Targets


Big data has become a critical business tool and a transformative force for enterprises across multiple industries and geographies. Vast amounts of data are now organized, available and ready to be analyzed, leading to advanced tactics and strategies that were previously impossible.

But prior to adopting a big data and analytics solution, business leaders should answer a few fundamental questions: How will big data solutions affect my organization’s security profile? What governance is needed? Are my existing technology solutions sufficient?

Big Data Solutions: Handy Tools and Juicy Targets

Data proliferation has led to greater amounts of data passing through networks. Through big data solutions, organizations can aggregate, index and analyze many types of data. These solutions allow organizations to find patterns and correlations in the data that can potentially reveal new business insights.

The ability to consume and process this data makes big data solutions appealing to many organizations. However, what makes these solutions attractive to business leaders also makes them attractive to bad actors. Think of big data as a digital library that provides organizations with an index to easily locate and access files. If a cybercriminal were to gain access to this index, he or she would have a direct line to the organization’s most sensitive information.

Big data environments are tempting targets, and defending them puts additional stress on the security personnel and systems tasked with data protection. In addition, the exponential growth of data is leading to challenges beyond security, including governance issues related to data accuracy, accessibility, completeness and consistency. Organizations can avoid feeling overwhelmed when implementing a big data solution by effectively managing and protecting their environments with an integrated governance and technology strategy.

Governance and Data Reservoirs

With respect to governance, big data solutions call for an agile approach to profiling and understanding data as it is ingested. This enables organizations to implement appropriate controls as the data is profiled without inhibiting the speed and flexibility of technologies.

Data lakes, for example, present a unique security challenge since they allow organizations to access and process many types of data within a distributed environment. To address these challenges, organizations can utilize enhanced, agile governance to better organize data lakes, creating what is known as a data reservoir.

Within a data reservoir, organizations ensure that data is properly cataloged and protected as it is ingested by the data lake. To do so, a data owner classifies the information sources that feed the reservoir and determines how the data should be managed, including access control, quality control, masking of sensitive data and data retention periods. No data should enter the reservoir without being cataloged upfront, which enables the immediate application of appropriate security controls. This agile governance approach should be applied across all big data solutions.

Technology Considerations

From a technology standpoint, organizations should leverage existing platforms where possible and supplement with additional tools as required. At a minimum, organizations should consider coverage of the following areas:

  • Configuration and vulnerability management: Are traditional security tools sufficient to protect and secure the data?
  • Identity and access management (IAM): Are the requests for sensitive information authorized and valid?
  • Network traffic encryption: Are attackers able to intercept and access the data in motion?
  • Metadata management: Is your metadata sufficient to let you know where and how that information came into existence? Is your data usable?
  • Encryption and masking for structured data and redaction for unstructured data: Are the sensitive information assets protected from unprivileged users?
  • Data activity monitoring: Are there unusual error patterns indicating a possible attack?
  • Blocking and prevention: Are there new requests for analysis that were not scheduled or known?

The effort to strike the right balance of governance and technology is a continuous process and will be unique to each organization. However, by focusing first on governance and fundamental security components, an enterprise will be well on its way to securing its big data solution.



Security Intelligence

State and local government agencies, as well as K-12 educational institutions, are being targeted in a newly discovered spam email campaign aimed at distributing a new ransomware variant, Proofpoint researchers warn.

Dubbed MarsJoke, the malware was observed in late August, but the first large-scale spam campaign involving this piece of ransomware kicked off only on Sept. 22, 2016. The distribution of this spam is fueled by the Kelihos botnet, which has been recently associated with other campaigns as well, Proofpoint reveals.

The MarsJoke ransomware email campaign spotted last week featured emails containing links to an executable file named “file_6.exe,” which was hosted on various sites with recently registered domains. Apparently, the attackers registered the abused domains for this specific campaign, marking a major shift from the usual attached document campaigns that well-known ransomware families such as Locky employ.

By referencing a major national air carrier in the subject line and using a convincing email body, along with stolen branding, the attackers attempted to convince victims of the legitimacy of the emails. Some of the subject lines used included “Checking tracking number,” “Check your package,” “Check your TN,” “Check your tracking number,” “Tracking information,” and “Track your package.”

In addition to state and local government agencies, and K-12 educational institutions, the spam was also targeting healthcare, telecommunications, insurance, and several other verticals, though in smaller numbers, Proofpoint says.

The MarsJoke malware distributed in this campaign is said to mimic the style of CTB-Locker, and to create .bat and .txt instruction files and save them throughout the file system to alert the victim of the infection. The ransomware doesn’t change the extension of the encrypted files, though it uses temp files with different extensions during the encryption process (it deletes them when the encryption has finished).

Infected users need to follow the instructions included in a locker window, but can also install the Tor browser and visit an onion portal to view these instructions. The malware also changes the victim’s desktop background and displays a ransom message in several languages, including English, Russian, Italian, Spanish, and Ukrainian. Victims are warned that, if a 0.7 Bitcoin ransom isn’t paid within 96 hours, their files are deleted.

MarsJoke connects to the command and control (C&C) server to report the new infection, as well as to deliver information such as signature, malware version, and more. The data is URL-encoded and base64-encoded, Proofpoint says.

“Ransomware has become a billion dollar a year industry for cybercriminals. In the case of the MarsJoke campaign described here, K12 educational institutions and state and local governments are often seen as easy targets because they lack the infrastructure and funding to ensure robust backups and strong defensive resources are in place to prevent and mitigate infections,” Proofpoint notes.

According to the security firm, MarsJoke does not appear to be “just another ransomware.” Given the large message volume observed in this campaign, and corroborating it with the intended targets, it’s clear that the threat requires more attention, researchers say. “The message volume and targeting associated with this campaign bear further monitoring as attackers look to monetize new variants and old strains saturate potential victims,” Proofpoint concludes.


Ionut Arghire is an international correspondent for SecurityWeek.



SecurityWeek RSS Feed

IBM X-Force Research reported that the operators of the Qadars Trojan have been progressively updating the malware’s defenses and tailoring its configurations to target 18 banks in the U.K. In addition to its recent U.K. activity, the researchers found that Qadars campaigns launched in early September 2016 mainly targeted banks in the Netherlands, U.S. and Germany.

This activity comes on the heels of an uptick of Ramnit Trojan attacks against U.K. banks. After a period of relatively low activity, during which cybercriminals shifted their focus to Germany, Brazil and the U.S., it seems the U.K. is back on fraudsters’ radar.

Qadars Makes the Rounds

From a global perspective, Qadars’ operators have been making the rounds, targeting banks all over the world in separate bouts of online banking fraud attacks since 2013. By count of targeted brands, it appears the gang remains most inclined to attack in Europe.

Between 2013 and 2014, the malware mainly targeted banks in France and the Netherlands. Its top targets between 2015 and 2016 were Australia, Canada, the U.S. and the Netherlands. This past year, Qadars operators focused primarily on Germany, Poland, the U.S. and the Netherlands.

X-Force Research indicated that while most of Qadars’ targets have been banks, it is also after social networking credentials, online sports betting users, e-commerce platforms, payments and card services, among others.

Fueled by what appears to be experienced cybercrime factions, Qadars has been able to use advanced banking malware tactics ever since its early days, with capabilities such as:

  • Hooking the internet browser to monitor and manipulate user activity;
  • Fetching webinjections in real time from a remote server;
  • Supplementing fraud scenarios with an SMS hijacking app; and
  • Orchestrating the full scope of fraudulent data theft and transaction operation through an automated transfer system (ATS) panel.

ATS is fraudster lingo for a remote, web-based platform that Trojans access on the fly. The ATS panel contains transaction automation scripts, webinjections, preprogrammed transaction flow and parameters, transfer thresholds and mule account numbers on which the malware relies to complete illicit online transactions.

To steal two-factor authentication (2FA) codes from a user whose bank requires an out-of-band element, Qadars’ operators deployed the Perkele (iBanking) mobile bot as the malicious mobile component. In this case, Qadars even added the theft of codes from mobile devices to the ATS transaction orchestration flow.

But Qadars didn’t just use Perkele on bank transactions. It also targeted Facebook users who secured their accounts with 2FA, HackRead reported.

Qadars historically infects endpoints using exploit kits hosted on compromised hosts, or domains purchased for the purpose of serving malware. The Trojan was also pushed to user endpoints via botnets, leveraging downloader-type malware. In current campaigns, Qadars leverages the Rig Exploit Kit via the EiTest campaign to infect users, facilitating its infiltration with downloader malware.

Qadars v3 Hits the Ground Running

Although Qadars emerged in 2013, it has not been widely documented compared to other advanced Trojans of its type. Under the hood, Qadars’ developers borrowed code and fraud-facilitating concepts from the Zeus and Carberp Trojans, both of which had their source code leaked publicly in the past few years, thereby enabling malware authors to reuse parts of the code.

X-Force first detected Qadars v2 in October 2015. The present version, Qadars v3, was released in Q1 2016. Our researchers indicated that by May 2016, the malware’s developer released detailed update notes for v3, all written in Russian, noting which bug fixes and improvements were made to the code, admin panel and ATS panel. The notes also provided information about browser and webinjection updates.

The release notes indicated that Qadars is an advanced online banking Trojan that comes from a single source. Its source programs all operational components and does not buy injection kits from outsourced developers. When Qadars v3 was detected in the wild, the malware’s operators dedicated a new attack configuration to targeting all the major banks in Australia.

Qadars’ fraud tactics are enabled through:

  • Browser hooking (IE, Firefox);
  • Cookie and certificate theft;
  • Form grabbing;
  • Webinjections;
  • FIGrabbers and ATS;
  • Use of the Tor client on the victim’s machine to hide malware communications; and
  • Use of domain generation algorithm (DGA) to hide remote malware resources (as of v3).

In terms of attack methods, Qadars is capable of in-session fraud, remote-controlling the infected endpoint via virtual network computing (VNC) and performing a fraudulent transaction in real time when the user is logged on. Qadars can also collect victim credentials and use them in account takeover fraud at a later time and from a different device, depending on the targeted bank and the corresponding authentication challenges.

Researching Qadars v3

Qadars v3 is continuously evolving. Yet another updated release in late August 2016 offered a new Qadars build with some code updates designed to evade detection, layer anti-research features, and improve the performance and readability of the malware’s webinjection mechanisms.

The following section describes the technical changes made to the Qadars v3 in August 2016. This analysis was performed by malware researcher Hanan Natan and contributor Denis Laskov, senior security researcher at IBM Trusteer cybercrime labs.

Double Obfuscation on Dynamic API Resolution

Qadars’ new version obfuscates all of its Win32 API calls by employing a common trick often used by banking malware of this grade, such as URLZone, Dridex and Neverquest. When the malware code starts to run, after the packer has completed its part, it dynamically resolves the memory addresses of all the APIs it’s going to use.

Qadars contains hardcoded CRC32 values for all the function names it plans to use. To resolve the actual memory address of a function, it iterates over the export table of a particular system DLL and compares the CRC32 of each exported function name against the hardcoded value. If a match is found, Qadars saves the memory address of the function in a global variable.

The malware adds a twist to this well-known dynamic API resolving method by XORing the hardcoded CRC32 values of the function names with another constant value that’s embedded in the binary itself. By employing this method, Qadars makes it a bit harder for scripts to find and annotate the actual Win32 APIs it uses.

In the following disassembly excerpt, we can see how the malware resolves the Win32 API addresses and saves them into global variables:

qadars_fig_1

Internal Data Obfuscation

In the current Qadars version, we found that all the strings and data inside the binary are XORed with a constant value that’s embedded in the binary. Just before the malware uses a string or data item, it first performs the inverse XOR operation on it.
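Both the hashed API resolution above and the XOR string obfuscation described here are routine for an analyst to undo once the embedded constant is known. The following Python is an added example, not IBM’s or the researchers’ code: it annotates XOR-obfuscated CRC32 hashes against export names and recovers an unknown XOR constant by voting over candidate keys. The key, the miniature export tables and the sample hashes are all constructed stand-ins; Qadars’ real constant is not on the page.

```python
"""Annotating XOR-obfuscated CRC32 API hashes (constructed example)."""
import zlib
from collections import Counter

# Constructed stand-in for the constant embedded in the binary.
# The real Qadars constant is not reproduced here.
XOR_KEY = 0x5A3C9E17

# Constructed miniature export tables. A real tool would parse the export
# directory of each system DLL (e.g. with pefile) instead of hardcoding names.
EXPORTS = {
    "kernel32.dll": [b"LoadLibraryA", b"GetProcAddress", b"VirtualAlloc",
                     b"WriteProcessMemory", b"CreateRemoteThread"],
    "shell32.dll": [b"ShellExecuteExW", b"ShellExecuteA"],
    "wininet.dll": [b"InternetOpenA", b"HttpSendRequestA"],
}


def crc32_name(name: bytes) -> int:
    """CRC32 of an export name as an unsigned 32-bit value."""
    return zlib.crc32(name) & 0xFFFFFFFF


def obfuscated_hash(name: bytes, key: int = XOR_KEY) -> int:
    """The value a sample would store: CRC32(name) XOR embedded constant."""
    return crc32_name(name) ^ key


def build_lookup(exports: dict, key: int) -> dict:
    """Map every obfuscated hash to (dll, export name) for a known key."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            table[obfuscated_hash(name, key)] = (dll, name.decode())
    return table


def resolve_hashes(hashes, exports: dict, key: int) -> dict:
    """Annotate each hardcoded hash pulled from the sample; None if unresolved."""
    table = build_lookup(exports, key)
    return {h: table.get(h) for h in hashes}


def recover_xor_key(hashes, exports: dict):
    """Brute-force the embedded constant when it is not known.

    Every (hash, export name) pair proposes key = hash ^ CRC32(name). The
    correct key explains every observed hash, while a wrong key explains
    at most one by chance, so the most-voted key wins. Returns (key, votes).
    """
    votes = Counter()
    for h in hashes:
        for names in exports.values():
            for name in names:
                votes[h ^ crc32_name(name)] += 1
    key, count = votes.most_common(1)[0]
    return key, count


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Inverse of the string obfuscation: XOR with a repeating constant.
    XOR is its own inverse, so the same call obfuscates and recovers."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


if __name__ == "__main__":
    # Constructed "sample": hashes as they would be extracted from the binary.
    sample_hashes = [obfuscated_hash(n) for n in
                     (b"VirtualAlloc", b"CreateRemoteThread", b"ShellExecuteExW")]
    key, explained = recover_xor_key(sample_hashes, EXPORTS)
    print(f"recovered key 0x{key:08X} explains {explained}/{len(sample_hashes)} hashes")
    for h, hit in resolve_hashes(sample_hashes, EXPORTS, key).items():
        print(f"  0x{h:08X} -> {hit}")
    # Constructed obfuscated string round trip with a two-byte key.
    blob = xor_decode(b"config.bin", b"\x17\x9e")
    print(xor_decode(blob, b"\x17\x9e"))
```

On a real sample the export lists come from the DLLs the sample loads, and a key that explains far fewer hashes than were observed indicates a different hash function or a per-DLL constant rather than a single XOR.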

Moreover, the malware added a compression layer for the configurations it downloads from the command-and-control (C&C) server. The compression layer was likely added due to the fact that webinjections, which are part of the configuration, have become larger and more sophisticated over time as more banks were added to the target list, making config files heavier and more easily detectable.

While previous versions of the malware downloaded configurations that were only encrypted using an AES algorithm, the new version adds compression after the encryption phase. The configuration ultimately gets decompressed on the infected endpoint using aPLib, a compression library based on the algorithm used in aPACK.

Trojan Modules

Like other modular banking Trojans, such as Shifu, for example, Qadars v3 downloads a number of extra modules from its C&C server to perform the actual malicious activities. The malicious payload, or the MainModule, as it was named by the malware developer, is responsible for fetching those additional modules from the C&C.

One of the MainModule’s tasks is to inject the other downloaded modules into specific Windows processes according to the functionality of each module. It is possible to tell what task each module carries out according to a text string found in each one briefly describing its purpose:

  • ModuleFailback_32.dll is injected into all processes and used as a watchdog to restart the malware in case of termination (persistence).
  • ModuleKeylogger_32.dll is injected into all processes to ensure data is keylogged properly.
  • ModuleBrowser_32.dll is injected into browser processes only. This module is used for downloading webinjections from the C&C and for managing the actual web fraud.
  • ModuleVNC_32.dll is injected into browser processes for launching remote control.

The names of the modules, as assigned by the developer of the malware, can be found in each DLL’s export ordinal table. ModuleBrowser_32.dll even contains the path of the PDB file used during the actual development:

qadars_fig_2

Additional changes in this version enrich the ability of the MainModule to download and use a Tor client to anonymize communications and covertly download modules from the C&C, ad hoc.

Privilege Escalation Tricks

To elevate its privileges on infected machines, Qadars’ dropper can opt to display a social engineering message prompting the user to download a new Windows security update. That fake message is used to influence the user into unknowingly accepting a UAC prompt and inadvertently granting Qadars admin rights.

qadars_fig_3

Once the user clicks the fake update notice window, the malware’s dropper runs itself again using the ShellExecuteEx Win32 API. This time, however, the system displays a UAC dialog to the user.

The following figure shows an excerpt of the decompiled code. The malware doesn’t give the user an option to cancel or close the fake update window. Basically, users will encounter the UAC prompt again and again until they approve it, at which point the malware is launched again, this time with a new, higher privilege level:

qadars_fig_4

Conclusion

Qadars attack volumes, compared to Trojans like Neverquest or Dridex, are more humble. While it is not one of the top 10 financial malware threats on the global list, this Trojan has been flying under the radar for over three years, attacking banks in different regions using advanced features and capabilities. It’s possible that Qadars attack volumes remain limited because its operators choose to focus on specific countries in each of their infection sprees, likely to keep their operation focused and less visible.

On the technical side, Qadars is an active and evolving malware project, as are other malicious codes of its type. In that sense, this threat is as advanced and problematic as other banking Trojans, such as Gozi, Tinba or Ramnit. The language used in the Qadars v3 release notes suggests the malware developer is most likely a Russian-speaking black hat.

Qadars’ operators are well-versed in orchestrating the malware infection operation by leveraging exploit kits, launching fraudulent transactions from infected endpoints and circumventing 2FA by infecting victims’ mobile devices.

Beyond the preprogrammed parts of its configuration files, Qadars relies on communication with remote servers and ATS panels to fetch money mule account numbers in real time. It also displays social engineering injections delivered from its servers in real time and can enable hidden remote control of infected machines to defraud their owners’ accounts.

Malware IOCs

Dropper MD5

Some MD5 hashes are:


AV Detection Aliases

Presently, Qadars may not be detected as such by all anti-virus software. Current aliases from top AV vendors detect the dropper’s executable sample as:

  • Win32/Sopinar.G
  • Trojan.Win32.Yakes.qpxg
  • BehavesLike.Win32.PWSZbot.dh
  • Heur.AdvML.B


Security Intelligence

A new report sorted through the most popular exploit kits being used by malicious actors to find many of the same programs and vulnerabilities being targeted.

Digital Shadows studied 22 exploit kits in its report “In the Business of Exploitation” and found a total of just 76 vulnerabilities being targeted. The most frequently exploited software shouldn't be much of a surprise to security administrators: 27 of the 76 vulnerabilities used in exploit kits targeted Adobe Flash Player. Oracle's Java and Internet Explorer were the second and third most targeted programs, and together with Flash those three pieces of software accounted for 62 of the 76 vulnerabilities found across all the exploit kits.

Many cybersecurity experts have called for the death of the Flash Player in order to save enterprises from the risk of exploits, but Michael Marriott, research analyst for Digital Shadows, said finding alternative solutions might not always be easier than patching the vulnerable software.

"The frequency of exploit kits targeting vulnerabilities in these programs is certainly a point of concern for organizations, and the response will differ depending on the organization," Marriott told SearchSecurity. "There can be a trade-off between operational security and an organization's day-to-day activities. Finding this balance is important; for some organizations it will make sense to consider different software, for others the priority will be to patch these vulnerabilities in a timely manner. While patching can cause friction for organizations, so too would overhauling the software they use."

The report showed Internet Explorer took the ignominious title for having the most exploit kits using the same vulnerability with 11 of the kits targeting a vulnerability disclosed in 2013 that affects IE 6 through IE 10. Digital Shadows suggested the flaw, CVE-2013-2551, is found in so many kits because a proof of concept exploit was released soon after disclosure.

Marriott said organizations shouldn't assume they are safe from Internet Explorer issues even if it isn't the default on company systems.

"Simply because an organization has a different browser as default does not entirely remove the risk from Internet Explorer vulnerabilities," Marriott said. "This is because most organizations seldom remove IE from their computers entirely so there always remains the risk that an employee, maybe used to using IE at home, accesses it while in the office."

Five of the 22 exploit kits featured an Adobe Reader vulnerability first disclosed in 2010, but despite older vulnerabilities being in the mix, Marriott said the five most popular -- Angler, Neutrino, Nuclear, Magnitude and RIG -- set themselves apart because of how quickly the developers add newly discovered exploits.

"The popularity and success of a given exploit kit depends significantly on how quickly they can exploit the newest vulnerabilities," Marriott said. "Therefore, while older flaws cannot be ignored, the most popular exploit kits are using newer vulnerabilities and this should factor into an organization's patching processes. Organizations can identify the most popular exploit kits and understand the specific threat, based on the vulnerabilities it exploits and the delivery methods. Intelligence and context is key, so help the IT team prioritize the threat."



SearchSecurity: Security Wire Daily News

A relatively new Windows Trojan is capable of loading malicious applications onto Android and iOS devices connected to the infected machine via USB.

The threat, dubbed “DualToy” by Palo Alto Networks, has been around since January 2015. While the malware has mainly targeted users in China, the security firm reported that individuals and organizations in the United States, United Kingdom, Thailand, Spain and Ireland were also impacted.

Researchers discovered more than 8,000 unique DualToy samples. Earlier variants were only capable of infecting Android devices, but the Trojan’s developers added iOS capabilities within six months after the threat was first spotted.

On infected Windows PCs, DualToy injects processes, modifies browser settings and displays ads. When an Android or iOS device is connected to the infected PC via USB, the malware starts conducting various activities.

The malware’s developers are counting on the fact that when a user connects a mobile device to the infected computer, that device is likely already authorized, making it easier to use existing pairing records to interact with it in the background.

“Although this attack vector’s capability can be further limited by additional mechanisms (e.g., ADB enabling, iOS sandbox) which make this threat not so severe, DualToy reminds us again how attackers can use USB sideloading against mobile devices and how malware can be spread between platforms,” Palo Alto Networks researcher Claud Xiao explained in a blog post.

In order to infect Android and iOS devices, the Trojan checks for the presence of the Android Debug Bridge (ADB) and iTunes on the compromised Windows machine. If these applications are not found, the malware downloads and installs them.

ADB and iTunes are used by DualToy to install various applications on Android and iOS devices connected via USB to the infected computer. In the case of Android, several Chinese-language games were downloaded from a third-party app store.

On iOS phones and tablets, the malware collects system information and sends it back to its command and control (C&C) server. The data includes the device’s name, type, version, model number, serial number, IMEI, IMSI, firmware, and phone number.

DualToy also downloads several .ipa files (iOS application archives), including one that asks users to provide their Apple ID and password. The harvested credentials are encrypted and sent to a remote server.

This app, named Kuaiyong, is a third-party iOS app store, similar to ZergHelper, which in February managed to slip through Apple’s review process and made it onto the official App Store.

Palo Alto Networks has compared DualToy to AceDeceiver and WireLurker, both of which target iOS devices when they are connected to an infected computer.



SecurityWeek RSS Feed

The infamous Ramnit Trojan is on the prowl again, and this time it targets personal banking customers of six unnamed UK banks.

Ramnit Trojan rides again

The Trojan has not changed much since we last saw it targeting banks and e-commerce sites in Canada, Australia, the USA, and Finland in December 2015: it still uses the same encryption algorithms, and the same (but updated) data-grabbing, web-injection, and file-exfiltrating modules (the latter is after files with interesting keywords, like ‘wallet’, ‘passwords’, and bank names targeted in the configurations).

“The configuration side is where we can see that Ramnit has been preparing for the next phase, with new attack schemes built for real time web-fraud attacks targeting online banking sessions,” IBM X-Force researchers explain. “Not all attacks have to happen in real time or from the victim’s device. Ramnit’s operators can also gather credentials from infected users and use them at a later time, in account takeover fraud from other devices.”

IBM warns of the Trojan’s resurgence after X-Force researcher Ziv Eli spotted that the malware’s operators had set up two new attack servers and a new command and control server.

Whether these are the same operators who developed and used Ramnit over the last six years, and who went into temporary hiding after a coalition of European law enforcement agencies shut down C&C servers used by the Ramnit botnet in February 2015, is impossible to tell.

The Trojan’s source code was never sold or shared on underground forums, and IBM researchers believe it to be either still in the hands of the original cybergang, or of another one that bought it off of them.

If past delivery techniques are used again, the Trojan will be spread via spam, malvertising and exploit kits. IBM has helpfully provided indicators of compromise for administrators to use to spot the malware.


Help Net Security

Juniper Networks has become the latest company to acknowledge that one of the implants leaked by the Shadow Brokers targets some of their products.

Cisco and Fortinet did the same a few days earlier.

NetScreen firewalls

“Juniper Networks is investigating the recent release of files reported to have been taken from the so-called Equation Group,” Juniper employee Derrick Scholl explained in a post.

“As part of our analysis of these files, we identified an attack against NetScreen devices running ScreenOS. We are examining the extent of the attack, but initial analysis indicates it targets the boot loader and does not exploit a vulnerability on ScreenOS devices. We will continue to evaluate exactly what level of access is necessary in order to execute the attack, whether it is possible to detect the attack, and if other devices are susceptible.”

As a reminder: last December Juniper found and patched a critical vulnerability affecting ScreenOS on its NetScreen devices, which allowed unauthorized remote administrative access to the device over SSH or telnet and could have allowed a knowledgeable attacker to decrypt encrypted VPN traffic.

At the time, speculation was that the vulnerability arising from unauthorized code in ScreenOS created two backdoors, deliberately inserted by a state-sponsored intruder (or more of them). It was thought that at least one was the work of the NSA, as the NSA documents leaked by Edward Snowden showed that the NSA had the ability to backdoor Juniper’s network equipment.

The exploits and implants leaked by the Shadow Brokers are almost certainly the work of the NSA, i.e., its (formal or informal) hacking “arm,” the Equation Group.

It is still unknown who the Shadow Brokers are. Snowden believes they might be state-sponsored Russian hackers, and the leak a way to urge the US government not to be hasty in denouncing Russia as the source of the DNC hack.

According to Shlomo Argamon, professor and director of the Master of Data Science Program at the Illinois Institute of Technology, the text that accompanied the leaked data points to the “Shadow Broker” most likely being a native English speaker trying to appear non-native.

“In the (quite unlikely) event that the writer is, in fact, not a native English speaker, their native tongue is much more likely to be a Slavic language (e.g., Russian or Polish) than either a Germanic or Romance language,” he added.

This opinion seems to support a theory put forward by former NSA staffers, who said that the “naming convention of the file directories, as well as some of the scripts in the dump” point to the attacker being an insider.


Help Net Security


Threatpost | The first stop for security news