Tag Archives: malware

Report: Egyptian Citizens Exploited in Covert Cryptocurrency Mining

According to a new report from researchers at the University of Toronto, entities linked to the Egyptian government may have been hijacking “Egyptian internet users’ unencrypted web connections en masse” to secretly mine cryptocurrency.

According to the detailed report from the University of Toronto Citizen Lab, researchers identified techniques being used to hijack Egyptian citizens’ computers and mobile devices. Egyptian internet users were reportedly being covertly redirected to malware that used their computers to mine Monero cryptocurrency. The Citizens Lab describes itself as an “interdisciplinary laboratory” focused on “research, development, and high-level strategic policy and legal engagement at the intersection of information and communication technologies, human rights, and global security.”

— Through Internet scanning, we found deep packet inspection (DPI) middleboxes on Türk Telekom’s network. The middleboxes were being used to redirect hundreds of users in Turkey and Syria to nation-state spyware when those users attempted to download certain legitimate Windows applications.

— We found similar middleboxes at a Telecom Egypt demarcation point. On a number of occasions, the middleboxes were apparently being used to hijack Egyptian Internet users’ unencrypted web connections en masse, and redirect the users to revenue-generating content such as affiliate ads and browser cryptocurrency mining scripts.

— After an extensive investigation, we matched characteristics of the network injection in Turkey and Egypt to Sandvine PacketLogic devices. We developed a fingerprint for the injection we found in Turkey, Syria, and Egypt and matched our fingerprint to a second-hand PacketLogic device that we procured and measured in a lab setting.

—The apparent use of Sandvine devices to surreptitiously inject malicious and dubious redirects for users in Turkey, Syria, and Egypt raises significant human rights concerns.

The researchers called the scheme AdHose, which has two modes: spray mode and trickle mode. According to the report:

The Egyptian scheme, which we call AdHose, has two modes. In spray mode, AdHose redirects Egyptian users en masse to ads for short periods of time. In trickle mode, AdHose targets some JavaScript resources and defunct websites for ad injection. AdHose is likely an effort to covertly raise money.

Quartz Media reported the hardware used for implementing AdHose is used for revenue generation as well as a censorship tool. The report stated that the malware blocked certain news outlets such as Al Jazeera, Reporters Without Borders and Human Rights Watch, and redirected users attempting to access certain websites such as former-pornographic website Babylon-X.com and the Coptic Orthodox Church religious website for the pope (CopticPope.org).

Quartz Media explained that with “spray” mode, “any website that affected users tried to visit would redirect their browsers to either an ad network or cryptocurrency mining malware called Coinhive. One scan in January found 95% of devices observed, numbering over 5,700, were affected by AdHose.”

[RELATED: Report: FBI Paid Geek Squad Employees to Spy on Customers]

University researchers conducted tests that identified AdHose middleboxes in a Telecom Egypt “demarcation point,” which may provide evidence of a connection to the Egyptian government, as Telecom Egypt is state-owned.

The maker of the hardware is a Canadian company called Sandvine; the Citizen Lab researchers noted that Sandvine called their report “false, misleading, and wrong.” Sandvine also issued a statement to CoinDesk:

Based on a preliminary review of the report, certain Citizen Lab allegations are technically inaccurate and intentionally misleading….We have never had, directly or indirectly, any commercial or technology relationship with any known malware vendors, and our products do not and cannot inject malicious software. While our products include a redirection feature, HTTP redirection is a commodity-like technology that is commonly included in many types of technology products.

The researchers reached out to Sandvine and its owner Francisco Partners for comment on the discovery. They received a response stating:

A key part of the Sandvine’s innovation process is to ensure that we do not lose sight of the ethical impact of our technology on human rights, freedom of speech, and privacy. Sandvine has taken the approach on regulating access to the components of our solutions that could be sued to infringe on any of these. The usage of our regulatory compliance solutions is controlled by an EULA and software licenses that are required for any components that could conceivably be used to violate human rights, freedom of speech, and privacy.

However, the report stated that Sandvine referred to confidentiality issues as it refrained from commenting on business dealings in Egypt or Turkey. Business dealings with these countries would appear to contradice Sandvine’s Business Ethics Committee review process, in which it has used the World Bank Index to review sales with partners, stating they use “strong safeguards” that Sandvine asserts it maintains “regarding social responsibility, human rights, and privacy rights.”

“We emphasized that we were confident in our research findings, which two independent peer reviews confirmed,” the researchers at Citizens Lab maintained.

Advanced Cybercrime Gang ‘Equation’ Closely Linked to NSA

Malware Targeted Foreign Industry, Governments

by Jason Ditz, February 16, 2015

Over the weekend, it was reported that the NSA was scrambling to get ready for a new “leak” about their operations, which was uncovered by a “non-US” cybersecurity company. Today, Russian-based Kaspersky Labs unveiled a huge cache of information about a cybercriminal gang they are calling “Equation,” and which appears to be tightly connected to the NSA itself.

Kaspersky Labs released a 44-page report on Equation (pdf), which describes the group’s suite of malware, used to steal information from industries, corporations, governments, and even some individuals, as the most advanced on the planet.

Indeed, Equation’s malware is so successful and so hard to detect, that Kaspersky believes they’ve been in existence since 2001, or possibly as far back as 1996, and they are only now getting a glimpse into their existence.

Equation’s suite is said to be extremely modular, with initial Trojans being installed simply to see if the targeted computer’s user might be of interest, and if so depositing payloads of highly advanced software into the operation system, which is almost impossible to detect.

Though Kaspersky Labs declined to conclusively link them to the NSA in the report, the connection is impossible to deny, as the early Equation worms appear to be the basis for the Stuxnet worm, which US officials have openly admitted was government handiwork.

Equation’s delivery system also appears to have relied on it being quasi-governmental in some cases, intercepting shipments of commercial software being sent to potential targets of interest and replacing the installation CDs with infected alternatives. Kaspersky had examples of infected Oracle software CDs that were apparently created by Equation and delivered to customers instead of the actual CDs.

The malware identified infects Windows systems, and appears to successfully target all known modern versions of the Microsoft operating system. The report also notes some of the malware makes reference to Macintosh OSX versions of the malware, though none has yet been conclusively seen in the wild.

The malware embeds itself within the operating system, the registry, and into the firmware of the physical hard drives themselves, making it virtually impossible to detect and similarly difficult to remove. The use of hard drive firmware as a method of attack by the NSA had been previously reported, but the sophistication of the attacks are surprising many.

New Malware Tool Aims to Detect Government Surveillance

EFF, Amnesty International Back Effort to Stop Surveillance

by Jason Ditz, November 20, 2014
Amnesty International, the Electronic Frontier Foundation, and other groups are throwing their weight behind a new open-source software malware detection project called Detekt.

Unlike the more all-purpose antivirus and anti-malware programs, Detekt centers around detecting and warning end users of surveillance malware of the sort known to be used by government.The revelations of NSA surveillance last year by Edward Snowden has brought new attention to the problem of government surveillance, and nations across the planet are using malware utilities to spy on civilians. The Detekt program was developed by Claudio Guarnieri, who has previously developed other programs related to the analysis of malware. Detekt is designed only for Windows-based computers, which of course are the most commonly used and subsequently most commonly targeted.

Detekt is available at resistsurveillance.org, and the source is available at github. The program’s authors warn it may not detect the newest revisions of government surveillance malware, but that it may help weed out some of the most common.

Maryland Resident, Former NSA Contractor, to Run for NH Governor

We reported last week that Walt Havenstein, a resident of Maryland, has plans to file to run for Governor in New Hampshire. New Hampshire’s Constitution clearly states that (emphasis added):

[Art.] 42. [Election of Governor, Return of Votes; Electors; If No Choice, Legislature to Elect One of Two Highest Candidates; Qualifications for Governor.] The governor shall be chosen biennially in the month of November; and the votes for governor shall be received, sorted, counted, certified and returned, in the same manner as the votes for senators; and the secretary shall lay the same before the senate and house of representatives, on the first Wednesday following the first Tuesday of January to be by them examined, and in case of an election by a plurality of votes through the state, the choice shall be by them declared and published. And the qualifications of electors of the governor shall be the same as those for senators; and if no person shall have a plurality of votes, the senate and house of representatives shall, by joint ballot elect one of the two persons, having the highest number of votes, who shall be declared governor. And no person shall be eligible to this office, unless at the time of his election, he shall have been an inhabitant of this state for 7 years next preceding, and unless he shall be of the age of 30 years.

So that made us wonder: who is Walt Havenstein and why is he running for Governor of New Hampshire?

Havenstein is the former CEO of tech company SAIC. From SAIC’s website:

SAIC consults on the design, development, and use of products, parts, and programs for a diverse array of government and enterprise missions. We help optimize infrastructure, engineering processes, operational approaches, and logistics and supply chain management by offering a wide range of business and mission strategy services, including:

  • Analysis, reporting, and consulting on national policy and technical business issues.
  • International security, defense, and cultural advisory.
  • Implementation of organizational change processes.
  • Government contract project management and program support.

He retired in June of 2012, but not before securing $5.9 billion dollars in federal contracts. That ranks them 4th in companies that received federal contracts.

Source: WashingtonTechnology.com

It is no secret that SAIC is awarded billions of dollars a year in contracts, but what are these contracts for? According to Slate, SAIC may have been contracted by the government to place malware on Tor networks and websites (sometimes referred to as “dark web”). Dark web is usually used by journalists and activists who wish to transmit information anonymously. Sometimes, just like the regular web, it’s used for criminal activity.

The malware was used to collect data on website traffic and visitor information and activity and send it back to a data collection center. The IP address the malware was sending the information to was traced back to an address near Reston, Va. Further investigation found that a SAIC IP address, that was alloted to the NSA, was receiving the malware information.

Is it a coincidence that Havenstein announced his run shortly after gubernatorial candidate Andrew Hemingway announced his “Privacy First” platform?

From Hemingway’s Privacy First platform:

Outline: The concept of privacy is paramount in the protection of individual liberties.  The degree to which the government, either federal, state or local, corporations or curious individuals have the ability to gather information on anyone for any reason is the degree to which our privacy has been invaded.  Therefore, it is paramount that government must do everything in its power to prevent this incursion.  Government’s job should be to protect citizens from this intrusion and not to be the purveyor of it.  The advancement of digital capabilities and technology without legislative protection has led to an “open season” mentality on information and data collection. Whether it is through our medical and health organizations, our schools, or the blatancy of metadata collection by the National Security Agency (NSA), it is incumbent upon all government and political leaders to develop ways to protect the privacy of Americans and specifically, Granite Staters.

Let us know your thoughts below.


Follow Sam on Twitter.