- CyberCrime -

Last update 09.10.2017 13:16:36


LuminosityLink RAT Author Sentenced to 30 Months in Prison
19.10.2018 securityweek

The maker of the LuminosityLink remote access Trojan (RAT) was sentenced to 30 months in federal prison, the United States Department of Justice announced this week.

The man, Colton Grubbs, 21, of Stanford, Kentucky, admitted in court earlier this year to designing, marketing, and selling LuminosityLink, a piece of malware that could record keystrokes, access the camera and microphone for surveillance purposes, download files, and steal login credentials.

As part of his guilty plea, Grubbs also revealed that he was aware of the fact that some of his customers would use the software to remotely access and control computers without their owner's knowledge or consent.

The RAT was being sold via the luminosity[.]link and luminosityvpn[.]com websites, but the malware author suspended sales via luminosity[.]link in July 2017, half a year before law enforcement agencies released the details of an operation specifically targeting LuminosityLink users.

Grubbs, who admitted to selling the malicious program for $39.99 apiece to more than 6,000 customers, also provided assistance on the use of the RAT for unauthorized computer intrusions. The Trojan was used to target victims throughout the United States and around the world.

Under federal law, Grubbs must serve 85% of his prison sentence. He will be released under supervision of the United States Probation Office for a term of three years.

Grubbs has also been ordered to forfeit the proceeds of his crimes, including 114 Bitcoin (valued at over $725,000 at the moment), which was seized by the Federal Bureau of Investigation.

“Our modern society is dependent on computers, mobile devices, and the use of the internet. It is essential that we vigorously prosecute those who erode that confidence and illicitly gain access to computer systems and the electronic information of others. Everyone benefits when this deceitful conduct is discovered, investigated, and prosecuted,” Robert M. Duncan, Jr., United States Attorney for the Eastern District of Kentucky, said.

Online market for counterfeit goods in Russia has reached $1.5 billion
17.10.2018 securityaffairs

Group-IB: The online market for counterfeit goods in Russia has reached $1.5 billion, while the number of phishing attacks has surpassed 1,200 daily
Group-IB, an international company that specialises in the prevention of cyber attacks, has estimated that online sales of counterfeit goods are now worth $1.5 billion. This information was first made public by experts from Group-IB’s Brand Protection team at the CyberCrimeCon 2018 international cybersecurity conference.

According to Group-IB, the online market for counterfeit goods in Russia has increased by 23% in a year and totaled more than $1.5 billion in 2017, compared to $1.2 billion in 2016. Fraudsters use their websites to sell household appliances and computer equipment, clothing and footwear, jewelry, accessories, cosmetics, medicinal products, and much more, often at hugely discounted prices – up to 80% off. According to Group-IB’s statistics, every fifth counterfeit product was bought online. On average, Russians spend $78 per year on counterfeit goods.

“For large organisations, the actions of online fraudsters mean not only a direct loss in revenue, but also damaged customer loyalty, brand abuse, and fewer shoppers,” says Andrey Busargin, Director of Brand Protection at Group-IB. “It also leads to a decrease in what we call the psychological price, i.e. the cost that customers are willing to pay for a product from the official retailer. Around 64% of users stop buying a company’s goods after a negative experience.”

Counterfeit goods are not the only threat to popular brands on the Internet. Scammers create fake websites of known brands, fraudulent promotional campaigns, and fake accounts on social media. In recent years, an often-used fraud method has been fake mobile applications: 36% of users are unable to distinguish between genuine and fake apps, and 60% of the latter request access to the user’s personal data.

Fraudsters use various ways to deceive users: phishing websites, fake mobile apps, accounts and groups on social media. Phishing remains one of the most common online fraud. According to the experts from Group-IB Brand Protection, around 1,270 phishing attacks are carried out daily. The main goals of phishing resources are stealing money from bank cards and obtaining login credentials to personal accounts.

Scammers do not simply copy a company’s website, brand, logos, and colors in addition to registering a similar domain name; they also use the same promotional methods as the legal resources. To secure the traffic they need, scammers ensure that their websites appear at the top of search engine results: 96% of users click on links found on the first page displayed by search engines. Only 35% of them are official resources, however.

Contextual advertising also plays a role: for only $15, it is possible to buy 100 guaranteed visits to a phishing website. Scammers also buy banner ads, use search engine optimisation (SEO), and social media promotion (every day, around 150 social media users are deceived by fraudsters on average). In addition to technological ways of attracting traffic by using bots that target opinion leaders, scammers do not shy away from the classic tactic of mass email blasts purporting to be from popular brands, with 20% of users opening emails that contain content that is characteristic of malware or phishing.

Given that users blindly trust influencers (68% of people choose goods or services based on feedback on social media), scammers create fake accounts. For example, a fake account in Pavel Durov’s name brought in more than $50,000 in only a couple of hours after being created. According to Group-IB, 43% of celebrities and 31% of politicians have fake accounts that use their names.

“Fighting online fraudsters and counterfeiting requires adopting serious countermeasures,” warns Andrey Busargin.

“We advise companies to continuously track phishing resources and monitor references to their brand in domain name databases, search engine results, social media, messengers, and context ads so as to identify scammers hiding behind the company’s brand. It is also important to monitor mobile applications, in both official and unofficial stores, in addition to forums, search engine results, social media, and websites where they might be found. To effectively fight against scammers and fraudsters, it is important to detect and block all the resources connected with a fraudulent website. Fraudsters usually create several phishing websites at once, which can be detected using correlation and website affiliation analysis.”

How Cybercriminals Are Targeting Free Wi-Fi Users
17.10.2018 securityaffairs

Free Wi-Fi is convenient, but it is also unsafe and puts users at great risk. Here is how cybercriminals attack users on these open networks.
Free Wi-Fi is one of the most attractive things for users today, which is the main reason so many free public Wi-Fi hotspots can be found without much effort. These open networks are not only free but convenient to use. However, many users may not be aware that these free open Wi-Fi hotspots are actually unsafe and put them at great risk.

There are multiple ways in which cybercriminals target the users of these free Wi-Fi hotspots. Many of these users are at least aware that the open networks they connect to are unsafe. What they do not know is the various ways in which they are being targeted by cybercriminals and hackers on these open networks.

Ways in which Hackers Target Free Wi-Fi Users

The open-for-all nature of free public Wi-Fi networks makes them unsafe for all users. Cybercriminals are always on the lookout to get their hands on users’ personal or financial data, or they look for vulnerabilities to get access to their devices. These free networks give cybercriminals the perfect opportunity to fulfill their purpose. The following are some of the common ways in which cybercriminals target free Wi-Fi users.


Man-in-the-middle attack
The man-in-the-middle attack is one of the most commonly used attacks: the cybercriminal places himself between the user and the router, so that all of the user’s requests actually route through the attacker. In this position the attacker effectively has full control over the network and can easily extract what they want from the user.

Carrying out this attack successfully is so easy that a 7-year-old girl, Betsy Davies, needed only 10 minutes to break into a public Wi-Fi network and access a stranger’s laptop in a real experiment. If a 7-year-old can do it in 10 minutes, imagine what a professional can do in a matter of minutes.

Fake Wi-Fi Access Points
It is also easy for cybercriminals to set up fake Wi-Fi access points in public spaces. They set up rogue Wi-Fi networks, which give them all of the data and access to users’ devices or systems. Creating one is straightforward: the cybercriminals set up the rogue network as bait, give it a very generic name, and wait for users to connect to it.

As soon as the user’s web connection is made over this rogue network, there are plenty of ways in which the attacker can carry out the attack. One is that the cybercriminal directs the user to a malicious website where he or she is forced to download malware onto their system. The second is a spoofed banking page, where the attacker wants the user to enter their banking details and financial data so that this sensitive information can easily be captured.

Fake Honeypots
Fake honeypots are quite similar to fake Wi-Fi access points; the only difference is that the honeypot is set up in a more sophisticated manner. This increases the chances of more users falling for the trap set by the cybercriminals.

Imagine connecting to an airport’s Wi-Fi network and seeing two options with similar names and even similar passwords. It is almost certain that one of these is a honeypot placed there to capture users’ data and misuse their sensitive information.

Intercepting your data and credentials

Another very damaging attack is the interception of users’ internet data while they are on these unsecured public Wi-Fi hotspots. The data transmitted on these networks is not encrypted, so it is easy for hackers to sniff and intercept traffic that may contain the user’s login credentials.

With this method, cybercriminals easily get their hands on users’ data, including their private information. Since this data is not encrypted, the hackers do not have to do much to use it for their own purposes.

These are some of the common attacks that cybercriminals use to target users on free Wi-Fi networks. There is a way to stay protected on these public Wi-Fi hotspots, and it is discussed below.

How to stay protected with VPN on Public Wi-Fi Networks?

The best and the most advanced way to stay protected on these unsafe public Wi-Fi hotspots is to use a decent VPN service. There are some ace VPN providers who offer strong security and encryption which makes it extremely hard for the cybercriminals to get access to users’ accounts and data.

A VPN not only encrypts all of the user’s data to protect their privacy on the web, it also creates a secure tunnel between the user’s device and the VPN server that is hard to break into, because the tunnel itself is encrypted and the encrypted data travels through it. Cybercriminals cannot easily get their hands on users’ data if they are using one of the best VPN services.

Even if they get their hands on users’ data, all they will get is gibberish, because the top VPN providers offer strong encryption that is not only hard to break but would take years to decrypt, even if the hacker uses automated tools.

Final Words

If you use free public Wi-Fi hotspots a lot in places like malls, cafes, restaurants, or any other public space, you should be aware that these open networks are unsafe and can put you in great danger. If you wish to use these free open Wi-Fi networks, get a decent VPN service and connect to it before surfing the web on them.

FBI IC3 warns of cyber attacks exploiting Remote Desktop Protocol (RDP)
30.9.2018 securityaffairs

The FBI Internet Crime Complaint Center (IC3) warns of cyber attacks exploiting Remote Desktop Protocol (RDP) vulnerabilities.
Remote Desktop Protocol (RDP) is a widely adopted protocol for remote administration, but it could dramatically enlarge the attack surface if it isn’t properly managed.

The FBI Internet Crime Complaint Center (IC3) and the DHS issued a joint alert to highlight the rise of RDP as an attack vector.

Attackers are exploiting this feature to access systems to deploy malware such as the SamSam ransomware.

“Malicious cyber actors have developed methods of identifying and exploiting vulnerable RDP sessions over the Internet to compromise identities, steal login credentials, and ransom other sensitive information.” reads the alert issued by IC3.

“The Federal Bureau of Investigation (FBI) and Department of Homeland Security (DHS) recommend businesses and private citizens review and understand what remote accesses their networks allow and take steps to reduce the likelihood of compromise, which may include disabling RDP if it is not needed.”

Attackers can “infiltrate the connection” between the local and the remote machines and inject malware into the remote system. Experts warn that attacks using the Remote Desktop Protocol do not require user input, which makes intrusions difficult to detect.

The IC3 warns of the following vulnerabilities:

Weak passwords.
Outdated versions of RDP may use a flawed CredSSP implementation that is open to man-in-the-middle attacks.
Allowing unrestricted access to the default Remote Desktop Protocol port (TCP 3389).
Allowing unlimited login attempts to a user account.

The alert recommends auditing the network for systems using RDP for remote communication, limiting the use of the Remote Desktop Protocol, keeping systems up to date, and implementing multi-factor authentication wherever possible.
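As an added example (not part of the IC3 alert or this article), the detector below applies the alert’s last two points, unlimited logon attempts against an exposed TCP 3389 service, to Windows Security logon events: it counts failed RemoteInteractive logons (event 4625, logon type 10) per source address in a sliding window and raises a second alert when a successful logon (event 4624) follows from a flagged address. The one-line event format, the thresholds and the sample events are constructed for the demo.

```python
"""Flag RDP password guessing from Windows Security logon events.

Added example, not part of the IC3 alert or the article. The one-line event
format, the thresholds and the sample events are constructed for the demo.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<UTC timestamp> <EventID> <account> <source IP> <LogonType>"
# 203.0.113.5 guesses six passwords in 40 s and then logs on; 198.51.100.7 fails
# twice (a typo, not an attack); 192.0.2.9 fails over SMB (logon type 3), not RDP.
SAMPLE_EVENTS = """\
2018-09-30T10:00:01Z 4625 administrator 203.0.113.5 10
2018-09-30T10:00:09Z 4625 administrator 203.0.113.5 10
2018-09-30T10:00:15Z 4625 admin 203.0.113.5 10
2018-09-30T10:00:20Z 4625 alice 198.51.100.7 10
2018-09-30T10:00:22Z 4625 backup 203.0.113.5 10
2018-09-30T10:00:30Z 4625 administrator 203.0.113.5 10
2018-09-30T10:00:33Z 4625 alice 198.51.100.7 10
2018-09-30T10:00:41Z 4625 administrator 203.0.113.5 10
2018-09-30T10:00:50Z 4625 svc 192.0.2.9 3
2018-09-30T10:01:05Z 4624 administrator 203.0.113.5 10
"""

# LogonType 10 = RemoteInteractive. Caveat: with Network Level Authentication
# enabled, failed RDP logons are often recorded as type 3 (network) on the RDP
# host instead, so widen this filter to match your environment.
RDP_LOGON_TYPE = 10


def parse_events(text):
    """Parse the constructed one-line format into time-sorted tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source_ip, logon_type = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       int(event_id), account, source_ip, int(logon_type)))
    return sorted(events)


def detect_rdp_bruteforce(events, threshold=5, window_seconds=60):
    """Return [(source_ip, alert, timestamp)] in the order the alerts fire.

    An address is flagged once it produces `threshold` failed RDP logons within
    `window_seconds`; a later successful RDP logon from a flagged address is
    reported separately, since that is the compromise the IC3 alert describes.
    """
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(deque)   # source_ip -> timestamps of recent 4625s
    flagged = set()
    alerts = []
    for ts, event_id, account, source_ip, logon_type in events:
        if logon_type != RDP_LOGON_TYPE:
            continue
        if event_id == 4625:
            recent = failures[source_ip]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()            # drop failures older than the window
            if len(recent) >= threshold and source_ip not in flagged:
                flagged.add(source_ip)
                alerts.append((source_ip, "rdp brute-force", ts))
        elif event_id == 4624 and source_ip in flagged:
            alerts.append((source_ip, f"rdp logon as {account} after brute-force", ts))
    return alerts


if __name__ == "__main__":
    for source_ip, alert, ts in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {source_ip}: {alert}")
```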

Hackers target Port of Barcelona, maritime operations not affected
23.9.2018 securityaffairs

The Port of Barcelona was hit by a cyber attack; fortunately, maritime operations were not affected.
On September 20, 2018 morning, the Port of Barcelona was hit by a cyber attack that forced the operators of the infrastructure to launch the procedure to respond to the emergency.

At the time of writing, there are no technical details about the cyber attack. The attackers hit several servers at the infrastructure, but maritime operations were not affected.

Land operations such as reception and delivery do not appear to have suffered any problem due to the attack.


The Information Systems department promptly launched an investigation into the incident, and it is implementing additional measures to lock out the attackers and minimize the effects.

Port of Barcelona
Early this morning the #PortofBarcelona suffered a cyberattack affecting a number of its servers.
Our Information Systems department is gauging the extent of the attack and implementing its contingency plans for this type of situation.

11:08 AM - Sep 20, 2018

Port of Barcelona
· Sep 20, 2018
The Information Systems Department of #PortofBarcelona continues working to recover the functionalities which have been affected by the cyber attack received by the organization this morning.

Port of Barcelona
Seaside operations have not been affected and all the scheduled ship calls are operating normally.
In terms of land operations, the reception and delivery of goods are as well developing normally.

8:28 PM - Sep 20, 2018
Reading the tweets published by the Port of Barcelona, experts noticed that two days before the attack the operator warned of the effects of a cyberattack on safety and security of the infrastructure.

“The SMM Maritime Industry Report (MIR) states that 80% of the leaders in the shipping industry believe that cybersecurity is an “important” or “very important” issue, but not all ports are equally poised to deal with this kind of cyberattack. While American and Asian ports are keenly aware of this issue and allocate a significant portion of their budgets to protecting against cyberattacks, in Europe the concern with cybersecurity is more recent.” reads a blog post published by the Port of Barcelona.

“Incidents like the one with Maersk or the ones suffered by the ports of Antwerp and Rotterdam in 2011 and 2013 have helped raise awareness of the importance that this issue should be given in ports, yet there is still a great deal of work to be done.”

Port of Barcelona
No one is safe from a #cyberattack that puts at risk their activity and safety and that of their stakeholders. Nor even the ports. In #PierNext we review the challenges of implementing a #cybersecurity system in a port. http://bit.ly/PierNext_cybersecurity …

2:15 PM - Sep 18, 2018

Cybersecurity in the maritime sector: are ports prepared?
Sea transportation leaders think cybersecurity is a basic issue right now, but are ports prepared to face the attacks from hackers?

According to the Administrator of Systems and Projects at Port of Barcelona, Cristian Medrano, who spoke days before the cyber attack, no one is immune to cyber attacks … a sinister prophecy

Magecart cybercrime group stole customers’ credit cards from Newegg electronics retailer
20.9.2018 securityaffairs CyberCrime

Magecart hackers have stolen customers’ credit card data from the computer hardware and consumer electronics retailer Newegg.
The Magecart cybercrime group is back, this time the hackers have stolen customers’ credit card data from the computer hardware and consumer electronics retailer Newegg.

Magecart has been active since at least 2015; recently the group hacked the websites of Ticketmaster, British Airways, and Feedify to inject a skimmer script used to siphon users’ payment card data.

The group behind the Ticketmaster and British Airways data breaches has now victimized the popular computer hardware and consumer electronics retailer Newegg.

The security firms Volexity and RiskIQ have conducted a joint investigation on the hack.

“Volexity was able to verify the presence of malicious JavaScript code limited to a page on secure.newegg.com presented during the checkout process at Newegg. The malicious code specifically appeared once when moving to the Billing Information page while checking out.” reported Volexity.

“This page, located at the URL https://secure.newegg.com/GlobalShopping/CheckoutStep2.aspx, would collect form data, siphoning it back to the attackers over SSL/TLS via the domain neweggstats.com.”

Now the Magecart group has managed to compromise the Newegg website and steal the credit card details of all customers who made purchases between August 14 and September 18, 2018.

“On August 13th Magecart operators registered a domain called neweggstats.com with the intent of blending in with Newegg’s primary domain, newegg.com. Registered through Namecheap, the malicious domain initially pointed to a standard parking host.” reads the analysis published by RiskIQ.

“However, the actors changed it to a day later, a Magecart drop server where their skimmer backend runs to receive skimmed credit card information. Similar to the British Airways attack, these actors acquired a certificate issued for the domain by Comodo to lend an air of legitimacy to their page”

[Image: Newegg attack timeline]

Active since at least 2015, the Magecart hacking group registered a domain called neweggstats(dot)com (similar to Newegg’s legitimate domain newegg.com) on August 13 and acquired an SSL certificate issued for the domain by Comodo.

The technique is exactly the one employed for the attack against the British Airways website.

On August 14, the group injected the skimmer code into the payment processing page of the official retailer website, so when customers made a payment the attackers were able to access their payment data and send it to the domain neweggstats(dot)com they had set up.

[Image: Newegg skimmer code]
“The skimmer code is recognizable from the British Airways incident, with the same basecode. All the attackers changed is the name of the form it needs to serialize to obtain payment information and the server to send it to, this time themed with Newegg instead of British Airways.” continues RiskIQ.

“In the case of Newegg, the skimmer was smaller because it only had to serialize one form and therefore condensed down to a tidy 15 lines of script”

Experts noticed that the users of both desktop and mobile applications were affected by the hack.

Customers that made purchases on the Newegg website between August 14 and September 18, 2018, should immediately block their payment card.

Feedify cloud service architecture compromised by MageCart crime gang
17.9.2018 securityaffairs

MageCart cyber gang compromised the cloud service firm Feedify and stole payment card data from customers of hundreds of e-commerce sites.
The MageCart crime gang has been very active in this period: payment card data from customers of hundreds of e-commerce websites may have been stolen due to the compromise of the cloud service firm Feedify.

Cloud service firm Feedify has over 4,000 customers; it is a cloud platform for engaging its customers’ clients with tools that target them based on their behavior.

Feedify leverages a JavaScript script that their customers add to their websites to use the service. MageCart hackers compromised the supply chain for the Feedify service. The script loads various resources from Feedify’s infrastructure, including a library named “feedbackembad-min-1.0.js,” which was compromised by MageCart.


Every user visiting a page of a Feedify customer’s e-commerce site loaded the malicious script, which allowed the crooks to siphon personal information and payment card data.

Yonathan Klijnsma

They've been affected by Magecart since Friday, August 17 2018 @ 16:51:01 GMT as we recorded it.

Magecart on Feedify. A customer engagement tool. According to their website 4000+ websites use their tooling/code. Fixed today after I notified them.@ydklijnsma @GossiTheDog


10:05 PM - Sep 11, 2018
The group has been active since at least 2015 and compromised many e-commerce websites to steal payment card and other sensitive data.

The group injects a skimmer script into the target websites to siphon payment card data. Once the attackers succeed in compromising a site, they add an embedded piece of JavaScript to the HTML template. Below is an example script dubbed MagentoCore.

<script type="text/javascript" src="hxxps://magentocore.net/mage/mage.js"></script>
This script records keystrokes from customers and sends them to a server controlled by the attacker.
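As an added defensive example (not code from the articles, from Feedify, Newegg or RiskIQ), the script below audits a checkout page’s script tags for the pattern seen in both the Newegg and Feedify incidents: JavaScript served from a host that was never approved, or from a lookalike of the brand’s own domain, or from an approved third-party CDN with no Subresource Integrity protection. The sample page, the site domain newegg.com, the allowlist and the brand token are constructed assumptions, and the registered-domain logic is a naive last-two-labels approximation.

```python
"""Audit <script src> hosts on a checkout page for unexpected third parties.

Added example, not code from the articles or from any vendor named in them.
The sample page, allowlist and brand token are constructed for the demo.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ScriptCollector(HTMLParser):
    """Collect (src, has_integrity) for every <script> that loads a URL."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attrs = dict(attrs)          # html.parser lower-cases attribute names
        if attrs.get("src"):
            self.srcs.append((attrs["src"], "integrity" in attrs))


def _registered_domain(host):
    """Naive registrable domain: last two labels (assumption; no public-suffix list)."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def audit_scripts(html, site_domain, allowed_third_party, brand_tokens=()):
    """Return [(src, finding)] for script sources a defender should look at.

    site_domain         registrable domain of the site itself (first party)
    allowed_third_party registrable domains approved to serve scripts
    brand_tokens        substrings that mark a lookalike host (e.g. "newegg")
    """
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src, has_sri in collector.srcs:
        host = urlparse(src).hostname or ""   # handles https://, //host/ and /path
        if not host:
            continue                          # relative path: served first-party
        domain = _registered_domain(host)
        if domain == site_domain:
            continue
        if domain in allowed_third_party:
            if not has_sri:
                # A skimmer injected into an approved CDN library (the Feedify case)
                # goes unnoticed unless the tag pins the file with Subresource Integrity.
                findings.append((src, "approved third party without integrity attribute"))
            continue
        if any(tok in host for tok in brand_tokens):
            # neweggstats.com-style host: blends in with the brand but is not it
            findings.append((src, f"lookalike host {host} impersonates the brand"))
        else:
            findings.append((src, f"unexpected external host {host}"))
    return findings


# Constructed sample checkout page; the external hosts are the ones the
# articles name (magentocore.net, neweggstats.com, cdn.feedify.net).
SAMPLE_HTML = """<html><head>
<script src="/js/checkout.js"></script>
<script src="https://secure.newegg.com/js/app.js"></script>
<script src="https://cdn.feedify.net/getjs/feedbackembad-min-1.0.js"></script>
<script type="text/javascript" src="https://magentocore.net/mage/mage.js"></script>
<script src="//neweggstats.com/collect.js"></script>
</head><body><form id="billing"></form></body></html>"""


if __name__ == "__main__":
    for src, finding in audit_scripts(SAMPLE_HTML, "newegg.com", {"feedify.net"}, ("newegg",)):
        print(f"{finding}: {src}")
```

Run it against a saved copy of each payment page on a schedule and diff the findings against the previous run; a new entry is exactly the signal that was missing in both incidents.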

Typically hackers attempt to compromise third-party features that could allow them to access a large number of websites.

According to the security firm RiskIQ, the MageCart group carried out a targeted attack against the British Airways and used a customized version of the script to remain under the radar.

Using the same tactic, the MageCart compromised the website using the Feedify service by injecting their malicious code into a library the Feedify script served to customers’ websites.

According to the experts from RiskIQ, MageCart hackers might have had access to the Feedify servers for nearly a month.

Once Feedify was notified of the compromise, the company removed the malicious script:


Magecart on Feedify. A customer engagement tool. According to their website 4000+ websites use their tooling/code. Fixed today after I notified them.@ydklijnsma @GossiTheDog

8:42 PM - Sep 11, 2018
Apparently, however, the hackers re-infected the library.

Yonathan Klijnsma

FYI: Feedify is re-infected with Magecart since about an hour ago, exact time of infection is: Wed, 12 Sep 2018 14:16:02 GMT.

URL: hxxps://cdn[.]feedify[.]net/getjs/feedbackembad-min-1.0.js

/cc @Placebo52510486 @GossiTheDog @_feedify

Yonathan Klijnsma

They've been affected by Magecart since Friday, August 17 2018 @ 16:51:01 GMT as we recorded it. https://twitter.com/Placebo52510486/status/1039585013057118209 …

5:22 PM - Sep 12, 2018
The events demonstrate the ability of the MageCart crime gang to compromise the infrastructure of its victims.

In August, security expert Willem de Groot discovered that the MagentoCore skimmer at the time already infected 7,339 Magento stores.

At the time, querying the PublicWWW service made it possible to verify that the MagentoCore script was deployed on 5,214 domains; the number of compromised websites is still high (4,762) despite the awareness campaign.

Cobalt crime gang is again using CobInt malware in attacks on former Soviet states
13.9.2018 securityaffairs CyberCrime

The Russian Cobalt crime gang was particularly active in the last month; a new report confirms massive use of the CobInt malware in recent attacks.
Security researchers from Proofpoint reported the massive use of the CobInt malware by the Cobalt group in recent attacks. The CobInt name is based on the association of the malware with the “Cobalt Group” and an internal DLL name of “int.dll” used in some of the samples detected by the experts.

On August 13, 2018, security experts from Netscout’s ASERT uncovered a new campaign carried out by the Cobalt crime gang. The hackers also targeted NS Bank in Russia and Carpatica/Patria in Romania.

The Cobalt crime gang has been active since at least 2016 and has targeted banks worldwide. The group leverages spear-phishing emails to compromise target systems, spoofing emails from financial institutions or from a financial supplier/partner.

The attackers exploited several vulnerabilities in Microsoft Office, including CVE-2017-8570, CVE-2017-11882, and CVE-2018-0802.

The group also targeted entities in other sectors, including Government agencies, Telco, Internet service providers, manufacturing, entertainment, and companies in the healthcare industry.

Early this year the hacker group used the malware as a first-stage downloader, but in later attacks the crew stopped using it. CobInt is a multi-stage malware dropped by the group via malicious Office documents created using the ThreadKit builder kit.

Since July, the Cobalt crime gang has again used the CobInt backdoor in many attacks, including those aimed at the Russian and Romanian banks.

In August, Proofpoint experts observed at least four campaigns of the group leveraging the CobInt malware.

“We have also observed an actor commonly known as Cobalt Gang (or Group) using another new downloader that shares many of these characteristics since early 2018. Group-IB named this malware “CobInt” and released a report on its use by Cobalt Gang in May [3]. While we noticed that Cobalt Gang appeared to stop using CobInt as a first-stage downloader around the time researchers at Group-IB published their findings, they have since returned to using the downloader as of July.” reads the analysis published by Proofpoint.

Below is the list of the attacks carried out by the Cobalt crime gang in the last weeks, with the date, description and exploited CVEs of each:

August 2, 2018: Attackers used messages with the subject “Подозрение на мошенничество” (Translated from Russian: “Suspicion of fraud”) purporting to be from “Interkassa” using a sender email address with a lookalike domain “denis[@]inter-kassa[.]com”.
August 14, 2018: Attackers used messages spoofing the Single Euro Payments Area (SEPA) with lookalike sender domains sepa-europa[.]com or sepa-europa[.]info and subjects such as “notification”, “letter”, “message”, and “notice”. The messages (Figure 1) contained exploits for CVE-2017-8570, CVE-2017-11882, or CVE-2018-0802.
August 16, 2018: Attackers used messages purporting to be from Alfa Bank using a lookalike domain aifabank[.]com and subjects such as “Fraud Control”, “Фрауд” (Translates to “Fraud”), “Предотвращение хищения” (Translates to “Prevention of theft”), and “Блокирование транзакций” (Translates to “Transaction Blocking”). Exploited CVEs: CVE-2017-8570, CVE-2017-11882, or CVE-2018-0802.
September 4, 2018: Attackers used messages purporting to be from Raiffeisen Bank using the lookalike sender domain ralffeisen[.]com and subjects such as “Fraudulent transaction”, “Wire Transfer Fraud”, and “Request for data”. Exploited CVE: CVE-2018-8174.


Malware analysis reveals that CobInt is a downloader written in C that can be broken up into three stages: an initial downloader for the core component, the core component itself, and several additional modules.

The first stage downloader disguises its activity by the use of Windows API function hashing and downloads the second stage via HTTPS.

The main component downloads and executes various modules from its C&C. C&C hosts are stored in a 64-byte chunk of encrypted data that can be decrypted by XORing with a 64-byte XOR key.

The malware supports the following commands:

load/execute module;
stop polling C&C;
execute function set by module;
update C&C polling wait time.
These, Proofpoint notes, are reconnaissance steps that the attackers are likely to follow with the deployment of additional modules to the compromised systems of interest.

“CobInt provides additional evidence that threat actors — from newer players we featured in our AdvisorsBot blog to established actors like TA505 and Cobalt Group– are increasingly looking to stealthy downloaders to initially infect systems and then only install additional malware on systems of interest.” Proofpoint concludes.

“As defenses improve across the board, threat actors must innovate to improve the returns on their investments in malware and infection vectors, making this approach consistent with the “follow the money” theme we have associated with a range of financially motivated campaigns over the years. This appears to be the latest trend as threat actors look to increase their effectiveness and differentiate final payloads based on user profiles”

Further details, including IoCs, are reported in the analysis published by Proofpoint.

US charges North Korea agent over Sony Pictures hack and WannaCry
7.9.2018 securityaffairs CyberCrime

The U.S. Department of Justice charged a North Korean agent over WannaCry and the 2014 Sony Pictures Entertainment hack.
The U.S. Department of Justice announced charges against a North Korean government spy who was involved in the massive WannaCry ransomware attack and the 2014 Sony Pictures Entertainment hack.

“the Justice Department charged on Thursday in a 174-page criminal complaint that detailed how hackers caused hundreds of millions of dollars’ worth of damage to the global economy.” states the NYT.

“Only one North Korean, Park Jin-hyok, was named — charged with computer fraud and wire fraud in the 2014 hack of Sony Pictures Entertainment.”


The individual charged by the US DoJ is Park Jin Hyok, an expert who works for the North Korean military intelligence agency, the Reconnaissance General Bureau (RGB).

The man, also known as Pak Jin Hek, is also linked to the dreaded Lazarus APT Group.

The complaint against Mr. Park was filed under seal on June 8, just a few days before the summit meeting between Trump and Mr. Kim in Singapore.

The complaint also describes a hacking unit working for North Korea’s intelligence agency that operates out of China and other Asian nations.

The 2014 Sony Pictures Entertainment hack was carried out by Pyongyang in retaliation for the production of the comedic film “The Interview”, which mocks the North Korean leader Kim Jong Un.

At the time, the US law enforcement suspected the involvement of North Korea’s Unit 121, which is the group of hackers working under the direction of the General Bureau of Reconnaissance.


Hackers wiped many of the company’s computers and exfiltrated over 200GB of sensitive data, including upcoming movie scripts, celebrities’ phone numbers, employee data and versions of then-unreleased films.

WannaCry infected 200,000 computers across 150 countries within hours of the start of the massive attack. It took advantage of a tool named “Eternal Blue”, originally created by the NSA, which exploited a vulnerability present in earlier versions of Microsoft Windows. The tool had been stolen by a hacking group named “Shadow Brokers”, which leaked it to the world in April 2017.

The ransomware infected systems in any industry and also targeted critical infrastructures such as hospitals and banks.

US intelligence highlighted that North Korean hackers were free to operate from China. Chosun Expo Joint Venture helped fund North Korean hacking groups by covering their activities with legitimate programming work from an office in Dalian, China. According to the complaint, some customers were aware the employees “were North Korean computer programmers connected to the government.”
Mr. Park, who worked there from 2011 to 2013, and his colleagues were overseen by a company manager and a North Korean political attaché, the Justice Department said.

Hyok worked in China from at least 2011 to 2013 and returned to North Korea shortly before the attack against Sony Pictures in November 2014.

The investigation is still ongoing; investigations of this kind are very difficult and cannot leverage classified information from the intelligence agencies.

“In order to get admissible evidence,” said John Carlin, the former head of the Justice Department’s National Security Division, “prosecutors have to work through any issues the intelligence community might have.”

U.S. Charges North Korean Over Lazarus Group Hacks
7.9.2018 securityweek CyberCrime

The U.S. Department of Justice on Thursday announced charges against a North Korean national who is believed to be a member of the notorious Lazarus Group, to which governments and the cybersecurity industry have attributed several high profile attacks.

The suspect is Park Jin Hyok, who according to the DOJ worked for a North Korean government front company known as Chosun Expo Joint Venture and Korea Expo Joint Venture (KEJV). The Democratic People’s Republic of Korea allegedly used this company, which also has offices in China, to support its cyber activities.

The complaint, filed on June 8 in a U.S. District Court in Los Angeles and made public on Thursday, accuses Park and other members of the Lazarus Group of conducting destructive cyberattacks that resulted in “damage to massive amounts of computer hardware and extensive loss of data, money and other resources.”

The complaint describes both successful and unsuccessful campaigns of the threat actor, but it focuses on four operations: the 2014 Sony Pictures Entertainment hack, the $81 million cyber heist from the central bank of Bangladesh in 2016, the 2017 WannaCry ransomware attack, and attempts to breach the systems of several U.S. defense contractors, including Lockheed Martin, over the course of 2016 and 2017.

Five Eyes countries and Japan last year officially blamed North Korea for the WannaCry attack.

According to the DOJ, Park worked as a computer programmer at KEJV, which has been linked to DPRK military intelligence. Park allegedly did programming work for the company’s paying clients, while also engaging in malicious activities on behalf of Pyongyang.

The man has been charged with one count of conspiracy to commit computer fraud and abuse, for which he faces up to five years in prison, and one count of conspiracy to commit wire fraud, which carries a sentence of up to 20 years in prison.

“DPRK cyber adversaries represent some of the most active and disruptive threat groups today,” said Dmitri Alperovitch, CTO and co-founder of CrowdStrike. “Their tradecraft continues to grow in sophistication, leveraging cyber capabilities for conducting data exploitation, data destruction, cyber espionage and financially-motivated criminal activity — often costing organizations millions of dollars in damages. In the past year, we’ve witnessed DPRK commit to expansive cyber operations in support of their ability to service regime priorities and effectuate national interest. These crimes have impacted the global financial system and nearly every sector of the economy.”

“One of the most important steps taken towards achieving effective cyber deterrence is the attribution of these attacks and holding the perpetrators accountable, as we witnessed today by the announcement of the US Department of Justice,” Alperovitch added.

FDD Senior Fellow David Maxwell, who specializes in North Korea’s nuclear and cyber threats, noted that the charges represent a critically important development.

“Although there is a significant time lapse between the hack and this indictment, it shows that the U.S. is tracking the North Korea threat, and that despite the current nuclear diplomacy the U.S. will pursue cyber operatives and hacker/criminals who wish to do the U.S. and the U.S. economy harm,” Maxwell said via email.

“The U.S. has to address cyber threats, though this is just one very small step toward improving cyber defenses. The U.S. has to make it known it will hunt down hackers who do us harm, whether they are individuals or working for state actors such as North Korea,” he added.

This is not the first time the United States has charged foreign nationals over cyberattacks believed to have been sponsored – or at least condoned – by their respective governments. The DOJ in the past years unsealed indictments against Chinese, Russian, Syrian and Iranian nationals.

Google paid millions of dollars to track offline purchases using Mastercard data
4.9.2018 securityaffairs CyberCrime

Google has paid Mastercard millions of dollars to access offline transactions of its users, the news was revealed by Bloomberg.
New problems for Google: experts discovered a secret agreement between the tech giant and Mastercard to track user purchases offline.

The embarrassing agreement was revealed by Bloomberg that cited four unidentified people with knowledge of the deal.

Google used Mastercard data to track whether its ads led to a sale at a physical store in the U.S.

Google and Mastercard signed the agreement after a four-year negotiation; it gives Google access to all Mastercard transaction data in the US.

Neither Mastercard nor Google has ever disclosed the deal, and roughly two billion Mastercard holders are unaware that Big G was tracking them.

“Alphabet Inc.’s Google and Mastercard Inc. brokered a business partnership during about four years of negotiations, according to four people with knowledge of the deal, three of whom worked on it directly.” reads the report published by Bloomberg.

“The alliance gave Google an unprecedented asset for measuring retail spending, part of the search giant’s strategy to fortify its primary business against onslaughts from Amazon.com Inc. and others.”

Google used the data to fuel a new tool for advertisers, called Store Sales Measurement, that is currently in a test phase for a restricted group of advertisers. The tool aims at tracking the conversion rate of online advertisements into real-world retail sales.

Google has never revealed the source of the data used by its Store Sales Measurement service; since its presentation, the company has only declared that its customers had access to approximately 70% of U.S. credit and debit cards through partners.

“People don’t expect what they buy physically in a store to be linked to what they are buying online,” said Christine Bannan, counsel with the advocacy group Electronic Privacy Information Center (EPIC).

“There’s just far too much burden that companies place on consumers and not enough responsibility being taken by companies to inform users what they’re doing and what rights they have.”

This suggests that Google has deals not only with Mastercard but with other credit card companies as well, together covering 70% of the people who use credit and debit cards in the United States.

However, users can reportedly opt out of offline ad tracking simply by turning off “Web and App Activity” in their Google account.

Mastercard denied that it has provided personal information to any third parties.

“Regarding the [Bloomberg] article you cited, I’d quickly note that the premise of what was reported is false. The way our network operates, we do not know the individual items that a consumer purchases in any shopping cart—physical or digital,” a Mastercard spokesperson said in a statement:

“No individual transaction or personal data is provided. That delivers on the expectation of privacy from both consumers and merchants around the world. In processing a transaction, we see the retailer’s name and the total amount of the consumer’s purchase, but not specific items.”

Cobalt cybercrime gang targets Russian and Romanian banks
2.9.2018 securityaffairs CyberCrime

On August 13, ASERT observed the Cobalt crime gang actively pushing a new campaign aimed at institutions in eastern Europe and Russia.
Security experts from Netscout’s ASERT uncovered a new campaign carried out by the Cobalt cybercrime group.

The attacks were detected on August 13, 2018; the experts revealed that the hackers also targeted NS Bank in Russia and Carpatica/Patria in Romania.

The Cobalt crime gang has been active since at least 2016 and has targeted banks worldwide.

Cobalt hackers leverage spear-phishing emails to compromise target systems; the messages spoof emails from financial institutions or from a financial supplier/partner.

The new campaign discovered by Netscout’s ASERT researchers presents a novelty: one of the phishing emails sent by Cobalt contains two separate malicious URLs, one pointing to a weaponized Word document and the other to a binary with a .jpg extension.

The experts also detected two malware samples used in the campaign: a JavaScript backdoor and another piece of malicious code tracked as COOLPANTS, a reconnaissance backdoor associated with the group.

COOLPANTS borrows code from the CobInt backdoor; 28 of its 57 functions matched using Diaphora, a tool that compares binaries.


The backdoor connects to hxxps://apstore[.]info, a domain already identified by researchers from Proofpoint as a command and control for Cobalt malware.

2831589 - ETPRO TROJAN Cobalt Group Downloader (apstore .info in DNS Lookup) (trojan.rules)
2831590 - ETPRO TROJAN Cobalt Group Downloader (apstore .info in TLS SNI) (trojan.rules)
Experts from ASERT detected, on 13 August 2018, a new sample of COOLPANTS compiled on 1 August 2018. This sample connects to rietumu[.]me as its C2; the analysis of the domain led to the discovery of the email address solisariana[@]protonmail[.]com, associated with five other new domains all created on 1 August 2018 (compass[.]plus; eucentalbank[.]com; europecentalbank[.]com; inter-kassa[.]com; and unibank[.]credit).

The domains were clearly used to target the financial institutions.

“Hunting for samples associated with inter-kassa[.]com leads to a phishing email uploaded to VirusTotal, d3ac921038773c9b59fa6b229baa6469. At the time of analysis, VirusTotal scored the phishing email with a 0, indicating nothing malicious was identified by the anti-virus engines.” reads the report.

“Most of the email content appears benign except for a link embedded in the message. The name “Interkassa” appears to be a payment processing system which makes it a prime masquerading target for attackers as noted in the tactics employed by the Cobalt Group for this ongoing campaign.”

The experts used the inter-kassa domain to search for associated malicious campaigns. They found only a spear-phishing email dated 2 August 2018, addressed to NS Bank and sent by “Interkassa.” The mail pretends to be sent from Denys Kyrychenko, co-owner and CTO of Interkassa.

The phishing message includes two malicious links. One of them points to a weaponized Word document with an embedded VBA script. If the victim enables the macros, the script generates a cmd.exe command that launches cmstp.exe with an INF file. The INF file connects to the C2 to fetch a payload that is then executed by cmstp.exe.

The attackers used a JavaScript backdoor, tracked as ‘more_eggs,’ that is identical to a backdoor discovered last year by Trend Micro and attributed to the Cobalt cybercrime gang.

The backdoor supports the following commands that allow Cobalt to take over an infected system:

d&exec – Downloads and executes a PE file.
more_eggs – Downloads an update for itself.
gtfo – Delete itself and related registry entries.
more_onion – Executes the “new” copy of itself.
vai_x – Executes a command via cmd.
The second link in the spear-phishing email connects to the C2 to download an executable rather than an image file. Unfortunately, at the time of analysis, the C2 was not responding.

ASERT also discovered another campaign allegedly linked to the Cobalt group, targeting the Romanian carpatica[.]ro by masquerading as the Single Euro Payments Area (SEPA).

“ASERT believes Cobalt Group will continue targeting financial organizations in Eastern Europe and Russia based on the observables in this campaign and their normal modus operandi.” concludes ASERT.

“ASERT also recommends that employees are trained to spot phishing emails and, where possible, closely inspect emails for look-alike domains that might contain malicious attachments or links.”

Further details, including IoCs, are reported in the analysis published by the researchers.

New Cobalt Campaign Targets Russian and Romanian Banks
31.8.2018 securityweek CyberCrime

A new campaign by the Russia-based Cobalt hacking group was observed on August 13, 2018. Cobalt is best-known for targeting financial institutions, and this campaign is no different. Two targets have been identified to date: NS Bank in Russia and Carpatica/Patria in Romania.

Cobalt has been operating since at least 2016. So far it is credited with the theft of $9.7 million from the Russian MetakkinvestBank; ATM thefts of $2.18 million from Taiwan banks; a SWIFT attack on Russian banks; and more than 200 other attacks on banks in Europe, Thailand, Turkey and Taiwan. Last year it was reported that Cobalt had expanded its range into also targeting government, telecom/Internet, service providers, manufacturing, entertainment, and healthcare organizations, often using government organizations and ministries as a stepping stone for other targets.

A common theme for Cobalt is to start with spear-phishing emails to gain the initial entry. In financial attacks, the emails usually masquerade as other financial institutions or a financial supplier/partner domain to gain the target's trust.

In an analysis of the new campaign, Netscout's ASERT researchers show numerous parallels with known Cobalt TTPs and tools -- but with one new divergence. One of the phishing emails it has discovered contains two separate malicious URLs. The first is a weaponized Word document, while the second is a binary with a .jpg extension.

The researchers uncovered two malware samples that connect the new campaign to Cobalt. The first was a JavaScript backdoor that shares functionality with other backdoors. The second is COOLPANTS, a reconnaissance backdoor linked to Cobalt and originally found by researcher Szabolcs Schmidt. The new report notes that COOLPANTS appears to be an evolution of CobInt -- 28 of its 57 functions match under the comparison tool Diaphora. Furthermore, COOLPANTS connects to hxxps://apstore[.]info, which Proofpoint describes as a Cobalt C2.

On 13 August 2018, ASERT found a new sample almost identical to COOLPANTS. It was compiled at the same time on 1 August 2018. Its 48 functions match those in COOLPANTS under the 'Best Match' tab in Diaphora. This sample, however, has rietumu[.]me as its C2. Inspecting rietumu[.]me, ASERT found the email address, solisariana[@]protonmail[.]com. Pivoting from this address, it found five more new domains all created on 1 August 2018.

The domains are compass[.]plus; eucentalbank[.]com; europecentalbank[.]com; inter-kassa[.]com; and unibank[.]credit. Each one is clearly designed to masquerade as the domain of a financial services organization. The real Interkassa, for example -- and according to its genuine website -- is a payments processing firm based in Ukraine.

The researchers used the inter-kassa domain and searched for samples. They found a spear-phishing email that bears all the hallmarks of a Cobalt campaign, dated 2 August 2018. It is addressed to bulavina AT ns-bank DOT ru and sent by "Interkassa" <denis AT inter-kassa DOT com>. Interestingly, LinkedIn lists a Denys Kyrychenko as co-owner and CTO of Interkassa.

It is this email that provides two embedded malicious links. One calls a weaponized Word document with an embedded VBA script. If macros are allowed, the script generates a cmd.exe command that launches cmstp.exe with an INF file. The INF file beacons back to the C2 to download a payload that is executed by cmstp.exe.
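The macro-to-cmd.exe-to-cmstp.exe chain described here and in the securityaffairs write-up above can be spotted in endpoint process-creation telemetry. The following is an added example, not code from ASERT's report; the record layout (parent image, image, command line) is a constructed simplification rather than any product's log schema, and the list of suspicious parent processes is an assumption.

```python
# Added example, not from ASERT's report: flag cmstp.exe launched with an INF
# file, scoring higher when the parent is a shell or Office process (the
# macro -> cmd.exe -> cmstp.exe chain). Record format is a constructed
# simplification, not a real product's log schema.
import re
from typing import Dict, List

# A .inf argument, optionally quoted, terminated by a quote, whitespace or end.
INF_ARG = re.compile(r'"?([^\s"]+\.inf)(?="|\s|$)', re.IGNORECASE)
# Parents that should not normally be driving cmstp.exe (assumption for scoring).
SUSPICIOUS_PARENTS = {"cmd.exe", "powershell.exe", "winword.exe", "excel.exe"}


def _basename(path: str) -> str:
    """Lowercase file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_cmstp_inf(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert per record where cmstp.exe is launched with an INF file."""
    alerts = []
    for rec in records:
        if _basename(rec["image"]) != "cmstp.exe":
            continue
        match = INF_ARG.search(rec["command_line"])
        if not match:
            continue
        parent = _basename(rec["parent_image"])
        severity = "high" if parent in SUSPICIOUS_PARENTS else "medium"
        alerts.append({"severity": severity, "parent": parent, "inf": match.group(1)})
    return alerts


# Constructed sample records: a benign service, the macro-driven chain, and a
# cmstp launch with no INF argument.
SAMPLE_RECORDS = [
    {"parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "command_line": r'cmstp.exe "C:\Users\victim\AppData\Local\Temp\profile.inf"'},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmstp.exe",
     "command_line": r"cmstp.exe /?"},
]

if __name__ == "__main__":
    for alert in detect_cmstp_inf(SAMPLE_RECORDS):
        print(alert)
```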

The eventual JavaScript backdoor -- named 'more_eggs' -- is almost identical to the backdoor analyzed by Trend Micro this time last year and attributed to Cobalt. Both provide five commands that essentially allow attackers to take over an infected system.

These commands are d&exec (downloads and executes a PE file); more_eggs (downloads an update for itself); gtfo (deletes itself and related registry entries); more_onion (executes the 'new' copy of itself); and vai_x (executes a command via cmd). Only the last command differs between the two versions, with the earlier one having the name more_power for vai_x.

The second URL in the spear-phishing email, with a dot-jpg filename, downloads an executable rather than an image file. This also ultimately beacons to its C2 server, which was not -- at the time of analysis -- responding.

ASERT is confident that this, and another campaign discovered by Intel471 targeting Romanian carpatica[.]ro by masquerading as Single Euro Payments Area (SEPA), are both the work of the Cobalt group. Only the use of two separate infection points in one email with two separate C2s makes this campaign unusual. "One could speculate that this would increase the infection odds," comments the report -- for example, if Word macros are successfully disallowed by the target, he or she might still succumb to the disguised jpg.

"ASERT believes," says the report, "Cobalt Group will continue targeting financial organizations in Eastern Europe and Russia based on the observables in this campaign and their normal modus operandi." It is worth mentioning that Trend Micro has suggested that COBALT starts by targeting Russia and the old USSR states to test out its methodology before moving on to European and other targets.

ASERT is the threat intelligence team of Arbor Networks, which is the security division of NETSCOUT.

How Cybercriminals Are Using Blockchain to Their Advantage
30.8.2018 securityweek CyberCrime

Cybercriminals Have Been Experimenting With a Blockchain Domain Name System (DNS)

The takedowns of AlphaBay and Hansa in 2017 by law enforcement gave rise to much speculation about the future of dark web marketplaces. As I’ve discussed before, an environment of fear and mistrust is driving the cybercriminal community to incorporate alternative technologies to improve security and remain below the radar as they conduct illicit business online. One such technology is blockchain.

When most people hear the term “blockchain” they typically think of cryptocurrencies and other applications where transactions and interactions among a community of users must be executed with a high degree of trust, efficiency and transparency. However, if we consider the recent challenges that administrators of online criminal forums have encountered, it only makes sense that they would explore applications for blockchain. To that end, some have been experimenting with a blockchain domain name system (DNS) as a way of hiding their malicious activity and bullet-proofing their offerings.

A blockchain DNS is different from a traditional DNS. Typically, when we type a website into an Internet browser, a computer will query a DNS server for an IP address. Essentially, this is the Internet equivalent of a phone book. It includes the name of the entity and then, after the “dot”, the extension known as the Top Level Domain (TLD), which could be .com, .gov, .edu, .uk, .de, etc. The TLD is controlled by a central authority such as the Internet Corporation for Assigned Names and Numbers (ICANN) with a global reach, or regional authorities like Nominet in the U.K. or DENIC in Germany. In contrast, blockchain DNS is a decentralized DNS. Blockchain TLDs – including .bit, .bazar and .coin – are not owned by a single central authority. DNS lookup tables are shared over a peer-to-peer network and use a different technology from traditional DNS requests.

Decentralized DNS offers many benefits such as countering censorship by authorities (for example if a government orders all Internet Service Providers in a country to stop redirecting domains to a relevant IP address), or preventing DNS spoofing, where attackers can insert corrupt DNS data so that the name server returns an incorrect IP address and redirects traffic to an attacker computer. However, decentralized DNS can also be abused by attackers for malicious purposes. As blockchain domains do not have a central authority and registrations contain unique encrypted hashes rather than an individual’s name and address, it is harder for law enforcement to perform site takedowns. The following are just a few examples of bad actors using blockchain.
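Because the blockchain TLDs named above (.bit, .bazar, .coin) are not served by the public DNS, any host on a corporate network asking the ordinary resolver for such a name is worth a look. The following is an added example, not part of the article: it scans DNS query log lines for names whose top-level label is one of those TLDs. The log line format ("<timestamp> <client_ip> <qname>") is a constructed simplification.

```python
# Added example, not from the article: find DNS queries for names under the
# blockchain TLDs the article lists. Log line format is constructed:
# "<timestamp> <client_ip> <qname>".
from typing import List, Tuple

BLOCKCHAIN_TLDS = {"bit", "bazar", "coin"}


def tld_of(qname: str) -> str:
    """Lowercase last label of a query name, ignoring a trailing dot."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-1] if labels else ""


def is_blockchain_name(qname: str) -> bool:
    """True only when the TLD itself is a blockchain TLD, not just a label in the name."""
    return tld_of(qname) in BLOCKCHAIN_TLDS


def find_blockchain_queries(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, normalized qname) for each query under a blockchain TLD."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line, skip rather than crash
        client, qname = parts[1], parts[2]
        if is_blockchain_name(qname):
            hits.append((client, qname.rstrip(".").lower()))
    return hits


# Constructed sample log: two ordinary names, two blockchain-TLD names (one in
# mixed case), a name that merely contains "bazar" as a label, and a bad line.
SAMPLE_LOG = [
    "2018-08-30T10:00:01Z 10.0.0.12 www.example.com.",
    "2018-08-30T10:00:02Z 10.0.0.12 shop.example.bazar.",
    "2018-08-30T10:00:03Z 10.0.0.7 Market.Coin",
    "2018-08-30T10:00:04Z 10.0.0.7 bazar.example.com",
    "malformed line",
]

if __name__ == "__main__":
    for client, name in find_blockchain_queries(SAMPLE_LOG):
        print(client, name)
```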

Back in January 2016, one of the first groups to employ blockchain DNS to create a .bazar domain in an attempt to better secure their operations was a group known as The Money Team. In July 2017, the Joker’s Stash, a popular Automated Vending Cart (AVC) site used to purchase stolen payment card details, began using blockchain DNS alongside its established Tor (.onion) domain. Users wanting to access the .bazar version of the site need to install a blockchain DNS browser extension or add-on. Other AVC sites and forums used to trade stolen account information have also been experimenting with peer-to-peer DNS technology.

Blockchain technology has also allowed users to realize alternative models for online marketplaces. The site known as Tralfamadore, for example, uses blockchain as its back-end to store the necessary databases and code to support front-end user interfaces. Transactions are made using cryptocurrency and recorded as smart contracts on the blockchain. The aim is to improve trust among users of the site as all transactions are permanently recorded and scam vendors can be more easily identified.

Another marketplace using blockchain technology is the site OpenBazaar. This project began in April 2016 and its userbase has increased steadily since then. In the first half of 2018, the number of new users on the site has risen by roughly 4,000, while the items for sale have gone up from 18,000 to over 27,000. Despite these gains, OpenBazaar has not been used for cybercriminal activity to any great extent, and the majority of items listed on the site would not be classed as illicit.

Despite these examples, it’s important to remember that as with most things in life, there are tradeoffs. The use of blockchain for cybercriminal activity is no exception. The primary issue preventing its wider adoption is that with blockchain-based platforms all interactions are publicly recorded. This goes against the strong desire by many users to engage in private messaging. Many cybercriminals are choosing to conduct their business away from dark web marketplaces and underground forums altogether. Instead, they are using their site to advertise their service and then directing users to dedicated channels on Jabber, Internet Relay Chat (IRC), Skype, Discord and Telegram to conduct their business. Buyers can contact sellers directly through peer-to-peer networks and private chat channels and execute transactions using cryptocurrencies or electronic payment services.

As cybersecurity professionals, we should continue to monitor for an uptick in the adoption of blockchain for the buying and selling of illicit goods. And while we’re at it, we should also continue to assess other emerging technologies that could be used for nefarious purposes. Because as long as there is a market for what cybercriminals have for sale – everything from compromised accounts and stolen payment cards to counterfeit goods – you can be sure they’ll find new and creative ways to profit.

Notorious Cybercriminal Released From Prison
29.8.2018 securityweek CyberCrime

Earlier this month, Belarusian authorities released from prison Sergey Yarets, a notorious cybercriminal and co-developer of the Andromeda botnet.

Yarets, who used the online moniker of Ar3s, was arrested in late November 2017, when Federal Bureau of Investigation (FBI) and law enforcement agencies in Europe dismantled the Andromeda botnet.

Also known as Gamarue or Wauchos, Andromeda has been around since 2011, its primary purpose being that of credential theft and malware distribution. Detected on over 1 million machines each month during the second half of 2017, the botnet had been associated with 80 malware families.

At the time of takedown, security researchers identified 464 distinct Andromeda botnets and 1,214 domains and IP addresses of command and control (C&C) servers. In January this year, ESET warned of difficult cleaning efforts for such a long-lived botnet and said Andromeda would die a slow death.

Despite Andromeda’s size (victims were identified in over 200 countries) and the considerable effort international law enforcement agencies and private organizations put into taking it down, Yarets was released on August 9, 2018.

When arrested, Yarets was charged for his involvement in the sale, maintenance, and use of Andromeda. A resident of Rechitsa, Gomel Region, Belarus, he was formerly a technical director at OJSC “Televid” Tele-Radio, threat intelligence provider Recorded Future reveals.

Opposition news agency Radio Svaboda, the only Belarusian media outlet to have reported the release, says that Yarets was ordered to pay $5,500 as retribution for the income made from the botnet, and that his apparent cooperation with the authorities was what led to his quick release.

As per Radio Svaboda Belarus’ reporting, Yarets’s lawyer “elaborated that Yarets’s extraordinary knowledge should serve the country’s interests and that there was no evidence of damage done to Belarusian citizens or organizations because Yarets did not target member countries of the Commonwealth of Independent States,” Recorded Future notes.

Yarets apparently claimed that Andromeda was created by a “genius and alcoholic” developer, supposedly the Russian threat actor waahoo. Yarets claims he received the exclusive rights of the Andromeda Trojan in 2012.

Although waahoo apparently continued to be involved in the Trojan’s development until approximately 2015, Yarets was the only one responsible for Andromeda’s operation at the time of his arrest.

“The Belarusian investigators and judges most likely knew this but did not take it into account for unknown reasons,” Recorded Future notes.

“This case is an example of a selective approach toward the punishment of cybercriminals in ex-Soviet states, allowing them to avoid just punishment when states are interested in them, diminishing the importance and efficiency of international cooperation in this field,” the security firm concludes.

Three members of FIN7 (Carbanak) gang charged with stealing 15 million credit cards
3.8.2018 securityweek  CyberCrime

Three members of the cybercrime group tracked as FIN7 and Carbanak have been indicted and charged with 26 felony counts
Three members of the notorious cybercrime gang known as FIN7 and Carbanak have been indicted and charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

The gang stole over a billion euros from banks across the world; the name “Carbanak” comes from the name of the malware they used to compromise computers at banks and other financial institutions. The three suspects (Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kopakov, 30) are Ukrainians who were arrested last year in Europe between January and June.

Fedorov, a skilled hacker who is suspected to be a manager of the group, was arrested at the request of U.S. officials in Bielsko-Biala, Poland, in January and is currently awaiting extradition to the United States.

In January 2018 foreign authorities also arrested Fedir Hladyr in Dresden, Germany; he is currently detained in Seattle pending trial. Hladyr is suspected to be a system administrator for the group.

In late June 2018, foreign authorities arrested Andrii Kolpakov in Lepe, Spain. The man is suspected to be a supervisor of the group. He is currently detained in Spain pending the United States’ request for extradition.

According to the DoJ, the suspects stole more than 15 million credit cards from over 6,500 individual point-of-sale terminals at 3,600 business locations in 47 states.

“Three high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe have been arrested and are currently in custody facing charges filed in U.S. District Court in Seattle, announced Assistant Attorney General Brian A.” reads the press release published by the DoJ.

“In the United States alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.”


“The three Ukrainian nationals indicted today allegedly were part of a prolific hacking group that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information, that they then sold on the Darknet,” said Assistant Attorney General Benczkowski. “Because hackers are committed to finding new ways to harm the American public and our economy, the Department of Justice remains steadfast in its commitment to working with our law enforcement partners to identify, interdict, and prosecute those responsible for these threats.”
The trio has been accused of targeting hundreds of companies in the United States, and U.S. individuals. The list of victims is long and includes Chipotle Mexican Grill, Jason’s Deli, Sonic Drive-in, and Arby’s.

According to the European authorities, FIN7 developed sophisticated banking trojan tracked as Cobalt, based on the Cobalt Strike penetration testing tool, that was spread through spear-phishing campaigns aimed at employees at different banks.

Once the victims’ PCs were infected with the Carbanak malware, the hackers attempted to identify key people authorized to transfer money from the banks, in order to make transactions to fake accounts or ATMs under the gang’s control.

The three men could face many years in prison if convicted.

Researchers Stealthily Manipulate Road Navigation Systems
19.7.2018 securityweek CyberCrime

A team of researchers from Virginia Tech, the University of Electronic Science and Technology of China, and Microsoft Research has discovered a new and stealthy GPS spoofing method that has been proven to be highly effective against road navigation systems.

GPS spoofing has been around for many years. This attack method can in theory be used to trick drivers into going to an arbitrary location, but in practice the instructions provided by the targeted navigation system often contradict the physical road (e.g. make a left turn on a highway), making it less likely to work in a real-world scenario.

Researchers now claim to have discovered a more efficient method that is less likely to raise suspicion. Using this technique an attacker could trick the victim into following an incorrect route (e.g. cause ambulances and police cars to enter a loop route), deviate a targeted vehicle to a specific location, or cause the target to enter a dangerous situation (e.g. enter a highway the wrong way).

For the attack to work, the attacker needs to know the target’s approximate destination, and the most likely victim of this technique would be an individual who is not familiar with the area.

Using 600 real-world taxi routes from Manhattan and Boston, the researchers have created an algorithm that generates a virtual route mimicking the shape of real roads. The attack is most likely to work in a city where road networks are dense.

The attacker creates false GPS signals in an effort to set the final location to a nearby “ghost location.” The navigation system recalculates the new route, which researchers have dubbed the “ghost route,” and guides the victim, turn-by-turn, to the ghost location.

In order to avoid raising suspicion, the ghost route is generated based on the collected taxi trips. The search algorithm is run at each road segment in an effort to identify all possible attack (ghost) locations. During tests, the algorithm identified, on average, roughly 1,500 potential attack routes for each trip.


“The algorithm crafts the GPS inputs to the target device such that the triggered navigation instruction and displayed routes on the map remain consistent with the physical road network,” researchers said in their paper.

In some cases, if the original location is not on the route to the ghost location, the user may be informed by the navigation system that the route is being recalculated, but researchers have determined based on a survey that it might not raise too much suspicion considering that this can often occur in a real-world scenario.

These types of attacks can be carried out using a portable GPS spoofer, which costs roughly $200, from a distance of 40-50 meters (130-160 feet). The attacker can either follow the targeted vehicle or place the spoofer inside or under the targeted car and control it remotely.

The researchers reproduced the attack in a real-world scenario using their own car, which they drove after midnight in suburban areas to avoid causing any problems. They also asked 40 individuals (20 in the U.S. and 20 in China) to use a driving test simulator that was attacked via the newly discovered method. The attack’s success rate was 95%, with only one Chinese and one U.S. participant detecting the attack.

Dark Web Chatter Helpful in Predicting Real World Hacks, Firm Says
18.7.2018 securityweek  CyberCrime

Some hacks are serendipitous events for skiddies who happen across a website with an easily exploitable common vulnerability. Others, especially the major breaches of major enterprises, are planned and executed with care. Such planning often leaves traces of noise across the internet. IntSights, founded in 2015, searches both the surface and deep web for this noise, and converts it into actionable intelligence. It looks for evidence of planned attacks before they actually occur.

Financial services is one sector that is unlikely to fall to skiddie attacks. The bank heists of $4.4 million (NIC Asia Bank, November 2017), $60 million (Far Eastern Bank, October 2017) and $100 million (Post-Soviet Bank, Russia, February 2017) would have needed planning. IntSights is predicated on the idea that such planning may be detectable; and if detected, the attack can be mitigated.

It has found considerable growth in pre-attack indicators, matching the actual growth in real financial services attacks. An analysis (PDF) focuses on two categories of 'attack indicators' found on the internet: company or customer data offered for sale in a black market, and phishing email target lists. Based on this analysis, IntSights finds that financial organizations comprise the single most-attacked industry sector.

In the first six months of 2017, it found an average of 207 attack indicators per U.S. bank. By the first six months of 2018, this had risen to an average of 520 indicators per bank -- an increase of 151%.

These figures come from a similar year-on-year growth of 135% in instances of financial data being sold on dark web black markets, a 91% increase in corporate email addresses found on phishing target lists, a 40% increase in corporate credential leakage, and a 149% increase in stolen bank card information.

Following high-profile takedowns of major deep web marketplaces leading to arrests and prosecutions for the sale of illegal physical goods (such as drugs and guns), IntSights believes that these marketplaces are now concentrating on the sale of data. However, even this is evolving. While the deepest forums remain, criminals are increasingly distrustful of their fellow members -- and are shifting towards business hidden in plain sight on the surface web.

Over the same period, IntSights has seen a 49% growth in the creation of fake social media accounts -- or put another way, two new fake profiles targeting each individual bank per week.

"A fake profile," notes the report, "can lure users to phishing sites or downloading fake apps. It can pose as customer service and ask for confidential information. It can spread false information to misdirect the public, manipulate stock price or influence the public to buy or sell. Additionally, it can also be used to harvest personal data and enrich other personal data that the attacker might hold."

The report also notes that the three dominant hacking groups that attack the financial sector are Money Taker, Carbanak and Cobalt -- all believed to be situated in Russia. Money Taker is thought to be responsible for more than 20 successful attacks against financial institutions in the U.S., UK and Russia. Carbanak has been credited with more than 300 successful attacks on banks, financial institutions and retailers. Cobalt has been credited with the theft of $9.7 million from the Russian MetakkinvestBank; ATM thefts of $2.18 million from Taiwan banks; a SWIFT attack on Russian banks; and more than 200 other attacks on banks in Europe, Thailand, Turkey and Taiwan.

However, financial services aren't merely attacked by criminal gangs -- they also attract the attention of nation-state APT groups like Lazarus (North Korea). Lazarus has been credited with the 2014 attack on Sony Pictures; the WannaCry ransomware attack on multiple organizations around the world; the theft of $12 million from Banco del Austro in Ecuador; the theft of $1 million from Tien Phong Bank in Vietnam -- SWIFT attack; the theft of $81 million from the Central Bank of Bangladesh; the theft of $60 million from FEIB Bank in Taiwan; and the theft of $5 million from various banks in Nepal.

Based on its analysis of the activity it has tracked over the last 18 months, IntSights sees a continuously adapting and evolving financial services threat landscape -- some of which is already evident. Criminals will increasingly attack the supply chain, gaining access to large enterprises via their smaller suppliers. They will also look to compromise third-party software used by larger organizations -- a case in point being the recent Ticketmaster breach via Inbenta software.

IntSights also believes that direct extortion 'will become the new ransomware'. The huge fines that can be levied under new legislation such as the EU's General Data Protection Regulation (GDPR) will far exceed the amount that can be extorted by ransomware or the cost of recovering from ransomware. "Regulation fines and brand reputation damage," warns the report, "can be way more costly than downtime or lost data. Therefore, organizations are willing to pay more to not have a breach disclosed to the public, rather than pay to regain access to their data. Hackers will leverage this fear as a tactic to get more money."

Finally, IntSights notes that black market vendors are moving away from the deep web "to social media platforms (such as Facebook closed groups) and encrypted chat rooms (such as Telegram, ICQ and Jabber). We expect this trend to continue over the next year as it provides black market vendors with better privacy and secrecy."

"We see many financial organizations too focused on stopping direct attacks to their corporate systems," concludes Itay Kozuch, director of threat research at IntSights. "However, our research shows that cybercriminals have begun circumventing these defenses using social media, mobile application stores and phishing schemes.

"These tactics leverage an organization's brand and credibility to trick users and run scams, which can be even more costly and dangerous than direct attacks," he added. "We published our Financial Services Threat Landscape report to help these organizations widen their view of the threat landscape to not just protect against direct attacks, but protect their customers and prevent successful fraud."

Israel-born startup IntSights Cyber Intelligence raised $17 million in a Series C funding round led by Tola Capital in June 2018, bringing the total capital raised by the firm to $41.3 million.

Hacker offered for sale US Military Reaper Drone documents for $200
12.7.2018 securityaffairs CyberCrime

Researchers at threat intelligence firm Recorded Future have reported that a hacker was trying to sell US Military Reaper drone documents for less than $200.
The news is disconcerting: the hackers may have obtained the documents related to the Reaper drone by hacking into at least two computers belonging to U.S. military personnel.

“Specifically, an English-speaking hacker claimed to have access to export-controlled documents pertaining to the MQ-9 Reaper unmanned aerial vehicle (UAV). Insikt analysts engaged the hacker and confirmed the validity of the compromised documents.” reads the analysis published by Recorded Future.

“Insikt Group identified the name and country of residence of an actor associated with a group we believe to be responsible.”

Experts from Recorded Future contacted the hacker, who explained that he had obtained the documents by exploiting a vulnerability in Netgear routers that had been known since 2016.

The hacker used the Shodan search engine to discover vulnerable devices online and targeted them with the available exploit; evidently one of them gave the attacker access to the sensitive documents.


The compromised Netgear router was located at a Reaper station at Creech Air Force Base in Nevada, and it was simple for the hacker to compromise it.

The hacker stole Reaper maintenance course books and a list of airmen assigned to controlling the drone.

“Utilizing the above-mentioned method, the hacker first infiltrated the computer of a captain at 432d Aircraft Maintenance Squadron Reaper AMU OIC, stationed at the Creech AFB in Nevada, and stole a cache of sensitive documents, including Reaper maintenance course books and the list of airmen assigned to Reaper AMU.” states Recorded Future.

“While such course books are not classified materials on their own, in unfriendly hands, they could provide an adversary the ability to assess technical capabilities and weaknesses in one of the most technologically advanced aircrafts.”

The hacker also offered for sale a dozen training manuals describing improvised explosive device defeat tactics, how to operate an M1 Abrams tank, a file on tank platoon tactics, and a crewman training and survival manual.

Though Recorded Future couldn’t elicit the source of those docs from the hacker, the company said it appeared the files had been taken from a U.S. Army staffer.


The documents weren’t classified, but Recorded Future pointed out that their content was highly sensitive and could be abused by various threat actors, including terrorist organizations.

Recorded Future reported its discovery to the DHS in mid-June, which started an internal investigation.

“We will not comment on documents that were allegedly stolen, and cannot verify,” said a Department of Defense spokesperson.

If the source of the documents is confirmed, this incident raises questions about the lack of security on military personnel computers.

“Maybe government agencies should start looking into their own policies,” concludes Recorded Future researcher Andrei Barysevich. “Right now it seems to be a bigger problem than we had anticipated.”

Hackers steal $13.5 Million from Israeli Bancor exchange
11.7.2018 securityaffairs CyberCrime

The Israeli-based decentralized cryptocurrency exchange Bancor is the latest victim of a security breach in the cryptocurrency industry.
According to a statement published by the Bancor exchange, an unknown hacker has stolen roughly $13.5 million worth of cryptocurrency.

The security breach occurred on July 9, 2018 at 00:00 UTC. The attackers gained access to one of the wallets operated by the Israeli exchange; no user wallets were compromised.


This morning (CEST) Bancor experienced a security breach. No user wallets were compromised. To complete the investigation, we have moved to maintenance and will be releasing a more detailed report shortly. We look forward to being back online as soon as possible.

12:56 PM - Jul 9, 2018

The company moved its infrastructure to maintenance to conduct the investigation.
The Bancor exchange doesn’t operate as a classic exchange platform; it uses a mechanism based on smart contracts running on the Ethereum platform to improve the speed of transactions compared with classic exchange platforms.

“With Bancor exchange, every transaction is executed directly against a smart contract. This means that converting a cryptocurrency does not require matching two parties in real-time with opposite wants; rather, it can be completed by a single party directly through the token’s smart contract.” reads the company’s statement.


The attackers gained access to a company wallet and withdrew 24,984 Ether (ETH), worth roughly $12.5 million, from Bancor smart contracts, transferring the funds to a private wallet they controlled.

The attackers also withdrew 229,356,645 Pundi X (NPXS) ($1 million) from another wallet.

The attackers also withdrew 3,200,000 Bancor tokens (BNT) (roughly $10 million) that were obtained by Bancor last year as part of its ICO, which raised over $150 million. Fortunately, a security feature in Bancor tokens allowed the company to freeze the transfers of funds, making it impossible for the hackers to move them to other wallets.


Here is the latest update on the recent security breach:

10:35 PM - Jul 9, 2018

“It is not possible to freeze the ETH and any other stolen tokens,” reads the statement published by Bancor.

“However, we are working together with dozens of cryptocurrency exchanges to trace the stolen funds and make it more difficult for the thief to liquidate them.”

Bancor did not reveal how the hackers breached its wallet and stole the funds.

Russian police detained cybercriminals who broke into the accounts of 700,000 customers of popular Internet stores
27.6.2018 securityaffairs CyberCrime

The Ministry of Internal Affairs of the Russian Federation and Group-IB have detained cybercriminals who broke into the accounts of 700,000 customers of popular Internet stores
The Administration “K” of the MIA of Russia, with the assistance of Group-IB, an international company specializing in the prevention of cyberattacks and the development of information security products, detained two cybercriminals who were breaking into and stealing the accounts of loyalty program members from popular online stores, payment systems and bookmakers. In total, about 700,000 accounts were compromised, 2,000 of which the hackers put up for sale for $5 each. The detainees admitted on the spot that they had earned at least 500,000 rubles. However, the real amount of damage remains to be determined.

The investigation began in November 2015, after a large-scale cyberattack was made on the website of a large online store to gain access to the personal accounts of the store’s loyalty program members, who received bonuses for purchases. In a month, about 120,000 accounts were compromised.

It was discovered that the attackers had collected compromised account information from various Internet services on hacker forums and used special programs to automatically guess passwords of accounts on the website of the online store.

The cybercriminals took advantage of the fact that many users of the website use the same login/password pair on several resources. If a login and password from another service worked on the website of the store under attack, they took over that personal account. The hackers checked the amount of the accumulated bonuses and sold the compromised accounts on hacker forums at a price of $5 per account or 20-30% of the nominal balance of the accounts. The buyers then used them to pay for products with the bonuses.

It was quickly revealed that the hackers were engaged in more than selling compromised accounts. They also offered services for “hijacking” accounts—changing the phone number and e-mail on the accounts of the online store. The cost of that “service” was 10% of the bonus balance on the account.

To cover their tracks and hamper the companies’ security services, the hackers launched their attacks from different IP addresses, using anonymizers and changing the digital fingerprint of the browser (User-Agent). In all, requests for authorization came from more than 35,000 unique IP addresses.

After large retailers began to check all orders with payment bonuses carefully in early 2016, the hackers switched to other lesser-known online stores. In addition, the hackers began to work on tips—information about new online stores with bonus programs and coupon services where it was possible to access personal accounts, for which the attackers promised to pay up to 50% of the amount received from the further sale of the compromised accounts.
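A detector for the distributed credential-stuffing pattern described above (many source IPs, rotating User-Agent strings, one or two attempts per account), written as an added example that is not code from Group-IB or any of the affected stores; the log format, sample windows and thresholds are assumptions.

```python
"""Detecting distributed credential stuffing in a store's login log.

Constructed log format for this example (not any real product's format):
"<timestamp> <source_ip> <username> <OK|FAIL> <user_agent>".
"""
from dataclasses import dataclass


@dataclass
class WindowStats:
    attempts: int
    failures: int
    distinct_ips: int
    distinct_users: int
    distinct_agents: int


def parse(line):
    """Split one log line; the user agent may itself contain spaces."""
    ts, ip, user, result, agent = line.split(" ", 4)
    return ts, ip, user, result, agent


def window_stats(lines):
    """Aggregate one time window of login attempts."""
    ips, users, agents = set(), set(), set()
    attempts = failures = 0
    for line in lines:
        _, ip, user, result, agent = parse(line)
        attempts += 1
        ips.add(ip)
        users.add(user)
        agents.add(agent)
        if result == "FAIL":
            failures += 1
    return WindowStats(attempts, failures, len(ips), len(users), len(agents))


def is_credential_stuffing(stats, min_failures=20):
    """Flag the shape described in the article: mostly failures, almost every
    attempt from a different IP and against a different username. Thresholds
    are illustrative and must be tuned against a site's own baseline."""
    if stats.failures < min_failures:
        return False
    fail_ratio = stats.failures / stats.attempts
    ip_spread = stats.distinct_ips / stats.attempts       # ~1.0 when IPs rotate
    user_breadth = stats.distinct_users / stats.attempts  # ~1.0 for list replay
    return fail_ratio > 0.8 and ip_spread > 0.5 and user_breadth > 0.5


AGENTS = [  # rotated User-Agent strings, as the attackers did
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "Mozilla/5.0 (X11; Linux x86_64)",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13)",
    "Mozilla/5.0 (Linux; Android 8.0)",
]


def make_stuffing_window(n=60):
    """Constructed sample (n <= 254): one attempt per IP and per username, with a
    reused password matching every 20th account."""
    lines = []
    for i in range(n):
        result = "OK" if i % 20 == 19 else "FAIL"
        lines.append(f"2015-11-03T10:00:{i % 60:02d}Z 203.0.113.{i + 1} "
                     f"user{i:04d} {result} {AGENTS[i % len(AGENTS)]}")
    return lines


def make_normal_window():
    """Constructed sample: three returning customers, one mistyping twice."""
    lines = []
    for i in range(12):
        result = "FAIL" if i in (4, 5) else "OK"
        lines.append(f"2015-11-03T11:00:{i:02d}Z 198.51.100.{i % 3 + 1} "
                     f"customer{i % 3} {result} {AGENTS[i % 3]}")
    return lines


if __name__ == "__main__":
    for name, window in (("stuffing", make_stuffing_window()),
                         ("normal", make_normal_window())):
        stats = window_stats(window)
        print(name, stats, "->", is_credential_stuffing(stats))
```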

In the course of the investigation, Group-IB specialists established the identities of the intruders. The leader of the group was a resident of Ryazan Region, born in 1998, and his partner, who provided technical support for their joint online store, resided in Astrakhan Region and was born in 1997. In May 2018, both were detained by the Administration “K” of the MIA of Russia. During a search, evidence of their unlawful activities was seized, along with narcotics. The cybercriminals were charged under part 2 of article 272 (“Illegal Accessing of Computer Information”) and article 228 (“Illegal Acquisition, Storage, Transportation, … of Narcotic Drugs”) of the Criminal Code of the Russian Federation. The suspects have confessed. The investigation is continuing.

Flight Tracker Flightradar24 Hit by Data Breach
21.6.2018 securityweek  CyberCrime


Flightradar24, a highly popular flight tracking service based in Sweden, has instructed some users to change their passwords after detecting a breach on one of the company’s servers.

Earlier this week, some Flightradar24 users started receiving emails alerting them of a security breach in which email addresses and password hashes associated with accounts registered prior to March 16, 2016, may have been compromised.

Some of the individuals who received the notification complained that the emails looked like phishing attempts, especially since the company had not mentioned the incident on its website or social media channels. It has however confirmed to users who inquired via social media and the company’s forum that the emails are legitimate.

In response to posts on the Flightradar24.com forum, a company representative highlighted that no personal information was compromised, and noted that payment information is not stored on its systems.

Flightradar24 said it was confident that the incident had been contained after the targeted server was “promptly” shut down after the intrusion was detected.

The company did not specify which hashing algorithm was used for the exposed passwords, but noted that the compromised system had been retired and used an older algorithm that allows for the hashes to be cracked. Affected users’ passwords have been reset as a result. The flight tracker says it has been using a more secure hashing algorithm since 2016.

The company has not said how many users are impacted – its notification only mentions that the incident affects a “small subset of Flightradar24 users.” However, considering that the service is said to have more than 40 million users per month and its mobile applications are among the most installed apps on Google Play and the Apple App Store, even a “small subset” could be a significant number.

FlightRadar24 says it has notified the Swedish Data Protection Authority in order to comply with the EU’s General Data Protection Regulation (GDPR).

Experts warn hackers have already stolen over $20 Million from Ethereum clients exposing interface on port 8545
11.6.2018 securityaffairs  CyberCrime

A cybercriminal group has managed to steal a total of 38,642 Ether, worth more than $20,500,000, from clients exposing the unsecured interface on port 8545.
Cybercriminals who have raked in over 20 million dollars in the past few months by hijacking poorly configured Ethereum nodes exposed online are continuing their operations.

In March, security experts from Qihoo 360 Netlab reported a hacking campaign aimed at Ethereum nodes exposed online: crooks were scanning for port 8545 to find wallets that exposed their JSON-RPC interface.

According to the researchers, that cybercrime gang had stolen 3.96234 Ether (between $2,000 and $3,000) at the time; now they have tracked another criminal gang that has already stolen a staggering amount of funds, which are still sitting in its wallets.

Researchers claim the cybercriminal group has managed to steal a total of 38,642 Ether, worth more than $20,500,000.

360 Netlab
Remember this old twitter we posted? Guess how much these guys have in their wallets? Check out this wallet address https://www.etherchain.org/account/0x957cd4ff9b3894fc78b5134a8dc72b032ffbc464#transactions … $20,526,348.76, yes, you read it right, more than 20 Million US dollars https://twitter.com/360Netlab/status/974374944711815168 …

8:48 AM - Jun 11, 2018

“If you have a honeypot running on port 8545, you should be able to see the requests in the payload, which has the wallet addresses,” states the Qihoo 360 Netlab team. “And there are quite a few IPs scanning heavily on this port now.”

Geth is a popular client for running an Ethereum node; it allows users to manage the node remotely through its JSON-RPC interface.

Developers can use this programmatic API to build applications that can retrieve private keys, transfer funds, or retrieve personal details of the owner of the wallet.

The hackers moved stolen funds to the Ethereum account having the address 0x957cD4Ff9b3894FC78b5134A8DC72b032fFbC464.
The good news is that the JSON-RPC interface comes disabled by default in most apps.

In May 2018, crooks used the Mirai-based Satori botnet to scan the Internet for Ethereum mining software that was accidentally left exposed online.

Unfortunately, there are several groups actively scanning the Internet for insecure JSON-RPC interfaces in order to steal funds from unsecured cryptocurrency wallets.

Development teams have to secure their applications by only allowing connections to the geth client that originate from the local computer; another alternative is to implement an authentication mechanism for remote RPC connections.

Experts believe the hackers will increase their scanning for port 8545, also thanks to the availability online of tools that automate the process.
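One way to act on the Netlab advice above (watch what hits a port 8545 honeypot and pull the wallet addresses out of the JSON-RPC payloads), written as an added example that is not code from Netlab or the geth project; the log format, the sensitive-method list and the sample requests are constructed assumptions.

```python
"""Triage of JSON-RPC requests captured by a honeypot listening on port 8545.
Constructed log format: "<timestamp> <source_ip> <json_body>", one request per
line; real honeypots and reverse proxies log differently."""
import json
import re
from collections import Counter, defaultdict

# Calls that only an operator should make; coming from an unauthenticated
# remote peer they indicate account enumeration or an attempt to drain funds.
SENSITIVE_METHODS = {
    "eth_accounts": "list accounts managed by the node",
    "personal_listAccounts": "list accounts managed by the node",
    "eth_getBalance": "check the balance of a discovered account",
    "personal_unlockAccount": "unlock an account for signing",
    "eth_sendTransaction": "move funds out of a node-managed account",
    "personal_sendTransaction": "move funds using a passphrase",
}

HEX_ADDRESS = re.compile(r"^0x[0-9a-fA-F]{40}$")


def parse_line(line):
    """Return (source_ip, rpc_dict) for one log line, or None if malformed."""
    parts = line.strip().split(" ", 2)
    if len(parts) != 3:
        return None
    _ts, ip, body = parts
    try:
        rpc = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(rpc, dict) or "method" not in rpc:
        return None
    return ip, rpc


def destination_addresses(rpc):
    """Collect the 'to' addresses of transfer requests: the attacker's wallet."""
    addrs = []
    for param in rpc.get("params") or []:
        if isinstance(param, dict):
            to = param.get("to")
            if isinstance(to, str) and HEX_ADDRESS.match(to):
                addrs.append(to.lower())
    return addrs


def triage(lines):
    """Count sensitive calls per source IP and tally destination wallets."""
    calls_by_ip = defaultdict(Counter)
    payout_wallets = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, rpc = parsed
        method = rpc["method"]
        if method in SENSITIVE_METHODS:
            calls_by_ip[ip][method] += 1
            for addr in destination_addresses(rpc):
                payout_wallets[addr] += 1
    return calls_by_ip, payout_wallets


# Constructed sample: one scanner enumerates accounts, checks a balance and
# tries a transfer to the wallet named in the article; a second host only asks
# for the block number, which is harmless; the last line is junk.
SAMPLE_LOG = [
    '2018-06-11T08:00:01Z 203.0.113.7 {"jsonrpc":"2.0","id":1,"method":"eth_accounts","params":[]}',
    '2018-06-11T08:00:02Z 203.0.113.7 {"jsonrpc":"2.0","id":2,"method":"eth_getBalance",'
    '"params":["0x1111111111111111111111111111111111111111","latest"]}',
    '2018-06-11T08:00:03Z 203.0.113.7 {"jsonrpc":"2.0","id":3,"method":"eth_sendTransaction",'
    '"params":[{"from":"0x1111111111111111111111111111111111111111",'
    '"to":"0x957cD4Ff9b3894FC78b5134A8DC72b032fFbC464","value":"0x1"}]}',
    '2018-06-11T08:05:00Z 198.51.100.9 {"jsonrpc":"2.0","id":1,"method":"eth_blockNumber","params":[]}',
    '2018-06-11T08:05:01Z garbage-line',
]
```

Running `triage(SAMPLE_LOG)` attributes three sensitive calls to 203.0.113.7 and records the article's wallet address once as a payout destination, while the benign host and the junk line are ignored.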