Thursday, July 23, 2015

Analysts Say Hacking Team Breach Creates ‘One-Stop Shop for Badness’

July 21, 2015

An attack on an Italian cyber-security firm is having far-reaching implications, and Microsoft now finds itself on the defensive, patching holes that are letting in the worst kind of malware.
On July 6, a company called Hacking Team, which provides spyware and other surveillance technology to government agencies and law enforcement around the world, ironically could not prevent a team of hackers from invading its own databases. The attackers stole massive amounts of sensitive information, including documents identifying weaknesses in software programs like Internet Explorer, and made all of this information public.
“You could say that they got hacked and now the bad guys know how to get the good guys,” said a Wapack Labs analyst who is currently monitoring the situation.
These weaknesses in software, called zero-day vulnerabilities, allow hackers (including Hacking Team) to use exploit software to find their way into computers and access private information such as user names and passwords. From there, the hackers can let themselves into the victim’s personal cyberspace, accessing everything from contact lists to credentials for financial accounts to Facebook profiles.
While developing technology to allow their clients in the US, Egypt, Iran and other countries to spy on criminals, political opponents, and ordinary citizens, Hacking Team identified a “zero-day” vulnerability (one not previously known) in Internet Explorer 11 that opened a door into computers running Windows. When cyber-rogues turned the tables on Hacking Team and slipped into the company’s seemingly secure network, the Internet Explorer vulnerability that Microsoft was apparently unaware of was up for grabs to hackers around the globe.
“It’s one thing for a company to work with governments to help track bad actors through cyberspace,” said a Wapack Labs analyst, “it’s another for one to collect these exploits and become a one-stop shop for badness.”

The IE11 vulnerability has resulted in a particularly insidious type of invasion of Windows computers using remote code execution malware. Once inside a system, remote code execution gives hackers access to the computer and the ability to make changes within the system, no matter where in the world the owner is located.
Remote code execution malware is difficult for users to detect because it circumvents normal security settings, anti-virus and anti-malware programs, and memory protection technologies.
On June 9, Vectra Threat Labs notified Microsoft that the zero-day vulnerability in Internet Explorer was being exploited by hackers using remote code execution malware to victimize Windows users. Five days later, Microsoft released an update, MS15-065, to patch the weak spot (CVE-2015-2419). But if users aren’t downloading the patch, they face continued threats from hackers taking over their computers.
This recent attack on Microsoft using information stolen from Hacking Team is just the tip of the iceberg. More than 450 GB of data was stolen from the firm, and hackers from every corner of the world are currently sifting through the bounty, looking for vulnerabilities like the one used to attack Internet Explorer. Though Hacking Team purports to be uncovering holes in software to benefit law enforcement and government agencies, from an economic standpoint the company could profit exponentially if it were to sell its information to both sides of a conflict.
As Wapack Labs analysts continue to monitor the global implications of Hacking Team’s security weaknesses as they unfold, they will be working to determine just whose side Hacking Team is really on. Is the firm selling information about software vulnerabilities to a government, and then offering a heads-up about those vulnerabilities to the parties the government intends to target?
If so, Hacking Team certainly would not be the first high tech company to engage in profiteering by selling technology to both sides of a conflict. In 2001, journalist and historian Edwin Black reported that IBM’s German-based subsidiary profited wildly by selling its punch card data collection and processing equipment – the precursor to the modern computer – to the Nazis in the years leading up to the war. IBM continued to provide technology to the Nazis even after the US joined the Allies to oust the Third Reich. At the same time, IBM was selling the same equipment to Allied governments. However, while the Allies were using the equipment to track the movement of troops, supplies and equipment, the Nazis were using it to record and improve the deadly efficiency of the concentration camp system.
Technology has come a long way since the punch card, but turning a profit by selling technological weapons to oppressive governments, and their foes, may have been brought into the modern era by companies like Hacking Team.
Regardless of their intent, which Wapack Labs analysts will continue to try to determine, Hacking Team has aided and abetted the enemies of their clients by failing to protect their own data.

About Wapack Labs
Wapack Labs, located in the technology mills of Manchester, NH is a Cyber Threat Analysis and Intelligence organization supporting the Red Sky Alliance, the FS-ISAC, and individual organizations by offering expert level targeted intelligence analysis answering some of the hardest questions in Cyber. Wapack Labs’ engineers, researchers, and analysts design and deliver transformational cyber-security analysis tools that fuse open source and proprietary information, using deep analysis techniques and visualization. Information derived from these tools and techniques serve as the foundation of Wapack Labs’ information reporting to the cyber-security teams of its customers and industry partners located around the world.

For questions or comments regarding this report, please contact the lab directly at 603-606-1246 or feedback@wapacklabs.com.

Wednesday, March 18, 2015

Manchester, NH - Cyber Intelligence Hub??

I've been thinking about how this might sound if posted, but for the last 24 hours, it's stuck with me. I can't seem to make it go out of my head -- kinda like that music that my kids sing over and over.

We posted a piece on the Wapack Labs CMS site today that talked, at a high level, about a slug of data that we happened upon during our routine daily tasks. That slug of data was roughly 3.5Gb (and still growing) of user names and passwords (plus financials, plans, and a lot more) from over 100 transportation and shipping companies in dozens of countries around the world. This was a GREAT piece of work by our analytic team. And we do this on a daily basis. Some of the stories we tell, well, truth is stranger than fiction, and here in our office, we can tell you some stories that if you saw them on television, you probably wouldn't believe it.

One such story came out two days ago. I'm not going to take credit because we didn't write it. This kind of work is clearly not even in our ballpark. It's a different kind of intelligence, called by a new name: "Internet Intelligence". It means identifying how things are routed on the internet. We (the lab) focus more on the who and why, where this report focused on how the internet moved data. I'm referring to a report put out by Dyn describing nuclear data in the UK being routed to Russia. To us, this comes as no surprise, but to the lay reader, you might wonder why? Great question!

So here's the deal... I realized yesterday as I walked up to Elm Street from our little nondescript office in the mills, that we live in a town that literally possesses an amazing skillset in cyber. I know of one small company here that does penetration testing work... for those not in the know, these guys are GOOD. They work for DC organizations. Dyn showed that they have an amazing capacity for internet intelligence, and us? Well, we do cyber intel for thousands of banks, a big telecom provider, some Managed Security Companies, and a whole bunch of Global 2000 sized organizations.

Manchester has become home to an amazing, highly specialized talent pool in cyber intelligence. I realize many of you have absolutely no idea what that means. Maybe one day we can show you. For now, just know, when retailers lose credit cards, or your health insurer gets whacked for all of that patient data, there are companies (right here in Manchester) who're chasing those bad guys.. heck, stop by my office, I'll show you pictures of some of them. Or stop by Dyn.. they'll show you how the data gets moved. Or stop by... well, I'll leave the others out of this for now.


Tuesday, February 10, 2015

The Henrybasset Blog: New agency to sniff out threats in cyberspace

The Henrybasset Blog: New agency to sniff out threats in cyberspace: Maybe it shouldn't bother me as much as it does... oh hell, yes it should. This piece ran, above the fold, front page, column one ...

Monday, February 9, 2015

The Henrybasset Blog: The Absence of Basic OPSEC

The Henrybasset Blog: The Absence of Basic OPSEC: I'm in DC through Wednesday for a conference. I drove down from the tundra that is New Hampshire, arriving late last night. The confe...

Saturday, January 31, 2015

Victim Notification Service and new Wapack Labs Su...

The Henrybasset Blog: Victim Notification Service and new Wapack Labs Su...: If you've noticed, we've begun sending victim notifications in the last few weeks... and for good reason. As we listen to the market...