Mac-using iPhone developers are the latest targets of a widespread, sophisticated cyberattack.

Microsoft revealed yesterday that it got hit with the same kind of Java-based hack that targeted Apple and Facebook earlier this year, and which may also have compromised Twitter, spilling secrets on 250,000 of its customers.

The Microsoft attack seems to have had a smaller impact than the others.

“During our investigation, we found a small number of computers, including some in our Mac business unit, that were infected by malicious software using techniques similar to those documented by other organizations,” Microsoft wrote.

It’s not clear if all three companies were targeted by the exact same attacker, but the techniques used were similar:

• Programmers within the targeted company visited a website aimed at mobile app developers, probably iPhone developers specifically.
• The website infected the programmers’ computers, via their web browser’s Java plugin. Initially the malware appears to have targeted Macs, but Reuters reports that there is also a version that targets Windows PCs.
• The malware on the developer computers then attempted to transmit information back to the hackers.

It’s not clear from these reports exactly how much information got leaked, or what kind of information the hackers were seeking. Microsoft says no customer data was compromised. Facebook also said earlier this month that no customer data got out.

VentureBeat’s upcoming DevBeat conference — by and for hackers — will include sessions on what developers need to know about security, including an all-night “breakathon” where you’ll learn black hat techniques. Find out more about DevBeat.

Twitter wasn’t so lucky: 250,000 of its customer accounts were compromised, with hackers making off with usernames, hashed passwords, and session IDs.

Also unclear: The source of these attacks. However, Reuters reports that the attacks may have originated in China. A widely-publicized report from Mandiant this week identified a People’s Liberation Army unit, called APT1, which it claims has been responsible for a long-term, sophisticated cyber espionage campaign.

Apple responded earlier this month by issuing its own patch for OS X. Oracle, which publishes Java, issued its own patch later.

As a side note: Apple has not shipped Java since Mac OS X Lion — which launched in July of 2011 — and also disables Java if it has not been used in 35 days.

That’s looking more and more like a wise idea.

Photo credit: carlosj via photopin cc

Rupert Murdoch, owner of the Wall Street Journal’s parent company Dow Jones, says Chinese hackers are still attacking the paper’s systems.

Last week a number of well-known newspapers reported hacks on their systems. This included both the New York Times and the Wall Street Journal. It was rumored that The Washington Post has been experiencing breaches as well. The New York Times reported that Chinese hackers had accessed its systems specifically breaking into the accounts of its Shanghai bureau chief and the South Asia bureau chief.

The Wall Street Journal soon followed up, saying Chinese hackers also broke into its systems “apparently to spy on reporters covering China.” This was on January 31. A week later, Murdoch says the paper is still being attacked by Chinese hackers.

He tweeted, “Chinese still hacking us, or were over the weekend.”

According to the New York Times the attacks began soon after the newspaper published a story about China’s Prime Minister and his family’s wealth. The Wall Street Journal is another obvious target given its coverage of the region and popularity. But why the newspapers? The information in those emails is important, especially if these were state sponsored attacks. An attacker may be able to see who the reporter’s source is, where they are at any given time, and gain more understanding of how that reporter gets her information.

You can’t write cyber espionage off as a thing of the future. While the New York Times says that the hackers didn’t actually steal any important information, the technology is there. Viruses like Flame and Gauss that can turn on your camera, record your audio, and take screenshots only when communications apps are open show just how strong spyware is today.

At the time a spokesperson for Dow Jones said that this is an “ongoing issue” and promised the publication is working with law enforcement and security professionals to protect its reporters.

hat tip Cnet; Rupert Murdoch image via World Economic Forum/Flickr

The United States has been watching Iran for cyber activity for some time now with a fear that cyber espionage and war tactics are getting even stronger. One Air Force commander is jumping on board with this concern, saying Iran in particular is a “force to be reckoned with.”

U.S. Air Force Space Command General William Shelton told Reuters he believes Iran was provoked by the Stuxnet attacks in 2010, and has been building up its cyber war tactics ever since. In order to prevent future attacks, Shelton explained that the Defense Department plans on expanding the number of civilian Air Force employees working on network security by 1,000. This adds to its current 6,000 employees, as Ars Technica notes.

Stuxnet, the virus that Shelton says may have caused Iran to increase its cyber warfare development, attacked the country’s Natanz nuclear plants in 2010. The virus attacks SCADA systems, or the computers that control industrial, physical equipment such as nuclear fueling infrastructure, all the way down to prison doors. The attacks did just that, and reportedly damaged the fueling equipment used in this nuclear facility.

It was later uncovered that Stuxnet was a joint effort between the United States and Israel.

Defense Secretary Leon Panetta warned of more of these attacks in a recent speech saying we can expect a “cyber Pearl Harbor” on our hands. He pointed out how connected devices, water supplies, and electrical grids can all be tampered with and that we need to prepare for cyber war in the future.

Air Force image via Shutterstock

Rocra is the latest in spyware attacking government entities around the world. The virus is a new piece of malware that Russian security firm Kaspersky Lab has discovered. It’s flown under the radar for five years — and it is still in use to this day.

Rocra, short for Red October, spies on governments with a number of “info-stealing modules,” or facets of the malware that nab and send back documents and other data from that computer. Created in 2007, it steals the usual data suspects, such as documents, PDFs, and a number of other file types, but it also specifically looks for the extension “acid.” This is created by an encryption program called Acid Cryptofiler used by NATO and some European Union organizations.

Cyber-espionage has become a big concern, as more reports of state-sponsored attacks surface. While there’s thus far no evidence to suggest that this is a state-sponsored attack, governments such as the United States are getting more serious about cyber-attacks and talking about beefing up preparation for them. Recently, outgoing Defense Secretary Leon Panetta said that we could be facing a “cyber-Pearl Harbor.”

Kaspersky belives that the malware writers are likely Russian-speaking, given a number of Russian phrases that show up in the malware’s code.

Kaspersky does not outright name the organizations that were infected by Rocra, but it did specify that the malware targets government organizations, scientific research organizations, embassies, and consulates. The majority of these infections were in Eastern Asia, though Kaspersky did find some in Western Europe and North America. The research firm discovered this by monitoring its cloud security tools and setting up a “sinkhole server,” or a server that monitors all traffic going in and out of the malware’s command and control server. From the sinkhole, Kaspersky learned that IP addresses out of Switzerland, Kazakhstan, and Greece contacted the command and control server most frequently.

The malware can also “resurrect” itself once a previously infected computer is wiped. When it is first installed, Rocra adds itself as a plug-in to Microsoft Word and Adobe Reader, according to Kaspersky. After the machine is “clean,” the attacks can send a document to the computer that revitalizes the virus when opened.

Furthermore it attacks more than just regular computers; it can also steal information from mobile phones (including the iPhone and Windows phones) as well as record data from network switches and routers.

A computer is infected with the malware through a simple social engineering attack. That is, the criminals will send a phishing email to their target in the hopes that they open an attachment.

hat tip The New York Times; Spying image via Shutterstock

Researchers announced a new malware called miniFlame today that may be monitoring and stealing data from specific, highly profitable victims. It is a sister to the Flame malware that made headlines earlier this year.

The malware was found by Kaspersky Lab after it discovered and began monitoring the command and control servers of Flame. It recorded communications between Flame and the command and control servers as expected, but there was a separate, unexpected entity communicating with the same server. That turned out to be miniFlame.

MiniFlame is an extension of cyber espionage malware Flame in that it can be used as a plug in but is also capable of operating as its own entity. Kaspersky says it is a “high precision, surgical attack tool” that is likely reserved for bigger, more profitable targets. Indeed, researchers believe that Flame has infected up to 6,000 people, while miniFlame has only attacked around 60 people, or one percent of Flame’s pool.

The malware is one of the four strains of viruses Kaspersky found after analyzing code from Flame’s command and control servers. There, researchers discovered communications protocols for IP, SPE, SP, and FL. “FL” was quickly identified as Flame. SPE is today’s miniFlame. Kaspersky says SP is likely an older version of SPE. IP is yet to be found and is the youngest of the four.

Flame was discovered earlier this year and was quickly labeled one of the most advanced cyber espionage tools known. It targets the Middle East and is packed with modules that all perform some sort of spying technique such as turning on the computer’s microphones to record audio and taking screen shots when certain communications apps are open such as email or Skype. Gauss was found soon thereafter targeting systems in Lebanon, specifically programmed to steal bank account login credentials and other associated data.

Gauss can also use miniFlame as a plug-in, which strengthens the idea that the Flame and Gauss malware writers were in some way connected. When Gauss uses miniFlame, however, it refers to it as “John.”

Flame is similarly connected to the Stuxnet and Duqu viruses, as it shares a separate module with the two.

MiniFlame doesn’t target specific regions, but there are several variations of miniFlame that target places like Pakistan and Iran. There have also been some cases found in France. Thus far, researchers have only found six of these variants but believe there are up to six more. Those currently under watch were created between 2010 and 2011, though the protocol for miniFlame, SPE, was created in 2007.

Unlike Flame or Gauss, the creators of miniFlame can control the computer it infects through a backdoor miniFlame sets up. Once in it listens to commands that all go by names. These include:

• Fiona: Writes files to the machine
• Sonia: Data stealing, sends files back to the command and control servers
• Sam: Puts the computer to sleep for “specified amount of time”
• Barbara: Takes a screenshot if a specific application is open

Others include Elvis, Eve, Drake, Charles, Alex, and Tiffany.

How miniFlame actually gets installed onto victims’ computers is still unknown. Researchers believe it could be deployed from the command and control server when Flame and Gauss infect the system, though it can operate without the aid of Flame and Gauss.

hat tip Wired; Candles image via Shutterstock; Flame command and control server image via Kaspersky Lab

Sept. 9 - 10, 2013
San Francisco, CA

Early Bird Tickets on Sale

The U.S. Congress Intelligence Committee and telecommunications vendor Cisco are agreed on one thing: Chinese networking equipment companies can’t be trusted.

Whether that’s just political posturing and jingoistic protectionism or the plain simple facts of global geopolitics depends a lot on who you believe.

According to Reuters, this morning Cisco killed a seven-year partnership with Chinese networking manufacturer ZTE after investigations reportedly showed that ZTE sold banned technology to Iran. Sending U.S.-developed technology that could allow Iran to monitor and control Internet usage violates U.S. sanctions against that country — and could put Cisco’s U.S. business in jeopardy.

According to Cisco’s financial statements, more than half of its revenue is from North and South America, and most of that will be from the U.S. Cisco had partnered with ZTE, licensing Cisco technology to the up-and-coming company in an attempt to fight larger and more dangerous competitor Huawei in emerging markets.

Coincidentally, perhaps, the U.S. House of Representatives’ Intelligence Committee released a draft report saying, in part, that both Huawei and ZTE “cannot be trusted to be free of foreign state influence,” and therefore, U.S.-based Internet service providers and telecommunications companies should “seek other vendors” for infrastructure projects.

This is not new.

Congress has been concerned about China electronically spying on the U.S. for some time now. The concern is that, since Chinese companies either have close ties to the Chinese government or can be compelled to allow significant amounts of government access to their technology, products used in the sensitive telecom industry could contain backdoors or intentional security holes to facilitate espionage.

Very similar, of course, to what the FBI wants Facebook, Twitter, and Skype to grant it. Or to what the NSA was rumored to have built into various version of Windows.

China has been accused of industrial espionage many times, as well as of spying on activists and political dissidents, and very recently was reported to be attempting to access military systems in the White House itself (not for the first time). So it’s hard for China to wear the white cape here.

But that doesn’t stop the country from trying, and a spokesman for China called upon Congress to “set aside prejudices and respect the facts,” according to Reuters, as well as offering a veiled threat, saying the U.S. should “do more that is beneficial to Sino-American economic and trade ties, rather than the contrary.”

The story won’t end here.

But if it continues in the current path, this war of words threatens to become something more substantial, potentially involving trade sanctions on both sides.

photo credit: ukaszSie via photopin cc

Flame, the malware related to the infamous Stuxnet that hit Iranian nuclear systems in 2010, may have three sisters in the wild, according to new research by Russian security firm Kaspersky Lab.

Kaspersky Lab first announced the existence of Flame in May, saying it was deployed around two years prior in 2010, and had already affected thousands of computers. Work may have even started on the malware as early as 2007. It targeted a number of countries in the Middle East, and was called one of the most advanced cyber espionage tools to date.

Since May, Kaspersky Lab has been studying Flame’s command and control servers, or the server that receives any data Flame steals and regularly communicates with the malware. When researchers first accessed the command and control server’s dashboard, they immediately assumed it was created by “script kiddies,” or young, inexperienced hackers. The writers also avoided using what Kaspersky calls “professional terms,” including bot, botnet, infection, or malware-command. Instead, they used words like backup, blog, and download. Kaspersky realized that the simplicity of the C&C home as well as the verbiage used was meant to trick anyone who might have audited the server.

In addition to learning about how the malware writers configured their “home base,” Kaspersky also found logs that displayed the nickname of the hacker, along with when the hacker did work on the C&C. Researches hid the nicknames in its analysis report, but provided the initials O, D, H, and R, indicating that there were four separate developers. Each had a different job and accessed a different amount of files within the system .

The four hackers also built four protocols, which communicated with different “clients,” or pieces of malware.

“A close look at these protocol handlers revealed four different types of clients codenamed SP, SPE, FL and IP,” said Kaspersky in its analysis. “We can confirm that the Flame malware was identified as client type FL. Obviously, this means there are at least three other undiscovered cyber-espionage or cyber-sabotage tools created by the same authors: SP, SPE and IP.”

What these three do and whether they are currently active is unknown.

The Flame virus, however, is enough to indicate what the sisters could do. While active, Flame unpacked 20 different modules that spied on the infected computer in different ways. It could tell when you had a communication app open, such as GMail or instant message, and take periodical screen shots to record your conversations. Flame could also turn on the computer’s microphone to record audio happening in the vicinity.

hat tip Wired; Fire equipment image via Shutterstock

The emergence of Chinese telecom companies Huawei and ZTE has meant a larger selection of cheaper phones for U.S. consumers. But the companies may also present a security threat to the U.S., according to U.S. Congressman Mike Rogers. Rogers says hardware from the two companies could make it easier for China to spy on U.S. companies and government agencies, Reuters reports.

Rogers heads up the U.S. House of Representatives’ Intelligence Committee, which began investigating the allegations last November. Topping the committee’s list is the concern that China-made software and hardware contain security backdoors that could facilitate espionage.

According to one claim, China has even gone as far as to subsidize the products of Huawei and ZTE in an effort to secure market share.

As a result of the fears, Rogers warns that the U.S. government may seek legislation to protect U.S. networks. ”This is going to be a huge problem that we’re going to have to get a handle on very quickly,” he said at the Bloomberg Government conference in Washington.

Unsurprisingly, Huawei has countered similar allegations in the past.

“Given that Huawei has publicly and repeatedly and in a detailed fashion debunked this type of misinformation with solid facts, it would be truly unfortunate if such unsubstantiated and unclearly motivated statements persist,” Huawei told Reuters in a statement.

ZTE responded similarly, denying that it receives support from the Chinese government.

These sorts of denials haven’t sated the concerns, however. Earlier this year, the Australian government prevented Huawei from bidding on construction of its $38 million nationwide high-speed Internet network. The decision, which followed a similar situation in India in 2006, was a result of fears that Huawei was too close with the Chinese government.

Alperovitch, the vice president of threat research for McAfee, started the day in Omaha, Neb., where he was believed to be briefing U.S. government officials. His tale of investigating the cyber evidence, which began in earnest in March, was chronicled in a lengthy Vanity Fair (yes, not the sort of magazine you expect to see writing about cyber security) article that appeared Wednesday. He did interviews with CNN, NPR, and a bunch of other media. At Black Hat, the McAfee revelation was the talk of the day.

“They started calling me on my personal phone,” he told Joris Evers, a public relations official for McAfee. “How did they get my phone number?”

Evers said, “Maybe you should change it.”

This is not the sort of attention that most Black Hat news stories get. Some attendees were trying to debunk the story, saying there was no way that the ring was as vast as suggested. They thought it curious that Alperovitch named the operation himself, after a remote access tool that was used in the attack.

Alperovitch told Vanity Fair magazine, Reuters and others that the five-year spying campaign penetrated the computer networks of 72 governments and major corporations. Last week, Alperovitch briefed senior White House officials on Shady RAT. He talked to executive branch agencies and congressional committee staff. McAfee believes that the governments infiltrated by Shady RAT operatives include the United States, Taiwan, South Korea, Vietnam, and Canada. Others hit include the United Nations, the Olympic committees in three countries, and the International Olympic Committee. About 49 targets were in the U.S. A total of 13 defense contractors were hit.

“It came from a process of putting different pieces together, with a lot of cooperation,” Alperovitch said to me at the party.

Alperovitch picked up the first trail in the spying scheme in 2009, according to Vanity Fair, when a McAfee client in the defense industry found that its network had been penetrated.

The magazine wrote, “Forensic investigation revealed that the defense contractor had been hit by a species of malware that had never been seen before: a spear-phishing email containing a link to a Web page that, when clicked, automatically loaded a malicious program — a remote-access tool, or rat — onto the victim’s computer. The rat opened the door for a live intruder to get on the network, escalate user privileges, and begin exfiltrating data.”

McAfee identified the command and control server that launched the attack and blocked it. But only in March did Alperovitch discover there were logs of the attacks stored on the computer. That allowed McAfee to figure out who had been attacked and how the sequence of events unfolded. Curiously, none of the attacks took place in China.

Alperovitch said the evidence indicates a “state actor” perpetrated the sophisticated hacking plot, leading others to believe China — which Google blamed for Operation Aurora cyber espionage attacks — was behind the scheme.

I asked him if McAfee had an army of researchers poring over the details of the intelligence ring.

“No, it was just me and a small group,” he said. His post credited Adam Meyers for research help.

Asked why he didn’t name the country that did the spying, Alperovitch said, “We didn’t have the evidence. So we didn’t say.”