Kaspersky Provides its Side of the Story – Kaspersky today published its version of events in the US-Russian-Kaspersky spying saga. It comes in response to recent reports claiming that Russian FSB agents had effectively turned the anti-virus into an interactive search engine able to scan computers all over the world, so that when an NSA contractor took classified files home without permission, those files and the NSA tools they contained ended up with the Russian government. Kaspersky has denied any wrongdoing and has begun an internal investigation in an attempt to rebuild trust with foreign governments and the public. The preliminary results, published today, reveal that Kaspersky admits collecting the secret NSA documents but says the collection was unintentional. The company stresses that the process was automatic: the files picked up by the anti-virus matched malware signatures it believed belonged to a cyber-espionage group it was investigating at the time. Around the time of the incident it published its now famous report on an actor it called 'The Equation Group', which security experts now widely regard as the NSA's cyber division. When the collected files appeared to be new and unknown variants of Equation Group malware, Kaspersky analysts gathered and analysed them before realising they may have found the source code of the NSA's cyber tools. Eugene Kaspersky was made aware of the find and ordered the files deleted, and the company insists no third party was informed of or provided with the files.
Kaspersky then goes on to claim that the contractor who smuggled the tools out of the NSA's network had also infected his own computer with malware after downloading a pirated version of Microsoft Office. The pirated software carried a trojan backdoor detected as Win32.Mokes.hvl, and this is a key point in the report: Kaspersky claims the backdoor was giving an unknown cybercriminal access to the very computer that held the NSA tools.
For this first part of the investigation the report corroborates what online reports and theories have been saying: Kaspersky's software acted as designed and collected files only because they matched malware signatures, rather than having been used to search for top secret or classified data as was first suspected. The next step is to see how the Americans respond and whether they accept the report or put out a different version of events. Either way, the rest of the report is going to be interesting to say the least.
Reaper Is Getting Stronger – Hackers are moving swiftly to make the Reaper IoT botnet a force to be reckoned with. With reports of millions of devices already herded into the botnet, hackers are now swapping scripts on online forums that scan the internet for vulnerable IoT devices and extract default or weak credentials from them. The Reaper malware targets poorly protected connected devices such as routers and wireless cameras, but it does not merely exploit default credentials: it also exploits nearly a dozen other vulnerabilities. Arbor's Security Engineering & Response Team disputes the millions figure, reckoning the botnet has amassed only 10,000 to 20,000 devices, with a further 2 million hosts identified as potential nodes. It is not clear why these additional hosts have not yet been absorbed into the botnet, but one theory is that Reaper is being built as a booter/stresser service for China's internal DDoS-for-hire market. With the storm gathering strength, it is only a matter of time before Reaper takes its first victim, and if the Mirai botnet that took down large parts of the internet is anything to go by, the results could be quite spectacular.
Hacker Demands $50K from Hackers – We so often read of the good guys being extorted by the bad guys that it makes a nice change to hear of the bad guys being extorted for once. A hacker has broken into Basetools.ws, an underground forum with over 150,000 users where stolen credit cards, profile data and spamming tools are sold, and has demanded $50K or they will hand data on the site's administrator to US authorities. To prove the claim, the hacker has shared images of the Basetools administration panel and an image showing the site admin's login details and IP address. They also dumped tools that Basetools users were selling, such as login credentials, backdoors, spambots and other data. As soon as the demand went live, Basetools went offline into maintenance mode. The motive appears to be revenge, with the hacker claiming the Basetools administrator has been manipulating statistics. In the wider scheme of things this hack is of note because it exposes stolen data and compromised servers that were not known about before and that could be taken over and used for spam, malware hosting or other malicious activity. The owners of these servers will need to be notified that they have been compromised, and there is also data on companies that have not yet reported a breach and will need to be given the bad news.