... The unidentified hackers had used spear-phishing attacks
What exactly is a "spear-phishing" attack?
-------------
With Hurricane Electric, the attacker took advantage of the fact
that its domain name servers were configured, so anyone could
register for a free account with the company's hosted DNS service.
The service allowed anyone to register a DNS zone, which is a
distinct, contiguous portion of the domain name space in the
DNS. The registrant could then create A records for the zone
and point them to any IP address.
In addition, Hurricane did not check whether newly created zones
were already registered or owned by other parties, FireEye said.
-------------
You have got to be kidding. Who could possibly be that sloppy?
-------------
Moran believed the services were victims of hacker creativity
versus a flaw.
-------------
What?!
It's not a flaw to not check to see if a desired domain is not already
registered?!
========================================================
How hackers used Google to steal corporate data
Attackers used Google Developers and public DNS to disguise traffic
between the malware and command-and-control servers
August 14, 2014
A group of innovative hackers used free services from Google and an
Internet infrastructure company to disguise data stolen from corporate
and government computers, a security firm reported.
FireEye discovered the campaign, dubbed Poisoned Hurricane, in March
while analyzing traffic originating from systems infected with a remote
access tool (RAT) the firm called Kaba, a variant of the better known
PlugX.
The compromised computers were discovered in multiple U.S. and Asian
Internet infrastructure service providers, a financial institution, and
an Asian government organization. FireEye did not disclose the name of
the victims.
The unidentified hackers had used spear-phishing attacks to compromise
the systems, then used the malware to steal sensitive information and
send it to remote servers, FireEye said.
What was unique about the attackers was how they disguised traffic
between the malware and command-and-control servers using Google
Developers and the public Domain Name System (DNS) service of Hurricane
Electric, based in Fremont, Calif.
In both cases, the services were used as a kind of switching station to
redirect traffic that appeared to be headed toward legitimate domains,
such as adobe.com, update.adobe.com, and outlook.com.
"It was a novel technique to hide their traffic," Ned Moran, senior
threat intelligence researcher for FireEye, said Thursday.
The attackers' tactics were clever enough to trick a network
administrator into believing the traffic was headed to a legitimate
site, Moran said.
The malware disguised its traffic by including forged HTTP headers of
legitimate domains. FireEye identified 21 legitimate domain names used
by the attackers.
In addition, the attackers signed the Kaba malware with a legitimate
certificate from a group listed as the "Police Mutual Aid Association"
and with an expired certificate from an organization called "MOCOMSYS
INC."
In the case of Google Developers, the attackers used the service to host
code that decoded the malware traffic to determine the IP address of the
real destination and edirect the traffic to that location.
Google Developers, formerly called Google Code, is the search engine's
website for software development tools, APIs, and documentation on
working with Google developer products. Developers can also use the site
to share code.
With Hurricane Electric, the attacker took advantage of the fact that
its domain name servers were configured, so anyone could register for a
free account with the company's hosted DNS service.
The service allowed anyone to register a DNS zone, which is a distinct,
contiguous portion of the domain name space in the DNS. The registrant
could then create A records for the zone and point them to any IP
address.
In addition, Hurricane did not check whether newly created zones were
already registered or owned by other parties, FireEye said.
Google and Hurricane were notified of the malicious use of their
services, Moran said. Both companies had removed the attack mechanisms.
"We appreciate FireEye discovering and documenting this unusual attack,
so that we could immediately fix our service to eliminate the
possibility of this type of abuse in the future," Mike Leber, a
spokesman for Hurricane said in an email sent to CSOonline.
Moran believed the services were victims of hacker creativity versus a
flaw.
"These are services offered online that can be used for good or ill," he
said. "A gun can be used to protect and a gun can be used to hurt."
http://www.infoworld.com/d/security/how-hackers-used-google-steal-corporate-dat
a-247941?source=rss_infoworld_top_stories_
-----------------
See also:
Rise seen in use of Google service for mobile botnets
http://www.csoonline.com/article/2134158/mobile-security/rise-seen-in-use-of-go
ogle-service-for-mobile-botnets.html
--- NewsGate v1.0 gamma 2
* Origin: News Gate @ Net396 -Huntsville, AL - USA (1:396/4)
|