Blog

  • Oil Producer Saudi Aramco Reveals Cyber Attack Hit 30,000 Workstations

    posted by Keito
    2012-08-29 20:53:43
    'Saudi Aramco, the world's biggest oil producer, has resumed operating its main internal computer networks after a virus infected about 30,000 of its workstations in mid-August.

    Immediately after the Aug. 15 attack, the company announced it had cut off its electronic systems from outside access to prevent further attacks. Saudi Aramco said the virus "originated from external sources" and that its investigation into the matter was ongoing. There was no mention of whether this was related to this month's Shamoon attacks.

    “The disruption was suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network,” Saudi Aramco said over Facebook.

    “We would like to emphasize and assure our stakeholders, customers and partners that our core businesses of oil and gas exploration, production and distribution from the wellhead to the distribution network were unaffected and are functioning as reliably as ever,” Saudi Aramco’s chief executive, Khalid al-Falih, said in a statement.

    However, one of Saudi Aramco’s websites which was taken offline after the attack - www.aramco.com - remained down yesterday. E-mails sent by Reuters to people within the company continued to bounce back.

    Supposed hacktivists have claimed the hit on the oil giant, saying they would hit the company again tomorrow. The group said it was “fed up of crimes and atrocities taking place in various countries around the world”, in a post on Pastebin. They said they were targeting the House of Saud, the ruling royal family of Saudi Arabia, and targeted Aramco as it was “the largest financial source for Al-Saud regime”.

    The group, calling itself the ‘Cutting Sword of Justice’, claimed to have hacked Aramco systems in several countries before sending a virus across 30,000 computers achieving a 75 percent infection rate of all the company’s systems. It refuted suggestions that a nation state was behind the attack.

    Symantec, one of the world’s largest internet security companies, said on the day after the Saudi Aramco attack that it had discovered a new virus that was targeting at least one organisation in the global energy sector, although it did not name that organisation.

    “It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable,” Symantec said in a blog posting about the virus, which it called W32.Disttrack. “Threats with such destructive payloads are unusual and are not typical of targeted attacks.”

    Saudi Aramco’s al-Falih said in his statement yesterday: “Saudi Aramco is not the only company that became a target for such attempts, and this was not the first nor will it be the last illegal attempt to intrude into our systems, and we will ensure that we will further reinforce our systems with all available means to protect against a recurrence of this type of cyber attack.”'

    http://thehackernews.com/2012/08/saudi-aramco-oil-producers-30000.html
  • Disable Java NOW, users told, as 0-day exploit hits web

    posted by Keito
    2012-08-29 20:33:00
    'All operating systems, browsers vulnerable.

    A new browser-based exploit for a Java vulnerability that allows attackers to execute arbitrary code on client systems has been spotted in the wild – and because of Oracle's Java patch schedule, it may be some time before a fix becomes widely available.

    The vulnerability is present in the Java Runtime Environment (JRE) version 1.7 or later, Atif Mushtaq of security firm FireEye reported on Sunday, while PCs with Java versions 1.6 or earlier installed are not at risk.

    The vulnerability allows attackers to use a custom web page to force systems to download and run an arbitrary payload – for example, a keylogger or some other type of malware. The payload does not need to be a Java app itself.

    In the form in which it was discovered, the exploit only works on Windows machines, because the payload that it downloads is a Windows executable. But the hackers behind the Metasploit penetration testing software say they have studied the exploit and found that it could just as easily be used to attack machines running Linux or Mac OS X, given the appropriate payload.

    All browsers running on these systems were found to be vulnerable if they had the Java plugin installed, including Chrome, Firefox, Internet Explorer, Opera, and Safari.

    Although the actual source of the exploit is not known, it was originally discovered on a server with a domain name that resolved to an IP address located in China. The malware it installed on compromised systems attempted to connect to a command-and-control server believed to be located in Singapore.

    Oracle has yet to comment on the vulnerability or when users should expect a fix, but it might be a while. The database giant ordinarily observes a strict thrice-annual patch schedule for Java, and the next batch of fixes isn't due until October 16.

    Downgrading to an earlier version of Java is not advised, because even though earlier versions aren't vulnerable to this particular exploit, they may contain other bugs that expose still other vulnerabilities.

    In advance of any official patch, and because of the seriousness of the vulnerability, malware researchers at DeepEnd Research have developed an interim fix that they say seems to prevent the rogue Java code from executing its payload, although it has received little testing.

    Because the patch could be used to develop new exploits if it fell into the wrong hands, however, DeepEnd Research is only making it available by individual request to systems administrators who manage large numbers of clients for companies that rely on Java.

    For individual users, the researchers say, the best solution for now is to disable the Java browser plugin until Oracle issues an official patch.'

    http://www.theregister.co.uk/2012/08/27/disable_java_to_block_exploit/
  • It's time we started meeting oppression with resistance...

    posted by Keito
    2012-08-24 21:53:04
  • ‘Operation Free Assange’: Anonymous take down UK’s Justice Ministry’s website

    posted by Keito
    2012-08-21 12:16:09
    'The website for the UK Ministry of Justice is under attack after hacktivists engaged a mission to try and take down justice.gov.uk in retaliation for Britain’s handling of WikiLeaks founder Julian Assange.

    Several Twitter accounts associated with the loose-knit Anonymous collective have acknowledged that the UK Ministry of Justice’s website is being targeted with a distributed denial-of-service, or DDoS, attack. The assault on the website is being carried out under a campaign branded #OpFreeAssange.

    “#OpFreeAssange: TANGO DOWN! http://www.justice.gov.uk/ [500 Internal Server Error] [#Anonymous #WikiLeaks],” reads one tweet sent from the @Anon_Central Twitter account.

    The hackers also claim to have taken down the website of another British government department, the Department of Work and Pensions. “Gov. of UK Expect Us!” read a tweet by Anonymous.

    Assange, the founder and editor of whistleblower website WikiLeaks, has been ordered by Swedish authorities to be extradited from the UK where he had been under house arrest. Two women from Sweden have accused Assange of sex crimes, although he has yet to be charged.

    In fear of being sent to Sweden and then extradited to the US to be tried for his role with WikiLeaks, Assange applied for political asylum in Ecuador, which the Latin American country finally granted him last week after two months of waiting. Regardless, British authorities have refused to give Assange safe passage out of the Ecuadorian Embassy in London so that he may travel overseas.

    Before Ecuador President Rafael Correa approved the asylum bid, British authorities threatened to storm the embassy last week, prompting supporters of Assange and WikiLeaks to surround the building overnight in hopes of deterring any attempt by the UK to follow through with the extradition.

    “If the UK did not throw away the Vienna conventions the other night, it is because the world was watching. And the world was watching because you were watching,” Assange told his supporters during his Sunday afternoon speech from London.

    “So, the next time somebody tells you that it is pointless to defend those rights that we hold dear, remind them of your vigil in the dark before the Embassy of Ecuador.”

    In addition to lambasting the British for coming close to violating international law, Assange asked for US President Barack Obama to “do the right thing” and end his war on whistleblowing, saluting accused WikiLeaks contributor Private First Class Bradley Manning as a hero whose release from prison must be made immediately.'

    http://www.trueactivist.com/operation-free-assange-anonymous-take-down-uks-justice-ministrys-website/
  • Shamoon virus targets energy sector infrastructure

    posted by Keito
    2012-08-18 13:13:40
    'A new threat targeting infrastructure in the energy industry has been uncovered by security specialists.

    The attack, known as Shamoon, is said to have hit "at least one organisation" in the sector.

    Shamoon is capable of wiping files and rendering several computers on a network unusable.

    On Wednesday, Saudi Arabia's national oil company said an attack had led to its own network being taken offline.

    Although Saudi Aramco did not link the issue to the Shamoon threat, it did confirm that the company had suffered a "sudden disruption".

    In a statement, the company said it had now isolated its computer networks as a precautionary measure.

    The disruptions were "suspected to be the result of a virus that had infected personal workstations without affecting the primary components of the network", a statement read.

    It said the attack had had "no impact whatsoever" on production operations.

    'Rendered unusable'

    On Thursday, security firms released the first detailed information about Shamoon.

    Experts said the threat was known to have had hit "at least one organisation" in the energy sector.

    "It is a destructive malware that corrupts files on a compromised computer and overwrites the MBR (Master Boot Record) in an effort to render a computer unusable," wrote security firm Symantec.

    The attack was designed to penetrate a computer through the internet, before targeting other machines on the same network that were not directly connected to the internet.

    Once infected, the machines' data is wiped. A list of the wiped files then sent back to the initially infected computer, and in turn passed on to the attacker's command-and-control centre.

    During this process, the attack replaces the deleted files with JPEG images - obstructing any potential file recovery by the victim.

    'Under the radar'

    Seculert, an Israel-based security specialist, also analysed the malicious code and concluded that it had unusual characteristics compared with other recent attacks.

    "The interesting part of this malware is that instead of staying under the radar and collect information, the malware was designed to overwrite and wipe the files," the company said.

    "Why would someone wipe files in a targeted attack and make the machine unusable?"

    Shamoon is the latest in a line of attacks that have targeted infrastructure.

    One of the most high-profile attacks in recent times was Stuxnet, which was designed to hit nuclear infrastructure in Iran.

    Others, like Duqu, have sought to infiltrate networks in order to steal data.'

    http://www.bbc.co.uk/news/technology-19293797