
Sunday, July 14, 2013

Hackers use Dropbox, WordPress to spread malware



The Chinese cyberspies behind the widely publicized espionage campaign against The New York Times have added Dropbox and WordPress to their bag of spear-phishing tricks.

The gang, known in security circles as the DNSCalc gang, has been using the Dropbox file-sharing service for roughly the last 12 months as a mechanism for spreading malware, said Rich Barger, chief intelligence officer for Cyber Squared. While the tactic is not unique, it remains under the radar of most companies.

"I wouldn't say it's new," Barger said on Thursday. "It's just something that folks aren't really looking at or paying attention to."

The gang is among 20 Chinese groups identified this year by security firm Mandiant that launch cyberattacks against specific targets to steal information. In this case, the DNSCalc gang was going after intelligence on individuals or governments connected to the Association of Southeast Asian Nations. ASEAN is a non-governmental group that represents the economic interests of ten Southeast Asian countries.

The attackers did not exploit any vulnerabilities in Dropbox or WordPress. Instead, they opened up accounts and used the services as their infrastructure.

The gang uploaded on Dropbox a .ZIP file disguised as belonging to the U.S.-ASEAN Business Council. Messages were then sent to people or agencies that would be interested in the draft of a Council policy paper. The paper, contained in the file, was legitimate, Barger said.

When a recipient unzipped the file, they saw another one that read, "2013 US-ASEAN Business Council Statement of Priorities in the US-ASEAN Commercial Relationship Policy Paper.scr." Clicking on the file would launch a PDF of the document, while the malware opened a backdoor to the host computer in the background.
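The lure described above relies on an executable screensaver (.scr) file carrying a document-style name inside a ZIP archive. The following is an added example, not part of the original article: a Python check a mail or download gateway could run on an archive before delivery. The extension list, the document hints and the function names are assumptions chosen for illustration, and the sample archive is constructed inline.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows runs on double-click; .scr (screensaver) is a normal executable.
EXECUTABLE_EXTS = {".scr", ".exe", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".lnk"}
# Assumed, illustrative hints that a name is meant to read as a document.
DOCUMENT_HINTS = ("paper", "statement", "report", "draft", "invoice", ".pdf", ".doc")


def flag_zip_members(data: bytes) -> list[dict]:
    """Return one finding per archive member that would execute when opened."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Windows ignores trailing dots and spaces, so strip them first.
            name = PurePosixPath(info.filename).name.rstrip(" .")
            path = PurePosixPath(name)
            ext = path.suffix.lower()
            if ext not in EXECUTABLE_EXTS:
                continue
            try:
                with zf.open(info) as member:
                    pe_header = member.read(2) == b"MZ"
            except RuntimeError:  # encrypted member: content cannot be read
                pe_header = None
            findings.append({
                "name": name, "ext": ext,
                "looks_like_document": any(h in path.stem.lower() for h in DOCUMENT_HINTS),
                "pe_header": pe_header,
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: an inert stub carrying the file name quoted in the article."""
    lure = ("2013 US-ASEAN Business Council Statement of Priorities in the "
            "US-ASEAN Commercial Relationship Policy Paper.scr")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(lure, b"MZ" + b"\x00" * 62)   # two magic bytes plus padding, not a program
        zf.writestr("readme.txt", b"constructed benign member")
    return buf.getvalue()


if __name__ == "__main__":
    print(flag_zip_members(build_sample_zip()))
```

A finding with `looks_like_document` set and a PE header is the combination worth quarantining; an executable extension alone is already enough to hold an archive arriving from outside the organization.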

Once the door was open, the malware would reach out to a WordPress blog created by the attackers. The blog contained the IP address and port number of a command and control server that the malware would contact to download additional software.

Dropbox is a desirable launchpad for attacks because employees of many companies use the service. "People trust Dropbox," Barger said.

For companies that have the service on their whitelist, malware moving from Dropbox won't be detected by the company's intrusion prevention systems. Also, communications to a WordPress blog would likely go undetected, since visiting one would not be unusual behavior for any employee with access to the Internet.

In general, no single technology can prevent such an attack. "There's no silver bullet here," Barger said.

The best prevention is for security pros to share information when their companies are targeted, so others can draw up their own defense, he said.

In The New York Times attack, the hackers penetrated the newspaper's systems in September 2012 and worked undercover for four months before they were detected.

The attack coincided with an investigative piece the newspaper published on business dealings that reaped several billion dollars for the relatives of Wen Jiabao, China's prime minister.

Source: http://www.pcworld.com/article/2044262/hackers-use-dropbox-wordpress-to-spread-malware.html

Sunday, January 29, 2012

WordPress Plugin Unblocks Censored Sites, Including The Pirate Bay


A new WordPress plugin makes it dead easy to uncensor blocked websites. In just a few clicks people can set up their own proxy site with the popular blogging software. It is an essential tool for people whose speech is restricted by oppressive regimes, and handy for downloaders in The Netherlands, Italy, Finland and other countries where ISPs are blocking The Pirate Bay. Additionally, the plugin partially defeats the PIPA and SOPA bills in the US.

There’s been a lot of talk about censorship lately. Last week the Internet witnessed the largest protest in its history, against the Internet censorship bills PIPA and SOPA. And earlier this month ISPs in Finland and the Netherlands were ordered to censor The Pirate Bay.

Alongside the millions who protest against these increasing censorship initiatives, there’s also a group of people who come up with ways to route around it. One of these projects is the RePress plugin for WordPress.

The plugin is developed by the hosting company Greenhost and allows everyone with a WordPress blog to start a proxy for sites that are censored elsewhere in the world. As an example, Greenhost has set up a Pirate Bay and Wikileaks proxy.

“By adding this plug-in to your WordPress website it will start functioning as a proxy and uncensor any blocked website you’d like,” Greenhost explains. “The only thing you’ll need is a WordPress website and the ability to install new plug-ins. After that you can maintain a list of websites you’d like to keep open freely available on the web.”

One of the main motivations for the plugin’s developers was to provide people in the Netherlands full access to The Pirate Bay when the recent court order is enforced. However, if SOPA or PIPA pass there might also be a need for people in the US to have a tool like this.

“We hope people outside Holland use the plug-in to uncensor piratebay.org, as it is in danger of being blocked in our country after a court-ruling. In the Netherlands we could then uncensor websites for people in oppressive regimes like Iran, Syria or the US after SOPA is passed.”

“[SOPA and PIPA] are said to defend the interests of the Entertainment industry, but will mainly cause grave and undeniable damage to the Open and Free web and all of its users: from the end-consumer to the cutting edge developers and inventors. Our aim is to make this impossible,” the Greenhost team notes.

Although the plugin can’t prevent domain names from being seized, it is indeed a good solution to bypass all of the common blocking measures that are used today.

The RePress initiative is applauded by several politicians, including European Parliament member Marietje Schaake. “This is a fantastic opportunity for human rights activists and a solution for people who face technological censorship and repression,” she told Webwereld.

To those eager to start their own proxy of blocked websites, RePress can be downloaded in the WordPress repository.
