Ukrainian Police Arrest 6 Hackers Linked to DDoS and Financial Attacks

Ukrainian Police have this week busted two separate groups of hackers, one involved in carrying out DDoS attacks against news agencies and the other in stealing money from Ukrainian citizens.

According to the authorities, the four suspected hackers they arrested last week, all aged between 26 and 30, stole more than 5 million Hryvnia (around 178,380 USD) from the bank accounts of Ukrainian citizens by hacking into their computers.

The suspects carried out their attacks by scanning for vulnerable computers on the Internet and infecting them with a custom Trojan to take full remote control of the systems.

The group then apparently enabled key-logging on the infected computers to capture victims' banking credentials whenever the owners of those computers entered that information on a banking site or in their digital currency wallet.

Once they had hold of the victims' banking and financial data, the attackers logged into the victims' online banking accounts and transferred the funds or cryptocurrencies to accounts under their own control.

Besides stealing money, the suspects also left a backdoor on the victims' computers for continued control, so that they could use the machines for other illicit activities in the future.

Criminal proceedings against all the four people have been initiated under several articles of the Criminal Code of Ukraine, including theft and unauthorized interference with the work of computers, automated systems, computer networks or telecommunication networks.

Two Ukrainian DDoS Hackers Arrested

In a separate press release, Police today announced the arrest of two other hackers, aged 21 and 22, suspected of performing DDoS attacks against several critical Ukrainian resources, including news sites of the city of Mariupol and several state educational institutions.

According to the authorities, the duo developed two DDoS tools which they used to send hundreds of automated requests per second to the targeted regional information resources, eventually rendering those services unavailable.

The pair is currently facing up to six years in prison under article 361 of the Criminal Code of Ukraine, which covers unlawful interference with the work of computers, automated systems, computer networks or telecommunication networks.

IT Giant HCL Exposed Employee Passwords and Customer Project Details Online

  • Multiple subdomains operated by HCL were found to be publicly exposed.
  • The sensitive data exposed includes personal information and plaintext passwords for new hires, customer reports, and dashboards for managing personnel.

Indian IT firm HCL has come under the scanner after it left sensitive information such as employee passwords, as well as certain customer details out in the open. The alarming discovery was made by a security researcher from UpGuard.

The researcher found that sensitive information did not have any authentication measures and was publicly available. Upon being informed by the researcher, the technology service provider took down the exposed data.

What happened?

Multiple subdomains of HCL were found spilling sensitive information. Initially, a single file containing customer keywords was found to be openly available for download from an HCL-owned domain. Subsequent searches on this domain led to the discovery of other publicly accessible pages with personal and business data.

What information was exposed?

One of the exposed subdomains contained a webpage with a dashboard for HR-related tasks. This dashboard contained records of 364 new employees. It included “candidate ID, name, mobile number, joining date, joining location, recruiter SAP code, recruiter name, created date, user name, cleartext password, BGV status, offer accepted, and a link to the candidate form.” Another page exposed names and SAP codes of more than 2,800 employees.

HCL’s “SmartManage” reporting system was also exposing confidential reports through its interface. This included ‘Internal Analysis Reports’, ‘Weekly Customer Reports’ and ‘Installation Reports’ that were related to HCL’s clients.

Another page displayed the names, email addresses, and mobile phone numbers for fifteen cab hubs and seven bus hubs. In addition, a system known as “Smart Recruit” showed details of approvers in the hiring process.

Response from HCL

UpGuard observed that HCL remediated the data exposure quickly when it informed the firm. “HCL has a Data Protection Officer, which not all companies do. The existence of that role is clearly advertised, and an email address for contacting them easy to find. Though HCL never responded to UpGuard, they took action immediately on notification,

W97M/Downloader hosted on multiple CMS like Magento, WordPress, and Joomla

  • This malware campaign has primarily targeted the United States, Germany, India, and the United Kingdom.
  • W97M steals banking login credentials and sends them to .ru websites.

Researchers observed that some instances of the W97M/Downloader malware are now being served in compromised websites by a custom PHP dropper.

The big picture

  • The compromised websites include malicious W97M documents which contain VB scripts.
  • The websites trick victims into downloading the document (INVOICE-959502-12723.doc), upon which the VB script downloads and executes a specific malware from its C&C server.

“W97M/Downloader is a specially-crafted Microsoft Word document that, when opened, silently executes a malicious macro that connects to multiple remote servers to download and display additional components,” researchers described.

This malware campaign has primarily targeted the United States, Germany, India, and the United Kingdom.

Key highlights

  • The downloader malware is hosted on multiple CMS platforms such as Magento, WordPress, and Joomla. However, the malicious code is not CMS-specific.
  • W97M is usually distributed via malspam campaigns and infects Chrome or Firefox to inject malicious code into browsers.
  • This malware also steals banking login credentials and sends them to .ru websites.
  • W97M has also been serving as a bridge to ransomware such as TeslaCrypt as well as Banking Trojans such as Dridex and Vawtrak, which are part of Zeus malware family.

How to stay protected?

  • Security experts recommend that users not enable the macro functionality within Microsoft Office.
  • Researchers also urge users to avoid opening emails and attachments sent by unknown parties.

Cybercriminals break into production systems of Stack Overflow

  • Stack Overflow mentioned that the attackers gained access to production systems on May 11.
  • However, it says that no customer or user data was breached due to the incident.

Stack Overflow, a popular online forum for programmers and computer professionals, was breached by attackers. Production systems belonging to Stack Overflow were the prime target in this incident.

Mary Ferguson, Vice President of Engineering, confirmed that these systems were accessed last week. “Over the weekend, there was an attack on Stack Overflow. We have confirmed that some level of production access was gained on May 11,” she said in an update.

Stack Overflow started in 2008 and is one of the most preferred sites used by programmers of all levels. It currently has a user base of around 10 million users.

User data said to be unaffected

Ferguson also suggested that the attacker intrusion did not compromise any user data. “We discovered and investigated the extent of the access and are addressing all known vulnerabilities. We have not identified any breach of customer or user data.”

More information is to be brought forth by Stack Overflow on this incident, as the investigation is still underway. It is not known how the attackers gained access to the production systems.

This is the second major security incident observed on online forums. Last year, another popular Q&A forum Quora was breached by attackers which affected over 100 million users.

Cisco patches serious security flaws found in Prime Infrastructure

  • The flaws affect the web-based management interface of Cisco Prime Infrastructure and Cisco Evolved Programmable Network Manager.
  • While two of the flaws require an attacker to have credentials, the third could be exploited by an unauthenticated attacker with network access.

Cisco has released security updates to patch critical vulnerabilities discovered in its Prime Infrastructure (PI) platform. The flaws are the result of improper input validation in the web-based management interface of PI and of the Cisco Evolved Programmable Network (EPN) Manager. They could allow remote attackers to execute arbitrary code with elevated privileges.

What are the vulnerabilities?

The three flaws identified were given a CVSS score of 9.8. Among the three, CVE-2019-1821 could be exploited by unauthenticated attackers with network access to the vulnerable interface.

However, CVE-2019-1822 and CVE-2019-1823 require the attacker to have valid credentials for the interface in order to exploit them.

Worth noting

Cisco’s security advisory indicates that the vulnerabilities arose because PI did not properly validate user-supplied input.

“These vulnerabilities exist because the software improperly validates user-supplied input. An attacker could exploit these vulnerabilities by uploading a malicious file to the administrative web interface. A successful exploit could allow the attacker to execute code with root-level privileges on the underlying operating system,” read the advisory.

The firm has resolved the vulnerabilities with software updates. Users are advised to install the updates immediately.

Apart from these updates, Cisco has also recently released over 40 advisories that address numerous security flaws in some of its products, including Cisco NX-OS, Cisco FXOS, Cisco Webex and Cisco Firepower, amongst others.

Microsoft SharePoint vulnerability spotted in the wild

The Saudi and Canadian Cyber Security Centres have issued reports on a vulnerability in Microsoft’s SharePoint that is being exploited in the wild.

The vulnerability, CVE-2019-0604, has been patched by Microsoft, but if exploited can give an attacker the ability to execute commands and download and upload files, reported AT&T Alien Labs. The malware involved is a backdoor that is likely an earlier version of the second-stage malware deployed in the intrusions reported by Saudi Arabia.

The Alien Labs team also has seen evidence the malware is being used by Fin7.

“It’s likely multiple attackers are now using the exploit. One user on Twitter has reported that they have seen exploitation from the IP address 194.36.189[.]177 – which we have also seen acting as a command and control server for malware linked to FIN7,” the report said.

Cybersecurity Workforce Executive Order to Help with Workforce Shortage

President Trump signed an Executive Order directing the federal government to take critical steps to strengthen America’s cybersecurity workforce.

The Executive Order enhances mobility of frontline cybersecurity practitioners, supports the development of their skills to encourage excellence in the field and helps ensure the US keeps its competitive edge in cybersecurity. The United States currently has a shortage of 300,000 cybersecurity practitioners.

“America’s cybersecurity practitioners—whether working in the private sector or serving in the federal, state, local, tribal, or territorial governments—constitute a core element in our country’s frontline defense and we must urgently bolster them in the face of a myriad of cybersecurity threats,” said Acting Secretary Kevin K. McAleenan.

Under the Cybersecurity Workforce Executive Order, the Department of Homeland Security will work with partners from around the federal government on several initiatives to strengthen the workforce. DHS will create the Federal Cybersecurity Rotational Program, in which Information Technology (IT) and cybersecurity practitioners in the federal government can serve temporary assignments in DHS, share knowledge and cybersecurity best practices and undergo training.

Fake site pretending to be KeePass Password Manager found distributing adware

  • The fake site is part of a large network of sites that are involved in the distribution of adware bundles as free programs.
  • The site is named keepass[.]com and contains four download links, for Windows, Windows Portable, Mac and Linux.

A fake site that appears to promote the popular KeePass password management software has been found distributing adware to unsuspecting visitors. The fake site is part of a large network of sites that are involved in the distribution of adware bundles as free programs.

What’s the matter?

Berk Cem Göksel, an independent security researcher, has discovered that a site named keepass[.]com is posing as the official site of the KeePass Password Manager in order to distribute malware. The malware is propagated in the form of .dmg and .exe files which are available on the site.

How does the fake site look?

According to BleepingComputer, keepass[.]com contains four download links for KeePass: Windows, Windows Portable, Mac and Linux.

While the first three links contain similar URLs and download adware bundles, the fourth link for Linux takes the visitors to the legitimate keepass[.]info site.

The three malicious links point to cdndownloadapr[.]com and serve adware bundles whose file names are dynamically generated from the values in the URL.

What do the adware bundles carry?

The distributed adware bundles come with a digital signature from a company named ‘In Profit Limited’. The signing certificates used are changed quite often.

Once users click ‘Next’ in these installers, they are presented with a series of offers that include search offers, browser extensions, anti-malware PUPs, and other unwanted software.

The adware bundle is also capable of harvesting a considerable amount of information from infected systems, including the hardware type, location and more.

How to stay safe?

It is always advisable to download and install software from trusted and official sites. In case you are prompted to install software other than the intended program, then immediately shut down the program and do not let it continue.

Unprotected MongoDB database leaks over 80 million records belonging to SMS marketing firm ApexSMS

  • The leaky database also kept track of users who clicked on messages sent through Grand Slam Marketing, another small advertising company.
  • The data exposed in the incident includes MD5-hashed emails, IP addresses, Phone numbers, and ZIP codes.

ApexSMS Inc., an SMS text marketing company that also does business under the name of Mobile Drip, has suffered a data breach due to an unprotected MongoDB database. The unguarded database has exposed a total of 80,055,125 records belonging to the firm.

What data was involved?

According to the security researcher Bob Diachenko, the database contained a massive amount of data related to an SMS operation center with “one of the most prominent folder called ‘leads’”.

The exposed records include:

  • MD5 hashed email
  • First/last name
  • City/state/country/zip
  • IP address
  • Phone number
  • Carrier network for mobile
  • Line type (mobile or landline)

What are the other interesting facts?

Upon further investigation, Diachenko found that ApexSMS Inc. undertakes so-called SMS Bombing campaigns. SMS bomber is a software program that duplicates the same message multiple times or creates unique messages before sending them to specific phone numbers.

SMS Bombing is usually used for pranks, harassment or marketing campaigns. It is highly advertised on hacker or black hat forums. ApexSMS spammed millions of cell phone numbers with a variety of messages while pushing their victims to dozens of different scam sites.

TechCrunch reported that around 2.1 million users had fallen victim to these scam sites, links to which were sent by SMS from toll-free phone numbers.

Which scam sites are involved?

The leaky database also kept track of users who clicked on messages sent through Grand Slam Marketing, another small advertising company. The company’s name came to light through a scam site named ‘premium partner’.

Another scam site, copytm.com, contained hidden code that stole users’ names, email addresses, phone numbers, and IP addresses. The stolen data was submitted to the ApexSMS spam database.

Apart from storing data from the scam sites, the database also kept a record of SMS replies from users.

What actions have been taken?

TechCrunch has reported the issue to Mobile Drip which later responded by saying that it has engaged an outside legal firm to investigate the matter.

“We take compliance and data security very seriously, and we are currently investigating to determine to what extent our information has been exposed to unauthorized parties. We have currently engaged an outside legal firm to assist with our investigation of this matter and we are also engaging a cybersecurity firm to perform a security audit,” said the company.

Although it is unclear how long the database was left open on the internet, Diachenko has revealed that the misconfigured database was quietly secured days after the initial report.

Augustana College hit with ransomware attack

  • Augustana College confirmed that the ransomware infected server contained personal information of students.
  • The college is providing 24 months of complimentary credit monitoring and identity restoration services for all potentially affected individuals.

Attackers infected one of Augustana College’s servers, which contained personal information of students, with ransomware.

What happened?

On February 18, 2019, Augustana discovered a ransomware attack on one of its servers. Upon discovery, the college immediately conducted a comprehensive internal investigation and confirmed the incident on March 18, 2019.

What information was involved?

After a thorough investigation, on April 01, 2019, the college confirmed that the ransomware infected server contained personal information of students. However, the college confirmed that there has been no evidence of any information misuse.

What was the immediate action taken?

  • Augustana has hired external forensic investigators to investigate the incident.
  • The college has taken the infected server offline and has moved the stored information to other servers.
  • It has hired third-party vendors to strengthen its security system and avoid such incidents from happening in the future.
  • The educational institution is also planning to provide training to users on how to identify malicious files.
  • It is further providing 24 months of complimentary credit monitoring and identity restoration services for all potentially affected individuals.

“Augustana College (‘Augustana’), recently discovered an incident that may affect the security of your personal information. We want to provide you with information about the incident, steps we are taking in response, and steps you can take to better protect against the possibility of identity theft and fraud, should you feel it is appropriate,” the security notice read.
