Cyber attack eases, hacking group threatens to sell code

Hardware used for cybersecurity is displayed at the desk of Security Platform during the TechCrunch Disrupt event in Manhattan, in New York City, NY, U.S. May 15, 2017. REUTERS/Eduardo Munoz

By Dustin Volz

WASHINGTON (Reuters) – Governments turned their attention to a possible new wave of cyber threats on Tuesday after the group that leaked U.S. hacking tools used to launch the global WannaCry “ransomware” attack warned it would release more malicious code.

The fast-spreading cyber extortion campaign, which has infected more than 300,000 computers worldwide since Friday, eased for a second day on Tuesday, but the identity and motive of its creators remain unknown.

The attack includes elements that belong to the U.S. National Security Agency and were leaked online last month.

Shadow Brokers, the group that has taken credit for that leak, threatened on Tuesday to release more recent code to enable hackers to break into the world’s most widely used computers, software and phones.

A blog post written by the group promised from June to release tools every month to anyone willing to pay for access to some of the tech world’s biggest commercial secrets.

It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian or North Korean nuclear and missile programs. “More details in June,” it promised.

The spread of the WannaCry attack – which encrypts a user’s data and demands a “ransom” be paid electronically to free it up again – slowed to a trickle on Tuesday, with few, isolated examples being reported.

In Canada, the Universite de Montreal was hit, with 120 of the French-language university’s 8,300 computers affected, according to a university spokeswoman.

There were no new, major incidents in the United States. Fewer than 10 U.S. organizations have reported attacks to the Department of Homeland Security since Friday, a U.S. official told reporters on Tuesday.

The attack has caused most damage in Russia, Taiwan, Ukraine and India, according to Czech security firm Avast.

The United States likely avoided greater harm as the attack targeted older versions of Microsoft Corp’s <MSFT.O> Windows operating system, and more U.S. users have licensed, up-to-date, patched versions of the software, compared to other regions of the world.

The Department of Homeland Security began an “aggressive awareness campaign” to alert the tech industry to the importance of installing the patch that Microsoft issued in March that protected users from the vulnerability exploited by the attack, a U.S. official working on the attack told Reuters.

Microsoft said on Tuesday it was aware of Shadow Brokers’ most recent claim and that its security teams monitor potential threats in order to “help us prioritize and take appropriate action.”

Microsoft President and Chief Legal Officer Brad Smith said earlier this week the WannaCry attack used elements stolen from the NSA. The U.S. government has not commented directly on the matter.

NORTH KOREA LINK PROBED

Cyber security researchers around the world have said they have found evidence that could link North Korea with the WannaCry cyber attack.

A researcher from South Korea’s Hauri Labs said on Tuesday their own findings matched those of Symantec <SYMC.O> and Kaspersky Lab, who said on Monday that some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.

“It is similar to North Korea’s backdoor malicious codes,” said Simon Choi, a senior researcher with Hauri who has done extensive research into North Korea’s hacking capabilities and advises the South Korean police and National Intelligence Service.

Both Symantec and Kaspersky said it was too early to tell whether North Korea was involved in the attacks, based on the evidence that was published on Twitter by Google security researcher Neel Mehta.

FireEye Inc <FEYE.O>, another large cyber security firm, said it was also investigating, but it was cautious about drawing a link to North Korea.

“The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator,” FireEye researcher John Miller said.

U.S. and European security officials told Reuters on condition of anonymity that it was too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.

The Lazarus hackers, acting for impoverished North Korea, have been more brazen in their pursuit of financial gain than others, and have been blamed for the theft of $81 million from the Bangladesh central bank, according to some cyber security firms. The United States accused it of being behind a cyber attack on Sony Pictures in 2014.

North Korea has denied being behind the Sony and banking attacks. North Korean officials were not immediately available for comment and its state media has been quiet about the matter.

NO INFORMATION TO SHARE

In China, foreign ministry spokeswoman Hua Chunying said she had no information to share, when asked about the origin of the attack and whether North Korea might be connected.

Several Asian countries have been affected by the malware, although the impact has not been as widespread as some had feared.

In Malaysia, cyber security firm LE Global Services said it identified 12 cases so far, including a large government-linked corporation, a government-linked investment firm and an insurance company. It did not name any of the entities.

“We may not see the real picture yet, as companies are not mandated to disclose security breaches to authorities in Malaysia,” said LE Global CEO Fong Choong Fook.

“The real situation may be serious. In one of the cases, the attack was traced back to early April.”

Vietnam’s state media said on Tuesday more than 200 computers had been affected, but one of the country’s leading anti-virus companies, Bkav, later put the figure at 1,900.

Taiwan Power Co. <TAIWP.UL> said that nearly 800 of its computers were affected, although these were used for administration, not for systems involved in electricity generation.

(Additional reporting by Eric Auchard in Frankfurt, Julia Edwards Ainsley in Washington, Jim Finkle in Toronto, Allison Lampert in Montreal, Jess Macy Yu in Taipei, My Pham and Mai Nguyen in Hanoi, Ju-min Park in Seoul, Michael Martina in Beijing and Liz Lee in Kuala Lumpur; Writing by Jeremy Wagstaff in Singapore and Bill Rigby in New York; Editing by Sam Holmes)

British hospitals, Spanish firms among targets of huge cyberattack

An ambulance waits outside the emergency department at St Thomas' Hospital in central London, Britain May 12, 2017. REUTERS/Stefan Wermuth

By Costas Pitas and Carlos Ruano

LONDON/MADRID (Reuters) – A huge cyberattack brought disruption to Britain’s health system on Friday and infected many Spanish companies with malicious software, and security researchers said a dozen other countries may be affected.

Hospitals and doctors’ surgeries in parts of England were forced to turn away patients and cancel appointments. People in affected areas were being advised to seek medical care only in emergencies.

“We are experiencing a major IT disruption and there are delays at all of our hospitals,” said the Barts Health group, which manages major London hospitals. Routine appointments had been canceled and ambulances were being diverted to neighboring hospitals.

Telecommunications giant Telefonica was among the targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services.

Authorities in both countries said the attack was conducted using ‘ransomware’ – malicious software that infects machines, locks them up by encrypting data and demands a ransom to restore access. They identified the type of malware as ‘Wanna Cry’, also known as ‘Wanna Decryptor’.

A Telefonica spokesman said a window appeared on screens of infected computers that demanded payment with the digital currency bitcoin in order to regain access to files.

In Spain, the attacks did not disrupt the provision of services or the network operations of the victims, the government said in a statement. Still, the news prompted security teams at large financial services firms and businesses around the world to review their plans for defending against ransomware attacks, according to executives with private cyber security firms.

A spokeswoman for Portugal Telecom said: “We were the target of an attack, like what is happening in all of Europe, a large-scale attack, but none of our services were affected.”

British-based cyber researcher Chris Doman of AlienVault said the ransomware “looks to be targeting a wide range of countries”, with preliminary evidence of infections from 14 countries so far, also including Russia, Indonesia and Ukraine.

PM BRIEFED

A spokesman for British Prime Minister Theresa May said she was being kept informed of the incident, which came less than four weeks before a parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

Authorities in Britain have been braced for possible cyberattacks in the run-up to the vote, as happened during last year’s U.S. election and on the eve of this month’s presidential vote in France.

But those attacks – blamed on Russia, which has repeatedly denied them – followed an entirely different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

The full extent of Friday’s disruption in Britain remained unclear.

“This attack was not specifically targeted at the NHS and is affecting organizations from across a range of sectors,” NHS Digital, the computer arm of the health service, said in a statement.

Britain’s National Cyber Security Centre, part of the GCHQ spy agency, said it was aware of a cyber incident and was working with NHS Digital and the police to investigate.

A reporter from the Health Service Journal said the attack had affected X-ray imaging systems, pathology test results, phone systems and patient administration systems.

Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid-sized organizations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

“Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said.

“Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks,” Camacho said.

In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain’s National Cryptology Centre of “a massive ransomware attack.”

Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

It was not immediately clear how many Spanish organizations had been compromised by the attacks, if any critical services had been interrupted or whether victims had paid cyber criminals to regain access to their networks.

(Additional reporting by Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Kate Holton, Andy Bruce, Michael Holden and David Milliken; Editing by Mark Trevelyan and Ralph Boulton)

GE fixing bug in software after warning about power grid hacks

FILE PHOTO: The logo of a General Electric (GE) facility is seen behind tree branches in Medford, Massachusetts, U.S., April 20, 2017. REUTERS/Brian Snyder/File Photo

By Jim Finkle

(Reuters) – General Electric Co <GE.N> said on Wednesday it is fixing a bug in software used to control the flow of electricity in a utility’s power systems after researchers found that hackers could shut down parts of an electric grid.

The vulnerability could enable attackers to gain remote control of GE protection relays, enabling them to “disconnect sectors of the power grid at will,” according to an abstract posted late last week on the Black Hat security conference website.

Protection relays are circuit breakers that utilities program to open and halt power transmission when dangerous conditions surface.

Interest in grid security has intensified amid the increased use of cyber weapons by nation states, including two high-profile cyber attacks in Ukraine that authorities in Kiev have blamed on Russia.

Three New York University security experts are scheduled to discuss the issue at the Las Vegas Black Hat hacking conference in July. They could not be reached immediately for comment.

GE is not aware of any cases in which hackers exploited the bug to cause power outages, said GE spokeswoman Annette Busateri. The bug only involves older GE protection relays introduced in the 1990s “before current industry expectations for security,” she said.

“We have been in the process of issuing notifications and providing product upgrades to our affected customer base on available firmware updates to address this issue,” she said.

GE has issued patches for five of six models affected by the vulnerability and will soon release a patch for the sixth model, Busateri said.

Michael Assante, former chief security officer with the North American Electric Reliability Corp, which regulates the North American grid, said the product was still widely deployed because the industry runs systems for decades before upgrading to new technologies.

“This is certainly a significant issue,” he said.

Hackers caused power to go out in 2015 and 2016 attacks in Ukraine by using other techniques to force breakers to open, Assante said.

(Reporting by Jim Finkle in Toronto; Editing by Chizu Nomiyama and Jeffrey Benkoe)

Cyber extortion demands surge as victims keep paying: Symantec

A man walks past a display of hexadecimal code in a file photo. REUTERS/Nigel Treblin

By Alastair Sharp

TORONTO (Reuters) – Hackers are demanding increasingly hefty ransoms to free computers paralyzed with viruses, as cyber criminals seek to maximize profits from large numbers of victims willing to pay up, according to cyber security firm Symantec Corp.

The average demand embedded in such malicious software, which is known as ransomware, more than tripled last year to $1,077 from $294, and the pricing has continued to rise in 2017, according to Symantec.

“The bad guys haven’t found the top end of what people will pay,” Symantec Director of Security Response Kevin Haley said in a telephone interview.

Symantec said 69 percent of ransomware infections in 2016 hit consumer computers, with the remainder targeting businesses and other organizations.

More than a third of consumer ransomware victims around the globe pay cyber criminals to regain access to their data, according to Symantec. In the United States, where such attacks are most prevalent, 64 percent pay.

“If six out of ten people will pay your ransom when it’s three hundred bucks, you’re thinking ‘What if I raise it to four hundred? What if I raise to five hundred?'” Haley said.

The surge in cyber extortion has been fueled partly by the sale of ransomware kits, which sell for $10 to $1,800 on underground markets and make it easy for wannabe cyber crooks to get in the business, according to Symantec.

One kit, known as Shark, lets users name their demand, which its creators collect from victims and pass on to attackers, minus a 20 percent commission.

Ransomware attacks have increased sharply over the past year, with criminals targeting hospitals, police departments and other providers of critical services in the United States and Europe.

In some cases, the attacks have interrupted critical public services.

U.S. and European hospitals have been forced to divert patients to other facilities when ransomware paralyzed computer systems.

Local police have been forced to manually dispatch calls, and San Francisco’s public transit system was unable to collect fares for a weekend during the busy Christmas shopping season.

(Reporting by Alastair Sharp; Editing by Jim Finkle and Steve Orlofsky)

Hackers release files indicating NSA monitored global bank transfers

FILE PHOTO: Swift code bank logo is displayed on an iPhone 6s among Euro banknotes in this picture illustration January 26, 2016. REUTERS/Dado Ruvic/File Photo

By Clare Baldwin

(Reuters) – Hackers released documents and files on Friday that cybersecurity experts said indicated the U.S. National Security Agency had accessed the SWIFT interbank messaging system, allowing it to monitor money flows among some Middle Eastern and Latin American banks.

The release included computer code that could be adapted by criminals to break into SWIFT servers and monitor messaging activity, said Shane Shook, a cyber security consultant who has helped banks investigate breaches of their SWIFT systems.

The documents and files were released by a group calling themselves The Shadow Brokers. Some of the records bear NSA seals, but Reuters could not confirm their authenticity.

The NSA could not immediately be reached for comment.

Also published were many programs for attacking various versions of the Windows operating system, at least some of which still work, researchers said.

In a statement to Reuters, Microsoft <MSFT.O>, maker of Windows, said it had not been warned by any part of the U.S. government that such files existed or had been stolen.

“Other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers,” the company said.

The absence of warning is significant because the NSA knew for months about the Shadow Brokers breach, officials previously told Reuters. Under a White House process established by former President Barack Obama’s staff, companies were usually warned about dangerous flaws.

Shook said criminal hackers could use the information released on Friday to hack into banks and steal money in operations mimicking a heist last year of $81 million from the Bangladesh central bank.

“The release of these capabilities could enable fraud like we saw at Bangladesh Bank,” Shook said.

The SWIFT messaging system is used by banks to transfer trillions of dollars each day. Belgium-based SWIFT downplayed the risk of attacks employing the code released by hackers on Friday.

SWIFT said it regularly releases security updates and instructs client banks on how to handle known threats.

“We mandate that all customers apply the security updates within specified times,” SWIFT said in a statement.

SWIFT said it had no evidence that the main SWIFT network had ever been accessed without authorization.

It was possible that the local messaging systems of some SWIFT client banks had been breached, SWIFT said in a statement, which did not specifically mention the NSA.

When cyberthieves robbed the Bangladesh Bank last year, they compromised that bank’s local SWIFT network to order money transfers from its account at the New York Federal Reserve.

The documents released by the Shadow Brokers on Friday indicate that the NSA may have accessed the SWIFT network through service bureaus. SWIFT service bureaus are companies that provide an access point to the SWIFT system for the network’s smaller clients and may send or receive messages regarding money transfers on their behalf.

“If you hack the service bureau, it means that you also have access to all of their clients, all of the banks,” said Matt Suiche, founder of the United Arab Emirates-based cybersecurity firm Comae Technologies, who has studied the Shadow Broker releases and believes the group has access to NSA files.

The documents posted by the Shadow Brokers include Excel files listing computers on a service bureau network, user names, passwords and other data, Suiche said.

“That’s information you can only get if you compromise the system,” he said.

ATTEMPT TO MONITOR FLOW OF MONEY

Cris Thomas, a prominent security researcher with the cybersecurity firm Tenable, said the documents and files released by the Shadow Brokers show “the NSA has been able to compromise SWIFT banking systems, presumably as a way to monitor, if not disrupt, financial transactions to terrorists groups”.

Since the early 1990s, interrupting the flow of money from Saudi Arabia, the United Arab Emirates and elsewhere to al Qaeda, the Taliban, and other militant Islamic groups in Afghanistan, Pakistan and other countries has been a major objective of U.S. and allied intelligence agencies.

Mustafa Al-Bassam, a computer science researcher at University College London, said on Twitter that the Shadow Brokers documents show that the “NSA hacked a bunch of banks, oil and investment companies in Palestine, UAE, Kuwait, Qatar, Yemen, more.”

He added that NSA “completely hacked” EastNets, one of two SWIFT service bureaus named in the documents that were released by the Shadow Brokers.

Reuters could not independently confirm that EastNets had been hacked.

EastNets, based in Dubai, denied it had been hacked in a statement, calling the assertion “totally false and unfounded.”

EastNets ran a “complete check of its servers and found no hacker compromise or any vulnerabilities,” according to a statement from EastNets’ chief executive and founder, Hazem Mulhim.

In 2013, documents released by former NSA contractor Edward Snowden said the NSA had been able to monitor SWIFT messages.

The agency monitored the system to spot payments intended to finance crimes, according to the documents released by Snowden.

Reuters could not confirm whether the documents released Friday by the Shadow Brokers, if authentic, were related to NSA monitoring of SWIFT transfers since 2013.

Some of the documents released by the Shadow Brokers were dated 2013, but others were not dated.

The documents released by the hackers did not clearly indicate whether the NSA had actually used all the techniques cited for monitoring SWIFT messages.

(Additional reporting by Tom Bergin in London; Dustin Volz and John Walcott in Washington; Joseph Menn in San Francisco; and Jim Finkle in Buffalo, New York; Editing by Brian Thevenot and Cynthia Osterman)

U.S. authorities charge Russian spies, hackers in huge Yahoo hack

The John Sopinka Courthouse, where Karim Baratov appeared in front of a judge, in connection with a U.S. Justice Department investigation into the 2014 hacking of Yahoo, is pictured in Hamilton, Ontario, Canada March 15, 2017. REUTERS/Peter Power

By Dustin Volz

WASHINGTON (Reuters) – The United States on Wednesday charged two Russian intelligence agents and two hackers with masterminding the 2014 theft of 500 million Yahoo accounts, the first time the U.S. government has criminally charged Russian spies for cyber offences.

The charges came amid a swirl of controversies relating to alleged Kremlin-backed hacking of the 2016 U.S. presidential election and possible links between Russian figures and associates of U.S. President Donald Trump. This has given rise to uncertainty about whether Trump is willing to respond forcefully to any action by Moscow in cyberspace and elsewhere.

The 47-count Justice Department indictment included charges of conspiracy, computer fraud and abuse, economic espionage, theft of trade secrets, wire fraud, access device fraud and aggravated identity theft. It painted a picture of the Russian security services working hand-in-hand with cyber criminals, who helped spies further their intelligence goals in exchange for using the same exploits to make money.

“The criminal conduct at issue, carried out and otherwise facilitated by officers from an FSB unit that serves as the FBI’s point of contact in Moscow on cyber crime matters, is beyond the pale,” Acting Assistant Attorney General Mary McCord said at a press conference announcing the charges.

Russia’s Federal Security Service (FSB) is the successor to the KGB.

The Kremlin, which denies Russia tried to influence the U.S. election in any way, said on Thursday Moscow had received no official notification of the indictment, but hoped it would.

However, Dmitry Peskov, President Vladimir Putin’s spokesman, dismissed out of hand the idea that FSB employees could have been involved in the Yahoo hack.

“We have said repeatedly that there can be no discussion of any official involvement of any Russian agency, including the FSB ... in any unlawful cyber activities,” said Peskov, who has cast U.S. allegations against Russia as part of a political campaign to kill off a U.S.-Russia rapprochement.

Yahoo said when it announced the then-unprecedented breach last September that it believed the attack was state-sponsored, and on Wednesday the company said the indictment “unequivocally shows” that to be the case.

The charges announced Wednesday are not related to the hacking of Democratic Party emails during the 2016 U.S. presidential election. U.S. intelligence agencies have said they were carried out by Russian spy services, including the FSB, to help the campaign of Republican candidate Donald Trump.

The indictment named the FSB officers involved as Dmitry Dokuchaev and his superior, Igor Sushchin, who are both in Russia.

Dokuchaev was arrested for treason in December, according to the Russian news agency Interfax.

Reuters sent a request for comment to the FSB in Moscow on Wednesday evening but there was no response.

The alleged criminals involved in the scheme include Alexsey Belan, who is among the FBI’s most-wanted cyber criminals and was arrested in Europe in June 2013 but escaped to Russia before he could be extradited to the United States, according to the Justice Department.

Karim Baratov, who was born in Kazakhstan but has Canadian citizenship, was also named in the indictment.

The Justice Department said Baratov was arrested in Canada on Tuesday. Mark Pugash of Toronto police later confirmed the Tuesday arrest.

McCord said the hacking campaign was waged by the FSB to collect intelligence but that the two hackers used the collected information as an opportunity to “line their pockets.”

The United States does not have an extradition treaty with Russia, but McCord said she was hopeful Russian authorities would cooperate in bringing criminals to justice. The United States often charges cyber criminals with the intent of deterring future state-sponsored activity.

The administration of former President Barack Obama brought similar charges against Chinese and Iranian hackers who have not been extradited.

In a statement, White House spokesman Michael Anton said the charges “are part of a broad effort across the government to defend the United States against cyber attacks and cyber-related crimes.”

‘RED NOTICE’

Yahoo in December announced another breach that occurred in 2013 affecting one billion accounts. Special Agent Jack Bennett of the FBI’s San Francisco Division said the 2013 breach is unrelated and that an investigation of that incident is ongoing.

The hacks forced Yahoo to accept a discount of $350 million in what had been a $4.83 billion deal to sell its main assets to Verizon Communications Inc <VZ.N>.

At least 30 million of the Yahoo accounts in the 2014 breach were the most seriously affected, with Belan able to burrow deep into their accounts and take user contact lists that were later used for a financially motivated spam campaign, according to the indictment. Belan also stole financial information such as credit card numbers and gift cards, it said.

Yahoo had previously said about 32 million accounts had fallen victim to the deeper attack, which it said leveraged forged browser cookies to access accounts without the need for a password.

According to the indictment, FSB officers Sushchin and Dokuchaev also directed Baratov to use the information gained in the Yahoo breach to hack specific targets who possessed email accounts with other service providers, including Google.

When Baratov was successful, Dokuchaev would reward him with a bounty, the indictment charged.

Examples where Google accounts were targeted include an assistant to the deputy chairman of the Russian Federation, an officer of the Russian Ministry of Internal Affairs, and a physical training expert employed by the Russian government.

Details in the indictment reflect the often murky relationship in Russia between criminal hackers and government intelligence officers.

Interpol issued a “red notice” on Belan in relation to an earlier hacking campaign, according to the indictment. Instead of arresting Belan, however, the FSB recruited him to help with cyber espionage and provided tools to evade detection from other authorities.

Belan later gained unauthorized access to Yahoo’s network that he shared with FSB, the indictment said.

(Reporting by Dustin Volz in Washington and Joseph Menn in San Francisco; Additional reporting by Julia Edwards in Washington and Alexander Winning and Dasha Afanasieva in Moscow; Editing by Jeffrey Benkoe and James Dalgleish)

Global private companies confident, but unprepared for hacking threat: PwC

LONDON (Reuters) – The chief executives of some of the world’s leading private companies are confident about their firms’ prospects and plan to recruit more staff, but are ill-prepared for cyber attacks, according to a report by PwC on Thursday.

The “Undaunted, but underprepared?” report found 86 percent of CEOs were confident about their companies’ revenue prospects in 2017, an increase of 5 percent from last year.

That made it the first time in five years that private company bosses were more confident than public company CEOs.

The report, based on responses from 781 private company CEOs in 79 countries, also found that 41 percent of private company CEOs were not concerned about cyber threats and only 68 percent were concerned about the speed of technological change.

Stephanie Hyde, Global Entrepreneurial and Private Business Leader for PwC UK, said it was worrying that private company CEOs were less concerned about technology and cyber threats than their public counterparts, as they had fewer resources available to invest in addressing these issues.

“This may make them more vulnerable to cyber attacks, so in theory they should be more concerned about these threats not less,” she said.

“In our view, this is probably the single most worrying finding in our report, especially in light of growing evidence that hackers are now targeting smaller and private businesses, thinking they will not be so well protected.”

(Reporting by Michael Holden)

SAP pushes to patch risky HANA security flaws before hackers strike

SAP logo at SAP headquarters in Walldorf, Germany, January 24, 2017. REUTERS/Ralph Orlowski

By Eric Auchard

FRANKFURT (Reuters) – Europe’s top software maker SAP said on Tuesday it had patched vulnerabilities in its latest HANA software that had a potentially high risk of giving hackers control over databases and business applications used to run big multinational firms.

While hacks on phones, websites and computers that consumers rely on every day grab headlines, vulnerabilities in big business software are more lucrative to attackers as these tools store data and run transactions which are the lifeblood of businesses.

The latest security weaknesses, known in industry parlance as “zero day” vulnerabilities, rank among the most critical ever found in HANA, the engine that runs SAP’s latest database, cloud and other more traditional business apps, according to Onapsis, the security company which uncovered these issues.

SAP software acts as the corporate plumbing for many multinationals and the company claims 87 percent of the top 2,000 global companies as customers.

Onapsis said the vulnerabilities lay in a HANA component known as “User Self Service” (USS) and would allow malicious insiders or remote attackers to fully compromise vulnerable systems without so much as a valid username and password, that is, before any authentication takes place.

It reported 10 HANA vulnerabilities to SAP less than 60 days ago, which the German software maker fixed in near-record time, according to interviews with executives of both companies.

The resulting patch issued by SAP on Tuesday was given a severity score of 9.8 out of 10 (CVSS), which SAP classes as “very high” in terms of relative risk to its customers. SAP is releasing five HANA patches this week to fix a range of vulnerabilities uncovered in recent months.

“SAP has done a great job by releasing fixes much faster than in past situations,” Onapsis Chief Executive Mariano Nunez told Reuters in an interview.

Customers must in turn choose when to apply such patches to software that runs their most critical corporate functions, a process that may take months or years, in rare cases. They must balance security risks against operational demands.

SAP executives urged security managers working for its customers to patch relevant systems.

“There has not been one case where a customer who applied the recommended patches has been affected,” Siddhartha Rao, vice president of SAP Product Security Response, said of the six years he has been on the job. “We currently expect there will not be that many customers affected by these issues,” he said.

Last May, however, the U.S. Department of Homeland Security issued an alert advising SAP customers they needed to urgently plug holes for which SAP already had offered patches in 2010, but which some customers failed to adopt, leaving dozens exposed to hacker break-ins afterward. (http://reut.rs/2mkTVgI)

Three dozen enterprises were found to have telltale signs of unauthorized access due to outdated or misconfigured SAP NetWeaver Java systems, Onapsis said at the time.

Onapsis helps secure more than 200 SAP customers ranging from Schlumberger to Sony Corp, Westinghouse and the U.S. Army. It also identifies security vulnerabilities for corporate customers in rival systems from Oracle.

Giving HANA customers breathing room, the USS component, first offered by SAP in October 2014, is not activated by default but must be explicitly enabled by an administrator, Onapsis said.

It has identified two companies – an energy company and a retailer – where vulnerabilities were found and fixed. Companies which are not using USS features are unaffected, Onapsis said.

Technical details can be found on the security blogs of SAP (https://goo.gl/11Dz5w) and Onapsis (https://goo.gl/Xiryyp). There is no evidence hackers have taken advantage so far, the companies said.

Last year, the company issued more than 160 patches in all, SAP said. Ten percent of these were HANA related, Onapsis added.

(Reporting by Eric Auchard; Editing by Stephen Coates)

CIA contractors likely source of latest WikiLeaks release: U.S. officials

The lobby of the CIA Headquarters Building in Langley, Virginia, U.S. on August 14, 2008. REUTERS/Larry Downing/File Photo

By John Walcott and Mark Hosenball

WASHINGTON (Reuters) – Contractors likely breached security and handed over documents describing the Central Intelligence Agency’s use of hacking tools to anti-secrecy group WikiLeaks, U.S. intelligence and law enforcement officials told Reuters on Wednesday.

Two officials speaking on condition of anonymity said intelligence agencies have been aware since the end of last year of the breach, which led to WikiLeaks releasing thousands of pages of information on its website on Tuesday.

According to the documents, CIA hackers could get into Apple Inc <AAPL.O> iPhones, devices running Google’s Android software and other gadgets in order to capture text and voice messages before they were encrypted by messaging software, that is, by compromising the device itself rather than by breaking the apps’ encryption.

The White House said on Wednesday that President Donald Trump was “extremely concerned” about the CIA security breach that led to the WikiLeaks release.

“Anybody who leaks classified information will be held to the highest degree of law,” spokesman Sean Spicer said.

The two officials told Reuters they believed the published documents about CIA hacking techniques used between 2013 and 2016 were authentic.

One of the officials with knowledge of the investigation said companies that are contractors for the CIA have been checking to see which of their employees had access to the material that WikiLeaks published, and then going over their computer logs, emails and other communications for any evidence of who might be responsible.

On Tuesday in a press release, WikiLeaks itself said the CIA had “lost control” of an archive of hacking methods and it appeared to have been circulated “among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.”

The CIA, which is the United States’ civilian foreign intelligence service, declined to comment on the authenticity of purported intelligence documents.

The agency said in a statement that its mission was to collect foreign intelligence abroad “to protect America from terrorists, hostile nation states and other adversaries” and to be “innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad.”

The CIA is legally prohibited from surveillance inside the United States and “does not do so”, the statement added.

CONTRACTORS MUST BE ‘LOYAL TO AMERICA’

A U.S. government source familiar with the matter said it would be normal for the Federal Bureau of Investigation and the CIA both to open investigations into such leaks. U.S. officials previously have confirmed that prosecutors in Alexandria, Virginia for years have been conducting a federal grand jury investigation of WikiLeaks and its personnel.

A spokesman for the prosecutors declined to comment on the possibility of that probe being expanded. It is not clear if the investigation of the latest CIA leaks is part of the probe.

Contractors have been revealed as the source of sensitive government information leaks in recent years, most notably Edward Snowden and Harold Thomas Martin, both employed by consulting firm Booz Allen Hamilton <BAH.N> while working for the National Security Agency.

U.S. Senator Dianne Feinstein of California, a Democrat on the intelligence committee, said the government needed to stop the breaches.

“I think we really need to take a look at the contractor portion of the employee workforce, because you have to be loyal to America to work for an intelligence agency, otherwise don’t do it,” Feinstein said.

Both U.S. Senate and U.S. House of Representatives intelligence committees have either opened or are expected to open inquiries into the CIA breach, congressional officials said.

Some cyber security experts and technology companies have criticized the government for opting to exploit rather than disclose software vulnerabilities, though an interagency review process set up under former President Barack Obama (the Vulnerabilities Equities Process) was intended to err on the side of disclosure.

Those concerns would grow if U.S. authorities did not notify companies that CIA documents describing various hacking techniques had been compromised.

Apple, Alphabet Inc’s <GOOGL.O> Google, Cisco Systems Inc <CSCO.O> and Oracle Corp <ORCL.N> did not immediately respond when asked if they were notified of a CIA breach before WikiLeaks made its files public.

At Apple, none of the vulnerabilities described in the documents provoked a panic, though analysis was continuing, according to a person who spoke with engineers there.

Google’s director of information security and privacy, Heather Adkins, said in a statement: “As we’ve reviewed the documents, we’re confident that security updates and protections in both Chrome and Android (operating systems) already shield users from many of these alleged vulnerabilities. Our analysis is ongoing and we will implement any further necessary protections.”

LARGER NUMBER OF CONTRACTORS

One reason the investigation is focused on a potential leak by contractors rather than, for example, a hack by Russian intelligence, another official said, is that so far there is no evidence that Russian intelligence agencies tried to exploit any of the leaked material before it was published.

One European official, speaking on condition of anonymity, said the WikiLeaks material could in fact lead to closer cooperation between European intelligence agencies and U.S. counterparts, which share concerns about Russian intelligence operations.

U.S. intelligence agencies have accused Russia of seeking to tilt last year’s U.S. presidential election in Trump’s favor, including by hacking into Democratic Party emails. Moscow has denied the allegation.

One major security problem was that the number of contractors with access to information with the highest secrecy classification has “exploded” because of federal budget constraints, the first U.S. official said.

U.S. intelligence agencies have been unable to hire additional permanent staff needed to keep pace with technological advances such as the “internet of things” that connects cars, home security and heating systems and other devices to computer networks, or to pay salaries competitive with the private sector, the official said.

Reuters could not immediately verify the contents of the published documents.

A person familiar with WikiLeaks’ activities said the group has had the CIA hacking material for months, and that the release of the material was in the works “for a long time.”

In Germany on Wednesday, the chief federal prosecutor’s office said that it would review the WikiLeaks documents because some suggested that the CIA ran a hacking hub from the U.S. consulate in Frankfurt.

“We will initiate an investigation if we see evidence of concrete criminal acts or specific perpetrators,” a spokesman for the federal prosecutor’s office told Reuters.

Chancellor Angela Merkel is scheduled to visit Washington on March 14 for her first meeting with Trump, who has sharply criticized Berlin for everything from its trade policy to what he considers inadequate levels of military spending.

(Reporting by John Walcott, Mark Hosenball, Dustin Volz, Yara Bayoumy in Washington and Matthias Sobolewski and Andrea Shalal in Berlin; Additional reporting by Joseph Menn in San Francisco; Writing by Grant McCool; Editing by Peter Graff and Bill Rigby)

Austrian parliament says Turkish Islamist hackers claim cyber attack

Austrian Parliament building

VIENNA (Reuters) – Austria’s parliament said on Tuesday that a Turkish Islamist hackers’ group had claimed responsibility for a cyber attack that brought down its website for 20 minutes this weekend.

Aslan Neferler Tim (ANT), or Lion Soldiers Team, whose website says it defends the homeland, Islam, the nation and flag, without any party political links, claimed the attack, a parliamentary spokeswoman said.

Relations between Turkey and Austria soured last year after President Tayyip Erdogan cracked down on dissent following a failed coup, and Vienna has since made a solo charge within the European Union for accession talks to be dropped.

On its Facebook page on Sunday afternoon, above a screenshot indicating the website was not loading, ANT said in Turkish: “Our reaction will be harsh in response to this racism of Austria against Muslims!!! (Parliament down).”

ANT says it has carried out “operations” against the pro-Kurdish Peoples’ Democratic Party (HDP), the Austrian central bank and an Austrian airport.

An Interior Ministry spokesman said on Tuesday that an investigation had begun into the cyber attack and, declining to elaborate further, noted that no data had been lost.

A parliamentary spokeswoman said: “ANT has claimed responsibility.” When asked if ANT was responsible, she said: “We assume so.”

The website was brought down after the server was flooded with service requests, a so-called DDoS (distributed denial of service) attack, similar to an attack last November that targeted the Foreign Affairs and Defense Ministries’ websites, a statement from parliament said.

DDoS attacks are among the most common cyber threats. One such attack targeted the European Commission’s computers in November.
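The two detectors below are an added example, not part of the Reuters report and not taken from the Austrian parliament's systems. They show what “flooded with service requests” looks like in a web server's access log and why the “distributed” part of the name matters: a per-source request-rate limit catches one noisy client, while a flood spread across hundreds of sources stays under every per-IP threshold and only shows up in the aggregate request rate. The log lines, the IP addresses (taken from the documentation ranges), the timestamps and the thresholds are all constructed for the example.

```python
"""Flood detection over web-server access logs (constructed example).

Two detectors run over sample Common Log Format lines:
  * a per-source-IP request-rate threshold per time window, and
  * an aggregate request-rate threshold per time window, which is what
    catches a distributed flood whose sources each stay under the per-IP limit.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format; only the client IP and the timestamp are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed base time for the sample log; not the date of the real incident.
BASE = datetime(2017, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_line(line):
    """Return (ip, unix_timestamp) for a CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT).timestamp()
    return m.group("ip"), ts


def bucket_requests(lines, window_s=10):
    """Map each window start (unix seconds) to a Counter of requests per source IP."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than crash mid-incident
        ip, ts = parsed
        buckets[int(ts // window_s) * window_s][ip] += 1
    return buckets


def detect_floods(lines, window_s=10, per_ip_limit=50, aggregate_limit=200):
    """Return alerts as tuples: (window_start, kind, detail, request_count).

    kind == "single-source": detail is the offending IP.
    kind == "aggregate":     detail is the number of distinct sources in the window.
    """
    alerts = []
    for window, counts in sorted(bucket_requests(lines, window_s).items()):
        for ip, n in counts.items():
            if n > per_ip_limit:
                alerts.append((window, "single-source", ip, n))
        total = sum(counts.values())
        if total > aggregate_limit:
            alerts.append((window, "aggregate", len(counts), total))
    return alerts


def make_line(ip, offset_s, path="/"):
    """Build one constructed CLF line offset_s seconds after BASE."""
    ts = (BASE + timedelta(seconds=offset_s)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def build_sample():
    """Constructed log: a quiet window, a single-source flood, then a distributed flood."""
    lines = []
    # Window 0 (0-9 s): five ordinary clients, three requests each.
    for i in range(5):
        for k in range(3):
            lines.append(make_line(f"192.0.2.{10 + i}", k * 3))
    # Window 1 (10-19 s): same ordinary clients plus one client sending 120 requests.
    for i in range(5):
        for k in range(3):
            lines.append(make_line(f"192.0.2.{10 + i}", 10 + k * 3))
    for k in range(120):
        lines.append(make_line("198.51.100.7", 10 + k % 10))
    # Window 2 (20-29 s): 250 distinct sources, one request each; no single IP stands out.
    for k in range(250):
        lines.append(make_line(f"203.0.113.{k}", 20 + k % 10))
    return lines


if __name__ == "__main__":
    for window, kind, detail, n in detect_floods(build_sample()):
        print(f"{window} {kind:14s} {detail!s:16s} {n} requests")
```

The single-source rule fires only on the second window, where one address sends 120 requests; the third window never trips it, because every one of its 250 sources sends a single request, and only the aggregate rule sees the flood. In practice the aggregate threshold has to be set from a baseline of normal traffic, and blocking a distributed flood at this layer is not enough on its own, since the traffic has already reached the server; the detection is what triggers upstream filtering.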

The Vienna-based Organization for Security and Cooperation in Europe (OSCE) was also recently the target of a cyber attack.

(Reporting by Shadia Nasralla, Francois Murphy in VIENNA and Daren Butler in ISTANBUL; Editing by Louise Ireland)