In practice that means two things: resolvers should answer recursive queries only for their own networks, and ISPs should filter forged source addresses at their edge (BCP 38), because spoofing is what lets the responses be aimed at the victim in the first place.

Please read cloudflare's blog post for a detailed analysis : http://blog.cloudflare.com/the-ddos-that-almost-broke-the-internet

South Korea hit by cyber attack.




Yesterday South Korea was hit by a massive cyber attack that disrupted three banks and two TV channels. The banks were hit such that no financial transactions could be made.

The TV channels were affected by having their computers locked, preventing them from editing or working at full capacity. The attack points towards North Korea, which only days ago said it would attack South Korea.

The attacks originated from China, but this might simply be because IPs from North Korea are blocked in South Korean cyberspace, so the hackers could have used compromised computers in China to bypass that restriction and hide their real location.

Unlike other disruption attacks, which rely on DDoS, this one used malware called "DarkSeoul" that "locked" the systems.

These attacks are more dangerous because once a DDoS attack is blocked the servers return to normal with minimal effort, whereas recovering from malware takes much longer and even then you cannot be sure the computers are fully clean.
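Recovery from the disk-wiping malware described here and in the Trojan.Korhigh report above usually begins with the first sector of each disk, since overwriting the Master Boot Record is what leaves the machine unbootable. The following is an added example of that triage step, not code from the article or from Symantec: it parses a 512-byte MBR, reports whether the signature, partition table and (against a baseline hash) the boot code are intact, and runs against constructed sectors rather than images from a real infected machine.

```python
# Added example (not from the article): triage of a disk's first sector after an
# MBR-overwriting wiper like the Trojans described above. The 512-byte sectors are
# constructed here, not taken from an infected machine.
import hashlib
import struct
from typing import Dict, List, Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PART_TABLE_OFFSET = 446  # 446 bytes of boot code, then 4 x 16-byte partition entries, then the signature

def parse_mbr(sector: bytes) -> Dict:
    """Split a 512-byte sector into boot code hash, populated partition entries and signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    entries: List[Dict] = []
    for i in range(4):
        raw = sector[PART_TABLE_OFFSET + 16 * i: PART_TABLE_OFFSET + 16 * (i + 1)]
        if not any(raw):
            continue  # unused slot
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack("<B3sB3sII", raw)
        entries.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:] == BOOT_SIGNATURE,
    }

def assess_mbr(sector: bytes, known_boot_sha256: Optional[str] = None) -> str:
    """One-line verdict: signature first, then the partition table, then (if a baseline
    hash taken from a clean image of the same machine is supplied) the boot code itself."""
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        return "wiped: boot signature 0x55AA missing"
    if not info["partitions"]:
        return "wiped: partition table empty"
    for p in info["partitions"]:
        if p["status"] not in (0x00, 0x80):
            return "corrupt: partition status byte is not 0x00/0x80"
        if p["lba_start"] == 0 or p["sectors"] == 0:
            return "corrupt: partition with zero start or length"
    if known_boot_sha256 and info["boot_code_sha256"] != known_boot_sha256:
        return "tampered: boot code differs from baseline"
    return "intact"

def constructed_mbr(overwrite: bytes = b"") -> bytes:
    """Constructed healthy MBR: placeholder boot code, one bootable NTFS (type 0x07)
    partition at LBA 2048, valid signature. `overwrite` replaces the start of the
    sector the way a wiper's raw write to the physical drive would."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (PART_TABLE_OFFSET - 5)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    sector = boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE
    return (overwrite + sector[len(overwrite):])[:SECTOR_SIZE]

if __name__ == "__main__":
    baseline = parse_mbr(constructed_mbr())["boot_code_sha256"]
    for label, sample in [("clean", constructed_mbr()),
                          ("zeroed", constructed_mbr(b"\x00" * SECTOR_SIZE)),
                          ("garbage over boot code", constructed_mbr(b"WIPED!!!" * 55))]:
        print(f"{label:>22}: {assess_mbr(sample, baseline)}")
```

The baseline hash matters: a wiper that overwrites only the boot code while leaving the partition table and signature alone passes every structural check, and only a comparison against a known-good image of the same disk catches it.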

This attack shows that a strong physical army is not needed to bring down another country; a few experienced hackers can do the work of a massive army.

Pakistani Government under cyber attack from hacker 'Godzilla'



It is the third day since the Indian hacker "Godzilla" took control of the proxy used by Pakistan government websites, and Pakistan has temporarily lost access to its proxy network.

Today, the hacker claimed to have gained access to the backup server and found that it sits on the same network.

He also found that pakistan.gov.pk is not actually running but is pretending to be up.

"One thing is true: Pakistan is good at pretending like nothing happened, be it a cyber attack or a TERRORIST attack," the hacker said.

We also checked the pakistan.gov.pk website: clicking the login button just redirects to an IP address (202.83.164.27/wps/portal) that the Pakistan government used before it had the proxy system.

That IP address is down now because the government took it down long ago when it moved to the proxy network.

The hacker also said he is extracting data from the database. Once he has finished extracting it, he will take down the rest of the IPs.

*Update*:
Pakistan database dumped:
http://www.ehackingnews.com/2013/03/indian-hacker-godzilla-leaked-pakistan.html

All Pakistani Ministry & other Pakistani government sites hacked by Indian hacker


After hacking the main Pakistani government and Army sites, the Indian hacker "Godzilla" today notified EHN about another cyber attack against Pakistani government websites.

Yesterday, the hacker compromised the Pakistan Army website (pakistanarmy.gov.pk) by exploiting a proxy misconfiguration. Today he managed to hack more Pakistani websites by gaining access to the internal network through the same proxy.

"The proxy was configured in such a way that the local IP 192.168.70.103 was running through that proxy," the hacker told EHN. "It is a local IP switched through the proxy."

"Pakistan Government switches under control. Pakistan admins, please don't disturb us when we are working. Your official website www.pakistan.gov.pk will be up as soon as we finish our work," the hacker said.

"You tried to use proxy for your security and we used the same proxy to crush you."

"IBM server and Layer 2-3 Gigabit Ethernet Switch Module for IBM eServer BladeCenter and 22 local machines were used to build the proxy and secure the digital cyber space of Pakistan, which is owned badly."

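The flaw the hacker describes is a proxy that will relay requests to an RFC 1918 address on its own internal network. The article does not say what proxy software was in use or how it was configured, so the following is an added example of the upstream check any forwarding proxy needs, not the Pakistani admins' setup or a fix for it: the host names, the allowlist, the stub resolver table and the placeholder public address are all constructed.

```python
# Added example, not from the article and not the Pakistani admins' configuration:
# the upstream-address check a forwarding proxy needs so that a request for an
# internal address like 192.168.70.103 is refused instead of relayed. The host
# names, the allowlist and the stub resolver table are constructed.
import ipaddress
from typing import Dict, Iterable, List
from urllib.parse import urlsplit

# Constructed stand-in for DNS. A real proxy checks every address a name resolves to,
# at the moment it connects, since an allowlisted name can later be pointed inside.
STUB_RESOLVER: Dict[str, List[str]] = {
    "www.example.gov": ["93.184.216.34"],                 # placeholder public address
    "intranet.example.gov": ["192.168.70.103"],           # RFC 1918, must never be relayed
    "rebind.example": ["93.184.216.34", "127.0.0.1"],     # one public, one loopback
}

def is_internal(address: str) -> bool:
    """True for any address a public-facing proxy must never forward to."""
    ip = ipaddress.ip_address(address)
    return (ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_reserved or ip.is_unspecified)

def resolve(host: str, resolver: Dict[str, List[str]]) -> List[str]:
    """Literal IPs resolve to themselves; names go through the (stub) resolver."""
    try:
        ipaddress.ip_address(host)
        return [host]
    except ValueError:
        return resolver.get(host, [])

def is_forwardable(url: str, allowed_hosts: Iterable[str], resolver: Dict[str, List[str]] = STUB_RESOLVER) -> bool:
    """Allow only http(s), only allowlisted hosts, and only if every resolved address
    is public. The order matters: the allowlist is the policy; the range check is the
    backstop for allowlisted names that resolve somewhere they should not."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    if host not in {h.lower() for h in allowed_hosts}:
        return False
    addresses = resolve(host, resolver)
    return bool(addresses) and not any(is_internal(a) for a in addresses)

if __name__ == "__main__":
    allowlist = ["www.example.gov", "intranet.example.gov", "192.168.70.103", "rebind.example"]
    for url in ["http://www.example.gov/", "http://intranet.example.gov/",
                "http://192.168.70.103/", "http://rebind.example/", "ftp://www.example.gov/"]:
        print(f"{url:<32} forward={is_forwardable(url, allowlist)}")
```

Note that the literal `192.168.70.103` is refused even when someone has put it on the allowlist: the range check is deliberately not overridable by policy, because a proxy that can reach its own management network is exactly the pivot described above.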
List of hacked sites:

Ministry of Information Technology of Pakistan
www.moitt.gov.pk

Ministry of Railways of Pakistan
www.railways.gov.pk

Ministry of Economic Affairs & Statistics of Pakistan
www.ead.gov.pk

Ministry of Interior of Pakistan
www.interior.gov.pk

Ministry of Inter Provincial Coordination of Pakistan
www.ipc.gov.pk

Ministry of Religious Affairs Pakistan
www.mora.gov.pk

Establishment Division of Pakistan
www.establishment.gov.pk

Ministry of Housing & Works of Pakistan
www.housing.gov.pk

Ministry of Science and Technology of Pakistan
www.mosp.gov.pk

Planning Commission of Pakistan
www.planningcommission.gov.pk

Ministry of Minorities Affairs of Pakistan
www.minorities.gov.pk

Local Government Division of Pakistan
www.lgrd.gov.pk

Ministry of Environment of Pakistan
www.moenv.gov.pk

*Update 1:
 Pakistani Government under heavy cyber attack from hacker 'Godzilla' 
http://www.ehackingnews.com/2013/03/pakistani-government-under-cyber-attack.html

*Update 2:
 Indian Hacker Godzilla leaked Pakistan Government website's Database details
http://www.ehackingnews.com/2013/03/indian-hacker-godzilla-leaked-pakistan.html

China blames US for more than half of cyber attacks this year


China's National Computer Network Emergency Response Coordination Center (CNCERT), the country's top cyber security agency, reportedly found that more than half of the cyber attacks targeting the nation's computer systems this year originated from the US.

CNCERT detected 2,196 US-based control servers controlling 1.29 million infected computers in China. As with any attribution by source address, this shows where the control servers were hosted, not necessarily who operated them; attackers routinely rent or compromise servers in other countries.

According to a Xinhua report, more than 80 websites of public institutions, government bodies and companies were attacked between September 2012 and February 2013. CNCERT found that 39 of those were attacked from US IP addresses.

"A large amount of facts have proven that for many years, China has been one of the primary victims of cyber attacks," an unnamed official from the China National Internet Information Office told Xinhua.

Last month, a US-based computer security company released a report accusing a Chinese military unit of conducting a series of sophisticated hacking attacks on the US. Chinese authorities denied the accusations and claimed that their own systems are being targeted from the US.

NullCrew hackers deface Time Warner Cable website


Hackers from the NullCrew hacktivist group have breached a support page of Time Warner Cable, an American cable telecommunications company.

The hackers announced the attack on Twitter: "We hacked Time Warner Cable, due to them attempting to participate in the six strikes. supportcenter.timewarnercable.com:8888/sdcxuser/".

They defaced the site with a gorilla picture. On the defacement page, the hackers leaked database details, usernames, passwords and the password for the SSL key file.

The hacktivists criticised the password used by the admin: the very weak "changeme", a default that was evidently never changed.

At the time of writing, the website has been taken down by the admin; a mirror of the defacement is here: http://www.freezepage.com/1362546977OFVSJKBYGE