Ukrainian Police Arrest 6 Hackers Linked to DDoS and Financial Attacks

Ukrainian Police have this week busted two separate groups of hackers, one that carried out DDoS attacks against news agencies and another that stole money from Ukrainian citizens.

According to the authorities, the four suspected hackers they arrested last week, all aged from 26 to 30 years, stole more than 5 million Hryvnia (around 178,380 USD) from the bank accounts of Ukrainian citizens by hacking into their computers.

The suspects carried out their attacks by scanning the Internet for vulnerable computers and infecting them with custom Trojan malware that gave them full remote control of the systems.

The group then apparently enabled key-logging on the infected computers to capture the victims' banking credentials whenever the owners of those computers entered that information on a banking site or in their digital currency wallet.

Once they had hold of the victims' banking and financial data, the attackers logged into the victims' online banking accounts and transferred the funds or cryptocurrencies to accounts under their own control.

Besides stealing money, the suspects also left a backdoor on the victims' computers so that they could keep control of the machines and use them for other illicit activities in the future.

Criminal proceedings against all four have been initiated under several articles of the Criminal Code of Ukraine, including theft and unauthorized interference with the work of computers, automated systems, computer networks or telecommunication networks.

Two Ukrainian DDoS Hackers Arrested

In a separate press release, Police today announced the arrest of two other hackers, aged 21 and 22, suspected of performing DDoS attacks against several critical Ukrainian resources, including news sites of the city of Mariupol and several state educational institutions.

According to the authorities, the duo developed two DDoS tools which they used to send hundreds of automated requests per second to their targeted regional information resources, eventually making those services unavailable.

The pair is currently facing up to six years in prison under article 361 of the Criminal Code of Ukraine, which includes unlawful interference with the work of computers, automated systems, computer networks or telecommunication networks.

A hotspot finder app exposed 2 million Wi-Fi network passwords

A popular hotspot finder app for Android exposed the Wi-Fi network passwords for more than two million networks.

The app, downloaded by thousands of users, allows anyone to search for Wi-Fi networks in their nearby area, and lets users upload Wi-Fi network passwords from their devices to its database for others to use.

That database of more than two million network passwords, however, was left exposed and unprotected, allowing anyone to access and download the contents in bulk.

Sanyam Jain, a security researcher and a member of the GDI Foundation, found the database and reported the findings to TechCrunch.

We spent more than two weeks trying to contact the developer, believed to be based in China, to no avail. Eventually we contacted the host, DigitalOcean, which took down the database within a day of reaching out.

“We notified the user and have taken the [server] hosting the exposed database offline,” a spokesperson told TechCrunch.

Each record contained the Wi-Fi network name, its precise geolocation, its basic service set identifier (BSSID) and network password stored in plaintext.

Although the app developer claims the app only provides passwords for public hotspots, a review of the data showed countless home Wi-Fi networks. The exposed data didn’t include contact information for any of the Wi-Fi network owners, but the geolocation of each Wi-Fi network correlated on a map often included networks in wholly residential areas or where no discernible businesses exist.

The app doesn’t require users to obtain permission from the network owner, exposing Wi-Fi networks to unauthorized access. With access to a network, an attacker may be able to modify router settings to point unsuspecting users to malicious websites by changing the DNS server, a vital system used to convert web addresses into the IP addresses used to locate web servers on the internet. Once on a network, an attacker can also read the unencrypted traffic that goes across the wireless network, allowing them to steal passwords and secrets.

Chafer threat actor group: A deep understanding of the Iran-linked threat group’s high-profile targets

  • Chafer has compromised several airlines and telecommunications companies in Middle East countries such as Saudi Arabia and Afghanistan.
  • Chafer has used leaked NSA hacking tools including EternalBlue that are freely available on the public internet.

The Chafer hacking group, also known as APT39, is an advanced persistent threat group that has been active since July 2014. Chafer has been observed compromising web servers via SQL injection attacks in order to drop Backdoor.Remexi onto victims’ computers. Chafer primarily targets victims in Iran, followed by Middle East countries and the United States.

Chafer linked to OilRig group

Experts noted that Chafer is linked to a group called OilRig, which has shared its C&C server and infection vectors with Chafer. Chafer has also used leaked NSA hacking tools, including EternalBlue, that are freely available on the public internet.

Chafer targeted telecoms in the Middle East

In 2015, Chafer compromised several airlines and telecommunications companies in Middle East countries such as Saudi Arabia and Afghanistan, while one compromised organization was located in the US.

Backdoors used by Chafer

In 2019, Chafer targeted Windows machines located in Iran with the Remexi malware, which is capable of stealing user credentials, recording keystrokes and browser history, and taking screenshots on targeted machines. Researchers noted that the Chafer threat group uses the Remexi backdoor to steal usernames and passwords in order to propagate further across the network.

  • Chafer used the MechaFlounder backdoor to target a Turkish government firm in November 2018.
  • Apart from Remexi and MechaFlounder, Chafer has also been spotted using other backdoors such as SEAWEED, CACHEMONEY, and a specific variant of the POWBAT backdoor.

Furthermore, the Chafer threat group has exploited vulnerable web servers of targeted organizations in order to install web shells such as ANTAK and ASPXSPY, and has used stolen credentials to compromise externally facing Outlook Web Access (OWA) resources.

Security researcher MalwareTech pleads guilty, faces 10 years in prison

  • Marcus Hutchins, who goes by the pseudonym MalwareTech, is a popular name in the security community.
  • Hutchins was first arrested on August 2, 2017, while returning to the UK after attending the Black Hat and DEFCON conferences.

Security researcher Marcus Hutchins aka “MalwareTech” filed a plea deal on Friday, pleading guilty to creating and distributing malware before his career as a malware researcher.

In 2017, Hutchins became an icon of the security community after playing a critical role in helping stop the WannaCry ransomware outbreak.

In a public statement on his website, Hutchins wrote, “As you may be aware, I’ve pleaded guilty to two charges related to writing malware in the years prior to my career in security. I regret these actions and accept full responsibility for my mistakes. Having grown up, I’ve since been using the same skills that I misused several years ago for constructive purposes. I will continue to devote my time to keeping people safe from malware attacks.”

What does this mean?

Hutchins faced a total of 10 charges in the indictment brought against him by US government prosecutors. Under the plea deal, Hutchins has pleaded guilty to two counts, while the prosecution is dropping the other eight.

The two charges are for entering a conspiracy to create and distribute malware, and for aiding and abetting its distribution.

Under each of the two charges, he could be sentenced to up to five years in prison, $250,000 in fines, and up to one year of supervised release. Thus, Hutchins could potentially be facing a ten-year prison term.

The prosecutors had charged Hutchins with developing two banking trojans, the Kronos and UPAS-Kit malware strains, and with working with a co-conspirator to advertise and sell the two strains online. Before he became a noted security researcher, Hutchins is believed to have worked on the two strains between July 2012 and September 2015.

Messy case

Due to the controversial situation surrounding his arrest, the case against Hutchins has garnered a lot of attention from the wider community. Hutchins claimed he was interrogated by the authorities while being intoxicated and sleep-deprived. His attorneys also added that the illicit actions in question were committed by Hutchins as a minor and outside the statute of limitations.

Later, the prosecution added charges for creating the UPAS-Kit trojan along with earlier charges for Kronos malware. Additionally, he was charged for lying to the FBI during interrogation.

Presently, Hutchins’ case is slated for a jury trial in Madison, Wisconsin, with no trial date announced yet.

What does the security community think?

After his arrest in 2017, Hutchins was released on bail and lived in Los Angeles while fighting the charges against him. Due to the ongoing investigation, he was barred from working with his US-based employer, Kryptos Logic.

Meanwhile, Hutchins gained popularity as MalwareTech by writing several malware analysis articles and posting tutorial videos on YouTube, which earned him a reputation as one of the leading security researchers. On Twitter, the infosec community had mixed reactions, with some researchers expressing sadness over the news of his plea deal. Others expressed shock over his admission of creating the two banking trojans.

Microsoft Issues Security Alert Over Cyber Attack: Reports

In an email notification to some affected users on Saturday, Microsoft said it became aware of an issue involving unauthorised access to some customers’ web-based email accounts by cybercriminals.

Microsoft has alerted some of its webmail users of possible hacker attacks that could access their email accounts illegally, media reports said.

“We have identified that a Microsoft support agent’s credentials were compromised, enabling individuals outside Microsoft to access information within your Microsoft email account,” Xinhua quoted Microsoft as saying in the email; the access took place between Jan. 1 and March 28. The unauthorised access could have allowed outside parties to view information in affected Microsoft email accounts, such as the email address, folder names, and the subject lines of emails, it said.

However, the software giant said the content of documents attached to emails would not have been read or viewed, and it did not specify how many users of its Outlook.com mail service were affected. “Microsoft regrets any inconvenience caused by this issue,” said the company, recommending that affected users reset their login passwords.

The company assured its users that it immediately disabled the compromised credentials to prevent their use for any further unauthorised access. Microsoft has also offered contact information for its data protection officer to help possible victims better protect their email accounts.

Facebook Developers Exposed Data Of Millions On Amazon Cloud: Report

The third-party Facebook app developers exposed data in the public domain in two large datasets that contained 540 million users’ records.

SAN FRANCISCO: In yet another shocking revelation, US-based cyber security firm UpGuard has found that Facebook app developers left millions of user records, including comments, likes and reactions, exposed on Amazon Cloud servers.

“One, originating from the Mexico-based media company Cultura Colectiva, weighs in at 146 gigabytes and contains over 540 million records detailing comments, likes, reactions, account names, FB IDs and more,” said UpGuard in a blog post on Wednesday.

“A separate backup from a Facebook-integrated app titled ‘At the Pool’ was also found exposed to the public internet via an Amazon S3 bucket,” said the researchers.

The “At the Pool” discovery is not as large as the Cultura Colectiva dataset, but it contains plaintext (unprotected) passwords for 22,000 users.

“As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third-party access.

“But as these exposures show, the data genie cannot be put back in the bottle. Data about Facebook users has been spread far beyond the bounds of what Facebook can control today,” said UpGuard.

Combine that plenitude of personal data with storage technologies that are often misconfigured for public access and the result is a long tail of data about Facebook users that continues to leak.

A Facebook spokesperson told The Verge that the company’s policies prohibit storing Facebook information in a public database.

“Once alerted to the issue, we worked with Amazon to take down the databases. We are committed to working with the developers on our platform to protect people’s data,” the spokesperson added.

The political consultancy firm Cambridge Analytica also harvested data of 87 million users via a quiz app, leaving Facebook under heavy criticism over how it shares user data with third parties.

“In each case, the Facebook platform facilitated the collection of data about individuals and its transfer to third parties, who became responsible for its security,” said UpGuard.

Unprotected MongoDB database exposes 6.7 million records belonging to Iranian ride-hailing firm

  • The leaky database that exposed records on the internet contained two sets of invoice collections.
  • The information leaked in the incident included drivers’ first and last names, Iranian ID numbers, phone numbers, and invoice dates.

An Iran-based ride-hailing firm has exposed over 6.7 million records due to an unprotected MongoDB database. The leaky database, named ‘doroshke-invoice-production’, was discovered using the BinaryEdge search engine.

What did the leaky database contain – The database contained two sets of invoice collections, the first dating back to 2017 and the second from 2018. The first set, named ‘invoice95’, included 740,952 records, and the second set, named ‘invoice96’, contained 6,031,317 records.

The information leaked in the incident included drivers’ first and last names, Iranian ID numbers, phone numbers, and invoice dates.

Security researcher Bob Diachenko notes that the number of Iranian drivers actually impacted by the exposure may be lower, as the database contains many duplicate sets of data.

“Please note that the total number of records might not be representative of the total number of affected people, since there could be duplicates (I am still analyzing the samples), but from what I’ve seen, each record was unique. I have recorded duplicates in the dataset, so the estimated number of unique entries is about 1-2 Million,” Diachenko explained.

What actions have been taken – The researcher has informed the Iranian CERT about the incident. In addition, Diachenko has also contacted researchers in Iran to determine who should be alerted of the situation.

“We were able to get in touch with a couple of drivers with an attempt to identify the owner of the database. At the same time, my colleagues have reached out to the biggest ride-hailing companies in Iran to confirm data origin,” Diachenko wrote in a blog post.

Soon after the discovery, the researcher also contacted ride-hailing firms in Iran. The database has since been secured and is no longer accessible on the internet.

Drupal releases correct four moderately critical third-party vulnerabilities

Drupal this week issued a series of security releases to fix four “moderately critical” vulnerabilities, three related to the content management system’s Symfony PHP web application framework and a fourth involving the jQuery project JavaScript library.

The three Symfony issues consist of:

  • A cross-site scripting bug caused by validation messages in the PHP templating engine not being escaped (CVE-2019-10909)
  • A remote code execution vulnerability due to service IDs derived from unfiltered user input
  • A flaw potentially allowing attackers to modify the “remember me” cookie and authenticate as a different user.

These three problems, reported by PHP researcher Michael Cullum, were patched in Symfony itself, and repairs are also found in the newly released Drupal versions 8.6.15 and 8.5.15.

The same two new Drupal versions, plus Drupal 7.66, also fix a cross-site scripting vulnerability that researchers “dtv_rb” and “Jess” found in the jQuery project prior to its newest release, version 3.4.0.

Ransomware ravages municipalities nationwide this week

Municipalities took a beating this week, with at least four reporting being shut down by new ransomware attacks or struggling to recover from an older incident.

Augusta, Maine; Imperial County, Calif.; Stuart, Fla.; and Greenville, N.C. were all in different stages of recovering from ransomware attacks over the last seven days.

Augusta City Center operations were shuttered after being hit with malware on April 18, according to the Sun-Journal. The city’s IT department did not say ransomware was to blame, but the description of what took place has all the hallmarks of a ransomware attack. The city said the malware gained entry into its network in an unknown fashion and then methodically locked up endpoints and servers. The attack has affected the police dispatch system, the municipal financial systems, billing, automobile excise tax records, assessor’s records and general assistance.

No information is believed to have been removed.

Imperial County and Stuart were hit earlier in the week with Ryuk ransomware, with each receiving a ransom demand, according to local news reports. Imperial’s network has been offline for five days since the attack and Stuart since April 13. The Los Angeles Times reported the county received a ransom note from the attackers, but was unable to obtain additional information from county officials. County workers are using their personal email accounts along with Facebook to communicate to residents.

Stuart is reportedly also working to restore its systems. Police communications were not affected and the city manager said payment card information is not stored, so it is not at risk. Stuart City Manager David Dyess told TCPalm an IT worker found the Trickbot dropper in the network while installing a new server. Trickbot is a dropper normally used to install malware targeting financial institutions, but lately it has been used for other types of attacks, including ransomware, according to the Multi-State Information Sharing and Analysis Center (MS-ISAC). In this case, it dropped Ryuk.

Greenville, N.C. is still dealing with the aftereffects of an April 10 ransomware attack. Reflector.com said the city is now relying on paper forms while its IT department rebuilds. The city hopes to first have emergency services back online followed by financial services.

DLL Cryptomix Ransomware Variant Installed Via Remote Desktop

The CryptoMix ransomware is still alive and kicking as a new variant has been spotted being spread in the wild. This new version appends the .DLL extension to encrypted files and is said to be installed through hacked remote desktop services.

This variant was first reported in a topic in our forums where a victim stated that they were infected by the attackers hacking into their publicly exposed remote desktop services. According to the victim, the ransomware had also enabled the default administrator account and changed its password.

As ransomware continues to move away from malspam distribution and towards manual installation by hacked services or more targeted approaches, it is important to close off all publicly accessible services that can be used to gain access to Windows.

Unfortunately, the CryptoMix Ransomware is still not decryptable for free. For those who wish to discuss this ransomware and receive support, you can use our dedicated Cryptomix Help & Support Topic.

The DLL Cryptomix Ransomware Variant

In this variant, the ransom note continues to be named _HELP_INSTRUCTIONS_.TXT, but now lists the dllteam@protonmail.com, dllteam1@protonmail.com, dllpc@mail.com, dllpc@tuta.io, laremohan@tuta.io, claremohan@yandex.com, and mohanclare@yandex.com email addresses for a victim to contact for payment information.

Figure: DLL CryptoMix ransom note

With this version, when a file is encrypted by the ransomware it will modify the filename and then append the .DLL extension to the encrypted file’s name. For example, a test file encrypted by this variant has the encrypted file name 2DC998403F8EAAA90140B64040318E5D.DLL.

Figure: folder of encrypted .DLL files

Unfortunately, at this time the ransomware cannot be decrypted for free. As this is just a cursory analysis of this new variant, if anything else is discovered, we will be sure to update this article.
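The indicators above (the ransom note name, the 32-hex-character .DLL file names and the contact addresses) are enough for a simple read-only host sweep. The following is an added example, not code from the original article; its alert threshold, helper names and the sample directory it builds are assumptions of this example.

```python
"""Read-only scan for the file-system indicators of the DLL CryptoMix variant.

Indicators taken from the article:
  - encrypted files renamed to 32 hex characters plus .DLL
    (e.g. 2DC998403F8EAAA90140B64040318E5D.DLL)
  - a ransom note named _HELP_INSTRUCTIONS_.TXT
  - the contact addresses listed in that note
The alert threshold and the sample tree are this example's own assumptions.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

RANSOM_NOTE = "_HELP_INSTRUCTIONS_.TXT"
# 32 hex characters + .DLL; IGNORECASE because Windows file names are case-insensitive
ENCRYPTED_NAME = re.compile(r"^[0-9A-F]{32}\.DLL$", re.IGNORECASE)
CONTACT_EMAILS = (
    "dllteam@protonmail.com", "dllteam1@protonmail.com", "dllpc@mail.com",
    "dllpc@tuta.io", "laremohan@tuta.io", "claremohan@yandex.com",
    "mohanclare@yandex.com",
)


@dataclass
class ScanResult:
    encrypted_files: list = field(default_factory=list)
    ransom_notes: list = field(default_factory=list)
    note_emails: set = field(default_factory=set)

    @property
    def suspicious(self) -> bool:
        # Assumption: a ransom note, or two or more renamed files, is enough to alert.
        # A single 32-hex .DLL name on its own can be a legitimate GUID-style cache file.
        return bool(self.ransom_notes) or len(self.encrypted_files) >= 2


def scan_tree(root: str) -> ScanResult:
    """Walk `root` and collect indicators without modifying anything on disk."""
    result = ScanResult()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if ENCRYPTED_NAME.match(name):
                result.encrypted_files.append(path)
            elif name.upper() == RANSOM_NOTE:
                result.ransom_notes.append(path)
                try:
                    with open(path, "r", errors="ignore") as fh:
                        text = fh.read().lower()
                except OSError:
                    continue
                result.note_emails.update(e for e in CONTACT_EMAILS if e in text)
    return result


def build_sample_tree():
    """Constructed sample data: an 'infected' folder plus a clean one. Returns (root, clean_dir)."""
    root = tempfile.mkdtemp(prefix="cryptomix_demo_")
    hit = os.path.join(root, "Documents")
    os.makedirs(hit)
    for name in ("2DC998403F8EAAA90140B64040318E5D.DLL", "0123456789ABCDEF0123456789ABCDEF.dll"):
        with open(os.path.join(hit, name), "wb") as fh:
            fh.write(b"\x00" * 16)  # placeholder ciphertext, constructed
    with open(os.path.join(hit, RANSOM_NOTE), "w") as fh:
        fh.write("Your files are encrypted. Contact dllteam@protonmail.com\n")  # constructed note text
    clean = os.path.join(root, "System32")
    os.makedirs(clean)
    with open(os.path.join(clean, "kernel32.dll"), "wb") as fh:
        fh.write(b"MZ")  # ordinary DLL name: not 32 hex characters, so it does not match
    return root, clean


if __name__ == "__main__":
    demo_root, _ = build_sample_tree()
    report = scan_tree(demo_root)
    print("suspicious:", report.suspicious)
    print("encrypted files:", len(report.encrypted_files))
    print("ransom notes:", report.ransom_notes)
    print("contact addresses seen:", sorted(report.note_emails))
```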

How to protect yourself from Ransomware

In order to protect yourself from ransomware it is important that you use good computing habits and security software. The most important step is to always have a reliable and tested backup of your data that can be restored in the case of an emergency, such as a ransomware attack.

You should also make sure that you do not have any computers running remote desktop services connected directly to the Internet. Instead place computers running remote desktop behind VPNs so that they are only accessible to those who have VPN accounts on your network.

A good security software solution that incorporates behavioral detection to combat ransomware, rather than relying only on signature detection or heuristics, is important as well. For example, Emsisoft Anti-Malware and Malwarebytes Anti-Malware both contain behavioral detection that can prevent many, if not most, ransomware infections from encrypting a computer.

Last, but not least, make sure you practice the following security habits, which in many cases are the most important steps of all:

  • Backup, Backup, Backup!
  • Do not open attachments if you do not know who sent them.
  • Do not open attachments until you confirm that the person actually sent them to you.
  • Scan attachments with tools like VirusTotal.
  • Do not connect Remote Desktop Services directly to the Internet. Instead, make sure they can only be accessed by logging into a VPN first.
  • Make sure all Windows updates are installed as soon as they come out! Also make sure you update all programs, especially Java, Flash, and Adobe Reader. Older programs contain security vulnerabilities that are commonly exploited by malware distributors. Therefore it is important to keep them updated.
  • Make sure you have some sort of security software installed that uses behavioral detection or whitelisting technology. Whitelisting can be a pain to train, but if you’re willing to stick with it, it could have the biggest payoff.
  • Use strong passwords and never reuse the same password at multiple sites.
  • BACKUP!

Cisco Patches Critical Flaw In ASR 9000 Routers

The flaw could enable an unauthenticated, remote attacker to access the devices, Cisco said.

Cisco has rushed out patches for a critical vulnerability in its ASR 9000 routers that could give remote, unauthenticated attackers access to the devices – as well as the power to launch denial-of-service (DoS) attacks against them.

The flaw is specifically in Cisco Aggregation Services Routers (ASR) 9000 Series, Cisco’s popular carrier Ethernet router intended for service applications. The vulnerability could allow an unauthenticated, remote attacker to access internal applications on the sysadmin virtual machine for the router, according to a Wednesday advisory.

“An attacker could exploit this vulnerability by connecting to one of the listening internal applications,” the advisory stated. “A successful exploit could result in unstable conditions, including both a denial of service and remote unauthenticated access to the device.”

The vulnerability (CVE-2019-1710) has a CVSS score of 9.8, making it critical in severity.

Specifically, in Cisco ASR 9000 routers the internal sysadmin applications are incorrectly isolated on the secondary management interface. ASR 9000 routers running Cisco IOS XR 64-bit software that have the secondary management interface are affected.

That means an attacker could exploit this vulnerability by connecting to one of the listening internal applications. A successful exploit could result in unstable conditions, including both DoS and remote unauthenticated access to the device.

Cisco said that the vulnerability was discovered during internal security testing, and that it is not aware of any exploits.

Cisco has urged users to upgrade their Cisco IOS XR 64-bit software as soon as possible: “This vulnerability has been fixed in Cisco IOS XR 64-bit Software Release 6.5.3 and 7.0.1, which will edit the calvados_boostrap.cfg file and reload the device,” it said.

Cisco on Wednesday also revealed that exploit code for a previously-disclosed critical remote code execution vulnerability was now available. The critical flaw (CVE-2017-3881) was previously disclosed in March 2017 and exists in the Cisco Cluster Management Protocol used in Cisco IOS and IOS XE software.

“A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges,” according to Cisco.

Cisco has released patches for the flaw – but the exploit code was made available by a security researcher on April 10, according to Cisco.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of exploitation of the vulnerability that is described in this advisory,” according to Cisco.

Earlier in April, Cisco re-patched flaws for two high-severity bugs affecting its RV320 and RV325 routers after a botched first attempt at fixing them. The company also reported two new medium-severity router bugs impacting the same router models – and with no reported fixes or workarounds.