Tuesday, December 11, 2012

Daily Report

Top Stories

 Saudi Arabia’s national oil company, Aramco, said December 9 that a cyberattack against it in August that damaged some 30,000 computers was aimed at stopping oil and gas production in Saudi Arabia. The attack on Aramco — which supplies a tenth of the world’s oil — was one of the most destructive hacker strikes against a single business. – Reuters

1. December 9, Reuters – (International) Saudi Aramco says hackers took aim at its production. Saudi Arabia’s national oil company, Aramco, said December 9 that a cyberattack against it in August that damaged some 30,000 computers was aimed at stopping oil and gas production in Saudi Arabia. The attack on Saudi Aramco — which supplies a tenth of the world’s oil — failed to disrupt production, but was one of the most destructive hacker strikes against a single business. Hackers from a group called Cutting Sword of Justice claimed responsibility for the attack, saying that their motives were political and that the virus gave them access to documents from Aramco’s computers, which they threatened to release. No documents were published. Aramco and the Saudi Interior Ministry were investigating the attack. A ministry spokesman said the attackers were an organized group operating from countries on four continents. The attack used a computer virus known as Shamoon, which infected workstations on August 15. The company shut its main internal network for more than a week. Shamoon spread through Aramco’s network and wiped computers’ hard drives clean. Aramco said damage was limited to office computers and did not affect systems software that might harm technical operations. Source: http://www.nytimes.com/2012/12/10/business/global/saudi-aramco-says-hackers-took-aim-at-its-production.html

  Standard Chartered Plc agreed to pay $327 million of fines after regulators alleged it violated U.S. sanctions with Iran, Bloomberg News reported December 10. – Bloomberg News See item 4 below in the Banking and Finance Sector

  A spokesman for the Frederick County, Maryland Division of Fire and Rescue Services said December 7 that information was illegally accessed from a company that provides data services for the ambulance service. – Associated Press

25. December 7, Associated Press – (Maryland) Information from ambulance billing stolen. Frederick County, Maryland’s rescue service said account information from the ambulance billing system was stolen and given to a theft ring. A spokesman for the Frederick County Division of Fire and Rescue Services said December 7 that the company which provides data services for the ambulance service learned in October that information had been illegally accessed. The company, Advanced Data Processing Inc., said some individual account information had been disclosed to a theft ring suspected of filing fraudulent federal tax returns. The theft included ambulance data from Frederick County and First Response Medical Transportation Corp. Advanced Data Processing said it notified people that were affected. Source: http://www.sfgate.com/news/crime/article/Information-from-ambulance-billing-stolen-4100280.php

  Security researchers from Carnegie Mellon University, in collaboration with experts from Coherent Navigation, identified new attack vectors against the Global Positioning System (GPS), Softpedia reported December 10. – Softpedia See item 30 below in the Communications Sector


Banking and Finance Sector

4. December 10, Bloomberg News – (International) Standard Chartered to pay $327 million in U.S.-Iran transfers case. Standard Chartered Plc agreed to pay $327 million of fines after regulators alleged it violated U.S. sanctions with Iran, Bloomberg News reported December 10. The bank will pay $100 million to the Federal Reserve and $227 million to the U.S. Department of Justice and the District Attorney for New York County. The settlement includes a $132 million fine to the Treasury Department’s Office of Foreign Assets Control, according to a statement from the Federal Reserve. ”The orders address unsafe and unsound practices related to inadequate and incomplete responses to examiner inquiries as well as insufficient oversight of its compliance program for U.S. economic sanctions, Bank Secrecy Act, and anti-money- laundering requirements,” the Federal Reserve said in the statement. As part of that agreement, the U.S. charged the bank with one count conspiring to violate the International Emergency Economic Powers Act. That charge will be dismissed after two years if Standard Chartered abides by the terms of the agreement, according to court papers. Source: http://www.businessweek.com/news/2012-12-10/standard-chartered-pays-327-million-in-u-dot-s-dot-iran-transfers-case

5. December 9, KSL-TV 5 Salt Lake City – (Utah) 2 men used truck to assist in ATM theft, police say. Police are looking for two people they said pried open the doors at a Murray, Utah gas station and used a pickup truck to steal an ATM December 9. A Murray Police sergeant said a white truck with a utility shell backed up to the entrance of a Tesoro gas station. After forcing the door open, one man entered the store and tied a tow rope to the ATM. The driver of the truck then dragged the ATM out of the store and partway down the street before it was loaded into the vehicle. Source: http://www.ksl.com/?sid=23312404&nid=148

6. December 8, Reading Eagle – (Pennsylvania) 4 arrested in bank-cheating check scheme. Police in Berks County, Pennsylvania, charged a Maryland woman and used a vehicle’s GPS tracking system to arrest three other suspects in a State-wide counterfeit-check scheme that stole more than $100,000 from Metro and Vist Financial banks, the Reading Eagle reported December 8. The scheme, which operated in the Reading, Harrisburg, York, and Philadelphia areas, originated in February. It was led by a Maryland man who drove “runners” to various banks to cash phony checks, police said. Exeter Township police said they arrested one of those runners December 6 on charges she cashed a bogus check at a Metro Bank branch. The man suspected of leading the scheme was stopped by police December 7. Exeter police had learned the man was driving a leased car and were able to track his location by using GPS information provided by the leasing company. Two other suspected runners were also arrested. Source: http://readingeagle.com/article.aspx?id=433933

7. December 8, Associated Press – (California) ‘Tiger Bandit’ bank robber arrested in Calif. Authorities said a suspected robber dubbed the “Tiger Bandit” implicated himself in five southern California bank heists, the Associated Press reported December 8. Los Angeles County Sheriff’s officials said the suspect was arrested December 4 when deputies served a search warrant at a relative’s house in Compton. The suspect got his nickname because he was caught in surveillance photos wearing a Detroit Tigers baseball cap. Investigators recovered clothing believed to have been worn during the robberies and some cash. Detectives also seized a car which matched surveillance video images of the getaway car used during a Santa Monica robbery. The suspect is also linked to bank robberies in Huntington Beach, Marina del Rey, Long Beach, and Lomita since November 23. Source: http://www.sfgate.com/news/crime/article/Tiger-Bandit-bank-robber-arrested-in-Calif-4083442.php

8. December 7, American Banker – (International) Skimming, trapping threatened ATMs in 2012: Survey. Fraud and physical attacks against ATMs rose globally in 2012, according to a survey of 225 respondents worldwide released December 6 by the ATM Industry Association. According to the survey, the swiping of details embedded in the magnetic stripes of debit and credit cards inserted into ATMs remains the top threat to ATM security, followed by the deployment of devices that trap cash or cards and prevent them from being dispensed to customers. The use of gas and explosives to destroy ATMs increased in the past six months as well, according to the survey. Forty-five percent of those surveyed said criminal attacks on ATMs in their country or region rose since the second quarter, while 53 percent said fraud and attacks on ATMs have added costs to their businesses. Roughly 54 percent of respondents said they invested more in security technology compared with six months ago, while 42 percent report no change in their investment. Source: http://www.americanbanker.com/issues/177_235/skimming-trapping-threatened-atms-in-2012-survey-1055023-1.html

9. December 7, U.S. Securities and Exchange Commission – (Florida) SEC charges prominent entrepreneur in Miami-based scheme. The U.S. Securities and Exchange Commission (SEC) December 7 charged a prominent Miami-based entrepreneur with defrauding investors by grossly exaggerating the financial success of his company that purportedly produced housing materials to withstand fires and hurricanes. The man stole at least $8.1 million, nearly half of the money raised from investors, to pay for various luxury expenses. The SEC alleges that the man raised at least $16.8 million from investors by portraying InnoVida Holdings LLC as having millions of dollars more in cash and equity than it actually did. To add an air of legitimacy to his company, he assembled a high-profile board of directors that included a former governor of Florida, a lobbyist, and a major real estate developer. He falsely told a potential investor he had invested tens of millions of dollars of his own money as InnoVida’s largest stakeholder, and he hyped a Middle Eastern sovereign wealth fund investment as a ruse to solicit additional funds from investors. The SEC also charged InnoVida’s chief financial officer, a certified public accountant living in Pembroke Pines, who helped the man create the false financial picture of InnoVida. Source: http://www.sec.gov/news/press/2012/2012-258.htm
For more stories, see items 25 above in Top Stories and 27 and 29 below in the Information Technology Sector

Information Technology Sector
26. December 10, Softpedia – (International) Exforel backdoor implemented at NDIS level to be more stealthy. Security researchers from Microsoft’s Malware Protection Center have identified a variant of the Exforel backdoor malware, VirTool:WinNT/Exforel.A, that is somewhat different from other malicious elements of this kind. The backdoor is implemented at the Network Driver Interface Specification (NDIS) level. Since Exforel.A implements a private TCP/IP stack and hooks NDIS_OPEN_BLOCK for the TCP/IP protocol, the backdoor TCP traffic is diverted to the private TCP/IP stack and then delivered to the backdoor. This makes this variant of the malware more low-level and stealthy because there is no connecting or listening port. Furthermore, the backdoor traffic is invisible to user-mode applications. According to experts, this particular version of Exforel – which can download, upload, and execute files, and rout TCP/IP packets – is used in a targeted attack against a particular organization. Source: http://news.softpedia.com/news/Exforel-Backdoor-Implemented-at-NDIS-Level-to-Be-More-Stealthy-Experts-Say-313567.shtml

27. December 10, Help Net Security – (International) Beware of Bitcoin miner posing as Trend Micro AV. Trend Micro researchers recently uncovered a piece of malware that tried to pass itself off as “Trend Micro AntiVirus Plus AntiSpyware”. The software in question is a trojan that creates the process svchost.exe and downloads additional malicious components such as a Bitcoin miner application created by Ufasoft. This particular application will, unbeknownst to the victim, use the infected system’s resources to create Bitcoins for the people behind this scheme. “This attack is timely because of the news that Bitcoin Central has been approved by the law to function as a bank where exchange from Euro and Bitcoins are now possible,” the researchers noted. Source: http://www.net-security.org/malware_news.php?id=2349&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Google+Reader

28. December 9, Associated Press – (International) Ex-Idaho woman hiding after $163m federal judgment. A former Idaho woman believed to be hiding out in the Caribbean owes the U.S. government $163 million, part of a federal civil judgment earlier this year stemming from an Internet scam, the Associated Press reported December 9. According to the Federal Trade Commission (FTC), she participated in an Internet scheme in which people were frightened into buying virus-protection software they did not need. Others involved in the business, called Innovative Marketing, paid some $16 million in settlements. But the woman from Idaho remains at large, possibly on the Caribbean island of Nevis. Her former boyfriend is also an international fugitive targeted by the FBI’s cybercrimes unit. Innovative Marketing pushed advertisements that claimed users had hundreds of viruses or illegal files that needed cleansing and offered software for $39.95 or more. But installing the product did not help; it gave the user more scareware ads, according to the FTC. Source: http://www.foxreno.com/news/ap/crime/ex-idaho-woman-hiding-after-163m-federal-judgment/nTQ95/

 29. December 8, PC World – (Texas) Anonymous affiliate indicted for threats, stolen credit cards. A federal grand jury in Dallas indicted a putative spokesman for the hacker collective known as Anonymous in connection with a massive data breach of Stratfor Global Intelligence. The man is in federal prison based on another indictment returned against him October 3. In that case he was charged with making a threat on the Internet, conspiring to make public restricted personal information of a federal employee, and retaliation against a federal law enforcement officer. One of the crimes he is accused of in the indictment is transferring a hyperlink from an Internet Relay Chat (IRC) channel apparently occupied by Anonymous to a channel controlled by himself. The hyperlink provided access to data stolen from Stratfor, which included more than 5000 credit card account numbers, information about their owners, and their Card Verification Values (CVV). By transferring and posting the hyperlink to the Internet, the man caused the data to be made available to persons online without the knowledge and authorization of Stratfor or the cardholders. He is also charged with possession of at least 15 credit card numbers and their CVV codes without the knowledge of the cardholders with intent to defraud them. In addition, the indictment accuses him of aggravated identity theft by knowingly transferring and possessing without lawful authority the means of identification of the credit card holders. Source: http://www.pcworld.com/article/2019242/anonymous-affiliate-indicted-for-threats-stolen-credit-cards.html
For more stories, see item 30 below in the Communications Sector

Communications Sector

30. December 10, Softpedia – (National) GPS software attacks more dangerous than jamming and spoofing, experts say. Security researchers from Carnegie Mellon University, in collaboration with experts from Coherent Navigation, identified new attack vectors against the Global Positioning System (GPS), Softpedia reported December 10. According to the researchers, a malicious 45-second GPS broadcast is capable of taking down more than 30 percent of the Continually Operating Reference Station (CORS) network, which is used for safety and life-critical applications. Furthermore, it could also disrupt 20 percent of the Networked Transport of RTCM via Internet Protocol (NTRIP) systems. A total of three new attack methods have been identified: GPS data level attacks, GPS receiver software attacks, and GPS dependent system attacks. GPS data level attacks are somewhat similar to spoofing, but they can cause more damage. For instance, such an attack can remotely crash a high-end receiver. The second type of attacks leverages the fact that GPS receivers run some kind of computer software that can be remotely compromised. Since GPS receivers are most often seen as devices instead of computers, the security holes leveraged by attackers can remain unpatched for extended periods of time. In order to mitigate such threats, experts recommend stronger verification of GPS receiver software and the deployment of regular software updates for IP-enabled devices. Another mitigation strategy refers to the use of Electronic GPS Attack Detection System (EGADS) that alerts users when an attack is underway, and an Electronic GPS Whitening System (EGWS) that re-broadcasts a whitened signal to otherwise vulnerable receivers. One noteworthy thing about these types of attacks is that they do not require sophisticated or expensive equipment. The hardware utilized by the researchers costs only about $2,500. Source: http://news.softpedia.com/news/GPS-Software-Attacks-More-Dangerous-Than-Jamming-and-Spoofing-Experts-Say-313388.shtml

31. December 10, Lower Providence Patch – (Pennsylvania) Police: Over $22,000 worth of copper cables stolen in Audubon. Lower Providence, Pennsylvania police reported that five copper power cables, worth over $22,000, were stolen from the Sprint/Nextel parking lot in Audubon. The incident was reported December 4 by a Sprint/Nextel switch technician. The technician told police that the cables were stolen from portable generators left on the property. According to police, at the time of the report two Olympian generators and three Generac generators were returned to the business and placed in its parking lot, with the power cables attached and in working order. The approximate value of each cable is $4,500. Source: http://lowerprovidence.patch.com/articles/police-over-22-000-worth-of-copper-cables-stolen-in-audubon

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to support@govdelivery.com.

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at  nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at  soc@us-cert.gov or visit their Web page at  www.us-cert.go v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.