
Tuesday, 11 November 2014

APT28 — State Sponsored Russian Hacker Group



APT28 Hacker Group — Cyber Espionage Attacks Tied to Russian Government


A cyber espionage group active for nearly a decade, which targeted a variety of Eastern European governments and security-related organizations including the North Atlantic Treaty Organization (NATO), has been exposed by a security research firm.

The US intelligence firm FireEye released its latest Advanced Persistent Threat (APT) report on Tuesday, which said that the cyber attacks targeting various organisations would be of interest to Russia and "may be" sponsored by the Russian government.

The report, entitled "APT28: A Window Into Russia's Cyber Espionage Operations" and published by FireEye, has "evidence of long-standing, focused operations that indicate a government sponsor - specifically, a government based in Moscow."
"Despite rumours of the Russian government's alleged involvement in high-profile government and military cyber attacks, there has been little hard evidence of any link to cyber espionage," Dan McWhorter, FireEye vice president of Threat Intelligence, wrote in a blog post discussing the report.
"FireEye's latest APT report sheds light on cyber espionage operations that we assess to be most likely to be sponsored by the Russian government, long believed to be a leader among major nations in performing sophisticated network attacks."
The cyber-espionage group is believed to have been operating since at least 2007 in order to steal political and state secrets from businesses and foreign governments. The group launched cyber attacks on the government of Georgia, in Eastern Europe, as well as on NATO and the Organisation for Security and Co-operation in Europe, according to the report.

Whereas Russian cyber criminal groups are known for conducting massive cyber campaigns aimed at stealing money and financial information, APT28 focuses on "privileged information related to governments, militaries and security organizations."
"This group, unlike the China-based threat actors we track, does not appear to conduct widespread intellectual property theft for economic gain," FireEye stated in the report. "Nor have we observed the group steal and profit from financial account information."
The security firm found that the malware used by APT28 features consistent use of the Russian language. Moreover, more than 96 percent of the malware samples analyzed by the researchers were compiled between Monday and Friday, between 8AM and 6PM in the time zone matching working hours in Moscow and St. Petersburg. This regularity suggests that the hackers were based in Moscow, the report argues.
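As an added example (not from the FireEye report or this post), the following Python reproduces the compile-timestamp analysis described above on constructed sample data: it shifts PE-header style TimeDateStamp values into a candidate UTC offset, scores what share fall Monday to Friday between 8AM and 6PM, and searches for the offset that best explains the samples. The UTC+4 offset used for Moscow in early 2014 and the sample timestamps are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 8, 18   # the 8AM-6PM local window the report uses

def compile_ts(y, m, d, hh, mm, offset_hours):
    """Build a PE-header style TimeDateStamp (Unix seconds) from a local wall-clock
    time in the given UTC offset. Used here only to construct sample data."""
    tz = timezone(timedelta(hours=offset_hours))
    return int(datetime(y, m, d, hh, mm, tzinfo=tz).timestamp())

def in_working_hours(ts, offset_hours):
    """True if the compile timestamp falls Monday-Friday, 08:00-17:59, once the
    UTC value is shifted into the candidate time zone."""
    local = datetime.fromtimestamp(ts, tz=timezone(timedelta(hours=offset_hours)))
    return local.weekday() < 5 and WORK_START <= local.hour < WORK_END

def working_hours_share(timestamps, offset_hours):
    """Fraction of samples compiled inside local working hours (0.0 for no samples)."""
    if not timestamps:
        return 0.0
    return sum(in_working_hours(ts, offset_hours) for ts in timestamps) / len(timestamps)

def best_matching_offset(timestamps, candidates=range(-12, 15)):
    """The UTC offset whose working-hours window explains the most samples: the
    inference step that points the report at Moscow/St. Petersburg. Ties go to
    the smallest offset, so treat the result as a band, not a single zone."""
    return max(candidates, key=lambda off: working_hours_share(timestamps, off))

# Constructed sample: weekday compile times entered as Moscow local time. Assumption:
# Moscow was UTC+4 until 26 October 2014, so early-2014 samples use offset 4.
MOSCOW_2014 = 4
SAMPLE_TIMESTAMPS = [
    compile_ts(2014, 3, 10, 9, 0, MOSCOW_2014),    # Monday 09:00
    compile_ts(2014, 3, 12, 11, 30, MOSCOW_2014),  # Wednesday 11:30
    compile_ts(2014, 3, 13, 14, 0, MOSCOW_2014),   # Thursday 14:00
    compile_ts(2014, 3, 14, 16, 45, MOSCOW_2014),  # Friday 16:45
    compile_ts(2014, 3, 15, 10, 0, MOSCOW_2014),   # Saturday 10:00: outside the window
]

if __name__ == "__main__":
    share = working_hours_share(SAMPLE_TIMESTAMPS, MOSCOW_2014)
    print(f"{share:.0%} of samples fall in Moscow working hours")
    print("best-fitting UTC offset:", best_matching_offset(SAMPLE_TIMESTAMPS))
```

Compile timestamps can be forged, so this is one signal among several rather than proof of location.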
The APT28 group has constantly updated its software and made the resulting binaries difficult to reverse engineer. It used a downloader tool that FireEye dubbed "SOURFACE", a backdoor labelled "EVILTOSS" that gives the hackers remote access, and a flexible modular implant called "CHOPSTICK" to extend the functionality of the espionage software.

Infection is usually achieved via a spear phishing email with a relevant lure and the malware hidden in the attachment. The hacker group has also created a number of fake domains for UK-based defence events, including the Counter Terror Expo, as part of the operation to gather intelligence on attendees.

With the help of the above-mentioned tools, the group could access the file system and registry, enumerate network resources, create processes, log keystrokes, access stored credentials, execute shellcode, and encrypt exfiltrated data with an RSA public key before uploading it.
"The coding practices evident in the group's malware suggest both a high level of skill and an interest in complicating reverse engineering efforts," the report stated.
In another report, a top White House official confirmed that Russian hackers had broken into the unclassified White House computer networks: "we identified activity of concern on the unclassified Executive Office of the President network."

Russia has been suspected of attacks on Ukraine too, including attempts to gain access to politicians’ mobile phone communications.

By "Kunal Vohra", Director@H2K


Friday, 17 October 2014

Russian Hackers Used Bug in Microsoft Windows for Spying


By "Kunal Vohra", Director@H2K



Russian hackers used a bug in Microsoft Windows to spy on several Western governments, NATO and the Ukrainian government, according to a report released Tuesday by iSight Partners, a computer security firm in Dallas.

The targets also included European energy and telecommunications companies and an undisclosed academic organization in the United States, the Internet security report said.

While it is unclear what type of information may have been retrieved, iSight said that the targets of the attacks were often linked to the standoff in Ukraine between Russia and the West.

That included the NATO summit meeting in Wales in early September at which the Russian hackers targeted the Ukrainian government and at least one American organization, the report said.

The illegal activities started as early as 2009 and used a variety of techniques to gain access to confidential information. But iSight said that it was only in the late summer that the Russian hackers started using what experts refer to as a zero-day attack — the exploitation of a previously unknown vulnerability — on Windows.

The bug affected versions from Windows Vista to the company’s latest software, Windows 8.1, though Microsoft is expected to release an update on Tuesday to resolve the potential vulnerability.

Despite efforts to thwart the Russian hackers’ attacks, iSight said using the Microsoft bug and other illegal tactics almost certainly allowed the hackers to gain some access to their targets.

“The use of this zero-day vulnerability virtually guarantees that all of those entities targeted fell victim to some degree,” the company said.

While the vulnerability affected many versions of Windows, iSight said the Russian hackers appeared to be the only group to use the bug. The company added, however, that other companies and organizations might also have been attacked.

Representatives for Microsoft and the Russian government were not immediately available for comment.

The discovery of the hacking is the latest in a series of worldwide attacks that have affected individuals, government agencies and companies.

Many of these attacks have originated in Russia and other Eastern European countries, though the purpose of the hackers’ efforts has often varied.

Last year, for example, Eastern European hackers gained access to the data of up to 110 million customers of the retailer Target.

In August, security researchers discovered that a separate Russian crime ring had amassed a huge collection of stolen online information, including roughly 1.2 billion user names and passwords and more than 500 million email addresses.

And this month, JPMorgan Chase also revealed that another cyberattack, which experts believe originated in Russia, had compromised the banking accounts of roughly 76 million households and seven million small businesses.

iSight said it had called the most recent Russian hackers the Sandworm team because they used encoded references to the science fiction series "Dune" in their attacks.

iSight said the group often used so-called spear-phishing techniques in its attacks against Western government and commercial targets. That involved sending emails to prospective targets with documents attached that, when opened, could allow the attacker to gain control of the computer.

Many of the emails were specifically related to the Ukrainian conflict and to wider issues linked to Russia, the company said.

Source: New York Times

Thursday, 16 October 2014

Microsoft Patches 3 Zero-day Vulnerabilities actively being Exploited in the Wild

As part of its monthly patch update, Microsoft released eight security bulletins on Tuesday that address dozens of vulnerabilities, including a zero-day flaw reportedly being exploited by Russian hackers to target NATO computers and a pair of zero-day Windows vulnerabilities that attackers have been exploiting to penetrate major corporations' networks.

The day before yesterday, our team reported on a zero-day vulnerability discovered by the cyber intelligence firm iSight Partners that affects all supported versions of Microsoft Windows and is being exploited in a five-year-old cyber-espionage campaign against the Ukrainian government and U.S. organisations.

Researchers at FireEye found two zero-day flaws, used in separate, unrelated attacks that exploit the Windows kernel, just a day after iSight Partners disclosed the zero-day in Windows. The pair of zero-day vulnerabilities could allow an attacker to access a victim's entire system.

According to the researchers at FireEye, two of the three so-called zero-day flaws are being actively exploited in the wild by hackers and are being used as "part of limited, targeted attacks against some major corporations."

Microsoft's updates for the October 2014 Patch Tuesday address several vulnerabilities in all currently supported versions of Windows, Internet Explorer, Office, SharePoint Server and the .NET Framework. Three of the bulletins are marked "critical" and the rest are "important" in severity. Systems administrators are advised to apply the critical updates immediately.

The zero-day flaw (CVE-2014-4114) discovered by iSight Partners in all supported versions of Microsoft Windows and Windows Server 2008 and 2012, which is being exploited in the "Sandworm" cyberattack, is patched as part of MS14-060. Microsoft rated bulletin MS14-060 as important rather than critical because exploitation requires a user to open a Microsoft Office file to trigger the remote code execution.
"The vulnerability [exists in Windows OLE] could allow remote code execution if a user opens a Microsoft Office file that contains a specially crafted OLE object," Microsoft warned in its bulletin. "An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the current user." (OLE is Microsoft technology for creating complex documents that contain a combination of text, sound, video and other elements.)
However, the two zero-days discovered by FireEye are patched as part of MS14-058 and are marked critical. They are designated CVE-2014-4148 and CVE-2014-4113.
"We have no evidence of these exploits being used by the same actors. Instead, we have only observed each exploit being used separately, in unrelated attacks," FireEye explained.
CVE-2014-4148 exploits a vulnerability in TrueType Font (TTF) processing. TTF processing is performed in kernel mode as part of the GDI and has been the source of critical vulnerabilities in the past as well.

The vulnerability affects Windows 8.1/Windows Server 2012 R2, Windows 8/Windows Server 2012, Windows 7/Windows Server 2008 R2 (Service Pack 0 and 1) and Windows XP Service Pack 3. It affects both 32-bit and 64-bit versions of the Operating System, but the attacks have only been observed against 32-bit systems.

However, CVE-2014-4113 is a local Elevation of Privilege (EoP) vulnerability that affects all versions of Windows including Windows 7, Vista, XP, Windows 2000, Windows Server 2003/R2, Windows Server 2008/R2, Windows 8.x and Windows Server 2012/R2.

Of the remaining bulletins, two are rated critical; they address remote code execution vulnerabilities in Internet Explorer and the Microsoft .NET Framework respectively. The remaining bulletins are rated important in severity and include elevation of privilege bugs, a security feature bypass, and a remote code execution flaw.




By "Kunal Vohra", Director@H2K


Saturday, 9 August 2014

5 unanswered questions about the 1.2 billion passwords stolen by Russian hackers

By "Kunal Vohra" Director@H2K

There’s still much that’s unclear about Tuesday’s revelation that a small group of hackers in Russia have amassed a database of 1.2 billion stolen user IDs and passwords. The company that disclosed the incident, Hold Security, didn’t offer any fresh information Wednesday, but here are five questions we’d like to see answered (and a bonus one that we already know the answer to).

Where did the credentials come from?

Hold Security said the hacking group started out buying stolen credentials on the black market, then used those credentials to launch other attacks. But it’s unclear how many credentials they bought and how many of the 1.2 billion they culled themselves. Without that information, it’s hard to know how fresh—and hence how valuable—the stolen data is.

What websites are they for?

If the hackers managed to recently penetrate major websites, like financial or email services, then it’s time to change your password. But if the data comes from mainly smaller sites, the value of the credentials is likely lower—unless people reused the same password they use for sensitive accounts. You do have unique passwords for important accounts, don’t you?

What are the hackers going to do with them?

The answer to this depends partly on the previous two questions. If they are fresh credentials for important services like online banking, they are ripe to be used to siphon money from online accounts. If they are older or from little-used services, they might be used to send spam by email or post it in online forums.

Were the passwords hashed, and how?

Even most small websites don’t store passwords as plain text these days, but the scrambling system used to protect passwords, called “hashing”, offers varying degrees of protection. An older one called “MD5” can be attacked with brute force and broken in a few minutes—faster if the password is something common like “password123”—but a more modern and secure method takes longer to break and so is more costly to attack.
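To make the hashing point concrete, here is an added Python example (not from Hold Security or this post) that stores the article's sample password two ways: unsalted MD5, and salted, iterated PBKDF2-HMAC-SHA256 as one of the "more modern" methods. It then measures how many candidate guesses per second each scheme allows, which is what decides whether a leaked hash falls in minutes or not; the salt, iteration count and guess strings are constructed for the example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 100_000              # work factor: raises the cost of every guess
DEMO_SALT = b"constructed-salt"   # fixed salt, used only for the throughput comparison

def legacy_md5_hash(password):
    """Unsalted MD5, the older scheme the article mentions: one cheap hash per
    guess, and identical passwords always produce identical hashes."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_hash(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'iterations$salt$digest' so
    a verifier can recover the parameters. A fresh random salt per user defeats
    precomputed tables, and each guess now costs `iterations` HMAC calls."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iterations, compare in constant time."""
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def guesses_per_second(hash_fn, guesses):
    """Rough attacker throughput: constructed candidate passwords hashed per second."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn(f"candidate{i}")
    return guesses / max(time.perf_counter() - start, 1e-9)

def throughput_ratio():
    """How many times more guesses per second MD5 allows than PBKDF2 (fixed salt)."""
    md5_rate = guesses_per_second(legacy_md5_hash, 2000)
    slow_rate = guesses_per_second(lambda p: pbkdf2_hash(p, DEMO_SALT), 5)
    return md5_rate / slow_rate

if __name__ == "__main__":
    stored = pbkdf2_hash("password123")
    print("md5:", legacy_md5_hash("password123"))
    print("pbkdf2 verifies:", pbkdf2_verify("password123", stored))
    print(f"MD5 allows ~{throughput_ratio():,.0f}x more guesses per second")
```

The MD5 digest of "password123" is the same on every site that uses it, so one lookup table breaks it everywhere; the PBKDF2 output differs per user and per site.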

Was I affected?

This is the big question for every Internet user. Hold Security says you can sign up for a forthcoming service that will notify you if your details were included. Website operators are being offered a US$120-a-year service that will notify them if their user accounts appear in this or other hacker databases.

Passwords aren’t that secure, are they?

Nope, especially as most people implement them today. That’s why major websites including Gmail, Facebook and Twitter offer two-factor authentication that requires a password and an ever-changing code produced by a smartphone app, or offer to send a login token via SMS when users connect from a new computer. Security companies are working on new methods for authentication, but it’s an ever-continuing cat-and-mouse game with hackers.
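The "ever-changing code produced by a smartphone app" mentioned above is normally a TOTP value (RFC 6238, built on HOTP from RFC 4226). The following is an added Python example, not code from any of the services named in the post: it derives the six-digit code from a shared secret and the current 30-second interval, and shows the server-side check with a small tolerance window for clock drift. The secret is the RFC 6238 test key, embedded here as constructed sample data.

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes and reduces them modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % (10 ** digits)).zfill(digits)

def totp(secret, at=None, step=30, digits=6):
    """TOTP (RFC 6238): the counter is the number of `step`-second intervals since
    the Unix epoch, so the code changes every 30 seconds by default."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)

def verify_totp(secret, code, at=None, step=30, window=1):
    """Server-side check: accept the current interval plus `window` neighbours on
    each side to absorb clock drift, comparing in constant time."""
    t = int(time.time()) if at is None else at
    return any(hmac.compare_digest(totp(secret, t + k * step, step), code)
               for k in range(-window, window + 1))

def secret_from_base32(text):
    """Authenticator apps are provisioned with a base32 secret; decode it to bytes."""
    return base64.b32decode(text.upper())

# Constructed secret: the RFC 6238 SHA-1 test key "12345678901234567890".
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("code at T=59:", totp(TEST_SECRET, at=59))
    print("current code:", totp(TEST_SECRET))
```

A stolen password alone no longer logs the attacker in, but a code is only as secret as the seed, so the seed must be stored as carefully as a password hash.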
