Researchers at Malwarebytes have discovered the first Mac malware of 2017, dubbed Quimitchin, that was used against biomedical research institutions.

Security experts have spotted the first Mac malware of 2017, dubbed Quimitchin; it is not particularly sophisticated and includes some antiquated code.

According to the researchers from Malwarebytes, the code has been in the wild for several years and was used in targeted attacks against biomedical research institutions.

The Quimitchin spyware was discovered by an IT admin who noticed anomalous traffic from a certain Mac on his network.

The malicious code is composed of only two files:

  • A .plist file that simply keeps the .client running at all times.
  • A .client file containing the malicious payload, a minified and obfuscated Perl script.
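
The two-file layout above is a plain launchd persistence pairing: the job plist keeps the hidden `.client` alive. As an added example (not code from the page or from Malwarebytes), the following script parses launchd job plists and flags the traits that pairing exhibits; the plist contents, label and paths are constructed samples, not values taken from the malware.

```python
import plistlib

# Constructed sample (not from the page): a launchd job plist of the kind
# described above, whose only job is to keep a hidden ".client" running.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.client</string>
  <key>ProgramArguments</key>
  <array><string>/Users/victim/.client</string></array>
  <key>KeepAlive</key><true/>
  <key>RunAtLoad</key><true/>
</dict></plist>
"""

# Constructed benign sample: a scheduled updater, no KeepAlive, visible binary.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Library/Updater/updater</string><string>--check</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict></plist>
"""


def job_executable(job: dict) -> str:
    """Path launchd will execute: first ProgramArguments entry, else Program."""
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args:
        return str(args[0])
    return str(job.get("Program", ""))


def assess_launchd_job(raw: bytes) -> list[str]:
    """Return human-readable findings for one launchd plist (empty = clean)."""
    job = plistlib.loads(raw)
    exe = job_executable(job)
    name = exe.rsplit("/", 1)[-1]
    findings = []
    if name.startswith("."):
        findings.append(f"executable is a hidden dotfile: {exe}")
    keep_alive = job.get("KeepAlive")
    # KeepAlive may be a bare <true/> or a dict of conditions; both restart the job.
    if keep_alive is True or isinstance(keep_alive, dict):
        findings.append("KeepAlive set: launchd relaunches the process whenever it exits")
    if job.get("RunAtLoad") is True and name.startswith("."):
        findings.append("RunAtLoad plus hidden executable: starts at login with no user action")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_PLIST), ("benign", BENIGN_PLIST)):
        print(label, assess_launchd_job(raw) or ["no findings"])
```

Pointing the same function at the files under the LaunchAgents and LaunchDaemons directories turns it into a quick triage pass for this persistence pattern.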

The main features implemented by the payload are the screen captures and webcam access.

“The script also includes some code for taking screen captures via shell commands. Interestingly, it has code to do this both using the Mac “screencapture” command and the Linux “xwd” command. It also has code to get the system’s uptime, using the Mac “uptime” command or the Linux “cat /proc/uptime” command.” reads the analysis published by Malwarebytes.

The ability of the malware to exfiltrate data from anything it can access, and the nature of the targets, biomedical facilities, suggest that threat actors behind the attacks were conducting a cyber espionage campaign.

Quimitchin uses antiquated system calls, and analysis of its code revealed the use of the open source libjpeg code, which was last updated in 1998.

“These are some truly ancient functions, as far as the tech world is concerned, dating back to pre-OS X days. In addition, the binary also includes the open source libjpeg code, which was last updated in 1998.” continues the analysis.

“The Java class appears to be capable of receiving commands to do various tasks, which include yet another method of capturing the screen, getting the screen size and mouse cursor position, changing the mouse position, simulating mouse clicks, and simulating key presses. This component appears to be intended to provide a kind of rudimentary remote control functionality.”

Experts from Malwarebytes suspect that a specific Linux variant is also in the wild, because they found Linux shell commands in the code of the scripts.

The security firm also found two Windows executable files that communicated with the same C&C server; in one case the Windows code used the same libjpeg library.

Although Quimitchin is not complex, it has continued to work while avoiding detection, much like the EyePyramid code.

Why wasn’t code like Quimitchin detected for so long?

Experts believe it was used in a limited number of targeted attacks, so it was not spotted before.

Pierluigi Paganini

(Security Affairs – Quimitchin spyware, cyber espionage)

The post Quimitchin, a Mac backdoor that includes antiquated code appeared first on Security Affairs.

Source: securityaffairs

Georgia’s secretary of state, Brian Kemp, revealed that voter registration database was targeted by hackers with IP address linked to the DHS.

While President Barack Obama has ordered US intelligence agencies to investigate more deeply the alleged Russian interference with the 2016 Presidential Election, Georgia announced it has traced an attempted breach of the state’s voter registration database to the DHS.

Georgia’s secretary of state, Brian Kemp, revealed that the voter registration database was targeted by hackers with an IP address linked to the DHS.

The news is as disconcerting as it is curious. Why are IP addresses belonging to the DHS involved in this cyber attack?

The first hypothesis sees a group of hacked systems at DHS that were used by a threat actor to access the voter registration database. This would mean that hackers breached US Government systems and are using them to move laterally and steal sensitive information.

In November 2014 the State Department took the unprecedented step of shutting down its entire unclassified email system in response to a suspected cyber attack.

‘Activity of concern’ was detected in the system concurrently with another cyber attack that hit the White House computer network. A State Department staffer answering a call to the State Department Operations Center confirmed that, as a precautionary measure, the e-mail system remained down.

In the same period other US agencies were targeted by hackers, including the U.S. Postal Service and the National Weather Service. The U.S. Military confirmed that its systems were secure, and according to official sources none of the State Department’s classified systems were affected.

These are just a few examples of attacks that hit the US Government.

A second hypothesis sees someone in US intelligence conducting a covert operation, for example to build a “false flag” for an alleged Russian attack, but frankly this scenario is implausible. Another possibility is that agents at the DHS were conducting penetration testing without authorization, with the intent to measure the resilience of the firewall to a cyber attack.

According to Georgia Secretary of State Brian Kemp, hackers were blocked by the firewall that protects Georgia’s voter registration database.

“Recently, I was made aware of a failed attempt to breach the firewall that protects Georgia’s voter registration database by an IP address associated with the Department of Homeland Security. On Thursday morning, I sent a letter to DHS Secretary Jeh Johnson demanding to know why.” Georgia’s secretary of state, Brian Kemp, wrote on his Facebook page.

The Wall Street Journal, which viewed a copy of the letter sent by Mr Kemp, revealed that the attempted attack occurred on November 15, just after the presidential election.

“We are looking into the matter. DHS takes the trust of our public and private sector partners seriously, and we will respond to Secretary Kemp directly,” the DHS said in a statement.

“At no time has my office agreed to or permitted DHS to conduct penetration testing or security scans of our network,” Kemp wrote in his letter. “Moreover, your department has not contacted my office since this unsuccessful incident to alert us of any security event that would require testing or scanning of our network.”

In response to the attacks, the DHS offered a series of services to assess the security of voting systems, including cyber hygiene scans specifically designed to find flaws in the systems used during the election.

Kemp, however, seems to have refused the DHS support.

“But Georgia’s top election official is balking at the offers of assistance — and accusing the Obama administration of using exaggerated warnings of cyberthreats to intrude on states’ authority.” states a post published by Politico. “Georgia Secretary of State Brian Kemp’s objections add to a bumpy start for the Department of Homeland Security’s attempt to shore up safeguards for the election, during a summer when cyberattacks on the Democratic National Committee have called attention to weaknesses across the electoral system.”

Pierluigi Paganini

(Security Affairs – US State Department, US Government)

The post Georgia traced an attempted breach of voter registration database to DHS appeared first on Security Affairs.

Source: securityaffairs

German-based ThyssenKrupp, one of the world’s largest steel producers, has announced that it has been the target of a cyber attack. The company said that the attack was a professional endeavour and has been traced back to the Southeast Asian region. The goal of the incursion was to steal technological know-how and research from some areas of the company’s Business Area Industrial Solutions. The attackers also breached the systems of Business Area Steel Europe, but … More
Source: helpnetsecurity

Hackers, allegedly from Asia, have targeted the German heavy industry giant ThyssenKrupp to steal company secrets.

Hackers from Southeast Asia targeted the German heavy industry giant ThyssenKrupp in an attempt to obtain “technological know-how and research results.”

The news was announced on Thursday by a company spokesman, who confirmed a report in the Wirtschaftswoche weekly and added that the company has successfully repelled the attack.

The cyber attack was discovered by the IT security office, which spotted the hacking activity while it was ongoing and blocked it.

“The attack is over and had been repelled,” said the company spokesman.

The investigators speculate that the attack was carried out by a group of professional hackers from Southeast Asia interested in the technological know-how and research activities of the company.

At the time I was writing there were no further details on the cyber attack, nor on the exact nature of the attackers (i.e. nation-state actors or cybercriminals).

The hackers launched a “massive cyber attack” against the divisions dealing with order planning for industrial plants: the conglomerate’s Industrial Solutions and Steel Europe business divisions.

Critical IT systems at ThyssenKrupp, such as the Marine Systems business unit and the blast furnaces and power plants in Duisburg, were not affected.

ThyssenKrupp Marine Systems would be a privileged target for hackers because it is the division that builds warships, including submarines for the German and Israeli navies.

The company excluded any sabotage or manipulation of data or applications, but it was unable to determine whether a limited portion of data, “data fragments,” had been stolen by the hackers.

“Experts say that in the complex IT landscapes of large companies, it is currently virtually impossible to provide viable protection against organized, highly professional hacking attacks,” the company added.

Stay tuned.

Pierluigi Paganini

(Security Affairs – ThyssenKrupp, hacking)

The post Hackers targeted the heavy industry ThyssenKrupp and stole industrial secrets appeared first on Security Affairs.

Source: securityaffairs

Overreliance on smartphones, both in our personal and professional lives, is a reality for many of us. These devices hold a lot of sensitive information – information that could be worth a lot to some people, especially if you are a high-positioned executive in a thriving business. Researchers from mobile security outfit Skycure have recently analyzed a malicious app they found on an Android 6.0.1 device owned by a VP at a global technology company. … More
Source: helpnetsecurity

A cyber espionage group that has been targeting organizations in Southeast Asia for years is misusing a legitimate conference invite as a phishing lure to trigger the download of backdoor malware. The APT in question is Lotus Blossom, and the security conference is Palo Alto Networks’ CyberSecurity Summit that is scheduled to take place in Jakarta, Indonesia, on November 3. About Lotus Blossom: Lotus Blossom is a group that has been operating at least since … More
Source: helpnetsecurity