Dec 22 14

North Korea Internet totally down. Sabotage or technical issue?

by Pierluigi Paganini

North Korea is experiencing a severe Internet outage that has isolated the country from the global network. A US cyber attack is suspected.

North Korea is suffering a severe Internet outage: the Internet appears to be totally down in the country, and security experts speculate that it may be retaliation for the recent attack that compromised internal systems at Sony Pictures.

The problems with North Korea’s Internet connectivity began on Friday and deteriorated over the weekend; by Monday night the country was completely cut off from the World Wide Web.

Is it a cyber attack or just a technical issue?

The US Government has not officially commented on the outage, which has only fuelled suspicion.

“As we implement our responses, some will be seen, some may not be seen,” said US State Department spokeswoman Marie Harf.

Other explanations are circulating, including restrictions imposed on the Chinese infrastructure through which North Korea reaches the global Internet. Some experts favour a maintenance problem, others an intentional operation by the government in Beijing.

“Other possible explanations for North Korea’s internet outage could be woes included China, through which many of its connections are routed, wanting to restrain its ally by limiting its access. It could also be a maintenance problem.” reports The Telegraph.

Matthew Prince, CloudFlare’s founder, described North Korea’s Internet access as “toast” in an email to The New York Times:

“CloudFlare, an Internet company based in San Francisco, confirmed Monday that North Korea’s Internet access was “toast.” A large number of connections had been withdrawn, “showing that the North Korean network has gone away,” Matthew Prince, CloudFlare’s founder, wrote in an email.” 

Doug Madory, director of Internet analysis at Dyn Research, explained that North Korea’s networks were “under duress” and added that the outage was one of the worst he had seen.

“I wouldn’t be surprised if they are absorbing some sort of attack presently. I haven’t seen such a steady beat of routing instability and outages before. Usually there are isolated blips, not continuous connectivity problems.” Madory also told the North Korea Tech blog: “North Korea is totally down.”
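As an added illustration of the kind of measurement Madory describes (this is not Dyn’s or CloudFlare’s code), the following Python script takes a constructed list of BGP UPDATE observations for three documentation prefixes and distinguishes an isolated blip from a sustained run of unstable windows, reporting whether each prefix is still reachable at the end. The prefixes, timestamps, window size and thresholds are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed BGP UPDATE observations (not real route-collector data).
# Each entry: (timestamp, prefix, event) with event "A" = announce, "W" = withdraw.
# Prefixes are RFC 5737 documentation ranges chosen for the example.
T0 = datetime(2014, 12, 22, 0, 0)
FLAPPING = "192.0.2.0/24"      # withdrawn and re-announced every 20 minutes for hours
BLIP = "198.51.100.0/24"       # one short withdrawal, then quiet
STABLE = "203.0.113.0/24"      # a single announcement

SAMPLE_UPDATES = [(T0, STABLE, "A")]
SAMPLE_UPDATES += [
    (T0 + timedelta(minutes=20 * i), FLAPPING, "W" if i % 2 == 0 else "A")
    for i in range(12)
]
SAMPLE_UPDATES += [(T0 + timedelta(hours=4), FLAPPING, "W")]   # final withdrawal, never re-announced
SAMPLE_UPDATES += [
    (T0 + timedelta(minutes=70), BLIP, "W"),
    (T0 + timedelta(minutes=85), BLIP, "A"),
]


def events_per_window(updates, window_minutes):
    """Count UPDATE events per prefix in fixed windows measured from the first observation."""
    start = min(ts for ts, _, _ in updates)
    counts = defaultdict(lambda: defaultdict(int))
    for ts, prefix, _ in updates:
        index = int((ts - start).total_seconds() // (window_minutes * 60))
        counts[prefix][index] += 1
    return counts


def longest_unstable_run(window_counts, threshold):
    """Longest run of consecutive windows with at least `threshold` events.
    Windows with no events are absent from the mapping, so a gap breaks the run."""
    best = run = 0
    previous = None
    for index in sorted(window_counts):
        if window_counts[index] >= threshold:
            run = run + 1 if previous is not None and index == previous + 1 and run > 0 else 1
        else:
            run = 0
        best = max(best, run)
        previous = index
    return best


def assess(updates, window_minutes=60, threshold=2, sustained_windows=3):
    """Per prefix: current reachability (from the last event) and whether the churn looks
    like an isolated blip or like continuous instability."""
    last_event = {}
    for _, prefix, event in sorted(updates):
        last_event[prefix] = event
    report = {}
    for prefix, window_counts in events_per_window(updates, window_minutes).items():
        run = longest_unstable_run(window_counts, threshold)
        if run >= sustained_windows:
            pattern = "sustained"
        elif run >= 1:
            pattern = "blip"
        else:
            pattern = "stable"
        report[prefix] = {
            "state": "withdrawn" if last_event[prefix] == "W" else "reachable",
            "pattern": pattern,
            "unstable_windows": run,
        }
    return report


if __name__ == "__main__":
    for prefix, verdict in assess(SAMPLE_UPDATES).items():
        print(prefix, verdict)
```

With the constructed data the flapping prefix is reported as withdrawn after four consecutive unstable hours, the blip prefix as reachable with a single noisy window, and the stable prefix as untouched; on a real feed the same logic would be run over a route collector’s UPDATE stream for the prefixes of interest.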


In the same period, experts at Arbor Networks observed several DDoS attacks against North Korea’s Internet infrastructure, but the researchers did not believe the US government was behind them.

It is premature to speculate on what happened; in the next few days we will know more.

Pierluigi Paganini

(Security Affairs –  North Korea, Internet)

Dec 22 14

Cyber attack on German steel factory caused severe damage

by Pierluigi Paganini

The annual IT security report issued by the German BSI reports that a sophisticated cyber attack on a steel plant caused severe physical damage.

A cyber attack can cause serious damage to a production plant or facility; we have discussed this attack scenario several times, as it represents a nightmare for security experts and intelligence agencies. The news of the day is that a German steel plant suffered massive damage caused by a cyber attack on its network. According to the German Government’s annual IT security report, unknown hackers infiltrated the production network and gained control of a blast furnace.

The document was published on Wednesday by the Federal Office for Information Security (BSI) and describes a cyber attack that caused physical damage to its target.

The attack started with spear phishing emails sent to the plant’s office network; once the threat actor had obtained access to internal systems, it moved laterally into the production network, which was compromised too.


Once inside the production network, the attackers compromised its systems; the report states that individual components of the plant began to fail frequently and showed several anomalies.

The accumulating failures led to a serious malfunction of one of the plant’s blast furnaces, which according to the report could not be shut down in a controlled manner.

The cyber attack on the system controlling the blast furnace resulted in “massive damage to plant,” as the BSI document explains. The experts consider the attack very sophisticated and describe the attackers’ technical skills as “very advanced.”

Experts consider the attack sophisticated because the attackers showed deep knowledge of the variety of industrial components that were compromised during the intrusion.

The attack recalls the Stuxnet case, in which the worm sabotaged the centrifuges at the Iranian uranium enrichment facility at Natanz.

Cyber weapons are a reality, and other cyber attacks could cause serious physical damage in the near future.

Pierluigi Paganini

(Security Affairs –  Cyber weapon, cyber attack)

Dec 22 14

Chthonic, a new strain of ZeuS trojan hits 150 banks worldwide

by Pierluigi Paganini

A new strain of the Zeus Trojan dubbed Chthonic has been discovered in the wild targeting more than 150 banks and 20 payment systems, mainly in Europe.

Experts believed they had seen everything about the Zeus trojan: P2P versions, versions that infect SaaS, agents that exploit the Tor network or recruit money mules … then a new strain of the malware promptly appears in the wild and astonishes everyone.

The new Zeus variant is dubbed Chthonic and relies on a new mechanism to load its modules. It has infected machines mainly in the UK, Spain, the US, Russia and Japan, with further infections reported in other European countries, including Bulgaria, Ireland, France, Germany and Italy.


Chthonic is delivered to victims through the Andromeda bot, as well as through an email-borne exploit for a vulnerability in Microsoft Office (CVE-2014-1761).

“A significant new malware threat targeting online banking systems and their customers has been detected by Kaspersky Lab’s security analysts. Identified as an evolution of the infamous ZeuS Trojan, Trojan-Banker.Win32.Chthonic, or Chthonic for short, is known to have hit over 150 different banks and 20 payment systems in 15 countries. It appears to be mainly targeting financial institutions in the UK, Spain, the US, Russia, Japan and Italy.” states a blog post published by Kaspersky Lab.

The experts discovered that many components of Chthonic are compatible with 64-bit systems; it combines the encryption scheme used by other Zeus strains with a virtual machine similar to the one implemented by the ZeusVM and KINS trojans.

“Chthonic shares some similarities with other Trojans. It uses the same encryptor and downloader as Andromeda bots, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.” continues the post.

Chthonic uses a main module that downloads all the other modules of the malware. The agent works on both 32-bit and 64-bit platforms, and its capabilities include collecting system information, stealing saved passwords via the Pony malware, keylogging, web camera control, form grabbing, web injection and remote access through a VNC remote desktop component.


The experts highlighted Chthonic’s web injectors, which allow the malware to insert its own code into the pages victims load when they visit the websites of targeted banks.

“Chthonic exploits computer functions including the web camera and keyboard to steal online banking credentials such as saved passwords. Attackers can also connect to the computer remotely and command it to carry out transactions.” states the report.

“Chthonic’s main weapon, however, is web injectors. These enable the Trojan to insert its own code and images into the bank pages loaded by the computer’s browser, allowing the attackers to obtain the victim’s phone number, one-time passwords and PINs, as well as any login and password details entered by the user.”

The attack scheme does not differ from the one implemented by other Zeus strains: it relies on a man-in-the-browser technique (a form of man-in-the-middle) that allows Chthonic to intercept the traffic between the client and the targeted bank and modify the web page loaded in the browser by injecting the necessary code. The injected code allows the attackers to steal banking information (login details, PIN, one-time password).

In at least one attack against a Japanese bank, Chthonic hid the bank’s security warnings, while customers of Russian banks were deceived with an iframe containing a phishing copy of the website, sized to match the original window.

“Fortunately, many code fragments used by Chthonic to perform web injections can no longer be used, because banks have changed the structure of their pages and in some cases, the domains as well.”
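To make the web-injection mechanism concrete, here is an added Python example (not Kaspersky’s analysis code and not Chthonic’s own code) that parses a small webinject configuration in the set_url / data_before / data_inject / data_after format used by the Zeus family, applies it to a constructed login page the way a man-in-the-browser component would, and then shows the server-side check a bank can make: comparing the fields it actually served against the fields that come back in the POST. Whether Chthonic uses exactly this configuration syntax is an assumption; the bank URL, the page and the injected PIN field are constructed for the example.

```python
import re

# Constructed webinject rule in the Zeus-family configuration format (assumption: the
# set_url / data_before / data_inject / data_after / data_end layout of Zeus configs).
# The URL mask, the page and the injected field are all illustrative.
SAMPLE_WEBINJECT = """
set_url https://bank.example/login* GP
data_before
<input type="password" name="pass"*>
data_end
data_inject
<div><label>Card PIN</label><input type="text" name="pin"></div>
data_end
data_after
data_end
"""

# Constructed page as the bank's server would send it (no PIN field).
SAMPLE_PAGE = """<html><body>
<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="pass" autocomplete="off">
<input type="submit" value="Log in">
</form></body></html>"""


def parse_webinjects(config):
    """Turn the text config into rules: one dict per set_url block."""
    rules, current, section = [], None, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("set_url"):
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "before": "", "inject": "", "after": ""}
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section = line[len("data_"):]
        elif line == "data_end":
            section = None
        elif current is not None and section is not None:
            current[section] += ("\n" if current[section] else "") + line
    return rules


def mask_to_regex(mask):
    """Zeus masks use '*' for any run of characters and '#' for a single character."""
    return "".join(".*?" if c == "*" else "." if c == "#" else re.escape(c) for c in mask)


def apply_webinjects(rules, url, page):
    """What the browser-side hook does: for every rule whose URL mask matches, find the
    data_before anchor, optionally the data_after anchor, and splice data_inject between."""
    applied = 0
    for rule in rules:
        if not re.fullmatch(mask_to_regex(rule["url"]), url):
            continue
        anchor = re.search(mask_to_regex(rule["before"]), page, re.DOTALL)
        if not anchor:
            continue
        insert_at = anchor.end()
        if rule["after"]:
            tail = re.search(mask_to_regex(rule["after"]), page[insert_at:], re.DOTALL)
            if not tail:
                continue
            insert_at += tail.start()
        page = page[:insert_at] + "\n" + rule["inject"] + page[insert_at:]
        applied += 1
    return page, applied


def form_field_names(html):
    """Names of the <input> elements in a page, in document order."""
    return re.findall(r'<input[^>]*\bname="([^"]+)"', html)


def unexpected_fields(served_html, submitted_form):
    """Server-side tamper check: field names present in the POST that were not in the
    form the server served. A webinject that adds a PIN box shows up here."""
    expected = set(form_field_names(served_html))
    return sorted(name for name in submitted_form if name not in expected)


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_WEBINJECT)
    tampered, count = apply_webinjects(rules, "https://bank.example/login?lang=en", SAMPLE_PAGE)
    print(f"{count} injection(s) applied:\n{tampered}")
    print("unexpected fields:", unexpected_fields(SAMPLE_PAGE, {"user": "x", "pass": "y", "pin": "1234"}))
```

The check in unexpected_fields is only a heuristic: an inject that captures the extra field with its own script and never submits it to the bank leaves no trace in the POST, which is why the Kaspersky post notes that changing the page structure or domain is what actually breaks a given inject.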

The discovery of Chthonic demonstrates that the ZeuS Trojan is still evolving, helped by the availability of its source code in the hacking underground.

“The discovery of Chthonic confirms that the ZeuS Trojan is still actively evolving. Malware writers are making full use of the latest techniques, helped considerably by the leak of the ZeuS source code,” the post concludes.

A detailed analysis of the malware is available on Kaspersky’s SecureList website.

Pierluigi Paganini

(Security Affairs –  Chthonic, Zeus Banking Trojan)

Dec 22 14

FBI states North Korea hacked Sony Pictures, Pyongyang wants a joint investigation

by Pierluigi Paganini

The FBI announced that North Korea hacked Sony Pictures, but Pyongyang rejected the accusation and offered to support the investigation.

The cyber attack against Sony Pictures is monopolizing the media’s attention, and the attribution problem in particular is hard to solve.

The FBI released the findings of its investigation, which conclude that North Korea was behind the cyberattack on Sony Pictures.

“As a result of our investigation, and in close collaboration with other US Government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions,” the FBI said Friday in a statement.

US law enforcement suspects the involvement of North Korea’s Unit 121, the group of hackers working under the direction of the General Bureau of Reconnaissance.

The FBI confirmed in its official update on the Sony case that investigators recognized the TTPs of North Korean state-sponsored hackers, and that the wiper malware that infected Sony Pictures’ systems shows many similarities with other malicious code attributed to North Korean cyber units. Below is an excerpt from the FBI update:

As a result of our investigation, and in close collaboration with other U.S. government departments and agencies, the FBI now has enough information to conclude that the North Korean government is responsible for these actions. While the need to protect sensitive sources and methods precludes us from sharing all of this information, our conclusion is based, in part, on the following:

- Technical analysis of the data deletion malware used in this attack revealed links to other malware that the FBI knows North Korean actors previously developed. For example, there were similarities in specific lines of code, encryption algorithms, data deletion methods, and compromised networks.

- The FBI also observed significant overlap between the infrastructure used in this attack and other malicious cyber activity the U.S. government has previously linked directly to North Korea. For example, the FBI discovered that several Internet protocol (IP) addresses associated with known North Korean infrastructure communicated with IP addresses that were hardcoded into the data deletion malware used in this attack.

- Separately, the tools used in the SPE attack have similarities to a cyber attack in March of last year against South Korean banks and media outlets, which was carried out by North Korea.
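The second FBI bullet describes an infrastructure-overlap check: IP addresses hardcoded into the wiper matched addresses already tied to North Korean activity. The following Python example is added here to show the mechanics of that kind of check on a constructed blob; it is not the FBI’s tooling, the blob is synthetic, and the addresses are RFC 5737 documentation ranges standing in for real infrastructure. It pulls dotted quads out of both ASCII and UTF-16LE data (the latter common in Windows binaries), discards version strings, loopback and RFC 1918 addresses that only produce noise, and intersects what is left with a “known infrastructure” list.

```python
import ipaddress
import re

# Constructed stand-in for a malware sample: PE-like header bytes, filler, and a mix of
# real-looking and noisy dotted quads in ASCII and UTF-16LE. Not a real binary.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"http://203.0.113.7/index.php\x00"                # ASCII URL with an address
    + "198.51.100.23".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE string
    + b"FileVersion 10.0.300.1\x00"                       # version string, octet > 255
    + b"127.0.0.1\x00192.168.1.1\x00"                     # loopback and RFC 1918 noise
    + b"\xde\xad\xbe\xef203.0.113.200;\x00"               # bare ASCII address
)

# Constructed "known infrastructure" list (the analyst's IOC set, assumed).
KNOWN_INFRA = {"203.0.113.7", "198.51.100.23", "203.0.113.99"}

# Dotted quad not embedded in a longer digit/dot run (avoids slicing "1.2.3.4.5").
DOTTED_QUAD = r"(?<![0-9.])((?:[0-9]{1,3}\.){3}[0-9]{1,3})(?![0-9.])"
DOTTED_QUAD_BYTES = re.compile(DOTTED_QUAD.encode())
DOTTED_QUAD_TEXT = re.compile(DOTTED_QUAD)
# Runs of digits/dots interleaved with NUL bytes, i.e. UTF-16LE text.
UTF16_DIGIT_RUN = re.compile(rb"(?:[0-9.]\x00){7,15}")

# ipaddress's is_private would also drop the RFC 5737 documentation ranges used in this
# sample, so RFC 1918 is filtered explicitly instead.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def plausible_external(candidate):
    """True if the string is a valid address that could plausibly be Internet infrastructure."""
    try:
        addr = ipaddress.IPv4Address(candidate)
    except ValueError:           # e.g. a version string such as 10.0.300.1
        return False
    if addr.is_loopback or addr.is_unspecified or addr.is_link_local \
            or addr.is_multicast or addr.is_reserved:
        return False
    return not any(addr in net for net in RFC1918)


def extract_ipv4(blob):
    """Sorted, de-duplicated plausible IPv4 addresses found as ASCII or UTF-16LE strings."""
    candidates = [m.decode("ascii") for m in DOTTED_QUAD_BYTES.findall(blob)]
    for run in UTF16_DIGIT_RUN.finditer(blob):
        candidates += DOTTED_QUAD_TEXT.findall(run.group().decode("utf-16-le"))
    return sorted({c for c in candidates if plausible_external(c)})


def infrastructure_overlap(extracted, known):
    """Addresses shared between the sample and the known-infrastructure set."""
    return sorted(set(extracted) & set(known))


if __name__ == "__main__":
    found = extract_ipv4(SAMPLE_BLOB)
    print("hardcoded:", found)
    print("overlap with known infrastructure:", infrastructure_overlap(found, KNOWN_INFRA))
```

An overlap like this is one input to attribution, not a verdict: shared hosting, sinkholes and reused proxies all produce overlaps without shared authorship, which is why the FBI pairs it with code similarities and the comparison to the earlier South Korean attacks.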

US authorities are very concerned that similar attacks could hit other companies in the USA in the coming months.

“We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there. Further, North Korea’s attack on SPE reaffirms that cyber threats pose one of the gravest national security dangers to the United States,” read the FBI statement.

In response to the FBI update on the Sony Pictures hack, North Korea rejected the accusations and proposed a joint investigation with US law enforcement, according to the state news agency KCNA.

The North Korean authorities claim they can prove the government had nothing to do with the cyberattack on Sony Pictures. The statement reported by KCNA also warns of “grave consequences” if the US refuses to cooperate in the investigation.

While the FBI blames North Korea and North Korea denies any involvement, a message claiming to come from the GOP, aka Guardians of Peace, taunted the Bureau.

“The result of investigation by FBI is so excellent that you might have seen what we were doing with your own eyes,” states the message posted to Pastebin. “We congratulate you success,” the message continues. “FBI is the BEST in the world.”

The message also announces further revelations at Christmas, a gift for its followers:

“You will find the gift for FBI at the following address,” reads the message, followed by a link to a YouTube video titled “you are an idiot!”


to be continued …

Pierluigi Paganini

(Security Affairs –  Sony Pictures, North Korea)

Dec 21 14

ISIS operates spear phishing attacks against a Syrian citizen media group

by Pierluigi Paganini

A Syrian citizen media group critical of ISIS was recently targeted by a spear phishing campaign aimed at de-anonymizing its members.

The Islamic State in Iraq and Syria (ISIS) is suspected of running cyber attacks against the Syrian citizen media group Raqqah is being Slaughtered Silently (RSS), as reported by the Citizen Lab. The group was targeted because it criticizes the cruel conduct of ISIS members; the intent of the attackers was to reveal the location of RSS’s members.

RSS documents abuses committed by ISIS members during the occupation of the city of Ar-Raqqah, in northern Syria.

“A growing number of reports suggest that ISIS is systematically targeting groups that document atrocities, or that communicate with Western media and aid organizations, sometimes under the pretext of finding “spies”,” the Citizen Lab report notes.


ISIS members persecute local groups while hunting for alleged spies of Western governments.

Alleged ISIS supporters used malware in an attempt to track down members of the organization that denounces them. The experts at the Citizen Lab uncovered a spear phishing campaign targeting RSS members.

“Though we are unable to conclusively attribute the attack to ISIS or its supporters, a link to ISIS is plausible,” the Citizen Lab noted. “The malware used in the attack differs substantially from campaigns linked to the Syrian regime, and the attack is focused against a group that is an active target of ISIS forces.”

The malicious emails contain a link to a decoy file that is used to deliver custom malware which gathers information about the victim’s computer.

“The unsolicited message below was sent to RSS at the end of November 2014 from a Gmail email address. The message was carefully worded, and contained references specific to the work and interests of RSS,” states the report. “The custom malware used in this attack infects a user who views the decoy “slideshow,” and beacons home with the IP address of the victim’s computer and details about his or her system each time the computer restarts.”

The experts noted that this malware is quite different from the RATs used by the Syrian government; one difference, for example, is the control infrastructure, which in the case of the alleged ISIS malware is replaced by an email account used to collect information from infected machines.

“Unlike Syrian regime-linked malware, it contains no Remote Access Trojan (RAT) functionality, suggesting it is intended for identifying and locating a target,” said CL. “Further, because the malware sends data captured by the malware to an email address, it does not require that the attackers maintain a command-and-control server online. This functionality would be especially useful to an adversary unsure of whether it can maintain uninterrupted Internet connectivity.”

The attack chain is not sophisticated: the experts observed neither the use of exploits nor complex evasion techniques.

Western intelligence is aware of hackers within the ISIS collective who are already working to secure communications between ISIS members and are helping the group spread propaganda while avoiding detection.

“In addition, ISIS has reportedly gained the support of at least one individual with some experience with social engineering and hacking: Junaid Hussain (aka TriCk), a former member of teamp0ison hacking team. While Mr. Hussain and associates have reportedly made threats against Western governments, it is possible that he or others working with ISIS have quietly supported an effort to identify the targeted organization, which is a highly visible thorn in the side of ISIS.”

Experts also reported numerous ISIS attacks targeting Internet cafés, which are used by many activists in the country.

“Reports about ISIS targeting Internet cafés have grown increasingly common, and in some cases reports point to the possible use of keyloggers as well as unspecified IP sniffers to track behavior in Internet cafes,” the Citizen Lab reported.

The Citizen Lab seems confident that a non-state actor was involved in the attack, and ISIS is a plausible suspect.

“After considering each possibility, we find strong but inconclusive circumstantial evidence to support a link to ISIS,” the Citizen Lab said. “Whether or not ISIS is responsible, this attack is likely the work of a non-regime threat actor who may be just beginning to field a still-rudimentary capability in the Syrian conflict. The entry costs for engaging in malware attacks in a conflict like the Syrian Civil War are low, and made lower by the fact that the rule of law is nonexistent for large parts of the country.”

Pierluigi Paganini

(Security Affairs –  ISIS, malware)

Dec 21 14

Diving in the Illegal Underground Hacking Markets

by Pierluigi Paganini

Experts at the Dell SecureWorks Counter Threat Unit (CTU) have published a new report on the evolution of underground hacking marketplaces.

Monitoring black-hat markets is one of the principal activities of security experts and intelligence agencies; it allows them to gather information on the evolution of cyber threats and on emerging trends in the criminal ecosystem.

In 2013, experts at the Dell SecureWorks CTU published a very interesting report titled “The Underground Hacking Economy is Alive and Well,” which investigated the online marketplace for stolen data and hacking services. The report detailed the goods sold in the black markets and their prices, giving readers an interesting picture of the criminal underground.

The criminal underground changes rapidly, and careful analysis can help law enforcement and security agencies understand the evolution of cyber threats and the TTPs of its principal operators. One year later, the same team at Dell SecureWorks released an update to the study, titled “Underground Hacker Markets,” which reports a number of noteworthy trends.

The researchers noticed a growing interest in personal data, in particular any kind of documentation that could be used as a second form of identity verification, including passports, driver’s licenses, Social Security numbers and even utility bills.

“The markets are booming with counterfeit documents to further enable fraud, including new identity kits, passports, utility bills, social security cards and driver’s licenses.” states the report.

Another distinguishing element of the evolution of the underground marketplaces over the last year is the offer of hacker tutorials.

Training tutorials teach criminals how to sell stolen credit cards to other crews, how to run exploit kits, how to set up spam and phishing campaigns, and how to run DDoS attacks.

“These tutorials not only explain what a Crypter, Remote Access Trojan (RAT) and exploit kit is but also how they are used, which are the most popular, and what hackers should pay for these hacker tools,” the report said.

Other tutorials include instructions on hacking ATMs, making bank transfers without being detected, and cashing out stolen credit card data.


The data provided by Dell confirms the findings of another report, issued by Trend Micro, which noted a significant availability of similar products and services in the Brazilian underground.

Criminal crews have specialized in selling premium credit cards, a direct consequence of the large number of data breaches this year, which flooded the underground markets with stolen data on millions of credit and debit cards.

The researchers explained that black marketplaces, exactly like any other market, reward the reliability and reputation of the leading vendors, who devote considerable attention to customer care.

In particular, cyber criminals differentiate their offerings by the service levels provided to buyers and by the guarantees given on stolen data.

“It is apparent that the underground hackers are monetizing every piece of data they can steal or buy and are continually adding services so other scammers can successfully carry out online and in-person fraud,” the report states.

For criminals who want a new identity for illegal activities, the underground market offers identity packages that include passports, driver’s licenses and Social Security cards: practically everything necessary to commit identity theft.

In the underground marketplace, a working Social Security number with a name and address costs $250, and for another $100 a scammer can buy a utility bill to use in identity verification. Counterfeit non-US passports cost between $200 and $500. The experts explained that US passports are very hard to find because US law enforcement is believed to have infiltrated the hacking community, making their sale risky. Fake US driver’s licenses go for $100-$150, while counterfeit Social Security cards run between $250 and $400 on average; in both cases the documents can be used to make fraud schemes more effective.

Premium cards remain a precious commodity in the criminal underground: a full set of stolen credentials, referred to in hacker slang as “fullz,” goes for $30 in the US, up from $5 in 2013. Fullz also include information about the card holder such as name, address, phone number, email addresses, date of birth, Social Security number, bank account numbers, credit card numbers and banking credentials.

The researchers noticed that the price of individual credit card numbers remains unchanged from last year: premium MasterCard and Visa cards including both Track 1 and Track 2 data sell for $35 and $23 respectively.

Malware is another precious commodity in the hacking underground. The price of Remote Access Trojans (RATs) has decreased from the previous year; well-known RATs such as DarkComet now sell for $20 to $50, and several RATs are offered for free, pushing prices down further. The underground also offers popular exploit kits such as Nuclear and Sweet Orange; Sweet Orange, for example, leases for $450 a week up to $1,800 for an entire month.

“Hackers are looking for a RAT that is easily available for purchase or to use for free and which they can run through a Crypter (a program which encrypts malware, making it FUD or fully undetectable to Anti-Virus and Anti-Malware programs),” the report said.

The report includes a lot of interesting data on products and services offered in the hacking underground, including botnets for rent and DDoS attacks on demand.

The price for bots located in specific countries has increased from the previous year and depends on the location of the infected computers.

“These random bots were considerably cheaper, for example, 1,000 bots ran $20; 5,000 bots ran $90; 10,000 ran $160; etc. However, this year they found pricing for bots located in specific countries, and these bots are considerably more expensive. The price for buying access to compromised computers does vary from country to country. The price for 5,000 individual bots located in the US runs from $600 to $1,000, while the same number of UK-based bots runs $400 to $500, a 50 to 100 percent decrease in price from the US bots.”

Don’t waste time … take a look at the report!

Pierluigi Paganini

(Security Affairs –  Hacking underground, cybercrime)

Dec 20 14

Cyber-war or cyber-peace?

by Pierluigi Paganini

Equilibria in cyberspace are evidently unstable, and many experts believe that we are in the midst of a cyber-war … regulation is urgently needed.

Some months ago, news further stirred the already troubled waters of cyberspace: five officers of the Chinese People’s Liberation Army (PLA) were indicted by the U.S. Justice Department.

The charge they face is espionage for economic and trade purposes. The accused, Wang Dong, Sun Kailiang, Wen Xinyu, Huang Zhenyu and Gu Chunhui, are charged with 31 counts of espionage and theft of trade secrets[1].

The five soldiers are members of the PLA unit known as “Unit 61398,” which made headlines early last year when a report by the cybersecurity firm Mandiant named it as responsible for cyber attacks on U.S. government facilities, banks and companies.

The Chinese government’s response was immediate and predictable: “extremely ridiculous allegations,” in the judgment of the Chinese Foreign Ministry, whose spokesman called for a prompt correction of this “serious error without foundation that threatens international relations, cooperation with the USA and mutual trust.”

In fact, the U.S. has for years been the target of military and economic espionage, with the periodic theft of terabytes of information from all sectors of industry and serious harm to security and industrial property rights. A striking example was the interest shown (by unidentified hackers) in the design of the Joint Strike Fighter aircraft, also known as the F-35 Lightning II, traces of which date back to 2007.

Whether China is behind all of that is not known, but in the opinion of Robert Gates, former U.S. Secretary of Defense, the threat does not come only from that nation. In an interview with The Register, Gates expressed no surprise at the allegations that the Chinese army is trying to steal secrets and technology from U.S. companies, but extended the ability to conduct cyber espionage to a dozen countries around the world, naming France, among others, as the most likely after China.

These cyber espionage activities are undoubtedly inspired or led by governments, which may use military or civilian personnel as needed.

The Chinese example is symptomatic: four possible attack vectors[2] are easily identifiable, namely the Communist Party of China (CPC), the People’s Liberation Army (PLA), State Owned Enterprises (SOE) and civilian hackers (hacktivists). In the case of the PLA, the Mandiant[3] report showed that its organizational structure is based on several specialized units, each covering a different international area.

In other countries, cyber units are basically composed of military personnel, but this does not exclude the presence of highly qualified civilians. The cyber units are nominally established for defense against cyber-attacks, but it is well known that in this field, whoever knows how to defend also knows how to attack.

Cyberspace has some key features that make it easy to use for cyber-attacks: it requires technology, it is persistent and rewards creativity and complexity, it has a low cost of entry, it uses COTS hardware and software, and it requires only motivation.

The militarization of cyberspace is thus well established and involves the possibility of inflicting damage, attacking communication networks, and altering or destroying data in order to achieve a position of advantage.

In a military sense, a cyber-attack is an unauthorized raid into the network of another country. The attack is carried out in another domain, the cyber domain. This fifth domain of war follows unconventional rules, favoured by the near impossibility of tracing the source of attacks conclusively, and international law does not clarify the exact attribution of responsibility.

In this situation, an unconventional form of warfare between states that exploits cyber capabilities to “deny the opponent the effective use of systems, weapons and tools or other infrastructure and processes controlled by them” can turn into a cyber-war[4].

For conventional conflicts, management procedures have been regulated by international treaties over time. Cyber-war, i.e. the extension of the “armed” confrontation into the fifth domain, should follow the same rules. The military doctrines of many countries treat it just like a conventional conflict, but reality is different.

There is disagreement on the term “cyber-attack.” When can we speak of an “attack on the nation,” and what is the threshold of destructive consequences beyond which we can speak of an “offensive attack”? Is loss of life necessary, or can it be triggered simply by material damage to infrastructure? And in the second case, what is the extent of damage over which an event is classified as an “attack”?

How is it possible to attribute liability to a nation in an incontrovertible manner? As in legal litigation, would a third-party authority be necessary to perform forensic attribution to accountable actors, now in cyberspace?

When we talk about attacks among states, in the “cyber” world responsibility cannot necessarily be attributed to the military units of a party. Acts of “cyber” hostility can be carried out by people not organized in recognized military units.

The lack of a shared interpretation of the meaning of “cyber-war” and its rules should not prevent international agreements on how to conduct “cybernetic” war. In the opinion of some experts[5], a treaty should include obligations of effective cooperation in the investigation following cyber-crimes; a lack of cooperation would indicate guilt or complicity on the part of the nation.

Other analysts[6] prefer to extend the principles of the Geneva and Hague Conventions to cyber confrontations, because they consider them equally applicable and appropriate to this domain. Signing humanitarian agreements for the creation of protected zones for critical infrastructure of civilian interest, however, would not prevent its involvement: irregular cyber-warriors might be induced not to respect these protected enclaves of cyberspace, and “the patriots who group together as cyber-armies”[7] in particular might be tempted to do so.

This unregulated use of increasingly sophisticated technologies may yet overturn the social norms of coexistence and of legitimate confrontation.

It is therefore necessary, first of all, to resolve the ambiguities in the interpretation of states’ behaviour in cyberspace and to create legal instruments for the recognition and attribution of responsibility to nations. Finally, international cooperation[8] must be shared and reinforced in tackling cyber-crimes, for which the inevitable buck-passing would otherwise serve as an alibi.

Such agreements should regulate the conduct of military confrontation in this domain, establish rules of deterrence (by denial) based on the response structures to cyber-attacks, and strengthen regulations on cyber warfare, because these enable the effective tracking of threats.

Politics should give a crucial impulse to agreements between states. The need for a cyber-treaty to prevent future cyber-wars is becoming increasingly urgent. Its achievement would undoubtedly have a positive impact on all countries, reducing the heavy costs caused by cyber-crime[9].

About the Author:

Ing. Giuseppe G. Zorzino, CISA, CISM, CGEIT, CRISC, is a security consultant with more than 33 years of experience in the IT industry. He works on ISMS, IT governance, privacy, compliance and security awareness. Enlisted in the Italian Air Force Academy in 1972, he holds a Master’s in Electronic Engineering from the University “Federico II”, Naples. He is a member of ISACA (Information Systems Audit and Control Association), the ISC2 Italian Chapter, the Order of Engineers of the Province of Rome and the Technical Committee of CESMA (Center for Aeronautical Military Studies “Giulio Douhet”). Zorzino has also achieved and maintains many other certifications, including Lead Auditor ISO27001, Security+, MCSA:Sec 2003 and IBM Certified Solution Architect.


Any views or opinions presented are solely those of the author and do not necessarily represent those of CESMA.


[2] “21st Century Chinese Cyber Warfare”, LtCol (ret) W. Hagestad II, ITGP, 2012

[3] “APT1, Exposing One of China’s Cyber Espionage Units”, Mandiant, 2013

[4] Cyber-war: the set of operations conducted in and through cyberspace in order to deny the adversary (state or non-state) the effective use of information systems, weapons and tools, or more generally of infrastructures and processes under its control. It also includes defensive and “enabling” activities (i.e. those aimed at securing the availability and use of cyberspace). It may take the form of a “traditional” conflict, when it involves the armed forces of two or more states, or of an “irregular” one, when it takes place between official and unofficial forces. It may be the sole form of confrontation or constitute one aspect of a conflict involving other domains (land, sea, air and space); in both cases, its effects may be confined to cyberspace or translate into concrete damage, including the loss of human life. “Glossario Intelligence 2013”, Gnosis, 2013

[5] “Why we need a cyberwar treaty”, Benjamin Mueller, The Guardian, Mon 2 June 2014

[6] “It’s Time to Write the Rules of Cyberwar”, Karl Rauscher, IEEE Spectrum, 2013

[7] “Hacktivism – Cyberspace has become the new medium for political voices”, François Paget, McAfee Labs™, 2012

[8] “Convention on Cybercrime”, Budapest, 2001

[9] “Report On Global Cost Of Cyber Crime”, Center for Strategic and International Studies-McAfee, June 2014

Dec 20 14

USBdriveby, how to compromise a PC with a $20 microcontroller

by Pierluigi Paganini

USBdriveby is a device designed to quickly and covertly install a backdoor and override DNS settings on an unlocked machine via USB.

The security expert Samy Kamkar (@SamyKamkar) has proposed a very interesting way to compromise an unlocked computer and deploy a backdoor on it simply by using a pre-programmed Teensy microcontroller.

The cheap ($20) pre-programmed Teensy microcontroller, dubbed USBdriveby, emulates a generic USB peripheral, like a keyboard or a mouse, when plugged into a machine.


The pre-programmed Teensy microcontroller misuses the trust computers usually give USB devices to execute malicious applications that are used to compromise the machine.

“Specifically, when you normally plug in a mouse or keyboard into a machine, no authorization is required to begin using them. The devices can simply begin typing and clicking. We exploit this fact by sending arbitrary keystrokes meant to launch specific applications (via Spotlight/Alfred/Quicksilver), permanently evade a local firewall (Little Snitch), install a reverse shell in crontab, and even modify DNS settings without any additional permissions.” explains Kamkar.

The applications launched by USBdriveby are able to evade local defenses, like a firewall or IDS, install a reverse shell in crontab and modify DNS settings, without any additional permissions and without the machine detecting and blocking its actions.

The technical details about the creation of the USBdriveby tool are available on the official project’s page.

“USBdriveby is a device you stylishly wear around your neck which can quickly and covertly install a backdoor and override DNS settings on an unlocked machine via USB in a matter of seconds. It does this by emulating a keyboard and mouse, blindly typing controlled commands, flailing the mouse pointer around and weaponizing mouse clicks.

In this project, we’ll learn how to exploit a system’s blind trust in USB devices, and learn how a $20 Teensy microcontroller can evade various security settings on a real system, open a permanent backdoor, disable a firewall, control the flow of network traffic, and all within a few seconds and permanently, even after the device has been removed.” states the official page of the project.

The USBdriveby attack is very insidious because it does not request any additional permissions to run applications, and the target machine is not able to detect any suspicious activity. Kamkar demonstrated USBdriveby on Apple OS X systems, but the researcher confirmed that the attack can easily be modified to compromise Windows and Unix/Linux machines.
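One defensive check that follows from the mechanism described above: a keyboard-emulating microcontroller types whole commands at machine speed, so the timing of its keystrokes looks nothing like a person’s. The detector below is an added example, not code from Kamkar’s project; the 20 ms gap threshold, the 12-key burst minimum and the sample timestamps are assumptions constructed for illustration.

```python
"""Keystroke-injection detector for a HID-emulating device (added example).
A microcontroller posing as a keyboard types whole commands at machine speed,
so the gaps between its keystrokes are far shorter and more uniform than a
human's. Timestamps below are constructed, not captured from USBdriveby."""
from statistics import median

# Thresholds are assumptions chosen for illustration, not from the article.
MAX_INJECTED_GAP_S = 0.020  # humans rarely sustain gaps under 20 ms
MIN_BURST_KEYS = 12         # ignore short accidental fast sequences


def find_injection_bursts(timestamps, max_gap=MAX_INJECTED_GAP_S,
                          min_keys=MIN_BURST_KEYS):
    """Return (start_idx, end_idx, median_gap_s) for every run of at least
    min_keys keystrokes whose consecutive gaps all stay at or below max_gap."""
    bursts = []
    start = 0
    for i in range(1, len(timestamps) + 1):
        # A run ends at the last key or at the first gap slow enough to be human.
        if i == len(timestamps) or timestamps[i] - timestamps[i - 1] > max_gap:
            if i - start >= min_keys:
                gaps = [timestamps[j] - timestamps[j - 1] for j in range(start + 1, i)]
                bursts.append((start, i - 1, median(gaps)))
            start = i
    return bursts


def human_typing(n, base=0.0, gap=0.15):
    """Constructed: a person typing at ~150 ms per key with a little jitter."""
    return [base + k * gap + (0.02 if k % 3 == 0 else 0.0) for k in range(n)]


def injected_typing(n, base=0.0, gap=0.003):
    """Constructed: a HID device pushing one keystroke every 3 ms."""
    return [base + k * gap for k in range(n)]


def demo():
    """Ten human keys, a 40-key injected burst, then ten human keys again."""
    seq = human_typing(10) + injected_typing(40, base=5.0) + human_typing(10, base=6.0)
    return find_injection_bursts(seq)


if __name__ == "__main__":
    for s, e, g in demo():
        print(f"possible keystroke injection: keys {s}-{e}, median gap {g * 1000:.1f} ms")
```

In a real deployment the timestamps would come from the input event layer (e.g. a HID event hook); the same burst logic can then trigger a lock-screen or a prompt before the typed commands take effect.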

Kamkar explained that USBdriveby could easily be ported to Arduino microcontrollers: some Arduino boards can be used instead of a Teensy.

Below is a video PoC of the USBdriveby attack:

If you are interested in proofs of concept for hacking via USB, take a look at the BadUSB project, designed by Karsten Nohl and the SRLabs team.

Pierluigi Paganini

(Security Affairs –  USBdriveby, hacking)

Dec 20 14

Google is aware of NTP Exploits publicly available

by Pierluigi Paganini

Security researchers at Google have discovered several serious flaws affecting the NTP protocol that are remotely exploitable by attackers.

Security experts at Google have uncovered several serious flaws in the Network Time Protocol (NTP), including several buffer overflows that are remotely exploitable.

The Network Time Protocol is a networking protocol for clock synchronization between computer systems across a network. According to the experts, all versions of NTP prior to 4.2.8 are affected by the flaws.

The most concerning part of the discovery is that the experts have also found that exploits targeting these vulnerabilities are already circulating in the wild.

A remote attacker could exploit vulnerabilities to compromise servers running older versions of the NTP protocol.

“Google Security Team researchers Neel Mehta and Stephen Roettger have coordinated multiple vulnerabilities with CERT/CC concerning the Network Time Protocol (NTP). As NTP is widely used within operational Industrial Control Systems deployments, NCCIC/ICS-CERT is providing this information for US Critical Infrastructure asset owners and operators for awareness and to identify mitigations for affected devices,” an advisory from ICS-CERT says.

“These vulnerabilities could be exploited remotely. Exploits that target these vulnerabilities are publicly available,” the advisory continues, explaining that a single packet could be enough to exploit a buffer overflow vulnerability in NTP.

“A remote attacker can send a carefully crafted packet that can overflow a stack buffer and potentially allow malicious code to be executed with the privilege level of the ntpd process,” the advisory says.

This is not the first time that the Network Time Protocol has been targeted by hackers: in the past, criminal crews exploited a weakness in NTP in the wild to amplify DDoS attacks.

Earlier in 2014, security researchers at Symantec spotted a series of Network Time Protocol (NTP) reflection DDoS attacks during the Christmas holidays.

The following graph reports the DDoS activity run by nearly 15000 IP addresses involved in the Network Time Protocol (NTP) reflection attack, likely belonging to a botnet.

[Graph: Network Time Protocol (NTP) reflection DDoS spike, December 2013]

Hackers favour the NTP reflection attack because its amplification factor is nearly 1000. There is more cause for alarm with NTP attacks because attackers get a better response rate.
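The amplification factor quoted above is also what makes a reflection attack visible in flow data: the victim receives UDP/123 responses from many NTP servers it never queried, and the bytes it receives dwarf the bytes it sends. The following detector is an added example, not from the article or from Symantec; the thresholds and the flow records are constructed assumptions.

```python
"""Spotting NTP reflection in flow records (added example, not from the article).
In a reflection DDoS the victim receives UDP/123 responses from many NTP servers
it never queried, each far larger than the request that triggered it; summing
bytes per host gives an amplification estimate. Flow records are constructed."""
from collections import defaultdict

NTP_PORT = 123
# Assumed thresholds for illustration: a plain NTP exchange is symmetric
# (48 bytes each way), so a large in/out ratio across many servers is abnormal.
MIN_REFLECTORS = 3
MIN_AMPLIFICATION = 10.0

# Constructed flows: (src_ip, src_port, dst_ip, dst_port, bytes).
FLOWS = [
    # Legitimate client: one 48-byte request and one 48-byte reply.
    ("10.0.0.5", 50001, "198.51.100.1", NTP_PORT, 48),
    ("198.51.100.1", NTP_PORT, "10.0.0.5", 50001, 48),
    # Victim 203.0.113.9 receives big replies from four servers it never asked.
    ("198.51.100.1", NTP_PORT, "203.0.113.9", 80, 12000),
    ("198.51.100.2", NTP_PORT, "203.0.113.9", 80, 12000),
    ("198.51.100.3", NTP_PORT, "203.0.113.9", 80, 12000),
    ("198.51.100.4", NTP_PORT, "203.0.113.9", 80, 12000),
    # Only a trickle of traffic appears to leave the victim towards port 123.
    ("203.0.113.9", 80, "198.51.100.1", NTP_PORT, 8),
    ("203.0.113.9", 80, "198.51.100.2", NTP_PORT, 8),
]


def ntp_reflection_targets(flows, min_reflectors=MIN_REFLECTORS,
                           min_amplification=MIN_AMPLIFICATION):
    """Return {victim_ip: (reflector_count, amplification)} for hosts whose
    inbound UDP/123 bytes come from many servers and dwarf their outbound bytes."""
    bytes_in = defaultdict(int)    # host -> bytes received from port 123
    bytes_out = defaultdict(int)   # host -> bytes it sent towards port 123
    reflectors = defaultdict(set)  # host -> NTP servers that replied to it
    for src, sport, dst, dport, nbytes in flows:
        if sport == NTP_PORT:
            bytes_in[dst] += nbytes
            reflectors[dst].add(src)
        elif dport == NTP_PORT:
            bytes_out[src] += nbytes
    suspects = {}
    for host, total_in in bytes_in.items():
        # A host that sent nothing at all still gets a finite (large) ratio.
        amplification = total_in / max(bytes_out[host], 1)
        if len(reflectors[host]) >= min_reflectors and amplification >= min_amplification:
            suspects[host] = (len(reflectors[host]), round(amplification, 1))
    return suspects
```

Run against the constructed flows, only 203.0.113.9 is flagged (four reflectors, amplification 3000); the legitimate client with its symmetric 48-byte exchange is not.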

It is important to carefully review every network protocol that could be abused by hackers.

Pierluigi Paganini

(Security Affairs –  NTP protocol, hacking)

Dec 19 14

New security flaws in the SS7 protocol allow hackers to spy on phone users

by Pierluigi Paganini

German researchers have announced the discovery of new security flaws in the SS7 protocol that could be exploited by an attacker to spy on private phone calls.

A team of German researchers has discovered security flaws that can be exploited by a threat actor to spy on private phone calls and intercept text messages on a large scale, even when the mobile phones are using the most advanced encryption now available.

The flaws will be reported at the upcoming hacker conference in Hamburg, and once again the attackers would exploit the insecurity of the SS7 protocol, also known as Signaling System Number 7, the protocol suite used by telecommunications operators to communicate with one another when directing calls, texts and Internet data.

The researchers also explained that the flaws in the SS7 protocol could be exploited by criminal crews to defraud users and cellular carriers.

“The flaws, to be reported at a hacker conference in Hamburg this month, are the latest evidence of widespread insecurity on SS7, the global network that allows the world’s cellular carriers to route calls, texts and other services to each other. Experts say it’s increasingly clear that SS7, first designed in the 1980s, is riddled with serious vulnerabilities that undermine the privacy of the world’s billions of cellular customers.

The flaws discovered by the German researchers are actually functions built into SS7 for other purposes – such as keeping calls connected as users speed down highways, switching from cell tower to cell tower – that hackers can repurpose for surveillance because of the lax security on the network.” reports The Washington Post.

The SS7 protocol allows cell phone carriers to collect location data for a user’s device from cell towers and share it with other carriers; this means that by exploiting SS7 a carrier is able to discover the position of a customer wherever they are.

In a previous post, I explained that surveillance vendors using the SS7 protocol are able to geolocate users with great precision.

“The tracking technology takes advantage of the lax security of SS7, a global network that cellular carriers use to communicate with one another when directing calls, texts and Internet data.” reports the Washington Post. 

As explained by the researchers, the problem resides in the intrinsic security of the protocol, which is considered outdated due to the presence of several serious vulnerabilities that can lead to the violation of the privacy of billions of mobile users worldwide.

At the time of writing, the researchers have not provided further information on the security vulnerabilities discovered in the SS7 protocol, but experts believe that hackers can exploit them to track an individual or redirect a user’s calls to the attackers.

The attack scenario is worrying and opens the door to massive surveillance activities; the American Civil Liberties Union (ACLU) has also warned people against possible abuse of such vulnerabilities by intelligence agencies and law enforcement.

“Don’t use the telephone service provided by the phone company for voice. The voice channel they offer is not secure,” principal technologist Christopher Soghoian told Gizmodo. “If you want to make phone calls to loved ones or colleagues and you want them to be secure, use third-party tools. You can use FaceTime, which is built into any iPhone, or Signal, which you can download from the app store. These allow you to have secure communication on an insecure channel.”

Unfortunately, the vulnerabilities in the SS7 protocol will continue to be present, even as cellular carriers upgrade to advanced 3G technology to avoid eavesdropping.

“But even as individual carriers harden their systems, they still must communicate with each other over SS7, leaving them open to any of thousands of companies worldwide with access to the network. That means that a single carrier in Congo or Kazakhstan, for example, could be used to hack into cellular networks in the United States, Europe or anywhere else,” states the Washington Post.

“It’s like you secure the front door of the house, but the back door is wide open,” said Tobias Engel, one of the German researchers.

The team of researchers did not find evidence that the flaws discovered have been “marketed” to governments on a widespread basis; in any case, it is impossible to know whether intelligence agencies are already exploiting them in their operations.

“Many of the big intelligence agencies probably have teams that do nothing but SS7 research and exploitation. They’ve likely sat on these things and quietly exploited them,” Soghoian said.

Stay tuned for further information …

Pierluigi Paganini

(Security Affairs –  SS7 protocol, surveillance)