03
Jan 17

The Download on the DNC Hack

Over the past few days, several longtime readers have asked why I haven’t written about two stories that have consumed the news media of late: The alleged Russian hacking attacks against the U.S. Democratic National Committee (DNC) and, more recently, the discovery of malware on a laptop at a Vermont power utility that has been attributed to Russian hacker groups.

I’ve avoided covering these stories mainly because I don’t have any original reporting to add to them, and because I generally avoid chasing the story of the day — preferring instead to focus on producing original journalism on cybercrime and computer security.

dncBut there is another reason for my reticence: Both of these stories are so politically fraught that to write about them means signing up for gobs of vitriolic hate mail from readers who assume I have some political axe to grind no matter what I publish on the matter.

An article in Rolling Stone over the weekend aptly captures my unease with reporting on both of these stories in the absence of new, useful information (the following quote refers specifically to the Obama administration’s sanctions against Russia related to the DNC incident).

“The problem with this story is that, like the Iraq-WMD mess, it takes place in the middle of a highly politicized environment during which the motives of all the relevant actors are suspect,” Rolling Stone political reporter Matt Taibbi wrote. “Absent independent verification, reporters will have to rely upon the secret assessments of intelligence agencies to cover the story at all. Many reporters I know are quietly freaking out about having to go through that again.”

Alas, one can only nurse a New Year’s holiday vacation for so long. Here are some of the things I’ve been ruminating about over the past few days regarding each of these topics. Please be kind.

Gaining sufficient public support for a conclusion that other countries are responsible for hacking important U.S. assets can be difficult – even when the alleged aggressor is already despised and denounced by the entire civilized world.

The remarkable hacking of Sony Pictures Entertainment in late 2014 and the Obama administration’s quick fingering of hackers in North Korea as the culprits is a prime example: When the Obama administration released its findings that North Korean hackers were responsible for breaking into SPE, few security experts I spoke to about the incident were convinced by the intelligence data coming from the White House.

That seemed to change somewhat following the leak of a National Security Agency document which suggested the United States had planted malware capable of tracking the inner workings of the computers and networks used by the North’s hackers. Nevertheless, I’d wager that if we took a scientific poll among computer security experts today, a fair percentage of them probably still strongly doubt the administration’s conclusions.

If you were to ask those doubting experts to explain why they persist in their unbelief, my guess is you would find these folks break down largely into two camps: Those who believe the administration will never release any really detailed (and likely classified) information needed to draw a more definitive conclusion, and those who because of their political leanings tend to disbelieve virtually everything that comes out of the current administration.

Now, the American public is being asked to accept the White House’s technical assessment of another international hacking incident, only this time the apparent intention of said hacking is nothing less than to influence the outcome of a historically divisive presidential election in which the sitting party lost.

It probably doesn’t matter how many indicators of compromise and digital fingerprints the Obama administration releases on this incident: Chances are decent that if you asked a panel of security experts a year from now whether the march of time and additional data points released or leaked in the interim have influenced their opinion, you’ll find them just as evenly divided as they are today.

The mixed messages coming from the camp of President-elect Trump haven’t added any clarity to the matter, either. Trump has publicly mocked American intelligence assessments that Russia meddled with the U.S. election on his behalf, and said recently that he doubts the U.S. government can be certain it was hackers backed by the Russian government who hacked and leaked emails from the DNC.

However, one of Trump’s top advisers — former CIA Director James Woolseynow says he believes the Russians (and possibly others) were in fact involved in the DNC hack.

It’s worth noting that the U.S. government has offered some additional perspective on why it is so confident in its conclusion that Russian military intelligence services were involved in the DNC hack. A White House fact sheet published alongside the FBI/DHS Joint Analysis Report (PDF) says the report “includes information on computers around the world that Russian intelligence services have co-opted without the knowledge of their owners in order conduct their malicious activity in a way that makes it difficult to trace back to Russia. In some cases, the cybersecurity community was aware of this infrastructure, in other cases, this information is newly declassified by the U.S. government.” Continue reading →


29
Dec 16

Happy Seventh Birthday, KrebsOnSecurity!

Hard to believe it’s time to celebrate another go ’round the Sun for KrebsOnSecurity! Today marks exactly seven years since I left The Washington Post and started this here solo thing. And what a remarkable year 2016 has been!

7-2016

The word cloud above includes a sampling of tags used in stories on KrebsOnSecurity throughout the past year. It’s been a wild one, riddled with huge attacks, big cybercriminal busts and of course a whole mess of data breaches.

The biggest attack of all — the 620 Gbps distributed denial-of-service (DDoS) assault against this site on Sept. 22 — resulted in KrebsOnSecurity being unplugged for several days. The silver lining? I now have a stronger site and readership. Through it all, the community that has grown up around this site was extremely supportive and encouraging. I couldn’t be prouder of this community, so a huge THANK YOU to all of my readers, both new and old.

It’s fair to say that many of the subjects in the word cloud above are going to continue to haunt us in 2017, particularly ransomware, CEO fraud and DDoS attacks. I am hopeful to have more on the “who” behind the September attacks against this site in the New Year. I promise it’s going to be a story worth waiting for. Stay tuned. Continue reading →


28
Dec 16

Holiday Inn Parent IHG Probes Breach Claims

InterContinental Hotels Group (IHG), the parent company for more than 5,000 hotels worldwide including Holiday Inn, says it is investigating claims of a possible credit card breach at some U.S. locations.

An Intercontinental hotel in New York City. Image: IHG

An Intercontinental hotel in New York City. Photo: IHG.

Last week, KrebsOnSecurity began hearing from sources who work in fraud prevention at different financial institutions. Those sources said they were seeing a pattern of fraud on customer credit and debit cards that suggested a breach at some IHG properties — particularly Holiday Inn and Holiday Inn Express locations.

Asked about the fraud patterns reported by my sources, a spokesperson for IHG said the company had received similar reports, and that it has hired an outside security firm to help investigate. IHG also issued the following statement:

“IHG takes the protection of payment card data very seriously. We were made aware of a report of unauthorized charges occurring on some payment cards that were recently used at a small number of U.S.-based hotel locations.  We immediately launched an investigation, which includes retaining a leading computer security firm to provide us with additional support.  We continue to work with the payment card networks.”

“We are committed to swiftly resolving this matter. In the meantime, and in line with best practice, we recommend that individuals closely monitor their payment card account statements.  If there are unauthorized charges, individuals should immediately notify their bank. Payment card network rules generally state that cardholders are not responsible for such charges.”

Headquartered in Denham, U.K., IHG operates more than 5,000 hotels across nearly 100 countries. The company’s dozen brands include Holiday Inn, Holiday Inn Express, InterContinental, Kimpton Hotels, and Crowne Plaza. Continue reading →


22
Dec 16

Before You Pay that Ransomware Demand…

A decade ago, if a desktop computer got infected with malware the chief symptom probably was an intrusive browser toolbar of some kind. Five years ago you were more likely to get whacked by a banking trojan that stole all your passwords and credit card numbers. These days if your mobile or desktop computer is infected what gets installed is likely to be “ransomware” — malicious software that locks your most prized documents, songs and pictures with strong encryption and then requires you to pay for a key to unlock the files.

Here’s some basic advice about where to go, what to do — and what not to do — when you or someone you know gets hit with ransomware.

Image: nomoreransom.org

Image: nomoreransom.org

First off — breathe deep and try not to panic. And don’t pay the ransom.

True, this may be easier said than done: In many cases the ransom note that hijacks the victim’s screen is accompanied by a digital clock ominously ticking down the minutes and seconds from 72 hours. When the timer expires, the ransom demand usually goes up or even doubles. Continue to ignore the demands and your files will be gone, kaput, nil, nyet, zilch, done forever, warns the extortion message.

See, the key objective of ransomware is a psychological one — to instill fear, uncertainty and dread in the victim — and to sow the conclusion in the victim’s mind that any solution for restoring full access to all his files involves paying up. Indeed, paying the ransom is often the easiest, fastest and most complete way of reversing a security mistake, such as failing to patch, opening a random emailed document e.g., or clicking a link that showed up unbidden in instant message. Some of the more advanced and professional ransomware operations have included helpful 24/7 web-based tech support.

The ransom note from a recent version of the "Locky" ransomware variant. Image: Bleepingcomputer.com.

The ransom note from a recent version of the “Locky” ransomware variant. Image: Bleepingcomputer.com.

Paying up is certainly not the cheapest option. The average ransom demanded is approximately $722, according to an analysis published in September by Trend Micro. Interestingly, Trend found the majority of organizations that get infected by ransomware end up paying the ransom. They also found three-quarters of companies which had not suffered a ransomware infection reported they would not pay up when presented with a data ransom demand. Clearly, people tend to see things differently when they’re the ones in the hot seat.

And for those not yet quite confident in the ways of Bitcoin (i.e. most victims), paying up means a crash course in acquiring the virtual currency known as Bitcoin. Some ransomware attackers are friendlier than others in helping victims wade through the process of setting up an account to handle Bitcoin, getting it funded, and figuring out how to pay other people with it. Others just let you figure it all out. The entire ordeal is a trial by fire for sure, but it can also be a very expensive, humbling and aggravating experience.

In the end the extortionist may bargain with you if they’re in a good mood, or if you have a great sob story. But they still want you to know that your choice is a binary one: Pay up, or kiss your sweet files goodbye forever.

This scenario reminds me of the classic short play/silent movie about the villainous landlord and the poor young lady who can’t pay the rent. I imagine the modern version of this play might go something like…

mustpaytherentVillain: You MUST pay the ransom!

Victim: I CAN’T pay the ransom!

Villain: You MUST pay the ransom!

Victim: I CAN’T pay the ransom!

Hero: I’ll pay the ransom!

Victim: Oh! My hero!

Villain: Curses! Foiled again!

Okay, nobody’s going to pay the ransomware demand for you (that’s only in Hollywood!). But just like the hero in the silent movie, there are quite a few people out there who are in fact working hard to help victims avoid paying the ransom (AND get their files back to boot).

Assuming you don’t have a recent backup you can restore, fear not: With at least some strains of ransomware, the good guys have already worked out a way to break or sidestep the encryption, and they’ve posted the keys needed to unlock these malware variants free of charge online.

But is the strain that hit your device one that experts already know how to crack?  Continue reading →


20
Dec 16

Report: $3-5M in Ad Fraud Daily from ‘Methbot’

New research suggests that an elaborate cybercrime ring is responsible for stealing between $3 million and $5 million worth of revenue from online publishers and video advertising networks each day. Experts say the scam relies on a vast network of cloaked Internet addresses, rented data centers, phony Web sites and fake users made to look like real people watching short ad segments online.

Online advertising fraud is a $7 billion a year problem, according to AdWeek. Much of this fraud comes from hacked computers and servers that are infected with malicious software which forces the computers to participate in ad fraud. Malware-based ad fraud networks are cheap to acquire and to run, but they’re also notoriously unstable and unreliable because they are constantly being discovered and cleaned up by anti-malware companies.

Now researchers say they’ve uncovered a new class of ad robot or “bot” fraud that was designed from the ground up to keep its nose clean — running not on infected hosts but instead distributed across a vast, rented network of dedicated Web servers and computers.

The Methbot ad fraud infrastructure. Image: White Ops.

The Methbot ad fraud infrastructure. Image: White Ops.

According to White Ops, a digital advertising security company based in New York City, those rented computers are connected to a network of more than 570,000 Internet addresses apparently leased or hijacked from various sources.

White Ops dubbed the video ad fraud network “Methbot,” and says the individuals at the helm of this network are spending upwards of $200,000 a month just maintaining a fully automated fraud network that imitates real Web site publishers showing real viewers video-based advertisements.

Ryan Castellucci, principal security researcher at White Ops, said Methbot’s coders built many of the fraud network’s tools from scratch — including the Web browser that each rented computer in the network uses to mimic Web sites displaying video ads. Spoofing actual news Web sites and other popular video-rich destinations, Methbot requests video ads from ad networks, and serves the ads to a vast array of bots that “watch” the videos.

To make each Web browsing session appear more like one generated by a human, Methbot simulates cursor clicks and mouse movements, and even forges social network login information so that it appears the user who viewed the ad was logged in to a social network at the time.

“They’ve written their own browser from scratch in Javascript, and this allows them to arbitrarily control the information that gets fed back to the ad networks and to companies like us who try to detect this stuff,” Castellucci said. “This has allowed Methbot to scale to beyond anything the industry has seen before, putting it in a new class of ad fraud.”

Interestingly, the registration records for virtually all of those Internet addresses have been forged so they appear to be controlled by some of the world’s largest Internet service providers (ISPs).

For instance, one of the many Internet addresses White Ops says was used by Methbot — 196.62.126*117 — is registered in October 2015 to AT&T Services Inc., but the contact address is “adw0rd.yandex.ru@gmail.com” (the letter “o” is a zero). Adw0rd is no doubt a play on Google Adwords, an online advertising service where advertisers pay to display brief advertising copy to Web users.

Another address tied to Methbot — 196.62.3*117 — is registered to the same adw0rd.yandex.ru@gmail.com account but also to “Comcast Cable Communications, Inc.” Records for another Methbot IP — 161.8.252.* — says the address is owned by “Verizon Trademark Services LLC.

Whoever dreamed up Methbot clearly spent a great deal of time and money building the fraud machine. For example, White Ops says the address space alone used by this ad fraud operation has a current market value of approximately $4 million. A full list of the 570,000+ Internet addresses used by Methbot is published in the White Ops report page.

“Methbot operators invested significant time, research, development, and resources to build infrastructure designed to remove these limitations and provide them with unlimited scale,” White Ops said in its report. “They created dedicated data centers to support proxy networks in order to hide the single origin source of their operation. This is the first time we’ve seen data centers impersonating residential internet connections. This makes the scale of this operation virtually unlimited, with none of the typical durability issues of maintaining a constant base of infected user machines.”

Methbot is thought to have made quite a bit more than malware-based ad bots that came before it. Source: White Ops.

Methbot is thought to have helped steal quite a bit more ad revenue than malware-based ad bots that came before it. Source: White Ops.

White Ops said it estimated the earning potential of Methbot by looking at the number of phony video ad impressions it could serve up and the average cost to advertisers for displaying those ads. Assuming an average CPM (cost per mille, or per thousand number of impressions) of $13, the company estimates Methbot has the ability to serve between more than 300 million impressions each day, with a daily revenue ranging from $2.6 million to $5.2 million. Continue reading →


14
Dec 16

New Critical Fixes for Flash, MS Windows

Both Adobe and Microsoft on Tuesday issued patches to plug critical security holes in their products. Adobe’s Flash Player patch addresses 17 security flaws, including one “zero-day” bug that is already actively being exploited by attackers. Microsoft’s bundle of updates tackles at least 42 security weaknesses in Windows and associated software.

brokenwindows

Half of the dozen patches Microsoft released yesterday earned its “critical” rating, meaning the flaws fixed in the updates could be exploited by malware or miscreants to seize remote control over vulnerable Windows computers without any help from users.

As per usual, the largest share of flaws fixed are in Microsoft’s browsers — Internet Explorer and Edge. Also included in the mix are updates for Microsoft Office and .NET.

According to security firm Shavlik, several of the vulnerabilities fixed with this Microsoft patches were publicly disclosed prior to this week, meaning would-be attackers have had a head start trying to figure out how to exploit them.

As part of a new Microsoft policy that took effect in October, home and business Windows users will no longer be able to pick and choose which updates to install and which to leave for another time. Consumers on Windows 7 Service Pack 1 and Windows 8.1 will henceforth receive what Redmond is calling a “Monthly Rollup,” which addresses both security issues and reliability issues in a single update. The “Security-only updates” option — intended for enterprises and not available via Windows Update —  will only include new security patches that are released for that month. What this means is that if any part of the patch bundle breaks, the only option is to remove the entire bundle (instead of the offending patch, as was previously possible). Continue reading →


13
Dec 16

‘Operation Tarpit’ Targets Customers of Online Attack-for-Hire Services

Federal investigators in the United States and Europe last week arrested nearly three-dozen people suspected of patronizing so-called “booter” services that can be hired to knock targeted Web sites offline. The global crackdown is part of an effort by authorities to weaken demand for these services by impressing upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail.

On Dec. 9, 2016, the U.S. Federal Bureau of Investigation (FBI) arrested Sean Sharma, a 26-year-old student at the University of California accused of using a booter service to knock a San Francisco chat service company’s Web site offline.

Sharma was one of almost three dozen others across 13 countries who were arrested on suspicion of paying for cyberattacks. As part of a coordinated law enforcement effort dubbed “Operation Tarpit,” investigators here and abroad also executed more than 100 so-called “knock-and-talk” interviews with booter buyers who were quizzed about their involvement but not formally charged with crimes.

Netspoof's DDoS-for-hire packages. Image: Samsclass.info.

Netspoof’s DDoS-for-hire packages. Image: Samsclass.info.

Stresser and booter services leverage commercial hosting services and security weaknesses in Internet-connected devices to hurl huge volleys of junk traffic at targeted Web sites. These attacks, known as “distributed denial-of-service” (DDoS) assaults, are digital sieges aimed at causing a site to crash or at least to remain unreachable by legitimate Web visitors.

“DDoS tools are among the many specialized cyber crime services available for hire that may be used by professional criminals and novices alike,” said Steve Kelly, FBI unit chief of the International Cyber Crime Coordination Cell, a task force created earlier this year by the FBI whose stated mission is to ‘defeat the most significant cyber criminals and enablers of the cyber underground.’ “While the FBI is working with our international partners to apprehend and prosecute sophisticated cyber criminals, we also want to deter the young from starting down this path.”

According to Europol, the European Union’s law enforcement agency, the operation involved arrests and interviews of suspected DDoS-for-hire customers in Australia, Belgium, France, Hungary, Lithuania, the Netherlands, Norway, Portugal, Romania, Spain, Sweden, the United Kingdom, and the U.S. Europol said investigators are only warning one-time users, but aggressively pursuing repeat offenders who frequented the booter services.

“This successful operation marks the kick-off of a prevention campaign in all participating countries in order to raise awareness of the risk of young adults getting involved in cybercrime,” reads a statement released Monday by Europol. “Many do it for fun without realizing the consequences of their actions – but the penalties can be severe and have a negative impact on their future prospects.”

The arrests stemmed at least in part from successes that investigators had infiltrating a booter service operating under the name “Netspoof.” According to the U.K.’s National Crime Agency, Netspoof offered subscription packages ranging from £4 (~USD $5) to £380 (~USD $482) – with some customers paying more than £8,000 (> USD $10,000) to launch hundreds of attacks. The NCA said twelve people were arrested in connection with the Netspoof investigation, and that victims included gaming providers, government departments, internet hosting companies, schools and colleges.

The Netspoof portion of last week’s operation was fueled by the arrest of Netspoof’s founder — 20-year-old U.K. resident Grant Manser. As Bleeping Computer reports, Manser’s business had 12,800 registered users, of which 400 bought his tools, launching 603,499 DDoS attacks on 224,548 targets.

Manser was sentenced in April 2016 to two years youth detention suspended for 18 months, as well as 100 hours of community service. According to BC’s Catalin Cimpanu, the judge in Manser’s case went easy on him because he built safeguards in his tools that prevented customers from attacking police, hospitals and government institutions. Continue reading →


08
Dec 16

‘Avalanche’ Crime Ring Leader Eludes Justice

The accused ringleader of a cyber fraud gang that allegedly rented out access to a criminal cloud hosting service known as “Avalanche” is now a fugitive from justice following a bizarre series of events in which he shot at Ukrainian police, was arrested on cybercrime charges and then released from custody.

Gennady Kapkanov. Source: NPU.gov

Gennady Kapkanov. Source: NPU.gov

On Nov. 30, authorities across Europe coordinated the arrest of five individuals thought to be tied to the Avalanche crime gang, in an operation that the FBI and its partners abroad described as an unprecedented global law enforcement response to cybercrime.

According to Ukrainian news outlets, the alleged leader of the gang — 33-year-old Russian Gennady Kapkanov — did not go quietly. Kapkanov allegedly shot at officers with a Kalashnikov assault rifle through the front door as they prepared to raid his home, and then attempted to escape off of his 4th floor apartment balcony.

Ukrainian police arrested Kapkanov and booked him on cybercrime charges. But a judge in the city of Poltava, Ukraine later ordered Kapkanov released, saying the prosecution had failed to file the proper charges (including charges of shooting at police officers), charges which could have allowed authorities to hold him much longer. Ukrainian media reports that police have since lost track of Kapkanov.

Ukraine’s Prosecutor General Yuri Lutsenko is now calling for the ouster of the prosecutor in charge of the case. Meanwhile, the Ukranian authorities are now asking the public for help in re-arresting Kapkanov.

kapkanovguns

Weapons police say they seized from Kapkanov’s apartment. Source: npu.gov.ua

Continue reading →