
This Week in Security: Expert Takes on the Headlines

By The Cylance Research Team

Thousands of 'Deep Web' Sites Affected by Hack on Freedom Hosting II

Freedom Hosting II (FHII), estimated to be home of one-fifth of the dark web, was subject to an attack resulting in defacements and loss of availability to hosted content.

Those claiming responsibility for the attack assert that FHII was a knowing party to gigabytes of child pxxnography and other untoward content.

The hackers, in a show of bravado, detailed how the attack was carried out and released dumps of database contents, private keys, and system files on the BitTorrent network.

Users should consistently monitor their credit cards for fraud. Luckily, credit card companies have become relatively vigilant in spotting fraud and alerting their customers, but there are some good tips here.

Windows-Based Mirai Variants Becoming More Prolific

Since the public release of the Mirai botnet source code, countless offshoots of the malware have been seen out in the wild. Windows-based variants of Mirai have been observed over the last few weeks, and while the Linux-only variations have been quite prolific, the addition of a Windows component makes this malware that much more attractive to attackers. The attack surface is greatly expanded with the expanded platform support.

Observed samples can scan, fingerprint, and discover vulnerable hosts based on the port and interrogation behavior. When the Windows-based trojan finds a vulnerable Linux-based target, the Linux version of the Mirai code is downloaded and executed on those hosts. Essentially, Mirai is becoming multi-platform and no longer just Linux-based. Beyond that, the trojan is able to target and attack additional applications such as MySQL and MSSQL. Some observed binaries can function as both the server and client role (in the context of the malware) depending on parameters passed during execution.

In simple terms, the Mirai 'server' is used to corral bots (via telnet, for example) and track their resources, as well as to listen for and issue attack commands against broad targets. The 'client' is the running bot listening for attack instructions or maintenance commands.

As always, users should take the following steps to protect themselves:

   Change default passwords (and even usernames, if possible) on routers, wireless access points, and other network devices. Make the password long (minimum of 12-14 characters) and use a combination of lowercase and uppercase alphabetical characters, numbers, and symbols.
   Keep firmware and patches up to date on devices, and be sure to get updates only from the manufacturer's site or service. Most devices have a built-in web page or app to perform the update, and an increasing number of home network devices update automatically.
   If the device has a built-in firewall, review configuration options to block unnecessary ports and services. Additionally, if there are options to configure services such as Universal Plug and Play (UPnP), disable them if they are not necessary.
   Don't connect your "things" directly to the Internet. Instead, use a firewall (if available) to restrict device traffic.

iOS “Hacking Tools” Posted Publicly

Cellebrite gained notoriety when they assisted the U.S. Government in unlocking a suspect’s iPhone in the high-profile case of the San Bernardino terrorist attack. This past January, it was reported that Cellebrite suffered a breach, with approximately 900GB worth of sensitive data extracted by the attacker. The attacker has come forward and released a cache of the tools exfiltrated from Cellebrite’s network.

According to Cellebrite, there was no sensitive source code present in the leaked data. The hacker managed to decrypt the tools from UFED images, and included a fully functional Python script with the tools to facilitate execution.

With the public release of these cracking tools, we recommend consumers be vigilant when it comes to physical device security:

   Never leave your mobile device unattended (e.g. on a desk or plugged in to a wall outlet out of your field of view)
   Use a lock passcode for locking your device and maintain a short timeout for automatically re-locking
   Don’t plug your mobile device in to any unknown USB ports
   Enable remote deletion/wiping on your device if available

Tags: cybersecurity, Security News, Mirai, Freedom Hosting II, hacking tools