Apple users targeted in first known Mac ransomware campaign

BOSTON (Reuters) – Apple Inc customers were targeted by hackers over the weekend in the first campaign against Macintosh computers using a pernicious type of software known as ransomware, researchers with Palo Alto Networks Inc told Reuters on Sunday.

Ransomware, one of the fastest-growing types of cyber threats, encrypts data on infected machines, then typically asks users to pay ransoms in hard-to-trace digital currencies to get an electronic key so they can retrieve their data.

Security experts estimate that ransoms total hundreds of millions of dollars a year from such cyber criminals, who typically target users of Microsoft Corp’s Windows operating system.

Palo Alto Threat Intelligence Director Ryan Olson said the “KeRanger” malware, which appeared on Friday, was the first functioning ransomware attacking Apple’s Mac computers.

“This is the first one in the wild that is definitely functional, encrypts your files and seeks a ransom,” Olson said in a telephone interview.

Hackers infected Macs through a tainted copy of a popular program known as Transmission, which is used to transfer data through the BitTorrent peer-to-peer file sharing network, Palo Alto said on a blog posted on Sunday afternoon.

When users downloaded version 2.90 of Transmission, which was released on Friday, their Macs were infected with the ransomware, the blog said.

An Apple representative said the company had taken steps over the weekend to prevent further infections by revoking a digital certificate that enabled the rogue software to install on Macs. The representative declined to provide other details.

Transmission responded by removing the malicious version of its software from its website. On Sunday it released a version that its website said automatically removes the ransomware from infected Macs.

The website advised Transmission users to immediately install the new update, version 2.92, if they suspected they might be infected.

Palo Alto said on its blog that KeRanger is programmed to stay quiet for three days after infecting a computer, then connect to the attacker’s server and start encrypting files so they cannot be accessed.

After encryption is completed, KeRanger demands a ransom of 1 bitcoin, or about $400, the blog said.

Olson, the Palo Alto threat intelligence director, said that victims whose machines were compromised but not cleaned up could start losing access to data on Monday, three days after the malware was loaded onto Transmission’s site.

Representatives with Transmission could not be reached for comment.

(Editing by Jeffrey Benkoe and Sandra Maler)

Hackers could ‘Mousejack’ wireless mice, keyboards to access computers

A cyber security company says it has discovered a design flaw in scores of wireless keyboards and mice that hackers could exploit to access computers as if they were their own devices.

Bastille Networks announced the discovery in a news release last week, claiming a hacker armed with a $15 piece of hardware and a few lines of code could gain full control of a computer by exploiting a loophole in the way wireless keyboards and mice communicate with the dongles attached to the computer.

The company says the majority of mice and keyboards that use wireless dongles, as opposed to Bluetooth technology, are vulnerable. The dongles are plugged into USB ports on the computer, and clicks, mouse movements and keystrokes are transmitted to them through radio signals.

Bastille says hackers within 100 meters of a vulnerable dongle could “Mousejack” the computer by taking advantage of those radio connections, sending their own clicks, mouse movements and keystrokes to it as if they were sitting in front of it.

That could allow them to view sensitive data or insert malicious code, the company said.
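The flaw described above comes down to a receiver that acts on any radio frame it can parse, without checking that the frame came from the paired device. The following is an added example, not Bastille’s research code and not any vendor’s real protocol: a toy model in which a vulnerable dongle accepts an unauthenticated frame from an attacker, while a hardened dongle only acts on frames that carry a valid tag under the pairing key and a counter that moves forward. The frame layout, the pairing key, the truncated HMAC tag and the counter scheme are all assumptions made for the illustration.

```python
"""Added example: toy model of a Mousejack-class flaw.
Not Bastille's code nor any vendor's protocol; frame layout, key,
tag length and counter scheme are assumptions for illustration."""
import hashlib
import hmac
import struct

KEYSTROKE, MOUSE_MOVE = 0x01, 0x02
TAG_LEN = 8  # assumed: truncated HMAC-SHA256 tag appended to each frame


def pack_frame(kind, counter, payload, key=None):
    """Frame = kind(1) | counter(4) | payload | tag(8).
    A paired device holds `key` and appends a truncated HMAC over the body;
    an attacker without the key can only send an unauthenticated frame,
    modelled here as an all-zero tag."""
    body = struct.pack(">BI", kind, counter) + payload
    if key is None:
        tag = bytes(TAG_LEN)
    else:
        tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


class VulnerableDongle:
    """Acts on any well-formed frame from the air: the Mousejack condition."""

    def __init__(self):
        self.hid_reports = []

    def receive(self, frame):
        if len(frame) < 5 + TAG_LEN:
            return False
        kind, _counter = struct.unpack(">BI", frame[:5])
        self.hid_reports.append((kind, frame[5:-TAG_LEN]))  # tag never checked
        return True


class HardenedDongle:
    """Acts only on frames with a valid tag under the pairing key and a
    strictly increasing counter, so forged and replayed frames are dropped."""

    def __init__(self, key):
        self.key = key
        self.last_counter = -1
        self.hid_reports = []

    def receive(self, frame):
        if len(frame) < 5 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return False  # not from the paired device
        kind, counter = struct.unpack(">BI", body[:5])
        if counter <= self.last_counter:
            return False  # replayed or reordered frame
        self.last_counter = counter
        self.hid_reports.append((kind, body[5:]))
        return True


def run_scenario():
    """One legitimate keystroke, then an attacker's injected keystrokes,
    then a replay of the legitimate frame, against both dongle designs."""
    key = hashlib.sha256(b"pairing secret established at first use").digest()
    legit = pack_frame(KEYSTROKE, 1, b"h", key)
    injected = pack_frame(KEYSTROKE, 2, b"injected keystrokes")  # no key
    vuln, hard = VulnerableDongle(), HardenedDongle(key)
    return {
        "vuln_accepts_legit": vuln.receive(legit),
        "vuln_accepts_injected": vuln.receive(injected),
        "hard_accepts_legit": hard.receive(legit),
        "hard_rejects_injected": not hard.receive(injected),
        "hard_rejects_replay": not hard.receive(legit),
        "vuln_reports": len(vuln.hid_reports),
        "hard_reports": len(hard.hid_reports),
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The model deliberately leaves out pairing, key agreement and radio details; the point it isolates is that a firmware fix for this class of bug has to authenticate every frame that can produce a HID report, not just some of them, and has to reject replays.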

Bastille claims billions of devices are vulnerable, and that computers running Windows, Macintosh and Linux software are all at risk. But one manufacturer downplayed the risk of a breach.

“Bastille Security identified the vulnerability in a controlled, experimental environment,” Logitech said on its message board. “The vulnerability would be complex to replicate and would require physical proximity to the target. It is therefore a difficult and unlikely path of attack.”

“What’s particularly troublesome about this finding is that just about anyone can be a potential victim here, whether you’re an individual or a global enterprise,” Marc Newlin, the Bastille engineer responsible for discovering the security flaw, said in a statement.

Bastille supplied a list of vulnerable mice and keyboards on its website, and manufacturers like Logitech and Lenovo have already issued firmware patches they say address the security flaw.

But Bastille noted that patches might not be available for every dongle, and device owners will need to check with manufacturers to see if there is a fix available. In the interim, it recommends using a wired mouse or possibly replacing a vulnerable device with one known to be secure.

NSA chief says ‘when, not if’ foreign country hacks U.S. infrastructure

SAN FRANCISCO (Reuters) – The U.S. National Security Agency chief said on Tuesday it was a “matter of when, not if” a foreign nation-state attempts to launch a cyber attack on the U.S. critical infrastructure, citing the recent hack on Ukraine’s power grid as a cause for concern.

Speaking at the RSA cyber security conference in San Francisco, Admiral Michael Rogers said he was also worried about data manipulation and potential offensive cyber threats posed by non-nation-state actors such as Islamic State.

The U.S. government said last week a December blackout in Ukraine that affected 225,000 customers was the result of a cyber attack, supporting what most security researchers had already concluded.

Some private researchers have linked the incident to a Russian hacking group known as “Sandworm.”

(Reporting by Dustin Volz; Editing by Jeffrey Benkoe)

U.S. waging cyber war on Islamic State, commandos active

WASHINGTON (Reuters) – The United States is waging cyber attacks against Islamic State in Syria and Iraq, and its newly deployed commandos are also carrying out secret missions on the ground, Pentagon leaders said on Monday, in the latest signs of quietly expanding U.S. activity.

U.S. Defense Secretary Ash Carter said the cyber attacks, particularly in Syria, were designed to prevent Islamic State from commanding its forces, and Washington was looking to accelerate the cyber war against the Sunni militant group.

“The methods we’re using are new. Some of them will be surprising,” Carter told a Pentagon news conference.

General Joseph Dunford, chairman of the U.S. military’s Joint Chiefs of Staff, said the cyber attacks were helping lay the groundwork for an eventual offensive operation to recapture the city of Mosul in Iraq from Islamic State.

Carter and Dunford, the Pentagon’s top civilian and uniformed officials, both suggested the attacks were aimed at overloading the militants’ networks. They declined to delve into specifics.

“We don’t want the enemy to know when, where and how we’re conducting cyber operations. We don’t want them to have information that will allow them to adapt over time,” Dunford said.

Dunford suggested Islamic State might not know why its computer networks were proving unreliable.

“They’re going to experience some friction that’s associated with us and some friction that’s just associated with the normal course of events in dealing in the information age. And frankly, we don’t want them to know the difference.”

U.S. COMMANDOS

The United States disclosed in January that a new, roughly 200-strong U.S. contingent of special operations forces was “in place” in Iraq, poised to carry out raids against Islamic State and other secret missions, both in Iraq and in Syria.

Carter disclosed on Monday that the so-called “expeditionary targeting force,” or ETF, was already operating on the ground.

“The ETF is in position, it is having an effect and operating, and I expect it to be a very effective part of our acceleration campaign,” he said, without elaborating.

Its deployment represents increased U.S. military activity on the ground against Islamic State, exposing American forces to greater risk – something President Barack Obama has done only sparingly.

The force follows another deployment last year of up to 50 U.S. special operations troops in Syria to coordinate on the ground with U.S.-backed forces battling Islamic State.

The U.S. military disclosed last week that those U.S. forces helped opposition forces recapture the strategic Syrian town of al-Shadadi from Islamic State.

The Pentagon said recapturing the town helped sever links between Mosul in Iraq and Raqqa in Syria, the two major power centers in Islamic State’s self-declared caliphate.

More knowledge about the group’s operations is expected to be discovered, Carter said.

“As our partners take control of Shadadi, I believe we will learn a great deal more about ISIL’s criminal networks, its criminal enterprise and what it does to sustain them,” Carter said, using an acronym for the group.

(Reporting by Phil Stewart and David Alexander; Editing by Susan Heavey and Richard Chang)

Sony hackers linked to breaches in 4 other countries, report finds

SAN FRANCISCO (Reuters) – The perpetrators of the 2014 cyber attack on Sony Pictures Entertainment were not activists or disgruntled employees, and likely had attacked other targets in China, India, Japan and Taiwan, according to a coalition of security companies that jointly investigated the Sony case for more than a year.

The coalition, organized by security analytics company Novetta, concluded in a report released on Wednesday that the hackers were government-backed but it stopped short of endorsing the official U.S. view that North Korea was to blame.

The Obama administration has tied the attack on Sony Corp’s film studio to its release of “The Interview,” a comedy that depicted the fictional assassination of North Korean leader Kim Jong Un.

Novetta said the breach “was not the work of insiders or hacktivists.”

“This is very much supportive of the theory that this is nation-state,” Novetta Chief Executive Peter LaMontagne told Reuters. “This group was more active, going farther back, and had greater capabilities and reach than we thought.”

Novetta worked with the largest U.S. security software vendor Symantec Corp, top Russian security firm Kaspersky Lab and at least 10 other institutions on the investigation, a rare collaboration involving so many companies.

They determined that the unidentified hackers had been at work since at least 2009, five years before the Sony breach. The hackers were able to achieve many of their goals despite modest skills because of the inherent difficulty in establishing an inclusive cyber security defense, the Novetta group said.

LaMontagne said the report was the first to tie the Sony hack to breaches at South Korean facilities including a power plant. The FBI and others had previously said the Sony attackers reused code that had been used in destructive attacks on South Korean targets in 2013.

The Novetta group said the hackers were likely also responsible for denial-of-service attacks that disrupted U.S. and South Korean websites on July 24, 2009. The group said it found overlaps in code, tactics and infrastructure between the attacks.

Symantec researcher Val Saengphaibul said his company connected the hackers to attacks late last year, suggesting the exposure of the Sony breach and the threat of retaliation by the United States had not silenced the gang.

The coalition of security companies distributed technical indicators to help others determine if they had been targeted by the same hackers, which Novetta dubbed the Lazarus Group.

(Reporting by Joseph Menn; Editing by Tiffany Wu)

California hospital makes rare admission of hack, ransom payment

LOS ANGELES/BOSTON (Reuters) – While it was not the first hacked organization to acquiesce to attackers’ demands, the California hospital that paid $17,000 in ransom to hackers to regain control of its computer system was unusual in one notable way: It went public with the news.

Hollywood Presbyterian Medical Center relented to the demands, President Allen Stefanek said, because he believed it was the “quickest and most efficient way” to free the Los Angeles hospital’s network, which was paralyzed for about 10 days.

That announcement sparked fears on Thursday among hospitals and security experts that it would embolden hackers to launch more “ransomware” attacks, and prompted calls in California for tougher laws.

“It’s no different than if they took all the patients and held them in one room at gunpoint,” said California State Senator Robert Hertzberg, who on Thursday introduced legislation to make a ransomware attack equivalent to extortion and punishable by up to four years in prison.

Usually embarrassment and a desire to discourage hackers keep attacked companies quiet. Hollywood Presbyterian did not say why it made the disclosure, but its hand may have been forced by spreading rumors a week after the hack. Stefanek confirmed the cyber attack after at least one doctor appeared to have told local media.

In addition, he disputed media reports the 434-bed hospital had faced a ransom demand of $3.4 million, far more than the amount paid in the hard-to-trace cyber-currency bitcoin.

In a ransomware attack, hackers infect PCs with malicious software that encrypts valuable files so they are inaccessible, then offer to unlock the data only if the victim pays a ransom.
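The behaviour described here, and for KeRanger earlier on this page (a quiet period, then a burst of file encryption), is what a defender can watch for: one process rewriting many files across many directories in a short window, with the new content looking like ciphertext. The following is an added example, not code from any of the companies or hospitals named above: a small behavioural detector run over constructed file-write events. The event format, the thresholds and the sample events are all assumptions; a production deployment would feed it from kernel file-event telemetry rather than a hand-built list.

```python
"""Added example: behavioural detection of ransomware-style file activity.
Not code from any article, vendor or victim on this page; the event
format, thresholds and sample events are constructed for illustration."""
import hashlib
import math
import os
from collections import defaultdict

WINDOW_SECONDS = 60   # assumed: length of the burst we look for
MIN_FILES = 8         # assumed: distinct files rewritten inside the window
MIN_DIRS = 3          # assumed: spread across at least this many directories
MIN_ENTROPY = 6.5     # bits per byte; encrypted output sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def detect_ransomware_bursts(events):
    """events: iterable of (timestamp_seconds, pid, path, sample_bytes),
    one per file write. Returns {pid: reason} for processes whose writes
    look like bulk encryption: many files, many directories, high-entropy
    content, all inside one short window."""
    per_pid = defaultdict(list)
    for ts, pid, path, sample in events:
        per_pid[pid].append((ts, path, sample))
    alerts = {}
    for pid, writes in per_pid.items():
        writes.sort()
        start = 0
        for end in range(len(writes)):          # sliding window per process
            while writes[end][0] - writes[start][0] > WINDOW_SECONDS:
                start += 1
            window = writes[start:end + 1]
            files = {p for _, p, _ in window}
            dirs = {os.path.dirname(p) for p in files}
            if len(files) < MIN_FILES or len(dirs) < MIN_DIRS:
                continue
            mean_ent = sum(shannon_entropy(s) for _, _, s in window) / len(window)
            if mean_ent < MIN_ENTROPY:
                continue  # bulk writes of plaintext, e.g. a backup job
            exts = sorted({os.path.splitext(p)[1] for p in files})
            alerts[pid] = (f"{len(files)} files in {len(dirs)} dirs within "
                           f"{WINDOW_SECONDS}s, mean entropy {mean_ent:.2f}, "
                           f"extensions {exts}")
            break
    return alerts


def _pseudo_ciphertext(seed: str, size: int = 512) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:size]


def sample_events():
    """Constructed events: an editor saving a few notes, and a process
    sweeping record directories and rewriting files as .locked ciphertext."""
    events = []
    note = b"Patient note: vitals stable, continue current dosage.\n" * 10
    for i in range(3):
        events.append((100 + i * 20, 4242, f"/home/clinician/notes/n{i}.txt", note))
    dirs = ["/srv/records/neonatal", "/srv/records/radiology", "/srv/records/billing"]
    for i in range(12):
        path = f"{dirs[i % 3]}/record{i}.pdf.locked"
        events.append((200 + i * 2, 1337, path, _pseudo_ciphertext(path)))
    return events


if __name__ == "__main__":
    for pid, reason in detect_ransomware_bursts(sample_events()).items():
        print(f"ALERT pid={pid}: {reason}")
```

The entropy check is what separates this from a backup or indexing job, which also touches many files quickly but writes plaintext; the directory-spread check separates it from a single application rewriting its own cache. Both thresholds need tuning against a baseline of the host’s normal activity before they are used to block anything.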

The hack at Hollywood Presbyterian forced doctors to use pen and paper in an age of computerization. News reports said its fax lines were jammed because normal e-mail communication was unavailable, and some emergency patients had to be diverted to other hospitals.

Investigators said administrators were so alarmed that they may have paid ransom first and called police later.

Medical facilities in the area plan to consult cyber security experts on how to protect themselves, the Hospital Association of Southern California said. “Hospitals are certainly now aware of ransomware more than they ever were before, and this has become a very real threat,” said spokeswoman Jennifer Bayer.

Some experts said ransomware encryption can be so hard to crack that victims feel they have little choice but to pay if they want their systems back. The hackers’ success could also prompt other hospitals to make quick payments to avoid the disruption and bad publicity Hollywood Presbyterian faced.

“Our number one fear is that this now pretty much opens the door for other people to pay,” said Bob Shaker, a manager at cyber security firm Symantec Corp.

‘CAT AND MOUSE’

He knew of at least 20 other attacks on healthcare facilities in the past year and hundreds more in other industries that had been kept secret.

Some of those put patients at risk and affected infusion pumps that deliver chemotherapy drugs, risking patient overdoses, he said.

Because hackers hide their identities and demand payment in bitcoin, authorities may have to work harder to find them than if they used old-fashioned methods.

But cyber-crime experts say that they can still be traced.

“The public nature of the network does give law enforcement an angle to help defeat them,” said Jonathan Levin, co-founder of Chainalysis, a New York company working with bitcoin users. “But it’s a game of cat and mouse.”

Ransomware is big business for cyber criminals and security professionals. Although ransoms typically are smaller than the hospital paid, ranging from $200 to $10,000, victims of a ransomware known as CryptoWall reported losses of more than $18 million from April 2014 to June 2015, the FBI said.

Ransomware attacks climbed sharply in 2014, when Symantec observed some 8.8 million cases, more than double the previous year. IBM said that last year more than half of all customer calls reporting cyber attacks involved ransomware.

(Editing by Sharon Bernstein and Cynthia Osterman)

Cyber attack snarls Los Angeles hospital’s patient database

LOS ANGELES (Reuters) – The FBI is investigating a cyber attack that has crippled the electronic database at Hollywood Presbyterian Medical Center for days, forcing doctors at the Los Angeles hospital to rely on telephones and fax machines to relay patient information.

The origin of the computer network intrusion was unknown, but since it began late last week it has bogged down communications between physicians and medical staff who are newly dependent on paper records and doctors’ notoriously messy handwriting, doctors and a Federal Bureau of Investigation spokeswoman said on Tuesday.

“It’s right there on paper, but it may not be legible,” Dr. Rangasamy Ramanathan, a neonatal-perinatal specialist affiliated with the 434-bed facility, said. “The only problem is doctors’ writing.”

Although the cyber attack has snarled the hospital’s patient database, doctors have managed to relay necessary medical records the old-fashioned way through phone lines and fax machines, Ramanathan said.

The FBI is seeking to pinpoint hackers responsible for the intrusion, FBI spokeswoman Ari Dekofsky said. She declined to release further details.

Allen Stefanek, the hospital’s president and CEO, told Los Angeles television station KNBC-TV the hospital declared an internal emergency on Friday, after encountering significant information technology problems due to the hack.

A spokeswoman for the hospital could not be reached for comment.

(Reporting by Alex Dobuzinskis; Editing by Lisa Shumaker)

U.S. planned major cyber attack on Iran if diplomacy failed, NYT reports

WASHINGTON (Reuters) – The United States had a plan for an extensive cyber attack on Iran in case diplomatic attempts to curtail its nuclear program failed, The New York Times reported on Tuesday, citing a forthcoming documentary and military and intelligence officials.

Code-named Nitro Zeus, the plan was aimed at crippling Iran’s air defenses, communications systems and key parts of its electrical power grid, but was put on hold after a nuclear deal was reached last year, the Times said.

The plan developed by the Pentagon was intended to assure President Barack Obama that he had alternatives to war if Iran moved against the United States or its regional allies, and at one point involved thousands of U.S. military and intelligence personnel, the report said. It also called for spending tens of millions of dollars and putting electronic devices in Iran’s computer networks, the Times said.

U.S. intelligence agencies at the same time developed a separate plan for a covert cyberattack to disable Iran’s Fordo nuclear enrichment site inside a mountain near the city of Qom, the report said.

The existence of Nitro Zeus was revealed during reporting on a documentary film called “Zero Days” to be shown on Wednesday at the Berlin Film Festival, the Times said. The film describes rising tensions between Iran and the West in the years before the nuclear agreement, the discovery of the Stuxnet cyberattack on the Natanz uranium enrichment plant, and debates in the Pentagon over the use of such tactics, the paper reported.

The Times said it conducted separate interviews to confirm the outlines of the program, but that the White House, the Department of Defense and the Office of the Director of National Intelligence all declined to comment, saying that they do not discuss planning for military contingencies.

There was no immediate response to a request by Reuters for comment from the Pentagon.

(Reporting by Eric Walsh; Editing by Chris Reese)

Ukraine sees Russian hand in cyber attacks on power grid

KIEV (Reuters) – Hackers used a Russian-based internet provider and made phone calls from inside Russia as part of a coordinated cyber attack on Ukraine’s power grid in December, Ukraine’s energy ministry said on Friday.

The incident was widely seen as the first known power outage caused by a cyber attack, and has prompted fears both within Ukraine and outside that other critical infrastructure could be vulnerable.

The ministry, saying it had completed an investigation into the incident, did not accuse the Russian government directly of involvement in the attack, which knocked out electricity supplies to tens of thousands of customers in central and western Ukraine and prompted Kiev to review its cyber defenses.

But the findings chime with the testimony of the U.S. intelligence chief to Congress this week, which named cyber attacks, including those targeting Washington’s interests in Ukraine, as the biggest threat to U.S. national security.

Relations between Kiev and Moscow soured after Russia annexed the Crimean peninsula in March 2014 and pro-Russian separatist violence erupted in Ukraine.

Hackers targeted three power distribution companies in December’s attack, and then flooded those companies’ call centers with fake calls to prevent genuine customers reporting the outage.

“According to one of the power companies, the connection by the attackers to its IT network occurred from a subnetwork … belonging to an (internet service) provider in the Russian Federation,” the ministry said in a statement.

Deputy Energy Minister Oleksander Svetelyk told Reuters hackers had prepared the attacks at least six months in advance, adding that his ministry had ordered tighter security procedures.

“The attack on our systems took at least six months to prepare – we have found evidence that they started collecting information (about our systems) no less than 6 months before the attack,” Svetelyk said by phone.

Researchers at Trend Micro, one of the world’s biggest security software firms, said this week that the software used to infect the Ukrainian utilities has also been found in the networks of a large Ukrainian mining company and a rail company.

The researchers said one possible explanation was that it was an attempt to destabilize Ukraine as a whole. It was also possible these were test probes to determine vulnerabilities that could be exploited later, they said.

(Writing by Matthias Williams; additional reporting by Eric Auchard; Editing by Ruth Pitchford)

U.S. intelligence chief warns of cyber, ‘homegrown’ security threats

WASHINGTON (Reuters) – Attacks by “homegrown” Islamist extremists are among the most imminent security threats facing the United States in 2016, along with dangers posed overseas by Islamic State and cyber security concerns, the top U.S. intelligence official said on Tuesday.

In his annual assessment of threats to the United States, Director of National Intelligence James Clapper warned that fast-moving cyber and technological advances “could lead to widespread vulnerabilities in civilian infrastructures and U.S. government systems.”

In prepared testimony before the Senate Armed Services and Intelligence Committees, Clapper outlined an array of other threats from Russia and North Korean nuclear ambitions to instability caused by the Syrian migrant crisis.

“In my 50 plus years in the intelligence business I cannot recall a more diverse array of crises and challenges than we face today,” Clapper said.

Islamic State poses the biggest danger among militant groups because of the territory it controls in Iraq and Syria, and is determined to launch attacks on U.S. soil, Clapper said. It also has demonstrated “unprecedented online proficiencies,” he said.

While the United States “will almost certainly remain at least a rhetorically important enemy” for many foreign militant groups, “homegrown violent extremists … will probably continue to pose the most significant Sunni terrorist threat to the U.S. homeland in 2016,” he said, referring to Sunni Muslim jihadists.

“The perceived success” of attacks by such extremists in Europe and San Bernardino, California, “might motivate others to replicate opportunistic attacks with little or no warning,” Clapper said.

A married couple inspired by Islamist militants shot and killed 14 people in San Bernardino in December.

General Vincent Stewart, director of Defense Intelligence Agency, told the Senate Armed Services Committee that Islamic State aims to conduct more attacks in Europe during 2016 and has ambitions to attack inside the United States.

The group is taking advantage of the refugee flow from Syria’s civil war to hide militants among them and is adept at obtaining false documentation, Clapper said.

Al Qaeda affiliates, most notably the one in Yemen known as Al Qaeda in the Arabian Peninsula, have proven resilient and are positioned to make gains this year despite pressure from Western counterterrorism operations, Clapper said.

He cited threats from Russia’s increasingly assertive international policies, saying “We could be into another Cold War-like spiral.”

U.S. intelligence assesses that North Korea, which launched a satellite into orbit last weekend, is committed to developing a long-range nuclear armed missile that can reach the United States and has carried out some steps towards fielding a mobile intercontinental ballistic missile system, Clapper said.

He said North Korea has followed through on publicly stated plans to re-start a plutonium production reactor and could begin to assemble a plutonium stockpile within months.

CIA director John Brennan said one of North Korean leader Kim Jong Un’s objectives in conducting nuclear and missile tests is to advance efforts by North Korea to “market” such technology, presumably to other rogue regimes around the world.

(Writing by Doina Chiacu; Editing by Mohammad Zargham and Alistair Bell)