Posts Tagged: Mandiant


4 Nov 13

Hackers Take Limo Service Firm for a Ride

A hacker break-in at a U.S. company that brokers reservations for limousine and Town Car services nationwide has exposed the personal and financial information of more than 850,000 well-heeled customers, including Fortune 500 CEOs, lawmakers, and A-list celebrities.

CorporateCarOnline says: “Trust Us: Your Data is Secure”

The high-value data cache was found on the same servers where hackers stashed information stolen from PR Newswire, as well as huge troves of source code data lifted from Adobe Systems Inc. — suggesting that the same attacker(s) may have been involved in all three compromises.

In this case, the name on the file archive reads “CorporateCarOnline.” That name matches a company based in Kirkwood, Missouri which bills itself as “the leading provider of on-demand software management solutions for the limousine and ground transportation industry.”

I reached out several times over almost two weeks seeking comment from CorporateCarOnline.com. At length, I reached owner Dan Leonard, who seemed to know what I was calling about, but declined to discuss the matter, saying only that “I’d prefer not to talk to anybody about that.”

It’s understandable why the company would decline to comment: Inside the plain text archive apparently stolen from the firm are more than 850,000 credit card numbers, expiry dates and associated names and addresses. More than one-quarter (241,000) of all compromised card numbers were high- or no-limit American Express accounts, card numbers that have very high resale value in the cybercrime underground.

Alex Holden, chief information security officer at Hold Security LLC and a key collaborator on the research in this post, said CorporateCarOnline confirmed to him that the data was stolen from its systems.

“While the target is not a household name, it is, arguably, the highest socially impacting target yet,” Holden said. “By its nature, limo and corporate transportation caters to affluent individuals and VIPs.”

Further pointing to a compromise at the site is the presence of a vulnerability in its implementation of ColdFusion, a Web application platform that has become a favorite target of the attackers thought to be responsible for this and other aforementioned breaches of late.

Below are some of the rich and famous whose pick-up and drop-off information — and in some cases credit card data — was in the stolen archive. Nearly all of these individual records were marked with “VIP” or “SuperVIP!” notations. Included in quotes are notes left for the chauffeur.

CELEBRITIES

Photo: Keith Allison

LeBron James – Thomas & Mack Center sports arena, athlete entrance, July 22, 2007; “Call Lynn upon arrival.”

Tom Hanks – Chicago Midway, June 19, 2013; “VVIP. No cell/radio use with passenger/prepaid. 1500 W. Taylor Street Chicago, Rosebud, Dinner Reser @8pm”

Aaron Rodgers – Duncan Aviation, Kalamazoo, Mich., June 26, 2010; “Kregg Lumpkin and wife. 3 Bottle Waters. Greg Jennings Foundation.”

LAWMAKERS

-House Judiciary Committee Chairman Rep. John Conyers, (D-Mich.), July 4, 2011, Indianapolis International Airport; “Meet and Greet Baggage Claim. US Congressman. A DFTU situation” [not quite sure what this stands for, but my guess is “Don’t F*** This Up”]

-Sen. Mark Udall (D-Colo.), chair of the Senate Armed Services Committee’s Subcommittee on Strategic Forces. Boston Logan Intl. Airport, Sept. 14, 2009; “Contact if need be Yolanda Magallanes [link added]. Client will have golf clubs with him.”

Other current members of Congress whose information appears in this database include Rep. Joe Garcia (D-Fla.); Rep. Gus Bilirakis (R-Fla.); Rep. Jim Matheson (D-Utah); Rep. Lynn Westmoreland, Rep. Joe Baca (D-Calif.), Rep. Mario Diaz-Balart (R-Fla.).

A number of former lawmakers were passengers with limo companies that gave their customer data to CorporateCarOnline, including:

-Sen. Tom Daschle (D-SD), Des Moines, Iowa, July 21, 2010; “Ag Innovation Committee. Passengers plus luggage. Passengers: Lori Captain, Mary Langowski, Jonathan Sallet, Tom West, Jim Collins, Senator Tom Daschle, JB Penn, Anthony Farina.”

-Sen. John Breaux (D-La.), Aug. 27, 2010; “Ambassador Steven Green & Senator Breaux. ***VIP***DO NOT COLLECT”

-Rep. James Saxton (R-NJ), Rep. William Delahunt (D-Mass.), Rep. Billy Tauzin (R-La.),



20 Feb 13

Bit9 Breach Began in July 2012

Malware Found Matches Code Used Vs. Defense Contractors in 2012

Cyber espionage hackers who broke into security firm Bit9 initially breached the company’s defenses in July 2012, according to evidence being gathered by security experts investigating the incident. Bit9 remains reluctant to name customers that were impacted by the intrusion, but the custom-made malicious software used in the attack was deployed last year in highly targeted attacks against U.S. defense contractors.

Earlier this month, KrebsOnSecurity broke the story of the breach at Waltham, Mass.-based Bit9, which involved the theft of one of the firm’s private digital certificates. That certificate was used to sign malicious software, or “malware,” that was then sent to three of the company’s customers. Unlike antivirus software, which tries to identify and block known malicious files, Bit9’s approach helps organizations block files that aren’t already digitally signed by the company’s own certificates.

After publishing a couple of blog posts about the incident, Bit9 shared with several antivirus vendors the “hashes” or unique fingerprints of some 33 files that hackers had signed with the stolen certificate. KrebsOnSecurity obtained a list of these hashes, and was able to locate two malicious files that matched those hashes using Virustotal.com — a searchable service and database that lets users submit suspicious files for simultaneous scanning by dozens of antivirus tools.

The first match turned up a file called “media.exe,” which according to Virustotal was compiled and then signed using Bit9’s certificate on July 13, 2012. The other result was a Microsoft driver file for an SQL database server, which was compiled and signed by Bit9’s cert on July 25, 2012.

Asked about these findings, Bit9 confirmed that the breach appears to have started last summer with the compromise of an Internet-facing Web server, via an SQL injection attack. Such attacks take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server.

In an exclusive interview with KrebsOnSecurity, Bit9 said it first learned of the breach on Jan. 29, 2013, when it was alerted by a third party which was not a customer of Bit9. The company believes that the trouble began last July, when an employee started up a virtual machine that was equipped with an older Bit9 signing certificate which hadn’t been actively used to sign files since January 2012.

Harry Sverdlove, Bit9’s chief technology officer, said the company plans to share more details about its investigation into the intrusion in a post to be published Thursday on Bit9’s blog. For instance, he said, the control server used to coordinate the activities of the malware sent by the attackers traced back to a server in Taiwan.

Sverdlove said Bit9 will not reveal the identities of the customers that were apparently the true target of the breach; he would only characterize them as “three non-critical infrastructure entities.” Sverdlove said that although it is clear now that Bit9 was hacked as a jumping-off point from which to launch stealthier attacks against a handful of its customers, that reality hardly softens the blow.

“Although it doesn’t make us feel any better, this wasn’t a campaign against us, it was a campaign using us,” Sverdlove said. “We don’t take any solace in this, but the good news is they came after us because they weren’t able to come after our customers directly.”

It’s not clear why the attackers waited so long to use the stolen certs, but in any case Bit9 says the unauthorized virtual machine remained offline from August through December, and was only turned on again in early January 2013.



1 Feb 13

Source: Washington Post Also Broadly Infiltrated By Chinese Hackers in 2012

The Washington Post was among several major U.S. newspapers that spent much of 2012 trying to untangle its newsroom computer networks from a Web of malicious software thought to have been planted by Chinese cyberspies, according to a former information technology employee at the paper.

On Jan. 30, The New York Times disclosed that Chinese hackers had persistently attacked the Gray Lady, infiltrating its computer systems and getting passwords for its reporters and other employees. The Times said that the timing of the attacks coincided with the reporting for a Times investigation, published online on Oct. 25, that found that the relatives of Wen Jiabao, China’s prime minister, had accumulated a fortune worth several billion dollars through business dealings.

The following day, The Wall Street Journal ran a story documenting similar incursions on its network. Now, a former Post employee is coming forward with information suggesting that Chinese hacker groups had broadly compromised computer systems within the Post’s newsroom and other operations throughout 2012.

According to a former Washington Post information technology employee who helped respond to the break-in, attackers compromised at least three servers and a multitude of desktops, installing malicious software that allowed the perpetrators to maintain access to the machines and the network.

“They transmitted all domain information (usernames and passwords),” the former Post employee said on condition of anonymity. “We spent the better half of 2012 chasing down compromised PCs and servers. [It] all pointed to being hacked by the Chinese. They had the ability to get around to different servers and hide their tracks. They seemed to have the ability to do anything they wanted on the network.”

The Post has declined to comment on the source’s claims, saying through a spokesman that “we have nothing to share at this time.” But according to my source, the paper brought in several computer forensics firms – led by Alexandria, Va.-based Mandiant – to help diagnose the extent of the compromises and to evict the intruders from the network. Mandiant declined to comment for this story.

Update, Feb. 2, 7:42 a.m. ET: The Post has published its own story confirming my source’s claims.



17 Jul 12

How to Break Into Security, Bejtlich Edition

For this fourth installment of advice columns aimed at people who are interested in learning more about security as a craft or profession, I reached out to Richard Bejtlich, a prominent security blogger who last year moved from a job as director of incident response at General Electric to chief security officer at security forensics firm Mandiant.

Bejtlich responded with a practical how-to for a security novice looking to try on both attacker and defender hats. Without further ado…

Bejtlich: Providing advice on “getting started in digital security” is similar to providing advice on “getting started in medicine.” If you ask a neurosurgeon he or she may propose some sort of experiment with dead frog legs and batteries. If you ask a dermatologist you might get advice on protection from the sun whenever you go outside. Asking a “security person” will likewise result in many different responses, depending on the individual’s background and tastes.

Rather than try to devise a thorough curriculum that provides balanced coverage of the dozen or more distinct disciplines that one might call “digital security,” this article covers one aspect: magic. More specifically, this advice strives to dispel the notion that digital security is a realm where only magicians can perform superhuman feats involving computers and data. Rather, the point is to provide a way for beginners to get a feel for convincing a computer to take actions probably not expected by its original programmers. For those with a more technical inclination, the article provides a means to watch what is happening at the network level.



29 Jan 10

Simmering Over a ‘Cyber Cold War’

New reports released this week on recent, high-profile data breaches make the compelling case that a simmering Cold War-style cyber arms race has emerged between the United States and China.

A study issued Thursday by McAfee and the Center for Strategic and International Studies found that more than half of the 600 executives surveyed worldwide said they had been subject to “stealthy infiltration” by high-level adversaries, and that 59 percent believed representatives of foreign governments had been involved in the attacks.

A more granular analysis issued Thursday by Mandiant, an Alexandria, Va.-based security firm, focuses on data breaches it has responded to involving the so-called “advanced persistent threat,” or those characterized by highly targeted attacks using custom-made malicious software in the hands of patient, well-funded assailants.

Mandiant notes that the scale, operation and logistics of conducting these attacks – against the government, commercial and private sectors – indicate that they’re state-sponsored.

The Chinese government may authorize this activity, but there’s no way to determine the extent of its involvement. Nonetheless, we’ve been able to correlate almost every APT intrusion we’ve investigated to current events within China. In all cases, information exfiltrated by each set of attackers correlates with a need for intelligence related to upcoming major U.S. / China mergers and acquisitions, corporate business negotiations, or defense industrial base acquisition opportunities [emphasis added].

The reports come just days after the Christian Science Monitor revealed that three Texas-based oil companies – Conoco, ExxonMobil and Marathon – were alerted by the FBI that their systems were penetrated back in 2008. The Monitor story said the attacks, thought to have originated in China, targeted “bid data” about oil reserves and potential drilling sites.
