Surveillance Firm Hack Exposes 400GB Of Data

This week: how 400GB of a surveillance firm's data was exposed, and a new, tricky piece of malware that deceives users by posing as a routine update.

Breach

SURVEILLANCE FIRM HACK EXPOSES 400GB OF DATA

The Italian Internet surveillance firm Hacking Team was the target of a massive hack, resulting in 400GB of source code, exploits, emails and documents being dumped onto the BitTorrent network for anyone to download.

Since the breach, researchers and journalists have been poring over the cache to reveal lists of clients, details of contracts, and methods of exploitation. This includes publishing details of zero-day exploits that vendors are now rushing to patch.

Initially no one claimed responsibility for the breach, and there are no details about how it occurred. However, a cybercriminal using the alias “Phineas Fisher” has since taken credit via Twitter. Fisher’s claim has credibility, since a hack on a similar surveillance company called Gamma Group was widely attributed to him.

“Phineas Fisher” has promised to release information of how he gained access “once they’ve had some time to fail at figuring out what happened and go out of business.”

This story underlines the case for continuous network monitoring. With companies having access to sophisticated intelligence-gathering techniques and zero-day exploits, even fully patched systems are not immune to exploitation.

Reference: ZD Net

Mitigation Strategies:

Malware

AD FRAUD MALWARE DECEIVES USERS WITH AUTO UPDATES

A Trojan called Kovter is distributed by exploit kits and generates fraudulent revenue from pay-per-click schemes by simulating users clicking on ads.

A French researcher named Kafeine analyzed a new version of Kovter that attempts to apply updates after it has infected its host. For example, after being delivered by an Adobe Flash exploit and targeting an outdated version of the software, it attempts to run the Flash auto-updater in order to patch the system against further exploitation.

The motivation for this new behavior is unclear, but the most popular theory is that the malware wants “exclusivity” on the target, meaning no other malware can coexist and potentially disrupt its operations.

This highlights the importance of continuous log review to detect unsanctioned software installations, as well as network monitoring to detect known command-and-control traffic.

Reference: Malware – Don’t Need Coffee

Mitigation Strategies:

Top 20 IP Addresses

63.123.72.11 – NEW
80.242.123.207 – NEW
113.106.93.203
123.57.77.111 – NEW
144.76.139.19
118.98.104.21
82.221.128.206
69.30.236.34 – NEW
61.160.212.27 – NEW
95.141.31.14 – NEW
209.41.163.23 – NEW
43.255.188.156 – NEW
193.238.152.34 – NEW
111.74.238.8
91.219.237.193 – NEW
5.152.192.10 – NEW
174.127.66.146 – NEW
79.141.172.10 – NEW
67.192.122.132 – NEW
79.141.165.44 – NEW
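The Kovter item above recommends network monitoring for known command-and-control traffic, and the list above is exactly the kind of indicator feed that monitoring consumes. The following Python script is an added example (not the newsletter's own tooling) showing how to sweep a firewall log for connections to or from the 20 addresses listed in this issue. The log lines are constructed for illustration and use an iptables-style SRC=/DST= format; the watchlist itself is taken verbatim from the list above.

```python
import ipaddress
import re
from collections import Counter

# The 20 addresses from this issue's "Top 20 IP Addresses" list.
WATCHLIST = {
    "63.123.72.11", "80.242.123.207", "113.106.93.203", "123.57.77.111",
    "144.76.139.19", "118.98.104.21", "82.221.128.206", "69.30.236.34",
    "61.160.212.27", "95.141.31.14", "209.41.163.23", "43.255.188.156",
    "193.238.152.34", "111.74.238.8", "91.219.237.193", "5.152.192.10",
    "174.127.66.146", "79.141.172.10", "67.192.122.132", "79.141.165.44",
}

# Constructed sample firewall log lines (iptables/syslog style, not real traffic).
SAMPLE_LOG = """\
Jul 10 09:12:01 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=144.76.139.19 PROTO=TCP SPT=50123 DPT=443
Jul 10 09:12:05 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.23 DST=93.184.216.34 PROTO=TCP SPT=50124 DPT=80
Jul 10 09:13:40 fw01 kernel: ACCEPT IN=eth0 OUT=eth1 SRC=5.152.192.10 DST=10.0.5.41 PROTO=TCP SPT=4444 DPT=8080
Jul 10 09:14:02 fw01 kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.5.1 PROTO=TCP SPT=44322 DPT=22
Jul 10 09:15:17 fw01 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.0.5.77 DST=144.76.139.19 PROTO=TCP SPT=50980 DPT=443
"""

# Matches "SRC=a.b.c.d" and "DST=a.b.c.d" fields; octet range is validated below.
FIELD_RE = re.compile(r"\b(SRC|DST)=(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_peers(line):
    """Return {field: ip} for SRC/DST values that parse as valid IPv4 addresses."""
    peers = {}
    for field, value in FIELD_RE.findall(line):
        try:
            peers[field] = str(ipaddress.IPv4Address(value))
        except ipaddress.AddressValueError:
            # Malformed octet (e.g. 999.1.1.1): skip rather than crash the sweep.
            continue
    return peers


def find_watchlist_hits(log_text, watchlist=WATCHLIST):
    """Return (line_no, direction, internal_host, watchlist_ip) for each matching line.

    Outbound hits (internal host talking to a listed address) are the
    classic beaconing pattern; inbound hits are still worth a look.
    """
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        peers = extract_peers(line)
        src, dst = peers.get("SRC"), peers.get("DST")
        if dst in watchlist:
            hits.append((n, "outbound", src, dst))
        elif src in watchlist:
            hits.append((n, "inbound", dst, src))
    return hits


def summarize(hits):
    """Count hits per watchlist IP so the busiest indicators surface first."""
    return Counter(ip for _, _, _, ip in hits).most_common()


if __name__ == "__main__":
    found = find_watchlist_hits(SAMPLE_LOG)
    for n, direction, host, ip in found:
        print(f"line {n}: {direction} traffic between {host} and watchlisted {ip}")
    print("summary:", summarize(found))
```

Exact-match lookups against a set are cheap enough to run over a full day of firewall logs; a real deployment would load the watchlist from a file that is refreshed with each issue, and would treat repeated outbound hits from one internal host as the higher-priority alert.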