Categories
security

Inside ‘Evil Corp,’ a $100M Cybercrime Menace — Krebs on Security

An inside look into the workings of a cybercrime organization. For an organization that purportedly develops sophisticated malware to steal banking credentials, the lack of basic cyber hygiene led to much info being extracted about their dealings. The irony.

The $5 million reward is being offered for 32 year-old Maksim V. Yakubets, who the government says went by the nicknames “aqua,” and “aquamo,” among others. The feds allege Aqua led an elite cybercrime ring with at least 16 others who used advanced, custom-made strains of malware known as “JabberZeus” and “Bugat” (a.k.a. “Dridex“) to steal banking credentials from employees at hundreds of small- to mid-sized companies in the United States and Europe.

Source: Inside ‘Evil Corp,’ a $100M Cybercrime Menace — Krebs on Security

Categories
security

How Attackers Used Look-Alike Domains to Steal $1 Million From a Chinese VC

This is a simple but brilliantly executed heist. Pretend to be the sender by sending from a similar looking domain.

One of the domains was a look-alike of the Chinese investment company’s domain; the other was a spoof of the Israeli firm’s domain. In both instances, the threat actors simply added an “s” to the end of the original domain name.

The next phase of the scam involved the attackers sending two emails with the same subject header as the original email thread about the planned seed funding.

Money meant to fund an Israeli startup wound up directly deposited to the scammers.

Source: How Attackers Used Look-Alike Domains to Steal $1 Million From a Chinese VC

Categories
privacy security

1.2 billion people exposed in data leak includes personal info, LinkedIN, Facebook

Another data leak, this time involving, let’s see, 1.2 billion people. This was found by security researchers in an unsecured ElasticSearch server – the server is now down. According to analysis, the data most likely comes from data enrichment companies.

A total count of unique people across all data sets reached more than 1.2 billion people, making this one of the largest data leaks from a single source organization in history. The leaked data contained names, email addresses, phone numbers, LinkedIN and Facebook profile information.

For a very low price, data enrichment companies allow you to take a single piece of information on a person (such as a name or email address), and expand (or enrich) that user profile to include hundreds of additional new data points of information.

Source: 1.2 billion people exposed in data leak includes personal info, LinkedIN, Facebook

Categories
security

Indian nuclear power plant’s network was hacked, officials confirm

Worryingly, attacks on critical infrastructure is becoming more and more common.

After initial denial, company says report of “malware in system” is correct.

Source: Indian nuclear power plant’s network was hacked, officials confirm

Categories
security

Samy Kamkar: PoisonTap – exploiting locked computers over USB

This is brilliant and scary at the same time. I’m always impressed by what Samy can think of. This particular hack makes your computer think a plugged-in Raspberry Pi is an Ethernet device and takes over all your Internet traffic, at the same time poisoning your browser with hijacked copies of Javascripts. This works even on a machine with screen locked.

It is reminiscent of the days of CD-ROM attacks, when your computer will auto-run the contents of a CD-ROM, even when the account is locked.

Source: Samy Kamkar: PoisonTap – exploiting locked computers over USB

Categories
security

US City Rejects $5.3 Million Ransom Demand and Restores Encrypted Files from Backup (SecAlerts)

This is the right strategy against ransomware. Backup, backup and backup. At the first sign of any ransomware attack it is important to isolate affected machines immediately and contact a cybersecurity professional to mitigate and prevent further infection.

The US city of New Bedford, Massachusetts, rejected a ransom demand of $5.3 million and came back with a counter-offer of $400,000, while restoring encrypted data from backup.

Source: US City Rejects $5.3 Million Ransom Demand and Restores Encrypted Files from Backup (SecAlerts)

Categories
security

Police hijack a botnet and remotely kill 850,000 malware infections – TechCrunch

When what you can remotely exploit, you can remotely remove.

In a rare feat, French police have hijacked and neutralized a massive cryptocurrency mining botnet controlling close to a million infected computers. The notorious Retadup malware infects computers and starts mining cryptocurrency by sapping power from a computer’s processor. Although the malware was used to generate money, the malware operators easily could have run other […]

Source: Police hijack a botnet and remotely kill 850,000 malware infections – TechCrunch

Categories
security

Responding to Firefox 0-days in the wild

This is what a sophisticated cyber attack looks like. Compromise a legitimate email account and send a phishing email from there. Throw in a few 0-days and success is almost guaranteed. Almost.

On Thursday, May 30, over a dozen Coinbase employees received an email purporting to be from Gregory Harris, a Research Grants…

Source: Responding to Firefox 0-days in the wild

Categories
phishing security

Multi-hop Phishing Attack

Today I received an email from a business associate whom I often corresponded with. Even though the email looks normal – it contains his full name and the usual email signature – something looks off.

The email body is very terse and contains only a link – alarm bells start going off. The link points to a valid Google docs document.

The document contains 2 links, both pointing to the same external site.

It is seemingly a login page for your Microsoft outlook account. But the domain is not associated with Microsoft. A classic phishing attack.

It so happens that the business associate is using Outlook for his email. After entering his credentials into the phishing site, the attacker must have used his credentials to send a copy of the phishing email to everyone in his contacts. Indeed that is the case, after I have confirmed with other associates. What makes this attack so successful is that 1) the email is from someone you have corresponded with 2) the first link opens a valid Google docs and some would have let their guard down at this point of time.

The latest report from FireEye states that 91% of cyber attacks comes from emails, and email-based attacks are getting increasingly more sophisticated. Some are also taking advantage of how email addresses are being shown on mobile devices.

Email Threat Report from FireEye

As cyber threats continue to evolve, we must continue to educate users on the importance of maintaining vigilance and to be mindful of the limitations of current solutions to address the risks of phishing and other attacks.

Edit: I have submitted the phishing site to Google’s Report Phishing Page

Categories
network privacy security

Vulnerability in Linksys and Cisco routers

This is a not a good week for network equipment manufacturers.

First, it was discovered that over 25000 Linksys Smart Wifi routers are vulnerable for sensitive information disclosure flaws.

Using data provided by BinaryEdge, our scans have found 25,617 Linksys Smart Wi-Fi routers are currently leaking sensitive information to the public internet, including:

  • MAC address of every device that’s ever connected to it (full historical record, not just active devices)
  • Device name (such as “TROY-PC” or “Mat’s MacBook Pro”)
  • Operating system (such as “Windows 7” or “Android”)

In some cases additional metadata is logged such as device type, manufacturer, model number, and description – as seen in the example below.

The picture is worst for even Cisco, which embedded a default SSH keypair in all of its 9000 series devices. Basically this means that anyone (who knows the IPv6 address and keypair) can SSH into a vulnerable device and take over it completely. It is so serious that some have described it as a backdoor.