Chinese APT Deploys NanHaiShu RAT Against International Adversaries

A threat group operating from China has been deploying the NanHaiShu RAT (Remote Access Trojan) against parties opposing China in the now-concluded South China Sea arbitration, in which a tribunal convened under the UN Convention on the Law of the Sea ruled in favor of the Philippines.

According to F-Secure, this threat group has used the NanHaiShu (South China Sea) RAT to infect the computers of individuals from the Department of Justice of the Philippines, the organizers of the Asia-Pacific Economic Cooperation (APEC) Summit and a major international law firm involved in the South China Sea arbitration process.

The group's choice of targets suggests a clear alignment with Chinese interests. F-Secure also says the group initially used servers hosted in the US for the RAT's C&C infrastructure, but when the US sent warships to the South China Sea it quickly moved operations to servers located in mainland China.

Group used macro malware to infect targets with the RAT

Malicious files attached to spear-phishing emails were used to infect targets. The attachments were XLS or DOC files carrying VBA macro scripts, which executed embedded JScript code that installed the RAT. The resulting process chain, an Office application spawning a Windows script host, is the most reliable thing to look for on an endpoint.
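Detection logic for that chain, as an added example that is not from F-Secure's report. It runs over process-creation records whose field names loosely follow Sysmon Event ID 1; the records, hostname, user and file names below are constructed for the example.

```javascript
// Added example, not from F-Secure's report: flag Office applications that
// spawn a Windows script host, the process chain a VBA macro produces when it
// runs embedded JScript. Records are constructed; field names loosely follow
// Sysmon Event ID 1, and hostname, user and file names are assumptions.
const OFFICE_PARENTS = new Set(['winword.exe', 'excel.exe', 'powerpnt.exe']);
const SCRIPT_HOSTS = new Set(['wscript.exe', 'cscript.exe', 'mshta.exe',
                              'powershell.exe', 'cmd.exe', 'rundll32.exe']);

function baseName(imagePath) {
  return imagePath.split(/[\\/]/).pop().toLowerCase();
}

// Return one hit per record in which an Office process spawns a script host.
// Each hit records why it matched; a script file sitting in a user-writable
// directory is the extra signal that separates a macro dropper from an admin
// running a script from a fixed location.
function findMacroLaunches(records) {
  const hits = [];
  for (const r of records) {
    const parent = baseName(r.ParentImage);
    const child = baseName(r.Image);
    if (!OFFICE_PARENTS.has(parent) || !SCRIPT_HOSTS.has(child)) continue;
    const cmd = r.CommandLine.toLowerCase();
    const reasons = [`${parent} -> ${child}`];
    if (/\.(js|jse|vbs|vbe|hta|ps1)\b/.test(cmd)) reasons.push('script file argument');
    if (/\\(appdata|temp|tmp|programdata|public)\\/.test(cmd)) reasons.push('user-writable path');
    hits.push({ time: r.UtcTime, host: r.Computer, command: r.CommandLine, reasons });
  }
  return hits;
}

// Constructed sample log: a benign print helper spawned by Word, a macro
// launching wscript.exe on a dropped .js file, and an unrelated shell.
const SAMPLE_RECORDS = [
  { UtcTime: '2015-01-12 08:41:03', Computer: 'WS-DOJ-17',
    ParentImage: 'C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE',
    Image: 'C:\\Windows\\splwow64.exe',
    CommandLine: 'C:\\Windows\\splwow64.exe 12288' },
  { UtcTime: '2015-01-12 08:42:10', Computer: 'WS-DOJ-17',
    ParentImage: 'C:\\Program Files\\Microsoft Office\\Office15\\EXCEL.EXE',
    Image: 'C:\\Windows\\System32\\wscript.exe',
    CommandLine: '"C:\\Windows\\System32\\wscript.exe" //E:jscript "C:\\Users\\ana\\AppData\\Local\\Temp\\upd.js"' },
  { UtcTime: '2015-01-12 09:00:00', Computer: 'WS-DOJ-17',
    ParentImage: 'C:\\Windows\\explorer.exe',
    Image: 'C:\\Windows\\System32\\cmd.exe',
    CommandLine: 'cmd.exe /c dir' },
];

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(findMacroLaunches(SAMPLE_RECORDS), null, 2));
}
```

The parent/child pair alone is noisy in environments where Office add-ins legitimately shell out, so the reasons array is there to let a triage rule require at least two signals before paging anyone.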

NanHaiShu's capabilities are the regular ones you'll find in a RAT: it collects data identifying the PC, sends it to a C&C server, and waits for commands from the operator, which range from downloading and uploading files to executing command-line instructions.

RAT used only during the South China Sea arbitration process

F-Secure first saw NanHaiShu activity in January 2015, a month after the Permanent Court of Arbitration announced the Philippines-China arbitration case in December 2014. The last attack was spotted in October 2015, just before the APEC summit took place in the Philippines.

The South China Sea dispute has been at the center of many cyber-security incidents recently. In the last three weeks alone, Chinese hackers have taken credit for attacks on Vietnamese airports and Philippine government institutions.

Below is a timeline of attacks with the NanHaiShu RAT. The infographic was extracted from F-Secure's report on NanHaiShu, also available online for free.

[Figure: Timeline of NanHaiShu infections]


Nigerian Scammers Evolve with the Times, Move on to BEC and RATs

The Nigerian cyber-crime scene, famous for its Nigerian Prince and 419 scam tactics, has evolved to using malware and is now actively targeting enterprises using BEC (Business Email Compromise) techniques, a SecureWorks investigation has revealed.

For many years, the Internet has been plagued by massive spam floods, in most instances carrying emails from Nigerian cyber-crime crews trying to defraud home users into sending them money by various means. Historically, these crews have called themselves "yahoo-yahoo boys," "yahoo boiz," or "G-boys."

As time passed and as the Internet population got more educated, their tactics became known and entered the Internet lore. As such, a change was needed.

Nigerian scammers shift focus to businesses

Riding the rising wave of BEC scams, Nigerian scam crews have shifted their focus towards businesses instead of home users. Using BEC (Business Email Compromise) and BES (Business Email Spoofing) tactics, these crews are targeting the email communications between companies, looking for orders and invoices.

The scammers compromise email servers or email accounts, search for ongoing business leads, and register look-alike domains in order to intervene as a middleman between those email exchanges.
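A check for the look-alike domains this paragraph describes, as an added example that is not from the SecureWorks report. It is meant to run over the From: and Reply-To: domains of inbound mail against a list of known partner domains; the partner list and the test domains are constructed for the example, and the public-suffix handling is deliberately simplified.

```javascript
// Added example, not from SecureWorks: flag sender domains that imitate a
// trusted partner's domain. Partner domains and inputs are constructed.
// Pairs that look alike in common fonts (the left form is what a scammer
// types, the right what the eye reads).
const CONFUSABLES = [['rn', 'm'], ['vv', 'w'], ['cl', 'd'], ['0', 'o'], ['1', 'l'], ['3', 'e'], ['5', 's']];

function normalizeLabel(label) {
  let s = label.toLowerCase();
  for (const [from, to] of CONFUSABLES) s = s.split(from).join(to);
  return s;
}

// Classic edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return prev[b.length];
}

// "mail.acme-corp.com" -> { label: "acme-corp", tld: "com" }. Assumption: a
// single-label public suffix; production code should consult the Public Suffix List.
function splitDomain(domain) {
  const parts = domain.toLowerCase().split('.');
  return { label: parts[parts.length - 2] || '', tld: parts[parts.length - 1] || '' };
}

// Returns null for a trusted or unrelated domain, otherwise a string saying
// which partner it resembles and how.
function lookalikeReason(domain, trustedDomains) {
  const lower = domain.toLowerCase();
  if (trustedDomains.some((t) => t.toLowerCase() === lower)) return null;
  const d = splitDomain(lower);
  for (const trusted of trustedDomains) {
    const t = splitDomain(trusted);
    if (d.label === t.label && d.tld !== t.tld) return `same name as ${trusted}, different TLD`;
    if (normalizeLabel(d.label) === normalizeLabel(t.label)) return `confusable spelling of ${trusted}`;
    if (t.label.length >= 6 && levenshtein(d.label, t.label) <= 2) return `within edit distance 2 of ${trusted}`;
    if (d.label.includes(t.label)) return `embeds the name of ${trusted}`;
  }
  return null;
}

// Constructed partner list and candidate senders.
const TRUSTED = ['acme-corp.com'];
const CANDIDATES = ['acme-corp.com', 'acrne-corp.com', 'acme-c0rp.com', 'acme-corp.co',
                    'acmecorp.com', 'acme-corp-invoices.com', 'globex.net'];

if (typeof require !== 'undefined' && require.main === module) {
  for (const c of CANDIDATES) console.log(c, '=>', lookalikeReason(c, TRUSTED));
}
```

The edit-distance rule is gated on label length because short names produce too many accidental near-misses; the embedding rule catches the "partner-name plus a word" registrations that BEC crews favor because they survive a casual glance at the address bar.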

Most of the time they clumsily edit emailed PDF invoices, swapping in their own bank account details for the correct ones. They also send spoofed emails claiming to come from one high-ranking executive or another inside a company, demanding an urgent payment. The first method seems to be the more lucrative of the two, since an altered invoice in an otherwise genuine thread is harder to spot.

WWG1 uses email bombs and RATs

SecureWorks says it discovered a group which they named "Wire-Wire Group 1" (WWG1) or Threat Group-2798 (TG-2798), actively targeting businesses.

This group uses commodity remote access trojans (RATs), which it emails en masse to victims in a tactic referred to as an "email bomb." The malware is used to infect targets, take control of their PCs, and gather intelligence on pending transactions. SecureWorks says the group is not particularly adept with malware but has one member who handles this side of the operation.

In fact, the group managed to infect one of their own computers, allowing SecureWorks experts that were investigating the RAT's server to discover details about their operations.

WWG1 has over 30 members

WWG1 consists of over 30 members, most of whom are in their late twenties to forties, operate from home, don't flaunt their wealth on social media, and are very active in their local churches.

This is opposite from the image of yahoo boyz everyone had in the past, of college teens that operate from cyber-cafes, and show off on social media.

In fact, most of the Nigerian BEC scammer gangs don't use the yahoo boyz term to describe themselves, but use expressions such as "wire-wire," "waya-waya," or "the new G-work."

What businesses should do, according to SecureWorks, is implement 2FA for corporate and personal email accounts, inspect corporate email control panels for suspicious forwarding or redirect rules, carefully review current and past wire transfers against the correct payment details, and confirm wire transfers with business partners over a non-email channel, such as a phone number already on file rather than one quoted in the email.

To help enterprises targeted by this kind of BEC group, the company has also published a tool that analyzes PDFs and highlights later edits, such as a new bank account number overlaid on top of the original document.
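The technique behind that kind of tool, as an added example that is not the SecureWorks tool itself and applies to both the clumsy invoice edits described earlier and the detection described here. PDF writers that modify a file normally append a new body, cross-reference table and trailer (an "incremental update") rather than rewriting the file, so an invoice whose account number was overlaid after the fact carries more than one %%EOF, a trailer with /Prev, and two definitions of the same content object. The sample invoice is constructed inline.

```javascript
// Added example, not the SecureWorks tool: detect incremental updates in a
// PDF and surface the objects a later revision redefines. The sample invoice
// below is constructed for this example.
const EOF_MARK = '%%EOF';

// Serialise one revision: its objects, a cross-reference section whose byte
// offsets are computed from `base` (where this revision starts in the file),
// and a trailer that links back to the previous xref via /Prev.
function serializeRevision(objs, base, prevXref) {
  let out = '';
  const offsets = {};
  for (const [num, body] of Object.entries(objs)) {
    offsets[num] = base + out.length;
    out += `${num} 0 obj\n${body}\nendobj\n`;
  }
  const xrefOffset = base + out.length;
  out += 'xref\n';
  if (prevXref === null) out += '0 1\n0000000000 65535 f \n';
  // one xref subsection per object: valid, if more verbose than a real writer
  for (const num of Object.keys(objs)) {
    out += `${num} 1\n${String(offsets[num]).padStart(10, '0')} 00000 n \n`;
  }
  const size = Math.max(...Object.keys(objs).map(Number)) + 1;
  const prev = prevXref === null ? '' : ` /Prev ${prevXref}`;
  out += `trailer\n<< /Size ${size} /Root 1 0 R${prev} >>\nstartxref\n${xrefOffset}\n${EOF_MARK}\n`;
  return { text: out, xrefOffset };
}

// Constructed sample: a one-page invoice, then an appended update that
// replaces only the content stream (object 4) with different bank details.
function buildSamplePdf() {
  const stream = (s) => `<< /Length ${s.length} >>\nstream\n${s}\nendstream`;
  const header = '%PDF-1.4\n';
  const rev1 = serializeRevision({
    1: '<< /Type /Catalog /Pages 2 0 R >>',
    2: '<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
    3: '<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>',
    4: stream('BT /F1 12 Tf 72 700 Td (Remit to account 1111-2222) Tj ET'),
  }, header.length, null);
  const rev2 = serializeRevision({
    4: stream('BT /F1 12 Tf 72 700 Td (Remit to account 9999-0000) Tj ET'),
  }, header.length + rev1.text.length, rev1.xrefOffset);
  return Buffer.from(header + rev1.text + rev2.text, 'latin1');
}

const toText = (pdf) => (Buffer.isBuffer(pdf) ? pdf.toString('latin1') : String(pdf));

// Split a PDF at each %%EOF and report how many revisions it holds and which
// objects a later revision redefines. A document written once has a single
// revision; an invoice with a swapped account number has two or more, and the
// object carrying the changed text appears in both.
function analyzeRevisions(pdf) {
  const text = toText(pdf);
  const revisions = [];
  let start = 0;
  for (let eof = text.indexOf(EOF_MARK); eof !== -1; eof = text.indexOf(EOF_MARK, start)) {
    const end = eof + EOF_MARK.length;
    const chunk = text.slice(start, end);
    revisions.push({
      objects: [...chunk.matchAll(/(\d+)\s+\d+\s+obj\b/g)].map((m) => Number(m[1])),
      hasPrev: /\/Prev\s+\d+/.test(chunk),
    });
    start = end;
  }
  const seen = new Set(revisions.length ? revisions[0].objects : []);
  const redefined = new Set();
  for (const rev of revisions.slice(1)) {
    for (const n of rev.objects) {
      if (seen.has(n)) redefined.add(n);
      seen.add(n);
    }
  }
  return {
    revisions: revisions.length,
    redefinedObjects: [...redefined].sort((a, b) => a - b),
    linkedByPrev: revisions.slice(1).every((r) => r.hasPrev),
    edited: redefined.size > 0,
  };
}

// Every definition of object `num`, oldest first, so a reviewer can diff the
// original content stream against the overlaid one.
function objectVersions(pdf, num) {
  const re = new RegExp(`(?:^|\\s)${num} 0 obj\\n([\\s\\S]*?)\\nendobj`, 'g');
  return [...toText(pdf).matchAll(re)].map((m) => m[1]);
}

if (typeof require !== 'undefined' && require.main === module) {
  const pdf = buildSamplePdf();
  console.log(analyzeRevisions(pdf));
  console.log(objectVersions(pdf, 4));
}
```

Two caveats a reviewer should keep in mind: a legitimate signing or form-filling step also appends an incremental update, so the signal is "which objects changed", not merely "how many revisions"; and a scammer who re-saves the whole file through a converter collapses it to one revision, in which case only the bank details themselves, checked against the payment record, will give the game away.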

[Figure: Typical BEC process]


Pluggable Transports Help Tor Users Go Around State-Level Censorship

After helping the Debian Project make its services reachable as Tor onion services, the Tor Project is now highlighting a little-publicized feature of the Tor Browser that lets users in certain countries reach the Tor network even when the state is actively blocking access to the Tor relays themselves.

Countries such as China, Iran, Kazakhstan, Uzbekistan, and others use state-level ISP blocks to prevent Tor clients from connecting to Tor relays, the entry point to the Tor network.

The thinking is that if users can't connect to Tor, they can't use Tor to sidestep state-level firewalls, and won't have a means to access "sensitive" content, censored by a country's ruling regime.

For the Tor network to work properly, the list of Tor relays always needs to be public (every client fetches it as part of the network consensus), which also lets a censoring country block the relays by IP address any time it wishes. Bridges are relays kept out of that public list precisely so they are harder to enumerate and block.

Pluggable Transports hide Tor traffic

Since the practice of state-level Internet censorship has been gaining ground, the Tor Project has published a blog post today drawing attention to a little-publicized feature that has been available in the Tor Browser for years.

Called Pluggable Transports (PT), these are special tools shipped with the Tor Browser that take the client's Tor traffic, which otherwise has a recognizable TLS fingerprint, and disguise it as innocuous protocols where authorities rarely look.

These PTs connect to special bridges that run the matching transport, called PT bridges, which unwrap the traffic and relay it into the Tor network. The Tor Project is asking the community for help, requesting that users host PT bridges as well, not only regular Tor relays.
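What the client side of that arrangement looks like in practice, as an added configuration example that is not from the Tor Project's post. It assumes obfs4proxy is installed at /usr/bin/obfs4proxy; the bridge line is a placeholder in the documented format (address:port fingerprint cert=... iat-mode=...), and a real one comes from https://bridges.torproject.org or the Tor Browser's network settings.

```text
# Added example, not from the Tor Project's post: a torrc fragment that makes
# a Tor client reach the network through an obfs4 bridge instead of a publicly
# listed relay. Assumptions: obfs4proxy lives at /usr/bin/obfs4proxy, and the
# Bridge line below is a placeholder (192.0.2.10 is documentation address
# space, the fingerprint and cert are not real).
UseBridges 1

# Tell tor which helper binary speaks the obfs4 transport ...
ClientTransportPlugin obfs4 exec /usr/bin/obfs4proxy

# ... and which bridge to reach through it. The 40-hex-digit fingerprint is
# the bridge's identity key, so tor refuses an impostor answering at that
# address; cert= carries the obfs4 node ID and public key the client needs
# for the handshake, which is what stops a censor's active prober from getting
# a response and confirming the bridge is a bridge.
Bridge obfs4 192.0.2.10:443 0123456789ABCDEF0123456789ABCDEF01234567 cert=REPLACE_WITH_CERT_FROM_BRIDGE_LINE iat-mode=0
```

Without UseBridges 1 the Bridge lines are ignored and the client falls back to the public consensus, so that directive is the first thing to check when a censored client still cannot bootstrap.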

Currently, the Tor Browser supports four PT types and is working on adding three more. Each entry below gives the transport's name, implementation language and maintainer, followed by what it does.

Deployed pluggable transports:

obfs4 (Go, Yawning Angel): a transport with the same features as ScrambleSuit but using Dan Bernstein's Elligator 2 technique to make the public keys in its handshake indistinguishable from random bytes, and the ntor protocol for one-way authentication. This results in a faster protocol.

meek (Go, David Fifield; recommended for Chinese users): a transport that uses HTTP to carry bytes and TLS for obfuscation. Traffic is relayed through a third-party server (Google App Engine). The trick it uses to talk to the third party, known as domain fronting, is to put an unblocked hostname in the TLS SNI and DNS lookup while the real destination only appears in the encrypted HTTP Host header, so to the censor it looks like the client is talking to an unblocked server.

Format-Transforming Encryption (FTE) (Python/C++, Kevin Dyer): transforms Tor traffic into arbitrary formats described by regular expressions, so that it matches whatever protocol the censor's DPI classifier allows through. See the research paper.

ScrambleSuit (Python, Philipp Winter): a pluggable transport that protects against follow-up active probing attacks (the bridge will not respond to a client that does not know the shared secret from the bridge line) and is also capable of changing its network fingerprint (packet length distribution, inter-arrival times, etc.).

Undeployed pluggable transports:

StegoTorus (C++, Zack Weinberg): an Obfsproxy fork that extends it to a) split Tor streams across multiple connections to avoid packet-size signatures, and b) embed the traffic flows in traces that look like HTML, JavaScript, or PDF.

SkypeMorph (C++, Ian Goldberg): transforms Tor traffic flows so they look like Skype video.

Dust (Python, Brandon Wiley): aims to provide a packet-based (rather than connection-based) DPI-resistant protocol.


Advertisers Use Battery Status to Track Users Online

The Battery Status API, supported by most major browsers, has gone from a theoretical method of tracking users online to a de facto reality, Princeton researchers have discovered.

The HTML5 Battery Status API was developed by the W3C (World Wide Web Consortium), the organization that publishes most Web standards, and had been implemented in most Web browsers by the summer of 2015.

The API allows browsers to share information with online entities (websites, Web services, other APIs) about the device's battery level, the time it will take to discharge the battery, and the time it will take to recharge it.

W3C argued that this API could be useful for websites and services that wanted to automatically shift to a low-power consumption mode when the underlying device's battery was draining.

From theoretical research to a cruel reality

In 2015, four security researchers from Belgium and France tried to warn the W3C and user privacy groups that this API could, in theory, be used to track users online.

They argued that advertisers or malicious entities could use the Battery Status API readings, together with other user fingerprinting techniques to identify users online.

Three days ago, Lukasz Olejnik, one of those researchers published a blog post pointing to a new research study from Princeton University, published in July 2016.

The study was a massive work that analyzed how the Alexa 1 million websites track users online. Among the study's findings was a section (6.5) that detailed the usage of the Battery Status API to identify and track users online.

At least two advertisers employ HTML5 Battery Status API readouts

The Princeton researchers said they'd identified two tracking scripts, loaded across multiple websites, that utilized battery levels as a method of fingerprinting users.

Combined with other fingerprinting details, advertisers can build a very accurate tracking system that distinguishes between users and, because the battery level and discharge-time estimate change only slowly, links visits to different sites within a short window and reconstructs the order in which the user accessed them. This works even in private browsing mode, which clears cookies but does not alter the battery readings the API returns.
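How a tracking script would use those readings, and what the precision-reduction mitigation does to them, as an added example that is not code from the Princeton study or from Olejnik's post. The readings are constructed objects carrying the three BatteryManager fields (level, chargingTime, dischargingTime); in a browser they come from navigator.getBattery(). The site names, the 15-minute rounding bucket and the second device's values are assumptions made for the example.

```javascript
// Added example, not from the Princeton study or Olejnik's post: turning
// Battery Status API readings into a short-lived identifier, ordering visits
// with it, and the rounding mitigation. Readings are constructed objects with
// the BatteryManager fields; site names and bucket sizes are assumptions.

// What a tracker keys on: the triple changes only every few tens of seconds,
// so two sites visited inside that window see the same value. Where the level
// was exposed with full double precision (Firefox on Linux at the time), the
// triple is close to unique across users.
function rawFingerprint(b) {
  return `${b.level}|${b.chargingTime}|${b.dischargingTime}`;
}

// Mitigation as this example implements it: level rounded to 1%, time
// estimates rounded to 15-minute buckets (an assumed bucket size, not any
// particular browser's). Infinity (not charging / not discharging) is kept.
function coarsen(b, bucketSeconds = 900) {
  const roundTime = (t) => (Number.isFinite(t) ? Math.round(t / bucketSeconds) * bucketSeconds : t);
  return {
    level: Math.round(b.level * 100) / 100,
    chargingTime: roundTime(b.chargingTime),
    dischargingTime: roundTime(b.dischargingTime),
  };
}

const coarseFingerprint = (b) => rawFingerprint(coarsen(b));

// Visits made on battery power can be ordered by dischargingTime: it only
// decreases while the device is unplugged, so the largest estimate came first.
function orderVisits(visits) {
  return visits
    .filter((v) => v.chargingTime === Infinity)
    .sort((a, b) => b.dischargingTime - a.dischargingTime)
    .map((v) => v.site);
}

// How many distinct identifiers a set of readings yields under a given scheme.
function distinctIdentifiers(readings, fingerprint) {
  return new Set(readings.map(fingerprint)).size;
}

// Constructed readings from one device: two sites visited inside the same
// update window, then a third two minutes later after some discharge.
const SAMPLE_VISITS = [
  { site: 'news.example', level: 0.5636345, chargingTime: Infinity, dischargingTime: 6840 },
  { site: 'shop.example', level: 0.5636345, chargingTime: Infinity, dischargingTime: 6840 },
  { site: 'bank.example', level: 0.5528231, chargingTime: Infinity, dischargingTime: 6720 },
];

// A different user's device at almost the same charge: distinguishable on the
// raw values, indistinguishable once both are coarsened.
const OTHER_DEVICE = { site: 'news.example', level: 0.5641002, chargingTime: Infinity, dischargingTime: 6870 };

if (typeof require !== 'undefined' && require.main === module) {
  console.log('raw ids:', distinctIdentifiers([...SAMPLE_VISITS, OTHER_DEVICE], rawFingerprint));
  console.log('coarse ids:', distinctIdentifiers([...SAMPLE_VISITS, OTHER_DEVICE], coarseFingerprint));
  console.log('visit order:', orderVisits(SAMPLE_VISITS));
}
```

The point of the coarse scheme is the collision in the second console line: once level is a two-digit value and the time estimates fall into a handful of buckets, the identifier space is a few thousand values shared by every user on battery, which is too small to single anyone out.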

"Expected or not, battery readout is actually being used by tracking scripts," Lukasz Olejnik notes. "Some companies may be analyzing the possibility of monetizing the access to battery levels. When battery is running low, people might be prone to some - otherwise different - decisions. In such circumstances, users will agree to pay more for a service."

Olejnik says that, in response to this study, he was told that some browser makers are considering restricting or removing access to this API.


Samsung Details the Iris Scanner and Security Options on the Note 7

Samsung unveiled the Galaxy Note 7 just a couple of days ago, and one of the novelties that it brings to the Note series is the incorporated iris scanner. Much has been said on this security feature, and it was only to be expected, considering that the iris scanner is the most secure biometric authentication technology, or at least that's what the South Korean giant claims.

Samsung has released an in-depth analysis of the iris scanner, considering that it's one of the main selling points of the Galaxy Note 7. The iris scanner provides additional functionality to the new device, even when it comes to using mobile payment services like Samsung Pay.

The technology allows users to perform payments without even having to touch the phone. In case you didn't know, Samsung Pay can also be used with the fingerprint scanner found on the handset.

The iris scanning technology uses mathematical pattern recognition of images of the user's iris, from one or both eyes. The device scans the iris, and the reason this technology is reliable is that each person has a unique and intricate iris pattern that is almost impossible to replicate.

The iris scanner was also incorporated into Samsung's Galaxy Tab Iris, created for government organizations and enterprises in India.

Samsung spent 3 years working on the iris scanning technology

The Galaxy Note 7 stores the iris information as an encrypted template, and when the user wishes to unlock the phone, the IR LED and camera capture the iris, digitize the pattern, and compare it with the stored template.

The iris scanner works in low-light conditions, as the technology makes use of the Note 7's display brightness in order to scan the user's irises. Samsung points out that the IR LED is safe to use, with no health implications, and that it has received the highest certification level under IEC (International Electrotechnical Commission) 62471, the standard for the photobiological safety of lamps and lamp systems.

An executive has stated that the company spent 3 years working on perfecting this technology and that the iris scanner could be featured on mid-range Samsung devices as well.


Samsung Galaxy A4 Receives Wi-Fi Certification

Samsung has just unveiled its latest flagship, the Galaxy Note 7, and it's stunning in terms of design and specifications alike. The smartphone is bound to leave its mark on the market, as analysts say that it might actually record higher sales than the Galaxy S7 and S7 edge in the long run.

Samsung Galaxy A4 has recently appeared on India's import-export website Zauba, but few details are known about this smartphone. According to recent information from Price Raja, Samsung applied for Wi-Fi certification for SM-A430FD, SM-A430L, SM-A430X, SM-A430S, and SM-A430K, which means that the handset is close to being released.

The listing doesn't provide much information aside from the fact that Galaxy A4 features the model number SM-A430. In addition, word is that the Galaxy A4 could pack a 5.5-inch display, and its price tag would fall somewhere between $373 and $448.

Galaxy A4 should come with 3GB of RAM and a 3,000mAh battery

It is said that the device will boast an Exynos processor, 3GB of RAM, and a 13MP rear-facing camera. It will also have a 5MP selfie shooter and a 3,000mAh non-removable battery, and it will ship with Android Marshmallow 6.0.1 out of the box.

The last Galaxy A smartphone that Samsung released was the Galaxy A5 in December of last year. The handset had the same rear and front camera capacity as on the rumored Galaxy A4, but it came with a Qualcomm Snapdragon 410, while the upcoming device is expected to have a more powerful processor.

Other specs of the Galaxy A5 include an Adreno 306 graphics processing unit and 2GB of RAM, as well as a 5-inch Super AMOLED capacitive touchscreen with HD (720p) resolution at 294 ppi (pixels per inch).

The smartphone also came with a 2,300mAh battery and offered lots of connectivity options. After passing through Zauba and receiving Wi-Fi certification, it's clear that the Galaxy A4 will be released soon, and more information should surface in the coming weeks.

