Ukrainian Police Arrest 6 Hackers Linked to DDoS and Financial Attacks

Ukrainian Police have this week busted two separate groups of hackers, one involved in carrying out DDoS attacks against news agencies and the other in stealing money from Ukrainian citizens.

According to the authorities, the four suspected hackers arrested last week, all aged between 26 and 30, stole more than 5 million Hryvnia (around 178,380 USD) from the bank accounts of Ukrainian citizens by hacking into their computers.

The suspects carried out their attacks by scanning the Internet for vulnerable computers and infecting them with a custom Trojan to take full remote control of the systems.

The group then apparently enabled key-logging on the infected computers to capture victims’ banking credentials whenever the owners entered that information on a banking site or in their digital currency wallet.

Once they had hold of the victims’ banking and financial data, the attackers logged into the online banking accounts and transferred the funds or cryptocurrencies to accounts under their own control.

Besides stealing money, the suspects also left the backdoor on the victims’ computers so that they could use the machines later for other illicit activities.

Criminal proceedings against all the four people have been initiated under several articles of the Criminal Code of Ukraine, including theft and unauthorized interference with the work of computers, automated systems, computer networks or telecommunication networks.

Two Ukrainian DDoS Hackers Arrested

In a separate press release, Police today announced the arrest of two other hackers, aged 21 and 22, suspected of performing DDoS attacks against several critical Ukrainian resources, including news sites of the city of Mariupol and several state educational institutions.

According to the authorities, the duo developed two DDoS tools which they used to send hundreds of automated requests per second to the targeted regional information resources, eventually making their services unavailable.

The pair is currently facing up to six years in prison under article 361 of the Criminal Code of Ukraine, which includes unlawful interference with the work of computers, automated systems, computer networks or telecommunication networks.

Recent DanaBot campaigns observed with new ransomware module

  • DanaBot campaigns targeted at European countries also drop a ransomware executable onto target systems.
  • The trojan also comes with new plugins, configuration files, and other updates.

Banking trojan DanaBot, which is known to target organizations across Europe, North America, and Australia, has been found being distributed with a ransomware module. Security researchers from CheckPoint came across this new variant in a few of the recent DanaBot campaigns. According to the researchers, DanaBot also had new plugins, configuration files, string encryption, file name generation algorithms and a different communication protocol.

Worth noting

  • In a report by CheckPoint, researchers indicate that the new DanaBot is also spread through phishing emails that contain a malicious link. This link acts as a dropper for DanaBot.
  • On top of having a new communication protocol, the researchers found that the recent campaigns used additional plugins and configuration files for DanaBot.
  • The ransomware module was identified as a variant of “NonRansomware”, which is known for enumerating files on local drives and encrypting them, except for the Windows directory.
  • After execution, the ransomware runs a Batch script. This script performs a host of actions, including disabling Windows Defender and removing system logs. Furthermore, it schedules a task that executes the ransomware every 14 minutes until a certain period has elapsed, and then proceeds with encryption.

Evolving malware

CheckPoint researchers hint that the threat actors behind DanaBot continue to keep updating the trojan. “For almost a year, DanaBot has been extending its capabilities and evolving into a more sophisticated threat. We assume its operators will continue to add more improvements,” they said.

“A lot of ransomware still remain a relatively stable source of income for cybercriminals. Therefore such simple ‘copy-paste’ encryptors as the one that was described here will continue to emerge constantly,” the researchers wrote, regarding the prevalence of ransomware attacks.

Hackers Abused MSPs and Their Remote Management Tools to Deploy Ransomware on Customers’ Networks

  • The remote management tools which were targeted include Webroot SecureAnywhere and Kaseya VSA.
  • The tools have been abused to execute a PowerShell script that downloads and installs the Sodinokibi ransomware.

Attackers have hacked three Managed Service Providers (MSPs) and abused their remote management tools to deploy Sodinokibi ransomware on their customers’ systems.

The incident came to light after some of the impacted MSPs reported it on a subreddit dedicated to MSPs.

The big picture

Kyle Hanslovan, co-founder and CEO of Huntress Lab, analyzed the incidents and revealed the following:

  • Attackers compromised the MSPs via exposed RDP endpoints.
  • Upon compromise, attackers gained escalated privileges and uninstalled antivirus products such as ESET and Webroot.
  • The attackers then searched for remote management tools used by MSPs to manage remotely-located workstations of their customers.
  • They then abused the remote management tools to execute a PowerShell script on customers’ systems.
  • The malicious script downloaded and installed the Sodinokibi ransomware on customer endpoints.
  • The abused remote management tools include Webroot SecureAnywhere and Kaseya VSA.

“Two companies mentioned only the hosts running Webroot were infected. Considering Webroot’s management console allows administrators to remotely download and execute files to endpoints, this seems like a plausible attack vector,” Hanslovan said.

Webroot makes 2FA mandatory

After the incident, Webroot mandated enabling two-factor authentication (2FA) for accounts in order to prevent hackers from using any other potentially hijacked accounts to deploy ransomware.

“Recently, Webroot’s Advanced Malware Removal team discovered that a small number of customers were impacted by a threat actor exploiting a combination of customers’ weak cyber hygiene practices around authentication and RDP,” Chad Bacher, SVP of Products at Webroot, told ZDNet via email.

“To ensure the best protection for the entire Webroot customer community, we decided it is time to make two-factor authentication mandatory. We did this by conducting a console logout and software update the morning of June 20,” Bacher added.

New Bird Miner Mac cryptominer leverages Ableton Live 10 cracked installer for propagation

  • The Ableton Live 10 cracked installer can be downloaded from a pirate website called VST Crack.
  • Ableton Live is a high-end music production software and is used as an instrument for live performance by DJs.

A new Mac cryptocurrency miner, detected as Bird Miner, has been found leveraging a cracked installer for Ableton Live 10 for propagation. Ableton Live is a high-end music production software and is used as an instrument for live performance by DJs. The software is also used for composing, recording, mixing and mastering music.

How does it propagate?

According to Malwarebytes, the Ableton Live 10 cracked installer can be downloaded from a pirate website called VST Crack. The software is more than 2.6 GB. Once installed, the software downloads Bird Miner’s post-install script among other things. The cracked installer also copies some installed files to new locations with random names.

The files that get dropped on the infected system with random names have a variety of functions. This includes launching three different shell scripts.

Malicious scripts

One of the scripts launched is called Crax and it is installed in the /usr/local/bin/ directory. Crax ensures that the malware gains persistence on the victim’s system without being detected by security solutions.

“The first thing it does is check to see if Activity Monitor is running and, if it is, unload the other processes. If Activity Monitor isn’t running, the malware then goes through a series of CPU usage checks. If the results show that it’s pegging the CPU at more than 85 percent, it again unloads everything,” explained the researchers.

After Crax completes its check process, it loads two more processes named ‘com.Flagellariaceae.plist’ and ‘com.Dail.plist’. While the first one runs a script named Pecora, the second runs a script called Krugerite.

These two scripts once again check for Activity Monitor and then launch an executable named Nigel, which is an old version of the open-source emulator Qemu. Nigel lets the attackers run the miner code while keeping it hidden inside Qemu images.

Worth noting

Malwarebytes highlights that the malware was first spotted in a pirated Ableton Live 10 installer. Since then, it has been found to be distributed via other software through the same site. The site has been distributing the malware in one form or the other for at least four months.

Lightbox adware redirects mobile users to random sites

  • The redirected sites include pages related to viral apps or just random tech articles.
  • If the visitor chooses to install any of these apps, they are taken to the respective official store’s webpage.

An external script has been found redirecting visitors to several random sites. This script is frequently used by various webmasters to provide easy Lightbox functionalities on their websites.

Dissecting the malicious script

According to the researchers from Sucuri, the issue came to light after visitors were redirected to random sites while accessing a site via mobile. During the investigation, it was discovered that the installed script made a call to another script and redirected mobile users to a link (below).

hxxp://click[.]thebestoffer[.]gq/?utm_medium=6a9d4be48f9dd74ece2547f9a7d3ed068107809c&utm_campaign=js_1&1=&2=

What next?

Once users are caught by the URL redirection, they are bombarded with random pages related to viral apps or just random tech articles. If the visitor chooses to install any of these apps, they are taken to the respective official store’s webpage.

After a while, the script switches to a different campaign and redirects visitors to another shady-looking page, https[:]//you.1gowest[.]top/?utm_medium=87e4ad4e587d6a3c668e4dda57a31ea60a0235b2&utm_campaign=1gowest.

So far, there has been no evidence of anything more overtly malicious happening through the script.

Threat actors often use this type of technique to generate revenue from a downloaded tool, app or script. Webmasters should therefore be cautious when adding external assets to their websites.

SACK Panic and three other vulnerabilities discovered in Linux and FreeBSD kernels

  • All these vulnerabilities are related to the minimum segment size (MSS) and TCP selective acknowledgment (SACK) capabilities.
  • ‘SACK Panic’ is the most severe vulnerability of all the flaws.

Four TCP networking vulnerabilities in FreeBSD and Linux kernels have been discovered by security researchers recently. All these vulnerabilities are related to the minimum segment size (MSS) and TCP selective acknowledgment (SACK) capabilities.

SACK PANIC, the serious one

In a report, Netflix Information Security’s Jonathan Looney has revealed that ‘SACK Panic’ is the most severe vulnerability of all the flaws. Tracked as CVE-2019-11477, the vulnerability has been marked with a CVSS score of 7.5. It could permit an attacker to remotely induce a kernel panic within recent Linux operating systems.

A kernel panic is a fatal error condition from which the operating system cannot recover without a restart. Forcing one on a targeted host therefore causes a temporary shutdown of its services.

The SACK Panic flaw impacts Linux kernel version 2.6.29 and later. It can be addressed by deploying PATCH_net_1_4.patch. Additionally, the versions of the Linux kernel up to 4.14 require a second patch PATCH_net_1a.patch.

Alternatively, the issue can be mitigated by completely disabling SACK processing on the system.
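As an added example (not part of the original article), the helpers below turn the guidance above into an audit script: they classify a Linux kernel version string against the version ranges the text gives (2.6.29 and later affected, up to 4.14 also needing PATCH_net_1a.patch) and parse `sysctl` output to confirm whether the interim mitigation of disabling SACK processing is in place. It assumes the version comes from `uname -r` and that `sysctl net.ipv4.tcp_sack` prints the usual `key = value` line.

```shell
#!/bin/sh
# Added example, not the article's own code: audit helpers for the SACK Panic guidance.
# Assumptions: version string from `uname -r`; ranges (2.6.29+ affected, <=4.14 also
# needs PATCH_net_1a.patch) taken from the text. Distribution kernels that backport the
# fix are NOT recognised by version number alone.

# Map "MAJOR.MINOR.PATCH[-suffix]" to one integer so versions compare with -lt / -ge.
# Missing components count as 0; a suffix such as "-8-amd64" is ignored.
ver_num() {
  printf '%s' "$1" | awk -F. '{
    for (i = 1; i <= 3; i++) { v = $i; sub(/[^0-9].*/, "", v); n[i] = (v == "") ? 0 : v + 0 }
    printf "%d", n[1] * 1000000 + n[2] * 1000 + n[3]
  }'
}

# Print the patch set the article names for a given Linux kernel version,
# or "not-affected" for kernels older than 2.6.29.
sack_panic_guidance() {
  n=$(ver_num "$1")
  if [ "$n" -lt "$(ver_num 2.6.29)" ]; then
    echo "not-affected"
  elif [ "$n" -lt "$(ver_num 4.15)" ]; then
    # "up to 4.14": the base fix plus the second patch
    echo "PATCH_net_1_4.patch PATCH_net_1a.patch"
  else
    echo "PATCH_net_1_4.patch"
  fi
}

# Read sysctl-style lines ("net.ipv4.tcp_sack = 1") on stdin and report whether
# the interim mitigation (SACK processing disabled) is in place.
sack_state() {
  awk '$1 == "net.ipv4.tcp_sack" { s = ($3 == "0") ? "disabled" : "enabled"; print s; found = 1 }
       END { if (!found) print "unknown" }'
}

# Live audit of the current host; only runs when invoked as: sh sack_audit.sh --live
audit_live() {
  kver=$(uname -r)
  echo "kernel $kver: $(sack_panic_guidance "$kver")"
  echo "SACK processing: $(sysctl net.ipv4.tcp_sack 2>/dev/null | sack_state)"
}

if [ "${1:-}" = "--live" ]; then
  audit_live
fi
```

Because distributions backport the fix without bumping the upstream version, treat the "needs patch" verdict as a prompt to check the vendor advisory, not as proof of exposure.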

What are the other flaws?

As per Red Hat, the two other issues that impact the kernel’s TCP processing subsystem are CVE-2019-11478 (dubbed SACK Slowness) and CVE-2019-11479. These flaws are considered to be moderate severity vulnerabilities.

CVE-2019-11478 can be exploited by sending a crafted sequence of SACKs that fragments the TCP retransmission queue, while CVE-2019-11479 allows attackers to trigger a DoS condition.

CVE-2019-5599 is the FreeBSD counterpart of CVE-2019-11478. The flaw impacts FreeBSD 12 installations using the RACK TCP Stack. It can be abused by delivering “a crafted sequence of SACKs which will fragment the RACK send map.”

Linux and FreeBSD admins and users can address CVE-2019-11478 by applying PATCH_net_2_4.patch. The second issue, CVE-2019-11479, can be addressed by applying the PATCH_net_3_4.patch and PATCH_net_4_4.patch security patches. CVE-2019-5599 can be fixed only by applying split_limit.patch and setting the net.inet.tcp.rack.split_limit sysctl to a reasonable value to limit the size of the SACK table.

Mermaids transgender charity data breach exposed confidential emails

Mermaids UK has apologized for an “inadvertent” data breach which exposed private messages between the charity and the parents of gender variant and transgender children.

As first reported by the Sunday Times last week, over 1,000 pages of confidential emails were leaked online, including “intimate details of the vulnerable youngsters it [the charity] seeks to help.”

The letters, sent between 2016 and 2017, also contained the names, addresses, and telephone numbers of those reaching out to the charity.

When data breaches occur, it is often the case that cyberattackers infiltrate internal networks and steal information — and this data may be published online or sold in underground forums.

However, in Mermaids UK’s case, the material had simply been uploaded to the web and could be accessed just by typing in “Mermaids” and the UK charity number assigned to the group.

After being warned of the leak on Friday, the charity removed the content from public view.

In a statement, Mermaids UK called the data breach “inadvertent” and insists there is no evidence of the sensitive material being abused.

Mermaids said the leak involved roughly 1,100 emails between executives and trustees, rather than the correspondence of private users, according to the BBC. A spokesperson said the records were not related to “Mermaids service users emailing each other, and their emails and private correspondence being available to an outside audience.”

The charity added that the emails stemmed from a “private user group” and “the information could not be found unless the person searching for the information was already aware that the information could be found.” (Considering the publication was able to find the information through a simple online search, however, this position may not be wholly accurate.)

The UK’s Information Commissioner’s Office (ICO) has been informed, a step now required under the General Data Protection Regulation (GDPR), introduced in 2018.

Under the terms of GDPR, organizations must now report data breaches promptly, and should they be found wanting in terms of data protection and security, heavy fines can be issued. Each security incident is considered on a case-by-case basis.

Mermaids has also contacted the families affected, alongside stakeholders and the Charity Commission.

“Mermaids apologizes for the breach,” the charity added. “Even though we have acted promptly and thoroughly, we are sorry.  At the time of 2016 — 2017, Mermaids was a smaller but growing organization. Mermaids now has the internal processes and access to technical support which should mean such breaches cannot now occur.”

Reported losses from NBN scams increase by nearly 300% in 2019: ACCC

Australian consumers reported over AU$110,000 in monthly losses from NBN scams in the January-May 2019 period, according to the Australian Competition and Consumer Commission (ACCC).

Compared to the average monthly losses of AU$38,500 in 2018, this is a near 300% increase.

“People aged over 65 are particularly vulnerable, making the most reports and losing more than AU$330,000 this year. That’s more than 60% of the current losses,” ACCC Acting Chair Delia Rickard said.

Despite being only halfway through the year, the amount of reported losses for NBN scams in 2019 has already exceeded the total of last year’s losses, which was around AU$462,000.

“Scammers are increasingly using trusted brands like ‘NBN’ to trick unsuspecting consumers into parting with their money or personal information,” Rickard added.

The most common types of NBN scams, the ACCC said, include:

  • scammers pretending to be the NBN, offering to sell NBN services or test connection speed and asking for personal details such as name, address, date of birth, and Medicare number, or for payment;
  • scammers pretending to be NBN Co or an internet provider and claiming there is a connection problem that requires remote access to fix, allowing them to install malware or steal valuable personal information; and
  • scammers calling during a blackout and offering, for an extra fee, to keep consumers connected during the blackout.

“We will never make unsolicited calls or door knock to sell broadband services to the public. People need to contact their preferred phone and internet service provider to make the switch,” NBN Co chief security officer Darren Kane said.

“We will never request remote access to a resident’s computer and we will never make unsolicited requests for payment or financial information.”

This follows the ACCC’s release in April of its annual Targeting scams report, which revealed that total combined losses from scams in 2018 exceeded AU$489 million, AU$149 million more than the year prior, up 41.7% year on year.

Of that total reported amount, AU$107 million was reported to Scamwatch, the ACCC’s scam reporting website.

“These record losses are likely just the tip of the iceberg. We know that not everyone who suffers a loss to a scammer reports it to a government agency,” Rickard said at the time.

Update: Over 20 million affected in massive AMCA data breach

  • The data was compromised after AMCA’s payment system was breached on August 1, 2018, and remained vulnerable till March 30, 2019.
  • AMCA has started notifying consumers whose credit card number, social security number or lab test order information may have been accessed.

Maryland Attorney General Brian E. Frosh is alerting Marylanders that their medical and other private information may have been compromised in the massive AMCA data breach. The breach has impacted over 20 million patients of five diagnostic firms that used the services of American Medical Collection Agency (AMCA).

Who are the victims?

The companies that were affected in the data breach are:

  • Quest Diagnostics: 11.9 million patients
  • LabCorp: 7.7 million patients
  • BioReference Laboratories: 422,600 patients
  • Carecentrix: 500,000 patients
  • Sunrise Laboratories: unknown number of patients

The data of these companies were compromised after AMCA’s payment system was breached on August 1, 2018 and remained vulnerable till March 30, 2019.

What data was involved?

The compromised information varies for each victim company, but it includes some or all of the following:

  • Patient Name
  • Date of Birth
  • Address
  • Phone Number
  • Date of Service
  • Provider
  • Balance Information
  • Payment Card Information
  • Bank Account Information
  • Social Security Number
  • Lab Test Performed

How is the situation being addressed?

AMCA has started notifying consumers whose credit card number, social security number or lab test order information may have been accessed.

Meanwhile, General Frosh has also urged consumers to review their financial and medical accounts for suspicious activity.

“Massive data breaches like the one experienced by the AMCA are extremely alarming, especially considering the likelihood that personal, financial, and medical information may now be in the hands of thieves and scammers,” said General Frosh, CBS Baltimore reported.

Distributed Denial of Service attack on Telegram causes service outages

  • The attack caused service outages primarily in South and North America.
  • However, users in the United Kingdom, the Netherlands, Germany, Ukraine, Russia, Australia, and China also faced connection issues and network disruptions.

A Distributed Denial of Service (DDoS) attack on the Telegram messenger caused service outages and connection problems for users in certain parts of the world.

Which countries were impacted?

The attack caused service outages primarily in South and North America. However, users in the United Kingdom, the Netherlands, Germany, Ukraine, Russia, Australia, and China also faced connection issues and network disruptions.

“We’re currently experiencing a powerful DDoS attack, Telegram users in the Americas and some users from other countries may experience connection issues,” Telegram tweeted.

What happened?

A botnet of compromised computers flooded Telegram’s servers with traffic, which resulted in unstable connections as the messenger could not handle all the requests.

What is a DDoS attack?

In a Distributed Denial of Service (DDoS) attack, multiple compromised systems are used to target a server with a huge volume of traffic. A DDoS attack aims to bring services down by bombarding them with more traffic than their services and infrastructure can handle.

On February 28, 2018, GitHub suffered the world’s largest DDoS attack, which took the service offline from 17:21 to 17:26 UTC and made it intermittently unavailable from 17:26 to 17:30 UTC.

Source of the attack

Pavel Durov, Founder and CEO of Telegram, noted that the DDoS attack originated in China.

“IP addresses coming mostly from China. Historically, all state actor-sized DDoS (200-400 Gb/s of junk) we experienced coincided in time with protests in Hong Kong (coordinated on @telegram). This case was not an exception,” Durov tweeted.

Connection problem resolved

Telegram assured users that their data was safe. “There’s a bright side: All of these lemmings are there just to overload the servers with extra work – they can’t take away your BigMac and coke. Your data is safe,” Telegram tweeted.

As of now, the connection issues have been resolved and users will be able to use Telegram messenger without any disruptions.

Major airplane parts manufacturer ASCO hit with ransomware attack

  • ASCO’s factory in Zaventem, Belgium was hit by a ransomware infection causing major downtime, as most of the plant’s IT systems were infected.
  • ASCO shut down production in factories across Germany, Canada, and the United States.

What is the issue?

ASCO, one of the largest airplane parts manufacturers, suffered a ransomware attack that crippled production in factories across four countries.

What happened?

On June 7, 2019, ASCO’s factory in Zaventem, Belgium was hit by a ransomware infection causing major downtime, as most of the plant’s IT systems were infected.

  • As a result, almost 1,000 of its 1,400 workers were sent home.
  • The manufacturing company also extended leave for the entire week as well as shut down production in factories across Germany, Canada, and the United States.
  • However, the non-production offices located in France and Brazil were operational.

“We have submitted an application for recognition of temporary unemployment due to force majeure,” Vicky Welvaert, HR director at ASCO said.

Worth noting

Some of the airplane parts manufacturer’s primary clients include Airbus, Boeing, Bombardier, and Lockheed Martin.

What actions were taken?

  • The aviation company has notified the appropriate authorities and the police department about the incident.
  • It has also engaged third-party IT experts to remediate the incident as quickly as possible.

“We have informed all competent authorities in this area of this cyber attack and have engaged external experts to solve the problem. We are currently working hard and hard at it,” Welvaert added.

However, the name of the ransomware and the recovery steps taken by the company to remediate the attack remain unknown.