Researchers say North Korea behind attacks exploiting a Korean word processing program

Recent reports suggested that relations between the two Koreas, strained for years, were showing signs of improvement after Seoul and Pyongyang exchanged conciliatory gestures and expressed a willingness to talk. A third inter-Korean summit looked increasingly likely in the near future.

That picture may change in light of a report by FireEye, a U.S.-based security company that provides automated threat forensics and malware protection against advanced cyber threats. The report says that North Korea is likely behind cyber attacks built around exploiting a word processing program widely used in South Korea.

Genwei Jiang and Josiah Kimble, the report's authors, identified several malicious documents in the wild that exploit a previously unknown vulnerability (CVE-2015-6585) in the Hangul Word Processor (HWP). HWP, published by the South Korean company Hancom, is a Korean-language word processing application.

“It is widely used in South Korea, primarily by government and public institutions. Some HWP programs are frequently used by private organizations, such as HWP Viewer. The payloads and infrastructure in the attack are linked to suspected North Korean threat actors. Hancom patched CVE-2015-6585,” the authors said in the report.

The authors note that only a handful of attacks have been publicly attributed to the secretive nation, which is known to have well-developed cyber capabilities.

According to the report, opening one of the malicious HWP files installs a backdoor that FireEye has nicknamed "Hangman". It is used to download files and probe the file system, and it resembles a backdoor FireEye calls Peachpit, which may also have been developed by North Korea.

Once Hangman has collected data, it sends it to command-and-control servers over an SSL (Secure Sockets Layer) connection, so the traffic is encrypted on the wire. The IP addresses of those servers are hard-coded into Hangman and have been linked to other suspected North Korea-related attacks, which makes them a usable indicator for anyone hunting for the backdoor.
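Hard-coded command-and-control addresses are the first indicator an analyst pulls out of a sample like this. The script below is an added example for this article, not FireEye's code and not taken from Hangman: it scans a binary for dotted-quad strings in both ASCII and UTF-16LE (the wide-string form Windows binaries commonly use), validates each octet, and drops loopback, private and multicast ranges that cannot be a remote C2. The sample blob is constructed here and uses documentation address ranges only.

```python
"""Pull candidate hard-coded IPv4 addresses out of a binary.

Added example for this article; not FireEye's code. SAMPLE is a constructed
blob, not a real Hangman sample.
"""
import ipaddress
import re

# Printable runs of at least four characters, as ASCII and as UTF-16LE.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
# Dotted quad that is not part of a longer digit/dot sequence (e.g. "1.2.3.4.5").
_DOTTED_QUAD = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Ranges that cannot be a remote command-and-control server.
_NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def iter_strings(blob):
    """Yield printable strings from a binary: ASCII runs first, then wide runs."""
    for m in _ASCII_RUN.finditer(blob):
        yield m.group(0).decode("ascii")
    for m in _WIDE_RUN.finditer(blob):
        yield m.group(0).decode("utf-16-le")


def extract_ipv4(blob, routable_only=True):
    """Return unique, syntactically valid IPv4 literals in order of appearance."""
    found = []
    for s in iter_strings(blob):
        for cand in _DOTTED_QUAD.findall(s):
            try:
                ip = ipaddress.IPv4Address(cand)
            except ValueError:          # e.g. "999.1.1.1": octet out of range
                continue
            if routable_only and any(ip in net for net in _NON_ROUTABLE):
                continue
            if cand not in found:
                found.append(cand)
    return found


# Constructed stand-in for a backdoor binary (documentation addresses only).
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"Connecting to 198.51.100.23 over SSL\x00\x00"
    + "https://203.0.113.7/update".encode("utf-16-le") + b"\x00\x00"
    + b"127.0.0.1\x00"
    + b"999.1.1.1\x00"
)

if __name__ == "__main__":
    print(extract_ipv4(SAMPLE))                       # ['198.51.100.23', '203.0.113.7']
    print(extract_ipv4(SAMPLE, routable_only=False))  # adds '127.0.0.1'
```

Version strings with four numeric components will also match and need a quick look by the analyst; a C2 list is a starting point for pivoting into other samples and network logs, not a verdict on its own.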

“While not conclusive, the targeting of a South Korean proprietary word processing software strongly suggests a specific interest in South Korean targets, and based on code similarities and infrastructure overlap, FireEye Intelligence assesses that this activity may be associated with North Korea-based threat actors,” the authors added.

According to a PCWorld report, one of the most prominent attacks attributed to North Korea was the devastating November 2014 attack on Sony Pictures, which lost sensitive corporate data and email and had many of its computers rendered inoperable.

“In a rare move, the FBI blamed North Korea for the Sony hack based on an analysis of malware suspected to have been developed by the country and used in other attacks,” the news report added.

To minimize cyber attacks, Senate bill proposes standards for cars

Good news for car owners and bad news for hackers: Senators Ed Markey and Richard Blumenthal have proposed legislation that would require cars sold in the United States to meet certain standards for protection against digital attacks and for privacy.

The bill, introduced in the U.S. Senate on Tuesday, would also set privacy standards governing the data collected from vehicles.

The move came soon after Wired revealed that two security researchers, Charlie Miller and Chris Valasek, had developed, and planned to partially release, a new attack against hundreds of thousands of Chrysler vehicles that could give hackers access to the cars' internal networks.

Wired quoted Markey's statement: “Drivers shouldn’t have to choose between being connected and being protected. Controlled demonstrations show how frightening it would be to have a hacker take over controls of a car. We need clear rules of the road that protect cars from hackers and American families from data trackers.”

Under the proposed legislation, data stored in the car would have to be secured against unauthorized access, and vehicles would have to detect, alert on and respond to hacking attempts in real time.

Similarly, the National Highway Traffic Safety Administration (NHTSA) would develop new privacy standards under which vehicle owners are made aware of what data is being collected, transmitted and shared.

“Owners will be offered the chance to opt out of such data collection without losing access to key navigation or other features where feasible,” the news report read.

The growing number of demonstrated attacks against vehicles is said to be the motivation for the proposed law.

Earlier this year, BMW fixed a vulnerability in its ConnectedDrive system that allowed an attacker to remotely unlock a car. Communication with BMW's servers was not encrypted, so an attacker could impersonate the server and send a lock or unlock command to a car. The fix was as simple as enabling HTTPS, but 2.2 million cars had to be updated.

#OpISIS: A Cyber attack against Twitter accounts related to ISIS

The Islamic State (ISIS) terrorist group uses social networking sites such as Twitter to recruit people. To put a stop to this, Anonymous hacktivists and their affiliates earlier this year launched an operation called "#OpISIS" against the group.

The aim of the operation is to take down websites and, above all, social media accounts linked to ISIS.

The hacktivists have been on a search to identify Twitter accounts linked to ISIS. In March 2015, they reportedly tracked more than 25,000 Twitter accounts.  Most of the accounts have been reported and removed from Twitter. They also reportedly "destroyed" more than 100 websites.

Anonymous has now leaked more than 4,000 email addresses, IP addresses and logs said to have been taken from online communities supporting ISIS. Links to the dumps were shared on the Hackers Leaks website.

Some of the email addresses in the dump end in ".gov".

Hackers used Xtreme RAT malware to gain access to Israeli Defense computer

Seculert, an Israeli cyber security firm, told Reuters that hackers gained access to an Israeli Defense Ministry computer by sending a malicious email carrying the Xtreme RAT.

Seculert CTO Aviv Raff told Reuters that earlier this month hackers took control of around 15 computers, including one at Israel's Civil Administration, which monitors Palestinians in Israeli-occupied territory.

The firm declined to identify the other 14 computers targeted. An anonymous source told Reuters they included companies involved in supplying Israeli defense infrastructure.

The latest attack appeared to originate from servers in the US. However, experts noticed similarities to previous attacks, and the firm suspects Palestinian actors are behind it.

The firm had not yet determined what the hackers did after gaining access. It believes they had access to the infected computers for several days.

Xtreme RAT is a remote access trojan that gives attackers complete control of infected systems: they can steal any document or execute further malware on the machine.

The same malware has been used in several other targeted attacks, including ones against the Israeli police, Syrian anti-government activists and other governments.

No, Your fridge is not sending spam emails - They are innocent

A recent report from security firm Proofpoint claiming that "Internet-connected refrigerators are participating in a massive cyber attack" has been one of the hot topics in information security.

The report said that a massive global spam campaign involving more than 750,000 malicious emails relied on more than 100,000 consumer gadgets such as routers, multimedia systems, TVs and at least one refrigerator.

However, a more recent report from Symantec says that "Internet of Things" devices, including the Internet-connected fridge, were not the source of this spam campaign.

Symantec traced the spam to several Windows-based computers; none of it originated from non-Windows systems.

"If your refrigerator uses a feature known as port forwarding and someone contacts the IP address on port 80, that traffic is allowed to reach your smart refrigerator," the Symantec report reads.

"Viewed from outside, all you will see is the refrigerator and you may not even realize there is a router with potentially many other devices behind it, such as an infected computer." Symantec's researchers explained that this is probably why the IoT devices were mistakenly identified as the source of the spam: the public IP address belongs to the NAT router, not to whichever device behind it actually sent the mail.

Even though IoT devices such as fridges are innocent this time, experts say we can expect them to be exploited by cyber criminals in future. Researchers also pointed out that there is already some malware targeting Linux-based IoT devices.

NatWest online banking service hit by DDOS attack

A cyber attack on NatWest's online banking services left customers unable to access their accounts. The website suffered a distributed denial of service (DDOS) attack.

"Due to a surge in internet traffic deliberately directed at the NatWest website, some of our customers experienced difficulties accessing our customer web sites this evening," the Mirror quoted a NatWest spokesperson as saying.

"We have taken the appropriate action to restore the affected web sites.  At no time was there any risk to customers.  We apologise for the inconvenience caused."

This is not the first time the NatWest website has come under cyber attack. Earlier this month, all of RBS and NatWest's systems went down for a few hours.

It is still unknown who is responsible. Bank customers blamed the bank for being unable to access their accounts.

US Retail giant Target targeted by hackers, 40 million credit cards at risk


US retail giant Target has confirmed it was the victim of a cyber attack that may have compromised payment details of approximately 40 million credit and debit card accounts.

The information involved in the breach includes customer name, credit or debit card number, expiration date and CVV.

According to Target's statement, the breach may affect customers who made credit or debit card purchases in its U.S. stores between November 27 and December 15, 2013.

"We want to stress that we regret any inconvenience or concern this incident may cause you. Be assured that we place a top priority on protecting the security of our guests’ personal information," the statement reads.

The retailer said it immediately alerted authorities and financial institutions and is partnering with a leading forensics firm to investigate the breach.

Puthiyathalaimurai Website Hacked by same hacker as JayaTV and AIADMAK site

A Pakistani hacker using the name "H4$N4!N H4XOR", a member of the "Pakistan Haxors Crew" who earlier hacked the JayaTV and AIADMAK websites, has now hacked the Puthiyathalaimurai website again and left the following message:

" Security Breach!
Hello Admin, I Hack AIADMAK website & jaya Tv So Kick Out That Innocent Kid From The Jail.
Your Site Security Is 0% And Easy To F***k,

He was referring to the recent arrest of P. Eswaran by the Central Crime Branch on suspicion of hacking the AIADMAK site. Eswaran said that he was only trying to fix the vulnerability, and this latest defacement appears to support that: the Pakistani hacker who originally posted about the defacements is still active.

Though Eswaran may only have been trying to protect the website, what he did is still illegal under Section 66 of the IT Act. It will be interesting to see how the case plays out in court, since it is the first of its kind.

Notorious Stuxnet malware infected Russian Nuclear Plant, claims Eugene Kaspersky


The notorious Stuxnet malware, widely believed to have been developed by the US and Israel to target Iran's nuclear programme, managed to "badly" infect the internal network of a Russian nuclear power plant.

Eugene Kaspersky, founder of the Russian antivirus company Kaspersky, said a friend working at an unnamed nuclear plant told him that the plant's network, despite being disconnected from the internet, was badly infected by Stuxnet. Isolation from the internet, in other words, did not stop the malware getting in.

"So unfortunately these people who were responsible for offensive technologies, they recognise cyber weapons as an opportunity." SC Magazine quoted Kaspersky as saying.

"All the data is stolen," Kaspersky said. "At least twice."

This is the first reported case of Stuxnet infecting a major nuclear plant outside its intended target in Iran.

Pakistan Army website and Facebook fan pages hacked by Indian Hacker

If you are a regular reader of EHN, you know this is not the first time the Pakistan Army website has come under cyber attack. Once again, the Indian hacker "Godzilla" has breached it.

Speaking to E Hacking News, the hacker said that he hacked into "" and planted a malicious PDF file disguised as a magazine.

The admin opened the PDF exploit, which infected his computer with malware. That foothold allowed the hacker to compromise the Facebook fan pages.

The following Facebook fan pages were deleted by the hacker: Pakistan Army Official Facebook Page (, Pakistan Army Officers Club Facebook Page (, Pakistan Army Fan Facebook Page (

He claimed the admin removed the login page of the CMS used by the website but failed to remove the backdoor.

"Now no more deals, if you can fire then we can bombard. You are punished for breaking ceasefire, we are coming for you," the hacker stated as the reason for the cyber attack.

The website and Facebook pages had been recovered at the time of writing. It also appears the admin of the Facebook pages has blocked access from India.

You can find more proof and details about the hack here:

Hackers tried to Turn off the Lights at 2012 London Olympics Ceremony

Security specialists have disclosed that the 2012 London Olympics opening ceremony could have come under cyber attack.

The threat was that the lights could have been turned off during the ceremony. Although the attack never materialised, thanks in part to extensive precautions, it would have been a very big deal.

The primary response to the threat came from the Olympic Cyber Co-ordination Team (OCCT), based at MI5 headquarters in Thames House, as reported by BBC News.

On the afternoon before the ceremony, after their meeting, officials reported that they were fully confident they could deal with the threat if it occurred.

"There was a suggestion that there was a credible attack on the electricity infrastructure supporting the Games," Olympic cyber security head Oliver Hoare told BBC.

Hoare was also told that if the lights went down they could be brought back up within 30 seconds, but 30 seconds is a long time when you are talking about the Olympics.

Though nothing actually happened, the nature of the threat remains unclear, and it is food for thought.

Author: Shalini Bhushan 

New Trojan targeting South Korea sets Anonymous Wallpaper in infected system

After publishing details of a new DDOS attack carried out by a group called "DarkSeoul" against South Korean sites, Symantec researchers have come across a new piece of malware designed to wipe the disks of infected systems.

The malware, detected as Trojan.Korhigh, is capable of deleting files and overwriting the Master Boot Record (MBR), which leaves the machine unable to boot. It can also change user passwords to "highanon2013" and delete files with specific extensions, including asp, html, php and jsp.

Interestingly, the criminals behind the malware designed the Trojan so that it changes the wallpaper of compromised computers to an Anonymous image.

The Trojan also attempts to gather system information, including OS version, computer name and current date, and sends it to a remote server.
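An MBR overwrite of the kind Korhigh performs is easy to spot after the fact if you recorded what the first sector looked like beforehand. The script below is an added example for this article, not Symantec's code: it parses the first 512 bytes of a disk, checks the 0x55AA boot signature and the partition table, and compares a SHA-256 of the sector against a baseline taken when the machine was known-good. The sample sector is constructed here, not taken from any real disk or malware, and the device paths in the comment are assumptions about where you would point it.

```python
"""Baseline-and-compare check for a disk's first sector (the MBR).

Added example for this article, not Symantec's code. Trojan.Korhigh overwrites
the Master Boot Record; hashing the first 512 bytes at install time and
re-checking later is the cheapest way to notice. The sample sector below is
constructed here, not taken from any real disk or malware.
"""
import hashlib
import struct

SECTOR = 512
PART_TABLE = 446            # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"      # bytes at offsets 510-511 of a valid MBR


def parse_mbr(sector):
    """Return boot-signature status, SHA-256 and the non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack("<II", sector[off + 8:off + 16])
        if ptype != 0:                      # type 0x00 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIG,
            "sha256": hashlib.sha256(sector).hexdigest(),
            "partitions": partitions}


def check_mbr(sector, baseline_sha256):
    """List of findings for a sector; empty means it matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector wiped or overwritten")
    if info["sha256"] != baseline_sha256:
        findings.append("MBR hash differs from baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings


def read_first_sector(path):
    """Read the MBR from a raw device (needs root/admin).
    Assumed paths: /dev/sda on Linux, \\.\PhysicalDrive0 on Windows."""
    with open(path, "rb") as f:
        return f.read(SECTOR)


def build_sample_mbr():
    """Constructed sample: NOP boot code, one bootable NTFS-type (0x07) partition, valid signature."""
    sector = bytearray(b"\x90" * PART_TABLE) + bytearray(64) + bytearray(BOOT_SIG)
    entry = struct.pack("<B3sB3sII", 0x80, bytes(3), 0x07, bytes(3), 2048, 204800)
    sector[PART_TABLE:PART_TABLE + 16] = entry
    return bytes(sector)


# Hash recorded when the machine was known-good; re-check against it later.
BASELINE = hashlib.sha256(build_sample_mbr()).hexdigest()

if __name__ == "__main__":
    print(check_mbr(build_sample_mbr(), BASELINE))   # []
    print(check_mbr(bytes(SECTOR), BASELINE))        # three findings: wiped sector
```

The hash comparison is the check that matters; the signature and partition-table checks only tell you how the sector was damaged. Store the baseline somewhere the malware cannot reach, such as a management server, since anything that can rewrite sector 0 can also rewrite a file on the same disk.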

#OpTurkey: Turkish Prime Minister and government websites hacked by Hacktivists

Anonymous hacktivists and the Syrian Electronic Army (SEA) carried out a series of cyber attacks against the Turkish government following police violence against peaceful protesters.

An Anonymous hacker with the Twitter handle @AnonsTurkey and the SEA group breached the official Prime Ministry website ( and took data from the server.

"Turkish Gezi Resistance is one of the most noble social uprising in recent history. The Turkish people, the women, the children, the young and the old, long oppressed by the all powerful regime, are now well awake. Fear changed sides: the Turkish people are not afraid, the oppressors are. Turkish people are realizing their potential as free human beings, and unbeforeseen soul healing is happening," Anonymous said in today's press release.

Anonymous is said to have compromised email addresses, passwords and phone numbers, but did not share any of the data. Meanwhile, the Syrian Electronic Army attacked the same website and leaked more than 60 email addresses and passwords.

The hacktivists reportedly hacked a number of government websites, including, and more.

Earlier today Deputy Prime Minister Bulent Arinc apologised for the police response to initial protests.  However, Turkish protesters have rejected the government's apology and continue the protest.

#OpSaudi : Anonymous launched cyber attack on Saudi Government site

The Saudi branch of the Anonymous hacktivist collective has launched cyber attacks on Saudi government websites in an operation named "#OpSaudi". Several government websites are facing heavy distributed denial of service (DDOS) attacks from the group.

The affected government sites include the Ministry of Foreign Affairs(, the Ministry of Finance(, the General Intelligence Presidency( and Riyadh Region Traffic(, all of which are being targeted by the hackers.

Anonymous Saudi also claimed to have gained access to the server of the Qassim Region Traffic website( and deleted its database.

The website of the General Directorate of Education in Jeddah also fell victim to the campaign. Hackers identified and exploited an SQL injection vulnerability in
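SQL injection is how most of the database dumps in stories like this one are obtained, so it is worth seeing the bug beside its fix. The block below is an added example for this article, not code from any of the sites mentioned: a login and a lookup written by pasting user input into the SQL text, next to the same two functions using placeholders, run against a constructed in-memory SQLite table with made-up rows. The payloads are the standard comment and UNION tricks.

```python
"""String-built SQL beside its parameterised form, on an in-memory SQLite copy
of the kind of users table these dumps come from.

Added example for this article, not code from any of the sites mentioned. The
table, rows and payloads are constructed here.
"""
import hashlib
import hmac
import sqlite3


def pw_hash(password):
    # Placeholder hash for the demo; a real site should use a slow, salted scheme.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "admin@example.gov.ph", pw_hash("correct horse")),   # constructed rows
        ("editor", "editor@example.gov.ph", pw_hash("hunter2")),
    ])
    return conn


# --- vulnerable: user input is pasted into the SQL text -----------------------

def login_vulnerable(conn, username, password):
    sql = ("SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
           % (username, pw_hash(password)))
    return conn.execute(sql).fetchone() is not None


def lookup_vulnerable(conn, email_fragment):
    sql = "SELECT email FROM users WHERE email LIKE '%%%s%%'" % email_fragment
    return [row[0] for row in conn.execute(sql)]


# --- hardened: placeholders keep input as data, never as SQL --------------------

def login_safe(conn, username, password):
    row = conn.execute("SELECT password_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and hmac.compare_digest(row[0], pw_hash(password))


def lookup_safe(conn, email_fragment):
    rows = conn.execute("SELECT email FROM users WHERE email LIKE ?",
                        ("%" + email_fragment + "%",))
    return [row[0] for row in rows]


# Payloads of the kind used to bypass a login and dump a table.
BYPASS_USER = "admin' --"
DUMP_FRAGMENT = "zz%' UNION SELECT username || ':' || password_hash FROM users WHERE '%'='"

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, BYPASS_USER, "whatever"))   # True: the comment swallows the password check
    print(login_safe(db, BYPASS_USER, "whatever"))         # False
    print(lookup_vulnerable(db, DUMP_FRAGMENT))            # every username:hash in the table
    print(lookup_safe(db, DUMP_FRAGMENT))                  # []
```

The hardened versions do not sanitise anything; they simply never let the input become part of the statement, which is why the same payloads come back as harmless strings. Storing only hashes limits the damage of a dump, but the leaks described in this story contained plaintext passwords, so the placeholder matters most.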

"saudi people like slave for the gov , and 2 days ago a saudi prince kidnapped a girl & raped her . then killed her and throw her body naked," Anonymous Saudi stated as the reason for the cyber attack.

#OpPhilippines: Anonymous Taiwan launched cyber war against Philippines

Philippine cyberspace is facing yet another cyber war. Following attacks by Chinese and Malaysian hackers, Taiwanese hackers have now started a cyber war against the Philippines.

The operation, named #OpPhilippines, was launched by Anonymous Taiwan. The attacks follow the killing of a Taiwanese fisherman by the Philippine Coast Guard. EHN was notified about the campaign by pinoyhacknews.

"Philippine coastguard killed taiwanese unarmed fishermen is injustice and unforgivable. Philippine government protecting murders is unacceptable," the hackers posted on Pastebin. "You must apologize. Killers must be arrested immediately. Otherwise, we will not stop."

The hackers defaced the '' domain registry website( They also defaced another government website, the Advanced Science and Technology Institute(.

The hacktivists also leaked databases from six different government websites as part of the campaign. Links to the dumps are provided in a single paste(.

The affected websites include the Department of Education of the Philippines(,, the Provincial Government of Bulacan(, the Philippine Public Safety College( and the Province of Sulu(. The leak contains usernames, email addresses and passwords.

The hackers also dumped( the database of the '' domain registry website, which contains username and password details belonging to all government websites. It has more than 2,300 entries.

Cooperative development authority of Philippines website hacked

The official website of the Cooperative Development Authority of the Philippines has been attacked by a hacker team using the name of an Al-Qaeda militant.

Earlier today the team notified EHN on Twitter: "@EHackerNews Official Website of the Provincial Government of Camiguin, Philippines #Hacked".

They defaced the main page of the site with the text "Hacked by Bin Laden hacker". The hackers also defaced the official website of the Provincial Government of Camiguin, Philippines(.

"The reason is that we against the Goverment We do it for Osama Bin Laden :)" the hacker stated as the reason for the attack.

At the time of writing, both sites show a Forbidden error message: "You don't have permission to access / on this server. Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request." It seems the admin is investigating the issue and trying to patch the vulnerability.

The mirror:

Cyber Attack shuts down Election Commission of Pakistan website

The Election Commission of Pakistan (ECP) website reportedly suffered cyber attacks, and the Pakistan government temporarily shut the site down to avoid further attacks.

The attacks allegedly originated from Asia and Russia, according to a statement by Director General IT Khizar Aziz. “Had our host server been based in Pakistan, then there could have been immense loss,” Pakistan Today quoted Aziz as saying.

He said the ECP host server is based in Canada, and that the commission is moving the website to a more secure server to prevent future attacks.

"Aziz said that ECP’s website has been shutdown under a deliberate strategy to avoid further attacks during the transition period," the Pakistan Today report reads.

DDOS attack brings the Internet to its knees

The fight between the anti-spam organisation Spamhaus and the web hosting company Cyberbunker has slowed down large parts of the internet by making DNS resolution slow.

The reason behind the attack is that Spamhaus added Cyberbunker's IP addresses to its spam blocklist because Cyberbunker allows almost any sort of content to be hosted and may therefore also be a source of spam. Cyberbunker retaliated, and the attack also affected ordinary internet users.

The attack was possible because of the large number of DNS servers that are misconfigured as open resolvers, answering recursive queries from anyone on the internet. Simply put, the attacker sends small queries whose source address is forged to be the victim's; each server then sends its much larger response to the victim, so the attack traffic can be multiplied up to a hundredfold.

The origins of this type of attack go back to the 1990s and the "smurf attack", which used the same trick of spoofed requests and third-party replies.

The modern form is far more efficient: a botnet of compromised computers sends DNS requests carrying the victim's spoofed address to open resolvers, and the amplified responses flood the victim. At its peak the attack reached 300 Gbps, which was reported as the largest DDOS attack in history at the time.

Cyberbunker, which claims to be a supporter of free speech and a defender against the "big bullies", now seems to have stooped to their level by using aggressive offensive methods that affect the normal functioning of the internet. This is not the way to go!

The people who run open DNS resolvers are equally responsible for these attacks, since it is their misconfigured servers that make them possible; the internet community should come up with a permanent solution to this problem. The two well-known fixes are to restrict recursion to your own clients and to filter spoofed source addresses at the network edge (BCP 38), since without spoofing there is nothing to reflect.
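The mechanism described above, as an added example that is not part of the original post or Cloudflare's analysis. The first half builds the small packet the attacker sends: a DNS query with recursion desired and an EDNS0 OPT record inviting a large UDP reply, using only the wire format from RFC 1035 and RFC 6891, and computes the amplification ratio for a given response size. The second half shows what the flood looks like from the victim's network edge, running a simple detector over constructed NetFlow-style records (not real traffic): many resolvers answering one destination with unusually large UDP/53 packets.

```python
"""How a DNS reflection attack gets its amplification, and how the flood looks
from the victim's side of the network.

Added example for this article, not Cloudflare's or Spamhaus's code. The query
builder uses only the wire format from RFC 1035 and RFC 6891; the flow records
are constructed here, not real traffic.
"""
import struct
from collections import defaultdict, namedtuple

QTYPE_ANY = 255


def build_dns_query(name, qtype=QTYPE_ANY, edns_udp_size=4096, txid=0x1234):
    """Wire-format query: RD set, one question, plus an EDNS0 OPT record that
    tells the resolver it may send a large UDP response. This is the small
    packet the attacker sends with the victim's address as source."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # flags 0x0100 = RD
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)            # class IN
    # OPT RR: root name, TYPE 41, CLASS carries the UDP payload size, TTL holds
    # extended RCODE/flags (zero here), no RDATA.
    opt = b"\x00" + struct.pack("!HHIH", 41, edns_udp_size, 0, 0)
    return header + question + opt


def amplification(query, response_size):
    """Bytes the victim receives per byte the attacker sends."""
    return response_size / len(query)


Flow = namedtuple("Flow", "src sport dst dport proto bytes packets")

# Constructed flow records as a router or NetFlow collector would export them.
FLOWS = [
    Flow("198.51.100.1", 53, "203.0.113.10", 41234, "udp", 30000, 10),
    Flow("198.51.100.2", 53, "203.0.113.10", 41234, "udp", 27000, 9),
    Flow("198.51.100.3", 53, "203.0.113.10", 41234, "udp", 33000, 11),
    Flow("198.51.100.4", 53, "203.0.113.10", 41234, "udp", 30000, 10),
    Flow("192.0.2.5", 55001, "198.51.100.1", 53, "udp", 120, 2),      # normal lookups
    Flow("198.51.100.1", 53, "192.0.2.5", 55001, "udp", 240, 2),      # and their answers
    Flow("198.51.100.9", 53, "192.0.2.6", 443, "tcp", 5000, 4),       # not UDP/53: ignored
]


def find_reflection_victims(flows, min_resolvers=3, min_avg_bytes=1000):
    """Flag destinations receiving large UDP/53 responses from many resolvers at once.
    A real client talks to one or two resolvers and gets answers of a few hundred bytes."""
    per_dst = defaultdict(lambda: {"resolvers": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "udp" or f.sport != 53:
            continue
        agg = per_dst[f.dst]
        agg["resolvers"].add(f.src)
        agg["bytes"] += f.bytes
        agg["packets"] += f.packets
    hits = {}
    for dst, agg in per_dst.items():
        avg = agg["bytes"] / agg["packets"]
        if len(agg["resolvers"]) >= min_resolvers and avg >= min_avg_bytes:
            hits[dst] = {"resolvers": len(agg["resolvers"]),
                         "avg_bytes_per_packet": round(avg)}
    return hits


if __name__ == "__main__":
    q = build_dns_query("example.com")
    print(len(q), "byte query; a 3000-byte ANY answer is %.0fx amplification"
          % amplification(q, 3000))
    print(find_reflection_victims(FLOWS))
```

The victim never sent the queries, so blocking the resolvers' addresses is useless: the resolvers are merely reflecting traffic. The thresholds in the detector are assumptions for the constructed data; on a real network, tune them against the normal size and resolver count of your own DNS traffic.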

Please read Cloudflare's blog post for a detailed analysis:

South Korea hit by cyber attack.

Yesterday South Korea was hit by a massive cyber attack. The attack disrupted three banks and two TV broadcasters. The banks were hit so badly that no financial transactions could be made.

The broadcasters were affected by their computers being locked, which prevented them from editing or operating at full capacity. The attack points towards North Korea, which only days ago said it would attack South Korea.

The attacks originated from China, but this might simply be because IP addresses from North Korea are not allowed in South Korean cyberspace, so the hackers could have used compromised computers in China to bypass that restriction and hide their real location.

Unlike other "disruption" attacks, which rely on DDOS, this one was carried out with malware dubbed "DarkSeoul" that "locked" the systems.

These attacks are more dangerous because once a DDOS attack is blocked the servers get back to normal with minimal effort, whereas a malware attack takes much longer to recover from, and even then you cannot be sure the computers are fully clean.

This attack shows that a strong "physical" army is not needed to bring down another country. A few experienced hackers can do the work of a massive army.

Pakistani Government under cyber attack from hacker 'Godzilla'

It is the third day since the Indian hacker "Godzilla" took control of the proxy used by Pakistan government websites, and Pakistan has temporarily lost access to its proxy network.

Today, the hacker claimed to have gained access to the backup server and found that it sits on the same network as the compromised systems.

He also found that the site is not actually running but merely appears to be up.

"One thing is true Pakistan is good at pretending like nothing happened, let it be a cyber attack or a TERRORIST attack. " The hacker said.

We also checked the website by clicking the login button: it just redirects to an IP address( that the Pakistan government used before it had a proxy system.

That IP address is down now, because the government took it offline long ago when it moved to the proxy network.

The hacker also said he is extracting data from the database. Once he has finished, he will take down the rest of the IPs.

Pakistan Database dumped: